Polk St. Improvements

To: MayorEdwinLee@sfgov.org, David.Chiu@sfgov.org, Ed.Reiskin@sfmta.com
From: Mike Fogel <mike … at … fogel.ca>
Subject: Polk St. Improvements

Dear Mayor Lee, Supervisor Chiu, Director Reiskin,

I wasn’t able to attend either of the latest Polk st. meetings held this week. I work full time and go to school part time in the evenings at CCSF. I hope you’ll take my input all the same. I’ve been living in San Francisco for nearly 10 years, and throughout that time, Polk St has always been something of a special jewel to me. I don’t think there’s a street more ‘San Francisco’ than Polk St.

While I was not able to make the latest meetings, I’ve reviewed the options that were presented to the public there. (http://sf.streetsblog.org/wp-content/uploads/2013/04/Polk-designs-Sat.-Open-House.pdf) From my perspective I see a painful imbalance. As someone who uses Polk St several times a week, spends $50-$100 along the corridor per week, I feel the most important uses of the street are (in sorted order):

1. Safety and accessibility for pedestrians
2. Safety and accessibility for people on bicycles
3. Efficient movement of Muni and taxis
4. Efficient movement of private automobiles
5. Public storage of private automobiles

As you know, the options that were presented at the latest community meetings don’t exhibit this same order of priorities. In particular, we are bending over backwards to preserve #5 (public storage of private automobiles) at the expense of our other priorities. In particular, we’re sacrificing Muni and bicycle safety and access to provide public storage of private automobiles.

As you know, Polk St. is not only an official San Francisco bicycle route, it’s actually one of the most important routes in town. From my perspective, it is ridiculous that we are considering designs that don’t provide dedicated space for people on bicycles along this key route. Adding space for bicycles on a dozen less-traveled streets would have less effect than on this one street.

As you know, the recent study the SFMTA commissioned to learn about how people get to polk street and how much money they spend (http://www.sfmta.com/cms/opolk/documents/PolkIntereptSurveyFindings.pdf) revealed that 85% of people on Polk street arrive by some method other than private vehicle. Again, from my perspective it is ridiculous that we are proposing to sacrifice the safety and mobility of 85% of the people in order to continue to provide the 15% with public storage of private automobiles. To continue re-iterating what you already know, that study also demonstrated that not only do only 15% of the people on Polk arrive via private automobile, those 15% also spend less money per visit that people arriving by any other mode of transportation. It just doesn’t make financial sense to continue prioritizing public storage of private automobiles.

With specific respect to the options presented at latest Polk St. meetings, I encourage you to:

* drop options A and B from the Union <-> Geary segment. Those do not provide dedicated space for people on bicycles and hence are not appropriate for one of the most important bicycle routes in the city.
* carry forward option C for the Union <-> Geary segment In addition, add one or more options that provide physically separated bicycle space (as was discussed and endorsed at the first community meeting) to this segment.
* for the Geary <-> McAllister segment, all options are acceptable. My preference is for Option B.

Thank you for your consideration. Please feel free to contact me if I can help out in any way.

Michael Fogel
Co-founder & Director of Engineering, Prism Skylabs
(415) 874-5464

April 30, 2013 | Mike Fogel | No Comments »

Fixing Apache’s “could not determine server’s FQDN” without redundantly specifying ServerName directive

A common annoyance with a standard Debian/Ubuntu install of Apache is that you’ll see these warnings on server restart:

mfogel@myhost:~$ sudo apache2ctl restart
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

And, if you google around for this you’ll see lots of advice telling you to specify a default ServerName directive. You can put this in /etc/apache2/httpd.conf, /etc/apache2/apache2.conf, or (hackishly, IMHO) in /etc/apache2/sites-enabled/.

The downside to this is that if you rename your sever, you then have to remember to alter your Apache config. Silly! Come on now.

Here’s a better way. Whatever the name of your server is…

mfogel@myhost:~$ hostname -f
myhost.mydomain.com

Then make sure this is the first entry for 127.0.0.1 in /etc/hosts.

mfogel@myhost:~$ cat /etc/hosts
127.0.0.1 myhost.mydomain.com myhost
127.0.0.1 localhost

With the myhost.mydomain.com being the first entry for 127.0.0.1, you’ll never see that warning again.

