~chuck/blog

What more could you want?

Browsing Posts published by chuck

I discovered Cyanide and Happiness on YouTube the other day. It’s hilarious.

Also, I found a way to use GPG signing and encryption in Apple’s Mail app.

First, quit Mail. I know it’s hard, but you can do it!

Second, back up your GPG keys and REMOVE YOUR EXISTING ~/.gnupg directory if it exists. The configuration file that already exists somehow conflicts with the pinentry app that prompts for your GPG password. I back up my keys this way:

$ gpg -a --export me@ozymo.com >> me_ozymo.com.asc
$ gpg -a --export-secret-key me@ozymo.com >> me_ozymo.com.asc

Note that this will store your PRIVATE key in the file as well. This is necessary for importing, but not ideal to keep around on some random computer. Use your head.

PGP Preferences in Mail.app

Third, download this file. If you don’t trust me, look here on page 6. Or here. Same file. Once it downloads, drag it into ~/Library/Mail/Bundles. If there is already a GPGMail.mailbundle there, remove it and drop the new one in place.

Fourth, open Mail.

Fifth, be happy. And check out Cyanide and Happiness. It’s REALLY funny. I laughed my ass off and sewed it to a chair.

/cs

Being a Linux user, I am quite accustomed to the netstat flags that I use most often (plant, or sometimes tupac). I recently acquired a MacBook Pro, and found the netstat flags quite different.

clstearns@olly:~$ netstat -ntpl
netstat: l: unknown or uninstrumented protocol
clstearns@olly:~$ netstat -ntl | wc -l
221

clstearns@eli:~$ netstat -ntl | wc -l
6

How annoying it is, having to change one’s habits.

Rather than learning the new flags, I pulled out my trusty lsof:

$ lsof -i tcp:22
COMMAND  PID      USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
ssh     8383 clstearns    3u  IPv4 0x060b0334      0t0  TCP olly.ozymo.com:56829->mail.ozymo.com:ssh (ESTABLISHED)

Using lsof, I can see in the NAME field what kind of connections I have open.

According to the lsof man page, the -i flag takes an option [i] specified as an Internet address. From the man page:

An Internet address is specified in the form (Items in square brackets are optional.):

[46][protocol][@hostname|hostaddr][:service|port]

where:

46 specifies the IP version, IPv4 or IPv6 that applies to the following address. '6' may be specified only if the UNIX dialect supports IPv6. If neither '4' nor '6' is specified, the following address applies to all IP versions.

protocol is a protocol name – TCP, UDP

hostname is an Internet host name. Unless a specific IP version is specified, open network files associated with host names of all versions will be selected.

hostaddr is a numeric Internet IPv4 address in dot form; or an IPv6 numeric address in colon form, enclosed in brackets, if the UNIX dialect supports IPv6. When an IP version is selected, only its numeric addresses may be specified.

service is an /etc/services name – e.g., smtp – or a list of them.

port is a port number, or a list of them.

At least one address component - 4, 6, protocol, hostname, hostaddr, or service - must be supplied.

These addresses can get hairy, according to this example, which means TCP, ports 1 through 10, service name smtp, port 99, host name foo:

tcp@foo:1-10,smtp,99
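
The grammar quoted above, written out as a small parser. This is an added example, not code from lsof or from the original post; `parse_lsof_addr` is a hypothetical name, and it accepts only the TCP and UDP protocol names that the quoted text lists.

```python
import ipaddress
import re

# [46][protocol][@hostname|hostaddr][:service|port], every part optional.
SPEC = re.compile(r"(?P<ipv>[46])?(?P<proto>[A-Za-z]+)?"
                  r"(?:@(?P<host>\[[^\]]+\]|[^:\[\]]+))?(?::(?P<ports>.+))?")

def parse_lsof_addr(spec):
    """Split an lsof -i address into IP version, protocol, host and port list."""
    m = SPEC.fullmatch(spec)
    if not m or not any(m.groups()):          # at least one component is required
        raise ValueError(f"not an lsof -i address: {spec!r}")
    ipv = int(m["ipv"]) if m["ipv"] else None
    proto = m["proto"].lower() if m["proto"] else None
    if proto not in (None, "tcp", "udp"):     # the protocols the quoted text lists
        raise ValueError(f"unknown protocol: {proto}")
    host = m["host"].strip("[]") if m["host"] else None
    if host and ipv:
        try:
            numeric = ipaddress.ip_address(host).version
        except ValueError:
            numeric = None                    # a host name, not a numeric address
        if numeric and numeric != ipv:        # "only its numeric addresses may be specified"
            raise ValueError(f"IPv{ipv} selected but {host} is IPv{numeric}")
    ports = []
    for item in (m["ports"] or "").split(","):
        lo, dash, hi = item.partition("-")
        if item.isdigit():
            ports.append(int(item))           # single port number
        elif dash and lo.isdigit() and hi.isdigit():
            ports.append((int(lo), int(hi)))  # inclusive port range
        elif item:
            ports.append(item)                # an /etc/services name
        elif m["ports"] is not None:
            raise ValueError("empty entry in port list")
    return {"ipv": ipv, "protocol": proto, "host": host, "ports": ports}

if __name__ == "__main__":
    print(parse_lsof_addr("tcp@foo:1-10,smtp,99"))
```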

lsof allows me to gain the information I need pertaining to my network connections, and when combined with some of the simpler options for MacOS’s netstat version (Mach-O universal binary with 3 architectures; it’s also the BSD4.2 version, whereas my Ubuntu box reports that the installed netstat command version 1.42 is from the net-tools package) it makes for a very handy tool.

Thanks to Greg and the man for the information on lsof.

/cs

doexec

Check this out:

$ doexec yes lolbutts > /dev/null &
$ ps auxww | grep lolbutts
500      28962 96.8  0.2  58908   544 pts/1    R    11:00   0:06 lolbutts

OK, so now hear this:

$ doexec /tmp/udp.pl /usr/sbin/httpd &
$ ps auxww | grep httpd
apache   27601  0.0 12.9 264324 34016 ?        S    07:44   0:08 /usr/sbin/httpd
apache   27887  0.0 12.6 265956 33264 ?        S    08:42   0:06 /usr/sbin/httpd
apache   28103  0.0 11.2 257932 29452 ?        S    09:24   0:03 /usr/sbin/httpd
apache   28108  0.0 11.8 262884 31040 ?        S    09:24   0:04 /usr/sbin/httpd
apache   28580  0.1 11.0 257296 28948 ?        S    10:56   0:01 /usr/sbin/httpd
apache   29015 90.8  0.2  58908   548 pts/1    R    11:07   0:04 /usr/sbin/httpd

Can you pick which one isn’t really Apache?

Thanks to Kale for pointing out this nifty utility.

/cs
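
ps prints whatever argv[0] the process was started with, which is why the listing above cannot be trusted on its own. On Linux the kernel's own record of the executable is the /proc/PID/exe link, so comparing the two answers the question. The check below is an added example, not part of the original post; the function names are hypothetical and it assumes a Linux-style /proc.

```python
import os

def argv0_mismatch(exe, argv0):
    """True when the name ps shows (argv[0]) disagrees with the real executable."""
    if exe.endswith(" (deleted)"):       # the kernel marks a binary unlinked after exec
        exe = exe[: -len(" (deleted)")]
    name = argv0.lstrip("-")             # login shells run as "-bash"
    if os.path.isabs(name):
        return os.path.normpath(name) != exe
    return os.path.basename(name) != os.path.basename(exe)

def scan_proc(proc="/proc"):
    """Return (pid, exe, argv0) for each readable process whose argv[0] mismatches."""
    hits = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc)), key=int):
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue                     # kernel thread, exited, or not permitted
        if argv0 and argv0_mismatch(exe, argv0):
            hits.append((int(pid), exe, argv0))
    return hits

if __name__ == "__main__":
    # Run as root to see every user's processes.
    for pid, exe, argv0 in scan_proc():
        print(f"{pid}\texe={exe}\targv0={argv0}")
```

Daemons that rewrite their own process title and binaries reached through a symlinked directory also show up here, so treat each hit as a lead to check rather than a verdict.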

I do simple DNS checks on the hosts that attempt to send mail to my server.

Wal-Mart fails:

Jan 4 23:07:18 oz postfix/smtpd[25560]: NOQUEUE: reject: RCPT from mail1.walmart.com[161.170.244.39]: 450 4.7.1 < ndc-mta1.walmart.com >: Helo command rejected: Host not found; from=< batch@ndc-fulmailapp1.walmart.com > to=< addy@ozymo.com > proto=ESMTP helo=< ndc-mta1.walmart.com >

/cs

UPDATE: I’ve been asked to provide some background on this. So here goes: My wife requested her password for her Wal-Mart online account, and didn’t receive any email. Looking at the logs, I found the above failure. I have my server configured to reject mail from servers whose hostname doesn’t map correctly via forward DNS, and thus, Wal-Mart failed. /cs
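
A strict HELO check is easier to live with if you periodically review what it turned away. The summary below is an added example, not the author's tooling: it groups HELO rejections by the name the client announced and separates 4xx (the sender will retry) from 5xx. The first sample line is the one quoted above; the other two are constructed, and `helo_rejects` is a hypothetical name.

```python
import re

# Postfix smtpd reject record; tolerates the padded "< ... >" seen in the quoted line.
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <\s*(?P<subject>[^>]*?)\s*>: "
    r"(?P<reason>[^;]+); from=<\s*(?P<sender>[^>]*?)\s*> "
    r"to=<\s*(?P<rcpt>[^>]*?)\s*> proto=\S+ helo=<\s*(?P<helo>[^>]*?)\s*>")

SAMPLE = [
    # Line from the post.
    "Jan 4 23:07:18 oz postfix/smtpd[25560]: NOQUEUE: reject: RCPT from "
    "mail1.walmart.com[161.170.244.39]: 450 4.7.1 < ndc-mta1.walmart.com >: "
    "Helo command rejected: Host not found; "
    "from=< batch@ndc-fulmailapp1.walmart.com > to=< addy@ozymo.com > "
    "proto=ESMTP helo=< ndc-mta1.walmart.com >",
    # Constructed: bounce sender, client without reverse DNS.
    "Jan 4 23:09:41 oz postfix/smtpd[25571]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.25]: 450 4.7.1 <mta.example.net>: Helo command rejected: "
    "Host not found; from=<> to=<user@example.com> proto=ESMTP helo=<mta.example.net>",
    # Constructed: a different kind of reject, which the summary ignores.
    "Jan 4 23:11:02 oz postfix/smtpd[25580]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.77]: 554 5.7.1 <x@example.org>: Relay access denied; "
    "from=<y@example.org> to=<x@example.org> proto=ESMTP helo=<example.org>",
]

def helo_rejects(lines):
    """Map each rejected HELO name to its clients, sender domains and 4xx/5xx counts."""
    out = {}
    for line in lines:
        m = REJECT.search(line)
        if not m or not m["reason"].startswith("Helo command rejected"):
            continue
        entry = out.setdefault(m["helo"], {"clients": set(), "sender_domains": set(),
                                           "soft": 0, "hard": 0})
        entry["clients"].add(f'{m["client"]}[{m["ip"]}]')
        entry["sender_domains"].add(m["sender"].rpartition("@")[2] or "<>")
        entry["soft" if m["code"].startswith("4") else "hard"] += 1
    return out

if __name__ == "__main__":
    for helo, entry in sorted(helo_rejects(SAMPLE).items()):
        print(helo, entry)
```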

I recently rediscovered some interesting functionality in the yum application used by CentOS, Fedora, Red Hat, and others. Namely, meta-packages or “groups” that will install a set of packages geared toward a specific function.

For instance, to list installed and available groups, do as such:

# yum grouplist

This will provide a list of all installed and available meta-packages by name. To install, say, a LAMP stack on a base CentOS install, run the following:

# yum groupinstall 'Web Server' 'MySQL Database'

Happy Hacking!

/cs

In the event that you need to disable PHP’s APC, Advanced PHP Cache, module for a single domain, add the following to the Apache configuration:

<Directory /path/to/docroot>
php_admin_flag apc.enabled "0"
</Directory>

If you want to do this on the fly for developers so they can actually see their changes before the cache updates, simply throw it into a .htaccess file in the DocumentRoot.

/cs

Thanks to somerandomstuff.com for their excellent article on disabling SSLv2 ciphers in qmail.

Create this file:

# cat /var/qmail/control/tlsserverciphers
ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

Restart qmail, and done.

Happy hacking!

/cs

Here’s a little command line hack that will calculate the bandwidth for all maillogs on your Plesk server, for SMTP, and POP/IMAP send and receive:

(echo "smtp:  `(cat maillog maillog.processed && zcat maillog.processed.*) | grep bytes | grep qmail: | awk '{sum=sum+$11} END { print sum}'`" && (cat maillog maillog.processed && zcat maillog.processed.*) | grep pop3 | grep LOGOUT | awk '{print $13,$14}' | sed 's/,//g;s/....=//g' | awk '{sumrcvd=sumrcvd+$1; sumsent=sumsent+$2} END {print "rcvd: ",sumrcvd,"\n" "sent: ",sumsent}') | awk '{total=total+$2; print} END {print "total: ",total/1024/1024 "MB"}'

Run it from /usr/local/psa/var/log. It outputs something along these lines:

smtp: 397852373
rcvd: 228219
sent: 211813204
total: 581.64MB

Enjoy!
/cs

Rotating 2-sided Cube

I’ve been envious of a friend’s Visor app on her Mac for a while now, and finally decided to do something about it.

Button Implants

Yes, Google’s buttons got bigger.

/cs

Bilbo Blogger

Mostly just trying this bilbo thing out.

/cs

UPDATE: looks like it works pretty good.

So, I decided to add a little security to the mail system with SASL auth and TLS. We’ll discuss TLS configuration first because I set Postfix up to only allow TLS logins, so testing whether or not SASL is working later requires that TLS be set up, in this particular case.

My thanks to zulfikars.org for an excellent, easy-to-follow solution to the Pidgin-Yahoo problem. It worked like a champ, and I didn’t have to update to sid.

It’s also a great introduction to building packages in Debian.

/cs

UPDATE: After I implemented the above solution, I learned about Debian backports. zulfikars’s solution is excellent and informative, but backports.org’s is more user-friendly, and easier to handle for the noob.  /cs

While attempting to build HAL on Beyond Linux From Scratch (Currently the SVN version, scheduled to be the 6.4 release), I came across this error:

probe-storage.c: In function ‘main’:
probe-storage.c:462: error: dereferencing pointer to incomplete type
probe-storage.c:462: error: ‘VOLUME_ID_FILESYSTEM’ undeclared (first use in this function)
probe-storage.c:462: error: (Each undeclared identifier is reported only once
probe-storage.c:462: error: for each function it appears in.)
probe-storage.c:463: error: dereferencing pointer to incomplete type
probe-storage.c:463: error: ‘VOLUME_ID_RAID’ undeclared (first use in this function)
probe-storage.c:464: error: dereferencing pointer to incomplete type
probe-storage.c:464: error: ‘VOLUME_ID_OTHER’ undeclared (first use in this function)
probe-storage.c:465: error: dereferencing pointer to incomplete type
probe-storage.c:465: error: ‘VOLUME_ID_CRYPTO’ undeclared (first use in this function)

After some looking around, I had almost given up hope when I decided to take a look at /usr/include/libvolume_id.h where the particular VOLUME_ID structs are created. I also Googled for that file name, and came across koders.com’s enumeration of header files. The file listed on their site was 116 lines, and the file installed on my LFS box was only 54, and didn’t include the structs for the items listed in the above error.

After making a backup of the original libvolume_id.h file, I copied the file from koders.com (which, incidentally, is from CentOS) and catted it into place on my server.  I ran the compile for HAL again, and now enjoy the sweet and slightly spicy flavor of success.

Hoorah.

/cs

This nearly scared the life out of me:

[chuck@thom ~]$ gpg -v
Warning: using insecure memory!
gpg: Go ahead and type your message ...

I was on a FreeBSD virtual machine, and had just installed GnuPG.  As it turns out, I rtfm’d and found the solution:

In the “BUGS” section of the gpg(1) man page:

On many systems this program should be installed as setuid(root). This is necessary to lock memory pages. Locking memory pages prevents the operating system from writing memory pages (which may contain passphrases or other sensitive material) to disk. If you get no warning message about insecure memory your operating system supports locking without being root. The program drops root privileges as soon as locked memory is allocated.

Here are the steps I took to make the gpg2 binary setuid:

$ which gpg
/usr/local/bin/gpg
$ ls -lah /usr/local/bin/gpg
lrwxr-xr-x  1 root  wheel     4B Feb  3 04:36 /usr/local/bin/gpg -> gpg2
$ chmod 4755 /usr/local/bin/gpg2
$ ls -lah /usr/local/bin/gpg2
-rwsr-xr-x  1 root  wheel   576K Feb  3 04:36 /usr/local/bin/gpg2

So, sure enough, after setting the gpg2 binary to be setuid, everything worked:

[chuck@thom ~]$ gpg -v
gpg: Go ahead and type your message ...

Now I can safely, securely use gpg on FreeBSD.

/cs