Re: Migration TeX/LaTeX: from teTeX -- TeXlive
On 09/15/2013 02:00 PM, Roland Smith wrote:
> Personally I don't think TeX is a good fit for the ports tree (because of duplication of effort). I installed TeXLive using its own installer long before it was present in the ports tree. Since TeXLive is very complete and self-contained, I don't have other ports that depend on TeX.

+1

My TeX dependency and maintenance problems all but disappeared when I moved to the freestanding TeXLive installation. I run a nightly cron job to get the latest updates via tlmgr and it works like a charm.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Since SquirrelMail Looks Like It Will Never Be Supported Again...
SquirrelMail seems to be forever on hold because of an incompatibility with PHP 5. So I am going to have to replace it as our Webmail interface.

So, I'm looking for recommendations from the tribe here on what I should use instead:

1) Easy to use. Mostly this gets used by people when they are away from the office and then only occasionally.
2) It would be really nice if the program could import the Thunderbird Address Book.
3) Easy to install and maintain.

TIA,
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: texlive and package updating
On 08/09/2013 11:36 AM, Jerry wrote:
> Port: texlive-full-20120701
> Path: /usr/ports/print/texlive-full
> Info: TeX Live, Full Version
> Maint: h...@freebsd.org
>
> With: TEX_DEFAULT=texlive placed in the /etc/make.conf file.
>
> My question is how do I update the packages since the package updater has apparently been deliberately disabled? I install/update dozens of packages each week on my Windows machine, so I know that they are available.
>
> Also, all of the *-freebsd-doc-* ports are bonked due to the use of texlive. Is there any headway being made on that front?

I've given up on all OS distribution-based TexLive drops. I install texlive manually from their installer and then run tlmgr under cron control nightly to keep it up-to-date. I do this on FreeBSD (my primary dev and server platform) as well as all linux instances in my environment. It makes things a lot simpler.

-
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
FreeBSD Appliance Questions
I am working on an NAS appliance built on FreeBSD. Several questions:

- The vendor has rebranded everything so uname isn't helping me determine what exact branch of FreeBSD they used. Is there another canonical way to figure this out?
- For any reasonably recent version of FBSD, is it likely that the Linux emulation will work correctly or are there certain versions of FreeBSD that do this better than others?

Thanks,
--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: FreeBSD Appliance Questions
On 06/28/2013 05:27 PM, Tim Daneliuk wrote:
> I am working on an NAS appliance built on FreeBSD. Several questions:
>
> - The vendor has rebranded everything so uname isn't helping me determine what exact branch of FreeBSD they used. Is there another canonical way to figure this out?
> - For any reasonably recent version of FBSD, is it likely that the Linux emulation will work correctly or are there certain versions of FreeBSD that do this better than others?
>
> Thanks,

Oh one more thing - does anyone have experience - good or bad - with installing and running the Tivoli TSM Client software under the FreeBSD Linux emulation?

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: FreeBSD Appliance Questions
On 06/28/2013 05:31 PM, Outback Dingo wrote:
> On Fri, Jun 28, 2013 at 6:28 PM, Tim Daneliuk tun...@tundraware.com wrote:
> > On 06/28/2013 05:27 PM, Tim Daneliuk wrote:
> > > I am working on an NAS appliance built on FreeBSD. Several questions:
> > >
> > > - The vendor has rebranded everything so uname isn't helping me determine what exact branch of FreeBSD they used. Is there another canonical way to figure this out?
> > > - For any reasonably recent version of FBSD, is it likely that the Linux emulation will work correctly or are there certain versions of FreeBSD that do this better than others?
> > >
> > > Thanks,
> >
> > Oh one more thing - does anyone have experience - good or bad - with installing and running the Tivoli TSM Client software under the FreeBSD Linux emulation?
>
> would help to know the manufacturer, might be able to help nail down the version of the OS

It is an EMC/Isolon but I'm not sure which model. Still looking into it.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: FreeBSD Appliance Questions
On 06/28/2013 05:46 PM, Outback Dingo wrote:
> research shows http://en.wikipedia.org/wiki/OneFS_distributed_file_system

D'oh. I looked it up under Isolon but not OneFS.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Cannot Update Source Tree After Move To Subversion 1.8
On 06/24/2013 04:58 PM, Tim Daneliuk wrote:
> On 06/24/2013 03:20 PM, Matthew Seaman wrote:
> > On 24/06/2013 20:28, Tim Daneliuk wrote:
> > > After the update to svn 1.8, I did a new svn co of the FBSD 9-STABLE source branch. When I try to do an update to it, I see this now:
> > >
> > > svn: E155005: Working copy not locked at /usr/scr
> > >
> > > svn co svn://svn.freebsd.org/base/stable/9 /usr/src
> > >
> > > /usr/src is a symlink to another directory in a separate filesystem, but this historically worked, so I'm guessing that is not the problem.
> > >
> > > Ideas?
> >
> > svn upgrade
>
> Hm
>
> [root] ozzie ~svn upgrade /usr/src
> [root] ozzie ~svn update /usr/src
> svn: E155004: Run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)
> svn: E155004: Working copy '/usr1/src-9-STABLE' locked.
> svn: E155004: '/usr1/src-9-STABLE' is already locked.
> [root] ozzie ~svn cleanup /usr/src
> [root] ozzie ~svn update /usr/src
> Updating '/usr/src':
> svn: E155005: No write-lock in '/usr/src/sys'
> svn: E155005: Additional errors:
> svn: E155005: Working copy not locked at '/usr/src'.

It seems that svn 1.8 does not like symlinks. I have this:

/usr/src - /usr1/src-9-STABLE

I can do this fine:

svn update /usr1/src-9-STABLE

But this causes svn to dump core:

svn update /usr/src

At which point I have to do a cleanup to get the locks cleared out.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Cannot Update Source Tree After Move To Subversion 1.8
After the update to svn 1.8, I did a new svn co of the FBSD 9-STABLE source branch. When I try to do an update to it, I see this now:

svn: E155005: Working copy not locked at /usr/scr

svn co svn://svn.freebsd.org/base/stable/9 /usr/src

/usr/src is a symlink to another directory in a separate filesystem, but this historically worked, so I'm guessing that is not the problem.

Ideas?

--
---
Tim Daneliuk
Re: Cannot Update Source Tree After Move To Subversion 1.8
On 06/24/2013 03:20 PM, Matthew Seaman wrote:
> On 24/06/2013 20:28, Tim Daneliuk wrote:
> > After the update to svn 1.8, I did a new svn co of the FBSD 9-STABLE source branch. When I try to do an update to it, I see this now:
> >
> > svn: E155005: Working copy not locked at /usr/scr
> >
> > svn co svn://svn.freebsd.org/base/stable/9 /usr/src
> >
> > /usr/src is a symlink to another directory in a separate filesystem, but this historically worked, so I'm guessing that is not the problem.
> >
> > Ideas?
>
> svn upgrade

Hm

[root] ozzie ~svn upgrade /usr/src
[root] ozzie ~svn update /usr/src
svn: E155004: Run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)
svn: E155004: Working copy '/usr1/src-9-STABLE' locked.
svn: E155004: '/usr1/src-9-STABLE' is already locked.
[root] ozzie ~svn cleanup /usr/src
[root] ozzie ~svn update /usr/src
Updating '/usr/src':
svn: E155005: No write-lock in '/usr/src/sys'
svn: E155005: Additional errors:
svn: E155005: Working copy not locked at '/usr/src'.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Suddenly Seeing Clamav Errors After MailScanner Update
I am working on a FBSD 9.1-STABLE mail machine that's been working fine. After upgrading to MailScanner 4.84.5_3, we are now suddenly seeing errors like this:

Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/68340

Any ideas what might cause this? I have fallen back to the previous MailScanner.conf file wherein the problem does NOT seem to happen. But, after diffing old and new config files I cannot see where anything relevant to this might have changed.

Ideas anyone?

--
---
Tim Daneliuk
Re: Bourne shell if syntax
On 06/10/2013 01:53 PM, lcon...@go2france.com wrote:
> script fragment:
>
> PTR=`dig @some.dns +short +norec -x a.b.c.d`
> echo $PTR
> if [ $PTR ==] ; then
> echo $PTR /path/to/PTR_absent.txt
> fi
>
> ===
>
> output for an IP:
>
> a-b-c-d.domain.net.
> [: a-b-c-d.domain.net.: unexpected operator

Try this instead and see if this fixes it:

if [ _$PTR == _ ] ; then

---
Tim Daneliuk
Re: Bourne shell if syntax
On 06/10/2013 01:59 PM, dte...@freebsd.org wrote:
> > -Original Message-
> > From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of lcon...@go2france.com
> > Sent: Monday, June 10, 2013 11:53 AM
> > To: freebsd-questions@freebsd.org
> > Subject: Bourne shell if syntax
> >
> > script fragment:
> >
> > PTR=`dig @some.dns +short +norec -x a.b.c.d`
> > echo $PTR
> > if [ $PTR ==] ; then
>
> if [ $PTR = ]; then
>
> or
>
> if [ -z $PTR ]; then
>
> or
>
> if [ $PTR ]; then
>
> but _NOT_
>
> if [ $PTR == ]; then

I work across a bunch of different OSs and shells of many vintages. As I recall, the -z argument has problems of portability on older/broken shells and/or is not available in all environments (I cannot recall which at the moment). So I achieve the same results by using a character sentinel that guarantees that the comparison always works:

if [ _$PTR == _ ] ; then

--
---
Tim Daneliuk
Re: Bourne shell if syntax
On 06/10/2013 02:10 PM, dte...@freebsd.org wrote:
> > -Original Message-
> > From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Tim Daneliuk
> > Sent: Monday, June 10, 2013 12:06 PM
> > To: freebsd-questions@freebsd.org
> > Subject: Re: Bourne shell if syntax
> >
> > On 06/10/2013 01:59 PM, dte...@freebsd.org wrote:
> > > > -Original Message-
> > > > From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of lcon...@go2france.com
> > > > Sent: Monday, June 10, 2013 11:53 AM
> > > > To: freebsd-questions@freebsd.org
> > > > Subject: Bourne shell if syntax
> > > >
> > > > script fragment:
> > > >
> > > > PTR=`dig @some.dns +short +norec -x a.b.c.d`
> > > > echo $PTR
> > > > if [ $PTR ==] ; then
> > >
> > > if [ $PTR = ]; then
> > >
> > > or
> > >
> > > if [ -z $PTR ]; then
> > >
> > > or
> > >
> > > if [ $PTR ]; then
> > >
> > > but _NOT_
> > >
> > > if [ $PTR == ]; then
> >
> > I work across a bunch of different OSs and shells of many vintages. As I recall, the -z argument has problems of portability on older/broken shells and/or is not available in all environments (I cannot recall which at the moment). So I achieve the same results by using a character sentinel that guarantees that the comparison always works:
> >
> > if [ _$PTR == _ ] ; then
>
> Character sentinels are not required. FreeBSD's sh(1) knows (because [ is a built-in) that when you quote a parameter, that it is not (even if the value begins with -) not an operator.

That wasn't really my point. I use sentinels because in the face of an empty string this:

if [ $PTR = ]

Actually evaluates to:

if [ = ]

Which throws an error. The character sentinel avoids this without having to use -z, which as I said, I've had problems with not being too portable across older machinery.

> All work as expected. It matters not the value of $foo. sh(1) in FreeBSD knows because of the double-quotes that it is not an operator.
>
> Furthermore... == is not the right operator. It's =. Portability would surely be compromised if you were using == (which doesn't work on FreeBSD; or many other OSes I gather from experience).

Ooops, I did catch that and you're quite right.

--
---
Tim Daneliuk
Re: Bourne shell if syntax
On 06/10/2013 02:21 PM, dte...@freebsd.org wrote:
> Actually, there's another reason you should also avoid the above (unquoted parameter), and that's in the case of a multi-word value. For example:

Yup, that's the compelling case for using quoting.

--
---
Tim Daneliuk
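The forms debated in this thread, compared side by side; this is an added example, not code from any poster. A PTR answer is chosen by whoever runs the reverse zone and `dig +short` prints one name per line, so the value under test can be empty or multi-word; the function names and the two-record value are constructed for illustration, and `=` is used throughout because `==` is not portable.

```shell
#!/bin/sh
# Added example. test_status FORM VALUE prints the exit status of one way
# of asking "is VALUE empty?":
#   0 = empty, 1 = not empty, 2 or more = the [ command itself failed.
test_status() {
    form=$1
    v=$2
    (
        case $form in
            unquoted) [ $v = "" ] ;;      # value is word-split before [ sees it
            sentinel) [ _$v = _ ] ;;      # sentinel, still unquoted
            quoted)   [ "$v" = "" ] ;;    # always exactly three arguments
            dash_z)   [ -z "$v" ] ;;      # always exactly two arguments
            *)        exit 64 ;;
        esac
    ) 2>/dev/null && st=0 || st=$?
    echo "$st"
}

# The check a script acting on DNS answers can rely on.
ptr_absent() {
    [ -z "$1" ]
}

# Constructed value: two PTR records, as dig +short would print them.
two_ptrs=$(printf 'mail.example.net.\nmx.example.net.')

# Print a small table: one row per value, one column per form.
report() {
    printf '%-22s %8s %8s %6s %6s\n' value unquoted sentinel quoted dash_z
    for label in empty single multi; do
        case $label in
            empty)  val="" ;;
            single) val="a-b-c-d.domain.net." ;;
            multi)  val=$two_ptrs ;;
        esac
        printf '%-22s %8s %8s %6s %6s\n' "$label" \
            "$(test_status unquoted "$val")" \
            "$(test_status sentinel "$val")" \
            "$(test_status quoted "$val")" \
            "$(test_status dash_z "$val")"
    done
}

report
```

The `multi` row is the one to look at: both unquoted forms report a failure of `[` rather than an answer, while the quoted forms answer "not empty".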
Can sasl/sendmail Report IP Of Failed Access?
I am seeing login dictionary attacks on a FreeBSD mail server being reported. Is there a way to determine the IPs that are doing this so they can be blocked at the firewall? auth.log only notes the attempted user name, not the IP of origin.

--
---
Tim Daneliuk
Re: Can sasl/sendmail Report IP Of Failed Access?
On 06/04/2013 04:51 PM, Doug Hardie wrote:
> On 4 June 2013, at 08:47, Tim Daneliuk tun...@tundraware.com wrote:
> > I am seeing login dictionary attacks on a FreeBSD mail server being reported. Is there a way to determine the IPs that are doing this so they can be blocked at the firewall? auth.log only notes the attempted user name, not the IP of origin.
>
> I wrote some code to find the appropriate maillog entries which do include the IP addresses. It automagically adds the IP addresses to the pf blackhole table if certain criteria is met. The criteria is changeable. If you would like a copy, let me know.

Yes, I'd love a look at that, thanks.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
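One way to do what this thread describes, as an added example that is not Doug Hardie's code: count failed SMTP AUTH attempts per source address in maillog and list the addresses that reach a threshold, skipping an allowlist so a mistyped password at a trusted site cannot lock it out. It assumes the MTA logs `AUTH failure` lines that carry the client address in brackets after `relay=`; the sample lines are constructed, and the function names, threshold and allowlist are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed sample log lines (documentation addresses only).
sample_maillog() {
cat <<'EOF'
Jun  4 08:41:02 mail sm-mta[4101]: r54Df2aa004101: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 08:41:09 mail sm-mta[4102]: r54Df9ab004102: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 08:41:15 mail sm-mta[4103]: r54DfFac004103: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=dsl.example.net [203.0.113.7]
Jun  4 08:41:22 mail sm-mta[4104]: r54DfMad004104: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 09:02:40 mail sm-mta[4150]: r54E2eae004150: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[198.51.100.23]
Jun  4 09:02:51 mail sm-mta[4151]: r54E2paf004151: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[198.51.100.23]
Jun  4 09:10:01 mail sm-mta[4160]: r54EA1ag004160: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.0.2.10]
Jun  4 09:10:07 mail sm-mta[4161]: r54EA7ah004161: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.0.2.10]
Jun  4 09:10:13 mail sm-mta[4162]: r54EADai004162: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.0.2.10]
Jun  4 09:10:30 mail sm-mta[4163]: AUTH=server, relay=[192.0.2.10], authid=alice, mech=LOGIN, bits=0
Jun  4 09:11:00 mail sm-mta[4164]: r54EB0aj004164: from=<bob@example.org>, size=1204, nrcpts=1, relay=[198.51.100.23]
EOF
}

# auth_fail_ips MIN [ALLOWED] < maillog
# Prints "count ip" for every IPv4 source with at least MIN failed AUTH
# attempts, most active first. ALLOWED is a space-separated list of
# addresses that are never reported. IPv6 sources are not handled.
auth_fail_ips() {
    awk -v min="${1:-3}" -v allow="${2:-}" '
        BEGIN {
            k = split(allow, a, " ")
            for (i = 1; i <= k; i++) skip[a[i]] = 1
        }
        /AUTH failure/ {
            # The client address is the last bracketed dotted quad on the line.
            ip = ""
            rest = $0
            while (match(rest, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr(rest, RSTART + 1, RLENGTH - 2)
                rest = substr(rest, RSTART + RLENGTH)
            }
            if (ip != "") fails[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min + 0 && !(ip in skip))
                    print fails[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Review the list before acting on it. Each address in the second column
# can then be added to a pf table with:  pfctl -t <table> -T add <ip>
# (the table name is whatever your pf.conf defines).
sample_maillog | auth_fail_ips 3 "192.0.2.10"
```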
Re: check variable content size in sh script
On 05/18/2013 10:09 AM, Quartz wrote:
> > However, if the OP wanted to actually truncate $FOO to 51 characters:
> >
> > NEWFOO=$( echo $FOO | awk -v max=51 '{print substr($0,0,max)}' )
>
> You don't need all that for a simple truncation/substring, you can do it with a direct assignment:
>
> newfoo=${foo:0:51}

That works for bash, not sh.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: check variable content size in sh script
#foo works with sh

On May 18, 2013 10:58:30 AM Quartz qua...@sneakertech.com wrote:
> > > newfoo=${foo:0:51}
> >
> > That works for bash, not sh.
>
> Ok granted, but I don't think that ${#foo} is straight sh either, so I assumed things bash/tcsh/ksh/whatever accept when running in sh emulation were ok.
>
> __
> it has a certain smooth-brained appeal
Re: check variable content size in sh script
On 05/16/2013 10:08 AM, Joe wrote:
> Hello
>
> Have script that has max size on content in a variable. How to code size less than 51 characters?

FOO="Some string you want to check length of"
FOOLEN=`echo $FOO | wc | awk '{print $3}'`

You can then use $FOOLEN in a conditional.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: check variable content size in sh script
On 05/16/2013 10:45 AM, Dan Nelson wrote:
> In the last episode (May 16), Tim Daneliuk said:
> > On 05/16/2013 10:08 AM, Joe wrote:
> > > Hello
> > >
> > > Have script that has max size on content in a variable. How to code size less than 51 characters?
> >
> > FOO="Some string you want to check length of"
> > FOOLEN=`echo $FOO | wc | awk '{print $3}'`
> >
> > You can then use $FOOLEN in a conditional.
>
> Much better way:
>
> FOO="Some string you want to check length of"
> FOOLEN=${#FOO}

D'Oh, you're right ... what was I thinking ... Slinks off in shame ...

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: what commands show memory usage
On 05/14/2013 08:56 PM, Joe wrote:
> Tim Daneliuk wrote:
> > On 05/14/2013 08:32 PM, Joe wrote:
> > > When stopping vnet jails get message about lost memory pages. What console commands show available memory pages so I can determine the lost memory pages after 100 stopped jails? Want to find out if that lost memory page message is bogus or not.
> >
> > Look at 'vmstat' and 'free' commands.
>
> can't find any free command

Sorry Joe (and everyone), I had a brief bit flip. The command is actually called freebsd-memory and is not in the base system. It's an addon from Ralf Engelschall and can be found here:

http://people.freebsd.org/~rse/utils/

(If you care, the 'free' command is how you do this on Linux.)

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Looks Like New Changes To 'install' Break Mergemaster
$ mergemaster -Fi

*** The directory specified for the temporary root environment,
    /var/tmp/temproot, exists. This can be a security risk if untrusted
    users have access to the system.

  Use 'd' to delete the old /var/tmp/temproot and continue
  Use 't' to select a new temporary root directory
  Use 'e' to exit mergemaster

  Default is to use /var/tmp/temproot as is

How should I deal with this? [Use the existing /var/tmp/temproot] d

*** Deleting the old /var/tmp/temproot

*** Creating the temporary root environment in /var/tmp/temproot
*** /var/tmp/temproot ready for use
*** Creating and populating directory structure in /var/tmp/temproot

install: illegal option -- l
usage: install [-bCcMpSsv] [-B suffix] [-f flags] [-g group] [-m mode] [-o owner] file1 file2
       install [-bCcMpSsv] [-B suffix] [-f flags] [-g group] [-m mode] [-o owner] file1 ... fileN directory
       install -d [-v] [-g group] [-m mode] [-o owner] directory ...

*** FATAL ERROR: Cannot 'cd' to /usr/src and install files to
    the temproot environment
Re: Looks Like New Changes To 'install' Break Mergemaster
On 03/17/2013 02:36 PM, Tim Daneliuk wrote:
> $ mergemaster -Fi
>
> *** The directory specified for the temporary root environment,
>     /var/tmp/temproot, exists. This can be a security risk if untrusted
>     users have access to the system.
>
>   Use 'd' to delete the old /var/tmp/temproot and continue
>   Use 't' to select a new temporary root directory
>   Use 'e' to exit mergemaster
>
>   Default is to use /var/tmp/temproot as is
>
> How should I deal with this? [Use the existing /var/tmp/temproot] d
>
> *** Deleting the old /var/tmp/temproot
>
> *** Creating the temporary root environment in /var/tmp/temproot
> *** /var/tmp/temproot ready for use
> *** Creating and populating directory structure in /var/tmp/temproot
>
> install: illegal option -- l
> usage: install [-bCcMpSsv] [-B suffix] [-f flags] [-g group] [-m mode] [-o owner] file1 file2
>        install [-bCcMpSsv] [-B suffix] [-f flags] [-g group] [-m mode] [-o owner] file1 ... fileN directory
>        install -d [-v] [-g group] [-m mode] [-o owner] directory ...
>
> *** FATAL ERROR: Cannot 'cd' to /usr/src and install files to
>     the temproot environment

More specifically, running 'sh -x mergemaster' shows us this:

+ cd /usr/src
+ od=/var/tmp/temproot/usr/obj
+ make -m /usr/src/share/mk DESTDIR=/var/tmp/temproot distrib-dirs
+ MAKEOBJDIRPREFIX=/var/tmp/temproot/usr/obj make -m /usr/src/share/mk _obj SUBDIR_OVERRIDE=etc
+ MAKEOBJDIRPREFIX=/var/tmp/temproot/usr/obj make -m /usr/src/share/mk everything SUBDIR_OVERRIDE=etc
+ MAKEOBJDIRPREFIX=/var/tmp/temproot/usr/obj make -m /usr/src/share/mk DESTDIR=/var/tmp/temproot distribution
install: illegal option -- l
usage: install [-bCcMpSsv] [-B suffix] [-f flags] [-g group] [-m mode] [-o owner] file1 file2
       install [-bCcMpSsv] [-B suffix] [-f flags] [-g group] [-m mode] [-o owner] file1 ... fileN directory
       install -d [-v] [-g group] [-m mode] [-o owner] directory ...
+ echo ''
+ echo ' *** FATAL ERROR: Cannot '\''cd'\'' to /usr/src and install files to'
 *** FATAL ERROR: Cannot 'cd' to /usr/src and install files to
+ echo ' the temproot environment'
 the temproot environment
+ echo ''
+ exit 1

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Looks Like New Changes To 'install' Break Mergemaster
On 03/17/2013 02:52 PM, Tim Daneliuk wrote:

PR 177055 submitted.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
NFS Performance: Weirder And Weirder
This is really weird. A FreeBSD 9.1 system mounts the following:

/dev/ad4s1a    989M    625M    285M     69%    /
devfs          1.0k    1.0k      0B    100%    /dev
/dev/ad4s1d    7.8G      1G    6.1G     14%    /var
/dev/ad4s1e     48G    9.4G     35G     21%    /usr
/dev/ad4s1f    390G    127G    231G     35%    /usr1
/dev/ad6s1d    902G    710G    120G     86%    /usr1/BKU

/usr1/something (under ad4s1f) and /usr1/BKU (all of ad6s1d) are exported for NFS mounting on the LAN. I have tested the speeds of these two drives locally doing a 'dd if=/dev/zero '. Their speeds are quite comparable - around 55-60 MB/s so the problem below is not an artifact of a slow drive.

The two mounts are imported like this on a Linux Mint 12 machine:

machine:/usr1/BKU /BKU nfs rw,soft,intr 0 0
machine:/usr1/shared /shared nfs rw,soft,intr 0 0

Problem: When I write files from the LM12 machines to /BKU the writes are 1/10 the speed of when writing to /shared. Reads are fine in both cases, at near native disk speeds being reported.

Someone here suggested I get rid of any symlinks in the mount and I did that to no avail.

Incidentally, the only reason I just noticed this is that I upgraded the NIC on the FreeBSD machine and the switch into which it connects to 1000Base because the LM12 machine had a built in 1000Base NIC. I also changed the cables on both machines to ensure they were not the problem. Prior to this, I was bandwidth constrained by the 100Base so I never saw NFS performance as an issue. When I upgraded, I expected faster transfers and when I didn't get them, I started this whole investigation.

So ... I'm stumped:

- It's not the drive or SATA ports because both drives show comparable performance.
- It's not the cables because I can get great throughput on one of the NFS mountpoints.
- It's neither NIC for the same reason.

Does anyone:

A) Have a clue what might be doing this
B) Have a suggestion how to track down the problem

Thanks,
--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: NFS Performance: Weirder And Weirder
On 03/16/2013 04:20 PM, Mehmet Erol Sanliturk wrote:
> With respect to your mount points: /usr1 is spanning TWO different partitions:
>
> /dev/ad4s1f    390G    127G    231G     35%    /usr1
> /dev/ad6s1d    902G    710G    120G     86%    /usr1/BKU
>
> because /usr1/BKU is a sub-directory of /usr1.
>
> If you create a new directory, for example /usr2, and /usr2/BKU, and using this new separate directory for sharing, such as:
>
> /dev/ad6s1d    902G    710G    120G     86%    /usr2/BKU
>
> and
>
> machine:/usr2/BKU /BKU nfs rw,soft,intr 0 0
>
> will it make difference?
>
> Mehmet Erol Sanliturk

I just tried this and it made no difference. The same file copied onto the NFS mount on /usr1/shared takes about 20x as long when copied on to /usr[1|2]/BKU.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: NFS Performance: Weirder And Weirder
On 03/16/2013 05:43 PM, Mehmet Erol Sanliturk wrote:
> Michael W. Lucas in Absolute FreeBSD, 2nd Edition, (ISBN: 978-1-59327-151-0), is suggesting the following (p. 248):
>
> In client (mount, or, fstab), use options (-o tcp, intr, soft, -w=32768, -r=32768)
>
> tcp option will request a TCP mount instead of UDP mount, because FreeBSD NFS defaults to running over UDF.
>
> This subject may be another check point.

Another very good suggestion but ... to no avail. Thanks for pointing this out.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: NFS Performance: Weirder And Weirder
On 03/16/2013 10:15 PM, Mehmet Erol Sanliturk wrote:
> On Sat, Mar 16, 2013 at 6:46 PM, Tim Daneliuk tun...@tundraware.com wrote:
> > On 03/16/2013 05:43 PM, Mehmet Erol Sanliturk wrote:
> > > Michael W. Lucas in Absolute FreeBSD, 2nd Edition, (ISBN: 978-1-59327-151-0), is suggesting the following (p. 248):
> > >
> > > In client (mount, or, fstab), use options (-o tcp, intr, soft, -w=32768, -r=32768)
> > >
> > > tcp option will request a TCP mount instead of UDP mount, because FreeBSD NFS defaults to running over UDF.
> > >
> > > This subject may be another check point.
> >
> > Another very good suggestion but ... to no avail. Thanks for pointing this out.
> >
> > --
> > Tim Daneliuk tun...@tundraware.com
> > PGP Key: http://www.tundraware.com/PGP/
>
> I have read messages once more. There is a phrase: Linux Mint 12 machineS (plural).
>
> In your descriptions, there is no any information about network setup: Single client, multiple clients, etc.
>
> Then, with some assumptions: If there is ONLY ONE client, and all of the tests are performed on this ONLY client, problem may be attributed to FreeBSD server or kind of file(s) in different directories: One of them is encrypted (requires decryption), another is plain file, etc.

There is one server - FreeBSD, and one client - LM12. Both have had their cables replaced with new CAT6 wiring. Copying the exact same file to each of the NFS mounts exhibits the problem. Reading from the two NFS mounts is fast and as expected, so I do not suspect network issues. The two drives used on the server show similar disk performance locally.

The server side exports are identical for both mounts as are the client side mounts. The ONLY difference is that the fast NFS mount has server side permissions of 777 whereas the slow NFS mount has server side permissions of 775. Both are owned by root:wheel. The contents of each filesystem are owned by a user in the wheel group.

The one other difference is that all the contents of the slow mount are in a particular user group, and all the ones in the fast mount are in the wheel group. Changing the group ownership of all the stuff in the slow mount to wheel makes no difference.

The problem appears to be size related on the slow mount. When I copy, say, a 100MB file to it, performance is just fine. When I copy a 1G file, it's 1/20 the throughput (45MB/sec vs 2MB/sec).

This feels like some kind of buffer starvation but the fact that I can run at full speed against another mount point leaves me scratching my head as to just where. It's almost like there's some kind of halting going on during the transfer.

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Weird NFS Performance Problem
I have a FreeBSD 9.1-STABLE exhibiting weird NFS performance issues and I'd appreciate any suggestions.

I have several different directories exported from the same filesystem. The machine that mounts them (a Linux Mint 12 desktop) writes nice and fast to one of them, but writes to the other one are dreadfully slow. Both are mounted on the LM machine using 'rw,soft,intr' in that machine's fstab file.

Any ideas on what might be the culprit here?

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Fun Scripting Problem
I know how to do this in Python, but I really want to do it in straight Bourne shell. I have some ideas, but I thought I'd give you folks a crack at this Big Fun:

a) You have a directory of files - say they're logs - generated at nondeterministic intervals. You may get more than one a day, more than one a month, none, or hundreds.

b) To conserve space, you want to keep the last file generated in any given month (the archive goes back for an unspecified number of years), and delete all the files generated prior to that last file in that same month.

c) Bonus points if the problem is solved generally for either files or directories generated as described above.

These are not actually logs, and no, I don't think logrotate can do this ... or can it?

--
---
Tim Daneliuk
Re: Fun Scripting Problem
On 02/13/2013 12:38 PM, Teske, Devin wrote: (apologies for top-post) As tempted as I am, I think newsyslog(8) may be what you want. Missing information in your post is how you intend to timestamp the files -- by filename? by content? If by-content, then is it a good assumption that the data is one entry per-line? ... and if-so, is the timestamp in that line? These are all questions that would be needed to script what you're asking for (not that I'm volunteering or anything like that). The only way to determine the date of the file is by looking at its stat info. There is nothing in the file name or content that could be used to infer this. -- Tim Daneliuk
Re: Fun Scripting Problem
On 02/13/2013 03:13 PM, Robert Bonomi wrote: Date: Wed, 13 Feb 2013 12:27:31 -0600 From: Tim Daneliuk tun...@tundraware.com Subject: Fun Scripting Problem I know how to do this in Python, but I really want to do it in straight Bourne shell. I have some ideas, but I thought I'd give you folks a crack at this Big Fun: a) You have a directory of files - say they're logs - generated at nondeterministic intervals. You may get more than one a day, more than one a month, none, or hundreds. b) To conserve space, you want to keep the last file generated in any given month (the archive goes back for an unspecified number of years), and delete all the files generated prior to that last file in that same month. c) Bonus points if the problem is solved generally for either files or directories generated as described above. These are not actually logs, and no, I don't think logrotate can do this ... or can it?

here's a one-liner:

rm ` \
 stat -f "%SB %B %N" * \
 | sort -k5nr \
 | cut -c1-7,17-20,32- \
 | awk 'BEGIN {a="";b=0;c=0} $1==a && $2==b && $3==c {print $4;}{a=$1;b=$2;c=$3}' \
 `

This selects on creation date. change the B (both of them) in the stat call to use a different timestamp

Thanks to all that took the time. Interesting responses. It will be fun to cook up my own version. -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
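An added example, not code from anyone in this thread: one way to do the month-by-month pruning in plain sh for files or directories, using stat info as the original post requires. It assumes modification time is the timestamp of interest (the one-liner above selects on birth time), defaults to a dry run, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: keep only the newest entry per calendar month, judged by
# modification time (an assumption; the one-liner in the thread used birth time).

# Pick the GNU or BSD flavour of stat(1)/date(1) once, up front.
if stat -c %Y / >/dev/null 2>&1; then
    mtime_epoch() { stat -c %Y -- "$1"; }     # GNU coreutils, busybox
    epoch_month() { date -d "@$1" +%Y-%m; }
else
    mtime_epoch() { stat -f %m -- "$1"; }     # FreeBSD, macOS
    epoch_month() { date -r "$1" +%Y-%m; }
fi

# list_stale DIR: print every file or directory in DIR that is NOT the newest
# entry of its month, one path per line.
list_stale() {
    tab=$(printf '\t')
    nl=$(printf '\nx'); nl=${nl%x}
    for p in "$1"/*; do
        [ -e "$p" ] || [ -L "$p" ] || continue    # unmatched glob in an empty dir
        case $p in
            *"$nl"*) echo "skipped (newline in name): $p" >&2; continue ;;
        esac
        e=$(mtime_epoch "$p") || continue
        printf '%s\t%s\t%s\n' "$(epoch_month "$e")" "$e" "$p"
    done |
    sort -t "$tab" -k1,1 -k2,2nr |
    awk -F '\t' '
        { name = substr($0, length($1) + length($2) + 3) }  # path may hold tabs
        $1 == month { print name; next }                    # older entry, same month
        { month = $1 }                                      # newest entry: keep it'
}

# prune_monthly DIR [delete]: dry run unless the second argument is "delete".
prune_monthly() {
    list_stale "$1" | while IFS= read -r p; do
        if [ "${2:-}" = delete ]; then
            rm -rf -- "$p"
        else
            printf 'would remove: %s\n' "$p"
        fi
    done
}
```

Names containing spaces or tabs are handled; names containing a newline are skipped with a warning rather than guessed at.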
Was I Sourced?
Is there a way for a script to determine whether it was sourced or forked off as a subprocess when it was invoked? I have a script that needs to be sourced to work properly and I want to warn the luser if they exec or subshell it instead. TIA, -- Tim Daneliuk
Re: Was I Sourced?
On 02/12/2013 11:10 AM, Robert Bonomi wrote: Date: Tue, 12 Feb 2013 08:53:37 -0600 From: Tim Daneliuk tun...@tundraware.com To: FreeBSD Mailing List freebsd-questions@freebsd.org Subject: Was I Sourced? Is there a way for a script to determine whether it was sourced or forked off as a subprocess when it was invoked? I have a script that needs to be sourced to work properly and I want to warn the luser if they exec or subshell it instead.

a 'sourced' script does -not- honor a shebang line. you can exploit that. The executable script /usr/local/bin/source_only;

#!/bin/sh
echo Error: this script must be sourced

Your script:

#!/usr/local/bin/source_only
{cmd} {cmd} {cmd} {cmd} {cmd} {cmd} ... ...

Trying to do it totally self-contained is not easy.

Actually, it's not that hard. Setting the shebang line to this does the trick:

#!/bin/echo This Script Must Be Sourced

Thanks to all who replied on this one ... -- Tim Daneliuk
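An added example, not part of the thread: the #!/bin/echo shebang from the reply above, exercised three ways so the behaviour of each invocation is visible. The file contents, the APP_ENV variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the "#!/bin/echo" shebang from the thread, invoked three ways.

# make_source_only PATH: create an executable file that is meant to be sourced.
make_source_only() {
    cat > "$1" <<'EOF'
#!/bin/echo This Script Must Be Sourced
# Read by an already-running shell, the line above is only a comment.
APP_ENV=staging    # hypothetical setting the calling shell needs
EOF
    chmod +x "$1"
}

# Executed directly: the kernel starts /bin/echo, which prints the warning
# followed by the script path. Nothing inside the file is interpreted.
run_executed() { "$1"; }

# Sourced: the current shell reads the file, so the setting takes effect.
run_sourced() { . "$1"; printf 'APP_ENV=%s\n' "${APP_ENV:-unset}"; }

# Handed to an interpreter explicitly: the shebang is never consulted, so no
# warning is printed and the setting is lost when the child shell exits.
run_via_sh() { sh "$1"; printf 'APP_ENV=%s\n' "${APP_ENV:-unset}"; }
```

The third case is the gap in the trick: it warns on direct execution only, not when someone runs the file as an argument to sh.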
Re: OT: What Might Break gethostbyname() ?
On Thu, January 17, 2013 6:49 am, Dan Nelson wrote: First, check /etc/nsswitch.conf and verify that dns is listed on the hosts: line. Next, try disabling nscd (svcadm disable name-service-cache) , and then running truss ping www.google.com (make sure to reenable nscd when you're done debugging). You should see syscalls to open /etc/resolv.conf, read the contents, and then open a socket to the nameserver listed in that file. Dan and Robert - Thanks for your replies. It seems that someone removed DNS from the hosts line in nsswitch.conf and this is what was breaking ordinary userland resolver calls. WHY they did this is unclear to me. I appreciate you folks taking the time here...
OT: What Might Break gethostbyname() ?
This is not really a FreeBSD problem ... in fact, it's happening on a Solaris 10 machine. But because the TCP stack and its userland interface came from BSD, I am hoping some kind soul might have an insight into what's going on ... The machine in question does DNS lookups fine via dig or nslookup. I believe these connect directly to the DNS server(s) specified in /etc/resolv.conf. However, any program that uses gethostbyname() - like ping - fails and says it cannot resolve the name. I'm looking for hints here on why or how gethostbyname() and/or the network stack could get clobbered so as to not be able to talk to the DNS servers which I know are reachable via dig and nslookup. TIA, -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: manpage - html
On 01/12/2013 06:24 PM, Fbsd8 wrote: Is there any command line command to convert a port's manpage to html? Well really any manpage. In the ports under: textproc/man2html -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Syncing Two Dirs With Rsync
I have used rsync for many years to make sure a destination machine:directory is kept up-to-date with some source master directory. I now need to find a way to keep two different machine:dirs in sync with each other. But for any given file, I don't know which of these is newer so I don't know which way to sync. For example given: machineA::/dir/foo machineB:/dir/foo machineA::/dir/bar machineB:/dir/bar Say the machineA has the newest foo, but machineB has the newest bar. At the end of syncing, I want both machines to have the latest copies of everything. I'm guessing there's a way to do this with rsync but I'm kind of stumped. Ideas? -- Tim Daneliuk
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/18/2012 06:53 PM, John Hein wrote: Tim Daneliuk wrote at 17:48 -0600 on Dec 5, 2012: On 12/05/2012 05:44 PM, Kurt Buff wrote: On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk tun...@tundraware.com wrote: I am working with an institution that today provides limited privilege escalation on their servers via very specific sudo rules. The problem is that the administrators can do 'sudo su -'. snip sudo is misconfigured. man 5 sudoers and man 8 visudo Kurt I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're saying. Are you suggesting that there is a way to configure sudo so that if someone does 'sudo su -' to become an admin, sudo can be made to log every command they execute thereafter? See log_input and log_output in sudoers(5) Thanks so much John, that's the secret sauce I was looking for... -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/18/2012 07:09 PM, Tim Daneliuk wrote: On 12/18/2012 06:53 PM, John Hein wrote: Tim Daneliuk wrote at 17:48 -0600 on Dec 5, 2012: On 12/05/2012 05:44 PM, Kurt Buff wrote: On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk tun...@tundraware.com wrote: I am working with an institution that today provides limited privilege escalation on their servers via very specific sudo rules. The problem is that the administrators can do 'sudo su -'. snip sudo is misconfigured. man 5 sudoers and man 8 visudo Kurt I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're saying. Are you suggesting that there is a way to configure sudo so that if someone does 'sudo su -' to become an admin, sudo can be made to log every command they execute thereafter? See log_input and log_output in sudoers(5) Thanks so much John, that's the secret sauce I was looking for... One further question, if I may. If I do this: sudo su - Will log_input record everything I do once I've been promoted to root? I ask because my initial experiments seem to show that all that's getting recorded is the content of the sudo command itself, not the subsequent actions... -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/18/2012 07:33 PM, Devin Teske wrote: On Dec 18, 2012, at 5:18 PM, Tim Daneliuk wrote: One further question, if I may. If I do this: sudo su - Will log_input record everything I do once I've been promoted to root? I ask because my initial experiments seem to show that all that's getting recorded is the content of the sudo command itself, not the subsequent actions… Correct, sudo is blind to the actions performed once the command requested is executed (in this case, su and subsequently a shell followed by more actions). Actually, I just tried this with both log_input and log_output options enabled. It seems that it *can* see into the promoted shell with a few caveats: - Command output is logged immediately, but command inputs appear to only be written to the log when you exit the promoted shell. This may be not quite right - there may have not been enough input to cause a write flush to the log. - The logging seems to be able to see into a spawned subshell, but I don't think it can see input/output if you, say, kick off an xterm. I've suggested the lrexec module for catching everything, or you can look into the auditdistd (distributed auditing collection/collation to a remote/central server) approach, the praudit approach, or any of the other pieces of software mentions. -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/18/2012 08:03 PM, Devin Teske wrote: On Dec 18, 2012, at 5:43 PM, Tim Daneliuk wrote: On 12/18/2012 07:33 PM, Devin Teske wrote: On Dec 18, 2012, at 5:18 PM, Tim Daneliuk wrote: One further question, if I may. If I do this: sudo su - Will log_input record everything I do once I've been promoted to root? I ask because my initial experiments seem to show that all that's getting recorded is the content of the sudo command itself, not the subsequent actions… Correct, sudo is blind to the actions performed once the command requested is executed (in this case, su and subsequently a shell followed by more actions). Actually, I just tried this with both log_input and log_output options enabled. It seems that it *can* see into the promoted shell with a few caveats: - Command output is logged immediately, but command inputs appear to only be written to the log when you exit the promoted shell. This may be not quite right - there may have not been enough input to cause a write flush to the log. - The logging seems to be able to see into a spawned subshell, but I don't think it can see input/output if you, say, kick off an xterm. What about if you do sudo vim and then type :sh ? Yep, I just tried that too. It catches that. It also catches the in/output of subshells - like, say, kicking off sh interactively. Similarly, if you're running text-based emacs, it catches the output of spawning to a shell from there and doing things. The only restriction I have run into so far is that - for obvious reasons - sudo cannot see into what you're doing if you kick off an X application like xterm or graphical emacs, for instance. -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/18/2012 08:20 PM, Tim Daneliuk wrote: On 12/18/2012 08:03 PM, Devin Teske wrote: On Dec 18, 2012, at 5:43 PM, Tim Daneliuk wrote: On 12/18/2012 07:33 PM, Devin Teske wrote: On Dec 18, 2012, at 5:18 PM, Tim Daneliuk wrote: One further question, if I may. If I do this: sudo su - Will log_input record everything I do once I've been promoted to root? I ask because my initial experiments seem to show that all that's getting recorded is the content of the sudo command itself, not the subsequent actions… Correct, sudo is blind to the actions performed once the command requested is executed (in this case, su and subsequently a shell followed by more actions). Actually, I just tried this with both log_input and log_output options enabled. It seems that it *can* see into the promoted shell with a few caveats: - Command output is logged immediately, but command inputs appear to only be written to the log when you exit the promoted shell. This may be not quite right - there may have not been enough input to cause a write flush to the log. - The logging seems to be able to see into a spawned subshell, but I don't think it can see input/output if you, say, kick off an xterm. What about if you do sudo vim and then type :sh ? Yep, I just tried that too. It catches that. It also catches the in/output of subshells - like, say, kicking off sh interactively. Similarly, if you're running text-based emacs, it catches the output of spawning to a shell from there and doing things. The only restriction I have run into so far is that - for obvious reasons - sudo cannot see into what you're doing if you kick off an X application like xterm or graphical emacs, for instance. I should clarify that I tested this not on FreeBSD but on a Mint Linux desktop I had handy. I would expect the same behavior everywhere, though, since sudo itself is reasonably portable... -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/18/2012 10:10 PM, Devin Teske wrote: On Dec 18, 2012, at 6:20 PM, Tim Daneliuk wrote: On 12/18/2012 08:03 PM, Devin Teske wrote: On Dec 18, 2012, at 5:43 PM, Tim Daneliuk wrote: On 12/18/2012 07:33 PM, Devin Teske wrote: On Dec 18, 2012, at 5:18 PM, Tim Daneliuk wrote: One further question, if I may. If I do this: sudo su - Will log_input record everything I do once I've been promoted to root? I ask because my initial experiments seem to show that all that's getting recorded is the content of the sudo command itself, not the subsequent actions… Correct, sudo is blind to the actions performed once the command requested is executed (in this case, su and subsequently a shell followed by more actions). Actually, I just tried this with both log_input and log_output options enabled. It seems that it *can* see into the promoted shell with a few caveats: - Command output is logged immediately, but command inputs appear to only be written to the log when you exit the promoted shell. This may be not quite right - there may have not been enough input to cause a write flush to the log. - The logging seems to be able to see into a spawned subshell, but I don't think it can see input/output if you, say, kick off an xterm. What about if you do sudo vim and then type :sh ? Yep, I just tried that too. It catches that. It also catches the in/output of subshells - like, say, kicking off sh interactively. Similarly, if you're running text-based emacs, it catches the output of spawning to a shell from there and doing things. The only restriction I have run into so far is that - for obvious reasons - sudo cannot see into what you're doing if you kick off an X application like xterm or graphical emacs, for instance. What about screen or tmux? (wondering if the transition into multiplexed shell is anywhere as opaque as X11). It definitely works if you are in a screen session and sudo su - from there. I have not tried promoting myself to root and THEN starting the screen session (I don't use tmux). -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
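An added example, not written by anyone in this thread: a small audit that reads sudoers text and reports, for each rule that hands out a root shell, whether the log_input and log_output options from sudoers(5) mentioned above would cover the session. The sample policy is constructed, and the list of shell binaries and the one-rule-per-line parsing are assumptions.

```shell
#!/bin/sh
# Added example: report which sudoers rules grant a root shell and whether the
# resulting session would be I/O-logged (log_input / log_output).
# Simplifications (assumptions): one rule per line, no backslash continuations,
# no alias expansion, and a tag anywhere in a rule is treated as covering it.

audit_shell_grants() {      # sudoers text on stdin, one report line per rule
    awk '
    # True when the command list contains ALL, su, or a shell binary.
    function grants_shell(cmds,    n, i, c, part) {
        n = split(cmds, part, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = part[i]
            while (c ~ /^[A-Z_]+:/) sub(/^[A-Z_]+:[ \t]*/, "", c)  # strip tags
            sub(/[ \t].*$/, "", c)                                  # strip arguments
            if (c == "ALL") return 1
            sub(/^.*\//, "", c)                                     # basename
            if (c ~ /^(su|sh|csh|tcsh|bash|ksh|zsh)$/) return 1
        }
        return 0
    }
    function yn(v) { return v ? "yes" : "no" }

    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*Defaults[ \t]/ {                        # global Defaults only
        line = $0
        sub(/^[ \t]*Defaults[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        n = split(line, opt, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            if (opt[i] == "log_input")   def_in = 1
            if (opt[i] == "!log_input")  def_in = 0
            if (opt[i] == "log_output")  def_out = 1
            if (opt[i] == "!log_output") def_out = 0
        }
        next
    }
    /^[ \t]*(Defaults|[A-Z][a-z]+_Alias)/ { next }  # scoped Defaults, aliases
    /=/ {
        who[++rules] = $1
        spec[rules] = $0
        sub(/^[^=]*=[ \t]*/, "", spec[rules])
        gsub(/\([^)]*\)[ \t]*/, "", spec[rules])    # drop (runas) lists
    }
    END {                                           # Defaults apply wherever they appear
        for (r = 1; r <= rules; r++) {
            if (!grants_shell(spec[r])) continue
            in_ok = def_in; out_ok = def_out
            pos = spec[r]; gsub(/NOLOG_(INPUT|OUTPUT):/, "", pos)  # positive tags only
            if (pos ~ /LOG_INPUT:/)         in_ok = 1
            if (spec[r] ~ /NOLOG_INPUT:/)   in_ok = 0
            if (pos ~ /LOG_OUTPUT:/)        out_ok = 1
            if (spec[r] ~ /NOLOG_OUTPUT:/)  out_ok = 0
            print who[r] " input=" yn(in_ok) " output=" yn(out_ok)
        }
    }'
}

# Constructed sample policy (not from the thread).
sample_sudoers() {
    cat <<'EOF'
Defaults log_output
%wheel ALL=(ALL) ALL
%dba   ALL=(root) /usr/local/sbin/install_client
tim    ALL=(root) LOG_INPUT: /usr/bin/su -
ops    ALL=(root) NOLOG_OUTPUT: /bin/sh
EOF
}
```

A rule reported with both values "yes" is still subject to the limit found in the thread: sudo does not see what happens inside X applications started from the recorded session.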
Re: Mounting a samba share on boot?
On 12/11/2012 10:25 AM, Hanafi Syahroini wrote: This can be done with appropriate entries in /etc/fstab. However, I'd recommend against doing so because, if the SMB server is unreachable when the FreeBSD system boots, the FreeBSD box will hang looking for the SMB connection. A better way is to put a custom script in /usr/local/etc/rc.d/ that initiates the SMB mounts there. This too could fail, but it doesn't prevent the OS from booting fully. -- Tim Daneliuk
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/06/2012 12:55 PM, n j wrote: On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk tun...@tundraware.com wrote: ... Well ... does auditd provide a record of every command issued within a script? I was under the impression (and I may well be wrong) that it noted only the name of the script being executed. Even if you configured auditd to record every command issued within a script, you'd still have a problem if a malicious user put the same commands inside a binary. As some people already pointed out, there is practically no way to control users once you give them root privileges. I understand this. Even the organization in question understands this. They are not trying to *prevent* any kind of access. All they're trying to do is *log* it. Why? To meet some obscure compliance requirement they have to adhere to in order to remain in business. rant I know all of this is silly but that's our future when you let Our Fine Government regulate pretty much anything. /rant The only thing that would really solve your problem is probably something like http://www.balabit.com/network-security/scb/features (no personal experience with it, but seems it does what you need). -- Tim Daneliuk
Re: List all hard drives on system (with capacities)... How?
On 12/06/2012 05:30 PM, Ronald F. Guilmette wrote: I'd like to write a small program or shell script that simply lists all of the physical hard drives attached to the local system, along with their product identifiers and their respective capacities. The following simple script works well for both PATA/SATA and USB hard drives, but it does not list drive capacities:

#!/bin/sh
atacontrol list | grep ': ad[0-9]' | sed 's/^.*: //'
camcontrol devlist | grep '(da[0-9]' | sed -E 's/^(.*) \((da[0-9]+).*$/\2 \1/'

How can I modify the script above in order to get it to print out the respective drive capacities?

Look into fdisk -s -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Somewhat OT: Is Full Command Logging Possible?
This is a little bit outside the strict boundaries of a FreeBSD question, but I am hoping someone in this community has solved this problem and that I might be able to adapt it for non-FreeBSD systems (AIX and Linux, specifically). I am working with an institution that today provides limited privilege escalation on their servers via very specific sudo rules. The problem is that the administrators can do 'sudo su -'. The fact that they became root is logged, *but everything thereafter they do is not*. What these people need is something that does the following things - this need not be sudo based, any FOSS or commercial solution would be considered:

- Log the fact that someone became effective root
- Log every command they execute *as* root
- If they run a script as root, log the individual actions of that script
- Have visibility into all this no matter how they access the system - console, ssh, xterm

Nothing I have found so far meets all these criteria. Verbose syslogging will not catch the case where you start a subshell from the main shell. Keylogging seems to only have limited coverage and does not appear it would work if, say, I log in via ssh and then kick off an xterm. Other solutions fail if I start an editor and shell out from there. The current proposal is to install sudo rules such that NO one is allowed 'sudo su -' and *every single command* you want to run as root has to start with 'sudo'. This has two big drawbacks:

- It's an enormous pain for the admins and fundamentally changes their workflow
- It cannot see into scripts. So I can circumvent it pretty easily with:

sudo chown root:wheel my_naughty_script
sudo chmod 700 my_naughty_script
sudo ./my_naughty_script

The sudo log will note that I ran the script, but not what it did. So Gentle Geniuses, is there prior art here that could be applied to give me full coverage logging of every action taken by any person or thing running with effective or actual root? P.S. I do not believe auditd does this either. -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/05/2012 05:42 PM, Damien Fleuriot wrote: On 6 Dec 2012, at 00:19, Tim Daneliuk tun...@tundraware.com wrote: sudo chown root:wheel my_naughty_script sudo chmod 700 my_naughty_script sudo ./my_naughty_script The sudo log will note that I ran the script, but not what it did. wow, way to complicate matters. Hey, I didn't dream up this problem :) sudo csh So Gentle Geniuses, is there prior art here that could be applied to give me full coverage logging of every action taken by any person or thing running with effective or actual root? P.S. I do not believe Now would be a good time to start, then. Well ... does auditd provide a record of every command issued within a script? I was under the impression (and I may well be wrong) that it noted only the name of the script being executed. The only things you need to ensure are: - auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that ?) - the audit trail files can only be appended to ; man chflags An alternative would be lshell, however you'll have to whitelist commands people can execute. Remember that we want admins to be able to do *anything* but we just want to log what they do, in fact do. -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/05/2012 06:35 PM, Kurt Buff wrote: On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk tun...@tundraware.com wrote: On 12/05/2012 05:44 PM, Kurt Buff wrote: On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk tun...@tundraware.com wrote: I am working with an institution that today provides limited privilege escalation on their servers via very specific sudo rules. The problem is that the administrators can do 'sudo su -'. snip sudo is misconfigured. man 5 sudoers and man 8 visudo Kurt I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're saying. Are you suggesting that there is a way to configure sudo so that if someone does 'sudo su -' to become an admin, sudo can be made to log every command they execute thereafter? No, I'm saying that sudo should not be configured to allow 'sudo su -'. Since you say that the users are provided limited privilege escalation on their servers via very specific sudo rules, it seems to me that one of three things is going wrong: o- Something is wrong with the configuration of sudoers if they can su to root when they shouldn't be able to do so o- Someone has misconceived what limited privilege escalation on their servers via very specific sudo rules actually means, and deliberately has it configured to allows users to su to root o- The users' accounts are already root equivalent, which, depending on the version and configuration of sudo, might give them the ability to sudo to root regardless of the contents of the sudoers file (see, for instance, the screen in FreeBSD when you perform 'cd /usr/ports/security/sudo' and then 'make config') Kurt Oh, OK, I wasn't being clear: - *Some* users are granted the ability to do sudo su - These are the sysadmins. - All other users are given selective ability to run only a few things via sudo. This varies by department and is controlled through a combination of sudo rules and central LDAP group membership control. This is necessary because, for example, some DBAs need this when installing a particular client. -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: When Is The Ports Tree Going To Be Updated?
On 11/25/2012 11:17 PM, Warren Block wrote: On Sun, 25 Nov 2012, Matthew Seaman wrote: On 25/11/2012 23:10, Tim Daneliuk wrote: After the recent security scare, I know the ports tree was temporarily frozen. Does anyone know when it will again be updated. I just upgraded to 9.1-PRE and need to rebuild Firefox Thunderbird against the new libraries and ... they're broken, marked as security hazards... It's been being updated normally since near enough a week ago. Normally means subject to the pre-9.1-RELEASE restrictions on sweeping changes as is usual at this point in a release cycle. FireFox 17 and Thunderbird 17 updates were committed to ports on 20th November. Hmm. Is the index file being rebuilt? With FF16 installed, and 17 in the port directory, portsdb -Fu portversion -vl'' shows nothing to update. After 'make index', it does show. The problem was that I was missing the 'fetch' verb in my portsnap command. -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: When Is The Ports Tree Going To Be Updated?
On 11/26/2012 01:30 AM, Matthew Seaman wrote: On 26/11/2012 00:59, Tim Daneliuk wrote: I use portsnap fetch update and it works... Ah, maybe that was the problem. That works for me as well. Ummm... how long have you been using portsnap? If you haven't been running 'portsnap fetch' or 'portsnap cron' then you won't have received any updates to your ports tree, ever. This is all explained quite clearly in the portsnap(8) man page. Cheers, Matthew I just switched from csup last week and am still learning the ropes. -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
When Is The Ports Tree Going To Be Updated?
After the recent security scare, I know the ports tree was temporarily frozen. Does anyone know when it will again be updated. I just upgraded to 9.1-PRE and need to rebuild Firefox Thunderbird against the new libraries and ... they're broken, marked as security hazards... TIA, -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: When Is The Ports Tree Going To Be Updated?
On 11/25/2012 05:25 PM, Matthew Seaman wrote: On 25/11/2012 23:10, Tim Daneliuk wrote: After the recent security scare, I know the ports tree was temporarily frozen. Does anyone know when it will again be updated. I just upgraded to 9.1-PRE and need to rebuild Firefox Thunderbird against the new libraries and ... they're broken, marked as security hazards... It's been being updated normally since near enough a week ago. Normally means subject to the pre-9.1-RELEASE restrictions on sweeping changes as is usual at this point in a release cycle. FireFox 17 and Thunderbird 17 updates were committed to ports on 20th November. Cheers, Matthew

Hmmm, something is amiss:

[root] ~portsnap update
Ports tree is already up to date.
[root] ~cd /usr/ports/www/firefox
[root] /usr/ports/www/firefoxmake
=== firefox-16.0.2,1 has known vulnerabilities:
Affected package: firefox-16.0.2,1
Type of problem: mozilla -- multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/d23119df-335d-11e2-b64c-c8600054b392.html
= Please update your ports tree and try again.
*** [check-vulnerable] Error code 1
Stop in /usr1/ports/www/firefox.
** [build] Error code 1
Stop in /usr1/ports/www/firefox.

-- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: When Is The Ports Tree Going To Be Updated?
On 11/25/2012 06:56 PM, ajtiM wrote:
On Sunday 25 November 2012 17:30:15 Tim Daneliuk wrote:
On 11/25/2012 05:25 PM, Matthew Seaman wrote:
On 25/11/2012 23:10, Tim Daneliuk wrote:

After the recent security scare, I know the ports tree was temporarily frozen. Does anyone know when it will again be updated? I just upgraded to 9.1-PRE and need to rebuild Firefox Thunderbird against the new libraries and ... they're broken, marked as security hazards...

It's been being updated normally since near enough a week ago. Normally means subject to the pre-9.1-RELEASE restrictions on sweeping changes as is usual at this point in a release cycle. FireFox 17 and Thunderbird 17 updates were committed to ports on 20th November.

Cheers, Matthew

Hmmm, something is amiss:

    [root] ~portsnap update
    Ports tree is already up to date.
    [root] ~cd /usr/ports/www/firefox
    [root] /usr/ports/www/firefoxmake
    === firefox-16.0.2,1 has known vulnerabilities:
    Affected package: firefox-16.0.2,1
    Type of problem: mozilla -- multiple vulnerabilities.
    Reference: http://portaudit.FreeBSD.org/d23119df-335d-11e2-b64c-c8600054b392.html
    = Please update your ports tree and try again.
    *** [check-vulnerable] Error code 1
    Stop in /usr1/ports/www/firefox.
    ** [build] Error code 1
    Stop in /usr1/ports/www/firefox.

I use portsnap fetch update and it works...

Ah, maybe that was the problem. That works for me as well.

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Is FreeBSD 9 Production Ready?
I am currently running FBSD 8.3-STABLE on a production server that provides http, dns, smtp, and so on for a small domain. This is not a high arrival rate environment but it does need to be rock solid (which FBSD 4-8 have been).

I am contemplating moving to the FBSD 9 family. Is this branch ready for production or should I wait a while yet? I ordinarily avoid x.0 releases of anything and I know 9.1 is soon going to be with us.

In a related note, if I do move to 9.x is it sufficient to grab the appropriate source tree and compile world and kernels, install and reboot? That is, it is reasonable to do an in-place upgrade. This is how I migrated 4-6, 6-7, and 7-8 and I am hoping this is still the case since a complete reinstall is painful and slow.

TIA,
--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Is FreeBSD 9 Production Ready?
On 11/24/2012 11:19 AM, Lucas B. Cohen wrote:

I wouldn't blindly trust and drop an operating system on production servers, no matter how good the feedback from outside my organization sounds.

In general, I'd agree with you. Certainly, that's been the case with Linux, AIX, and so on over the years. But I have had essentially no problems doing in-place major rev updates with FreeBSD thus far.

The only breakage I am worried about now is whether the new compiler change breaks things that used to work just fine. For example, will my make.conf settings be properly observed by the new tool chain?

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
I Guess I Don't Understand NFS As Well As I Thought
Can someone kindly explain what is going on here:

Machine A: FreeBSD - was running 8, just upgraded to 9.1-PRE (I don't recall seeing the behavior described below in V8, but then, I don't think I ever tried it).

Machine B: Linux Mint Desktop

- Machine A acts as an NFS server for Machine B.
- Machine A exports a particular directory like this:

    /usr/foo -maproot=myid -network ...

- /usr/foo/bar is owned by root on Machine A and has files therein owned as root:root with permissions of 600.
- If I access /usr/foo/bar/file1 from Machine B, I cannot read it but - and this is the part I don't get - I CAN *rename* it.

What's going on? Since /foo/bar/ is owned by root and everything in it is 600 root:root, I would not expect a remote access to allow things like renaming. Clearly I am missing something here, but I don't get it.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: I Guess I Don't Understand NFS As Well As I Thought
On 11/24/2012 03:25 PM, Doug Hardie wrote:
On 24 November 2012, at 12:32, Tim Daneliuk wrote:

Can someone kindly explain what is going on here:

Machine A: FreeBSD - was running 8, just upgraded to 9.1-PRE (I don't recall seeing the behavior described below in V8, but then, I don't think I ever tried it).

Machine B: Linux Mint Desktop

- Machine A acts as an NFS server for Machine B.
- Machine A exports a particular directory like this:

    /usr/foo -maproot=myid -network ...

- /usr/foo/bar is owned by root on Machine A and has files therein owned as root:root with permissions of 600.
- If I access /usr/foo/bar/file1 from Machine B, I cannot read it but - and this is the part I don't get - I CAN *rename* it.

What's going on? Since /foo/bar/ is owned by root and everything in it is 600 root:root, I would not expect a remote access to allow things like renaming. Clearly I am missing something here, but I don't get it.

What are the permissions on the directory /usr/foo/bar?

775

Let me correct something. The files in that directory are owned by root:wheel (not root:root - I got my *nixes confused), but they definitely have 600 perms. On Machine A, user 'myid' is IN the wheel group but I still don't see how he's getting permission to rename the file.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Is FreeBSD 9 Production Ready?
On 11/24/2012 03:48 PM, Matthew Seaman wrote:

It is not however sufficient to get you a completely upgraded system: you will still have to re-install all of your ports. Otherwise, as you end up trying to upgrade ports by ones and twos over time, you'll end up with a complete rat's nest of contradictory shared library dependencies and programs crashing left, right and centre.

So I am discovering. I moved the system to 9.1-PRE today with a source compile. After I then did a make remove-old, the system started complaining about missing libraries. So ... I temporarily fixed this with appropriate /etc/libmap.conf entries. I am now about to do a portupgrade -aARrvf to redo the ports. We'll see how that goes...

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: I Guess I Don't Understand NFS As Well As I Thought
On 11/24/2012 05:13 PM, Doug Hardie wrote:
On 24 November 2012, at 14:37, Tim Daneliuk wrote:
On 11/24/2012 03:25 PM, Doug Hardie wrote:
On 24 November 2012, at 12:32, Tim Daneliuk wrote:

Can someone kindly explain what is going on here:

Machine A: FreeBSD - was running 8, just upgraded to 9.1-PRE (I don't recall seeing the behavior described below in V8, but then, I don't think I ever tried it).

Machine B: Linux Mint Desktop

- Machine A acts as an NFS server for Machine B.
- Machine A exports a particular directory like this:

    /usr/foo -maproot=myid -network ...

- /usr/foo/bar is owned by root on Machine A and has files therein owned as root:root with permissions of 600.
- If I access /usr/foo/bar/file1 from Machine B, I cannot read it but - and this is the part I don't get - I CAN *rename* it.

What's going on? Since /foo/bar/ is owned by root and everything in it is 600 root:root, I would not expect a remote access to allow things like renaming. Clearly I am missing something here, but I don't get it.

What are the permissions on the directory /usr/foo/bar?

775

Let me correct something. The files in that directory are owned by root:wheel (not root:root - I got my *nixes confused), but they definitely have 600 perms. On Machine A, user 'myid' is IN the wheel group but I still don't see how he's getting permission to rename the file.

Renaming a file does not change the file itself. It updates the directory. Any user in group wheel has the authority to write to the directory (e.g., change a file's name). The directory permissions are rwx for group wheel. You can either try a user on machine B who is not in group wheel or change the directory permissions to 755 on /usr/foo/bar. Then it would work as you expect.

D'oh ... of course that's it. Thanks.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
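Added example, not part of the thread: the answer above turns on rename being governed by write permission on the directory, so a 600 file in a 775 directory can still be renamed or unlinked by any member of the directory's group. The sketch below, with the hypothetical function name `audit_rename_exposure`, flags such directories in an exported tree by mode bits alone. It assumes no ACLs and does not check who is actually in the group.

```shell
#!/bin/sh
# audit_rename_exposure DIR
#
# Print every directory under DIR that is writable by group (or other),
# has no sticky bit, and directly contains regular files that the same
# class cannot read. Those are the files a user can rename or remove
# without being able to open them. The sticky bit is excluded because it
# restricts rename/unlink to the owner of the file or of the directory.
audit_rename_exposure() {
    root=$1
    for class in group other; do
        case $class in
            group) wbit=-020 rbit=-040 ;;   # g+w on the directory, g+r on the file
            other) wbit=-002 rbit=-004 ;;   # o+w on the directory, o+r on the file
        esac
        find "$root" -type d -perm "$wbit" ! -perm -1000 -print |
        while IFS= read -r dir; do
            # Count files directly inside dir that this class cannot read.
            hidden=$(find "$dir" -maxdepth 1 -type f ! -perm "$rbit" -print |
                     wc -l | tr -d ' ')
            if [ "$hidden" -gt 0 ]; then
                printf '%s %s-writable, %s unreadable file(s)\n' \
                    "$dir" "$class" "$hidden"
            fi
        done
    done
}

# Run against a tree when one is given on the command line,
# for example the exported directory from the thread: /usr/foo
if [ "$#" -gt 0 ]; then
    audit_rename_exposure "$1"
fi
```

Tightening a reported directory to 755, as suggested in the reply, or setting its sticky bit removes it from the report.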
Re: Is FreeBSD 9 Production Ready?
On 11/24/2012 05:58 PM, Erich Dollansky wrote:

Hi,

On Sat, 24 Nov 2012 10:38:35 -0600 Tim Daneliuk tun...@tundraware.com wrote:

I am currently running FBSD 8.3-STABLE on a production server that provides http, dns, smtp, and so on for a small domain. This is not a high arrival rate environment but it does need to be rock solid (which FBSD 4-8 have been).

why would you like to break a running system?

That's exactly what I don't want to do.

I am contemplating moving to the FBSD 9 family. Is this branch ready

I would stay with 8.x until the end of its support and move only then to a new branch. It could be then 9.x or 10.y. I would then - but only then - prefer the 10.y branch. I retired my 7.4 only because of lightning strike this spring. Robustness is my main goal here. Any change which brings only the risk is avoided.

I used to take this approach. However, I discovered the pain of fixing a configuration that jumped several major releases was way higher than tracking them each as they became stable. I did the 9.1-PRE upgrade today and - once the new system was compiled and ready to be installed - had only very minor conversion issues.

In my case, the most painful part of conversion is the mail infrastructure. The server in question is the domain's mail server and it has a LOT of moving parts with custom configurations: sendmail, greylisting, mailscanner, spam assassin, mailman, SASL ... That is pretty much always what breaks. Doing smaller leaps tends to make this more tractable to control.

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Is FreeBSD 9 Production Ready?
On 11/24/2012 06:16 PM, Shane Ambler wrote:
On 25/11/2012 04:06, Tim Daneliuk wrote:

But I have had essentially no problems doing in-place major rev updates with FreeBSD thus far. The only breakage I am worried about now is whether the new compiler change breaks things that used to work just fine. For example, will my make.conf settings be properly observed by the new tool chain?

If you want to build with clang wait for 9.1 http://www.freebsd.org/cgi/query-pr.cgi?pr=threads/165173

I plan to stay conservative and only switch to clang when it is THE way to build everything. i.e., When GCC is finally retired for use in the base OS.

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Using Pipes Inside a GNU Make File
On 09/05/2012 09:15 PM, Warren Block wrote:
On Wed, 5 Sep 2012, Tim Daneliuk wrote:
On 09/05/2012 07:24 PM, Bryan Drewery wrote:
On 9/5/2012 7:02 PM, Tim Daneliuk wrote:

A bit off topic, but I'm kind of stuck. I am using gmake and want to do something like this:

    FOO := $(shell a | b | c)

But this appears not to work. Only the 'a' command is executed. The remainder of the pipeline is ignored. Is there some clean way to implement this kind of thing?

I use this in a GNUMakefile and it works fine.

    BRANCH := $(shell git branch --no-color | grep ^* | sed -e 's/^\* //')

You may need to post a more specific example.

Bryan

Here's the line that is failing:

    2LATEX = $(shell which rst2latex.py rst2latex | tr '\012' ' ' | awk '{print $1}') --stylesheet=parskip

Bryan's example is using := for assignment.

That wasn't it, as it turned out. The problem was in the awk statement. Instead of:

    awk '{print $1}'

I had to use:

    awk '{print $$1}'

This is necessary because $1 is a *make* variable but $$1 is the awk variable I wanted ($1)

D'uh

---
Tim Daneliuk
Somewhat OT: Using Pipes Inside a GNU Make File
A bit off topic, but I'm kind of stuck. I am using gmake and want to do something like this:

    FOO := $(shell a | b | c)

But this appears not to work. Only the 'a' command is executed. The remainder of the pipeline is ignored. Is there some clean way to implement this kind of thing?

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Using Pipes Inside a GNU Make File
On 09/05/2012 07:24 PM, Bryan Drewery wrote:
On 9/5/2012 7:02 PM, Tim Daneliuk wrote:

A bit off topic, but I'm kind of stuck. I am using gmake and want to do something like this:

    FOO := $(shell a | b | c)

But this appears not to work. Only the 'a' command is executed. The remainder of the pipeline is ignored. Is there some clean way to implement this kind of thing?

I use this in a GNUMakefile and it works fine.

    BRANCH := $(shell git branch --no-color | grep ^* | sed -e 's/^\* //')

You may need to post a more specific example.

Bryan

Here's the line that is failing:

    2LATEX = $(shell which rst2latex.py rst2latex | tr '\012' ' ' | awk '{print $1}') --stylesheet=parskip

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Tangential And OT: Commercial Support For 'sudo'
Please forgive the OTishness of this, but I'm hoping some of my fellows in the large data center space may have a hint or two here ...

I am working with a firm that needs to run sudo in a variety of OS environments. A few of these - notably IBM AIX - do not provide vendor support and legal indemnification of many open source packages, sudo among them. This is officially a Big Deal (tm) for this company.

So ... does anyone know of a commercial concern that provides sudo support and legal indemnification? GratiSoft - the keeper of sudo - were apparently going to do this at one point but decided not to.

TIA,

Now back to your regularly scheduled discussion of the World's Finest OS...

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Best file system for a busy webserver
On 08/16/2012 01:16 PM, Paul Schmehl wrote:
Paul Schmehl pschmehl_li...@tx.rr.com wrote:

Does anyone have any opinions on which file system is best for a busy webserver (7 million hits/month)? Is any one system noticeably better than any other?

With only 15G of data, I'd recommend a pair of 60G SSD drives like the OCZ Vertex IIIs (About $1/G these days) wired into a *hardware* RAID controller setup to mirror them. This gives you blazing speed and reliability. If you want to add another drive, you can make it RAID 5 which - with the right cabinet and mounting hardware - would give you hotswap capability.

I know people are fond of software RAID but I personally do not consider this a very high reliability technology unless you're running true datacenter class hardware with redundant everything (disk, NIC, fiber ...) and that's probably overkill in this case.

Good RAID controllers are available from a number of manufacturers. I dunno if FreeBSD supports them, but Rocket has a good reputation (though I've never used them) as do both Adaptec and LSI. In any case, a controller plus 3 drives would probably only set you back in the $500-ish area which seems like a reasonable price point.

Furthermore, depending on the amount of stuff that you're serving that is static vs. dynamic, you may get benefit from increasing memory (thereby increasing the likelihood of a cache hit) and increasing the minimum/threshold values for the number of httpd processes running all the time.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: shell scripting: grepping multiple patterns, logically ANDed
On 06/27/2012 10:25 AM, Tim Daneliuk wrote:
On 06/27/2012 09:25 AM, Aleksandr Miroslav wrote:

hello, I'm not sure if this is the right forum for this question, but here goes. I have the following in a shell script:

    #!/bin/sh
    if [ $# -eq 0 ]; then
        find /foo
    fi
    if [ $# -eq 1 ]; then
        find /foo | grep -i $1
    fi
    if [ $# -eq 2 ]; then
        find /foo | grep -i $1 | grep -i $2
    fi
    if [ $# -eq 3 ]; then
        find /foo | grep -i $1 | grep -i $2 | grep -i $3
    fi

Is there an easier/shorter way to do this? If there are 15 arguments supplied on the command line, I don't necessarily want to build 15 if statements. Thanks in advance for your answers.

The following solution relies on the fact that you can include multiple patterns for grep to match with the '-e' argument:

    #!/bin/sh
    # Prepend a space so that sed puts -e in front of every argument
    PATTERNS=`echo " $*" | sed s/\ /\ -e\ /g`
    find /foo | grep $PATTERNS

Notice that when constructing the $PATTERNS string out of the command line args, you have to quote them with a prepended space character. That's because the subsequent 'sed' substitution needs to find a space *before* each argument which it then replaces with -e .

Whoops, I just realized that I ORed them and you want them ANDed. Hmmm ... must go think on that...
Re: shell scripting: grepping multiple patterns, logically ANDed
On 06/27/2012 09:25 AM, Aleksandr Miroslav wrote:

hello, I'm not sure if this is the right forum for this question, but here goes. I have the following in a shell script:

    #!/bin/sh
    if [ $# -eq 0 ]; then
        find /foo
    fi
    if [ $# -eq 1 ]; then
        find /foo | grep -i $1
    fi
    if [ $# -eq 2 ]; then
        find /foo | grep -i $1 | grep -i $2
    fi
    if [ $# -eq 3 ]; then
        find /foo | grep -i $1 | grep -i $2 | grep -i $3
    fi

Is there an easier/shorter way to do this? If there are 15 arguments supplied on the command line, I don't necessarily want to build 15 if statements. Thanks in advance for your answers.

The following solution relies on the fact that you can include multiple patterns for grep to match with the '-e' argument:

    #!/bin/sh
    # Prepend a space so that sed puts -e in front of every argument
    PATTERNS=`echo " $*" | sed s/\ /\ -e\ /g`
    find /foo | grep $PATTERNS

Notice that when constructing the $PATTERNS string out of the command line args, you have to quote them with a prepended space character. That's because the subsequent 'sed' substitution needs to find a space *before* each argument which it then replaces with -e .

---
Tim Daneliuk
Re: shell scripting: grepping multiple patterns, logically ANDed
On 06/27/2012 10:33 AM, Tim Daneliuk wrote:
On 06/27/2012 10:25 AM, Tim Daneliuk wrote:
On 06/27/2012 09:25 AM, Aleksandr Miroslav wrote:

hello, I'm not sure if this is the right forum for this question, but here goes. I have the following in a shell script:

    #!/bin/sh
    if [ $# -eq 0 ]; then
        find /foo
    fi
    if [ $# -eq 1 ]; then
        find /foo | grep -i $1
    fi
    if [ $# -eq 2 ]; then
        find /foo | grep -i $1 | grep -i $2
    fi
    if [ $# -eq 3 ]; then
        find /foo | grep -i $1 | grep -i $2 | grep -i $3
    fi

Is there an easier/shorter way to do this? If there are 15 arguments supplied on the command line, I don't necessarily want to build 15 if statements. Thanks in advance for your answers.

The following solution relies on the fact that you can include multiple patterns for grep to match with the '-e' argument:

    #!/bin/sh
    # Prepend a space so that sed puts -e in front of every argument
    PATTERNS=`echo " $*" | sed s/\ /\ -e\ /g`
    find /foo | grep $PATTERNS

Notice that when constructing the $PATTERNS string out of the command line args, you have to quote them with a prepended space character. That's because the subsequent 'sed' substitution needs to find a space *before* each argument which it then replaces with -e .

Whoops, I just realized that I ORed them and you want them ANDed. Hmmm ... must go think on that...

OK, here is an ANDing version:

    #!/bin/sh
    # Prepend a space so that every argument gets its own "| grep" stage
    PATMATCH=`echo " $*" | sed s/' '/' | grep '/g`
    eval find ./ $PATMATCH

--
---
Tim Daneliuk
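Added example, not part of the thread: the ANDing version above builds the pipeline as a string and hands it to `eval`, so every command-line argument is re-parsed as shell syntax and a pattern containing a space, `|` or `;` changes the command that runs. The sketch below gets the same AND behaviour with no `eval` by chaining one `grep` per argument recursively. The function names `and_filter` and `find_all` are hypothetical, and the sample paths are constructed.

```shell
#!/bin/sh
# and_filter PATTERN...
#
# Copy stdin to stdout, keeping only the lines that match every PATTERN
# (case-insensitive regular expressions, as with grep -i in the thread).
# Each pattern is passed to grep as one quoted argument, so it is never
# interpreted by the shell, whatever characters it contains.
and_filter() {
    if [ "$#" -eq 0 ]; then
        # No patterns left: pass everything through unchanged.
        cat
        return
    fi
    pattern=$1
    shift
    # -e keeps a pattern that begins with "-" from being read as an option.
    # The remaining patterns are applied by the recursive call downstream.
    grep -i -e "$pattern" | and_filter "$@"
}

# find_all DIR PATTERN...
#
# List every path under DIR whose name matches all of the patterns.
# With no patterns it behaves like a plain find, as in the original script.
find_all() {
    dir=$1
    shift
    find "$dir" -print | and_filter "$@"
}

# Constructed sample input: only the first path contains both words.
printf '%s\n' ./Alpha/beta.txt ./alpha/notes.txt ./beta/readme |
    and_filter alpha beta
```

The function returns the exit status of the final `cat`, so an empty result is not reported as a failure.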
[ANN] tperimeter 1.113 Released And Available
'tperimeter' Version 1.113 is released and available at:

    http://www.tundraware.com/Software/tperimeter/

The last public release was 1.112

What's New

Changed the wrapper file rebuild logic to delete outstanding access requests independently of how often the script is run (either by cron, or manually). This means that the 'cron' frequency now determines the average waiting time before a user's request is fulfilled. The '${DURATION}' variable in 'rebuild-hosts.allow.sh' sets how long access will be permitted (The default value is 10 minutes).

Minor documentation updates, typo fixes, and housekeeping.

What Is 'tperimeter'?

Have you ever been away from the office and needed, say, ssh access to your system? Ooops - you can't do that because in your zealous pursuit of security, you set your TCP wrappers to prevent outside access to all but a select group of hosts. Worse still, everywhere you go, your local IP address changes so there is no practical way to open up the wrappers for this situation.

'tperimeter' is a dynamic TCP wrapper control system that gives you (limited) remote control of your TCP wrapper configuration. It does this via a web interface that you've (hopefully) secured with https/SSL. You just log in, specify your current IP address and one of the services you want to access. 'tperimeter' will then briefly open a hole in your wrappers long enough to let you in. It then automatically closes the hole again. Voila! Remote access to your system, wherever you are. You get much of the facility of a VPN or so-called port knocking without most of the aggravation.

As a side benefit, 'tperimeter' will also simplify management of your standard /etc/hosts.allow TCP wrapper control file.

'tperimeter' is written in python, shell script, and html. It is very small and easy to maintain. It was developed and tested on FreeBSD 4.x/8.x, and apache 1.x/2.x, but should run with very minor (or no) modification on most Unix-like systems like Linux or Mac OS X hosts.

It comes complete with documentation in html, pdf, dvi, and Postscript formats. There is no licensing fee for any use, personal, commercial, government, or institutional.

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT - A Makefile Question
On 06/07/2012 12:19 AM, Parv wrote:

in message 4fcf48af@tundraware.com, wrote Tim Daneliuk thusly...

...

Within a makefile, I need to assign the name of a program as in: FOO = bar. The problem is that 'bar' may also be known as, say, bar.sh.

...

Is there a simple way to determine which form bar or bar.sh is on a given system *at the time the make is run*? If both exist, I will pick one arbitrarily,

...

For example I don't think this works when both are there:

    FOO = $(shell `which bar bar.sh)

Modify the subshell command to ...

    which bar bar.sh | head -n 1

... as in (for FreeBSD make) ...

    shell=`which zsh sh tcsh csh 2>/dev/null | fgrep -v 'not found' | head -n 3`
    all:
    	@printf "%s\n" ${shell}

- parv

Thanks. I came up with something similar, but I think your recipe is a bit more elegant ...

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Somewhat OT - A Makefile Question
Not strictly FBSD, but ...

Within a makefile, I need to assign the name of a program as in: FOO = bar. The problem is that 'bar' may also be known as, say, bar.sh. Worse still both bar and bar.sh can exist with one linked to the other.

Is there a simple way to determine which form bar or bar.sh is on a given system *at the time the make is run*? If both exist, I will pick one arbitrarily, I just don't want the detection mechanism to fail when this is the case. For example I don't think this works when both are there:

    FOO = $(shell `which bar bar.sh)

Thanks,
--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Possible /bin/sh Bug?
Given this script:

    #!/bin/sh
    foo=
    while read line
    do
        foo="$foo -e"
    done
    echo $foo

Say I respond 3 times, I'd expect to see:

    -e -e -e

Instead, I get:

    -e -e

Linux appears to do the right thing here, so this seems like it is a bug ... or am I missing something?

--
---
Tim Daneliuk
Re: Possible /bin/sh Bug?
On 06/05/2012 11:35 AM, Dan Nelson wrote:

In the last episode (Jun 05), Tim Daneliuk said:

Given this script:

    #!/bin/sh
    foo=
    while read line
    do
        foo="$foo -e"
    done
    echo $foo

Say I respond 3 times, I'd expect to see:

    -e -e -e

Instead, I get:

    -e -e

Linux appears to do the right thing here, so this seems like it is a bug ... or am I missing something?

echo takes a -e flag, so it eats the first one. Bash does the same thing, so any Linux that uses bash as /bin/sh will also. You must be testing on a Linux that uses something else as /bin/sh. Better to use the printf command if you are worried about compatibility.

    echo [-e | -n] [string ...]
        Print a space-separated list of the arguments to the standard output and append a newline character.
        -n  Suppress the output of the trailing newline.
        -e  Process C-style backslash escape sequences. The echo command understands the following character escapes:

Ah, OK, that makes sense, thanks...

--
---
Tim Daneliuk
Somewhat OT: CVS Question
Forgive the OT nature of this, but FBSD tends to be a big CVS user, so I am hoping someone has an answer for this. Feel free to reply privately if you do not wish to inflict your answer up on the whole list...

Is there a way to checkout a project from a CVS repo *into the current directory*? If I do this:

    cvs co -d . foo

Or this:

    cvs co -d ./ foo

I get this:

    cvs checkout: existing repository /usr/cvs/... does not match /usr/cvs/.../foo
    cvs checkout: ignoring module waccess

Ideas?

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: editor that understands CTRL/B, CTRL/I, CTRL/U
On 04/24/2012 12:50 PM, Anton Shterenlikht wrote:

My daughter is doing a touch typing course that presumes MS Word. So far she was fine with pico, but now they want the kids to practice CTRL/B (bold), CTRL/I (italic), CTRL/U (underline). She really needs to use these particular combinations because that is how the on-line assessment tool is set out. I use nothing but vi, so have no clue which, if any, editor from ports/editors will have these particular combinations implemented. Please recommend one, preferably as simple and as small as possible. Thanks

I am not certain, but I think it is possible to create your own keyboard maps in both joe and vim...

--
---
Tim Daneliuk
Re: fxp0 Link Going Up And Down
On 04/02/2012 03:52 PM, Mike Tancsa wrote:
On 4/1/2012 4:21 PM, Tim Daneliuk wrote:

I am seeing this intermittently:

    Apr 1 14:48:36 host kernel: fxp0: link state changed to DOWN
    Apr 1 14:52:27 host kernel: fxp0: link state changed to UP

There were some fixes to the fxp driver on ~ March 26th that fixed the NIC bouncing up and down when it went into promisc mode. But those bounces were very short lived (a few seconds to transition). Your up/down events are minutes. Perhaps the cable modem is going into some sort of sleep mode ? Or perhaps just a hardware issue. If you can,

I don't think so. The modem has a built in hub and I am not observing this problem on other devices plugged in there.

try and put a simple hub or switch between the cable modem and your NIC and see if you still get bounces. Also, there are many variants of fxp hardware. Post the output of

    egrep -i "fxp|phy" /var/run/dmesg.boot

    fxp0: Intel Pro/100 946GZ (ICH7) Network Connection port 0x1100-0x113f mem 0x9004-0x90040fff irq 20 at device 8.0 on pci4
    miibus0: MII bus on fxp0
    ukphy0: Generic IEEE 802.3u media interface PHY 1 on miibus0
    ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
    fxp0: Ethernet address: ...
    fxp0: [ITHREAD]

and

    sysctl -a dev.fxp

    dev.fxp.0.%desc: Intel Pro/100 946GZ (ICH7) Network Connection
    dev.fxp.0.%driver: fxp
    dev.fxp.0.%location: slot=8 function=0
    dev.fxp.0.%pnpinfo: vendor=0x8086 device=0x1094 subvendor=0x8086 subdevice=0x0001 class=0x02
    dev.fxp.0.%parent: pci4
    dev.fxp.0.int_delay: 1000
    dev.fxp.0.bundle_max: 6
    dev.fxp.0.rnr: 0
    dev.fxp.0.stats.rx.good_frames: 2004295
    dev.fxp.0.stats.rx.crc_errors: 0
    dev.fxp.0.stats.rx.alignment_errors: 0
    dev.fxp.0.stats.rx.rnr_errors: 0
    dev.fxp.0.stats.rx.overrun_errors: 0
    dev.fxp.0.stats.rx.cdt_errors: 0
    dev.fxp.0.stats.rx.shortframes: 0
    dev.fxp.0.stats.rx.pause: 0
    dev.fxp.0.stats.rx.controls: 0
    dev.fxp.0.stats.rx.tco: 0
    dev.fxp.0.stats.tx.good_frames: 1701132
    dev.fxp.0.stats.tx.maxcols: 0
    dev.fxp.0.stats.tx.latecols: 0
    dev.fxp.0.stats.tx.underruns: 0
    dev.fxp.0.stats.tx.lostcrs: 0
    dev.fxp.0.stats.tx.deffered: 0
    dev.fxp.0.stats.tx.single_collisions: 0
    dev.fxp.0.stats.tx.multiple_collisions: 0
    dev.fxp.0.stats.tx.total_collisions: 0
    dev.fxp.0.stats.tx.pause: 0
    dev.fxp.0.stats.tx.tco: 0

Thanks for taking time to look into this...

---Mike

This is observed both on some 8.2-STABLE and 8.3-PRERELEASE versions on the same server. I have replaced the ethernet cable as well as the device on the other end (a cable internet box), but the problem intermittently persists. It appears not to be a mechanical issue insofar as I can wiggle the cable at each end and not introduce this problem. fxp0 in this case is the on-board NIC of an Intel mobo. Ideas anyone?

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/

--
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
fxp0 Link Going Up And Down
I am seeing this intermittently:

Apr 1 14:48:36 host kernel: fxp0: link state changed to DOWN
Apr 1 14:52:27 host kernel: fxp0: link state changed to UP

This is observed both on some 8.2-STABLE and 8.3-PRERELEASE versions on the same server. I have replaced the ethernet cable as well as the device on the other end (a cable internet box), but the problem intermittently persists. It appears not to be a mechanical issue insofar as I can wiggle the cable at each end and not introduce this problem. fxp0 in this case is the on-board NIC of an Intel mobo. Ideas anyone?

Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Editor With NO Shell Access?
On 03/13/2012 01:39 AM, Joshua Isom wrote: On 3/12/2012 5:23 PM, Polytropon wrote: On Mon, 12 Mar 2012 15:19:51 -0700, Edward M. wrote: On 03/12/2012 03:10 PM, Polytropon wrote: /etc/shells to work, but a passwd entry like bob:*:1234:1234:Two-loop-Bob:/home/bob:/usr/local/bin/joe

I think this would not let the user log in, etc.

I'm not sure... I assume logging in is handled by /usr/bin/login, and control is then (i.e. after successful login) transferred to the login shell, which is the program specified in the shell field (see man 5 passwd) of /etc/passwd. How is login supposed to know if the program specified in this field is actually a dialog shell? From man 1 login I read that many shells have a built-in login command, but /usr/bin/login is the system's default binary for this purpose if the "shell" (quotes deserved if it is an editor as shown in my assumption) has no capability of performing a login.

Are they logging in from the console or from ssh? If it's from a console, I'd send them directly into a jail with limited file system access, so that executables don't matter. If it's from ssh, I'd do the same thing. Assume they can break out of the editor or that something will happen. Make it minimalist about what they can do. Use the /rescue/vi in an empty jail with the files available. Don't think about changing editors, change the system.

That's a really good idea, but we're talking about almost 1000 systems here. That's a whole bunch of configuration...

-- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Editor With NO Shell Access?
I have a situation where I need to provide people with the ability to edit files. However, under no circumstances do I want them to be able to exit to the shell. The client in question has strong (and unyielding) InfoSec requirements in this regard. So ... are there editors without this feature? Can I compile something like joe or vi to inhibit this feature? TIA, -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Editor With NO Shell Access?
On 03/12/2012 03:13 PM, Thomas Dickey wrote: On Mon, Mar 12, 2012 at 02:19:06PM -0500, Tim Daneliuk wrote: I have a situation where I need to provide people with the ability to edit files. However, under no circumstances do I want them to be able to exit to the shell. The client in question has strong (and unyielding) InfoSec requirements in this regard. So ... are there editors without this feature? Can I compile something like joe or vi to inhibit this feature?

man vi (see -S)

It turns out you can still work around this if you know the trick. I am still researching this, but restricted vi appears to be compromised.

-- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Raspberry Pi
On 03/08/2012 12:46 PM, Chad Perrin wrote: On Thu, Mar 08, 2012 at 08:51:03AM +, Arthur Chance wrote: On 03/07/12 21:40, Chad Perrin wrote: If anyone has more information about planned BSD Unix ports to Raspberry Pi, or comes up with more in the next few weeks, I'd appreciate it if someone would let me know (perhaps with URIs or contact information for people and projects working on this).

There was a discussion about it over on hackers@ last November. The thread starts at http://lists.freebsd.org/pipermail/freebsd-hackers/2011-November/036742.html TL;DR summary: some are wildly in favour of it, others are completely negative. I.e. the usual network response to anything :-}

I'm curious about the reasoning for the negative. I'll have to go skim that thread. Thanks for pointing it out to me.

The complaints seemed to center around a lack of docs, but I don't think this is still relevant. The fact that several Linux variants are ported suggests plenty of available doc. Also, there is a detailed doc on the Broadcom chip on the RP website. Now, if we could just actually GET the silly things it would be nice :)

-- --- Tim Daneliuk
FreeBSD And ARM
I'm not quite sure where to ask this so even a pointer to the right place would be appreciated: Is there any intent/work underway to port FBSD to the Raspberry PI ARM SBC? At $35 this thing looks perfect for firewall/DNS/dhcp boundary machines. Thanks, --- Tim Daneliuk
Asymmetric NFS Performance
Server: FBSD 8.2-STABLE / MTU set to 15000
Client: Linux Mint 12 / MTU set to 8192
NFS Mount Options: rw,soft,intr

Problem: Throughput copying from Server to Client is about 2x that when copying a file from client to server. The client does have a SSD whereas the server has conventional SATA drives but ... This problem is evident with either 100- or 1000- speed ethernet so I don't think it is a drive thing since you'd expect to saturate 100-BASE with either type of drive.

Things I've Tried So Far:
- Increasing the MTUs - This helped speed things up, but the up/down ratio stayed about the same.
- Fiddling with rsize and wsize on the client - No real difference

Ideas anyone?

--- Tim Daneliuk
Perl Upgrade And Mailscanner Woes
Almost every time there is a perl upgrade, it manages to break Mailscanner even after running perl-after-upgrade. The solution ends up being a reinstall of Mailscanner, but this is a real pain, because you have to delete and reinstall every dependent perl package used by Mailscanner. Does anyone have a better way? -- --- Tim Daneliuk
Re: Perl Upgrade And Mailscanner Woes
On 12/21/2011 09:28 AM, Matthew Seaman wrote: On 21/12/2011 14:59, Tim Daneliuk wrote: Almost every time there is a perl upgrade, it manages to break Mailscanner even after running perl-after-upgrade. The solution ends up being a reinstall of Mailscanner, but this is a real pain, because you have to delete and reinstall every dependent perl package used by Mailscanner.

Something is going wrong with your upgrade process. If you're doing a minor version upgrade of perl (eg. from 5.x.y to 5.x.y+1), then almost all perl modules (including XS) only need to be moved into the new ${LOCALBASE}/lib/perl5/site-perl/5.x.y+1 directory tree, which is basically what perl-after-upgrade does. A few packages which embed a perl interpreter would need recompiling, but you could count those on the fingers of one hand. Are you sure you are using perl-after-upgrade correctly? You do understand that just running:

# perl-after-upgrade

doesn't actually modify anything on disk: instead it shows you what needs to be done. To actually effect the change you need to run:

# perl-after-upgrade -f

Aha! And the lights go on ... Nevermind. Slinks away in shame ...
SOLVED: ipfw And ping
I have a fairly restrictive firewall but I wanted to open a hole for ping and traceroute - both outbound from a NATed LAN as well as inbound to the boundary FreeBSD machine. The magic sauce turned out to be:

ipfw add allow icmp from any to any icmptypes 0,3,4,8,11,12

The other insight here was that this rule had to occur *after* NAT got setup or internal users on the LAN would not be able to ping. Many thanks especially go to Robert Bonomi and Ian Smith for their help and patience with my foolish questions... Tim
Re: ipfw And ping
On 12/04/2011 01:04 AM, Ian Smith wrote: SNIP For one, google 'icmp redirect attack'

But isn't that handled by setting: net.inet.icmp.drop_redirect=1

# This is the ICMP rule we generally use:
# ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18

Hmmm I just tried this and it seems to break ping...
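The three ICMP rules quoted in this thread (the allow-all rule, the icmptypes list from "SOLVED: ipfw And ping", and the inbound-only list in the message above) can be compared by checking which packets of a ping or traceroute exchange each one admits. The following is an added example, not code from any of the posts; it assumes a default-deny ruleset in which the rule under test is the only one that can accept ICMP, it does not model NAT or stateful rules, and the flow names and helper functions are made up for illustration.

```python
# Added example: models only the direction/type match of an ipfw ICMP rule.
# Assumption: default-deny ruleset where the rule under test is the only one
# that can accept ICMP; NAT, keep-state and rule numbering are not modelled.

ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded",
              12: "parameter problem", 14: "timestamp reply",
              16: "information reply", 18: "address mask reply"}

# Rules as they appear in the thread.
RULE_ALLOW_ALL = "ipfw add allow icmp from any to any"
RULE_SOLVED = "ipfw add allow icmp from any to any icmptypes 0,3,4,8,11,12"
RULE_IN_ONLY = ("ipfw add 10 allow icmp from any to any in "
                "icmptypes 0,3,4,11,12,14,16,18")

# ICMP packets each task needs, as (direction, type) seen by the firewall host.
# traceroute is assumed to send UDP probes, so only its ICMP replies are listed.
FLOWS = {
    "ping outbound": [("out", 8), ("in", 0)],
    "ping inbound": [("in", 8), ("out", 0)],
    "traceroute outbound": [("in", 11), ("in", 3)],
    "traceroute inbound": [("out", 3)],
}


def parse_rule(rule):
    """Return (direction, types); None means any direction / any type."""
    words = rule.split()
    if "allow" not in words or "icmp" not in words:
        raise ValueError("not an 'allow icmp' rule: " + rule)
    direction = next((w for w in words if w in ("in", "out")), None)
    types = None
    if "icmptypes" in words:
        types = {int(t) for t in words[words.index("icmptypes") + 1].split(",")}
    return direction, types


def admits(rule, direction, icmp_type):
    """True if the rule accepts an ICMP packet of this direction and type."""
    rule_dir, rule_types = parse_rule(rule)
    return (rule_dir in (None, direction)
            and (rule_types is None or icmp_type in rule_types))


def blocked(rule):
    """Map each flow to the packets the rule fails to admit."""
    return {name: [p for p in packets if not admits(rule, *p)]
            for name, packets in FLOWS.items()}


if __name__ == "__main__":
    for rule in (RULE_ALLOW_ALL, RULE_SOLVED, RULE_IN_ONLY):
        print(rule)
        for name, missing in blocked(rule).items():
            detail = ", ".join(f"{d} {ICMP_NAMES[t]}" for d, t in missing)
            print(f"  {name}: {'ok' if not missing else 'blocked: ' + detail}")
        print("  admits inbound redirect (type 5):", admits(rule, "in", 5))
```

Under these assumptions the inbound-only list needs a companion rule for outbound ICMP, and the allow-all rule is the only one of the three that admits redirects (type 5).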
Re: ipfw And ping
On 12/01/2011 05:45 PM, Jon Radel wrote: On 12/1/11 6:25 PM, Tim Daneliuk wrote: I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. Pings were not getting through so I added this near the top of the rule set:

#
# Allow icmp
#
${FWCMD} add allow icmp from any to any

It does work but, two questions: 1) Is there a better way?

Consider allowing only the ICMP that does things you want to do. Google something like icmp types to allow for some hints and opinions. Just as an example, you can independently control being able to ping others and others being able to ping you.

2) Will this cause harm or otherwise expose the server to some vulnerability?

Well, if you allow all ICMP types, it's possible to make your little packets go places you didn't really want them to go, and similar network breakage. You can also find those who feel strongly that allowing others to ping your machines gives them way too much information about what you have at which IP address. On the other hand, working ping and traceroute can be very handy to figure out what's wrong when the network breaks. But do you open up access on your server?---well not so much, though having said that I'm ready for somebody to remind me of some obscure attack that uses ICMP for more than information gathering. :-) --Jon Radel j...@ratdel.com

I have been so advised by a number of people to do just this and I am investigating. I am not horribly concerned about this, though, because the machine in question is a NATing front end for a private, non-routable LAN and the associated nameserver uses split-horizon DNS to make all the internal name-ip associations invisible outside the LAN. So ... I don't really see much threat here. I am throttling ICMP rates via sysctl because - AFAIK - the only overt ICMP attack is to flood a target in hopes of getting Denial Of Services. As with you, I remain open to someone presenting a scenario wherein a particular ICMP protocol could actually cause harm...

Thanks for your time. -- --- Tim Daneliuk
ipfw And ping
I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. Pings were not getting through so I added this near the top of the rule set:

#
# Allow icmp
#
${FWCMD} add allow icmp from any to any

It does work but, two questions: 1) Is there a better way? 2) Will this cause harm or otherwise expose the server to some vulnerability?
Re: ipfw And ping
On 12/01/2011 08:56 PM, Robert Bonomi wrote: From owner-freebsd-questi...@freebsd.org Thu Dec 1 17:27:19 2011 Date: Thu, 01 Dec 2011 17:25:04 -0600 From: Tim Daneliuk tun...@tundraware.com To: FreeBSD Mailing List freebsd-questions@freebsd.org Subject: ipfw And ping

I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. Pings were not getting through so I added this near the top of the rule set:

#
# Allow icmp
#
${FWCMD} add allow icmp from any to any

It does work but, two questions: 1) Is there a better way? 2) Will this cause harm or otherwise expose the server to some vulnerability?

FIRST question: Are you trying to make _outgoing_ ping work, or let the outside world 'ping' internal machines on your network? What you wrote is not clear on this point.

Both.
Re: ipfw And ping
On 12/01/2011 08:56 PM, Robert Bonomi wrote: SNIP Similarly, I let the firewall respond to pings addressed to its _external_ interface, but silently drop anything addressed any further inside my network. (If they can _reach_ my firewall, then a problem, whatever it is, *is* 'my problem' and that's all anybody on the outside needs to know, or to tell me, if reporting a problem. :)

I NAT behind the FW so they're not getting anywhere behind it...
8-STABLE And fxp Driver
Is there a known recent problem with the fxp driver and 8-STABLE? I buildworld/kernel every 7-10 days and I have recently begun to see a bunch of Link Down/Link Up messages. Before I tear through cables, switches, and other hardware, I want to make sure this isn't some recently introduced driver artifact... Thanks, -- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: Very large swap
On 10/14/2011 11:43 AM, Nikos Vassiliadis wrote: On 10/14/2011 8:08 AM, Dennis Glatting wrote: This is kind of stupid question but at a minimum I thought it would be interesting to know. What are the limitations in terms of swap devices under RELENG_8 (or 9)? A single swap dev appears to be limited to 32GB (there are truncation messages on boot). I am looking at a possible need of 2-20TB (probably more) with as much main memory that is affordable.

The limit is raised to 256GB in HEAD and RELENG_8 http://svnweb.freebsd.org/base?view=revision&revision=225076

I am working with large data sets and there are various ways of solving the problem sets but simply letting the processors swap as they work through a given problem is a possible technique.

I would advise against this technique. Possibly, it's easier to design your program to use smaller amounts of memory and avoid swapping. After all, designing your program to use big amounts of swapped out memory *and* perform in a timely manner, can be very challenging. Nikos

Well ... I dunno how much large dataset processing you've done, but it's not that simple. Ordinarily, with modern machines and architectures, you're right. In fact, you NEVER want to swap, instead, throw memory at the problem. But when you get into really big datasets, it's a different story. You probably will not find a mobo with 20TB memory capacity :) So ... you have to do something with disk. You generally get two choices: Memory mapped files or swap. It's been some years since I considered either seriously, but they do have some tradeoffs. MM files give the programmer very fine grained control of just what might get pushed out to disk at the cost of user space context switching. Swap gets managed by the kernel which is about as efficient as disk I/O is going to get, but that means what and how things get moved on- and off disk is invisible to the application. What a lot of big data shops are moving to is SSD for such operations. SSD is VERY fast and can be RAIDed to overcome the tendency of at least the early SSD products to, um ... blow up. As always, scale is hard, and giant data problems are Really Hard (tm). That's why people like IBM, Sun/Oracle, and Teradata make lots of money building giant iron farms. 'Just my 2^1 cents worth ...

-- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: limit number of ssh connections
On 9/19/2011 2:05 PM, James Strother wrote: Does anyone know a good way of limiting the number of ssh attempts from a single IP address? I found the following website, which describes a variety of approaches: http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits. I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause). I would much much rather do something like this: http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/ Does anyone know a way to do something similar with ipfw? Thanks in advance, Jim

They cannot attack what they cannot see. That's why I wrote this: http://www.tundraware.com/Software/tperimeter/ It allows you to restrict access to a fixed set of hosts (via tcpwrappers) but to dynamically request access from any host (via wrapper rewriting) so long as you have credentials to do so. The current version has a worst-case latency of 5 minutes from the time you remotely request ssh access be granted until it actually is. I am working toward an update that will grant the request immediately.

-- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/