If you like to block network access for certain users on a linux box it’s as simple as that:
/sbin/iptables -I OUTPUT -m owner --uid-ower <USERNAME> -j DROP
Username might also be the username of a running service.
Category Archives: Linux
APT sources list
Problem: when debian goes from “testing” to “stable” to “oldstable” the package sources change. eg. jessie-updates are remove, same happened to jessie-backports
The current file /etc/apt/sources.list for jessie (currently oldstable) could look like this
deb http://ftp.debian.org/debian/ jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free
Configure WLAN Statically in Debian/Linux
If you want to configure WLAN settings on a Linux machine statically you can use the normal /etc/network/interfaces configuration method of Debian. For WPA-PSK you can use this 3 steps:
Install the “wpasupplicant” package
Generate a psk line with “wpa_passphrase” and copy the hex string after “psk=”
root@server:~# wpa_passphrase WLANNAME
# reading passphrase from stdin
thepassword
network={
ssid="WLANNAME"
#psk="thepassword"
psk=fe5409c4831b3daafff41fe2e6ed15ba7ed18c87bab254315e0be5f9180573d3
}
Add some lines to /etc/network/interfaces using this hex string
allow-hotplug wlan0
iface wlan0 inet dhcp
metric 4
wpa-essid WLANNAME
wpa-scan-ssid 1
wpa-psk fe5409c4831b3daafff41fe2e6ed15ba7ed18c87bab254315e0be5f9180573d3
The line “wpa-scan-ssid 1” allows to use hidden WLAN that are not broadcasted. With “metric 4” you can make WLAN less preferred if there is a second LAN connection that should be preferred (default is “metric 1”).
No Text Console After NVME Storage Upgrade
Problem: After upgrading a system to NVME, Linux boots without textconsole, or sends the text console to the wrong graphics card.
Discussion: The NVME upgrade needed to change from BIOS boot to UEFI boot. UEFI boot disables the pure text console, and the kernel uses whatever frame buffer is available, or without text console if no frame buffer is available. That means the kernel config item “CONFIG_VGA_CONSOLE” does not work any longer in UEFI, at least on my hardware.
Solution: I activated a framebuffer console driver with this kernel config item: CONFIG_FB_EFI
Versions: Debian9, Linux 4.9, ASUS Z170-A, Nvidia GPU
Huawei Mate Book Pro X
I bought a new notebook, and installed a minimal Linux distribution on it.
While setting everything up, I put together a collection of configuration files and scripts,
and compiled them in this github repository:
New Vim 8 on Debian 9 Stretch has buggy Mouse/Paste/Syntax handling
The new Vim 8 on Debian tries again to appeal to the 95% of the people (the noobs) and adds features the are annoying to professionals. When these new features are buggy it’s even worse.
Problem: vim 8 on debian 9 has some annoying default settings for vim
- paste uses a vim internal clipboard instead the system clipboard (when not using shift). This is totally stupid because if you copy something from the browser to the editor you get something else. It might even be some thing you copied hours ago from a different file logged in from a different client
- The cursor jumps to the mouse cursor when clicking into vim. This sounds correct for non professional geeks but it’s actually annoying because I use “hjkl” to move the cursor and use the mouse to copy/paste and I hate it when I loose the cursor position when selecting text for copy/paste
- Syntax highlighting is so ugly and hard to read. Noobs may like this but again for professional geeks that’s annoying.
Changing this system wide should be easy by adding these two lines to /etc/vim/vimrc. But this fails.
syntax off
set mouse=
Settings in /etc/vim/vimrc are ignored because settings in /etc/vim/vimrc are overruled by “/usr/share/vim/vim80/defaults.vim”
Workaround: until Debian fixes this bug, you have two ways to change this.
Add the lines from above to “/usr/share/vim/vim80/defaults.vim” directly.
Remember that this change might be over written when vim is updated.
When you don’t like the autoindent feature you can also add this line:
filetype plugin indent off
If you want to be save for system updates you can ignore default.vim all together by adding “/etc/vim/vimrc.local” to your system with this content:
let g:skip_defaults_vim = 1
set mouse=””
Boot ISO from USB Stick
Many Linux distribution builders like Devuan and Debian produce hybrid ISO image that work on discs and USB sticks. You can make bootable USB sticks by simply copying the image to the USB device with this command
dd if=isoimage of=/dev/sdX bs=10240
You can find the device name (X) by looking into dmesg oder lsscsi, and looking for newly plugged scsi/block devices.
But some companies still don’t know about hybrid images and provide ISO images the need to be on disk. (like samsung SSD updater).
