The permissive mode exists mainly for testing. In this mode, the auditing mechanism generates notices (AVC Denials) about the action/event that was blocked, but without actually blocking that action/event. It is just a way to check what would have happened if SELinux had been running in enforcing mode. There are two ways to switch SELinux to permissive mode. One is to configure it through its configuration file (/etc/selinux/config on EL) to start in permissive mode on boot and the other is to use the aforementioned utility, setenforce, to switch modes while the system is live.

When performing tests on a live system, I usually take all precautions to minimize the risk of failure and usually, if possible, I am around to monitor the progress of the test. But, this time I had to use the custom SELinux policy for some days to see if it is actually effective or it needs further fine-tuning.

The Mistake: I used setenforce to set SELinux into permissive mode (/usr/sbin/setenforce 0). setenforce is for temporary changes and it is definitely not suitable for testing the policy for a long period of time. This is because if for any reason the system reboots, SELinux will be set back into the mode that is defined into its configuration file. The mode set by setenforce does not survive a reboot. So, if the custom policy happens to be incomplete, it will block the server’s normal operation after the reboot. And such reboots can happen…

This is exactly what I experienced yesterday. The datacenter on which my virtual server is hosted had problems with its main power supply. This caused one hour of downtime. But G-Loaded’s outage was a lot greater, because my custom SELinux policy was incomplete. SELinux was started in enforcing mode, so my faulty policy blocked my www service.

This should be a lesson to anyone who performs tests on live systems. The Right Thing™ was simple: boot the server into permissive mode and do as many tests as desired. I can blame the datacenter for the one-hour downtime, but for the 7-hour unavailability of G-Loaded I am the only one to blame.

Related Articles

• SELinux audit reports script
• Using a switch to prevent system shutdown/reboot/suspend
• Server upgraded to Fedora 6
• Use the Alternatives System to switch to a custom Firefox release
• How to integrate seaudit-report in logwatch

Two days ago, I decided to upgrade the program to the latest version and, during installation and without giving it much thought, I installed the application’s plugin system and a plugin called “Document Monitor” or something like that. This morning my system experienced another Notepad++ freeze, but this time a Virtual Machine, which run under VirtualBox, froze too. There was heavy disk I/O at that time. The virtual system was meant to be an RPM Build Server, so I re-deployed it just to be sure that everything was all right without risking any data loss during the freeze.

After that, I disabled Notepad++’s plugin system entirely and do not intend to use any of the plugins ever again. I continue to use the core editor, but I am also looking for alternatives. So far, PSpad (freeware) and TwistPad (commercial editor at a very reasonable price) are among the candidates. I mainly use a text editor for plain text and HTML documents, Python, PHP and BASH scripts. Any other suggestions are welcome and appreciated.

Related Articles

• Dictionary Lookups Anywhere
• Zim – a Desktop Wiki
• Best Practices of Software Licensing
• Break-Out-Of-Frames WordPress Plugin
• WordPress Meta Tags plugin stable release

All current certificate owners will be offered a free one-year digital certificate for email encryption/signing by Verisign. Renewals of those certificates will cost $19.95 per email address (at the time of writing), while using Thwate’s program you could just pay an initial fee in order to verify your identity and then get your name to appear on all your digital certificates that had been issued by that service for your email addresses.

Although I believe that taking back what you have given is usually either a sign of greed and irresponsibility or proof of bad planning, I do understand Thawte’s given reasons for such a decision:

[...] for the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require [...]

When it comes to secure authentication or digital identification, quality is not negotiable. On the other hand, what is questionable is the high price of the certificate renewals, which do not involve any kind of paperwork and could also require no human intervention at all, provided that the initial verification of the certificate owner’s identity and the renewal procedure itself are being done correctly.

I am quite certain that there are other Certificate Authorities that offer free email certificates or email certificate programs at reasonable prices, but I didn’t have the time to check. Perhaps, a reader who has done some research on this could contribute some info.

I’ll be posting about this topic again soon. Stay tuned!

Related Articles

• Root Certificate Programs – The root of all trust
• Be your own Certificate Authority (CA)
• High traffic on the email server
• Email Notifications from a Linux System
• Free Software Inc.

