Problems...

... and solutions by <creative.sysadms@chalmers.se>

Maintained by <appro@fy.chalmers.se>
P. MathLM, Mathematica License Manager, is vulnerable to trivial denial-of-service attack...
S. The LD_PRELOAD module below agressively timeouts transactions as well as fixes several other problems with mathlm, see commentary section in the source for further details.

mathlm.sentry.c

P. ICA Client for Unix, version 5.x and below disregards umask and ignorantly chmods all the files it touches to rwxrwxrwx...
S. Shortest module ever:-) Compile with gcc -shared and LD_PRELOAD to wfica.

wfica_chmod.c

P. Solaris lpq exhausts privileged ports...
S. We run SAMBA and export a bunch of printers, lpq is called rather often and privileged ports tend to get exhausted now and then. So I intercept calls to rresvport and set SO_LINGER option on allocated socket.

lpq_letitgo.c

P. VMware 2.x didn't support mounting of CD-ROM images, you had to burn a CD to access the data...
S. The module below intercepts open and ioctl system calls and emulates minimum set of CD-ROM ioctls on a plain file. See the source for details on usage.

vmcdimage.c
#if 0 # # http://fy.chalmers.se/~appro/linux/vmcdimage.c # # Copyright (c) 2001 by <appro@fy.chalmers.se> # # Permissions to copy and use are granted as long as the copyright # notice is retained. All warranties are however disclaimed. # # This module emulates CD-ROM ioctls on plain files and is ment to # be LD_PRELOAD-ed to VMware. Idea is to trick VMware to mount # CD-ROM images without burning a CD. Once preloaded (e.g. with # Ženv LD_PRELOAD=./vmcdimage.so vmwareŽ) the module intercepts a # number of system calls to /dev/cdrom and emulates responses # whenever appropriate. Note that /dev/cdrom is normally a symbolic # link and you can adjust it at your will on-the-fly! No VMware # restart is required! If you find the idea of using /dev/cdrom # disgusting, set _DEV_CDROM environmnet variable and adjust your # VMware guest configuration accordingly. Keep in mind that vmware # is a set-root-uid program, so that you have to be root in order to # LD_PRELOAD this module. # # Cheers, Andy:-) # /bin/sh << EOS MODNAME=\`basename "$0" .c\` set -x gcc -O -fbuiltin -fomit-frame-pointer -fPIC -shared -o \$MODNAME.so "$0" -ldl EOS exit # # Revision history: # # 20010822 Support for bootable CD images added. # 20010823 Support for mortal users(*) added. # # (*) as LD_PRELOAD works for root only, mortals has to pass a # set-root-uid wrapper of the following design (feel motivated # to rewrite it in C): # #!/usr/bin/perl -T foreach $i (%ENV) { if ($i !~ /^(DISPLAY|XAUTHORITY|TZ|USER|LOGNAME|HOME|_DEV_CDROM)$/) { delete $ENV{$i}; } } $ENV{LD_PRELOAD} ="/usr/lib/vmware/vmcdimage.so"; $ENV{_DROP_TO_RUID}="$<"; # instruct the .so to drop privileges $<=$>; exec ("/usr/bin/vmware",@ARGV); # #endif #ifndef __linux # error "Linux only" #endif #define _LIBC #define _LIBC_REENTRANT #include <errno.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <limits.