More sudo goodness
2009-06-10 21:39 - coding security
I’m working on a few projects at Google that require adding things to the sudoers file to permit a role user a very limited set of privileged commands on a very limited set of machines.
Unfortunately, the current way of handling this in anything but the very latest Debian Sid/Ubuntu Karmic is rather poor – one needs to add entries line by line to /etc/sudoers, remove any outdated entries, and then check the integrity using visudo.
Wouldn’t it be nice if there were a sudoers.d equivalent? Well, there is the #include directive in sudo 1.7.0, but none of the stable shipping Debian-based distributions have anything newer than sudo 1.6.9.
Fortunately, Sid and Karmic now have sudo 1.7.0, meaning that it’s now sane to backport their sudo packages to the LTS editions of Ubuntu in use at Google. I’ve done this using prevu for Ubuntu dapper and hardy and verified that the packaging works without modification – just rebuild and deploy.
The backport request is at https://bugs.launchpad.net/hardy-backports/+bug/384100, should some kind souls wish to try the backport and report back on the results :) – instructions on using prevu are at https://wiki.ubuntu.com/Prevu, should one not wish to trust me with building sudo binaries ;).
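A per-role fragment of the kind the #include directive makes possible, as an added example (not from the post; the role user, hosts and commands are made up):

```conf
# /etc/sudoers.d/webops -- example fragment (hypothetical role, hosts, commands).
# Pulled into the main file by one line in /etc/sudoers (sudo >= 1.7.0):
#     #include /etc/sudoers.d/webops
# Keep the fragment root-owned and mode 0440, like /etc/sudoers itself.

# Host names must match what `hostname` prints on each machine.
Host_Alias  WEB_HOSTS = web01, web02, web03

# Exact command lines only: fixed arguments, no wildcards, so the role
# user gets these two operations as root and nothing else.
Cmnd_Alias  WEB_CTL   = /usr/sbin/invoke-rc.d apache2 reload, \
                        /usr/sbin/invoke-rc.d apache2 restart

# The role user, only on the web hosts, only the two commands above.
webops      WEB_HOSTS = (root) NOPASSWD: WEB_CTL

# The open-ended form a hurried hand edit tends to produce -- do not use:
#   webops  ALL = (ALL) NOPASSWD: /usr/sbin/invoke-rc.d
# With no arguments pinned, any service action on any host is permitted.
```

Check the fragment on its own with `visudo -c -f /etc/sudoers.d/webops` before adding the #include line, then confirm the result with `sudo -l` as the role user: on a host still running 1.6.9 the #include line parses as a comment, so a fragment that never took effect looks exactly like one that did.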

Announcing the newest member of my family
2009-01-17 20:00 - friends
I adopted Misty today from Pyles of Smiles, a rescue organization in Cottonwood, CA (near Redding, CA). She’s a Samoyed puppy, about a year old, weighs 45 pounds, and is the most adorable and precious thing I can imagine. Like me, she’s very inquisitive, strong-willed, and smart, but quiet and sometimes a little shy. She was abandoned by her original family prior to being found, rescued, and adopted :).
I’ve wanted to have another Samoyed in my life ever since I left for college and no longer had Blizzard, my parents’ Samoyed, as a companion; he died while I was away at college. For obvious reasons, taking on the responsibility of caring for a dog during college wasn’t an option, but now that I have an independent life of my own, I’m in a position to finally have a canine family member living under my roof. Thanks to Google’s dog-friendliness, I should be able to take her to work starting Tuesday assuming that I confirm that she’s been potty trained well.

Teaching an Intro to Game Design class
2008-09-14 00:52 -
I haven’t posted anything technical in a while, because a good deal of my work at Google as an SRE is day-to-day maintenance and refactoring rather than projects that I can discuss publicly. However, here’s something that I can mention externally.
Standard disclaimer: any opinions expressed in the material posted below are mine alone and not necessarily those of my employer, etc. etc.
A month ago, I was asked to write and give a 1-hour presentation on game design to a class of students attending Google’s Computer Science Summer Institute – the goal of the class was to give the students an opportunity to learn about applications of computer science they might go into once they’ve graduated from school.
The slide show I produced, building on some preliminary draft material written by the CSSI organizers, will be made available as soon as I secure permission (working on it…); the source code for the corresponding 2d grid game engine I wrote for teaching purposes is at http://www.ctyalcove.org/~elizabeth/gameengine.zip (Google copyright on the code, but Apache licensed so you can do whatever you like with it within those terms).
The simple game engine is fairly rudimentary interface-wise, but is a reasonable teaching tool for demonstrating how one might build upon an engine to create a game of one’s own and provides a good deal of flexibility. A group of 3 students implemented connect-4 within about 60-90 minutes using it following my presentation, and the engine supplies working examples of tic-tac-toe and lights-out.

Liveblogging ROFLCon
2008-04-25 06:11 -
This post will be updated throughout this weekend – it’s excluded from RSS due to the stupidity of Facebook’s RSS puller.
So, having spent a week working on the guts of the intarwebz in Cambridge, I headed down to the MIT campus to revel in the awesomeness of the culture that’s been spawned.
Registration wasn’t terribly chaotic, thanks to the large numbers of volunteer staff. Schwag abounds, although the official ROFLCon shirts cost money. It is somewhat awkward, however, to be sitting around two and a half hours before the keynote without any organized activities. As we’re almost entirely geeks, it seems as if everyone is slightly socially inexperienced. The activation energy for starting conversations and getting to know a whole room full of strangers is slightly too high for much mixing to happen. Yet.
The crowd seems surprisingly gender-balanced; it’s mostly college students from the east coast, but there are people from all over. There’s the Mozilla Firefox and Tron Guy hanging around and mixing with the crowd, as well as a bunch of people from the press (Wired, G4 Tech TV, etc.).
Given the large number of people whose fame comes from video, there’s predictably video cameras all over the place, people giving interviews, and other media madness.
My friend Ken was attempting to do a survey of the operating systems of the people using laptops in the room. We counted mostly Macbooks, with a small smattering of Thinkpads.
With 10 minutes to go until the start of the Friday keynote, the room is starting to fill up, and people seem to be getting to know their neighbors a bit more.
Oh my god, Leeroy Jenkins. He is MCing.
David Weinberger is giving the keynote:
Broadcast media is a one to many system. The scarcity results in greed. Famous people become a special class that we are supposed to admire. Us vs. them, alienation.
What happens if fame is a network property instead of a broadcast property? Blogging is all about taking off the makeup. People are talking in a way that exposes them as fallible human beings. We have to preemptively forgive our bloggers. This carries into what’s famous on the web – it feels like it’s done by human beings, even though they may be mass.
/WE/ made Mahir (kiss you page) famous. This was our celebrity/fame. We can take someone who’s not on the face of it famous. People pass things around. People tell each other what’s worth watching. It’s an odd conversation we’re having with ourselves. Comments (60k on laughing baby on youtube). We’re inventing new forms all the time. This is an amazing thing we’ve done. Do it yourself fame is peer to peer fame. In the future, everyone will be famous to 15 people. Abundant fame – we don’t know how fame works when it’s everywhere.
The long tail! Plotting # of famous people/video, you get a curve. Obama girl video vs. music video of obama, less popular.
In broadcast world, it’s a binary phenomenon. People are instead making each other famous in smaller circles. All kinds of fame – various attributes, but flawed like all of us.
Panel:
Marmaduke explained – sells tshirts, has google ads; people send him money. It’s remarkable I haven’t gotten sued.
Jibjab – an online comedy site since 1999. Popularity in 2004 (‘this land’ with kerry/bush). 100 pieces of short content. Push for personalization of funny stuff (put your head on dancing figures). Sell credit for sendables. Yahoo/msn licensing deal. Promotional deals with pepsi, budweiser, verizon. Used to sell merchandise, but now focusing on content.
Chuck Norris Facts – most valuable thing in my wallet is a CharlieCard, I’m a college student. I run google ads on my site, I tried merchandising. We tried witty things on shirts.
One red paperclip – traded on craigslist for bigger and better things, posted to boingboing, 14 trades later, had house. Wrote a book, dreamworks picked up movie rights. Going on a speaking tour. Teach government people to think outside the box.
Rocketboom – daily 3-4 minute video blog. News-oriented, highlights the things you guys do. Primary revenue stream is advertising (video advertising) – little bit more valuable compared to TV. Mainstream advertisers.
Million dollar homepage – $1 per pixel, made a million bucks.
To what extent was success from flukes vs. doing something differently?
This land was a perfect storm – different demographic was starting to use the internet. The right people got hold of it and started mailing to others. It’s about being smart once lightning strikes. Take exposure and turn it into something else.
Be willing to do stupid ideas, instead of dismiss them as too stupid.
To what extent does the web inform things other than distribution?
Subject matter comes from the web, audience is specific kind of audience
Organic interest vs. dictated interest
People were doing million dollar homepage pixel buys for attention, pagerank
it was a 4-month story that people followed.
The people who did the trades got publicity
How does demographics (gender, race) play into internet fame?
How does being famous affect everyday life?
———————————————-
Will LOLcats still be around when we’re old?
Seems to have hit a peak a few months ago, we’ll be looking back at it on a nostalgic level though
LOLcode – creator is a grad student in CS, but turned over hashing out the language to the world via forums, wiki
cats have a very wide range of emotions
LOLcode: 80% male
LOLcats: 48% are women between 18-48; 60% female – became more female over time
LOLsecret: always mostly female
How do you feel about the repercussions LOLcats will have on the English language as they become more mainstream?
Linguists love it.
(I ran off to hear Noam Chomsky speak @ Google, will be back for PWNing for the good of mankind at 5)
——
The concert started off a little bit blah, but that’s probably because rap isn’t really my thing. The one thing that I found obnoxious was that a CBS reporter dressed in a tie actually got all the way onto the stage and started crowding it to get video on his camcorder.
People in the audience seem really enthusiastic about the guy, but yeah, not impressed.
(my phone battery died, so I’ll catch up on writing about the concert later.)
—-
Alice Marwick – Making it big
Social status/elitism in web 2.0
At SXSW, people all were talking about web celebrities instead
Fame as social recognition – desire to be recognized for uniqueness
Kids tend to overrate their chances of becoming famous, want to have the trappings of celebrity
Panacea – better, brighter, bigger self.
Myth of rags to riches is purported proof of hope that it could happen to us, celebrity being democratic
Larger than life public personas. pseudocelebrities – known only for fame, not for achievements
Publicity culture – we value what grabs the public’s attention
Path to advancement is public relations and extroversion
Microcelebrity – performance style to respond to fans, continue interaction, broadcast. Breaks down spectator dynamic of traditional celebrity; equality.
Awkwardness in a situation where someone can’t control his/her own image
“Internet Disease” with pictures getting cleaned up, etc. etc.
Press conference and ribbon cutting ceremony existed only to be televised – “Photo op”
We assume that microcelebrities are who they purport to be; they are less controlled than consumer-branded traditional celebrities
Backlash against internet celebrities can be severe when they are shown to be inauthentic; disappointment
Forbes’s “internet celebrity” list usually is tech bloggers; here, we probably have a different notion
Taxonomy:
- Careerist promoters (blatant self-promotion for career purposes)
- Creative promoters (bloggers)
- Self-promoters (promoting themselves as products)
- Reluctant celebrities (accidental fame) – someone with no desire to be famous may find fame disturbing/distressing, some end up adapting to it
Technologies such as youtube/myspace allow people to distribute content to audiences that would be unimaginable 10 years ago
Big media – yahoo, microsoft, google – internet culture embedded in it
Is internet media actually subversive to mainstream media?
It can be very sexist/racist/homophobic
Gay content often tagged as inappropriate no matter what
Most popular blog content is written by white guys despite women being the majority of bloggers
Internet celebrity rarely challenges the status quo
Internet of ROFLCon is a very particular subset of the internet
Each internet culture has set of properties that their celebrities embody
Internet humor isn’t universal humor
Fame as a drug of validation
Generation of narcissists – publicity and looks have replaced character
Always-on culture, continuous partial attention
Think about the voices that get heard – who do we want to hear? Think about responsibility, message.
———-
Panel is pretty inaudible, need to put all of my attention into figuring out what people are saying and who they are instead of blogging.
——-
Incubating the Mindvirus: Meme Infrastructures

sudo 1.6.9 interactions with PAM and libpam_afs_session
2007-11-22 14:01 - ugcs security
For those using libpam_afs_session or any other PAM session modules on Debian Lenny or Sid:
sudo 1.6.9p6-1, which migrated into testing on 2007-11-04, introduced a change in which pam_open_session and pam_close_session are now called before and after command execution.
Previously, in the 1.6.8 branch of sudo, these calls were not made, so there were no references to session modules in /etc/pam.d/sudo. The new calls cause the session entries to be read from /etc/pam.d/other (the default PAM stack file), which in Debian @includes /etc/pam.d/common-session and friends. However, the Debian convention is for each service’s PAM file to explicitly @include the common-* files rather than letting lookups fall through to /etc/pam.d/other; it’s a bug that sudo now calls the session stack but doesn’t mention it in its PAM file (one reason this was so difficult for me to track down).
Since we were invoking pam_afs_session.so and pam_unix.so in common-session, a new PAG was being created on every sudo, and the Unix session logging was also being triggered unnecessarily. Since a fresh PAG carries no tokens, we couldn’t read files in our own home directories after sudoing, so trying a dpkg -i ~/package_1.0.0-1_i386.deb, running nano (which accesses ~/.nano_history), etc. all triggered all sorts of nasty warnings.
For us, the fix was to copy the entries from common-session into /etc/pam.d/sudo, leaving out the pam_afs_session.so entry; with session entries now present in /etc/pam.d/sudo, the default common-session entries are no longer reached. However, I don’t see an easy default way for Debian to handle this – using pam_permit might be a sensible default (and wouldn’t introduce any /new/ behavior compared to 1.6.8), but the common-* defaults exist for a reason…
I’ve filed Debian Bug #452457 about this issue.
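The shape of the /etc/pam.d/sudo described above, as an added example rather than the file from the post; the auth/account lines and the contents of common-session are assumed to be the Lenny-era defaults:

```conf
# /etc/pam.d/sudo -- example for sudo 1.6.9p6 and later on Debian Lenny/Sid
# (hypothetical reconstruction; common-session contents assumed).
#%PAM-1.0
@include common-auth
@include common-account

# sudo 1.6.9p6 now calls pam_open_session()/pam_close_session(). With no
# session lines here, PAM falls through to /etc/pam.d/other, i.e. to
# common-session, which runs pam_afs_session.so and drops the command into
# a fresh PAG with no tokens. Listing the session stack explicitly stops
# the fall-through; pam_afs_session.so is deliberately left out.
session    required   pam_unix.so

# Alternative floated in the post as a possible distro default: a no-op
# session stack, which matches what sudo 1.6.8 did (no session modules).
# session  required   pam_permit.so
```

After the change, `sudo tokens` should list the same AFS tokens as plain `tokens`; an empty list means the command is still landing in a fresh PAG.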

A Pyrrhic victory
2007-11-08 00:10 -
First off, before I start getting bitter: thank you to Rep. Tammy Baldwin, for your efforts to salvage the mess of the non-inclusive ENDA. Thank you to Rep. Jerrold Nadler for standing by the LGBT community and making a principled stand against the bill.
Congressional leaders, especially Rep. Barney Frank, and the Human Rights Campaign have failed the entire LGBT community in the passage of H.R. 3685. I will not be celebrating tonight; instead, I am deeply saddened. I have not yet had a chance to read the debate in the Congressional Record, but I’ll be doing that tomorrow first thing.
Failing to even allow the Baldwin amendment to come to a vote for fear of having the vote held against oneself in a future election is pure and simple cowardice. Our Representatives should grow a pair and show some real Courage. I’m very tempted to read President John F. Kennedy’s Profiles in Courage again to reassure myself that at one point in the past, we had real leaders who stood on principle, rather than sacrificing the moral high ground to “save” their own necks. And it’s not even clear that voting for a trans bill is political suicide at all.
Passage of an incomplete bill that falls far short of providing real protections for gays, lesbians, bisexuals, and transgender people in the United States is far more harmful than helpful. The bill has sent a mixed message – that it’s okay to discriminate against people for their gender identity or expression. I do not want half a loaf.
H.R. 3685 only helps people that are able to ‘pass’ for straight in terms of their gender conformity. It does not protect those of us who work for small companies. It does not protect trans individuals.
Joe Solmonese is a hypocrite, a liar, and a manipulative bastard. By promising one thing to the LGBT community and delivering something very different, he has shown that he, and by proxy, the entire HRC, cannot be trusted. If you have a few minutes, I urge you to listen to his attempts to weasel his way out of being caught in a blatant lie regarding HRC’s commitment to trans inclusiveness.
I am certainly joining with many others in the LGBT community in calling for a boycott of the HRC. Do not give the HRC any donations, unsubscribe from their mailing lists, and refuse to volunteer for them. It is clear that they are not a human rights organization at all, but merely a petty advocacy group for the very narrow group of straight-passing gay men rather than the entire LGBT spectrum.
I would say more, but others in the community can probably say it better than I can. Pam’s House Blend and Donna Rose are speculating on where we go from here. I frankly don’t want to think about this now given how disgusted I am with the political system.

Review: Sidekick LX
2007-11-06 16:26 -
I’ve had my Sidekick LX now for two weeks. Keep in mind that I skipped the Sidekick 3 generation entirely, so it probably seems a lot more impressive to me than it would to a Sidekick 3 user.
Things I like:
- The trackball took a little getting used to, but is pretty indispensable and awesome for quickly navigating through things
- The resolution is nice and sharp (although not nearly that of my friends’ Zauruses)
- Battery life seems pretty comparable to the Sidekick II (lasts about 18-24 hours of heavy use).
- The keyboard is less prone to wear compared to the Sidekick II (my old keyboard was peeling off)
- Mmm, mp3 player.
- The design is a lot classier than the Sidekick II and feels very snazzy.
- The flashing trackball light conserves power a lot better than keeping the screen active all the time.
- Having submenus to cluster IM services is extremely useful, as is the quick jump menu.
Things I don’t like:
- Two accidental taps while in keyguard pin entry mode will result in a call to 911. Thankfully, the only times it’s been set off have been when there was no reception, so I didn’t accidentally gum up the emergency response lines, but…
- No SSH client available for purchase yet. Granted, I can compile it from the 3.0 example source using my devkey, but I’m lazy and would rather have something that’s guaranteed to work in a production environment when things go south.
- No more Flash LED controls in the debug menu so I can use it as a flashlight
- The sound effects are a lot more abrupt and disruptive. In general, I’m nostalgic for the old sound scheme.
- Hiding the notes application in the organizer submenu is very frustrating, as I use only the notes app and not the calendar or tasklist apps. There’s no way to customize it either :/
- The Javascript support is still very gimped, and won’t run anything remotely AJAX-like.
All in all, the Sidekick LX is an indispensable tool much like the Sidekick II was for the two years it survived in my hands. I definitely would buy the LX over an iPhone any day due to the sturdy construction and the keyboard, but if the iPhone ever were to get a physical keyboard, I’d spring for the iPhone instead. The iPhone has a much broader range of available software, as well as a full Safari browser.

Reps. Frank and Pelosi throw transpeople under the bus
2007-09-29 23:38 -
The very same day that the Matthew Shepard Act passed the Senate, extending protection against hate crimes to crimes motivated by sexual orientation and gender identity, the Democratic House leadership was gutting transgender rights from the Employment Non-Discrimination Act.
In 31 states in the United States, it is legal to fire someone merely for his or her sexual orientation. In 39 states in the United States, it is legal to fire someone due to his or her gender identity. A Federal ENDA would prohibit this type of outrageous discrimination from occurring in all 50 states.
Rep. Barney Frank, who is both an out gay man and a transphobe, claimed that it would be impossible for a trans-inclusive ENDA to pass, and has moved to separate the bill into two separate bills – one in which sexual orientation would be protected, and the other in which gender identity would be protected (with the latter being infinitely stalled and never being brought for a vote). All but one of the major LGBT lobbying groups have withdrawn their support for a non-trans-inclusive ENDA.
Rep. Frank has made numerous statements demonstrating his ignorance and contempt such as “There are workplace situations – communal showers, for example – when the demands of the transgender community fly in the face of conventional norms and therefore would not pass in any Congress. I’ve talked with transgender activists and what they want – and what we will be forced to defend – is for people with penises who identify as women to be able to shower with other women.” and his concern about “[...]
schoolteachers, and what happens when the kid comes back from summer vacation and teachers change gender. We just lost enough Democrats and we couldn’t be sure of the Republicans.”
Rabid transphobic voices in the gay community are whitewashing the history of Stonewall and claiming that transgender people do not deserve protection because we have not fought as hard as they have for rights. If a non-trans-inclusive ENDA passes, will gay rights organizations stand behind transpeople to continue the fight for equal employment for transgender Americans, or will they proceed to divert the entirety of their resources into issues such as marriage, etc. and ignore transpeople?
Recent order of magnitude estimates have it that about 1% of Americans are transgender, and that approximately 10% of Americans are lesbian, gay, or bisexual. Gender identity affects many more people than the ancient, grossly incorrect “1 in 30,000” figure sometimes reported in the media. And transgender Americans and bisexual and gay Americans have thus far stood side by side in crusading for equal rights. I feel extremely betrayed by those in positions of power, supposed allies, who have cast aside one group in favor of another for the sake of political expediency.
Thankfully, Congressman Adam Schiff, the representative for Pasadena, cosponsored the original trans-inclusive bill and has pledged his continued support for it. But many other congressmen and congresswomen (and, ironically, the Human Rights Campaign) sadly need to be persuaded in order for them to truly understand the meaning of human rights.
Please call your representative in Congress and/or take 5 minutes to sign these petitions to tell Congress that transgender people do matter:
http://www.ipetitions.com/petition/transgender_inclusive_ENDA/
http://www.nosubstitutes.org/
I do not think that I can believe in a country dominated by those who wish to allow my rights to be stripped away simply due to who I am.
Thanks,
Liz
P.S. also, incidentally, I was on British TV last week when I talked to Lucy Parker’s grandfather Kevin on camera about 2/3 of the way through the recent documentary that aired about her journey to Thailand for SRS.
P.P.S. A quote I’m stealing from a friend:
The Civil Rights Act of 1964 did NOT only give protections to African-Americans and Hispanics – with a “promise” to work real hard for protecting Asian-American and Native Americans “at a later date”. That’s what they are proposing to do this time.
P.P.P.S. http://cbs5.com/video/?id=26888@kpix.dayport.com&tr=y&auid=3016956 is a very moving and courageous stand by the mayor of San Diego in favor of gay marriage. I think it’s definitely worth watching the 5 minute length – it pretty succinctly sums up a lot of what I feel as well. Love is love, and that’s all that should matter.

AFS, Apache, and pseudo-SuExec
2007-09-22 02:45 - ugcs security
It’s been an exceptionally busy week for me on the UGCS front, despite my being on vacation and traveling.
On Monday morning, we migrated everyone’s mail over to our nice new shiny 8-core Xeon server (hermes) and forced everyone into using our new Kerberos infrastructure to authenticate against IMAP and POP. We discovered quite a few problems after the migration that we hadn’t caught during initial testing, but as of Thursday we had everyone’s legacy mail converted and mail delivery was finally stable. I’ll blog separately about that when I have working configs to post, should someone attempt an effort similar to UGCS in the future (I’m currently debugging an issue with mail forwarding). In short, we’ve set up delivery to maildirs on AFS, postfix, dovecot, GSSAPI auth (Kerberos), LDAP mail delivery settings and nss info, mailman, amavisd, clamd, and spamassassin, all happily playing with each other now.
We also ended up moving over web services to the new ‘service’ machine (poseidon) on Thursday because the old webservers had finally had it and were timing out and refusing to function.
Inspired by this post by Todd Lewis from the University of North Carolina, but lacking his source code, I endeavored to create an equivalent of suEXEC for our users. The problem is that Apache does not run with the Kerberos tokens of users, so it cannot perform sensitive read or write operations on user data; it can only read the data in ~/public/www. Many of our users rely on CGI to manipulate flat file databases, etc., so giving them some level of control over their data via CGI, without opening them up to cross-user scripting vulnerabilities from malicious users, was somewhat of a priority.
http://www.ugcs.caltech.edu/~elizabeth/cgi-wrapper is the result of my efforts – it’s meant to be run setuid root and be executable only by Apache, which invokes it via “ScriptAliasMatch ^/~(.+)/cgi-bin/(.*) /usr/local/sbin/cgi-wrapper”. $10 security bug bounty, payable via Paypal to the first person who finds a security hole in it. The script was largely written according to Todd’s spec, and essentially pulls the tokens for a user from a root-only file, sets environment variables so the wrapped script won’t notice the aliasing, and then changes uid/gid to the user and creates a new PAG context with the tokens for that user’s cgi subuser. The cgi subuser can be assigned very limited permissions using AFS ACLs, so a vulnerable cgi script can’t wipe out one’s homedir or mail (unless of course given permission to do so).
Now that our webservices are up, I’ve migrated the UGCS development wiki over to poseidon, but it currently requires a Kerberos login to view (sorry, guys). I used mod_auth_krb plus Extension:AutomaticREMOTE_USER to make it work.
All in all, a very productive week on my side project :) – we’re definitely going to make the September 29th switchover date to shut down the old cluster and convert old cluster’s servers into shell machines in the new cluster.

Review: But I'm a Cheerleader (1999)
2007-09-09 02:37 - reviews
I watched But I’m a Cheerleader tonight. It was pretty awesome, although the ending was a bit contrived. Mmm, hot femme chicks. I definitely agree with the critics about the gay guys being excessively stereotypical, and there definitely wasn’t as much depiction of the relationship between Graham and Megan as I would have liked. All in all, I’m really glad that I’ve started to have a pretty good sense of humor about gender stereotypes and movie quotes such as “we can’t allow you to live an unhealthy lifestyle under our roof” and “you’re choosing to cut us out of your life”. The scene in the film that resonated most with me involved Megan putting all of the pieces together about her orientation being different – the fact that she enjoys looking at the bodies of other women, that she’s very touchy-feely with women, that she is repulsed by the idea of her boyfriend french-kissing her, and that she likes to keep photographs of women in her locker and bedroom.
I may need to go on a moviewatching binge and see some of the other LGBT themed movies out there that I’ve been missing out on.
Grade: B+