June 23, 2011 | Mike Fogel | No Comments »

10mph speed limit for bikes on Golden Gate?

Not a good idea if you were actually planning to get anywhere on your bike.

Cyclelicious posted a nice overview of the situation. Send your own email here.

To: DistrictSecretary@goldengate.org
From: Mike Fogel <mike … at … fogel.ca>

Subject: proposed golden gate bicycle speed limit – too low
Dear Golden Gate Bridge district,

I’m a San Francisco resident and a common Marin county weekender. I live on two wheels. I use my bicycle for nearly all my transportation needs and I find myself riding across the golden gate every few weekends.

I’m concerned about the proposed 10mph speed limit for bicycles across the golden gate. I don’t know if you’ve ever ridden a bike at 10mph – it’s not a speed where you actually _get_ anywhere. It’s a speed akin to a lazy stroll.

For comparison, the city of SF recently set up a ‘green wave’ of timed signals along Valencia st. These lights were timed at 13mph. This speed is intended for the “8-80″ crowd – meaning that most anyone, from 8 to 80 years old, can safely and comfortably navigate a bicycle at 13mph. This would suggest an appropriate speed limit for the bridge to be more like 17mph – a speed most healthy adults, while riding a bike for general transportation, will find themselves safely cruising at.

The “average” bicycle speeds published by the “Bicycle Safety Study for the GG Bridge” are painfully misleading. Half the riders on the golden gate are tourists not actually trying to get anywhere. A closer analysis would reveal a bi-modal distribution of speeds – one peak for those not actually trying to get anywhere, another one for those of us using the bridge for its original utilitarian purpose – get my rear end from one side of the water to the other.

For those of us who are using a bicycle for real transportation the issue of 10mph versus 17mph is huge. That’s the difference between biking being competitive with driving – and not.

Thanks for your time.


Mike Fogel
510 220 3903 | mike@fogel.ca

April 20, 2011 | Mike Fogel | Tags: , , | 2 Comments »

Commute Mode DeathMatch: San Francisco -> Half Moon Bay

Another deadly commute mode deathmatch. Oh boy!

For the time analysis part of this exercise, here are the assumptions I’m going with:

  • Transfers between any two segments have a 2 min window on each side of %0 efficiency time, cause it takes a while to get situated
  • Bus: %30
  • Bart: %50
  • Driving: %0

Also, I’m considering walking to be ‘light exercise’ and biking to be ‘moderate exercise’. All times are AM, all money in USD.

The Route, Driving

  • Walk, house -> Car: 5 min
  • Drive to Work: 45 min (24 miles) according to google maps in traffic

Direct Monetary Cost

Assuming 30mpg and $3.00 per gallon of gas:
24/30 * 3 = $2.40

Time Analysis

0 min effective 100% efficiency time
45 min wasted time
5 min light exercise

The Route, via Transit

  • Walk, house -> Bart station: 20 min
  • Bart, Civic Center ->; Colma: 6:44 -> 7:01, $3.25
  • SamTrans 118: Colma -> Linda Mar Park and Ride: 7:05 -> 7:24, $2
  • SamTrans 294: Linda Mar Park and Ride -> stop near HMB airport: 7:25 -> 7:46 $2
  • Walk, HMB airport stop -> Work: 10min

Direct Monetary Cost

3.25 + 2.00 + 2.00 = $7.25

Time Analysis

Effective 100% Efficiency Time

(bart) + (samtrans 118) + (samtrans 294) =
(12 – 2*2) * 0.3 + (17 – 2*2) * 0.5 + (19 – 2*2) * 0.3 + (21 – 2*2) * 0.3 =
18 min effective 100% efficiency time

Exercise Time

(walk 1) + (walk 2) = 20 + 10 = 30 min light exercise

Wasted Time

Total Travel Time – 100% effective efficiency time – Exercise Time =
(1 hr 34 min) – (18 min) – (30 min) = 46 min wasted time

The Route, via Cycling and Transit

  • Prep for ride, 10 min
  • Ride, home to Linda Mar Park and ride: 70 min
  • SamTrans 294: Linda Mar Park and Ride -> stop just over devil’s slide: 7:25 -> 7:35, $2
  • Ride to work: 12min

