General WLUG

Trouble playing movies with Totem?

I’ve never really liked totem. It’s set up as the default movie player, but I always had problems getting it to play movies – some would play fine, others wouldn’t. It always worked for quicktime movies however.

Today, Craig asked about playing quicktime under Totem. This suprised me, because it was the one thing I had working well. We both run Ubuntu Dapper.

After closer inspection, it seems we had different gstreamer plugins installed. There’s quite a few of these packages in Ubuntu, so missing one or another is probably quite easy.

  • gstreamer0.10-plugins-base – GStreamer plugins from the “base” set
  • gstreamer0.10-plugins-good – GStreamer plugins from the “good” set
  • gstreamer0.10-plugins-bad – GStreamer plugins from the “bad” set
  • gstreamer0.10-plugins-ugly – GStreamer plugins from the “ugly” set
  • gstreamer0.10-plugins-ugly-multiverse – GStreamer plugins from the “ugly” set (Multiverse Variant)
  • gstreamer0.10-plugins-bad-multiverse – GStreamer plugins from the “bad” set (Multiverse Variant)

These are described better at

So now I have gstreamer0.10-plugins-bad-multiverse installed which includes the xvid codec. All good!

Tool of the Week WLUG

Building Debian packages with YADA

I have recently had to build some debian packages for software we distribute to our clients. I’ve built debian packages in the past, but I was a bit rusty so was looking at a similar package to the one I was working on at the time, a collection of php scripts for a web based tool. As it happened, the debian package I chose to inspect, phpmyadmin, used a program called YADA as an aid for building the deb.
YADA stands for Yet Another Debianisation Aid. I can’t find a decent definitive website for it (it’s not, btw!), but it’s in sarge and ubuntu. YADA takes two input files – debian/changelog and debian/packages, and generates a suitable set of files inside the debian/ subdir so that you can create your .deb package. The format of the debian/packages file is quite simple and gives, as far as I can tell, full control over the resulting configuration.

There is good documentation in the yada-doc package, including example packages files take from a range of debian packages that make use of YADA already.

General Tool of the Week


If you have computer on a public-facing IP address, and it runs an SSH server on port 22, chances are pretty good you’ll be subjected to a number of dictionary attacks. Compromised hosts will try to login with a list of common user names and passwords.

Now, this isn’t a problem for most of us, right? We have secure passwords after all, and these attacks are just trying dictionary lists of words – username root, password of ‘password’ or ‘root’, for example. However, they are still annoying – if only because they fill up the logfiles. Also, it’d be better to just not have the connections, just in case they manage to get through.
I recently came across a tool called denyhosts. Denyhosts monitors your ssh log file and modifies /etc/hosts.deny to disallow SSH (or all access to tcpwrapped services) from hosts that have a significant number of failed login attempts. It also has a synchronised mode in which hosts running denyhosts on the internet share their list of denied IP addresses.

I set it up a week or so ago and get an email every couple of hours with a new IP address that has been blacklisted. I also managed to blacklist one of my own IP addresses while testing, which proved hard to remove – denyhosts kept adding the block back in. Fortunately I set it to purge entries after 3 days, so I can now ssh in again :)

advocacy WLUG

2.6.16 sensibleness

From a post on Ian McDonald’s Blog:
Is it me or is it crazy the pace of point releases at the moment? Do we really need four kernels in three days?

Actually it’s just you, and perhaps a few others, who for some reason still don’t see any point in the 2.6.x.y release of kernels.

We haven’t had 4 new kernels in 3 days. We’ve had 4 small patchsets covering regressions and security flaws. In each case, the patches are less than 100 lines of code, and are considered “simple”. The fact that there are 4 of them represents the high level of effort the stable tree maintainer, and people submitting patches, is putting into the kernel.

I’d much rather have 4 security releases in 3 days, then be told to wait until the next stable kernel. Or have to track down and find the patch myself, only to discover that it doesn’t apply cleanly. I’m capable of doing these things, but there are plenty of people who aren’t, and the 2.6.x.y stable series provides a great infrastructure for the announcement and dissemination of timely security and regression patches.

At the end of the day, the chances are fairly good you’ll never need any of the patches in the stable series. What’s more, the 2.6.x.y patches all get rolled into 2.6.x+1 anyway, so you’ll get them all then. So feel free to ignore these “crazy” “kernel releases”

General Tool of the Week

SSH + LDAP Public Key (LPK)

SSH public key management can be a real pain. Adding or removing a user to your system, and distributing the account details and ssh keys is time consuming. Revoking keys is the bigger issue. Has a user added an ssh public key to the root account? To other people’s accounts?

