Date: Fri, 18 Aug 2006 21:36:47 -0300 (ADT) From: "Marc G. Fournier" <scrappy@freebsd.org> To: Oliver Fromme <olli@lurza.secnetix.de> Cc: scrappy@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: BSDstats v3.0 - The Security Rewrite Message-ID: <20060818213531.M32509@ganymede.hub.org> In-Reply-To: <200608171803.k7HI3Mfr069265@lurza.secnetix.de> References: <200608171803.k7HI3Mfr069265@lurza.secnetix.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for your comments and suggestions ... I am currently in the middle of a campground working on a laptop (missing my desktop dearly, since this laptop is my wife's Windows box) ... when I get back online properly beginning of Sept, I will work on the suggestions though ... thx ... On Thu, 17 Aug 2006, Oliver Fromme wrote: > Marc G. Fournier wrote: > > Over the past few days, I've been working with Paul Schmehl and Matthew > > Seaman to come up with a more "security sensitive" version of BSDstats ... > > one that reduces the amount of "sensitive information" stored in the > > database down to ... zero. No IPs, no hostnames ... > > [...] > > From now forward, the stats will be viewable from: > > > > http://www.bsdstats.org > > That's very cool. I've installed it on some of my machines. > Unfortunately, I haven't been able to use it on all of them, > for reasons outlined below. > > I've got a few suggestions and ideas ... > > (1) When run for the first time, you get an error message: > : not found > That's because a few bogus spaces after the backslash in > the line containing the chmod command. Those trailing > spaces should be removed. I suppose I don't need to send > a PR for that. :-) > > (2) Some people aborted the inital "sleep 900" (because > of the above-mentioned error message, or other reasons), > then restarted the script. In this case there is no sleep, > and the submission _seems_ to be successful (no negative > feedback), but it isn't. > > One way to improve the situation would be to check the > mtime on the /var/db/bsdstats file. If it's younger than > 900 seconds, a sleep is required. For example, something > like this piece of shell code (untested): > > FILETIME=$( stat -f %m $id_token_file ) > NOW=$( date +%s ) > if [ $(( $NOW - 900 )) -le $FILETIME ]; then > SLEEPTIME=$(( 900 - ($NOW - $FILETIME) )) > echo "Token key is younger than 15 minutes!" > echo "Sleeping $SLEEPTIME seconds, please wait." > sleep $SLEEPTIME > fi > > (3) Some sites require the use of a proxy for HTTP access. > Such sites usually have an entry in /etc/make.conf, so the > ports can fetch their distfiles: > > FETCH_ENV= FTP_PROXY=http://proxy.my.site:3128 \ > HTTP_PROXY=http://proxy.my.site:3128 > > The bsdstats script could easily pick up that entry and set > the environment variables appropriatly. This line at the > beginning of the script should be sufficient: > > export $( make -V FETCH_ENV 2>/dev/null ) > > (4) Some sites have a proxy that requires authentication. > It is possible to include the password in the FETCH_ENV > entry in /etc/make.conf, but it's usually not a good idea > to do that, because you shouldn't write passwords to files > that are world-readable. > > That problem could be solved in different ways. One way > would be a periodic.conf setting that instructs the script > not to try to submit the data, but instead just print a > reminder to the admin that he should run the monthly script > manually (or print that reminder automatically when the > submission fails because the proxy denies access). > When the admin runs the script manually (which could be > detected by "test -t 0", i.e. stdin is a terminal), it > could ask for the HTTP proxy password and then set the > HTTP_PROXY_AUTH variable appropriately (see fetch(3)). > > (5) Some machines might not be able to access the web at > all. For example, I'm right now working on a farm of 35 > machines which don't have internet access, not even via > a proxy. I can connect to them via ssh/scp (port 22) from > a management machine, and that management machine only has > web access via a proxy. > > It would be nice to be able to request token keys on behalf > of those 35 servers from the management machine, transfer > them to the servers, run the data gathering script on the > servers (putting it into a file instead of submitting it > directyl), copy the results to the management machine and > finally submit them from there. That's pretty complicated, > but I'm afraid I haven't gotten a better idea so far. :-( > > (6) All of the statistics on the web page are sorted by > percentages. It would be nice to be able to click on a > column header and have the table sorted by that value. > That would be especially useful for the release statistics > and the country statistics. > > (If the PHP sources and a database export were publicly > available, I would have taken a shot at implementing it.) > > (7) In order to make the bsdstats project really useful, > it is very important to have as many FreeBSD people as > possible install it. Currently, only very few people will > notice the port and bother to install it. Therefore I > suggest to put bsdstats into the base system (it's only a > small script after all, no bloat), and add a small switch > to sysinstall which asks users whether they want to enable > it, creating appropriate periodic.conf entry for them, and > maybe even automatically running it when booting the newly > installed system for the first time. > > Maybe it should be proposed and discussed in the arch@ > mailing list. > > Best regards > Oliver > > -- > Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing > Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd > Any opinions expressed in this message may be personal to the author > and may not necessarily reflect the opinions of secnetix in any way. > > "File names are infinite in length, where infinity is set to 255 characters." > -- Peter Collinson, "The Unix File System" > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060818213531.M32509>