Finer-grained securelevel: proof of concept
Patches are available from http://www.freebsd.org/~des/. This is strictly proof-of-concept; the patches demonstrate that fine-grained security knobs can be implemented with minimal code impact. No documentation is provided, RTFS. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: soundcard.h
Dan Nelson wrote:
>
> In the last episode (Oct 20), Jeroen Ruigrok/Asmodai said:
> > just been messing with some more include files and I am curious about
> > something.
> >
> > [Note: CURRENT system]
> >
> > I have a soundcard.h in both include/sys and include/machine.
> >
> > Which should have preference over the other, why does one simply not
> > include the other. In other words, why two _exactly_ the same files?
>
> Actually on my system it's a symlink. My guess is that some committer
> was sick of patching every Linux app from to
> .
soundcard.h has been moved by Peter from machine/ to sys/. A commit logs
tells us:
\begin{quote}
-> , since it's an exported API
that's arch neutral and OSS API and Linux API compatable.
\end{quote}
The link is to prevent breakages. Use #include in new
source code.
--
Marcel Moolenaarmailto:[EMAIL PROTECTED]
SCC Internetworking & Databases http://www.scc.nl/
The FreeBSD projectmailto:[EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
Re: Class C hack instead of ifconfig aliases
> 1. in your webserver: >a. ipfw add fwd localhost from any to 1.2.3/24 http Clever - I likes it. > - I don't think arp will work on 1.2.3/24 addresses, which is why the > route needs to be added to the router. This is becoming pretty off-topic, but having thousands of arp entries floating around on a network is also arguably a bad idea for the same reason as having thousands of IP addresses hanging off a single interface. I normally configure ip aliases off lo0 and use gated to announce the networks to the world and drop packets destined to unconfigured hosts. This is generally a cleaner and more flexible configuration to use. Nick To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
test
test to see if my inverse DNS is fixed. -- Edward Elhauge <[EMAIL PROTECTED]> | "I ask, sir, what is the militia? Uncanny Inc., San Francisco| It is the whole people, except for | a few public officials" -- George Mason To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Finer-grained securelevel: proof of concept
On 21 Oct 1999, Dag-Erling Smorgrav wrote: > Patches are available from http://www.freebsd.org/~des/. This is > strictly proof-of-concept; the patches demonstrate that fine-grained > security knobs can be implemented with minimal code impact. No > documentation is provided, RTFS. Very clean, pretty, etc -- only one object: please call it something other than capabilities :-). I already have a POSIX.1e kern_cap in the wings, and POSIX.1e has a very specific definition and interface for capabilities that refers to specific sets of rights, and is a per-process kind of thing. Maybe this is fgsecurelevel or something. To merge the two a little, I'd modifiable IS_CAPABLE() to accept a process as well as a description of the desired action, and because most of the ones (if not all) you've looked at are fairly infrequent, I'd be tempted to follow Eilvind's string-based hierarchal capability naming -- "kern.vfs.ffs.mount", "kern.socket.bind.tcp.25", "kern.socket.listen.tcp.25", et al. I believe he posted a missive on the topic on -arch a while back so it should be in the archives. BTW, it seems like what we really want is not securelevels, but some sort of Biba-like MAC integrity policy. I.e., stuff used during boot has high integrity, and the resources that can influence the high integrity component of the system should not be modifiable by lower integrity components except through specific and carefully monitored channels. I.e., each runlevel drops the integrity level of the initiating process by one level, meaning that new processes can never recover the old level, and therefore are prohibited from affecting the old level due to MAC. Disk devices, etc, would be marked as high integrity files on disk, so they would only be modifiable by very high integrity processes (Fsck, etc). Attaching a debugger to Init would be prohibited for normal processes, et al. Robert N M Watson [EMAIL PROTECTED] http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: IETF gettogether
