vsftpd: refusing to run with writable anonymous root

Today I was trying to set up a simple FTP server to recover some logs from different machines (set-top boxes at work).
I wanted to use a Python script to log into the machines and repeat some commands, because I’ve found some really useful telnet libraries, but anyway, on to the main topic…
My laptop at work runs Ubuntu 10.04, so I installed vsftpd, but it was not so easy to get it ready to use with anonymous login.

After enabling a lot of the commented-out anonymous options, I found I needed to create a directory by hand to allow anonymous uploads,
/srv/ftp being the home directory of the ftp user:
sudo mkdir /srv/ftp/uploads

And at last: vsftpd: refusing to run with writable anonymous root
I found out why it wasn’t going through.
/srv/ftp CANNOT be writable.
/srv/ftp/incoming CAN be writable.
sudo chmod -w /srv/ftp/
and the problem was solved.
So the root directory can’t be writable, but subdirectories within the root directory can.

Hope this helps for anyone using a search engine.
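
The rule above can be checked before starting the daemon. This is an added example, not part of the original post: it treats any write bit on the anonymous root as a failure (a conservative assumption) and lists the subdirectories that can take uploads. The function names are hypothetical and GNU find is assumed.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes GNU find (-perm /MODE, -maxdepth), as shipped with Ubuntu.

# Succeeds when DIR carries no write bit for owner, group or other.
# Conservative assumption: any write bit on the anonymous root is a failure.
anon_root_ok() {
    [ -d "$1" ] || return 2
    [ -z "$(find "$1" -maxdepth 0 -perm /222)" ]
}

# Lists the direct subdirectories that carry a write bit (upload drop points).
writable_subdirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /222 | sort
}

# Prints a short report; returns non-zero when the root is writable or missing.
audit_anon_root() {
    root=${1:-/srv/ftp}
    if anon_root_ok "$root"; then
        echo "OK   $root is not writable"
    else
        echo "FAIL $root is writable or missing: remove its write bits (chmod a-w)"
        return 1
    fi
    writable_subdirs "$root" | while read -r dir; do
        echo "INFO $dir accepts uploads"
    done
    return 0
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_anon_root "$1"
fi
```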

Jump over a private corporate proxy with Firefox (or git, or any SOCKS-ready app) through an SSH tunnel

Thanks a lot to the authors of the text. I’ve just copied it here to promote them.

Making the ssh tunnel

Option 1: ssh and direct connect (SOCKS5): The following line will start the ssh client and connect to username@remote_machine.com. Port 8080 on localhost (127.0.0.1) will listen for requests and send them to the remote machine. The remote machine will then send the packets out as if they originated from itself. The ssh options are in the man page of ssh, but to summarize them in order: Compression, SSH2 only, Quiet, Force pseudo-tty allocation, Redirect stdin from /dev/null, and Place the ssh client into “master” mode for connection sharing.

ssh -C2qTnN -D 8080 username@remote_machine.com

Option 2: ssh to squid proxy (HTTP/SSL Proxy): The following line will also start the ssh client and connect to username@remote_machine.com. Port 8080 on localhost (127.0.0.1) on the current machine will listen for requests and ssh tunnel them to the remote machine. On the remote machine ssh will forward the packets to localhost port 2020. If squid is listening on localhost port 2020 on the remote machine then all requests sent through the ssh tunnel will then be forwarded to squid. You can use squid to block ads and speed up web access. If you need assistance with squid, check out the Calomel.org Squid “how to” page.

ssh -C2qTnN -L 8080:localhost:2020 username@remote_machine.com
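
Both tunnels above are meant to listen on 127.0.0.1 only. As an added example (not part of the copied text; the function names are hypothetical and the ss output is a constructed sample), this shell function reads ss -ltn output and reports whether a forwarded port is bound to loopback or reachable from other hosts, which is what happens when ssh is started with -g or with a non-loopback bind address.

```sh
#!/bin/sh
# Added example (not from the original text). Function names are hypothetical.
# On a live machine: ss -ltn | listener_scope 8080

# Reads `ss -ltn` output on stdin and classifies the listeners on PORT:
#   loopback  every listener is bound to 127.0.0.0/8 or ::1
#   exposed   at least one listener is bound elsewhere (0.0.0.0, *, a LAN IP)
#   none      nothing listens on PORT (the tunnel is not up)
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")            # the port is the last ":" field
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") loopback = 1
            else exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loopback) print "loopback"
            else print "none"
        }'
}

# Constructed sample of `ss -ltn` output while the -D 8080 tunnel is running.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*
LISTEN  0       128     [::1]:8080          [::]:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
EOF
}

sample_ss_output | listener_scope 8080   # loopback
```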

Using GIT through a SOCKS proxy

user@debian-machine:~$ cat /somepath/bin/proxy-wrapper
#!/bin/bash
# on Debian systems you need the netcat-openbsd package for these options to work
# "$@" passes the host and port given by git as separate, unmodified arguments
nc -xPROXYMACHINE:PORT -X5 "$@"
user@debian-machine:~$ export GIT_PROXY_COMMAND="/somepath/bin/proxy-wrapper"
user@debian-machine:~$ git clone git://git.debian.org/git/debian-eeepc/eeepc-acpi-scripts.git
Initialized empty Git repository in /blableblubla/codigo/git/eeepc-acpi-scripts/.git/
remote: Counting objects: 1050, done.
remote: Compressing objects: 100% (554/554), done.
remote: Total 1050 (delta 572), reused 848 (delta 475)
Receiving objects: 100% (1050/1050), 115.39 KiB | 37 KiB/s, done.
Resolving deltas: 100% (572/572), done.

Tech talks. Sharing knowledge is great.

It is impossible to find another post with higher quality per word.

Academic Earth
Google Tech Talks

For me, the value of these 2 links is hard to calculate.
Yes, I love learning and knowing. I am very curious.

PS: For now I recommend “Greg Kroah Hartman on the Linux Kernel” and “The Clean Code Talks — Unit Testing”

The smallest possible program for Linux

A curiosity that gives you a look at the inner workings of a Linux executable.
Recommended reading, even if only for a quick skim. It explains how the code is optimized step by step to go from 3998 bytes to 45 bytes.

References and links

A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux

How to make processes on different (remote) machines communicate through DBus

Introduction

In this post I’m going to try to connect two processes on different machines through DBus. The method is a little complex, so be patient if you try it.
I should also warn that this is the result of 3 days of tests (reference 1), so this method may be improved with time and use (reference 2).

Tools (The actors)

  • dbus
  • gabriel
    • socat
    • libssh
  • ssh
  • your apps

The official Debian packages are dbus, libssh-2 and socat.
gabriel is not part of Debian yet (but I’ve built a package for myself).

Knowledge (the actors’ curriculum)

In this section I will describe the basics about the tools we are going to use.

DBus. Extracted from DBus page:

D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a “single instance” application or daemon, and to launch applications and daemons on demand when their services are needed.

D-Bus supplies both a system daemon (for events such as “new hardware device added” or “printer queue changed”) and a per-user-login-session daemon (for general IPC needs among user applications). Also, the message bus is built on top of a general one-to-one message passing framework, which can be used by any two apps to communicate directly (without going through the message bus daemon). Currently the communicating applications are on one computer, or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories.

Gabriel is a simple utility to enable D-Bus clients to connect to a D-Bus daemon running on a remote machine, through SSH.
This is the main piece of this puzzle. If you are interested in understanding how it works you should take a look at socat and libssh. As I’ve had to take a look at the code and make some modifications, you should read it as a punishment.

Extracted from socat man page:

socat – Multipurpose relay (SOcket CAT)
socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes. It might be one of the tools that one ‘has already needed’.

Libssh. Extracted from libssh page:

The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).

You should know about ssh and about your application.

Architecture

The local host will run gabriel and your application.
The remote host needs a running ssh server, a running dbus server and socat installed and ready to use.
We need to run gabriel, which acts as a server that connects our host to the remote host through SSH. gabriel then uses this SSH connection to let our local application communicate with remote DBus applications by means of socat.

Remote DBus communication Architecture

Howto (Main action)

At the moment I’ve only managed to connect a process using the session bus; I’m still testing until I get a connection through the system bus, which was my initial purpose.
After reading the following information, you will be able to connect using the session bus and the system bus.

As I commented somewhere else, I’ve made some modifications to the gabriel code. I needed some common parameters such as the SSH port (for my VirtualBox testing environment), better help explanations and a verbose output.
Gabriel establishes a connection with the remote ssh server and, by means of socat commands, communicates with the remote DBus “environment”. You have to supply the ssh parameters and the DBus parameters to gabriel.

We have to pay special attention to -d, --bus-address=BUS_ADDRESS because this information must be obtained from the REMOTE machine.
That address is the one processes use to communicate through DBus. It’s something “internal” that is handled automatically when you use the DBus API/library. I’m going to show you where to get it.

DBUS_SESSION_BUS_ADDRESS, DBUS_SYSTEM_BUS_ADDRESS, DBUS_SYSTEM_BUS_DEFAULT_ADDRESS

Again, this information has to be obtained from the REMOTE machine.
At the moment I don’t know of any nice command to get this information.
There are two main kinds of DBus bus: system and session (more info on the DBus page).
If you need the SESSION bus address, choose whichever option fits you best:

  • You can get it from the process environment
  • You can steal it from any other process suspected of being involved in DBus activities…
  • You can create your own dbus-daemon (which, actually, I don’t know if it uses its own BUS_ADDRESS)

If you need the SYSTEM bus address, choose whichever option fits you best:

  • You can get it from the process environment. If it’s not defined, take a look at /etc/dbus-1/system.conf, where you should find a string like <listen>unix:path=/var/run/dbus/system_bus_socket</listen>
  • You can steal it from any other process suspected of being involved in DBus activities…
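
One way to read those addresses on the remote machine, as an added example that is not part of the original post (function names are hypothetical, the sample files are constructed): the session address is taken from a process environment file in the /proc/<pid>/environ format, and the system address falls back to the <listen> element of system.conf. On Linux that environ file is readable only by the process owner and root, so this works for your own session.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Prints the value of variable $1 from the NUL-separated environment file $2
# (the format of /proc/<pid>/environ on Linux). Prints nothing if it is unset.
env_value() {
    tr '\0' '\n' < "$2" | sed -n "s/^$1=//p" | head -n 1
}

# Session bus: taken from the environment of a process in that session.
session_bus_address() {
    env_value DBUS_SESSION_BUS_ADDRESS "$1"
}

# System bus: the environment first, then the <listen> element of system.conf.
# $1 = environ file, $2 = config file (default /etc/dbus-1/system.conf)
system_bus_address() {
    addr=$(env_value DBUS_SYSTEM_BUS_ADDRESS "$1")
    if [ -z "$addr" ]; then
        addr=$(sed -n 's:.*<listen>\(.*\)</listen>.*:\1:p' \
            "${2:-/etc/dbus-1/system.conf}" | head -n 1)
    fi
    printf '%s\n' "$addr"
}

# Writes constructed sample inputs into directory $1.
make_samples() {
    printf 'HOME=/home/user\0DBUS_SESSION_BUS_ADDRESS=%s\0LANG=C\0' \
        'unix:abstract=/tmp/dbus-EXAMPLE,guid=0123456789abcdef' > "$1/environ"
    printf '<busconfig>\n  <type>system</type>\n  <listen>%s</listen>\n</busconfig>\n' \
        'unix:path=/var/run/dbus/system_bus_socket' > "$1/system.conf"
}

# Demo on the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
session_bus_address "$demo/environ"
system_bus_address "$demo/environ" "$demo/system.conf"
rm -rf "$demo"
```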

Examples:

This command gives you a dbus-daemon in your session that you can contact.

Howto (Main action): Back to local host

Those ugly unix:stri:ngs/asdkaj/numbers we have seen are what we need for -d, --bus-address=BUS_ADDRESS.
See a session example:

See a system example:

Once we have our gabriel server running, we need to set DBUS_XXX_BUS_ADDRESS (it may not be set at all). Many apps use, or have, this environment variable to connect to a DBus instance and communicate with other processes.
This is easy: DBUS_XXX_BUS_ADDRESS should be the address gabriel shows a few instants after being launched.
Once we have defined this environment variable (on the command line) we can run our app, and it will happily communicate with the remote DBus world.
Example:

dbus-browser is a program that uses a session bus.

Curiosity: DBus protocol messages interchanged

Modifying a couple of lines in gabriel lets you see the raw DBus protocol messages. It is didactic information.
If you enable verbose output at level 2 or higher, you will get the raw DBus protocol messages.

My modifications and hacks

The code will be published on the GLKM project page.

Links and references
  • dbus site
  • gabriel site
  • socat site
  • libssh site
  • reference 1 (informational note: it involved jumping into the gabriel, libssh and dbus code and testing with a VirtualBox machine)
  • reference 2 (personal note: take a look at the “Securing traffic between two socat instances using SSL” article on the socat page)

A shortage of IT people? No way

Good, good, good, people of soitu, good.

A couple of days ago I read the following article on soitu: Will we end up hiring Indians to make up for the shortage of engineers? Written by Margarita Lázaro (soitu.es) on 07-05-2008.

On which I left an anonymous comment (lazy as I am) showing my indignation and my brief opinion on the subject.

What a lack of rigor this is.
WHAT A DISGRACE!!
Where is the contrast of opinions and sources? Why do only the employers speak?
The strategy of employers in the IT sector is to keep pestering until they are allowed to bring in “cheap meat”.
They are very angry and worked up. They do not have the upper hand and that infuriates them.
Since they have to raise salaries so that good people do not leave, what is called brain drain, they are kicking up all this fuss.
On the other hand, of course people do not want to study for a degree: why study if there are better-paid jobs that require less intellectual effort?
Please, if there is a journalist on the other side, get informed. Check your sources. Talk to the other party involved. A little courtesy, please.

Well, this morning a comforting feeling of justice and balance came over me when I read the article that followed on from the one already mentioned: Spanish IT professionals flee the country because of low salaries. Also written by Margarita Lázaro (soitu.es) on 08-05-2008.

For which she has earned my recognition, and I left the following comment:

Congratulations, Margarita Lázaro, on the article and on checking the information against other sources, as I asked yesterday in the comments on the related article (There are not enough engineers).

In a matter of seconds, a couple of my reflections, the kind you no longer get to enjoy so often, dear little netizens.

Despite the size of the IT sector, we lack unity and strong unions, or even unions at all. I think it is a consequence of the relative youth of the sector and of the pressure in large and medium-sized companies to dissolve any hint of union organization.
All this makes it impossible to call an organized strike with reasonable participation.

And now, since strikes are in fashion, would be a good moment. Given the state of mortgages and the CPI, people (unions, rather) have decided to strike and complain a little. The elections have been held, and right after them the unions got to work. So many years hardly hearing about them and, right after the elections, boom, every week someone is on strike. In Madrid and Extremadura alone, see transport, health, education, justice… Something smells fishy, as the bailiff said to the night watchman, or someone said to someone else.

WHYFLOSS Madrid Conference 08

When?

The fourth edition of the WhyFLOSS Conference will be held on 8 and 9 May, with free admission.

With significant support from the Escuela de Informática of the Universidad Politécnica de Madrid, Campus Sur, a variety of talks on open IT technologies will be presented.

Companies such as SUN, Red Hat, OpenBravo, Andago, SIE, Liferay, Opentia, Monolabs, Accenture and Avanzada7, universities such as the UPM and the URJC, and project communities such as LibreSoft, OpenSolaris and FFII will be collaborating in the fourth edition of the event.

Where?

The event will take place at the Escuela de Informática of the Universidad Politécnica de Madrid. It is located on the UPM’s Campus Sur, at Km. 7 of the Valencia road, in the city of Madrid (Spain).
Location information for Whyfloss Madrid 2008

Schedule

DAY 1

9:30
Opening of WHYFLOSS Conference 08.
Alejandro Sánchez Acosta, Neurowork

10:00
Open-Cities: the challenge of e-government
Guillermo Pastor, Ándago Ingeniería S.L.

11:00
Seventh Framework Programme in the EU: FLOSS Include and FLOSS Metrics
Jesús Gonzalez Barahona, LibreSoft

12:00
Business models based on Asterisk (the VoIP platform based on free software)
Juan Ignacio Cabrera, Avanzada 7

13:00
Computational clustering at CSIC
Raul Diaz Medina, Sistemas Informáticos Europeos S.L.

14:00
Lunch break

16:00
The FFII’s involvement in open standards in Europe
Alberto Barrionuevo, President of the Foundation for a Free Information Infrastructure (FFII) / OPENTIA, S.L.

17:00
OpenSolaris success story at Accenture
David Galan Ortiz, Accenture Outsourcing

18:00
Is open source software viable in industry? The case of Red Hat Linux and JBoss
Jesús González de Buitrago, Red-Hat

DAY 2

10:00
Evolution and influence of free software over the last 10 years
Juantomás García, Monolabs

11:00
Liferay Enterprise Portal: The project, the product, the community and how to extend it
Alvaro del Castillo San Félix, Liferay Inc.

12:00
Openbravo: the keys to successful development of free software applications
Representative, OpenBravo Inc

13:00
Rocks: a distribution for computational clusters
Jesús Espino García, Sistemas Informáticos Europeos

14:00
Lunch break

16:00
Security in OpenSolaris
Victor M. Fernandez, SIA / OpenSolaris Hispano

17:00
Django: an MVC framework in Python
Jesús Espino García, Sistemas Informáticos Europeos

Personal notes (same as for the last edition):

  • I must say that I know the main organizer.
  • I am going

Switch/Migration of Subversion repository without admin access (svn2svn)

Hello fellows.
My latest adventure was about moving an unmaintained project from its public Subversion repository, on which of course I was not an admin (which means no admin access), over to my own server.

Usually, to do this you’d dump the whole thing with svnadmin into one file (svnadmin dump REPOS_PATH > file_dump) and load it again at the new location (svnadmin load REPOS_PATH < file_dump). After searching the documentation for a similar command that works without admin access, I figured that something similar might exist for plain svn-to-svn migration.
I found a Ruby version and a Python one. I chose the Python one because it’s recent, it’s Python and it’s hosted on the Google Code site.
There was another reason: the Ruby version went through all revisions, from 1 to infinity, although many of them didn’t contain any change. The Python version, on the other hand, uses the Subversion logs and makes efficient use of them.

The real action

Creating a repository on my server was easy:

root@aristoteles:/var/lib/svn$ rm -rf MY-PROJECT-PATH
root@aristoteles:/var/lib/svn$ svnadmin create MY-PROJECT-PATH
root@aristoteles:/var/lib/svn$ chgrp svn-user MY-PROJECT-PATH/ -R
root@aristoteles:/var/lib/svn$ chmod g+ws MY-PROJECT-PATH/ -R
root@aristoteles:/var/lib/svn$ chmod o-rx MY-PROJECT-PATH/ -R

After solving the problems I talk about below, duplicating the repo was not so difficult.

user@othermachine:~$ mkdir tmp
user@othermachine:~$ cd tmp
user@othermachine:~/tmp$ svn co URL-DEST-MY-PROJECT-PATH
user@othermachine:~/tmp$ python svn2svn-0.1.1.py -r 7382 URL-ORIG URL-DEST-MY-PROJECT-PATH

This process took a while but the new directory was now ready for action.

Be careful with your Subversion config files. They may cause conflicts with files in the repository.
As an example, I had some trouble because I usually ignore files like Makefile.in and so on. The project I was trying to import did have files like that, and svn2svn raised svn errors because those files were not under revision control. When I realized, I removed those rules from my Subversion config for a while.
