Hacking Linux Kernel

Modifying Bootup Scripts in initrd

2010-02-02T01:39:00.000-08:00

Unpack it
--------
gunzip -c /minirt | cpio -idm

OR
>>mv minirt minirt.gz
>>gzip -d minirt.gz
>>cpio -i < .minirt

modify initrc or init

Pack it back
------------
find | cpio -H newc -o > ../new_initrd_file
gzip -9 new_initrd_file

Embedding Type 1 Fonts in Latex Generated PDFs

2009-06-27T22:04:00.000-07:00

modify file
/usr/share/gs-afpl/8.14/lib/gs_pdfwr.ps
and change lines

/.standardfonts [
/Courier /Courier-Bold /Courier-Oblique /Courier-BoldOblique
/Helvetica /Helvetica-Bold /Helvetica-Oblique /Helvetica-BoldOblique
/Times-Roman /Times-Bold /Times-Italic /Times-BoldItalic
/Symbol /ZapfDingbats
] readonly def

into

/.standardfonts [
% /Courier /Courier-Bold /Courier-Oblique /Courier-BoldOblique
% /Helvetica /Helvetica-Bold /Helvetica-Oblique /Helvetica-BoldOblique
% /Times-Roman /Times-Bold /Times-Italic /Times-BoldItalic
% /Symbol /ZapfDingbats
] readonly def

Compile using
>>latex myfile.tex

>>dvips -j0 -Ppdf -Pdownload35 -G0 myfile

>>ps2pdf -dMaxSubsetPct=100 -dCompatibilityLevel=1.4 -dSubsetFonts=true -dEmbedAllFonts=true myfile.ps

check using
>>pdffonts myfile.pdf

SELinux Tutorial

2007-05-29T16:16:00.000-07:00

I have found very few resources for SELinux on the web, which I believe is a idea tool box for the security engineer or for that matter any average Linux user who plans to use programs of the web without examining them for hacks. I have divided up this tutorial into 2 main sections, the first of which describes why SELinux is the coolest security tool ever followed by a detailed tutorial with a running example of getting up and running with it in no time.

SELinux in a Nutshell

The Big challenge is to find ways to have secure systems knowing that flawed application software will always exist. SELinux is an implementation of the reference monitor concept, where the operating system isolates passive resources into distinct objects such as files and active entities such as running programs into subjects. The reference monitor mechanism would then validate access between subjects and object by applying a security policy as embodied in a set of access control rules. Access control decisions are based on security attributes associated with each subject and object. The complexity is a direct result of Linux being complex. There is certainly a trade off in providing a system with the granularity to control every single permission for every object class.

SELinux's MAC vs Linux's DAC
Security-enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism. This mechanism is in the Linux kernel, checking for allowed operations after standard Linux discretionary access controls are checked. Under DAC, ownership of a file object provides potentially risky control over the object. A user can expose a file or directory to a security or confidentiality breach with a misconfigured chmod command and an unexpected propagation of access rights. A process started by that user, such as a CGI script, can do anything it wants to the files owned by the user. A compromised Apache HTTP server can perform any operation on files in the Web group. Malicious or broken software can have root-level access to the entire system, either by running as a root process or using setuid or setgid. In addition under DAC, there are really only two major categories of users, administrators and non-administrators. In order for services and programs to run with any level of elevated privilege, the choices are few and course grained, and typically resolve to just giving full administrator access. Solutions such as ACLs (access control lists) can provide some additional security for allowing non-administrators expanded privileges, but for the most part a root account has complete discretion over the file system. A MAC or non-discretionary access control framework allows you to define permissions for how all processes (subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (objects). This is done through an administratively-defined security policy. These processes and objects are controlled through the kernel, and security decisions are made on all available information rather than just user identity. With this model, a process can be granted just the permissions it needs to be functional. This follows the principle of least privilege. Under MAC, for example, users who have exposed their data using chmod are protected by the fact that their data is a kind only associated with user home directories, and confined processes cannot touch those files without permission and purpose written into the policy.

DAC	MAC
Object Owner has full power	Object Owner can have some power
Complete trust in users	Only trust in administrators
Decisions are based only on user id and object ownerships	Objects and tasks can themselves have IDs
Impossible to control data flow	Makes data-flow control possible

Setting up SE Linux on FC6

Installing SELinux Development Packages
Usually the 2-CD install of FC6 does not include the development packages for SELinux. So we need to install those first.

$ yum install selinux-policy-devel
$ yum install setools-devel
$ yum install setools-gui

It is also generally a good idea to install the audit daemon i.e user space tools for 2.6 kernel auditing. We will need this to monitor our generated AVC denial messages.