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/ioctl.h> #include <fcntl.h> #include <dlfcn.h> #include <linux/cdrom.h> #ifdef __GNU_LIBRARY__ # if __GNU_LIBRARY__==6 # define LIBC_SO "libc.so.6" # else # define LIBC_SO "libc.so.5" # endif #else # error "what's your libc?" #endif static int (*__libc_open)(const char *path,int flags, ...); static int (*__libc_close)(int f); static int (*__libc_ioctl)(int f, int request, ...); static char _dev_cdrom_path[1024]="/dev/cdrom"; static fd_set _dev_cdrom_fds; static int _dev_cdrom_fd=-1; static struct stat _dev_cdrom_stat; asm (" .section \".init\" call _dev_cdrom_init "); static _dev_cdrom_init() { char *env; uid_t uid; void *libh; if (getuid()==0 && (env=getenv("_DROP_TO_RUID"))) { if (uid = strtoul (env,NULL,10)) setresuid (uid,-1,-1); } if (!(libh = dlopen (LIBC_SO,RTLD_LAZY))) { fprintf (stderr,"can't dlopen(\"%s\").",LIBC_SO); exit (1); } if (!(__libc_close = (int (*)(int))dlsym (libh,"close"))) { fprintf (stderr,"can't link to \"close\" from %s",LIBC_SO); exit (1); } if (!(__libc_open = (int (*)(const char *,int,...))dlsym (libh,"open"))) { fprintf (stderr,"can't link to \"open\" from %s",LIBC_SO); exit (1); } if (!(__libc_ioctl = (int (*)(int,int,...))dlsym (libh,"ioctl"))) { fprintf (stderr,"can't link to \"ioctl\" from %s",LIBC_SO); exit (1); } if (env=getenv ("_DEV_CDROM")) strncpy (_dev_cdrom_path,env,sizeof(_dev_cdrom_path)-1); } static int safer_open (const char *path,int flags) { uid_t uid; int fd; setresuid (-1,0,-1); fd = (*__libc_open) (path,flags); if (uid=getuid()) /* mortal user running */ { setresuid (-1,uid,-1); if (fd>=0) { /* make sure it's a cdrom device! */ if ((*__libc_ioctl) (fd,CDROM_DRIVE_STATUS,INT_MAX) == -1) { close (fd); fd = (*__libc_open) (path,flags); } } else /* might happen in NFS environment */ { fd = (*__libc_open) (path,flags); } } return fd; } static int my_open (const void *ra,const char *path,int flags,mode_t mode) { int fd; if (strcmp (path,_dev_cdrom_path)) return -ENOSYS; if (_dev_cdrom_fd==-1) { flags &= ~O_CREAT; if ((fd=safer_open (path,flags))>=0) { FD_SET(fd,&_dev_cdrom_fds); fstat (_dev_cdrom_fd=fd,&_dev_cdrom_stat); } return fd; } else { if ((fd=dup(_dev_cdrom_fd))>=0) { FD_SET(fd,&_dev_cdrom_fds); } return fd; } return -ENOSYS; } static int my_close (const void *ra,int fd) { FD_CLR(fd,&_dev_cdrom_fds); if (fd == _dev_cdrom_fd) _dev_cdrom_fd=-1; return -ENOSYS; } static int my_ioctl (const void *ra,int fd,int request,int arg) { static int cdrom_options=0xd,media_changed=1; struct stat sb; int newfd,i,ret; off_t size; if (((request>>8)&0xff) == 'S') { if (fd >= 0 && FD_ISSET(fd,&_dev_cdrom_fds)) { fprintf (stderr,"CDROM ioctl(%d,0x%x,0x%08x): ",fd,request,arg); switch (request) { case CDROMPAUSE: case CDROMRESUME: case CDROMPLAYMSF: case CDROMPLAYTRKIND: case CDROMVOLREAD: case CDROMSUBCHNL: fprintf (stderr,"discarding audio ioctls\n"); __set_errno(ENOSYS); return -1; case CDROM_MEDIA_CHANGED: if (media_changed) { fprintf (stderr,"\"media\" changed\n"); cdrom_options = 0xd; media_changed = 0; return 1; } /* no break; */ case CDROM_DRIVE_STATUS: if (stat (_dev_cdrom_path,&sb) != 0) { fprintf (stderr,"\"tray\" is open\n"); return CDS_TRAY_OPEN; } if (sb.st_dev != _dev_cdrom_stat.st_dev || sb.st_ino != _dev_cdrom_stat.st_ino ) { newfd = safer_open (_dev_cdrom_path,O_RDONLY|O_NONBLOCK); if (newfd < 0) { fprintf (stderr,"close the \"tray\"\n"); return CDS_TRAY_OPEN; } dup2 (newfd,_dev_cdrom_fd); (*__libc_close) (newfd); fprintf (stderr,"changing \"media\", "); memcpy (&_dev_cdrom_stat,&sb,sizeof(struct stat)); media_changed = 1; } else if (sb.st_size != _dev_cdrom_stat.st_size) { /* use with extreme caution */ fprintf (stderr,"\"media\" is changing, "); memcpy (&_dev_cdrom_stat,&sb,sizeof(struct stat)); media_changed = 1; } /* no break; */ default: if (!S_ISREG(_dev_cdrom_stat.st_mode)) { fprintf (stderr,"assuming hardware %s\n",_dev_cdrom_path); return -ENOSYS; } } switch (request) /* minimum ioctl set to mount CD-ROM image under VMware 2.0.4 */ { case CDROMMULTISESSION: fprintf (stderr,"emulating single session\n"); i=((struct cdrom_multisession *)arg)->addr_format; memset ((void *)arg,0,sizeof(struct cdrom_multisession)); ((struct cdrom_multisession *)arg)->addr_format=i; if (i==CDROM_MSF) ((struct cdrom_multisession *)arg)->addr.msf.second=2; else if (i==CDROM_LBA) ((struct cdrom_multisession *)arg)->addr.lba=0; else { __set_errno(EINVAL); return -1; } return 0; case CDROMREADTOCHDR: fprintf (stderr,"emulating single track\n"); ((struct cdrom_tochdr *)arg)->cdth_trk0=1; ((struct cdrom_tochdr *)arg)->cdth_trk1=1; return 0; case CDROMREADTOCENTRY: { struct cdrom_tocentry *te=(struct cdrom_tocentry *)arg; /* I'm not sure about these three, suggestions appreciated! */ te->cdte_adr = 1; te->cdte_ctrl = 4; te->cdte_datamode = 0; switch (te->cdte_track) { case 1: /* the track at LBA #0 */ if (te->cdte_format == CDROM_MSF) te->cdte_addr.msf.frame = 0, te->cdte_addr.msf.second = 2, te->cdte_addr.msf.minute = 0; else if (te->cdte_format == CDROM_LBA) te->cdte_addr.lba = 0; else { __set_errno(EINVAL); return -1; } fprintf (stderr,"track #0 at 0\n"); break; case 0xaa: /* the lead-out at st_size */ if (te->cdte_format == CDROM_MSF) size = _dev_cdrom_stat.st_size + 150, te->cdte_addr.msf.frame = size%75, te->cdte_addr.msf.second = (size/=75)%60, te->cdte_addr.msf.minute = (size)/60; else if (te->cdte_format == CDROM_LBA) te->cdte_addr.lba = _dev_cdrom_stat.st_size; else { __set_errno(EINVAL); return -1; } fprintf (stderr,"track #aa at %d\n",_dev_cdrom_stat.st_size); break; default: fprintf (stderr,"bad track #%x\n",te->cdte_track); __set_errno(EINVAL); return -1; } return 0; } case CDROM_DRIVE_STATUS: fprintf (stderr,"\"disk\" is always in\n"); return CDS_DISC_OK; case CDROM_MEDIA_CHANGED: fprintf (stderr,"\"media\" not changed\n"); return 0; case CDROM_DISC_STATUS: fprintf (stderr,"emulating generic data cd\n"); return CDS_DATA_1; case CDROM_LOCKDOOR: fprintf (stderr,"locking, doing nothing...\n"); return 0; case CDROMEJECT: fprintf (stderr,"ejecting, doing nothing...\n"); media_changed = 1; return 0; case CDROM_SET_OPTIONS: cdrom_options |= arg; fprintf (stderr,"emulated uopt is 0x%x\n",cdrom_options); return cdrom_options; case CDROM_CLEAR_OPTIONS: cdrom_options &= ~arg; fprintf (stderr,"emulated uopt is 0x%x\n",cdrom_options); return cdrom_options; default: fprintf (stderr,"unimplemented"); __set_errno(ENOSYS); return -1; } } } return -ENOSYS; } asm (" .text .type __open,@function .global __open .type open,@function .global open .align 4 __open: open: call my_open cmpl $-38,%eax jne 1f jmp *__libc_open 1: ret .size __open,.-__open .size open,.-open .text .type __close,@function .global __close .type close,@function .global close .align 4 __close: close: call my_close cmpl $-38,%eax jne 1f jmp *__libc_close 1: ret .size __close,.-__close .size close,.-close .type ioctl,@function .global ioctl .align 4 ioctl: call my_ioctl cmpl $-38,%eax jne 1f jmp *__libc_ioctl 1: ret .size ioctl,.-ioctl ");

