How To Patch The Debian 6 Squeeze Shellshock Bug

Debian I run a few webservers at work that are internal facing only (intranet) that run Debian 6 Squeeze.  I’ve been monitoring the Shellshock exploit since it was discovered a few weeks ago and have been looking for a way to get those few systems patched…despite them existing only internally.  Patches for Squeeze-lts (long term release) were released quickly and then just a last week, another patch was put into play as well.  I decided to go ahead and patch these internal systems and since I couldn’t find much out there for blog posts on how to do it…I decided to share how I did it.

Difference Between Squeeze and Squeeze-lts

The difference between Squeeze general and Squeeze-lts is that the LTS (long term support) repositories will continue to receive backported patches from the current release tree (which is version 7 for Debian).  I didn’t originally install/setup these two internal servers so the first thing I have to do is get the version of Debian these servers are running and then check to see if they are using the LTS repositories.

Finding Your Version of Debian

lsb_release -a

This command returns a vanilla squeeze install for me.

Changing Repositories to LTS

Now to see which repositories are enabled.

nano /etc/apt/sources.list

You should open your sources list with your favorite text editor.  If you just have vanilla sources like the two servers I have you can just comment out the sources listed there and paste the following:


deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free

deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free

deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Now that your sources have changed, update and patch your system:

 apt-get update && apt-get upgrade && apt-get dist-upgrade

Checking To See if You still Vulnerable

You can use bash itself to see if you’re vulnerable to the bug.  Execute the following command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

This should return the following if you are patched:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

If you’re not patched…the word ‘vulnerable’ will appear in your results.

Further Reading on Shellshock

You can read further about how to switch to LTS repositories here:  https://wiki.debian.org/LTS/Using

For more reading on the Shellshock bug, how it is being exploited and the history/timeline, see here:  http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Manjaro KDE Notes

manjaro kdeThis week I decided to step up from Window Manager Manjaro Openbox and give the latest version of the Desktop Environment in KDE try.  I’m one of those odd people who love minimalist desktops like openbox, xmonad, and i3 but still have a soft spot in their hearts for KDE.  We’re few in number and many with insanity. 🙂

So I downloaded Manjaro KDE edition and installed it onto my Dell Latitude D630 laptop.  Upon first boot, everything looks professional and nice.  The bootscreen is professional and the desktop has a common theme that is pleasant to look at.

 

Then I went into the menu to see what programs come installed by default.  Bleh…everything with a bag of chips, the receipt, and then even more.  Too much mess.  Multiple entries for single programs.  It’s a mess in there.

4 entries for the ‘Marble’ program greet me inside of the ‘Education’ area.  FOUR?  This is very simple to fix…you simply right click the menu button and choose ‘edit applications’ but how does something like that make it past the QA process?

Sound was muted across the board by default….I’m pretty sure this is just due to my sound hardware but it’s important to note that not everyone will know to look for that.

Desktop effects enabled by default means that things were DOG slow until I installed a video driver.  Not a good first experience.

I attempted to download a few torrents out of the gate to see what kind of throughput KTorrent would give me.  I use magnet links mostly and upon grabbing my first torrent I realized that nothing was happening.  The metadata wasn’t even downloading.  So I attempted a restart of the application with no fix.  I tried logging out and back on with no fix.  Then I tried a restart of the entire PC with no fix.  No matter what I did…torrents wouldn’t download.

So I switched to qBittorrent.  Still no fix.  No matter what happens, torrents don’t work for me with this version of Manjaro.  In my previous version they worked just fine.

About this time, i started to get rather irritated and stopped looking around for things that were wrong.  No offense to the Manjaro KDE guys…but this isn’t a very good implementation of KDE in my opinion….there is just too much installed by default and what is installed doesn’t seem to work well.  There were quite a few other oddities I experienced while exploring the desktop including multiple KWin crashes when launching specific applications.

Overall, I wasn’t happy.

So I’m heading over to Salix KDE now to see if a simplified approach to KDE will cleans the palate so to speak.  I neglected screenshots when testing Manjaro KDE out but I’ll take many with Salix and follow up here.

Manjaro Linux – My Current Distribution

manjaroI’ve been running Manjaro Linux Openbox Edition since about November of 2013.  I haven’t re-installed…since Manjaro rolls with it’s releases…I haven’t needed to re-install.  It’s been as steady as a rock for 2 releases and many months of torture and pain from yours truly.

The only other distribution I’ve ever put through its paces like this that remained stable and usable was Salix…which is Slackware based.  Manjaro is Arch based and benefits greatly from the fantastic package manager ‘pacman’.  Oddly enough, Salix has a lot in common with Manjaro in that they both attempt to bring simplicity with easy upgrades/updates.  They also both tap into the community for customized packages…Salix with the ability to install Slack builds and Manjaro with the ability to add on packages from the AUR (Arch User Repository).  Both provide tools that allow a user to interface with these user built repositories.  Both are lightning fast and use a very low amount of resources.

Even though I’d hadn’t noticed before….they do have a lot in common.

