coldtobi's blog

Configure lighttp to simulate .htaccess rules (Deny From All)

Sat, 19 Jun 2010 13:14:31 +0200

Unfortunatly, lighhtpd does not support ".htaccess" rules directly. So if you want to use a script targeted for Apache, you have to implement your own rules. Luckily, the most needed rule is to forbid the serving of a whole directory, the "Deny From All" rule. This one can be emulated within the lighttpd.con -- but you have to list every affected directory. A tedious task to find out every .htaccess contianing the rule and then adding the path to the configuration. But this can be automated:

#!/bin/bash # run this script in the base directory of the web content # give a parameter the mapping to the webroot, eg. # if it is running under localhost/xyz/, say "/xyz/" found=$(find -name ".htaccess" ) echo $found >&2 for files in $found do f=$(echo $files | sed -e "s/^\.\///" -e "s/\.htaccess$//g" ) cat $files | grep -i "Deny" | grep -i "from" | grep -i -L "All" if [[ $? -eq 0 ]] then echo '# Detected deny from all in ' $files echo '$HTTP["url"] =~ "^'$1/$f'" {' echo -e "\\turl.access-deny = (\"\") \\n}" fi done Invoke this script in the root directory of your apache-flavoured webscript, giving it a parameter what the "webprefix" of the directory is. For example, if your script is located in /usr/share/squirellmail, the url is "http:///squirrel execute it in /usr/share/squirellmail with the parameter "squirrel" The output of the script can be directly appended to the lighttpd.conf (e.g piping it with >>) (Note: Always check the result before applying it! The script might not find all files to block, or failing to parse more complicated rules!)

WoW Money Laundering?

Sat, 19 Jun 2010 09:37:21 +0200

Today I want to share you a spam comment which was submitted some days ago. (I modified the comment and removed all external links. SPAM won't pay on this blog) It seems that WoW has some reached some money laundery scheme, at least with "virtual money." I'm not playing the game, but it could also be that they (gold traders?) Use some victim as money mule to hide traces? Anti-Cheat detection prevention (you know, buying gold is considered cheating). I don't know, but I think it is an interesting development, and it might make sense to use caution. Especially if this is a way to launder real money, this can cause you real trouble (this could send someone to jail, worst case. IANAL ! ) Disclaimer: I am not a lawyer! This is not legal advice! Entire guild got wow gold . So did 5,000 other people. We got a good laugh out of wow gold . Then reported the idiot.Over a billion Chinese, a good percentage of them I’m sure with enough creative juices to come up with something better than this crap, but I guess the good ones chose not to work for the RMT industry, so only the quasi-bots whose sole talent is copying-and-pasting are left to generate this laughable excuse of content.Well, you know the drill, kiddies. Don’t buy wow gold from the above seller. Visiting their website might give you the keylogging booboo-jeebies.This isn't about any particular wow gold -selling site. It’s about a common denominator - a complaint that’s cause for concern - in the several emails I received from different readers who have ordered wow gold from different sites. In fact, it’s a scary pattern that I think all legitimate and professional gold sellers should address; otherwise their reputation could be ruined.Here’s what’s been happening:1. Customer buys wow gold from seller.2. Seller delivers. Customer gets the goodies.3. Minutes later, customer gets a tell in-game to return the wow gold . Why? The reasons vary, ranging from "Blizzard has seen the transaction and you better give us back the gold so your account won’t be banned" to "Sorry I gave the gold to the wrong person, you are not my customer, please give me back the wow gold or else I will tell Blizzard you bought from us" (probably the lamest excuse in the book). What’s scary is that the toon name of the scammer telling the player to return the wow gold bears a near-resemblance to the delivery toon. Example: genuine delivery toon is named Justin…and scammer toon sending the tell happens to be a Jüstin - with an umlaut accent. Pretty tricky and difficult for the player to spot the difference.I’m just wondering how the hell the scammer could know about the transaction quick enough to create a character mimicking the name of the delivery toon and in a matter of minutes, launch their attack on the poor buyer. Have those scam artists started planting spies in the usual meeting places like Ratchet and the banks of Org and Stormwind? Aion gold sellers, you better do something about this shirt. (The text above is Comment received. It is verbatim quoted with just the external links changed to a local hook. It does not necessarly reflect coldtobi's opinion.) Disclaimer: I am not a lawyer! This is not legal advice!

