From owner-cvs-etc Mon Oct 27 00:26:14 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA26065 for cvs-etc-outgoing; Mon, 27 Oct 1997 00:26:14 -0800 (PST) (envelope-from owner-cvs-etc) Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA25882; Mon, 27 Oct 1997 00:23:02 -0800 (PST) (envelope-from jkh@FreeBSD.org) From: "Jordan K. Hubbard" Received: (from jkh@localhost) by freefall.freebsd.org (8.8.6/8.8.5) id AAA06306; Mon, 27 Oct 1997 00:22:57 -0800 (PST) Date: Mon, 27 Oct 1997 00:22:57 -0800 (PST) Message-Id: <199710270822.AAA06306@freefall.freebsd.org> To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: cvs commit: src/etc rc.conf Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk jkh 1997/10/27 00:22:56 PST Modified files: (Branch: RELENG_2_2) etc rc.conf Log: MFC: 1.13, mention daemon saver. Revision Changes Path 1.1.2.28 +2 -2 src/etc/rc.conf From owner-cvs-etc Mon Oct 27 09:01:09 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA03639 for cvs-etc-outgoing; Mon, 27 Oct 1997 09:01:09 -0800 (PST) (envelope-from owner-cvs-etc) Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA03280; Mon, 27 Oct 1997 08:59:17 -0800 (PST) (envelope-from ache@FreeBSD.org) From: "Andrey A. 
Chernov" Received: (from ache@localhost) by freefall.freebsd.org (8.8.6/8.8.5) id IAA26040; Mon, 27 Oct 1997 08:59:09 -0800 (PST) Date: Mon, 27 Oct 1997 08:59:09 -0800 (PST) Message-Id: <199710271659.IAA26040@freefall.freebsd.org> To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: cvs commit: src/etc master.passwd Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk ache 1997/10/27 08:59:09 PST Modified files: etc master.passwd Log: Move nobody to daemon class, otherwise it is impossible to start fingerd while Apache is running, it effectively eats all default class limits for nobody Revision Changes Path 1.19 +1 -1 src/etc/master.passwd From owner-cvs-etc Mon Oct 27 09:19:13 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA06420 for cvs-etc-outgoing; Mon, 27 Oct 1997 09:19:13 -0800 (PST) (envelope-from owner-cvs-etc) Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA06288; Mon, 27 Oct 1997 09:18:32 -0800 (PST) (envelope-from nate@rocky.mt.sri.com) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id KAA14319; Mon, 27 Oct 1997 10:18:30 -0700 (MST) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id KAA00563; Mon, 27 Oct 1997 10:18:28 -0700 (MST) Date: Mon, 27 Oct 1997 10:18:28 -0700 (MST) Message-Id: <199710271718.KAA00563@rocky.mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: "Andrey A. 
Chernov" Cc: cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-etc@freebsd.org Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: <199710271659.IAA26040@freefall.freebsd.org> References: <199710271659.IAA26040@freefall.freebsd.org> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-cvs-etc@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > ache 1997/10/27 08:59:09 PST > > Modified files: > etc master.passwd > Log: > Move nobody to daemon class, otherwise it is impossible to start fingerd > while Apache is running, it effectively eats all default class limits for > nobody This seems silly. 'nobody' is nobody, and if Apache is running as nobody, it should be running as daemon, or another (new) user. nobody should be running as 'nobody'. :) Nate From owner-cvs-etc Mon Oct 27 09:43:35 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA08737 for cvs-etc-outgoing; Mon, 27 Oct 1997 09:43:35 -0800 (PST) (envelope-from owner-cvs-etc) Received: from mail.uniserve.com (dns1-van.uniserve.com [204.244.163.48]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id JAA08447; Mon, 27 Oct 1997 09:39:59 -0800 (PST) (envelope-from tom@uniserve.com) Received: from shell.uniserve.com [204.244.210.252] by mail.uniserve.com with smtp (Exim 1.70 #1) id 0xPt8J-0001J8-00; Mon, 27 Oct 1997 09:39:19 -0800 Date: Mon, 27 Oct 1997 09:39:16 -0800 (PST) From: Tom To: Nate Williams cc: "Andrey A. 
Chernov" , cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-etc@freebsd.org Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: <199710271718.KAA00563@rocky.mt.sri.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-etc@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 27 Oct 1997, Nate Williams wrote: > > ache 1997/10/27 08:59:09 PST > > > > Modified files: > > etc master.passwd > > Log: > > Move nobody to daemon class, otherwise it is impossible to start fingerd > > while Apache is running, it effectively eats all default class limits for > > nobody > > This seems silly. 'nobody' is nobody, and if Apache is running as > nobody, it should be running as daemon, or another (new) user. nobody > should be running as 'nobody'. :) I agree with that. Apache should be running as some other user. A problem with fingerd is that is does fuzzy lookups by default. If /etc/master.passwd is large, it will use a significant amount of CPU. Starting up 30-40 fingerds makes an easy and effective DoS attack. I had this happen to me. I now use xinetd to limit the number of simultaneous fingerd's, but an effective login class would be good too. 
