Re: lang/php5 port
Tom Worster wrote:

> is there any documentation or a helpful website for how to use ports to install php5? i'm used to compiling it with a pretty long configuration command for all the optional bits i need, e.g. --with-dom --with-dom-xslt --enable-dom --with-pear --with-gd etc. etc. on and on. i'm unclear how these options are handled in freebsd ports. is it a matter of identifying lots of individual ports, one for each of the configuration command options i'd normally use?

Run make config on the php port to see if any configuration options you need are mentioned there. I normally utilise the php-extensions port - run make config in there for options.

Cheers,
Brett.

___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: lang/php5 port
Steve Bertrand wrote:

> Brett Davidson wrote:
>> Tom Worster wrote:
>>> is there any documentation or a helpful website for how to use ports to install php5? i'm used to compiling it with a pretty long configuration command for all the optional bits i need, e.g. --with-dom --with-dom-xslt --enable-dom --with-pear --with-gd etc. etc. on and on. i'm unclear how these options are handled in freebsd ports. is it a matter of identifying lots of individual ports, one for each of the configuration command options i'd normally use?
>>
>> Run make config on the php port to see if any configuration options you need are mentioned there. I normally utilise the php-extensions port - run make config in there for options.
>
> One of the reasons I've had to edit Makefile manually was because a client needed JPEG support. At the time, `make config' didn't provide that option. You make a couple of valuable points however. It would be easier if the OP's demands could be met with your method.
>
> Steve

php-extensions supports jpg in the make config options - I use that too. It's a really elegant way of configuring almost every php option we need.

Brett.
Re: Is there anything weird I should know about using ipfw on alias addresses?
Found the problem. Incorrect arp entry. Thanks for your help. Cheers, Brett.
Re: Is there anything weird I should know about using ipfw on alias addresses?
Ian Smith wrote:

> On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson [EMAIL PROTECTED] wrote:
>> ifconfig shows the alias addresses correctly bound. Creating an ipfw rule and testing it from the command line works (connects out from master address, not alias). From website on alias address, the firewall blocks the packets. The weird thing is that it tags them (in the security log) as coming from the master address (not the alias) out the correct interface. In a normal world that would mean the packet would match! What's goin' on here Willis?
>
> Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least the relevant firewall rule/s and d) log entries that illustrate your problem. Obscure sensitive information by all means, but otherwise pretend we haven't the slightest clue how your system is configured :)
>
> cheers, Ian

Fair enough. ifconfig below:

    bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
            inet 210.5.50.5 netmask 0xffe0 broadcast 210.5.50.31
            inet 210.5.51.32 netmask 0x broadcast 210.5.51.32
            inet 210.5.51.27 netmask 0x broadcast 210.5.51.27
            inet 210.5.51.33 netmask 0x broadcast 210.5.51.33
            inet 210.5.51.34 netmask 0x broadcast 210.5.51.34
            inet 210.5.51.42 netmask 0x broadcast 210.5.51.42
            inet 210.5.51.4 netmask 0x broadcast 210.5.51.4
            ether 00:1c:c4:c0:56:94
            media: Ethernet autoselect (1000baseSX full-duplex)
            status: active

Relevant /etc/rc.conf entries:

    ifconfig_bce1="inet 210.5.50.5 netmask 255.255.255.224"
    ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
    ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
    ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
    ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
    ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
    ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
    ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

Relevant ipfw rules:

    ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state
    ipfw -q add 02012 allow tcp from any to 208.69.123.164 443 out via bce1 setup keep-state

Interesting entries in /var/log/security:

    Dec 1 16:42:25 servername kernel: ipfw: Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1

What makes this interesting is that I can connect to that port via the command line. It's the website that lives on 210.5.51.42 that is having problems. Why, if the rule is valid enough for the command line is it having problems from an aliased address? This MUST have something to do with the way ipfw is working with aliased addresses but I'm blowed if I know what is wrong.

Cheers
Brett.
Is there anything weird I should know about using ipfw on alias addresses?
ifconfig shows the alias addresses correctly bound. Creating an ipfw rule and testing it from the command line works (connects out from master address, not alias). From website on alias address, the firewall blocks the packets. The weird thing is that it tags them (in the security log) as coming from the master address (not the alias) out the correct interface. In a normal world that would mean the packet would match! What's goin' on here Willis?
Getting PXE booting to work on FreeBSD 7.0
I have set up a Linux Boot DHCP server (for other reasons that hopefully will become obvious later) which points to the BSD based tftp server. I did try to recompile the BSD pxeboot program to use TFTP as per the following but this did not appear to work as booting it still prompted for an NFS path:

    echo LOADER_TFTP_SUPPORT=YES >> /etc/make.conf; cd /usr/src/sys/boot/; make clean; make depend; make; cp i386/pxeldr/pxeboot /tftpboot/freebsd

So... I set up /etc/exports with /tftpboot/ -alldirs ro, and started up nfs. This works fine for manual mounting and for installing via nfs after booting off CD but I get the following errors when PXE booting...

    pxe_open: server addr: serverip
    pxe_open: server path: /tftpboot/freebsd
    pxe_open: gateway ip: subnetgatewayip
    \
    can't load 'kernel'

The /tftpboot/freebsd/boot/loader.rc file contents are given here (I have tried full OS paths to these as well to no avail):

    echo Loading Kernel
    load /boot/kernel/kernel
    load linux.ko
    echo Booting
    load -r /mfs_root/mfsroot.gz
    echo \007\007
    echo initialiasing h0h0magic
    set vfs.root.mountfrom=ufs:/dev/md0c
    boot

IMPORTANT: I am booting the client within a vmware-based instance (Vmware-server 1.0.4 on Centos 4.4) using bridged networking.

I am obviously missing something obvious. Can you please point this out to me?! :-)

--
Brett Davidson
Systems Engineer
--
Net24 Limited
Web: www.net24.co.nz
Phone: 0800 5000 24 | DDI: +64 3 962 9518
--
// web hosting / email hosting / data backup //
our reputation for reliability precedes us

This transmission is for the intended addressee only and is confidential information. If you have received this transmission in error, please delete it and notify the sender.
Protected by Net24 Fortigate Anti-virus system
Anyone know of complete hardware solution IDE Raid Controllers?
Years ago Accusys made IDE Raid Controllers that presented themselves as one drive in the BIOS, making themselves completely OS agnostic. Anything like that out there anymore? Regards, Brett.
[OT] who wrote this
Erich Dollansky wrote: Hi, eBoundHost: Artur wrote: T, I don't know any soft way to say this. The man, Hitler, was the most evil person that our generation has ever witnessed. The things he did this is why he has to be quoted so people see from where certain ideas originate. I live in a country where many things are - knowingly or unknowingly - copied from this guy. What really gets me is the fact that this is one of the examples put on the FreeBSD page. I'm all for freedom and libertarian ideals, but for You can promote freedom only if you are able to describe the opposite. Well said. I don't want to outlaw anything, but have some good taste. Learn to moderate yourselves, this is what freedom is all based on, being good to others. You must make people aware. If people are not aware - this was the most common excuse of Germans after the war - they will never ever support any actions against something. I would appreciate if someone would help me find the person who can help to modify the text on this page. I hope, you will not find this person. Just for your information. Parts of my family were active against Hitler until the collapse of the Third Reich. I think, that you are not able to understand the possible unawareness if you have not experienced it just after 1945. A very high percentage of Germans simply could not imagine or did not believe what was going on around them. Suppressing even quotes like them here, is the first step to make people feel as they live in a perfect world. Erich

To give another reason against suppression of quotes is that you tend to emulate the actions of the people's ideas that you wished suppressed. The opinion of this person/group is not worthy of being spread is but the thin edge of a fascist wedge. It effectively states that you know better than the rest of us and that you are entitled to prevent others from learning/doing something in their best interests.
I wish more people would think about that before attempting to meddle in what others are allowed to do. Brett.
Is there a way to compare what is in the ports tree with what is installed?
ie. If I had a particular version of the ports tree on a server, how could I check to see if any of the programs in that tree were actually installed? Is there a simple command or sequence of commands to do this? -- Brett Davidson
Re: Is there a way to compare what is in the ports tree with what is installed?
Robert Huff wrote:

> Brett Davidson writes:
>> ie. If I had a particular version of the ports tree on a server, how could I check to see if any of the programs in that tree were actually installed? Is there a simple command or sequence of commands to do this?
>
> dir /var/d/pkg | grep portname
>
> Robert Huff

Ah. Not quite but thanks for telling me the location of the pkg directory (btw, it's var/db/). I've now worked out how to get what I want via:

    cd /var/db/pkg
    for i in *
    do
        # Count the INDEX lines that contain this installed name-version string
        MATCHES=`grep -c -F -- "$i" /usr/ports/INDEX-6`
        if [ "$MATCHES" -gt 0 ]
        then
            : # echo "Pattern $i Matched $MATCHES times"
        else
            echo "Pattern $i not matched"
        fi
    done

In my case I was looking for files that weren't at the same revision level as the ports tree but both options are accounted for.

Thanks all.

--
Brett Davidson
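A stricter form of the comparison in the message above, as an added example that is not part of the original post: it compares each installed name-version with field 1 of the pipe-delimited INDEX exactly instead of using a substring grep, so gd-2.0.3 is not counted as matching gd-2.0.35. The function names are hypothetical, and the package names, versions and INDEX lines are constructed sample data.

```shell
#!/bin/sh
# Added example: classify installed packages against a ports INDEX file.
# Assumptions: the package database is a directory holding one sub-directory
# per installed "name-version" (as /var/db/pkg did on FreeBSD 6.x), and the
# INDEX is pipe-delimited with "name-version" in field 1.

# compare_pkgs PKGDB INDEX
# Prints one line per installed package:
#   current <name-version>               same version as the ports tree
#   stale <name-version> -> <indexed>    port exists at a different version
#   orphan <name-version>                no port of that name in the INDEX
compare_pkgs() {
    pkgdb=$1
    index=$2
    for dir in "$pkgdb"/*; do
        [ -d "$dir" ] || continue
        installed=${dir##*/}
        # Port versions never contain "-", so the text before the last
        # hyphen is the port name.
        name=${installed%-*}
        # Find the INDEX entry whose name (field 1 minus its version)
        # is exactly this port name.
        indexed=$(awk -F'|' -v n="$name" '
            { p = $1; sub(/-[^-]*$/, "", p) }
            p == n { print $1; exit }' "$index")
        if [ -z "$indexed" ]; then
            echo "orphan $installed"
        elif [ "$indexed" = "$installed" ]; then
            echo "current $installed"
        else
            echo "stale $installed -> $indexed"
        fi
    done
}

# make_sample: build a throw-away package db and INDEX (constructed data,
# shortened to four fields) and print the directory that holds them.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/pkg/bash-3.2.25" "$root/pkg/gd-2.0.3" "$root/pkg/oldtool-1.0"
    cat > "$root/INDEX" <<'EOF'
bash-3.2.25|/usr/ports/shells/bash|/usr/local|The GNU Bourne Again shell
gd-2.0.35|/usr/ports/graphics/gd|/usr/local|A graphics library
EOF
    echo "$root"
}

# Demo run on the constructed data; on a real host the arguments would be
# /var/db/pkg and /usr/ports/INDEX-6 as in the message above.
sample=$(make_sample)
compare_pkgs "$sample/pkg" "$sample/INDEX"
rm -rf "$sample"
```

The stale lines are the ones that matter for patching: they list software that is installed at a different revision from the ports tree on the same host.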
Issues Installing ImageMagick on FreeBSD 6.2
Get this error...

    gdkdrawable-x11.c:32:24: cairo-xlib.h: No such file or directory
    gdkdrawable-x11.c: In function `_gdk_x11_drawable_update_size':
    gdkdrawable-x11.c:238: warning: implicit declaration of function `cairo_xlib_surface_set_size'
    gdkdrawable-x11.c: In function `gdk_x11_ref_cairo_surface':
    gdkdrawable-x11.c:1469: warning: implicit declaration of function `cairo_xlib_surface_create'
    gdkdrawable-x11.c:1472: warning: assignment makes pointer from integer without a cast
    gdkdrawable-x11.c:1474: warning: implicit declaration of function `cairo_xlib_surface_create_for_bitmap'
    gdkdrawable-x11.c:1477: warning: assignment makes pointer from integer without a cast
    gmake[4]: *** [gdkdrawable-x11.lo] Error 1
    gmake[4]: Leaving directory `/usr/ports/x11-toolkits/gtk20/work/gtk+-2.12.1/gdk/x11'
    gmake[3]: *** [all-recursive] Error 1
    gmake[3]: Leaving directory `/usr/ports/x11-toolkits/gtk20/work/gtk+-2.12.1/gdk'
    gmake[2]: *** [all] Error 2
    gmake[2]: Leaving directory `/usr/ports/x11-toolkits/gtk20/work/gtk+-2.12.1/gdk'
    gmake[1]: *** [all-recursive] Error 1
    gmake[1]: Leaving directory `/usr/ports/x11-toolkits/gtk20/work/gtk+-2.12.1'
    gmake: *** [all] Error 2
    *** Error code 2

Tried different ports trees spaced a week apart and also tried to run pkg_add -r... All to no avail. Any ideas?

--
Brett Davidson
If the mirror sites (all four I've tried now from all over the world) have the FreeBSD 6.1 downloads contain the FreeBSD4.11 image, how is one supposed to download V6.1?
I, for one, would really like to get a copy of FreeBSD 6.1. :-)
A wee while ago, USB support on FreeBSD6.2 SMP systems was discouraged. Is that still the case?
If there are patches/updates to this issue I would REALLY like to know about them! :-) -- Brett Davidson
Update Issue is with PAE, not SMP : A wee while ago, USB support on FreeBSD6.2 PAE systems was discouraged. Is that still the case?
If there are patches/updates to this issue I would REALLY like to know about them! :-) -- Brett Davidson
Re: A wee while ago, USB support on FreeBSD6.2 SMP systems was discouraged. Is that still the case?
[EMAIL PROTECTED] wrote:

> On Wed, 1 Aug 2007, Brett Davidson wrote:
>> If there are patches/updates to this issue I would REALLY like to know about them! :-)
>
> I may be wrong, but USB support has always been giant-locked, and continues to be giant-locked, at least until Hans work maybe gets integrated into 8-CURRENT after a major code review.
>
> -Garrett

Thanks Garrett. By the way, my colleague informed me incorrectly that USB and SMP support was an issue. (Although I am keen for this to work!) :-)

From the latest source, the Kernel PAE conf file mentions that USB and PAE are not known to play well together. This is my immediate concern.

I presume giant-locking is one mutex that rules them all? As such, besides being inefficient under load, how would running USB under this be a problem with PAE?

Cheers, Brett.
Re: A wee while ago, USB support on FreeBSD6.2 SMP systems was discouraged. Is that still the case?
[EMAIL PROTECTED] wrote:

> On Wed, 1 Aug 2007, Brett Davidson wrote:
>> [EMAIL PROTECTED] wrote:
>>> On Wed, 1 Aug 2007, Brett Davidson wrote:
>>>> If there are patches/updates to this issue I would REALLY like to know about them! :-)
>>>
>>> I may be wrong, but USB support has always been giant-locked, and continues to be giant-locked, at least until Hans work maybe gets integrated into 8-CURRENT after a major code review.
>>>
>>> -Garrett
>>
>> Thanks Garrett. By the way, my colleague informed me incorrectly that USB and SMP support was an issue. (Although I am keen for this to work!) :-)
>
> Heh :).
>
>> From the latest source, the Kernel PAE conf file mentions that USB and PAE are not known to play well together. This is my immediate concern.
>
> Not sure if that's a problem. PAE is just an ugly ugly hack, but you probably know that by now... should have gone with amd64 ;).

Indeed. I'd even say you're being a bit too polite in that indictment of PAE. However, a few of the apps we run here don't support 64 bit FreeBSD yet. We now require more memory than 4Gb, which in 32 bit land, means that the big ugly hack (still keeping with your terminology here - this is a family mailing list, after all) is necessary. I only really want USB so that the Intel Remote Management module we are running in our servers can actually control the system. (Yes, using USB to allow a daughterboard to control a server is a particular kludge that only Intel use but let's leave any discussion on that for another time, shall we?). Kinda important for me to have both working. Rock - Me - Hard Place.

> Uhm, it's sorta like that. Many drivers are still using giant-locks, but there's a lot of effort going into removing those giant locks for creating more SMP'goodness :) .

That may be (and it sounds wonderful - I'll take three) but how does this affect PAE again? The PAE kernel notes tell me that USB and PAE may have issues with each other, but that's about it. What is the problem? Has anyone found a problem?

Brett.
IP Firewall disconnecting me after firewall changes
I keep firewall rules in a file that I then run via a sh command. You know, like /etc/rc.firewall. :-) Essentially the file does

    ipfw -q -f flush
    $cmd 0015 check-state
    $cmd set 31 rule# allow tcp from address/subnet to me 22 in via $pif setup keep-state

where $cmd = ipfw -q add and $pif = em0.

I understand that this set 31 rule should remain even after the flush action on the first line. This does not appear to be the case. If I run this script from an ssh session I get disconnected which is not what I expected. What am I doing wrong?

Cheers, Brett.
FreeBSD Clustering?
Looking at running a Postfix and some sort of IMAP/POP3 mailserver with webmail. Would like to do this within a FreeBSD cluster if such a thing is possible. Where can I find out info on FreeBSD clustering options? Cheers, Brett.
Are there ways of limiting user resources when a user process is run via suexec, rather than via logon?
Obviously I could use the features in logon.conf to partially restrict user activity if users actually logged on. Instead, the app concerned runs under suexec where (as I understand things) logon, per se, is not involved.

Is there anything in FreeBSD equivalent to Solaris Resource Manager? ie. a different share-weighted scheduler for instance? What I want is that all processes running under either a particular uid range or a particular gid range could be restricted to a certain amount of CPU and/or memory. Other systems (such as the Solaris product mentioned above) do this by implementing a different scheduler that weights allowed activity according to a set number of shares that that user's Resource group have had allocated to them.

Cheers, Brett.
FW: Permissions advice needed.
-----Original Message-----
From: Malcolm Kay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 January 2007 6:03 p.m.
To: freebsd-questions@freebsd.org
Cc: Brett Davidson
Subject: Re: Permissions advice needed.

On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:

> I have a curious problem. I need an executable file to be owned by a user's uid and gid so they can run it.

Malcolm: A user does not need to own a file to be able to run it. All they need is execute permission. So what is the real problem?

Brett: This file is being run via suexec in Apache, so yes, both uid and gid need to match in order for the file to be run. This particular system is running a shared-hosting webserver and utilising php-cgi and suexec appears to be the easiest way of providing inter-site isolation. The only problem with that is that you need a wrapper in order to provide customised php.ini settings for each site via the PHPRC environment variable. That wrapper is the file I am concerned about here.

> HOWEVER, I don't want them to be able to modify or delete the file and/or its permissions. Another program will do that.

Malcolm: Deleting or creating a file requires write access in the directory containing the file reference -- it has nothing to do with the permissions on the file itself.

Brett: I only want one particular file in the directory to be untouchable so directory permissions aren't helpful. Directory permissions only go part of the way as the file has to be read-only as well.

Anyway, for what it's worth, I have found a fix; in FreeBSD 6.2 the MAC_BSDEXTENDED filesystem firewall has been enhanced. If I use that, make the file suid (harmless since it's already owned by the user), then the ugidfw rule below all works well:

    ugidfw add subject not uid 0 object suid rx

This works well as this is the only non-root suid file on the system. In other systems where this may not be the case the rule should still be harmless as these suid files SHOULD only have rx permissions for non-root users anyway. :-) The only gotcha to that would be during program upgrades performed via a non-root user; the rule will either need to be relaxed or an additional specific rule could be placed above it to allow suid modifications to any specific non-root owned programs that may be in place.

Cheers, Brett.

> This, under standard Unix permissions, is a tad difficult. :-) ACL's don't help here as the owner of a file has the ability to change permissions. I could set the immutable bit (Linux term for the schg flag) but the modifying program does not recognise this flag and will thus fail to modify the file. (I have no control over the modifying program). Any ideas? I don't want to go down the line of using BSD MAC but I'm starting to think I may have to just to be able to prevent the user from modifying ONE file! (I'm not even sure I could implement this using MAC anyway).
>
> Cheers, Brett.
RE: Permissions advice needed.
Unfortunately, as I expounded to Malcolm Kay, in this application (a shared-hosting webserver) suexec is being used which does not traverse symbolic links. :-( MAC_BSDEXTENDED in Bsd6.2 solves the problem very nicely.

Cheers, Brett.

From: George Vanev [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 January 2007 7:42 p.m.
To: Brett Davidson
Subject: Re: Permissions advice needed.

Brett,

Why don't you make a symbolic link to that file. You may set read, write and execute permissions if you wish... doesn't matter. The users will be able to run your executable via the link, but they won't be able to modify it.

On 1/8/07, Brett Davidson [EMAIL PROTECTED] wrote:

> I have a curious problem. I need an executable file to be owned by a user's uid and gid so they can run it. HOWEVER, I don't want them to be able to modify or delete the file and/or its permissions. Another program will do that. This, under standard Unix permissions, is a tad difficult. :-) ACL's don't help here as the owner of a file has the ability to change permissions. I could set the immutable bit (Linux term for the schg flag) but the modifying program does not recognise this flag and will thus fail to modify the file. (I have no control over the modifying program). Any ideas? I don't want to go down the line of using BSD MAC but I'm starting to think I may have to just to be able to prevent the user from modifying ONE file! (I'm not even sure I could implement this using MAC anyway).
>
> Cheers, Brett.

-- George Vanev
RE: Permissions advice needed.
To clarify a point, the following line, This works well as this is the only non-root suid file on the system should be replaced with This works well as this is the only non-root accessible suid file on the system.

Cheers, Brett.
Permissions advice needed.
I have a curious problem. I need an executable file to be owned by a user's uid and gid so they can run it. HOWEVER, I don't want them to be able to modify or delete the file and/or its permissions. Another program will do that.

This, under standard Unix permissions, is a tad difficult. :-) ACLs don't help here as the owner of a file has the ability to change permissions. I could set the immutable bit (Linux term for the schg flag) but the modifying program does not recognise this flag and will thus fail to modify the file. (I have no control over the modifying program).

Any ideas? I don't want to go down the line of using BSD MAC but I'm starting to think I may have to just to be able to prevent the user from modifying ONE file! (I'm not even sure I could implement this using MAC anyway).

Cheers, Brett.
RE: Advice on which FreeBSD firewall package to choose.
Thanks to everyone who responded. It looks like pfsense will do the job nicely.

Cheers, Brett.

-Original Message-
From: Eric [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 January 2007 10:52 a.m.
To: Brett Davidson
Cc: [EMAIL PROTECTED]
Subject: Re: Advice on which FreeBSD firewall package to choose.

Brett Davidson wrote:

Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack. Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw. What would be the most useful (and easiest) package to use given the following scenario:

A FreeBSD router comprising of four physical interfaces -
Eth0 is the outside 10Mbyte/s cable connection to the Internet.
Eth1 is a 100Mbit DMZ housing a webserver.
Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router. (My normal preference is to isolate Wireless LANs from physical LANS).
Eth3 is the inside LAN.

Software-based VPN connections out from both the Inside LAN and Wireless DMZ are required. (Allowing VPN tunnels through the firewall; not tunnels terminated at the firewall). Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use. Is there an equivalent to HTB on FreeBSD?

I look forward to your answers...

Regards, Brett.

i believe pf is the most modern and cleanest/easiest syntax to use. it is actively developed and lots of people use it. You can set up priority on bandwidth in pf as well, so it should meet all your requirements nicely.
Advice on which FreeBSD firewall package to choose.
Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack. Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw. What would be the most useful (and easiest) package to use given the following scenario:

A FreeBSD router comprising of four physical interfaces -
Eth0 is the outside 10Mbyte/s cable connection to the Internet.
Eth1 is a 100Mbit DMZ housing a webserver.
Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router. (My normal preference is to isolate Wireless LANs from physical LANS).
Eth3 is the inside LAN.

Software-based VPN connections out from both the Inside LAN and Wireless DMZ are required. (Allowing VPN tunnels through the firewall; not tunnels terminated at the firewall). Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use. Is there an equivalent to HTB on FreeBSD?

I look forward to your answers...

Regards, Brett.
Problem with USB DVD drive.
First post to the list! I have a CD-rom drive attached to an Intel Server but required some data from a DVD. So I attached my USB DVD-rom drive and got the following in dmesg after I disconnected and reconnected the device:

umass0: at uhub4 port 4 (addr 2) disconnected
(cd0:umass-sim0:0:0:0): lost device
(cd0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: USB2.0 External Mass Storage Device, rev 2.00/0.01, addr 2
umass0: Get Max Lun not supported (STALLED)
umass0: BBB reset failed, IOERROR
umass0: BBB bulk-in clear stall failed, IOERROR
umass0: BBB bulk-out clear stall failed, IOERROR
umass0: BBB reset failed, IOERROR
umass0: BBB bulk-in clear stall failed, IOERROR
umass0: BBB bulk-out clear stall failed, IOERROR
umass0: BBB reset failed, IOERROR
umass0: BBB bulk-in clear stall failed, IOERROR
umass0: BBB bulk-out clear stall failed, IOERROR
(cd0:umass-sim0:0:0:0): got CAM status 0x4
(cd0:umass-sim0:0:0:0): fatal error, failed to attach to device
(cd0:umass-sim0:0:0:0): lost device
umass0: at uhub4 port 4 (addr 2) disconnected
(cd0:dead_sim0:0:0:0): removing device entry
umass0: detached
umass0: USB2.0 External Mass Storage Device, rev 2.00/0.01, addr 2
umass0: Get Max Lun not supported (STALLED)
cd0 at umass-sim0 bus 0 target 0 lun 0
cd0: IMATION IMW8844DL8E VSI3 Removable CD-ROM SCSI-0 device
cd0: 40.000MB/s transfers
cd0: cd present [890560 x 2048 byte records]
g_vfs_done():acd0[READ(offset=32768, length=2048)]error = 5

To me, it looks like the usb device is attempting to map the USB DVD drive over the top of the existing cd0 CD device. (that device is seen in the last few lines above) Is that a correct reading of the dmesg output? If so, is there a map file that would allow me to force any devices to map to, say, the cd1 device instead? (cd1 is present within the /dev directory).

Cheers, Brett.
Problem with USB DVD drive
First post to the list! I have a CD-rom drive attached to an Intel Server but required some data from a DVD. So I attached my USB DVD-rom drive and got the following in dmesg after I disconnected and reconnected the device:

umass0: at uhub4 port 4 (addr 2) disconnected
(cd0:umass-sim0:0:0:0): lost device
(cd0:umass-sim0:0:0:0): removing device entry
umass0: detached
umass0: USB2.0 External Mass Storage Device, rev 2.00/0.01, addr 2
umass0: Get Max Lun not supported (STALLED)
umass0: BBB reset failed, IOERROR
umass0: BBB bulk-in clear stall failed, IOERROR
umass0: BBB bulk-out clear stall failed, IOERROR
umass0: BBB reset failed, IOERROR
umass0: BBB bulk-in clear stall failed, IOERROR
umass0: BBB bulk-out clear stall failed, IOERROR
umass0: BBB reset failed, IOERROR
umass0: BBB bulk-in clear stall failed, IOERROR
umass0: BBB bulk-out clear stall failed, IOERROR
(cd0:umass-sim0:0:0:0): got CAM status 0x4
(cd0:umass-sim0:0:0:0): fatal error, failed to attach to device
(cd0:umass-sim0:0:0:0): lost device
umass0: at uhub4 port 4 (addr 2) disconnected
(cd0:dead_sim0:0:0:0): removing device entry
umass0: detached
umass0: USB2.0 External Mass Storage Device, rev 2.00/0.01, addr 2
umass0: Get Max Lun not supported (STALLED)
cd0 at umass-sim0 bus 0 target 0 lun 0
cd0: IMATION IMW8844DL8E VSI3 Removable CD-ROM SCSI-0 device
cd0: 40.000MB/s transfers
cd0: cd present [890560 x 2048 byte records]
g_vfs_done():acd0[READ(offset=32768, length=2048)]error = 5

To me, it looks like the usb device is attempting to map the USB DVD drive over the top of the existing cd0 CD device. (that device is seen in the last few lines above) Is that a correct reading of the dmesg output? If so, is there a map file that would allow me to force any devices to map to, say, the cd1 device instead? (cd1 is present within the /dev directory).

Before anyone suggests this, I don't want to remove the existing CD drive.

Cheers, Brett.