Another reason I like OS X as much as I do, is because literally anything can be done from the command-line, something a Unix nerd like myself thoroughly loves to do. But, OS X has advanced features like Access Control Lists and all that fancy stuff, so sometimes I can be a bit of a learn to find out how exactly OS X does things compared to other members of the Unix family.

Now, I mentioned ACL’s, when you do something rather simple like ‘ls -la on /Groups’, you get this:

server:Groups username$ ls -la
total 0
drwxr-xr-x+  6 root  wheel   204 Aug  7 21:57 .
drwxr-xr-x  33 root  wheel  1190 Aug 17 09:29 ..
-rwxr-xr-x   1 root  wheel     0 Jul 27 21:29 .localized
drwxrwx---+  5 root  admin   170 Aug 13 12:37 group1
drwxrwx---+  2 root  admin    68 Aug  7 21:57 group2
drwxrwx---+  2 root  admin    68 Jul 27 21:47 workgroup

which is nice enough, but what if I wanted to see the real permissions, including the ACL’s? There’s a switch for that:

1

ls -lae

Wich produces the following output:

total 0
drwxr-xr-x+  6 root  wheel   204 Aug  7 21:57 .
 0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
drwxr-xr-x  33 root  wheel  1190 Aug 17 09:29 ..
-rwxr-xr-x   1 root  wheel     0 Jul 27 21:29 .localized
drwxrwx---+  5 root  admin   170 Aug 13 12:37 group1
 0: group:group1 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
drwxrwx---+  2 root  admin    68 Aug  7 21:57 group2
 0: group:group2 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
drwxrwx---+  2 root  admin    68 Jul 27 21:47 workgroup
 0: 839AE424-BBF3-442E-BAD6-C8B5E8B596F5 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit

It might be a bit daunting to read through, but heck if it does’t show you exactly what you need to see. It’s really easy seeing ACL’s on Mac OS X with ls!

In case you’re wondering, the ’839AE424-BBF3-442E-BAD6-C8B5E8B596F5′ part corresponds to a UserID in OpenDirectory/LDAP.

1
2

cd /usr/ports/www/suphp
make deinstall && make reinstall

when using eaccelerator do:

1
2

cd /usr/ports/www/eaccelerator
make deinstall && make reinstall

too.

Saves you a LOT of headaches

[ad]

What’s next guys? -RELEASE before new years?

[ad]

One day, you’re bouncing all over the place because there’s an official 7.1-RC1, the next, there’s already two security advisories.

To sum them up:

• protosw
  safe to ignore unless you have local users, safe to ignore if you haven’t loaded / compiled in the ng_* modules

  Index: sys/kern/uipc_domain.c
  ===================================================================
  --- sys/kern/uipc_domain.c	(revision 186366)
  +++ sys/kern/uipc_domain.c	(working copy)
  @@ -112,13 +112,18 @@
   
   #define DEFAULT(foo, bar)	if ((foo) == NULL)  (foo) = (bar)
   	DEFAULT(pu->pru_accept, pru_accept_notsupp);
  +	DEFAULT(pu->pru_bind, pru_bind_notsupp);
   	DEFAULT(pu->pru_connect, pru_connect_notsupp);
   	DEFAULT(pu->pru_connect2, pru_connect2_notsupp);
   	DEFAULT(pu->pru_control, pru_control_notsupp);
  +	DEFAULT(pu->pru_disconnect, pru_disconnect_notsupp);
   	DEFAULT(pu->pru_listen, pru_listen_notsupp);
  +	DEFAULT(pu->pru_peeraddr, pru_peeraddr_notsupp);
   	DEFAULT(pu->pru_rcvd, pru_rcvd_notsupp);
   	DEFAULT(pu->pru_rcvoob, pru_rcvoob_notsupp);
   	DEFAULT(pu->pru_sense, pru_sense_null);
  +	DEFAULT(pu->pru_shutdown, pru_shutdown_notsupp);
  +	DEFAULT(pu->pru_sockaddr, pru_sockaddr_notsupp);
   	DEFAULT(pu->pru_sosend, sosend_generic);
   	DEFAULT(pu->pru_soreceive, soreceive_generic);
   	DEFAULT(pu->pru_sopoll, sopoll_generic);

• ftpd
  you can ignore it if you don’t run this ftp daemon, or if you have disabled ftp all together. Otherwise: patch it right the heck now!

