Sudo: Windowsifying unix, step by step!

Submitted by gwolf on Thu, 03/20/2008 - 01:13

Like many people interested in bringing computer security awareness to the public at large, some eight years ago I was thrilled to get acquinted with sudo. A great tool for giving specific admin rights to specific users in a very granular way, with great semantics... And allowing for a degree of flexibility much higher than my needs, honestly.
I think it was the Canonical crew who first thougt of using it backwards, "solving" (for some definition of solution, of course) the long-known problem that desktop users cannot be bothered to understand they are using a normal account which is, for their own personal security, completely separated from the priviledged account.
So, in short, Ubuntu uses a passwordless sudo to grant users (at least I understand it is limited to the first system user, am I right?) access to whatever and whatnot... And most users seem to like this.
Yes, the same way they like Windows: Because it is the no-brainer solution. Now, give a person with no brains some choices... Guess which choice they will pick.
Now, it's assumed by most semi-newbie Linux users that sudo basically means "go ahead". I have tried to get this point across to people complaining that Debian ships a b0rken sudo because it is not basically a ALL ALL = NOPASSWD: ALL
So, as it is currently used... I do feel sadness: Unix systems tend to Windowsification, where real administrator privileges are just a matter of asking whether you are sure. Assuming single, local users for local machines.
[update] Oops! lots of comments explaining my world-view is somewhat flawed... Anyway, I'll reply to the comments themselves.

( categories: )


Submitted by gwolf on Mon, 03/17/2008 - 23:30

It is hard. Some parts of life are just continuous joy. Some are hard.
This is a hard part for me. At one time, I feel the urge to come to my dearest and closest people -and even to the complete unknown ones, such as probably you are, anonymous reader- and speak of whatever comes to my mind. At times, I just want to shut up. Completely shut up, not even talk with myself.
And that is a big problem. My stupid self does not shut up, and keeps thinking over and over.
Anyway... Good friends, anonymous bystanders: A new epoch dawns for me. For bad? For worse? Who knows?
For different? Hell, yes.
[update]: Thanks for the support, here and off-band :)

( categories: )

German and APT::Acquire::Translation

Submitted by gwolf on Mon, 03/10/2008 - 13:25


The webinterface for it doesn't require any authentication at all, leading technically to anonymous translations all over the place. The so-called "review" process consists of the same not-existing authentication, leading to a situation where unknown people can put in whatever they like and have other (or potentially the same) unknown people acknowledge that.
The language team has actively chosen that way because it was said that bad translations simply won't happen and that the review (three people opening the page and clicking onto a button) will not let that happen. Well, it happened. And is happening all over the place.

Hmmm... That sounds quite like a definition of Wiki in my book. Just add a version-control layer underneath, and...
Oh, you didn't? Umh... Tough luck! :-(

( categories: )

Dreamhost: Honest about mistakes. And that's _good_!

Submitted by gwolf on Sun, 03/09/2008 - 18:31

I have been maintaining several minor sites hosted at Dreamhost for about a year. And since over one month ago, my personal website is with them as well. And I must say, I am very pleased with them. No, not (well, not only) because they run Debian on their servers, nor because they are probably the cheapest game in town (I paid something like US$200 for a basically unlimited package , for three years), but because of their degree of responsability and personal service.
Responsability? Aren't they well-known for their network outages? Why, yes, of course - Today's example is paramount: Somebody edited the wrong firewall entry, and all of Dreamhost became unavailable. In general terms, Dreamhost has a great blog-like structured page where they inform customers of every network or server problem they have - No, you don't have to dig in to understand why your site is down: They bring it up to you. Upfront. And in a familiar, very non-formal style.
Whenever I have submitted an issue to their request tracker, I get prompt reply. Does it always solve the situation? no, by far. I'm often told to, basically, go screw myself if I really need such feature... But they are straightforward with that, they are good, nice BOFHs (if such thing ever existed), and they don't present you with corporate-minded studies backing up their solution. Yes, I know that in their servers, it's plainly their way or the highway. But hey, that's what I paid for, right?
That is what wins my heart. Yes, Dreamhost is no good for many, many tasks - including, for example, anything that requires a real RDBMS (forgodssake, they offer MySQL but not PostgreSQL, damnit! WTF!?), nor any legendary five-nines reliability. But they are great for the vast majority of the Internet sites' needs. They even exceed what a simple person like me would ever dream of.
So, my hat off to you guys. Again.
(No, and I'm not getting paid or discounted on services because of this blog post. Although maybe I should! ;-) )

( categories: )

And you call them abusive?

