February 21, 2005

apache2 as a cygwin service

One of the sweet things about apache2 is that it configures, compiles and installs cleanly under cygwin--out of the box. (I'm using 2.0.53 at the time of this writing.) While you can start it when you need to with apachectl, which is fine for local development and testing, to make it more than a plaything you should present it as a Windows service with cygrunsrv. That way it can be quickly stopped and started by anyone with a little Windows system administration experience. This also makes sure it's launched at startup, in case of restarts / crashes.

Because of its forking model it has taken me a while to figure out how to run httpd beneath cygrunsrv. By default, the httpd process detaches from its parent process and spawns off subprocesses. This doesn't make cygrunsrv happy; it thinks the process has died and will complain. If apache did manage to start up, it won't be able to shut it down properly. At one point all these non-graceful terminations got me into a semaphore depletion situation.

The following will create a service entry for apache2:
cygrunsrv -I apache2 \
  --path /usr/local/apache2/bin/httpd \
  --args "-D NO_DETACH -k start" \
  --dep cygserver --user www --shutdown
This assumes you've created a Windows user "www" with the appropriate security parameters and synced up /etc/passwd via mkpasswd. I highly recommend the following settings for "www" under Control Panel -> Administrative Tools -> Local Security Policy:
  • "Deny access to this computer from the network"
  • "Deny log on locally"
  • "Log on as a service"
I would also set www's shell to /bin/false or something like that. This should keep www underprivileged and deny direct logins.

There are also a few things to watch out for in httpd.conf:
User www
# Group #-1
Make sure you set the user; by default, it's "nobody", which is probably not a user on your Windows box. Also, add:
<IfModule mod_env.c>
  PassEnv SYSTEMROOT
</IfModule>
This tells apache to let the SYSTEMROOT environment variable pass through to things like cgi scripts. Without it, expect strange failures, like the inability to create sockets.
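A preflight script for the httpd.conf and account pitfalls above, added here as an example (it is not from the original post). It takes the httpd.conf and passwd paths as arguments, so it can be run against a copy, and assumes the service account's shell is /bin/false or a nologin binary.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks to run before
# registering httpd with cygrunsrv. In the post the files checked are
# /usr/local/apache2/conf/httpd.conf and /etc/passwd.

# Print the effective User directive (the last one wins, as in Apache).
httpd_user() {   # conf
    sed -n 's/^[[:space:]]*[Uu]ser[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# User must be set, must not be "nobody" (usually no such Windows account),
# and must appear in the passwd file that mkpasswd generated.
check_httpd_user() {   # conf passwd
    user=$(httpd_user "$1")
    [ -n "$user" ] || { echo "User directive missing"; return 1; }
    [ "$user" != nobody ] || { echo "User is nobody"; return 1; }
    grep -q "^$user:" "$2" || { echo "user $user not in $2"; return 1; }
}

# SYSTEMROOT has to reach CGI scripts, or things like socket creation fail.
# A commented-out directive does not count: the match is anchored at line start.
check_passenv_systemroot() {   # conf
    grep -iq '^[[:space:]]*PassEnv[[:space:]].*SYSTEMROOT' "$1" \
        || { echo "PassEnv SYSTEMROOT missing"; return 1; }
}

# The service account should not have an interactive shell.
check_service_account_shell() {   # passwd user
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    case "$shell" in
        /bin/false|*/nologin) return 0 ;;
        "") echo "no passwd entry for $2"; return 1 ;;
        *)  echo "$2 has login shell $shell"; return 1 ;;
    esac
}

# Run every check; the service is only worth registering when this returns 0.
preflight() {   # conf passwd
    rc=0
    check_httpd_user "$1" "$2" || rc=1
    check_passenv_systemroot "$1" || rc=1
    user=$(httpd_user "$1")
    if [ -n "$user" ]; then
        check_service_account_shell "$2" "$user" || rc=1
    fi
    return $rc
}
```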

Posted by Alan at 07:37 PM | Comments (0)

cygwin sshd and the "CYGWIN" variable

Weird thing I just ran across. Needed to modify the CYGWIN variable to be "ntsec tty server" rather than "ntsec tty." I changed the system environment variable and restarted the cygwin sshd service. As we know, a process's environment is inherited from its parent process at process initialization time, so sshd should have seen and used the new CYGWIN variable from its surroundings.

This didn't happen. Logging into the box and echoing CYGWIN showed the old setting. Rebooting also had no effect. Turns out that ssh-host-config manually overrides the CYGWIN variable when you first configure sshd. You can change this here in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd\Parameters\Environment

Posted by Alan at 02:01 PM | Comments (0)

February 14, 2005

ssh pubkey auth one-liner

Transfer your ssh public key to a remote host for passwordless logins in one line:
cat ~/.ssh/id_rsa.pub | ssh hostname "cat >> ~/.ssh/authorized_keys"
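The same transfer with the checks a practitioner would want, added here as an example rather than the original one-liner: the remote side gets mode 700 on ~/.ssh and 600 on authorized_keys, rejects stdin that does not look like a public key, and skips a key that is already present. hostname is a placeholder, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post). pubkey_remote_cmd prints the
# command the remote host runs; it expects exactly one public key on stdin.
pubkey_remote_cmd() {
    cat <<'EOF'
umask 077
mkdir -p "$HOME/.ssh"
key=$(cat)
case "$key" in
    ssh-*" "*) ;;
    *) echo "stdin does not look like an ssh public key" >&2; exit 1 ;;
esac
ak="$HOME/.ssh/authorized_keys"
touch "$ak"
grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
EOF
}

# Local side: the key goes over stdin, the command over the ssh argument.
#   ssh hostname "$(pubkey_remote_cmd)" < ~/.ssh/id_rsa.pub
```

Running it twice leaves a single copy of the key, which the bare `cat >>` one-liner does not guarantee.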

Posted by Alan at 09:49 AM | Comments (1)

February 11, 2005

time for a real kernel build system

God I wish kernel builds used Cons or SCons (in a sensible way of course). I am so tired of changing one line in a kernel config file and watching everything get rebuilt, instead of only that-which-needs-rebuilding.

This goes for BSD as well as Linux. Today I'm getting my first in-depth Linux experience as I'm compiling a new kernel for a Knoppix hard disk install. Check this out from the make-kpkg man page:

"Please note that you must run a make-kpkg clean after configuring the kernel using ''make (x|menu)?config,'' since that creates the file include/linux/version.h without the append_to_version data (foo)."

Wait a second. I have to rebuild from scratch if I change the kernel config? Just so I can get some silly tag on the end of the kernel version? What? FreeBSD doesn't require this--there's at least the possibility of some files not having to be rebuilt when you change the kernel config. (Though I'm not too sure this happens...it may be that every derived file is ultimately dependent on the kernel config file.)

But reading on:

"The simplest solution is either to remove include/linux/version.h after configuring and before compiling, or running make-kpkg clean after configuring, before compiling."

Okay, so it's just a case of two tools fighting over a file, and resolving the problem requires a manual step. Which is sloppy automation, IMHO, but not as ridiculous a deal as I originally thought.

Somebody should write a tool to migrate Makefiles to Cons or SCons, then apply it to kernel builds & see how much gain there is in config tweak rebuilds. That could be the killer app for these tools.

Posted by Alan at 03:17 PM | Comments (0)

trac, svn fsfs, mod_auth_external

Well I now have trac running on this server. So far it's just hosting one project which consists of all config files and shell scripts that I want to carry with me from machine to machine. This was somewhat inspired by an onlamp article.

I'm not ready to open up this project to the public yet, so I needed some access control mechanism for both the svn repo and the trac project interface. Following the advice in the trac installation guide, I've decided that all my future svn repositories will use FSFS, an alternative to the original Berkeley DB-based implementation. The problem with a Berkeley DB repository is that read-only access is not possible; either you grant users read+write permissions, or none at all. There's no possibility of CVS-style read-only anonymous access. FSFS on the other hand honors standard unix file permissions throughout the repository.

Now I needed access control to the svn web interface and trac project. I wanted to avoid introducing another set of usernames & passwords for this. Trac and svn access go hand in hand. Since svn access is over ssh, which requires a system account, I'd prefer to reuse system accounts for web authentication.

But how do you do this securely?

You definitely don't want plaintext transmission of unix passwords to even be a possibility for users. For that reason, the trac and svn web areas are https:// accessible only.

You also don't want to let an attacker bang on your /etc/passwd file without restriction. At first, I looked at mod_auth_pam, but it turns out you need to give www read access to /etc/passwd and /etc/group. Bad idea. Better idea: mod_auth_external. This Apache module can authenticate using a variety of external programs. It ships with one called pwauth, which is a setuid-root binary for authenticating against /etc/passwd. The author of pwauth is definitely security-conscious. Among other things, pwauth sleeps on login failures to thwart brute-force attacks, can use piping instead of the env as a means of ipc, and honors expired / disabled accounts. pwauth has been in use for a while at cyberspace.org "in the face of fairly intense hacker activity," according to the author.

Posted by Alan at 02:43 PM | Comments (0)

February 09, 2005

serve up your own sprint pcs content

Recently I switched to Sprint. To my horror, I discovered that the phone shipped with only one screen saver: a bald eagle flapping its wings. Additional screen savers would cost me between $1 and $2. Unbelievably, there was no option to preview them first.

Casting about, I found docs on the gcd format, and how to use it to serve up your own content from a webserver. For each media file you want to serve up--ringtones, images, etc.--you need to write a corresponding "General Content Descriptor" file. Among the things you have to put in this gcd are the media file's size in bytes and its absolute url.

After writing my first by hand, the desire to do so again vanished. Instead I wrote a cgi script that dynamically serves up gcds for all files in a directory. Download gcd-1.0.tar.gz.

Browse my pcs media files here. In particular, check out my current screensaver:

Thanks and credit for this image go to Eric Bazan.

Posted by Alan at 11:21 PM | Comments (0)

February 03, 2005

mancala variant: memorize this sequence

The other night I was introduced to another variant of Mancala, a game which has fascinated me for some time now. This variant is similar to American Mancala in that each player has 6 wells and a store. Stones are picked up and distributed similarly, skipping your opponent's store, wrapping around, etc. You get to go again from any of your 6 wells when your last stone ends up in your store. Like American Mancala, the game ends when one player's wells are all emptied.

However, there are no captures. When your last stone lands in a non-empty well, you pick up that well and continue going around from there. This "lap" phenomenon and the absence of captures make the game much longer. In fact, my opponent told me she thought there was a sequence of moves that would win in one turn, without the second player ever getting a chance to play.

Here is the sequence: 1 5 9 2 7 1 3 9 11 1 2 5 8 4 1 3 6 4 2 5 8 11 3 4 0 10 9 3 1 3 4 8 11 2 7 4 2 3 0 4 2 3 5 4 0 1 2 4 3 4.

The wells are numbered from 0 to 11. Wells 0-5 are yours, and the board continues on the other side with your opponent's 6-11.

However, many of these are mere continuation moves. The only time you have to make a decision is at the beginning, and when your last stone lands in your store. Here is the sequence of "decision" moves: 1 1 2 4 0 1 3 2 0 2 0 2 3 4. Not too bad, only 14 numbers to remember.

Perl not posted out of shame (it's an embarrassing hack).

Posted by Alan at 08:35 PM | Comments (0)

February 01, 2005

free signed ssl certs

Get your ssl cert signed for free from cacert.org. Of course, since they're not a root CA in any browser that I know of, users will get a popup warning. But it's slightly better than a self-signed cert: if people decide they trust CAcert, then they trust you by implication, rather than the "I am what I am" of a self-signed cert.

Posted by Alan at 02:35 AM | Comments (0)