ACLs on the user Profiles and Settings directory mean that all new files saved to disk by a user have the execute permission turned on.
This makes it relatively easy to ask a user to look at a file they think is a document and run a program instead (displaying file.png.exe as file.png, and letting the file pick its own icon, doesn't help either).
This should not be necessary. In the event new software needs to be installed, the user can simply click on a readable .msi file, be asked for their admin password, and (if the app's signature checks out) install their app.
Like Linux or MacOS do.
So the question: Will execute for all new files be on by default in Vista? If not, why?
I've actually already asked this question of Microsoft 3 years ago, on an area of microsoft.com that allows users to submit ideas for Windows 2003 Server. I got a response too - the Microsoft engineer (I can get his name from my laptop if necessary) responded that 'the current situation is not ideal and may contribute to data loss' from security issues.
I'm asking the question again closer to the release date of Vista because I'm interested to see whether things will have improved in those three years.
Open Gnome's Configuration Editor. In the Nautilus prefs, enable 'desktop is home dir'. Gnome's desktop becomes your home dir. This:
- Means when you scp a file to your machine, it appears on your desktop.
- Means when a shell starts, it's in your desktop.
- Encourages you to organize your home dir.
- Means you're a lot faster at particular file operations which can be done quicker with the mouse or keyboard shortcuts than with shell commands (eg, dragging a bunch of files onto a dir, deleting stuff).
> (Pet peeve: why doesn't unlink(2) move stuff to a filesystem-wide deleted area?)
libtrash makes your system do exactly this. Start it when your shell does.
> So, what do you guys think?
From the lead-in:
> not just to "hard-core group of hobbyists" or "highly professional" Linux server administrators
Oh yeah, we were all under the impression highly professional administrators use Slack. I'll be sure to read this one to know that Slack is not just limited to the massive enterprise environments where I always see it.
What are IE7, Konq, FF and other next gen web browsers doing to stop self-signed certs?
A screen full of technobabble isn't enough. A warning that the site is suspicious, as used for other dodgy sites, is better.
Did you read my post?
As I said earlier, I'm not an imperial guy.
I don't know the numbers, and wasn't sure what the parent poster was saying. If he's around 195cm and is around 80 kilos, as another poster said, that's tall. Sorry, I clearly got it wrong, I just wish he said he was tall.
For the record, apparently Australians now weigh more than Americans anyway. And yeah, both countries have obesity problems.
I'm not really an imperial kind of guy, but it sounds like you might be fat.
Ignore fashion for now. You should make your priority losing weight. Start going to the gym after work. Part of presentation is giving an appearance of self control. You'll also feel more energetic and happier.
These same problems affect different versions of MS Office too. A complex word document written in Office 97 or 2000 can look completely different in Word 2003.
Best method: judge for yourself. Go to Microsoft.com, download all their complex Powerpoint presentations from the MS Office center. See if any don't display perfectly in OpenOffice 2.
> /var - Theoretically, for VARs.
Okay, now I realize you're taking the piss. +5 funny.
Keep in mind, UNIX is not Windows. Generally speaking, you can put anything anywhere you want, as long as you change everything which cares about it. Which is usually possible!
Eugh. No. Most modern Unix-like OSs, particularly BSD and Linux, have defined File Hierarchy Standards. Sure, I'm being specific here, but your answer was specific to the situation of unmaintained, non-standardized filesystems on OSs that for the most part are slowly disappearing. Nobody cares about how things were. People care about how things are.
I don't care what SCO Unix did. Put your binaries in /etc at most places and you'll be laughed at. Hell, use the term SYSOP and you will be too, by either the rest of your team or the next admin.
Short version: modern Unix sorts files by importance, then file type.
- One root file system which must contain important executable files (mv), important sysadmin executables (fdisk), important libraries, device node files and all config files.
- Non-essential binaries (firefox) and libraries live in the /usr directory, which may be on a different filesystem.
- Variable files - stuff that changes without user intervention, like log files, mail spools, LDAP trees, web/FTP/DNS sites etc. - typically live in /var. /srv is becoming more popular tho for the served stuff.
- People's personal documents and settings are in a dir called home.
- /opt is a throwback to proprietary Unix, where the concept of optional software exists. It's empty by default, and only in the standards to please proprietary vendors who want to install the same stuff in the same place on modern Unix.
You forgot to tell him rwx settings were called modes. Hence 'chmod' seems completely arbitrary. Every modern Unix can also use symbolic modes. I suggest demonstrating
chmod u=rw,g=rw,o= file
before the legacy stuff. You should also point out that at minimum, each file needs permissions for one user, one group, and all others (file servers are likely to require multiple groups having access to the same file, i.e., use ACLs).
I don't want to decide what you shouldn't use. I want you to decide yourself what you shouldn't use.