I’ve demanded a lot more from my Linux distributions lately…I haven’t picked the ones I use based on what everyone else is using.  I haven’t picked one that has recently released.  I picked one that doesn’t decide what’s best for you.  I think this approach is best…doing less is more.

I don’t want a distribution to install the entire KDE application suite out of the gate taking up tons of space on my hard drive and making my Kmenu a jumbled mess.  I don’t want a distribution that doesn’t install tons of applications but is so bloated and lethargic on the desktop that I can barely function.  I don’t want a distribution that does things the wrong way by requiring me to install more than what I need (thanks meta packages!).  The bottom line is, I want a simple distribution of Linux that truly and wholly supports the ‘less is more’ mantra.  The only two I’ve settled on are Manjaro and Salix.  I’m not saying these are the only ones that ascribe to this mantra…I’m just saying these are the only two I’ve used that I like.  I’m sure there are others you might have found do the same thing and I’d encourage you to leave a comment with this distribution so that I can check it out.

I don’t do a lot of Linux reviews…but I will be doing a Salix and Manjaro one in the near future.  I think they both deserve any amount of press they get because they are fantastically simple distributions.

I am a Linux User

There are some things you just are.

Painters are painters because they paint.  Writers are writers because they write.  Whatever you identify with being (writer, painter, et. al) you are that because of what you DO…what you produce.  I am Linux user because of what I produce with Linux…what I do with it.  I don’t simply use it…I create with it.  I make it do what I want.

People give me a screwdriver and I pry things open with it…I don’t just use it on screws.  If I wanted to just use a flathead screwdriver for screws I’d be using a Mac.  If I wanted attachments for my screwdriver to become a different tool, I’d use Windows.  Instead, I rewrite what my screwdriver is used for by using Linux.

I’m a thinker because of Linux.  I have to be.  I have to think outside of the box…the standard way of thinking.  I find solutions to tech problems more quickly than people around me because of Linux.  I don’t think just of linear solutions.  I’m not just one dimensional…Linux makes me multidimensional.  When a problem arises, I meet it head on instead of waiting for others to fix it.

Linux makes me all of these things.  Without it, I still am a thinker…but Linux makes me a multidimensional, deep thinker.  Without it, I still use tools like a screwdriver but I don’t use them in as many ways.  Without it, I can still solve problems…but I don’t solve them as fast or as creatively.  There are some things you just are.

Linux helps me to be who I am.  Linux just is.

It was almost 10 years ago that I started recording my thoughts, tips and tricks on this blog.  I blog less frequently today then I did back then thanks to more professional responsibility with my work…but just the same, Linux still plays a major part in my every day life.  This website is hosted on a Linux server that I built from the ground up.  I use Linux for my Network Attached Storage at home that contains all of my movies, music and pictures.  My phone runs Linux.  I stay in touch with my friends and family because Linux is so versatile.

This blog has been through 4 major hosting changes and 3 changes of content management systems.  It’s gone through DDOS attacks, smear campaigns and even bumped heads with Groklaw before they shut their doors.  Through all of that, the one constant that remained is that Linux is.  For those of us that use it…Linux is what we use to shape our lives.  I’m glad to be a Linux user and a blogger of all things Linux.  Despite my infrequency of posting, I try to provide original content instead of just recycled news/how-to’s.  I don’t plan on changing this goal in the future…and I plan on being here for as many years as I can.

I want to personally thank each and every one of you who subscribe to my RSS feed and have my content delivered to you there…and those that subscribe to the blog via email.  Thanks to all of you who read the content I produce.  I appreciate your patronage and your support.  I began this journey with many of you over 10 years ago…here’s to the future path we’ll be travelling.  No telling where Linux will take us!

 

HostGator, Linux and The Dukes of Hazzard

If you’re old, like me…let’s say, over 30 years old…you might remember the television show “The Dukes of Hazzard”.  Waylon Jennings, a popular country music singer during the late 70’s and early 80’s sang the theme song.  The lyrics are:

Just the good ol boys, never meaning no harm

Beats all you ever saw, been in trouble with the law

since the day they was born

Many times in IT job settings, you’ll find that you need to become one of ‘the good ole boys’ in order to accomplish your job.  You have to like the things others’ like (or pretend to), you have to laugh at the things others’ laugh at.  In other words, you may have to become all things to all people.  It’s stupid that things are this way…but if you don’t change, you’ll find yourself on the outside looking in.  I’ve always been one to try and strike the right balance between becoming what my coworkers wanted me to become versus what I want to be.  Through the almost 10 years I’ve been blogging here, I’ve both sponsored and at one time hosted Ken Starks (aka Helios) blogging efforts and even his Lobby4Linux initiative…and I still consider him to be a great friend as well as an uncompromising voice in the world of Linux.  Over at his blog, he gave the anonymous experience of one HostGator employee.  You can read her experience over at his blog but here is an excerpt:

But my friend did have trouble answering a question and she dutifully IM’ed her tier two technician for help…. Twice. Then three times. And finally a fourth. She didn’t even get a response from a tier three tech or a supervisor. And I’ve been a tier three technician…I played a lot of online games. Help requests were infrequent. We mostly helped supervisors keep track of call times. She was a nervous wreck…and the customer wasn’t happy. She had to take down the customer’s number and promise to call them back when she found the answer to their question. A callback counted against her in her call stats and bonuses can be earned or lost on customer callbacks. She was close to tears, but nothing like she was when she found out why she being ignored when she asked for help. It seems that there is a little initiation when you go to work in that particular call center. It’s a game of sorts and it all boils down to this.

