Re: Who is maintainer of kerberos/heimdall/sendmail?
tlambert They appear to use SOMAXCONN, incorrectly. Do you specify which files for sendmail(8) use SOMAXCONN ? There is src/contrib/sendmail/libmilter/main.c, but it is NOT a part of sendmail(8) (and never be used in other components installed). In sendmail, the default second argument of listen(2) should be '10' which is defined statically. You can change with 'DaemonPortOptions' option (see /usr/share/doc/smm/08.sendmailop/paper.ascii.gz), IIRC. *** Speaking of tweaking SOMAXCONN value in kernel config file, why /etc/sysctl.conf is not enough to do? -- - Makoto MATSUSHITA To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: incorrect subclass?
Matthew Jacob([EMAIL PROTECTED])@2001.04.09 16:42:05 +: FBSD-I-I do not think you should do that. FBSD-W-Do not do that again. FBSD-E-I told you not to do that. FBSD-F-panic, freeing free identifier of known type when you implemented it, remind me to get a stack of blank punchcards to create a boot stack for /boot/loader and /kernel ;-) /k -- cd /pub; more beer KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
NFS export to netgroup with duplicate hosts
Hi -CURRENT users, I wonder what should happen when a volume is exported through NFS to a netgroup that contains duplicate hosts. At this site, we have a number of netgroups which contain both qualified and unqualified host names, as in MyNetgroup(somehost,-,-) (somehost.dom.ain,-,-) ... and I have the following line in /etc/exports: /usr -alldirs MyNetgroup (/usr is a ffs file system mount point). When mountd attempts to register the export list with the kernel, the first attempt to export to somehost succeeds, and then the second fails with EPERM ("can't change attributes for /usr"), and I am left with an empty kernel export list. This used to work with 5.0-CURRENT as of a few months ago. Shouldn't such an export work as expected? Thomas. -- Thomas Quinot ** Département Informatique Réseaux ** [EMAIL PROTECTED] ENST // 46 rue Barrault // 75634 PARIS CEDEX 13
Re: NFS export to netgroup with duplicate hosts
Hi, Of course you are right. Netgroup support got in some area broken when I did the IPv6 merge of NetBSD code. It will be fixed soon, sorry ! Another issue with mountd is, that it allows still one set of flags for one mountpoint. This is done per radix entry in the kernel and tied to each file-system mount point. If we manage it, mountd should soon be able to allow different mount flags for each path you export in /etc/exports. Martin Martin Blapp, [EMAIL PROTECTED] Improware AG, UNIX solution and service provider Zurlindenstrasse 29, 4133 Pratteln, Switzerland Phone: +41 79 370 26 05, Fax: +41 61 826 93 01
Re: it seems last changes broke sound.
At Thu, 12 Apr 2001 13:30:07 +0400, Juriy Goloveshkin wrote: Hello, sound in my box had been dead after last sound-drivers commit FreeBSD 5.0-CURRENT #44: Thu Apr 12 12:57:24 MSD 2001 pcm0: Yamaha DS-1E (YMF744) mem 0xfecf-0xfecf7fff irq 9 at device 9.0 on pci0 ds1: setmap (48a000, 3de4), nseg=1, error=0 pcm0: ac97 codec id 0x414b4d02 (Asahi Kasei AK4543) pcm0: ac97 codec features headphone, 18 bit DAC, 18 bit ADC, 5 bit master volume, AKM 3D Audio pcm: setmap 4a5000, 1000; 0xc923b000 - 4a5000 pcm: setmap 4b5000, 1000; 0xc924b000 - 4b5000 pcm: setmap 4c7000, 1000; 0xc925b000 - 4c7000 pcm: setmap 4d7000, 1000; 0xc926b000 - 4d7000 pcm: setmap 4ea000, 1000; 0xc927b000 - 4ea000 pcm: setmap 4fa000, 1000; 0xc928b000 - 4fa000 when I want to listen to my mpegs via mpg123, it happened nothing but pcm0: play interrupt timeout, channel dead Same here. (Either that, or some rather strange sounds.) Not only that, but there are even stranger problems with the interrupt. pcm0 and uhci0 share irq9: uhci0: Intel 82371AB/EB (PIIX4) USB controller port 0x1020-0x103f irq 9 at device 7.2 on pci0 pcm0: Yamaha DS-1E (YMF754) mem 0xfc108000-0xfc10 irq 9 at device 9.0 on pci0 Attempting to play sound doesn't register any interrupts (as reported by vmstat -i). Activity on the USB port causes the interrupt count to go up for pcm0, but not for uhci0. interrupt total rate stray irq0 10 ata0 irq14 2783407 uhci0 irq9 10 pcm0 irq9 230 ... -Peter-
ISO image available?
Hi, I'd like to try -current on a few machines. Is there a recent snapshot available as an ISO image somewhere? It'd be much faster than cvsup'ing and making world. Which leads to a more generic question: Wouldn't daily ISO snapshots of -stable and -current be nice to have? (On days when the makes go through.) There's probably some good reason why we don't have this; it'd make it a lot easier to test-drive bug-fixes though. Lars PS: Please CC me personally on responses, I'm not on -current. Thanks! -- Lars Eggert [EMAIL PROTECTED] Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
Re: ISO image available?
On Thu, 12 Apr 2001 09:10:55 -0700 Lars Eggert [EMAIL PROTECTED] wrote: Hi, I'd like to try -current on a few machines. Is there a recent snapshot available as an ISO image somewhere? It'd be much faster than cvsup'ing and making world. Which leads to a more generic question: Wouldn't daily ISO snapshots of -stable and -current be nice to have? (On days when the makes go through.) There's probably some good reason why we don't have this; it'd make it a lot easier to test-drive bug-fixes though. Lars PS: Please CC me personally on responses, I'm not on -current. Thanks! -- Lars Eggert [EMAIL PROTECTED] Information Sciences Institute http://www.isi.edu/larse/ University of Southern California There's not an iso for -CURRENT .. It changes too much. You can make your own iso though. ports/sysutils/mkisofs
Re: ISO image available?
Michael Johnson wrote: There's not an iso for -CURRENT .. It changes too much. Too bad. You can make your own iso though. ports/sysutils/mkisofs Yes, I've done that before for -stable, but it involves a make world :-) Grabbing an ISO from somewhere and quickly doing a CD install to test some bugfixes would be much faster. (I'm not that interested in actively tracking -current; I just want to be able to quickly run it whenever someone asks for feedback on a change that'd affect our setup.) Isn't someone out there doing a nightly scripted make world? How about doing a make release after? Lars -- Lars Eggert [EMAIL PROTECTED] Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
Re: ISO image available?
In the last episode (Apr 12), Michael Johnson said: On Thu, 12 Apr 2001 09:10:55 -0700 Lars Eggert [EMAIL PROTECTED] wrote: I'd like to try -current on a few machines. Is there a recent snapshot available as an ISO image somewhere? It'd be much faster than cvsup'ing and making world. Which leads to a more generic question: Wouldn't daily ISO snapshots of -stable and -current be nice to have? (On days when the makes go through.) There's probably some good reason why we don't have this; it'd make it a lot easier to test-drive bug-fixes though. There's not an iso for -CURRENT .. It changes too much. There are no ISO images, but there's something even better. Download the boot floppies for your favorite date and do a net install. ftp://current.freebsd.org/pub/FreeBSD/snapshots/i386/ There used to be a similar snapshot server for -stable, but it seems to have disappeared. -- Dan Nelson [EMAIL PROTECTED]
Re: ISO image available?
On Thu, 12 Apr 2001, Dan Nelson wrote: In the last episode (Apr 12), Michael Johnson said: On Thu, 12 Apr 2001 09:10:55 -0700 Lars Eggert [EMAIL PROTECTED] wrote: I'd like to try -current on a few machines. Is there a recent snapshot available as an ISO image somewhere? It'd be much faster than cvsup'ing and making world. Which leads to a more generic question: Wouldn't daily ISO snapshots of -stable and -current be nice to have? (On days when the makes go through.) There's probably some good reason why we don't have this; it'd make it a lot easier to test-drive bug-fixes though. There's not an iso for -CURRENT .. It changes too much. There are no ISO images, but there's something even better. Download the boot floppies for your favorite date and do a net install. ftp://current.freebsd.org/pub/FreeBSD/snapshots/i386/ There used to be a similar snapshot server for -stable, but it seems to have disappeared. -- Dan Nelson [EMAIL PROTECTED] ftp://releng4.freebsd.org/pub/FreeBSD/snapshots/i386 -- stable.
Re: Who is maintainer of kerberos/heimdall/sendmail?
tlambert Who is the maintainer of this code? I maintain sendmail. tlambert They appear to use SOMAXCONN, incorrectly. tlambert The value of SOMAXCONN is not valid; the valid limit is only tlambert obtainable from sysctl (kern.ipc.somaxconn). We (Sendmail) will look at integrating your fix into 8.12 (which will be the first to actually use it -- it's #ifdef'ed out in 8.11).
Re: ISO image available?
Dan Nelson wrote: There are no ISO images, but there's something even better. Download the boot floppies for your favorite date and do a net install. I didn't know that - perfect, thanks! -- Lars Eggert [EMAIL PROTECTED] Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
Re: ISO image available?
In [EMAIL PROTECTED], Lars Eggert wrote: There's probably some good reason why we don't have this; it'd make it a lot easier to test-drive bug-fixes though. You can get binary snapshots via anonymous ftp at current.freebsd.org in /pub/FreeBSD/snapshots ciao, -robert
Re: Who is maintainer of kerberos/heimdall/sendmail?
On Thu, 12 Apr 2001 09:24:46 -0700, Gregory Neil Shapiro [EMAIL PROTECTED] said: tlambert The value of SOMAXCONN is not valid; the valid limit is only tlambert obtainable from sysctl (kern.ipc.somaxconn). We (Sendmail) will look at integrating your fix into 8.12 (which will be the first to actually use it -- it's #ifdef'ed out in 8.11). No code should ever examine kern.ipc.somaxconn; it is there for sysadmin use only. If the desire is to express ``the most this system will allow'', the correct use is to pass the value -1 as the backlog parameter to listen(). All systems which implement kern.ipc.somaxconn also implement this feature. -GAWollman
Re: NFS export to netgroup with duplicate hosts
If we manage it, mountd should soon be able to allow different mount flags for each path you export in /etc/exports. I'm sorry. But now after some investigations and talks with Robert Watson it seems to be clear that this is not possible due to the way nfs works. It would be easy to fix mountd, and to store somewhere the path where the export is tied to, but how should nfsd handle this ? He gets a request for an inode (the namei translation is done on the client side). The server has now to look which flag set belongs to the inode. How can he see which set of flags belongs to that inode ? man share_nfs on solaris 7: Unlike previous implementations of share_nfs(1M), access checking for the window=, rw, ro, rw=, and ro= options is done per NFS request, instead of per mount request. In Sun's implementation of nfs is written (man share) If share commands are invoked multiple times on the same filesystem, the last share invocation supersedes the previous - the options set by the last share command replace the old options. For example, if read-write permission was given to usera on /somefs, then to give read-write permission also to userb on /somefs: That means that it's not possible as I get it. I'll do further investigations to be sure how it works on Solaris exactly. Martin
Re: ISO image available?
Dan Nelson wrote: There are no ISO images, but there's something even better. Download the boot floppies for your favorite date and do a net install. The 5.0-20010410-CURRENT installer doesn't recognize my "3Com 3c905C-TX Fast Etherlink XL", which in 4.2 is handled by the xl driver. I guess the netinstall will have to wait... -- Lars Eggert [EMAIL PROTECTED] Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
Re: ISO image available?
Lars Eggert [EMAIL PROTECTED] writes: Hi! The 5.0-20010410-CURRENT installer doesn't recognize my "3Com 3c905C-TX Fast Etherlink XL", which in 4.2 is handled by the xl driver. I guess the netinstall will have to wait... Uh, is there so much difference between 3c905(B|C)-TX? I ask, because I have xl0: 3Com 3c905B-TX Fast Etherlink XL port 0xd000-0xd07f mem 0xdd00-0xdd7f irq 11 at device 12.0 on pci0 in a build on FreeBSD lycius.LF.net 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Apr 11 06:09:53 CEST 2001 [EMAIL PROTECTED]:/usr/local/obj/usr/local/src/sys/LYCIUS i386 just wondering, norbert.
Re: ISO image available?
larse I'd like to try -current on a few machines. Is there a recent larse snapshot available as an ISO image somewhere? It'd be much larse faster than cvsup'ing and making world. URL:ftp://current.jp.FreeBSD.org/pub/FreeBSD/snapshots/i386/ISO-IMAGES/ It's not the same as current.FreeBSD.org's distribution (to show the difference, its version string is named '5.0-CURRENT-MMDD-JPSNAP'), but it SHOULD be the same thing. Slow connection? Try the mirror site: URL:ftp://ftp.kddlabs.co.jp/FreeBSD-current-jp/snapshots/i386/ISO-IMAGES/ larse Which leads to a more generic question: Wouldn't daily ISO larse snapshots of -stable and -current be nice to have? (On days larse when the makes go through.) ISO images mentioned above are generated twice a week. -- - Makoto `MAR' MATSUSHITA
Re: NFS export to netgroup with duplicate hosts
* Martin Blapp [EMAIL PROTECTED] [010412 10:11] wrote: If we manage it, mountd should soon be able to allow different mount flags for each path you export in /etc/exports. I'm sorry. But now after some investigations and talks with Robert Watson it seems to be clear that this is not possible due to the way nfs works. It would be easy to fix mountd, and to store somewhere the path where the export is tied to, but how should nfsd handle this ? He gets a request for an inode (the namei translation is done on the client side). The server has now to look which flag set belongs to the inode. How can he see which set of flags belongs to that inode ? man share_nfs on solaris 7: Unlike previous implementations of share_nfs(1M), access checking for the window=, rw, ro, rw=, and ro= options is done per NFS request, instead of per mount request. In Sun's implementation of nfs is written (man share) If share commands are invoked multiple times on the same filesystem, the last share invocation supersedes the previous - the options set by the last share command replace the old options. For example, if read-write permission was given to usera on /somefs, then to give read-write permission also to userb on /somefs: That means that it's not possible as I get it. I'll do further investigations to be sure how it works on Solaris exactly. It's actually relatively trivial to "implement". The reason I say "implement" is because it's fake when done unless you keep a contiguous parent mapping of all files being accessed through NFS. You simply encode the perms in the NFS filehandle then hang that in the exports list. Let's take a v2 filehandle: struct nfs_fh { opaque data[NFS_FHSIZE]; }; This is 32 bytes. Let's encode the "mount point" in the top byte. Ok, now what we have to do is reply to each request with the same top byte to indicate that it came from the same mount point.
In the export lists hung off the mount point we now have a data structure that looks like this: { client_addr, magic_perm_byte, perms } So now, you just search until you match {client_addr, magic_perm_byte} then check {perms} for access. ... student: "Ok master we have multiple export types with different permissions!" master: "Well, actually grasshopper we've just introduced a security hole for the uninitiated." s: "How can this be???" m: "What if the administrator was to grant a non trusted client read-only access to a share, then at a later date give the same non trusted client write access to another share on the same partition?" s: "I'm not following you dude." m: "Don't call me dude." *thwack* "The point is that if the workstation is untrusted, what's to stop the malicious hacker from taking a read-only filehandle and swapping the top byte with the byte required for write access?" s: "Well, why not make sure it's a valid handle for that mountpoint?" m: "That's where it gets tricky, you see, then you need to keep a cache of root nodes, meaning the mount points exported by mountd in the kernel, as well as cache each opened item attaching the {magic_perm_byte} to it along with {client_addr}, since NFS is stateless we really never know when it's safe to retire these cached filehandles, but let's just LRU them and return ESTALE when a filehandle not in the cache comes in" s: "Master, this sounds like hella work!" m: "A, you are correct, now get cracking!" s: ... -Alfred
Re: NFS export to netgroup with duplicate hosts
On 2001-04-12, Alfred Perlstein wrote: m: "Don't call me dude." *thwack* "The point is that if the workstation is untrusted, what's to stop the malicious hacker from taking a read-only filehandle and swapping the top byte with the byte required for write access?" The kernel could include a 'signature' in the handle, e.g. in the form of a hash of (perm-bytes,handle-bytes,secret-key). (But the following still holds:) s: "Master, this sounds like hella work!" (plus some crypto algorithm right in kernel space...) m: "A, you are correct, now get cracking!" Thomas. -- Thomas Quinot ** Département Informatique Réseaux ** [EMAIL PROTECTED] ENST // 46 rue Barrault // 75634 PARIS CEDEX 13
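Added example, not part of the original thread and not FreeBSD code: a sketch of the signed-handle idea from the two messages above, where the server puts a truncated HMAC over (client address, permission byte, handle body) inside the 32-byte v2 filehandle and rejects any handle whose tag does not verify. The 1/23/8-byte layout, the export table and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import os

NFS_FHSIZE = 32                       # v2 filehandle size quoted in the thread
TAG_LEN = 8                           # assumed: MAC truncated to fit the handle
BODY_LEN = NFS_FHSIZE - 1 - TAG_LEN   # assumed: 23 bytes identifying the file

# Constructed export table: permission byte -> (export path, access)
EXPORTS = {0x01: ("/usr", "ro"), 0x02: ("/usr/local", "rw")}


def handle_tag(key, client_addr, perm_byte, body):
    """Truncated HMAC-SHA256 over (client address, permission byte, body)."""
    msg = client_addr.encode() + b"\0" + bytes([perm_byte]) + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def issue_handle(key, client_addr, perm_byte, body):
    """Build the handle the server returns to one client for one file."""
    if perm_byte not in EXPORTS or len(body) != BODY_LEN:
        raise ValueError("unknown export or wrong body length")
    return bytes([perm_byte]) + body + handle_tag(key, client_addr, perm_byte, body)


def check_unsigned(handle):
    """The scheme as first sketched: the top byte alone selects the perms."""
    return EXPORTS.get(handle[0], (None, None))[1]


def check_signed(key, client_addr, handle):
    """Return "ro"/"rw", or None where a server would answer ESTALE."""
    if len(handle) != NFS_FHSIZE or handle[0] not in EXPORTS:
        return None
    body, tag = handle[1:1 + BODY_LEN], handle[1 + BODY_LEN:]
    expected = handle_tag(key, client_addr, handle[0], body)
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return EXPORTS[handle[0]][1]


if __name__ == "__main__":
    key = os.urandom(32)                      # per-server secret, never sent
    client = "192.0.2.10"                     # constructed client address
    body = bytes(range(BODY_LEN))             # constructed file identity
    ro = issue_handle(key, client, 0x01, body)
    swapped = bytes([0x02]) + ro[1:]          # top byte changed by the client
    print("unsigned check, swapped byte:", check_unsigned(swapped))
    print("signed check, original      :", check_signed(key, client, ro))
    print("signed check, swapped byte  :", check_signed(key, client, swapped))
    print("signed check, other client  :", check_signed(key, "192.0.2.11", ro))
```

The tag only ties a handle to the export and client it was issued for; a file that is later renamed or hard-linked into a different export keeps its old, still-valid handle, which is the case raised later in the thread.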
Re: incorrect subclass?
"Karsten W. Rohrbach" wrote: Matthew Jacob([EMAIL PROTECTED])@2001.04.09 16:42:05 +: FBSD-I-I do not think you should do that. FBSD-W-Do not do that again. FBSD-E-I told you not to do that. FBSD-F-panic, freeing free identifier of known type when you implemented it, remind me to get a stack of blank punchcards to create a boot stack for /boot/loader and /kernel ;-) No, no, no, that's a VAXism, so you will want to load your kernel, or perhaps even microcode, from a DECtape. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC [EMAIL PROTECTED] http://softweyr.com/
Re: NFS export to netgroup with duplicate hosts
:Hi, : :Of course you are right. Netgroup support got in some area broken :when I did the IPv6 merge of NetBSD code. It will be fixed :soon, sorry ! : :Another issue with mountd is, that it allows still one set of flags :for one mountpoint. This is done per radix entry in the kernel and tied :to each file-system mount point. : :If we manage it, mountd should soon be able to allow different mount flags :for each path you export in /etc/exports. : :Martin : :Martin Blapp, [EMAIL PROTECTED] You can't do that. You could manage different perms for different hosts (i.e. /usr is rw for host A and /usr is ro for host B), but you can't mix perms for subdirectories within a mount to the same host. The reason is that the file handles passed to nfsd could then be trivially faked to gain rw access on a ro-exported subdirectory. For example, if you export /usr read-only and /usr/local read-write, you can then construct an NFS request using /usr/local's mount point but with a file handle that represents a file in /usr, and then be able to write to that file. This is because the file handle representing file X will be almost identical no matter which mount point X is accessed relative to. -Matt
Re: NFS export to netgroup with duplicate hosts
The reason is that the file handles passed to nfsd could then be trivially faked to gain rw access on a ro-exported subdirectory. For example, if you export /usr read-only and /usr/local read-write, you can then construct an NFS request using /usr/local's mount point but with a file handle that represents a file in /usr, and then be able to write to that file. This is because the file handle representing file X will be almost identical no matter which mount point X is accessed relative to. Yes I see. I'd also like to see what happens if you move some directory, or if you are doing hardlinks and also move them ... :-) Your explanation is logical to me. Maybe we should fix the exports(5) manpage. This is not a bug, it's a security restriction. It seems to me that we have a really good nfs implementation here on BSD, and we can do more finetuning than on Solaris itself. Also mountd and export seems to support more features than in Solaris, according to the manpage. Could this export restriction change in future with nfsv4, when nfs does get stateful (I've heard about that the stateless behaviour will go away with nfsdv4) ... ? I do not know much about the internals of nfsv4 ... Martin
Re: SOMAXCONN -- not tunable?
In article local.mail.freebsd-current/[EMAIL PROTECTED] you write: Here are patches to make SOMAXCONN tunable from the config files. Right now, it's not possible to override SOMAXCONN. sysctl -w kern.ipc.somaxconn=1024 SOMAXCONN is just a compile time default, and yes it is not currently tunable at config time. Does it really have to be? Just stick it in /etc/sysctl.conf, and it gets set before most things are started in the system. -- Jonathan
Re: ISO image available?
The only difference I know of between the 905b and c is wake on lan. I thought I heard something about a 905c II that had problems with freebsd, but I don't remember much more. - Original Message - From: "Lars Eggert" [EMAIL PROTECTED] To: "Norbert Koch" [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, April 12, 2001 2:14 PM Subject: Re: ISO image available? Norbert Koch wrote: The 5.0-20010410-CURRENT installer doesn't recognize my "3Com 3c905C-TX Fast Etherlink XL", which in 4.2 is handled by the xl driver. I guess the netinstall will have to wait... Uh, is there so much difference between 3c905(B|C)-TX? I ask, because I have xl0: 3Com 3c905B-TX Fast Etherlink XL port 0xd000-0xd07f mem 0xdd00-0xdd7f irq 11 at device 12.0 on pci0 I don't know. :-) All I can say is that it is recognized fine under 4.2. -- Lars Eggert [EMAIL PROTECTED] Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
Re: SOMAXCONN -- not tunable?
On Thu, 12 Apr 2001, Jonathan Lemon wrote: In article local.mail.freebsd-current/[EMAIL PROTECTED] you write: Here are patches to make SOMAXCONN tunable from the config files. Right now, it's not possible to override SOMAXCONN. sysctl -w kern.ipc.somaxconn=1024 SOMAXCONN is just a compile time default, and yes it is not currently tunable at config time. Does it really have to be? Of course it doesn't have to be tunable at config time. Just stick it in /etc/sysctl.conf, and it gets set before most things are started in the system. Changing the actual limit using either the sysctl or an option breaks SOMAXCONN. I think the correct fix is to never define it and change whatever uses it to use sysconf(_SC_SOMAXCONN). Similarly for all other manifest constants that aren't actually constant. Bruce