> Nate Tom From owner-cvs-etc Mon Oct 27 09:44:28 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA08840 for cvs-etc-outgoing; Mon, 27 Oct 1997 09:44:28 -0800 (PST) (envelope-from owner-cvs-etc) Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA08712; Mon, 27 Oct 1997 09:43:17 -0800 (PST) (envelope-from nate@rocky.mt.sri.com) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id KAA14484; Mon, 27 Oct 1997 10:43:07 -0700 (MST) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id KAA00685; Mon, 27 Oct 1997 10:43:05 -0700 (MST) Date: Mon, 27 Oct 1997 10:43:05 -0700 (MST) Message-Id: <199710271743.KAA00685@rocky.mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Tom Cc: Nate Williams , "Andrey A. Chernov" , cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-etc@freebsd.org Subject: Fingerd problems (was Re: cvs commit: src/etc master.passwd) In-Reply-To: References: <199710271718.KAA00563@rocky.mt.sri.com> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-cvs-etc@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > A problem with fingerd is that is does fuzzy lookups by default. If > /etc/master.passwd is large, it will use a significant amount of CPU. > Starting up 30-40 fingerds makes an easy and effective DoS attack. If this is a problem, disable fingerd. If that's not feasible, then I think your other solution is really the only other solution (limiting the # of fingerd's that should run.) 
Nate From owner-cvs-etc Mon Oct 27 10:00:39 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA10214 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:00:39 -0800 (PST) (envelope-from owner-cvs-etc) Received: from lsd.relcom.eu.net (lsd.relcom.eu.net [193.124.23.23]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA10060; Mon, 27 Oct 1997 09:58:36 -0800 (PST) (envelope-from ache@lsd.relcom.eu.net) Received: (from ache@localhost) by lsd.relcom.eu.net (8.8.7/8.8.7) id UAA00948; Mon, 27 Oct 1997 20:57:36 +0300 (MSK) (envelope-from ache) Date: Mon, 27 Oct 1997 20:57:33 +0300 (MSK) From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= X-Sender: ache@lsd.relcom.eu.net To: Nate Williams cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: <199710271718.KAA00563@rocky.mt.sri.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 27 Oct 1997, Nate Williams wrote: > > ache 1997/10/27 08:59:09 PST > > > > Modified files: > > etc master.passwd > > Log: > > Move nobody to daemon class, otherwise it is impossible to start fingerd > > while Apache is running, it effectively eats all default class limits for > > nobody > > This seems silly. 'nobody' is nobody, and if Apache is running as > nobody, it should be running as daemon, or another (new) user. nobody > should be running as 'nobody'. :) It is sharing name conflict, both Apache and fingerd runs as nobody, but Apache do it with daemon class while inetd runs fingerd with default class only (which is very limited). So nothing left to fingerd while Apache occupes its resources. There is old tradition exists to run Apache as nobody and it is better to not touch it. It is possible to change fingerd owner from nobody to some other nouser, but we don't have one and it looks silly to have many nousers. 
Moreover, tftp f.e not resistent of this problem too since it runs as nobody. Since nobody not means normal user (and its limits) in any case, it seems logical to assign daemon class for it resolving all issues above. -- Andrey A. Chernov http://www.nagual.pp.ru/~ache/ From owner-cvs-etc Mon Oct 27 10:03:38 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA10669 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:03:38 -0800 (PST) (envelope-from owner-cvs-etc) Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA10645; Mon, 27 Oct 1997 10:03:34 -0800 (PST) (envelope-from nate@rocky.mt.sri.com) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id LAA14644; Mon, 27 Oct 1997 11:03:32 -0700 (MST) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id LAA00863; Mon, 27 Oct 1997 11:03:30 -0700 (MST) Date: Mon, 27 Oct 1997 11:03:30 -0700 (MST) Message-Id: <199710271803.LAA00863@rocky.mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= Cc: Nate Williams , cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-etc@freebsd.org Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: References: <199710271718.KAA00563@rocky.mt.sri.com> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-cvs-etc@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >>> Move nobody to daemon class, otherwise it is impossible to start fingerd >>> while Apache is running, it effectively eats all default class limits for >>> nobody >> This seems silly. 'nobody' is nobody, and if Apache is running as >> nobody, it should be running as daemon, or another (new) user. nobody >> should be running as 'nobody'. :) > > There is old tradition exists to run Apache as nobody and it is better to > not touch it. 
It's *worse* to change nobody to be effectively 'daemon'. It's alot easier (and better) to give Apache a new user then to make nobody 'daemon'. (Think NFS, among other things.) > Since nobody not means normal user (and its limits) in any case, it seems > logical to assign daemon class for it resolving all issues above. No, nobody means 'nobody'. Apache is a 'daemon', so if that's not appropriate, create a new user for it. Either that or disable fingerd on machines where Apache is running. Nate From owner-cvs-etc Mon Oct 27 10:05:39 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA10872 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:05:39 -0800 (PST) (envelope-from owner-cvs-etc) Received: from lsd.relcom.eu.net (lsd.relcom.eu.net [193.124.23.23]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA10703; Mon, 27 Oct 1997 10:03:47 -0800 (PST) (envelope-from ache@lsd.relcom.eu.net) Received: (from ache@localhost) by lsd.relcom.eu.net (8.8.7/8.8.7) id VAA00982; Mon, 27 Oct 1997 21:03:06 +0300 (MSK) (envelope-from ache) Date: Mon, 27 Oct 1997 21:03:01 +0300 (MSK) From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= X-Sender: ache@lsd.relcom.eu.net To: Tom cc: Nate Williams , cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 27 Oct 1997, Tom wrote: > I agree with that. Apache should be running as some other user. No. If you ever run Apache, you'll understand. Many CGI scripts and other things for WWW already assume nobody. BTW, I even see no reason to do it, we need just single nobody only to share among all programs which needs it, not bunch of no-user ids each per particular program. -- Andrey A. 
