Re: CGI Perl Security
On Wed, 25 Jul 2001, Jason Thomas wrote: not that I know of, but I would suggest turning on tainted mode and passing all external variables through a regex. , those that are set by the client. DOCUMENT_ROOT is set by the server, so it's just unneccessary overhead. you can of course do that, but if you don't trust your webserver, why are you running it at the first place ? : -- [-] you're wasting my time, chatterbox. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CGI Perl Security
Tamas TEVESZ [EMAIL PROTECTED] wrote: DOCUMENT_ROOT is set by the server, so it's just unneccessary overhead. you can of course do that, but if you don't trust your webserver, why are you running it at the first place ? : If you don't have taint mode on when coding perl scripts that must run in hostile environments (eg. CGIs), you're an idiot, and you're going to have problems sooner or later. If you *do* have taint mode on, then you need to untaint everything you want to use, including environment variables that you would normally trust anyway. -- Sam Couter | Internet Engineer | http://www.topic.com.au/ [EMAIL PROTECTED]| tSA Consulting | OpenPGP key ID: DE89C75C, available on key servers OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C PGP signature
Re: Unidentified subject!
hi, I got a similar problem on a machine running IPCHAINS. after an upredictable time period the machine suddenly forgets the ethernet card and results 100% packet loss even ifconfig shows the interface is there and then crashes. I can see the card starts blinking and packets are coming but there is nothing in the log about that and the interface is there but it is not. I tried dist-upgrade ( only the base system was installed on it and mc nothing else ) and it did not help. I have changed the ethernet card and it did not help and as a result I changed the distribution to lame Redhat 6.2 for trial and it works, no problem after that my manager said never touch a running system so I could not switch back to debian. My kernel was 2.2.19 pre 17 and nothing unstable. I believe the problem is with the 2.2.19 kernel since the only difference between the base systems of redhat and debian 2.2r3 is 2.2.14 and 2.2.19 not much else. I recommend you to upgrade your sys to 2.2.4 kernel. --- Nick Name [EMAIL PROTECTED] wrote: Hi all. I run a stable with some package from testing (XFree86 4.02 and konqueror). Some week ago in the morning I found my computer had been rebooted by night and found some zeroes in my syslog, just before the reboot. I first thought of a worm, the latest ramen variant (don't remember the name right now), but I didn't find any sign of it. I have changed my passwords, however I am using ipchains. Today my computer has freezed (!!! Its a debian it really shouldn't :) ) and I found those zeroes again after pressing that big red button. Do someone know something about this all? May this be a security problem? Thanks for your attention and sorry for my bad english Vincenzo Ciancia -- Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] _ Get your free e-mail account: http://www.petekmail.com -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Unidentified subject!
I think you mean 2.4.2 not 2.2.4 =) - k On Wednesday 25 July 2001 07:59 am, John DOE wrote: hi, I got a similar problem on a machine running IPCHAINS. after an upredictable time period the machine suddenly forgets the ethernet card and results 100% packet loss even ifconfig shows the interface is there and then crashes. I can see the card starts blinking and packets are coming but there is nothing in the log about that and the interface is there but it is not. I tried dist-upgrade ( only the base system was installed on it and mc nothing else ) and it did not help. I have changed the ethernet card and it did not help and as a result I changed the distribution to lame Redhat 6.2 for trial and it works, no problem after that my manager said never touch a running system so I could not switch back to debian. My kernel was 2.2.19 pre 17 and nothing unstable. I believe the problem is with the 2.2.19 kernel since the only difference between the base systems of redhat and debian 2.2r3 is 2.2.14 and 2.2.19 not much else. I recommend you to upgrade your sys to 2.2.4 kernel. --- Nick Name [EMAIL PROTECTED] wrote: Hi all. I run a stable with some package from testing (XFree86 4.02 and konqueror). Some week ago in the morning I found my computer had been rebooted by night and found some zeroes in my syslog, just before the reboot. I first thought of a worm, the latest ramen variant (don't remember the name right now), but I didn't find any sign of it. I have changed my passwords, however I am using ipchains. Today my computer has freezed (!!! Its a debian it really shouldn't :) ) and I found those zeroes again after pressing that big red button. Do someone know something about this all? May this be a security problem? Thanks for your attention and sorry for my bad english Vincenzo Ciancia -- Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] _ Get your free e-mail account: http://www.petekmail.com -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Unidentified subject!