$ yum install audit
$ /etc/init.d/auditd start

Working with the Policy Sources
Ever since FC started supporting modular policies, they have stopped shipping the targeted policy sources with Fedora. However the reference policy sources from Tresys are available for download and much easier to work with. While NSA's original example policy has very strong interdependencies between types and roles and therefore a very tight coupling of policy source modules, the reference policy has well-defined interfaces and no global use of type and other identifiers, In addition it layers all of its modules in 5 main categories of 'admin', 'apps', 'kernel', 'services' and 'system'.

The refpolicy at the time of writing this tutorial could be downloaded from http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease. After download run

$ make
$ make install-src
$ make install

The refpolicy will be compiled and installed into /etc/selinux/refpolicy/src/policy

Writing the Policy
I am going to describe how to write SELinux rules for a Linux Daemon Service particularly the Asterisk Call Server. The steps involved are pretty generic and can be used for any software you are planning to jail with selinux. When you download and install asterisk, take a note of where it installs its binaries, config, log files etc. We will need this knowledge to set up policy rules for it. Once you download and install the software try running it without selinux support; you can do this by typing

$ setenforce 0
$ /etc/init.d/asterisk start

This will switch selinux into permissive mode in which access checks still occur, but instead of denying unallowed access, it simply audits them. Now that we are certain that our daemon runs perfectly we are ready to write selinux policy files for it. Here is a listing of my asterisk.te (the main policy rules) file. I have commented each line in the listing to make it easier to understand.

asterisk.te
####################
policy_module(asterisk, 1.0)
####################
#
# Type declarations
#
# asterisk domain
type asterisk_t;

# asterisk entrypoint
type asterisk_exec_t;

#mark asterisk_t as a domain and asterisk_exec_t
#as an entry point into that domain
init_daemon_domain(asterisk_t, asterisk_exec_t)

# PID file /var/run/asterisk.pid
type asterisk_var_run_t;
files_pid_file(asterisk_var_run_t)

#configuration files
type asterisk_conf_t;
files_config_file(asterisk_conf_t)

#log files
type asterisk_log_t;
logging_log_file(asterisk_log_t)

#files and directories under /var/lib/asterisk
type asterisk_var_lib_t;
files_type(asterisk_var_lib_t)

# Log files - create, read, and append
allow asterisk_t asterisk_log_t : dir ra_dir_perms;
allow asterisk_t asterisk_log_t : file { create ra_file_perms };
logging_log_filetrans(asterisk_t, asterisk_log_t, file)
logging_search_logs(asterisk_t)

# configuration files - read
allow asterisk_t asterisk_conf_t : dir r_dir_perms;
allow asterisk_t asterisk_conf_t : file r_file_perms;
allow asterisk_t asterisk_conf_t : lnk_file { getattr read };

# PID file - create, read, and write
allow asterisk_t asterisk_var_run_t : dir rw_dir_perms;
allow asterisk_t asterisk_var_run_t : file create_file_perms;
files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)

# /var/lib/asterisk files/dirs - create, read, write
allow asterisk_t asterisk_var_lib_t : dir create_dir_perms;
allow asterisk_t asterisk_var_lib_t : file create_file_perms;
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, dir)

# Network Access
allow asterisk_t self : tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(asterisk_t)
corenet_tcp_sendrecv_all_nodes(asterisk_t)
corenet_tcp_sendrecv_all_ports(asterisk_t)
corenet_non_ipsec_sendrecv(asterisk_t)
corenet_tcp_bind_all_nodes(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
sysnet_dns_name_resolve(asterisk_t)

Next we create a labeling policy in the form of file security contexts statements. We make use of the gen_context() template interface macro to handle both MLS/MCS and non MLS/MCS policies from the policy source. This file contains hard-coded listing of the directories for the asterisk daemon. The reader will have to change these paths for the application he is jailing via selinux.

asterisk.fc
################
#asterisk labeling policy
################
/usr/bin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t, s0)
/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_conf_t, s0)
/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t, s0)
/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t, s0)
/var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t, s0)

Finally the external interfaces file for the daemon declares an interface for reading the log files. This way other domains are allowed access by simply calling this interface.
asterisk.if
################
interface(`asterisk_read_log',`
gen_require(`
type asterisk_log_t;
`)

logging_search_logs($1)
allow $1 asterisk_log_t : dir search_dir_perms;
allow $1 asterisk_log_t : file r_file_perms;

The above three files are all the source code we need to write to set up a simple selinux jail for our asterisk server. They should be copied to a separate directory and compiled into a policy package asterisk.pp using make. A generic makefile for compiling loadable modules can be copied over from /usr/share/selinux/devel/

compiling the policy
$ make

installing the policy
$ /usr/sbin/semodule -i asterisk.pp

checking if the policy was successfully installed
$ /usr/sbin/semodule -l
asterisk 1.0

relabeling all the files/directories in the file context file
$ restorecon /usr/bin/asterisk
$ restorecon -R /etc/asterisk/ /var/log/asterisk /var/lib/asterisk

verifying that the labeling occurred correctly using ls -Z
$ ls -scontext /usr/bin/asterisk /var/log/asterisk
system_u:object_r:asterisk_exec_t /usr/bin/asterisk

