I am developing a node.js/express server application on Debian platform. I need to allow users to view and, importantly, change basic network settings: static/IP vs. auto/DHCP. I suppose I could use (and write the supporting code for):
cp.exec('ifconfig', function (err, ifConfigOut, stderr)
But I was wondering what the best practices are for doing this and if there was a recommended npm module (didn't seem to find any active ones)?
Short answer, given the lack of responses and my googling: there appears to be no 'de facto' node module that provides the necessary services for managing network interfaces. I did find two that had some promise but are incomplete: https://github.com/FGRibreau/network-config and https://www.npmjs.com/package/ife.
EDIT: Of course you can always use https://nodejs.org/api/os.html#os_os_networkinterfaces to view existing interfaces, but if you want to change anything, core node does not appear to have the functionality.
Maybe is a bit past the expiration date, but here's my take on it:
The main problem on writing it using in-built config tools like "ifconfig" is that many modern OSes are bypassing ifconfig for other modules (like netplan) so you may find that upgrading the system breaks your network config app, like it happened to me (I wrote a parser for the /network/interfaces but now I have to modify it for netplan).
node-ife brings interface management for Linux, BSD and MacOS (does not work on windows though) that is not dependent on OS config tools, but doesn't seem to be compatible with Node 10, and seems to be a bit dead. Wireless tools, though the name is a bit misleading, seems to incorporate ifconfig capabilities that may suit you better
Related
I'm looking for a way to output traces to a log file in my code, which runs on linux.
I don't want to include the printing information in the binary, in every place I deploy it.
It windows, I simply used WPP to trace without putting the actual traces strings in my binary.
How can this by achieved in Linux?
I'm not very familiar with Linux tools in this area, so maybe there is a better system. However, since nobody else has made any good suggestions, I'll make a suggestion. (Probably not a very good suggestion, but the best I can think of right now.)
In theory, you could continue to use wpp. Wpp is simply a template system. It scans the configuration and input files to create data structures. Then it runs a template, fills in the data values it got from the scan, producing the tmh files. You could create a new set of templates that would use Linux apis instead of Windows apis, and would record the message strings in a way that works with some other log decoder system.
I noticed this question only now and would like to add my two cents to the story just for a case. Personally, I truly appreciate Windows WPP Tracing and consider it probably the best engineering solution for practical development troubleshooting among similar tools.
It happened I extended WPP use to Unix-like platforms twice. We wanted to use strong sides of WPP concept in general and yet use it in a multi-platform pieces of code. This was not a porting but rather a wrapper to specific WPP use we configured on Windows. One time we had a web service to perform actual WPP pre-processing on Windows; it may sound a bit insane but it worked fine and effective within the local network. A wrapper script that was executed before each compilation sent a web request, got a processed file and post-processed the generated include file to make it suitable for Unix-like platforms. The second time we implemented a simplified WPP pre-processor of our own (we found yet additional use for it - we could generate the tracing statements differently for production and unit testing, for example). This was a harsh solution: you anyway need to use some physical tracing framework behind the wrapper on non-Windows platform (well, the first time we apparently implemented our own lower level).
I do not think the Linux world has a framework comparable to WPP. Once I even thought it could be a great idea to make an open source porting project for WPP. I am not sure it would be much requested though. I said it is a great engineering solution. But who wants to do dirty engineering work? Open source community prefer abstract object-oriented and generic solutions, streaming and less necessity in corresponding tools (WPP requires special management tools and OS support).Ease of code writing is the today's choice.
There could be Microsoft fault (or unwillingness) in the lack of WPP popularity too. They kept it as an internal framework that came out just by a case with Windows DDK because they have to offer some logging/tracing solution for driver developers. Nobody even noticed much that WPP is well suitable for the user-space code too. And WPP pre-processor for C#, for example, has never been exposed to public at all.
Nevertheless, I still think that WPP porting to Unix/Linux work can be a challenging, interesting and maybe even useful attempt. If someone decides to lead it. :)
I've been using the MonoTorrent library for a couple of weeks now and am looking for any kind of feedback or recommended alternatives.
The only issue I have with the library so far is that it is MUCH slower than uTorrent, I am not sure if this is a configuration issue or whether it doesnt support a required feature etc, but I require higher speeds for my needs and I found that for the exact same file I can get a major difference (times 100) in terms of the numbers of seeders and speeds.
I wanted to give libtorrent a try as well but have not been able to even compile the windows dll, let alone write the required code to use it :-)
I probably don't know much about the history of the torrent protocol but found it strange to find so little support in the C#/.Net world.
Was even considering wrapping the uTorrent client somehow, but it might be 'frowned upon' lol
Ended up using the libtorrent C++ library (running on a seperate process with added REST api to communicate with the main program) it works well and the torrent performance is excellent.
I'd like to sandbox a native code and use hooking of WinAPI and system functions to block or allow this program to perform some operations like reading/writing files, modify Windows registry, using an Internet connection. Is it a good and secure way to do so? How difficult would it be for that program to bypass such a security layer?
