Archive

"Warum gabst du uns die tiefen Blicke" Translated

I searched for this in English and couldn’t find it with a Google once-over. So I decided to translate Warum gabst du uns die tiefen Blicke myself (with the help of leo.org). This translation is a bit creative, especially with the punctuation. But I think Goethe would understand.

Why give us insight?
by Johann Wolfgang von Goethe, translated from the German by me.

Why give us the ability
to see consciously our destiny:
our love, our earthly happiness,
and to blissfully fancy
that we can ignore our foreboding?

clam readme

To create individual clamd-instance take the following files and
modify/copy them in the suggested way:

clamd.conf:
  * set LogFile, PidFile, LocalSocket and User to suitable values
  * place this file into /etc/clamd.d with an unique service-name;
    e.g. as /etc/clamd.d/<SERVICE>.conf

  To make logfile rotation work properly, the LogFile should be
  writable for the assigned User. Recommended way to reach this, is
  to:
  * make it owned by the User's *group*
  * assign at least 0620 (u+rw,g+w) permissions

  A suitable command might be
  | # touch <logfile>
  | # chgrp <user> <logfile>
  | # chmod 0620   <logfile>

  NEVER use 'clamav' as the user since he can modify the database.
  This is the user who is running the application; e.g. for mimedefang
  (https://www.roaringpenguin.com/products/mimedefang), the user might be
  'defang'.Theoretically, distinct users could be used, but it must be
  made sure that the application-user can write into the socket-file,
  and that the clamd-user can access the files asked by the
  application to be checked.


clamd.logrotate:
  * set the correct value for the logfile
  * place it into /etc/logrotate.d

clamd.sysconfig:
  * set the name of the config-file and the local socket
  * copy it to /etc/sysconfig/clamd.<SERVICE>

clamd.init:
  * set the service-name
  * place it into /etc/init.d/ with an unique name and activate it
    (e.g. with /sbin/chkconfig clamd.<SERVICE> on)

Additionally, a symlink must be set to clamd in a way like
  | # ln -s clamd /usr/sbin/clamd.<SERVICE>
and the directory for the socket file must be created (see 'LocalSocket'
in clamd.conf)
  | # mkdir -p /var/run/clamd.<SERVICE>


This directory must be writable by the 'User' chosen in the config-file.



[Disclaimer:
 this file and the script/configfiles are not part of the official
 clamav package.

 Please send complaints and comments to
 mailto:enrico.scholz@informatik.tu-chemnitz.de!]

/var/log/maillog qmail-scanner error

We were getting this series of errors when running the qmail-scanner test script (/downloads/qmailrocks/qmail-scanner-1.25/contrib/test_installation.sh -doit):

spamd[18368]: spamd: connection from localhost.localdomain [127.0.0.1] at port 51721 
spamd[18368]: spamd: setuid to qscand succeeded 
spamd[18368]: spamd: creating default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: config: cannot write to /home/qscand/.spamassassin/user_prefs: Permission denied 
spamd[18368]: spamd: failed to create readable default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: spamd: checking message <20061020172304.21308.qmail@leikata.softpixel.com> for qscand:509 
spamd[18368]: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/auto-whitelist.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/auto-whitelist.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: bayes: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/bayes.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/bayes.lock: Permission denied 
spamd[18368]: spamd: clean message (-0.0/5.0) for qscand:509 in 0.0 seconds, 327 bytes. 
spamd[18368]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.0, size=327,user=qscand,uid=509, required_score=5.0,rhost=localhost.localdomain, raddr=127.0.0.1, rport=51721,mid=< 20061020172304.21308.qmail@leikata.softpixel.com>, autolearn=failed 
spamd[18366]: prefork: child states: II 
qmail-scanner[21309]: Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): 0.068512 327 <> postmaster@softpixel.com Qmail-Scanner_test_(1/4):_inoffensive_message <20061020172304.21308.qmail@leikata.softpixel.com> 1161364984.21311-0.leikata:68 orig-leikata116136498477521309:327 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136498577521320] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

I had to manually create the .spamassassin directory for user spamd:

# cd /home/qscand
# mkdir .spamassassin
# chown qscand:qscand .spamassassin/
# chmod 700 .spamassassin/

This solved the first few errors.

