Plasma desktop can't unlock session?

If you tried the steps in this topic and they didn't help, you're probably using Gentoo. I came across this bug with ~5.3.1.

Stracing gave me the following sequence:

$ cat dafuqtrace.out | grep pam.d
stat("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/etc/pam.d/kde", O_RDONLY) = 3
open("/etc/pam.d/other", O_RDONLY) = 3
read(3, "auth required\n"..., 4096) = 128

What the hell? It looks for the kde PAM service file and then skips right to "other", which denies authentication without asking a single question.

If you have the same problem, try symlinking:

$ ln -s /etc/pam.d/system-auth /etc/pam.d/kde
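An added example, not from the original post, that reproduces the lookup PAM performs here: Linux-PAM reads /etc/pam.d/<service> if that file exists and otherwise falls back to /etc/pam.d/other, which on most systems is a deny-everything stanza. The pamdir parameter is an assumption so the check can be run against a copy of the directory; it models only the missing-file fallback, not what happens when a service file exists but is unusable.

```shell
#!/bin/sh
# Added example, not from the original post: emulate Linux-PAM's service
# lookup so you can see which /etc/pam.d file a service really gets, and
# whether that file denies authentication outright, before reaching for
# a symlink. PAMDIR defaults to /etc/pam.d and is an assumed parameter.

# Print the file PAM reads for SERVICE: PAMDIR/SERVICE if present,
# otherwise the catch-all PAMDIR/other.
pam_service_file() {
    service=$1
    pamdir=${2:-/etc/pam.d}
    if [ -f "$pamdir/$service" ]; then
        printf '%s\n' "$pamdir/$service"
    else
        printf '%s\n' "$pamdir/other"
    fi
}

# Return 0 when FILE has no "auth" entry other than pam_deny.so, i.e. no
# auth line that could ever succeed (a missing file counts as denied).
pam_file_denies_auth() {
    file=$1
    if grep -v '^[[:space:]]*#' "$file" 2>/dev/null \
        | awk '$1 == "auth"' | grep -qv 'pam_deny\.so'; then
        return 1    # at least one auth module that is not pam_deny
    fi
    return 0
}

# Resolve SERVICE and report; exit status 1 means logins through this
# service cannot succeed (the symptom the strace above shows for "kde").
pam_check() {
    service=$1
    pamdir=${2:-/etc/pam.d}
    file=$(pam_service_file "$service" "$pamdir")
    if pam_file_denies_auth "$file"; then
        printf '%s -> %s: auth is denied unconditionally\n' "$service" "$file"
        return 1
    fi
    printf '%s -> %s: looks usable\n' "$service" "$file"
    return 0
}
```

Run `pam_check kde` before and after creating the symlink: with no /etc/pam.d/kde it resolves to "other" and exits 1; once kde points at system-auth it resolves to the real stack.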

Portable servers w/ questionable security benefits

I've discovered that systemd has added a container utility called systemd-nspawn. It's basically chroot on steroids. I don't think it's comparable to Docker (I think Docker is an over-engineered solution on the microkernel path anyway).
Well, I decided to give it a shot even though they don't consider it stable yet.

I tried adding a bit of encryption. Data on bare-metal servers normally sits there unencrypted, a sitting duck (mainly because encryption seems hard, or because you trust your data center and country). If someone reboots the server and adds "rescue" to the GRUB kernel line, they get a root prompt, and it's goodbye to your sensitive personal or commercial information!

I'm not sure about the security aspects yet; I'm still exploring the possibilities. But at least I can say it's "good enough".

Here is the plan:

  • Install your favorite distro on the server (with systemd). Let's call it L0.
  • Create and mount an encrypted block device large enough for you (LUKS, for example).
  • Create a chrooted install inside this partition (L1).
  • Dive in and set up your apps inside this chroot. Everything lives inside: your apps, your configs, your data.
  • Back up this block device in binary form (from L0). rsync's "copy-devices" option lets it send deltas of the encrypted device.
  • Profit!?

This prevents someone with physical access from tampering with the data. If someone reboots the server, they will need to remount the encrypted partition manually (which needs the decryption password). You can also copy the partition n times (L2, L3...) for other services (lol Docker?!).
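The L0-side workflow for the plan above, as an added example that is not the author's script. It uses cryptsetup for the LUKS container and systemd-nspawn to boot L1; the device path, the mapper name "l1crypt", the mount point and the debootstrap bootstrap step are assumptions, the commands need root, and DRY_RUN=1 prints the commands instead of executing them. The extra check it adds is the one worth having after a reboot: refuse to boot the container unless its root really sits on a dm-crypt mapping, otherwise the apps would quietly start writing to the unencrypted host disk.

```shell
#!/bin/sh
# Added example, not the post author's code: create, start and back up an
# encrypted systemd-nspawn container from the host (L0). All device names,
# paths and the bootstrap command are assumptions. Set DRY_RUN=1 to print
# the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup: LUKS container on DEV, filesystem, mount at MNT, then a
# base system inside it (debootstrap is an assumed, Debian-style example).
create_l1() {
    dev=$1 name=$2 mnt=$3
    run cryptsetup luksFormat "$dev"
    run cryptsetup open "$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
    run debootstrap stable "$mnt"
}

# lsblk reports TYPE "crypt" for dm-crypt mappings; LVM volumes also live
# under /dev/mapper, so match on the type rather than on the path.
backing_type_is_crypt() {
    [ "$1" = crypt ]
}

# Is the filesystem mounted at MNT backed by a dm-crypt mapping?
container_root_is_encrypted() {
    src=$(findmnt -no SOURCE "$1") || return 1
    backing_type_is_crypt "$(lsblk -no TYPE "$src")"
}

# After a reboot: unlock (prompts for the passphrase), mount, verify, boot.
start_l1() {
    dev=$1 name=$2 mnt=$3
    run cryptsetup open "$dev" "$name"
    run mount "/dev/mapper/$name" "$mnt"
    if [ "${DRY_RUN:-0}" != 1 ] && ! container_root_is_encrypted "$mnt"; then
        printf 'refusing to start: %s is not on a dm-crypt mapping\n' "$mnt" >&2
        return 1
    fi
    run systemd-nspawn -D "$mnt" -b
}

# Binary backup of the whole LUKS device: only ciphertext leaves the host.
# Stop the container first (e.g. machinectl poweroff) and detach the device
# so the image is consistent. --copy-devices is the rsync option the post
# mentions; it ships as a patch and is not present in every rsync build.
backup_l1() {
    dev=$1 name=$2 mnt=$3 dest=$4
    run umount "$mnt"
    run cryptsetup close "$name"
    run rsync --copy-devices --inplace "$dev" "$dest"
}
```

Typical use: `create_l1 /dev/sdb1 l1crypt /srv/l1` once, `start_l1 /dev/sdb1 l1crypt /srv/l1` after every reboot, and `backup_l1 /dev/sdb1 l1crypt /srv/l1 backup@host:l1.img` when the container is down.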

Also, moving your fully working server becomes copying one big file with this method, a.k.a. portability.
Another plus should be the cgroups-related benefits of containers (didn't try this one), for example: resource limiting!!

Maybe you can create a more secure or easier solution with an encrypted LVM partition, or even Docker/LXC, but hey, we're experimenting here!

So far, my experiment works (you can access my blog, right?).


S██████ Censorship! - [Tr]


TTNet's "Gezinti" nonsense has started taking me to weird ad pages out of nowhere. They try to snoop and can't even manage that. Last night I snapped and decided that from now on all my connections except big downloads go over OpenVPN, and my DNS queries are handled with dnscrypt. You can get detailed information about what's going on from kame.


Binary fun

I like using Zsh. Today I accidentally entered the command "yop" and Zsh asked:

$ zsh: correct 'yop' to 'top' [nyae]?

I'm familiar with this question and with pressing y afterwards, but I thought just pressing Enter should be fine. I checked the documentation for a configuration option: nope. Some people even suggest recompiling zsh.

Then I tried opening the zsh binary with hexedit and changing the 2 "nyae" strings I found to "ynae". It worked:

$ zsh: correct 'yop' to 'top' [ynae]?
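The same edit done as a script, as an added example that is not part of the original post: a fixed-width string swap in a binary, with the checks you want before touching an executable. The replacement must be exactly the same length (so no byte after it shifts), the number of occurrences is stated up front (the post found two), the original is never modified in place, and the result is verified by size and occurrence count. The function names and the constructed sample input are assumptions; the sed step relies on GNU sed's binary handling, which is where the alphanumeric-only restriction on the strings comes from (no regex metacharacters reach sed).

```shell
#!/bin/sh
# Added example, not from the original post: replace a same-length string
# in a binary (as the hexedit session did for "nyae" -> "ynae") with
# sanity checks. Usage: patch_string SRC DST OLD NEW EXPECTED_COUNT

# Count occurrences of STRING in FILE; -a treats the binary as text and
# -o prints one match per line, so every hit is counted separately.
count_string() {
    LC_ALL=C grep -a -o -- "$2" "$1" | wc -l | tr -d ' '
}

patch_string() {
    src=$1 dst=$2 old=$3 new=$4 expect=$5
    # Same length: a longer or shorter string would shift every byte after it.
    [ ${#old} -eq ${#new} ] || { echo "length mismatch" >&2; return 1; }
    # Keep the strings regex-free so they can be dropped into sed verbatim.
    case "$old$new" in
        *[!A-Za-z0-9]*) echo "alphanumeric strings only" >&2; return 1 ;;
    esac
    # Refuse to patch a binary that does not look like the one you studied.
    n=$(count_string "$src" "$old")
    [ "$n" -eq "$expect" ] || { echo "expected $expect occurrences of $old, found $n" >&2; return 1; }
    pre=$(count_string "$src" "$new")
    # Write a new file; the original stays untouched as the backup.
    LC_ALL=C sed "s/$old/$new/g" "$src" > "$dst" || return 1
    # Verify: identical size, old string gone, new string present as expected.
    [ "$(wc -c < "$src" | tr -d ' ')" -eq "$(wc -c < "$dst" | tr -d ' ')" ] || return 1
    [ "$(count_string "$dst" "$old")" -eq 0 ] || return 1
    [ "$(count_string "$dst" "$new")" -eq $((expect + pre)) ] || return 1
}
```

For the zsh case: `patch_string /bin/zsh ./zsh.patched nyae ynae 2`, then diff the two with `cmp -l` to confirm only the expected bytes changed before installing the result.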