Locking Down WordPress Admin and Login URLs

For those WordPress admins who are lucky enough to only need access from certain defined IP addresses (IPv4 or IPv6), you can lock down access to the wp-admin and wp-login.php URLs in your Apache configuration with just:

<Location /wp-admin/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128 10.1.2.3/32 1234:5678:90ab:cdef::/64
</Location>

<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128 10.1.2.3/32 1234:5678:90ab:cdef::/64
</Files>

Hopefully that helps someone!
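
On Apache 2.4 and later, Order/Deny/Allow are only available through mod_access_compat, and the same allowlist is normally written with Require ip. The following is an added example, not part of the original post; it reuses the post's sample addresses.

```apache
# Added example: Apache 2.4+ equivalent of the allowlist above
# (mod_authz_core + mod_authz_host). Addresses are the post's sample values.
#
# Do not combine these with Order/Deny/Allow in the same context: mixing the
# 2.2 and 2.4 access-control styles gives results that are hard to reason about.
#
# If the server sits behind a reverse proxy or load balancer, the address
# Apache sees is the proxy's unless mod_remoteip is configured, so the
# allowlist would match the proxy rather than the real client.

<Location "/wp-admin/">
    # Note: this also covers /wp-admin/admin-ajax.php, which some themes and
    # plugins call from public pages; test the front end after enabling.
    Require ip 127.0.0.0/8 ::1 10.1.2.3 1234:5678:90ab:cdef::/64
</Location>

<Files "wp-login.php">
    Require ip 127.0.0.0/8 ::1 10.1.2.3 1234:5678:90ab:cdef::/64
</Files>
```

Requests from any other address receive a 403, which is also an easy thing to alert on in the access log.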

Paying for Freedom (Updated)

There has been much furore over the Microsoft Windows 8 Logo requirements, and how they require UEFI Secure Boot to be enabled, requiring the user to reconfigure their UEFI firmware (on x86 platforms) to be able to boot non-Windows 8 operating systems. People are concerned about the fact that this may be a slippery slope to systems that are locked down completely (as ARM powered Windows 8 systems already will be) with Secure Boot not being allowed to be disabled in order to get the MS Windows logo tick and thus the valuable marketing dollars from Redmond.

Now to me the solution seems obvious – don’t buy systems from people who sell such systems, but instead buy from vendors who believe in making systems that are under your control, and agree that it is you who gets to decide whether or not you want to turn Secure Boot on, or not. Go to companies like ZaReason (who sell around the world and have an Asia Pacific setup in New Zealand now) and System 76 (who used to be US only, but now apparently ship internationally).

The problem seems to be though that people complain that their systems tend to be a bit more expensive than the Dells of the world, companies who ship millions of PCs and have huge economies of scale (and power over their OEMs). Because ZaReason and System 76 work on much smaller volumes they don’t get the same deals and so of course their hardware will be more expensive – but that extra cost is actually an investment, a small downpayment on having vendors around in the future who will care about our freedoms to do with our computers as we see fit.

If we don’t make that investment in these companies then we will have no right to complain should we suddenly wake up one morning and find we have a choice between a beige PC that will only boot Windows 8 or later (and the ability to get your own code blessed so it will boot has gone away) and a shiny white Apple iProduct that will allow you to install any of the applications from the App store, but nothing outside of that walled garden.

So I have made my choices, when my desktop PC came a cropper and cooked itself due to the Linux leap second bug I bought a ZaReason Valta desktop and I then replaced my 9 year old laptop with a shiny new UltraLap 430 ultrabook which, I have to say, absolutely rocks with 8GB of RAM and an i5 Ivy Bridge CPU. 🙂

I believe freedom is worth investing in.

Update:

As spufidoo mentions in the comments the situation for desktops is not too bad at present whilst you can build your own, though there is always the chance that you end up with motherboards shipping with Secure Boot enabled and only Microsoft’s key installed (“why would you want anything else?”).

More of an issue are laptops and tablets where you can’t really build your own and you rely on companies to sell you the finished product. This was really the issue I had in mind when I wrote the article but failed to articulate it. We’ve already seen examples of the issues around tablets being locked down with the Nook Tablet from Barnes and Noble (though as the linked article reports people have worked around that now) so unless we support projects like the ZaTab where the package includes the source code we are purely relying on the munificence of companies for whom freedom is not the first thing they are thinking about.

Problems getting stack traces from a Python program (Kubuntu 12.10 development version)

I’m trying to get to the bottom of this bug on Launchpad which completely breaks Synaptic touchpad configuration under KDE:

https://bugs.launchpad.net/ubuntu/+source/synaptiks/+bug/1039261

The tl;dr version is that the Python interpreter is somehow emitting two calls to the Xorg libXi function XIQueryVersion(), the first call sends a client XInput version number of 2.1 and then the second one sends 2.0 (seen using xtrace).

The second call causes a BadValue error, because you’re not meant to send a lower value on any later calls (as can be seen from this Xorg libXi git commit).

This causes the comical error:

The version of the XInput extension installed on your system is too old. Version 2.0 was found, but at least version 2.0 is required

The problem is that the Python code only has the second call sending the 2.0 version number, there is no other call in the package that will send anything else, let alone the 2.1 value.

So I want to generate a call trace every time the XIQueryVersion() function is called, but I’m struggling to get it to work.

The killer at the moment is that both ltrace and gdb (when told to trace children) hang when python runs dash to run ldconfig.real and that blocks – so I never get to the point where the function gets called the first time.

With GDB I’m using:

set detach-on-fork off
set follow-fork-mode child
set follow-exec-mode new
catch load /libXi/
break XIQueryVersion

…and this is what happens:

chris@chris-ultralap:~/Code/Ubuntu$ gdb /usr/bin/python
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/python...Reading symbols from /usr/lib/debug/usr/bin/python2.7...done.
done.
(gdb) set detach-on-fork off
(gdb) set follow-fork-mode child
(gdb) set follow-exec-mode new
(gdb) catch load /libXi/
Catchpoint 1 (load)
(gdb) break XIQueryVersion
Function "XIQueryVersion" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 2 (XIQueryVersion) pending.
(gdb) run /usr/bin/synaptiks
Starting program: /usr/bin/python /usr/bin/synaptiks
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New process 3788]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Thread 0x7ffff6ccc700 (LWP 3788) is executing new program: /bin/dash
[New process 3789]
process 3789 is executing new program: /bin/dash
process 3789 is executing new program: /sbin/ldconfig.real

…and there it hangs, forever. We never even get to the point where the Python interpreter loads libXi.so, let alone calls the function. 🙁

Any ideas?

Upgraded to Twitter Tools 3.0 and Social plugin

The latest Twitter Tools upgrade (v3.0) now has a dependency on the Social plugin from MailChimp to take advantage of the open source “don’t reinvent the wheel” philosophy.

Having now installed Social and upgraded Twitter Tools you should now be able to log in with your Twitter account (should you so wish) to leave comments. It also claims comments get tweeted too, but no idea how that works yet so I’ll use this post as a test.. 🙂

Patch for Modules to use shell functions with BASH, not aliases

Whilst the Modules system is awesome in making life easy to maintain multiple versions of packages and their dependencies (and is heavily used in HPC centres like VLSCI) it can have some annoyances (and seems to be fairly half-heartedly maintained looking at the bugtracker on SourceForge). One thing that’s bitten us from time to time is that you can’t really use its “set-alias” functionality as the bash shell does not expand aliases in non-interactive shells and that includes jobs that are launched from an HPC queuing system like Torque, PBSPro, etc.

It does have the compile time option “--disable-shell-alias” but annoyingly the condition is only applied when your shell is “sh“, not “bash“, so I’ve ended up having to patch Modules to make this work for bash as well. This patch is against 3.2.9c:

--- utility.c.orig      2011-11-29 08:27:13.000000000 +1100
+++ utility.c   2012-05-16 15:08:34.012038000 +1000
@@ -1422,7 +1422,7 @@
         **  Shells supporting extended bourne shell syntax ....
         **/
        if( (!strcmp( shell_name, "sh") && bourne_alias)
-               ||  !strcmp( shell_name, "bash")
+               || ( !strcmp( shell_name, "bash") && bourne_alias )
                 ||  !strcmp( shell_name, "zsh" )
                 ||  !strcmp( shell_name, "ksh")) {
            /**
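Review bot: In the first condition, bash is now gated on bourne_alias while zsh and ksh on the following lines still take the alias branch unconditionally, and the comment above ("Shells supporting extended bourne shell syntax") does not explain why sh and bash are treated differently from them. Consider folding the two tests into ( !strcmp( shell_name, "sh") || !strcmp( shell_name, "bash") ) && bourne_alias, matching the form used in the second hunk, and extending the comment to say that bash now honours the compile-time alias setting.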
@@ -1471,7 +1471,7 @@
 
            fprintf( aliasfile, "'%c", alias_separator);
 
-        } else if( !strcmp( shell_name, "sh")
+        } else if( ( !strcmp( shell_name, "sh") || !strcmp( shell_name, "bash") )
                &&   bourne_funcs) {
        /**
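Review bot: With this else-if, a bash build where both bourne_alias and bourne_funcs are unset matches neither this branch nor the alias branch patched above, so set-alias falls through to whatever follows, which these lines do not show. It is worth confirming that path reports the unsupported alias instead of dropping it silently, and noting in the comment below that bash now shares the sh function fallback.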

Hopefully this patch will be of use to people..

Brett Smith (Free Software Foundation) talks on the TPP in Melbourne – March 5th!

Updated: new (larger) venue now finalised.

Brett Smith is in Melbourne to talk to government negotiators about the Trans-Pacific Partnership Agreement (TPP) and the impact on free software. This public lecture will introduce free software and discuss recent issues in free software licensing, including the TPP. Members of the public are welcome. No technical knowledge is required.

It will be on Monday 5 March, 2012, 6 p.m. in Theatre 1, ICT Building, Barry Street, Carlton.

This talk will introduce free software, explain why it’s important, and explore the many places where free software interacts with the law. Brett Smith will illustrate how copyright, licenses, patents, trade agreements, and other laws all play a role in deciding whether and how we can create, use, and share free software — and by extension, who controls our computers. Members of the public are welcome. No technical knowledge is required.

Brett is a GPL Ninja. He works in the Free Software Foundation’s Licensing Compliance Lab, as license compliance engineer. Brett answers complex licensing questions from the public, writes widely read and timely posts for the FSF’s blogs, codes up Python programs, and dashes across the country to give input to policy makers. Brett also ran the GPL version 3 drafting process.

Please register here: http://apps.freesoftware.asn.au/invite/brett-smith-fsf/

Vacation 1.2.7.1 Released

Vacation 1.2.7.1 is a bug fix only release which now complies with RFC-3834 “Recommendations for Automatic Responses to Electronic Mail”. A big shout of thanks to Dr. Tilmann Bubeck, the Fedora packager, for bug fixes and a German translation of the manual page.

You can download this latest version of Vacation from: http://sourceforge.net/projects/vacation/files/vacation/1.2.7.1/

It includes:

  • a fix from Dr. Tilmann Bubeck to stop Vacation from munging the GECOS information of users and instead pass it quoted to the MTA for it to deal with (fixes Fedora bug #553505 and SourceForge issue #2928189).
  • Vacation now adds the Auto-Submitted: header as per RFC3834 (fix from Dr. Tilmann Bubeck).
  • Vacation now abides by the RFC 3834 header “Auto-Submitted:” (fixes SourceForge issue #3062665).
  • Fixes up some Coverity grumbles (a redundant fopen() and others).
  • Compiles cleanly with GCC 4.6.2.
  • Now includes a vacation.spec file contributed by Magnus Stenman.
  • The old HTML version of the manual page was out-of-date and so it has been removed (along with html2man) leaving the nroff version the master.
  • Added German translation of the nroff manual page (Dr. Tilmann Bubeck).
  • Note that the English man page has been renamed to vacation-en.man and vacation.man is a symlink to it, so German speakers can just change that symlink before installing to pick up the German translation.
  • Clean up of some old directories in the source code that have been made obsolete by source code control (they contained old, applied, patches).

You can be involved in the development of Vacation by subscribing to the vacation-announce and vacation-list mailing lists and/or logging bugs and feature requests on the SourceForge tracker.

First Release Candidate for Vacation 1.2.7.1

Vacation 1.2.7.1 rc1 is the first release candidate for the first bug fix only release in the 1.2.7 branch.

This release fixes up a warning for orighdr in GCC 4.6.x. It also includes a German translation of the manual page courtesy of Dr. Tilmann Bubeck, the Fedora packager, and some cleanup work (removing obsolete directories).

Note that the English man page has been renamed to vacation-en.man and vacation.man is a symlink to it, so German speakers can just change that symlink before installing to pick up Dr. Bubeck’s translation.

Please do grab this and test it out!

If I don’t hear any problems before next weekend I intend to release this as the official Vacation 1.2.7.1.

Old patch for Bonnie++ to use random data rather than 0’s

Way back in 2007 I posted a blog about testing ZFS/FUSE with Bonnie++ using random data rather than 0’s, and I said:

it’s not ready for production use as it isn’t controlled by a command line switch and relies on /dev/urandom existing. yes, I’m going to send the patch to Russell to look at

I didn’t get any feedback on the patch, so I’ve decided to post it here in case people are interested.

diff -ur bonnie++-1.03a/bonnie++.cpp bonnie++-1.03a-urand/bonnie++.cpp
--- bonnie++-1.03a/bonnie++.cpp 2002-12-04 00:40:35.000000000 +1100
+++ bonnie++-1.03a-urand/bonnie++.cpp   2007-01-01 13:03:41.644378000 +1100
@@ -41,6 +41,9 @@
 #include <string.h>
 #include <sys/utsname.h>
 #include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
 
 #ifdef AIX_MEM_SIZE
 #include <cf.h>
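Review bot: The added headers cover open() but not the read() and close() calls that the new load_random_data() makes; add #include <unistd.h> alongside them unless the file already includes it outside the visible context.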
@@ -148,6 +151,28 @@
   }
 }
 
+void load_random_data(char *temp_buffer,int length)
+{
+       int filedes, numbytes;
+
+       filedes=open("/dev/urandom",O_RDONLY);
+       if(filedes<0)
+       {
+               perror("Open of /dev/urandom failed, falling back to 0's");
+               memset(temp_buffer, 0, length);
+       }
+       else
+       {
+               numbytes=read(filedes,temp_buffer,length);
+               if(numbytes!=length)
+                       {
+                               perror("Read from /dev/urandom failed, falling back to 0's");
+                               memset(temp_buffer, 0, length);
+                       }
+               close(filedes);
+       }
+}
+
 int main(int argc, char *argv[])
 {
   int    file_size = DefaultFileSize;
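Review bot: In load_random_data(), a short read is handled as a failure, but read() may legitimately return fewer bytes than requested, in which case errno is not set, the perror() text is misleading, and the whole buffer is zeroed, quietly turning the run back into an all-zeros benchmark. Loop until length bytes have been read (retrying on EINTR), take length as size_t rather than int, and make the fallback fatal or at least visible in the results so a zero-filled run cannot be mistaken for a random-data one.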
@@ -477,7 +502,8 @@
       return 1;
     globals.decrement_and_wait(FastWrite);
     if(!globals.quiet) fprintf(stderr, "Writing intelligently...");
-    memset(buf, 0, globals.chunk_size());
+    // memset(buf, 0, globals.chunk_size());
+    load_random_data(buf, globals.chunk_size());
     globals.timer.timestamp();
     bufindex = 0;
     // for the number of chunks of file data
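Review bot: load_random_data() is called once, before globals.timer.timestamp() and the per-chunk loop, so as far as these lines show every chunk written is the same random block; that defeats compression but a deduplicating filesystem can still collapse it. If distinct data per chunk is the goal, refill or perturb buf inside the loop and account for that cost in the timing. The commented-out memset() should be deleted rather than left in, and the behaviour belongs behind a command-line switch, as the post itself notes.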

Second beta release of Vacation 1.2.7.1

Vacation 1.2.7.1 beta2 is the second beta for the first bug fix only release in the 1.2.7 branch.

This release just fixes up some issues that Coverity revealed, none of which appeared to be harmful.

NB: If you compile with GCC 4.6 and see a complaint about orighdr being set but never used in rfc822.c don’t worry, it’s already fixed in git and will be in the first RC (assuming nothing bad is found in this version).

Please grab this beta release and test it and report any problems!