Re: Mysql in replication setup
Marian Hettwer wrote:
> As soon as replication starts, mysql gets very unresponsive:
>
> -bash-3.1$ time mysqladmin -uroot -p proc stat
> Enter password:
> +----+-------------+-----------+----+---------+------+-----------------------------------------------------------------------+------------------+
> | Id | User        | Host      | db | Command | Time | State                                                                 | Info             |
> +----+-------------+-----------+----+---------+------+-----------------------------------------------------------------------+------------------+
> | 4  | system user |           |    | Connect | 204  | Waiting for master to send event                                      |                  |
> | 5  | system user |           |    | Connect | 8661 | Has read all relay log; waiting for the slave I/O thread to update it |                  |
> | 7  | root        | localhost |    | Query   | 0    |                                                                       | show processlist |
> +----+-------------+-----------+----+---------+------+-----------------------------------------------------------------------+------------------+
> Uptime: 308  Threads: 1  Questions: 6328  Slow queries: 0  Opens: 0  Flush tables: 1  Open tables: 24  Queries per second avg: 20.545
>
> real    0m15.463s
> user    0m0.010s
> sys     0m0.020s
>
> 15 bloody seconds to return mysqladmin proc stat? That ain't good.

Wasn't it that your slave actually had to catch up to the master and replicate all the tables your master had? You don't provide mysql.err logs, etc., and we don't know if it actually replicated your tables or not. I guess from this it did. Let's see: the server was up only 308 seconds, did 20.5 queries per second for that time, which would be your 6328 queries, all of which finished based on this show processlist; it also looks like it finished mirroring and is now waiting for the master to send more. I don't know, but with what we have here, this is how I see it. Maybe I am wrong, but let's see. I have no clue how big your database might be, nor how many tables, etc. The only thing I know is that you installed from packages. Great. Then you started master/slave and it looks like it worked. Then you were trying to query the server, I guess for data maybe, but it had been up only for 5 minutes and, based on the queries listed, it was really busy mirroring the data from the master to the new slave. Wasn't that what it was doing here? So, are you expecting to have all the data ready as soon as you start MySQL on a slave? It looks like you were expecting it to be ready right away. I don't know, but I know this: to query data, it has to be there first.

To me it looks like the box was up 308 seconds and started to mirror the source, updated the databases/tables, maybe creating the indexes as it went (I don't know your data, see), and maybe some of your data was requesting the table to be locked when updated instead of, say, insert delayed or something like that. But now that it's been up for 216000 seconds, how does it work? Is your data mirrored well or not? Any error in the mysql.err file or not? Responsive to queries or not? I just wonder if you expected it to be all mirrored and ready as soon as you issued the start slave.

> I do know MySQL quite well (MySQL 4.1 in fact) and for the OpenBSD installation I followed the guidelines at www.openbsdsupport.org, which was basically just increasing kern.maxfiles and changing /etc/login.conf

There was more than that, including making sure you start the daemon with the class as well, etc.

> http://crivens.terrorteam.de/~rabauke/OpenBSD/MySQL/my.cnf.txt
>
> Ah, I nearly forgot:
>
> -bash-3.1$ sysctl kern.maxfiles
> kern.maxfiles=8096

Did you notice that the suggested configuration has double the allowed files in the kernel compared to the my.cnf configuration? There is a reason for that. See, the top of the document says that when you open about 29 tables, you will get error 9. However you see 64 in the default limits, right? Why do you think that is? The MySQL documentation does explain that mysql always opens two files minimum per table in most cases, so maybe MySQL should rewrite the meaning of max_open_files in the configuration. But anyway, a simple rule of thumb: put twice the number of files in the sysctl limit as you put in my.cnf, not the same as you do here. Not that I think you hit that limit here, as you didn't say anything about error 9, but should you one day start to have lots of tables and come close to this limit, then you will not know why that is.

> -bash-3.1$ sudo su -m _mysql -c "ulimit -a"
> time(cpu-seconds)    unlimited
> file(blocks)         unlimited
> coredump(blocks)     unlimited
> data(kbytes)         1048576
> stack(kbytes)        8192
> lockedmem(kbytes)    635692
> memory(kbytes)       1905588
> nofiles(descriptors) 128
> processes            532

This shows you defined a class _mysql; it doesn't show that your daemon is running using it at this time, however. Don't forget that the man page is clear on th
Re: OpenBSD dedicated hosting
Gilles Chehade wrote:
> Hi misc@, I am looking for companies that provide OpenBSD-powered dedicated hosting. Currently, I am being hosted by a french company which turned out to be as incompetent as can be, and I am willing to switch as soon as possible (preferably before the 25th of September). I have google-d a bit and found out a few companies, but its hard to know in advance which are competent and which will drive me into depression. So I'm turning to you, if you know of companies that do good work, that aren't too expensive and that provide OpenBSD based services, please mail me off-list so I can start digging their offers. Thanks a lot people ;)

Do as you wish and you will find many that run OpenBSD for hosting. But if I may suggest, why don't you give it to: http://www.bsws.de/ You must have heard of it for sure, no? Does the name "Henning Brauer" ring a bell for you? I would be hard pressed to say that you could find a company out there that would/could do a better job, or at a minimum, know what's under the hood! I think if you have the possibility to use some of the services of the same developers that give you OpenBSD, then I don't see why you shouldn't. You don't have to agree with me if you don't see it the same way, but why not? I never compare prices and frankly I wouldn't either; at a minimum you know what you would pay for and you would know it just works! Just a thought! Daniel
Re: Low priority or real coders
Marc Espie [EMAIL PROTECTED] wrote: > Some of us learned to use color to read things faster. > I've learned to read C very quickly without color. I just find color distracting... I know one person who uses color highlighting and has a hard time reading code without it, so I consider it a handicap in his case. I've spent a bit of time with vim's color highlighting and I just find it really, really annoying. -- "Do you even send e-mails?" "I told you, I'm from the Wild West. I write by hand." -- Chuck Norris
Re: USB hard drives
On 2006/09/16 23:49, Default User wrote: > Does OpenBSD 3.9 RELEASE support usb external hard drives? Generally yes, this type of drive is supported by umass(4). If a particular device doesn't work, try again with a -current snapshot, if it still fails then post back here with a complete dmesg, usbdevs -dv, and as much information as you can give about how it fails. > could not determine from the OBSD i386 hardware information > whether such drives are supported. i386.html: "USB Mass Storage devices, i.e., USB floppy drives and USB memory stick controllers (umass)". I think this could do with s/i.e./e.g./ and maybe add something about other supported devices - it works as you'd expect with most IDE-USB bridges connected to hard drives, CD writers, etc.
Help with chroot
I am new to this mailing list but not new to OpenBSD. I have been having some success working with Apache in chroot, but I am trying to experiment with setting up a wiki server (using mediawiki) and am having quite a time of it. I have figured out some of the problems and I am sure I have quite a few more to go, but right now I am struggling with one of the includes. Is there anyone on this list who has set up mediawiki on their OpenBSD or knows where the right place would be to post this question? Thanks in advance K.Mackey
Re: Launching the Internet
On Saturday 16 September 2006 19:56, Juan Pablo Feria Gomez wrote: > looks like [EMAIL PROTECTED] are only for gurus who born knowing everything... > > giving the new users the pointers where to start (as shane message) is > enough... > > or just ignore the message... Well in this case it's pretty clear it's not a real call for help, otherwise you are of course right. (I did reply to it off line). -- Steve Szmidt "To enjoy the right of political self-government, men must be capable of personal self-government - the virtue of self-control. A people without decency cannot be secure in its liberty. From the Declaration Principles
Re: OpenBSD dedicated hosting
> "Gilles" == Gilles Chehade <[EMAIL PROTECTED]> writes: Gilles> I am looking for companies that provide OpenBSD-powered dedicated Gilles> hosting. Currently, I am being hosted by a french company which Gilles> turned out to be as incompetent as can be, and I am willing to switch Gilles> as soon as possible (preferably before the 25th of September). stonehenge.com has been on an openbsd-based dedicated box since april of 2002 at sprocketdata.com. You can ask me privately about details. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 http://www.stonehenge.com/merlyn/> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: Launching the Internet
I read [EMAIL PROTECTED]'s email and felt really bad about taking this so lightly, and not offering real help. So, I have decided to change my ways, and offer you real help. On 9/15/06, dilbert <[EMAIL PROTECTED]> wrote: > > My question is simple- I'm a relative newbie at BSD so please bear with > me. > I'm trying to launch the internet; so I open a terminal and go "percent > sign > 'Internet'" at the prompt > > ie: >%internet Well, see, the "internet" is actually an "internetwork" of networks. What this means is that the Internet is really a bunch of networks, all connected with the tubes that another fella mentioned. But that's besides the point, what's important is that there's a whole bunch of networks out there, and finding out what are the networks out there is a pain in the rear, so what you really want, is something like a list of things, almost a directory of sorts, you know, something like yellow pages. In fact, there is actually a website called yellow pages, and they must be associated with the REAL yellow pages, so, if you need help getting on the Internet, call your local phone company and ask for the REAL yellow pages, and there you go! > and it doesn't work. What gives??!! > > Also "percent sign 'Print'" doesn't work and neither does "percent sign > 'word processor'" Ah. You have made the basic mistake of thinking there are separate applications for different things. Things are modern now. We don't use thousands of tiny utilities to do everything. Microsoft has shown us that all you need is just one application that will handle everything for you. In the unix world, we have learnt this lesson well, and so, let me introduce you to a new way to read email. % emacs If you use emacs, you can not only read your mail, print your documents and do word processing, but you can also make coffee, launch ICBMs, and if you have the correct modules installed, even take over the world! You just need to find out how to enable the secret wizard mode.
How would I launch the internet, the word processor and print a document? > > any help would be appreciated Hope I was of some help. Feel free to ask if you need any more help. Remember, everything can be done from emacs!
Re: OpenBSD dedicated hosting
My team offers it. I personally have been using OpenBSD since 2.3. We also are the only company that is using OpenBSD web servers in an HSphere cluster. Email [EMAIL PROTECTED] with your needs. The data center is in the states (Central Florida). Thanks, Aaron On 9/16/06, Gilles Chehade <[EMAIL PROTECTED]> wrote: Hi misc@, I am looking for companies that provide OpenBSD-powered dedicated hosting. Currently, I am being hosted by a french company which turned out to be as incompetent as can be, and I am willing to switch as soon as possible (preferably before the 25th of September). I have google-d a bit and found out a few companies, but its hard to know in advance which are competent and which will drive me into depression. So I'm turning to you, if you know of companies that do good work, that aren't too expensive and that provide OpenBSD based services, please mail me off-list so I can start digging their offers. Thanks a lot people ;)
Re: Launching the Internet
looks like [EMAIL PROTECTED] are only for gurus who were born knowing everything... giving the new users the pointers where to start (as Shane's message did) is enough... or just ignore the message...
OpenBSD dedicated hosting
Hi misc@, I am looking for companies that provide OpenBSD-powered dedicated hosting. Currently, I am being hosted by a french company which turned out to be as incompetent as can be, and I am willing to switch as soon as possible (preferably before the 25th of September). I have google-d a bit and found out a few companies, but its hard to know in advance which are competent and which will drive me into depression. So I'm turning to you, if you know of companies that do good work, that aren't too expensive and that provide OpenBSD based services, please mail me off-list so I can start digging their offers. Thanks a lot people ;)
USB hard drives
Does OpenBSD 3.9 RELEASE support usb external hard drives? I am considering getting one, like the Seagate 6-Gb "pocket" drive, to back up data from an i386 system, but could not determine from the OBSD i386 hardware information whether such drives are supported.
Re: Low priority or real coders
On 9/15/06 8:09 PM, Chris Cappuccio wrote: I'm really perplexed about how people think that having each line of source code in six different colors somehow makes things clearer. I presume you are pretty often perplexed about people when you meet them? +++chefren
Re: health check for members of round-robin group
On Sat, Sep 16, 2006 at 08:59:27PM +0200, Markus Wernig wrote: > Hi everybody! > > I am looking at implementing a round-robin load-balanced group of > servers behind an OBSD firewall. > > The pf commands would run along the lines > [...] > table persist file /etc/pf.serverlist > rdr on $ext_if proto tcp from any to $virtual_ip port 80 \ >-> round-robin > [...] > > Now the question is, what happens if one of the servers in > /etc/pf.serverlist goes down? I suppose, each nth connection is still > forwarded to it. Apparently, I need to do some sort of health check > periodically (say, every 60 seconds) and remove the faulty server from > and from /etc/pf.serverlist (in case the fw gets reloaded > while the server is still down). > > Now just before I go and hack away at that health check crontab script: > Is anybody aware if such a check mechanism already has been implemented, > maybe in some other form? I'm not aware of such a system, though I am sure some people will have already scripted one. User-level proxies might do what you want, though. Joachim
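One way to do the periodic check Markus describes, as an added example that is not code from this thread: a Python script meant to be run from cron on the firewall. It probes each pool member on TCP port 80, writes the healthy set to /etc/pf.serverlist and replaces the pf table from that file, so a later pf reload agrees with the live table. The table name `servers` and the master list `/etc/pf.serverlist.all` are assumptions (the original post's table name did not survive), and pfctl is only run when `execute=True`, so the logic can be exercised on a box without pf. If every probe fails the script keeps the whole pool, because a fault on the firewall itself (its own uplink, a local resolver) would otherwise empty the table and take the service down harder than one dead backend.

```python
"""Cron-driven health check for a pf round-robin table (added example).

Assumptions: table "servers", master member list in /etc/pf.serverlist.all,
live list in /etc/pf.serverlist, members answer plain TCP on port 80.
pfctl is only executed when execute=True.
"""
import socket
import subprocess
from typing import Iterable, List, Tuple

TABLE = "servers"                      # assumed; the thread's table name was lost
MASTER = "/etc/pf.serverlist.all"      # assumed: every member, dead or alive
SERVERLIST = "/etc/pf.serverlist"      # what pf.conf loads: healthy members only


def read_pool(text: str) -> List[str]:
    """Parse a pf table file: one address per line, '#' comments allowed."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def probe(host: str, port: int = 80, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan(pool: Iterable[str], healthy: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (members to keep, members to drop), preserving pool order.
    If nothing answered, keep everything: an empty table is worse than a
    dead member, and an all-fail result usually means the probe path is broken."""
    pool = list(dict.fromkeys(pool))
    alive = set(healthy)
    keep = [h for h in pool if h in alive]
    if not keep:
        return pool, []
    return keep, [h for h in pool if h not in alive]


def render_serverlist(members: Iterable[str]) -> str:
    """Contents for /etc/pf.serverlist: one address per line, sorted."""
    return "".join(f"{h}\n" for h in sorted(set(members)))


def pfctl_replace_argv(path: str = SERVERLIST, table: str = TABLE) -> List[str]:
    """argv for subprocess.run(): replace the table from the file, no shell."""
    return ["pfctl", "-t", table, "-T", "replace", "-f", path]


def run_check(pool: List[str], port: int = 80, path: str = SERVERLIST,
              execute: bool = False):
    """Probe every member, decide, and (optionally) apply. Returns the plan."""
    healthy = [h for h in pool if probe(h, port)]
    keep, drop = plan(pool, healthy)
    argv = pfctl_replace_argv(path)
    if execute:
        with open(path, "w") as f:
            f.write(render_serverlist(keep))
        subprocess.run(argv, check=True)
    return keep, drop, argv


def start_local_listener() -> Tuple[socket.socket, int]:
    """Stand-in backend on 127.0.0.1 so the script can be tried offline."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Offline demo: one live local listener plus two constructed dead members.
    srv, port = start_local_listener()
    keep, drop, argv = run_check(["127.0.0.1", "192.0.2.11", "192.0.2.12"],
                                 port=port, execute=False)
    print("keep:", keep, "drop:", drop)
    print("would run:", " ".join(argv))
    srv.close()
```

On the real firewall the cron entry would call `run_check(read_pool(open(MASTER).read()), execute=True)` every minute; the master list stays under the administrator's control and a member that recovers is picked up on the next run, which is why the healthy set is written to a separate file rather than edited in place as the question suggested.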
Re: Launching the Internet
On 9/16/06, Don Boling <[EMAIL PROTECTED]> wrote: > > > Dilhole, > > Thanks for teh question. > Hmmm, I think the proper command to "launch the internet" is: > > rm -r \* What would deleting a file named '"' do? -Another DOS user bites the dust
Re: OT: Adaptec SATA Raid controllers
Yeah, sorry Theo, I did post it as OT. I value this group's input greatly, but point taken. -Andy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theo de Raadt Sent: 16 September 2006 20:59 To: Andrew Smith Cc: 'OpenBSD-misc list' Subject: Re: OT: Adaptec SATA Raid controllers You really have come to the wrong mailing list. This is a mailing list about OpenBSD. It is not a mailing list about SATA or SATA reliability. Nor is it a mailing list set up to assist you in fulfilling your contracts. It is about OpenBSD (which you do not mention), and which does not support those controllers you mention. Please stay on topic. > I have just taken a contract at a company to help with driving some > procedure into their IT services to meet their growth demands. As an aside I > have picked up on discussions about number of failures of SATA RAID > subsystems using Adaptec 2610SA controllers provided by HP (running under > various OS). > > > > They actually seem to be getting drives failing at an alarming rate and are > actually getting occasional file system corruptions when this happens > (typically on RAID 5 configurations). > > > > I have never encountered hot swap on SATA before and am wondering if anybody > knows SATA well and can provide some info about SATA reliability in hot plug > environments. > > > > -Andy
Re: Launching the Internet
On 9/15/06, dilbert <[EMAIL PROTECTED]> wrote: > > My question is simple- I'm a relative newbie at BSD so please bear with > me. > I'm trying to launch the internet; so I open a terminal and go "percent > sign > 'Internet'" at the prompt > > ie: >%internet > > and it doesn't work. What gives??!! Dilhole, Thanks for teh question. Hmmm, I think the proper command to "launch the internet" is: rm -r \*
Re: OT: Adaptec SATA Raid controllers
You really have come to the wrong mailing list. This is a mailing list about OpenBSD. It is not a mailing list about SATA or SATA reliability. Nor is it a mailing list set up to assist you in fulfilling your contracts. It is about OpenBSD (which you do not mention), and which does not support those controllers you mention. Please stay on topic. > I have just taken a contract at a company to help with driving some > procedure into their IT services to meet their growth demands. As an aside I > have picked up on discussions about number of failures of SATA RAID > subsystems using Adaptec 2610SA controllers provided by HP (running under > various OS). > > > > They actually seem to be getting drives failing at an alarming rate and are > actually getting occasional file system corruptions when this happens > (typically on RAID 5 configurations). > > > > I have never encountered hot swap on SATA before and am wondering if anybody > knows SATA well and can provide some info about SATA reliability in hot plug > environments. > > > > -Andy
OT: Adaptec SATA Raid controllers
Hi, I have just taken a contract at a company to help with driving some procedure into their IT services to meet their growth demands. As an aside I have picked up on discussions about a number of failures of SATA RAID subsystems using Adaptec 2610SA controllers provided by HP (running under various OS). They actually seem to be getting drives failing at an alarming rate and are actually getting occasional file system corruptions when this happens (typically on RAID 5 configurations). I have never encountered hot swap on SATA before and am wondering if anybody knows SATA well and can provide some info about SATA reliability in hot plug environments. -Andy
Re: Launching the Internet
On Fri, 15 Sep 2006 15:32:58 -0700 (PDT) dilbert <[EMAIL PROTECTED]> spake: > My question is simple- I'm a relative newbie at BSD so please bear with me. > I'm trying to launch the internet; so I open a terminal and go "percent sign > 'Internet'" at the prompt > > ie: >%internet > > and it doesn't work. What gives??!! > > Also "percent sign 'Print'" doesn't work and neither does "percent sign > 'word processor'" > > How would I launch the internet, the word processor and print a document? > > any help would be appreciated > > -James Due to misuse of it by a few bad employees, we have had to temporarily take the internet away. It's sad that the internet is ruined for everyone by a few "bad apples", but until they learn their lesson, the internet will stay locked in my desk drawer. I hope everyone will learn a valuable lesson by this...
health check for members of round-robin group
Hi everybody! I am looking at implementing a round-robin load-balanced group of servers behind an OBSD firewall. The pf commands would run along the lines [...] table persist file /etc/pf.serverlist rdr on $ext_if proto tcp from any to $virtual_ip port 80 \ -> round-robin [...] Now the question is, what happens if one of the servers in /etc/pf.serverlist goes down? I suppose, each nth connection is still forwarded to it. Apparently, I need to do some sort of health check periodically (say, every 60 seconds) and remove the faulty server from and from /etc/pf.serverlist (in case the fw gets reloaded while the server is still down). Now just before I go and hack away at that health check crontab script: Is anybody aware if such a check mechanism already has been implemented, maybe in some other form? thx /markus
FlexRAID, anyone?
Is anyone using LSI Logic's FlexRAID? The archives seem suspiciously quiet on this. Seems nice to add a disk to an array on the fly. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: webbased authpf ?
Joachim Schipper wrote:
> On Fri, Sep 15, 2006 at 02:18:58PM -0500, Victor Camacho wrote:
> > Jeff Quast wrote:
> > > On 9/15/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > > > It would probably be best to let a daemon or cronjob outside the chroot read it; a socket or even a simple pipe in the chroot is sufficient to signal a daemon, or even send the whole IP address.
> > > >
> > > > Of course, this does result in a two-part script, but the separation is likely to be a good thing from a security standpoint.
> > >
> > > This design is mentioned a lot. I understand it, and it would probably be the best solution.
> > >
> > > Does anybody have a simple two-bin C app that communicates over a pipe that functions for this purpose? I suppose I could pull out my Richard Stevens AUP...
> > >
> > > I see this recommended a lot. So somebody had to actually sit down and do this at some point. Care to share?
> >
> > I have two perl scripts that I used to implement wireless Internet access. There are a few holes but it is a work in progress. My next step is to change it to allow users that do not have ssh, access to our network. Some airports only allow port 80 so I need to deal with that.
> >
> > The way the scripts work: PF redirects all users that are not in the goodip table to a default web page. They are asked for a user name and password. When they hit enter, the first script handles the input. The perl script checks the user name and password and if it is correct it sends the IP address over a socket to the access server script that then adds the IP to the goodip table. If the user then enters a new web page then they are directed because PF will now have them in the goodip table.
> >
> > Things that need to be fixed or considered.
> > Consider using authpf.
>
> Not really necessary, is it?

I have not used authpf before and I was not sure if there was any advantage to it.

> > I did not add perl to the Apache chroot. When this is done, will the socket still work?
>
> You do need perl (either /usr/bin/perl or mod_perl, plus supporting files) in the chroot of Apache, or perl scripts won't work. However, sockets work just fine across chroot.

Thanks for the information.

> > I have user name and password in the perl script. This is not secure.
>
> Simply pass whatever the user entered to the second script, and validate there.

Great idea.

> > I have to write a script to clean the goodip table every so often.
>
> Well, and *this* is the reason I didn't try to write something last night; a good solution to this problem would be much appreciated... There are many half-assed solutions. A possible solution is just pinging the host every five seconds and dropping the connection as soon as no return packets are received; this is dependent on the security of the underlying medium, but since the original design already is, that's no biggy. (Of course, this consideration makes this solution much less useful than it appears to be, but again, that's no news.) A solution that might actually work involves Java or some other client-side scripting and authpf.
>
> Joachim

For one application the usage expires at closing time. For the other, the people access the network at all hours and your client-side scripting may be the answer. Thank you very much for your input.

Victor
Re: USB Serial Converter
Antoine Jacoutot wrote: Fred Crowson wrote: However when I try to connect using cu I don't get any output: zaurus:fred /home/fred> cu -l /dev/cuaU0 -s19200 Just a stupid idea, but shouldn't you use ttyU0 instead of cuaU0? I've always used cua as I'm dialing out to the machine on the end of the serial cable - but using the ttyU0 had the same effect, ie no output, but it should work as well. I'm sure this is a chipset issue - as the FT232R has the same product id (0x6001) as the 8U232AM chipset that is supported by uftdi.c Thanks Fred -- OpenBSD on the Zaurus C3200 http://www.crowsons.net/puters/zaurus.php
Re: Launching the Internet
James, On 16/09/2006, at 8:32 AM, dilbert wrote: My question is simple- I'm a relative newbie at BSD so please bear with me. I'm trying to launch the internet; so I open a terminal and go "percent sign 'Internet'" at the prompt ie: >%internet and it doesn't work. What gives??!! It appears from my end that you are trying to use the internets in "big truck" mode. Please remember, the internets "big truck" mode has been deprecated. You should now be using the internets in "series of tubes" mode. Your leaf node is currently blocking the internets. As a result, my internets are currently blocked also. Did you remember to prime the percent commands with the appropriate tilde-hash-bang flush commands first? To force the blockage out? /usr/bin/plunger and /dev/caustic- soda might be able to help you also. Please ">%man afterboot" before doing anything else. You are probably also blocking the OpenBSD developers internets, in which case they will not be able to perform CVS commits. Please hurry, as this may push back the release date of OpenBSD 4.0! I hope this DoS vulnerability will be addressed in OpenBSD 4.0. We users are counting on you James. You are our only hope. Shane J Pearson
Re: Low priority or real coders
What do I care about the size of vim ? My development box has got 1G of real memory, and vim is the most single important tool on that box ! All I care about is that it starts up fast enough, and it does what I need it to do (visual highlights with v, and multiple windows). Heck, it's pretty small compared to what it does. If you want to look at people's development tools these days, have a look at eclipse.
Re: [ way... OT ] ho hum
please do test the new code in a sparc64 container. > Return-Path: [EMAIL PROTECTED] > Delivery-Date: Sun Sep 10 13:24:11 2006 > Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163]) > by cvs.openbsd.org (8.13.6/8.12.1) with ESMTP id k8AJOBsp024771 > for <[EMAIL PROTECTED]>; Sun, 10 Sep 2006 13:24:11 -0600 (MDT) > Received: from openbsd.org (localhost.ucar.edu [127.0.0.1]) > by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id k8AJLUDe005275; > Sun, 10 Sep 2006 13:21:30 -0600 (MDT) > Received: from monaro.kepax.co.uk (monaro.kepax.co.uk [84.19.247.237]) > by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id k8AJIRZ1028994 > for ; Sun, 10 Sep 2006 13:18:27 -0600 (MDT) > Received: from oak.kepax.co.uk (oak.kepax.co.uk [192.168.253.20]) > by monaro.kepax.co.uk (Postfix) with ESMTP id C81E61A > for ; Sun, 10 Sep 2006 20:18:25 +0100 (BST) > Received: by oak.kepax.co.uk (Postfix, from userid 1970) id 753CD7606; Sun, > 10 Sep 2006 20:18:25 +0100 (BST) > Date: Sun, 10 Sep 2006 20:18:25 +0100 > To: misc@openbsd.org > Subject: [ way... OT ] ho hum > Message-ID: <[EMAIL PROTECTED]> > Reply-To: misc@openbsd.org > MIME-Version: 1.0 > Content-Type: text/plain; charset=us-ascii > User-Agent: Mutt/1.5.12-2006-07-14 > From: [EMAIL PROTECTED] (Craig Skinner) > X-Loop: misc@openbsd.org > Precedence: list > Sender: [EMAIL PROTECTED] > > Another weekend at work: > > # uname -a > SunOS X 5.10 Generic_XX sun4u sparc SUNW,Sun-Fire-15000 > # uname -X > System = SunOS > Node = XX > Release = 5.10 > KernelID = Generic_XX > Machine = sun4u > BusType = > Serial = > Users = > OEM# = 0 > Origin# = 1 > NumCPU = 144 > > # id > uid=0(root) gid=0(root) > > > > Maybe one day this could have a great dmesg.., not to mention the > rest of the cluster.
Re: webbased authpf ?
On Fri, Sep 15, 2006 at 02:18:58PM -0500, Victor Camacho wrote:
> Jeff Quast wrote:
> >On 9/15/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> >>It would probably be best to let a daemon or cronjob outside the chroot
> >>read it; a socket or even a simple pipe in the chroot is sufficient to
> >>signal a daemon, or even send the whole IP address.
> >>
> >>Of course, this does result in a two-part script, but the separation is
> >>likely to be a good thing from a security standpoint.
> >
> >This design is mentioned a lot. I understand it, and it would probably
> >be the best solution.
> >
> >Does anybody have a simple two-bin C app that communicates over a pipe
> >that functions for this purpose? I suppose I could pull out my Richard
> >Stevens AUP...
> >
> >I see this recommended a lot. So somebody had to actually sit down and
> >do this at some point. Care to share?
>
> I have two perl scripts that I used to implement wireless Internet access.
> There are a few holes but it is a work in progress. My next step is to
> change it to allow users that do not have ssh, access to our network.
> Some airports only allow port 80 so I need to deal with that.
>
> The way the scripts work:
> PF redirects all users that are not in the goodip table to a default web
> page.
> They are asked for a user name and password. When they hit enter, the
> first script handles the input.
> The perl script checks the user name and password and if it is correct
> it sends the IP address over a socket to the access server script that
> then adds the IP to the goodip table. If the user then enters a new web
> page then they are directed because PF will now have them in the goodip
> table.
>
> Things that need to be fixed or considered.
> Consider using authpf.

Not really necessary, is it?

> I did not add perl to the Apache chroot. When this is done, will the
> socket still work?

You do need perl (either /usr/bin/perl or mod_perl, plus supporting files) in the chroot of Apache, or perl scripts won't work. However, sockets work just fine across chroot.

> I have user name and password in the perl script. This is not secure.

Simply pass whatever the user entered to the second script, and validate there.

> I have to write a script to clean the goodip table every so often.

Well, and *this* is the reason I didn't try to write something last night; a good solution to this problem would be much appreciated... There are many half-assed solutions. A possible solution is just pinging the host every five seconds and dropping the connection as soon as no return packets are received; this is dependent on the security of the underlying medium, but since the original design already is, that's no biggy. (Of course, this consideration makes this solution much less useful than it appears to be, but again, that's no news.) A solution that might actually work involves Java or some other client-side scripting and authpf.

Joachim
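The two-part layout Joachim recommends, together with his follow-up advice (validate credentials in the second process, not in the chrooted CGI, and age entries out of the goodip table), as an added example in Python rather than the posters' Perl: the CGI inside the Apache chroot only writes one line, `ip user password`, to a socket; the daemon outside the chroot parses it strictly, checks the password against a salted hash, and only then builds the pfctl command. The `goodip` table name is from the thread; the 15-minute TTL, the user store and the request line format are assumptions made for the example. `demo_exchange` drives both ends over a socketpair so the flow runs on a box without pf, and pfctl is never executed here: the returned argv is what a real daemon would hand to subprocess.run, without a shell, so a crafted "address" cannot turn into extra pfctl arguments.

```python
"""Daemon side of a web login that feeds a pf table (added example).

Runs outside Apache's chroot. The CGI in the chroot forwards one line,
"<ip> <user> <password>\n", over a socket; all checks happen here.
Table name "goodip" is from the thread; TTL, users and line format are
assumptions for the example. pfctl is never run in this file.
"""
import hashlib
import hmac
import ipaddress
import socket
import time
from typing import Dict, List, Optional, Tuple

TABLE = "goodip"
TTL = 15 * 60                        # assumed session lifetime, seconds


def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: salted hashes instead of plaintext in the script.
USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("s4lt", _pw_hash("s4lt", "correct horse")),
}


def check_password(user: str, password: str) -> bool:
    """Constant-time compare; hash even for unknown users so a missing
    account is not distinguishable by response time."""
    salt, digest = USERS.get(user, ("", _pw_hash("", "")))
    return user in USERS and hmac.compare_digest(_pw_hash(salt, password), digest)


def parse_request(line: str) -> Tuple[str, str, str]:
    """Strictly parse 'ip user password'. Raises ValueError on anything odd,
    so e.g. '192.0.2.7;pfctl -F all' never reaches pfctl."""
    parts = line.rstrip("\n").split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request")
    ip, user, password = parts
    ipaddress.IPv4Address(ip)            # ValueError unless a clean IPv4 literal
    if not user.isalnum():
        raise ValueError("bad user name")
    return ip, user, password


def pfctl_argv(action: str, ip: str) -> List[str]:
    """argv for subprocess.run(): no shell, so nothing is reinterpreted."""
    if action not in ("add", "delete"):
        raise ValueError(action)
    return ["pfctl", "-t", TABLE, "-T", action, ip]


class GoodIpTable:
    """Mirror of the pf table with expiry times, so entries can be aged out."""

    def __init__(self) -> None:
        self.entries: Dict[str, float] = {}

    def grant(self, ip: str, now: float) -> List[str]:
        self.entries[ip] = now + TTL
        return pfctl_argv("add", ip)

    def expire(self, now: float) -> List[List[str]]:
        """Return the pfctl deletes for every entry whose TTL has passed."""
        gone = sorted(ip for ip, exp in self.entries.items() if exp <= now)
        for ip in gone:
            del self.entries[ip]
        return [pfctl_argv("delete", ip) for ip in gone]


def handle(line: str, table: GoodIpTable, now: float) -> Tuple[str, Optional[List[str]]]:
    """One request: returns (reply for the CGI, pfctl argv or None)."""
    try:
        ip, user, password = parse_request(line)
    except ValueError:
        return "ERR malformed", None
    if not check_password(user, password):
        return "ERR denied", None
    return "OK", table.grant(ip, now)


def demo_exchange(line: str, table: GoodIpTable, now: Optional[float] = None):
    """Both ends in one process: 'cgi' writes the line, 'daemon' answers."""
    cgi, daemon = socket.socketpair()
    cgi.sendall(line.encode())
    request = daemon.makefile("r").readline()
    reply, argv = handle(request, table, time.time() if now is None else now)
    daemon.sendall(reply.encode())
    daemon.close()
    answer = cgi.recv(64).decode()
    cgi.close()
    return answer, argv
```

A production daemon would listen on a Unix socket that is bind-mounted or created inside the chroot, loop over `expire()` every minute, and run the returned argv lists; the CGI never sees the password store or pfctl. authpf remains the simpler answer when clients have ssh, which is what Joachim's last paragraph is getting at.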
Re: Low priority or real coders
On Fri, Sep 15, 2006 at 11:09:03AM -0700, Chris Cappuccio wrote: > My faith in the non-Improved vi is reinforced every time I see > someone using vim with color syntax highlighting. Highlighting > makes source code impossible to read to someone who isn't used ^ > to it. I'm really perplexed about how people think that having ^ > each line of source code in six different colors somehow makes > things clearer. You learned to read, didn't you ? Some of us learned to use color to read things faster. The only bad thing about syntax highlighting is when it breaks, e.g., no color-highlighter can deal correctly with syntax interspersed with macros #ifdef'd.