
From Maryn McKenna of Wired:

“A couple of unpleasant and deeply dismaying things have happened in the science blogosphere in the past 36 hours or so. I’m posting on it, along with a growing number of other science bloggers, in order to stand in solidarity with a fellow blogger and to ensure her voice is not silenced.”

The treatment of women in science and technology needs to change. I stand with Dr Lee


CentOS: Eclipse and PyDev

I’ve usually just used a simple text editor like nano when writing Python here and there, but I do like the visual aspect that a good IDE provides and thought I’d give Eclipse + PyDev a try. I used yum to install Eclipse and then added PyDev’s repo to Eclipse, only to run into a problem when I tried to install PyDev. I got this long list of “No repository found containing” messages. Searching the issue, I did not find any useful answers, as they were the usual “Just start fresh” or “Don’t use the distribution version, always download from the web site” kind of messages. Not helpful at all.

Luckily I found the following bug post and discovered the issue was with a missing package. Not really sure why it isn’t just installed by default, but what is needed is the eclipse-pde package. That’s the Plugin Development Environment, which is apparently needed to install other plugins, like PyDev. Once that was installed, I got PyDev installed and now I’m ready to go forth.

NSA and PRISM: Why privacy is not the only reason to be upset

When the news started circulating I was of course outraged, but as a sysadmin that little voice in the back of my head wasn’t all too surprised. Both at what the NSA is alleged to be doing and at Edward Snowden’s level of access. Since the commercialization of social networking, I knew there is no such thing as a free lunch and that all that is posted is sifted through and analyzed for value, and would be of great interest to governments. In an interview with The Verge, Chris Soghoian’s use of the quote, “if you build it, they will come,” gave me a smirk as it’s a great explanation.

This push for some perfect state of security and safety with a seemingly blind faith in the ability to data mine and perceive patterns in all this data disturbs me. The algorithms developed are just mathematical models, simplifications of the real world and as such are based on assumptions. Assumptions that can be wrong or the basis for making such assumptions can change over time. Also by its very nature, a model cannot take everything into consideration nor is it always advisable to condense such vast data into simple numbers. Our current economic troubles are a great example of the blind faith put in such models.

Back to the second thoughts in my head, it’s not just this breach of trust that my privacy be respected, it is also how this news will affect our place in the world. Europe takes privacy possibly more seriously than we do and, as reported, is very bothered by this news. Will they take their business elsewhere if they cannot trust their data is safe from widespread snooping? Will businesses leave the US so they cannot be compelled to participate in these programs? Or worse yet, will there be a stronger push for relinquishing control of the Internet to the UN? Or even lead to a splintering of the Internet? I cannot even begin to answer these questions and that worries me as the future of a free and open Internet is possibly at stake.

Whatever your reasons might be for opposing this practice, I signed on with @stopwatchingUs and suggest signing their petition asking Congress to disclose the full details of this program.


Supreme Court: police may take DNA samples after felony arrests, even before conviction | The Verge.

I’m left with mixed feelings about this ruling. On the one side I’m all for using DNA evidence to both prove innocence and guilt and once convicted of a felony, I have very little sympathy. Alternatively I’m left disappointed that this will open the way to abuse of the system if all it takes is a simple arrest to collect one’s DNA without any burden of proof. Sure this is why the courts are there, to clarify existing law, but I am then left to hope the legislature can get its act together and put protections in place.

This goes beyond just fingerprinting as DNA is arguably something much more personal and more revealing of ourselves than any other data someone could collect about one’s self. A database of innocent citizens’ DNA is something that is just asking to be used in the wrong way.

Roaming Profiles in Samba

I run primarily Linux but I do have a Windows server for those who need a bigger Windows machine to work on and make it available via remote desktop. To have it play nicely with the rest of our systems, I also run a domain via Samba. While I don’t like roaming profiles, my users are used to it and the messages about being unable to load a profile bother them.

Recently a user needed access to the Windows server but then had weird access denied errors when trying to log on. I had them in the remote desktop group and the only messages in the logs were loading errors about the profile.

The error shown was “Group Policy Client Service Failed The Logon.” Searching showed this was a symptom of a corrupted profile and thus I deleted it, but then after that it was never regenerated and thus the missing profile messages every time since.

Thanks to a guy named Steve on the mailing list, I was able to determine what was going wrong. Within the registry, Windows stores some info about the profile, in particular the location on the server. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList stores a list of user SIDs and the key CentralProfile was wrong. Deleting the entry from ProfileList fixed the profile errors and now it’s all good.

[Samba] Windows Profiles Not Being Created

Apache, SELinux, WebDAV, and cgi-bin

I had set up WebDAV access for a user to allow them the ability to upload and edit their web application and as part of that setup, they had their own cgi-bin. Not normally an issue, but as a way to prevent any security issues, I’ve kept SELinux enabled. Turns out this was causing a problem with uploading files into the cgi-bin directory. Sadly there wasn’t an easy boolean value I could set for this but the audit2allow command came in handy.

Now be sure you check the module code before enabling it to ensure nothing shady is there. Simply running audit2allow on all messages in the audit log would build a module that can include permissions to allow potential hacks through. I saw some weird permissions that I knew were not needed to allow webdav access to cgi-bin and removed them from the module file. Here is the module that finally allowed access to the cgi-bin directory:

module webdav-cgi-bin 1.0;

require {
    type httpd_t;
    type httpd_sys_script_t;
    type httpd_sys_script_exec_t;
    type httpd_sys_rw_content_t;
    class dir { write remove_name create add_name };
    class file { write create unlink execute setattr };
}

#============= httpd_sys_script_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_script_exec_t:dir { write remove_name create add_name };

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_script_exec_t:file { write create unlink setattr };

Now this allows the web server read/write access to cgi-bin, which might be an issue, but I do protect webdav access behind access controls and SSL.
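
The review step described above, checking a generated module before enabling it, can be scripted. The following is an added example, not code from the original post: it parses the allow rules in a .te file and reports anything beyond the three rules in the module shown above. The function names, the allowlist layout and the sample input are assumptions made for illustration.

```python
import re

# Rules the post's final module grants: (source, target, class) -> permissions.
EXPECTED = {
    ("httpd_sys_script_t", "httpd_sys_rw_content_t", "file"): {"execute"},
    ("httpd_t", "httpd_sys_script_exec_t", "dir"):
        {"write", "remove_name", "create", "add_name"},
    ("httpd_t", "httpd_sys_script_exec_t", "file"):
        {"write", "create", "unlink", "setattr"},
}

# Matches simple rules with one source and one target type; rules that use
# type sets or attributes are not parsed and still need a manual read.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_allow_rules(te_text):
    """Return [(source, target, class, {perms})] for each simple allow rule."""
    text = re.sub(r"#.*", "", te_text)  # drop comments, incl. audit2allow notes
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules

def unexpected_rules(te_text, expected=EXPECTED):
    """Return rules, or extra permissions within a rule, not in `expected`."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        extra = perms - expected.get((src, tgt, cls), set())
        if extra:
            findings.append((src, tgt, cls, sorted(extra)))
    return findings

# Constructed sample: audit2allow-style output containing two entries that
# have nothing to do with WebDAV uploads into cgi-bin (made up for this example).
SAMPLE_TE = """
#============= httpd_t ==============
allow httpd_t httpd_sys_script_exec_t:dir { write remove_name create add_name };
#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_script_exec_t:file { write create unlink setattr append };
allow httpd_t shadow_t:file read;
"""

if __name__ == "__main__":
    for src, tgt, cls, extra in unexpected_rules(SAMPLE_TE):
        print(f"REVIEW: allow {src} {tgt}:{cls} {{ {' '.join(extra)} }};")
```

Anything it reports is a permission to remove from the module file, or to justify, before the module is compiled and loaded.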