Bad Security: Apache suexec restrictions.

If you look at the source code for “suexec” which comes with Apache, you’ll see the following comment near the top of the program:

 ***********************************************************************
 *
 * NOTE! : DO NOT edit this code!!!  Unless you know what you are doing,
 *         editing this code might open up your system in unexpected
 *         ways to would-be crackers.  Every precaution has been taken
 *         to make this code as safe as possible; alter it at your own
 *         risk.
 *
 ***********************************************************************

I always used to joke that it’s unfortunate that the author didn’t take his own advice. I’m not saying that the whole idea of the program is bad, nor that it’s horribly insecure, but it makes the big mistake a lot of people make when implementing security measures: assuming that one security model is always better than another.

The biggest mistake made by the author, in my opinion, is that it enforces that directories and scripts cannot be group-writable. This is not a problem for extremely small websites, where there’s just one developer running the site under one account. But what about websites maintained by many users? This forces the maintainers either to share an account or to use root to update the site, both of which are generally bad ideas. It completely negates the use of groups to manage permissions for websites, and thus removes options that could improve security.

Another mistake is that it prevents programs from being SUID or SGID. Again, the application negates a security feature of the operating system. So we’re forced to give one account access to do everything, rather than being able to divide it up and reduce exposure.

Overall, the attitude taken by the author of suexec.c is that the best way to secure a system is to turn it off. It is not difficult to make a system secure, but it is very difficult to make a system both secure and usable at the same time. I would not claim that suexec is a complete failure, just that the author turned off a lot more than he should have, and as a result forces systems to be less secure than they could be.

Running multiple instances of mysql on the same machine

There are a lot of ways to run two instances of mysqld on one machine. Generally all you need to do is specify different ports and data directories. The method I describe below is basically to copy the default configuration shipped with Ubuntu Server into a different directory and name everything associated with the second instance “mysql-2”, creating new directories, and startup scripts with that name.

These commands create the directories needed:

mkdir /var/lib/mysql-2
mkdir /var/log/mysql-2
mkdir /var/run/mysqld-2
mkdir /etc/mysql-2
chown mysql.mysql /var/lib/mysql-2
chown mysql.mysql /var/log/mysql-2
chown mysql.mysql /var/run/mysqld-2
cp -R /etc/mysql/* /etc/mysql-2

Now edit the /etc/mysql-2/my.cnf file and change all references to /mysql/ to /mysql-2/ (and /var/run/mysqld to /var/run/mysqld-2, which covers the socket and pid file). Change the port in both the client and server sections to a different value (e.g. 3307).

By default, Ubuntu Server configures AppArmor to deny the mysql user access to anything it doesn’t need. So you’ll need to edit the /etc/apparmor.d/usr.sbin.mysqld file to allow it. Basically, just make a copy of each line referring to any of the directories above and add a “-2”.

Now, initialize the database (or you could just copy the contents of a different instance’s files to the data directory):

mysql_install_db --user=mysql --datadir=/var/lib/mysql-2

Next, copy the startup script:

cd /etc/init.d
cp mysql mysql-2

Edit the /etc/init.d/mysql-2 file. First change all instances of /mysql/ to /mysql-2/ and /mysqld/ to /mysqld-2/. Since a lot of the commands are compiled to read /etc/mysql/my.cnf by default, you have to add --defaults-file=/etc/mysql-2/my.cnf to the commands that give no indication of where they look for configuration files, namely any invocation of mysqladmin, mysqld, and mysqld_safe.

Now you can start the new instance with:

/etc/init.d/mysql-2 start

By default, on Ubuntu Server, any errors will be logged to /var/log/daemon.log. After a successful start, you should see pid and sock files in /var/run/mysqld-2. And you can connect to the new instance using the following command:

mysql --defaults-file=/etc/mysql-2/my.cnf

Once you’ve got everything working, add symlinks in /etc/rc*.d pointing to /etc/init.d/mysql-2 so the new instance is started and stopped when the server is restarted. Additionally, I set up entries in logrotate and added an alias mysql2='mysql --defaults-file=/etc/mysql-2/my.cnf' for ease of use.
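The steps above, as an added shell example that is not part of the original post: it derives the mysql-2 config and the extra AppArmor lines from the first instance's files (following the post's /mysql to /mysql-2 rename and port 3307), then checks that the two instances share no port, socket, datadir, pid file or error log. The sample my.cnf and profile lines are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): derive the second instance's my.cnf and
# the extra AppArmor rules from the first instance's files, then check that the two
# instances share no port, socket, datadir, pid-file or error log. The my.cnf and
# profile lines below are constructed samples in the Ubuntu layout, not real files.

# /mysql -> /mysql-2 (directory or end of value), /var/run/mysqld -> /var/run/mysqld-2, port 3306 -> 3307.
make_instance2_cnf() {
    sed -E -e 's#/mysql(/|$)#/mysql-2\1#g' \
           -e 's#/var/run/mysqld#/var/run/mysqld-2#g' \
           -e 's#^([[:space:]]*port[[:space:]]*=[[:space:]]*)3306[[:space:]]*$#\13307#' "$@"
}

# Copy of every AppArmor rule naming an instance directory, with "-2" added, for usr.sbin.mysqld.
apparmor_extra_rules() {
    grep -E '/var/(lib|log)/mysql/|/var/run/mysqld/|/etc/mysql/' "$1" | make_instance2_cnf
}

# Values that two instances on one host must never share.
shared_values() {
    sed -n -E 's/^[[:space:]]*(port|socket|datadir|pid-file|log_error)[[:space:]]*=[[:space:]]*(.*)$/\2/p' "$1" | sort -u
}

# Return 0 when the two configs have no value in common, 1 (naming the clash) otherwise.
instances_disjoint() {
    b=$(shared_values "$2")
    for v in $(shared_values "$1"); do
        if printf '%s\n' "$b" | grep -qxF -- "$v"; then echo "clash: $v" >&2; return 1; fi
    done
    return 0
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
CNF1="$TMP/my.cnf"; CNF2="$TMP/my-2.cnf"; PROFILE="$TMP/usr.sbin.mysqld"
cat > "$CNF1" <<'EOF'
[client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock
[mysqld]
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
datadir         = /var/lib/mysql
log_error       = /var/log/mysql/error.log
!includedir /etc/mysql/conf.d/
EOF
printf '%s\n' '/var/lib/mysql/ r,' '/var/lib/mysql/** rwk,' '/var/run/mysqld/mysqld.pid w,' '/var/log/mysql.log rw,' > "$PROFILE"
make_instance2_cnf "$CNF1" > "$CNF2"
instances_disjoint "$CNF1" "$CNF2" && echo "instance 2 config is isolated from instance 1"
apparmor_extra_rules "$PROFILE"
```

Run the same check against the real /etc/mysql/my.cnf and /etc/mysql-2/my.cnf after editing; a clash on the socket or pid file is the usual reason the second instance refuses to start or silently talks to the first.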

Simple encryption and decryption of a string in C#

Here are some routines designed for simple use of Rijndael in C#. I’ve combined a test function into the class for simplicity of showing its use.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class SimpleCrypto
{
    // Fixed salt. Because the salt never changes, a given passphrase always derives the
    // same key and the same IV, so equal plaintexts encrypt to equal ciphertexts
    // (the output below is identical on every run).
    private static byte[] salt = Encoding.ASCII.GetBytes("somerandomstuff");

    public static string Encrypt(string plainText, string keyString)
    {
        // PBKDF2 (RFC 2898) over the passphrase and salt. GetBytes is a stream: the first
        // call returns derived bytes 0-31 (the 256-bit key), the second bytes 32-47 (the IV).
        Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(keyString, salt);

        MemoryStream ms = new MemoryStream();
        StreamWriter sw = new StreamWriter(new CryptoStream(ms,
            new RijndaelManaged().CreateEncryptor(key.GetBytes(32), key.GetBytes(16)),
            CryptoStreamMode.Write));
        sw.Write(plainText);
        sw.Close();   // closing the writer flushes the final (padded) block into ms
        ms.Close();   // ToArray() still works on a closed MemoryStream
        return Convert.ToBase64String(ms.ToArray());
    }

    public static string Decrypt(string base64Text, string keyString)
    {
        // Same derivation and same order of GetBytes calls, so key and IV match Encrypt.
        Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(keyString, salt);

        ICryptoTransform d = new RijndaelManaged().CreateDecryptor(key.GetBytes(32), key.GetBytes(16));
        byte[] bytes = Convert.FromBase64String(base64Text);
        // There is no MAC, so a modified ciphertext is not detected unless the
        // padding happens to be broken (which surfaces as a CryptographicException).
        return new StreamReader(new CryptoStream(new MemoryStream(bytes), d, CryptoStreamMode.Read)).ReadToEnd();
    }

    public static void Main(string[] args)
    {
        string key = "a text phrase";

        string encrypted = Encrypt("test", key);
        string decrypted = Decrypt(encrypted, key);

        Console.WriteLine("Encrypted: {0}\r\nDecrypted: {1}\r\n", encrypted, decrypted);
        Console.ReadLine();  // Just to keep the CMD console window from closing before you see the results.
    }
}

Here is the output of the program above:

Encrypted: +Ya4VL06hYVU7T4uAHJG2A==
Decrypted: test

The Towers of Hanoi in Erlang

I’m just playing with Erlang; below is my attempt at solving the Towers of Hanoi puzzle using it. Call it using hanoi:hanoi([1,2,3,4,5,6],[],[]) (a valid starting position is assumed).

-module(hanoi).
-export([hanoi/3]).

%% Pegs are lists with the top disk first; disks are numbered by size, 1 being the smallest.
%% Returns the final [Source, Dest, Temp] after moving the whole stack from A onto B.
hanoi(A,B,C) ->
	Disk=lists:max(A),
	move(Disk,A,B,C).

%% Disk is already on top of Source: move it straight onto Dest.
move(Disk,[Disk|Source],Dest,Temp)->
	[Source,[Disk|Dest],Temp];

%% Otherwise clear the smaller disks onto Temp, move Disk, then bring them back on top of it.
move(Disk, Source, Dest, Temp) ->
	[S1,T1,D1]=move(Disk-1,Source,Temp,Dest),
	[S2,D2,T2]=move(Disk,S1,D1,T1),
	[T3,D3,S3]=move(Disk-1,T2,D2,S2),
	[S3,D3,T3].

Solving the Towers of Hanoi puzzle in C#

I thought this would be a fun little exercise to try. This puzzle is generally used to teach recursion in CS classes, but I have never actually tried to implement it.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace TowersOfHanoiCs
{
    class Program
    {
        // Each peg is a list with the top disk at index 0; disk 1 is the smallest.
        static List<int> peg1;
        static List<int> peg2;
        static List<int> peg3;

        static void Main(string[] args)
        {
            peg1 = new List<int>();
            peg2 = new List<int>();
            peg3 = new List<int>();

            for (int i = 1; i < 8; i++)
            {
                peg1.Add(i);
            }

            Display();
            MoveDisk(7, peg1, peg2, peg3);
            Console.ReadLine();
        }

        // Moves 'disk' (and whatever sits on top of it) from source to destination.
        static void MoveDisk(int disk, List<int> source, List<int> destination, List<int> temp)
        {
            int position = source.IndexOf(disk);

            if (position == 0)
            {
                // Nothing is on top of it: move it directly.
                source.Remove(disk);
                destination.Insert(0, disk);
                Display();
            }
            else
            {
                // Clear the disk directly above (with everything on top of it) onto temp,
                // move this disk, then bring the smaller stack back on top of it.
                int nextDisk = source[position - 1];
                MoveDisk(nextDisk, source, temp, destination);
                MoveDisk(disk, source, destination, temp);
                MoveDisk(nextDisk, temp, destination, source);
            }
        }

        static void Display()
        {
            DisplayPeg(peg1);
            DisplayPeg(peg2);
            DisplayPeg(peg3);
            Console.WriteLine("----------");
        }

        static void DisplayPeg(List<int> peg)
        {
            foreach (int x in peg)
            {
                Console.Write(x + " ");
            }
            Console.WriteLine();
        }
    }
}

Sending an email with syntax highlighting for your source code

I resisted the switch to HTML e-mail for as long as I could; I know there are some who have managed never to switch to an HTML-enabled email reader. But I just couldn’t hold out: so many of the non-computer-savvy people I communicated with used it, and their e-mails were impossible to read without it, so I made the switch many years ago.

Since we’re all so used to reading code with syntax highlighting, I like to have the source code contained in e-mails highlighted. Unfortunately, most syntax highlighters made for the web use CSS to style the code. When you copy and paste the code into an email, the tags with their class='…' attributes are copied, but not the actual style rules from the CSS, and what comes out on the other end is just text in the standard font. So the only way to get syntax highlighting in your email is to use a utility that embeds the styles into the HTML rather than referring to a stylesheet. I also wanted a utility that didn’t require me to save the source code and output as files on my computer, creating a lot of unnecessary temp files that I’d probably never delete. So far, the only thing that actually fits the bill is this web based utility: http://tools.devshed.com/webmaster-tools/syntax-highlighting/

Basically, just paste your source code into the tiny little window, select the language, type the captcha, then cut and paste the result into your e-mail. It doesn’t have many options, and there’s lots of room for improvement, but it’s the best thing I’ve found so far.

Turbo Pascal 5.5 is available for download for free

Firing up ole’ TP7 for the last post put me in a nostalgic mood, and I went looking to see where Turbo Pascal stands today. It doesn’t look like you can still buy it, and the only version available is Turbo Pascal 5.5, which you can download for free from: http://edn.embarcadero.com/article/20803

I believe my first experience with Pascal was at Indiana University when I started my first CSCI class in 1990. I believe we were using version 5. I also remember the first time I fired up version 7 and saw that certain keywords were highlighted in different colors. I was so amazed I almost wanted to do cartwheels; I was so impressed with such an amazing idea. IDEs have come a long way since then, but the Lord only knows how many hours I spent staring at the old blue and yellow screen of the Turbo Pascal DOS IDE.

Below are two screenshots from TP7. The first is the default layout of 80×25 chars with the default colors; the second is my custom layout with the amazing 80×50 char layout showing twice the number of lines! (Hey, it was a big deal back in the day.) The pop up box in the blue one shows a successful compile. I’m not sure where the program shown in the second image came from; I’m pretty sure it’s not something I wrote, but it’s what popped up automatically when I started the IDE. I do remember I spent a lot of time playing with interfacing to Netware servers back then, and this program appears to be an attempt to log in without using the API (which was just a series of INT calls). I think it’s the reverse-engineered source code developed by a fellow Netware “hacker” with whom I had the pleasure of exchanging many e-mails: Willem Jan Hengeveled. If it’s not his code, it’s probably something based off of it. Now I think I’m going to have to install an old Netware server in a VM to play with.

Borland Turbo Pascal 7 IDE - Default
Turbo Pascal 7 IDE - Custom Colors

Statements in most languages can be empty

I was looking through some code that was posted for review, and someone had pointed out a statement like the following:

int x=5;;

Note the two semicolons. I initially thought “Great, someone has us reviewing code they didn’t even try to compile.” But to my amazement, it does compile, and it compiles in pretty much every language. I’ve tested it on the newest and oldest stuff I have; the oldest, most obscure thing I could come up with was Borland Turbo Pascal 7 (the EXE has a date of 10/30/1992). I’m sure there’s some deep theoretical reason parsers need to accept it, but to a human it looks like an obvious error.

A really tough puzzle

100 prisoners are each locked in a room with three pirates, one of whom will walk the plank in the morning. Each prisoner has 10 bottles of wine, one of which has been poisoned. And each pirate has twelve coins, one of which is counterfeit and weighs either more or less than a genuine coin. In the room is a single switch which the prisoner may either leave as it is or flip. Before being led into the rooms, the prisoners are forced to wear either a red hat or a blue hat. They can see all the other prisoners’ hats, but not their own. Meanwhile a six digit prime number of monkeys multiply until their digits reverse. Then all have to get across a river using a canoe that can hold at most two monkeys at a time. But half the monkeys always lie and the other half always tell the truth. Given that the nth prisoner knows that one of the monkeys doesn’t know that a pirate doesn’t know the product of two numbers between 1 and 100 without knowing whether the (n+1)th prisoner has flipped the switch in his room or not after having determined which bottle of wine was poisoned and what color his hat is: what is the solution to this puzzle?

This was played on the July 18, 2009 edition of Car Talk on NPR and attributed only to “Alan”. If you download the podcast, the puzzler starts at the 36:00 minute mark.

Getting confused between closures and eval()

I just saw a question about closures in JavaScript, concerning code similar to the following:

for (i=0;i<n;i++){
     foo.bind( function() { bar(i); } );
}

The question was why every closure executes bar(i) with i equal to n, rather than whatever the value of i was when the closure was defined. He had reckoned that i was being passed by reference rather than by copy, and found that making a copy of i in a variable local to the closure solved the problem.

But what he’s really done is confuse a closure with an eval() statement. If he had written something like eval("function(){bar("+i+");}"), he would have gotten what he wanted. The difference is that when you use eval(), the value of i is fixed when the eval() is executed (it is pasted into the string). But with a closure, i is looked up when the closure is executed, and every time the closure is executed.

It’s also important to note that the i referenced inside the closure is not a reference to the i in the outer loop; it actually IS the same i as in the outer loop. No parameter passing is going on.

One other possible solution is to wrap the closure in a function that takes a parameter, and pass i in as that parameter, so each closure captures its own copy:

for (i=0;i<n;i++){
     (function(x) { foo.bind( function() { bar(x); } ); })(i);
}