Chernov http://www.nagual.pp.ru/~ache/ From owner-cvs-etc Mon Oct 27 10:26:36 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA12220 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:26:36 -0800 (PST) (envelope-from owner-cvs-etc) Received: from lsd.relcom.eu.net (lsd.relcom.eu.net [193.124.23.23]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA12095; Mon, 27 Oct 1997 10:24:22 -0800 (PST) (envelope-from ache@lsd.relcom.eu.net) Received: (from ache@localhost) by lsd.relcom.eu.net (8.8.7/8.8.7) id VAA01070; Mon, 27 Oct 1997 21:23:22 +0300 (MSK) (envelope-from ache) Date: Mon, 27 Oct 1997 21:23:20 +0300 (MSK) From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= X-Sender: ache@lsd.relcom.eu.net To: Nate Williams cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: <199710271803.LAA00863@rocky.mt.sri.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 27 Oct 1997, Nate Williams wrote: > It's *worse* to change nobody to be effectively 'daemon'. It's alot Why is is worse? Nobody used only by daemons normally. > easier (and better) to give Apache a new user then to make nobody > 'daemon'. (Think NFS, among other things.) Forget about Apache, it simple reveals the bug. Lets talk about tftpd and fingerd conflict. Your suggestion will be make yet another nobody still? > No, nobody means 'nobody'. Apache is a 'daemon', so if that's not > appropriate, create a new user for it. Either that or disable fingerd > on machines where Apache is running. tftpd is daemon too. Lets disable tftpd on fingerd machines. Or vice versa. Or make yet another 100 nousers to satisfy each daemon which need it. -- Andrey A. 
Chernov http://www.nagual.pp.ru/~ache/ From owner-cvs-etc Mon Oct 27 10:28:43 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA12346 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:28:43 -0800 (PST) (envelope-from owner-cvs-etc) Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA12338; Mon, 27 Oct 1997 10:28:36 -0800 (PST) (envelope-from nate@rocky.mt.sri.com) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id LAA14861; Mon, 27 Oct 1997 11:28:31 -0700 (MST) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id LAA01057; Mon, 27 Oct 1997 11:28:29 -0700 (MST) Date: Mon, 27 Oct 1997 11:28:29 -0700 (MST) Message-Id: <199710271828.LAA01057@rocky.mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= Cc: Nate Williams , cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-etc@freebsd.org Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: References: <199710271803.LAA00863@rocky.mt.sri.com> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-cvs-etc@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Forget about Apache, it simple reveals the bug. Lets talk about tftpd and > fingerd conflict. Your suggestion will be make yet another nobody still? > > > No, nobody means 'nobody'. Apache is a 'daemon', so if that's not > > appropriate, create a new user for it. Either that or disable fingerd > > on machines where Apache is running. > > tftpd is daemon too. Lets disable tftpd on fingerd machines. tftpd should be disabled on *every* machine. :) > Or vice versa. Or make yet another 100 nousers to satisfy each daemon > which need it. It seems that your problem is with fingerd taking up too many resources, not on users. Fix the problem, don't band-aid around it and cause other problems. 
Nate From owner-cvs-etc Mon Oct 27 10:30:04 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA12486 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:30:04 -0800 (PST) (envelope-from owner-cvs-etc) Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA12324; Mon, 27 Oct 1997 10:28:15 -0800 (PST) (envelope-from mark@greenpeace.grondar.za) Received: from greenpeace.grondar.za (mvD7JS1mRIWKSJvh+qxbZtWFvll+E9tn@greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.8.7/8.8.7) with ESMTP id UAA17706; Mon, 27 Oct 1997 20:28:09 +0200 (SAT) (envelope-from mark@greenpeace.grondar.za) Received: from greenpeace.grondar.za (wR4HYofdkaSV/n9pvTLzXJwFfRt0K3yh@localhost [127.0.0.1]) by greenpeace.grondar.za (8.8.7/8.8.7) with ESMTP id UAA29423; Mon, 27 Oct 1997 20:27:51 +0200 (SAST) Message-Id: <199710271827.UAA29423@greenpeace.grondar.za> X-Mailer: exmh version 2.0zeta 7/24/97 To: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= cc: Tom , Nate Williams , cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: Re: cvs commit: src/etc master.passwd Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 27 Oct 1997 20:27:50 +0200 From: Mark Murray Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= wrote: > No. If you ever run Apache, you'll understand. Many CGI scripts and other > things for WWW already assume nobody. > > BTW, I even see no reason to do it, we need just single nobody only to > share among all programs which needs it, not bunch of no-user ids each per > particular program. The reason for nobody:nobody is a truly "nobody" user with no special priveliges or status, not a user with features, etc shoehorned to fit available software. The software should be fixed, not the OS broken. It sounds to me as though Apache and/or fingerd is broken. 
