News aggregator

Mick Morgan: punctuation matters

Planet ALUG - Mon, 28/07/2014 - 15:12

There is a nice tweet over at @NSA_PR. It reads:

We take your privacy, seriously.

Beyond parody.

Categories: LUG Community Blogs

Chris Lamb: start-stop-daemon: --exec vs --startas

Planet ALUG - Mon, 28/07/2014 - 14:15

start-stop-daemon is the classic tool on Debian and derived distributions to manage system background processes. A typical invokation from an initscript is as follows:

start-stop-daemon \ --quiet \ --oknodo \ --start \ --pidfile /var/run/daemon.pid \ --exec /usr/sbin/daemon \ -- -c /etc/daemon.cfg -p /var/run/daemon.pid

The basic operation is that it will first check whether /usr/sbin/daemon is not running and, if not, execute /usr/sbin/daemon -c /etc/daemon.cfg -p /var/run/daemon.pid. This process then has the responsibility to daemonise itself and write the resulting process ID to /var/run/daemon.pid.

start-stop-daemon then waits until /var/run/daemon.pid has been created as the test of whether the service has actually started, raising an error if that doesn't happen.

(In practice, the locations of all these files are parameterised to prevent DRY violations.)

Idempotency

By idempotence we are mostly concerned with repeated calls to /etc/init.d/daemon start not starting multiple versions of our daemon.

This might not seem to be particularly big issue at first but the increased adoption of stateless configuration management tools such as Ansible (which should be completely free to call start to ensure a started state) mean that one should be particularly careful of this apparent corner case.

In its usual operation, start-stop-daemon ensures only one instance of the daemon is running with the --exec parameter: if the specified pidfile exists and the PID it refers to is an "instance" of that executable, then it is assumed that the daemon is already running and another copy is not started. This is handled in the pid_is_exec method (source) - the /proc/$PID/exe symlink is resolved and checked against the value of --exec.

Interpreted scripts

However, one case where this doesn't work is interpreted scripts. Lets look at what happens if /usr/sbin/daemon is such a script, eg. a file that starts:

#!/usr/bin/env python # [..]

The problem this introduces is that /proc/$PID/exe now points to the interpreter instead, often with an essentially non-deterministic version suffix:

$ ls -l /proc/14494/exe lrwxrwxrwx 1 www-data www-data 0 Jul 25 15:18 /proc/14494/exe -> /usr/bin/python2.7

When this process is examined using the --exec mechanism outlined above it will be rejected as an instance of /usr/sbin/daemon and therefore another instance of that daemon will be incorrectly started.

--startas

The solution is to use the --startas parameter instead. This omits the /proc/$PID/exe check and merely tests whether a PID with that number is running:

start-stop-daemon \ --quiet \ --oknodo \ --start \ --pidfile /var/run/daemon.pid \ --startas /usr/sbin/daemon \ -- -c /etc/daemon.cfg -p /var/run/daemon.pid

Whilst it is therefore less reliable (in that the PID found in the pidfile could actually be an entirely different process altogether) it's probably an acceptable trade-off against the case of running multiple instances of that daemon.

This danger can be ameliorated by using some of start-stop-daemon's other matching tests, such as --user or even --name.

Categories: LUG Community Blogs

Chris Dennis: Website version control with Git

Planet HantsLUG - Sat, 26/07/2014 - 21:59

Some notes on using git to manage development and production versions of a website on a Linux server, based on Using Git to manage a web site.  There seem to be several web pages with similar ideas out there: I don’t know who wrote it down first.  And also with reference to Version Control with Git by Jon Lodger.

I’ve adapted those ideas for the way I like to do things:

  • I SSH in to the server, and do the editing there, using vim.
  • I have separate domains for development and production versions of my sites.  For the purposes of these notes, they’re called dev.example.org and www.example.org.  So the development version is also an active real-world website: my nginx configuration makes it only visible to me.
  • The document roots are /var/www/website and /var/www/website-dev respectively.
  • The ‘bare’ production git repository can be anywhere on the server.  I’ll put it at /var/www/website.git.  It’s a git convention to use the .git extension for bare repositories.

The steps for setting it up are as follows.  I’ll leave the setting of suitable permissions and use of sudo as an exercise for the reader.

