Re: NO CORBA !!! what were they thinking (on "KDE 2.0 in Action", Score: 3)
KDE 2 does use Corba, but it does not do so for local procedure calls and local inter-application communication. The KDE 2 team had a version of KDE 2 which was using Corba for everything and it was dog slow. They decided to build an alternate version which did not use Corba, but used shared objects and direct procedure calls instead and they found that it was more stable and much, much faster.
So in KDE 2 you can still use Corba if you want to, but KDE 2 does not do this by default and you do not have to, either, if you want speed.
Corba is an IPC protocol, which means that for each procedure call there is a message being sent. Doing this involves a lot of syscalls and context switches, which basically makes things slow. The method KDE 2 uses now makes foreign code local to your applications and you can do local subroutine calls - talk about saved overhead and speed increase.
I registered my family name as a domain name in Germany: www.koehntopp.de. To protect me from lawsuits, and to offer other people of the same name an opportunity to have their family name as a domain name, I offer free links to homepages and mail aliases for that domain, if they live in Germany and go by the proper family name.
Some other people I know are doing just the same, even linking companies of that name. Avoids confusion and creates fair access to the name.
Linux is about to have THREE journalling file systems.
The team around Hans Reiser is currently beta testing their ReiserFS, a tree based filesystem which now also does logging. Beta test versions are available and perform nicely on uniprocessor machines. I had some problems when I went SMP, though.
The ext2 development team is currently working on code for "ext3", an ext2 extension which among other things does logging. I do not know the exact state of their project, but they seem to be closely behind Reiser judging from their comments on the ReiserFS mailing list.
The SGI XFS team is porting their commercial quality XFS filesystem to Linux. The process requires major adaptions to XFS and Linux, and XFS seems to contain some code which is intellectual property SGI does not own and can therefore not GPL, but these problems are currently being fixed.
There is a very healthy and friendly competition between these teams and I think we may be able to see some very interesting releases to the common kernel source in the very near future.
Capabilities are already part of the 2.2 kernel. The 2.2 kernel no longer checks for privilege by calling fsuser(), which checked for an fsuid of zero, but has code like the following (taken from fs/ext2/acl.c as an example):
    /*
     * Access is always granted for root. We now check last,
     * though, for BSD process accounting correctness
     */
    if (((mode & mask & S_IRWXO) == mask) || capable(CAP_DAC_OVERRIDE))
        return 0;
What is missing is a mechanism to make the capabilities workable from the outside, that is, to store the required capabilities in a binary program. Unlike the old fsuser() approach, where we needed just a single "SUID" bit, we now have to store and maintain a bitmask of capabilities with a program. There have been different approaches to this problem (for example, storing capabilities in an ELF section), but the kernel developers have not yet settled on this.
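The check quoted above, worked through in user space as an added illustration (not kernel code and not part of the comment): the usual owner/group/other triplet selection that precedes the quoted line, and a capability flag that takes the place of the old fsuid == 0 test. The proc_model and inode_model structs are constructed stand-ins for the kernel's current->fsuid, in_group_p() and capable().

```c
#include <stdbool.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed stand-ins for the kernel state the quoted check reads:
 * current->fsuid, the supplementary group list behind in_group_p(), and
 * the effective capability set behind capable(). Not kernel code. */
struct proc_model {
    unsigned int fsuid;
    unsigned int gids[8];
    int ngids;
    bool cap_dac_override;     /* capable(CAP_DAC_OVERRIDE) would return true */
};

struct inode_model {
    mode_t mode;               /* permission bits: S_IRWXU | S_IRWXG | S_IRWXO */
    unsigned int uid;
    unsigned int gid;
};

static bool in_group_p(const struct proc_model *p, unsigned int gid)
{
    for (int i = 0; i < p->ngids; i++)
        if (p->gids[i] == gid)
            return true;
    return false;
}

/* mask is a combination of S_IROTH, S_IWOTH and S_IXOTH (the "other"
 * triplet), which is how the kernel expresses read/write/exec requests.
 * Returns 0 when access is granted and -13 (-EACCES) otherwise. */
int model_permission(const struct proc_model *p,
                     const struct inode_model *ino, int mask)
{
    unsigned short mode = ino->mode;

    /* Select the triplet that applies to this process. */
    if (p->fsuid == ino->uid)
        mode >>= 6;
    else if (in_group_p(p, ino->gid))
        mode >>= 3;

    /* The quoted ext2 check: the DAC bits decide first, the capability is
     * consulted last. A process running with fsuid 0 but without
     * CAP_DAC_OVERRIDE in its set falls through to the DAC bits like any
     * other user, which is the point of the change away from fsuser(). */
    if (((mode & mask & S_IRWXO) == mask) || p->cap_dac_override)
        return 0;
    return -13;
}
```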
The following is a drop-in replacement for the suexec.c that comes with Apache. It is a bit less tight about permissions (I want to be able to execute code under different UIDs), but executes the CGI within a chrooted environment (so that the UIDs cannot cause harm). Please have a look at the code and tell me what you think about it.
/*
 * suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
 *
 ***********************************************************************
 *
 * NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
 * editing this code might open up your system in unexpected
 * ways to would-be crackers. Every precaution has been taken
 * to make this code as safe as possible; alter it at your own
 * risk.
 *
 ***********************************************************************
 *
 */
#include "ap_config.h"
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>

#include <stdarg.h>

#include "suexec.h"
#undef LOG_EXEC

/*
 ***********************************************************************
 * There is no initgroups() in QNX, so I believe this is safe:-)
 * Use cc -osuexec -3 -O -mf -DQNX suexec.c to compile.
 *
 * May 17, 1997.
 * Igor N. Kovalenko -- infoh@mail.wplus.net
 ***********************************************************************
 */
#if defined(NEED_INITGROUPS)
int initgroups(const char *name, gid_t basegid)
{
    /* QNX and MPE do not appear to support supplementary groups. */
    return 0;
}
#endif

/* [The listing as posted skips from here to the end of main(): the
 *  definitions, clean_env() and the argument and ownership checks at the
 *  start of main() are not shown.] */

    /*
     * Log the transaction here to be sure we have an open log
     * before we setuid().
     */
    log_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
            target_uname, actual_uname, target_gname, actual_gname, cmd);

    /*
     * Error out if attempt is made to execute as root or as
     * a UID less than UID_MIN.  Tsk tsk.
     */
    if ((uid == 0) || (uid < UID_MIN)) {
        log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
        exit(107);
    }

    /*
     * Error out if attempt is made to execute as root group
     * or as a GID less than GID_MIN.  Tsk tsk.
     */
    if ((gid == 0) || (gid < GID_MIN)) {
        log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
        exit(108);
    }

    /*
     * Change UID/GID here so that the following tests work over NFS.
     *
     * Initialize the group access list for the target user,
     * and setgid() to the target group. If unsuccessful, error out.
     */
    if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
        log_err("failed to setgid (%ld: %s)\n", gid, cmd);
        exit(109);
    }

    /* now we chroot */
    if (chdir(newroot) != 0) {
        log_err("cannot chdir to newroot directory %s\n", newroot);
        exit(112);
    }
    if (chroot(newroot) != 0) {
        log_err("failed to chroot to %s\n", newroot);
        exit(113);
    }

    /* only a length comparison: cwd is assumed to start with newroot */
    if (strlen(cwd) < strlen(newroot)) {
        fprintf(stderr, "chroot not below docroot cwd=%s [%d] newroot=%s [%d] \n!",
                cwd, (int) strlen(cwd), newroot, (int) strlen(newroot));
        exit(114);
    }

    /* the remainder of cwd after newroot is the path relative to the new "/" */
    if (chdir(cwd + strlen(newroot)) != 0) {
        log_err("warning: cannot chdir after chroot %s | %s \n", cwd, newroot);
    }

    /*
     * setuid() to the target user.  Error out on fail.
     */
    if ((setuid(uid)) != 0) {
        log_err("failed to setuid (%ld: %s)\n", uid, cmd);
        exit(110);
    }

    /* strip the chroot prefix from path variables in the environment */
    clean_env(cwd, strlen(newroot));

    /*
     * Be sure to close the log file so the CGI can't
     * mess with it.  If the exec fails, it will be reopened
     * automatically when log_err is called.  Note that the log
     * might not actually be open if LOG_EXEC isn't defined.
     * However, the "log" cell isn't ifdef'd so let's be defensive
     * and assume someone might have done something with it
     * outside an ifdef'd LOG_EXEC block.
     */
    if (log != NULL) {
        fclose(log);
        log = NULL;
    }

    /*
     * Execute the command, replacing our image with its own.
     */
#ifdef NEED_HASHBANG_EMUL
    /* We need the #! emulation when we want to execute scripts */
    {
        extern char **environ;

        /* [the exec calls were dropped from the listing; shown here as in
         *  the stock Apache 1.3 suexec.c] */
        ap_execve(cmd, &argv[3], environ);
    }
#else /*NEED_HASHBANG_EMUL*/
    execv(cmd, &argv[3]);
#endif /*NEED_HASHBANG_EMUL*/

    /*
     * (I can't help myself...sorry.)
     *
     * Uh oh.  Still here.  Where's the kaboom?  There was supposed to be an
     * EARTH-shattering kaboom!
     *
     * Oh well, log the failure and error out.
     */
    log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
    exit(255);
}
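A hardened version of the three checks the wrapper above relies on, added here as an example and not taken from the posted suexec.c: the uid/gid floor, a real prefix test for "cwd is below newroot" (the posted code only compares lengths, so any longer path passes), and a privilege drop that verifies setuid(0) no longer works before the CGI is exec'd. JAIL_UID_MIN and JAIL_GID_MIN are assumed stand-ins for UID_MIN and GID_MIN from suexec.h; enter_jail() needs root and is not exercised by the tests.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical floors, standing in for UID_MIN / GID_MIN from suexec.h. */
#define JAIL_UID_MIN 100
#define JAIL_GID_MIN 100

/* Same policy as the wrapper: never root, never a system account. */
int target_ids_allowed(uid_t uid, gid_t gid)
{
    if (uid == 0 || uid < JAIL_UID_MIN)
        return 0;
    if (gid == 0 || gid < JAIL_GID_MIN)
        return 0;
    return 1;
}

/* Work out the directory to chdir() to once chroot(newroot) is in effect.
 * The posted code only tests strlen(cwd) < strlen(newroot); here cwd must
 * really start with newroot at a path-component boundary, so newroot
 * "/home/web" does not accept cwd "/home/webmail", and cwd == newroot
 * yields "." instead of the empty string. Returns 0 and fills rel on
 * success, -1 otherwise. Both paths are expected to be absolute and
 * canonical, as getcwd() returns them. */
int path_inside_root(const char *cwd, const char *newroot,
                     char *rel, size_t relsz)
{
    size_t n = strlen(newroot);
    const char *tail;

    while (n > 1 && newroot[n - 1] == '/')      /* ignore trailing slashes */
        n--;
    if (newroot[0] != '/' || cwd[0] != '/')
        return -1;
    if (n == 1)                                 /* newroot is "/" itself */
        n = 0;
    if (strncmp(cwd, newroot, n) != 0)
        return -1;
    if (cwd[n] != '\0' && cwd[n] != '/')        /* prefix ends mid-component */
        return -1;

    tail = cwd + n;
    while (*tail == '/')
        tail++;
    if (*tail == '\0')
        tail = ".";
    if ((size_t) snprintf(rel, relsz, "%s", tail) >= relsz)
        return -1;                              /* would be truncated */
    return 0;
}

/* Enter the jail and drop privileges in the wrapper's order: chdir/chroot
 * while still root, then groups, gid and uid, then prove the drop stuck.
 * Must be called as root; returns 0 on success, -1 with errno set. */
int enter_jail(const char *newroot, const char *cwd, const char *uname,
               uid_t uid, gid_t gid)
{
    char rel[4096];

    if (!target_ids_allowed(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    if (path_inside_root(cwd, newroot, rel, sizeof rel) != 0) {
        errno = EINVAL;
        return -1;
    }
    if (chdir(newroot) != 0 || chroot(newroot) != 0)
        return -1;
    if (chdir(rel) != 0)                /* rel is now relative to the new "/" */
        return -1;
    if (initgroups(uname, gid) != 0 || setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* A saved uid of 0 left behind would let setuid(0) succeed again;
     * treat that, or any id not matching the target, as a failed drop. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid
        || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```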
... to shut down vital parts of the computer infrastructure of a country. As we have seen, a backhoe is enough. Or a faulty software upgrade in a power grid or phone control point.
Also, what crackers (and cyberterrorists, if they actually exist) do is utilizing remotely exploitable bugs in current software. That is, they use tools and techniques which are roughly identical with normal debugging techniques, but apply them a bit more creatively. The creative application may have spectacular effects, but that does not change the fact that the basic techniques used are actually routine debugging techniques.
The bottom line is: As long as current production software is as bad and immature as it is, there is no cyberterrorism. Just applied stupidity.
Your ability to break into a computer using flaws in the original programs running on these machines equals your ability to find bugs in your own programs. Cracking (as opposed to being a mere script kiddie) is just finding bugs in other people's programs without their consent and their knowledge. Cracking is just debugging in a very scarce and hostile development environment.
... that your IP is easily found out if you're participating in IRC and that has been so for ages. Also, you all know of course, that your IP shows up in web logs, and has been from the very beginning of the web.
You all know as well that you need to use some kind of cryptographically hard anonymizing service for better protection.
A display the size and thickness of a Sony Vaio cover, running on battery for about 5 hours straight, with a pen interface like the pilot, and an infrared or shortrange radio connect to a base station, providing a resolution of 150 dpi or better.
If I had such a thing, I would never grep paper again. ht://dig rules. This would be just so Star Trek!
While I consider myself to be not the stupidest of all persons, I still know many people who I consider vastly better than me in terms of performance and efficiency. Most of these people have one trait in common and that is the ability to focus, and to cut through hype. That is, they are not distracted by superfluous communication. Usually, they are able to grasp the essence of what they need to know to perform from the information tidal wave that drowns all others.
So the secret seems to be NOT to communicate and to participate in the global chatter, unless you are forced to.
Sascha has already addressed most of your issues with PHP3. I might add that session management is built into PHP4 and is available as an add-on in PHP3. See PHPLIB for more information. PHPLIB also provides a quite powerful and easy to use database abstraction.
Here is how you speak to any database, using the PHPLIB database abstraction:
    $db = new DB_Example;
    $db->query("select * from mytable");
    while ($db->next_record()) {
        print $db->f("fieldname");
    }
The DB_Example class is a subclass of DB_Sql provided by PHPLIB and knows the connection parameters (host, username, password, database) as well as the specific details of your DB server (such as vendor, protocol and the like).
$somevar will now be present on all session pages that use Example_Session. We propagate sessions using cookies, automatically and transparently falling back to other means if the user does not support sessions. In PHP4, session support is built in and available without PHPLIB. You will be able to use PHPLIB with PHP4, too, taking advantage of the built-in support.
Ah, I forgot to mention: WDDX is supported on PHP, too. You can exchange data in WDDX format between PHP and CF without problems. PHP also makes good use of the expat XML parser that comes with your Apache or is available separately, enabling you to decode and perform XML RPC.
I have never used CF in a project, but have evaluated it before committing ourselves to PHP.
We are currently using Solaris as a server platform, with Apache or phttpd as a webserver and we are using Oracle and MySQL as databases. We are running PHP as scripting engine, as a CGI version and as an Apache module in some instances.
You seem to come from a mostly Microsoft background, which is not where PHP is at home. PHP3 does not run as an IIS module, as far as I know, but only as a CGI version. This will make it perform much worse than for example CF or ASP on IIS, due to the abysmal performance of the NT platform and IIS as a CGI host - NT just doesn't fork. PHP4 will be running as an IIS module, but is in beta now and I would not build any production code on it - yet. As soon as PHP4 proves to be stable under load, it should outperform PHP3 by a factor of 5-10, though, plus the speed gain coming from being able to use it as a module on IIS.
On a Unix system (Linux, Solaris, doesn't matter) with Apache, PHP3 performs excellently as a module and can take any reasonable amount of load, provided you have enough RAM. We already know this from the Mindcraft benchmark - Apache must not swap and you must tune your MaxClients to match your RAM size to avoid performance degradation under high load. Many sites are parsing all pages, including their regular HTML, through PHP3 for convenience and the performance overhead is negligible - if Apache can take it, Apache and mod_php can usually take it as well.
PHP excels in portability, support and in connectivity when benchmarked against CF. PHP will run on any old server platform and will talk to almost anything, and natively, where CF will most probably talk through an ODBC adapter. PHP includes some 10+ native database interfaces, including all major database vendors, and does LDAP, SNMP, SMTP, NNTP, IMAP4, POP3, some OODB and fulltext database protocols, can generate pictures on the fly, can generate PDF on the fly and so on. Writing extensions for PHP is trivial, if you can do reasonable PHP programming.
One point must not be left out of the equation when talking about PHP, and that is the online support. There are many large PHP mailing lists, including THE PHP3 mailing list, which are extremely friendly and efficient and usually generate correct and useful answers within 15 minutes. Also, the annotated online manual is a unique resource for help, because it is learning and growing, incorporating user annotations. I have nowhere experienced anything that comes close to this kind of support, commercial or not.
My recommendation: PHP on IIS on Windows works, but will most likely not perform as expected. It is nice for testing, but I won't go productive in this configuration. PHP on Apache on Windows works better, but will still not use PHP to its fullest advantage. Also, you will make installation and maintenance unnecessarily difficult for you. PHP on Apache on any Unix will perform extremely satisfactorily, generate only minimal TCO, and is supported excellently. If you have at least minimal Unix knowhow inhouse, I suggest that you go for the full plunge in a test installation instead of an incremental migratory approach, because this way you will maximize the advantages of PHP and your server platform.
Re the migration from version 3 to version 4: PHP4 and PHP3 are drop-in compatible. There is no need to "port" from 3 to 4, because both languages are virtually identical. The differences are extremely minimal and well documented, also the development team is working on closing these final gaps between versions. Changes between version 3 and 4 are completely internal, switching from a fully interpreted system to a byte-code compiler/interpreter hybrid for speed reasons. Also, some language features have been added in an upward compatible and transparent way. We have tested the beta and found it to be living up to its promises in speed _and_ compatibility. Waiting for PHP4 won't pay: You can use PHP3 to learn just now and all this knowledge as well as your code will be valid and valuable on PHP4.
If you'll be using the CGI version of PHP3, please be sure that you
set up a chroot() running environment for your CGI (phttpd does this by default, Apache does this with a modified suexec - ask me if you need it).
compile a version of PHP with --enable-force-cgi-redirect or you'll be opening a great security hole.
If you have any further questions, please subscribe to the php3@lists.php.net mailing list or have a look at the PHP Knowledge base. These are great resources.
One thing you should keep in mind when talking about Corel: In the Open Source Development model, there is no such thing as a Beta version.
Release early, release often, integrate feedback. You may mark a version as stable, but to take full advantage of the Open Source development model, you must keep your code available at all stages of the development process. Only this will ensure that many eyes go over the code and kill all those nasty, numerous and shallow bugs.
Corel fails to understand this, and that is why they are failing not only PR wise. They do not get the model. I'd say, toast them, even if it is just as a deterrent for others.
The background of how you first became interested in Slashdot.
Any interesting anecdotes from your time in Slashdot
An explanation of what being in the Slashdot community means to you and friendships that you have formed here.
How your life on Slashdot contrasts with your normal life.
I think these questions show a great misconception on what /. is and how it works. I do not read /. to find friends or to experience anecdotes worth remembering. I am reading /. for the news and for the perspective it puts these news into.
I am reading /. on threshold 2, occasionally switching to 3 if the thread is very large and to -1 if I'm on duty. Reading /. this way, I do read the original article and the top comments about these articles. They are usually well worth it, as is the news selection I find on /.
The remarkable thing about /. is that it still works. /. has now - how many? 80000? subscribers and experiences thousands of comments each day. Still Rob and gang have managed to build a system that still works, most of the time. Remarkably, it works mostly anonymously, that is, I'm reading /. not scanning for names as I am reading newsgroups, but I select articles using a score that is not tied to a person but to an individually judged article.
/. has gone through a transition from a student's home project with a few dozen, later hundreds of participants to something with a worldwide impact, playing somewhere in the same league as the big portals. Rob and gang have not only managed to keep it alive through this growth, which is an astonishing fact in itself, but they also managed to preserve much of its spirit. Of course it can not be just the same it was in the early days (I have a user id of 824, but I was with /. before there was registration), but it is still good and it is far better than USENET. /. is an amplifier of targeted and well founded opinion and commentary - that's where the value is, at least for me.
So I am still reading /., but not for people, or because of friendships, but because of its news and because it matters.
I do not think that this is the correct category for such stuff. The following message came around yesterday evening on the PHP-Slashdot Developers mailing list:
From: ...
Date: 13.09.1999 01:46
Subject: [PHPSLASH] The big blow
To: "PHPSlash"
Well, we are under mandatory evacuation orders here in Hollywood, Fl. where I live. There is a major storm about to stomp us. They are not sure if it is going to come ashore here, or somewhere north of us, but as it's less than 400 miles away now and is over 400 miles wide, that puts the leading edge less than 200 miles away. Tropical storm force winds (35+ MPH) are due in a matter of hours, gale force (about 60+ mph) by 10 AM. The storm is expected to last all day tomorrow and most of Wednesday. What fun. Currently it is a category five storm that is described as capable of doing catastrophic damage. Love that word, catastrophic. Everything three and above is considered deadly.
As most of you possibly know, I live on a sailboat about 500 feet from the Atlantic Ocean. If my home (boat) is destroyed, or S. Fl. loses power/telephone/water, then god only knows when I will be back online, might even take weeks/months. If everything survives all right, I'll be back online Wednesday night or Thursday morning.
The good news is that the storm center is thinking the hurricane force winds (155+ mph in this case) will miss us. By about 10 miles. Nothing like cutting it close.
Currently, I am ignoring the evacuation orders, as nothing much will actually happen for another 10 hours or so, but after that...
So, wish me luck and if you are so inclined, say a prayer....
get the MaxServers right so that your machine does not swap.
disable hostname lookups.
create static pages, if at all possible, for example with a script running cron.
do not use CGI for dynamic content, but use an Apache module instead. mod_perl and mod_php are fine.
get on a fast line. If your line cannot handle the load, your server speed is irrelevant.
If the load gets even higher, split your server. Get your images from another machine, possibly with a special web server optimized for static data ("phttpd"). If you are using an SQL backend, put the database on a dedicated machine.
And always remember: In servers, memory is more important than I/O. I/O is more important than CPU.
© Copyright 1999 Kristian Köhntopp
Janet Reno already wrote to the German government. You can find the letter on the Heise/Telepolis website. They have a commentary article as well as the original letter. Telepolis' writer Christiane Schulzki-Haddouti covers the whole Echelon and ENFOPOL (English URL) thingy in a special Telepolis section. If you do not read German, this woman is a single, very good reason to do so.
This summer there has been the conference Wizards of OS in Berlin. One day before that conference there has been an expert hearing of the German Ministry of Commerce (BMWi) about Open Source. The meeting has been initiated by Ulrich Sandl (BMWi), who was unable to attend in person due to an accident.
They managed to get into contact with German developers of the KDE Team, the Apache Team, the Linux Kernel, the Mutt mailer, the GPG and OpenPGP projects and other key Open Source projects. Also attending were CEOs or key people from companies which were actually earning money with Open Source based business models. After that meeting, there has been a fruitful discussion between multiple supporters of the Open Source Scene in Germany and the BMWi.
The BMWi was particularly interested in ideas on how to create a supporting infrastructure for Open Source development without destroying the current structures and without creating a culture shock or the impression of a governmental takeover of Open Source development. They also learned for the first time about the dangers of Software Patents and were quite shocked to learn that Software Patents were seen as an obstacle, and not as a good thing, by the Open Source development scene.
The donation to the GPG project is the first in a number of actions in a governmental plan which are the direct or indirect result of this meeting. Expect further investment and support for Open Source projects from the German Government as well as the donation of resources and services where needed.
Guessing passwords to enter a password protected area is not illegally breaking into a computer system and stealing private data? Tell that to Randal Schwartz, "just another Perl hacker and convicted felon".
Rahul.net on Randal, Friends of Randal Schwartz, Randal's Homepage, Tim O'Reilly on the prosecution of Randal.
I'd say, sue CMU and see what comes from it.
Book Description
When the English government mandates genetic testing for predisposition to violence in the early 21st century, it also creates an elaborate computer network to store the results. But when a computer expert with just such a violent predisposition breaks into the carefully-guarded data, he decides to protect the rest of society by killing off others on the list.
Enter Inspector "Jake" Jakowicz, a tough, smart cop who must use all her powers of intuition to track the sociopath who wants to draw her into a chilling dialogue about the nature of life itself. --This text refers to an out of print or unavailable edition of this title.
Synopsis
London 2013: a world in which serial murder has reached epidemic proportions. Tested positively by the government as one disposed to criminal violence, a computer expert breaks into the computer to erase his name, where he discovers a list of others so accused and hits on a horrifying idea: what if he were to become a killer of potential serial killers?
Summarizing Tim in a single sentence: Chase the dream, not the competition.
Please go to the Linux Memory Management subsystem main page and search for the words "large file". You will find a patch that you may want to try out.
I have, yet this is currently experimental. Also it is small enough to be distributed as a single piece, enabling you to read it without tools.
Something like this would have been able to contain the ZDnet script in a tight environment, probably making the exploit much harder.
The following is a drop-in replacement for the suexec.c that comes with Apache. It is a bit less tight about permissions (I want to be able to execute code under different UIDs), but executes the CGI within a chrooted environment (so that the UIDs cannot cause harm). Please have a look at the code and tell me what you think about it.
#if defined(PATH_MAX)
#define AP_MAXPATH PATH_MAX
#elif defined(MAXPATHLEN)
#define AP_MAXPATH MAXPATHLEN
#else
#define AP_MAXPATH 8192
#endif

#define AP_ENVBUF 256

extern char **environ;
static FILE *log = NULL;

/* environment variables the CGI is allowed to inherit; everything else is dropped */
char *safe_env_lst[] =
{
    "AUTH_TYPE",
    "CONTENT_LENGTH",
    "CONTENT_TYPE",
    "DATE_GMT",
    "DATE_LOCAL",
    "DOCUMENT_NAME",
    "DOCUMENT_PATH_INFO",
    "DOCUMENT_ROOT",
    "DOCUMENT_URI",
    "FILEPATH_INFO",
    "GATEWAY_INTERFACE",
    "LAST_MODIFIED",
    "PATH_INFO",
    "PATH_TRANSLATED",
    "QUERY_STRING",
    "QUERY_STRING_UNESCAPED",
    "REMOTE_ADDR",
    "REMOTE_HOST",
    "REMOTE_IDENT",
    "REMOTE_PORT",
    "REMOTE_USER",
    "REDIRECT_QUERY_STRING",
    "REDIRECT_STATUS",
    "REDIRECT_URL",
    "REQUEST_METHOD",
    "REQUEST_URI",
    "SCRIPT_FILENAME",
    "SCRIPT_NAME",
    "SCRIPT_URI",
    "SCRIPT_URL",
    "SERVER_ADMIN",
    "SERVER_NAME",
    "SERVER_ADDR",
    "SERVER_PORT",
    "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
    "UNIQUE_ID",
    "USER_NAME",
    "TZ",
    NULL
};

static void err_output(const char *fmt, va_list ap)
{
#ifdef LOG_EXEC
    time_t timevar;
    struct tm *lt;

    if (!log) {
        if ((log = fopen(LOG_EXEC, "a")) == NULL) {
            fprintf(stderr, "failed to open log file\n");
            perror("fopen");
            exit(1);
        }
    }

    time(&timevar);
    lt = localtime(&timevar);

    fprintf(log, "[%d-%.2d-%.2d %.2d:%.2d:%.2d]: ",
            lt->tm_year + 1900, lt->tm_mon + 1, lt->tm_mday,
            lt->tm_hour, lt->tm_min, lt->tm_sec);

    vfprintf(log, fmt, ap);

    fflush(log);
#endif /* LOG_EXEC */
    return;
}

static void log_err(const char *fmt,...)
{
#ifdef LOG_EXEC
    va_list ap;

    va_start(ap, fmt);
    err_output(fmt, ap);
    va_end(ap);
#endif /* LOG_EXEC */
    return;
}

/* cwd and len (the length of the chroot prefix) are passed in so that path
 * variables can be rewritten relative to the new root */
static void clean_env(char *cwd, int len)
{
    char pathbuf[512];
    char stripbuf[1024];
    char **cleanenv;
    char **ep;
    int cidx = 0;
    int idx;

    if ((cleanenv = (char **) calloc(AP_ENVBUF, sizeof(char *))) == NULL) {
        log_err("failed to malloc memory for environment\n");
        exit(120);
    }

    sprintf(pathbuf, "PATH=%s", SAFE_PATH);
    cleanenv[cidx] = strdup(pathbuf);
    cidx++;

    for (ep = environ; *ep && cidx < AP_ENVBUF - 1; ep++) {
        /* [The loop body, the rest of clean_env() and the beginning of
         *  main() are missing from the listing as posted. It resumes in
         *  main() after the user's home directory (pw->pw_dir) has been
         *  placed in newroot; a "/." component in the home directory path
         *  marks where the chroot root ends.] */
    }
}

    p = strstr(newroot, "/.");
    if (newroot[0] != '/' || p == NULL) {
        log_err("$home (%s) has no /. for uid= %ld\n", pw->pw_dir, uid);
        exit(102);
    }
    *p = 0x00;

    if (getcwd(cwd, AP_MAXPATH) == NULL) {
        log_err("cannot get current working directory\n");
        exit(111);
    }

    uid = pw->pw_uid;
    gid = pw->pw_gid;
    actual_uname = strdup(pw->pw_name);
target_homedir = strdup(pw->pw_dir);
* Log the transaction here to be sure we have an open log
* before we setuid().
*/
log_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
target_uname, actual_uname,
target_gname, actual_gname,
cmd);
* Error out if attempt is made to execute as root or as
* a UID less than UID_MIN. Tsk tsk.
*/
if ((uid == 0) || (uid UID_MIN)) {
log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
exit(107);
}
* Error out if attempt is made to execute as root group
* or as a GID less than GID_MIN. Tsk tsk.
*/
if ((gid == 0) || (gid GID_MIN)) {
log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
exit(108);
}
* Change UID/GID here so that the following tests work over NFS.
*
* Initialize the group access list for the target user,
* and setgid() to the target group. If unsuccessful, error out.
*/
if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
log_err("failed to setgid (%ld: %s)\n", gid, cmd);
exit(109);
}
/* now we chroot */
if ( chdir(newroot)!=0 ) {
log_err("cannot chdir to newroot directory %s\n",newroot);
exit(112);
}
if ( chroot(newroot) != 0 ) {
log_err("failed to chroot to %s\n",newroot);
exit(113);
}
if ( strlen(cwd) strlen(newroot) ) {
fprintf(stderr,"chroot not below docroot cwd=%s [%d] newroot=%s [%d] \n!",cwd,strlen(cwd),newroot,strlen(newroot));
exit(114);
}
if ( chdir(cwd+strlen(newroot)) != 0 ) {
log_err("warning: cannot chdir after chroot %s | %s \n",cwd,newroot);
}
* setuid() to the target user. Error out on fail.
*/
if ((setuid(uid)) != 0) {
log_err("failed to setuid (%ld: %s)\n", uid, cmd);
exit(110);
}
clean_env(cwd,strlen(newroot));
* Be sure to close the log file so the CGI can't
* mess with it. If the exec fails, it will be reopened
* automatically when log_err is called. Note that the log
* might not actually be open if LOG_EXEC isn't defined.
* However, the "log" cell isn't ifdef'd so let's be defensive
* and assume someone might have done something with it
* outside an ifdef'd LOG_EXEC block.
*/
if (log != NULL) {
fclose(log);
log = NULL;
}
* Execute the command, replacing our image with its own.
*/
#ifdef NEED_HASHBANG_EMUL
{
extern char **environ;
ap_execve(cmd, &argv[3], environ);
}
#else
execv(cmd, &argv[3]);
#endif
* (I can't help myself...sorry.)
*
* Uh oh. Still here. Where's the kaboom? There was supposed to be an
* EARTH-shattering kaboom!
*
* Oh well, log the failure and error out.
*/
log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
exit(255);
}
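As an added example (my own code, not from the post above and not from Apache's suexec.c), here are two of the checks such a chroot wrapper relies on, written as plain functions so they can be exercised without root: an environment allowlist that matches the whole variable name up to the "=" rather than a prefix, and the computation of the working directory to chdir() into after chroot(), which verifies that cwd really lies at or below newroot instead of only comparing string lengths as the posted code does. The function names and the shortened allowlist are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allowlist of CGI variable names a script may inherit. Constructed for
 * this example; the real safe_env_lst[] above is longer. */
static const char *allowed_env[] = {
    "PATH_INFO", "QUERY_STRING", "REMOTE_ADDR", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", NULL
};

/* Does `var` ("NAME=value") name an allowed variable? The whole name is
 * compared, so "REMOTE_ADDRX=1" is rejected even though it starts with an
 * allowlisted name. HTTP_* request headers pass through as in suexec. */
int env_entry_allowed(const char *var)
{
    const char *eq = strchr(var, '=');
    size_t namelen = eq ? (size_t)(eq - var) : strlen(var);

    if (namelen >= 5 && strncmp(var, "HTTP_", 5) == 0)
        return 1;
    for (int i = 0; allowed_env[i]; i++) {
        if (strlen(allowed_env[i]) == namelen &&
            strncmp(var, allowed_env[i], namelen) == 0)
            return 1;
    }
    return 0;
}

/* Copy the allowed entries of `env` into `out` (which must hold max+1
 * pointers), NULL-terminate it and return the number kept. A wrapper
 * would then set PATH itself and point environ at the new array. */
int filter_env(char *const *env, const char **out, int max)
{
    int n = 0;
    for (; *env && n < max; env++) {
        if (env_entry_allowed(*env))
            out[n++] = *env;
    }
    out[n] = NULL;
    return n;
}

/* Given the pre-chroot working directory `cwd` and the new root, write the
 * path to chdir() into after chroot(newroot). cwd must be newroot itself
 * (result "/") or a directory below it, i.e. the character after the
 * prefix must be '/', so "/home/alice2" is not treated as being inside
 * "/home/alice". Returns 0 on success, -1 otherwise. */
int path_inside_chroot(const char *cwd, const char *newroot,
                       char *out, size_t outlen)
{
    size_t rl = strlen(newroot);
    const char *rest;

    if (rl > 1 && newroot[rl - 1] == '/')
        rl--;                       /* treat "/a/" like "/a" */
    if (rl == 1 && newroot[0] == '/') {
        rest = cwd;                 /* chroot to "/" changes nothing */
    } else {
        if (strncmp(cwd, newroot, rl) != 0)
            return -1;
        rest = cwd + rl;
        if (*rest == '\0')
            rest = "/";             /* cwd == newroot */
        else if (*rest != '/')
            return -1;              /* only a string prefix, not a subdir */
    }
    if (strlen(rest) + 1 > outlen)
        return -1;
    strcpy(out, rest);
    return 0;
}

int main(void)
{
    /* Constructed sample environment, not read from the real process. */
    char *sample[] = { "PATH=/usr/bin", "HTTP_HOST=www.example.test",
                       "QUERY_STRING=a=1", "LD_PRELOAD=/tmp/x.so",
                       "REMOTE_ADDRX=1", NULL };
    const char *kept[8];
    char inside[64];
    int n = filter_env(sample, kept, 7);

    for (int i = 0; i < n; i++)
        printf("kept: %s\n", kept[i]);
    if (path_inside_chroot("/home/alice/public_html", "/home/alice",
                           inside, sizeof inside) == 0)
        printf("chdir after chroot: %s\n", inside);
    return 0;
}
```

The length-only test in the posted code lets a cwd such as /home/alice2/x pass for newroot /home/alice and then chdir()s to a path computed from the wrong offset; comparing the prefix and the following character closes that, and the equal-length case ("" after stripping) is mapped to "/" so the chdir() does not fail.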
... to shut down vital parts of the computer infrastructure of a country. As we have seen, a backhoe is enough. Or a faulty software upgrade in a power grid or phone control point.
Also, what crackers (and cyberterrorists, if they actually exist) do is utilizing remotely exploitable bugs in current software. That is, they use tools and techniques which are roughly identical with normal debugging techniques, but apply them a bit more creatively. The creative application may have spectacular effects, but that does not change the fact that the basic techniques used are actually routine debugging techniques.
The bottom line is: As long as current production software is as bad and immature as it is, there is no cyberterrorism. Just applied stupidity.
Your ability to break into a computer using flaws in the original programs running on these machines equals your ability to find bugs in your own programs. Cracking (as opposed to being a mere script kiddie) is just finding bugs in other people's programs without their consent and their knowledge. Cracking is just debugging in a very scarce and hostile development environment.
Some things to check out:
The Anonymizer: Surf the Web anonymously
Replays Anonymous Remailers: Send email anonymously
Onion Routing: Onion Routing allows you to send IP packets anonymously.
SSonet: Multilevel security in computer networks.
... that your IP is easily found out if you're participating in IRC and that has been so for ages. Also, you all know of course, that your IP shows up in web logs, and has been from the very beginning of the web.
You all know as well that you need to use some kind of cryptographically hard anonymizing service for better protection.
A display the size and thickness of a Sony Vaio cover, running on battery for about 5 hours straight, with a pen interface like the pilot, and an infrared or shortrange radio connect to a base station, providing a resolution of 150 dpi or better.
If I had such a thing, I would never grep paper again. ht://dig rules. This would be just so Star Trek!
While I consider myself to be not the stupidest of all persons, I still know many people who I consider vastly better than me in terms of performance and efficiency. Most of these people have one trait in common and that is the ability to focus, and to cut through hype. That is, they are not distracted by superfluous communication. Usually, they are able to grasp the essence of what they need to know to perform from the information tidal wave that drowns all others.
So the secret seems to be NOT to communicate and to participate in the global chatter, unless you are forced to.
Here is how you do a foreach-loop in PHP:

    reset($ary);
    while(list($k, $v) = each($ary)) {
        print "key = $k val=$v\n";
    }
Here is how you speak to any database, using the PHPLIB database abstraction:

    $db = new DB_Example;
    $db->query("select * from mytable");
    while($db->next_record()) {
        print $db->f("fieldname");
    }
The DB_Example class is a subclass of DB_Sql provided by PHPLIB and knows the connection parameters (host, username, password, database) as well as the specific details of your DB server (such as vendor, protocol and the like).
Here is how you handle sessions using PHPLIB:

    page_open(array("sess" => "Example_Session"));
    $somevar = "somevalue";
    $sess->register("somevar");
    page_close();

$somevar will now be present on all session pages that use Example_Session. We propagate sessions using cookies, automatically and transparently falling back to other means if the user does not support sessions. In PHP4, session support is builtin and available without PHPLIB. You will be able to use PHPLIB with PHP4, too, taking advantage of the builtin support.
Ah, I forgot to mention: WDDX is supported on PHP, too. You can exchange data in WDDX format between PHP and CF without problems. PHP also makes good use of the expat XML parser that comes with your Apache or is available separately, enabling you to decode and perform XML RPC.
We are currently using Solaris as a server platform, with Apache or phttpd as a webserver and we are using Oracle and MySQL as databases. We are running PHP as scripting engine as CGI version and as Apache module in some instances.
You seem to come from a mostly Microsoft background, which is not where PHP is at home. PHP3 does not run as an IIS module, as far as I know, but only as a CGI version. This will make it perform much worse than for example CF or ASP on IIS, due to the abysmal performance of the NT platform and IIS as a CGI host - NT just doesn't fork. PHP4 will be running as an IIS module, but is in beta now and I would not build any production code on it - yet. As soon as PHP4 proves to be stable under load, it should outperform PHP3 by a factor of 5-10, though, plus the speed gain coming from being able to use it as a module on IIS.
On a Unix system (Linux, Solaris, doesn't matter) with Apache, PHP3 performs excellently as a module and can take any reasonable amount of load, provided you have enough RAM. We already know this from the Mindcraft benchmark - Apache must not swap and you must tune your MaxClients to match your RAM size to avoid performance degradation under high load. Many sites are parsing all pages, including their regular HTML, through PHP3 for convenience and the performance overhead is negligible - if Apache can take it, Apache and mod_php can usually take it as well.
PHP excels in portability, support and in connectivity when benchmarked against CF. PHP will run on any old server platform and will talk to almost anything, and natively, where CF will most probably talk through an ODBC adapter. PHP includes some 10+ native database interfaces, including all major database vendors, and does LDAP, SNMP, SMTP, NNTP, IMAP4, POP3, some OODB and fulltext database protocols, can generate pictures on the fly, can generate PDF on the fly and so on. Writing extensions for PHP is trivial, if you can do reasonable PHP programming.
One point must not be left out of the equation when talking about PHP, and that is the online support. There are many large PHP mailing lists, including THE PHP3 mailing list, which are extremely friendly and efficient and usually generate correct and useful answers within 15 minutes. Also, the annotated online manual is a unique resource for help, because it is learning and growing, incorporating user annotations. I have nowhere experienced anything that comes close to this kind of support, commercial or not.
My recommendation: PHP on IIS on Windows works, but will most likely not perform as expected. It is nice for testing, but I won't go productive in this configuration. PHP on Apache on Windows works better, but will still not use PHP to its fullest advantage. Also, you will make installation and maintenance unnecessarily difficult for you. PHP on Apache on any Unix will perform extremely satisfactorily, generate only minimal TCO, and is supported excellently. If you have at least minimal Unix knowhow inhouse, I suggest that you go for the full plunge in a test installation instead of an incremental migratory approach, because this way you will maximize the advantages of PHP and your server platform.
Re the migration from version 3 to version 4: PHP4 and PHP3 are drop-in compatible. There is no need to "port" from 3 to 4, because both languages are virtually identical. The differences are extremely minimal and well documented, also the development team is working on closing these final gaps between versions. Changes between version 3 and 4 are completely internal, switching from a fully interpreted system to a byte-code compiler/interpreter hybrid for speed reasons. Also, some language features have been added in an upward compatible and transparent way. We have tested the beta and found it to be living up to its promises in speed _and_ compatibility. Waiting for PHP4 won't pay: You can use PHP3 to learn just now and all this knowledge as well as your code will be valid and valuable on PHP4.
If you'll be using the CGI version of PHP3, please be sure that you
If you have any further questions, please subscribe to the php3@lists.php.net mailing list or have a look at the PHP Knowledge base. These are great resources.
One thing you should keep in mind when talking about Corel: In the Open Source Development model, there is no such thing as a Beta version.
Release early, release often, integrate feedback. You may mark a version as stable, but to take full advantage of the Open Source development model, you must keep your code available at all stages of the development process. Only this will ensure that many eyes go over the code and kill all those nasty, numerous and shallow bugs.
Corel fails to understand this, and that is why they are failing not only PR wise. They do not get the model. I'd say, toast them, even if it is just as a deterrent for others.
I think these questions show a great misconception on what
I am reading
The remarkable thing about
/. has gone through a transition from a students home project with a few dozen, later hundreds of participants to something with a worldwide impact, playing somewhere in the same league as the big portals. Rob and gang have not only managed to keep it alive through this growth, which is an astonishing fact in itself, but they also managed to preserve much of its spirit. Of course it cannot be just the same as it was in the early days (I have a user id of 824, but I was with
So I am still reading
I do not think that this is the correct category for such stuff. The following message came around yesterday evening on the PHP-Slashdot Developers mailing list:
...
From:
Date: 13.09.1999 01:46
Subject: [PHPSLASH] The big blow
To: "PHPSlash"
Well, we are under mandatory evacuation orders here in Hollywood, Fl. where I live. There is a major storm about to stomp us. They are not sure if it is going to come ashore here, or somewhere north of us, but as it's less than 400 miles away now and is over 400 miles wide, that puts the leading edge less than 200 miles away. Tropical storm force winds (35+ MPH) are due in a matter of hours, gale force (about 60+ mph) by 10 AM. The storm is expected to last all day tomorrow and most of Wednesday. What fun. Currently it is a category five storm that is described as capable of doing catastrophic damage. Love that word, catastrophic. Everything three and above is considered deadly.
As most of you possibly know, I live on a sailboat about 500 feet from the Atlantic Ocean. If my home (boat) is destroyed, or S. Fl. loses power/telephone/water, then god only knows when I will be back online, might even take weeks/months. If everything survives all right, I'll be back online Wednesday night or Thursday morning.
The good news is that the storm center is thinking the hurricane force winds (155+ mph in this case) will miss us. By about 10 miles. Nothing like cutting it close.
Currently, I am ignoring the evacuation orders, as nothing much will actually happen for another 10 hours or so, but after that...
So, wish me luck and if you are so inclined, say a prayer....
Best always,
...
Still thinking this is funny?
If the load gets even higher, split your server. Get your images from another machine, possibly with a special web server optimized for static data (phttpd). If you are using an SQL backend, put the database on a dedicated machine.
And always remember: In servers, memory is more important than I/O. I/O is more important than CPU.