<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<?xml-stylesheet type="text/css" href="http://www.theoldmonk.net/blog/"?>
<title type="html">Filed under: tricks | The Old Monk</title>
<subtitle type="html">high wisdom</subtitle>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog" />
<link rel="self" type="application/atom+xml" href="http://www.theoldmonk.net/blog/archives/tricks/index-atom.xml" />
<updated>2010-05-25T17:35:50+05:30</updated>
<author>
<name>gera</name>
<uri>http://www.theoldmonk.net/blog</uri>
</author>
<id>http://www.theoldmonk.net/blog/</id>
<generator uri="http://nanoblogger.sourceforge.net" version="3.4.1">NanoBlogger</generator>
<entry>
<title type="html">Debugging python Windows services</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2010/02/11/debugging_python_windows_services/" />
<id>http://www.theoldmonk.net/blog/archives/2010/02/11/debugging_python_windows_services/</id>
<published>2010-02-11T13:08:49+05:30</published>
<updated>2010-02-11T13:08:49+05:30</updated>
<category term="tricks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>Python makes it easy to write Windows services (via pywin32 extensions). That part is easy. The problems sometimes happen when you try to run them, with a commonly reported error - "The service did not respond to the control...", which is error 1503.</p>
<p>If one runs the service compiled as an exe (via py2exe for example), there are a bunch of issues like the module import paths changing. I haven't had the time to dig really deep into that. But this might strike even if the service is being run uncompiled (from a .py file).</p>
<p>One of the first things to check is whether pythonservice.exe (from the win32 module) executes cleanly - this is the binary responsible for actually loading your service script/module. If pywin32 was installed in the usual way, it should be located at C:\Python26\Lib\site-packages\win32\pythonservice.exe</p>
<p>Running this should give an immediate idea of what's going wrong. It usually turns out to be a "msvcr90.dll" or a "python26.dll" error. (Of course, all this is Python 2.6). When that is running alright, then it's time for some debug fun.</p>
<p>To debug the python service, just run pythonservice.exe with the '-debug' option and the service name as the argument. This attaches the stdout/stderr to the terminal. For example, if the service uses BaseHTTPServer, all the request/response logs will show up.</p>
</div>
</content>
</entry>
<entry>
<title type="html">Windows XP file ownership</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2009/08/17/windows_xp_file_ownership/" />
<id>http://www.theoldmonk.net/blog/archives/2009/08/17/windows_xp_file_ownership/</id>
<published>2009-08-17T17:01:16+05:30</published>
<updated>2009-08-17T17:01:16+05:30</updated>
<category term="tricks" />
<category term="hacks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>As part of a cleanup of someone's notebook, I created a non-admin account and copied the docs/shortcuts. Thankfully, the data was already in a separate drive. Trouble is, the non-admin user would see all of it as read-only.</p>
<p>I tried changing the perms on the content (via the gui as well as via attrib.exe), but the non-admin user still wasn't able to write.</p>
<p>It turned out that the issue was file ownership. I'm not too sure what the patchlevel of the XP system was, but a right click -&gt; properties menu didn't bring up any tab where I could see or change file ownership.</p>
<p>The solution: download and install 
<a href="http://www.cygwin.com">Cygwin</a>, and then a simple "chown -R &lt;NonAdminUser&gt; /cygdrive/&lt;driveletter&gt;/*".</p>
<p>Reinforces my opinion that one really *needs* cygwin to make Windows usable!</p>
</div>
</content>
</entry>
<entry>
<title type="html">ssh authentication via mysql (pam_mysql)</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2009/02/24/ssh_authentication_via_mysql_pam_mysql/" />
<id>http://www.theoldmonk.net/blog/archives/2009/02/24/ssh_authentication_via_mysql_pam_mysql/</id>
<published>2009-02-24T13:39:30+05:30</published>
<updated>2009-02-24T13:39:30+05:30</updated>
<category term="tricks" />
<category term="technology" />
<category term="hacks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>There's not much info on the interwebs on why ssh authentication via pam_mysql fails, and there are definitely some misleading answers like 
<pre>
when logging in via ssh, the ssh daemon checks some files in ~/,
so it can be done if the user already have a valid home directory.
</pre>from 
<a href="https://www.linuxquestions.org/questions/linux-security-4/authentication-to-ssh-via-mysql-169733/">this thread</a>.</p>
<p>The real reason it fails to authenticate is that ssh does a getpwent() call to check if the user exists on the system. If you're using just a PAM solution (which doesn't provide accounts), that call fails if there isn't any such local user. sshd then sets the password to '^H ^M INCORRECT' before passing it to PAM, which obviously thinks it's the wrong password. The simple (and probably unscalable - but then you should be using something like nss_mysql) solution is to add local accounts to the machines for these users. That will make the getpwent() call succeed, and sshd will authenticate successfully via PAM.</p>
<p>I've mentioned this 
<a href="http://www.theoldmonk.net/blog/archives/2008/09/27/trac_mysql_and_authentication/">earlier</a>.</p>
</div>
</content>
</entry>
<entry>
<title type="html">Graphviz awesomeness</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2009/02/23/graphviz_awesomeness/" />
<id>http://www.theoldmonk.net/blog/archives/2009/02/23/graphviz_awesomeness/</id>
<published>2009-02-23T12:17:12+05:30</published>
<updated>2009-02-23T12:17:12+05:30</updated>
<category term="tricks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>
<a href="http://www.graphviz.org/">Graphviz</a> is my newest discovery. I used to meddle with 
<a href="http://live.gnome.org/Dia">Dia</a> and 
<a href="http://www.xfig.org/">xfig</a> whenever I needed to publish any diagrams (network diagrams for example), but they have their problems - one has to worry about the layout and spacing among other things. The content becomes secondary to the layout. That's exactly the reason why I don't use word processors. Systems like 
<a href="http://textile.thresholdstate.com/">Textile</a>, 
<a href="http://daringfireball.net/projects/markdown/">Markdown</a>, 
<a href="http://docutils.sourceforge.net/rst.html">reStructured Text</a> and the king of them all, 
<a href="http://en.wikipedia.org/wiki/TeX">TeX</a> let you focus on the content and figure out an appropriate layout (some of them with a little help - but the focus still remains on the content).</p>
<p>Graphviz does that for graphs and it's just awesome! Examples speak louder than words, so here they are: 
<pre>
graph g {
        foo -- bar;
        bar -- baz;
        baz -- spam;
        eggs -- spam;
        spam -- bar;
        foo -- spam;

        label="The foo bar graph"
}
</pre>
<img src="/blog/images/foobar.png" />
<br />
<pre>
graph g {
        foo;
        {rank=same; bar; baz; spam; eggs;}

        foo -- bar;
        bar -- baz;
        baz -- spam;
        eggs -- spam;
        spam -- bar;
        foo -- spam;

        label="The flatter foo bar graph"
}
</pre>
<img src="/blog/images/flat_foobar.png" />
<br />
<pre>
digraph G {
        foo;
        {rank=same; bar; baz;}
        {rank=same; spam; eggs;}

        foo -&gt; bar;
        bar -&gt; baz [arrowhead=vee];
        baz -&gt; spam [arrowhead=diamond];
        spam -&gt; eggs [label=" an edge " arrowtail=diamond arrowhead=vee color=red];
}
</pre>
<img src="/blog/images/dir_foobar.png" /></p>
</div>
</content>
</entry>
<entry>
<title type="html">Trac, MySQL and authentication</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2008/09/27/trac_mysql_and_authentication/" />
<id>http://www.theoldmonk.net/blog/archives/2008/09/27/trac_mysql_and_authentication/</id>
<published>2008-09-27T19:06:10+05:30</published>
<updated>2008-09-27T19:06:10+05:30</updated>
<category term="tricks" />
<category term="technology" />
<category term="hacks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">What we needed at 
<a href="http://www.chaupaati.in">work</a>: 
<ul>
<li>A wiki</li>
<li>VPN</li>
<li>A bug/issue tracker</li>
</ul>
<a href="http://trac.edgewall.org/">Trac</a> gave us the first and the last, and 
<a href="http://openvpn.net/">OpenVPN</a> gave us the middle. The newer versions of Trac can use MySQL as a database instead of SQLite and have a nice 
<a href="http://trac-hacks.org/wiki/AccountManagerPlugin">AccountManager</a> plugin. 
<br />
<br />And it all comes together with 
<a href="http://pam-mysql.sourceforge.net/">pam_mysql</a>. The only problem was that Trac likes to store passwords hashed as HTTP-Digest style hashes (not the most secure, I know) with an empty realm, and pam_mysql doesn't work for that. The solution was a simple patch to pam_mysql which adds support for such hashes. I'll publish that soon - I'm making it more general by adding support for realms rather than assuming that realm would be empty. 
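<br />
<br />An added example, not the pam_mysql patch mentioned above and not code from Trac: a Python sketch of how a verifier has to treat HTTP-Digest style hashes, and why the realm used at hashing time must match the one used at check time. The user names, passwords and the ACCOUNTS table are constructed for illustration.

```python
import hashlib
import hmac


def digest_ha1(user, realm, password):
    """HTTP Digest HA1 (RFC 2617): hex MD5 of "user:realm:password"."""
    if ":" in user:
        # A colon in the user name makes the joined string ambiguous.
        raise ValueError("user name must not contain ':'")
    joined = ":".join((user, realm, password))
    return hashlib.md5(joined.encode("utf-8")).hexdigest()


# Constructed sample rows standing in for the account table
# (user name -> stored hash), hashed with an empty realm.
STORED_REALM = ""
ACCOUNTS = {
    "alice": digest_ha1("alice", STORED_REALM, "correct horse"),
    "bob": digest_ha1("bob", STORED_REALM, "battery staple"),
}


def check_password(user, candidate, realm=STORED_REALM, accounts=ACCOUNTS):
    """Recompute the hash from the plaintext candidate and compare.

    The verifier needs the plaintext password (which is what PAM receives)
    and must use the same realm the stored hash was created with.
    """
    stored = accounts.get(user)
    if stored is None:
        return False
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(stored, digest_ha1(user, realm, candidate))


if __name__ == "__main__":
    print(check_password("alice", "correct horse"))                # True
    print(check_password("alice", "correct horse", realm="Trac"))  # False
```

The second call fails with the right password because the hash depends on the realm, so a verifier that hard-codes one realm cannot check hashes created with another.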
<br />
<br />OpenVPN (and apache - via mod_auth_pam) etc. can authenticate via 
<a href="http://www.kernel.org/pub/linux/libs/pam/">PAM</a> and adding authentication to anything is a simple matter of placing the right .htaccess file. And this is a *common* password across all services, which users can change on the wiki, in their browsers, with a nice polished interface. No unix shells for people who can't deal with them. 
<br />
<br />This is no 
<a href="http://en.wikipedia.org/wiki/Kerberos_(protocol)">Kerberos</a>, but is infinitely simpler - which means a lot for a small startup. 
<br />
<br />There are a few gotchas though: 
<ul>
<li>Apache doesn't like empty realms. This can be worked around by switching to Basic authentication where passwords are passed on to PAM and we ignore realm. Yes, Basic is worse, but there's always SSL. Thus, one can supply _any_ value of realm (the AuthName in .htaccess). The situation might improve if my pam_mysql patch accepts realms and we manage to modify the Trac AccountManager plugin to use the same realm.</li>
<li>SSH doesn't like to authenticate users who don't have an account on the machine. It does a getpwent() call, and if it fails, it sets the password to '^H ^M INCORRECT' (the ^H and ^M represent the control chars here, but this is what you see in your logs if you debug PAM). One (ugly, in my opinion) way out is to LD_PRELOAD your own getpwent() method for sshd. The other is to grant ssh access to people on a machine by machine basis. This doesn't scale beyond a point but is good enough for small setups and the most secure. We use this. The cleaner solution, of course, is to use something like 
<a href="http://savannah.nongnu.org/projects/nss-mysql">nss_mysql</a>. This might be our next step, but not in the immediate future.</li>
</ul>Patch to come Real Soon Now.</div>
</content>
</entry>
<entry>
<title type="html">SPG - Simple Password Generator</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2008/07/22/spg_-_simple_password_generator/" />
<id>http://www.theoldmonk.net/blog/archives/2008/07/22/spg_-_simple_password_generator/</id>
<published>2008-07-22T21:40:42+05:30</published>
<updated>2008-07-22T21:40:42+05:30</updated>
<category term="tricks" />
<category term="perl" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">I have been using unique passwords for (almost) all the websites I have accounts on, and have a handy script to do the task for me. The idea is simple and came from a 
<a href="http://www.schneier.com/blog/archives/2007/11/how_to_harvest.html#c220047">comment on a blog post</a>. You just need to remember one secret passphrase. Every time you need a unique password, append that secret to a unique string identifying the use (the website URL, or the domain name), hash the result and use the first n characters of it as the password. Unique, and there's only one thing to remember. 
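<br />
<br />An added example, not the SPG script itself: a Python sketch of the scheme just described, with one edge case of plain concatenation and a stretched variant that goes beyond the post. SHA-256, hex output, PBKDF2 and all function names are assumptions; the post does not name a hash.

```python
import base64
import hashlib
import math


def spg_password(secret, site, length=12):
    """The scheme as described: hash(site + secret), keep the first n chars.

    Assumption: SHA-256 with hex output.
    """
    digest = hashlib.sha256((site + secret).encode("utf-8")).hexdigest()
    return digest[:length]


def stretched_password(secret, site, length=16, rounds=200_000):
    """Variant beyond the post: a slow KDF with the site as salt.

    A password leaked from one site is a hash of the master secret, so a
    fast hash lets the secret be guessed offline cheaply. PBKDF2 raises
    the cost per guess, and passing site and secret as separate inputs
    removes the concatenation ambiguity shown in the test below.
    """
    raw = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), site.encode("utf-8"), rounds, dklen=32
    )
    # URL-safe base64 gives 6 bits per character instead of hex's 4.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a truncated, encoded digest."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample values.
    print(spg_password("my secret", "example.com"))
    print(stretched_password("my secret", "example.com"))
    print(entropy_bits(12, 16), entropy_bits(16, 64))
```

Because the post's scheme joins the two strings without a separator, different (site, secret) pairs that concatenate to the same text produce the same password.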
<br />
<br />The script is useful enough, and I'm finally getting around to releasing it. There are other password generators (like 
<a href="http://search.cpan.org/~jdporter/Crypt-RandPasswd-0.02/lib/Crypt/RandPasswd.pm">Crypt::RandPasswd</a>, 
<a href="http://search.cpan.org/~ryochin/Data-SimplePassword-0.04/lib/Data/SimplePassword.pm">Data::SimplePassword</a>, 
<a href="http://search.cpan.org/~cgrau/String-MkPasswd-0.02/lib/String/MkPasswd.pm">String::MkPasswd</a>, 
<a href="http://search.cpan.org/~clkao/Text-Password-Pronounceable-0.28/lib/Text/Password/Pronounceable.pm">Text::Password::Pronounceable</a>, 
<a href="http://search.cpan.org/~tjenness/Crypt-PassGen-0.05/PassGen.pm">Crypt::PassGen</a> etc.), but they focus on creating random passwords - leaving it to the user to manage and remember them. 
<br />
<br />This might be useful as a Firefox extension as well. I eventually plan to convert it to one, but if someone else wants to do it, or has already done so - even better. It's a very simple idea, and I'm sure it can be implemented purely in chrome/javascript. 
<br />
<br />I need a place to announce it and I will let this be that place.</div>
</content>
</entry>
<entry>
<title type="html">Gutsy to Hardy - upgrade hiccups</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2008/07/12/gutsy_to_hardy_-_upgrade_hiccups/" />
<id>http://www.theoldmonk.net/blog/archives/2008/07/12/gutsy_to_hardy_-_upgrade_hiccups/</id>
<published>2008-07-12T12:52:53+05:30</published>
<updated>2008-07-12T12:52:53+05:30</updated>
<category term="tricks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<br />
<br />So I decided to upgrade to Hardy after doing a 
<a href="http://en.wikipedia.org/wiki/Wubi_(Ubuntu)">Wubi</a> install on a couple of machines. With some gotchas of course. 
<br />
<br />I couldn't login. Not even as root. It wouldn't even ask for a password, but straightaway said "login failed" (on the console) and "authentication failed" (gdm). 
<br />
<br />That seemed like a PAM problem and it was. My 
<a href="http://www.theoldmonk.net/blog/archives/2007/12/01/encrypted_home_setup/">encrypted HOME setup</a> uses 
<a href="http://code.google.com/p/pam-encfs/">pam_encfs</a> which had a problem loading into PAM. 
<br />
<br />The fix: a recompile, but after the patch mentioned in 
<a href="https://bugs.launchpad.net/ubuntu/+source/libpam-encfs/+bug/205783">this bug</a>. 
<br />
<br />Also, my 
<a href="http://www.theoldmonk.net/blog/archives/2008/03/04/network_profiles_in_ubuntu/">network profiles</a> stopped working - which turned out to be because of sudo. Adding a 'env_keep=NETSCHEME' to the Defaults in sudoers fixed that too.</div>
</content>
</entry>
<entry>
<title type="html">Location aware GTD trick</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2008/07/05/location_aware_gtd_trick/" />
<id>http://www.theoldmonk.net/blog/archives/2008/07/05/location_aware_gtd_trick/</id>
<published>2008-07-05T12:20:17+05:30</published>
<updated>2008-07-05T12:20:17+05:30</updated>
<category term="tricks" />
<category term="hacks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">I have my 
<a href="http://www.theoldmonk.net/blog/archives/2008/01/28/commandline_gtd_with_gtdo/">gtdo</a> to manage the TODOs, and it shows me the list every time I open a terminal (via a 't ls' in my .bashrc). But what to do when my '@work' TODO list grows long and is shown to me on every terminal spawn, even at home? 
<br />
<br />What I also have is my 
<a href="http://www.theoldmonk.net/blog/archives/2008/03/04/network_profiles_in_ubuntu/">network profiles setup</a>. Till today, my office profile was called "office" - which I changed to "work". This makes my profile name the same as my context name ('work' and '@work' - we can manage the @ in the context). Do I need to say more? :) 
<br />
<br />Every time I do a 'NETSCHEME="work" sudo ifup ath0' and the network comes up, the '/var/run/network/ifstate' contains a line like 'ath0=ath0-home'. Which means, I can get the profile I'm using. Which means, if I name my profiles carefully, I can get the location I'm at. Which then means, if I name my contexts carefully, I can get the relevant context. 
<br />
<br />Adding this: 
<pre>
LOCATION=`grep -m 1 '-' /var/run/network/ifstate | awk -F '-' '{ print $2 }'`
t ls @$LOCATION
</pre>to my .bashrc works like magic. 
<br />
<br />By the way, I *could* scan for known SSIDs and select a network (and hence a location and a context) automagically, but I don't do that yet - one of the reasons being that I *think* there might be an information leak hidden somewhere. But I haven't thought it through. But I might, and then I might get around to doing it.</div>
</content>
</entry>
<entry>
<title type="html">Being too smart is annoying</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2008/06/25/being_too_smart_is_annoying/" />
<id>http://www.theoldmonk.net/blog/archives/2008/06/25/being_too_smart_is_annoying/</id>
<published>2008-06-25T19:19:20+05:30</published>
<updated>2008-06-25T19:19:20+05:30</updated>
<category term="tricks" />
<category term="web" />
<category term="hacks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">Some people have been saying that Firefox tries to emulate other browsers and be Windows-like in general. Some people have been saying that about Linux/Ubuntu as well. I don't know how correct they are and what they're based on, but there's one thing that comes in the category of being too smart and too user friendly which ends up annoying the regulars. 
<br />
<br />I was on my machine and wanted to run a remote instance of Firefox, with the display forwarded back to my machine. I had X forwarding over SSH and my DISPLAY environment variable all set up. But when I started 'firefox' on the remote commandline, it opened up an instance of firefox *locally*. WTF!!? 
<br />
<br />The 
<a href="http://linux.derkeiler.com/Mailing-Lists/Fedora/2007-10/msg04000.html">fix</a> to this is a 'MOZ_NO_REMOTE' env variable. Duh.</div>
</content>
</entry>
<entry>
<title type="html">Widescreen monitors and modelines</title>
<author>
<name>gera</name>
</author>
<link rel="alternate" type="text/html" href="http://www.theoldmonk.net/blog/archives/2008/03/19/widescreen_monitors_and_modelines/" />
<id>http://www.theoldmonk.net/blog/archives/2008/03/19/widescreen_monitors_and_modelines/</id>
<published>2008-03-19T20:28:26+05:30</published>
<updated>2008-03-19T20:28:26+05:30</updated>
<category term="tricks" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">I got a new widescreen LCD for using with my Eee. Everything went on fine, but the default resolution of 1024x768 kinda sucked. The monitor (Acer AL1516W) supports a max of 1280x800, so I tried that, but I needed a custom modeline to get it working. The monitor specs say that it supports "1280x800@60Hz", but a lot of modeline generation tools don't support that odd widescreen resolution. 
<a href="http://xtiming.sourceforge.net/cgi-bin/xtiming.pl">This one</a> does. The catch is the 60Hz - which is more like 59.91, which goes in as 59.73 in the textbox on that page. It does tell you the different values ("actually 59.91"), but you have to keep an eye out. Another important thing is the monitor's 'Dot Clock' frequency. If you're exceeding that (and the tool will warn you if you are), it's most probably a mistake. Go re-read the specs of the monitor. 
<br />
<br />FWIW, here's the modeline for the Acer AL1516W that I generated for the Eee: 
<pre>
"1280x800@59" 83.44 1280 1312 1624 1656 800 816 824 841
</pre></div>
</content>
</entry>
</feed>
