ImperialViolet

Google Code Jam (18 Oct 2003)

Great picture: Found Nemo

The film is not fantastic, but a good way to spend a couple of hours.

A while ago Google announced the Google CodeJam, which is basically another coding competition. This one is a little different to anything else I've done because it's a sit-at-home competition. This presents some advantages: it's more comfortable and you get vim working the way you want. It also means there is a lot of scope for cheating.

Once you look at the first problem you have 60 minutes to submit solutions. You can only submit once, but they do have a reasonable testing framework.

The score you get for a problem is based on how long you take to submit it. Once the coding phase (this weekend) is over they go and test the programs and anything that fails a test is discounted.

The top 500 go onto the next round.

It's obvious that a single user could in fact be a team of coders working on the problem. It's also quite possible to be many users and to read the questions well ahead of your 'time' starting. The latter problem is slightly mitigated because there are 10 sets of questions, but that just increases the work needed by a factor of 10, and creating 11 users isn't a lot of work.

Personally I didn't understand what the hell the second problem was asking and, looking back on it, I still don't. And the second problem is worth 80% of the marks so I've failed this one. Maybe they will run it next year.

C&G Ball

In crewing news - the City and Guilds Ball went very well even if I did get home at 7am the following morning and the punters arrived 3 hours before we were expecting them.

Webserver for User CGI

Running CGI scripts for users on your webserver is a dangerous game. Not only do users test their runaway fork-bombing scripts, but they also install known buggy versions of phpBB and the like and let your webserver get compromised.

And even if they cannot get root, crackers can use your >1Gbps of bandwidth to turn your poor webserver into the central warez site for the whole of Europe over the weekend. I know. It's happened to us.

And so, tweetypie is born. The first thing to do is get rid of mod_php, force all users to run PHP via the CGI binary, and build Apache with suEXEC support.

Users may complain about not having mod_php, but just slap them with rack rails until they go away. Then install this patch, which sets resource limits on all CGI scripts, and configure iptables to block all outgoing packets that don't come from system accounts:

*filter
:INPUT ACCEPT [89251:15855936]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [85660:11402157]
# Any uid may reach the two DNS resolvers and the PostgreSQL server.
-A OUTPUT -d 146.169.1.1 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 146.169.1.24 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 146.169.1.189 -p tcp -m tcp --dport 5432 -j ACCEPT
# System accounts keep unrestricted outbound access.
-A OUTPUT -m owner --uid-owner sshd -j ACCEPT
-A OUTPUT -m owner --uid-owner wwwnot -j ACCEPT
-A OUTPUT -m owner --uid-owner root -j ACCEPT
# Everything else (i.e. users' CGI processes) is dropped.
-A OUTPUT -m owner ! --uid-owner root -j DROP
COMMIT

Then set up 2000 bind mounts to work around a race condition in the kernel (you almost certainly don't have the kind of load that would trigger this, so you can ignore it) and voilà!

Simple eh?
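As an added example (not code from the original post, the suEXEC patch or tweetypie), the script below shows the two hardening steps above in plain shell: a wrapper that applies per-script resource limits before exec'ing a CGI program, and a generator that produces an owner-based egress ruleset in the same shape as the one shown, together with an offline checker that walks the same allow-list so you can see which packets the policy would drop without loading it. The limit values, the `EGRESS_ALLOW` table and the uid `alice` are constructed for illustration; the DNS and PostgreSQL addresses are the ones from the post.

```bash
#!/bin/sh
# Added example: resource-limited CGI launcher plus owner-based egress policy.

# --- Part 1: run a CGI program under resource limits (values are assumptions) ---
CGI_CPU_SECONDS=30      # hard CPU cap so a runaway script is killed
CGI_MAX_PROCS=32        # per-uid process cap against fork bombs
CGI_MAX_VMEM_KB=131072  # 128 MiB of address space

run_cgi_limited() {
    # Limits are set in a subshell so they never leak into the caller;
    # if any limit cannot be applied we refuse to run the script (fail closed).
    (
        ulimit -t "$CGI_CPU_SECONDS" || exit 126
        ulimit -u "$CGI_MAX_PROCS" || exit 126
        ulimit -v "$CGI_MAX_VMEM_KB" || exit 126
        ulimit -c 0 || exit 126
        exec "$@"
    )
}

# --- Part 2: egress allow-list, evaluated top to bottom like the iptables chain ---
# Columns: uid dest proto dport; '*' is a wildcard. Constructed from the post's ruleset.
EGRESS_ALLOW="
* 146.169.1.1 udp 53
* 146.169.1.24 udp 53
* 146.169.1.189 tcp 5432
sshd * * *
wwwnot * * *
root * * *
"

# Emit an iptables-restore ruleset for the allow-list; everything else is dropped.
gen_egress_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    while read -r r_uid r_dest r_proto r_port; do
        [ -n "$r_uid" ] || continue
        if [ "$r_uid" = '*' ]; then
            printf '%s\n' "-A OUTPUT -d $r_dest -p $r_proto -m $r_proto --dport $r_port -j ACCEPT"
        else
            printf '%s\n' "-A OUTPUT -m owner --uid-owner $r_uid -j ACCEPT"
        fi
    done <<EOF
$EGRESS_ALLOW
EOF
    printf '%s\n' '-A OUTPUT -m owner ! --uid-owner root -j DROP' 'COMMIT'
}

# Offline check: print ACCEPT or DROP for a packet (uid dest proto dport)
# by walking the same allow-list in the same order as the generated chain.
egress_verdict() {
    p_uid=$1; p_dest=$2; p_proto=$3; p_port=$4
    while read -r r_uid r_dest r_proto r_port; do
        [ -n "$r_uid" ] || continue
        { [ "$r_uid" = '*' ] || [ "$r_uid" = "$p_uid" ]; } || continue
        { [ "$r_dest" = '*' ] || [ "$r_dest" = "$p_dest" ]; } || continue
        { [ "$r_proto" = '*' ] || [ "$r_proto" = "$p_proto" ]; } || continue
        { [ "$r_port" = '*' ] || [ "$r_port" = "$p_port" ]; } || continue
        echo ACCEPT
        return 0
    done <<EOF
$EGRESS_ALLOW
EOF
    # Final rule: anything not owned by root is dropped.
    echo DROP
}

# Usage (as root): gen_egress_rules | iptables-restore
# Usage (from the CGI dispatcher): run_cgi_limited /home/alice/cgi-bin/script.cgi
```

The checker is only a model of the chain: it ignores the OUTPUT policy and connection state, so it tells you what the owner-match rules decide for a socket-owned packet, which is enough to review the allow-list before loading it.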