Can anyone tell me why rpcbind not only binds to udp/111, but also
to some other random udp port above 32770? I can find lots of information
about this being a vulnerability and this and that, but I really cannot find any
information as to the functional reason for this.
Thanx
Kevin
This mess
>Henry B. Hotz wrote:
>> On Mar 19, 2008, at 9:06 AM, Jan Pechanec wrote:
>>
>>
>>> On Wed, 19 Mar 2008, Casper.Dik at Sun.COM wrote:
>>>
>>>
Powercycling a system during certain parts of boot is almost
guaranteed to cause the next boot to fail with a corrupted registry.
On Wed, 19 Mar 2008, Jeffrey Hutzelman wrote:
>> unfortunately I don't know too much about SMF so I'm also concerned
>> about probably not only my favourite way of running ssh with changed
>> configuration:
>>
>> sshd -f /dev/null -o -o
>>
>> this way would now mean to con
>There've been troubles (particularly in the logging system) where
>deleting a file, creating a new one, and then crashing before the
>directory updates themselves get out to disk causes havoc such as you
>describe.
>
>Search the bug database. In any event, Casper's right. It's possible
>to mak
>I'm pretty sure that the SQLite community really cares about this. And
>I think we need much more info before we blame any one component (so I
>blamed UFS too soon, sue me :)
>
>My recent experience with UFS left me thinking it's just not at all
>reliable in some circumstances.
There are three
On Wed, Mar 19, 2008 at 1:36 PM, James Carlson
wrote:
>
> > Viewing things stored in SMF is not easy and nor is there
> > a way to present and edit what's stored in SMF with the
> > same ease as "vi /etc/ssh/sshd_config".
>
> We've been over this ground before. See the original Greenline cas
>Well, that UFS problem seemed so random... (or perhaps DHCP was updating
>my hosts file?)
Likely (updated it, or updated it somewhere in a distant past)
>IIRC SQLite first writes to the journal and fsyncs that, then it writes
>to the DB and then fsyncs that, finally it removes the journal.
Wi
>Industry experience suggests that it is not possible to get *anything*
>right the first time. I hope that's not a reason for never doing
>anything new.
Touché
>> I very much like the fact that SMF allows me to disable a service once and
>> for all; it's too bad that some services conspire
>Boy, y'all misunderstood what this proposal was about:
>
>_augment_, not replace.
*sigh*
>
>I've tapped a raw vein of dislike of SMF, a blinding dislike.
It was not my intention to start a flamewar; nor should you infer
that I dislike SMF. It has, however, some rough edges that I think
we
>Then I don't see how SMF/SQLite can protect itself. I mean, the
>contents of /etc/inet/hosts on my laptop had been *completely* replaced
>with some other file's content (I forget which). I wonder if the fact
>that the system came up without forcing single-user mode (to manually
>fsck /) had any
>I'm real curious about this. For example, would upgrading to SQLite3
>help? Or is there a fundamental problem with SQLite2 that is not
>changed in 3? Or can SMF recover more intelligently? Or is this more
>of a UFS reliability issue that ZFS boot will help with?
I have no idea what the
Dan Anderson wrote:
> Here's a review for CR 6665607 Need a SHA256/SHA384/SHA512 implementation
> optimized for 64-bit x86
> http://dan.drydog.com/reviews/6665607-sha2/
>
usr/src/common/crypto/sha2/amd64/sha512-x86_64.pl
KY-1lines 220, 314 T3
No need for these lines as this is just a di
On Wed, Mar 19, 2008 at 03:39:23PM -0700, Henry B. Hotz wrote:
> The fact that SMF's internals are so deliberately opaque makes it
> impossible for a typical admin to see if that is the case. The fact
> that so many people (who don't want to) are *required* to deal with
> SMF means there are
On Wed, Mar 19, 2008 at 03:36:00PM -0700, Darren Reed wrote:
> Nicolas Williams wrote:
> >I *like* the SMF UI. I was a senior sysadmin for seven years at a large
> >investment bank. I am proof that there are sysadmins who like this.
