• Serious Bug with BASH ( CVE-2014-6271 )

     

    Note : Red Hat has reported that this patch is incomplete and is working on a new one at the moment ( CVE-2014-7169 ); refer to CVE-2014-7169 for the details.

    Affected platforms :-

    Red Hat Enterprise Linux 4 (ELS)/ 5 / 6 /7
    CentOs 5/6/7

    How to test whether your version of Bash is vulnerable to this issue:

    [root@]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    [root@]#

    Resolution :-

    This issue affects all software that uses the Bash shell and parses values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

    In order to avoid exploitation of CVE-2014-6271, ensure that your system is updated to at least the fixed versions of Bash listed below.

    # yum update bash

    Fix for CentOS platforms

    CentOS 5

    bash-3.2-33.el5.1.i386.rpm / bash-3.2-33.el5.1.x86_64.rpm

    CentOS 6

    bash-4.1.2-15.el6_5.1.i686.rpm / bash-4.1.2-15.el6_5.1.x86_64.rpm

    Note : It's always better to reboot your machine after upgrading to the latest bash package. If it's a production-critical machine and you cannot do a quick reboot, then please run " /sbin/ldconfig "

    How to make sure your machine/server is secure after the package update ?

    Run the same command again:

    [root@]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
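    As an added example (not part of the original post), the probe above wrapped in shell functions that return a machine-readable verdict; the function names and the no-bash handling are my own:

```shell
#!/bin/sh
# Added example (not from the original post): the probe shown above wrapped in
# functions that give a machine-readable verdict, so the check can run from an
# inventory or configuration-management job instead of being read by eye.
# It covers CVE-2014-6271 only; the incomplete-fix follow-up CVE-2014-7169
# needs its own separate test.

# Prints one of: vulnerable, patched, no-bash. Optional $1 is the bash to test.
shellshock_status() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Same probe as the post: an exported variable whose value looks like a
    # function body followed by trailing code. A vulnerable bash runs the
    # trailing "echo vulnerable" while importing the function; a fixed bash
    # either warns and ignores it or treats x as an ordinary variable.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Exit status 0 when the bash under test is not vulnerable, 1 when it is,
# so the function can gate a cron job or a CI step.
shellshock_check() {
    status=$(shellshock_status "$@")
    version=$("${1:-bash}" --version 2>/dev/null | head -n 1)
    echo "${version:-bash not found}: CVE-2014-6271 status: $status"
    [ "$status" != vulnerable ]
}
```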

     

    Reference :-

    https://access.redhat.com/security/cve/CVE-2014-6271

    http://lists.centos.org/pipermail/centos/2014-September/146099.html

    https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

     

  • Serious bug with OpenSSL : Heartbleed !!!

    Yesterday a Google security engineer reported a serious bug in the current OpenSSL: a TLS heartbeat read overrun (CVE-2014-0160). Thanks to Neel Mehta of Google Security for discovering the bug.

    As per OpenSSL, only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. The advice is to upgrade to OpenSSL 1.0.1g ( https://www.openssl.org/source/openssl-1.0.1g.tar.gz ) to fix this issue, or to recompile affected versions with the option -DOPENSSL_NO_HEARTBEATS.

    You may also need to recompile other services that are linked against OpenSSL, such as Apache, nginx and PHP. It is also better to renew your SSL certificates, since the private keys may have been exposed while the bug was live.

    How to check whether your server/website is affected :

    http://possible.lv/tools/hb
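    As an added example (not from the original post or OpenSSL's own tooling), a shell check that classifies the local OpenSSL banner against the affected-version list above and applies the distribution-backport caveat; the function names and the sample banners are constructed:

```shell
#!/bin/sh
# Added example (not from the original post): classifies an "openssl version"
# banner against the affected list quoted above (1.0.1 up to 1.0.1f and
# 1.0.2-beta1 affected, 1.0.1g fixed, other branches never had the bug), then
# applies the one caveat a banner check needs: Red Hat's fix in RHSA-2014-0376
# is a backport that keeps the 1.0.1e version string, so on RHEL/CentOS the
# package changelog, not the banner, says whether CVE-2014-0160 is fixed.

# $1 is the banner text, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
# Prints: affected, fixed, not-affected or unknown.
heartbleed_verdict() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    case "$ver" in
        '')                echo unknown ;;
        1.0.1|1.0.1[a-f])  echo affected ;;      # upstream 1.0.1 .. 1.0.1f
        1.0.2-beta1)       echo affected ;;
        1.0.1[g-z]*)       echo fixed ;;         # 1.0.1g and later point releases
        *)                 echo not-affected ;;  # 0.9.8, 1.0.0, 1.0.2 final, ...
    esac
}

# Verdict for the OpenSSL installed on this host. A build patched with
# -DOPENSSL_NO_HEARTBEATS keeps its old banner too, so treat "affected" as
# "check further", and remember that services already running keep the old
# library mapped until they are restarted.
openssl_heartbleed_check() {
    verdict=$(heartbleed_verdict "$(openssl version 2>/dev/null)")
    if [ "$verdict" = affected ] && command -v rpm >/dev/null 2>&1 &&
       rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160; then
        verdict=fixed-by-backport
    fi
    echo "$verdict"
}
```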

    References :-

    http://heartbleed.com/

    https://rhn.redhat.com/errata/RHSA-2014-0376.html

    http://www.spinics.net/lists/centos-announce/msg04911.html

    http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

  • Web Interface for CVS server

    In the previous post we discussed how to set up a CVS server in ten steps ( cvs server setup ); now it's time for a GUI to browse your repositories. I found a very nice open-source GUI tool, ViewVC ( www.viewvc.org ); its installation and configuration are documented as follows : –

    1) Download ViewVC and install it using the viewvc-install script.

    # wget http://viewvc.tigris.org/files/documents/3330/49264/viewvc-1.1.18.tar.gz

    # tar -zxf viewvc-1.1.18.tar.gz

    # cd viewvc-1.1.18

    # yum install rcs  ( To fix dependency issues )

    # ./viewvc-install

    2) Edit viewvc.conf and set the CVS root

    # vi /usr/local/viewvc-1.1.18/viewvc.conf

    >>> cvs_roots = cvsroot: /home/cvsroot

    >>> allowed_views = annotate, diff, markup, roots, co

    3) How to replace the default logo with your own company logo

    # cd /usr/local/viewvc-1.1.18/templates/docroot/images/

    # mv your-logo.png  viewvc-logo.png

    4) Apache configuration

    # vi /etc/httpd/conf/httpd.conf

    ServerName adminlogs.info:80

    DocumentRoot "/usr/local/viewvc-1.1.18"

    <Directory "/usr/local/viewvc-1.1.18">
    Options +ExecCGI
    AddHandler cgi-script .cgi
    </Directory>

    ScriptAlias /cvsweb /usr/local/viewvc-1.1.18/bin/cgi/viewvc.cgi
    ScriptAlias /query  /usr/local/viewvc-1.1.18/bin/cgi/query.cgi

    5) Apache configuration entry to enable LDAP authentication for the CVS web GUI:

    <Location "/cvsweb">
    AuthType Basic
    AuthName "CVS Authentication"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://yourldapserver.com:389/dc=ldapdomain,dc=com?uid
    Require valid-user
    </Location>

    6) Restart Apache

    7) Access the GUI using http://adminlogs.info/cvsweb

  • How to Setup a CVS server ?

    How to set up a CVS server in ten steps; it's easy and straightforward !!!

    CVS is a commonly used version control system, like git ( how to configure git server ).

    1) yum install cvs xinetd

    2) authconfig-tui

    ( enable LDAP authentication if you want to use LDAP credentials to access CVS )

    3) mkdir /home/cvsroot

    4) chown -R root:<ldap-group> /home/cvsroot ; chmod -R 770 /home/cvsroot

    5) cvs -d /home/cvsroot init

    ( initialise the CVS root directory )

    6) vi /etc/xinetd.d/cvspserver

      service cvspserver
      {
          port        = 2401
          socket_type = stream
          protocol    = tcp
          wait        = no
          user        = root
          passenv     = PATH
          server      = /usr/bin/cvs
          # must point at the CVS root created in step 3
          server_args = -f --allow-root=/home/cvsroot pserver
      }
    # End /etc/xinetd.d/cvspserver

    7) /etc/init.d/xinetd restart

    8) chkconfig xinetd on

    9) iptables -I INPUT -s 0/0 -p tcp --dport 2401 -j ACCEPT
    ( opening the cvspserver port for CVS client/server operations )

    10) /etc/init.d/iptables save

    There are lots of web interfaces for managing CVS repositories; I have configured ViewVC and it is really useful.

  • How to login moin moin using ldap credentials

    After the successful integration of AD with MoinMoin, I tried integrating MoinMoin with LDAP. After making small changes to the AD integration configuration I was able to authenticate to the MoinMoin wiki using LDAP credentials.

    ===========================================
        # LDAP authentication
        import ldap                       # needed for ldap.SCOPE_SUBTREE below
        from MoinMoin.auth.ldap_login import LDAPAuth
        ldap_authenticator1 = LDAPAuth(
            server_uri='ldap://adminlogs.info',
            bind_dn='cn=Manager,dc=adminlogs,dc=info',   # manager account used to search the directory
            bind_pw='password',                          # replace with the manager password
            base_dn='dc=adminlogs,dc=info',
            scope=ldap.SCOPE_SUBTREE,
            referrals=0,
            search_filter='(uid=%(username)s)',          # map the wiki login name to the uid attribute
            givenname_attribute='cn',
            surname_attribute='sn',
            aliasname_attribute='cn',
            email_attribute='mail',
            email_callback=None,
            coding='utf-8',
            timeout=10,
            autocreate=True,                             # create the wiki user on first LDAP login
        )
        auth = [ldap_authenticator1, ]
        cookie_lifetime = (1, 1)
        # no anon user sessions, 1h session lifetime for logged-in users
    ===========================================

    Here too I have used the LDAP manager user to query LDAP.

    Add the above lines to your MoinMoin configuration file ( wikiconfig.py ) and restart Apache.

  • VMware ESXi can't detect network adapter on HP ProLiant DL380p G8 server

     

    Today I was trying to install VMware ESXi 5.1 on a new HP ProLiant DL380p G8 server and got the following message:

    " No network adapters were detected. Either no network adapters are physically connected to the system, or a suitable driver could not be located. A third party driver may be required. "

    After searching the HP forums, I found that HP had released a patch for this issue, and it helped me set up the ESX server.

    You can download the patched ISO from here .

    Hope that this will help you and save some time !! 🙂

  • Special days for me , got promoted with out hike ;)

    These are very very special days for me. My wife and I have a very cute, sweet baby girl. Meenakshi was born on Jan 5th 2013 and she is our first kid. By God's grace and the prayers of our dearest people, both baby and mom are fine !! Additionally my sister had a baby girl on Dec 31st 2012, which gave me another responsible promotion, as uncle 😉 .

    Hope that this new year will be a fantastic year for all of us.

    I am wishing you all a fantastic and prosperous Happy New Year 2013 !!

  • Setting up of GitWeb : Web interface for Git

    Setup a web interface for Git ( GitWeb with LDAP authentication )

    Prerequisites :-

    1) Git and Gitolite should be installed ( Refer here )
    2) GitWeb is installed using yum
    3) You should have root privileges and the web server should be Apache. If you are fine with the above requirements then let's proceed !!

    ==> Add the users 'apache' and 'gitolite' to the group 'gitolite'

    # usermod -a -G gitolite apache
    # usermod -a -G gitolite gitolite

    # id apache
    uid=48(apache) gid=48(apache) groups=48(apache),157(gitolite)
    # id gitolite
    uid=103(gitolite) gid=157(gitolite) groups=157(gitolite)

    ==> Change the $REPO_UMASK setting in the '.gitolite.rc' file to 0027 ( around line 30 )

    # cd /srv/git/
    # grep REPO_UMASK .gitolite.rc
    $REPO_UMASK = 0027;

    ==> Edit /etc/gitweb.conf and set the values of $projectroot and $projects_list
    $projectroot = "/srv/git/repositories";
    $projects_list = "/srv/git/projects.list";
    @git_base_url_list = qw(ssh://gitolite@gitserver); # replace gitserver with your git server's IP

    Apache virtual host section ( LDAP authentication )

    <VirtualHost  *:80>
    ServerName adminlogs.info
    ServerAdmin admin@adminlogs.info
    DocumentRoot /usr/share/gitweb
    <Directory /usr/share/gitweb>
    Options FollowSymLinks ExecCGI
    DirectoryIndex gitweb.cgi
    AddHandler cgi-script cgi
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^.* /gitweb.cgi/$0 [L,PT]
    </Directory>
    <Location "/">
    AuthType Basic
    AuthName "Git Authentication"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://ldapserver.com:389/dc=domain,dc=com?uid
    Require valid-user
    </Location>
    </VirtualHost>
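    As an added example (not from either post), a shell lint for the Basic-auth-over-LDAP configuration used in both the ViewVC <Location "/cvsweb"> block (step 5 of the CVS web interface post) and the GitWeb vhost above; the sample configs and hostnames are constructed:

```shell
#!/bin/sh
# Added example (not part of either post): a lint over an Apache config fragment
# that reports where the Basic-auth-over-LDAP setup of the ViewVC block and the
# GitWeb vhost above sends credentials in clear text: "AuthType Basic" in a
# section with no "SSLEngine on" (browser sends the password unencrypted), and
# an AuthLDAPURL over ldap:// rather than ldaps:// or LDAPTrustedMode TLS
# (Apache forwards it unencrypted). Reads stdin, prints one line per finding.
apache_basic_auth_lint() {
    awk '
        # Judge the section buffered so far: Basic auth is only fine under TLS.
        function flush(   i) {
            for (i = 1; i <= n; i++)
                if (!tls && line[i] ~ /^[ \t]*AuthType[ \t]+Basic/)
                    printf "line %d: AuthType Basic without SSLEngine on\n", num[i]
            n = 0; tls = 0
        }
        /^[ \t]*<VirtualHost/             { flush() }   # each vhost judged on its own
        /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/  { tls = 1 }
        /^[ \t]*AuthLDAPURL[ \t]+ldap:\/\// {
            printf "line %d: AuthLDAPURL over unencrypted ldap://\n", NR
        }
        { n++; line[n] = $0; num[n] = NR }
        END { flush() }
    '
}

# Constructed sample shaped like the GitWeb vhost above (hostnames are placeholders).
SAMPLE_PLAIN='<VirtualHost *:80>
ServerName git.example.test
<Location "/">
AuthType Basic
AuthName "Git Authentication"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldapserver.example.test:389/dc=example,dc=test?uid
Require valid-user
</Location>
</VirtualHost>'

# The same vhost with TLS on both legs; the lint stays silent on this one.
SAMPLE_TLS='<VirtualHost *:443>
ServerName git.example.test
SSLEngine on
<Location "/">
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldaps://ldapserver.example.test:636/dc=example,dc=test?uid
Require valid-user
</Location>
</VirtualHost>'

# Number of findings for a config held in a string.
lint_finding_count() {
    printf '%s\n' "$1" | apache_basic_auth_lint | wc -l | tr -d ' '
}
```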

    ==> We also need to give the gitweb user read access to all the repositories, via gitolite.conf, as follows

    #  cat gitolite.conf
    @developers = root hari william
    @qa = jack lilly
    repo    gitolite-admin
    RW+ = @developers
    repo    new-project
    R = @qa  gitweb daemon
    repo    testing
    RW+ = @all
    R =  gitweb daemon

    ==> Restart Apache

    Now just access the IP/hostname of the git server in a browser; you can browse the repositories using your LDAP credentials.

    Common Errors : –

    1) (13)Permission denied: exec of '/usr/share/gitweb/gitweb.cgi' failed. Premature end of script headers: gitweb.cgi

    Fix : –

    chgrp apache /usr/sbin/suexec
    cp -r /usr/share/gitweb /var/www
    chown -R gitolite:gitolite /var/www

    2) 404 - no projects found ( gitweb )

    Fix : –    chmod -Rf g+rx /srv/git

     

  • Setup your own git server !

    Git server setup with gitolite

    Git is a distributed version control system developed by Linus Torvalds ( 2005 ) for the Linux kernel project. Performance-wise I felt it's far better than other version control systems like CVS and SVN.

    Here we have used two other tools to use git in a more controlled way:

    1) Gitolite : works with git and gives us good control over the repositories and the users who access these projects.

    2) Gitweb : a nice front end for Git ( gitweb )

    Installation of Git : –

    # As root:

    - Red Hat Enterprise Linux 5 / i386:

    rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

    - Red Hat Enterprise Linux 5 / x86_64:

    rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

    # yum -y install git

    Install Gitolite : –

    # yum --enablerepo=epel-testing install gitolite

    This needs the EPEL repository, which we install via:

    rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm

    ( see http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F )

    Setup Gitolite environment : –  ( on Server )

    # usermod -d /srv/git gitolite
    # cd /srv/ ; mkdir git
    #  chown gitolite:gitolite git/

    Create the administrator user who will manage the Git repositories.

    On any of your client machines, generate a key pair and copy the public key to the Git server:

    [git-admin@gitclient ~]$ ssh-keygen -t rsa -b 2048 -C "Admin"
    # cp .ssh/id_rsa.pub .ssh/git-admin.pub
    # scp .ssh/git-admin.pub root@gitserver:/tmp

    Log back in to the git server and switch to the user "gitolite"

    # su - gitolite
    # gl-setup /tmp/git-admin.pub

    After this command completes successfully, it creates two entries, "repositories" and "projects.list".
    Now git-admin ( from the client machine ) can create his own repositories and the users who access the repos.

    [ From Client machine ]

    Just introduce yourself to Git, so that the history shows who made each change:

    # git config --global user.name "Admin"
    # git config --global user.email "hari@adminlogs.info"

    Playing with Git : – ( git clone , git add and git push )

    ( the SSH user is the server's gitolite account; your git-admin key is what identifies you )

    #  git clone gitolite@gitserver:gitolite-admin
    #  cd gitolite-admin

    This admin repository contains two directories, a config folder and a key folder. The gitolite.conf file in the config folder lets you manage the repos and users as follows:

    #  cat gitolite.conf
    @developers = root hari william
    @qa = jack lilly

    repo    gitolite-admin
    RW+ = @developers

    repo    adminlogs.com
    RW+ = @developers
    R = @qa

    repo    adminlog.info
    RW+ = @all

    Note that you can define project groups like @developers, @qa and so on.

    You can also add any number of public keys from your project members inside the key directory. Copy the keys as "hari.pub", "jack.pub", "william.pub" and so on. Note that you need to use the same names in gitolite.conf.

    For example, if the key file is lilly.pub then the user allowed in the configuration file must be "lilly" ( without the .pub ).

    Once you complete the changes then update /push the files to master repo

    # git remote -v
    # git add .
    # git commit -a -m "Added new entries in gitolite.conf and added new pub keys in key dir"
    # git push origin master

    That's it. You have successfully configured git with gitolite. Now all your team members whose keys were added to the git admin repo can create and push their own projects !!

    Just try , Its an awesome tool !!!

  • libtool error with sysbench-0.4.12

    Sysbench is a very good tool for testing your database performance.

    I got the following error today while setting up sysbench version 0.4.12

    Error : –

    /bin/sh ../libtool --tag=CC   --mode=link gcc -pthread -g -O2      -o sysbench sysbench.o sb_timer.o sb_options.o sb_logger.o db_driver.o tests/fileio/libsbfileio.a tests/threads/libsbthreads.a tests/memory/libsbmemory.a tests/cpu/libsbcpu.a tests/oltp/libsboltp.a tests/mutex/libsbmutex.a drivers/mysql/libsbmysql.a -L/usr/local/mysql/lib/ -lmysqlclient_r   -lrt -lm
    ../libtool: line 838: X--tag=CC: command not found
    ../libtool: line 871: libtool: ignoring unknown tag : command not found
    ../libtool: line 838: X--mode=link: command not found
    ../libtool: line 1004: *** Warning: inferring the mode of operation is deprecated.: command not found
    ../libtool: line 1005: *** Future versions of Libtool will require --mode=MODE be specified.: command not found
    ../libtool: line 2231: X-g: command not found
    ../libtool: line 2231: X-O2: command not found
    ../libtool: line 1951: X-L/usr/local/mysql/lib/: No such file or directory
    ../libtool: line 2400: Xsysbench: command not found
    ../libtool: line 2405: X: command not found
    ../libtool: line 2412: Xsysbench: command not found
    ../libtool: line 2420: mkdir /.libs: No such file or directory
    ../libtool: line 2547: X-lmysqlclient_r: command not found
    ../libtool: line 2547: X-lrt: command not found
    ../libtool: line 2547: X-lm: command not found
    ../libtool: line 2629: X-L/root/sysbench-0.4.12/sysbench: No such file or directory
    ../libtool: line 2547: X-lmysqlclient_r: command not found
    ../libtool: line 2547: X-lrt: command not found

    Confused ?

    After getting the above error, I tried running " autogen.sh ", and its output led to the fix:

    sysbench/drivers/mysql/Makefile.am:17: library used but `RANLIB' is undefined
    sysbench/drivers/mysql/Makefile.am:17:   The usual way to define `RANLIB' is to add `AC_PROG_RANLIB'
    sysbench/drivers/mysql/Makefile.am:17:   to `configure.ac' and run `autoconf' again.
    sysbench/drivers/oracle/Makefile.am:17: library used but `RANLIB' is undefined
    sysbench/drivers/oracle/Makefile.am:17:   The usual way to define `RANLIB' is to add `AC_PROG_RANLIB'
    sysbench/drivers/oracle/Makefile.am:17:   to `configure.ac' and run `autoconf' again.
    sysbench/drivers/pgsql/Makefile.am:17: library used but `RANLIB' is undefined

    How to fix ? : –

    1) Edit the configure.ac file, comment out line 75 ( AC_PROG_LIBTOOL ) with a leading #, and add a new entry as follows

    vi sysbench-0.4.12/configure.ac

    #AC_PROG_LIBTOOL
    AC_PROG_RANLIB

    2)  ./autogen.sh

    3)  ./configure

    4)  make && make install

    That’s it !!!  😉