TIP: Installing untrusted packages without confirmation on Debian

Hello,

Maybe you need to install untrusted packages on your Debian box, but by default you are stopped by this prompt:

Do you want to continue? [Y/n/?] y
WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system’s security.
You should only proceed with the installation if you are certain that
this is what you want to do.

untrusted_package

Do you want to ignore this warning and proceed anyway?
To continue, enter “Yes”; to abort, enter “No”:

This is fine, since it warns you about it, but it breaks non-interactive scripts, because it needs user confirmation.

What then? The solution is easy: you only need to tell aptitude that you want to install those packages without user confirmation.

From the aptitude manual:
Option: Aptitude::CmdLine::Ignore-Trust-Violations
Default: false
Description: In command-line mode, causes aptitude to ignore the installation of untrusted packages. This is a synonym for Apt::Get::AllowUnauthenticated.

Just go!
# aptitude -o Aptitude::Cmdline::ignore-trust-violations=true -y install your_untrusted_package

WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system’s security.
You should only proceed with the installation if you are certain that
this is what you want to do.

untrusted_package

*** WARNING *** Ignoring these trust violations because
aptitude::CmdLine::Ignore-Trust-Violations is ‘true’!

Writing extended state information… Done

It no longer stops at an interactive prompt, so of course your script will continue :)
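Both Aptitude::CmdLine::Ignore-Trust-Violations and APT::Get::AllowUnauthenticated switch off the signature check that the prompt above protects, so a box where one of them was left behind in a config fragment (or a repository marked [trusted=yes] in sources.list) will keep installing unverified packages silently. The script below is an added example, not part of the original post or of apt: it scans a directory of apt.conf fragments and a sources.list for those overrides. The paths are parameters so the demo can run on a constructed temporary tree; on a real system you would pass /etc/apt/apt.conf.d and /etc/apt/sources.list.

```shell
#!/bin/sh
# Added example: audit apt/aptitude configuration for settings that silence the
# "untrusted packages" prompt. Paths are parameters so the demo runs on a constructed tree.

# audit_apt_trust CONFDIR SOURCES: prints every offending line and returns 1 when any
# trust override is found, 0 when the configuration is clean.
audit_apt_trust() {
    confdir=$1    # directory of apt.conf fragments (e.g. /etc/apt/apt.conf.d)
    sources=$2    # sources.list file
    found=0
    # Option names from apt.conf(5) and the aptitude manual; apt matches them case-insensitively.
    grep -inH -E '(AllowUnauthenticated|Ignore-Trust-Violations)[[:space:]]*"?(true|yes|1)"?' \
        "$confdir"/* 2>/dev/null && found=1
    # A [trusted=yes] option on a deb line disables signature checking for that repository.
    grep -nH -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$sources" 2>/dev/null && found=1
    return $found
}

# make_demo_tree DIR: constructed demo data with one override of each kind (not real files).
make_demo_tree() {
    d=$1
    mkdir -p "$d/apt.conf.d"
    printf 'APT::Install-Recommends "false";\n' > "$d/apt.conf.d/00-local"
    printf 'Aptitude::CmdLine::Ignore-Trust-Violations "true";\n' > "$d/apt.conf.d/99-batch"
    printf 'deb http://deb.debian.org/debian stable main\n' > "$d/sources.list"
    printf 'deb [trusted=yes] http://repo.internal.example/debian stable main\n' >> "$d/sources.list"
}

# Demo run on the constructed tree:
tmp=$(mktemp -d)
make_demo_tree "$tmp"
if audit_apt_trust "$tmp/apt.conf.d" "$tmp/sources.list"; then
    echo "no trust overrides found"
else
    echo "trust overrides found: packages from these settings install without signature verification"
fi
rm -rf "$tmp"
```

If you do need the override for one scripted run, pass it with -o on that single command line as the post shows, rather than writing it into apt.conf.d where the check stays off for every later install.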

See you!

Removing Linux kernel capabilities

Hello,

As you may know, Linux has capabilities. Maybe you don’t need all of them; if that is your case, you are in luck, since you can remove them using the lcap tool.

To list all Linux capabilities:

~# lcap
Current capabilities: 0xFFFDFCFF
   0) *CAP_CHOWN                     1) *CAP_DAC_OVERRIDE
   2) *CAP_DAC_READ_SEARCH           3) *CAP_FOWNER
   4) *CAP_FSETID                    5) *CAP_KILL
   6) *CAP_SETGID                    7) *CAP_SETUID
   8) *CAP_SETPCAP                   9) *CAP_LINUX_IMMUTABLE
  10) *CAP_NET_BIND_SERVICE         11) *CAP_NET_BROADCAST
  12) *CAP_NET_ADMIN                13) *CAP_NET_RAW
  14) *CAP_IPC_LOCK                 15) *CAP_IPC_OWNER
  16) *CAP_SYS_MODULE               17)  CAP_SYS_RAWIO
  18) *CAP_SYS_CHROOT               19) *CAP_SYS_PTRACE
  20) *CAP_SYS_PACCT                21) *CAP_SYS_ADMIN
  22) *CAP_SYS_BOOT                 23) *CAP_SYS_NICE
  24) *CAP_SYS_RESOURCE             25) *CAP_SYS_TIME
  26) *CAP_SYS_TTY_CONFIG           27) *CAP_MKNOD
  28) *CAP_LEASE                    29) *CAP_AUDIT_WRITE
  30) *CAP_AUDIT_CONTROL
    * = Capabilities currently allowed

For example, I want to disable CAP_CHOWN, so that no user (including root) can change a file’s owner. In this case, the file is UNCHOWNABLE.

Usual way:
# touch file
# chown paul file
Now the file is owned by paul

My preferred way:
First, we remove the CAP_CHOWN capability
(as root)
# lcap CAP_CHOWN
# touch file
# chown paul file
chown: changing ownership of `file’: Operation not permitted

As you can see, chown no longer works, since we have removed that capability. To restore it, you need to reboot.

You can disable any capability at your own risk ;)

This tool is interesting on servers with few changes/updates where you want to increase security. For example, to remove the possibility to load/unload a kernel module, drop CAP_SYS_MODULE; it helps a bit against rootkits. For files that you don’t want modified in any way, you can drop CAP_LINUX_IMMUTABLE after marking /bin, /usr/bin, /sbin, /usr/sbin immutable, so the expected binaries (checksums) stay in place. Try to play with any capability and see if it is interesting for you.
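Before dropping anything, it helps to see what a capability mask actually says. On current kernels the bounding set is no longer a single system-wide value but a per-process one, shown as the CapBnd line in /proc/<pid>/status, in the same hex-mask form as the "Current capabilities" line lcap prints. The script below is an added example (not from the post or from lcap): it decodes such a mask and lists the capabilities that are not allowed. Bits 0-30 follow the lcap listing above; bits 31-40 are the names later kernels added, as documented in capabilities(7), so the layout is that of a current 41-bit mask.

```shell
#!/bin/sh
# Added example: decode a capability bit mask (the "Current capabilities: 0x..." line from
# lcap, or CapBnd from /proc/<pid>/status on current kernels) and list the capabilities
# that are NOT allowed. Names are in bit order; 31-40 come from capabilities(7).
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL
CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO
CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM
CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE"

# cap_missing MASK: print one line per capability whose bit is clear in MASK.
# MASK may be written with or without a 0x prefix (CapBnd has none).
cap_missing() {
    case $1 in
        0x*|0X*) mask=$(( $1 )) ;;
        *)       mask=$(( 0x$1 )) ;;
    esac
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 0 ]; then
            echo "$name"
        fi
        i=$(( i + 1 ))
    done
}

# cap_has MASK NAME: succeed when NAME is allowed by MASK (handy in hardening checks).
cap_has() {
    ! cap_missing "$1" | grep -qx "$2"
}

# Usage on a current kernel: read this shell's own bounding set.
if [ -r /proc/self/status ]; then
    bnd=$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)
    if [ -n "$bnd" ]; then
        echo "Capabilities outside this shell's bounding set (CapBnd=$bnd):"
        cap_missing "$bnd"
    fi
fi
```

Because the bounding set is inherited by children, running this from a service's environment (for instance inside a systemd unit with CapabilityBoundingSet= set) shows exactly what that service, and anything it spawns, can never regain, which is the modern equivalent of what lcap did for the whole machine.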

For further info: man lcap

See you!

Create/modify user passwords in batch mode

Hello again,

Sometimes you need to set passwords non-interactively from scripts, and you can’t use the passwd tool for that, because it only works interactively.

On Debian, and of course on lots of distros, you can use chpasswd instead (create, update & modify).

From the chpasswd manual:

chpasswd reads a list of user name and password pairs from standard input and uses this information to update a group of existing users, so you can update passwords in batch mode.

echo "user:pass" | chpasswd
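In a real batch run the pairs usually come from a file, and a password typed into an echo on the command line ends up in the shell history and, briefly, in the process list. The script below is an added example (not from the post or from the shadow tools): it validates a file of user:password lines before handing it to chpasswd, so one malformed line does not abort the batch half-way or set an empty password. chpasswd splits each line at the first colon, which is why a password may itself contain colons; the --encrypted switch maps to chpasswd -e, which takes already-hashed passwords so the clear text never has to be stored.

```shell
#!/bin/sh
# Added example: validate "user:password" input for chpasswd and feed it from a file
# instead of the command line.

# validate_chpasswd_input: reads user:password lines on stdin, reports every bad line on
# stderr and returns 1 if any is bad. chpasswd splits at the FIRST colon, so the password
# part may contain colons; the user part may not.
validate_chpasswd_input() {
    awk '
        function bad(why) { printf "line %d: %s\n", NR, why > "/dev/stderr"; rc = 1 }
        BEGIN { rc = 0 }
        {
            sub(/\r$/, "")                       # tolerate CRLF files copied from Windows
            i = index($0, ":")
            user = (i > 0) ? substr($0, 1, i - 1) : ""
            pass = (i > 0) ? substr($0, i + 1) : ""
            if (i == 0)                           bad("missing user:password separator")
            else if (user == "")                  bad("empty user name")
            else if (user ~ /[^A-Za-z0-9._-]/)    bad("unexpected character in user name")
            else if (pass == "")                  bad("empty password")
        }
        END { exit rc }'
}

# apply_chpasswd FILE [--encrypted]: validate FILE, then hand it to chpasswd.
# With --encrypted the file holds hashed passwords and chpasswd -e is used.
# Needs root; not exercised by the demo below.
apply_chpasswd() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    validate_chpasswd_input < "$file" || { echo "refusing to run chpasswd on $file" >&2; return 1; }
    if [ "${2:-}" = "--encrypted" ]; then
        chpasswd -e < "$file"
    else
        chpasswd < "$file"
    fi
}

# Demo on constructed input (no accounts are touched):
printf 'alice:S3cret!\nbob:pa:ss\n' | validate_chpasswd_input && echo "sample batch accepted"
printf 'alice:\n' | validate_chpasswd_input || echo "sample with empty password rejected"
```

Create the input file with umask 077 (or chmod 0600 it) and delete it after the run; the validation only guards the format, not who can read the file.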

Regards,

Mod_Rewrite forbidden 403 with Apache 2.2.8

If you get a message like this and you are sure that your mod_rewrite rules are OK:

Tue Jun 10 11:18:59 2008] [error] [client 192.168.1.85] Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden: /var/www/enterprise/file.html

You need to enable FollowSymLinks in the directory that uses mod_rewrite; if not, you will get a friendly 403 error message :)

<Directory /path/of/your/dir>
    Options -All
    Options +FollowSymLinks
</Directory>

To enable it globally, use httpd.conf with

<Directory />
    Options +FollowSymLinks
</Directory>
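The error message itself says either option satisfies mod_rewrite, and on a shared host SymLinksIfOwnerMatch is the safer of the two: it still lets RewriteRule work but refuses to follow a symlink whose target is owned by someone else. The script below is an added example (not from the post or from Apache): it scans a config for <Directory> sections that use mod_rewrite without either option, i.e. the sections that will produce this 403. It checks each section on its own and does not model Apache's merging of Options between nested sections; the vhost it runs on is a constructed sample, not the author's /var/www/enterprise config.

```shell
#!/bin/sh
# Added example: lint an Apache config for <Directory> sections that use mod_rewrite
# without FollowSymLinks or SymLinksIfOwnerMatch.

# find_rewrite_without_symlinks: Apache config on stdin, offending directory paths on stdout.
find_rewrite_without_symlinks() {
    awk '
        tolower($1) == "<directory" {
            dir = $2; gsub(/^"|">?$|>$/, "", dir)      # strip quotes and the closing >
            rewrite = 0; symlinks = 0; next
        }
        tolower($1) == "</directory>" {
            if (rewrite && !symlinks) print dir
            dir = ""; next
        }
        dir != "" && tolower($1) ~ /^rewrite/ { rewrite = 1 }
        dir != "" && tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i); sub(/^[+]/, "", o)   # "+FollowSymLinks" counts, "-FollowSymLinks" does not
                if (o == "followsymlinks" || o == "symlinksifownermatch" || o == "all") symlinks = 1
            }
        }'
}

# Constructed vhost: the first <Directory> has the bug, the second is fixed with the
# stricter SymLinksIfOwnerMatch.
SAMPLE_APACHE_CONF='<VirtualHost *:80>
    DocumentRoot /var/www/enterprise
    <Directory "/var/www/enterprise">
        Options -Indexes
        RewriteEngine On
        RewriteRule ^old\.html$ file.html [R=301,L]
    </Directory>
    <Directory /var/www/enterprise/app>
        Options -Indexes +SymLinksIfOwnerMatch
        RewriteEngine On
        RewriteRule ^api/(.*)$ index.php?r=$1 [L]
    </Directory>
</VirtualHost>'

echo "Directory sections that will answer 403 for RewriteRule:"
printf '%s\n' "$SAMPLE_APACHE_CONF" | find_rewrite_without_symlinks
```

Run it against a real file with `find_rewrite_without_symlinks < /etc/apache2/sites-enabled/yoursite.conf`; an empty result means every rewriting section has one of the two options set.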

See you!

Adding DNS entries with command line on Windows

Hello,

If you are lazy (as we are) or you don’t want to waste all your time adding DNS entries manually, you can use dnscmd from the command line on Windows. It’s a nice way to add a large number of entries from a file, or anything that needs further scripting.

PROMPT> dnscmd help
dnscmd yourdnsserver /RecordAdd yourdomain.com mynewrecord A ip

So:
(creates ftp.domain.com that points to 192.168.1.20)
dnscmd localhost /RecordAdd domain.com ftp A 192.168.1.20

(creates www.domain.com that points to 192.168.1.21)
dnscmd localhost /RecordAdd domain.com www A 192.168.1.21

You can use A, CNAME, PTR, TXT etc.

An example of a batch file adding entries that point to the same IP, using a loop.

PROMPT> type records.txt
record1
record2
record2
etc …

PROMPT> type dns.bat
@echo off

set dnshost=localhost
set domain=yourdomain.com
rem record type: A, PTR, CNAME etc.
set type=A
set ipserver=192.168.1.20

echo "We are reading records.txt line by line"
rem for /f variables are single letters (%%r), one record per line
for /f %%r in (records.txt) do dnscmd %dnshost% /RecordAdd %domain% %%r %type% %ipserver%

See you!

Copy a table with MySQL

Hello,

If you want to copy all content from one table to another table with the same structure and data, it’s easy using MySQL syntax.

mysql> CREATE TABLE new_destination_table SELECT * FROM source_table;

It will create a new table with the same content of the source table.

See you!

EDIT: As Arjen Lentz said in his blog, this is not the best way to copy a table in MySQL. So ignore this post unless you only need to copy the plain structure and data, without indexes :)

Domainkeys/Dkim with Postfix

Hello,

If you want postfix to sign with domainkeys or dkim, you can do it using dkimproxy http://dkimproxy.sourceforge.net

In this setup, we only want outgoing mail to be signed. As we know, yahoo and gmail use it in their spam checks.

http://dkimproxy.sourceforge.net/postfix-outbound-howto.html

First, change the master.cf file of postfix (the -o lines must be indented; master.cf treats an unindented line as a new service entry).
master.cf:
submission inet n - y - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

# put this in the same file; for example, the bottom is a good place
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls

127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

Now it is time to set up dkimproxy. Since we are only interested in outgoing mail, we use dkimproxy.out instead. Please use the devel version; at the moment the stable version can’t produce both signatures at the same time. Tested using dkimproxy-1.0beta1.tar.gz.
This example shows how to sign more than one domain.

Create a new file.
/etc/postfix/ssl/domainkeys/domainkeyfile:
# sign both mydom1.com and mydom2.com mail with both a domainkeys and dkim signature (put a new domain for each line)
mydom1.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha256,c=relaxed)
mydom2.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha1,c=relaxed)

As user root, it is time to launch dkimproxy (change the values if necessary); in this case we run dkimproxy as user/group dkim.
# groupadd -g 4321 dkim
# useradd -u 4321 -s /bin/false -d /dev/null -g dkim dkim

# launch it as a daemon
# dkimproxy.out --user=dkim --group=dkim --keyfile=/etc/postfix/etc/ssl/domainkeys/private.key --selector=yourselector --sender_map=/etc/postfix/ssl/domainkeys/domainkeyfile --daemonize --pidfile=/var/run/dkim.pid 127.0.0.1:10027 127.0.0.1:10028

Of course, it’s very important that you keep port 25 for ‘normal’ mail and switch your clients to port 587 (the submission service above) if you want their mail to pass through dkimproxy; check your mail client’s documentation for how to do that.

Now, your mail uses domainkeys/dkim headers :)

This is an example of the resulting mail headers:
----------
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mydom1.com; h=date:subject:from:to:mime-version:content-type:message-id:content-transfer-encoding; q=dns; s=ireth; b=
  KPaZ5d7olrcJ62GwFyOAGGuiWe/+6ffW+b+ne24t3+mlUyUgU7kYHRedPphfTa4e
  AtdKW/l9B+TFnZs3WOFpaB1fkkwohQIHUJrINhMlm6NVgcEy3wolOXx2QKmDQdzl
  4cRo0x6q8DTjl9ThVwaOdL89Xj6gG8RecOx9wCKjnXO=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydom1.com; h=
  date:subject:from:to:mime-version:content-type:message-id:
  content-transfer-encoding; q=dns/txt; s=myhost1; bh=gbf05R7SXafOIY
  pmOvZ6JHiCsUiIu94mbMnHdz31av0=; b=jh8AB9KJUF2yarL9etKNcdCsICPssS
  Hz314WM/0KliaooehfanU+dxn/FIbvdeVc+ztTA9OkefWCj2SBfx/xi3sMDTy6gj
  ue+BYGvS9GJ9tYCKUvW4lk5wwk70JcCSpwQAbjsyf1pPBW3I6NFPtk2G5LrykEs+
  yizGa5g3x9rdg=
----------

This setup assumes that you have already created your private/public cryptographic keys and configured your DNS; if not, check the main site for how to do it.

http://dkimproxy.sourceforge.net/ (read about openssl)
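A quick way to check that the headers above are what a receiving verifier expects is to parse them the way a verifier starts: unfold the header, split it into tag=value pairs, and build the DNS name (selector._domainkey.domain) whose TXT record must hold the matching public key. The script below is an added example, not part of the post or of dkimproxy; it uses the DKIM-Signature header shown above as embedded test data, and the list of mandatory tags (v, a, b, bh, d, h, s) comes from RFC 6376.

```shell
#!/bin/sh
# Added example: extract tags from a DomainKey-Signature / DKIM-Signature header and derive
# the selector record name a verifier would look up.

# unfold_header: join RFC 5322 continuation lines (those starting with SP or TAB).
unfold_header() {
    awk 'NR > 1 && /^[ \t]/ { sub(/^[ \t]+/, ""); printf "%s", $0; next }
         NR > 1            { printf "\n" }
                           { printf "%s", $0 }
         END               { printf "\n" }'
}

# dkim_tags HEADER: one tag=value per line. Whitespace is removed because in these
# headers it is only folding whitespace and carries no meaning.
dkim_tags() {
    printf '%s\n' "$1" | unfold_header |
        sed 's/^[^:]*://' |                 # drop the "DKIM-Signature:" field name
        tr -d ' \t' | tr ';' '\n' | sed '/^$/d'
}

# dkim_tag HEADER TAG: value of TAG, empty if absent.
dkim_tag() {
    dkim_tags "$1" | sed -n "s/^$2=//p" | head -n 1
}

# dkim_dns_name HEADER: the TXT record name (selector._domainkey.domain) to query.
dkim_dns_name() {
    s=$(dkim_tag "$1" s); d=$(dkim_tag "$1" d)
    [ -n "$s" ] && [ -n "$d" ] || return 1
    printf '%s._domainkey.%s\n' "$s" "$d"
}

# dkim_check_required HEADER: fail, listing what is missing, unless all tags that
# RFC 6376 makes mandatory are present.
dkim_check_required() {
    missing=""
    for t in v a b bh d h s; do
        [ -n "$(dkim_tag "$1" "$t")" ] || missing="$missing $t"
    done
    [ -z "$missing" ] || { echo "missing tags:$missing" >&2; return 1; }
}

# Test data: the DKIM-Signature header from the example above, still folded.
DKIM_SAMPLE='DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydom1.com; h=
 date:subject:from:to:mime-version:content-type:message-id:
 content-transfer-encoding; q=dns/txt; s=myhost1; bh=gbf05R7SXafOIY
 pmOvZ6JHiCsUiIu94mbMnHdz31av0=; b=jh8AB9KJUF2yarL9etKNcdCsICPssS
 Hz314WM/0KliaooehfanU+dxn/FIbvdeVc+ztTA9OkefWCj2SBfx/xi3sMDTy6gj
 ue+BYGvS9GJ9tYCKUvW4lk5wwk70JcCSpwQAbjsyf1pPBW3I6NFPtk2G5LrykEs+
 yizGa5g3x9rdg='

dkim_check_required "$DKIM_SAMPLE" && echo "signature header is well-formed"
echo "algorithm:         $(dkim_tag "$DKIM_SAMPLE" a)"
echo "signed headers:    $(dkim_tag "$DKIM_SAMPLE" h)"
echo "public key record: $(dkim_dns_name "$DKIM_SAMPLE")"
```

The last line tells you which TXT record must exist before outgoing mail is signed: with the page's example it is myhost1._domainkey.mydom1.com, so the --selector you pass to dkimproxy.out and the record you publish in DNS have to agree, or every receiver will mark the signature as failed.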

See you!

HOWTO: mount samba shares in fstab using a credential file

Hello,

If you want to mount samba shares but you don’t want to put the username or password in the fstab file, you can use an external credentials file. This is useful to increase security a little, since fstab is usually world readable.

Using /etc/fstab:

# insecure and common usage (line in /etc/fstab)
//share/dir /mnt/myshare cifs username=user,password=pass

# more secure usage: first create a directory that only root can enter
mkdir /path/securedir
chmod 0700 /path/securedir
chown root /path/securedir

# then reference the credentials file from /etc/fstab
//share/dir /mnt/myshare cifs credentials=/path/securedir/fileshare

# and keep the credentials in that file
cat /path/securedir/fileshare
username=yourusername
password=yourpass

As you can see, it’s easy and increases security a little if more users have access to your machine.

Of course you can use smbmount too:

smbmount //share/dir /mnt/myshare -o credentials=/path/securedir/fileshare
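The credentials file only helps while nobody but root can read it, and that is easy to lose to a careless chmod or a copy made by another user. The script below is an added example (not from the post or from mount.cifs): it refuses to mount unless the file is a regular file with mode exactly 0600, owned by the expected user, and actually contains the username= and password= lines mount.cifs needs. The owner to require is a parameter (root on a real system) so the demo can run on a constructed file in a temporary directory owned by whoever runs it.

```shell
#!/bin/sh
# Added example: check a cifs credentials file before using it.

# check_credentials_file FILE [OWNER]: 0 if FILE is a regular file, mode exactly 0600,
# owned by OWNER (default root), and holds username= and password= lines.
check_credentials_file() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    # find prints the path only when both the mode and the owner match
    if [ -z "$(find "$file" -perm 0600 -user "$owner" 2>/dev/null)" ]; then
        echo "$file: must be mode 0600 and owned by $owner" >&2; return 1
    fi
    grep -q '^username=.' "$file" || { echo "$file: missing username=" >&2; return 1; }
    grep -q '^password=.' "$file" || { echo "$file: missing password=" >&2; return 1; }
}

# mount_with_credentials FILE SHARE MOUNTPOINT: mount only after the check passes (needs root;
# not run by the demo below).
mount_with_credentials() {
    check_credentials_file "$1" || return 1
    mount -t cifs "$2" "$3" -o "credentials=$1"
}

# Demo with a constructed credentials file owned by the current user:
tmp=$(mktemp -d)
cred="$tmp/fileshare"
umask 077                                   # create the file closed from the start
printf 'username=yourusername\npassword=yourpass\n' > "$cred"
check_credentials_file "$cred" "$(id -un)" && echo "$cred: OK"
chmod 0644 "$cred"
check_credentials_file "$cred" "$(id -un)" || echo "$cred: rejected after chmod 0644"
rm -rf "$tmp"
```

The same check can run from a cron job or a configuration-management handler over every credentials= path listed in /etc/fstab, so a file that quietly became world readable is caught before the next mount, not after.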

See you!