Workarround: You can use SysLinux to make an USB stick that can boot an ISO image
Install SysLinux using standard procedures, in my case: aptitude install syslinux (currently 3:6.03-dfsg-5-deb8u1)
Do the following steps:
- (optional) wipe the USB stick: dd if=/dev/zero of=/dev/sdX
- make a bootable vfat partition: eg with fdisk /dev/sdX (“n”), set the partition type to VFAT (“t” “c”) and make it active (“a”)
- format the partition to vfat: mkfs.vfat /dev/sdX1
- install SysLinux on it: syslinux /dev/sdX1
- mount the newly created partition: mount /dev/sdX1 /mnt/usb
- copy the memdisk feature to syslinux: cp /usr/lib/syslinux/memdisk /mnt/usb/
- make a syslinux.cfg file on the USB stick: vi /mnt/usb/syslinux.cfg
LABEL iso LINUX memdisk INITRD image.iso APPEND iso - copy the iso image to the usbstick: cp isoimage.iso /mnt/usb/image.iso
- unmount the USB strick: umount /mnt/usb
You can even put different ISO images to one stick by copying multiple ISO images and making multiple entries in syslinux.cfg.
Source IP Address Based on User
If you want to use different source IP addresses based on the logged in user or running service on a Linux computer you can use these simple commands:
/sbin/ifconfig eth0:1 NEW-IP-ADDRESS netmask YOUR-NORMAL-NETMASK /sbin/iptables -t nat -A POSTROUTING -m owner --uid-owner USERNAME -j SNAT --to-source NEW-IP-ADDRESS
You can use this if the source IP is necessary for remote firewall filter lists, or to separate IP traffic from services that don’t allow to configure the outgoing source IP.
Add these lines to /etc/rc.local to make it permanent.
Version: Should work on every Linux kernel of the last 10 years, tested on Linux 4.11.1
Multi Seat Linux Workstation
Current computers are fast enough to handle more than one user at a time. So I started the project to setup my workstation to support two seats, one for me and one for my gf.
Tasks:
- Two concurrent Xorg sessions both with one keyboard, one mouse, and two monitors
- Separate audio for both seats
- Auto mounting of USB storage sticks for the secondary seat. When connected to a specific USB port the usb stick is mounted in the home directory of the logged in user of the second seat.
All this has to work while still keeping root privileges strictly separated. For security reasons I don’t use systemd polkit and other tools that allow normal users to gain root privileges. (Un)Mounting, Shutdown, Printersetup, Hardwaresetup are root tasks, normal users must not be able to do these tasks because it would compromise system security.
A normal user must not be able to shut down the system or see other users USB storages just because she is sitting in front of the local console.
Two Xorg Sessions
The workstation has two graphics cards one nvidia PEG card and an onboard Intel CPU graphics. I had to activate the onboard graphics in BIOS to be able to use it on Linux. The xorg-server-intel driver on Debian Jessie was to old to support the Intel Skylake HD530 graphics, so I upgraded the package “xserver-xorg-video-intel” from jessie-backports (“aptitude -t jessie-backports install xserver-xorg-video-intel”).
Then I configured the Xservers. Xorg can run multiple times with some configuration tweaking. I built two simple Xorg.conf. One for the first seat
# /etc/X11/Xorg.first-desk.conf
Section “Device”
Identifier “Nvidia Graphics”
Driver “nvidia”EndSection
Section “InputClass”
Identifier “Dell Keyboard”
MatchVendor “DELL”
MatchIsKeyboard “true”
Option “Ignore” “true”EndSection
Section “InputClass”
Identifier “Logitech Mouse”
MatchVendor “Logitech”
MatchIsPointer “true”
Option “Ignore” “true”EndSection
And one for the second seat:
# /etc/X11/Xorg.second-desk.conf
Section “Device”
Identifier “Intel Graphics”
Driver “intel”
BusID “PCI:0:2:0”EndSection
Section “InputClass”
Identifier “TheRest”
Option “Ignore” “true”EndSection
Section “InputClass”
Identifier “Dell Keyboard”
MatchVendor “DELL”
MatchIsKeyboard “true”
Option “Ignore” “false”EndSection
Section “InputClass”
Identifier “Logitech Mouse”
MatchVendor “Logitech”
MatchIsPointer “true”
Option “Ignore” “false”EndSection
Xorg tries take the first graphics card. To force one Xserver to the second card you need the BusID line. You can find this BusID with lspci:
# lspci
00:00.0 Host bridge: Intel Corporation Device 191f (rev 07)
00:01.0 PCI bridge: Intel Corporation Device 1901 (rev 07)
00:02.0 Display controller: Intel Corporation Device 1912 (rev 06)
00:14.0 USB controller: Intel Corporation Device a12f (rev 31)
00:16.0 Communication controller: Intel Corporation Device a13a (rev 31)
…
The sepration of mouse and keyboard works by blacklisting (“Ignore”) one keyboard and one mouse on the primary Xsession and an inverted blacklist on the secondary seat that blacklists all input devices except this one keyboard and mouse.
Two start two Xorg Xservers I added changed the file /etc/X11/xdm/Xservers to this:
:0 local /usr/bin/X :0 vt7 -config /etc/X11/Xorg.first-desk.conf -novtswitch -nolisten tcp
:1 local /usr/bin/X :1 -sharevts -config /etc/X11/Xorg.second-desk.conf -novtswitch -nolisten tcp
“-sharevts” and “-novtswitch” were the magic settings that allowed to run Xorg concurrently. Without this option the Xservers could only run one at a time by switching between VT7 and VT8 (Ctrl-Alt-F7 / Ctrl-Alt-F8).
