PBS, FD_CLOEXEC and Java

The PBS/Torque scheduler that ships with Ubuntu 12.04 uses an interesting method to verify that user requests from a submission node cannot impersonate anyone else. In a nutshell, any Torque command (qsub, qstat, etc.) calls a suid program (pbs_iff) which connects to the pbs server from a privileged port and tells the server the client's port and which user will be sending commands from that port. pbs_iff learns this by looking at the source port on the file handle passed to it when it was spawned. The whole handshake looks like this:

  1. Unprivileged client opens a socket to the pbs server
  2. Client calls clone and passes the file handle number to a suid pbs_iff as an argument
  3. pbs_iff reads the source port off of the file handle
  4. pbs_iff opens a socket from a privileged port to the pbs server and sends the invoking user and source port.
  5. The pbs server now trusts that commands from the initial socket belong to the user passed by pbs_iff
  6. pbs_iff terminates and the original client sends whatever commands it desires.

This works nicely in C, where the default is to pass all file handles to the child process on a fork. However, many languages frown on this file-handle leaking for a number of reasons and have decided the default is a bad idea. Java is one of them, so it sets FD_CLOEXEC on every file handle it opens. This means that when you use ProcessBuilder or call Runtime.exec, the child can’t see any file handles you previously had open, which breaks Torque’s security mechanism.
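Python 3.4 and later share Java's close-on-exec default (PEP 446), so the breakage can be reproduced without a Torque install. This is an added example, not Torque's or Java's code: a constructed loopback socket stands in for the client-to-server connection, and a small child script stands in for pbs_iff reading the source port off the inherited handle (step 3 of the handshake).

```python
import socket
import subprocess
import sys

# Hypothetical stand-in for pbs_iff, constructed for this example: it receives
# an inherited fd number as argv[1] and reports that socket's source port, as
# step 3 of the Torque handshake does.  If the fd did not survive exec,
# getsockname() raises and the child exits non-zero.
_PBS_IFF_STANDIN = """
import socket, sys
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, fileno=int(sys.argv[1]))
    print(s.getsockname()[1])
except OSError:
    sys.exit(1)
"""


def loopback_connection():
    """Constructed stand-in for the client-to-pbs_server TCP connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    return srv, conn, cli


def port_seen_by_child(sock):
    """Exec the stand-in with close_fds=False so that only the socket's own
    FD_CLOEXEC flag decides whether the child can still see it.
    Returns the port the child reports, or None if the fd vanished on exec."""
    res = subprocess.run([sys.executable, "-c", _PBS_IFF_STANDIN, str(sock.fileno())],
                         close_fds=False, capture_output=True, text=True)
    return int(res.stdout) if res.returncode == 0 else None


def demo():
    """Return (inheritable_by_default, port_with_default_flag,
    port_after_clearing_cloexec, real_source_port)."""
    srv, conn, cli = loopback_connection()
    try:
        real_port = cli.getsockname()[1]
        by_default = cli.get_inheritable()      # False: FD_CLOEXEC set at creation, as in Java
        with_default = port_seen_by_child(cli)   # None: the child never sees the socket
        cli.set_inheritable(True)                # clear FD_CLOEXEC, the C/fork default
        after_clear = port_seen_by_child(cli)    # child now reads the real source port
        return by_default, with_default, after_clear, real_port
    finally:
        for s in (cli, conn, srv):
            s.close()


if __name__ == "__main__":
    print(demo())
```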

Sympa and Active Directory

Some basic steps for running sympa on Ubuntu 12.04 and using Active Directory's Global Directory to auto-populate groups.

Ubuntu Notes

  • apt-get install sympa will give you a ‘mostly’ working version
  • chown -R sympa /var/lib/sympa
  • The suid wrapper does not work on 12.04. You will need to create a sudo wrapper instead, at /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.fcgi:
    #!/usr/bin/perl
    
    exec '/usr/bin/sudo', '-E', '-u', 'sympa', '/usr/lib/cgi-bin/sympa/wwsympa.fcgi';
  • set use_fast_cgi 1 in /etc/sympa/wwsympa.conf
  • In apache/conf.d/sympa, change the ScriptAlias to:
    ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.fcgi
  • add the following line to your sudoers file:
    www-data ALL = (sympa) SETENV: NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi

LDAP/AD Bound Lists

  • If you only have one domain, you can just use the following and point at one of your domain controllers.
  • If you want to use forest-wide groups, you have two options for accessing those groups:
    • In the ldap config for the group, point at the DC the group resides in. Change suffix, host and user as appropriate, set use_ssl to yes, and drop the :3268.
    • Make the group universal and use the global directory (the route I chose).
  • This works with either security or distribution groups, but will NOT include nested membership.
  • LDAP Configuration
    include_ldap_query
    name any_name
    host dc1.mydomain.org:3268
    use_ssl no
    ssl_version tls
    ssl_ciphers ALL
    user   CN=Read Account,OU=...,DC=domain,DC=org
    passwd your_password
    suffix DC=domain,DC=org
    scope sub
    filter (memberof=CN=Some Group,OU=...,OU=...,DC=research,DC=domain,DC=org)
    attrs mail
    select first
    timeout 30

Isolating Big Blue Button Video

This is a quick how to on manually connecting to a BBB video stream. Before we begin, here’s a very, very quick background.

  • Video streams are grouped under a conference-room-specific URL that has the format rtmp://host/video/roomID
  • Each streaming component under BBB is available as a separate stream (i.e. video, desktop, sip/audio, etc.)
  • BBB uses red5 under the hood to manage these streams
  • Grab flowplayer and the flowplayer rtmp client
  1. Connect to your room and start your webcam.
  2. Tail /usr/share/red5/log/bigbluebutton.log and you should see the following log lines:
    2011-07-11 18:14:54,871 [NioProcessor-1] DEBUG o.b.c.s.p.ParticipantsEventRecorder - A participant's status has changed 141 streamName 640x480141
    2011-07-11 18:14:54,919 [NioProcessor-1] DEBUG o.b.c.s.p.ParticipantsService - Setting participant status ec0449a0-b5d1-4ca5-bfdf-d118d8bc2299 141 hasStream true
    • ec0449a0-b5d1-4ca5-bfdf-d118d8bc2299 or similar is the room id
    • 640x480141 is the stream id you need
  3. Download and place flowplayer-…swf, flowplayer.rtmp-…swf, and flowplayer-…min.js into a directory.
  4. Create a web page that embeds the player and points it at the stream. The original example page was titled "Minimal Flowplayer setup".
  5. Load up your web page and you should see the streaming video.