Thursday, January 27, 2005

Links of the day

Posted by Simas |



Tuesday, January 25, 2005

Keeping an eye on FreeBSD ports security

This tip is extremely simple, yet I find it useful. I assume you know how to get "make update" working on /usr/ports. Add it to root's crontab so that it runs before the daily periodic run:
0 23 * * * cd /usr/ports && /usr/bin/make update >/dev/null 2>&1
Install vxquery (cd /usr/ports/security/vxquery && make install). Then make a simple periodic script and name it, for example, /etc/periodic/daily/510.vuxml:
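#!/bin/sh
# Daily periodic script: report installed ports that have known VuXML entries.

vxquery="/usr/local/bin/vxquery"
vulns="/usr/ports/security/vuxml/vuln.xml"

# Load the periodic(8) defaults and any local overrides (/etc/periodic.conf).
if [ -r /etc/defaults/periodic.conf ]
then
  . /etc/defaults/periodic.conf
  source_periodic_confs
fi

case "${daily_vuxml_enable}" in
  [Yy][Ee][Ss])
      echo ""
      echo "Ports security status:"
      if [ ! -x "${vxquery}" ]
      then
        echo "daily_vuxml_enable is set, but vxquery is not executable"
        rc=2
      else
        # Feed the list of installed packages to vxquery on stdin.
        /bin/ls /var/db/pkg | "${vxquery}" -f - "${vulns}"
        rc=0
      fi
      ;;
  *)
      # Not enabled: do nothing.
      rc=0
      ;;
esac

exit $rc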
As you can see from the script, you need to set daily_vuxml_enable="YES" in /etc/periodic.conf. Also, if you want to get these reports by email every day, check that daily_output is set to your mail address (and that sendmail can send mail, of course). That's it.

Posted by Simas |



Thursday, January 20, 2005

FreeBSD, Linux and md5 passwords

Ok, I hope this bit will be interesting for you. Do you know how passwords are encrypted on FreeBSD or Linux systems using md5? You can read manuals, but manuals are not that interesting :)

Ok, so md5 is a one-way encryption algorithm, no wonder. That means that once your password is encrypted, it can't be decrypted in any way. If you look at /etc/master.passwd (that's /etc/shadow for Linux users), you'll see the encrypted password in the second field, beginning with $1$. That's md5 (blowfish is identified with $2$, and DES passwords are a long forgotten dream, I hope).

So, now comes a natural question: how does the system know whether your password is correct if it's one-way encryption? The answer is also natural: when you enter your password at the login prompt, the system takes it, encrypts it and does strcmp() to see if your entry matches the password field in passwd. Pretty easy, huh?

Now this is where the fun begins. Let's create user test with password test on two hosts - host1 and host2:

host1# pw useradd test
host1# passwd test
Changing local password for test
New Password:
Retype New Password:

host2# pw useradd test
host2# passwd test
Changing local password for test
New Password:
Retype New Password:

Now, let's check how these encrypted passwords look. Oh, and use awk, just to impress everyone and feel l337:

host1#  cat /etc/master.passwd | awk -F: '/^test/{print $2}'

$1$0fsdwehr$kEIXECc/fokqQiRiLs4h81

If you run the same command on host2 though, your output will be different:

host2#  cat /etc/master.passwd | awk -F: '/^test/{print $2}'

$1$pQ/TC9P5$qZWnv7BhKPNhISPK/2dQA0

And if you change the password to the same one again on either host, once again you'll see a different value in the field. Also, if you copy that field from host1 and put it in place on host2, user test will still be able to log in with his password (test, that is). Now, here's the question: how can this password field be different each time, and the system still know whether the password is correct on login, if this is a one-way encryption algorithm? How can it be that you get a different md5 value each time and are still able to strcmp() your login password and the value stored in the passwd file?

If, by any accident, you went to university to study computer science or math and, by any accident, you managed to go to more than one lecture in the semester, you'll probably know that encryption algorithms usually have seeds (huh, huh... Hey Beavis, he said seed). A seed (for password hashes it's usually called a salt) is some random value which is used in the algorithm to randomize the result. That way, without knowing the specific seed, even if you have the algorithm which was used, it's not an easy task to decrypt the result (if the algorithm can be decrypted at all).

So, by now, you can guess: the password field stores not only the encrypted password value, but also the seed. Now look again at the password fields above. If you look long enough and don't fall asleep, you'll probably see that there are actually 3 dollar signs. Yup, they are used as separators, and the last $ separates the seed from the actual encrypted password value.

Mkay, and now probably the last question: why the hell do we need to have a seed and a password in that field? Why can't we use one standard seed for the system? Because it's not fun. Because with one standard seed, it's much easier for someone to make a database of original passwords and their crypted equivalents (you know what that means, don't you?). There are some such databases, but are they worth much, given all of the above?
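
The login check described in this post, as an added example (not code from the original post, and not the system's own crypt(3) source): a small Python version of the $1$ md5-crypt scheme that takes the seed out of the stored field, re-hashes the typed password and compares. The names md5_crypt and check_login are made up for this example; the two seeds are the ones in the password fields shown above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """Return the $1$ (md5-crypt) password field for a password and seed."""
    pw, sl = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    for i in range(len(pw), 0, -16):        # mix in alt, 16 bytes at a time
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:                                # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                   # 1000 rounds make each guess costlier
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = []                                # crypt's own base64-like encoding
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += [ITOA64[v >> s & 63] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 63], ITOA64[final[11] >> 6]]
    return "$1$" + salt[:8] + "$" + "".join(out)

def check_login(typed: str, field: str) -> bool:
    """What login does: take the seed from the stored field, re-hash, compare."""
    _, scheme, seed, _ = field.split("$")
    if scheme != "1":
        raise ValueError("not an md5-crypt field")
    return hmac.compare_digest(md5_crypt(typed, seed), field)

if __name__ == "__main__":
    # Same password, the two seeds from the post: two different fields,
    # and each one still verifies because the seed travels with it.
    for seed in ("0fsdwehr", "pQ/TC9P5"):
        field = md5_crypt("test", seed)
        print(field, check_login("test", field), check_login("toast", field))
```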

Posted by Simas |



Tuesday, January 18, 2005

Solaris, packages and pain in the ass

Please, don't get me wrong. I love Solaris as a system. I really do, and I think most of these opensource, unix-like systems lag behind. But it's good until it comes to package management. Maybe it's just me, but I really do think that Solaris package management sucks, and sucks a lot. Or maybe I'm too sentimental about the FreeBSD ports system...

Because of this crippled Solaris package management I decided to stick with these only for a base system, and for most freeware I need to try some alternatives. And yes, I hate that smpatch requires java (and by the way, on my Solaris 10 build it fails with a java exception, but maybe it's just too old and not well enough tested a build).

I found three alternatives: pkg-get, NetBSD pkgsrc and Gentoo portage (if you know more, please comment :) ). And none of them suits me enough. pkg-get seems to be the most mature and stable solution, binary updates and all that. But it smells like Debian, and I hate that :) NetBSD doesn't have binary packages, although it supports them. They are just gone from the ftp server, it seems. And gentoo portage... It's some bad joke on Solaris, but maybe sometime in the future it will reach a pretty stable status (AFAIK it's developed by only one person). So, I see only two solutions: use pkg-get and feel some bad taste in the mouth, or use pkgsrc on a dedicated machine to build packages for production...

Comments, ideas?

Posted by Simas |



Wednesday, January 12, 2005

IBM frees 500 patents

This is interesting. Yet there's no word on what these patents really are. I suppose if you don't "open" something these days, you're out of fashion. Mmmm, what will be next in line? Microsoft will open source Internet Explorer? :)

Posted by Simas |



Friday, January 07, 2005

Delicious

Well, that I didn't expect... I've used delicious for some time, but for it to appear in Newsweek... I wonder what content this will bring to my RSS reader. I just hope this won't become some sort of another pr0n/warez posting portal :)

Posted by Simas |



Tuesday, January 04, 2005

Homepage deletion

So, finally, my old homepage was deleted. I don't mind, I guess, but still, there was some really important information (which is now missing). I hate when that happens... Ok, whatever, it's about time (considering that this page was on one of the servers at my previous job, which I left two years ago)...

Posted by Simas |



Monday, January 03, 2005

First

Mkay... So, I cleared all my previous entries to start a brand new weblog (it's not that the previous entries were important, they were just some random crap I filled into some blog editors for testing). Welcome ;-)

Posted by Simas |


