For every Win, there is an equal and opposite Fail. [Sep. 3rd, 2009|08:52 pm]
Lindsey Kuper

After my initial audition, I got called back for two choirs, Contemporary Vocal Ensemble and University Chorale. Nice!

I did terribly in my callback audition. Terribly! They knew I knew it, too. They were like, "Don't worry, we know you're probably better than this." But do they? Sigh.

All kinds of people keep on complimenting me on the C311 and B521 websites!

One of our students found a really embarrassing security issue with the websites. You see, on our CS department's CGI server, PHP runs as the 'cgi' user, which is in the 'cgid' group. I, of course, am 'lkuper' in the 'students' group. I can't join the 'cgid' group, but I needed the files to be writable by PHP -- so I had write permissions on everything wide open and I thought there was nothing I could do about it. But our student (who had done network security for a while in the Air Force before coming to grad school) pointed out that our excellent IUCS sysadmin folks had already thought of this problem and provided a workaround -- after demonstrating how he could have screwed my stuff up, had he been malicious. It's fixed now, but jeez. I suck.
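
As an added illustration (not code from the post or from the IUCS scripts), here is a small shell audit-and-fix for the setup described: find the world-writable files, then make them group-writable for the CGI group instead of writable by everyone. The group name, directory, and the `tighten_perms` helper are assumptions; the chgrp step is the part that needed the sysadmin's wrapper on the real server, since a user in 'students' cannot hand files to a group they don't belong to.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a web tree for
# world-writable entries and replaces "everyone can write" with
# "owner and CGI group can write". Group name and paths are assumptions.

# List every regular file or directory under $1 with the "other" write bit set.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# Number of world-writable entries under $1 (0 is the goal after the fix).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten $1 for CGI group $2: drop the "other" write bit, keep group write
# so the CGI user (a member of $2) can still modify the files, then hand the
# tree to that group. chgrp fails for a caller who is not in $2; on the
# server in the post that is exactly why the sysadmins' wrapper existed.
tighten_perms() {
    dir=$1
    group=$2   # e.g. cgid on the department server (assumed name)
    find "$dir" -perm -002 \( -type f -o -type d \) -exec chmod o-w,g+w {} +
    chgrp -R "$group" "$dir" 2>/dev/null \
        || echo "chgrp to $group failed: not a member, use the wrapper" >&2
}
```

Run `count_world_writable /path/to/site` before and after `tighten_perms` to confirm the exposure is gone while PHP, running as the group member, can still write.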

Apparently, people now think I'm good enough at monads that they ask me questions about them!

From: keturn
2009-09-04 07:13 pm (UTC)

you are not your code. but also, yay cgi.

This is really a "locks keep out honest people" type of scenario. The workaround isn't even that awesome, because anyone who can run CGI scripts on that server still has full access to those files. (Or anyone who can crack any of the other CGI scripts. Given a PHP & CGI environment in the hands of a department full of CS undergrads, it's pretty likely that someone's running one with a hole.)

It's also true that, despite all we unix users worry about the root password and partitioning users into groups and whatnot, it's generally accepted that if you can get a shell account on which you can run arbitrary code, you can crack the whole machine. Even Matasano Chargen, which is some holy pantheon of computer security, got cracked through a loose shell account.

So while it's handy to know about your school's quirky little chgrp wrapper scripts, you didn't really put the fate of the world at risk when getting it "wrong".