Advantages using aptitude instead of apt-get

apt-get is a command-line package handling utility, while aptitude is a high-level interface to the package manager. There isn’t much difference between the two, except that aptitude removes unused package dependencies automatically, whereas with apt-get you have to do it manually. Neither removes dependencies that are still in use, as that would cause problems. Dependencies are packages that other packages depend on. You don’t want to remove them.

To remove unused packages with apt-get use

sudo apt-get autoremove

With aptitude there is nothing to do as it’s automatic.

Debian backports and pinning

I’m running Debian Etch because I prefer the stable Debian package tree. This is all great, but the software is a little outdated compared to other distributions like Ubuntu. That is where backports come in. Backports are recompiled packages from testing (mostly) and unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever possible) on a stable Debian distribution. The backports project recommends picking out the single backports that fit your needs rather than using all the backports available.

Using backports is simple

  1. Add this line to your /etc/apt/sources.list
    deb http://www.backports.org/debian etch-backports main contrib non-free
  2. Run
    apt-get update

    You might get an error message

    Reading package lists... Done
    W: GPG error: http://www.backports.org etch-backports Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EA8E8B2116BA136C
    W: You may want to run apt-get update to correct these problems

    This message appears on Debian Etch because you haven’t imported the backports keyring. It’s easily fixed by running the command

    apt-get install debian-backports-keyring
  3. Since all backports are deactivated by default, you have to tell the package manager to use the backports repository. To install a newer version of nmap
    apt-get -t etch-backports install nmap

It is important to remember that if you forget to tell apt-get that nmap is installed from backports and run another apt-get install nmap, it will remove the backports package.

A simple solution to this is to use pinning.
Edit /etc/apt/preferences; the file has to be created if you haven’t used pinning before.

Package: nmap
Pin: release a=etch-backports
Pin-Priority: 999

Now the system “remembers” that nmap is installed from the backports repository and you don’t have to worry about it anymore, nice.

Source: http://www.backports.org/

Enable DVD playback on Ubuntu 7.10

  1. Open a terminal window.
  2. Execute the following terminal command to install the necessary packages
    sudo apt-get install totem-xine libxine1-ffmpeg libdvdread3
  3. Execute the following terminal command
    sudo /usr/share/doc/libdvdread3/install-css.sh

After you have done the above exercise, insert a DVD into your drive. Totem will open and the movie will be played.

Making /tmp non-executable

Many simple exploits used against machines (via vulnerable PHP applications, local users, etc.) rely upon being able to execute commands in /tmp. If this is a separate partition or file system, you can gain some protection by marking it non-executable. The common problem with this is that apt-get fails to work with such a setup.

When you mount a partition there are many flags that can be used, two interesting ones are:

noexec
nosuid

(A full list can be read as part of man mount).

The two flags are explained fully in the man page for mount, but briefly:

  • noexec
    • Do not allow execution of any binaries on the mounted file system.
  • nosuid
    • Do not allow set-user-identifier or set-group-identifier bits to take effect.

Mounting filesystems with these flags set raises the bar a little, but it doesn’t stop files from being executed. The Linux dynamic linker and loader will still run a binary when it is invoked on it directly:

# Make /tmp non-executable
root@earth:~# mount -o remount,noexec /tmp

# Copy an executable into it
root@earth:~# cp /bin/ls /tmp
root@earth:~# chmod 755 /tmp/ls

# Test it - the execution should fail.
root@earth:~# /tmp/ls
bash: /tmp/ls: Permission denied

# But .. what's this?  It still runs?
root@earth:~# /lib/ld-linux.so.2 /tmp/ls
Mail  public_html  

# cleanup
root@earth:~# rm /tmp/ls
root@earth:~# mount -o remount,exec /tmp

With that in mind, you might wonder what the point is. Well, it foils any simplistic attack that relies upon putting a script in /tmp and running it. An attacker who has shell access can probably figure it out, but an automated tool would be foiled – for the moment.

To make your system have a non-executable /tmp partition you must edit the way that it is mounted in the file /etc/fstab. Find the line that contains /tmp and change the defaults to read nosuid,noexec instead.

For example this is my updated /etc/fstab file:

/dev/sda3       /tmp              ext3  noexec,nosuid           0       2

This will take effect the next time you mount the filesystem. You can do this now with:

mount -o remount /tmp

Verify it by running:

root@earth:/tmp# mount |grep /tmp
/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid)

The output line should contain the two words ‘noexec,nosuid’ in it. If this is in place then you’re covered.
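A scriptable version of this check, as an added example that is not part of the original article: it reports which of noexec and nosuid a mount point lacks. The function name, the sample_mounts helper and the sample lines are assumptions made for illustration; because /etc/fstab shares the same first four fields as /proc/mounts, the same function can check both the live mount and the persistent entry.

```shell
#!/bin/sh
# missing_mount_opts MOUNTPOINT [MOUNTS_FILE]   (hypothetical helper name)
# Prints the hardening options (noexec, nosuid) that MOUNTPOINT lacks,
# space-separated, or "not-mounted" if MOUNTPOINT has no entry of its own.
# MOUNTS_FILE uses the /proc/mounts layout (device mountpoint fstype options ...);
# it defaults to /proc/mounts, and "-" reads from standard input.
# Exit status: 0 = both options present, 1 = something missing, 2 = no entry.
missing_mount_opts() {
    mp=$1
    src=${2:-/proc/mounts}
    # The last matching line wins, because later mounts shadow earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$src")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=""
    for want in noexec nosuid; do
        # Wrap in commas so "nosuid" cannot match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
    [ -z "$missing" ]
}

# Constructed sample in /proc/mounts layout (not taken from a real host).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda4 /var/tmp ext3 rw,nosuid 0 0
EOF
}

# Demo on the constructed sample; on a real host run: missing_mount_opts /tmp
for m in /tmp /var/tmp; do
    printf '%s: missing [%s]\n' "$m" \
        "$(sample_mounts | missing_mount_opts "$m" - || true)"
done
```

Running it against the live mount table after a package upgrade also catches the case where /tmp was remounted executable and never switched back.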

The only problem now is that when apt-get upgrades your system it will sometimes place scripts inside the temp directory which will now not be executable.

The fix for this is to temporarily make the temporary directory executable before running apt-get and then remove the execution bits afterwards. This would be a troublesome thing to remember doing ourselves – but thankfully we can set it up to be automatic.

Add the following to the file /etc/apt/apt.conf:

DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

In Debian Etch (4.0) the file is named /etc/apt/apt.conf.d/70debconf.

This contains two lines, one running before any package installation and one afterwards. They merely execute the commands required to add and remove the execute permissions on /tmp.

Source: http://www.debian-administration.org/articles/57

Install Geo::IP Perl Module on Debian Etch

This post describes how to install the MaxMind Geo::IP Perl module on Debian Etch.

You need the GeoIP C library (which also includes the free GeoLite Country database). Fortunately, this is available in the Debian repositories.

apt-get install libgeoip1 libgeoip-dev

To install the GeoIP Perl module, we need to download it locally from MaxMind or from CPAN. Uncompress the file and compile.

perl Makefile.PL
make
make test
make install