My Friend: Dude our Linux Server is not working anymore!

Me: What? What did you do?

My friend: Nothing I swear!

Me: But you were last on it?

My friend: Yes. I just wanted to run a bash file and needed to give it permissions.

Me : WHAT DID YOU ENTER???!

My Friend: Chill man, just this command I found on the internet
chmod -R 600 /
chown -R root:root /

Me: WHY ARE YOU EVEN IN ROOT AND GOD DAMMIT WHY ARE YOU EVEN USING SOME RANDOM COMMAND FROM THE INTERNET. YOU KNOW YOU SHOULD NOT DO THIS OR JUST ASK!

My friend: Ok I did something wrong, how can I fix it?

Me: Did you make a backup or rsync of the server?

My friend: No. I just wanted to run this file.

Me: You holocausted the server. FUCK MY LIFE

So I maintain a open source PHP app that wraps youtube-dl, providing an UI for it basically. Some guy on a forum DMd me saying it's not working for him. I asked him what php version he used and if the file permissions are correct (the script makes and switches directories, so the permissions can't be root but need to be www-data).

He answers with PHP 7.2 (the newest that's rare) and says the file permissions are correct.

After 2 weeks the problem still persists and ofc I am doubting my code here. We finally get online together and I can use anydesk to work on his machine.

I discovered 2 things.

1) File permissions were just completely wrong.

2) PHP WASN'T EVEN INSTALLED

So what did I learn?

Never trust the user and I am glad that I work as a dev, not as a tech support.

My first day in a Linux admin and security course. I went all confident and cocky waiting for some bullshit like "type in your term: ls, cd, pwd, see you tomorrow"
Suddenly the teacher starts to configure lampp, then jumps to bind, and thirty minutes leater , when everyone has their ssl keys under control, I was still struggling to correctly forward my mate. The rest of the day was smooth and easy for those who finished their servers, and there I was, unable to find my own ass in the middle of that mess made of bad assigned permissions and wrong placed addresses. Even worse, he came to me when I asked for help, took my chair and fixed everything in one beautiful single bash line. I started to ask "what's this? Where is that? Is it a config file or a directory?" And with all his patience he keep telling me the obvious answers that where right there at the screen but I couldn't see. Took me two weeks to catch his pace, and another two weeks to understand fully his classes. He never said a word about my terrible first day (first couple weeks). When course finished, I saw he was going to teach a really hard security module, and I signed up without hesitate.

Dev : Can you change permissions for conf file please ?
Me : Yeah sure, what permissions set do you need ?
Dev : 667
Me: ...

A sidebar.
Literally just a sidebar.
And yes, this was in Hell.

Its code was spread across at least 40 files, and it used a bunch of freaking global variables to unfurl accordion sections, hide other sections/items, highlight the active item, etc. These were set (and unset!) in controller actions, so if you didn’t unset one, it remained open and highlighted until another action unset it.

Some of the global variable checks (and permissions checks) were done in the individual views, some outside of the `render` statements that include them. Some of them inherited variables from the parent, some from the controller, some from globals. Getting a view to work was trial and error. Oh, and some had their own inline css, some used css classes.

Subsections were separate views, so were some individual items, both sometimes rendered using shared templates, and all of the views and templates had the exact. same. filename. (They were located in different directories, and thus located automagically via implicit relative paths.) So, it was a virtually endless parade of`render partial => “sidebar”`. Which file does that point to? Good luck figuring it out!

Also, comments in several places said adding a new section required a database migration. I never did figure out why.

Anyway, I discovered this because I had an innocuous-sounding ticket to rearrange the sidebar, group some sections/items under different permissions, move some items to another menu, and nest some others differently.

It took me two bloody weeks, and this was when I was extremely productive every day.

Afterward, I was so disgusted by it that I took a day and removed every trace of the sidebar I could find, and rewrote it. I defined the sidebar in a hash, and wrote a simple recursive builder to generate the markup. It supported optional icons, n-level nesting, automatic highlighting of the current item and all parent nodes, compound and inherited permissions, wrapping of long names, hover and unfurl animations, etc. Took me a couple hundred lines of Ruby at the most, plus about the same of css.

Felt so good to remove that blight.

Every step of this project has added another six hurdles. I thought it would be easy, and estimated it at two days to give myself a day off. But instead it's ridiculous. I'm also feeling burned out, depressed (work stress, etc.), and exhausted since I'm taking care of a 3 week old. It has not been fun. :<

I've been trying to get the Google Sheets API working (in Ruby). It's for a shared sales/tracking spreadsheet between two companies.

The documentation for it is almost entirely for Python and Java. The Ruby "quickstart" sample code works, but it's only for 3-legged auth (meaning user auth), but I need it for 2-legged auth (server auth with non-expiring credentials). Took awhile to figure out that variant even existed.

After a bit of digging, I discovered I needed to create a service account. This isn't the most straightforward thing, and setting it up honestly reminds me of setting up AWS, just with less risk of suddenly and surprisingly becoming a broke hobo by selecting confusing option #27 instead of #88.

I set up a new google project, tied it to my company's account (I think?), and then set up a service account for it, with probably the right permissions.

After downloading its creds, figuring out how to actually use them took another few hours. Did I mention there's no Ruby documentation for this? There's plenty of Python and Java example code, but since they use very different implementations, it's almost pointless to read them. At best they give me a vague idea of what my next step might be.

I ended up reading through the code of google's auth gem instead because I couldn't find anything useful online. Maybe it's actually there and the past several days have been one of those weeks where nothing ever works? idk :/

But anyway. I read through their code, and while it's actually not awful, it has some odd organization and a few very peculiar param names. Figuring out what data to pass, and how said data gets used requires some file-hopping. e.g. `json_data_io` wants a file handle, not the data itself. This is going to cause me headaches later since the data will be in the database, not the filesystem. I guess I can write a monkeypatch? or fork their gem? :/

But I digress. I finally manged to set everything up, fix the bugs with my code, and I'm ready to see what `service.create_spreadsheet()` returns. (now that it has positively valid and correctly-implemented authentication! Finally! Woo!)

