Open Source Geek

OK, so Dropbox isnt 100% Open Source but Im a pragmatic kinda guy and I do love Dropbox. However it (Dropbox) doent seem to like SELinux it seems.

I know its so tempting to reach for the “turn off SELinux” switch but wait, its actually very simple to make SELinux allow Dropbox to work.

It turns out that Dropbox tries to do some naughty stuff that SELinux is there to protect us from – namely executing out of the memory buffer. This type of thing is usually done by programs trying to do malicious things on the system and happily SELinux protects us from this – but that prevents Drop from running.

How to Fix It

There is a nice and simple way to fix this and no I dont mean disable SELinux

There is a boolean that you could flip that turns off this protection – namely allow_execstack

sudo setsebool allow_execstack 1

However this is going way to far as you all now allowing any process to execute from stack, which isnt a good idea.

The best way is to tell SELinux that you just want Dropbox to be able to do this and nothing else. The way that you do this is you label the executable file, in this case /usr/bin/dropbox, as type execmem_exec_t

You can do this with a quick chcon, but thats not the best way to do it, the following two lines will fix Dropbox to work with SELinux

sudo semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/dropbox
sudo restorecon -v /usr/bin/dropbox

Now if you take a look at the SELinux contetxt of the file, you can see its got the right label

ls -lZ /usr/bin/dropbox
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/dropbox

If you spend a little time to understand the basics of SELinux (file contexts and booleans) you will find it is quite straight forward to work on a system with SELinux turned on

If you are interested in learning more about this stuff, check out the Dan Walsh blog

OSG

It NEVER ceases to amaze me that when selecting an operating system for a critically important role, that people still chose Windows. Now this isnt a rant about how Linux or BSD are better or more secure than Microsoft Windows. I mean I think its quite an easy argument but one thing that is not up for debate is that Microsoft Windows is the most targeted operating system when it comes to Malware.

So why, for the love of all things good in the world, do you chose the most targeted OS for your critical systems. Here are just three recent incidents/reports that prompted this rant

1. The investigation into the recent Spanish air crash noted that a critical ground system, that was designed to spot problems and alert people was actually switched off as it was infected with malware

http://www.technewsdaily.com/malware-implicated-in-fatal-spanair-crash-1078/

2. The latest worm currently doing the rounds and allegedly targeted at Irans Nuclear Reactor. Iran have admitted that some of their systems are indeed infected with this malware. Its a nuclear reactor for gawd sake.

http://www.computerworld.com/s/article/9188147/Iran_admits_Stuxnet_worm_infected_PCs_at_nuclear_reactor

3. My favorite though was the recent announcement about an infection in a United States military network – their worst infaction ever, was caused by an infected USB drive.

That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.

http://www.itpro.co.uk/626428/infected-usb-caused-biggest-us-military-breach-ever

For gawd sake people, if its a critical system, dont chose the most malware targeted operating system. It makes no sense at all.

Google are developing a new operating system, aimed squarely at the netbook market. The ethos behind it, like with most things at Google in the last 12 months, is speed – they want it to take no more than 7 seconds to boot.

Once logged in you will only have access to a web browser – the browser will be Googles Chrome Browser, as you may expect. There will be no desktop or other apps, everything will be done from the browser. They are going to build in functionality for  working offline, for when you are not connected to the net.

Many people, even in the Linux world, seemed to be opposed to this but I can only see it as a good thing. Under the hood its based on Linux, Google have said they have been working with Ubuntu in this respect. Google have stated that Chrome OS will be Open Source and released the current dev version on Chromium.org. From my point of view I think its going to be good for the Linux platform. The improvement in boot speed and hardware drivers alone can only be good.

I really dont know why Google seem to have so much opposition. I understand peoples concerns about a company that knows so much about its users but they are the only company to have a “do no evil” moto. Whats more Google are also a very transparent company, the information that they have on you can easily be found and deleted if you so wish. For example, if you want to view or delete your web history, just go here and do so.

I do wonder how many people know about the Data Liberation Front, a team of Google engineers who work solely on making sure that you can easily get your data in or out of as many Google products as possible, as simply as possible.

I really do feel that Google are a friend of open source. Their Android phone OS is Open Source and while I know there was some concern over their reation to the Cyanogen mod, when you read into it, you can understand their point of view – plus they worked with the Cyanogen guy to come up with a work arround.

Also, lets not forget the Google Summer of Code. Each year they make this great contribution to Open Source. Im sure its not entirely altruistic but never the less it is a very valuable contribution.

Recenlty Google seemed to cause some more negative ripples with their aquistion of the Etherpad Project. I think anyone who has tried both Wave and EtherPad will understand why Google wanted Etherpad. Etherpads real time document editing is much better than the current Google Wave client. So the Etherpad team have been pulled off Etherpad and put to work on Wave. The controvesy was not so much about this but that the fact they closed Etherpad, a product that many people use and find invaluable. They gave people about a months notice to trasition away from it. The thing I will say about this is that as soon as they became aware of the communities concern, they re-examined the decision and have re-opened EtherPad – in a matter of days. They then said, in a very open way “what were we thinking”.

UPDATE: They have also released the sourcecode for Etherpad under the Apache Licence

This brings me on to Google Wave.I know that people who have been able to try this out are not that overwhelmed with it. What I will say is that its very early days in this products development. I would also so that Wave is all about the protocol underneath that lets you collaborate on document editing and the current Wave client is just the first implementation of a client – there will be other clients. In other words, think of Wave as SMTP and the current client as Outlook Express. There will be better clients

My main point about Wave though is how Google have gone about this. They said, from the outset, that they wanted to create an open protocol, just like SMTP. They also built federation in and they have also desinged it to be extensible, so that people can develope their own plugins. This shows that they are a company that just seem to get it. The understand why Openess is important.

So whats the point of this article, well what Im really saying is give Google a break. Yes they have a lot of information about us and its right to be concerned but their every action to date seems to have been honorable. Lets save the paranoia for companies that treat us and our data appallingly on a daily basis

I’d love to hear your opinion of this subject, please leave a comment or use the contact form

OSG