Monday, March 9. 2009
It seems to be all the rage, lately, to eschew root shells and run all administrative commands with sudo. Sudo is a great tool for allowing otherwise unprivileged users to perform certain tasks for themselves (and thus not having to annoy the sysadmin regularly) and it's also good for keeping logs of what tasks were performed.
However, what I'm seeing is a general trend towards educating people to administer servers by using sudo non-interactively. E.g.:
$ sudo /etc/init.d/networking restart
instead of
$ sudo su -
# /etc/init.d/networking restart
Ubuntu documentation is notorious for this.
The first method is bad practice because it will automatically drop root privileges as soon as the command has completed. This means that if you've made a mistake, you can potentially lock yourself out of your own server.
The second method will return you to a root prompt after you've run the command, and - importantly - will allow you to check that everything still works. You should always be checking that changes you've made work, before you drop root.
Sounds unlikely? Hardly. Even with the best intentions, mistakes occur. I've seen this problem happen; a person using sudo accidentally nulled the /etc/passwd file and managed to lock himself out of the root account. If this had been able to be done using sudo su - instead, then he would have been able to test that he could still access root, from another window, before logging out of the root account in his original window. Unfortunately, site policies prevented this (although it could be worked around by copying /bin/bash to /tmp and then running sudo /tmp/bash).
And it's not limited to just nulling the password file. There's plenty of things that you can screw up that will lock you out of your server if you don't have a chance to check them first - /etc/shadow, anything under /etc/pam.d, /etc/sudoers, /lib/libpam-ldap.conf to name just a few. In Ubuntu's case, if you make a mess of the sudoers file, you might not even have a root password to fall back on, due to their insane insistence on not creating one at installation time.
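One way to apply the "check before you drop root" rule to the nulled /etc/passwd case above, as an added example that is not part of the original post. The helper names check_passwd_candidate and safe_install_passwd are hypothetical, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: refuse to install a passwd file that would lock root out.
# check_passwd_candidate and safe_install_passwd are hypothetical helper names.

check_passwd_candidate() {
    file=$1
    # A nulled (zero-length) file is the failure described in the post.
    if [ ! -s "$file" ]; then
        echo "REFUSE: $file is missing or empty" >&2
        return 1
    fi
    # Every non-blank line needs 7 colon-separated fields, and there must be
    # a root entry with UID 0 and a login shell.
    awk -F: '
        /^[[:space:]]*$/ { next }
        NF != 7 { printf "REFUSE: line %d has %d fields\n", NR, NF; bad = 1 }
        $1 == "root" && $3 == 0 && $7 != "" { root_ok = 1 }
        END {
            if (!root_ok) { print "REFUSE: no usable root entry"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$file" >&2
}

# Validate, keep a backup, then swap the file in with a rename so the target
# is never left half-written. Mode and owner are copied from the old file.
safe_install_passwd() {
    candidate=$1
    target=${2:-/etc/passwd}
    check_passwd_candidate "$candidate" || return 1
    cp -p "$target" "$target.bak" &&
        cp -p "$target" "$target.new" &&
        cat "$candidate" > "$target.new" &&
        mv "$target.new" "$target"
}

# Constructed sample input: one sane candidate and one nulled file.
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' \
    > "$demo_dir/good"
: > "$demo_dir/nulled"
for f in good nulled; do
    if check_passwd_candidate "$demo_dir/$f" 2>/dev/null; then
        echo "$f: would install"
    else
        echo "$f: refused"
    fi
done
rm -rf "$demo_dir"
```

This only checks the structure of the passwd file; confirming that a fresh login and sudo still work from a second window, before leaving the root shell, is still the real test.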
Thursday, March 5. 2009
Dear ${BIG_COMPANY}. Did you know that you employ developers who write web applications that fail because my web browser's user-agent string contains "Iceweasel" and not "Firefox"?
Is that really necessary? Is it cost-effective? Is it LEAN?
Tuesday, December 9. 2008
There must surely be some system administrators from Optusnet who read Planet Linux Australia. If there are, could one of you please drop a comment (anonymously, if you need to) into my weblog about your news server?
The Optusnet Usenet news server has mysteriously stopped receiving new posts a number of times this year. Every time it has gone down, it has been off the air for at least a week, sometimes two. It has now happened again.
There is rarely any acknowledgement of the problem to customers, and dealing with the Optusnet helpdesk is an exercise in futility; take for example the response given to a user on the Whirlpool forums:
"I got a reply from technical support about this. They recommend power cycling my modem."
Those two sentences indicate to me that the person on the helpdesk probably doesn't even know what Usenet is.
I've sent in a note to the helpdesk also, but from previous experiences, I know I won't get a response for several days and I have my doubts that it will even get to the right place.
Now, I know it's likely not to be your fault. I've worked for a big ISP myself, and I understand the pressures and the lack of interest that management have in Usenet and the hardware that goes with it. But I'd just love to know what is going wrong with it so often, and whether the helpdesk messages ever even make it to the sysadmin section...
Friday, November 14. 2008
It's nice to know that just occasionally, I'm ahead of the curve. Canonical have announced that they are planning to port Ubuntu to ARMv7. I'm not sure what differences there are between ARMv7 and previous versions, but I had ported Ubuntu Dapper to ARM over a year ago (actually, two years ago, but I didn't release it until August 2007).
I've taken down the binaries since then, as Nokia started a more professional porting effort than I could do on my own, but if anyone wants them, then just let me know.
Thursday, November 13. 2008
Just so that it is blindingly obvious how easy it will be to work around Australia's impending ISP-level internet filter (which, I might add, is expanding its blacklist ever further), I thought I would sum it up in three simple steps. It's not the cheapest way to bypass a filter - and the information below isn't going to be new to my blog's regular readers - but from where I stand (as someone who has access to an offshore Linux server), it certainly beats messing with Tor.
- Obtain an account on a Linux or similar Unix-like system in a country outside Australia, preferably one without reactionary politicians who are trying to curry favour with a conservative religious party that shares the balance of power in parliament. If you can't get access to a server for free, then there are plenty of low-cost virtualized hosting sites such as Mythic Beasts (User Mode Linux) in the UK and Linode (Xen) in the US.
- Use ssh's application-level port forwarding and log in to your new remote system. ssh will act as a SOCKS server on your local machine:
ssh -N -D 1080 your.remote.host.co.uk
Under Windows, you can do this with the ssh client provided in Cygwin. I would imagine that PuTTY provides a similar feature.
- Configure your web-browser to talk to the ssh socks proxy on your local machine. For Firefox users, this would mean going to Edit -> Preferences -> Advanced -> Network -> Settings, choosing "Manual Proxy Configuration" and putting localhost and 1080 in the SOCKS fields, and then selecting SOCKS version 5. You can now browse as you would normally, and all HTTP requests will be sent from the remote host, and all Australia's internet filters will see is a stream of encrypted ssh traffic.
Of course, I am assuming that the Australian government doesn't plan to block ssh connections out of the country. It would be almost amusing to see the smouldering ruins of Australia's IT industry if they tried.
Wednesday, November 5. 2008
While I don't want to divert attention from today's thorough repudiation of eight years of neoconservative, fundamentalist Christian wingnuttery, it has to be asked: what the frell were 104000 Alaskans thinking when they voted for Senator Ted Stevens (and likely re-elected him), when he's just been convicted of seven corruption charges? Very short memories, sheer bloody-mindedness, or - as I suspect - blatant ignorance?
Geez. And people wonder why I have so much contempt for backwards, rural communities.
Thursday, October 16. 2008
...as to just how the UK government's Communications Data Bill is going to work, and how it might affect my own server, which is a slow little user-mode-linux installation, sitting in a London datacentre.
Are they just going to snoop all SMTP traffic, and suck the From and To headers from that? Good luck with TLS-SMTP...
Will they be requiring everyone who runs a mail-server to keep their logs for later inspection? Logs are easily faked or changed, so there wouldn't be much point in that.
Perhaps they will only target ISPs, and ignore small-fry individuals running their own mail-server? That's not going to achieve much; I'm sure that it is not beyond the capabilities of the average terrorist organisation to run their own mail-server.
Or maybe anyone running their own mail-server will be obligated to install a closed source mail filter that submits logs to a central server somewhere? Easily overridden, of course ... and I hope they provide me a binary for my future mail-server, which I intend to be running NetBSD on an SGI Indy.
Maybe mail-servers will just be declared too dangerous for the average peasant to operate, and will be legislated out of existence, forcing everyone to sign up to a mass-mail provider somewhere (yes, I'm getting silly now, but then, so is the notion that this legislation is workable).
Whatever option they take, it strikes me as a very large invasion of privacy, which is more likely to affect the innocent than those who may be planning on committing crimes...