Re: [CentOS] EL7, grub-crypt?

2014-08-27 Thread David Goldsmith
On Aug 27, 2014, at 6:37 PM, Darod Zyree darodzy...@gmail.com wrote:

 2014-08-27 16:07 GMT+02:00 Baptiste Agasse baptiste.aga...@lyra-network.com
 :
 
 
 
 - Original message -
 Hi,
 
 What's the new way of creating sha512 passwords in EL7?
 
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html#sec-Password_Encryption
 
 In Centos6 I used grub-crypt but that does not exist anymore.
 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos
 
 
 --
 Baptiste AGASSE
 Lyra Network, Service Systèmes et Réseaux
 109 Rue de l'innovation, 31670 Labège - France
 Tél: (+33)5.67.22.31.87
 Fax: (+33)5.67.22.31.61
 Mail: baptiste.aga...@lyra-network.com
 Site: http://www.lyra-network.com
 
 
 But this is for creating passwords for grub2, no?
 
 I was asking (although might not have been clear enough) on how to get the
 encrypted values for the shadow file entries.
 grub-crypt used to be able to do that, returning with the encrypted value
 of a given passphrase starting with $6$


It's the default hash used on EL7 by the “passwd” command.

[root@centos7 etc]# grep dgoldsmith /etc/shadow
dgoldsmith:$6$IoGARIF2$44lyu/9VjFmGsOW (line truncated)

[root@centos7 etc]# tail -3 /etc/login.defs
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

--
David Goldsmith
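
An added example (not part of the original post): a shell check that reads `ENCRYPT_METHOD` from a login.defs-style file and lists accounts in a shadow-style file whose hash prefix does not match it, using the `$6$` = SHA512 convention shown above. The function names are hypothetical, and the sample files, account names and hash strings are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread. All sample data is constructed.

# Map a shadow password field to the crypt(3) scheme named by its prefix.
hash_scheme() {
    case "$1" in
        '')                      echo EMPTY ;;    # no password required
        '!'*|'*'*)               echo LOCKED ;;   # locked or login disabled
        '$6$'*)                  echo SHA512 ;;
        '$5$'*)                  echo SHA256 ;;
        '$1$'*)                  echo MD5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo BCRYPT ;;
        '$y$'*)                  echo YESCRYPT ;;
        *)                       echo DES_OR_UNKNOWN ;;
    esac
}

# Print the ENCRYPT_METHOD value from a login.defs-style file.
# The last uncommented setting wins; prints nothing if it is unset.
policy_method() {
    awk '$1 == "ENCRYPT_METHOD" { m = $2 } END { if (m != "") print m }' "$1"
}

# $1 = shadow-format file, $2 = login.defs-format file.
# Prints "user:scheme" for every account that is not locked and whose hash
# scheme differs from the policy (with no policy set, all are listed).
audit_shadow() {
    want=$(policy_method "$2")
    while IFS=: read -r user hash rest; do
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            LOCKED|"$want") ;;
            *) echo "$user:$scheme" ;;
        esac
    done < "$1"
}

# Write constructed sample files into directory $1.
write_samples() {
    cat > "$1/login.defs" <<'EOF'
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
EOF
    cat > "$1/shadow" <<'EOF'
alice:$6$CONSTRUCTED$placeholderhash:16309:0:99999:7:::
bob:$1$CONSTRUCTED$placeholderhash:16309:0:99999:7:::
svc:!!:16309::::::
carol::16309:0:99999:7:::
EOF
}

# Demo on the constructed files; on a real host, run as root against
# /etc/shadow and /etc/login.defs instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_shadow "$demo_dir/shadow" "$demo_dir/login.defs"
rm -rf "$demo_dir"
```

Accounts that predate a change of `ENCRYPT_METHOD` keep their old hash until the password is next changed, which is what this check surfaces.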





[CentOS] iostat results for multi path disks

2014-06-20 Thread David Goldsmith
Here is a sample of running iostat on a server that has a LUN from a SAN with 
multiple paths.  I am specifying a device list that just grabs the bits related 
to the multi path device:

$ iostat -dxkt 1 2 sdf sdg sdh sdi dm-7 dm-8 dm-9
Linux 2.6.18-371.8.1.el5 (db21b.den.sans.org)   06/20/2014

Time: 02:30:23 PM
Device:  rrqm/s  wrqm/s    r/s     w/s   rkB/s   wkB/s avgrq-sz avgqu-sz  await  svctm  %util
sdf        0.66   52.32   3.57   34.54  188.38  347.52    28.13     0.14   3.62   0.87   3.31
sdg        0.66   52.29   3.57   34.56  189.79  347.48    28.18     0.14   3.72   0.87   3.32
sdh        0.00    0.00   0.00    0.00    0.00    0.00    14.19     0.00   2.90   2.90   0.00
sdi        0.00    0.00   0.00    0.00    0.00    0.00    14.19     0.00   2.87   2.87   0.00
dm-7       0.00    0.00   8.46  173.75  378.17  695.00    11.78     3.41  18.68   0.35   6.46
dm-8       0.00    0.00   8.46  173.75  378.17  695.00    11.78     3.41  18.68   0.36   6.47
dm-9       0.00    0.00   8.46  173.75  378.17  695.00    11.78     3.41  18.68   0.36   6.48

Time: 02:30:24 PM
Device:  rrqm/s  wrqm/s    r/s     w/s   rkB/s   wkB/s avgrq-sz avgqu-sz  await  svctm  %util
sdf        0.00   54.00   7.00   48.00   88.00  408.00    18.04     0.12   2.11   1.20   6.60
sdg        0.00   13.00   1.00   26.00    4.00  156.00    11.85     0.01   0.52   0.48   1.30
sdh        0.00    0.00   0.00    0.00    0.00    0.00     0.00     0.00   0.00   0.00   0.00
sdi        0.00    0.00   0.00    0.00    0.00    0.00     0.00     0.00   0.00   0.00   0.00
dm-7       0.00    0.00   8.00  141.00   92.00  564.00     8.81     0.25   1.69   0.53   7.90
dm-8       0.00    0.00   8.00  141.00   92.00  564.00     8.81     0.25   1.70   0.54   8.00
dm-9       0.00    0.00   8.00  141.00   92.00  564.00     8.81     0.25   1.70   0.54   8.00


sdf,sdg,sdh,sdi - four paths for LUN (sdf and sdg are the active paths)
dm-7 - device-mapper pseudo device for the mpath device
dm-8 - device-mapper pseudo-device for the partition spanning the entire mpath 
device
dm-9 - device-mapper pseudo-device for the LVM LV created on the mpath device

The first sample from iostat is the historical data so let's ignore it.  The 
second sample is the stats for a 1 second interval.

I see the stats for sdf and sdg are roughly equal but they differ — they are 
the two active paths that are both being used.

I see the stats for dm-7, dm-8 and dm-9 are almost completely identical - makes 
sense as they really represent the same “disk”.

What confuses me is the fact that all the stats for sdf/sdg don’t add up to be 
equivalent to the dm-[789] devices

For the rkB/s and wkB/s columns, the numbers for sdf and sdg add up to equal 
the numbers for dm-9.

But for the first four columns:

Column   sdf/sdg               dm-9
======   ===================   =====
rrqm/s   0.0 + 0.0 = 0.0       0
wrqm/s   54.0 + 13.0 = 67.0    0       Very different
r/s      7.0 + 1.0 = 8.0       8.0
w/s      48.0 + 26.0 = 74.0    141.0   Very different

So read data matches and write data diverges


Which numbers should I go with?  The physical devices or the logical device?

Thanks

David Goldsmith




Re: [CentOS] [CentOS-announce] CESA-2014:0626 Important CentOS 5 openssl097a Update

2014-06-05 Thread David Goldsmith
We still haven’t seen the CentOS 5 openssl-0.9.8* RPM updates show up on the 
CentOS mirrors today.

Checked:

http://mirror.centos.org/centos-5/5.10/updates/x86_64/RPMS/
http://mirror.yellowfiber.net/centos/5.10/updates/x86_64/RPMS/
http://mirror.vcu.edu/pub/gnu+linux/centos/5.10/updates/x86_64/RPMS/

On Jun 5, 2014, at 12:24 PM, Karanbir Singh mail-li...@karan.org wrote:

 Hi,
 
 It's in the pipes, coming in the next few minutes.
 
 - KB
 
 On 06/05/2014 05:16 PM, Joe Pruett wrote:
 what about RHSA-2014:0624-1?
 
 On 06/05/2014 06:38 AM, Karanbir Singh wrote:
 CentOS Errata and Security Advisory 2014:0626 Important
 
 Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0626.html
 
 The following updated files have been uploaded and are currently 
 syncing to the mirrors: ( sha256sum Filename ) 
 
 i386:
 28a83a987c35bf2297a33d7e75703d345953cbb4ab2033f2e06a8be94b7ded0e  
 openssl097a-0.9.7a-12.el5_10.1.i386.rpm
 
 x86_64:
 28a83a987c35bf2297a33d7e75703d345953cbb4ab2033f2e06a8be94b7ded0e  
 openssl097a-0.9.7a-12.el5_10.1.i386.rpm
 56e0b690fa9182cc84f3ae8d7a0062cb0789b0f4a39045953eae63419f5dbb57  
 openssl097a-0.9.7a-12.el5_10.1.x86_64.rpm
 
 Source:
 995d2c032cde0e3249e21f266e726217cbfe4ae7a0ed034855e4bc981407a890  
 openssl097a-0.9.7a-12.el5_10.1.src.rpm
 
 
 
 
 
 
 
 -- 
 Karanbir Singh
 +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
 GnuPG Key : http://www.karan.org/publickey.asc

--
David Goldsmith - Director of IT Systems
SANS Institute, (www.sans.org)
540.412.5099 x202 (w)
703.819.6197 (c)
540.412.5073 (f)



Re: [CentOS] 5.10, crashes

2013-11-01 Thread David Goldsmith
On Nov 1, 2013, at 2:38 PM, m.r...@5-cent.us wrote:

 We've just started getting this. We're running 5.10, kernel
 2.6.32-358.18.1.el6.x86_64. Anyone else seen anything like this, or have
 any ideas?
 
 mark
 
 Nov  1 14:34:21 server kernel: WARNING: at block/ll_rw_blk.c:543
 blk_do_ordered()
 Nov  1 14:34:21 server kernel:
 Nov  1 14:34:21 server kernel: Call Trace:
 Nov  1 14:34:22 server kernel:  [8014defa]
 blk_do_ordered+0x27a/0x2b3
 Nov  1 14:34:22 server kernel:  [8014ac82]
 elv_next_request+0x13e/0x178
 Nov  1 14:34:22 server kernel:  [8807b335]
 :scsi_mod:scsi_request_fn+0x6a/0x392
 Nov  1 14:34:22 server kernel:  [8005abd2]
 generic_unplug_device+0x22/0x32
 Nov  1 14:34:22 server kernel:  [8004d957]
 run_workqueue+0x9e/0xfb
 Nov  1 14:34:22 server kernel:  [8004a1aa]
 worker_thread+0x0/0x122
 Nov  1 14:34:22 server kernel:  [800a3d4a]
 keventd_create_kthread+0x0/0xc4
 Nov  1 14:34:22 server kernel:  [8004a29a]
 worker_thread+0xf0/0x122
 Nov  1 14:34:22 server kernel:  [8008f4a9]
 default_wake_function+0x0/0xe
 Nov  1 14:34:22 server kernel:  [800a3d4a]
 keventd_create_kthread+0x0/0xc4
 Nov  1 14:34:22 server kernel:  [800a3d4a]
 keventd_create_kthread+0x0/0xc4
 Nov  1 14:34:22 server kernel:  [80032c68] kthread+0xfe/0x132
 Nov  1 14:34:22 server kernel:  [8005dfc1] child_rip+0xa/0x11
 Nov  1 14:34:22 server kernel:  [800a3d4a]
 keventd_create_kthread+0x0/0xc4
 Nov  1 14:34:23 server kernel:  [80032b6a] kthread+0x0/0x132
 Nov  1 14:34:23 server kernel:  [8005dfb7] child_rip+0x0/0x11

Have you added a kernel from an optional CentOS or 3rd-party repo?

Our patched CentOS 5.10 servers are running kernel-2.6.18-371.1.2.el5

--
David Goldsmith




Re: [CentOS] LVM

2012-03-20 Thread David Goldsmith

On 3/20/2012 5:25 AM, Markus Falb wrote:
 On 19.3.2012 10:14, Peter Kjellström wrote:
 On Sunday 18 March 2012 19.40.21 Ray Van Dolson wrote:
 On Sun, Mar 18, 2012 at 08:04:14PM +0100, Markus Falb wrote:
 
 What filesystem? Assuming ext3, this cannot be shrunk without
 unmounting. I believe the following *should* work for ext3
 
 $ umount /home
 $ e2fsck -f /dev/vg_web/lv_home
 $ resize2fs /dev/vg_web/lv_home 150g
 $ lvresize -L 150g /dev/vg_web/lv_home
 $ mount /home
 
 I am not sure how safe it is. Take care!
 
 I'd like to add that it's probably good paranoia not to size the
 lv down too tightly (should it happen to become smaller than the
 fs then ooops). That is, I'd size the lv down to a comfortable
 margin above the fs size (and then size the fs up to the device
 size).
 
 Hmm. I did that too a couple of times in the past. But why? What
 are the reasons for the paranoia?

I think he means don't resize/shrink the filesystem *and* the LVM LV
to the exact same size.  If the LVM lvresize command were to truncate
the end of the existing filesystem, now you have issues.

Instead do this: first shrink the filesystem a little smaller than you
want, then resize the LVM LV down to the desired size, then resize the
filesystem again to grow to use the remaining space.  This way you
ensure you don't snip off the end of the filesystem.

# umount /home
# e2fsck -f /dev/vg_web/lv_home
# resize2fs /dev/vg_web/lv_home 149g
# lvresize -L 150g /dev/vg_web/lv_home
# resize2fs /dev/vg_web/lv_home  (will default to the LV size of 150g)
# mount /home

-- 
David Goldsmith


Re: [CentOS] Isues with YUM Update

2012-03-15 Thread David Goldsmith

On 3/15/2012 8:09 PM, Robert Spangler wrote:
 Hello all,
 
 Is this a known issue?
 From what I can tell it started on Tuesday.
 
  ~ $ sudo yum -y update Password: 
 Setting up Update Process Setting up repositories dag
 100% |=| 1.1 kB00:00 kbs-CentOS-Extras
 100% |=| 1.9 kB00:00 kbs-CentOS-Misc
 100% |=| 1.9 kB00:00 
 http://www.gtlib.gatech.edu/pub/centos/4.9/updates/i386/repodata/repomd.xml:
  [Errno 14] HTTP Error 404: Not Found Trying other mirror. 
 http://ftp.osuosl.org/pub/centos/4.9/updates/i386/repodata/repomd.xml:
 [Errno 14] HTTP Error 404: Not Found Trying other mirror.

From one of those mirror sites:

http://www.gtlib.gatech.edu/pub/centos/4/readme

  This directory (and version of CentOS) is depreciated.

  CentOS-4 is now past EOL

  You can get the last released version of centos 4.9 here:

  http://vault.centos.org/4.9/

-- 
David Goldsmith


Re: [CentOS] build postfix spec w/ mysql

2011-11-19 Thread David Goldsmith

On 11/19/2011 1:11 PM, Tim Dunphy wrote:
 hello list!
 
 I am attempting to build an rpm of postfix that includes support
 for mysql. I've done this before with earlier versions on postfix
 but I am staring at this spec file until my eyes bleed and I just
 don't see why when I build the spec with rpmbuild mysql support
 isn't there.
 
 After I install the rpm I have a look at the modules as such: ldd
 $(which postfix) | grep -i mysql
 
 and nothing's there.
 
 I was hoping someone out there might not mind having a look at the
 spec file and let me know what I'm missing.

One of these two lines likely needs to be set to 1

%define with_mysql 0
%define with_mysql_redhat 0


They control two conditional blocks later in the spec file

%if %{with_mysql_redhat}
Requires: mysql
BuildRequires: mysql, mysql-devel
%endif

%if %{with_mysql}
Requires: MySQL-shared
BuildRequires: MySQL-shared, MySQL-devel
%endif


I'm guessing you added the following line:

%define MYSQL 1

because that define name does not appear to be referenced anywhere
else in the spec file.

-- 
David Goldsmith
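
An added example (not part of the original post, and not rpmbuild's own tooling): a shell function that lists macros a spec file defines but never references, which is the situation described above for `%define MYSQL 1`. The function names are hypothetical and the sample spec is constructed from the fragments quoted in this message.

```sh
#!/bin/sh
# Added example, not from the original thread. The sample spec is constructed.

# List macros that a spec file defines with %define or %global but never
# references anywhere else. $1 = path to the .spec file.
unused_spec_defines() {
    awk '
        # Pass 1 (NR == FNR): remember each defined macro and its line number.
        NR == FNR {
            if ($1 == "%define" || $1 == "%global") defined[$2] = FNR
            next
        }
        # Pass 2: a macro counts as used when %{name}, %{?name, %{!?name or
        # a bare %name appears on a line other than its own definition.
        # The prefix forms can over-count uses, so the list errs on the side
        # of reporting too few macros rather than too many.
        {
            for (name in defined) {
                if (FNR == defined[name]) continue
                if (index($0, "%{" name "}") || index($0, "%{?" name) ||
                    index($0, "%{!?" name) || index($0, "%" name))
                    used[name] = 1
            }
        }
        END {
            for (name in defined) if (!(name in used)) print name
        }
    ' "$1" "$1" | sort
}

# Write a constructed sample spec fragment to the path given in $1.
write_sample_spec() {
    cat > "$1" <<'EOF'
%define with_mysql 0
%define with_mysql_redhat 0
%define MYSQL 1

%if %{with_mysql_redhat}
Requires: mysql
BuildRequires: mysql, mysql-devel
%endif

%if %{with_mysql}
Requires: MySQL-shared
BuildRequires: MySQL-shared, MySQL-devel
%endif
EOF
}

# Demo on the constructed fragment.
demo_dir=$(mktemp -d)
write_sample_spec "$demo_dir/sample.spec"
unused_spec_defines "$demo_dir/sample.spec"
rm -rf "$demo_dir"
```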


Re: [CentOS] Feed a list of filenames to vim

2011-05-17 Thread David Goldsmith

On 5/17/2011 12:19 PM, Jussi Hirvi wrote:
 There are some googlable ways to feed a list of filenames to vim, but I 
 stumble on weird results.
 
 With my filelist, I try to do
 
   cat list | xargs vim
 
 ...to edit the files listed in the file list. Here's what happens:
 
 [root@lasso2 tempdir]# ls -l
 total 8
 -rw-r--r--  1 root root  0 May 17 18:28 a
 -rw-r--r--  1 root root  0 May 17 18:28 b
 -rw-r--r--  1 root root  3 May 17 18:31 c
 -rw-r--r--  1 root root 12 May 17 18:43 list
 [root@lasso2 tempdir]# cat list
 ./a
 ./b
 ./c
 [root@lasso2 tempdir]# cat list | xargs vim
 3 files to edit
 Vim: Warning: Input is not from a terminal
 
 Ok, so far, so good. And after this, the file a opens, as expected. 
 However, the contents show as all uppercase. And everything I write is 
 uppercase too. I can move to the next file (:n) even though the command 
 shows as uppercase (:N). I cannot quit vim, however. When I do :q, I 
 get blank screen, and I have to close the terminal window.
 
 If I do instead
   cat list | xargs less
 ...it works as expected.
 
 And with
   cat list | xargs vi
 ...(in a fresh terminal window), the editing goes just perfect, but when 
 I quit vi, the terminal will not show the commands I write, and the 
 display gets garbled (no newlines etc.).
 
 What is happening?

Do this instead:

vi `cat list`

cat list   - gives the output of the file which is the three filenames
`cat list` - executes this command and feeds its output to the input of
 your next command

So the resulting command ends up being vi ./a ./b ./c which opens up
the 'a' file and you will be able to move to the next file with the :n
option.

xargs is effectively running a for loop on each unique item in the
output of the previous command (cat list).  vi expects to be run on one
file at a time and needs to be associated with a terminal session in
order to be able to get input from you (either text or commands) to
apply to the file.

-- 
David Goldsmith


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-08 Thread David Goldsmith
On 10/8/2010 4:42 AM, John Doe wrote:
 From: David Goldsmith dgoldsm...@sans.org
 
 On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5  (from
 base), here are the results of touching a file as a user, as root and  as
 a user sudoing to root:
 On the second server (CentOS  x86-64) running sudo 1.7.2p1-7 (from
 updates), here are the results of the  same actions:
 
 Maybe check the release notes...
 http://www.sudo.ws/sudo/stable.html
 A quick look got:
 A new Defaults option umask_override will cause sudo to set 
 the umask specified in sudoers even if it is more permissive  than 
 the invoking user's umask. 
 
 JD

Ok, I missed that last bullet on changes from 1.7.0 to 1.7.1.  However,
on both servers, there is no umask_override line in the /etc/sudoers
file and if I run sudo -V as root and grep for umask, I get the same
output on both versions:

  # sudo -V | grep -i umask
  Umask to use or 0777 to use user's: 022

So that would seem to me that it ought to have been using a umask of 022
resulting in test files with 644 permissions.

These sections from the sudoers man page on each version seem to
explain the difference:

1.6.9 man page:

   umask   Umask to use when running the command.  Negate this
           option or set it to 0777 to preserve the user's
           umask.  The default is 0022.

1.7.2 man page:

   umask_override  If set, sudo will set the umask as specified by
                   sudoers without modification.  This makes it
                   possible to specify a more permissive umask in
                   sudoers than the user's own umask and matches
                   historical behavior.  If umask_override is not set,
                   sudo will set the umask to be the union of the
                   user's umask and what is specified in sudoers.  This
                   flag is off by default.

   umask           Umask to use when running the command.  Negate this
                   option or set it to 0777 to preserve the user's
                   umask.  The actual umask that is used will be the
                   union of the user's umask and 0022.  This guarantees
                   that sudo never lowers the umask when running a
                   command.  Note on systems that use PAM, the default
                   PAM configuration may specify its own umask which
                   will override the value set in sudoers.

If I add Defaults umask_override in /etc/sudoers on the system with
sudo 1.7.2, then the umask behavior I was expecting occurs -- sudo
touch file results in a file with 644 perms (based on root's umask).

Since the sudo 1.6.9 systems don't like seeing that line in their config
file, I either need to get all the systems upgraded to 1.7.2 or modify
Puppet to push different versions of the /etc/sudoers depending on what
version of sudo is installed.

Thanks for the responses.

David Goldsmith
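
An added example (not from the thread and not sudo's own code) that works through the umask rules quoted from the man pages above and reproduces the 644 versus 600 results reported in this thread. The function names are hypothetical, and a umask imposed by PAM is not modelled.

```sh
#!/bin/sh
# Added example, not sudo's own code: models the umask rules quoted from the
# sudoers man pages above. It does not model a umask imposed by PAM.

# $1 = invoking user's umask, $2 = sudoers umask (default 0022),
# $3 = "override" for sudo 1.6.9, or 1.7.2 with umask_override set;
#      anything else for 1.7.2 without umask_override (the union rule).
sudo_effective_umask() {
    if [ "$((0$2))" -eq "$((0777))" ]; then
        printf '%04o\n' "$((0$1))"          # 0777 means keep the user's umask
    elif [ "$3" = "override" ]; then
        printf '%04o\n' "$((0$2))"          # sudoers value used unmodified
    else
        printf '%04o\n' "$((0$1 | 0$2))"    # union: bits set in either mask
    fi
}

# Mode of a file created by touch(1), which requests 0666, under umask $1.
created_file_mode() {
    printf '%03o\n' "$((0666 & ~0$1))"
}

# Mode of the file left behind by "sudo touch file" for the given inputs.
sudo_touch_mode() {
    created_file_mode "$(sudo_effective_umask "$1" "$2" "$3")"
}

# The thread's scenario: user umask 0077, sudoers default umask 0022.
echo "1.6.9, or 1.7.2 with umask_override: $(sudo_touch_mode 0077 0022 override)"
echo "1.7.2 without umask_override:        $(sudo_touch_mode 0077 0022 union)"
```

Under the union rule sudo can only add restrictions to the invoking user's umask, so a user umask of 0077 always wins over the sudoers default of 0022.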


[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-07 Thread David Goldsmith
Two servers, each have normal user umask values of 0077 and root umask
values on 0022.

On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
base), here are the results of touching a file as a user, as root and as
a user sudoing to root:

user: touch file        - result is 600
root: touch file        - result is 644
user: sudo touch file   - result is 644

On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
updates), here are the results of the same actions:

user: touch file        - result is 600
root: touch file        - result is 644
user: sudo touch file   - result is 600 ** this differs **

On the second system, if I downgrade sudo to the base version, it
behaves the same as on the first server, so this appears to be sudo
version specific rather than an i386 vs x86-64 difference.


Looking at the changelogs at the package home site, I don't see anything
obvious that covers this change:

http://www.courtesan.com/sudo/stable.html#1.7.0
http://www.courtesan.com/sudo/stable.html#1.7.1
http://www.courtesan.com/sudo/stable.html#1.7.2

Does anyone know how to change the behavior with the umask values when
using the newer version of sudo?

This is causing us some issues when sudoing to update an SVN working
directory used by our Puppet server.

Thanks,
David Goldsmith


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-07 Thread David Goldsmith
On 10/7/2010 9:25 PM, Tom H wrote:
 On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith dgoldsm...@sans.org wrote:
 Two servers, each have normal user umask values of 0077 and root umask
 values on 0022.

 On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
 base), here are the results of touching a file as a user, as root and as
 a user sudoing to root:

 user: touch file        - result is 600
 root: touch file        - result is 644
 user: sudo touch file   - result is 644

 On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
 updates), here are the results of the same actions:

 user: touch file        - result is 600
 root: touch file        - result is 644
 user: sudo touch file   - result is 600 ** this differs **

 On the second system, if I downgrade sudo to the base version, it
 behaves the same as on the first server, so this appears to be sudo
 version specific rather than an i386 vs x86-64 difference.

 Looking at the changelogs at the package home site, I don't see anything
 obvious that covers this change:

 http://www.courtesan.com/sudo/stable.html#1.7.0
 http://www.courtesan.com/sudo/stable.html#1.7.1
 http://www.courtesan.com/sudo/stable.html#1.7.2

 Does anyone know how to change the behavior with the umask values when
 using the newer version of sudo?

 This is causing us some issues when sudoing to update an SVN working
 directory used by our Puppet server.
 
 Check for a umask variable/line in the two installs' /etc/sudoers file.

grep -i mask /etc/sudoers on both servers gets no hits.

David Goldsmith


Re: [CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

2010-10-07 Thread David Goldsmith
On 10/7/2010 9:59 PM, Tom H wrote:
 On Thu, Oct 7, 2010 at 9:48 PM, David Goldsmith dgoldsm...@sans.org wrote:
 On 10/7/2010 9:25 PM, Tom H wrote:
 On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith dgoldsm...@sans.org wrote:
 Two servers, each have normal user umask values of 0077 and root umask
 values on 0022.

 On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
 base), here are the results of touching a file as a user, as root and as
 a user sudoing to root:

 user: touch file        - result is 600
 root: touch file        - result is 644
 user: sudo touch file   - result is 644

 On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
 updates), here are the results of the same actions:

 user: touch file        - result is 600
 root: touch file        - result is 644
 user: sudo touch file   - result is 600 ** this differs **

 On the second system, if I downgrade sudo to the base version, it
 behaves the same as on the first server, so this appears to be sudo
 version specific rather than an i386 vs x86-64 difference.

 Looking at the changelogs at the package home site, I don't see anything
 obvious that covers this change:

 http://www.courtesan.com/sudo/stable.html#1.7.0
 http://www.courtesan.com/sudo/stable.html#1.7.1
 http://www.courtesan.com/sudo/stable.html#1.7.2

 Does anyone know how to change the behavior with the umask values when
 using the newer version of sudo?

 This is causing us some issues when sudoing to update an SVN working
 directory used by our Puppet server.

 Check for a umask variable/line in the two installs' /etc/sudoers file.

 grep -i mask /etc/sudoers on both servers gets no hits.
 
 Any differences in the env_keep, env_delete, env_check settings (if
 they are used) in sudoers?


Both servers have the same defaults settings:

# Defaults specification
Defaults    log_year, logfile=/var/log/sudo.log
Defaults    loglinelen=0
Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"


David Goldsmith


Re: [CentOS] Newsletter release

2010-03-31 Thread David Goldsmith
On 3/31/2010 10:30 PM, Geerd-Dietger Hoffmann wrote:
 Hey

 Could everyone please proofread and add last changes to the Newsletter[1].

 Cheers Didi

 [1] http://wiki.centos.org/Newsletter/1002

Went to [1]  - got this:

 * Newsletter
 * 1002

You are not allowed to view this page.

Link to prior post works - http://wiki.centos.org/Newsletter/1001

David Goldsmith
SANS NOC


Re: [CentOS] Partitionning for future.

2009-06-28 Thread David Goldsmith

Yaovi Atohoun wrote:
 Hi all,
 
 I have a disk of 146Gb in a machine intended to have mainly mysql
 database, apache and some web data.  I didn't use LVM for / and /boot
 during the installation
 
 Could I extend  easily in the future the /var partition  when I add
 another disk?
 
 Filesystem            Size  Used Avail Use% Mounted on
 /dev/cciss/c0d0p6      23G  432M   22G   2% /
 /dev/mapper/VolGroup00-LogVol00
                       5.0G  139M  4.7G   3% /home
 /dev/mapper/VolGroup00-LogVol03
                        98G  275M   93G   1% /var
 /dev/mapper/VolGroup00-LogVol02
                       5.0G  2.9G  1.9G  61% /usr
 /dev/cciss/c0d0p1      99M   19M   75M  20% /boot
 tmpfs                 470M     0  470M   0% /dev/shm
 
 I would like to have your comments before I continue installing MySQL and
 others.
 
 Thanks
 Yaovi

Yes, add a new disk to the system, then run commands such as:

pvcreate /dev/whatever device it is

vgextend VolGroup00 /dev/whatever device it is

lvextend (either -l +## to add extents or -L +## to add size)
/dev/VolGroup00/LogVol03

resize2fs /dev/VolGroup00/LogVol03

--
David Goldsmith


Re: [CentOS] Partitionning for future.

2009-06-28 Thread David Goldsmith

Jorge Fábregas wrote:
 On Sunday 28 June 2009 11:38:48 am David Goldsmith wrote:
 resize2fs /dev/VolGroup00/LogVol03
 
 Does it perform the resizing while the filesystem is mounted? 

Resizing to make an ext2/ext3 filesystem larger can be done while the
filesystem is mounted.  Resizing to shrink a filesystem requires the
filesystem to not be mounted.

Example of online resizing:

# df -h /var
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg0-varlv
  2.0G  605M  1.3G  33% /var
# lvextend -L +1G /dev/vg0/varlv
  Extending logical volume varlv to 3.00 GB
  Logical volume varlv successfully resized

# resize2fs /dev/vg0/varlv
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/vg0/varlv is mounted on /var; on-line resizing required
Performing an on-line resize of /dev/vg0/varlv to 786432 (4k) blocks.
The filesystem on /dev/vg0/varlv is now 786432 blocks long.

# df -h /var
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg0-varlv
  3.0G  605M  2.2G  22% /var

--
David Goldsmith


Re: [CentOS] Filesystem backup?

2009-06-22 Thread David Goldsmith

Rafał Radecki wrote:
 Could You please explain what exactly that line means:
 
 # dump 0f - / | (cd /seconddisk; restore -rf -)

As root, do a level 0 (or full) backup of the root / filesystem. Rather
than write the backup output to a regular file, send it to standard out.

Pipe the standard output to a new process.  For the new process, change
your working location to be another directory where you have another
filesystem mounted.  It will be best if this second filesystem was
formatted prior to running this command.

Run a restore of the dump results in a non-interactive mode taking as
input the output of the dump command.

--
David Goldsmith


Re: [CentOS] [OT] Simple Shell Script (while loop)

2009-06-06 Thread David Goldsmith

James Bensley wrote:
 Hey Guys,
 
 I can not find the correct syntax for what I am trying to achieve with a
 while loop. Having said that I'm not exactly sure what you would call it
 so I have been googling with no success probably for that reason.
 
 I am just working with some sub directories except there is one I don't
 want to use so I have a while loop like the following; if we stumble
 into the sub directory I wish to leave alone then there is an IF
 statement and I have used the break command which is wrong, I don't want
 to end this whole loop I just want to skip onto the next increment of
 the loop as it were skipping this sub directory. Break is the wrong
 command but what should it be? Sorry I can't be any clearer but I don't
 know exactly what you would call this (which is why I am having no
 success finding it for myself!)
 
 #!/bin/bash
 find ./ -maxdepth 1 -type d | while read FOLDER
 do
 if [ $FOLDER == ./not_this_folder_oh_no! ]; then
 break
 fi
 otherwise do some magic here
 done
 
 Many thanks for your time and input.
 Regards,
 James ;)

Reverse the logic in the test and consolidate further

#!/bin/bash
# Run the body for every directory except the excluded one.
find ./ -maxdepth 1 -type d | while read -r FOLDER
do
    if [ "$FOLDER" != "./not_this_folder_oh_no!" ]; then
        echo "$FOLDER"   # do some magic here
    fi
done


Or exclude the directory in the find command itself

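#!/bin/bash
# Prune the excluded directory inside find; "-type d" is repeated after -o
# so that only directories are printed.
find ./ -maxdepth 1 -type d -wholename './not_this_folder' -prune -o \
    -type d -print | while read -r FOLDER
do
    echo "$FOLDER"   # do some magic here
done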

--
David Goldsmith


Re: [CentOS] Minimal Install?

2009-03-28 Thread David Goldsmith

Norberto Bensa wrote:
 On Sat, Mar 28, 2009 at 12:05 PM, Jim Wildman j...@rossberry.com wrote:
 rpm -qf `which command`
 
 Nice. Thanks Frank and Jim
 
 What about the minimal install? Is it possible? I don't need kerberos,
 ldap, and a lot of other things.
 
 Best regards,
 Norberto

I was just playing with this myself this week.  For CentOS 5.2, the very
minimal install is 88 RPMs.  This is missing things you will need (like
openssh, passwd, yum, etc) but it's basically the bare-bones install.  If
you statically assign IP addresses and don't care about DHCP, you can
reduce the list one more and get rid of 'dhclient'.

All other RPMs are required because of the dependencies that are laid
out.  Various other things will be required as you add some of the
useful utilities back in.

The list of RPMs is:

audit-libs basesystem bash beecrypt bzip2-libs centos-release
centos-release-notes chkconfig coreutils cpio cracklib cracklib-dicts
db4 device-mapper device-mapper-event device-mapper-multipath dhclient
diffutils dmraid e2fsprogs e2fsprogs-libs elfutils-libelf ethtool expat
filesystem findutils gawk gdbm glib2 glibc glibc-common grep grub gzip
info initscripts iproute iputils kernel keyutils-libs kpartx krb5-libs
less libacl libattr libcap libgcc libselinux libsepol libstdc++ libsysfs
libtermcap lvm2 m2crypto MAKEDEV mcstrans mingetty mkinitrd mktemp
module-init-tools nash ncurses net-tools openssl pam pcre popt procps
psmisc python readline redhat-logos rootfiles rpm rpm-libs sed setup
shadow-utils sqlite sysklogd SysVinit tar termcap tzdata udev util-linux
vim-minimal zlib


If you are building a Kickstart file, here are useful %packages and
%post sections:

%packages --nobase
kernel-PAE
-audit-libs-python
-checkpolicy
-dhcpv6-client
-ecryptfs-utils
-ed
-file
-gnu-efi
-gpm
-hdparm
-kbd
-libhugetlbfs
-libselinux-python
-libsemanage
-nspr
-nss
-openssh
-openssh-clients
-openssh-server
-perl
-policycoreutils
-prelink
-selinux-policy
-selinux-policy-targeted
-setools
-setserial
-sysfsutils
-tcl
-udftools
-vim-enhanced

%post
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
yum -y remove kernel iptables slang usermode wireless-tools
yum -y remove cryptsetup-luks dbus dmidecode hwdata libgpg-error libusb
yum -y remove libvolume_id libxml2-python pciutils
yum -y remove cyrus-sasl-lib logrotate

Packages that are in the Core group tagged as 'mandatory' will get
installed even if you specify them with '-' in the %packages section
thus the need to explicitly remove them in the %post section.

Packages in the Core group tagged as 'default' can be configured to not
be installed by subtracting them in the %packages section.

After the install finishes, you can run the following rpm command to get
rid of yum stuff if desired:

rpm -e libxml2 python-elementtree python-iniparse python-sqlite \
    python-urlgrabber rpm-python yum yum-metadata-parser

This 'minimal' load is mainly for educational purposes just to see how
small it can get (about 300MB) -- it's not very useful.  A useful minimal
load will be somewhere around 150-200 packages depending on what
utilities you want to include.

--
David Goldsmith
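A post-install check for the Kickstart approach above, as an added example that is not part of the original post: it collects every package the Kickstart file subtracts in %packages or removes in %post and reports any that still appear in the installed list. The function names and the sample data in `ks_demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# ks_unwanted: read a kickstart file on stdin and print every package it
# subtracts in %packages ("-name") or removes in %post ("yum -y remove ...").
ks_unwanted() {
    awk '
        /^%packages/ { section = "packages"; next }
        /^%post/     { section = "post"; next }
        /^%/         { section = ""; next }
        section == "packages" && /^-/ { print substr($1, 2) }
        section == "post" && $1 == "yum" && $2 == "-y" && $3 == "remove" {
            for (i = 4; i <= NF; i++) print $i
        }
    '
}

# ks_leftovers KICKSTART INSTALLED: print the unwanted packages that are
# still listed in INSTALLED, a file with one package name per line
# (for instance saved from: rpm -qa --qf '%{NAME}\n').
ks_leftovers() {
    ks_unwanted < "$1" |
        awk 'NR == FNR { unwanted[$0]; next } ($0 in unwanted)' - "$2"
}

# ks_demo: run the check on constructed sample data.
ks_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ks.cfg" <<'EOF'
%packages --nobase
kernel-PAE
-openssh
-perl

%post
yum -y remove kernel iptables slang
EOF
    printf '%s\n' bash kernel-PAE iptables perl zlib > "$dir/installed.txt"
    ks_leftovers "$dir/ks.cfg" "$dir/installed.txt"
    rm -rf "$dir"
}
```

In the constructed data, `kernel-PAE` is not reported because the match is on the whole package name, not a prefix of `kernel`.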


Re: [CentOS] mysql 5.1 rpm spec file?

2007-12-13 Thread David Goldsmith

Karanbir Singh wrote:
 Johnny Tan wrote:
 Does Red Hat make available spec files for future releases? I took the
 existing mysql 5.0 spec file and, with a few mods here and there, was
 able to build the 5.1 rpm. But there are some new things which I am
 curious how they will deal with (ndb stuff, primarily), and was
 wondering if they have available the beta SRPMs or spec files for
 future versions of software.
 
 Well, Johnny maintains mysql-enterprise in centos-plus, and he has most
 of this stuff sorted out. You can start there.
 
 I have mysql-5.1.22-rc built based on something similar, if there is
 interest, I can put that in dev.centos.org for people to use/abuse -
 but I am hoping there is a more formal and usable mysql-5.1.x release soon.

I see various MySQL RPMs in 4.5/centosplus/i386/RPMS but nothing under
the 5.0 or 5.1.  Are there newer RPMs available or should the 4.5 RPMs work?

--
David Goldsmith


Re: [CentOS] yum --security and staying with 5.0

2007-12-11 Thread David Goldsmith

Karanbir Singh wrote:
 Amos Shapira wrote:
 1. If I read the FAQ correctly, in order to force yum to stay with 5.0
 should I just manually edit /etc/redhat-release from:

 CentOS release 5 (Final)
 to:
 CentOS release 5.0 (Final)
 
 No, there is no such mention about anything in the FAQ or anywhere else
 that I can find. What made you believe that changing stuff in that text
 file will change the repos your machine is looking at?

Possibly this:  http://wiki.centos.org/FAQ/CentOS5#q8

--
David Goldsmith, SANS NOC
SANS Institute (www.sans.org)