  Index: libexec/ftpd/ftpcmd.y
  ===================================================================
  --- libexec/ftpd/ftpcmd.y	(revision 185134)
  +++ libexec/ftpd/ftpcmd.y	(working copy)
  @@ -1191,7 +1191,7 @@
   /*
    * getline - a hacked up version of fgets to ignore TELNET escape codes.
    */
  -char *
  +int
   getline(char *s, int n, FILE *iop)
   {
   	int c;
  @@ -1207,7 +1207,7 @@
   			if (ftpdebug)
   				syslog(LOG_DEBUG, "command: %s", s);
   			tmpline[0] = '\0';
  -			return(s);
  +			return(0);
   		}
   		if (c == 0)
   			tmpline[0] = '\0';
  @@ -1244,13 +1244,24 @@
   			}
   		}
   		*cs++ = c;
  -		if (--n <= 0 || c == '\n')
  +		if (--n <= 0) {
  +			/*
  +			 * If command doesn't fit into buffer, discard the
  +			 * rest of the command and indicate truncation.
  +			 * This prevents the command to be split up into
  +			 * multiple commands.
  +			 */
  +			while (c != '\n' && (c = getc(iop)) != EOF)
  +				;
  +			return (-2);
  +		}
  +		if (c == '\n')
   			break;
   	}
   got_eof:
   	sigprocmask(SIG_SETMASK, &osset, NULL);
   	if (c == EOF && cs == s)
  -		return (NULL);
  +		return (-1);
   	*cs++ = '\0';
   	if (ftpdebug) {
   		if (!guest && strncasecmp("pass ", s, 5) == 0) {
  @@ -1270,7 +1281,7 @@
   			syslog(LOG_DEBUG, "command: %.*s", len, s);
   		}
   	}
  -	return (s);
  +	return (0);
   }
   
   static void
  @@ -1300,9 +1311,14 @@
   		case CMD:
   			(void) signal(SIGALRM, toolong);
   			(void) alarm(timeout);
  -			if (getline(cbuf, sizeof(cbuf)-1, stdin) == NULL) {
  +			n = getline(cbuf, sizeof(cbuf)-1, stdin);
  +			if (n == -1) {
   				reply(221, "You could at least say goodbye.");
   				dologout(0);
  +			} else if (n == -2) {
  +				reply(500, "Command too long.");
  +				(void) alarm(0);
  +				continue;
   			}
   			(void) alarm(0);
   #ifdef SETPROCTITLE
  Index: libexec/ftpd/extern.h
  ===================================================================
  --- libexec/ftpd/extern.h	(revision 185134)
  +++ libexec/ftpd/extern.h	(working copy)
  @@ -46,7 +46,7 @@
   void    ftpd_logwtmp(char *, char *, struct sockaddr *addr);
   int	ftpd_pclose(FILE *);
   FILE   *ftpd_popen(char *, char *);
  -char   *getline(char *, int, FILE *);
  +int	getline(char *, int, FILE *);
   void	lreply(int, const char *, ...) __printflike(2, 3);
   void	makedir(char *);
   void	nack(char *);
  Index: libexec/ftpd/ftpd.c
  ===================================================================
  --- libexec/ftpd/ftpd.c	(revision 185134)
  +++ libexec/ftpd/ftpd.c	(working copy)
  @@ -2794,15 +2794,20 @@
   myoob(void)
   {
   	char *cp;
  +	int ret;
   
   	if (!transflag) {
   		syslog(LOG_ERR, "Internal: myoob() while no transfer");
   		return (0);
   	}
   	cp = tmpline;
  -	if (getline(cp, 7, stdin) == NULL) {
  +	ret = getline(cp, 7, stdin);
  +	if (ret == -1) {
   		reply(221, "You could at least say goodbye.");
   		dologout(0);
  +	} else if (ret == -2) {
  +		/* Ignore truncated command. */
  +		return (0);
   	}
   	upper(cp);
   	if (strcmp(cp, "ABOR\r\n") == 0) {

I noticed that the -RC2 branch is in place too now. Almost there…. must … be … patient …

[ad]

You got to love the way they write the release announcements:

“Gee. Did we really implement that new interface that way? That needs a bit more work.”

So,  it’s now the last few legs of the release cycle, and I’m looking forward to it.