I open the console... set up the auth... and give it a try.

... six seconds pass ...

... another two seconds pass ...

... annnd I get a lovely "unauthorized" response.

asjdlkagjdsk.

> Pic related.

So I made an android app for a client. It's a newspaper type of app for the clients webpage, as he has a lot of traffic on it and about 50-51% is from mobile. Which is all good an everything.

And so I've been working on it for a while now as it wasn't a primary focus, more of a like side project.

I was able to make full working build (publish ready) and sent it to the client for a review.

After about an hour I received an email saying that the app is requesting too many permissions from the user. So I started looking trough my manifest file and all of the 3rd party libs to see what were those permissions.

Well, when I finally installed the app on a physical device and looked trough the permissions in the settings all I found were permissions for the internet and prevent the phone from sleeping.

After asking the client to tell me in detail which permissions raised concerns he told me it were those 2 and if they could be removed.

So I just wasted an hour of my life trying to explain why the app that is losing content from the internet needs internet permissions.

Fml and ignorant people who think they know everything and won't accept anything else.

And all of this because he read on some click bait website how a "real" app doesn't need any permissions and every other is just trying to steal all of your data and money.

I was called over by a colleague. She needed help because her computer kept telling her that she did not have permission to run certain programs or access certain files.

She logged in to Windows in front of me. The first thing that I noticed that the username was her office email address. I asked her about it.

Me: Why is your username your email address?
Her: It was this way when I got it.
Me: That is impossible. I made every Windows installation here and I always use the same username which is [companyname] as it is our policy.
Her: I'm telling you, this is the way it was when I got it.
Me: Are completely sure?
Her: Well.... someone else must have renamed it.
Me: So someone fired up your laptop, used your password to log in and changed the username to your email?
Her: I don't understand it either. Is it possible that it happened accidentally, on its own?
Me: ...

Then I explained to her that changing the username on Windows 10 may result in problems with file permissions.

I am not mad because she didn't know about this. I am mad because of her idiotic lies.

Never mess with a motivated developer. I will make your life difficult in return.

Me: we need server logs and stats daily for analysis
DBA: to get those, you need to open a ticket
Me: can't you just give me SFTP access and permissions to query the stats from the DB?
DBA: No.

*OK.... 🤔🤔🤔*

*Writes an Excel Template file that I basically just need to copy and paste from to create a ticket*

This process should not take me more than 2mins 👍😁😋🙂😙😙😙😙😙😙😙😙

For them.... 😈😈😈😈😈😈😈😈😈😈😈

Online applications are so much worse than the classic snail mail ones, because some companies just don't seem to give a single fuck about the quality of their application application (hehe).

This results in such joyous things like:

• "Allowed file types: doc, docx, pdf, jpg, zip"
• "Max filesize 3mb"
• "One of your files does not meet the requirements" (doesn't tell you which)
• "Upload timed out, please try again"
• 403 forbidden
• "Your account does not have the necessary permissions to upload more than 4 files at once"
• clicking the submit button leads to a 404
• "Please explain why you want to work for us." 500 character limit
• Google forms

Only touching the topic slightly:

In my school time we had a windows domain where everyone would login to on every computer. You also had a small private storage accessible as network share that would be mapped to a drive letter so everyone could find it. The whole folder containing the private subfolders of everyone was shared so you could see all names but they were only accessible to the owner.

At some point, though, I tried opening them again but this time I could see the contents. That was quite unexpected so I tried reading some generic file which also worked without problems. Even the write command went through successfully. Beginning to grasp the severity of the misconfiguration I verified with other userfolders and even borrowed the account of someone else.

Skipping the "report a problem" form, which would have been read at at least in the next couple hours but I figured this was too serious, I went straight to the admin and told him what I found. You can't believe how quickly he ran off to the admin room to have a look/fix the permissions.

I have a few of these so I'll do a series.
(1 of 3) Public privates

We had a content manager that created a content type called "news item" on a Drupal site. There where two file fields on there. One called "attachments" and the other called "private attachments". The "private attachments" are only for members to see and may contain sensitive data. It was set to go trough Drupals security (instead of being directly hosted by the webserver) but because the permissions on the news items type where completely public everybody had access. So basically it was a slow public file field.

This might be attibuted to ow well Drupal is confusing. Howerver weeks earlier that same CM created a "private article". This actually had permissions on the content type correctly but had a file field that was set to public. So when a member posted the URL to a sensitive file trough unsafe means it got indexed by google and for all to read. When that happend I explained in detail how the system worked and documented it. It was even a website checklist item.

We had two very embarrassing data leaks :-(

Our project at work goes live in 3 weeks.

The code base has no automated tests, breaks very often, has never had any level of manual testing

will not be releasing with any form of enforced roles or permissions in our first release now due to no time to enforce, however there is a whole admin api where you can literally change anything in our database including roles.

We also have teams in various countries all working separately on the same solution using microservices with shared nuget packages and they aren't using them properly.

Our pull requests are so big - as much as, 75 file changes - in our fe app that I can't keep up with it and I honestly have no idea if it even works or not due to no automated tests and no time to manually test.

We have no testing team, or qa team of any sort.

Every request into the system has to hit a minimum of 3 different databases via 3 different microservices so 1 request = 4 requests with the load on the servers.

We don't use any file streams so everything is just shoved in the buffer on the server.

Most of the people working on the angular apps cba to learn angular, no one across 2 teams cba to learn git. We use git so they constantly face problems. The guy in charge has 0 experience in angular but makes me do things how he wants architecturally so half the patterns make no sense.

