Re: netstat -i
On 06/12/2012 05:51, Olivier Nicole wrote:
> I used netstat -i for the first time and I saw something I cannot understand:
>
> # netstat -ibh -I em1
> Name  Mtu   Network       Address            Ipkts  Opkts
> em1   9000  <Link#2>      00:0e:0c:5c:32:29  92M    129M
> em1   9000  10.41.170/24  ufo2000            924K   926K
>
> I understand that the line reporting the MAC address means the traffic seen at layer 2, while the line reporting the IP address means the traffic seen at layer 3. How would that be possible to have such a difference (on a switched network)?

It's certainly possible -- arp (and dhcp to some extent) involve sending broadcast packets at layer 2. There can be a lot of arp traffic on a well-populated network, or if you're doing things like running multiple layer 3 networks over the same physical infrastructure. There can be other forms of Ethernet-only (rather than IP) traffic -- switches often speak to each other like that.

Generally it is not a problem unless it is affecting performance, at which point the answer is to segment the network into smaller broadcast domains by sub-netting and/or using VLANs.

Cheers,

Matthew
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: netstat -i
Matthew,

>> Name  Mtu   Network       Address            Ipkts  Opkts
>> em1   9000  <Link#2>      00:0e:0c:5c:32:29  92M    129M
>> em1   9000  10.41.170/24  ufo2000            924K   926K
>>
>> I understand that the line reporting the MAC address means the traffic seen at layer 2, while the line reporting the IP address means the traffic seen at layer 3. How would that be possible to have such a difference (on a switched network)?
>
> It's certainly possible -- arp (and dhcp to some extent) involve sending broadcast packets at layer 2. There can be a lot of arp traffic on a well-populated network, or if you're doing things like running multiple layer 3 networks over the same physical infrastructure. There can be other forms of Ethernet-only (rather than IP) traffic -- switches often speak to each other like that.
>
> Generally it is not a problem unless it is affecting performance, at which point the answer is to segment the network into smaller broadcast domains by sub-netting and/or using VLANs.

There is only one layer 3 network on that physical infrastructure (at least in that VLAN). And there are only 8 machines in that VLAN, no routing, as the VLAN is primarily designed for NFS.

I did not show the most disturbing figure, where the output bytes are 3.7 TB at MAC level but only 156 GB at IP level (2000 times less). The large amount of output bytes is understandable, for the machine is an NFS server. 3 TB is not big, but it is at IP level, not at MAC level.

Best regards,

Olivier
Re: Somewhat OT: Is Full Command Logging Possible?
On Dec 6, 2012, at 12:47 AM, Tim Daneliuk tun...@tundraware.com wrote:

> On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>> On 6 Dec 2012, at 00:19, Tim Daneliuk tun...@tundraware.com wrote:
>>> sudo chown root:wheel my_naughty_script
>>> sudo chmod 700 my_naughty_script
>>> sudo ./my_naughty_script
>>>
>>> The sudo log will note that I ran the script, but not what it did.
>>
>> wow, way to complicate matters.
>
> Hey, I didn't dream up this problem :)
>
>> sudo csh
>>
>>> So Gentle Geniuses, is there prior art here that could be applied to give me full coverage logging of every action taken by any person or thing running with effective or actual root?
>>>
>>> P.S. I do not believe
>>
>> Now would be a good time to start, then.
>
> Well ... does auditd provide a record of every command issued within a script? I was under the impression (and I may well be wrong) that it noted only the name of the script being executed.

While it won't log every single command invoked from inside a script, it *can* log every single file access that's made.

Apart from IBM z/Series and i/Series mainframes, there is no hardware/software combination that I am aware of which will do that.

The Audit framework is your next best bet IMHO. The only things you need to ensure are:
- auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that ?)
- the audit trail files can only be appended to ; man chflags

An alternative would be lshell, however you'll have to whitelist commands people can execute. Remember that we want admins to be able to do *anything* but we just want to log what they do, in fact do.

> --
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
Re: Somewhat OT: Is Full Command Logging Possible?
On Dec 6, 2012, at 1:35 AM, Kurt Buff kurt.b...@gmail.com wrote:

> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk tun...@tundraware.com wrote:
>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk tun...@tundraware.com wrote:
>>>> I am working with an institution that today provides limited privilege escalation on their servers via very specific sudo rules. The problem is that the administrators can do 'sudo su -'.
>>>
>>> <snip>
>>>
>>> sudo is misconfigured.
>>>
>>> man 5 sudoers and man 8 visudo
>>>
>>> Kurt
>>
>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're saying. Are you suggesting that there is a way to configure sudo so that if someone does 'sudo su -' to become an admin, sudo can be made to log every command they execute thereafter?
>
> No, I'm saying that sudo should not be configured to allow 'sudo su -'.

This is an ineffective solution.

So what, you're going to forbid sudo su - ?
Fine, I'll just run sudo csh .

If you forbid csh, I'll just copy the existing `which csh` to ~/toto and sudo ~/toto .

Basically, anything short of actually whitelisting what people can run won't do.
And apparently that's not in Tim's list of desirable things ;)
Re: ipfwNG project?
On 12/4/2012 4:24 PM, Rick Miller wrote:
> I came across the wiki doc for ipfwNG (http://wiki.freebsd.org/IpfwNg) and wondered if any of the concepts of this project are currently being developed for FreeBSD and when we might start seeing those concepts included in releng/ code.

Hi,

I would ask first ipfw@, then net@ and last and most importantly the author of the wiki page directly.

HTH,
Nikos
Re: netstat -i
Hello Olivier,

> Name  Mtu   Network       Address            Ipkts  Opkts
> em1   9000  <Link#2>      00:0e:0c:5c:32:29  92M    129M
> em1   9000  10.41.170/24  ufo2000            924K   926K

Use tcpdump to find out what traffic you have there. There are a lot of protocols that work on top of Ethernet and have nothing to do with IP.

Ilya.
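Before reaching for tcpdump it helps to know how big the gap Olivier and Ilya are discussing actually is, per interface. The following Python script is an added example (it is not from the thread): it parses the <Link#N> rows and the network-layer rows of netstat -ib output, sums the IP-layer counters for each interface, and reports the share of frames that never reached IP. The sample output is constructed from the counters quoted above with netstat's other columns trimmed; the human-readable suffixes are assumed to be 1024-based, which only matters for absolute counts, not for the ratio.

```python
"""Compare link-layer and IP-layer packet counters from `netstat -ibh` output.

netstat -i prints one <Link#N> row per interface (every frame the driver saw)
and one row per configured network-layer address (packets that reached IP).
A large gap between the two means much of the traffic is not IP at all
(ARP, spanning tree, LLDP and other Ethernet-only protocols). Added example,
not code from the mailing-list thread; SAMPLE is constructed from the counters
quoted in the thread, with netstat's remaining columns trimmed.
"""
import re

SAMPLE = """\
Name  Mtu   Network       Address            Ipkts  Opkts
em1   9000  <Link#2>      00:0e:0c:5c:32:29  92M    129M
em1   9000  10.41.170/24  ufo2000            924K   926K
lo0   16384 <Link#1>                         1.2K   1.2K
lo0   16384 127           localhost          1.2K   1.2K
"""

# netstat -h scales counters with humanize_number(3); a 1024 base is assumed
# here. The base changes absolute values only, never the link/IP ratio.
SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
COUNT_RE = re.compile(r"^(\d+(?:\.\d+)?)([KMGT]?)$")


def parse_count(token):
    """Turn a human-readable counter such as '92M' or '924K' into an int."""
    m = COUNT_RE.match(token)
    if not m:
        raise ValueError("not a counter: %r" % token)
    return int(float(m.group(1)) * SUFFIX[m.group(2)])


def parse_netstat(text):
    """Return {ifname: {"link": (in, out), "ip": (in, out)}} from netstat -ib text."""
    stats = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) == 5:  # <Link#N> row with no address column (e.g. lo0)
            name, _mtu, network, ipkts, opkts = fields
        elif len(fields) == 6:
            name, _mtu, network, _addr, ipkts, opkts = fields
        else:
            continue
        entry = stats.setdefault(name, {"link": (0, 0), "ip": (0, 0)})
        # Every non-Link row is a network-layer address; sum them so aliases
        # and several subnets on one interface are all counted as IP.
        key = "link" if network.startswith("<Link#") else "ip"
        cur_in, cur_out = entry[key]
        entry[key] = (cur_in + parse_count(ipkts), cur_out + parse_count(opkts))
    return stats


def non_ip_fraction(stats, name, direction="in"):
    """Fraction (0.0 .. 1.0) of frames on `name` that never reached IP."""
    idx = 0 if direction == "in" else 1
    link = stats[name]["link"][idx]
    ip = stats[name]["ip"][idx]
    if link == 0:
        return 0.0
    return max(0.0, (link - ip) / link)


def suspicious_interfaces(stats, threshold=0.10):
    """Interfaces where more than `threshold` of the frames are not IP."""
    return sorted(
        n for n in stats
        if non_ip_fraction(stats, n, "in") > threshold
        or non_ip_fraction(stats, n, "out") > threshold
    )


if __name__ == "__main__":
    s = parse_netstat(SAMPLE)
    for n in sorted(s):
        print("%-5s non-IP in %5.1f%%  out %5.1f%%" % (
            n, 100 * non_ip_fraction(s, n, "in"),
            100 * non_ip_fraction(s, n, "out")))
    print("worth a tcpdump:", suspicious_interfaces(s))
```

Feed it the real output with netstat -ibh piped into the script in place of SAMPLE; an interface that shows up in suspicious_interfaces() is the one to watch with tcpdump, filtering out IP (not ip and not ip6) to see what is left.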
Login class and limit
Hi all!

I need help configuring limits for users on FreeBSD 8.3. I set the following options and parameters in login.conf(5):

mydaemon:\
        :cputime=5s:\
        :memoryuse=500m:\
        :vmemoryuse=500m:\
        :tc=default:

changed the class for the user, and ran cap_mkdb(1). But if I run a process as a user with the class mydaemon which uses 5s of CPU time, the process is not terminated.

# sudo -u daemon limits
Resource limits (current):
  cputime              infinity secs

but:

# su - daemon -c 'limits'
Resource limits (current):
  cputime                     5 secs

Why? And how can I run a process without su(1) and still apply the limits of my user class?

Thx!

--
Respectfully,
Stanislav Putrya
System administrator
FotoStrana.Ru Ltd.
ICQ IM: 328585847
Jabber-GoogleTalk: root.vagner
mob.phone SPB: +79215788755
mob.phone RND: +79525600664
email: vag...@bsdway.ru
email: put...@playform.ru
email: root.vag...@gmail.com
site: bsdway.ru
site: fotostrana.ru
 ( )  ASCII ribbon campaign
  X   - against HTML, vCards and
 / \  - proprietary attachments in e-mail
Resizing HAST volumes
Hi,

I was looking at setting up a HAST volume that gets exported by iSCSI. The HAST volume was going to sit on top of a ZFS-managed zpool. I know that using ZFS I can grow the size of a volume by adding more vdevs, and then any ZFS or UFS filesystem on top of that can be expanded to accommodate the extra available space (for example using growfs for UFS filesystems). However, as I plan to have a HAST volume on top of the zvolume, I would need to expand the size of that to make use of the extra volume capacity. Is there any way to non-destructively resize a HAST volume once the underlying storage has been expanded?

Scott

--
Scott Hilleard sc...@netsight.co.uk
Netsight Internet Solutions, Ltd.   Business Vision on the Internet
http://www.netsight.co.uk   +44 (0)117 9090901
Web Design | Zope/Plone Development Consulting | Co-location | Hosting
PPPoE
Hi,

how do I have to set up PPPoE? This doesn't work: [1]

Regards,
Ralf

[1]
[rocketmouse@freebsd] /usr/home/rocketmouse# ppp -ddial alice
Working in ddial mode
Using interface: tun0

[rocketmouse@freebsd] /usr/home/rocketmouse# cat /etc/ppp/ppp.conf
#
# PPP  Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by ws...@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD$
#
default:
 set log Phase Chat LCP IPCP CCP tun command
##ident user-ppp VERSION

 # Ensure that "device" references the correct serial port
 # for your modem. (cuau0 = COM1, cuau1 = COM2)
 #
 ##set device /dev/cuau1
 set device PPPoE:re0

 ##set speed 115200
 ##set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
 ##          \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 ##set timeout 180                        # 3 minute idle timer (the default)
 ##enable dns                             # request DNS info (for resolv.conf)

##papchap:
alice:
 #
 # edit the next three lines and replace the items in caps with
 # the values which have been assigned by your ISP.
 #
 ##set phone PHONE_NUM
 ##set authname USERNAME
 ##set authkey PASSWORD
 set authname [*!SNIP!*]
 set authkey [*!SNIP!*]
 set dial
 set login
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR                      # Add a (sticky) default route

[rocketmouse@freebsd] /usr/home/rocketmouse# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:1e:8c:80:2a:eb
        inet6 fe80::21e:8cff:fe80:2aeb%re0 prefixlen 64 scopeid 0x1
        inet 0.0.0.0 netmask 0xff00 broadcast 255.255.255.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:11:d8:84:b5:f7
        ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        lladdr 0.11.d8.0.1.84.b5.f7.a.2.ff.fe.0.0.0.0
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
pflog0: flags=0 metric 0 mtu 33152
pfsync0: flags=0 metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xff00
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        options=8<LINKSTATE>
        inet 92.224.211.44 --> 213.191.89.25 netmask 0xff00
        Opened by PID 21614

[rocketmouse@freebsd] /usr/home/rocketmouse# uname -a
FreeBSD freebsd 8.2-RELEASE FreeBSD 8.2-RELEASE #7: Wed Feb 16 13:33:10 PST 2011     r...@build8x64.pcbsd.org:/usr/obj/usr/pcbsd-build82/fbsd-source/8.2/sys/PCBSD  amd64

[rocketmouse@freebsd] /usr/home/rocketmouse# cat /var/log/ppp.log
Dec 3 23:57:17 freebsd newsyslog[1569]: logfile first created
Dec 6 15:09:12 freebsd ppp[21604]: Phase: Using interface: tun0
Dec 6 15:09:12 freebsd ppp[21604]: Phase: deflink: Created in closed state
Dec 6 15:09:12 freebsd ppp[21604]: tun0: Command: default: set device PPPoE:re0
Dec 6 15:09:12 freebsd ppp[21604]: tun0: Command: alice: set authname [*!SNIP!*]
Dec 6 15:09:12 freebsd ppp[21604]: tun0: Command: alice: set authkey
Dec 6 15:09:12 freebsd ppp[21604]: tun0: Command: alice: set dial
Dec 6 15:09:12 freebsd ppp[21604]: tun0: Command: alice: set login
Dec 6 15:09:12 freebsd ppp[21604]: tun0: Command: alice: set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
Dec 6 15:09:12 freebsd ppp[21604]: tun0: Command: alice: add default HISADDR
Dec 6 15:09:12 freebsd ppp[21614]: tun0: Phase: PPP Started (ddial mode).
Dec 6 15:09:12 freebsd ppp[21614]: tun0: Phase: bundle: Establish
Dec 6 15:09:12 freebsd ppp[21614]: tun0: Phase: deflink: closed -> opening
Dec 6 15:09:13 freebsd ppp[21614]: tun0: Phase: deflink: Connected!
Dec 6 15:09:13 freebsd ppp[21614]: tun0: Phase: deflink: opening -> dial
Dec 6 15:09:13 freebsd ppp[21614]: tun0: Phase: deflink: dial -> carrier
Dec 6 15:09:14 freebsd ppp[21614]: tun0: Phase: Received NGM_PPPOE_ACNAME (hook "HN-XDSL")
Dec 6 15:09:14 freebsd ppp[21614]: tun0: Phase: Received NGM_PPPOE_SESSIONID
Dec 6 15:09:14 freebsd ppp[21614]: tun0: Phase: Received NGM_PPPOE_SUCCESS
Dec 6 15:09:14 freebsd ppp[21614]: tun0: Phase: deflink: carrier -> login
Dec 6 15:09:14 freebsd ppp[21614]: tun0: Phase: deflink: login -> lcp
Dec 6 15:09:14 freebsd ppp[21614]: tun0: LCP:
Re: PPPoE
On Thu 2012-12-06 16:13:40 UTC+0100, Ralf Mardorf (ralf.mard...@rocketmail.com) wrote:
> how do I have to set up PPPoE? This doesn't work: [1]

In what way does it not work? In your example, at the very least you should be able to ping 213.191.89.25:

> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
>         options=8<LINKSTATE>
>         inet 92.224.211.44 --> 213.191.89.25 netmask 0xff00
>         Opened by PID 21614

> Dec 6 15:09:15 freebsd ppp[21614]: tun0: IPCP: myaddr 92.224.211.44 hisaddr = 213.191.89.25
Re: Login class and limit
Hi--

On Dec 6, 2012, at 6:32 AM, Vagner vag...@bsdway.ru wrote:
> Hi all! I need help configuring limits for users on FreeBSD 8.3. I set the following options and parameters in login.conf(5):
[ … ]
> # sudo -u daemon limits
> Resource limits (current):
>   cputime              infinity secs
>
> but:
>
> # su - daemon -c 'limits'
> Resource limits (current):
>   cputime                     5 secs
>
> Why? And how can I run a process without su(1) and still apply the limits of my user class?

su -, su -l, and sudo -i provide a login shell, which gets the limits set up by login.conf. Normally daemons are started at boot via the rc mechanism (or perhaps get spawned from inetd) and do not have a login shell associated with them to set up the limits.

Either use one of the su/sudo flavors I mention above, or /bin/sh -l to provide a login env to the process…

Regards,
--
-Chuck
Re: PPPoE
On Thu, 06 Dec 2012 16:13:40 +0100 Ralf Mardorf wrote:

> ##enable dns                             # request DNS info (for resolv.conf)

You probably need this if you haven't set resolv.conf manually.

> set dial
> set login

I don't think you need these.
kdialog error message
FreeBSD 8.3-STABLE
KDE Platform Version 4.8.4 (4.8.4)

I am attempting to create a custom action in claws-mail. The action command line reads:

| kdialog --msgbox "Characters: $(wc -c)"

This works fine except that it also issues an error message:

--- Ended: kdialog --msgbox "Characters: $(wc -c)"
kdialog(26489)/KSharedDataCache: Unable to find an appropriate lock to guard the shared cache. This *should* be essentially impossible. :(
kdialog(26489)/KSharedDataCache: Unable to perform initial setup, this system probably does not really support process-shared pthreads or semaphores, even though it claims otherwise.
kdialog(26489)/KSharedDataCache: Unable to unmap shared memory segment 0x8095c3000

Since this works on other OSs, it appears to be a problem with FreeBSD. Can anyone elaborate on it?

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: Somewhat OT: Is Full Command Logging Possible?
On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk tun...@tundraware.com wrote:
> ...
> Well ... does auditd provide a record of every command issued within a script? I was under the impression (and I may well be wrong) that it noted only the name of the script being executed.

Even if you configured auditd to record every command issued within a script, you'd still have a problem if a malicious user put the same commands inside a binary. As some people already pointed out, there is practically no way to control users once you give them root privileges.

The only thing that would really solve your problem is probably something like http://www.balabit.com/network-security/scb/features (no personal experience with it, but seems it does what you need).

--
Nino
Re: Somewhat OT: Is Full Command Logging Possible?
On 12/06/2012 12:55 PM, n j wrote:
> On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk tun...@tundraware.com wrote:
>> ...
>> Well ... does auditd provide a record of every command issued within a script? I was under the impression (and I may well be wrong) that it noted only the name of the script being executed.
>
> Even if you configured auditd to record every command issued within a script, you'd still have a problem if a malicious user put the same commands inside a binary. As some people already pointed out, there is practically no way to control users once you give them root privileges.

I understand this. Even the organization in question understands this. They are not trying to *prevent* any kind of access. All they're trying to do is *log* it. Why? To meet some obscure compliance requirement they have to adhere to in order to remain in business.

<rant>
I know all of this is silly but that's our future when you let Our Fine Government regulate pretty much anything.
</rant>

> The only thing that would really solve your problem is probably something like http://www.balabit.com/network-security/scb/features (no personal experience with it, but seems it does what you need).

--
---
Tim Daneliuk
Fwd: Somewhat OT: Is Full Command Logging Possible?
Sorry, forgot to reply all...

Kurt

-- Forwarded message --
From: Kurt Buff kurt.b...@gmail.com
Date: Thu, Dec 6, 2012 at 11:53 AM
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
To: Fleuriot Damien m...@my.gd

On Thu, Dec 6, 2012 at 1:26 AM, Fleuriot Damien m...@my.gd wrote:
> On Dec 6, 2012, at 1:35 AM, Kurt Buff kurt.b...@gmail.com wrote:
>> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk tun...@tundraware.com wrote:
>>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk tun...@tundraware.com wrote:
>>>>> I am working with an institution that today provides limited privilege escalation on their servers via very specific sudo rules. The problem is that the administrators can do 'sudo su -'.
>>>>
>>>> <snip>
>>>>
>>>> sudo is misconfigured.
>>>>
>>>> man 5 sudoers and man 8 visudo
>>>>
>>>> Kurt
>>>
>>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're saying. Are you suggesting that there is a way to configure sudo so that if someone does 'sudo su -' to become an admin, sudo can be made to log every command they execute thereafter?
>>
>> No, I'm saying that sudo should not be configured to allow 'sudo su -'.
>
> This is an ineffective solution.
>
> So what, you're going to forbid sudo su - ?
> Fine, I'll just run sudo csh .
>
> If you forbid csh, I'll just copy the existing `which csh` to ~/toto and sudo ~/toto .
>
> Basically, anything short of actually whitelisting what people can run won't do.
> And apparently that's not in Tim's list of desirable things ;)

Whitelisting commands is exactly what the sudoers file is for. If he wants to do otherwise, then he's using the wrong tool.

Kurt
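Damien's two points (a whitelisted shell or su hands over an unlogged root session; a private copy of a binary such as ~/toto is a command the rules never saw) and Kurt's point that sudoers is a whitelist are both visible in the sudo log, if someone reads it. The following Python review pass is an added example, not code from the thread: it parses sudo's syslog lines, flags granted commands that start a shell or su, flags commands whose binary lives outside the system directories, and keeps the denials, so the findings can be turned into tighter sudoers rules or followed up. The log lines are constructed in sudo's standard syslog format, and the list of trusted directories is an assumption for a FreeBSD-style layout.

```python
"""Flag privilege-escalation patterns in sudo's syslog lines.

sudo records the command it authorised, not what that command went on to do.
Two things therefore deserve review: granted commands that open an unlogged
root session (a shell, su, login) and granted commands whose binary is not in
an administratively controlled directory (a user's own copy of a shell, a
home-grown script). Added example, not from the thread; SAMPLE_LOG is
constructed in sudo's syslog format and TRUSTED_PREFIXES is an assumption.
"""
import os
import re

SAMPLE_LOG = """\
Dec  6 00:19:01 srv1 sudo:      tim : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/su -
Dec  6 00:19:40 srv1 sudo:      tim : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/bin/csh
Dec  6 00:20:02 srv1 sudo:      tim : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/home/tim/toto
Dec  6 00:21:13 srv1 sudo:      tim : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Dec  6 00:22:50 srv1 sudo:      tim : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/bin/chmod 700 my_naughty_script
Dec  6 00:23:01 srv1 sudo:      tim : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/home/tim/my_naughty_script
Dec  6 00:25:00 srv1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Dec  6 00:30:00 srv1 sshd[4242]: Accepted publickey for tim from 10.0.0.5 port 51234 ssh2
"""

# Programs that turn one sudo entry into an open-ended, unlogged root session.
SHELL_LIKE = {"sh", "csh", "tcsh", "bash", "zsh", "ksh", "su", "login"}

# Assumed locations of administratively controlled binaries (FreeBSD layout).
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$")


def parse_sudo_line(line):
    """Return a dict for one sudo syslog line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    denied = rest.startswith("command not allowed")
    # COMMAND= is always the last field and may itself contain spaces.
    _, _, command = rest.partition("COMMAND=")
    fields = dict(
        kv.split("=", 1) for kv in rest.split(" ; ")
        if "=" in kv and not kv.startswith("COMMAND="))
    return {"ts": m.group("ts"), "host": m.group("host"),
            "user": m.group("user"), "runas": fields.get("USER", ""),
            "tty": fields.get("TTY", ""), "command": command, "denied": denied}


def classify(command):
    """Label a granted command 'shell-escape', 'untrusted-path' or 'ok'."""
    binary = command.split(" ", 1)[0]
    if os.path.basename(binary) in SHELL_LIKE:
        return "shell-escape"
    if not binary.startswith(TRUSTED_PREFIXES):
        return "untrusted-path"
    return "ok"


def audit(lines):
    """Return the records worth a second look; plain system commands are dropped."""
    findings = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        verdict = "denied" if rec["denied"] else classify(rec["command"])
        if verdict != "ok":
            rec["verdict"] = verdict
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print("%s %-14s %s -> %s" % (f["ts"], f["verdict"], f["user"], f["command"]))
```

Note what the pass cannot see: once /usr/bin/su or /bin/csh has been granted, everything typed afterwards is invisible to sudo, which is exactly the gap the thread is about; the script only makes those grants stand out so the sudoers rules can be narrowed.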
SMS application
Can anyone recommend a good SMS application that works on FreeBSD? I have used several different ones on MS Windows; however, I cannot find one that works on FreeBSD. There doesn't appear to be a fully functional one in the ports system either, although I might have missed it.

--
Carmel carmel...@hotmail.com
Re: Somewhat OT: Is Full Command Logging Possible?
--On December 6, 2012 1:19:00 PM -0600 Tim Daneliuk tun...@tundraware.com wrote:

> I understand this. Even the organization in question understands this. They are not trying to *prevent* any kind of access. All they're trying to do is *log* it. Why? To meet some obscure compliance requirement they have to adhere to in order to remain in business.
>
> <rant>
> I know all of this is silly but that's our future when you let Our Fine Government regulate pretty much anything.
> </rant>

I sent this last night, but for some reason it never showed up.

/usr/ports/security/sudoscript

I believe this will meet your requirements.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
***
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
Re: grep -Dskip doesn't skip FIFOs
David Xu wrote on 06.12.2012 04:46:
> On 2012/12/06 11:28, David Xu wrote:
>> On 2012/12/06 07:07, Marco Steinbach wrote:
>>> Hi there,
>>>
>>> grep(1) does not seem to skip FIFOs when told to.
>>> <snip>
>>
>> I think you need a patch to fix it, the bug is in ggrep, it tries to open a FIFO before checking if it is a FIFO, then blocked.
>>
>> http://people.freebsd.org/~davidxu/patch/grep.c.diff
>
> or the patch:
>
> http://people.freebsd.org/~davidxu/patch/grep.c.diff2
>
> The patch opens file with O_NONBLOCK, then turns off O_NONBLOCK, and only checks if a file is a FIFO in reset() function.

This patch also seems to fix it. I can't comment on the patches themselves, though.

Anyway, thank you again for taking care of this.

MfG CoCo
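The ordering David Xu describes for the second patch is the general fix for this class of hang: open with O_NONBLOCK so a FIFO with no writer cannot block the process, decide from the descriptor what was opened, and only then clear O_NONBLOCK for ordinary reading. Checking with stat(2) before open(2) would leave a window in which the path can be swapped for something else, which is why the check belongs on the opened descriptor. The Python below is an added illustration of that pattern, not the grep patch itself: open_skipping_specials() returns a blocking descriptor only for regular files, grep_file() uses it the way -D skip would, and demo() constructs a temporary regular file and FIFO to show the FIFO being skipped instead of hanging the caller.

```python
"""Open a path for reading without blocking on a FIFO (the -D skip ordering).

open(2) on a FIFO with no writer blocks until one appears, so any type check
that runs after a plain open is too late. Opening with O_NONBLOCK returns at
once; fstat(2) on the descriptor then tells us what we really opened (no
stat-then-open race), and O_NONBLOCK is cleared only for regular files.
Added example in Python; it is not code from the grep patches discussed.
"""
import fcntl
import os
import stat
import tempfile


def open_skipping_specials(path):
    """Return a blocking read fd for a regular file, or None for FIFO/device/socket/dir."""
    # O_NONBLOCK: do not wait for a FIFO writer. O_NOCTTY: never acquire a
    # terminal device as controlling tty as a side effect of the open.
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOCTTY)
    try:
        st = os.fstat(fd)  # classify the object we hold, not the path name
        if not stat.S_ISREG(st.st_mode):
            os.close(fd)
            return None
        # Regular file: restore blocking semantics for normal reads.
        flags = fcntl.fcntl(fd, fcntl.F_GETFL)
        fcntl.fcntl(fd, fcntl.F_SETFL, flags & ~os.O_NONBLOCK)
        return fd
    except OSError:
        os.close(fd)
        raise


def grep_file(path, needle):
    """Return matching lines, or None when the path was skipped (like grep -D skip)."""
    fd = open_skipping_specials(path)
    if fd is None:
        return None
    with os.fdopen(fd, "r", errors="replace") as f:
        return [line.rstrip("\n") for line in f if needle in line]


def demo():
    """Constructed check: a regular file is searched, a writer-less FIFO is skipped."""
    d = tempfile.mkdtemp()
    regular = os.path.join(d, "notes.txt")
    fifo = os.path.join(d, "pipe")
    with open(regular, "w") as f:
        f.write("alpha\nneedle in here\nomega\n")
    os.mkfifo(fifo)  # nobody will ever write to it; a plain open would hang
    try:
        return {"regular": grep_file(regular, "needle"),
                "fifo": grep_file(fifo, "needle")}
    finally:
        os.unlink(fifo)
        os.unlink(regular)
        os.rmdir(d)


if __name__ == "__main__":
    print(demo())
```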
Re: Login class and limit
On 06:53 Thu 06 Dec , Charles Swiger wrote:
> Hi--
>
> On Dec 6, 2012, at 6:32 AM, Vagner vag...@bsdway.ru wrote:
>> Hi all! I need help configuring limits for users on FreeBSD 8.3. I set the following options and parameters in login.conf(5):
> [ … ]
>> # sudo -u daemon limits
>> Resource limits (current):
>>   cputime              infinity secs
>>
>> but:
>>
>> # su - daemon -c 'limits'
>> Resource limits (current):
>>   cputime                     5 secs
>>
>> Why? And how can I run a process without su(1) and still apply the limits of my user class?
>
> su -, su -l, and sudo -i provide a login shell, which gets the limits set up by login.conf. Normally daemons are started at boot via the rc mechanism (or perhaps get spawned from inetd) and do not have a login shell associated with them to set up the limits.
>
> Either use one of the su/sudo flavors I mention above, or /bin/sh -l to provide a login env to the process…
>
> Regards,
> --
> -Chuck

i.e. it means that implementing limits(1) and login.conf(5) restrictions for daemons is not possible?

--
Respectfully,
Stanislav Putrya
System administrator
FotoStrana.Ru Ltd.
Re: what replaces javaws? using icedtea-web and openjdk6.
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/173603

I apply the suggested fix:

$ sh -x `which itweb-javaws` jviewer.jnlp
+ JAVA=/usr/local/openjdk6/jre/bin/java
+ LAUNCHER_BOOTCLASSPATH=-Xbootclasspath/a:/usr/local/share/icedtea-web/netx.jar
+ LAUNCHER_FLAGS=-Xms8m
+ CLASSNAME=net.sourceforge.jnlp.runtime.Boot
+ BINARY_LOCATION=/usr/local/bin/itweb-javaws
+ PROGRAM_NAME=itweb-javaws
+ CP=/usr/local/openjdk6/jre/lib/rt.jar
/usr/local/bin/itweb-javaws: 11: Syntax error: Bad function name

I try once more on another machine, not 64 bit; it returns the same error and Java Web Start does not work :(

$ sh -x `which itweb-javaws` jviewer.jnlp
+ JAVA=/usr/local/openjdk6/jre/bin/java
+ LAUNCHER_BOOTCLASSPATH=-Xbootclasspath/a:/usr/local/share/icedtea-web/netx.jar
+ LAUNCHER_FLAGS=-Xms8m
+ CLASSNAME=net.sourceforge.jnlp.runtime.Boot
+ BINARY_LOCATION=/usr/local/bin/itweb-javaws
+ PROGRAM_NAME=itweb-javaws
+ CP=/usr/local/openjdk6/jre/lib/rt.jar
/usr/local/bin/itweb-javaws: 11: Syntax error: Bad function name

Any other ideas as to how to fix this?

TIA,

Antonio
Re: Somewhat OT: Is Full Command Logging Possible?
On Dec 5, 2012, at 3:19 PM, Tim Daneliuk wrote:

> This is a little bit outside the strict boundaries of a FreeBSD question, but I am hoping someone in this community has solved this problem and that I might be able to adapt it for non-FreeBSD systems (AIX and Linux, specifically).
>
> I am working with an institution that today provides limited privilege escalation on their servers via very specific sudo rules. The problem is that the administrators can do 'sudo su -'. The fact that they became root is logged, *but everything thereafter they do is not*.
>
> What these people need is something that does the following things - this need not be sudo based, any FOSS or commercial solution would be considered:
>
> - Log the fact that someone became effective root
> - Log every command they execute *as* root
> - If they run a script as root, log the individual actions of that script
> - Have visibility into all this no matter how they access the system - console, ssh, xterm ….

There's a kernel module floating around the Intarwebs… lrexec

We used it for some years to satisfy governance regulations. But let me tell you… it got so noisy, it was ultimately disabled for sanity. But don't let that stop You. …

Quick search of lrexec module yields the following:
http://freebsd.munk.me.uk/archives/112-Installed-and-Configured-lrexec-module-For-Logging-System-Calls.html

NOTE: Our plan for replacing this functionality in our organization was to use the praudit fire-hose available in FreeBSD-8.x. It too could be a solution to your problem.

--
Devin

> Nothing I have found so far meets all these criteria. Verbose syslogging will not catch the case where you start a subshell from the main shell. Keylogging seems to only have limited coverage and does not appear it would work if, say, I log in via ssh and then kick off an xterm. Other solutions fail if I start an editor and shell out from there.
>
> The current proposal is to install sudo rules such that NO one is allowed 'sudo su -' and *every single command* you want to run as root has to start with 'sudo'. This has two big drawbacks:
>
> - It's an enormous pain for the admins and fundamentally changes their workflow
> - It cannot see into scripts. So I can circumvent it pretty easily with:
>
>   sudo chown root:wheel my_naughty_script
>   sudo chmod 700 my_naughty_script
>   sudo ./my_naughty_script
>
> The sudo log will note that I ran the script, but not what it did.
>
> So Gentle Geniuses, is there prior art here that could be applied to give me full coverage logging of every action taken by any person or thing running with effective or actual root?
>
> P.S. I do not believe auditd does this either.
>
> --
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
Re: SMS application
In article <blu0-smtp19ad48d80755ecda768cb193...@phx.gbl> you write:
> Can anyone recommend a good SMS application that works on FreeBSD? I have used several different ones on MS Windows; however, I cannot find one that works on FreeBSD. There doesn't appear to be a fully functional one in the ports system either, although I might have missed it.

What do you want to do? If you just want to send SMS, there are plenty of vendors that have http interfaces that you can script with wget or www libraries in perl, python, and the other usual suspects.
Re: what replaces javaws? using icedtea-web and openjdk6.
In the last episode (Dec 06), Antonio Olivares said:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/173603
>
> I apply the suggested fix:
>
> $ sh -x `which itweb-javaws` jviewer.jnlp
> + JAVA=/usr/local/openjdk6/jre/bin/java
> + LAUNCHER_BOOTCLASSPATH=-Xbootclasspath/a:/usr/local/share/icedtea-web/netx.jar
> + LAUNCHER_FLAGS=-Xms8m
> + CLASSNAME=net.sourceforge.jnlp.runtime.Boot
> + BINARY_LOCATION=/usr/local/bin/itweb-javaws
> + PROGRAM_NAME=itweb-javaws
> + CP=/usr/local/openjdk6/jre/lib/rt.jar
> /usr/local/bin/itweb-javaws: 11: Syntax error: Bad function name
>
> I try once more on another machine, not 64 bit; it returns the same error and Java Web Start does not work :(
>
> $ sh -x `which itweb-javaws` jviewer.jnlp
> + JAVA=/usr/local/openjdk6/jre/bin/java
> + LAUNCHER_BOOTCLASSPATH=-Xbootclasspath/a:/usr/local/share/icedtea-web/netx.jar
> + LAUNCHER_FLAGS=-Xms8m
> + CLASSNAME=net.sourceforge.jnlp.runtime.Boot
> + BINARY_LOCATION=/usr/local/bin/itweb-javaws
> + PROGRAM_NAME=itweb-javaws
> + CP=/usr/local/openjdk6/jre/lib/rt.jar
> /usr/local/bin/itweb-javaws: 11: Syntax error: Bad function name
>
> Any other ideas as to how to fix this?

Don't try and run it through /bin/sh . The script uses bash-isms (array syntax specifically). Just run "itweb-javaws jviewer.jnlp".

--
Dan Nelson
dnel...@allantgroup.com
Re: Login class and limit
On Dec 6, 2012, at 12:36 PM, Vagner wrote:
[ ... ]
>> Either use one of the su/sudo flavors I mention above, or /bin/sh -l to provide a login env to the process?
> ie means to implement restrictions limits(1) and login.conf(5) for daemons is not possible?

Sure, it's possible: run the daemon within a login shell. However, normally, daemons aren't started from a login shell and do not inherit the limits set up by login.conf.

Regards,
--
-Chuck
Re: Login class and limit
Vagner vag...@bsdway.ru writes:
> On 06:53 Thu 06 Dec , Charles Swiger wrote:
>> su -, su -l, and sudo -i provide a login shell, which gets the limits set up by login.conf. Normally daemons are started at boot via rc mechanism (or perhaps get spawned from inetd) and do not have a login shell associated with them to set up the limits. Either use one of the su/sudo flavors I mention above, or /bin/sh -l to provide a login env to the process?
> ie means to implement restrictions limits(1) and login.conf(5) for daemons is not possible?

It's possible, but you would have to use a login shell, which is usually inconvenient for a daemon (not having an attached terminal for I/O). The usual way to do this is to start the daemon in a script that explicitly sets the limits with /usr/bin/limits (or maybe ulimit, but limits(1) seems more common). Several ports do this, for example.
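The pattern both replies describe, as an added example that is not code from the thread or from any port: a start script that applies resource limits itself before exec'ing the daemon, since nothing started from rc or inetd goes through login(1) and so nothing reads login.conf for it. The thread points at /usr/bin/limits; this version uses the portable ulimit builtin instead so it also runs where limits(1) does not exist, and the limit values and the daemon path in the usage comment are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: start a daemon under explicit
# resource limits from a plain (non-login) start script. login.conf(5)
# limits are only applied by login shells, so a daemon start script has
# to set them on its own. The values below are assumed for illustration.

DAEMON_MAX_FILES=${DAEMON_MAX_FILES:-64}   # open file descriptors
DAEMON_CORE_SIZE=${DAEMON_CORE_SIZE:-0}    # no core dumps (they may hold secrets)

# run_limited CMD [ARGS...]: apply the limits inside a subshell and exec
# CMD there, so only the daemon is affected and the calling script keeps
# its own limits (on FreeBSD a port would use /usr/bin/limits here).
run_limited() {
    (
        ulimit -c "$DAEMON_CORE_SIZE" || exit 1
        ulimit -n "$DAEMON_MAX_FILES" || exit 1
        exec "$@"
    )
}

# effective_file_limit: report the open-file limit a child actually
# inherits through run_limited, i.e. what the daemon would run with.
effective_file_limit() {
    run_limited sh -c 'ulimit -n'
}

# effective_core_limit: the same check for the core dump size limit.
effective_core_limit() {
    run_limited sh -c 'ulimit -c'
}

# Usage in a start script (hypothetical daemon path):
#   run_limited /usr/local/sbin/mydaemon -f /usr/local/etc/mydaemon.conf
if [ "${1:-}" = "--demo" ]; then
    echo "child open-file limit:  $(effective_file_limit)"
    echo "child core size limit:  $(effective_core_limit)"
    echo "parent open-file limit: $(ulimit -n)"
fi
```

Running the script with `--demo` shows the child's limits next to the parent's; the parent's open-file limit is unchanged because the ulimit calls happen in the subshell that exec's the daemon.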
List all hard drives on system (with capacities)... How?
I'd like to write a small program or shell script that simply lists all of the physical hard drives attached to the local system, along with their product identifiers and their respective capacities.

The following simple script works well for both PATA/SATA and USB hard drives, but it does not list drive capacities:

  #!/bin/sh
  atacontrol list | grep ': ad[0-9]' | sed 's/^.*: //'
  camcontrol devlist | grep '(da[0-9]' | sed -E 's/^(.*) \((da[0-9]+).*$/\2 \1/'

How can I modify the script above in order to get it to print out the respective drive capacities?
Re: List all hard drives on system (with capacities)... How?
On 12/06/2012 05:30 PM, Ronald F. Guilmette wrote:
> I'd like to write a small program or shell script that simply lists all of the physical hard drives attached to the local system, along with their product identifiers and their respective capacities.
>
> The following simple script works well for both PATA/SATA and USB hard drives, but it does not list drive capacities:
>
>   #!/bin/sh
>   atacontrol list | grep ': ad[0-9]' | sed 's/^.*: //'
>   camcontrol devlist | grep '(da[0-9]' | sed -E 's/^(.*) \((da[0-9]+).*$/\2 \1/'
>
> How can I modify the script above in order to get it to print out the respective drive capacities?

Look into fdisk -s

--
Tim Daneliuk
tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: List all hard drives on system (with capacities)... How?
In message 50c12b6c.5020...@tundraware.com, Tim Daneliuk tun...@tundraware.com wrote:
> On 12/06/2012 05:30 PM, Ronald F. Guilmette wrote:
>> I'd like to write a small program or shell script that simply lists all of the physical hard drives attached to the local system, along with their product identifiers and their respective capacities.
>>
>> The following simple script works well for both PATA/SATA and USB hard drives, but it does not list drive capacities:
>>
>>   #!/bin/sh
>>   atacontrol list | grep ': ad[0-9]' | sed 's/^.*: //'
>>   camcontrol devlist | grep '(da[0-9]' | sed -E 's/^(.*) \((da[0-9]+).*$/\2 \1/'
>>
>> How can I modify the script above in order to get it to print out the respective drive capacities?
>
> Look into fdisk -s

Thank you Tim.

Silly me! Before I even got your reply, I had already done a bit more research and I had found what I think may perhaps be an even better answer. I never knew about this utility program called diskinfo, but I just now found it, and it seems to do the trick.

There appears to be a small problem with using fdisk -s... It looks like it hiccups when and if the drive in question has not actually been partitioned yet:

  # fdisk -s /dev/ad6
  fdisk: invalid fdisk partition table found

(The diskinfo utility apparently does not suffer from this problem.)
Re: List all hard drives on system (with capacities)... How?
On 12/7/2012 1:34 AM, Tim Daneliuk wrote:
> On 12/06/2012 05:30 PM, Ronald F. Guilmette wrote:
>> I'd like to write a small program or shell script that simply lists all of the physical hard drives attached to the local system, along with their product identifiers and their respective capacities.
>>
>> The following simple script works well for both PATA/SATA and USB hard drives, but it does not list drive capacities:
>>
>>   #!/bin/sh
>>   atacontrol list | grep ': ad[0-9]' | sed 's/^.*: //'
>>   camcontrol devlist | grep '(da[0-9]' | sed -E 's/^(.*) \((da[0-9]+).*$/\2 \1/'
>>
>> How can I modify the script above in order to get it to print out the respective drive capacities?
>
> Look into fdisk -s

I think fdisk should need a valid partition table, or not?

diskinfo works nicely with all disk-like devices, be it a physical disk, a slice, a partition, a swap-backed device etc. Its output is easily parsable, using a single line per device, and if you use -v you will get the same info in human-readable form.

HTH,
Nikos
Re: List all hard drives on system (with capacities)... How?
On Thu, Dec 06, 2012 at 04:23:54PM -0800, Ronald F. Guilmette wrote:
>   if ($bytes = (1024 * 1024 * 1024 * 1024)) {

You know about the exponentiation operator in Perl -- right?

  if ($bytes = (1024 ** 4)) {

I don't think typing 1024 four times with * between each pair is really a helpful form of verbosity.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
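Pulling the thread's pieces together as an added example (not code from any of the posters): a script that gets capacities from diskinfo, whose one-line-per-device output Nikos describes and which, unlike fdisk -s, does not need a partition table; the byte-to-unit scaling that the Perl fragment above does for TiB is generalised here to every binary unit. It assumes diskinfo's unlabelled output order (device, sector size, media size in bytes, sector count, ...) and the kern.disks sysctl for the device list; off FreeBSD, or for offline testing, it falls back to a constructed sample of diskinfo lines.

```shell
#!/bin/sh
# Added example, not from the thread: list disks with their capacities by
# parsing diskinfo(8), and scale byte counts to a readable binary unit.

# human_size BYTES: print BYTES scaled to the largest binary unit that fits,
# e.g. 2000398934016 -> "1.8 TiB". Whole bytes are printed without decimals.
human_size() {
    awk -v b="$1" 'BEGIN {
        split("B KiB MiB GiB TiB PiB", u, " ")
        i = 1
        while (b >= 1024 && i < 6) { b /= 1024; i++ }
        if (i == 1) printf "%d %s\n", b, u[i]
        else        printf "%.1f %s\n", b, u[i]
    }'
}

# summarize_diskinfo: read diskinfo(8) lines on stdin (assumed field order:
# device, sector size, media size in bytes, sector count, ...) and print
# "device<TAB>bytes (human)". Lines whose third field is not a number,
# such as error messages for absent devices, are skipped rather than
# misreported as a capacity.
summarize_diskinfo() {
    while read -r dev sectorsize mediasize rest; do
        case "$mediasize" in
            ''|*[!0-9]*) continue ;;   # not a byte count: skip this line
        esac
        printf '%s\t%s bytes (%s)\n' "$dev" "$mediasize" "$(human_size "$mediasize")"
    done
}

# Constructed sample of diskinfo output (a 2 TB SATA disk and a 120 GB USB
# disk); used where diskinfo is unavailable so the script runs offline.
SAMPLE_DISKINFO='ada0 512 2000398934016 3907029168 4096 0 3876021 16 63
da0 512 120034123776 234441648 0 0 14593 255 63'

# list_disks: on FreeBSD query every disk the kernel lists in kern.disks;
# elsewhere, summarise the constructed sample above.
list_disks() {
    if command -v diskinfo >/dev/null 2>&1 && command -v sysctl >/dev/null 2>&1; then
        for d in $(sysctl -n kern.disks); do
            diskinfo "/dev/$d"
        done | summarize_diskinfo
    else
        printf '%s\n' "$SAMPLE_DISKINFO" | summarize_diskinfo
    fi
}

if [ "${1:-}" = "--list" ]; then
    list_disks
fi
```

Product identifiers are not in diskinfo's default output, so the camcontrol/atacontrol lines from the original script still supply those; this block only answers the capacity half of the question. Run it with `--list` to print one line per disk.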