Skip navigation

Monthly Archives: January 2013

The school I work at has a dedicated wifi network for student use, along with networks for guests and faculty/staff/laptop carts. In order to join any network other than our guest wifi, your device’s MAC address must be in our system and associated with the right SSID, and in order for students to get their MACs in the system, they (and their parents) have to sign an Acceptable Use agreement which states that they have read and understand sections of the student handbook concerning cyber-bullying, appropriate content and use, etc.

This document is easily available. It can be downloaded from the student and parent portals. It can be found in the student handbook itself, a copy of which I assume all students have at least seen at some point in their lives, whether or not they’ve actually read the thing. Once they’ve had the form signed once, they never have to touch the thing again.

And yet, there seems to be a sizable contingent of students who can’t be bothered to get the form signed.

The problem is that our guest network is only secured with a password. The official policy is that the guest network is only for guests, and faculty and staff are not to give the password out to students, but, as many students will attest, there are many members of the faculty who are all too willing to give the password out to students they trust. Of course these are middle and high school students, and no matter how much you trust them, they’re still going to give the wifi password to at least one of their friends, and there’s no expectation of secrecy at that point. If one student has the wifi password, every student who wants it will be able to get it.

What’s the big deal, though? Can’t I just change the password?

Well, yes, but we have sixteen access points on campus, and because we don’t have a wireless controller unit, they have to be managed individually. If I’m especially speedy, I can get the password changed on all of them in about twenty minutes, and even if it’s a good policy to change such passwords regularly, it’s a bit silly to have to change it twice in three days. That’s most of an hour that I could better spend doing other things.

When I brought this up with my partner, she suggested a change to the network policy that I like more every time I think about it. Any member of the faculty or staff who gives out the guest wifi password to any number of students will, on their first offense, owe the sysadmin (that’s me) lunch. On the second offense, they will owe the sysadmin lunch and a pan of brownies. Every subsequent offense will be worth one pizza party for the entire tech office.

While I work to make this an official policy (and try to figure out a way to police it so I can actually claim those lunches), I suggest that anyone who is in a similar situation (one in which non-compliance with a stated or written policy causes otherwise unnecessary drudgery for one or more people) try to institute such a policy themselves, and if you figure out a good way to police it, please let me know in the comments.

Advertisements

Shell scripting!

I’ve been coding off and on in a number of different languages (around seven by my count) since I got my first graphing calculator back in 1999, but I’d never written a shell script before today. I mean, yes, I’d copied other people’s shell scripts from the internet when it’s suited me, but I’d never written my own before.

That all changed today when I was reading an article in Scientific American on the subject of internet comment threads. In the article, the author mentions the concept of disemvoweling trolls, which struck me as a good thing to automate. Thus, my first shell script was born.

I’ll give you the code in a moment, but before I do, in debugging the program (who would have thought that you needed to debug two lines of code?), I learned something useful: when writing shell scripts, your variable names should not have trailing whitespace before the = or they will not be seen as variables (something that will take some adjusting to for me, since aesthetically I prefer to have whitespace surrounding my equals signs). Maybe I should have twigged that something was off when Vim didn’t turn my variable a different color when I initialized it, but I’m new to this, so give me a break.

And now, the script (well commented and maybe not as elegant as it could be, but, again, it’s my first time, so give me a break):

#!/bin/bash

# This script will disemvowel its input and feed it into a new file

# Create a disemvoweled version of the file being read
DSMVLD=dsmvl.$1

# Disemvowel file with sed and feed into new file
sed -e 's/[AEIOUaeiou]//g' $1 >> "$DSMVLD"

Of course, I could easily make it so this could to batch disemvowelment, butI can always do that later if I actually see the need to disemvowel more than a few files at a time.

If you want and if you can, feel free to share your first scripts, or any fun scripts you’ve written in the comments.

Don’t get me wrong, Vim is very powerful and well worth knowing if you’re going to spend any time at all on the command line, but I’m far from an expert. You could read the man page, sure, but Vim is one of those things you need to learn by using it.

Here are two resources, the first platform-independent.

The Interactive Vim tutorial

On Linux, you can also just type in vimtutor on the command line. If you get an error and you didn’t mistype the command, you’ll probably need to install a couple of packages. On Ubuntu, run the following:

sudo apt-get install vim vim-runtime

Now go learn some Vim.

