From Axel.Rau at chaos1.de Mon Feb 4 10:09:27 2008
From: Axel.Rau at chaos1.de (Axel Rau)
Date: Mon Feb 4 10:09:35 2008
Subject: Mac behind a pf firewall
Message-ID:

Hi all,

anybody using Macs behind an OpenBSD/FreeBSD pf firewall?
Mail.app accessing IMAP servers through such a firewall often hangs.

Axel
---------------------------------------------------------------------
Axel Rau, Frankfurt, Germany                       +49 69 9514 18 0

From mgf at mgfconsulting.net Mon Feb 4 10:21:19 2008
From: mgf at mgfconsulting.net (Mike Friedman)
Date: Mon Feb 4 10:21:29 2008
Subject: Binding to AD in Leopard
Message-ID: <96B2DBFE-E3B5-4F82-916B-1AD141DB3F68@mgfconsulting.net>

Have any of you run into problems with binding to Active Directory in
Leopard? I am attempting to bind two brand new iMacs to a brand new AD
domain (new SBS 2003 server). When trying to use the Directory Utility,
I get various network errors (edsAuthFailed and edsCannotAccessSession
are the two most common) and am unable to bind these machines to AD.

I did some googling around and this appears to be a fairly common
problem. Have any of you run into this, and solved it?

Thanks.

=======================
Mike Friedman
MGF Consulting
Computers without Attitude
http://www.mgfconsulting.net
415-648-6560 (office)
415-823-9990 (mobile)
Yahoo Messenger/AIM: sfmike64

From christianedwardgruber at gmail.com Mon Feb 4 10:44:09 2008
From: christianedwardgruber at gmail.com (Christian Edward Gruber)
Date: Mon Feb 4 10:44:14 2008
Subject: Mac behind a pf firewall
In-Reply-To:
References:
Message-ID: <068739AB-0C59-4F74-8896-FABF93EAE08F@gmail.com>

That's my setup and I have no problems with this.

Mail.app -----> OpenBSD 4.1 pf -----> courier-imap mailserver

Does restarting your Mail.app end up working?

Christian.

On 4-Feb-08, at 13:09 , Axel Rau wrote:

> Hi all,
>
> anybody using Macs behind an OpenBSD/FreeBSD pf firewall?
> Mail.app accessing IMAP servers through such a firewall often hangs.
>
> Axel
> ---------------------------------------------------------------------
> Axel Rau, Frankfurt, Germany                       +49 69 9514 18
> 0
> _______________________________________________
> MacOSX-admin mailing list
> MacOSX-admin@omnigroup.com
> http://www.omnigroup.com/mailman/listinfo/macosx-admin

From dante.mclean at sympatico.ca Mon Feb 4 16:06:28 2008
From: dante.mclean at sympatico.ca (DANTE Mclean)
Date: Mon Feb 4 16:06:34 2008
Subject: Locking the Dock
In-Reply-To: <20080204200003.72E8EBE4C0@forums.omnigroup.com>
Message-ID:

Wondering if anybody knows of a way to "lock" the icons in the dock?

I've got an iMac--I believe running under 10.4--in the Kindergarten
room. The kids removed a dock icon by accident. I figure, once they
discover the little "poof" when you take an icon out of the dock, it
won't be long before it is an intentional accident.

I'd like to be able to restrict the privileges on their account a bit
more, say something similar to what I can do with Mac Manager on the
9.2.2 machines in the computer lab.

At the very least, the dock must be locked.

Thanks.

Dante McLean
System Administrator / Technology Teacher
Wanipigow School

From grail at goldweb.com.au Mon Feb 4 16:29:45 2008
From: grail at goldweb.com.au (Alex Satrapa)
Date: Mon Feb 4 16:29:58 2008
Subject: Locking the Dock
In-Reply-To:
References:
Message-ID: <9E4E2D6D-B827-4F6E-BC34-A5250627E823@goldweb.com.au>

On 05/02/2008, at 11:06 , DANTE Mclean wrote:

> Wondering if anybody knows of a way to "lock" the icons in the dock?

System Preferences -> Accounts -> Parental Controls -> Finder & System

My favourite is "Simple Finder", which ends up giving the user a very
simple dock:

 - My Applications
 - My Documents
 - Shared

You can then specify exactly what applications this user is allowed to
run. The Dock is locked, and I think the simple Finder can only have
one window open.

Enjoy :)
Alex

From diego-osxadmin at zzamboni.org Mon Feb 4 16:22:36 2008
From: diego-osxadmin at zzamboni.org (Diego Zamboni)
Date: Mon Feb 4 16:42:09 2008
Subject: Locking the Dock
In-Reply-To:
References:
Message-ID:

Hi,

> Wondering if anybody knows of a way to "lock" the icons in the dock?
>
> I've got an iMac--I believe running under 10.4--in the Kindergarten
> room. The kids removed a dock icon by accident. I figure, once
> they discover the little "poof" when you take an icon out of the
> dock, it won't be long before it is an intentional accident.
>
> I'd like to be able to restrict the privileges on their account a
> bit more, say something similar to what I can do with Mac Manager on
> the 9.2.2 machines in the computer lab.
>
> At the very least, the dock must be locked.