We still got the qmail-scanner error, however:

spamd[21615]: spamd: connection from localhost.localdomain [127.0.0.1] at port 52795 
spamd[21615]: spamd: checking message <20061020174801.21726.qmail@leikata.softpixel.com> for root:510 
spamd[21615]: spamd: clean message (-0.0/5.0) for root:510 in 0.1 seconds, 327 bytes. 
spamd[21615]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.1,size=327,user=root,uid=510, required_score=5.0, rhost=localhost.localdomain, raddr=127.0.0.1,rport=52795, mid=< 20061020174801.21726.qmail@leikata.softpixel.com>, autolearn=ham 
spamd[21612]: prefork: child states: II 
qmail-scanner[21727]: Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): 0.105559 327 <> postmaster@softpixel.com Qmail-Scanner_test_(1/4):_inoffensive_message < 20061020174801.21726.qmail@leikata.softpixel.com> orig-leikata116136648177521727:327 1161366481.21729-0.leikata:68 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136648177521738] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

By turning on debugging in qmail-scanner.pl, I determined that this was a permissions issue: qmail-scanner was running clamd as user qscand, but user qscand didn’t have privileges to see the files qmail-scanner wanted it to scan.

Making qmail-scanner run as root by disabling the setuid line in /etc/clamd.conf…

# Run as a selected user (clamd must be started by root).
# Default: disabled
#User qscand

…causes it to work (and the qmail-scanner test script to execute successfully), but we really shouldn’t be doing this.

Instead we need to make qmail-scanner write the files to scan with appropriate permissions.

qmail setup, 2006.10.20

Here’s the path I took to install http://www.qmailrocks.org/ on fedora core 5 x86_64 running on an Athlon 64.

  • pre-install
    • yum install php-imap
    • yum install php-mysql
    • cpan Digest::SHA1
    • cpan Digest::HMAC
    • cpan Net::DNS
    • cpan Time::HiRes
    • cpan HTML::Tagset
    • cpan HTML::Parser
  • downloaded, compiled, etc. according to the qmailrocks redhat howto with the following exceptions:
    • skipped installing the autoresponder – we don’t want any autoresponder functionality.
    • installed vpopmail WITH mysql integration.
    • mysql integration failed with some compilation errors. It looks like this is a 64-bit compatibility issue – it seems to be trying to link against 32-bit libraries and the ld line is failing. I don’t have time to troubleshoot this now.
    • went back and installed autoresponder because it was required for another install. Sigh.
    • skipped vqadmin because it gave us inscrutable compile errors and wouldn’t install.
  • tested SMTP with no problems
  • Post-install add-ons
    • Clam Antivirus
      • Clam is not installing properly due to dependency conflicts. Upon further investigation, certain perl modules were missing. ran:
        • cpan Time::HiRes — for some reason this did an install when i ran it this time, although earlier it had said it was UTD.
        • cpan The Pod::Usage
        • cpan Parse::Syslog
        • cpan Statistics::Distributions
      • Clam is now not able to install because the qmailrocks RPMs won’t work on the 64-bit processor, so i’m yumming them.
        • yum install perl-suidperl
        • yum install clamav clamav-milter clamav-server clamav-update
      • ClamReadMe
        • [root@leikata etc]# mv /etc/clamd.conf /etc/clamd.d/softpixel.conf
        • [root@leikata etc]# ln -s /etc/clamd.d/softpixel.conf /etc/clamd.conf
        • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.conf file.
        • [root@leikata template]# mv clamd.logrotate /etc/logrotate.d
        • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.logrotate
        • [root@leikata clamd.d]# mkdir /var/log/clamav/
        • [root@leikata clamd.d]# touch /var/log/clamav/clamd.softpixel
        • [root@leikata clamd.d]# chgrp qscand /var/log/clamav/clamd.softpixel
        • [root@leikata clamd.d]# chmod 0620 /var/log/clamav/clamd.softpixel
      • Setting the updater:
        • [root@leikata clamav]# touch /var/log/clamav/clam-update.log
        • [root@leikata clamav]# chmod 775 /var/log/clamav/clam-update.log
        • [root@leikata clamav]# chown qscand:qscand /var/log/clamav/clam-update.log
        • [root@leikata log]# chown qscand:qscand -R /var/lib/clamav
        • [root@leikata log]# /usr/bin/freshclam -l /var/log/clamav/clam-update.log
        • it updated.
    • SpamAssasin
    • Qmail Scanner
      • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zfailures <— replaced the “sort +2” pipe with “sort -n -r -k 2” – the version of sort included with fedora doesn’t support the “+2” syntax.
      • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zdeferrals <— replaced the “sort +2” pipe with “sort -n -r -k 2”