Surely an appropriate set{e}gid(2) will fix this (off the top of my head)? Modifying a user (like you did) may be valid, but not as a design consideration. It is the sort of thing someone may do when building a box for a specific task, like a web server. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org From owner-cvs-etc Mon Oct 27 10:35:11 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA12891 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:35:11 -0800 (PST) (envelope-from owner-cvs-etc) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA12844; Mon, 27 Oct 1997 10:34:51 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id TAA02111; Mon, 27 Oct 1997 19:34:45 +0100 (MET) From: Guido van Rooij Message-Id: <199710271834.TAA02111@gvr.gvr.org> Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: <199710271659.IAA26040@freefall.freebsd.org> from "Andrey A. Chernov" at "Oct 27, 97 08:59:09 am" To: ache@FreeBSD.ORG (Andrey A. Chernov) Date: Mon, 27 Oct 1997 19:34:45 +0100 (MET) Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Andrey A. Chernov wrote: > ache 1997/10/27 08:59:09 PST > > Modified files: > etc master.passwd > Log: > Move nobody to daemon class, otherwise it is impossible to start fingerd > while Apache is running, it effectively eats all default class limits for > nobody > Perhaps it's time to implement an extra switch for su to set the class. Then we can do things like: echo /wher/ever/httpd | su -fm -C daemon nobody Which would solve th problem as well and in a cleaner way. 
-Guido From owner-cvs-etc Mon Oct 27 10:39:12 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA13192 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:39:12 -0800 (PST) (envelope-from owner-cvs-etc) Received: from lsd.relcom.eu.net (lsd.relcom.eu.net [193.124.23.23]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA13051; Mon, 27 Oct 1997 10:37:08 -0800 (PST) (envelope-from ache@lsd.relcom.eu.net) Received: (from ache@localhost) by lsd.relcom.eu.net (8.8.7/8.8.7) id VAA01144; Mon, 27 Oct 1997 21:36:26 +0300 (MSK) (envelope-from ache) Date: Mon, 27 Oct 1997 21:36:22 +0300 (MSK) From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= X-Sender: ache@lsd.relcom.eu.net To: Mark Murray cc: Tom , Nate Williams , cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: Inetd & login class bug (was Re: cvs commit: src/etc master.passwd) In-Reply-To: <199710271827.UAA29423@greenpeace.grondar.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 27 Oct 1997, Mark Murray wrote: > The reason for nobody:nobody is a truly "nobody" user with no special > priveliges or status, not a user with features, etc shoehorned to fit > available software. The software should be fixed, not the OS broken. Well. > It sounds to me as though Apache and/or fingerd is broken. Surely an > appropriate set{e}gid(2) will fix this (off the top of my head)? Apache _not_ use special priviledges of nobody, it was inetd who suppose that nobody have particular limits. It seems inetd must be fixed somehow to stop using nobody limits. I am not sure, how to fix inetd at this time, maybe we need to handle nobody name specially (and use daemon limits in this case), or maybe just use daemon limits for _all_ entries in inetd.conf... Any ideas? -- Andrey A. 
Chernov http://www.nagual.pp.ru/~ache/ From owner-cvs-etc Mon Oct 27 10:42:07 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA13421 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:42:07 -0800 (PST) (envelope-from owner-cvs-etc) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA13334; Mon, 27 Oct 1997 10:40:32 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id TAA02224; Mon, 27 Oct 1997 19:39:50 +0100 (MET) From: Guido van Rooij Message-Id: <199710271839.TAA02224@gvr.gvr.org> Subject: Re: Fingerd problems (was Re: cvs commit: src/etc master.passwd) In-Reply-To: <199710271743.KAA00685@rocky.mt.sri.com> from Nate Williams at "Oct 27, 97 10:43:05 am" To: nate@mt.sri.com (Nate Williams) Date: Mon, 27 Oct 1997 19:39:50 +0100 (MET) Cc: tom@uniserve.com, nate@mt.sri.com, ache@FreeBSD.ORG, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Nate Williams wrote: > > A problem with fingerd is that is does fuzzy lookups by default. If > > /etc/master.passwd is large, it will use a significant amount of CPU. > > Starting up 30-40 fingerds makes an easy and effective DoS attack. > > If this is a problem, disable fingerd. If that's not feasible, then I > think your other solution is really the only other solution (limiting > the # of fingerd's that should run.) Perhaps implement a switch to fingerd disallowing the fuzzy lookups. Now that I think of it: It should be part of the -s flag as it gives an easy way of guessing usernames. (consider taht a *lot* of ppl in the netherlands have either 'van' or 'de' as a separate word in their family name). 
-Guido From owner-cvs-etc Mon Oct 27 10:53:35 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA14458 for cvs-etc-outgoing; Mon, 27 Oct 1997 10:53:35 -0800 (PST) (envelope-from owner-cvs-etc) Received: from precipice.shockwave.com (precipice.shockwave.com [207.105.15.229]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA14453; Mon, 27 Oct 1997 10:53:32 -0800 (PST) (envelope-from pst@shockwave.com) Received: from shockwave.com (localhost [127.0.0.1]) by precipice.shockwave.com (8.8.7/8.7.3) with ESMTP id KAA07132; Mon, 27 Oct 1997 10:52:53 -0800 (PST) Message-Id: <199710271852.KAA07132@precipice.shockwave.com> To: Nate Williams cc: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= , cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: Re: cvs commit: src/etc master.passwd In-reply-to: Your message of "Mon, 27 Oct 1997 11:28:29 MST." <199710271828.LAA01057@rocky.mt.sri.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 27 Oct 1997 10:52:51 -0800 From: Paul Traina Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > Forget about Apache, it simple reveals the bug. Lets talk about tftpd and > > fingerd conflict. Your suggestion will be make yet another nobody still? > > > > > No, nobody means 'nobody'. Apache is a 'daemon', so if that's not > > > appropriate, create a new user for it. Either that or disable fingerd > > > on machines where Apache is running. > > > > tftpd is daemon too. Lets disable tftpd on fingerd machines. > > tftpd should be disabled on *every* machine. :) > > > Or vice versa. Or make yet another 100 nousers to satisfy each daemon > > which need it. > > It seems that your problem is with fingerd taking up too many resources, > not on users. Fix the problem, don't band-aid around it and cause other > problems. For once I agree with Andrey... 