/var/log/asterisk:
system_u:object_r:asterisk_log_t asterisk.log

start asterisk
$ /etc/init.d/asterisk start

verify that it is running
$ ps axZ | grep asterisk

check for AVC denials
$ /usr/bin/audit2allow -i < /var/log/audit/audit.log

Edit the asterisk.te file to make sure that accesses that we are not permitting are suppressed by adding dontaudit rules and finally restart the asterisk server with selinux set to enforcing

$ setenforce 1
$ /etc/init.d/asterisk restart

Setting up a Xen DMZ using NAT and IPTables Filtering

2007-01-08T16:38:00.000-08:00

Make sure you are using a version of Dom0 with kernel support for IP Tables. See my previous post on compiling Xen from source.

IP Tables option can be found in the kernel menuconfig configuration under

Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> Core Netfilter Configuration ---> <*> Netfilter Xtables support (required for ip_tables)

Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> <*> IP tables support (required for filtering/masq/NAT)

Setup the following options in /etc/xen/xend-config.sxp
(network-script network-nat)
(vif-script vif-nat)

Check (using ifconfig) that vif1.0 in Dom0 has an IP starting 10.0.0.*

Now edit your VM config file to set private local IP addresses
dhcp = "off"
vif = [ 'ip=10.0.0.1' ] <--the IP I want to assign to my VM
ip="10.0.0.1" <--add the above here again
gateway="10.0.0.128" <-- the internal IP address of my Dom0 vif1.0
netmask="255.255.255.0"

Similarly once you boot the VM you can update the above settings in /etc/network/interfaces file in DomU

auto eth0
iface eth0 inet static
address 10.0.0.1
netmask 255.255.255.0
gateway 10.0.0.128

At this point you should be able to ping Dom0 and nodes on the internet from DomU and DomU from Dom0. However DomU is not accessible from the internet because of its private IP address. To address this we can create a DMZ where Dom0 forwards packets to DomU using IP Table rules. For instance if we have an SSHd service running in DomU, then we can enable port forwarding in Dom0 using

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 22 -j DNAT --to 10.0.0.1:22

A remote user who wants to SSH to DomU will simply give the Public IP of Dom0 while connecting via SSH.

Proxy settings for apt-get and wget

2007-01-05T16:04:00.000-08:00

export http_proxy="http://[address]:[port]/"

What Linux Drivers are being used?

2006-12-12T19:16:00.000-08:00

While recompiling a custom kernel depmod -a creates a "Makefile"-like dependency file, based on the symbols it finds in the set of modules mentioned on the command line or from the directories specified in the configuration file. This dependency file is later used by modprobe to automatically load the correct module or stack of modules.

If you are curious about which drivers are running and their purpose. Here is how to get started
Modules loaded automatically at boot time can be found under /lib/modules/KERNELNAME

The list of running modules can be found using

lsmod
$ less /proc/modules

More information about the modules can be found via

/sbin/modinfo video

Total Ram Memory Available

2006-12-08T17:37:00.000-08:00

free -m

Setting up your own SMTP and POP3 Mail Server

2006-11-21T13:27:00.000-08:00

I used SendMail for SMTP and Qpopper for POP3.

Download and install the sendmail package if you don't have it

rpm -qa | grep -i sendmail

Start it and check if its running

/etc/init.d/sendmail start
ps aux | grep -i sendmail

change into the mail config directory and edit the settings
cd /etc/mail

add the following to sendmail.mc
TRUST_AUTH_MECH('LOGIN PLAIN')dnl
define('confAUTH_MECHANISMS', 'LOGIN PLAIN')dnl
define('confSMTP_LOGIN_MSG', '$j')dnl

Comment this line out so Sendmail will listen for remote connections.
DAEMON_OPTIONS('Port=smtp,Addr=127.0.0.1, Name=MTA')dnl.

Make the config
make -C /etc/mail

Check firewall settings to allow access to port 25. Also allow access to other systems on domain by adding relays to the following file

/etc/mail/access
jf.intel.com RELAY

Compile it
makemap hash /etc/mail/access < /etc/mail/access

Check that there is a service listning on 25 by doing a port scan and try to telnet to it remotely
nmap localhost
telnet tsrd-rhel4-1 25
quit

Add you domain to
cd /etc/mail
vi local-host-names
intel.com

Create accounts
useradd webmaster
passwd webmaster
[enter password]
[confirm password]

Associate users to their email addresses

vi virtusertable
webmaster@intel.com webmaster

Compile
makemap -v hash ./virtusertable.db < ./virtusertable

Restart service
/etc/init.d/sendmail restart

Setting up POP3
Download QPopper and compile it
./configure --prefix=/usr --mandir=/usr/share/man
make all
make install

