July 26, 2004

Mismatch in disk geometries and fdisk problems

Thanks to Andy for figuring this one out. Sometimes when I get a PC to make into a firewall with two hard disks that are destined to be mirrored, I find that the geometry on one doesn’t match the geometry on the other according to fdisk, despite the drives being identical. As it turns out this has to do with Linux guessing the disk geometry by looking at the partition table, and is probably a result of a partition table made from DOS/Windows on one drive and not on the other. I dd if=/dev/zero of=/dev/hda bs=1k count=100 and repeat for the other drive, reboot, and then the geometries agree.

July 25, 2004

Updated: chrooted SFTP account recipes

This is an update on the earlier entry about chrooted SFTP-only accounts.

When reading the material at http://chrootssh.sourceforge.net/ I realized that it was actually applying to sshd, not to sftp-server, which I wasn’t overly fond of for whatever reason.

One note: I’m installing this on a RH 7.2 box, and I don’t believe I’m using an OpenSSH version with privilege separation (I’m using 3.1 patched against some bugs, probably whatever Fedora Legacy hands out). If you’re using privilege separation I’d look at a recent version of OpenSSH, as I read that versions prior to around October 2003’s (probably, based on the date of the post) don’t call PAM session modules as root, so chroot is impossible. Disabling privilege separation is always an option too, of course, just not one I’m fond of.

Also, side note: for my clients to use this, they’re going to need an SFTP client program. PSFTP, PuTTY’s SFTP client, is CLI. No good: clients need GUI, I’m sure. WinSCP, despite its name, seems to fit the bill: SFTP and public key authentication support. Decent interface too I think, though I’ve used it for all of two minutes.

From observing some debug output, I think that even if a service like SFTP is requested, any command= option for a key used to authenticate the user will override the request. In other words, even if the user is trying to use SFTP, any command specified in command= will get executed instead of sftp-server. I am pleased.

After talking with Andy for a bit, I decided I should patch sftp-server to know how to chroot itself. Patches like http://mail.incredimail.com/howto/openssh/addons/sftp-chroot.diff and http://www.coding-zone.com/chroot+sftp-server.patch have some ideas, but nothing quite like what I was looking for.

So I wrote a patch for a chrooting sftp-server. This patch is, as the name implies, made against OpenSSH 3.8.1p1. I hope it’s simple enough that it’ll be applicable to other versions without change, but I haven’t tested that. This makes an sftp-server that’ll chroot to whatever is given as its first argument (if anything; if no first argument, no chroot) then drop privileges. Basically what I do is build sftp-server with this patch, then install it setuid root as /usr/libexec/openssh/chroot-sftp-server. For each user: create an account, put no password on it (user can’t log in), create the SSH keys, use command=/usr/libexec/openssh/chroot-sftp-server /foo/bar where /foo/bar is where I want the user to be chrooted to, and voila. No chroot jail creation necessary. Do remember to make sure ~user/.ssh and all files contained within aren’t writable by the user (I make mine owned by root; but remember the user will probably need access to read the files).

One idea I had for modifying the patch is to make it ignore any arguments that match argv[0] or -c. By doing this you could set the user’s shell to /usr/libexec/openssh/chroot-sftp-server, then I think OpenSSH will run the command= with that, yielding something like: /usr/libexec/openssh/chroot-sftp-server -c /usr/libexec/openssh/chroot-sftp-server /foo/bar. I don’t know if making the user have an invalid shell adds particularly much security, though, and I think it is kind of ugly.

Update 2005-01-29: Just a quick note: don’t forget that chroot-sftp-server needs to be setuid root to use chroot(). I think I may have mentioned this earlier, but I ran into it again when setting this up. I am concerned (as I’m certain I have been before) about the security implications of making this SFTP server setuid root and 4511. It’s possible that I should restrict it to being executed by members of some sftp group or something like that. I’ll also note that I just applied the above patch cleanly to OpenSSH 3.9p1 without incident. I now have two servers using this patch.
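The sequence the patched sftp-server above has to get right (take the jail from its first argument, chroot, then drop privileges) as an added example; this is not the page’s patch or OpenSSH code, and the jail-safety check, the expected-owner parameter and the function names are assumptions of this example:

```c
#define _GNU_SOURCE             /* for setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* A jail is safe to chroot into only if it is an absolute path to a
 * directory owned by the expected owner (root in the page's setup) and not
 * writable by group or others; otherwise the jailed user could plant files
 * that a setuid-root process then trusts. Returns 1 if safe, else 0. */
int jail_is_safe(const char *jail, uid_t expected_owner)
{
    struct stat st;
    if (jail == NULL || jail[0] != '/')
        return 0;
    if (stat(jail, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != expected_owner || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}

/* chroot() needs root; chdir("/") afterwards is mandatory, otherwise the
 * process keeps a working directory outside the jail. A NULL jail means
 * "no chroot", as in the page's recipe. Returns 0 or -errno. */
int enter_jail(const char *jail)
{
    if (jail == NULL)
        return 0;
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -errno;
    return 0;
}

/* Drop to the invoking user in the only order that works: supplementary
 * groups (needs root), then gid, then uid; then verify the drop really
 * happened and that root cannot be regained. Returns 0 or -errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -EPERM;
    if (uid != 0 && setuid(0) == 0)   /* must fail after a real drop */
        return -EPERM;
    return 0;
}
```

In a setuid-root sftp-server this runs before any client request is parsed, with `drop_privileges(getuid(), getgid())` targeting the real ids sshd started the process with.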

July 24, 2004

Popping up the GNOME “Run Application” dialog from a script

So apparently there used to be a gnome-run command that would let you pop up the GNOME “Run Application” dialog. Then I guess this dialog got integrated into the panel, and then this program went away. On Gnome 2.6 (I think?) on FC2 there’s no obvious way to do this. I dug in gnome-panel sources a bit and found a CORBA interface… that I don’t know how to use. (Bonobo couldn’t find my desired component. I wonder if this interface is broken.) Then I looked at how Metacity did it and I made gnome-run.c. Compile it with something like gcc gnome-run.c -o gnome-run -L/usr/X11R6/lib -lX11. I then set Sawfish up to run that when I hit M-Esc and set up a matched window declaration for it that focuses it when it appears. All is well.

Shame on GNOME for making this so hard. I think I’m going to look at switching to KDE/Konsole later — with Sawfish as my WM still. Sawfish does rule.

July 7, 2004

Updated strongSwan userland RPM for use in FC2

Instead of just a spec file, I now have a whole strongSwan userland SRPM. This includes the patch that was missing with just the spec file, in addition to a little script I use to run GRE over IPsec.

July 2, 2004

Putting Visio diagrams into LyX/LaTeX

Today I was again faced with a need to put a Visio diagram into a LaTeX document via LyX. I’ve had this problem before, and I’ve worked it out, but I think I’ve always forgotten to write down how. (If I’m wrong, please give me a link to the entry where I wrote it down, by all means.)

On a side note, I tried using Dia but I just couldn’t bring myself to use it again. I’ve gotten the updated version from Dag or FC2 or whatever, compared to the relatively ancient version I used to be running in RH9, but I still can’t get used to it. I can’t seem to transform the rulers from metric into imperial units. I thought there was an option for this, but I can’t find it now. I’m also not sure if it has auto-routing connectors like Visio, but I think it does. Anyway, it generally didn’t seem as easy to use and the little diagram I quickly produced didn’t seem as pretty.

So back to Visio 2003 for me. Here’s how I got my Visio diagram into a LaTeX document through LyX. For starters, my document was only about 3″x3″ so it fit easily on the page. If you need a diagram that takes up the whole page, check on LyX’s site for tips, or maybe the LyX mailing list; I think I saw something about it. Moving on, first you probably want to clip the page size to encompass only your document. Go to File->Page Setup, then the Page Size tab, then “Size to fit drawing contents.” Hit OK and the page size should shrink to the exact size it needs to be. Now save this as a “Windows Metafile (.WMF)” file. WMF is apparently a vector graphics format, as is EPS. I arrived at the need for vector graphics when I wanted to have a graphic at 600 DPI so it would be suitable for printing, but then found that it wasn’t downsampled to whatever resolution LyX/LaTeX/dvips/whatever was using for printing or displaying in a PDF. Sigh.

Here’s the kind of weird part. There’s a libwmf for converting WMF to EPS (among other formats) but it didn’t work very well on my document. So I ended up using wmf2eps which is a Win32 application. Bizarre part: go into its help files and read about how you have to add a printer, and continue reading about how you have to go into the advanced options for the printer and change something or other to “Enhanced Postscript.” In Win2k, the exact setting for that last part is reached through the printer’s properties page, “Advanced” tab, “Printing Defaults” button at the bottom, “Advanced” button again at the bottom of that dialog, then Document Options->PostScript Options->PostScript Output Option from there, and select “Encapsulated PostScript (EPS).” If wmf2eps was running when you made this change, you may need to restart it (I did). Anyway, once you’ve got that set up and selected that “WMF2EPS” printer in wmf2eps, you can tell it to convert your WMF to EPS. This worked fine for me, and then I was able to include the EPS file in LyX. Don’t be super concerned if LyX makes it look like there’s some huge white border around the image: I saw this, but when I did a DVI preview of it (C-d in LyX) everything was right as rain.

wmf2eps (the Win32 application) might have some sort of registration limitation. I notice there’s a pause whenever I start it up. I can’t tell if it’s getting longer. I’m sure if I were to just read the documentation I could find out if there will be further penalties on me if I keep using it. Instead of going to all that trouble, next time I need to do this I’ll seriously consider looking at Adobe Illustrator, which I think I have lying around somewhere. I wouldn’t be surprised if it could open WMF, and I would be surprised if it couldn’t write out EPS.

Update: I tried Illustrator CS and it works like a charm for converting EMF generated by Visio 2003 into EPS. Based on these instructions for embedding an Adobe Illustrator file in LaTeX, I figured out I just needed to turn off thumbnails and set preview to none. (Don’t worry about the ‘version 6 compatibility’ thing there. Also, I had no real success exporting to EPS from File->Export->Adobe Illustrator EPS Legacy.)

Update 2: I have had some problems with going EPS->PDF in LyX. It uses epstopdf which, in FC2 at least, has some problems with Illustrator-generated EPS I guess. Really I suspect Illustrator PS has some problems that epstopdf doesn’t fix. The symptom was gs hanging around for like six minutes spinning the CPU with nothing in strace. Then I found a Debian teTeX bug report that talks about an apparently substitute/replacement program called a2ping. So I downloaded a2ping.pl from http://tug.ctan.org/tex-archive/graphics/a2ping/, stuffed it in my path, reconfigured LyX’s EPS->PDF translation to use it (slightly different command line: a2ping $$i pdf: $$o), and all was right. On a side note, I’ll also note that my old method of going through ps2pdfwr to get a good looking PDF may not be necessary nor working on my FC2 box. Now I just use LyX’s pdflatex output path and I get a nice looking PDF. Look at the curve at the bottom of your lowercase letter ‘T’ closely and make sure it doesn’t look screwed up, as happened with everything except pdflatex, I think.