Maybe Parental Controls would do what you need? I think (I have never
used them) that you can specify that the user should not be able to
modify the Dock, plus other restrictions.

--Diego

From Axel.Rau at chaos1.de Tue Feb 5 01:47:28 2008
From: Axel.Rau at chaos1.de (Axel Rau)
Date: Tue Feb 5 01:47:45 2008
Subject: Mac behind a pf firewall
In-Reply-To: <068739AB-0C59-4F74-8896-FABF93EAE08F@gmail.com>
References: <068739AB-0C59-4F74-8896-FABF93EAE08F@gmail.com>
Message-ID:

On 04.02.2008 at 19:44, Christian Edward Gruber wrote:

> That's my setup and I have no problems with this.
>
> Mail.app -----> OpenBSD 4.1 pf -----> courier-imap mailserver

Similar setup with me. It happened with courier-imap and now with
archiveopteryx.

>
>
> Does restarting your Mail.app end up working?

Yes, mostly. It happens, if you have some long lasting IMAP activity,
like scanning big mailbox trees or copying hundreds of mails.

In the activity monitor of Mail, those links show up as stalled.

Could you try to reproduce it?

tcpdump shows that Mail issues a TCP FIN but receives some more data
messages before the FIN from the server. This is legal but seems not
to be liked by Mail, so it issues a RST.
This reset has the wrong sequence number and is refused by the
firewall.
The TCP stack problem is bug #5008062 (2007-02-19).

I can't believe that I'm the only site with Apple IMAP clients behind
a pf firewall, seeing this problem.

By the way, with Thunderbird I don't see these RSTs.

Axel
---------------------------------------------------------------------
Axel Rau, Frankfurt, Germany                       +49 69 9514 18 0

From christianedwardgruber at gmail.com Tue Feb 5 06:23:37 2008
From: christianedwardgruber at gmail.com (Christian Edward Gruber)
Date: Tue Feb 5 06:51:31 2008
Subject: Mac behind a pf firewall
In-Reply-To:
References: <068739AB-0C59-4F74-8896-FABF93EAE08F@gmail.com>
Message-ID: <2E47CE01-678B-4990-8A84-3BDCBDB7DFEF@gmail.com>

Maybe I do have that problem. If something got stalled, I just went to
the activity monitor and killed it. The activity restarted and worked
like a charm. It's probably important to note that I have that problem
with courier even when I'm on the road (outside the pf zone), so I
assumed it was courier.

Christian.

On 5-Feb-08, at 04:47 , Axel Rau wrote:

>
> On 04.02.2008 at 19:44, Christian Edward Gruber wrote:
>
>> That's my setup and I have no problems with this.
>>
>> Mail.app -----> OpenBSD 4.1 pf -----> courier-imap mailserver
> Similar setup with me. It happened with courier-imap and now with
> archiveopteryx.
>>
>>
>> Does restarting your Mail.app end up working?
> Yes, mostly. It happens, if you have some long lasting IMAP
> activity, like scanning big mailbox trees or copying hundreds of
> mails.
>
> In the activity monitor of Mail, those links show up as stalled.
>
> Could you try to reproduce it?
>
> tcpdump shows that Mail issues a TCP FIN but receives some more data
> messages before the FIN from the server. This is legal but seems not
> to be liked by
> Mail, so it issues a RST. This reset has the wrong sequence number
> and is refused by the firewall.
> The TCP stack problem is bug #5008062 (2007-02-19).
>
> I can't believe that I'm the only site with Apple IMAP clients
> behind a pf firewall, seeing this problem.
>
> By the way, with Thunderbird I don't see these RSTs.
>
> Axel
> ---------------------------------------------------------------------
> Axel Rau, Frankfurt, Germany                       +49 69 9514 18
> 0
>
>

From rlinesseagate at gmail.com Tue Feb 5 07:16:38 2008
From: rlinesseagate at gmail.com (Rob Lines)
Date: Tue Feb 5 07:16:40 2008
Subject: Locking the Dock
In-Reply-To:
References: <20080204200003.72E8EBE4C0@forums.omnigroup.com>
Message-ID: <69592cde0802050716h2eae77a0s5a15a5000dd8db85@mail.gmail.com>

On Feb 4, 2008 7:06 PM, DANTE Mclean wrote:

> Wondering if anybody knows of a way to "lock" the icons in the dock?
>
> I've got an iMac--I believe running under 10.4--in the Kindergarten
> room. The kids removed a dock icon by accident. I figure, once they
> discover the little "poof" when you take an icon out of the dock, it
> won't be long before it is an intentional accident.
>
> I'd like to be able to restrict the privileges on their account a bit
> more, say something similar to what I can do with Mac Manager on the
> 9.2.2 machines in the computer lab.
>
> At the very least, the dock must be locked.
>