Use xinitd to manage it
cd /etc/xinetd.d
vi qpopper
# qpopper POP3 server
service pop3
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/popper
instances = 50
per_source = 10
log_on_failure += USERID
}

restart init.d
/etc/init.d/xinetd restart

check if the service is running on 110
nmap localhost

Check your mail
telnet localhost 110
user [account name]
pass [account password]

Checking running Kernel support for a module

2006-11-17T01:01:00.000-08:00

For instance this example checks for netfilter support
zgrep -i netfilter /proc/config.gz
CONFIG_NETFILTER=y

Installing Xen 3.0.3 from source on Ubuntu Edgy

2006-11-16T17:35:00.000-08:00

A step by step tutirial for people getting the most out of their PC with Xen virtualization
Getting the latest version of Xen

mkdir /home/xen
wget http://bits.xensource.com/oss-xen/release/3.0.3-0/src.tgz/xen-3.0.3_0-src.tgz

I used xen-3.0.3_0-src.tar from xen source. It contains the folders
patches\
There are a couple of generic linux patches in patches/ and these can be added to over the course of time.
linux-2.6-xen-sparse
This is the xen source tree

Adding Packages to system prior to install
apt-get update

apt-get install iproute bridge-utils python-twisted gcc-3.3 binutils make libcurl3-dev zlib1g-dev python-dev transfig bzip2 screen ssh debootstrap libcurl3-dev x-dev xorg-x11-devel libncurses5-dev tetex-base

These are the important packages I downloaded after many frustrating attempts at failed makes.

gunzip xen-3.0.3_0-src.tgz

tar -xvf xen-3.0.3_0-src.tar

Compiling Xen
Making changes to Makefile and Config.mk prior to install
Add the following options to CFLAGS -fno-stack-protector and -mno-tls-direct-seg-refs

make world

make install
Folders Created by make world followed by make install

pristine-linux-2.6.16.29 :- We will refer to original "untainted" kernel source directory that comes with the distribution as the pristine kernel sources. Pristine is unmodified reference and has patches applied from the patches/ directory.

linux-2.6.16.29-xen[0U]:- A xenized Linux

dist :- Inside dist the boot folder contains files to be copied to /boot, the lib/modules/2.6.16.29-xen0 to be copied to /lib/modules and usr/include/xen to be copied to /usr/include

Files Created by install.sh
The above copying is performed by this script. The important files are

1) xen-3.0.3-0.gz is the Xen hypervisor. It is the one that boots the machine in grub config file with label "kernel".It's the lowest layer of software in the system. You need it but it's not much use on its own - you also need a kernel for domain 0 (usually Linux)

2) vmlinuz-2.6.16.29-xen is the kernel for domain 0, and should be called by xen-3.0.3-0.gz for starting domain0, with label "module" in the grub config.

Other than these two there are configuration files and syms (debug) versions of these also created in the boot directory.

Compiling Dom0
make linux-2.6-xen0-config CONFIGMODE=menuconfig KERNELS="linux-2.6-xen0"

In the kernel comfiguration menu that shows up we enable quota, iptables, dummy network driver as modules.

make linux-2.6-xen0-build
make linux-2.6-xen0-install
depmod 2.6.16.29-xen0
./install.sh

This will copy the Dom0 kernel and the Xen VMM to the boot directory. Now we create the initrd

mkinitramfs -o initrd.img-2.6.16.29-xen0 2.6.16.29-xen0

Move all xen related files to a separate folder inside boot
cd /boot
mkdir xen
mv *xen* xen

Setting up Boot Parameters

I added the following entry to my /boot/grub/menu.lst
title Xen 3.0, kernel 2.6.16-xen <-- Label for boot screen selection
root (hd0,1) <--Harddrive and partition where your MBR resides
kernel /boot/xen/xen-3.gz root=/dev/hda1 dom0_mem=400000 <--Xen VMM module /boot/vmlinuz-2.6.16.29-xen ro console=tty0<--Dom0 ker
module /boot/initrd.img-2.6.16.29-xen <--initrd image. vmlinuz-2.6.11-9-xenU is the kernel that should be used to boot the other domains, the guests.

Usually, it is in the /etc/xen/domU config file as "kernel" parameter. This kernel is a bit smaller than the xen0 kernel but can only run in domUs. You may want to use it in your guests, or you can just use the xen0 kernel everywhere.

Final Checks
To improve performance disable TLS
mv /lib/tls /lib/tls.disabled

Make sure that hotplug udevs shortcuts have been created. There should be a softlink to xen-backend.rules in /etc/udev/rules.d. Make sure it starts with number and not a character.

