Slashdot Mirror


User: Some+Random+Username

Some+Random+Username's activity in the archive.

Stories: 0
Comments: 545

Comments · 545

  1. Re:Think about your ridiculous statement a little. on Mac OS X Security Competition Ends in 30 Minutes · · Score: 1

    "No, you don't understand how CGI access works. Nor do you understand about jails. Nor do you understand about running previously approved/audited/secure CGI vs. letting users install their own. Nor do you understand about running httpd (or whatever) as a chrooted user who only has read/write access to a very limited (and secure) space."

    In fact I do. And less than 1% of those servers have anything like that setup. Because people won't pay for completely useless webhosting (surprise!).

    "Not sure where you got the whole nologin idea from. Not sure why you're talking about linux misconceptions. The "subject at hand" was an OSX server where they allowed ssh, which is certainly a whole lot more access than CGI on a jailed or chrooted suid nobody http account - even with CGI access."

    But it's exactly the same amount of access as > 99% of webhosting companies give you. Which is what I said.

    "Like I said: there are thousands of OSX machines on the net right now. Acting as servers. One of them vended ssh access and got hacked. The other thousands are doing just fine."

    Like I said, supplying web hosting for people is something anyone should reasonably expect to be able to do with a unix machine. OS X has lots of local root exploits which make it impossible to safely provide web hosting for people (serving up only static files is not webhosting anyone will pay for). Pretending local root exploits don't matter because "people shouldn't have shell access" is ridiculous. There are legitimate reasons to have local users. And besides that, local root exploit + remote non-privileged exploit = remote root.

  2. Re:Think about your ridiculous statement a little. on Mac OS X Security Competition Ends in 30 Minutes · · Score: 1

    "You are mixing up "server" with "shell server". There are thousands of OSX servers on the net right now. One of those servers chose to give out shell access and got hacked. The other thousands are doing just fine."

    No, you just don't understand the topic at hand. If you give someone access to run cgi scripts or any other form of dynamic content, then they can do anything and everything they can do with a shell. Either way you have access to execute code on the server as a non-privileged user, and can exploit local vulnerabilities to get root. This crazy notion that setting users' shells to nologin makes you "secure" is one of the most annoying linux noob misconceptions out there.

  3. Re:Why I'm bothering to reply, I don't know. on Open-Source Router to Take on Cisco? · · Score: 1

    "Sorry to break it to you, if you've a userland process, you've userland activity. It makes bugger all difference where you'd like things to take place, they take place where the code is. "But packets are routed by the kernel!" That's not what the argument is about, the argument is not about packet flows, it's about BGP, and BGP is processed by the BGP daemon and not the kernel."

    Sorry to break it to you, but you are either the stupidest person on the planet, or intentionally trying to avoid answering for your ridiculous stupidity. Just say "sorry I tried to pretend to be a know-it-all when I was clueless", we'll all forgive you.

    First you complained that openbgpd was a userland process. I said "of course it is, only a complete fucking moron would want to put bgp decision making in kernel, since it provides no benefit". Then you made your amazingly stupid statement about "every packet" having to go through context switches and scheduling in a sad attempt to explain how putting bgp into the kernel would help. Of course there is userland activity, when there is BGP activity, NOT ON EVERY PACKET. BGP peers send each other updates, the local bgpd decides what routes need to be updated, and updates the kernel routing table. The kernel uses its routing table to route packets, it doesn't ask BGPd where to send every single packet it gets. If you have no fucking clue what you are talking about, then don't talk about it.

    I fail to see how making progressively stupider and stupider posts is helping you. If you can't admit you are talking out of your ass and have no clue what you are talking about, then you should either disappear, or go back to trying to redirect the conversation to distract from how stupid you are.

  4. Yes, we are all stupid enough to believe you. on Open-Source Router to Take on Cisco? · · Score: 1

    It's not like you just made statements proving how totally ignorant you are:

    "What possible advantage could there be in not having 4 completely unnecessary context switches, assorted interrupts and an application scheduler call for EVERY packet that traverses the system."

    Anyone with any clue at all would know routing is done in the kernel, so there are no context switches or userland scheduling involved.

    "Besides which, that would be horribly inefficient. IPSec is good for sustained connections, but the negotiation is expensive and therefore not so great for transmitting occasional state changes."

    Anyone with any clue at all would know that BGP uses sustained connections, and as such is a PERFECT candidate for ipsec, which is why openbsd and juniper both implement it.

    "Of OpenMOSIX - now we're getting into the child's play stuff I'd have thought would be obvious to anyone. Let's start with the obvious. OpenMOSIX (with the DSM extension) supports the migration of threads within a process between boxes, whilst keeping the memory accessible to all threads the same. This has two consequences. First, processes that are not directly related to routing but need to run somewhere (eg: SNMP monitoring, router console - if any, encryption for all those IPSec tunnels, etc) can all be farmed out and the boxes directly in-line with the networks need not handle any of that stuff at all."

    Again, anyone with any clue would realize you can't migrate kernel threads, and thus openmosix makes no sense at all for routers.