:wq

What have I been puzzling over on and off for the last few weeks? Enabling AirPlay discovery across VLANs.

The school I work at has been deploying Apple TVs to a lot of classrooms in the last several months, initially to solve a problem that Apple themselves had caused with buggy firmware for the Thunderbolt ports on their new MacBooks. Our teachers rely a lot on projectors, and the fact that around 30 of our teachers were suddenly unable to project from their brand new computers caused a huge problem. Enter Apple TV. The fact that you can use an Apple TV to mirror your computer’s display wirelessly was a huge hit with a lot of teachers who were tired of having to plug and unplug cables every time they wanted to put something up on the projector. Of course, the introduction of around 30 Apple TVs was not without its problems as well, especially as our wireless network started taking a hit from all the added traffic, especially when teachers wanted to stream video from their computer (over wireless) onto the Apple TV in their room (never mind the fact that Apple TVs have Netflix, Youtube, and Vimeo apps installed which would allow users to cut out the middleman of the computer).

Along with the influx of Apple TVs has come a wave of iPads and a lot of smart people thinking about educational uses for iPads.

Now all of this is great, and a lot of the kinks have been worked out or are being worked out by getting the Apple TVs hooked up to ethernet ports rather than going over the wire and by trying to figure out who still needs Apple TVs since the release of Apple’s Thunderbolt firmware 1.1 update, which solved the problem that got us so many Apple TVs in the first place. The big problem now is figuring out how to make our Apple TVs available to guest presenters during conferences and the like.

Our network is split up into several VLANs based on function, with students and faculty on networks that have their access controlled by a RADIUS server that looks at MAC addresses. We also have a WPA2-secured guest network for guests (duh). For individual guests who need access to functions on the access-controlled networks, it’s not too difficult to put their MAC in the system temporarily and remove them again when they leave, but that becomes impractical with high volumes of guests on campus. Logistically, it’s just too difficult to collect a thousand MAC addresses or even just a hundred for all the presenters at a conference, let alone spending the time, even with a script automating the process, to add and later remove all these clients from our RADIUS server.

Now if things were simple, we could just put a temporary hole in the firewall to allow traffic between the guest network and the network that has our Apple TVs on it. Unfortunately, Apple, in their desire to make everything as simple as possible, uses Bonjour (their implementation of multicast DNS) to make AirPlay-capable devices work together with almost zero user-intervention. Bonjour advertisement and discovery messages go out over link-local multicast, making it impossible, at least in an IPv4 setting, to ever get them out beyond Layer 2.

So what’s the solution?

Avahi.

Avahi is a FOSS implementation of mDNS that can, with the flip of a boolean switch in its config file, can reflect Bonjour packets between subnets.

I’m still reading through documentation and seeing how Avahi can be implemented in our network with as little extra strain to the infrastructure as possible, but in the mean time, here are a couple of articles touching on the subject from packetmischief.ca and Prolixium dot com.

A little gem I learned today when needing to get a file from a remote system that I’d sshed into onto my local machine so that I could manipulate it while offline: the scp command.

There are a lot of switches for scp, but if you’re trying to get a file to or from a remote machine, or even between two remote machines, both of which you are able to ssh into, here’s the syntax:

scp -P 22 [user@source.machine.address.if.remote:]/directory/of/file/to/copy [user@target.machine.if.remote:]/target/directory

In the above example, the -P flag is indicating the port (in this case, we’re using port 22 because we’re logging in using ssh).

If you’ve typed everything correctly, you’ll then be prompted for the password of the user at the remote machine (or the first one, if you’re moving files between two remote machines). After entering everything correctly, you should see a new line indicating the current file being transferred, the percentage transferred (this will update live), number of bytes transferred, transfer speed, and elapsed time. If you’re just copying a small text file, this will flash by faster than you can really comprehend, and you’ll be deposited back at the command prompt before you know it.

If you’ve ever sat in front of a computer giving you one of those dreaded “no network connection” messages, you’ve probably clicked everything that looks like it might bring the Internet back at one point or another, and in your quest for connectivity, you’ve probably run across the term “subnet mask” at least once. If you don’t know a lot about networking, subnet masks might look kind of intimidating. I mean, there’s a lot of numbers and dots going on there.