If you have an OSX Server running 10.4 (or the same version as the
client) that the kindergarten machine is connected to the open
directory of you could use workgroup manager to set preferences on the
machine level. I created a list of apps that I wanted to be in the
dock on all the computers and applied it to them. I don't have
workgroup manager in front of me at the moment but there are a number
of options on how the icons appear. One is to have it apply only the
first time that it is logged on (not the best option because you want
it to heal itself) another option is to force only those dock items
and another one is to merge with the user's dock.
I pretty much cleaned the default user template of all the items in
the dock and then use workgroup manager to hand down some sane
defaults. While the students can still remove items from the dock a
simple log out and log back in repairs it. It also allows for a
teacher to add additional software under their log on. I also used
workgroup manager to hand down some additional items in the dock just
for the teachers such as the gradebook utility and some of the more
advanced graphics and design software (Adobe Suite) that the
kindergarten kids really don't need or use.

It works pretty well and makes rolling out a new package and ensuring
that it is on the dock properly easy as you can roll it out before
hand and have people test it and once you are sure it is good to go
you just add the icon to the dock and suddenly all the machines have
it.

Rob

From nbfa at stanford.edu Tue Feb 5 13:24:51 2008
From: nbfa at stanford.edu (Noah Abrahamson)
Date: Tue Feb 5 13:25:02 2008
Subject: Binding to AD in Leopard
In-Reply-To: <96B2DBFE-E3B5-4F82-916B-1AD141DB3F68@mgfconsulting.net>
References: <96B2DBFE-E3B5-4F82-916B-1AD141DB3F68@mgfconsulting.net>
Message-ID: <731FB35C-1748-40BE-B2C8-2554F1579439@stanford.edu>

On Feb 4, 2008, at 10:21 AM, Mike Friedman wrote:

> Have any of you run into problems with binding to Active Directory
> in Leopard? I am attempting to bind two brand new iMacs to a brand
> new AD domain (new SBS 2003 server). When trying to use the
> Directory Utility, I get various network errors (edsAuthFailed and
> edsCannotAccessSession are the two most common) and am unable to
> bind these machines to AD.
>
> I did some googling around and this appears to be a fairly common
> problem. Have any of you run into this, and solved it?

Yes, it's common; yes, those of us with multiple DCs have encountered
it, and no, there is no solution. But there is (at least one)
workaround that may work for you: pre-create the computer account in
AD.

10.5.2 is being seeded to developers and purportedly addresses
this/these issue(s).

Noah
-------------------
Noah Abrahamson
Stanford University

From jhealy at logn.net Tue Feb 5 14:12:20 2008
From: jhealy at logn.net (Jason Healy)
Date: Tue Feb 5 14:43:40 2008
Subject: Mac behind a pf firewall
In-Reply-To:
References:
Message-ID:

On Feb 4, 2008, at 1:09 PM, Axel Rau wrote:

> anybody using Macs behind a OpenBSD/FreeBSD pf firewall?

Our campus has about 500 macs and an OpenBSD pf firewall that NATs
them down to the outside world. I've not heard any complaints from
users who have IMAP accounts (gmail, .Mac, etc) so I'm not aware of
any issues. Our official e-mail system is not IMAP-based, though, so
it would only affect external services.

Also, I connect from off-campus sometimes via IMAP (through the same
firewall) and have not noticed any hanging or stalled connections (I
usually leave the Activity monitor open, so I would see them if they
happened).

Jason

--
Jason Healy | jhealy@logn.net | http://www.logn.net/

From Axel.Rau at chaos1.de Wed Feb 6 00:45:41 2008
From: Axel.Rau at chaos1.de (Axel Rau)
Date: Wed Feb 6 00:45:51 2008
Subject: Mac behind a pf firewall
In-Reply-To:
References:
Message-ID:

On 05.02.2008 at 23:12, Jason Healy wrote:

> Also, I connect from off-campus sometimes via IMAP (through the same
> firewall) and have not noticed any hanging or stalled connections (I
> usually leave the Activity monitor open, so I would see them if they
> happened).

Maybe any IMAP specific code in Mail triggers this FIN RST sequence.

