I get a lot of utility out of these tools. My normal use case is to write an execlineb script that terminates in to Python code. I put environment handling like default paths, virtual environments, or resource limits in the execline script and leave the Python code to handle data.
skarnet is active in #s6 on Freenode and has helped me debug an unexpected behavior in the access rules code. I’ve been enjoying watching the fd-holding code mature here, recently. I haven’t deployed anything with that component yet.
Is it possible to start a supervisor as a user? Think docker-compose but without the containers. For now only supervisord seems to handle that use-case.
It is. I have an ~/svc directory I use, amongst other things, for starting ssh “tunnels.” That is, ssh connections that exist purely to port forward.
my boot script is more-or-less taken from the docs and customized to this circumstance. Here I define a lockfile where I place the process id of s6-svscan and set up s6-log as a catch-all logger. The script exits once s6-log has come up:
ssh by itself doesn’t strictly need all this hair: I have additional services other than ssh I’m not showing here. It does permit me to start more than one ssh session to a particular host concurrently (i.e., as a side effect in a script) which s6 turns in to a single start. That lets me bring a tunnel up every time I need it without worrying about whether it’s started or not. Or even whether s6 has been started yet.
I’ve only had a few interactions with him, and nothing offensive. I’m willing to give everyone the benefit of the doubt, especially because I’m often guilty of immediately reacting and attacking and being ‘difficult’.
rain1 actually knows this about me first hand, from having some discussions with me and providing a listening ear for my rantings. :)
As an anecdote- back when Theo De Raadt used be a regular on EFnet, he patiently and humbly spent many hours helping me get an early OpenBSD release working on a non-standard 486SX embedded board - and once it finally worked, he absolutely refused to commit the changes back to support my “broken-ass crap hardware”, or similar. And he /quit. :)
He probably doesn’t remember the interaction, but I sure do, and it left a lasting impression on me as an strongly opinionated but good and decent guy. Theo is historically known as a “difficult” personality. The moral here is to always give people a second chance.
Here is an excerpt from my #s6 Freenode IRC log from June 19th 2018. It contains rain1’s report about a security issue, but doesn’t contain the follow-up conversation. Given the implication of rain1’s now deleted comment, I think it is worth clearing the air over precisely what was reported:
[10:51:42] <rain1> if i try ssh '`evilcommand`@my-s6-system'
[10:52:09] <rain1> @400000005a5803150fca7ec6 Failed keyboard-interactive/pam
for invalid user `evilcommand` from 127.0.0.1 port 46200 ssh2
[10:52:11] <rain1> is in the logs
[10:52:36] <rain1> and if i try to run that as a script it executes the evil command,
then errors saying @400000005a5803150fca7ec6: command not found
[10:54:04] <rain1> so based on this I wonder if we should think about a different way
that s6 log can express status without using the +x bit as a signal?
https://skarnet.org/software/s6/s6-log.html
The report is observing that s6-log uses the execute bit to track state during log rotation, and that if one executes a log file you might run a command embedded in your log file by an attacker.
I don’t consider this a security issue in s6-log, though I do consider it reasonable to discuss using file permissions for non-permission like state. djb did this with .qmail files, using the sticky bit to indicate whether delivery to a mailbox is enabled.
I get a lot of utility out of these tools. My normal use case is to write an execlineb script that terminates in to Python code. I put environment handling like default paths, virtual environments, or resource limits in the execline script and leave the Python code to handle data.
skarnet is active in #s6 on Freenode and has helped me debug an unexpected behavior in the access rules code. I’ve been enjoying watching the fd-holding code mature here, recently. I haven’t deployed anything with that component yet.
Is it possible to start a supervisor as a user? Think docker-compose but without the containers. For now only supervisord seems to handle that use-case.
It is. I have an ~/svc directory I use, amongst other things, for starting ssh “tunnels.” That is, ssh connections that exist purely to port forward.
my boot script is more-or-less taken from the docs and customized to this circumstance. Here I define a lockfile where I place the process id of s6-svscan and set up s6-log as a catch-all logger. The script exits once s6-log has come up:
I have a wrapper around pstree I use to show my service process tree:
Which produces output like:
ssh by itself doesn’t strictly need all this hair: I have additional services other than ssh I’m not showing here. It does permit me to start more than one ssh session to a particular host concurrently (i.e., as a side effect in a script) which s6 turns in to a single start. That lets me bring a tunnel up every time I need it without worrying about whether it’s started or not. Or even whether s6 has been started yet.
[Comment removed by author]
I’ve only had a few interactions with him, and nothing offensive. I’m willing to give everyone the benefit of the doubt, especially because I’m often guilty of immediately reacting and attacking and being ‘difficult’.
rain1 actually knows this about me first hand, from having some discussions with me and providing a listening ear for my rantings. :)
As an anecdote- back when Theo De Raadt used be a regular on EFnet, he patiently and humbly spent many hours helping me get an early OpenBSD release working on a non-standard 486SX embedded board - and once it finally worked, he absolutely refused to commit the changes back to support my “broken-ass crap hardware”, or similar. And he /quit. :)
He probably doesn’t remember the interaction, but I sure do, and it left a lasting impression on me as an strongly opinionated but good and decent guy. Theo is historically known as a “difficult” personality. The moral here is to always give people a second chance.
Like all free software s6 comes with no warranty. What security issue did you discover how was the author rude?
Here is an excerpt from my #s6 Freenode IRC log from June 19th 2018. It contains rain1’s report about a security issue, but doesn’t contain the follow-up conversation. Given the implication of rain1’s now deleted comment, I think it is worth clearing the air over precisely what was reported:
The report is observing that s6-log uses the execute bit to track state during log rotation, and that if one executes a log file you might run a command embedded in your log file by an attacker.
I don’t consider this a security issue in s6-log, though I do consider it reasonable to discuss using file permissions for non-permission like state. djb did this with .qmail files, using the sticky bit to indicate whether delivery to a mailbox is enabled.