Category: Tech

I’ve discovered unknown terrors while researching and writing PAM Mastery. Well, terrors previously unknown to me, at least. I’m certain that the OpenPAM and Linux-PAM developers are very much aware of them. (I’m also certain that they’re part of the reason DES keeps his hair cut so short, so that he can’t yank it out of his head in bloody chunks.)

Part of the writing process was building a giant spreadsheet listing operating systems, PAM versions, and which modules appear in each OS. Strictly speaking, OpenPAM proper contains very few modules. Most “OpenPAM” modules actually originate from FreeBSD. But people are free to use them, so they generally get lumped into the “OpenPAM module” bucket.

One module that’s conspicuous by its absence in pam_listfile. Pam_listfile.so lets you accept or reject access based on the username’s presence in a file. It’s much like the traditional BSD /etc/ftpusers functionality.

It’s a reasonable enough module. And I’m told that pam_listfile.so can be compiled to work on FreeBSD, but nobody’s bothered to submit a port. How to make it work is a perennial question on the FreeBSD mailing lists.

The good news is, you can easily emulate pam_listfile.so on FreeBSD using pam_exec. Pam_exec runs a command as part of the PAM chain. If the command returns 0, the module says to grant access. If the command returns 1, the module says to deny access. (Whether PAM obeys this instruction or not depends on the type of statement.)

Here I implement basic pam_listfile.so functionality in a shell script, pam_listfile.sh.

Enable pam_listfile.sh as an auth rule.

auth required pam_exec /usr/local/scripts/pam_listfile.sh

Now all you need is a script. This version of the script permits access if the username appears in /etc/validusers.

#!/bin/sh
/usr/bin/grep ^$PAM_USER$ /etc/validusers
return $?

And here’s a version that rejects access if the username appears in /etc/validusers, exactly like /etc/ftpusers. It’s a huge change, adding an entire exclamation point.

#!/bin/sh
! /usr/bin/grep ^$PAM_USER$ /etc/validusers
return $?

You could add more functions as you need. The important thing is to return either 0 or not-zero.

PAM Mastery is over half finished. I’ve completed the parts on “this is how PAM works” and have moved on to “here are some cool PAM modules that you might want to use.”

And my marketing department says I need to mention that I’m taking sponsors on the print and ebook versions of PAM Mastery.

I’m slated to present at the next SemiBUG meeting.

By unpopular demand, I’ll offer “FreeBSD Filesystem Fun,” also known as “odd stuff I learned as I’ve written the FreeBSD storage books.” You’ll get content on UFS, ZFS, unionfs, various memory filesystems, and some of the really odd corners I discovered while writing the book. Warning: will contain actual math and ZFS tuning know-how.

15 March. 7 PM. Altair Engineering!

To be followed by dining at Leo’s Coney Island right next door. (We’re flexible on dinner, but somehow it always turns out to be Leo’s.)

Future meetings of note include two special guests:

On 19 April, Tom Lawrence is coming to talk about pfSense.

And on 17 May, Isaac Levy is flying in from New York City to talk about FreeBSD jails. I’d really like to fill our space for this one, as Ike is both a great speaker and making a special flight exclusively for us. Knowing Ike, I suspect that the dinner afterwards will involve beer.

June will be a BSDCan trip report, and July, Josh Grosse on porting software to OpenBSD.

The first meeting for theSoutheast Michigan BSD User Group, aka SEMIBUG, will be next Tuesday, 17 November 2015, at the Hazel Park Raceway restaurant.

We’ll discuss what sort of meeting we want, when the regular meeting will happen, where it will be, and suchlike. We’ll probably also draft someone to fix the website. (By fix, I mean “burn it to the ground and try again.”)

The restaurant menu is very minimal thanks to the season, but after the meeting interested parties can head out to one of the local places for actual food. Buy a soda or a beer at HPR to justify our presence.

This morning, I finally updated my web server to FreeBSD 10.2-p6 using freebsd-update. Normally I like freebsd-update, but this morning it decided to be cranky.

As usual, it was cranky because I didn’t know what I was doing.

First, I should say that I don’t need to update my hosts that often. If there’s, say, a mountd(8) security advisory, I don’t bother. And when I ran bunches of FreeBSD boxes, I ran freebsd-update through ansible.

This means I’m not terribly familiar with the output.

So, I run:

# freebsd-update -F -r 10.2-RELEASE upgrade

There’s the usual “downloading metadata” messages, then a bunch of stuff on updating patches.

I then get presented with an /etc/mail/sendmail.cf diff, saying some of the innards of that file has changed. Fine.

Then I get:

The following file will be removed, as it no longer exists in
FreeBSD 10.2-RELEASE: /etc/ntp.conf
Does this look reasonable (y/n)?

Wait… FreeBSD dropped /etc/ntp.conf? What, did they drop ntpd? Who do they think they are, OpenBSD? I’m sure that’s in the release notes, had I bothered to read the release notes. Fine, I’ll install openntpd from packages after the upgrade. No biggie. But I want /etc/ntp.conf to stick around, as I have custom twiddles in there. I think. It’s been a while.

