Trac on FreeBSD6.2 w/ Subversion.

Recently I investigated using Trac (http://trac.edgewall.org/) integrating subversion built on FreeBSD front ended by Apache22. The reason behind this is simple, several of the projects that I am involved with need to use svn and also house web / wiki / forum capabilities. I have written this with the intent of helping FreeBSD users get a base functional install using the aforementioned technologies.

First things first, let's build Apache and Subversion with the appropriate options:

secure# cd /usr/ports/www/apache22
secure# make WITH_AUTH_MODULES=yes WITH_DAV_MODULES=yes \
WITH_SSL_MODULES=yes WITH_BERKELEYDB=db42 install clean
secure# cd /usr/ports/devel/subversion
secure# make -DWITH_SVNSERVE_WRAPPER -DWITH_MOD_DAV_SVN \
-DWITH_APACHE2_APR install clean

Now, let's prepare and build or repository

secure# mkdir -p /svn/repos
secure# svnadmin create /svn/repos
secure# chown -R www:www /svn/repos

After we build our repo and set permissions for www to access them, we need to setup our apache to use dav_svn_module and authz_svn_module. You will need to edit /usr/local/etc/apache22/httpd.conf and modify as noted in the excerpt from mine. Note the commented out dav_module (don't forget to do this or it's gonna break stuff later on)

.....
LoadModule usertrack_module libexec/apache22/mod_usertrack.so
LoadModule unique_id_module libexec/apache22/mod_unique_id.so
LoadModule setenvif_module libexec/apache22/mod_setenvif.so
LoadModule version_module libexec/apache22/mod_version.so
LoadModule ssl_module libexec/apache22/mod_ssl.so
LoadModule mime_module libexec/apache22/mod_mime.so
LoadModule dav_module libexec/apache22/mod_dav.so
LoadModule status_module libexec/apache22/mod_status.so
LoadModule autoindex_module libexec/apache22/mod_autoindex.so
LoadModule asis_module libexec/apache22/mod_asis.so
LoadModule info_module libexec/apache22/mod_info.so
.......
LoadModule alias_module libexec/apache22/mod_alias.so
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
#LoadModule dav_module libexec/apache22/mod_dav.so
LoadModule dav_svn_module libexec/apache22/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache22/mod_authz_svn.so

Next we will be creating our /usr/local/etc/apache22/Includes/svn.conf

secure# vi /usr/local/etc/apache22/Includes/svn.conf

DAV svn
SVNPath /svn/repos
AuthType Basic
AuthName "Feloo Subversion Repository"
AuthUserFile /etc/svn-auth-file
Require valid-user

Create our auth file using htpasswd

secure# htpasswd -cm /etc/svn-auth-file JJC

Build Trac from the ports tree

secure# cd /usr/ports/www/trac && make install clean

Create and initialize our environment

secure# mkdir -p /trac/projects/
secure# trac-admin /trac/projects initenv
secure# chown -R www:www /trac/projects/

Build mod_python3

secure# cd /usr/ports/www/mod_python3 && make install clean

Add one last module to our /usr/local/etc/apache22/httpd.conf

secure# vi /usr/local/etc/apache22/httpd.conf
LoadModule python_module libexec/apache22/mod_python.so

Define our trac location in /usr/local/etc/apache22/Includes/trac.conf (you'll have to create it)

secure# vi /usr/local/etc/apache22/Includes/trac.conf


SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /trac/projects
PythonOption TracUriRoot /trac


AuthType Basic
AuthName "JJC Trac Projects"
AuthUserFile /etc/svn-auth-file
Require valid-user

Now, start (or restart) your apache daemon

apachectl start

You should now be able to access Trac at http://theinstallediporhostname/trac

Cheers,
JJC

Pidgin on Linux w/ jabberd2 on FreeBSD...sasl issues?

Not entirely security related, but I find if of interest and will be digging into it a bit further and posting additional info, there seems to be a compatibility issue between Cyrus SASL and gsasl (what FreeBSD uses). If you try running a pidgin(Linux) with the Cyrus SASL, it will produce a generic error "SASL error", the debug information shows that it's not actually a problem with pidgin...