No one looks at the pull requests, they just click approve so they may as well push directly to master.

Unfinished work gets put in for pull request so we don't know if the app is in a release state since aall teams are working independently, but on the same code base.

I sat down and tested the app myself for an hour and found 25 fe only issues, and 5 breaking cross browser issues.

Most of our databases are not normalised. Most of our databases make no sense. 99% of our tables have no indexing since there is no expertise with free time to do it.

No one there understands css properly. Or javascript.

Our. Net core microservices all directly use ef in the controller actions so there is no shared code there.

Our customer facing fe app is not dry because no tests so it was decided it was better this way.

Management has no idea on code state, it seems team lead is lieing to them about things like having any level of tests.

Management hire devs that claim to be experts but then it turns out they have basically no knowledge of what they were hired to do, even don't know what json is or the framework or language they are hired for, but we just leave them to get on with it and again make prs too big to review.

Honestly I have no hope that this will go well now but I am morbidly curious to watch. I've never seen anything like the train wreck that we are about to get experience.

I have come across the most frustrating error i have ever dealt with.
Im trying to parse an XML doc and I keep getting UnauthorizedAccessException when trying to load the doc. I have full permissions to the directory and file, its not read only, i cant see anything immediately wrong as to why i wouldnt be able to access the file.
I searched around for hours yesterday trying a bunch of different solutions that helped other people, none of them working for me.
I post my issue on StackOverflow yesterday with some details, hoping for some help or a "youre an idiot, Its because of this" type of comment but NO.
No answers.
This is the first time Ive really needed help with something, and the first time i havent gotten any response to a post.
Do i keep trying to fix this before the deadline on Sunday? Do i say fuck it and rewrite the xml in C# to meet my needs? Is there another option that i dont even know about yet?
I need a dev duck of some sort :/

When i made a little web prototype platformer game using js and then wanted to show my friends as they all wanted to play.

1. Setup all the files on my phone.
2. Made a web server on my phone with relevant file permissions.
3. Setup a web server on my phone and joined the network
4. Smile as it worked when they all connected through the browser to the relevant IP/port

This post just made me realise i need to get another phone lol

Ahh.. there is nothing like the joyous feeling of writing a working piece of code for your own personal projects.

I spent several weeks and a few hours today to finally get my Python automation script working and I am very proud of myself.

Here's what it does:
* open a text file, extract a specific string from it using rather complicated xpath
* open another text file and do the same
* replace result 1 with result 2
* log results
* close file
* automate the process

Even though it looks easy, I had to mess around with a lot of problems such as permissions, indentation, stream writing, file status, etc.

Now, instead of having to manually do this job, I can just let my machine do it!

At work one morning, I was asked in chat for a way to edit an xml file on a Mac. They couldn't open it due to permissions. I told them to open Terminal and run sudo vi /path/to/file.xml. Never got a message back about it, so I assumed everything was OK. Later that afternoon, I received another question: "I'm in, I've made the changes, now what? How do I get out?" It wasn't funny until I realized how many memes existed for this. I'd imagined they'd quickly opened and edited it and spent hours unable to exit it; though, realistically, it probably wasn't attempted until the afternoon. Truthfully, I was new to it, too, and have no idea why I suggested vi over something else.

Am I the only developer in existence who's ever dealt with Git on Windows? What a colossal train wreck.

1. Authentication. Since there is no ssh key/git url support on Windows, you have to retype your git credentials Every Stinking Time you push. I thought Git Credential Manager was supposed to save your credentials? And this was impossible over SSH (see below). The previous developer had used an http git URL with his username and password baked in for authentication. I thought that was a horrific idea so I eventually figured out how to use a Bitbucket App password.

2. Permissions errors
In order to commit and push updates, I have to run Git for Windows as Administrator.

3. No SSH for easy git access
Here's where I confess that this is a Windows Server machine running as some form of production. Please don't slaughter me! I am not the server admin.
So, I convinced the server guy to find and install some sort of ssh service for Windows just for the off times we have to make a hot fix in production. (Don't ask, but more common than it should be.)
Sadly, this ssh access is totally useless as the git colors are all messed up, the line wrap length and window size are just weird (seems about 60 characters wide by 25 lines tall) and worse of all I can't commit/push in git via ssh because Permissions. Extremely aggravating.

4. Git on Windows hangs open and locks the index file
Finally, we manage to have Git for Windows hang quite frequently and lock the git index file, meaning that we can't do anything in git (commit, push, pull) without manually quitting these processes from task manager, then browsing to the directory and deleting the .git/index.lock file.

Putting this all together, here's the process for a pull on this production server:
Launch a VNC session to the server. Close multiple popups from different services. Ask Windows to please not "restart to install updates". Launch git for Windows. Run a git pull. If the commits to be pulled involve deleting files, the pull will fail with a permissions error. Realize you forgot to launch as Administrator. Depending on how many files were deleted in the last update, you may need to quit the application and force close the process rather than answer "n" for every "would you like to try again?" file. Relaunch Git as Administrator. Run Git pull. Finally everything works.

At this point, I'd be grateful for any tips, appreciate any sympathy, and understand any hatred. Windows Server is bad. Git on Windows is bad.

Why are clients so brain dead?

I've had a client insist for the last two weeks that I provide them with a high level technical specification for fucking OneDrive because our product is able to embed HTML inputted into the CMS.

I've literally had hours of meetings with over a dozen people where I'm trying to explain that just because they're embedding some PowerPoint HTML into our CMS doesn't mean we need to or even can provide technical documents.

This is a huge company with an equity of over £50 billion by the way. I swear the bigger the company the more incompetent the employees get.

Their whole issue stems from one guy not understanding how basic logins and file sharing permissions work + their IT doing security fuckery to screw up which machines can login or access what. So I made and sent them a flow diagram explaining it, out of some naive hope that they'll now leave me alone.