A typical subnet mask that you’re likely to encounter in a home network should look like 255.255.255.0 unless whoever configured the network did something unusual. If you’ve encountered subnet masks at your office, they might look like 255.255.0.0 instead, but those are just typical subnet masks. Your mileage may vary.

So what the hell is a subnet mask, anyway? To put it simply, a subnet mask tells your network if traffic is going around locally or if it needs to go out onto a wider network.

Let’s break that down a bit more. At its heart, every IP address is a 32-bit binary number. Let’s take an IP address that most people have seen if they’ve ever set up a home wireless router; 192.168.0.1 is 11000000.10101000.00000000.00000001 in binary (though the dots are just there for us silly humans to see so that we can comprehend what we’re seeing). This address has a subnet mask of 255.255.255.0 (which is 11111111.11111111.11111111.00000000 in binary or, as the computer sees it, 11111111111111111111111100000000). Now if you or I were on this network and went looking for the address 192.168.0.42, it’s as plain as day that it’s on the same network and subnet, but a computer has to hold the address up against its assigned subnet mask and does a bit of binary math on it.

If you’re not familiar with the logical/binary AND operator, all you need to know is that it takes two one-bit binary arguments (a 1 or a 0) and compares them. If you pass in two 1s, you get back a 1, otherwise, you get a 0. Therefore, if you AND an address against a subnet mask, you will get back the network ID (in the case of the example I’ve been using, that’s the first three octets–192.168.0) followed by zeroes for the client ID. If the network ID of the address in question matches the address the traffic is coming from, then the system knows the traffic is local, otherwise, it needs to go outside of the local network.

I know what you’re saying right now–this is obvious stuff–why would I need to know about subnet masks? Well, if you’re dealing with simple networks, you mostly don’t. However, if you’re interested in splitting up your network into several subnets or VLANs (Virtual Local Area Networks). Let’s say that we have a network what starts at 192.168.8.0 and we want to split it into several subnets, say to isolate network traffic between an administrative office and a public segment of your network. The base network is 192.168.8 /24 (the /24 indicates the number of bits in the subnet mask). Let’s split that into two networks. To do that, we add 1 bit to the subnet mask, making it /25 and creating two subnets with address ranges of 192.168.8.1 - 192.168.8.127 and 192.168.8.128 - 192.168.8.254 (the 0 and the 255 addresses in the last octet are reserved addresses).

Now if you look at two addresses for traffic on this network, it becomes a bit harder to tell which subnet traffic belongs to. (Of course in this example, it’s still easy to tell, but bear with me; I didn’t want to make more subnets.) Your subnet mask is /25, which is 25 1s and seven 0s totaling 32 bits. AND that subnet mask against your target address and presto! There’s your answer.

Now you know, and knowing is half the battle.

If you’ve spent any amount of time in the terminal, you’ve probably had to look up some specific function of a command–if you’re like me and basically self-taught in the ways of Linux, you’ve probably spent a lot of time with man pages. If you’re like me, you probably also never knew that there are switches, though I suppose options is the more correct term on Linux systems, to go along with man.

Running man with the -k option (or --apropos) is something I wish I’d known about long ago. man -k, which has the same function as the apropos command (which I also wish I’d known about long ago) allows you to look up a command when you know what you want to do, but don’t know the command name. Simply type man -k followed by your search term to pop up a list of commands whose names or synopses match what you’re looking for.

In the case that you know the name of a command–maybe you heard some wizards tossing it around–but don’t actually know what it does and don’t want to read through the whole man page, there’s an option for that, too. man -f or whatis will give you the synopsis of the command. Now you don’t have to wonder anymore.

Finally, if you want to read up on a command but don’t want to spend any more time in front of a computer screen, there is a way for you to print out man pages. Using the -t option in conjunction with some things I don’t fully understand yet, you can send a man page to a printer or, if you do want to read off a screen after all, you can make a PDF version of a man page. The commands for this are man -t grep | lpr -P [some printer set up on your system] to print and man -t nslookup > nslookup.ps && ps2pdf nslookup.ps && rm nslookup.ps to create a PDF.

