Preparing for the next step in kendo

2011-12-29 19:36:00

The design for my zekken

In the new year things will get serious!

My kendo glasses are being made, so I can start wearing my men. That completes my bogu, as I've already been wearing the do, kote and tare. Which means that yes, I'm going to get into real geiko and I can compete in shiai! And as I have mentioned before, I'll jump into the deep end in 2012! January will see our next kyu examinations and in February I'll join the kyu-grade tournament.

This will require a few last preparations:

The design for my zekken is shown on the left. Along the top is the name of our dojo, Renshinjuku (錬心塾) and along the bottom is my surname. The middle is a repeat of my surname, but in katakana, which reads SURATA. The fine folk at kendo24 are on holiday this week and my favored shinai (the "kenshi" model) is sold out, so I hope my order will reach Almere in time.

New (kendo) glasses ordered

2011-12-24 11:26:00

kendo glasses

This morning I walked into the local SpecSavers to get measured for new glasses. My current glasses have never really worked out properly for me, so now it's within two years instead of three. I have to say that today's measurement was worrisome for me. I'll soon make an appointment with an optometrist, because I wonder if there's something rather wrong with my eyes. Time to get over my fear of eye doctors :(

Left: Sp = -10.25, was -9.50 in December 2009 and -9.00 in December 2006.

Right: Sp = -10.25, was -9.75 in December 2009 and -9.50 in December 2006.

Today I ordered lenses for my kendo glasses, which have priority as my first tournament is up in February. In January I'll go back to the shop with Marli, so we can pick out frames for new day-to-day pairs. At least the price is right at SpecSavers! I'm getting lenses with an RI of 1.6 and they come at 95 euro for the pair. Not apiece, but for the pair! The SpecSavers will charge me 50 bob to cut them and install them in my frame. That's -still- half of what we used to pay at Pearl!

Kris, if you're reading this: with some luck you'll get to really knock me around, come January! ^_^

BOKS: Mind your log files, part 2

2011-12-19 00:00:00

A few months back we discussed how incorrect log settings can mess with your auditing and logging in "Mind your log files!". Today we'll take a look at another way your logging can go horribly wrong.

Case in point: keystroke logs.

BoKS' suexec facility comes with optional keystroke logging, which allows you to capture a user's input and output. This is particularly handy when providing suexec su - user access to an application account or to a super user. These keystroke logs are stored locally on the client system, where they are hashed and filed. The master server then pulls these log files from each client for centralized storage, after which the files are cleaned from the clients. Optionally, the log files are then pushed to replica servers for backup purposes.

Things go awfully wrong when the master server's kslog storage is underdimensioned. Once the storage location for keystroke logs is full, the master server stops pulling and cleaning files from the client systems. This means that $BOKS_var/kslog, which is meant for temporary storage, now becomes rather permanent storage. And since many BoKS administrators leave $BOKS_var as part of the /var file system, you are now filling up /var on every client. If a BoKS client system is not protected against a 100% filled /var you are looking at a very, very nasty situation: you might end up crashing client systems, or causing other erratic behaviour. So the master's kslog storage and each client's $BOKS_var/kslog deserve monitoring, and $BOKS_var is better off on a file system of its own.
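As an added example (not BoKS code and not part of the original post), here is a small watchdog you can run from cron on each BoKS client. It measures the size of the keystroke-log spool and the fill level of the file system holding it, and exits non-zero when either passes a threshold, so a master that has silently stopped pulling shows up before /var fills. The spool location is read from $BOKS_var; the fallback path used below is a placeholder assumption, not a documented BoKS default, and the thresholds are arbitrary starting points.

```shell
#!/bin/sh
# Added example, not part of BoKS or the post: a watchdog for the client-side
# keystroke-log spool. The fallback value for $BOKS_var is a placeholder
# assumption; set it to whatever your installation actually uses.

: "${BOKS_var:=/var/opt/boksm}"
KSLOG_DIR="${BOKS_var}/kslog"
KSLOG_MAX_KB=51200   # warn when the spool exceeds 50 MB
FS_MAX_PCT=85        # warn when the file system holding the spool is over 85% used

# Size of a directory tree in kilobytes (POSIX du -sk).
dir_kb() {
    du -sk "$1" 2>/dev/null | awk '{ print $1 }'
}

# Number of spooled files; this should hover near zero once the master has
# pulled and cleaned them, so a steadily growing count is itself a symptom.
spool_count() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Percentage used of the file system holding $1, from POSIX df -P output
# (column 5 is the capacity, e.g. "42%").
fs_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# check_kslog_spool DIR MAX_KB MAX_PCT
# Exit status: 0 healthy; 1 spool larger than MAX_KB (the master has probably
# stopped pulling); 2 file system above MAX_PCT (the full-/var scenario).
check_kslog_spool() {
    dir=$1; max_kb=$2; max_pct=$3
    if [ ! -d "$dir" ]; then
        echo "kslog spool $dir does not exist; nothing to check"
        return 0
    fi
    kb=$(dir_kb "$dir"); kb=${kb:-0}
    pct=$(fs_used_pct "$dir"); pct=${pct:-0}
    files=$(spool_count "$dir")
    if [ "$pct" -gt "$max_pct" ]; then
        echo "CRITICAL: file system holding $dir is ${pct}% full (limit ${max_pct}%); spool is ${kb} KB in ${files} files"
        return 2
    fi
    if [ "$kb" -gt "$max_kb" ]; then
        echo "WARNING: kslog spool $dir is ${kb} KB in ${files} files (limit ${max_kb} KB); is the master still pulling?"
        return 1
    fi
    echo "OK: kslog spool $dir is ${kb} KB in ${files} files, file system ${pct}% full"
    return 0
}

# Only run against the real spool when explicitly asked, so the file can also
# be sourced for its functions.
case "${1:-}" in
    check) check_kslog_spool "$KSLOG_DIR" "$KSLOG_MAX_KB" "$FS_MAX_PCT" ;;
esac
```

Invoke it as `sh kslog-watch.sh check` from cron and alert on a non-zero exit status. The file-system check deliberately outranks the spool-size check: a nearly full /var is the condition that takes the client down, whatever is causing it.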

TLDR:

Closing 2011 at Renshinjuku Kendo Almere

2011-12-17 19:09:00

Today was the closing of 2011 at Renshinjuku Kendo in Almere (錬心塾剣道 アルメレ). And for this occasion our trainers had set up an interesting day :)

The suburi for warming up were changed dramatically. After the usual jogeburi, a new "game" was explained to us. Every member of the school would sound off ten strikes in turn and everybody would chime in with a shout of "men!". Since there were fifteen people, that makes for a hundred and fifty strikes. Did I mention it was haya suburi?! (short video of haya suburi) I failed right after my turn, which was after fifty I believe ;_;

I did my best to have great kiai and was one of the few whose counting resounded loudly through the hall ^_^

After that was another fun little game: everybody would take turns hitting fast kote on motodachi for ten seconds straight. The challenge was to do as many good strikes as possible, combining fumikomi, kiai and strike. I managed to get up to 32, although that could've been more had I paid more attention to footwork and relaxation.

After that: kiri kaeshi (another short video), which didn't go too well at all. The kendoka without full bogu were taken apart by Kris to focus on the basics: footwork and strikes. We were all quite sloppy :( Then, more and more basics, including stuff to focus on reaction times and snappiness. It was a great last class for the year and I felt awesome in the end. 

Today's big learning points!

I'm very much looking forward to 2012. In January we will have our next exams and in February I plan on taking part in the kyu-grade tournament with Martijn. That means I'd better get a move on with my kendo glasses as I'll need to be in full bogu for the tourney!

BoKS debugging example

2011-12-16 00:00:00


Yesterday served as a reminder that we can all fall prey to stupid little things :)

Symptom: A customer of mine could use suexec su - oracle on a few of his systems, but not on some of his others.

Troubleshooting: Everything seemed to check out just fine. The customer's account was in working order and neither root, nor the target account were locked or otherwise problematic. And of course the customer had the required access routes.

$ suexec lsbks -aTl *:customer | grep SXSHELL
suexec:*->root@HOSTGROUP%CUSTOMER-PG-SXSHELL (kslog=3)

$ suexec pgrpadmin -l -g CUSTOMER-PG-SXSHELL | grep oracle
/bin/su - oracle
/usr/bin/su - oracle

So, why does BoKS keep saying that this user isn't allowed to use suexec su - oracle on one box, but it's okay on the other?

12/13/11 10:00:57 HOST1 pts/1 customer suexec Successful suexec (pid 16867) from customer to root, program /bin/su
12/13/11 10:00:57 HOST1 pts/1 customer suexec suexec args (pid 16867): - oracle
12/13/11 10:01:12 HOST2 pts/5 customer suexec Unsuccessful suexec from customer to root, program /bin/su. No terminal authorization granted.

I thought it was odd that the logging for the failed suexec seemed "incomplete" (the attempt on HOST2 has no "suexec args" line at all, so the client never reported any arguments), but I wrote it off as a software glitch. However, this is where alarm bells should've gone off!

So I continued and everything seemed to check out: on both hosts /bin/su was used, on both hosts oracle was the target user and the BoKS logging supported it all. So let's try something exciting! Boksauth simulations!

Obviously the simulation for HOST1 went perfectly. But then I tried it for HOST2:

$ suexec boksauth -L -Oresults -r 'SUEXEC:customer@pts/1->root@HOST2%/bin/su#20-#20oracle' -c FUNC=auth TOUSER=root FROMUSER=customer TOHOST=HOST2 FROMHOST=HOST2 PSW="iascfavvcfHc"


What I was expecting to see was STATE=6 and ERROR=203. But since the ERROR= field is absent and the STATE=9, this indicates that the simulation was successful. Now things get interesting! So I asked my customer to try the suexec su - oracle with me online, while I ran a trace on the BoKS internals. This resulted in a file 10k lines long, but it finally got me what I needed.

In the course of the debug trace, BoKS went through table 37 (suexec program group entries) to verify whether my customer's command was among the list. It of course was, but BoKS said it didn't match!

wildprogargscmp_recurse: wild = /usr/bin/su#20-#20oracle, match = /bin/su
wildprogargscmp_recurse: is_winprog = 0
wildprogargscmp_docmp: Called, wild /usr/bin/su#20-#20oracle match /bin/su
wildprogargscmp_docmp: Progs do not match
wildprogargscmp_docmp: return 1 (0 means match)
wildprogargscmp_recurse: wild = /bin/su#20-#20oracle, match = /bin/su
wildprogargscmp_recurse: is_winprog = 0
wildprogargscmp_docmp: Called, wild /bin/su#20-#20oracle match /bin/su
wildprogargscmp_docmp: fnamtch wild - sumdev, match did not match
wildprogargscmp_docmp: return 1 (0 means match)

This threw me for a loop. So I went back to the original BoKS servc call that was received from client HOST2.

servc_func_1: From client (HOST2) {FUNC=auth01TOHOST=?HOST01FROMHOST=?HOST01TOUSER=root01FROMUSER=customer01FROMUID=181801FROMTTY=pts/5201ROUTE=SUEXEC:customer@pts/52->root@?HOST%/bin/su}

And then it clicked! One final check confirmed that I'd been overthinking the issue!

$ suexec cadm -l -f ENV -h HOST2 | grep ^VERSION

It turns out that HOST2 was still running BoKS version 6.0. While the suexec facility was introduced into BoKS aeons ago, only as of version 6.5 did suexec become capable of screening command parameters. So a v6.5 client submits the full command line in its authorization request (the route ends in /bin/su#20-#20oracle, with #20 standing for a space), while a v6.0 client sends only the program (the route ends in a bare /bin/su). The program group entries list the arguments, so a request that carries none can never match them, and of course that fails. The lesson: when a BoKS log line looks incomplete, check the client's version before digging into the server's internals.
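To make the failure mode concrete, here is an added example (my own model, not BoKS code) of the matching behaviour the trace shows. It assumes, as the trace suggests, that a program group entry is the program and its arguments with each space written as the escape #20, that the client's route string carries the requested command line after the % sign, and that both the program and each argument are compared with fnmatch-style wildcards. The real wildprogargscmp_* routines may differ in detail; the point is that an entry listing arguments cannot match a request that carries none, which is exactly what a v6.0 client sends.

```python
import re
from fnmatch import fnmatchcase

# Added example, not BoKS code: a model of the suexec program-group matching
# seen in the trace. The #XX escape, the route layout and the wildcard
# semantics are assumptions drawn from the trace output, not documented API.

ESCAPE_RE = re.compile(r"#([0-9A-Fa-f]{2})")
ROUTE_RE = re.compile(
    r"^SUEXEC:(?P<fromuser>[^@]+)@(?P<tty>[^-]+)->"
    r"(?P<touser>[^@]+)@(?P<host>[^%]+)%(?P<cmd>.*)$"
)


def decode_entry(entry):
    """Turn '/bin/su#20-#20oracle' into ['/bin/su', '-', 'oracle']."""
    decoded = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), entry)
    return decoded.split(" ")


def encode_entry(argv):
    """Inverse of decode_entry: escape '#' and join the words with #20."""
    return "#20".join(word.replace("#", "#23") for word in argv)


def parse_route(route):
    """Split a SUEXEC route into its fields; argv is the decoded command line."""
    m = ROUTE_RE.match(route)
    if not m:
        raise ValueError("not a SUEXEC route: %r" % route)
    fields = m.groupdict()
    fields["argv"] = decode_entry(fields.pop("cmd"))
    return fields


def entry_matches(entry, argv):
    """One program-group entry against a requested argv.

    The program path and every argument must match (wildcards allowed), and
    the word counts must agree: an entry that lists arguments never matches a
    request that arrived without them.
    """
    wild = decode_entry(entry)
    if len(wild) != len(argv):
        return False
    return all(fnmatchcase(got, pattern) for got, pattern in zip(argv, wild))


def authorize(group, route):
    """Return (allowed, reason) for a route checked against a program group."""
    argv = parse_route(route)["argv"]
    for entry in group:
        if entry_matches(entry, argv):
            return True, "matched %s" % entry
    # Diagnostic for the case in the post: the program is known to the group
    # but the request carries no arguments at all.
    programs = {decode_entry(e)[0] for e in group}
    if len(argv) == 1 and any(fnmatchcase(argv[0], p) for p in programs):
        return False, ("program %s is in the group but the request carries no "
                       "arguments; an older client may be sending only the "
                       "program" % argv[0])
    return False, "no entry matches %s" % " ".join(argv)


# Constructed program group mirroring the pgrpadmin listing in the post.
CUSTOMER_PG_SXSHELL = ["/bin/su#20-#20oracle", "/usr/bin/su#20-#20oracle"]

if __name__ == "__main__":
    for route in [
        "SUEXEC:customer@pts/1->root@HOST1%/bin/su#20-#20oracle",   # v6.5 client
        "SUEXEC:customer@pts/52->root@HOST2%/bin/su",               # v6.0 client
        "SUEXEC:customer@pts/1->root@HOST1%/bin/su#20-#20postgres",
    ]:
        print(route, "->", authorize(CUSTOMER_PG_SXSHELL, route))
```

Running it prints one allowed result for the v6.5-style route, the "carries no arguments" diagnostic for the v6.0-style route, and a plain mismatch for the postgres request; that middle reason is the hint I would have wanted the real log line to give me.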

It's awesomely fun to dig around BoKS' internals, but in this particular case it'd have been better if I'd spent the hour on something else :)

Sports, kendo, perseverance and such

2011-12-03 20:52:00

The past few weeks I have been a bit frustrated with myself. Since coming home from Japan I haven't properly gotten back to my sports regime. Only last week have I tried to get back to running on a daily basis, which aggravates me because I walk the same piece of road on a daily basis. So why not run instead of walking?! Well, at least I'm not taking the bus to the office.

Same for kendo. Before the holiday I used to train at home at least once a week, together with Martijn. Of course, these days the weather outside is awful, but I can still train by myself in the attic like I did when I just got started. But I haven't...

But! I'm not quitting kendo! I enjoy this way too much and it's very educational, both physically and mentally. The social aspect of it is also very pleasant, as my classmates are cool guys.

Points to take away from today's lesson:

