Unix



Okay, just did some playing around, and I now have wireshark/dumpcap configured to use a password from my user account. (This is to prevent someone from using a trojan running as you to sniff your packets, if you’ve set up dumpcap to run setuid root, or with linux capabilities.)

To start wireshark, I run:

$ sudo -g netcap /usr/bin/wireshark

This prompts me for my own password the first time I run it, then sudo credentials take effect for whatever policy you have set on your system.

Instructions for making this happen on Linux Mint 17.2:

0) Read all these instructions and make sure you understand them before actually running them. If you have any concerns about them, check with someone you trust. If you break your system, you get to keep both parts, etc.

1) Create a netcap group:

$ sudo addgroup netcap

*don’t add yourself to the group* — by default, you _don’t_ want to be in the netcap group.

2) You can either use sudoers or newgrp to acquire group netcap permissions. Here’s the sudoers way:

In /etc/sudoers.d, create a text file with no “~” or “.” in the name (for instance, “netcap”), and add a line like this:

scott ALL = (:netcap) /usr/bin/dumpcap, /usr/bin/wireshark

(Replace “scott” with your own username.)

This tells sudo that you may switch to the netcap group when running either dumpcap directly or wireshark.

3) Use Linux permissions to only allow users in the group “netcap” to run /usr/bin/dumpcap or /usr/bin/wireshark (for good measure):

$ cd /usr/bin
$ sudo chgrp netcap dumpcap wireshark
$ sudo chmod o-rwx dumpcap wireshark

4) Enable the necessary Linux capabilities on dumpcap:

$ sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

5) Double check that dumpcap is set up properly:

$ ls -l /usr/bin/dumpcap
-rwxr-x--- 1 root netcap 77080 Mar 10 2014 /usr/bin/dumpcap

$ getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

6) Finally, make sure it works:

$ sudo -g netcap /usr/bin/wireshark

Note:

You could also make dumpcap setuid root, but that’s overkill, and not recommended. wireshark uses dumpcap to access interfaces, so wireshark doesn’t require any special permissions on its own. DON’T RUN WIRESHARK AS ROOT.
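Here is an audit script for the setup above. It is an added example, not part of the original instructions: the function names are made up for illustration, `stat -c` assumes GNU coreutils, and the capability check accepts both the older `path = caps+eip` and the newer `path caps=eip` getcap output formats.

```sh
#!/bin/sh
# Added example: verify the dumpcap/netcap setup from steps 1-5.
# The three checks take plain strings so they can be tried on sample input.

# mode_ok OCTAL_MODE: group may execute, "other" has no access, no setuid bit.
mode_ok() {
    case "$1" in
        ???)  special=0;        perms=$1 ;;
        ????) special=${1%???}; perms=${1#?} ;;
        *)    return 1 ;;
    esac
    other=${perms#??}
    group=${perms#?}; group=${group%?}
    [ "$special" = 0 ] || return 1      # rejects setuid/setgid/sticky
    [ "$other" = 0 ] || return 1        # chmod o-rwx was applied
    case "$group" in 1|3|5|7) return 0 ;; *) return 1 ;; esac
}

# caps_ok GETCAP_LINE: exactly cap_net_admin and cap_net_raw, nothing more.
caps_ok() {
    list=$(printf '%s\n' "${1#* }" | grep -o 'cap_[a-z_]*' | sort -u | tr '\n' ' ')
    [ "$list" = "cap_net_admin cap_net_raw " ]
}

# in_group "GROUP LIST" NAME: true if NAME is one of the listed groups.
in_group() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# audit_dumpcap [BINARY] [GROUP]: run every check against the live system.
audit_dumpcap() {
    bin=${1:-/usr/bin/dumpcap}; grp=${2:-netcap}; rc=0
    [ "$(stat -c %G "$bin")" = "$grp" ] || { echo "FAIL: $bin is not group $grp"; rc=1; }
    mode_ok "$(stat -c %a "$bin")"      || { echo "FAIL: bad mode on $bin"; rc=1; }
    caps_ok "$(getcap "$bin")"          || { echo "FAIL: unexpected capabilities"; rc=1; }
    # Membership in the group would let any process running as you skip sudo.
    if in_group "$(id -Gn)" "$grp"; then
        echo "FAIL: you are in $grp, so the password prompt is bypassed"; rc=1
    fi
    [ "$rc" = 0 ] && echo "OK: $bin is gated behind sudo -g $grp"
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then shift; audit_dumpcap "$@"; fi
```

Run it as your normal user with `--audit`; it needs no root, since it only reads metadata.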

Let me know what you think.

[EDIT]

An acquaintance has brought up the possibility of keyloggers grabbing sudo passwords.  Prevent that with:

$ SUDO_ASKPASS=/usr/bin/ssh-askpass sudo -A -g netcap wireshark

Script it, and you’re good to go. :)

 


Recently, a blogger over at Radar.oreilly.com posited his “Five Reasons iPhone vs. Android isn’t Mac vs. Windows”.  There, the gentleman states:

“As the title underscores, I am a big believer that to understand what makes mobile tick, you really need to look beyond a device’s hardware shell (important, though it is), and fully factor in the composite that includes its software and service layers; developer tools and the ecosystem ‘surround.’”

The gentleman, bless him, seems unaware that iPhone vs. Windows Mobile (or even WINCE) would be a more apt comparison, since Android doesn’t have much of anything to do with Windows or Microsoft.

Or perhaps he had considered that touting the superiority of the embedded OS X in iPhones over the embedded Linux in Android could not be defended, even off-handedly.

But first, a caveat:  readers of this blog know that I am a fierce Linux advocate.  And OS advocacy, like Unix editor advocacy, can quickly devolve into religious discussions.  Nevertheless, I see the need, and usefulness, of both OS X and MS Windows on desktops, despite my misgivings about their development and distribution models.  Not to belabor the point:  this is a specific application of “Toleration” found at the Stanford Encyclopedia of Philosophy.

Indeed, I am more than just “tolerant” of OS X, since I use Snow Leopard on my not-often-used Mac mini.  But all my other desktops are Linux, as well as all of my servers hosted over at our datacenter, because:  I find Linux superior to all other solutions for these uses.

This includes the embedded realm.  I’ve incorporated embedded Linux in my networks:  I’ve used a Meraki for wireless services, and my current wireless router (Ubiquiti Bullet) uses embedded Linux.  And — knock on wood — I’ve found these to be very stable solutions.

So it really is no small matter that my Motorola Droid runs an embedded Linux distro as its OS:  I would daresay there are far more person-hours invested in embedded Linux development than embedded OS X development.  When we consider this, it’s no surprise that Google would select Linux as the OS upon which to build their Android platform.

But when it comes to Android itself, it’s only recently that it has become a true contender as a mobile platform.  Before the Moto Droid was released, there wasn’t any way to use Android on anything but a gsm mobile network:  leaving one with the choice of T-Mobile or AT&T as their mobile provider.  Since these carriers do not have the 3g coverage that I need, I wasn’t willing to switch from Verizon to these alternate carriers…and if that sounds like a Verizon ad, let it be known that I’d much rather use a ubiquitous, open carrier than anything available on the U.S. market.

So, many folks — myself included — couldn’t take Android seriously, until it was available on Verizon’s network.  Indeed, there were no mobile devices in the Droid’s class offered on Verizon’s network until last October — and until then, I was a die-hard user of my Palm Treo 755p running PalmOS 5.  (Poor Palm:  If a WebOS phone had been available before the Moto Droid on Verizon’s network, that’s probably where I would have jumped, along with quite a few other Verizon customers.)

Having said all that, let’s consider what the Droid’s interface has, which can’t be found on an iPhone:

  • Folders
  • One-Touch Contact Icons
  • Multi-Screen Desktop
  • Extreme Social Media Integration
  • Integration with Google Contacts
  • Integration with Google Calendar
  • Ability to use Google Voice as voicemail (including email/sms of voicemail transcripts)
  • Can spawn a terminal /bin/sh session via USB connection, as well as a whole slew of developer assistances

etc.

In short:  These are only part of a tsunami of capabilities, which have only recently begun gaining momentum in the mobile space.

This year should be interesting for Android advocates.

ITX Media PC Case


First, the setup:  For my entertainment center, I built a small media PC, which runs Fedora Linux.

Hardware:

Missing from this list was Arctic Silver thermal compound, which I had to apply to keep the processor from overheating.  Also missing: the HDMI cable, which carries the audio & video to a Sony digital tuner.

And also missing:  a Blu-ray/DVD  drive would be nice, but I have a Sony Blu-Ray player that handles the playback chores separately from the media PC.  Eventually it will have a drive, but I don’t need one at the moment…and in a pinch, you can use a DVD drive from another computer over NFS.

So I installed Fedora Linux on the unit from a “live” image on a USB flash drive.  Once that was installed, I added the Livna and Rpmfusion yum repositories with commands similar to the following (run as root):


# rpm -ivh http://rpm.livna.org/livna-release.rpm
# rpm -ivh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
# yum update

Once all that is up-to-date, you’ll probably want to install some extras off the repositories that make media handling much easier…

# yum install akmod-nvidia # drivers for Nvidia chipsets only
# yum install mplayer # media player/converter with massive capabilities
# yum install vlc # videolan client -- video player/converter w/gui controls
# yum install pavucontrol # pulseaudio advanced control application
# yum install pulseaudio-utils # needed for pasuspender, if using AC3 passthrough to a digital tuner
# yum install compiz-fusion ccsm emerald # needed for GPU-enabled zoom and other desirable features

Since wordpress takes issue with my formatting above, I’ve put the commands into a script, which should be run as root.

The latter package is a matter of personal preference.  I like the flexibility of compiz’s zoom feature, but all the video clients I use can be fullscreened.

One package I’ve left out is Adobe Flash — something I’ll address in another post.  But!  There is 64-bit Adobe Flash for Linux, found here.

Share and enjoy!

Mini Remote Keyboard/Mouse



So I’ve built a media pc from a Zotac itx mobo, and it lives in my entertainment center.  An HDMI cable carries the video AND audio from the Nvidia video and audio chipsets to my Sony digital tuner, which is capable of decoding and playing back all manner of digital audio formats.

The media pc doesn’t have an optical drive, though — if I want to play a Blu-Ray or DVD disc, I just use the Sony Blu-Ray player.  The media pc, instead, is for those times I want to play youtube videos, hulu, or other such online formats.

The new pulseaudio system in Fedora 12 handles the audio beautifully… just as long as I don’t try to play back a file with digital audio.  An example situation would be my .avi file of Star Trek IX with 5.1 audio, which I ripped from the dvd for playback alongside the rifftrax .mp3 companion audio.

But to play the movie with the 5.1 soundtrack, I have to suspend pulseaudio and use alsa’s ac3 passthrough capability.

Here’s how to do that:

First, install the pulseaudio-utils package:

# yum install pulseaudio-utils

This gives you the “pasuspender” program…with that, you can run your playback application with pulseaudio suspended, giving you direct access to the alsa device itself.  The command line looks like this:

$ pasuspender -- mplayer -ac hwac3 -ao alsa:device=hw=0.3 yourfilehere.avi

Note the double dash right after the pasuspender command — this tells pasuspender to stop interpreting switches, so that the switches only have meaning to mplayer.

You’d use the same command to play a dvd (if your media pc has a dvd drive — mine doesn’t, I was trying to keep moving parts to a minimum).  For instance, after inserting the Star Trek dvd, you’d use the following:

$ pasuspender -- mplayer -ac hwac3 -ao alsa:device=hw=0.3 dvdnav://21

BTW, most DVDs will let you play back with “dvd://21” — but the Star Trek dvd tries to get in your way, if you try to play back the content that you’ve bought.  “dvdnav:” gets around such idiocy.

And finally, you might be wondering why I’m fiddling around with the legacy DVD, when I could be using the HD video content of a Blu-Ray.  I do own the Blu-Ray, but a) I can’t play it from Linux yet, and b) I’m not ramped-up on ripping Blu-Ray just yet…and I wanted to put together a Star Trek/rifftrax viewing party relatively soon.

But this particular issue — as well as today’s nonsensical balderdash from “Bono” regarding ISP’s and digital content — only serve to underline that there are a lot of folks out there that really don’t understand the digital landscape.  But suffice to say that the content providers are so wound-up about possible unlawful use of their content, they screw-up one-off, lawful, and legal, uses of the content for folks who have these capabilities.

And I see a great need for another post about this.  Coming soon…


A recent 30 Rock episode had a great send-up of social media, as found with the website “Youface”.

On Youface, we learned, participants “fingertagged” each other…which is funny for this old-school Unix guy, since we used to “finger” each other from a Unix command line.  This would display info about you, as well as anything in your .plan file.

In fact, some folks used their .plan files as ways to publish information — gamers may remember fingering id Software for updates about Doom and Quake, for example.

It’s fairly easy to set up a finger server on Linux using xinetd.  For security’s sake, though, I suggest anyone wanting to do this not accept any input from the network, unless they know what they’re doing.  Finger servers have been a classic vector for remote attacks on hosts, including remote-root attacks.  Caveat Emptor.

Since I don’t know any better, I decided to set one up myself:  Sample files can be found here:

http://tech.ponzo.net/fingerfiles/

If you have a finger client:  finger @tech.ponzo.net to try it out.

And for another network protocol that nobody uses anymore, try:

gopher://gopher.sonic.net/