[Server-devel] Ceibal scripts explained

Greg Smith (gregmsmi) gregmsmi at cisco.com
Mon Feb 18 11:47:06 EST 2008


Hi Tony and Ivan,
 
Thanks for the nice write up! That saves me a lot of time.
 
I understand we don't want to use this security implementation. Still,
the more examples of scripts we can see the better. If it's a security
issue then don't post them.  Otherwise we need to see best practices or
even rejected ideas, if not for security or SSO, then for backup of XOs,
config of default home page in the XO browser, and any other ideas.
 
Aside from tracking the XOs, one new idea stands out here. You can see
if the XO is connecting via Mesh or Wifi and you can pick which AP it
connects to. That may come in handy as we try to test and protect the
mesh from overload.
 
Also, I wonder why they use USB sticks instead of having a script on the
server log in, configure it, then log out. That seems more efficient
when configuring thousands of devices but maybe there's a good reason
it's not done.
 
I noticed Walter mentioned in the weekly news that Pakistan and South
Africa will bring up school servers soon. It would be very helpful to
see any proposed install and configure scripts from there too. 
 
Thanks,
 
Greg S
 
________________________________

From: Tony Pearson [mailto:tpearson at us.ibm.com] 
Sent: Sunday, February 17, 2008 11:43 AM
To: Greg Smith (gregmsmi)
Cc: sulochan acharya; server-devel at lists.laptop.org
Subject: Ceibal scripts explained


Greg wrote: 
> Did anyone get a chance to read the Ceibal scripts
> (http://dev.laptop.org/git?p=projects/ceibal-scripts;a=tree)? I tried to
> scan them. I think they grab the MAC address of the XO, register it (hash
> it?), then watch connections to the XS and can block XOs when needed. We
> may be able to use the MAC address/registration key stuff to create user
> specific directories for backup but not sure you need to block XOs.
>
> Tony, if you get a chance to summarize what they are doing briefly that
> would be interesting. It's the sed and awk more than the Spanish that
> makes it hard for me to understand :-) 

Greg, 
You are lucky I read both "Spanish" and "bash" fluently. 

Here goes: 

It appears that these five files would be on a USB stick to be applied
against 
an XO laptop to customize it. 

install --- 
        This program creates directories and copies the other USB files
over to the right spots 
        (actualizador and policia are copied into /home/local/bin
directory) 
        It schedules "actualizador" to run every 15 minutes in CRON
scheduler. 
        It adds "python monitoreo.py &" to rc.local to run as a started
background task at boot 
        It installs the gnupg encryption program and imports an
actualizador key 
        It adds "service NetworkManagerDispatcher start" as part of the
rc.local boot sequence 
        It computes a date approximately one month term into the future
and saves as "plazo" 

        The "sed" is the stream editor, and this line inserts a new line
into /etc/rc after "set -m" near 
        the top of the file.  This will run /home/local/bin/policia at
boot startup time. 

        actualizador --> updater 
        plazo --> term 
        seguridad --> security 
        policia --> police 

actualizador --- 
        create a working directory /home/local/actualizaciones 
        creates an empty log file, or if log file exists, erases it and
makes it empty 
        sets the Serial number "serie" to the serial number of this XO
laptop it is running on. 

        Note: you can embed python language into a bash shell using the
following technique 
        /usr/bin/python << MARKER 
        === python code === 
        MARKER 

        Checks to see if this was already run today, if so quit.
Basically, if you turned on your 
        XO in the morning, shut down for lunch, then restarted it, won't
go through this a second 
        time.   

        /sbin/ip route issues two lines.  On my XO laptop it says: 

        172.18.10.0/23 dev msh0 proto kernel scope link src
172.18.11.254 
        default via 172.18.10.1 dev msh0 

        The script checks if the line containing "default" also contains
"eth0" if not, quit.   

        It pings server (172.18.10.1) for 20 packets.  If this fails,
quit. 

        Find an IPv4 address in eth0.  In my case, eth0 has only IPv6,
and msh0 has both. 

        wget to download the server's "plazo" and copy to this XO's
local /home/local/seguridad/plazo file. 

        Downloads the black-list unique to this XO's laptop serial
number, and confirms using GPG. 
        if the GPG confirmation fails, quits.  If it is successful, the
machine is blacklisted, and shuts down. 

        wget download file /actualizaciones/actualizaciones (updates).
If not found, quits. 
        If the file was downloaded, N_ACT is set to the number of lines
in the file.  For each line, 
        if the "version" on the line is greater than the XO's current
version, save it in /tmp/instalables file. 
        If the XO is already at the latest version, no newer updates
found, then quit. 

        For each version xxxxx  that is more recent version, download
ceibal-xxxxx.tar.gz and sig files. 
        Use "GPG" to confirm sig file.  If correct, untar the file in
/tmp/actualizaciones directory 
        Unless file indicates "noinstall" run the "instalar" to process
the update, and update the XO's 
        current version to match the version just installed. 

        Telnet back to the server, reporting this XO's MAC, Updated
Version and Serial number. 


monitoreo.py -- 

        The purpose of this is to telnet to port 5000 on the nameserver
found in /etc/resolv.conf 
        Check to see if the connection is made via eth0 (Wi-Fi) or msh0
(Mesh).   The telnet sends 
        information about the XO laptop to the server, sleeps for 10
minutes, then does it again. 

policia --- 
        If this XO laptop was identified to be black-listed, display the
"maqbloq" banner file and 
        perform the following:  scan all networks accessible through
eth0.  For each one where 
        encryption is off, save the ESSid, Channel, and Signal power
level.  In my case, I had 
        ESSid "school-mesh-0" Channel 1 and Signal power =27 dBm.  It
also found my neighbor's 
        ESSid "Apple Network" Channel 1 and Signal power=87 dBm but that
was encrypted. 

        For each un-encrypted channel, create file /tmp/ap0 ap1, ap2,
ap3, etc. 
        Find the connection with the strongest signal (lowest dBm = best
signal) 

        For the strongest signal, save the ESSid and Channel from above.

        Use "iwconfig" to set eth0 to this ESSid and channel. (I imagine
this is the equivalent of 
        finding the strongest signal on Neighborhood screen and
selecting it) 

        Determine the school server, if not found, shut down this XO
laptop. 
        Otherwise, try to ping the server, and if successful, send the
XO's MAC, Serial Number and 
        Access point information.  Then shutdown. 

        If we were not black-listed, check the "term" date in PLAZO.
This was the future date set 
        in "Install" above as a future date 30 days from now, so if
today is beyond that date, it is 
        time to block the machine.  A telnet to the schoolserver via
port 5000 provides the MAC 
        address, serial number and AP, with the "GETBLOCKED" identifier.


So, Greg, you were correct.  It was reporting the MAC and Serial Number
of each XO that connects 
to the school server.  There is an option to provide automatic file
updates, and options to block out 
XO laptops.  However, this only works for laptops that actually have
this code installed on them. 
A regular XO would not be running these scripts, and would therefore never
be blocked nor updated.  The 
status of being blacklisted is stored on the XO itself, so it is simply a
matter of editing that particular file 
from "1" to "0". 

If we can combine the Mac/SN with the Nickname stored in Sugar, we might
have something to work 
with here. 



	Tony Pearson
Senior Storage Consultant, IBM System Storage(tm)
Telephone: +1 520-799-4309 |  tie 321-4309 |  Cell: +1 520 990-8669
email: tpearson at us.ibm.com |  GSA: http://tucgsa.ibm.com/~tpearson
Blog: http://www.ibm.com/developerworks/blogs/page/InsideSystemStorage
AKA: 990tony Paravane, eightbar specialist 
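The update-fetch half of "actualizador" that Tony walks through above (default-route check, version comparison against the downloaded update list, GPG verification before untarring), written out as an added example. This is not code from the Ceibal scripts or from either poster; it is a reconstruction of the steps as described, with each check as its own function so it can be run on constructed sample data. Assumptions not taken from the original: the update list is one "version<TAB>archive" line per update with integer versions, the signatures are detached GPG signatures, and the verifying key lives in a dedicated keyring rather than the user's default one. The archive-member check is an addition the original description does not mention.

```bash
#!/bin/bash
# Added example, not one of the Ceibal scripts: the update-fetch logic
# Tony describes for "actualizador", with each check as a function.
# Assumptions (not from the original scripts): the update list is one
# "version<TAB>archive" line per update with integer versions; signatures
# are detached GPG signatures verified against a dedicated keyring.

# Device that carries the default route. Reads `ip route` output on stdin.
# actualizador quits unless this is eth0, so a mesh default route (as on
# Tony's XO, where it was msh0) means no update attempt.
default_iface() {
    awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Entries of the update list whose version is newer than the installed one.
# Reads the list on stdin; $1 is the XO's current version (integer, assumed).
newer_updates() {
    local tab
    tab=$(printf '\t')
    awk -F "$tab" -v cur="$1" '($1 + 0) > (cur + 0) { print }'
}

# Verify a detached signature against a pinned keyring only. A separate
# keyring (not the user's default one) means a key imported for some other
# purpose cannot sign updates. gpg exits 0 for a good signature from *any*
# key in that keyring, so keep the keyring to the one update-signing key.
verify_update() {
    local archive="$1" sig="$2" keyring="$3"
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$archive" >/dev/null 2>&1
}

# Refuse archives whose member names escape the extraction directory
# (absolute paths or ".." components). Reads `tar -tzf` output on stdin.
# Exit status 0 = safe, 1 = at least one unsafe member. Run this after the
# signature check and before the untar.
tar_members_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# The offline parts of the pipeline run against constructed sample data
# (no downloads, no gpg call here).
demo() {
    # Constructed `ip route` output, modelled on the two lines Tony quoted.
    local routes
    routes=$(printf '172.18.10.0/23 dev msh0 proto kernel scope link src 172.18.11.254\ndefault via 172.18.10.1 dev msh0\n')
    echo "default route device: $(printf '%s\n' "$routes" | default_iface)"

    # Constructed update list, and an XO currently at version 20080101.
    local list
    list=$(printf '20080101\tceibal-20080101.tar.gz\n20080215\tceibal-20080215.tar.gz\n')
    echo "pending updates:"
    printf '%s\n' "$list" | newer_updates 20080101

    # Constructed archive listings, as `tar -tzf` would print them.
    if printf 'bin/actualizador\nbin/policia\n' | tar_members_safe; then
        echo "archive 1: safe to extract"
    fi
    if ! printf 'bin/policia\n../../etc/rc.local\n' | tar_members_safe; then
        echo "archive 2: refused (member escapes the target directory)"
    fi
}

demo
```

In a real run, `verify_update` sits between the download and `tar_members_safe`: fetch `ceibal-<version>.tar.gz` and its `.sig`, verify, list the members, extract only if both checks pass, and only then run the update's install step. None of this changes the weakness Tony points out at the end of his message: the blacklisted flag is a local file the XO's owner can edit.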