Direct Monetary Cost

SamTrans 294: $2.00

Time Analysis

Effective 100% Efficiency Time

(samtrans 1) = (10 – 2*2) * 0.3 = 6 * 0.3 ~= 2 min effective 100% efficiency time

Exercise Time

(bike 1) + (bike 2) = 70 + 12 = 82 min moderate exercise

Wasted Time

Total Travel Time – 100% effective efficiency time – Exercise Time =
(1 hr 42 min) – (2 min) – (82 min) = 18 min wasted time

So who wins? Well, it’s clear that plain transit does not win – it costs the most, wastes almost as much time as driving and is the least reliable. Clearly, transit here attracts no ‘choice riders’.

Between driving and biking + transit, the key factor is how much value is placed on moderate exercise time. The direct cost of both routes is similar, and while biking + transit wastes less time (18 min vs. 45 min) the total amount of moderate exercise time is perhaps excessive at 82 min. So this one’s gonna get called as a draw.

Final Results

  • Transit + Cycling: 0.5
  • Driving: 0.5
  • Transit: 0
January 23, 2011 | Mike Fogel | Tags: , , , | No Comments »

HOWTO: ubuntu/debian + mobile broadband + local wired subnet = internet access

This post describes one way to quickly set up a two-computer network such that both machines on the network can access the outside internet. The use case in mind here is you’re at a cafe with a friend, the wifi there sucks, you have your mobile broadband connection and you want to share it with your friend.

Note that there are many ways to get to the desired end result here. This solution has your local laptop doing NAT and forwarding packets at the IP layer.

Supplies:

  • your debian/ubuntu laptop
  • a “mobile broadband” connection with some provider, like Verizon or T-Mobile
  • an ethernet cord

Step 0: Get your mobile broadband connection working, possibly with T-Mobile.

Step 1: Set up your machine to run a dhcp server for your local wired network

  • sudo apt-get install isc-dhcp-server
  • Edit /etc/dhcp/dhcpd.conf. Here are the relevant parts of mine. (Yes, the ‘authoritative’ directive is commented out, I’m not sure how essential this is or not – but I’m trying avoid the dhcp server from taking over my local machine’s default route.) 
    default-lease-time 600;
max-lease-time 7200;
#authoritative;
log-facility syslog;
subnet 172.16.16.0 netmask 255.255.255.0 {
  range 172.16.16.10 172.16.16.250;
  option domain-name-servers 208.67.222.222; # opendns
  option routers 172.16.16.1;
}
  • Edit /etc/defaults/isc-dhcp-server: 
    mike@110psi:$ cat /etc/default/isc-dhcp-server | tail -n 1
INTERFACES="eth4"
  • sudo ifconfig eth4 172.16.16.1 netmask 255.255.255.0
  • sudo /etc/init.d/isc-dhcpd-server restart

At this point you should physically connect your friend’s laptop to yours using an ethernet cable. To watch the connection happen: tail -f /var/log/syslog. You should be able to go between the two computers and ping each other. If you can’t, then you want to debug this until you can… the rest of this recipe won’t have any effect if your local wired net is broken.

Step 2: Fix up your routing table

Between pppd, your local dhcp server, and you issuing manual ifconfig commands, it’s easy for your local routing table to get in a bad state. Here’s what you want it to look like:

mike@110psi:~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
172.16.16.0     0.0.0.0         255.255.255.0   U         0 0          0 eth4
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0

If you need to remove/add/edit routes, the tool you want to use is ‘route’. For example:

sudo route del default
sudo route add default gw 10.0.0.1

Step 3: Set up your computer to do some NAT

I scripted this out. Here’s the script:

#!/bin/sh
# nat and firewall
# for now, just nat.

ipt=/sbin/iptables
EXTIF=ppp0
INTIF=eth4

case "$1" in
	start)
		echo "Starting firewall:"

		echo -ne "\tClearing existing rules..."
		$ipt -F INPUT
		$ipt -F OUTPUT
		$ipt -F FORWARD
		$ipt -t nat -F
		echo " done."

