Updating Arch Linux — filesystem drama

Today I updated Arch Linux on a VM that I haven’t used in a while. When I first did this I received a mes­sage like:

:: Pro­ceed with instal­la­tion? [Y/n] y
(73/73) check­ing keys in keyring                     [######################] 100%
(73/73) check­ing pack­age integrity                   [######################] 100%
(73/73) load­ing pack­age files                        [######################] 100%
(73/73) check­ing for file con­flicts                  [######################] 100%
error: failed to com­mit trans­ac­tion (con­flict­ing files)
filesys­tem: /bin exists in filesys­tem
filesys­tem: /sbin exists in filesys­tem
filesys­tem: /usr/sbin exists in filesys­tem
Errors occurred, no pack­ages were upgraded.

Puz­zling… Every­one that’s writ­ten a script knows to call #!/bin/bash on the first line. How could /bin exist­ing be a problem?

I googled a bit and came across this won­der­ful post to get a list of pack­ages that owns files in /bin, /sbin, and /usr/sbin: https://bbs.archlinux.org/viewtopic.php?pid=1280576#p1280576

So I ran the command:

grep ‘^s\?bin/\|usr/sbin’ /var/lib/pacman/local/*/files | cut –d “:” –f 1 | uniq | cut –d “/” –f 6

The result was a list­ing of 20 some pack­ages. I then upgraded each them, one at a time, with pac­man –S , leav­ing filesys­tem to the end, along with bash and glibc.

So far so good. I updated bash. No prob­lems. Then I updated glibc…

/usr/bin/locale-gen: /bin/sh: bad interpreter

That isn’t promis­ing. So I tried to run /bin/sh, and it wasn’t there. Not only was /bin/sh gone, but the entire /bin direc­tory was gone. I poked around and found bash, sh, and the other usual sus­pects in /usr/bin. I cre­ated a sys­link for /bin -> /usr/bin with: ln –s /usr/bin /bin

Then I ran pac­man –S glibc and it worked. Next up filesys­tem. Same error as before, except this time it was just on /bin. I removed the sym­link, updated filesys­tem, and every­thing was in har­mony once again. The filesys­tem pack­age will actu­ally cre­ate /bin -> /usr/bin and /sbin -> /usr/bin so that all of your scripts will con­tinue to func­tion when you call #!/bin/bash at the top.

True to form, I didn’t come across this post by Arch Linux until after I’d writ­ten this blog entry. Take a look for another method of solv­ing the problem.

Binding Media Keys in i3 on Arch Linux to Control MPD

My Log­itech key­board has sev­eral but­tons at the top that I wanted to use to con­trol mpd (man|arch). They were Prev, Play/Pause, Next, and Mute/Unmute.

I knew that my win­dow man­ager i3 (man|arch) was able to bind key com­bi­na­tions to per­form func­tions such as exe­cut­ing a pro­gram, switch­ing the vis­i­ble work­space, or mov­ing a win­dow. The for­mat of the .i3/config file to launch a pro­gram on a cer­tain key com­bi­na­tion is:

bindsym <key com­bi­na­tion> exec <com­mand to execute>

With that known, we need to know how the sys­tem refers to those media keys. This is where xev (man|arch) is use­ful. Xev is a pro­gram that will print out data about mouse move­ments, key press events, and key release events. When the key is unbound you’ll get a Key­Press event like the below:

Key­Press event, ser­ial 32, syn­thetic NO, win­dow 0x4800001,
    root 0x28e, subw 0x0, time 654012911, (-169,-224), root:(1755,327),
    state 0x10, key­code 20 (keysym 0x2d, minus), same_screen YES,
    XLookup­String gives 1 bytes: (2d) “-“
    XmbLookup­String gives 1 bytes: (2d) “-“
    XFil­terEvent returns: False

Notice the sec­tion on the 2nd line, “(keysym 0x2d, minus)”, in this exam­ple, I had pressed the “-” key and found that the sys­tem refers to it as “minus”. I did this for each of the media keys and found their names to be:
Prev: XF86AudioPrev
Next: XF86AudioNext
Play/Pause: XF86AudioPlay
Mute/Unmute: XF86AudioMute

We can now fill in the key com­bi­na­tion sec­tion of the .i3/config:

bindsym XF86AudioPrev exec <com­mand to exe­cute>
bindsym XF86AudioNext exec <com­mand to exe­cute>
bindsym XF86AudioPlay exec <com­mand to exe­cute>
bindsym XF86AudioMute exec <com­mand to execute>

By read­ing the man page of mpc(man|arch), we know that it can per­form the fol­low­ing func­tions given the cor­re­spond­ing com­mand:
Prev: mpc prev
Next: mpc next
Play: mpc play
Pause: mpc pause

This makes two of the key bind­ings straight for­ward, but leaves us need­ing a tog­gle for Play/Pause, as we have one but­ton that must send one of two com­mands depend­ing on the cur­rent state of mpd. Here’s a bash script that will per­form just such a tog­gle: https://github.com/rarmknecht/utilities/blob/master/mpc_toggle

With the mpc_toggle script copied to /usr/local/bin our .i3/config now looks like:

bindsym XF86AudioPrev exec mpc prev
bindsym XF86AudioNext exec mpc next
bindsym XF86AudioPlay exec mpc_toggle
bindsym XF86AudioMute exec <com­mand to execute>

Next up, Mute/Unmute. Because I’m using the ALSA sound dri­vers I can use the tool amixer (man|arch) to con­trol the Mas­ter out­put. Again, here’s a bash script that allows for a tog­gle by read­ing the state of Mas­ter before set­ting it: https://github.com/rarmknecht/utilities/blob/master/my_mute

And that’s it once we drop the script in /usr/bin/local and update the i3 con­fig­u­ra­tion file. We can now play/pause, mute/unmute, go back a song, or skip to the next from the keyboard.

