openid – domain ownership verification in OIDC

I am building an application where we want to allow our users to sign in using their own IDPs, and we’re using Okta.

We don’t want our users to have to:

  • Create all their organization users manually
  • Be dependent on SCIM (or any other synchronization)
  • Maintain many users, most of whom will probably never use our system

Since our user ids are email addresses and all of our customers are enterprises, we want to map domains to IDPs.

Meaning that if example.com is a customer of ours, then all email addresses like alice@example.com or bob@example.com should be handled by their IDP. The thing is, we want to make sure that they own the domain example.com before adding their IDP to our discovery logic.

We were thinking about doing a DNS validation using a TXT record, but we aren’t sure that this is the correct practice for this.

So finally my questions are:

  1. Is there a common practice for this?
  2. Are there downsides to the DNS record validation method?
  3. Are there any caveats we should be aware of? Should we re-validate the ownership periodically?
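The TXT-record flow the question describes, as an added example (not code from the question or from Okta): the service issues a random token per domain, the customer publishes it at an app-specific record name, and the service resolves that name and compares. The label `_example-idp-verification`, the record value format `label=token`, and the resolver callback are assumptions made for this example; the fake resolver is constructed so the block runs offline. Treating any resolver error as "not verified" and comparing in constant time are the two details worth keeping in a real implementation.

```python
import hmac
import secrets
from typing import Callable, Iterable

# Assumed, app-specific label under which the customer publishes the TXT record.
# "_example-idp-verification" is a placeholder chosen for this example.
RECORD_LABEL = "_example-idp-verification"


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a trailing dot so 'Example.COM.' and 'example.com' match."""
    return domain.strip().rstrip(".").lower()


def record_name(domain: str) -> str:
    """Owner name of the TXT record the customer must create,
    e.g. _example-idp-verification.example.com."""
    return f"{RECORD_LABEL}.{normalize_domain(domain)}"


def issue_challenge(domain: str) -> tuple[str, str]:
    """Generate an unguessable token for one domain.

    Store (domain, token, issued_at) server-side; the customer publishes the
    token in a TXT record at record_name(domain). A fresh token per domain
    means a record copied from one zone proves nothing about another."""
    return record_name(domain), secrets.token_urlsafe(32)


def verify_domain(domain: str, token: str,
                  resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """True if a TXT record at record_name(domain) carries exactly the issued token.

    resolve_txt(name) returns the TXT strings for that name (quoted or not);
    any resolver failure (NXDOMAIN, timeout, ...) counts as 'not verified'."""
    expected = f"{RECORD_LABEL}={token}".encode()
    try:
        records = list(resolve_txt(record_name(domain)))
    except Exception:
        return False
    for rr in records:
        candidate = rr.strip().strip('"').encode()
        # Constant-time comparison so a mismatch leaks nothing about the token.
        if hmac.compare_digest(candidate, expected):
            return True
    return False


def make_fake_resolver(table: dict[str, list[str]]) -> Callable[[str], list[str]]:
    """Constructed stand-in for a real resolver, keyed by record owner name."""
    return lambda name: table.get(name.rstrip(".").lower(), [])


if __name__ == "__main__":
    name, token = issue_challenge("Example.com.")
    resolver = make_fake_resolver({name: ["v=spf1 -all", f'"{RECORD_LABEL}={token}"']})
    print(verify_domain("example.com", token, resolver))   # True
    print(verify_domain("example.com", "guess", resolver))  # False
```

In production `resolve_txt` would wrap a real lookup (for instance `dns.resolver.resolve(name, "TXT")` from dnspython), and the stored `issued_at` plus a last-verified timestamp is what drives periodic re-validation: DNS control is what is being proved, and it can change when a domain expires or is transferred.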

apache2 – Apache file ownership and envvars

I use Ubuntu 20.04. I have edited /etc/apache2/envvars to change the run user to “userA”: export APACHE_RUN_USER=userA

When I run this PHP script from W3 Schools to upload a file, the upload works – but the owner of the file is not “userA” as I intend. It remains www-data. Yet this command: sudo apache2ctl -S reports User: name="userA" id=1002, as set in envvars. So why does www-data own the file, and not userA? What is determining file ownership? FWIW, the permissions of the directory into which the file is uploaded are 774, and ownership is userA:www-data. “Set UID” and/or “Set GID” on the directory had no impact either.

team – GitHub source of truth describing repo ownership

I want to create a source of truth describing which team in my organisation owns which GitHub repo. In theory, the team who owns a repo may not be the same team who created it. Ideally I would like this information to live inside GitHub for convenience.

When I go to a repo, I want to quickly be able to see which team owns it. And for a given team, I want to be able to see all the repos they own.

I know that teams can be assigned read/write access to repos, but I don’t want the code owners to have any special permissions. Anyone in my org should be able to read/write to any repo, irrespective of being a code owner – the idea of ownership here is purely informational.

How can I do this?

signature – How to prove wallet ownership?

Context

I would like to verify that being A has access to a wallet, and hence would like to ask them to pay a minimum amount to a particular wallet address owned by someone other than me, e.g. 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, with a signature ThisIsUnexpected that I gave to being A.

The basic concept, I believe, is quite simple: if being A agrees, they share with me their bitcoin wallet address: being_A_bitcoin_wallet_address. Next, I would share the expected signature and selected recipient address (e.g. 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa) with being A. Being A then pays a minimal amount of bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. After the transaction is completed, I look at the transaction history of the received donations to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and find the transaction made by being_A_bitcoin_wallet_address. Next, I look at the signature of that particular transaction and verify that it reads: ThisIsUnexpected. If the transaction indeed has that signature, I have a high certainty that being A has access to being_A_bitcoin_wallet_address, and I can verify their amount of funds.

Challenge

Though the idea may be relatively simple, I am experiencing some challenges in the execution.

To test the verification procedure, I thought I would look up the signatures of past transactions to that address. Hence I went to: https://www.blockchain.com/btc/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and looked at the list of transactions. At the moment of writing, this is the most recent transaction, so I thought I could perhaps take the Sigscript of the transaction (with index 1) and put it into this signature verification tool to get a human-readable signature. However that tool does not seem to provide a human-readable signature, nor do I know whether the arbitrary transaction I selected contains a “Thank you Satoshi”-like signature.

Question

How could I practically verify the signature of a bitcoin transaction (if it has one)?

Subquestions

I think this question could be segmented in the following sub-questions:

  • How can I verify that an arbitrary transaction contains a human-readable signature?
  • Which information of the transaction data should I use to obtain a human readable form of the transaction signature?
  • Which online resources could be used to verify a signature?
  • Is there a Python script that provides a function being_has_access_to_wallet(claimed_wallet_access_address, recipient_wallet_address, human_readable_signature, amount=0.0001) that returns True or False using something like a block explorer?
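An added example with the function shape from the last sub-question; it is not code from the question or from any block explorer. Two facts it relies on: a transaction's scriptSig holds a DER-encoded ECDSA signature and a public key, not text, so the "human-readable" part of the scheme described above would live in a separate OP_RETURN output; and the block-explorer response format (`inputs`, `outputs`, `value_sat`, `script_hex`) is an assumption of this example, with the sample transactions, the claimed address and the txids constructed as placeholders. The recipient address is the one named in the question.

```python
from typing import Callable, Iterable, Optional

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D


def decode_op_return(script_hex: str) -> Optional[bytes]:
    """Data pushed after OP_RETURN in a scriptPubKey, or None if it is not an OP_RETURN output."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""                       # bare OP_RETURN, nothing pushed
    try:
        op, i = script[1], 2
        if 1 <= op <= 75:                # direct push: the opcode is the byte count
            n = op
        elif op == OP_PUSHDATA1:         # next byte is the length
            n, i = script[2], 3
        elif op == OP_PUSHDATA2:         # next two bytes, little-endian, are the length
            n, i = int.from_bytes(script[2:4], "little"), 4
        else:
            return None
        return script[i:i + n]
    except IndexError:                   # truncated script
        return None


# Constructed sample data in the shape a block-explorer API might return.
# The recipient is the address from the question; the claimed address, the
# other spender and the txids are placeholders, not real chain data.
RECIPIENT_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
CLAIMED_ADDRESS = "1BeingAPlaceholderAddressxxxxxxxxx"
P2PKH_PLACEHOLDER = "76a914" + "00" * 20 + "88ac"     # pay-to-pubkey-hash shape, dummy hash

SAMPLE_TXS = [
    {
        "txid": "placeholder-txid-0001",
        "inputs": [{"address": CLAIMED_ADDRESS}],
        "outputs": [
            {"address": RECIPIENT_ADDRESS, "value_sat": 10_000, "script_hex": P2PKH_PLACEHOLDER},
            # OP_RETURN output carrying the agreed text; it never has an address.
            {"address": None, "value_sat": 0, "script_hex": "6a10" + b"ThisIsUnexpected".hex()},
        ],
    },
    {   # unrelated donation without any message
        "txid": "placeholder-txid-0002",
        "inputs": [{"address": "1SomeoneElsePlaceholderxxxxxxxxxxx"}],
        "outputs": [{"address": RECIPIENT_ADDRESS, "value_sat": 50_000, "script_hex": P2PKH_PLACEHOLDER}],
    },
]


def fake_explorer(address: str) -> list[dict]:
    """Stand-in for a block-explorer call returning confirmed transactions paying `address`."""
    return [tx for tx in SAMPLE_TXS if any(o["address"] == address for o in tx["outputs"])]


def being_has_access_to_wallet(claimed_wallet_access_address: str,
                               recipient_wallet_address: str,
                               human_readable_signature: str,
                               amount: float = 0.0001,
                               fetch_txs: Callable[[str], Iterable[dict]] = fake_explorer) -> bool:
    """True if some transaction spent from the claimed address pays at least `amount` BTC
    to the recipient and carries the expected text in an OP_RETURN output.

    The cryptographic proof of key control is the input signature the network already
    validated; this function only trusts the explorer's attribution of the input address
    and ties that spend to the agreed text."""
    min_sat = round(amount * 100_000_000)        # integer satoshis, never float BTC
    wanted = human_readable_signature.encode()
    for tx in fetch_txs(recipient_wallet_address):
        if claimed_wallet_access_address not in {i["address"] for i in tx["inputs"]}:
            continue
        paid = sum(o["value_sat"] for o in tx["outputs"] if o["address"] == recipient_wallet_address)
        if paid < min_sat:
            continue
        if wanted in [decode_op_return(o["script_hex"]) for o in tx["outputs"]]:
            return True
    return False


if __name__ == "__main__":
    print(being_has_access_to_wallet(CLAIMED_ADDRESS, RECIPIENT_ADDRESS, "ThisIsUnexpected"))  # True
```

Bitcoin also offers a way to prove control of an address without spending anything: Bitcoin Core's `signmessage` / `verifymessage` sign an arbitrary challenge string with the address's key, which avoids putting a marker on the public chain at all.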

audit – Do the organisational policies need to have ownership to ensure accountability?

Policies are the high-level statement from Senior Management. It’s a philosophy for the management to be guided by, and management has the direction to plan, build, run and monitor the activities to achieve the enterprise objectives from the policies.

Is it possible to judge/assign accountability on the policy level?

My company hired a consultant who made the statement, and I’m looking for perspectives that will justify it.

permission – sshd: Authentication refused: bad ownership or modes for directory /Users/Foo

oracle – TNS-00534: Failed to grant connection ownership to child

When I try to connect to my Oracle instance with SQL Developer, I see this error in the logs:

TNS-12518: TNS:listener could not hand off client connection
 TNS-12560: TNS:protocol adapter error
  TNS-00534: Failed to grant connection ownership to child
   64-bit Windows Error: 10022: Unknown error

Can someone give me a pointer on how to solve this error? Note that I have the 64-bit client installed.

security – Is it safe to change ownership of several sub directories in /usr/local on MacOS Big Sur?

When trying to install some support for FORTRAN on my MacBook running Big Sur and using brew, I get an error that some /usr/local folders are not writable and am asked to use chown to change ownership to me as a user.

Is this safe? (and will the change persist through an update?)

sudo chown -R $(whoami) /usr/local/bin /usr/local/include /usr/local/lib /usr/local/share /usr/local/share/info /usr/local/share/man /usr/local/share/man/man1 /usr/local/share/man/man7

and

chmod u+w /usr/local/bin /usr/local/include /usr/local/lib /usr/local/share /usr/local/share/info /usr/local/share/man /usr/local/share/man/man1 /usr/local/share/man/man7
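Both the sshd question ("bad ownership or modes for directory /Users/Foo") and the /usr/local question above come down to inspecting who owns a path and whether others can write to it, so one added example serves both. It is not code from either question or from OpenSSH or Homebrew. `strict_modes_problems` encodes what sshd's StrictModes check requires of the home directory, `.ssh` and `authorized_keys` (owned by the user or root, not group- or world-writable); `describe_paths` is the inventory to take before a blanket `chown -R`, so only paths that are actually not writable get touched. The throwaway home directory in `demo()` is constructed.

```python
import os
import pwd
import stat
import tempfile


def strict_modes_problems(st_mode: int, owner_uid: int, user_uid: int) -> list[str]:
    """Problems sshd's StrictModes check would raise for one path (empty list == acceptable):
    the path must be owned by the user or root and must not be group- or world-writable."""
    problems = []
    if owner_uid not in (user_uid, 0):
        problems.append(f"owned by uid {owner_uid}, not uid {user_uid} or root")
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_ssh_chain(home: str, user_uid: int) -> dict[str, list[str]]:
    """Check home, home/.ssh and home/.ssh/authorized_keys, the paths sshd inspects."""
    results = {}
    for path in (home, os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            results[path] = ["missing"]
            continue
        results[path] = strict_modes_problems(st.st_mode, st.st_uid, user_uid)
    return results


def describe_paths(paths) -> list[dict]:
    """Before a blanket chown -R: record each path's owner, mode and whether the
    current user can already write there. Only non-writable paths need changing."""
    report = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report.append({"path": path, "exists": False})
            continue
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:                       # uid without a passwd entry
            owner = str(st.st_uid)
        report.append({"path": path, "exists": True, "owner": owner,
                       "mode": oct(stat.S_IMODE(st.st_mode)),
                       "writable_by_me": os.access(path, os.W_OK)})
    return report


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Build a constructed home directory: the check passes, then fails after chmod g+w."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as fh:
            fh.write("# constructed, empty key file\n")
        os.chmod(keys, 0o600)
        os.chmod(home, 0o755)
        good = check_ssh_chain(home, os.getuid())
        os.chmod(home, 0o775)   # the classic mistake behind "bad ownership or modes"
        bad = check_ssh_chain(home, os.getuid())
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("ok:", good)
    print("after g+w on home:", bad)
    for row in describe_paths(["/usr/local/bin", "/usr/local/lib"]):
        print(row)
```

On the persistence half of the /usr/local question, `describe_paths` is also the thing to re-run after a macOS update: comparing its output before and after shows whether the ownership change survived.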