How many environments, realistically, are isolated these days? Where every single host attached to the same switch is trusted?
Very few. Since OSs shouldn't install insecure software by default anyway, and most don't, why bother using RSH just to prove a point?
Yeah, rm, with the options last.
rm /foo -rf
works fine. Yeah, it's GNU, not Unix. But if you hit enter too early, you'll be glad.
Your /proc stuff is great; here's a handy accompaniment: ever logged onto a system and had no idea what it is? Maybe a crappy Dell Poweredge or whitebox kit, maybe a nice solid IBM/HP box? Wanted to get the system's asset tag for support reasons?
dmidecode. Part of the kernel-utils package on most Linux distros.
> strings. Good to check if executables are using /etc/hosts.allow and /etc/hosts.deny, or where pop3/imap are looking for PEM certificates to configure pop3s/imaps, etc...
Sure, but ldd-ing the binary is a better way to discover if the app supports TCP wrappers. ldd /usr/sbin/sshd, for example, mentions libwrap.so
But really, whether an app uses TCP Wrappers or where it looks for SSL certificates should be documented plainly. I think /etc/pki may also be an upcoming FHS standard for certificates too.
strings is still handy tho - to find out what a binary from a rootkit does, without running it.
Nice post, but...
> * [rs]sh - enables me to go places w/o passwords, copy files, and remotely execute commands. I can't live without it
rsh has lots of known security vulnerabilities and should not be used at all.
> * telnet - no, I never telnet to login to a machine, but I do it to test if a port is open, what's listening there, etc. very handy.
You should use nc for this. Telnet will fail with lots of data, only does TCP, and can't listen on ports. nc handles lots of data, can do TCP or UDP, and can listen as well as send.
> * Honorable mention - /bin/sh Only because it is always there by definition on UNIX systems, and a good shell programming language. tcsh, csh, and zsh are not as good as /bin/sh, and it's always available, but a little boring to write about.
True, but also, if the only Unix-like OSs you use are Linux, /bin/bash is there by definition. Functions, arrays, and other useful stuff.
In the SimCity games there wasn't a world to explore. Just one to build, with a very limited set of structures. It's a different kind of realism.
Does Oregon feel invisibly sandwiched between Washington and Silicon Valley in Northern California, as not being on the forefront of the non-stop tech revolutions coming from the northwest USA?
Yeah, I bet they totally feel that way. The poor Oregonians have to spend all day looking at cute semi-naked gothic girls, listening to indie pop music, and buying Diesel Sweeties T shirts. I'm sure they really miss your non-stop tech revolution.
* I haven't actually been to the US. But when I will, Portland Oregon will be the first place I want to visit.
Pretty sure the Open Source Initiative already exists, guys. Could somebody with a passing knowledge of this site's audience please edit submissions?
Because the people interested in deployment systems typically use either Red Hat or Suse.
Debian's popular at ISPs and Unis. Not corporates.
I got Flock. I made a delicious account as it said to. I set up that account in Flock.
Now I have no idea how to make Flock show me the tags delicious users are putting on pages.
None of the getting started with Flock pages help me. I don't seem to be made aware anywhere that any major website has tags I can see.
Giving me quick access to something like a blog or Flickr isn't "innovative". A bookmark/favorite does the same thing with less overhead.
No, it doesn't. I haven't made up my mind on Flock yet, but at least I'm using it before making an opinion. You, clearly, are not, and haven't tried to.
This isn't a complaint about NAC, I actually like the idea.
But I bet the way it integrates with the OS is a bit of a kludge (I haven't played with it, just guessing). Most network OSs have methods to integrate with host based auth systems - kerberos, LDAP or some such. Adding a secondary auth to the switch (which from what I hear of these technologies, they do) seems a bit hacky.
It'd be great if the switch only let the client send auth packets to the kerberos / LDAP server, only enabling them to do anything else once the auth server has approved their login. Maybe a kerberised router that's actually a host that clients need a service ticket to route to anything else, and the KDC automatically sends a service ticket along with the Ticket Granting Ticket.
Just an idea. Would love to talk to somebody that's played with this stuff and get your ideas.
I read the link you pointed to (though what on earth the Pretty Printing is, and why a text document shouldn't be viewable in a text editor, is beyond me). But the link to actually use MS Office doesn't work. Could you create a document and send me a link to it so I can see for myself?
As the link you pointed to reveals, the XML in Office 2003 is weak, and while the schema is available, the data within is apparently not completely documented. It's understandable that people would expect similar things to occur in future.
So the parent poster's point stands. The XML gives you the content, the styles are locked away with a binary key you need Microsoft products to read.
Does anyone not consider a document's visual presentation part of the document?
Isn't a valid answer to any of these problems 'there is no solution'? And then perhaps proving this?
It's actually a pretty good exercise in lateral thinking.