Tuesday, October 04, 2011

Using samba 3.6 with RHEL 6 and SELinux (OBSOLETE)

Update 2: No, it doesn't work with sernet samba, but I'll look at where it fails; perhaps I need a relabel.

Update 1: This used to be a problem when RHEL 6 came out. They have since updated the samba policies and it now works out of the box.

I have a default installation of RHEL 6, yet want to use samba 3.6 from sernet on it. This doesn't work out of the box: nmbd is denied by the samba SELinux policy shipped with RHEL 6 and dies.

A simple workaround is to make the smbd_t and nmbd_t domains permissive. SELinux keeps logging the denials for a permissive domain, so you can investigate them and build an additional policy module that allows exactly what is missing (admittedly I never bothered; Red Hat fixed their policy to work with samba 3.6).

semodule -d sambagui
semanage permissive -a smbd_t
semanage permissive -a nmbd_t
semodule -l | grep '[sn]mb'
# should show permissive_[sn]mbd_t...

A broader, and therefore not recommended, workaround was to disable the samba policy modules altogether:

# semodule -d sambagui
# semodule -d samba
# semodule -l | grep samba
# should show sambagui and samba as Disabled

Dan Walsh's blog is a good reference for writing SELinux policy modules.

The audit.log entry looks like the following:

avc:  denied  { create } for  pid=3815 comm="nmbd" name="unexpected" scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=sock_file
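Because a permissive domain still logs every denial, the AVC lines collected while smbd_t and nmbd_t are permissive are exactly what a local policy module needs. The function below is an added example, not code from this post: it does the core of what audit2allow does, reading AVC denial lines and printing the corresponding allow rules so you can review them before building a module. The first sample line is the denial quoted above; the second is constructed for the example, and the helper names (avc_to_allow, sample_avc) are made up here.

```bash
#!/bin/bash
# Added example, not from the original post: map SELinux AVC denials to the
# allow rules a local policy module would need (the core of audit2allow).
# Reads audit lines on stdin; prints one rule per distinct
# (source type, target type, class, permission set).

avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)     # drop everything before "{ "
        sub(/ *[}].*/, "", perms)             # drop everything from " }" on
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:TYPE:level; the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }' | sort -u
}

# Constructed sample input: the first line is the denial quoted in the post,
# the second is made up for the example (same domain, a second permission set).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1317740000.123:45): avc:  denied  { create } for  pid=3815 comm="nmbd" name="unexpected" scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=sock_file
type=AVC msg=audit(1317740000.456:46): avc:  denied  { read write } for  pid=3815 comm="nmbd" name="unexpected" scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=sock_file
EOF
}

# Stand-alone run: show the rules the sample would produce. On a real box you
# would feed it "ausearch -m avc -c nmbd" output instead, review the rules,
# and only then turn them into a module with audit2allow -M.
sample_avc | avc_to_allow
```

Review the printed rules before loading anything: a denial on samba_var_t:sock_file is plausible for nmbd, whereas a rule granting nmbd_t write access to something like etc_t would be a sign that the real problem is a mislabelled file, which a relabel fixes without widening the policy.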

Saturday, October 01, 2011

No X11 ssh Forwarding from an RHEL Server

I've done a recent server-style installation of RHEL 6 and tried to use the system-config tools over an ssh -X connection. This fails silently. It turns out you need to yum install xorg-x11-xauth on the server: without xauth, sshd cannot set up the forwarded display, and running the client with ssh -vX shows the remote side complaining that there is no xauth program. Easy peasy once you figure it out, that is :)

Monday, September 19, 2011

Batch File Renaming in bash with Regexes/Regexps

The bash shell has a built-in POSIX extended regular expression (ERE) matcher, the =~ operator inside [[ .. ]], and it exposes the parenthesized matching subexpressions through the BASH_REMATCH array. Here's how to use it to rename a bunch of .JPG files to .jpeg:

for f in *.JPG; do [[ $f =~ ^(.+)\.JPG$ ]] && mv -n -- "$f" "${BASH_REMATCH[1]}.jpeg"; done

The [[ .. ]] test ensures that the rename is only executed when the file name matches the regexp; the BASH_REMATCH array is filled in by the =~ operator as a side effect of the match. The anchors (^ and $) and the quotes around "$f" matter: without the anchors a name such as a.b.JPG matches only b.JPG and loses its prefix, and without the quotes a name containing spaces breaks the mv. The -n flag keeps mv from silently overwriting an existing .jpeg. Do not quote the regular expression itself inside [[ .. ]]: any quoted part of the pattern is matched as a literal string rather than as a regexp.
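The one-liner generalizes into a small rename function. The following is an added example, not code from this post: it takes an anchored ERE and a template that refers to the capture groups as {1}, {2}, ..., quotes every expansion so names with spaces survive, supports a dry run, and refuses to overwrite an existing target. The helper names rename_by_regex and demo, and the sample file names, are made up for the example.

```bash
#!/bin/bash
# Added example, not from the original post: batch rename driven by a bash ERE
# with capture groups, done safely (quoted expansions, anchored pattern supplied
# by the caller, dry-run mode, no silent overwrite).

# rename_by_regex DIR REGEX TEMPLATE [--dry-run]
#   REGEX    bash/POSIX ERE, e.g. '^(.+)\.JPG$' (anchor it, or a.b.JPG loses "a.")
#   TEMPLATE new name, with {1} {2} ... standing for BASH_REMATCH[1], [2], ...
# Prints "old -> new" per file. Returns 1 if any rename was skipped because the
# target already existed (that file is left untouched).
rename_by_regex() {
    local dir=$1 regex=$2 template=$3 dry=${4:-} rc=0 f name new i ph
    for f in "$dir"/*; do
        [ -e "$f" ] || continue                  # empty dir: the glob stays literal
        name=${f##*/}
        [[ $name =~ $regex ]] || continue        # $regex unquoted: used as a regexp
        new=$template
        for ((i = 1; i < ${#BASH_REMATCH[@]}; i++)); do
            ph="{$i}"
            new=${new//"$ph"/${BASH_REMATCH[i]}} # quoted pattern: literal {i}
        done
        if [ -e "$dir/$new" ]; then
            printf 'skip %s: %s already exists\n' "$name" "$new" >&2
            rc=1
            continue
        fi
        printf '%s -> %s\n' "$name" "$new"
        [ "$dry" = "--dry-run" ] || mv -- "$f" "$dir/$new"
    done
    return "$rc"
}

# Stand-alone demonstration on constructed files in a scratch directory.
demo() {
    local d
    d=$(mktemp -d)
    touch "$d/IMG 001.JPG" "$d/holiday.pic.JPG" "$d/notes.txt"
    rename_by_regex "$d" '^(.+)\.JPG$' '{1}.jpeg'   # IMG 001.jpeg, holiday.pic.jpeg
    rm -rf "$d"
}
demo
```

Run it first with --dry-run to see the planned renames; the skip messages go to stderr so the "old -> new" list on stdout stays clean enough to pipe elsewhere.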

Thursday, July 21, 2011

Migrating Zimbra 6 to Zimbra 7

I have a Zimbra 6.0.13 server running on a 32 bit CentOS 4 box. The goal is to migrate it to Zimbra 7.1.1 on 64 bit CentOS 6.

I have a bare installation of Zimbra 7.1.1 running on a CentOS 6 VM. I reused the /opt/zimbra/config.#### file from the old server to do a "kickstart" installation. The config file required a couple of tweaks. First of all, the rpm package installs will fail if apache-core is not the first package listed in the set of packages to be installed. You also need to switch to a non-upgrade install and add a quarantine account; all of that belongs in the config file. You can simply run the installation once and let it fail; it will create an updated config file. Grab that config file before it disappears when you uninstall, and tweak it with all the new settings now visible.

I tried the direct migration path using the admin console's migration wizard on Zimbra 7. It works great for copying user accounts over, but it uses LDAP and is very lossy when moving mailbox data. So I used the wizard to pre-provision the user accounts, and then ran zmztomig to move the individual mailboxes. This retains most things, save for aliases, shared calendars, and similar miscellany.

It turns out that migrating by upgrades, first across 32-to-64 bits and then up the versions, is a bit tedious. Our server has been on a constant upgrade treadmill since very early Zimbra versions, and there is cruft in the settings that one has to fight on every update. It wasn't worth it.

I ended up copying the account list using the migration system, followed by filters and account contents using export/import.

Monday, June 20, 2011

Two Analog Circuit Design Greats are Lost

What a sad week it was. Bob Pease passed away on June 18th, 2011, in a car crash. Jim Williams passed away on June 12th, 2011, two days after suffering a stroke. Two analog circuit design legends, great educators and explainers. I'll miss you, guys!

Bob Pease (photo below): working on an LM131 breadboard in the year I was born.

Jim Williams (photo above): in front of a Minuteman guidance package;
(photo below): in his lab.

Tuesday, May 24, 2011

On Running tftpd (in.tftpd) as a Non-root User (DEPRECATED)

The preferred way of securing tftpd is to use the tftp SELinux targeted policy module. This post is now of historic interest only: I have SELinux enabled, using the targeted policy in enforcing mode, and that is the right way of doing things.

On RHEL systems, tftpd is started from xinetd as root. The configuration is stored in /etc/xinetd.d/tftp. You may wish to run it as a different user for security purposes. Let's assume that a tftpd user has been created, with its login directory set to /tftpboot.

There are two ways you could try to make tftpd run as non-root, and only one of them works. You may try to change the user entry in the xinetd configuration file. This fails because in.tftpd, already unprivileged at that point, tries to set its supplementary group to nobody, which only root may do; under strace the following call fails:
[pid 16429] setgroups32(1, [99]) = -1 EPERM (Operation not permitted)

Instead, add the -u parameter to tftpd's command line in its xinetd config file:
server_args = -s /tftpboot -u tftpd -v
where tftpd should be replaced with whatever username you chose. That way in.tftpd still starts as root, so the group setup succeeds, and it then drops to the given user itself upon startup.

If you don't want the files served by tftpd to be visible to unprivileged users on the local host (say, if tftpd serves devices on an isolated, secure network), make the /tftpboot directory not world-readable (# chmod o-rwx /tftpboot). Do not change permissions on the files in that directory, though: in.tftpd insists that they be world-readable. This makes sense, since in a way they do become world-readable via in.tftpd, and the latter doesn't know what other restrictions may be in place due to the network architecture. The files should also be owned by root; that way you control write access by granting it explicitly to others, and in this case only the tftpd user will be able to reach them anyway, due to the permissions on the /tftpboot directory.

Remember: tftpd offers no protection against unauthorized access. It is up to your firewall and network architecture to limit access as appropriate.

You can strace a running xinetd process and all its children like so (-p takes a single PID, so if several xinetd processes are running, pick one):
# strace -p $(ps -o pid= -C xinetd) -fF
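The xinetd stanza described above, together with checks for the /tftpboot layout the post recommends, as an added example rather than anything from the original post. The stanza values other than server_args are the stock RHEL 6 ones and are an assumption; the helper names (tftp_xinetd_stanza, tftpboot_dir_ok, tftpboot_files_ok, tftpboot_owner_ok) and the sample file names are made up for the example.

```bash
#!/bin/bash
# Added example, not from the original post: the /etc/xinetd.d/tftp stanza the
# post describes, plus checks for the recommended /tftpboot permissions.

# Print the xinetd stanza: xinetd still starts in.tftpd as root (so setgroups
# succeeds), and in.tftpd itself drops to the -u user after start-up.
# Everything except server_args is assumed to be the stock RHEL 6 default.
tftp_xinetd_stanza() {
    local user=${1:-tftpd} root=${2:-/tftpboot}
    cat <<EOF
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s $root -u $user -v
        disable                 = no
}
EOF
}

# The directory itself must not be world-accessible (chmod o-rwx /tftpboot):
# fails if any "other" permission bit is set.
tftpboot_dir_ok() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -maxdepth 0 \( -perm -001 -o -perm -002 -o -perm -004 \) -print)" ]
}

# Every regular file must stay world-readable, or in.tftpd refuses to serve it.
tftpboot_files_ok() {
    [ -z "$(find "$1" -maxdepth 1 -type f ! -perm -004 -print)" ]
}

# Files should be owned by root (default) so the -u user cannot rewrite them.
tftpboot_owner_ok() {
    local owner=${2:-root}
    [ -z "$(find "$1" -maxdepth 1 -type f ! -user "$owner" -print)" ]
}

# Stand-alone run against a scratch directory laid out the way the post advises
# (constructed file; nothing is written under /etc or /tftpboot).
d=$(mktemp -d)
touch "$d/pxelinux.0"
chmod 0750 "$d"; chmod 0644 "$d/pxelinux.0"
tftp_xinetd_stanza tftpd "$d"
tftpboot_dir_ok "$d" && tftpboot_files_ok "$d" && echo "layout ok: $d"
rm -rf "$d"
```

The three checks are deliberately separate: a world-accessible directory is a local disclosure problem, a non-world-readable file is a service failure, and a file not owned by root means the unprivileged tftpd user (or anyone who compromises it) can alter what gets booted.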

Sunday, May 22, 2011

Qt Compilation Woes on Windows

I've had some tough luck compiling the latest Qt 4.7.3 on Windows using VS 2008. I wanted to accomplish the following:

  • compile both debug and release builds,
  • have the release build optimized with link time code generation (LTCG),
  • include OpenSSL support,
  • include PostgreSQL support.

Nokia offers a prebuilt Qt package, but I wanted to make sure that the build references the most recent VC runtime, and this requires recompilation of everything.

My setup is a VMware Fusion VM with 32 bit Windows XP.

First of all, LTCG requires plenty of memory, and linking/code generation for WebKit will fail on 32 bit Windows unless you do the following:

  1. set the VM to have at least 2G of memory,
  2. boot with the /3GB option in boot.ini: go to System Properties, Advanced, Startup and Recovery, Settings, edit the startup options file, duplicate the existing entry in the [operating systems] section, add the /3GB switch before /fastdetect, and change the name of the new entry,
  3. save boot.ini and reboot the VM; the bootloader will ask you to select the OS, so choose the entry you just created.

Then install Qt Libraries for Windows (VS 2008) from Nokia's downloads. It doesn't matter if you use a different version of Visual Studio, as you will not be reusing any prebuilt binaries; the package mentioned above includes all the infrastructure needed to rebuild Qt. I can't guarantee that the compilation will succeed with the /3GB switch on anything but VS 2008; ideally you should use 64 bit Windows to avoid the problem altogether. You do need to give plenty of RAM to the VM: my system has 6GB of RAM and I give half of that to the VM while I compile Qt. Ordinarily 1GB is plenty.

To avoid retyping all the configuration settings each time you run configure, create a file configure_config.cache in your %QTDIR% (say C:\Qt\4.7.3). The file should have contents as follows:
Then you have to download the PostgreSQL source code. Decompress it into the folder that matches the entry in your config cache above. To compile libpq, follow the directions in the PostgreSQL documentation, chapter 16.2: go to C:\\src and issue nmake /f win32.mak. This command has to be issued from the Visual Studio Command Prompt, available from the Microsoft Visual Studio entry in your start menu.

The next step is to download and decompress the OpenSSL-WIN32 binaries provided by Shining Light Productions. Again, decompress it into a folder that must match the entry in the config cache. I wasn't brave enough to attempt recompilation from the source.

The last step is to fire up the Qt build proper. Make sure that nothing else is running in your VM besides the Explorer shell. Turn off virus protection. Then start the Qt Command Prompt, available from the start menu folder created by the Qt installer, and issue the following command:
configure -loadconfig config
This is all it takes to build Qt. Note that if the argument to -loadconfig is foo, then your config cache file in %QTDIR% must be named configure_foo.cache.

Friday, February 11, 2011

Wire Stripper, Who Art Thou?

There is an 8-34AWG self-adjustable stripper, offered under Thomas&Betts, Molex and Cooper/Xcelite brands.

The prices offered for each of those can vary by a factor of 2 and more, even though every row in the table below seems to be exactly the same part.

The table below should help searching for the best deal out there.

                                    Thomas&Betts    Molex         Cooper/Xcelite
Stripper w/ straight blade          ERG1-WS         63817-0000    SAS3210
Straight blade (for regular wire)   SBC-1           63817-0070    SAS3210RB
V-shaped blade (for teflon wire)    (part numbers not given)

Saturday, January 15, 2011

Restoring a Mac to (almost) Factory State

This post has been retired. The most up-to-date information is at http://apple.stackexchange.com/a/150659/45058.