123Unix!com

Author: Alex


sudo or not sudo

Nothing prevents you from changing the username on this [root] account or from creating additional accounts whose UIDs are 0; however, these are both bad ideas.

That was the most profound saying in probably the most boring chapter of the “UNIX and Linux System Administration Handbook”, Chapter 3, about the root account and related topics.

Still, it provides some interesting points, notably about Mandatory Access Control (MAC) and Role-based Access Control (RBAC).

Interestingly, these are the areas where Linux has been lagging behind Microsoft Windows, having only the discretionary access control facilities inherited from classic Unix. Proprietary Unix variants, like HP-UX, AIX and Solaris, have been closer to leading the way here.

A cool approach to building SELinux policies is mentioned in the chapter. A tool (audit2allow) generates allow rules from the access denials that were triggered and logged. Clever, though not foolproof.

Another controversial practice suggested in this chapter is the rule of using sudo for all administrative work.

It is a non-trivial question of what is ultimately more secure: entering a password every 5 minutes for sudo, or having a root terminal on standby, authenticated just once at session startup and protected by generic X Window session protection mechanisms like screen auto-lock and biometric authentication.

  • 3 Jul, 2018
  • (0) Comments
  • By Alex
  • Training

init vs. systemd

Chapter 2 of the “UNIX and Linux System Administration Handbook” talks about the boot process. Nothing special here, except the ever so interesting debate of init vs. systemd.

The main points from systemd opponents are that it makes the system more complex and less modular. Modularity, as we all know, is one of Unix’s main merits.

OTOH, the general Unix evolution trend of the last decade seems to emphasize the boot stage ever more in the overall OS lifecycle. Just look at all those compartmentalization, virtualization, scaling and other cloud computing hypes. All of them imply growing use of short-lived OS instances, which in turn implies a larger proportion of instance lifetime spent in the boot process.

In legacy systems it was not uncommon to see uptimes in the range of 1 or 2 years, and sometimes several whopping years. Today, with auto-scaling distributed HA systems, VMs often get spun up for just a few hours a day to handle load spikes.

Comparing these two system classes, it is easy to see the importance of boot process optimization: it has become two (sometimes three) orders of magnitude more prominent time-wise nowadays.

Not only does systemd cut the time wasted in bootstrapping by fostering parallelism, it also improves response time to load spikes, and streamlines configuration management by reducing the shell scripting hackage required to configure complex boot processes.

Conceptually, this part of Unix evolution corresponds well to general global information processing trends. Those trends lean towards collaborative, cross-disciplinary information processing and interpretation. Similarly, Unix processes and services can no longer remain “strictly modular” in a modern system if the system architect seeks to optimize the system for the best performance and value for the customer. Unix services need to collaborate with each other more closely to reach that target. For that, systemd is clearly suited much better than the venerated classic init.

  • 2 Jul, 2018
  • (0) Comments
  • By Alex
  • Training

System administration: How to start?

Today, a good friend of mine, Nikolai Dyumin, a seasoned PhD in mathematics, asked me for a recommended book on the topic of Unix system administration.

Immediately I recalled the paperback copy of the 2nd edition of the “Unix System Administration Handbook” by Evi Nemeth “and kids” that I have had and praised a lot since my early student years. It is a Russian translation (one of the best technical book translations I have ever read), pretty used already, nevertheless offering a good deal of timeless Unix philosophy inside.

While the book is still relevant in terms of the general administrator’s job approaches and concepts, a large part of it has become hopelessly obsolete over the past couple of decades of me owning it. Indeed, who still remembers RS-232 cables, or who adds user accounts directly on the host without any intermediary configuration management system or a centralized directory these days?

In an attempt to refine my book recommendation I went ahead and browsed a bit, and lo and behold! the 5th(!) edition of the book, modernly re-titled “UNIX and Linux System Administration Handbook”, just popped up on my screen.

Looking inside the new edition made me realize just how much time has passed!

The book starts by telling us that Evi Nemeth, the most renowned SysAdmin ever, who was also a sailor, is no longer with us.

One of Evi’s mottoes listed in the preface, “Be conservative in what you send and liberal in what you receive”, truly summarizes the essence of the SysAdmin’s character. Think of it. Probably half of the rest of Evi’s tenets are largely variations on this one. Take for example “Be liberal in who you hire, but fire early” – that’s the same thing, basically!

And then there was the 1st chapter. A few quotes warrant bringing up.

your response to these [stupid] issues [like “I spilled coffee on my keyboard! Should I pour water on it to wash it out?”] affects your perceived value as an administrator far more than does any actual technical skill you might possess. You can either howl at the injustice of it all, or you can delight in the fact that a single well-handled trouble ticket scores more brownie points than five hours of midnight debugging.

– indeed, a system administrator is a psychologist first. Most of an administrator’s customers just need someone to understand their problem, regardless of the problem’s nature.

Use it [the nano editor] discreetly; professional administrators may be visibly distressed if they witness a peer running nano.

– looks so familiar!

Gartner found that AWS is ten times the size of all competitors combined

Have you ever thought AWS is that large? I haven’t. Doesn’t it qualify AWS as a monopoly?

As a system administrator, it’s in your best interest to befriend data center technicians and bribe them with coffee, caffeinated soft drinks, and alcoholic beverages.

– interesting: why do the authors take hardware specialists for confirmed drunkards? Is manual work considered easier to do than scripting or security testing while drunk? Or is this type of work more depressing?

