Re: [osol-discuss] root pw
On 1/22/11 1:24 PM, john g4lt wrote:
> The proper answer here is "there isn't a root password, root is a role"

Yes, root is a role, meaning you can't log in directly. But it still has a password, which you must provide when you assume the root role (after logging in to an account that is authorized to assume the root role).

You can also use the root password to enter single-user mode: append -s to the boot line, and when prompted enter root as the user name, followed by the root password.

Scott

> On 1/4/11, Deric Kwok wrote:
>> Hi
>>
>> I forgot the root pw. How can I change it?
>>
>> Is there a single user mode, as in Linux, when booting? How?
>>
>> Thank you

-- 
Scott Rotondo
Senior Principal Engineer, Oracle Database Security
Phone: +1 650 506 0138
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
Re: [osol-discuss] // napp-it WebUI + NAS-appliance Online-Installer with OpenIndiana support
On 10/10/10 1:11 AM, Stephan Budach wrote:
> Great - I will check it asap (today, that is ;) ). I had already considered sitting down and doing some scripting for nappit installation on Openindiana, but I didn't have the time to do so.
>
> Btw, on Openindiana oi_147 I was only able to get napp-it working by adding
>
>   All:suser:cmd:::*:uid=0
>
> to exec_attr.

Sorry, I haven't been following this thread so I don't know what issues you've been trying to resolve. But the change above is not the right solution to any problem. All users are granted this profile by default, as a subprofile of Basic Solaris User. So the net effect is to allow any user to execute any command as uid 0. It's equivalent to posting the root password in /etc/motd (and changing root to a regular account instead of a role).

If you really want to give superuser powers to some user, assign them the Primary Administrator profile using usermod -P. Better yet, create a new profile containing just the command(s) that need to run with privilege and assign that to the user.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 408 276 6987 (Internal x66987)
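The exec_attr line above is easy to spot once you know what to look for: a cmd entry whose id is "*" and whose attributes set uid=0 (or euid=0, or privs=all) hands every command to whoever holds that profile. The following audit is an added example, not code from this thread or from napp-it; it parses exec_attr(4) lines (name:policy:type:res1:res2:id:attr) and flags such wildcard entries, rating them critical when the profile is one every account holds by default. The set of default profiles ("All" as a subprofile of "Basic Solaris User", as the reply states) and the sample file are assumptions constructed for the example.

```python
"""Audit exec_attr(4) for wildcard superuser grants.

Added example for this thread, not code from the list or from napp-it.
exec_attr(4) lines have seven colon-separated fields:
    name:policy:type:res1:res2:id:attr
where id is the command path (or "*" for every command) and attr is a
';'-separated key=value list. The check below flags entries that let a
profile run ANY command as uid 0 / euid 0 / with all privileges, and rates
them critical when the profile is one every account holds by default.
"""
from dataclasses import dataclass

FIELDS = ("name", "policy", "type", "res1", "res2", "id", "attr")

# The post says every user holds "All" as a subprofile of "Basic Solaris
# User". Assumption for this example; take the real set from prof_attr.
DEFAULT_PROFILES = frozenset({"All", "Basic Solaris User"})

# Attribute values that amount to superuser when attached to a command.
SUPERUSER_ATTRS = (("uid", "0"), ("euid", "0"), ("privs", "all"))


@dataclass
class Finding:
    profile: str
    attrs: dict
    severity: str   # "critical": every user inherits it; "high": otherwise


def parse_attrs(attr_field):
    """'uid=0;gid=0' -> {'uid': '0', 'gid': '0'}."""
    attrs = {}
    for kv in attr_field.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_exec_attr(text):
    """Yield one dict per non-comment line; malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 6)          # attr is last and keeps any ':'
        if len(parts) != 7:
            continue
        entry = dict(zip(FIELDS, parts))
        entry["attrs"] = parse_attrs(entry["attr"])
        yield entry


def audit_exec_attr(text, default_profiles=DEFAULT_PROFILES):
    """Findings for cmd entries whose id is '*' and whose attrs grant superuser."""
    findings = []
    for entry in parse_exec_attr(text):
        if entry["type"] != "cmd" or entry["id"] != "*":
            continue
        if not any(entry["attrs"].get(k) == v for k, v in SUPERUSER_ATTRS):
            continue
        severity = "critical" if entry["name"] in default_profiles else "high"
        findings.append(Finding(entry["name"], entry["attrs"], severity))
    return findings


# Constructed sample file: the line from the post, a normal per-command
# entry, and a Primary Administrator line (also constructed here).
SAMPLE = """\
# exec_attr sample, constructed for this example
All:suser:cmd:::*:uid=0
Primary Administrator:suser:cmd:::*:uid=0;gid=0
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=0
"""

if __name__ == "__main__":
    for f in audit_exec_attr(SAMPLE):
        print(f"{f.severity.upper():8} profile {f.profile!r} runs any command with {f.attrs}")
```

Primary Administrator shows up as "high" rather than "critical" because it is only dangerous once assigned to someone; the "All" entry is the one that silently applies to every account on the host.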
Re: [osol-discuss] C programming, invalid argc value
On 10/ 5/10 11:04 AM, Jürgen Keil wrote:
>> I can reproduce the problem on my system running bash so I don't think it is related to the shell:
>>
>> (gdb) b main
>> Breakpoint 1 at 0x8050ccc: file g.c, line 4.
>> (gdb) r
>> Starting program: /home/gvasick/a.out
>>
>> Breakpoint 1, main (argc=260904, argv=0xfef90018) at g.c:4
>
> Which compiler, compiler version, gdb version did you use? What compilation flags? What does the test program look like?
>
> Using Opensolaris b134, gcc 3.4.3, gdb 6.8, a simple "hello, world" type test program, and compilation options "-g -O" it works for me.
>
> For me, the "b main" command sets a breakpoint at offset 12 relative to the symbol "main", after main's function prologue.

And that makes all the difference. It's never going to work properly unless at least the first two instructions of the function prologue get executed in order to set the frame pointer in %ebp. If the debugger automatically modifies your breakpoint request, you don't have to worry about this. If it literally sets the breakpoint where you tell it, you have to be aware of this little trick.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 408 276 6987 (Internal x66987)
Re: [osol-discuss] C programming, invalid argc value
On 10/ 4/10 10:45 AM, George Vasick wrote:
> Hi Alan,
>
> I can reproduce the problem on my system running bash so I don't think it is related to the shell:
>
> (gdb) b main
> Breakpoint 1 at 0x8050ccc: file g.c, line 4.
> (gdb) r
> Starting program: /home/gvasick/a.out
>
> Breakpoint 1, main (argc=260904, argv=0xfef90018) at g.c:4
> 4       {
>
> I also notice that stepping one statement seems to resolve the problem:
>
> (gdb) n
> main (argc=1, argv=0x8047a88) at g.c:5
> 5         printf ("hello world!\n");
> (gdb) p argc
> $1 = 1
> (gdb) p *argv
> $2 = 0x8047b60 "/home/gvasick/a.out"

Isn't that a well-known issue with x86 debuggers - needing to break at +3 so that the frame pointer is set up before you try to examine arguments or local variables?

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 408 276 6987 (Internal x66987)
Re: [osol-discuss] root roles & security holes
On 08/ 2/10 04:55 AM, Mike DeMarco wrote:
> In making root a role you now rely on a user account to be available at all times. You can not login as the role, and if the user account gets misconfigured in some way you can not login at all. User accounts are fluid; they grow and get configured in different ways. Each time, you risk having the user account blow up and not being able to get back into the host to fix it other than with the LiveCD. Which means you always have to keep the LiveCD handy.
>
> Since root should be a limited use account you can and should give it a very cryptic password and keep its environment static. This ensures a level of sanity to the account, and with it being static it will be left in a safe, secure and reliable state.

Incidentally, if root is a role and the network is down and you have no local user accounts, you can still recover without a Live CD. You can use the root password to boot in single-user mode, even when root is a role.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] root roles & security holes
On 07/30/10 03:49 PM, David Brodbeck wrote:
> On Jul 30, 2010, at 3:31 PM, Scott Rotondo wrote:
>> Regarding the expansion of the attack surface, remember that assuming the root role requires logging in to a user account first and then providing the root password.
>
> Well, yes and no. It's true that su requires the root password, and sudo usually requires the password of the user account before running commands with root privileges. pfexec does not require any password entry at all, so an account that's allowed to exercise root privileges via pfexec is, from a security standpoint, functionally equivalent to another root account.

What you're describing is the effect of assigning the Primary Administrator profile to users (so they can run any command as uid 0). That's not something I would recommend from a security standpoint. You certainly aren't required to do that in order to have the root account as a role.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] root roles & security holes
On 07/30/10 12:44 PM, David Brodbeck wrote:
> This *can* be worked around by making sure every machine has a valid local user with access to the root role -- sort of. pfexec becomes extremely slow if you have incorrectly configured LDAP -- as in several minutes of waiting to run a single command. I suspect it tries to look up userIDs via LDAP first and has a long timeout. Best to su to root in that situation.

Have a look at /etc/nsswitch.conf. The search order is configurable.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] root roles & security holes
On 07/30/10 02:05 PM, David Brodbeck wrote:
> On Jul 30, 2010, at 1:33 PM, Kyle McDonald wrote:
>> I actually like root as a role, but it strikes me that by forcing all machines to have a single local user with a pw that everyone knows, you've totally re-opened the hole that this was supposed to close. Anyone can login as that local user, and assume the root role anonymously.
>
> It's essentially a "security through obscurity" measure. There's still an account with effective access to root privileges, but it's not *called* root, so it's slightly harder to target. Sort of like renaming the "Administrator" account on Windows.

No, that's not correct. I agree that you should have a local account that can assume the root role so that you can fix things if something happens to your LDAP server, network, etc. But that doesn't mean that everyone, or even all the users who can assume the root role, need to know the password of the local account.

For example, suppose you have a collection of systems using an LDAP server with lots of regular user accounts plus a handful of accounts for individual administrators, each of whom is able to assume the root role. I would make sure each system also has a local account that can assume the root role with a password known to a subset (or maybe just one) of those administrators. You want the local account so you can respond to emergencies, but emergencies should be rare so you don't necessarily need every administrator to have that access.

Furthermore, as a matter of policy, administrators should use their regular LDAP accounts to access the root role except in those emergency situations when LDAP is not available. Remember, accountability is the reason for making root a role, so we can see when the local account has been used and follow up with the administrators accordingly.

> On the other hand, there are some accountability advantages if you enforce the use of a tool that does logging, like "sudo". If everyone has their own account and they have to use "sudo" to exercise rootly powers, then you have a useful record of who did what. If someone just logs in as root you really don't know which of the people who had the root password did it. The tradeoff is each account with sudo privileges becomes a potential attack surface, so you need to make sure your admins are picking good passwords.

The accountability advantage is exactly the same with the root role. You have to assume the root role from a regular user account, so you know who it was. In fact, the individual audit events recorded while running in the root role include the real user attribution so you don't have to go back through the audit trail to figure out who assumed the role sometime prior to the event you're trying to examine.

Regarding the expansion of the attack surface, remember that assuming the root role requires logging in to a user account first and then providing the root password. Even if the user accounts have weak (or non-existent) passwords, the situation is no worse than it was with a single root user account.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] root roles & security holes
On 07/30/10 04:59 AM, Mike DeMarco wrote:
> Build 134:
>
> 1) Could anyone please explain why root has been converted to a role. I would venture a guess that someone somewhere believes that it is more secure to run root as a role. The whole "if root can not log directly into the box then someone can not crack the root password." Well, I agree that root should not be allowed to login from the net, but locking a root account out of console login relies on the user account always being valid. And how much harder is it to hack the user then move on to root, especially when the root password is the same as the user's?
>
> Having root as a role is causing me many problems and I am wondering if others are in agreement or disagreement with this practice?

It has been possible to configure the root account as a role since Solaris 8, and it has been a recommended security practice for many years. Accessing the root role, generally via su(1M), requires that you first log into a user account that includes root in its list of allowed roles.

The primary security benefit of this arrangement is attribution. In the common case where multiple people use the root account to administer the system, a direct login to that account is anonymous in the sense that it could be done by anyone who knows the account password. When root is a role, actions can be attributed to the individual user account used to assume the role.

In addition, even for a system administered by a single user, making the root account a role encourages the beneficial least-privilege practice of using the root account only when necessary instead of running with full privilege all the time.

It would be interesting to hear what problems you have had with root as a role. You could of course change root to a regular user account by running

  rolemod -K type=normal root

but I wouldn't recommend that unless you can't find another solution.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] crontab disappearing
On 07/28/10 09:27 AM, William Bauer wrote:
> I've noticed over the last couple years that with every version of OpenSolaris, from 2008.05 through build 134, at times my root crontab spontaneously deletes every line from the last comment (# symbol) and above. Only the lines below the last # remain. No, not just the comments disappear, but ALL above the last comment. These have all been clean installs, and it impacts multiple computers. I have no explanation for when it happens--doesn't seem to be a crash or other non-graceful shutdown. cron just seems to blow up at very random times. I've had affected systems be fine for many months, then suddenly my root cron has one or two lines left. No one has access to my home computer, and few have any type of access to my work system. Very odd. I'd submit a bug, but have nothing to offer but the information in this message.

That's very strange. I assume you mean that the damage occurs at a random time while the system is running, not as a side effect of updating to a new build.

It's worth noting that the cron daemon always opens these files read-only. So I suspect that there must be a stray invocation of /usr/bin/crontab or a process that directly writes to the file in /var/spool/cron/crontab.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] Solaris Next timescale
On 07/19/10 09:21 AM, Alan Coopersmith wrote:
> I know some work was done on ON to fix gcc 4.x build issues so that the Parfait static analyzer from Sun Labs could be run on the code, but don't know of anyone testing a full build with actual gcc 4.x compilers.

I integrated those syntax fixes, in collaboration with the Sun Labs engineers. I haven't tested this for the past few builds, so it's possible that a new syntax problem has crept in. However, based on the last time I tried it, you should be able to build ON for x86 with gcc 4.x. Building for sparc requires syntax fixes in a handful of additional files I haven't integrated yet.

Note that I'm talking about syntactic correctness only; I haven't tried to run the resulting binaries.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] The nearest thing to (forthcoming) news
Please don't speculate about anyone's departure, including whether it was voluntary or not. I won't comment on any individual, but suffice it to say that Oracle is not actively "sending away" senior Solaris engineers.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)

On Jul 9, 2010, at 4:18 PM, Chris Pickett wrote:
> On Fri, Jul 9, 2010 at 4:39 AM, John Plocher wrote:
>> It might be worth going just to find out who the current "head of
>> Oracle Solaris development" really is; it'll certainly be more than
>> the OGB has been able to find out all year...
>>
>> Might it be Stephen Hahn or Tim Marsland or Bill Franklin or Vincent
>> Murphy or Greg Lavender or someone completely new?
>
> Sorry, but Tim Marsland has been fired on Oracle's behalf and now
> works for Apple. Most other Solaris lead designers were "send away" by
> Oracle, too.
>
> Chris
> --
>   ^---^
>  (@)v(@)  Chris Pickett
>   |/      IT consultant
> ===m==m=== pkch...@users.sourceforge.net
Re: [osol-discuss] thanks to all who helped choochoo with OSOL & message to Oracle/ Sun
Is there any particular reason you thought it would be something other than the standard JVM?

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)

On Jun 20, 2010, at 12:36 PM, "W. Wayne Liauh" wrote:
>
> During the installation of Solaris Express, shortly after the kernel is
> loaded, a Java virtual machine will appear which will take over the
> installation process. I was wondering whether this is a special version of
> JVM, and if so, how "useful" (capability-wise) it is? Where can I find any
> info? More to the point, do you think it may be possible to build an Open
> Solaris distro based on this kernel+JVM combo?
Re: [osol-discuss] Netservices Limited
On 05/20/10 03:03 AM, Ian Garbutt wrote:
> Casper
>
> We have a number of users who have different skill, knowledge and ability levels, and for the security of the systems it will be much easier if they could use netservices open to connect via a gui, have services available and then when finished run netservices limited to lock the machine down again. That way I don't have to worry about tidying down after them. And yes, possibly they shouldn't have root access, but we don't always have a choice of who does and doesn't get access.
>
> Ian

I strongly advise you not to do it this way. As Casper already said, we designed netservices to be used for two purposes:

- to initially set the configuration of the system, either wide open (default for Solaris 10) or with ssh as the only network-facing service (default for OpenSolaris).
- to return to the initial setting above after some unknown set of individual service changes using svcadm.

Netservices limited/open are not designed to be used as bracketing operations as you describe. Instead, I suggest that you do the following:

1. Run netservices limited once to start with network services disabled.
2. Use svcadm to enable ftp and any other network services that you want to run all the time.
3. Create your own script for users to run, instead of netservices, to enable/disable the transient services they need. This can be as simple as a shell script with a series of svcadm enable/disable commands, or you could create SMF profiles to enable and disable the specific services and apply them with svccfg apply.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] snv137 package manager does not work
On 05/ 4/10 05:54 PM, tom60 wrote:
> How do I change package server? I tried pkg set-publisher, but ipkg.sfbay/dev/ is unreachable. I thought it could be a name resolution issue, but it should not be, since I can ping Yahoo.com.

Note Alan's initial assumption that you must be on Sun's internal network:

>> snv_137 packages are not available on pkg.opensolaris.org so you will not be able to install new packages from there. If you actually have snv_137 you must be behind Sun's firewall, and should thus change your pkg publisher from the default to an internal server like ipkg.sfbay/dev .

If that's not true, then you won't be able to reach ipkg.sfbay since it's an internal system.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone/FAX: +1 650 786 6309 (Internal x86309)
Re: [osol-discuss] very long wait in the end of pkg install
Alan Coopersmith wrote:
> Richard L. Hamilton wrote:
>> [...]
>>> Except that pkg uses elfcmp/wsdiff type mechanisms to not rev ELF binaries that don't differ in the important bits, but only differ in the timestamps or other metadata.
>> [...]
>>
>> Are there standalone tools like that, able to ignore trivial differences when comparing ELF binaries? The only elfcmp I've found so far is meant to compare a binary to a running process, to ensure the process hasn't been tampered with.
>
> See /opt/onbld/bin/elfcmp in the SUNWonbld package.

Elfcmp is a useful tool to determine if two binaries are essentially equivalent. However, I believe there are minor differences between what elfcmp considers "the same" and what IPS does. That may be fine for your purposes; just don't expect matching results 100% of the time.

Scott
-- 
Scott Rotondo
Senior Principal Engineer, Solaris Engineering
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
Re: [osol-discuss] Is there a way to start up a service & all its dependencies with 1 command?
Rigoberto Corujo wrote:
> I'm new to Solaris and I know you can start up an SMF service with the command:
>
>   svcadm enable
>
> but if that service has dependencies then you have to start up its dependencies first. Is there a way to tell svcadm to automatically start all the services on which the service that I'm trying to start depends?

Sure: svcadm enable -r. See svcadm(1M).

Scott
-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
Re: [osol-discuss] Weird bash behaviour
Henrik wrote:
>>> If you omit the #!/bin/bash from child.sh, I suspect the original bash will look at the file, recognize it's executable, but since the file doesn't specify a new command interpreter, it's equivalent to ". ./child.sh" meaning the parent script simply sources the child script. Not in a new interpreter.
>>
>> Not quite. It's equivalent to "bash ./child.sh" rather than ". ./child.sh".
>
> It sounds plausible, but I am not sure it is exactly like that because a quick test did not give me the expected result. After I tried to change test.sh to use the ". ./child.sh" notation, I do not get a child process at all, only the process of test.sh:
>
>   13870 -bash
>   17820 /bin/bash ./test.sh
>   17824 sleep 160
>
> So somehow running without "#!/usr/bin/bash" gets me a new process in the same interpreter?

The shell forks, and the child process tries to execute child.sh using execve(). If this succeeds, the arguments you see in ptree show the child script. If it fails (because there is no #! line), the child process interprets the script, but the process args still match those of the parent. Have a look at shell_execve() in the bash sources for details.

Scott
-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
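The mechanism in Scott's answer is observable from any language: the kernel rejects execve() on a text file with no #! line with ENOEXEC, and it is the caller that decides what to do next. The script below is an added example, not bash's shell_execve() and not code from this thread; it writes a throwaway script with and without a #! line, reports what execve() does with each, and implements the fallback by handing the file to /bin/sh. That last step is where it deliberately differs from bash, which interprets the file in the already-forked child instead of exec'ing a new interpreter (hence the unchanged process arguments in ptree). It assumes a POSIX system with /bin/sh.

```python
"""What execve() does with a script that has no #! line.

Added example (not from the thread, not bash's own code). The kernel
refuses to exec a plain text file without an interpreter line (ENOEXEC);
the calling program must then interpret the file itself. bash does this
in-process in shell_execve(), which is why ptree still shows the parent's
arguments. The fallback here execs /bin/sh instead, which is simpler to
show from Python and gives the same exit status.
"""
import errno
import os
import stat
import subprocess
import tempfile


def write_script(body, shebang=True):
    """Create an executable throwaway script in a fresh temp dir; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "child.sh")
    with open(path, "w") as f:
        if shebang:
            f.write("#!/bin/sh\n")
        f.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def probe_exec(path):
    """'direct' if the kernel accepts the file as-is, 'ENOEXEC' if it has no #! line.

    Note: when the kernel accepts it, the script actually runs.
    """
    try:
        subprocess.run([path], check=False)
    except OSError as e:
        if e.errno == errno.ENOEXEC:
            return "ENOEXEC"
        raise
    return "direct"


def run_script(path):
    """Run a script the way a shell does: exec it, fall back to sh on ENOEXEC.

    Returns the script's exit status either way.
    """
    try:
        return subprocess.run([path], check=False).returncode
    except OSError as e:
        if e.errno != errno.ENOEXEC:
            raise
    # No interpreter line: do what bash's shell_execve() does, except that
    # bash interprets the file in-process while we exec /bin/sh on it.
    return subprocess.run(["/bin/sh", path], check=False).returncode


if __name__ == "__main__":
    for with_shebang in (True, False):
        p = write_script("exit 7\n", shebang=with_shebang)
        print(f"shebang={with_shebang}: execve -> {probe_exec(p)}, "
              f"run_script exit status -> {run_script(p)}")
```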
Re: [osol-discuss] UltraSPAR_K_
Cyril Plisko wrote:
> http://www.oracle.com/us/products/servers-storage/servers/blades/index.html
>
> Oh well...

I don't see it. Maybe it's been fixed already?

Scott
-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
Re: [osol-discuss] Is there Lexmark printer support? [X4875 in particular]
Norm Jacobs wrote:
> On 01/23/10 06:45 AM, Andreas Braathen wrote:
>> I've bought a Lexmark X4875 printer and to my big disappointment I cannot find any driver or guidelines on how to set it up. Does anyone have any experience with this printer and been able to make it work with CUPS? It doesn't seem to be listed at http://www.openprinting.org/driver_list.cgi either.
>
> If there were an entry for it on openprinting.org, it's likely that it would be listed as a paperweight. Lexmark inkjet printers tend to not have open source drivers for them. Usually, their laser printers support some version of PCL or PostScript and have PPD files that work fine under CUPS.
>
> -Norm

For laser printers, it's even better than that. I bought a Lexmark 543dn recently, and I was pleasantly surprised to see Solaris compatibility explicitly listed on the spec page:

http://www1.lexmark.com/products/view/Printers/Lexmark-C543dn/catId=cat10006-category&prodId=4609-product

I realize this doesn't help with the original inkjet question, but I thought the rest of opensolaris-discuss might be interested.

Scott
-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
Re: [osol-discuss] redirect "command --help" to file
Sven Aluoor wrote:
> Hi folks
>
> [Please add me CC]
>
> How do I redirect "command --help" to a file? Why doesn't the normal way work?
>
>   keytool --help > /tmp/keytool

The help text is written to stderr, not stdout. From sh or ksh, try

  keytool --help 2>/tmp/keytool

instead.

Scott
-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
Re: [osol-discuss] RBAC database files /etc/security/auth_attr , prof_attr cleaned out.
dennis mathews wrote:
> Has anyone come across their RBAC files ( 200906 - 111b ) being reduced from around 60-odd entries to less than 5? Are these files auto-generated now by any chance? Below is the full contents of the files. Incidentally exec_attr still has all its contents. I know this because I've got the fresh install's bootenv.
>
> $ cat /etc/security/auth_attr
> solaris.cluster.admin:::Manage Quorum Server Daemons::
> solaris.cluster.read:::Print Quorum Server Configuration::
> solaris.smf.manage.zfs-auto-snapshot:::Manage the ZFS Automatic Snapshot Service::
> $ cat /etc/security/prof_attr
> Basic Solaris User::::auths=solaris.cluster.read
> Quorum Server Management::::auths=solaris.cluster.admin

It appears that some package you installed delivered copies of prof_attr and auth_attr, which overwrote the original versions. You should be able to find the package(s) that delivered these files with two commands:

  $ pkg search -l /etc/security/prof_attr       [for IPS packages]
  $ grep prof_attr /var/sadm/install/contents   [for SVr4 packages]

Here's what should have happened:

1. Historically SVr4 packages delivered fragments of the RBAC database files using the regular pathname (e.g. /etc/security/prof_attr) but specifying i.rbac as the action script to use to install the file. That script merged the new fragment into the existing file rather than overwriting it.
2. IPS packages deliver the fragments as separate files in a special directory, and the SMF service svc:/system/rbac:default merges the fragments using the same i.rbac script.

It appears that your files were overwritten by a package that delivers RBAC database fragments but does not use either of the methods above. All of the ill effects you observed (missing shutdown option, inability to use pfexec to run with privilege) are direct results of overwriting those files.

Scott
-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
Re: [osol-discuss] root account
Bryan Allen wrote:
> On 2009-10-16 03:23:07, Harry Putnam wrote:
>> I remember having done something way back... I think it was posted on
>> an opensolaris.org page... how to setup a root account and login as
>> root. Any way it was fairly common knowledge and a howto was
>> available.
>
> $ pfexec rolemod -K type=normal root
> $ pfexec perl -pi -e 's/^PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
> $ pfexec svcadm restart ssh
>
> I didn't have to do anything else on a fresh upgrade of snv_124.
>
> See Also: http://dlc.sun.com/osol/docs/content/IPS/login.html

Yes, that's exactly what you would need to do to change the root account from a role to a regular user and allow it to be used with ssh. I was puzzled because Harry seemed to be saying that previous OpenSolaris releases had behaved this way out of the box, but given that he followed those steps earlier it all makes sense.

Scott
-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
Re: [osol-discuss] root account
Harry Putnam wrote:
> It may have... but it was still possible to have root as an account and to ssh to root if you set it up in /etc/sshd_config... I've been doing it since 2008.11 b101. It's only between 118 and 124 that things got more complicated... bringing Pam in as enforcer I guess. But that too can be circumvented.

I'm really not certain why you're seeing a change in behavior. Perhaps I'm forgetting an earlier bug that somehow allowed you to directly log into the root account. In any case, what you're describing is how it was supposed to behave before.

> I just don't get why devs are so hell bent on crippling the root account. It's been around many many yrs.

The key reason behind this change is accountability. Since the root account may be shared by several people (and we hope it's not anyone's primary login!), direct login to the root account is anonymous in the sense that we can't attribute it to a single individual. If the user logs into his own account first and then assumes the root role, we know exactly who it was. Furthermore, you can revoke root access at any time by removing the user's ability to assume the root role, even if he still knows the root password.

Scott
-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
Re: [osol-discuss] root account
Harry Putnam wrote:
> Oscar del Rio writes:
>> No problems here. After enabling RootLogin and setting root as a regular account, I can ssh as root without any errors or warnings.
>
> Thanks... What do you mean by `setting root as a regular account'? Something more than having a passwd and home directory?

In OpenSolaris, root is installed as a role account. [1] You can't log in to that account directly; instead you log in to a regular user account [2] and then su to root.

> But some posters here have said in build 124 root has been removed as an account... or reduced to a role or something like that, so depending on what you mean by `setting root as a regular account', I'm not sure what's going on.

I believe the root account has been a role since the first OpenSolaris binary release; this is not a recent change.

Scott

[1] The root entry in /etc/user_attr will include "type=role".
[2] The regular user account must be authorized to assume the root role, indicated by "roles=root" in its /etc/user_attr entry.

-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
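The two footnotes above give everything needed to check the root-as-role arrangement discussed throughout this thread: root's entry in /etc/user_attr must carry type=role, and the accounts allowed to assume it are exactly those whose roles= list names root, which is also the list you edit to revoke someone's access without changing the root password. The audit below is an added example, not code from the list or from Solaris; it parses user_attr(4) lines (user:qualifier:res1:res2:attr, attr being a ';'-separated key=value list with comma-separated multi-valued keys), reports whether root is a role and who may assume it, and shows the revocation step as a pure function on the attribute map. The sample file and the account names in it are constructed for the example.

```python
"""Audit user_attr(4): is root a role, and which accounts may assume it?

Added example, not from the thread. user_attr(4) lines have the form
    user:qualifier:res1:res2:attr
where attr is a ';'-separated key=value list; multi-valued keys such as
roles= and profiles= are comma-separated. type= defaults to "normal"
when absent, so only an explicit type=role makes an account a role.
"""


def parse_attrs(attr_field):
    """'type=role;roles=a,b' -> {'type': 'role', 'roles': 'a,b'}."""
    attrs = {}
    for kv in attr_field.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_user_attr(text):
    """Return {user: attrs dict} for every non-comment line; malformed lines skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 4)          # attr is the 5th field and keeps any ':'
        if len(parts) != 5:
            continue
        entries[parts[0]] = parse_attrs(parts[4])
    return entries


def role_list(attrs):
    return [r.strip() for r in attrs.get("roles", "").split(",") if r.strip()]


def who_can_assume(entries, role):
    """Sorted accounts whose roles= list names `role` (the allowlist the thread describes)."""
    return sorted(user for user, attrs in entries.items() if role in role_list(attrs))


def remove_role(attrs, role):
    """New attrs with `role` dropped from roles=: how access is revoked without
    touching the role's password."""
    remaining = [r for r in role_list(attrs) if r != role]
    out = {k: v for k, v in attrs.items() if k != "roles"}
    if remaining:
        out["roles"] = ",".join(remaining)
    return out


def audit_root(text):
    entries = parse_user_attr(text)
    root = entries.get("root", {})
    return {
        "root_is_role": root.get("type") == "role",
        "can_assume_root": who_can_assume(entries, "root"),
    }


# Constructed sample: root as a role, two accounts that may assume it, one that
# may not. The account and extra role names are made up for this example.
SAMPLE = """\
# user_attr sample, constructed for this example
root::::type=role;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
alice::::type=normal;profiles=Basic Solaris User;roles=root
bob::::type=normal;profiles=Basic Solaris User
carol::::roles=root,zfsadmin
"""

if __name__ == "__main__":
    report = audit_root(SAMPLE)
    print("root is a role:", report["root_is_role"])
    print("accounts that may assume root:", ", ".join(report["can_assume_root"]))
    print("carol after revocation:", remove_role(parse_user_attr(SAMPLE)["carol"], "root"))
```

A root entry with type=normal (or no type= at all) is what "rolemod -K type=normal root" from earlier in the thread produces, and the report flags it as not a role; an empty can_assume_root list on a host whose root is a role is the lock-out situation the thread warns about, so both values are worth alerting on.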
Re: [osol-discuss] finding sufficient privilege using ppriv
Vikash Tulsiyan wrote:
> I am writing an installer script for opensolaris. It changes preferred authority, enables/disables the pkg service on my localhost, pushes the application package to my depot server and eventually installs the package from the depot server. However I first need to check if the user running my script has sufficient privileges to perform these tasks. Is running "ppriv $$" in my script and then checking for 'all' in the E field a reliable check?

The answer I sent you on Wednesday (attached) still applies in this case. What you need to perform these tasks is a specific set of authorizations and privileges. Having all auths and all privs is certainly sufficient, but not necessary.

As I said Wednesday, it's not a good idea to write scripts that try to predict whether operations will succeed or fail. In the best case, if you do it perfectly, you have a fragile implementation that may break whenever the underlying OS changes. It's a far more effective programming model to simply issue the commands and see if they succeed or not.

Scott

--- Begin Message ---
Vikash Tulsiyan wrote:
> I am writing a script that allows any user (with appropriate permissions) to install packages and start/stop some services on opensolaris. As far as I know only Primary Administrator has the privilege to perform these tasks. Is my understanding correct or does any other role allow similar privilege?

No, what's actually required is an authorization. The solaris.smf.manage authorization allows you to start/stop any service. Two profiles that contain this authorization are Service Management and Service Operator. Of course, Primary Administrator will also work because it contains all authorizations. Individual services can also define authorizations that allow management of that particular service, and these authorizations can be included in RBAC profiles.

> Also what's the best way to find out if a given user has a particular role or not. Say in my script if I am looking at whether a particular user has the Primary Administrator role or not. Is "profiles {USER} | grep -i Primary Administrator" a good check or is there a better way?

Yes, that will work to answer the specific question about whether a user has the Primary Administrator profile. But as explained above, there are several other profiles that could give the user sufficient authorization to start or stop a given service.

As you can see, this gets pretty complicated. It's generally not a good idea to try to predict whether or not a user or process is sufficiently privileged to perform some operation. A much better approach is to have the script/program just try the operation and report an error if it doesn't succeed.

Scott
--- End Message ---
Re: [osol-discuss] Users role and pfexec
Vikash Tulsiyan wrote:
> I am writing a script that allows any user (with appropriate permissions) to install packages and start/stop some services on opensolaris. As far as I know only Primary Administrator has the privilege to perform these tasks. Is my understanding correct or does any other role allow similar privilege?

No, what's actually required is an authorization. The solaris.smf.manage authorization allows you to start/stop any service. Two profiles that contain this authorization are Service Management and Service Operator. Of course, Primary Administrator will also work because it contains all authorizations. Individual services can also define authorizations that allow management of that particular service, and these authorizations can be included in RBAC profiles.

> Also what's the best way to find out if a given user has a particular role or not. Say in my script if I am looking at whether a particular user has the Primary Administrator role or not. Is "profiles {USER} | grep -i Primary Administrator" a good check or is there a better way?

Yes, that will work to answer the specific question about whether a user has the Primary Administrator profile. But as explained above, there are several other profiles that could give the user sufficient authorization to start or stop a given service.

As you can see, this gets pretty complicated. It's generally not a good idea to try to predict whether or not a user or process is sufficiently privileged to perform some operation. A much better approach is to have the script/program just try the operation and report an error if it doesn't succeed.

Scott
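Two points from the threads above, that root is a role which only specific accounts may assume (the root-account thread, where the footnotes describe the type=role and roles=root entries in /etc/user_attr) and that the solaris.smf.manage authorization can reach a user through several profiles rather than only Primary Administrator (this thread), as one added shell example that is not from either thread. It parses constructed copies of /etc/user_attr and /etc/prof_attr in the same colon-separated, key=value;key=value layout, resolves a user's authorizations through nested profiles, honours the solaris.* wildcard, and ends with the "just try the operation and check the result" pattern Scott recommends. The accounts, profiles and values in USER_ATTR and PROF_ATTR are constructed sample data, not a real host's configuration; on a live system the profiles, auths and ppriv commands answer these questions and this script is only an illustration of what they resolve.

```shell
#!/bin/sh
# Constructed sample of /etc/user_attr (user:qualifier:res1:res2:attr).
USER_ATTR='root::::type=role;auths=solaris.*,solaris.grant;profiles=All
alice::::type=normal;roles=root;profiles=Basic Solaris User
bob::::type=normal;profiles=Service Operator,Basic Solaris User
carol::::type=normal;profiles=Primary Administrator
dave::::type=normal;auths=solaris.smf.manage'

# Constructed sample of /etc/prof_attr (profname:res1:res2:desc:attr).
PROF_ATTR='All:::Execute any command:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read;profiles=All
Service Operator:::Administer Services:auths=solaris.smf.manage
Service Management:::Manage Services:auths=solaris.smf.manage,solaris.smf.modify
Primary Administrator:::Can perform all administrative tasks:auths=solaris.*,solaris.grant'

# attr_value DB NAME KEY: value of KEY=... in the attr field (field 5) of the
# entry whose first field is NAME; prints nothing if either is absent.
attr_value() {
    printf '%s\n' "$1" | awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1) {
                    print substr(kv[i], length(key) + 2)
                    exit
                }
        }'
}

# is_role ACCOUNT: true when the account is a role (type=role), so it cannot be logged into directly.
is_role() { [ "$(attr_value "$USER_ATTR" "$1" type)" = role ]; }

# root_assumers: every account whose roles= list names root, i.e. who can reach uid 0.
root_assumers() {
    printf '%s\n' "$USER_ATTR" | cut -d: -f1 | while read -r u; do
        case ",$(attr_value "$USER_ATTR" "$u" roles)," in
            *,root,*) printf '%s\n' "$u" ;;
        esac
    done
}

# has_profile USER PROFILE: the literal check from the thread (profiles USER | grep ...),
# looking only at the profiles assigned directly to the user.
has_profile() {
    case ",$(attr_value "$USER_ATTR" "$1" profiles)," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# profile_auths PROFILE DEPTH: authorizations granted by a profile, following its
# own profiles= list recursively; DEPTH bounds the recursion in case of a cycle.
profile_auths() {
    [ "${2:-0}" -lt 8 ] || return 0
    attr_value "$PROF_ATTR" "$1" auths | tr ',' '\n'
    attr_value "$PROF_ATTR" "$1" profiles | tr ',' '\n' | while read -r sub; do
        [ -n "$sub" ] && profile_auths "$sub" $(( ${2:-0} + 1 ))
    done
}

# user_auths USER: the user's direct auths= entries plus everything reached through profiles.
user_auths() {
    {
        attr_value "$USER_ATTR" "$1" auths | tr ',' '\n'
        attr_value "$USER_ATTR" "$1" profiles | tr ',' '\n' | while read -r p; do
            [ -n "$p" ] && profile_auths "$p" 0
        done
    } | grep -v '^$' | sort -u
}

# has_auth USER AUTH: true if USER holds AUTH exactly or via a trailing-wildcard
# grant such as solaris.* (prefix match on the part before the star).
has_auth() {
    user_auths "$1" | awk -v want="$2" '
        $0 == want { found = 1; exit }
        sub(/\*$/, "", $0) && index(want, $0) == 1 { found = 1; exit }
        END { exit !found }'
}

# try_op DESCRIPTION CMD ARGS...: the model the thread recommends. Attempt the
# privileged operation and report the failure, instead of predicting it.
try_op() {
    desc=$1; shift
    "$@" && { printf 'ok: %s\n' "$desc"; return 0; }
    rc=$?
    printf 'FAILED (exit %s): %s\n' "$rc" "$desc" >&2
    return 1
}

main() {
    printf 'accounts able to assume the root role: %s\n' "$(root_assumers | tr '\n' ' ')"
    for u in alice bob carol dave; do
        # bob and dave can manage services although neither is a Primary Administrator.
        if has_auth "$u" solaris.smf.manage; then
            printf '%s: holds solaris.smf.manage\n' "$u"
        else
            printf '%s: cannot manage SMF services\n' "$u"
        fi
    done
    try_op "enable a service (simulated success)" true
    try_op "install a package (simulated failure)" false || :
}
case "${1:-}" in demo) main ;; esac
```

Run with `sh rbac_resolve.sh demo` (any file name; it is assumed). The grep-style check flags only carol, while the authorization walk also finds bob (through Service Operator) and dave (a direct auths= grant), which is exactly why predicting privilege from profile names is unreliable and why try_op exists.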
Re: [osol-discuss] Arbitrary scripting for post-install configuration
Shawn Walker wrote:
> Scott Rotondo wrote:
>> Yes, I think there is no getting away from arbitrary scripting, though I understand the desire to move it out of the installation context.
>
> That's funny, last I checked there have been OpenSolaris 200x releases since 2008.05 without relying on arbitrary scripting capability within the packaging system ... You can have all the scripting you want; just not within the context of package operations.

Yes, I'm agreeing with you. The point of my message was:

1. We still need arbitrary scripting for configuration.
2. It doesn't have to run in the packaging context.
3. There should be a built-in service to facilitate running those scripts, instead of implementing the same thing over and over.

Scott
Re: [osol-discuss] Arbitrary scripting for post-install configuration
Peter Tribble wrote:
> To configure 'anything' requires essentially arbitrary scripting. First you tell us that arbitrary scripting will never be allowed, then you tell us that it's necessary, but we all have to implement our own mechanisms to get it.

Shawn Walker wrote:
> No, we've told you that you have to move your scripting out of installation context where it only needlessly complicates the job of package management.

Yes, I think there is no getting away from arbitrary scripting, though I understand the desire to move it out of the installation context.

casper@sun.com wrote:
> And instead we run it on *every boot* which makes booting the system slower and maintenance of an installed system harder? (Much of what "svcs" today prints is "scripts run at boot which would really need to be run once when the system/package is installed"; that alone makes it a lot harder to find out all the services running as you can't see the forest for the trees)
>
> We could probably fix it by making "svcs" only print services with running processes; the other services are typically not of interest.

It seems to me that OpenSolaris needs a single built-in service that runs these one-shot scripts for post-install configuration. Then every package could use it by delivering its script files to a predetermined directory. We currently have 91 class action scripts used by packages in ON Nevada. I don't think we want to see the same basic functionality implemented dozens and dozens of times.

Scott
Re: [osol-discuss] Anyone successfully boot OpenSolaris on Toshiba A605 notebook ?
Kewl Eugene wrote:
> I went back to Fry's Sunnyvale this afternoon. On the Toshiba A605-P210 I was NOT able to boot OpenSolaris 2009.06 USB. I was able to boot Ubuntu Jaunty Jackalope 9.04 x64 USB. I tried several other Toshiba notebooks and none would boot OpenSolaris. I will next check the forums to see if the Toshiba R600 uses a special OpenSolaris build.

I can't comment on the other Toshiba models, but I can answer your second question. I have personally installed an R600 using the standard 2009.06 CD.

Scott
Re: [osol-discuss] Anyone successfully boot OpenSolaris on Toshiba A605 notebook ?
Kewl Eugene wrote:
> I meant the R600 (not R500) and A605 share the same PDF manual. The Toshiba R600 is $1600 with OpenSolaris. If you shop around you can buy a Toshiba A605 for $800. That's a lot of sushi ;-) The specs are all the same. *Apparently* they both use the same board. I want to run Mentor, Synopsys, etc. tools for Intel x64 that the sales rep lets us use for free.

It looks like physical form factor is the key difference. According to http://laptop.toshiba.com, the A605 is a pound or two heavier. The list price difference between the two models from Toshiba is $700. I haven't personally tried the A605, but I assume that it would run OpenSolaris equally well.

Scott
Re: [osol-discuss] How to "mirror" an entire zfs pool to another pool
Thomas Walker wrote:
> We are upgrading to new storage hardware. We currently have a zfs pool with the old storage volumes. I would like to create a new zfs pool, completely separate, with the new storage volumes. I do not want to just replace the old volumes with new volumes in the pool we are currently using.
>
> I don't see a way to create a mirror of a pool. Note, I'm not talking about a mirrored-pool, meaning mirrored drives inside the pool. I want to mirror pool1 to pool2. Snapshots and clones do not seem to be what I want as they only work inside a given pool. I have looked at Sun Network Data Replicator (SNDR) but that doesn't seem to be what I want either as the physical volumes in the new pool may be a different size than in the old pool. It sounds like you want the equivalent of zfs send/receive, but for pools instead of filesystems.
>
> Does anyone know how to do this? My only idea at the moment is to create the new pool, create new filesystems and then use rsync from the old filesystems to the new filesystems, but it seems like there should be a way to mirror or replicate the pool itself rather than doing it at the filesystem level.

I think your best bet is to create the new pool and then use zfs send/receive for each filesystem.

Scott
Re: [osol-discuss] Latin program
Alex Viskovatoff wrote:
> There's also this approach: Adatoccpptranslator (http://adatoccpptranslator.free.fr/PRIVOXY-FORCE/eg/index.html). The program's Web site says it builds under Solaris.

Good idea. Before suggesting the rewrite, I did a very quick Google search for an Ada to C translator, but I didn't find anything. Looks like you had better luck.

Scott
Re: [osol-discuss] Latin program
david wrote:
> I am not a programmer, rather I am an English teacher. However I have been thinking of doing a few things. There is a program called Whitakers words, it is a Latin-English dictionary program written in Ada. It runs in the Dos command prompt. I currently have my machine running the Windows exe version in Wine and it runs perfect. It is not a very complicated program at all. I noticed that there was a Linux and FreeBSD version but neither of these versions run in my install of OpenSolaris for some reason. They both ask for something called ld-linux.so.2. So I downloaded the source code from users.erols.com/whitaker/wordsdev and am now wondering how I can compile this so that it will run natively in Solaris in the terminal. If I can get it to run in the terminal, it would mean (I hope) that I could copy and paste to it and from it and that would make my work a lot easier. Thanks for any help you all can give me. I have netbeans and sunStudio, should I use those, and if so, ... How do I use those?

If it turns out that getting an Ada compiler for Solaris isn't feasible, the fact that you have source code for this program suggests another option. Someone [1] could take the Ada source and rewrite it, perhaps in a scripting language like python. Although the Ada source is about 22K lines, it seems to be mostly building some data structures and doing string manipulation. I suspect this would be a much smaller python program.

Scott

[1] I saw the "I am not a programmer" statement above. So "someone" may not be you. I might be interested in trying this for fun, but I'm not sure how soon I'd get around to it.
Re: [osol-discuss] SPARC Rock is dead,
Anon Y Mous wrote:
> I think that Fujitsu should perhaps consider renaming the SPARC64 VIIIfx to be the "Paper" CPU, because we all understand the flawless logic of how "Paper" beats "Rock" by covering it up. However, what if IBM retaliates by secretly developing a revolutionary thread-cutting "Scissors" CPU? Scissors cuts Paper, so Fujitsu doesn't stand a chance. But Rock crushes Scissors, so maybe the Rock will win after all?
>
> http://en.wikipedia.org/wiki/Rock_scissors_paper

I suggest Spock.

http://www.samkass.com/theories/RPSSL.html

Scott
Re: [osol-discuss] GCC 4.4: Can we handle it?!?
casper@sun.com wrote:
>> Glenn Lagasse wrote:
>>> I can't speak definitively about this, but my best guess is that SUNWgcc is still 3.4.3 because the ON consolidation hasn't qualified later builds of GCC for building ON. And so, the supported method for compiling code using GCC in ON is to use 3.4.3 until such time as someone does the work to update ON to build using later versions. Which I'd imagine will have to happen at some point.
>>
>> You can at least compile ON with gcc 4.x now, though that's a recent development. See CR 6795209.
>
> I'm sure this is really "it compiles and it seems to run"? Or was a gcc 4.4 compiled ON sent to PIT?
>
> Casper

All I claim is that the ON code compiles cleanly. I'm not certain that the resulting kernel will even boot. This putback was a collection of minor syntax fixes for errors reported by gcc 4.x but not 3.x.

Scott
Re: [osol-discuss] GCC 4.4: Can we handle it?!?
Glenn Lagasse wrote:
> I can't speak definitively about this, but my best guess is that SUNWgcc is still 3.4.3 because the ON consolidation hasn't qualified later builds of GCC for building ON. And so, the supported method for compiling code using GCC in ON is to use 3.4.3 until such time as someone does the work to update ON to build using later versions. Which I'd imagine will have to happen at some point.

You can at least compile ON with gcc 4.x now, though that's a recent development. See CR 6795209.

Scott
Re: [osol-discuss] [tools-compilers] [desktop-discuss] Report on issues when porting OpenSource projects to Solaris
Joerg Schilling wrote:
> al...@x11x:/tmp [8:12am - 9] cat > foo.c
> #include
> int main(int argc, char **argv) { printf("Goodbye cruel world\n"); }
> al...@x11x:/tmp [8:13am - 10] perl -i -p -e 's/\n/\r\n/' foo.c
> al...@x11x:/tmp [8:13am - 11] cc foo.c
> "foo.c", line 1: warning: invalid white space character in directive
>
> Interesting. It seems that I used CC ;-), so this is a non-orthogonal behavior in Sun Studio

You can also avoid the error using cc -Xs. Perhaps ANSI C explicitly disallows the carriage return character as whitespace. It would be nice to be able to toggle this one behavior while still compiling with -Xa. Anyone know of a not-so-obvious Sun Studio option to do that?

Scott
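The transcript above shows the compiler objecting to a carriage return inside a preprocessor directive after the file was converted to CRLF. Rather than hunting for a compiler switch that tolerates the stray CR, the usual fix is to catch and remove it before the build. The following shell functions, an added example that is not from the thread, count and list CRLF-terminated lines and produce an LF-only copy; make_sample writes a constructed file that reproduces the situation (its content is illustrative, not Joerg's foo.c).

```shell
#!/bin/sh
# Added example: detect and strip stray carriage returns in a source file
# before handing it to a compiler that rejects CR inside a directive.

# crlf_lines FILE: print the numbers of the lines that end in CR (LF-only lines are skipped).
crlf_lines() {
    awk '/\r$/ { print NR }' "$1"
}

# crlf_count FILE: number of CRLF-terminated lines, as a bare integer.
crlf_count() {
    crlf_lines "$1" | wc -l | tr -d ' '
}

# check_source FILE: succeed when the file is LF-only, otherwise report the
# offending line numbers on stderr and fail (usable as a pre-build check).
check_source() {
    n=$(crlf_count "$1")
    [ "$n" -eq 0 ] && return 0
    printf '%s: %s line(s) end in CRLF: %s\n' "$1" "$n" "$(crlf_lines "$1" | tr '\n' ' ')" >&2
    return 1
}

# strip_cr SRC DST: write a copy of SRC with every CR removed.
strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# make_sample FILE: constructed input mirroring the thread: a small C file whose
# first two lines were converted to CRLF while the last still ends in a bare LF.
make_sample() {
    printf '#include <stdio.h>\r\n' > "$1"
    printf 'int main(void) { printf("Goodbye cruel world\\n"); return 0; }\r\n' >> "$1"
    printf '/* this comment line still ends in a bare LF */\n' >> "$1"
}

# Usage: sh crlf_check.sh demo  (file name assumed) writes the sample, reports
# the two CRLF lines, and writes a cleaned copy next to it.
case "${1:-}" in
demo)
    f=$(mktemp) || exit 1
    make_sample "$f"
    check_source "$f" || strip_cr "$f" "$f.clean" && check_source "$f.clean" && echo "cleaned copy: $f.clean"
    rm -f "$f"
    ;;
esac
```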
Re: [osol-discuss] xBrowser: Cannot login to my Solaris 10 from PC
Oscar del Rio wrote:
> Sven Marcel Buchholz wrote:
>> The reason could be the Security by Default: http://www.opensolaris.org/os/community/security/projects/sbd/
>> After a "netservices open" you should be able to connect via XDMCP.
>
> Opening all services might be overkill. Just enable "tcp_listen" on the x11-server.
>
> svccfg -s x11-server setprop options/tcp_listen=true

Absolutely right. The idea is to enable only the services you are using. We provide "netservices open" to get back to the way systems were before SBD, but it's a pretty blunt instrument. All of the local-only services, like the X server, have documentation on their man pages about how to enable remote use.

Scott
Re: [osol-discuss] bash signal handling
Harry Putnam wrote:
> Scott Rotondo writes:
>> casper@sun.com wrote:
>>> The most broken part of bash is its signal handling:
>>>
>>> cd /net/somehost/file/dir ; rm -rf *
>>>
>>> "somehost" hangs; now you type a ^C to interrupt the "cd". What happens?
>>>
>>> bash-3.2$ sleep 10; echo foo
>>> ^C
>>> foo
>>> bash-3.2$
>>>
>>> Any other shell:
>>>
>>> $ sleep 10; echo foo
>>> ^C$
>>
>> Casper has mentioned this a couple of times on this alias, and I agree that the example above doesn't behave the way I would want or expect. Now I'm curious: Is there a faction out there arguing that the current bash behavior is correct and shouldn't be changed? Does someone actually rely on the current behavior?
>
> If you were thinking it might be me, since I asked for examples... no. As I mentioned I'm not knowledgeable enough really to have an opinion.

No, I wasn't expecting a response from any particular person. I was just honestly wondering if this is a controversial point. If not, I'm a little surprised that no one has modified bash to behave more like other shells in this respect.

Scott
Re: [osol-discuss] bash signal handling
casper@sun.com wrote:
> The most broken part of bash is its signal handling:
>
> cd /net/somehost/file/dir ; rm -rf *
>
> "somehost" hangs; now you type a ^C to interrupt the "cd". What happens?
>
> bash-3.2$ sleep 10; echo foo
> ^C
> foo
> bash-3.2$
>
> Any other shell:
>
> $ sleep 10; echo foo
> ^C$

Casper has mentioned this a couple of times on this alias, and I agree that the example above doesn't behave the way I would want or expect. Now I'm curious: Is there a faction out there arguing that the current bash behavior is correct and shouldn't be changed? Does someone actually rely on the current behavior?

Scott
Re: [osol-discuss] Acroreader 9.1
Anon Y Mous wrote:
> I just decided to check Adobe's ftp directory for acroreader and a new directory was posted for v9.1. It contains both x86 and x64 versions of acroreader. What it does not contain is a Sparc version.
>
> ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.1/enu/
>
> I haven't tried downloading and installing it yet, but this is very good news! Do the tar balls contain binaries in standard SysV package format?

No, it contains more tar archives and a shell script called INSTALL. Package format would be nice, but this was pretty painless to install.

I just installed this and used it to view and print a handful of PDF files. This is so much better than the 20th century Acroread 4.x we had before that it's hard to describe. Now I never have to run Evince again!

Scott
Re: [osol-discuss] [indiana-discuss] why gnu chmod in os2008.11?
Octave Orgeron wrote:
> One of the things that does kinda concern me here is that by just jumping on the GNU bandwagon and hoping for a smooth ride is a bit backward. I think most people who have worked on multiple OS's know that the GNU tools do have their issues and conflicts. Ultimately, if Sun wants to improve those tools, then great. However, if the hope is that the GNU toolset will attract users and developers.. I think that idea maybe a little flawed. If the idea is to be on par with Linux and hope that people will switch because of all the GNUness and Solaris specific features.. I'm not sure that's the best path. Definitely it helps.. but I don't think it'll magically cause a mass migration. What would be nice is some leadership in standards that bridges the gaps and makes Solaris the *best* platform for enterprises and for professional desktop/workstation users. If the idea is to go after the real desktop users across the globe.. then Sun should merge with Apple and learn what everyday people really need and expect.
>
> As things stand, continuing to go after the Linux user base is like trying to convert the religion of people.. pointless and a waste of effort. Apple understands that the real attraction for everyday users is differentiation and quality. OpenSolaris has come a long way and it's good that we are trying to accommodate user expectations. However, to fall into the trap of "we have to be like Linux to survive" is a dangerous and almost "end game" way of looking at the future. Where is the leadership? I think we all want the best platform to be OpenSolaris.
>
> Would it not make more sense to work with the different organizations and development teams to build a unified cross-platform toolset? I think enough consolidation has happened in the UNIX and UNIX-like market for people to come together and build something we can all be happy with. Let people choose their kernel and native toolset.. but at least have a common toolset across all the platforms for the basics:) It's happening in other areas, such as Xorg.. minus the fact that MacOSX has a better GUI and doesn't need X11.

Hear, hear. We need to offer much more than just parity with Linux. If the GNU utilities are as unstable (from an interface perspective) as has been suggested on this thread, maybe we should seriously consider one of the hybrid approaches that has been suggested here.

Scott
Re: [osol-discuss] Birthday Calendar
Prabit Mishra wrote:
> Hi
>
> I'm setting up a birthday calendar and need your help. Just click on the link below and enter your birthday details. (It's quick, easy, and you can keep your age a secret.)
>
> http://www.birthdayalarm.com/bd2/83720186a641925951b1436602666c360747359d1386

Be aware, however, that some financial institutions and other entities use date of birth as a pseudo-secret identifier, much like mother's maiden name. I'm not aware of anyone using it as a primary means of authentication, but they may use it when you request a reset of a forgotten password, for example. Obviously your birthdate isn't really secret, but you may want to consider this before posting it on a website.

Scott
Re: [osol-discuss] SRP target project
Chris Wood wrote:
> All:
>
> iSER and SRP are _not_ the same. iSER (along with iWARP) is a potential replacement for SRP. It just turns out that there are a lot more SRP initiators and devices out there than iSER right now. If we want to play in the IB attached storage arena right now, then SRP is the name of the game.
>
> CW
>
> Nicolas Williams wrote:
>> On Thu, Dec 18, 2008 at 01:15:35PM -0600, Shawn Walker wrote:
>>> Dan Maslowski wrote:
>>>> Folks,
>>>>
>>>> We have posted preliminary binaries and documents to the http://opensolaris.org/os/project/srp web page. We are in the process of stepping through the code and compiling for sparc etc. We are currently "unhiding" the web page, but you can see it now by pointing directly to the URL.
>>>>
>>>> We invite active participation, comments, unit testing or otherwise. I expect another drop of the source in the next couple of days and will post source by the end of this year.
>>>
>>> OpenSolaris Project: SCSI RDMA Protocol
>>>
>>> ...for those of you mystified as I was.
>>
>> I was mystified too. I think SRP is too confusable. I recommend a different acronym. What's wrong with "iSER" as a project name anyways?

I think it's unavoidable that the URL for the project page will include an abbreviation that is incomprehensible to outsiders (for me, iSER and SRP are about equivalent). As long as the project title spells out "SCSI RDMA Protocol" I think you can use whatever abbreviation you like.

Scott
Re: [osol-discuss] [desktop-discuss] FF3 stability and performance concerns
Jason King wrote:
> Even worse than that, even on a Ferrari 4000 2ghz w/ 1gb ram, starting with around sxce b98, the desktop in general seems to be suffering from a critical performance regression, FF3 seems to be the worst in this respect. I've seen systems where actual swapping (not paging) are more responsive (I'm not kidding), yet none of the usual tools (vmstat, prstat, mpstat, etc.) show anything amiss. As I have more time to dig into it, I might be able to provide actual actionable issues, but first I was at least going to get to b101 and see if it still is having the issue.

I'd be surprised if a later build of Solaris makes any difference. From what I've seen, FF3 is unbelievably slow everywhere, even on Windows.

Scott
Re: [osol-discuss] Solaris Jargon
Dennis Clarke wrote:
>> Dennis Clarke wrote:
>>> Here are some key terms. The FCS or GA release and the ABI, the SPI and API.
>>>
>>> I have always been curious what the difference was between FCS and GA. I think that GA means General Availability and perhaps is the same as FCS.
>>
>> FCS stands for First Customer Ship[ment] I believe. It predated software distribution via Internet, so I believe it generally referred to when the CD (or DVD) and packaging is available for shipping to customers.
>
> So same thing as GA then I guess.

FCS is an older, somewhat imprecise term that has been replaced by Revenue Release (RR) and General Availability (GA). RR refers to the first time the OS release is shipped in any form [1], possibly before media kits or downloadable images are available. GA, as the name implies, refers to the time when everything is in place to ship in quantity for all delivery mechanisms, locales, etc. FCS could refer to either milestone depending upon context, which is why we generally avoid the term now.

This is probably way more than you wanted to know. :-)

Scott

[1] Revenue release may seem like a strange term for something that is free, but it's the point at which we could recognize revenue if we were charging for it.
Re: [osol-discuss] Solaris Jargon
andrew wrote:
> I have started to create a page to explain some of the jargon that is specific to Solaris and/or Sun but I'm stuck on a few terms. Can some knowledgeable folk possibly have a look and reply here with definitions for those I've not got meanings for, and also check I've got the rest correct? The page is here:
>
> http://sites.google.com/site/solarium/solaris-jargon
>
> Thanks
>
> Andrew.

Under the definition for WOS it's worth noting that this is the union of the objects delivered by all of the consolidations.

Scott
Re: [osol-discuss] Disabling unneeded services
Vincent Boisard wrote:
> 2. I want to disable services for two reasons: improving security and reducing resource usage.
> I have already disabled, for example, the web management console, to avoid running a JVM (I don't use the web console: it currently only manages ZFS and CLI tools are just fine). I also want to disable all the stuff related to Graphical Desktop (gnome and al.). I have tried to install only the packages I wanted (with jumpstart, building up from the mreq cluster), but I don't know solaris enough to know what is really needed and what can break the system if not present (had a lot of trouble with locales for example).

Disabling services you don't need is fine, but I suggest you concentrate on big pieces like the ones you mentioned (graphical desktop, web console). Disabling minor miscellaneous services is problematic because (a) it's harder to be sure you're not using the service in some way, and (b) the payoff in terms of resource consumption is likely to be small.

> 3. I've checked the default profile, and it seems already to be network limited. So I don't think netservices will do anything more for me

Right, that's the default setting. Netservices would be useful to get back to that state if you had changed it for some reason.

Scott
Re: [osol-discuss] Disabling unneeded services
Vincent Boisard wrote:
> Hello,
>
> I am currently trying to reduce the number of services running on my headless server.
> My main problem is that for most of them, I can't find info on what they do so I don't know if I need them or not. My system is headless so no X server, only cli.

1. You can get some basic information about any SMF service with 'svcs -x'. That information generally includes a man page where you can read a detailed description of what the service does.

2. You should think about *why* you are interested in disabling services. If it's to improve security by reducing your attack surface (the most common reason this issue comes up), then I suggest that you should concentrate your effort on *network* services which are reachable from outside your system. For that, your work is mostly done already; see #3 below.

3. If you haven't already done so, look at http://opensolaris.org/os/community/security/projects/sbd. There you can read about simple ways to disable all unnecessary network services.

Scott
Re: [osol-discuss] [ufs-discuss] PANIC! mounting cdrom slice on b78
Joerg Schilling wrote:
> Scott Rotondo <[EMAIL PROTECTED]> wrote:
>
>> Joerg Schilling wrote:
>>>
>>> Does it help to initialize the pointers to NULL?
>>>
>> Sure. This code
>>
>>     943         if (fsp)
>>     944                 kmem_free(fsp, sizeof (*fsp));
>>     945         if (svp)
>>     946                 kmem_free(svp, sizeof (*svp));
>>     947         if (jvp)
>>     948                 kmem_free(jvp, sizeof (*jvp));
>>
>> will behave very differently if those pointers are NULL rather than
>> uninitialized.
>
> I was interested in a useful reply for the OP case

Sorry, I don't know what you're asking.

> Did you run a test with the original filesystem, or what do you like to tell
> us here?

I didn't test anything. I was just pointing out, based on simple examination of the source code, that line 944 is sure to panic if fsp contains random bits, but if it's set to NULL then line 943 will prevent 944 from executing at all.

Scott
Re: [osol-discuss] [ufs-discuss] PANIC! mounting cdrom slice on b78
Joerg Schilling wrote:
> Juergen Keil <[EMAIL PROTECTED]> wrote:
>
>> Hmm, in usr/src/uts/common/fs/hsfs/hsfs_vfsops.c function hs_mountfs(),
>> whenever we use one of the first three |goto cleanup|, the local variables
>> |svp| and |jvp| are uninitialized. That should corrupt the kernel heap
>> when we kmem_free() with an uninitialized stack lock pointer in the
>> cleanup section ...
>>
>>     struct hs_volume *svp;      /* Supplemental VD for ISO-9660:1999 */
>>     struct hs_volume *jvp;      /* Joliet VD */
>>
>
> I have to admit that I am responsible for the uninitialized Joliet VD pointer.
> Duplicating code is simple and in this case even passed 4 code reviews.
>
> Does it help to initialize the pointers to NULL?
>

Sure. This code

    943         if (fsp)
    944                 kmem_free(fsp, sizeof (*fsp));
    945         if (svp)
    946                 kmem_free(svp, sizeof (*svp));
    947         if (jvp)
    948                 kmem_free(jvp, sizeof (*jvp));

will behave very differently if those pointers are NULL rather than uninitialized.

Scott
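The two messages above discuss a single-exit cleanup block that frees pointers which, on some early `goto cleanup` paths, were never assigned. The following is an added example written for this page, not the hsfs source: a user-space sketch of the same idiom with the fix applied (every pointer the cleanup block may free starts out NULL). The `vol_t` type, `mount_volume()`, the counting allocator and the three-character "descriptor" input are assumptions made for illustration; `malloc()`/`free()` stand in for `kmem_alloc()`/`kmem_free()`. The allocation counter lets a caller confirm that every exit path, early or late, leaves nothing leaked and frees nothing twice.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not the hsfs source: the "goto cleanup" idiom from the
 * thread written so that every exit path is safe. vol_t, mount_volume(),
 * the counting allocator and the descriptor string are assumptions;
 * malloc()/free() stand in for kmem_alloc()/kmem_free().
 */
typedef struct vol {
    char label[16];
} vol_t;

static int allocs_live;          /* outstanding vol_t allocations */

static vol_t *vol_alloc(void)
{
    vol_t *v = calloc(1, sizeof (*v));
    if (v != NULL)
        allocs_live++;
    return (v);
}

static void vol_free(vol_t *v)
{
    allocs_live--;
    free(v);
}

/*
 * desc[0..2] describe the primary, supplemental and Joliet descriptors:
 * '1' present, '0' absent, 'X' a simulated read error that forces an
 * early exit before the remaining pointers would have been assigned.
 * On success *out_found is the number of descriptors seen.
 */
int mount_volume(const char *desc, int *out_found)
{
    /*
     * The fix from the thread: every pointer that cleanup may free is
     * initialized to NULL, so "if (p) free(p)" is a no-op on paths that
     * leave before p is assigned. Left uninitialized, svp and jvp would
     * hold stale stack contents and the free below would corrupt the heap.
     */
    vol_t *fsp = NULL, *svp = NULL, *jvp = NULL;
    int error = 0, found = 0;

    if (desc == NULL || strlen(desc) < 3) {
        error = EINVAL;
        goto cleanup;            /* nothing allocated yet */
    }
    if (desc[0] == 'X') {
        error = EIO;
        goto cleanup;            /* still nothing allocated */
    }
    if ((fsp = vol_alloc()) == NULL) {
        error = ENOMEM;
        goto cleanup;
    }
    found++;

    if (desc[1] == 'X') {
        error = EIO;
        goto cleanup;            /* fsp live; svp and jvp never assigned */
    }
    if (desc[1] == '1') {
        if ((svp = vol_alloc()) == NULL) {
            error = ENOMEM;
            goto cleanup;
        }
        found++;
    }

    if (desc[2] == 'X') {
        error = EIO;
        goto cleanup;            /* fsp and maybe svp live; jvp untouched */
    }
    if (desc[2] == '1') {
        if ((jvp = vol_alloc()) == NULL) {
            error = ENOMEM;
            goto cleanup;
        }
        found++;
    }
    *out_found = found;          /* descriptors consumed; temporaries go */

cleanup:
    /* Same shape as lines 943-948 above; safe only because of the NULL initializers. */
    if (fsp)
        vol_free(fsp);
    if (svp)
        vol_free(svp);
    if (jvp)
        vol_free(jvp);
    return (error);
}

/* For callers and tests: a leak or a double free shows up as a non-zero count. */
int live_allocations(void)
{
    return (allocs_live);
}
```

Calling `mount_volume()` with inputs such as `"111"`, `"1X1"`, `"X11"` or `"10X"` drives each exit path; `live_allocations()` should read 0 after every call. Remove the `= NULL` initializers and the `"1X1"` and `"10X"` paths become the undefined behaviour the thread describes.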
Re: [osol-discuss] In Unix
Andrew Watkins wrote:
> Come on folks! The first answer should be "What has this got to do
> with OpenSolaris?"
>
> But you are presuming that the file has only the 4 lines in it. What
> happens if the crontab is much longer
>
>     # more data here
>     0 0 * * * /usr/bin/true
>     #Start of lines added by SUNWscu
>     20 4 * * 0 /usr/cluster/lib/sc/newcleventlog /var/cluster/logs/eventlog
>     20 4 * * 0 /usr/cluster/lib/sc/newcleventlog /var/cluster/logs/DS
>     # End of lines added by SUNWscu
>
> try:
>
>     % awk ' { if ( $0 ~ /^#Start of lines added by SUNWscu/ ) { START=1 } else if ( $0 ~ /^# End of lines added by SUNWscu/ ) { START=0 } else if ( START==1 ) { print $0 } } '
>
> Andrew

Actually, awk has built-in support for this idiom:

    awk '/Start.*SUNWscu/,/End.*SUNWscu/'

will do the same thing. Daniel Rock pointed out in another email that sed supports this syntax also.

Scott
Re: [osol-discuss] Longest uptime?
Shawn Walker wrote:
> Not only that, is uptime really an indicator of operating system
> reliability, or hardware reliability and system administration
> policies?

Or lack of system use?

Scott
Re: [osol-discuss] Tab auto-completion doesn't work?
Jennifer Pioch wrote:
> On 1/30/08, James Carlson <[EMAIL PROTECTED]> wrote:
>> Jennifer Pioch writes:
>>> On 1/30/08, Richard Zhao <[EMAIL PROTECTED]> wrote:
>>>> I just come to solaris from linux, and find Tab auto-completion doesn't work in console. why?
>>> # cp /usr/bin/i86/ksh93 /sbin/sh
>>> will fix your problem.
>> Unless, of course, you ever upgrade your system. In that case, your
>> change will be silently removed, because that's packaged as a type 'f'
>> file, meaning that the contents of the file should not be altered by
>> the user because it's not an administrative interface.
>
> How do I make the change permanent?
>

You change the entry in /etc/passwd to refer to your preferred shell.

Scott
Re: [osol-discuss] less
Alan Coopersmith wrote:
> Thommy M. Malmström wrote:
>> Seems as if there was a change in default behaviour of the less command
>> between b72 and b76. It now clears the screen at exit which I find most
>> annoying. Or is it the GNOME terminal that has changed???
>>
>> Anyway, why have the behaviour changed???
>
> The terminfo data for terminal type "xterm" changed.
>     6569261 xterm, xtermc, xterm-color: smcup/rmcup definitions are incorrect/missing

I first noticed this behavior change when running vi. At least for an editor, I think using the alternate screen is a distinct improvement.

Scott
Re: [osol-discuss] Lines of Code
Anil Gulecha wrote:
>>
>> Total 40012 files, 8793366 lines
>>
>
> That's funny, I remember seeing '11m' mentioned in some opensolaris
> slides. Marketing to blame?

Remember my example about cat.c, where wc -l shows 630 lines, but my tool reports 379 lines? It's likely that the 11M number is from a straightforward wc -l, especially given that the same methodology today (about 16 months later) reports 12.9M.

Scott
Re: [osol-discuss] Lines of Code
Edward Pilatowicz wrote:
>
> given the total file count i'd guess that these numbers are
> just for ON, which is only one component of opensolaris.
> ed

Good point. I did my count on the ON usr/src tree because I had it conveniently available (/ws/onnv-clone/usr/src at Sun).

Scott
Re: [osol-discuss] Lines of Code
Jim Grisanzio wrote:
> hey ... anyone have an updated count of the number of lines of code in
> the OpenSolaris source?
>
> Jim

    (Ada)          33 files,     18944 lines
    (Tcl)           6 files,      1028 lines
    (make)       5016 files,    101157 lines
    (other)      2520 files,    805011 lines
    (Pascal)        1 files,        27 lines
    (Lisp)         24 files,      6793 lines
    (Java)        714 files,    102802 lines
    (Perl)       2440 files,    368705 lines
    (shell)      6197 files,    822722 lines
    (C++)         902 files,    353252 lines
    (Awk)          18 files,      1374 lines
    (Assembly)    686 files,    133825 lines
    (C)         21455 files,   6077726 lines
    Total       40012 files,   8793366 lines

Some of the language identification is a little off; we don't really have any Ada code, for example. But it's about 6.4M lines of C/C++, or 8.8M lines if you count everything, including text files.

Note that these totals refer to real lines of code, excluding comments, blank lines, etc. The one exception is the "other" category (e.g. text files) where the count is simply the number of lines in the file. For an example of the difference, look at usr/src/cmd/cat:

    (C)          379 ./cat.c
    (make)        10 ./Makefile
    =
    (make)      1 files,     10 lines
    (C)         1 files,    379 lines
    Total       2 files,    389 lines

    $ wc -l cat.c Makefile
         630 cat.c
          47 Makefile
         677 total
Re: [osol-discuss] Apple bought CUPS source code.
Brian Gupta wrote:
> Here's the basic truth about Apple and OpenSource:
> http://ezine.daemonnews.org/200602/apple.html

The first half-dozen paragraphs, describing the obstacles facing external developers when the Apple source was still reasonably open, seem eerily familiar.

    s/Apple/Sun/g
    s/2000/2005/g

Scott
Re: [osol-discuss] backspace key not working on Java environment
Anne wrote:
> All
>
> When I start Xwindows from my workstation and connect to my Solaris 10 boxes, and I choose the Sun Java Desktop (not the classic CDE), I can't use the backup space key in the terminal windows. It's terribly annoying and in fact, I have to run CDE from now on because of it. I've tried changing the profile on it to allow the CTRL+H to be mapped to the backspace key, but doesn't work. Any ideas out there?

It sounds like you're suffering from CR 6173972, but turning off numlock should have been an effective workaround for that problem. Another workaround for that problem is this environment variable setting: _AWT_USE_TYPE4_PATCH=false.

Scott
Re: [osol-discuss] E_SEC_SHELL_WARN ( running lint )
Ian Collins wrote:
>     sprintf (start_command,"%s", "/opt/SUNWdsee/start-slapd");
>     (void) system(start_command);
>
> In addition to the other reply, you shouldn't have to use the ghastly
> (void)system() just to silence lint warnings.

Well, you *could* examine the return value and deal with any errors that are returned.

Incidentally, that sprintf() call should generate a warning too, since the "%s" format string doesn't limit the amount of output that could be generated (though the fixed argument string does). The usual fix is to replace sprintf() with snprintf(), though in this case I would replace both lines with:

    (void) system("/opt/SUNWdsee/start-slapd");

[assuming you ignore all the other advice about launching daemons using SMF, not using system(), etc.]

Scott
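Scott's reply makes two points: bound the formatting with snprintf() instead of sprintf(), and look at what system() returns instead of discarding it with a (void) cast. The following is an added example, not code from the thread or from the SUNWdsee package: `build_command()` detects the case where the path would not fit the buffer, and `decode_status()` turns the raw wait status from system() into an exit code a caller can act on. The function names, the 16-byte buffer and the `main()` usage are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/*
 * Added example, not code from the thread: the two fixes Scott describes,
 * bounding the format with snprintf() and actually looking at what
 * system() returns. Function names and the buffer size are assumptions.
 */

/*
 * Copy a command path into buf with a bound. Returns 0 on success and -1
 * when the result would not fit; snprintf() reports the length it wanted,
 * where sprintf(buf, "%s", path) would have written past the end of buf.
 */
int build_command(char *buf, size_t buflen, const char *path)
{
    int n = snprintf(buf, buflen, "%s", path);

    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';       /* never hand back a half-written command */
        return (-1);
    }
    return (0);
}

/*
 * Turn the raw status system() returns into a value a caller can act on:
 * the child's exit status, 128 + signal number if it was killed, or -1
 * if the shell itself could not be started.
 */
int decode_status(int status)
{
    if (status == -1)
        return (-1);             /* fork() or exec() of the shell failed */
    if (WIFEXITED(status))
        return (WEXITSTATUS(status));
    if (WIFSIGNALED(status))
        return (128 + WTERMSIG(status));
    return (-1);
}

/* Run cmd and report its outcome instead of discarding it with (void). */
int run_command(const char *cmd)
{
    return (decode_status(system(cmd)));
}

/* Constructed usage: the thread's command built into a deliberately small buffer. */
int main(void)
{
    char cmd[16];

    if (build_command(cmd, sizeof (cmd), "/opt/SUNWdsee/start-slapd") == -1) {
        fprintf(stderr, "command does not fit in %zu bytes\n", sizeof (cmd));
        return (1);
    }
    return (run_command(cmd) == 0 ? 0 : 1);
}
```

With the 16-byte buffer the 25-character path is rejected rather than overflowing, which is exactly the case the unbounded "%s" leaves open; a caller that checks `run_command()` also learns whether the daemon's start script failed, something the original `(void) system()` silently threw away.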
Re: [osol-discuss] xpg/bin/tr unexpect output on Sparc?
Steven Xie wrote:
>     echo EFG|/usr/xpg4/bin/tr '[EFG]' '[pBC]'
>     Segmentation Fault (core dumped)
>     echo EFG|/usr/xpg6/bin/tr '[EFG]' '[pBC]'
>     Segmentation Fault (core dumped)
>     echo EFG|/usr/bin/tr '[EFG]' '[pBC]'
>     pBC
>
> hard to pick now.

This is crazy. Has anybody filed a bug yet?

Scott
Re: [osol-discuss] Project Proposal - TPM Drivers
Darren J Moffat wrote:
> Eric Boutilier wrote:
>> Thanks, Wyllys. Your proposal has been seconded. I'll contact you offline to get you set up.
>
> Given the project is more than just a driver for the TPM chip to plugin to the crypto framework can we *please* use a project name that reflects that, please.

Will do.

Scott
Re: [osol-discuss] Re: Re: telnetd exploit
Donald Brownlee wrote:
> I installed update 3 Saturday. I think that I had to check the box other than the one that was checked by default -- maybe I misread the explanation?

No, you're correct. In Solaris 10, you need to give a non-default answer to the install question in order to get the configuration that disables network services like telnet. If you install Solaris Express (or a distro built from OpenSolaris) you get this configuration by default, and there is no install question.

Scott
Re: [osol-discuss] Project Proposal - TPM Drivers
Darren J Moffat wrote:
> Wyllys Ingersoll wrote:
>> I would like to propose a new project for OpenSolaris.org. The project will be called "Solaris TPM Drivers". The goal is to create TPM (Trusted Platform Module) kernel drivers and cryptographic framework plugins for OpenSolaris to facilitate future secure computing work. Having properly plumbed TPM support will allow applications to take advantage of the HSM (Hardware Storage Module) features offered by TPMs currently deployed on many systems (x86/64 and SPARC).
>
> We don't need a project for that; that can be covered by the existing crypto project if this is just about using them as crypto framework plugins. That is already in scope for the crypto project that already exists on opensolaris.org. If what you really want is a project to support a full TCG stack (whatever that may mean) then I would agree. If this is just drivers for the crypto framework then we don't need a separate project for that.

The project is more than a driver for the crypto framework. It does include the software stack (TSS) for TCG applications as well.

Scott
Re: [osol-discuss] Project Proposal - TPM Drivers
Wyllys Ingersoll wrote:
> I would like to propose a new project for OpenSolaris.org. The project will be called "Solaris TPM Drivers". The goal is to create TPM (Trusted Platform Module) kernel drivers and cryptographic framework plugins for OpenSolaris to facilitate future secure computing work. Having properly plumbed TPM support will allow applications to take advantage of the HSM (Hardware Storage Module) features offered by TPMs currently deployed on many systems (x86/64 and SPARC). This project would be under the Security and Kernel Driver communities and we hope to attract outside contributions for different TPM chips.

+1

Scott
Re: [Fwd: Re: [osol-discuss] GPLv3?]
Stephen Harpster wrote:
> We're wondering if this would increase participation. There are a lot of GPL bigots out there. If OpenSolaris were available under GPL, would there be more people willing to participate who have to date ignored us because we're CDDL only?

That seems unlikely. At least, we have no indication that anyone in that camp would be satisfied by GPLv3. In fact, do we have *any* example of someone who said, "I was all set to contribute my code to OpenSolaris, but then I saw the CDDL license and decided against it"?

Scott
Re: [osol-discuss] Assembler Output
Deepak Bhatia wrote:
> When we do
>     #cc test.c
> We get a.out file but it is again ELF File format file.

A.out is the name of a binary format that predates ELF. This compiler always produces ELF output files, even if the file name happens to be "a.out".

> Hi, I am working on a project related to the dynamic linker on Solaris. This involves understanding the code from /usr/src/cmd/sgs/rtld/ directory. When I create an ELF File on my i386 machine with Solaris Nevada and execute the code
>     ./ld.so.1 a.out
> I am not able to reach the file a.out.c which it looks like is used to handle old a.out (Assembler OUTput) file. Please confirm if this is true or not.

Correct. That code is used for a.out *format* files (which today's compiler will not generate), not files named a.out.

Scott
Re: [osol-discuss] problem with /tmp FS still up
wb wrote:
> Hi. I have a /tmp FS for swap, and a really big file crout* inside. The /tmp was 95% up. I decided to remove the crout file. The problem, is the /tmp is not decreasing, but still growing. How could I make it decrease?

Removing the file just deletes the directory entry in /tmp. The space is not reclaimed until all references to the file, including open file descriptors, are removed. Another email in this thread already supplied some good ideas about finding the process that has the file open.

Scott
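The behaviour Scott describes can be observed directly from a program: unlink the file while a descriptor to it is still open and fstat() shows a link count of zero but the full size still allocated. The following is an added example, not code from the thread: it creates a temporary file under /tmp, fills it, removes its name, and reports what the kernel still holds for it before the last descriptor is closed. The `/tmp/crout.XXXXXX` name template and the byte pattern are constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Added example illustrating the point above: rm removes the directory
 * entry, but the blocks stay allocated until the last open descriptor is
 * closed. The /tmp name template and the byte pattern are constructed.
 */

/*
 * Create a file, fill it with `size` bytes, unlink it while still open and
 * report what the kernel still knows about it. Returns 0 on success, -1 on
 * any system call failure.
 */
int unlinked_but_open(size_t size, nlink_t *links_after_unlink,
    off_t *size_after_unlink, int *still_readable)
{
    char path[] = "/tmp/crout.XXXXXX";    /* constructed name template */
    int fd = mkstemp(path);
    if (fd == -1)
        return (-1);

    char *buf = malloc(size);
    if (buf == NULL) {
        close(fd);
        unlink(path);
        return (-1);
    }
    memset(buf, 'x', size);
    ssize_t written = write(fd, buf, size);
    free(buf);
    if (written < 0 || (size_t)written != size) {
        close(fd);
        unlink(path);
        return (-1);
    }

    /* "rm crout*": the name disappears from /tmp... */
    if (unlink(path) == -1) {
        close(fd);
        return (-1);
    }

    /* ...yet the inode and its data survive as long as fd is open. */
    struct stat st;
    if (fstat(fd, &st) == -1) {
        close(fd);
        return (-1);
    }
    *links_after_unlink = st.st_nlink;  /* 0: no directory entry refers to it */
    *size_after_unlink = st.st_size;    /* unchanged: the space is still consumed */

    char c = 0;
    *still_readable = (pread(fd, &c, 1, 0) == 1 && c == 'x');

    /* The last reference goes away here, and only now is the space freed. */
    close(fd);
    return (0);
}
```

This is the same state the original poster's system was in: the name was gone, so du and ls showed nothing, but a process still held the descriptor, so df kept reporting the space as used. Closing the descriptor (or ending the process that holds it) is what releases it.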
Re: [osol-discuss] backup software?
Darren J Moffat wrote:
> Patrick wrote:
>> just wondering if there is any free software to back-up and keep up-to-date certain folders on my hard drive to external hard drive? basically i need to be able to plug in my external USB HD and be able to tell which files have changed and which files are new and copy them down. i thought about using CVS or Subversion and checking in the directories i want to keep backed up, but perhaps there's something better suited for the job out there?
>
> filesync(1)
>
> http://cvs.opensolaris.org/source/xref/on/usr/src/cmd/filesync/
>
> Even has a README in the source to show how it works.

I use filesync(1) all the time to maintain identical copies of my home directory on my laptop and my desktop system. It's great because I can have access to my complete environment even when disconnected from the network, and any file changes I make are reflected everywhere the next time I connect to the network.

Scott
Re: [osol-discuss] Re: Adding commands to a rights profile in Sol 10 w/TX
[EMAIL PROTECTED] wrote:
>> #!/bin/csh       Refuses to run if real and effective uids don't match.
>
>     #!/bin/csh -b    Runs set-uid scripts just fine

Yes, to be complete I should have included csh -b. The point I wanted to emphasize, however, is that csh (with no options) will refuse to run the script if the uids don't match, while sh will silently reset the euid.

Scott
[osol-discuss] Re: Adding commands to a rights profile in Sol 10 w/TX
James Hardwick wrote:
> So I have been working in Solaris, and *nix in general recently for the first time in a long long while. Trying to do various things which may be easy to you guys, but not so much to me. Anyways, here goes it...
>
> I am currently running in Solaris 10 w/ TX, build 42. I have a script

Nit: You're running Solaris Nevada, not Solaris 10. It doesn't matter for this issue, but it might for some future question.

> which needs to run as though it were root, only when a certain user calls it. I create a rights profile within the SMC modeling it nearly identically to Basic Solaris User, add the desired script as a command, go into "Set Attributes" and set its EUID as root. I then add this rights profile to the user I desire to execute it as root. Within the script, I do an:
>
>     echo `/usr/ucb/whoami` > blah/blah/blah/blah.log
>
> Since I figure this should print out the EUID running the script, which I expect to be root. Well, when run, the log shows the user I assigned the rights profile to, NOT root as I expected (or rather hoped for). I tested to see if that truly was the case by placing shutdown in the script. When running the script, I get an error along the lines "/usr/sbin/shutdown can only be run as root". So I know for a fact the script is not running with an EUID of root. So, why is this? I thought you were supposed to be able to do this with the Rights Profiles?

It's possible, of course, that the new Rights Profile you created is not set up correctly. However, it's more likely that RBAC is working just fine and you've run into a subtlety of shell script behavior.

In general, shell scripts don't behave like other programs when the real and effective uids don't match. You will see different behavior depending on which shell interprets your shell script (determined by the #! directive at the top of the script). Here's what you can expect:

    #!/bin/sh        Effective uid is reset to match real uid.
    #!/bin/sh -p     Mismatched real/effective uid allowed.
    #!/bin/ksh       Allows mismatched real/effective uid, like sh -p.
    #!/bin/csh       Refuses to run if real and effective uids don't match.

You can see these different behaviors by changing the first line of your shell script to the various possibilities above. The behavior you observed is correct if the shell interpreter is /bin/sh. You can get the effect you want by changing it to /bin/sh -p or /bin/ksh.

Scott