Archive for the ‘openbsd’ Category

Update 20100209 – Debian Lenny, TinyCore, emacs, ratpoison, oroborus, and security of small distros

February 9, 2010

AA1
I’ve intended to sell this thing but haven’t yet. I updated my AA1 page last week to reflect the fact that I really don’t run Linux on it anymore. I still have {Tiny,Micro}Core set up on it, but I’ve booted that maybe three times in the past few months including once this morning to get my emacs-related files. I don’t know if the issues with wireless were related to the network stack, the ath5k driver itself, wpa-supplicant, or a combination of factors. For the last time, it’s NOT a hardware issue because the problem never happened (meaning started) under Windows; it only happened (started) under Linux and persisted after rebooting. I occasionally boot TinyCore from a USB stick on my other computers (see below).

New Desktop/Workstation
It came with Windows XP Pro installed. I first installed Scientific Linux 5.4 via the live CD, which provides a Gnome desktop. I’ve already posted about adding an old hard drive that had OpenBSD 4.3 on it, on which I installed NetBSD 5.0.1 after backing up $HOME. I’ve been too busy to even update SL54 (which I know has updates because I was also running it on my new-old laptop for a while), let alone configure NetBSD beyond the basics (e.g., setting up my network card even though it’s not yet networked, SSH, etc.). I’d hoped to set it up further this past weekend but I’ve been eye-deep in a stack of reports to edit and charts to generate.

New-Old Laptop
I’m still using Debian Lenny, which I installed using net install. I let it go ahead and install the default Gnome desktop even though I initially thought about just doing a minimal installation and adding what I wanted. One of the reasons I did that is because life has been so hectic the past 18-24 months that I care a lot less about bloat than I do about the convenience factor and having everything ready to roll. Otherwise I’d already have the other computer set up and ready to roll, no?

I have switched some apps around, though. I was using xemacs but decided instead to revert to GNU emacs 21.4 from backports so I’ll have more of the modes I’ve come to take for granted and which require either finding via apt or from their developers. I’m posting this now via weblogger.el (which I’ll have to clean up later) from within emacs. I’ve also installed oroborus and am using it instead of metacity within Gnome (edit ~/.gnomerc to include a line “export WINDOW_MANAGER=oroborus”); this is RAM-sparing to some degree but not nearly enough. I already have ratpoison installed as well, and will more likely than not start paring down on the Gnome bloat as I find time. I’ve been running ratpoison mostly under another user account.

Other Computers
My ancient ThinkPad got a minimal install of Debian Lenny several months ago but hasn’t been booted in at least a month. I may use it for TinyCore. Or, as I’d intended with Lenny, just as a temporary HTML/blog server for home use. I may just use MicroCore if I do that.

Nothing to report on my old MMX box. I haven’t booted it in so long I don’t even remember what it has on it.

Unfinished Business
Speaking of {Tiny,Micro}Core, I started on a screencast/presentation back before Christmas that I alluded to at least once here. I’ve been too busy to finish it. It’s in response to a question that was asked at the TCL forums about using TCL as an enterprise Linux replacement. I wanted to demonstrate beyond the more obvious answers why I thought it was unsuitable and worked out a quick and dirty concept to show how vulnerable such a distro — based basically on one file — could be. This kind of goes beyond the security of the image being read-only and, accordingly, being able to reboot into its original state; instead, I wanted to see how difficult it would be to take advantage of the fact that the image is on a read-write partition which can be mounted by user tc locally or remotely and then replaced. My little POC requires user interaction at this stage (which was in maybe 20 minutes’ work) to basically get a corrupt image to replace the original so that each subsequent booting of it isn’t actually the “pristine” original tinycore.gz image but instead the corrupted one (which could have any variety of “reconfigurations” in it, but mine basically pings another computer when it has an IP and has a message stored in a file stating what changes have been made to the original image).

I haven’t decided if I’ll go through and see if I can get it to work remotely without user interaction. Even if I do that, I won’t post it here. Sorry, kiddies.

Since these small image-based distros typically lack logging facilities, it would be trivial to pull this off and possibly leverage vulnerabilities in various packages to further make a mess of it. The smaller the distro’s base image, I think the less noticeable it would be. With my download speed, I can download the TinyCore image in just a few seconds.

Also, I tested this on USB. It’s trivial to test if something has been booted from sd{a,b} and contains a directory named boot containing a file called tinycore.gz. The same applies to other small distros which similarly use one file to store the operating system, allow full sudo (or, in the case of some like Puppy, root only), etc. Even though something is running from RAM, it’s still found on a storage device attached to the computer and can be mounted (unless it’s quickly removed). So I don’t think this is inherently more secure than anything else (or inherently secure at all), and the smaller size could be a disadvantage since it would take less time to download and be less likely to be detected by most users.

As improbable as it is that such things can be accomplished without some kind of user interaction or physical contact with a USB stick to install a corrupted image, it’s still possible. Add in potential vulnerabilities from various packages — including browsers, improperly set up servers, etc. — and the possibilities increase both locally and remotely.

No, the sky is not falling, but there is a potential for risk even though the image itself is read-only. The image may be, but its partition isn’t. The risk may be acceptable for most uses. It isn’t acceptable for enterprise use — not without some kinds of safeguards that enterprise distros have to help keep problems like this from occurring.
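As an added example (not the author’s proof-of-concept, which is not published here, and not TinyCore’s own code), here is a POSIX sh check a defender can run from a trusted medium before trusting a single-file image: it hashes the image sitting on the writable partition, compares it with a stored known-good SHA-256, and writes a log line, which covers the logging these distros lack. The hash-file path, log path and the example image path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: check a single-file system image
# (TinyCore's tinycore.gz here) against a known-good SHA-256 before trusting
# it, and write a log line, since the distro itself records nothing.
# Paths are assumptions; point them at the real boot device.

GOOD_HASH_FILE="${GOOD_HASH_FILE:-/etc/tinycore.gz.sha256}"  # "<hex>  tinycore.gz", as sha256sum writes it
LOG_FILE="${LOG_FILE:-/var/log/image-check.log}"

# sha256_of FILE -> hex digest on stdout (coreutils or busybox sha256sum)
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image IMAGE EXPECTED_HEX
# exit status 0 = digest matches, 1 = mismatch, 2 = image not present
verify_image() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# log_result STATUS IMAGE -> appends one timestamped line to LOG_FILE
log_result() {
    printf '%s image-check %s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$2" "$1" >> "$LOG_FILE"
}

# check_and_log IMAGE HASHFILE -> same exit status as verify_image, after logging
check_and_log() {
    expected=$(cut -d' ' -f1 "$2" 2>/dev/null)   # empty if the hash file is gone: treated as a mismatch
    rc=0
    verify_image "$1" "$expected" || rc=$?
    case $rc in
        0) log_result OK "$1" ;;
        2) log_result MISSING "$1" ;;
        *) log_result MISMATCH "$1" ;;
    esac
    return "$rc"
}

# Usage: image-check.sh /mnt/sda1/boot/tinycore.gz [HASHFILE]
# With no arguments only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    check_and_log "$1" "${2:-$GOOD_HASH_FILE}"
fi
```

A check that lives inside the image it verifies can be replaced along with it, so the known-good digest and this script belong on read-only media or another host, which is exactly the kind of safeguard the post says these distros omit.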

I’m not knocking these small distros. I think they have a special niche, but too many people think they can be one-size-fits-all. Enterprise-grade distros — including RHEL and its clones, SLED, etc. — have a variety of safeguards that would be “bloat” in something designed to be small and minimal. Adding those things to a minimalist distro would seem to be counter to their very purposes. That includes everything from security enhancements to logging facilities (you really do want to know who logged into which computer at what time on what day, and having every user named “tc” can’t be of much use if you need a chain of custody for various computer records, file records, changes, etc.). Moreover, the packages or extensions these small distros offer typically don’t undergo the same level of testing as in enterprise distros, are more often than not bleeding edge rather than tested and stable versions, and aren’t signed. Even signed/trusted repositories aren’t free from trouble, as the RedHat/Fedora people found out a couple of years ago when their mirrors were compromised.

I’ll see if I can finish the presentation and get it posted soon. Then again, I thought I would’ve had that done a month ago. Stay tuned.

Oh Boo Fucking Hoo

February 1, 2010

I just read a “review” of GNOBSD over at a certain website. It was less a review than a timeline of the guy creating a Gnome-based live DVD using OpenBSD 4.6 and how some in the OpenBSD community reacted when he advertised it in their mailing lists. He withdrew his ISO due to server traffic and less than positive feedback from the community.

He’s not the first to fork from or base something on OpenBSD. He won’t be the last. He’s also not the first person to receive a rebuke of some form from those in the OpenBSD development (and user) community.

I looked through the thread. I didn’t think any of the comments in the thread were incendiary. Some had smilies. Some directed the poster to another thread from last year about a similar issue. I’ve seen much harsher treatment where it’s more deserving. This was all fair and even-handed.

I also think the reaction of the OpenBSD development community might have been a bit different if this GNOBSD guy had first become involved within their community rather than working outside their ecosystem and then advertising a derivative out of the blue in their email lists. Dittos for the guy in the other thread for his “remix” last year. For starters, it would’ve given him an understanding of the community his work is potentially disrupting.

Yes, disrupting. I don’t buy the argument that separate, forked projects like this are of benefit to the upstream project. OpenBSD development is funded by sale of their release CD sets. People downloading an ISO are unlikely to go to the upstream project and support it (just like all the software, music, and movie pirates have a disincentive to go buy more software, music, and movies despite all the fucktards who think they’re acting in the interest of artists when they take it upon themselves to violate copyrights); unfortunately, they are likely to go to the upstream project and ask inane rudimentary questions the developer teams have already answered in their documentation — from their own guides to their man pages. Dumbing the process down brings in dummies. That’s not beneficial to their project.

(Yes, dummies. What’s the fucking purpose of installing something like OpenBSD with a graphical desktop preconfigured if you can do that already with Linux or something else? If you’re unwilling to understand what you’re doing and unwilling to configure it to work exactly the way you want, then you’re looking at the wrong operating system. Stick to your Ubuntu, stick to something that you don’t have to or want to comprehend. Gnome and KDE aren’t Linux or BSD, they’re Gnome and KDE. Most apps can be compiled to run in Windows, so your “friends and family” don’t even have to switch operating systems to see, try, or use them.)

So this is a lose-lose proposition for OpenBSD developers. If they wanted to expand their market share, they already know what they could do — and they’re not doing it. OpenBSD developers are talented enough to assemble such a project if they wanted to. The fact that they haven’t should demonstrate that they’re really not interested in a market-share or dick-measuring contest with other BSDs or with Linux. Accept it.

And to the whiners and bitchers (10, 19, 22, etc.) over at Distrowatch who say they’ll either stop using OpenBSD or never try it over this episode, good riddance. You’re probably not the kind of users Theo&Co would want anyway. Grow a pair.

Update 20100130: Musical Hard Drives, NetBSD, Scientific Linux

January 30, 2010

I’d alluded last weekend that I’d installed NetBSD on a spare hard drive in my new workstation. That drive was the last (I think) OpenBSD 4.3 install I had before I had to go care for family in 2008. It’s hard to remember anymore; I only know that when I last ran it, it showed my last reboot was a couple of days after I returned last year. Anyway, I’d already installed Scientific Linux 5.4 on another spare hard drive I put in the workstation and set up separate partitions on it. My only nitpick about SL’s installer on the live CD version is that it doesn’t allow many options as far as partitioning or filesystems, but that’s not a big deal to set up afterward. (Note: the full install/net install CDs use anaconda.)

I switched drives around so my old OpenBSD 4.3 one would be master. Once I logged in (after finally remembering my root password and changing my user password), I looked around and saw a few things I wanted to make sure I backed up before using that drive for something else. I added entries to my fstab for the other drive so I could copy them to my user account on it (that drive is eventually going into another computer; sorry about image quality but I didn’t have the computer networked when I set up).

I recently said some unkind things about the reviewer of a NetBSD-based live CD on a certain website because he complained that it didn’t automatically mount things for him. The BSDs — excluding possibly desktop-oriented projects based on any of the BSDs — don’t enable such things by default. I also recall in a simulated install of KDE packages one time that directions flew up my screen about enabling various daemons to get it all working if so desired. It’s just a different perspective on things. The BSDs are true to their Unix roots, and Linux distros by and large are true to their “GNU’s Not Unix” (heavy emphasis on “not”) roots. Let me be a little more constructive than I was at that website and show how easy this stuff is (especially if you bother to read the documentation).

I installed NetBSD from CD. The installation took a few minutes. Granted, it’s not like installing the average Linux distro — it doesn’t have a graphical installer, it doesn’t have all kinds of apps to install. It’s pretty basic, but you add what you want on top of it instead of whatever some developer decides to include. It’s fast, it’s easy (RTM), painless. It takes a bit of time to configure and set up but it’s a blank slate and you’ll know exactly what’s going on because you’re the one turning all the stuff on that you want to be on.

I wanted to get my files I copied over to the SL54 drive from the OpenBSD install so I decided to set up /etc/fstab to include my SL54 drive. The first command I ran was dmesg | grep wd1 to make sure the drive was detected as wd1 (the next step would tell you the same thing but I usually look at dmesg first). Then I did disklabel wd1 to get information (man disklabel if you want specific options) about the partitions on that drive.

Once I had that, I could edit fstab accordingly and/or mount the partition I need. In this case, the partitions I wanted were g and i and I needed to make directories (mkdir /mnt/wd1{g,i}) for them and then mount them. Then I was able to get my stuff I’d copied from my old OpenBSD install as well as the few things I’ve had time to get on the other SL54 drive. Hardly a hassle.
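The steps above, carried through as an added POSIX sh helper (not from the post and not a NetBSD tool): it reads disklabel(8) output for a foreign drive such as wd1 and emits /etc/fstab lines for the mountable partitions with noauto, nosuid and nodev, so a drive that came out of another system cannot hand you setuid binaries or device nodes. The disklabel sample embedded in the script is constructed; the fstype-to-mount-type mapping (4.2BSD to ffs, Linux Ext2 to ext2fs, MSDOS to msdos) follows NetBSD’s names, and the /mnt/wd1X mount points are the post’s convention.

```shell
#!/bin/sh
# Added example, not from the post: build /etc/fstab lines for a foreign drive
# from "disklabel wdN" output. Data partitions get noauto,nosuid,nodev so a
# disk from another machine cannot supply setuid programs or device nodes.
# Swap, "unused" and the raw c/d partitions are skipped.

# Constructed sample of disklabel(8) output; real output carries the same
# columns (letter, size, offset, fstype, ...) and trailing comments.
SAMPLE_LABEL='16 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 b:   1048576   2097215       swap                     # (Cyl.   2080*-   3120*)
 c:  78165360        63     unused      0     0        # (Cyl.      0*-  77544*)
 d:  78165423         0     unused      0     0        # (Cyl.      0 -  77544*)
 e:    204800   3145791      MSDOS                     # (Cyl.   3120*-   3323*)
 g:  20971520   3350591 Linux Ext2                     # (Cyl.   3323*-  24127*)
 i:  52024320  24322111 Linux Ext2                     # (Cyl.  24127*-  75733*)'

# fstab_lines DISK  (disklabel output on stdin) -> one fstab line per mountable partition
fstab_lines() {
    disk="$1"
    awk -v disk="$disk" '
        /^ *[a-p]:/ {
            part = substr($1, 1, 1)
            type = $4
            if (type == "Linux" && $5 == "Ext2") type = "Linux Ext2"   # two-word fstype name
            if (type == "4.2BSD") vfs = "ffs"
            else if (type == "Linux Ext2") vfs = "ext2fs"              # ext3 mounts as ext2fs too
            else if (type == "MSDOS") vfs = "msdos"
            else next                                                  # swap, unused, unknown
            printf "/dev/%s%s /mnt/%s%s %s rw,noauto,nosuid,nodev 0 0\n", disk, part, disk, part, vfs
        }'
}

# Usage: fstab-lines.sh wd1   (reads the live disklabel); no argument prints the sample
if [ $# -gt 0 ]; then
    disklabel "$1" | fstab_lines "$1"
else
    printf '%s\n' "$SAMPLE_LABEL" | fstab_lines wd1
fi
```

Append the output to /etc/fstab and create the second column with mkdir before mounting; drop nosuid and nodev only for a drive you built yourself.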

I haven’t had time to do anything else with that drive (meaning with NetBSD) yet because things are hectic with family and work. Funny how that works out sometimes — get a new computer, fiddle around with a couple of hard drives, and then have to get back to them in a week or two or three (I’ve only been using SL54 on it). For what it’s worth, I’m very pleased with Scientific Linux 5.4, which is compiled from RHEL5 sources. I’ll write a review of it soon — and probably before I get back to setting up NetBSD.

New-Old Laptop Update – 20091106

November 6, 2009

I looked at Distrowatch to see what was happening with various distros and downloaded a few ISOs. Among the candidates for my new-old laptop were Debian (Xfce/lxde), OpenBSD 4.6, Slackware 13, and Mandriva-One KDE 2010. I narrowed it down after a little thinking and only burned the images for Slackware and OpenBSD. I was open to looking at KDE on this and wish I could live with it, but I think I’ll be happier without it.

I decided to install Slackware 13 on my laptop yesterday afternoon and did some minor tweaking and configuration while I watched Survivor. I only burned the first two images because I didn’t want to use KDE, but I did go ahead and install Xfce as my only desktop. I may eventually change that to either ion3 or ratpoison even though I have a lot more room on my desktop now (17″). 

In addition to installing Adobe Flash and something else I won’t mention, I compiled the most recent release of GNU emacs. I also installed slapt-get and gslapt though I’ve yet to configure for any repository beyond the defaults. I still have to compile mew, and I need to install my office software (I think I can get away with IBM Lotus Symphony now, else I’ll have to install OOo). At some point, I’ll compile a custom kernel. The big one from Slackware has xfs, jfs, and all kinds of other things built in it that I don’t need and I’d like to reclaim every little bit of RAM I can.

I’ve yet to test things like my beloved Samsung S3 (libmtp is installed) to see what’s working or not. I did a fast basic configuration to get wifi working and moved a few things over via SSH; I do know that audio and X are working without any additional tweaking. Hopefully I’ll have time soon to turn this into my primary computer, whether or not I sell the Acer Aspire One.

No time frame for anything but the office suite and mew (ASAP) because I still am catching up on work from September and October. And no screen shots because it’s just the vanilla Xfce desktop with a solid blue background rather than the default (but quite tasteful, I’ll admit) striped Xfce wallpaper — like it should be without someone else’s muddled idea of how it should be branded with a distro name (or worse). That’s one of the great things about Slackware. That and the fact it has some of the best documentation available so setting it up is straightforward (second in all respects only to OpenBSD in my book).

More when I get time.

Major League Downtime

November 17, 2008

It’s been quite a while since I’ve had a chance to update either of my blogs. I’m currently in Houston taking care of family and have my hands full with that. I’m pretty much taking the rest of the year off under accumulated comp, vacation, and family leave. I’m doing a little work remotely and as I get co-workers and clients passing through Houston — but that’s the exception to the rule. Most (all) my time is spent caring for ailing and dying family members.

Here’s a little update on my systems and what I’m doing:

emacs
I noted in a reply to Frederic Culot, author of the excellent calcurse calendar application, that I’d been using emacs again. That was short-lived because I really do prefer vim and viper mode really doesn’t cut it for me. I really wish emacs could do all I want and need but there’s so much in it that I don’t need that I can’t justify the trade-offs (bloat). Yes, it can do everything I need. It just does it with more resources than I care to use at once — my same argument against KDE. It’s great if that’s all you want to use, but the overhead is too significant if you use heterogeneous (with respect to libraries) applications.

OpenBSD
I dragged my router and laptop with me because I knew I was looking at spending several weeks here (at least). I may run back home to get more computing power if it extends beyond the current time frame.

I’m still using OpenBSD 4.3 on my laptop because I really haven’t had time to burn a CD and install 4.4. I never got to file a bug report about an ACPI issue I had with the two snapshots I tried installing on this, and I don’t yet know if I’ll get time between now and the end of the year to update (I honestly have had less than half an hour a day to tend to my own “needs” for about the past three weeks).

Other cool stuff
I saw that libarchive 2.6 will be out shortly. Among the usual bugfixes, it will include LZMA support. I’ve used that in BSD and Linux, even replacing GNU tar/cpio.

I’ve been using calcurse 2.3 since Frederic’s comment. Nice. Unfortunately, I haven’t had many opportunities to export calendar files because I’ve dropped my work schedule. And pretty much the rest of my life. At least for a few months.

I may get myself a new laptop for Christmas. I’ve had a little time to play with an Eee but I think I need a bigger computer than that. I like the weight and can manage with the small screen, but I have huge hands and those tiny keyboards suck.

Finally, I’m used to seeing uptime measured in weeks and months. These days it’s rarely hours and seldom more than a few minutes here or there, most often at times when everyone else is sleeping and I can’t. I’m not used to going stretches without posting much. This will be one of them.