Category Archives: Internet, Unix en security

SpamAssassin to blacklist and unblacklist

SpamAssassin has a feature to blacklist and unblacklist certain e-mailaddressen. But recently I noticed something interesting that may need some more investigation. I have all addresses for domain example.org blacklisted, but also unblacklisted certain functional addresses as is shown in the example below.

blacklist_from          *@example.org
unblacklist_from        abuse@*
unblacklist_from        hostmaster@*
unblacklist_from        postmaster@*
unblacklist_from        security@*
unblacklist_from        webmaster@*

Now I expected that webmaster@example.org was going to be unblacklisted, meaning the mail would have both a spamscore of both +100 and -100 making it effective 0 again. This modification resulted in a spamscore of +100 and makes me worry that unblacklisting will demand that the domain part needs to be specified instead of having a wildcard. This will require some more testing in the near future, but for now it may affect other installations.

Getting Ext3/4 journal size

Ext3 is an successor of Ext2 with support for journaling which means it can have a log of all it’s recent changes it made or is going to make to the file system. This allows fsck to get the file system back in a good state when a power failure happens for example. But what is the size of the journal? Reading the manpage for tune2fs it says it needs to be between 1024 and 102400 blocks which means it can start with 1MB on a file system with a 1KB block size and 4M on a file system with 4KB a block size.

So let start to see which inode contains the journal and normally this should be inode 8 unless you have a file system that was upgraded from Ext2 to Ext3/4.

$ sudo LANG=C tune2fs -l /dev/sda1 | awk '/Journal inode/ {print $3}'
8

Now that we have the inode responsible for the in file system journal we can retrieve it details by doing a stat() with debugfs for that inode. Debugfs retrieve the details from the inode and on of them is de allocated size on disk.

$ sudo LANG=C debugfs -R "stat <8>" /dev/sda1 | awk '/Size: /{print $6}'|head -1
debugfs 1.42.4 (12-Jun-2012)
4194304

Now let use the same procedure on an other file system:

$ sudo LANG=C tune2fs -l /dev/mapper/data00-srv | awk '/Journal inode/ {print $3}'
8
$ sudo LANG=C debugfs -R "stat <8>" /dev/mapper/data00-srv | awk '/Size: /{print $6}'|head -1
debugfs 1.42.4 (12-Jun-2012)
134217728

There is also an easy way as dumpe2fs provides an interface to a lot of these values directly.

$ sudo LANG=C dumpe2fs /dev/mapper/data00-srv | grep ^Journal
dumpe2fs 1.42.4 (12-Jun-2012)
Journal inode:            8
Journal backup:           inode blocks
Journal features:         journal_incompat_revoke
Journal size:             128M
Journal length:           32768
Journal sequence:         0x0111fd4c
Journal start:            3380

Keep in mind that changing something on a live journal can destroy your file system, so never move the journal location or change it’s size unless it’s a clean unmounted file system.

BtrFS as ongoing project

BtrFS is still an ongoing project for me, but if it will become a production platform for me soon is the question. Also playing with mirroring on BtrFS level made me wonder even more as it does the calculating about storage usage a little bit differently. Normally with mirroring you see the storage you can allocate and has been allocated. With BtrFS you see the total amount of data available on all disks combined as show in the example below.

$ sudo btrfs filesystem df /mnt
Data, RAID1: total=5.98GB, used=5.36GB
System, RAID1: total=8.00MB, used=4.00KB
System: total=4.00MB, used=0.00
Metadata, RAID1: total=256.00MB, used=6.01MB
$ df -h /mnt
Filesystem                Size  Used Avail Use% Mounted on
/dev/mapper/vg01-btrfsm1   16G   11G  4.8G  70% /mnt

I really like ZFS, but I really wonder if BtrFS could replace it. For now I see too many drawbacks in how BtrFS has been implemented and how distributions may use it. Maybe when Debian 8 is in testing it may be a better time to give BtrFS another chance, but swap space and encrypted file systems are still problems that need to be tackled.

A /tmp for every user

With the transition towards /run some temporary files will move towards /run/user/, but enough files remain in /tmp. Files that may leak information or be a point of code injection as shown with CVE-2012-3355. A first step is to create a temporary directory for every user when he or she logs in to restrict exposure of temporary files.

