It seems I'm not the only one…

August 18th, 2005

… who sometimes feels alone, who has a tragicomic relationship with women, and who believes he must be the only one these kinds of things happen to.

It turns out that, wandering through cyberspace, I came across the diary of someone who I think is very much like me, and who does not hesitate to express his thoughts and emotions openly. When I read some of his entries I feel as if I were seeing my own image reflected in a mirror, as if my own unconscious could at some point have said exactly those sentences of mine, with those very same words. I still can't believe it.

I'll note the address here in case I ever feel like I'm the only one again…

Frustraciones sentimentales de un treintañero Heterosexual de treintaytantos desearía comprender a sus amigas.

The default Fedora Core 3 targeted SELinux policy is of little help when trying to publish a bunch of files for public access via Samba. It seems the targeted policy does not define anything like that, and thus it must be extended to add such functionality.

We will place all public Samba files into “/samba”. We will run the following commands to create it:

mkdir /samba
chmod 1777 /samba
chown root:root /samba

When we try to mount a Samba share, the following audit entry is written to the kernel log:

audit(1105232730.949:0): avc: denied { getattr } for pid=4262
exe=/usr/sbin/smbd path=/samba dev=hda2 ino=9977859
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir

This means the “smbd” process, running as “root:system_r:smbd_t”, tried to retrieve the attributes (getattr) of the directory (tclass=dir) “/samba”, whose inode is 9977859, and the currently loaded policy does not allow that domain to retrieve attributes from an object labeled “system_u:object_r:default_t”. All the files sitting beneath “/samba” are labeled “system_u:object_r:default_t” by default.

So we intend to create a new type that we will use to label all the files beneath “/samba”, and then allow the “smbd” process to work with them with no restrictions at all except, of course, those imposed by the Discretionary Access Control (DAC) mechanisms.
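
To make “avc: denied” entries easier to act on, here is an added example (not part of the original post) that re-joins wrapped kernel-log entries, aggregates the denied permissions per source domain, target type and object class, and prints the allow rules that would silence them. The first log entry is the one quoted above; the other two are constructed. It also lists the paths whose denials hit a generic type such as default_t: granting smbd_t access to default_t would cover every unlabeled file on the system, which is exactly why the steps below introduce a dedicated type instead of allowing the generic one.

```python
import re
from collections import defaultdict

# AVC format as written by the Fedora Core 3 kernel (see the entry quoted above).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Types that mean "nothing more specific applied": a rule allowing them is far too broad.
GENERIC_TYPES = {"default_t", "file_t", "unlabeled_t"}

# Constructed sample log: the first entry is the one from the post, the other two are made up.
SAMPLE_LOG = """\
audit(1105232730.949:0): avc: denied { getattr } for pid=4262
exe=/usr/sbin/smbd path=/samba dev=hda2 ino=9977859
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1105232731.120:0): avc: denied { search } for pid=4262 exe=/usr/sbin/smbd name=samba dev=hda2 ino=9977859 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1105232731.455:0): avc: denied { read write } for pid=4262 exe=/usr/sbin/smbd path=/samba/report.txt dev=hda2 ino=9977870 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=file
"""


def join_wrapped(text):
    """Re-join entries that a log viewer wrapped onto continuation lines.
    A new entry starts with 'audit('; any other line continues the previous one."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit(") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_avc(entry):
    """Extract permissions, source domain, target type, object class and path from one entry."""
    m = AVC_RE.search(entry)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": m.group("scontext").split(":")[2],  # user:role:type[:range]
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "path": fields.get("path"),
    }


def denials_to_rules(text):
    """Aggregate denials into the smallest set of allow rules that would silence them.
    Returns (rules, paths): rules as policy lines, paths keyed by (domain, type, class)."""
    perms = defaultdict(set)
    paths = defaultdict(set)
    for entry in join_wrapped(text):
        d = parse_avc(entry)
        if d is None:
            continue
        key = (d["sdomain"], d["ttype"], d["tclass"])
        perms[key] |= d["perms"]
        if d["path"]:
            paths[key].add(d["path"])
    rules = []
    for sdomain, ttype, tclass in sorted(perms):
        plist = " ".join(sorted(perms[(sdomain, ttype, tclass)]))
        rules.append(f"allow {sdomain} {ttype}:{tclass} {{ {plist} }};")
    return rules, dict(paths)


def relabel_candidates(text):
    """Paths whose denials target a generic type. These want a dedicated label (as the
    post does with user_samba_t), not a blanket allow rule on default_t."""
    _, paths = denials_to_rules(text)
    found = set()
    for (_, ttype, _), ps in paths.items():
        if ttype in GENERIC_TYPES:
            found |= ps
    return sorted(found)


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG)[0]:
        print(rule)
    print("relabel instead of allowing default_t:", relabel_candidates(SAMPLE_LOG))
```

Run on the sample it prints one rule per (domain, type, class) triple and then the two paths under “/samba”, which is the signal to add a file context and a type rather than to paste the generated rules into the policy.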

  1. Label all public Samba files with a dedicated SELinux type

    The “/samba” directory and all files beneath it will be labeled with a specific type, “user_samba_t”. We will create the “/etc/selinux/targeted/src/policy/file_contexts/misc/custom.fc” file with the following line:

    /samba(/.*)? system_u:object_r:user_samba_t

    which means “the /samba directory and any file beneath it, will be labeled as system_u:object_r:user_samba_t”.

  2. Define a SELinux type used to label the public Samba files

    Next, we need to define the “user_samba_t” type as a regular file type. We will create “/etc/selinux/targeted/src/policy/types/custom.fc” with the following line:

    type user_samba_t, file_type, sysadmfile;

  3. Allow the Samba daemon process to access Samba public files with no restrictions

    Finally, we need to explicitly allow “smbd” to be able to read, write, lock and get attributes for any file located beneath “/samba”. Also, we need to allow “smbd” to be able to search, read, write, lock and get attributes for any directory beneath “/samba”. We will create “/etc/selinux/targeted/src/policy/domains/misc/custom.te” with the following lines:

    allow smbd_t user_samba_t:dir { search read write rename getattr
    setattr lock add_name create remove_name rmdir };
    allow smbd_t user_samba_t:file { read write rename getattr setattr
    lock create unlink };

    The previous permissions were obtained by trial-and-error due to the fine-grained granularity of SELinux permissions: I tried creating a new directory, renaming a directory, removing a directory, creating a file, renaming a file.

  4. Compile and load the resulting SELinux policy

    Once the previous changes are made, we need to run the following commands:

    cd /etc/selinux/targeted/src/policy
    make load

    If the last command runs with no errors, the new policy is compiled and loaded into memory. The final step is checking that Samba is working and that we can access all the public files from a remote computer with no problems at all.

FreeNX on Linux

August 17th, 2005

FreeNX is based on the GPL NX compression components from NoMachine.com and provides fast, graphical remote desktop sessions for UNIX-based systems. NX uses SSH tunneling to perform authentication and to negotiate session parameters.

NoMachine.com provides NX viewer clients for Mac OS X and Linux. By default, the nxclient software uses a built-in private key to connect to the remote NX server over SSH with DSA public key authentication. When using FreeNX, it’s recommended to generate a new DSA private/public key pair and install it on the client machines and on the remote NX servers.

The NX server software uses the “nx” user account, configured to allow public key authentication, to start up the remote agent and proxy components used by the NX protocol. The NX client starts a remote SSH session against the NX server as this “nx” user. Thus, we need to manually generate a DSA key pair: the private key gets installed on the client, while the public key gets installed on the NX server.

FreeNX can be obtained from the following sites:

For Fedora Core:

http://fedoranews.org/contributors/rick_stout/freenx/freenx-0.2.7-0.fdr.1.noarch.rpm

http://fedoranews.org/contributors/rick_stout/freenx/nx-1.4.0-0.fdr.3.i386.rpm

For Debian:
By adding the following to “/etc/apt/sources.list”:

deb http://kanotix.com/files/debian/ ./

and then running

# apt-get install freenx

  1. Generating the DSA private-public key pair.

    We must use the “ssh-keygen” command line tool to create a private-public key pair. For example, by issuing the following command on the client machine:

    # ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/Users/falfaro/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /Users/falfaro/.ssh/id_dsa.
    Your public key has been saved in /Users/falfaro/.ssh/id_dsa.pub.
    The key fingerprint is:
    76:f1:09:07:f3:ef:4d:0a:a9:b7:ac:48:49:93:67:fe falfaro@mac.local

    The private key should NOT be protected by a passphrase, as it will be directly used by the NX client software before any authentication is performed.

  2. Installing the private key into the NX client software

    The next step is replacing the NX client software built-in private key with the one we have just created. NoMachine’s NX client software stores the DSA private key in “/usr/NX/share/client.id_dsa.key”:

    # ls -l /usr/NX/share/client.id_dsa.key
    -rw-r--r-- 1 root wheel 668 27 Dec 13:59 /usr/NX/share/client.id_dsa.key

    Thus, we should execute the following commands:

    # mv /usr/NX/share/client.id_dsa.key /usr/NX/share/client.id_dsa.key.OLD
    # mv /Users/falfaro/.ssh/id_dsa /usr/NX/share/client.id_dsa.key
    # chown root:wheel /usr/NX/share/client.id_dsa.key
    # chmod 644 /usr/NX/share/client.id_dsa.key

  3. Installing the public key into the NX server software

    The last step is installing the public key, which corresponds to the “nx” user, on the remote server. The public key is installed as an “authorized_keys2” file inside the home directory of the “nx” user. The OpenSSH server reads this file to find the public keys the NX client software is allowed to use when authenticating as “nx”.

    Depending on the distribution and FreeNX implementation, the home directory for the “nx” user will be located in different places. In Fedora Core, this is usually “/var/lib/nxserver/nxhome”. In Debian, this is usually “/home/.nx”.

    So we distribute the “id_dsa.pub” file to the remote NX server machine and authorize it there:

    # scp /Users/falfaro/.ssh/id_dsa.pub root@NXSERVER:
    # rm /Users/falfaro/.ssh/id_dsa.pub
    # ssh root@NXSERVER
    # mv /root/id_dsa.pub /home/.nx/.ssh/authorized_keys2
    # chown nx:root /home/.nx/.ssh/authorized_keys2
    # chmod 600 /home/.nx/.ssh/authorized_keys2

  4. Testing public key authentication

    Before using the NX client software to connect to the remote NX server, it’s recommended to check that we can log in to the NX server as the “nx” user with an ordinary SSH client using public key authentication:

    # ssh -i /usr/NX/share/client.id_dsa.key nx@NXSERVER
    Linux NXSERVER 2.6.10 #1 Sat Dec 25 05:20:24 CET 2004 i686 GNU/Linux
    ...
    HELLO NXSERVER - Version 1.4.0-02 OS_(GPL)
    NX> 105 quit
    quit
    Quit
    NX> 999 Bye
    Connection to ubuntu closed.

    If this works, we can be pretty sure the NX client will allow us to establish a remote session against the NX server.

  5. Configuring FreeNX server to support resuming of suspended sessions

    In file “/usr/bin/nxserver”:

    Replace the line that reads:

    ENABLE_AUTORECONNECT="0"

    with

    ENABLE_AUTORECONNECT="1"

    Replace the line that reads:

    session_list_user_suspended "$USER" 'Suspended' "$(getparam geometry)" "$(getparam type)" | log_tee

    with

    session_list_user_suspended "$USER" 'Suspended$|^status=Running$' "$(getparam geometry)" "$(getparam type)" | log_tee

    This is very important as sometimes, when the NX client is disconnected from the NX server, the session is not marked as suspended.
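
As an added example (not from the original post or from FreeNX), the following Python script performs offline the checks that steps 1, 3 and 4 above do by hand: it computes the MD5 fingerprint that ssh-keygen printed in step 1 from a public key line, confirms that the same key is present in the “nx” user’s authorized_keys2 contents, checks that the private key is not passphrase-protected (step 1 insists on that) and that the server-side file mode matches the chmod 600 from step 3. All key material is constructed (the base64 blob decodes to the bytes “abc”, so the fingerprint can be checked against the MD5 test vector); the functions work unchanged on real id_dsa.pub and authorized_keys2 contents.

```python
import base64
import hashlib
import re
import stat

# Constructed key material: the blob "YWJj" is base64 for the bytes b"abc", which is
# not a real DSA key but is enough to show how the fingerprint is derived.
PUBKEY_LINE = "ssh-dss YWJj falfaro@mac.local"
AUTHORIZED_KEYS2 = """\
# constructed authorized_keys2 for the nx user
ssh-dss YWJj falfaro@mac.local
command="/usr/bin/nxserver" ssh-dss YWJj nx
"""
# Constructed legacy PEM bodies: ssh-keygen of that era marked passphrase-protected
# keys with a Proc-Type header. The bodies are placeholders, not real keys.
PRIVATE_KEY_CLEAR = (
    "-----BEGIN DSA PRIVATE KEY-----\nPLACEHOLDERBODY\n-----END DSA PRIVATE KEY-----\n"
)
PRIVATE_KEY_ENCRYPTED = (
    "-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nPLACEHOLDERBODY\n"
    "-----END DSA PRIVATE KEY-----\n"
)

# Key type followed by the base64 blob; options such as command="..." may precede it.
KEY_RE = re.compile(r"\b(ssh-(?:dss|rsa))\s+([A-Za-z0-9+/=]+)")


def fingerprint_md5(pubkey_line):
    """MD5 fingerprint in the colon-separated form ssh-keygen printed in 2005.
    The digest is over the base64-decoded key blob, not over the text line."""
    m = KEY_RE.search(pubkey_line)
    if not m:
        raise ValueError("not an OpenSSH public key line")
    digest = hashlib.md5(base64.b64decode(m.group(2))).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def authorized_fingerprints(text):
    """Fingerprints of every key an authorized_keys(2) file would accept; comments and
    blank lines are skipped, and option-prefixed entries are handled by KEY_RE."""
    fps = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and KEY_RE.search(line):
            fps.append(fingerprint_md5(line))
    return fps


def key_is_authorized(pubkey_line, authorized_text):
    """True when the client's public key is one the server will accept for 'nx'."""
    return fingerprint_md5(pubkey_line) in authorized_fingerprints(authorized_text)


def private_key_is_unencrypted(pem_text):
    """The NX client cannot prompt for a passphrase, so the key must be stored in the clear."""
    return "DSA PRIVATE KEY" in pem_text and "Proc-Type: 4,ENCRYPTED" not in pem_text


def authorized_keys_mode_ok(mode):
    """Server-side check matching the post's chmod 600: no group/other permission bits."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    print("client key fingerprint:", fingerprint_md5(PUBKEY_LINE))
    print("authorized on server:", key_is_authorized(PUBKEY_LINE, AUTHORIZED_KEYS2))
    print("private key usable by nxclient:", private_key_is_unencrypted(PRIVATE_KEY_CLEAR))
```

Comparing fingerprints rather than raw lines is deliberate: the comment field and any options prefix differ between the client’s id_dsa.pub and the server’s authorized_keys2 entry, but the blob, and therefore the fingerprint, must be identical. For a real file, feed `os.stat(path).st_mode` to `authorized_keys_mode_ok`.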

TeTeX and the Spanish language

August 17th, 2005

By default, Fink’s TeTeX installation does not enable Spanish language support, such as hyphenation and the translation of English strings in macros into Spanish. To enable support for Spanish, edit the following file:

/sw/share/texmf/tex/generic/config/language.dat

and change the line that reads

%! spanish sphyph.tex

to

spanish sphyph.tex

Now, we need to tell TeTeX to reconfigure itself to accommodate the changes by running the following command as root:

# texconfig init

The output resulting from running the previous command should give no errors and look like this:

...
0 words of font info for 0 preloaded fonts
0 hyphenation exceptions
Hyphenation trie of length 256 has 0 ops out of 35111
No pages of output.
Transcript written on mptopdf.log.
fmtutil: /sw/var/lib/texmf/web2c/lambda.oft installed.
fmtutil: /sw/var/lib/texmf/web2c/omega.oft installed.
fmtutil: /sw/var/lib/texmf/web2c/latex.fmt installed.
fmtutil: /sw/var/lib/texmf/web2c/pdflatex.fmt installed.
fmtutil: /sw/var/lib/texmf/web2c/pdftex.fmt installed.
fmtutil: /sw/var/lib/texmf/web2c/tex.fmt installed.
fmtutil: /sw/var/lib/texmf/web2c/cont-en.efmt installed.
fmtutil: /sw/var/lib/texmf/web2c/elatex.efmt installed.
fmtutil: /sw/var/lib/texmf/web2c/etex.efmt installed.
fmtutil: /sw/var/lib/texmf/web2c/mptopdf.efmt installed.
fmtutil: /sw/var/lib/texmf/web2c/pdfelatex.efmt installed.
fmtutil: /sw/var/lib/texmf/web2c/pdfetex.efmt installed.
fmtutil: /sw/var/lib/texmf/web2c/metafun.mem installed.
fmtutil: /sw/var/lib/texmf/web2c/mpost.mem installed.
fmtutil: /sw/var/lib/texmf/web2c/mf.base installed.
install_link failed for /sw/bin/mf. File already exists.

The last step is trying to parse a TeX file using pdflatex and the Spanish language to see if it works. For example, try feeding the following TeX file to pdflatex:

\documentclass[11pt,a4paper,twoside]{report}
% Graphics support.
\usepackage{graphicx}
% Make the first paragraph after a section heading indented.
\usepackage{indentfirst}
% Support for the \verb and \url commands.
\usepackage{url}
% Switch the typeface to Palatino with math symbol support.
\usepackage{palatcm}
\usepackage[spanish]{babel}
\setlength{\parskip}{3pt}
\newcommand{\cliente}{\textit{Asociaci'on de Estaciones de Esqu'i del Pirineo}}
\begin{document}
\title{Estudio de Viabilidad del Sistema}
\author{Felipe Alfaro Solana \\ Ricardo Osses Da Silva}
\date{\today}
\maketitle
\chapter{Estudio de Viabilidad del Sistema}
\section{Establecimiento del alcance del sistema}
Nuestro cliente, de ahora en adelante \cliente, pretende implantar un sistema de informaci'on integral que le permita automatizar la operativa diaria derivada de la gesti'on y mantenimiento de los servicios de la Estaci'on de Esqu'i, entre los que se incluyen:

Gesti'on integral de reservas, tanto en lo referente a la estancia de usuarios en un hotel, como la compra o alquiler de equipo, contrataci'on de un seguro m'edico o de accidentes, etc.

\subsection{Estudio de la solicitud}

El cliente pretende implantar un sistema de informaci'on integral que automatice la operativa correspondiente a la parametrizaci'on del sistema, la gesti'on de intervinientes (clientes de la estaci'on de esqu'i, proveedores, etc.), gesti'on de compras y ventas de material (de esqu'i, sanitario, alimentaci'on, fungible, etc.), planificaci'on de cuadrantes horarios para los empleados, gesti'on de servicios (clases e instructores de esqu'i, alquiler de equipo, contrataci'on de seguro m'edico y atenci'on en pista, etc), soporte m'inimo de informes dirigidos a facilitar la toma de decisiones y evaluar la sitaci'on y la solvencia de la empresa.

Actualmente, no se han detectado restricciones de car'acter econ'omico, aunque la oferta presentada al cliente determinar'a si 'este acepta el desarrollo.

Respecto a las restricciones t'ecnicas y operativas, el cliente ha especificado las siguientes:

\begin{itemize}
\item El sistema de informaci'on deber'a ser transportable e independiente, en la medida de lo posible, de la arquitectura hardware. Si en un principio se opta por una plataforma basada en procesadores IA-32 de Intel, deber'a ser posible, por ejemplo, poder migrar el sistema de informaci'on a una plataforma basada en un sistema iSeries de IBM, por ejemplo.
\item El sistema de informaci'on deber'a permitir especificar distintos niveles de acceso al sistema, tales que permitan distinguir entre operadores de cada una de las distintas 'areas o departamentos (administraci'on, tienda, hotel, etc.), gerencia y administradores del sistema.
\end{itemize}

No se han detectado restricciones de car'acter legal, exceptuando aquellas derivadas de la vigente ley de la protecci'on de las comunicaciones telem'aticas como la LSSI y leyes de protecci'on de datos de car'acter privado como la LOPD.

\end{document}

pdflatex should generate a beautifully typeset PDF document as the result, formatted cleanly, translated into Spanish and with the correct hyphenation.

While reading the UNIX-HATERS Handbook, I read the following phrase:

No, those were the real days of computing. And those were the days of Unix. Look at Unix today: the remnants are still there. Try logging in with all capitals. Many Unix systems will still switch to an all-caps mode. Weird.

What’s more weird is that I tried logging in onto my Gentoo 2004.3 Linux system using all capitals and, to my surprise, the whole session switched to an all-caps mode: the output of the “ls” command, even the “vi” editor. Astonishing.

Many modern operating systems are too permissive with respect to potentially malicious network traffic. By default, many of them respond to ICMP echo requests sent at the broadcast address, take any IP source-route information into account, and do process ICMP router redirects with no checking:

Responding to ICMP echo requests sent to the broadcast address may allow smurf-like amplification attacks that try to flood the network, or overwhelm a host with a large amount of useless traffic. Source-route information in IP packets is usually suspicious, as routing decisions should normally be made on the fly using the router’s routing table. ICMP router redirect messages allow telling a host to replace its current default route with a different one, which is commonly used by sniffers to defeat Layer-2 Ethernet switches and mount man-in-the-middle attacks.

Here are a few sysctl entries that can be added to “/etc/sysctl.conf” in order to disable these usually dangerous facilities:

# Ignore ICMP echo requests targeted to the broadcast address
net.inet.icmp.bmcastecho=0
# Disable ICMP router redirect support
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
# Ignore source routes
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
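
As an added example (not from the original post), here is a small Python checker that reads either a “/etc/sysctl.conf” fragment (key=value) or the output of “sysctl -a” on a BSD-style kernel such as Mac OS X or FreeBSD (key: value), compares the seven settings above against their hardened values, and prints a sysctl.conf fragment for whatever deviates. The sysctl -a sample is constructed to look like a host still running with the permissive defaults.

```python
import re

# Hardened values from the post, as the BSD/Mac OS X kernel names them.
BASELINE = {
    "net.inet.icmp.bmcastecho": "0",        # ignore broadcast echo requests (smurf amplification)
    "net.inet.icmp.drop_redirect": "1",     # drop ICMP redirects received from the network
    "net.inet.icmp.log_redirect": "1",      # ...but log them, so an attempt is visible
    "net.inet.ip.redirect": "0",            # do not send ICMP redirects ourselves
    "net.inet6.ip6.redirect": "0",
    "net.inet.ip.sourceroute": "0",         # do not forward source-routed packets
    "net.inet.ip.accept_sourceroute": "0",  # do not accept them either
}

# Accepts "key=value" (sysctl.conf) and "key: value" (sysctl -a) forms.
LINE_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*[=:]\s*(.*?)$")

# Constructed `sysctl -a` excerpt from a host still running with the defaults.
SAMPLE_SYSCTL_A = """\
net.inet.icmp.bmcastecho: 1
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0
net.inet.ip.redirect: 1
net.inet6.ip6.redirect: 1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
"""


def parse_sysctl(text):
    """Return {key: value} from sysctl.conf or sysctl -a text; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(text, baseline=BASELINE):
    """Return {key: (expected, actual)} for each baseline key that is missing or differs.
    A missing key reports actual=None so the caller can tell 'unset' from 'wrong'."""
    current = parse_sysctl(text)
    return {
        key: (expected, current.get(key))
        for key, expected in baseline.items()
        if current.get(key) != expected
    }


def remediation(findings):
    """sysctl.conf lines that would bring every finding to its hardened value."""
    return [f"{key}={expected}" for key, (expected, _) in sorted(findings.items())]


if __name__ == "__main__":
    findings = audit(SAMPLE_SYSCTL_A)
    for key, (expected, actual) in findings.items():
        print(f"{key}: is {actual!r}, should be {expected}")
    print("\n".join(remediation(findings)))
```

Run against the sample it reports the five redirect and broadcast-echo settings as deviating; run against the sysctl.conf block above it reports nothing, which makes the script usable as a quick post-reboot check that the file was actually applied.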

FairPlay is Apple’s Digital Rights Management (DRM) technology used to protect music files bought from the iTunes Music Store. Files purchased through the iTunes Music Store are digitally protected so they can only be played on the computer where they were purchased from, or any legal iPod attached to the system.

However, there’s a GPL-licensed program called Hymn which is able to remove this DRM protection from files purchased via iTMS (iTunes Music Store) with no quality loss. This little jewel can be downloaded from:

http://hymn-project.org

and it’s available both in source code and pre-compiled for Mac OS X and Windows.

Hymn requires an iPod to be attached to the system in order to extract the keys used to encrypt the music files’ content. Thus, the easiest way to use Hymn is attaching my iPod to my PowerBook, downloading Hymn’s binary image for Mac OS X from the web site, launching Hymn and then dropping the protected music files into it (Hymn sports a nice Cocoa interface).

A protected music file has a “.m4p” extension meaning the content is protected. When dropping a file with a “.m4p” extension into Hymn, the file will be decrypted and a corresponding, unprotected “.m4a” file will be stored at the same location. This new “.m4a” file can be played on any system which supports the AAC encoding audio format. Any Mac OS X computer or iPod will do.

It is possible to use several e-mail addresses for a single mail account in Mail.app. This can be very useful, for example, when using the new Aliases feature present in .Mac, or else when using different addresses multiplexed on the same account (e.g. aaa@domain.com, bbb@domain.com).

To assign multiple e-mail addresses to a single account, simply select that account in the Accounts tab of the Preferences Pane and enter all the e-mail addresses separated by commas in the “Email Address” field. Once the changes are saved, you’ll be able to choose among all addresses when composing a new mail by selecting the desired one from the “Account” drop-down box.

Basically, OS X LaunchServices is how an application is found to run when you double-click on a document. If the program is in /Applications, or you launch it at least once, then LaunchServices should detect it. LaunchServices contains a big, long list of all the Applications, and which ones accept documents of which type. So if you have an Application that is not “registering” correctly with LaunchServices, how do you check its information? Try this in the Terminal:

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/\
Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump

You should be able to copy and paste that, thanks to the backslash. But if you can’t, just make it one long line with no added spaces. This command will list all LaunchServices information. The output will look something like this:

B00001572 APPL/ddsk Thu Aug 5 21:25:59 2004 DiskImageMounter.app
-pad----hn---s--A---- v76.4.0 DiskImageMounter
Contents/Resources/diskcopy.icns com.apple.DiskImageMounter
Contents/MacOS/DiskImageMounter 12556, 1728655, Mach-O
V00000008 /System/Library/CoreServices/DiskImageMounter.app

C00001344 NDIF disk image
viewer, default, apple, Contents/Resources/diskcopy-doc.icns
.ndif, 'dimg', 'hdro', 'rohd', 'hdcm'

C00001351 NDIF disk image segment
none, default, apple, Contents/Resources/diskcopy-doc.icns
.imgpart, 'dseg'

....

The B entries list the programs’ basic info (in this case, for DiskImageMounter.app). The C entries below that show which file types the program will accept, with both a description and a list of extensions. So there you have it: everything your machine knows about. But the question is … how do you clean out all the applications registered on unmounted DMG volumes which show at the end of the list?

In Mac OS X applications can be packaged as bundles (a directory tree, like Mail.app/) or as packages using “Installer” or the command line “installer” tool.

While bundles are easy to uninstall (by dragging them to the Trash), packages are difficult to uninstall since Mac OS X doesn’t have a native uninstall facility (like the ones in GNU/Linux). Instead, the application package must supply an uninstaller. Some packages don’t provide one, so how can we uninstall them?

The answer lies in “/Library/Receipts”, where every installed package creates a subdirectory with the same name as the package. For example, Fondu creates a receipt named “/Library/Receipts/Fondu-021223.pkg/”. Inside this receipt directory, we should be able to find a file with a “.bom” extension, which holds the list of files installed by the package. We can use the “lsbom” command-line tool to reveal what the contents of an installed package are. For example, to list the contents of the Fondu package:

# lsbom /Library/Receipts/Fondu-021223.pkg/Contents/Archive.bom
. 40755 501/20
./usr 40755 501/20
./usr/local 40755 501/20
./usr/local/bin 40755 501/20
./usr/local/bin/dfont2res 100755 501/20 22692 1924128762
./usr/local/bin/fondu 100755 501/20 80828 3987236398
./usr/local/bin/frombin 100755 501/20 26612 1252278923
./usr/local/bin/showfond 100755 501/20 48732 2572856512
./usr/local/bin/tobin 100755 501/20 34892 1234820618
./usr/local/bin/ufond 100755 501/20 96660 523810372
./usr/local/man 40755 501/20
./usr/local/man/man1 40755 501/20
./usr/local/man/man1/dfont2res.1 100644 501/20 599 1712045017
./usr/local/man/man1/fondu.1 100644 501/20 1677 2399414942
./usr/local/man/man1/frombin.1 100644 501/20 602 3676561646
./usr/local/man/man1/showfond.1 100644 501/20 568 2643007451
./usr/local/man/man1/tobin.1 100644 501/20 1315 3726043
./usr/local/man/man1/ufond.1 100644 501/20 1988 585312571

Using this list, we can manually remove the Fondu package by removing every listed entry. If it’s a file, it can be deleted, but if it’s a directory, we must be sure it’s empty and not being used by any other package.
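
As an added example (not from the original post), the following Python script turns an lsbom listing like the one above into a removal plan instead of deleting by hand: it parses each line (path, octal mode, uid/gid, and for files the size and cksum value), lists the files first, then walks the directories deepest-first and only marks a directory for removal when nothing else still lives in it. The “still in use” check runs against a snapshot of the paths present on disk, constructed here as the Fondu entries plus one unrelated tool in /usr/local/bin; in real use you would build that set with os.walk and turn the plan into rm/rmdir calls only after reviewing it.

```python
import posixpath

# The Fondu receipt listing from the post (columns: path, mode, uid/gid, size, cksum).
FONDU_BOM = """\
. 40755 501/20
./usr 40755 501/20
./usr/local 40755 501/20
./usr/local/bin 40755 501/20
./usr/local/bin/dfont2res 100755 501/20 22692 1924128762
./usr/local/bin/fondu 100755 501/20 80828 3987236398
./usr/local/bin/frombin 100755 501/20 26612 1252278923
./usr/local/bin/showfond 100755 501/20 48732 2572856512
./usr/local/bin/tobin 100755 501/20 34892 1234820618
./usr/local/bin/ufond 100755 501/20 96660 523810372
./usr/local/man 40755 501/20
./usr/local/man/man1 40755 501/20
./usr/local/man/man1/dfont2res.1 100644 501/20 599 1712045017
./usr/local/man/man1/fondu.1 100644 501/20 1677 2399414942
./usr/local/man/man1/frombin.1 100644 501/20 602 3676561646
./usr/local/man/man1/showfond.1 100644 501/20 568 2643007451
./usr/local/man/man1/tobin.1 100644 501/20 1315 3726043
./usr/local/man/man1/ufond.1 100644 501/20 1988 585312571
"""

S_IFMT, S_IFDIR = 0o170000, 0o040000  # file-type mask and directory bits of the mode column


def parse_lsbom(text):
    """Split an lsbom listing into files ({path: {mode, size, cksum}}) and a set of directories."""
    files, dirs = {}, set()
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or not fields[0].startswith("."):
            continue  # skip prompts, blank lines and anything that is not a BOM entry
        path, mode = fields[0], int(fields[1], 8)
        if mode & S_IFMT == S_IFDIR:
            dirs.add(path)
        else:
            files[path] = {
                "mode": mode & 0o7777,
                "size": int(fields[3]) if len(fields) > 3 else None,
                "cksum": fields[4] if len(fields) > 4 else None,  # cksum(1) value; compare before rm
            }
    return files, dirs


def absolute(rel, root="/"):
    """Map a BOM-relative path ('./usr/local') onto the install root."""
    return posixpath.normpath(posixpath.join(root, rel))


def snapshot_from_bom(text, extra=(), root="/"):
    """Constructed stand-in for an os.walk snapshot: every BOM path exists, plus 'extra'."""
    files, dirs = parse_lsbom(text)
    return {absolute(p, root) for p in list(files) + list(dirs)} | set(extra)


def plan_removal(text, existing, root="/"):
    """Return (files_to_delete, dirs_to_delete, dirs_to_keep).
    Directories come deepest-first so rmdir never meets a non-empty child, and a
    directory is kept whenever something outside this package still lives in it."""
    files, dirs = parse_lsbom(text)
    remaining = set(existing)
    files_to_delete = []
    for rel in sorted(files):
        ap = absolute(rel, root)
        if ap in remaining:
            files_to_delete.append(ap)
            remaining.discard(ap)
    dirs_to_delete, dirs_to_keep = [], []
    # sorted() is stable, so equal depths stay alphabetical after the depth sort
    for rel in sorted(sorted(dirs), key=lambda p: p.count("/"), reverse=True):
        ap = absolute(rel, root)
        if ap == absolute(".", root):
            continue  # never remove the install root itself
        if any(posixpath.dirname(p) == ap for p in remaining):
            dirs_to_keep.append(ap)
        else:
            dirs_to_delete.append(ap)
            remaining.discard(ap)
    return files_to_delete, dirs_to_delete, dirs_to_keep


if __name__ == "__main__":
    on_disk = snapshot_from_bom(FONDU_BOM, extra=["/usr/local/bin/other-tool"])
    rm, rmdir, keep = plan_removal(FONDU_BOM, on_disk)
    print("rm:", *rm, sep="\n  ")
    print("rmdir:", *rmdir, sep="\n  ")
    print("keep (still in use):", *keep, sep="\n  ")
```

With the unrelated tool present, the plan removes the twelve Fondu files and the two man directories but keeps /usr/local/bin, /usr/local and /usr, which is exactly the “empty and not used by any other package” rule above applied mechanically. The size and cksum columns are kept in the parsed record so a real run can refuse to delete a file that no longer matches what the package installed.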