Second, but equally important, is the deletion of user accounts created automatically by bots. The characteristic of those accounts is that they have never posted any posts. All the advertising information existed in the user profile fields. After inspecting the database structure for a while, I deleted all the users with zero number of posts from the bb_users table using the following MySQL query:

DELETE FROM bb_users WHERE id IN (
  SELECT id FROM (
    SELECT DISTINCT(u.id)
    FROM bb_users AS u LEFT JOIN bb_posts AS p ON p.poster_id=u.id LEFT JOIN bb_usermeta AS m ON m.user_id=u.id
    WHERE m.meta_value LIKE "%\"member\"%" AND p.post_time IS NULL
  ) AS bb_non_posters
);

Then I deleted all the user metadata for non-existent users from the bb_usermeta table using the following query:

DELETE FROM bb_usermeta WHERE umeta_id IN (
  SELECT umeta_id FROM (
    SELECT m.umeta_id
    FROM bb_usermeta AS m LEFT JOIN bb_users AS u ON u.id=m.user_id
    WHERE u.id IS NULL
  ) AS bb_unlinked_meta
);

The above will eventually delete all user accounts and their meta data when no posts have been published by those users. That means that even legitimate users with no posts will be deleted, but such users are very rare. If your account has been deleted, please make a new one.

Normally, further clean up of the tags tables should be performed, but since those users hadn’t posted anything, it is very unlikely that they had created any tags, so I think the above are just enough.

Using the above queries I got rid of thousands of user accounts created by bots. Make sure you have backed up your database before attempting any manipulation of the data.

Related Articles

• Permanently remove deleted posts and topics in bbPress
• User management from the command line
• Lock out a user after N failed login attempts
• Bot-Allow-Content and CC-Configurator plugin updates
• bbPress for WordPress

I use the bike to move around in the city, go to the university, library, gym, etc. During the last five months, it had become a necessity. But there is one really big problem. It is impossible to keep it indoors. I have to leave it outside, in the wild.

Now, I have bought a new MTB. I really wouldn’t like it to be stolen again. That would make me extremely pissed off. During the last two weeks, I’ve read various articles about bicycle theft, about ways to properly protect a bike, et cetera. I even went out late one night, as if I was about to steal a bike, just trying to see things through a thief’s eyes and realize what the weaknesses of leaving a bike outdoors are.

I won’t be writing about any things you do not know already. A determined soul or a sophisticated thief will always get what he wants. There is nothing you can do about it. But, the good news is that sophisticated thieves are not really interested in bike theft, unless we are talking about a very expensive bike. On the other hand, a very expensive bike is very unlikely to be left outdoors at night. Sophisticated thieves are of course a problem, but not the real problem. The real problem in such cases is opportunist thieves. Usually, such thieves do not know whether the bike they have stolen is an expensive or a cheap one, whether it is in good condition or not, and they usually sell it for almost nothing afterwards. They are usually victims themselves. Junkies or people in great need for some money who would steal anything that is an easy target.

Below you will find a very small checklist with the things one should take into account in order to protect a bike which is left outside. These of course represent my own thoughts after evaluating all the things I’ve read and seen. If you can contribute to the list, be my guest. I will really appreciate it.

• Buy a real lock. Most of the locks I’ve seen in bike shops are not locks upon which you can rely for more than a few minutes. From what I’ve read, it is very easy even for opportunist thieves to bypass or destroy them and get your bike. I would say that 40-50 EUR should be the absolute minimum you should spend on a lock. Don’t waste your money on 10-15 EUR locks. Invest. Go to a motorcycle shop and buy the best lock you can afford. If you cannot afford a decent lock, buy a cheaper bike. It is (collectively) cheaper to upgrade your bike’s parts at a later time than to upgrade a lock. Opportunist thieves aim for easy targets. If they realize that the strength of the lock is beyond their abilities, they will not bother with your bike and go for an easier target. Of course, you should learn how to properly lock your bike. Even if you use the best of the locks, but attach the bike to a fixed object which is not reliable, then a thief would destroy the fixed object and get your bike. All locks can be opened. But some locks are a lot harder to be opened. Get a good lock and lock your bike wisely. It is the least you can do to protect it. I now use a lock from ABUS.
• A thief needs privacy. Do not give it to him. Locking up the bike in a shady corner may be an advantage for the thief as he will be able to work on the lock being unnoticed for a longer period of time. Make him feel uncomfortable with the spot at which you have locked your bike. Make him feel unsafe. A regular opportunist thief will not bother to steal the bike if he does not feel secure enough.

Of course, this list is not complete. There are many other things you can do to further protect the bike, but most of them really depend on the location and any other special conditions of the area you live in. Bike theft is a problem of all big cities. I will be glad to read your thoughts on what else should be done in order to protect a bike which is left outdoors at night.

Related Articles

• Operating Systems do not matter any more

Related Articles

• Adobe Reader 8 for Linux
• Creative Commons v3.0 Licenses Launched
• Evince instead of Adobe Reader in Linux
• Best Practices of Software Licensing
• Bot-Allow-Content and CC-Configurator plugin updates

shred: change default number of overwrites from 25 to 3

* src/shred.c: The concensus is that a default of 3
passes is appropriate for current drive technologies.
* src/TODO: Reference Paul Eggert's suggestion
of enhancing shred to conform to DoD 5220 rules.