> >I know many don't. An existence proof was all I needed to ma
>Casper.Dik at sun.com wrote:
>> The Registry model is NOT one to aspire to.
>
>I have to just completely disagree there. I think there are numerous
>advantages to such a model, and very few disadvantages.
Unfortunately, the "few disadvantages" are, IMHO, show stoppers.
(the ability to hide all
On Wed, 19 Mar 2008, James Carlson wrote:
>Jeffrey Hutzelman writes:
>> So, my preference is for my platform-independent sshd_config to have the
>> same effect on the next Solaris port we do as it's had on every previous
>> platform since we started supporting ssh.
>
>The config-file-overrides-S
On Wed, Mar 19, 2008 at 03:17:34PM -0700, Lyndon Nerenberg wrote:
> >As a former sysadmin I believe what's missing is remote access. The
> >rest is fine. You're generalizing.
>
> No, what's missing is a simple way for the human sysadmin to view and
I *like* the SMF UI. I was a senior sysadmin
On Wed, 19 Mar 2008, Casper.Dik at Sun.COM wrote:
>Secondly, SMF has already proven to me to be too fragile because either
>the underlying database technology is not reliable or the way it uses
>that technology is prone to failures. Powercycling a system during
>certain parts of boot is almost g
>As more of an admin than a developer, I agree the centralized
>enable/disable of SMF is valuable. As are the log files you mention
>below. Some configurability in SMF is also useful, starting multiple
>instances of the same service for instance.
Personally, I think we already erred too muc
On Mon, 17 Mar 2008, Nicolas Williams wrote:
>> The Subsystem directive requires special treatment, since it is used
>> multiple times to declare multiple subsystems. This could be done by
>> treating a multi-valued subsystem property specially, or by using a
>> completely different approach f
On Wed, Mar 19, 2008 at 02:40:28PM -0700, Darren Reed wrote:
> My personal theory on why is simple:
> SMF was developed by developers and not system admins.
As a former sysadmin I believe what's missing is remote access. The
rest is fine. You're generalizing.
Chris Ricker wrote:
> On Wed, 19 Mar 2008, Nicolas Williams wrote:
>
>> Hmmm... We don't do user proximity detection, so we don't audit when
>> users get up and go to the restroom, say. If users can run their own
>> screen lock programs then where do we audit the lock/unlock? In the X11
>> serv
--On Wednesday, March 19, 2008 08:57:24 PM +0100 Jan Pechanec
wrote:
> On Wed, 19 Mar 2008, Jeffrey Hutzelman wrote:
>
>>> unfortunately I don't know too much about SMF so I'm also concerned
>>> about probably not only my favourite way of running ssh with changed
>>> configuration:
>>>
>>>
> By its nature bootup is (or should be anyway) a read-only activity for
> config files. I was reacting to the claim that rebooting during boot
> could corrupt SMF's configuration. (Granted that claim may have been
> exaggerated.)
That claim is just wrong. The only way rebooting during
On Mar 19, 2008, at 1:50 PM, Mike Shapiro wrote:
> On Wed, Mar 19, 2008 at 09:37:22AM -0700, Henry B. Hotz wrote:
>>
>> On Mar 19, 2008, at 9:06 AM, Jan Pechanec wrote:
>>
>>> On Wed, 19 Mar 2008, Casper.Dik at Sun.COM wrote:
>>>
Powercycling a system during certain parts of boot is almost
>>
Nicolas Williams wrote:
>On Wed, Mar 19, 2008 at 03:17:34PM -0700, Lyndon Nerenberg wrote:
>
>
>>>As a former sysadmin I believe what's missing is remote access. The
>>>rest is fine. You're generalizing.
>>>
>>>
>>No, what's missing is a simple way for the human sysadmin to view and
>>
--On Wednesday, March 19, 2008 05:30:34 PM +0100 Jan Pechanec
wrote:
> On Wed, 19 Mar 2008, James Carlson wrote:
>
>> Jeffrey Hutzelman writes:
>>> So, my preference is for my platform-independent sshd_config to have
>>> the same effect on the next Solaris port we do as it's had on every
>>> pr
--On Tuesday, March 18, 2008 08:01:01 PM -0700 Bart Smaalders
wrote:
> Henry B. Hotz wrote:
>
>> I find it really
>> difficult to invest time in learning single-platform technologies.