P. VMware 3.x doesn't support mounting of DVD-ROM images. Well, you can mount it, but it fails to read beyond 2GB...
S. I've started by extending vmcdimage.c above with minimum support for CDROM_SEND_PACKET ioctls, to make it possible to mount the image as "raw" CD-ROM... But it turned out that following is more than sufficient to cross the 2GB limit.

open64.c

P. It's impossible to get VMware 4.x working with ESD, Enlightenment Sound Daemon...
S. VMware recommends to get rid of it, but I see no reason why should I do that:-) But there is a catch! esddsp is the very same kind of fiddler as myself. It plays on LD_PRELOAD-ing modules intercepting calls to open(2) and couple of others. Setting LD_PRELOAD variable prior esddsp vmware invocation wouldn't work, as it will be [ignorantly] overridden by the esddsp script. Therefore, LD_PRELOAD variable has to be set according to the example in attached code. Order is important! In case you wonder what's the heck with VMware 4.x. As the code implies the problem is that VMware 4.x calls open64(2) while libesddps.so re-implements open(2). So the snippet simply forwards calls to open64(2) to open(2) enforcing in O_LARGEFILE flag, so that the result is equivalent.

64open.c

P. SCSI analyzers cost thousands of dollars...
S. If you have VMware, you can easily spy on SCSI "traffic" by exporting "Generic" SCSI devices to the guest OS and pre-loading this module to vmware binary. You most likely want to customize it for your own particular needs.

sgiosniffer.c

P. Solaris doesn't recognize HOSTALIASES environment variable:-(
S. Compile and LD_PRELOAD this libhost.c module of Johan Rudholm's design. See the source for further details. Posted with explicit Johan's permission.

libhost.c

P. Adobe PDF Writer requires LPT1: to be present, while nowadays you can run into a PC without parallel port (laptops and slim-line servers)
S. Yes, this is a Windows thing! The code targets Windows 2000/XP/.NET and requires DLL_PRELOAD module loaded. The idea is to create a symbolic link from LPT1 to \Devices\Null before Print Spooler service starts. The module is therefore can be pre-loaded to SERVICES.EXE, parent to all services.

lptone.c

P. Sometimes it takes 2 minutes to logout Windows 2000/XP (yes, Windows again)
S. If you're observant enough, you'll also notice that when it happens, your [roaming] profile will not be updated and the recent changes will consequently be lost. The problem is recognized by Microsoft, and several attempts to work it around were actually made, but none of them was successful. The problem is that Win32 Subsystem server, CSRSS.EXE, (well, rather one of DLLs dynamically loaded to its address space) leaks handle[s] to your personal registry hive, which makes it improssible to unload the latter. So we do it the hard way:-) In order to catch the moment of logout, I intercept call to UnloadUserProfile in WINLOGON.EXE (yes, this means that module in question is to be pre-loaded to WINLOGON.EXE). Upon call to this function, I list processes to identify my Win32 Subsystem server, "attach" to it, then "steal" the handles to my registry hive and just close them. Needless to mention that it requires DLL_PRELOAD module loaded.

WINLOGOUT.c

P. Sometimes I/O buffers are required to be aligned in a specific manner (most notably when accessing /dev/raw/raw* in Linux)
S. This module maintains single common intermediate buffer aligned at page boundary and makes sure all I/O requests are aligned. This is very quick-n-dirty hack! But it does the job if all you want to do is to fool around with such programs as tar, dd, cpio, ... and /dev/raw/raw*. See the code for an example...

aligned_io.c

P. Tru64 clu_upgrade(8) floods root file system when performing preinstall procedure for rolling TruCluster upgrade...
S. Tru64 tar exhibits [annoying] quality to follow symbolic links at autofs(8) mount point(s) even if instructed not to. Apparently it's intentional (they probably want to maintain an illusion of loopback mount point), but in this particluar case is totally inappropriate. Ideally clu_upgrade should explicitly backup files without crossing the device boundary. Meanwhile it's possible to work around the problem by tricking tar to cache first device being returned by lstat(2) and return failure upon cache miss...

tardeviceonly.c

P. Sometimes you have to maintain virtual identity...
S. Imagine you have a virtual interface or cluster alias set up. Most network server programs allow you to bind their incoming sockets to the interface of interest [e.g. "bind interfaces only" in Samba]. But there come occasions when you have to maintain virtual identity even on outgoing sockets, maybe without having the luxuary or not willing to modify the source code to suit your needs. TruCluster for example provides for this on per target port basis [out_alias parameter in /etc/clua_services], but this affect all applications and applies to default cluster alias only, which is not necessarily what you had in mind. Therefore attached module:-) If pre-loaded into target application's address space, this module maintains virtual identity on all sockets opened by that particular process and its direct siblings.

bind_to.c

P. Why not per-executable environment variables?
S. Yet another DLL_PRELOAD Windows module. Idea is to set environment variables on per-executable basis. E.g. _CLUSTER_NETWORK_NAME_ set to %USERNAME% in ICA Client context on Terminal Server can become very handy;-) But why not a wrapper script [such as we used to do in Unix] you ask? Well, then you might have to re-associate application CLSID, which is nothing but boring... And if you use simpler interpretator (such as CMD or Perl), you might end up with an ugly black window instantly popping up and disappe.a..r...

