Slashdot Mirror

Three-letter answer: LVM.
Four-letter answer: EVMS.

They are using RHEL3 maybe they had one of those problems with kswapd. We've had problems with kswapd on RH9 too. Had to reboot a server every few days. So yeah, things aren't all that great despite the great faith some fanatics have in Linux.

If you bother to look, Linux isn't quite as stable as some people believe it is, at least for some versions of Red Hat Linux. Makes you wonder what Red Hat are doing. They are supposed to be making their kernels more stable than the developer kernels (which aren't that stable - the kernel developers nowadays don't seem to care as much about that).

See this stress test that I did a few years ago. Load of 25 for hours without a hiccup. Well, yeah, the server slowed down, but it never hung, and as soon as the load went down to a normal level, everything was fine.

This article reeks of PR to me. Why did this small business go to the reporter in the first place? Why are the two biggest Linux consulting firms (RH & IBM) showed as being impotent? I'm not going to dispute the facts in the article, because I live a couple thousand miles north of the company, but the tone of the article makes it sound like it was written by a PR company and released to the press.

Those are all good features to protect against poor coding, however, they are also features which are already available for the linux kernel. In fact it appears that all these features you've mentioned are part of PaX and are shared among linux and openBSD.

http://pax.grsecurity.net/

But perhaps of greater importance is the fact that none of this will protect you against poor coding which is susceptible to unexpected actions such as sql injection. An sql injection attack does not necessarily create a buffer overflow, but gets an application to execute a query in ways the programmer did not expect and thus uses the privileges of the database or application user to perform operations on the system which were not intended. And this was only one example of potential exploits an installed application may open up. There are others, some of them as simple as a poor password set by a user. You see, you must protect against more than just memory exploits.

selinux is very effective at protecting, not only against buffer overflows which may result in the execution of unexpected code, but other exploits:

"...Running an SELinux MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. SELinux defines the access and transition rights of every user, application, process, and file on the system. SELinux then governs the interactions of these subjects and objects using a security policy that specifies how strict or lenient a given Red Hat Enterprise Linux installation should be..."

http://www.redhat.com/docs/manuals/enterprise/RHEL -4-Manual/ref-guide/ch-selinux.html

So, again, I may be off base due to my lack of experience with bsd but I still believe that the BSDs are susceptible to attacks which an selinux implementation could protect against.

burnin

Russell Coker now works for Red Hat. Hence Fedora has some of the best support for SELinux of any distribution.

There was also a recent article about SELinux in Fedora in the Red Hat Magazine.

How would Red Hat aim to deliver the "most secure Linux" based around SELinux if it didn't have its own SELinux expertise?

Russell Coker now works for Red Hat. Hence Fedora has some of the best support for SELinux of any distribution.

There was also a recent article about SELinux in Fedora in the Red Hat Magazine.

How would Red Hat aim to deliver the "most secure Linux" based around SELinux if it didn't have its own SELinux expertise?

Re: I don't know how to do it and therefore it can't be done and therefore it sucks.

It can be done. Here's how:

First some good documentation.

Run:

# up2date --install (or yum install) selinux-policy-targeted-sources
# cd /etc/selinux/targeted/src/policy
# make enableaudit

Run whatever service that is currently broken because of SELinux. Then:

# audit2allow -i /var/log/messages -l
allow httpd_t cifs_t:dir search;
allow httpd_t unlabeled_t:dir { getattr search };

...which will tell you where SELinux blocked the service. (Just some sample output here.)

Then add your own rules like this:

# cat >domains/misc/local.te <<EOF
allow httpd_t unlabeled_t:dir { getattr search read };
allow httpd_t unlabeled_t:file { getattr read };
allow httpd_t unlabeled_t:lnk_file { read getattr };
allow httpd_t cifs_t:dir { getattr search read };
allow httpd_t cifs_t:file { getattr read };
allow httpd_t cifs_t:lnk_file { read getattr };
allow httpd_t default_t:lnk_file { getattr read };
EOF

# make reload

The above is again just an example.

Try again. If it doesn't work you need to allow some more stuff, which audit2allow will tell you.

RedHat/Fedora already do have ExecShield, which is similar to Pax:

http://www.redhat.com/magazine/009jul05/features/e xecshield/

Which idiot has modded this to "insightful"?

If he wants to access the content through samba, he can add a SEL policy rule to do this.

Furthermore SEL has nothing to do with Access Control Lists, that is old style protection; SEL sits ON TOP of it!

In other words he hasn't understood what SEL is. So please read SEL documentation, e.g. http://fedora.redhat.com/docs/selinux-apache-fc3/ before posting such nonsense here!

Now if only they (Fedora especially) would ship a basic "desktop install" on *one* CD image

Pretty sure people are working on this. If you are interesting in getting involved with development of such a solution in the Fedora space please take a moment and
look at:
http://fedoraproject.org/wiki/Kadischi
and read up on discussions at: https://www.redhat.com/mailman/listinfo/fedora-liv ecd-list

StarOffice uses the same native theming code that I originally wrote (any many others extended) for OpenOffice.org. Same stuff, same look, same capabilities.

http://people.redhat.com/dcbw/ooo-nwf.html

Red Hat Global File System now supported by Oracle, EMC and NetApp

http://www.oracle.com/technology/products/database /clustering/certify/tech_generic_linux.html
http://www.redhat.com/en_us/USA/home/company/news/ prarchive/2005/press_rh-gfs_support.html

Some information on the Global File System can be found here and here.

Some information on the Global File System can be found here and here.

I am running Fedora and I got Firefox 1.0.6 as an update. According to this, the update rpm was available on Sept 10.

I can pull them down automatically either with up2date or I can use yum. I don't think I will have to wait long to get 1.0.7 that way.

see how Sourceforge will not release their source

Redhat did not do the R&D to create Linux from scratch

Open Source is NOT always the only answer, some people have to make a living.

Fedora Directory Server was bought from AOL. It was called then Netscape Directory Server. So I think it is robust.

It has a graphical interface: AdminUtil and SetupUtil.

http://directory.fedora.redhat.com/wiki/Main_Page

Have anyone tested this?

http://www.redhat.com/software/rha/directory/

It's just a better product.

For a supported version of the highly-regarded LDAP formerly known as Netscape Directory Server that runs on Linux, see Red Hat Directory Server. And to try before you buy, you can check it out on Fedora as the parent suggested.

May I introduce you to an opensource Directory solution that quite nicely replaces Windows Active Directory. Many moons ago it started life as just OpenLDAP but it is now become so much more.

http://www.apple.com/server/macosx/features/opendi rectory.html

Good ol' Apple.

Darwin, *BSD, Linux, various Unixes. Builds with GCC and source is available under Apple's OpenSource license.

Redhat's RHDS available on subscription for RHEL3 and RHEL4 is another. Based on Netscape Directory Services. Thats mostly available under the GPL now, called Fedora Directory Server.

http://directory.fedora.redhat.com/

Personally my favourite has been eDirectory. It may not be opensource or even free, but the little you do pay for it is definitely worth the product. Anyone skipping over it is either deliberately obtuse or just plain ignorant. Especially if they're willing to pay for Active Directory and all the costs that go with it (including licensing, security and maintence/administration) while receiving a far inferior product.

Ultimately, Ask Slashdot is the worst place for the original poster to ask this kind of question. They need to sit down with people from various companies and vendors to get an idea of all available products. Many will happily discuss the requirements and work together with you to find the best solution, not just sell you a solution from a preferred supplier.

Ask various engineering places in the district to submitt RFP's based on requirements you set. It doesn't have to be a multi-million dollar contract to get many interested. Companies are starting to really take notice of the SME market now days. Ultimately the have to. ;-)

Hi all, A.Directory is not so bad for an LDAP made in MS , and if your boss want MS exchange (too bad ...). Nevertheless I'll have a look at Redhat Directory. What about Redhat Directory http://www.redhat.com/software/rha/directory/ . I think it can help you. See some of the features. # Centralizes management of people and their profiles, thus reducing administrative costs # Acts as a central repository for user profiles and preferences, enabling personalization # Allows 4-way multi-master replication of data across the enterprise, providing a centralized, consistent data source available to enterprise applications # Enables single sign-on access with a partner solution # Provides scalability for massive numbers of users by containing the information control required for developing extranet applications # Provides full support for 64-bit HP-UX and Solaris platforms. # Provides the foundation for strong certificate-based authentication when used in conjunction with a Red Hat Certificate System Regards. Guillaume.

Formerly Netscape Directory Server, also the base for iPlanet/SunOne Directory server , Fedora Directory Server is the best OSS directory service out there today. Check These links for reviews.

Formerly Netscape Directory Server, also the base for iPlanet/SunOne Directory server , Fedora Directory Server is the best OSS directory service out there today. Check These links for reviews.

The Sun/iplanet ldap server has been bought by Red Hat and open sourced. You can find it here

"The disadvantage is that your Enterprise Directory is also your NOS, which can be a pain from a licensing perspective, if you want to store authentication-only users as well."

Other disadvantages include cost, vendor lock, increased maintenance, and inability to interoperate.

Finally I would also look at oracle, they too have a directory and an excellent groupware system which in many ways is superior to exchange.

I've just started to take a look at Fedora Directory Server. It is very easy to set up and with the GUI manager, it seems about as easy to manage as Microsoft AD.

I'm sure some /.ers can give you a better view of the quality of Netscape Directory Server but from the rumblings I've heard it's a complete package and it's pretty damned amazing (not to mention it supposedly scales through the roof).

You can check out the documents here

Also check out Fedora Directory: http://directory.fedora.redhat.com/wiki/Main_Page

Source based component upgrade is the path to madness (well, it is cool and usefull, but for an end-user, it is madness). You newly build IRC client will need some upgraded version of libxml, which may have an incompatibility with the Nvu HTML composer. After a few upgrades, you end up in dependency hell. Your binaries starts to randomly segfault, and you end up re-installing the whole OS.

Maybe if you're using something that isn't designed to resolve those dependencies...hell, my understanding of RPM is that it has a hard-enough time keeping dependencies in binary packages straightened out. If you're using a distro that's designed for source-based upgrades, it'll pull in any updated dependencies automagically and build them before building a new version of Firefox (or whatever).

I will probably get modded flamebait, but I agree.

I just went throught the process of adding Bugzilla to my installation of Fedora Core 3. I run Fedora because that is the default Linux installed by my provider and anything else would more than double my costs. I just checked the LSB Certified Distribution List, and sure enough Fedora is not on it. I tried upgrading my system using Yum, but the versions installed with Yum were not current enough for my purposes. Every piece of source I had to download to get Bugzilla installed had to be configured with a switch pointing to a non-standard install directory.

This really surprised me, because the LSB has been around for a long time. I thought all major distributions had become compliant several releases ago. I especially expected Fedora, which many people consider the standard for Linux, to be compliant.

I have always felt that Linux is a nice operating system (for hobbyists and geeks), but there are some areas where it is seriously lacking, especially when compared to its main competitor, Microsoft Windows.

* File sharing. Windows has long been superior when it comes to making large amounts of files available to third parties. Even early versions of Windows automatically detected and made available all directories thanks to the built in NetBIOS-powered file sharing support. But Microsoft has realized that this technology is inherently limited and has added even better file sharing support to its Windows XP operating system. Universal Plug and Play will make it possible to literally access any file, from any device! I think universal file sharing support needs to be built into the Linux kernel soon.

* Intelligent agents. With innovations like Clippy, the talking paperclip and Microsoft Bob, Microsoft has always tried to make life easier for its customers. With Outlook and Outlook Express, Microsoft has built a framework for developers to create even smarter agents. Especially popular agents include "Sircam", which automatically asks the users' friends for advice on files he is working on and the "Hybris" agent, which is a self-replicating copy of a humorous take on "Snow-White and the Seven Dwarves" (the real story!). Microsoft is working on expanding this P2P technology to its web servers. This project is still in the beta stage, thus the name "Code Red". The next versions will be called "Code Yellow" and "Code Green".

* Version numbers. Linux has real naming problems. What's the difference between a 2.4.19 and a 2.2.17 kernel anyway? And what's with those odd and even numbers? Microsoft has always had clear and sophisticated naming/versioning policies. For example, Windows 95 was named Windows 95 because it was released in 1995. Windows 98 was released three years later, and so on. Windows XP brought a whole new "experience" to the user, therefore the name. I suggest that the next Linux kernel releases be called Linux 03, Linux 04, Linux 04.5 (OSR1),
Linux 04.7B (OSR2 SP4 OEM), Linux 2005 and Linux VD (Valentine's Day edition). Furthermore, remember how Microsoft named every upcoming version of Windows after some Egyptian city? Cairo, Chicago and so on. I think that the development kernels should be named after Spanish cities to celebrate Linux' Spanish origins. Linux Milano or Linux Rome anyone?

* Multi-User Support. This has always been one of Microsoft's strong sides, especially in the Windows 95/98 variants, where passwords were completely unnecessary. Microsoft has made the right decision by not bothering the user
with a distinction between "normal" and "root" users too much -- practice has shown that average users can be trusted to act responsibly and in full awareness of the potential consequences of their actions. After all, if your operating system doesn't trust you, why should you trust it? (To be fair, Linux is making some progress here with the Lindows distribution, where users are always running as root.)

With Windows XP, Microsoft has again improved multi-user support. Not only does Windows XP come with a large library of user pictures that are displayed on the login screen, such as a guitar and a flower, i

This has already been done.

In case you're curious here's some info on the redhat mailing list about it.

Note that this message is from 2003, but still not a lot has been done.

It is possible though... you can check if your system uses md5 or blowfish by looking in /etc/shadow. If the passwords start with $1$ that means it's MD5, if it says $2$ that's blowfish.

RHEL is, indeed, free.

The *only* thing you pay for is support.

Link here:
http://www.redhat.com/software/rhel/eval/

You sign up for the 'evaluation'. You get the full install, and a one month subscription.

You do not get updates after one month.

With RHEL, you aren't paying for the software, you are paying for the support. Period.

More information:
https://www.redhat.com/archives/redhat-migration-l ist/2003-November/msg00025.html

The source will always be avaliable from Redhat. Period. It's a free product.

Don't expect someone to wrap the package up for you and present it in a usable form, with free updates, though. They aren't under any license requirement, and they've already given you the full source. Don't you think its a little ungrateful to ask for more?

About the pre-built systems:

Wow. I wasn't aware of that. I just saw that on Dell's small business site. And you even save ~$75 per system, which is great. That's definitely a good thing. A caveats, however: you can't get a laptop like that. And you won't get proper hardware support (like dell's non-standard compliant ACPI implementations). Still, that's really just a small quibble.

I don't remember seeing that option before, but I guess its been awhile since I've shopped at Dell.

I have happily paraded HP's Linux laptop to people, however. Perhaps competition will reign in the future.

RHEL is, indeed, free.

The *only* thing you pay for is support.

Link here:
http://www.redhat.com/software/rhel/eval/

You sign up for the 'evaluation'. You get the full install, and a one month subscription.

You do not get updates after one month.

With RHEL, you aren't paying for the software, you are paying for the support. Period.

More information:
https://www.redhat.com/archives/redhat-migration-l ist/2003-November/msg00025.html

The source will always be avaliable from Redhat. Period. It's a free product.

Don't expect someone to wrap the package up for you and present it in a usable form, with free updates, though. They aren't under any license requirement, and they've already given you the full source. Don't you think its a little ungrateful to ask for more?

About the pre-built systems:

Wow. I wasn't aware of that. I just saw that on Dell's small business site. And you even save ~$75 per system, which is great. That's definitely a good thing. A caveats, however: you can't get a laptop like that. And you won't get proper hardware support (like dell's non-standard compliant ACPI implementations). Still, that's really just a small quibble.

I don't remember seeing that option before, but I guess its been awhile since I've shopped at Dell.

I have happily paraded HP's Linux laptop to people, however. Perhaps competition will reign in the future.

Users aren't the problem. Allowing users to run unvetted executables is a problem. Relying on users to decide what executables are acceptable is a problem with their admins and with Windows.

SELinux is the solution.

Two things are being done. First, the FBI is nailing inept perpetrators as they can. This is like trying to cure a flea infestation by pinching the fleas off your friend's back. The second, more effective thing is the replacement of Windoze. Without Windoze, there will be no botnet. If you are new here, I suggest you get one of the following to improve your computing experience and help stamp out the weakness that will destroy the net:

• Mepis, auto configures and runs live off CD. If you like it, the "install me" button does it's business in 20 minutes.
• Xandros, what's left of Correl Linux, even easier for Windoze refugees with as much of the look and feel as possible.
• Fedora, Red Hat's free software offering.
• Debian Proper, harder than the others to set up but of much higher quality and easier to maintain.

With so many choices, there will never be Windoze type problems on free software. The exploits will not carry into more than 10% of the install base at a time. Go get some and take a bite out of crime.

Yes, considering that you can download and install any(*) of those Linux distributions for free, and that both Linux and Windows (and Mac OS and BSD...) are operating systems, doing basicaly the same thing... How exactly Windows qualifies as monopolly?

It's not that anyone forces you to use it, just download/buy any of the alternatives and use it.

So if you say that MS has monopolly on Windows OS market, I'll say that Linux has monopolly on..um... market of OS'es using Linux kernel?

(* not all of the Linux distributions are "completely free", and please don't start this "free as in this vs. free vs. that" argument)

It would appear MS has again fouled up a simple concept - "Applications". Other OSes have had this concept for a while. Instead of building functionality, like a web browser, into the OS and selling it as different versions, how about making a single version and then selling "applications" that add functionality to the OS.

The article sums things up nicely: My initial reactions are reserved, because there's just not that much detail available. Pricing, for instance, would be really nice to know. Will Home Basic Edition debut below the price point of XP Home today? Place your bets. The one thing I will say is that I fear that this may cause a great deal of confusion on behalf of your average consumer. Two versions of XP were enough to cause confusion, and now Joe Blow has four choices that may fit the bill.

Why can't there be a Linux distribution that is changed to meet commercial desires?

RHEL?

Why can't there be a Linux distribution that is changed to meet home user desires?

Ubuntu?

Just an idea... if you want to go with open sources products in your company.

First, the most important is the backend storage.

- I would try using a SAN for storage, like a small Clarion for example. I would carve the storage for the mail there on a volume.
- I would create a set of export servers that would connect directly to the SAN and re-export the volumes to a set of front end servers using a combination of gndb, gfs, etc...
See this document:
- http://www.redhat.com/magazine/008jun05/features/g fs/
- configure a set of servers that would act now as the mail servers themselves (frontends). I would strongly suggest using maildir. CourrierIMAP for the pop3/imap accounts is great. Install this on all the machines. For the SMTP agent you could use courrier but I usually prefer Exim.
- run both the IMAP/POP/SMTP servers on all the servers, using maildir only.
- use a mysql database to store the users information (passwords, email addresses, etc...). You might want to configure 2 mysql servers. One as the Master slave that will receive only the writes, and the other that would be accessed for read and balanced with the first one as reads to access user information and accounts will probably be 99% of the database activities.
- use a load balancer to put in front of all the frontend servers, do a load balancing for all the services (POP3/IMAP/SMTP) with sticky session that will try to keep the same users on the same machines when they try to download their mail.

When you are running out of capacity, simply adds new frontends, put them behind the load balancers and voila...

of course I would advise going right away with powerfull 2x3.6GHZ P4 servers and like 4GB of memory. That is powerfull and can certainely serve a LOT of users already per server.

my 2c, written quickly. I apologies if not complete but I am pretty sure the general idea is there and sound.

open to comments

well here is some more reading on the subject of how systemtap is flawed http://uadmin.blogspot.com/2005/08/systemtap-vs-dt race-debate-continues.html> systemtap debate

RUNTIME issues:
how do you sudgest you solve the halting problem?
do you have a solution for errant pointers?
and many more.

compile time issues:

You should read this latest tidbit from the systemtap mailing list, basicly it says that systemtap will not understand include files, so if you want to track data in a userland or kernel based struct. So you are then forced to use premade tapsets or expose your system to the unsafe mode. If and when userland probes are created there won't be anytap sets for your apps you created your self.

from the systemtap mailing list

> [...] Shouldn't systemtap be able to handle all of the standard
> include files in /usr/include and the includes in a 2.6.x kernel so
> users can monitor the system? [...]