Soon, I will have a better understanding of what those last things I just typed mean, but I thought they were too interesting to pass up right now.

I’ve been using Linux casually for a number of years now running several Ubuntu variants, and I would put myself firmly in the category of self-taught user.  I’m comfortable using the command line, and there are a number of tasks that I would rather use it for than go through a GUI.  There are also some tasks I perform regularly at work that require me to use the command line, and I rarely flinch at diving into commands if that’s what I need to do to get a job done, but some of the more advanced things I’m doing I’ve learned by rote memorization.

I read the man pages a lot when I want to figure out how to do something, but those don’t always have examples, and sometimes there are things that a command can do that I didn’t know about.

Wildcards

I know about wildcards insofar as I know they exist, and most of the time I can remember that * means any character (including no characters at all), but ask me what ? means or how to use square brackets, and I may just plead the fifth.

So.  The ? wildcard.  It stands in for any one character.  Given a list of files:

butts.txt
butts1.rtf
butts2.rtf
butts3.rtf
walrus.jpg
narwhal.png

The code rm butts?.rtf would match butts1.rtf through butts3.rtf but wouldn’t touch butts.txt, walrus.jpg, or narwhal.png.

The [] wildcard matches a set of single characters (for example [23]) or a range of characters separated by a hyphen (such as [5-9]).

If I wanted to get at those other files without touching the rich-text files, I could use rm [a-z].* where the [a-z] will get any lowercase words not separated by capital letters, underscores, hyphens, etc. The . is just that–there’s nothing special, it just means that after that sequence of lower-case characters, the next expected thing is a dot. After that, there’s the * wildcard, which means anything. In the above example, then, butts1.rtf et al won’t be touched because after the string of letters, the next thing expected is a dot, not a number.

It’s worth noting that in the above example, if there had been a file named tricky.example_7.txt in the same directory, rm would have gotten that one, too, because of that * wildcard, which says “anything is game.”

Some Switches for ls

Recursion. If you’ve ever take a programming class, you’ve probably encountered the term before. For the ls command, recursion, signified by the -R switch, not only lists all files in a given directory, but also lists all files in every subdirectory and so on down the line. Turtles all the way down!

The other useful switch I want to talk about, because it’s one that I just recently came to fully understand, is the -l switch (that’s a lowercase L, not a one–that does something different), which lists, among other things, file permissions and ownership. Let’s look at a couple of examples from life, shall we? Below are a couple of examples of the output from running ls -l on a directory on my closest Linux box.

drwxrwxr-x 4 hilary hilary 4096 Sep 12 15:29 A+
-rw-rw-r-- 1 hilary hilary 1580414 Mar 8 2012 LFS-BOOK-7.1.pdf

There’s a lot of stuff going on there, right? Let’s start from the right and move left, just to be contrary. On the far right, we have the name of the file (on Linux systems, everything is a file, even directories). Next, we get the time and date that it was last modified. Moving left again, we see the size of the file in bytes. Since the top entry is a directory, we see how much space is taken up by the list of files the directory points to, in the bottom entry, we see that it’s a large PDF document. Left of that we have (moving from right to left still) the file’s group and its owner. Following that, we have a number. In the case of directories, this number tells you how many items the directory contains, and in the case of files, the number of hard links that exist for that file (I’ll cover hard links at a later time when I have a better understanding of them myself). Finally, we have a possibly confusing string of letters that tell you about the file’s type and permissions. Starting from the left of that string, the first character tells us what the file is. Regular files and executables are both indicated by -, a d tells you that it’s a directory, l is for link, s for socket, b for block device, c for character device, and p for named pipe.

After that information, you get the permissions for, from left to right, the file’s owner, the file’s group, and everyone else on the system. In the case of A+ we see that it’s a directory, and I, the owner, have r read, w write, and x execute permissions. The file’s group has the same permissions, and everyone else in the world of this system has read and execute, but not write. Given the above information, you should be able to suss out that the bottom file is a regular file to which the owner and group have read and write permissions, and everyone else has read only.

So what does it mean to have execute permissions on a directory? For directories, the execute permission means that a given user has the ability to access files within that directory for the purpose of running commands that access or otherwise use them.

That’s it for this time. Check back in next time for who knows what.