List Feeds : Best linux blogs and sites


      Fabian Arrotin: CentOS and Fosdem 2009 (Planet CentOS)   4 h, 34 min and 13 secs ago

Hi folks .. just to confirm that some members of the CentOS crew will be present for the next Fosdem event in Belgium. We’ll (as usual) have a dedicated booth and share the DevRoom with our friends of Fedora. If you want to come and talk, feel free to drop at the booth and/or attend one of the presentations. If you want to participate (at the booth and/or Devroom) feel free to add your name to the list on the CentOS Wiki : http://wiki.centos.org/Events/Fosdem2009 . More details on that wiki page in the following weeks.



      Roundup of Vim Articles (All about Linux)   13 h, 6 min and 28 secs ago
Here are Six articles on Vim which have been widely read by the visitors to this blog. These articles on Vim will surely motivate you to try out this powerful text editor.

      Fedora 10 released with engaging new features (All about Linux)   4 d and 8 h ago
Fedora 10 codenamed "Cambridge" has been released. This new version of the community oriented, Red Hat backed Linux distribution comes with new features which enhance the end user experience. Read on ...

      Ralph Angenendt: Trouble understanding SELinux? (Planet CentOS)   4 d and 9 h ago
Yes, many people seem to have that, so you are not alone. When first confronted with that rather large and underdocumented framework, it also took me a while to not give up and then a bit more time to understand most of the basics. And with the lack of documentation it doesn’t really get easier.

Looks like someone at Red Hat had the same feeling and funded Murray McAllister to write The Security-Enhanced Linux User Guide. After skimming over it, it looks like it builds up on the SELinux policy which is in Fedora 9 and 10, which is a good step forward from the policy set in CentOS 5 (and let us not talk about CentOS 4). So not everything mentioned in that guide can be used directly on CentOS 5, but the basics are explained somewhat better than in the Deployment Guide.

So if you want to or have to work with SELinux for the first time this guide definitely is worth a read.

I just stumbled over this on Dan Walsh’s SELinux blog and thought I’d share it. This also has a plethora of SELinux knowledge in it.



      Links for 2008-11-26 [del.icio.us] (Yet Another Linux Blog)   4 d and 11 h ago


      Find Files & Directories Not Visible to Others for Webserver (Yet Another Linux Blog)   5 d and 20 h ago

I wanted a quick way to be able to find out what files weren’t visible to others (and therefore, not visible to website visitors).  Messing with arguments and the file command, you can do the following:

find -type f ! -perm -444

This locates all files not visible to ‘others’ in the current directory.  You can apply this to directories as well:

find -type d ! -perm -111

Hope this helps people like it helped me.

View original post | Add to del.icio.us | Share
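An added example, not part of the original post: it contrasts a test on all three read bits (`-perm -444`) with a test on the "other" class alone (`-perm -004` for files, `-perm -001` for directories), and prunes directories that "others" cannot enter. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample tree are constructed for illustration.

# Broad test: regular files missing ANY of the owner/group/other read bits.
flag_any_read_missing() {
  (cd "$1" && find . -type f ! -perm -444 | sort)
}

# 'Other' class only: files without o+r, plus directories without o+x.
# A directory lacking o+x is reported once and pruned, since nothing beneath
# it is reachable by "others" whatever the modes of the files inside.
flag_hidden_from_others() {
  (cd "$1" && find . \( -type d ! -perm -001 -prune -print \) \
                  -o \( -type f ! -perm -004 -print \) | sort)
}

# Build a small constructed document root and print its path.
make_sample_tree() {
  root=$(mktemp -d) || return 1
  site="$root/site"
  mkdir -p "$site/pub" "$site/private"
  for f in index.html odd.html secret.conf pub/a.txt private/report.html; do
    : > "$site/$f"
  done
  chmod 644 "$site/index.html" "$site/pub/a.txt" "$site/private/report.html"
  chmod 604 "$site/odd.html"      # others CAN read; only the group bit is missing
  chmod 640 "$site/secret.conf"   # others cannot read
  chmod 755 "$site" "$site/pub"
  chmod 750 "$site/private"       # others cannot enter, so report.html is unreachable
  printf '%s\n' "$site"
}

site=$(make_sample_tree)
echo "files missing any read bit (-perm -444):"
flag_any_read_missing "$site"
echo "hidden from 'others' (o+r on files, o+x on directories):"
flag_hidden_from_others "$site"
rm -rf "$(dirname "$site")"
```

Both functions look at mode bits only, from the starting directory downward; parent directories above it, ACLs and SELinux labels are not considered.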

      Call to the Linux Community (Yet Another Linux Blog)   6 d and 15 h ago

Demasiado Personal writes

“There’s a game studio made by only two people, that released an excellent game for Windows, called World of Goo. I recently saw that the piracy on this game is over 95%, and it’s only a 20 dollars game.”

The blog brings up another valid point

“Now, the fun begins. Some of you will ask, what does this have to do with Linux anyway? Easy to answer. Lately this programmers are working in a Linux native port, and that gives us an amazing opportunity.  Imagine for a moment what would happen if Linux users bought more original copies than Windows users. I can answer what could happen. Those innovative programmers will make next game for Linux, and not Windows.”

So if you can afford 20 Dollars for an Award Winning game that will provide hours of entertainment, let your MONEY do the talking for you :)  After all, these guys won awards with a fantastic game and are taking the time to port it to Linux…I think of it as a donation…and if Linux sells more than Windows, it may show validity for Linux as a platform!  The Linux version is currently in Beta, but your 20 dollars will get you access to the Beta AND the release when it is made ready.

World of Goo Trailer 2 Director’s Cut
Uploaded by 2dboy

      Links for 2008-11-21 [del.icio.us] (Yet Another Linux Blog)   9 d and 11 h ago


      Links for 2008-11-20 [del.icio.us] (Yet Another Linux Blog)   10 d and 11 h ago


      Fabian Arrotin: CentOS vs Microsoft … hmm in a uptime comparison (Planet CentOS)   10 d and 19 h ago

I just discovered a small “homepage uptime benchmark” done by Pingdom. They compared Corporate Linux and Community Linux distros homepage uptime versus Apple and Microsoft .. what are the results ?

More information on their analysis page



      Links for 2008-11-19 [del.icio.us] (Yet Another Linux Blog)   11 d and 11 h ago


      Dag Wieërs: CentOS in the top500 supercomputers (Planet CentOS)   12 d and 17 h ago

Browsing through the top500 supercomputers list, I noticed that in the OS listing, 5 supercomputers are running specifically CentOS (1%) while 389 are running some sort of Linux (not specified).

From the Linux list undoubtedly more are using CentOS, but the remarkable fact is that this known 1% CentOS is the same amount as the 5 Windows supercomputers.

So if we assume from the 389 Linux supercomputers, more are using CentOS, CentOS outnumbers Windows for supercomputers. We simply don't know by what factor.

If only more organisations would be more specific to what exactly they are running.



      Read & Display Single Line of a File (Yet Another Linux Blog)   12 d and 19 h ago

Sometimes when I’m troubleshooting a PHP error and a function is called in the debugger that gives me a line number of a file to look at, I want to know what that line says without opening up the file.  Using the command line, you can accomplish this in the following way:

head -n 96 filename.php | tail -n 1

This allows you to quickly display the 96th line of filename.php. Hope this helps someone like it has me.

      Links for 2008-11-17 [del.icio.us] (Yet Another Linux Blog)   13 d and 11 h ago


      Jim Perrin: How far should we take automation? (Planet CentOS)   13 d and 13 h ago

It’s a given that the world population is growing. It’s also a given that the world economy is currently slowing.  This overall slowing of the economy is triggering job cuts across many levels of industry, and IT is at the heart of many such trimmings. When IT itself is not being cut, the IT professionals are often tasked with finding ways to make things more efficient or to automate various processes so that other positions can be cut. Just how deep should these cuts go, and should IT professionals get any say in the matter? A speaker from Cisco once said that Linux was the lens through which he found the flaws in his networks.  I believe this metaphor can be carried further, and that IT as a whole exposes more about humanity than we realize.  With this in mind, just how far should we carry our automation endeavors?

Is it acceptable to script system management such that 3 admins are needed instead of 4? Should we automate a line of factory jobs to save the company some money, or increase shareholder profits?  Is making a product cheaper an acceptable reason to eliminate jobs?

How much responsibility does IT have in these actions, and how much responsibility should we take for them? Should we seek out ways to trim down the company and take a ’survival of the fittest’ mentality, or do we seek out a way to preserve the jobs of those around us? Should we question the corporate officers who direct the action, or is our job simply to follow orders and let the company’s leadership decide what’s best?

From automotive plants and wall street offices to the California budget there are examples on both sides of the issue. Where do you stand, and do your actions correspond to your beliefs? I’m genuinely interested in how people feel about this one, so please take a moment and let me know what you think.



      Links for 2008-11-14 [del.icio.us] (Yet Another Linux Blog)   16 d and 11 h ago


      Russ Herrold: Behind Blue Eyes (Planet CentOS)   18 d and 0 h ago

Dateline: U.S. Department of Labor
The largest increases in initial claims for the week ending Nov. 1 were in Ohio (+3,885), Michigan (+2,619), Pennsylvania (+2,155), Wisconsin(+2,119) ...
-- UNEMPLOYMENT INSURANCE WEEKLY CLAIMS REPORT (week ending Nov. 8 2008)
A friend wrote:
All this proves is that when someone crosses a state line to register to vote it is just as easy to register for unemployment while you're at it.
I think it is probably much worse than that

It is easy enough for anyone to set up a (several!) new 'employers' and then walk away from them 8 weeks later with no individual financial responsibility for the 'tail' -- after all, we encourage formation of 'small business, the engine of economic growth' and barriers to entry should be small, right?

Unemployment benefits may be had at full rate for 6 months after 6 weeks employment at a given 'employer' if one is otherwise qualified; when an 'employer' goes out of business, the employees are eligible for benefits. Several telephone poles in central Ohio had signs, with differing phone numbers, for what appeared to be short term 'jobs' working to elect Obama and 'make Change'. I snapped a picture with my mobile device, and will see if I can find it for the exact text; I recall thinking at the time:
-- Don't the 'employee candidates' KNOW they will be let go the day after the election
Now, I think the answer is:
-- Sure -- indeed they were TOLD by the recruiter at the other end of the phone, that this was a way to get rid of a pesky 'termination for cause' {disqualifying} black mark which was keeping them from what they were 'entitled to'
As the One won, and 'We can do it!' if the system is properly 'gamed', I think there will be no investigations after Jan 20 to 'connect the dots', and the Lame One will just snooze out his term. 'No law will prevent it'

And so the Republic was lost. "Meet the new boss; same as the old boss"

      Fabian Arrotin: Spacewalk repository containing rpms signed with another key … (Planet CentOS)   18 d and 1 h ago

I was interested in testing Spacewalk on CentOS 5.2 .. in fact it was on my (already too long) TODO list . So I followed the instructions from the Spacewalk Wiki but it failed during the yum process : “Public key for asm-1.5.3-1jpp.ep1.1.el5.2.noarch.rpm is not installed”

Hmm, I imported both EPEL and Spacewalk rpm signing keys so I had a look at the key used to sign that package : “asm-1.5.3-1jpp.ep1.1.el5.2.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#37017186)”

Hey, that’s the Red Hat security team signing key ! Why was it used to sign a package in the Spacewalk repo ? I guess that it’s imported by default on RHEL5 but you have of course to import it (and first verify it of course) : see the key 37017186 on the http://www.redhat.com/security/team/key/

And now the fun begins ..



      Links for 2008-11-12 [del.icio.us] (Yet Another Linux Blog)   18 d and 11 h ago


      Karanbir Singh: Now twittering (Planet CentOS)   18 d and 16 h ago

I might be the last person on this planet to join twitter, but sign up I have. And my username there is *drumroll* CentOS *drumroll*. And since people who read my blog might actually want to follow what's on there, here is a link to the feed CentOS on twitter.

First question though, how do I follow a search ? eg. I want to follow what everyone is saying about 'kung fu dancing' ? I hate to need to now *also* look at a rss reader to keep track of stuff on http://search.twitter.com/

- KB

Original post.



      Links for 2008-11-10 [del.icio.us] (Yet Another Linux Blog)   20 d and 11 h ago


      Russ Herrold: rpm -import of GPG keys, revisited (Planet CentOS)   20 d and 23 h ago



Okay, I guess I covered too much too fast last time I discussed adding a signing key to RPM. Let's do it again with more annotation and color commentary.

The RPM package manager (see: the old RPM.ORG website, which I maintained as 'rpm.org' for several years; JBJ's 'way forward' for RPM development site; and the rather sparse, intentionally stale, and to me useless site controlled by and populated to suit the Red Hat corporate agenda -- details of the fork in RPM are out of scope here) has the capability to verify through strong cryptography that a package is intact, and is counter-signed by a person in possession of both halves of an asymmetric public and private keypair. Assuming that reasonable care (where 'reasonable' is a very large and paranoid number) is used to protect the confidential nature of the private half, the chances of a successful substitution are vanishingly small.

Anyone can examine and inventory the keys in RPM's trusted keystore. The process of additions, changes, and deletions of keys is an operation requiring root level privileges, and so assuming a machine can be trusted (both network level and local physical level attacks need to be considered)

Enumerate the keys present:

$ rpm -qa gpg\*

Examine a specific key:

$ rpm -qi gpg-pubkey-e8562897-459f07a4

If we know or can determine the 'fingerprint' of the public half of a signing key, and if that key has been placed at a public keyserver, we can retrieve it, examine it, or even directly import it. For the sake of this example, we again consider the Raw Hide SRPM signing key (with the re-organizations over time, Red Hat presently signs Raw Hide content with key: 0x4F2A6FD2 which the MIT keyserver identifies thus)

The CGI query on the link above used the 'op=index' modifier; the next uses the 'op=get' -- one assumes 'op' is shorthand for the type of query operation made -- terse, or key-bearing. In any event, we retrieve the key into a local file thus:

$ wget -O fedora-key "http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4F2A6FD2"

and then may examine it with the conventional 'nix tools:

$ less fedora-key
<title>Public Key Server -- Get ``0x4F2A6FD2
''</title><p>
<h1>Public Key Server -- Get ``0x4F2A6FD2
''</h1><p>
<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Key Server 0.9.6

mQGiBD+dnTsRBACwnlz4AhctOLlVBAsq+RaU82nb5P3bD1YJJpsAce1Ckd2sBUOJ
D11NUCqH8c7EctOquOZ5zTcWxHiWWbLyKQwUw2SUvnWa5SSbi8kI8q9MTPsPvhwt
... snip ...
r/T7zLrJeiljDxvX+6TyawyWQngF6v1Hq6FRV0O0bOp9Npt5zqCbDGs/iE4EGBEC
AAYFAj+dnTwAEgkQtEJp0E8qb9IHZUdQRwABAf/+AJwNVicN6A0I7EOfWx50PDHD
7SHw5wCfUJkeh/XlCrGdPASe/AXZB44jl2c=
=aXEw
-----END PGP PUBLIC KEY BLOCK-----
</pre>

The important thing to notice, amid the HTML markup, is that the key is 'armoured text' well set off with start and end markers, so that GnuPG (and also RPM) may pick the key out of the chaff.

We discussed previously the chain of steps we used to decide that the key was authentic, and worthy of trust; as such we do not repeat them here.

Then, using the 'sudo' command to temporarily attain 'root' rights for the importation step, we can insert (import into the RPM database) the locally checked key:

$ sudo rpm --import fedora-key

Or, assuming that we will do a post-insertion check, we can do the import directly from the keyserver:

$ sudo rpm --import "http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4F2A6FD2"

Then we can re-inventory keys, and see the new one present, and the full name under which it may be found; part of the name is, conveniently, the 'fingerprint' of that key.

$ rpm -qa gpg\*
$ rpm -qi gpg-pubkey-4f2a6fd2-3fcdf8c9

Hopefully this clears things up a bit.

View original post | Add to del.icio.us | Share
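An added example, not the post author's code: it pulls the single armored block out of an HTML-wrapped keyserver reply like the one shown above and checks, after import, that a `gpg-pubkey-*` package name carries the expected key ID. The function names and the sample reply are constructed; since the key is fetched over plain HTTP and the package name holds only the last 8 hex digits of the key ID, the fingerprint comparison noted in the comments still has to be done before import.

```shell
#!/bin/sh
# Added example: helper names and the sample response are constructed for illustration.

# Print the single armored public-key block from a keyserver HTML response.
# Fails (non-zero) unless exactly one complete block is present.
extract_armor() {
  awk '
    /^-----BEGIN PGP PUBLIC KEY BLOCK-----/ { begins++; inblk = 1 }
    inblk { print }
    /^-----END PGP PUBLIC KEY BLOCK-----/   { if (inblk) ends++; inblk = 0 }
    END { exit !(begins == 1 && ends == 1) }
  ' "$1"
}

# Reduce a key ID or full fingerprint (0x prefix, spaces, upper case allowed)
# to the 8 lower-case hex digits rpm uses in the gpg-pubkey package version.
short_keyid() {
  printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'A-F' 'a-f' | tail -c 8
}

# gpg-pubkey-4f2a6fd2-3fcdf8c9 -> 4f2a6fd2 (empty output if the name is malformed)
keyid_from_pkg() {
  printf '%s\n' "$1" | sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-[0-9a-f]\{8\}$/\1/p'
}

# Post-import check: does the installed pseudo-package carry the expected key ID?
keyid_matches() {
  want=$(short_keyid "$1")
  got=$(keyid_from_pkg "$2")
  [ -n "$got" ] && [ "$want" = "$got" ]
}

# Constructed stand-in for the keyserver reply (placeholder body, not a real key).
make_sample_response() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
<title>Public Key Server -- Get ``0x4F2A6FD2''</title><p>
<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: constructed-sample

UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
</pre>
EOF
  printf '%s\n' "$f"
}

resp=$(make_sample_response)
extract_armor "$resp" > "$resp.asc" && echo "armor block extracted to $resp.asc"
# On a real key, inspect before importing, e.g.:
#   gpg --show-keys --with-fingerprint "$resp.asc"   (recent GnuPG 2.2 releases)
# compare the full fingerprint with one obtained out of band, then:
#   sudo rpm --import "$resp.asc"
for pkg in gpg-pubkey-4f2a6fd2-3fcdf8c9 gpg-pubkey-e8562897-459f07a4; do
  if keyid_matches 0x4F2A6FD2 "$pkg"; then echo "$pkg: expected key ID"
  else echo "$pkg: different key"; fi
done
rm -f "$resp" "$resp.asc"
```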

      2.4.37-rc2: 2.4 prepatch (The Linux Kernel Archives)   21 d and 18 h ago
The latest prepatch for the 2.4 Linux kernel tree is:  2.4.37-rc2 2008-11-09 23:10 UTC


      Links for 2008-11-08 [del.icio.us] (Yet Another Linux Blog)   22 d and 11 h ago


      Jim Perrin: Nagios Security Updates (Planet CentOS)   22 d and 15 h ago

While most shops keep their nagios installs protected, folks with a publicly available nagios instance should update as soon as possible. There’s an interesting pair of security vulnerabilities which admins should be aware of. The first allows for users to submit commands to cmd.cgi that they would not ordinarily have permission to submit. This is basically a privilege escalation issue and its severity depends on who has access to your nagios instance, and just how disgruntled they are.

The second is the more serious of the issues, and was described best by Andreas Ericsson, a major nagios contributor.  Quoting from Andreas:

Nagios CGI's are vulnerable to a Cross Site Request Forgery attack (csrf). A CSRF attack requires a couple of things for it to work, and it relies on the web's abilities (or rather, the browser's abilities) of posting form-data to a site which is other than that of the site presenting the form.

Here's how it works: Unsuspecting Nagios Admin (UNA from now on) logs on to the Nagios server and checks the status of his/her network. Since everything's ok, UNA decides to leisurely browse evilsite.com, controlled by Dr Evil. On evilsite.com, there's a page containing a bog-standard web form, but with some hidden variables and an 'action' tag that points to UNA's cmd.cgi on UNA's Nagios server. When UNA submits the form, Dr Evil has all of a sudden sent data of his/her choice to the responding page on UNA's site.

It's important to note that UNA's browser is being used, as it leads to a couple of interesting things:

* UNA sees the output from cmd.cgi. It's never sent to evilsite.com, which can only guess if the attack was successful or not.
* Firewalls can not be used to defend against this, as UNA requires access to the Nagios server in order to work.
* Cookies can't be used either, as they are helpfully sent to the Nagios server whenever the browser loads a page from it.

Why is this bad, then? Well, it's not so evil in itself, and the most horrible thing that it should have led to was Dr Evil being able to enable / disable notifications or stuff like that, but in Nagios 3 we gained the ability to change checkcommand arguments and suchlike, which, combined with the csrf above, ultimately led to Dr Evil being able to run any command of his/her (who says girls can't be evil?) choice on UNA's precious Nagios server as the Nagios user.

So what's the remedy? Well, a proper remedy is to implement in-form session tokens, which makes sure that the form submitted by the user came from the site we would like it to have come from (namely our humble selves). I'm working on that right now, and hope to have it done by this afternoon. It's been loads of fun implementing that in super-paranoid C, by the way.

In the mean-time, we've blocked use of the CHANGE_ commands from the CGI's, and also made sure that multiple commands can't be submitted as one (fe by using comments with newlines). This interim remedy brings the worst-case scenario down from remote command execution to a more prank-like level (acknowledging problems, adding or deleting comments, etc, etc).

A couple of things to note:

* Information disclosure is not possible. No remote user can see anything from your authentication-protected Nagios servers.
* Invalid commands read from the FIFO are always dropped flat by Nagios.
* Since commands must be valid, it's not very easy to submit a command that has all the information required. Social engineering is required.
* You *will* notice if this happens to you, since you all of a sudden will end up with cmd.cgi (not in a frame either) saying "Command submitted successfully" or some such.

For the full details of this, you can follow the thread here. Mostly, if you’re currently using nagios 3, you should update.


