ocf / utils
User and staff utilities for the Open Computing Facility
Home Page: https://www.ocf.berkeley.edu/
License: Other
We've been getting emails about this from campus, and in the long run it will be easier to ask everyone to have it installed.
I propose we install https://wordpress.org/plugins/disable-wp-rest-api/ or https://wordpress.org/plugins/rest-api-toolbox/ after setting up the WordPress install.
We should document that this happens on ocfweb and probably say something about it when easywp is being run.
#39 needs to have the awk stuff in volume() improved
also it bugs out on 0% due to some spacing issue. Might be useful to forget trying to parse anything and just dump the entire line.
It is currently unclear to the user that these commands cannot be used properly outside of supernova. This is made clear if 'usage' is viewed, but if you just enter a command unknowingly you will see a Python error on the command line. I would recommend that we implement a check to change the output and hide the error if the user is not on supernova.
The Python error shouldn't happen as the request doesn't require authentication at all (just curl https://orapps.berkeley.edu/StudentGroupServiceV2/service.asmx/SignatoriesActiveStudentGroups?UID=1234567).
The problems:
calnet_uid = int(calnet_uid)
return users_by_filter(
'(calnetUid={})'.format(escape_filter_chars(calnet_uid))
)
calnet_uid = int(calnet_uid) actually escapes filter chars, and escape_filter_chars() only takes in str; int or list will both screw it up.
My suggestions:
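As an added illustration of the problem described above (this is not the issue author's suggestion and not ocflib's users_by_calnet_uid()): the vulnerable interpolation beside a version that validates the CalNet UID as an integer, plus a string-attribute filter that uses RFC 4515 escaping. The escape_filter_chars() here is a local reimplementation written for this example so it runs without python-ldap or ldap3 installed; it assumes the same str-in, str-out contract as those libraries' helpers. The filter inputs are constructed for the example.

```python
# Added example for the calnetUid filter issue; not ocflib's code.
# escape_filter_chars() is a local RFC 4515 reimplementation (assumption:
# same contract as the ldap3/python-ldap helper: str in, str out).


def escape_filter_chars(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    if not isinstance(value, str):
        # The library helpers expect str as well; handing them the int that
        # int(calnet_uid) produced, or a list, is the failure the issue describes.
        raise TypeError('escape_filter_chars expects str, got {}'.format(type(value).__name__))
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\{:02x}'.format(ord(ch)))
        else:
            out.append(ch)
    return ''.join(out)


def calnet_uid_filter_unsafe(calnet_uid):
    """Vulnerable pattern: caller-controlled text goes straight into the filter,
    so '1234567)(uid=*' rewrites the query."""
    return '(calnetUid={})'.format(calnet_uid)


def calnet_uid_filter(calnet_uid):
    """Safe pattern: a CalNet UID is a non-negative integer, so int() is the
    validator. Whatever survives it formats as plain digits, so there is
    nothing left to escape and no str/int confusion."""
    try:
        uid = int(str(calnet_uid).strip())
    except ValueError:
        raise ValueError('CalNet UID must be numeric: {!r}'.format(calnet_uid))
    if uid < 0:
        raise ValueError('CalNet UID must be non-negative: {!r}'.format(calnet_uid))
    return '(calnetUid={})'.format(uid)


def filter_rejects(calnet_uid):
    """True when calnet_uid_filter() refuses the value (used by the checks)."""
    try:
        calnet_uid_filter(calnet_uid)
    except ValueError:
        return True
    return False


def username_filter(username):
    """For a free-form string attribute like uid the escaper is the right tool."""
    return '(uid={})'.format(escape_filter_chars(username))


if __name__ == '__main__':
    payload = '1234567)(uid=*'
    print('unsafe:', calnet_uid_filter_unsafe(payload))
    print('rejected:', filter_rejects(payload))
    print('escaped:', username_filter(payload))
```

The two safe functions are deliberately different: numeric attributes are validated by type, string attributes are escaped, and neither path ever passes a non-str value to the escaper.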
This should prevent spelling errors from creeping into the attendance list.
As mentioned here, I guess this could be helpful in some cases where the username is hard to type.
Right now they're worryingly prone to injection attacks, although at least users can't arbitrarily set SUDO_USER
...
e.g. WordPress
This would help us fix WordPress compromises a lot faster.
Right now, the minutes script leaves one giant Attendance block that lists everyone who showed up to BoD. This makes it hard to tell after the fact who joined BoD and who was just a visitor, makes it impossible to fully rebuild the membership file if it gets corrupted, and makes things like bod ls unreliable.
We should still have the minute-taker fill in a single attendance block, but after that, the script should split that block into three blocks: current BoD members, guests who joined BoD, and guests who didn't join BoD.
See subject
Ideally we would also list /root and /admin principals, and ensure these people are in appropriate LDAP groups. But not sure if we can do that easily without requiring ldap-lint to have a privileged kerberos bind
When moving VMs from hypervisors with incompatible CPU types, we should strip the CPU type field from the KVM XML domain metadata so we can just start VMs easily without having to virsh edit <domname> to fix the CPU information.
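An added example of the stripping step (not code from the utils repo): it removes the <cpu> element from a libvirt domain definition with the standard-library XML parser. The sample domain XML is constructed for this example in the usual libvirt layout; in practice the input would come from virsh dumpxml on the source hypervisor and the output would be fed to virsh define on the destination.

```python
# Added example, not the utils repo's own script. Assumes the standard libvirt
# domain XML layout (a <cpu> child directly under <domain>).
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the libvirt domain layout; a real one comes from
# `virsh dumpxml <domname>` on the source hypervisor.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>example-vm</name>
  <memory unit='KiB'>4194304</memory>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>Haswell-noTSX</model>
    <feature policy='require' name='vmx'/>
  </cpu>
  <devices>
    <disk type='file' device='disk'/>
  </devices>
</domain>
"""


def strip_cpu(domain_xml):
    """Return the domain XML with every top-level <cpu> element removed, so
    libvirt picks its default CPU model for the new host instead of refusing
    to start the guest with a model the host cannot provide."""
    # ElementTree is acceptable here because the input is our own
    # hypervisor's dumpxml output, not data from an untrusted party.
    root = ET.fromstring(domain_xml)
    if root.tag != 'domain':
        raise ValueError('expected a <domain> document, got <{}>'.format(root.tag))
    for cpu in root.findall('cpu'):
        root.remove(cpu)
    return ET.tostring(root, encoding='unicode')


def has_cpu_element(domain_xml):
    """True when the definition still pins a CPU model."""
    return ET.fromstring(domain_xml).find('cpu') is not None


def domain_name(domain_xml):
    """The <name> of the domain, used to check nothing else was disturbed."""
    name = ET.fromstring(domain_xml).find('name')
    return name.text if name is not None else None


if __name__ == '__main__':
    # With a file argument, strip that definition; otherwise show the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            source = f.read()
    else:
        source = SAMPLE_DOMAIN_XML
    sys.stdout.write(strip_cpu(source))
```

Dropping the element means the guest loses whatever host-specific model or feature flags it had and starts with libvirt's default model, which is exactly the trade the issue is asking for; anything that needed a specific feature (nested virtualization via vmx, for instance) has to be re-added deliberately on the destination.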
We currently have an annoying manual process for taking printers in and out of rotation that's prone to error. We should have a script that does this properly.
The utils repository should be reserved for scripts called by a human. ldap-lint is called daily by firestorm, so it should be moved there.
We currently store the sorry reason and old shell in the ~/.sorry and ~/.oldshell files respectively of the sorried user. This is a dangerous practice, because:
If the user already has a ~/.sorry file, we overwrite it.
If the user already has a ~/.oldshell file, we lose the info about the old shell.
~/.sorry could be a symlink created by an attacker to point to important system files. In that case, we would just overwrite those files. (And the scary thing is the script, running as root, actually has permissions to do this.)
We should store this information elsewhere, preferably in a directory that only we control.
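As an added example of the storage change the issue asks for (this is not the sorry/unsorry scripts themselves): the record goes under a root-owned state directory, and the file is created with O_CREAT|O_EXCL so an existing record is never overwritten and a symlink, whether planted in the home directory or anywhere else, is never followed. The state directory path, the JSON record layout and the lowercase-alphanumeric username rule are assumptions for this example; demo() builds a throwaway directory tree to show both the clobber and the refusal.

```python
# Added example, not the utils repo's sorry/unsorry scripts. Assumptions:
# a root-owned state directory, a JSON record per user, and OCF usernames
# matching [a-z][a-z0-9]*.
import json
import os
import re
import shutil
import tempfile

# Validating the username keeps '/' or '..' out of the record path.
_USERNAME_RE = re.compile(r'[a-z][a-z0-9]{0,15}')


def _record_path(state_dir, username):
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError('invalid username: {!r}'.format(username))
    return os.path.join(state_dir, username + '.json')


def write_sorry_record(state_dir, username, reason, old_shell):
    """Create state_dir/<username>.json. O_EXCL makes open() fail if anything
    already exists at the path, including a symlink (even a dangling one), so
    a planted link is never followed and an earlier record is never clobbered."""
    os.makedirs(state_dir, mode=0o700, exist_ok=True)
    path = _record_path(state_dir, username)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_NOFOLLOW', 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        raise RuntimeError('record for {} already exists: {}'.format(username, path))
    with os.fdopen(fd, 'w') as f:
        json.dump({'reason': reason, 'old_shell': old_shell}, f)
    return path


def read_sorry_record(state_dir, username):
    with open(_record_path(state_dir, username)) as f:
        return json.load(f)


def write_home_sorry_file(home, reason):
    """The pattern the issue describes: a plain open() on ~/.sorry follows a
    symlink and truncates whatever it points at."""
    with open(os.path.join(home, '.sorry'), 'w') as f:
        f.write(reason)


def demo():
    """Run both patterns in a throwaway tree and report what happened."""
    base = tempfile.mkdtemp()
    try:
        home = os.path.join(base, 'home', 'mallory')
        target = os.path.join(base, 'etc', 'important.conf')
        os.makedirs(home)
        os.makedirs(os.path.dirname(target))
        with open(target, 'w') as f:
            f.write('original contents\n')
        # The user plants ~/.sorry -> /etc/important.conf before being sorried.
        os.symlink(target, os.path.join(home, '.sorry'))
        write_home_sorry_file(home, 'spamming')
        with open(target) as f:
            clobbered = f.read() == 'spamming'

        state_dir = os.path.join(base, 'var', 'lib', 'ocf-sorry')
        write_sorry_record(state_dir, 'mallory', 'spamming', '/bin/bash')
        record = read_sorry_record(state_dir, 'mallory')
        try:
            write_sorry_record(state_dir, 'mallory', 'again', '/bin/zsh')
            second_refused = False
        except RuntimeError:
            second_refused = True
        # Even a link that somehow ends up inside the state dir is refused.
        os.symlink(target, os.path.join(state_dir, 'eve.json'))
        try:
            write_sorry_record(state_dir, 'eve', 'x', '/bin/sh')
            link_refused = False
        except RuntimeError:
            link_refused = True
        return {'clobbered': clobbered, 'record': record,
                'second_refused': second_refused, 'link_refused': link_refused}
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    print(demo())
```

The unsorry side then reads the record back from the state directory rather than from the home directory, which also removes the "existing ~/.oldshell gets lost" case since the user's own files are never touched.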
After #129 was merged, easywp does not work on new accounts because makemysql fails (since there is no existing config to update the DB password in).
The ability to give pages for just that day would be really handy.
This would mostly involve making a new PR that incorporates the feedback from #114
Extend ocf-kubernetes-deploy so that it will automatically create kubernetes secret resources for certain template files using the same secrets system as other resources. This is needed for config.js in thelounge (instead of ocf/thelounge#9) and homeserver.yaml in matrix.
When an account is sorried, any current processes running as that user should be kill -9'd on any machines they could potentially be running on (tsunami, death, vampires, segfault, corruption, and maybe more?).
Also, user crontabs should be disabled on these machines. Cron won't be able to run anything as the user but will still try, filling our logs with garbage. A recent compromise included adding stuff to crontab.
If a user has a WordPress website set up and resets their database password, the site becomes completely unusable (even to go into settings and change it). Fixing it requires SSHing in and changing the password in the configuration file.
Luckily, we can automate this with wp-cli. The makemysql script should also cd into the public_html folder and run wp config set DB_PASSWORD newpasswordgoeshere. It's OK if the command fails since that just means the user doesn't have a WordPress site.
A message like "x_user doesn't have any DNS records associated with them" is more human-friendly than an empty table.
Currently sorry and unsorry are pretty complicated scripts to be written in bash and have commented-out sections, shellcheck-ignored warnings, etc. It's also tough to know if things done in the sorry script are undone properly in the unsorry script (setting file permissions for instance), so rewriting these two to use common functions and better error handling (maybe even be in the same script file) would be useful.
There are a few Python 2 scripts left; going with our broader migration to Python 3, we should convert these holdouts over to the current decade.
The specific scripts which aren't slated for removal according to my knowledge are:
./acct/chsh
./acct/update-email
./staff/acct/note
./staff/sys/apt-dated
./staff/web/bludgeon
./net/pyrc
Because of updates to ocf-tv, the current sink value will not work. This needs to be updated.