Samba: No mount as user.

Mon, 05 Apr 2010 22:48:23 +0200

For security reasons (CVE-2009-2948) samba ceases to support setuid mount.cifs. Until at least a proper fix has been generated (saw patches for them, but at least in Debian they are not or defunc (Patches: http://archives.free.net.ph/message/20100326.142523.e959e38d.en.html, details of the problem http://www.samba.org/samba/security/CVE-2009-2948.html ) (IMHO the CVE is valid, but only makes sense in an multi-user enviorment and if you want to store your passwords in some files. Both are false for me. ) However, I need a working system. The other option is waiting until upstreams deciding what's better for me -- a security problem not touching my samba usage or no service at all. (Yes, I'm a little upset by this -- hitten cold by this "improvement" and finding out that they indeed choosen a way to "fix" it by disabling the execution at all. When I read the CVE notice from samba, it could also be done to disable the offending "information leaking" command options when run setuid... Well.) Well *taking deep breath* lets stop ranting: The quick-and-dirty do-as-before repair is to disable the setuid check. For this -- using debian apt-get source cifs-utils (also build-dependencies) and edit the mount.cifs.c file at line 88 so it reads: #define CIFS_DISABLE_SETUID_CHECK 1 dpkg-buildpackage -us -uc and install the generated package, and enjoy your working-again version.

Nice Links #1 -- How hardrives works and how they do recovery

Sun, 14 Mar 2010 10:07:58 +0100

I start a new series: Nice Links: Links I came around and I want to keep / share. Today: Harddisks low level functionality explained, some types of errors and some approach to repair. (Interesting, but don't try this at home.) http://www.myharddrivedied.com/presentations_whitepaper.html I came accross this site, as my laptop's hardrive showed some read erros in the log, and I wanted to know what the AMNF acrconym is all about. This was the error my drive showed. This also reminded me to do backups ;-) As an addional link for today (contained in the original one): http://hddguru.com/content/en/software/2005.10.02-MHDD/ is a tool I needed some time earlier: Instead I tried with the OEM's tool to remap one nasty bad block -- as I found out, they are only remapped when written to it... Another Xtra, link also stolen from the first site: A paper about HDD failure patterns: http://labs.google.com/papers/disk_failures.pdf

Squirrelmail and lighttpd -- An Installation Guide --

Sat, 09 Jan 2010 21:57:45 +0100

Today I installed the squirrel on my Thecus. The horde used before -- even if powerful -- was just to slow to make fun. As friends told me that the squirrel is slick and quick -- as its name suggests. (After installation, I can confirm this) The squirrel -- is a web interface for accessing your mail, written in PHP. It does -- by default -- needs not to have any database. It can access your mail both by IMAP and by POP3. As my setup is not the regular "Apache" based one, it might make sense to show how it has to be configured with lighttpd as web server. Lets start. (Assumptions: You have debian installed, and lighttpd is running as web server. It is set up to run PHP scripts. This is not covered here. Well I think, at least I once described installing debian on the Thecus... Please use the search button...) BTW, I use dovecot as IMAP provider. This one really pretty in terms of configuration and speed. Also its configuration is not explained here.