Reboot Machine into Xen
Edit /etc/apt/sources.list
Uncomment the following lines
deb http://us.archive.ubuntu.com/ubuntu/ edgy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ edgy universe
deb http://security.ubuntu.com/ubuntu edgy-security main restricted
deb-src http://security.ubuntu.com/ubuntu edgy-security main restricted
deb http://security.ubuntu.com/ubuntu edgy-security universe
deb-src http://security.ubuntu.com/ubuntu edgy-security universe

Compile DomU Kernel
cd /home/xen/xen-3.0.3_0-src/
make linux-2.6-xenU-config CONFIGMODE=menuconfig KERNELS="linux-2.6-xenU"

make linux-2.6-xenU-build
make linux-2.6-xenU-install
depmod 2.6.16.29-xenU

Download, Install and Configure xen-tools
mkdir /home/xen
apt-get update
apt-get install xen-tools
vim /etc/xen-tools/xen-tools.conf
dir = /home/xen
debootstrap = 1
size = 6Gb # Disk image size.
memory = 128Mb # Memory size
swap = 256Mb # Swap size
fs = ext3 # use the EXT3 filesystem for the disk image.
dist = edgy # Default distribution to install.
image = sparse # Specify sparse vs. full disk images.
gateway = 192.168.1.1
netmask = 255.255.255.0
passwd = 1
kernel = /boot/vmlinuz-2.6.16.29-xenU
initrd = /boot/initrd.img-2.6.16.29-xen0
mirror = http://ftp.us.debian.org/debian/
mirror = http://gb.archive.ubuntu.com/ubuntu/

Make sure Xend is running
xend start

Create a new virtual Machine
xen-create-image --hostname=vmubuntu1
xm create vmubuntu1.cfg -c

Network Setup
The above xen-tools configuration assigned a static IP address but if you are using dhcp for dom0 you might just want to stick to that for the DomUs.

iface eth0 inet dhcp <-- stick this into your /etc/network/interface file in DomU Make sure that your Dom0's /etc/network/interfaces file is configured correctly because the Xen network scripts pick up the settings from there. I also had to completely get rid of NetworkManager that I was using to manage by Wireless interfaces.
The VM image config file vmubuntu1.cfg should only have the following networking options.

dhcp = 'dhcp'
vif = [ ' ' ]

Make sure the bridge options are configured in /etc/xen/xend-config.sxp.

(network-script network-bridge)
(vif-script vif-bridge)

An ifconfig on Dom0 should show a eth, vif, peth and a xenbr interface. If you don't see these then something broke along the way and you need to try running the networking scripts in /etc/xen/scripts manually and examine the errors. What are all these new interfaces you ask? Well here is how the default bridged networking is supposed to work.

      Domain0 network stack
                ^^
                ||
                ||
      eth0 [local virtual interface]
                ^^
                ||
                || local traffic intended for domain0
                ||
                ||
xen-br0[bridge]<===> vif0.0 [virtual dom0] <===> eth0 [domU virtual nic]
   ||
   ||
   || external traffic
   ||
   VV
 peth0 [real, physical interface]
   ||
 --XX ------------ NETWORK -----------------

If you are not too keen on the default network configuration scripts, it is also easy to set up a bridge yourself

brctl addbr xenbr0
brctl stp xenbr0 off
brctl sethello xenbr0 0
brctl setfd xenbr0 0
ifconfig xenbr0 192.168.1.1 netmask 255.255.255.0 up

Copy over the library files to the new virtual disk
mkdir /mnt/vmdisk
mount -o loop /home/xen/domains/disk.img /mnt/vmdisk
cd /mnt/vmdisk/lib/modules
cp -a /lib/modules/2.6.16.29-xenU .
umount /mnt/vmdisk/

Check that the domains running
xm list

Linux Windows Dual Boot without nuking existing MBR

2006-11-15T14:41:00.000-08:00

Want to try out a Linux Distribution on your Windows PC without nuking your Windows MBR?
Here is how you go about it.

Assuming you partition your drive as follows

grub code (hda0,0), fdisk code /dev/hda1, primary, NTFS, Windows XP: 60 GB
grub code (hd0,1), fdisk code /dev/hda2, primary, ext3, Ubuntu Linux: 14 GB
grub code (hd0,2), fdisk code /dev/hda3, extended
grub code (hd0,3), fdisk code /dev/hda5 Linux Swap: 1 GB (the rule of thumb is twice as large as your RAM)
grub code (hd0,4), fdisk code /dev/hda6, FAT16: 5 GB for sharing

Install grub on (hd0,1). The "0" immediately after "hd" indicates the first hard drive (counting starts at zero instead of one). The "1" after the comma indicates the second primary partition.

Use QTParted to make the Windows partition active (instead of the Linux partition)

mkdir /mnt/shared
mount -t msdos /dev/hda6 /mnt/shared
dd if=/dev/hda2 of=/mnt/shared/ubuntu.bin bs=512 count=1
Reboot into Windows.
Copy ubuntu.bin to C:\
Add C:\ubuntu.bin="Ubuntu Linux" to boot.ini

Resolving stack_chk_fail Error

2006-11-14T00:06:00.000-08:00

Today I moved to the new version of gcc 4.1.2. When trying to compile Xen, it kept giving me a 'stack_chk_fail' symbol not found error.

