linux - 22.9.2004 - 2.2.2006

Book Review -- The Debian System: Concepts and Techniques | Linux Journal - interesting-sounding book about the concepts behind Debian.

ApplicationCatalog - Maemo Wiki - Applications for the Nokia 770 Internet Tablet

FUDMachine SCO

One would think that SCO would eventually understand the signs of the times - but that is not the case.

Sams Teach Yourself Shell Programming in 24 Hours - A whole book about shell programming. And of course, a pretty good introduction to the various tools that Unix systems provide. Certainly recommended for anyone who, for example, has gotten a root server and now wants to do more with it - but otherwise knows Linux mainly from the GUI.

Linux Daemon Writing HOWTO - how to write a daemon under Linux (general information)

Just a Thought

What would actually happen if the GNOME developers went to the Linux kernel mailing list and announced that they recommend users switch to FreeBSD, because the chroot model of Linux is pathetic, the kernel APIs are a mess anyway, Linux still doesn't have really good filesystem notifications, and Linux development simply doesn't take GUI requirements into account enough. Therefore they would suggest that users use FreeBSD, because the Linux kernel programmers are all idiots anyway.

What would Linus' reaction look like?

pyinotify - very nice, finally a usable wrapper for the inotify interface in Linux. With it, Python programs can be informed about changes in the file system - ideal for directory monitoring.
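As an added example (not pyinotify's own code, and not part of the original entry), here is what such a directory monitor does underneath: it talks to the kernel's inotify interface through the glibc wrappers via ctypes, so it runs on a plain Python install on Linux without any third-party module. The class and function names (DirWatcher, describe, demo_watch) and the sample file written into a temporary directory are mine.

```python
# Added example, not pyinotify's code: raw inotify through ctypes, Linux only.
# Names (DirWatcher, describe, demo_watch) and the sample file are constructed here.
import ctypes
import ctypes.util
import os
import select
import struct
import tempfile

# Event mask bits from <sys/inotify.h>
IN_MODIFY = 0x00000002
IN_ATTRIB = 0x00000004
IN_CLOSE_WRITE = 0x00000008
IN_CREATE = 0x00000100
IN_DELETE = 0x00000200
IN_ISDIR = 0x40000000
_MASK_NAMES = {
    IN_MODIFY: "IN_MODIFY", IN_ATTRIB: "IN_ATTRIB", IN_CLOSE_WRITE: "IN_CLOSE_WRITE",
    IN_CREATE: "IN_CREATE", IN_DELETE: "IN_DELETE", IN_ISDIR: "IN_ISDIR",
}

_libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
_libc.inotify_init.argtypes = []
_libc.inotify_init.restype = ctypes.c_int
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
_libc.inotify_add_watch.restype = ctypes.c_int

# struct inotify_event header: int wd; uint32 mask; uint32 cookie; uint32 len; then char name[len]
_EVENT_HDR = struct.Struct("iIII")


def describe(mask):
    """Names of the flag bits set in an event mask, e.g. ['IN_CREATE', 'IN_ISDIR']."""
    return [name for bit, name in _MASK_NAMES.items() if mask & bit]


class DirWatcher:
    """Watch one directory and hand back the events the kernel queues for it."""

    def __init__(self, path, mask=IN_CREATE | IN_MODIFY | IN_CLOSE_WRITE | IN_DELETE | IN_ATTRIB):
        self.fd = _libc.inotify_init()
        if self.fd < 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err))
        self.wd = _libc.inotify_add_watch(self.fd, os.fsencode(path), mask)
        if self.wd < 0:
            err = ctypes.get_errno()
            os.close(self.fd)
            raise OSError(err, os.strerror(err))

    def read_events(self, timeout=0.5):
        """Wait up to timeout seconds, then return [(mask, name), ...] for all queued events."""
        ready, _, _ = select.select([self.fd], [], [], timeout)
        if not ready:
            return []
        buf = os.read(self.fd, 64 * 1024)
        events, off = [], 0
        while off + _EVENT_HDR.size <= len(buf):
            _wd, mask, _cookie, length = _EVENT_HDR.unpack_from(buf, off)
            off += _EVENT_HDR.size
            # name is NUL-terminated and padded to alignment; len covers the padding too
            name = buf[off:off + length].split(b"\0", 1)[0].decode("utf-8", "replace")
            off += length
            events.append((mask, name))
        return events

    def close(self):
        os.close(self.fd)


def demo_watch():
    """Watch a fresh temp dir, create, write and delete a file in it, return the observed events."""
    with tempfile.TemporaryDirectory() as tmp:
        watcher = DirWatcher(tmp)
        try:
            target = os.path.join(tmp, "authorized_keys")  # constructed sample file name
            with open(target, "w") as fh:
                fh.write("sample line\n")  # yields IN_CREATE, IN_MODIFY, IN_CLOSE_WRITE
            os.unlink(target)  # yields IN_DELETE
            seen = []
            while True:
                batch = watcher.read_events(timeout=0.5)
                if not batch:
                    break
                seen.extend(batch)
            return seen
        finally:
            watcher.close()


if __name__ == "__main__":
    for mask, name in demo_watch():
        print(f"{name or '<watched dir>'}: {' | '.join(describe(mask))}")
```

The read loop drains the queue in one os.read and stops at the first timeout; a real monitor would instead loop forever and, for a security use such as watching ~/.ssh, act on the IN_CLOSE_WRITE and IN_DELETE events rather than on every IN_MODIFY.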

Ubuntu and Powerbook

Ok, since my Mac Mini is working hard and everything is functioning as it should, I took the opportunity to install Ubuntu on my Powerbook. I wanted to finally check out how well something like this works today - back in the day, notebooks were quite an adventure with Linux.

Overall, everything looks very good - just like the first impression from the Live DVD. Everything starts properly, the components are mostly well recognized, and the settings are mostly sensible - especially the simple installation (for a test drive I like to install in "dumbest assumable user" mode, just to see how well the people understand their job) leaves behind a well-set-up desktop system.

Unfortunately, I have a notebook. And not just any notebook, but a Powerbook.

Well, the software itself runs. The desktop is nicely set up, and the selection of software is very useful - even all the notebook features are mostly installed. What was missing?

Well, let's start with the simplest thing: a Powerbook has a fixed keyboard layout - the keys are labeled. I'm not planning to rub off the labeling and repaint it to match a PC. Why don't those numbskulls provide a Powerbook keyboard layout? I did find something on the net, but implementing it takes some major effort (either applying a not fully functional patch or adjusting the X start process - neither of which is particularly friendly to the clueless user). Why isn't something like this included with the system? After all, anyone who has seen a Mac keyboard up close knows that it really isn't identical to PC keyboards. This is further complicated by the fact that quite a few Mac keyboard layouts are included - but they only make sense with old ADB keyboards, as those have completely different key codes.

Next up: power management. A lot of software is installed, most of which comes without useful documentation. That's fine - in theory, everything should just be set up. And for the most part, it is set up: when I close my display and open it again, the daemon.log properly records that pbbuttonsd was able to execute the appropriate script.

It would just be nice if the script actually did something...

People, power management is not just a nice-to-have feature for a notebook; it's essential. And everything necessary for it is actually present. Please include it and use it. The Ubuntu installation looks as if the part that would execute the actions was simply left out. And I haven't found out on the fly in which package this might be hidden.

Then there's Bluetooth. The system recognizes all sorts of things, and something is being done with someone - but how, what, and where you can now do something with Bluetooth, that's not really clear. Hey guys, Bluetooth is really not ultra-new anymore, and for Linux, there's been something for quite some time - how about at least some rudimentary tools that show the status?

WLAN still doesn't work - but that's not Ubuntu's fault, it's the stupid manufacturer of the cards. 3D acceleration of the graphics also doesn't work, which is why the desktop is a bit more sluggish than it should be - same reason as with WLAN. It's really a shame that hardware manufacturers put extra obstacles in the way of a free operating system.

Minor annoyances: the trackpad is set to be ridiculously sensitive - almost unusable for people with motor problems. More conservative settings would be much more sensible. And Gnome is still quite wasteful with screen space - hey, my notebook only has 1024x768, I can't just add pixels!

All in all, Ubuntu confirms its good suitability as a desktop system - because the installed system itself is really useful. But notebooks are still the last adventure for the toughest.

And my notebook? Well, I'll probably just go back to Tiger.

Linux-Vserver on Debian Sarge - the title says it all. Bookmark for later - could be interesting for my server.

Mac-on-Linux - strangely never blogged about, so now. Running Mac operating systems in a virtual environment under Linux on Macs - ideal for Linux-powered Mac Minis where you still want to have the odd OS X program ...

Mac-on-Mac is the inverse counterpart to Mac-on-Linux - a port of the virtual machine to OS X, with which you can then run Linux or other Mac systems under OS X in a virtual environment. Status is still very raw ...

Launch Box is a QuickSilver clone for Gnome. Seems a bit rough around the edges and the installation might be a bit hairy due to the hard dependencies.

Linux and RAW Digital Photography provides a lot of information about RAW formats and Linux.

Lphoto is a photo database for Linux, structured similarly to iPhoto for Mac.

Ubuntu Breezy Badger

I pulled the Live+Installation DVD (hey, T-DSL 3000 rules!) and must say, I'm really surprised. Okay, there are a few issues: the keyboard layout is suggested as the default for the PC - but a Mac notebook can have different layouts (externally a PC keyboard, but internally always a Mac keyboard), so the selection should be a bit more clever. If you switch to the Macintosh keyboard in the selection, special characters like the pipe symbol and curly and square brackets and AT and such no longer work - with PC allocation, however, the labeling of the Mac keyboard does not match. And there is no allocation for the Mac special characters.

What also doesn't work is the second monitor - it is simply not detected and activated, not even initialized. Too bad, because Macs do have multi-monitor support by default, at least the PowerBooks and PowerMac models (the iBooks and iMacs only partially and then only with hacks). That should also be included in my opinion.

But otherwise - nice thing. That WLAN is not recognized is normal - or it is recognized, but not usable. Apple's WLAN chips are often not supported there. I also don't know where Bluetooth is configured - I probably need to install packages first. But that could also be done automatically in my opinion if a Bluetooth adapter is detected. Nevertheless, Ubuntu seems quite nice overall - it starts with usable defaults and already supports a lot of the computer. And the extensive translation of at least menus and dialogs in Gnome is very pleasant.

And that a Debian architecture is working underneath is of course particularly dear to me.

However, it is catastrophic that in the Live CD it seems that no terminal can be started anywhere ...

Sooo cool!

BlackDog is a PowerPC computer with 64 MB of memory and a 512 MB flash disk in a mini case that you can plug into any PC running Windows or Linux via the USB port. The PowerPC processor then takes over keyboard, mouse and screen, and starts its Debian Linux, whose desktop you then see on the PC.

The device runs solely on USB power and also has additional biometric access control via fingerprint. Wow. A nice little hacker kit for on the go, you just need to find a host computer.

And it is completely open and hackable in terms of architecture - there is even a hacking competition to develop interesting applications for it. Although I already know what I would put on it - all the necessary network tools. I think I need to motivate the boss at the company to take a closer look at what you can do with such a device. I haven't had such a strong desire to have something for a long time.

Oracle Cluster File System 2 for Linux

The Oracle Cluster File System could already be a nice alternative to GFS and Coda - at least if this really happens:

The Linux developer responsible for the Linux Kernel 2.6, Andrew Morton, wants to include the Oracle Cluster File System version 2 in the official Linux Kernel as soon as possible. Linux 2.6.14 could already contain OCFS 2 and would then be the first cluster component in the official Linux Kernel.

The previous cluster file systems suffer from the lack of integration - most of the time you can't use them in every kernel version. What is interesting to me is how independent the nodes really are and whether there is also a single point of failure in the Oracle Cluster File System, as there is e.g. the Locking daemon in OpenGFS. So far, we have not been very successful in evaluating cluster file systems in the company, actually they were all somehow stupid ...

And now, Mr. McBride?

Shit hits Fan for SCO:

A: There was a release of SCO LinuxWare release 7.1.2 that included the Linux kernel personality and SCO Linux-release 7.1.3 included the Linux kernel personality. At first when it first shipped it did include the Linux kernel packages which were subsequently removed.

I find this somehow fitting when SCO is caught using the Linux kernel - which is under GPL - in their products at least temporarily and delivered with them. Could be one reason why they are now trying to denounce the GPL as un-American and unconstitutional.

Hand Darl McBride the Frog Pills


now he's really going off the deep end:

In detail, McBride lists ten points that speak for SCO and against Linux. Thus, OpenServer is supposedly much cheaper than Linux systems that work with hidden annual licenses, has a superior kernel, and offers significantly higher security than Linux systems where security gaps remain open for weeks. McBride repeatedly emphasizes that his company owns Unix and, for this reason, enjoys greater trust among customers. Furthermore, SCO, as the owner, ensures that there are no splinter groups of incompatible system variants.

Rarely seen such a compact block of bullshit

Crypt::PasswdMD5 is a Perl module that hashes passwords with the MD5-based crypt scheme (the $1$ entries in /etc/shadow) the same way Linux and Solaris do.

md5crypt.py is the same MD5-crypt algorithm, this time in Python.
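To show what both of these modules (Crypt::PasswdMD5 above and md5crypt.py) actually compute, here is an added example of the $1$ MD5-crypt scheme written from scratch on top of hashlib. It is not the code of either module or of the original entry; the algorithm is the published one from the BSD/Linux crypt(3) implementations, while the function names (md5crypt, gen_salt, verify) and the sample password are mine.

```python
# Added example, not from Crypt::PasswdMD5 or md5crypt.py: the "$1$" MD5-crypt
# scheme used in /etc/shadow, implemented on hashlib only. Names are mine.
import hashlib
import hmac
import os

MAGIC = "$1$"
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, ndigits):
    """crypt(3)-style base64: ndigits characters, least significant 6 bits first."""
    out = []
    for _ in range(ndigits):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Return the $1$<salt>$<hash> string for password.

    salt may be given with or without the "$1$" prefix (or as a full stored
    hash); only the first 8 characters up to the next '$' are used, as crypt(3) does.
    """
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split("$", 1)[0][:8]
    pw = password.encode("utf-8")
    sb = salt.encode("utf-8")

    # Step 1: MD5(password + magic + salt), then mix in MD5(password + salt + password),
    # as many bytes of it as the password is long.
    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    # Step 2: for every bit of len(password) feed a NUL byte (bit set) or the
    # first password byte (bit clear); this is the scheme's odd "length mixing".
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # Step 3: 1000 rounds of deliberately irregular re-hashing (the slowdown loop).
    for rnd in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if rnd & 1 else final)
        if rnd % 3:
            ctx1.update(sb)
        if rnd % 7:
            ctx1.update(pw)
        ctx1.update(final if rnd & 1 else pw)
        final = ctx1.digest()

    # Step 4: encode the 16 digest bytes in the permuted order crypt(3) uses.
    f = final
    groups = [
        (f[0], f[6], f[12]), (f[1], f[7], f[13]), (f[2], f[8], f[14]),
        (f[3], f[9], f[15]), (f[4], f[10], f[5]),
    ]
    encoded = "".join(_to64((a << 16) | (b << 8) | c, 4) for a, b, c in groups)
    encoded += _to64(f[11], 2)
    return MAGIC + salt + "$" + encoded


def gen_salt(nchars=8):
    """Random salt from the crypt alphabet, 8 characters as in shadow files."""
    return "".join(_ITOA64[b & 0x3F] for b in os.urandom(nchars))


def verify(password, stored_hash):
    """Check a password against a stored $1$ hash with a constant-time comparison."""
    if not stored_hash.startswith(MAGIC):
        return False
    return hmac.compare_digest(md5crypt(password, stored_hash), stored_hash)


if __name__ == "__main__":
    sample = md5crypt("correct horse", gen_salt())  # constructed sample password
    print(sample, verify("correct horse", sample), verify("wrong horse", sample))
```

The 1000-round loop is the whole point of the scheme: it was meant to make brute force expensive in 1994. Today that is far too cheap, and the same hashlib code with sha512_crypt's 5000-plus rounds (or a memory-hard scheme) is what a new system should store; the example is still useful for checking or migrating old shadow files.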

The equivalent of Apple's FileVault under Linux: automatically mount a dm-crypt encrypted home with pam_mount, which unlocks and mounts the volume with the login password from inside the PAM stack and unmounts it again at logout. Very useful for laptops, but also for administrators' workstations (because of the many security-relevant files that accumulate in the home directory).

And another Linux-on-Mac story. This time an iBook and Gentoo. Quite useful for a small and affordable Linux box for on the go.

The Linux on an Apple Powerbook HOWTO provides exactly what I would need if I wanted to switch my 12" Powerbook to Linux - the author even uses exactly my model. And no, I don't want to switch yet.

Novell will go for SCO's throat

And their considerations on the legal situation would - if they were to hold up in court - really deliver a significant blow to SCO.

The whole SCO-Linux movie is quite exciting, but quite honestly: the lengths between the action scenes are a bit exaggerated.

Linux-VServer is a kernel patch and a set of utilities for running a series of virtual Linux boxes on one base machine, with their resources strongly isolated from each other. Chroot on steroids, or most comparable to BSD jails. Interesting for hosting projects where virtual root servers are required. It's even included in the current Debian.

SCO trips over its own feet

At least that's how it seems when there is an email about No 'smoking gun' in Linux code.

The e-mail, which was sent to SCO Group CEO Darl McBride by a senior vice president at the company, forwards an e-mail from a SCO engineer. In the Aug. 13, 2002, e-mail, engineer Michael Davidson said "At the end, we had found absolutely nothing ie (sic) no evidence of any copyright infringement whatsoever."

The email has been known for some time but has only now been published - previously it was still under seal as part of the court records. Quite embarrassing for SCO when the sad details gradually come to light. Especially embarrassing: SCO argues with the same consultant who apparently found nothing here but previously claimed there was identical code. Somehow, SCO should get its argumentation in order soon, otherwise the whole lie and extortion won't last in the long run ...

Plash: the Principle of Least Authority shell

Interesting concept: Plash is a shell that interposes a library under programs through which all file-system accesses are routed. This allows you to control which operations a program is actually allowed to perform. This time it is not about protecting the system against user activity, but about protecting the user against the activity of the program. Especially when installing programs you don't know, you can sometimes catch a Trojan - Plash helps here by only granting the program the areas of the disk it actually needs.

For this purpose, all file-system accesses are routed internally through Plash's own small file server; the actual program is executed under a freshly allocated user ID in its own chroot jail, so it has no way to touch anything outside that has not been explicitly granted.

Very interesting concept, especially for system administrators. Unfortunately (as expected) it does not work with grsecurity - of course, grsecurity is meant to prevent some of the very tricks Plash uses. In this case it fails on Plash's requirement for an executable stack.

Boot KNOPPIX from a USB Memory Stick - maybe an alternative to spblinux, especially with the c't Knoppix variant?

SPB-Linux is a very small Linux that can be booted from a USB flash drive and enhanced with various extensions (X, Mozilla, XFCE Desktop). It should also be relatively easy to extend with various system administration tools.

Another Colored Study by Microsoft

Study: Windows security updates more cost-effective than open source - nothing new, just another Microsoft-funded and therefore pre-determined study with no value. The interesting part about the studies is only the name of the respective company that conducts the study - you can then add that to the corruption list and remember it in case you need to substantiate any statements with falsified and biased studies ...

Otherwise? Well, the standard errors, of course. First of all, no real evidence, but an unspecified list of companies that were asked what they think about it (as opposed to collecting hard facts). And of course, equating Red Hat with Linux - which is sheer nonsense in itself.

From personal experience with both systems, I can say that our Debian GNU/Linux systems are much easier to keep up to date and therefore much cheaper to patch than the Windows boxes. And this despite the fact that both use their integrated update mechanisms over the network (and for our Windows systems, even fueling stations and internal update servers exist). But I wouldn't be asked for such a study - I wouldn't fit into the Microsoft-funded picture ...

VIA releases EPIA driver - might interest Jutta - the entire X area and the special chips are so far quite poorly documented and supported.

Study Certifies Windows Better Security Than Linux

Study certifies Windows as more secure than Linux - of course, if I compare the security of RedHat and Windows and find out that the company RedHat is even slower than Microsoft, then I conclude that Linux is less secure than Windows. Because it is completely unthinkable that people who operate servers either run essential packages from upstream or get their patches from elsewhere. And there are naturally no other distributions than those of a company that charges exorbitant prices for open source and otherwise behaves in business more like Microsoft. And all of this financed by Microsoft. This is certainly a very relevant study.

The fact that it is nowhere considered whether the respective bugs could actually be used for attacks and whether they are relevant for the scenario at all - who cares. Let's just throw everything into one pile. The fact that Microsoft does not publish all bugs and therefore an objective assessment of open bugs in Windows is completely impossible - who cares. The fact that it is nowhere independently documented when Microsoft first became aware of a bug, so that the actual time during which one was unprotected against it cannot be assessed - who cares. The fact that Microsoft has recently reintroduced bugs that had been fixed long ago (I recall the LAND attack), which casts a pretty bad light on their development methodology - who cares.

But how they now believe that anyone could see this as an objective measurement of vulnerability and why such things are labeled under the keyword "Research", I find really ridiculous ...

SCO Uses Legal Documents from Groklaw and Tuxrocks - wow, great, the advocates of their own intellectual property steal IP from other authors for their websites without citing the source. How embarrassing is that ...

Agata Report is something like Crystal Reports, but for Linux and Open Source. Could be quite practical at times, especially since it can also generate reports that can easily run on a web server.

FUD Campaign Against Linux

Linux Unsuitable for Large Enterprises? At least that's what the Agility Alliance claims. And who are they? Let's take a look at Pro-Linux:

The Agility Alliance, a coalition of various industry heavyweights such as EDS, Fuji Xerox, Cisco, Microsoft, Sun, Dell, and EMC, warns large enterprises against using Linux due to security concerns, scalability issues, and a lack of compelling cost advantages.

Ok. Microsoft. SUN. Cisco. These are, of course, three companies that are particularly predestined to recommend the use of Linux to enterprises.

Rasmussen's particular concern is the potential use of Linux on mainframes, so-called supercomputers. Here, the Agility Alliance believes that Linux does not have a compelling cost advantage over the operating systems promoted by the initiative and also has scalability issues.

Well. Where is IBM in this group - I mean, when it comes to mainframes, wouldn't it be practical if there was someone involved who actually offers real mainframes? Oh, I see, IBM does indeed promote the use of Linux on the mainframe. Well, well, the scoundrels ...

SCO OpenServer 6 with a lot of Open Source - yes, this also means Open Source: that companies like SCO are allowed to use it. It's also fine: when SCO customers have first switched to all the Open Source applications and platforms, the switch to Linux will be much easier for them.

Debian plans to reduce the number of architectures - I don't know if that's such a great idea. The many architectures were one of the pro-arguments for Debian. Of course, exotic architectures can cause problems - especially when they simply can't keep up during the recompile orgies that are due for a release (I'm thinking of the 68K architecture here). Nevertheless, it's a shame if this aspect of Debian is weakened.

Install grsecurity

I played around with grsecurity before, but the installation was a bit tricky - above all, you didn't know what to configure as a starting point and how to begin with reasonable rule-based security; the whole thing was more trial and error than an understandable installation. For a security solution at the operating-system level it is rather bad if you never get the feeling of understanding what is happening.

With the current versions of grsecurity this has largely changed. On the one hand the patches apply cleanly to the kernel; on the other hand there are two essential features that make getting started easier: a Quick Guide and RBAC Full System Learning.

The Quick Guide provides a short and concise installation guide for grsecurity with a starting configuration for all the options that already gives a fairly good basis and leaves out problematic options (which could break some system services). This way you get a grsecurity installation that offers a lot of protection but usually does not conflict with common system services. This is especially important for people with root servers - with a wrong basic configuration they could lock themselves out of the system and thus turn it into an unusable box and a service call.

But the Full System Learning is really nice: here the RBAC engine is transformed into a logging system and it is logged which users execute what and what rights are needed for this. The whole thing is still controlled by corresponding basic configs that classify different system areas differently (e.g. ensure that the user can access everything in his home, but not necessarily everything in various system directories). You just let the system run for a few days (to also catch cron jobs) and then generate a starting configuration for RBAC from it. You can of course still fine-tune this (you should also do this later - but as a start it is already quite usable).

RBAC is basically a second security/rights layer above the classic user/group mechanisms of Linux. The root user does not automatically have all rights and access to all areas. Instead, a user must log in to the RBAC subsystem in parallel to his normal login (which happens implicitly through the system start for system services!). Rules are stored there that describe how different roles in the system have different access permissions.

The advantage: even automatically started system services are only allowed to access what is provided for in the RBAC configuration - even if they run under root rights. They only have limited capabilities in the system until they log in to the RBAC subsystem - but for this, a manual password entry is usually required for the higher roles. Attackers from the outside can indeed gain the user rights restricted by RBAC, but usually cannot get to the higher roles and therefore cannot interfere with the system as much as would be possible without RBAC.

The disadvantage (should not be concealed): RBAC is complex. And complicated. If you do something wrong, the system is locked - quite annoying for root servers that are somewhere out there in the network. You should always have fallback strategies so that you can still reach a blocked system. For example, after changes to the RBACs, comment out the automatic activation at system startup so that a reboot puts the system in a more open state in case of problems. Or have an emergency access through which you can still administer a blocked system to some extent. In general, as with all complex systems: Keep your hands off if you don't know what you're doing.

In addition to the very powerful RBAC, grsecurity offers a whole range of other mechanisms. The second major block is PaX (important: use a current version here, all older ones contain a nasty security hole) - a subsystem that blunts buffer-overflow attacks by removing executability and/or writability from memory regions. This matters most for the stack, since most buffer overflows start there. PaX ensures that writable memory is never executable at the same time, and its randomization options make the address-space layout unpredictable as well.

A third larger block is the better protection of chroot jails. The classic possibilities for processes to break out of a chroot jail are no longer given, since many functions necessary for this are simply deactivated in a chroot jail. Especially for admins who run their services in chroot jails, grsecurity offers important tools, as these chroot jails were only very cumbersome to make really escape-proof.

The rest of grsecurity deals with a whole collection of smaller patches and changes in the system, many of which deal with better randomization of ports/sockets/pids and other system IDs. This makes attacks more difficult because the behavior of the system is less predictable - especially important for various local exploits, where, for example, the knowledge of the PID of a process is used to gain access to areas that are identified via the PID (memory areas, temporary files, etc.). The visibility of system processes is also restricted - normal users simply do not get access to the entire process list and are also restricted in the /proc file system - and can therefore not so easily attack running system processes.

A complete list of grsecurity features is online.

All in all, grsecurity offers a very sensible collection of security patches that should be recommended to every server operator - the possibilities for remote exploits are drastically reduced and local system security is significantly enhanced by RBAC. There is no reason not to use the patch as a standard, for example on root servers, given how simple it is to integrate into an existing system (patch the kernel, rebuild and boot, run the learning mode with gradm, activate the resulting policy - done). Actually, a security patch should be part of the system setup just like a backup strategy.

Now it would of course be even nicer if the actual documentation of the system was a bit larger than the man pages and a few whitepapers - and above all was up to date. This is still a real drawback, because the right feeling of understanding the system does not really set in without qualified documentation ...

SCO vs. Linux: SCO demands insight into IBM's construction plans - I would be interested in the medical term that describes what the SCO management team is suffering from

Virtualized Servers under Linux

rHype is an IBM project that was recently released under an open source license (GPL). It is essentially a hypervisor for Linux - comparable to IBM's LPARs on mainframes, but naturally aimed at much smaller machines.

It could be the ideal complement to Xen - another GPL virtualization project, a hypervisor that runs Linux as a guest. Taken together, both could become an interesting open source alternative to VMware.

Virtualized servers are very interesting for many purposes: in case of problems usually only one virtual machine is lost, and migrating services that live on virtual machines is easier than moving real hardware around. Better a few large boxes with virtualized servers on them than many small boxes with dedicated systems.

Virtualized servers in real use can be done today with User Mode Linux. There, a Linux kernel runs as an ordinary user-space process on top of the real hardware kernel (the guest's system calls are intercepted via ptrace) instead of directly on the hardware. Each virtualized machine has its own user-mode kernel, its own memory and its own virtual disk areas.

LynuxWorks Introduces First User-Mode Linux Software for Apple PowerPC G5 Based on the Linux 2.6 Kernel - with this, logically separated virtual environments under Linux can now be built on PPC machines as well.

Cyclic Dependencies

Debian has a wonderful package system. And it has a whole range of very useful tools to make backports easier - for example, using debootstrap to assemble a chroot environment in which you can safely gather the packages you need for the build and then create the corresponding package. I have used this several times; it is really great.

However, it can sometimes drive you mad. I wanted to install the latest SQLite from Debian testing. For that I first need the tools to build the package. Since I had set up a fresh chroot environment, not everything was there yet - for example, I was missing cdbs, a very powerful (and by now widely used) tool for easily creating Debian packages. I had ported it once before, but I thought the opportunity was good to build a current version.

So I thought. It started harmlessly enough - for the documentation it needs springgraph, a tool for laying out graphs. The tool itself has no build dependencies (apart from the obligatory debhelper). Fine. Builds very quickly too. On installation it then complains about missing Perl modules for the GD2 binding. Ok, porting Perl modules is often annoying, but this one looked quite simple. A series of build dependencies, sure, but otherwise harmless. Except for the fact that it needs cdbs to build.

Aaaaarghl!!!!

Okay, okay, I know what has to be done. Still. Sometimes I get the feeling the Debian maintainers secretly get together to drive me mad.

Linux: Tuning The Kernel With A Genetic Algorithm

Cool - using genetic algorithms for kernel tuning, that has something to it.

It's cool, man!

However, at some point the problem arises that the kernel is smarter than its user ...

Renaissance - GNUstep GUI description language and library, also for OS X Cocoa

freshmeat.net: Project details for Kernel TCP Virtual Server - virtual servers (performance or failover clusters) that switch on protocol content, directly in the Linux kernel

Index of /data/gnustep/ - GNUstep live CD - similar to Knoppix, but with a decent desktop

OpenPsion - Linux for Psion Computers - Linux on the Psion Series 5 and Netbook

SFTP Chroot Howto - explanation of how to set up ssh so that sftp runs chrooted

:: radiant data :: - replicating file system on a P2P basis for Linux