Grumpy thots on SELinux

I just spent an hour trying to get a Samba share running on Fedora 20.
It used to not take that long, I’m familiar with how to get Samba running,
how to create shares, and how to manage valid users and masks.

But when it still doesn’t work? Well, what other thing do you do–you
TURN OFF SELinux. Why do the Fedora guys wonder at the SELinux hate?
Because SELinux doesn’t return any hint that SELinux policy violations
are the root cause of the strange errors you get when doing even mild
customizations of services…like adding a Samba share.

Please…why cannot I see something like:

smbd: SELinux policy prohibits read of /home/jed/3plibs


Would that be so difficult? I guess those things get reported in SOME log, but
NOT IN THE LOG YOU LOOK AT, which is the logs for the service you are configuring.

Your passwords are at risk

Your website and email passwords might have been captured. Your website sessions can be impersonated because cookies can be captured. If you haven’t heard about this the last few days, this is a real uproar on the Internet.

I’ve spent the last two days listening to podcast after podcast describing the technical details of the computer programming flaw that allows attackers slurp unprotected memory from websites, Tor nodes, and IMAP email servers. Thousands of websites have patched their web servers but millions more email and web servers are going to be slow to patch their services.

Go install Lastpass. Use it’s Security Report feature. Create new passwords for sites that have fixed themselves against the Heartbleed bug.

Return of the 007 SSH Agent

Years ago when I first stared listening to podcasts when I had barely worked at PRWeb for a year even, I came up with a piece of shell script to automatically start up an ssh-agent and ask for your passphrase.

Unfortunately, the code created tons of ssh-agents, which was unfortunate.

Here is a version that behaves much better:

  1 #!/bin/bash
2 export SSH_RECENT="$HOME/.ssh/recent"
3 [ -f $SSH_RECENT ] && eval `cat $SSH_RECENT`
5 if [ ! -z "$SSH_AGENT_PID" ]
6 then
7 RUNNING_AGENTS=`ps -p $SSH_AGENT_PID | grep -v CMD | wc -l`
8 fi
9 if [ $RUNNING_AGENTS -lt 1 -a $UID -ne 0 ]
10 then
11 eval `ssh-agent`
14 fi
16 [ `ssh-add -l | fgrep -v ' no ' | wc -l` -lt 1 ] && ssh-add

Can you tell me why I’m choosing to evaluate $UID for zero?

And, will this work if I switch from an Xterm to a virtual terminal?

Linuxfest Northwest 2011 Prize

Here’s the Bruce Schneier doll that Modwest donated to the Linuxfest Northwest world famous raffle. What a great prize! Bruce is decked out Matrix style to defeat all your security-thru-obscurity talk and send you packing back to your world of security theater. I wonder what Modwest will donate next year…I know a Leo LaPorte doll would not fly with this crowd ;-) A steampunk Ada doll would rock!

jed and bruce, tag team!

jed and bruce, tag team!

Lock It or Lose It (Bike Commuters)

I’ve had brakes stolen and neighbors have had their bikes stolen out of garages. I’m lucky that I don’t need to park my bike downtown or outside. I carry a spare shifter cable and I’d consider spare brake pads if I had to park outside as well.
I’d also avoid commuting with an attractive bike–good looks create more of a target.

There’s also a guide out there describing how to lock your front wheel to your back wheel and frame with a U-lock.