tech stuff.

Archive for the ‘Linux’ Category

Ubuntu, systemd-resolved and DVE-2018-0001


I noticed that systemd is spamming syslog with:

Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

DVE-2018-0001 is a DNS violation entry describing captive-portal DNS servers that answer queries asking for DNSSEC (EDNS0 with the DO bit set) with NXDOMAIN instead of a real answer. The mitigation in Ubuntu's systemd-resolved treats every NXDOMAIN it receives as a possible instance of this and retries the transaction at the plain UDP feature level, i.e. without EDNS0 at all.

In practice this means one syslog entry every time a domain isn’t resolvable. This is surprising, so I dug further.

Ubuntu pulled in a pull request against upstream systemd that implements the DVE-2018-0001 mitigation in systemd-resolved. There is no knob to turn it off; the only case in which the downgrade is not attempted is DNSSEC strict mode.
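As an added example (not code from the post or from systemd), the following Python simulates the mitigation on the wire: it builds real DNS query packets with and without an EDNS0 OPT record, hands them to two constructed in-process servers, one well-behaved and one showing the DVE-2018-0001 behaviour, and applies resolved's rule of retrying once at the UDP feature level when the answer is NXDOMAIN. The zone data, the two server functions and the two-entry LEVELS list are assumptions made for the illustration; real resolved knows more feature levels, but for this case it clamps straight down to UDP.

```python
import struct

# Feature levels, highest first. Constructed for this example: real resolved has more
# levels (TCP, TLS, ...) but the DVE-2018-0001 path clamps directly to UDP.
LEVELS = ["UDP+EDNS0+DO", "UDP"]
NXDOMAIN = 3
OPT_TYPE = 41
DO_BIT = 0x8000

ZONE = {"example.com": "93.184.216.34"}   # constructed sample zone


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name starting at msg[off]; return (name, next offset)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(name, txid, level):
    """A-record query with RD set; above plain UDP an EDNS0 OPT RR with the DO bit is appended."""
    edns = level != "UDP"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    opt = b""
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0)
    return header + question + opt


def parse_query(msg):
    """Return (txid, qname, has_edns0) for a query built as above."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    off += 4                                                      # skip QTYPE/QCLASS
    has_edns = arcount > 0 and struct.unpack("!H", msg[off + 1:off + 3])[0] == OPT_TYPE
    return txid, name, has_edns


def build_response(txid, name, rcode, ip=None):
    """Minimal response: echoes the question, optionally one A record, and carries the RCODE."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b""
    if ip:
        # Owner name is a compression pointer to the question (0xC00C); TTL 60; 4-byte RDATA
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def rcode_of(response):
    return struct.unpack("!H", response[2:4])[0] & 0xF


def honest_server(query):
    """Answers from ZONE regardless of EDNS0; unknown names get a legitimate NXDOMAIN."""
    txid, name, _ = parse_query(query)
    ip = ZONE.get(name)
    return build_response(txid, name, 0 if ip else NXDOMAIN, ip)


def captive_portal_server(query):
    """The DVE-2018-0001 violation: any query carrying an OPT record is answered NXDOMAIN."""
    txid, name, has_edns = parse_query(query)
    if has_edns:
        return build_response(txid, name, NXDOMAIN)
    return honest_server(query)


def resolve(name, server):
    """Mirror the mitigation: on NXDOMAIN, log, drop to the next level and retry.
    Returns (final rcode, feature level of the final attempt, list of log lines)."""
    log = []
    for i, level in enumerate(LEVELS):
        rcode = rcode_of(server(build_query(name, 0x1000 + i, level)))
        if rcode != NXDOMAIN or i == len(LEVELS) - 1:
            return rcode, level, log
        log.append("Server returned error NXDOMAIN, mitigating potential DNS violation "
                   f"DVE-2018-0001, retrying transaction with reduced feature level {LEVELS[i + 1]}.")
```

Running resolve() for a name that genuinely does not exist shows the point of the post: the honest server says NXDOMAIN at both levels, the downgrade buys nothing, and the log line is emitted anyway, once per unresolvable name. Against the captive-portal server the same retry is what makes resolution work at all.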

As an aside, I feel like Ubuntu integrating unmerged upstream patches isn’t fair to systemd. I incorrectly assumed that it was systemd that was introducing these spammy log messages. Maybe they will eventually, but they haven’t yet.

I’m pretty sure it’s a terrible idea, but I enabled DNSSEC strict mode by setting DNSSEC=yes in /etc/systemd/resolved.conf. I’ll have to try to remember I did this in a few days when I can’t browse the web.

There’s a really good write-up at askubuntu.com of the underlying problem.

Written by Lee Verberne

2020-02-28 at 09:15

Posted in Linux


x509 hash changes in Ubuntu Oneiric


Did your commands with a custom -CApath stop working after upgrading to Oneiric? Mine did. It turns out Oneiric ships OpenSSL 1.0.0, which changed the subject hash algorithm used to name the symlinks that index certificates in a -CApath directory, so a directory hashed with an older OpenSSL is no longer found until it is rehashed. Look for a handy code snippet after the jump.
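As an added example, not the snippet the post refers to and not OpenSSL's own c_rehash, here is a Python rehash that creates links under both hash algorithms, so that clients built against either OpenSSL generation find the certificates in the directory. It assumes an `openssl` binary of at least 1.0.0 on PATH, which is the version that added the `-subject_hash_old` option; on older binaries only the new-style link is created.

```python
import os
import subprocess


def subject_hashes(cert_path):
    """Return the hashes OpenSSL looks for in a -CApath directory: new-style (1.0.0+) first,
    old-style (0.9.8) second. The old hash is omitted if this openssl lacks -subject_hash_old."""
    hashes = []
    for flag in ("-subject_hash", "-subject_hash_old"):
        proc = subprocess.run(["openssl", "x509", "-noout", flag, "-in", cert_path],
                              capture_output=True, text=True)
        if proc.returncode == 0:
            hashes.append(proc.stdout.strip())
    return hashes


def link_name(directory, h, target):
    """OpenSSL probes <hash>.0, <hash>.1, ... so colliding hashes need the next free suffix.
    Returns the existing link if one already points at `target`."""
    n = 0
    while True:
        candidate = os.path.join(directory, f"{h}.{n}")
        if not os.path.lexists(candidate):
            return candidate
        if os.path.islink(candidate) and os.readlink(candidate) == target:
            return candidate
        n += 1


def rehash_capath(directory):
    """Create the missing hash links for every .pem/.crt file in `directory`; idempotent.
    Returns the number of links created."""
    created = 0
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not entry.endswith((".pem", ".crt")) or os.path.islink(path):
            continue
        for h in subject_hashes(path):
            link = link_name(directory, h, entry)
            if not os.path.lexists(link):
                os.symlink(entry, link)   # relative target, so the directory can be moved
                created += 1
    return created
```

After running rehash_capath on the directory, `openssl verify -CApath <dir> <cert>` succeeds with either generation of OpenSSL, because each certificate is reachable under both hash names.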

Written by Lee Verberne

2011-11-10 at 17:27

Posted in Linux

scp and POSIX ACLs


scp doesn’t play well with POSIX filesystem ACLs, and as far as I can tell there’s nothing to be done about it.

The problem is that the receiving scp always calls open(2) with the mode the file had on the sending side. When the destination directory has a default ACL, the group bits of that mode are applied to the new file's mask entry rather than the default mask being inherited as-is, so a mode 644 file ends up with mask::r--, which caps every named user and group entry at read-only.

In my opinion, the correct way to do it would be to create the file without an explicit mode unless the -p command line option was used.  In fact, I would have thought that was the point of the -p flag.

This issue isn’t exclusive to ACLs, really.  It seems like it would cause problems with standard unix permissions as well.  Anyway, the only way around it seems to be changing the mode on the client side prior to the scp.  Bummer.

Note: I determined this by examining the version of OpenSSH distributed with Ubuntu Lucid, which is 5.3p1.  Please let me know if you’ve had a different experience.
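The mask behaviour described above, as an added example that is not part of the original post: a pure-Python model of the POSIX.1e creation rule (a new file starts from the directory's default ACL, and the mode handed to open(2) then restricts the user::, mask:: and other:: entries). It needs no ACL-enabled filesystem or setfacl; the directory ACL and the developers group are constructed sample data.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_bits(perms):
    """'rw-' -> 6"""
    return sum(PERM_BITS[c] for c in perms if c != "-")


def bits_to_perms(bits):
    """6 -> 'rw-'"""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl-style lines ('user::rwx', 'group:developers:rw-', 'mask::rwx') into
    (tag, qualifier, bits) tuples; comment and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms_to_bits(perms)))
    return entries


def acl_for_new_file(default_acl, mode):
    """POSIX.1e creation rule: start from the directory's default ACL, then AND the user::,
    mask:: (or group:: when there is no mask entry) and other:: entries with the owner,
    group and other bits of the mode passed to open(2). Named entries are copied unchanged."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    result = []
    for tag, qualifier, bits in default_acl:
        if tag == "user" and qualifier == "":
            bits &= owner
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            bits &= group
        elif tag == "other":
            bits &= other
        result.append((tag, qualifier, bits))
    return result


def effective_permissions(acl):
    """What each entry really grants (getfacl's '#effective:' view): the owning group and
    all named entries are limited by the mask; the owner, the mask itself and other are not."""
    mask = next((bits for tag, _, bits in acl if tag == "mask"), 7)
    unmasked = {("user", ""), ("mask", ""), ("other", "")}
    return {f"{tag}:{qualifier}": bits_to_perms(bits if (tag, qualifier) in unmasked else bits & mask)
            for tag, qualifier, bits in acl}


DESTINATION_DIR_DEFAULT_ACL = parse_acl("""
# constructed default ACL of the destination directory, as 'getfacl -d' would print it
user::rwx
group::rwx
group:developers:rw-
mask::rwx
other::r-x
""")


def scp_result(source_mode):
    """scp hands the source file's mode straight to open(2) on the receiving side, so the
    outcome depends only on that mode and the directory's default ACL."""
    return effective_permissions(acl_for_new_file(DESTINATION_DIR_DEFAULT_ACL, source_mode))
```

scp_result(0o644) yields mask::r-- and an effective r-- for group:developers even though the default mask was rwx; scp_result(0o664) is what the workaround in the post, changing the mode on the sending side first, gives you.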

Written by Lee Verberne

2011-07-07 at 13:21

Posted in Linux


Dell OMSA quick links


In my recent web scour, here are the most useful links for a minimal install of Open Manage Server Administrator to keep an eye on storage status.

Random Notes for OMSA & Dell Update Packages on CentOS 5:

  • Use the more recent OpenIPMI package from Dell’s yum repo
  • Dell Update Packages rely on libstdc++-33.i386 (which is documented) but also on libxml2.i386 and procmail (which are not)

Written by Lee Verberne

2011-03-14 at 13:44

Posted in Linux


Dell embraces and extends command line utilities


From Dell’s OMSA Manual:

Use the omreport -? command to get a list of the available commands for omreport.

Really, Dell?  You’ve decided to go another way on the whole CLI thing?  That’s cool, I’m sure there wasn’t any good reason every other Unix utility uses -h for help.  Oh wait…

# ./omreport -?
zsh: no matches found: -?
zsh: exit 1 ./omreport -?

Thanks Dell. What I needed was another special case in my life.

Written by Lee Verberne

2011-03-14 at 11:04

Posted in Linux


Fix your drifting pointer in GNOME


Plagued with a drifting pointer? I sure am.

For me this happens when I accidentally zoom using an accessibility “feature” in GNOME. Actually, it’s in Compiz and ambushes me when I accidentally hit Super (windows key) instead of Alt when resizing a window using the Alt+middle click+drag combination.

Compiz seems to be a little particular about getting the screen fully zoomed out again, but here’s a method that’s (so far) always reset the zoom without leaving me with a randomly drifting cursor.

To zoom out again, hold the super key and scroll down using your scroll wheel. I’m sure there’s a better way, but I don’t know it. Disabling zoom hotkeys in gconf-editor didn’t seem to work for me. If you’ve figured this out, please leave a comment!

Written by Lee Verberne

2011-01-04 at 12:47

Posted in Linux


ecryptfs mount options


I was having trouble tracking down the ecryptfs mount options that can be used to stop the mount.ecryptfs helper utility from prompting quite so much.  I tested this on Ubuntu 10.10.  ecryptfs_verbosity claims to be the option that I really want to change, but I couldn’t get this one working.

You can add these options to your /etc/fstab.  Their values are partially documented here: http://ecryptfs.sourceforge.net/README

Here’s what I added to my /etc/fstab to stop mount.ecryptfs from prompting for anything besides the password on Ubuntu 10.10:

/root/.crypto /root/crypto ecryptfs noauto,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n 0 0


Written by Lee Verberne

2010-11-05 at 14:56

Posted in Linux
