Alex Rodriguez » IT

Subversion Backup and Recovery

alex — Thu, 29 Oct 2009 20:22:30 +0000

I wanted to convert one of our production machines from Fedora to Ubuntu server. One of the services this machine was running was subversion.

I both tarred up the repository directory and used ’svnadmin dump’ to backup the repository. I scp’ed both files to another server.

Upon recovery I wanted to use the dump but the dump file became corrupted.

Luckily, there’s an easy way to recover from a repository file backup. I just untarred the repository and used

1	svnadmin recover <repo path>

It worked great!

Turn Off Wordpress PHP Error Display

alex — Thu, 22 Oct 2009 21:23:52 +0000

After updating Wordpress and my devformatter plugin, I noticed some errors popping up from the geshi libraries:

1 2	[22-Oct-2009 14:00:12] PHP Warning: array_keys() [function.array-keys]: The first argument should be an array in */geshi.php on line 3502 [22-Oct-2009 14:00:12] PHP Warning: Invalid argument supplied for foreach() in */geshi.php on line 3502

This was actually displaying in the blog posts, which is bad for a number of reasons, including security.

You can turn off php error logging by finding your wp-config.php file, usually in your Wordpress document root, and adding the following lines:

1 2	@ini_set('log_errors','On'); @ini_set('display_errors','Off');

Windows XP Remote Desktop Broken

alex — Thu, 08 Oct 2009 00:06:13 +0000

After a recent windows update I found my remote desktop was broken. I did some troubleshooting and packet sniffing and still couldn’t track the problem down.

Finally I stumbled upon this post, which fixed my problem.

It turned out that an nvidia driver update broke RDP. Updating the driver to the latest WHQL fixed the problem.

I love windows updates, they usually break more than they fix.

Securing Sendmail

alex — Wed, 13 May 2009 22:01:41 +0000

I recently needed to setup TLS for my company’s email server. My primary goal was to reconfigure our sendmail server to negotiate TLS with other email servers that supported it. This would allow us to send secure information via email to company’s that also supported email over TLS.

The first step was to generate certificates. This is easily done with openssl. I already have a key and scripts setup to generate cert requests with all necessary info filled in. The script looks something like this:

1
2
3

#!/bin/bash
read -p "Hostname: " hostname
openssl req -new -nodes -days 365 -key company.key -config csr_config -out $hostname.csr

Take the output from that certificate request and provide it to your favorite signer to get a signed certificate. Take the key you used to generate the request and the signed certificate and put it somewhere on your server, say /etc/ssl/crt. Also make sure to put the cacerts bundle, or signing certificate chain, in that directory (or any other for that matter).

Next step is to configure sendmail. The following are the changes I needed to make to my sendmail.mc file under /etc/mail:

1
2
3
4
5
6
7
8
9
10

define(`confTLS_SRV_OPTIONS', `V')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
define(`CERT_DIR', `/etc/ssl/crt')dnl
define(`confCACERT',`CERT_DIR/cacerts.crt')dnl
define(`confCACERT_PATH', `CERT_DIR/cacerts')dnl
define(`confSERVER_CERT',`CERT_DIR/your_signed_cert.crt')dnl
define(`confSERVER_KEY',`CERT_DIR/your_key.key')dnl
define(`confCLIENT_CERT',`CERT_DIR/your_signed_cert.crt')dnl
define(`confCLIENT_KEY',`CERT_DIR/your_key.key')dnl
define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl

Most of that config points sendmail to your keys and certificates to be used for server and client mode. The line

define(`confAUTH_OPTIONS’, `A p y’)dnl

tells sendmail to perform smtp authentication after TLS negotiation has completed. The line

define(`confTLS_SRV_OPTIONS’, `V’)dnl

tells sendmail to skip requests for clients’ certificates.

I would like to thank this site and this site for that helpful information.

Next, recompile the config file and restart sendmail with

1 2	make -C /etc/mail service sendmail restart

You can test your server using openssl:

1	openssl s_client -connect localhost:25 -CAfile /etc/ssl/crt/cacerts.crt -starttls smtp

You should see “Verify return code: 0 (ok)” near the end of the output. Type “quit” to end the communication.

To test that sendmail will communicate properly as a client with another server, you can use the great site test.smtp.org.

Bugzilla 3.5 Advanced Search Breaks When Bugzilla Reverse Proxied

alex — Tue, 21 Apr 2009 21:04:21 +0000

I recently upgraded my bugzilla installation to 3.5 to find my Eclipse-mylyn integration had broken.

After some traffic inspection and a look at buglist.cgi, I found that new code was added to “clean” advanced bug queries. This code cleans the query, then performs a redirect to the new clean query using the correct bugzilla hostname but using the local webserver port. Because I was proxying traffic to my actual bugzilla server through another server on a different port, this redirect was invalid.

I fixed this by commenting out the following code in buglist.cgi:

1
2
3
4
5
6
7

# If query was POSTed, clean the URL from empty parameters and redirect back to
# itself. This will make advanced search URLs more tolerable.
#if ($cgi->request_method() eq 'POST') {
#    $cgi->clean_search_url();
#    print $cgi->redirect(-url => $cgi->self_url());
#    exit;
#}

I’ll try to actually fix the redirect tomorrow to take advantage of the cleanup.