Sunday, August 22, 2010

every: command not found

This was an interesting puzzle. I was looking at a hardening document for Linux that identified a huge number of files that needed more restrictive file permissions. Among them were /root/.bashc, /root/.bash_profile, /root/.bash_logout, and so on. It made sense-- nobody else needs to read them, yet they were 644 instead of 600.

But the doc pointed out that the user "root" might not use the bash shell. What if he was a psychopath and used csh? In that case you'd have to look for a bunch of .c* files. I immediately realized the best thing to do was to wildcard this task:
chmod 600 /root/.*
And then I moved on.

But within a few minutes... something was wrong. In another window, as user "doug", I tried to list a directory.
-bash: ls: command not found
What? I couldn't even list my home directory. As a matter of fact, I couldn't execute any command.

This is where your heart kind of skips a beat. As root I could list anything, including /bin/ls. So as root, I tried to switch to user doug:
su: warning: cannot changeto directory /home/doug:
  Permission denied
su: /bin/bash: Permission denied
Oh crap!

Eventually it occurred to me. Consider this situation:
ls -a /root
.   ..   .bashrc   .bash_logout   .bash_profile
When I used the dot-splat wild card, it must have picked up dot-dot, which would be the root directory. From there it probably reset the permissions on /bin, /etc, and so on. I just needed to reset those perms to 755.

No luck. As a matter of fact, every directory seemed to be correct. I could not see any permission that was wrong. And then... in a stroke of unparalleled genius, I tried something else. I looked at the only set of directory permissions you can never see:
# ls -ld /
drw------- 24 root root 4096 Aug 22 22:51 /
What about:
# chmod 755 /
# ls -ld /
drwxr-xr-x 24 root root 4096 Aug 22 22:51 /
And now everything works.


In the end, however, I do have to admit one thing: The system was significantly hardened. Hard as a brick!

Installing OpenSSH from Source

I've got a cluster of Fedora 9 machines that run Apache web servers. Since they run Apache 2.2, there is no reason to upgrade the OS. Unfortunately, I stumbled on a bug with Fedora 9's implementation of key authentication with OpenSSH. It was apparently fixed in F10, but as is one of the inherent dangers of Fedora not patched in F9. Rather than kluge around with patching the RPM, I decided to install OpenSSH from source.

When you visit the OpenSSH website you want to get the portable source. I downloaded that onto the box and extracted it to /usr/local to create the openssh-5.1p1 sub. Normally the README file explains the compile sequence but in this case I had to get the instructions from the FAQ.

The first few attempts failed until I installed zlib-devel and openssl-devel. Then it was a simple case of the standard:
make; make install
This placed the binary in /usr/local/sbin, but messed up the etc structure.

All the config files were in etc and not a sub, so I created /usr/local/etc/openssh and moved all the files into the sub. This required an update to the sshd_config, however. I had to edit he HostKey parameters to include the sub in the path.

To test, we execute:
/usr/local/sbin/sshd -Dd \
  -f /usr/local/etc/openssh/sshd_config
Connect from remote. Test the keys. Bug gone. All good.

Now to symlink everything
cd /etc/
mv ssh ssh-redhat
ln -s /usr/local/etc/openssh ssh-openssh
ln-s ssh-openssh ssh
ls -ld ssh*
cd /etc/init.d
cp sshd sshd-openssh
mv sshd sshd-redhat
ln -s sshd-openssh sshd
This gives us a SysV startup script that points to the correct config files, but the wrong binaries. We need to change all the /usr/ entries to /usr/local/:
sed -i "s~/usr/~/usr/local/~" sshd-openssh
(There's actually only two lines, and the first shouldn't count.)

Oddly, on first try, it fails. The reason is that RedHat built the SysV script to check for the path of the config, but didn't provide the path. This means it fails and uses the default. Since we moved the config... it fails. The solution, which makes everything portable is the put the config path where RedHat expects it:
echo 'OPTIONS="-f /etc/ssh/sshd_config" ' > /etc/sysconfig/sshd
Optionally, recompile with the --sysconfdir=/etc/ssh such that both binaries point to the same sub.

One downside is that the binary is running unconfined by SELinux. If you're really ambitious:
chcon -t sshd_exec_t /usr/local/sbin/sshd
chcon -u system_u /etc/init.d/sshd*
chcon -t initrc_exec_t /etc/init.d/sshd*
Restart the service to confine.

Saturday, August 21, 2010

Casa Santosola Barbera D'asti

I went shopping for a Barolo, but couldn't find one in my price range. This was in the Piedmont section, so I gave it a try. It was a very good wine, but... it was not sufficiently different from a so many other Italian reds. When I looked it up on the chart, I found that the grape, the Barbera, is right next to Sangiovese.

The product was good, the price was good, but this one just did not stand out. 6 of 10.

Kim Crawford Sauvignon Blanc

I've recently seen several adds for Kim Crawford's wines, and saw a few positive reviews, so I went about $5 out of the budget and grabbed this Sauvignon Blanc. A few points: Kim also has chardonnay, but go with the sauvignon, since the vineyards are in Marlborough, New Zealand. And as we know, if your doing New Zealand, your doing screw top.

The verdict? You know how snooty wine reviews talk about "hints of pear"? This one takes aroma of pair and smacks you up side the head with it. There is no doubt about the pair flavor.

Unfortunately, I not real big on fruity wines. Decant this one and let it breathe. (That way no one else sees the screw cap.)

6 of 10

Valley of the Moon Chardonnay

After reading an interesting article about California versus European wines, I decided I give a few a try. The gist of the article was the thought that a 90 point wine was a 90 point wine regardless of its point of origin. This is to say that Californians are judged by the same standards as Europeans. As a result, if a California wine is highly rated, it should meet the same standards as its European counterparts.

I've always found Californians to be too flamboyant. The wines, that is. The people that run the wineries in California are always doing stuff to the wine to make it exciting. They want it to be memorable, but usually end up making it just plain bad. Europeans don't do that-- they let wine be itself, and enjoy it for what it is meant to be.

But this one was a 90 point chardonnay, and it was in my price range. And it was wine. Just wine. Not a bunch of pretentious flavoring to enhance the wine drinking experience. Just a good glass of wine. Not great... which was disappointing for a 90 pointer. If it had been unrated, it would have been a 7.

I'm going to say its a 6 of 10

Thursday, August 05, 2010

Bruised, But Better

I went a specialist at Union Memorial Hospital Sports Medicine center in Baltimore. (I know I talk down Baltimore, but this place is way better than anything in DC.) They took off the ER dressings and fit me with a Robocop boot, rather than a cast. Here's the bruising after 48 hours.

It was nearly black at the doctor's office, but moving around has helped circulated the blood and get it to a nice purple.

The cover story is that I fell down the stairs. I didn't figure the insurance would pay if they knew how this really happened. And if I admit what really happened, I'd have to explain why an almost 50, out of shape, computer nerd decided to take up street fighting and kickboxing as a hobby.

Monday, August 02, 2010

Breaking Your Foot is No Fun

It seems that breaking the fifth meta-tarsal of your foot is so common, it has its own name: Jones Fracture. I don't know who Jones is, but I'm glad to have a Jones fracture and not a Johnson Fracture!

No drugs... and they made me walk out of the ER. You bastards!

Now if you'll excuse me, I'm off to update my Facebook status and tweet the news.

Yeah, right.