2002 06 20


                    LINUX NEWS
        Resources & Links From Cramsession.com
             Thursday, June 20, 2002


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Mandrake on WalMart PCs
Slackware 8.1 Released
Apache Security Advisory
Linux And Healthcare

3) Linux Resources

Templates Compared
Database Performance Tuning
Spam Prevention With Postfix
Handy Use of Diff
It's the Latency, Stupid

4) App o’ the Week

~~~~~~~~~~~~~~~~~~~~~~~~ ADVERTISEMENT ~~~~~~~~~~~~~~~~~~~~~~~~~~

Try Our IT Certification Courses FREE! SmartCertify Direct gives you classroom-quality IT training at a fraction of the cost of traditional courses. You’ll get 24-hour online mentoring from certified advisors, hands-on interactive exercises, the popular Test Prep exams and more! Choose from MCSE, Cisco, A+, CIW, Linux, and many other courses. Click below to try them all FREE and register to WIN a state of the art Dell PC!

http://ad.brainbuzz.com/?RC06&AIS89







For information on how to advertise in this newsletter
please contact mailto:adsales@CramSession.com or visit
http://cramsession.com/marketing/default.asp

-------------------------
1) Sean's Notes
-------------------------

It's a situation you're going to run into at least once in
your life -- you've got a Linux box, and you don't know what
the root password is.  Short of trying to crack into your
own machine (but you're up on your patches, aren't you?),
you won't be able to get that password back.

Fortunately, you can get back in by booting to single user
mode.  In single user mode, you're logged in as root
automatically, and you can change root's password.  (Note,
you can't recover the old password since it was hashed.
All you can do is change it).

Booting to single user mode is pretty easy, all you do is
pass "single" to the kernel.  In LILO, this is usually as
easy as typing "linux single" at the LILO prompt.  With
the newer GRUB, you have to hit 'e' to edit the boot entries,
and add in "single" by hand before booting.  It's all
documented here:

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guid
e/s1-rescuemode-booting-single.html

The only security in this, though, is that you have to be at
the console to do it.  Get the procedure down pat, and it
only takes about a minute.  One minute for someone to walk
into your server room and have root level access to your
computer, either by changing the password or adding a new
root level user.  Something has to be done about it.

The solution is to lock down the options you can pass to your
kernel.  Doing so means that if anyone wants to change the
way the kernel is booted, then they'll need a password.

LILO is pretty easy to do.  In /etc/lilo.conf, simply add:

password=secret
restricted

to the top and then run /sbin/lilo to rebuild the boot sector.

That will make "secret" the password to boot into Linux.
Adding "restricted" only makes the password apply if options
were passed to the kernel.  If the box were rebooted for some
reason, then "restricted" will let it boot without a password.
However, if someone tries to type "linux single", then they'll
need to provide that password.

One thing to note about LILO is that the password is stored in
clear text.  chmod 700 /etc/lilo.conf to prevent anyone from
snooping that password!

GRUB is just as easy.  It uses MD5 password hashes, meaning
that the password is never stored in the file, just a one-way
representation of it.  If someone snarfs grub.conf, then the
password hash won't help them.

First, run /sbin/grub to enter the grub shell.  At the grub>
prompt, enter the command "md5crypt", and then give it your
password as follows (I used "secret" if you're following along)

grub> md5crypt

Password: \*\*\*\*\*\*
Encrypted: $1$xDuOL/$DM8lVGaSRqltmiUxQJhc..

In /etc/grub.conf, add the following line:

password --md5 $1$xDuOL/$DM8lVGaSRqltmiUxQJhc..

Save the file, and you're done (that's one thing I like about
GRUB--you don't have to rebuild the boot sector every time.)

Reboot, and you'll notice that the "press e to edit the
command line" is replaced with something like "press p to
enter a password and access advanced options".  Without that
password, you can't pass options to the kernel.

GRUB has a lot more security features, you can read about
them here:

http://www.gnu.org/manual/grub-0.90/html_chapter/grub_toc.html

Protecting your boot manager is only half the story.  Someone
with a few more minutes on their hands could use a boot disk
(either floppy or CD) with their own boot loader or kernel.
For PCs, the best thing to do is protect against this at the
BIOS level.  Make the hard drive the first bootable device,
and protect the BIOS settings with a password.

Of course, proper physical security of your servers is a
necessity.  The measures I described above will make a lot of
hassle for someone sitting at your console to get in, but the
best way to do it is to prevent them from getting there in
the first place.

Finally, write down the boot manager and BIOS passwords, and
keep them in a safe place.  If you lose those, it isn't going
to be any fun getting back into your system.  A sealed
envelope in a locked area is a good choice.

