(no subject)

Sep. 2nd, 2015 04:17 pm
phi: (Default)
[personal profile] phi
Hey. So, I have a new address. I emailed people who have sent me snail mail in the recent past, but I fear I may have missed somebody. So who here wants or needs my mailing address?

From the XKCD survey:

Sep. 2nd, 2015 11:04 am
azurelunatic: Teddybear that contains ethernet switch.  (teddyborg)
[personal profile] azurelunatic
When you think about stuff on the internet, where do you picture it being physically located? Even if you know it's not really how things work, is there a place you imagine websites and social media posts sitting before you look at them? If so, where is it?

A heavily air conditioned white room with large racks of equipment and a zillion cables and blinking lights. Some of the equipment is running programs that have been touched by people I know. The room is in a building that has one or two pieces of large construction equipment digging outside, ready to take down both of the redundant connections to the rest of the internet. There is an angry man with no cranial hair and a lot of tattoos with a mallet in a control booth, berating and occasionally beating people who interfere with those connections.


Reading Wednesday

Sep. 2nd, 2015 03:52 pm
naath: (Default)
[personal profile] naath
So I posted whilst away, but in no detail, because I was on my phone. I repeat those records here (so this is "read in the last three weeks"):


that was interesting enough, but not so hugely interesting that I'm desperate to read any of the sequels. In particular it was very annoying the way people were demanding respect just because of who they are, without demonstrating any reason that you might respect them.

Of the October Daye series by Seanan McGuire:
*Late Eclipses
*One Salt Sea (contains mermaids, was reading when saw the little mermaid)
*Ashes of Honour
*Chimes at Midnight
*The Winter Long
*Red Rose Chain (acquired from SF bookstore in Stockholm, lucky me)

Which is me completely caught up! Yay. Not much I can say about the later installments without spoiling the earlier. I find the writing seriously engaging and few of these took me more than 2 days (of vacation, so plenty of time to read) and all were very hard to put down. Now I need to read all the short-fiction... Predictably I love Tybalt best.

*The Philosopher Kings (afterword says author spent much time in Copenhagen national museum, was there when finished reading it) by Jo Walton
Sequel to the Just City, continues amazing.

*Chalion series by Bujold (all 3 novels and Penric's Demon).
I liked these, but not as much as I like Vorkosigan, probably because there's less character-continuity between the books, which makes them flow less well into each other.

*Pocket Apocalypse by Seanan McGuire
this is the latest InCryptid novel, which I waited to get until I could get a UK ebook. As with the previous, it is very good although Riley is VERY ANNOYING and I want to thump him.

Next up:
I think the honest answer to this is "Shepherd's Crown" the last PTerry (*sniff*), although I have a whole bunch of stuff I've bought and not read yet to plow through so lots of choices.

(no subject)

Sep. 2nd, 2015 03:46 pm
naath: (Default)
[personal profile] naath
Died on this day in 1486 aged 80 Guy XIV de Laval (my toy, wikipedia). Father of Jeanne, who married Rene who was the father (by a different wife) of Margaret who married Henry VI. He was a companion of Joan of Arc.

Born on this day in 1243 to Richard de Clare and Maud de Lacy, Gilbert de Clare (my toy, wikipedia). Married Joan who was a daughter of Edward I. In April 1264, Gilbert de Clare led the massacre of the Jews at Canterbury. So I guess he was a vile sort of a person then. Also involved in a bunch of fighting over who got to be King.


Sep. 2nd, 2015 01:55 am
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
[personal profile] synecdochic
Alternity, the Harry Potter RP that's been running for the last seven years, has ended! I've talked about it before and how much I loved it, and now that the game is over, I can reveal that I have in fact been playing in it for the past three years. :) I played Antonin Dolohov, Severus Snape, and Charlie Weasley, and I loved all three of them to death.

(I did not share the fact that I was playing because if you knew I was playing, it became blatantly obvious who I was playing in, like, three seconds flat; both Tosha and Snape are variations on my quintessential character archetype. At least two of you twigged that I was playing just from me recommending the game and then thinking "You know, that sounds awfully familiar." I have a type.)

Alternity has been an amazing collaborative endeavor, and it's been a hell of a solace for me in the past three years as I've struggled with disability eating all my spoons and with meds-induced writing problems (the style of play, deus gratia, managed to bypass a lot of the worst "WHAT IS WORDS"). Even when I haven't been able to give it anywhere near as much attention as I wanted, it's still been fabulous to have that outlet.

If you're interested in reading, the first six years are all available in PDF form on the game's website, as well as much of year 7. (Massive props to [personal profile] zorkian, who sat down and wrote me a Dreamwidth-to-PDF script when I started whining about there not being a good way for people to read the older bits of the game.) The final round of PDFs will be along in a week or so. You can also read it on Dreamwidth by using the 'recaps' tag on [community profile] alt_fen -- each year's recaps are also tagged with the year.

Mad Max: Fury Road, again and always

Sep. 1st, 2015 10:03 pm
sasha_feather: the back of furiosa's head (furiosa: back of head)
[personal profile] sasha_feather
Comparing Mad Max: Fury Road to Snowpiercer. This post contains small spoilers for both films.


"Dream a Little Bigger, Darling."

Sep. 1st, 2015 06:52 pm
emceeaich: A close-up of a pair of cats-eye glasses (Default)
[personal profile] emceeaich

How To Geek decides to retaliate against ad blocking by displaying the site in Comic Sans.

@howtogeek: If you visit http://howtogeek.com with Adblock enabled now, it will switch the font to Comic Sans (desktop only) http://t.co/9316Ag6Y0s

Oh really? Let’s launch FontBook and disable Comic Sans.

Screenshot of MacOS Font Book app showing dialog before disabling Comic Sans.

Then restart Safari, leaving AdBlock installed.

Screenshot of HowToGeek website after disabling ComicSans, and keeping AdBlock on.


But maybe it’s time you reconsidered your business model instead of being rude to people who value their privacy and security.

@KuraFire: @emceeaich You out-How to Geek'ed How To Geek. I think you deserve the Inception award.

(no subject)

Sep. 1st, 2015 11:37 am
staranise: A star anise floating in a cup of mint tea (Default)
[personal profile] staranise
The event is over, but I thought anyone in need of a pick-me-up could use this anyway: The Calgary Humane Society's PRE-OWNED FELINES sale!

Learning to Nurture My Alien Baby

Sep. 1st, 2015 11:45 am
jesse_the_k: Photo of baby wearing huge black glasses  (eyeglasses baby)
[personal profile] jesse_the_k
Alien spore entered my body when I was young. In my teens, it blossomed, crawled out and sunk its pincers into my shoulders. I've been carrying it ever since. This "alien baby"[1] may be easier to recognize as my atypical bodymind, where the goulash of pain and limitation resides.

(no subject)

Sep. 1st, 2015 04:29 pm
naath: (Default)
[personal profile] naath
Died on this day in 1067 aged 55 Baldwin Flanders V, Count of Flanders (my toy, wikipedia). Father of Matilda who married William I. Spent 10 years at war with the Holy Roman Emperor.

Born on this day in 1647 to King Frederick III of Denmark and Norway and Sophie of Brunswick-Luneburg, Princess Anna of Denmark (my toy, wikipedia). Sister of George who married Queen Anne. Anna's marriage was arranged, and not apparently happy. In spite of having met first-hand the downsides of such arrangements she forced her son into a marriage he didn't want... that didn't go so well either.

getting out of the house a bit!

Aug. 31st, 2015 04:37 pm
badgerbag: (Default)
[personal profile] badgerbag
very exciting. I had that poetry reading, then went out again yesterday afternoon to a thing happening in the street (well, in a "parklet") with people alternately ranting, event announcing, and poeting. by the time we were there and I got up to read, I was very tired. Saturday evening I went with the kids to a jazz age murder mystery game. Everyone's outfits were amazing!

I went out to lunch today by myself. Ramen place, looked unpromising from the outside but then it was extremely good.

It is good to be out of the house reliably!

Work OK. I feel more mentally "on" than in the past few weeks. My vision still gets bad by the end of the day. I get disheartened with exhaustion too, but mornings are good again.

Cat still slowly dying of kidney failure and not eating. We are hydrating her twice a day now. I am glad to cuddle her a bit more but it is stressful to deal with her peeing everywhere. Though, I can also do the laundry now more or less.

That's new and I don't want to mess it up! It's been months since I have dared waste my ankles and knees on laundry doing!

Sink still leaking so I have a choice of doing the dishes with the leak or leaving the sink full of smelly dishes for another day. I think it will be towels and bowls under the sink and more laundry. Plumber may or may not come at 8am tomorrow. They are a bit unreliable. (both ones that I called.)

I am going to Paris in early November for work. Looking at maps, feeling excited. It will be an adventure in inaccessibility. But at least, only 5 co-workers, small team meeting, I hope low key. The office is in the 9th arrondissement on a broad street with curb cut sidewalks. Kind of between the opera houses and a lot of fancy department stores. It is very close to a covered passageway or two, sort of an early mall (Jouffrey and Panorama).

Paris is laid out in a clockwise spiral from the center with numbered districts and I read that they are often written in roman numbers on signs. IXeme! As I study the maps I am zooming in to see street level views. I have found some sort of feministy queer space with a zine library.

I got a nice extra bonus at work. I like this place. Bonus!!!!

Getting Fancy with Omnifocus

Aug. 31st, 2015 11:40 pm
compilerbitch: That's me, that is! (Default)
[personal profile] compilerbitch

As some of you may know, but most won’t, I’ve been a user of Omnifocus through various versions for several years now. At a superficial level, it’s a to-do listing app that cloud-syncs across Macs, iPads and iPhones, so your to-do items can follow you from device to device. Integration with Siri on mobile devices also works out nicely, letting you say ‘Siri, remind me to buy the cat a new Ferrari,’ which will automagickally create a reminder to bat the car a new ferrite, or something.

If you look at Omnifocus as ‘just’ a to-do list app, you’re not quite getting the point. For me, I’m way over my head on multiple projects at once much of the time. I literally have so many to do items that it’s impossible to remember them, let alone track them, and am well into the territory that makes a linear list long enough that finding anything isn’t really feasible.

Yes, I’ve read Getting Things Done, by David Allen. I found many of his ideas really interesting, and I think I’m now using most of them.

So what’s this GTD thing all about?

Well, the basic idea is that it isn’t sufficient to just divide your to-do items into projects — rather, you also divide them into contexts, giving you a second view into the mess of items. What’s meant by a project is pretty obvious — something like, ‘Remodel the kitchen’ would be a great example. Individual tasks should be things like, ‘Order a new stove,’ something that is essentially a single thing that needs done that doesn’t break down finer than that. Importantly, tasks should not be split up between personal and work — the system really works best when you glom all of your tasks into it. Contexts indicate where the task is to be carried out (with a loose definition of ‘where’). Email, Home Depot, In The Garage, At Work, etc., are simple examples of contexts. I like to break down both projects and contexts hierarchically. Breaking down projects makes immediate sense, e.g.:

Home : Kitchen Remodel

Work : Project Alpha : Presentations : How to Pickle your Ooblefetzer

Some real(ish) examples of broken-down contexts would be:

Computer : Internet : Facebook

Work : Bldg 123 : Conference Room 6

Computer : Purchasing : Amazon

Outdoors : Mall : Home Depot

Outdoors : Mall : Safeways

What this lets you do is things like deciding to head to Home Depot and then easily pick up a list of everything you need to do while you’re there, even if those things are spread across many projects. That’s the Getting Things Done level. But you can kick it up a notch — if you are going to the mall, you can easily see everything that needs doing under every context that derives from that. Really, GTD and GTD-like systems can’t ever make time where none exists, but they are brilliant at not forgetting things and avoiding wasting time repeating things that didn’t really need to be repeated.

Another thing GTD is awesome at is C. A. R. Hoare’s concept of ‘waiting faster.’ Everyone hates waiting — I’m sure I, like most people, feel like I waste half my life waiting for things: stuff to be delivered, other people to reply to emails, applications to be processed, etc. Tony Hoare (admittedly in the context of the mathematics of concurrent processes, but hey, I’ll steal anything that works!) suggested that by waiting for as many things to happen at once, then acting on whichever one completes first, you end up waiting as little as possible and being as efficient as possible. I use Omnifocus to track everything and everyone I’m waiting on, which means that I don’t need to get stressed out by asking lots of people for lots of things all at once. The difference this makes to my effectiveness is pretty surprising.

Omnifocus also lets you tag every task with your estimate of the time it will take. This takes a bit of work to maintain, but it gives you a very important third route into the data. I use this to create a ‘Fast Attack’ view of my to-dos, which cuts across all my projects and contexts, limited to tasks taking no more than an hour and sorted so that the fastest things happen first. With this, if I’m told I have half an hour before a takeaway shows up, for example, I can rattle off a few emails or update my timesheet or whatever with time I’d otherwise probably spend staring mindlessly at Facebook.

Setting deadlines on tasks is really important. It’s a GTD principle, but Omnifocus does this really well. You can defer a task, which means that it will be hidden until a specific date and time, or set a due date, which will start warning you when it’s coming up and nag you when the date has passed. From personal experience, I have learned only to ever set due dates when there really is a due date for the task — if I ever get carried away and start creating a schedule for myself, all that happens is that everything gets out of hand and nothing really gets done, and I’m too scared to open OmniFocus because there are 58 red tasks staring me in the face. No, don’t do that. If it’s something like a paper that’s due on a particular date and time, go for it. That’s what this is for. But don’t ever use due dates when there isn’t really a hard deadline, or you’re missing the point of the system. Omnifocus has some very nice features for creating repeating tasks — I can, for example, have it remind me to suggest going to see a film. If I check this off, the reminder goes away for 2 weeks, then starts popping up again. The other kind of repeating tasks have a hard interval, so I have reminders to submit my time sheets, do my weekly and monthly reporting, pay my rent, etc.

Omnifocus implements GTD’s recommendation to regularly review your task lists. You can set, per task, an interval over which you want to review everything. Some people like to set this to 1 week, but I actually like to do it daily. If I don’t have time, it can wait until tomorrow, but going through my task lists even very cursorily once a day, ruthlessly putting projects on hold if I can’t work on them yet, deferring tasks until later when I can, fixing things up as plans change, is really the only way I can keep everything on track.

So far, this is all standard(ish) Omnifocus and GTD. I have some of my own tweaks and brain-hacks, however.

My Omnifocus Kanban hack

One other feature I’ve had a love/hate relationship with in Omnifocus is flags. You can flag an item, which visibly shows its importance, and can be sorted against or shown in its own query. I find this psychologically bad — if I have flagged items, it stresses me out, and I also don’t necessarily make good decisions about what to work on if something is nagging at me. Flags are an invitation to procrastinate, in my opinion. Instead, I abuse the flag system for something completely different — Kanban. The Kanban idea comes from manufacturing, where the idea is that you have a table with (nominally) 3 columns — the left column is things to do, the right column is things that are completed and the middle column is things that are in progress. So much so obvious, but Kanban’s magic special sauce is that only a fixed number of things at most are allowed into the middle column at once. The idea is that this stops manufacturing processes from getting gridlocked or producing lots of stuff that isn’t really needed yet. Omnifocus doesn’t really support Kanban, but it’s possible to abuse the flag system for it. Basically, if something isn’t flagged, it’s in the ‘left’ column. If it’s flagged, it’s in the middle column. If I’ve already checked it off, it’s in the right column, logically speaking, though I never actually get to see something that looks like a traditional Kanban board. So basically, I let myself flag 3 to 5 things I’m ‘doing’ at once. Even this is really too many, but what it does is give me a one button view of the stuff I Really Am Getting On With Right Now. My ‘Fast Attack’ query covers all the little faffy short tasks that aren’t really even worth flagging because they get done really quickly anyway. Between those two, and just these two, I know what I should be doing, and don’t forget anything.
Psychologically, this really helps, because these lists never have more than 4 or 5 items in the Flagged/In Progress view and maybe a couple of dozen in the fast attack view, so it doesn’t get overwhelming.

The Input/Output Hack

This one is due to me personally as best I can tell. I had 3 or 4 false starts implementing GTD which kind of worked but always ended up failing. In a couple of cases, the amount of stuff just got out of hand and I couldn’t really cope with it, to the point that the system just fell apart. In a couple of cases, it worked so well that I ran myself into physical exhaustion that took weeks to recover from. This is the most recent version of my personal system that, so far, seems to be working really well for me.

I have a very strong work ethic. In work time I tend to do work stuff. That means that I tend to prioritize things that I need to deliver to someone or do for someone extremely highly, to the extent that this dominates. In extremis, I’ve found myself working crazy hours on a project and literally only eating, sleeping or doing work directly on that project, never allowing myself to prioritize anything else. As a consequence, I tend to build up what I have come to call infrastructure debt. By never really allowing myself time to build infrastructure — to do the things that you need to do that allow the things to get done, I’m always way more stressed than is OK, and tend to be cobbling together ways of working rather than having everything to hand. It occurred to me that I needed a brain hack to fix this, and it was going to take something like Omnifocus to pull it off. Thing is, I have no difficulty figuring out what needs done to put all this infrastructure in place, it’s just that, normally, I was not allowing myself to spend any time on it. The mythical ‘free time’ never actually occurred, because I was either working or flat out exhausted.

Here’s the hack. I think it’s pretty cool.

I now divide all my projects, without exception, into the following four categories:

  1. Always. These are the things that always need to be done, regardless, because a wheel will fall off my life if they don’t. This includes things like paying the rent, regular paperwork that can’t be delayed, etc. This category should be used very sparingly.

  2. Recreation. Things I would like to do when I need to switch off. I list things like, go see a film, go to the beach, watch Netflix, etc. Stuff that gets done both when my brain is turned off and in order to cause my brain to switch off. I don’t include personal projects in this list, because personal projects are still work within this system. By way of an example, I might have something in this category like, ‘Go play music for a couple of hours,’ but definitely wouldn’t have something like, ‘Finish mastering those last 3 tracks for my next album.’ The decision is brain off or brain on, basically.

  3. Output. An output task is something that is directly needed. These are ‘day job’ tasks, as well as any chores that are an end in themselves rather than enabling something else. Effectively, these are all the tasks I used to obsessively work on to the exclusion of all else. Output tasks create infrastructure debt because they need to be supported.

  4. Input. An input task is something that isn’t directly needed, but that builds the infrastructure necessary to support an output task. Input tasks by definition pay down infrastructure debt. An input task would be something like, install a new piece of equipment, tidy up the lab bench before a new project starts, order and install some shelving from Home Depot to support a remodeling project, etc.

These are the four folders at the top of my project hierarchy. Work projects mostly go into Output. Personal projects that create something also go into Output. Stuff I need to do so that I can effectively work on Output tasks goes into Input. I can use the perspectives feature in Omnifocus (Pro version only, but well worth the $$$) to create myself a set of 3 buttons:

  1. Rest Day. This shows recreation tasks, plus any Always tasks that are currently due.

  2. Output Day. This shows all my Output tasks, as well as any Always tasks.

  3. Input Day. This shows all my Input tasks, as well as any Always tasks.

So basically, on a morning, I can decide. Am I exhausted? Then I should click Rest Day, use that as a suggestion for something to do and a reminder of things that Must Get Done Or Else. If I’m feeling really ‘On’, I’ll click Output Day, which houses the tasks that typically need the most braining. If I’m kind of in the middle, not really feeling focused enough for detailed work, I’ll click Input Day, whose tasks tend more toward the physical. My work ethic guilt makes it hard to hit anything other than Output Day, but I know the consequences of that all too well. In all cases, if I decide to do a task that’s really brief, I’ll do it and just check it off. If it’s something more substantial (more than an hour typically), I’ll flag it and add it to my Kanban-hack-repurposed Flagged list — by keeping this list to no more than 3 – 5 items, it stops me from being overambitious and running myself into the ground with overwork. Also, I know I really suck at multitasking, so the best hack for dealing with that is to only do things one at a time, which is kind of the point of all this.

Summarizing my System

To sum up, the way I work this is each morning, with my coffee, I generally do a daily review of all my tasks, so by the end of that I have checked off anything I missed and have a pretty good idea where I’m at. I mercilessly put projects on hold if I can’t work on them because I’m waiting for something — this is key to keeping things manageable, as is using Defer to throw something forward in time to pick up on again later. By looking at my Flagged/In Progress button, I can remind myself what I’m in the middle of, and add one or two more things to that list from my Input or Output perspectives. If I have a few minutes to spare, I can use my Fast Attack perspective to kick out a few emails or whatever. I capture new tasks straight into Omnifocus wherever possible, but I do heavily use the ability to create tasks via email otherwise, then I file that task appropriately next time I do a review.

Right now, I have 3 concurrent major projects, a fourth semi-unpaid work project, a musical personal project, social stuff and other stuff I wouldn’t mention here all going on at once, and amazingly it’s not really stressing me too much and I’m pretty much staying on top of it all. Considering that I am someone who always regarded themselves as really sucking at this kind of being-organized, this says a lot.


YMMV. IANAL. I am not your mother. GTD doesn’t work for everyone, particularly if you don’t have much leeway in organizing your time. GTD has a cultlike following, for sure, but I’m not a true believer — I junked it several times before hitting on this approach, particularly the Input / Output hack. I am not inherently awesome, and do screw up sometimes.

Please note: this was cross-posted from my main blog at http://www.mageofmachines.com/main/2015/08/31/getting-fancy-with-omnifocus/ -- If you want me to definitely see your replies, please reply there rather than here.

#GTD/Omnifocus, #MoMBlog, #Musings

monday just keeps rolling around

Aug. 31st, 2015 06:36 pm
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
[personal profile] synecdochic
Mondays, every week, let's celebrate ourselves, to start the week right. Tell me what you're proud of. Tell me what you accomplished last week, something -- at least one thing -- that you can turn around and point at and say: I did this. Me. It was tough, but I did it, and I did it well, and I am proud of it, and it makes me feel good to see what I accomplished. Could be anything -- something you made, something you did, something you got through. Just take a minute and celebrate yourself. Either here, or in your journal, but somewhere.

(And if you feel uncomfortable doing this in public, I've set this entry to screen any anonymous comments, so if you want privacy, comment anonymously and I won't unscreen it. Also: yes, by all means, cheer each other on when you see something you want to give props to!)

let's plant a tree

Aug. 31st, 2015 01:42 pm
sasha_feather: white woman in space suit (Astronaut)
[personal profile] sasha_feather
My breathing was crappy yesterday due to wildfire smoke coming in from the West. The sky was gray and hazy at 5 pm and the sun was orange. Today seems a bit better.

The internet still randomly cuts out on me, but the good news is the upstairs neighbor wants to share so at least it isn't costing us as much.

Trees are being cut down in our neighborhood; I think they are Ash trees, at risk from Emerald Ash borer.

Have a Teen Wolf Rec!

Electricity in the Contact by ladyblahblah

Derek/Stiles, Pretend Relationship, 27K.

One thing I loved about this story is that in their pretend relationship-- which is for the benefit of making Derek appear less vulnerable at a werewolf event-- Derek and Stiles have safe words which they use to express their discomfort with something in front of others who are not in the loop. Then they go away in private and discuss the thing. It's a very healthy approach to a pretend relationship! Heh. I loved this story.

Working with the kernel keyring

Aug. 31st, 2015 01:18 pm
[personal profile] mjg59
The Linux kernel keyring is effectively a mechanism to allow shoving blobs of data into the kernel and then setting access controls on them. It's convenient for a couple of reasons: the first is that these blobs are available to the kernel itself (so it can use them for things like NFSv4 authentication or module signing keys), and the second is that once they're locked down there's no way for even root to modify them.

But there's a corner case that can be somewhat confusing here, and it's one that I managed to crash into multiple times when I was implementing some code that works with this. Keys can be "possessed" by a process, and have permissions that are granted to the possessor orthogonally to any permissions granted to the user or group that owns the key. This is important because it allows for the creation of keyrings that are only visible to specific processes - if my userspace keyring manager is using the kernel keyring as a backing store for decrypted material, I don't want any arbitrary process running as me to be able to obtain those keys[1]. As described in keyrings(7), keyrings exist at the session, process and thread levels of granularity.

This is absolutely fine in the normal case, but gets confusing when you start using sudo. sudo by default doesn't create a new login session - when you're working with sudo, you're still working with key possession that's tied to the original user. This makes sense when you consider that you often want applications you run with sudo to have access to the keys that you own, but it becomes a pain when you're trying to work with keys that need to be accessible to a user no matter whether that user owns the login session or not.

I spent a while talking to David Howells about this and he explained the easiest way to handle this. If you do something like the following:
$ sudo keyctl add user testkey testdata @u
a new key will be created and added to UID 0's user keyring (indicated by @u). This is possible because the keyring defaults to 0x3f3f0000 permissions, giving both the possessor and the user read/write access to the keyring. But if you then try to do something like:
$ sudo keyctl setperm 678913344 0x3f3f0000
where 678913344 is the ID of the key we created in the previous command, you'll get permission denied. This is because the default permissions on a key are 0x3f010000, meaning that the possessor has permission to do anything to the key but the user only has permission to view its attributes. The cause of this confusion is that although we have permission to write to UID 0's keyring (because the permissions are 0x3f3f0000), we don't possess it - the only permissions we have for this key are the user ones, and the default state for user permissions on new keys only gives us permission to view the attributes, not change them.

But! There's a way around this. If we instead do:
$ sudo keyctl add user testkey testdata @s
then the key is added to the current session keyring (@s). Because the session keyring belongs to us, we possess any keys within it and so we have permission to modify the permissions further. We can then do:
$ sudo keyctl setperm 678913344 0x3f3f0000
and it works. Hurrah! Except that if we log in as root, we'll be part of another session and won't be able to see that key. Boo. So, after setting the permissions, we should:
$ sudo keyctl link 678913344 @u
which ties it to UID 0's user keyring. Someone who logs in as root will then be able to see the key, as will any processes running as root via sudo. But we probably also want to remove it from the unprivileged user's session keyring, because that's readable/writable by the unprivileged user - they'd be able to revoke the key from underneath us!
$ sudo keyctl unlink 678913344 @s
will achieve this, and now the key is configured appropriately - UID 0 can read, modify and delete the key, other users can't.

This is part of our ongoing work at CoreOS to make rkt more secure. Moving the signing keys into the kernel is the first step towards rkt no longer having to trust the local writable filesystem[2]. Once keys have been enrolled the keyring can be locked down - rkt will then refuse to run any images unless they're signed with one of these keys, and even root will be unable to alter them.

[1] (obviously it should also be impossible to ptrace() my userspace keyring manager)
[2] Part of our Secure Boot work has been the integration of dm-verity into CoreOS. Once deployed this will mean that the /usr partition is cryptographically verified by the kernel at runtime, making it impossible for anybody to modify it underneath the kernel. / remains writable in order to permit local configuration and to act as a data store, and right now rkt stores its trusted keys there.
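The permission-denied behaviour described in the post follows directly from how the kernel combines the four fields of a key's permission mask. The following is an added example (not code from the post, from CoreOS or from the kernel): it decodes a keyctl mask such as 0x3f010000 into possessor/user/group/other rights, models the selection rule the kernel applies (owner field, else group field, else other field, with possessor rights OR'd on top), and replays the sudo scenario from the post with constructed uid/gid values. The caller and key types, and the "possesses" flag, are simplifications assumed for illustration.

```python
"""Decode Linux kernel keyring permission masks and replay the sudo scenario.

Added example, not part of the original post. Mask layout follows keyrings(7):
four 6-bit fields (possessor, user, group, other), each holding the rights
view/read/write/search/link/setattr. The selection rule mirrors the kernel's
key_task_permission(): possessor rights are additive with the others.
"""
from dataclasses import dataclass

# Rights within one 6-bit field (values from keyrings(7)).
RIGHTS = {
    "view": 0x01, "read": 0x02, "write": 0x04,
    "search": 0x08, "link": 0x10, "setattr": 0x20,
}
# Bit offset of each field inside the 32-bit mask.
FIELDS = {"possessor": 24, "user": 16, "group": 8, "other": 0}
FIELD_MASK = 0x3f


def decode_perm(mask: int) -> dict:
    """Split a keyctl mask (e.g. 0x3f010000) into {field: set(rights)}."""
    decoded = {}
    for field, shift in FIELDS.items():
        bits = (mask >> shift) & FIELD_MASK
        decoded[field] = {name for name, bit in RIGHTS.items() if bits & bit}
    return decoded


@dataclass
class Caller:
    uid: int
    gid: int
    possesses: bool  # key reachable from a keyring this process possesses


@dataclass
class Key:
    uid: int
    gid: int
    perm: int


def allowed(key: Key, caller: Caller, right: str) -> bool:
    """Return True if `caller` holds `right` on `key`.

    Field selection as in the kernel: the user field if the caller owns the
    key; otherwise the group field if the caller is in the key's group and
    that field is non-empty; otherwise the other field. Possessor rights are
    then OR'd in, which is why possession matters so much under sudo.
    """
    if caller.uid == key.uid:
        kperm = key.perm >> 16
    elif caller.gid == key.gid and (key.perm >> 8) & FIELD_MASK:
        kperm = key.perm >> 8
    else:
        kperm = key.perm
    if caller.possesses:
        kperm |= key.perm >> 24
    return bool(kperm & FIELD_MASK & RIGHTS[right])


def replay_sudo_scenario() -> dict:
    """Replay the post's sequence with constructed uids (0 = root, 1000 = user)."""
    # Under sudo the effective uid is 0, but the session keyring (and so
    # possession) still belongs to the unprivileged login user.
    root_via_sudo = Caller(uid=0, gid=0, possesses=False)
    root_user_keyring = Key(uid=0, gid=0, perm=0x3f3f0000)  # @u default
    fresh_key = Key(uid=0, gid=0, perm=0x3f010000)          # new-key default
    # After "keyctl add ... @s" the key hangs off a keyring we do possess.
    root_possessing = Caller(uid=0, gid=0, possesses=True)
    unprivileged = Caller(uid=1000, gid=1000, possesses=False)
    return {
        # "keyctl add ... @u" needs write on the keyring: user field is 0x3f.
        "add_to_u": allowed(root_user_keyring, root_via_sudo, "write"),
        # "keyctl setperm" needs setattr on the key: user field is view only.
        "setperm_via_u": allowed(fresh_key, root_via_sudo, "setattr"),
        # Same key reached through @s: possessor field (0x3f) applies.
        "setperm_via_s": allowed(fresh_key, root_possessing, "setattr"),
        # After the final setperm 0x3f3f0000, other users still get nothing.
        "other_user_reads": allowed(Key(0, 0, 0x3f3f0000), unprivileged, "read"),
    }


if __name__ == "__main__":
    for field, rights in decode_perm(0x3f010000).items():
        print(f"{field:>9}: {sorted(rights) or '-'}")
    for step, ok in replay_sudo_scenario().items():
        print(f"{step:>17}: {'allowed' if ok else 'permission denied'}")
```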


tim: Tim with short hair, smiling, wearing a black jacket over a white T-shirt (Default)
Tim Chevalier