On Wed, 20 Oct 1999, Jonathan M. Bresler wrote: > sounds great! let me know which day you all pick and i'll do my best > to meet you there. It has been pointed out to me that Tuesday night is the night of the Social and therefore another evening might be a better choice. How about Wednesday for dinner (1730-1930 EST) before the open plenary? Robert N M Watson [EMAIL PROTECTED] http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Finer-grained securelevel: proof of concept
Good grief, there are a lot of weird gramatical things in that email I sent. I guess that's what I get for not getting enough sleep and then expecting to generate cogent and comprehensible emails first thing in the morning.. The meaning of the email makes it across, though, I think :-) Robert N M Watson [EMAIL PROTECTED] http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Finer-grained securelevel: proof of concept
Robert Watson <[EMAIL PROTECTED]> writes: > Very clean, pretty, etc -- only one object: please call it something other > than capabilities :-). [deletia] Please read the thread on -security and -arch that lead to these patches. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Finer-grained securelevel: proof of concept
On 21 Oct 1999, Dag-Erling Smorgrav wrote: > Robert Watson <[EMAIL PROTECTED]> writes: > > Very clean, pretty, etc -- only one object: please call it something other > > than capabilities :-). [deletia] > > Please read the thread on -security and -arch that lead to these > patches. I did--hence my comments. My understanding was you did a proof-of-concept to show that doing a bitmasked enabling of system-wide features was feasible and not all that intrusive. And sure enough, it is true (not that I disagreed with you in the first place) I'm objecting to the use of the terminology "capability", and also suggesting that this should become a more general policy query with whatever policy backend you want--i.e., if (!policy_allow(curproc, "kern.socket")) return(EPERM); The policy manager can then internally represent whatever definition of securelevel it chooses, paying or not paying attention to the passed credentials as it chooses. I'm also suggesting that what we really need is an integrity model and not just a set of feature switches. That is, that a security policy somewhere should describe these relationships between features and integrity of processes and files, and therefore be able to derive from that that certain events should not be allowed to take place--with some help, of course, from information about special files, etc, etc. MAC would be one way of going about doing this. Robert N M Watson [EMAIL PROTECTED] http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
comm doesn't obey current locale collation
Hello,
6 months ago I have sent a 'send-pr' about /usr/bin/comm (Problem Report
bin/11221).
Still there are no follow-ups, no has been this report assigned to any
responsible person.
What might this mean?
forward ---
Problem Report bin/11221
comm doesn't obey current locale collation
Confidential
no
Severity
serious
Priority
medium
Responsible
[EMAIL PROTECTED]
State
open
Class
sw-bug
Submitter-Id
current-users
Arrival-Date
Mon Apr 19 10:40:03 PDT 1999
Last-Modified
never
Originator
Grigoriy Strokin [EMAIL PROTECTED]
Release
FreeBSD 3.1-STABLE i386
Organization
Moscow University
Environment
$LANG set to ru_RU.KOI8-R
Description
Comm produces wrong results when processing 8-bit text files
sorted with /usr/bin/sort according to current locale (ru_RU.KOI8-R)
How-To-Repeat
Unpack the following shar-archive and call
LANG=ru_RU.KOI8-R comm jaa.srt jaa2.srt
Several identical characters will appear
in both first and second column,
whereas this must not occur with
these files that were produced
as output of
LANG=ru_RU.KOI8-R sort
-CUT--
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# jaa.srt
# jaa2.srt
#
echo x - jaa.srt
sed 's/^X//' >jaa.srt << 'END-of-jaa.srt'
Xô
Xõ
Xæ
Xö
Xé
Xç
Xà
Xù
Xü
Xñ
Xý
Xû
Xø
Xá
Xó
END-of-jaa.srt
echo x - jaa2.srt
sed 's/^X//' >jaa2.srt << 'END-of-jaa2.srt'
Xô
Xõ
Xæ
Xè
Xö
Xé
Xç
Xà
Xù
Xü
Xý
Xø
Xá
Xó
END-of-jaa2.srt
exit
Fix
Apply the patch:
--- comm.c.orig Mon Apr 19 16:57:56 1999
+++ comm.c Mon Apr 19 19:45:49 1999
@@ -55,9 +55,29 @@
#include
#include
#include
+#include
+#include
#defineMAXLINELEN (LINE_MAX + 1)
+/* The standard library strcoll, an analog of strcmp that takes into account
+ * the current locale, but strcasecmp does not have such an analog.
