dwm and dmenu

For the past few months I've been using dwm by the good folks over at suckless.org. I've finally found a window manager where I use perhaps 90% of its features on a daily basis, yet I'm never left wanting more.

I've come to admire its simplicity, especially in combination with the `dmenu` program. My status bar is a simple `rc` script which prints the time, load and wifi link quality on a single line every couple of seconds; gone are the days of desktop status widgets eating resources better spent on productive work.

#!/usr/bin/env rc
# Start dwm like: $HOME/this-script.rc | dwm
# (this version of dwm reads its status text from stdin).
# rc only knows single quotes, so the tr arguments below are single-quoted.
while(true) {
  {
    echo -n 'time: '
    # uptime output starts with a space, so the clock is field 2
    uptime | cut -f 2 -d ' '

    echo -n 'load: '
    cut -f 1 -d ' ' /proc/loadavg

    echo -n 'wifi: '
    iwconfig eth1 | grep 'Link Quality' | cut -f 2 -d '=' | cut -f 1 -d ' '
  } | column | tr '\t' ' '

  sleep 2
}

The menu is another simple shell script which feeds the contents of my $HOME/.dmenu/ directory (scripts, or symlinks to the programs I use regularly) to `dmenu` and executes whichever one I choose.

#!/bin/sh
# List ~/.dmenu in dmenu and exec the chosen entry.
# Any extra arguments are passed through to dmenu (font, colours, ...).
dir="$HOME/.dmenu"
[ -d "$dir" ] || exit 1
cmd=$(ls -1 "$dir" | dmenu "$@") || exit 1
# dmenu returns whatever was typed, not only a listed entry, so refuse
# anything that is not a plain file name inside the directory.
case "$cmd" in
  ''|*/*|.*) exit 1 ;;
esac
[ -x "$dir/$cmd" ] && exec "$dir/$cmd"

There are bugs that I've not been able to track down yet which are only apparent with Windows applications running in `wine`, like Photoshop®: while the application works flawlessly, whenever I click on tool windows they jump a few pixels to the right. Odd, but still usable.

While it's all up and running it looks something like this.

MPC Playlist Handler

One tiny problem I found with MPC is that it doesn't integrate as nicely with Firefox/Opera as I would wish: for example, when I download a .m3u or .pls file I can't have the streams it points to added to the MPC playlist.

So the solution is:

#!/bin/bash
# Add every stream listed in a .pls playlist to the mpd queue via mpc.
# Takes a local playlist file or a URL as the only argument.
if [ -z "$1" ]; then
  echo "Usage: $(basename "$0") playlist-file-or-URL" >&2
  exit 1
fi

url=$1
tmpfile=
# Not a local file, so presume a remote URL and fetch it.
if [ ! -f "$1" ]; then
  tmpfile=$(mktemp) || exit 1
  trap 'rm -f "$tmpfile"' EXIT
  wget --quiet -O "$tmpfile" "$1" && url=$tmpfile
fi

if [ ! -f "$url" ]; then
  echo "Error: cannot retrieve playlist" >&2
  exit 1
fi

# .pls entries look like "File1=http://host/stream": strip the key, drop any
# CR from Windows-saved playlists, and hand mpc one URL per line so that
# whitespace or quotes inside a URL cannot confuse xargs.
grep -E '^File[0-9]*=' "$url" | cut -f 2- -d '=' | tr -d '\r' | xargs -d '\n' mpc add

Takes either a local file or a URL to the playlist as the first parameter and adds all the streams/files it lists (the File= entries of the .pls format) to the MPC playlist.
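The script above only understands the File1=... entries of the .pls format. As an added example (not the original handler), the following sh script generalises it to .m3u as well, where every non-comment line is a URL, and filters the result to http(s) streams so that a playlist fetched from the web cannot queue local paths. The sample playlists it writes are constructed for the demonstration, and the function names (playlist_urls, remote_urls_only, add_playlist_to_mpc, write_samples) are mine.

```shell
#!/bin/sh
# Added example: extract stream URLs from a .pls or .m3u playlist and push
# them to mpc one argument per line, so URLs containing spaces or quotes
# survive intact. Requires GNU xargs for -d.

# Print the URLs listed in a playlist file, one per line, with CR stripped
# so playlists saved by Windows tools also work.
playlist_urls() {
    case "$1" in
        *.pls|*.PLS)
            # Only the FileN= keys carry URLs; Title/Length lines are skipped.
            grep -E '^File[0-9]*=' "$1" | cut -d= -f2- | tr -d '\r'
            ;;
        *)
            # .m3u/.m3u8: every non-empty line that is not a '#' comment/directive.
            grep -Ev '^[[:space:]]*(#|$)' "$1" | tr -d '\r'
            ;;
    esac
}

# Drop anything that is not a remote http(s) stream: a playlist fetched from
# the web should not be able to queue local paths or other URI schemes.
remote_urls_only() {
    grep -E '^https?://'
}

# Feed the surviving URLs to mpc, one URL per argument (-r: do nothing if empty).
add_playlist_to_mpc() {
    playlist_urls "$1" | remote_urls_only | xargs -d '\n' -r mpc add
}

# Constructed sample playlists (not real stations) exercising both parsers:
# CRLF line endings in the .pls, a space in one URL, and a local path in the .m3u.
write_samples() {
    printf '[playlist]\r\nNumberOfEntries=2\r\nFile1=http://stream.example/one\r\nTitle1=One\r\nFile2=http://stream.example/two three\r\nLength2=-1\r\n' > "$1/a.pls"
    printf '#EXTM3U\n#EXTINF:-1,Radio\nhttp://stream.example/m3u\n\n/music/local.mp3\n' > "$1/b.m3u"
}

if [ $# -eq 1 ]; then
    add_playlist_to_mpc "$1"
else
    # No argument: run over the constructed samples and show what would be queued.
    sampledir=$(mktemp -d)
    write_samples "$sampledir"
    for f in "$sampledir/a.pls" "$sampledir/b.m3u"; do
        echo "== $f"
        playlist_urls "$f" | remote_urls_only
    done
    rm -rf "$sampledir"
fi
```

Hooked up as the browser's handler for .pls/.m3u, the script is handed a file path, so the download step of the original script is not repeated here; the scheme filter is the one place where a malicious playlist is stopped from doing anything other than adding remote streams.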


More on pam_chroot and suPHP

I finally got round to solving my per-user chrooting issues by hacking suPHP to read the /etc/security/chroot.conf file (pam_chroot's own configuration) if no global chroot is specified, allowing individual users to be chrooted.

The patch is against 0.6.3 with all the Debian patches applied (or perhaps it's 0.6.2-3). It is running in production here, but I wouldn't consider it ready for production use elsewhere.

Download: suphp-0.6.3-chroot.diff


Secure, Usable chrooted users

Recently I've been helping a friend lock down a Debian server so that many untrusted users and websites can be let loose on it without worrying too much about a system compromise, and without the overhead of virtual servers.

Currently our software stack consists of:

  • grsecurity for system & chroot hardening
  • Global Apache instance
  • Multiple Debian instances in /var/chroot created with debootstrap
  • pam_chroot to jail individual users
  • SuPHP (with chroot support)

Cron Support

Because we'd like users to have everything they'd normally use, cron is a must-have feature. Vixie cron uses PAM on Debian, so by default it honours each user's pam_chroot setting.

The only problem was: how do chrooted users edit their crontab? Simple: bind mount the global cron spool inside each chroot. With the correct directory permissions there is no information leakage between users, since Debian's crontabs directory is mode 1730 root:crontab and is only reachable through the setgid crontab binary, so a user can touch their own file but cannot list or read anyone else's.

Currently each chroot has its mounts set up like this in /etc/fstab:

proc-chroot     /var/chroot/www/proc            proc    defaults        0       0
devpts-chroot   /var/chroot/www/dev/pts         devpts  defaults        0       0
/var/spool/cron /var/chroot/www/var/spool/cron  none    bind            0       0
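As an added example (not the author's forthcoming scripts), here is a small sh script that sets up the same three mounts for one chroot under /var/chroot and checks the shared spool's permissions. It assumes Debian's cron layout, where crontab(1) is setgid crontab and /var/spool/cron/crontabs is mode 1730 root:crontab; the DRY_RUN switch, the chroot-name check and the function names are mine. One caveat it handles that the fstab lines above do not: a plain bind mount inherits the source's mount flags, so nodev/nosuid/noexec have to be applied with a second remount.

```shell
#!/bin/sh
# Added example: mount proc, devpts and the bind-mounted cron spool for one
# chroot, and verify the spool cannot leak crontabs between users.
# Run as root; with DRY_RUN=1 the mount commands are printed instead.
# Assumes Debian's cron package layout (see lead-in).

CHROOT_BASE=${CHROOT_BASE:-/var/chroot}
SPOOL=/var/spool/cron

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Map a chroot name to its directory, refusing names that would escape
# CHROOT_BASE (empty, "/", "..", or anything containing a slash).
chroot_path() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
    esac
    echo "$CHROOT_BASE/$1"
}

# Pure check on "mode owner group" as printed by stat -c '%a %U %G':
# crontabs must be 1730 root:crontab so users only reach their own file
# through the setgid crontab(1) and cannot list or read the rest.
spool_perms_ok() {
    [ "$1" = "1730" ] && [ "$2" = "root" ] && [ "$3" = "crontab" ]
}

mount_chroot() {
    root=$(chroot_path "$1") || { echo "bad chroot name: $1" >&2; return 1; }
    [ -n "$DRY_RUN" ] || [ -d "$root" ] || { echo "no such chroot: $root" >&2; return 1; }
    run mount -t proc proc-chroot "$root/proc"
    run mount -t devpts devpts-chroot "$root/dev/pts"
    run mount --bind "$SPOOL" "$root$SPOOL"
    # A bind mount keeps the source's flags; remount to add the restrictive
    # ones (nothing in the spool should ever be a device, setuid or executed).
    run mount -o remount,bind,nodev,nosuid,noexec "$root$SPOOL"
}

check_spool() {
    root=$(chroot_path "$1") || return 1
    set -- $(stat -c '%a %U %G' "$root$SPOOL/crontabs")
    spool_perms_ok "$@"
}

case "${1:-}" in
    mount) mount_chroot "$2" ;;
    check) check_spool "$2" && echo "cron spool permissions look right" ;;
    *) echo "usage: $0 mount|check <chroot-name>" >&2 ;;
esac
```

Usage: `./chroot-mounts.sh mount www` after the chroot has been debootstrapped, then `./chroot-mounts.sh check www` to confirm the spool as seen from inside the jail still carries the right mode and ownership. The chroot name is deliberately not a path so that a typo or a crafted name cannot bind the host's spool somewhere outside /var/chroot.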

SuPHP

My only major gripe with SuPHP (and others like cgiwrap) is that they don't support PAM (or pam_chroot), which makes my life as a sysadmin much more difficult.

Our hacky workaround is to have one specific chroot in which all PHP and CGI scripts execute, but I'll probably end up adding PAM support to cgiwrap and SuPHP out of sheer frustration with their inflexibility as it stands.

Automation

Unfortunately all this requires a few extra steps when creating a user to keep the system secure, and then a few more to jail the new user in a chroot.

I'll be providing my scripts later on which move system users in and out of chroot environments while keeping the system regular with a helping of symlinks and tweaks.

Limited Directory Accounts

Sometimes we're required to set up new users with access to only a single directory (e.g. the templates directory of a web application), and this presents a problem: set up a full chroot for that user containing only the required directory? That's often far too much effort and overhead.

As a result we're still running a legacy FTP daemon which can virtually chroot to a specific directory on a per-user or per-group basis.

Things To Do?

Other than PAM support for SuPHP and cgiwrap, the main issue is disk space: each chroot costs around 180 MB, which is quite expensive. Ideally I would like to bring this down to under 5 MiB with the help of UnionFS or AuFS, which would also reduce the management overhead by letting us maintain a single secure base chroot with possibly hundreds of others layered on top of it.

Sending local e-mail from the main server to chrooted users works (when using the ~/Maildir format), but it's currently not possible to send e-mail from within a chroot until we have something like ssmtp set up to relay to the main Exim instance.


About

Harry is a professional developer and sysadmin from London, UK.

He's an atheist, unemployed, a socialist and has a pragmatic outlook on life, love and religion.

Bookmarks

I'm constantly finding interesting stuff, here are some of the things I've bookmarked recently:

HarryR on Faves.com