<br><tt><font size=2>Greg wrote:</font></tt>
<br><tt><font size=2>>Did anyone get a chance to read the Ceibal scripts<br>
>(http://dev.laptop.org/git?p=projects/ceibal-scripts;a=tree)? I tried to<br>
>scan them. I think they grab the MAC address of the XO, register it (hash<br>
>it?), then watch connections to the XS and can block XOs when needed. We<br>
>may be able to use the MAC address/registration key stuff to create user<br>
>specific directories for backup but not sure you need to block XOs.<br>
<br>
>Tony, if you get a chance to summarize what they are doing briefly that<br>
>would be interesting. It's the sed and awk more than the Spanish that<br>
>makes it hard for me to understand :-)</font></tt>
<br>
<br><font size=2 face="sans-serif">Greg,</font>
<br><font size=2 face="sans-serif">You are lucky I read both "Spanish"
and "bash" fluently.</font>
<br>
<br><font size=2 face="sans-serif">Here goes:</font>
<br>
<br><font size=2 face="sans-serif">It appears that these five files would
be on a USB stick to be applied against</font>
<br><font size=2 face="sans-serif">an XO laptop to customize it.</font>
<br>
<br><font size=2 face="sans-serif">install ---</font>
<br><font size=2 face="sans-serif"> This
program creates directories and copies the other USB files over to the
right spots</font>
<br><font size=2 face="sans-serif"> (actualizador and policia are copied into the /home/local/bin directory)</font>
<br><font size=2 face="sans-serif"> It
schedules "actualizador" to run every 15 minutes in CRON scheduler.</font>
<br><font size=2 face="sans-serif"> It
adds "python monitoreo.py &" to rc.local to run as a started
background task at boot</font>
<br><font size=2 face="sans-serif"> It
installs the gnupg encryption program and imports an actualizador key</font>
<br><font size=2 face="sans-serif"> It
adds "service NetworkManagerDispatcher start" as part of the
rc.local boot sequence</font>
<br><font size=2 face="sans-serif"> It
computes a date approximately one month term into the future and saves
as "plazo"</font>
<br>
<br><font size=2 face="sans-serif"> The
"sed" is the stream editor, and this line inserts a new line
into /etc/rc after "set -m" near</font>
<br><font size=2 face="sans-serif"> the
top of the file. This will run /home/local/bin/policia at boot startup
time.</font>
<br>
<br><font size=2 face="sans-serif"> actualizador
--> updater</font>
<br><font size=2 face="sans-serif"> plazo
--> term</font>
<br><font size=2 face="sans-serif"> seguridad
--> security</font>
<br><font size=2 face="sans-serif"> policia
--> police</font>
<br>
<br><font size=2 face="sans-serif">actualizador ---</font>
<br><font size=2 face="sans-serif"> create
a working directory /home/local/actualizaciones</font>
<br><font size=2 face="sans-serif"> creates an empty log file, or if the log file exists, erases it and makes it empty</font>
<br><font size=2 face="sans-serif"> sets
the Serial number "serie" to the serial number of this XO laptop
it is running on.</font>
<br>
<br><font size=2 face="sans-serif"> Note:
you can embed python language into a bash shell using the following technique</font>
<br><font size=2 face="sans-serif"> /usr/bin/python
<< MARKER</font>
<br><font size=2 face="sans-serif"> ===
python code ===</font>
<br><font size=2 face="sans-serif"> MARKER</font>
<br>
<br><font size=2 face="sans-serif"> Checks to see if this was already run today; if so, quit. Basically, if you turned on your</font>
<br><font size=2 face="sans-serif"> XO in the morning, shut down for lunch, then restarted it, it won't go through this a second</font>
<br><font size=2 face="sans-serif"> time.</font>
<br>
<br><font size=2 face="sans-serif"> /sbin/ip
route issues two lines. On my XO laptop it says:</font>
<br>
<br><font size=2 face="sans-serif"> 172.18.10.0/23
dev msh0 proto kernel scope link src 172.18.11.254</font>
<br><font size=2 face="sans-serif"> default
via 172.18.10.1 dev msh0</font>
<br>
<br><font size=2 face="sans-serif"> The script checks if the line containing "default" also contains "eth0"; if not, quit.</font>
<br>
<br><font size=2 face="sans-serif"> It
pings server (172.18.10.1) for 20 packets. If this fails, quit.</font>
<br>
<br><font size=2 face="sans-serif"> Find
an IPv4 address in eth0. In my case, eth0 has only IPv6, and msh0
has both.</font>
<br>
<br><font size=2 face="sans-serif"> wget
to download the server's "plazo" and copy to this XO's local
/home/local/seguridad/plazo file.</font>
<br>
<br><font size=2 face="sans-serif"> Downloads
the black-list unique to this XO's laptop serial number, and confirms using
GPG.</font>
<br><font size=2 face="sans-serif"> If the GPG confirmation fails, it quits. If it is successful, the machine is blacklisted and shuts down.</font>
<br>
<br><font size=2 face="sans-serif"> wget downloads the file /actualizaciones/actualizaciones (updates). If not found, it quits.</font>
<br><font size=2 face="sans-serif"> If the file was downloaded, N_ACT is set to the number of lines in the file. For each line,</font>
<br><font size=2 face="sans-serif"> if the "version" on the line is greater than the XO's current version, save it in the /tmp/instalables file.</font>
<br><font size=2 face="sans-serif"> If the XO is already at the latest version (no newer updates found), then quit.</font>
<br>
<br><font size=2 face="sans-serif"> For
each version xxxxx that is more recent version, download ceibal-xxxxx.tar.gz
and sig files.</font>
<br><font size=2 face="sans-serif"> Use
"GPG" to confirm sig file. If correct, untar the file in
/tmp/actualizaciones directory</font>
<br><font size=2 face="sans-serif"> Unless the file indicates "noinstall", run "instalar" to process the update, and update the XO's</font>
<br><font size=2 face="sans-serif"> current version to match the version just installed.</font>
<br>
<br><font size=2 face="sans-serif"> Telnet
back to the server, reporting this XO's MAC, Updated Version and Serial
number.</font>
<br>
<br>
<br><font size=2 face="sans-serif">monitoreo.py --</font>
<br>
<br><font size=2 face="sans-serif"> The
purpose of this is to telnet to port 5000 on the nameserver found in /etc/resolv.conf</font>
<br><font size=2 face="sans-serif"> Check
to see if the connection is made via eth0 (Wi-Fi) or msh0 (Mesh).
The telnet sends</font>
<br><font size=2 face="sans-serif"> information
about the XO laptop to the server, sleeps for 10 minutes, then does it
again.</font>
<br>
<br><font size=2 face="sans-serif">policia ---</font>
<br><font size=2 face="sans-serif"> If
this XO laptop was identified to be black-listed, display the "maqbloq"
banner file and</font>
<br><font size=2 face="sans-serif"> perform
the following: scan all networks accessible through eth0. For
each one where</font>
<br><font size=2 face="sans-serif"> encryption
is off, save the ESSid, Channel, and Signal power level. In my case,
I had</font>
<br><font size=2 face="sans-serif"> ESSid
"school-mesh-0" Channel 1 and Signal power =27 dBm. It
also found my neighbor's</font>
<br><font size=2 face="sans-serif"> ESSid
"Apple Network" Channel 1 and Signal power=87 dBm but that was
encrypted.</font>
<br>
<br><font size=2 face="sans-serif"> For
each un-encrypted channel, create file /tmp/ap0 ap1, ap2, ap3, etc.</font>
<br><font size=2 face="sans-serif"> Find
the connection with the strongest signal (lowest dBm = best signal)</font>
<br>
<br><font size=2 face="sans-serif"> For
the strongest signal, save the ESSid and Channel from above.</font>
<br><font size=2 face="sans-serif"> Use
"iwconfig" to set eth0 to this ESSid and channel. (I imagine
this is the equivalent of</font>
<br><font size=2 face="sans-serif"> finding
the strongest signal on Neighborhood screen and selecting it)</font>
<br>
<br><font size=2 face="sans-serif"> Determine
the school server, if not found, shut down this XO laptop.</font>
<br><font size=2 face="sans-serif"> Otherwise,
try to ping the server, and if successful, send the XO's MAC, Serial Number
and</font>
<br><font size=2 face="sans-serif"> Access
point information. Then shutdown.</font>
<br>
<br><font size=2 face="sans-serif"> If
we were not black-listed, check the "term" date in PLAZO. This
was the future date set</font>
<br><font size=2 face="sans-serif"> in
"Install" above as a future date 30 days from now, so if today
is beyond that date, it is</font>
<br><font size=2 face="sans-serif"> time
to block the machine. A telnet to the schoolserver via port 5000
provides the MAC</font>
<br><font size=2 face="sans-serif"> address,
serial number and AP, with the "GETBLOCKED" identifier.</font>
<br>
<br><font size=2 face="sans-serif">So, Greg, you were correct. It was reporting the MAC and Serial Number of each XO that connects</font>
<br><font size=2 face="sans-serif">to the school server. There is an option to provide automatic file updates, and options to block out</font>
<br><font size=2 face="sans-serif">XO laptops. However, this only works for laptops that actually have this code installed on them.</font>
<br><font size=2 face="sans-serif">A regular XO would not be running these scripts, and therefore would never be blocked nor updated. The</font>
<br><font size=2 face="sans-serif">status of being blacklisted is stored on the XO itself, so it is simply a matter of editing that particular file</font>
<br><font size=2 face="sans-serif">from "1" to "0".</font>
<br>
<br><font size=2 face="sans-serif">If we can combine the Mac/SN with the
Nickname stored in Sugar, we might have something to work</font>
<br><font size=2 face="sans-serif">with here.</font>
<br>
<table>
<tr>
<td><font size=1 color=#0060a0 face="Microsoft Sans Serif"><b>Tony Pearson</b></font><font size=1 face="Microsoft Sans Serif"><br>
Senior Storage Consultant, IBM System Storage™<br>
Telephone: +1 520-799-4309 | tie 321-4309 | Cell: +1 520 990-8669<br>
email: tpearson@us.ibm.com | GSA: http://tucgsa.ibm.com/~tpearson<br>
Blog: http://www.ibm.com/developerworks/blogs/page/InsideSystemStorage<br>
AKA: 990tony Paravane, eightbar specialist</font></td>
</tr>
</table>
<br>
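<br><font size=2 face="sans-serif">The checks that the summary above attributes to actualizador (which interface carries the default route, which listed versions are newer than the installed one, and GPG verification of each tarball before it is unpacked), written out as an added POSIX shell example. This is not the Ceibal scripts' own code: the function names, the constructed "ip route" sample, and the assumption that version lines are plain numbers are all mine, and the real scripts keep their state in files rather than taking arguments.</font>

```shell
#!/bin/sh
# Added example, not the Ceibal scripts: the gating checks described in the
# summary, as small functions that take their input as arguments so they can
# be exercised offline. Function names and input formats are assumptions.

# Constructed sample of `/sbin/ip route` output, in the two-line shape the
# message shows (route for the mesh interface, then the default route).
SAMPLE_ROUTES='172.18.10.0/23 dev msh0 proto kernel scope link src 172.18.11.254
default via 172.18.10.1 dev msh0'

# Print the interface named after "dev" on the "default" line; empty if none.
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Succeed only when the default route leaves through eth0 (Wi-Fi), which is
# the condition the updater requires before it talks to the server.
default_is_eth0() {
    [ "$(default_dev "$1")" = "eth0" ]
}

# Given the downloaded update list (one numeric version per line, assumed)
# and the current version, print the strictly newer versions in ascending
# order; empty output means "already at the latest version, quit".
newer_versions() {
    printf '%s\n' "$1" | awk -v cur="$2" '$1 + 0 > cur + 0 { print $1 }' | sort -n
}

# Unpack one update only after its detached signature verifies against the
# imported actualizador key; a tarball that fails verification is never
# extracted. Requires gpg on the host, so it is not exercised by the checks.
verify_and_extract() {
    tarball=$1; sig=$2; dest=$3
    gpg --verify "$sig" "$tarball" 2>/dev/null || return 1
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# Stand-alone run: report what the sample routes and a sample list yield.
printf 'default route device: %s\n' "$(default_dev "$SAMPLE_ROUTES")"
if default_is_eth0 "$SAMPLE_ROUTES"; then
    echo "default route is on eth0; the updater would continue"
else
    echo "default route is not on eth0; the updater would quit here"
fi
printf 'versions newer than 2: %s\n' "$(newer_versions "$(printf '3\n1\n5\n2\n')" 2 | tr '\n' ' ')"
```

<font size=2 face="sans-serif">The order in verify_and_extract is the part worth keeping: the signature check decides whether tar runs at all, so a tampered or unsigned tarball downloaded from the server path never reaches the filesystem, which matches the "if correct, untar" sequence in the summary.</font>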