    "For example, OpenBSD's support for SMP and 64-bit processors isn't exactly world-class,"

    I'm noticing a pattern here. Yet again, anyone with any clue would know that openbsd's amd64 support is top notch, and sparc64 and alpha are both quite good.

    Please, pity me more for not being a wonderful combination of ignorant, arrogant and dishonest like you. I feel so bad that I can't live up to your great example.

  5. They did test OpenBSD. on LAMP Lights the OSS Security Way · · Score: 2, Informative

    First of all, just because people desperately need a stupid acronym for everything, they call pretty much any non java unix web development "LAMP". So there's nothing wrong with testing other free unixes, webservers, databases and languages. Second, a couple of the OpenBSD developers work at coverity. They have tested openbsd and fixed the issues found. It just isn't cool enough for the people who use acronyms like "LAMP" to care about.

  6. Re:The benefits... on Open-Source Router to Take on Cisco? · · Score: 1

    Maybe you should try actually running a router instead of talking bollocks. Yeah, we desperately need a whole other machine just to run snmp on right? A router handling half a dozen 100Mbps links, QoS, packet filtering, snmp monitoring, netflow generation, etc, etc is all handled very easily by a single machine. By the time you get beyond a single machine handling things, you need to be buying a real router, openmosix does not deal with this at all, it can't migrate kernel threads, only process threads. Routing is done in the kernel.

  7. Re:I'm sure there are cases both ways. on Open-Source Router to Take on Cisco? · · Score: 1

    OpenBSD's support for 64 bit processors is just fine actually, and 64 bit processors don't help in this case at all. And I would love to hear your reasoning why you would think OpenMOSIX is good for a router. Do you just always make up nonsense?

  8. Re:Let's see... on Open-Source Router to Take on Cisco? · · Score: 1

    "More informed about the existence of the other ways of doing things"

    Magical ways that exist only in your warped mind?

    "Particularly when bragging about a secure OS that has no mandatory access controls or role-based memory segmentation"

    Security has nothing to do with administrative access restriction. But then I wasn't bragging about security, you were.

    "Let's see. What possible advantage could there be in not having 4 completely unnecessary context switches, assorted interrupts and an application scheduler call for EVERY packet that traverses the system... Hmmmmm. Tricky. Let me know when you've worked it out."

    Good lord you are clueless. None of that happens for every packet that traverses the system, the kernel routing table is updated as needed by the userland BGP daemon. If you have absolutely no clue what you are talking about in any way, then it's probably not a good idea to blather like an idiot about it.

    "mrouted? The best you have to offer is an ancient, abandonware router for DVMRP?"

    Best I have to offer what? WTF are you talking about? You said openbsd has no routing software, I am telling you it does.

    ""Secure routing" is not running a router over IPSec. (Besides which, that would be horribly inefficient. IPSec is good for sustained connections, but the negotiation is expensive and therefore not so great for transmitting occasional state changes.) A secure routing protocol is a routing protocol in which the security is built in (amazingly enough). This may include many of the techniques used in IPSec such as host authentication, packet validation and packet verification, but most will go considerably further to prevent router table poisoning."

    First of all, what "considerably further" are you going to do? You have no magical way to decide if a route is valid or not, you have to trust your peers to give you valid info, as you have no way of finding out the info yourself. And of course, BGP uses sustained connections. You connect to your peers and stay connected, sending updates as needed. Again you demonstrate that you lack even a basic grasp of the subject. Surprise, surprise, a clueless moron with an axe to grind against openbsd makes up bullshit to convince himself openbsd sucks. Enjoy your delusional fantasy world.

  9. Re:Sure, it's on the Citeseer website on Open-Source Router to Take on Cisco? · · Score: 1

    Oops, I forgot mrouted. And wtf do you mean nothing for "secure routing"? Openbgpd can run over ipsec with almost no effort at all.

    I don't know why you think something is supposed to impress you, I am pointing out that you are posting total nonsense. And it's good that they are not kernel space, why the fuck would you want to stick complex decision making code like that in the kernel when it would provide absolutely no benefit?

    Why you expect that I would "follow your posts" to know that you are a completely fucking clueless MirTard is beyond me. Try the security of openbsd, compromised by a retard who can't code for shit and has had his code rejected from openbsd repeatedly because it sucks so hard. Hooray, sign me up!

    You might want to reconsider bragging about how long you have used BSDs. See, using something for a long time doesn't make you smarter, or better, or even informed (obviously). But if you have used something for a long time, yet are still completely fucking clueless, it makes you seem like you might have a developmental disorder or mild brain damage or something.

  10. Re:Can I have a hit of what you are smoking? on Open-Source Router to Take on Cisco? · · Score: 2, Informative

    If you want to dispute it then do so. Posting a link to someone making random assumptions isn't disputing.

    Try using both, it's pretty easy to see how much better openbgpd is. The memory usage difference alone is amazing, never mind how openbgpd loads in full feeds so much faster, and doesn't occasionally lose sessions under high load like zebra/quagga. And soft-reconfig has been in for a while now.