The debugging information associated with the kernel (and in the
future, user-land applications) contains a form of that information.
We already expose it to some extent, and will probably do so more as
we gain experience. It is unlikely for systemtap to ever have to
directly parse C files such as kernel headers.

These are just a few of the issues, that systemtap faces. currently they are using work arounds that involve using "guru mode" for stuff that should of been dealt with from day one.

There is no other tracing tool to compare with this.

Yes, there is: SystemTap by Red Hat, IBM and Intel.

I think Evince has been over-hyped. For instance, the Fedora Core 4 release notes says that Evince supports pdf, ps, "and many others". In fact pdf and ps are the only 2 formats Evince fully supports. The Fedora 4 version of Evince doesn't even display dvi files.

Perhaps in the future Evince will be the best thing ever, but I'm not sure why it's getting so much hype. At the moment it just seems to be a prettier ghostview.

First of all, some of the open source players have started patenting software for defensive purposes. See, e.g., http://www.redhat.com/legal/patent_policy.html . Do you really want to cut these players out?

Secondly, this is going to be a big barrier to adoption both of the GPL and of software under it -- what owner of a "software patent" is going to write GPL'd code or use it? Considering the number of such companies, this change will just about condemn the GPL to the trash heap.

I take your point, but it seems to depend on context. The major Linux distros, for example, seem to be seeling pretty well from my local PC store at around 30-40 pounds (I'm in the UK), which is a pretty significant fraction of the asking price for Windows XP Home.

Said distros are sold that price for price of the support and documentation that come with them (support you don't have when you buy WXP Home), and sometimes for price of paid softwares bundled in the package, not for the distro itself.

I guess it's all about convenience. Whereas things like Firefox or OpenOffice.org can usually just be downloaded from the project's web site, it's harder to find a "pre-fab" version of SUSE Linux for example.

Ah yeah, really hard, I mean you have to click on links to Novell from suse.de, really really hard walli walli walli

and everyone clearly knows that one can't find any freely downloadable distro on teh intarweb

# Cygwin is a Linux-like environment for Windows. It consists of two parts: A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality.
# A collection of tools, which provide Linux look and feel.

Cygwin delivers the open source standard Red Hat GNU gcc compiler and gdb debugger on Windows.

``They think: "this guy doesn't even know X, how can he be an MSCE?''

Well...why would one need to know X to be a MSCE?

You don't expect an RHCE to know Solitaire, either, right?

http://fedora.redhat.com/

People should have been using FBSD for wifi access points and aggregation long ago. Glad to see the corporate folks have finally figured out how linux errodes the bottom line.

The
stupider
ones
haven't
figured
it
out
yet.
You'd
better
go
tell
them!

User identities are confirmed by using an Authentication Package. All of the packages that Windows includes require the user's password or smartcard interaction. It is documented how to write a new package; it is possible to create a package that would allow an administrator to act with the authority of any user. No one has done so AFAIK, and it doesn't look too simple.

An even easier way to impersonate a user on the local system is to manufacture a token: tokens are used to identify the authority behind a process. Anyone with TCB privilege (SYSTEM by default) can directly manufacture a token using NtCreateToken that contains user and group identities of whomever you want. This only works on the local system, though.

This is another case of the underlying system being capable, but Microsoft dropping the ball at a later stage. I think the justification for not being able to impersonate other users is the same as for not being able to assign ownership of objects to other users, except to restore backups.

About processes you can't kill: see the latest Sysinternals blog entry. It's due to buggy drivers that don't cancel IRPs correctly: a process can't exit until all of its IO is canceled. As for deleting files, that's a property of the locking system. You can still rename the files, though. That's what SFU does.