		echo -ne "\tInput / Output rules..."
		$ipt -P INPUT ACCEPT
		$ipt -P OUTPUT ACCEPT
		echo " done."

		echo -ne "\tForwarding rules, and /proc/sys/net/ipv4/ip_forward..."
		echo "1" > /proc/sys/net/ipv4/ip_forward
		#$ipt -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
		$ipt -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
		$ipt -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
		echo " done."

		echo -ne "\tEnabling MASQUERADE on $EXTIF..."
		$ipt -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
		echo " done."

		echo "Firewall.sh is up."
	;;
	stop)
		echo -n "Stopping firewall...";
		$ipt -F INPUT
		$ipt -F OUTPUT
		$ipt -F FORWARD
		$ipt -P INPUT ACCEPT
		$ipt -P FORWARD ACCEPT
		$ipt -P OUTPUT ACCEPT
		$ipt -t nat -F
		echo "0" > /proc/sys/net/ipv4/ip_forward
		echo " done.";
		echo "Firewall.sh is down."
	;;
	*)
		N=/etc/init.d/firewall.sh
        	echo "Usage: $N {start|stop}" >&2
		exit 1
	;;
esac

Start your NAT up with “sudo ./nat-script-name.sh start”.

Step 4: debug it because it doesn’t work.

Break the problem into pieces:

  • debug the connection between the two computers (/var/log/syslog, ifconfig, isc-dhcp-server and ping are your friends here)
  • debug your local routing table (using netstat and route commands)
  • debug your connection to your mobile broadband provider (pppd, wvdial, minicom, ping, etc)

If you find some variant of this recipe works better for your local machine, please post it in the comments so we can all share. Good luck.

November 15, 2010 | Mike Fogel | Tags: , , , , | 2 Comments »

2010 Endorsements

sidewalks are for people - NO on sit/lie

In case you were wondering what the right answers are ;) here’s a subset of them:

San Francisco

  • Bart Board of Directors District 8 –> Bert Hill
    Bert Hill is a local urbanist who is running on a platform of re-focusing Bart on improving existing facilities and service, rather than spending more on costly suburban expansions that serve comparatively few people. He’s running against incumbent James Fang, San Francisco’s only elected Republican. James has happily kept Bart focused on expanding deeper and deeper out into the suburbs, rather than investing in our urban core. Eric Fischer over at transbay blog has a good writeup on Bert and James.
  • Prop AA (Vehicle registration fee) –> Yes
    Adding a $10 annual vehicle fee is a miniscule step in the right direction of reducing our subsidization of private vehicle ownership. Nothing wrong with me having my own car, but there is something wrong with everybody else paying for my car and its associated infrastructure.
  • Prop E (Same-day voter registration) –> Yes
    Making it easier to vote is a good thing.
  • Prop G (Fix Muni) –> Yes
    Muni operator salaries are currently set by formula in the city charter to the 2nd highest in the nation. This is such a joke I don’t know where to start. And it’s in the city charter. Prop G will remove this, and hopefully set things up so Muni can hire part-time operators and reform some “work rules”, which as far as I can decipher, is a code word for “loopholes that allow some operators to game the system into getting more $$ for less work”.
  • Prop I (Saturday voting trial) –> Yes
    This one’s important. I spent some time collecting signatures to get it on the ballot.

    It’s a historical artifact dating back to horse-and-buggy days that has us voting on Tuesday. Voting on Tuesday gives people who have have weekdays off an easier time voting than those that don’t. This consistently skews the results of our voting process away from the actual sentiment of the population. You see this effect in polls all the time – the difference between “all respondents”, “registered voters” and “likely voters”. Each time you step down this chain, you generally find the result turning more to match the views older, whiter, wealthier voters. The result is systematic over-representation of some population groups and systematic under-representation of others. And the effect is not insignificant – 5% is a common differential between the views of “all respondents” and “likely voters”.

    The Saturday trial voting would occur in the next election cycle, SF only. There would be voting on both Tuesday and Saturday. The Saturday election would be completely privately funded. Afterward, the results would be analyzed to see if there was any noticeable effect on voter turnout.

    Learn more about the local campaign here, and the national one here.

