Humor Archive

Very amusing :).

Be the first to comment

Verizon | – Arbitration and Mediation

Posted January 19, 2013 By Landis V

At Verizon, customer satisfaction is a priority.

via Verizon | – Arbitration and Mediation.

This was good for a chuckle.  At Verizon, customer satisfaction exists only as a byproduct of customer sedation.  As long as you’re not an immediate flight risk or a very loud complainer, and continue to pay your bills regularly even if you grumble a little, Verizon satisfaction is a priority at Verizon.  If you’re too annoying or actually want things fixed, customer severance becomes a priority.

Be the first to comment

Be the first to comment

I don’t think you should be using sudo and maybe you shouldn’t be using Linux at all.

The money quote.  Love this.  Article was well written with clear and helpful examples.  Thanks, Tony.

via Understanding and using sudo in Unix or Linux (with examples).

Nobody has told me much about Linux, but I have learned vast amounts from the community.  There is a downside to that, however.  In an interactive conversation, certain things may come up that generate further discussion by their nature, whereas simple consumption from the web (or any other medium) may leave a vague hunch without actually provoking the “deeper dive”, if you will.

Such is the case, for me, with sudo and setuid.  I’ve always had the impression that setuid was a “bad thing to do”™, because (in an overly broad and general sense) if your setuid application was compromised by a security flaw, your system was effectively compromised.  sudo was “a good thing”™, because you could perform administrative functions easily without having to log out, log in as root, take care of the task at hand, and then return to your normal user shell.

Fast forward to today.  I’ve been doing some testing with check_mk, and ran into an issue where the default host check utilizes the Nagios check_icmp plugin.  When check_mk attempts to run same, it fails with an error indicating that the executable must be run as root or have setuid root set.  I presume the reason Nagios (or “nagios”, if you want to call the process by its username) is able to perform the checks is because the process is initiated as root and drops privileges, but maintains the permissions required to interface with the network stack.  In this case, (I think… haven’t proved it yet) it’s irrelevant.  What I really want to know is – which is the better option to use, given that I can change the command used for the default check to use sudo if needed.

Jump... to conclusions!

Jump... to conclusions!

After reading Tony’s article and taking into consideration that the sudo application itself is a setuid binary, I’m going to make a quick jump to  conclusions that probably doesn’t much matter in any case, since the executable will be effectively running as root.  I’m going to go with an edit to /etc/sudoers that will permit just the webserver account to run the plugin as root.  I have two reasons for this approach, one or both of which may be wrong.

First, I suspect there have been a lot more eyes on the code for the sudo binary than on the Nagios plugin binary, and if there’s going to be a flaw in one, it’s probably the latter (n.b. – I would not expect to see a flaw in the Nagios code, either… monitoring systems are, by their very purpose, allowed to converse with very critical infrastructure and best practices in development and security should be priorities).

Second, using sudo I can allow limited access to run the plugin as root, restricting that ability to just the webserver user account.  With setuid, any user who has the ability to execute the program (given a mask of 755, effectively everyone) can A.) run the program, and B.) do so as root.

In a perfect world – or maybe just a parallel dimension to this one – I could (and perhaps should) set the user and group ownership of the file more specifically, chmod o-x the plugins, and then chmod u+s the particular check_icmp plugin I needed.  This would likely be a more achievable solution in cases where it is difficult or impossible to control how the binary is called.

EDIT:  So, there’s an interesting new problem with this approach.  While the return code from the executed plugin is provided as the return code from sudo, the data returned by the plugin is sadly missing.  This makes sense, and it should have occurred to me.  There are a few ways I could get it back:  Fun with pipes, PID’s, and file descriptors using GDB (example here); parsing and passing the results as a passive host check to the Nagios external command file (might make sense since check_mk submits results as passive checks anyway).  Probably others.  At this juncture, I will probably at least test with the setuid bit set, and perhaps just leave it that way.

2 Comments so far. Join the Conversation

Too good not to share

Posted January 4, 2012 By Landis V

How to Explain Gay Rights To an Idiot

Simple, humorous, straightforward.  Could probably be stretched to include other rights, but it would dilute the simplicity and the clarity.

Be the first to comment


Posted May 19, 2011 By Landis V Looks like an amusing read. Wooden gears A great idea for a honeypot FTP

Really, really need to take some time to play with cfengine.

Had a funny thought about Apple (of the garden) being treated like a religion, “meticulous management of customer experience” (i.e., “herding the flock”), and suddenly it’s now the Rapture.

openssl s_client -connect #Command-line SSL connections

Would be nice to have a ping command with a configurable (via command line switches) exponential weighted moving average for packet loss. That way, you could watch some statistics on loss over intervals while running from a command line, and not just be interpreting loss for the time since you started the command an hour (day/week/whatever) earlier. I’m a little more interested in the spectrometer.  I always thought it would be interesting to have one of those.

Be the first to comment


Posted April 15, 2011 By Landis V

Voluntary Simplicity by Duane Elgin

n2h2p on sourceforge – finally, a way to convert a proxy to allow URL filtering on Cisco routers.

Be the first to comment