Anyway, having recommended such a profound book of about 1300 pages to someone who is a scientist, I thought: why wouldn’t I read the new edition myself? If nothing else, this will:

  • make my Unix philosophy freshly organized,
  • update me on the current technology trends in a good systematic manner,
  • help me grow professionally by learning from great professionals,
  • entertain me once again with the cool writing style.

It just occurred to me that:

  • today is the 1st of the month,
  • the month has 31 days, and
  • this 5th edition of the book happens to have precisely 31 chapters, conveniently and sequentially numbered through the four book parts.

So what am I still waiting for?! I’m starting on the quest of “A chapter a day” today with this fine book!

  • 1 Jul, 2018
  • (0) Comments
  • By Alex
  • Training

SPF and SOHO privacy

SPF (Sender Policy Framework) is cool stuff and, when implemented properly, helps vanity domain owners play on par with big email service providers like Gmail.

However, in its basic form it presents privacy concerns for small offices operating out of their homes, or any other small mail senders.

The problem is that anyone on the Internet can look up a list of IP addresses allowed to send mail for a given domain. Some users may feel uneasy having their home IP address known to everybody.

Here is how this issue can be resolved while still reaping full benefits of SPF.


  • 8 Jun, 2017
  • (0) Comments
  • By Alex
  • How-to, Tools

Cryptography expert needed

[This is my response to a job post on Upwork. Just for a record.]

Cover Letter

Hi there,

You seem to have quite a large list of desirable skills up there. I suppose it is not expected to be covered by a single person; otherwise I wouldn’t dare apply for the position.

I have a Bachelor’s degree in Computer Science and a Computer Systems Engineering degree from the National Technical University of Ukraine, and some cryptography background as well.

At any rate, I see a number of familiar items in the list, so if you’re after hiring a team, I think I might bring value to your project as one of the team members.

Additional Questions:

What experience have you had with cryptography?

My professional cryptography experience is mostly organizational. I’ve been in charge of researching network security and cryptography best practices, setting up PKI systems, enforcing security policies, investigating breaches.

While studying for my degrees, I was caught by the marvels of machine learning and artificial intelligence, although I didn’t delve into them deeply.

In my childhood, when I didn’t have a computer yet, I had a great interest in popular cryptography: Cardan grille, secret spoken and written languages. I have also been reading popular science periodicals and books on combinatorial problems avidly.

Why are you perfect for this job?

My path towards the Unix Administration field lay through security-related hacking experiments. That laid substantial security groundwork in my vision as a Unix Administrator for the whole of my career.

I am usually a little over-concerned about security in most of the projects I do. Sometimes it appears to be detrimental, but I see it as an advantage in your type of project.

What are your thoughts on security?

There is no such thing as “absolute security”. Any system is only secure to some extent.

This also applies to cryptography: any ciphertext is only safe for a certain amount of time, be it a week or a century. It cannot be safe forever.

Also, I usually remind my clients that “security = 1 / convenience”.

The art of cryptography and security in general is in striking the balance between the complexity (which is basically the price) of the system and the timeframe it is expected to be secure.

  • 25 Mar, 2016
  • (0) Comments
  • By Alex
  • Works

Shortest monitoring script on earth

Right after I got my quite elaborate Nagios setup running in my local network, I thought to myself “What if my network loses connectivity to the world and my GSM-SMS gateway fails? How am I going to be notified of such a grand disaster?”

Well, as usual, a shell one-liner comes to the rescue.

  • 19 Sep, 2014
  • (0) Comments
  • By Alex
  • Tools

Life Balance for Android (with improvements)

Life Balance is a really neat dynamic ToDo list manager. Ideally, if used appropriately, it can almost exactly suggest what you need (and would enjoy) to do at any given moment in your life.

Like all near-perfect things, it has a number of drawbacks though:

  • 20 May, 2014
  • (0) Comments
  • By Alex
  • Projects

TLS in postfix SMTP client

DreamHost changed the SSL cert for mail once again.

There is a tricky way of adding CA certificates into a Linux system’s certificate store:

  1. Put the CA certificates in /usr/local/share/ca-certificates/, and NOT in the system directory /usr/share/ca-certificates/.
  2. Run update-ca-certificates to update the compiled list of CA certificates.
  3. Add the path to /etc/postfix/main.cf:
    smtp_tls_CApath = /etc/ssl/certs

… but I was too lazy to pursue that way to the end, so I ended up just updating the fingerprint for use by the Postfix SMTP client.

Steps to add (update) fingerprint checking to the Postfix SMTP client:

  • 9 May, 2014
  • (0) Comments
  • By Alex
  • Tools

32-bit or 64-bit for Linux desktop?

Various Linux distros have long been offering both 32- and 64-bit options for download.

While traditionally 64-bit was touted as “for more than 4GB of RAM”, 64-bit downloads are gradually becoming more common. So I decided to investigate a little deeper into what’s wrong with running 64-bit on smaller systems.

  • 5 Feb, 2013
  • (0) Comments
  • By Alex
  • /var/log, News

Multiple --exclude options to tar

tar’s “--exclude=PATTERN” option has always had me perplexed. As it is mostly intended for automation scenarios, I have never paid much attention to this option, resorting instead to its more “pro-batch” variant, “--exclude-from FILE”.

But today, as I went about making some backups, I thought: enough, I need to learn how to use this option effectively. Having realized that the documentation on the matter is quite lacking, I decided to make a simple experiment.

Here are the commands I typed (in a bash terminal) to learn more about the “--exclude=PATTERN” option:

  • 8 Aug, 2012
  • (0) Comments
  • By Alex
  • Tools