I still don't understand how any of this is my responsibility just because these idiots don't understand that our product is separate from the HTML they've decided to put into the CMS. I don't think any of these people know what they're asking me for when they keep insisting I send them technical documents for a Microsoft owned product that we have nothing to do with.

I'm sure I'll be stuck telling them to talk to their own IT team over and over again as they schedule meetings every few days until the heat death of the universe. Then I'll finally have peace. Either that or somehow one of them finds this post and I get fired.

Motherfucker, do you even review your own code, never mind getting anyone else to do it?

"Hi" randomly added on a new line in the middle of a switch block, a syntax error, as the only change in a file?

Breaking two methods by misunderstanding which database object a variable identifies- but making no other change to those functions? And not adding permissions checks to the new API methods you added in that file?

Overwriting the email template that goes out to users who were added straight to the CRM, by reusing the same file for a template for users that have been invited to an event?

Adding your new fields to the old CRM sync code, again leaving me to figure it out, thereby leaving users' changes likely to be overwritten every morning?

And pushing this to master, supposedly tested, without a heads-up?

How often does your mum need to buy you a new box of crayons? Because these ones are chewed to pieces.

Suck my balls. Or rather don't, you probably don't know you're not meant to use your teeth.

I spent hours trying to figure out why imagettftext() in PHP wasn't working...
Damn file permissions!!

I want to call out the absolute retard at Oracle who decided that file modes should be read from the envvar called UMASK and be in decimal by default.
They probably never cared about file permissions.

Just as an extension of last rant to explain how much fun it is to keep up with Apple's security through obscurity bullshit.
AFAIK this full disk access (FDA) feature was touted to protect a user's data on macOS. Programs that want to access those files need to request the user's permissions to do so. Now to the fun part: Apple is not providing any API. A staff member suggested, that you should only try to access the files your app needs and if you can't as for the user's allowance. One should not use some fixed files and try to access them, because their locations might change, as well as their (UNIX file) access rights (ACL), or if they fall under FDA. Not to speak about the other security features that might hinder you accessing files (you might be sandboxed, or the files might be subject to SIP/rootless).
Honestly, you should be starting to take drugs, if you want to stay sane. I mean UNIX ACL are weird enough: e.g. you can make a directory only readable for root such that a user cannot list the files inside, but you can place files inside that the user can read (if she knows about their existence). On macOS you'll never know. You may have all the rights to access a file,.. but Apple will only give you the finger.
As they always do to us developers.

My boss keeps looking into the system log file and being scared of some totally irrelevant messages (for him). Time to introduce permissions in the control panel...

Any Windows Sysadmins here? I have a question for you - How do you do it?

I only very rarely have to do something that would fall under "Windows System Administration", but when I do... I usually find something either completely baffling, or something that makes me want to tear our my hair.

This time, I had a simple issue - Sis brought me her tablet laptop (You know, the kind of tablets that come with a bluetooth keyboard and so can "technically" be called a laptop) and an SD card stating that it doesn't work.

Plugging it in, it did work, only issue was that the card contained file from a different machine, and so all the ACLs were wrong.

I... Dealt with Windows ACLs before, so I went right to the usual combination of takeown and icacls to give the new system's user rights to work with the files already present. Takeown worked fine... But icacls? It got stuck on the first error it encountered and didn't go any further - very annoying.

The issue was a found.000 folder (Something like lost+found folder from linux?) that was hidden by default, so I didn't spot it in the explorer.

Trying to take ownership of that folder... Worked for for files in there, safe for one - found.000\dir0000.chk$Txf; no idea what it is, and frankly neither do I care really.

Now... Me, coming from the Linux ecosystem, bang my head hard against the table whenever I get "Permission denied" as an administrator on the machine.

Most of the times... While doing something not very typical like... Rooting around (Hah... rooting... Get it?! I... Carry on) the Windows folder or system folders elsewhere. I can so-so understand why even administrators don't have access to those files.

But here, it was what I would consider a "common" situation, yet I was still told that my permissions were not high enough.

Seeing that it was my sister's PC, I didn't want to install anything that would let me gain system level permissions... So I got to writing a little forloop to skip the one hidden folder alltogether... That solved the problem.

My question is - Wtf? Why? How do you guys do this sort of stuff daily? I am so used to working as root and seeing no permission denied that situations like these make me loose my cool too fast too often...

Also - What would be the "optimal" way to go about this issue, aside for the forloop method?

The exact two commands I used and expected to work were:
takeown /F * /U user /S machine-name /R
icacls * /grant machine-name\user:F /T

Trying to use authenticate a JWT token from an Azure service, which apparently needs to use Azure AD Identity services (Microsoft Entra ID, Azure AD B2C, pick your poison). I sent a request to our Azure admin. Two days later, I follow up, "Sorry, I forgot...here you go..."
Sends me a (small) screenshot of the some of the properties+GUIDs I need, hoping I don't mess up, still missing a few values.
Me: "I need the instance url, domain, and client secret."
<hour later>
T: "Sorry, I don't understand what those are."
Me: "The login URL. I assume it's the default, but I can't see what you see. Any shot you can give me at least read permissions so I can see the various properties without having to bother you?"
T: "I don't see any URLs, I'll send you the config json, the values you need should be in there."
<10 minutes later, I get a json file, nothing I needed>
<find screenshots of what I'm looking for, send em to T>
Me: "The Endpoints, what URLs do you see when you click Endpoints?"
<20 minutes later, sends me the list of endpoints, exactly what I'm looking for, but still not authenticating the JWT>
Me: "Still not working. Not getting an error, just that the authentication is failing. Don't know if it's the JWT, am I missing a slash, or what. Any way I can get at least read permissions so I don't have to keep bugging you to see certain values?"
T: "What do you need, exactly?"
Me: "I don't know. I don't know if I'm using the right secret key, I can't verify if I'm using the right client id. I feel like I'm guessing trying to make this work."
T: "What exactly are you trying to get working?"
<explain, again, what I'm trying to do>
T: "That's probably not going to work. We don't allow AD authentication from the outside world."
Me: "Yes we do. Microsoft Teams, Outlook, the remote access services. I can log into those services from home using my AD credentials."
T: "Oh yea, I guess we do. I meant what you are trying to do. Azure doesn't allow outside services to authenticate using a JWT. Sorry."

