The Life of a Sysadmin

Carousel is a lie!

Entries tagged "nwr04b".

Ports vs NWR04B
2004-12-29 21:22:25

Got a bad feeling in the pit of my stomach this morning when I came back to work. I'd deliberately stayed away from the usual non-Slashdot news sources (Internet Storm Center, Bugtraq, Full Disclosure), so there was a lot of catching up to do. Let's see: eighty-four new remote holes in Windows -- always fun -- and it turns out the phpBB worm is no longer a phpBB worm but a PHP worm. Jesus Christ.

I checked the logs on my home server, and sure enough there were tons of the little bastards hitting me. (The server at work was completely clean.) It looked like there was nothing there, but I couldn't be sure without more time spent on it than a few minutes' grepping -- which meant leaving it 'til I got home tonight. (Update: looks like I was fine. I tried the URLs in the logs, and none of them tried to fetch anything. Dodged a bullet there.)

OpenBSD has the right idea when it chroots Apache, but there's also the matter of initiating connections out. And yes, I'm guilty of this: Thornhill + port 80 + tcp syn should be firewalled off, but was not. Changed now, of course. Still, it would be nice to have Thornhill not be locked down entirely. Why not let me initiate a connection out, but prevent Apache from doing the same?

This gets back to What's Wrong With Unix?, and I still say a good part of it is the lack of fine-grained permissions on both ports and files. (That, and my inability to type a good post when I'm in a hurry...God, that was incoherent.) The sheer idiocy of continuing to insist on root permissions to open a port under 1024 is just ridiculous. Why do we do this? In a world of Unix on the desktop, where anyone can get root, what does this mean anymore? Nothing at all: it's a totem, a fetish, and the Unix equivalent of knocking on wood for luck.

Worse, by insisting that you need to be root to open port 80, you invite all sorts of security problems. Better hope you drop privileges effectively; better hope no one figures out a way to extract r00t from any lingering privileges; better hope you didn't make one single mistake, or you'll get 0wned. Serving web pages, answering DNS queries or answering QOTD requests (ports 80, 53 and 17, respectively) do not require root permissions. (This is quite a different question from whether or not J. Random User should be able to modify web pages, zone files, or the QOTD database.) qmail, Postfix and others have shown that delivering mail doesn't need root, either. (Other applications can be taken on a port-by-port basis; the full extent of my hand-waving is left as an exercise to the reader.)

So why is there no way to let UID www send a syn+ack, but not a syn? Or to let some range of UIDs do both? Why, Lord, can't I change ownership, groups and permissions on /proc/net/ipv4/tcp/port/80 so that UID www can open this port and nothing else? How long, O Lord, how long?

There is a patch I came across today that supposedly offers this sort of thing, but again: it SHOULD NOT be an option; it SHOULD NOT be a patch; it SHOULD be built-in and used, just like we use UIDs to restrict privileges now. (The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" are to be interpreted as described in RFC 2119.)

Ahem. In other news: At Staples today I picked up a Network Everywhere NWR04B 802.11b wireless router. --I'm sorry, "Network Everywhere"? Looks like Cisco/Linksys in disguise. But it was 18 Soviet Canuckistan pesos! Boxing Day special! How could I possibly resist? Better yet, it turns out that the damn thing can run Linux. It's got 8MB of RAM, 2MB of flash memory, and something like a 60MHz ARM CPU.

The folks over at the Hardware Recycling Initiative are working on getting this and other broadband router boards running Linux. Sweet! Now to figure out how the hell to get it to work on this thing...I can identify a soldering iron six times out of ten, but that's about it.

4 comments. Tags: nwr04b.
ARGH
2005-01-08 17:06:37

So I went out today and got a MAX 232CPE and a MAX 232N, plus assorted wires and whatnot, in an attempt to get a serial port connection to the NWR04B. Got a couple wires soldered to the board, hooked up a CPE to a breadboard with some capacitors, distressed a null modem cable, and.... Well, results were decidedly mixed; minicom eventually showed some chatter, but nothing intelligible, and only when I rubbed two wires together. (Cue jokes here.) At least I know the level shifter is working (I was worried I'd picked up the wrong size/value/faradicitousness of capacitor), but it's frustrating not to see anything I can recognise (like, you know, some ASCII, or "press 1 to boot Linux"). Plus, I suspect I'm only seeing static coming from the connection, rather than anything from the damn board. Argh. Hints more than welcome, but dumb them down; this is about the sixth time I've soldered anything.

Tags: nwr04b.
Network Everywhere NWR04B: serial port || firmware info
2005-01-25 22:04:25

I've put in a few hours tonight working on the Network Everywhere NWR04B, with mixed results. (The NWR04B is the 802.11b router I picked up for $18 on sale; I'm trying to duplicate this guy's luck getting Linux to work on the thing.)

I took the time tonight to get a slightly more permanent version of the RS232 adapter put together. Previously I've been putting stuff together on a breadboard, with wires all over the place; tonight I soldered things together and put wires all over the place. I tried to be careful, and all the connections seemed good, but I still had no luck: I saw absolutely nothing over the serial port at all, and from what I've read it should be pretty damned obvious. I'll have to ask some people at work about this.

One thing I'm still trying to figure out is how to treat all the different ground connections; I'm assuming that they all get connected together, and together with pin 5 on the DB9 connector, but I'm not sure. (If anyone's got any hints, please chip in.) That was about two hours tonight, and if that was it I'd chalk it up to experience and go to bed. But I did manage to find this page, which had a Perl script which extracts GZip archives from files. And guess what? It works on the NWR04B firmware! Woohoo!

It's embarrassing how simple this script is; I've been trying to figure out some way of doing exactly this, once I'd figured out that there was an archive in there. I want to understand how this works, but in the meantime it's exciting (hoo, what a life) to see all the stuff in there. strings | fmt | less shows tons of stuff going on: HTML, a reference to /dev/uart0, clitask (some kind of command-line interface, or just a dirty joke?), an XML UPNP description of the device...all sorts of information. And that's enough for now. I've got just enough energy to eat something, then go to bed.
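The script linked above works because a gzip member announces itself with a fixed three-byte header, so a carver can scan for that signature and try to inflate from each hit. Here is the same idea in Python as an added illustration (not the post's Perl script, and not run against the real NWR04B image): `find_gzip_members` and `SAMPLE_FIRMWARE` are names I've chosen, and the sample image is constructed inline, including a bogus header to show how a false match is skipped.

```python
import gzip
import sys
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)

# Constructed stand-in for a firmware image: two gzip members surrounded
# by 0xff padding, plus one bogus magic (FLG with reserved bits set) to
# exercise the false-positive path. Not real NWR04B firmware.
BOGUS = GZIP_MAGIC + b"\xe0" + b"\x00" * 8
PAD = b"\xff" * 16
MEMBER_1 = b"#!/bin/sh\necho clitask\n"
MEMBER_2 = b"<root><device>NWR04B</device></root>"
SAMPLE_FIRMWARE = (PAD + gzip.compress(MEMBER_1, mtime=0) + PAD + BOGUS
                   + PAD + gzip.compress(MEMBER_2, mtime=0) + PAD)


def find_gzip_members(blob):
    """Yield (offset, decompressed_bytes, compressed_length) for every
    complete gzip stream in blob. A magic match that does not inflate to
    a complete stream (bogus header, truncated member) is skipped."""
    pos = 0
    while (pos := blob.find(GZIP_MAGIC, pos)) >= 0:
        # wbits=16+15: expect a gzip header and trailer, not raw deflate.
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        try:
            data = d.decompress(blob[pos:]) + d.flush()
        except zlib.error:
            data = None
        if data is not None and d.eof:
            # unused_data is whatever followed the gzip trailer.
            consumed = len(blob) - pos - len(d.unused_data)
            yield pos, data, consumed
            pos += consumed  # skip the member's own bytes so they are
        else:                # not rescanned for nested false hits
            pos += 1


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FIRMWARE
    for off, data, n in find_gzip_members(image):
        print(f"gzip member at 0x{off:x}: {n} bytes -> {len(data)} bytes")
        print("  " + repr(data[:60]))
```

Run it with a firmware file as the only argument to list each embedded member; without an argument it walks the constructed sample.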

6 comments. Tags: nwr04b.
Network Everywhere NWR04B: Still no serial port
2005-01-30 15:14:03

I'm still having no luck getting a serial port going on this thing. I thought it might be because I was using a MAX 232 chip, instead of a MAX 3232 ("...and an extra 3 cubits for Linus, whose kernel this is...").

I also took the time to try to make a more permanent assembly by doing it up on a bit of perfboard -- so now I've got yellow wires (distinguishable connectors are for the weak!) poking out from perfboard instead of from breadboard. And still, nothing...not a goddamned peep, except for a weird y-plus-umlaut character that pops up every now and then in Minicom and I'm blaming on either noise or acid flashbacks.

I'm at a loss here. As far as I can tell the connections are good (my three bits of electronics equipment are a soldering iron, a plastic box with many subdivisions, and a multimeter), and the circuit looks more or less like the circuit listed at the HRI site. That leaves connecting at the wrong place on the board, or maybe grounding. Not sure.

But hey! I got an offer to collaborate from pck; his electronic skills would be nice. And I'm going to shoot off an email to the guy who got it running in the first place to see if, a year later, he can help out.

3 comments. Tags: nwr04b.
NWR04B: Another year older, and what have I done?
2005-12-29 18:27:10

Gaw'bless you, Matt Johnson.

A year ago today I mentioned, almost in passing, that I had picked up a cheap wireless router and hoped to get Linux running on it shortly. Since then, I've learned an incredible amount about electronics, reverse-engineering, assembly language, compilers, the Linux kernel, and programming as I moved further up the abstraction ladder. I'm still no expert at any of this, but it astounds me how far I've managed to get along.

Currently I'm stuck at getting flash memory to work -- specifically, being able to erase and then program a chunk of flash memory. The trouble is that the magic numbers that the Linux drivers and the datasheet say are needed don't seem to be working. Previously, I was having the same sort of problem getting the kernel to detect the flash in the first place; the trick was figuring out that GPIO was involved in all this. But I'm doing that same trick now, and it's still not working. As always, I'm not sure what I'm doing wrong.

Still, though, I think I'm going to keep poking at it -- for a while, anyway. My interest is beginning to wane a bit (I flit a lot; a year is a long time to me), plus I got a kid on the way (ack!). I may move on to trying to make all the ethernet interfaces work, not to mention the wireless card, as a way of taking a bit of a break. And of course, I'm still aiming at making the world's first Beowulf cluster of wireless routers.

On another note: today's entry is brought to you by the fine, fine folks at the Free Software Foundation, to whom I've just paid my membership dues for another year. I owe these people a huge amount: not only do I get to use a staggering amount of world-class software, written by their members and with their support, for free (I'm writing this on Emacs right now), not only have I been able to earn a fucking living from what I've taught myself using GPL'd and BSD'd software, RMS has also given us the language to, I dunno, frame the whole question of why this is important: by starting the FSF, by naming the Free Software movement, by giving us the GPL. There are those who disagree, while still cherishing the freedom the FSF seeks -- but I think you'd be hard-pressed to deny the power that one pissed-off geek gained when he got pissed off about some closed-source printer drivers.

(Yes, that may be a big myth -- but that is not the same as being a lie, and the providing^Hsynthesis of motivating myths is important too.)

From their website:

Please support the work of the FSF by making a donation, joining as an associate member, ordering books and merchandise, or signing your organization up as a corporate patron.

Hate RMS? Fine by me. Give to others:

Do it. We owe them.

Tags: emacs, freeasinfreedom, nwr04b, wontyoupleaselendahand.