Took me 4 hours to figure out that it wasn't a problem with Xen but with my gcc.
Apparently the new version of gcc emits extra code to check for buffer overflows, such as stack smashing attacks by default whereas my kernel did not support it and I had been using 2.6.17.10 !

Anyways resolved the problem by adding -fno-stack-protector to the CFLAGS option in the Makefile.

Root Permissions for Linux Live CD

2006-11-10T12:03:00.000-08:00

Installing Ubuntu 6.10. Open up a terminal and set your root password first using sudo passwd root

Detailed Recursive Directory Listing

2006-11-07T17:40:00.000-08:00

Try using the find command find . -maxdepth 4
rather than the overused ls

Redirect stdout to file and screen simultaneously

2006-11-02T13:32:00.000-08:00

./a.out | tee trace.txt

Search, Process, Replace strings in a File using Perl

2006-10-26T18:05:00.000-07:00

I wanted some one-line loop to read a log file containing serial numbers line-by-line, search for a serial using some regular expression, read it into a variable and then mark it as used back into the file so its not used again next time. Here is how it goes

So the file looks something like this

EVAL=SomeSerial1 #Created on Fri Oct 13 11:12:09 2006.
COM=SomeSerial2 #Created on Tue Oct 17 11:19:45 2006.
COM=SomeSerial3 #Created on Tue Oct 17 11:19:45 2006.

#Main
print &getSerialfromFile("./serialnumbers.txt", "COM=");

sub getSerialfromFile($$)
{
my $line;
my ($serials_file, $pattern) = (@_);
open(MAP, $serials_file) or die "failed to open $serials_file, $!";
my @lines = < MAP >
close(MAP);
foreach $line (@lines)
{
next unless ($line =~ s/^$pattern(.*?)\s/used$pattern$1/g) ;
# You can use the serial $1 here
}
open(MAP, ">", "./changed.txt");
print MAP @lines;
close(MAP);
}

Easy Error Logging in Perl via Log4Perl

2006-10-03T14:21:00.000-07:00

Need a quick and dirty tutorial on enabling loggers in your scripts? Here you go.
Download and Install Log-Log4perl-1.06 from CPAN (May prompt you to install IO-Tty-1.07).

The following perl script will let you give you the ability to define 3 filters for your logging: Error, Warn and Info. Warings and Errors are logged to one file and Info messages to the other.

use Log::Log4perl qw(get_logger);

# Define configuration
my $conf = q(
log4perl.logger = INFO, AppInfo, AppWarn, AppError

#filter to match INFO
log4perl.filter.MatchInfo = Log::Log4perl::Filter::LevelMatch
log4perl.filter.MatchInfo.LevelToMatch = INFO
log4perl.filter.MatchInfo.AcceptOnMatch = true

#filter to match Warn
log4perl.filter.MatchWarn = Log::Log4perl::Filter::LevelMatch
log4perl.filter.MatchWarn.LevelToMatch = WARN
log4perl.filter.MatchWarn.AcceptOnMatch = true

# filter to match Error
log4perl.filter.MatchError = Log::Log4perl::Filter::LevelMatch
log4perl.filter.MatchError.LevelToMatch = ERROR
log4perl.filter.MatchError.AcceptOnMatch = true

# Info Appender
log4perl.appender.AppInfo = Log::Log4perl::Appender::File
log4perl.appender.AppInfo.filename = detail.log
log4perl.appender.AppInfo.layout = PatternLayout
log4perl.appender.AppInfo.layout.ConversionPattern = %d %p> %F{1}:%L %M - %m%n
log4perl.appender.AppInfo.Filter = MatchInfo

# Warn Appender
log4perl.appender.AppWarn = Log::Log4perl::Appender::File
log4perl.appender.AppWarn.filename = result.log
log4perl.appender.AppWarn.layout = PatternLayout
log4perl.appender.AppWarn.Filter = MatchWarn

# Error Appender
log4perl.appender.AppError = Log::Log4perl::Appender::File
log4perl.appender.AppError.filename = detail.log
log4perl.appender.AppError.layout = PatternLayout
log4perl.appender.AppError.layout.ConversionPattern = %d %p> %F{1}:%L %M - %m%n
log4perl.appender.AppError.Filter = MatchError
);

# Initialize logging behaviour
Log::Log4perl->init( \$conf );

my $logger = get_logger("issa::test");
$logger->info("License file installed successfully");

Setting up CVS client in Linux

2006-09-29T15:18:00.000-07:00

This assumes that you have an account zanwar (set by your cvs admin) and cvs repository Project/Development on the CVS host cvs.cs.uiuc

>>export CVSROOT=:pserver:zanwar@cvs.uiuc.edu:/home/compiler/cvs/cplusplus
>>cvs login
>>cvs co Project/Development

Red Hat Network Setup

2006-09-29T14:47:00.000-07:00

Personally I think Red Hat's network configuration utilities in no where compare to Knoppix or Ubunto for instance.