I’ve experienced things just like this in my career in the world of IT…not to the level above…but in some form or another, I’ve been hindered at performing my job by someone else who wanted to ‘initiate’ me into working where they do…or someone who just didn’t like that I spoke in an accent.  It’ seems rather stupid that someone would want you to become part of their ‘good ole boys’ network before they give you the help you need.  It’s unprofessional and counterproductive.  The only real permanent damage it does happens to the end user.

One can’t get too mad at companies though…they may not even know it is going on.  It starts at the mid-management level.  Managers who enable and allow this sort of behavior on their teams or ignore this sort of behavior are to blame.  Having a workplace that isn’t fun to work at unless you’re a part of the ‘good ole boys’ or that makes the end user suffer just for a laugh isn’t a good workplace.  Turnover will be high.  Ego’s will be allowed to cultivate and grow.  Cliques will form.  Boundaries will be crossed. In the end, your workplace suffers because it becomes hostile to those who refuse to adapt their behavior to jive with the few who behave in this way.  If you’re an IT Manager, take note of the story I linked to above.  Don’t be that guy.  Don’t let your employees set the tone for the work environment.  Make it your mission to set the tone yourself.  Making your work environment an inviting and supporting place to work isn’t hard to do.

Finding Files Modified in the Past Few Days

It’s said that with age comes distinction and wisdom. If we believe that, then we’re talking about people and not files.  Working with older files doesn’t make you wise beyond your years…one could argue that it makes you a glutton for punishment :).  That doesn’t always have to be the case as we can solve finding and working with older files using the ‘find’ command.

Recently, I was tasked with finding files that had been modified in the past 5 days. I was to copy these files from a SAN Snapshot and move them over to a recover area that anyone could get to (read: Windows File Share).

We were doing this in Linux because the snapshot, which was a NTFS filesystem would only mount in Linux.  It seems that Linux is more forgiving of errors on a hard disk than Windows is when dealing with NTFS.

So, the snapshot was located on a server designated as X.X.X.X below.  I decided to use the find command to locate all files that were modified in the past 5 days.  The find command can be summarized succinctly using the following logic statement:  find where-to-look criteria what-to-do.  Keeping this logic in mind, I used the following command to get what I needed:

find . -mtime 4 -daystart -exec cp -a {} /home/devnet/fileshare\$ on\ X.X.X.X/RECOVER/ \;

Let’s break down what the above command is doing.  First and foremost, the find command when used in conjunction with a period means to search the current directory (where-to-look in logic statement above).  If you need to specify where to search via path, replace the period with the path to the directory you’ll be searching in  Next, I’ve added the following flags (criteria in logic statement above) which I’ll define:

  1. -mtime:  stands for ‘modified time’.  This means I’m searching for only files modified in the past 4 days.
  2. -daystart:  This flag is used to measure time from the beginning of the current day instead of 24 hours ago which is default.  So in the example above, it would find files 4 days from the start of today (which equates to 5 days from midnight versus 4 days from 24 hours ago for my task)
  3. -exec:  specifies that with the results, a new command should be executed.

The {} above is where the results of our find command are passed.  It will do the command after -exec for each result from the find command.

So, we’re copying with the cp -a command and flag, which will copy recursively, preserving file structure and attributes thanks to our -a flag.  That command copies all the files we’ve found using the find command to the path stated next (what-to-do in our logic statement above).  The last symbols \; are the end statement for our -exec flag.  This must always be present for our -exec command…and the exec flag should be the last option given in the find command as well.

It’s important to note above that I mounted the NTFS SAN snapshot using the GUI like I would any NTFS volume on a Linux desktop and that I executed this find command while I was located in the root of the directory I wanted to search on that snapshot.  The server I was copying the files to noted as X.X.X.X above was a Windows File Server on our network that had open permissions for me to copy to.  I used Samba to mount this server in the directory ‘fileshare’ in my home directory.  The RECOVER directory was made by me to house all the files I’ve found so I could keep them separate from any other files in the root of the file server directory.  I had to manually create this folder prior to issuing the command.

There are more than a couple of different ways to do what I did above.  There are also numerous ways to alter the command and adapt it for your needs.  For example, perhaps you want to find all files that are 3 days old and delete them…and you’re not a stickler for the -daystart option.  In this case:

find . -mtime -3 -exec rm -rf {} \;

Maybe you want to copy mp3’s from a directory to a separate location:

find . -name '*.mp3' -exec cp -a {} /path/to/copy/stuff/to \;

There are lots of ways to adapt this to help locate and deal with files.  The command line/shell are always more than powerful enough to help you get what you need.  I hope this helps you and if you have questions or just want to say thanks…please don’t hesitate to let me know in the comments below.

Creative Commons License
Except where otherwise noted, the content on this site is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.