
June 14 2017

Grml 2017.05 – Codename Freedatensuppe

The Debian stretch release is going to happen soon (on 2017-06-17) and since our latest Grml release is based on a very recent version of Debian stretch I’m taking this as an opportunity to announce it here as well. So by the end of May we released a new stable release of Grml (the Debian-based live system focusing on system administrators’ needs), known as version 2017.05 with codename Freedatensuppe.

Details about the changes of the new release are available in the official release notes and as usual the ISOs are available via grml.org/download.

With this new Grml release we finally made the switch from file-rc to systemd. From a user’s point of view this doesn’t change that much, though to prevent having to answer even more mails regarding the switch I wrote down some thoughts in Grml’s FAQ. There are some things that we still need to improve and sort out, but overall the switch to systemd so far went better than anticipated (thanks a lot to the pkg-systemd folks, especially Felipe Sateler and Michael Biebl!).

And last but not least, Darshaka Pathirana helped me a lot with the systemd integration and polishing the release, many thanks!

Happy Grml-ing!

May 26 2017

The #newinstretch game: dbgsym packages in Debian/stretch

Debug packages include debug symbols and so far were usually named <package>-dbg in Debian. Those packages are essential if you have to debug failing (especially: crashing) programs. Since December 2015 Debian has automatic dbgsym packages, which are built by default. Those packages are available as <package>-dbgsym, so starting with Debian/stretch you should no longer look for -dbg packages but for -dbgsym instead. Currently there are 13.369 dbgsym packages available for the amd64 architecture of Debian/stretch; compared to the 2.250 packages which I counted as being available for Debian/jessie this is really a huge improvement. (If you’re interested in the details of dbgsym packages as a package maintainer take a look at the Automatic Debug Packages page in the Debian wiki.)

The dbgsym packages are NOT provided by the usual Debian archive though (which is a good thing, since those packages consume quite a lot of disk space, e.g. just the amd64 stretch mirror of debian-debug consumes 47GB). Instead there’s a new archive called debian-debug. To get access to the dbgsym packages via the debian-debug suite on your Debian/stretch system include the following entry in your apt sources.list configuration (replace deb.debian.org with whatever mirror you prefer):

deb http://deb.debian.org/debian-debug/ stretch-debug main

If you’re not yet familiar with usage of such debug packages let me give you a short demo.

Let’s start with sending SIGILL (Illegal Instruction) to a running sha256sum process, causing it to generate a so-called core dump file:

% sha256sum /dev/urandom &
[1] 1126
% kill -4 1126
% 
[1]+  Illegal instruction     (core dumped) sha256sum /dev/urandom
% ls
core
$ file core
core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'sha256sum /dev/urandom', real uid: 1000, effective uid: 1000, real gid: 1000, effective gid: 1000, execfn: '/usr/bin/sha256sum', platform: 'x86_64'

Now we can run the GNU Debugger (gdb) on this core file, executing:

% gdb sha256sum core
[...]
Type "apropos word" to search for commands related to "word"...
Reading symbols from sha256sum...(no debugging symbols found)...done.
[New LWP 1126]
Core was generated by `sha256sum /dev/urandom'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x000055fe9aab63db in ?? ()
(gdb) bt
#0  0x000055fe9aab63db in ?? ()
#1  0x000055fe9aab8606 in ?? ()
#2  0x000055fe9aab4e5b in ?? ()
#3  0x000055fe9aab42ea in ?? ()
#4  0x00007faec30872b1 in __libc_start_main (main=0x55fe9aab3ae0, argc=2, argv=0x7ffc512951f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc512951e8) at ../csu/libc-start.c:291
#5  0x000055fe9aab4b5a in ?? ()
(gdb) 

As you can see from the several “??” entries, the “bt” command (short for backtrace) doesn’t provide useful information.
So let’s install the corresponding debug package, which is coreutils-dbgsym in this case (since the sha256sum binary which generated the core file is part of the coreutils package). Then let’s rerun the same gdb steps:

% gdb sha256sum core
[...]
Type "apropos word" to search for commands related to "word"...
Reading symbols from sha256sum...Reading symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug...done.
done.
[New LWP 1126]
Core was generated by `sha256sum /dev/urandom'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
526     lib/sha256.c: No such file or directory.
(gdb) bt
#0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
#1  0x000055fe9aab8606 in sha256_stream (stream=0x55fe9be95060, resblock=0x7ffc51295080) at lib/sha256.c:230
#2  0x000055fe9aab4e5b in digest_file (filename=0x7ffc51295f3a "/dev/urandom", bin_result=0x7ffc51295080 "\001", missing=0x7ffc51295078, binary=<optimized out>) at src/md5sum.c:624
#3  0x000055fe9aab42ea in main (argc=<optimized out>, argv=<optimized out>) at src/md5sum.c:1036

As you can see it’s now reading the debug symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug, which is what we were looking for.
gdb also tells us that we don’t have lib/sha256.c available. For even better debugging it’s useful to have the corresponding source code available. This is just an `apt-get source coreutils ; cd coreutils-8.26/` away:

~/coreutils-8.26 % gdb sha256sum ~/core
[...]
Type "apropos word" to search for commands related to "word"...
Reading symbols from sha256sum...Reading symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug...done.
done.
[New LWP 1126]
Core was generated by `sha256sum /dev/urandom'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
526           R( h, a, b, c, d, e, f, g, K(25), M(25) );
(gdb) bt
#0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
#1  0x000055fe9aab8606 in sha256_stream (stream=0x55fe9be95060, resblock=0x7ffc51295080) at lib/sha256.c:230
#2  0x000055fe9aab4e5b in digest_file (filename=0x7ffc51295f3a "/dev/urandom", bin_result=0x7ffc51295080 "\001", missing=0x7ffc51295078, binary=<optimized out>) at src/md5sum.c:624
#3  0x000055fe9aab42ea in main (argc=<optimized out>, argv=<optimized out>) at src/md5sum.c:1036
(gdb) 

Now we’re ready for all the debugging magic. :)
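As an added example (not part of the original post), the following Python script reads the GNU build-id note out of an ELF binary and maps it to the /usr/lib/debug/.build-id/<xx>/<rest>.debug path that gdb looked up above, so you can check whether the matching dbgsym file is installed before starting a gdb session. The ELF/note parsing is written from the ELF64 little-endian layout; the sample image is constructed inline (so it runs offline) and carries the build-id from the sha256sum run above.

```python
#!/usr/bin/env python3
"""Find the GNU build-id of an ELF64 binary and derive the detached debug file
path that Debian dbgsym packages install and gdb searches.

Added example, not part of the original post. The first byte of the build-id
becomes the directory name under /usr/lib/debug/.build-id, the rest the file
name (plus ".debug")."""
import os
import struct
import sys

SHT_NOTE = 7            # section type holding ELF notes
NT_GNU_BUILD_ID = 3     # note type of the build-id, owner name "GNU"
DEBUG_ROOT = "/usr/lib/debug/.build-id"


def debug_file_path(build_id_hex: str) -> str:
    """Map a build-id (hex string) to the path gdb loads the debug info from."""
    build_id_hex = build_id_hex.lower()
    if len(build_id_hex) < 4:
        raise ValueError("build-id too short")
    return f"{DEBUG_ROOT}/{build_id_hex[:2]}/{build_id_hex[2:]}.debug"


def parse_notes(blob: bytes, align: int = 4):
    """Yield (owner, type, desc) for each note in a note section.
    Each note is namesz/descsz/type (3 x uint32), then the padded owner name,
    then the padded descriptor; padding is to `align` bytes."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += namesz + (-namesz % align)
        desc = blob[off:off + descsz]
        off += descsz + (-descsz % align)
        yield name, ntype, desc


def find_build_id(elf: bytes):
    """Return the GNU build-id of a little-endian ELF64 image as hex, or None."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff, = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    for i in range(e_shnum):
        sh = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", elf, sh + 4)
        if sh_type != SHT_NOTE:
            continue
        sh_offset, sh_size = struct.unpack_from("<QQ", elf, sh + 0x18)
        sh_addralign, = struct.unpack_from("<Q", elf, sh + 0x30)
        align = 8 if sh_addralign == 8 else 4
        for name, ntype, desc in parse_notes(elf[sh_offset:sh_offset + sh_size], align):
            if name == b"GNU" and ntype == NT_GNU_BUILD_ID:
                return desc.hex()
    return None


def build_note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Serialise one 4-byte-aligned ELF note (used to construct the sample)."""
    name = name + b"\0"
    out = struct.pack("<III", len(name), len(desc), ntype)
    out += name + b"\0" * (-len(name) % 4)
    return out + desc + b"\0" * (-len(desc) % 4)


def build_sample_elf(build_id: bytes) -> bytes:
    """Construct a minimal ELF64 image: header, one NOTE section, section table."""
    note = build_note(b"GNU", NT_GNU_BUILD_ID, build_id)
    note_off = 64
    shoff = note_off + len(note)
    shoff += -shoff % 8
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff,
                              0, 64, 0, 0, 64, 2, 0)
    null_sh = b"\0" * 64                 # mandatory index-0 null section header
    note_sh = struct.pack("<IIQQQQIIQQ", 0, SHT_NOTE, 2, 0, note_off,
                          len(note), 0, 0, 4, 0)
    image = hdr + note
    image += b"\0" * (shoff - len(image))
    return image + null_sh + note_sh


# Constructed sample: the build-id gdb reported for sha256sum in the post.
SAMPLE_BUILD_ID = bytes.fromhex("a4b946ef7c161f2d215518ca38d3f0300bcbdbb7")
SAMPLE_ELF = build_sample_elf(SAMPLE_BUILD_ID)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ELF
    bid = find_build_id(data)
    if bid is None:
        sys.exit("no GNU build-id note found")
    path = debug_file_path(bid)
    state = "present" if os.path.exists(path) else "missing"
    print(f"build-id:   {bid}\ndebug file: {path} ({state})")
```

Run it as `./buildid.py /usr/bin/sha256sum` to see whether the file coreutils-dbgsym would provide is installed; without an argument it processes the constructed sample.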

Thanks to everyone who was involved in getting us the automatic dbgsym package builds in Debian!

May 25 2017

The #newinstretch game: new forensic packages in Debian/stretch

Repeating what I did for the last Debian releases with the #newinwheezy and #newinjessie games, it’s time for the #newinstretch game:

Debian/stretch AKA Debian 9.0 will include a bunch of packages for people interested in digital forensics. The packages maintained within the Debian Forensics team which are new in the Debian/stretch release as compared to Debian/jessie (and ignoring jessie-backports):

  • bruteforce-salted-openssl: try to find the passphrase for files encrypted with OpenSSL
  • cewl: custom word list generator
  • dfdatetime/python-dfdatetime: Digital Forensics date and time library
  • dfvfs/python-dfvfs: Digital Forensics Virtual File System
  • dfwinreg: Digital Forensics Windows Registry library
  • dislocker: read/write encrypted BitLocker volumes
  • forensics-all: Debian Forensics Environment – essential components (metapackage)
  • forensics-colorize: show differences between files using color graphics
  • forensics-extra: Forensics Environment – extra console components (metapackage)
  • hashdeep: recursively compute hashsums or piecewise hashings
  • hashrat: hashing tool supporting several hashes and recursivity
  • libesedb(-utils): Extensible Storage Engine DB access library
  • libevt(-utils): Windows Event Log (EVT) format access library
  • libevtx(-utils): Windows XML Event Log format access library
  • libfsntfs(-utils): NTFS access library
  • libfvde(-utils): FileVault Drive Encryption access library
  • libfwnt: Windows NT data type library
  • libfwsi: Windows Shell Item format access library
  • liblnk(-utils): Windows Shortcut File format access library
  • libmsiecf(-utils): Microsoft Internet Explorer Cache File access library
  • libolecf(-utils): OLE2 Compound File format access library
  • libqcow(-utils): QEMU Copy-On-Write image format access library
  • libregf(-utils): Windows NT Registry File (REGF) format access library
  • libscca(-utils): Windows Prefetch File access library
  • libsigscan(-utils): binary signature scanning library
  • libsmdev(-utils): storage media device access library
  • libsmraw(-utils): split RAW image format access library
  • libvhdi(-utils): Virtual Hard Disk image format access library
  • libvmdk(-utils): VMWare Virtual Disk format access library
  • libvshadow(-utils): Volume Shadow Snapshot format access library
  • libvslvm(-utils): Linux LVM volume system format access library
  • plaso: super timeline all the things
  • pompem: Exploit and Vulnerability Finder
  • pytsk/python-tsk: Python Bindings for The Sleuth Kit
  • rekall(-core): memory analysis and incident response framework
  • unhide.rb: Forensic tool to find processes hidden by rootkits (was already present in wheezy but missing in jessie, available via jessie-backports though)
  • winregfs: Windows registry FUSE filesystem

Join the #newinstretch game and present packages and features which are new in Debian/stretch.

May 19 2017

Debian stretch: changes in util-linux #newinstretch

We’re coming closer to the Debian/stretch stable release and similar to what we had with #newinwheezy and #newinjessie it’s time for #newinstretch!

Hideki Yamane already started the game by blogging about GitHub’s Icon font, fonts-octicons and Arturo Borrero Gonzalez wrote a nice article about nftables in Debian/stretch.

One package that isn’t new but its tools are used by many of us is util-linux, providing many essential system utilities. We have util-linux v2.25.2 in Debian/jessie and in Debian/stretch there will be util-linux >=v2.29.2. There are many new options available and we also have a few new tools available.

Tools that have been taken over from other packages

  • last: used to be shipped via sysvinit-utils in Debian/jessie
  • lastb: used to be shipped via sysvinit-utils in Debian/jessie
  • mesg: used to be shipped via sysvinit-utils in Debian/jessie
  • mountpoint: used to be shipped via initscripts in Debian/jessie
  • sulogin: used to be shipped via sysvinit-utils in Debian/jessie

New tools

  • lsipc: show information on IPC facilities, e.g.:
root@ff2713f55b36:/# lsipc
RESOURCE DESCRIPTION                                              LIMIT USED  USE%
MSGMNI   Number of message queues                                 32000    0 0.00%
MSGMAX   Max size of message (bytes)                               8192    -     -
MSGMNB   Default max size of queue (bytes)                        16384    -     -
SHMMNI   Shared memory segments                                    4096    0 0.00%
SHMALL   Shared memory pages                       18446744073692774399    0 0.00%
SHMMAX   Max size of shared memory segment (bytes) 18446744073692774399    -     -
SHMMIN   Min size of shared memory segment (bytes)                    1    -     -
SEMMNI   Number of semaphore identifiers                          32000    0 0.00%
SEMMNS   Total number of semaphores                          1024000000    0 0.00%
SEMMSL   Max semaphores per semaphore set.                        32000    -     -
SEMOPM   Max number of operations per semop(2)                      500    -     -
SEMVMX   Semaphore max value                                      32767    -     -
  • lslogins: display information about known users in the system, e.g.:
    root@ff2713f55b36:/# lslogins
      UID USER     PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
        0 root        2        0        1            root
        1 daemon      0        0        1            daemon
        2 bin         0        0        1            bin
        3 sys         0        0        1            sys
        4 sync        0        0        1            sync
        5 games       0        0        1            games
        6 man         0        0        1            man
        7 lp          0        0        1            lp
        8 mail        0        0        1            mail
        9 news        0        0        1            news
       10 uucp        0        0        1            uucp
       13 proxy       0        0        1            proxy
       33 www-data    0        0        1            www-data
       34 backup      0        0        1            backup
       38 list        0        0        1            Mailing List Manager
       39 irc         0        0        1            ircd
       41 gnats       0        0        1            Gnats Bug-Reporting System (admin)
      100 _apt        0        0        1            
    65534 nobody      0        0        1            nobody
    
  • lsns: list system namespaces, e.g.:
    root@ff2713f55b36:/# lsns
            NS TYPE   NPROCS PID USER COMMAND
    4026531835 cgroup      2   1 root bash
    4026531837 user        2   1 root bash
    4026532473 mnt         2   1 root bash
    4026532474 uts         2   1 root bash
    4026532475 ipc         2   1 root bash
    4026532476 pid         2   1 root bash
    4026532478 net         2   1 root bash
    
  • setpriv: run a program with different privilege settings
  • zramctl: tool to quickly set up zram device parameters, to reset zram devices, and to query the status of used zram devices
New features/options

    addpart (show or change the real-time scheduling attributes of a process):

    --reload reload prompts on running agetty instances
    

    blkdiscard (discard the content of sectors on a device):

    -p, --step <num>    size of the discard iterations within the offset
    -z, --zeroout       zero-fill rather than discard
    

    chrt (show or change the real-time scheduling attributes of a process):

    -d, --deadline            set policy to SCHED_DEADLINE
    -T, --sched-runtime <ns>  runtime parameter for DEADLINE
    -P, --sched-period <ns>   period parameter for DEADLINE
    -D, --sched-deadline <ns> deadline parameter for DEADLINE
    

    fdformat (do a low-level formatting of a floppy disk):

    -f, --from <N>    start at the track N (default 0)
    -t, --to <N>      stop at the track N
    -r, --repair <N>  try to repair tracks failed during the verification (max N retries)
    

    fdisk (display or manipulate a disk partition table):

    -B, --protect-boot            don't erase bootbits when creating a new label
    -o, --output <list>           output columns
        --bytes                   print SIZE in bytes rather than in human readable format
    -w, --wipe <mode>             wipe signatures (auto, always or never)
    -W, --wipe-partitions <mode>  wipe signatures from new partitions (auto, always or never)
    
    New available columns (for -o):
    
     gpt: Device Start End Sectors Size Type Type-UUID Attrs Name UUID
     dos: Device Start End Sectors Cylinders Size Type Id Attrs Boot End-C/H/S Start-C/H/S
     bsd: Slice Start End Sectors Cylinders Size Type Bsize Cpg Fsize
     sgi: Device Start End Sectors Cylinders Size Type Id Attrs
     sun: Device Start End Sectors Cylinders Size Type Id Flags
    

    findmnt (find a (mounted) filesystem):

    -J, --json             use JSON output format
    -M, --mountpoint <dir> the mountpoint directory
    -x, --verify           verify mount table content (default is fstab)
        --verbose          print more details
    

    flock (manage file locks from shell scripts):

    -F, --no-fork            execute command without forking
        --verbose            increase verbosity
    

    getty (open a terminal and set its mode):

    --reload               reload prompts on running agetty instances
    

    hwclock (query or set the hardware clock):

    --get            read hardware clock and print drift corrected result
    --update-drift   update drift factor in /etc/adjtime (requires --set or --systohc)
    

    ldattach (attach a line discipline to a serial line):

    -c, --intro-command <string>  intro sent before ldattach
    -p, --pause <seconds>         pause between intro and ldattach
    

    logger (enter messages into the system log):

    -e, --skip-empty         do not log empty lines when processing files
        --no-act             do everything except the write the log
        --octet-count        use rfc6587 octet counting
    -S, --size <size>        maximum size for a single message
        --rfc3164            use the obsolete BSD syslog protocol
        --rfc5424[=<snip>]   use the syslog protocol (the default for remote);
                               <snip> can be notime, or notq, and/or nohost
        --sd-id <id>         rfc5424 structured data ID
        --sd-param <data>    rfc5424 structured data name=value
        --msgid <msgid>      set rfc5424 message id field
        --socket-errors[=<on|off|auto>] print connection errors when using Unix sockets
    

    losetup (set up and control loop devices):

    -L, --nooverlap               avoid possible conflict between devices
        --direct-io[=<on|off>]    open backing file with O_DIRECT 
    -J, --json                    use JSON --list output format
    
    New available --list column:
    
    DIO  access backing file with direct-io
    

    lsblk (list information about block devices):

    -J, --json           use JSON output format
    
    New available columns (for --output):
    
    HOTPLUG  removable or hotplug device (usb, pcmcia, ...)
    SUBSYSTEMS  de-duplicated chain of subsystems
    

    lscpu (display information about the CPU architecture):

    -y, --physical          print physical instead of logical IDs
    
    New available column:
    
    DRAWER  logical drawer number
    

    lslocks (list local system locks):

    -J, --json             use JSON output format
    -i, --noinaccessible   ignore locks without read permissions
    

    nsenter (run a program with namespaces of other processes):

    -C, --cgroup[=<file>]      enter cgroup namespace
        --preserve-credentials do not touch uids or gids
    -Z, --follow-context       set SELinux context according to --target PID
    

    rtcwake (enter a system sleep state until a specified wakeup time):

    --date <timestamp>   date time of timestamp to wake
    --list-modes         list available modes
    -r, --reorder <dev>  fix partitions order (by start offset)
    

    sfdisk (display or manipulate a disk partition table):

    New Commands:
    
    -J, --json <dev>                  dump partition table in JSON format
    -F, --list-free [<dev> ...]       list unpartitioned free areas of each device
    -r, --reorder <dev>               fix partitions order (by start offset)
        --delete <dev> [<part> ...]   delete all or specified partitions
    --part-label <dev> <part> [<str>] print or change partition label
    --part-type <dev> <part> [<type>] print or change partition type
    --part-uuid <dev> <part> [<uuid>] print or change partition uuid
    --part-attrs <dev> <part> [<str>] print or change partition attributes
    
    New Options:
    
    -a, --append                   append partitions to existing partition table
    -b, --backup                   backup partition table sectors (see -O)
        --bytes                    print SIZE in bytes rather than in human readable format
        --move-data[=<typescript>] move partition data after relocation (requires -N)
        --color[=<when>]           colorize output (auto, always or never)
                                   colors are enabled by default
    -N, --partno <num>             specify partition number
    -n, --no-act                   do everything except write to device
        --no-tell-kernel           do not tell kernel about changes
    -O, --backup-file <path>       override default backup file name
    -o, --output <list>            output columns
    -w, --wipe <mode>              wipe signatures (auto, always or never)
    -W, --wipe-partitions <mode>   wipe signatures from new partitions (auto, always or never)
    -X, --label <name>             specify label type (dos, gpt, ...)
    -Y, --label-nested <name>      specify nested label type (dos, bsd)
    
    Available columns (for -o):
    
     gpt: Device Start End Sectors Size Type Type-UUID Attrs Name UUID
     dos: Device Start End Sectors Cylinders Size Type Id Attrs Boot End-C/H/S Start-C/H/S
     bsd: Slice Start  End Sectors Cylinders Size Type Bsize Cpg Fsize
     sgi: Device Start End Sectors Cylinders Size Type Id Attrs
     sun: Device Start End Sectors Cylinders Size Type Id Flags
    

    swapon (enable devices and files for paging and swapping):

    -o, --options <list>     comma-separated list of swap options
    
    New available columns (for --show):
    
    UUID   swap uuid
    LABEL  swap label
    

    unshare (run a program with some namespaces unshared from the parent):

    -C, --cgroup[=<file>]                              unshare cgroup namespace
        --propagation slave|shared|private|unchanged   modify mount propagation in mount namespace
    -s, --setgroups allow|deny                         control the setgroups syscall in user namespaces
    

Deprecated / removed options

    sfdisk (display or manipulate a disk partition table):

    -c, --id                  change or print partition Id
        --change-id           change Id
        --print-id            print Id
    -C, --cylinders <number>  set the number of cylinders to use
    -H, --heads <number>      set the number of heads to use
    -S, --sectors <number>    set the number of sectors to use
    -G, --show-pt-geometry    deprecated, alias to --show-geometry
    -L, --Linux               deprecated, only for backward compatibility
    -u, --unit S              deprecated, only sector unit is supported
    

    May 18 2017

    Debugging a mystery: ssh causing strange exit codes?

    XKCD comic 1722

    Recently we had a WTF moment at a customer of mine which is worth sharing.

    In an automated deployment procedure we’re installing Debian systems and setting up MySQL HA/Scalability. Installation of the first node works fine, but during installation of the second node something weird is going on. Even though the deployment procedure reported that everything went fine: it wasn’t fine at all. After bisecting to the relevant command lines where it’s going wrong we identified that the failure is happening between two ssh/scp commands, which are invoked inside a chroot through a shell wrapper. The ssh command caused a wrong exit code to show up: instead of bailing out with an error (we’re running under `set -e`) it returned with exit code 0 and the deployment procedure continued, even though there was a fatal error. Initially we triggered the bug when two ssh/scp command lines close to each other were executed, but I managed to find a minimal example for demonstration purposes:

    # cat ssh_wrapper 
    chroot << "EOF" / /bin/bash
    ssh root@localhost hostname >/dev/null
    exit 1
    EOF
    echo "return code = $?"
    

    What we’d expect is the following behavior, receive exit code 1 from the last command line in the chroot wrapper:

    # ./ssh_wrapper 
    return code = 1
    

    But what we actually get is exit code 0:

    # ./ssh_wrapper 
    return code = 0
    

    Uhm?! So what’s going wrong and what’s the fix? Let’s find out what’s causing the problem:

    # cat ssh_wrapper 
    chroot << "EOF" / /bin/bash
    ssh root@localhost command_does_not_exist >/dev/null 2>&1
    exit "$?"
    EOF
    echo "return code = $?"
    
    # ./ssh_wrapper 
    return code = 127
    

    Ok, so if we invoke it with a binary that does not exist we properly get exit code 127, as expected.
    What about switching /bin/bash to /bin/sh (which corresponds to dash here) to make sure it’s not a bash bug:

    # cat ssh_wrapper 
    chroot << "EOF" / /bin/sh
    ssh root@localhost hostname >/dev/null
    exit 1
    EOF
    echo "return code = $?"
    
    # ./ssh_wrapper 
    return code = 1
    

    Oh, but that works as expected!?

    When looking at this behavior I had the feeling that something is going wrong with file descriptors. So what about wrapping the ssh command line within different tools? No luck with `stdbuf -i0 -o0 -e0 ssh root@localhost hostname`, nor with `script -c "ssh root@localhost hostname" /dev/null` and also not with `socat EXEC:"ssh root@localhost hostname" STDIO`. But it works under unbuffer(1) from the expect package:

    # cat ssh_wrapper 
    chroot << "EOF" / /bin/bash
    unbuffer ssh root@localhost hostname >/dev/null
    exit 1
    EOF
    echo "return code = $?"
    
    # ./ssh_wrapper 
    return code = 1
    

    So my bet on something with the file descriptor handling was right. Going through the ssh manpage, what about using ssh’s `-n` option to prevent reading from standard input (stdin)?

    # cat ssh_wrapper
    chroot << "EOF" / /bin/bash
    ssh -n root@localhost hostname >/dev/null
    exit 1
    EOF
    echo "return code = $?"
    
    # ./ssh_wrapper 
    return code = 1
    

    Bingo! Quoting ssh(1):

         -n      Redirects stdin from /dev/null (actually, prevents reading from stdin).
                 This must be used when ssh is run in the background.  A common trick is
                 to use this to run X11 programs on a remote machine.  For example,
                 ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi,
                 and the X11 connection will be automatically forwarded over an encrypted
                 channel.  The ssh program will be put in the background.  (This does not work
                 if ssh needs to ask for a password or passphrase; see also the -f option.)
    

    Let’s execute the scripts through `strace -ff -s500 ./ssh_wrapper` to see what’s going on in more detail.
    In the strace run without ssh’s `-n` option we see that it’s cloning stdin (file descriptor 0), getting assigned to file descriptor 4:

    dup(0)            = 4
    [...]
    read(4, "exit 1\n", 16384) = 7
    

    while in the strace run with ssh’s `-n` option being present there’s no file descriptor duplication but only:

    open("/dev/null", O_RDONLY) = 4
    

    This matches ssh.c’s ssh_session2_open function (where stdin_null_flag corresponds to ssh’s `-n` option):

            if (stdin_null_flag) {                                            
                    in = open(_PATH_DEVNULL, O_RDONLY);
            } else {
                    in = dup(STDIN_FILENO);
            }
    

    This behavior can also be simulated if we explicitly read from /dev/null, and this indeed works as well:

    # cat ssh_wrapper
    chroot << "EOF" / /bin/bash
    ssh root@localhost hostname >/dev/null </dev/null
    exit 1
    EOF
    echo "return code = $?"
    
    # ./ssh_wrapper 
    return code = 1
    

    The underlying problem is that both bash and ssh are consuming from stdin. This can be verified via:

    # cat ssh_wrapper
    chroot << "EOF" / /bin/bash
    echo "Inner: pre"
    while read line; do echo "Eat: $line" ; done
    echo "Inner: post"
    exit 3
    EOF
    echo "Outer: exit code = $?"
    
    # ./ssh_wrapper
    Inner: pre
    Eat: echo "Inner: post"
    Eat: exit 3
    Outer: exit code = 0
    

    This behavior applies to bash, ksh, mksh, posh and zsh. Only dash doesn’t show this behavior.
    To understand the difference between bash and dash executions we can use the following test scripts:

    # cat stdin-test-cmp
    #!/bin/sh
    
    TEST_SH=bash strace -v -s500 -ff ./stdin-test 2>&1 | tee stdin-test-bash.out
    TEST_SH=dash strace -v -s500 -ff ./stdin-test 2>&1 | tee stdin-test-dash.out
    
    # cat stdin-test
    #!/bin/sh
    
    : ${TEST_SH:=dash}
    
    $TEST_SH <<"EOF"
    echo "Inner: pre"
    while read line; do echo "Eat: $line"; done
    echo "Inner: post"
    exit 3
    EOF
    
    echo "Outer: exit code = $?"
    

    When executing `./stdin-test-cmp` and comparing the generated files stdin-test-bash.out and stdin-test-dash.out you’ll notice that dash consumes all stdin in one single go (a single `read(0, …)`), instead of character-by-character as specified by POSIX and implemented by bash, ksh, mksh, posh and zsh. See stdin-test-bash.out on the left side and stdin-test-dash.out on the right side in this screenshot:

    screenshot of vimdiff on *.out files

    So when ssh tries to read from stdin there’s nothing there anymore.

    Quoting POSIX’s sh section:

    When the shell is using standard input and it invokes a command that also uses standard input, the shell shall ensure that the standard input file pointer points directly after the command it has read when the command begins execution. It shall not read ahead in such a manner that any characters intended to be read by the invoked command are consumed by the shell (whether interpreted by the shell or not) or that characters that are not read by the invoked command are not seen by the shell. When the command expecting to read standard input is started asynchronously by an interactive shell, it is unspecified whether characters are read by the command or interpreted by the shell.

    If the standard input to sh is a FIFO or terminal device and is set to non-blocking reads, then sh shall enable blocking reads on standard input. This shall remain in effect when the command completes.

    So while we learned that both bash and ssh are consuming from stdin and this needs to be prevented by either using ssh’s `-n` or explicitly specifying stdin, we also noticed that dash’s behavior is different from all the other main shells and could be considered a bug.

    Lessons learned:

    • Be aware of ssh’s `-n` option when using ssh/scp inside scripts.
    • Feeding shell scripts via stdin is not only error-prone but also very inefficient, as for a standards-compliant implementation it requires a read(2) system call per byte of input. Instead, create a temporary script and execute that.
    • When debugging problems make sure to explore different approaches and tools to ensure you’re not relying on a buggy behavior in any involved tool.
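As an added example (not part of the original post), the following Python script reproduces the stdin-sharing problem without ssh or a chroot and shows both remedies from the lessons learned: `cat >/dev/null` stands in for the ssh command, the `</dev/null` redirection is what ssh’s `-n` does, and the temp-file variant is the "create a temporary script" advice. The scripts it runs are constructed inline; as the post notes, the buggy variant only misbehaves under bash and the other byte-at-a-time shells, so under dash it may already return 3.

```python
#!/usr/bin/env python3
"""Show how a shell fed its script on stdin loses the rest of the script to a
child that also reads stdin, and how the exit code the caller sees changes.

Added example, not part of the original post."""
import os
import shutil
import subprocess
import tempfile

# Constructed scripts: the caller should see exit code 3 from each of them.
BUGGY_SCRIPT = "cat >/dev/null\nexit 3\n"            # child shares stdin
FIXED_SCRIPT = "cat >/dev/null </dev/null\nexit 3\n"  # child's stdin detached, like ssh -n
BASH = shutil.which("bash")   # None if bash is not installed
SH = "/bin/sh"


def run_from_stdin(shell: str, script: str) -> int:
    """Feed the script to the shell on stdin, as `chroot <<EOF / /bin/bash` does.
    With bash the child in BUGGY_SCRIPT swallows the `exit 3` line, the shell
    hits EOF and returns the child's status (0) instead."""
    proc = subprocess.run([shell], input=script.encode(), capture_output=True)
    return proc.returncode


def run_from_file(shell: str, script: str) -> int:
    """Write the script to a temporary file and pass it as an argument.
    The shell reads its commands from the file, so nothing the script runs can
    consume them from stdin, whatever the shell's read strategy is."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(script)
        proc = subprocess.run([shell, path], stdin=subprocess.DEVNULL,
                              capture_output=True)
        return proc.returncode
    finally:
        os.unlink(path)


def compare(shell: str) -> dict:
    """Exit codes seen for each variant under the given shell."""
    return {
        "stdin, child shares stdin": run_from_stdin(shell, BUGGY_SCRIPT),
        "stdin, child </dev/null":   run_from_stdin(shell, FIXED_SCRIPT),
        "script file":               run_from_file(shell, BUGGY_SCRIPT),
    }


if __name__ == "__main__":
    for shell in filter(None, [BASH, SH]):
        print(shell)
        for variant, rc in compare(shell).items():
            print(f"  {variant:28s} -> exit code {rc}")
```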

    Thanks to Guillem Jover for review and feedback regarding this blog post.

    June 14 2017

    Grml 2017.05 – Codename Freedatensuppe

    The Debian stretch release is going to happen soon (on 2017-06-17) and since our latest Grml release is based on a very recent version of Debian stretch I’m taking this as opportunity to announce it also here. So by the end of May we released a new stable release of Grml (the Debian based live system focusing on system administrator’s needs), known as version 2017.05 with codename Freedatensuppe.

    Details about the changes of the new release are available in the official release notes and as usual the ISOs are available via grml.org/download.

    With this new Grml release we finally made the switch from file-rc to systemd. From a user’s point of view this doesn’t change that much, though to prevent having to answer even more mails regarding the switch I wrote down some thoughts in Grml’s FAQ. There are some things that we still need to improve and sort out, but overall the switch to systemd so far went better than anticipated (thanks a lot to the pkg-systemd folks, especially Felipe Sateler and Michael Biebl!).

    And last but not least, Darshaka Pathirana helped me a lot with the systemd integration and polishing the release, many thanks!

    Happy Grml-ing!

    May 26 2017

    The #newinstretch game: dbgsym packages in Debian/stretch

    Debug packages include debug symbols and so far were usually named <package>-dbg in Debian. Those packages are essential if you have to debug failing (especially: crashing) programs. Since December 2015 Debian has automatic dbgsym packages, built by default. Those packages are available as <package>-dbgsym, so starting with Debian/stretch you should no longer look for -dbg packages but for -dbgsym instead. Currently there are 13,369 dbgsym packages available for the amd64 architecture of Debian/stretch; compared to the 2,250 packages I counted for Debian/jessie this is a huge improvement. (If you’re interested in the details of dbgsym packages as a package maintainer take a look at the Automatic Debug Packages page in the Debian wiki.)

    The dbgsym packages are NOT provided by the usual Debian archive though (which is a good thing, since those packages consume a lot of disk space, e.g. just the amd64 stretch mirror of debian-debug consumes 47GB). Instead there’s a separate archive called debian-debug. To get access to the dbgsym packages via the debian-debug suite on your Debian/stretch system include the following entry in your apt sources.list configuration (replace deb.debian.org with whatever mirror you prefer) and run `apt-get update` afterwards:

    deb http://deb.debian.org/debian-debug/ stretch-debug main
    

    If you’re not yet familiar with usage of such debug packages let me give you a short demo.

    Let’s start with sending SIGILL (Illegal Instruction) to a running sha256sum process, causing it to write a so-called core dump file (this requires a non-zero core file size limit, see `ulimit -c`, and no core handler such as systemd-coredump intercepting the dump):

    % sha256sum /dev/urandom &
    [1] 1126
    % kill -4 1126
    % 
    [1]+  Illegal instruction     (core dumped) sha256sum /dev/urandom
    % ls
    core
    $ file core
    core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'sha256sum /dev/urandom', real uid: 1000, effective uid: 1000, real gid: 1000, effective gid: 1000, execfn: '/usr/bin/sha256sum', platform: 'x86_64'
    

    Now we can run the GNU Debugger (gdb) on this core file, executing:

    % gdb sha256sum core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...(no debugging symbols found)...done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in ?? ()
    (gdb) bt
    #0  0x000055fe9aab63db in ?? ()
    #1  0x000055fe9aab8606 in ?? ()
    #2  0x000055fe9aab4e5b in ?? ()
    #3  0x000055fe9aab42ea in ?? ()
    #4  0x00007faec30872b1 in __libc_start_main (main=0x55fe9aab3ae0, argc=2, argv=0x7ffc512951f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc512951e8) at ../csu/libc-start.c:291
    #5  0x000055fe9aab4b5a in ?? ()
    (gdb) 
    

    As you can see from the many “??” placeholders, the “bt” command (short for backtrace) doesn’t provide useful information.
    So let’s install the corresponding debug package, which is coreutils-dbgsym in this case (the sha256sum binary which generated the core file is part of the coreutils package; `dpkg -S /usr/bin/sha256sum` tells you the owning package if you’re unsure). Then let’s rerun the same gdb steps:

    % gdb sha256sum core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...Reading symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug...done.
    done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    526     lib/sha256.c: No such file or directory.
    (gdb) bt
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    #1  0x000055fe9aab8606 in sha256_stream (stream=0x55fe9be95060, resblock=0x7ffc51295080) at lib/sha256.c:230
    #2  0x000055fe9aab4e5b in digest_file (filename=0x7ffc51295f3a "/dev/urandom", bin_result=0x7ffc51295080 "\001", missing=0x7ffc51295078, binary=<optimized out>) at src/md5sum.c:624
    #3  0x000055fe9aab42ea in main (argc=<optimized out>, argv=<optimized out>) at src/md5sum.c:1036
    

    As you can see it’s now reading the debug symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug, which is what we were looking for.
    gdb also tells us that it can’t find lib/sha256.c. For even better debugging it’s useful to have the corresponding source code available. This is just an `apt-get source coreutils ; cd coreutils-8.26/` away (it needs a deb-src entry for stretch in your sources.list):

    ~/coreutils-8.26 % gdb sha256sum ~/core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...Reading symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug...done.
    done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    526           R( h, a, b, c, d, e, f, g, K(25), M(25) );
    (gdb) bt
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    #1  0x000055fe9aab8606 in sha256_stream (stream=0x55fe9be95060, resblock=0x7ffc51295080) at lib/sha256.c:230
    #2  0x000055fe9aab4e5b in digest_file (filename=0x7ffc51295f3a "/dev/urandom", bin_result=0x7ffc51295080 "\001", missing=0x7ffc51295078, binary=<optimized out>) at src/md5sum.c:624
    #3  0x000055fe9aab42ea in main (argc=<optimized out>, argv=<optimized out>) at src/md5sum.c:1036
    (gdb) 
    

    Now we’re ready for all the debugging magic. :)
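
    How gdb found that .debug file, as an added example that is not part of the original post: separate debug files are looked up by the binary’s GNU build-id, and Debian’s dbgsym packages install them at exactly that path. The `readelf -n` output below is a constructed sample using the build-id from the session above; the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original post: compute the path under
# /usr/lib/debug where gdb expects a binary's separate debug file, from
# the GNU build-id note. dbgsym packages install their files exactly
# there, which is why gdb picked up the symbols once coreutils-dbgsym
# was installed.

# Pull the 40-hex-digit build-id out of `readelf -n <binary>` output on stdin.
build_id_from_notes() {
    sed -n 's/^[[:space:]]*Build ID:[[:space:]]*\([0-9a-f]\{40\}\).*/\1/p' | head -n 1
}

# Map a build-id to gdb's lookup path: the first two hex digits become a
# directory, the remaining 38 the file name, plus a .debug suffix.
debug_path_for_build_id() {
    case $1 in
        *[!0-9a-f]*|'') echo "invalid build-id: $1" >&2; return 1 ;;
    esac
    [ ${#1} -eq 40 ] || { echo "invalid build-id length: $1" >&2; return 1; }
    printf '/usr/lib/debug/.build-id/%s/%s.debug\n' \
        "$(printf '%s' "$1" | cut -c1-2)" "$(printf '%s' "$1" | cut -c3-)"
}

# Constructed sample of `readelf -n /usr/bin/sha256sum` output, using the
# build-id gdb reported in the session above.
SAMPLE_NOTES='Displaying notes found in: .note.gnu.build-id
  Owner                 Data size       Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: a4b946ef7c161f2d215518ca38d3f0300bcbdbb7'

# On a real system (needs binutils and the dbgsym package installed):
#   id=$(readelf -n /usr/bin/sha256sum | build_id_from_notes)
#   debug_path_for_build_id "$id"      # the file gdb will read symbols from
#   dpkg -S /usr/bin/sha256sum         # -> coreutils, so install coreutils-dbgsym
#   readelf -n "$(debug_path_for_build_id "$id")" | build_id_from_notes   # must equal $id
```

    The last line of the usage comment is the check worth doing when a backtrace looks odd: the build-id inside the installed .debug file has to equal the binary’s, otherwise you are looking at symbols from a different build. And treat core files as sensitive data: a core is a snapshot of the process’s memory, including any keys or passwords it held, so keep it off shared systems and out of public bug reports.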

    Thanks to everyone who was involved in getting us the automatic dbgsym package builds in Debian!

    May 25 2017

    The #newinstretch game: new forensic packages in Debian/stretch

    Repeating what I did for the last Debian releases with the #newinwheezy and #newinjessie games it’s time for the #newinstretch game:

    Debian/stretch AKA Debian 9.0 will include a bunch of packages for people interested in digital forensics. The packages maintained within the Debian Forensics team which are new in the Debian/stretch release as compared to Debian/jessie (and ignoring jessie-backports):

    • bruteforce-salted-openssl: try to find the passphrase for files encrypted with OpenSSL
    • cewl: custom word list generator
    • dfdatetime/python-dfdatetime: Digital Forensics date and time library
    • dfvfs/python-dfvfs: Digital Forensics Virtual File System
    • dfwinreg: Digital Forensics Windows Registry library
    • dislocker: read/write encrypted BitLocker volumes
    • forensics-all: Debian Forensics Environment – essential components (metapackage)
    • forensics-colorize: show differences between files using color graphics
    • forensics-extra: Forensics Environment – extra console components (metapackage)
    • hashdeep: recursively compute hashsums or piecewise hashings
    • hashrat: hashing tool supporting several hashes and recursivity
    • libesedb(-utils): Extensible Storage Engine DB access library
    • libevt(-utils): Windows Event Log (EVT) format access library
    • libevtx(-utils): Windows XML Event Log format access library
    • libfsntfs(-utils): NTFS access library
    • libfvde(-utils): FileVault Drive Encryption access library
    • libfwnt: Windows NT data type library
    • libfwsi: Windows Shell Item format access library
    • liblnk(-utils): Windows Shortcut File format access library
    • libmsiecf(-utils): Microsoft Internet Explorer Cache File access library
    • libolecf(-utils): OLE2 Compound File format access library
    • libqcow(-utils): QEMU Copy-On-Write image format access library
    • libregf(-utils): Windows NT Registry File (REGF) format access library
    • libscca(-utils): Windows Prefetch File access library
    • libsigscan(-utils): binary signature scanning library
    • libsmdev(-utils): storage media device access library
    • libsmraw(-utils): split RAW image format access library
    • libvhdi(-utils): Virtual Hard Disk image format access library
    • libvmdk(-utils): VMWare Virtual Disk format access library
    • libvshadow(-utils): Volume Shadow Snapshot format access library
    • libvslvm(-utils): Linux LVM volume system format access library
    • plaso: super timeline all the things
    • pompem: Exploit and Vulnerability Finder
    • pytsk/python-tsk: Python Bindings for The Sleuth Kit
    • rekall(-core): memory analysis and incident response framework
    • unhide.rb: Forensic tool to find processes hidden by rootkits (was already present in wheezy but missing in jessie, available via jessie-backports though)
    • winregfs: Windows registry FUSE filesystem

    Join the #newinstretch game and present packages and features which are new in Debian/stretch.

    May 19 2017

    Debian stretch: changes in util-linux #newinstretch

    We’re coming closer to the Debian/stretch stable release and similar to what we had with #newinwheezy and #newinjessie it’s time for #newinstretch!

    Hideki Yamane already started the game by blogging about GitHub’s Icon font, fonts-octicons and Arturo Borrero Gonzalez wrote a nice article about nftables in Debian/stretch.

    One package that isn’t new but its tools are used by many of us is util-linux, providing many essential system utilities. We have util-linux v2.25.2 in Debian/jessie and in Debian/stretch there will be util-linux >=v2.29.2. There are many new options available and we also have a few new tools available.

    Tools that have been taken over from other packages

    • last: used to be shipped via sysvinit-utils in Debian/jessie
    • lastb: used to be shipped via sysvinit-utils in Debian/jessie
    • mesg: used to be shipped via sysvinit-utils in Debian/jessie
    • mountpoint: used to be shipped via initscripts in Debian/jessie
    • sulogin: used to be shipped via sysvinit-utils in Debian/jessie

    New tools

    • lsipc: show information on IPC facilities, e.g.:
    root@ff2713f55b36:/# lsipc
    RESOURCE DESCRIPTION                                              LIMIT USED  USE%
    MSGMNI   Number of message queues                                 32000    0 0.00%
    MSGMAX   Max size of message (bytes)                               8192    -     -
    MSGMNB   Default max size of queue (bytes)                        16384    -     -
    SHMMNI   Shared memory segments                                    4096    0 0.00%
    SHMALL   Shared memory pages                       18446744073692774399    0 0.00%
    SHMMAX   Max size of shared memory segment (bytes) 18446744073692774399    -     -
    SHMMIN   Min size of shared memory segment (bytes)                    1    -     -
    SEMMNI   Number of semaphore identifiers                          32000    0 0.00%
    SEMMNS   Total number of semaphores                          1024000000    0 0.00%
    SEMMSL   Max semaphores per semaphore set.                        32000    -     -
    SEMOPM   Max number of operations per semop(2)                      500    -     -
    SEMVMX   Semaphore max value                                      32767    -     -
    
    • lslogins: display information about known users in the system, e.g.:
    root@ff2713f55b36:/# lslogins
      UID USER     PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
        0 root        2        0        1            root
        1 daemon      0        0        1            daemon
        2 bin         0        0        1            bin
        3 sys         0        0        1            sys
        4 sync        0        0        1            sync
        5 games       0        0        1            games
        6 man         0        0        1            man
        7 lp          0        0        1            lp
        8 mail        0        0        1            mail
        9 news        0        0        1            news
       10 uucp        0        0        1            uucp
       13 proxy       0        0        1            proxy
       33 www-data    0        0        1            www-data
       34 backup      0        0        1            backup
       38 list        0        0        1            Mailing List Manager
       39 irc         0        0        1            ircd
       41 gnats       0        0        1            Gnats Bug-Reporting System (admin)
      100 _apt        0        0        1            
    65534 nobody      0        0        1            nobody
    
    • lsns: list system namespaces, e.g.:
    root@ff2713f55b36:/# lsns
            NS TYPE   NPROCS PID USER COMMAND
    4026531835 cgroup      2   1 root bash
    4026531837 user        2   1 root bash
    4026532473 mnt         2   1 root bash
    4026532474 uts         2   1 root bash
    4026532475 ipc         2   1 root bash
    4026532476 pid         2   1 root bash
    4026532478 net         2   1 root bash
    
    • setpriv: run a program with different privilege settings
    • zramctl: tool to quickly set up zram device parameters, to reset zram devices, and to query the status of used zram devices
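
    Where the NS column of lsns comes from, as an added example (not code from the original post or from util-linux): lsns reads the /proc/<pid>/ns/* symlinks, whose targets look like `mnt:[4026532473]`. Doing the same by hand is a cheap way to spot processes that do not share PID 1’s mount, pid or network namespace, i.e. containers or sandboxed processes on a host. The function names and the sample link targets are mine.

```sh
#!/bin/sh
# Added example, not from the original post or util-linux: derive namespace
# ids the way lsns does (from /proc/<pid>/ns/* symlink targets) and flag
# processes that live outside PID 1's mount, pid or net namespace.

# Extract the inode number from a link target such as "mnt:[4026532473]".
ns_inode() {
    case $1 in
        *:\[[0-9]*\]) printf '%s\n' "$1" | sed 's/^[a-z_]*:\[\([0-9]*\)\]$/\1/' ;;
        *) return 1 ;;
    esac
}

# Succeed when two link targets name the same namespace.
same_ns() {
    a=$(ns_inode "$1") && b=$(ns_inode "$2") && [ "$a" = "$b" ]
}

# Walk /proc and print "<pid> <type> <target>" for every process that is
# not in PID 1's namespace of that type. Reading other users' ns links
# needs root; unreadable entries are skipped.
procs_outside_init_ns() {
    for type in mnt pid net; do
        init_ns=$(readlink "/proc/1/ns/$type" 2>/dev/null) || continue
        for dir in /proc/[0-9]*; do
            pid=${dir#/proc/}
            ns=$(readlink "$dir/ns/$type" 2>/dev/null) || continue
            same_ns "$init_ns" "$ns" || printf '%s %s %s\n' "$pid" "$type" "$ns"
        done
    done
}

# Run on a live system: procs_outside_init_ns
# An empty result means everything shares init's namespaces, like the
# single-container lsns output above.
```

    Compare the output with `lsns -t mnt -t pid -t net` on the same box; the inode numbers are the same ones lsns prints. Note that namespace inodes are only meaningful on one kernel instance and get reused, so record them together with the PID and the time of the check rather than treating them as stable identifiers.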
    New features/options

    blkdiscard (discard the content of sectors on a device):

    -p, --step <num>    size of the discard iterations within the offset
    -z, --zeroout       zero-fill rather than discard
    

    chrt (show or change the real-time scheduling attributes of a process):

    -d, --deadline            set policy to SCHED_DEADLINE
    -T, --sched-runtime <ns>  runtime parameter for DEADLINE
    -P, --sched-period <ns>   period parameter for DEADLINE
    -D, --sched-deadline <ns> deadline parameter for DEADLINE
    

    fdformat (do a low-level formatting of a floppy disk):

    -f, --from <N>    start at the track N (default 0)
    -t, --to <N>      stop at the track N
    -r, --repair <N>  try to repair tracks failed during the verification (max N retries)
    

    fdisk (display or manipulate a disk partition table):

    -B, --protect-boot            don't erase bootbits when creating a new label
    -o, --output <list>           output columns
        --bytes                   print SIZE in bytes rather than in human readable format
    -w, --wipe <mode>             wipe signatures (auto, always or never)
    -W, --wipe-partitions <mode>  wipe signatures from new partitions (auto, always or never)
    
    New available columns (for -o):
    
     gpt: Device Start End Sectors Size Type Type-UUID Attrs Name UUID
     dos: Device Start End Sectors Cylinders Size Type Id Attrs Boot End-C/H/S Start-C/H/S
     bsd: Slice Start End Sectors Cylinders Size Type Bsize Cpg Fsize
     sgi: Device Start End Sectors Cylinders Size Type Id Attrs
     sun: Device Start End Sectors Cylinders Size Type Id Flags
    

    findmnt (find a (mounted) filesystem):

    -J, --json             use JSON output format
    -M, --mountpoint <dir> the mountpoint directory
    -x, --verify           verify mount table content (default is fstab)
        --verbose          print more details
    

    flock (manage file locks from shell scripts):

    -F, --no-fork            execute command without forking
        --verbose            increase verbosity
    

    getty (open a terminal and set its mode):

    --reload               reload prompts on running agetty instances
    

    hwclock (query or set the hardware clock):

    --get            read hardware clock and print drift corrected result
    --update-drift   update drift factor in /etc/adjtime (requires --set or --systohc)
    

    ldattach (attach a line discipline to a serial line):

    -c, --intro-command <string>  intro sent before ldattach
    -p, --pause <seconds>         pause between intro and ldattach
    

    logger (enter messages into the system log):

    -e, --skip-empty         do not log empty lines when processing files
        --no-act             do everything except write the log
        --octet-count        use rfc6587 octet counting
    -S, --size <size>        maximum size for a single message
        --rfc3164            use the obsolete BSD syslog protocol
        --rfc5424[=<snip>]   use the syslog protocol (the default for remote);
                               <snip> can be notime, or notq, and/or nohost
        --sd-id <id>         rfc5424 structured data ID
        --sd-param <data>    rfc5424 structured data name=value
        --msgid <msgid>      set rfc5424 message id field
        --socket-errors[=<on|off|auto>] print connection errors when using Unix sockets
    

    losetup (set up and control loop devices):

    -L, --nooverlap               avoid possible conflict between devices
        --direct-io[=<on|off>]    open backing file with O_DIRECT 
    -J, --json                    use JSON --list output format
    
    New available --list column:
    
    DIO  access backing file with direct-io
    

    lsblk (list information about block devices):

    -J, --json           use JSON output format
    
    New available columns (for --output):
    
    HOTPLUG  removable or hotplug device (usb, pcmcia, ...)
    SUBSYSTEMS  de-duplicated chain of subsystems
    

    lscpu (display information about the CPU architecture):

    -y, --physical          print physical instead of logical IDs
    
    New available column:
    
    DRAWER  logical drawer number
    

    lslocks (list local system locks):

    -J, --json             use JSON output format
    -i, --noinaccessible   ignore locks without read permissions
    

    nsenter (run a program with namespaces of other processes):

    -C, --cgroup[=<file>]      enter cgroup namespace
        --preserve-credentials do not touch uids or gids
    -Z, --follow-context       set SELinux context according to --target PID
    

    rtcwake (enter a system sleep state until a specified wakeup time):

    --date <timestamp>   date time of timestamp to wake
    --list-modes         list available modes
    

    sfdisk (display or manipulate a disk partition table):

    New Commands:
    
    -J, --json <dev>                  dump partition table in JSON format
    -F, --list-free [<dev> ...]       list unpartitioned free areas of each device
    -r, --reorder <dev>               fix partitions order (by start offset)
        --delete <dev> [<part> ...]   delete all or specified partitions
    --part-label <dev> <part> [<str>] print or change partition label
    --part-type <dev> <part> [<type>] print or change partition type
    --part-uuid <dev> <part> [<uuid>] print or change partition uuid
    --part-attrs <dev> <part> [<str>] print or change partition attributes
    
    New Options:
    
    -a, --append                   append partitions to existing partition table
    -b, --backup                   backup partition table sectors (see -O)
        --bytes                    print SIZE in bytes rather than in human readable format
        --move-data[=<typescript>] move partition data after relocation (requires -N)
        --color[=<when>]           colorize output (auto, always or never)
                                   colors are enabled by default
    -N, --partno <num>             specify partition number
    -n, --no-act                   do everything except write to device
        --no-tell-kernel           do not tell kernel about changes
    -O, --backup-file <path>       override default backup file name
    -o, --output <list>            output columns
    -w, --wipe <mode>              wipe signatures (auto, always or never)
    -W, --wipe-partitions <mode>   wipe signatures from new partitions (auto, always or never)
    -X, --label <name>             specify label type (dos, gpt, ...)
    -Y, --label-nested <name>      specify nested label type (dos, bsd)
    
    Available columns (for -o):
    
     gpt: Device Start End Sectors Size Type Type-UUID Attrs Name UUID
     dos: Device Start End Sectors Cylinders Size Type Id Attrs Boot End-C/H/S Start-C/H/S
     bsd: Slice Start  End Sectors Cylinders Size Type Bsize Cpg Fsize
     sgi: Device Start End Sectors Cylinders Size Type Id Attrs
     sun: Device Start End Sectors Cylinders Size Type Id Flags
    

    swapon (enable devices and files for paging and swapping):

    -o, --options <list>     comma-separated list of swap options
    
    New available columns (for --show):
    
    UUID   swap uuid
    LABEL  swap label
    

    unshare (run a program with some namespaces unshared from the parent):

    -C, --cgroup[=<file>]                              unshare cgroup namespace
        --propagation slave|shared|private|unchanged   modify mount propagation in mount namespace
    -s, --setgroups allow|deny                         control the setgroups syscall in user namespaces
    

    Deprecated / removed options

    sfdisk (display or manipulate a disk partition table):

    -c, --id                  change or print partition Id
        --change-id           change Id
        --print-id            print Id
    -C, --cylinders <number>  set the number of cylinders to use
    -H, --heads <number>      set the number of heads to use
    -S, --sectors <number>    set the number of sectors to use
    -G, --show-pt-geometry    deprecated, alias to --show-geometry
    -L, --Linux               deprecated, only for backward compatibility
    -u, --unit S              deprecated, only sector unit is supported
    

    June 14 2017

    Grml 2017.05 – Codename Freedatensuppe

    The Debian stretch release is going to happen soon (on 2017-06-17) and since our latest Grml release is based on a very recent version of Debian stretch I’m taking this as opportunity to announce it also here. So by the end of May we released a new stable release of Grml (the Debian based live system focusing on system administrator’s needs), known as version 2017.05 with codename Freedatensuppe.

    Details about the changes of the new release are available in the official release notes and as usual the ISOs are available via grml.org/download.

    With this new Grml release we finally made the switch from file-rc to systemd. From a user’s point of view this doesn’t change that much, though to prevent having to answer even more mails regarding the switch I wrote down some thoughts in Grml’s FAQ. There are some things that we still need to improve and sort out, but overall the switch to systemd so far went better than anticipated (thanks a lot to the pkg-systemd folks, especially Felipe Sateler and Michael Biebl!).

    And last but not least, Darshaka Pathirana helped me a lot with the systemd integration and polishing the release, many thanks!

    Happy Grml-ing!

    May 26 2017

    The #newinstretch game: dbgsym packages in Debian/stretch

    Debug packages include debug symbols and so far were usually named <package>-dbg in Debian. Those packages are essential if you’ve to debug failing (especially: crashing) programs. Since December 2015 Debian has automatic dbgsym packages, being built by default. Those packages are available as <package>-dbgsym, so starting with Debian/stretch you should no longer look for -dbg packages but for -dbgsym instead. Currently there are 13.369 dbgsym packages available for the amd64 architecture of Debian/stretch, comparing this to the 2.250 packages which I counted being available for Debian/jessie this is really a huge improvement. (If you’re interested in the details of dbgsym packages as a package maintainer take a look at the Automatic Debug Packages page in the Debian wiki.)

    The dbgsym packages are NOT provided by the usual Debian archive though (which is good thing, since those packages are quite disk space consuming, e.g. just the amd64 stretch mirror of debian-debug consumes 47GB). Instead there’s a new archive called debian-debug. To get access to the dbgsym packages via the debian-debug suite on your Debian/stretch system include the following entry in your apt’s sources.list configuration (replace deb.debian.org with whatever mirror you prefer):

    deb http://deb.debian.org/debian-debug/ stretch-debug main
    

    If you’re not yet familiar with usage of such debug packages let me give you a short demo.

    Let’s start with sending SIGILL (Illegal Instruction) to a running sha256sum process, causing it to generate a so called core dump file:

    % sha256sum /dev/urandom &
    [1] 1126
    % kill -4 1126
    % 
    [1]+  Illegal instruction     (core dumped) sha256sum /dev/urandom
    % ls
    core
    $ file core
    core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'sha256sum /dev/urandom', real uid: 1000, effective uid: 1000, real gid: 1000, effective gid: 1000, execfn: '/usr/bin/sha256sum', platform: 'x86_64'
    

    Now we can run the GNU Debugger (gdb) on this core file, executing:

    % gdb sha256sum core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...(no debugging symbols found)...done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in ?? ()
    (gdb) bt
    #0  0x000055fe9aab63db in ?? ()
    #1  0x000055fe9aab8606 in ?? ()
    #2  0x000055fe9aab4e5b in ?? ()
    #3  0x000055fe9aab42ea in ?? ()
    #4  0x00007faec30872b1 in __libc_start_main (main=0x55fe9aab3ae0, argc=2, argv=0x7ffc512951f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc512951e8) at ../csu/libc-start.c:291
    #5  0x000055fe9aab4b5a in ?? ()
    (gdb) 
    

    As you can see by the several “??” question marks, the “bt” command (short for backtrace) doesn’t provide useful information.
    So let’s install the according debug package, which is coreutils-dbgsym in this case (since the sha256sum binary which generated the core file is part of the coreutils package). Then let’s rerun the same gdb steps:

    % gdb sha256sum core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...Reading symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug...done.
    done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    526     lib/sha256.c: No such file or directory.
    (gdb) bt
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    #1  0x000055fe9aab8606 in sha256_stream (stream=0x55fe9be95060, resblock=0x7ffc51295080) at lib/sha256.c:230
    #2  0x000055fe9aab4e5b in digest_file (filename=0x7ffc51295f3a "/dev/urandom", bin_result=0x7ffc51295080 "\001", missing=0x7ffc51295078, binary=<optimized out>) at src/md5sum.c:624
    #3  0x000055fe9aab42ea in main (argc=<optimized out>, argv=<optimized out>) at src/md5sum.c:1036
    

    As you can see it’s reading the debug symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug and this is what we were looking for.
    gdb now also tells us that we don’t have lib/sha256.c available. For even better debugging it’s useful to have the according source code available. This is also just an `apt-get source coreutils ; cd coreutils-8.26/` away:

    ~/coreutils-8.26 % gdb sha256sum ~/core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...Reading symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug...done.
    done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    526           R( h, a, b, c, d, e, f, g, K(25), M(25) );
    (gdb) bt
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    #1  0x000055fe9aab8606 in sha256_stream (stream=0x55fe9be95060, resblock=0x7ffc51295080) at lib/sha256.c:230
    #2  0x000055fe9aab4e5b in digest_file (filename=0x7ffc51295f3a "/dev/urandom", bin_result=0x7ffc51295080 "\001", missing=0x7ffc51295078, binary=<optimized out>) at src/md5sum.c:624
    #3  0x000055fe9aab42ea in main (argc=<optimized out>, argv=<optimized out>) at src/md5sum.c:1036
    (gdb) 
    

    Now we’re ready for all the debugging magic. :)

    Thanks to everyone who was involved in getting us the automatic dbgsym package builds in Debian!

    May 25 2017

    The #newinstretch game: new forensic packages in Debian/stretch

    Repeating what I did for the last Debian releases with the #newinwheezy and #newinjessie games it’s time for the #newinstretch game:

    Debian/stretch AKA Debian 9.0 will include a bunch of packages for people interested in digital forensics. The packages maintained within the Debian Forensics team which are new in the Debian/stretch release as compared to Debian/jessie (and ignoring jessie-backports):

    • bruteforce-salted-openssl: try to find the passphrase for files encrypted with OpenSSL
    • cewl: custom word list generator
    • dfdatetime/python-dfdatetime: Digital Forensics date and time library
    • dfvfs/python-dfvfs: Digital Forensics Virtual File System
    • dfwinreg: Digital Forensics Windows Registry library
    • dislocker: read/write encrypted BitLocker volumes
    • forensics-all: Debian Forensics Environment – essential components (metapackage)
    • forensics-colorize: show differences between files using color graphics
    • forensics-extra: Forensics Environment – extra console components (metapackage)
    • hashdeep: recursively compute hashsums or piecewise hashings
    • hashrat: hashing tool supporting several hashes and recursivity
    • libesedb(-utils): Extensible Storage Engine DB access library
    • libevt(-utils): Windows Event Log (EVT) format access library
    • libevtx(-utils): Windows XML Event Log format access library
    • libfsntfs(-utils): NTFS access library
    • libfvde(-utils): FileVault Drive Encryption access library
    • libfwnt: Windows NT data type library
    • libfwsi: Windows Shell Item format access library
    • liblnk(-utils): Windows Shortcut File format access library
    • libmsiecf(-utils): Microsoft Internet Explorer Cache File access library
    • libolecf(-utils): OLE2 Compound File format access library
    • libqcow(-utils): QEMU Copy-On-Write image format access library
    • libregf(-utils): Windows NT Registry File (REGF) format access library
    • libscca(-utils): Windows Prefetch File access library
    • libsigscan(-utils): binary signature scanning library
    • libsmdev(-utils): storage media device access library
    • libsmraw(-utils): split RAW image format access library
    • libvhdi(-utils): Virtual Hard Disk image format access library
    • libvmdk(-utils): VMWare Virtual Disk format access library
    • libvshadow(-utils): Volume Shadow Snapshot format access library
    • libvslvm(-utils): Linux LVM volume system format access library
    • plaso: super timeline all the things
    • pompem: Exploit and Vulnerability Finder
    • pytsk/python-tsk: Python Bindings for The Sleuth Kit
    • rekall(-core): memory analysis and incident response framework
    • unhide.rb: Forensic tool to find processes hidden by rootkits (was already present in wheezy but missing in jessie, available via jessie-backports though)
    • winregfs: Windows registry FUSE filesystem

    Join the #newinstretch game and present packages and features which are new in Debian/stretch.

    May 26 2017

    The #newinstretch game: dbgsym packages in Debian/stretch

    Debug packages include debug symbols and so far were usually named <package>-dbg in Debian. Those packages are essential if you have to debug failing (especially: crashing) programs. Since December 2015 Debian has automatic dbgsym packages, which are built by default. Those packages are available as <package>-dbgsym, so starting with Debian/stretch you should no longer look for -dbg packages but for -dbgsym instead. Currently there are 13.369 dbgsym packages available for the amd64 architecture of Debian/stretch; compared to the 2.250 packages which I counted being available for Debian/jessie this is really a huge improvement. (If you’re interested in the details of dbgsym packages as a package maintainer take a look at the Automatic Debug Packages page in the Debian wiki.)

    The dbgsym packages are NOT provided by the usual Debian archive though (which is a good thing, since those packages consume quite a lot of disk space, e.g. just the amd64 stretch mirror of debian-debug consumes 47GB). Instead there’s a new archive called debian-debug. To get access to the dbgsym packages via the debian-debug suite on your Debian/stretch system include the following entry in your apt sources.list configuration (replace deb.debian.org with whatever mirror you prefer):

    deb http://deb.debian.org/debian-debug/ stretch-debug main
    

    If you’re not yet familiar with usage of such debug packages let me give you a short demo.

    Let’s start with sending SIGILL (Illegal Instruction) to a running sha256sum process, causing it to generate a so-called core dump file:

    % sha256sum /dev/urandom &
    [1] 1126
    % kill -4 1126
    % 
    [1]+  Illegal instruction     (core dumped) sha256sum /dev/urandom
    % ls
    core
    $ file core
    core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'sha256sum /dev/urandom', real uid: 1000, effective uid: 1000, real gid: 1000, effective gid: 1000, execfn: '/usr/bin/sha256sum', platform: 'x86_64'
    
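Whether a `core` file shows up in the working directory as in the session above depends on two settings of the machine, not on the signal: the soft RLIMIT_CORE (`ulimit -c`) must be non-zero, and `kernel.core_pattern` must not hand the dump to a pipe helper (in which case the dump lands wherever that helper stores it, not next to the process). The following is an added example, not part of the post, that reads both settings and tells you where a dump would go; the sample pattern strings in the test are constructed.

```python
"""Check whether a crashing process on this host leaves a core file, and where."""
import os
import resource

CORE_PATTERN = "/proc/sys/kernel/core_pattern"


def classify_core_pattern(pattern):
    """Map a kernel.core_pattern value to where the dump ends up.

    A leading '|' means the kernel pipes the dump into a handler program
    (systemd-coredump, apport, ...) and no 'core' file appears in the working
    directory; an absolute path is written at that location; anything else is
    relative to the current working directory of the crashing process.
    Returns (kind, location).
    """
    pattern = pattern.strip()
    if pattern.startswith("|"):
        handler = pattern[1:].split()[0]
        return "pipe", handler
    if pattern.startswith("/"):
        return "absolute", os.path.dirname(pattern)
    return "cwd", pattern


def core_limit_ok(soft_limit):
    """RLIMIT_CORE soft limit 0 disables dumps; RLIM_INFINITY (-1) means unlimited."""
    return soft_limit != 0


def core_dump_settings():
    """Read the live settings of this machine (Linux only)."""
    with open(CORE_PATTERN) as f:
        kind, where = classify_core_pattern(f.read())
    soft, _hard = resource.getrlimit(resource.RLIMIT_CORE)
    return {
        "kind": kind,
        "where": where,
        "core_limit": soft,
        "enabled": core_limit_ok(soft),
    }


if __name__ == "__main__":
    s = core_dump_settings()
    if not s["enabled"]:
        print("core dumps disabled: run 'ulimit -c unlimited' in this shell first")
    elif s["kind"] == "pipe":
        print(f"dumps are piped to {s['where']}; look there, not in the cwd")
    else:
        print(f"dump will be written as {s['kind']} path: {s['where']}")
```

Run it in the shell you intend to crash the process from, since the RLIMIT_CORE soft limit is per process and inherited from that shell.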

    Now we can run the GNU Debugger (gdb) on this core file, executing:

    % gdb sha256sum core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...(no debugging symbols found)...done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in ?? ()
    (gdb) bt
    #0  0x000055fe9aab63db in ?? ()
    #1  0x000055fe9aab8606 in ?? ()
    #2  0x000055fe9aab4e5b in ?? ()
    #3  0x000055fe9aab42ea in ?? ()
    #4  0x00007faec30872b1 in __libc_start_main (main=0x55fe9aab3ae0, argc=2, argv=0x7ffc512951f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc512951e8) at ../csu/libc-start.c:291
    #5  0x000055fe9aab4b5a in ?? ()
    (gdb) 
    

    As you can see by the several “??” question marks, the “bt” command (short for backtrace) doesn’t provide useful information.
    So let’s install the corresponding debug package, which is coreutils-dbgsym in this case (since the sha256sum binary which generated the core file is part of the coreutils package). Then let’s rerun the same gdb steps:

    % gdb sha256sum core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...Reading symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug...done.
    done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    526     lib/sha256.c: No such file or directory.
    (gdb) bt
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    #1  0x000055fe9aab8606 in sha256_stream (stream=0x55fe9be95060, resblock=0x7ffc51295080) at lib/sha256.c:230
    #2  0x000055fe9aab4e5b in digest_file (filename=0x7ffc51295f3a "/dev/urandom", bin_result=0x7ffc51295080 "\001", missing=0x7ffc51295078, binary=<optimized out>) at src/md5sum.c:624
    #3  0x000055fe9aab42ea in main (argc=<optimized out>, argv=<optimized out>) at src/md5sum.c:1036
    

    As you can see it’s reading the debug symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug and this is what we were looking for.
    gdb now also tells us that we don’t have lib/sha256.c available. For even better debugging it’s useful to have the according source code available. This is also just an `apt-get source coreutils ; cd coreutils-8.26/` away:

    ~/coreutils-8.26 % gdb sha256sum ~/core
    [...]
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from sha256sum...Reading symbols from /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug...done.
    done.
    [New LWP 1126]
    Core was generated by `sha256sum /dev/urandom'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    526           R( h, a, b, c, d, e, f, g, K(25), M(25) );
    (gdb) bt
    #0  0x000055fe9aab63db in sha256_process_block (buffer=buffer@entry=0x55fe9be95290, len=len@entry=32768, ctx=ctx@entry=0x7ffc51294eb0) at lib/sha256.c:526
    #1  0x000055fe9aab8606 in sha256_stream (stream=0x55fe9be95060, resblock=0x7ffc51295080) at lib/sha256.c:230
    #2  0x000055fe9aab4e5b in digest_file (filename=0x7ffc51295f3a "/dev/urandom", bin_result=0x7ffc51295080 "\001", missing=0x7ffc51295078, binary=<optimized out>) at src/md5sum.c:624
    #3  0x000055fe9aab42ea in main (argc=<optimized out>, argv=<optimized out>) at src/md5sum.c:1036
    (gdb) 
    
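The path gdb printed, /usr/lib/debug/.build-id/a4/b946ef7c161f2d215518ca38d3f0300bcbdbb7.debug, is derived from the NT_GNU_BUILD_ID note the linker stores in the binary: the first byte of the build-id becomes the directory, the rest plus `.debug` the file name. The following is an added example, not code from the post or from Debian, that reads that note from an ELF64 binary and tells you whether the matching dbgsym file is installed; the binary path `/usr/bin/sha256sum` used by default and the `make_note` helper (which builds a sample note for testing) are assumptions of the example.

```python
"""Find the dbgsym file gdb would load for an ELF64 binary, via its build-id."""
import os
import struct

NT_GNU_BUILD_ID = 3                      # note type of the GNU build-id
PT_NOTE = 4                              # program header type carrying notes
DEBUG_ROOT = "/usr/lib/debug/.build-id"  # where Debian's dbgsym packages install


def build_id_from_notes(blob):
    """Walk a PT_NOTE payload and return the NT_GNU_BUILD_ID descriptor as hex.

    Each note is three little-endian 32-bit words (namesz, descsz, type)
    followed by the name and the descriptor, each padded to 4 bytes.
    """
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz]
        off += (namesz + 3) & ~3
        desc = blob[off:off + descsz]
        off += (descsz + 3) & ~3
        if name == b"GNU\0" and ntype == NT_GNU_BUILD_ID:
            return desc.hex()
    return None


def build_id_from_elf(path):
    """Parse the ELF64 little-endian program headers and scan PT_NOTE segments."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, ph)[0]
        if p_type != PT_NOTE:
            continue
        p_offset = struct.unpack_from("<Q", data, ph + 8)[0]
        p_filesz = struct.unpack_from("<Q", data, ph + 32)[0]
        bid = build_id_from_notes(data[p_offset:p_offset + p_filesz])
        if bid:
            return bid
    return None


def debug_file_for(build_id):
    """gdb's lookup rule: first byte as directory, remaining bytes + '.debug' as file."""
    return os.path.join(DEBUG_ROOT, build_id[:2], build_id[2:] + ".debug")


def dbgsym_status(path):
    """Return (build_id, debug_file, installed) for a binary on this system."""
    bid = build_id_from_elf(path)
    if bid is None:
        return None, None, False
    dbg = debug_file_for(bid)
    return bid, dbg, os.path.exists(dbg)


def make_note(build_id_hex):
    """Constructed sample: encode a build-id note the way the linker emits it."""
    desc = bytes.fromhex(build_id_hex)
    name = b"GNU\0"
    pad = b"\0" * ((-len(desc)) % 4)
    return struct.pack("<III", len(name), len(desc), NT_GNU_BUILD_ID) + name + desc + pad


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/sha256sum"  # assumed default
    bid, dbg, present = dbgsym_status(target)
    print(f"{target}: build-id {bid}")
    state = "found" if present else "missing (install the matching -dbgsym package)"
    print(f"  debug file {dbg}: {state}")
```

Because the lookup is keyed on the build-id rather than the package version, a dbgsym package from a different build of coreutils would install a file under a different directory and gdb would silently fall back to "no debugging symbols found"; comparing the two paths is the quickest way to spot that mismatch.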

    Now we’re ready for all the debugging magic. :)

    Thanks to everyone who was involved in getting us the automatic dbgsym package builds in Debian!