  • Prop L (Sit/lie) –> No
    Another important one. If you vote on two things this election, vote on this one and Prop I.

    This would make sitting on the sidewalk a crime. Are you joking? Look, we all understand the upper haight has a problem with annoying street punks. The solution isn’t to restrict our right to use public space. The solution isn’t to give the police another “we can fuck with whoever we want” tool. I’m not sure what the solution is but it would have the following properties: 1) specific to the upper haight 2) implemented on a trial basis with an automatic expiration 3) would NOT restrict our right to use general public space!

California

  • Governor –> Jerry Brown
    Streetsblog DC did a good writeup of why Meg Whitman would be a step backwards for California.
  • Prop 19 (Pot legalization) –> Yes
    Just like I don’t like the government telling me who I can and can’t marry, I don’t like it telling me what I can and can’t smoke.
  • Prop 23 (Oil Industry thinks you’re an idiot) –> No
    Tell the dirty oil companies to f*ck off.
  • Prop 25 (Budgetary legislative vote requirement reduction) –> Yes
    One of the reasons California has continuously yearly budgetary problems is that we are one of the few states to require 2/3 of the legislature to agree on a budget in order for it to move forward. Thus any political party or coalition with control 1/3 or more of the legislature has the power to hold up the budgetary process as much as they’d like. This creates a situation ripe for abuse – the minority party is able to slow the state government down to a halt, thus increasing voter disenchantment with the political establishment, thus making it more likely the majority party will be voted out on the next election cycle. Prop 25 would fix this by reducing the legislative vote requirement to a simple majority.

That’s everything that’s on the ballot that I feel a) is important and b) I know at least something about. There’s plenty on there that I don’t know much about that looks important. For those issues, I encourage you not to just try to figure it out on your own – I think you’re better off outsourcing that process to organizations you trust. Here are a few of my go-to’s:

Remember to vote on Tuesday (so that next election you can do it on Saturday!)

October 30, 2010 | Mike Fogel | Tags: , | No Comments »

T-Mobile webConnect Rocket 2.0 on Debian/Ubuntu

It is possible – I’m writing this post via T-Mobile and my new webConnect Rocket.

Step 0: see if your webConnect Rocket is actually the same as mine.

mike@110psi:~$ lsusb
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 002: ID 19d2:1201 ONDA Communication S.p.A.
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

If you don’t have the “19d2:1201 ONDA Communication S.p.A.” line, then likely you have a different version of the webConnect Rocket than I do and this guide may or may not apply.

Step 1: usb_modeswitch. This is necessary because the webConnect, like many usb dongles these days, actually has its windows (and mac?) drivers loaded directly on it. When the dongle is first inserted into a windows machine, it appears as a hard drive with its driver on it. Windows installs the driver, then magically changes the device into a modem. We need to use usb_modeswitch to do that magic change ourselves.

sudo apt-get install usb-modeswitch

As of this writing, you need to manually add the file /etc/usb_modeswitch.d/19d2:1201 with text:

# t-mobile ZTE MF691  Rocket 2

DefaultVendor=  0x19d2
DefaultProduct= 0x1201

TargetVendor=   0x19d2
TargetProduct=  0x1203

MessageContent="5553424392020000000000000000061B000000020000000000000000000000"

For more details, see this forum post and this one. Hopefully this file will be included directly in the usb-modeswitch-data package soon, but for the meantime it looks like the maintainer is currently traveling.

Now, we need to configure udev to run usb_modeswitch automatically when it sees the webConnect hard drive. Add the following lines to the file /lib/udev/rules.d/40-usb_modeswitch.rules:

# t-mobile ZTE MF691  Rocket 2
ATTRS{idVendor}=="19d2", ATTRS{idProduct}=="1201", RUN+="usb_modeswitch '%b/%k'"

(Before you add those lines check that they haven’t already been added by upstream since this writing. No need to have them in there twice.)

At this point I’d recommend a) restarting your machine and the b) inserting your webConnect Rocket. To test everything’s good so far, you should be able to use minicom to connect to both /dev/ttyACM0 and /dev/ttyACM1 and issue some basic AT commands.