FRACK FRACK FRACK!!

Whew! Putting the flamethrower away.

Thanks devrant for letting me rant.

Malwares are nasty applications, that can spy on you, use your computer as an attacker or encrypt your files and hold them on ransom.

The reason that malware exists, is because how the file system works. On Windows, everything can access everything. Of course, there are security measures, like needing administrator permissions to edit/delete a file, but they are exploitable.

If the malware is not using an exploit, nothing is there to stop a user from unknowingly clicking the yes button, when an application requests admin rights.

If we want to stop viruses, in the first place, we need to create a new file-sharing system.

Imagine, that every app has a partition, and only that app can access it.

Currently, when you download a Word document, you would go ahead, start up Word, go into the Downloads folder and open the file.

In the new file-sharing system, you would need to click "Send file to Word" in your browser, and the browser would create a copy of the file in a transfer-partition. Then, it would signal to Word, saying "Hey! Here's a file that I sent to you, copy it to your partition please!". After that, Word just copies the file to its own partition, signals "Ok! I'm done!", and then the browser deletes the file from the shared partition.

A little change in the interface, but a huge change in security.

The permission system would be a better UAC. The best way I can describe it is when you install an app on Android. It shows what permission the app wants, and you could choose to install it, or not to.

Replace "install" with "grant" and that's what I imagined.

Of course, there would be blacklisted permissions, that only kernel-level processes have access to, like accessing all of the partitions, modifying applications, etc.

What do you think?

Company created an FTP account for me on one of their servers as they were lazy to fix file permissions.

24 hours later, they monitored a breach and closed the FTP account.

Just to add that the initial password that they sent me was super weak.

!$rant

So I kept running into permission problems last night when trying to use move_uploaded_file() in php to upload images to my virtual server. Maybe today I'll finally figure it out.

I love Docker but I'm almost always screwing around with permissions and file ownership when it comes to secrets, bind mounts and making sure shit doesn't run as root while also making sure secrets are exposed and volumes aren't owned by root

Perhaps my frustration comes from the fact that I'm still learning and sometimes get impatient when things don't work within an hour or two, but still

Client be like:
Pls, could you give the new Postgres user the same perms as this one other user?

Me:
Uh... Sure.

Then I find out that, for whatever reason, all of their user accounts have disabled inheritance... So, wtf.

Postgres doesn't really allow you to *copy* perms of a role A to role B. You can only grant role A to role B, but for the perms of A to carry over, B has to have inheritance allowed... Which... It doesn't.

So... After a bit of manual GRANT bla ON DATABASE foo TO user, I ping back that it is done and breath a sigh of relief.

Oooooonly... They ping back like -- Could you also copy the perms of A on all the existing objects in the schema to B???

Ugh. More work. Lets see... List all permissions in a schema and... Holy shit! That's thousands of tables and sequences, how tf am I ever gonna copy over all that???

Maybe I could... Disable the pager of psql, and pipe the list into a file, parse it by the magic of regex... And somehow generate a fuckload of GRANT statements? Uuuugh, but that'd kill so much time. Not to mention I'd need to find out what the individual permission letters in the output mean... And... Ugh, ye, no, too much work. Lets see if SO knows a solution!

And, surprise surprise, it did! The easiest, simplest to understand way, was to make a schema-only dump of the database, grep it for user A, substitute their name with B, and then input it back.

What I didn't expect is for the resulting filtered and altered grant list to be over 6800 LINES LONG. WHAT THE FUCK.

...And, shortly after I apply the insane number of grants... I get another ping. Turns out the customer's already figured out a way to grant all the necessary perms themselves, and I... No longer have to do anything :|

Joy. Utter, indescribable joy.

Is there any actual security reason for disabling inheritance in Postgres? (14.x) I'd think that if an account got compromised, it doesn't matter if it has the perms inherited or not, cuz you can just SET ROLE yourself to the granted role with the actual perms and go ham...

So today's conversation with my co-worker who built our build system...

Me:OS X build server is not building valid installs.
Him:What's the problem?
Me:The KEXT is not rebuild... I think that Jenkins isn't capable of updating the file because of the permissions the script set when you test compiled it manually... Could you please add Jenkins user to sudoers file or something?
Him:Yes of course, but what should I google?

WTF dude? Do you even think yourself? And for some reason no-one has acces to the build servers configs exept for him and he shows up like 3 times a week...

Infrastructure took away our read access in S3 to data that we own and our ability to manually delete/upload to S3 in that prefix (which we own). Without waiting for us to confirm that we have alternative means to read and change what is in there. And I had no warning about this, so here I am doing a midnight mod on an existing solution of mine in hopes that I can finish it before tomorrow morning for some legal reporting deadline.

Things would be so much easier if the infrastructure team let the emergency support role have those permissions for emergencies like this, but they didn't. I guess "least privilege" means "most time spent trying to accomplish the most trivial of things, like changing a file".

I. Hate. Windows. Apps. UGH.

I may never be able to play FS2020 from the Xbox Game Pass again as... Its unable to install, gives a helpful 0x1 error code, and the help page link goes to a 404.

Now, I caused this myself... Partially... Er, no, fully, but I had a good reason!