Separate Audio
The onboard sound card has 8 channel output for surround sound. ALSA can split this multichannel output to multiple soundcards with this /etc/asound.conf file:
# /etc/asound.conf
pcm_slave.fourchannels {
pcm "hw:0"
period_time 0
period_size 1024
buffer_size 8192
channels 4
}
pcm.jack1 {
type plug
slave.pcm {
type dmix
ipc_key 2381
ipc_perm 0666
slave "fourchannels"
bindings [ 0 1 ]
}
}
pcm.jack2 {
type plug
slave.pcm {
type dmix
ipc_key 2381
ipc_perm 0666
slave "fourchannels"
bindings [ 2 3 ]
}
}
This configuration splits the front from the surround (back) speaker output. Per user you can set the default output to either jack1 or jack2 with this ~/.asoundrc file:
pcm.!default {
type plug
slave.pcm "jack2"
}
Currently I hard wired this configuration per user. If me and my GF would change seats frequently I would write a “.asoundrc” file during Xsession startup every time a users logs in on the first or second seat (DISPLAY :0 or :1).
Automounting USB Storage for Second Seat
I used udevd and a small shell script to do the job.
Udevd can start scripts on USB events:
# /etc/udev/rules.d/10-multiseat-usb.rules
#
# filter on SD* (scsi events) of the blockdevice subsystem
# filter on events with the sub device tree (ATTRS) of the second seat's USB Hub idVender==05e3 named "USB2.0 Hub"
# for these events start: /root/user_usb_mounter
# which mounts the device for the logged in user and opens a filebrowser
#
KERNEL=="sd*", SUBSYSTEM=="block", ACTION=="add", ATTRS{idVendor}=="05e3", ATTRS{product}=="USB2.0 Hub", RUN+="/root/user_usb_mounter"
The script /root/user_usb_mounter looks like this:
#!/bin/bash
(
# logfile output
echo "================================"
date
if [ "$ID_FS_USAGE" != "filesystem" ]; then
echo "ignoring udev event without FS_USAGE == filesystem"
else
echo "new files system"
# look which user is logged in on seat :1
second_user=`who | grep " :1 " | cut -d " " -f 1`
if [ "$second_user" == "" ]; then
echo "No user Session on :1 found, giving up"
else
# get userid of logged in user
muid=`grep -- "^$second_user:" /etc/passwd | cut -d ":" -f 3`
if [ "0$muid" -le 99 ]; then
echo "No Userid for User $second_user on :1 found, giving up"
else
i=1
# find an non existant directory mountpoint and create it
while [ -e /home/$second_user/media/usb$i ]; do
i=$(( $i + 1 ))
done
mkdir /home/$second_user/media/usb$i
chown $second_user /home/$second_user/media/usb$i
# mount the filesystem in the users home directory
echo mount -o noatime,nodev,noexec,nosuid,uid=$muid,gid=100 "$DEVNAME" "/home/$second_user/media/usb$i"
mount -o noatime,nodev,noexec,nosuid,uid=$muid,gid=100 "$DEVNAME" "/home/$second_user/media/usb$i" || exit
echo "usbstick mounted to /home/$second_user/media/usb$i"
echo "starting xfe for $second_user"
# Starting xfe for the user and wait for xfe close. unmount the usb device, inform the user
( su "$second_user" -l -c "DISPLAY=:1 xfe /home/$second_user/media/usb$i"
umount "/home/$second_user/media/usb$i" && rmdir "/home/$second_user/media/usb$i" && sync &&
su "$second_user" -l -c "DISPLAY=:1 xmessage \"USB Stick is save to remove!\"" && exit
su "$second_user" -l -c "DISPLAY=:1 xmessage \"USB Stick umount failed. DANGER!\""
) &
fi
fi
fi
) >> /tmp/udevtest.log 2>&1
This script checks if the udev event is from a filesystem. Then it checks which user is logged in, gets it’s user ID. Then it mounts the USB device in the users context and home directory. Then it opens a file browser for the user and waits until it’s closed. Then it unmounts the stick and informs the user. This script is not very pretty but it’s a quick and working hack.
Versions: Skylake Intel CPU i5-6500 64bit mode, on ASUS motherboard Z170, Debian 8 (Nov 2017), NVidia GT 640 Nvidia Drivers 375.66, Xorg Intel Drivers 2:2.99.917+git20161206
CPU Bug on Intel Skylake and Kabylake
I had two or three system crashes on my Linux workstation after upgrading to a new mother board and CPU within some months. This is very unusual for me because stability is the main objective when I build a new a workstation. So I tried to find the reason.
Some weeks ago I found this bug report: https://lists.debian.org/debian-devel/2017/06/msg00308.html
Hyperthreading on Skylake and Kabylake CPUs is buggy!
If your processor model (listed in /proc/cpuinfo) is 78 or 94, and the stepping is 3 you are lucky because Intel already provides a microcode update. My workstation is processor level 94 which is Intel Core i5 6500. So I installed the debian packages intel-microcode 3.20170511.1 from jessie-backports.
Since this update I had no System crash and hang up.