environ.c

P. Ever tried to access files with zapped ACL on NTFS volume? Doesn't work even for privileged user, does it?
S. Here is yet another DLL_PRELOAD Windows module which allows commodity programs executed by privileged user to bypass access control mechanisms [therefore the name: BYPass ACcess Control]. With this module pre-loaded you [being a privileged user!] can traverse directories, open files and manipulate ACLs on NTFS objects without regard to their effective permissions. This is achieved by "unlocking" the Backup privilege for current process and patching a system call to open all files "for Backup." This is essentially what NTBACKUP.EXE does... A reminder that DLL_PRELOAD works only with programs linked with USER32.DLL is due here. Because [X]CACLS.EXE are not linked with it and don't work:-( So don't ask... Explorer works fine, but it's tricky to pre-load the module on temporary need-for-a-moment basis. I personally recommend [and stick to] following procedure:
  • open Folder Options control panel -> View pane and make sure you "Launch folder windows in a separate process,"
  • close all folder views and double-check that you have only one explorer.exe process left running,
  • open Command Prompt window and issue "set DLL_PRELOAD=bypacc.dll" command followed by "explorer,"
  • at this point you should have unconstrained Explorer window...
  • proceed to step 2 when done!

bypacc.c

P. ActiveSync 4.1 does not work in Citrix Presentation Server [nor "vanilla" Terminal Server] environment.
S. Yes, Windows again. Gr-r-r-r... This module is designed to modify behaviour of ActiveSync components, wcescomm.exe, wcesmg.exe and rapimgr.exe, in following manner. First of all the module places itself between KERNEL32.DLL and NTDLL.DLL and strips Global\ prefix from mutex and semaphore objects created/opened by either component. This makes ActiveSync adhere to session-specific object name space. Secondly it places itself between WS2_32.DLL and currently registered WSP, Windows Socket Provider, and re-bias references to 127.0.0.1 to a session-specific address from 127. subnet. This effectively isolates concurrently executing instances of the application suite in question in every given session, which is the key to successful application deployment in Terminal Server environment. It should be noted that Citrix already arranges for the latter, per-session loopback communication interface, so one can wonder why did I do it? Well, because we've found that it's actually possible to make ActiveSync work [at least] with rdesktop COM-port redirection even without Citrix! Reliable and seamless deployment, in particular of USB-connected PDAs, requires some Linux kernel as well as rdesktop patching. We plan to publish these patches as we make progress.

vsync.c

P. Adobe Acrobat [Reader] 9 for Windows crashes upon startup...
S. Crash occurs if there is an unreadable yet traversable directory on your %APPDATA% path. I.e. such directory where you can not run 'dir' in, but can 'chdir' to a subdirectory. In our particular case %APPDATA% is redirected through a DFS root, where we forbid users to list referrals for security and primarily performance reasons. Crash takes places in MSVCRT and is worked around [naturally with DLL_PRELOAD's help] by pulling directory status information for '...\unreadable\subdir\.' instead of '...\unreadable\subdir'.

statpatch.c

P. Low-traffic TCP connections tend to hang and ultimately break in NAT-ed environment...
S. For TCP to work through a NAT device, such as residential gateway, latter maintains table of active TCP connections. The table is periodically traversed and connections that are considered stale are removed from the table. This means that if there was no activity on a given TCP connection for certain period of time, chances are that it will be evicted from the NAT table, i.e. will be effectively broken. And given current state of busyness it takes inapproriately long time to detect that it's broken. This poses major irritation for remote interactive sessions, such as SSH or RDP. Periodic TCP keep-alive can come to rescue, but in addition to the fact that the default system-wide interval is surrealistically high, 2 hours, application has to explicitly set SO_KEEPALIVE socket option. In other words in addition to setting kernel parameter (net.ipv4.tcp_keepalive_time on Linux and Services\Tcpip\Parameters\KeepAliveTime on Windows) to lower value you might have to modify application code. Naturally you might find yourself in position of not being able to do the latter, especially on Windows. Therefore below Windows-specific DLL_PRELOAD module that sets up keep-alive on all sockets opened by chosen application. Example suggests to pre-load it to mstsc.exe, Windows RDP client...

keepalive.c

To be continued...