+ * So let's define a replacement, locale_dependent_strcasecmp
+ * */
+
+int locale_dependent_strcasecmp(const char *s1, const char *s2)
+{
+ char a1[MAXLINELEN], a2[MAXLINELEN];
+ char *c;
+ for (c = a1; *s1; c++, s1++)
+*c = toupper((unsigned char)(*s1));
+ *c = 0;
+ for (c = a2; *s2; c++, s2++)
+*c = toupper((unsigned char)(*s2));
+ *c = 0;
+ return strcoll(a1, a2);
+}
+
char *tabs[] = { "", "\t", "\t\t" };
FILE *file __P((char *));
@@ -74,7 +94,7 @@
FILE *fp1, *fp2;
char *col1, *col2, *col3;
char **p, line1[MAXLINELEN], line2[MAXLINELEN];
-
+ setlocale(LC_ALL, "");
flag1 = flag2 = flag3 = 1;
iflag = 0;
@@ -139,9 +159,9 @@
/* lines are the same */
if(iflag)
- comp = strcasecmp(line1, line2);
+ comp = locale_dependent_strcasecmp(line1, line2);
else
- comp = strcmp(line1, line2);
+ comp = strcoll(line1, line2);
if (!comp) {
read1 = read2 = 1;
== CUT
--
=== Grigoriy Strokin, Lomonosov University (MGU), Moscow ===
=== contact info: http://isabase.philol.msu.ru/~grg/ ===
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
FreeBSD Driver Database
It took a bit longer to put together than I had planned, but I can finally announce that the FreeBSD Driver Database is on-line at http://www.posi.net/freebsd/drivers/ The inspiration for the site came from a message about a month ago on -hackers to try and coordinate driver developers who need hardware for testing with sysadmins who have spare hardware laying around. The FreeBSD Driver Database allows driver developers to post information about the status of their drivers including needs they may have that could help them in their development efforts. Similarly, sysadmins (well, anyone really) with hardware they are willing to lend to a developer can post details about the hardware and it's availability. In addition, volunteers can signup to test drivers that are currently in development. I tried to implement as much functionality as I could think of, but surely I left something important out. So, as always, suggestions are welcome. Kelly -- Kelly Yancey - [EMAIL PROTECTED] - Richmond, VA Director of Technical Services, ALC Communications http://www.alcnet.com/ Maintainer, FreeBSD Driver Database http://www.posi.net/freebsd/drivers/ Coordinator, Team FreeBSDhttp://www.posi.net/freebsd/Team-FreeBSD/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: soundcard.h
On [19991021 12:00], Sheldon Hearn ([EMAIL PROTECTED]) wrote: >On Wed, 20 Oct 1999 22:19:29 +0200, Jeroen Ruigrok/Asmodai wrote: > >> I have a soundcard.h in both include/sys and include/machine. >> >> Which should have preference over the other, why does one simply not >> include the other. In other words, why two _exactly_ the same files? > >revision 1.97 >date: 1999/09/05 07:58:28; author: peter; state: Exp; lines: +6 -6 >Only install backwards compat symlink for if using >the default SHARED=copies, otherwise the kernel source tree gets modified >if /usr/include/machine is a symlink to the source tree (which is not the >case by default). Nothing in our src tree uses . Pointy hat please. I only looked my means of more, not an actual ls -asl of those directories. Now I noticed the symlink. *sigh* -- Jeroen Ruigrok van der Werven/Asmodai asmodai(at)wxs.nl The BSD Programmer's Documentation Project <http://home.wxs.nl/~asmodai> Network/Security SpecialistBSD: Technical excellence at its best He travels the fastest who travels alone. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: IETF gettogether
On Thu, 21 Oct 1999, you wrote: > On Wed, 20 Oct 1999, Jonathan M. Bresler wrote: > > > sounds great! let me know which day you all pick and i'll do my best > > to meet you there. > > It has been pointed out to me that Tuesday night is the night of the > Social and therefore another evening might be a better choice. > > How about Wednesday for dinner (1730-1930 EST) before the open plenary? That's fine by me... -- Dr Graham WheelerE-mail: [EMAIL PROTECTED] Cequrux Technologies Phone: +27(21)423-6065/6/7 Firewalls/Virtual Private Networks Fax:+27(21)24-3656 Data/Network Security SpecialistsWWW:http://www.cequrux.com/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
aliasing a point-to-point interface
Hi all Is it possible to assign an IP alias to a point to point interface (in my case, a sync PPP interface)? It doesn't seem to be possible, but perhaps I'm missing something... -- Dr Graham WheelerE-mail: [EMAIL PROTECTED] Cequrux Technologies Phone: +27(21)423-6065/6/7 Firewalls/Virtual Private Networks Fax:+27(21)24-3656 Data/Network Security SpecialistsWWW:http://www.cequrux.com/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Staroffice 5.1 on 3.3-RELEASE (how I ended up getting it to work)