After installing the right module for PAM and enabling it, every user that logs in will get it’s own directory for temporary files. In this case based on the users ID-number, but still only accessible for the user themself.

$ sudo apt-get install libpam-tmpdir
$ sudo pam-auth-update --package tmpdir
$ ls -l /tmp
totaal 0
drwx--x--x 4 root       root       80 jun 24 22:01 user
$ sudo ls -l /tmp/user
totaal 0
drwx------ 2 root    root     40 jun 24 22:00 0
drwx------ 2 user1   users    40 jun 24 22:06 1000
drwx------ 2 user2   users    40 jun 24 22:03 1001

Files and directories that still remain in /tmp after this may ask for additional attention as the path to /tmp appears to be hardcoded. A small bugreport may be in order to just move away from hardcoded paths as in most cases they also indicate a hardcoded file for all users on the system.

Create home directory on first login

Creating home directories for new users can be a difficult task and specially in a LDAP-based environment, but most PAM installations have the option to create a new home directory before the user logon is completed. Debian also ships the module mpam_mkhomedir, but without a manifest to set it up correctly. Bug 640918 covers this issue, but for now creating the file /usr/share/pam-configs/mkhomedir with the content below resolves the problem.

Name: Create home directory on first login
Default: no
Priority: 0
Session-Type: Additional
Session-Final:
 required pam_mkhomedir.so umask=0027

After creating the file, the command below updates the PAM-config to create the home directory when a users home directory doesn’t exist. In the example configuration above the default umask is 0027 so only the user and group will have access to the home directory.

$ sudo pam-auth-update --package mkhomedir

By default the configuration in /etc/skel is being used to create a new home directory. This is a point of attention when the user needs files and/or directories when the user logs in and an example of this may be a Maildir for receiving mail.

Using PAM to allow access

Over the years PAM (Pluggable Authentication Modules) has become the standard on Solaris and Linux, and others like AIX and the known BSD’s are following. But by default all services that use PAM are allowing all users to use it unless the service itself takes action. So why not bring the authorization part to PAM and make the decision to allow access directly in PAM?

In this example we want to allow only access to Dovecot for users who are member of POSIX-group ac_mail. For this we use a module called pam_succeed_if which can verify if an user is in a certain group or not. Based on the standard PAM-file for a service we create a new file for Dovecot and added required line to do the authentication.

#%PAM-1.0
 
@include common-auth
auth required pam_succeed_if.so quiet user ingroup ac_mail
@include common-account
@include common-session

Also changing the Dovecot configuration to tell it to use the dovecot PAM-file.

passdb pam {
  args = session=yes dovecot
}

Now only users who are member of the ac_mail group can logon. This allows a system administrator to use LDAP for example so all machines have the same group information and all machines with the modified PAM configuration to use it. This way of allowing users to logon can also be used for other services that depend on PAM like Proftpd, OpenSSH or PostgreSQL for example.

WordPress “upgrades”

I have been a long time WordPress user and not very happy with it from time to time, but sometimes you just have to accept certain things. Using WordPress is one of them as it slow became the industry standard for weblogs. It also became the standard for trouble, quick updates and hacked weblogs. As I have to live with it, it became time to take a closer look at WordPress.

While WordPress has a lot of coding errors and that is something that can’t be fixed overnight, but what can be solved is the ability to install additional code. While it sounds a smart move to offers users a way to upgrade WordPress with one click in their browser or to install new plugins or themes, it is also a hazard. If a webserver is allowed to update the application it is running without any trouble, then it simply means anyone who can trick the application to write code to disk and execute it also can host anything he or she wants. A lot of phishing and spam sites do this trick to host their code in some directory of a broken plugin. And the PHP-interpreter always happy to execute any PHP-code it finds, this is a mayor flaw.

For Debian Squeeze there is a backport of WordPress 3.3.2 which matched my version already running. So installing the packages and switching the webservers documentroot to the one supplied by the packages resolved the first issue. Now only the user root can modify the WordPress installation which also include all plugins and themes for WordPress. The base of WordPress now has been secured as remote users can’t modify or install any code. Right? Both yes and no as people still are able to upload content for WordPress and this is something for further review. Most ideally the content will be hosted in an image gallery for example, but it is a risk to accept for now.