I would like to publicly thank Pádraig for the feedback. There are times that the open source development model takes me by surprise.

Related Articles

• Software that detects violations of open source licenses

Refering to the myth, the author of the article writes:

One of the reasons behind this idea is that the positioning of a hard disk drive’s head is not precise enough to ensure that the data is overwritten with new information from the exact same byte.

A study, published on December 2008, claims that tests performed on both last and older generation hard drives have shown that recovering even a single byte of data after a complete overwrite is practically impossible.

Security researchers from Heise Security, who have reviewed the paper presented at last year’s edition of the International Conference on Information Systems Security (ICISS), explain that a single byte of data can be recovered with a 56 percent probability, but only if the head is positioned precisely eight times, which in itself has a probability of occurring of only 0.97%.

Since I was one of those who believed the statement about the multiple overwrites, I found the article very interesting. I haven’t read the study itself though.

Related Articles

• Partition Misalignment Slows Down 4096-Byte Sector Hard Disks
• Choosing a format for data backups – tar vs cpio
• Shred changes default number of passes to 3
• Build a single native kernel module
• The Complete Fedora Kernel Headers

One way to resolve the issue mentioned above is to inject our own authorization code into the relevant phase of the HTTP request processing. What this authorization code is going to do is to dynamically construct the path to the requested repository’s authz file, parse the authz file, determine the level of access the user may get in accordance to the HTTP request type and, finally, return an OK or an error code back to Apache.

Tonight I’ve spent several hours on this. Although, the appropriate approach would be to patch mod_authz_svn, I am not that excited about such an approach as I would need several days of hard work to modify an existing apache module. Instead, I have almost finished an authorization handler and an authz file parser (only basic syntax is supported), both written in python, which can be used by apache with the help of mod_python.

This is not finished yet. As you might have assumed I need this piece of code for Project CodeTRAX. Although, I had decided not to release anything related to that project until it is finished, I might make an exception and release this piece of python code in order to get some valuable feedback about if and how secure it is.

Related Articles

• Strange mod_dav_svn error
• Search for a string in multiple files
• A change of plans regarding a web-based VCS manager
• VeriTAR – Verify checksums of files within a TAR archive
• Optimize and Compress CSS Files

Note: in a previous post I had tried to implement a shutdown/reboot/suspend prevention switch using various inefficient methods. After receiving some pointers from members of the Linux-Greek-Users mailing list, I studied the initscript mechanism and wrote this solution. It has been tested on Fedora only and is released for Fedora and RedHat based linux distributions. I would appreciate feedback about its compatibility with Debian or Gentoo based systems.

Manual Installation

As user ‘root‘ follow the instructions to install the file in your initscripts directory:

cp delayed-shutdown /etc/init.d/
chmod +x /etc/init.d/delayed-shutdown

For RedHat and relatives run:

chkconfig --add delayed-shutdown

For Debian and relatives run:

update-rc.d delayed-shutdown defaults

Manual De-installation

If for any reason you need to remove ‘delayed-shutdown’ from your system do the following:

For RedHat and relatives run:

chkconfig --del delayed-shutdown

For Debian and relatives run:

update-rc.d -f delayed-shutdown remove

Delete the initscript:

rm /etc/init.d/delayed-shutdown

Usage

In order to delay the shutdown process until your software finishes its operation, you should create the no-shutdown lock file:

/var/lock/noshutdown.lock

Then let your software do its job and, when finished, delete the no-shutdown lock file. In case of a script that would be:

lockfile /var/lock/noshutdown.lock
... [script is working] ...
rm -f /var/lock/noshutdown.lock

Test

A test script, test.sh, is included in the distribution package. In order perform a test, do the following:

• Make sure you have installed the delayed-shutdown initscript as described in the “installation section.
• Run test.sh: ./test.sh &
• Reboot or shutdown the machine

Test.sh will acquire the lock, sleep in the background for 90 seconds and then release the lock. The shutdown/reboot procedure will continue after the lock has been released.

Download

All versions of the software, including the latest stable release, are available from the development web site’s download area.

Misc

The initscript delayed-shutdown is released under the terms of the MIT license.

Related Articles

• Using a switch to prevent system shutdown/reboot/suspend
• Redmine deployment delayed
• Using setenforce to switch SELinux mode wisely
• Lock out a user after N failed login attempts
• Xen DomU using dynamic IP and hostname