DO read the release announcement or /usr/src/UPDATING, specialy if you currently have a system that uses the em(4) driver (Intel E1000 NIC), it might change with this release, to igb(4).

[ad]

I’ve been running -PRERELEASE for a while now, and haven’t found any problems so far, not on real-steal hardware, nor on vmware virtualized hardware.

[ad]

it covers a number of common pitfalls related to using FreeBSD in a vmware setting:

• using the wrong network driver (reducing network bandwith to 10Mbit/s)
• wrong kernel time frequency (modern day is 1000Hz, 100Hz is recommended)

if I come up with some more interesting things, I’ll post them here.

[ad]

Second: get some coffee

Finaly: rm /var/db/pkg/pkgdb.db

I think this comes from upgrading portupgrade somewhere along the line, and accidentaly switching between database formats (hash, or bdb4 btree). The strangest thing is that I’ve searched high and low with Google, but no results anywhere. (not even any of the FreeBSD maillinglists). So it took me a little while to figure out this one.

Anyhow, I’m stuck with HP, which is not a bad platform to get stuck with to begin with. FreeBSD runs beautifully on it, but then you have to do without the insight manager agents, the same deal applies when you run Ubuntu. Centos 4 and 5 are a breeze, just edit /etc/redhat-release so it reflects a RedHat version of Enterprise Server, and install the software like you normaly do.

One thing I seriously dislike however, is that when I run Ubuntu or FreeBSD on a HP box, my monitoring capabilities drop to almost zero. With RedHat or Centos I can monitor through the insight manager agents (who hook into SNMP), and use the nagios check_compaq_insight.pl, and as soon as something breaks: I get paged. With FreeBSD (and ubuntu) that seems completely impossible. My last attempt on an Ubuntu box to install those agents resulted in some very serious library problems, because the installer auto-installed some distro-specific rpm’s. That showed me who’s boss. (not!).

Anyhow, during my daily stroll at the Nagios Exchange I noticed a plugin that I hadn’t noticed before: check_ilo2_health. This is a great little plugin written in Perl. Instead of the old: talk to snmpd approach, this little bugger talks directly to the ilo2 interface (ilo/il01 won’t work), and more specifically: it’s XML interface.

wait. did you say XML interface?

Yup, the ILO2 sports a nice new XML interface, with which you can communicate. HP even provides a bunch of examples on how to talk shop with it. Nice hey?

Now I thought, did HP actually put everything you can monitor with the insight agents into the ILO2 and make it accessible with XML?

Unfortunatly: no. (yes, that was quite disappointing).

You can get quite a bit of useful information through the XML interface, including the speed of the fans, temperature readings from all the internal sensors. You can even configure a lot of things, like users and IP settings through it. You can even upgrade the ILO2 firmware through the XML interface. But nothing on RAID status, rebuild status, etc. I tried this against a brand spanking new DL380 G5, so if it doesn’t work there, it won’t work anywhere.

If anyone at HP reads this: please extend the ILO2 so everything is accessible through it’s XML interface. That saves us a lot of trouble of trying to get those agents installed on other operating systems. FreeBSD is too good an OS to ignore, even for an OEM as big as you. (and you don’t, judging from this news-snippet (PDF)). So either open up the XML interface more, or provide us with insight manager agents for FreeBSD. (I would be more then happy to help with testing).

[ad]

After I figured out that the CPU was, in fact, 64-bit capable (amd64/intel64 – EM64T), I went and downloaded the x86_64 version of FreeBSD 6.2, burned it on CD, popped it into the drive, and….

nothing

Okay, nothing is an overstatement really, but as soon as it got to:

ips0: resetting adapter, this may take up to 5 minutes

The box completely froze, and nothing could persuade the thing to continue booting. (actually, even numlock didn’t work any more, which pretty much means that the box died trying.)

Now, no real harm done, the box isn’t production yet, and it has a good install in good old 32-bit mode, but I went ahead and e-mailed one of the developers for the ips driver (Scott Long), and told him about what I encountered. He confirmed that this was probably a 64-bit related bug, and would look into it. How is that for support?! (seriously, we are talking opensource, free of charge software here, and still I get a reply in a matter of a couple of hours! I don’t see certain commercial software houses doing that)

Anyhow, can’t wait to see what happens, because hey, what’s the use of having a perfectly good 64-bit cpu, if you are not going to use it to it’s full potential?