major.io - Words of wisdom from a Linux engineer focused on information security

Thunderbird changes fonts in some messages, not all

August 2, 2017 By Major Hayden 1 Comment

Thunderbird is a great choice for a mail client on Linux systems if you prefer a GUI, but I had some problems with fonts in the most recent releases. The monospace font used for plain text messages was difficult to read.

I opened Edit > Preferences > Display and clicked Advanced to the right of Fonts & Colors. The default font for monospace text was “Monospace”, and that one isn’t terribly attractive. I chose “DejaVu Sans Mono” instead, and closed the dialog boxes.

The fonts in monospace messages didn’t change. I quit Thunderbird, opened it again, and still didn’t see a change. The strange part is that a small portion of my monospaced messages were opening with the updated font while the majority were not.

I went back into Thunderbird’s preferences and took another look:

Everything was set as I expected. I started with some Google searches and stumbled upon a Mozilla Bug: Changing monospace font doesn’t affect all messages. One of the participants in the bug mentioned that any emails received without ISO-8859-1 encoding would be unaffected since Thunderbird allows you set fonts for each encoding.

I clicked the dropdown where “Latin” was selected and I selected “Other Writing Systems”. After changing the monospace font there, the changes went into effect for all of my monospaced messages!

Troubleshooting CyberPower PowerPanel issues in Linux

July 25, 2017 By Major Hayden 5 Comments

I have a CyberPower BRG1350AVRLCD at home and I’ve just connected it to a new device. However, the pwrstat command doesn’t retrieve any useful data on the new system:

# pwrstat -status

The UPS information shows as following:


    Current UPS status:
        State........................ Normal
        Power Supply by.............. Utility Power
        Last Power Event............. None

# pwrstat -status

The UPS information shows as following:

Current UPS status:

State........................ Normal

Power Supply by.............. Utility Power

Last Power Event............. None

I disconnected the USB cable and ran pwrstat again. Same output. I disconnected power from the UPS itself and ran pwrstat again. Same output. This can’t be right.

Checking the basics

A quick look at dmesg output shows that the UPS is connected and the kernel recognizes it:

[   65.661489] usb 3-1: new full-speed USB device number 7 using xhci_hcd
[   65.830769] usb 3-1: New USB device found, idVendor=0764, idProduct=0501
[   65.830771] usb 3-1: New USB device strings: Mfr=3, Product=1, SerialNumber=2
[   65.830772] usb 3-1: Product: BRG1350AVRLCD
[   65.830773] usb 3-1: Manufacturer: CPS
[   65.830773] usb 3-1: SerialNumber: xxxxxxxxx
[   65.837801] hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

[ 65.661489] usb 3-1: new full-speed USB device number 7 using xhci_hcd

[ 65.830769] usb 3-1: New USB device found, idVendor=0764, idProduct=0501

[ 65.830771] usb 3-1: New USB device strings: Mfr=3, Product=1, SerialNumber=2

[ 65.830772] usb 3-1: Product: BRG1350AVRLCD

[ 65.830773] usb 3-1: Manufacturer: CPS

[ 65.830773] usb 3-1: SerialNumber: xxxxxxxxx

[ 65.837801] hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

I checked the /var/log/pwrstatd.log file to see if there were any errors:

2017/07/25 12:01:17 PM  Daemon startups.
2017/07/25 12:01:24 PM  Communication is established.
2017/07/25 12:01:27 PM  Low Battery capacity is restored.
2017/07/25 12:05:19 PM  Daemon stops its service.
2017/07/25 12:05:19 PM  Daemon startups.
2017/07/25 12:05:19 PM  Communication is established.
2017/07/25 12:05:22 PM  Low Battery capacity is restored.
2017/07/25 12:06:27 PM  Daemon stops its service.

2017/07/25 12:01:17 PM Daemon startups.

2017/07/25 12:01:24 PM Communication is established.

2017/07/25 12:01:27 PM Low Battery capacity is restored.

2017/07/25 12:05:19 PM Daemon stops its service.

2017/07/25 12:05:19 PM Daemon startups.

2017/07/25 12:05:19 PM Communication is established.

2017/07/25 12:05:22 PM Low Battery capacity is restored.

2017/07/25 12:06:27 PM Daemon stops its service.

The pwrstatd daemon can see the device and communicate with it. This is unusual.