I wanted to install something larger again and didn't have enough disk space. Fired up WinDirStat and there was a huge, like... 45 GB file in C:\Program Files\WindowsApps\Somedir\

Googling around, I found some people saying its a temp file so that Windows Store could reserve enough space for the app instalation... Okay, so... It got stuck, and I had no way to remove it?

Of course I didn't want to remove all apps of the windows market... So, I did something any *sane* person would never do - Took ownership of the whole WindowsApps and gave myself full control. Then I removed the file and... FS2020 never launched again.

I couldn't even uninstall it! It would give me no error either. It just lagged and then did nothing.

I tried resetting all the ACLs, tried giving ownership back to TrustedInstaller, nothing worked. Failed on some of the files, wtf?

Launching the game only ever told me there was an update in progress.

Tried booting a windows iso image and fix the ACLs from there, nope, also failed for the same bunch of files of FS2020. (Permission Denied while on a live image? Wow)

Last resort, I booted up Linux and tried removing the offending folders from there, only to find out that... Huh. The NTFS module labelled the offending folders as... broken links leading to an "unsupported reparse point". But hey, it let me remove it at least.

Since then, it no longer appeared as installed, but... Now, anytime I want to install it, it just throws an error 0x00000001 with no further details.

So yeah, I know I caused this myself, but after fiddling with the permissions and ACLs and NTFS dark magic, I feel justified in saying - Fuck you WindowsApps DRM.

I was writing some JS files, and each time I tried to run them, the browser gave me errors on multiple lines. After looking at the source code, editing tons of lines and still not getting any result, I opened the source through the Chromium console and noticed it was different from mine. I thought there was a problem saving the file. Checked folder permissions, restarted Atom and Chromium, but still nothing.
What happened? I had opened the backup file in Chromium. 😩

In the past, apps I've written have used a flat file backend. It's very fast, but obviously clunky to have a big structure of flat files for an app. It ran circles around framework-based RDBMS backends, as performance is concerned, but again, it was clunky. Managing backups and permissions on tens or hundreds of thousands of small files was no fun. Optimizing code for scaling was fun- generating indexes, making shortcuts -but something was still missing. Early in 2017 I discovered redis. A nosql backend that just stores variables and lives almost entirely in memory. Excellent modules and frameworks for every language. It was EXACTLY what I'd needed, even though I didn't know I did. I spent a good deal of time in 2017 converting apps from flat files to redis, and cackled with glee as they became the apps I wanted them to be. Earlier this week, I started building my first app that started with redis, instead of flat files, and I can't stop gushing to anyone who will listen. Redis for president!

Sometime last year I had an internship at a small company.

Test servers weren't a thing, and after local testing, it would go to production with a backup of the files that we would put back as soon as we notice something was broken or off.

We used symfony and sonata admin was part of the bundle.

One day, boss asks me to show all the items in a table on the admin page instead of 30 rows.

Me being good guy intern say "sure no problem" so after finding the magic number, I set it to 0 instead of 30.

I gave my work reviewed by my supervisor (senior dev there) and he approved it.

I try to upload the file over FTP. No permissions.

Ask the other dev what it's about, his response: "no idea"

So he tries, fails and decides to try SSH.

Somehow, after fiddling for 20 minutes with ssh, we managed to upload the file.
As soon as we did we hear a scream from the boss's office, we refresh the site, and no matter what page we went to, all we saw was white and the logo of the company in the top left corner.

So this time, we fiddled around with ssh to restore the file for 20 minutes.

Finally succeed all goed back to normal.

A little while later, we call a meeting with the bosses and ask to rewrite the website, BAM, we get approval.

We said "two weeks tops", well that lasted 3 months.

In the end bosses are Uber happy with the work and everything ended well.
Also, development speed has multiplied.

Question about permission in `docker-compose`

So far, I've usually used vagrant for local dev. It was nice, as I was able to specify `wack:wack` as owner of all files. However with docker compose, if I connect with exec and use `/bin/bash` I'm logged in as `root`. When I then run composer, it kind of fucks with the file permissions, as after it all new files are owned by root and thus can't be edited with an ide on the "host" system.

One hack that I found suggested creating an user and a group with same uid as on the host and use that instead of root. This just doesn't sound right to me. Any advice on how to handle this situation?

So I inherited this buggy application my company developed to process state rosters for health care. The daily process fails often and I haven’t been able to figure out why. Then I notice one little thing... it’s essentially using SQL injection as a method of updating records from a file that we receive from outside... there’s no checking for validity of the statements or making sure they’re safe to execute. Just a for in loop and calling a sp to execute the query text under elevated permissions.

Built an application real fast that rename files you drag into a specified folder and spits them out into a folder on your desktop. I had a bunch of file permissions issues because it was in a “while(true)” loop and it constantly watched the folder. Instead of checking whether Windows was done moving the file or whatever so I could take control of it, I just threw a try/catch block in there.

It worked perfectly.

So, today I was very happy with my new chromecast. I can hold a button on remote and tell him what to search on youtube. But it's impossible to let it search forward tsoding. It just doesn't understand. So, very confident I spelled tsoding and expected it to understand correctly. No! From all freaking miles we made to AI, it can't fucking understand spelling? How hard could that be. So now, I still often have to use my phone. Big downer.

Also: you never know if it will answer a question you made or if it'll search for videos. Seems very random.

I should be able to add things to Callender by just speaking to it but it says that it doesn't have permissions and can't find them nowhere.

Besides that, this new one is usable as network drive of 4Gb. Good source file backup network drive. I already try to contribute to the webdav server on it. The implementation is a bit sad and I already wrote a whole full featured webdav server myself. Also offered Dutch translation.

I remember the day I used Linux to enforce size quotas on user directories oh what a day
I was surrounded by horrible monsters wearing manho suits that made them appear superficially human... though the sounds screeching forth from their many toothed mouths in whining jarring tones would suggest otherwise and I used this wonderful feature : you can call most of the file systems commands on files !

did a dd to create a disk image specified to the correct size made an fs inside and mounted it straight into the home directory adding entries to the fstab to auto mount and setting the io permissions
It was so wonderful and the little bastards refused to use the server !

I like the people I work with although they are very shit, I get paid a lot and I mostly enjoy the company but..

Our scrum implementation is incredibly fucked so much so that it is not even close to scrum but our scrum master doesn't know scrum and no one else cares so we do everything fucked.

Our prs are roughly 60 file hangers at a time, we only complete 50% of our work each sprint because the stories are so fucked up, we have no testers at all, team lead insists on creating sql table designs but doesn't understand normalisation so our tables often hold 3 or 4 sets of data types just jammed in.

Our software sits broken for months on end until someone notices (pre release), our architecture is garbage or practically non existent. Our front end apps that only I know the technology have approaches dictated by team lead that has no clue of the language or framework.

Our front end app is now about 50% tech debt because project management is so ineffectual and approaches are constantly changing. For instance we used to use view models for domain transfer objects... Now we use database entities, so there is no commonality between models but the system used to have shared features relying on that..sour roles and permissions are fucked since a role is a page regardless of the pages functionality so there is no ability to toggle features, but even though I know the design is fucked I still had to implement after hours of trying to convince team lead of it. Fast forward a few months and it's a huge cluster fuck to enforce.

We have no automated testing of any sort or manual testing in place.

I know of a few security vulnerabilities I can nuke our databases with but it got ignored.

Pr reviews are obviously a nightmare since they're so big.

I just tried to talk to scrum master again about story creation since any story involving front end ui as an aspect of it is crammed in under one pointed story as sub tasks, essentially throwing away any ability to calculate velocity. Been here a year now and the scrum master doesn't know what I mean by velocity... Her entire job is scrum master.

So anyway I am thinking about leaving because I like being a developer and it is slowly making me give up on doing things to a high standard and I have no chance of improving things, but at the same time the pay is great and I like the people.

One of the worst practices in programming is misusing exceptions to send messages.

This from the node manual for example:

> fsPromises.access(path[, mode])

> fsPromises.access('/etc/passwd', fs.constants.R_OK | fs.constants.W_OK)
> .then(() => console.log('can access'))
> .catch(() => console.error('cannot access'));

I keep seeing people doing this and it's exceptionally bad API design, excusing the pun.

This spec makes assumptions that not being able to access something is an error condition.

This is a mistaken assumption. It should return either true or false unless a genuine IO exception occurred.

It's using an exception to return a result. This is commonly seen with booleans and things that may or may not exist (using an exception instead of null or undefined).

If it returned a boolean then it would be up to me whether or not to throw an exception. They could also add a wrapper such as requireAccess for consistent error exceptions.

If I want to check that a file isn't accessible, for example for security then I need to wrap what would be a simple if statement with try catch all over the place. If I turn on my debugger and try to track any throw exception then they are false positives everywhere.

If I want to check ten files and only fail if none of them are accessible then again this function isn't suited.

I see this everywhere although it coming from a major library is a bit sad.

This may be because the underlying libraries are C which is a bit funky with error handling, there's at least a reason to sometimes squash errors and results together (IE, optimisation). I suspect the exception is being used because under the hood error codes are also used and it's trying to use throwing an exception to give the different codes but doesn't exist and bad permissions might not be an error condition or one requiring an exception.

Yet this is still the bane of my existence. Bad error handling everywhere including the other way around (things that should always be errors being warnings), in legacy code it's horrendous.

For the love of god developers/programmers, don’t put version numbers to your softwares file paths!

It’s the worst when you have to configure permissions and rules, then the folder path changes in every update!

Are native Android apps easier to write now than like back in KitKat days?

I need a app that gets root permissions and reads a db file of another app (Yes my phone is rooted).

Anyone can give a gist, I forget do I need to create a Service background worker to do the DB reads... Or just need to send the op to a bg thread with a UI callback sorta like Node...

I did try writing a ReactNative app maybe last year just to try it out but can't seem to easily get root access... And the SQLite package is buggy, couldn't npm install on Win10...

I had the funniest thing today... So our company has some servers off somewhere in a VPN, as well as one server in our own office.

So, for simplicity, S1 is my own laptop, S2 is our office server, S3 is one VPN server, and S4 another.

I want to get a file from S2 to S4. S1 can SSH into S2 and S3, S2 can't ssh into any server, S3 can ssh into S2 and S3, and S4 can't ssh into any server.

So to get a file from S2 to S4, I took the path

S1 pull from S2 -> S1 push to S3 -> S3 push to S4

Part of it was preexisting keys meaning it was easier to send S1 to S4 via S3 than get my pubkey from S1 onto S4, but also S2 not being on the VPN meant I couldn't go straight from S2 to S3 or S4, so I had to route through S1, which I could add to the VPN (I'd sshed into S2 from home and thus couldn't put it on the VPN not to mention permissions, whereas I could put S1 easily onto it)

Twas certainly a fun time :P

Plus, port forwarding from a Docker container on S2 to S2's port to S1's port via ssh was fun to get set up.

Time to document this process :)

> Be me
> Fresh out of school
> Do some volunteer work for 1 year before starting to work
> Start work at local hospital
> One day get assigned new task
> "We have this directory where there is a file for every employee who has a key - File contains legal stuff"
> Current naming scheme "MaxMustermann"
> Desired naming scheme "Max Mustermann"
> Task: rename every file.
> 1974 Files
> OHNONONONO.JPG
> Hol up buddy
> A repetetive automatable task?
> I know this
> Im a hackerman
> Let's write a script....

