[Server-devel] Ceibal scripts explained
Tony Pearson
tpearson at us.ibm.com
Sun Feb 17 11:42:44 EST 2008
Greg wrote:
>Did anyone get a chance to read the Ceibal scripts
>(http://dev.laptop.org/git?p=projects/ceibal-scripts;a=tree)? I tried to
>scan them. I think they grab the MAC address of the XO, register it (hash
>it?), then watch connections to the XS and can block XOs when needed. We
>may be able to use the MAC address/registration key stuff to create user
>specific directories for backup, but not sure you need to block XOs.
>Tony, if you get a chance to summarize what they are doing briefly that
>would be interesting. It's the sed and awk more than the Spanish that
>makes it hard for me to understand :-)
Greg,
You are lucky I read both "Spanish" and "bash" fluently.
Here goes:
It appears that these five files would be on a USB stick to be applied
against an XO laptop to customize it.

install ---
This program creates directories and copies the other USB files over to the right spots
(actualizador and policia are copied into the /home/local/bin directory).
It schedules "actualizador" to run every 15 minutes in the CRON scheduler.
It adds "python monitoreo.py &" to rc.local to run as a background task started at boot.
It installs the gnupg encryption program and imports an actualizador key.
It adds "service NetworkManagerDispatcher start" as part of the rc.local boot sequence.
It computes a date approximately one month term into the future and saves it as "plazo".
The "sed" is the stream editor, and this line inserts a new line into /etc/rc after "set -m" near
the top of the file. This will run /home/local/bin/policia at boot startup time.
actualizador --> updater
plazo --> term
seguridad --> security
policia --> police
actualizador ---
Creates a working directory /home/local/actualizaciones.
Creates an empty log file, or if the log file exists, erases it and makes it empty.
Sets the serial number "serie" to the serial number of the XO laptop it is running on.
Note: you can embed Python code in a bash shell script using the following technique:
/usr/bin/python << MARKER
=== python code ===
MARKER
Checks to see if this was already run today; if so, quit. Basically, if you turned on your
XO in the morning, shut down for lunch, then restarted it, it won't go through this a second time.
/sbin/ip route issues two lines. On my XO laptop it says:
172.18.10.0/23 dev msh0 proto kernel scope link src 172.18.11.254
default via 172.18.10.1 dev msh0
The script checks if the line containing "default" also contains "eth0"; if not, quit.
It pings the server (172.18.10.1) for 20 packets. If this fails, quit.
Find an IPv4 address in eth0. In my case, eth0 has only IPv6, and msh0 has both.
wget to download the server's "plazo" and copy it to this XO's local /home/local/seguridad/plazo file.
Downloads the black-list unique to this XO laptop's serial number, and confirms it using GPG.
If the GPG confirmation fails, quits. If it is successful, the machine is blacklisted, and shuts down.
wget downloads the file /actualizaciones/actualizaciones (updates). If not found, quits.
If the file was downloaded, N_ACT is set to the number of lines in the file. For each line,
if the "version" on the line is greater than the XO's current version, save it in the /tmp/instalables file.
If the XO is already at the latest version, no newer updates found, then quit.
For each version xxxxx that is a more recent version, download ceibal-xxxxx.tar.gz and sig files.
Use "GPG" to confirm the sig file. If correct, untar the file in the /tmp/actualizaciones directory.
Unless the file indicates "noinstall", run "instalar" to process the update, and update the XO's
current version to match the version just installed.
Telnet back to the server, reporting this XO's MAC, updated version and serial number.
monitoreo.py --
The purpose of this is to telnet to port 5000 on the nameserver found in /etc/resolv.conf.
Check to see if the connection is made via eth0 (Wi-Fi) or msh0 (Mesh). The telnet sends
information about the XO laptop to the server, sleeps for 10 minutes, then does it again.

policia ---
If this XO laptop was identified to be black-listed, display the "maqbloq" banner file and
perform the following: scan all networks accessible through eth0. For each one where
encryption is off, save the ESSID, channel, and signal power level. In my case, I had
ESSID "school-mesh-0", Channel 1 and Signal power = 27 dBm. It also found my neighbor's
ESSID "Apple Network", Channel 1 and Signal power = 87 dBm, but that was encrypted.
For each un-encrypted channel, create file /tmp/ap0, ap1, ap2, ap3, etc.
Find the connection with the strongest signal (lowest dBm = best signal).
For the strongest signal, save the ESSID and channel from above.
Use "iwconfig" to set eth0 to this ESSID and channel. (I imagine this is the equivalent of
finding the strongest signal on the Neighborhood screen and selecting it.)
Determine the school server; if not found, shut down this XO laptop.
Otherwise, try to ping the server, and if successful, send the XO's MAC, serial number and
access point information. Then shut down.
If we were not black-listed, check the "term" date in PLAZO. This was the future date set
in "install" above as a future date 30 days from now, so if today is beyond that date, it is
time to block the machine. A telnet to the school server via port 5000 provides the MAC
address, serial number and AP, with the "GETBLOCKED" identifier.
So, Greg, you were correct. It was reporting the MAC and serial number of each XO that connects
to the school server. There is an option to provide automatic file updates, and options to block out
XO laptops. However, this only works for laptops that actually have this code installed on them.
A regular XO would not be running these scripts, and therefore would never be blocked nor updated. The
status of being blacklisted is stored on the XO itself, so it is simply a matter of editing that particular file
from "1" to "0".
If we can combine the MAC/SN with the nickname stored in Sugar, we might have something to work
with here.
Tony Pearson
Senior Storage Consultant, IBM System Storage
Telephone: +1 520-799-4309 | tie 321-4309 | Cell: +1 520 990-8669
email: tpearson at us.ibm.com | GSA: http://tucgsa.ibm.com/~tpearson
Blog: http://www.ibm.com/developerworks/blogs/page/InsideSystemStorage
AKA: 990tony Paravane, eightbar specialist
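As an added illustration (not the Ceibal scripts themselves), here are the actualizador decision steps summarized above, rewritten as small bash functions over constructed sample input: picking the device on the default route out of "ip route" output, selecting the update versions newer than the installed one, verifying a GPG signature before untarring, and the awk equivalent of the install script's sed insertion after "set -m". Version numbers are assumed to be plain integers; the Ceibal format is not shown in the post.

```bash
#!/bin/bash
# Added example; not code from the Ceibal repository.

# Constructed sample of "/sbin/ip route" output, as quoted in the post.
IP_ROUTE_SAMPLE='172.18.10.0/23 dev msh0 proto kernel scope link src 172.18.11.254
default via 172.18.10.1 dev msh0'

# Print the interface carrying the default route (the token after "dev").
default_route_dev() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1) }'
}

# Constructed "actualizaciones" list: one version per line (assumed integer build numbers).
UPDATES_SAMPLE='101
102
105
99'

# Print, ascending, every listed version greater than the current one ($1).
newer_versions() {
    printf '%s\n' "$2" | awk -v cur="$1" '$1 + 0 > cur + 0 { print $1 }' | sort -n
}

# Verify the detached signature first; tar runs only if gpg exits 0.
# Needs gpg on the PATH and the signer's public key already imported.
verify_then_untar() {
    gpg --verify "$1.sig" "$1" || return 1
    tar -xzf "$1" -C "$2"
}

# Constructed fragment standing in for the top of /etc/rc.
RC_SAMPLE='#!/bin/sh
set -m
echo boot'

# Insert the policia line after the first "set -m" line, as the install script does.
insert_policia_after_set_m() {
    printf '%s\n' "$1" |
        awk '{ print } /^set -m/ && !done { print "/home/local/bin/policia"; done = 1 }'
}
```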