Re: FreeBSD, BSDi differences

2000-09-23 Thread Kris Kennaway

On Sat, 23 Sep 2000, steveb99 wrote:

 I'm still new to FreeBSD and like it so far, but I'm thinking of ways I can
 use it at work. I hear about BSDi and that it is used in many network
 appliances like f5's BigIP load balancers and other similar products. What
 I've read BSDi is used because of its excellent TCP stack and other
 networking.  So how different is FreeBSD TCP stack and networking from
 BSDi's?

Very little.

Both FreeBSD and BSDi are derived from the same code. There are no doubt a
few differences, but based on what I've seen in other parts of the BSD/OS
code I'd be surprised if theirs had received as much work as our network
code has.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message



Re: Executable packages (long, sorry)

2000-09-20 Thread Kris Kennaway

On Wed, 20 Sep 2000, Koster, K.J. wrote:

 Riding on the wave of the unified BSD packages effort, this might be a good
 time to rekindle that idea. Say that we agree on some form of uniform
 package layout. You'd say that man pages go into $PKG_BASE/$PKG_NAME/man,
 and that libraries go into $PKG_BASE/$PKG_NAME/lib, and that there is
 probably a script named $PKG_BASE/$PKG_NAME/etc/rc that takes the arguments
 "start" and "stop" for system startup. A script named
 $PKG_BASE/$PKG_NAME/bin/run is invoked when a user types $PKG_NAME at the
 command prompt (triggered by a script in /usr/local/bin, which is symlinked
 to $PKG_NAME.

It's not possible to determine where a lot of packages install, at
run-time - they need compile-time settings. Our packages should mostly
(with some notable exceptions where it's just too damn hard) be
PREFIX-clean, meaning you can install them wherever you like, but you have
to specify that at port compile-time.

A similar idea has come up in the past about using something like stow to
keep ports in separate directories with symlinks from a master
/usr/local/bin, but no-one's done the work to allow it. Hint.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: 4.1 make world and cvsup release field

2000-09-18 Thread Kris Kennaway

On Mon, 18 Sep 2000, Christopher Stein wrote:

 I would like to do this via cvsup and `make world'.
 My understanding is that `make world' is just buildworld followed
 by installworld, each a single monolithic step. Hhmm.. it seems
 to me that some build stages will not work without
 some other elements being installed. For example, my current modified
 4.1 kernel will not build on a 3.3 system due to the old binutils (2.9.1
 vs. 2.10). So how can a `make world' work in a monolithic build then
 install sequence?

See the /usr/src/UPDATING file after updating your source and be sure to
follow the directions precisely.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: installing ...

2000-09-14 Thread Kris Kennaway

On Wed, 13 Sep 2000, Danny Braniss wrote:

 after i made a 'make buildworld' how can i get it to install in /5.0-CURRENT?
 i compiled on a 4.1.

I respectfully suggest that if you don't know how to install FreeBSD from
source, you shouldn't be using 5.0-CURRENT, which can and will screw up
your system unless you already know how to fix it yourself.

See http://www.freebsd.org/handbook/current-stable.html

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: installing ...

2000-09-14 Thread Kris Kennaway

On Thu, 14 Sep 2000, Danny Braniss wrote:

 In message [EMAIL PROTECTED] you write:
 }On Wed, 13 Sep 2000, Danny Braniss wrote:
 }
 } after i made a 'make buildworld' how can i get it to install in /5.0-CURRENT?
 } i compiled on a 4.1.
 }
 }I respectfully suggest that if you don't know how to install FreeBSD from
 }source, you shouldn't be using 5.0-CURRENT, which can and will screw up
 }your system unless you already know how to fix it yourself.
 
 well, it shouldn't screw up my system, if, for example, the install is not to
 a live system but to another partition, or disk which i could later boot from.
 i only asked, since i saw that one can compile to /usr/obj, which is fine, so
 what happened to that extra mile?

Current can screw up anything and everything :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Token Ring ??

2000-09-07 Thread Kris Kennaway

On Wed, 6 Sep 2000, Len Conrad wrote:

 
 If I am not mistaken Token Ring _is_ supported in FreeBSD.
 
 Stealthy support it is, then, as I cannot find it here:
 
 http://www.freebsd.org/releases/4.1R/notes.html

Unfortunately, the release notes tend to lag behind the actual state of
the system, sometimes significantly. This may be improving. As always, the
code is the definitive reference :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: How to stop problems from printf

2000-09-07 Thread Kris Kennaway

On Thu, 7 Sep 2000, Warner Losh wrote:

 In message [EMAIL PROTECTED] "John Doh!" writes:
 : Issue is must be getting format string from "untrusted" place, but want to 
 : limit substitution of %... to the substitution of say in example the 
 : argv[0], but to not do others so that say given "usage: %s filename %p" %p 
 : not interpret but to be print instead as literally so we get output of 
 : (saying to be argv[0] as test just for example) usage: test filename %p
 : 
 : any hints you have I am very grateful for.
 
 Fix gettext to only allow N arguments in the same order that the
 original message had.

gettext() doesn't take any additional arguments, AFAIK it just munges the
string. The argument substitution was being done by printf() in the
example given.

"usage: %s filename" -> "blurgle: %s flobodob"

But if you're looking up in an untrusted catalog, then it could return

"blurgle: %s flobodob %n%n%n%n%n" in which case your function might be
insecure.

The only possibilities I immediately see are:

1) Don't do that (look up in untrusted catalogs)

2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
looks up the message in the catalog, b) verifies the returned string has
the same number and type of format strings, and c) substitutes the
arguments passed to it using vsnprintf() into the passed buffer. The
resulting string should then be handled using function("%s", buf) to deal
with escaped format strings ("%%s" which would be parsed to %s by the
vsnprintf()). I don't think you can do it securely otherwise, unless I'm
missing something.

The problem is that you want gettext to substitute arguments into the
string, but it doesn't do that, and the string it returns has an unknown
number of format strings so it's not safe to use in a varargs function.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: How to stop problems from printf

2000-09-07 Thread Kris Kennaway

On Thu, 7 Sep 2000, Warner Losh wrote:

 In message [EMAIL PROTECTED] Kris Kennaway writes:
 : gettext() doesn't take any additional arguments, AFAIK it just munges the
 : string. The argument substitution was being done by printf() in the
 : example given.
 
 Right.  You know how many args are expected, since you know printf.
 
 : The only possibilities I immediately see are:
 : 
 : 1) Don't do that (look up in untrusted catalogs)
 : 
 : 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
 : looks up the message in the catalog, b) verifies the returned string has
 : the same number and type of format strings, and c) substitutes the
 : arguments passed to it using vsnprintf() into the passed buffer. The
 : resulting string should then be handled using function("%s", buf) to deal
 : with escaped format strings ("%%s" which would be parsed to %s by the
 : vsnprintf()). I don't think you can do it securely otherwise, unless I'm
 : missing something.
 : 
 : The problem is that you want gettext to substitute arguments into the
 : string, but it doesn't do that, and the string it returns has an unknown
 : number of format strings so it's not safe to use in a varargs function.
 
 3) figure out how many args a string needs and forbid strings with
 more than that in them.  It knows from the original number of
 % args, can apply the printf rules.  It would be trivial to write
 one function to do most of this.  You get the number of args in the
 key, you get the number of args in the new string using the same
 routine.  If the two numbers aren't equal, you return the original
 key string, or abort.

It also needs to check they are all of the same type, as changing a %d to
a %s for example could conceivably be exploitable. And you would have to
forbid escaped % characters as well. Yeah, I think that would be
doable. We probably should talk to the gnu gettext guys.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]
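
The check discussed in this thread (same number and type of conversions, no escaped % characters, fall back to the original key on a mismatch), as an added example that is not code from any of the posters or from gettext. The function names are hypothetical, and refusing %n and positional %1$s arguments outright is an assumption made here to keep the checker conservative.

```c
#include <stdio.h>
#include <string.h>

#define SIG_MAX 128   /* buffer for the type signature of one format string */

/* Append one argument token plus ';' to sig. Returns 0, or -1 if sig is full. */
static int emit(char *sig, size_t siglen, const char *tok)
{
    size_t used = strlen(sig);
    int n = snprintf(sig + used, siglen - used, "%s;", tok);
    return (n < 0 || (size_t)n >= siglen - used) ? -1 : 0;
}

/* Skip a width or precision. A '*' takes an int argument, so record it. */
static int skip_number(const char **pp, char *sig, size_t siglen, int *nargs)
{
    if (**pp == '*') {
        (*pp)++;
        (*nargs)++;
        return emit(sig, siglen, "*");
    }
    while (**pp >= '0' && **pp <= '9')
        (*pp)++;
    return 0;
}

/* Write the ordered argument types fmt consumes into sig; return their count.
 * Returns -1 for anything refused: "%%" (as the thread suggests), %n and
 * positional "%1$s" arguments (added, conservative choices), or bad syntax. */
int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    const char *p = fmt;
    int nargs = 0;
    if (siglen == 0)
        return -1;
    sig[0] = '\0';
    while (*p != '\0') {
        char tok[4] = "";
        size_t n = 0;
        if (*p++ != '%')
            continue;                      /* ordinary character */
        if (*p == '%')
            return -1;                     /* escaped percent */
        while (*p != '\0' && strchr("-+ #0", *p) != NULL)
            p++;                           /* flags */
        if (skip_number(&p, sig, siglen, &nargs) != 0 || *p == '$')
            return -1;                     /* width, or positional argument */
        if (*p == '.') {
            p++;                           /* precision */
            if (skip_number(&p, sig, siglen, &nargs) != 0)
                return -1;
        }
        while (n < 2 && *p != '\0' && strchr("hlLjzt", *p) != NULL)
            tok[n++] = *p++;               /* length modifier */
        if (*p == '\0')
            return -1;                     /* directive cut short */
        if (strchr("di", *p) != NULL)
            tok[n] = 'd';                  /* signed integer */
        else if (strchr("ouxX", *p) != NULL)
            tok[n] = 'u';                  /* unsigned integer */
        else if (strchr("eEfFgGaA", *p) != NULL)
            tok[n] = 'f';                  /* floating point */
        else if (strchr("csp", *p) != NULL)
            tok[n] = *p;                   /* char, string, pointer */
        else
            return -1;                     /* %n or unknown conversion */
        p++;
        if (emit(sig, siglen, tok) != 0)
            return -1;
        nargs++;
    }
    return nargs;
}

/* 1 if the translated string takes exactly the same arguments as the key. */
int fmt_compatible(const char *key, const char *xlat)
{
    char a[SIG_MAX], b[SIG_MAX];
    int na = fmt_signature(key, a, sizeof(a));
    int nb = fmt_signature(xlat, b, sizeof(b));
    return na >= 0 && na == nb && strcmp(a, b) == 0;
}

/* Return the translation if it is safe to use, else fall back to the key. */
const char *checked_format(const char *key, const char *xlat)
{
    return fmt_compatible(key, xlat) ? xlat : key;
}

int main(void)
{
    /* Constructed catalog entries, using the strings quoted in the thread. */
    const char *key = "usage: %s filename";
    const char *cand[] = { "blurgle: %s flobodob",
                           "blurgle: %s flobodob %n%n%n%n%n" };
    for (int i = 0; i < 2; i++)
        printf("%-34s %s\n", cand[i], fmt_compatible(key, cand[i]) ? "accept" : "reject");
    return 0;
}
```

A caller would pass `checked_format(key, gettext(key))` as the format argument, so a tampered catalog entry degrades to the untranslated message.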






Re: How to stop problems from printf

2000-09-07 Thread Kris Kennaway

On Fri, 8 Sep 2000, Jan Knepper wrote:

 I don't know what you are doing with the 'gettext' in the call to 'printf'.

Translate the string into a localized version. You can't just printf("%s",
gettext(...), args) because the arguments won't be printed, only the raw
string returned from gettext will, which contains operators you wanted to 
be substituted for. See the original example.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: FYI: RSA Donated to the public domain

2000-09-06 Thread Kris Kennaway

On Wed, 6 Sep 2000, Warner Losh wrote:

 In message [EMAIL PROTECTED] Warner Losh writes:
 : RSA Security Releases RSA Encryption Algorithm into Public Domain
 
 Note that other information at the site says that RSAREF isn't
 released into the public domain.  Its use is still governed by
 copyright law, so we'll have to use the international version of
 RSAREF if we want to get RSA into -current.

There's no reason why we would want to continue to use RSAREF, except
perhaps for source code compatibility with something that was written to
link against it. The OpenSSL implementation is much better, and basically
we just have to build it by default now.

I'm not sure whether it's okay to build a shim for OpenSSL which
translates the RSAREF API into the native one (the reverse of the OpenSSL
- RSAREF code which currently exists), but it would be mildly useful for
those legacy apps.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: /usr/include/openssl/rsaref.h not installed, Why ?

2000-08-30 Thread Kris Kennaway

On Wed, 30 Aug 2000, Julian Stacey wrote:

 On 4.1 (built by `all` from 4.0, not via `world`, as that host is tooo slow!)
 I had to do
   cd /usr/src; cp crypto/openssl/rsaref/rsaref.h /usr/include/openssl/
 (The rest of src/ makes OK though.)
 Have people been living on hand enhanced /usr/includes ? or is it just me ?
 Is it my mistake ?  Or something to fix ?

Don't know..never heard this complaint before so I'm forced to conclude
it's probably an artifact of the way you're building your sources.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Moving FreeBSD towards glibc (or: FreeBSD and Hurd/Mach)

2000-08-25 Thread Kris Kennaway

On Sat, 26 Aug 2000, Farid Hajji wrote:

 Hello,
 
 [please Cc: to me, since I'm not subscribed to this list. Thanks]
 
 are there plans to replace FreeBSD's libc with GNU glibc in the near
 or medium future?

I think I can safely say:

"No."

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: COMPAT_43 and kernel compiles.

2000-08-13 Thread Kris Kennaway

On Sun, 13 Aug 2000, John Baldwin wrote:

 Usually when testing a kernel compile, GENERIC is the kernel to test.
 If your changes are intrusive enough, you might also want to make sure
 that LINT builds ok.  The LINT config file is generated from NOTES by
 typing 'make LINT' in /sys/i386/conf/.

I thought LINT was always supposed to be built because by definition not
everything is in GENERIC, and your changes might have broken something
else you didn't test. Of course, testing LINT can't catch all bugs since
problems may result from the lack of a kernel option, but it's a good
start.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Logging changes in files.

2000-08-09 Thread Kris Kennaway

On Wed, 9 Aug 2000, [iso-8859-1] Jesús Arnáiz wrote:

 Hi Everyone!
 
 I'm using FreeBSD and I'm interested in logging when a user modifies some file
 and the changes made on it.

See the kqueue(2) manpage in FreeBSD 4.1. It would be a trivial matter to
write a utility that watches files for activity and logs it, although
finding out who modified the file would be harder.

The "proper" way to do this is using a kernel event audit system, which is
something the TrustedBSD project (www.trustedbsd.org) will provide, but
AFAIK no code is available for this yet.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: vmware changes result in nasty bridging mess

2000-08-06 Thread Kris Kennaway

On Sun, 6 Aug 2000, Robert Watson wrote:

 Un-announced, the vmware port enabled bridging between the ethernet
 interfaces on my notebook

This is bad - ethernet segments should not be bridged without explicit
user confirmation, because they are commonly separated precisely for
security reasons.

Someone please fix the port appropriately..thanks.

Kris
FreeBSD Security Officer Team

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Virtual interaces and tunneling stuff over SSH

2000-08-01 Thread Kris Kennaway

On Tue, 1 Aug 2000, Steve Hocking wrote:

 Is it possible to use an SSH connection with a tun interface at either end, 
 such that one could have a VPN? I'm tired of waiting for people here to make a 
 decision on a package and would like to have a proof of concept up and 
 running. Extra points for those who can do the same thing with a Linux box at 
 one end.

Use ppp(8) or pppd(8)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: CRACK - Dreamweaver (fwd)

2000-07-31 Thread Kris Kennaway

On Fri, 28 Jul 2000, Kris Kennaway wrote:

  Hi Can you tell me where I can get Crack for Dreamweaver 3 ?/
 
 Go to http://2130706433/crackz/index.html for all of your 0-day cracks.
 The site is busy though, you might have to keep retrying for a while
 before you get in.

Since there was some confusion about this in private mail, and one of the
people who responded didn't even provide a valid return address, I'd just
like to clue these people in on the joke so they don't continue to think
I'm a warez monkey:

# ping 2130706433
PING 2130706433 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.331 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.218 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=0.240 ms

i.e. 2130706433 == 127.0.0.1 in 32-bit notation.

Geddit? *sigh*

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]







Re: How to make *real* random bits.

2000-07-31 Thread Kris Kennaway

On Mon, 31 Jul 2000, Poul-Henning Kamp wrote:

 [3] Feel free to analyze:

Could you post a larger sample (say, 10MB) somewhere for statistical
analysis? The 1939 bytes here look pretty good at first glance:

1939 samples, total weight 7729, average weight per sample 3.986075
Bit 0 average weight 0.502837
Bit 1 average weight 0.482723
Bit 2 average weight 0.490975
Bit 3 average weight 0.521919
Bit 4 average weight 0.496132
Bit 5 average weight 0.484786
Bit 6 average weight 0.504899
Bit 7 average weight 0.501805

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: CRACK - Dreamweaver

2000-07-28 Thread Kris Kennaway

On Fri, 28 Jul 2000, Richard Stoodley wrote:

 Hi Can you tell me where I can get Crack for Dreamweaver 3 ?/

Go to http://2130706433/crackz/index.html for all of your 0-day cracks.
The site is busy though, you might have to keep retrying for a while
before you get in.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: ELF rtld and environment variables...

2000-07-27 Thread Kris Kennaway

On Wed, 26 Jul 2000, Julian Stacey wrote:

 That laptop has now gone to 4.0,  aout to elf,  a 1.5G disc, so no
 incentive to do it all again to see how much FreeBSD-4 gzipped aout
 binary tree might save/waste on a whole tree.  BTW I was `strip'ing

gzexe(1) is your friend :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Benchmark oddities

2000-07-26 Thread Kris Kennaway

On Wed, 26 Jul 2000, [iso-8859-1] Tommy Hallgren wrote:

 I'm reading http://www-scf.usc.edu/~akhavans/Linux_vs_FreeBSD.pdf and have a
 couple of questions I hope someone here could answer.

I thought this paper was quite poorly written, in general - for example,
the author is unable to stop gushing about Linux during the first half of
the paper (he talks about how standards-compliant it is, the "exemplary
performance" it achieves, etc) but then seems to switch abruptly
mid-stream, and comes to the conclusion that neither is better than the
other.

There are several outright fallacies in his reasoning which invalidate
some of the conclusions and testing methodologies (such as the getpid()
thing, the claim (allegedly from a Linux manpage, no less!) that FreeBSD
copies the entire address space on fork(), the claim that FreeBSD can "run
fewer copies of the Apache binary" since the binary size is larger, that
it is unable to run on 2 CPUs), etc.

Basically, it's so poorly done it's not worth worrying about (until it
shows up on slashdot, sigh)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Problems with 6-in-4 tunnels in 4.1-RC?

2000-07-24 Thread Kris Kennaway

On Mon, 24 Jul 2000, Nick Sayer wrote:

 My -stable machine just turned deaf on its gif0 interface.
 I can see the encapsulated packets coming in and out and they
 look correct...

Hmm. It works fine for me. Can you show me your routing table?

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: problem on 4.1-RC (4.0-stable)

2000-07-20 Thread Kris Kennaway

On Thu, 20 Jul 2000, Ulf Zimmermann wrote:

 and still:
 
 fourtytwo ulf home/ulf  ps
 ps: bad namelist

You're not bypassing the loader when you boot are you?

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: PATCH src/etc/root : more-less

2000-07-11 Thread Kris Kennaway

On Tue, 11 Jul 2000 [EMAIL PROTECTED] wrote:

 -alias la ls -a
 -alias lf ls -FA
 -alias ll ls -lA
 +alias la ls -aG
 +alias lf ls -FAG
 +alias ll ls -lAG
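
Review bot: all three replacement aliases (la, lf, ll) add -G, which turns on colourised ls output in the stock root dotfile for every root login rather than for the submitter alone, and nothing in the visible lines gives a rationale for changing the shipped defaults. Suggest leaving the existing aliases as they are and keeping the -G variants in a personal dotfile, or resubmitting with the reason stated and the colour variants offered as commented-out alternatives.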

Rage..rising...blood..seething! Must not..thump..submitter!

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: OpenSSH 2.X problem with escape chars?

2000-07-08 Thread Kris Kennaway

On Sat, 8 Jul 2000, Adrian Filipi-Martin wrote:

   The same problem exists under 4-STABLE from 07/04/00.  I haven't
 had time to dig into it for real, but running ssh with -v, seemed to make
 me believe that the client end was passing along the ~ to the remote end.
 IIRC, the ~ should be dealt with on the client end.

You should report this to the OpenSSH guys: see www.openssh.com for list
of mailing lists. It doesn't sound like a bug we've introduced in our
version, and if it's a generic OpenSSH bug then it should be fixed at the
source.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: latest news concerned crypto stuff

2000-07-05 Thread Kris Kennaway

On Wed, 5 Jul 2000, Max Khon wrote:

 do the latest news concerned crypto stuff mean that we can now always have
 DES in base system? and what's about a possibility to select Crypt Format
 (DES/MD5/SHA/whatever) per user or per login class?

No, that code is still not finished. I'm currently sidetracked working on
KAME integration in current and trying to get it merged in time for 4.1

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: VPNs and FreeBSD

2000-07-04 Thread Kris Kennaway

On Sun, 2 Jul 2000, Nick Rogness wrote:

 On Sun, 2 Jul 2000, Stephen Hocking wrote:
 
  Has anyone done this yet? I've just acquired this shiny new cable modem and 
  would like to have secure access to my place of work (even though they're only 
  10 minutes walk away!)
 
   I have done just that with nos-tun and Road Runner service.  I

That's a Virtual Public Network, then..better not log into your work
machines via telnet over that link :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: VPNs and FreeBSD

2000-07-02 Thread Kris Kennaway

On Sun, 2 Jul 2000, Stephen Hocking wrote:

 Has anyone done this yet? I've just acquired this shiny new cable modem and 
 would like to have secure access to my place of work (even though they're only 
 10 minutes walk away!)

Well, yeah..ipsec, SSH tunnel, all sorts of SSL-based stuff in ports,
SKIP, ...

Go for ipsec is my recommendation. See the handbook.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: What, exactly, does this mean?

2000-06-11 Thread Kris Kennaway

On Sun, 11 Jun 2000, Dave Hayes wrote:

 Kelly Yancey [EMAIL PROTECTED] writes:
  If you up PMAP_SHPGPERPROC, you increase the number of
  pv_entries created at boot time. However, I am not informed enough
  to say how high you can safely increase PMAP_SHPGPERPROC.
 
 What is the upper bound related to? What are the dangers in increasing 
 it too much?

At a guess, running out of kernel memory.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Non-promiscuous tcpdump on 4.0-STABLE doesn't see outgoing traffic

2000-06-10 Thread Kris Kennaway

On Fri, 9 Jun 2000 [EMAIL PROTECTED] wrote:

 tcpdump -p does *not* show outgoing traffic in 4.0-STABLE. Incoming is
 fine. Is this intended?

Actually I think I've seen the same thing in 5.0 on a PPP (tun) interface.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Needed: suid library calls (was Re: cvs commit: src/crypto/openssh sshd_config)

2000-05-25 Thread Kris Kennaway

On Wed, 24 May 2000, Nick Sayer wrote:

 What we _really_ need is some mechanism to recognize the difference
 between a user program and a system library, with an eye towards
 granting privileges to trusted libraries without letting those privileges
 leak past the library in question.

Let's think about this for a minute. In order to do that securely, the
unprivileged code should not be able to read from, or write to, memory
used by the "privileged library". If you can read from it you can
potentially snarf the contents of buffers as it reads privileged files,
and if you can write you can probably hijack it and cause arbitrary code
to be executed with privileges.

So the library needs to run in its own memory protection domain. Except
for the matter of co-scheduling, you're basically talking about a separate
process communicating via IPC. This is what has already been suggested :-)

 User authentication is only one example. There are many things that
 only root can do where letting non-root do the job is not dangerous,
 but granting non-root permission in a general way is. Another good
 example is daemons that must bind listening sockets < 1024, but don't
 need root otherwise. The entire binary must be suid up to the bind, at
 which point the program may renounce the suid bit
 (setreuid(getuid(),getuid());). Wouldn't it be more secure if a
 library could selectively grant low ports to _selected_ non-suid
 programs (perhaps with a config file)?

This is an example of a capability. Capabilities provide elevated kernel
privileges to processes in discrete chunks, i.e. as a subset of what root
can do.

The TrustedBSD project (led by Robert Watson) is developing code to
provide POSIX.1e capabilities to FreeBSD (among other nifty things).

Your other example doesn't fit well into the capabilities model, because
authenticating against private credential databases (e.g.
/etc/master.passwd) is a privileged userland operation, not a kernel one.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Needed: suid library calls [or pkey's?]

2000-05-25 Thread Kris Kennaway

On Thu, 25 May 2000, Garance A Drosihn wrote:

 It was called program keys, or 'pkey's.  When a program
 was running, there was this pkey attribute (in addition
 to uid and gid).  The pkey was a 16-character value (if
 I remember right).  Each executable had a pkey associated
 with it, and that value became the current pkey when the
 program started to execute.  Users could change the pkey

There's an inherent security weakness to beware of in this system under
UNIX: (non-set[ug]id) processes are inherently untrustable things - for
example you can attach to the running program with a debugger and make it
run your own code no matter what was already there. So you'd have to
realise that allowing a particular process to read/write from a file means
that anyone who can attach a debugger to the process can read/write
however they want, not just using the interface defined in the on-disk
instance of that program.

The alternative is to prevent attaching debuggers to any process which
runs with one of these extended credentials, like we do for set[ug]id
binaries (this is probably the sensible solution).

Such a system could probably be implemented fairly easily within the
framework of the "extended attributes"/ACL system already in FreeBSD along
with what's being developed for TrustedBSD. Specifically, you'd store a
credential ("pkey") as an extended attribute on a binary, and have an ACL
system which knows about these credentials as well as whatever other
access policies you want (POSIX.1e ACLs, traditional UNIX file
permissions, etc).

One of the TrustedBSD design goals is to allow alternative security
policies to be dynamically loaded so that you aren't constrained to e.g.
only use the "POSIX.1e" style of ACL, or whatever policy is hardwired into
FreeBSD.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: FreeBSD kernel as a replacement for Linux kernel

2000-05-23 Thread Kris Kennaway

On Tue, 23 May 2000, Mohit Aron wrote:

 Yes, which is why I'd rather use GNU utilities running on FreeBSD than spend
 hours figuring out how to make a Linux binary work. As someone pointed out,
 Debian is making some effort in this direction. I'll check that out.

Oh I see, you're looking for a replacement FreeBSD userland, not a
retargetted FreeBSD kernel.

It's been a while since I've done it, but if you just install e.g. a
Debian snapshot and chroot to it then just about everything should work.
Some of the "system administration" syscalls may not work (have not been
implemented), but once someone identifies what they are they could
in theory be implemented without too much trouble.

This is different to the Debian/FreeBSD effort, which was aiming to get
source-code compilation of Linux userland under FreeBSD and is therefore
harder (I suspect that project has kind of died).

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]







Re: FreeBSD kernel as a replacement for Linux kernel

2000-05-23 Thread Kris Kennaway

On Tue, 23 May 2000, Mohit Aron wrote:

 I believe even to make netscape plugins (for Linux) work, you need to
 use the linux version of netscape - not the FreeBSD one (at least this
 used to be true some time back). All these nifty things really scare
 any new users away from FreeBSD.

You can't mix and match Linux syscalls and FreeBSD syscalls in the same
program - the kernel has no way to know how it should interpret them.

 But seriously, I think the problem can be fixed with a more transparent 
 interface for Linux programs. Rather than requiring Linux libraries to be put
 in /compat/linux, it would be much easier if everything could be put in 
 /usr/lib. Which probably means having the SAME interface as Linux.

No thanks. 

Firstly there's the fact that many files exist in both Linux and FreeBSD
versions, but don't work the same (e.g. GNU versions of system utilities),
and secondly there's the fact that I don't want my system being spammed by
a zillion linux files amongst my "native" ones with no way to tell which
is which. Then there's the issue of shared libraries, which combines with
problem #2 and leads to the problem in my first paragraph mentioned above.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: eBones really dead?

2000-05-22 Thread Kris Kennaway

On Mon, 22 May 2000, Doug Barton wrote:

   I read this weekend that eBones is dead, but I still see it in my src
 tree on -Current, so I'm curious as to what the status really is. 

All of the files are in the attic in my repo. Are you sure this isn't just
a leftover from a machine which was updated from 2.2.(6)?

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: your mail

2000-05-19 Thread Kris Kennaway

On Fri, 19 May 2000, Manny Obrey wrote:

 I saw the following near the end of running  "make depend;make" during a 
 kernel re-config ... seriously, is this something to be concerned about? I 

No.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: ASN.1 parsing in OpenSSL (Apache+mod_ssl problem)

2000-05-18 Thread Kris Kennaway

On Thu, 18 May 2000, Milon Papezik wrote:

 When I try to connect with Netscape 4.x or Exploder 5 to Apache over
 SSL I get the following errors in apache_ssl_engine.log:

I need to compare the contents of a working and non-working certificate -
my suspicion is that there's something off about the ASN.1 encoding of the
certificate that causes netscape to barf (IE will apparently still read it
fine, or it can at least for some people's certs).

Install the converters/dumpasn1 port, and run the following on your
certificate.pem file:

openssl asn1parse -in cert.pem -out cert.der
dumpasn1 cert.der > cert.out

and mail me cert.out. Do this for both certificates if you have a working
and non-working one.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: mktemp() vs. mkstemp()

2000-05-14 Thread Kris Kennaway

On Sun, 14 May 2000, James Howard wrote:

 I was preparing a port which uses mktemp().  Of course, the linker
 complained and suggested using mkstemp().  Except mkstemp() returns an
 integer file descriptor whereas normal people use FILE * pointers,
 including the author of this port.  How about an mkftemp() which wraps
 around mkstemp() and does an fdopen()?

This would be completely non-portable - if you really need this, make one
yourself and add it to a library distributed with your code.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]
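
The wrapper discussed in this thread, written as something a port could carry in its own sources. This is an added example, not code from the thread or from FreeBSD; the name mkftemp() comes from the question, and the two demo functions and the /tmp template are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * mkftemp: create a unique temporary file from a template ending in
 * "XXXXXX" and hand it back as a FILE *.  mkstemp() creates the file
 * atomically (O_CREAT|O_EXCL), so the name cannot have been planted in
 * advance the way a mktemp() name can.  On success tmpl holds the real
 * path.  On failure NULL is returned, errno is preserved, and neither a
 * descriptor nor a stray file is left behind.
 */
FILE *mkftemp(char *tmpl, const char *mode)
{
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return NULL;

    FILE *fp = fdopen(fd, mode);
    if (fp == NULL) {
        int saved = errno;      /* close/unlink may overwrite errno */
        close(fd);
        unlink(tmpl);
        errno = saved;
        return NULL;
    }
    return fp;
}

/* Demo (hypothetical helper): write, read back, confirm the file is
 * private to its owner, then clean up.  Returns 0 on success. */
int mkftemp_roundtrip(void)
{
    char path[] = "/tmp/mkftemp-demo.XXXXXX";   /* constructed sample path */
    char buf[32] = "";
    struct stat st;

    FILE *fp = mkftemp(path, "w+");
    if (fp == NULL)
        return -1;

    int ok = fputs("scratch data\n", fp) != EOF
          && fflush(fp) == 0
          && fstat(fileno(fp), &st) == 0
          && (st.st_mode & 0077) == 0;          /* no group/other access */
    rewind(fp);
    ok = ok && fgets(buf, sizeof buf, fp) != NULL
            && strcmp(buf, "scratch data\n") == 0;

    fclose(fp);
    unlink(path);
    return ok ? 0 : -1;
}

/* Demo (hypothetical helper): force the fdopen() step to fail with an
 * invalid stdio mode and check that the wrapper cleaned up after itself.
 * Returns 1 when the failure path behaved as documented. */
int mkftemp_bad_mode_leaves_nothing(void)
{
    char path[] = "/tmp/mkftemp-demo.XXXXXX";

    errno = 0;
    FILE *fp = mkftemp(path, "z");              /* "z" is not a valid mode */
    if (fp != NULL) {
        fclose(fp);
        unlink(path);
        return 0;
    }
    return errno == EINVAL && access(path, F_OK) == -1;
}

int main(void)
{
    printf("round trip: %s\n", mkftemp_roundtrip() == 0 ? "ok" : "FAILED");
    printf("failure path cleans up: %s\n",
           mkftemp_bad_mode_leaves_nothing() ? "yes" : "NO");
    return 0;
}
```

The caller still owns the file: it has to fclose() the stream and unlink() the path stored back into the template when it is done.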






Re: mktemp() vs. mkstemp()

2000-05-14 Thread Kris Kennaway

On Sun, 14 May 2000, Tim Vanderhoek wrote:

 It's certainly not like it would be the first non-portable function
 we've added.  Where adding functions to libraries encourages better
 coding practices, I'm (often) in favour of it, especially if it
 encourages more secure coding practices.  Ultimately everyone
 benefits, and the pain is short-term.

True, but I'd venture that in most of those cases they did something a
little less trivial than one line of code.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






RE: Double buffered cp(1)

2000-05-12 Thread Kris Kennaway

On Fri, 12 May 2000, Koster, K.J. wrote:

 Unless this has been changed from 3.4 to 4.0, gcc defaults to /var/tmp. I
 never understood why, and the gcc manual page claims that it's /tmp (I
 think). MFS users, synchronize your TMPDIR variables ... now. :-)

It did.

Compiling a simple test program just now shows:

+  -rw---  1  root wheel  0  May 12 00:16 /tmp/ccl22910.i
+  -rw---  1  root wheel  0  May 12 00:16 /tmp/ccc22910.s
+  -rw---  1  root wheel  0  May 12 00:16 /tmp/ccP22910.o
-  -rw---  1  root wheel  0  May 12 00:16 /tmp/ccl22910.i
-  -rw---  1  root wheel  0  May 12 00:16 /tmp/ccc22910.s
-  -rw---  1  root wheel  0  May 12 00:16 /tmp/ccP22910.o

(incidentally, another reason to use -pipe is that the above filenames are
predictable and probably handled insecurely so that another user can cause
any of your files to be overwritten when you compile something. This is
on my list of things to fix).

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]
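
Why a predictable temporary name is a problem, and what exclusive creation changes, shown as an added example that is not from this thread or from gcc. Everything happens inside a private mkdtemp() directory; the file names, the sample data and the function names are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define VICTIM_DATA "keep me safe"      /* constructed sample, 12 bytes */

int last_open_errno;                    /* errno of the most recent open */

/* Weak form: create-or-truncate.  If something already sits at the
 * name, including a symlink, open() follows it and truncates the target. */
static int open_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL makes creation atomic and refuses any existing
 * directory entry, symlinks included (fails with EEXIST). */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/*
 * Builds a scratch directory holding a "victim" file and a symlink to it
 * that already occupies the predictable temporary name, then opens that
 * name the weak or the hardened way.  Returns the victim's size afterwards
 * (0 means it was truncated), or -1 if the scenario could not be set up.
 */
long victim_size_after(int hardened)
{
    char dir[] = "/tmp/tmpname-demo.XXXXXX";
    char victim[128], tmpname[128];
    struct stat st;
    long result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(tmpname, sizeof tmpname, "%s/cc12345.s", dir);

    FILE *fp = fopen(victim, "w");
    if (fp != NULL) {
        fputs(VICTIM_DATA, fp);
        fclose(fp);
        if (symlink(victim, tmpname) == 0) {
            int fd = hardened ? open_exclusive(tmpname)
                              : open_naive(tmpname);
            last_open_errno = (fd == -1) ? errno : 0;
            if (fd != -1)
                close(fd);
            if (stat(victim, &st) == 0)
                result = (long)st.st_size;
            unlink(tmpname);
        }
        unlink(victim);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    long n = victim_size_after(0);
    printf("O_CREAT|O_TRUNC: victim is now %ld bytes\n", n);
    n = victim_size_after(1);
    printf("O_CREAT|O_EXCL : victim is still %ld bytes (open: %s)\n",
           n, strerror(last_open_errno));
    return 0;
}
```

mkstemp() combines the exclusive open with an unpredictable name, and -pipe avoids the intermediate files altogether.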






RE: ipfw and verbose mode

2000-05-12 Thread Kris Kennaway

On Fri, 12 May 2000, Gianmarco Giovannelli wrote:

 I am missing these kind of logging which I require with the "log" keyword:

Check your syslog.conf settings - ipfw didn't change the logging behaviour
with 4.0, AFAIK.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: ipsec 'replay' syslog error messages after reboot of one host

2000-05-11 Thread Kris Kennaway

On Thu, 11 May 2000, Matthew Dillon wrote:

 I had to fix up /etc/rc.network a little to load the ipsec rules
 at the appropriate point (just after the interface and ipfw setup,
 but before any services (like NFS) are run).  I am going to put the
 (relatively simple) patch for rc.network up for a quick review and
 then commit it along with an example file and a reference to the
 example file in the man page.

Please submit this to the KAME folks ([EMAIL PROTECTED]) as well so we
can keep in sync. I'm in the process of merging the latest KAME snapshot
into 5.0 with the aim of trying to update our IPv6/IPSec support
(Currently our IPSec code dates to November 1999), so keeping the two
codebases in sync as much as possible will help my job - I don't want the
FreeBSD IPv6/IPsec code to get ahead of the KAME code, or I'm likely to
miss the change locally and blow it away.

I'm not sure whether or not the problem you had was a bug - again, you'd
be best off speaking to the KAME guys directly (although given the age of
our ipsec code I don't know how much they'd be able to help)

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Double buffered cp(1)

2000-05-11 Thread Kris Kennaway

On Mon, 24 Apr 2000, Kent Stewart wrote:

 This is what I see on a buildworld with 4.0-Stable
 
 Modified /etc/make.conf and commented out CFLAGS= -Os -pipe
 3707.4u 799.6s 1:35:52.46 78.3% 1374+1477k 56974+173232io 2337pf+0w
 3693.9u 800.5s 1:29:45.73 83.4% 1375+1477k 55201+173224io 2160pf+0w
 Modified /etc/make.conf and added CFLAGS= -pipe
 3559.2u 807.2s 1:28:00.05 82.6% 1608+1286k 56499+174033io 2516pf+0w

This is an old message, but what you're seeing here is that if CFLAGS is
not overridden, it is set by sys.mk to "-O -pipe".

Setting CFLAGS explicitly to "-pipe" is faster because it does no
optimization, "-Os -pipe" would be slower because it does more. Leaving
out -pipe would be slower still, because the compiler does data passing
using temporary files in /tmp instead of via a pipe.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: ps does not work after a cvsupdate to 4.0-STABLE

2000-05-09 Thread Kris Kennaway

On Tue, 9 May 2000, Oscar Ricardo Silva wrote:

 And then after you do both (or you could just run "make world"), you'll 
 need to recompile the kernel.  I ran both and then had problems with "ps" 
 and found several references saying that the kernel needed to be recompiled 
 afterwards.

The rule of thumb is that they both need to be compiled with precisely the
same sources. In other words, if you build and install world, then cvsup,
then build kernel, you're asking for trouble.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Adding -maxdepth and -mindepth options to find(1)

2000-04-29 Thread Kris Kennaway

On Sat, 29 Apr 2000, Ben Smithurst wrote:

 any other people who might want it?  I've attached a patch to implement
 this, if I don't get any feedback I'll send-pr it instead, I thought I
 might get a few opinions here first.

Good idea - haven't reviewed the patch, though.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Shell games

2000-04-18 Thread Kris Kennaway

On Tue, 18 Apr 2000, James Howard wrote:

 I don't get a lot of time to pay attention to the lists, so this might
 have been asked before.  Does the csh->tcsh move imply that sh->ksh will
 be happening soon?  Didn't NetBSD do that a while ago?

No, it doesn't automatically mean that. The csh->tcsh update was a version
upgrade (tcsh is a newer version of csh), which is a separate issue to
replacing a shell with a completely different shell. There has been
annoying discussion on -arch about this which you should read before
replying further, though.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: OpenSSL and IDEA.

2000-04-16 Thread Kris Kennaway

On Sun, 16 Apr 2000, David Malone wrote:

 I notice that the IDEA code in OpenSSL is in the Attic and not in
 the regular source tree. I know that OpenSSL is compiled with
 something like -DNO_IDEA by default, but that doesn't mean IDEA
 shouldn't be in the source tree for people who can use it. Would
 it be possible to get idea reinstated and make its compilation
 a documented knob?
 
 (According to Applied Cryptography, IDEA is free for non-commercial
 use. As the source code is being distributed via cvs anyway, I
 can't see a reason why it isn't being included in any of the
 branches.)

I was under the impression it was restricted (patented) in the US and in
some parts of europe - not having a clearer idea about where it was safe
to use, I thought it better not to include it at all. If you can point me
to something which explains where it's restricted and not, and under what
terms, I'd be most appreciative :)

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: OPEN SSH PROBLEM

2000-04-15 Thread Kris Kennaway

On Sat, 15 Apr 2000, p_a_r wrote:

 Hello, I have installed open ssh on my FreeBSD 3.3-stable machine.
 
 But it will not work, I can't log in; below is the output with ./sshd -d.

You aren't telling us anything about the client, which seems like it might
be the one causing the problems from the error message. Either that or
there could be PAM problems on the server end - how did you configure
this?

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Authorization broken in 4.0 REL/XDM?

2000-04-13 Thread Kris Kennaway

On Thu, 13 Apr 2000, Robert Withrow wrote:

 Any other ideas?

Do you have an up to date /etc?

/etc/pam.conf contains:

# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm     auth        required    pam_unix.so
#xdm    auth        sufficient  pam_kerberosIV.so   try_first_pass
xdm     account     required    pam_unix.so         try_first_pass
xdm     session     required    pam_deny.so
xdm     password    required    pam_deny.so

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: desire for ftp.internat.freebsd.org mirror

2000-04-10 Thread Kris Kennaway

On Mon, 10 Apr 2000, John Hay wrote:

 Why not just use cvsup? It is already installed and running on internat
 and the firewall is already configured to allow it through.

The question was about mirroring the FTP site, i.e. all of the binary
packages and stuff which are also there.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: need help

2000-04-06 Thread Kris Kennaway

On Fri, 7 Apr 2000, Mourad Lakhdar wrote:

 when loading the kernel , i have the following error :
 **
 the following file system had an unnexpected inconsistency:
 /dev/rwd0s1e(/var)

You have file system problems/corruption of some kind. Enter single-user
mode and try running fsck -p by hand, or failing that perhaps restore from
a backup.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: fork test

2000-04-05 Thread Kris Kennaway

On Wed, 5 Apr 2000, Alexey N. Dokuchaev wrote:

 Well, after very short time, both boxes responded to console switchings
 and things like that, but trying to run something like "ps", "w",
 "uptime" put machine quite on hold (about 2 minutes). The thing is that
 Linux finished running commands about 3 times faster than FreeBSD.  What
 the heck is that supposed to mean?!  I thought FreeBSD would kick linux
 butt?

FreeBSD spawned many more processes than Linux before it started being
unable to fork and was thus running many more live copies of the program?
You haven't really given/collected enough information to decide.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: chmod (gnu version) -c switch

2000-04-05 Thread Kris Kennaway

On Wed, 5 Apr 2000, Christoph Kukulies wrote:

 While adapting a script that was originally written for Linux
 I came across an option -c --changes to chmod which verbosely
 lists the files whose permissions are actually changed by chmod.
 
 Is there a way to have this under FreeBSD also? Like another set of
 these elementary utilities one can switch over temporarily? 

You mean like chmod -v? Of course, neither -c nor -v are portable so care
should be taken in their use.

 Do /compat/linux/bin programs work?

Yes, but there's no need.

 Would changing the path towards
 picking these binaries first be a solution in that case?

I don't recommend that.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Dreamweaver 2

2000-03-25 Thread Kris Kennaway

On Sat, 25 Mar 2000, VR Dredge wrote:

 Hi, my name is Robert.
 I came across your address while trying to find a crack for Dreamweaver
 2.I've got to admit I'm pretty green at this sort of thing, so I guess I'm
 asking if you have or know where I can it. Also are there any programs for
 generating cracks, passwords and so on

You can download the dreamweaver 2 crack by installing FreeBSD and
installing the /usr/ports/cracks/drmwvr2 port.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: gmake pb's

2000-03-23 Thread Kris Kennaway

On Thu, 23 Mar 2000, Len Conrad wrote:

 Really anxious to give Listar a whirl, please help me get through gmake.

The code needs some kind of patch to compile on FreeBSD, from the error
you gave. Talk to the listar developers about it or convince someone over
on -ports to do the work and make a port for it (and submit back their
changes to the developers).

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: 3.4 - large file - seek problems

2000-03-23 Thread Kris Kennaway

On Thu, 23 Mar 2000, Dan Nelson wrote:

 The tail bug has been reported as PR bin/14786, and it looks like
 there's a patch in there.  See if it fixes your problem.  As for less,
 you can contact the author and see if he can fix it; it's not a stock
 FreeBSD program.

This is certainly the path to pursue, although I'm not sure how much luck
it would have. The GNU maintainers typically are focussed mainly on linux,
which I believe does not have support for 64-bit file sizes at the kernel
level (perhaps this has been fixed).

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: openssh + krb5 (followup)

2000-03-22 Thread Kris Kennaway

On Wed, 22 Mar 2000, Sheldon Hearn wrote:

  Interoperability with MIT krb5 still seems to be an issue.
 
 Bleh, more FUD.  The problem is in operability with non-FreeBSD openssh!
 We use supported_authentication values for KRB5 that neither Datafellows
 SSH nor OpenBSD SSH use. :-(

Hmm..I thought OpenBSD's OpenSSH didn't support krb5, only
krb4. Regardless, we should fix this to bring ourselves in line
(preferably with both).

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: 3,4

2000-03-22 Thread Kris Kennaway

On Wed, 22 Mar 2000, sdf dsg wrote:

 When is the 3.4 release coming, and I don't want some beta things?

3.4 has been out for 4 months now. Please don't post this kind of thing to
FreeBSD-hackers - it's not on-topic.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: swap

2000-03-18 Thread Kris Kennaway

On Sun, 19 Mar 2000, Micke wrote:

 enable the swap file in /etc/rc.conf 
 
   swapfile="/usr/swap0"   # Set to name of swapfile if aux swapfile desired. 

Did you reboot?

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: 5.0 features?

2000-03-13 Thread Kris Kennaway

On Sun, 12 Mar 2000, Ted Sikora wrote:

 What kind of features and additions can we expect from the merged
 systems in 5.0? It looks as though this has been in 
 the works for some time. I think I read somewhere that SMP support would
 be much improved?

Since no-one else seems to have replied about this, 5.0 only started
development about 2 hours ago when the 5.0-CURRENT branch split from
4.0-RELEASE. I'm sure there will be lots of exciting features added during
the course of the branch, but exactly what those are remains to be seen.
I'd expect to see improved SMP support in some form however - whether that
comes from BSD/OS or internally.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]







Re: Getting CPU usage in FreeBSD

2000-03-11 Thread Kris Kennaway

On Sun, 12 Mar 2000, Oliver Fromme wrote:

 Then look up the definition of kread() in the same file, and
 how the contents of cur.cp_time are used in the cpustats()
 function.  Note that "cur" is a "struct statinfo", which is
 defined in /usr/include/devstat.h.  The CPU states are defined
 in /usr/include/sys/dkstat.h.

We probably should make this into a sysctl to divorce the binaries from
having to read kvm.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: Getting CPU usage in FreeBSD

2000-03-11 Thread Kris Kennaway

On Sun, 12 Mar 2000, Pedro A M Vazquez wrote:

  We probably should make this into a sysctl to divorce the binaries from
  having to read kvm.
 
 it's already there:
 
   vm.loadavg: { 1.40 1.33 1.23 }

That's the system load average. The question referred to CPU usage
percentages.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: inner workings of the C compiler

2000-03-09 Thread Kris Kennaway

On Wed, 8 Mar 2000, Alfred Perlstein wrote:

 I'm pretty sure this can be done a hell of a lot easier by using shared
 libraries and using the environment variables LD_LIBRARY_PATH and
 LD_PRELOAD, see the rtld manpage for more help.

Yes, I've done this when trying to track down buffer overflows in
libc..stick them in their own directory and use LD_LIBRARY_PATH, which
tells the dynamic linker where to search.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: DeCSS

2000-03-03 Thread Kris Kennaway

On Sat, 4 Mar 2000, Sheldon Hearn wrote:

  http://www.totse.com/DeCSS/
 
 Screw the cascading style sheets business, I wanna distribute the real
 thing.  I'd like to see these wankers try to sue me.  Especially if it
 means a free plane trip to the States. :-)

You know, I half want to add a note in the release notes that "FreeBSD 4.0
now ships with DeCSS included", but that might be a bit political :-)

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: d: /kernel: malformed input file (not rel or archive) ??

2000-03-01 Thread Kris Kennaway

On Wed, 1 Mar 2000, Johan Kruger wrote:

 If I try to load the example in
 /usr/src/share/examples/lkm/misc/module/misc_mod.o I get the following.
 Pleeaaas help ?

LKMs are deprecated in favour of KLDs. Do you have options LKM in your
kernel if you really want to play with the old technology?

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: DeCSS

2000-02-21 Thread Kris Kennaway

On Mon, 21 Feb 2000, Peter Wemm wrote:

 I would love to make a port of this, for reasons that become obvious once you
 see the page.  (Think of all the mailing list archives and mirrors)
 
 http://www.totse.com/DeCSS/
 
 Be sure to read it before commenting, it's not what you might think.

Port committed :-)

Kris


"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson






Re: My daughter bought Digital Research USB Card

2000-02-21 Thread Kris Kennaway

On Sun, 20 Feb 2000, Beverly H Barnhart wrote:

 The book said she could get the driver off of Windows 98 CD or
 www.microsoft.com but I could not get the driver from any of those
 places any ideas?

Which version of FreeBSD is she using?

Kris

 Bev


"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson






Re: Y2K: groff in the tree out of date

2000-02-16 Thread Kris Kennaway

On Wed, 16 Feb 2000, Ted Faber wrote:

  The groff in 3.4-stable is out of date.
 
 Be sure to catch 4.0-RELEASE. :-)
 
 I was planning on it.  Just so I understand, 3.x will not have its
 groff updated?

I think it would be premature to say that. Your best bet is to ask the
person who did the groff upgrade in 4.0 to MFC.

Kris


"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson






Re: accounting, ppp

2000-02-14 Thread Kris Kennaway

On Sat, 12 Feb 2000, Egervary Gergely wrote:

 I'm running a PPP dialup server. (mgetty-autoppp) Is there any way to do
 login accounting (like solaris' PAM modules, or linux pam_limits.so)

A FreeBSD PAM module? ;)

We use the same PAM code as linux, so grab the source of the module you
use under linux and compile it on FreeBSD.

Kris






Re: bonnie still trustable?

2000-02-14 Thread Kris Kennaway

On Tue, 15 Feb 2000, Greg Lehey wrote:

  http://www.simon-shapiro.org/st_d/index.html

 I don't see anything that jumps out and tells me where to get this
 software, nor where I can get a printable version of the
 documentation.  Shimon, can you help?

The above URL links to the documentation, section 1.2.1 of which points to
ftp://simon-shapiro.org/pub/st.d/ and contains multiple versions of the
documentation (.ps, .dvi, .lyx, .tex, ...) as well as the code itself :-)

Kris


"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson






Re: Better fixit (was: Why was rsh removed from the fixit floppy?)

2000-01-23 Thread Kris Kennaway

On Mon, 24 Jan 2000, Peter Jeremy wrote:

 On Fri, 21 Jan 2000 18:01:34 +0530, Greg Lehey [EMAIL PROTECTED] wrote:
 If you want a better fixit floppy, you should consider the new custom
 disk pair with PicoBSD ...  There's still space on there; what
 else could we put there?
 
 ssh or OpenSSH (though this might cause distribution problems - how did
 Jordan's visit to WC's Counsel go?)

Unfortunately openssh is quite a bit bigger than the standard ssh, because
openssl isn't exactly the slimmest crypto library in the world :-) But, it
would definitely be a cool thing.

Kris


"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson






Re: disappearing mount points after install

2000-01-23 Thread Kris Kennaway

On Sun, 23 Jan 2000, Wes Peters wrote:

 OK, let's quickly hack the VM system to allow swapping on a DOS partition.

dd if=/dev/zero of=/c/swap
vnconfig -c -e /dev/vn0 /c/swap swap

Kris


"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson






Re: Encryption rules changes coming up - win for open source

2000-01-12 Thread Kris Kennaway

On Thu, 13 Jan 2000, Oliver Fromme wrote:

 But then, at the end:
 
People posting ``open source'' programs would be required
to send the code, or a Web site address where the code was
displayed, to the government.
 
 Basically, does this mean something like
 tar cf - /usr/src/crypto | mail [EMAIL PROTECTED]
 ?  :-)

Oh come on, where's your imagination?

tar cf - /usr/src/crypto | openssl enc -des-cbc -a -e -k
TheOwlFliesAtMidnight | mail [EMAIL PROTECTED]

Kris






Re: GLIDE for FreeBSD

1999-12-26 Thread Kris Kennaway

On Fri, 24 Dec 1999, Theo van Klaveren wrote:

  Will grab new tarball shortly... (at least you know someone's testing it).
 
 He he... To me, that's worth a hundred bug reports :)

You should submit this stuff as a port - it's not hard, and this will
ensure that it gets mainstream testing/use, instead of drifting out of the
public view like so much cool stuff which gets coded :-(

Kris






Re: DES routines?

1999-12-25 Thread Kris Kennaway

On Thu, 23 Dec 1999, Ptacek wrote:

 Thanks for the info, by the way I found the ecb_crypt by doing a man
 des_crypt.

Are you sure this was on a FreeBSD box? I can't see ecb_crypt listed in
our des_crypt(3) manpage, though it is on e.g. Solaris.

Kris






Re: DES routines?

1999-12-23 Thread Kris Kennaway

On Sun, 19 Dec 1999, Ptacek wrote:

 I am looking for some routines to perform DES encryption in electronic code
 book mode.

I assume you have some reason for wanting ECB, and not the usual (more
secure) CBC mode..

 I have found the ecb_crypt function, however when I try and use it the
 buffer is not encrypted.
 Am I missing something, do these functions not work, and is there a better
 way of doing this?

Hmm..I can't find any documentation (manpages) on ecb_crypt, which
suggests it's a deprecated interface. You should use the des_ecb_encrypt
function and related calls as described in that manpage, as these are the
"standard FreeBSD API". Note the different calling syntax.

Kris






Re: Crypto in the kernel: where how?

1999-12-10 Thread Kris Kennaway

On Fri, 10 Dec 1999, Dan Moschuk wrote:

 | our users (by geography) from accessing it. However at least in the case
 | of OpenSSL (which I'm planning to import into internat when I go home to
 | australia next week :-) the two will have to be divergent due to the
 | patent restrictions on RSA.
 
 The RSA patent makes things a lot more difficult.  If we do add some crypto
 into the kernel I suggest we use patent-free algorithms to start with.

This was actually part of an unrelated point I was making - RSA will
definitely not be going into the kernel anywhere at this point! In
general, we want the two crypto repositories to stay in sync which
generally means propagating from internat -> freefall, but we can't do it
for RSA.

Kris






Re: Human readable df

1999-11-29 Thread Kris Kennaway

On Mon, 29 Nov 1999 [EMAIL PROTECTED] wrote:

 Not sure if -hackers is the place for this, but here goes.
 
 Here's a patch to add -h flag to df to produce human readable
 output. This makes it easier to read if the disk is big.

You should submit this as a PR so it doesn't fall through the cracks
(although it looks like Chris might take care of it, he seems to like
adding options to commands :-)

Kris






Re: Test code...

1999-11-28 Thread Kris Kennaway

On Sat, 27 Nov 1999, Brian J. McGovern wrote:

 Anyone have any suggestions (or feel like writing) code to exercise the
 following subsystems?
 
   - Virtual Memory
 
   - The threads library
 
   - mmap() and friends
 
 We want to try to bang on them a little more for 3.4 than we have in the past.

Search the PR database and the mailing list archives for regression tests
(things which at one time used to break things, but which are claimed to
have been fixed). There are quite a few of these, although some bugs have
only been fixed in -current because of the intrusive nature of the
required changes.

Kris


Just remember, as you celebrate Thanksgiving with your family feasts of
turkey, cranberries, stuffing, gravy, mashed potatoes, squash, corn,
cornbread, apples, pickles, dumplings, fish, orangutans, fruitbats,
breakfast cereals, and so forth, to keep in mind the true reason for the
season: The birth of Santa.






RE: PCI DMA lockups in 3.2 (3.3 maybe?)

1999-11-21 Thread Kris Kennaway

On Sun, 21 Nov 1999, Christopher Stein wrote:

 Dennis has a good point.

Dennis has no point unless he provides some numbers to quantify his
claim.

Witness:

FreeBSD 3.X is the fastest thing I have ever seen: it's so much faster
than 2.X, I can only guess what 4.X is going to be like!

There, now we're neutral again :-)

Kris


Cthulhu for President! For when you're tired of choosing the _lesser_ of
two evils..






RE: PCI DMA lockups in 3.2 (3.3 maybe?)

1999-11-21 Thread Kris Kennaway

On Sun, 21 Nov 1999, Christopher Stein wrote:

   Dennis has a good point.
  
  Dennis has no point unless he provides some numbers to quantify his
  claim.
 
 His point was not a claim about performance, rather he was bringing into
 question whether performance was improving with successive releases.

Sounded very much to me like he was just vaguely griping about how slow
and unstable newer versions of FreeBSD are compared to the good old days.
Dennis will be able to clarify this for us all when he posts his benchmark
specs.

  Witness:
  
  FreeBSD 3.X is the fastest thing I have ever seen: it's so much faster
  than 2.X, I can only guess what 4.X is going to be like!
  
  There, now we're neutral again :-)
  
 
 What do you mean by fastest? What does it do so much faster
 than 2.x? Fast at what?

Ah, good, now I see you understand :-)

Kris


Cthulhu for President! For when you're tired of choosing the _lesser_ of
two evils..






Re: fsck_ext2fs and fsck_msdos from Open/NetBSD

1999-11-11 Thread Kris Kennaway

On Fri, 12 Nov 1999, Alex wrote:

 Both Open- and NetBSD seem to have separate fsck programs for each
 filesystem type - fsck_ffs, fsck_ext2fs and fsck_msdos - the actual
 /sbin/fsck program calling the appropriate one for a given filesystem
 (in a way similar to our `mount' command).  The last two (fsck_ext2fs
 and _msdos) are nonexistent in FreeBSD.

I think that would be a good thing..unless I'm mistaken, we don't have the
ability to fsck those types of partition currently.

Kris


Cthulhu for President! For when you're tired of choosing the _lesser_ of
two evils..






Re: module names

1999-10-25 Thread Kris Kennaway

This kind of stuff is better suited to the arch mailing
list..cross-posting.

Kris

On Tue, 26 Oct 1999, Pascal Hofstee wrote:

 Hi,
 
 With the recent addition of more and more KLDs to the /modules directory I
 was wondering if perhaps it would be a good idea to name these modules
 more consistently:
 
 if_*: For all network modules (done already)
 ng_*: For all netgraph related modules (done already)
 fs_*: For all filesystem modules
 saver_* : For all screensavers (probably would prefer a shorter prefix)
 emu_*   : For binary compatibility modules like linux/ibcs2/svr4
 
 of course this is just a suggestion ... just thought I would voice it
 here.
 
 
   Pascal Hofstee - [EMAIL PROTECTED]
 
 -BEGIN GEEK CODE BLOCK-
 Version: 3.1
 GCS d- s+: a-- C++ UB P+ L- E--- W- N+ o? K- w--- O? M V? PS+ PE Y-- PGP--
 t+ 5 X-- R tv+ b+ DI D- G e* h+ r- y+
 --END GEEK CODE BLOCK--
 
 
 
 


XOR for AES -- join the campaign!






Re: --enable-haifa

1999-10-13 Thread Kris Kennaway

On Wed, 13 Oct 1999, W Gerald Hicks wrote:

 Just curious what effect using the --enable-haifa flag for building
 gcc-2.95.1/x86 would have so I did a comparison using the Dhrystone
 benchmark from /usr/ports/benchmarks/bytebench.

This seems marginal, in other words. How did the results vary when you ran
the tests multiple times?

Kris


XOR for AES -- join the campaign!






Re: Search a symbol in the source tree

1999-10-12 Thread Kris Kennaway

On Tue, 12 Oct 1999, bush doctor wrote:

 Have you taken a look at global, gtags, or htags.  They are part of
 the base system.  Also 'http://lxr.linux.no/freebsd/source' is rather
 helpful ...

or the glimpse port.

or grep -R, which is recursive grep.

Kris


XOR for AES -- join the campaign!






Re: Apple's planned appoach to permissions on movable filesystems

1999-10-07 Thread Kris Kennaway

Here's a passing thought I had which may be relevant.

Make uids randomly assigned. This solves the problem of collision between
uids on an introduced medium and the ones on the local system by making it
statistical (if the uid space is large enough). In order to manage this
among multiple machines, you'd probably need a synchronisation facility,
both online (connect to some network database), and by an "export/import"
facility which lets you dump a DB and import (parts of) it on another
machine. Storing the large uid in the inode is probably not feasible w/o
breaking compatibility, but you could indirect it through a mapping table
loaded from elsewhere on disk when the FS is mounted.

The downside to this is not being able to assign the uids according to
your own numbering scheme. Perhaps what could be done is to have a lookup
table which maps between in-system uids and on-disk ones, such that the
kernel presents the translated uid to the system, and remaps the unknown
ones.

Kris


XOR for AES -- join the campaign!






RE: updating packages automatically, etc.pp.

1999-09-30 Thread Kris Kennaway

On Thu, 30 Sep 1999, Robert Huff wrote:

The script relies on you having an up-to-date INDEX file; do "make
index" first to be sure (which reminds me, why is the INDEX file
always out of sync after a cvsup?).  It only tries to upgrade ports
   
   Because it's only generated periodically, not every time someone
   adds or modifies a port, which would be very wasteful.
 
   How often is periodically?
   While I read the output of my CVSup sessions, it had been my
 impression that INDEX was an accurate (+/- epsilon) snapshot of the
 ports tree.  Are you telling me it could be, oh, two or three weeks
 out of date ...?

Yes. Check the commit logs.

Kris






RE: updating packages automatically, etc.pp.

1999-09-29 Thread Kris Kennaway

On Wed, 29 Sep 1999, Conrad Sabatier wrote:

 The script relies on you having an up-to-date INDEX file; do "make
 index" first to be sure (which reminds me, why is the INDEX file
 always out of sync after a cvsup?).  It only tries to upgrade ports

Because it's only generated periodically, not every time someone adds or
modifies a port, which would be very wasteful.

Kris






Re: A new package fetching utility, pkg_get

1999-09-24 Thread Kris Kennaway

On Fri, 24 Sep 1999, Jaakko Salomaa wrote:

 It's designed to be easy to use, so it first checks -s parameter, then
 PKGSERVER environment variable, then the machine's toplevel domain. If the
 toplevel domain contains only two letters it attempts to use
 ftp.tld.freebsd.org, else it defaults to ftp.freebsd.org and prompts
 whether the user wants to use it.

Do all ftp.xx.freebsd.org mirrors contain a full set of packages?

Kris






Re: NetWare client in -current

1999-09-10 Thread Kris Kennaway

On Fri, 10 Sep 1999, Matthew N. Dodd wrote:

 On Fri, 10 Sep 1999, Kris Kennaway wrote:
  I tend to agree. If we bring in all of this stuff (even though I
  appreciate it's very useful) we should also bring in samba into the
  base tree by symmetry.
 
 That's the idea.  Once Boris gets a chance to finish cifsfs the plan is to
 import it into the tree the same as the Netware client stuff.

Okay. If that's the plan, then I don't have any objections.

I do hate the idea of having to reimplement samba because of the licensing
though - it already does quite a good job at SMB serving, it seems a waste
to duplicate the effort instead of just adding kernel support to the
existing code.

Kris






Re: NetWare client in -current

1999-09-10 Thread Kris Kennaway

On Fri, 10 Sep 1999, Matthew N. Dodd wrote:

  Okay. If that's the plan, then I don't have any objections.
  
  I do hate the idea of having to reimplement samba because of the licensing
  though - it already does quite a good job at SMB serving, it seems a waste
  to duplicate the effort instead of just adding kernel support to the
  existing code.
 
 SAMBA implements an SMB/CIFS server.  We're talking about client support.

It also does that (smbclient), though not as an FS, and there's
sharity-light for a (n)fs interface.

Kris






Re: NetWare client in -current

1999-09-10 Thread Kris Kennaway

On Fri, 10 Sep 1999, Ruslan Ermilov wrote:

  Is there any reason to not have it as a port?
  
 IMHO, only the basic IPX/SPX functionality should be included into the
 source tree.  Anything else could be available as ports/net/nw-utils.

I tend to agree. If we bring in all of this stuff (even though I
appreciate it's very useful) we should also bring in samba into the base
tree by symmetry.

Kris



RE: TCP sequence numbers

1999-09-07 Thread Kris Kennaway

On Thu, 2 Sep 1999, Geoff Rehmet wrote:

  How do OpenBSD do it?

 They use arc4random(), to add a random increment.

And you do ISN = C + f(state) where C is a 250KHz counter and f is your
cut-down MD5? And state = {random secret, src addr, src port, dst addr,
dst port, ?}

I haven't had time to read through the patch yet, I'm sorry.

  Just curious whether you have a reference for doing this or
  whether it was an ad-hoc change. Playing with cryptographic
  algorithms isn't usually a good idea unless you're sure, as I'm
  sure you know.

 Yup - dead right.  The requirements in this instance are however
 also slightly different to what you normally use a cryptographic
 hash for.  I want to let the code be picked at a bit before
 it goes into the tree though.

What speed difference is there between MD5 and your cut-down version? Have
you benchmarked performance differences in general?

I'm also still curious about your rationale/references for modifying MD5
in that way.

The other comment I have is that this should probably be hidden behind a
sysctl for configurability and to appease folks who might not like it.

  I'd expect Yarrow to be (perhaps quite a bit) slower than our existing
  PRNG - it's a more conservative design and uses primitives like SHA-1
  (for yarrow-160). I don't know how much of an impact this would be for
  network performance.
 
 If it is only used to generate a secret every 5 minutes, that should
 not be a problem.

Sounds reasonable.

Kris






RE: TCP sequence numbers

1999-09-07 Thread Kris Kennaway

On Thu, 2 Sep 1999, Geoff Rehmet wrote:

  I'd expect Yarrow to be (perhaps quite a bit) slower than our existing
  PRNG - it's a more conservative design and uses primitives like SHA-1
  (for yarrow-160). I don't know how much of an impact this would be for
  network performance.
 
 If it is only used to generate a secret every 5 minutes, that should not
 be a problem.

Hrm. RFC 1948 seems to warn against changing the secret while "live". It's
not immediately obvious to me why this is so.

Kris
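
The ISN = C + f(state) construction from the two messages above, as an added sketch; it is not Geoff Rehmet's patch or FreeBSD code. Assumptions: full MD5 stands in for the cut-down transform, and the addresses, ports and secrets are constructed. It measures how far the ISN moves when one 4-tuple reconnects, with and without a change of secret in between.

```python
import hashlib
import ipaddress
import struct

MASK32 = 0xFFFFFFFF
CLOCK_HZ = 250_000  # RFC 793 ISN clock: one tick every 4 microseconds


def clock_c(now: float) -> int:
    """C in the message above: the 250 kHz counter, truncated to 32 bits."""
    return int(now * CLOCK_HZ) & MASK32


def offset_f(secret: bytes, src: str, sport: int, dst: str, dport: int) -> int:
    """f(state): hash of the connection 4-tuple plus the secret, cut to 32 bits.
    Assumption: full MD5 stands in for the cut-down transform in the patch."""
    state = (ipaddress.ip_address(src).packed + struct.pack("!H", sport)
             + ipaddress.ip_address(dst).packed + struct.pack("!H", dport)
             + secret)
    return struct.unpack("!I", hashlib.md5(state).digest()[:4])[0]


def isn(secret: bytes, now: float, conn: tuple) -> int:
    """ISN = C + f(state), modulo 2**32."""
    return (clock_c(now) + offset_f(secret, *conn)) & MASK32


def seq_delta(a: int, b: int) -> int:
    """Signed distance a - b in sequence space; negative means a is behind b."""
    d = (a - b) & MASK32
    return d - (1 << 32) if d >= 1 << 31 else d


# Constructed 36-byte secrets (9 32-bit words, as in the patch description).
# A real implementation draws these from the kernel's random source.
OLD_SECRET = bytes(range(36))
NEW_SECRET = bytes(range(36, 72))


def reincarnation_step(old: bytes, new: bytes, conn: tuple,
                       t0: float = 100.0, gap: float = 1.0) -> int:
    """How far the ISN moves when one 4-tuple reconnects `gap` seconds later."""
    return seq_delta(isn(new, t0 + gap, conn), isn(old, t0, conn))


def backwards_after_rekey(n: int = 1000) -> int:
    """Count constructed 4-tuples whose ISN lands behind the previous
    incarnation's when the secret changes between the two connections."""
    conns = [("192.0.2.10", 1024 + i, "198.51.100.7", 80) for i in range(n)]
    return sum(reincarnation_step(OLD_SECRET, NEW_SECRET, c) < 0 for c in conns)


if __name__ == "__main__":
    conn = ("192.0.2.10", 40000, "198.51.100.7", 80)
    print("same secret :", reincarnation_step(OLD_SECRET, OLD_SECRET, conn))
    print("after rekey :", reincarnation_step(OLD_SECRET, NEW_SECRET, conn))
    print("backwards   :", backwards_after_rekey(), "of 1000")
```

With a fixed secret the step equals the clock advance (250000 ticks for one second); after a rekey it is the clock advance plus the difference of two unrelated hash outputs, so roughly half of the constructed tuples restart behind their previous ISN. RFC 1948 addresses this by requiring either retained dead-connection state or a quiet time of two maximum segment lifetimes after the secret changes.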



Re: TCP sequence numbers

1999-09-01 Thread Kris Kennaway

On Wed, 1 Sep 1999, Geoff Rehmet wrote:

 After a bit of work on TCP sequence numbers, and generating initial
 sequence numbers which are difficult to predict, I have put some
 code together, which I believe makes the way in which FreeBSD
 generates initial send sequence numbers more secure.

How do OpenBSD do it?

 The patch I have developed is based on RFC1948, and also takes some ideas
 from the way in which Linux calculates TCP ISS values.  However, unlike
 Linux, I am keeping the code true to RFC793's requirement for a
 fictitious 250kHz clock.  Instead of using a cut-down MD4 transform,
 (which is what Linux does), I have used a cut-down MD5 transform, with
 round 4 removed.

Just curious whether you have a reference for doing this or whether it was
an ad-hoc change. Playing with cryptographic algorithms isn't usually a
good idea unless you're sure, as I'm sure you know.

 As with the Linux code, I am using 9 32-bit words of
 random secret, which is rekeyed every 5 minutes.
 The remainder of the sequence number generation is based on our existing
 code.
 
 I have placed the diff in
 
 http://www.freebsd.org/~csgr/tcp_sequence.diff
 
 The diff was taken against -current as at approximately 0600 GMT
 1 September 1999.
 
 testing, comments would be appreciated.
 
 Once Mark has completed his work in devrandom, I will rather use
 devrandom as a source of randomness.

I'd expect Yarrow to be (perhaps quite a bit) slower than our existing
PRNG - it's a more conservative design and uses primitives like SHA-1 (for
yarrow-160). I don't know how much of an impact this would be for
network performance.

Kris






Re: [mount.c]: Option user-patch

1999-08-29 Thread Kris Kennaway

On Sun, 29 Aug 1999, Chris Piazza wrote:

 # set sysctl variables early as we can
 if [ -f /etc/rc.sysctl ]; then
 . /etc/rc.sysctl
 fi
 
 Mind you it doesn't look like it was merged into releng_3

Could someone do this before 3.3? It's useful functionality.

Kris