Switching to packages also showed something else as most WordPress users just install plugins and themes by using the webinterface. As only root can install new plugins and themes this reduces the choice people have to what the system administrator puts in a package and installs it. Sadly enough now script currently exist for building packages from plugin/theme files and a quick look it appears that this isn’t an issue for themes. But it appears to be an issue for plugins as some developers include an extract from PHP Pear to make sure the plugin always works.

So the coming week I have to spend some time in creating packages and do some coding to make packages work with system provided and updated PHP Pear code. But I still wonder why people write plugins and just copy code to make it “work”. I also wonder how many plugins have outdated code with some funny features or is it something I don’t want to know?

PAM bug hit Debian and others

It has been years since PAM was hit by a serious bug in PAM, but people who upgrade to libpam-systemd version 44-1 can find that sudo stops working. Reading the bugreport on Debian and FreeDesktop.org it doesn’t look promising as it also effects other distributions. For now it may be wise put systemd on hold in case the package transfers from unstable to testing.

Switching from VirtualBox to KVM (maybe)

I have been a VirtualBox user for a long time, but since I’m now looking more closely at BtrFS I also took a closer look at what is in $HOME. VirtualBox harddisks and ISO-images are a large chunk of it and maybe the time has come to look at a different solution. One of the plans is to move virtual machines to a dedicated machine instead of running some on my workstation when I need them. This could give me more options for longer experiments as then my personal data doesn’t has to share the same encrypted volume with the virtual machines.

As VirtualBox is mainly a desktop solution, then the other options are Xen and KVM for now. I picked KVM as it is shipped with RHEL6 and part of the vanilla Linux kernel since 2007. Also there is a nice (remote) management solution and closer integration in GNOME 3.4 in the form of GNOME Boxes. So the time has come to give it a go and first we create a line in /etc/fstab to mount the BtrFS subvolume.

LABEL=datavol	/var/lib/libvirt	btrfs	defaults,relatime,nodiratime,subvol=libvirt	0	0

Now we create the BtrFS subvolume and mount it. Afterward we install all required software and make a user member of the right group. It is important to note that one needs to logout and login afterwards. These right are only needed when doing local maintenance.

$ sudo btrfs subvolume create libvirt /media/btrfs-datavol
$ sudo mount /var/lib/libvirt
$ sudo apt-get install qemu-kvm virt-manager virt-viewer virtinst
$ sudo usermod -a -G libvirt <username>
</username>

The machine is now able to run virtual machines if it has an CPU with Intel-VT or AMD-V technology. And the first tests with Debian 6.0, Solaris 11 and Windows 7 looked very promising. The management interface is very clean and people who have worked with Solaris Container the commandline tool virsh is also a good option. One thing that seems to be missing is a storage snapshot option as in VirtualBox, but if it is a real miss I doubt as most images are on BtrFS and BtrFS supports snapshots on subvolume level.

For now KVM appears to be a good and free alternative for VirtualBox and VMWare. It may need some more love in the future, but for now it deserves some more testing from my side together with SELinux for stronger separation of virtual machines. Maybe I can say goodbye to DKMS for recompiling VirtualBox modules with every release and the Qt-toolkit as dependency for VirtualBox and switching back on the default GTK toolkit on my machine.

A goodbye to Java

In the past I already removed Flash and Mono from my systems due to security concerns, but since CVE-2011-3544 it was the final call for Java. It took some dependency checking as Debian was replacing OpenJDK with GCJ or vice versa in most cases, but the command below finished that on a lot of systems. I said farewell to NetBeans a long time ago since it was to slow on my system and the only thing left was LibreOffice Base that needed to be removed as well.

$ sudo apt-get remove --purge libgcj12 libgcj-common gcj-4.6-jre-headless \
    libgcj12-awt default-jre-headless

This action also made me wonder about the state of LibreOffice as it is mainly a big blob of code on the system like Firefox is as well btw. I read on there website somewhere that making Java an option is a long term goal, but will it be enough? For now it should be, as I prefer my documents in OpenDocument-format. When the next GTK3 based version of Abiword and Gnumeric are released I need to do some testing again to see if they support OpenDocument now better.