Tuesday, October 25, 2016

Kernel Local Privilege Escalation - CVE-2016-5195

Taken from RedHat (https://access.redhat.com/security/vulnerabilities/2706661)

Background Information
A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.


This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild. This flaw affects most modern Linux distributions.

Red Hat Product Security has rated this update as having a security impact of Important.

Impacted Products:
The following Red Hat Product versions are impacted:
•    Red Hat Enterprise Linux 5
•    Red Hat Enterprise Linux 6
•    Red Hat Enterprise Linux 7
•    Red Hat Enterprise MRG 2
•    Red Hat Openshift Online v2

Attack Description and Impact:
This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set. This is achieved by racing the madvise(MADV_DONTNEED) system call while having the page of the executable mmapped in memory.

Take Action:
All Red Hat customers running the affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.

Mitigation:
Please reference bug 1384344 (https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13) for detailed mitigation steps.

Updates for Affected Products:
A kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available. Please open a support case to gain access to the kpatch.

For more details about what a kpatch is, please refer to "Is live kernel patching (kpatch) supported in RHEL 7?" at https://access.redhat.com/solutions/2206511
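
Because the advisory above says the flaw can be used to modify existing setuid files, one defensive follow-up is to compare setuid binaries against the RPM database. The script below is an added example, not part of the Red Hat advisory; it assumes an rpm-based system, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory). Function names are hypothetical.

# Constructed sample of `rpm -V` output, used only to illustrate the parser.
constructed_sample() {
    cat <<'EOF'
S.5....T.    /usr/bin/passwd
.......T.  c /etc/sudoers
missing     /usr/bin/chsh
..5.....    /bin/ping
EOF
}

# Read `rpm -V` lines on stdin. The first field is the attribute string
# (8 characters on older rpm, 9 on newer); its third character is '5'
# when the file digest differs from the one recorded at install time.
digest_changed() {
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        length($1) >= 8 && substr($1, 3, 1) == "5" { print "MODIFIED " $NF }
    '
}

# Walk one filesystem for setuid files and verify each against its package.
# Assumes an rpm-based system; paths containing spaces are not handled.
scan_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        if ! rpm -qf "$f" >/dev/null 2>&1; then
            echo "UNOWNED $f"          # setuid file that no package claims
        else
            rpm -Vf "$f" 2>/dev/null | awk -v p="$f" '$NF == p' | digest_changed
        fi
    done
}

# Run the real scan only when asked: sh check_setuid.sh --scan [root]
if [ "${1:-}" = "--scan" ]; then
    scan_setuid "${2:-/}"
fi
```

A MODIFIED line only means the file's content differs from what the package installed; compare it against a known-good copy of the package before drawing conclusions.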



Monday, October 17, 2016

Offline Nodes in MOAB

Change State of MOAB Clients Nodes

To offline the nodes

# mnodectl -m state=drained node1

To flush the nodes
# mnodectl -m state=flush node1

To reserve the nodes
# mnodectl -m state=reserved node1

To delete nodes
# mnodectl -d node1

Friday, October 14, 2016

LAMMPS Tools and Packmol with Intel Fortran

PACKMOL information can be obtained from http://www.ime.unicamp.br/~martinez/packmol/userguide.shtml#conv

Installation instructions can be found at http://www.ime.unicamp.br/~martinez/packmol/userguide.shtml#comp

1. Compile Packmol with Intel Fortran
# tar -zxvf packmol.tar.gz
# cd packmol
# ./configure ifort
# make

2. LAMMPS Tools
# git clone https://github.com/jdevemy/lammps-tools.git
# cd lammps-tools
# python setup.py build
# sudo python setup.py install

3. Make sure Python has the following libraries used in create_conf (sys, os, logging, argparse, math, random)

4. Make sure the Python (if you install lammps-tool)
# export PYTHONPATH=/home/user1/Downloads/lammps-tools-master/lib
# ./create_conf

Wednesday, October 12, 2016

Blank Screen with VNCServers on CentOS 6

I was getting a blank screen when I launched a vncserver session, and my /home/user1/.vnc/xstartup was like this:
#!/bin/sh

[ -r /etc/sysconfig/i18n ] && . /etc/sysconfig/i18n
export LANG
export SYSFONT
vncconfig -iconic &
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
OS=`uname -s`
if [ $OS = 'Linux' ]; then
  case "$WINDOWMANAGER" in
    *gnome*)
      if [ -e /etc/SuSE-release ]; then
        PATH=$PATH:/opt/gnome/bin
        export PATH
      fi
      ;;
  esac
fi
if [ -x /etc/X11/xinit/xinitrc ]; then
  exec /etc/X11/xinit/xinitrc
fi
if [ -f /etc/X11/xinit/xinitrc ]; then
  exec sh /etc/X11/xinit/xinitrc
fi
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
gnome-session &

After I modified the xstartup, it WORKED!
#!/bin/sh
# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources

xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
gnome-session &

Tuesday, October 11, 2016

Resolve Leap Second Issues in Red Hat Enterprise Linux

Taken from Resolve Leap Second Issues in Red Hat Enterprise Linux

Leap seconds are a periodic one-second adjustment of Coordinated Universal Time (UTC) in order to keep a system's time of day close to the mean solar time. However, the Earth's rotation speed varies in response to climatic and geological events, and due to this, UTC leap seconds are irregularly spaced and unpredictable.

Upcoming Leap Second Events:
The next leap second will occur on 2016 December 31, 23h 59m 60s UTC.

Environment:

Red Hat Enterprise Linux versions 4
Red Hat Enterprise Linux versions 5
Red Hat Enterprise Linux versions 6
Red Hat Enterprise Linux versions 7

Scope:
Customers running highly time-sensitive or un-patched RHEL servers.

Severity:
The severity depends on how far behind the customer is on updating RHEL and how sensitive their operations are to time adjustments. Some customers will just appreciate the news. Others running un-patched servers may experience kernel hangs.

Description:
Another leap second will be added on December 31, 2016.
Customers running RHEL servers that are completely patched and running NTP should not be concerned. (Applications should be fine, too, but it is always best to check with one's vendors.)
Customers running completely patched RHEL servers but not NTP will find their systems' times off by 1 second. Customers will need to manually correct that.
Customers running un-patched servers that cannot update their kernel, ntp and tzdata packages to at least the latest versions listed in the below document's "Known Issues" section's links should contact our Support Center for further assistance.

Resource:
Resolve Leap Second Issues in Red Hat Enterprise Linux: https://access.redhat.com/articles/15145#event

Monday, October 3, 2016

Compiling MEEP with Intel-15.0.6, Intel-MPI 5.0.3 and HDF5-1.8.17

Meep (or MEEP) is a free finite-difference time-domain (FDTD) simulation software package developed at MIT to model electromagnetic systems, along with our MPB eigenmode package. The latest official version is 1.3 and can be found at the Download Page for Meep.

Before you compile Meep 1.2.1, you need to first compile the libctl library. Compiling the libctl library is quite straightforward. After downloading,

Step 1: Compiling libctl-3.2.1
# tar -zxvf libctl-3.2.1.tar.gz
# cd libctl-3.2.1
# ./configure --prefix=/usr/local/libctl-3.2.1
# make -j8
# make install

Step 2: Other prerequisites include guile and guile-devel. Make sure you install these 2 packages, which can be done with
# yum install guile guile-devel

Step 3: Prepare Intel Compilers and Intel MPI environment
$ vim .bashrc

source /usr/local/intel_2015/bin/compilervars.sh intel64
source /usr/local/intel_2015/impi/5.0.3.049/bin64/mpivars.sh intel64
source /usr/local/intel_2015/mkl/bin/mklvars.sh intel64
export CC=icc
export CXX=icpc
export F77=ifort
export MPICC=mpicc
export MPICXX=mpiicpc
export CFLAGS="-O3 -xHost -fno-alias -align"
export FFLAGS="-O3 -xHost -fno-alias -align"
export CXXFLAGS="-O3 -xHost -fno-alias -align"
export FFlags="-I/usr/local/intel_2015/impi/5.0.3.049/include64 -L/usr/local/intel_2015/impi/5.0.3.049/lib64"

Step 4: Compiling hdf5-1.8.17
See Compiling HDF5-1.8.17 with Intel-15.0.6 and Intel-MPI-5.0.6

Step 5: Compiling MEEP-1.3
$ ./configure --prefix=/usr/local/meep-1.3.1_impi-5.0.3 --with-mpi \
--with-libctl="/usr/local/libctl-3.2.1/share/libctl" \
LDFLAGS="-L/usr/local/libctl-3.2.1/lib -L/usr/local/hdf5-1.8.17/lib" \
CPPFLAGS="-I/usr/local/libctl-3.2.1/include -I/usr/local/hdf5-1.8.17/include"
$ make -j 12
$ make install