Step 2: I haven’t been able to get network-manager to work correctly with the webConnect rocket. I get a lot of “modem-manager: Got failure code 100: Unknown error” in the logs. If you’ve got the time, the relevant source is here.

However, we can use wvdial and pppd to connect. If you haven’t already:

sudo apt-get install wvdial pppd

You can run ‘wvdailconf’ as root to generate a basic /etc/wvdial.conf. Then you want to edit it to look like mine:

[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Modem Type = USB Modem
ISDN = 0
New PPPD = yes
Phone = *99***1#
Modem = /dev/ttyACM0
Username = user
Password = pass
Baud = 460800
Stupid Mode = 1

I suspect there may be other options that should be in here that would be helpful. But in any case, this is a working base case. If you find any additional helpful options, please let me know in the comments.

Step 3: Connect to T-Mobile! To connect, run

sudo wvdial

Wvdial will manage the connection process to T-Mobile, spawning an instance of pppd to maintain the connection. Once the connection is established, you can hit cntrl-c to kill the instance of wvdial while still leaving pppd alive and your connection to T-Mobile active.

To disconnect:

sudo pkill pppd

does the trick.

It’ll be nice once modem-manager (and hence network-manager) has functioning support for this device. I’ll update this post once it does. In the meantime… good luck!

October 5, 2010 | Mike Fogel | Tags: , , | 19 Comments »

Stanford Video MMS Commander

A while ago I posted a short greasemonkey script to make saving a Stanford class video to disk a little easier. I’ve cleaned it up a little and posted in on userscripts.org as the Stanford Video MMS Commander. Same disclaimers as before apply, namely, this script is not to be used in any way to help violate Stanford’s terms and conditions.

September 26, 2010 | Mike Fogel | Tags: , , , , , | No Comments »

AutoTracOnDreamhost v1.2, final release

AutoTracOnDreamhost is a short set of shell scripts I wrote up to automate the install of Trac on a Dreamhost account. I’m going to stop maintaining them. Why?

  • Dreamhost now has a one-click install for Trac (though it currently claims to install the outdated v0.11.4 of Trac, v0.12 having been released a few months ago)
  • As of v0.12, Trac supports multiple repositories for each project. The previous lack of support for this feature in earlier versions of Trac was a big motivating factor for me to write up AutoTracOnDreamhost in the first place, as I like to have completely separate source control repositories for each of the different projects I’m working on.

So, while it was always open source (under GPLv3) I’ve now released AutoTracOnDreamhost on GitHub to make access that much easier. I’ve also released what will likely be the final release of AutoTracOnDreamhost, version 1.2. The changes from v1.1 are pretty minor:

  • Bumped up the version numbers of the software packages the scripts install.
  • README updates
  • Did a test install to make sure it all still works. As of today (Sept. 10, 2010) AutoTracOnDreamhost completes a default install of Trac and friends without any problems on my Dreamhost machine (spilotro.dreamhost.com).
September 10, 2010 | Mike Fogel | Tags: , , , , | 1 Comment »

Elegantly dropping priviledge in an /etc/cron.daily script

Debian-based distributions have a really useful series of directories to run cron scripts from. Any executable you place in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly or /etc/cron.monthly will get run with that frequency. I like these for two reasons: 1) it’s file-based, which I find a lot easier to manage and keep track of than each user’s crontabs and 2) this eliminates one possible source of bugs in my work – namely, the scheduling of my cron tasks.

However, there is a downside to /etc/cron.daily and friends. All scripts in there run as root. It’s generally bad practice to run anything as root that doesn’t have to run as root… and this is especially true if your script has scary lines like “rm -rf $SOME_VAR” in it. You’re asking for trouble.

Unfortunately, AFAIK there is no way to drop privilege within a script. However, this can be done by spanning a whole new child process. So, let’s add a short preamble to all the scripts we place in /etc/cron.daily and friends:

#!/bin/sh

USER='some-low-privilege-user'
if [ `whoami` != "$USER" ]; then
  sudo -u $USER "$0"
  exit
fi

... rest of the script ...

Now we have some extra assurance our cron job isn’t going to go haywire and screw the whole machine!

August 7, 2010 | Mike Fogel | Tags: , , | No Comments »
« Older Entries