Digging into the daemon

If the daemon can truly see the UPS, then what is it talking to? I used lsof to examine what the pwrstatd daemon is doing:

# lsof -p 3975
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF      NODE NAME
pwrstatd 3975 root  cwd    DIR               8,68      224        96 /
pwrstatd 3975 root  rtd    DIR               8,68      224        96 /
pwrstatd 3975 root  txt    REG               8,68   224175 134439879 /usr/sbin/pwrstatd
pwrstatd 3975 root  mem    REG               8,68  2163104 134218946 /usr/lib64/libc-2.25.so
pwrstatd 3975 root  mem    REG               8,68  1226368 134218952 /usr/lib64/libm-2.25.so
pwrstatd 3975 root  mem    REG               8,68    19496 134218950 /usr/lib64/libdl-2.25.so
pwrstatd 3975 root  mem    REG               8,68   187552 134218939 /usr/lib64/ld-2.25.so
pwrstatd 3975 root    0r   CHR                1,3      0t0      1028 /dev/null
pwrstatd 3975 root    1u  unix 0xffff9e395e137400      0t0     37320 type=STREAM
pwrstatd 3975 root    2u  unix 0xffff9e395e137400      0t0     37320 type=STREAM
pwrstatd 3975 root    3u  unix 0xffff9e392f0c0c00      0t0     39485 /var/pwrstatd.ipc type=STREAM
pwrstatd 3975 root    4u   CHR             180,96      0t0     50282 /dev/ttyS1

# lsof -p 3975

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

pwrstatd 3975 root cwd DIR 8,68 224 96 /

pwrstatd 3975 root rtd DIR 8,68 224 96 /

pwrstatd 3975 root txt REG 8,68 224175 134439879 /usr/sbin/pwrstatd

pwrstatd 3975 root mem REG 8,68 2163104 134218946 /usr/lib64/libc-2.25.so

pwrstatd 3975 root mem REG 8,68 1226368 134218952 /usr/lib64/libm-2.25.so

pwrstatd 3975 root mem REG 8,68 19496 134218950 /usr/lib64/libdl-2.25.so

pwrstatd 3975 root mem REG 8,68 187552 134218939 /usr/lib64/ld-2.25.so

pwrstatd 3975 root 0r CHR 1,3 0t0 1028 /dev/null

pwrstatd 3975 root 1u unix 0xffff9e395e137400 0t0 37320 type=STREAM

pwrstatd 3975 root 2u unix 0xffff9e395e137400 0t0 37320 type=STREAM

pwrstatd 3975 root 3u unix 0xffff9e392f0c0c00 0t0 39485 /var/pwrstatd.ipc type=STREAM

pwrstatd 3975 root 4u CHR 180,96 0t0 50282 /dev/ttyS1

Wait a minute. The last line of the lsof output shows that pwrstatd is talking to /dev/ttyS1, but the device is supposed to be a hiddev device over USB. If you remember, we had this line in dmesg when the UPS was plugged in:

hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

1	hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0

Things are beginning to make more sense now. I have a USB-to-serial device that allows my server to talk to the console port on my Cisco switch:

[   80.389533] usb 3-1: new full-speed USB device number 9 using xhci_hcd
[   80.558025] usb 3-1: New USB device found, idVendor=067b, idProduct=2303
[   80.558027] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[   80.558028] usb 3-1: Product: USB-Serial Controller D
[   80.558029] usb 3-1: Manufacturer: Prolific Technology Inc. 
[   80.558308] pl2303 3-1:1.0: pl2303 converter detected
[   80.559937] usb 3-1: pl2303 converter now attached to ttyUSB0

[ 80.389533] usb 3-1: new full-speed USB device number 9 using xhci_hcd

[ 80.558025] usb 3-1: New USB device found, idVendor=067b, idProduct=2303

[ 80.558027] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[ 80.558028] usb 3-1: Product: USB-Serial Controller D

[ 80.558029] usb 3-1: Manufacturer: Prolific Technology Inc.

[ 80.558308] pl2303 3-1:1.0: pl2303 converter detected

[ 80.559937] usb 3-1: pl2303 converter now attached to ttyUSB0

It appears that pwrstatd is trying to talk to my Cisco switch (through the USB-to-serial adapter) rather than my UPS! I’m sure they could have a great conversation together, but it’s hardly productive.

