Author Archive

lighttpd and 403 error on tar.gz files

Thursday, May 20th, 2010

For about the past week I’ve been running into a problem where I create a nice tar’ed and gzipped archive to use in the post-install phase of a kickstart install I’ve been working on, but it doesn’t get transferred over to the installed client and displays an HTTP error code of 403 when I look at the access.log.

My first thought was permissions. I made sure the owner of the process running lighttpd also owned the files in question and the read bit was set for anyone to access it. That didn’t do the trick. My workaround was untar gzipping the archive and recreating it on the server. That worked until this afternoon. It was then that I did a little more testing and as it turned out lighttpd was not happy with tar gzipped archives created using Fedora 12’s tar with the ‘z’ flag passed as an argument. So I decompressed all the tar files using gzip, then gzipped them again using gzip instead of the built-in gzip functionality of tar. That did the trick.

Hopefully google will find this post, index it well and it can help someone else.

PHP, exec(), perl, not output

Tuesday, November 10th, 2009

Yesterday in writing some PHP to put a pretty web based front end on a perl script I ran into a problem, no output was being returned from the perl script.

I tried all the PHP commands for calling external commands ( exec(), system(), passthru(), and shell_exec() ) and all failed to return output.

What was VERY frustrating was that I was effectively reusing some code that called a different perl script and returned output without any problems. All my various google searches were fruitless as none of them provided me with any solutions or ideas as to how to solve my problem. So I was left to my own devices to figure things out.

After much trial and error I discovered that if I displayed the script’s help text (which exits immediately after that) the exec call worked as expected. That led me to the root cause of my problem. When I was using this script straight from the command line I opened a log file and appended some information to it as the script executed. Perhaps that was the cause….. Not wanting to lose that functionality I first explicitly made sure all my output was being directed to STDOUT. That did not help. Next I removed all instances of printing to the logfile. That also didn’t help. It was only when I removed the open() statement that the perl script began returning information to PHP as I expected.

“‘UCHAR_MAX’ undeclared (first use in this function)” solved

Thursday, October 22nd, 2009

In trying to compile an email testing tool on Fedora 11 I ran into an error while make was compiling one of the programs.
I kept getting the error:

‘UCHAR_MAX’ undeclared (first use in this function)

While a googling of this error message did return a lot of results none of them had much useful content for actually solving it. There was a hint in one post on page 2 of my google results that helped me craft the right query to find the answer.

As it turns out UCHAR_MAX is declared in limits.h which for this particular program was not being included. Once that was added the program compiled with no complaints.

Yum error: “Error: Package tuple (…) could not be found in packagesack”

Saturday, July 18th, 2009

I recently encountered this on my Fedora 10 machine. I looked and looked and found a bunch of advice that did not work. Among that advice was rebuild the RPM database, and clean the yum repository.

The answer though was I had a bad yum repository that I found by disabling all the yum repositories I had and re-enabling them one by one.

If you find this page b/c of the error above I suggest the same methodology for finding the offending repository.

finally back up

Monday, June 1st, 2009

I finally took a few minutes this afternoon to get Apache back up and running.

It failed to come back after the server restarted 2 weeks ago today. Why did the server restart, you might ask? Because the collocation facility where it is housed mucked up something with the back-up power. The story is that while they were doing a weekly test of the generator the switch back to main power failed and the UPS batteries failed before they could get the mains back online or the generators running again.

While I got the most critical functions of the server back as soon as I could (and it was non trivial thanks to an issue with my RAID 1 mirrored config and a corrupted boot file) and restarted critical functions (my mail server and a 2nd mailserver that is relied on for a business), the web server and blog could wait. And wait they did all the way until today.

Now it is back and I am happy.

Oh, and two other things: the power outage claimed 1 server immediately and I hold it responsible for a firewall failing last week. And I have to say I am no fan of software RAID 1 mirroring on this machine. It made recovering about 10x as hard b/c I had to unmirror the root partition.

Hacking an APC9211

Sunday, March 22nd, 2009

This morning, after being frustrated with getting a USB drive to function properly on a Linux machine, I turned my attention to breaking into an APC Power Switch I had acquired but didn’t have the opportunity to do a reset and recover before I had to install it. This would be simple if I could reset the switch during a reboot; unfortunately in doing this I would reboot several servers that needed to stay up and available.

So I went searching a bit and found that this APC Power Switch is vulnerable to a local attack that would allow you to find what the current administrative user account is defined as as well as the current password associated with that account. The vulnerability was in a different, more recent, version of the software currently being run by the device. I was hopeful that my older version would also be vulnerable.

The first step is to connect to the serial port on the device using a standard null modem cable running at 2400baud 8-N-1. Once you get a User Name : prompt enter apc and the password: TENmanUFactOryPOWER

This will drop you to the Factory Menu that will look like this:

User Name : apc
Password  : *******************

Factory Menu
<ctrl -A> to exit

1 AP9606
2 WA0033002610
3 10
4 08/08/2000
5 00 C0 B7 63 FA F1
6 v2.5.3
7 A
8 A
9 198.180.62.87
A 255.255.255.240
B 198.180.62.81
C
D
E
F
G

The instructions I found indicated at this point to enter 13 which will drop you to this prompt:

Selection> 13

Enter byte address in Hex(XXXX):

The instructions further indicated that the address to view that would contain the information was: 1d10. However in my version of the software this is what I saw:

Enter byte address in Hex(XXXX): 1d10

1D10   FF FF FF FF FF FF FF FF  ........
1D18   FF FF FF FF FF FF FF FF  ........
1D20   FF FF FF FF FF FF FF FF  ........
1D28   FF FF FF FF FF FF FF FF  ........
1D30   FF FF FF FF FF FF FF FF  ........
1D38   FF FF FF FF FF FF FF FF  ........
1D40   FF FF FF FF FF FF FF FF  ........
1D48   FF FF FF FF FF FF FF FF  ........
1D50   FF FF FF FF FF FF FF FF  ........
1D58   FF FF FF FF FF FF FF FF  ........
1D60   FF FF FF FF FF FF FF FF  ........
1D68   FF FF FF FF FF FF FF FF  ........
1D70   FF FF FF FF FF FF FF FF  ........
1D78   FF FF FF FF FF FF FF FF  ........
1D80   FF FF FF FF FF FF FF FF  ........
1D88   FF FF FF FF FF FF FF FF  ........

<sp>nxt,b-bck,p-pch,other-exit

Obviously there is no useful information there. So I started to systematically try other address locations to see if the information I was seeking was someplace else. After about 5 minutes of trial and error I found the information I was seeking at 1c2:

Enter byte address in Hex(XXXX): 1c2

01C2   FF FF FF FF FF FF FF FF  ........
01CA   FF FF FF FF FF FF FF 50  .......P
01D2   46 61 64 6D 69 6E 00 64  Fadmin.d
01DA   6D 69 6E 00 68 69 68 61  min.hiha
01E2   74 31 31 00 00 00 FF 64  t11....d
01EA   65 76 69 63 65 00 FF FF  evice...
01F2   FF FF 61 70 63 00 FF FF  ..apc...
01FA   FF FF FF FF FF 72 6F 62  .....rob
0202   68 61 72 72 69 73 68 61  harrisha
020A   73 61 62 61 62 79 00 FF  sababy..
0212   FF FF FF FF FF FF FF FF  ........
021A   FF FF FF FF FF FF 64 65  ......de
0222   76 69 63 65 20 75 73 65  vice use
022A   72 20 70 68 72 61 73 65  r phrase
0232   00 FF FF FF FF FF FF FF  ........
023A   FF FF FF FF FF FF FF 00  ........

<sp>nxt,b-bck,p-pch,other-exit

In case you don’t see it, the userid is admin and the password is hihat11.

After gaining that information I was able to easily log in and reset the password to something I will easily remember, as well as configure the network interface to enable web management of the device.

Ostrich responses to an error message

Monday, February 23rd, 2009

I was looking at the DNS servers I admin last week and noticed, among other things, the following error message showing up frequently in the system logs:

Feb 23 10:23:08 baltimore named[14105]: [ID 873579 daemon.info] \
edns-disabled: info: too many timeouts resolving \
'171.221.32.207.sbl.spamhaus.org/TXT' \
(in 'sbl.spamhaus.org'?): disabling EDNS

This looks like a problem that should be fixed. I googled this error message and 9 out of 10 replies to people asking how to deal with this error were (and I’m paraphrasing)

“Oh just ignore it, and here’s how to configure logging to not log those errors”

WTF? How about some helpful information about why this is happening and how to fix it? Or more information why it is happening so a person can be informed about what is happening and the root causes.

Here is a posting from Mark Williamson on the bind-users mailing list that does provide some useful information that can be used to make an informed decision if you want to disable logging these events:

"disabling EDNS" is issued when named experiences too many
timeouts to EDNS queries and named decides to give up on
EDNS and revert to plain old DNS.   Now timeouts can be the
result of many things.  Broken nameservers that don't respond
to EDNS queries.  Firewalls that block EDNS queries.
Firewalls that block fragmented responses.  Firewalls/NATs
that don't handle out of order fragments.

Timeouts can also be due to other network problems including
unreachable servers.

If you are getting lots of these then you do have network /
firewall problems.  They may however *not* be caused by EDNS.

The message has the symptom "too many timeouts", what it
was trying to do "resolving 'ns.cmmail.com/AAAA' (in
'cmmail.com'?)" and what named is doing "disabling EDNS" to
try to rectify the problem.

Based on that information I think I will be disabling these messages.
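
The log format quoted above, parsed as an added example (not code from the original post or from BIND): it tallies these events per zone so you can see what you would be silencing before turning the messages off. The sample lines are constructed in the post's syslog format, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the syslog format quoted in the post
# (each event joined onto one line; names other than the first are made up).
SAMPLE_LOG = """\
Feb 23 10:23:08 baltimore named[14105]: [ID 873579 daemon.info] edns-disabled: info: too many timeouts resolving '171.221.32.207.sbl.spamhaus.org/TXT' (in 'sbl.spamhaus.org'?): disabling EDNS
Feb 23 10:23:41 baltimore named[14105]: [ID 873579 daemon.info] edns-disabled: info: too many timeouts resolving '12.0.0.10.sbl.spamhaus.org/TXT' (in 'sbl.spamhaus.org'?): disabling EDNS
Feb 23 10:25:02 baltimore named[14105]: [ID 873579 daemon.info] edns-disabled: info: too many timeouts resolving 'ns.example.net/AAAA' (in 'example.net'?): disabling EDNS
Feb 23 10:26:17 baltimore named[14105]: [ID 873579 daemon.info] general: info: zone example.org/IN: loaded serial 2009022301
"""

# Pulls out the three parts of the message: what was being resolved,
# the zone it belongs to, and what named did about it.
EDNS_RE = re.compile(
    r"named\[\d+\]: .*?too many timeouts resolving "
    r"'(?P<qname>[^'/]+)/(?P<qtype>[A-Za-z0-9]+)' "
    r"\(in '(?P<zone>[^']+)'\?\): (?P<action>.+)$"
)

def summarize(log_text):
    """Group timeout events by zone: count, distinct names, record types, actions."""
    zones = defaultdict(lambda: {"events": 0, "qnames": set(),
                                 "qtypes": Counter(), "actions": Counter()})
    for line in log_text.splitlines():
        m = EDNS_RE.search(line)
        if m is None:
            continue  # some other named message
        entry = zones[m["zone"]]
        entry["events"] += 1
        entry["qnames"].add(m["qname"])
        entry["qtypes"][m["qtype"]] += 1
        entry["actions"][m["action"]] += 1
    return dict(zones)

def zones_by_volume(log_text):
    """Return (zone, event_count) pairs, busiest zone first."""
    stats = summarize(log_text)
    return sorted(((z, s["events"]) for z, s in stats.items()),
                  key=lambda pair: (-pair[1], pair[0]))

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for zone, count in zones_by_volume(SAMPLE_LOG):
        s = stats[zone]
        print(f"{zone}: {count} events, {len(s['qnames'])} names, "
              f"types={dict(s['qtypes'])}")
```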

VMWare Server 2.0 problems

Monday, February 9th, 2009

For the past few days at work I’ve been banging my head against my desk because I can’t seem to get VMWare Server 2.0 to remember virtual machines after a reboot.

I tried many things including creating new directories and setting the permissions on them to 777 (accessible to all). None of those things helped. Then it dawned on me….maybe it was something else….

The “what else” was that the file system I am using is a software RAID 5 array mounted to /export. This file system isn’t mounted until last in the boot process, after vmware started. Perhaps that was the problem. And after a restart of the vmware process it did indeed turn out to be the problem.

My quick and dirty solution is to restart the vmware service immediately after I mount /export.

This also indicates VMware does not dynamically read a data store but only once on boot and then just adds to it if you create a new Virtual Machine. Given my experience this doesn’t seem to be an ideal way to do this.

Can someone who understands MS Exchange explain this…..

Friday, February 6th, 2009

I mentioned recently that IMAPS is being shut off for my work email. Well they just sent out a 2nd notice with some justifications. The one that JUMPS out at me is that (and I’m paraphrasing): “in order to provide POP and IMAP services we use approximately 50 IPs on our DMZ.”

Can someone with some insight into the inner workings of exchange explain why so many IPs would be required to provide these services? Thanks.

Empower your employees or handcuff them?

Saturday, January 24th, 2009

I work for a large consulting firm and my employer has decided that instead of empowering their employees they will handcuff them.

Specifically my employer has decided to limit its consultants to only access our email via internal access to an Exchange server, or external access via either Outlook Web Access (a web mail client for Exchange) or via our corporate Blackberry BES (Blackberry Enterprise Server). The latter is only an option for connectivity if you are either senior enough and get a company issued Blackberry or have management sign off on allowing you to access the company owned BES.

This means for the average consultant at my company we will no longer have easy access to our email outside of the office. Will this impact the rank and file’s ability to be responsive to both internal demands and our customers? In my ever so humble opinion, yes. Will this be noticed by the people who made this decision? Probably not because they are disconnected from the people who actually generate revenue for our firm.

The sad part is that in the name of security they might end up encouraging insecure practices. For instance some people might start using external email addresses for business purposes which exposes potentially sensitive corporate data to outside parties. This didn’t have to happen either; it is entirely possible, despite this statement “IMAPS - it turns out the “S” is pretty darned weak” [1], to allow for a publicly available email solution.

Sadder still is that unless this impacts someone senior enough, which it won’t because they all have company issued Blackberries, it will happen no matter how much the rank and file might complain, which they won’t anyway.

[1] I asked for clarification on this statement on Tuesday and to date have not received a response.