Axel
---------------------------------------------------------------------
Axel Rau, Frankfurt, Germany                       +49 69 9514 18 0

From shoop at iwiring.net Wed Feb 6 15:56:16 2008
From: shoop at iwiring.net (Dan Shoop)
Date: Wed Feb 6 15:56:25 2008
Subject: ZFS (was Reliable Firewire drives)
In-Reply-To: <9d9c4a330801131308x61a5c257q278160c2533e826@mail.gmail.com>
References: <66B19A2C-D4BA-4FC0-8434-47A03EA40065@iwiring.net>
 <17c8e29e0801102050u1b278413wc766e09f450b251a@mail.gmail.com>
 <9d9c4a330801111906gba7539bwbe65e5cfe628507c@mail.gmail.com>
 <9d9c4a330801131308x61a5c257q278160c2533e826@mail.gmail.com>
Message-ID: <822E8FDD-A538-4970-96D5-857F45E67A17@iwiring.net>

On Jan 13, 2008, at 4:08 PM, Brett Dikeman wrote:

> On Jan 12, 2008 2:32 AM, Lewis Butler wrote:
>
>>> Running ZFS on any sort of production environment on anything except
>>> 64 bit Sun hardware w/Solaris means running on borrowed time, at
>>> least for the moment.
>>
>> I don't think that's quite true.
>
> http://www.google.com/search?q=zfs+crash
> http://www.google.com/search?q=zfs+corrupt
>
> ZFS is not in STABLE in FreeBSD and there are numerous reports of it
> crashing. The documentation for the ZFS FUSE module clearly states
> "do not use this for anything important." The MacPorts ZFS driver
> contains an errata list that demonstrates it has very basic problems
> with both the implementation of the filesystem and the operating
> system's support for ZFS-isms. Apple only provides read support in
> the release of Leopard.
>

OK if you're talking about the FUSE port of ZFS well this is not ZFS,
it's a US filesystem version of it, that is it's not the real ZFS.
Since FUSE itself has significant issues obviously anything based on
it will too.

However there is a real port of ZFS which exists. For the Mac as well.

> I don't know how much clearer I can make it to you that ZFS is not a
> stable filesystem.
> It is not considered ready for production on
> anything except 64-bit Solaris, and even on that platform, it has
> issues. For example, even on Solaris 10 8/07, it can't be used as a
> root filesystem.

ZFS, as implemented by Sun, or the Apple build for OS X, has proven to
be far more stable than many currently shipping filesystems for the
same platforms. Is it 100% stable, no, but nothing is. That said ZFS
will tell you a boatload more about what's going wrong beforehand.
We've had several cases where ZFS has alerted us to issues, and in
many cases fixed them (including things not fixable at all in other
FS), before they've developed into problems. We've found disks not up
to production muster by just writing to them once. I can't speak well
enough about ZFS both on Solaris and Mac OS X.

As for why it's not considered production worthy on 32 bit Solaris,
this is an issue with 32 bit Solaris, not ZFS.

And yes, very very unfortunately, ZFS can't be used, currently, as a
boot volume for Solaris (or OS X) but this in NO WAY represents
problems with its stability but issues regarding boot loaders. There
aren't any boot loaders that currently support ZFS filesystems.

-dhan

------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services
shoop@iwiring.net

AOL IM .................... iWiring
Nextel .................... 1-714-363-1174
Operations TOC (24/7) ..... 1-866-901-USTS
USTS Offices .............. 1-714-374-6300

For immediate response for urgent matters please speak to the Duty
Officer at the USTS Tactical Operations Center (above) who can reach
me by radio.

From shoop at iwiring.net Wed Feb 6 15:58:52 2008
From: shoop at iwiring.net (Dan Shoop)
Date: Wed Feb 6 15:59:05 2008
Subject: Reliable Firewire drives
In-Reply-To:
References: <23759C6B-050F-4FAB-AC80-956610926186@goldweb.com.au>
Message-ID:

On Jan 22, 2008, at 11:17 AM, David Gutierrez wrote:

> Does anyone have experience with G-Technology drives?

They don't make drives, they make a nice enclosure for drives that
they place in their units.

-dhan

------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services
shoop@iwiring.net

AOL IM .................... iWiring
Nextel .................... 1-714-363-1174
Operations TOC (24/7) ..... 1-866-901-USTS
USTS Offices .............. 1-714-374-6300

For immediate response for urgent matters please speak to the Duty
Officer at the USTS Tactical Operations Center (above) who can reach
me by radio.

From jwelch at bynkii.com Wed Feb 6 16:19:12 2008
From: jwelch at bynkii.com (John C. Welch)
Date: Wed Feb 6 16:19:21 2008
Subject: ZFS (was Reliable Firewire drives)
In-Reply-To: <822E8FDD-A538-4970-96D5-857F45E67A17@iwiring.net>
Message-ID:

On 02/06/2008 17:56 PM, "Dan Shoop" wrote:

> ZFS, as implemented by Sun, or the Apple build for OS X, has proven to
> be far more stable than many currently shipping filesystems for the
> same platforms. Is it 100% stable, no, but nothing is. That said ZFS
> will tell you a boatload more about what's going wrong beforehand.
> We've had several cases where ZFS has alerted us to issues, and in
> many cases fixed them (including things not fixable at all in other
> FS), before they've developed into problems. We've found disks not up
> to production muster by just writing to them once. I can't speak well
> enough about ZFS both on Solaris and Mac OS X.

