Thursday, December 22, 2011

Solving GCC Kernel error: ***mixed implicit and normal rules

I'm using an old kernel because it is the last stable one to use with the VServer patch.

evo src # ll
total 154344
lrwxrwxrwx  1 root root       15 Dec 22 20:07 linux -> linux-2.6.22.19
drwxrwxr-x 20 root root      840 Dec 22 20:07 linux-2.6.22.19
-rw-r--r--  1 root root 45108030 Nov 18  2009 linux-2.6.22.19.tar.bz2
-rw-r--r--  1 root root  1868800 Mar 17  2008 patch-2.6.22.19-vs2.2.0.7-grsec2.1.11-20080317.diff
evo linux # make
Makefile:1443: *** mixed implicit and normal rules.  Stop.
evo linux # make oldconfig
Makefile:1443: *** mixed implicit and normal rules.  Stop.
evo linux # vi Makefile 
.....
/ %/: prepare scripts FORCE
       $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
       $(build)=$(build-dir)
.....

Solution: here we have an implicit rule and an explicit rule on the same line, so we are going to split it into two separate rules.

# Modules
#/ %/: prepare scripts FORCE
#	$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
#	$(build)=$(build-dir)
/: prepare scripts FORCE
	$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
	$(build)=$(build-dir)
%/: prepare scripts FORCE
	$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
	$(build)=$(build-dir)

Wednesday, December 21, 2011

HowTo Clean and Re-build Squid cache

First, check your squid.conf file and find your cache directory; you should have a line starting with "cache_dir".

  1. Shutdown your squid server: squid -k shutdown
  2. Remove the cache directory: rm -r /squid/cache/*
  3. Re-Create the squid cache directory: squid -z
  4. Start the squid cache server
Thanks for reading.
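
Step 2 deletes whatever path is typed after `rm -r`, while the paragraph above says the real location is on the `cache_dir` line. An added example (not part of the original post) that reads the directories from squid.conf and prints the removal command only for a sane path; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): take the cache path from
# squid.conf and refuse to build an "rm -r" line for a dangerous value.

# stdin: squid.conf text. stdout: the directory of every active cache_dir line.
# Line format: cache_dir <type> <directory> <type-specific options...>
squid_cache_dirs() {
    awk '$1 == "cache_dir" && NF >= 3 { print $3 }'
}

# True only for an absolute path at least two levels deep with no "..",
# "//" or space in it, so "/", "" or "/var" can never reach "rm -r <dir>/*".
safe_cache_dir() {
    case "$1" in
        *..*|*//*|*" "*) return 1 ;;
        /*/*[!/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dry run: print the removal command from step 2 for each usable directory.
plan_cache_removal() {
    squid_cache_dirs | while read -r dir; do
        if safe_cache_dir "$dir"; then
            printf 'rm -r %s/*\n' "$dir"
        else
            printf 'SKIP unsafe cache_dir: %s\n' "$dir"
        fi
    done
}

# Constructed squid.conf fragment: one commented line, one normal, one unsafe.
sample_conf() {
    cat <<'EOF'
http_port 3128
# cache_dir ufs /old/cache 100 16 256
cache_dir ufs /squid/cache 100 16 256
cache_dir ufs / 100 16 256
EOF
}

sample_conf | plan_cache_removal
```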

Monday, December 12, 2011

IcePHP-3.2.1 Gentoo ebuild

The Internet Communications Engine, or Ice, is an object-oriented middleware that provides object-oriented Remote Procedure Call, grid computing and Publish/subscribe functionality developed by ZeroC and dual-licensed under the GNU GPL and a proprietary license. It supports C++, Java, .NET languages (such as C# or Visual Basic), Objective-C, Python, PHP, and Ruby on most major operating systems such as Linux, Solaris, Windows, and Mac OS X. A light variant of ICE runtime, called Ice-e, may run inside mobile phones. As its name indicates, the middleware may be used for internet applications without the need to use the HTTP protocol and is capable of traversing firewalls, unlike most other middleware.

Official Site: ICE
Wikipedia info: Wikipedia ICE info.


DEPRECATED HOW TO, CLICK HERE FOR THE CURRENT INFO.

Preparing the portage tree, more info HERE:

evo ~ # mkdir -p /usr/local/portage/profiles/
evo ~ # echo "Headup Overlay" > /usr/local/portage/profiles/repo_name
evo ~ # mkdir -p /usr/local/portage/dev-php5/IcePHP/
evo ~ # echo "PORTDIR_OVERLAY=/usr/local/portage" >> /etc/make.conf
evo ~ # cd /usr/local/portage/dev-php5/IcePHP/
evo IcePHP # wget http://headup.sytes.net/zbox/HeadupOverlay/dev-php5/IcePHP/IcePHP-3.2.1.ebuild
evo IcePHP # ebuild IcePHP-3.2.1 manifest
>>> Downloading 'http://www.zeroc.com/download/Ice/3.2/IcePHP-3.2.1.tar.gz'
--2011-12-12 12:26:21-- http://www.zeroc.com/download/Ice/3.2/IcePHP-3.2.1.tar.gz
Resolving www.zeroc.com (www.zeroc.com)... 184.73.227.248
Connecting to www.zeroc.com (www.zeroc.com)|184.73.227.248|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://download.zeroc.com/Ice/3.2/IcePHP-3.2.1.tar.gz [following]
--2011-12-12 12:26:21-- http://download.zeroc.com/Ice/3.2/IcePHP-3.2.1.tar.gz
Resolving download.zeroc.com (download.zeroc.com)... 216.137.43.110, 216.137.43.163, 216.137.43.119, ...
Connecting to download.zeroc.com (download.zeroc.com)|216.137.43.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78072 (76K) [application/x-tar]
Saving to: `/usr/portage/distfiles/IcePHP-3.2.1.tar.gz'
100%[=================================================================>] 78,072 103K/s in 0.7s
2011-12-12 12:26:23 (103 KB/s) - `/usr/portage/distfiles/IcePHP-3.2.1.tar.gz' saved [78072/78072]
>>> Creating Manifest for /usr/local/portage/dev-php5/IcePHP

Check the files

evo IcePHP # ll
total 8
-rw-r--r-- 1 root root 994 Dec 2 15:04 IcePHP-3.2.1.ebuild
-rw-r--r-- 1 root root 394 Dec 12 12:26 Manifest

 

Searching in our portage tree and portdir overlay:


evo IcePHP # emerge IcePHP -s
Searching...
[ Results for search key : IcePHP ]
[ Applications found : 1 ]
* dev-php5/IcePHP [ Masked ]
      Latest version available: 3.2.1
      Latest version installed: [ Not Installed ]
      Size of files: 76 kB
      Homepage: http://www.zeroc.com
      Description: PHP bindings for the ICE middleware
      License: GPL-2

Preparing and making our system consistent (good practice):

evo IcePHP # echo dev-php5/IcePHP ~x86 >> /etc/portage/package.keywords
evo IcePHP # emerge IcePHP -pv
Calculating dependencies... done!
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) dev-php5/IcePHP-3.2.1 from Headup-Overlay
>>> Installing (1 of 1) dev-php5/IcePHP-3.2.1
>>> Jobs: 1 of 1 complete Load avg: 0.82, 1.89, 2.63
 * Messages for package dev-php5/IcePHP-3.2.1:
 * Package: dev-php5/IcePHP-3.2.1
 * Repository: Headup-Overlay
 * USE: elibc_glibc kernel_linux userland_GNU x86
 * FEATURES: preserve-libs sandbox userpriv usersandbox
 * Package: dev-php5/IcePHP-3.2.1
 * Repository: Headup-Overlay
 * USE: elibc_glibc kernel_linux userland_GNU x86
 * FEATURES: preserve-libs sandbox userpriv usersandbox
 *
 * You must check the extensions configuration under the php.ini
 * file, and don't forget to restart your apache web server!!
 *
 * Removing /usr/share/info
>>> Auto-cleaning packages...
>>> No outdated packages were found on your system.
 * IMPORTANT: config file '/etc/dispatch-conf.conf' needs updating.
 * See the CONFIGURATION FILES section of the emerge
 * man page to learn how to update config files.
 * IMPORTANT: 6 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

Configure the ICE extension in the PHP configuration file (php.ini).

evo IcePHP # cat /etc/php/apache2-php5/php.ini
...
extension_dir = /etc/php/apache2-php5/ext
extension = IcePHP.so
ice.profiles = /etc/php/apache2-php5/profiles.ini
...

Configure the project profile.

evo IcePHP # cat /etc/php/apache2-php5/profiles.ini
[IceProject]
ice.config=/home/to/project/configure/client.configure
ice.slice=-I/usr/share/Ice/slice /usr/share/Ice/slice/Glacier2/Router.ice /home/to/project/Slice/project.ice

And restart the apache web server

evo IcePHP # /etc/init.d/apache2 restart
 * Stopping apache2 ... [ ok ]
 * Starting apache2 ... [ ok ]

Wednesday, November 30, 2011

PostgreSQL: ERROR: new encoding (UTF8) is incompatible with the encoding of the template database (SQL_ASCII)

Error:

sqlalchemy.exc.DataError: (psycopg2.DataError) new encoding (UTF8) is incompatible with the encoding of the template database (SQL_ASCII)
HINT: Use the same encoding as in the template database, or use template0 as template.

[SQL: CREATE DATABASE hydra ENCODING 'utf8' TEMPLATE template1]
(Background on this error at: http://sqlalche.me/e/9h9h)

Solution:
First, we need to drop template1. Templates can’t be dropped, so we first modify it so it's an ordinary database:

UPDATE pg_database SET datistemplate = FALSE WHERE datname = 'template1';

Now we can drop it:

DROP DATABASE template1;

Now it's time to create a database from template0, with a new default encoding:

CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = 'UNICODE';

Now modify template1 so it’s actually a template:

UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template1';

Now switch to template1 and VACUUM FREEZE the template:

\c template1

VACUUM FREEZE;

The problem should be resolved now.

Tuesday, November 8, 2011

GRSecurity + Java = Killed + Headup = Running App

When we work with hardened kernels and tools like grsecurity and PaX, we face problems like:

  1. The kernel kills applications.
  2. Some applications cannot start.
  3. We can't compile applications.
  4. And many others.

This problem depends on the security level configured in the kernel. We need to tell the system that some of the blocked applications are trusted, because some legitimate applications generate code at run time and execute it from memory. PaX does not allow this and will promptly kill the offending application.

The most notable of these applications are XFree/Xorg, mplayer, multimedia tools based on xine-lib, and the Java virtual machine.

homero / # java -version
Killed
homero / # uname -a
Linux homero 2.6.27.15-grsec-2.1.12-vs2.3.0.36.4 #11 SMP Fri Mar 25 17:30:38 CST 2011 i686 Intel(R) Xeon(TM) CPU 3.20GHz GenuineIntel GNU/Linux
homero ~ # tail -f /var/log/pax.log 
Aug  8 13:06:23 homero kernel: [7748633.853670] PAX: From X.X.X.X: execution attempt in: , 48f7f000-48fa7000 48f7f000
Aug  8 13:06:23 homero kernel: [7748633.853683] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18549, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
Aug  8 13:06:23 homero kernel: [7748633.853695] PAX: bytes at PC: f0 83 04 24 00 8b 44 24 0c c3 00 00 00 00 00 00 00 00 00 00 
Aug  8 13:06:23 homero kernel: [7748633.853718] PAX: bytes at SP-4:
homero bin # pwd
/usr/local/jdk1.6.0_26/bin

To solve this problem we need some PaX utilities, such as paxctl and chpax, to relax the security rules, but only for specific applications.

homero bin # emerge pax-utils pax paxctl paxtest -pv
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-apps/paxctl-0.5 0 kB
[ebuild R ] app-misc/pax-utils-0.2.2 USE="caps" 0 kB
[ebuild R ] app-arch/pax-3.3.4 0 kB
[ebuild R ~] app-admin/paxtest-0.9.9-r2 0 kB
Total: 4 packages (4 reinstalls), Size of downloads: 0 kB
 * IMPORTANT: 4 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

First, we need to create the PT_PAX_FLAGS program header in each binary:

homero bin # paxctl -C *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file appletviewer got a new PT_PAX_FLAGS program header
file apt got a new PT_PAX_FLAGS program header
file extcheck got a new PT_PAX_FLAGS program header
file idlj got a new PT_PAX_FLAGS program header
file jar got a new PT_PAX_FLAGS program header
file jarsigner got a new PT_PAX_FLAGS program header
file java got a new PT_PAX_FLAGS program header
file java-rmi.cgi is not a valid ELF executable
file javac got a new PT_PAX_FLAGS program header
file javadoc got a new PT_PAX_FLAGS program header
file javah got a new PT_PAX_FLAGS program header
file javap got a new PT_PAX_FLAGS program header
file javaws got a new PT_PAX_FLAGS program header
file jconsole got a new PT_PAX_FLAGS program header
file jcontrol is not a valid ELF executable
file jdb got a new PT_PAX_FLAGS program header
file jhat got a new PT_PAX_FLAGS program header
file jinfo got a new PT_PAX_FLAGS program header
file jmap got a new PT_PAX_FLAGS program header
file jps got a new PT_PAX_FLAGS program header
file jrunscript got a new PT_PAX_FLAGS program header
file jsadebugd got a new PT_PAX_FLAGS program header
file jstack got a new PT_PAX_FLAGS program header
file jstat got a new PT_PAX_FLAGS program header
file jstatd got a new PT_PAX_FLAGS program header
file jvisualvm is not a valid ELF executable
file keytool got a new PT_PAX_FLAGS program header
file native2ascii got a new PT_PAX_FLAGS program header
file orbd got a new PT_PAX_FLAGS program header
file pack200 got a new PT_PAX_FLAGS program header
file policytool got a new PT_PAX_FLAGS program header
file rmic got a new PT_PAX_FLAGS program header
file rmid got a new PT_PAX_FLAGS program header
file rmiregistry got a new PT_PAX_FLAGS program header
file schemagen got a new PT_PAX_FLAGS program header
file serialver got a new PT_PAX_FLAGS program header
file servertool got a new PT_PAX_FLAGS program header
file tnameserv got a new PT_PAX_FLAGS program header
file unpack200 got a new PT_PAX_FLAGS program header
file wsgen got a new PT_PAX_FLAGS program header
file wsimport got a new PT_PAX_FLAGS program header
file xjc got a new PT_PAX_FLAGS program header
homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

- PaX flags: -------x-e-- [java]
    RANDEXEC is disabled
    EMUTRAMP is disabled

The problem is the mprotect flag, because it is enabled.

Name
mprotect - control allowable accesses to a region of memory

Synopsis
#include <sys/mman.h>
int mprotect(const void *addr, size_t len, int prot);

Description
The function mprotect() specifies the desired protection for the memory page(s) containing part or all of the interval [addr,addr+len-1]. If an access is disallowed by the protection given it, the program receives a SIGSEGV. 

The goal of MPROTECT is to help prevent the introduction of new executable code into the task’s address space. This is accomplished by restricting the mmap() and mprotect() interfaces.

The restrictions prevent:
     - Creating executable anonymous mappings.
     - Creating executable/writable file mappings.
     - Making an executable/read-only file mapping writable except for performing relocations on an ET_DYN ELF file (non-PIC shared library).
     - Making a non-executable mapping executable.

So we need to disable it.

homero bin # paxctl -m *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file java-rmi.cgi is not a valid ELF executable
file jcontrol is not a valid ELF executable
file jvisualvm is not a valid ELF executable
homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

- PaX flags: -----m-x-e-- [java]
    MPROTECT is disabled
    RANDEXEC is disabled
    EMUTRAMP is disabled
homero bin # java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) Client VM (build 20.1-b02, mixed mode)

And now we can run any java application on our hardened system.
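
The post relaxes MPROTECT on every ELF file in the JDK bin directory with `paxctl -m *`. An added example (not from the original post) that lists which binaries PaX actually terminated and which files carry the relaxed flag, so the exception can be limited to the former and reviewed later; the function names and the sample input, modelled on the log and `paxctl -v` output above, are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): scope and audit MPROTECT exceptions.

# stdin: kernel log. stdout: "<kills> <binary>" for each binary PaX terminated,
# most-killed first.
pax_killed_binaries() {
    sed -n 's|.*PAX: terminating task: \(/[^(]*\)(.*|\1|p' |
        LC_ALL=C sort | uniq -c | awk '{ print $1, $2 }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# stdin: `paxctl -v` output. stdout: files whose flag string carries the
# lower-case "m" (MPROTECT disabled), as in "- PaX flags: -----m-x-e-- [java]".
pax_mprotect_off() {
    sed -n 's/^- PaX flags: [^ ]*m[^ ]* \[\(.*\)]$/\1/p'
}

# Constructed sample log, modelled on the pax.log lines shown above.
sample_log() {
    cat <<'EOF'
Aug  8 13:06:23 homero kernel: [7748633.853683] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18549, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
Aug  8 13:06:23 homero kernel: [7748633.853695] PAX: bytes at PC: f0 83 04 24 00 8b 44 24 0c c3 00 00 00 00 00 00 00 00 00 00
Aug  8 13:07:02 homero kernel: [7748672.101010] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18602, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
Aug  8 13:09:41 homero kernel: [7748831.202020] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/javac(javac):18711, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
EOF
}

# Constructed `paxctl -v` flag lines for three files.
sample_paxctl() {
    cat <<'EOF'
- PaX flags: -----m-x-e-- [java]
- PaX flags: -------x-e-- [jar]
- PaX flags: -----m-x-e-- [javac]
EOF
}

sample_log | pax_killed_binaries
sample_paxctl | pax_mprotect_off
```

On a live system the inputs would be `/var/log/pax.log` and the output of `paxctl -v` run over the files of interest. Paths containing spaces are not handled.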

Sunday, November 6, 2011

Timezone configuration guide for Mexico

This guide shows how to correctly set the timezone on Gentoo Linux, using the Mexico/General timezone.

First copy or link the proper zone to localtime:

pluton ~ # ln -sf /usr/share/zoneinfo/Mexico/General /etc/localtime
pluton ~ # ls -l /etc/localtime
lrwxrwxrwx 1 root root 23 Jun 6 18:13 /etc/localtime -> /usr/share/zoneinfo/GMT

Now specify your timezone:

pluton ~ # cat /etc/conf.d/hwclock
TIMEZONE="Mexico/General"
clock="UTC"
clock_systohc="YES"
clock_hctosys="YES"
clock_args=""

Restart the service:

pluton ~ # /etc/init.d/hwclock restart
 * WARNING: you are stopping a boot service
 * Caching service dependencies ... [ ok ]
 * Setting hardware clock using the system clock [UTC] ... [ ok ]
 * Setting system clock using the hardware clock [UTC] ...

And that's it:

pluton ~ # date
Mon Jun 6 18:24:57 GMT 2011

Tuesday, October 25, 2011

Check 32 and 64 bits compatibility on 64bits Kernel

First, we need to check whether we are running a 64-bit kernel.

Some Linux distros use a release file to store the version, codename, and other information:

alvaro@linux-a77o:~> cat /etc/SuSE-release
openSUSE 11.4 (x86_64)
VERSION = 11.4
CODENAME = Celadon

Or check the system information using uname

alvaro@linux-a77o:~> uname -a
Linux linux-a77o 2.6.37.1-1.2-desktop #1 SMP PREEMPT 2011-02-21 10:34:10 +0100 x86_64 x86_64 x86_64 GNU/Linux

Or something a little more standard...

alvaro@linux-a77o:~> perl -MConfig -e 'print $Config{longsize}*8 . "\n";'
64

With this code, we are going to be testing system libraries and support.

alvaro@linux-a77o:~> cat test-bits.c
#include <stdio.h>
int main()
{
    long z;
    /* sizeof yields a size_t, so it is printed with %zu */
    printf("Long int size is %zu bytes long!\n", sizeof(z));
    return 0;
}

Without the 32bits support, we can only compile the 64bits binary.
The 32bits compilation will show some fatal errors, like this one:

alvaro@linux-a77o:~> gcc -m64 -o output64 test-bits.c
alvaro@linux-a77o:~> gcc -m32 -o output32 test-bits.c
In file included from /usr/include/features.h:371:0,
                 from /usr/include/stdio.h:28,
                 from test-bits.c:1:
/usr/include/gnu/stubs.h:7:27: fatal error: gnu/stubs-32.h: No such file or directory
compilation terminated.

In this example I used openSUSE, so these are the steps to solve the problem in this version:

  • Software Management ->
  • View ->
  • Patterns ->
  • Search "Base Technologies" and then "32-bit runtime Library" ->
  • Activate some or all the checkboxes (you may need the CD, DVD or ISO image).

After installing or configuring the 32-bit library support, we can successfully compile and execute the binaries.

alvaro@linux-a77o:~> source /etc/profile
alvaro@linux-a77o:~> rm output*
alvaro@linux-a77o:~> gcc -m32 -o output32 test-bits.c
alvaro@linux-a77o:~> gcc -m64 -o output64 test-bits.c
alvaro@linux-a77o:~> ./output32
Long int size is 4 bytes long!
alvaro@linux-a77o:~> ./output64
Long int size is 8 bytes long!