Category Archives: computer stuff

Dealing with ShellShock on our older mac servers

We have a couple of machines that are still running Snow Leopard, so the Apple patch won’t work. One option is to recompile bash and its patches from source, but why do that when I already have MacPorts on those machines?

Testing the vulnerabilities

From Stack Exchange, there are multiple vulnerabilities.
The first one is tested with this:
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If the shell is vulnerable, it will echo vulnerable and hello. Otherwise it just echoes hello.

A second vulnerability is tested with
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
If you’re OK, you will see something like
date
cat: echo: No such file or directory

or
sh: X: line 0: syntax error near unexpected token `='
sh: X: line 0: `X () { (a)=>\'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory

The important thing is that you don’t want to see an actual date and a file created called echo.

The third vulnerability redefines the ls command
$ env ls="() { echo 'Game over'; }" bash -c ls
Vulnerable systems will echo Game over.

Installing the fix

Getting it installed is easy after updating to the latest versions of the ports
sudo port selfupdate
sudo port upgrade outdated
sudo port install bash

But this only makes the MacPorts bash available to the user. To make it the default, it has to be the shell an intruder would get as well. To do this we need to edit /etc/shells to replace /bin/bash with /opt/local/bin/bash.

I think this is enough. But I still have some concerns. The bash version in MacPorts seems to be 4.3.28. Apple’s official release after the patch is 3.2.53 (apparently this is equivalent to 3.2.54 in terms of patches). The MacPorts version is still vulnerable to the second problem. I’ll be watching MacPorts for updates, but I am also looking at whether the machines, which are too old for Mavericks, can be updated to Lion or Mountain Lion.

Update: MacPorts pushed another bash update over the weekend
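The three checks above, wrapped in a script that runs them against each shell binary on the machine; installing the MacPorts bash leaves the original /bin/bash and /bin/sh on disk, so each one has to be tested separately. This is an added example, not part of the original post: the function names are made up here, and /bin/sh is added to the two paths the post mentions.

```shell
#!/bin/sh
# Added example: run the three checks from this post against one shell binary.
# Returns 0 if no check fires, 1 if any fires, 2 if the path is not executable.
shellshock_check() {
    shell=$1
    [ -x "$shell" ] || return 2
    work=$(mktemp -d) || return 2
    fails=0

    # Check 1: trailing command after a function definition in the environment.
    out=$(cd "$work" && env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null) || true
    case $out in *vulnerable*) fails=$((fails + 1)) ;; esac

    # Check 2: parser bug; a vulnerable shell creates a file named "echo".
    # Run inside the scratch directory so nothing is left behind.
    (cd "$work" && env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1) || true
    if [ -e "$work/echo" ]; then fails=$((fails + 1)); fi

    # Check 3: environment function overriding the ls command.
    out=$(cd "$work" && env ls="() { echo 'Game over'; }" "$shell" -c ls 2>/dev/null) || true
    case $out in *"Game over"*) fails=$((fails + 1)) ;; esac

    rm -rf "$work"
    [ "$fails" -eq 0 ]
}

# Report on every shell that is still reachable after the MacPorts install.
# /bin/bash and /opt/local/bin/bash are from the post; /bin/sh is an assumption.
audit_shells() {
    for s in /bin/sh /bin/bash /opt/local/bin/bash; do
        rc=0
        shellshock_check "$s" || rc=$?
        case $rc in
            0) echo "$s: no check fired" ;;
            1) echo "$s: VULNERABLE" ;;
            2) echo "$s: not present" ;;
        esac
    done
}

audit_shells
```

Run it before and after the install, and again after each MacPorts bash update.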

Mail in Mavericks is screwed up

[Image: MailScreenSnapz001]

What’s going on here?

Around the same time that I got this new laptop, TAMU switched from hosting its own mail to a Google Apps-based system. As part of the changeover, you can import your mailboxes from the old system to the new system. After hooking up the new account in Mail.app as an IMAP account, there are messages where what you select is not what you get: The sender and subject are for a different message somewhere else in the mailbox. In fact, this is the case for all of the imported messages; new arrivals seem to match up. There are also many unrelated messages grouped as if they belong in the same thread.

Now, blaming this on Mavericks might seem unfair, as there are multiple partners involved here: A&M’s import system, Google, and Apple. But this mismatch doesn’t happen on the old laptop running Lion, or on my iPad or iPhone.

Various posts online suggest rebuilding the mailbox. This didn’t work for me. In the web gmail, I deleted the label for the import, unstarred everything and marked everything as not important. I did another rebuild… no joy. Rebuilt the Spotlight index. I think that may have fixed it.

New laptop

I’ve been working on a 2011 MacBook Air since Spring of 2012. A&M is really nice in having a program to subsidize computer purchases for faculty, but unfortunately I had to spend my faculty workstation funds a month or so before Apple updated the Airs, which meant that I got the version where 250G was the maximum SSD and the ports were USB2 instead of USB3. I’ve been meaning to replace it since I started getting close to filling up the disk. Plus I’ve actually worn the letters off several of the keycaps (as you can see in the picture)!

[Image: 20140801-014543-6343286.jpg]

The SSD was so full that I moved my iTunes and iPhoto libraries to an external Volume using a Nifty Minidrive microSD card holder. But Time Machine keeps marking that Volume as one to not back up, even though I could have sworn that I changed that setting many times.

So, I finally decided to pull the trigger and order a new MacBook Air (spending my own money, as I’m not eligible for another workstation yet, and I don’t have the matching grant money right now anyway). It arrived today, so now I’m setting it up. This post is for notes on what worked and what didn’t.

Migration assistant

The old Air was still running Lion while the new one came with Mavericks. I was running Lion because I didn’t want to deal with reinstalling MacPorts for the web development I do on my laptop, and I also figured that I was going to get a new machine anyway.  This meant that even though I attached the two laptops to each other using a thunderbolt cable, they didn’t handshake, so the transfer started using WiFi. Time estimate: more than 8 hours!  Attaching ethernet cables (I have one USB to ethernet and one thunderbolt to ethernet adaptor) during the transfer didn’t work, so I aborted the transfer and restarted it after I had created a temporary user on the new Mac. Using Ethernet the time was closer to 4 hours.

Interestingly, after the transfer, the old MacBook renamed itself because both machines had the same network names. The aborted transfer also did something very weird to the Applications folder. There is now a nameless folder with copies of all the Applications and a symlink to Applications. Deleted that.

Migration assistant seems to have moved my ssh keys.

iWork apps

Launching the App Store, I was prompted to accept the iWork apps. Cool. Got them.

Xcode

Xcode does not automatically update, so I did that in the App Store. Based on this post and the MacPorts documentation, it seems that I also needed to reinstall the command line tools, using

sudo xcode-select --install

but then I discovered that updating Xcode via the App Store isn’t good enough; it just updated to a higher version of 4.x instead of going to 5.x. I had to trash the old one and reinstall from the App Store. The command line tools have to be downloaded from the Apple Developer Site. I really don’t understand why Apple took these outside of the Xcode installation.

MacPorts

MacPorts recommends reinstalling, so I downloaded the package installer and installed it.  The migration guide suggests uninstalling everything. After confirming that

sudo port selfupdate
sudo port upgrade outdated

failed, I went ahead and did

port -qv installed > myports.txt  
sudo port -f uninstall installed  
sudo port clean all

and then reinstalled the things I think I need. This was not as straightforward as it should be. I think it turned out that I needed to reset xcode-select to use the Command Line tools that are separate from Xcode.

xcode-select -r

This allows me to install the desired modules in MacPorts, even though every one of them gives a warning about how it will probably fail because Xcode is not installed (even though it is).

Mail.app

On launching, it updated the database… badly for the IMAP account used by TAMU’s recent migration to Gmail. I’m seeing problems where messages have to be clicked multiple times in order to go to the trash, and worse, there are cases where the sender and subject of the email selected in the mail browser don’t match the one in the preview window. This has been seen by others. Rebuilding didn’t help, but deleting the account and recreating it seems to have worked.

Time Machine

There isn’t anything in the Time Machine Preference Panel to set the backup to inherit the history from the old machine, but the first time I started a backup, it prompted me to ask if I wanted to do that.  I’m wondering how long the first backup will take… I started on Saturday afternoon and it’s been preparing backup for at least a couple of hours.

UPDATE: despite estimating that it would take much longer, the backup completed sometime earlier than 9:20 PM on Saturday. Sweet!

Microsoft Office

As expected, Word complained about needing a product key. Once I found it in my Amazon account, things seem to work.

Websites

I use MacPorts php with the Apple Apache2 to do web development (mostly in Mediawiki and WordPress). It seems that the Migration Assistant didn’t move files owned by the www user.  Rather than dig the desired files out of the old machine (by this time the new laptop and I were at work and the old laptop is at home), I downloaded new versions and installed fresh.

WordPress shortcode plugins with multiple instances

I’ve been working on the JSmol2wp plugin used in these previous posts. There have been a couple of challenges associated with putting multiple copies of the JSmol viewer applet in the same post, and in having multiple posts with viewers.

The WordPress shortcode API doesn’t provide an obvious way for a shortcode to know its position in a post. For most shortcodes, this doesn’t matter; they return content to WordPress to put in place of the shortcode. The reason it’s important for JSmol2wp (and perhaps to other plugin developers) is that JSmol2wp needs to assign each applet a unique identifier so that commands are channeled to the correct applet. Googling “wordpress shortcode multiple instances” reveals other developers having the same problem.

My solution(s)

Various versions of JSmol2wp used variations on the same solution based on the idea that knowing the integer value for which copy of the shortcode I had is valuable. In hindsight, there are two easier solutions:

  • create a unique id that does not depend on anything else, based on something like a timestamp or an md5 of various passed parameters
  • make the user encode the uniqueID (I don’t like this one, but I ended up having it available as a fallback)

The solution I used is to pull the entire content of the post and search for the shortcode markup  using either string functions or regexes. The current version is clunky because I was not sure whether PCRE was causing problems for some installations.

$p = get_post();
# determine the instance if there are multiple copies
# of the shortcode in this post
# we want to do this without preg_match to work on different PHP versions
$m = explode('[jsmol', get_the_content());
array_shift($m);
foreach($m as $i => $match){
     $t = explode(']', $match);
     # there could be nested shortcodes or other shortcodes in the text
     # but trim off what is safe to trim off
     if(count($t) > 1){
        array_pop($t);
        # rejoin with the same delimiter that explode() split on
        $match = implode(']', $t);
     }
     # odd bug requires recasting as a string to get stripos to work
     $match = (string)$match;
     # catenate the post_id to the instance to make the id unique
     # when displaying multiple posts per page
     # stripos() returns false when there is no match, so test for that explicitly
     if( ($acc == '' || stripos($match, $acc) !== false) &&
        ($caption == '' || stripos($match, $caption) !== false) &&
        ($fileURL == '' || stripos($match, $fileURL) !== false) &&
        ($isosurface == '' || stripos($match, $isosurface) !== false) &&
        ($id == '' || stripos($match, $id) !== false)
     ) $this->instance = $p->ID."_$i";
}

This would be better with the right regex, but my regex skills are not that good at thinking about how to handle the possibility of [ and ] inside the parameters passed by the shortcode, since these are legal characters in Jmol scripting.

Note that the unique id includes the post ID. This prevents clashes when multiple posts are displayed on a single page.

The

 # odd bug requires recasting as a string to get stripos to work
$match = (string)$match;

was to fix a problem where spaces in one of the parameters (caption) caused stripos to return false, even though var_dump showed $match was already a string.

Testing JSmol2wp

lambda repressor headpiece


Last week we had a meeting to discuss enhancements for the department website. One thing that came up was the idea of better eye candy to highlight the research we are doing.  As a biochemistry department where many people are doing structures and structure-function studies, an obvious capability to add is a molecular graphics viewer. Fortunately, I had some experience through EcoliWiki with Robert Hanson’s Jmol project, which uses a Java Applet to embed viewers in websites.

Of course, the Jmol developers recognized several years ago that alternatives to Java were needed, especially for viewing molecules on phones and tablets that lack Java. As a Mac user, I also find Java to be problematic. So Jmol spawned a sister project: JSmol, based on JavaScript. Since I have some experience with writing WordPress plugins, I adapted JSmol for a plugin, which I call JSmol2wp. Here’s what it looks like:

Dragging should rotate the model, which is embedded via a shortcode that passes a bunch of parameters, including the PDB accession, the caption, and code to create custom buttons and other interface elements. The buttons run Jmol scripts to select, zoom, recolor etc. The plugin detects multiple instances of the shortcode that creates the applets as long as they use different pdb accessions.

This is the structure of the CynR DNA binding domain from a local file


Updating to Mavericks Server

We have a mini that we got to support a program to train undergrads in bioinformatics. Over the past week or so I’ve been working on updating it to run Mavericks and Mavericks Server.  I first decided to go with OSX servers back when I had a G5 blade running Panther Server for the user-friendly GUI management system. But since then OSX server has gotten to be steadily more annoying in that:

  • The Server and Server Admin apps have never been backward compatible with earlier versions. This means I have to do remote administration of older machines – some of which cannot be updated to the latest OS – through either ssh or vnc. The former defeats the purpose of having the GUI. The latter is sluggish.
  • The amount of control the admin gets over things has been steadily declining. The first versions of Server gave you pretty fine-grained control over configuration. That’s all gone.

So, as with Lion Server, which is what I’m upgrading from, I think I’m going to end up running everything via MacPorts, and not use the Server.app. Or look into converting it to a Linux Box.