ZFS is indeed quite nice, however, it is not the perfect magic spell
its PR is trying to make it be.
Like every other bit of software written, it has bugs, including this
one: that bit Joyent in the ass:

As well, ZFS is still only supported as *read only* on Mac OS X, so
unless you have a lot of expertise with ZFS at all levels, running the
beta R/W implementations on Mac OS X is not recommended at all.

ZFS is on the right track, but it's not the perfect FS for all things.
(There are some things it does as a matter of course that, in its
current form, would make it a rather poor choice for a consumer-level
FS.)

--
John C. Welch
Writer/Analyst
Bynkii.com
Mac and other opinions
jwelch@bynkii.com

From kremels at kreme.com Thu Feb 7 17:26:14 2008
From: kremels at kreme.com (LuKreme)
Date: Thu Feb 7 17:26:19 2008
Subject: Locking the Dock
In-Reply-To:
References:
Message-ID: <34F33A32-1783-4E9F-BD44-4E6F15D811E2@kreme.com>

On 4-Feb-2008, at 17:06, DANTE Mclean wrote:

> Wondering if anybody knows of a way to "lock" the icons in the dock?

Switch the user to "Managed"

These are kindergartners, they should be on managed accounts anyway.

> I'd like to be able to restrict the privileges on their account a
> bit more, say something similar to what I can do with Mac Manager on
> the 9.2.2 machines in the computer lab.

There's lots of stuff in the Parental Controls for a managed account,
and it's even better in 10.5

--
You know, in a world in which Bush and Blair can be nominated for the
Nobel Peace Prize, "for having dared to take the necessary decision to
launch a war on Iraq without having the support of the UN" I find
myself agreeing with Tom Lehrer: satire is dead. - Neil Gaiman

From shoop at iwiring.net Fri Feb 8 11:04:28 2008
From: shoop at iwiring.net (Dan Shoop)
Date: Fri Feb 8 11:04:35 2008
Subject: ZFS (was Reliable Firewire drives)
In-Reply-To:
References:
Message-ID: <49D124B3-AECA-4B0B-88DA-809585D8DB15@iwiring.net>

On Feb 6, 2008, at 7:19 PM, John C.
Welch wrote:

> On 02/06/2008 17:56 PM, "Dan Shoop" wrote:
>
>> ZFS, as implemented by Sun, or the Apple build for OS X, has proven
>> to be far more stable than many currently shipping filesystems for
>> the same platforms. Is it 100% stable, no, but nothing is. That said
>> ZFS will tell you a boatload more about what's going wrong beforehand.
>> We've had several cases where ZFS has alerted us to issues, and in
>> many cases fixed them (including things not fixable at all in other
>> FS), before they've developed into problems. We've found disks not up
>> to production muster by just writing to them once. I can't speak well
>> enough about ZFS both on Solaris and Mac OS X.
>
> ZFS is indeed quite nice, however, it is not the perfect magic spell
> its PR is trying to make it be. Like every other bit of software
> written, it has bugs, including this one:
> that bit Joyent in the ass:

It would be fair to note when mentioning this that they were running
an out of date version of their OS and that had they updated like they
should have they'd never have been bitten by their problem. Also this
bug was from 2006 and was fixed long ago so while yes, ZFS, like
anything -- including HFS -- can have bugs, this one was squashed in
short order. All pointing out the above proves is that you need to
keep up with your updates, which is true for any software you use.

> As well, ZFS is still only supported as *read only* on Mac OS X, so
> unless you have a lot of expertise with ZFS at all levels, running
> the beta R/W implementations on Mac OS X is not recommended at all.

To be fair the beta r/w *is* the production ZFS codebase, so the only
thing really beta about it is that it's running or has been ported on
OS X.

-dhan

------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services
shoop@iwiring.net

AOL IM .................... iWiring
Nextel ....................
1-714-363-1174
Operations TOC (24/7) ..... 1-866-901-USTS
USTS Offices .............. 1-714-374-6300

For immediate response for urgent matters please speak to the Duty
Officer at the USTS Tactical Operations Center (above) who can reach
me by radio.

From jwelch at bynkii.com Fri Feb 8 11:08:27 2008
From: jwelch at bynkii.com (John C. Welch)
Date: Fri Feb 8 11:08:34 2008
Subject: ZFS (was Reliable Firewire drives)
In-Reply-To: <49D124B3-AECA-4B0B-88DA-809585D8DB15@iwiring.net>
Message-ID:

On 02/08/2008 13:04 PM, "Dan Shoop" wrote:

>> ZFS is indeed quite nice, however, it is not the perfect magic spell
>> its PR is trying to make it be. Like every other bit of software
>> written, it has bugs, including this one:
>> that bit Joyent in the ass:
>
> It would be fair to note when mentioning this that they were running
> an out of date version of their OS and that had they updated like they
> should have they'd never have been bitten by their problem. Also this
> bug was from 2006 and was fixed long ago so while yes, ZFS, like
> anything -- including HFS -- can have bugs, this one was squashed in
> short order. All pointing out the above proves is that you need to
> keep up with your updates, which is true for any software you use.

