This web page is an attempt to promote some of the freeware projects I currently work on.
Here are more detailed project pages for some of the freeware projects I'm working on:
For a rather long time now I've been maintaining a set of mostly cross-platform startup scripts for my login shell (usually ), editor (Emacs), and X11 window manager (twm and ctwm) configurations, as well as various other little configuration files. These have grown over the years into quite a substantial collection of nifty tricks and handy little trinkets, and together they have more than once been called a project with a life of its own! You can find them all here:
ftp://ftp.weird.com/pub/local/dotfiles.tar.gz
I've created a local release of the inetd program. This version incorporates several new features, including:
- libwrap support for UDP connections (as best as can be done; no IDENT, etc., of course)
- libwrap is now only relied upon to log refused connections
- the -DMULOG option (per-service logging and IDENT logging) compiled in unconditionally, with the corresponding removal of the MULOG #ifdefs
- fd_set arrays from OpenBSD
This version of inetd has been submitted to the NetBSD project in PR#18955.
fopen_as_user()
Traditional UNIX offered a system call known as access() that could be used by a process started from a setuid binary to check whether a filesystem object could be accessed by the real user (as opposed to the effective user that the program was set-user-ID to). Unfortunately it takes a pathname parameter, and it has since been rendered almost completely useless by the fact that it is vulnerable to a race condition: the object named by the path can be replaced between the access() check and the open() that follows it. While several other system calls were provided with variants accepting file descriptors (the f*(2) calls), there has never, to the best of my knowledge, been an implementation of faccess() provided in any popular UNIX variant. However the utility of this call, along with one other approach to the problem, has been discussed in several places, including this paper by Matt Bishop: ``Race Conditions, Files, and Security Flaws: or, The Tortoise and the Hare Redux,'' Technical Report 95-9, Department of Computer Science, University of California at Davis (Sep. 1995).
[PS] [PDF]
Some time ago I faced a similar but slightly more generic issue in Smail and implemented the more-or-less standard and portable solution in a function I called fopen_as_user(). It opens the file with open(), stats it via the open file descriptor with fstat(), then, while still holding the file open, it forks a child process which first lowers its privileges and then does the same thing. If the child succeeds in opening and stat'ing the file it compares the second struct stat contents with the first one from the parent process, and if all is well it exits with a status code of zero, indicating to the parent process that the indicated user had access to the file in question. Previously Smail had used setreuid() or some variant to temporarily lower its privileges, but of course this ability is not possible to use securely, and neither is it portable. Even seteuid() is not portable, since sane operating systems do not allow privileged processes to lower and then regain their privileges, as this would open a whole can of worms of the kind we've recently seen discussed in CERT and similar security advisories.
Here's another slightly more efficient, elegant, and reliable way to implement fopen_as_user(), using kernel file descriptor passing through an AF_LOCAL socket, derived mostly from code provided by the late W. Richard Stevens in his book ``UNIX Network Programming, Volume 1, Second Edition: Networking APIs: Sockets and XTI'' (Prentice Hall, 1998):
ftp://ftp.weird.com/pub/local/fopen_as_user.c
http://www.weird.com/~woods/projects/fopen_as_user.c
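The descriptor-passing variant described above, as an added example written for this page (it is neither the fopen_as_user.c linked above nor Stevens' code, and it assumes a Linux or BSD system with SCM_RIGHTS): the parent creates an AF_LOCAL socketpair and forks; the child drops to the requested gid and uid, verifies with getuid()/geteuid()/getgid()/getegid() that the drop really happened, open()s the file with those credentials and sends the resulting descriptor back as SCM_RIGHTS ancillary data. If anything fails the child exits with its errno as the exit status and the parent re-raises it, so the caller sees the same errno an ordinary open() would have given that user. Because the permission check and the open are one kernel operation performed with the user's own credentials, the check-then-use race that makes access() unsafe cannot occur; faccessat(2), where available, is still pathname-based and does not close it either. The setgroups(1, &gid) call stands in for initgroups(3), which a real daemon would call with the user's name; the function and file names here are this example's own.

```c
#define _GNU_SOURCE 1
#include <sys/socket.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

union cbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Child -> parent: one payload byte (needed to carry ancillary data) with
 * the opened descriptor attached as SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
    char byte = 0;
    union cbuf ctl;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);

    memset(&ctl, 0, sizeof ctl);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Returns the received descriptor, or -1 if none arrived. */
static int recv_fd(int sock)
{
    char byte;
    union cbuf ctl;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c;
    int fd;

    memset(&ctl, 0, sizeof ctl);
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Open path with uid/gid's credentials and hand the descriptor back to the
 * (possibly privileged) caller; returns -1 with errno set on failure. */
int fopen_as_user(const char *path, int flags, uid_t uid, gid_t gid)
{
    int sv[2], fd, wstat;
    pid_t pid;

    if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sv) == -1)
        return -1;
    if ((pid = fork()) == 0) {
        close(sv[0]);
        /* Drop groups and gid while still root, then uid; a real daemon
         * would use initgroups(3).  Then verify the drop actually took. */
        if ((geteuid() == 0 && setgroups(1, &gid) == -1) || setgid(gid) == -1
            || setuid(uid) == -1)
            _exit(errno);
        if (getuid() != uid || geteuid() != uid || getgid() != gid
            || getegid() != gid)
            _exit(EPERM);
        if ((fd = open(path, flags, 0666)) == -1)   /* mode only for O_CREAT */
            _exit(errno);
        _exit(send_fd(sv[1], fd) == -1 ? EIO : 0);
    }
    close(sv[1]);
    fd = pid == -1 ? -1 : recv_fd(sv[0]);     /* fork()'s errno survives */
    close(sv[0]);
    if (pid > 0) {
        while (waitpid(pid, &wstat, 0) == -1 && errno == EINTR)
            continue;
        /* A child that sent no fd reports its errno in its exit status. */
        if (fd == -1)
            errno = WIFEXITED(wstat) && WEXITSTATUS(wstat) ? WEXITSTATUS(wstat) : EIO;
    }
    return fd;
}
```

From a root-owned daemon, fopen_as_user(path, O_RDONLY, uid, gid) returns a descriptor that was opened by an unprivileged child, so an NFS server that maps root to nobody never sees a root access at all; run as an ordinary user, the same call simply re-opens the file as oneself, which is enough to exercise the plumbing.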
So far I've used this code successfully to replace the seteuid() calls in NetBSD's lib/libc/net/rcmd.c, and I plan to use it for the same purpose in usr.bin/login/login.c as well. Both of these are examples of a privileged process having to drop privileges to even get anywhere near an NFS-mounted file that might be protected from any kind of root access by the remote server. One of these days I may even implement open_as_user() as a true system call.
For a short period of time in the fall of 2003 Verisign, the registry operator for the .com and .net global top-level domains, published a wildcard A record in an attempt to hijack every non-existent domain for advertising purposes (though ostensibly they claimed it was only for assisting people searching for things without using a search engine). The response from both ICANN and the maintainers of BIND was swift and sure. However, this has not stopped other gTLD operators from implementing similar stupid tricks (often far more poorly).
I've integrated some patches for BIND-8 to provide the equivalent of an access control list (ACL) to block A records which point to any of a specified list of IP addresses. This isn't quite as generic as the BIND-9 fix, but it suffices. The patches are available here as part of a larger set of fixes and tweaks for BIND-8:
ftp://ftp.weird.com/pub/local/bind-8.4.7-REL-Planix-1.diff
I've also written a little script that helps me keep the list of naughty IP addresses up to date. It is available here:
ftp://ftp.weird.com/pub/local/gtld-wildhosts.sh
http://www.weird.com/~woods/projects/gtld-wildhosts.sh
On occasion I've had to aggregate CIDR netblocks, i.e. make sure that only the minimum number of widest-possible blocks are specified (e.g. when writing filter rules, etc.). Normally I've done this by hand, but recently I encountered a list of nearly a thousand routes and I wanted to be able to aggregate it into the smallest inclusive number of routes accurately and repeatedly, and so I wrote this little program:
ftp://ftp.weird.com/pub/local/netagg.c
http://www.weird.com/~woods/projects/netagg.c
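The aggregation such a program performs, as an added example written for this page (it is not the netagg.c linked above): each prefix is normalised (host bits cleared) and the list is sorted by address and then by prefix length, so that a block precedes everything it covers; a prefix covered by the block before it is dropped, and whenever the last two surviving entries are the aligned lower and upper halves of one larger block they are merged into their parent, repeating because the merged block may itself now be one half of something bigger. The result is the smallest set of widest blocks covering exactly the same addresses, in ascending order. IPv4 only; the aggregate_strings() wrapper and the prefixes quoted in the comments are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cidr {
    uint32_t net;       /* network address, host byte order, host bits clear */
    int len;            /* prefix length 0..32 */
};

#define PREFIX_MASK(len) ((len) == 0 ? 0u : 0xffffffffu << (32 - (len)))

/* Parse "a.b.c.d/len" or "a.b.c.d" (taken as /32).  Host bits are cleared,
 * so "10.0.0.77/24" becomes 10.0.0.0/24.  Returns 0, or -1 on bad input. */
int parse_cidr(const char *s, struct cidr *c)
{
    unsigned o[4];
    int len = 32, n = 0;
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%n", &o[0], &o[1], &o[2], &o[3], &n) != 4)
        return -1;
    if (s[n] != '\0' && sscanf(s + n, "/%d%c", &len, &tail) != 1)
        return -1;
    if (len < 0 || len > 32 || o[0] > 255 || o[1] > 255 || o[2] > 255 || o[3] > 255)
        return -1;
    c->net = ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) & PREFIX_MASK(len);
    c->len = len;
    return 0;
}

void format_cidr(const struct cidr *c, char *buf, size_t size)
{
    snprintf(buf, size, "%u.%u.%u.%u/%d", (unsigned)(c->net >> 24),
             (unsigned)(c->net >> 16) & 255u, (unsigned)(c->net >> 8) & 255u,
             (unsigned)c->net & 255u, c->len);
}

/* Sort by address, then by length, so a block precedes everything it covers. */
static int cmp_cidr(const void *pa, const void *pb)
{
    const struct cidr *a = pa, *b = pb;
    if (a->net != b->net)
        return a->net < b->net ? -1 : 1;
    return a->len - b->len;
}

static int contains(const struct cidr *a, const struct cidr *b)
{
    return a->len <= b->len && (b->net & PREFIX_MASK(a->len)) == a->net;
}

/* True when a and b are the lower and upper halves of one larger block. */
static int siblings(const struct cidr *a, const struct cidr *b)
{
    uint32_t half = a->len == 0 ? 0u : 1u << (32 - a->len);
    return a->len > 0 && a->len == b->len && (a->net & half) == 0
        && b->net == a->net + half;
}

/* Aggregate v[0..n) in place into the minimal covering set; returns its size. */
size_t aggregate(struct cidr *v, size_t n)
{
    size_t i, out = 0;

    qsort(v, n, sizeof *v, cmp_cidr);
    for (i = 0; i < n; i++) {
        if (out > 0 && contains(&v[out - 1], &v[i]))
            continue;                   /* covered by the previous block */
        v[out++] = v[i];
        /* Two halves collapse into their parent, which may in turn be the
         * upper half of a larger block, so keep merging down the list. */
        while (out >= 2 && siblings(&v[out - 2], &v[out - 1])) {
            out--;
            v[out - 1].len--;
        }
    }
    return out;
}

/* Parse, aggregate and format in one go.  Returns the number of output
 * prefixes (at most n), or (size_t)-1 if any input fails to parse. */
size_t aggregate_strings(const char *const *in, size_t n, char out[][19])
{
    struct cidr *v = malloc(n * sizeof *v);
    size_t i, m = (size_t)-1;

    for (i = 0; v != NULL && i < n; i++)
        if (parse_cidr(in[i], &v[i]) != 0)
            break;
    if (v != NULL && i == n) {
        m = aggregate(v, n);
        for (i = 0; i < m; i++)
            format_cidr(&v[i], out[i], 19);
    }
    free(v);
    return m;
}
```

Feeding it "10.0.0.0/25", "10.0.0.128/25" and "10.0.1.0/24" yields the single block 10.0.0.0/23, while "10.0.2.128/25" followed by "10.0.3.0/25" stays as two blocks: they are adjacent, but the first is the upper half of its /24, so no aligned parent covers exactly the pair.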
I've made some major changes and improvements to vm-bogofilter, an interface between Emacs ViewMail (VM) and bogofilter.
ftp://ftp.weird.com/pub/local/vm-bogofilter.el
http://www.weird.com/~woods/projects/vm-bogofilter.el
I've also written a couple of nifty tape copy scripts that several people have asked for. They're available for ftp from here:
ftp://ftp.weird.com/pub/local/tapestuff.shar
I've written a BSD device driver for the National Semiconductor LM78
environmental monitoring ASIC chip often found on modern system
motherboards, such as the Asus P297L (Intel Pentium-II board). This
chip monitors power supply voltages, fan rotation speeds, as well as
on-board temperature. The driver was originally designed on
FreeBSD-2.2.8 using a very primitive Linux driver as the primary source
of ideas. Since then the driver has been migrated to NetBSD-1.3.3 and
-current as of about 1.3K. You can download a copy of the
LM7X.shar file
and try it out on your system. Note that you'll have to apply the diffs
after unpacking the archive.
If/when I ever get around to working on hardware monitoring again I'll create a project page with lots more information, not just about the software I have written, but about hardware monitoring in general.
You may also find some other neat stuff on this weird FTP server, such as local versions of various software packages.
I keep locally patched versions of various packages, including all of the above, on the Planix, Inc. FTP server too.
Another project of sorts (really it's a whole class of related projects) which deserves mentioning, but which does not (yet) have its own project page either, is my custom NetBSD release work. My first experiments with building custom OS releases were with the FreeBSD-2.2 branch, where I produced several customised releases for a client. Since beginning in late 1998 I've produced two highly customised NetBSD releases that have been used in production both for my own systems as well as at a couple of client sites. The first of these was based on the official NetBSD 1.3.3 release. The second is a cut from NetBSD-current as of 2001/06/24.
Since the release of 1.6 I've been working on following the NetBSD release branch (stable, aka netbsd-1-6). With the integration of a unified buffer cache into the virtual memory system, NetBSD-1.6 is the first NetBSD release with most of the core kernel features necessary to make a really viable, high-performance, production-quality system. As of 2003/09/14 I now have a full test release of NetBSD/alpha, NetBSD/sparc, and NetBSD/i386 built with all of the relevant changes from my previous -current release integrated into this new release, along with significant new development efforts as well. This new release is now running on both of my development servers, as well as on our main Internet (mail, web, DNS, etc.) server. I can make complete CD-ROM ISO images available to anyone interested in trying it out.
I also maintain a local variant of the NetBSD pkgsrc system. I build binary packages from this tree and use them to support various client sites running my custom NetBSD release. Once upon a time a great deal of effort was necessary to ensure binary packages produced from pkgsrc were correct, complete, and usable. Vast improvements in pkgsrc have made exclusive use of official binary packages much more viable of course, but I still need to be able to provide more timely support. My pkgsrc tree also has the beginnings of support for building statically linked packages, which greatly improves the performance of some software and drastically reduces the run-time interdependency maze that many packages suffer from.
Anyone interested in influencing, by way of monetary remuneration or other considerations such as hardware donations or connectivity offers, etc., how and when I do this work is welcome to contact me for further details.
woods-freeware-proj@weird.com