-
Cryptography everywhere
Last summer, while looking for a new mail client, I stumbled upon Trojitá, a lightweight IMAP client based on Qt. The largest drawback from my point of view was the missing support for PGP and S/MIME. After looking at the code I figured I could try to implement the missing features.
The result was a partially working branch full of little hacks, which supported sending encrypted and signed PGP messages. Checking signatures worked most of the time, and reading encrypted messages usually required looking at the debug output.
Following the development and fixing some small bugs gave me more insight into the code base of Trojitá, and the idea of a clean rewrite of my code came up. As the clean solution required the design of a new model representing the parts of a message, a task I didn't really feel up to, it didn't evolve any further for quite some time.
The turning point was the announcement of KDE taking part in this year's Google Summer of Code. As Trojitá is part of the KDE project, this provided a great opportunity. I am able to use my participation in GSoC for my studies in computer science, and with this I can concentrate on the required changes better and invest more time in a clean solution.
In the past few weeks I was able to develop a model that can provide the original, unencrypted message parts as well as decrypted ones. I was able to reuse most of the PGP-related code and I am currently working on cleaning up my code so it can be merged into Trojitá's master branch.
After that I’ll start integrating the decryption of S/MIME messages as well as checking PGP and S/MIME signatures. I’ll try to keep you posted on my progress.
-
How I found an integer overflow in PHP-FPM
This week I solved a strange problem I had with my personal ownCloud instance. When uploading a file I always got an error that the uploaded file was larger than MAX_FILE_UPLOAD.
After some digging in the ownCloud PHP code I tracked this down to an error 2 (UPLOAD_ERR_FORM_SIZE) in the PHP built-in array $_FILES used for file uploads. This indicates that the uploaded file was larger than MAX_FILE_UPLOAD.
At this point I was stuck for a while. I looked for a solution and only found people with low values for upload_max_filesize in their php.ini. This was definitely not the issue in my case, as this value was set to 8G in my php.ini.
Finally a friend of mine brought up an idea I had once but didn't investigate: what if MAX_FILE_SIZE is not too small but too large, meaning there is an overflow somewhere? Dividing that value by about 1000 in a test form I wrote showed it was a good trail: suddenly I could upload files.
After some binary search I had the largest value for MAX_FILE_SIZE that worked: 2147483647 (2^31-1). This looks a lot like an integer overflow of a signed int. Using my test form and my test PHP script on a different machine (CentOS with Apache2 and mod-php) didn't show that error, so I assume it's a bug in the implementation of php-fpm.
Setting upload_max_filesize to 2000M (2G is just too large) fixed the problem and I can upload files to my server now. As a final action I filed a bug in the PHP bug tracker and now I'm waiting for it to be fixed.
Update: The bug report can be found here
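The overflow the post describes, as an added example (a model of the observed behaviour written for this page, not PHP-FPM's actual code): the form's MAX_FILE_SIZE value is narrowed to a signed 32-bit int, so any limit above 2^31-1 wraps and every upload fails the size check. A hardened parser and the binary search from the post are included.

```python
# Model of the failure described above: the form's MAX_FILE_SIZE value is stored
# in a signed 32-bit int, so any value above 2^31-1 wraps and the upload is then
# "larger than the limit" no matter how small it is. Added example; it is a model
# of the observed behaviour, not PHP-FPM's actual code.
UPLOAD_ERR_FORM_SIZE = 2  # $_FILES error code the post tracked down

def to_c_int(value: int) -> int:
    """Truncate a Python int to a signed 32-bit int, as a C cast would."""
    return ((value + 2**31) % 2**32) - 2**31

def check_upload_wrapping(max_file_size_field: str, upload_bytes: int) -> int:
    """Buggy model: the limit is narrowed to 32 bits before the comparison."""
    limit = to_c_int(int(max_file_size_field))
    # 2147483648 wraps to -2147483648 and 8G (2^33) wraps to 0: everything is rejected.
    return UPLOAD_ERR_FORM_SIZE if upload_bytes > limit else 0

def check_upload_fixed(max_file_size_field: str, upload_bytes: int) -> int:
    """Hardened model: parse at full width and reject limits outside a sane range."""
    limit = int(max_file_size_field)          # raises ValueError on junk input
    if not 0 <= limit <= 2**63 - 1:
        raise ValueError("MAX_FILE_SIZE out of range")
    return UPLOAD_ERR_FORM_SIZE if upload_bytes > limit else 0

def largest_working_limit(check, upload_bytes: int, hi: int) -> int:
    """Binary search for the largest MAX_FILE_SIZE that check() still accepts for a
    file of upload_bytes, mirroring the search in the post. Monotone only for
    hi < 2^32: values of 2^32 and above wrap around to small positive numbers again."""
    lo = upload_bytes                          # a limit equal to the file size works
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if check(str(mid), upload_bytes) == 0:
            lo = mid
        else:
            hi = mid - 1
    return lo

if __name__ == "__main__":
    print(largest_working_limit(check_upload_wrapping, 1024, 2**32 - 1))  # 2147483647
```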
-
Setting up your own Gitorious installation
In the following I will describe how to install Gitorious on a server running Ubuntu Server 10.04.4 LTS. This article describes my way of installing Gitorious, based on the howto on silly-science.co.uk.
Run the following commands as root if not stated otherwise.
-
Install ALL teh dependencies
aptitude update
aptitude install build-essential zlib1g-dev tcl-dev libexpat-dev libcurl4-openssl-dev apache2 mysql-server mysql-client apg geoip-bin libgeoip1 libgeoip-dev sqlite3 libsqlite3-dev imagemagick libpcre3 libpcre3-dev zlib1g zlib1g-dev libyaml-dev libmysqlclient15-dev apache2-dev libonig-dev libmagick++-dev zip unzip memcached git-core git-svn git-doc git-cvs irb sphinxsearch libxslt-dev libxml2-dev
(Optionally also install postfix and phpmyadmin. As I'm already running postfix on another machine I don't need it, and I don't need phpmyadmin at all.)
-
Install ActiveMQ
aptitude install uuid uuid-dev openjdk-6-jre
cd /tmp
wget http://www.powertech.no/apache/dist/activemq/apache-activemq/5.5.1/apache-activemq-5.5.1-bin.tar.gz
tar xzvf apache-activemq-5.5.1-bin.tar.gz -C /usr/local/
echo "export ACTIVEMQ_HOME=/usr/local/apache-activemq-5.5.1" >> /etc/activemq.conf
echo "export JAVA_HOME=/usr/" >> /etc/activemq.conf
adduser --system --no-create-home activemq
chown -R activemq /usr/local/apache-activemq-5.5.1/data
-
Disable multicasting of ActiveMQ. Open /usr/local/apache-activemq-5.5.1/conf/activemq.xml and change the following lines:
<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
</transportConnectors>
to something like this:
<transportConnectors>
  <transportConnector name="openwire" uri="static://(tcp://127.0.0.1:61616)"/>
</transportConnectors>
-
Set up the startup script for ActiveMQ and start it:
wget http://launchpadlibrarian.net/15645459/activemq
mv activemq /etc/init.d/activemq
chmod +x /etc/init.d/activemq
update-rc.d activemq defaults
service activemq start
-
Download and install Ruby Enterprise Edition
wget http://rubyenterpriseedition.googlecode.com/files/ruby-enterprise_1.8.7-2012.02_amd64_ubuntu10.04.deb
dpkg -i ruby-enterprise_1.8.7-2012.02_amd64_ubuntu10.04.deb
-
Download and install RubyGems
wget http://rubyforge.org/frs/download.php/75856/rubygems-1.8.17.tgz
tar xzvf rubygems-1.8.17.tgz
cd rubygems-1.8.17
ruby setup.rb
-
Install the required Gems
gem install -b --no-ri --no-rdoc rmagick chronic geoip daemons hoe echoe ruby-yadis ruby-openid mime-types diff-lcs json rack ruby-hmac rake stompserver passenger rails ultrasphinx mysql
gem install -b --no-ri --no-rdoc -v 1.0.1 rack
gem install -b --no-ri --no-rdoc -v 1.3.1.1 rdiscount
gem install -b --no-ri --no-rdoc -v 1.1 stomp
-
Clone the Gitorious repository (in the following we assume that /var/www/gitorious is the installation path of Gitorious):
cd /var/www/
git clone git://gitorious.org/gitorious/mainline.git /var/www/gitorious
# the submodule commands must run inside the cloned repository
cd /var/www/gitorious
git submodule init
git submodule update
-
Copy the required init scripts:
cp /var/www/gitorious/doc/templates/ubuntu/git-daemon /etc/init.d/
cp /var/www/gitorious/doc/templates/ubuntu/git-ultrasphinx /etc/init.d/
-
Change the paths in /etc/init.d/git-daemon to fit your installation:
RUBY_HOME="/usr/local"
GIT_DAEMON="bundle exec $RUBY_HOME/bin/ruby $GITORIOUS_HOME/script/git-daemon -d"
-
It is advised to use bundle exec for rake, so change the following lines in /etc/init.d/git-ultrasphinx:
START_CMD="cd $GITORIOUS_HOME && bundle exec rake ultrasphinx:daemon:start RAILS_ENV=production"
STOP_CMD="cd $GITORIOUS_HOME && bundle exec rake ultrasphinx:daemon:stop RAILS_ENV=production"
RESTART_CMD="cd $GITORIOUS_HOME && bundle exec rake ultrasphinx:daemon:restart RAILS_ENV=production"
STATUS_CMD="cd $GITORIOUS_HOME && bundle exec rake ultrasphinx:daemon:status RAILS_ENV=production"
-
Create the init scripts for git-poller and stomp from the Gitorious tutorial.
-
Change the path of stompserver in /etc/init.d/stomp to /usr/local/bin/stompserver.
-
Set the correct permissions and activate the initialisation files:
chmod 755 /etc/init.d/git-ultrasphinx /etc/init.d/git-daemon /etc/init.d/stomp /etc/init.d/git-poller
update-rc.d stomp defaults
update-rc.d git-daemon defaults
update-rc.d git-ultrasphinx defaults
update-rc.d git-poller defaults
-
Run the Apache setup script and follow the instructions. When asked to edit the Apache config, copy the stated config into /etc/apache2/mods-available/passenger.load:
/usr/local/bin/passenger-install-apache2-module
-
Enable the required Apache2 modules:
a2enmod passenger
a2enmod rewrite
a2enmod ssl
a2ensite default-ssl
-
Restart Apache:
service apache2 restart
-
Add a 'git' user to MySQL with global create privileges. Also give it all privileges on gitorious_production:
mysql -p
> CREATE USER 'git'@'localhost' IDENTIFIED BY '********';
> GRANT CREATE ON *.* TO 'git'@'localhost';
> GRANT ALL ON `gitorious_production`.* TO 'git'@'localhost';
> EXIT
-
Create /etc/apache2/sites-available/gitorious and /etc/apache2/sites-available/gitorious-ssl using the listings on the Gitorious tutorial (the SSL site is required for login!):
a2dissite default
a2dissite default-ssl
a2ensite gitorious
a2ensite gitorious-ssl
-
Add a user 'git' to the system:
adduser --system --home /var/www/gitorious/ --no-create-home --group --shell /bin/bash git
-
Set permissions on the Gitorious tree:
chown -R git:git /var/www/gitorious
-
Now run the following sequence of commands:
su - git
cd /var/www/gitorious
mkdir .ssh
touch .ssh/authorized_keys
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
mkdir tmp/pids
mkdir repositories
mkdir tarballs
cp config/database.sample.yml config/database.yml
cp config/gitorious.sample.yml config/gitorious.yml
cp config/broker.yml.example config/broker.yml
-
If you have a separate partition or disk for the repositories, create the corresponding entry in /etc/fstab and run:
mount -a
-
Edit config/database.yml: remove every section but production and change the database parameters to fit your setup (i.e. change username and password).
-
Edit config/gitorious.yml: remove every section but production (so at the top indentation level only production: should exist).
-
Check the settings in config/gitorious.yml and modify the following lines:
gitorious_client_host: localhost
gitorious_host: example.org
repository_base_path: "/var/www/gitorious/repositories"
archive_cache_dir: "/var/www/gitorious/tarballs"
archive_work_dir: "/tmp/tarballs-work"
cookie_secret: ssssht   (use `apg -m 64` to generate a key)
exception_notification_emails: notify@example.org
sender_email_address: "Example.org <no-reply@example.org>"
-
To use an external mail server, change the following lines in config/environments/production.rb:
config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = { :address => "mail.comsound.de", :port => 25, :domain => "kitty" }
-
Run the following as root:
cd /var/www/gitorious
bundle install
-
Insert the following line at the beginning of Rakefile and config/environment.rb:
require 'thread'
-
Run the following as the git user (note: if you have to drop out to root again because it tells you that you missed some gems, then remember to do the export again when you have su'd back into the git user!):
export RAILS_ENV=production
bundle exec rake db:create
mysql -u root -p
> GRANT ALL ON `gitorious_production`.* TO 'git'@'localhost';
> EXIT
bundle exec rake db:migrate
bundle exec rake ultrasphinx:bootstrap
-
Add the following line to the crontab (run
crontab -e
as user 'git' to edit the crontab):
* * * * * cd /var/www/gitorious && /usr/bin/rake ultrasphinx:index RAILS_ENV=production
-
Now create an admin user. To do so, run the following as the git user:
bundle exec ruby script/create_admin
-
Restart Apache as root:
service apache2 restart
-
Start the daemons:
service stomp start
service git-daemon start
service git-ultrasphinx start
service git-poller start
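A post-install check for the two files this guide has you edit by hand, as an added example (written for this page, not part of Gitorious or ActiveMQ): the broker's transportConnector must bind to loopback only, and gitorious.yml must contain a single production section with a cookie_secret that is no longer the sample value. The file contents in the block are constructed samples.

```python
# Post-install check for the two hand-edited config files in this guide: the
# ActiveMQ broker must listen on loopback only and gitorious.yml must contain a
# single production section with a real cookie_secret. Added example, not part
# of Gitorious or ActiveMQ; the strings at the bottom are constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def broker_loopback_only(activemq_xml: str) -> bool:
    """True if every transportConnector in activemq.xml binds to 127.0.0.1/localhost."""
    for elem in ET.fromstring(activemq_xml).iter():
        if elem.tag.split("}")[-1] != "transportConnector":  # ignore the XML namespace
            continue
        uri = elem.get("uri", "")
        if uri.startswith("static://(") and uri.endswith(")"):  # unwrap static://(tcp://...)
            uri = uri[len("static://("):-1]
        if urlparse(uri).hostname not in ("127.0.0.1", "localhost"):
            return False
    return True

def gitorious_yml_issues(yml_text: str) -> list:
    """List problems: top-level sections other than production, or a weak cookie_secret."""
    issues = []
    for line in yml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "---")):
            continue
        if line[0] not in " \t" and stripped != "production:":
            issues.append("unexpected top-level section: " + stripped)
        key, _, value = stripped.partition(":")
        if key == "cookie_secret":
            secret = value.strip().strip("\"'")
            if secret == "ssssht" or len(secret) < 64:  # guide: generate with `apg -m 64`
                issues.append("cookie_secret is the sample value or shorter than 64 chars")
    return issues

# Constructed samples: the guide's 'before' broker config and a yml with a leftover section.
BAD_ACTIVEMQ = ('<broker xmlns="http://activemq.apache.org/schema/core"><transportConnectors>'
                '<transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>'
                '</transportConnectors></broker>')
GOOD_ACTIVEMQ = BAD_ACTIVEMQ.replace("tcp://0.0.0.0:61616", "static://(tcp://127.0.0.1:61616)")
BAD_YML = "development:\n  gitorious_host: localhost\nproduction:\n  cookie_secret: ssssht\n"
GOOD_YML = "production:\n  gitorious_host: example.org\n  cookie_secret: " + "x" * 64 + "\n"

if __name__ == "__main__":
    print(broker_loopback_only(BAD_ACTIVEMQ), broker_loopback_only(GOOD_ACTIVEMQ))
    print(gitorious_yml_issues(BAD_YML), gitorious_yml_issues(GOOD_YML))
```

Run it against the real files with `open(path).read()` in place of the sample strings.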
Troubleshooting:
-
If CSS and JS are missing, it's likely you forgot to run
git submodule init
git submodule update
Do that now and run
bundle exec rake assets:clear
-
If you see something like 'Mysql::Error: Lock wait timeout exceeded' in the log files, stompserver isn't running. Check whether it's running and whether you updated all paths in /etc/init.d/stomp.
-