Auth issues

Sitting on an almost well configured host, I experienced some authentication issues the last few days…

So for example I’m using xtrlock as my default X locking mechanism, but if I try to run it on this machine I get the following error:

/tmp % xtrlock
password entry has no pwd
1 /tmp %

Mmh, that is crap. My workaround to temporarily avoid this problem: connecting to another host via SSH and running xtrlock within a GNU screen session ;-) But that’s no long-term solution… So I started debugging. First of all I grabbed the sources from the apt repository and searched for this error message. It turned out to be this piece of code (beginning with line 94 of xtrlock.c):

errno=0;  pw= getpwuid(getuid());
  if (!pw) { perror("password entry for uid not found"); exit(1); }
#ifdef SHADOW_PWD
  sp = getspnam(pw->pw_name);
  if (sp)
    pw->pw_passwd = sp->sp_pwdp;
  endspent();
#endif

  /* logically, if we need to do the following then the same 
     applies to being installed setgid shadow.  
     we do this first, because of a bug in linux. --jdamery */
  setgid(getgid());
  /* we can be installed setuid root to support shadow passwords,
     and we don't need root privileges any longer.  --marekm */
  setuid(getuid());

  if (strlen(pw->pw_passwd) < 13) {
    fputs("password entry has no pwd\n",stderr); exit(1);
  }

OK, it seems that the provided password (hash) is shorter than 13 characters… Debugging further: the content of pw comes from getpwuid(getuid()) and seems to be OK (it matches my user’s profile as it can be found in /etc/passwd). At this time (line 1) pw->pw_passwd contains only a single x; more information can’t be retrieved from the passwd file. Next the code checks whether SHADOW_PWD is defined, meaning whether we use an additional shadow file. Since that’s the case, this code is executed and the variable sp gets the broken-out fields of the record in the shadow password database that matches the username pw->pw_name (validated, my user). Checking this sp variable I recognized that it is null! So pw->pw_passwd won’t be updated and still contains the single x from the passwd entry… First I thought about a bug in the getspnam() function, such things might happen due to the Debian unstable release I’m using, but after some further thought I checked the shadow file itself:

/tmp % l /etc/shadow
-rw-r----- 1 root root 2673 Feb 16 15:49 /etc/shadow

In comparison with other systems with working xtrlock instances I figured out that this file shouldn’t only be owned by root. Instead the group has to be shadow! So here is the solution to this issue:

/tmp % chgrp shadow /etc/shadow

And everything is working fine again. Have no idea what or who changed the permissions for the shadow-file…
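The check the debugging above arrives at, as an added C example that is not part of xtrlock or of the original post: it classifies the mode and group of /etc/shadow against the shadow group and repeats the getspnam() lookup with errno reported. The enum and function names are made up for illustration; run without setgid-shadow privileges, getspnam() is expected to fail even on a healthy system, so the ownership line is the informative one.

```c
/* Added diagnostic sketch, not part of xtrlock. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum shadow_state { SHADOW_OK, SHADOW_WRONG_GROUP, SHADOW_NO_GROUP_READ,
                    SHADOW_WORLD_READABLE };

/* Judge the shadow file's mode and group against the expected shadow gid. */
enum shadow_state classify_shadow(mode_t mode, gid_t file_gid, gid_t shadow_gid)
{
    if (mode & S_IROTH) return SHADOW_WORLD_READABLE;       /* hashes readable by all */
    if (file_gid != shadow_gid) return SHADOW_WRONG_GROUP;  /* the case in the post */
    if (!(mode & S_IRGRP)) return SHADOW_NO_GROUP_READ;
    return SHADOW_OK;
}

/* The test xtrlock applies: a placeholder such as "x" is too short to be a hash. */
int looks_like_hash(const char *pw_passwd)
{
    return pw_passwd != NULL && strlen(pw_passwd) >= 13;
}

int main(void)
{
    static const char *msg[] = { "ok", "group is not shadow",
                                 "group has no read bit", "world-readable" };
    struct stat st;
    struct passwd *pw = getpwuid(getuid());
    struct group *gr = getgrnam("shadow");
    if (!pw || !gr) { fputs("no passwd entry or no shadow group\n", stderr); return 1; }
    if (stat("/etc/shadow", &st) != 0) { perror("/etc/shadow"); return 1; }
    printf("/etc/shadow: mode %04o, gid %d: %s\n", (unsigned)(st.st_mode & 07777),
           (int)st.st_gid, msg[classify_shadow(st.st_mode, st.st_gid, gr->gr_gid)]);

    errno = 0;
    struct spwd *sp = getspnam(pw->pw_name);  /* NULL if we may not read the file */
    if (!sp)
        printf("getspnam(%s): %s\n", pw->pw_name, errno ? strerror(errno) : "no entry");
    printf("usable hash: %s\n",
           looks_like_hash(sp ? sp->sp_pwdp : pw->pw_passwd) ? "yes" : "no");
    return 0;
}
```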


Update: By the way, afterwards I tried to use Xscreensaver instead of xtrlock, but I wasn’t able to unlock the screen when the shadow rights were wrong. The /var/log/auth.log held messages like these:

Feb 17 10:14:32 HOST xscreensaver: pam_unix(xscreensaver:auth): conversation failed
Feb 17 10:14:32 HOST xscreensaver: pam_unix(xscreensaver:auth): auth could not identify password for [USER]

But this is just for google-searchers ;-)

Open Source DNA

Yesterday I was a bit confused when I read this tweet. Manu Sporny, founder and CEO of Digital Bazaar, announced in his blog that he has published his genome..

He sent some saliva to 23andme, they analyzed his DNA and provided his genetic code to him (let’s neglect the discussion whether data from 23andme-chips represent a fully sequenced genome..). This process is very smart and not expensive, so this part of his announcement is not spectacular. Lots of people are doing so.

The interesting part of this article: He published the results (roughly 1 million SNP markers) from 23andme as an open source project on github, licensed under CC0! So he has released all his rights to this data.

In general a very impressive step, he might be the first person who published his DNA under such a license. His intentions are more than exemplary, providing access to genetic data to everyone who wants to work with it, e.g. researchers.

So far, so good, but there are some disadvantages; he already dealt with some of them. For example, what if anybody uses this information against him? E.g. healthcare providers: they might deny him to avoid high costs because they detected some pre-existing conditions in his DNA. It may also affect employment and can lead to discrimination. His reaction:

I’ve thought long and hard about each of those questions and the many more that you ask yourself before publishing this sort of personal data. There are large privacy implications in doing this. However, speaking solely for myself, I think the benefits outweigh the drawbacks.

Very nice, but there are also some ugly implications he apparently didn’t think about! All these disadvantages don’t only affect himself, they may also affect relatives (children, parents, siblings..). Did they all agree with this publication?

I can’t see the advantages over an anonymous publication. Attach some demographic information like age, gender, educational background and everyone is satisfied. Then you don’t have to bear any consequences of bugs in your DNA.

With all due respect for his engagement, I think this step is not really sophisticated.

Valentine's Day

Yes, it’s that time again, Feb 14th.. It’s Valentine’s Day.

Don’t know who has told my wife, but now I have to do some love, uuurgh..

However, this one is for my little valentine:

'            01110000  01101111
            01101100011011100110
           1001011100110110001101
            10100001100101001000
              0001101110011101
                010111010001
                 1101000110
                   010101
                    1011
                     10                                   '

Love you soo much, of course! ;-)

PS. If you are able to catch one of these flower or praline sellers: beat the living daylights out of them!!

java.lang.OutOfMemoryError: Java heap space

I was just contacted concerning this Java memory problem, here is how you can get rid of it.

The amount of RAM for a Java application is limited by the JVM. To provide more memory to a single application you can start your Java process with two more parameters, like:

java -Xms1024m -Xmx1024m YOUR_JAVA_CALL

This allows Java to use up to 1024 MB. Here -Xms specifies the initial heap size, while -Xmx determines the maximum size. For machines with much more memory you might use g instead of m to set the size in gigabytes. So -Xmx10g limits the amount of RAM to 10 GB.

Of course it’s annoying to apply these parameters to all your Java runs, so to change this behavior user-wide, you may create an alias like:

alias java='java -Xms1024m -Xmx1024m'

or better: Tell it to the Java Plugin Control Panel! Using Xfce you can find this tool in your panel’s menu in the Settings section. Gnome users may look in System > Preferences. If you don’t want to move your mouse you can also run ControlPanel from your terminal. This opens a window; default parameters can be applied in the Java tab: click View… and add your parameters to the Runtime Parameters column. This tool afterwards writes something like the following line to $HOME/.java/deployment/deployment.properties:

deployment.javaws.jre.0.args=-Xmx9234m -Xms9234m

So advanced users craving for trouble may edit this file on their own :-P

MySQL upgrade failed

Still upgrading some of our servers from lenny to squeeze, I have now run into MySQL trouble…

While upgrading from the package mysql-server 5.0.51a-24+lenny5 -> 5.1.49-3 aptitude told me the following:

Setting up mysql-server-5.1 (5.1.49-3) ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld . . . . . . . . . . . . . . failed!
invoke-rc.d: initscript mysql, action "start" failed.
dpkg: error processing mysql-server-5.1 (--configure):
 subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of mysql-server:
 mysql-server depends on mysql-server-5.1; however:
  Package mysql-server-5.1 is not configured yet.
dpkg: error processing mysql-server (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 mysql-server-5.1
 mysql-server

Mmh, a look into the /var/log/syslog pointed to the following errors:

Feb 11 20:50:11 HOST /etc/init.d/mysql[13219]: 0 processes alive and '/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf ping' resulted in
Feb 11 20:50:11 HOST /etc/init.d/mysql[13219]: ^G/usr/bin/mysqladmin: connect to server at 'localhost' failed
Feb 11 20:50:11 HOST /etc/init.d/mysql[13219]: error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Feb 11 20:50:11 HOST /etc/init.d/mysql[13219]: Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!
Feb 11 20:50:11 HOST /etc/init.d/mysql[13219]:
[...]
Feb 11 20:50:59 HOST mysqld_safe: Starting mysqld daemon with databases from /var/lib/mysql
Feb 11 20:50:59 HOST mysqld: 110211 20:50:59 [Note] Plugin 'FEDERATED' is disabled.
Feb 11 20:50:59 HOST mysqld: /usr/sbin/mysqld: Table 'mysql.plugin' doesn't exist
Feb 11 20:50:59 HOST mysqld: 110211 20:50:59 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
Feb 11 20:50:59 HOST mysqld: 110211 20:50:59  InnoDB: Started; log sequence number 0 657837804
Feb 11 20:50:59 HOST mysqld: 110211 20:50:59 [ERROR] /usr/sbin/mysqld: unknown option '--skip-bdb'
Feb 11 20:50:59 HOST mysqld: 110211 20:50:59 [ERROR] Aborting
Feb 11 20:50:59 HOST mysqld:
Feb 11 20:50:59 HOST mysqld: 110211 20:50:59  InnoDB: Starting shutdown...
[...]
Feb 11 20:51:05 HOST mysqld: 110211 20:51:05  InnoDB: Shutdown completed; log sequence number 0 657837804
Feb 11 20:51:05 HOST mysqld: 110211 20:51:05 [Note] /usr/sbin/mysqld: Shutdown complete
Feb 11 20:51:05 HOST mysqld:
[...]
Feb 11 20:51:05 HOST mysqld_safe: mysqld from pid file /var/run/mysqld/mysqld.pid ended
Feb 11 20:51:14 HOST /etc/init.d/mysql[13584]: 0 processes alive and '/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf ping' resulted in
Feb 11 20:51:14 HOST /etc/init.d/mysql[13584]: ^G/usr/bin/mysqladmin: connect to server at 'localhost' failed
Feb 11 20:51:14 HOST /etc/init.d/mysql[13584]: error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Feb 11 20:51:14 HOST /etc/init.d/mysql[13584]: Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!
Feb 11 20:51:14 HOST /etc/init.d/mysql[13584]:

Many messages at once.. To make a long story short, the main problem is this line:

Feb 11 20:50:59 vs-inf-www mysqld: 110211 20:50:59 [ERROR] /usr/sbin/mysqld: unknown option '--skip-bdb'

So edit your /etc/mysql/my.cnf and comment out the following line (in my configuration it’s line 94):

skip-bdb

That’s it, retry to configure the new version and everything will turn out all right.



Martin Scharm
