Feb 29 2012
 

According to the news, James Murdoch has decided to resign from his post as the head of News International. About time! But :-

  1. Why was he allowed to resign rather than being fired ?
  2. Why is he being allowed to take up a cushy number with News Corp ? It hardly seems much of a punishment for him to resign from a job in an industry he dislikes only to take another job in an industry that he likes in what is effectively the same corporate empire.
  3. Why didn’t he go ages ago ?
  4. And when is Rupert Murdoch going ?

The two Murdochs (and their countless minions at News International) were the people in charge of a corporate empire that allowed one part of it to break the law not just occasionally but routinely for stories that were not in the public interest (in the sense of stories that the public should know rather than just what they want to know). Whether or not they knew what was happening, they set the tone for a corporation that apparently valued results over ethical behaviour.

They are responsible for allowing such a corporate culture to grow unchallenged for at least a decade.

Did they know what was going on ? Perhaps not – particularly in the case of Rupert Murdoch, but they should have known. And in the case of James Murdoch, it seems probable that if he did not know what was going on, he intentionally avoided knowing.

Both should go.

Jan 07 2010
 

For various reasons I have decided that I need to install mod_security2 on my personal web server. This is a Solaris zone running on an OpenSolaris global zone with various bits of software provisioned by OpenCSW. Unfortunately (or fortunately at least from the point of view that I get to do something interesting), mod_security2 is not something provided by OpenCSW.

For even more various reasons, I decided to “formalise” my notes on building, installing, and configuring mod_security2.

Before attempting to build mod_security2, it is important to have a functional build environment. This includes :-

  • Installing the apache2_devel package from OpenCSW (pkg-get -i apache2_devel)
  • Installing the gcc3 package from OpenCSW
  • Installing the following OpenSolaris packages (pkg install XXX) :- SUNWhea, SUNWarc, SUNWbtool
  • Installing the SunStudio package from Sun. It may be possible that gcc3 is not necessary with this installed, but I ended up with both so I advise you to do the same. In addition to installing it in the standard location (/opt/SUNWspro) it is also necessary to create a symlink in the place where the OpenCSW developer placed his/her copy of SunStudio :- mkdir -p /opt/studio/SOS11; ln -s /opt/SUNWspro /opt/studio/SOS11/SUNWspro

The next step is to set up a shell environment appropriate to configuring and compiling mod_security2 :-

export PATH=$PATH:/opt/SUNWspro/bin
export PATH=$PATH:/opt/csw/bin
export PATH=$PATH:/usr/ccs/bin
export PATH=$PATH:/opt/csw/gcc3/bin
export CC=gcc

(The above presumes the use of a shell that understands the above syntax)

The next step is to unpack the module source code, and configure it :-

cd /var/tmp
gunzip -c modsecurity-apache_2.5.11.tar.gz | tar xvf -
cd modsecurity-apache_2.5.11
cd apache2
./configure --with-apxs=/opt/csw/apache2/sbin/apxs \
   --with-pcre=/opt/csw \
   --with-apr=/opt/csw/apache2 \
   --with-apu=/opt/csw/apache2/bin/apu-config

That should successfully generate a Makefile. Edit this Makefile and remove all references to “-Wall” (for APXS_EXTRA_CFLAGS, also remove the preceding “-Wc,”). This is because modules will compile with SunStudio’s compiler no matter what we try to do to stop it, and SunStudio does not understand “-Wall”.

Now finally you can compile the software :-

make
sudo make install

Now we are at the point where we can start configuring mod_security2.

In the main httpd.conf file, add the following two directives somewhere appropriate (i.e. close to the other “LoadModule” directives) :-

LoadFile /opt/csw/lib/libxml2.so
#   Check that this library is installed!
LoadModule unique_id_module libexec/mod_unique_id.so
#   This will be already in the file but may be commented out
LoadModule security2_module libexec/mod_security2.so
#   And this is the one we're interested in.

At this point, try a graceful restart (/opt/csw/apache2/sbin/apachectl graceful) to be sure that the relevant code loads. Now onto enabling the module and configuring it with the “Core Rule Set” …

First copy the rules subdirectory to an appropriate place and fix the permissions :-

cp -rp rules /opt/csw/apache2/etc/modsecurity
chown -R root:root /opt/csw/apache2/etc/modsecurity
chmod -R o+r /opt/csw/apache2/etc/modsecurity
find /opt/csw/apache2/etc/modsecurity -type d -exec chmod o+x {} \;

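In the file modsecurity/modsecurity_crs_10_global_config.conf, change SecDataDir to /var/tmp. (Note that /var/tmp is world-writable; a dedicated directory writable only by the user Apache runs as is a safer home for ModSecurity’s persistent data.)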

In the file modsecurity/modsecurity_crs_10_config.conf :-

  1. Change SecAuditLog to var/log/modsec_audit.log
  2. Change SecDebugLog to var/log/modsec_debug.log

Now add the following to httpd.conf :-

Include etc/modsecurity/modsecurity_crs_10_global_config.conf
Include etc/modsecurity/modsecurity_crs_10_config.conf
Include etc/modsecurity/base_rules/*conf

And gracefully restart Apache.

At this point, mod_security2 is running and blocking stuff, but has not been finely “tweaked” to the local applications – at the very least it partially breaks WordPress, and may well break other applications.
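
A starting point for that tuning is to tally which rule IDs fire on which request paths in the audit log configured above. The script below is an added example, not part of the original notes; it assumes the serial audit log format (section boundaries such as --xxxxxxxx-H--), and the sample log, rule IDs and addresses in it are constructed.

```shell
# Count ModSecurity rule IDs per request path in a serial-format audit log.
modsec_rule_hits() {   # usage: modsec_rule_hits /path/to/modsec_audit.log
    awk '
        /^--[0-9a-fA-F]+-[A-Z]--$/ {      # section boundary, e.g. --1a2b3c4d-H--
            section = substr($0, length($0) - 2, 1); first = 1
            if (section == "A") uri = "-" # A opens a new transaction
            next
        }
        section == "B" && first {         # request line: METHOD URI PROTOCOL
            uri = $2; sub(/\?.*/, "", uri); first = 0
        }
        section == "H" && /^Message: / && match($0, /\[id "[0-9]+"\]/) {
            hits[substr($0, RSTART + 5, RLENGTH - 7) " " uri]++
        }
        END { for (k in hits) print hits[k], k }   # "count id path"
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

write_sample_log() {   # constructed sample: rule IDs and addresses are made up
    cat > "$1" <<'EOF'
--aaaaaaa1-A--
[07/Jan/2010:10:00:01 +0000] TXN0001 192.0.2.10 40001 192.0.2.1 80
--aaaaaaa1-B--
POST /wp-admin/post.php?action=edit HTTP/1.1
--aaaaaaa1-H--
Message: Access denied with code 403 (phase 2). [id "100001"] [msg "constructed rule A"]
--aaaaaaa1-Z--
--aaaaaaa2-A--
[07/Jan/2010:10:00:05 +0000] TXN0002 192.0.2.10 40002 192.0.2.1 80
--aaaaaaa2-B--
POST /wp-admin/post.php HTTP/1.1
--aaaaaaa2-H--
Message: Warning. [id "100002"] [msg "constructed rule B"]
Message: Access denied with code 403 (phase 2). [id "100001"] [msg "constructed rule A"]
--aaaaaaa2-Z--
--aaaaaaa3-A--
[07/Jan/2010:10:00:09 +0000] TXN0003 192.0.2.20 40003 192.0.2.1 80
--aaaaaaa3-B--
GET /index.php?p=1 HTTP/1.1
--aaaaaaa3-H--
Message: Warning. [id "100002"] [msg "constructed rule B"]
--aaaaaaa3-Z--
EOF
}

log="${TMPDIR:-/tmp}/modsec_audit.sample.$$"
write_sample_log "$log" && modsec_rule_hits "$log"
rm -f "$log"
```

Rule IDs that fire repeatedly on one application path are candidates for a narrowly scoped exception rather than for disabling the rule everywhere.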

Jan 07 2007
 

I recently replaced an elderly SGI Octane2 workstation which had 2 CPUs (400MHz MIPS-based), 1.5Gbytes of memory, and 3 elderly SCSI disks with a nice new Sun Ultra40 … 2 AMD Opteron 248s, 2Gbytes memory, and 2 mirrored SATA drives. It is interesting to compare the difference between an old-fashioned workstation originally designed in the middle to late 1990s with a 21st century PC. Not that I’m going to produce hard numbers from useful benchmarks … that is just too much work, and in some ways it is the feel of the differences that is important.

Of course this is not really a fair comparison. Whilst the SGI Octane is now very elderly and due to SGI managerial incompetence has not kept pace with PC performance as it should have done, it is after all a machine that originally cost 10-20 times the cost of the PC I am comparing it to. In car terms, I’m comparing a 20-year old Mercedes with a new and cheap Ford. I should point out that much of the software I am using is very much the same on both machines … the Enlightenment window manager, Sylpheed Claws as the mail client, Firefox as the browser, LyX as the word processor, and a text terminal for much of the remainder.

The PC is considerably quicker than the SGI of course. The graphic user interface is a good deal snappier, and most of the applications offer very welcome improvements in performance. With the exception of GIMP however, none of this performance increase is really essential; my old SGI ran pretty much everything my PC does, fast enough to get the job done. GIMP performance is the reason I upgraded, and here the difference is quite dramatic … filters that previously required patience now run almost instantly; when you are repeatedly trying things out in GIMP on quite large images this performance increase makes some things feasible that simply were not before.

There is one area where the SGI does offer some advantage over the PC; something I was expecting. The PC’s disks are overall somewhat faster than the disks in the SGI (and of course I don’t have to pay to mirror my disks!), but the SGI tends to work more smoothly under high load. I’ve noticed before with the ‘low end’ on disks in PCs, that if you start to drive your disks very hard, the computer will sometimes stutter. Essentially the SGI was slower, but smoother under high disk load than the PC.

If it was not for the need to run GIMP extensively (and the appeal of more standard add-on hardware like USB hard disks), there is no reason why I could not continue with the SGI. The tendency we have in the computing arena of replacing computers every few years is not a healthy one.