>
> That makes it difficult to do innovation, since we need to convince
> other OSes to use our technology befor
> On Wed, Mar 19, 2008 at 02:40:28PM -0700, Darren Reed wrote:
>> My personal theory on why is simple:
>> SMF was developed by developers and not system admins.
>
> As a former sysadmin I believe what's missing is remote access. The
> rest is fine. You're generalizing.
No, what's missing is a si
--On Wednesday, March 19, 2008 10:55:26 AM -0500 Nicolas Williams
wrote:
> On Wed, Mar 19, 2008 at 08:24:12AM -0800, Gary Winiger wrote:
>> > Nicolas Williams wrote:
>> > > But one thing is clear: the architectural direction for Solaris is
>> > > and long has been to move away from configuration
Bart Smaalders wrote:
>Henry B. Hotz wrote:
>
>
>
>>I find it really
>>difficult to invest time in learning single-platform technologies.
>>
>>
>
>That makes it difficult to do innovation, since we need to convince
>other OSes to use our technology before you will use it :-).
>
>So far we'
Jan Pechanec wrote:
>On Wed, 19 Mar 2008, James Carlson wrote:
>
>
>
>>Jeffrey Hutzelman writes:
>>
>>
>>>So, my preference is for my platform-independent sshd_config to have the
>>>same effect on the next Solaris port we do as it's had on every previous
>>>platform since we started suppor
Nicolas Williams writes:
> On Wed, Mar 19, 2008 at 06:54:00PM +0100, Casper.Dik at Sun.COM wrote:
> >
> > >Then I don't see how SMF/SQLite can protect itself. I mean, the
> > >contents of /etc/inet/hosts on my laptop had been *completely* replaced
> > >with some other file's content (I forget whi
On Wed, Mar 19, 2008 at 09:37:22AM -0700, Henry B. Hotz wrote:
>
> On Mar 19, 2008, at 9:06 AM, Jan Pechanec wrote:
>
> > On Wed, 19 Mar 2008, Casper.Dik at Sun.COM wrote:
> >
> >> Powercycling a system during certain parts of boot is almost
> >> guaranteed to cause the next boot to fail with a
On Wed, Mar 19, 2008 at 02:10:56PM -0400, James Carlson wrote:
> Nicolas Williams writes:
> > Well, that UFS problem seemed so random... (or perhaps DHCP was updating
> > my hosts file?)
>
> There've been troubles (particularly in the logging system) where
> deleting a file, creating a new one, an
Gary Winiger writes:
> > How can an OpenSolaris developer see the original Greenline case for
> > details ?
>
> Have you tried, http://opensolaris.org/os/community/smf/
> There's far more complete information there than you find in the
> draft opinion.
If you're interested in how
Cyril Plisko writes:
> On Wed, Mar 19, 2008 at 1:36 PM, James Carlson
> wrote:
> >
> > > Viewing things stored in SMF is not easy and nor is there
> > > a way to present and edit what's stored in SMF with the
> > > same ease as "vi /etc/ssh/sshd_config".
> >
> > We've been over this ground be
Bernd Schemmer writes:
> I still don't understand why Sun is going here the "Windows Way" --
> Windows has already proven that this is the wrong way.
Because PSARC 2002/547 ("Greenline") specified it that way. It's not
much more complex than that, and those wishing to change that
direction (rat
All what Jordan wrote. +1
On Wed, Mar 19, 2008 at 07:15:00PM +0100, Casper.Dik at Sun.COM wrote:
> >IIRC SQLite first writes to the journal and fsyncs that, then it writes
> >to the DB and then fsyncs that, finally it removes the journal.
>
> Without knowing the exact protocol and sequence of updates, it is
> impossible to
On Wed, Mar 19, 2008 at 07:02:28PM +0100, Casper.Dik at Sun.COM wrote:
>
>
> >Boy, y'all misunderstood what this proposal was about:
> >
> >_augment_, not replace.
