Welcome to cron.weekly issue #38 for Sunday, July 24st, 2016.

This episode is very security minded with news on Xen, OpenSSH, Apache and others. I hope you enjoy your Sunday!

News

This post makes use of a privilege escalation vulnerability in NetBSD by using SUID files. There’s lots of exploit code involved, but it also shows the value & dangers of SUID files on *BSD and Linux.

The European Commission is going to audit the Apache webserver and Keepass. I’m looking forward to the results and security improvements coming to both projects!

The team behind box.com has transitioned their monolithic PHP application to microservices running on containers with Kubernetes. The entire project took over 18 months and has caused immense speedups in terms of deployment and time-to-market.

Heads-up: on July 26th 2016 the Xen team will reveal a new security vulnerability. It’s serious enough to have major players like Linode schedule ahead-of-time maintenances to patch systems before things are revealed. The rest of us mortals have to wait until July 26th.

Some good tips when writing software, applicable to writing Ansible, Chef or Puppet modules in config management too.

This isn’t meant to highlight their downtime, but more to encourage more post mortems like this: honest, technical and valuable. The Stack Exchange platform suffered a small 30 minute outage due to a bad regex and failing healthchecks in their load balancers. A good lesson for all of us to not only monitor the state of the homepage as a healthcheck.

Due to a timing difference between a response for an existing vs. non-existing user, an attacker can use very large passwords to find all existing users on a system by brute force.

Due to the way (Fast)CGI protocols work, by passing client-provided HTTP headers directly to the app, there is a vulnerability that can let the attacker insert a proxy of its own to sniff internal HTTP & HTTPs calls. There is a fix we as sysadmins can implement, by stripping the “PROXY” header in our webservers.

Technically, this isn’t news, as it’s from 2014. But it’s a nice reminder on how our industry is evolving, from “pet” servers that we assign names and cherish to “cattle” servers that we run en-masse, have no feelings for and can create/destroy at our own will in the cloud.

Mr. Robot is a TV series with one of the most accurate appearances of “hackers”. In the series, they use the commands “astu” and “astsu” at the terminal and this blogpost tries to explain what they do.

Prometheus is the monitoring solution in use by SoundCloud and last week, the release their first point release: 1.0. This post has some of the history and highlights the different contributions.

Engintron is a free extension for cPanel that introduces the Nginx proxy for static content.

Biscuit is a multi-region HA key-value store for your AWS infrastructure secrets.

This is essentially a Windows tool, but the latest release has a remarkable feature: it can now “tail -f” a logfile or debug file when using notepad++. So if you’re on a Windows machine, notepad++ just made it slightly easier to work.

Guides & Tutorials

A very good introduction to the Docker container image, its copy-on-write filesystem, the multiple storage drivers and mounted volumes.

This article is about building a new high scalable cloud hosting solution using IPv6-only communication between commodity servers, what problems the team faced with IPv6 protocol and how they tackled them for handling more than ten millions active users.

The Puppet team published an updated guide to transition a Puppet 3 codebase into the Puppet 4 era.

An excellent guide on writing Python code: very practical with lots of examples, for both beginners and experts.

A good reminder on using lscpu, _lshw, lsusb _and the likes.

This technical in-depth article shows how the author debugged HAProxy that segfaulted inside a Docker container. Since Docker containers inherit kernel settings like Apport but may be running an “OS” like Alpine linux that doesn’t have Apport, this can get tricky.

Ever wanted to try Terraform, to spin up containers and VMs? This guide has you covered: the first part is very hands-on and sets the structure of the Terraform code you’ll be writing.

There’s a fair bit of complexity and possibilities in systemd’s dependencies for service management. One way of ensuring a service is never started, even as a result of a dependency, is to “mask” them. This post makes a very clear point when and how to use that method.

multitail allows you to tail multiple files at once (hence the name). This post explains how it works and looks and introduces a couple of shortcuts.