similar to: /etc/rc.bsdextended: am I misunderstanding this..?

Hey everyone, I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I

Hello, Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy. In short, it's an excellent model, and can be used succesfully if applications are aware of its existance, but I find it incompatible with the real-world needs in Unix, and,

I've had problems with post-August kernels. Under load, builds are dying. I see lots of these: Sep 10 17:56:17 tribble /kernel: pid 60715 (make), uid 0: exited on signal 4 (core dumped) Sep 10 17:56:21 tribble /kernel: pid 61489 (make), uid 0: exited on signal 11 (core dumped) Sep 10 17:56:29 tribble /kernel: pid 63495 (sh), uid 0: exited on signal 4 (core dumped) Sep 10 17:56:29 tribble

I would like to know that there is or is not a way to prevent users from executing binaries that are not owned by root or that the user is in a particular group. Is this something I can achieve with TrustedBSD's MAC framework?

Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*? Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible

Hi. We have had SAMBA running successfully at work here for a while, it's on a Sun Sparc Solaris 2.6. The version of samba is 2.0.0. Unfortunately our sysadmin has left the company, and I have to try and fix a problem with Samba. When I try and start samba, "nmbd" starts ok, but "smbd" doesn't start. When I check the log files, I get these errors: [2001/09/24

Thanks to Will Saxon I'm finally able to mount Samba shares on my 5.1-R box using the command mount_smbfs -I 129.197.36.34 -W acct01 //bfosdick@129.197.36.34/net-11 /sp/net-11 which then prompts me for my password. So now the question is...how do I put this in /etc/fstab? What do I do about the password?

We're supposed to provide redundant firewall service. I'm wondering if anyone has ever tried to do this and if it's realistic. Basically 2 firewall machines hooked up so if one fails the other will transparently step in. I've googled it to death without much luck. The security issue here lies in that the 2 firewalls can't talk to each other. So if I'm keeping state on

When using /usr/bin/read with the -t option the "timeout" return code should be 1 (verified with 8.4-RELEASE and 9.2-RELEASE). When used with 10.0-BETA1, the return code is 142. How to recreate: /usr/bin/read -t 1 RESPONSE JUNK (allow this to timeout) echo $? 142 Also with /bin/sh: builtin read -t 1 RESPONSE JUNK (allow this to timeout) echo $? 142 Thanks for

dash didn't compile in DEBUG mode against klibc for all long time. Now it fails at link stage for not having setlinebuf(3). Fixes: usr/dash/show.o: In function `opentrace': show.c:(.text+0x86): undefined reference to `setlinebuf' Signed-off-by: maximilian attems <max at stro.at> --- the last open error, looks more like a klibc bug to me, will fix it

Hi all, I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users". Those are the issues I am dealing with: ** Network Security ** - Web users shouldn't be able to connect to reserved local ports apart from 25(smtp); 80(http); 443(https) and 3306(MySQL) Solution: run the web server and web users shell in

Hi there, I seem to be misunderstanding routes a little bit as I can''t get the behavior I''m expecting from the following. My goal is to get "/forums/1" from the code <%= url_for :id => forum.id %> which is being called from a view associated with a controller named "Forums" and the "index" action. I have the following routes:

Either I''m not understanding how things are used, or this might be a bug in ActiveRecord. I''m using version 1.13.2. In my version of activerecord/lib/active_record/validations.rb (the svn trunk version is browsable at http://dev.rubyonrails.org/browser/trunk/activerecord/lib/active_record/validations.rb ), I have: def update_attribute_with_validation_skipping(name,

Hi, I''ve been experimenting with ip route for the last few days to get load sharing accross 2 providers working. While it works most of the time, on a few occasions, packets are routed to the wrong interface. I''m not sure to understand rules and routes traversal correctly (I couldn''t find answers in the howto). So, here are my questions: 1. How does the rule

Hi, I''ve been playing with Arel for a few days, but I feel really confused about predicates / arrays intersection. Let''s say I have 3 models: users, (bank) accounts and transfers. An account belongs to a user, and a transfer is made of a source and target accounts (see the snippets below). Given a user, I want to query his transfers. I can go this way in the User class: def

I suspect I might be grossly misunderstanding kerberos and AD here, but I cant seem to grok the following. net ads join integrates my linux samba server (named foundry) into an AD domain and all works fine. The samba server is using the kerberos keytab. root@foundry:~ # kinit -k -t /etc/krb5.keytab foundry$ root@foundry:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local kinit(v5):

syslinux 6.01, on XP cmd prompt: With syslinux.exe --update c: At least one specified option not yet implemented for this installer. it is clear which option is not yet implemented. However, before trying just --update, I did try: syslinux.exe --active --directory /downloadedPrograms/syslinux \ --update --mbr c: (line was edited for presentation purposes) and got

On Sunday 21 September 2008 20:45:37 Jonathan S. Shapiro wrote: > I was re-reading the specification for extractelement and friends, and I > notice that the index is restricted to i32. Since vectors might clearly > have a larger number of elements on 64-bit platforms, I wonder if I am > misunderstanding the intended use of these instructions. The code generator cannot handle vectors

On Mon, 2008-09-22 at 09:42 +0200, Duncan Sands wrote: > On Sunday 21 September 2008 20:45:37 Jonathan S. Shapiro wrote: > > I was re-reading the specification for extractelement and friends, and I > > notice that the index is restricted to i32. Since vectors might clearly > > have a larger number of elements on 64-bit platforms, I wonder if I am > > misunderstanding the