Archive for the ‘Linux’ Category

Roll your own certificates

Posted on the September 28th, 2009 under Computers, Linux, Mac by Martin Bergek

I host a bunch of Internet services. Some, like this site, are for public use but most are intended for personal use. And since I want to keep them personal, security is important.

Most Internet applications can be secured by SSL certificates. This includes HTTPS access for web sites, IMAPS instead of IMAP, encrypted access to subversion repositories. The list goes on.

For a number of years I have been creating my own certificates with the help of OpenSSL. Much can be said about OpenSSL but it is not exactly point-and-click. I created a few scripts to assist me but still I found myself looking through the documentation whenever I needed to create a new certificate or renew an existing one.

To solve this I have now created the attached Bash script, which wraps OpenSSL to set up a two-level certificate hierarchy. The result is a menu-driven, text-based application that will no doubt save me time in the future. Perhaps it can help you too.

I use this to create certificates to be used by Apache, Subversion, Postfix, Dovecot, Microsoft IIS, Microsoft Exchange and a few others.

There are some limitations to this. The hierarchy will be two levels deep, not more and not less. In other words you will get a root certificate authority and one or more subordinate certificate authorities. User certificates will be signed by one of the subordinate CAs. Also, while it supports subject alternative names it only does so for DNS names (I only needed that for Exchange 2007 support). For real-world certificate authorities the certificate signing requests (CSRs) are created outside the certificate authority. Since I will be handling everything myself I have set it up so that CSRs are created inside this application. For that reason it is imperative to keep access to the CA folder structure secure so that the private keys are not compromised.

To use this script just download and extract the attached file. Inside the folder which will be created there will be two files. The file ‘ca’ is the Bash script and the other is a template configuration file. Run the script from within the folder. Certificates will be available in the folder ‘all’ and backups of the certificate hierarchy will be placed in the folder ‘backup’. For more help, please comment.

The script has been verified on Ubuntu 9.04 and Mac OS X 10.5. I don’t think there are any dependencies that aren’t already met by standard OS installations.

Download: ca_v1.tar.gz
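The two-level hierarchy described above (a root CA, one subordinate CA and a server certificate with DNS subject alternative names), written out as plain OpenSSL calls. This is an added example, not the ‘ca’ script from the download; the subject names, lifetimes and key sizes are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: root CA -> subordinate CA -> server certificate (two levels).
# All names and lifetimes below are constructed for illustration.
set -eu

build_chain() (
  mkdir -p "$1" && chmod 700 "$1" && cd "$1" || exit 1
  umask 077   # keys are written unencrypted (-nodes), so keep them owner-only

  # pathlen:0 stops the subordinate CA from issuing further CAs.
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = replaced-by-subj
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test, DNS:autodiscover.example.test
EOF

  # Level 1: self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config ext.cnf -extensions v3_root -subj "/CN=Example Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
  # Level 2: subordinate CA; its CSR is signed with the root key.
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -subj "/CN=Example Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -sha256 -days 1825 -extfile ext.cnf -extensions v3_sub -out sub.crt 2>/dev/null
  # Server certificate with DNS subject alternative names, signed by the sub CA.
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -subj "/CN=mail.example.test" -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -sha256 -days 365 -extfile ext.cnf -extensions v3_server -out server.crt 2>/dev/null
  # Validate the chain: root is the trust anchor, the sub CA the intermediate.
  openssl verify -CAfile root.crt -untrusted sub.crt server.crt
)

if [ "$#" -gt 0 ]; then build_chain "$1"; fi
```

Called with a target folder as its only argument, the script ends by printing `server.crt: OK` when the server certificate validates through the subordinate CA up to the root.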


Audio feedback to shell output

Posted on the September 3rd, 2009 under Computers, Linux, Mac by Martin Bergek

The -f switch to the tail command is a great help when it comes to keeping track of what is going on in some log file. But sometimes you just can’t keep your eyes on the output to see if something is happening. At those times it would help to have some other indication that there is activity. The following small Perl script emits a beep whenever there is a line of data being output.

#!/usr/bin/perl
while(<>)
{
	print "\007" . $_;
}

Just tack the script somewhere in your path. Then, whenever you want some audio feedback just pipe the output to the Perl script (i.e. {some command} | beeper.pl).


Unbrick a Netgear WNDR3300

Posted on the May 4th, 2009 under Computers, Linux, Mac by Martin Bergek

I borrowed a brand new Netgear WNDR3300 from a colleague the other day. I quickly powered it up and accessed the internal configuration web page only to be met by the automatic update function which I hadn’t seen in previous Netgear wireless routers. Before I knew it I had mistakenly aborted the update and the router was more or less dead. The power LED just kept blinking, the router replied to ping but the configuration web page was nowhere to be seen.

I managed to solve the issue by downloading the firmware file from the Netgear site. It is a 3MB file with a .chk file extension.

I then uploaded the firmware using TFTP. The following step-by-step guide is from my Mac but should work on Linux. Start by connecting the wireless router to the computer but don’t power it up. Then open a terminal and type:

tftp 192.168.1.1
binary
rexmt 1
timeout 60
trace
put WNDR3300_V1.0.29_1.0.29NA.chk

Directly after the last line you should then power up the WNDR3300 and wait. Hopefully it will pick up the firmware file from the TFTP client. Once the file has been transferred it will take a few minutes while the router flashes its memory with the new firmware. This is normal. Just wait and hopefully you will have your wireless router back.


Track your whereabouts with a Nokia phone

Posted on the April 30th, 2009 under Computers, Gadgets, Linux by Martin Bergek

This is a follow-up article to a previous story on how to use the GPS in a Nokia phone. The last article described how to use a Python script to query the phone on the position. In this article we will add to the Python script to make it also dispatch position reports as UDP packets as well as a server script that saves the data to a sqlite3 database which is then used to display a web page with a map. The end result will look something like this:

[Image: tracker]

All files are contained in the attached file at the end of this article. The server scripts have been written for Ubuntu 8.04 but will no doubt work on other distributions. Please note that you will need to install a couple of packages (php-sqlite3, php5-sqlite3 and libdbd-sqlite3-perl) to make the scripts run. The various scripts assume that they are all placed in the same location (i.e. in the web site folder). Read the security section below to ensure that the scripts are not publicly available.

Client script
The script ‘tracker.py’ should be copied to the phone according to the instructions in the previous article. Before copying it to the phone it must be edited. You will want to change the server host, the port and the secret.

Sqlite3 database
The data is kept in a sqlite3 database. The initial database is created by running the script create_database.sh. Do not run that script again as it will completely wipe the database.

Server script
Edit the file ‘tracker_server.pl’ and set the port number (line 8) and the secret (in the regexp on line 23) to the same values that you set in the client script. The server is then started by running the server script ‘./tracker_server.pl &’. Add the command to /etc/rc.local if you want it to start automatically when the server is restarted.

Web pages
Create a web site and point the document root to the folder where you put the files. Then reload the server.

Start the script
Finally, start the script on the phone and wait for it to acquire a GPS fix. This should cause the new position to be reflected on the web page.

Security
As mentioned above, it is wise to prevent access to the script files if they are located in the same folder as the web pages. The easiest way is to add an .htaccess file in the web folder with the following content:

<FilesMatch "\.(db|pl|sh|py)$">
Deny from all
</FilesMatch>
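A check to run against the web folder once the rule is in place: it lists files that the pattern does not cover and that are not meant to be served either, such as editor backups or the rollback journal sqlite3 writes next to the database. This is an added example, not part of tracker.zip; the list of public page extensions (PAGE_RE) is an assumption to adjust to the site.

```shell
#!/bin/sh
# Added example: list files in a web folder that the FilesMatch rule would
# still serve. DENY_RE is the page's pattern; PAGE_RE (what is meant to be
# public) is an assumption.
DENY_RE='\.(db|pl|sh|py)$'
PAGE_RE='\.(php|html|css|js|png|jpg|gif)$'

uncovered_files() (
  cd "$1" || exit 1
  # Keep regular files that are neither denied by DENY_RE nor intended page
  # assets. Apache's stock configuration already refuses .ht* files, so those
  # are skipped as well.
  find . -type f | sed 's|^\./||' | LC_ALL=C sort |
    grep -Ev "$DENY_RE" | grep -Ev "$PAGE_RE" | grep -Ev '(^|/)\.ht' || true
)

if [ "$#" -gt 0 ]; then uncovered_files "$1"; fi
```

Any file name it prints should either be moved out of the document root or added to the FilesMatch pattern.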

Attachments
tracker.zip


Ruby on Rails application could not be started

Posted on the April 1st, 2009 under Computers, Linux by Martin Bergek

If you try to run an application with Passenger (mod_rails) and get the error “No such file or directory – /nonexistent” it could be due to some files in the Rails application being owned by root. To fix the issue just change the owner to some other user.

[Image: passenger_error]


Acerfand crashes Acer Aspire One 110

Posted on the March 17th, 2009 under Computers, Linux by Martin Bergek

I have an Acer Aspire One 110 Ab that I have upgraded with 1 GB RAM (for a total of 1.5 GB) as well as upgrading the BIOS to version 3309.

Before upgrading the BIOS, which was done in an attempt to improve the stability of 802.11 networking, the acerfand program worked wonders to keep the fan running as little as possible.

Once I upgraded the BIOS to 3309 the acerfand program no longer worked. Instead of turning the fan off the fan was running at full speed for a second every other second.

On March 14th, version 0.07 of acerfand was released and I tried it out in the hope that it would fix the fan issue for my BIOS version. While it did turn off the fan, it caused the computer to reboot after a few minutes. Clearly, this was even worse than the alternative.

I did some trial and error and changed the value 0x20 to 0x21 (two places) for the 3309 specific values. In other words, roughly half-way down in the file, my acerfand file now looks like this:

"${BIOS_VERSION_3309}")
	#change: handle 3309 seperate 0xAF -> 0x20
	R_FAN=55
	R_TEMP=58
	FAN_CMD_OFF=21
	FAN_CMD_AUTO=00
	RAW_FAN_STATE_OFF="0x21"
	;;

This has completely solved the issue. The fan now stays off as long as the temperature is below 70 degrees Celsius. The rest of the time (which is virtually always) it is dead silent. Case closed. For now.


Target fix for Statpress Reloaded

Posted on the March 3rd, 2009 under Computers, Linux by Martin Bergek

Statpress Reloaded by Manuel Grabowski is a nice and simple plugin that helps to keep track of the hit rate to Wordpress blogs and is something I personally use for this site.

[Image: statpress]

Apart from the fact that the plugin is a bit slow it miscalculates the monthly target hit rates. This has been mentioned to the plugin maintainer but until that fix gets added, here is a short description and fix.

The following section in statpress.php is repeated in four places and is used to normalise the number of hits so far this month over the entire month.

/ date("d", current_time('timestamp')) * date('d', mktime(0, 0, 0, date('m', current_time('timestamp'))+1, 0, date('Y', current_time('timestamp'))))

However, this uses entire days which leads to incorrect results. The error is more predominant early in the month and early in the days.

I have replaced the above segment (four instances) with this:

/ (time() - mktime(0,0,0,date('m'),date('1'),date('Y'))) * 86400 * date('t')

This uses seconds since the beginning of month as the basis for normalisation which is more precise. It is not perfect – among other things it will fail exactly on midnight on the first of each month due to a divide by zero.


Increase upload size to Drupal site

Posted on the March 1st, 2009 under Computers, Linux by Martin Bergek

If you run a Drupal site and want to upload big files you may have run into the default file size limit of 1 MB. While this is probably fine for most blogs it is way too small for most intranet deployments.

The limit for PHP is by default set to 2 MB for file uploads.

To increase this to 10 MB, add the following to the .htaccess file in your Drupal directory or to the Apache site definition:

php_value upload_max_filesize 10M
php_value post_max_size 20M

More information can be found here.


Using Drupal to run an intranet

Posted on the February 26th, 2009 under Computers, Linux by Martin Bergek

I have been looking for ways to replace a Sharepoint driven intranet with something else. The driving force behind this has mainly been one of platform compatibility. Sharepoint is great if you use Office and Internet Explorer on Windows. For all other users it is a usability nightmare.

There are lots of hosted or shrink-wrapped solutions for sale but the market of intranet solutions is now so mature that I felt there had to be open source solutions.

I found Alfresco, LifeRay and a few others and installed most of them. I was perplexed, however, by the sheer amount of features that were enabled out of the box. I really prefer something that starts off light and can then expand according to my needs. KnowledgeTree felt lighter but didn’t do much more than document management and I knew I also wanted a wiki as well as forums.

For a while I tried to integrate KnowledgeTree with MediaWiki and phpBB for a best-of-breeds solution. I couldn’t get all of them to play nicely together and allow users to authenticate using accounts from a Windows Active Directory.

[Image: drupalorg]

In the end I settled on Drupal. Why? It starts off light but has a truck-load of modules that can be added. I like the structure of the code. And it feels fresh – perhaps almost too light. I would have liked to see some professional free themes targeted for intranets, they would have helped to sell in the concept internally in competition with professional offerings.

The question of the authentication integration with Active Directory was solved very nicely by the module “Webserver authentication” and adding HTTP authentication to the web site in Apache where the web server is configured to use the bindings provided by Samba’s WinBind. The only thing to remember is to set the Drupal administrator to the same login name as the administrator in the Windows domain. After that you should disable the log out menu option in Drupal. The only thing remaining is to add some JavaScript code to be able to provide a link to make the browser forget the cookie in order to force a relogin.


Accessing an Oracle database from Perl

Posted on the February 23rd, 2009 under Computers, Linux by Martin Bergek

In the previous post I described how to install the Oracle Database 10g Express Edition on Ubuntu and to add some data. In this article I will show how to access that data from a Perl script.

I assume you already have Perl installed, together with the DBI framework for generic database support. We will need to add DBD::Oracle which is available from CPAN. To install this module, run this as root:

# perl -MCPAN -e shell
cpan> install DBD::Oracle

Two things are worth noting. First, the root user must have the same Oracle environment set as described in the previous article. Just issue ‘source /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh’ to fix that. The second thing to note is that you will most likely get errors during testing of the newly built module which will prevent it from being installed. To override that you will need to add ‘force’ before the command, i.e.:

cpan> force install DBD::Oracle

Now, the groundwork is done and we just need to write the script. Save this in oracle_read.pl and make it executable.

#!/usr/bin/perl -w
use strict;
use DBI;
my $dbh = DBI->connect( 'dbi:Oracle:xe',
      'scott',
      'tiger',
      ) || die "Database connection not made: $DBI::errstr";

my $sql = qq{ SELECT id,name,age FROM persons };
my $sth = $dbh->prepare($sql);
$sth->execute();
my($id, $name, $age);
$sth->bind_columns(\$id, \$name, \$age);

print "List of persons:\n";
while( $sth->fetch() ) {
    print "$name [$age]\n";
}
$sth->finish();
$dbh->disconnect;