planet ddq

September 30, 2015 − Echoes

Kernel recipes 2015: Hardened kernels for everyone

As part of my ongoing effort to provide grsecurity-patched kernels for Debian, I gave a talk this morning at Kernel Recipes 2015. Slides and video should be available at some point, but you can find the former here in the meantime. I'm making some progress on #605090, which I should be able to push soon.

by Yves-Alexis at September 30, 2015 04:00 PM

August 09, 2015 − Echoes

WPS and Network Manager

So, everybody knows that WPS (Wi-Fi Protected Setup) is broken. But sometimes you don't own the access point, and you just want the wireless to work. That happens for example when you're a guest somewhere using an Orange Livebox and you don't have the WPA passphrase (usually because it's written somewhere you don't have access to, or because someone forgot to tell you).

The Livebox's WPS is the “push button” kind: you press a button on the front for one second, then any device can connect in the next two minutes. That works fine with Android devices, for example, but it didn't work with my laptop and NetworkManager, which doesn't support WPS at all.

Fortunately, the underlying piece of software (wpa_supplicant) does support WPS, and even the “push button” style. And you can nicely ask it to reveal the passphrase to you with the following trick.

  1. Disconnect NetworkManager from the network, disable the wireless link, stop it; just make sure wpa_supplicant is not running;
  2. Put a stub wpa_supplicant.conf file with only the following content:
  3. Start wpa_supplicant in the foreground with your stub config file:
     wpa_supplicant -iwlan0 -c wpa_supplicant.conf
  4. Start wpa_cli.

Inside wpa_cli:

  1. Scan the network:
  2. Get the results:
     and identify the bssid of the Livebox;
  3. Press the WPS button on the Livebox;
  4. Run
     wps_pbc <bssid>
     Some text should appear in the wpa_cli window, and it should eventually connect successfully (at that point you can even run a dhclient on wlan0);
  5. Run
The last command will update your stub configuration file, adding a new network block with the passphrase in the clear. You can then use that passphrase inside Network Manager if it's more convenient for you.

There might be something easier, but at least it worked just fine for me during the holidays.
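The procedure above leaves the passphrase in clear text in the configuration file wpa_supplicant writes back. The following helpers, added here and not part of the original post, cover the three pieces a person following it has to get right by hand: they create the stub file with owner-only permissions, pick the WPS-capable BSSID out of `scan_results` output, and read the network block that `save_config` appended. The stub's two keys (`ctrl_interface`, `update_config=1`) are my assumption of what the post's elided stub contained; the SSID prefix "Livebox" and all sample data are constructed.

```python
import os
import re
from typing import Dict, List, Optional

# Assumed stub content (step 2 above elides it): ctrl_interface lets wpa_cli
# talk to the daemon, update_config=1 lets save_config write the file back.
STUB_CONFIG = "ctrl_interface=/var/run/wpa_supplicant\nupdate_config=1\n"

_BSSID = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def write_stub_config(path: str) -> None:
    """Create the stub owner-readable only: save_config later appends the
    learnt network block, passphrase in the clear, to this same file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(STUB_CONFIG)


def find_wps_bssids(scan_results: str, ssid_prefix: str = "Livebox") -> List[str]:
    """Parse wpa_cli 'scan_results' output (tab-separated columns: bssid,
    frequency, signal, flags, ssid) and return the BSSIDs of networks whose
    SSID starts with ssid_prefix and that advertise WPS in their flags."""
    found = []
    for line in scan_results.splitlines():
        parts = line.split("\t")
        if len(parts) < 5 or not _BSSID.fullmatch(parts[0]):
            continue  # header line or something we do not understand
        bssid, _freq, _signal, flags, ssid = parts[:5]
        if "[WPS]" in flags and ssid.startswith(ssid_prefix):
            found.append(bssid)
    return found


def parse_network_blocks(config_text: str) -> List[Dict[str, str]]:
    """Return each network={...} block of a wpa_supplicant.conf as a dict.
    Quoted values are unquoted; an unquoted psk is the 64-hex-digit PSK."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", config_text, re.S):
        block: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            block[key.strip()] = value
        blocks.append(block)
    return blocks


def passphrase_for(config_text: str, ssid: str) -> Optional[str]:
    """The psk that save_config wrote for the given SSID, or None."""
    for block in parse_network_blocks(config_text):
        if block.get("ssid") == ssid and "psk" in block:
            return block["psk"]
    return None


# Constructed sample data (not real networks) so the module runs stand-alone.
SAMPLE_SCAN = (
    "bssid / frequency / signal level / flags / ssid\n"
    "00:11:22:33:44:55\t2437\t-60\t[WPA2-PSK-CCMP][WPS][ESS]\tLivebox-1a2b\n"
    "66:77:88:99:aa:bb\t2412\t-75\t[WPA2-PSK-CCMP][ESS]\tLivebox-9z9z\n"
    "cc:dd:ee:ff:00:11\t5180\t-50\t[WPA2-PSK-CCMP][WPS][ESS]\tOtherNet\n"
)
SAMPLE_CONFIG = STUB_CONFIG + (
    '\nnetwork={\n\tssid="Livebox-1a2b"\n\tpsk="example-passphrase"\n'
    "\tkey_mgmt=WPA-PSK\n}\n"
)

if __name__ == "__main__":
    print(find_wps_bssids(SAMPLE_SCAN))                    # ['00:11:22:33:44:55']
    print(passphrase_for(SAMPLE_CONFIG, "Livebox-1a2b"))   # example-passphrase
```

Once the passphrase has been copied into NetworkManager, the stub file (and the clear-text psk in it) can be deleted.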

by Yves-Alexis at August 09, 2015 07:44 PM

May 21, 2015 − Echoes

Followup on Debian grsec kernels for Jessie

So, following the previous post, I've indeed updated the way I'm making my grsec kernels.

I wanted to upgrade my server to Jessie, and didn't want to keep the 3.2 kernel indefinitely, so I had to update to at least 3.14, and find something to make my life (and maybe some others) easier.

In the end, as planned, I've switched to the make deb-pkg way, using some scripts here and there to simplify things.

The scripts and configs can be found in my debian-grsec-config repository. The repository layout is pretty much self-explanatory:

The bin/ folder contains two scripts:

  •, which picks the latest grsec patch (for each branch) and applies it to the correct Linux branch. This script should be run from a git clone of the linux-stable git repository;
  • is taken from the src:linux Debian package, and can be used to merge multiple KConfig files.

The configs/ folder contains the various configuration bits:

  • config-* files are the Debian configuration files, taken from the linux-image binary packages (for amd64 and i386);
  • grsec* are the grsecurity specifics bits (obviously);
  • hardening* contain non-grsec stuff still useful for hardened kernels, for example KASLR (cargo-culting notwithstanding) or strong SSP (available since I'm building the kernels on a sid box, YMMV).

I'm currently building amd64 kernels for Jessie and i386 kernels will follow soon, using config-3.14 + hardening + grsec. I'm hosting them on my apt repository. You're obviously free to use them, but considering how easy it is to rebuild a kernel, you might want to use a personal configuration (instead of mine) and rebuild the kernel yourself, so you don't have to trust my binary packages.

Here's a very quick howto (adapt it to your needs):

mkdir linux-grsec && cd linux-grsec
git clone git://
git clone git://
mkdir build
cd linux-stable
../debian-grsec-config/bin/ stable2 # for 3.14 branch
../debian-grsec-config/bin/ ../build/.config ../debian-grsec-config/configs/config-3.14-2-amd64 ../debian-grsec-config/configs/hardening ../debian-grsec-config/configs/grsec
make KBUILD_OUTPUT=../build -j4 oldconfig
make KBUILD_OUTPUT=../build -j4 deb-pkg

Then you can use the generated Debian binary packages. If you use the Debian config, it'll need a lot of disk space for compilation and generate a huge linux-image debug package, so you might want to unset CONFIG_DEBUG_INFO locally if you're not interested. Right now only the .deb files are generated, but I've submitted a patch to have a .changes file, which can then be used to manipulate them more easily (for example for uploading them to a local Debian repository).

Note that, obviously, this is not targeted for inclusion to the official Debian archive. This is still not possible for various reasons explained here and there, and I still don't have a solution for that.

I hope this (either the scripts and config or the generated binary packages) can be useful. Don't hesitate to drop me a mail if needed.

by Yves-Alexis at May 21, 2015 08:36 PM

May 09, 2015 − Echoes

Xfce 4.12 in Debian sid

So, following the Jessie release, and after a quick approval by the release team for the 4.12 transition, we've uploaded Xfce 4.12 to sid and have asked the RT to schedule the relevant binNMUs for the libxfce4util and xfce4-panel reverse dependencies.

It went apparently well (besides some hiccups here and there, like some lag on sparc, and some build failures on hurd). So Xfce 4.12 is now in sid, and should migrate to Stretch in the following weeks, provided nothing release critical is found.

by Yves-Alexis at May 09, 2015 07:05 PM

March 30, 2015 − Echoes

3.2.68 Debian/grsec kernel and update on the process

It's been a long time since I updated my repository with a recent kernel version, sorry for that. This is now done: the kernel (sources, i386 and amd64) is based on the (yet unreleased) 3.2.68-1 Debian kernel, patched with grsecurity 3.1-3.2.68-201503251805, and has the version 3.2.68-1~grsec1.

It works fine here, but as always, no warranty. If any problem occurs, try to reproduce using vanilla 3.2.68 + grsec patch before reporting here.

And now that the Jessie release approaches, the question of what to do with those Debian/grsec kernels still arises: the Jessie kernel is based on the 3.16 branch, which is not a long term branch. Actually, the support already ended some time ago, and the (long term) maintenance is now assured by the Canonical Kernel Team (thus the -ckt suffix) with some help from the Debian kernel maintainers. So there's no grsecurity patch following 3.16, and there's no easy way to forward-port the 3.14 patches.

At that point, and considering the support I got the last few years on this initiative, I don't think it's really worth it to continue providing those kernels.

One initiative which might be interesting, though, is the Mempo kernels. The Mempo team works on kernel reproducible builds, but they also include the grsecurity patch. Unfortunately, it seems that building the kernel their way involves calling a bash script which calls another one, and another one. A quick look at the various repositories is only enough to confuse me about how they actually build the kernel in the end, so I'm unsure it's the perfect fit for a supposedly secure kernel. Not that the Debian way of building the kernel doesn't involve calling a lot of scripts (either bash or python), but still. After digging a bit, it seems that they're using make-kpkg (from the kernel-package package), which is not the recommended way anymore. Also, they're currently targeting Wheezy, so the 3.2 kernel, and I have no idea what they'll choose for Jessie.

In the end, for myself, I might just do a quick script which takes a git repository at the right version, picks the latest grsec patch for that branch, applies it, then runs make deb-pkg and be done with it. That still leaves the problem of which branch to follow:

  • run a 3.14 kernel instead of the 3.16 (I'm unsure how much I'd lose / not gain from going from 3.2 to 3.14 instead of 3.16);
  • run a 3.19 kernel, then upgrade when it's time, until a new LTS branch appears.

There's also the config file question, but if I'm just using the kernels for myself and not sharing them, it's also easier, although if some people are actually interested it's not hard to publish them.

by Yves-Alexis at March 30, 2015 08:27 PM

March 25, 2015 − Echoes

LXCs upgrade to Jessie

So I started migrating some of my LXCs to Jessie, to test the migration in advance. The upgrade itself was easy (the LXC is mostly empty and only runs radicale), but after the upgrade I couldn't log in anymore (using lxc-console since I don't have lxc-attach, the host is on Wheezy). So this is mostly a note to self.

auth.log was showing:

Mar 25 22:10:13 lxc-sync login[1033]: pam_loginuid(login:session): Cannot open /proc/self/loginuid: Read-only file system
Mar 25 22:10:13 lxc-sync login[1033]: pam_loginuid(login:session): set_loginuid failed
Mar 25 22:10:13 lxc-sync login[1033]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Mar 25 22:10:13 lxc-sync login[1033]: Cannot make/remove an entry for the specified session

The last message isn't too useful, but the first one gave the answer. Since LXC isn't really ready for security stuff, I have some hardening on top of it, and one measure is to not have rw access to /proc. I don't really need pam_loginuid there, so I just disabled it. I just need to remember to do that after each LXC upgrade.

Other than that, I have to boot using SystemV init, since apparently systemd doesn't cope too well with the various restrictions I enforce on my LXCs:

lxc-start -n sync
Failed to mount sysfs at /sys: Operation not permitted

(which is expected, since I drop CAP_SYS_ADMIN from my LXCs). I didn't yet investigate how to stop systemd doing that, so for now I'm falling back to SystemV init until I find the correct customization:

lxc-start -n sync /lib/sysvinit/init
INIT: version 2.88 booting
[info] Using makefile-style concurrent boot in runlevel S.
hostname: you must be root to change the host name
mount: permission denied
mount: permission denied
[FAIL] udev requires a mounted sysfs, not started ... failed!
mount: permission denied
[info] Setting the system clock.
hwclock: Cannot access the Hardware Clock via any known method.
hwclock: Use the --debug option to see the details of our search for an access method.
[warn] Unable to set System Clock to: Wed Mar 25 21:21:43 UTC 2015 ... (warning).
[ ok ] Activating swap...done.
mount: permission denied
mount: permission denied
mount: permission denied
mount: permission denied
[ ok ] Activating lvm and md swap...done.
[....] Checking file systems...fsck from util-linux 2.25.2
[ ok ] Cleaning up temporary files... /tmp.
[ ok ] Mounting local filesystems...done.
[ ok ] Activating swapfile swap...done.
mount: permission denied
mount: permission denied
[ ok ] Cleaning up temporary files....
[ ok ] Setting kernel variables ...done.
[....] Configuring network interfaces...RTNETLINK answers: Operation not permitted
Failed to bring up lo.
[ ok ] Cleaning up temporary files....
[FAIL] startpar: service(s) returned failure: udev ... failed!
INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
dmesg: read kernel buffer failed: Operation not permitted
[ ok ] Starting Radicale CalDAV server : radicale.

Yes, there are a lot of errors, but they seem to be handled just fine.

by Yves-Alexis at March 25, 2015 09:26 PM

March 14, 2015 − Echoes

ThinkPad X250

So, I also got myself a new toy. My current ThinkPad is a bit ancient, but still sturdy. It's an X201s from 2010 (bought refurbished), and it's still working pretty fine, but eh, I couldn't resist.

The X230 was nice, but didn't have a high resolution screen (1366×768). The X240 brought a full HD (1920×1080) IPS screen, but lost the hardware trackpoint buttons. Finally, the X250 brings back the buttons, and still has a nice screen (not qHD or some other trendy resolution, but still FHD and IPS). And on top of that, it comes with Broadwell, so that means I get SMAP.

It runs mostly fine out of the box on Debian sid, but for full support some tuning is needed. I've set up a page with more information on the laptop, and some images can be found over there.

by Yves-Alexis at March 14, 2015 03:59 PM

January 03, 2015 − Echoes

Blues Bar-b-q

So, tested and approved: the Blues Bar-b-q, in the 11th arrondissement (Bréguet-Sabin metro). A small Texan restaurant, run by a Texan woman (which makes speaking English feel a lot more natural).

The usual suspects of Southern US cooking: cornbread, BBQ beef brisket, ribs, plus a few discoveries (the Outlaw Chili Cheese Fries). A killer barbecue sauce, an incredibly tender beef brisket. Not forgetting the desserts: their cheesecake is the densest I know (apart maybe from Marie's) and the southern pecan pie is great too.

Finally, lovely staff, from the owner to the cook to the waitress (whose first day it was). And music from that part of the world too, to go with it. In short, nothing but good; go there.

by Corsac at January 03, 2015 08:52 PM

December 21, 2014 − Echoes

December 20, 2014

West Coast News

The Loire Valley, its “podas” and its châteaux

No way to get away all together for a week over the All Saints' holidays, so to take a break and celebrate the end of the thesis-submission marathon (more on this later), we still decided to take a long weekend, not too far away, but somewhere a bit different. At first we wanted to go and see the sea (old habits die hard), but the weather didn't agree. So off to the Loire châteaux, a destination with the good taste to combine the parents' pleasures (châteaux, nature, wine) and the children's (princess castles, nature, the Beauval zoo park).

We had found a charming and not too expensive bed and breakfast at the last minute, not far from the zoo park, and our first day consisted of getting there, simply stopping for a good meal opposite Notre-Dame de Cléry and a balance-bike ride (a first for Léa!) around Chambord. We had rented a mini car, but for once we got upgraded (usually it's the other way round, especially when we leave for three weeks with a mountain of luggage).

The day ended with rillettes and grilled meat, and a “house” wine not quite up to our recent standards, but then, this wasn't going to be a wine-tasting weekend this time.

Our B&B, besides being very pretty, served an excellent and generous home-made breakfast. Its scrambled eggs, though too salty (the girls swapped them for soft-boiled eggs the second morning), kept us going through long mornings of adventure.

The first day inevitably had to be Beauval, the girls having been teased by the posters at the motorway rest areas (and even in the Paris metro, actually). They had been promised the “podas” (as Léa called them) and the “white tig's”, so impatience was the order of the day. And indeed we had a very good time there. The girls even enjoyed the face-painting session that turned Chloé into a lovely poda and Léa into a white tig', of course. Léa fell in love with the gorillas, from which she couldn't take her eyes. Somewhat less fond of the bird show, they were delighted by the sea lion one, as you might expect. The Podas were at the very far end of the park; you had to earn them. They were quietly napping… For Manue, we also went to see the elephant, and the girls chased the little free-roaming goats of the farm corner. Not forgetting the white tigers, the zebras, etc. Last but not least, the gift shop, from which the girls came out with a cuddly panda and a cuddly koala.

The park also has the good idea of offering a *free* merry-go-round next to the snack bars/cafeteria: clever, so that the kids have fun while the parents queue for (needless to say) delicious croque-monsieurs and other sandwiches or coffee.

So in the evening we cooked at the gîte, so we could settle down quietly.

The next day, we started by visiting the château de Chenonceau. The princess-castle charm worked well, for about a quarter of an hour. Even the huge kitchens, with all the pans, moulds, dishes and utensils, didn't completely win over the young ladies, who only wanted to get to the maze. We even had a bit of trouble getting them to see the gardens and take the photo of the château on its river, but luckily there were carp in the pond… In any case, we really did have a great time in the maze, though the hedges had been trimmed just a little low for the adults. A small picnic by the canal (not without greeting the donkeys on the way), and off to Amboise to visit Leonardo da Vinci's Clos Lucé and its incredible machines. There again, it was the garden (its machines and games) that the girls preferred. Amboise promised us a few good restaurants, but on a Sunday evening we unfortunately fell back on the local brasserie, still with a view of the château d'Amboise.

On Monday, our last day, we stopped by Blois, mainly for a mini-walk up to the café on the château square, where we ended up having lunch with a view of the magic museum and its dragons coming out of the windows before the astonished (and slightly worried) eyes of the children. Then we dashed off to a “château of games” we had spotted in the guidebook, more towards the Sologne and Orléans, at La Ferté-Saint-Aubin. Since it was the holidays, there was even a cooking workshop in the château's basement. Besides, it's a château that is still fully furnished, where you can use the playing cards and the billiard table. There are also lots of skill games outside, either in the reconstructed 1930s railway station or in the stables.

Then it was finally time to head home, which should have been short, but that was without counting on the traffic jams, which doubled our journey time.

But all in all, a very good weekend, with a good breath of fresh air and some lovely family moments.

Bal de Voire


by Manue at December 20, 2014 05:40 PM

November 26, 2014 − Echoes

October 11, 2014

West Coast News


Just this once, the ocean has, once again, drawn us in and delighted us. But not only that.

Camping, “upgraded” compared to last year, in a delightful if slightly chilly Dordogne. A chance for everyone (including Manue) to do some prehistory, between a water slide and a canoe expedition.

A house 300 m from the beach, mussels, a cat in pieces, fishing nets and jellyfish at low tide, castles and waves, more mussels, a packed aquarium, an 18th-century frigate, horns raining down, still more mussels.

A thoroughly soaked bit of cross-country, cousins (of cousins) turning up, good wine, dinosaurs, barbecue and jokari.

A wedding in the vineyards, frogs, and the mates.

In short, holidays are pretty cool after all, and always too short (and vice versa).



by Alex at October 11, 2014 07:09 PM

September 29, 2014 − Echoes


So, sometimes you've had a somewhat rough day, it's raining and you're tired.

And then, in your mailbox, out of the blue, there's a “thank you” mail.

That really brightens the day…

by Corsac at September 29, 2014 07:16 PM

July 19, 2014

West Coast News

It's summer

One year later, it's summer again. Getting ready, getting ready… thanks to the sales!

by Alex at July 19, 2014 05:59 PM

June 11, 2014 − Echoes

Debian, Xfce, policykit and permissions

So, it seems that for a lot of people using unstable, hardware-related permissions (shutdown/reboot, suspend/hibernate, device mount/umount etc.) have been broken for some time.

That's usually the case for people using GNOME with the lightdm display manager, or Xfce with either gdm or lightdm.

It seems that recently, policykit (which is used by GNOME and Xfce) switched from the consolekit backend to the logind backend (yeah, systemd-logind). So applications using policykit need to handle that correctly, and that means being sure a logind session is correctly set up, which is done by installing the package libpam-systemd.

For now, it's still possible to not switch to systemd as init system, by installing the systemd-shim package before libpam-systemd. Be aware that (at least with the current state of affairs), this is only true with logind before 204. When systemd maintainers start transitioning to a later version, only systemd-sysv (so, systemd as init system) will work.

People reluctant to switch to systemd can use systemd-shim for now. Then, when systemd 205+ enters the archive, either lose those hardware permissions, or try to improve systemd-shim to handle that situation.

There's not much we (Xfce/LightDM maintainers) can do about that.

by Yves-Alexis at June 11, 2014 06:51 PM

April 07, 2014 − Echoes

CVE-2014-0160 / heartbleed

Short version:

  • yes we're affected;
  • we're currently working on it;
  • we didn't have an early warning so we're doing as fast as we can.

DSA should be in your INBOX in a few moments, and the updates on the mirror a moment later.

[UPDATE Tue, 08 Apr 2014 01:06:42 +0200]

After the upgrade, you really need to restart all TLS applications using libssl1.0.0 to get the fix. Usual suspects are web servers, mail servers etc. Don't forget to restart clients too. The easiest way is to completely reboot the server, but in case that's not a solution, you can check the processes still using the old library with the following snippet:

grep -l 'libssl.*deleted' /proc/*/maps | tr -cd 0-9\\n | xargs -r ps u

Some people seem to indicate that the 64kB leak can enable an attacker to get pretty much anything from the process memory space, including the certificate private key. While we weren't able to confirm that yet, it's not really impossible, so you might also want to regenerate those private keys, although that's not something you should do in a rush either.
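The grep one-liner above relies on the kernel tagging a mapping as "(deleted)" once the library file under it has been replaced by the upgrade. The script below, added here and not part of the original post, does the same check explicitly by parsing /proc/<pid>/maps, and generalises it to any library name pattern (libssl by default) so it can be reused for the next library upgrade. Real runs read /proc; the embedded maps text is a constructed sample for a stand-alone run.

```python
import os
import re
from typing import Dict, List, Set

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, pathname.
# The pathname is optional (anonymous mappings) and may end in " (deleted)".
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)


def deleted_libs_in_maps(maps_text: str, lib_pattern: str = r"libssl") -> Set[str]:
    """Paths of mapped files matching lib_pattern whose on-disk file has been
    replaced, i.e. the process still runs the pre-upgrade code."""
    hits: Set[str] = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if path.endswith("(deleted)") and re.search(lib_pattern, path):
            hits.add(path[: -len("(deleted)")].rstrip())
    return hits


def scan_proc(proc_root: str = "/proc", lib_pattern: str = r"libssl") -> Dict[int, Set[str]]:
    """Walk <proc_root>/<pid>/maps and report pids with stale mappings.
    Unreadable entries (other users' processes unless root, exited pids)
    are skipped, so run as root for a complete picture."""
    result: Dict[int, Set[str]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as f:
                stale = deleted_libs_in_maps(f.read(), lib_pattern)
        except OSError:
            continue
        if stale:
            result[int(name)] = stale
    return result


def stale_pids(maps_by_pid: Dict[int, str], lib_pattern: str = r"libssl") -> List[int]:
    """Same report as scan_proc, but over maps text already in memory."""
    return sorted(pid for pid, text in maps_by_pid.items()
                  if deleted_libs_in_maps(text, lib_pattern))


# Constructed sample: pid 1234 still maps the old libssl, pid 5678 was
# restarted after the upgrade (addresses and inodes are made up).
SAMPLE_MAPS = {
    1234: (
        "7f1c2a000000-7f1c2a1c5000 r-xp 00000000 08:01 393227 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f1c2a1c5000-7f1c2a3c4000 ---p 001c5000 08:01 393227 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f1c2a400000-7f1c2a5a0000 r-xp 00000000 08:01 393201 /lib/x86_64-linux-gnu/libc-2.13.so\n"
    ),
    5678: (
        "7f9d00000000-7f9d001c5000 r-xp 00000000 08:01 393300 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
        "7f9d00200000-7f9d00201000 rw-p 00000000 00:00 0\n"
    ),
}

if __name__ == "__main__":
    print("sample:", stale_pids(SAMPLE_MAPS))          # sample: [1234]
    for pid, libs in sorted(scan_proc().items()):
        print(pid, sorted(libs))
```

A process listed here has not picked up the fixed library even though dpkg reports the package as upgraded; restarting it (or rebooting) is the only remedy.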

by Yves-Alexis at April 07, 2014 09:35 PM

March 08, 2014 − Photos − Echoes


After the rotten weeks we've had lately, this is rather nice:

by Corsac at March 08, 2014 10:10 AM

January 05, 2014 − Echoes

Films 2013

So, the 2013 vintage, as usual at the start of the following year. Not a very prolific year (17 films), but still. Worth noting a heavy concentration at the start of the year (the 2012 leave had to be used up before the end of March) and at the end of October (following my marathon).

  • Django Unchained: 22 January 2013, MK2 Beaubourg
  • Zero Dark Thirty: 7 February 2013, UGC Ciné Cité les Halles
  • Gangster Squad: 13 February 2013, UGC Ciné Cité les Halles
  • Die Hard 5: 1 March 2013, UGC Montparnasse
  • No: 22 March 2013, MK2 Quai de Seine
  • Cloud Atlas: 25 March 2013, MK2 Quai de Loire
  • Mariage à l'anglaise: 12 April 2013, MK2 Quai de Loire
  • Iron Man 3: 19 May 2013, UGC Ciné Cité Bercy
  • Prisoners: 26 October 2013, UGC Montparnasse
  • Sheriff Jackson: 26 October 2013, UGC Ciné Cité Les Halles
  • Malavita: 27 October 2013, UGC Ciné Cité Les Halles
  • Omar: 27 October 2013, UGC Ciné Cité Les Halles
  • La vie d'Adèle: 27 October 2013, UGC Ciné Cité Les Halles
  • Jeune & jolie: 28 October 2013, MK2 Parnasse
  • Blue Jasmine: 29 October 2013, UGC Ciné Cité Les Halles
  • Gravity: 30 October 2013, UGC Maillot
  • The Lunchbox: 30 December 2013, UGC Ciné Cité Les Halles

Overall, once again, a pretty good vintage. It has to be said that when you go to the cinema less often, you're also more selective, obviously. A few small disappointments (more or less expected, let's say), but also a few gems. I've already talked about the run of Prisoners, Malavita, Omar, La vie d'Adèle and Gravity, but I also really enjoyed The Lunchbox, and obviously Django Unchained.

by Corsac at January 05, 2014 06:01 PM

December 27, 2013 − Echoes

On the road

Today, on the motorway, three cars in the left lane behind me kindly gave way to me while I was in the right lane, to let me overtake.

I still can't get over it. Is it Christmas?!

by Corsac at December 27, 2013 08:36 PM

December 21, 2013 − Echoes

December 20, 2013 − Photos − Echoes

Tour Eiffel

I'm not crazy about the Eiffel Tower, but seeing it every day, even walking past it, you do end up appreciating it.

And since I like the photo-of-the-day idea, last summer I took advantage of trips to and from the Champ de Mars to take some, and edit them into a short video for fun.

Obviously it should have lasted a bit longer, but it doesn't look that bad…

by Corsac at December 20, 2013 09:47 PM

November 26, 2013 − Echoes

Because otherwise she complains!

Let's not shirk tradition.

Happy name day, Delphine!

by Corsac at November 26, 2013 08:58 AM

November 15, 2013 − Photos