Submitted by gwolf on Wed, 03/05/2008 - 18:06

Madduck complains about the lack of attractive data plans for mobile phone providers in Switzerland. Madduck: As always, you will have to remember there are many people confronted with a much worse situation than yours.
Up to a month ago, I never envisioned using my phone for anything besides... Well, talking. But yes, since I got my new gadget, I keep playing with GPS or using it for simple things that require Web access and do not require much interactivity (the suckiness of a 12-key keyboard is überhuge!) - Provided, of course, that I am near a WiFi hotspot, of course. My mobile service provider, Telcel, just publicly launched its 3G network - this means, of course, prices are well over the roof:
The cheapest plan starts at MX$59 (around US$5.5) a month, and gives you a whooping 1MB of allowed transfer - Anything you do over 1MB will cost you MX$0.06 per kilobyte. Yes, Telcel offers a 1.5Mbps connection, so it'd theoretically take only 6 seconds to exceed the monthly plan. After the joyful first seconds of network access, each second of full-fledged data transfer will cost you 9 pesos - Around US$0.85. How nice!
Now, there are plans for 1, 3, 5, 10, 15, 20, 30, 50, 100 and 1000MB. Their price increases at a slow pace up to MX$459, which is still somewhat expensive if you even thought on using your cell phone as a gateway (say, over Bluetooth) for your regular computer's connectivity. Of course, if I buy 1GB of data transfer, I'd expect a much lower price for each additional Kb. Well, no, it only goes down to MX$0.03. Per Kilobyte, yes, you read right. Those little things your Vic20 was full of.
There is even an unlimited plan. Well, yes, unlimited but limited - For MX$579 (~US$55) you get a nice deal, right? After all, I pay MX$350 for my 1024/128 DSL connection - it is on the right range. Well, no - If you get over 3GB in one month, your data rate will drop to 128Kbps for the rest of the month. Nice. No good as a gateway either.
So, I'm not hiring a 3G plan at all. But that's also a danger - If I open a net-using program at the wrong moment, I'll be billed at MX$0.14 per Kilobyte.
[update] There is another similar service in Mexico, IUSAcell's BAM. Pricing is equivalent, though.

( categories: )

Keep the simplest things DRY and rolling

Submitted by gwolf on Mon, 03/03/2008 - 14:32

What's the best way to join a community, any community? Little by little.
I have been working with Ruby on Rails for well over a year already, even given a talk (at Encuentro Nacional Linux y Software Libre ENLi) inviting other people to use this very nice and well thought out environment. But, so far, I've been only a end-user, not really giving anything back besides minor bug reports.
Well, it's not as much as to say that I'm now a contributor - this is just a first statement of intent. I have worked a bit on several bits of code I keep repeating and hand-copying over my different Rails projects. Of course, that's completely not DRY - And completely not nice. So I decided to stop advancing on several projects, and learn my way on stting those bits of code as Rails plugins.
So far, it's been quite simple - and a good excercise on proper separation. I started, of course, with the easiest bit of code I could think of as useful in a general sense, and packaged it up as acts_as_catalog (of course, proper SVN tree and very basic, introductory README. And, of course, as I keep progressing with this work, I'll keep adding some plugins to my currently quite empty RubyForge page.
Anyway... Little by little, time will come where we have to think more seriously on how to properly bring together the Ruby on Rails style to work more tightly with Debian. Currently, the two have such different points of view on how to manage and ship components that I am not sure we will be able to truly bridge them together... But it is definitively worth trying. Hmh, looks like a task for Debconf! ;-)

( categories: )

I. Feel. Dirty.

Submitted by gwolf on Wed, 02/20/2008 - 19:27

I just spent the productive part of the last couple of days going over several alternatives, as I didn't want to do the most obvious thing.
But I ended up doing it.
I think I did it carefully... And in a restricted system.
Still, having a Web-facing script that executes a password-changing script running with Sudo-granted privileges... No matter how much correctness and sanity checking it involves...
Makes me feel dirty.

