Technology Archive

Livefyre | Powering the World’s Conversations

Posted April 17, 2012 By Landis V

http://www.livefyre.com/

Looks interesting.  It has sometimes felt like there’s a lack of bidirectionality between blogging and social media accounts, and Livefyre looks like it might be one piece in completing the circle.  Of course, there are other things that would help with that as well, but finding the time to learn and understand them is sometimes challenging.

Be the first to comment

Symantec gripe

Posted March 29, 2012 By Landis V

Symantec Endpoint Protection’s logging seriously sucks. Every event might as well be “Something happened somewhere” for what they are worth. They don’t even provide definition versions on content updates, nor a decent method if drilling into a report to see what hosts are currently running a particular version of the software – or, if they do, it’s the most unintuitive design I have ever encountered and they need to get some new UI designers. /rant

Be the first to comment

ICSI Netalyzr

Posted March 28, 2012 By Landis V

http://netalyzr.icsi.berkeley.edu/index.html

Be the first to comment

I don’t think you should be using sudo and maybe you shouldn’t be using Linux at all.

The money quote.  Love this.  Article was well written with clear and helpful examples.  Thanks, Tony.

via Understanding and using sudo in Unix or Linux (with examples).

Nobody has told me much about Linux, but I have learned vast amounts from the community.  There is a downside to that, however.  In an interactive conversation, certain things may come up that generate further discussion by their nature, whereas simple consumption from the web (or any other medium) may leave a vague hunch without actually provoking the “deeper dive”, if you will.

Such is the case, for me, with sudo and setuid.  I’ve always had the impression that setuid was a “bad thing to do”™, because (in an overly broad and general sense) if your setuid application was compromised by a security flaw, your system was effectively compromised.  sudo was “a good thing”™, because you could perform administrative functions easily without having to log out, log in as root, take care of the task at hand, and then return to your normal user shell.

Fast forward to today.  I’ve been doing some testing with check_mk, and ran into an issue where the default host check utilizes the Nagios check_icmp plugin.  When check_mk attempts to run same, it fails with an error indicating that the executable must be run as root or have setuid root set.  I presume the reason Nagios (or “nagios”, if you want to call the process by its username) is able to perform the checks is because the process is initiated as root and drops privileges, but maintains the permissions required to interface with the network stack.  In this case, (I think… haven’t proved it yet) it’s irrelevant.  What I really want to know is – which is the better option to use, given that I can change the command used for the default check to use sudo if needed.

Jump... to conclusions!

Jump... to conclusions!

After reading Tony’s article and taking into consideration that the sudo application itself is a setuid binary, I’m going to make a quick jump to  conclusions that probably doesn’t much matter in any case, since the executable will be effectively running as root.  I’m going to go with an edit to /etc/sudoers that will permit just the webserver account to run the plugin as root.  I have two reasons for this approach, one or both of which may be wrong.

First, I suspect there have been a lot more eyes on the code for the sudo binary than on the Nagios plugin binary, and if there’s going to be a flaw in one, it’s probably the latter (n.b. – I would not expect to see a flaw in the Nagios code, either… monitoring systems are, by their very purpose, allowed to converse with very critical infrastructure and best practices in development and security should be priorities).

Second, using sudo I can allow limited access to run the plugin as root, restricting that ability to just the webserver user account.  With setuid, any user who has the ability to execute the program (given a mask of 755, effectively everyone) can A.) run the program, and B.) do so as root.

In a perfect world – or maybe just a parallel dimension to this one – I could (and perhaps should) set the user and group ownership of the file more specifically, chmod o-x the plugins, and then chmod u+s the particular check_icmp plugin I needed.  This would likely be a more achievable solution in cases where it is difficult or impossible to control how the binary is called.

EDIT:  So, there’s an interesting new problem with this approach.  While the return code from the executed plugin is provided as the return code from sudo, the data returned by the plugin is sadly missing.  This makes sense, and it should have occurred to me.  There are a few ways I could get it back:  Fun with pipes, PID’s, and file descriptors using GDB (example here); parsing and passing the results as a passive host check to the Nagios external command file (might make sense since check_mk submits results as passive checks anyway).  Probably others.  At this juncture, I will probably at least test with the setuid bit set, and perhaps just leave it that way.

2 Comments so far. Join the Conversation

Mapping Icons

Posted March 20, 2012 By Landis V

I maintain a Google map of Nebraska State Parks so I can keep track of locations I have visited and have yet to visit (available here if you are interested.  This evening, I ran across this site, which provides the ability to generate a variety of icons with different background colors.  This is handy, as it allows me to use the same icon for sites I have already visited and those I have yet to visit.  Unfortunately, I think I’m going to need to do some additional work to see all the things I would like to see in the map, and I suspect what I will really need to do is generate several different maps to allow me to sort and view as I would like.

I tried making notes within the individual placemarkers on my map to indicate such things as primitive campsites, lakes, and places  I have visited.  Unfortunately, it doesn’t appear that you can search within a particular user-created map, with or without including a general search.  For example, I have noted my marker/description for my Gallagher Canyon location with “Lake”.  Unfortunately, it doesn’t appear to be indicated in the search results, or if it is, it’s too buried in the overall results to be apparent.

I’ll have to see what I can make work when I get further time, as I think that’s at an end for tonight.  Always a shortage of that commodity.

In any case, I will now be using the following icons in the map to help at least differentiate between unimproved and regular sites, and sites with lakes or ponds where possible.   Hopefully more to come later, and eventually I guess I’ll have to break the lake sites, primitive sites, visited sites, and the like out into their own individual maps.

   

 

Be the first to comment

Rundeck.org – Open Source Automation

Posted March 20, 2012 By Landis V

http://rundeck.org/

Be the first to comment

http://baheyeldin.com/linux/setting-up-autofs-automount-for-a-linux-network.html

Also in my list of plans to get set up.  Looks like an interesting blog to read more of as well.

Be the first to comment