June 20th, 2008
Slashdot had a discussion yesterday of an exploit that lets any locally logged-in user execute arbitrary shell commands as root, i.e. a local privilege escalation. The exploit uses AppleScript to make the Apple Remote Desktop Agent (ARDAgent) run the shell command(s) it is handed. Slashdotters have confirmed that it works on both Leopard and Tiger, but only when executed as the user currently logged in to Aqua (the GUI session).
After this message was posted to the pmac-l mailing list yesterday, Steve Hunter noticed that his machine was not affected. He determined, and several others on the list backed him up, that if Remote Management or Remote Desktop is enabled in System Preferences, the exploit does not work. Those already using ARD in their environment won’t see this problem. Machines that aren’t set to allow ARD connections can be protected by enabling Remote Management but not allowing any users. You can also protect your machine by changing the permissions on ARDAgent, or by packing it into a tarball and removing the original, but I make no guarantees that it won’t break something else.
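An added check, not a script from the original post or from Apple: the exploit works because the ARDAgent binary shipped setuid root, so the quickest way to see whether a machine is exposed, and to apply the permission change mentioned above, is to test for that bit and clear it. The ARDAgent path below is the standard one on Tiger and Leopard (the post does not give it), and strip_setuid has to run as root for a root-owned file.

```sh
#!/bin/sh
# Added example (not from the original post). Reports whether a binary is
# setuid, and whether root owns it, then optionally clears the bit.
# Path assumed: standard ARDAgent location on Tiger/Leopard.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# setuid_status PATH
# prints "setuid-root", "setuid" (bit set, not root-owned), "clear" or "missing";
# returns 0 only when the setuid bit is set.
setuid_status() {
    f="$1"
    [ -e "$f" ] || { echo "missing"; return 2; }
    # find -perm -4000 matches when the setuid bit is set (GNU and BSD find);
    # -prune keeps it from descending if PATH is a directory.
    if [ -z "$(find "$f" -prune -perm -4000)" ]; then
        echo "clear"; return 1
    fi
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" = "root" ]; then echo "setuid-root"; else echo "setuid"; fi
    return 0
}

# strip_setuid PATH: clear the setuid bit (needs root for a root-owned file).
strip_setuid() {
    chmod u-s "$1"
}

# Stand-alone use on a Mac: sudo sh thisscript.sh
case "$(setuid_status "$ARDAGENT")" in
    setuid-root) echo "ARDAgent is setuid root: exposed. Clear with: strip_setuid $ARDAGENT" ;;
    missing)     echo "ARDAgent not found at $ARDAGENT" ;;
    *)           echo "ARDAgent is not setuid root" ;;
esac
```

On a machine that has not been patched, setuid_status prints "setuid-root"; after strip_setuid (or after Apple's fix) it prints "clear". Clearing the bit is the "change the permissions on ARDAgent" mitigation; expect Remote Management itself to need that bit, so re-check after enabling it.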
Tags: exploits, mac os, remote desktop, security
Posted in Security | 1 Comment »
May 21st, 2008
ONEPURDUE issues have been solved. Login with abandon.
Posted in COS IT Announcements | No Comments »
May 7th, 2008
CAS is a single sign-on authentication protocol and server software package, originally developed by Yale University and now maintained by JA-SIG under an open-source, BSD-style license.
ITAP recently announced the availability of Purdue’s CAS server. You can request access to this CAS server by emailing accounts@purdue.edu and filling out the resultant form.
Many web servers on campus already use I2A2 for Purdue Career Account authentication, so why use this CAS service?
CAS:
- mitigates risk by allowing Career Account authentication without your application ever handling users’ passwords or other credentials
- reassures users and increases security by providing the same login screen across web applications across campus
- potentially unifies Purdue’s web applications by providing single sign-on. Upon authenticating to CAS once, username/password needn’t be re-entered for each web application.
- is relatively easy for a web developer or system administrator to integrate into an application or web server.
- multiple client libraries are available in native code
- multiple webserver modules/filters are freely available
- isn’t Purdue specific - larger support environment
- doesn’t require importing Purdue’s certificate authority public key into your web server’s or LDAP stack’s CA bundle. (Your CAS client must still verify the CAS server’s certificate when it calls serviceValidate; if that response can be spoofed, anyone on the network path can assert any username.)
- allows web servers to immediately take advantage of additional authentication methods. (As soon as CAS supports digital certificates, security tokens, smart cards, biometrics, etc., so will every CASified application.)
- keeps Purdue Career Account authentication assistance where it belongs, and directs users to: the ITAP helpdesk!
It’s pretty easy to CASify a web application, so that the app uses the CAS server for authentication. Many CAS client integrations are available under liberal licenses, including modules for Apache 2, Java, Perl, PHP, ColdFusion, Zope, Ruby on Rails and other web application frameworks and languages.
Why shouldn’t I use CAS?
- Unlike I2A2, CAS is strictly an authentication service. This means that the only information available about an authenticated user from CAS is his/her Purdue username. CAS is not an authorization service. CAS doesn’t provide an authenticated user’s PUID. Many applications utilize PUIDs as unique identifiers instead of usernames.
- That said, the Purdue Identity and Access Management Office (IAMO) has both a web service and an ldap interface available to translate the username from CAS into a puid, name and even I2A2 characteristics. (You can email accounts@purdue.edu for details.)
Note:
- If you’re using one of the many CAS client libraries, the immediate temptation is to treat the CAS server as an über-session handler and simply re-validate the user’s CAS ticket on every page request. This will significantly slow down your application (every request becomes a round trip to the CAS server), and a service ticket is only good for a single validation anyway. Your application should validate the ticket once, then create and use its own sessions, with their own time-out values (after which the user is sent back through CAS). The username must come from the serviceValidate response, never from anything the browser supplied: the ticket in the redirect URL is opaque until CAS has validated it for the same service URL. Additionally, when a user logs out of your application, the application’s session should be destroyed, not the user’s CAS session. If every CASified application’s logout process called the CAS logout, there would be no single sign-on.
- Regardless of the client integration method, you’ll need these settings:
- validateUrl: https://www.purdue.edu/apps/account/cas/serviceValidate
- logoutUrl: https://www.purdue.edu/apps/account/cas/logout
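The flow the note above describes, as an added example in Python (not code from this post, from ITaP, or from any CAS client library): a browser with no local session is redirected to CAS, comes back with a service ticket, the application validates that ticket once against serviceValidate and parses the CAS 2.0 XML response, and from then on trusts its own session until it times out; logout only destroys the local session. The validate and logout URLs are the ones given above; the login URL (standard CAS layout), the service URL, the timeout, and the sample XML responses are assumptions, and the HTTP fetch is injected so the example runs offline.

```python
import secrets
import time
import urllib.parse
import xml.etree.ElementTree as ET

# Endpoints from the post. The login URL is assumed (standard CAS layout);
# the post only gives validateUrl and logoutUrl.
CAS_LOGIN_URL = "https://www.purdue.edu/apps/account/cas/login"
CAS_VALIDATE_URL = "https://www.purdue.edu/apps/account/cas/serviceValidate"
CAS_LOGOUT_URL = "https://www.purdue.edu/apps/account/cas/logout"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses


def login_redirect_url(service):
    """Where to send a browser that has no valid local session."""
    return CAS_LOGIN_URL + "?" + urllib.parse.urlencode({"service": service})


def validate_url(service, ticket):
    """serviceValidate call; 'service' must be the URL the ticket was issued for."""
    return CAS_VALIDATE_URL + "?" + urllib.parse.urlencode(
        {"service": service, "ticket": ticket})


def parse_validate_response(xml_text):
    """Return the CAS username on success, None on failure or a malformed body."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        return None
    return user.text.strip()


def validate_ticket(service, ticket, fetch):
    """fetch(url) -> response body. Injected so this runs offline; in production
    it is an HTTPS GET that verifies the CAS server's certificate."""
    return parse_validate_response(fetch(validate_url(service, ticket)))


class SessionStore:
    """Application-owned sessions: the CAS ticket is validated once, then the
    local session is trusted until it expires, as the post advises."""

    def __init__(self, timeout_seconds, now=time.time):
        self.timeout = timeout_seconds
        self.now = now
        self._sessions = {}  # session id -> (username, expires_at)

    def create(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (username, self.now() + self.timeout)
        return sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self.now() >= expires_at:
            del self._sessions[sid]  # expired: the user goes back through CAS
            return None
        return username

    def logout(self, sid):
        """Destroy only the local session. Hitting CAS_LOGOUT_URL here would end
        single sign-on for every other CASified application."""
        self._sessions.pop(sid, None)


def handle_request(store, service, session_id, ticket, fetch):
    """One request. Returns ("ok", session_id, username) or ("redirect", url)."""
    user = store.user_for(session_id) if session_id else None
    if user:
        return ("ok", session_id, user)
    if ticket:  # browser just came back from CAS with ?ticket=ST-...
        user = validate_ticket(service, ticket, fetch)
        if user:
            return ("ok", store.create(user), user)
    return ("redirect", login_redirect_url(service))


# Constructed sample responses in the CAS 2.0 format (not real server output).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>someuser</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_fetch(url):
    """Stand-in for the HTTPS GET: only the constructed ticket ST-good validates."""
    return SUCCESS_XML if "ticket=ST-good" in url else FAILURE_XML
```

In production the session id travels in a cookie marked Secure and HttpOnly, fetch is an HTTPS GET with certificate verification left on, and the service URL handed to serviceValidate has to be exactly the one CAS redirected to, or the validation fails. Nothing in the XML is trusted until it parses as an authenticationSuccess element; a failure element, garbage, or an empty user all yield None and send the browser back to the login page.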
Posted in General Information, Information Exchange, Security, Software, Web | No Comments »
March 25th, 2008
This post demonstrates how to add content to the College of Science subversion repository.
I’ve got a local directory named localscripts containing a single file, edu.purdue.math.softwareupdate.pl, that I want to place in the repository at cos/macosx.
- svn mkdir https://svn.science.purdue.edu:9443/cos/macosx/scripts -m "Adding a subdirectory to the mac folder just for scripts."
- Accept the incorrect/self-signed SSL certificate. (Compare its fingerprint with one obtained out of band from the repository administrator before accepting it permanently; an unchecked "accept" would take an impostor's certificate just as readily.)
- Enter your Purdue Career Account password when prompted:
  Authentication realm: <https://svn.science.purdue.edu:9443> i2a2
  Password for 'ivetter':
  Committed revision 29.
- svn ls https://svn.science.purdue.edu:9443/cos/macosx
- svn import localscripts/ https://svn.science.purdue.edu:9443/cos/macosx/scripts -m "Initial import of the edu.purdue.math.softwareupdate.pl script."
  Adding         scripts/edu.purdue.math.softwareupdate.pl
  Committed revision 30.
- svn ls https://svn.science.purdue.edu:9443/cos/macosx/scripts
  edu.purdue.math.softwareupdate.pl
To make a change to this file, just check it out and start working on it.
Posted in Information Exchange, Software, Web | No Comments »
March 25th, 2008
Ed Finkler has been kind enough to share his .ics parser, made by modifying the open-source PHPiCalendar web application.
This post contains the steps needed to check out Ed’s software from the Science subversion repository, modify the code, and check those modifications back into the repository using the svn command-line client.
- svn co https://svn.science.purdue.edu:9443/cos/web/php/iCalendar_Parser/
- Accept the incorrect/self-signed SSL certificate (after checking its fingerprint against one obtained out of band from the repository administrator; otherwise you would accept an impostor's certificate just as readily).
- Enter your Purdue Career Account password when prompted:
  Authentication realm: <https://svn.science.purdue.edu:9443> i2a2
  Password for 'ivetter':
  A    iCalendar_Parser/trunk
  A    iCalendar_Parser/trunk/iCalendar_Parser.php
  A    iCalendar_Parser/trunk/README
  A    iCalendar_Parser/trunk/examples
  A    iCalendar_Parser/trunk/examples/import_secsem_calendar.php
  Checked out revision 22.
- cd iCalendar_Parser/trunk
- Make a change to iCalendar_Parser.php
- svn status shows the file as modified:
  M    iCalendar_Parser.php
- svn diff iCalendar_Parser.php lists the actual changes, comparing your edited file with the pristine copy svn saved at checkout (no server round trip is needed).
- svn commit -m "This is a descriptive comment."
  Authentication realm: <https://svn.science.purdue.edu:9443> i2a2
  Password for 'ivetter':
  Sending        trunk/iCalendar_Parser.php
  Transmitting file data .
  Committed revision 22.
We have successfully updated the iCalendar_Parser.php file in the CoS subversion repository, and we can see our changes in the web interface. Even if others later revert our changes, the revision we committed stays in the repository history and never disappears.
Posted in Information Exchange, Software, Web | No Comments »
March 20th, 2008
New(ish) in OS X Leopard is support for ACLs (Access Control Lists) on files and folders. Unfortunately, the implementation is not perfect, and users can easily hose themselves if they aren’t careful. (For example, I have a user who recently managed to set “group:everyone deny delete” on his entire profile.)
Fortunately, Leopard’s chmod utility can change or remove ACLs. Run ls -le first to see which entries a file carries, then use the short chunk of code below to strip every ACL entry from folders and files (starting from the current path, recursively):
#for folders
find . -type d -exec chmod -N {} \;
#for files
find . -type f -exec chmod -N {} \;
This leaves you with only the normal UNIX/POSIX-style permissions. chmod -N removes all of a file’s ACL entries at once; chmod -a# 0, by contrast, removes only the entry at index 0, so a file carrying more than one entry would keep the rest. If you don’t need to treat folders and files separately, chmod -RN . does the same job in one command.
Source: http://unbounded.org/leopard-acls/
Posted in General Information, Information Exchange, Software | No Comments »
March 18th, 2008
Adium is a popular instant messaging client that can use multiple im protocols, including Jabber. It’s easy to setup Adium to use the Purdue College of Science’s Jabber server:
For those not interested in the screen shots, here’s the important information:
- Jabber ID: PurdueCAUsername@chat.science.purdue.edu
- Password: PurdueCAPassword
- Connect Server: chat.science.purdue.edu
————–
Select the File menu, hover over “Add Account”, and click on “Jabber”:

From the resulting screen, enter your Jabber ID and Password. Your Jabber ID is your Purdue Career Account username followed by “@chat.science.purdue.edu”; your Password is your Purdue Career Account password.

Now select the Options tab. Set the Connect Server to “chat.science.purdue.edu”. The chat server refuses unencrypted connections anyway, but check the “Require SSL/TLS” checkbox as well, so that the client itself will never send your Career Account password in the clear should a connection ever be redirected to some other server:

Now click the OK button, and you should be connected to the Science Chat server!
Posted in General Information, Information Exchange, Software, Uncategorized | No Comments »
January 11th, 2008
DWM.EXE is the Desktop Window Manager in Windows Vista. When you’re using Aero Glass in Vista, DWM keeps an offscreen bitmap for every open window, the size of the window, holding a rendering of that window’s contents.
DWM needs this so it can quickly show you thumbnails of all the open windows, and so it can do compositing and animation quickly. But it costs a lot of memory.
On my system, for example, opening a single full-screen Notepad window causes DWM.EXE to allocate an additional 4.8 MB of memory.
Close Notepad and DWM gives this memory back.
I opened a hundred Notepad windows to test, and yes, it allocated almost half a gigabyte of RAM for the bitmaps.
If you can’t afford this much RAM, don’t use the Aero Glass theme in Vista.
Posted in Information Exchange, Software | 1 Comment »
November 27th, 2007
The Motion Picture Association of America is urging some of the nation’s largest universities to deploy custom software designed to pinpoint students who may be using the schools’ networks to illegally download pirated movies. A closer look at the MPAA’s software, however, raises some serious privacy and security concerns for both the entertainment industry and the schools that choose to deploy the technology.
Posted in General Information | No Comments »
October 18th, 2007
The Department of Mathematics at Purdue University offers online readiness tests for incoming students that attempt to help academic advisors place students in the appropriate level of mathematics courses.
The application authenticates both students and advisors using IT@P’s I2A2 LDAP interface. So far this year, 3216 students have taken the Algebra Readiness Test and 4264 students have taken the Calculus Readiness Test.
Currently, the largest problem with the system is the identification of incoming students. I’d love to see an I2A2 macro that identified incoming students.
Due to the difficulty of reliably displaying mathematical symbols in web browsers, both the questions and the multiple-choice answers are images. (Both assistance and paper-based exams are available to students who need them.) Within a question, answers are re-ordered. Within a mathematical topic, questions are selected per exam. Within the exam, questions are re-ordered. This functionality allows the system to generate a different exam per student, on the fly.
An interface exists for advisors to authenticate and view both a broad overview of students’ results within their school and an individual student’s results, for whom they are responsible.
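The per-student randomization described above, as an added example in Python (not the readiness-test application’s own code; its question bank, identifiers and storage are not shown here): build_exam samples questions per topic, shuffles question order and each question’s choice order, and returns an answer key that maps each question to the correct position in that student’s ordering, which stays server-side; grade scores submitted responses against that key. The question bank below is constructed for the example, with labels standing in for the images.

```python
import random

# Constructed sample bank (the real items are images; here each choice is a label).
# "answer" is the index of the correct choice in bank order.
BANK = {
    "algebra": [
        {"id": "alg1", "choices": ["alg1-a", "alg1-b", "alg1-c", "alg1-d"], "answer": 0},
        {"id": "alg2", "choices": ["alg2-a", "alg2-b", "alg2-c", "alg2-d"], "answer": 2},
        {"id": "alg3", "choices": ["alg3-a", "alg3-b", "alg3-c", "alg3-d"], "answer": 1},
    ],
    "calculus": [
        {"id": "calc1", "choices": ["calc1-a", "calc1-b", "calc1-c", "calc1-d"], "answer": 3},
        {"id": "calc2", "choices": ["calc2-a", "calc2-b", "calc2-c", "calc2-d"], "answer": 0},
        {"id": "calc3", "choices": ["calc3-a", "calc3-b", "calc3-c", "calc3-d"], "answer": 1},
    ],
}


def build_exam(bank, per_topic, rng=None):
    """Assemble one student's exam: per_topic questions from each topic, question
    order shuffled, each question's choices shuffled.
    Returns (exam, key). 'exam' is what the student sees and carries no answers.
    'key' maps question id -> correct position in that student's choice order; it
    is stored with the attempt on the server and never sent to the browser."""
    if rng is None:
        rng = random.SystemRandom()  # unpredictable ordering in production
    picked = []
    for questions in bank.values():
        picked.extend(rng.sample(questions, per_topic))
    rng.shuffle(picked)
    exam, key = [], {}
    for q in picked:
        order = list(range(len(q["choices"])))
        rng.shuffle(order)  # order[i] = bank index of the choice shown at position i
        exam.append({"id": q["id"], "choices": [q["choices"][i] for i in order]})
        key[q["id"]] = order.index(q["answer"])
    return exam, key


def grade(key, responses):
    """responses: question id -> position the student chose in their own ordering.
    Unanswered questions score zero; ids not in the key are ignored."""
    return sum(1 for qid, correct in key.items() if responses.get(qid) == correct)
```

Because the key is expressed in the student’s own shuffled positions, the browser only ever sees question ids and choice labels; two students with the same questions get different choice orders, and a copied answer sheet is wrong for anyone else. A seeded random.Random is handy for reproducible tests, but the live system should keep the default SystemRandom.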
Isaac Vetter
Posted in Information Exchange, Uncategorized, Web | No Comments »