It also points out that contrary to PR, ZFS is not the magic file
system, it's not perfect in form and execution, nor is it the last
filesystem you'll ever need.

It is a very good file system, but the magical thinking it inspires
needs to end and bloody soon.

>
>> As well, ZFS is still only supported as *read only* on Mac OS X, so
>> unless you have a lot of expertise with ZFS at all levels, running
>> the beta R/W implementations on Mac OS X is not recommended at all.
>
> To be fair the beta r/w *is* the production ZFS codebase, so the only
> thing really beta about it is that it's running or has been ported on
> OS X.

That's really immaterial. As of now, on Mac OS X, R/W ZFS is not
supported by the OS Vendor. Period.
Its status on other platforms is completely irrelevant to that fact.
If that's not a concern, then act accordingly, but for many that *is*
a concern.

--
John C. Welch
Writer/Analyst
Bynkii.com
Mac and other opinions
jwelch@bynkii.com

From jeff.hall at digitalmaelstrom.net Fri Feb 8 13:59:53 2008
From: jeff.hall at digitalmaelstrom.net (Jeff Hall)
Date: Fri Feb 8 13:59:57 2008
Subject: Leopard Name Resolution Issues
In-Reply-To: <92324C10E2DB0F9D9584491C@whitestar.local>
References: <2127EC16BF7C60B16ACCCC8F@whitestar.local>
 <7e5608b50711272032o6389f87dt5db5ccf94441bcee@mail.gmail.com>
 <9615BEF06F03967F69F56634@whitestar.local>
 <7e5608b50711272227x1bc97333q9fd48da770b2080e@mail.gmail.com>
 <25720056194F3D249140F8A5@whitestar.local>
 <7e5608b50711272250q58612a1av4c3a542b31ca56f8@mail.gmail.com>
 <3CD3858C2FE5D0357D6ECE5A@whitestar.local>
 <7e5608b50711272300m2435aebes65aff96ff39629e@mail.gmail.com>
 <44692F76-77A5-4512-92D7-E6B52FE977CF@iwiring.net>
 <12F5D21BC05624E5D3CD44F8@D-128-208-244-210.dhcp4.washington.edu>
 <92324C10E2DB0F9D9584491C@whitestar.local>
Message-ID: <15364788.post@talk.nabble.com>

> So, now that I know exactly where in the system configuration the problem
> lies... anybody have any suggestions on where the two offending entries
> might be resurrecting from, and how I can purge them for good?
>
>

I also encountered this issue in Leopard 10.5.1 - this is the
procedure under which I resolved the issue. Hopefully it will work for
you as well.

1. Open System Preferences
2. Open Sharing
3. Click Edit... under Computer Name
4. Check the checkbox next to Use dynamic global hostname
5. LEAVE ALL FIELDS under dynamic global hostname BLANK - there isn't
   any field validation
6. Click OK

The State:/Network/PrivateDNS key remains unchanged, but seems to
affect the system configuration elsewhere allowing DNS resolution to
succeed.

--
View this message in context: http://www.nabble.com/Leopard-Name-Resolution-Issues-tp13985457p15364788.html
Sent from the OmniGroup - MacOSX-Admin mailing list archive at Nabble.com.

From grail at goldweb.com.au Mon Feb 11 15:29:33 2008
From: grail at goldweb.com.au (Alex Satrapa)
Date: Mon Feb 11 15:29:46 2008
Subject: ZFS (was Reliable Firewire drives)
In-Reply-To:
References:
Message-ID: <0B98DAE9-BF9F-4E61-B486-7E9E0139B8E3@goldweb.com.au>

On 09/02/2008, at 06:08 , John C. Welch wrote:

> It also points out that contrary to PR, ZFS is not the magic file
> system, it's not perfect in form and execution, nor is it the last
> filesystem you'll ever need.

The story also points out that in any disaster recovery plan, you have
to rehearse the recovery portion of the plan.

That is to say, when making backup copies of file systems as part of a
recovery plan, at some point in time someone has to try doing a
recovery from the backup copy. Then you'd have ample warning about
file system errors creeping into block-wise copies of your existing
file systems.

The story could also be used to point out that block-wise copies of
file systems are a bad idea. It is obvious that you should do logical
copies of the file system (copying file by file), to avoid carrying
block-level faults (file system, hardware error, or otherwise) to your
precious backup copy.

The story is about poor recovery planning first, bug in file system
second.