I've checked your questions and they all are related to the task that seems to be invalid from the very beginning, and here's why: you are trying to secure one application and you are ready to reinvent the wheel for this. There exist several approaches (and many ready-made solutions) to solve your problem. So instead of coding you need to look at existing solutions.
The approaches are:
use Windows permissions to restrict
access of your application to
resources
take take VMWare or Parallels or
other virtualization platform and
run your program there
take sandboxing SDK (such as
BoxedApp) and "wrap" your
application.
+1 to Hans, however if you are really into it then I can recommend Easyhook. I have personally used it successfully in Win XP, Vista and 7. I don't know how bypassable it is but other alternatives do exist - madSHI hooks, and, if you want to go the official way, try Detours from Microsoft.
Antivirus apps try to solve nearly the same problem, without much success.
1. You'd never know how even most common operations can be used.
2. There're syscalls, so the program doesn't have to use winapi at all.
I am aware of the Hardened Linux from Scratch project which is a project that provides you with step-by-step instructions for building your own customized and hardened Linux system entirely from source. I would like to know what is the equivalent in BSD?
As Richard said OpenBSD is definitely worth a go, it is my #1 choice for everything that is dedicated for firewalls and gateways. For other services I tend to stick to FreeBSD although there is no obvious reason for it just a personal preference.
But I would like to point out that the from 'scratch part' concept if you want to do more secure hosting of a service can be much better done using Jails. In essence you create a limited FreeBSD environment on an a full FreeBSD install. In that limited environment you only copy/link those binaries and files that the service requires to run.
Because the hosted service has no access to any other files/binaries, all the potential security flaws in those things aren't open to exploit. If by chance your application gets 'rooted' it will not go beyond the boundaries of the jail.
See it like a sandbox on steroids with neglectable performance penalties.
OpenBSD is hardened "by default" from the installation. Only the admin opens it up... component by component.
[UPDATE] while I have not read the document for hardening linux... some of the same things might apply... for example they both use OpenSSH so the strategies would be the same. So where there is module overlap the same would apply.
You don't really do bsd 'from scratch'. All of the major projects come with a complete system in a single source repository so you're not grabbing a kernel from here, binutils and compiler from over there and c libraries and standard utilities from somewhere else and X from yet another place.
They are generally easier to get all the source for and to rebuild the entire system than your average linux distro, but that's not really customizing anything.
You could try to do something nuts, like perhaps trying to get the OpenBSD userland to run on a NetBSD kernel with FreeBSD ports, but you'd be on your own and it certainly wouldn't be 'hardened'.
HardenedBSD is a fork of the FreeBSD project with the aim of implementing PIE, RELRO, SAFESTACK, CFIHARDEN. Some goals are there, others are extreme-WIP. I wouldn't consider it as "ready for production" yet, but usable as desktop (also depends on production env requirements).
Repo: https://github.com/HardenedBSD
Everything, including "make buildworld/buildkernel" is the same as on FreeBSD and the Handbook does a good job of explaining this. You'll have a bit of reading to do though even coming from linux-land. Building your own ports is an entire topic in it's self.
Re jails, the statement is not entirely correct. While certainly adding an important security layer, Unix systems (IDK about Linux) [quoting here] "lack kernel exploit mitigations. If an attacker gains access to a jail, it's not too much work to pivot to other jails or escalate privileges via a kernel exploit." Don't misunderstand me, I place almost every service in a jail as much possible.
As to "Hardened by default" comment: It's all in the sysctl settings which can be tweaked on every *BSD flavor, but sec measures are pretty much useless if the sysadmin does not take time to read the docs.
If you are interested, your homework: https://www.freebsd.org/doc/handbook/
I was thinking about this the other day and wanted to see what the SO community had to say about the subject.
As it stands right now Common Lisp is getting some attention as a web development platform, and with good reason (of which I'm sure you are already convinced).
I was wondering how one would go about using a library in a shared environment in a similar fashion to PHP.
If I set up something like SBCL as an interperter to interpret FASL files like Python or PHP, what would be the best way to use libraries (like clsql for instance).
Most come as asdf installable libraries, but it would be a stupid amount of overhead to require and install the library each and every time a request is made.
Keeping in mind this is for shared hosting; would it be best to ..
1) Install system wide copies of the libraries for use in applications; reduces space, but there may be problems with using the correct version of the library.
2) Allow users (through a control panel) to install local copies for themselves; more space, no version problems.
3) Tell them to wrap it into a module and load it on demand like Python does (I'm not sure if/how this can be done with Lisp). Just being able to load a library for use would be the best option, but I don't think a lot of them are designed to be used this way.
Anyways, looking to hear your opinions, thanks.
There are two ways I would look at it:
start a Lisp for each request
This way it would be much better that the Lisp is a saved image with all necessary libraries and data loaded. But that approach does not look very promising to me.
run a Lisp and let a frontend (web browser, another web server, ...) connect to it
This way you can either start a saved image or a Lisp that loads a bunch of stuff once and serves the requests.
I like to use saved images/applications in a deployment scenario. They can be quickly started, contain all the necessary software and are independent of library changes.
So it might be useful to provide pre-configured Lisp images that contain the necessary software or let the user configure and save an image.