Fixing it

The /etc/pwrstatd.conf has a relevant section:

# The pwrstatd accepts four types of device node which includes the 'ttyS',
# 'ttyUSB', 'hiddev', and 'libusb' for communication with UPS. The pwrstatd
# defaults to enumerate all acceptable device nodes and pick up to use an
# available device node automatically. But this may cause a disturbance to the
# device node which is occupied by other software. Therefore, you can restrict
# this enumerate behave by using allowed-device-nodes option. You can assign
# the single device node path or multiple device node paths divided by a
# semicolon at this option. All groups of 'ttyS', 'ttyUSB', 'hiddev', or
# 'libusb' device node are enumerated without a suffix number assignment.
# Note, the 'libusb' does not support suffix number only.
#
# For example: restrict to use ttyS1, ttyS2 and hiddev1 device nodes at /dev
# path only.
# allowed-device-nodes = /dev/ttyS1;/dev/ttyS2;/dev/hiddev1
#
# For example: restrict to use ttyS and ttyUSB two groups of device node at
# /dev,/dev/usb, and /dev/usb/hid paths(includes ttyS0 to ttySN and ttyUSB0 to
# ttyUSBN, N is number).
# allowed-device-nodes = ttyS;ttyUSB
#
# For example: restrict to use hiddev group of device node at /dev,/dev/usb,
# and /dev/usb/hid paths(includes hiddev0 to hiddevN, N is number).
# allowed-device-nodes = hiddev
#
# For example: restrict to use libusb device.
# allowed-device-nodes = libusb
allowed-device-nodes =

# The pwrstatd accepts four types of device node which includes the 'ttyS',

# 'ttyUSB', 'hiddev', and 'libusb' for communication with UPS. The pwrstatd

# defaults to enumerate all acceptable device nodes and pick up to use an

# available device node automatically. But this may cause a disturbance to the

# device node which is occupied by other software. Therefore, you can restrict

# this enumerate behave by using allowed-device-nodes option. You can assign

# the single device node path or multiple device node paths divided by a

# semicolon at this option. All groups of 'ttyS', 'ttyUSB', 'hiddev', or

# 'libusb' device node are enumerated without a suffix number assignment.

# Note, the 'libusb' does not support suffix number only.

# For example: restrict to use ttyS1, ttyS2 and hiddev1 device nodes at /dev

# path only.

# allowed-device-nodes = /dev/ttyS1;/dev/ttyS2;/dev/hiddev1

# For example: restrict to use ttyS and ttyUSB two groups of device node at

# /dev,/dev/usb, and /dev/usb/hid paths(includes ttyS0 to ttySN and ttyUSB0 to

# ttyUSBN, N is number).

# allowed-device-nodes = ttyS;ttyUSB

# For example: restrict to use hiddev group of device node at /dev,/dev/usb,

# and /dev/usb/hid paths(includes hiddev0 to hiddevN, N is number).

# allowed-device-nodes = hiddev

# For example: restrict to use libusb device.

# allowed-device-nodes = libusb

allowed-device-nodes =

We need to explicitly tell pwrstatd to talk to the UPS on /dev/hid/hiddev0:

allowed-device-nodes = /dev/usb/hiddev0

1	allowed-device-nodes = /dev/usb/hiddev0

Let’s restart the pwrstatd daemon and see what we get:

# systemctl restart pwrstatd
# pwrstat -status

The UPS information shows as following:

    Properties:
        Model Name................... BRG1350AVRLCD
        Firmware Number..............
        Rating Voltage............... 120 V
        Rating Power................. 810 Watt(1350 VA)

    Current UPS status:
        State........................ Normal
        Power Supply by.............. Utility Power
        Utility Voltage.............. 121 V
        Output Voltage............... 121 V
        Battery Capacity............. 100 %
        Remaining Runtime............ 133 min.
        Load......................... 72 Watt(9 %)
        Line Interaction............. None
        Test Result.................. Unknown
        Last Power Event............. None

# systemctl restart pwrstatd

# pwrstat -status

The UPS information shows as following:

Properties:

Model Name................... BRG1350AVRLCD

Firmware Number..............

Rating Voltage............... 120 V

Rating Power................. 810 Watt(1350 VA)

Current UPS status:

State........................ Normal

Power Supply by.............. Utility Power

Utility Voltage.............. 121 V

Output Voltage............... 121 V

Battery Capacity............. 100 %

Remaining Runtime............ 133 min.

Load......................... 72 Watt(9 %)

Line Interaction............. None

Test Result.................. Unknown

Last Power Event............. None

Success!

Photo credit: Wikipedia

Apply the STIG to even more operating systems with ansible-hardening

July 21, 2017 By Major Hayden 2 Comments

Tons of improvements made their way into the ansible-hardening role in preparation for the OpenStack Pike release next month. The role has a new name, new documentation and extra tests.

The role uses the Security Technical Implementation Guide (STIG) produced by the Defense Information Systems Agency (DISA) and applies the guidelines to Linux hosts using Ansible. Every control is configurable via simple Ansible variables and each control is thoroughly documented.