unsubscribe __ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Daemon init scripts and apt-get [was: Re: red worm amusement]
On Wed, 25 Jul 2001, Mike Fedyk wrote: Yes, make the default configurable if you have your debconf setting to medium or low and default to Don't start otherwise. THAT is actually a good idea. Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. Please you two, do your homework. Search for invoke-rc.d in debian-policy; Since the sysvinit maintainer is MIA, you probably got a few weeks to give suggestions. -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Daemon init scripts and apt-get [was: Re: red worm amusement]
On Wed, Jul 25, 2001 at 01:37:00PM -0300, Henrique de Moraes Holschuh wrote: On Wed, 25 Jul 2001, Mike Fedyk wrote: Yes, make the default configurable if you have your debconf setting to medium or low and default to Don't start otherwise. THAT is actually a good idea. Thanks Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. Please you two, do your homework. Search for invoke-rc.d in debian-policy; Since the sysvinit maintainer is MIA, you probably got a few weeks to give suggestions. Actually, Steve posted the URL on the 23rd, and I'm just reading it now. Let's see if we can get some progress out of this flame thread... Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Daemon init scripts and apt-get [was: Re: red worm amusement]
On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote: Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote: Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Mike Fedyk [EMAIL PROTECTED] writes: Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. On Wed, Jul 25, 2001 at 11:05:25AM -0700, Dale Southard wrote: I think I've shot this one out before, but... Why not use something like the IRIX ``chkconfig'' system: Provide a simple program that takes the ``name'' of a service and then checks an external file/files for ``on'' or off status of each service, and returns 0 if on, 1 if off. Then have each init.d script do something like: case $1 in 'start') if /etc/chkconfig myservice; then ... start myservice ... fi Very nice, even better than sourcing... Though, source file is a one line change, and doesn't add logic to each package. But, that could lead to another flame war on what should go in that sourced file... [In IRIX, the /etc/config directory has a file for each name chkconfig knows about that contains either ``on'' or ``off'' so adding a new service is as simple as `echo on /etc/config/newservice`, though IRIX actually allows viewing and changing things with the chkconfig program itself (eg, `chkconfig` with no arguments lists every service known to chkconfig, `chkconfig service on|off` changes the state of a service, with a -f flag to ``force'' creation of a new service.)] This prevents ``uptdate surprises'' since updating everything including the init.d script doesn't change the on|off status of the service in the config directory. Of course it also means putting the above bit of logic in every init.d script that is put under chkconfig control and adding the necessary logic to the postinst script to create the config entry if it doesn't exist yet... I think we would probably default to off if there isn't a file, or if it doesn't contain on. That way, all you have to do is touch the file on install... Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Daemon init scripts and apt-get [was: Re: red worm amusement]
Mike Fedyk [EMAIL PROTECTED] writes: On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote: On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote: On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote: Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. I think I've shot this one out before, but... Why not use something like the IRIX ``chkconfig'' system: Provide a simple program that takes the ``name'' of a service and then checks an external file/files for ``on'' or off status of each service, and returns 0 if on, 1 if off. Then have each init.d script do something like: case $1 in 'start') if /etc/chkconfig myservice; then ... start myservice ... fi [In IRIX, the /etc/config directory has a file for each name chkconfig knows about that contains either ``on'' or ``off'' so adding a new service is as simple as `echo on /etc/config/newservice`, though IRIX actually allows viewing and changing things with the chkconfig program itself (eg, `chkconfig` with no arguments lists every service known to chkconfig, `chkconfig service on|off` changes the state of a service, with a -f flag to ``force'' creation of a new service.)] This prevents ``uptdate surprises'' since updating everything including the init.d script doesn't change the on|off status of the service in the config directory. Of course it also means putting the above bit of logic in every init.d script that is put under chkconfig control and adding the necessary logic to the postinst script to create the config entry if it doesn't exist yet... -- /* Dale Southard Jr. [EMAIL PROTECTED]925-422-1463 */ /* Computer Scientist, Accelerated Strategic Computing Initiative */ /* L-550, Lawrence Livermore National Lab, Livermore CA 94551 */ /* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving */ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CGI Perl Security
On Wed, 25 Jul 2001, Jason Thomas wrote: not that I know of, but I would suggest turning on tainted mode and passing all external variables through a regex. , those that are set by the client. DOCUMENT_ROOT is set by the server, so it's just unneccessary overhead. you can of course do that, but if you don't trust your webserver, why are you running it at the first place ? : -- [-] you're wasting my time, chatterbox.