Regards
Alex

From shoop at iwiring.net Tue Feb 12 07:26:38 2008
From: shoop at iwiring.net (Dan Shoop)
Date: Tue Feb 12 07:28:18 2008
Subject: ZFS (was Reliable Firewire drives)
In-Reply-To: <0B98DAE9-BF9F-4E61-B486-7E9E0139B8E3@goldweb.com.au>
References: <0B98DAE9-BF9F-4E61-B486-7E9E0139B8E3@goldweb.com.au>
Message-ID: <02DF8A3B-0639-4D7C-8F48-5D154A1D8A04@iwiring.net>

On Feb 11, 2008, at 6:29 PM, Alex Satrapa wrote:

> On 09/02/2008, at 06:08 , John C.
> Welch wrote:
>
>> It also points out that contrary to PR, ZFS is not the magic file
>> system, it's not perfect in form and execution, nor is it the last
>> filesystem you'll ever need.
>
> The story also points out that in any disaster recovery plan, you
> have to rehearse the recovery portion of the plan.
>
> That is to say, when making backup copies of file systems as part of
> a recovery plan, at some point in time someone has to try doing a
> recovery from the backup copy. Then you'd have ample warning about
> file system errors creeping into block-wise copies of your existing
> file systems.
>
> The story could also be used to point out that block-wise copies of
> file systems are a bad idea. It is obvious that you should do
> logical copies of the file system (copying file by file), to avoid
> carrying block-level faults (file system, hardware error, or
> otherwise) to your precious backup copy.
>
> The story is about poor recovery planning first, bug in file system
> second.

Neither one should have occurred had only the sysadmins been
exercising any modicum of due diligence.

I suppose John will say that this is his point, that it's not a magic
pill, but like in every fairy tale I've ever seen the hero never use
the old version of the magic spell either nor does he slay the wrong
dragon or try to win the affections of the princess's aging stepmother.

One might point out that one of ZFS's engineering goals is to assure
block-wise errors are detected if not fixed, and has a lot of magic
associated with this; but using an unstable and outdated version (by
well over a year) and ignoring updates that address significant major
fixes, is ignoring your job. Your tools can only do their tricks if
you keep them in working order. I don't expect a broken hammer to
drive nails and shouldn't complain when its head flies off as I try to
drive a nail and hits me in the face.

-dhan

------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services
shoop@iwiring.net

AOL IM .................... iWiring
Nextel .................... 1-714-363-1174
Operations TOC (24/7) ..... 1-866-901-USTS
USTS Offices .............. 1-714-374-6300

For immediate response for urgent matters please speak to the Duty
Officer at the USTS Tactical Operations Center (above) who can reach
me by radio.

From jwelch at bynkii.com Tue Feb 12 07:44:38 2008
From: jwelch at bynkii.com (John C. Welch)
Date: Tue Feb 12 07:44:48 2008
Subject: ZFS (was Reliable Firewire drives)
In-Reply-To: <02DF8A3B-0639-4D7C-8F48-5D154A1D8A04@iwiring.net>
Message-ID:

On 02/12/2008 09:26 AM, "Dan Shoop" wrote:

>> The story could also be used to point out that block-wise copies of
>> file systems are a bad idea. It is obvious that you should do
>> logical copies of the file system (copying file by file), to avoid
>> carrying block-level faults (file system, hardware error, or
>> otherwise) to your precious backup copy.
>>
>> The story is about poor recovery planning first, bug in file system
>> second.
>
>
> Neither one should have occurred had only the sysadmins been
> exercising any modicum of due diligence.

They were. They had a planned upgrade. The bug hit before they could.
Not upgrading just because you can is the definition of "due
diligence".

>
> I suppose John will say that this is his point, that it's not a magic
> pill, but like in every fairy tale I've ever seen the hero never use
> the old version of the magic spell either nor does he slay the wrong
> dragon or try to win the affections of the princesses aging stepmother.