> *SMASHES WINDOWS BUTTON*
> "Python"
> No results

> I could have guessed that

> *SMASHES WINDOWS BUTTON*
> "Java"
> No Java compiler

> OH no

> *SMASHES WINDOWS BUTTON*
> "Powershell"
> "tHe eXEcUTIon oF poWeRsheLL sCriPts Is dIsAbLeD"

> REEEEEEEE

> *SMASHES WINDOWS BUTTON*
> "cmd"
> "YOu dO noT haAV thE rEqUiReD peRmIsSionS To oPeN tHis proGrAm"

> DAFUQ

> Wait this is windows.
> Windows ships with .NET

> *SMASHES WINDOWS BUTTON*
> "csc"
> No results

> OHHELLONO.gif

> mfw I have to rename 1794 files by hand.

( Please send help )

This happened to me sometime back.

I want to try out a WordPress plugin in my local machine before installing on a production server. It is an Ubuntu machine. Downloaded and installed Xampp, then setup WordPress with MySQL. Now tried uploading the plugin zip file, it throws some permission error, asking to fix permissions or use FTP. I thought of just chmod 777 recursively for the WordPress directory to fix this easily.

Ran the command, looks like it is hung. Terminated using Ctrl+C and then ran the same command. Again it is taking much time. It should not take so much time to recursively change the permission of just a WordPress directory. Thought something was wrong. Before I realized the damage is already done.

Looks like I ran the command

sudo chmod -R 777 /

instead of

sudo chmod -R 777 ./

Fuck, I missed a dot in the command and it is changing permissions of everything in my machine. Saw the System monitor, CPU usage spiked to 100%. I can't close or open any program. Force shutdown the machine using the power key. It didn't boot again. Recovery mode didn't help. Looks like there is no easy way to restore back from this damage. Most of the files I need are backed up in the cloud, still, need a few more personal files so that I can format and reinstall Ubuntu. Realised I have Windows in dual booting. Boot into Windows and used some ext4 reader to recover the files, formatted and reinstalled the OS. Took a few hours to get back to my previous setup.

Lesson Learned: Don't use sudo unnecessarily.
Double check the command while executing.
Running a wrong command with root permission can fuckup your entire machine.

Another great website error code fail (dumped its full error output to the website):
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/trac/web/api.py", line 436, in send_error
data, 'text/html')
File "/usr/lib/python2.4/site-packages/trac/web/chrome.py", line 808, in render_template
template = self.load_template(filename, method=method)
File "/usr/lib/python2.4/site-packages/trac/web/chrome.py", line 768, in load_template
self.templates = TemplateLoader(
File "/usr/lib/python2.4/site-packages/trac/web/chrome.py", line 481, in get_all_templates_dirs
for provider in self.template_providers:
File "/usr/lib/python2.4/site-packages/trac/core.py", line 78, in extensions
return filter(None, [component.compmgr[cls] for cls in extensions])
File "/usr/lib/python2.4/site-packages/trac/core.py", line 213, in __getitem__
component = cls(self)
File "/usr/lib/python2.4/site-packages/trac/core.py", line 119, in maybe_init
init(self)
File "/usr/lib/python2.4/site-packages/authopenid/authopenid.py", line 157, in __init__
db = self.env.get_db_cnx()
File "/usr/lib/python2.4/site-packages/trac/env.py", line 335, in get_db_cnx
return get_read_db(self)
File "/usr/lib/python2.4/site-packages/trac/db/api.py", line 90, in get_read_db
return _transaction_local.db or DatabaseManager(env).get_connection()
File "/usr/lib/python2.4/site-packages/trac/db/api.py", line 152, in get_connection
return self._cnx_pool.get_cnx(self.timeout or None)
File "/usr/lib/python2.4/site-packages/trac/db/pool.py", line 172, in get_cnx
return _backend.get_cnx(self._connector, self._kwargs, timeout)
File "/usr/lib/python2.4/site-packages/trac/db/pool.py", line 105, in get_cnx
cnx = connector.get_connection(**kwargs)
File "/usr/lib/python2.4/site-packages/trac/db/sqlite_backend.py", line 180, in get_connection
return SQLiteConnection(path, log, params)
File "/usr/lib/python2.4/site-packages/trac/db/sqlite_backend.py", line 255, in __init__
user=getuser(), path=path))
TracError: The user apache requires read _and_ write permissions to the database file /home/trac/morituri/db/trac.db and the directory it is located in.

How to write programs on Android 10 that work with files/directories? Have used a number of JVM-based languages like Groovy, Clojure and Kotlin.

My last try was with Groovy. I ran it under Dcoder which has to be cloud-, based as it supports numerous languages. I gave it permission to access storage but got a file not found error from Java. Copied this excerpt for the file path.

import java.io.File

class Example {

static void main(String[] args) {

new File("/storage/emulated/0/read_file.grvy").eachLine {

line -> println "line : $line";

}

}

}
Do I need root? Do I need to change file permissions using Termux? Why can't I find a way to write simple software on a Motorola Super, 3 GB RAM and 8 cores? I hate using a phone for a computer but a seizure has me in a nursing home with only one usable hand.

Any help is greatly appreciated.

PR done and dusted. Welp! Somehow all permissions on files have been changed. I didnt change it. Wtf happened? Log search turns up I did change it while resolving merge conflicts. I don't know how. Anyway now I am spending my afternoon working on the vaguest fucking issue and reverting back all file permissions. Might have somehow fucked up two repos and will have to fix them all. Kill me. Now

Have you ever stuck between user permissions, docker, Jenkins and Linux?

Running a docker with a particular user that doesn't have permission to folder inside container. user permissions should be same on host and inside container. When I did that container user does have permission of certain file on the host.

Successfully wasted my day on fucking things.

I have to again start with this tomorrow wish me a luck.

Someone asked me to check on his Wordpress site. Can't upload media. 'Failure to write to disk' Updating fails too. Directory and file permissions are ok. Server has enough space. Cleared tmp. Any more ideas?