That's really the quick and dirty of it. If you want to use a FreeBSD jabberd2 server and have Linux clients, then said Linux clients must be compiled with the --disable-cyrus-sasl option. Here are the args that I used on my Ubuntu box when compiling pidgin to make it work with my FreeBSD 6.2 test box running jabberd2, I used a similar set to get FC6 to work also by disabling Cyrus SASL:

Arguments to ./configure: '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/pidgin' '--disable-maintainer-mode' '--disable-dependency-tracking' '--enable-perl' '--disable-silc' '--with-zephyr=/usr' '--enable-dbus' '--enable-gnutls=no' '--enable-nss=yes' '--disable-cyrus-sasl' '--enable-nm' '--enable-mono' 'build_alias=i486-linux-gnu' 'CC=cc' 'CFLAGS=-g'

should produce the following output (or similar), pay special attention to the bolded SASL section:

pidgin 2.2.1

Build GTK+ 2.x UI............. : yes
Build console UI.............. : yes
Build for X11................. : yes

Enable Gestures............... : yes
Protocols to build dynamically : bonjour gg irc jabber msn myspace novell oscar qq sametime simple yahoo zephyr
Protocols to link statically.. :

Build with GStreamer support.. : yes
Build with D-Bus support...... : yes
D-Bus services directory...... : /usr/share/dbus-1/services
Build with NetworkManager..... : no
SSL Library/Libraries......... : Mozilla NSS and GnuTLS
Build with Cyrus SASL support. : no
Use kerberos 4 with zephyr.... : no
Use external libzephyr........ : no
Has you....................... : yes

Use XScreenSaver Extension.... : yes
Use X Session Management...... : yes
Use startup notification...... : yes
Build with GtkSpell support... : yes

Build with plugin support..... : yes
Build with Mono support....... : no
Build with Perl support....... : yes
Build with Tcl support........ : yes
Build with Tk support......... : yes

Print debugging messages...... : no

So, evidently the built in SASL stuff that the pidgin team wrote, works with gsasl and Cyrus SASL doesn't, go figure.

Cheers,
JJC

Updated InProtect 0.22.5JC Patch

Thanks to all that have been installing and using the patch, I will continue to work on items and release updates, please provide any suggestions / requests etc as you have them...

I have just fixed a bug that manifested in certain installs w/ specific php.ini options. The download links are the same but I'll still provide them...there is a new md5sum for the file though since I modified some things and repackaged.

Credit to progma in #inprotect for finding the bug!

New MD5 (InProtect_0.22.5JC.tar.gz) = cef93620ebaef7d4f2406e6133ff6e4e

Download Here
MD5 Verification

Enjoy,
JJC

InProtect 0.22.5JC Patch

So, finally I threw something together that should get your InProtect into a more shiny and multi-user friendly version. Granted I did not have a ton of time to properly package and document everything but it is what it is right now.

The download location is listed below.

0.22.5JC patch includes the following updates but is not limited to them

• Report enhancements (additional pdf reports for only serious, critical, medium and low vulns)
• User Group capabilities (notes on this will be posted at http://global-security.blogspot.com)
• Reports viewing (give non-administrative users the capability to see other reports, either globally or based on their group membership)
• Report limiting on the report screen (sort by 5, 10 or 20 results at a time, for those larger and more frequently scanned nets)
• Set jpgraph options to use AA for prettier charts / graphs (this will run a bit slower, I'm not gonna lie but it's better!)
• * Removed the "informational" findings from the stats on the Main page.

I'll be writing more on the specific functions and how to use them shortly. Also in the next small patch will be the database optimizations as well as page loading splash for those impatient multi-clickers in your organization.

Download Here
MD5 Verification

Please test this out (backup your stuff first) and let me know what you think etc... I can be found lurking around #inprotect on irc.freenode.net or post a comment here!

Cheers,
JJC

Pending InProtect Patch

Despite multiple attempts over the past 6 months to contact the team that is developing the InProtect (Nessus frontend) project, I have been unsuccessful. Resulting from this, I have built some modifications that I'll be releasing within the next week in the form of a patch that contains the following enhancements:

• Database optimizations for enhanced performance
  
• Report enhancements (additional pdf reports)
  
• User Group capabilities
• Reports viewing (give non-administrative users the capability to see other reports, either globally or based on their group membership)
• Report limiting on the report screen (sort by 5, 10 or 20 results at a time, for those larger and more frequently scanned nets)
• A few more things that will be in the rel documentation...

Please feel free to join us on irc.freenode.net in #inprotect to answer any questions, or if you would like to beta-test the patch prior to it's release. Also, if you have any contrib that you would like added, please come to #inprotect and we can discuss.

Regards,
JJC

HeX LiveCD 1.0 Beta 2

The rawpacket.org team has released Beta 2 of Hex LiveCD 1.0 The only real update / difference is that chl4gs_ has added the BSD Installer and that MetaSploit is now included in this version.

Boot up the LiveCD and "su" to root and type "installer" or "sudo installer" to start the installation. cpdup might take 10-30 minutes depending on you CDROM drive speed.

The only problem is BSD installer ncurses looks a bit weired under X. We still have no solution/workaround to that. However that shouldn't affect the installation process.

More information can be found at the rawpacket site, or from geek00l. I have included US based download mirrors in addition to the Malaysia site.

Malaysia Site | MD5
US Mirror 1 | MD5
US Mirror 2 | MD5

Cheers,
JJC