Re: Unidentified subject!
hi, I got a similar problem on a machine running IPCHAINS. after an upredictable time period the machine suddenly forgets the ethernet card and results 100% packet loss even ifconfig shows the interface is there and then crashes. I can see the card starts blinking and packets are coming but there is nothing in the log about that and the interface is there but it is not. I tried dist-upgrade ( only the base system was installed on it and mc nothing else ) and it did not help. I have changed the ethernet card and it did not help and as a result I changed the distribution to lame Redhat 6.2 for trial and it works, no problem after that my manager said never touch a running system so I could not switch back to debian. My kernel was 2.2.19 pre 17 and nothing unstable. I believe the problem is with the 2.2.19 kernel since the only difference between the base systems of redhat and debian 2.2r3 is 2.2.14 and 2.2.19 not much else. I recommend you to upgrade your sys to 2.2.4 kernel. --- Nick Name [EMAIL PROTECTED] wrote: Hi all. I run a stable with some package from testing (XFree86 4.02 and konqueror). Some week ago in the morning I found my computer had been rebooted by night and found some zeroes in my syslog, just before the reboot. I first thought of a worm, the latest ramen variant (don't remember the name right now), but I didn't find any sign of it. I have changed my passwords, however I am using ipchains. Today my computer has freezed (!!! Its a debian it really shouldn't :) ) and I found those zeroes again after pressing that big red button. Do someone know something about this all? May this be a security problem? Thanks for your attention and sorry for my bad english Vincenzo Ciancia -- Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] _ Get your free e-mail account: http://www.petekmail.com
Re: Unidentified subject!
I think you mean 2.4.2 not 2.2.4 =) - k On Wednesday 25 July 2001 07:59 am, John DOE wrote: hi, I got a similar problem on a machine running IPCHAINS. after an upredictable time period the machine suddenly forgets the ethernet card and results 100% packet loss even ifconfig shows the interface is there and then crashes. I can see the card starts blinking and packets are coming but there is nothing in the log about that and the interface is there but it is not. I tried dist-upgrade ( only the base system was installed on it and mc nothing else ) and it did not help. I have changed the ethernet card and it did not help and as a result I changed the distribution to lame Redhat 6.2 for trial and it works, no problem after that my manager said never touch a running system so I could not switch back to debian. My kernel was 2.2.19 pre 17 and nothing unstable. I believe the problem is with the 2.2.19 kernel since the only difference between the base systems of redhat and debian 2.2r3 is 2.2.14 and 2.2.19 not much else. I recommend you to upgrade your sys to 2.2.4 kernel. --- Nick Name [EMAIL PROTECTED] wrote: Hi all. I run a stable with some package from testing (XFree86 4.02 and konqueror). Some week ago in the morning I found my computer had been rebooted by night and found some zeroes in my syslog, just before the reboot. I first thought of a worm, the latest ramen variant (don't remember the name right now), but I didn't find any sign of it. I have changed my passwords, however I am using ipchains. Today my computer has freezed (!!! Its a debian it really shouldn't :) ) and I found those zeroes again after pressing that big red button. Do someone know something about this all? May this be a security problem? Thanks for your attention and sorry for my bad english Vincenzo Ciancia -- Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] _ Get your free e-mail account: http://www.petekmail.com
Re: Unidentified subject!
too many dots too many numbers and confusion ;) you are rigth :). --- kath [EMAIL PROTECTED] wrote: I think you mean 2.4.2 not 2.2.4 =) - k On Wednesday 25 July 2001 07:59 am, John DOE wrote: hi, I got a similar problem on a machine running IPCHAINS. after an upredictable time period the machine suddenly forgets the ethernet card and results 100% packet loss even ifconfig shows the interface is there and then crashes. I can see the card starts blinking and packets are coming but there is nothing in the log about that and the interface is there but it is not. I tried dist-upgrade ( only the base system was installed on it and mc nothing else ) and it did not help. I have changed the ethernet card and it did not help and as a result I changed the distribution to lame Redhat 6.2 for trial and it works, no problem after that my manager said never touch a running system so I could not switch back to debian. My kernel was 2.2.19 pre 17 and nothing unstable. I believe the problem is with the 2.2.19 kernel since the only difference between the base systems of redhat and debian 2.2r3 is 2.2.14 and 2.2.19 not much else. I recommend you to upgrade your sys to 2.2.4 kernel. --- Nick Name [EMAIL PROTECTED] wrote: Hi all. I run a stable with some package from testing (XFree86 4.02 and konqueror). Some week ago in the morning I found my computer had been rebooted by night and found some zeroes in my syslog, just before the reboot. I first thought of a worm, the latest ramen variant (don't remember the name right now), but I didn't find any sign of it. I have changed my passwords, however I am using ipchains. Today my computer has freezed (!!! Its a debian it really shouldn't :) ) and I found those zeroes again after pressing that big red button. Do someone know something about this all? May this be a security problem? Thanks for your attention and sorry for my bad english Vincenzo Ciancia -- Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] _ Get your free e-mail account: http://www.petekmail.com _ Get your free e-mail account: http://www.petekmail.com
Unidentified subject!
