Gidget is a script interface to Linux inotify. That means it can cause a script or program to be run when a filesystem object (typically a data file) is modified (usually by being created or deleted). It does this without polling: the kernel notifies gidget when a watched object changes, so a system using gidget to react to filesystem changes can support far more activity than one built on polling loops. It also means you can really hurt yourself if you don’t structure your scripts very carefully and manage your security properly – this is a major power tool, not a pocketknife! You must carefully plan your permissions, access controls, and process limitations: the script runs with whatever identity and limits gidget hands it, and inotify reports whatever file name the writer chose.
The new version correctly loads secondary groups when it creates the script execution process. This is typically pretty important – groups are a robust and reliable means of access control, and more portable than ACLs. Gidget is written in C, because it is a kernel-interactive process that can be run in a privileged (or unprivileged) mode. I strongly recommend thorough testing of your configuration in unprivileged, single user mode.
As usual, the new version is well tested; it has been in active production use for several years. Thanks as always to HBCS who originally sponsored the development of gidget under version 2 of the GNU General Public License.
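The structure the two paragraphs above ask for, written out as an added example that is not gidget’s own code: the same react-to-a-file-change pattern built on inotifywait from inotify-tools (assumed installed), with the file name validated before it reaches any command line, the handler run as a dedicated service account with that account’s full group list, and a time limit on each run. The handler directory, service user name and the use of util-linux runuser and timeout are assumptions for the illustration.

```sh
#!/bin/sh
# Added example, not gidget's own code: "run a script when a file changes"
# on top of inotifywait, structured the way the post says such scripts must be.
# Assumptions: inotify-tools, util-linux runuser and timeout are present;
# handler scripts live under HANDLER_DIR; the service account is WATCH_USER.
HANDLER_DIR=${HANDLER_DIR:-/usr/local/libexec/watch}
WATCH_USER=${WATCH_USER:-watchsvc}

# inotify reports whatever name the writer chose: leading dashes, spaces,
# newlines and shell metacharacters included. Accept only a strict allowlist
# before the name goes anywhere near a command line or a parser.
safe_name() {
    nl=$(printf '\n.'); nl=${nl%.}          # a literal newline
    case $1 in
        ''|-*|*/*|*..*|*"$nl"*) return 1 ;;
    esac
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*$'
}

# Map an inotify event to its handler. Unknown events are dropped rather than
# routed to a catch-all, so a new event type cannot trigger code by accident.
handler_for() {
    case $1 in
        CREATE)      printf '%s\n' "$HANDLER_DIR/on-create" ;;
        CLOSE_WRITE) printf '%s\n' "$HANDLER_DIR/on-write" ;;
        DELETE)      printf '%s\n' "$HANDLER_DIR/on-delete" ;;
        *)           return 1 ;;
    esac
}

# run_handler EVENT NAME: pass event and name as separate argv words (never
# through eval or sh -c), as the service user, under a wall-clock limit.
# runuser -u initialises the target user's primary and supplementary groups
# from the group database, which is the "secondary groups" point from the post.
run_handler() {
    script=$(handler_for "$1") || return 0
    if ! safe_name "$2"; then
        logger -t watch "rejected file name for event $1"
        return 0
    fi
    [ -x "$script" ] || return 0
    timeout 30 runuser -u "$WATCH_USER" -- "$script" "$1" "$2"
}

# watch_loop DIR: block on inotifywait and dispatch each event. The format
# puts a tab between event and name; the name is everything after the first
# tab, so a tab in a name cannot shift the fields (safe_name rejects it anyway).
watch_loop() {
    tab=$(printf '\t.'); tab=${tab%.}
    inotifywait -m -q -e create -e close_write -e delete \
        --format "%e${tab}%f" "$1" |
    while IFS= read -r line; do
        event=${line%%"$tab"*}
        event=${event%%,*}              # strip qualifiers such as ",ISDIR"
        name=${line#*"$tab"}
        run_handler "$event" "$name"
    done
}

# Usage on a real system (not run when the file is sourced):
# watch_loop /srv/incoming
```

runuser needs root, so in this shape the watcher itself is the privileged process and only the handler is dropped; that is exactly the mode the post recommends testing unprivileged first. Two inotify facts worth remembering when planning limits: a watch is not recursive (subdirectories need their own), and when the kernel queue fills the process gets an IN_Q_OVERFLOW event and the intervening events are gone, so a handler must tolerate missed notifications.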
Category Archives: code
Mikulski Space Telescope Archive
I’m not a huge fan of outgoing Maryland senator Barbara Mikulski herself, but the Mikulski Archive for Space Telescopes (https://archive.stsci.edu/) is pretty great. I like their little code snippets.
Don’t be a .local yokel
Wikipedia has a nice technical write up that explains why you should never, ever use the .local suffix the way Microsoft has frequently recommended.
But I like this politically incorrect version better:
Microsoft: “Gee, nobody is using the .local piece of the globally shared Internet namespace, so let’s tell all our customers that it’s best practice to use it for our totally super cool version of Kerberized LDAP service called Active Directory!”
Novell: “Oh noes, Microsoft has made an inferior competitor to our flagship technology! It’ll probably destroy our market advantage just like their inferior networking stack did!”
Linux/Unix: “Oh noes, when somebody attaches the new Microsoft technology to an existing mature standards-based network, Kerberos breaks!”
Microsoft: “HA HA HA HA HA HA HA we are totally following the standard, lusers!”
Linux/Unix: “grumble whine we will patch Kerberos even though we don’t agree.”
Microsoft: “whatevs. Did you notice we broke your DNS too? :)”
Apple: “Hey, IETF, we have this cool new zeroconf technology. We want to reserve the .local namespace for it.”
IETF: “OK, sure, you’ve filled out all the forms and attended all the meetings and there’s two independent implementations so you’ve done everything correctly. We have no valid reason to deny this allocation.”
Novell: “Hey, we were using SLP already, what did you just do?”
Apple: “Oh, whoopsie, did we just eat your lunch? HA HA HA HA HA”
Microsoft: “Hey, what just happened?”
Apple: “HA HA HA HA HA HA HA HA HA HA HA RFC6762, lusers!”
Linux/Unix: “grumble mumble whatevs. We can do mDNS.”
Microsoft customers: “OH NOES WE ARE SCREWZ0RRED”
Microsoft: “Meh, you didn’t really want Apple products on your networks anyway.”
:TEN YEARS LATER:
Microsoft customers: “How much would it cost to fix this network?”
Microsoft: “What, were you talking to us? Everything’s fine here. Windows 10 forever!”
Comodo up to more tricks
People occasionally ask me who they should buy security certificates from. I absolutely will not recommend anyone in particular – even the most honest and honorable Certificate Authorities are inherently swindlers, because the trade itself is pretty much a legalized extortion scheme – but I am willing to say who I don’t recommend – Comodo is the worst CA, hands down. Witness their latest hijinks:
Query all non-subscribed RHEL7 repos at once
The old Red Hat Network was simple and easy to use. The RHN website presented a list of systems in your web browser, with counts of outstanding patches and outdated packages. You could click on a specific system name and do various things like subscribe to specific repositories (channels) etc.
The current Red Hat Network is a glittering javascript tour-de-force that multiplies the number of clicks and the amount of specialized knowledge you will need to manage your systems. You can pay extra for add-on capabilities such as the ability to select groups of systems and apply a set of operations to all of them, which is almost certainly necessary if you have a large number of systems. It’s a sad travesty of the much-maligned system it replaced.
If you’re completely entangled in the new RHN with your Red Hat Enterprise Linux 7 systems (by which I mean that you haven’t managed to exit the Red Hat ecosystem for a more cost-effective infrastructure yet) you might want to do something like figure out which of the various poorly named repos (such as -extras, -optional, and -supplementary) contains some particular package you want.
Command line to the rescue! Ignore all RHN’s useless beauty and use ugly, reliable GNU awk. This, for example, finds the repo where the git-daemon package has been hidden away (the awk script turns each repo ID into a yum query, and the queries are run one at a time so that only one repo is enabled per query).
subscription-manager repos --list | gawk '/^Repo ID/{print "yum --showduplicates list available --disablerepo=\"*\" --enablerepo=" $3}' | bash | grep -i git-daemon
After several minutes (there’s a lot of network traffic involved) you’ll find that versions of git-daemon are in five different repos.
git19-git-daemon.x86_64 1.9.4-2.el7 rhel-server-rhscl-7-eus-rpms
git19-git-daemon.x86_64 1.9.4-3.el7 rhel-server-rhscl-7-eus-rpms
git19-git-daemon.x86_64 1.9.4-3.el7.1 rhel-server-rhscl-7-eus-rpms
git-daemon.x86_64 1.8.3.1-5.el7 rhel-7-server-optional-fastrack-rpms
git-daemon.x86_64 1.8.3.1-4.el7 rhel-7-server-optional-rpms
git-daemon.x86_64 1.8.3.1-5.el7 rhel-7-server-optional-rpms
git-daemon.x86_64 1.8.3.1-6.el7 rhel-7-server-optional-rpms
git19-git-daemon.x86_64 1.9.4-2.el7 rhel-server-rhscl-7-rpms
git19-git-daemon.x86_64 1.9.4-3.el7 rhel-server-rhscl-7-rpms
git19-git-daemon.x86_64 1.9.4-3.el7.1 rhel-server-rhscl-7-rpms
git-daemon.x86_64 1.8.3.1-5.el7 rhel-7-server-optional-beta-rpms
So, you query the Red Hat package manager, rpm, to find out what version of git you have. The format string prints just version-release, which is the form the repo listing uses.
rpm -q --qf '%{VERSION}-%{RELEASE}\n' git
1.8.3.1-6.el7
Since 1.8.3.1-6.el7 matches the latest version of git-daemon available from the rhel-7-server-optional-rpms repository, that’s the repo you need to enable in order to install git-daemon.
subscription-manager repos --enable rhel-7-server-optional-rpms
yum install git-daemon
This process is much easier than using the Red Hat Network web gui, and requires less specialized knowledge. Which is pretty sad, considering how arcane these incantations are.
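The same procedure, as an added example that is not part of the original post: the repo search without building command lines out of program output and piping them to bash, and the “which build matches my installed git” step done by exact comparison instead of by eye. The listing used to exercise it is a constructed sample in the shape yum prints; the functions that talk to subscription-manager, yum and rpm assume a RHEL 7 host and are not run here.

```sh
#!/bin/sh
# Added example, not from the original post: query every subscribed repo for
# a package and pick the repo whose build matches the installed git exactly.
# Assumes RHEL 7 with subscription-manager, yum and rpm for the live parts.

# Constructed sample of `yum --showduplicates list available` output, the
# three columns yum prints once headers are stripped:
# name.arch, version-release, repo.
SAMPLE_LISTING='git19-git-daemon.x86_64 1.9.4-3.el7.1 rhel-server-rhscl-7-rpms
git-daemon.x86_64 1.8.3.1-5.el7 rhel-7-server-optional-fastrack-rpms
git-daemon.x86_64 1.8.3.1-4.el7 rhel-7-server-optional-rpms
git-daemon.x86_64 1.8.3.1-6.el7 rhel-7-server-optional-rpms
git-daemon.x86_64 1.8.3.1-5.el7 rhel-7-server-optional-beta-rpms'

# One repo ID per line. "Repo ID:" is two fields, so the ID is the third.
list_repo_ids() {
    subscription-manager repos --list | awk '/^Repo ID/ { print $3 }'
}

# query_all_repos PKG: ask yum about PKG in each repo in turn. The repo ID is
# passed as an argument, so an odd character in it is never interpreted by a
# shell. Only rows whose first column is PKG.<arch> with all three columns
# present are kept; yum's headers and wrapped long-name rows are dropped.
query_all_repos() {
    pkg=$1
    list_repo_ids | while IFS= read -r repo; do
        yum --showduplicates list available \
            --disablerepo='*' --enablerepo="$repo" "$pkg" 2>/dev/null |
        awk -v pkg="$pkg" 'index($1, pkg ".") == 1 && NF == 3 { print $1, $2, $3 }'
    done
}

# installed_vr PKG: version-release of the installed package, in the same
# form as the second column of the listing.
installed_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"
}

# repo_for_version LISTING PKG VR: the repo of the first row for PKG (any
# arch) whose version-release equals VR exactly; prints nothing if none does.
# index()==1 keeps "git-daemon.x86_64" but not "git19-git-daemon.x86_64".
repo_for_version() {
    printf '%s\n' "$1" |
    awk -v pkg="$2" -v vr="$3" 'index($1, pkg ".") == 1 && $2 == vr { print $3; exit }'
}

# Usage on a real system (not run here):
#   repo=$(repo_for_version "$(query_all_repos git-daemon)" git-daemon "$(installed_vr git)")
#   [ -n "$repo" ] && subscription-manager repos --enable "$repo" && yum install git-daemon
```

The exact-match step is the part worth keeping even if you never script the rest: git and git-daemon are built from the same source package, and installing a git-daemon whose version-release differs from the installed git is how you end up with a fastrack or beta build pulled onto a production box.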
rsyslog & systemd
The ancient Berkeley syslog is a functionally impoverished logging mechanism, but the protocol is well understood and widely supported. You can use a modern version of the daemon (Rainer Gerhards’ rsyslog or syslog-ng, for example) and work around the shortcomings of the protocol itself.
I’ve been working with a Red Hat Enterprise Linux version 7 spin-up, and since systemd is basically a Red Hat product it should come as no surprise that RHEL7 thoroughly embeds systemd.
Here’s a section of the rsyslog documentation for imjournal, the module that reads the systemd journal, describing what happens when the journal misbehaves:
Some versions of systemd journal have problems with database corruption, which leads the journal to return the same data endlessly in a tight loop. This results in massive message duplication inside rsyslog, probably resulting in a denial-of-service when the system resources get exhausted. This can be somewhat mitigated by using proper rate-limiters, but even then there are spikes of old data which are endlessly repeated. By default, ratelimiting is activated and permits processing of 20,000 messages within 10 minutes, which should be well enough for most use cases.
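As an added illustration, not taken from the rsyslog documentation quoted above: a RHEL 7 style rsyslog.conf fragment that loads the journal reader with those limits stated explicitly, so the values are visible to whoever audits the config rather than buried in a default. The state file name is the one the RHEL 7 stock config uses; everything else is the documented module parameters.

```conf
# imjournal reads the systemd journal into rsyslog. The two ratelimit values
# below are the documented defaults (20,000 messages per 600 seconds). Lower
# them if a looping journal must be contained more tightly; raise them only
# for hosts that legitimately log faster than that, because anything above
# the limit is dropped, not queued.
module(load="imjournal"
       StateFile="imjournal.state"
       Ratelimit.Interval="600"
       Ratelimit.Burst="20000")
```

When rsyslog’s message rate jumps with no matching change on the producing side, `journalctl --verify` checks the journal files for the corruption the documentation is talking about, and the state file above is what lets imjournal resume from its last position after a restart instead of replaying the journal from the start.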
Firefox annoyance #5: redirect caching
Firefox Annoyances:
1) Sync
2) pocket
3) hello
4) everything else, other than the plug-in API itself, that isn’t a paper-thin shell around gecko
5) 301 redirect caching
To clear the 301 redirect cache for a single page, go to the “View” menu and light up the “History” sidebar (yeah, of course you forgot about that, nobody uses it), find the site you’re working on, right-click and select “forget about this site”.
annoying git
I’ve been installing git on some corporate servers with the idea of converting existing CVS and ad-hoc code management systems into something reasonably fast and modern.
It’s been somewhat tedious and painful, but supposedly once I’m done the installation will be stable and maintainable. For an enterprise SCM that’s a lot more important than ease of installation, at least in theory. (I ran OpenLDAP for a decade or more, so I can appreciate the value of putting all the pain up front.)
Today’s annoyance is that the gitolite documentation and web site refer to a “hosting user” but the toolset and other web sites describing gitolite installation talk about an “admin user”. After wasting several hours with Google trying to find out exactly what the difference was, I created a new user account for the admin user and executed the commands – at which point it became immediately obvious that THOSE ARE THE SAME DAMN THING.
Curse you, gitolite. I WANTED US TO BE FRIENDS.
mimic --me-harder
I don’t have to use mimic on my cow-orkers because they insert invisible characters into their code all by themselves. And then they tell me that “the system is broken” when their code does not compile…
ISP hacked, blog savaged
Our ISP, iPower.com, was hacked and an amateurish attempt was made to plant various forms of malware on this site. Fortunately for my non-existent readers, the hackers weren’t particularly competent. Unfortunately for me, the same might be said of my ISP… User registrations are disabled, for the nonce, which again will be a trial for my non-existent audience.
Programming time
Never program time. Call the system instead, and let the sysadmins do their job.
The GNU ‘date’ program is excellent, and a good sysadmin will maintain it rigorously.
https://www.youtube.com/watch?v=-5wpm-gesOY
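What “call the system instead” looks like in practice, as an added example that is not part of the original post: the date arithmetic people hand-roll and get wrong around leap days, month ends and time zones, handed to GNU date. It assumes GNU coreutils date (for the -d option) and a working zoneinfo database.

```sh
#!/bin/sh
# Added example, not from the original post: let GNU date do calendar
# arithmetic instead of programming it yourself. Assumes GNU coreutils date.

# days_later YYYY-MM-DD N: the calendar date N days on (N may be negative),
# computed in UTC. Month lengths and leap years are date's problem, not ours.
days_later() {
    date -u -d "$1 $2 days" +%F
}

# to_epoch ISO8601: seconds since the epoch for a timestamp that carries
# its zone (Z or +hh:mm). Making the zone part of the input, rather than
# something the script adds later, is what removes the "forgot the offset" bug.
to_epoch() {
    date -u -d "$1" +%s
}

# from_epoch SECONDS: the inverse, rendered in UTC so the result does not
# depend on the caller's TZ.
from_epoch() {
    date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ
}

# same_wall_time YYYY-MM-DDTHH:MM ZONE N: the same local wall-clock time N days
# later in ZONE, as epoch seconds. Across a DST change this differs from
# "add N*86400", which is the classic hand-rolled mistake.
same_wall_time() {
    TZ=$2 date -d "$1 $3 days" +%s
}
```

The last function is the one to keep in mind: adding 86400 seconds to a timestamp gives you the same instant one day later, not the same wall-clock time one day later, and a scheduler that confuses the two runs an hour early or late twice a year.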
Foswiki dependency hell
I really wanted to run Foswiki, because it seems like most of the TWiki devs ended up there, and because my employers want to run an enterprise wiki with fine-grained access and revision control driven from a corporate directory. Since Foswiki is written in perl, and Graham Barr’s excellent perl-LDAP modules can easily handle arbitrarily complex directory integration, I figured I’d just rip out all the code that checked users and groups against the Foswiki DB and replace it with appropriate LDAP calls, then send my mods upstream to the Foswiki devs. They seem like a good crowd, they’d probably appreciate a non-caching LDAP module.
But we’re heavily federally regulated, and we can’t run unmaintainable code. The number of unpackaged dependencies I’d need to run Foswiki on Red Hat Enterprise Linux is just unsupportable. I can’t find an audited, securely maintained package of File::Copy::Recursive, for example, anywhere. And there’s quite a few more (although some are available from EPEL).
I’d love to find a wiki engine that used real LDAP, instead of just caching copies of data retrieved by LDAP in a local database.
Mapping 2.4Ghz wifi
As featured on hackaday and more than a few other sites.
https://www.youtube.com/watch?v=aqqEYz38ens
Cryptic sword
13th century double-edged European knightly sword, 2lb 10oz (1.2kg), 38″ (964mm) long and 6½” (165mm) across the quillons. Found in the river Witham, Lincolnshire, in July 1825, and presented to the Royal Archaeological Institute by the registrar to the Bishop of Lincoln. The blade was broken near the tip and mended “in modern times” according to the British Library website.
Said to bear an indecipherable inscription “+NDXOXCHWDRCHWDRCHDXORUN” inlaid in gold wire on one side, but to me it looks more like “+NDXOXCHWDRCHWDRCHDXORVI+”.
James Mickens in Norway
“In this bleak, relentlessly morbid talk, James Mickens will describe why making computers secure is an intrinsically impossible task. He will explain why no programming language makes it easy to write secure code. He will then discuss why cloud computing is a black hole for privacy, and only useful for people who want to fill your machine with ads, viruses, or viruses that masquerade as ads. At this point in the talk, an audience member may suggest that Bitcoins can make things better. Mickens will laugh at this audience member and then explain why trusting the Bitcoin infrastructure is like asking Dracula to become a vegan. Mickens will conclude by describing why true love is a joke and why we are all destined to die alone and tormented. The first ten attendees will get balloon animals, and/or an unconvincing explanation about why Mickens intended to (but did not) bring balloon animals. Mickens will then flee on horseback while shouting ‘The Prince of Lies escapes again!'”
https://vimeo.com/135347162
Exchange schema are a tumor inside Active Directory
“Microsoft email software is to the global communications industry and the general public as the Boston Strangler is to the woman alone.”
— Jack Valenti, MPAA
OK, it’s pretty clear that rooms, in the real world, have locations. Many of them have room numbers, and some of them have phone numbers. And a very very few of them have email addresses.
So naturally, Microsoft’s Active directory treats email attributes as the defining characteristics of a room. After all, anything to do with email invokes the dreaded Exchange Shadow LDAP schema. And while your rooms almost certainly don’t have email addresses, somebody somewhere does!
The “room” objectclass is part of the old COSINE schema, a true international cross-platform multi-vendor Internet standard at least as early as 1991 (currently enshrined in RFC4524). So you’d expect to be able to do a simple LDAP search on (objectClass=room) in any directory in the world… and you can, except in AD.
In Active Directory you search for (msExchResourceMetaData=ResourceType:Room). Yeah, that’s right, you search for metadata piled on an email transfer agent’s objects. For some room that has no email capability whatsoever. My theory is that this is because Microsoft’s email and calendaring strategy was defined by people with the outlook and mental capacities of a selfish, spoiled ten-year-old.
Traceroute vs Tracert
Van Jacobson’s traceroute utility is not the same thing as Windows tracert, and the MS-Windows tool is probably more academically correct: tracert sends ICMP Echo Request probes, while the classic traceroute sends UDP datagrams to high, normally unused ports and relies on the final hop answering with ICMP Port Unreachable. The traceroute shipped with most Linux and BSD systems can do both kinds of tracing, but does the Jacobson-style UDP probe by default (use traceroute -I to get the Windows-style ICMP trace). The difference matters behind firewalls, which commonly drop one probe type and pass the other, so a path that “dies” in one tool is worth retrying with the other.
People have occasionally given routers silly names to produce amusing traces.
I can have a page named NUL in linux, though.
Excellent article, but he forgot my favorite, CLOCK$. I used to have a web page with a big, shiny red button linked to <A HREF="c:\clock$\clock$"> and the message “don’t click the button or your computer will be destroyed and all your files deleted”. It didn’t really do that, but it would instantly crash any Microsoft system prior to Win98SE or thereabouts. People did click on it, which still kind of amazes me.
MS WCF (client) open-sourced
I don’t know if the world really needs another IPC mechanism, but there it is.
RMS is online
Richard Stallman finally figured out a way to get online that was ideologically acceptable.
…he now connects to websites from his own computer – via Tor and using a free software browser. Previously, he used a complicated workaround to more or less email webpages to himself. The announcement brought a surprised gasp and a round of applause from the 300-plus attendees.
“At one point, I used to believe that the Firefox trademark license was incompatible with free software, I found out I was mistaken – it does allow the redistribution of unmodified copies,” he said.
Microsoft RDCman
Using Microsoft’s Remote Desktop Connection Manager 2.7, I can open 61 separate server consoles on a Dell Optiplex 390 with an i3 processor.
System performance outside of RDCman turns to treacle, but inside it the consoles are quite usable.
I had a bunch of PuTTY SSH windows open, and a fair number of tabs in firefox, too.