Setting up networking is a very manual task. Here are the list of important files I needed to change to setup my Red Hat Enterprise Linux RHEL machine...

>> /etc/sysconfig/network
NETWORKING=yes
DHCP_HOSTNAME=tsrd-rhel4-1
DOMAINNAME=jf.intel.com

>> /etc/sysconfig/networking/profiles/default/hosts
127.0.0.1 localhost.localdomain tsrd-vmrhel localhost
134.134.25.201 tsrd-vmrhel.jf.intel.com tsrd-vmrhel localhost

>> /etc/sysconfig/networking/devices/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
TYPE=Ethernet
DOMAINNAME=jf.intel.com
HOSTNAME=tsrd-rhel4-1
DHCP_HOSTNAME=tsrd-rhel4-1

Also use the /sbin/route command to set up the kernel routing table

Linux Code Coverage profiling Tool

2006-09-18T16:54:00.000-07:00

Compile cpp file with debug options
g++ -ggdb -fprofile-arcs -ftest-coverage -o hello Hello.cpp

Try Running it
./hello

Run Code Coverage tool
gcov Hello.cpp

View the lines that will be executed
vi Hello.cpp.gcov

Loading Dynamic Libraries

2006-08-25T09:50:00.000-07:00

Some Linux API require the use of updated libraries. A common example is gethostbename command that is not thread safe. Attempting to run this with a old glibc while the network is down or with a null parameter will result in a segmentation fault. In order to see what libraries your executable is dependent upon use ldd executatble name. In order to make your executatable use an updated version of glibc, you might need to update your library path via export LD_LIBRARY_PATH=/lib/686

Getting Linux Command History

2006-08-25T09:40:00.000-07:00

Tired of remembering and repeating that long copy command again and again. Use history | grep "scp" and you will get a list of old scp commands you used recently. Execute anyone of them bny typing ! command# . Incidently !! repeats the last command.

Creating a isoLinux Bootable CD

2006-08-16T20:54:00.000-07:00

Open a root shell. The following commands create a temporary directory and copy the files required for the booting of the Linux system (the isolinux boot loader as well as the kernel and the initrd) into it:
mkdir /tmp/CDroot
cp /usr/share/syslinux/isolinux.bin /tmp/CDroot/
cp /boot/vmlinuz /tmp/CDroot/linux
cp /boot/initrd /tmp/CDroot

Create the boot loader configuration file /tmp/CDroot/isolinux.cfg with your preferred editor. Enter the following content:
DEFAULT linux
LABEL linux
KERNEL linux
APPEND initrd=initrd root=/dev/hdXY [boot parameter]

Enter your root partition for the parameter root=/dev/hdXY. It is listed in the file /etc/fstab. Enter additional options for the setting [boot parameter], which should be used during booting. The configuration files could, for example, look like this:
DEFAULT linux
LABEL linux
KERNEL linux
APPEND initrd=initrd root=/dev/hda7 hdd=ide-scsi

The following command (entered at a command prompt) then creates an ISO-9660 file system for the CD.

mkisofs -r -o /tmp/bootcd.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table /tmp/bootcd

-r is important to be case sensitive

The file /tmp/bootcd.iso can be written to CD after that with either graphical CD writing applications, like K3b

Samba mounting Encrypted Linux file from Windows host in Vmware

2006-07-14T08:01:00.000-07:00

vi /etc/samba/smb.conf

[encrypted]
browseable = yes
comment = Encrypted FS on USB
writable = yes
locking = no
path = /encrypted
public = yes

mkdir /encrypted
mount -o umask=0 /dev/mapper/encrypted /encrypted/
/etc/init.d/samba start
smbpasswd -a knoppix

touch /encrypted/hello.txt

Go edit the hello.txt file in vmware windows My Network Places -> Workgroup computers

Verify that it has been changed

cat /encrypted/hello.txt

Creating a encrypted patition visible from both windows and linux

2006-07-13T13:44:00.000-07:00

Download and install uuid-dev, e2fsck and cryptsetup.

dd if=/dev/zero of=myencryptedfile.enc bs=1M count=20
losetup /dev/loop2 myencryptedfile.enc
cryptsetup -c aes -s 256 --verify-passphrase luksFormat /dev/loop2
cryptsetup luksOpen /dev/loop2 encrypted
mkdosfs /dev/mapper/encrypted
mount /dev/mapper/encrypted /mnt
ls /mnt
umount /mnt
cryptsetup luksClose encrypted
losetup -d /dev/loop2

