(Ab)using Samba and inotify to implement simple menu of privileged actions [Part 2: Proof of Concept Implementation]

In my last post, I ran through the design; this post shows the result of my initial proof of concept. It was interesting to play with some Python modules I hadn't previously used, including threading.Timer and of course pyinotify. The subprocess and shlex modules I'm already familiar with, but they rate a mention too.

Here's the code. Needless to say, it needs some tidying up, but I think the basic principles and threading correctness seem okay.

#!/usr/bin/env python
from __future__ import print_function  # keeps the Python 2 prints valid on Python 3

import pyinotify
from threading import Timer
import shlex
import subprocess

trigger_directory = '/home/cameron/tmp/fui/triggers/'
command = r''' /bin/echo 'Oh my gosh it was deleted' '''

def remove_resultant_moniker(trigger):
    # Scheduled by a Timer a couple of seconds after the action has run
    print("Removing ressultant moniker from ", trigger)

class EventHandler(pyinotify.ProcessEvent):
    def process_IN_DELETE(self, event):
        print("Removing ", event.pathname)
        args = shlex.split(command)   # split the command line without involving a shell
        print("Args: ", args)
        subprocess.call(args)         # run the action as an argv list
        Timer(2.0, remove_resultant_moniker, ['TODO']).start()
    def process_IN_CREATE(self, event):
        print("Created ", event.pathname)
        Timer(2.0, remove_resultant_moniker, ['TODO']).start()

mask = pyinotify.IN_DELETE | pyinotify.IN_CREATE

watch_manager = pyinotify.WatchManager()

handler = EventHandler()
notifier = pyinotify.Notifier(watch_manager, handler)
wdd = watch_manager.add_watch(trigger_directory, mask, rec=True)
notifier.loop()   # block here dispatching events; without this the script exits immediately
print('Ending')

Running this in a terminal, with rm -f triggers/deleteme && sleep 3 && touch triggers/deleteme in another window, I get the following output (with the lines appearing at the times I expect):

Removing  /home/cameron/tmp/fui/triggers/deleteme
Args:  ['/bin/echo', 'Oh my gosh it was deleted']
Oh my gosh it was deleted
Removing ressultant moniker from  TODO
Created  /home/cameron/tmp/fui/triggers/deleteme
Removing ressultant moniker from  TODO
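The proof of concept above runs one fixed command and leaves the "resultant moniker" as a TODO. As an added example (not the post's code), here is the dispatcher I would drop into process_IN_DELETE once several actions are on the menu: the trigger file name is reduced to a bare name and looked up in an allowlist (ACTIONS, a hypothetical table), so nothing a share user can name ever reaches a shell; anything that is not a direct child of the trigger directory, or that is itself a result file, is ignored; the action's exit status and output are written to <trigger>.result as the moniker, and a threading.Timer removes it after a short TTL, as in the original design. The pyinotify watcher is left out so this runs offline; demo() exercises it in a temporary directory.

```python
#!/usr/bin/env python3
"""Added example, not the original post's code: an allowlisted dispatcher
for the trigger-file design. dispatch() is what process_IN_DELETE would call."""
import os
import subprocess
import sys
import tempfile
import threading
import time

# Allowlist: trigger file name -> argv list (hypothetical entries). No shell is
# used, so the trigger name is never interpolated into a command line.
ACTIONS = {
    "restart-echo": [sys.executable, "-c", "print('Oh my gosh it was deleted')"],
}

RESULT_SUFFIX = ".result"   # the "resultant moniker" written next to the trigger
RESULT_TTL_SECONDS = 2.0    # how long the result file lingers before cleanup


def trigger_name(pathname, trigger_directory):
    """Reduce an inotify pathname to a bare trigger name, or None if it is not a
    direct child of trigger_directory (nested paths are dropped), is hidden, or
    is a result file we wrote ourselves (avoids re-triggering on cleanup)."""
    real_dir = os.path.realpath(trigger_directory)
    real_path = os.path.realpath(pathname)   # fine for an already-deleted file
    if os.path.dirname(real_path) != real_dir:
        return None
    name = os.path.basename(real_path)
    if not name or name.startswith(".") or name.endswith(RESULT_SUFFIX):
        return None
    return name


def remove_result(path):
    """Timer callback: delete the result file; a missing file is not an error."""
    try:
        os.remove(path)
    except FileNotFoundError:
        pass


def dispatch(pathname, trigger_directory, actions=ACTIONS, ttl=RESULT_TTL_SECONDS):
    """Run the allowlisted action for a deleted trigger, write its outcome to
    <name>.result in the trigger directory, and schedule that file's removal.
    Returns (name, exit_code, result_path), or None if the event was ignored."""
    name = trigger_name(pathname, trigger_directory)
    if name is None or name not in actions:
        return None
    completed = subprocess.run(actions[name], capture_output=True, text=True, timeout=30)
    result_path = os.path.join(trigger_directory, name + RESULT_SUFFIX)
    with open(result_path, "w") as fh:
        fh.write("exit=%d\n%s" % (completed.returncode, completed.stdout))
    cleanup = threading.Timer(ttl, remove_result, [result_path])
    cleanup.daemon = True
    cleanup.start()
    return name, completed.returncode, result_path


def demo(ttl=0.2):
    """Exercise dispatch() in a fresh temporary directory; returns what was observed."""
    d = tempfile.mkdtemp(prefix="fui-")
    allowed = dispatch(os.path.join(d, "restart-echo"), d, ttl=ttl)
    with open(allowed[2]) as fh:
        content = fh.read()
    time.sleep(ttl * 4)   # give the Timer time to remove the result file
    return {
        "allowed": allowed,
        "content": content,
        "result_removed": not os.path.exists(allowed[2]),
        "unknown": dispatch(os.path.join(d, "not-allowed"), d),
        "nested": dispatch(os.path.join(d, "sub", "restart-echo"), d),
        "result_file": dispatch(os.path.join(d, "restart-echo.result"), d),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Wiring it in is a one-liner in the handler: process_IN_DELETE calls dispatch(event.pathname, trigger_directory). Because the result file is created inside the watched directory, the handler for IN_CREATE will see it; trigger_name() returns None for it, which is why the suffix check is there.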
I haven't done anything with YAML at the moment; it's too early for that. The next step is to verify that this works when the user deletes the trigger via SMB/CIFS. I'm already confident that it won't work if the trigger files are stored on SMB/CIFS, as Linux doesn't have inotify support for that. Samba should be able to pick up the changes (I hope) and, with a client that supports Directory Change Notifications, have the client reflect any new state. But that is the prime objective of the next step: the proof of concept.
