Thursday, March 29, 2007

Apple's Mac 10.4.9 Update breaks CPAN access to Fink when using sudo

The short story: as a new security measure, the latest version of sudo strips out various environment variables pertaining to Perl. If you have been using an older version of sudo on any *NIX (certainly if you're using Mac OS X), your old version of sudo did not behave this way. This may change the behavior of any scripts you run with sudo.

More explanation:

Apple's latest OS X update, Mac OS X 10.4.9 Combo Update, includes Security Update 2007-003.

If you have installed either of these updates, you have a new version of sudo, which will prevent CPAN (and any other Perl script you run as root via sudo) from accessing any libraries you have installed with Fink. For that matter, this would apply to any custom installations into non-default directories, such as /usr/local/. Projects other than Fink, including GnuDarwin, are possibly affected - I don't use any of the others so I'm not sure.

The real source of the problem (which will probably end up affecting users of many other operating systems and programs, not just Mac/Perl) is that the latest version of sudo has a new security check which strips out all environment variables except a few. Apparently older versions of sudo have been doing this for a while (perhaps always, I'm not sure) but the latest change is that PERL5LIB, PERLLIB and PERL5OPT are now included amongst the variables that get stripped out.

I have my .profile loading the fink script that sets the PERL5LIB variable up for both my regular user and root (which is the way Fink is configured by default), but in spite of this (and even when I manually set PERL5LIB in .profile), my custom PERL5LIB does not get picked up when I run CPAN with sudo anymore.

The solution I found is to edit my sudoers config and add the following:

Defaults env_delete-="PERLLIB PERL5LIB PERL5OPT"

This "subtracts" those variables from sudo's list of variables to remove. In effect it "undoes" the latest security update with a configuration override, so consider carefully whether you want to override it or not.

I tried adding:

Defaults env_keep+="PERLLIB PERL5LIB PERL5OPT"

(env_keep is in the sudoers manpage), but apparently env_keep doesn't work that way.

I'm sure that overall, sanitizing the environment variables for sudo is a good thing, but the unexpected change sure threw me for a loop when things suddenly started breaking.

This is a classic example of why you shouldn't install any updates of any kind, including security updates, on production servers, without first analyzing exactly what the update is going to change! :-)
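Because an override like the ones above quietly reverses the new sanitizing, it helps to be able to find such lines again later. The script below is an added example, not part of the original post: it scans sudoers text for Defaults entries that let PERLLIB, PERL5LIB or PERL5OPT through sudo. The function names and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report sudoers Defaults
# entries that let Perl's environment variables through sudo.
# Limits: does not follow include directives or backslash continuations.

# Constructed sample input. The first two Defaults lines are the two
# overrides quoted in the post; the rest are made up for contrast.
sample_sudoers() {
cat <<'EOF'
# /etc/sudoers (constructed sample)
Defaults env_delete-="PERLLIB PERL5LIB PERL5OPT"
Defaults env_keep+="PERLLIB PERL5LIB PERL5OPT"
Defaults:deploy env_keep += "HOME PERL*"
Defaults env_delete+="PERL5OPT"
# Defaults env_keep+="PERL5LIB"
root ALL=(ALL) ALL
EOF
}

# Reads sudoers text on stdin; prints "LINE:SETTING:VARIABLE" per finding.
audit_sudoers() {
    awk '
    function scan(line, re, label,    val, n, i, j, tok, pre, star) {
        while (match(line, re)) {
            val = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            sub(/^[^=]*=[ \t]*/, "", val)   # drop the "name op" prefix
            gsub(/"/, "", val)              # drop the surrounding quotes
            n = split(val, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                pre = tok[i]; star = sub(/\*$/, "", pre)  # trailing wildcard
                for (j = 1; j <= 3; j++)
                    if (tok[i] == perl[j] || (star && substr(perl[j], 1, length(pre)) == pre))
                        print NR ":" label ":" perl[j]
            }
        }
    }
    BEGIN { split("PERLLIB PERL5LIB PERL5OPT", perl, " ") }
    /^[ \t]*Defaults/ {   # commented-out lines start with "#" and are skipped
        scan($0, "env_delete[ \t]*-=[ \t]*(\"[^\"]*\"|[^ \t,]+)", "env_delete-=")
        scan($0, "env_keep[ \t]*[+]?=[ \t]*(\"[^\"]*\"|[^ \t,]+)", "env_keep")
    }'
}

sample_sudoers | audit_sudoers
```

To check a real configuration, feed the file in as root, for example `audit_sudoers < /etc/sudoers`.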

Friday, March 23, 2007

KDE Konsole Usage Survey

Robert Knight (Konsole lead maintainer) has posted a usage survey concerning the Konsole application. To quote the survey:

" The aim of this survey is to collect information about the needs of Konsole's current users, and how they use the software. This information will be used to design the facilities for setting up the terminal and saving / restoring the state of the terminal in KDE 4.

This survey has 28 questions spread over 5 pages. All of the questions are optional. Question number 28 allows you to provide any additional comments which you would like the developers to read. "

So if you're a KDE Linux user and you like the Konsole, why don't you head on over to the survey and help Robert out?

Wednesday, March 21, 2007

CPU reviews for the average Linux Desktop user

I had a look around the net trying to find some useful reviews comparing CPUs for the average Linux office-program desktop user.

There are a great deal of articles on the web reviewing CPUs, but they tend to have several problems.

The worst problem by far is that most articles tend to compare the CPU being reviewed with either the last ones reviewed, or the last few previous releases of any given CPU (and its competitor).

Now in the 90's, that would have been ok, but nowadays there are new CPUs being released practically every month (if not more often), and there's also an incredible number of CPU families that are not usually compared to each other in a review.

So, for example, reviews that take the two very latest Intel and AMD DualCores and compare them to each other are pretty much worthless for a lot of people - it's like comparing apples from different sides of the same tree (or off the same branch). How does the latest CoreDuo compare to last year's 64 bit Opteron? Best wishes on the hunt to find articles like that.

Like many office users, I don't care how fast a CPU runs 3D programs, games and video/audio encoding.

What runs KDE the fastest when you have all the standard office applications running (FireFox, OpenOffice, Kontact) and SpamAssassin starts sucking the life out of your box while Kontact checks for new mail?

Yes, there are plenty of CPU reviews out there, but most of them do not tell me if the latest Dual-Core 64-bit Whoopie runs Kcalc, emacs or apache faster than my P4 2.8 GHz. Most of them focus on gaming, 3D, floating point intensive Windows applications. I'm not interested in that.

To my relief I found that Tom's Hardware does in fact have a database with the last few years' worth of processors compared at http://www23.tomshardware.com/cpu.html.

Best of all, they let you pick what benchmark you want to use to compare the CPU, including some more "normal" comparisons such as printing a 200 or 950 page MS Office file to PDF, and even some multi-tasking benchmarks such as running PDF making while AVG Antivirus is scanning, or decompressing a file while Photoshop is running.

If anyone else knows of some good basic CPU reviews (not 3D, game and video oriented), please leave a comment - I'd love to hear about it.

- JW

Tuesday, March 6, 2007

An Easy Linux-VServer Tutorial

At work we are always needing "one more computer . . ." for endless tasks, tests, development environments, secure areas, workspace for "untrusted" personnel that does not give them access to the rest of our project areas - the list is endless.

We've tried quite a lot of things over the years, including attempting to roll my own secure "jailed" system using SELinux on SuSE combined with a mini Debian install in a chroot jail (it didn't work :-) ).

Other projects that deserve honorable mention include bochs, xen, various jails and restricted shell, VMWare, VirtualBox.

Recently I've come across "Linux-VServer", which gave me a refreshing surprise: it is easy to install and use, reasonably secure, and certainly self-contained.

I found a pretty good, brief article describing how to set up Linux-VServer under Debian Etch, but it left out a few important details (like how to get ssh access to your new install!), so I wrote a "helper" article describing in more detail the steps for a quick, easy install.

If you are interested you can read my article here:

http://www.cedarcreeksoftware.com/articles/general/an-even-easier-linux-vserver-tutorial.html