Older blog entries for Stevey (starting at number 654)

A beginning is a very delicate time.

Recently I wrote about docker; after a brief diversion into using runit for service management, I then wrote about it some more.

I'm currently setting up a new PXE-boot environment which uses docker for serving DHCP and TFTPD, which is my first "real" usage of any note. It is fun, although I now discover I'm not alone in using docker for this purpose.

Otherwise life is good, and my blog-spam detection service recently broke through the 11 million-rejected-comment barrier. The Wordpress Plugin is seeing a fair amount of use, which is encouraging - but more reviews would be nice ;)

I could write about work, I've not done that since changing job, but I'm waiting for something disruptive to happen first..

ObQuote: Dune. (film)

Syndicated 2014-01-06 07:30:43 from Steve Kemp's Blog

A good week?

This week my small collection of sysadmin tools received a lot of attention; I've no idea what triggered it, but it ended up on the front-page of github as a "trending repository".

Otherwise I've recently spent some time "playing about" with some security stuff. My first recent report wasn't deemed worthy of a security update, but it was still a fun one. The package description describes rush as:

GNU Rush is a restricted shell designed for sites providing only limited access to resources for remote users. The main binary executable is configurable as a user login shell, intended for users that only are allowed remote login to the system at hand.

As the description says, this is primarily intended for use by remote users, but if it is installed locally you can read "any file" on the local system.

How? Well the program is setuid(root) and allows you to specify an arbitrary configuration file as input. The very very first thing I tried to do with this program was feed it an invalid and unreadable-to-me configuration file.

Helpfully there is a debugging option, --lint, to help you set up the software. Using it is as simple as:

shelob ~ $ rush --lint /etc/shadow
rush: Info: /etc/shadow:1: unknown statement: root:$6$zwJQWKVo$ofoV2xwfsff...Mxo/:15884:0:99999:7:::
rush: Info: /etc/shadow:2: unknown statement: daemon:*:15884:0:99999:7:::
rush: Info: /etc/shadow:3: unknown statement: bin:*:15884:0:99999:7:::
rush: Info: /etc/shadow:4: unknown statement: sys:*:15884:0:99999:7:::
..

How nice?

The only mitigating factor here is that only the first token on the line is reported; in this case we've exposed /etc/shadow, which doesn't contain whitespace for the interesting users, so it's enough to start cracking those password hashes.

If you maintain a setuid binary you must be trying things like this.

If you maintain a setuid binary you must be confident in the codebase.

People will be happy to stress-test, audit, examine, and help you - just ask.

Simple security issues like this are frankly embarrassing.

Anyway that's enough: #733505 / CVE-2013-6889.

Syndicated 2013-12-29 14:59:55 from Steve Kemp's Blog

It's a wonderful life

Today, here in the UK, the date is 11/12/13.

Today, here in Edinburgh, we became married.

I've already promised I will make no more than two jokes, ever, about "owning a wife". I will save them for suitable occasions.

Syndicated 2013-12-11 16:41:00 from Steve Kemp's Blog

So PaaS

I just realised a lot of my projects are deployed in the same way:

  • They run under runit.
  • They operate directly from git clones.

This includes both Apache-based projects, and node.js projects.

I'm sure I could generalize this, and do clever things with git-hooks. Right now for example I have run-scripts which look like this:

#!/bin/sh
#
# /etc/service/blogspam.js/run - Runs the blogspam.net API.
#
# runit starts this script with the service directory as the working
# directory; here that directory is the git clone itself.

# update the repository.
git pull --quiet

# install dependencies, if appropriate.
npm install

# launch; exec so that runit supervises node directly.
exec node server.js

It seems the only thing that differs is the name of the directory and the remote git clone URL.

With a bit of scripting magic I'm sure you could push applications to a virgin Debian installation and have it do the right thing.

I think the only obvious thing I'm missing is a list of Debian dependencies. Perhaps by adding something like the package.json file I could add an extra step:

apt-get update -qq
# --yes is enough for a non-interactive install; --force-yes would also
# bypass package authentication, which a deploy script should never do.
apt-get install --yes $(cat packages.apt)
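Pulling those pieces together, as an added example that is not the author's run-script: a shared helper that each per-service run-script can source, with the Debian dependencies read from a packages.apt file in the clone. The path /etc/service/lib/deploy.sh and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# /etc/service/lib/deploy.sh (hypothetical path): shared helper for
# runit services that run straight from a git clone. Added example.
# Optional files in the clone drive the steps:
#   packages.apt  - Debian packages, one per line ('#' comments allowed)
#   package.json  - present for node.js projects, triggers npm install
# Set DRY_RUN=1 to print each command instead of executing it.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# deploy_prepare DIR: refresh the checkout in DIR and install whatever
# it declares, leaving the shell in DIR ready for the exec.
deploy_prepare() {
    dir=$1
    cd "$dir" || return 1

    # refresh the checkout from its remote
    run git pull --quiet

    if [ -f packages.apt ]; then
        # strip comments and blank lines; no --force-yes, since that
        # would also disable apt's package authentication
        pkgs=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' packages.apt | tr '\n' ' ')
        run apt-get update -qq
        # shellcheck disable=SC2086  (word-splitting is intended)
        run apt-get install --yes $pkgs
    fi

    if [ -f package.json ]; then
        run npm install --quiet
    fi
}

# A service's run-script then reduces to:
#   #!/bin/sh
#   . /etc/service/lib/deploy.sh
#   deploy_prepare "$(dirname "$0")"
#   exec node server.js
```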

Making deployments easy is a good thing, and consistency helps..

Syndicated 2013-12-06 21:13:27 from Steve Kemp's Blog

Belated updates

Today I should have been heading down to York, to attend the Bytemark Christmas party. Instead I'm here in Edinburgh, because wind/storms basically shut down the rail network in Scotland for the morning.

Technically I could have probably made it, but only belatedly and only at a huge cost to my sanity. The train-station was insane with stranded people, and there seemed no guarantee the recently-revived service would continue.

So instead I'm sulking at home.

I had a lot of other things scheduled to do in York/London today/tomorrow, for reasons that will become apparent next week, so to say I'm annoyed is an understatement.

In happier news I'm not dead.

Walking to work this morning was horrific; there was so much wind, 70-100mph, that I couldn't actually cross a bridge on Ocean Drive, because I just kept getting blown into the road. (Yeah, that's a road that is very close to the coast. Driving wind. Horrible rain. Storming sea. Fun.)

I ended up retracing my steps, and taking a detour. (PS. My boots leaked.)

Not a good day. Enjoy some software instead - a trivial HTTP / XMPP bridge.

Syndicated 2013-12-05 15:27:52 from Steve Kemp's Blog

A difficult day

Today was my last day working at Bytemark, and I found it a lot harder than expected.

For better or worse I finished earlier than expected; having been gradually removing my accounts and privileges over the past few weeks I'd revoked my OpenVPN key this morning.

Mid-afternoon my openvpn connection tried to renegotiate session keys, or similar, and failed. So I stopped work a few hours early. That meant I managed to avoid sending my "goodbye world" email, which is probably for the best - after all a lovely company, lovely people, and a good environment, what can you say besides things that are lovely?

I think I largely wrapped things up neatly, and I'm pleased that one of my photos is hanging on the office wall. (I look forward to seeing that actually, I've only rarely made canvas prints.)

The only other thing of note this week has been the sharp rise in blogspam I've detected. Black Friday alive and well, on the internets ..

Syndicated 2013-11-29 20:34:31 from Steve Kemp's Blog

Things have settled down nicely

I've now completed all my KVM migrations, moving my personal virtual machines from one host to another.

There were a few niggles, for example I didn't have a working IPv6 allocation at the time I moved things so I had to set that up post-migration.

I've also joined each of the hosts into a VPN which makes cross-guest communication secure and simple.

Finally I've overhauled my firewalls and service lists.

I installed a couple of extra guests, using libvirt and booting from the Debian ISO. The Debian installer continues to impress, though it did make me think I should overhaul my PXE setup at home.

It wouldn't be hard to have a Raspberry Pi running as a TFTP + DHCP server. You could plug it into a network, reboot your desktop, and then have it boot into the imager. At the moment I run DHCP + TFTPD + etc on my main desktop, and that allows me to reimage any of the hosts in the flat easily, except itself obviously.

The last time I reinstalled this system I had to reconfigure DHCP + PXE + TFTP on another host. I think the next time I need to reinstall any system I'll "waste" an SD-card on an image-server host.

Finally I've recently read the Rick Cook Wizardry series:

  • Geeky developer gets transferred to a typical fantasy land:
    • Where magic works/exists.
    • There are dragons.
    • He writes a magic-compiler using FORTH to build primitives into bigger spells.

Fun idea. Horrible puns. Some of the books were too long, or left plot elements dangling, but on average they were more good than bad. Albeit a little predictable and "simple".

Syndicated 2013-11-23 12:58:14 from Steve Kemp's Blog

All change

If this post is visible I should have migrated the following virtual machines to a new home:

  • mail.steve.org.uk - SMTP, IMAP, & etc.
  • www.steve.org.uk - And N other hosts.
  • rsync.io - Offsite backups for local people.

These previously existed on a machine at Bytemark, running under screen and KVM. Now they exist upon a different Bytemark-rented host.

TODO: Move 4096.io, configure an auto-builder guest (I have a slaughter policy for that), and allocate a /48 so that I regain IPv6 support (/56 would do, I guess. I want a /64 for each guest.).

Syndicated 2013-11-17 19:11:38 from Steve Kemp's Blog

Meanwhile, behind the facade of this innocent book store

In brief:

Syndicated 2013-11-14 23:33:21 from Steve Kemp's Blog

So I have a new project

Recently I decided to set myself a big photography challenge. The three options which I discussed with a couple of people were:

  • Photograph the front of every pub in the nearby area city-centre.
  • Photograph every plaque, monument, and statue in the city-centre.
  • Photograph every gravestone and memorial bench in the city centre.

Ultimately I decided pubs would be most fun. Not least because you could do it every year or two, to see what changes occurred.

To make it more useful I decided to not only take the pictures, but to collect, and share, the meta-data too:

  • Latitude/Longitude GPS for each pub.
  • Contact details for each pub.
  • etc.

Today I spent an hour walking up Easter Road, and down Leith Walk. I shot the outside of about 20 pubs, and then fiddled with the layout and organization of the images.

I'm reasonably happy with the result, but it remains obvious that I'm not a designer.

The data-set used to generate the site - which is perhaps the most interesting/useful part of the whole exercise to other people - is available online too:

All the data, even the images, is stored on github for collaboration purposes. I'm not sure if folk will join in, but I can probably manage a few of the major thoroughfares every weekend indefinitely. It will only take a couple of days to get "city-wide coverage", then the rest is gravy.

Syndicated 2013-11-10 23:31:39 from Steve Kemp's Blog