After the message from the advertiser, now lets really start: 1. Install the packages squirrelmail aptitude install squirrelmail Yes, this is why I love debian that much. One line pulls in everything you need for a program. Nevertheless, there are some optional plugins, which are not installed by default but available via debian packaging system. 2. Configure squirrelmail The Tool (Note: In this guide, I will not show every configuration option, just the most important ones. I guess you want to walk through every option by yourself.) The busy squirrel team supplied a tool for configuration: squirrelmail-configure When invoked, it will show you this menu: SquirrelMail Configuration : Read: config.php (1.4.0) --------------------------------------------------------- Main Menu -- 1. Organization Preferences 2. Server Settings 3. Folder Defaults 4. General Options 5. Themes 6. Address Books 7. Message of the Day (MOTD) 8. Plugins 9. Database 10. Languages D. Set pre-defined settings for specific IMAP servers C Turn color off S Save data Q Quit Command >> The program is self-explanatory. Just enter the number before the menu and follow the on screen instructions. Presetting your IMAP Server Using the tool your squirrel will be ready in no-time. First, you should apply some settings according your mail server setup. This would be Command "D": SquirrelMail Configuration : Read: config.php --------------------------------------------------------- While we have been building SquirrelMail, we have discovered some preferences that work better with some servers that don't work so well with others. If you select your IMAP server, this option will set some pre-defined settings for that server. Please note that you will still need to go through and make sure everything is correct. This does not change everything. There are only a few settings that this will change. Please select your IMAP server: bincimap = Binc IMAP server courier = Courier IMAP server cyrus = Cyrus IMAP server dovecot = Dovecot Secure IMAP server exchange = Microsoft Exchange IMAP server hmailserver = hMailServer macosx = Mac OS X Mailserver mercury32 = Mercury/32 uw = University of Washington's IMAP server quit = Do not change anything Command >> In my case, I entered "dovecot". The tool confirms what it changed. "2. Server Settings " One important menu is to check "Server Settings". I wrote "check" because the defaults given are usually fine. You should confirm if /etc/mailname is correct, containing the right mail domain. (Usually, on a right-setup linux, it will. If not, I suggest you spend a while with the debians installation guide to get it right) Usually – when your box is setup right – you can use the SMTP (localhost:25) to send out mails. Again, be referenced to some debian documentaion) Here are the setting I use: Server Settings General ------- 1. Domain : trim(implode('', file('/etc/'.(file_exists('/etc/mailname')?'mail':'host').'name'))) 2. Invert Time : false 3. Sendmail or SMTP : SMTP A. Update IMAP Settings : localhost:143 (dovecot) B. Update SMTP Settings : localhost:25 Global Address Book Squirrelmail also allows you to have a global address book, optionally writable by all your users. To use this feature, first you have to enable it via the options in " 6. Address Books".: Address Books 1. Change LDAP Servers 2. Use Javascript Address Book Search : false 3. Global file address book : /var/lib/squirrelmail/globladrbook/adr.csv 4. Allow writing into global file address book : true 5. Allow listing of global file address book : true 6. Allowed address book line length : 2048 R Return to Main Menu C Turn color off S Save data If you have an LDAP, you can use it here. For me LDAP is to way to much (and also read-only), I go with the "global file address book". To do this, select "3" and enter the file-name including path for the file where the addresses should be stored. Now you have to create the path and the file by yourself, adjusting the permissions: (adapt to the paths you're using) mkdir -p /var/lib/squirrelmail/ touch /var/lib/squirrelmail/adr.csv chown root:www-data /var/lib/squirrelmail/ chown www-data:www-data /var/lib/squirrelmail/adr.csv chmod 0770 /var/lib/squirrelmail/ /var/lib/squirrelmail/adr.csv Plugins Squirrelmail has a lots of plugins . Some of them are shipped already with the base version. Once installed, stop by the configuration option "8" and select everything you like. Saving & Testing If you are done configuring, don't forget to save. After you quit, squirrelmail tells you that you should test your configuration: Exiting conf.pl. You might want to test your configuration by browsing to http://your-squirrelmail-location/src/configtest.php Happy SquirrelMailing! But we are not yet ready: The lighttpd is not set up to serve for the squirrel. 3. Configure lighttpd Lighttpd does not yet know that it also should help you reading your mail. This is next. Open / etc/lighttpd/lighttpd.conf. M aybe around line175, add the (red) section shown below: This will tell the web server to which “directory” it should map the squirrel. (My setup maps the reader to the "http://example.com/squirrel".) #### handle Debian Policy Manual, Section 11.5. urls ## by default allow them only from localhost ## (This must come last due to #445459) ## Note: =~ "127.0.0.1" works with ipv6 enabled, whereas == "127.0.0.1" doesn't $HTTP["remoteip"] =~ "127.0.0.1" { alias.url += ( "/doc/" => "/usr/share/doc/", "/images/" => "/usr/share/images/" ) $HTTP["url"] =~ "^/doc/|^/images/" { dir-listing.activate = "enable" } } # For squirrelmail alias.url += ("/squirrel/" => "/usr/share/squirrelmail/" ) Check that out! Done? Reload lighty's configuration (invoke-rc.d lighttpd reload) and open up a browser to check your configuration.. Remember, it told us to load http://your-squirrelmail-location/src/configtest.php. Maybe it finds some non-perfect PHP setting, some tweaks, etc. The page is very verbatim, so fixing them should be not a problem. (I had to switch off two fetures in /etc/php5/cgi/php.ini) But eventually, you will see Congratulations, your SquirrelMail setup looks fine to me! and can start using your squirrel. Follow Up : Fixing htaccess for lighttpd Unfortunatly, lighttpd does not support .htaccess files. Squirrelmail does not depend on the support of these files, but protects source code files from being served by the web server. Even if squirrelsmail's developer are comortable with this (see quote), I'd prefer not to serve these files. Only a small subset of the SquirrelMail source code needs to be directly accessible to users' browsers. The rest of the source code is used internally by SquirrelMail. Leaving the entire source tree open to outside access is not a problem or vulnerability, but some attackers have been known to snoop for old versions of SquirrelMail by trying to inspect things such as the ChangeLog file. If you want to employ the maximum level of protection against snoops and would-be attackers, you can make use of the .htaccess files that come with the SquirrelMail source code by adding " AllowOverride AuthConfig " to the Directory settings for SquirrelMail in your Apache configuration file (if using the Apache web server), or you can use the Directory settings suggested in the Apache configuration section below. [Quoted from here ] In an follow up article, I will describe how you simulate the .htaccess with lighttpd's mod_access -- at least the "Deny from All" rule. So lets close for today with a word from the advertiser

