scripts mit edu
play

scripts.mit.edu Quentin Smith scripts@mit.edu Student Information - PowerPoint PPT Presentation

Mar 13, 2023 •461 likes •897 views

Services Backend Further Info scripts.mit.edu Quentin Smith scripts@mit.edu Student Information Processing Board October 29, 2019 Quentin Smith scripts@mit.edu scripts.mit.edu Services Backend Further Info Outline Services 1 Web Mail

  1. Services Backend Further Info scripts.mit.edu Quentin Smith scripts@mit.edu Student Information Processing Board October 29, 2019 Quentin Smith scripts@mit.edu scripts.mit.edu

  2. Services Backend Further Info Outline Services 1 Web Mail Cron (“Shortjobs”) SQL Version control Quentin Smith scripts@mit.edu scripts.mit.edu

  3. Services Backend Further Info Outline Services 1 Web Mail Cron (“Shortjobs”) SQL Version control Backend 2 AFS suEXEC Kerberos LDAP Apache modules LVS Ansible Quentin Smith scripts@mit.edu scripts.mit.edu

  4. Services Backend Further Info Outline Services 1 Web Mail Cron (“Shortjobs”) SQL Version control Backend 2 AFS suEXEC Kerberos LDAP Apache modules LVS Ansible Further Info 3 Quentin Smith scripts@mit.edu scripts.mit.edu

  5. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control Outline Services 1 Web Mail Cron (“Shortjobs”) SQL Version control Backend 2 AFS suEXEC Kerberos LDAP Apache modules LVS Ansible Further Info 3 Quentin Smith scripts@mit.edu scripts.mit.edu

  6. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control Apache Everyone wants Apache Apache’s default configuration isn’t safe for scripting Scripting requires code execution—mod php, mod perl, mod python, mod wsgi Apache normally runs everything as apache/nobody How to secure? Quentin Smith scripts@mit.edu scripts.mit.edu

  7. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control Apache Everyone wants Apache Apache’s default configuration isn’t safe for scripting Scripting requires code execution—mod php, mod perl, mod python, mod wsgi Apache normally runs everything as apache/nobody How to secure? suEXEC—allows Apache to spawn a process as the user. . . . . . even for static content! Quentin Smith scripts@mit.edu scripts.mit.edu

  8. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control suEXEC setuid program Passed the request by Apache Verifies that the script is in the web scripts directory Switches to the uid of the file and executes Even for static files! Quentin Smith scripts@mit.edu scripts.mit.edu

  9. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control Postfix Standard Postfix server No local mailboxes All mail is passed to procmail mailbox_command = /usr/bin/procmail -t -p \ -a "${EXTENSION}" ~/mail_scripts/procmailrc Quentin Smith scripts@mit.edu scripts.mit.edu

  10. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control procmail Reads ~/mail_scripts/procmailrc from user’s home directory Users can do whatever they want with messages AFS causes problems—No way to know if failure is temporary (file server is down) or permanent (user isn’t signed up for mail scripts) All procmail failures are treated as temporary, so mail is queued Quentin Smith scripts@mit.edu scripts.mit.edu

  11. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control Cron (cronie) Crontabs are currently stored locally on scripts servers cronload command loads the crontabs from ~/cron_scripts/crontab Quentin Smith scripts@mit.edu scripts.mit.edu

  12. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control Cron (cronie) Crontabs are currently stored locally on scripts servers cronload command loads the crontabs from ~/cron_scripts/crontab Needs improvement Cron does not fail over with Web and Mail Quentin Smith scripts@mit.edu scripts.mit.edu

  13. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control sql.mit.edu Though scripts.mit.edu makes use of sql.mit.edu, it’s a separate SIPB service with different maintainers. sql.mit.edu provides MySQL databases to scripts users and anyone else SQL data is stored locally, replicated across multiple servers Nightly backups go into AFS Quentin Smith scripts@mit.edu scripts.mit.edu

  14. Web Services Mail Backend Cron (“Shortjobs”) Further Info SQL Version control SVN and Git hosting Not well documented svn:// username .scripts.mit.edu/ and git:// username .scripts.mit.edu/ Uses suEXEC to run a svnserve / git-daemon as the user /mit/ username /Scripts/ { svn,git } git:// is read-only, so future plans for svn+ssh:// and git+ssh:// Quentin Smith scripts@mit.edu scripts.mit.edu

  15. AFS suEXEC Services Kerberos Backend LDAP Further Info Apache modules LVS Ansible Outline Services 1 Web Mail Cron (“Shortjobs”) SQL Version control Backend 2 AFS suEXEC Kerberos LDAP Apache modules LVS Ansible Further Info 3 Quentin Smith scripts@mit.edu scripts.mit.edu

