Archive for the ‘Uncategorized’ Category

Bash -o pipefail can have pitfails^Wpitfalls

July 23, 2018

Using `-o pipefail` is generally a good idea. However it can contain some surprises. For example the following shell script:

set -e
set -o pipefail

output="$(cat /etc/passwd)"
for i in $(seq 100000); do
    echo "$output" | grep -q "^root" || res=$?
    if [ -n "$res" ]; then
        echo "failed: $i $res"
        exit 1
echo "done"

Does fail at different points in the loop. Why? Because grep is greedy and will exit as soon as it found a pattern. If the echo in the pipe did not finish writing to the pipe it will get a SIGPIPE when it tries to write the remaining data.

A better pattern is:

   grep -q -E "^root" <<< "$output"

Note that “-o pipefail” is already a bashism so adding “<<<" (which is also a bashism) does not make things worse 🙂

Building minimal binaries

July 10, 2017

As part of my snapd work I was writing testcode to ensure the seccomp confinement we build is working correctly. One of the challenges is that even the most simple program (like /bin/true) uses a lot of syscalls (check with strace!) so targeted testing is a bit difficult. So I decided to build a really minimal binary that avoids as many syscalls as possible.

After some experimentation the following code is ideal for our testing of the seccomp confinement:

// build with:  gcc -Wall -Werror syscall_runner.c -o syscall_runner -static -static-libgcc -nostartfiles -nostdlib -lc
#define _GNU_SOURCE
void __syscall_error() {};
void _start() {
  // syscall under test with argument filtering, in this example "setpriority"
  syscall(SYS_setpriority, 1, 1, 0, 0, 0, 0);
  syscall(SYS_exit, 0, 0, 0, 0, 0, 0);

The above code only uses just two extra syscalls in addition to the one we want to test for:

$ strace ./syscall_runner 
execve("./syscall_runner", ["./syscall_runner"], [/* 67 vars */]) = 0
setpriority(PRIO_PGRP, 1, 0)            = -1 EPERM (Operation not permitted)
exit(0)                                 = ?


my libproxy-golang

June 22, 2017

Sometimes it is necessary to write cgo based wrappers for existing libraries. Golang makes this pretty painless, writing was really quick and a fun Saturday morning project.

The only slight annoyance is the lack of convenience helpers around dealing with C `char**`. Fortunately there are some tricks like creating an “overlay” go-slice of `*C.char` which makes working with `char**` easier:

p := C.thing_that_returns_char**()
// go provides no pointer arithmetic, so make a new huge
// go slice of char* and iterate over that
tmpSlice := (*[1<<30]*C.char)(unsafe.Pointer(p))

It would be nice though if cgo had some better helpers for this.

Sysreq on Lenovo x250

May 24, 2017

I sometimes find myself in the situation that I need magic sysreq on my machine. Especially when running the development version of Ubuntu it is sometimes useful to do the magic “sync,umount,boot” sequence.

The new Lenovo keyboards do not have a dedicated sysreq key anymore. But after some searching and fiddling I is possible to emulate the behaviour:

Press “Fn”+”Ctrl”+”Alt”+”s” all at the same time. Then release “Fn”+”s” but keep “Ctrl”+”Alt” pressed. The keys you press next (while keeping “Ctrl”+”Alt” pressed) are now the systreq keys. So e.g. when pressing “s” next (while keeping “Ctrl”+”Alt” pressed) the system will do a emergency sync, pressing “u” next (while keeping “Ctrl”+”Alt” pressed) will do the emergency umount etc.

This should also work on any of the “new” Lenovo keyboard.

Booting the samsung 840 SSD firmware update iso from grub2

December 13, 2015

In order to apply a firmware update for my Samsung 840 SSD I had to boot an iso image with the firmware updater. My laptop does not have an optical drive so I decided to to use my grub2 and it’s loopback support.

So I added to


the following lines:

menuentry "firmware" {
  set isofile="/boot/ssd840.iso"
  loopback loop (hd0,1)$isofile
  legacy_kernel (loop)/isolinux/memdisk (loop)/isolinux/memdisk
  legacy_initrd (loop)/isolinux/btdsk.img

This works quite well. The firmware update process itself is a bit of a pain. At the end it asked to power cycle the SSD. Which is pretty much impossible because it is inside my laptop. After I continued without power-cycling the drive it warned me that applying failed. However that is a false scary message. After power off and power on of the laptop the firmware update was applied.

Passhash sha512crypt

November 28, 2015

I added sha512crypt support to the PassHash firefox extension a while ago to make attacking PassHash even more difficult. It uses the glibc 5000 rounds default. If you happen to use PassHash you should consider upgrading to this schema.

PassHash sha512 support

June 9, 2013

I added sha512 support to the PassHash firefox extension here (and added pull request to get it into the upstream branch). I felt its important to do this after reading this article.

ansible ad-hoc data gathering

June 1, 2013

When using ansible and its “setup” module to gather ad-hoc facts-data about multiple hosts, remember that it runs the jobs in parallel which may result in out-of-order output. With “ansible -f1” the number of parallel processes can be limited to one to ensure this won’t happen. E.g.:

$ ansible all -f1 -m setup -a filter=ansible_mounts

(the filter argument for the facts module is also a nice feature).

git fast-import apt

May 16, 2013

Due to popular demand I moved debian apt and python-apt from bzr to git today. Moving was pretty painless:

$ git init
$ bzr fast-export --export-marks=marks.bzr -b debian/sid /path/to/debian-sid | git fast-import --export-marks=marks.git

And then a fast-import for the debian-wheezy and debian-experimental branches too. Then a

$ git gc --aggressive

(thanks to Guillem Jover for pointing this out) and that was it.

The branches are available at:

Webkitgtk & SSL

April 30, 2013

For a project of mine I created a small app based on webkitgtk that talks to a SSL server.

And I almost forgot about the libsoup default behavior for SSL certificates checking. By default libsoup and therefore webkitgtk will not do any SSL certificate checks. You need to put something like the following snippet into your code (adjust for your language of choice):

from gi.repository import WebKit

session = WebKit.get_default_session()
session.set_property("ssl-use-system-ca-file", True)

If you don’t do this it will accept any certificate (including self-signed ones).

This is documented behavior in libsoup and they don’t want to change it for compatiblity reasons in libsoup. But for webkit its unexpected behavior (at least to me) and I hope the webkitgtk developers will consider changing this default in webkit. I filed a bug about it. So if you use webkitgtk and SSL, remember to set the above property.