( categories: )

cat STDERR | rot13

Submitted by gwolf on Fri, 02/08/2008 - 11:52

Cannot help but laugh and share.
I've been triaging and trying to reproduce some oldish bugs on pkg-perl's packages. Some bugs are no longer there, some have to be forwarded upstream, and so on. Usual tasks, yes.
Until I stumbled with #406227. I just have to laugh and share! Hope nobody feels ashamed - The bug is the result of different people coding maybe under pressure and with quite different mindsets :)
For some reason I fail to understand, the submitter's test case (rot13 implemented over a HTTP proxy) is invoked in the report as ./rot13 2>/dev/null. Of course, when trying to debug a bug report, the first thing to do is not to ignore STDERR. So, off goes the 2>/dev/null. What happens next?

  1. 0 gwolf@mosca[2]/tmp$ perl ./rot13 &
  2. [1] 4394
  3. 0 gwolf@mosca[3]/tmp$ GET -p <a href="http://localhost:8080/" title="http://localhost:8080/">http://localhost:8080/</a> <a href="<br />
  4. Can't" title="<br />
  5. Can't"><br />
  6. Can't</a> locate object method "filter" via package "UGGC::Cebkl::ObqlSvygre::fvzcyr=UNFU(0k604160)" (perhaps you forgot to load "UGGC::Cebkl::ObqlSvygre::fvzcyr=UNFU(0k604160)"?) at /usr/share/perl5/HTTP/Proxy/ line 126.
  7. 500 EOF when chunk header expected

WTF... Well, at least the program name gives me a clue... Lets try to "decrypt" the error message...

  1. gwolf@mosca[4]/tmp$ echo 'UGGC::Cebkl::ObqlSvygre::fvzcyr=UNFU(0k604160)' | rot13
  2. HTTP::Proxy::BodyFilter::simple=HASH(0x604160)

hrm... How comes the filter is filtering its own code and only then refusing to find itself!? Ok, time to open up the manpage - Remember, I'm only group-maintaining this pacakge, I am not yet at all familiar with it! Ok, so the core of the filter is when the submitter states:

  1. my $proxy = new HTTP::Proxy();
  2. $proxy->push_filter(response => new HTTP::Proxy::BodyFilter::simple(sub { tr/a-zA-z/n-za-mN-ZA-M/; }));

While the manpage states it should be invoked as:

  1. my $filter = HTTP::Proxy::BodyFilter::simple->new( sub { ${ $_[1] } =~ s/foo/bar/g; } );
  2. $proxy->push_filter( response => $filter );

Of course, once looking at it, the answer is simple: The submitter left out which element to act on in the anonymous function body - The ${ $_[1] } =~ part. Adding it makes gur svygre jbex nf rkcrpgrq... Err, sorry - makes the filter work as expected.

Now, bonus points: For the non-Perlers out ther: How come we get the namespace translated as well? Oh, that's very simple: In Perl, as in Python (and concievably other languages I'm unaware of), the object is passed to any of its methods as the first argument. Functions in Perl receive their arguments via @_ (read: the default array). And, of course, the tr (regex-based transliteration) takes by default the first thing it sees - the object itself. And what happens when you apply a (string-oriented) regex to an object? Of course, it gets stringified - which, by default, in Perl means converting it to the closest possible description: "a hash reference blessed as an object of the class such-and-such at this memory location". That string gets worked on, and we get UGGC::Cebkl::ObqlSvygre::fvzcyr=UNFU(0k604160). This proxy does not die on very-very-short web pages, where the whole content fits on one iteration of the code (although it does not work correctly - the text remains unaltered, of course, as it was not worked on), but if the request spans several chunks, the second time the filter is called, it will be... just gibberish.

Oh, and what about the extra ${ (...) } around $_[1]? Oh, simple: The string is passed as a scalar reference, so it can be modified in place. Yes, it's the Perl way of pass-by-reference instead of pass-by-value (the default behaviour): Of course the parameter is only passed as a value. Only that the value is incidentally a reference - but who cares? ;-)

Anyway... Many oddities. I would implement the module in a completely different way, and it looks quite backwardish in my book. But then again, TIMTOWTDI.

