Monthly Archives: May 2005

Thinking about a timeshare? Or just want a cheap vacation?

Are any of you interested in the following deals?
* Orlando: 3 nights for $69
* Las Vegas: 2 nights for $89
* Waikiki: 4 nights for $699

Fair warning: The catch is that you have to attend a timeshare sales presentation (2 hours). The timeshare is a nice one, M and I have been happy with ours, it’s very flexible and tradeable and the rooms are very high-quality. Email me if you’re interested…

BAILIFF, SMACK HIS PEE-PEE!

[Note: as of this writing, Greg is still unable to kill selected Wisconsin residents with the power of his mind.]

Monday

More information on this outage. According to the log, it looks like the dhcp service stopped running about 21:37. I think I figured out why the service stopped.

The logs show a login as “root” from “maintain” at 21:30, a few minutes before the outage. This root session is still open as of this email. Additionally, there is a log file in /home/[username redacted] showing whether the daemon is running and who is logged in once per minute, and that file starts at the same time as the outage.

So, given that we have a limited track record in this configuration, it’s a bit early to make generalizations, but our first and only official outage of dhcp appears to be self-inflicted. Here’s a quick breakdown of root cause and solution.

Problem: dhcpd dying for any reason
Solution: Monitoring for this condition is still our first and best defense. We will be adding a cron-based script to check for this condition and automatically restart, but this is not a replacement for monitoring, since there are cases where a restart script won’t work (machine out of resources, config file fatal error). We will have the restart cron in place before pushing all ranges to production.

Problem: root access on maintain affords root access on dhcp1-2
Solution: If there are people who need root access on maintain but not on dhcp1-2, then we need to lock down the config-push process so that trusted users on maintain can’t gain privileged access on dhcp1-2. Our current implementation isn’t locked down to this level because we assume the access lists can easily be made consistent. If the access lists need to be different, we will assess the risk and act accordingly.

Problem: staff members taking advantage of security holes
Solution: This is a behavior problem and should be addressed by management. If someone has been granted user access and not root access, taking advantage of a loophole to gain root access should be pretty clearly off-limits as well. Please clarify the access policy as appropriate.

Problem: staff members with root access killing production services
Solution: Any changes to a running production server that might affect the service should be announced ahead of time and done during an appropriate maintenance window. Please clarify the policy and take any appropriate action.
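As an added example that is not part of the original email, here is a cron-run check-and-restart script of the kind the Monday note proposes, written in POSIX sh. It assumes pgrep is available, that dhcpd validates its config with dhcpd -t, and that an init script starts the daemon; all three are hypothetical defaults that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not the script from the original email: a cron-driven
# check-and-restart for dhcpd that refuses to restart on a fatal config
# error, leaving that case to monitoring as the text advises.
# Assumptions (hypothetical defaults): pgrep is available, "dhcpd -t"
# validates the config, and an init script starts the daemon.

DAEMON="${DAEMON:-dhcpd}"
CONFIG_TEST="${CONFIG_TEST:-dhcpd -t}"
START_CMD="${START_CMD:-/etc/init.d/dhcpd start}"
LOGTAG="dhcpd-watchdog"

# Log to syslog when logger exists, otherwise to stderr.
log() { logger -t "$LOGTAG" -- "$*" 2>/dev/null || echo "$LOGTAG: $*" >&2; }

# 0 if a process named $DAEMON is running, 1 otherwise.
daemon_running() { pgrep -x "$DAEMON" >/dev/null 2>&1; }

# Return codes: 0 daemon up (or restarted), 2 config test failed so no
# restart was attempted, 3 restart attempted but the daemon is still down.
watchdog() {
  if daemon_running; then
    return 0
  fi
  log "$DAEMON is not running"
  if ! $CONFIG_TEST >/dev/null 2>&1; then
    log "config test failed, not restarting; needs a human"
    return 2
  fi
  if ! $START_CMD >/dev/null 2>&1; then
    log "start command failed"
    return 3
  fi
  sleep 1
  if daemon_running; then
    log "restarted $DAEMON"
    return 0
  fi
  log "start command returned success but $DAEMON is still down"
  return 3
}

# Run the check only when invoked under the installed name (from cron).
if [ "$(basename -- "$0")" = "dhcpd-watchdog" ]; then
  watchdog
  exit $?
fi
```

Install it as /usr/local/sbin/dhcpd-watchdog and run it once a minute from cron; a non-zero exit is exactly the case where monitoring still has to page someone.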

Tuesday

Two more root shells were open on dhcp1. I have killed them.

These are the files that were accessed at the time the root shells were started (showing access time, not mod time):
-rwsr-xr-x 1 root root 29788 May 24 07:39 /sbin/dnsqa
-rwsr-xr-x 1 root root 7836 May 24 07:39 /usr/bin/rsh

Of these, “dnsqa” is probably the suspicious one, so I have chowned it back to [username redacted] so that file won’t have root privileges.

There are probably more exploits we will find over time that allow non-root users to gain root, but I don’t know how much effort we should expend trying to find and close all of them. Our policy so far has been that we trust non-root users not to abuse the system to try and gain more access than they have been given, so this type of local-user exploit is normally not much of a concern. This is also typical of other non-SGI locations, so we are not alone. We should make a decision as to what direction to go:
1. we assume that local users are trustworthy
2. we expend more resources trying to make the system more bulletproof (similar to ISPs who give shell accounts)
3. we decide not to have any local accounts at all for non-root users

Let me know what you think…
gregc

Ice Cream Social – Today!

As mentioned before, Miche and I are hosting an Ice Cream Social here at our place today between 2pm and 6pm. If you are in the area, please feel free to come by. Drop in any time in that range, stay as short or as long as you want. Directions are here: click me.

(Posting this for folks on my friends list who I believe I have actually met in person at least once.  If you are reading this, you’re invited!)

I have made the following:
Strawberry: Cream, milk, diced strawberries, sugar, splenda, vanilla extract
Peach: Cream, milk, frozen peaches, sugar, peach preserves
Melon sorbet: Honeydew melon, sugar, lemon juice, peach schnapps
Supervanilla: Cream, milk, sugar, vanilla bean, vanilla extract
Banana:  Cream, milk, sugar, bananas, vanilla extract
Frozen Yogurt:  Yoplait strawberry yogurt

We have various toppings as well.

Ice Cream Social

OK, I have gone a bit crazy with the new Ice Cream Machine and have made far more ice cream than I think I can eat.

As a result, Miche and I would like to throw an Ice Cream Social here at our place this coming Saturday. If you are in the area (or might be on Saturday) feel free to come by. I’m thinking it will probably be Saturday afternoon between 2pm and 6pm. Drop in any time in that range, stay as short or as long as you want. Watch this space for directions.

Books meme

1) Total number of books I’ve owned? Probably fewer than 50, most of them game books. Count comics and I’m pushing close to 100. But Miche’s collection, that’s another story, probably 1000+. I don’t tend to collect books unless they were especially meaningful.
2) The last book I bought? I think it was First Things First, an audiobook in the Seven Habits series.
3) The last book I read? Seven Habits of Highly Effective People by Stephen Covey. It is an excellent read, and I recommend it for anyone and everyone. It combines the best of getting organized, self-help, and having rewarding interpersonal relationships. It combines a lot of stuff I already knew, and a few things I didn’t, and makes a lot of great ideas work well together/complement each other. If it’s true that there is nothing new under the sun, this is at least a new way of looking at and organizing a number of timeless and valuable principles.
4) 5 books that mean a lot to me:

Split Infinity by Piers Anthony: Read this when I was in high school, and the main character Stile became my hero for many years, and still is in many ways.
Seven Habits of Highly Effective People by Stephen Covey: see above :)
Perl for System Administration by Blank-Edelman via O’Reilly
Dungeon Master’s Guide and Player’s Handbook by Gygax et al
5) Tag 5 people and have them fill this out on their ljs
I’m choosing 5 random users who are unlikely to ever read this: weejay, cflam, meddle_84, sofawawayfromu, and baby_cakes24. Is that cheating? I don’t know :)

Melon sorbet

We made a modified version of Alton’s Melon Sorbet on Sunday. It turned out wonderfully. This sorbet meets with the misty_shadows seal of approval.

Our modified version contained:
1 lb 10 oz diced melon
10 oz sugar
2 Tbs peach schnapps

All ingredients into bar blender. Pulse until visible chunks are gone, then blend low for about 30 more seconds. Chill mixture for about 30-60 min in fridge. Process in ice cream machine (with our machine we broke it into 2 batches at about 20 min each) until it is slushy and holds its shape. Relocate the mixture to the freezer for 2 hours.

I don’t think the type/proof of liquor is important, as long as it’s about 2T of a liquid which doesn’t freeze at the temp of your freezer. The peach schnapps we used is about 30 proof.

Netflix and Six Degrees of Separation

OK, here is something to try if you’re bored and happen to be in front of a browser. I was clicking around on the Netflix site and I was looking at the Jim Carrey page, and I thought to myself, gee, I would like to get to the John Cleese page, I wonder if I can get there just by clicking links?

Here’s what I came up with on the first try (without using the Back button at all):
Jim Carrey, Batman Forever, Nicole Kidman, Eyes Wide Shut, Tom Cruise, Mission Impossible, Ving Rhames, Lilo and Stitch, David Ogden Stiers, Spirited Away, Hayao Miyazaki, Princess Mononoke, Billy Crudup, Big Fish, Danny DeVito, Get Shorty, Gene Hackman, Antz, Dan Aykroyd, Trading Places, Jamie Lee Curtis, A Fish Called Wanda, and finally John Cleese. That’s 11 degrees of separation, so that means I kind of suck at this. I probably would have done better if I had allowed myself to use the Back button, but c’est la vie.

Here’s the second try:
Jim Carrey, The Mask, Cameron Diaz, Shrek II, John Cleese. 2 degrees of separation, much better.

I bet this would work a lot better with IMDB, but at least with Netflix I can rate a bunch of movies as I go…