Re: Established method to enable suid scripts?
On Thursday 12 May 2011 17:26:49 Chris Telting wrote:
> On 05/12/2011 07:57, Jonathan McKeown wrote:
>> I'll say that again. It is inherently insecure to run an interpreted program set-uid, because the filename is opened twice and there's no guarantee that someone hasn't changed the contents of the file addressed by that name between the first and second open.
>>
>> It's one thing to tell people they need to be careful with suid because it has security implications. Deliberately introducing a well-known security hole into the system would in my view be dangerous and wrong.
>
> That race condition bug was fixed in ancient times. Before Freebsd or Linux ever existed I believe. It's a meme that just won't die. People accepted mediocrity in old commercial versions of Unix. I personally am unsatisfied by kludges.

That seems somewhat unlikely given, as someone else pointed out upthread, that Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW, suggesting that they often aren't.

Yes, there are ways to avoid this race condition - the usual one is to pass a handle on the open file to the interpreter, rather than closing it and reopening it. This fix is not present in every Unix or Unix-like OS. In particular (although I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the best of my knowledge. Whether there's a reason for that other than lack of developer time I don't know.

Jonathan

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
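The descriptor-passing approach mentioned in the message above, as an added C example that is not code from the thread, from FreeBSD or from Perl. The script is opened once, checked through the descriptor, and named to the interpreter as `/dev/fd/N`; the function names and the constructed temp-file scenario are hypothetical, and availability of `/dev/fd/N` for arbitrary descriptors is an assumption.

```c
#define _XOPEN_SOURCE 700 /* mkdtemp, lstat, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the script once; fstat() then describes the file we hold,
 * not whatever the name has come to mean since. */
int pin_script(const char *path, struct stat *st)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd >= 0 && (fstat(fd, st) != 0 || !S_ISREG(st->st_mode))) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Interpreter argument by descriptor. Assumption: /dev/fd/N is available. */
int fd_script_name(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/dev/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* 1 if the name still refers to the pinned file, 0 if not, -1 on error. */
int path_still_matches(const char *path, const struct stat *st)
{
    struct stat now;
    return lstat(path, &now) != 0 ? -1
         : (now.st_dev == st->st_dev && now.st_ino == st->st_ino);
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    int bad = !f || fputs(text, f) == EOF;
    return (f && fclose(f) != 0) || bad ? -1 : 0;
}

/* Constructed scenario: the name is replaced after the first open. Returns
 * path_still_matches() and copies what the pinned descriptor still reads. */
int demo_swap(char *seen, size_t len)
{
    char dir[] = "/tmp/pinXXXXXX", a[64], b[64];
    struct stat st;
    if (len == 0 || !mkdtemp(dir))
        return -1;
    snprintf(a, sizeof a, "%s/script", dir);
    snprintf(b, sizeof b, "%s/other", dir);
    if (write_file(a, "echo original\n") || write_file(b, "echo replaced\n"))
        return -1;
    int fd = pin_script(a, &st);
    if (fd < 0 || rename(b, a) != 0) /* the name now points at another file */
        return -1;
    int same = path_still_matches(a, &st);
    ssize_t n = read(fd, seen, len - 1);
    seen[n > 0 ? n : 0] = '\0';
    close(fd);
    unlink(a);
    rmdir(dir);
    return same;
}

int main(void)
{
    char seen[64];
    return printf("name still matches: %d\n", demo_swap(seen, sizeof seen)) < 0;
}
```

A second open by name would have read the replacement file, while the pinned descriptor still yields the content that was checked.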
Re: Maximum partition size
On 11 May 2011 08:37, Andrea Venturoli m...@netfence.it wrote:
> Hello.
>
> Sorry for the stupid questions, but Google only turns out very old answers which might be outdated (at least I hope so).
>
> What is the maximum partition size I can use on 7.3? I've used a 3TB gstripe on amd64, but now I'd like to gstripe two 2TB HDs on a i386. Will that work?
>
> bye Thanks
> av.

It depends on partition schema you use. Stick with GPT and you will be fine for the foreseeable future.
Re: Established method to enable suid scripts?
On 13 May 2011 08:32, Jonathan McKeown j.mcke...@ru.ac.za wrote:
> On Thursday 12 May 2011 17:26:49 Chris Telting wrote:
>> On 05/12/2011 07:57, Jonathan McKeown wrote:
>>> I'll say that again. It is inherently insecure to run an interpreted program set-uid, because the filename is opened twice and there's no guarantee that someone hasn't changed the contents of the file addressed by that name between the first and second open.
>>>
>>> It's one thing to tell people they need to be careful with suid because it has security implications. Deliberately introducing a well-known security hole into the system would in my view be dangerous and wrong.
>>
>> That race condition bug was fixed in ancient times. Before Freebsd or Linux ever existed I believe. It's a meme that just won't die. People accepted mediocrity in old commercial versions of Unix. I personally am unsatisfied by kludges.
>
> That seems somewhat unlikely given, as someone else pointed out upthread, that Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW, suggesting that they often aren't.
>
> Yes, there are ways to avoid this race condition - the usual one is to pass a handle on the open file to the interpreter, rather than closing it and reopening it. This fix is not present in every Unix or Unix-like OS. In particular (although I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the best of my knowledge. Whether there's a reason for that other than lack of developer time I don't know.
>
> Jonathan

What I can't understand is the complete aversion to sudo. Could you shed any light on why you are trying to avoid a tried and tested method?
Re: Established method to enable suid scripts?
On 05/13/2011 00:32, Jonathan McKeown wrote:
> On Thursday 12 May 2011 17:26:49 Chris Telting wrote:
>> On 05/12/2011 07:57, Jonathan McKeown wrote:
>>> I'll say that again. It is inherently insecure to run an interpreted program set-uid, because the filename is opened twice and there's no guarantee that someone hasn't changed the contents of the file addressed by that name between the first and second open.
>>>
>>> It's one thing to tell people they need to be careful with suid because it has security implications. Deliberately introducing a well-known security hole into the system would in my view be dangerous and wrong.
>>
>> That race condition bug was fixed in ancient times. Before Freebsd or Linux ever existed I believe. It's a meme that just won't die. People accepted mediocrity in old commercial versions of Unix. I personally am unsatisfied by kludges.
>
> That seems somewhat unlikely given, as someone else pointed out upthread, that Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW, suggesting that they often aren't.
>
> Yes, there are ways to avoid this race condition - the usual one is to pass a handle on the open file to the interpreter, rather than closing it and reopening it. This fix is not present in every Unix or Unix-like OS. In particular (although I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the best of my knowledge. Whether there's a reason for that other than lack of developer time I don't know.

Indeed. I think it's more of a case that since you can't count on it on other systems (especially closed source systems) to disable it for portability reasons although I would love to be proved wrong.

Happy Friday.
Re: Established method to enable suid scripts?
On 05/13/2011 01:32, krad wrote:
> What I can't understand is the complete aversion to sudo. Could you shed any light on why you are trying to avoid a tried and tested method?

That I freely admit is for no rational reason. It's just annoying. But let me ask you.. is sudo ping acceptable? Please explain the logical reason why not. It would be the preferred method if suid didn't exist and sudo was part of the base system.

Happy Friday.
Re: Established method to enable suid scripts?
On 13 May 2011 11:07, Chris Telting christopher...@telting.org wrote:
> On 05/13/2011 01:32, krad wrote:
>> What I can't understand is the complete aversion to sudo. Could you shed any light on why you are trying to avoid a tried and tested method?
>
> That I freely admit is for no rational reason. It's just annoying. But let me ask you.. is sudo ping acceptable? Please explain the logical reason why not. It would be the preferred method if suid didn't exist and sudo was part of the base system.
>
> Happy Friday.

Without knowing your security policy it's difficult to say. However from an ad hoc point of view I don't see why not, assuming what you are doing with it needs root privilege. It's also far less risky than giving a user access to a box.

Again without knowing your security policy, I don't see why sudo coming from ports vs base system is really relevant. As long as said port is audited to the same level or higher than the base system I don't see any problem.
Re: how to diagnose server freeze with ddb?
cronfy cro...@gmail.com writes:
> I have a server that freezes under high load sometimes. It is on FreeBSD 7.3. It does not respond neither by network nor to keyboard. In the same time I can hit Ctrl-Alt-ESC and go to debugger - it works.
>
> What can I try to do in DDB to find out the reason of server freezing?

There are a lot of ddb(4) commands that show the state of the system, and there isn't a lot to go on here. show locks, show alllocks, show intr, show pcpu are some of the commands that occur to me as ones I would look at first.
Re: Established method to enable suid scripts?
Chris Telting christopher...@telting.org writes:
> On 05/13/2011 01:32, krad wrote:
>> What I can't understand is the complete aversion to sudo. Could you shed any light on why you are trying to avoid a tried and tested method?
>
> That I freely admit is for no rational reason. It's just annoying. But

...a shebang can be written with sudo in mind, e.g.

    #! /usr/bin/env -S sudo sh
    id

    $ ./foo.sh
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
    $ ls -l
    -rwxr-xr-x 1 luser luser 31 May 13 21:36 foo.sh

> let me ask you.. is sudo ping acceptable? Please explain the logical reason why not. It would be the preferred method if suid didn't exist and sudo was part of the base system.
Re: FreeBSD 9.0-RELEASE
Hi All,

If I install FreeBSD-9.0-CURRENT, I will be able to upgrade to FreeBSD-9.0-RELEASE (once available) via the freebsd-update utility, right? That's what I'm getting from the following link:
http://www.freebsd.org/relnotes/CURRENT/relnotes/upgrade.html

BTW, does anyone know of any major problems with the following snapshot:
ftp://ftp.freebsd.org/pub/FreeBSD/snapshots/201101/FreeBSD-9.0-CURRENT-201101-amd64-dvd1.iso

Thanks,
Mike

On 05/03/2011 02:33 PM, Jerry McAllister wrote:
> On Tue, May 03, 2011 at 12:11:07PM -0700, Mike Seda wrote:
>> Hi All,
>> When will FreeBSD 9.0-RELEASE be available? I remember reading that it would be ready in May 2011. I just wanted to see if it was on schedule or not.
>
> I don't remember seeing that. Anyway, go to the FreeBSD Release Engineering web site for information.
> http://www.freebsd.org/releng/index.html
>
> jerry
>
>> Thanks,
>> Mike
Re: FreeBSD 9.0-RELEASE
On May 13, 2011, at 11:29 AM, Mike Seda wrote:
> If I install FreeBSD-9.0-CURRENT, I will be able to upgrade to FreeBSD-9.0-RELEASE (once available) via the freebsd-update utility, right?

There isn't a supported RELENG_9 branch, yet. Once it exists, it is likely that you could use freebsd-update to move from the published betas or RC versions of 9.0 to 9.0-RELEASE, but you're not going to be able to move from some arbitrary snapshot from HEAD to 9.0-RELEASE with freebsd-update.

Regards,
--
-Chuck
Re: How do you install utility built using gnu toolchain?
On 13/05/2011 05:29, Dale Scott wrote:

D> It's pretty general question, but is it typically standard procedure for
D> a utility building using the GNU tool chain to be able to install itself
D> into /usr/local/bin?

On Fri, 13 May 2011 06:39:30 +0100, Matthew Seaman m.sea...@infracaninophile.co.uk said:

M> 'gmake install' should put binaries into appropriate locations. Make
M> sure that you specify /usr/local as the prefix when running configure.

I usually do two builds:

    me% mkdir /tmp/local
    me% configure --prefix=/tmp/local ...whatever...
    me% gmake
    me% gmake -n install 2>&1 | grep -v /tmp/local

shows if something's going to be installed elsewhere, but that's only happened to me once in a blue moon (typo in Makefile.in).

    root# gmake install
    me% cd /tmp/local
    me% ls -lR

provides a list of exactly what'll be installed, with ownership and permissions, in case you ever want to know where a given file came from.

The clean, realclean, and distclean targets can behave slightly differently, depending on who put the source together. To make cleanup consistent, I make a TOC of the pristine directory before and after configuration/build:

    me% cd /path/to/source
    me% find . -print | sort | tail +2 > /tmp/BEFORE
    ... configure, build, test, install, whatever ...
    me% find . -print | sort | tail +2 > /tmp/AFTER
    me% comm -23 /tmp/AFTER /tmp/BEFORE > TARGETS
    me% rm /tmp/AFTER /tmp/BEFORE

Running xargs rm < TARGETS (and/or rmdir) gives me a pristine source directory. Sure, you can just remove the whole thing and unpack a clean tarball, but this is easier if you have local patches or you'd like to keep part of the generated output, like the configuration stuff.

--
Karl Vogel
I don't speak for the USAF or my company

No, I really can't recover any files from your thumb drive, even if you did find it after it passed through your dog.
--actual IT support question
Unable to boot installer
I'm trying to install FreeBSD on my new laptop (Lenovo ThinkPad X220), and it dies in the middle of the boot, using either the memstick image or the DVD image. (That's all I've tried so far.) I'm using the 8.2 images.

The last two lines it shows are:

    atkbdc0: Keyboard controller (i8042) port 0x60,0x64 irq 1 on acpi0
    atkbd0: AT Keyboard irq 1 on atkdbc0

Then it just stops.

Any ideas? Any chance I'll be able to get FreeBSD on this laptop?

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
Re: Established method to enable suid scripts?
On Friday, 13 May 2011, Pan Tsu iny...@gmail.com wrote:
> Chris Telting christopher...@telting.org writes:
>> On 05/13/2011 01:32, krad wrote:
>>> What I can't understand is the complete aversion to sudo. Could you shed any light on why you are trying to avoid a tried and tested method?
>>
>> That I freely admit is for no rational reason. It's just annoying. But
>
> ...a shebang can be written with sudo in mind, e.g.
>
>     #! /usr/bin/env -S sudo sh
>     id
>
>     $ ./foo.sh
>     uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>     $ ls -l
>     -rwxr-xr-x 1 luser luser 31 May 13 21:36 foo.sh
>
>> let me ask you.. is sudo ping acceptable? Please explain the logical reason why not. It would be the preferred method if suid didn't exist and sudo was part of the base system.

I'm still bemused as to why, unless it's just an academic exercise.
ZFS Deduplication (was Re: FreeBSD 9.0-RELEASE)
All,

Currently, I'm really only interested in using FreeBSD so that I can leverage ZFS Deduplication (available in ZFS v21 and higher) on one server. What is the best (most stable) way to get this functionality at the moment? Should I just install FreeBSD-8.2-RELEASE and then apply the backported ZFS v28 patch such as the one below:
http://people.freebsd.org/~pjd/patches/zfs_20100831.patch.bz2

Mike

On 05/13/2011 11:35 AM, Chuck Swiger wrote:
> On May 13, 2011, at 11:29 AM, Mike Seda wrote:
>> If I install FreeBSD-9.0-CURRENT, I will be able to upgrade to FreeBSD-9.0-RELEASE (once available) via the freebsd-update utility, right?
>
> There isn't a supported RELENG_9 branch, yet. Once it exists, it is likely that you could use freebsd-update to move from the published betas or RC versions of 9.0 to 9.0-RELEASE, but you're not going to be able to move from some arbitrary snapshot from HEAD to 9.0-RELEASE with freebsd-update.
>
> Regards,
Re: ZFS Deduplication (was Re: FreeBSD 9.0-RELEASE)
On May 13, 2011, at 1:47 PM, Mike Seda wrote:
> Currently, I'm really only interested in using FreeBSD so that I can leverage ZFS Deduplication (available in ZFS v21 and higher) on one server. What is the best (most stable) way to get this functionality at the moment?

By definition, HEAD isn't stable (or -STABLE). How about running Solaris instead...?

> Should I just install FreeBSD-8.2-RELEASE and then apply the backported ZFS v28 patch such as the one below:
> http://people.freebsd.org/~pjd/patches/zfs_20100831.patch.bz2

That might be a more reasonable course, but you haven't mentioned anything about the purpose or scope of the system involved; the lack of any such information makes specific recommendations infeasible.

Regards,
--
-Chuck
Re: ZFS Deduplication (was Re: FreeBSD 9.0-RELEASE)
On Fri, May 13, 2011 at 3:47 PM, Mike Seda mas...@stanford.edu wrote:
> All,
>
> Currently, I'm really only interested in using FreeBSD so that I can leverage ZFS Deduplication (available in ZFS v21 and higher) on one server. What is the best (most stable) way to get this functionality at the moment? Should I just install FreeBSD-8.2-RELEASE and then apply the backported ZFS v28 patch such as the one below:
> http://people.freebsd.org/~pjd/patches/zfs_20100831.patch.bz2

I use the mfsbsd v28 installer which works pretty well and I have overall stability. However you should note there is a reason(s) it hasn't been MFC'd yet and there have been some reported issues with v28.

--
Adam Vande More
Re: ZFS Deduplication (was Re: FreeBSD 9.0-RELEASE)
On 05/13/2011 02:20 PM, Chuck Swiger wrote:
> On May 13, 2011, at 1:47 PM, Mike Seda wrote:
>> Currently, I'm really only interested in using FreeBSD so that I can leverage ZFS Deduplication (available in ZFS v21 and higher) on one server. What is the best (most stable) way to get this functionality at the moment?
>
> By definition, HEAD isn't stable (or -STABLE). How about running Solaris instead...?

We have not completely ruled out Solaris 10 (U9 and up).

>> Should I just install FreeBSD-8.2-RELEASE and then apply the backported ZFS v28 patch such as the one below:
>> http://people.freebsd.org/~pjd/patches/zfs_20100831.patch.bz2
>
> That might be a more reasonable course, but you haven't mentioned anything about the purpose or scope of the system involved; the lack of any such information makes specific recommendations infeasible.

The box will act as the disk target in a D2D2T backup scenario.

> Regards,
Re: automounting of usb disks not working how to troubleshoot
On Thu, May 12, 2011 at 7:33 PM, Antonio Olivares olivares14...@gmail.com wrote:
> Dear folks,
>
> I have recently successfully updated an amd 64 bit machine from 8.1 to 8.2 release and reinstalled most of the previously installed ports. Now, I tried to use my usb disk and it is not automounting :(
>
> I like the convenience of automounting and I checked hal and dbus and they are both enabled and to be safe I deinstalled and installed them again and still does not automount.
>
>     ugen5.2: HP at usbus5
>     umass0: HP c310w, class 0/0, rev 2.00/1.00, addr 2 on usbus5
>     umass0: SCSI over Bulk-Only; quirks = 0x
>     umass0:2:0:-1: Attached to scbus2
>     da0 at umass-sim0 bus 0 scbus2 target 0 lun 0
>     da0: HP c310w 1.00 Removable Direct Access SCSI-2 device
>     da0: 40.000MB/s transfers
>     da0: 3819MB (7823296 512 byte sectors: 255H 63S/T 486C)
>
>     [olivares@grullahighschool ~]$ ls /media/.hal-mtab
>     /media/.hal-mtab
>     [olivares@grullahighschool ~]$ cat /usr/local/etc/PolicyKit/PolicyKit.conf
>     <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
>     <!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
>     "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
>     <!-- See the manual page PolicyKit.conf(5) for file format -->
>     <config version="0.1">
>       <define_admin_auth group="operator"/>
>       <match action="org.freedesktop.hal.storage.mount-removable">
>         <return result="yes"/>
>       </match>
>       <match action="org.freedesktop.hal.storage.mount-fixed">
>         <return result="yes"/>
>       </match>
>       <match action="org.freedesktop.hal.storage.eject">
>         <return result="yes"/>
>       </match>
>     </config>
>
> Thank you for any pointers/advice/suggestions.
>
> Regards,
> Antonio

Dear folks,

I am trying out several things and reading and I have found several sites:

http://gezeiten.org/post/2011/01/Xfce-4.8-on-BSD-flavors
http://www.unix.com/unix-dummies-questions-answers/117249-using-usb-sticks-freebsd.html
http://forums.freebsd.org/showthread.php?t=19410

Have not found any relevant information. Installed automounter from ports in sysutils/automount but still does not work.

dbus and hald are enabled and installed. I just like the convenience of using automounting. If it is not going to be working, then I am fine with it.

Thanks,
Antonio
Re: automounting of usb disks not working how to troubleshoot
On Fri, May 13, 2011 at 5:53 PM, Antonio Olivares olivares14...@gmail.com wrote:
> Dear folks,
>
> I am trying out several things and reading and I have found several sites:
>
> http://gezeiten.org/post/2011/01/Xfce-4.8-on-BSD-flavors
> http://www.unix.com/unix-dummies-questions-answers/117249-using-usb-sticks-freebsd.html
> http://forums.freebsd.org/showthread.php?t=19410
>
> Have not found any relevant information. Installed automounter from ports in sysutils/automount but still does not work. dbus and hald are enabled and installed. I just like the convenience of using automounting. If it is not going to be working, then I am fine with it.

You may want to use devd(8)/devd.conf(5) for this.

--
Adam Vande More