the problem here is not fingerd's resource utilization, it's that we have daemons starting in inetd not running with daemon resource limits. That should be fixed, one way or another. From owner-cvs-etc Mon Oct 27 11:21:32 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA16810 for cvs-etc-outgoing; Mon, 27 Oct 1997 11:21:32 -0800 (PST) (envelope-from owner-cvs-etc) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA16730; Mon, 27 Oct 1997 11:21:02 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id TAA02054; Mon, 27 Oct 1997 19:30:47 +0100 (MET) From: Guido van Rooij Message-Id: <199710271830.TAA02054@gvr.gvr.org> Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: from Tom at "Oct 27, 97 09:39:16 am" To: tom@uniserve.com (Tom) Date: Mon, 27 Oct 1997 19:30:47 +0100 (MET) Cc: nate@mt.sri.com, ache@FreeBSD.ORG, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > A problem with fingerd is that is does fuzzy lookups by default. If > /etc/master.passwd is large, it will use a significant amount of CPU. > Starting up 30-40 fingerds makes an easy and effective DoS attack. I had > this happen to me. I now use xinetd to limit the number of simultaneous > fingerd's, but an effective login class would be good too. You don;t need xinetd to do that; our inetd has the same possibilities. 
-Guido From owner-cvs-etc Mon Oct 27 11:40:24 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA18022 for cvs-etc-outgoing; Mon, 27 Oct 1997 11:40:24 -0800 (PST) (envelope-from owner-cvs-etc) Received: from fallout.campusview.indiana.edu (fallout.campusview.indiana.edu [149.159.1.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA17913; Mon, 27 Oct 1997 11:39:31 -0800 (PST) (envelope-from jfieber@indiana.edu) Received: from localhost (jfieber@localhost) by fallout.campusview.indiana.edu (8.8.7/8.8.7) with SMTP id OAA24848; Mon, 27 Oct 1997 14:38:53 -0500 (EST) Date: Mon, 27 Oct 1997 14:38:52 -0500 (EST) From: John Fieber To: Guido van Rooij cc: "Andrey A. Chernov" , cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: <199710271834.TAA02111@gvr.gvr.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 27 Oct 1997, Guido van Rooij wrote: > Perhaps it's time to implement an extra switch for su to set the class. > Then we can do things like: > echo /wher/ever/httpd | su -fm -C daemon nobody > > Which would solve th problem as well and in a cleaner way. Except the small detail that httpd needs to be started by root to get port 80, it then changes to the uid/gid specified in the config file, which defaults to nobody. 
-john From owner-cvs-etc Mon Oct 27 11:43:48 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA18197 for cvs-etc-outgoing; Mon, 27 Oct 1997 11:43:48 -0800 (PST) (envelope-from owner-cvs-etc) Received: from lsd.relcom.eu.net (lsd.relcom.eu.net [193.124.23.23]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA18106; Mon, 27 Oct 1997 11:41:57 -0800 (PST) (envelope-from ache@lsd.relcom.eu.net) Received: (from ache@localhost) by lsd.relcom.eu.net (8.8.7/8.8.7) id WAA01586; Mon, 27 Oct 1997 22:41:46 +0300 (MSK) (envelope-from ache) Date: Mon, 27 Oct 1997 22:41:45 +0300 (MSK) From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= X-Sender: ache@lsd.relcom.eu.net To: Guido van Rooij cc: Nate Williams , tom@uniserve.com, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG Subject: Re: Fingerd problems (was Re: cvs commit: src/etc master.passwd) In-Reply-To: <199710271839.TAA02224@gvr.gvr.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 27 Oct 1997, Guido van Rooij wrote: > Nate Williams wrote: > > > A problem with fingerd is that is does fuzzy lookups by default. If > > > /etc/master.passwd is large, it will use a significant amount of CPU. > > > Starting up 30-40 fingerds makes an easy and effective DoS attack. > > > > If this is a problem, disable fingerd. If that's not feasible, then I > > think your other solution is really the only other solution (limiting > > the # of fingerd's that should run.) You can already limit maximum number of fingerd's by "/30" suffix, see inetd.conf(8) -- Andrey A. 
Chernov http://www.nagual.pp.ru/~ache/ From owner-cvs-etc Mon Oct 27 11:46:31 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA18326 for cvs-etc-outgoing; Mon, 27 Oct 1997 11:46:31 -0800 (PST) (envelope-from owner-cvs-etc) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA18314; Mon, 27 Oct 1997 11:46:18 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id UAA24705; Mon, 27 Oct 1997 20:45:37 +0100 (MET) From: Guido van Rooij Message-Id: <199710271945.UAA24705@gvr.gvr.org> Subject: Re: cvs commit: src/etc master.passwd In-Reply-To: from John Fieber at "Oct 27, 97 02:38:52 pm" To: jfieber@indiana.edu (John Fieber) Date: Mon, 27 Oct 1997 20:45:37 +0100 (MET) Cc: ache@FreeBSD.ORG, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-cvs-etc@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk John Fieber wrote: > On Mon, 27 Oct 1997, Guido van Rooij wrote: > > > Perhaps it's time to implement an extra switch for su to set the class. > > Then we can do things like: > > echo /wher/ever/httpd | su -fm -C daemon nobody > > > > Which would solve th problem as well and in a cleaner way. > > Except the small detail that httpd needs to be started by root to > get port 80, it then changes to the uid/gid specified in the > config file, which defaults to nobody. :-( Yep; I overlooked that. However the switch is still usefull so I coded it and will commit later. 
-Guido