So I answer n. Just like I would with mergemaster.

And freebsd-update ends.

Fine. That’s all the updates, right? I saw stuff download. I then do:

# freebsd-update install
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.

What fresh hell is this? I saw all sorts of stuff download!

I rerun the freebsd-update command, and this time I notice in the output:

/usr/sbin/freebsd-update: cannot open files/.gz: No such file or directory

Something’s missing.

I add -F, to say “hey, re-download everything.”

Same result.

Eventually, I let freebsd-update take /etc/ntp.conf. The upgrade kept running after that, downloading a bunch more stuff and finally telling me to reboot and run freebsd-update install.

The takeaways here are:

1) freebsd-update is not mergemaster. Answering n anywhere makes the update stop before it’s finished.
2) Read the release notes.

BTW, ntpd is still part of FreeBSD 10.2. I don’t know why the update wanted to blow away my ntp.conf rather than point out any diffs.

I recently migrated my web site to a new FreeBSD install, configured so I could use ZFS boot environments. This upgrade crossed FreeBSD versions (10.0->10.1), filesystems (UFS -> ZFS), and PHP versions (5.5 -> 5.6).

And my WordPress pointy-clicky upgrades stopped working. Every time I ran an upgrade, the web gui hung with:

Updating Plugin Honketyblatt (1/1)

The web site would site there, forever. Enabling WP debugging gave me no error messages.

If I had the job of running WordPress sites, I would have an automatic tool that processed the upgrades for me. It’s not, so I don’t.

I use the FreeBSD WordPress package to get all of the dependencies, but manage my actual WordPress sites in a separate directory. It turns out that the FreeBSD WordPress package doesn’t list all of the modules that you need for a self-maintaining WordPress install. My old server had a few packages that the new one didn’t.

If you want to use WordPress’ self-updating features, be sure to install the following packages in addition to the FreeBSD-recommended defaults.

php56-tokenizer
php56-zlib
php56-zip

I installed these packages, and everything started working.

To design “FreeBSD Mastery: Jails” I need to look at the existing jail management tools. Jails have been around about fifteen years now, and FreeBSD has accumulated a whole bunch of wrappers and supporting tools. Many of these have wound up in the ports collection.

Jails have evolved over the years. Some of these add-on tools are not useful for FreeBSD 9.1 and later.

Here’s a few things I discovered in my research. I’m hoping that you lot will offer your own comments and help me decide which tools to cover in the book.

It seems we have five major jail management toolkits.

ezjail – perhaps the best known jail management tool. Written entirely in shell.

qjail – Designed for managing lots of jails at the command line, based on templates. The examples use ipfilter, which is my third choice of FreeBSD firewall. Does not need ZFS.

iocage – supports resource limiting, thin provisioning, cloning, and either vimage or NAT from the host’s main IP.

jadm – Python-based jail command shell, uses a bridge interface. Can migrate jails between hosts. ZFS integration. Lets you set global settings for all jails, per-jail settings, jail groups, and so on.

cbsd – web-based management of jails. Supports HAST, migration, CARP, etc.

The question for me is: which should I cover in the jails book? I’ll mention that all of them exist, but I can only give attention to one or two.

CBSD seems an obvious choice. It integrates CARP and HAST and vimage and just about everything. Plus, people like web GUIs. It seems to be the giant ape of jail management tools.

But I want to cover a command-line toolkit. Between ezjail, qjail, iocage, and jadm, I find myself leaning towards iocage.

There’s some other jail-related software in the ports collection. Here’s those I plan to investigate and possibly include. I might find that their functionality is now included in mainline FreeBSD, however.

jps and jtop – external wrappers that add jail info to ps and top.

jkill – shuts down a running jail and all its processes from outside the jail. I don’t know that this is still needed, but the functionality is important.

bsnmp-jails – feed jail info into snmpd.

Here are some jail-related ports I don’t plan to include, and why.

py-ploy_ezjail, bsdploy – ploy for jails. I don’t ploy.

py-ezjailremote – a python wrapper around ezjail. I don’t Python.

p5-BSD-Jail-Object – a Perl interface for jail management. I do Perl, but… no.

pkg_jail – build packages inside a jail. This looks like an old poudriere.

jailrc – improved startup/shutdown scripts for pre-9.1 jails. The key words here are “pre 9.1.”

pam_jail – drops the user into a jail upon successful login

jailme – a modified version of jexec with more sanity checking. Is setuid, lets normal users run jails.

jaildaemon – lets the jail talk to the host? I’m sure this solved a problem for someone, but not me.

jailctl – for FreeBSD 4.x and 5.x

jailaudit – portaudit for inside jails. I’d say this is superceded by pkg audit.

jail2 – advanced jail script. Uses /etc/jail.conf. I’m kinda, sorta sure that this or its descendant is the default FreeBSD 9.1 and later.