development posts

xz backdoor

in

Reading this weekend about a backdoor introduced to the open source xz project. It doesn’t appear to affect my Ubuntu servers, so I had assumed it wasn’t relevant to me. However, the homebrew version on my Mac was “vulnerable”. It sounds like the exploit would only work on some versions of Linux, but if it does work on Macs, that could be bad. I do a lot of stuff on this computer, including banking, email, coding, etc. They know about it backdooring ssh, but if there’s something they don’t yet know about, it might be a problem.

I have a Fedora install as well. I haven’t checked it yet, but Fedora is usually on the bleeding edge, so if it’s on there, I’ll probably wipe and reinstall. I’ve been considering anyway. Luckily, I don’t do anything important on there.

Even if it didn’t actually do anything bad on the Mac, it may have done something. I had noticed some weeks or months ago (I can’t remember when) that running PHP on the command line was going slow. Running anything would take a minimum of about five seconds, including something simple like php -r 'echo "hello\n";'. I know when I had been making scripts in the past they hadn’t been taking long at all. I did some searches on the web for anybody mentioning something like that and couldn’t find anything. So I kinda just figured maybe it had something to do with the new opcode / whatever cacheing newer versions do or something, like it takes some initial setup that the server can reuse but not the command line. I assumed I was stuck with it and even started moving some scripts to bash partly because of it. When I downgraded xz via homebrew though, I decided to test it. time says the simple php -r line took 0.092 seconds. Nice and snappy. So maybe xz was doing some checks to see if the device was exploitable. It was in the dependency graph of PHP through curl and gd. Can’t say for sure that it just sped up though and if the xz change was what caused it.

I’m glad my scripts finally run quickly again, but hope that nothing was exploited here. I’ll keep an eye on the web to see if anything comes up about Macs being exploitable, and if so I’ll probably reinstall the OS to be safe.

Note: If you have used homewbrew to install PHP, curl, or anything else that might depend on xz, run brew update; brew upgrade to be safe. The dangers of being on the bleeding edge I guess.

Ansible, Vagrant, and Symfony `var` permissions

in

I have moved to using VirtualBox VM’s for my local web development. I use Vagrant and Ansible to set them up. For my site, I use synced folders to share the site files from the local machine to the dev VM. This limits what permissions can be set on the files though, and doesn’t work well for Symfony’s var folder stuff, eg cache and logs. The normal Symfony permissions for those folders use ACL’s, but those cannot be set on Vagrant synced files. My solution was to create a /var/www/var folder to store such folders for any sites on the VM, and symlink them into place in the shared folder location. I did this with Ansible so that it would be reproducible. Since I ran into some issues getting it working, I thought I’d blog about it.

Continue reading post "Ansible, Vagrant, and Symfony `var` permissions"

Vagrant network IP change

in

Apparently, an update to VirtualBox after version 6.1.26 limited the IP’s usable for network adapters on Mac / Linux hosts. They must now be in the 192.68.56.0/21 range, which is pretty limited and much less easy to remember or type than the 10.*.*.* that I had been using. I had to change my projects to all be in this range and spread out the IPs to avoid collisions between the various projects when I updated VirtualBox a while back.

Continue reading post "Vagrant network IP change"

git: MacOS default branch now “main”?

in

At some point recently, git init on my Mac has started to default to the branch name “main”. It did this for a repo I created today, but not for one created August 29th, so maybe Apple made a change in an update sometime between then and now. I haven’t been able to find anything about the change on the web though.

Continue reading post "git: MacOS default branch now “main”?"

Swap file for composer out of memory problems

in

PHP’s defacto package manager, composer, has long required large amounts of memory to do updates for larger projects, often more than servers or virtual machines have. The script will die with an out of memory error, or more recently, the simple message “Killed”, and do no work in these situations. The normal procedure is to develop locally, deploy local lock file (composer.lock) to the server, and run composer install instead of update. But I’ve recently moved to doing most of my development in VMs, so I have had to work around this problem to get things installed or updated. A swap file is the solution for Linux machines provided in the official docs and expanded in a StackOverflow answer.

Continue reading post "Swap file for composer out of memory problems"

JS: ES Modules and Node bare specifiers via response rewrite

in

I’ve been playing with JS lately, including ES modules and building with Rollup, Babel, and Terser, along with other accessories. One thing I’m disappointed with of ES modules in the Nodejs ecosystem is dealing with third party imports. Using the “bare” specifiers that Node expects works fine in that environment and thus tools running in it (possibly needing helpers), but they don’t work at all directly in the browser. This is discussed in this post by Jake Archibold, for instance.

Import maps are one solution in the works, but that requires explicitly mapping every dependency, which could get complicated fast when dependencies have dependencies. It also is only in draft stage and only works in Blink based browsers currently.

I eventually gave in to the idea of having server code rewrite the paths in the js file responses to point to a symlinked node_modules folder, similar to what is mentioned in this post by the Polymer project. I created a PHP test server for one of my projects that does this.

Continue reading post "JS: ES Modules and Node bare specifiers via response rewrite"