From owner-cvs-etc Mon Oct 27 12:01:13 1997
Date: Mon, 27 Oct 1997 22:58:46 +0300 (MSK)
From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=
To: Guido van Rooij
cc: John Fieber, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: Re: cvs commit: src/etc master.passwd
In-Reply-To: <199710271945.UAA24705@gvr.gvr.org>

On Mon, 27 Oct 1997, Guido van Rooij wrote:

> :-( Yep; I overlooked that.
> However the switch is still useful so I coded it and will commit
> later.

It is not needed, I already added "limits -C daemon" call to apachectl.

--
Andrey A.
Chernov
http://www.nagual.pp.ru/~ache/

From owner-cvs-etc Mon Oct 27 12:04:56 1997
From: Guido van Rooij
Message-Id: <199710272003.VAA01918@gvr.gvr.org>
Subject: Re: cvs commit: src/etc master.passwd
In-Reply-To: from "[______ ______]" at "Oct 27, 97 10:58:46 pm"
To: ache@nagual.pp.ru (=?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=)
Date: Mon, 27 Oct 1997 21:03:47 +0100 (MET)
Cc: jfieber@indiana.edu, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG

[______ ______] wrote:
> On Mon, 27 Oct 1997, Guido van Rooij wrote:
>
> > :-( Yep; I overlooked that.
> > However the switch is still useful so I coded it and will commit
> > later.
>
> It is not needed, I already added "limits -C daemon" call to apachectl.

Limits does not allow the setting of all knobs in the class file.
E.g. umask etc etc.
-Guido

From owner-cvs-etc Mon Oct 27 12:41:47 1997
Date: Mon, 27 Oct 1997 23:38:37 +0300 (MSK)
From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=
To: Guido van Rooij
cc: jfieber@indiana.edu, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: Re: cvs commit: src/etc master.passwd
In-Reply-To: <199710272003.VAA01918@gvr.gvr.org>

On Mon, 27 Oct 1997, Guido van Rooij wrote:

> [______ ______] wrote:
> > On Mon, 27 Oct 1997, Guido van Rooij wrote:
> >
> > > :-( Yep; I overlooked that.
> > > However the switch is still useful so I coded it and will commit
> > > later.
> >
> > It is not needed, I already added "limits -C daemon" call to apachectl.
>
> Limits does not allow the setting of all knobs in the class file.
> E.g. umask etc etc.