Enter SSH LPK.

The LDAP Public Key patch for ssh allows you to set up a Public Key Infrastructure (PKI) using LDAP. It consists of an ldap schema and a diff against openssh, which inserts an LDAP lookup for the public key into the authentication path. Combine this with libnss-ldap and pam_mkhomedir, and provisioning a new user on your network is as easy as creating an entry in LDAP and inserting their public key.

The patch also allows group checks. It will check for standard posix group membership in LDAP, and if the user is in the group specified, they are allowed in. There doesn’t seem to be any way to nest groups, but this could be fixed eventually by making it a query rather than an attribute to test.
In terms of security, this is fine. We’re exporting SSH public keys via LDAP, but that’s the whole point of a public key. Perhaps more concerning is exporting UIDs and other account information via LDAP. This could be tied down by creating a CA for infrastructure and requiring that connecting clients have a certificate signed by the CA.
One can enforce LPK public keys only by setting AuthorizedKeysFile to /dev/null. This prevents users from inserting their own ssh public key onto the filesystem and bypassing any revocations you might issue. It also means if the LDAP tree is unavailable, you will fall back to password auth. If you really want to be able to completely revoke a user’s permission to log in, it’s best to disable password authentication as well. Couple this with some pam configuration to only allow admin or root accounts, and perhaps OTP or S/KEY authentication to eliminate root password leakage, and this becomes a fairly tight system.


Tool of the Week WLUG

Assigning rights to users with Samba

In a recent Linux Journal article I noticed an interesting piece of information: as of Samba 3.0.11, you can assign rights to users and groups. This eliminates the need to have samba account with the uid of 0 (eg, root), or mapping the Administrator to local uid 0 (which is practically the same thing). In particular it means that the ‘Administrator’ user, and anyone in the ‘Domain Admins’ group, can be given rights to add machines to the domain. This was a major part of a Samba backed windows domain that troubled me.

I’m running Samba 3.0.21c, packaged by

file:~# net rpc rights
net rpc rights list [{accounts|privileges} [name|SID]] View available or assigned privileges
net rpc rights grant Assign privilege[s]
net rpc rights revoke Revoke privilege[s]

Both ‘grant’ and ‘revoke’ require a SID and a list of privilege names.
For example

net rpc rights grant ‘VALE\biddle’ SePrintOperatorPrivilege SeDiskOperatorPrivilege

would grant the printer admin and disk manager rights to the user ‘VALE\biddle

file:~# net rpc rights list -U root
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares

file:~# net rpc rights grant Administrator SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPriviledge -U root
Successfully granted rights.

file:~# net rpc rights list Administrator -U root

And now my ‘Administrator’ user can perform any of the tasks related to those rights. I’ve only used this to add machines to the domain so far, as I’ve not worked out how to make Windows tie into the samba add user functionality.


Printing IP addresses in C

Printing out IP addresses in C isn’t too hard- you can use inet_ntoa for easy results. inet_ntoa uses a static buffer however, so trying to use it more than once in the same printf statement causes problems. You can split each inet_ntoa call into a new printf, or you can write some macros to do the job

[code lang=”cpp”]

#define IPFMT “%i.%i.%i.%i”
#define IP(a) ((ntohl(a.s_addr) >> 24) & 0xff),\
((ntohl(a.s_addr) >> 16) & 0xff),\
((ntohl(a.s_addr) >> 8) & 0xff),\
(ntohl(a.s_addr) & 0xff) [/code]

You might use this like:
[code lang=”cpp”]
printf(IPFMT ” -> ” IPFMT “\n”, IP(ipptr->ip_src), IP(ipptr->ip_dst));

The preprocessor turns this into something like the following:

[code lang=”cpp”]

printf(“%i.%i.%i.%i” ” -> ” “%i.%i.%i.%i” “\n”,
((ntohl(ipptr->ip_src.s_addr) >> 24) & 0xff),
((ntohl(ipptr->ip_src.s_addr) >> 16) & 0xff),
((ntohl(ipptr->ip_src.s_addr) >> 8) & 0xff),
(ntohl(ipptr->ip_src.s_addr) & 0xff),
((ntohl(ipptr->ip_dst.s_addr) >> 24) & 0xff),
((ntohl(ipptr->ip_dst.s_addr) >> 16) & 0xff),
((ntohl(ipptr->ip_dst.s_addr) >> 8) & 0xff),
(ntohl(ipptr->ip_dst.s_addr) & 0xff));

Looks a bit messy, and the IPFMT macro might throw a few people off at first, but anyone familiar with PRIu64 and the like should manage it ok. I’ll probably through this into libtrace at some point, as a helper function.