Patch ShellShock Vulnerability

ShellShock is a Bash vulnerability that allows bypassing environment restrictions in certain environments by passing crafted environment variables to Bash. See Ubuntu Security Notice USN-2363-1, and for a more detailed description, CVE-2014-7169.

This Bash bug is potentially bigger than the Heartbleed bug, because Bash is usually the user's default shell, and many commands also spawn Bash to execute. See this answer http://askubuntu.com/a/528102 from StackOverflow.

Running the following command will determine whether the system is vulnerable: if the output contains the word "vulnerable", Bash is unpatched.

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Source: http://t.co/nfDCUdRnb5

Luckily, this is relatively easy to patch. A simple apt-get update && apt-get upgrade will install the latest security fix for Bash. For example, this is a patched Bash version:

$ bash --version
GNU bash, version 4.2.25(1)-release

This is for Ubuntu 12.04 LTS. If you are running Ubuntu 14.04 LTS, you have to upgrade to Bash 4.3-7ubuntu1.3.

Defining Correct Environment for CoffeeScript in Cron

I have written a bunch of CoffeeScript scripts that I would like to run regularly. Cron is certainly the right choice in many situations.

The default executable search path (PATH) recognized by cron is limited:

* * * * * echo $PATH > /tmp/log/cron.log

This cron job will recognize the following path:


However, the Node.js executable is usually located at:

$ which node

Therefore, if you attempt to run a cron job:

* * * * * node -v > /tmp/log/cron.log 2> /tmp/log/cron.err.log

It will return an error because the executable is not found:

/bin/sh: 1: node: not found

The easiest way to solve it is by specifying the fully qualified path:

* * * * * /usr/local/bin/node -v > /tmp/log/cron.log

To ensure the executable is installed, we can check that the file exists and is executable before launching it:

* * * * * test -x /usr/local/bin/node && /usr/local/bin/node -v

But when working with CoffeeScript, the same method does not work:

* * * * * /usr/local/bin/coffee -v 2> /tmp/log/cron.err.log

because the CoffeeScript binary (coffee) uses the following shebang line:

#!/usr/bin/env node

which does not specify a fully qualified path to node, and will result in:

/usr/bin/env: node: No such file or directory

We could compile the CoffeeScript into JavaScript and run it with the fully qualified node executable, but this is not necessary. Since we are using a Debian-based system, which uses Vixie cron, environment variables can be defined in the crontab. We can make cron aware of the custom path by setting PATH on the command line itself, where the shell expands $PATH:

* * * * * PATH=$PATH:/usr/local/bin coffee -v > /tmp/log/cron.log

Now the executable search path includes the directory where both the node and coffee commands reside.

We can also move the assignment to its own line. But cron is not a shell and does not expand variables there, so you have to spell out every path in full:

# Error: `PATH=$PATH:/usr/local/bin`
* * * * * coffee -v > /tmp/log/cron.log

Good practice is to set the environment variables in a script:

#!/usr/bin/env bash
# This script is intended to be run as a cron job.
# Cron's default PATH does not include /usr/local/bin, so add it here.
export PATH="$PATH:/usr/local/bin"
coffee -v

and run the script as a cron job:

* * * * * /path/to/script > /tmp/log/cron.log 2>> /tmp/log/cron.err.log

Configuration Setup and Loading Precedence

Loading precedence (latter overrides former):

  1. Load application default settings (config/default.yml)
  2. Load environment settings
  3. Load custom settings

The default settings of the application are provided by the upstream project, so they should not be modified.

There are four types of environments: development, testing, staging and production. The environment is selected with the shell environment variable ENV. If the variable is not set, it defaults to development. Environment settings override default settings.

Custom settings override environment settings. The search path for custom settings is:

  1. Environment variable SETTINGS
  2. config/settings.yml

If neither path is available, no custom settings are applied.

config/settings.yml holds custom settings, therefore it is ignored by git via the .gitignore file:


The complete directory structure of the configuration setup (under config/):

├── default.yml
├── environments
│   ├── development.yml
│   ├── production.yml
│   ├── staging.yml
│   └── testing.yml
└── settings.yml

Quick start command:

$ node app

Fully customized start command:

$ ENV=production SETTINGS=/path/to/settings.yml node app
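The loading precedence and search path described above, as an added example that is not part of the original page or the application it describes. File access is injected so the example runs offline against a constructed in-memory config/ tree; a real app would back exists/load with fs.existsSync and a YAML parser such as js-yaml (an assumption), and the rejection of unknown ENV values is an added check.

```javascript
// Added example (not from the original page): applies the precedence above.
// File access is injected so it runs offline against a constructed in-memory
// config/ tree; a real app would back exists/load with fs.existsSync and a
// YAML parser such as js-yaml (assumption, not stated by the page).
'use strict';

const ENVIRONMENTS = ['development', 'testing', 'staging', 'production'];
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Recursively merge `override` into a copy of `base`; the latter wins.
function deepMerge(base, override) {
  const out = { ...base };
  for (const [key, value] of Object.entries(override)) {
    out[key] = isObj(value) && isObj(out[key]) ? deepMerge(out[key], value) : value;
  }
  return out;
}

// env: a process.env-like object; fs: { exists(path) -> bool, load(path) -> object }
function loadConfig(env, fs) {
  const name = env.ENV || 'development'; // unset ENV defaults to development
  if (!ENVIRONMENTS.includes(name)) { // added check: reject unknown environments
    throw new Error(`unknown ENV "${name}"; expected one of ${ENVIRONMENTS.join(', ')}`);
  }
  let config = fs.load('config/default.yml'); // 1. upstream defaults
  config = deepMerge(config, fs.load(`config/environments/${name}.yml`)); // 2. environment
  // 3. custom settings: $SETTINGS first, then config/settings.yml, else none
  const custom = [env.SETTINGS, 'config/settings.yml'].filter(Boolean).find((p) => fs.exists(p));
  if (custom) config = deepMerge(config, fs.load(custom));
  return { environment: name, customSource: custom || null, config };
}

// Constructed stand-in for the YAML files on disk (all values are made up).
const FAKE_FILES = {
  'config/default.yml': { port: 3000, db: { host: 'localhost', pool: 5 }, debug: true },
  'config/environments/development.yml': { debug: true },
  'config/environments/testing.yml': {},
  'config/environments/staging.yml': {},
  'config/environments/production.yml': { debug: false, db: { pool: 20 } },
  'config/settings.yml': { db: { host: 'db.internal' } },
  '/etc/app/settings.yml': { port: 8080 }, // hypothetical $SETTINGS target
};
const fakeFs = {
  exists: (p) => Object.prototype.hasOwnProperty.call(FAKE_FILES, p),
  load: (p) => { if (!fakeFs.exists(p)) throw new Error(`missing ${p}`); return FAKE_FILES[p]; },
};

const quick = loadConfig({}, fakeFs); // `node app`
const full = loadConfig({ ENV: 'production', SETTINGS: '/etc/app/settings.yml' }, fakeFs);
```

With the constructed tree, the quick start picks up config/settings.yml on top of the development environment, while the fully customized start takes $SETTINGS first and never consults config/settings.yml.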