Sep 142011
 

This is my personal Top 8 of worst suggestions I’ve read, took or gave to other Linux users so far, feel free to add your as comment.

Legend: Q: Question, BA: The bad answer, GA : What could have been a good answer

1) Q: I have a file i can’t read/write/execute with the user i want!

Bad: “chmod 666 file” – This makes the file editable and destroyable by anyone.
Worse: “chmod 777 file” – This makes the file editable by anyone AND sets execute permissions for anyone. This means that any user can edit the file to do something malicious for the next user to (accidentally?) execute it.
Worst: “chmod 7777 file” – Also gives setuid and setgid permission. With this you’ve just given any user permission to fubar your machine, especially if the file is owned by root.

GA: Check which user and group have permission to do the operations you need on that file, subscribe the user to that group and/or change the owner or the group of that file.


2) This is a small variant of the number 1.

Q: My daemon (apache, tomcat, put your here) cannot access all files and/or directories our developers use for deploying the applications.

BA: Same as point 1, this usually finish in having all files in a document root with 777

3) Q: At some time my server starts using the Swap space and all goes really slow. what can i do ?

BA: Remove the swap, in this way the system will not use it. The effect of this is usually a server in hang for out of memory

GA: Investigate on what’s using your memory, there should be a memory leak in some running programs, while you are investigating it could be a good idea to double your swap space.

4) Again on the swap and witnessed live by me (as a spectator)

Q: We have the swap almost full, what can we do to empty it?

BA: Give as root a swap off, the kernel will think to claim it. And 1 second later another system in hang, the memory of the machine was heavily used and turning off the swap we had lost important information of running programs.

5) Q: My ext3 filesystem it’s a bit slow, what can i do ?

BA: Transform it in a ext2, you’ll have less overhead and your applications will be faster. This suggestion could be true (depend on application that uses the FS), but don’t tells that ext2 it’s much more fragile and so you risk to lose all your information on a ext2 much more than on a ext3 (or ext4).

GA: ext3 filesystem can be mounted with some particular options like noatime that can help you in getting better performance, check the man page of mount for the oprions.

6) Q: The boot of my desktop it’s a bit slow

BA: It’s your kernel, configure it by hand and remove all the hardware you don’t need. I’ve took this suggestion, and I spent about 2 days in removing and adding back options to the kernel, trying to get all the pieces of my computer working and at the same time the kernel as small as possible, to improve by something like 2 or 3 seconds at the startup.

GA: Install bootchart this will show if there is some point that can be improved during your boot.

7) Q: The user need a new library/program/whatever that is not packaged for the distribution, what can we do ?

BA: If the package it’s availabe in an unofficial repository add that to the list of repository used by the machine and install from there.
BA2 : Download the source and compile it.

I’m not sure on which one is worst, install a package with your package manager but without any security ? or don’t use your package manager and install some binary from the source ?

GA: Download the source and do a package that we’ll install with the package manager of the distribution. The longest but safest way.

8) Q: There seem to be a problem between the application XX and the local firewall

BA: Stop the firewall. This usually has 2 effects, the first is taht you lose security on that server, teh second is that if you forgot to remove the autostart of the firewall at boot time, at the next reboot the application will not work.

GA: try to understand which ports the application uses, or turn on verbose logging for the firewall, once you have understood which ports are used modify the firewall.

Waiting now for the worst Linux suggestions that you have heard.


Popular Posts:

Flattr this!

  9 Responses to “Top 8 worst suggestions on Linux”

  1. Once read an article that said to use “su; gedit /etc/sudoers” and then instructions on how to give yourself “no password required” sudo privileges. SO many things wrong in that article…

  2. Q7: Downloading a binary from an unknown repository vs. compiling (and packaging) from an unknown source repository is really no different, unless you’re willing to invest in performing a source code audit to ensure there are no fatal errors or malcode in the source.

    Since most people who compile from source won’t bother to look through the source code, they’re not getting any benefit over those people who just install the binary directly.

    Worst suggestion I’ve ever heard? From fellow IT workers to end-users: “Just tell me your password so I can fix your problem”. An IT worker with sufficient privileges to fix the problem never needs to know end-users passwords. They’ll have sufficient access rights to get the job done. At worst, they can always reset the end-users password without asking what it is. Asking end-users for their passwords just trains them to be susceptible to phishing and social engineering attacks.

    –Bob.

    • Do you audit the sources from a known repo? So what’s the point? Either you trust it (and need to use it) – then install it. Otherwise don’t.
      I am running Debian/testing and the latest FF from mozilla.org. Very, very risky, isn’t it? Also hard to handle and causing all sorts of trouble. like having to type “cd /usr/local/share; tar -jxf firef*bz2” every some weeks…

  3. For question 7, I think you could mention checkinstall in the answer as a suggestion.
    I wish I found that long before I did… so much trouble avoided…

  4. Not exactly the worst of all the “Top foos of bar” I’ ve read, but also not a very good one.

    1. Yes. Right. Also don’t “rm -rf /”…
    2. Same. There’s some trickery with virtual users and ftpd/httpd UIDs. But better not tell anyone…
    3-5 Nobody on earth would do that,
    6. Learn to handle your kernel config. You might be in a situation where you need to build your own one.You suppose people should just keep their hands off. Why not just Windoze. XP is booting quite fast. No kernel compiling needed.
    7. Bullshit.
    8. Yes, right. What’s the date, again – 1998?

    • 3-5 I’ve saw these things done, you know after many hours of works a bad idea can seem not so bad 😉
      6 Now i compile my kernel for every single update, but it’s not a great tip for a newbie, just this.

      • Well, I’ve seen people do the most ridiculous things with their computers (I have been into these things since 1983) but these things are funny anecdotes at best – or, well, ok “x of n worst practices”. Point made. swapoff 🙂
        But I still strongly disagree with the “don’t install binaries or sources theory”. I’d be unable to run my sketchpad, if I hadn’t compiled the xorg module from a (well trusted) source. I couldn’t play bzflag, as Debian is still including 2.0.x in testing, so I built my own binaries from sourceforge. Bz has been around for more than 10 years, so I definitely trust them. Same with RSSOwl, GoogleEarth and a dozen of small utilities like $proprietary_image_format to ISO translators.
        And during the times when I was using Solaris/sparc self-compiling was quite oftenly the only way to get things done at all.
        The firewall thing at last: I think in the times of DSL-routers and UPnP you should definitively try to get your stuff secure on the application level, not rely on netfilters. Actually this is how it always was, but “firewalls” were very trendy (and considered falsely as universal security magick) quite some time ago.
        Sorry for harsh words, but they are always good to get discussing – and IMHO better than nice words with no effect.
        Cheers,
        Tom

        • Well i understand that sometimes you have to use sources, and this is fine, what i don’t like as sysadmin it’s the use of “any” repository.
          I’ve saw using PPA (and not big one, just some personal archive of an user) for Ubuntu on server with Debian 6, this is a bad practice IMO.

          Bye Tom.

  5. The chmod 777 one is particularly popular with WordPress kiddies and amateur script monkeys. Well….I hope someone trashes their server and teaches them a valuable lesson before they attempt to work on anything more important than their Pokemon fansite.

Leave a Reply to Tom Cancel reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

*