Category archive: Linux

Arch Linux has finally put kernel 3.0 into [core]

This is a good thing. Although 3.0 doesn't change much, a major version number bump for Linux, a rare event after all this time, is still exciting.

But happy as I am, the tragedy that was bound to happen happened anyway...
I had just eagerly upgraded the kernel to 3.0, and after a reboot the wireless was gone...
I'd seen someone mention this on linuxsir earlier, but I didn't expect it to actually be this unreliable... Do the people cutting the release not use laptops?... So annoying...

Should I take this chance to compile a kernel myself, or go find a ready-made driver in the [AUR] to use for now?

Decisions, decisions...


chroot usage explained – [linux]

Copyright notice: when reposting, please cite the original source and author with a hyperlink, together with this notice
http://wtxawr.blogbus.com/logs/17714526.html

chroot means Change Root: it changes the directory that a program sees as the root of the filesystem while it runs.
The usual directory layout:
/
/bin
/sbin
/usr/bin
/home

The layout as seen from inside a chroot (here rooted at /hell):
/hell/
/hell/bin
/hell/usr/bin
/hell/home
* Why chroot?
1. To limit which programs a chrooted user can run, such as setuid programs, or compilers that burn CPU.
2. To keep users away from particular files, such as /etc/passwd.
3. To stop an intruder's /bin/rm -rf / from reaching the real root.
4. To offer guest access, and to confine misbehaving users.
5. To improve the security of the system overall.
* How do you build a chroot environment?
1. The chroot() function:
chroot(PATH) can only be called by root. After it succeeds, the calling process's root directory becomes PATH. Note that chroot() does not change the current working directory: the caller must chdir("/") afterwards, otherwise the process still holds a directory outside the new root and can walk back out of it.
2. The login process:
Whether a user comes in from the console or via telnet, /usr/bin/login runs to decide whether they may enter the system. Roughly, login does the following:
(1) Prints the login prompt and waits for the user to type a password.
(2) Checks the password; if it is wrong, goes back to (1).
(3) If it is right, calls setuid() to become login_user.
(4) exec()s the user's shell.
So we modify the source of /usr/bin/login so that between (2) and (3) it calls chroot($CHROOT) (followed by chdir("/")), which achieves the chroot, and install the modified login in place of the original /usr/bin/login.
(5) A slightly better approach checks the login user's groups before calling chroot(), and only chroots members of one specific group (say chrootgrp); otherwise everybody ends up chrooted. (On a current system the same effect is usually obtained without patching login at all, for example through the ChrootDirectory option of sshd.)
3. Building the environment chroot needs:
(1) Required directories (assume $CHROOT is the path you want to build):
$CHROOT/etc  $CHROOT/lib  $CHROOT/bin
$CHROOT/sbin $CHROOT/usr/lib  $CHROOT/usr/bin
$CHROOT/usr/local  $CHROOT/home
(2) Go through the files in /etc carefully: the ones the programs need at run time must be present, such as passwd, group, hosts, resolv.conf and so on.
(3) Remove the executables you do not want to hand out: setuid programs such as su and sudo, compilers, and even telnet.
(4) Test it. As root, run  chroot $CHROOT /bin/sh
and you are inside the chroot environment (see man chroot for details).
4. Try logging in on the console or via telnet.
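The procedure in step 3 above as a shell script. This is an added example, not code from the article: it creates the directory skeleton, copies a few programs together with the shared libraries ldd reports for them, copies /etc/passwd with every password hash replaced by "*" (the concern raised under section 5 below), removes every setuid and setgid bit it finds (step 3(3), and the leftover-setuid problem discussed at the end of the article), then bind-mounts /dev and /proc and drops into the jail. The jail path /srv/jail, the program list and the CHROOT_BUILD guard are assumptions; the root-only part runs only when CHROOT_BUILD=1 is set in the environment.

```sh
#!/bin/sh
# Added example (not from the original article): build a minimal chroot tree
# for an interactive shell, following step 3 above. $CHROOT, the program list
# and the CHROOT_BUILD guard are assumptions; adjust them for your system.
set -eu

# Step 3(1): the directory skeleton.
make_tree() {
    root="$1"
    for d in etc lib bin sbin usr/lib usr/bin usr/local home dev proc var; do
        mkdir -p "$root/$d"
    done
}

# Copy one program and every shared library ldd reports for it, keeping the
# same paths so the dynamic loader finds them under the new root.
install_binary() {
    root="$1"; bin="$2"
    mkdir -p "$root$(dirname "$bin")"
    cp -p "$bin" "$root$bin"
    ldd "$bin" 2>/dev/null | awk '/\// { print $(NF-1) }' | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        [ -e "$root$lib" ] || cp -p "$lib" "$root$lib"
    done
}

# Step 3(2) and section 5: copy passwd but replace every hash with "*", so a
# CHROOTer cannot read root's encrypted password. /etc/shadow is never copied.
sanitize_passwd() {
    awk -F: 'BEGIN { OFS = ":" } { $2 = "*"; print }' "$1" > "$2"
}

# Step 3(3): list, and then drop, every setuid/setgid bit under the jail.
audit_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}
strip_setuid() {
    audit_setuid "$1" | while read -r f; do chmod u-s,g-s "$f"; done
}

# Step 3(4): assemble the jail and drop into it. Needs root.
build_jail() {
    root="$1"
    make_tree "$root"
    for bin in /bin/sh /bin/ls /bin/cat; do      # deliberately no su, sudo, cc, telnet
        install_binary "$root" "$bin"
    done
    sanitize_passwd /etc/passwd "$root/etc/passwd"
    for f in group hosts resolv.conf; do cp -p "/etc/$f" "$root/etc/$f"; done
    strip_setuid "$root"
    # The article's loopback-NFS mounts are bind mounts on Linux today.
    mount --bind /dev "$root/dev"
    mount -t proc proc "$root/proc"
    chroot "$root" /bin/sh
}

if [ "${CHROOT_BUILD:-0}" = 1 ]; then
    build_jail "${CHROOT:-/srv/jail}"
fi
```

Run it as root with CHROOT_BUILD=1 CHROOT=/srv/jail to build and enter the jail; without the variable it only defines the functions, so the sanitising and setuid-stripping steps can be tried on a scratch directory first. Keep in mind what the article says at the end: stripping setuid bits matters because a root process inside the jail is not contained by it.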
5. Username/password resolution:
Inside the chroot you probably do not want chrooted users (CHROOTers from here on) to get hold of files such as /etc/passwd or /etc/shadow, especially ones containing root's password. There are three cases:
(1) /etc/passwd and $CHROOT/etc/passwd are identical:
This is the worst choice. First, a CHROOTer has a chance to obtain root's encrypted password; second, keeping /etc/passwd and $CHROOT/etc/passwd in sync is a real problem, because /usr/bin/login reads /etc/passwd, but once a CHROOTer has been chrooted and runs passwd, the passwd he runs changes $CHROOT/etc/passwd.
(2) /etc/passwd and $CHROOT/etc/passwd differ:
You can strip the passwords of the important accounts (such as root) out of $CHROOT/etc/passwd, and then modify /usr/bin/login in a more elaborate way:
    if (has_chroot_group) {
        re-load $CHROOT/etc/passwd
        if (password is valid) {
            chroot($CHROOT)
            exec(shell)
        } else logout()
    }
The advantage is that /etc/passwd and $CHROOT/etc/passwd are kept separate. /etc/passwd only determines the username a CHROOTer logs in with; everything else, the password, uid, gid, shell, home and so on, comes from $CHROOT/etc/passwd.
The drawback is that every other daemon, ftpd, httpd and the like, has to be modified the same way to obtain correct information about CHROOTers, and every time you add a user to or remove one from chroot_group you have to change both /etc/passwd and $CHROOT/etc/passwd.
(3) Use NIS/YP:
This is probably the simplest and least troublesome method, because all user information is fetched through NIS binding. It protects root's password and also removes the problem of keeping /etc/passwd and $CHROOT/etc/passwd in sync. And not only passwd: group, hosts, services, aliases and the rest are all taken care of at the same time.
* Other issues to consider:
1. Keeping executables in sync:
When you upgrade the system or install new software, remember to replace the files under $CHROOT as well. This matters most on systems such as SunOS or BSD, where programs use nlist() to read kernel information: when the kernel is updated, the copy of the kernel under $CHROOT must be updated too.
2. /dev:
In general you have to mount /dev read-write onto $CHROOT/dev through a local loopback NFS mount (on Linux today a bind mount, mount --bind /dev $CHROOT/dev, does the same job), so that ordinary users and CHROOTers can write(1) to each other and so that the device nodes stay in sync.
3. /proc:
On Linux, SYSV and 4.4BSD systems many programs consult /proc, so you also have to mount /proc onto $CHROOT/proc.
4. /var:
/var is usually also mounted read-write onto $CHROOT/var through a local loopback NFS mount, to keep the spool directories in sync; otherwise you may have to modify daemons such as lpd or sendmail, which have no idea that there is another spool under $CHROOT/var.
5. Daemons:
Some user-related daemons such as ftpd and httpd have to be modified so that they can find the correct user home directories.
* Security problems chroot does not solve:
1. Setuid programs you forgot to remove:
A CHROOTer still has a chance to gain root privileges through a setuid program, and a chroot does not contain root. A process with root privileges inside the jail can create device nodes for the real disks, or step out of the jail altogether (chroot() into a subdirectory, then chdir("..") back past the old root), so it is not only the files under $CHROOT/ that are at risk: a root shell inside the jail is a root shell on the host, and "/bin/rm -rf /" is very much something to fear.
Beyond that, everything else root can do is still possible: running tcpdump to sniff the local network and collect account passwords for other machines on it, rebooting the machine, altering NIS data, changing the passwords of accounts that are not chrooted and thereby obtaining ordinary accounts (which is why root must not be put into NIS), and so on.
(At that point securetty, login.access, or taking the wheel group out of NIS must be used to keep them from logging in as root.)
2. Daemons already loaded into memory:
For programs started at boot, such as sendmail, httpd, gopherd, inetd and so on, if a daemon has a hole (sendmail, for example), a hacker who breaks that daemon can still obtain root privileges.
* Conclusion:
chroot can improve the security of a system and limit what users can do, but chroot is not everything: there are still other holes waiting for a hacker to find.


[Repost] bash shell: the if command and its test parameters

Chapter 7. Conditional statements

Abstract
In this chapter we discuss the use of conditionals in Bash scripts. It covers the following topics:
  • The if statement
  • Using a command's exit status
  • Comparing and testing input and files
  • The if/then/else construct
  • The if/then/elif/else construct
  • Using and testing positional parameters
  • Nested if statements
  • Boolean expressions
  • Using case statements
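As an added example (not part of the chapter text), here is one small script that uses every construct in the list above: a command's exit status as the if condition, file tests, positional parameters, if/then/elif/else, a nested if with a boolean expression, and case. It decides whether a configuration file is safe to source, a check worth having in any script that sources a file it did not create. The file names used when running it are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not part of the chapter: one script that uses each construct
# in the topic list above (exit status as a condition, file tests, positional
# parameters, if/elif/else, nested if, boolean expressions, case).
# The file names used when running it are assumptions for illustration.

# Decide whether a configuration file is safe to source. Return codes:
#   0 ok, 1 missing, 2 not readable, 3 symlink or writable by group/others
# (a config that anyone can edit is a classic privilege-escalation foothold).
check_config() {
    local f="$1" mode
    if [ ! -e "$f" ]; then
        return 1
    elif [ ! -r "$f" ]; then
        return 2
    else
        # Nested if with a boolean expression: refuse symlinks outright, and
        # refuse any file with the group or other write bit set. stat prints
        # the mode in octal; the leading 0 makes $(( )) read it as octal too,
        # and 022 masks exactly those two bits.
        mode=$(stat -c %a "$f")
        if [ -L "$f" ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
            return 3
        fi
    fi
    return 0
}

# Turn a return code into a message with case.
describe_status() {
    case "$1" in
        0) echo "ok" ;;
        1) echo "missing" ;;
        2) echo "not readable" ;;
        3) echo "insecure permissions or symlink" ;;
        *) echo "unexpected status $1" ;;
    esac
}

# Positional parameters: each argument is a config file to check. The exit
# status of check_config is used directly as the if condition; any failure
# makes the whole run exit non-zero.
main() {
    local f rc failed=0
    if [ "$#" -eq 0 ]; then
        echo "usage: $0 CONFIG_FILE..." >&2
        return 64
    fi
    for f in "$@"; do
        if check_config "$f"; then
            echo "$f: $(describe_status 0)"
        else
            rc=$?                       # status of the command just tested
            echo "$f: $(describe_status "$rc")" >&2
            failed=1
        fi
    done
    return "$failed"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as ./check-config.sh /etc/myapp.conf ~/.myapprc and inspect the exit status ($?); 0 means every file passed. The permission test uses stat -c, which is the GNU form.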


QEMU/Images

From Wikibooks, the open-content textbooks collection

Once QEMU has been installed (and, for the QEMU versions this page was written against, kqemu compiled and configured; kqemu was dropped from QEMU with version 0.12, and KVM is the accelerator on current releases), it should be ready to run a guest OS from a virtual disc image. A disc image is a file that represents the data on a hard disc. From the perspective of the guest OS it actually is a hard disc, and the guest OS can create its own filesystem on the virtual disc.

You can download a few guest OS images from the QEMU website, including a simple 8MB image of a Linux distro. To run it, download and unzip the image in a folder and run the QEMU command.

qemu linux-0.2.img

Replace linux-0.2.img with the name of your guest OS image file (on current packages the binary is called qemu-system-i386 or qemu-system-x86_64 rather than plain qemu). If it has a GUI and you want to use your mouse with it, double-click on the window and QEMU will grab your mouse. To make QEMU release your mouse again, hold down the Control and Alt keys simultaneously, then let go – your mouse will be released back to X.


Image types

QEMU supports several image types. The “native” and most flexible type is qcow2, which supports copy on write, encryption, compression, and VM snapshots.

If you need to copy files to and from the image directly from the host, however, you need to use the raw image type.

QEMU currently supports these image types or formats:

raw

Creating an image

To set up your own guest OS image, you first need to create a blank disc image. QEMU has the qemu-img command for creating and manipulating disc images, and supports a variety of formats. If you don't tell it what format to use, it will use raw files. The "native" format for QEMU is qcow2, and this format offers some flexibility. Here we'll create a 3GB qcow2 image to install Windows XP on (sizes take a single-letter suffix such as M, G or T; current qemu-img rejects "3GB" as trailing garbage):

qemu-img create -f qcow2 winxp.img 3G

The easiest way to install a guest OS is to create an ISO image of a boot CD/DVD and tell QEMU to boot off it. Many free operating systems can be downloaded from the Internet as bootable ISO images, and you can use them directly without having to burn them to disc.

Here we'll boot off an ISO image of a properly licensed Windows XP boot disc. We'll also give it 256MB of RAM, but we won't use the kqemu kernel module just yet because it causes problems during Windows XP installation.

qemu -m 256 -hda winxp.img -cdrom winxpsp2.iso -boot d

To boot from a real CD or DVD, tell QEMU where to find it. On Linux systems, you can usually use a logical device name like /dev/cdrom or /dev/dvd, or the physical name of the device, e.g. /dev/sr0.

qemu -m 256 -hda winxp.img -cdrom /dev/cdrom -boot d

QEMU will boot from the ISO image or CD/DVD and run the install program. If you have two screens, move the QEMU screen off to the spare one where you can keep an eye on the installer, but get on with something else – it will take a while!

Once the guest OS has installed successfully, you can shut down the guest OS (e.g. in Windows XP, click on Start and then Shutdown). Once it has shut down, start QEMU up with the kqemu kernel module to give it a little more speed. (kqemu was removed from QEMU in version 0.12; on a current QEMU the equivalent on a Linux host is the -enable-kvm option, used with the qemu-system-x86_64 or qemu-system-i386 binary.)

qemu -m 256 -hda winxp.img -cdrom winxpsp2.iso -kernel-kqemu

If you are running an x86-64 Linux (i.e. 64-bit), you will need to run the x86-64 version of QEMU to be able to utilise kqemu:

qemu-system-x86_64 -m 256 -hda winxp.img -cdrom winxpsp2.iso -kernel-kqemu

Using multiple images

QEMU can utilise up to four image files to present multiple virtual drives to the guest system. This can be quite useful, as in the following examples:

a pagefile or swapfile virtual disc that can be shared between QEMU guests

Bear in mind that only one instance of QEMU may access an image at a time – shared doesn't mean shared simultaneously! (Current QEMU releases enforce this with a lock on the image file and refuse to start a second guest on an image that is already open.)

To utilise additional images in QEMU, specify them on the command line with options -hda, -hdb, -hdc, -hdd.

qemu -m 256 -hda winxp.img -hdb pagefile.img -hdc testdata.img -hdd tempfiles.img -kernel-kqemu

NB: QEMU doesn't support both -hdc and -cdrom at the same time, as they both represent the first device on the second IDE channel.


Copy on write

The "cow" part of qcow2 is an acronym for copy on write, a neat little trick that allows you to set up an image once and use it many times without changing it. This is ideal for developing and testing software, which generally requires a known stable environment to start off with. You can create your known stable environment in one image, and then create several disposable copy-on-write images to work in.

To start a new disposable environment based on a known good image, invoke the qemu-img command with the option -b and tell it what image to base its copy on (current qemu-img also wants the backing file's format via -F, and takes the size from the backing file, so no size needs to be given). When you run QEMU using the disposable environment, all writes to the virtual disc go to this disposable image, not the base copy. The base image must never be written to while overlays depend on it: an overlay records only the clusters that differ from the base, so a change underneath it silently corrupts every overlay built on it.

qemu-img create -f qcow2 -b winxp.img -F qcow2 test01.img
qemu -m 256 -hda test01.img -kernel-kqemu &

NB: don't forget to copy any important data out of the disposable environment before deleting it. When developing and testing software in copy-on-write virtual environments, it is a good idea to use version control software like Subversion or CVS on a server external to your virtual environment. Not only is it easy to keep copies of your work outside your virtual environment, it is also very easy to set up a new virtual environment from version control.


Mounting an image on the host

Sometimes it is helpful to be able to mount a drive image under the host system. For example, if the guest doesn't have network support, the only way to transfer files into and out of the guest will be by the storage devices it can address.

Linux and other Unix-like hosts can mount images created with the raw format type using a loopback device. From a root login (or using sudo), mount a loopback with an offset of 32,256 bytes. That number is where the first partition starts on an image partitioned by the older DOS-style tools (63 sectors of 512 bytes); images partitioned by current tools usually start the first partition at sector 2048, so read the real start sector from the partition table (fdisk -l or sfdisk -d on the image file) rather than assuming it.

mount -o loop,offset=32256 /path/to/image.img /mnt/mountpoint

For example, to copy some files across to a FreeDOS hard drive image:

mkdir -p /mnt/freedos
mount -o loop,offset=32256 freedos-c.img /mnt/freedos
cp oldgames /mnt/freedos
umount /mnt/freedos

NB: never mount a QEMU image while QEMU is using it, or you are likely to corrupt the filesystem on the image. Be aware, too, that mounting hands the image's filesystem to the host kernel's drivers; an image of unknown origin is untrusted input, so mount it read-only with nosuid,nodev,noexec, or look at it from inside a throwaway guest instead. (qcow2 and other non-raw formats cannot be loop-mounted directly; qemu-nbd can expose them as a block device on the host.)

Note: if you have an image without partitions you should omit the ,offset=32256 part. This is for instance the case if you want to mount linux-0.2.img (which can be found at the qemu web site at the time of writing).
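An added example, not from the Wikibooks page, that reads the partition's start sector from the image's own partition table instead of hard-coding 32256, and then mounts it with the restrictive options mentioned above. The sfdisk dump embedded in the script is constructed for illustration (the two partitions start at the old 63-sector boundary and at the 1 MiB boundary current tools use); the image name freedos-c.img follows the text, and the IMG_MOUNT guard keeps the root-only mount step from running unless asked for.

```sh
#!/bin/sh
# Added example, not from the Wikibooks page: derive the loop offset from the
# image's own partition table instead of assuming 32,256 bytes (63 sectors),
# then mount read-only with nosuid,nodev,noexec. freedos-c.img follows the
# text; the IMG_MOUNT guard and the sample dump below are assumptions.
set -eu

# Print the byte offset of partition N, given an `sfdisk -d` dump on stdin.
# The sector size comes from the dump, defaulting to 512 when it is absent.
# Exits non-zero if the partition does not exist.
part_offset() {
    awk -v n="$1" '
        /^sector-size:/ { ss = $2 }
        /^[^ ]+ *: *start=/ {
            match($1, /[0-9]+$/); num = substr($1, RSTART)
            match($0, /start= *[0-9]+/)
            start = substr($0, RSTART + 6, RLENGTH - 6)
            if (num == n) {
                found = 1
                printf "%d\n", start * (ss ? ss : 512)
                exit
            }
        }
        END { if (!found) exit 1 }
    '
}

# Constructed sfdisk dump (not taken from a real disk) for a DOS-labelled
# image: partition 1 starts at the old 63-sector boundary, partition 2 at the
# 1 MiB boundary that current partitioning tools use.
SAMPLE_DUMP='label: dos
label-id: 0x1234abcd
device: freedos-c.img
unit: sectors
sector-size: 512

freedos-c.img1 : start=          63, size=      208782, type=6
freedos-c.img2 : start=        2048, size=     4194304, type=83'

# Mount partition N of a raw image at MNT. The host kernel parses whatever
# the image contains, so an image of unknown origin is untrusted input:
# read-only, nosuid, nodev, noexec. Needs root for the loop device.
mount_part() {
    img="$1"; n="$2"; mnt="$3"
    off=$(sfdisk -d "$img" | part_offset "$n")
    mkdir -p "$mnt"
    mount -o ro,loop,offset="$off",nosuid,nodev,noexec "$img" "$mnt"
    echo "$img partition $n mounted at $mnt (offset $off)"
}

if [ "${IMG_MOUNT:-0}" = 1 ]; then
    mount_part "${1:-freedos-c.img}" "${2:-1}" "${3:-/mnt/freedos}"
fi
```

With IMG_MOUNT=1 and root it mounts the requested partition; without it, part_offset can be fed any sfdisk -d output to see which offset would be used. For the sample dump, partition 1 gives 32256 and partition 2 gives 1048576.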


Getting information

The qemu-img program can tell you about the format, virtual size, physical size, and snapshots inside an image.

$ qemu-img info test.vmdk
(VMDK) image open: flags=0x2 filename=test.vmdk
image: test.vmdk
file format: vmdk
virtual size: 20M (20971520 bytes)
disk size: 17M


Converting image formats

The qemu-img program can be used to convert images from one format to another, or add compression or encryption to an image. Specify the source and target files for the image, and select from the following options:

-f – optional, specify the format of the input file (QEMU can usually detect it). Do not rely on detection for raw images: a guest can write a qcow2 header into the start of its own raw disc, and the next probe will then treat the file as qcow2 and honour whatever backing-file path it names on the host. Pass -f raw explicitly.
-O – the format to write the output file in
-c – compress the output (for formats that support it, such as qcow2)

qemu-img convert -O qcow2 test.vmdk test.qcow2


Exchanging images with VirtualBox

To convert a QEMU image for use with VirtualBox, first convert it to raw format, then use VirtualBox's conversion utility to convert and compact it in its native format. Note that the compact command requires the full path to the VirtualBox image, not just the filename.

qemu-img convert -O raw test.qcow2 test.raw

VBoxManage convertdd test.raw test.vdi
VBoxManage modifyvdi /full/path/to/test.vdi compact

Or, on releases where convertdd has been renamed, try:

VBoxManage convertfromraw -format VDI test.raw test.vdi

VBoxManage doesn't have the capability to convert an image back to raw format. However, an older tool that was available for download from the VirtualBox website, vditool, can apparently convert from .vdi to raw format. UPDATE – Feb 2009 – current installations of VirtualBox should already include vditool. Kvditool is a GUI for managing vditool.

Or try:

VBoxManage internalcommands converttoraw file.vdi file.raw

(Current VirtualBox releases also do this in one step with VBoxManage clonemedium and its --format RAW option.)


SWFUpload https IO Error: #2038

Recently, while working on a back end, I used SWFUpload for file uploads. It had always worked before, but now under HTTPS it kept throwing an HTTPS error. Looking it up, apparently Flash's SSL validation uses, of all things, IE's validation routine.

... Really annoying. All you have to do is import ca.crt into IE's "Trusted Root Certification Authorities", and then everything works, FF2, FF3, all of them...

Damn... Flash inside Firefox also goes through IE's SSL validation... that had me scratching my head for ages..

Reference
URL: http://swfupload.org/forum/generaldiscussion/347
Original:

puika Says:
October 30, 2008 – 3:11am

I think Flash under Windows uses the certificate authorities that are trusted by IE (Windows).
If you have your own CA, or are using a certificate signed by CACert.org, you need to import this CA certificate in IE as a "Trusted Root Certification Authority". OK, I know that this is a problem for public servers: telling clients to do this.
But if you have a corporate network there should be no problem doing this automatically.
One more reason to push OS and browser developers to add CACert.org to the trusted root authorities.

Hope this helps somebody :)

The fix on Linux:

kriner Says:
September 30, 2009 – 9:45am

Flash Player doesn't read the Firefox certificate store, but the default CA certificate store located in the /etc/ssl/certs/ directory.
You can add your own CA certificate with the following shell command:
update-ca-certificates

Example (for Debian or Ubuntu users):
(obviously, you need to be root)
Your organization is named 'myorg' and your CA certificate 'myorgCA.crt'.

Create a 'myorg' directory under /usr/share/ca-certificates
Copy your CA certificate into the newly created directory
Edit /etc/ca-certificates.conf and add the following two lines (the first line is a comment):
# My organization CA
myorg/myorgCA.crt

Then run:
update-ca-certificates -v

That's all.
Now it works with Firefox.
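An added example, not code from the forum post, that does the same job on a current Debian or Ubuntu system without editing /etc/ca-certificates.conf: certificates dropped under /usr/local/share/ca-certificates with a .crt suffix are picked up by update-ca-certificates automatically. The 'myorg' name and myorgCA.crt file follow the post; DESTDIR and the CA_INSTALL guard are assumptions added so that the copy step can be exercised without root. Keep in mind that a CA added here is trusted by every OpenSSL-based client on the machine, not just Flash, so whoever holds that CA's private key can impersonate any site to this host.

```sh
#!/bin/sh
# Added example, not code from the forum post: install a private CA on a
# current Debian/Ubuntu system without editing /etc/ca-certificates.conf,
# and verify that OpenSSL-based clients (Flash, curl, wget...) now trust it.
# 'myorg' and myorgCA.crt follow the post; DESTDIR and CA_INSTALL are
# assumptions so that the copy step can be exercised without root.
set -eu

# Cheap sanity check before anything lands in the trust store.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Only a certificate carrying the CA basic constraint belongs in a root store.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Copy the CA into its own directory under the local trust-store tree.
# update-ca-certificates only picks up files ending in .crt, so the name is
# normalised; the staged path is printed for the caller.
stage_ca() {
    org="$1"; crt="$2"
    dest="${DESTDIR:-}/usr/local/share/ca-certificates/$org"
    is_pem_cert "$crt" || { echo "$crt: not a PEM certificate" >&2; return 1; }
    name=$(basename "$crt")
    target="$dest/${name%.*}.crt"
    mkdir -p "$dest"
    cp "$crt" "$target"
    chmod 644 "$target"
    echo "$target"
}

# Regenerate /etc/ssl/certs and the bundle, then prove the CA verifies against
# the system store. Root required, so it runs only with CA_INSTALL=1.
install_ca() {
    org="$1"; crt="$2"
    is_ca_cert "$crt" || { echo "$crt: no CA:TRUE basic constraint, refusing" >&2; return 1; }
    staged=$(stage_ca "$org" "$crt")
    update-ca-certificates -v
    openssl verify -CApath /etc/ssl/certs "$staged"
}

if [ "${CA_INSTALL:-0}" = 1 ]; then
    install_ca "${1:-myorg}" "${2:-myorgCA.crt}"
fi
```

Run as root with CA_INSTALL=1 ./install-ca.sh myorg myorgCA.crt; the final openssl verify line prints "OK" when the system store now contains the CA. Removing the .crt again and re-running update-ca-certificates revokes the trust.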
