Archive

Archive for the ‘Technology’ Category

ssh-pageant 1.0

September 21, 2010 Comments off

ssh-pageant now has its first release, version 1.0 — fulfill your authentication agent needs between Cygwin’s OpenSSH and Pageant today!  It’s documented, and pre-built binaries are available.  And there will be cake, of course.

Any “1.0” feels like it must have some magical aura, but in the end it is just a number.  The program works as expected, and has the features I felt were needed to be complete, so 1.0 it is.  The next step is to get this packaged and included in the official Cygwin repositories, which I would welcome volunteer help in doing.

Two tiny additions to FOSS

August 21, 2010 Comments off

The quietness around here shows that I’m not much of a blogger.  That’s ok, I guess — it’s not like I wanted to make a living from it.  Well anyway, I’ve published a couple of tools I wrote a while ago, and they deserve at least a tiny announcement.  So here are two new contributions from me to the FOSS world.

ssh-pageant is an SSH authentication agent for Cygwin that links OpenSSH to PuTTY’s Pageant.  It acts very much like ssh-agent, except it leaves the key storage to Pageant.  You can use ssh-pageant to automate SSH connections from the Cygwin shell, and I find this is most helpful for those services built on top of SSH, like SFTP file transfers or pushing to secure git repositories.  It is even said to be literally life-saving.

MouseWinX is a Windows tray application that lets you quickly toggle X-mouse window activation, where the window focus follows position of the mouse cursor without having to click anything.  I wrote this back in college when I was using Magic VLSI for one of my classes, and I’ve also found it helpful for navigating GIMP.  Both are applications with multiple windows to interact with, and hot-tracking the mouse makes them a bit easier to use.  But the rest of the time I don’t like having the window focus jump around, so MouseWinX gives a simple icon in the tray which toggles the setting when clicked.

Both of these projects are in an unpolished state, like so many open source projects.  They work perfectly well, as far as I know, but I haven’t done the finishing touches, like writing documentation and packaging releases.  For now, at least the source code is out there, and hopefully this post will help them be found by those in need of such tools.

Hacking Linux Filenames

April 8, 2009 2 comments

I recently read an LWN article on David A. Wheeler’s essay, “Fixing Unix/Linux/POSIX Filenames.”  The gist is that he thinks the filename rules are too permissive — we have ‘/’ as the path separator, and a raw 0 terminates the path, but anything else is fair game.  On the surface, this has a certain beautiful simplicity to it.  However, there are characters that have special meaning depending on the context, so almost any code that actually tries to interpret a filename will have to add a lot of complexity to be robust.  The essay delves into many ways that things can go wrong.

Filenames have been this way in for a long time though, and I don’t expect that this will change officially anytime soon.  Still, my day job now is developing SystemTap, and this sort of problem is one of many sorts that SystemTap can address.  Here’s a script to show how a system administrator could patch the kernel with their own addendum to the filename rules:

#!/usr/bin/stap -g
# badname.stp
# Prevent the creation of files with undesirable names.

# return non-zero if the filename should be blocked
function filter:long (name:string)
{
  return euid() && isinstr(name, "XXX")
}

global squash_inode_permission
probe kernel.function("may_create@fs/namei.c")
{
  # screen out the conditions which may_create will fail anyway
  if ($child->d_inode || $dir->i_flags & 16) next

  # check that the new file meets our naming rules
  if (filter(kernel_string($child->d_name->name)))
    squash_inode_permission[tid()] = 1
}
probe kernel.function("inode_permission@fs/namei.c").return !,
      kernel.function("permission@fs/namei.c").return
{
  if (!$return && squash_inode_permission[tid()])
    $return = -13 # -EACCES (Permission denied)
  delete squash_inode_permission[tid()]
}

The script starts by defining a filter function.  It first check whether the effective user ID is non-zero, so the root user can bypass the filter.  Then, for the prude admins out there, I’ve chosen to block filenames that contain the string “XXX”.  I intentionally kept this part small for this example, but you could easily write a function covering all of the new rules that Wheeler suggests.

After that is a probe on the may_create function, which is what the kernel calls to validate permissions for new files.  We can call our filtering function from here to see if the filename is OK, but since may_create is an inline, we don’t have a direct way to influence its result.  The last thing may_create does though is copy the result of inode_permission (or permission in earlier kernels), which we can override.  So, we save the filtering decision in a global, and then in a return probe on inode_permission, we can change the successful $return code to our own error value.  Now, any attempt to create a file that doesn’t pass our rules will get an error of “Permission denied”.

This sort of script is really just a band-aid, and it doesn’t do anything to deal with files that already have “bad” names.  Still, I hope this is an interesting example of how easily one can modify kernel behavior with SystemTap.  This script can be a starting point to define and try out your own filename rules, and changes can be reloaded and tested without ever having to reboot.  Once your policy has been decided, you can configure the script to load as soon as the system boots, so you’re always running with your improved filename rules, even across kernel upgrades.

It’s powerful stuff, but don’t let it get to your head… 🙂

Free Wireless

February 27, 2009 Comments off

I made an upgrade on my netbook today.  Can you spot the difference?

netbook before

netbook after

If you guessed that it’s now 100% open-source compatible, you are correct!

Even though I ordered the Linux package, Dell cheaped out with a Broadcom wireless card that doesn’t have very good Linux support.  Broadcom does have drivers available, but you have to download and compile the wrapper yourself.  Downloading a new driver and all of the kernel-devel packages is a little harder when your network is not connected…

So to replace the Broadcom, I ordered an Intel 3945ABG card, because it is well supported in Linux.  The kernel has the right drivers already included, so Fedora works right out of the box, even booting off of a live cd.  And not only are the drivers open-source, but they even work better.  My connection time shrunk from 20-30 seconds down to about 5 seconds.  I can live with that!

%d bloggers like this: