Tuesday, 13 April 2010

How to set the Bacula Storage Daemon's (bacula-sd) umask in Debian

The default Debian init script for the Bacula Storage Daemon does not provide a configuration option for the umask. Of course it is possible to append a --umask to the start-stop-daemon lines of the init script, but this is not update-safe and, last but not least, it changes the file's checksum, so intrusion detection scanners (debsums, tiger, ...) will complain about this file. This leads to an ignore rule in the IDS, which means more configuration, less security and more complexity.

The solution is to use a PAM module named pam_umask. It is contained in the package libpam-modules, which should be installed by default. After switching on the module, the only thing that needs to be done is to add a umask setting to the Bacula user's GECOS field.

For the copy-paste faction:
apt-get install libpam-modules
echo "session   optional   pam_umask.so" >> /etc/pam.d/common-session
usermod -c umask=027 bacula
/etc/init.d/bacula-sd restart
pam_umask can also be used this way to modify the umask of any specific daemon user without a shell.
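
pam_umask only affects processes that are started through a PAM session, so it is worth confirming that the running daemon really has the umask from the GECOS field. The following check is an added example, not part of the original post; the function names are made up here, and the Umask line in /proc/PID/status needs Linux 4.7 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): check that a daemon really runs
# with the umask requested in its user's GECOS field.

# Print the umask=NNN value from the GECOS field (5th passwd field) of USER.
# usage: gecos_umask USER [PASSWD_FILE]
gecos_umask() {
    awk -F: -v user="$1" '
        $1 == user {
            n = split($5, entry, ",")            # GECOS entries are comma separated
            for (i = 1; i <= n; i++)
                if (tolower(entry[i]) ~ /^umask=[0-7]+$/) {
                    print substr(entry[i], 7)    # text after "umask="
                    exit
                }
        }' "${2:-/etc/passwd}"
}

# Print the Umask field of a /proc/PID/status file (needs Linux 4.7 or newer).
# usage: proc_umask STATUS_FILE
proc_umask() {
    awk '$1 == "Umask:" { print $2; exit }' "$1"
}

# Succeed only if both values exist and are the same octal number.
# usage: umask_matches USER STATUS_FILE [PASSWD_FILE]
umask_matches() {
    want=$(gecos_umask "$1" "${3:-}")
    have=$(proc_umask "$2")
    [ -n "$want" ] && [ -n "$have" ] && [ "$((0$want))" -eq "$((0$have))" ]
}

# On a live system (pidof is an assumption about how you find the daemon):
#   umask_matches bacula "/proc/$(pidof bacula-sd)/status" && echo OK
```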

Saturday, 27 March 2010

TrueCrypt and Ubuntu 9

Today I installed True Crypt on an Ubuntu box. Tried apt-cache to search truecrypt without success. Cause I'm a damn good rtfm'er I continued using Google. Every page suggested compiling the sources. Not that I'm afraid of compiling source code, but hey, that's Ubuntu not Gentoo. So I stopped doing the rtfm stuff and had a look at the homepage of True Crypt. Downloaded a tar archive, extracted it and ran the extracted executable. A few seconds later I got True Crypt running on the box. Why are all the Linux guys always trying to compile things...

Friday, 26 March 2010

Debian Bacula vulnerability / security leak

Another shorty: Bacula is a neat backup tool and Debian provides maintained packages for it. But the install script opens a big security hole. It generates all the necessary configuration files for the file and storage daemons, the director and the console client. It also generates the user names depending on the host name. And it seems to do this job in a secure way, because the passwords for the Bacula users are long enough to be very secure. This is indeed very important because the file daemon runs as root, which is necessary so that the file daemon is able to back up the whole system. The only downside is that those passwords are neither generated nor does the installer ask for them. This makes many users believe that those passwords are generated and do not have to be changed. Combining those facts leads to the following situation: every default Bacula installation in Debian uses the same password to secure the file daemon, which is capable of reading all the files of the system as root. So every non-privileged user is able to use this daemon to get access to files he has no access to. |-|4\/3 4 L07 0Ph p|-|U|\|...
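
A defensive check for the situation described above, as an added example that is not part of the original post: it takes the bacula-fd.conf files collected from several hosts and reports which of them share a Password value, without ever printing the passwords. It assumes one directive per line and file paths without newlines; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): find Bacula passwords that are
# reused across hosts, e.g. because the packaged default was never changed.

# Print every file that shares a Password value with at least one other file.
# usage: shared_password_files bacula-fd.conf.hostA bacula-fd.conf.hostB ...
shared_password_files() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        tolower($0) ~ /^[ \t]*password[ \t]*=/ {
            pw = $0
            sub(/^[^=]*=[ \t]*/, "", pw)           # keep only the value
            sub(/[ \t]+$/, "", pw)                 # drop trailing blanks
            gsub(/^"|"$/, "", pw)                  # strip surrounding quotes
            if (!((pw, FILENAME) in seen)) {       # count each file once per value
                seen[pw, FILENAME] = 1
                files[pw] = files[pw] FILENAME "\n"
                count[pw]++
            }
        }
        END {
            for (pw in count)
                if (count[pw] > 1) printf "%s", files[pw]
        }
    ' "$@" | sort -u
}

# Return 1 and list the affected files on stderr if any password is reused,
# so the check can run from cron or a configuration-management pipeline.
# usage: audit_bacula_passwords FILE...
audit_bacula_passwords() {
    shared=$(shared_password_files "$@")
    [ -z "$shared" ] && return 0
    printf 'Bacula password reused in:\n%s\n' "$shared" >&2
    return 1
}
```

Every file it lists needs a new, individually generated password in the file daemon configuration and in the matching Client resource on the director.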

Monday, 15 February 2010

How to determine the size of all postgres databases

A manic Monday, reading log files, a big WTF: No space left on device external backups... WTF? .... 5 minutes later: found a reason: the backups of the test database server... 30 databases on this machine.... which ones are the biggest?

This query to the rescue:
select databases.datname, pg_database_size(databases.datname)/1024/1024 as size from (SELECT datname as datname FROM pg_database) as databases ORDER BY size DESC;

One test database with 1,4GB ... another one with 0.9G... WTF? - Drop database... war is over

Monday, 14 December 2009

Disable IPv6 in Debian Lenny Linux

And here is how to do this:
  • First, the stuff every web site is telling us: in /etc/modprobe.d/aliases replace/add the following mappings (I found this at fak3r.com):
    alias net-pf-10 off
    alias ipv6 off
  • If you are using a firewall script which loads all available modules before setting up the firewall, add the following lines to /etc/modprobe.d/aliases:
    alias ip6_queue.ko off
    alias ip6table_filter.ko off
    alias ip6table_mangle.ko off
    alias ip6table_raw.ko off
    alias ip6table_security.ko off
    alias ip6_tables.ko off
    alias ip6t_ah.ko off
    alias ip6t_eui64.ko off
    alias ip6t_frag.ko off
    alias ip6t_hbh.ko off
    alias ip6t_hl.ko off
    alias ip6t_HL.ko off
    alias ip6t_ipv6header.ko off
    alias ip6t_LOG.ko off
    alias ip6t_mh.ko off
    alias ip6t_REJECT.ko off
    alias ip6t_rt.ko off
    alias nf_conntrack_ipv6.ko off
    You can do this by executing:
    for module in `ls /lib/modules/YOUR-KERNEL-VERSION/kernel/net/ipv6/netfilter/`; do echo "alias $module off" >> /etc/modprobe.d/aliases; done
Hope this helps :-)

Thursday, 3 December 2009

Apache2 httpd, Apache Tomcat6 and rewrite problems

While configuring an Apache2 as a proxy for a bunch of Tomcats behind it, I found many postings that say "Use mod_rewrite and this set of rules" or "you have to use ajp and mod_jk". After some rtfm I found out that setting up an Apache2 httpd with multiple Apache Tomcats behind it, mapped using mod_proxy, is pretty simple and straightforward. Here is the HowTo:
1. Add a site to the apache2:
cat /etc/apache2/sites-enabled/artifactory
<Location /artifactory/>
    ProxyPass http://127.0.0.1:8100/artifactory/
    Order deny,allow
    Allow from all
</Location>
2. Enable mod_proxy by creating the following links (ln -s target) in /etc/apache2/mods-enabled/
proxy.conf -> ../mods-available/proxy.conf
proxy_http.load -> ../mods-available/proxy_http.load
proxy.load -> ../mods-available/proxy.load
3. Modify the content of /etc/apache2/mods-enabled/proxy.conf :
<IfModule mod_proxy.c>
ProxyRequests Off

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

</IfModule>
4. Reload the apache2 server:
/etc/init.d/apache2 reload
5. Modify $TOMCAT_HOME/conf/server.xml
Change from:
<Connector port="8100" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443" />
to
<Connector port="8100" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443"
proxyName="YourDomain.YourTLD" proxyPort="80"/>

Monday, 14 September 2009

DragImagePainter or Getting Around isDragImageSupported() on Windows

Last week I had an interesting conversation with a project manager at a meeting of the Scrum User Group in Dresden. He asked me why so many common tasks need to be reprogrammed in every project. I tried to answer that question and argued that things need to be implemented in a different way for different purposes... But today I came to the conclusion that he's right. Reimplementing common tasks is expensive and it happens too often.

"The customer wants to relayout some components on the fly using Drag and Drop. While dragging, a small drag image of the dragged component should be visible near the mouse pointer." - Sounds like a common use case to me. But Drag and Drop (DnD) in Swing does not support this. Of course Swing supports Drag and Drop out of the box - but only for a small number of components. I don't know why this feature is missing in a framework which has been in use for a decade. On my way to implementing this feature I stumbled upon the method isDragImageSupported() of the class java.awt.dnd.DragSource. Windows does not support adding a DragImage to the mouse pointer.

Google told me to look at Geertjan's Blog. He wrote a nice and informative article on how to implement this feature. Nicely done! But doing it the way he did means doing it again and again and the poor customer needs to pay for this :) As I want customers of IT companies to be happy I tried to save the world. First of all I called my brother in arms rosh. With combined holy hand grenades we wrote a kewl class called DragImagePainter. It needs to be instantiated in the java.awt.dnd.DragSourceListener. In the method dragOver of the java.awt.dnd.DragSourceListener a call to the function handleDragOver will do the magic. Feel free to use AND REUSE the following piece of code:
import java.awt.AlphaComposite;
import java.awt.Graphics2D;
import java.awt.Point;

import javax.swing.JComponent;

/**
 * Utility class for painting a scaled and semi-transparent image representation
 * of a dragged component while it's being dragged.
 *
 * @author Richi
 */
public class DragImagePainter {
    // 50% alpha, so the component underneath stays visible
    private static final AlphaComposite ALPHA_COMPOSITE = AlphaComposite.getInstance(AlphaComposite.SRC_OVER, 0.5f);
    private final JComponent rootComponent;
    private final JComponent draggableComponent;
    private final int offsetY;
    private final int imageWidth;

    private Point lastKnownCursorPosition;

    /**
     * @param rootComponent
     *            the root component of the current window
     * @param draggableComponent
     *            the component which is going to be dragged
     */
    public DragImagePainter(JComponent rootComponent, JComponent draggableComponent) {
        this.rootComponent = rootComponent;
        this.draggableComponent = draggableComponent;
        this.offsetY = -15;
        this.imageWidth = 50;
    }

    /**
     * Paints a scaled and semi-transparent image representation of the
     * draggableComponent provided in the constructor near the current mouse
     * pointer position.
     *
     * @param currentCursorPositionX
     * @param currentCursorPositionY
     */
    public void handleDragOver(int currentCursorPositionX, int currentCursorPositionY) {
        boolean imagePositionChanged = imagePositionChanged(currentCursorPositionX, currentCursorPositionY);
        if (imagePositionChanged) {
            double scaleFactor = calculateScaleFactor();
            int imageHeight = calculateImageHeight(scaleFactor);
            if (!isFirstRun())
                repaintLastKnownImageArea(imageHeight);
            Graphics2D rootComponentGraphics = (Graphics2D) rootComponent.getGraphics();
            try {
                paintDragImage(currentCursorPositionX, currentCursorPositionY, scaleFactor, rootComponentGraphics);
            } finally {
                // Graphics objects obtained via getGraphics() must be released
                rootComponentGraphics.dispose();
            }
            lastKnownCursorPosition = new Point(currentCursorPositionX, currentCursorPositionY);
        }
    }

    /**
     * Needs to be called on
     * {@link java.awt.dnd.DragSourceListener#dragDropEnd} to repaint the area
     * of the last painted drag image
     */
    public void handleDropEnd() {
        // Nothing was painted if the drag ended before the first dragOver
        if (isFirstRun())
            return;
        double scaleFactor = calculateScaleFactor();
        int imageHeight = calculateImageHeight(scaleFactor);
        repaintLastKnownImageArea(imageHeight);
    }

    double calculateScaleFactor() {
        return (double) imageWidth / draggableComponent.getWidth();
    }

    private int calculateImageHeight(double scaleFactor) {
        return (int) Math.ceil(draggableComponent.getHeight() * scaleFactor);
    }

    boolean imagePositionChanged(int currentCursorPositionX, int currentCursorPositionY) {
        return isFirstRun() || lastKnownCursorPosition.x != currentCursorPositionX
                || lastKnownCursorPosition.y != currentCursorPositionY;
    }

    void repaintLastKnownImageArea(int height) {
        rootComponent.paintImmediately(lastKnownCursorPosition.x, lastKnownCursorPosition.y + offsetY, imageWidth,
                height);
    }

    boolean isFirstRun() {
        return lastKnownCursorPosition == null;
    }

    void paintDragImage(int currentCursorPositionX, int currentCursorPositionY, double scaleFactor,
            Graphics2D rootComponentGraphics) {
        // Work on a copy so the transform and composite do not leak to the caller
        Graphics2D dragPictureGraphics = (Graphics2D) rootComponentGraphics.create();
        try {
            dragPictureGraphics.translate(currentCursorPositionX, currentCursorPositionY + offsetY);
            dragPictureGraphics.scale(scaleFactor, scaleFactor);
            dragPictureGraphics.setComposite(ALPHA_COMPOSITE);

            draggableComponent.paint(dragPictureGraphics);
        } finally {
            dragPictureGraphics.dispose();
        }
    }

}
Use in this way:
@Override
public void dragDropEnd(DragSourceDropEvent dragSourceDropEvent) {
    dragImagePainter.handleDropEnd();
}

@Override
public void dragOver(DragSourceDragEvent dragSourceDragEvent) {
    dragImagePainter.handleDragOver(dragSourceDragEvent.getX(), dragSourceDragEvent.getY());
}

Friday, 11 September 2009

Who is doing QA on selfhtml.org?

Not many words on this:
if (document.Testform.Art[0].checked == true) { ... }

Thursday, 3 September 2009

Sony Ericsson W995, Google Calendar and Google Sync

After a long time a shorty:
I'm using Gmail and the Google calendar. I was searching for a cell phone which is able to sync with my Google accounts. I've chosen the W995 since its price is half that of a G-Phone/I-Phone or Palm Pre and it fits my needs. It's fast, has a good battery AND since today it's able to synchronize my Google calendar items and mails. All you have to do is go to menu>organizer>synchronisation and set up a new Exchange Active Sync account:
  • Server address : https://m.google.com
  • Domain : Empty - this means leave this field blank
  • Username : your.name@googlemail.com (your full email address)
  • Password : 31337

Saturday, 20 June 2009

Stripes Image StreamingResolution

I'm often asked how to stream an image from sources like a database blob or a folder which is not shared by the servlet container to the client using Stripes. This is done by extending the class net.sourceforge.stripes.action.StreamingResolution. The simplest way:
public Resolution view( ) {
  ...
  String mimeType = getContext().getServletContext().getMimeType(fileName);
  final byte[] file = readFileToByteArray(absolutFilePath);//this method needs to be implemented
  return new StreamingResolution(mimeType) {
     @Override
     protected void stream(HttpServletResponse response) throws Exception {
        response.getOutputStream().write(file);
     }
  };
}
When streaming static content I'd recommend a more complex solution using headers to modify file names or caching behavior of the browser:
public Resolution view( ) {
  ...
  String mimeType = getContext().getServletContext().getMimeType(fileName);
  final byte[] file = readFileToByteArray(absolutFilePath);//this method needs to be implemented
  StreamingResolution resolution = new StreamingResolution(mimeType) {
     @Override
     protected void stream(HttpServletResponse response) throws Exception {
        // Response headers have to be set before the body is written
        Calendar calendar = Calendar.getInstance();
        calendar.add(Calendar.DAY_OF_YEAR, 30);
        Date expires = calendar.getTime();
        response.setDateHeader("Expires", expires.getTime());
        response.getOutputStream().write(file);
     }
  };
  // setFilename() has to be called before the resolution is executed:
  // Stripes writes the Content-Disposition header before it calls stream()
  resolution.setFilename("TheHolyHandGranade.gif");
  return resolution;
}
Hope this helps :-)