These controls are now applied to an even wider variety of Linux distributions:

CentOS 7
Debian 8 Jessie (new for Pike)
Fedora 25 (new for Pike)
openSUSE Leap 42.2+ (new for Pike)
Red Hat Enterprise Linux 7
SUSE Linux Enterprise 12 (new for Pike)
Ubuntu 14.04 Trusty
Ubuntu 16.04 Xenial

Any patches to the ansible-hardening role are tested against all of these operating systems (except RHEL 7 and SUSE Linux Enterprise). Support for openSUSE testing landed this week.

Work is underway to put the finishing touches on the master branch before the Pike release and we need your help!

If you have any of these operating systems deployed, please test the role on your systems! This is pre-release software, so it’s best to apply it only to a new server. Read the “Getting Started” documentation to get started with ansible-galaxy or git.

Photo credit: Wikipedia

Customize LDAP autocompletion format in Thunderbird

July 18, 2017 By Major Hayden Leave a Comment

Thunderbird can connect to an LDAP server and autocomplete email addresses as you type, but it needs some adjustment for some LDAP servers. One of the LDAP servers that I use regularly returns email addresses like this in the thunderbird interface:

username <firstname.lastname@domain.tld>

1	username <[email protected]>

The email address looks fine, but I’d much rather have the person’s full name instead of the username. Here’s what I’m looking for:

Firstname Lastname <firstname.lastname@domain.tld>

1	Firstname Lastname <[email protected]>

In older Thunderbird versions, setting ldap_2.servers.SERVER_NAME.autoComplete.nameFormat to displayName was enough. However, this option isn’t used in recent versions of Thunderbird.

Digging in

After a fair amount of searching the Thunderbird source code with awk, I found a mention of DisplayName in nsAbLDAPAutoCompleteSearch.js that looked promising:

      // Create a minimal map just for the display name and primary email.
      this._attributes =
        Components.classes["@mozilla.org/addressbook/ldap-attribute-map;1"]
                  .createInstance(Components.interfaces.nsIAbLDAPAttributeMap);
      this._attributes.setAttributeList("DisplayName",
        this._book.attributeMap.getAttributeList("DisplayName", {}), true);
      this._attributes.setAttributeList("PrimaryEmail",
        this._book.attributeMap.getAttributeList("PrimaryEmail", {}), true);
    }

// Create a minimal map just for the display name and primary email.

this._attributes =

Components.classes["@mozilla.org/addressbook/ldap-attribute-map;1"]

.createInstance(Components.interfaces.nsIAbLDAPAttributeMap);

this._attributes.setAttributeList("DisplayName",

this._book.attributeMap.getAttributeList("DisplayName", {}), true);

this._attributes.setAttributeList("PrimaryEmail",

this._book.attributeMap.getAttributeList("PrimaryEmail", {}), true);

}

Something is unusual here. The LDAP field is called displayName, but this attribute is called DisplayName (note the capitalization of the D). Just before that line, I see a lookup in an attributes map of some sort. There may be a configuration option that is called DisplayName.

In Thunderbird, I selected Edit > Preferences. I clicked the Advanced tab and then Config Editor. A quick search for DisplayName revealed an interesting configuration option:

ldap_2.servers.default.attrmap.DisplayName: cn,commonname

1	ldap_2.servers.default.attrmap.DisplayName: cn,commonname

Fixing it

That’s the problem! This needs to map to displayName in my case, and not cn,commonname (which returns a user’s username). There are two different ways to fix this:

# Change it for just one LDAP server
ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName
# Change it for all LDAP servers by default (careful)
ldap_2.servers.default.attrmap.DisplayName: displayName

# Change it for just one LDAP server

ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName

# Change it for all LDAP servers by default (careful)

ldap_2.servers.default.attrmap.DisplayName: displayName

After making the change, quit Thunderbird and relaunch it. Compose a new email and start typing in the email address field. The user’s first and last name should appear!

Old role, new name: ansible-hardening

June 27, 2017 By Major Hayden 2 Comments

The interest in the openstack-ansible-security role has taken off faster than I expected, and one piece of constant feedback I received was around the name of the role. Some users were unsure if they needed to use the role in an OpenStack cloud or if the OpenStack-Ansible project was required.

The role works everywhere — OpenStack cloud or not. I started a mailing list thread on the topic and we eventually settled on a new name: ansible-hardening! The updated documentation is already available.

The old openstack-ansible-security role is being retired and it will not receive any additional updates. Moving to the new role is easy:

Install ansible-hardening with ansible-galaxy (or git clone)
Change your playbooks to use the ansible-hardening role

There’s no need to change any variable names or tags — they are all kept the same in the new role.

As always, if you have questions or comments about the role, drop by #openstack-ansible on Freenode IRC or open a bug in Launchpad.