unsubscribe __ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/
Daemon init scripts and apt-get [was: Re: red worm amusement]
On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote: On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote: On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote: I think that there should be a way to install a debian server packages without having the installation scripts start the server. This need not be default, but it should be possible. But that doesn't change the default. If you do something like this, you should add an option apt-get --run install foo Yes, that would make sense. Both --run and --no-run could be avalable as options with the default behavior determined by apt/dpkg configuration. As for what the default for apt/dpkg's config, that's for us to flame each other over... ;-) Yes, make the default configurable if you have your debconf setting to medium or low and default to Don't start otherwise. I really don't want to have to type something more every time just to keep the daemons from starting... If you have -run and --no-run what happens when you don't specify either? Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. Mike
Re: Daemon init scripts and apt-get [was: Re: red worm amusement]
On Wed, 25 Jul 2001, Mike Fedyk wrote: Yes, make the default configurable if you have your debconf setting to medium or low and default to Don't start otherwise. THAT is actually a good idea. Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. Please you two, do your homework. Search for invoke-rc.d in debian-policy; Since the sysvinit maintainer is MIA, you probably got a few weeks to give suggestions. -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh
Re: Daemon init scripts and apt-get [was: Re: red worm amusement]
On Wed, Jul 25, 2001 at 01:37:00PM -0300, Henrique de Moraes Holschuh wrote: On Wed, 25 Jul 2001, Mike Fedyk wrote: Yes, make the default configurable if you have your debconf setting to medium or low and default to Don't start otherwise. THAT is actually a good idea. Thanks Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. Please you two, do your homework. Search for invoke-rc.d in debian-policy; Since the sysvinit maintainer is MIA, you probably got a few weeks to give suggestions. Actually, Steve posted the URL on the 23rd, and I'm just reading it now. Let's see if we can get some progress out of this flame thread... Mike
Re: Daemon init scripts and apt-get [was: Re: red worm amusement]
On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote: Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote: Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Mike Fedyk [EMAIL PROTECTED] writes: Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. On Wed, Jul 25, 2001 at 11:05:25AM -0700, Dale Southard wrote: I think I've shot this one out before, but... Why not use something like the IRIX ``chkconfig'' system: Provide a simple program that takes the ``name'' of a service and then checks an external file/files for ``on'' or off status of each service, and returns 0 if on, 1 if off. Then have each init.d script do something like: case $1 in 'start') if /etc/chkconfig myservice; then ... start myservice ... fi Very nice, even better than sourcing... Though, source file is a one line change, and doesn't add logic to each package. But, that could lead to another flame war on what should go in that sourced file... [In IRIX, the /etc/config directory has a file for each name chkconfig knows about that contains either ``on'' or ``off'' so adding a new service is as simple as `echo on /etc/config/newservice`, though IRIX actually allows viewing and changing things with the chkconfig program itself (eg, `chkconfig` with no arguments lists every service known to chkconfig, `chkconfig service on|off` changes the state of a service, with a -f flag to ``force'' creation of a new service.)] This prevents ``uptdate surprises'' since updating everything including the init.d script doesn't change the on|off status of the service in the config directory. Of course it also means putting the above bit of logic in every init.d script that is put under chkconfig control and adding the necessary logic to the postinst script to create the config entry if it doesn't exist yet... I think we would probably default to off if there isn't a file, or if it doesn't contain on. That way, all you have to do is touch the file on install... Mike
Re: Daemon init scripts and apt-get [was: Re: red worm amusement]
Mike Fedyk [EMAIL PROTECTED] writes: On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote: On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote: On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote: Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existance before starting, or a commented entry in the config file that the init script checks for non-existance before starting... Well, now we're getting into heavy policy stuff I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode. Actually, if we could get them all to source an sh script that contains that logic, all changes to policy would be self-contained. I think I've shot this one out before, but... Why not use something like the IRIX ``chkconfig'' system: Provide a simple program that takes the ``name'' of a service and then checks an external file/files for ``on'' or off status of each service, and returns 0 if on, 1 if off. Then have each init.d script do something like: case $1 in 'start') if /etc/chkconfig myservice; then ... start myservice ... fi [In IRIX, the /etc/config directory has a file for each name chkconfig knows about that contains either ``on'' or ``off'' so adding a new service is as simple as `echo on /etc/config/newservice`, though IRIX actually allows viewing and changing things with the chkconfig program itself (eg, `chkconfig` with no arguments lists every service known to chkconfig, `chkconfig service on|off` changes the state of a service, with a -f flag to ``force'' creation of a new service.)] This prevents ``uptdate surprises'' since updating everything including the init.d script doesn't change the on|off status of the service in the config directory. Of course it also means putting the above bit of logic in every init.d script that is put under chkconfig control and adding the necessary logic to the postinst script to create the config entry if it doesn't exist yet... -- /* Dale Southard Jr. [EMAIL PROTECTED]925-422-1463 */ /* Computer Scientist, Accelerated Strategic Computing Initiative */ /* L-550, Lawrence Livermore National Lab, Livermore CA 94551 */ /* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving */