Nabble - freebsd-current

Re: Panic while doing zfs rename

2009-12-10T19:17:39Z

On Thu, 10 Dec 2009, Jeremie Le Hen wrote:

> Hi list,
>
> First, excuse me to post on -current@ while this problem happened with
> -STABLE but RELENG_8 is still relatively close to HEAD and I have the
> feeling that -stable@ is more concerned with configuration and maybe
> userland problems.
>
> I've done the following command sequence on a fresh RELENG_8 from around
> 3rd dec:
> zfs send -R data/repos | zfs receive -d data/crepos
> zfs destroy data/repos
> zfs rename data/crepos/repos data/repos
>
> And this led to the following panic on rename:
>
> % Fatal trap 12: page fault while in kernel mode
> % cpuid = 0; apic id = 00
> % fault virtual address = 0x780fe2a0
> % fault code = supervisor read, page not present
> % instruction pointer = 0x20:0x806d1687
> % stack pointer = 0x28:0xcb41c750
> % frame pointer = 0x28:0xcb41c784
> % code segment = base 0x0, limit 0xfffff, type 0x1b
> % = DPL 0, pres 1, def32 1, gran 1
> % processor eflags = resume, IOPL = 0
> % current process = 72605 (zfs)
> % [thread pid 72605 tid 100435 ]
> % Stopped at _sx_xlock_hard+0x21e: movl 0x1a0(%eax),%eax
> % db> bt
> % Tracing pid 72605 tid 100435 td 0x88b6c480
> % _sx_xlock_hard(8f2460a0,88b6c480,0,85ce8fc8,a1,...) at _sx_xlock_hard+0x21e
> % _sx_xlock(8f2460a0,0,85ce8fc8,a1,866b2a70,...) at _sx_xlock+0x48
> % rrw_enter(8f2460a0,1,85cdf7b1,0,cb41c7e8,...) at rrw_enter+0x35
> % zfs_statfs(866b2a10,866b2a70,1d8,cb41c844,865a3a10,...) at zfs_statfs+0x39
> % __vfs_statfs(866b2a10,cb41c844,0,0,0,...) at __vfs_statfs+0x1f
> % nullfs_statfs(865a3a10,865a3a70,806bd68b,865a3a70,865a3a10,...) at nullfs_statfs+0x46
> % __vfs_statfs(865a3a10,865a3a70,1d8,a5889340,cb41cb78,...) at __vfs_statfs+0x1f
> % kern_getfsstat(88b6c480,cb41ccf8,8df8,0,1,...) at kern_getfsstat+0x2d0
> % getfsstat(88b6c480,cb41ccf8,c,cb41ccb0,8096d28a,...) at getfsstat+0x2e
> % syscall(cb41cd38) at syscall+0x320
> % Xint0x80_syscall() at Xint0x80_syscall+0x20
> % --- syscall (395, FreeBSD ELF32, getfsstat), eip = 0x281742d7, esp = 0x7fbfc8dc, ebp = 0x7fbfc908 ---
>
>
> FYI, after the crash, I could rename the filesystem without any problem.

I think I saw this same panic last weekend after I migrated from an old
raidz2 to a new larger volume. I didn't have the kernel set up to get a
backtrace, so this is just a "me too", but it happened at exactly noon,
which is when freebsd-snapshot would be creating and renaming snapshots.
Just as you mentioned, after rebooting I was able to rename and destroy
the snapshots without a problem. As extra data points, if any of it
matters:

- I do not have nullfs in my kernel.
- Both the old and new pool are raidz2
- Both are attached to an mfi bus
- the old pool had been exported and all of the devices detached
- the new pool was been imported and renamed to the name of the old pool
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Installer partition size defaults

2009-12-10T16:21:54Z

For years now the default partition sizes during install have remained
pretty much the same.
While I normally change the partition sizes to my own specification I
decided to use the auto defaults in the installer for a test machine I
was putting together. (FreeBSD 8.0)

Once the system was installed I started a standard system update to 8.0
Stable. Partway through a make installworld I ran out of room on / (root).

In the age of the terrabyte drive, would it not be prudent to increase
the default partition size for at least / (root) in the installer in the
8.x tree if not for the 7.x tree as well?

Also, is there any intention to add a more simplified and direct way to
use zfs from the installer?

- Thanks,

- Justin
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: panic with em(4) in current

2009-12-10T14:20:08Z

2009/12/11 Brooks Davis <brooks@...>:
> Something with the latest e1000 update in current causes a panic during
> attach on my laptop. Rolling sys/dev/e1000 back to the previous version
> fixes the problem. Here's the hand transcribed panic:
>
> panic: mtx_lock() of spin mutex &dev_spec->swflag_mutex @ ../../../dev/e1000/e1000_ich8lan.c:651
>
> The back trace places me at: e1000_acquire_swflag_ich8lan()+0x30

Hi, I see bug there:
+#define E1000_MUTEX_INIT(mutex) mtx_init((mutex), #mutex, \
+ MTX_NETWORK_LOCK, \
+ MTX_DEF | MTX_SPIN)

mtx_init() first looks for MTX_SPIN flag and assign
lock_class_mtx_spin class to mutex.
Then mtx_lock() on spin mutex called.

>
> The device in question is in my lenovo x61s laptop and the pciconf
> output is:
>
> em0@pci0:0:25:0: class=0x020000 card=0x20de17aa chip=0x10498086 rev=0x03 hdr=0x00
> vendor = 'Intel Corporation'
> device = 'Gigabit Network Connection Interface Controller (82566MM NIC)'
> class = network
> subclass = ethernet
>
> Thanks,
> Brooks
>

--
wbr,
pluknet
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

panic with em(4) in current

2009-12-10T13:09:01Z

Something with the latest e1000 update in current causes a panic during
attach on my laptop. Rolling sys/dev/e1000 back to the previous version
fixes the problem. Here's the hand transcribed panic:

panic: mtx_lock() of spin mutex &dev_spec->swflag_mutex @ ../../../dev/e1000/e1000_ich8lan.c:651

The back trace places me at: e1000_acquire_swflag_ich8lan()+0x30

The device in question is in my lenovo x61s laptop and the pciconf
output is:

em0@pci0:0:25:0: class=0x020000 card=0x20de17aa chip=0x10498086 rev=0x03 hdr=0x00
vendor = 'Intel Corporation'
device = 'Gigabit Network Connection Interface Controller (82566MM NIC)'
class = network
subclass = ethernet

Thanks,
Brooks

attachment0 (194 bytes) Download Attachment

Re: Panic while doing zfs rename

2009-12-10T12:45:38Z

On Thu, Dec 10, 2009 at 4:33 AM, Andriy Gapon <avg@...> wrote:
> on 10/12/2009 09:21 Jeremie Le Hen said the following:
> ...
>> % zfs_statfs(866b2a10,866b2a70,1d8,cb41c844,865a3a10,...) at zfs_statfs+0x39
>> % __vfs_statfs(866b2a10,cb41c844,0,0,0,...) at __vfs_statfs+0x1f
>> % nullfs_statfs(865a3a10,865a3a70,806bd68b,865a3a70,865a3a10,...) at nullfs_statfs+0x46
>> % __vfs_statfs(865a3a10,865a3a70,1d8,a5889340,cb41cb78,...) at __vfs_statfs+0x1f
>
> And you also seem to have nullfs in the picture.
> Did you by a chance renamed a zfs filesystem under nullfs?

I'm not sure but can it be related to OpenSolaris bug 6905188? [1]

changeset: 11209:462283cb4096
user: Matthew Ahrens <Matthew.Ahrens@...>
date: Mon Nov 30 11:36:36 2009 -0800
files: usr/src/cmd/zdb/zdb.c usr/src/cmd/ztest/ztest.c
usr/src/uts/common/fs/zfs/dmu_objset.c
usr/src/uts/common/fs/zfs/dmu_send.c
usr/src/uts/common/fs/zfs/dsl_dataset.c
usr/src/uts/common/fs/zfs/sys/dmu.h
usr/src/uts/common/fs/zfs/sys/dmu_objset.h
usr/src/uts/common/fs/zfs/sys/dsl_dataset.h
usr/src/uts/common/fs/zfs/sys/zfs_ioctl.h
usr/src/uts/common/fs/zfs/sys/zil.h
usr/src/uts/common/fs/zfs/zfs_ioctl.c usr/src/uts/common/fs/zfs/zil.c
description:
6905188 panic: kernel heap corruption when doing "zfs rename -r"

[1] http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6905188

Cheers,
--
Xin LI <delphij@...> http://www.delphij.net
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T12:11:31Z

2009/12/10 Anton Shterenlikht <mexas@...>:

> I was just stressed after being forced by him
> to explain why I wanted firewall exceptions
> for two ports to my FreeBSD portscluster nodes.
> I explained the reasons and that was settled.

Anton, I don't know about the UK, Great Britain or England, but in US
Universities, this is fairly common. It just serves as a sanity check
for the many, many requests central IT tends to get regarding allowing
ingress traffic for faculty/staff machines, and it gives the firewall
guys documentation that such-and-such machine should be receiving
inbound traffic on specific ports.

> The Uni is, of course,
> addicted to Microsoft, but having realised all
> the problems with that, lately the policy has
> been to deny (!) MS users admin access to their
> own desktops. The situation is just ridiculous -
> if a MS user wants to install a piece of software
> on their PC he/she has to ask for permission,
> and then wait until some computer officer would
> come and do install for them.

Again, I don't know about the UK, Great Britain or England, but in the
US this is also quite common, at least with regards to University
owned hardware. The first responsibility is to protect the network and
existing services. Sadly, many groups fail to provide the next step,
that being a relatively quick, easy way to have approved software
installed for users, and a method for having non-approved software
scrutinised and either approved or rejected.

> Also recently, well.. about a year ago, no
> host (!) could be accessed from outside the
> Uni firewall. Special exception has to be
> obtained even for ssh. There is only one dedicated
> sun server which accepts only ssh. The users
> are supposed to dial to this frontend server
> first, and from there to hosts on the local net.

Again, quite common. Most Universities here do not provide
public-facing IP addresses without some sort of application and
approval process. For example, we have a handful of machines that are
public facing but most of our hardware sits inside site-only networks.
To access those machines you either have to be on-campus or you have
to connect via VPN (and yes, we support Windows, Mac, Linux, Solaris,
*BSD).

Having an SSH proxy isn't an entirely bad idea, though I can see where
performance may be hindered.

> I had to fight a long battle, well.. I had
> some support from other academics, to have
> a linux class in my Faculty. Here the
> opposition wasn't so much security, as
> "why would any undegraduate need linux",
> as if MS solutions are a pinnacle of human thought.

That's a pretty fair question and one that I hope you would have asked
yourself before you made the push for the class.

> And from I understand it's going to get worse.
> Apparently the IT services are drawing up
> plans to completely forbid use of "non-autorized"
> OS. I imagine fbsd will not be authorized.
> So I'm anticipating another battle already.

Does this extend to computers used for academic research, student
owned computers being used on campus, etc?

Perhaps it's because we're conditioned to think this way but a lot of
us at universities in the US see a lot of this as being commonplace
and to *not* do them is generally considered bad security practice.

kmw

--
Beware the leader who bangs the drums of war in order to whip the
citizenry into a patriotic fervor, for patriotism is indeed a
double-edged sword. It both emboldens the blood, just as it narrows
the mind. And when the drums of war have reached a fever pitch and the
blood boils with hate and the mind has closed, the leader will have no
need in seizing the rights of the citizenry. Rather, the citizenry,
infused with fear and blinded by patriotism, will offer up all of
their rights unto the leader and gladly so - Unattributed, post 9/11
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T11:21:26Z

> Fortuantely, I had no problem setting up a "black" FreeBSD box to
> preserve my sanity.

A tip for those threatened with no BSD box at work:
FreeBSD runs fine _inside_ a box that looks like a multi sheet scanner.
OK, slow, but invisible to managers who require MS only.

These scanners often lie abandoned in company junk rooms (& cheap
on web), as people know they used to need MS's abandoned NT (= Not
There) operating system. Well they do ... until one installs BSD.
Credit to David M. who did the FreeBSD work. Pictures of hardware
to look for in junk rooms: http://www.berklix.com/scanjet/

Cheers,
Julian
--
Julian Stacey: BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Mail plain text not quoted-printable, HTML or Base64: http://asciiribbon.org
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: HEADS UP: Important bug fix in ZFS replay code!

2009-12-10T10:12:14Z

On 11/10/09 4:45 PM, Pawel Jakub Dawidek wrote:

> Hi.
>
> There was important bug in ZFS replay code. If there were setattr logs
> (not related to permission change) in ZIL during unclean shutdown, one
> can end up with files that have mode set to 07777.
>
> This is very dangerous, especially if you have untrusted local users, as
> this will set setuid bit on such files. Note that FreeBSD will remove
> setuid bits when someone will try to modify the file, but it is still
> dangerous.
>
> You can locate such files with the following command:
>
> # find / -perm -7777 -print0 | xargs -0 ls -ld
>
> You can locate and fix such files with the following command:
>
> # find / -perm -7777 -print0 | xargs -0 chmod a-s,o-w,-t

I just noticed this fix didn't make it into 8.0, I just had an
8.0-RELEASE-p1 machine crash and come back with a bunch of 07777 files.

Maybe this should be documented as an errata or security advisory.

Barry
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T09:53:19Z

On Thu, Dec 10, 2009 at 10:21 AM, Anton Shterenlikht <mexas@...>wrote:

> Perhaps I should start putting together
> some statistics to make my case more forcefully.
>

I fought the same battle at the Univ. I attended (as a student). They were
an M$ shop as well and had issues with me running OpenBSD. I stuck to it
and finally got a "straight" answer from the Dean of CS: "I don't know
anything about OpenBSD...please just use Windows and be like everyone
else!".

Odd, I thought that one role of higher education is to teach critical
thinking, which by definition means disagreements will (and should!) occur.
Apparently I was wrong.

I later took a independent study at the same Univ. I wanted to compare
security records for various OS's (FreeBSD and OpenBSD being listed in
there). This was rejected in favor of me doing security research for
Windows...so I wrote a program to demonstrate why Admins shouldn't blindly
trust even system code (Windows Server 2003...stuff like netstat and task
manager) and demonstrated that to the graduate level network security class
(I was an undergrad at the time). I completely gave up when the grad
students followed suit with the dean and tried arguing with me that my code
was "hacked together specifically to exhibit the behavior I was trying to
demonstrate"...as if it wasn't *real* and it couldn't be used to a malicious
user's advantage.

I guess it doesn't exist in the security world (according to the previously
mentioned grad students) if it's not "mainstream thinking"...I feel sorry
for the companies that depend on those idiots for security.

If they've bought into M$ FUD, no amount of statistics/code/demonstrations
will help. I'd skip the statistics in favor of putting together a resume.
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T09:45:02Z

On Thu, 10 Dec 2009 16:21:50 +0000
Anton Shterenlikht <mexas@...> wrote:

> I had to fight a long battle, well.. I had
> some support from other academics, to have
> a linux class in my Faculty. Here the
> opposition wasn't so much security, as
> "why would any undegraduate need linux",
> as if MS solutions are a pinnacle of human thought.
>

I feel for you. I used to work for DEC, at one time a major UNIX vendor.
Then one day all employees were forced to install Windows NT to access
their mail accounts because management, in its wisdom, decided to
standardize on Mickeysoft Exchange Server. No real reason, since up til
then UNIX mail servers had been more than adequate. IT services had
similarly restrictive policies regarding users installing SW, etc.

I always wondered who Mickeysoft bribed to get that put through.

Fortuantely, I had no problem setting up a "black" FreeBSD box to
preserve my sanity.

---
Gary Jennejohn
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T09:18:04Z

http://security.freebsd.org/advisories/FreeBSD-SA-09:16.rtld.asc

On Thu, Dec 10, 2009 at 11:05:16AM -0600, Paul Schmehl thus spake:

>--On Thursday, December 10, 2009 08:41:41 -0600 Anton Shterenlikht
><mexas@...> wrote:
>
>>
>>> From my information security manager:
>>
>> FreeBSD isn't much used within the University (I understand) and has a
>> (comparatively) poor security record. Most recently, for example:
>>
>>
>> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.ht
>> ml
>>
>
>Please pass this to your information security manager:
>
>>From one information security manager to another, you're an idiot.
>
>--
>Paul Schmehl, Senior Infosec Analyst
>As if it wasn't already obvious, my opinions
>are my own and not those of my employer.
>*******************************************
>"It is as useless to argue with those who have
>renounced the use of reason as to administer
>medication to the dead." Thomas Jefferson
>
>_______________________________________________
>freebsd-questions@... mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."
>

--
i am a mutthead
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T09:05:16Z

--On Thursday, December 10, 2009 08:41:41 -0600 Anton Shterenlikht
<mexas@...> wrote:

>
>> From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.ht
> ml
>

Please pass this to your information security manager:

>From one information security manager to another, you're an idiot.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T09:04:05Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chargen wrote:

> On Thu, Dec 10, 2009 at 5:21 PM, Anton Shterenlikht <mexas@...> wrote:
>> On Thu, Dec 10, 2009 at 09:51:22AM -0500, Bill Moran wrote:
>>> In response to Anton Shterenlikht <mexas@...>:
>
>> I had to fight a long battle, well.. I had
>> some support from other academics, to have
>> a linux class in my Faculty. Here the
>> opposition wasn't so much security, as
>> "why would any undegraduate need linux",
>> as if MS solutions are a pinnacle of human thought.
>
> This is getting so funny..
>
> Next topic please.
>
> Peace.

What bothers me is that some of these worshipers (be that demon,
penguin, apple, or windows) simple cannot fathom the old "right tool for
the right job" saying...

//Svein

- --
- --------+-------------------+-------------------------------
/"\ |Svein Skogen | svein@...
\ / |Solberg Østli 9 | PGP Key: 0xE5E76831
X |2020 Skedsmokorset | svein@...
/ \ |Norway | PGP Key: 0xCE96CE13
| | svein@...
ascii | | PGP Key: 0x58CD33B6
ribbon |System Admin | svein-listmail@...
Campaign|stillbilde.net | PGP Key: 0x22D494A4
+-------------------+-------------------------------
|msn messenger: | Mobile Phone: +47 907 03 575
|svein@... | RIPE handle: SS16503-RIPE
- --------+-------------------+-------------------------------
If you really are in a hurry, mail me at
svein-mobile@...
This mailbox goes directly to my cellphone and is checked
even when I'm not in front of my computer.
- ------------------------------------------------------------
Picture Gallery:
https://gallery.stillbilde.net/v/svein/
- ------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkshKgUACgkQODUnwSLUlKQepACgkDgvRoCEbJvrRbfkCa3YrF9P
c/IAoKNxVaAcoVn/cEYUg0yIJgf6k+ek
=oGMp
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T08:32:11Z

On Thu, Dec 10, 2009 at 5:21 PM, Anton Shterenlikht <mexas@...> wrote:
> On Thu, Dec 10, 2009 at 09:51:22AM -0500, Bill Moran wrote:
>> In response to Anton Shterenlikht <mexas@...>:

> I had to fight a long battle, well.. I had
> some support from other academics, to have
> a linux class in my Faculty. Here the
> opposition wasn't so much security, as
> "why would any undegraduate need linux",
> as if MS solutions are a pinnacle of human thought.

This is getting so funny..

Next topic please.

Peace.
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T08:21:50Z

On Thu, Dec 10, 2009 at 09:51:22AM -0500, Bill Moran wrote:

> In response to Anton Shterenlikht <mexas@...>:
>
> > >From my information security manager:
> >
> > FreeBSD isn't much used within the University (I understand) and has a
> > (comparatively) poor security record. Most recently, for example:
> >
> > http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
>
> Are you trying to make your infosec guy look like an idiot? Does he
> realize that FreeBSD has a grand total of 16 security problems for all
> of 2009? Hell, Microsoft has that many in an average month.
>
> If he can find something (other than OpenBSD) with a better record than
> that, I'd love to hear about it.

I was just stressed after being forced by him
to explain why I wanted firewall exceptions
for two ports to my FreeBSD portscluster nodes.
I explained the reasons and that was settled.

I wouldn't be surprised if I'm the sole fbsd user
at my Uni. The situation with computing is not
great and getting worse.

The Uni is, of course,
addicted to Microsoft, but having realised all
the problems with that, lately the policy has
been to deny (!) MS users admin access to their
own desktops. The situation is just ridiculous -
if a MS user wants to install a piece of software
on their PC he/she has to ask for permission,
and then wait until some computer officer would
come and do install for them.

Also recently, well.. about a year ago, no
host (!) could be accessed from outside the
Uni firewall. Special exception has to be
obtained even for ssh. There is only one dedicated
sun server which accepts only ssh. The users
are supposed to dial to this frontend server
first, and from there to hosts on the local net.

Honestly, the situation is so bad that I
sometimes wonder - perhaps it's me who is mad.
It seems IT services look at anybody who
wants to escape MS with suspicion at best.

I had to fight a long battle, well.. I had
some support from other academics, to have
a linux class in my Faculty. Here the
opposition wasn't so much security, as
"why would any undegraduate need linux",
as if MS solutions are a pinnacle of human thought.

And from I understand it's going to get worse.
Apparently the IT services are drawing up
plans to completely forbid use of "non-autorized"
OS. I imagine fbsd will not be authorized.
So I'm anticipating another battle already.

Perhaps I should start putting together
some statistics to make my case more forcefully.

many thanks for your support, as always

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T08:02:51Z

Anton Shterenlikht wrote:
>>From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

yeah we know, but really, quoting security as a reason not to use it
is a bit like quoting flat tyres (British spelling to those USA'ns
reading) as a reason to not buy a Jag. Every OS has them and in fact
we are better than many.

>
>
>
>
>

_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T07:04:14Z

2009/12/10 Anton Shterenlikht <mexas@...>:

> >From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Wow.

Just...wow.

FreeBSD's security record, the rate at which fixes occur, the ports
system and the overall sanity of the environment is *precisely* why we
have been migrating from RHEL to FreeBSD at my University (I'm
employed by the University, not a student).

I would be quite curious as to which operating system is serving as
the baseline for this comparison. I would also be quite curious as to
whether the manager making said statement is responsible for central
IT services or is locked into providing services by a particular
vendor.

kmw

--
Beware the leader who bangs the drums of war in order to whip the
citizenry into a patriotic fervor, for patriotism is indeed a
double-edged sword. It both emboldens the blood, just as it narrows
the mind. And when the drums of war have reached a fever pitch and the
blood boils with hate and the mind has closed, the leader will have no
need in seizing the rights of the citizenry. Rather, the citizenry,
infused with fear and blinded by patriotism, will offer up all of
their rights unto the leader and gladly so - Unattributed, post 9/11
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T07:01:31Z

Fire the noob you have working for you and hire someone with a clue.

Anton Shterenlikht wrote:

>>From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
>
>
>
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T07:01:09Z

Anton Shterenlikht <mexas@...> writes:
> From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for
> example:

"comparatively", compared to what? Windows? Linux? We beat them both
into the ground. He is speaking from ignorance.

DES
--
Dag-Erling Smørgrav - des@...
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T06:59:53Z

Bill Moran wrote:

He doesn't really have to _try_, does he?

I have always thought that an infosec person should *know* what they
have running within their own network, and furthermore, gather his
comparative analysis from somewhere other than the
dept-of-some-guys-blog. Perhaps these are not the job requirements of a
security person.

Steve
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T06:55:40Z

At 09:41 AM 12/10/2009, Anton Shterenlikht wrote:
> >From my information security manager:
>
> FreeBSD isn't much used within the University (I
> understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
>
>http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
>

Some say... world flat... some say roundish. There are lots of
opinions to choose from. It would be nice to see an actual properly
designed study quoted... or even some raw data referenced. and I am
not talking about something vendor sponsored that examines such track records.

In the case of the above mentioned zero day exploit someone posted, I
think FreeBSD did a GREAT job at getting a fast unofficial patch out
and then 2 days later an official advisory and patch out. Take a
look at their actual track record at http://www.freebsd.org/security
and judge for yourself based on that. Note, a good chunk of whats
there is common across multiple operating systems (e.g ntpd, BIND, openssl etc)

There are lots of reasons why someone might use or not use FreeBSD.
In my _opinion_, a "poor security record" is not one of them... But
judge for yourself based on their actual track record.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@...
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T06:52:23Z

Anton Shterenlikht wrote:
>>From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Without wanting to get into any "flame wars", I will only say this ..

I find this kind of unsubstantiated speculation extremely disappointing.
It speaks not only to an apparent lack of knowledge about FreeBSD but
also about any alternative operating system.

Subject closed,

imb

_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T06:51:22Z

In response to Anton Shterenlikht <mexas@...>:

> >From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Are you trying to make your infosec guy look like an idiot? Does he
realize that FreeBSD has a grand total of 16 security problems for all
of 2009? Hell, Microsoft has that many in an average month.

If he can find something (other than OpenBSD) with a better record than
that, I'd love to hear about it.

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

HEADS UP: NDISulator - please test

2009-12-10T06:48:56Z

Hello,

I made some general improvements, added some features and fixed dozens of bugs.

Goal is to make WPA work with bsd driver for wpa_supplicant (-Dbsd)

Code is available here:
http://gitorious.org/ndisulator

It can be also downloaded as tar.gz:
http://www.gitorious.org/ndisulator/ndisulator/archive-tarball/master

Example how to build:

Just extract archive somewhere and use mount_nullfs(8):

mount_nullfs ndisulator-ndisulator/src/sys/dev/if_ndis /sys/dev/if_ndis
mount_nullfs ndisulator-ndisulator/src/sys/compat/ndis /sys/compat/ndis
mount_nullfs ndisulator-ndisulator/src/usr.sbin/ndiscvt
/usr/src/usr.sbin/ndiscvt

Now you just need to rebuild modules, including modules created via
ndisgen(8) and ndiscvt.

How to test:

Does 'wpa_supplicant -Dbsd' works in your environment ?

Known issues:
WPA is broken. WPA2 is missing PMKID support.
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Root exploit for FreeBSD

2009-12-10T06:47:12Z

On 10.12.2009 17:41, Anton Shterenlikht wrote:
> > From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
>
>
This has already been fixed in -stable somewhere around December 2nd or 3rd.

--
Kamigishi Rei
KREI-RIPE
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Root exploit for FreeBSD

2009-12-10T06:41:41Z

>From my information security manager:

FreeBSD isn't much used within the University (I understand) and has a
(comparatively) poor security record. Most recently, for example:

http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Testing CAM wrapper for ata(4) controller drivers

2009-12-10T06:31:41Z

On Dec 10, 2009, at 3:02 AM, Alexander Motin wrote:

> Alexander Motin wrote:
>> The main regression of the new mode is a lack of ataraid
>> alternative, to
>> support cheap BIOS-based ATA RAIDs. If somebody has time and wish to
>> port that code from inside ata(4) into GEOM module, to make it work
>> over
>> CAM also, I would appreciate that and propose a help, if needed.
>
> May be it would be easier to just teach gmirror, gstripe and gconcat
> to
> handle ATA RAIDs metadata formats, to not duplicate and support the
> rest
> of code.
>

The existing graid modules are not well suited for learning new
metadata. I have plans for restructuring them into a stack within
GEOM that handles metadata separate from the transforms.

Scott

_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Testing CAM wrapper for ata(4) controller drivers

2009-12-10T04:49:52Z

Alexander Motin wrote:

> Andriy Gapon wrote:
>> on 10/12/2009 01:07 Alexander Best said the following:
>>> ah. i see. thanks for the hint. sorry mav for blaming ATA_CAM. ;) would be
>>> nice if this would be fixed at some point. i believe the problem also applies
>>> to tape drives, usb memory card readers, etc.? so generally speaking: any
>>> devices which allow new media insertion, but don't disconnect/re-attach
>>> from/to CAM.
>> Yes, we need to get some notification that media is changed and then trigger geom
>> action. Right now there is no notification from hardware in most cases and there
>> is no support for handling that in drivers, AFAIK. Maybe ahci driver starts to
>> add support for that. So either something needs to poll media for changes or a
>> user has to trigger some action explicitly. No magic.
>
> Both ahci and siis drivers already have SATA Asynchronous Notifications
> support, that was especially made to do that. Now AN used to receive
> messages from PMP about fan-out ports physical events and working fine.
>
> What is needed: SATA ATAPI device with AN support (haven't checked if
> there are ones on the market), enable these messages, improve cd driver
> to make some useful activity (have no idea how) on such events.

With "how" I've meant "how to properly report it to GEOM".

--
Alexander Motin
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Testing CAM wrapper for ata(4) controller drivers

2009-12-10T04:47:14Z

Andriy Gapon wrote:

> on 10/12/2009 01:07 Alexander Best said the following:
>> ah. i see. thanks for the hint. sorry mav for blaming ATA_CAM. ;) would be
>> nice if this would be fixed at some point. i believe the problem also applies
>> to tape drives, usb memory card readers, etc.? so generally speaking: any
>> devices which allow new media insertion, but don't disconnect/re-attach
>> from/to CAM.
>
> Yes, we need to get some notification that media is changed and then trigger geom
> action. Right now there is no notification from hardware in most cases and there
> is no support for handling that in drivers, AFAIK. Maybe ahci driver starts to
> add support for that. So either something needs to poll media for changes or a
> user has to trigger some action explicitly. No magic.

Both ahci and siis drivers already have SATA Asynchronous Notifications
support, that was especially made to do that. Now AN used to receive
messages from PMP about fan-out ports physical events and working fine.

What is needed: SATA ATAPI device with AN support (haven't checked if
there are ones on the market), enable these messages, improve cd driver
to make some useful activity (have no idea how) on such events.

--
Alexander Motin
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Panic while doing zfs rename

2009-12-10T04:33:39Z

on 10/12/2009 09:21 Jeremie Le Hen said the following:
...
> % zfs_statfs(866b2a10,866b2a70,1d8,cb41c844,865a3a10,...) at zfs_statfs+0x39
> % __vfs_statfs(866b2a10,cb41c844,0,0,0,...) at __vfs_statfs+0x1f
> % nullfs_statfs(865a3a10,865a3a70,806bd68b,865a3a70,865a3a10,...) at nullfs_statfs+0x46
> % __vfs_statfs(865a3a10,865a3a70,1d8,a5889340,cb41cb78,...) at __vfs_statfs+0x1f

And you also seem to have nullfs in the picture.
Did you by a chance renamed a zfs filesystem under nullfs?

--
Andriy Gapon
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Testing CAM wrapper for ata(4) controller drivers

2009-12-10T04:31:27Z

on 10/12/2009 01:07 Alexander Best said the following:
> ah. i see. thanks for the hint. sorry mav for blaming ATA_CAM. ;) would be
> nice if this would be fixed at some point. i believe the problem also applies
> to tape drives, usb memory card readers, etc.? so generally speaking: any
> devices which allow new media insertion, but don't disconnect/re-attach
> from/to CAM.

Yes, we need to get some notification that media is changed and then trigger geom
action. Right now there is no notification from hardware in most cases and there
is no support for handling that in drivers, AFAIK. Maybe ahci driver starts to
add support for that. So either something needs to poll media for changes or a
user has to trigger some action explicitly. No magic.

--
Andriy Gapon
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Testing CAM wrapper for ata(4) controller drivers

2009-12-10T02:02:08Z

Alexander Motin wrote:
> The main regression of the new mode is a lack of ataraid alternative, to
> support cheap BIOS-based ATA RAIDs. If somebody has time and wish to
> port that code from inside ata(4) into GEOM module, to make it work over
> CAM also, I would appreciate that and propose a help, if needed.

May be it would be easier to just teach gmirror, gstripe and gconcat to
handle ATA RAIDs metadata formats, to not duplicate and support the rest
of code.

--
Alexander Motin
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Panic while doing zfs rename

2009-12-09T23:21:47Z

Hi list,

First, excuse me to post on -current@ while this problem happened with
-STABLE but RELENG_8 is still relatively close to HEAD and I have the
feeling that -stable@ is more concerned with configuration and maybe
userland problems.

I've done the following command sequence on a fresh RELENG_8 from around
3rd dec:
zfs send -R data/repos | zfs receive -d data/crepos
zfs destroy data/repos
zfs rename data/crepos/repos data/repos

And this led to the following panic on rename:

% Fatal trap 12: page fault while in kernel mode
% cpuid = 0; apic id = 00
% fault virtual address = 0x780fe2a0
% fault code = supervisor read, page not present
% instruction pointer = 0x20:0x806d1687
% stack pointer = 0x28:0xcb41c750
% frame pointer = 0x28:0xcb41c784
% code segment = base 0x0, limit 0xfffff, type 0x1b
% = DPL 0, pres 1, def32 1, gran 1
% processor eflags = resume, IOPL = 0
% current process = 72605 (zfs)
% [thread pid 72605 tid 100435 ]
% Stopped at _sx_xlock_hard+0x21e: movl 0x1a0(%eax),%eax
% db> bt
% Tracing pid 72605 tid 100435 td 0x88b6c480
% _sx_xlock_hard(8f2460a0,88b6c480,0,85ce8fc8,a1,...) at _sx_xlock_hard+0x21e
% _sx_xlock(8f2460a0,0,85ce8fc8,a1,866b2a70,...) at _sx_xlock+0x48
% rrw_enter(8f2460a0,1,85cdf7b1,0,cb41c7e8,...) at rrw_enter+0x35
% zfs_statfs(866b2a10,866b2a70,1d8,cb41c844,865a3a10,...) at zfs_statfs+0x39
% __vfs_statfs(866b2a10,cb41c844,0,0,0,...) at __vfs_statfs+0x1f
% nullfs_statfs(865a3a10,865a3a70,806bd68b,865a3a70,865a3a10,...) at nullfs_statfs+0x46
% __vfs_statfs(865a3a10,865a3a70,1d8,a5889340,cb41cb78,...) at __vfs_statfs+0x1f
% kern_getfsstat(88b6c480,cb41ccf8,8df8,0,1,...) at kern_getfsstat+0x2d0
% getfsstat(88b6c480,cb41ccf8,c,cb41ccb0,8096d28a,...) at getfsstat+0x2e
% syscall(cb41cd38) at syscall+0x320
% Xint0x80_syscall() at Xint0x80_syscall+0x20
% --- syscall (395, FreeBSD ELF32, getfsstat), eip = 0x281742d7, esp = 0x7fbfc8dc, ebp = 0x7fbfc908 ---

FYI, after the crash, I could rename the filesystem without any problem.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: Testing CAM wrapper for ata(4) controller drivers

2009-12-09T15:07:48Z

ah. i see. thanks for the hint. sorry mav for blaming ATA_CAM. ;) would be
nice if this would be fixed at some point. i believe the problem also applies
to tape drives, usb memory card readers, etc.? so generally speaking: any
devices which allow new media insertion, but don't disconnect/re-attach
from/to CAM.

cheers.
alex

Wes Morgan schrieb am 2009-12-09:
> On Wed, 9 Dec 2009, Alexander Best wrote:

> >i'm not sure if this issue is directly linked to ATA_CAM, but i've
> >not seen it
> >before the ATA_CAM changes:

> >removing a cd/dvd and inserting a new one doesn't update the label
> >in
> >/dev/iso9660.

> >`file -s /dev/iso9660/CD1` says:
> >/dev/iso9660/CD1: ISO 9660 CD-ROM filesystem data 'CD2
> >'

> Nay, I've seen this kind of behavior for ages. I just assumed that
> the cd9660 labels never updated.
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."

Re: ifconfig_lo0_alias0 does not work any more on 9-CURRENT - solved

2009-12-09T12:27:54Z

On 09.12.2009 23:16, Vladislav V. Prodan wrote:
> After applying the network settings /etc/rc.d/netif restart
> All falls
>
>
You might be interested in doing

/etc/rc.d/routing restart

after /etc/rc.d/netif restart

When interface addresses are flushed with netif restart, the routing
table is flushed too (or so it usually happens for me).
Obviously, you won't be able to reach anything outside your LAN if you
have no default gateway set.

--
Kamigishi Rei
KREI-RIPE
_______________________________________________
freebsd-current@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@..."