>
> *sigh*
> >
> >I've tapped a raw vein of dislike of SMF, a blinding dislike.
>
> It was not my intention to start a flamewar
Casper.Dik at Sun.COM writes:
> Removing /etc/ssh/sshd_config seems counter-productive, specifically
> considering that we do not offer a way to make SMF changes during install.
I don't think that any of the proposed mechanisms so far included the
removal of sshd_config.
If any did, then I'd lik
On Wed, Mar 19, 2008 at 06:54:00PM +0100, Casper.Dik at Sun.COM wrote:
>
> >Then I don't see how SMF/SQLite can protect itself. I mean, the
> >contents of /etc/inet/hosts on my laptop had been *completely* replaced
> >with some other file's content (I forget which). I wonder if the fact
> >that
On Wed, Mar 19, 2008 at 06:20:36PM +0100, Bernd Schemmer wrote:
> >>The Registry model is NOT one to aspire to.
>
> I think that Solaris is going the wrong way with SMF. SMF as replacement
> for the init scripts is okay - but I don't think it's a good idea to
> replace existing config files with
> Jeffrey Hutzelman wrote:
> > Sorry; but I'm going to return us to this flamewar...
> >
> > --On Thursday, March 06, 2008 02:43:00 PM -0600 Nicolas Williams
> > wrote:
> >
> >> PAM modules may require any and all [zone] privileges. Using PAM
> >> requires all [zone] privileges.
> >
> > This
On Wed, 19 Mar 2008, Nicolas Williams wrote:
> Hmmm... We don't do user proximity detection, so we don't audit when
> users get up and go to the restroom, say. If users can run their own
> screen lock programs then where do we audit the lock/unlock? In the X11
> server, I'd think, since in that
On Wed, Mar 19, 2008 at 06:01:31PM +0100, Casper.Dik at Sun.COM wrote:
> >I'm real curious about this. For example, would upgrading to SQLite3
> >help? Or is there a fundamental problem with SQLite2 that is not
> >changed in 3? Or can SMF recover more intelligently? Or is this more
> >of a
Henry B. Hotz wrote:
> On Mar 19, 2008, at 9:06 AM, Jan Pechanec wrote:
>
>
>> On Wed, 19 Mar 2008, Casper.Dik at Sun.COM wrote:
>>
>>
>>> Powercycling a system during certain parts of boot is almost
>>> guaranteed to cause the next boot to fail with a corrupted registry.
>>>
>
> W
On Wed, Mar 19, 2008 at 09:37:22AM -0700, Henry B. Hotz wrote:
>
> On Mar 19, 2008, at 9:06 AM, Jan Pechanec wrote:
>
> > On Wed, 19 Mar 2008, Casper.Dik at Sun.COM wrote:
> >
> >> Powercycling a system during certain parts of boot is almost
> >> guaranteed to cause the next boot to fail with a
On Wed, Mar 19, 2008 at 05:06:55PM +0100, Jan Pechanec wrote:
> On Wed, 19 Mar 2008, Casper.Dik at Sun.COM wrote:
>
> >Secondly, SMF has already proven to me to be too fragile because either
> >the underlying database technology is not reliable or the way it uses
> >that technology is prone to fai
eparated though?
What is being held accountable? to what?
How is Format different from Data Validation?
-Kyle
> Gary..
>
> Bernd Schemmer writes:
> > I still don't understand why Sun is going here the "Windows Way" --
> > Windows has already proven that this is the wrong way.
>
> Because PSARC 2002/547 ("Greenline") specified it that way. It's not
> much more complex than that, and those wishing to change that
>
Nicolas Williams wrote:
>> But putting it in there will make certain things worse: such as the
>> familiarity with other OSes.
>
> Again, the config file wouldn't go away; the purpose of this proposal is
> to make it easier to setup new instances that differ very little from
> the default ins
ere my log files are, how to do basic admin and
> (above all), I can now log into my machine when the building yp servers
> are completely
> fubar'd.
>
> - Bart
>
>
> >> Just curious. What is/was the reasoning/logic behind this change?
> >> What was seen as being so valuable that would overcome the negatives of
> >> being so different from other Unix platforms?
> >>
> >
> > Separation of duties and accountability to name two. Data
> > validation
On Wed, Mar 19, 2008 at 08:24:12AM -0800, Gary Winiger wrote:
> > Nicolas Williams wrote:
> > > But one thing is clear: the architectural direction for Solaris is and
> > > long has been to move away from configuration files whose admin
> > > interface is $EDITOR.
> > >
> > >
> > Just curious. W
Nicolas Williams wrote:
> I think a remote access protocol to SMF would probably make things
> easier.
In latest Visual Panels bits (available at the VP project page),
there are Java bindings to SMF, JMX mbeans for remote access, and
Cacao modules that expose it to people in a secure fa
On Mon, Mar 17, 2008 at 07:49:05PM -0400, Jeffrey Hutzelman wrote:
> Sorry; but I'm going to return us to this flamewar...
Oh no!
> --On Thursday, March 06, 2008 02:43:00 PM -0600 Nicolas Williams
> wrote:
>
> >PAM modules may require any and all [zone] privileges. Using PAM
> >requires all [
> > > Viewing things stored in SMF is not easy and nor is there
> > > a way to present and edit what's stored in SMF with the
> > > same ease as "vi /etc/ssh/sshd_config".
> >
> > We've been over this ground before. See the original Greenline case
> > for details.
> >
>
> Is it PSARC 2002/54
On 2008-Mar-18, at 23:04 , Darren Reed wrote:
> Viewing things stored in SMF is not easy and nor is there
> a way to present and edit what's stored in SMF with the
> same ease as "vi /etc/ssh/sshd_config".
>
> For command line options and other simple things, sure,
> maybe SMF is a good place for
On Mar 19, 2008, at 9:06 AM, Jan Pechanec wrote:
> On Wed, 19 Mar 2008, Casper.Dik at Sun.COM wrote:
>
>> Powercycling a system during certain parts of boot is almost
>> guaranteed to cause the next boot to fail with a corrupted registry.
Wow! Do I even need to say what that implies about S
Jeffrey Hutzelman wrote:
> Sorry; but I'm going to return us to this flamewar...
>
> --On Thursday, March 06, 2008 02:43:00 PM -0600 Nicolas Williams
> wrote:
>
>> PAM modules may require any and all [zone] privileges. Using PAM
>> requires all [zone] privileges.
>
> This is a Solaris-ism. Y
On Mar 18, 2008, at 8:01 PM, Bart Smaalders wrote:
> Henry B. Hotz wrote:
>
>> I find it really difficult to invest time in learning single-
>> platform technologies.
>
> That makes it difficult to do innovation, since we need to convince
> other OSes to use our technology before you will use i
> Nicolas Williams wrote:
> > But one thing is clear: the architectural direction for Solaris is and
> > long has been to move away from configuration files whose admin
> > interface is $EDITOR.
> >
> >
> Just curious. What is/was the reasoning/logic behind this change?
> What was seen as being
Jeffrey Hutzelman writes:
> So, my preference is for my platform-independent sshd_config to have the
> same effect on the next Solaris port we do as it's had on every previous
> platform since we started supporting ssh.
The config-file-overrides-SMF but default-config-file-is-empty
proposal I ma
Richard L. Hamilton wrote:
>> Now that TX is bundled with OpenSolaris, anyone can
>> take advantage of
>> these features. However, be careful of what you mean
>> by using them
>> independently. Independent of what? Labels? Zones?
>> Why not just use it
>> as it is?
>>
>>
> Yes, labels and z
> Richard L. Hamilton wrote:
> > Does Trusted Extensions have any helpful
> capabilities to avoid
> > trojans/spoofing, ensure the visual representation
> of labels (or other
> > security status indicators) can't be faked, assure
> that programs that
> > need it can be ensured exclusive access to
>