Re: [CentOS] compilers a security risk?
On Mon, Mar 08, 2010 at 07:34:14AM -0700, Warren Young wrote:
> On 3/6/2010 4:04 PM, nate wrote:
>> if you can upload source code, you can upload a precompiled binary
>
> True, but most attacks are automated, and try to attack as wide a range of machines as possible. If I were to write a bit of malware for *ix that needed a custom binary on the target machine, I'd at least consider distributing it as C code, banking on the fact that most *ix systems have a C compiler installed by default these days.

It is no longer just the C compiler. Perl, Python, Ruby, PHP, even bash all have rich libs and can do more, quicker, than most can accomplish with a C program, and with more portability too.

It makes sense to have a good firewall that limits all in and out paths as well as a proxy server for outgoing connections and other footprint tools. Logs and management should involve another box such that the system admin folk have a safe and different place to do their job from.

--
T o m M i t c h e l l
Found me a new hat, now what?
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] how to find out promiscuous mode
On Thu, Feb 04, 2010 at 09:45:26AM +1100, Les Bell wrote:
> Vadkan Jozsef jozsi.avad...@gmail.com wrote:
>> How can I find out that someone is using its network card in promiscuous mode in a subnet?
>
> http://sourceforge.net/projects/prodetect/

Strictly you cannot tell if a remote card is in promiscuous mode. Some card drivers correctly switch to promiscuous mode when more than one multicast address is being listened to, and there is no external clue that it has done so.

For what it is worth, the MAC of the card can see all the bits on the wire, and above the MAC are a collection of hardware and software filters that gate the bits further up the stack.

Switches limit the ability of a host to snoop, but some traffic is still seen on all nodes. Once a host is seen some attacks become possible, which is why the expensive switches have a market.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] Serious Privileges Problem: Second Post!
On Tue, Nov 10, 2009 at 01:05:36AM -0600, Frank Cox wrote:
> On Tue, 10 Nov 2009 07:53:30 +0100 Mogens Kjaer wrote:
>>> The file command will verify that for you.
>>
>> Are you sure?
>
> Well, I guess not then. I assumed that file would treat a .py file as a text file. I don't do any programming with Python and haven't looked at it closely.
>
> file tells me that a file that's created with Borland Turbo C (DOS) is data, but a file of C source code that's created with Linux gedit is ASCII C program text. A text file that's created with the DOS edit command is ASCII English text, with CRLF line terminators, and a text file that's created with Linux gedit is ASCII text.
>
> So file can tell the difference in pretty much every case except for a Python file. Which may be an oversight in the magic definitions.

I missed the early part so I am not sure what is Serious in this, so excuse me for arriving late, but it all appears normal and natural to me.

Python programs are of two types. Text files that are interpreted at runtime and have a first line that specifies the interpreter:

    #! /usr/bin/python

and bytecode python programs.

A text file in DOS mode because the #! interpreter fails. If there is no white space after python the error makes more sense:

    $ ./bar.py
    bash: ./bar.py: /usr/bin/python^M: bad interpreter: No such file or directory

If there is white space after the n in python in the #! escape line the error is less clear.

The script with DOS mode or unix mode new line conventions can be compiled to python byte code or just executed with python.

    $ python ./bar.py
    Hello

And compiled.

    $ ls -l bar*
    -rwxr-xr-x 1 bob bob 36 2009-11-13 20:25 bar.py
    $ py_compilefiles bar.py
    Compiling bar.py ...
    $ ls -l bar*
    -rwxr-xr-x 1 bob bob 36 2009-11-13 20:25 bar.py
    -rw-r--r-- 1 bob bob 108 2009-11-13 20:29 bar.pyc
    $ chmod +x bar.pyc
    $ ./bar.pyc
    Hello
    $ file ./bar.pyc
    ./bar.pyc: python 2.6 byte-compiled

Since the #! escape for /usr/bin/python is seen in the text of the script by file, it correctly notices that this is a python script. I say correctly because the python interpreter and compiler have no trouble with it.
Re: [CentOS] OMG! Microsoft patents sudo! Linux and MacOS dead!
On Thu, Nov 12, 2009 at 08:27:22AM -0500, Robert Heller wrote:
> At Thu, 12 Nov 2009 21:07:15 +0800 CentOS mailing list centos@centos.org wrote:
>> http://blogs.computerworld.com/15082/omg_microsoft_patents_sudo_linux_and_macos_dead?source=CTWNLE_nlt_dailyam_2009-11-12
>>
>> Is this for real?
>
> Blogs.computerworld.com seems to be down/dead/broken database...

Yes real. But they have not patented sudo but a twist on it.

As best I can tell they have solved one of the things I hate about WindowZ security. It is that it is opaque. This twist opens some windows of information to the user when privilege change is needed. i.e. and hints what account/ password to type and has the data and authentication methods to get there.

The patent was filed in 2004 or so, so ya got to reach back into the way back machine if you are going to find prior art. The best place to look is in retail software and the data base world, perhaps banking software.

If I understand it... this system has it all and I have seen it in action for years...

    Retail, Login
    enter coat #SKU12345 price $1234567.00
    Customer has a coupon to get the coat for $5.00
    enter price override #SKU12345 to $5.00 one time
    Bzzz- call manager override and approval required
    manager password ** entered
    Customer pays $5.00 and checks out.

A common view of an operating system is a data base engine that manages data including authentication. The data base folk have been doing this for decades. I fail to see anything new here.

Anyhow this was posted on /. and discussed in depth and to death.

http://yro.slashdot.org/story/09/11/11/2055226/Microsoft-Patents-Sudos-Behavior
http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1Sect2=HITOFFd=PALLp=1u=/netahtml/PTO/srchnum.htmr=1f=Gl=50s1=7,617,530.PN.OS=PN/7,617,530RS=PN/7,617,530
Re: [CentOS] Scripting help please....
On Wed, Oct 28, 2009 at 10:39:41PM +0530, Truejack wrote:
> Need a scripting help to sort out a list and list all the duplicate lines.
>
> My data looks somethings like this
>
> host6:dev406mum.dd.mum.test.com:22:11:11:no
> host7:dev258mum.dd.mum.test.com:36:17:19:no

A key to your answer is the --all-repeated option for uniq on a sorted file.

I call this find-duplicates -- this post makes it GPL

    #! /bin/bash
    # Pick one size filter for find; the active one matches any non-empty file.
    #SIZER=' -size +10240k'
    SIZER=' -size +0'
    #SIZER=
    DIRLIST=.
    # Checksum every file, then sort so identical checksums end up adjacent.
    find $DIRLIST -type f $SIZER -print0 | xargs -0 md5sum |\
      sort > /tmp/looking4duplicates
    tput bel; sleep 2
    # Compare only the first 32 characters (the md5 hex digest) and show each group of repeats.
    cat /tmp/looking4duplicates | uniq --check-chars=32 --all-repeated=prepend | less
Re: [CentOS] OT: pager pay
On Tue, Oct 13, 2009 at 12:02:26PM -0700, Drew wrote:
> Like Max I don't have pager pay but I do get paid for call outs. My phone is fully paid for (approx $60/m) and call outs are paid at time and a half (Sunday is double time), minimum one hour. All travel time is considered call out time and mileage is eligible for $0.50/km. I'm on call 7am to 9pm Mon-Sat and I usually work 7am-5pm Mon-Fri.

For goodness sake keep a log.

On call jobs often violate state and federal rules for exempt and non-exempt status. Mileage for the second trip to the office should be compensated in some cases.

The reason for a log is multi-fold; the most important one is at review time, but also in the case of a restructuring ;-).

In some cases the key is the nature of the leash. If they restrict your travel or lifestyle there may be a problem. You cannot travel down the road three hours to watch your kid play sports. Or if they restrict you from having a beer or make it impossible to go ice fishing. If you fix it over the phone or Internet but do not get 'paid'.

Most of the issues have surfaced with nurses and other health care folk, but if you are IT at a hospital and your on-call comp plan is widely different from other professionals -- pay attention.
Re: [CentOS] Help! i want to clone my Centos machine to another box..
On Thu, Oct 22, 2009 at 01:34:01PM +0200, RoLaNd RoLaNd wrote:
> Hello, thanks for your prompt reply.. i was leaving that option as a last resort... the problem is that this machine is a production machine so if i rsync, i need to turn off the services in order to copy files or else ill have permission denied errors... any other way? i;ll start the proccess of creating a fresh instalation today though i dunno how to do the followign:
>
>> On 10/22/2009 04:06 AM RoLaNd RoLaNd wrote:
>>> Hello all, i've spent the last week trying to find something that will clone my existing Centos server to a more powerful box. i've used clonezilla though that resulted in a complete failure.. ...
>>
>> Since the destination machine is more powerful, the hardware is likely different, so cloning per se isn't an option. Instead, you should do a fresh install of the same version on the new (destination) box, then copy the data over from the weaker to the destination machine.

Compare and contrast the two machines for us. It may be possible to just move the disks and reboot.

HOWEVER

Since this is a production environment that might be reckless. Make sure you have a LiveCD or LiveUSBstick for the new machine so you can fix things.

I would start with a fresh install and migrate services and data, perhaps one service at a time. Plan on multiple reinstalls and clone data and config files with a script. With the fresh install in place you can see a lot that will help in the compare, contrast and planning process.

    Install; clone data;test
    Install; clone data;test
    ...
    Install; clone data;test
    Install; clone data;test
    switch
Re: [CentOS] Good md5sum snapshot tool?
On Wed, Jun 03, 2009 at 04:51:53PM -0500, Les Mikesell wrote:
> Sean Carolan wrote:
>> I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
>
> I always like brute force - and the ability to undo things... If you have space somewhere to rsync (-aH) a backup copy of the filesystems before the changes, repeating the rsync with -aHvn --delete, (don't forget that -n) will show what is different afterwards.

I am looking at Aide mentioned by a previous reply because I do not know the details of how it works. On first glance I should be running it... Add tripwire to the list of tools too.

Brute force will not work for a lot of objects. Consider that prelink can change the MD5sum of many objects and cause false triggers for rsync and other simple tools.

Tools like aide and tripwire will find ALL the changes from the update so the number of changes may be very large depending on the patching process.

In looking at aide while typing it is also clear to me that any interesting tool must also track file+dir ownership, file+dir permissions, SELinux context as well if the job is to be done correctly. Context for each file, each user and the policy itself.

It is quite easy to find / -type f and build your own list of md5 checksums. No scripting will be needed to check it. See the --check flag for md5sum and also use split to build smaller chunks.

    $ md5sum /etc/passwd > /tmp/foo
    $ md5sum -c /tmp/foo
    /etc/passwd: OK
    $ find /etc -type f -print0 | xargs -0 md5sum > /tmp/foo
    $ md5sum --check /tmp/foo
    $ md5sum --check /tmp/foo | egrep -v \ OK$

Interesting tools should also look for 'extra' files. RPM is not too bad for some checks.

    rpm -qVa

And

    find / -type f | slice and dice---| rpm -qf

Something like this might be important... in all $PATH areas etc... along the lines of...

    # touch /tmp/isthisownedbyapackage
    # rpm -qf /tmp/isthisownedbyapackage
    file /tmp/isthisownedbyapackage is not owned by any package

--
T o m M i t c h e l l
Found me a new hat, now what?
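
An added example, not part of the original post and not code from any of the tools named in it: a before/after manifest that records ownership, permissions and the SELinux label next to the content hash, and reports extra and missing files as well as changed ones. It uses SHA-256 rather than md5sum; the function names and the sample tree are constructed for the illustration.

```python
import hashlib
import os
import stat
import tempfile


def _selinux_context(path):
    """Return the security.selinux xattr as text, or None when it is unavailable."""
    getxattr = getattr(os, "getxattr", None)  # Linux-only API
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:  # no label, or filesystem without xattr support
        return None
    return raw.rstrip(b"\0").decode(errors="replace")


def _digest(path):
    """SHA-256 of a regular file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every path below root (relative) to its recorded attributes."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # never follow symlinks
            if stat.S_ISREG(st.st_mode):
                try:
                    content = _digest(full)
                except OSError:
                    content = "unreadable"
            elif stat.S_ISLNK(st.st_mode):
                content = "-> " + os.readlink(full)
            else:
                content = None  # directory, device, fifo, socket: metadata only
            manifest[os.path.relpath(full, root)] = {
                "content": content,
                "mode": stat.filemode(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "selinux": _selinux_context(full),
            }
    return manifest


def compare(before, after):
    """Report added ('extra'), removed, content-changed and metadata-changed paths."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report["added"].append(path)
        elif path not in after:
            report["removed"].append(path)
        else:
            old, new = before[path], after[path]
            if old["content"] != new["content"]:
                report["content"].append(path)
            fields = [k for k in ("mode", "uid", "gid", "selinux") if old[k] != new[k]]
            if fields:
                report["metadata"].append((path, fields))
    return report


def demo():
    """Constructed sample tree: snapshot, simulate a patch run, snapshot again, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        for name, text in (("passwd", "root:x:0:0\n"), ("motd", "hello\n"), ("old.conf", "x\n")):
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(text)
        os.chmod(os.path.join(etc, "motd"), 0o644)
        before = snapshot(root)

        with open(os.path.join(etc, "passwd"), "a") as fh:   # content change
            fh.write("newuser:x:1001:1001\n")
        os.chmod(os.path.join(etc, "motd"), 0o666)           # permission change only
        os.remove(os.path.join(etc, "old.conf"))             # file removed
        with open(os.path.join(etc, "extra.sh"), "w") as fh: # 'extra' file
            fh.write("#!/bin/sh\n")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

A plain checksum list would flag only etc/passwd here; the permission change on etc/motd and the extra file show up because metadata and the set of paths are recorded too.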
Re: [CentOS] GFS and Small Files
On Wed, Apr 29, 2009 at 07:01:17PM +0800, Hairul Ikmal Mohamad Fuzi wrote:
> Hi all,
>
> We are running CentOS 5.2 64bit as our file server. Currently, we used GFS (with CLVM underneath it) as our filesystem (for our multiple 2TB SAN volume exports) since we plan to add more file servers (serving the same contents) later on.
>
> The issue we are facing at the moment is we found out that command such as 'ls' gives a very slow response.(e.g 3-4minutes for the outputs of ls to be printed out, or in certain cases, 20minutes or so) This is completely true especially in directories containing large number of small files (e.g 9+ of 1-4kb files). The thing is, most of system users are generating these small files frequently as part of their workflow.
>
> We tried emulating the same scenario (9+ of small files) on a ext3 partition and it gives almost the same result.

This is likely related to the size of the ls process growing. To sort by date etc. ls pulls all the meta data into memory then reports.

> I believe most of the CLVM/GFS settings done are using the defaults parameters. Additionally, we would prefer to stick to GFS (or at least ext3) as it is part of CentOS / RHEL distribution rather than changing into other small-files 'friendly' filesystems (such as XFS, ReiserFS).
>
> I'm exploring whether is there anyway we can tune the GFS parameters to make the system more responsive?

With 'gobs' of files you may find that find, xargs and stat are the tools of choice.

> I have read that we can apply 'dir_index' option to ext3 partition to speedup things, but I'm not so sure about GFS.

Do look at ls with strace, top or a debugger.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] 5.3 and XFS
On Thu, Apr 16, 2009 at 07:34:13AM -0700, Akemi Yagi wrote:
> On Thu, Apr 16, 2009 at 7:21 AM, Karanbir Singh mail-li...@karan.org wrote:
>> Joseph L. Casale wrote:
>>> I never thought of that given that they come from the plus repo. So its only
>>
>> iirc, the xfs kmod's are not kernel ver dependant anymore, and havent been for a while. Tru / Akemi ?
>
> The kABI-tracking kmod-xfs for CentOS-5 started in Oct 2008. The CentOS-4 version has been tested and will be offered shortly (as soon as you/Tru builds it for release). :-D
>
> But the code is somewhat getting old. Maybe it's time to get the project xfs going again? Tru is the leader of this project.

OLD? What is broken that needs fixing?

XFS is in rather good shape and should not require much activity. As technology goes it was cutting edge technology when SGI designed it. It may be that ext4 will catch up but based on the clock the new ext4 may not be as stable as XFS is. A year from now... who knows.

I do see xfs related patches going to Linus today ... so it is not idle.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] programs with no man pages?
On Wed, Feb 25, 2009 at 10:07:12AM -0800, Scott Silva wrote:
Subject: Re: [CentOS] programs with no man pages?

Upstream (debian then Fedora ) there seems to be a man page.

    SS(8)                                                   SS(8)

    NAME
           ss - another utility to investigate sockets

    SYNOPSIS
           ss [options] [ FILTER ]

    DESCRIPTION
           ss is used to dump socket statistics. It allows showing
           information similar to netstat. It can display more TCP
           and state informations than other tools.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] ext3 heavy file fragmentation with NFS write
On Fri, Feb 27, 2009 at 08:31:01AM +0100, Andrzej Szymański wrote:
> Does anybody know how to avoid the file fragmentation when a file is created over NFSv3?
>
> A file created locally is OK:
>
> dd bs=32k if=/dev/zero of=test count=32x1024 conv=fsync
> filefrag test
> test: 10 extents found, perfection would be 9 extents
>
> When I create the file in the same dir, but from another machine, mounted over NFS:
>
> filefrag test
> test: 4833 extents found, perfection would be 9 extents
>
> With such a file a sequential read is quite slow (~76MB vs 200MB on my raid card). I can just suspect that this is a problem of block allocation when the same file is appended by different processes (8 NFS threads). I've tried mounting ext3 with -o reservation and switch to NFS over TCP, with no improvement.
>
> Both systems are Centos 5.2 with kernel 2.6.18-92.1.22.el5
> The ext3 is mounted with rw,nosuid,nodev,usrquota,grpquota,acl
> NFS export: rw,sync,no_root_squash
> 8 NFS threads.
> Remotely mounted with options rw,intr,nfsvers=3,proto=udp,rsize=32768,wsize=32768
>
> I would be very grateful for any help.
> Andrzej

First watch out for comparing sparse files and real files.

    dd bs=32k if=/dev/zero of=test count=32x1024 conv=fsync

Note that dev/zero combined with dd may be building a sparse file (or not). Sparse file block allocation is very different. I would build up a large file of binary data and dd it into test, having been bitten by sparse file filesystem tricks.

Also a local filesystem can have a very different free list than your NFS file system's underlying FS. You need to do the comparison on the exact same filesystem with the only difference being that one case is local and the other NFS.

If I run your dd on my /tmp I get 18 extents while on /var/tmp I get 582 extents. Both are local to this system. So 18 local and 582 local tells me that you must test exactly the same FS with the only difference is that the creation was local .vs. NFS.

All in all this is a don't care -- extents are not exactly equivalent to disk seeks and other disk I/O issues.

Some of this can be improved only if you rebuild the file system. mkfs has a lot of flags and choices... You might also need to switch filesystems -- xfs, ext2, ext3, ext4, jfs, reiser...

To some extent if you make an ideal local copy of a badly fragmented file you can improve the layout on disk/ filesystem. This should only be considered for very long lived very large files. Making a copy and comparing the original and copy with filefrag can tell you if this is worth doing. Backup and restore can help.

As a filesystem gets full this will get worse and worse. If you are +60% full do not bother.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] how to debug hardware lockups?
On Sat, Nov 15, 2008 at 08:13:24PM +0200, Rudi Ahlers wrote:
> On Sat, Nov 15, 2008 at 7:26 PM, Vandaman [EMAIL PROTECTED] wrote:
>> Rudi Ahlers wrote:
>>> We have a server which locks up about once a week (for the past 3 ..
>>> How do I debug the server, which runs CentOS 5.2 to see why it locks up?

Jumping in the middle of a long list of good ideas.

Other things to try -- change the run level: if 5 switch to 3, if 3 switch to 5.

Reinstall the processor -- remove the processor, clean the heat sink and processor of thermal compound, correctly apply the best thermal grease you can get (I like Arctic Silver), reinstall the heat sink. Consider upgrading the processor heat sink if the chassis permits (more Cu is good).

Add thermal spreaders to your RAM. You want all the chips on a RAM stick at the same temp.

Chkconfig cpuspeed off if it is on (powersaved on some distros); if off toggle to on.

Turn off any special system monitoring software tools. Things like I2C serial buses do not isolate simple read only activity from things that might modify (shut down) the system. I have seen sites install bluesmoke tools yet the kernel had EDAC installed. The two tools had overlapping uncoordinated interactions with the hardware and would randomly shut down the system. Very new boards are almost never supported well so consider going blind. Read EDAC info on CentOS and RH sites.

Inspect then tidy all cables; they can mess up air flow and cause thermal issues.

Reset the BIOS and check all the BIOS options.

Check for a BIOS update from the vendor. When updating the BIOS do a NVRAM reset. The data structures of the old BIOS and new may differ. The keyboard sequence to reset a BIOS to all defaults may require a call to tech support.

Call the vendor.. you have a warranty on a new board.

Since a hardware tty is not possible, login (ssh) and run a while /bin/true script that lets you see memory, processes and the exact time things fail, or just top. It is possible to have syslog also log to the pty of a ssh session.

When you return to the cage plug in a terminal. If there is no screen saver or screen blanking the GFX card may still display the last key bits of info so long as X is not running.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] Terminal emulation scripting
On Sat, Nov 15, 2008 at 11:31:23AM +1100, Amos Shapira wrote:
> I'm not near a computer to dig this but there should be a way to tell unix telnet to change the chars it sends for enter, read telnet(1). Hope this helps.
>
> --Amos
>
> On 11/15/08, Frank M. Ramaekers [EMAIL PROTECTED] wrote:
>> Okay, here are some things I found out.
>>
>> 1) Linux telnet is sending a 0x0a for the enter key
>> 2) Windows putty program is sending a 0x0d for the enter key
>> 3) Windows telnet is sending a 0x0d0a for the enter key
>> 4) The device (don't ask) I'm working with doesn't like the Linux telnet
>>
>> I've tried coding the expect with 0x0d:
>>
>> expect send m2 send \x0d
>>
>> But, this doesn't seem to work. I'm starting to run out of ideas.

Look at stty and the notion of cooked and raw tty devices. This is a key difference with Windows and Linux text. Windows newline is a pair; Unix/Linux is 0A LF '\n' (new line) and the line discipline expands the LF to the pair.

In you may need to set the tty to raw and then revisit your expect code.

Also terminals can be wonky. If you set $TERM to dumb you may find some sanity in your problem.

You can telnet to local host and run od -xc to see what you are sending. By tinkering with the stty setting you can toggle from cooked to half cooked to raw...

I think your problem is that your expectation is that the tty will reflect what you type and not cook it to something else.

In the early days of Unix the ability to have a newline not advance the roll permits overstrikes and simple line edits. LF need not imply a CR+LF pair. Thus this can be printed with seven bytes on the old yellow roll.

    a
     b
      c
       d

If you tinker with stty settings in scripts or programs save the initial settings so you can restore them.

See stty's man page for stuff like:

    [-]icrnl   translate carriage return to newline
    ...
    [-]igncr   ignore carriage return
    ...
    [-]inlcr   translate newline to carriage return
    ...

etc.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] CPU benchmarking tools
On Thu, Nov 13, 2008 at 05:40:04PM +, Tom Brown wrote:
>> measure your application performance. anything else is BS.
>
> h well not really as we have different CPU's from Intel and AMD and we want to see how these benchmark without benchmarking the apps(s) as apps are many and benchmarking them all against all the apps is not possible.

Published Spec benchmarks are valuable in this fuzzy context.

Once you have your application benchmarked, tools like lmbench may help you understand what the win/loss keys are.

http://sourceforge.net/projects/lmbench

More important than hardware can be your choice of compiler and IO (disk)... When looking at 'spec' benchmark results pay attention to the choice of compiler AND the hardware bits surrounding the CPU.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] bonding theory question
On Mon, Nov 10, 2008 at 11:17:57PM -0500, Mag Gam wrote:
> So, I decided to go with mode 6 since my network admin says thats supported at my college. I have everything working perfectly however I still get an occasional packet drop which is not good.

Occasional??? Except on a dedicated point to point link, packet drop is normal up to a point. What is the rate of loss and your expectation.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] Check my math please
On Wed, Nov 05, 2008 at 03:59:34PM -0600, Sean Carolan wrote:
>> Don't forget that the data speed != line speed. A line will only carry about 70% of the line speed as data because of packet overheads.
>
> Thanks for pointing this out. I believe I have enough information to make my case. My guesstimate before seeing the actual file sizes was that this would never work with less than a 2Mb/s connection, turns out I was pretty close!

Also compute the error recovery and lost packet detection and recovery issues in terms of buffering. In general you want a pad and flow control strategy. Some streams do well and others not.

If you use a reliable stream you will depend on the protocol for error recovery. Reliable data streams may not match your data's data structures and may require larger buffers than an initial back of envelope computation will indicate.

see http://en.wikipedia.org/wiki/Sorcerer%27s_Apprentice_Syndrome

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] The relationship between udev and MAKEDEV
On Tue, Oct 28, 2008 at 09:54:07AM -0400, Filipe Brandenburger wrote:
> On Tue, Oct 28, 2008 at 00:21, Clint Dilks [EMAIL PROTECTED] wrote:
>> 2. Is modifying /etc/makedev.d/01linux-2.6.x likely to cause me issues in future ?
>
> Possibly, since this file is owned by the MAKEDEV rpm. If there is an upgrade in MAKEDEV, it may overwrite this file. Or if it doesn't, but there was an addition of a new device there, you would not get the new device. I would say it would be safer to create a separate file instead of modifying those.

In the future may include a clean install. Thus the change needs to be entered in your off line notebook so you can recall the magic you are building in your box.

Check to see if the RPM builder marked it as a config file.

    rpm -qc MAKEDEV
    rpm -qV MAKEDEV

If it is a config file it will be paired with or as an *rpmnew or *rpmsave file.

http://www.redhat.com/docs/books/max-rpm/max-rpm-html/s1-rpm-install-additional-options.html

If it is not a config file you will need to be able to regenerate it from your notes. Adding a local file still requires a notebook entry and also eliminates the ability to do a simple search for *rpmnew or *rpmsave files.

Sysadmins need to watch for and as needed clean up these files

    $ sudo updatedb; locate -i rpm | egrep rpmnew\|rpmsave

The key to udev is that it is udev - userspace device management. Today in Linux most devices are under udev. Some devices are critical to system operation and need to be in place before the user space 'udev' tools can pick up the ball. The bonds depend on the distro..

http://git.kernel.org/?p=linux/hotplug/udev.git;a=blob;hb=HEAD;f=README
http://en.wikipedia.org/wiki/Udev

Another key is that the list of possible devices in a system is large, very large. If you look at all the possible devices the list can burst the limits imposed by major and minor device numbers. A number of solutions surfaced to address and manage this overflow -- udev is one of the solutions that seems to work.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] External ext3 USB Hard drive and selinux
On Wed, Oct 29, 2008 at 11:23:28AM -0400, Al Freundorfer wrote:
> I was directed to post this on the mailing list. See the following forum post as a reference.
> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=16710forum=42
>
> I formatted my external ext3 372GB USB hard drive in ubuntu and now want to use it in Centos. I made sure that my group/user numbers were the same. I was not able to write to the mounted USB hard drive (HD). I suspected selinux and shut it off and I was able to copy the file! I set selinux back to enforce and rebooted. I like the security features of selinux.
>
> I tried:
> 1) chcon -v
> 2) restorecon -Rv /media/disk
> 3) cp -P
> and still am not able to write to the USB HD. The sad part is I can delete files from the USB HD. See forum post for details.
>
> I tried it in fedora 9 and it is able to write to the USB HD
>
> I tried a 32GB USB memory stick in Centos 5.2 and it worked!
>
> I am wondering why it doesn't work for my USB HD? The only difference is the size.

Try rebooting in permissive mode then inspect the avc messages.

Double check the permissions of the mount point before and after mounting the device.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] Re: Ole Fossils [ was Re: ls and rm: argument list too long]
On Sat, Oct 25, 2008 at 12:16:23PM -0400, William L. Maltby wrote:
> On Sat, 2008-10-25 at 12:14 -0400, William L. Maltby wrote:
>> snip
>> Circa 1971/2(?), we had an IBM S360/30 with 64K (that's right, K, M)
>
> s/M/not M/

I wish I still had some of my 789 and 6789 cards. If only to use as bookmarks when I nod off in the middle of the afternoon drooling.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] Shipping CentOS as part of a solution
On Fri, Oct 17, 2008 at 11:21:14AM +0200, Niki Kovacs wrote:
> Mark Maskery wrote:
>> We develop and sell a server based application as an appliance in which, in general, the customer does not have direct access to the operating system. My question is, are we allowed to use CentOS as the underlying operating system and if so what license considerations are there or what license information would we need to include for our customers?
>
> Yes, you are allowed to do that. And if your business runs well, consider a donation to CentOS.

Review the GPL, BSD, X11 and other licenses as outlined on the CentOS web site (see also Red Hat's web site). You may need to make it very visible that there is CentOS under the hood.

You need to make available the source to the CentOS bits you deliver to your customer including changes you make. Your application need not be GPL as long as you are 100% the sole author. Give special attention to derived work in the GPL. If part of your application is GPL then it may well all be GPL.

To simplify your package requirements collect all the CentOS iso images and deliver them to your customer (both source and binary iso images). Then add media for the changes you make to CentOS. Lastly add separate media for the application you are selling.

Lastly pay attention to updates and security fixes that you deliver from CentOS or other repo. If the customer does not download them then you have some obligations

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] Reformatting a USB drive
On Thu, Sep 25, 2008 at 05:05:54PM -0400, Robert Moskowitz wrote:
> Found this old message about formatting a USB drive and it leaves a few questions for me:
>
> I am going to format it as ext3 to keep permissions. I don't need to use this drive on any M$ system.
>
> Do I unmount the drive after inserting it before I issue:
>
> mkfs.ext3 /dev/sda1
>
> BTW, when I do a 'man mkfs.ext3' it takes me to the man pages for mke2fs.
>
> After the format is done, do I have to do anything to make sure everything is 'written' to the drive before pulling it from the system?

After the format is finished give it time to push all the bits to the device. Run fsck on it at least once as a test... Since mkfs operates on the raw device there is 'little' risk if you count to 15 after fsck exits and remove...

In use, always sync, umount it. The graphical tools to unmount the volume do this for you.

Also consider asking if ext2 or another FS is a better choice than ext3. The journal is a busy place and might be a hot spot on the USB flash memory. The journal may also use more blocks than you expect.

Ext3 on spinning disks is more reliable because of the way spinning disks work but a flash disk might go goofy with half a flash block write in progress.

There are some flash memory specific filesystems out there... web search for stuff like: JFFS2 · Journaling Flash File System, 'LogFS, a scalable flash filesystem' etc...

Some of the issues do not matter on a $9.00 USB key but the big USB keys are more expensive than I like.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] buying the right cpu fan
On Tue, Sep 16, 2008 at 03:51:17PM -0700, MHR wrote: On Tue, Sep 16, 2008 at 10:51 AM, Craig White [EMAIL PROTECTED] wrote: (I sent this yesterday but it never made it through) I've got a remote system where I think I need to replace the CPU fan. Then why do I get the feeling that it is still Monday? Or the foreboding sense of deja vu? ;^) It was here, and answered, yesterday - look it up. It was answered One addition to the answer is to inspect dmidecode output. It is possible that there is enough vendor info (including serial numbers) to communicate with the vendor for the correct replacement part. -- T o m M i t c h e l l Found me a new hat, now what? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Changing hostname?
On Sat, Sep 13, 2008 at 08:06:46AM +0200, Niki Kovacs wrote:
> I recently made a CentOS install on a machine with an unsupported network card. I had to add the driver for it later, once I finished the install. For now I have this:
>
>     [EMAIL PROTECTED] ~]$ hostname --fqdn
>     localhost.localdomain
>
> Q: how would I change this to something like calimero.local? Here's what I *would* do, but I prefer to ask before.
>
> 1) edit /etc/sysconfig/network and edit this line:
>
>     HOSTNAME=calimero.local
>
> 2) add a line to /etc/hosts like this:
>
>     # Do not remove the following line, or various programs
>     # that require network functionality will fail.
>     127.0.0.1 localhost.localdomain localhost
>     127.0.0.1 calimero.local calimero
>     ::1 localhost6.localdomain6 localhost6
>
> Please correct me if I'm wrong.

Lots of replies to this already.

The critical thing to understand is that it is the network interfaces that have names, not the box. Sendmail and some other tools look for host names that have at least one dot in them. Thus localhost.localdomain gets paired with localhost as a CNAME.

This line:

    127.0.0.1 localhost.localdomain localhost

associated the IP address 127.0.0.1 with the name localhost.localdomain and its CNAME/alias localhost.

This second line is interesting:

    127.0.0.1 calimero.local calimero

It appears to redefine the relationship with 127.0.0.1. If you were programming and had two lines

    foo=this
    foo=that

you would expect the second assignment for foo to win and the second to be lost. It is possible that the pair of lines acts a bit like a =+ assignment; I would have to check.

A better line would be

    127.0.0.1 localhost.localdomain calimero.local calimero

or perhaps...

    127.0.0.1 localhost.localdomain calimero.localdomain calimero

These make it clear that you want all four names (long and short) associated with 127.0.0.1.

Having HOSTNAME set in places like /etc/sysconfig/network with a line like:

    HOSTNAME=calimero

has advantages in lots of ways... with wireless and other dynamic situations where plugging a wire in or wired connection to hot spots and more are possible, keeping the 'hostname' handy makes sense for a handful of reasons. Link local zeroconfig. It also permits the host to have the 'short' CNAME of calimero and still discover its fully qualified (lots of dots) host name. One advantage of caching the name of the host is that it permits the likes of dynamic DNS to work, and lots more, like on line/off line operation for mail composition.

In the case of swapping out the network card you need to look at /etc/sysconfig/network-scripts and /etc/modprobe.conf with a multiple network card admin hat on. It may be as simple as removing the old network interface (old hardware) and adding a new one with the same name. The graphical tools may make this way easy...

In the system and in the internet there are commonly aliases for things. For example eth0 is the common alias (sometimes defined in /etc/modprobe.conf) for ethernet ports. See also /etc/sysconfig/network-scripts/ifcfg-eth0 for lines like

    DEVICE=eth0

Aliases permit lots of layers of scripts to run without knowing the specific driver name.

If you reflect back on your initial install, you were asked if the host name was obtained from DHCP or was set (known) locally. So it depends... on decisions you made and also external decisions.

--
T o m M i t c h e l l
Found me a new hat, now what?
Re: [CentOS] Standby Issue
On Fri, Sep 12, 2008 at 06:58:46PM +0200, Test wrote:
> I'm running CentOS 5.2 on a Pentium III-1000. The box has been running for almost a year without any (hardware) issues. Since a few weeks the box goes into standby (power LED flashes) without any obvious reason (i.e. I cannot find anything).

Check for dust and gunk in the air flow. CPU cooler, power supply, air inlets to the box. Fans not spinning.

Other posters had good input as well.

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] Proxy with no cache
On Wed, Sep 03, 2008 at 11:53:28AM -0300, Sergio Belkin wrote:
> Hi, I want to install a proxy server but I don't need a cache. What software do you recommend?

Use squid with a small cache and also configure it to cache only small objects. While you do not need a cache now, you might in the future. In the process of setting up clients to use your proxy you might find that the scope of your need will change.

The key advantage of squid is that you can just install it from standard RPMs and the documentation is integrated.

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] OT - Offline uncorrectable sectors
On Tue, Aug 26, 2008 at 04:02:22PM +0200, Lorenzo Quatrini wrote:
> William L. Maltby wrote:
> > From man badblocks:
> >
> >     -n  Use non-destructive read-write mode. By default only a non-destructive read-only test is done. This option must not be combined with the -w option, as they are mutually exclusive.
> >
> > Note the phrase beginning with "By default only". I'll admit it could be more clearly stated.
>
> The Italian translation of the man page is outdated... I guess I should stick with the original version of man pages, or at least remember to check them.

Consider filing a bug -- one goal for the user community is to turn the old phrase RTFM to be "Read The Fine Manual" in contrast to the historic profanity. You can file it against either the English, the Italian translation or both.

As an alternative you can post a difference file to a list like this for discussion and ask ONE person to help you file the bug. Translations are commonly not done by the maintainer so a bug can be the best path. If you need help with the mechanics of filing a bug, ask...

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] OT - Offline uncorrectable sectors
On Mon, Aug 25, 2008 at 10:43:01AM +0200, Lorenzo Quatrini wrote:
> William L. Maltby wrote:
> > Yep. Only a few copies of the superblock and the i-node tables are written by the file system make process. That's why it's important for file systems in critical applications to be created with the check forced. Folks should also keep in mind that the default check, read only, is really not sufficient for critical situations. The full write/read check should be forced on *new* partitions/disks.
>
> So again my question is: can I use dd to test the disk? What about
>
>     dd if=/dev/sda of=/dev/sda bs=512
>
> Is this safe on a full running system? Has to be done at runlevel 1 or with a live cd? I think this is better than the manufacturer way, as dd is always present and works with any brand.

It is not safe on a mounted filesystem or devices with mounted filesystems. File system code on a partition will have no coherency interaction with the entire raw device.

See the -f flag in the badblocks man page:

    -f  Normally, badblocks will refuse to do a read/write or a non-destructive test on a device which is mounted, since either can cause the system to potentially crash and/or damage the filesystem even if .

It is also not 100% clear to me that the kernel buffer code will not see a paired set of dd commands as a no op and skip the write.

Vendor tools on an unmounted disk operate at a raw level and also have access to the vendor specific embedded controller commands, bypassing buffering and directly interacting with error codes and retry counts and more.

In normal operation the best opportunity to spare a sector or track is on a write. At that time the OS and disk both have known good data so a read after write can detect the defect/error and take the necessary action without loss of data. Some disks have read heads that follow the write heads to this end. Other disks require an additional revolution.

When mke2fs -c -c is invoked the second -c flag is important because the paired read/write can let the firmware on the disk map detected defects to spares. With a single -c flag the Linux filesystem code can assign the error blocks to non files.

A system admin that does a dd read of a problem disk may find that the OS hurls on the errors and takes the device off line. i.e. this command:

    dd if=/dev/sda of=/dev/sda bs=512

might not do the expected because the first read can take the device off line, negating the follow up write intended to fix things.

The tool hdparm is rich in info -- some flags are dangerous.

Bottom line... use vendor tools. Vendors like error reports from their tools for RMA processing and warranty...

BTW: smartd is a good thing. For me any disk that smartd had made noise about has failed... often with weeks or months of warning...

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] OT - Offline uncorrectable sectors
On Mon, Aug 25, 2008 at 07:24:24AM -0400, William L. Maltby wrote: Badblocks (which really should be invoked via mke2fs or e2fsck rather than manually) has useful, but limited, utility in ensuring reliability. And it does require some small storage space in the file system. And it does *not* assign alternate blocks (that is, it does not take advantage of the hardware alternate block capability). And it is not predictive, thereby being useful only for keeping an FS usable *after* data has been (potentially) lost on an existing file system. It's best utility is at FS creation and check time. It also has use if you can un-mount the FS (ignoring the force capability provided) but cannot take the system down to run manufacturer-specific diagnostic and repair software. It might be interesting to add a catch 22 story. I once added -c flags to /fsckoptions and touched /forcefsck. I had to take the disk to the lab and fix it on a bench system. -- T o m M i t c h e l l Got a great hat... now what. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT - Offline uncorrectable sectors
On Mon, Aug 25, 2008 at 03:43:18PM -0400, William L. Maltby wrote:
> On Mon, 2008-08-25 at 12:03 -0700, Nifty Cluster Mitch wrote:
> > On Mon, Aug 25, 2008 at 07:24:24AM -0400, William L. Maltby wrote:
> > > <snip> (potentially) lost on an existing file system. Its best utility is at FS creation and check time. It also has use if you can un-mount the FS (ignoring the force capability provided) but cannot take the system down to run manufacturer-specific diagnostic and repair software.
> >
> > It might be interesting to add a catch 22 story. I once added -c flags to /fsckoptions and touched /forcefsck. I had to take the disk to the lab and fix it on a bench system.
>
> YOIKS! Any explanation why such a reliable process would cause such a result? Was it a long time ago with a buggy e2fsck maybe? Did you mean to say you added the -f flag and the FS was mounted and active at the time? Is it just one of those Mysteries of the Universe? I hate those!

The removal of /forcefsck would never happen when badblocks was run. Something wonky perhaps because I did have a disk with defects.. Might be worth a retry next time I need to clean and reload a machine but I do not know how to reproduce the disk hardware issue.

Gone are the days where disk controllers gave you the ability to 'expose' defects.

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] Disabling IPv4
On Tue, Aug 19, 2008 at 10:52:52AM -0400, Robert Moskowitz wrote:
> Darryl Ross wrote:
> > Robert Moskowitz wrote:
> > > So looks like I am stuck with IPv4 no matter what. Unless there is some magic glue in rc.sysinit.
> >
> > Build a custom kernel and remove ipv4 support (or make it a module). It really isn't that hard.
>
> It really is not worth it. The desire to disable IPv4 was to clear out any 'confusion' while getting apps working on IPv6. Since this is a mobile project using HIP, I plan on using Teredo when on networks not providing native IPv6. So at some point IPv4 is needed again. Just an eye-opener that IPv4 is like, forever. At least right now. But you know, I remember the fights back in the early '90s to get IP into OSs.

One item to check and disable is IPv6 tunneling via IPv4. Today this is the common way to connect to the IPv6 network.

The next thing to check and flush are any DNS references for IPv4 resources.

I am not convinced that enough of the common Linux applications are IPv6 ready to build and run a pure IPv6 test host without a lot of tinkering. This is a CentOS list and CentOS will lag distros like Fedora and Gentoo.

I do recall a host of performance issues a while back with major sites like yahoo and google where the IPv6 records and such were missing. If DNS lookups find both IPv4 and IPv6 answers I am not sure which dominates and will then trigger a module load.

You may need to build an isolated IPv6 world.

--
T o m M i t c h e l l
Got a great hat... now what?
Re: [CentOS] df to get total disk usage on all filesystems?
On Thu, Aug 14, 2008 at 10:09:23AM -0700, MHR wrote:
> On Thu, Aug 14, 2008 at 3:50 AM, Stephen Harris [EMAIL PROTECTED] wrote:
> > On Thu, Aug 14, 2008 at 01:12:58AM -0700, MHR wrote:
> > > On Wed, Aug 13, 2008 at 8:56 PM, Lunix1618 [EMAIL PROTECTED] wrote:
> > > >     [EMAIL PROTECTED] ~]# df -kPl
> > > >     Filesystem                      1024-blocks     Used Available Capacity Mounted on
> > > >     /dev/mapper/VolGroup00-LogVol00   274405432 18584656 241656808       8% /
> > > >     /dev/sda2                            101105    19096     76788      20% /boot
> > > >     tmpfs                               1682508        0   1682508       0% /dev/shm
> > > >
> > > > and with the command of Stephen:
> > > >
> > > >     [EMAIL PROTECTED] ~]# df -Pkl | awk '/^\/dev\// { avail += $3/1024 } END { printf("%d Mb used\n",avail)} '
> > > >     18173 Mb used
> > >
> > > Well, I get 18167, but that's not too far off.
> >
> > And, remember, that the output of df might have changed in between times you ran df and you ran the awk command; there's only 7Mbytes difference. Did someone delete a 7Mbyte file? Send email? Finish a print job? Or... could be plenty of reasons for the used amount to go down.
>
> Clarification - I just took the numbers above and used a calculator - my system would never produce numbers anything like that for any of my machines

One trick is to send the df -Pkl info to a file. Then cat that file into the awk script. Also cat that file to stdout during debugging.

Sending the df output to a file does a number of things. It removes any race risk that you might be seeing. And it lets you and the community check yer work.

When in this discussion did the variable name avail get assigned to the Used col header in the line attributed to Stephen?

Something like:

    $ cat /tmp/checkspace
    #!/bin/bash
    df -Pkl > /tmp/checkingdiskspce
    echo -e "\nInput is:"
    cat /tmp/checkingdiskspce
    echo -e "\nAdding up the bits"
    cat /tmp/checkingdiskspce | awk '/^\/dev\// { used += $3/1024 } END { printf("%d Mb Used\n", used)} '
    echo -e "\nNow df with a human flag"
    df -h

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] df to get total disk usage on all filesystems?
On Thu, Aug 14, 2008 at 02:45:43PM -0700, MHR wrote:
> On Thu, Aug 14, 2008 at 2:36 PM, Nifty Cluster Mitch [EMAIL PROTECTED] wrote:
> >     $ cat /tmp/checkspace
> >     #!/bin/bash
> >     df -Pkl > /tmp/checkingdiskspce
> >     echo -e "\nInput is:"
> >     cat /tmp/checkingdiskspce
> >     echo -e "\nAdding up the bits"
> >     cat /tmp/checkingdiskspce | awk '/^\/dev\// { used += $3/1024 } END { printf("%d Mb Used\n", used)} '
>
> This is simpler (and does not involve as many execs and forks) as:
>
>     awk '/^\/dev\// { used += $3/1024 } END { printf("%d Mb Used\n", used)} ' /tmp/checkingdiskspce

True, yet if the goal is df | awk with no tmp file at all, the final edit and cleanup is cleaner. If the goal is to present the result of df combined with a bottom line summary, your line may be better.

I did notice in this discussion that no one looked at inode counts. A filesystem might be full for want of an inode. I cannot recall if ext[23] will allocate additional inodes dynamically like xfs will. Since xfs will allocate them but not delete, then a run-away could cause a lot to be allocated on xfs, confusing space use.

Other interesting system admin topics not addressed include sparse files. For some, knowing about sparse files is important for backup tools. Also allocation block size mismatch to average file sizes. Lots of small byte count files on a large allocation block causes book keeping confusion. Some tiny files never allocate a block as the inode can contain some data on some filesystems.

Just looked at the mke2fs man page: the -N, -i and -I flags answer my question about dynamic inode allocation (Answer=no).

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] learning centos
On Tue, Aug 12, 2008 at 05:41:17AM -0700, Akemi Yagi wrote: On Tue, Aug 12, 2008 at 5:11 AM, pedro henrique antunes de oliveira [EMAIL PROTECTED] wrote: Hello, I'm new to CENTOS and I'd like to learn how to use it from ground up. Can anyone recommend me books on it? I already have the documentation from the web site, can I start with it? I've already done very basic stuff on archlinux and slackware. Take a look at #4 of http://www.centos.org/modules/newbb/viewtopic.php?topic_id=14273forum=47 (for example) And do recall that CentOS draws from Redhat. There are many 'books' about RedHat -- from the ground up. -- T o m M i t c h e l l Got a great hat... now what. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Suggestion on Network Management software with troubleticket system
On Tue, Aug 12, 2008 at 07:52:45AM +0700, Fajar Priyanto wrote:
> Hi all, I'm looking for a network management software. And as the network grows it clearly becomes that manual notes is getting too tedious. Also an integrated trouble ticketing system would be great. Any reference is really appreciated.

Network management is an area worth some thought.

For tracking events to closure... Look at Bugzilla, Eventium and the other suggestions posted. I suspect you need tracking, ownership, states (new, assigned, working, OMGH, fixed), attached documents, the ability to generate reports and also solve the "do you remember" games when systems are down (documentation).

Network management is interesting. If there is a problem with the network, bug systems and other tools may also be off line. The classic way to monitor a network is to live on it and have a phone, Rolodex and pager handy to contact the other end of the wire.

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] Re: gcc editor for newbie (Emacs or vim or ?)
On Mon, Aug 11, 2008 at 07:20:22PM -0500, Lanny Marcus wrote:
> On Mon, Aug 11, 2008 at 1:30 PM, Scott Silva [EMAIL PROTECTED] wrote:
> > on 8-11-2008 9:06 AM Lanny Marcus spake the following:
> > > <snip> I will look at Eclipse, but one of my goals is to be able to fix problems on a remote box and that will probably require vi.
> >
> > Then you shouldn't go wrong, because I have yet to be on a linux box or a bsd box that didn't have some form or emulation of vi installed.
>
> vi is everywhere! But, apparently, I need to learn how to use Emacs or another IDE too, so there's another learning curve.

A good IDE can help you manage and organize a local project.

Stick with vi/vim/gvim and make for a while. Next add a revision control system (RCS) and patch to your tool kit.

Some class material takes advantage of a specific IDE to manage the various bits in a class. In a 'good' class they begin with small components. Then they begin to reuse those components and build larger projects. If you are working through such a tutorial -- go with the flow and use whatever tool set they do.

Eclipse is nice in that it can run both on Linux and Windows. For a Java class it is a natural...

Does anyone out there use Eclipse or another IDE with a distributed revision control system like git, mercurial, cvs, bitkeeper, etc...?

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] gcc editor for newbie (Emacs or vim or ?)
On Sun, Aug 10, 2008 at 05:04:16PM -0500, Lanny Marcus wrote:
> I downloaded the .pdf version of Thinking in C++ and I've begun to read that and I did yum groupinstall 'Development Tools'. I'm a Newbie Desktop user, jumping into the deep end of the pool. Should I try to learn vi (Vim) (which obviously will help me, if I ever need to administer a remote box) or install Emacs or something else, for the gcc editor? An easy learning curve is strongly preferred, but, I am 100% aware of the advantages of vi. Recommendations? TIA!

gvim

There is almost no pain if you stick with gvim (vim). The help is full of helpful stuff, the mouse works, syntax and keyword aware.

You might also look at Eclipse.

--
T o m M i t c h e l l
Got a great hat... now what.
Re: [CentOS] Restricting User Rights massively
On Tue, Jul 29, 2008 at 05:59:37PM +0200, Dirk H. Schulz wrote:
> Thanks to all who helped - rbash seems to be a good starting point since selinux is quite complex and takes some time to get into.
>
> Dirk

In this same list is a discussion worth a review:

    [CentOS] Re: securing rsync over ssh

This may address your problem. While this use of ssh is new to me, a quick read and there is a facility to run a specific command and associate that specific command with a specific ssh public/private key pair.

In that post the OP was looking for ways to expand the limitations, i.e. he was trying to work around a natural action that it sounds like the OP on this thread was looking for. So his problem looks like the solution to the initial post on this thread. Give it a look...

It should also work with PuTTY so an external Windows user like your manager could use it too.

--
T o m M i t c h e l l
Looking for a place to hang my hat.
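The facility mentioned in the message above is the command="..." option in ~/.ssh/authorized_keys, which binds one key pair to one command. The following is an added example, not code from this thread or from the rsync thread it points to: a forced-command wrapper that lets the key holder ask only for CPU load or memory usage. The script path, the request names (cpu, mem) and the key placeholder are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper (hypothetical path: /usr/local/bin/ssh-status-only).
#
# Matching authorized_keys entry, written on one line; the key material is a
# placeholder:
#   command="/usr/local/bin/ssh-status-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER... monitor-key
#
# sshd runs this script for every login with that key and puts whatever the
# client asked to run in SSH_ORIGINAL_COMMAND. The request is used only as a
# lookup key; it is never handed to a shell or to eval.

# Map a request name to a fixed command line.
# Prints the command and returns 0 if allowed; prints nothing and returns 1
# for anything else, including an empty request (an interactive login).
resolve_request() {
    case "$1" in
        cpu) echo "uptime" ;;
        mem) echo "free -m" ;;
        *)   return 1 ;;
    esac
}

# Look up the request, note refusals in syslog, run the fixed command.
handle_request() {
    request="$1"
    if ! fixed=$(resolve_request "$request"); then
        # The refused text itself is not logged: it is client-supplied.
        logger -t ssh-status-only "refused request from ${SSH_CLIENT:-unknown}" 2>/dev/null || true
        echo "request not permitted" >&2
        return 1
    fi
    # $fixed comes from the table above, so word splitting is intended here.
    $fixed
}

# When installed under its real name, act as the forced command.
case "${0##*/}" in
    ssh-status-only)
        handle_request "${SSH_ORIGINAL_COMMAND:-}"
        exit $?
        ;;
esac
```

With this in place, "ssh -i monitor_key host mem" prints the output of free -m, and any other request, including a plain login, is refused.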
Re: [CentOS] Centos 5.0 package updater asking me to update more than I installed
On Tue, Jul 29, 2008 at 07:26:12AM -0500, Johnny Hughes wrote:
> Kai Schaetzl wrote:
> > Mark Walker wrote on Mon, 28 Jul 2008 17:58:37 -0700:
> > > When I get the list of packages to be updated, there are things that I don't recognize having installed.
> >
> > Nevertheless, they probably *are* installed. There's a lot been installed during setup and because of dependencies. rpm -q packagename tells you more.
>
> These can all tell you more:
>
>     rpm -qa | sort > installed_rpms
>
> then edit that file ... this is everything installed on your machine.

or perhaps...

    #! /bin/bash
    # Write the full info record of every installed package to one file
    rpm -qa | while read -r it
    do
        echo
        echo ==
        rpm -qi "$it"
    done > /tmp/listofstuffonmachine

> You can also look at the file named: /root/install.log (that is what is installed by anaconda).
>
> Just for the record, the absolutely minimal install you can do in centos-5 from the installer (if not using a special kickstart file) has 169 RPM packages and is 670MB (and this install has no real gui software at all) ... my current workstation has 921 RPM packages installed, and there are 2458 RPM packages in the Base CentOS-5 OS repository.

--
T o m M i t c h e l l
Looking for a place to hang my hat.
Re: [CentOS] Restricting User Rights massively
On Tue, Jul 29, 2008 at 05:59:37PM +0200, Dirk H. Schulz wrote:
> Thanks to all who helped - rbash seems to be a good starting point since selinux is quite complex and takes some time to get into.
>
> Dirk
>
> --On 29. July 2008 09:40:31 -0400 William L. Maltby [EMAIL PROTECTED] wrote:
> > On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
> > > Hi folks, is it possible to restrict the rights of a user to only do few, defined actions, e.g. only look up cpu and memory usage, but not walk around in the file system, not see any other hardware details, run any binaries/scripts? I know several different techniques to achieve parts of this (like chrooting him), but is there one technique to get it all?
> >
> > Man bash. /-r and /RESTRICTED SHELL
> >
> > It'll take a little setup to custom tailor it. Permissions, PATH and a user or group specific bin directory (new one, not one of the standards) in their PATH. Some copy/symlink (careful with that) of existing executables may be useful. Be careful with scripts made available. There is a caveat that restrictions are removed when a script is being processed. Carefully constructed .bashrc, bash_profile.
> >
> > IMO, this is easier to setup than selinux, *may* meet all your needs and will not be affected by upgrades.
>
> Dirk
> --
> Dirk H. Schulz

> Thanks to all who helped - rbash seems to be a good starting point since

Getting this stuff correct is hard. Starting rbash is a good place to start but since you did not specify anything about the user (hostile, friendly), temporary or what sort of data or interaction will be involved, it is hard to be more helpful.

Absolutely require or set a good password on your rbash user account.

It may be possible to set up a web page that has a CGI script that only lets them see what you permit and has an access control list. Apache CGI scripting errors over time have educated the community on good (and bad) ways to address some of this stuff. Does this box already have a web server running?

While CGI scripts can be hard to get correct, script generated static pages are not as hard and can be updated with cron.

--
T o m M i t c h e l l
Looking for a place to hang my hat.
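The setup described in the message above (a private bin directory on PATH plus a restricted bash) can be checked before an account is handed out. This is an added example, not from the thread: it builds such a directory from symlinks and probes what "bash -r" then refuses. The probe list and directory names are assumptions; the script caveat from the quoted advice is shown by script_escapes.

```shell
#!/bin/sh
# Build a private bin directory for a restricted-shell account and check
# what "bash -r" (rbash) refuses once PATH points only at that directory.

BASH_BIN=$(command -v bash)

# build_bin DIR CMD...: create DIR containing symlinks to the named external
# commands only. Builtins and unknown names are rejected.
build_bin() {
    dir="$1"; shift
    mkdir -p "$dir" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || target=""
        case "$target" in
            /*) ln -sf "$target" "$dir/$cmd" ;;
            *)  echo "not an external command: $cmd" >&2; return 1 ;;
        esac
    done
}

# try_restricted DIR 'command line': run one command line in a restricted
# bash with an empty environment and PATH=DIR. Returns bash's exit status.
try_restricted() {
    env -i PATH="$1" "$BASH_BIN" --noprofile --norc -r -c "$2" >/dev/null 2>&1
}

# script_escapes DIR: the caveat from the thread. A shell script placed in
# the allowed directory runs in an ordinary, unrestricted shell. Returns 0
# if the script could cd, which the restricted shell itself may not do.
script_escapes() {
    printf '#!/bin/sh\ncd / && pwd\n' > "$1/report"
    chmod 755 "$1/report"
    try_restricted "$1" 'report'
}

demo() {
    bin=$(mktemp -d) || return 1
    build_bin "$bin" uptime free || { rm -rf "$bin"; return 1; }
    for probe in 'uptime' 'cd /' '/bin/ls' 'PATH=/bin:/usr/bin' \
                 'echo x > /tmp/out' 'exec sh'; do
        if try_restricted "$bin" "$probe"; then v=allowed; else v=refused; fi
        printf '%-22s %s\n' "$probe" "$v"
    done
    if script_escapes "$bin"; then
        echo "script in allowed dir  ran unrestricted (audit every script you expose)"
    fi
    rm -rf "$bin"
}

# Run "sh thisfile demo" to print the probe results.
case "${1:-}" in demo) demo ;; esac
```

Only the first probe should report "allowed"; the script line is the reason to expose binaries rather than shell scripts wherever possible.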
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, Jul 22, 2008 at 10:16:44AM -0500, David Dyer-Bennet wrote:
> On Tue, July 22, 2008 09:34, Rudi Ahlers wrote:
> > By changing the ports on all our servers to a high (above 1024) port, we have eliminated SSH scans altogether - been running like that for a few years now without any problems.
>
> On the other hand, why are people so worried about SSH scans? I'm worried about who actually gets in, not who connects to the port. Strong password quality enforcement, or maybe requiring public-key authentication, seem like a more useful response.

For me it is signal to noise ratio.

The longer the password file (valid users) the longer the list of connections and corresponding events (good and bad) that needs to be watched.

Switching to another port with a large user community requires that the entire community be informed, configured and supported.

I like 'denyhosts' as a tool to limit these attacks; other good solutions also exist. Most distros now have 'denyhosts' as a prebuilt RPM which is a plus IMO (+).

As others remarked, disable root logins. Manage the 'su, sudo' list with care and populate the illegal user list aggressively based on the attack list observed in the logs. Users with su, sudo privilege should be limited to those that use sshkey login and understand what a strong password is.

Later,
mitch

(+) a prebuilt RPM does present the issue that any flaw in the prebuilt can be widely exploited. As such updates should be watched for, tested and deployed promptly.

--
T o m M i t c h e l l
Looking for a place to hang my hat :-(
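The message above suggests building the denied-user list from what the logs show. This is an added example, not from the thread and not part of denyhosts: it counts failed sshd password attempts per source and collects the unknown account names tried, then prints a DenyUsers line for sshd_config. The log lines are constructed (documentation address ranges); on CentOS the real input would be /var/log/secure.

```shell
#!/bin/sh
# Summarise failed sshd logins from syslog-format lines read on stdin.

# Constructed sample input. The eighth line carries a "user name" with
# spaces in it, which is client-supplied text and must not confuse parsing.
sample_log() {
cat <<'EOF'
Jul 22 10:01:00 gw sshd[2101]: Invalid user admin from 203.0.113.5
Jul 22 10:01:02 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 22 10:01:05 gw sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul 22 10:01:09 gw sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51251 ssh2
Jul 22 10:03:40 gw sshd[2140]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Jul 22 10:03:52 gw sshd[2140]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
Jul 22 10:07:13 gw sshd[2201]: Failed password for invalid user test from 192.0.2.44 port 33900 ssh2
Jul 22 10:07:15 gw sshd[2203]: Failed password for invalid user x from 192.0.2.99 port 1 from 192.0.2.44 port 33910 ssh2
Jul 22 10:09:30 gw sshd[2250]: Accepted publickey for bob from 198.51.100.9 port 42000 ssh2
EOF
}

# failed_by_source MIN: print "count address" for each source with at least
# MIN failed password attempts, busiest first. The address is taken from the
# fixed tail "from ADDR port N ssh2", never from the user-name part.
failed_by_source() {
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-2) == "port" && $(NF-4) == "from" { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# invalid_users: unknown account names that were tried, one per line.
# Field 11 is the first word after "invalid user" in this syslog layout.
# Names that are not plain account names are dropped rather than copied
# into a configuration file.
invalid_users() {
    awk '
        / sshd\[[0-9]+\]: Failed password for invalid user / &&
        $(NF-2) == "port" && $(NF-4) == "from" {
            name = ""
            for (i = 11; i <= NF - 5; i++) name = name (i > 11 ? " " : "") $i
            if (name ~ /^[a-z_][a-z0-9_-]*$/) print name
        }
    ' | sort -u
}

# deny_users_line: the names above as one sshd_config DenyUsers directive.
deny_users_line() {
    names=$(invalid_users | tr '\n' ' ')
    [ -n "$names" ] && printf 'DenyUsers %s\n' "${names% }"
}

# Run "sh thisfile demo" to see the summary for the sample input.
case "${1:-}" in
    demo) sample_log | failed_by_source 2; sample_log | deny_users_line ;;
esac
```

The demo prints two sources (3 and 2 failures) and "DenyUsers admin oracle test"; review such a line before adding it, and pair it with PermitRootLogin no and key-only logins as the thread recommends.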
Re: [CentOS] prevent runaway PID taking down server (RAM/swap)
On Wed, Jul 23, 2008 at 02:36:11PM -0400, Ed Donahue wrote:
> Is there a way I can prevent processes from taking up all the ram then swap until the box crashes/freezes? I'm using IEs4Linux and the wineserver seems to start taking up RAM until my box dies, it happens slowly. I am able to kill the sucker now, but I'd like to not have to worry about that.
>
>     sar -r
>     01:00:01 PM kbmemfree kbmemused %memused kbbuffers kbcached kbswpfree kbswpused %swpused kbswpcad
>     01:10:01 PM      5812    949580    99.39      5560    67688    189912   1841696    90.65    33300
>     01:20:01 PM      4736    950656    99.50      4832   119364         0   2031608   100.00    46104
>     01:30:02 PM      8788    946604    99.08      1004    32360         4   2031604   100.00    10672
>     01:52:50 PM LINUX RESTART

If wineserver has no hook for limiting its own footprint, add a ulimit to the startup script or use a wrapper with one.

Look at ulimit -a for all the limits and the man page. There are multiple shared common resources that may apply.

    core file size          (blocks, -c) 0
    data seg size           (kbytes, -d) unlimited
    scheduling priority             (-e) 0
    file size               (blocks, -f) unlimited
    pending signals                 (-i) 20463
    max locked memory       (kbytes, -l) 32
    max memory size         (kbytes, -m) unlimited
    open files                      (-n) 1024
    pipe size            (512 bytes, -p) 8
    POSIX message queues     (bytes, -q) 819200
    real-time priority              (-r) 0
    stack size              (kbytes, -s) 10240
    cpu time               (seconds, -t) unlimited
    max user processes              (-u) 20463
    virtual memory          (kbytes, -v) unlimited
    file locks                      (-x) unlimited

You can check limits on a running process too.

    $ cat /proc/29906/limits
    Limit                     Soft Limit           Hard Limit           Units
    Max cpu time              unlimited            unlimited            ms
    Max file size             unlimited            unlimited            bytes
    Max data size             unlimited            unlimited            bytes
    Max stack size            10485760             unlimited            bytes
    Max core file size        0                    unlimited            bytes
    Max resident set          unlimited            unlimited            bytes
    Max processes             20463                20463                processes
    Max open files            1024                 1024                 files
    Max locked memory         32768                32768                bytes
    Max address space         unlimited            unlimited            bytes
    Max file locks            unlimited            unlimited            locks
    Max pending signals       20463                20463                signals
    Max msgqueue size         819200               819200               bytes
    Max nice priority         0                    0
    Max realtime priority     0                    0
    Max realtime timeout      unlimited            unlimited            us

--
T o m M i t c h e l l
Looking for a place to hang my hat :-(
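A wrapper of the kind suggested in the message above, as an added example that is not from the thread: it caps the address space of one command and confirms through /proc that the limit took effect. The 256 MB figure and the function names are assumptions; -v is used because Linux 2.6 and later kernels accept "max memory size" (-m) but do not enforce it.

```shell
#!/bin/sh
# Run a command with a cap on its address space, so a leak ends in a failed
# allocation inside that process instead of exhausting RAM and then swap.

# run_limited KBYTES COMMAND [ARGS...]
# The limit is set inside a subshell, so the caller's own limits are left
# alone; exec replaces the subshell and every child inherits the cap.
# Exit status 125 means the limit could not be set (for example because it
# is above the current hard limit); otherwise the command's own status.
run_limited() {
    kb="$1"; shift
    case "$kb" in
        ''|*[!0-9]*)
            echo "run_limited: limit must be a whole number of kbytes" >&2
            return 2
            ;;
    esac
    (
        ulimit -v "$kb" || exit 125
        exec "$@"
    )
}

# limit_seen_under KBYTES: start a process under the cap and print the soft
# "Max address space" value, in bytes, that the kernel reports for it.
limit_seen_under() {
    run_limited "$1" awk '/^Max address space/ { print $4 }' /proc/self/limits
}

# address_space_limit PID: the same value for an already running process,
# e.g. to confirm that a started service really carries the cap.
address_space_limit() {
    awk '/^Max address space/ { print $4 }' "/proc/$1/limits"
}

# Run "sh thisfile demo" to compare the capped value with this shell's own.
case "${1:-}" in
    demo)
        echo "under a 262144 kbyte cap: $(limit_seen_under 262144) bytes"
        echo "this shell:               $(address_space_limit $$)"
        ;;
esac
```

In a startup script the call would look like "run_limited 262144 wineserver"; pick the figure from the process's normal footprint, since a cap set too low makes ordinary allocations fail.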