This morning I decided to install Staroffice 5.1 on one of my 3.3-RELEASE machines -- previously I had only used the StarDivision version of StarOffice, and only on 4.0. Needless to say, I ran into some bumps, but I figured I'd let people know how I ended up getting it working for me based on plain&simple 3.3-RELEASE, and so that you could put updates on your page if you liked. I largely followed the directions found at: http://www.serv.net/~mcglk/staroffice-install.html which assume 3.2-RELEASE. The differences were that: 1) I skipped the modifications to libosl517li.so, as they caused the infinite setup problem described previously (wherein once a user install is performed, the user is always put back into Setup and prompted to Repair or Deinstall instead of running the Office package). 2) I used ./setup /net to do a central installation, meaning that the default user install is only around 1.7mb instead of the 7mb via the symlink approach, or the 160mb if you actually install it all in each user's directory. Also, I found that the advice to move the 'Fun & More' directory resulted in StarOffice whining about being unable to install files it expected to find, so I left them as they were -- it breaks shell interaction with the files for users who don't know what they're up against, but works fine in the GUI, so... I have not yet figured out how to get rid of the two warning messages at startup, which are irritating but appear not to actually break anything. Robert N M Watson [EMAIL PROTECTED] http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Staroffice 5.1 on 3.3-RELEASE (how I ended up getting it to work)
On Thu, 21 Oct 1999, Robert Watson wrote: > Date: Thu, 21 Oct 1999 13:44:47 -0400 (EDT) > From: Robert Watson <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: Staroffice 5.1 on 3.3-RELEASE (how I ended up getting it to work) > > > This morning I decided to install Staroffice 5.1 on one of my 3.3-RELEASE > machines -- previously I had only used the StarDivision version of > StarOffice, and only on 4.0. Needless to say, I ran into some bumps, but > I figured I'd let people know how I ended up getting it working for me > based on plain&simple 3.3-RELEASE, and so that you could put updates on > your page if you liked. We also have followed the steps you have outlined, and had success getting Star Office installed. The last remaining problem we are having is getting Java support installed. I would prefer to use the FreeBSD Java VM that we have installed (version 1.1.8), but it looks like we need to use the Linux 1.1.7 JVM. I have partially got this working, but it is definitely not right. It crashes frequently, and the 'Java Setup' bookmark still says the JVM is not installed. If everyone is having less luck even getting to this point, I can give you pointers on what we did to get here (boy I hope someone else got further). On a related note, has anyone else tried running this client over a remote connection ? The performance is defintely abysmal. I expected it to be slow, but I was shocked just how bad it was (over 64K lines). We even tried compressing the X-Protocol using DXPC. The performance improved, but it is now only barely usable. It just burns me that the Windows based Citrix system is faster than X. --- Jim C., President | C A R R O L L - N E T, Inc. 201-488-1332| New Jersey's Premier Internet Service Provider www.carroll.com | | Want to grow your business and at the same | time, decrease costs? Ask about the www.message-server.com | Carroll-Net Message Server. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Optimization done in TCP/IP stack
I have put all distribution files on a machine and installed three PCs via FTP from that machine. The installation process should access the same files, the buffer cache can be used to improve effieciency on the filesystem side. I am wondering whether some sort of optimization is done on the TCP/IP side in this situation. Do we have to copy data from buffer-cache to mbuf each time we need to send the data over network? As far as I know, the buffer cache has identity associated with it (vnode, block #), but the mbuf does not. Any help is appreciated. -Zhihui To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
profile of tcp
I'm wondering if anyone in this group has done or knows of a good profile of a tcp send going from user mode to bits on the wire. Reason I'm asking is the old "put TCP/IP on the NIC" is once again rearing its head, and I'm hoping there are numbers I can point to (ones that aren't old, that is) about why this may not be the best idea in the world. FreeBSD seems a good choice since it has a pretty reasonable implementation. Thanks ron To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Barcode reader on a scsi tape changer
Anybody hear of this one? To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Barcode reader on a scsi tape changer
In the last episode (Oct 21), Sam Samalin said: > Barcode reader on a scsi tape changer. > Anybody hear of this one? Overland Data's ( http://www.ovrland.com ) LibraryExpress line have a barcode option. And it works really well, too. I printed out some labels using Word and a free 3of9 font and it scanned them in just fine. -- Dan Nelson [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Barcode reader on a scsi tape changer
of course. that is volume tags On Thu, 21 Oct 1999, Sam Samalin wrote: > Anybody hear of this one? > > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-hackers" in the body of the message > To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
3.3 Driver for Qualstar TLS 4000 tape changer?
I need this driver because the standard one lacks barcode support. Either wise I'll have to port the hack of the 2.2.8 driver. Any one know of one? To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: 3.3 Driver for Qualstar TLS 4000 tape changer?
