albert@spenarnc.xs4all.nl (Albert van der Horst) writes:
> Not correct. The PATH for finding executables is fully under control.
> It is urban legend that there is a security leak by having the current
> directory in the PATH. ("someone could have sneaked an ls in your directory
> that installs a rootkit.")

No it wasn't an urban legend, it was a real issue. In the old days "." was the first thing on the path and there were actual incidents of what you described. E.g. you'd be a sysadmin of some university timesharing system, you'd get told that some student had porn in his home directory, you'd cd to the directory and type "ls" as root, and hilarity ensues. I think there is a paper by Fred Grampp about this, that introduced the practice of getting "." off of the standard path.

> This is nonsensical for normal users.

I'd say it's still not nonsensical: you unpack an archive, cd to it and type "ls", same situation. Or even in non-malicious cases, someone might have chosen a program name that wasn't a standard Unix command, but that happened to match something that you used and was on your path. Like I think there are at least 2 different Forth implementations called pforth. So maybe you use one of them and the directory you cd to has the other one, so you type "pforth" and get the wrong one, etc.
Mecrisp on the TI Stellaris Launchpad
Started by ●April 2, 2015
Reply by ●April 17, 2015

Reply by ●April 17, 2015

On 17/04/15 16:56, Paul Rubin wrote:
> albert@spenarnc.xs4all.nl (Albert van der Horst) writes:
>> Not correct. The PATH for finding executables is fully under control.
>> It is urban legend that there is a security leak by having the current
>> directory in the PATH. ("someone could have sneaked an ls in your directory
>> that installs a rootkit.")
>
> No it wasn't an urban legend, it was a real issue. In the old days "."
> was the first thing on the path and there were actual incidents of what
> you described. E.g. you'd be a sysadmin of some university timesharing
> system, you'd get told that some student had porn in his home directory,
> you'd cd to the directory and type "ls" as root, and hilarity ensues. I
> think there is a paper by Fred Grampp about this, that introduced the
> practice of getting "." off of the standard path.
>
>> This is nonsensical for normal users.
>
> I'd say it's still not nonsensical: you unpack an archive, cd to it and
> type "ls", same situation. Or even in non-malicious cases, someone
> might have chosen a program name that wasn't a standard Unix command,
> but that happened to match something that you used and was on your path.
> Like I think there are at least 2 different Forth implementations called
> pforth. So maybe you use one of them and the directory you cd to has
> the other one, so you type "pforth" and get the wrong one, etc.
>

And while it is true that when running under a standard user, you cannot easily install a rootkit (the malicious program would have to persuade you to do a "sudo" or similar), you can make a real mess without that.

Albert, try putting this in a file called "ls", with the executable flag set:

#!/bin/bash
rm -rf ~/
Reply by ●April 17, 2015

In comp.arch.embedded Paul Rubin <no.email@nospam.invalid> wrote:
> albert@spenarnc.xs4all.nl (Albert van der Horst) writes:
>> Not correct. The PATH for finding executables is fully under control.
>> It is urban legend that there is a security leak by having the current
>> directory in the PATH. ("someone could have sneaked an ls in your directory
>> that installs a rootkit.")

> No it wasn't an urban legend, it was a real issue. In the old days "."
> was the first thing on the path and there were actual incidents of what
> you described. E.g. you'd be a sysadmin of some university timesharing
> system, you'd get told that some student had porn in his home directory,
> you'd cd to the directory and type "ls" as root, and hilarity ensues. I
> think there is a paper by Fred Grampp about this, that introduced the
> practice of getting "." off of the standard path.

OK, so at least you should put the . at the end of the path. That will still surprise you if you name your program the same as a system program, though.

>> This is nonsensical for normal users.

> I'd say it's still not nonsensical: you unpack an archive, cd to it and
> type "ls", same situation. Or even in non-malicious cases, someone
> might have chosen a program name that wasn't a standard Unix command,
> but that happened to match something that you used and was on your path.
> Like I think there are at least 2 different Forth implementations called
> pforth. So maybe you use one of them and the directory you cd to has
> the other one, so you type "pforth" and get the wrong one, etc.

By now, I have gotten used to putting ./ in front of names. Especially interesting is:

./!$

For ordinary users on systems with no public users, and who don't download files without looking at the names, . at the end should be safe enough. For root, it probably isn't safe enough.

As far as I know, MSDOS and its successor, Windows, have an implied . at the beginning of the path.

-- glen
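As an added example (my own code, not from any poster in this thread), a POSIX sh function that audits a PATH string for the hazards discussed in the posts above: a "." entry, an empty component (which POSIX shells search as the current directory, so a leading, trailing or doubled ":" is the same as "."), any other relative entry, and a world-writable directory where another local user could plant a program. The name path_audit is a hypothetical helper, not a system command.

```shell
#!/bin/sh
# path_audit STRING
# Print each PATH component that lets the current directory, or a directory
# other users can write to, be searched for commands; return 1 if any found.
# Hypothetical helper (not a system command); the checks follow the PATH
# lookup rules every POSIX shell applies.
path_audit() {
    _rest="$1:"    # sentinel ":" so a trailing ":" still yields an empty field
    _bad=0
    _n=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}          # text before the first ":"
        _rest=${_rest#*:}            # drop it together with the ":"
        _n=$((_n + 1))
        case "$_entry" in
            "")
                # An empty component is searched as the current directory.
                echo "entry $_n: empty component (searched as current directory)"
                _bad=1 ;;
            .)
                echo "entry $_n: '.' (current directory)"
                _bad=1 ;;
            /*)
                # Absolute entry: still a hazard if other users can write to it,
                # since any of them could drop an 'ls' or 'pforth' there.
                # ls -ldL follows symlinks (e.g. /bin -> /usr/bin); mode string
                # position 9 is the other-write bit.
                if [ -d "$_entry" ]; then
                    case $(ls -ldL "$_entry") in
                        ????????w*)
                            echo "entry $_n: $_entry is world-writable"
                            _bad=1 ;;
                    esac
                fi ;;
            *)
                # "bin", "../bin" etc. resolve relative to the current directory.
                echo "entry $_n: '$_entry' is relative (resolved from current directory)"
                _bad=1 ;;
        esac
    done
    return $_bad
}

# Example: audit the PATH of the calling shell.
path_audit "$PATH" && echo "PATH OK"
```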
Reply by ●April 17, 2015

On 4/17/2015 12:56 AM, Paul Rubin wrote:
> rickman <gnuarm@gmail.com> writes:
>> I was using a gadget to measure the voltage and current going into the
>> rPi. That side is at 5.25 volts give or take with around 400 mA of
>> current. I moved the meter to the launchpad and the output on the USB
>> port is only 4.95 volts.
>
> I remember reading somewhere (probably adafruit.com) that you should use
> a pretty beefy 5V power supply with the rpi especially if it's under any
> type of load. They actually tweak their rpi power supplies to deliver
> 5.25 volts to compensate for some inevitable sag.
>
> I don't remember hearing that the USB ports themselves are out of spec
> but it's possible. Despite popular misconception USB ports are only
> supposed to be able to deliver 100 mA unless they grant the client
> "permission" to draw more (up to 500ma), through a power negotiation
> protocol that's part of USB. Most x86 motherboards can deliver 500 mA
> with no problem, so lots of badly designed client devices just assume
> the power is available, and try to draw it without bothering with the
> protocol. Maybe something like that is going on here.

I'm not 100% certain of this, but I believe the rPi runs input power through a Polyfuse which does have some noticeable resistance and so voltage droop. I've cross-posted this to the rPi group to see if anyone will confirm it.

-- Rick
Reply by ●April 17, 2015

On 4/17/2015 9:36 AM, Blajrs Jrolrsen wrote:
> On 2015-04-17, rickman <gnuarm@gmail.com> wrote:
>> On 4/16/2015 6:11 PM, Paul Rubin wrote:
>>> rickman <gnuarm@gmail.com> writes:
>>>> compile, but I can't seem to figure out how to run it. I type
>>>> lm4flash at the command line, but it says "command not found". The
>>>> file has no visible extension. Is that expected? What am I missing?
>>>
>>> Try ./lm4flash
>>
>> Yes, I figured that out. It seems the current working directory is not
>> considered under Linux for finding executables... really!?
>
> Why would it be? Most of the directories where binaries are stored are
> called bin or sbin. For example
>
> /bin
> /sbin
> /usr/bin
> /usr/sbin
> /usr/local/bin
> /usr/local/sbin
>
> It is really not appropriate or orderly to have binaries in your home
> directory. The home directory is the top level directory for each user. It
> is expected to contain other directories in an organized manner. If you want
> to make a directory for binaries the normal way to do that is
>
> mkdir ~/bin # one time only
> export PATH=$PATH:~/bin # this goes in your logon proc depending on shell

Do you not understand what I was doing? I was working on compiling an executable to see if it worked. Before I went to the bother of (if I was ever going to) copying the exe to one of the bin directories, I wanted to test it. I likely won't move it to a bin directory because it is likely not more than a one time use thing.

-- Rick
Reply by ●April 17, 2015

On 4/17/2015 2:47 PM, rickman wrote:
> On 4/17/2015 12:56 AM, Paul Rubin wrote:
>> rickman <gnuarm@gmail.com> writes:
>>> I was using a gadget to measure the voltage and current going into the
>>> rPi. That side is at 5.25 volts give or take with around 400 mA of
>>> current. I moved the meter to the launchpad and the output on the USB
>>> port is only 4.95 volts.
>>
>> I remember reading somewhere (probably adafruit.com) that you should use
>> a pretty beefy 5V power supply with the rpi especially if it's under any
>> type of load. They actually tweak their rpi power supplies to deliver
>> 5.25 volts to compensate for some inevitable sag.
>>
>> I don't remember hearing that the USB ports themselves are out of spec
>> but it's possible. Despite popular misconception USB ports are only
>> supposed to be able to deliver 100 mA unless they grant the client
>> "permission" to draw more (up to 500ma), through a power negotiation
>> protocol that's part of USB. Most x86 motherboards can deliver 500 mA
>> with no problem, so lots of badly designed client devices just assume
>> the power is available, and try to draw it without bothering with the
>> protocol. Maybe something like that is going on here.
>
> I'm not 100% certain of this, but I believe the rPi runs input power
> through a Polyfuse which does have some noticeable resistance and so
> voltage droop. I've cross-posted this to the rPi group to see if anyone
> will confirm it.

I'm appending this OT post because I don't often look at my own posts, but did this one. I'm using Thunderbird and it seems to do odd things with line breaking. It is common that I reply to ("Followup" in T-bird parlance) a post only to find quoted lines extending off the page. Ok, so T-bird doesn't always figure out that it needs to wrap lines for display. But looking at my own post, I see the lines wrapping, but at the edge of the screen, not at the 72 column point where line breaks should be inserted when sending a message.

Changing the size of the window confirms this. Then to make it even more confusing, in this reply it would appear that line breaks are inserted in the quoted text! WTF????!!!! Anyone understand how T-bird handles the line breaks, word wrap features? Do you see my posts with line breaks at 72 columns? I have that turned on... at least I thought I did. I can't find the setting now.

-- Rick
Reply by ●April 17, 2015

In article <mgr288$4dr$1@speranza.aioe.org>,
Blajrs Jrolrsen <boegre@no.com> wrote:
>On 2015-04-17, rickman <gnuarm@gmail.com> wrote:
>> On 4/16/2015 6:11 PM, Paul Rubin wrote:
>>> rickman <gnuarm@gmail.com> writes:
>>>> compile, but I can't seem to figure out how to run it. I type
>>>> lm4flash at the command line, but it says "command not found". The
>>>> file has no visible extension. Is that expected? What am I missing?
>>>
>>> Try ./lm4flash
>>
>> Yes, I figured that out. It seems the current working directory is not
>> considered under Linux for finding executables... really!?
>
>Why would it be? Most of the directories where binaries are stored are
>called bin or sbin. For example
>
>/bin
>/sbin
>/usr/bin
>/usr/sbin
>/usr/local/bin
>/usr/local/sbin
>
>It is really not appropriate or orderly to have binaries in your home
>directory. The home directory is the top level directory for each user. It
>is expected to contain other directories in an organized manner. If you want
>to make a directory for binaries the normal way to do that is

I never work in my home directory, always in PROJECT/<whatever> or $HOME/euler or sometimes in /tmp. But I do make programs there that I want to run, all the time, up to a hundred times a day, easily. Need a test version of lina with a cramped 2M dictionary space?

"
lina64 -i linaG forth.lab   \ install copy in current dir
linaG -g -7998 lina         \ "grow by" minus 7998 Megabyte.
rm linaG
"

>
>mkdir ~/bin # one time only
>export PATH=$PATH:~/bin # this goes in your logon proc depending on shell

That is indispensable for all kind of utilities.

Greetings, Albert

>
>Blajrs
>

--
Albert van der Horst, UTRECHT,THE NETHERLANDS
Economic growth -- being exponential -- ultimately falters.
albert@spe&ar&c.xs4all.nl &=n http://home.hccnet.nl/a.w.m.van.der.horst
Reply by ●April 17, 2015

On Fri, 17 Apr 2015 15:12:13 -0400, rickman wrote:
> Then to make it even more confusing, in this reply it would appear that
> line breaks are inserted in the quoted text! WTF????!!!! Anyone
> understand how T-bird handles the line breaks, word wrap features? Do
> you see my posts with line breaks at 72 columns? I have that turned
> on... at least I thought I did. I can't find the setting now.
>

This has been rewrapped by Pan because it needed to add "> " at the beginning of each line, but as received, your appended text was wrapped at between 71 and 74 characters. I think it wraps whenever the next word would make the line longer than 74 chars, which is a bit odd seeing that you set the limit at 72. The last word at the end of each line in the para were:

that
Anyone
you
at
now.

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
Reply by ●April 17, 2015

On 17/04/2015 19:47, rickman wrote:
> On 4/17/2015 12:56 AM, Paul Rubin wrote:
>> rickman <gnuarm@gmail.com> writes:
>>> I was using a gadget to measure the voltage and current going into the
>>> rPi. That side is at 5.25 volts give or take with around 400 mA of
>>> current. I moved the meter to the launchpad and the output on the USB
>>> port is only 4.95 volts.
>>
>> I remember reading somewhere (probably adafruit.com) that you should use
>> a pretty beefy 5V power supply with the rpi especially if it's under any
>> type of load. They actually tweak their rpi power supplies to deliver
>> 5.25 volts to compensate for some inevitable sag.
>>
>> I don't remember hearing that the USB ports themselves are out of spec
>> but it's possible. Despite popular misconception USB ports are only
>> supposed to be able to deliver 100 mA unless they grant the client
>> "permission" to draw more (up to 500ma), through a power negotiation
>> protocol that's part of USB. Most x86 motherboards can deliver 500 mA
>> with no problem, so lots of badly designed client devices just assume
>> the power is available, and try to draw it without bothering with the
>> protocol. Maybe something like that is going on here.
>
> I'm not 100% certain of this, but I believe the rPi runs input power
> through a Polyfuse which does have some noticeable resistance and so
> voltage droop. I've cross-posted this to the rPi group to see if anyone
> will confirm it.
>

When in doubt check the spec... USB2.0 ports are 5v +/- 5% so 4.75V to 5.25V between the pins on the connector. 4.95 is almost perfectly in the middle.
Reply by ●April 17, 2015

On 4/17/2015 4:14 PM, Martin Gregorie wrote:
> On Fri, 17 Apr 2015 15:12:13 -0400, rickman wrote:
>
>> Then to make it even more confusing, in this reply it would appear that
>> line breaks are inserted in the quoted text! WTF????!!!! Anyone
>> understand how T-bird handles the line breaks, word wrap features? Do
>> you see my posts with line breaks at 72 columns? I have that turned
>> on... at least I thought I did. I can't find the setting now.
>>
> This has been rewrapped by Pan because it needed to add "> " at the
> beginning of each line, but as received, your appended text was wrapped
> at between 71 and 74 characters. I think it wraps whenever the next word
> would make the line longer than 74 chars, which is a bit odd seeing that
> you set the limit at 72. The last word at the end of each line in the
> para were:
>
> that
> Anyone
> you
> at
> now.

Thanks. The 72 columns was just my recollection. I can't find the setting now.

-- Rick