  16. AFS suEXEC Services Kerberos Backend LDAP Further Info Apache modules LVS Ansible AFS access controls AFS enforces server side access controls. On Athena systems: user’s password → Kerberos tickets → AFS tokens, which authenticate the client to the AFS server. On scripts, we don’t have the user’s password or tickets. User’s scripts are not publicly readable. Access is controlled through a single daemon.scripts AFS user. Quentin Smith scripts@mit.edu scripts.mit.edu

  17. AFS suEXEC Services Kerberos Backend LDAP Further Info Apache modules LVS Ansible Isolating users on scripts If all users share daemon.scripts AFS tokens, how are they prevented from accessing each other’s web scripts ? On scripts, we enforce additional restrictions in the AFS kernel module. afsAccessOK() in openafs/src/afs/VNOPS/afs vnop access.c Quentin Smith scripts@mit.edu scripts.mit.edu

  18. AFS suEXEC Services Kerberos Backend LDAP Further Info Apache modules LVS Ansible You can only use daemon.scripts credentials to access files in a volume with volume ID equal to your UID, int afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, afs_int32 check_mode_bits) { ... + if (!(areq->realuid == avc->fid.Fid.Volume) && + !((avc->anyAccess | arights) == avc->anyAccess) && + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && + avc->m.Mode == 0100777 || avc->apache_access) && + !(PRSFS_USR2 == afs_GetAccessBits(avc, PRSFS_USR2, areq)) && + !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && + areq->realuid == 0) && + !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && + (areq->realuid == 0 || areq->realuid == SIGNUP_UID))) { + return 0; Quentin Smith scripts@mit.edu scripts.mit.edu

  19. AFS suEXEC Services Kerberos Backend LDAP Further Info Apache modules LVS Ansible or the file is system:anyuser readable anyway, int afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, afs_int32 check_mode_bits) { ... + if (!(areq->realuid == avc->fid.Fid.Volume) && + !((avc->anyAccess | arights) == avc->anyAccess) && + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && + avc->m.Mode == 0100777 || avc->apache_access) && + !(PRSFS_USR2 == afs_GetAccessBits(avc, PRSFS_USR2, areq)) && + !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && + areq->realuid == 0) && + !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && + (areq->realuid == 0 || areq->realuid == SIGNUP_UID))) { + return 0; Quentin Smith scripts@mit.edu scripts.mit.edu

  20. AFS suEXEC Services Kerberos Backend LDAP Further Info Apache modules LVS Ansible or the apache or postfix users are doing a stat() , int afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, afs_int32 check_mode_bits) { ... + if (!(areq->realuid == avc->fid.Fid.Volume) && + !((avc->anyAccess | arights) == avc->anyAccess) && + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && + avc->m.Mode == 0100777 || avc->apache_access) && + !(PRSFS_USR2 == afs_GetAccessBits(avc, PRSFS_USR2, areq)) && + !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && + areq->realuid == 0) && + !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && + (areq->realuid == 0 || areq->realuid == SIGNUP_UID))) { + return 0; Quentin Smith scripts@mit.edu scripts.mit.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

298 views • 15 slides
Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

794 views • 40 slides
perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post

perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post

perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post process scripts 2 PERF SCRIPTS | JIRI OLSA COUNTING perf stat CPU 0 CPU 1 CPU 2 start $ perf stat -e ' cycles,instructions ' WORKLOAD

1.2k views • 59 slides
Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29

Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29

Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29 Outline Advantages/disadvantages of Python Running a parameter scan example Command line arguments Working with filesystem paths Working with

554 views • 29 slides
Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction

Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction

Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction www.kloster-seeon.de 2 Outline 1. Internal collaboration scripts 2. External collaboration scripts 3 Internal collaboration scripts What they are play

247 views • 24 slides
Listing Presentation Scripts Agent Scripts & Dialogues Listing Presentation Script for Real

Listing Presentation Scripts Agent Scripts & Dialogues Listing Presentation Script for Real

Listing Presentation Scripts Agent Scripts & Dialogues Listing Presentation Script for Real Estate Agents Learn the listing presentation scripts and dialogues that top agents use in listing consultations to list more homes for sale. An

325 views • 4 slides
COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello

COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello

COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello World Shebang! Example Project Introducing Variables Variable Names Variable Facts Arguments Exit Status Branching:

526 views • 36 slides
What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode

What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode

What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode Simple and consistent manner Developer Workshop Alphabetic, syllabic and ideographic scripts Version 4.0 Muthu Nedumaran 50,000

686 views • 4 slides
Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May

Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May

Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May 18, 2018 1 / 11 Mimblewimble and Scriptless Scripts Mimblewimble, proposed in 2016 by Tom Elvis Jedusor No scripts, only signatures. What

509 views • 11 slides
SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements

SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements

SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements Grouped into batches Batches are executed when a GO statement is hit Why are these batches necessary? Certain commands cannot be

452 views • 21 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER

Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER

Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER 2017 Overview Google Apps Scripts Overview Google Apps Scripts A scripting language based on JavaScript that lets you automate actions with

268 views • 15 slides
E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come

E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come

E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come many ways telephone fax e-script paper Not allowed for scheduled meds E-Scripts Workflow Script shows on Work queue

95 views • 6 slides
Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational

Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational

Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational momentum against sharing? Difficulty in making scripts generally applicable? Difficulty in discovery and installation? We can solve this one!