Final .i3/config snippet:

bindsym XF86AudioPrev exec mpc prev
bindsym XF86AudioNext exec mpc next
bindsym XF86AudioPlay exec mpc_toggle
bindsym XF86AudioMute exec my_mute

Rebuilt the Workstation

Today I decided to rebuild my per­sonal work­sta­tion again. I’d had Win­dows 7 installed since Novem­ber 2011 as I had started play­ing games like Skyrim, Dia­blo 3, and Guild Wars 2. I’ve real­ized that I haven’t really played a game in many months and have no spe­cific need for the Win­dows OS.

I’ve went with my old friend Arch and tried out a new win­dow man­ager (i3).

randr is now fully sup­ported within the nvidia binary dri­vers, so i3 had no trou­ble rec­og­niz­ing the mul­ti­ple mon­i­tors. Both .i3status.conf and .i3/config were straight-forward to edit to my liking.

So far so good!

Tracking SSHD Login Activity in SplunkStorm

After a night out with my wife I decided to cre­ate a search for SSHD logins in Splunk Storm. See­ing that port 22 is open to the world on 198.61.231.43, I won­der how long before ran­dom bots start attempt­ing to log into it. As a secu­rity prac­ti­tioner its always inter­est­ing to see the effects of just being on the inter­net; and SplunkStorm is a great way to mon­i­tor those effects.

SSHD — Logins (Accepts and Failures)

sshd | rex field=_raw ”]: (?<sshd_action>.*) pass­word for (?<sshd_username>.*) from (?<sshd_ip>.*) port” | search sshd_action=”*” | table _time host sshd_action sshd_username sshd_ip

Here’s a look at the result:
sshd_screenshot

If you’re run­ning syslog-ng, it’s super sim­ple to send your logs over to a Splunk instance. Below is what I added to my /etc/syslog-ng/syslog-ng.conf file where the X’s are val­ues pro­vided by your SplunkStorm admin console:

des­ti­na­tion d_splunk { tcp(logsX.splunkstorm.com” port(XXXXX)); };
log { source(src); destination(d_splunk); };

Unix Tools — Cool and Useful

From Hack­erNews:

gno­sis 14 hours ago | link

abcde — CD to mp3 rip­per
apg — ran­dom pass­word gen­er­a­tor
base64 — bet­ter than uuen­code
boxes — draw any kind of boxes around your text
bsd­iff — binary dif­fer
bspatch — binary patcher
bvi — binary vi (yet another hex edi­tor)
ccx2 — con­sole xmms2 client
clive — flash video down­loader
dvipdfmx — dvi to pdf con­verter
enfuse — poor man’s HDR
get_flash_videos — yet another flash video down­loader
glark — advanced grep
indent — code beau­ti­fier
lshw — list hard­ware con­fig­u­ra­tion
mcurl — mul­ti­ple part down­loader using curl
mktemp — safely cre­ate tem­po­rary files and direc­to­ries
msort — sort records in com­plex ways
net­brake — band­width lim­iter
od — octal dump
par — para­graph refor­mat­ter
par2 — archive ver­i­fi­ca­tion and repair tool
ped — sed done right with perl
pinfo — color info reader
pipe.vim — make vim part of a unix pipe and allow it to
edit the pipe con­tents
pv — Pipe Viewer: a tool for mon­i­tor­ing
the progress of data through a pipe
pydf — pretty df (disk space viewer)
qmv — use your favorite edi­tor to rename files
(part of renameu­tils)
qodem — modem pro­gram that can do ser­ial, tel­net, ssh,
zmo­dem, ker­mit, etc
rdiff-backup — like rsync, but can do incre­men­tal back­ups
recode — like dos2unix and unix2dos, but with many more encod­ings
record­my­desk­top — make screen­cast videos
remark — great log­file col­orizer (part of regex-markup)
rkhunter — find rootkit infec­tions
rlwrap — add read­line edit­ing sup­port to any com­mand
safe­copy — data recov­ery tool (bet­ter than dd)
sponge — soak up stdin and write to a file
(for things like pipeline edit­ing)
sux — su while trans­fer­ring X cre­den­tials
unbuffer — force flush­ing of std­out
upx — exe­cutable com­pres­sor
utimer — count­down timer and stop­watch
vared — edit shell vari­ables (part of zsh)
watch — run a com­mand mul­ti­ple times and dis­play the out­put
(with dif­fer­ences high­lighted)
xdo­tool — sim­u­late key­board and mouse activ­ity
xxd — hex dump
zargs — a ver­sion of xargs that makes the find com­mand redun­dant
(part of zsh)
zed — very small and fast vi-like edi­tor (part of zsh)
zrun — auto­mat­i­cally uncom­press argu­ments to command

More at: http://kkovacs.eu/cool-but-obscure-unix-tools