( categories: )

Converting incoherent sets of data between charsets

Submitted by gwolf on Mon, 02/04/2008 - 23:33

Dato complains that converting changelogs to be UTF8-clean is not always as simple as running iconv - One of the reasons that took me so long to migrate my blog is that, due to having migrated (at different points in time) my previous CMS (Jaws 0.4->0.5->0.7), its underlying database (MySQL 3.4 -> 4.0 -> 5.0 IIRC), the distribution (Debian Woody -> Sarge -> Etch+backports), several reinstalls and all... Well, I had a completely mixed-up database, with some tables in UTF, some tables in latin1, some tables with mixed rows, some tables that for some strange reason had double-mixed rows (that is, that had UTF8 misrepresented as latin1 and then re-encoded into UTF8)... No, it was not fun to sort out.

( categories: )


Submitted by gwolf on Mon, 02/04/2008 - 10:54

Ok, the time has come. I have postponed this change too much - But finally, after three months of having hired my Dreamhost account (and stating so in this very blog), I finally made the switch from Jaws to Drupal.
Now I only hope I don't flood any planets with my RSS (I was careful to check the dates are consistent, but you never know), finish moving over my static content (I carried over about half of it already), play a bit with the theme, and... that's it! :D
Anyway, I promised my oh-so-not-generic-but-what-the-heck Jaws (0.7 at least) to Drupal (5.x) migration script. It worked like a charm - Ok, I only used it to move blog and photo albums/entries, but that's at least the most typical use AFAICT.
Now, I'll have to understand still some more terms and details in Drupal. For example, WTF? Why was renamed to (stated content-type, I guess) Why do my uploaded tar.gz files get renamed to tar_.gz even if I explicitly requested to allow .tar.gz suffix uploads? (same thing, I guess)

( categories: )

Yet Another Ciclotón

Submitted by gwolf on Sun, 01/27/2008 - 23:44

Call me reiterative, but yes, it is this time of the month again: Last Sunday. Today we went cycling to my city's Ciclotón. Although Nadezhda already took part in the August 2007 ciclotón, I was flying in from Europe that day. When I did the Ciclotón in October, she was in Monterrey. Then in December, Rodrigo reminded us that we missed it. So, this is the first time I do the Ciclotón with Nadezhda! (To my defense: Yes, I sent a SMS to Rodrigo... But too late - He probably didn't plan it on time, so we just didn't meet once again).

And what, am I going to come and brag each time I take my bike out for a longer-than-usual ride? (40Km is no small feat. Well, not for me at least!) Probably not. But if you remember, I just got a new toy, and I can now prove it to you all:

( categories: )

Introspection in Perl

Submitted by gwolf on Thu, 01/24/2008 - 11:19

Some days ago, my RSS reader found Mark Jason Dominus' - Yes, the module is (so far, at least - I could not find it on CPAN) only published as a blog post. But don't let that fool you - It's a beautiful (and simple!) Perl module that can help developers that are too lazy to go look up methods in the man pages.

Perl's introspection capabilities are not behind other dynamic languages' (i.e. Python's or Ruby's, speaking only about what I'm familiar with). However, it's used much more seldom, partly because Perl does not ship by default with an interactive console (such as Ruby's irb or Python's regular behaviour when called without an input script). Of course, writing a Perl console is an easy task, and good Perl consoles exist, although its use is not part of the Perl culture.

But of course, just glancing over MJD's code made me come up with a simple, yet useful, way to use introspection in Perl, usable as a simple one-liner. Say you want to look at all of the methods provided by IO::File:

gwolf@mosca[25]/tmp$ perl -e 'use IO::File; print join(", ", grep {defined &{"IO::File::$_"}} sort keys %{"IO::File::"}), "\n"'
binmode, carp, confess, croak, gensym, new, new_tmpfile, open, qualify, qualify_to_ref, ungensym
Want the scalar variables? Of course:
gwolf@mosca[26]/tmp$ perl -e 'use IO::File; print join(", ", grep {defined ${"IO::File::$_"}} sort keys %{"IO::File::"}), "\n"'
Same goes for arrays and hashes. And, of course, leaving out the grep gives you anything. Yup, it's the magic package-name hash trick. Main difference between this and MJD's That goes up the inheritance chain, and is thus much more correct.

