No phone home

28.02.2010 20:20

A while ago I wrote about a method of sandboxing certain untrusted applications by using unprivileged user accounts.

Obviously Chrome browser and Skype from that example had to had access to the network to be useful. However applications today have a nasty habit of phoning home and sharing all sorts of data with its creators, some of which you might prefer to keep private. So for an untrusted application that has no business talking to the network its only logical to preemptively prevent it from doing that.

On a recent Linux system, it's really simple to do that, as long as the application is running under its own user ID:

# iptables -D OUTPUT -o \! lo -m owner --uid-owner foo -j DROP

What this does is drop all packets originating from a process owned by user foo and are not destined for the loopback interface. You can put this line into /etc/rc.local for instance to make the setting permanent.

Of course, just as with my previous post a warning is in order here. This will only prevent casual network transmissions from applications not specifically written to be resilient to such methods.

Actually, it's pretty easy to circumvent if you know what you're dealing with. Pings from /bin/ping for instance, will get through on my system, because that binary is set SUID root.

Posted by Tomaž | Categories: Code | Comments »

Lab power supply

26.02.2010 20:56

I've been wanting to design and build a new 50 W lab power supply for some time now. It has turned out to be one of those projects that you think will take a month tops and then the lack of time stretches it to half a year and counting.

The minimum requirements are 0 - 25 V and 2 A with an adjustable current limit. I've considered four approaches for such a design:

  • A plain linear regulator,
  • linear regulator combined with a transformer with multiple taps,
  • linear regulator with a thyristor pre-regulator and
  • switched-mode regulator.

These are pretty much sorted by ascending complexity and efficiency.

The power requirements are just barely within the reach of the first option. However that would require a big passive heat sink (I want to keep away as far away from unreliable fans as possible). Plus building a new device that would operate around 10 - 20% efficiency most of the time doesn't really feel right. So scratch that.

I spent quite a bit of time researching the second option. In fact, I have an almost completed design for it on the drawing board right now. It uses a two-tap transformer with a relay to switch between them - transformers with more taps aren't easy to find. The regulator part is roughly based on the 0-30 V power supply from Electronics lab.

Still, I'm not really happy with it. I have doubts about the longevity of the relay and worst-case heat dissipation is still uncomfortably high.

By the way, the original Electronics lab design is pretty broken in several ways and I strongly doubt that it meets its specifications - but that is perhaps a topic for another post.

I'm not going to even consider building a switcher for this purpose. It's noisy and has worse regulation characteristics than a linear design. Not really something I would want in a lab supply. Plus finding appropriate ferrite cores for switchers is always a pain.

So, right now I'm looking into a thyristor pre-regulator. There's a pretty good application note from Linear technology that has a basic circuit. It looks solid on paper and I'm going to give it a try tomorrow to see how it behaves in practice. If it works as advertised I'm more than prepared to go back to the drawing board with this.

Posted by Tomaž | Categories: Analog | Comments »

Catching own tail

22.02.2010 16:31

How to make a shell (er, Bash) script wait until a certain line appears in a log file? Sounds simple, but I have yet to find an elegant solution for this task.

A common use case for this is when you start a daemon that forks into background and you need to wait in the script until the daemon has finished doing something.

The following is the best I came up with:

tail -f $LOG | ( \
	IFS=""
	while read LINE; do
		if echo "$LINE" | grep "$CANARY" > /dev/null; then
			break
		fi
	done
	pkill -f "tail -f $LOG"
)

IFS is unset here because it appears to help with buffering for some reason. Without that line the script will sometimes wait even after the $CANARY has been appended to the file. That can be problematic when the line you're looking for is the last one that will be written to the log.

The most obvious flaw here is that pkill will kill all tail processes, even those that have not been started from this script.

Any better solutions are most welcome.

Update: Thanks to Nace here's a better version of the script that is more carefull at killing the tail process:

PARENT="$BASHPID"                 # (Bash 4.x)
PARENT=`$SHELL -c 'echo $PPID'`   # (Bash 3.x)
tail -f $LOG | ( \
	IFS=""
	while read LINE; do
		if echo "$LINE" | grep "$CANARY" > /dev/null; then
			break
		fi
	done
	pkill -P "$PARENT" -xf "tail -f $LOG"
)
Posted by Tomaž | Categories: Code | Comments »