
Custom scripting gives users a safe-du


My company has a Linux cluster with a terabyte of attached storage. Over time we noticed the head node was becoming more overloaded. Inspection of the system showed that users were starting dozens of copies of the du utility to determine disk space usage. This was a natural thing for them to do, because they had a need to know how much disk space was available. A lack of disk space would cause their software builds and tests to fail. The problem was that it takes five to seven hours for a du of the entire shared filesystem. Thus, when the filesystem was nearly full (as it of course usually was), the number of du processes would increase almost exponentially.

To address this problem, we first set up automated nightly disk space reports, so that users could check the status without running du. This still did not solve the problem, as the amount of used space could fluctuate dramatically over the course of 24 hours. Users still wanted and needed to run their own du processes throughout the workday.

While adding more disk space would have solved the problem, we are using a large disk array that is already filled to maximum capacity. In general, users tend to fill up all available disk space anyway, no matter how much you give them.

We then developed a policy: users could run du on any directory they owned. In addition, user du processes would be allowed to run for a maximum of one hour of wall time. Users in the wheel group would be exempt from these restrictions.

I was given the task of developing a tool to implement this policy. Some sort of wrapper around the existing du seemed like an obvious choice: the script could validate the input, abort if an invalid path was given, and terminate the du process if it ran too long.
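The policy above (owner-only paths, a one-hour wall-time limit, wheel exempt) can be sketched as a POSIX shell wrapper. This is an added example, not the author's script: the function names, the `SAFE_DU_MAX_SECS` variable and the exit codes 2 and 3 are assumptions, and it relies on GNU coreutils (`realpath -e`, `stat -c`, `timeout`).

```shell
#!/bin/sh
# safe-du sketch: policy checks only; names and exit codes are hypothetical.
MAX_SECS=${SAFE_DU_MAX_SECS:-3600}    # one hour of wall time, per the policy
EXEMPT_GROUP=wheel

# in_exempt_group "<space-separated group names>": true if wheel is listed.
in_exempt_group() {
    case " $1 " in
        *" $EXEMPT_GROUP "*) return 0 ;;
        *) return 1 ;;
    esac
}

# owned_dir PATH UID: print the canonical path if PATH is an existing
# directory owned by UID. Symlinks are resolved first, so a link inside a
# user's own directory cannot point the scan at somebody else's tree.
owned_dir() {
    target=$(realpath -e -- "$1" 2>/dev/null) || return 2   # invalid path
    [ -d "$target" ] || return 2
    [ "$(stat -c %u -- "$target")" = "$2" ] || return 3     # not the owner
    printf '%s\n' "$target"
}

# safe_du PATH [UID] [GROUPS]: UID and GROUPS default to the caller's
# real identity; they are parameters only so the checks can be exercised.
safe_du() {
    uid=${2:-$(id -ru)}
    grps=${3:-$(id -nG)}
    if in_exempt_group "$grps"; then
        du -s -- "$1"                 # exempt users: no owner check, no limit
        return
    fi
    dir=$(owned_dir "$1" "$uid") || return
    # timeout(1) sends SIGTERM at the limit and exits 124;
    # -k 10 follows up with SIGKILL if du ignores it.
    timeout -k 10 "$MAX_SECS" du -s -- "$dir"
}

if [ "$#" -gt 0 ]; then safe_du "$1"; fi
```

The sketch covers only the policy checks; restricting access to the real du so that users must go through the wrapper is a separate problem and is not shown here.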

I wrote a basic bash script in perhaps an hour's time. Then I thought about how to run it, and that is where I ran into trouble. I had thought that I would make the script set user id (setuid) or set group id (setgid) root, i.e. when run by any user it would actually run in the root group. Then, I could change the permissions on the real du so that only root could run it. The result would be that normal users could only access the real du through the wrapper script.

Of course that would make a pretty boring article, and in reality it didn't turn out to be that simple:

Full Story.
