Re: switching from linux to freebsd

2006-08-02 Thread Yuan, Jue
On Wednesday 02 August 2006 14:23, Erik Norgaard wrote:

> > On Tuesday 01 August 2006 23:18, Erik Nørgaard wrote:
>
> I thought you wanted to know what the first question was (since I had
> deleted that from my reply), if you had accidentally deleted OP.
>
> Obviously, I didn't answer it because I don't have the answer, so asking
> me for the answer to the first question is pretty much useless. If this
> was what you meant, the reply is: sit back and see if someone else
> responds on that.
>

I got it. It is my misunderstanding. Thanks for your kind explanation. :-)

-- 
Best Regards
Yuan, Jue @ http://www.yuanjue.net
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: switching from linux to freebsd

2006-08-01 Thread Erik Norgaard

Yuan, Jue wrote:
> On Tuesday 01 August 2006 23:18, Erik Nørgaard wrote:
>> Yuan, Jue wrote:
>>> What about the first question? curious too :-)
>>
>> http://lists.freebsd.org/pipermail/freebsd-questions/
>>
>> is a good bookmark to have when you accidentally delete a post you
>> later want to look at.
>
> Hi.
>
> Thanks for your reply first.
>
> To be frank, I just don't get what you mean. I don't see any previous post of
> this thread that talks about the first question. Am I wrong?
>
> If you referred to STFW, then I could get your idea. And after google, gvinum
> is the substitute, right? :-)


I thought you wanted to know what the first question was (since I had 
deleted that from my reply), if you had accidentally deleted OP.


Obviously, I didn't answer it because I don't have the answer, so asking 
me for the answer to the first question is pretty much useless. If this 
was what you meant, the reply is: sit back and see if someone else 
responds on that.


Cheers

--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9


Re: switching from linux to freebsd

2006-08-01 Thread Yuan, Jue
On Tuesday 01 August 2006 23:18, Erik Nørgaard wrote:
> Yuan, Jue wrote:
> > What about the first question? curious too :-)
>
> http://lists.freebsd.org/pipermail/freebsd-questions/
>
> is a good bookmark to have when you accidentally delete a post you
> later want to look at.
>
Hi.

Thanks for your reply first.

To be frank, I just don't get what you mean. I don't see any previous post of 
this thread that talks about the first question. Am I wrong?

If you referred to STFW, then I could get your idea. And after google, gvinum 
is the substitute, right? :-)

-- 
Best Regards
Yuan, Jue @ http://www.yuanjue.net


Re: switching from linux to freebsd

2006-08-01 Thread Freminlins

On 01/08/06, Erik Nørgaard <[EMAIL PROTECTED]> wrote:
> If you configure your server using LDAP or NIS for user management then
> you only need to mount the root file system rw when updating the base
> system or changing root password. Add the MAC and you will likely be
> able to protect further against the attack you mention.

Or when you want to patch or install other software, unless you put
/usr/local on its own partition. And put /usr/ports somewhere else. And
don't tinker with anything in /etc/mail. I think we're just going to
disagree on this.

I have never yet seen a situation where mounting the OS disk ro proved to be
useful. I have seen it hinder perfectly normal sysadmin work.

I have seen one instance in 10 years where it would have stopped a silly
mistake (someone moved libc on Solaris). But as that person was doing
something they were supposed to be doing and just made a mistake, they would
have made the same mistake after mounting the disk rw if it had been mounted
ro.

> Cheers, Erik

Cheers,
Frem.


Re: switching from linux to freebsd

2006-08-01 Thread Freminlins

On 01/08/06, Robert Huff <[EMAIL PROTECTED]> wrote:
> On my system, "additional software" goes under the separate
> partition /usr.  Or are we using different definitions of
> "additional"?

/usr includes a large part of the base installation. /usr/local is the usual
place for additional software, though you can of course install stuff where
you want to.

> Robert Huff

Frem.


Re: switching from linux to freebsd

2006-08-01 Thread Erik Nørgaard
Freminlins wrote:

> You made the point with reference to security, not system recovery. That
> is what I am contradicting.

Security is often misunderstood to mean protecting against unauthorized
access. But this is only part of information security.

You need to protect your information assets such as to ensure continuity
of business operations, and this covers:

* Confidentiality
* Integrity
* Availability

The last two evidently have to do with data and system recovery, and
this was the question being raised in OP.

Which is more important depends on the data. In some cases unauthorized
disclosure is less costly than downtime. The security professional
evaluates the potential losses for each breach against the cost of
protecting against that breach.

Integrity of the base installation is important because it ensures
integrity of the base system against the most common failures - say
power out, and provides for faster recovery of systems hence addressing
availability - and not to mention it is cheap!

If you configure your server using LDAP or NIS for user management then
you only need to mount the root file system rw when updating the base
system or changing root password. Add the MAC and you will likely be
able to protect further against the attack you mention.

Cheers, Erik
-- 
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9




Re: switching from linux to freebsd

2006-08-01 Thread Robert Huff

Freminlins writes:

>  Except for useful things like installing additional software. That is
>  something I do do regularly.

On my system, "additional software" goes under the separate
partition /usr.  Or are we using different definitions of
"additional"?


Robert Huff


Re: switching from linux to freebsd

2006-08-01 Thread Freminlins

On 01/08/06, Erik Nørgaard <[EMAIL PROTECTED]> wrote:
> You usually don't patch up your system every day. Remount rw, do the
> patching and remount ro. The problem is more that some 3rd party
> applications assume that /usr is writeable. I found the problem more
> annoying with / whenever I need to change some system file.

I still disagree. The base OS files which need protecting are already
protected sufficiently. If you don't agree with this then simply remounting
ro is not sufficient. Only with elevated securelevels would this be useful.
Else, anyone who gets root on the box can simply remount rw and do what they
will.

> However, most important is to have /tmp on a separate partition. Then
> there will only be few writes on /.

Except for useful things like installing additional software. That is
something I do do regularly.

> I think it is very valuable to get the system up so I can rescue my
> data. Having base system go down along with my data doesn't seem to have
> any clear advantages.
>
> Mounting / and/or /usr ro will get your systems up faster and that
> seemed to be the issue.

You made the point with reference to security, not system recovery. That is
what I am contradicting.

> Cheers, Erik

Cheers,
Frem.


Re: switching from linux to freebsd

2006-08-01 Thread Erik Nørgaard
Freminlins wrote:
> On 01/08/06, *Erik Norgaard* <[EMAIL PROTECTED]> wrote:
>
>> you may
>> even want to mount it read-only for security. (I think this is good
>> advice on any system).
>
> I used to agree with this (specifically the mantra was "mount /usr read
> only") - until I tried to patch anything! Then it's useless.

You usually don't patch up your system every day. Remount rw, do the
patching and remount ro. The problem is more that some 3rd party
applications assume that /usr is writeable. I found the problem more
annoying with / whenever I need to change some system file.

However, most important is to have /tmp on a separate partition. Then
there will only be few writes on /.

> What you end up with is a machine which in which the base install is
> more secure, but all your data isn't. The base install is the one thing
> I know I can get back (i.e. reinstall) in 5 minutes. The data I cannot.

I think it is very valuable to get the system up so I can rescue my
data. Having base system go down along with my data doesn't seem to have
any clear advantages.

Mounting / and/or /usr ro will get your systems up faster and that
seemed to be the issue.

Cheers, Erik
-- 
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9


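The practice discussed in this message and in Frem's reply (keep / and /usr read-only, put /tmp on its own partition, remount rw only to patch and then go back to ro) fails quietly when the last step is forgotten, or when someone with root simply remounts rw. The Python check below is an added example, not code from the thread or from FreeBSD; it parses a constructed /etc/fstab and constructed mount(8) output (both hypothetical, not captured from a real host) and reports file systems declared ro in fstab that are currently writable, base file systems that fstab does not declare ro, and a missing separate /tmp. It detects drift after the fact; it does not prevent a root user from remounting, which is Frem's point.

```python
"""Drift check for a read-only base layout on FreeBSD.

Added example: compares the mount options /etc/fstab asks for with what
mount(8) currently reports. Both inputs below are constructed for the
example, not captured from a real host.
"""
import re

# Hypothetical fstab in the layout discussed: / and /usr read-only, /tmp and
# /var on their own partitions, third-party software on /usr/local.
SAMPLE_FSTAB = """\
# Device        Mountpoint  FStype  Options           Dump  Pass#
/dev/ada0p2     /           ufs     ro                1     1
/dev/ada0p3     /usr        ufs     ro                2     2
/dev/ada0p4     /var        ufs     rw                2     2
/dev/ada0p5     /tmp        ufs     rw,nosuid,noexec  2     2
/dev/ada0p6     /usr/local  ufs     rw                2     2
"""

# Hypothetical mount(8) output: /usr was remounted rw for patching
# ("mount -u -o rw /usr") and never switched back.
SAMPLE_MOUNT = """\
/dev/ada0p2 on / (ufs, local, read-only, soft-updates)
/dev/ada0p3 on /usr (ufs, local, soft-updates)
/dev/ada0p4 on /var (ufs, local, soft-updates)
/dev/ada0p5 on /tmp (ufs, local, noexec, nosuid, soft-updates)
/dev/ada0p6 on /usr/local (ufs, local, soft-updates)
"""

# "<device> on <mountpoint> (<flag>, <flag>, ...)" as printed by FreeBSD mount(8)
MOUNT_RE = re.compile(r"^(?P<dev>\S+) on (?P<mp>\S+) \((?P<flags>[^)]*)\)$")


def parse_fstab(text):
    """Map mount point -> set of fstab options, ignoring comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 4:
            table[fields[1]] = set(fields[3].split(","))
    return table


def parse_mount(text):
    """Map mount point -> set of flags from mount(8) output."""
    table = {}
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            table[m.group("mp")] = {f.strip() for f in m.group("flags").split(",")}
    return table


def find_drift(fstab_text, mount_text, base=("/", "/usr")):
    """Return human-readable findings; an empty list means the layout holds.

    Checks: fstab-declared ro file systems that are currently writable (the
    "remounted for patching and forgotten" case), base file systems that
    fstab does not declare ro, and /tmp not mounted as its own file system.
    """
    want = parse_fstab(fstab_text)
    have = parse_mount(mount_text)
    findings = []
    for mp, opts in want.items():
        if "ro" in opts and mp in have and "read-only" not in have[mp]:
            findings.append(f"{mp}: fstab says ro but currently mounted read-write")
    for mp in base:
        if mp in want and "ro" not in want[mp]:
            findings.append(f"{mp}: base file system not declared ro in fstab")
    if "/tmp" not in have:
        findings.append("/tmp: not a separate file system, temp files are written to /")
    return findings


if __name__ == "__main__":
    # On a real host: find_drift(open("/etc/fstab").read(),
    #                            subprocess.check_output(["mount"], text=True))
    for finding in find_drift(SAMPLE_FSTAB, SAMPLE_MOUNT) or ["no drift"]:
        print(finding)
```

On a live host, feed it the contents of /etc/fstab and the output of mount(8) instead of the two samples; a periodic run from cron catches the forgotten "remount ro" within minutes.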


Re: switching from linux to freebsd

2006-08-01 Thread Erik Nørgaard
Yuan, Jue wrote:
> What about the first question? curious too :-)

http://lists.freebsd.org/pipermail/freebsd-questions/

is a good bookmark to have when you accidentally delete a post you
later want to look at.

Erik

-- 
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9




Re: switching from linux to freebsd

2006-08-01 Thread Freminlins

On 01/08/06, Erik Norgaard <[EMAIL PROTECTED]> wrote:
> you may
> even want to mount it read-only for security. (I think this is good
> advice on any system).

I used to agree with this (specifically the mantra was "mount /usr read
only") - until I tried to patch anything! Then it's useless.

What you end up with is a machine in which the base install is more
secure, but all your data isn't. The base install is the one thing I know I
can get back (i.e. reinstall) in 5 minutes. The data I cannot.

> Cheers, Erik

Frem.


Re: switching from linux to freebsd

2006-08-01 Thread Yuan, Jue
What about the first question? curious too :-)

On Tuesday 01 August 2006 14:51, Erik Norgaard wrote:
> Tyler Spivey wrote:
> > Hello. I'm interested in moving my server from linux to freeBSD, but
> > have several questions:
> > 2. Can Ufs handle crashes very well, or is a very long fsck needed like
> > the old ext2 days?
>
> Usually fsck will run in the background after boot has finished. On very
> hard crashes you may have to boot into single user to fix it. To avoid
> this, make sure that the base system is on a separate partition, you may
> even want to mount it read-only for security. (I think this is good
> advice on any system).
>
> > 3. is the restriction of NFS-servers only mounting on partition
> > boundaries going to be removed in the future, if it even still exists?
>
> You can export an entire partition, with -alldirs option you can mount
> any sub directory with the permissions for that partition, eg:
>
>   /home -alldirs -network 192.168.0.0/24
>
> You can also export directories individually, but there are some
> restrictions: exporting two directories on the same filesystem to the
> same host must have the same permissions. Eg:
>
>   /var/diskless/FreeBSD -ro -maproot=root:wheel -network 192.168.0.0/24
>   /var/diskless/clt-1/var -maproot=root:wheel 192.168.0.1
>   /var/diskless/clt-1/tmp -maproot=root:wheel 192.168.0.1
>
> This works fine despite the first being -ro and the others -rw, because
> the first line exports to a network and not the host, and the second two
> have same permissions and mappings. But
>
>   /var/diskless/FreeBSD -ro -maproot=root:wheel -network 192.168.0.0/24
>   /var/diskless/clt-1/var -maproot=root:wheel 192.168.0.1
>   /var/diskless/clt-1/tmp 192.168.0.1
>
> doesn't, because of the missing maproot in the last export line.
>
> Cheers, Erik

-- 
Best Regards
Yuan, Jue @ http://www.yuanjue.net


Re: switching from linux to freebsd

2006-07-31 Thread Erik Norgaard

Tyler Spivey wrote:
> Hello. I'm interested in moving my server from linux to freeBSD, but
> have several questions:
> 2. Can Ufs handle crashes very well, or is a very long fsck needed like
> the old ext2 days?

Usually fsck will run in the background after boot has finished. On very 
hard crashes you may have to boot into single user to fix it. To avoid 
this, make sure that the base system is on a separate partition, you may 
even want to mount it read-only for security. (I think this is good 
advice on any system).

> 3. is the restriction of NFS-servers only mounting on partition
> boundaries going to be removed in the future, if it even still exists?

You can export an entire partition, with -alldirs option you can mount 
any sub directory with the permissions for that partition, eg:

  /home -alldirs -network 192.168.0.0/24

You can also export directories individually, but there are some 
restrictions: exporting two directories on the same filesystem to the 
same host must have the same permissions. Eg:

  /var/diskless/FreeBSD -ro -maproot=root:wheel -network 192.168.0.0/24
  /var/diskless/clt-1/var -maproot=root:wheel 192.168.0.1
  /var/diskless/clt-1/tmp -maproot=root:wheel 192.168.0.1

This works fine despite the first being -ro and the others -rw, because 
the first line exports to a network and not the host, and the second two 
have same permissions and mappings. But

  /var/diskless/FreeBSD -ro -maproot=root:wheel -network 192.168.0.0/24
  /var/diskless/clt-1/var -maproot=root:wheel 192.168.0.1
  /var/diskless/clt-1/tmp 192.168.0.1

doesn't, because of the missing maproot in the last export line.

Cheers, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
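The export-consistency rule Erik describes above (two directories on the same file system exported to the same host or network must carry the same options) can be linted offline before mountd is reloaded. The Python checker below is an added example, not code from the thread or from FreeBSD's mountd; it assumes a constructed mount-point table for the server (/, /home and /var, hypothetical) to decide which file system each exported directory lives on, treats a -network specifier as a target distinct from an individual host exactly as the message describes, and compares option sets per (file system, target) pair. Both export tables from the message are embedded as constructed input: the first passes, the second is flagged on its last line.

```python
"""Offline lint for a FreeBSD /etc/exports table.

Added example for the rule quoted in the thread: two directories that live on
the same file system and are exported to the same host (or network) must
carry the same options. The mount-point table and the export lines are
constructed for the example; nothing here is captured from a real server.
"""

# Assumed mount points on the server (hypothetical): decides which file
# system each exported directory belongs to.
MOUNT_POINTS = ("/", "/home", "/var")

# The two export tables from the message. The first is consistent; the last
# line of the second drops -maproot and so conflicts with the line above it.
GOOD_EXPORTS = """\
/home -alldirs -network 192.168.0.0/24
/var/diskless/FreeBSD -ro -maproot=root:wheel -network 192.168.0.0/24
/var/diskless/clt-1/var -maproot=root:wheel 192.168.0.1
/var/diskless/clt-1/tmp -maproot=root:wheel 192.168.0.1
"""

BAD_EXPORTS = """\
/home -alldirs -network 192.168.0.0/24
/var/diskless/FreeBSD -ro -maproot=root:wheel -network 192.168.0.0/24
/var/diskless/clt-1/var -maproot=root:wheel 192.168.0.1
/var/diskless/clt-1/tmp 192.168.0.1
"""


def filesystem_of(path, mount_points=MOUNT_POINTS):
    """Longest mount point that is a prefix of path: the file system it lives on."""
    best = "/"
    for mp in mount_points:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def parse_export_line(line):
    """Split one exports(5) line into (directories, option set, targets).

    Directories start with '/', options with '-'. '-network X' (optionally
    followed by '-mask Y') and bare host names are the targets; an empty
    target tuple means "everyone".
    """
    tokens = line.split()
    dirs, opts, targets = [], [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            dirs.append(tok)
        elif tok in ("-network", "-mask"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs an argument: {line!r}")
            spec = f"{tok} {tokens[i + 1]}"
            if tok == "-mask" and targets:
                targets[-1] += " " + spec   # -mask qualifies the preceding -network
            else:
                targets.append(spec)
            i += 1
        elif tok.startswith("-"):
            opts.append(tok)
        else:
            targets.append(tok)
        i += 1
    return dirs, frozenset(opts), tuple(targets)


def check_exports(text, mount_points=MOUNT_POINTS):
    """Return a list of conflict descriptions; an empty list means consistent."""
    seen = {}          # (file system, target) -> (options, first directory)
    conflicts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dirs, opts, targets = parse_export_line(line)
        if not targets:
            targets = ("<everyone>",)
        for d in dirs:
            fs = filesystem_of(d, mount_points)
            for t in targets:
                prev = seen.get((fs, t))
                if prev is None:
                    seen[(fs, t)] = (opts, d)
                elif prev[0] != opts:
                    conflicts.append(
                        f"{d}: options {sorted(opts)} for {t} differ from "
                        f"{prev[1]} ({sorted(prev[0])}) on file system {fs}"
                    )
    return conflicts


if __name__ == "__main__":
    for name, table in (("good", GOOD_EXPORTS), ("bad", BAD_EXPORTS)):
        print(name, check_exports(table) or "consistent")
```

The mount-point table is the one piece of state the lint needs from the host; on a real server take it from the mount points listed in /etc/fstab rather than the hypothetical tuple above.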