484 views • 23 slides
More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell Scripts Shell Variables and the Environment Simple Shell Scripting More Advanced Shell Scripting Start-up Shell Scripts Shells and Shell

367 views • 17 slides
Jonathan Shaw How does Fable use Lua? AI Quest scripts Camera Start-up settings

Jonathan Shaw How does Fable use Lua? AI Quest scripts Camera Start-up settings

Jonathan Shaw How does Fable use Lua? AI Quest scripts Camera Start-up settings Miscellaneous scripts Debugging Patching A (very) brief history The original Fable used C++ as its scripting language, using

449 views • 29 slides
High Performance HTML5 stevesouders.com/docs/qcon-2011118.pptx Disclaimer: This content does not

High Performance HTML5 stevesouders.com/docs/qcon-2011118.pptx Disclaimer: This content does not

High Performance HTML5 stevesouders.com/docs/qcon-2011118.pptx Disclaimer: This content does not necessarily reflect the opinions of my employer. flickr.com/photos/djbiesack/85833076/ YSlow Cuzillion SpriteMe Hammerhead

758 views • 60 slides
A Cross-Language Approach to Historic Document Retrieval Marijn Koolen, Frans Adriaans, Jaap

A Cross-Language Approach to Historic Document Retrieval Marijn Koolen, Frans Adriaans, Jaap

A Cross-Language Approach to Historic Document Retrieval Marijn Koolen, Frans Adriaans, Jaap Kamps, Maarten de Rijke University of Amsterdam and Utrecht (2006) http://staff.science.uva.nl/~kamps/publications/2006/kool:cros06.pdf Context:

509 views • 20 slides
IMGD 1001: Game Design Documents by Mark Claypool (claypool@cs.wpi.edu) Robert W. Lindeman

IMGD 1001: Game Design Documents by Mark Claypool (claypool@cs.wpi.edu) Robert W. Lindeman

IMGD 1001: Game Design Documents by Mark Claypool (claypool@cs.wpi.edu) Robert W. Lindeman (gogo@wpi.edu) Types of Game Design Docs Concept Document Proposal Document Technical Specification Game Design Document Level Designs

193 views • 7 slides
Who needs Pandoc when you have Sphinx? An exploration of the parsers and builders of the Sphinx

Who needs Pandoc when you have Sphinx? An exploration of the parsers and builders of the Sphinx

Who needs Pandoc when you have Sphinx? An exploration of the parsers and builders of the Sphinx documentation tool FOSDEM 2019 @stephenfin reStructuredText, Docutils & Sphinx 1 A little reStructuredText =========================

1.31k views • 87 slides
Introduction To Machine Learning David Sontag New York University Lecture 21, April 14, 2016

Introduction To Machine Learning David Sontag New York University Lecture 21, April 14, 2016

Introduction To Machine Learning David Sontag New York University Lecture 21, April 14, 2016 David Sontag (NYU) Introduction To Machine Learning Lecture 21, April 14, 2016 1 / 14 Expectation maximization Algorithm is as follows: 1 Write

334 views • 14 slides
Howdy! 38 38 th th Int Interna nationa nal C l Conf nferenc nce on S n Software E

Howdy! 38 38 th th Int Interna nationa nal C l Conf nferenc nce on S n Software E

38 38 th th Int Interna nationa nal C l Conf nferenc nce on S n Software E Eng ngine neering ng May 1 y 1421 Howdy! 38 38 th th Int Interna nationa nal C l Conf nferenc nce on S n Software E Eng ngine

656 views • 30 slides
XQuery Language Introduction to databases CSCC43 Spring 2012 Ryan Johnson Thanks to Manos

XQuery Language Introduction to databases CSCC43 Spring 2012 Ryan Johnson Thanks to Manos

XQuery Language Introduction to databases CSCC43 Spring 2012 Ryan Johnson Thanks to Manos Papagelis, John Mylopoulos, Arnold Rosenbloom and Renee Miller for material in these slides 2 Quick review of XPath Strengths Compact syntax

757 views • 28 slides
Kuali ali f for or Ste teve vens Fiscal Officer / Organization Reviewer Training

Kuali ali f for or Ste teve vens Fiscal Officer / Organization Reviewer Training

Welcome to Kuali ali f for or Ste teve vens Fiscal Officer / Organization Reviewer Training 8.4.11.version Welcome and Introductions Presenters: Randy Greene, CFO, VP for Finance, and Treasurer Mary Hallstead, Communications

422 views • 31 slides

More recommend