Modifying the kernel's make install initrd image

2006-06-28T11:03:00.000-07:00

# Login as root
# mkdir myinitrd
# cd myinitrd
# gzip -dc < /boot/initrd-your-version-here.img | cpio -i
# edit init do what you want at the top of the script. Usually custom scripts added after mounting /proc but before mounting any drives
# find . | cpio -o -c |gzip -9 > /boot/initrd-your-version-here.img

Single Writer Multiple Readers using Anonymous Pipes

2006-06-27T10:36:00.000-07:00

Use the tee command. Here is an example where I use pipes and the linux cut/paste command to implement a windows like "scanning wireless networks available" in linux.

scan_nets(){
echo "Going to scan nets"
rm -rf *.trace
iwlist $wintf scanning | tee >(grep "ESSID" |cut -d ':' -f 2 > essid.trace ) >(grep "Encryption"|cut -d ':' -f 2 > enc.trace ) | (grep "Quality"|cut -d '=' -f 2 > quality.trace)

paste -d " :" essid.trace enc.trace <(cut -d " " -f 1,3 quality.trace) > table
availnets=`cat table`

selected_net=$($DIALOG --stdout --title "Scanned Networks Available. " --radiolist "Press Cancel to enter your own ESSID

ESSID Encypted? Signal Strength" 18 45 12 $availnets)
retval1=$?
case $retval1 in
0)
echo "Input string is $selected_net";;
1)
echo "Cancel pressed.";;
#No problem will prompt for essid later
255)
$DIALOG --no-close --no-buttons --title "Disable Network" --infobox "User Interrupt going to disable the network" 8 32 10
;;
esac
}

Creating symbolic links for bootup scripts

2006-06-10T14:35:00.000-07:00

If you want to startup a certain service e.g. vmware in runlevel 4 during system bootup.

cd /etc/rc4.d
ln -s ../init.d/vmware S90vmware

The S (as apposed to K) signifies that you want this script to run and the 90 determines the order of being called in this folder.

Coping folders between Machines

2006-06-09T08:23:00.000-07:00

Make sure you ssh/scp deamon is running.
/etc/init.d/ssh start

Regenerate host keys for ssh if necessary
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

package your folder
tar -cvf folder.tar folder | gzip > folder.tgz

copy it
scp folder.tgz root@192.168.1.5:/home/anwar/myfiles

extract it
gunzip folder.tgz
tar -xvf folder.tar

Alternatively you can also use
smbmount //ipaddress/path/to/folder /mountfolder -o username=anwar

Linux Managing multiple Network interfaces

2006-06-09T07:35:00.000-07:00

If you have multiple network interfaces on your machine e.g. a wireless (check using iwconfig) and wired. i.e. eth0 and eth1. Linux will end up using the first one it finds. In order to use the interface of your choice, you can disable one or the other.

ifconfig eth1 down and force the other to take over using the pump command.

# pump -i eth0 --status
Check the status / get details of dhcp on eth0

# pump -i eth0 --release
Release dhcp IP on eth0

# pump -i eth0
Request a dhcp ip for eth0

Setting up Knoppix file system on a hard drive

2006-06-07T11:11:00.001-07:00

A Knoppix installation on you hard drive will use unionfs by default. You can check to see which folders are part of the unionfs tree by using the mount command and you can add more folders via
mount -t unionfs -o dirs=/ramdisk=rw:/KNOPPIX=rw unionfs /

Normally you can only write in the /KNOPPIX folder and therefore you will need to remount it to be writable via
mount -o remount, rw /KNOPPIX/

Another thing you might want to do is chroot /KNOPPIX/ so that you don't confuse / with /KNOPPIX

Before chrooting you can mount the /proc and /dev to the new folders.
mount -o bind /proc /KNOPPIX/proc

Setting up and Formatting encrypted Partitions

2006-06-06T10:44:00.000-07:00

losetup -e AES128 -T /dev/loop7 /dev/sda7

format
mke2fs -j /dev/loop7

changing & formatting partitions

2006-06-05T15:38:00.000-07:00

I prefer using cfdisk over fdisk because it is menu driven. Usually creating a partition table will involve a hda1 primary boot partition followed by a extended partition hda5 (linux), hda 6 (swap) and so on.

format boot via
mkfs.vfat -F 16 -n NAME -v /dev/hda1

format linux via
mke2fs -j -L KNOPPIX /dev/hda5

turn off filesystem checking via
tune2fs -c 0 /dev/hda5

set up swap via
mkswap /dev/hda6

changing a label of partition after you put your data on it
tune2fs -L NEWLABEL /dev/hda5

Disk Space Remaining

2006-06-02T14:55:00.000-07:00

df -h

and

du -hsc

Mounting a compressed image

2006-06-02T13:44:00.000-07:00

Needed when mounting a compressed KNOPPIX file found in the linux boot partition. For instance you need to recover some USB modules to place directly in miniroot.

insmod cloop.o file=/path/to/compressed/image

mount -o ro -t whatever /dev/cloop /mnt/compressed