Of course, I'll be uploading to Debian very soon - And, why not, I think I'll add a way for it to query on different symbols, not just on methods. And the simple binary to call from the command line. Sounds very much worth it ;-) Thanks, MJD!

( categories: )

Don't need a weatherman to know which way the wind blows

Submitted by gwolf on Wed, 01/23/2008 - 19:59

This could have just been a nice Summer morning, uneventful as they usually are, were it not for the fact that it was already 19:00, and it was mid-winter. (with due apologies, of course, to Bob Dylan and Les Luthiers)

Nadezhda called me, warning me about a very dark sky and strong winds, and went off for her meeting. I told her weather looked decent from mx office... But started paying attention. And yes, wind was crazed. Hints of an upcoming power outage were felt in the Institute. I left my office as soon as I could. Cycling back home was quite a challenge - The 3.1Km route back home, usually much easier than the way there as it's mostly downhill, was quite a challenge: Biking with eyes almost-closed because of the flying leaves and dust, and little but menacing raindrops... Scary, all in all.

Anyway, it gets scary... At least one person was killed because of the winds not far from here. This city has the fame that febrero loco y los vientos otro poco (February is crazy, but the winds are even more). And the first crazy wind of the season are always scary.

[update] One person dead because of the strong winds in Mexico City; Power outages in several areas; Three more hours of strong winds expected; Heavy winds caused by the #24 cold front(?); Winds cause mayhem on DF streets;

( categories: )

Yay, new gadget!

Submitted by gwolf on Mon, 01/21/2008 - 08:25
A week ago, I got my fourth cell phone so far. This is the first time, however, that I pay for it - even though the first one I had was a very nice smartphone for its time (basically, a not-really-well-integrated Palm Vx and a bulky phone very worthy back in its time. Anyway - Some months ago, I decided I wanted a Wifi-able phone, in order not to need to carry around my laptop for simple tasks such as checking my mail. Shortly after I started looking for phones which fit my needs, I found Nokia's N95. The map-maniac in me found it had a GPS, and... Well, it just became matter of waiting until my phone company brought it to the Mexican market (as I paid about half its street-price... Y'know, points for customer loyalty, blah blah).
Anyway... I've been extensively playing with my new toy, and although I am still often frustrated by Symbian's so very-very-propietary-minded OS and general culture (it's amazing the number of for-a-fee very simple applications!), I'm very happy. So far, my favorite application (and, of course, the one that made me jump for it) is Nokia's Sports Tracker. While it does have some issues (particularly the web application - at least its interaction with firefIceWeasel is somewhat buggy; it abuses AJAX interaction and some pieces of information are just not linkable, they lack a proper URL), I'm delighted at using it - tracking my theoretically daily excercise sessions, be they excercising per se or my bike rides to work, linking photos taken during those sessions, tagging them to the point and moment they were taken (although, I must admit, it is awkward to take photos while running - And next to impossible while biking, of course).
Yes, to many this is not so impressive... But it is really the toy I was looking for.
( categories: )

World Social Forum 2008 - Another world is possible

Submitted by gwolf on Sun, 01/20/2008 - 23:10
A phone call in December made me very proud: A colleague I met thanks to the Espora collective told me she was involved in the Mexican activities for this year's World Social Forum (FSM Mexico 2008 site). The Mexican activities? Yes. This year, the World Social Forum will not be held at one -or several- distinct places, but it will happen globally. There will be activities in tens of countries. The activity program for Mexico (full PDF version) is quite loaded - And I was invited to give one of the talks, this Friday (Jan 25) at 12:00, about Free Software for a Free Society, in the Foro Derecho a la Comunicación track.
I am very honored by this invitation! I just spent a couple of hours organizing/going through the topics I will be presenting. I hope to be able to be at some other of the forum's activities, as it just is too important and interesting to miss out!
Syndicate content