Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Michael A. Peters
Les Mikesell wrote:
> Michael A. Peters wrote:
>> How it interacts with epel I don't really care about, but it should not 
>> update vendor packages, and anything that requires an updated vendor 
>> package will be broken on yum configurations that protect the base install.
> 
> I think you've confused rpmforge with something else.   If you are happy with 
> a 
> base install you probably shouldn't be using it.
> 

I only use rpmforge for a few packages, I use priorities and it is set 
to lowest. I think my nvidia driver is from them, and one dependency I 
need for xine non-free (private package) I think is from them. I used to 
maintain my own nvidia driver via the old kmod rebuild every update 
method but their packaging was superior.

I don't know what rpmforge has in general, I was just replying to the 
comment about needing to update python in order to get a package to 
build. Python really should not be updated. Parallel install OK, but 
updating the system python is asking for a fubar system.

If rpmforge does not do that, then it clearly isn't an issue.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Doug Coats
I am ecstatically confused.

After I entered the last two commands my routing is working the way that I
need it to.

ip rule add from 173.11.51.46 table Cable
ip rule add from 67.152.166.2 table T1

The problem is I don't know which actual commands worked.  I had just
rebooted.  The other ip commands were all in the rc.local file so they all
ran.

Why did the above commands make the Cable and T1 rules show up in the rules
list but the following two did not?

ip route add 173.11.51.44/30 dev eth2 src 173.11.51.45 table Cable
ip route add 67.152.166.0/27 dev eth3 src 67.152.166.2 table T1
Do I need all of the commands?  So that what is in rc.local looks like this?

ip rule add from 173.11.51.46 table Cable
ip route add 173.11.51.44/30 dev eth2 src 173.11.51.45 table Cable
ip route add default via 173.11.51.45 table Cable
ip route add 173.11.51.44/30 dev eth2 src 173.11.51.45
ip route add default via 173.11.51.46
ip rule add from 173.11.51.45 to default lookup Cable
ip rule add from 67.152.166.2 table T1
ip route add 67.152.166.0/27 dev eth3 src 67.152.166.2 table T1
ip route add default via 67.152.166.2 table T1
ip route add 67.152.166.0/27 dev eth3 src 67.152.166.2
ip rule add from 67.152.166.2 to default lookup T1
ip route flush cache


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread John R Pierce
Doug Coats wrote:
> So if I run the following two commands the rules show up in the list.
>  
> ip rule add from 173.11.51.46 table Cable
> ip rule add from 67.152.166.2 table T1
>  
> # ip rule list
> 0:  from all lookup 255
> 32764:  from 67.152.166.2 lookup T1
> 32765:  from 173.11.51.46 lookup Cable
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> So why does that work but my other command not?

what other command?  the rt_tables file just associates the names T1 and 
Cable with rule #s, it doesn't actually define the rules, for that you 
need to use the "ip rule add ..." commands.

me, I make one interface the 'default', and just define ONE extra route 
for the 'other' network


say eth0 is 100.100.16.15/24 with a default gateway of 100.100.16.1, and 
eth1 is 200.200.18.30/24 with a route of 200.200.18.1 ...

I'd setup the system so the global default gateway is the one on eth0 
via /etc/sysconfig/network

then, I'd define ONE extra rule, and one extra route table entry...

ip rule add from 200.200.18.30 table Alt
ip route add default via 200.200.18.1 dev eth1 table Alt

now, these commands are NOT persistent, and, AFAIK, RHEL has no 
provision for `ip route` or rule commands, so I end up sticking this 
stuff in /etc/rc.d/rc.local or something.




Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Christopher Chan
Doug Coats wrote:
> So if I run the following two commands the rules show up in the list.
>  
> ip rule add from 173.11.51.46 table Cable
> ip rule add from 67.152.166.2 table T1
>  
> # ip rule list
> 0:  from all lookup 255
> 32764:  from 67.152.166.2 lookup T1
> 32765:  from 173.11.51.46 lookup Cable
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> So why does that work but my other command not?

Which other commands? The ip route ones?

ip route list table T1
ip route list table Cable


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Christopher Chan
Doug Coats wrote:
> So if I run the following two commands the rules show up in the list.
>  
> ip rule add from 173.11.51.46 table Cable
> ip rule add from 67.152.166.2 table T1
>  
> # ip rule list
> 0:  from all lookup 255
> 32764:  from 67.152.166.2 lookup T1
> 32765:  from 173.11.51.46 lookup Cable
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> So why does that work but my other command not?


Hmm...I wonder if there have been changes to iproute2 from RHEL4 to RHEL5...

Now that your ip rules are in place...do things work for you?


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Doug Coats
So if I run the following two commands the rules show up in the list.

ip rule add from 173.11.51.46 table Cable
ip rule add from 67.152.166.2 table T1

# ip rule list
0:  from all lookup 255
32764:  from 67.152.166.2 lookup T1
32765:  from 173.11.51.46 lookup Cable
32766:  from all lookup main
32767:  from all lookup default

So why does that work but my other command not?


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Christopher Chan
Doug Coats wrote:
> I am convinced that my iproute2 tables are all messed up. In fact I 
> found some errors in my initial post.
>  
> # ip rule list
> 0:  from all lookup 255
> 32766:  from all lookup main
> 32767:  from all lookup default
Boy, did we miss that...

>  
> /etc/iproute2/rt_tables
> #
> # reserved values
> #
> 255 local
> 254 main
> 253 default
> 0   unspec
> #
> # local
> #
> #1  inr.ruhep
> 200 Cable
> 201 T1
> So Cable and T1 are not even showing up in the list.

I use lower values ( < 50 ) and I do not use CAPS. Don't know if the 
CAPS make a difference.


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Christopher Chan
Doug Coats wrote:
> I am not understanding some things very fundamental to me 
> troubleshooting this issue. 
>  
> How do I clear the iproute2's that I have created?

They are cleared by being deleted or a reboot takes place.

Try 'ip route help' and 'ip rule help'

>  
> How do I tell if they are in effect?

Now that is a good one...ping/telnet tests from another host...

>  
> What should they look like when listed if they are configured properly?
Here is my output from ip rule list

0:      from all lookup local
32764:  from 203.174.45.30 lookup wharf
32765:  from 220.232.217.78 lookup pacific
32766:  from all lookup main
32767:  from all lookup default

Lower numbers mean higher priority.

Routing tables:

ip route list table wharf:
203.174.45.24/29 dev eth2  proto kernel  scope link  src 203.174.45.30
10.9.0.0/17 dev eth1  proto kernel  scope link  src 10.9.1.101
default via 203.174.45.25 dev eth2

ip route list table pacific
220.232.217.72/29 dev eth0  proto kernel  scope link  src 220.232.217.78
10.9.0.0/17 dev eth1  proto kernel  scope link  src 10.9.1.101
default via 220.232.217.73 dev eth0

ip route list will give you your main routing table which is the same 
one that route -n will report
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
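
The questions answered in the message above (how to tell whether the rules are in effect and what a correct listing looks like) can also be checked mechanically. The following is an added example, not part of the original thread: it parses the `ip rule list` and `ip route list table ...` output quoted above and walks the rules in priority order the way a source-based lookup does. The contents of table "main" and all function names are assumptions made for the example.

```python
import ipaddress
import re

# `ip rule list` output quoted in the thread (working two-uplink host).
CHAN_RULES = """\
0:      from all lookup local
32764:  from 203.174.45.30 lookup wharf
32765:  from 220.232.217.78 lookup pacific
32766:  from all lookup main
32767:  from all lookup default
"""
# Per-table routes quoted in the thread; "main" is constructed for this example.
CHAN_TABLES = {
    "wharf": """\
203.174.45.24/29 dev eth2  proto kernel  scope link  src 203.174.45.30
10.9.0.0/17 dev eth1  proto kernel  scope link  src 10.9.1.101
default via 203.174.45.25 dev eth2
""",
    "pacific": """\
220.232.217.72/29 dev eth0  proto kernel  scope link  src 220.232.217.78
10.9.0.0/17 dev eth1  proto kernel  scope link  src 10.9.1.101
default via 220.232.217.73 dev eth0
""",
    "main": """\
220.232.217.72/29 dev eth0  proto kernel  scope link  src 220.232.217.78
203.174.45.24/29 dev eth2  proto kernel  scope link  src 203.174.45.30
10.9.0.0/17 dev eth1  proto kernel  scope link  src 10.9.1.101
default via 220.232.217.73 dev eth0
""",
}
# Rule list quoted in the thread from the host where Cable and T1 never show up.
DOUG_RULES = """\
0:  from all lookup 255
32766:  from all lookup main
32767:  from all lookup default
"""

# Handles the plain "from <selector> lookup <table>" form shown in the thread.
RULE_RE = re.compile(r"^(\d+):\s*from (\S+) lookup (\S+)")


def parse_rules(text):
    """Return [(priority, source_network, table)] sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            prio, src, table = m.groups()
            net = ipaddress.ip_network("0.0.0.0/0" if src == "all" else src, strict=False)
            rules.append((int(prio), net, table))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text):
    """Return [(destination_network, dev, via)] from route lines of one table."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        dest = "0.0.0.0/0" if words[0] == "default" else words[0]
        opts = dict(zip(words[1::2], words[2::2]))  # "dev eth2", "via 1.2.3.4", ...
        routes.append((ipaddress.ip_network(dest, strict=False), opts.get("dev"), opts.get("via")))
    return routes


def resolve(rules, tables, src, dst):
    """Simulate the lookup: first rule whose table has a matching route wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in rules:
        if src not in selector:
            continue
        matches = [r for r in tables.get(table, []) if dst in r[0]]
        if matches:  # longest prefix wins inside a table
            _net, dev, via = max(matches, key=lambda r: r[0].prefixlen)
            return table, dev, via
    return None


def audit(rules, tables):
    """Report the conditions under which source-based routing silently does nothing."""
    problems = []
    main_prio = min((p for p, sel, t in rules if t == "main" and sel.prefixlen == 0), default=None)
    source_rules = [r for r in rules if r[1].prefixlen != 0]
    if not source_rules:
        problems.append("no source-based rules: every packet is routed by table main")
    for prio, selector, table in source_rules:
        if main_prio is not None and prio > main_prio:
            problems.append(f"rule {prio} sorts after 'from all lookup main' and is never reached")
        if not any(net.prefixlen == 0 for net, _dev, _via in tables.get(table, [])):
            problems.append(f"table {table} has no default route: traffic from {selector} "
                            "falls through to the next rule")
    return problems


if __name__ == "__main__":
    rules = parse_rules(CHAN_RULES)
    tables = {name: parse_routes(text) for name, text in CHAN_TABLES.items()}
    print(audit(rules, tables))
    print(resolve(rules, tables, "203.174.45.30", "198.51.100.7"))
    print(audit(parse_rules(DOUG_RULES), {}))
```

On a live host the two inputs come from `ip rule list` and `ip route list table <name>` for each table named in a rule.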


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Doug Coats
I am convinced that my iproute2 tables are all messed up. In fact I found
some errors in my initial post.

# ip rule list
0:  from all lookup 255
32766:  from all lookup main
32767:  from all lookup default

/etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
200 Cable
201 T1
So Cable and T1 are not even showing up in the list.

When I run my ip commands from the command line I get the following results
for each line.

# ip route add 173.11.51.44/30 dev eth2 src 173.11.51.45 table Cable
# ip route add default via 173.11.51.45 table Cable
# ip route add 173.11.51.44/30 dev eth2 src 173.11.51.45
RTNETLINK answers: File exists
# ip route add default via 173.11.51.46
RTNETLINK answers: File Exists
# ip rule add from 173.11.51.45 to default lookup Cable
RTNETLINK answers: Numerical result out of range

# ip route add 67.152.166.0/27 dev eth3 src 67.152.166.2 table T1
# ip route add default via 67.152.166.2 table T1
# ip route add 67.152.166.0/27 dev eth3 src 67.152.166.2
RTNETLINK answers: File Exists
#  ip rule add from 67.152.166.2 to default lookup T1
RTNETLINK answers: Numerical result out of range
So the first few lines run fine for each table and then I start getting
errors.  Are these all the commands that I need to use to set this up?  I
know that when I first entered them by hand the T1 and Cable showed up in
the tables list.  Am I going crazy?


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Christopher Chan
Doug Coats wrote:
> Thanks for your response!
>  
> If I open up Iptables to accept everything on eth3 and eth2 or turn it 
> off all together I get the same results.
>  
> I will have to look through your iproute2 commands to see how they 
> match up to mine.  Do you see anything different in mine that would 
> indicate the issue?
Well, besides the differences in ip route command parameters nothing 
sticks out at the moment.

What do you get when you run 'ip rule list'?

Are you doing any NATing on this box too?
>  
>  
> On Wed, Jul 1, 2009 at 9:25 PM, Christopher Chan wrote:
>
> Hello Doug,
>
> Here are the iproute2 commands for a multigateway setup I did.
>
> ip route add 220.232.217.72/29 dev eth0  proto kernel  scope link src 220.232.217.78 table pacific
> ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src 10.9.1.101 table pacific
> ip route add default via 220.232.217.73 dev eth0 table pacific
> ip route add 203.174.45.24/29 dev eth2  proto kernel  scope link src 203.174.45.30 table wharf
> ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src 10.9.1.101 table wharf
> ip route add default via 203.174.45.25 dev eth2 table wharf
> ip route add 59.152.193.16/29 dev eth2  proto kernel  scope link src 59.152.193.22 table frahw
> ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src 10.9.1.101 table frahw
> ip route add default via 59.152.193.17 dev eth2 table wharf
> ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src 10.9.1.101 table saurer
> ip route add 10.0.0.0/8 via 10.9.0.1 dev eth1 table saurer
>
> ip rule add from 220.232.217.78 to default lookup pacific
> ip rule add from 203.174.45.30 to default lookup wharf
>
>
>
> You may also want to check your firewall rules too.
>
>
> I must also say that there are no GATEWAY entries in my
> ifcfg-ethx. Only
> one in network.
> ___
> CentOS mailing list
> CentOS@centos.org 
> http://lists.centos.org/mailman/listinfo/centos
>
>
> 
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>   



Re: [CentOS] server is always getting hacked

2009-07-01 Thread Michael A. Peters
Robert Heller wrote:
> At Wed, 01 Jul 2009 16:08:08 -0600 CentOS mailing list  
> wrote:
> 
>> On Wed, 01 Jul 2009 15:05:58 -0700
>> Gary Greene wrote:
>>
>>> . With sudo,
>>> you get a record of what command was executed with superuser rights by whom
>>> at whenever given hour.
>> sudo bash
> 
> Which in turn is logged.  Such a log entry might raise a red flag.
> 
> 

Speaking of logged - I don't do this but Dad set up his systems 
(solaris) to immediately boot the user and send an alert to the operator 
if the root user issued the id command and had not become root from a 
member of the wheel group.

He was a university admin, they had to have telnet open because of grad 
students doing research in countries that did not allow secure 
connections. Most of the time, that single action got the hacker off 
before any damage was done. Those were primarily Solaris systems he 
dealt with.

They also had a log server that everything was logged to (off the 
network, fed I think by serial cable if I recall but it may have been 
cat 5 - sun had funny looking serial ports that took a cat 5 jacks to 
me), as local logs are easily modified once you have a root shell.

But I don't personally deal with any systems that big and complex.


Re: [CentOS] server is always getting hacked

2009-07-01 Thread Michael A. Peters
Warren Young wrote:
> Michael A. Peters wrote:
>> I still don't understand how using sudo instead of su makes it more secure.
> 
> Let's start with the simple case where only one person needs superuser 
> type privileges on a given machine.  What, then, is the difference 
> between sudo and su -?  There has to be one all-powerful superuser on 
> such a machine, right?

The difference is that the root user (when sshd is properly configured) 
can not log in remotely even if the root password is guessed. While it 
is possible to set a different password for sudo, if a brute force gets 
your password the remote user can then sudo login or sudo sh.

I remember one of my passwords that I thought was good, I typed it in 
some web form that checks the security of password, and it turned out my 
password was one character off of a leet speak translation of a klingon 
word, and therefore while not super weak, was vulnerable to brute force 
by someone using a klingon dictionary (and they are readily available).

Requiring a pass phrase works to mitigate that, but on multiuser 
systems, unless everyone using it is a geek, requiring pass phrase just 
isn't possible. It is too difficult for the common user to set up.

> 
> That's true, but it ignores human nature.  Human nature, in a world 
> without sudo, is to leave a root terminal up all the time so you don't 
> have to keep su'ing up to root and then logging back out.  The default 
> configuration for sudo ameliorates this problem by remembering your 
> password for a short time, so you can do another sudo command shortly 
> after without giving your password again.  Once the user stops invoking 
> sudo long enough to let the timer expire, root privileges are 
> automatically revoked.

That is a valid point, but only really matters if you make a habit of 
leaving your workstation without locking your screen, which if you have 
root access, is the kind of thing that should get you fired because all 
kinds of nasties can be done while you are at the bathroom. I used to 
screw with the .bashrc file of the web developers when they went to 
lunch w/o locking their screen. None of them had root on sensitive 
systems though.

It was funny to watch one of them reinstall because his cdrom kept 
ejecting every time he used the ls command - but he did not wipe /home 
after his reinstall.

> 
> This has two main benefits to security:
> 
> 1. On walking away from your computer, you're less likely to leave it in 
> a state that gives anyone walking up to it root access.
> 
> 2. The extra "sudo" prefix you need in front of every command you want 
> run as root makes it less likely that you will accidentally run a 
> command as root that you should only run as a regular user.

That's what su --command is for.
I very rarely have a root shell open because most things can be done via

su -c 'foo'

> 
> Now take the more common case for an enterprise distro like CentOS, 
> where more than one person needs some level of superuser access.  sudo 
> provides more benefits in that case:

Yes it does, but should not be configured to allow spawning of a 
shell, as almost every single sudo install I have ever seen does, 
effectively creating numerous root passwords.

Saying that using sudo instead of su makes a box more secure is only 
true if your system administrator knows how to configure sudo. If they 
do, then they probably don't need to be told to use sudo. If they don't, 
then they should be pointed to documentation that explains the inherent 
dangers.

Otherwise, human nature is to allow sudo to do anything, because it 
works, but is not secure - just like almost every freaking php web app 
out there in the install file tells users to chmod 777 directories and 
files. It works for both mod_php and php-cgi, but is not secure (and is 
not the best way in either scenario, especially on shared hosts, which 
really should run php as a cgi negating the need for chmod altogether).

Another option is to properly set up the system to begin with - a lot of 
what junior admins need to do can be done with wrappers, and some things 
don't need root access at all - IE set up a texlive user for texlive 
administration and your tex guy doesn't need root to update the system 
tex install (either via the tlmgr or rsync).

Using sudo instead of su does not make a system more secure. It can, but 
it can also make it less secure.

// gets off soap box

-=-=-=-=-

With respect to pam management of su - that's cool, wasn't aware there 
was a pam module that did that.

Still not as good as bsd su IMHO as it relies on pam, but it's something 
I'm definitely going to start using.


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Doug Coats
I am not understanding some things very fundamental to me troubleshooting
this issue.

How do I clear the iproute2's that I have created?

How do I tell if they are in effect?

What should they look like when listed if they are configured properly?

Thanks for holding my hand in this!


Re: [CentOS] server is always getting hacked

2009-07-01 Thread Robert Heller
At Wed, 01 Jul 2009 16:08:08 -0600 CentOS mailing list  
wrote:

> 
> On Wed, 01 Jul 2009 15:05:58 -0700
> Gary Greene wrote:
> 
> > . With sudo,
> > you get a record of what command was executed with superuser rights by whom
> > at whenever given hour.
> 
> sudo bash

Which in turn is logged.  Such a log entry might raise a red flag.

> 

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/

 


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Doug Coats
Thanks for your response!

If I open up Iptables to accept everything on eth3 and eth2 or turn it off
all together I get the same results.

I will have to look through your iproute2 commands to see how they match up
to mine.  Do you see anything different in mine that would indicate the
issue?


On Wed, Jul 1, 2009 at 9:25 PM, Christopher Chan <
christopher.c...@bradbury.edu.hk> wrote:

> Hello Doug,
>
> Here are the iproute2 commands for a multigateway setup I did.
>
> ip route add 220.232.217.72/29 dev eth0  proto kernel  scope link src
> 220.232.217.78 table pacific
> ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src
> 10.9.1.101 table pacific
> ip route add default via 220.232.217.73 dev eth0 table pacific
> ip route add 203.174.45.24/29 dev eth2  proto kernel  scope link src
> 203.174.45.30 table wharf
> ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src
> 10.9.1.101 table wharf
> ip route add default via 203.174.45.25 dev eth2 table wharf
> ip route add 59.152.193.16/29 dev eth2  proto kernel  scope link src
> 59.152.193.22 table frahw
> ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src
> 10.9.1.101 table frahw
> ip route add default via 59.152.193.17 dev eth2 table wharf
> ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src
> 10.9.1.101 table saurer
> ip route add 10.0.0.0/8 via 10.9.0.1 dev eth1 table saurer
>
> ip rule add from 220.232.217.78 to default lookup pacific
> ip rule add from 203.174.45.30 to default lookup wharf
>
>
>
> You may also want to check your firewall rules too.
>
>
> I must also say that there are no GATEWAY entries in my ifcfg-ethx. Only
> one in network.
>  ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Christopher Chan
Hello Doug,

Here are the iproute2 commands for a multigateway setup I did.

ip route add 220.232.217.72/29 dev eth0  proto kernel  scope link src 220.232.217.78 table pacific
ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src 10.9.1.101 table pacific
ip route add default via 220.232.217.73 dev eth0 table pacific
ip route add 203.174.45.24/29 dev eth2  proto kernel  scope link src 203.174.45.30 table wharf
ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src 10.9.1.101 table wharf
ip route add default via 203.174.45.25 dev eth2 table wharf
ip route add 59.152.193.16/29 dev eth2  proto kernel  scope link src 59.152.193.22 table frahw
ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src 10.9.1.101 table frahw
ip route add default via 59.152.193.17 dev eth2 table wharf
ip route add 10.9.0.0/17 dev eth1  proto kernel  scope link src 10.9.1.101 table saurer
ip route add 10.0.0.0/8 via 10.9.0.1 dev eth1 table saurer

ip rule add from 220.232.217.78 to default lookup pacific
ip rule add from 203.174.45.30 to default lookup wharf



You may also want to check your firewall rules too.


I must also say that there are no GATEWAY entries in my ifcfg-ethx. Only 
one in network.


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Les Mikesell
Michael A. Peters wrote:
> 
> How it interacts with epel I don't really care about, but it should not 
> update vendor packages, and anything that requires an updated vendor 
> package will be broken on yum configurations that protect the base install.

I think you've confused rpmforge with something else.   If you are happy with a 
base install you probably shouldn't be using it.

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Michael A. Peters
Radu-Cristian FOTESCU wrote:
>> Buildlogs are available from:
>>
>> http://packages.sw.be/comix/_buildlogs/
>>
>> I hope you come back and tell me what was your problem.
> 
> I have to be back on my continent before addressing this issue.
> So far, I can see that the build of Comix seems to have been done
> by Dries, and that it was successful in April 2009.
> 
> I am pretty much sure I can prove it *won't* compile on any EL5 clone
> with the officially available versions of:
> BuildRequires: python, python-imaging, pygtk2-devel
> 
> I am not sure what mushrooms were installed on the build machine.
> It *doesn't* build with:
>   pygtk2-devel-2.10.1-12.el5.i386
>   python-imaging-devel-1.1.5-5.el5.i386
> Which is whatever EL5 has.
> 
> I can see that RF has a slightly newer version of 
>   python-imaging-1.1.6-2.el5.rf.i386
> but as long as the SPEC file doesn't require a newer version
> than 1.1.5, nor does the tarball's Makefile, I *don't* pull
> updates from RF.

I don't find updating something like python acceptable.
If I have to update the CentOS provided python, then the newer python 
had better be packaged as a compat package that does not conflict with 
the vendor supported version of python, or I don't want it.

I'd run Fedora or Ubuntu if I wanted to break RHEL compatibility.

If the issue of it building is the python version, then it should be 
backported or not included in the repo. That's my opinion.

I've had enough stuff I build on my system break when an EPEL package 
updates the version (IE xine-lib which had several updates to version in 
past 6 months or so), updating versions is not something an enterprise 
distribution should do without careful thought, and neither should third 
party general repos.

Third party specific repos (IE a repo dedicated to newer php) - that's a 
different story, and requires the user add excludes to things like base 
and updates yum configuration. But a general purpose repo that provides 
add ons should not update base packages.

How it interacts with epel I don't really care about, but it should not 
update vendor packages, and anything that requires an updated vendor 
package will be broken on yum configurations that protect the base install.

While maybe not HFS compliant, it should be possible to build a newer 
python in, say, /opt/rpmforge and rpmforge (or whatever) packages that 
specifically need that newer python can call /opt/rpmforge/bin/python 
full path.

Most library packages can have updates available with a simple 
foo-compat package name, devel packages sometimes conflict but you can 
usually leave the devel packages in repo and let them be installed by 
mock during build of software that needs the alternate library version.

There are solutions for most things that do not require replacing a 
vendor supplied package. Hell, even gnome can be updated into /opt if 
you wanted newer gnome but stability of centos base (probably would take 
a hell of a lot of compat packages though ...)


Re: [CentOS] server is always getting hacked

2009-07-01 Thread Gary Greene
On 7/1/09 3:08 PM, "Frank Cox"  wrote:

> On Wed, 01 Jul 2009 15:05:58 -0700
> Gary Greene wrote:
> 
>> . With sudo,
>> you get a record of what command was executed with superuser rights by whom
>> at whenever given hour.
> 
> sudo bash

I didn't think I had to be THAT pedantic of what you add to the allows and
disallows. It's called common sense here. If the sub-process will give you
an unrestricted shell, and you don't trust xyz user, block it from being
allowed.



Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Doug Coats
I changed those two rules to no effect.  I have also done the above
mentioned things.  My tcpdump shows connections coming in on eth3 but there
is no outbound communication.

Example:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
20:21:11.915624 IP 41.178.204.108.25591 > ipaa-bb-166-2.z166-152-67.customer.algx.net.smtp: S 3528290937:3528290937(0) win 65535
20:21:14.892106 IP 41.178.204.108.25591 > ipaa-bb-166-2.z166-152-67.customer.algx.net.smtp: S 3528290937:3528290937(0) win 65535
20:21:16.017705
20:21:16.663301 IP newsletter.publicradio.org.54562 > ipaa-bb-166-2.z166-152-67.customer.algx.net.smtp: S 1665702165:1665702165(0) win 5840
20:21:17.658835 IP client-201.230.112.209.speedy.net.pe.12095 > ipaa-bb-166-2.z166-152-67.customer.algx.net.smtp: S 2778637809:2778637809(0) win 65535

An abbreviated lsof -i4 -n

COMMAND   PID   USER    FD   TYPE  DEVICE  SIZE  NODE  NAME
mysqld    4004  mysql   10u  IPv4  8750          TCP   *:mysql (LISTEN)
spamd     4056  root    5u   IPv4  8943          TCP   127.0.0.1:783 (LISTEN)
sendmail  4076  root    4u   IPv4  9094          TCP   *:smtp (LISTEN)
httpd     4110  root    4u   IPv4  9117          TCP   aa.bb.166.2:http (LISTEN)
httpd     4166  apache  4u   IPv4  9117          TCP   aa.bb.166.2:http (LISTEN)
httpd     4167  apache  4u   IPv4  9117          TCP   aa.bb.166.2:http (LISTEN)
httpd     4168  apache  4u   IPv4  9117          TCP   aa.bb.166.2:http (LISTEN)

So it appears to me that the device is listening but it never picks up the
phone.

Any thoughts?


On Wed, Jul 1, 2009 at 7:00 PM, Christopher Chan <
christopher.c...@bradbury.edu.hk> wrote:

>
> >
> > ip rule add from xx.yy.51.46 table Cable
> > ip rule add from aa.bb.166.2 table T1
> >
> >
> > Other people seem to be using this configuration successfully but I
> > seem to be missing something important.
> >
> Change the above rules to:
>
> ip rule add from xx.yy.51.46 to default lookup Cable
>
> ip rule add from aa.bb.166.2 to default lookup T1
>  ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Christopher Chan

>
> ip rule add from xx.yy.51.46 table Cable
> ip rule add from aa.bb.166.2 table T1
>
>
> Other people seem to be using this configuration successfully but I 
> seem to be missing something important.
>  
Change the above rules to:

ip rule add from xx.yy.51.46 to default lookup Cable

ip rule add from aa.bb.166.2 to default lookup T1


Re: [CentOS] server is always getting hacked

2009-07-01 Thread Stephen Harris
On Wed, Jul 01, 2009 at 04:59:36PM -0600, Warren Young wrote:
> Frank Cox wrote:
> > Gary Greene wrote:
> > 
> >> . With sudo,
> >> you get a record of what command was executed with superuser rights by whom
> >> at whenever given hour.
> > 
> > sudo bash
> 
> If that's a problem for you, don't let people run bash via sudo. 
> There's an entire body of articles and such on which processes to 
> restrict because they can give you a sub-shell.

Configuring sudo properly is a bit of a science; for example you don't
allow "sudo less" because inside less you can shell out.  Oops.  It's
amazing how many commands actually allow shell escapes.  What you should
do is only allow a minimal set of commands.

-- 

rgds
Stephen
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
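
Two points made in this thread, that `sudo bash` is itself logged and that commands such as `less` allow shell escapes, can be turned into a log check. The following is an added example, not code from any of the posters: the log lines are constructed in the format sudo writes to syslog, and the two command sets are illustrative assumptions, not a complete list.

```python
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "user reason command")

# Constructed sample lines in sudo's syslog format (on CentOS these land in
# /var/log/secure); hosts, users and times are made up for the example.
SAMPLE_LOG = """\
Jul  1 15:05:58 web1 sudo:    gary : TTY=pts/0 ; PWD=/home/gary ; USER=root ; COMMAND=/sbin/service httpd restart
Jul  1 16:08:08 web1 sudo:    frank : TTY=pts/1 ; PWD=/home/frank ; USER=root ; COMMAND=/bin/bash
Jul  1 16:59:36 web1 sudo:    warren : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Jul  1 17:10:02 web1 sudo:    doug : TTY=pts/3 ; PWD=/home/doug ; USER=apache ; COMMAND=/bin/bash
Jul  1 17:12:40 web1 sudo:    mallory : command not allowed ; TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
Jul  1 17:15:00 web1 sshd[4321]: Accepted publickey for gary from 192.0.2.10 port 50022 ssh2
"""

# Illustrative sets (assumptions): programs that are a shell, and programs
# that can start one from inside (the thread names bash and less).
SHELLS = {"bash", "sh", "csh", "tcsh", "ksh", "zsh"}
ESCAPE_CAPABLE = {"less", "more", "vi", "vim", "man"}

SUDO_RE = re.compile(r"\bsudo:\s+(?P<user>\S+) : (?P<rest>.*)$")


def parse_sudo_line(line):
    """Split one sudo syslog line into user, target user, notes and command."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    # COMMAND= is always the last field and may itself contain " ; ".
    head, sep, command = m.group("rest").partition("COMMAND=")
    if not sep:
        return None
    fields, notes = {}, []
    for item in head.split(" ; "):
        item = item.strip()
        if not item:
            continue
        key, eq, value = item.partition("=")
        if eq:
            fields[key] = value
        else:
            notes.append(item)  # e.g. "command not allowed"
    return {
        "user": m.group("user"),
        "target": fields.get("USER", "root"),
        "notes": notes,
        "command": command.strip(),
    }


def review(log_text):
    """Return the sudo entries an operator would want to look at."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        argv = entry["command"].split()
        prog = os.path.basename(argv[0]) if argv else ""
        if entry["notes"]:
            reason = "sudo refused: " + ", ".join(entry["notes"])
        elif entry["target"] != "root":
            continue  # only superuser invocations are of interest here
        elif prog in SHELLS:
            reason = "root shell"  # per-command audit trail ends at this entry
        elif prog in ESCAPE_CAPABLE:
            reason = "shell escape possible"
        else:
            continue
        findings.append(Finding(entry["user"], reason, entry["command"]))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.user:8} {f.reason:35} {f.command}")
```

Because a root shell can edit local logs, a check like this is most useful when run on the copy held by a separate log host, as described earlier in the thread.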


Re: [CentOS] server is always getting hacked

2009-07-01 Thread Warren Young
Frank Cox wrote:
> On Wed, 01 Jul 2009 15:05:58 -0700
> Gary Greene wrote:
> 
>> . With sudo,
>> you get a record of what command was executed with superuser rights by whom
>> at whenever given hour.
> 
> sudo bash

If that's a problem for you, don't let people run bash via sudo. 
There's an entire body of articles and such on which processes to 
restrict because they can give you a sub-shell.


Re: [CentOS] server is always getting hacked

2009-07-01 Thread Frank Cox
On Wed, 01 Jul 2009 15:05:58 -0700
Gary Greene wrote:

> . With sudo,
> you get a record of what command was executed with superuser rights by whom
> at whenever given hour.

sudo bash

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com


Re: [CentOS] server is always getting hacked

2009-07-01 Thread Gary Greene
On 7/1/09 2:47 PM, "Warren Young"  wrote:
> Michael A. Peters wrote:
>> I still don't understand how using sudo instead of su makes it more secure.
> 
> Let's start with the simple case where only one person needs superuser
> type privileges on a given machine.  What, then, is the difference
> between sudo and su -?  There has to be one all-powerful superuser on
> such a machine, right?
> 
> That's true, but it ignores human nature.  Human nature, in a world
> without sudo, is to leave a root terminal up all the time so you don't
> have to keep su'ing up to root and then logging back out.  The default
> configuration for sudo ameliorates this problem by remembering your
> password for a short time, so you can do another sudo command shortly
> after without giving your password again.  Once the user stops invoking
> sudo long enough to let the timer expire, root privileges are
> automatically revoked.
> 
> This has two main benefits to security:
> 
> 1. On walking away from your computer, you're less likely to leave it in
> a state that gives anyone walking up to it root access.
> 
> 2. The extra "sudo" prefix you need in front of every command you want
> run as root makes it less likely that you will accidentally run a
> command as root that you should only run as a regular user.
> 
> Now take the more common case for an enterprise distro like CentOS,
> where more than one person needs some level of superuser access.  sudo
> provides more benefits in that case:
> 
> 1. You don't have to give the all-powerful root password to as many
> people.  sudo controls access to superuser privileges by asking for that
> user's account password, not the root password.  When it comes time to
> take superuser privileges away from someone, that user can just be
> removed from /etc/sudoers; you don't have to change the root password
> and redistribute it.  If you don't know why frequent password
> redistribution is a problem, you haven't been an admin very long.
> 
> 2. With su, it's all-or-nothing.  Once you have a root shell, there's
> nothing you can't do, barring some MAC type system, and that affects
> anyone with root access equally.  sudo lets you give access to just
> those commands that a given admin needs.  Maybe you have a dedicated web
> admin, so you let him run apachectl through sudo.  He has no legitimate
> need to run any other commands as root.
> 
> 3. sudo logs all commands executed through it.  su doesn't.  You could
> maybe configure bash to log commands, but then you run into Big Brother
> issues if you don't somehow do it only for bash when run as root.  Even
> if you did that, now you have to do it for all shells on the machine,
> else the first command a bad actor did on the machine would be to open a
> different sub-shell to escape the prying auditor eyes.  (Clearly for
> this to be a security feature, you need to have syslogd configured to
> redirect logs to another machine that doesn't allow remote access.)
> This doesn't prevent security breaches, just helps figure out what
> happened after one does occur.  Coupled with an IDS, it can even give
> you early warning that security has been breached.

There's also the obvious part about "why sudo vs. su -"; sudo logs the
action, su however, does not. The only thing you'll see in the log with su -
is that the user just elevated their privileges to root, however you won't
see what they may have executed with those elevated privileges. With sudo,
you get a record of what command was executed with superuser rights by whom
at whenever given hour.

This coupled with remote log hosting can greatly increase your security,
since you'll know who did what at when hour instead of floundering in the
dark tearing a box apart trying to figure out what a user inadvertently (or
not) via su, did to your machine. Mind, this isn't completely foolproof. You
still should get an IDS running, etc.

-- 
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell:  (650) 704-6633
Phone: (408) 240-1239
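
The logging difference described above can be checked against log lines directly. The following is an added example, not code from any poster in this thread: it triages constructed syslog lines and marks the entries where the audit trail ends, namely a `su` session, or a shell or shell-escape-capable program started through sudo. The host, users and times are invented, and the two program lists are illustrative assumptions, not exhaustive.

```python
import re
from collections import namedtuple

# Constructed sample lines in the usual sudo and pam_unix syslog layouts.
# Host name, user names and timestamps are invented for this example.
SAMPLE_LOG = """\
Jul  1 14:02:11 web01 su: pam_unix(su-l:session): session opened for user root by alice(uid=500)
Jul  1 14:05:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/apachectl graceful
Jul  1 14:09:03 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jul  1 14:12:27 web01 sudo:     dave : TTY=pts/3 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Jul  1 14:15:00 web01 sudo:      eve : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# Illustrative lists (assumptions, not exhaustive).
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "su"}
ESCAPE_CAPABLE = {"less", "more", "vi", "vim", "man"}

# Kinds of entry after which nothing the user does is recorded.
GAP_KINDS = {"su-session", "shell", "shell-escape"}

STAMP = r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ "
SUDO_RE = re.compile(STAMP + r"sudo:\s+(?P<user>\S+) : (?P<body>.*)$")
SU_RE = re.compile(
    STAMP + r"su: pam_unix\(su(?:-l)?:session\): "
    r"session opened for user (?P<target>\S+) by (?P<user>[^\s(]+)\(uid=\d+\)"
)

Finding = namedtuple("Finding", "ts user kind detail")


def classify_command(command):
    """Decide whether a logged sudo command leaves an audit trail behind it."""
    argv = command.split()
    if not argv:
        return "audited"
    name = argv[0].rsplit("/", 1)[-1]
    if name in SHELLS:
        return "shell"          # everything typed afterwards is unlogged
    if name in ESCAPE_CAPABLE:
        return "shell-escape"   # program can start a root shell itself
    return "audited"


def triage(log_text):
    """Return one Finding per su session or sudo command found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            detail = "became %s; commands not recorded" % m["target"]
            findings.append(Finding(m["ts"], m["user"], "su-session", detail))
            continue
        m = SUDO_RE.match(line)
        if not m:
            continue
        head, sep, command = m["body"].partition("COMMAND=")
        if not sep:
            continue            # sudo message without a command field
        first = head.split(" ; ")[0].strip()
        if first and "=" not in first:
            # A leading free-text field is sudo's refusal reason.
            findings.append(Finding(m["ts"], m["user"], "denied",
                                    "%s: %s" % (first, command)))
            continue
        findings.append(Finding(m["ts"], m["user"],
                                classify_command(command), command))
    return findings


def audit_gaps(log_text):
    """Only the entries where the record of root activity stops."""
    return [f for f in triage(log_text) if f.kind in GAP_KINDS]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-15s %-6s %-12s %s" % f)
```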



Re: [CentOS] server is always getting hacked

2009-07-01 Thread Warren Young
Michael A. Peters wrote:
> I still don't understand how using sudo instead of su makes it more secure.

Let's start with the simple case where only one person needs superuser 
type privileges on a given machine.  What, then, is the difference 
between sudo and su -?  There has to be one all-powerful superuser on 
such a machine, right?

That's true, but it ignores human nature.  Human nature, in a world 
without sudo, is to leave a root terminal up all the time so you don't 
have to keep su'ing up to root and then logging back out.  The default 
configuration for sudo ameliorates this problem by remembering your 
password for a short time, so you can do another sudo command shortly 
after without giving your password again.  Once the user stops invoking 
sudo long enough to let the timer expire, root privileges are 
automatically revoked.

This has two main benefits to security:

1. On walking away from your computer, you're less likely to leave it in 
a state that gives anyone walking up to it root access.

2. The extra "sudo" prefix you need in front of every command you want 
run as root makes it less likely that you will accidentally run a 
command as root that you should only run as a regular user.

Now take the more common case for an enterprise distro like CentOS, 
where more than one person needs some level of superuser access.  sudo 
provides more benefits in that case:

1. You don't have to give the all-powerful root password to as many 
people.  sudo controls access to superuser privileges by asking for that 
user's account password, not the root password.  When it comes time to 
take superuser privileges away from someone, that user can just be 
removed from /etc/sudoers; you don't have to change the root password 
and redistribute it.  If you don't know why frequent password 
redistribution is a problem, you haven't been an admin very long.

2. With su, it's all-or-nothing.  Once you have a root shell, there's 
nothing you can't do, barring some MAC type system, and that affects 
anyone with root access equally.  sudo lets you give access to just 
those commands that a given admin needs.  Maybe you have a dedicated web 
admin, so you let him run apachectl through sudo.  He has no legitimate 
need to run any other commands as root.

3. sudo logs all commands executed through it.  su doesn't.  You could 
maybe configure bash to log commands, but then you run into Big Brother 
issues if you don't somehow do it only for bash when run as root.  Even 
if you did that, now you have to do it for all shells on the machine, 
else the first command a bad actor did on the machine would be to open a 
different sub-shell to escape the prying auditor eyes.  (Clearly for 
this to be a security feature, you need to have syslogd configured to 
redirect logs to another machine that doesn't allow remote access.) 
This doesn't prevent security breaches, just helps figure out what 
happened after one does occur.  Coupled with an IDS, it can even give 
you early warning that security has been breached.
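
Least privilege as described in point 2, together with the shell-escape caveat raised elsewhere in this thread, can be checked mechanically. The following is an added example, not code from any poster: a lint pass over a constructed sudoers policy that reports rules granting `ALL`, a shell, or a shell-escape-capable program without the `NOEXEC` tag. It handles only single-line user specifications and `Cmnd_Alias` definitions, and the program lists are illustrative assumptions.

```python
import re

# Constructed policy for illustration; user names and aliases are invented.
SAMPLE_SUDOERS = """\
# web admin only needs apachectl
Cmnd_Alias WEB = /usr/sbin/apachectl
Cmnd_Alias LOGVIEW = /usr/bin/less /var/log/messages, /usr/bin/less /var/log/secure
webadmin  ALL = (root) WEB
alice     ALL = (ALL) ALL
bob       ALL = (root) /bin/bash
carol     ALL = (root) LOGVIEW
dave      ALL = (root) NOEXEC: LOGVIEW, /usr/bin/tail /var/log/messages
"""

# Illustrative lists (assumptions, not exhaustive).
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "su"}
ESCAPE_CAPABLE = {"less", "more", "vi", "vim", "man"}

TAG_RE = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV)):\s*")
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")
ALIAS_RE = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")
SPEC_RE = re.compile(r"(\S+)\s+[^\s=]+\s*=\s*(.*)$")


def split_cmds(text):
    """Split on commas that are neither escaped nor inside a (runas) list."""
    parts = re.split(r"(?<!\\),(?![^()]*\))", text)
    return [p.strip() for p in parts if p.strip()]


def expand(cmd, aliases):
    """Replace a Cmnd_Alias name by the commands it stands for."""
    if cmd in aliases:
        return [c for member in aliases[cmd] for c in expand(member, aliases)]
    return [cmd]


def check(cmd, noexec):
    """Return a short finding code for one granted command, or None."""
    if cmd.startswith("!"):
        return None                      # negated entry grants nothing
    if cmd == "ALL":
        return "ALL"                     # same reach as a root shell
    name = cmd.split()[0].rsplit("/", 1)[-1]
    if name in SHELLS:
        return "shell"
    if name in ESCAPE_CAPABLE and not noexec:
        return "shell-escape"
    return None


def lint(text):
    """Return (user, command, finding) for every risky grant in the policy."""
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_cmds(m.group(2))
            continue
        if re.match(r"(User|Host|Runas)_Alias\b", line):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, noexec = m.group(1), False
        for spec in split_cmds(m.group(2)):
            spec = RUNAS_RE.sub("", spec)
            # Tags apply to this command and to the ones after it.
            while True:
                t = TAG_RE.match(spec)
                if not t:
                    break
                if t.group(1) in ("EXEC", "NOEXEC"):
                    noexec = t.group(1) == "NOEXEC"
                spec = spec[t.end():]
            for cmd in expand(spec, aliases):
                finding = check(cmd, noexec)
                if finding:
                    findings.append((user, cmd, finding))
    return findings


if __name__ == "__main__":
    for user, cmd, finding in lint(SAMPLE_SUDOERS):
        print("%-8s %-13s %s" % (user, finding, cmd))
```

`NOEXEC` only stops the program from executing something else; a pager or editor run as root can still read, and an editor can still write, any file it is pointed at, so the file arguments in the rule matter as well.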


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Doug Coats
Thanks for your responses.  I have tried some of the configurations that you
have mentioned but not all of them.  I will try the others tonight when the
server is less active.  In the meantime I will read the links you sent.

Thanks again.  This is starting to drive me crazy.

On Wed, Jul 1, 2009 at 3:07 PM, Alexander Dalloz wrote:

> Doug Coats wrote:
>  > I have a server with 4 nics.  Two are using different internet
> connections,
> > both with static IP's, and two are connected to our private network.
> >
> > The two internet facing nics seem to be battling over the gateway
> > designation.  Which ever I designate as the gateway the other stops
> > responding to incoming traffic.  I need both to listen to inbound
> traffic.
> > One for our main web page and the other for another web server.  I found
> > some information of Iproute2 but that did not seem to solve my issues.
> >
> > Here are the config files:
> >
> > ifcfg-eth2
> > DEVICE=eth2
> > BOOTPROTO=static
> > HWADDR=00:24:E8:52:92:8E
> > ONBOOT=yes
> > IPADDR=xx.yy.51.45
> > NETMASK=255.255.255.252
> > GATEWAY=xx.yy.51.46
> >
> > ifcfg-eth3
> > DEVICE=eth3
> > BOOTPROTO=static
> > HWADDR=00:24:E8:52:92:90
> > ONBOOT=yes
> > IPADDR=aa.bb.166.2
> > NETMASK=255.255.255.224
> > GATEWAY=aa.bb.166.1
> >
> > network
> > NETWORKING=yes
> > NETWORKING_IPV6=no
> > HOSTNAME=heritage01
> > GATEWAY=xx.yy.51.46
> > GATEWAYDEV=eth2
> >
> > rt_tables
> > #
> > # reserved values
> > #
> > 255 local
> > 254 main
> > 253 default
> > 0   unspec
> > #
> > # local
> > #
> > #1  inr.ruhep
> > 200 Cable
> > 201 T1
> > iproute2 routes
> > ip route add xx.yy.51.44/30 dev eth2 src xx.yy.51.46 table Cable
> > ip route add default via xx.yy.51.46
> > ip route add xx.yy.51.44/30 dev eth2 src xx.yy.51.46
> > ip route add default via xx.yy.51.46
> > ip rule add from xx.yy.51.46 table Cable
> > ip route add aa.bb.166.0/27 dev eth3 src aa.bb.165.2 table T1
> > ip route add default via aa.bb.166.1
> > ip route add aa.bb.166.0/27 dev eth3 src aa.bb.166.2
> > ip rule add from aa.bb.166.2 table T1
> > ip route flush cache
> >
> > Other people seem to be using this configuration successfully but I seem
> to
> > be missing something important.
> >
> > Any help is greatly appreciated!!!  Thanks!
>
> The GATEWAY parameter within the ifcfg- configuration files tries
> to set the default gateway. There can be just 1 default gateway for a
> system. So, the interface which comes up first will set the route and
> the other has no effect.
>
> Remove the GATEWAY entry from all ifcfg- files and place the
> GATEWAY parameter into /etc/sysconfig/network only.
>
> Running different networks you must can set additional routings by
> route- configuration files inside /etc/sysconfig/network-scripts/.
>
> Given your default gateway is set as xx.yy.51.46 for the network
> configured on eth2, you set to use a gateway aa.bb.166.1 for other
> destinations by
>
> ip route add targetnet/CIDR via aa.bb.166.1 dev eth3
>
> Please see
>
>
> http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html
>
> Your multiple uplink topic is documented in this howto
>
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
>
>
> Alexander
>


Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Alexander Dalloz
Doug Coats wrote:
> I have a server with 4 nics.  Two are using different internet connections,
> both with static IP's, and two are connected to our private network.
> 
> The two internet facing nics seem to be battling over the gateway
> designation.  Which ever I designate as the gateway the other stops
> responding to incoming traffic.  I need both to listen to inbound traffic.
> One for our main web page and the other for another web server.  I found
> some information of Iproute2 but that did not seem to solve my issues.
> 
> Here are the config files:
> 
> ifcfg-eth2
> DEVICE=eth2
> BOOTPROTO=static
> HWADDR=00:24:E8:52:92:8E
> ONBOOT=yes
> IPADDR=xx.yy.51.45
> NETMASK=255.255.255.252
> GATEWAY=xx.yy.51.46
> 
> ifcfg-eth3
> DEVICE=eth3
> BOOTPROTO=static
> HWADDR=00:24:E8:52:92:90
> ONBOOT=yes
> IPADDR=aa.bb.166.2
> NETMASK=255.255.255.224
> GATEWAY=aa.bb.166.1
> 
> network
> NETWORKING=yes
> NETWORKING_IPV6=no
> HOSTNAME=heritage01
> GATEWAY=xx.yy.51.46
> GATEWAYDEV=eth2
> 
> rt_tables
> #
> # reserved values
> #
> 255 local
> 254 main
> 253 default
> 0   unspec
> #
> # local
> #
> #1  inr.ruhep
> 200 Cable
> 201 T1
> iproute2 routes
> ip route add xx.yy.51.44/30 dev eth2 src xx.yy.51.46 table Cable
> ip route add default via xx.yy.51.46
> ip route add xx.yy.51.44/30 dev eth2 src xx.yy.51.46
> ip route add default via xx.yy.51.46
> ip rule add from xx.yy.51.46 table Cable
> ip route add aa.bb.166.0/27 dev eth3 src aa.bb.165.2 table T1
> ip route add default via aa.bb.166.1
> ip route add aa.bb.166.0/27 dev eth3 src aa.bb.166.2
> ip rule add from aa.bb.166.2 table T1
> ip route flush cache
> 
> Other people seem to be using this configuration successfully but I seem to
> be missing something important.
> 
> Any help is greatly appreciated!!!  Thanks!

The GATEWAY parameter within the ifcfg- configuration files tries
to set the default gateway. There can be just 1 default gateway for a
system. So, the interface which comes up first will set the route and
the other has no effect.

Remove the GATEWAY entry from all ifcfg- files and place the
GATEWAY parameter into /etc/sysconfig/network only.

Running different networks you must can set additional routings by
route- configuration files inside /etc/sysconfig/network-scripts/.

Given your default gateway is set as xx.yy.51.46 for the network
configured on eth2, you set to use a gateway aa.bb.166.1 for other
destinations by

ip route add targetnet/CIDR via aa.bb.166.1 dev eth3

Please see

http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html

Your multiple uplink topic is documented in this howto

http://lartc.org/howto/lartc.rpdb.multiple-links.html


Alexander
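
Why the second uplink stops answering can be seen by walking the routing policy database by hand. The following is an added example, not code from this thread: a small model of the kernel's rule-then-table lookup, comparing the rules and routes as posted with the layout from the LARTC howto linked above, where each table also carries its own default route. Addresses are stand-ins from the documentation ranges because the thread masks the real ones, and the model assumes that `main` keeps only the first default route that was added.

```python
import ipaddress

# Stand-in addresses (assumptions): Cable plays xx.yy.51.44/30 with host .45
# and gateway .46; T1 plays aa.bb.166.0/27 with host .2 and gateway .1.
CABLE_NET, CABLE_IP, CABLE_GW = "192.0.2.44/30", "192.0.2.45", "192.0.2.46"
T1_NET, T1_IP, T1_GW = "198.51.100.0/27", "198.51.100.2", "198.51.100.1"
CLIENT = "203.0.113.10"          # constructed remote web client
DEFAULT = "0.0.0.0/0"

# Routes are (prefix, device, gateway); gateway None means directly connected.
# Assumption: main holds one default route, the first one added (Cable).
MAIN = [
    (CABLE_NET, "eth2", None),
    (T1_NET, "eth3", None),
    (DEFAULT, "eth2", CABLE_GW),
]

# As posted: the Cable rule selects the gateway address, and neither
# per-uplink table has a default route of its own.
AS_POSTED = {
    "rules": [(CABLE_GW + "/32", "Cable"), (T1_IP + "/32", "T1"), (None, "main")],
    "tables": {
        "Cable": [(CABLE_NET, "eth2", None)],
        "T1": [(T1_NET, "eth3", None)],
        "main": MAIN,
    },
}

# LARTC layout: rules select the host's own addresses, and each table has
# the connected network plus a default route via that uplink's gateway.
LARTC = {
    "rules": [(CABLE_IP + "/32", "Cable"), (T1_IP + "/32", "T1"), (None, "main")],
    "tables": {
        "Cable": [(CABLE_NET, "eth2", None), (DEFAULT, "eth2", CABLE_GW)],
        "T1": [(T1_NET, "eth3", None), (DEFAULT, "eth3", T1_GW)],
        "main": MAIN,
    },
}


def lookup(config, src, dst):
    """Return (table, device, gateway) chosen for a packet from src to dst.

    Rules are tried in order; a rule whose table has no route for dst does
    not end the search, the next rule is consulted instead.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for selector, table in config["rules"]:
        if selector is not None and src_ip not in ipaddress.ip_network(selector):
            continue
        best = None
        for prefix, dev, gateway in config["tables"].get(table, []):
            net = ipaddress.ip_network(prefix)
            # Longest matching prefix wins inside one table.
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev, gateway)
        if best is not None:
            return (table, best[1], best[2])
    return None


def reply_path(config, local_ip):
    """Path taken by the server's reply to CLIENT, sourced from local_ip."""
    return lookup(config, local_ip, CLIENT)


if __name__ == "__main__":
    for name, config in (("as posted", AS_POSTED), ("LARTC layout", LARTC)):
        for local_ip in (CABLE_IP, T1_IP):
            print(name, local_ip, "->", reply_path(config, local_ip))
```

In the as-posted model the reply sourced from the T1 address falls through the `T1` table to `main` and leaves on eth2 through the Cable gateway, which matches the symptom described in the question.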



Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?

2009-07-01 Thread Robert Heller
At Thu, 2 Jul 2009 02:39:02 +0800 (CST) CentOS mailing list  
wrote:

> 
> 
> Thank you for your answer.
> 
> change adapter sequence on /etc/modprobe.conf and rebuild image always my 
> first try.
> 
> Unfortunately it does NOT work on DELL R900.  The reason is DELL R900 
> internal RAID and external RAID use same driver.  There is NO way to change 
> adapter sequence on /etc/modprobe.conf.

Is there some *specific* reason you want the device names in /dev to
match some sequence?  For mounting to work, you can just use UUIDs or
LABELs in /etc/fstab.  This also works for swap partitions (mkswap has a
-L option).

The only other reason would be getting the BIOS to boot the correct
disk (and this would be handled by BIOS settings).  I am not sure what
grub needs exactly (I use lilo myself).

Otherwise, why *exactly* does it matter if a certain disk's device file
is named /dev/sda1 or /dev/sdc1?


-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/



Re: [CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread James A. Peltier

On Wed, 1 Jul 2009, Doug Coats wrote:


I have a server with 4 nics.  Two are using different internet connections, 
both with static IP's, and two
are connected to our private network.
 
The two internet facing nics seem to be battling over the gateway designation.  
Which ever I designate as
the gateway the other stops responding to incoming traffic.  I need both to 
listen to inbound traffic.  One
for our main web page and the other for another web server.  I found some 
information of Iproute2 but that
did not seem to solve my issues.
 
Here are the config files:
 
ifcfg-eth2
DEVICE=eth2
BOOTPROTO=static
HWADDR=00:24:E8:52:92:8E
ONBOOT=yes
IPADDR=xx.yy.51.45
NETMASK=255.255.255.252
GATEWAY=xx.yy.51.46
 
ifcfg-eth3
DEVICE=eth3
BOOTPROTO=static
HWADDR=00:24:E8:52:92:90
ONBOOT=yes
IPADDR=aa.bb.166.2
NETMASK=255.255.255.224
GATEWAY=aa.bb.166.1
 
network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=heritage01
GATEWAY=xx.yy.51.46
GATEWAYDEV=eth2


remove the gateway from /etc/sysconfig/network, reboot and try again.

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
  http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com

The point of the HPC scheduler is to
keep everyone equally unhappy.


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Dag Wieers

On Wed, 1 Jul 2009, Dag Wieers wrote:


On Wed, 1 Jul 2009, Radu-Cristian FOTESCU wrote:


>    - audacious has a missing dependency (audacious-plugins)
>    - comix SRPM does not rebuild
> 
>  That's 2 packages, I think we do quite well if that is it :)


 But this is only because I am not crazy enough to try 7,600 packages!


Well, you said it was silly to have 8000 packages, while we should only 
provide 400 that worked very well.


I say that you only proved to me that 2 are not working well. I am unwilling 
to drop 7600 packages because you report 2 that are broken.


You see the difference :)

Of course if you want to make the case that it is better to focus on quality 
it is better to say that 7600 have problems, but you are actually lying
because you only know about 2 broken packages.


Besides we don't have 8000 unique packages, more like 5000 I think. But that 
is beside the point.


Now that I read this again, you only proved that 1 is broken, the other 
simply doesn't build for you. I have the proof it build for me :)


Maybe the BuildRequires are incorrect, because I work with static 
buildroots, not dynamic ones. And as a consequence my BuildRequires could 
be insufficient. (Doubtful because it was made by Dries)


Maybe the BuildRequires doesn't say exactly what version it needs. Because 
doing that would mean you have to go and see what the lowest version is 
with which it works. Which is time-consuming. (We do build from the same
SPEC file for RHEL2, RH7, RH9, RHEL3, RHEL4 and RHEL5)


But that doesn't mean it is broken. It is certainly sub-optimal, and if 
you report such cases we do fix them.


Imagine that we would do exactly as you say, even then Radu-Christian² 
may state on this list with a lot of fanfare that certain packages we 
ship may not function properly because our process does not include 100% 
functional testing and we should dedicate our time to functionally test an 
RPM before shipping it. And drop any packages we don't do this for.


So this whole situation is not black and white. In fact if we would have
unlimited time, unlimited money or unlimited contributors I would consider 
your suggestions seriously. But right now, any effort would be hurting 
some other effort and I would rather have X new packages than spending the
same time to remove Y other packages.


Because I think my time would simply be worth more spending on something 
else. You obviously do think this time would be worth spending, and have 
been told what is needed to get it fixed :) I don't want to be the person 
that denies improving what is suboptimal though.


So my offer for commit access still stands, in case you'd reconsider.

Kind regards,
--
--   dag wieers,  d...@wieers.com,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]


Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?

2009-07-01 Thread Joseph L. Casale
>Unfortunately it does NOT work on DELL R900.  The reason is DELL R900
>internal RAID and external RAID use same driver.  There is NO way to
>change adapter sequence on /etc/modprobe.conf.

Well, I suspect a udev rule *might* work to rename the discs, but labels
or uuid's aren’t designed to *change* the name (who cares?), they are
designed to cause mount to "mount" the expected disc :) It makes much more
sense to focus on that than to maintain aesthetics which again can be
changed in the future so the solution is not failsafe.

To each his own I guess!

jlc



--- On 09/7/1 (Wed), Ross Walker wrote:

> From: Ross Walker
> Subject: Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?
> To: "CentOS mailing list"
> Date: Wednesday, July 1, 2009, 11:59 AM
> 2009/7/1 mcclnx mcc :
> >
> > Thank you for answer.
> >
> > I change /etc/fstab and using UUID instead of LABEL.
> After reboot, UUID did NOT change disk sequence back to
> what I want. 泎oot device original /dev/sda1, it still
> /dev/sdc1 NO change.
>
> Modify modprobe.conf to list the disk driver you want
> loaded in the
> order you want then re-make the initrd file:
>
> For example, say you want your internal SATA disks
> recognized before
> your SAS RAID disks, your modprobe for the scsi_hostadapter
> would look
> something like this:
>
> alias scsi_hostadapter ata_piix (or ahci, sata_XXX whatever
> your SATA
> controller is)
> alias scsi_hostadapter0 megaraid_sas
>
> Then you remake your initrd with a command:
>
> mkinitrd -f /boot/initrd-$(uname -r).img $(uname -r)
>
> Remember to use LABELs or UUIDs in fstab first or your
> partitions
> won't mount (wrong disk names)!
>
> Then reboot.
>
> -Ross


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Ron Loftin

As a really radical suggestion, perhaps you should consider moving this
"discussion" to the rpmforge mail list, since it seems that most of your
issues are focused on that repository.  You might even find a larger
collection of viewpoints there.

On Wed, 2009-07-01 at 11:32 -0700, Radu-Cristian FOTESCU wrote:
> > I believe that YOU are the only person on this list 
> > who has expressed an interest in "audacious" 
> > (whatever it is & does) for CentOS during these several
> > days of rant.  
> 
> I believe that YOU are the only person on this list
> (whoever you are & do) to have suggested popularity as
> a required raison d'être. Maybe we should make a poll:
> from the 8,614 RPM files RPMforge are, I am pretty much
> sure you wouldn't find in a couple of days more than 
> 1 person to express interest in *half* of them. Should 
> half of them be dropped?
> 
> R-C
> 
> 
> 
-- 
Ron Loftin  relof...@twcny.rr.com

"God, root, what is difference ?"   Piter from UserFriendly



Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?

2009-07-01 Thread mcclnx mcc

Thank you for your answer.

change adapter sequence on /etc/modprobe.conf and rebuild image always my first 
try.

Unfortunately it does NOT work on DELL R900.  The reason is DELL R900 internal 
RAID and external RAID use same driver.  There is NO way to change adapter 
sequence on /etc/modprobe.conf.



--- On 09/7/1 (Wed), Ross Walker wrote:

> From: Ross Walker
> Subject: Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?
> To: "CentOS mailing list"
> Date: Wednesday, July 1, 2009, 11:59 AM
> 2009/7/1 mcclnx mcc :
> >
> > Thank you for answer.
> >
> > I change /etc/fstab and using UUID instead of LABEL.
> After reboot, UUID did NOT change disk sequence back to
> what I want. 泎oot device original /dev/sda1, it still
> /dev/sdc1 NO change.
> 
> Modify modprobe.conf to list the disk driver you want
> loaded in the
> order you want then re-make the initrd file:
> 
> For example, say you want your internal SATA disks
> recognized before
> your SAS RAID disks, your modprobe for the scsi_hostadapter
> would look
> something like this:
> 
> alias scsi_hostadapter ata_piix (or ahci, sata_XXX whatever
> your SATA
> controller is)
> alias scsi_hostadapter0 megaraid_sas
> 
> Then you remake your initrd with a command:
> 
> mkinitrd -f /boot/initrd-$(uname -r).img $(uname -r)
> 
> Remember to use LABELs or UUIDs in fstab first or your
> partitions
> won't mount (wrong disk names)!
> 
> Then reboot.
> 
> -Ross


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Radu-Cristian FOTESCU

> I believe that YOU are the only person on this list 
> who has expressed an interest in "audacious" 
> (whatever it is & does) for CentOS during these several
> days of rant.  

I believe that YOU are the only person on this list
(whoever you are & do) to have suggested popularity as
a required raison d'être. Maybe we should make a poll:
from the 8,614 RPM files RPMforge are, I am pretty much
sure you wouldn't find in a couple of days more than 
1 person to express interest in *half* of them. Should 
half of them be dropped?

R-C





Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Radu-Cristian FOTESCU

> Buildlogs are available from:
> 
>     http://packages.sw.be/comix/_buildlogs/
> 
> I hope you come back and tell me what was your problem.

I have to be back on my continent before addressing this issue.
So far, I can see that the build of Comix seems to have been done
by Dries, and that it was successful in April 2009.

I am pretty much sure I can prove it *won't* compile on any EL5 clone
with the officially available versions of:
BuildRequires: python, python-imaging, pygtk2-devel

I am not sure what mushrooms were installed on the build machine.
It *doesn't* build with:
  pygtk2-devel-2.10.1-12.el5.i386
  python-imaging-devel-1.1.5-5.el5.i386
Which is whatever EL5 has.

I can see that RF has a slightly newer version of 
  python-imaging-1.1.6-2.el5.rf.i386
but as long as the SPEC file doesn't require a newer version
than 1.1.5, nor does the tarball's Makefile, I *don't* pull
updates from RF. Maybe I should have done it, but then the
SPEC is incomplete and it assumes that whatever version is OK
when it's not.

I'll check this in a couple of days.

OTOH, frankly, I should rather find some time (which I don't have)
to fscking build my own VLC and MPlayer and gstreamer-* so I won't
need RPMforge in the future.

Frankly, I hate huge repos. Yes, even Debian's. Whatever is huge 
can't be maintained with the current mindset of the FLOSS people.

R-C





Re: [CentOS] Web photo gallery options

2009-07-01 Thread Lanny Marcus
On Wed, Jul 1, 2009 at 4:25 AM, Sorin Srbu wrote:

>>FYI, gallery2 is available in EPEL for EL-5.
>
> I used the info available at
> http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-enable-epel-repo/ to
> add the EPEL-repo.
>
> r...@kadath ~ [0 jobs]# yum repolist
> Loaded plugins: allowdowngrade, changelog, downloadonly, fastestmirror,
> kernel-module, priorities, protectbase, tsflags, versionlock
> Loading mirror speeds from cached hostfile
>  * epel: mirrors.se.eu.kernel.org
>  * rpmforge: apt.sw.be
>  * contrib: mirror.ii.uib.no
>  * base: mirror.ii.uib.no
>  * updates: mirror.ii.uib.no
>  * addons: mirror.ii.uib.no
>  * extras: mirror.ii.uib.no
> repo id              repo name                                status
> addons               CentOS-5 - Addons                        enabled :
> 0
> base                 CentOS-5 - Base                          enabled :
> 2,508
> contrib              CentOS-5 - Contrib                       enabled :
> 0
> epel                 Extra Packages for Enterprise Linux 5 -  enabled :
> 4,377
> extras               CentOS-5 - Extras                        enabled :
> 311
> rpmforge             Red Hat Enterprise 5 - RPMforge.net - da enabled :
> 8,852
> updates              CentOS-5 - Updates                       enabled :
> 311
> repolist: 16,359
> r...@kadath ~ [0 jobs]#
>
> r...@kadath ~ [0 jobs]# yum install *gallery*
> Loaded plugins: allowdowngrade, changelog, downloadonly, fastestmirror,
> kernel-module, priorities, protectbase, tsflags, versionlock
> Loading mirror speeds from cached hostfile
>  * epel: mirrors.se.eu.kernel.org
>  * rpmforge: apt.sw.be
>  * contrib: mirror.ii.uib.no
>  * base: mirror.ii.uib.no
>  * updates: mirror.ii.uib.no
>  * addons: mirror.ii.uib.no
>  * extras: mirror.ii.uib.no
> 0 packages excluded due to repository protections

You do not have priorities configured properly. It is not working.
IMHO, since you (like me) have both rpmforge and epel configured, you
should give epel a very low priority or epel will replace a *LOT* of
the packages on your box.  Also, I suggest you disable the protectbase
plug in. Priorities is newer and more powerful.


[CentOS] Multiple Internet facing Nics - Gateway issue

2009-07-01 Thread Doug Coats
I have a server with 4 nics.  Two are using different internet connections,
both with static IP's, and two are connected to our private network.

The two internet facing nics seem to be battling over the gateway
designation.  Which ever I designate as the gateway the other stops
responding to incoming traffic.  I need both to listen to inbound traffic.
One for our main web page and the other for another web server.  I found
some information of Iproute2 but that did not seem to solve my issues.

Here are the config files:

ifcfg-eth2
DEVICE=eth2
BOOTPROTO=static
HWADDR=00:24:E8:52:92:8E
ONBOOT=yes
IPADDR=xx.yy.51.45
NETMASK=255.255.255.252
GATEWAY=xx.yy.51.46

ifcfg-eth3
DEVICE=eth3
BOOTPROTO=static
HWADDR=00:24:E8:52:92:90
ONBOOT=yes
IPADDR=aa.bb.166.2
NETMASK=255.255.255.224
GATEWAY=aa.bb.166.1

network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=heritage01
GATEWAY=xx.yy.51.46
GATEWAYDEV=eth2

rt_tables
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
200 Cable
201 T1
iproute2 routes
ip route add xx.yy.51.44/30 dev eth2 src xx.yy.51.46 table Cable
ip route add default via xx.yy.51.46
ip route add xx.yy.51.44/30 dev eth2 src xx.yy.51.46
ip route add default via xx.yy.51.46
ip rule add from xx.yy.51.46 table Cable
ip route add aa.bb.166.0/27 dev eth3 src aa.bb.165.2 table T1
ip route add default via aa.bb.166.1
ip route add aa.bb.166.0/27 dev eth3 src aa.bb.166.2
ip rule add from aa.bb.166.2 table T1
ip route flush cache

Other people seem to be using this configuration successfully but I seem to
be missing something important.

Any help is greatly appreciated!!!  Thanks!


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Lanny Marcus
On Wed, Jul 1, 2009 at 5:05 AM, Dag Wieers wrote:
> On Tue, 30 Jun 2009, Radu-Cristian FOTESCU wrote:
>>> What was the problem with audacious again ?

> Maybe the problem is indeed you, and not the repository. You expect too
> much from people who volunteer their own time. As I said now multiple
> times, unless you are not yourself committed to help, why expect someone
> else to do it ?

+1

Very easy to criticize people who are volunteering their time and
doing their best.


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Dag Wieers

On Wed, 1 Jul 2009, Radu-Cristian FOTESCU wrote:

>> My point being: audacious does build, but it has a missing
>> dependency.
>
> Which still == broken repo.

Sure, but when you started that thread you didn't mention your problem
with the comix package. I was still confused why you would talk about
SRPMs that do not build when audacious was not having this problem.

>> You were referring the whole time to SRPMs that do not build.
>> But you never give me an example of one.
>
> On the contrary, I mentioned Comix. But again, I never try the
> SRPM, but the SPEC+tarball. Which don't build.

Buildlogs are available from:

http://packages.sw.be/comix/_buildlogs/

I hope you come back and tell me what was your problem.

>>> See, this is why I am not a QA manager anywhere: people would commit
>>> mass suicide under my rule :-)
>>
>> Maybe the problem is indeed you, and not the repository. You expect
>> too much from people who volunteer their own time. As I said now
>> multiple times, unless you are not yourself committed to help,
>> why expect someone else to do it ?
>
> Because you either do something properly, or don't do it at all.

That's not how Open Source works. I do something "properly" so that it
works well for me. And I provide it hoping that people that have some
other use (or expectations) can help me as well.

You have a different expectation. Either you can help the project, or you
use it as-is, or you don't use it.

For me everyone of those is fine. You choose door 2 and I accept.

>> Maybe RPMforge should ask for money for those people who expect
>> more than we offer. But I seriously doubt you would pay for it.
>> So what we do is best effort, much like any other repository really.
>
> Maybe Ubuntu should ask for money from those people who expect
> more than they offer. But would this improve Ubuntu's quality?
> I very much doubt it.

That's not the point. If you have problem X with Ubuntu, your only
guarantee to see it fixed is by paying Canonical.

In any other case you can report it or fix it yourself. None of these
options guarantee that it will be fixed in Ubuntu. But fixing it yourself
has the highest probability.

>>  - audacious has a missing dependency (audacious-plugins)
>>  - comix SRPM does not rebuild
>>
>> That's 2 packages, I think we do quite well if that is it :)
>
> But this is only because I am not crazy enough to try 7,600 packages!

Well, you said it was silly to have 8000 packages, while we should only
provide 400 that worked very well.

I say that you only proved to me that 2 are not working well. I am
unwilling to drop 7600 packages because you report 2 that are broken.

You see the difference :)

Of course if you want to make the case that it is better to focus on
quality it is better to say that 7600 have problems, but you are actually
lying because you only know about 2 broken packages.

Besides we don't have 8000 unique packages, more like 5000 I think. But
that is beside the point.


--
--   dag wieers,  d...@wieers.com,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Robert


Radu-Cristian FOTESCU wrote:
>>>> The audacious package is willing to wait that long :)
>>>>
>>> Nope, because I've built it *for myself*, 
>>> i.e. in my repo.
>>>   
>> And was your patch rejected from the places you are
>> complaining about?
>> 
>
> There. Is. No. Question. About. Any. Patch.
>
> When you build audacious from SPEC + tarball, it spits out
> audacious + audacious_plugins, both as RPMs and as SRPMs
> (actually, it spits around 15 plugins RPMs).
>
> RPMforge misses the plugins, that's all. Probably just 
> triggering a rebuild would fix it all.
>
> Instead of talking for ages about patches, what builds and
> what doesn't, and why "better services" would need pay etc.
> maybe someone (Dag?) could have triggered the rebuild of 
> audacious for 100 times in the meantime.
>
> Truly yours,
> R-C
>   
Looking at this from yet another angle, I believe that YOU are the only 
person on this list who has expressed an interest in "audacious" 
(whatever it is & does) for CentOS during these several days of rant.  
By some weird coincidence, you purport to have a working version.  Bully 
for you! You allegedly have what you want. Most list members here seem 
to have what they want. I absolutely, definitely, positively, most 
assuredly have what I want and am free of the crap that I don't want, 
which would include "audacious". **And any half-baked, half-tested L&G 
package.**
With so much contentment floating around, it surely makes you look like 
a 33rd Degree Horse's Ass to continue ranting about the damn thing, in 
the process, greatly diminishing any stature that has accumulated here 
deriving from your technical achievements.






Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?

2009-07-01 Thread Ross Walker
2009/7/1 mcclnx mcc :
>
> Thank you for answer.
>
> I change /etc/fstab and using UUID instead of LABEL.  after reboot, UUID did 
> NOT change disk sequence back to what I want.  Boot device original 
> /dev/sda1, it still /dev/sdc1 NO change.

Modify modprobe.conf to list the disk driver you want loaded in the
order you want then re-make the initrd file:

For example, say you want your internal SATA disks recognized before
your SAS RAID disks, your modprobe for the scsi_hostadapter would look
something like this:

alias scsi_hostadapter ata_piix (or ahci, sata_XXX whatever your SATA
controller is)
alias scsi_hostadapter0 megaraid_sas

Then you remake your initrd with a command:

mkinitrd -f /boot/initrd-$(uname -r).img $(uname -r)

Remember to use LABELs or UUIDs in fstab first or your partitions
won't mount (wrong disk names)!

Then reboot.

-Ross


Re: [CentOS] How best to allow users to change Samba passwords?

2009-07-01 Thread Alexander Georgiev
2009/7/1 Kevin Thorpe :
> On 01/07/2009 14:29, Jason Pyeron wrote:
>
> We're missing some bits on this. We don't run Windows servers at all so the
> Exchange route is out. Also most of our
> workstations are only windows Home, not Professional so we can't use a
> domain or the ctrl-alt-del approach. I think
> I'm going to have to use openLDAP to do this, but it seems overly hard to
> set up. It will however work for Samba,
> Scalix and our website (Drupal) so I think it's the way to go.

I have successfully used http://www.pgina.org to authenticate Windows
Home users against a Samba domain. Pgina has plugins for different
authentication providers, so openLDAP should work.

Of course you should ensure user and password synchronization between
the 2 servers as a first step. OpenLDAP will work. I have used
http://sourceforge.net/projects/smbldap-tools/ to store samba account
database in openldap.

The real challenge for me 7 years ago, was password expiration. I
believe this requirement will sooner or later come to you. Users tend
to use the same password for years. Therefore a mechanism of password
expiration must be enforced to make sure those passwords will be
changed, also the mechanism observes that passwords are strong and not
rotated.

When I was using a Windows NT4 domain there was a mechanism which
would observe the password expiration of domain users and would
trigger via RPC a password change request on the user workstation.
Upon login, the user would not be granted login until the password is
changed.

I could not reproduce this behavior using samba 2.2.xxx and have not
tried since then.


With best regards
Alexander


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Radu-Cristian FOTESCU

> >> The audacious package is willing to wait that long
> :)
> > 
> > Nope, because I've built it *for myself*, 
> > i.e. in my repo.
> 
> And was your patch rejected from the places you are
> complaining about?

There. Is. No. Question. About. Any. Patch.

When you build audacious from SPEC + tarball, it spits out
audacious + audacious_plugins, both as RPMs and as SRPMs
(actually, it spits around 15 plugins RPMs).

RPMforge misses the plugins, that's all. Probably just 
triggering a rebuild would fix it all.

Instead of talking for ages about patches, what builds and
what doesn't, and why "better services" would need pay etc.
maybe someone (Dag?) could have triggered the rebuild of 
audacious for 100 times in the meantime.

Truly yours,
R-C






Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Les Mikesell
Radu-Cristian FOTESCU wrote:
>
>> The audacious package is willing to wait that long :)
> 
> Nope, because I've built it *for myself*, i.e. in my repo.

And was your patch rejected from the places you are complaining about?

-- 
   Les Mikesell
 lesmikes...@gmail.com



Re: [CentOS] Web photo gallery options

2009-07-01 Thread Ray Van Dolson
On Wed, Jul 01, 2009 at 11:45:05AM +0200, Sorin Srbu wrote:
> >>FYI, gallery2 is available in EPEL for EL-5.
> >
> >I used the info available at
> >http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-enable-epel-repo/ to
> >add the EPEL-repo.
> 
> Replying to myself... Googled some and found that Gallery2 is most probably
> in the Fedora development repo. Now to find how I add this repo to CentOS..
> 

Yeah, as you discovered, I think it's in the -testing repository of
epel.  Usually involves editing one of your epel .repo files, enabling
the -testing repo and then doing yum install gallery2*.

Or:

  yum --enablerepo=epel-testing install gallery2*

Ray


Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?

2009-07-01 Thread nate
mcclnx mcc wrote:
>
> Thank you for answer.
>
> I change /etc/fstab and using UUID instead of LABEL.  after reboot, UUID did
> NOT change disk sequence back to what I want.  Boot device original
> /dev/sda1, it still /dev/sdc1 NO change.

Have you tried asking Dell? You're asking to change the boot device
order which is a hardware question, not an OS question.

In any case I believe you mentioned you had multiple controllers
that were using the same driver, in my experience the only way to
change the order in that situation is to change the IRQs of the
controllers, usually the one with the lower IRQ is detected first.
This can usually be done in the BIOS or by changing the slots that
the controllers are in.

It is probably better to just use different controllers that
use different drivers anyways.

nate




Re: [CentOS] [OT] Batch Job Scheduler/Manager

2009-07-01 Thread Marcelo M. Garcia
Mauriat Miranda wrote:
> On Wed, Jul 1, 2009 at 8:03 AM, Marcelo M.
> Garcia wrote:
> 
>> I suggest sge. It doesn't have a web interface, but a GUI. Or torque.
> 
> Looks like most of the robust tools are Java based, including Hudson.
> 
> I also found the following:
> https://computing.llnl.gov/linux/slurm/
> non free:
> http://www.nobix.com/JobQueX/JobQueX.aspx
> 
> Thanks for all the ideas.  I will have to evaluate each option.
> 
> -Mauriat
Hi

Neither sge nor torque is Java-based. Sge has a GUI, but I don't think
it is Java-based.

Torque is purely text interface, the web administration is not free, but 
it's not expensive. Have a look at "cluster resources":
http://www.clusterresources.com/

Regards

mg.


Re: [CentOS] server is always getting hacked

2009-07-01 Thread Stuart Jansen
On Wed, 2009-07-01 at 01:20 -0700, Michael A. Peters wrote:
> I still don't understand how using sudo instead of su makes it more secure.

As implemented by Ubuntu and others, sudo does nothing to make things
more secure. In fact, as you pointed out, it can be less secure.

However, sudo has the capability to grant fine grained access. For
example, one could configure sudo so that operators are able to launch
backups as root but not start a shell or edit the web server config
files. This capability is what earned sudo its reputation for being more
secure. Sadly too many people chant "sudo is more secure" without
understanding the conditions necessary to make that statement true.

John R. Dennison has already pointed out that it is trivial to configure
su on CentOS to require wheel.
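
An added illustration of the fine-grained case described above (not from the original post): a small audit that reads sudoers rules and separates command-scoped grants from grants that amount to full root. The group names, the backup script path and the short list of shell-capable programs are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify sudoers rules as command-scoped or effectively full root.

# Constructed sample rules; groups and the backup script path are hypothetical.
sample_sudoers() {
cat <<'EOF'
# operators may launch the backup and nothing else
%wheel      ALL=(ALL) ALL
%operators  ALL=(root) NOPASSWD: /usr/local/sbin/run-backup
%webadmins  ALL=(root) /bin/vi /etc/httpd/conf/httpd.conf
%dbas       ALL=(root) /bin/bash
EOF
}

# audit_sudoers: read rules on stdin, print "BROAD <who>" when a rule grants
# every command, a shell, or a program that can start one (editors, pagers),
# and "SCOPED <who>" otherwise. The program list is illustrative, not complete.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ { next }
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)        # drop the user and host part
        sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop the (runas) part
        gsub(/[A-Z_]+:[ \t]*/, "", spec)      # drop tags such as NOPASSWD:
        sub(/[ \t]+$/, "", spec)
        verdict = "SCOPED"
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(cmds[i], words, /[ \t]+/)
            prog = words[1]
            sub(/.*\//, "", prog)             # basename of the command
            if (cmds[i] == "ALL" || prog ~ /^(sh|bash|csh|tcsh|ksh|zsh|su|vi|vim|emacs|less|more)$/)
                verdict = "BROAD"
        }
        print verdict, who
    }'
}

sample_sudoers | audit_sudoers
```

Only the `%operators` rule is reported as scoped: the editor rule for `%webadmins` names a single file but still hands out a program that can start a root shell.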



Re: [CentOS] [OT] Batch Job Scheduler/Manager

2009-07-01 Thread Mauriat Miranda
On Wed, Jul 1, 2009 at 8:03 AM, Marcelo M.
Garcia wrote:

> I suggest sge. It doesn't have a web interface, but a GUI. Or torque.

Looks like most of the robust tools are Java based, including Hudson.

I also found the following:
https://computing.llnl.gov/linux/slurm/
non free:
http://www.nobix.com/JobQueX/JobQueX.aspx

Thanks for all the ideas.  I will have to evaluate each option.

-Mauriat


Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?

2009-07-01 Thread mcclnx mcc

Thank you for answer.

I change /etc/fstab and using UUID instead of LABEL.  after reboot, UUID did 
NOT change disk sequence back to what I want.  Boot device original /dev/sda1, 
it still /dev/sdc1 NO change.



--- On Mon, 09/6/29, Joseph L. Casale wrote:

> From: Joseph L. Casale
> Subject: Re: [CentOS] How to change Disk sequence on DELL R900 CENTOS 5.3?
> To: "'CentOS mailing list'"
> Date: Monday, June 29, 2009, 2:22 AM
> >how to change sequence back?
>
> Rather than chase that never ending loop, maybe now is the time
> to look into an fstab populated by UUID.


Re: [CentOS] How best to allow users to change Samba passwords?

2009-07-01 Thread Kevin Thorpe

On 01/07/2009 14:29, Jason Pyeron wrote:
>> -Original Message-
>> From: Kevin Thorpe
>> Sent: Wednesday, July 01, 2009 5:43
>>
>> I was wondering if anyone could advise me on this.
>
> We allow users to change their passwords via ctrl-alt-del, and via the web using
> the password change tool that comes with exchange.

We're missing some bits on this. We don't run Windows servers at all so
the Exchange route is out. Also most of our workstations are only windows
Home, not Professional so we can't use a domain or the ctrl-alt-del
approach. I think I'm going to have to use openLDAP to do this, but it
seems overly hard to set up. It will however work for Samba, Scalix and
our website (Drupal) so I think it's the way to go.

>> I've got two Samba servers, each using passdb.tdb for authentication.
>> All works well, but I've now been asked to let users change
>> their own passwords (a requirement of data security). What's
>> the best way of arranging this, preferably updating both
>> servers at the same time?
>>
>> thanks


Re: [CentOS] How best to allow users to change Samba passwords?

2009-07-01 Thread Ross Walker

On Jul 1, 2009, at 5:42 AM, Kevin Thorpe  wrote:

> What's the best way of
> arranging this, preferably updating both servers at the same time?

What you should do is pick one server to manage the passwords and have  
the other setup to authenticate users against the first. Use samba's  
'password server=' option. Then password changes happen only on the  
password server.

I would start thinking samba domain controller at this point.

-Ross



Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Radu-Cristian FOTESCU

> My point being: audacious does build, but it has a missing 
> dependency. 

Which still == broken repo.

> You were referring the whole time to SRPMs that do not build. 
> But you never give me an example of one.

On the contrary, I mentioned Comix. But again, I never try the
SRPM, but the SPEC+tarball. Which don't build.

> > When they *did* build, it was maybe 2007. Now it's 2009 and 
> > EL5.3 and... it doesn't build :-(
> 
> Care to give an example ? Then I can point you to the buildlog and you 
> might be able to find the cause of your problem by comparing ?

Comix, for God's sake.

> The audacious package is willing to wait that long :)

Nope, because I've built it *for myself*, i.e. in my repo.


> > See, this is why I am not a QA manager anywhere: people would commit
> > mass suicide under my rule :-)
> 
> Maybe the problem is indeed you, and not the repository. You expect
> too much from people who volunteer their own time. As I said now
> multiple times, unless you are not yourself committed to help, 
> why expect someone else to do it ?

Because you either do something properly, or don't do it at all.


> Maybe RPMforge should ask for money for those people who expect
> more than we offer. But I seriously doubt you would pay for it.
> So what we do is best effort, much like any other repository really.

Maybe Ubuntu should ask for money from those people who expect
more than they offer. But would this improve Ubuntu's quality?
I very much doubt it.

> 
>  - audacious has a missing dependency (audacious-plugins)
>  - comix SRPM does not rebuild
>
> That's 2 packages, I think we do quite well if that is it :)

But this is only because I am not crazy enough to try 7,600 packages!

Cheers,
R-C





Re: [CentOS] How best to allow users to change Samba passwords?

2009-07-01 Thread Jason Pyeron
 

> -Original Message-
> From: Kevin Thorpe
> Sent: Wednesday, July 01, 2009 5:43
> 
> I was wondering if anyone could advise me on this.

We allow users to change their passwords via ctrl-alt-del, and via the web using
the password change tool that comes with exchange.

> 
> I've got two Samba servers, each using passdb.tdb for authentication. 
> All works well, but I've now been asked to let users change 
> their own passwords (a requirement of data security). What's
> the best way of arranging this, preferably updating both 
> servers at the same time?
> 
> thanks

On CentOS release 4.7:

/etc/samba/smb.conf (redacted)

[global]

#log level = 10

encrypt passwords = yes

workgroup = 
server string = Logon Server
pam password change = Yes
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /sbin/nologin -d /tmp '%u'
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
map acl inherit = Yes
cups options = raw
csc policy = disable

[homes]
comment = Home Directories
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = Yes
share modes = No

[print$]
comment = All Printers
path = /var/lib/samba/drivers
guest ok = Yes
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No



--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.



Re: [CentOS] Fortran90 and 77 on CentOS

2009-07-01 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>Of Marcelo M. Garcia
>Sent: Wednesday, July 01, 2009 2:24 PM
>To: CentOS mailing list
>Subject: Re: [CentOS] Fortran90 and 77 on CentOS
>
>> Is anybody here using Fortran90 and Fortran77 on their CentOS-machine(s)?
>>
>> If so, did you get that from a repo or something? One of our PhD-students
>> needs a software that requires the Fortran compilers mentioned in order to
>> make the sources for our i7-machines.
>
>Intel has "non-commercial software download" with FORTRAN, C/C++, MKL, etc:
>http://software.intel.com/en-us/articles/non-commercial-software-download/

Yupp, thanks. Just ran into it like 10 seconds ago. 8-)




Re: [CentOS] Fortran90 and 77 on CentOS

2009-07-01 Thread Marcelo M. Garcia
Sorin Srbu wrote:
> Hi all,
> 
> Is anybody here using Fortran90 and Fortran77 on their CentOS-machine(s)?
> 
> If so, did you get that from a repo or something? One of our PhD-students
> needs a software that requires the Fortran compilers mentioned in order to
> make the sources for our i7-machines. 
> 
> The Fortran stuff that is available to me is from the standard CentOS repos,
> as well as Rpmforge and EPEL repos, from which I got gcc43-fortran and some
> more dependencies and such. But as far as I can tell, this is not going
> to work.
> 
> This is all new territory to me, to have to compile stuff... Please let me
> know if this is off-topic and should be taken elsewhere.
> 
> Thanks for any information.
> 
> 
> 
> 
Hi

Intel has "non-commercial software download" with FORTRAN, C/C++, MKL, etc:
http://software.intel.com/en-us/articles/non-commercial-software-download/

Regards

mg.



[CentOS] Fortran90 and 77 on CentOS

2009-07-01 Thread Sorin Srbu
Hi all,

Is anybody here using Fortran90 and Fortran77 on their CentOS-machine(s)?

If so, did you get that from a repo or something? One of our PhD-students
needs a software that requires the Fortran compilers mentioned in order to
make the sources for our i7-machines. 

The Fortran stuff that is available to me is from the standard CentOS repos,
as well as Rpmforge and EPEL repos, from which I got gcc43-fortran and some
more dependencies and such. But as far as I can tell, this is not going
to work.

This is all new territory to me, to have to compile stuff... Please let me
know if this is off-topic and should be taken elsewhere.

Thanks for any information.
-- 
BW,
Sorin
---
# Sorin Srbu[Sysadmin, Systems Engineer]
# Dept of Medicinal Chemistry,  Phone: +46 (0)18-4714482 >3 signals> GSM
# Div of Org Pharm Chem,Mobile: +46 (0)701-718023
# Box 574, Uppsala University,  Fax: +46 (0)18-4714482
# SE-751 23 Uppsala, Sweden Visit: BMC, Husargatan 3, D5:512b
#   Web: http://www.orgfarm.uu.se
---
# ()  ASCII ribbon campaign - Against html E-mail 
# /\
#
# MotD follows:
# CentOS: Enterprise Linux for the people.





Re: [CentOS] [OT] Batch Job Scheduler/Manager

2009-07-01 Thread Marcelo M. Garcia
Mauriat Miranda wrote:
> Hi.  Looking for suggestions/ideas.
> 
> I have pretty loose requirements at this point, but I am looking for a
> tool (or set of tools) where I can automate and control a large group
> of tasks by a basic web front end.
> 
> I have a series of scripts that do various conversions of data or
> media, as well as analysis and I want to be able check their status,
> see if they completed or if they failed.  Then possibly react or setup
> alternate jobs if they passed or failed, etc. - some basic logic.
> 
> I want to avoid building something for this.  But if there already
> exists a tool(s) that I could tailor that would be good too.
> Something Perl would be perfect, but PHP could be made to work.  Free
> or not would be acceptable.
> 
> Thanks for any ideas.
> 
> -Mauriat
Hi

I suggest sge. It doesn't have a web interface, but a GUI. Or torque.

Regards

mg.



Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Ned Slider
Dag Wieers wrote:
> On Tue, 30 Jun 2009, Radu-Cristian FOTESCU wrote:
> 
>>> Anyway, as I said previously, I would rather see the CentOS
>>> Project concentrate on the core product and do a really good
>>> job on that (i.e, a move closer to the old 4 week release lag
>>> than the current 10 week release lag), and I would much rather
>>> see this than effort diluted by taking on a contrib repo.
>>  
>> Right:
>> http://beranger.org/v3/wordpress/wp-content/uploads/2009/05/useless_chart_rhel5_clones.png
>>  
>>
>>  
>> After all, I love (some) charts from time to time.
> 
> I'd be very interested to have a similar chart of the average delay for 
> updates plotted in time. Not because I think it shows something 
> fantastic, but rather to give us a better target to meet.
> 

Same here.

Maybe something along the lines of the 'days at risk' reports Mark Cox 
produces for RHEL:

http://www.awe.com/mark/blog/
http://www.awe.com/mark/blog/2009012017.html



Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Mihai T. Lazarescu
On Tue, Jun 30, 2009 at 03:43:41PM -0700, Radu-Cristian FOTESCU wrote:

> > I Can not speak for others, but the only time i have
> > seen Karanbir be stern with anyone is when they do
> > deserve it. 
> 
> Well, I've read him saying in various ways and on
> several occasions something that would equate "RTFM",
> only it was put in such an offensive way that even 
> myself, as an external reader, I felt compassion for 
> the poor user who was asking an innocent question 
> just to be slapped over the face.
> 
> > I have no idea what your deal is though with going
> > after anyone and everybody. Do you just love attacking
> > people in general?
> 
> Of course. I also like killing kittens and sodomizing kids.
> 
> If telling to someone that there are issues with "his" repo
> (that was RPMforge and Dag is #1 when comes to RF) is an
> attack, then your world and my world are different, and *your*
> world is broken. Basically, I have been answered that I cannot
> ask for consistency for something that's free unless I help
> fixing the issues. Fair enough.
> 
> But then, if mentioning that KB's repo for EL5 is still having
> *everything* in testing (the repo for EL4 is not in testing, 
> and it even wasn't in testing a few years ago when I was using it)
> is still an attack...
> 
> ...whereas KB's *offending* and *despising* answer (because *this*
> is how he usually replies!) basically says that I am an idiot who
> shouldn't use his repo (only that he wasn't using these exact words,
> so he's technically "politically correct" in the way he's telling 
> people that they're morons that should shut the fsck up) is not an
> attack, huh?
> 
> Well, then raise a statue to the beloved KB, because I'm gonna shut 
> the fuck up. This is not a community, and I know of several people
> who use ScientificLinux not because it's better, but because on their 
> mailing list, their developers *don't* imply that people are morons
> when they spit an answer to the list.
> 
> But now, you're right: should I have the chance to meet KB in person,
> I'd punch him in the face with an infinite pleasure.

Perhaps all boils down to "How To Ask Questions The Smart Way":

http://www.catb.org/~esr/faqs/smart-questions.html

Mihai


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Dag Wieers

On Tue, 30 Jun 2009, Radu-Cristian FOTESCU wrote:


>> Anyway, as I said previously, I would rather see the CentOS
>> Project concentrate on the core product and do a really good
>> job on that (i.e, a move closer to the old 4 week release lag
>> than the current 10 week release lag), and I would much rather
>> see this than effort diluted by taking on a contrib repo.
>
> Right:
> http://beranger.org/v3/wordpress/wp-content/uploads/2009/05/useless_chart_rhel5_clones.png
>
> After all, I love (some) charts from time to time.

I'd be very interested to have a similar chart of the average delay for
updates plotted in time. Not because I think it shows something fantastic,
but rather to give us a better target to meet.


--
--   dag wieers,  d...@wieers.com,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]


Re: [CentOS] Dag's comment at linuxtag

2009-07-01 Thread Dag Wieers
On Tue, 30 Jun 2009, Radu-Cristian FOTESCU wrote:

>> What was the problem with audacious again ?
>
> # yum install audacious
> ...
> Resolving Dependencies
> --> Running transaction check
> ---> Package audacious.i386 0:1.3.2-5.el5.rf set to be updated
> --> Processing Dependency: audacious-plugins >= 1.3.0 for package: audacious
> ...
> --> Missing Dependency: audacious-plugins >= 1.3.0 is needed by package 
> audacious-1.3.2-5.el5.rf.i386 (rpmforge)
> ...
> Error: Missing Dependency: audacious-plugins >= 1.3.0 is needed by package 
> audacious-1.3.2-5.el5.rf.i386 (rpmforge)

My point being: audacious does build, but it has a missing dependency. You 
were referring the whole time to SRPMs that do not build. But you never 
give me an example of one.


>> We publish buildlogs. There is no reason to find it out
>> yourself. I also do not build from the SRPM, I build from
>> the SPEC file directly, so if an SRPM is published, it is
>> because it build fine.
>
> I also build from the SPEC + tarball. I took them from RF and...
> ...they don't build!
>
> When they *did* build, it was maybe 2007. Now it's 2009 and EL5.3
> and... it doesn't build :-(

Care to give an example ? Then I can point you to the buildlog and you 
might be able to find the cause of your problem by comparing ?

Without an example, or without an error of why it does not build I cannot 
even try to fix it.


>> Oh, I agree completely. So when are you going to help us?
>
> When I'll have a better brain able of a better time management
> for my life :-(

The audacious package is willing to wait that long :)


>> If a SRPMS builds under CentOS 5.0 and it doesn't
>> under 5.3, then this package is broken.
>>
>> Ok, you're making it yourself very hard now, but I
>> will accept scripts/tools that can verify this.
>> I don't think any other repository is
>> even doing this though.
>
> Now you're wrong. You must be wrong.
>
> Say, TUV releases EL5.3. I am *sure* they rebuild *all* the
> packages, not only whatever was affected on the way from 5.2->5.3.
>
> This is what *each* and every repo should be doing when EL releases
> a point update: to rebuild EVERYTHING, just to check it still works.
>
> See, this is why I am not a QA manager anywhere: people would commit
> mass suicide under my rule :-)

Maybe the problem is indeed you, and not the repository. You expect too 
much from people who volunteer their own time. As I said now multiple 
times, unless you are not yourself committed to help, why expect someone 
else to do it ?


>> Can you give me an example of an SRPM that doesn't build?
>> Because we have buildlogs of everything, so everything
>> built at least once.
>
> Probably, that comix thing. I only tried to build from
> SPEC + tarball, because these are the *real* sources,
> right?
>
> Then, audacious should be rebuilt to spit out those plugins too.

The plugins belong to another package actually. I don't know what is wrong 
with it, but there are buildlogs.


>> I don't see the point in trying to rebuild everything for
>> RHEL5.3, RHEL5.4.
>
> That's BECAUSE YOUR REPO SAYS "FOR EL5", AND THE CURRENT
> VERSION IS 5.3.
>
> You can't claim compatibility when no check is made!!!

I never claimed any compatibility, no warranty, if it breaks you can 
provide me a patch.

Maybe RPMforge should ask for money for those people who expect more than 
we offer. But I seriously doubt you would pay for it. So what we do is 
best effort, much like any other repository really.


>> Can you please list them. I like statistics.
>
> I can't, because only a freak would try to check 7,600 packages
> on his own laptop! (I doubt I'd even have enough disk space.)

Still you complain about lots of packages that fail to rebuild, but if I 
ask what these are I only get 2 items:

  - audacious has a missing dependency (audacious-plugins)
  - comix SRPM does not rebuild

That's 2 packages, I think we do quite well if that is it :)

-- 
--   dag wieers,  d...@wieers.com,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]


[CentOS] How best to allow users to change Samba passwords?

2009-07-01 Thread Kevin Thorpe
I was wondering if anyone could advise me on this.

I've got two Samba servers, each using passdb.tdb for authentication. 
All works well, but I've now been asked to let users change their own 
passwords (a requirement of data security). What's the best way of 
arranging this, preferably updating both servers at the same time?

thanks


Re: [CentOS] Web photo gallery options

2009-07-01 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Sorin Srbu
>Sent: Wednesday, July 01, 2009 11:26 AM
>To: 'CentOS mailing list'
>Subject: Re: [CentOS] Web photo gallery options
>
>>FYI, gallery2 is available in EPEL for EL-5.
>
>I used the info available at
>http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-enable-epel-repo/ to
>add the EPEL-repo.

Replying to myself... Googled some and found that Gallery2 is most probably
in the Fedora development repo. Now to find how I add this repo to CentOS..

-- 
/Sorin




[CentOS] Playing with php 5.3.0

2009-07-01 Thread Michael A. Peters
Even though I do not recommend it for production yet, I packaged and am 
playing with php 5.3.0 - src.rpm at

http://www.clfsrpm.net/php53/

(needed epel to build)

Other than the suhosin loadable module messing up pear's ability to do 
anything, initial tests show it working fairly well.

Looks like the enchant module is a nogo on CentOS (aspell too old) but 
in the few hours of testing, none of my code (yet) is broken in it.

There are some warnings in the log files w/ respect to squirrelmail and 
setting time zone (stock centos squirrelmail), I'll have to look into 
that, and the php src.rpm there actually has a minor bug - it should 
obsolete/provide pecl-Fileinfo, but I'll wait for suhosin to come up 
with their patch to core php before I bother to update.

Anyway, it's there for anyone who feels like playing with 5.3.0 to see 
what breaks, you just need to rebuild the src.rpm.


Re: [CentOS] Web photo gallery options

2009-07-01 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Ray Van Dolson
>Sent: Wednesday, July 01, 2009 12:12 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Web photo gallery options
>
>FYI, gallery2 is available in EPEL for EL-5.

I used the info available at
http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-enable-epel-repo/ to
add the EPEL-repo.

r...@kadath ~ [0 jobs]# yum repolist
Loaded plugins: allowdowngrade, changelog, downloadonly, fastestmirror,
kernel-module, priorities, protectbase, tsflags, versionlock
Loading mirror speeds from cached hostfile
 * epel: mirrors.se.eu.kernel.org
 * rpmforge: apt.sw.be
 * contrib: mirror.ii.uib.no
 * base: mirror.ii.uib.no
 * updates: mirror.ii.uib.no
 * addons: mirror.ii.uib.no
 * extras: mirror.ii.uib.no
repo id      repo name                                 status
addons       CentOS-5 - Addons                         enabled :      0
base         CentOS-5 - Base                           enabled :  2,508
contrib      CentOS-5 - Contrib                        enabled :      0
epel         Extra Packages for Enterprise Linux 5 -   enabled :  4,377
extras       CentOS-5 - Extras                         enabled :    311
rpmforge     Red Hat Enterprise 5 - RPMforge.net - da  enabled :  8,852
updates      CentOS-5 - Updates                        enabled :    311
repolist: 16,359
r...@kadath ~ [0 jobs]#

r...@kadath ~ [0 jobs]# yum install *gallery*
Loaded plugins: allowdowngrade, changelog, downloadonly, fastestmirror,
kernel-module, priorities, protectbase, tsflags, versionlock
Loading mirror speeds from cached hostfile
 * epel: mirrors.se.eu.kernel.org
 * rpmforge: apt.sw.be
 * contrib: mirror.ii.uib.no
 * base: mirror.ii.uib.no
 * updates: mirror.ii.uib.no
 * addons: mirror.ii.uib.no
 * extras: mirror.ii.uib.no
0 packages excluded due to repository protections
Reading version lock configuration
Setting up Install Process
Parsing package install arguments
No package *gallery* available.
Nothing to do
r...@kadath ~ [0 jobs]#

You sure about Gallery2 being available in EPEL5? Or did you literally mean
EPEL5 and not EPEL5.3? 8-}

-- 
/Sorin




Re: [CentOS] Web photo gallery options

2009-07-01 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of John R Pierce
>Sent: Wednesday, July 01, 2009 12:19 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Web photo gallery options
>
>Ray Van Dolson wrote:
>> On Wed, Jun 24, 2009 at 3:57 AM, Sorin Srbu wrote:
>>
>>> So far I've come across a project called Gallery2, that seems to do
>>> what I want. Downside is that no rpm-packages are available with yum
>>> with this one.
>>>
>>
>> FYI, gallery2 is available in EPEL for EL-5.
>>
>
>gallery2 requires PHP, a SQL database, and a lot of server side
>support.   IIRC, the original poster said he had none of those.

It's doable, but will require some work and time.

-- 
/Sorin




Re: [CentOS] server is always getting hacked

2009-07-01 Thread John R. Dennison
On Wed, Jul 01, 2009 at 01:20:50AM -0700, Michael A. Peters wrote:
> 
> What would be a security enhancement would be to borrow the bsd su which 
> only allows you to su to root from a wheel group account.

Take a look at /etc/pam.d/su; the ability of restricting
su to root for accounts that only exist as a member of
group "wheel" already exists.





John

-- 
We have joy, we have fun, we have Linux on our Sun! - Ralf Hildebrandt




Re: [CentOS] server is always getting hacked

2009-07-01 Thread Michael A. Peters
Michael A. Peters wrote:
> Sander Snel wrote:
> 
>> 10. use sudo instead of su -
> 
> How does that help?

I still don't understand how using sudo instead of su makes it more secure.

If the user does not have the root password then the only danger to su - 
is brute force from local account, but you can protect against that, and 
the same issue exists with sudo.

With sudo, very often the password is same as the admin's password - so 
if the admin account is brute forced the cracker then can use sudo to 
gain root.

What would be a security enhancement would be to borrow the bsd su which 
only allows you to su to root from a wheel group account.

I never understood why gnu su didn't implement that.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
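
An added example, not part of the original thread: a shell function that reads a PAM su service file, such as the /etc/pam.d/su that John R. Dennison's reply points to, and reports whether the wheel-group restriction Michael A. Peters asks for is enforced, trust-only, inverted by `deny`, left commented out, or absent. The function name and the sample files are constructed for illustration, with a layout that is assumed rather than copied from a real host; only plain control keywords are parsed, not bracketed `[value=action]` controls.

```shell
# Added example: classify how a PAM "su" service file uses pam_wheel.so.
# Prints one of: enforced | trust-only | deny-mode | disabled | absent
pam_wheel_state() {
    awk '
        {   # Normalise the line and note whether it is commented out.
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = (line ~ /^#/)
            sub(/^#[ \t]*/, "", line)
            n = split(line, f, /[ \t]+/)
        }
        # Only auth-stack lines that load pam_wheel.so matter here.
        n >= 3 && f[1] == "auth" && f[3] ~ /pam_wheel\.so$/ {
            if (commented) { seen_commented = 1; next }
            deny = 0; topt = 0
            for (i = 4; i <= n; i++) { if (f[i] == "deny") deny = 1; if (f[i] == "trust") topt = 1 }
            if (deny) inverted = 1            # deny flips the test: members are refused
            else if (f[2] == "required" || f[2] == "requisite") enforced = 1
            else if (f[2] == "sufficient" && topt) trust = 1   # members skip the password
            # any other control never blocks non-members, so it is not counted
        }
        END {
            if (enforced) print "enforced"
            else if (inverted) print "deny-mode"
            else if (trust) print "trust-only"
            else if (seen_commented) print "disabled"
            else print "absent"
        }
    ' "$1"
}

# Constructed sample files (assumed layout, not copied from a real host).
SAMPLES=$(mktemp -d)
printf '%s\n' \
    'auth       sufficient   pam_rootok.so' \
    '#auth      sufficient   pam_wheel.so trust use_uid' \
    '#auth      required     pam_wheel.so use_uid' \
    'auth       include      system-auth' > "$SAMPLES/su.stock"
printf '%s\n' \
    'auth       sufficient   pam_rootok.so' \
    'auth       required     pam_wheel.so use_uid' \
    'auth       include      system-auth' > "$SAMPLES/su.hardened"

for f in "$SAMPLES"/su.*; do
    printf '%s: %s\n' "${f##*/}" "$(pam_wheel_state "$f")"
done
```

On a live host, call `pam_wheel_state /etc/pam.d/su`; a result of `trust-only` means wheel members can become root without entering a password, which is a different property from restricting who may use su.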