How to fix security loophole in Gentoo


Security is an ongoing matter for all the open system. So it’s upto the guy who in charge of it and some company forces it too.In this article I will show you how you can fix the security hole in Gentoo.

Say you come to know that an security vulnarability has found on some particular and that software were loaded in your box.Here is how you can fix those:

bhaskar@bhaskar-laptop_15:03:56_Tue Jan 25:~> sudo glsa-check -f all
fixing 200812-12
fixing 200802-11
fixing 200705-23
fixing 200406-17
fixing 200804-13
fixing 200409-20
fixing 200708-01
fixing 200801-18
fixing 201001-04
fixing 201011-01
fixing 200909-11
fixing 200509-13
fixing 200612-16
fixing 200606-25
fixing 200405-22
fixing 200711-17
fixing 200510-19
fixing 201006-20
fixing 200602-08
fixing 200310-03
fixing 200506-16

….output is omitted for the sake of brevity, Yes,you spotted it right,glsa-check is an utility in Gentoo system to check security.Once it finished running then just run this command with different arguments; like below:

bhaskar@bhaskar-laptop_15:05:34_Tue Jan 25:~> sudo glsa-check -l affected
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

Now let me tell you that those alphabet in the left side within square bracket come with different colors. The A will be on normal white,the U will be green and the N in red.Important part to check how many N you have .

So,one tiny utility can do wonder,indeed.You can put it into the cron to run it periodically.

Hope this will help.



Gentoo : How to add USE flags permanently

As usual I was trying to update my Gentoo system (quite routine check) and found that emerge throwing some problem to me.Here is the output of that problem:

bhaskar@bhaskar-laptop_10:19:11_Thu Jan 13:~> sudo emerge --ask --verbose --newuse --deep --update world

These are the packages that would be merged, in order:

Calculating dependencies… done!

emerge: there are no ebuilds built with USE flags to satisfy “=dev-lang/php-5.3.5[gd]”.
!!! One of the following packages is required to complete your request:
– dev-lang/php-5.3.5 (Change USE: +gd)
(dependency required by “dev-lang/php-5.3.5” [ebuild])
(dependency required by “virtual/httpd-php-5.3” [ebuild])
(dependency required by “www-apps/dokuwiki-20091225c” [installed])
(dependency required by “@selected”)
(dependency required by “@world” [argument])

So it is complaining about some software need some specific flags to be set,otherwise it won’t allow you get past it.

Now in Gentoo you can set the USE flag for a particular software in the commandline itself with the emerge invoking the software.Clear?? If not then take a look at how you can:

bhaskar@bhaskar-laptop_10:39:43_Thu Jan 13:~> sudo USE="whatever_flag" emerge -av packagename

It will work fine! but the problem is with this method is that the USE flag contents are forget by the os once the execution of this command over!! .Means if the os try to update the same software second time it wouldn’t able to determine that it was compiled with some specific flags.

Now the solution to this problem can be cured like this: If not already present create a file called package.use in /etc/portage directory. Like below:

bhaskar@bhaskar-laptop_10:39:43_Thu Jan 13:~> ls -al /etc/portage
total 44
drwxr-xr-x 5 root root 4096 Jan 13 10:19 .
drwxr-xr-x 100 root root 4096 Jan 13 10:32 ..
-rw-r--r-- 1 root root 0 Dec 28 09:59 .keep_sys-apps_portage-0
drwxr-xr-x 2 root root 4096 Jun 14 2010 bin
-rw-r--r-- 1 root root 56 Nov 12 2009 modules
-rw-r--r-- 1 root root 14 Sep 22 08:34 package.keywords
-rw-r--r-- 1 root root 174 Jan 13 09:15 package.license
-rw-r--r-- 1 root root 22 Jan 13 08:09 package.mask
-rw-r--r-- 1 root root 62 Jan 13 08:09 package.provided
-rw-r--r-- 1 root root 50 Jan 13 10:19 package.use
drwxr-xr-x 2 root root 4096 Jun 14 2010 postsync.d
drwxr-xr-x 3 root root 4096 Jan 8 2010 savedconfig

Now whatever software you need to update with a special or particular flags ;those thing you put into this file like this:

bhaskar@bhaskar-laptop_10:47:49_Thu Jan 13:~> sudo cat /etc/portage/package.use
dev-db/sqlite extensions
dev-lang/php apache2 gd

Format of this file is packagename space flagname, which can be separated by spaces.Now once you have done that and try to update then it will smoothly do the thing for you.

Hope this will help.


MySQL : A little security tip

>In this article I am going to show you a little trick about MySQL ,which might help you to prevent some attack on production database server.Every MySQL server has a root user attached to it and for intruders it’s very easy to guess that and launch attack on it.

Here is how you can change the root user name for that MySQL server :

bhaskar@bhaskar-laptop_08:55:51_Thu Jan 13:~> sudo mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.1.51-log Gentoo Linux mysql-5.1.51

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>use mysql;
mysql> update user set password=PASSWORD("NEWPASSWORD") where
mysql> flush privileges;
mysql> quit

That’s all!!

Hope this will help.


Vi/Vim : Few mundane note about it

I am very much comfortable with vi/vim,because I ignore or lack of interest to learn Emacs(what a sin !!!!).Anyway I have been using it from the moment I started to working with open system years back.And I found vi/vim good enough for me to go ahead and do something productive.Specifically when I write script to enhance the systems and automate thing in the server and other places.You should glean over the resources section at the bottom of the post to know more.

I am going show your few very mundane trick to deal with vi/vim; oh yeah I do too…

#1 : Put the required thing in .exrc

When you install vi/vim it would not have all the facility you would like to have in it.Because it’s turned off.Now you can put the customized thing in this file so it can take effect when you fire the editor.You need to create this file in your home directory.It has got hell number of options available.My .exrc file looks like below:

1  se nu
3 se ai

Now you can put so many things in it ,those two entry is enough for me. And it suggest,the first one is for setting the line number and the second one is for autoindentation.You can put thing like set showmode,which show you the which mode you are in i.e insert or command et al. I would highly recommend you guys give a stab at it’s manual or online tutorial.

#2 : Encrypt file through vi/vim

Sound arcane? not worry I will explain it to you in a moment.On open system you can do same thing many ways,but the impact would be different.In this case,suppose you want password protect a file without going out of vi/vim then please follow:

You need to pass

vim -x filename

It will ask you for the key(which you might have created early),then please key in that key. Now second time it will ask you the same key to entered at the prompt below and you need to do that.Please see below:

bhaskar@bhaskar-laptop_10:57:49_Fri Jan 07:~> vim -x testencrypt

Now look at the bottom of the screen:

Now once I entered the key it will ask me to enter it again like below:

Once entered the same key the edition put me to the insert mode to enter the text. Ok,Once entered some text in it and save the file I am done with it.Now that particular file is encrypted with a specific key.Now it I try to open the file in vi/vim it will ask me to enter the key to get a view of that file like below:

Once I put the key it will open the file in that editor like below:

So ,I hope you got a clear picture about the encryption through vi/vim ,but having said that it is a very weak encryption ,please don’t depend on it.





Hope this will help.