We spend so much time worrying about network based attackers
that we forget about the damage that people can do with their
hands. Protecting your system from a console-based attacker
is relatively painless, and goes a long way toward better
security.

Long live the Penguin,

Sean
mailto:swalberg@cramsession.com


-------------------------
2) Linux News
-------------------------

-----------------------
Mandrake on WalMart PCs
-----------------------
As you've probably heard from other sources, WalMart is
selling PCs without an OS in their stores. Mandrake will
soon become an option for these. Lindows, which promises
Microsoft Windows integration on a Linux platform, was also
recently announced as an option.

http://newsforge.com/article.pl?sid/06/19/1519219


----------------------
Slackware 8.1 Released
----------------------
Slackware is the oldest distribution of Linux, known for its
bare bones approach to the installation process. The latest
release, 8.1, features JFS and XFS filesystems, the latest
GUIs, and a revamped package manager. Also of note is
ZipSlack, a 38MB .ZIP file that promises to let any FAT
partition be up and running with Linux in 5 minutes (no GUI,
but all the networking is there). It also fits on a ZIPdisk,
to make your Linux box portable.

http://www.slackware.org/


------------------------
Apache Security Advisory
------------------------
Incorrect parsing of some invalid requests leads to some
problems. On most platforms it leads to the child process
dying, but on 64-bit UNIX platforms, it could possibly be
exploited to execute arbitrary code. Pick up 1.3.26 or 2.0.39
depending on which stream you're following.

http://httpd.apache.org/info/security_bulletin_20020617.txt


--------------------
Linux And Healthcare
--------------------
The modularity of Linux makes it a natural fit for embedded
applications. This time, a medical device was developed using
Linux called EasyDose. It is "a unit that monitors, displays
and manages X-ray exposure data automatically through hospital
networks." It also supports standards like DICOM, which is
handy to have when linking different hospital systems together.

http://zdnet.com.com/2100-1104-935737.html


-------------------------
3) Linux Resources
-------------------------

------------------
Templates Compared
------------------
Templates let you build web pages more efficiently, either
by embedding some logic on the server side, or reusing code.
Not surprisingly, there is a lot of template software out
there. This document compares some of the better ones with
an eye to how they are built, and the relative performance
you can expect.

http://perl.apache.org/features/tmpl-cmp.html


---------------------------
Database Performance Tuning
---------------------------
Here is another article from SUN, this time it is on
database tuning. Again, it's for Solaris, but many of the
things in the article still apply.

http://www.sun.com/solutions/blueprints/0602/816-7191-10.pdf


----------------------------
Spam Prevention With Postfix
----------------------------
This article is the first in a three-part series on spam
prevention using Postfix. Postfix is a sendmail alternative
that is gaining popularity because of its focus on security
and simplicity. This installment looks at using some of the
static maps to filter out undesirable sites. Future articles
will deal with procmail to perform context based filtering.

http://online.securityfocus.com/infocus/1593


-----------------
Handy Use of Diff
-----------------
diff is a utility I've written about before that reports
the differences between versions of files. This article
shows a pretty interesting way of using it to make changes
to multiple files, which looks a bit easier than using patch.

http://linux.oreillynet.com/pub/a/linux/lpt/33_06.html


------------------------
It's the Latency, Stupid
------------------------
The difference between "bandwidth" and "latency" is rarely
well understood. This piece tries to point out the ill
effects of latency on a network connection. It's a bit dated
(it's rather funny to see his predictions on cable modems),
but the concepts are sound.

http://www.stuartcheshire.org/rants/Latency.html


-------------------------
4) App o' the Week
-------------------------

I'm always on the lookout for cool groupware applications,
especially those that take advantage of the web. This one is
a group calendaring system. Its big draw is that it only
requires Perl, which means you'll be up and running in no
time at all.

http://www.math.utexas.edu/webcalendar/


-------------------------
(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.
-------------------------
-------------------------

          This message is from CramSession

You are currently subscribed to the following list
   Hottest Linux News and Resources
   as: sean@ertw.com

To un-subscribe from this newsletter by e-mail,
   send a blank email message to:
   mailto:leave-linuxnews-3825955Y@list.cramsession.com

To subscribe to this newsletter and many others visit
our site at:
http://newsletters.cramsession.com/signup/default.asp

-------------------------------------------------------