Yes, but Apache does not rely on complex things like default umask etc and
uses its own. As I see it, 'limits' does all the job needed by Apache.

BTW, if you know a better way to set login class things inside a shell script,
I think there is no harm to use it.
My way is
	eval `limits -e -C daemon`
line at the start of apachectl script.
Which line do you suggest instead?

--
Andrey A.
Chernov
http://www.nagual.pp.ru/~ache/

From owner-cvs-etc Mon Oct 27 13:01:15 1997
From: Guido van Rooij
Message-Id: <199710272054.VAA18661@gvr.gvr.org>
Subject: Re: cvs commit: src/etc master.passwd
In-Reply-To: from "[______ ______]" at "Oct 27, 97 11:38:37 pm"
To: ache@nagual.pp.ru (=?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=)
Date: Mon, 27 Oct 1997 21:54:52 +0100 (MET)
Cc: jfieber@indiana.edu, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG

>
> Yes, but Apache does not rely on complex things like default umask etc and
> uses its own. As I see it, 'limits' does all the job needed by Apache.
>
> BTW, if you know a better way to set login class things inside a shell script,
> I think there is no harm to use it.
> My way is
> 	eval `limits -e -C daemon`
> line at the start of apachectl script.
> Which line do you suggest instead?

I completely agree with you here. It seems the best way to do this for apache.
What I tried to say was that the extra switch for su would be useful
in other cases, and that's why I made it.
-Guido

From owner-cvs-etc Mon Oct 27 14:08:56 1997
From: "Andrey A. Chernov"
Date: Mon, 27 Oct 1997 14:07:05 -0800 (PST)
Message-Id: <199710272207.OAA27725@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: cvs commit: src/etc master.passwd

ache        1997/10/27 14:07:05 PST

  Modified files:
    etc                  master.passwd
  Log:
  Back out moving nobody to daemon class, the problem fixed in another place:
  inetd

  Revision  Changes    Path
  1.20      +1 -1      src/etc/master.passwd

From owner-cvs-etc Mon Oct 27 14:46:25 1997
Date: Mon, 27 Oct 1997 15:46:05 -0700 (MST)
Message-Id: <199710272246.PAA03022@rocky.mt.sri.com>
From: Nate Williams
To: "Andrey A.
Chernov"
Cc: cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-etc@freebsd.org
Subject: Re: cvs commit: src/etc master.passwd
In-Reply-To: <199710272207.OAA27725@freefall.freebsd.org>
References: <199710272207.OAA27725@freefall.freebsd.org>

> ache        1997/10/27 14:07:05 PST
>
>   Modified files:
>     etc                  master.passwd
>   Log:
>   Back out moving nobody to daemon class, the problem fixed in another place:
>   inetd

Thanks!

Nate

From owner-cvs-etc Tue Oct 28 04:05:03 1997
To: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=
Cc: Guido van Rooij, jfieber@indiana.edu, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: Re: cvs commit: src/etc master.passwd
From: Paul Richards
Date: 28 Oct 1997 12:01:34 +0000
In-Reply-To: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?='s message of Mon, 27 Oct 1997 23:38:37 +0300 (MSK)
Message-ID: <57u3e2yu3l.fsf@tees.elsevier.co.uk>

=?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= writes:

> Yes, but Apache does not rely on complex things like default umask etc and
> uses its own. As I see it, 'limits' does all the job needed by Apache.

Are you sure about that? We've seen problems here with Apache picking
up umasks from the parent environment. A cursory examination showed
that it was inconsistent with its use of open and fopen.

--
Dr Paul Richards. IT, Product Application Development.
Email: p.richards@elsevier.co.uk
Phone: x3155

From owner-cvs-etc Tue Oct 28 04:07:04 1997
To: Guido van Rooij
Cc: ache@nagual.pp.ru (=?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=), jfieber@indiana.edu, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: Re: cvs commit: src/etc master.passwd
References: <199710272054.VAA18661@gvr.gvr.org>
From: Paul Richards
Date: 28 Oct 1997 12:04:07 +0000
In-Reply-To: Guido van Rooij's message of Mon, 27 Oct 1997 21:54:52 +0100 (MET)
Message-ID:
<57sotmytzc.fsf@tees.elsevier.co.uk>

Guido van Rooij writes:

> I completely agree with you here. It seems the best way to do this for apache.
> What I tried to say was that the extra switch for su would be useful
> in other cases, and that's why I made it.

Hmm, surely the best way to deal with this is to fix the Apache
configuration. Nowhere I've ever installed Apache, or have worked
where someone else has installed it, leaves it running as nobody since
that route is fraught with problems.