    I'm sure plenty of decent sized places are using quagga. I used to use it too. That doesn't mean it's good though. Most people don't even know about openbgpd, and a lot of people won't switch to openbsd because they haven't used it before. And of course, there's plenty of decent sized places using openbgpd too, and I've never heard of anyone trying it and not finding it an improvement over quagga, or cisco.

  11. Can I have a hit of what you are smoking? on Open-Source Router to Take on Cisco? · · Score: 4, Informative

    OpenBSD ships with its own RIP, BGP and OSPF daemons. Its BGP daemon is BY FAR better than xorp and quagga, and it's BSD licensed of course. OpenBSD is already a fantastic software router, maybe you should try using it instead of ignorantly telling us what it "could be"?

  12. You are quite clueless aren't you? on Mac OS X Security Competition Ends in 30 Minutes · · Score: 1

    Giving people nologin for a shell doesn't do anything. Any web host that lets you run CGI or PHP or anything dynamic at all is giving you all the same abilities that you get with a real shell. It's just less convenient. You can still exploit local holes to gain root priv all you want.

  13. Think about your ridiculous statement a little. on Mac OS X Security Competition Ends in 30 Minutes · · Score: 1, Flamebait

    You are saying that providing web hosting means you should expect to be rooted all the time? People need to have unprivileged user accounts. That should never mean they can root the system. OSX is insecure, and cannot be used as a server because of this. It's nothing at all like physical access, which gives you the ability to bypass the OS altogether. This is just a case of the OS being broken, plain and simple.

  14. Unsettling to who? on Open Season On Open Source? · · Score: 4, Insightful

    The whole thing is just "blah blah, we don't understand open source and refuse to learn". The only thing unsettling is that "journalists" are too stupid to read.

  15. Too much koolaid buddy. on Why Vista Won't Suck · · Score: 1

    No, that bit of "FUD" is completely accurate. A virus will work just fine on any unix. If Bob the moron runs a virus, it can still go right ahead and mail itself out to everyone else with an email address on his system, just like with windows. Unix does not have any magical way to divine what is good code and what is bad code, it runs what the user asks it to. And users are dumb.

    Viruses are very much dependent on marketshare. If there aren't enough people running a platform, then it won't spread well, the odds of finding new victims are too low.

  16. It's probably just an ego thing. on NYT on Paul Graham's YCombinator Bootcamp · · Score: 1

    I think he just assumes that everyone has read his insane babblings, so they will already know they are worthless if they are older than 25. The obvious exception being PG himself of course, since getting lucky once, and then being a blowhard forever after makes you something akin to a god.

  17. Um, he doesn't want you. on NYT on Paul Graham's YCombinator Bootcamp · · Score: 1

    The whole thing is for recent graduates, or even people still going to school doing this for the summer. He is convinced that people with jobs and families can't start companies.

  18. Re:Ruby? on Going Dynamic with PHP · · Score: 1

    C++, VB, C#, objective C, python, perl, pike, ruby, smalltalk, and likely several other languages I am not familiar enough with to comment on all can do this. Yep, sounds like ruby is pretty much on its own here huh?

  19. Ruby? on Going Dynamic with PHP · · Score: 2, Insightful

    You mean kinda like every language that supports OO design? None of this is even remotely ruby specific, or even ruby inspired.

  20. And you believe those hacks why? on Xen Hacker Interviewed · · Score: 1

    Intel makes the chips. They have said quite clearly that the chips do support VT. People have displayed dmesg's showing that the CPUs do in fact report that they support it. It's just that some companies are shipping shitty boards with the functionality turned off, that doesn't mean that the CPUs don't support it.

    http://appleintelfaq.com/images/intel_vt_response.pdf

  21. VT is already out on the core duo chips. on Linux beats Windows to Intel iMac · · Score: 1

    You mean once someone decides to actually do something with it.

  22. Re:Go use BDB first, then come back. on Oracle Acquires Sleepycat · · Score: 1

    "Ok, now you're just being ridiculous."

    No, the thread started out ridiculous, that's what I've been saying.

  23. Re:Go use BDB first, then come back. on Oracle Acquires Sleepycat · · Score: 1

    No, it's not perfectly conceivable at all, that's what I am saying. It's just as ridiculous and inconceivable as wanting to use exchange instead of oracle. I'm sure there is someone, somewhere that is that stupid, but that doesn't mean those are competing products.

    Any relatively smart business person will look at what market the products are in to decide if they compete or not. They will not ask every retard that has ever lived if they might confuse the two products' purposes.

  24. Go use BDB first, then come back. on Oracle Acquires Sleepycat · · Score: 1

    That's like saying samba competes with oracle because they both let you store data. You can pretend anything is competition if you look at it from a ridiculously abstract perspective. That doesn't make it true though, it just means you are ignoring the details.

  25. I sense you needing hooked on phonics. on Oracle Acquires Sleepycat · · Score: 1

    You can certainly argue that mysql competes with oracle. They are both relational SQL database servers. Oracle did not purchase mysql however, they bought sleepycat, who makes BDB, which is in no way a competitor to oracle. It is neither relational, nor SQL, nor even a server. It's a low level database library. It is also BSD licensed, so mysql can go right ahead and keep using it until the end of time, regardless of who buys the company who made it.