Mimsy Were the Borogoves

Mimsy Were the Technocrats: As long as we keep talking about it, it’s technology.

42 Astoundingly Useful Scripts and Automations for the Macintosh

Work faster and more reliably. Add actions to the services menu and the menu bar, create drag-and-drop apps to make your Macintosh play music, roll dice, and talk. Create ASCII art from photos. There’s a script for that in 42 Astounding Scripts for the Macintosh.

Shared uidNumber? You have got to be kidding me!

Jerry Stratton, April 26, 2013

I was just about to do some work on the student life web account, and I had to sudo into it:

[jerry@files ~]$ cd /var/www/html/studentlife/
-bash: cd: /var/www/html/studentlife/: Permission denied
[jerry@files ~]$ sudo -u studentlife -s
[sudo] password for jerry:
[randomstudent@files ~]$

Wait, what? How could I sudo to “studentlife” and end up as “randomstudent”? I did a check in LDAP, and sure enough, the studentlife web account and randomstudent (yes, name redacted, it wasn’t their fault) share the same uidNumber. For those of you who aren’t familiar with Unix account systems, the uidNumber determines what the account has access to; two accounts with the same uidNumber are for all practical purposes one account. They can each do whatever they want to the other account: view its files, modify its files, run its software, etc.

I created a high priority security ticket, then realized I’d better see if any other conflicts exist.

One thousand, five hundred, fifty-five shared uidNumbers.

This went beyond a minor glitch in account creation. I went to talk to the guy in charge of identity management.

“Yes, we know, we’re waiting to move to the new system.”

The old system they’re waiting to move from is the same system I’ve been complaining about that silently truncates passwords.1 No wonder they don’t care that our students’ passwords are easily guessed. Some of them don’t even need passwords to hack someone else’s account. Four of them potentially have access to accounts on the main web server, and at least one has access to an IT developer’s account.

In response to Embarrassing password tricks: Never trust anyone over 30 characters.

  1. Yes, as of the time of writing this, passwords are still truncated to eight characters without telling the user.

  1. <- Brute-force hacking