  1. Put some web pages in /var/www/website-dev.
  2. mkdir /var/www/website cd /var/www/website-dev git init git add <all the appropriate files and directories> git commit -a -m "a message" mkdir /var/www/website.git cd /var/www/website.git git --bare init
  3. Create /var/www/website.git/hooks/post-receive containing:
#!/bin/bash GIT_WORK_TREE=/var/www/website git checkout -f
  • In the following, I’ve used ‘live’ as an alias for the production environment; you could use ‘prod’ or whatever you fancy.
  • chmod +x /var/www/website.git/hoots/post-receive cd /var/www/website-dev git remote add live file:///var/www/website.git git push live +master:refs/heads/master git push --set-upstream live master git push live
  • And, as if by magic, the files from the master branch of /var/www/website-dev are now in /var/www/website.
  • Then whenever you’ve got new code ready to into production, all that’s required is:
  • git push live
    Categories: LUG Community Blogs

    Steve Kemp: The selfish programmer

    Planet HantsLUG - Fri, 25/07/2014 - 14:16

    Once upon a time I wrote a piece of software for scheduling the classes available to a college.

    There was a bug in the scheduler: Students who happened to be named 'Steve Kemp' had a significantly higher chance (>=80% IIRC) of being placed in lessons where the class makeup was more than 50% female.

    This bug was never fixed. Which was nice, because I spent several hours both implementing and disguising this feature.

    I'm was a bad coder when I was a teenager.

    These days I'm still a bad coder, but in different ways.

    Categories: LUG Community Blogs

    The department of dirty

    Planet SurreyLUG - Thu, 24/07/2014 - 10:03

    I quite like the Open Rights Group‘s new campaign against internet filtering

    The Department of Dirty is working with internet and mobile companies to stop the dirty internet. We are committed to protecting children and adults from online filth such as:

    • Talk to Frank: This government website tries to educate young people about drugs. We all know what ‘education’ means, don’t we? Blocked by Three.
    • Girl Guides Essex: They say, ‘guiding is about acquiring skills for life’. We say, why would young girls need skills? Blocked by BT.
    • South London Refugee Association: This charity aims to relieve poverty and distress. Not on our watch they don’t. Blocked by BT, EE, Sky and VirginMedia
    We need you to help us take a stand against blogs, charities and education websites, all of which are being blocked [1]. It’s time to stop this sick filth. Together, we can clean up the internet.www.departmentofdirty.co.uk
    Categories: LUG Community Blogs

    Anton Piatek: The department of dirty

    Planet HantsLUG - Thu, 24/07/2014 - 10:03

    I quite like the Open Rights Group‘s new campaign against internet filtering

    The Department of Dirty is working with internet and mobile companies to stop the dirty internet. We are committed to protecting children and adults from online filth such as:

    • Talk to Frank: This government website tries to educate young people about drugs. We all know what ‘education’ means, don’t we? Blocked by Three.
    • Girl Guides Essex: They say, ‘guiding is about acquiring skills for life’. We say, why would young girls need skills? Blocked by BT.
    • South London Refugee Association: This charity aims to relieve poverty and distress. Not on our watch they don’t. Blocked by BT, EE, Sky and VirginMedia
    We need you to help us take a stand against blogs, charities and education websites, all of which are being blocked [1]. It’s time to stop this sick filth. Together, we can clean up the internet.www.departmentofdirty.co.uk
    Categories: LUG Community Blogs

    Mick Morgan: department of dirty

    Planet ALUG - Wed, 23/07/2014 - 13:42

    Like most ‘net users I get my fair share of spam. Most of it gets binned automatically by my email system, but of course some still gets through so I am used to hitting the delete button on random email from .ru domains offering me the opportunity to “impress my girl tonight”.

    Most such phishing email relies on the recipient being dumb enough, naive enough, or (possibly) drunk enough to actually click through the link to the malicious website. I was therefore more than a little astonished at an email I received today from the open rights group. That email is given below in its entirety (I have obfuscated my email address for obvious reasons).

    From: Department of Dirty
    To: xxxxxxxx@yyy.zzz
    Subject: Cleaning up the Internet
    Date: Wed, 23 Jul 2014 07:14:18 -0400 (EDT)

    Dear Mick,

    Ever thought the internet was just too big? Want to help clean up online filth?

    *Welcome to the Department of Dirty*

    Watch the Department tackling its work here: www.departmentofdirty.co.uk and share our success, as we stop one man try to get one over us with his ‘spotted dick recipe’:

    Department of Dirty Video: http://www.departmentofdirty.co.uk/

    The Department of Dirty is working with internet and mobile companies to stop the dirty internet. We are committed to protecting children and adults from online filth such as:

    *Talk to Frank: This government website tries to educate young people about drugs. We all know what ‘education’ means, don’t we? Blocked by Three.
    *Girl Guides Essex:
    They say, ‘guiding is about acquiring skills for life’. We say, why would young girls need skills? Blocked by BT.
    *South London Refugee Association:
    This charity aims to relieve poverty and distress. Not on our watch they don’t. Blocked by BT, EE, Sky and VirginMedia

    This is just the tip of the iceberg.

    We need you to help us take a stand against blogs, charities and education websites, all of which are being blocked [1]. It’s time to stop this sick filth. Together, we can clean up the internet.

    http://www.departmentofdirty.co.uk

    Sincerely,

    Your Department of Dirty representative

    [1] You can find out what we’re blocking at this convenient website: https://www.blocked.org.uk/

    [DISCLAIMER] This email has come from the Open Rights Group. This email was delivered to: xxxxxxxx@yyy.zzz If you wish to opt out of future emails, you can do so here.

    Now, I’m an ORG supporter (i.e. I am a paying member) and I am sure that someone, somewhere in ORG thought that this email campaign was a great idea. After all, it follows up the ORG’s earlier research on the fairly obvious stupidities arising from the implementation of Dave’s anti-porn campaign, it looks “ironic”, and it uses a snappy domain name which has shades of Monty Python about it. But I’m sorry, in my view this most certainly is not a good idea and I’m sure that ORG will come to regret it.

    One of the most fundamental pieces of advice any and every ‘net user is beaten up with is “do not click on links in unsolicited emails”. In particular, the advice normally goes on – “if that email is from an unknown source, or has in any way a supicious from address you should immediately bin it”.

    This email comes from an unknown address with a wonderfully prurient domain name. Even if it is successful and gets to the intended email inbox [1], it then relies on the recipient breaking a fundamental security rule. It does this by encouraging him (this looks to be male targeted) to click on a link which the naive might believe leads to a porn video.

    How exactly is that going to help?

    ([1] Note. It got to my email inbox because the email system at e-activist.com which sent it is allowed by my filters.)

    Categories: LUG Community Blogs

    MJ Ray: Three systems

    Planet ALUG - Tue, 22/07/2014 - 04:59

    There are three basic systems:

    The first is slick and easy to use, but fiddly to set up correctly and if you want to do something that its makers don’t want you to, it’s rather difficult. If it breaks, then fixing it is also fiddly, if not impossible and requiring complete reinitialisation.

    The second system is an older approach, tried and tested, but fell out of fashion with the rise of the first and very rarely comes preinstalled on new machines. Many recent installations can be switched to and from the first system at the flick of a switch if wanted. It needs a bit more thought to operate but not much and it’s still pretty obvious and intuitive. You can do all sorts of customisations and it’s usually safe to mix and match parts. It’s debatable whether it is more efficient than the first or not.

    The third system is a similar approach to the other two, but simplified in some ways and all the ugly parts are hidden away inside neat packaging. These days you can maintain and customise it yourself without much more difficulty than the other systems, but the basic hardware still attracts a price premium. In theory, it’s less efficient than the other types, but in practice it’s easier to maintain so doesn’t lose much efficiency. Some support companies for the other types won’t touch it while others will only work with it.

    So that’s the three types of bicycle gears: indexed, friction and hub. What did you think it was?

    Categories: LUG Community Blogs

    Chris Lamb: Disabling internet for specific processes with libfiu

    Planet ALUG - Mon, 21/07/2014 - 19:26

    My primary usecase is to prevent testsuites and build systems from contacting internet-based services. This, at the very least, introduces an element of non-determinism and malicious code at worst.

    I use Alberto Bertogli's libfiu for this, specifically the fiu-run utility which part of the fiu-utils package on Debian and Ubuntu.

    Here's a contrived example, where I prevent Curl from talking to the internet:

    $ fiu-run -x -c 'enable name=posix/io/net/connect' curl google.com curl: (6) Couldn't resolve host 'google.com'

    ... and here's an example of it detecting two possibly internet-connecting tests:

    $ fiu-run -x -c 'enable name=posix/io/net/connect' ./manage.py text [..] ---------------------------------------------------------------------- Ran 892 tests in 2.495s FAILED (errors=2) Destroying test database for alias 'default'...

    Note that libfiu inherits all the drawbacks of LD_PRELOAD; in particular, we cannot limit the child process that calls setuid binaries such as /bin/ping:

    $ fiu-run -x -c 'enable name=posix/io/net/connect' ping google.com PING google.com (173.194.41.65) 56(84) bytes of data. 64 bytes from lhr08s01.1e100.net (17.194.41.65): icmp_req=1 ttl=57 time=21.7 ms 64 bytes from lhr08s01.1e100.net (17.194.41.65): icmp_req=2 ttl=57 time=18.9 ms [..]

    Whilst it would certainly be more robust and flexible to use iptables—such as allowing localhost and other local socket connections but disabling all others—I gravitate towards this entirely userspace solution as it requires no setup and I can quickly modify it to block other calls on an ad-hoc basis. The list of other "modules" libfiu supports is viewable here.

    Categories: LUG Community Blogs
    Syndicate content