This is nonsense. See the chio man page. Primary volume tag is barcode. On Thu, 21 Oct 1999, Sam Samalin wrote: > I need this driver because the standard one lacks barcode support. > Either wise I'll have to port the hack of the 2.2.8 driver. Any one > know of one? > > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-hackers" in the body of the message > To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Finer-grained securelevel: proof of concept
In message <[EMAIL PROTECTED]>, Robert Watson writes: >On 21 Oct 1999, Dag-Erling Smorgrav wrote: > >> Patches are available from http://www.freebsd.org/~des/. This is >> strictly proof-of-concept; the patches demonstrate that fine-grained >> security knobs can be implemented with minimal code impact. No >> documentation is provided, RTFS. > >Very clean, pretty, etc -- only one object: I have been talking to a lot of people over here, and one common thing seems to be that they want to be able to set these things differently on a "per jail" basis. I actually think we should not get into the jail thing, but rather make them inheritable like other credentials, so the structure containing the stuff should hang of the proc structure, and hey wait, we already have this "struct ucred" hanging there. -- Poul-Henning Kamp FreeBSD coreteam member [EMAIL PROTECTED] "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
volume tag does barcodes?
The volume tags of the ch driver and chio works on a scsi tape changer (Qualstar TLS 4000) reads barcodes? To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Finer-grained securelevel: proof of concept
On Fri, 22 Oct 1999, Poul-Henning Kamp wrote: > In message <[EMAIL PROTECTED]>, Robert > Watson writes: > >On 21 Oct 1999, Dag-Erling Smorgrav wrote: > > > >> Patches are available from http://www.freebsd.org/~des/. This is > >> strictly proof-of-concept; the patches demonstrate that fine-grained > >> security knobs can be implemented with minimal code impact. No > >> documentation is provided, RTFS. > > > >Very clean, pretty, etc -- only one object: > > I have been talking to a lot of people over here, and one common > thing seems to be that they want to be able to set these things > differently on a "per jail" basis. > > I actually think we should not get into the jail thing, but rather > make them inheritable like other credentials, so the structure > containing the stuff should hang of the proc structure, and hey > wait, we already have this "struct ucred" hanging there. At one point I submitted patches for a p->p_authext void pointer for kernel modules that want to maintain their own security contexts -- unfortunately, it never went in, and now that I've given it some though, perhaps a registration system makes more sense -- i.e., modules register a unique magic number and can access it via a hash/etc when they need it. One can imagine, actually, a chain of authorizers being queried for security-sensitive operations, each of which stores some of its own credentials... This might fit into my kernel tokens architecture, but that might also be a bit heavy-weight (it does have the inheritence properties you mention, however). The other approach for jails is the virtual machine approach--don't treat it so much as security, as much as accessible resources accessed as though by fd's -- interfaces or virtual interfaces are mapped to logical interfaces within virtual machines -- it's not so much as they are not permitted to access the resource, as much as they are unable to access it. One could imagine during the jail creation procedure-- j = jail_new(); jail_add_if(j, "ed0.inet.128.2.35.50", "eth0"); jail_add_if(j, "xl0", "eth1"); jail_enter(j); Etc. Doesn't fit well into the current jail model, which might fit the authorization token approach -- a token or capability represented as a token authorizing binding. Robert N M Watson [EMAIL PROTECTED] http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Optimization done in TCP/IP stack
On Thu, 21 Oct 1999, Zhihui Zhang wrote: > > I have put all distribution files on a machine and installed three PCs via > FTP from that machine. The installation process should access the same > files, the buffer cache can be used to improve effieciency on the > filesystem side. I am wondering whether some sort of optimization is done > on the TCP/IP side in this situation. Do we have to copy data from > buffer-cache to mbuf each time we need to send the data over network? As > far as I know, the buffer cache has identity associated with it (vnode, > block #), but the mbuf does not. > > Any help is appreciated. You can use "sendfile" to accomplish zero copy file transfer. -Alfred To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Class C hack instead of ifconfig aliases
