Archive for July, 2008

sudo in kerberos

Tuesday, July 22nd, 2008

sudo is a pretty cool command because it lets you control, in a granular way, who can execute what commands as whom.

Well, while this method is all well and great, it doesn’t subscribe to central authentication. So in the event that an account gets compromised, and that account is used on multiple machines, you have to go to every one of those machines and remove the user from the sudoers file.

In the Kerberos world, there is a nifty feature called the .k5users file which provides a means of doing sudo-like things.

Joe first clued me in on this feature but it didn’t click until recently. With nagios, we have some checks whose problems can be fixed programmatically. The problem is that nagios doesn’t have any privileges on the box, and it will need root privileges to accomplish its task.

First I thought to use sudo. It logs usage of sudo, but it doesn’t subscribe to our central auth policy. Next I remembered about k5users. It just so happens that you can do the same sort of thing.

First, make a file called .k5users inside the home directory of the target user, that is, the user you want the commands to run as.

Next, add lines to that file, one entry per line: the principal, then the full path of the command it is allowed to run. The format is

  • prin...@fully.qualified.domain@DOMAIN.FOO    /path/to/command

After that, you can use the ksu command to run that command as that user, like so:

  • ksu user -n prin...@fully.qualified.domain@DOMAIN.FOO -e /path/to/command

And just like that, it will work if you have a valid kerberos ticket. The trick to making stuff like this work from cron and automated things is to store your principal in a keytab and refresh your ticket cache every now and then (like every night at midnight) using the keytab. This isn’t hard either, and only requires a simple crontab entry for the user who will own the credential cache. Something like this:

  • kinit -kt /path/to/keytab prin...@fully.qualified.domain@DOMAIN.FOO
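As an added example (not code from the original post), here is a small POSIX shell helper that parses a target user’s .k5users in the format above and answers what a reviewer of such a setup wants to know: is a given principal allowed to run a given command as this user, and does any entry grant “*” (any command), which would undo the single-command limit. The principal names, paths and file contents are constructed for the example; the line format is taken from the post and ksu(1), so check ksu(1) on your version for the exact semantics before relying on it.

```shell
#!/bin/sh
# Audit helper for a target user's ~/.k5users. Added example, not code from the
# original post. Line format assumed from the post and ksu(1):
#   principal [/full/path/to/command ...]    ("*" = any command)

# k5users_allows FILE PRINCIPAL COMMAND: returns 0 if FILE grants PRINCIPAL the
# right to run COMMAND (exact full-path match or "*"), 1 otherwise.
k5users_allows() {
    file=$1; wanted=$2; cmd=$3; found=0
    [ -r "$file" ] || return 1
    set -f                       # stop "*" in the file from globbing
    while read -r princ rest || [ -n "$princ" ]; do
        [ -n "$princ" ] || continue          # skip blank lines
        [ "$princ" = "$wanted" ] || continue
        for allowed in $rest; do
            [ "$allowed" = "$cmd" ] || [ "$allowed" = '*' ] && found=1
        done
    done < "$file"
    set +f
    [ "$found" = 1 ]
}

# k5users_wildcards FILE: prints every principal granted "*" (any command).
# These are the entries to review first; they defeat the single-command limit.
k5users_wildcards() {
    set -f
    while read -r princ rest || [ -n "$princ" ]; do
        [ -n "$princ" ] || continue
        for allowed in $rest; do
            [ "$allowed" = '*' ] && printf '%s\n' "$princ" && break
        done
    done < "$1"
    set +f
}

# Constructed fixture standing in for /root/.k5users; all names are made up.
K5USERS_FIXTURE=$(mktemp)
cat > "$K5USERS_FIXTURE" <<'EOF'
nagios/monitor.example.com@EXAMPLE.COM /usr/local/sbin/restart-httpd

admin@EXAMPLE.COM *
EOF

# Example run: the nagios principal may run the one handler, and the
# wildcard grant for admin@EXAMPLE.COM is reported for review.
k5users_allows "$K5USERS_FIXTURE" nagios/monitor.example.com@EXAMPLE.COM /usr/local/sbin/restart-httpd \
    && echo "nagios: restart-httpd allowed"
k5users_wildcards "$K5USERS_FIXTURE"
```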

Best of all, you get the benefits of both kerberos and sudo with this example:

  • limit elevated access to a single command
  • ksu logs usage
  • kinit logs refreshing of creds
  • central killswitch at the KDC to disable this princ if it gets compromised

Neato

Is that some expensive gas there

Saturday, July 19th, 2008

hehe, check out this 711 gas station near my house, that I snapped a picture of. Look at the price of regular, then at the caption on the sign above the price. Care to venture a guess at what a barrel of oil would need to be costing them to get that price? : )

Joy

Friday, July 18th, 2008

A friend let me borrow the complete series of Batman the Animated Series on DVD (ya know, when cartoon Batman was good). It has left me overjoyed.

Didn’t think piles of BS could be that high

Monday, July 14th, 2008

This time it’s pwreset. Gawd the bullshit. Look at me! Look at me! I’m a bunch of whiny little bitches that want to have 3 or 4 people develop 3 or 4 different tools because I don’t like that there Unix stuff.

I’m starting to see why turnover in IT is so high. A person can quickly be driven nuts by staying at a company for more than 3 years. I wonder what the job pool looks like in Plainfield and Oswego…

Bummer

Monday, July 14th, 2008

Looks like my 0% CC card was only 0% on that first purchase. Meh, time to cancel it. Losers. Don’t buy products from Circuit City.

Drywall, Yum

Thursday, July 10th, 2008

I have more-or-less finished my room transfer vent project. The blower is in the wall and moving air into the garage. Now, to give it a little while to do its thing and hopefully it will work.

The drywall removal part was a mess! I don’t have the right tools, so I had to make the best of a bad situation with what I had, but man, that stuff gets everywhere and was a PITA to clean up.

Recently I had an itching to use memcached. I’ve looked at it a number of times to see if I could use it for something neat, and I think I’ve finally found a damn good use: the CST API. There are several functions in CST API that are sloooooow. They mainly involve LDAP and a fair amount of static data. Memcached to the rescue. I’ve sped up most of the account queries, some by an astronomical amount. I had a certain LDAP call that, when used extensively, took upwards of half an hour to finish. That was cut down to roughly 7 seconds with memcached. I love it!

Yup

Wednesday, July 9th, 2008

Amazing Drivers

Sunday, July 6th, 2008

Ok, so it’s ~11:15 at night, I’m a bit too loaded up on Summer Shandy, White Russians, and Jameson and Crown Royal whiskey, and driving home.

When all of a sudden this douche on Eola decides to stop on a yellow light instead of coasting through it like normal people would. Reason he stops, it turns out, is cause there is a cop turning left. Well way to not make a scene buddy.

In his valiant attempt to stop, he screeches his tires and slides for ~10 feet. I’m behind him and I’m like “surely this guy isn’t going to stop at this yellow light”; surely…I was wrong.

So I’m like “jesus fuck!” and proceed to lay on my brakes to keep from rear ending the guy. Luckily, the Sonata is well equipped, so I save myself the call to State Farm tomorrow. Unluckily for the guy in front of me, the cop gets his left turn signal.

I see the cop look at me as he turns. I can only imagine the disgusted look on my face as I raised my hand off the steering wheel in one of those “what the fuck are you doing you asshole, why didn’t you take the light” looks. The cop does a u-turn (gee…can’t imagine who he’s going to follow now) and pulls behind a car right behind me.

We move through the light and the guy in front of me kinda speeds up with what I can only imagine is that “oh great…caught” thought going through his mind. The cop burns around me and takes his spot right behind the douche that decided to almost cause an accident.

Well, they turned off the road, and let’s hope that guy got a good rattling by the cop. This type of shit doesn’t happen very often, but when it does, it makes me so content. The shit being “man, where’s the cop when you need him”; you know those times. Well, tonight the cop was right there and the dumbass behind the wheel hopefully got what was coming to him.

All set up

Thursday, July 3rd, 2008

Hooray, the laptop and media stuff is set up and working on my TV. I ran into a small snag with TV out and Ubuntu, but found an ubuntu forum post that fixed it. To celebrate I watched a couple eps of the original X-Men cartoon :p.

I beat No More Heroes. It was an awesome game. I started on Metroid Corruption which, at this point, is also a cool game.

Knock out vacation

Tuesday, July 1st, 2008

I have all this vacation that I need to take before September. And why oh why are all these people retiring and now we’re stopping involuntary layoffs. Damn them all. I was so looking forward to Donald Trumping the whole lot of them.

I saw two movies this past week. The new Hulk movie and Wanted. I thought Hulk was pretty good. I didn’t see the first one, but I heard that it was crap. Wanted was an ok movie. It was really far fetched at a lot of times, but it had a whole lot of gratuitous violence and I like that kind of stuff every now and then. I guess Wanted had some comic book history associated with it too???

Now, to get some techno-babble out of the way, I picked up a new APC UPS to sit next to my entertainment center. I also got my hands on a Wii, and Joe let me borrow Warioware (amazing). Dan let me borrow No More Heroes (more amazing) and today I just bought Metroid Corruption (heard it was amazing).

I bought a couple more pieces for the vent I’m going to put in my crawlspace. Man, it gets super hot in there with those servers. I really need to punch this hole quickly.

One last thing. My cousin gave me her old computer because she had gotten a new one. She forgot to tell me that it was broken. Well, it just so happens that it still has a year of warranty left on it, so yoink, brand new computer. It’s an Inspiron 600m. It needed a new mobo and cdrom, but those are covered under warranty. Free computer ftw. It’ll be the media hub for my entertainment center. Woot.