Shipping the sources with a default as nobody is more a legacy issue
than anything else and rather than force the users to configure a
sensible alternative it's left as nobody since that will work
everywhere.

For the FreeBSD version I'd suggest we create an apache user.

--
Dr Paul Richards. IT, Product Application Development.
Email: p.richards@elsevier.co.uk
Phone: x3155

From owner-cvs-etc Tue Oct 28 05:15:19 1997
Date: Tue, 28 Oct 1997 16:11:24 +0300 (MSK)
From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=
To: Paul Richards
cc: Guido van Rooij, jfieber@indiana.edu, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: Re: cvs commit: src/etc master.passwd
In-Reply-To: <57sotmytzc.fsf@tees.elsevier.co.uk>

On 28 Oct
1997, Paul Richards wrote:

> Guido van Rooij writes:
>
> > I completely agree with you here. It seems the best way to do this for apache.
> > What I tried to say was that the extra switch for su would be useful
> > in other cases, and that's why I made it.
>
> Hmm, surely the best way to deal with this is to fix the Apache
> configuration. Nowhere I've ever installed Apache, or have worked
> where someone else has installed it, leaves it running as nobody since
> that route is fraught with problems.

The problem is already fixed in another place: inetd

--
Andrey A. Chernov
http://www.nagual.pp.ru/~ache/

From owner-cvs-etc Wed Oct 29 17:19:22 1997
From: Nate Williams
Date: Wed, 29 Oct 1997 17:17:04 -0800 (PST)
Message-Id: <199710300117.RAA18543@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: cvs commit: src/etc pccard.conf.sample

nate        1997/10/29 17:17:04 PST

  Modified files:
    etc                  pccard.conf.sample
  Log:
  - Commented out some PAO specific portions of this file.
  Noticed by: Michael Reifenberger

  Revision  Changes    Path
  1.9       +27 -27    src/etc/pccard.conf.sample

From owner-cvs-etc Wed Oct 29 17:21:02 1997
From: Nate Williams
Date: Wed, 29 Oct 1997 17:18:39 -0800 (PST)
Message-Id: <199710300118.RAA18586@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: cvs commit: src/etc pccard.conf.sample

nate        1997/10/29 17:18:38 PST

  Modified files:        (Branch: RELENG_2_2)
    etc                  pccard.conf.sample
  Log:
  - MFC: News definitions, and removal of PAO-specific definitions.

  Revision  Changes    Path
  1.4.2.2   +39 -27    src/etc/pccard.conf.sample

From owner-cvs-etc Thu Oct 30 18:01:33 1997
From: John Polstra
Date: Thu, 30 Oct 1997 17:58:55 -0800 (PST)
Message-Id: <199710310158.RAA10972@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: cvs commit: src/etc rc.conf

jdp         1997/10/30 17:58:54 PST

  Modified files:
    etc                  rc.conf
  Log:
  Add "mrouted_flags". It has been referenced by rc.network for a long
  time.

  Revision  Changes    Path
  1.32      +2 -1      src/etc/rc.conf

From owner-cvs-etc Thu Oct 30 18:02:53 1997
From: John Polstra
Date: Thu, 30 Oct 1997 18:00:45 -0800 (PST)
Message-Id: <199710310200.SAA11029@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: cvs commit: src/etc rc.conf

jdp         1997/10/30 18:00:44 PST

  Modified files:        (Branch: RELENG_2_2)
    etc                  rc.conf
  Log:
  Merge from main branch 1.31 -> 1.32: add "mrouted_flags".

  Revision  Changes    Path
  1.1.2.29  +2 -1      src/etc/rc.conf

From owner-cvs-etc Sat Nov 1 07:04:54 1997
From: Wolfram Schneider
Date: Sat, 1 Nov 1997 07:00:41 -0800 (PST)
Message-Id: <199711011500.HAA09129@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: cvs commit: src/etc/periodic/weekly 310.locate

wosch       1997/11/01 07:00:41 PST

  Modified files:
    etc/periodic/weekly  310.locate
  Log:
  Delete unused code.

  Revision  Changes    Path
  1.2       +2 -4      src/etc/periodic/weekly/310.locate

From owner-cvs-etc Sat Nov 1 07:07:03 1997
From: Wolfram Schneider
Date: Sat, 1 Nov 1997 07:03:06 -0800 (PST)
Message-Id: <199711011503.HAA09182@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-etc@FreeBSD.ORG
Subject: cvs commit: src/etc/periodic/weekly 340.noid Makefile

wosch       1997/11/01 07:03:06 PST

  Modified files:
    etc/periodic/weekly  Makefile
  Added files:
    etc/periodic/weekly  340.noid
  Log:
  Check for files belonging to an unknown user or unknown group.
  Do not run by default.

  Revision  Changes    Path
  1.3       +2 -1      src/etc/periodic/weekly/Makefile