Geoff Buckingham <[EMAIL PROTECTED]> wrote: > >In an effort to avoid what may follow, I fully appreciate HTTP 1.1 vhosting >is much more appropriate in many situations, this does not however >remove the need for large scale conventional virtual hosting alltogether. I'll also mention SSL, since it requires an IP address per virtual host. Tony. -- dot it at To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Class C hack instead of ifconfig aliases
Matthew Reimer <[EMAIL PROTECTED]> wrote: >Here's a way to do it without patches: > >1. in your webserver: > a. ipfw add fwd localhost from any to 1.2.3/24 http > b. add sections, like this: If you're using enough IP addresses to make this trick worthwhile then you're probably interested in mod_vhost_alias which is new in Apache 1.3.9. >Pros: > >- no need to 'ifconfig xyz alias...'. Big deal -- you still have to use an ipfw command instead. >- address matching is fast, since only a few ipfw rules are checked, > rather than lists of hundreds or thousands of IP addresses The NETALIAS patch (PR#12071) is smaller and faster than turning on IPFIREWALL and IPFIREWALL_FORWARD. Tony. -- the .@ person To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: ftpmirror proxy
Hi, You can use ftpmirror-1.9x to transfer FTP archives via squid proxy, with `http-proxy' configuration: http-proxy = squid.server.name:3128 But, please remind that there are some truoble. The most serious problem is that squid proxy replaces `\n' to `\r\n' when it transfers text files. This cause a problem when we are getting files such as `*.cc' or `*.txt'. I mean, we can get bin.aa, bin.ab, bin.ac, ... normally, but we can't get correct `bin.cc' file. -ikuo From: Richard Puga <[EMAIL PROTECTED]> Subject: ftpmirror proxy Date: Sat, 16 Oct 1999 05:36:36 -1000 > I realy like ftpmirror it is a great program. > > I was wondering if ftpmirror can use a squid proxy server which runs on > port 3128? > Is there a way to use ftp-gateway on a specific port? > > below is a sampe of the configurations I have tried. > > Thank you for your time > > Richard Puga > [EMAIL PROTECTED] > > ftp-user = anonymous > ftp-pass = [EMAIL PROTECTED] > ftp-stats = yes > temp-directory = /usr/tmp > > package = FreeBSD > ftp-server = ftp.freebsd.org > # ftp-gateway = ftp.squid.proxy.server 3128 > ftp-gateway = ftp.squid.proxy.server :3128 > remote-directory = /pub/FreeBSD > local-directory = /usr/var/ftp/pub/FreeBSD > transfer-file-regexp += !/\/core$/ > transfer-file-regexp += !/\.core$/ > transfer-file-regexp += !/\/\ko-/ > transfer-file-regexp += !/\/\ja-/ > transfer-file-regexp += !/\/\zh-/ > transfer-directory-regexp += !/\/CERT\/$/ > transfer-directory-regexp += !/\/releases\/alpha\/$/ > transfer-directory-regexp += !/\/development\/$/ > transfer-directory-regexp += !/\/doc\/mailing\-lists\/$/ > transfer-directory-regexp += !/\/ports\/alpha\/$/ > transfer-directory-regexp += > !/\/ports\/i386\/packages\-3\.0\-aout\/$/ > transfer-directory-regexp += > !/\/branches\/\-current\/XF86333\/$/ > transfer-directory-regexp += > !/\/branches\/\-current\/packages\-aout\/ > > To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: aliasing a point-to-point interface
On Thu, Oct 21, 1999 at 06:50:07PM +0200, Graham Wheeler wrote: > Hi all > > Is it possible to assign an IP alias to a point to point interface (in my case, > a sync PPP interface)? It doesn't seem to be possible, but perhaps I'm > missing something... Yup, that's possible but is somewhat tricky: # ifconfig ptpN inet X.X.X.X X.X.X.X alias # route delete -host X.X.X.X # route add -host X.X.X.X -gateway 127.1 # ping X.X.X.X Cheers, -- Ruslan Ermilov Sysadmin and DBA of the [EMAIL PROTECTED]United Commercial Bank, [EMAIL PROTECTED] FreeBSD committer, +380.652.247.647Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Finer-grained securelevel: proof of concept
Robert Watson <[EMAIL PROTECTED]> writes: > On 21 Oct 1999, Dag-Erling Smorgrav wrote: > > Robert Watson <[EMAIL PROTECTED]> writes: > > > Very clean, pretty, etc -- only one object: please call it something other > > > than capabilities :-). [deletia] > > Please read the thread on -security and -arch that lead to these > > patches. > I did--hence my comments. You seem to have missed the part that says "this should be integrated with process-level and user-level capabilities". DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
