Tuesday, May 24, 2011

On Running tftpd (in.tftpd) as a Non-root User (DEPRECATED)

The preferred way of securing tftpd is to use the tftp SELinux targeted policy module. This post is now of historic interest only, I have SELinux enabled, using the targeted policy in enforcing mode. That is the right way of doing things.

On RHEL systems, tftpd is started from xinetd as a root user. The configuration is stored in /etc/xinetd.d/tftp. You may wish to run it as a different user for security purposes.  Let's assume that the tftpd user has been created, with login directory set accordingly to /tftpboot.

There are two ways you could try to set tftpd to run as non-root, and only one of them works. You may try to change the user entry in the xinetd configuration file. This will fail when in.tftpd tries to set its supplementary group to nobody, thus -- if you strace -- the following call fails:
[pid 16429] setgroups32(1, [99]) = -1 EPERM (Operation not permitted)

Instead, you should add the -u parameter to the tftpd's command line in its xinetd config file.
server_args = -s /tftpboot -u tftpd -v
where tftpd should be replaced with whatever username you chose for tftpd. That way in.tftpd changes its effective user upon startup.

If you don't want the files served by tftpd to be visible by unprivileged users from the local host (say, if tftpd serves to devices on an isolated, secure network), you should make the /tftpboot directory not world-readable (# chmod o-rwx /tftpboot). Do not change permissions on the files in that directory, though: in.tftpd insists that they be world-readable. This makes sense, since -- in a way -- they do become world-readable via in.tftpd, and the latter doesn't know what other restrictions there may be in place due to network architecture. The files should also be owned by root, that way you can control write access by granting it to others: in this case only the tftpd user will be able to access them anyway, do to permissions on the /tftpboot directory. Remember: tftpd offers no protections from unauthorized access. It is up to your firewall and network architecture to limit access as appropriate.

You can strace a running xinetd process and all its children like so:
# strace -p $(ps -o pid= -C xinetd) -fF

Sunday, May 22, 2011

Qt Compilation Woes on Windows

I've had some tough luck compiling latest Qt 4.7.3 on Windows using VS 2008. I wanted to accomplish following:

  • compile both debug and release builds,
  • have the release build optimized with link time code generation (LTCG),
  • include OpenSSL support,
  • include PostgreSQL support.
Nokia offers a prebuilt Qt package, but I wanted to make sure that the build references the most recent VC runtime, and this requires recompilation of everything.

My setup is a VMware Fusion VM with 32 bit Windows XP.

First of all, LTCG requires plenty of memory, and linking/code generation for WebKit will fail on 32 bit windows unless you do the following:

  1. set the VM to have at least 2G of memory,
  2. boot with the /3g option in boot.ini -- to do that go to System Properties, Advanced, Startup and Recovery.Settings, Edit the startup options file, and duplicate the existing entry in [operating systems] section, adding /3gb switch before /fastdetect, and change the name of the new entry.
  3. save boot.ini, reboot the VM, bootloader will ask you to select the OS, choose the entry you just created.
Then install Qt Libraries for Windows (VS 2008) from Nokia's downloads. It doesn't matter if you use a different version of Visual Studio as you will not be reusing any prebuilt binaries; the package mentioned above includes all the infrastructure needed to rebuild Qt. I can't guarantee that the compilation will succeed with /3G switch on anything else but VS 2008; ideally you should use 64 bit Windows to avoid possibility of a problem. You do need to give plenty of RAM to the VM; my system has 6GB of RAM and I give half of that to the VM while I compile Qt. Ordinarily 1GB is plenty enough.

Since we don't want to retype all the configuration settings each time you run configure, create a file configure_config.cache in your %QTDIR% (say C:\Qt\4.7.3). The file should have contents as follows:
-opensource 
-debug-and-release 
-ltcg 
-plugin-sql-psql 
-openssl 
-no-qt3support 
-qt-libpng 
-qt-libjpeg 
-fast 
-D 
_BIND_TO_CURRENT_CRT_VERSION=1 
-I 
C:\OpenSSL-Win32\include 
-I 
C:\Postgresql-9.0.4\src\interfaces\libpq
-I
C:\postgresql-9.0.4\src\include
-L 
C:\OpenSSL-Win32\lib 
-L 
C:\Postgresql-9.0.4\src\interfaces\libpq\Release
Then you have to download the PostgreSQL source code. Decompress it into the folder that matches the entry from your config cache above. To compile libpq, follow directions in psql documentation chapter 16.2, namely go to C:\\src and issue nmake /f win32.mak. This command has to be issued from the Visual Studio Command Prompt, available from the Microsoft Visual Studio entry in your start menu.

The next step is to download and decompress the OpenSSL-WIN32 binaries provided by Shining Light Productions. Again, decompress it into a folder that must match the entry in the config cache. I wasn't brave enough to attempt recompilation from the source.

The last step is to fire up the Qt build proper. Make sure that nothing else is running in your VM besides the Explorer shell. Turn off virus protection. Then start up Qt Command Prompt -- it is available from the start menu folder created by the Qt installer. Then issue following commands:
configure -loadconfig config
nmake
This is all it takes to build Qt. Note that if the argument to -loadconfig  is foo, then your config cache file  in %QTDIR% must be named configure_foo.cache .