cron.weekly issue #38: Apache, astsu, Biscuit, Python, Puppet 4, systemd & more!


cron.weekly is a newsletter about Linux, open source & webdevelopment. Want to get it in your inbox every Sunday? Subscribe below!

I respect your privacy and you won't get spam. Ever. Just a weekly-ish newsletter about Linux and open source.


Mattias Geniar, July 24, 2016


Welcome to cron.weekly issue #38 for Sunday, July 24th, 2016.

This episode is very security minded with news on Xen, OpenSSH, Apache and others. I hope you enjoy your Sunday!

News

Spawn your shell like it’s 90s again!

This post makes use of a privilege escalation vulnerability in NetBSD by using SUID files. There’s lots of exploit code involved, but it also shows the value & dangers of SUID files on *BSD and Linux.
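The defensive counterpart to that post is knowing which setuid binaries a host actually carries. The script below is an added example (not code from the linked article) that inventories setuid and setgid files on a Linux or BSD box and compares the result with a saved baseline; the baseline file format (one path per line) and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: inventory SUID/SGID binaries so that unexpected ones can be
# reviewed. ROOT defaults to / and the search stays on one filesystem (-xdev),
# so mounted volumes and pseudo-filesystems are skipped.

# Print every regular file under $1 that carries the setuid bit.
list_suid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null
}

# Same for the setgid bit.
list_sgid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -2000 2>/dev/null
}

# Print setuid files under $1 that are not listed in the baseline file $2
# (one path per line, as written by a previous "list_suid > baseline" run).
# Anything printed is new since the baseline and deserves a look.
new_since_baseline() {
    root="$1"
    baseline="$2"
    current=$(mktemp)
    list_suid "$root" | sort > "$current"
    sort "$baseline" | comm -13 - "$current"
    rm -f "$current"
}
```

Typical use is `list_suid / > /var/lib/suid.baseline` once on a freshly built machine, then `new_since_baseline / /var/lib/suid.baseline` from a cron job; a non-empty result means a package, an installer or a person added a setuid binary since the baseline was taken.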

EC to audit Apache HTTP Server and Keepass

The European Commission is going to audit the Apache webserver and Keepass. I’m looking forward to the results and security improvements coming to both projects!

Kubernetes at Box: Microservices at Maximum Velocity

The team behind box.com has transitioned their monolithic PHP application to microservices running on containers with Kubernetes. The entire project took over 18 months and has caused immense speedups in terms of deployment and time-to-market.

Xen Security Announcement

Heads-up: on July 26th 2016 the Xen team will reveal a new security vulnerability. It’s serious enough to have major players like Linode schedule ahead-of-time maintenances to patch systems before things are revealed. The rest of us mortals have to wait until July 26th.

10 Modern Software Over-Engineering Mistakes

Some good tips when writing software, applicable to writing Ansible, Chef or Puppet modules in config management too.

Stack Exchange Outage Postmortem

This isn’t meant to highlight their downtime, but more to encourage more post mortems like this: honest, technical and valuable. The Stack Exchange platform suffered a small 30 minute outage due to a bad regex and failing healthchecks in their load balancers. A good lesson for all of us to not only monitor the state of the homepage as a healthcheck.

OpenSSH enumeration bug

Due to a timing difference between a response for an existing vs. non-existing user, an attacker can use very large passwords to find all existing users on a system by brute force.

HTTPoxy

Due to the way (Fast)CGI protocols work, by passing client-provided HTTP headers directly to the app as environment variables, there is a vulnerability that can let an attacker insert a proxy of their own to sniff internal HTTP & HTTPS calls made by the application. There is a fix we as sysadmins can implement: stripping the “Proxy” header in our webservers before the request reaches the application.
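To see why a harmless-looking request header turns into a trusted setting, here is an added example (not from the HTTPoxy advisory or any affected project) that reproduces the CGI header-to-environment mapping in plain sh and then the server-side fix, dropping the header before the environment is built. The request headers are constructed sample input, and `proxy.invalid` is a placeholder host.

```shell
#!/bin/sh
# Added example: how "Proxy: ..." becomes HTTP_PROXY under (Fast)CGI, and the
# fix of dropping the header at the webserver. Header lines are read as
# "Name: value" on stdin; the sample request in the usage below is constructed.

# CGI meta-variable name for a request header: upper-case, '-' becomes '_',
# and the HTTP_ prefix is added (the RFC 3875 convention). The collision is
# that "Proxy" maps to HTTP_PROXY, which HTTP client libraries read as the
# outbound proxy to use.
header_to_cgi_env() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Turn header lines into NAME=value environment lines, exactly as a naive
# gateway would, i.e. including a client-supplied Proxy header.
headers_to_env() {
    while IFS= read -r line; do
        name="${line%%:*}"
        value="${line#*:}"
        value="${value# }"
        printf '%s=%s\n' "$(header_to_cgi_env "$name")" "$value"
    done
}

# The fix: pass header lines through, dropping any "Proxy" header regardless
# of case. Run this before headers_to_env and HTTP_PROXY can never be set by
# the client.
strip_proxy_header() {
    while IFS= read -r line; do
        name="${line%%:*}"
        case "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" in
            proxy) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Usage (constructed request):
#   printf 'Host: app.example.test\nProxy: http://proxy.invalid:8080\n' \
#       | strip_proxy_header | headers_to_env
```

In a real deployment the same stripping is one directive away: `fastcgi_param HTTP_PROXY "";` in nginx, or `RequestHeader unset Proxy early` with mod_headers in Apache, which is what the advisory recommends for sysadmins who cannot wait for their application runtime to be patched.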

Pets vs Cattle

Technically, this isn’t news, as it’s from 2014. But it’s a nice reminder of how our industry is evolving, from “pet” servers that we assign names and cherish to “cattle” servers that we run en masse, have no feelings for and can create/destroy at will in the cloud.

Linux commands “astu” and “astsu” in Mr. Robot

Mr. Robot is a TV series with one of the most accurate depictions of “hackers”. In the series, they use the commands “astu” and “astsu” at the terminal and this blogpost tries to explain what they do.

Tools & Projects

Prometheus 1.0

Prometheus is the monitoring solution in use by SoundCloud and last week they released their first major version: 1.0. This post has some of the history and highlights the different contributions.

Engintron: nginx on cPanel

Engintron is a free extension for cPanel that introduces the Nginx proxy for static content.

Biscuit

Biscuit is a multi-region HA key-value store for your AWS infrastructure secrets.

Notepad++ 6.9.2: tail -f support

This is essentially a Windows tool, but the latest release has a remarkable feature: it can now “tail -f” a logfile or debug file when using notepad++. So if you’re on a Windows machine, notepad++ just made it slightly easier to work.

Guides & Tutorials

Docker Storage: An Introduction

A very good introduction to the Docker container image, its copy-on-write filesystem, the multiple storage drivers and mounted volumes.

Building Highly Scalable V6 Only Cloud Hosting

This article is about building a new highly scalable cloud hosting solution using IPv6-only communication between commodity servers, what problems the team faced with the IPv6 protocol and how they tackled them to handle more than ten million active users.

Puppet 4 upgrade guide

The Puppet team published an updated guide to transition a Puppet 3 codebase into the Puppet 4 era.

The Hitchhiker’s Guide to Python!

An excellent guide on writing Python code: very practical with lots of examples, for both beginners and experts.

View Hardware Information Using the Command Line on Linux

A good reminder on using lscpu, lshw, lsusb and the like.

A HAProxy segfault adventure

This technical in-depth article shows how the author debugged HAProxy that segfaulted inside a Docker container. Since Docker containers inherit kernel settings from the host, like the Apport core dump handler, but may be running an “OS” like Alpine Linux that doesn’t have Apport, this can get tricky.

Terraform: Cloud made easy (Part 1 of 4)

Ever wanted to try Terraform, to spin up containers and VMs? This guide has you covered: the first part is very hands-on and sets the structure of the Terraform code you’ll be writing.

systemd: masking units

There’s a fair bit of complexity and possibility in systemd’s dependencies for service management. One way of ensuring a service is never started, even as a result of a dependency, is to “mask” it. This post makes a very clear point about when and how to use that method.
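What masking does on disk is simple enough to reproduce without systemd, which is useful when auditing an image or a chroot. The script below is an added example (not from the linked post): `systemctl mask` replaces the unit in /etc/systemd/system with a symlink to /dev/null, which takes precedence over the vendor unit in /usr/lib/systemd/system, so neither a manual start nor a Wants=/Requires= dependency can bring the unit up. The `UNIT_DIR` variable and the function names are this example's own; on a real host you would use `systemctl mask`/`unmask` rather than creating the link by hand.

```shell
#!/bin/sh
# Added example: detect and reproduce systemd unit masking at the filesystem
# level. UNIT_DIR defaults to the real override directory; point it at a
# scratch directory (or an image's etc/systemd/system) to run without systemd.

UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"

# Returns 0 if the unit is masked, i.e. the override path is a symlink to
# /dev/null, and 1 otherwise.
is_masked() {
    unit="$1"
    link="$UNIT_DIR/$unit"
    [ -L "$link" ] && [ "$(readlink "$link")" = /dev/null ]
}

# Create the /dev/null symlink the way "systemctl mask" does. Like systemctl,
# refuse when a real unit file already lives in the override directory: that
# file is local configuration, not something to silently replace.
mask_unit_by_hand() {
    unit="$1"
    target="$UNIT_DIR/$unit"
    if [ -e "$target" ] && [ ! -L "$target" ]; then
        printf 'refusing: %s is a real unit file\n' "$target" >&2
        return 1
    fi
    ln -sfn /dev/null "$target"
}

# Print the names of all masked units under UNIT_DIR, one per line.
list_masked() {
    for f in "$UNIT_DIR"/*; do
        [ -L "$f" ] || continue
        [ "$(readlink "$f")" = /dev/null ] && printf '%s\n' "${f##*/}"
    done
    return 0
}
```

On a live system `systemctl list-unit-files --state=masked` gives the same list as `list_masked`; the by-hand version is for offline images and for understanding why a masked unit stays down even when something depends on it.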

Browse log files using multitail

multitail allows you to tail multiple files at once (hence the name). This post explains how it works and looks and introduces a couple of shortcuts.