Update: The follow up is now online.

Link Crosscompiling

Thu, 07 Jan 2010 20:59:44 +0100

In case I port solarpowerlog to arm hardware.... http://pocoproject.org/wiki/index.php/CrossCompiling

git cheat sheet

Thu, 07 Jan 2010 13:01:35 +0100

A Cheat-sheet for not-so-often used or some command I frequently forget.... Some commands you just use too seldom. When you need them, you just thinking how you did it before... So I need a cheat sheet to note these down...

Push to a remote branch (warning not tested) git push . origin/ Push one branch to another remote one (for example pushing it from the bleeding edge "trunk" to a staging area called "testing." git push origin trunk:testing explained: git push origin : Afterwards, the branches are at the same commit. Checkout tracked branches git checkout --track -b / e.g git checkout --track -b testing origin/testing of -- to delete and recreate it -- git branch -f origin/ A Git workflow explained This description is targeted for workgroups, but also works if you are alone on the project and want to use feature-branches dedicated for some well feature... http://reinh.com/blog/2009/03/02/a-git-workflow-for-agile-teams.html Link: Clone all branches http://stackoverflow.com/questions/67699/how-do-i-clone-all-remote-branches-with-git Link: Best practive for commit messages http://www.tpope.net/node/106 Link: Gitosis -- add a new repository http://bogdan.org.ua/2009/02/20/gitosis-how-to-add-new-repository.html Link: Gitosis -- Git and Gitosis under windows (windows users as client) http://blog.dmbcllc.com/2010/04/22/git-gitosis-putty-and-windows/