After this, we discovered clamd wasn’t starting properly at boot-time. SELinux was bitching:

kernel: audit(1161390036.976:4): avc: denied { search } for pid=2356 comm="clamd.softpixel" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir kernel: audit(1161390036.976:5): avc: denied { search } for pid=2356 comm="clamd.softpixel" name="sys" dev=proc ino=4026531867 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir kernel: audit(1161390037.268:6): avc: denied { append } for pid=2356 comm="clamd.softpixel" name="clamd.softpixel" dev=dm-0 ino=2851961 scontext=system_u:system_r:clamd_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file kernel: audit(1161390037.272:7): avc: denied { sys_tty_config } for pid=2356 comm="clamd.softpixel" capability=26 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=capability

Clamd started happily when we disabled SELinux protection for it:

  • in system-config-securitylevel, under SELinux / Modify SELinux Policy, I checked:
    • Other / clamscan_disable_trans
    • SELinux Service Protection / Disable SELinux protection for clamd daemon

Of course, I first tried to create a new policy allowing exactly what clamd was needing (which would be way preferable to disabling SELinux), but I got the following error…

# audit2allow -M local -l -i aud [root@leikata ~]# semodule -i local.pp libsepol.permission_copy_callback: Module local depends on permission search in class file, not satisfied libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed!

… and haven’t been able to figure this out yet.

Whiter than a Hatfield Family Reunion

[Editor’s note: This post (including the above title) was written by mradcliffe immediately following a day spent with project ruori. It is unedited and uncensored, and is presented to the reader as a demonstration of the deleterious effects of association with said collective.]

It was brought to my attention a couple of weeks ago that I would be “performing” with project ruori at PURE. I wouldn’t say “brought to my attention.” More like “forced upon my sleepy eyes as I sat entrapped away from my own home.” I had only planned on seeing Phung before he left, but poor logistics and fate led me to PURE.

"An interesting musical opportunity...

…is in your near future.”
    – fortune cookie from tonight’s dinner.

Near indeed.

The fortune I discovered in my wallet yesterday – “We are here to create / not merely survive” – was inspiring. This one was just scary.

We have a little over a week before we’re performing in Boston

Metasacrifice for Art

To the ruoriJews reading this: Shanah Tovah, and I hope you had a meaningful fast. To everyone else: Happy Monday.

My Yom Kippur was very hectic – I compressed this year’s atonement into a few hours this morning. Then for the afternoon, I headed over to the softpixel/ruori megalab to convert snack foods into mental energy and mental energy into a set of chaotic probability-driven sonatas for three theremin-like light-sensing instruments we’re almost done building.

So I guess I sacrificed my sacrifice for my art.

Purity! Contagion! Acrylic Glass!

It’s been about three weeks since we heard that we will be going to Boston to do a performance and installation at PURE.

Our proposal included an acrylic glass plinko machine (a la The Price is Right) and three hanging fabric cocoons. There will be a performer in each cocoon and a fourth performer dropping ping pong balls into the plinko machine. As the balls come out the three holes in the bottom of the machine, they will trigger the performers to change an ongoing soundscape in some way. Eventually, the person dropping the ping pong balls will replace himself with an automated device, the automated device will run out of balls, and the performers in the cocoons will leave behind the soundscape controllers for the audience to play with.