Re: [jail] Allowing root privledged users to renice
On Sun, May 27, 2012 at 05:33:30PM -0600, Jamie Gritton wrote:
> On 05/25/12 10:48, Sean Bruno wrote:
> > I've been toying with the idea of letting jails renice processes ... how dangerous and/or stupid is this idea?
> >
> > //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 - /home/seanbru/ybsd_9/src/sys/kern/kern_jail.c 270a271,275 + int jail_allow_renice = 0; + SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW, +jail_allow_renice, 0, +Prison root can renice processes); 3857a3863,3865 + case PRIV_SCHED_SETPRIORITY: + if (!jail_allow_renice) + return (EPERM);
>
> Considering they can only renice their own stuff, and could always just start a new process anyway, I see very little reason to deny this.

But the -niced process affects the whole system.
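Review bot: In the first hunk (270a271,275), allow_renice is a single CTLFLAG_RW integer under _security_jail, so setting it lifts the PRIV_SCHED_SETPRIORITY restriction for every jail on the host at once rather than for one chosen jail. A per-jail allow flag would let the administrator grant this to a single jail and leave the rest restricted. As the lines appear here, the SYSCTL_INT call also passes jail_allow_renice without an address-of operator and its description is not a quoted string; both are worth checking against the actual file before this is committed, and the new knob needs an entry in the jail documentation.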
pxe + nfs + microsoft dhcp
Dear list readers,

I am having a problem with pxe loader on FreeBSD 9.0 i386 release. No matter what value I put for DHCP option 017 (Root Path) in Microsoft DHCP server, pxe always sets root path:

pxe_open: server path: /

I've read src/sys/boot/i386/libi386/pxe.c as instructed in handbook, and I learned there that root path is a failover value which gets set if no valid value is supplied by DHCP server. At first I thought that Microsoft DHCP does not send it but I confirmed with windump it does:

--
15:46:49.505748 IP (tos 0x0, ttl 128, id 6066, offset 0, flags [none], proto: UDP (17), length: 392) dhcp.domain.tld.67 255.255.255.255.68: [bad udp cksum 4537!] BOOTP/DHCP, Reply, length 364, xid 0xdcdb5309, Flags [ none ] (0x)
    Your-IP 192.168.218.32
    Server-IP dhcp.domain.tld
    Client-Ethernet-Address 00:19:db:db:53:09 (oui Unknown)
    file FreeBSD/install/boot/pxeboot
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: Offer
      Subnet-Mask Option 1, length 4: 255.255.255.0
      RN Option 58, length 4: 345600
      RB Option 59, length 4: 604800
      Lease-Time Option 51, length 4: 691200
      Server-ID Option 54, length 4: dhcp.domain.tld
      Default-Gateway Option 3, length 4: gate.domain.tld
      Domain-Name-Server Option 6, length 4: dhcp.domain.tld
      Domain-Name Option 15, length 1: ^@
      RP Option 17, length 42: 192.168.218.32:/b/tftpboot/FreeBSD/install/^@
      BF Option 67, length 29: FreeBSD/install/boot/pxeboot^@
--

I do not understand code well enough to fix it, or at least send pxeloader static value of /b/tftpboot/FreeBSD/install/, so if someone would instruct me how to do it I would be very grateful.

Thank you in advance for your help.

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to freebsd-hackers-unsubscr...@freebsd.org
Re: [jail] Allowing root privledged users to renice
On Fri, May 25, 2012 at 10:23:53AM -0700, Julian Elischer wrote:
> On 5/25/12 10:04 AM, Bjoern A. Zeeb wrote:
> > On 25. May 2012, at 16:48 , Sean Bruno wrote:
> > > I've been toying with the idea of letting jails renice processes ... how dangerous and/or stupid is this idea?
> > >
> > > //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 - /home/seanbru/ybsd_9/src/sys/kern/kern_jail.c 270a271,275 + int jail_allow_renice = 0; + SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW, +jail_allow_renice, 0, +Prison root can renice processes); 3857a3863,3865 + case PRIV_SCHED_SETPRIORITY: + if (!jail_allow_renice) + return (EPERM);
> >
> > I think sysctls are a bad idea given jails have per-jail flags these days.
> >
> > Maybe also only allow re-nicing to be nicer but not less nice?
>
> for sure! start a jail with its max priority and the root within can allow nicer priorities only.. you can always add priority from the master (parent) environment outside.

Unless I seriously misunderstood something, that's the case right now. That is, PRIV_SCHED_SETPRIORITY matters only if resulting nice parameter would be lower.

--
Mateusz Guzik mjguzik gmail.com
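Review bot: In the second hunk (3857a3863,3865), the new case has only a deny path: when jail_allow_renice is nonzero nothing follows the if, so control falls through into whatever case label comes next in the switch and the result depends on that neighbour. Make the allow path explicit by adding `return (0);` after the `return (EPERM);` branch. The check also places no bound on how far a jailed root may lower a nice value once the flag is on, which is the host-wide effect raised in the replies; a comment stating that this is intended would help the next reader.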
Re: nvidia-driver-295.49 is highly unstable
On Sun, 27 May 2012 11:46:23 -0500, y...@rawbw.com wrote:
> After the recent system upgrade that brought nvidia-driver-295.49 my system began to malfunction. Xorg randomly freezes and gets to 100% CPU (in kde4), switching back from the black terminal takes 30 seconds, some windows don't repaint while windows effects are on, etc.
> Switching back to 295.05.09 from Feb 11, 2012 fixed the problem.
>
> 9400GT
>
> I can't believe this is only my problem. I think the version should be rolled back until the problem is fixed.

Hmmm I think this is exactly my problem. My desktop at home is working fine, but it's a 4xx and my work machine is a 9xxx. I honestly thought it was a flash problem because it seems to happen most on pages that have flash content.
Re: Activating libssp
Hi Mel,

On Sun, May 27, 2012 at 08:15:02PM +0200, Mel Flynn wrote:
> Hi,
>
> for a port, I'm seeing:
> #ifdef _FORTIFY_SOURCE
> ...
> #endif
>
> I did a bit of reading (http://wiki.debian.org/Hardening) for example, searching through /usr/share/mk/* /usr/include/libssp, /usr/src/gnu/libssp. However, it's not clear to me, where the magic is that pulls in the libssp library that is in /lib. Also - it seems to be part of gcc, so does that mean on systems without gcc, that this library is not available or does clang have a variant?

gnu/lib/libssp is built for compatibility reasons. See
http://svnweb.freebsd.org/base?view=revisionrevision=169718

Our libc provides the necessary symbols.
http://svnweb.freebsd.org/base/head/lib/libc/sys/stack_protector.c

> I do see -fstack-protector is added to CFLAGS by default, so I'm thinking there's some magic somewhere, but I'm just missing the docs that tell me if you add foo to CFLAGS then bar will happen, unless baz.

I'm not sure what you mean, but -fstack-protector is documented in GCC documentation, I suppose it's the same for Clang but I didn't check. You can disable it on FreeBSD by setting WITHOUT_SSP in src.conf(5).

--
Jeremie Le Hen

Men are born free and equal. Later on, they're on their own.
Jean Yanne
Re: pxe + nfs + microsoft dhcp
pacija wrote:
> - Original Message -
> Dear list readers,
>
> I am having a problem with pxe loader on FreeBSD 9.0 i386 release. No matter what value I put for DHCP option 017 (Root Path) in Microsoft DHCP server, pxe always sets root path:
>
> pxe_open: server path: /
>
> I've read src/sys/boot/i386/libi386/pxe.c as instructed in handbook, and I learned there that root path is a failover value which gets set if no valid value is supplied by DHCP server. At first I thought that Microsoft DHCP does not send it but I confirmed with windump it does:
>
> --
> 15:46:49.505748 IP (tos 0x0, ttl 128, id 6066, offset 0, flags [none], proto: UDP (17), length: 392) dhcp.domain.tld.67 255.255.255.255.68: [bad udp cksum 4537!] BOOTP/DHCP, Reply, length 364, xid 0xdcdb5309, Flags [ none ] (0x)
>     Your-IP 192.168.218.32
>     Server-IP dhcp.domain.tld
>     Client-Ethernet-Address 00:19:db:db:53:09 (oui Unknown)
>     file FreeBSD/install/boot/pxeboot
>     Vendor-rfc1048 Extensions
>       Magic Cookie 0x63825363
>       DHCP-Message Option 53, length 1: Offer
>       Subnet-Mask Option 1, length 4: 255.255.255.0
>       RN Option 58, length 4: 345600
>       RB Option 59, length 4: 604800
>       Lease-Time Option 51, length 4: 691200
>       Server-ID Option 54, length 4: dhcp.domain.tld
>       Default-Gateway Option 3, length 4: gate.domain.tld
>       Domain-Name-Server Option 6, length 4: dhcp.domain.tld
>       Domain-Name Option 15, length 1: ^@
>       RP Option 17, length 42: 192.168.218.32:/b/tftpboot/FreeBSD/install/^@
>       BF Option 67, length 29: FreeBSD/install/boot/pxeboot^@

What about getting rid of the ^@ characters at the end of the strings?

rick

> --
> I do not understand code well enough to fix it, or at least send pxeloader static value of /b/tftpboot/FreeBSD/install/, so if someone would instruct me how to do it I would be very grateful.
>
> Thank you in advance for your help.
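The capture in this thread shows option 17 arriving with a NUL (^@) counted inside its value. The following is an added example, not code from the FreeBSD loader or from anyone in the thread: one way a client can walk the options area with bounds checks and accept a value that carries its terminator. The function name dhcp_get_string and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD        0
#define OPT_ROOT_PATH 17
#define OPT_END      255

/* Constructed sample options area (after the magic cookie):
 * option 53 = Offer, option 17 = "10.0.0.1:/r" plus a trailing NUL, end. */
static const uint8_t sample_opts[] = {
    53, 1, 2,
    OPT_ROOT_PATH, 12, '1','0','.','0','.','0','.','1',':','/','r','\0',
    OPT_END
};

/* Copy the value of option `code` into out as a C string.
 * Trailing NULs in the value are dropped; an embedded NUL is rejected.
 * Returns the string length, or -1 if absent, malformed or too long. */
int dhcp_get_string(const uint8_t *opts, size_t len, uint8_t code,
                    char *out, size_t outsz)
{
    size_t i = 0;
    while (i < len) {
        uint8_t c = opts[i++];
        if (c == OPT_PAD) continue;
        if (c == OPT_END) break;
        if (i >= len) return -1;            /* tag without a length byte */
        size_t n = opts[i++];
        if (n > len - i) return -1;         /* value runs past the buffer */
        if (c != code) { i += n; continue; }
        while (n > 0 && opts[i + n - 1] == '\0')
            n--;                            /* terminator sent inside the value */
        if (n == 0 || n >= outsz || memchr(opts + i, '\0', n) != NULL)
            return -1;
        memcpy(out, opts + i, n);
        out[n] = '\0';
        return (int)n;
    }
    return -1;
}

int main(void)
{
    char root[64];
    int n = dhcp_get_string(sample_opts, sizeof(sample_opts), OPT_ROOT_PATH,
                            root, sizeof(root));
    printf("root path (%d bytes): %s\n", n, n < 0 ? "(none)" : root);
    return n < 0;
}
```
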