Wednesday, August 21, 2013

SUDO - sudo: /etc/sudoers is mode 0755, should be 0440 error

Sudoers is a policy file to determine who and what you can run with sudo command. When sudo command is executed, it will check it permission and make sure it is only at read only mode 0440.

Sudoers file is owned by Root and should only be changed by Root. So, if you encounter error such as

sudo: /etc/sudoers is mode 0755, should be 0440

That means someone, most likely Root, had changed the permission of Sudoers file.

A lot of post said that you need reboot PC, boot into recovery mode, etc.. but they are overkill.

If you are a normal user, report this to your Root administrator.

If you have access to Root account, do the following

1. Login to Root as super user via su command. It will require you to enter Root password

su root

2. cd to /etc

cd /etc

3. Change the permission for the file

chmod 0440 sudoers

4. Exit super user mode

exit

That all. You do not need to reboot or boot into recovery mode at all.

Tuesday, August 20, 2013

NTP Timestamp Reloaded

As I am still getting questions regarding NTP Timestamp calculation, I should reload this topic and provide more detail information 

About NTP Timestamp

1. NTP timestamp uses 64 bits representation and consists of 2 parts, first 32-bits is the Integer Part that represent the seconds and the next 32-bits is the Fraction Part that represent fractional of a second

According and referencing RFC 958 for point 2 and 3

 NTP timestamps are represented as a 64-bit fixed-point number, in
 seconds relative to 0000 UT on 1 January 1900 (See Point 2). The integer 
 part is in the first 32 bits and the fraction part in the last 32 bits, as
 shown in the following diagram.

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                         Integer Part                          |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                         Fraction Part                         |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

 This format allows convenient multiple-precision arithmetic and
 conversion to Time Protocol representation (seconds), but does
 complicate the conversion to ICMP Timestamp message representation
 (milliseconds).  The low-order fraction bit increments at about
 0.2-nanosecond intervals (See point 3), so a free-running one-millisecond 
 clock will be in error only a small fraction of one part per million, or
 less than a second per year.


2. First 32-bits is simply seconds. 2^32 bits seconds means it will rolls over every 136 years. NTP elapse since epoch of Jan 1, 1900

3. Next 32-bits is fractional of a second. In theory, it can have a resolution of 2^-32 seconds (233 picoseconds)

Calculating NTP Timestamp

In order to calculate NTP timestamp, you need the following step

1. Break your time value into 2 parts
     a) Integer Part that represent in seconds
     b) Fraction Part that represent in microsecond. (Note, you can use millisecond or others and simply do     the conversion)

2. Calculate the Integer Part. All you need is to make sure your seconds is represented since 1 January 1900 and assign it to the first 32-bits of NTP timestamp

3. Calculate the Fraction Part. This is the part that is most confusing. Let's think in this way. Imagine you save $10 when your original cost is $50 and  you want to know dollar discount in percentage, you will do the following: $10 / $50 * 100 = 20%. That actually means to represent your dollar discount in 100 parts. Same to calculating Fraction Part of NTP. Since NTP has a theoretical resolution of picoseconds, it is common to convert the fractional part of time value to picoseconds and represent the picoseconds in 2^32 parts. So, the generic formula will be (N in microseconds) / 10^6 * 2^32. After the calculation, assign the value to the next 32-bits of NTP timestamp.

Useful Link

Unix Timeval is very commonly used to compute NTP timestamp. Please note the following

1. tv_sec elapse since 1 Jan 1970, thus, you need to do a conversion to NTP second representation since 1 Jan 1900
2. tv_usec is in microsecond which is good for Fractional Part calculation
 

RFC 958 describe NTP Protocol http://tools.ietf.org/html/rfc958

Wiki provide a good overview of NTP http://en.wikipedia.org/wiki/Network_Time_Protocol

Monday, August 19, 2013

SUDO - Retain Root Environment Variable

Just a note to remind myself instead of searching on Google all the time

As always, when I tried to sudo a command that requires Root environment variable, the OS will tell me that environmental variable is not set. This is because sudo reset environment variable to prevent leakage of Root information due to security reason

If you have some environment variable such as

export XXX=/usr/local/XXX/

and if you perform a command require XXX environment variable

sudo xxx_cmd

you will have problem running it.

2 ways to solve this issue

Using sudo -E

You can use -E options in sudo to preserve environment variable. This will override env_reset option in sudoers.

sudo -E xxx_cmd

This is a quick one time command to execute a command that require Root environment variable

Modifying /etc/sudoers

sudoers file contains a list of rules on which users may execute what when sudo command is executed.

There is a whole list of things you can do with sudoers file, but, I will not be going through here. Please see http://www.sudo.ws/sudoers.man.html

If you take a look at /etc/sudoers, you will see a line

Defaults env_reset

This tell sudo to run in minimal environment and only keep any variables in the caller's environment that match the env_keep and env_check lists are then added.

So, to make things works, do the following

1. Open /etc/sudoers with any editors

2. Add the following to append XXX environment variable to env_keep

Defaults env_keep += "XXX"

3. Make sure your user environment variable contain XXX as well.

4. Execute sudo xx_cmd will work now

This solution provide a long term fix if your environment variable are used frequently.




Friday, August 16, 2013

Cygwin - Install SSH Server in Cygwin

Sometime, you will want to have SSH server running in Cygwin. In order to run SSH server in Cygwin, you will need SSH Daemon (sshd) to be configured.

Below are some steps to configure Cygwin to run sshd

1. Open Cygwin and run ssh-host-config

2. During the configuration, it will ask the following question

a) Should privileges separation be used?

Enter yes

b) New local account 'sshd'?

Enter yes

c) Do you want to install sshd as a service?

Enter yes. This will allow you to log into Cygwin even when Cygwin window is not running

d) Enter the value of Cygwin for the daemon?

Enter ntsec

e) "cyg_server' will only be used by registered services. Do you want to use a different name?

Enter no. Default work well

f) Please enter the password

Enter a password for cyg_server user

g) After this, the installation should be complete.

h) Type net start sshd to start the service

i) Now, you can use any SSH client to connect to your Cygwin sshd via localhost with port 22

Troubleshooting

1. SSH client cannot connect to Cygwin sshd

Make sure sshd is running. You can check your Windows services to ensure the sshd service is running.

If sshd is not running, check the sshd service vis Services -> Logon. Change to Logon as Local System Account may help

2. Able to connect sshd vis SSH Client, however, authentication failed.

Use mkpassword to configure Cygwin account by creating a /etc/passwd from your system information

ie, mkpasswd -l -p "$(cygpath -H)" > /etc/passwd

See http://www.cygwin.com/cygwin-ug-net/using-utils.html#mkpasswd

mkpasswd may bring over your system password to /etc/passwd, however, the password may not be usable/understand by Cygwin.

So, you may need to use passwd command to change the user password. After this, you should be able to log into Cygwin via SSH client

Sed - Example guide

sed is a very useful stream editor to perform search and replace. Below are some useful tip 1. Usage sed 's/apple/orange/' file...