In fairy tales, there's no versioning. It's magic. That's why the
perfection of ZFS or any software is a fairy tale. Because for it to
be perfect, it relies on magic and magical thinking.
I haven't yet seen claims that ZFS will make your teeny peenie larger, or whip up a great fondue, but they aren't *far* from it. The computer industry is always looking for the next magic spell, and as such, they are doomed to failure. ZFS is, without doubt, one of the first rethinking of the basic FS that isn't a "Database Filesystems are the magical future", and it has many good points. However, it is not the perfect FS for all needs. It is a useful tool when used correctly, nothing more. > > One might point out that one of ZFS's engineering goals is to assure > block-wise errors are detected if not fixed, and has a lot of magic > associated with this; but using an unstable and outdated version (by > well over a year) and ignoring updates that address significant major > fixes, is ignoring your job. Your tools can only do their tricks if > you keep them in working order. I don't expect a broken hammer to > drive nails and shouldn't complain when its head flies off as I try to > drive a nail and hits me in the face. However, you also don't trade in a working hammer because there's a new version out when you're in the middle of a nail. You plan your new hammer, and upgrade when it's appropriate. Sometimes that does in fact, take a year. Sometimes it takes days. Perhaps if there were less magical thinking about ZFS, the assumption that you can delay bug patches wouldn't have happened and they'd have upgraded sooner. However, that would require the industry to stop shoving its collective ego in every orifice that slows down long enough, and that's just never going to happen. -- John C. 
Welch Writer/Analyst Bynkii.com Mac and other opinions jwelch@bynkii.com From grail at goldweb.com.au Tue Feb 12 14:30:02 2008 From: grail at goldweb.com.au (Alex Satrapa) Date: Tue Feb 12 14:30:12 2008 Subject: ZFS (was Reliable Firewire drives) In-Reply-To: <02DF8A3B-0639-4D7C-8F48-5D154A1D8A04@iwiring.net> References: <0B98DAE9-BF9F-4E61-B486-7E9E0139B8E3@goldweb.com.au> <02DF8A3B-0639-4D7C-8F48-5D154A1D8A04@iwiring.net> Message-ID: <8B5AD4F2-7221-4591-BCE4-EB5497C06914@goldweb.com.au> On 13/02/2008, at 02:26 , Dan Shoop wrote: > Neither one should have occurred had only the sysadmins been > exercising any modicum of due diligence. Even if only one had occurred, the problem would not have presented itself. Doing a file-by-file copy means you insure yourself from errors in the source file system. Doing a verification restore means you can be alerted to the fact that your backup copy doesn't work, which will give you the opportunity to fix the underlying problem before you have to rely on it. But I agree with the principle of your statement. To everyone else on this list, take the original story as a warning - if you're doing backups, you really do need to restore from the backup to a scratch drive, and verify that the recovered copy is close enough to the original to be of value to you. It's worth remounting filesystems with "access time" turned off for the verification part, to save about up to 50% of your time ;) > Your tools can only do their tricks if you keep them in working > order. I don't expect a broken hammer to drive nails and shouldn't > complain when its head flies off as I try to drive a nail and hits > me in the face. Especially not when the vendor has already warned you that the head will fly off. 
Alex From scott_ribe at killerbytes.com Wed Feb 13 17:05:54 2008 From: scott_ribe at killerbytes.com (Scott Ribe) Date: Wed Feb 13 17:06:01 2008 Subject: Free VXA tapes Message-ID: 7 unopened VX17 tapes shipped via ground (at my convenience) to the first person to respond. (No longer using the drive for backup.) -- Scott Ribe scott_ribe@killerbytes.com http://www.killerbytes.com/ (303) 722-0567 voice From surajrai at mac.com Tue Feb 19 06:04:48 2008 From: surajrai at mac.com (Suraj Rai) Date: Tue Feb 19 06:04:55 2008 Subject: XServe RAID - No longer available? Message-ID: Looks like the XServe RAID product has been decommissioned by Apple following the announcement for XSan2. Looks like they are recommending "Promise RAID" solution. http://www.apple.com/server/storage/ How long before XServe itself is also taken out? S.r. From jearle at gmail.com Tue Feb 19 06:31:32 2008 From: jearle at gmail.com (Jared Earle) Date: Tue Feb 19 06:31:36 2008 Subject: XServe RAID - No longer available? In-Reply-To: References: Message-ID: <5bbc0cd60802190631mfcef233hbfde21ad03e230bc@mail.gmail.com> On Feb 19, 2008 2:04 PM, Suraj Rai wrote: > How long before XServe itself is also taken out? Not likely. -- Jared Earle :: There is no SPORK jearle@gmail.com :: http://www.23x.net The Spodcast :: http://spodcast.org From jwelch at bynkii.com Tue Feb 19 08:32:32 2008 From: jwelch at bynkii.com (John C. Welch) Date: Tue Feb 19 08:32:44 2008 Subject: XServe RAID - No longer available? In-Reply-To: Message-ID: On 02/19/2008 08:04 AM, "Suraj Rai" wrote: > Looks like the XServe RAID product has been decommissioned by Apple > following the announcement for XSan2. Looks like they are > recommending "Promise RAID" solution. > > http://www.apple.com/server/storage/ Yep. About time they made a decision on that -- John C. 
Welch Writer/Analyst Bynkii.com Mac and other opinions jwelch@bynkii.com From lynlist at nowdata.com Tue Feb 19 07:43:04 2008 From: lynlist at nowdata.com (Lyn) Date: Tue Feb 19 09:49:48 2008 Subject: XServe RAID - No longer available? In-Reply-To: References: Message-ID: Great. I just dropped $8,000 on an XServe RAID in January. Lyn On Feb 19, 2008, at 8:04 AM, Suraj Rai wrote: > Looks like the XServe RAID product has been decommissioned by Apple > following the announcement for XSan2. Looks like they are > recommending "Promise RAID" solution. > > http://www.apple.com/server/storage/ > > How long before XServe itself is also taken out? > > S.r. From jwelch at bynkii.com Tue Feb 19 10:13:57 2008 From: jwelch at bynkii.com (John C. Welch) Date: Tue Feb 19 10:14:07 2008 Subject: XServe RAID - No longer available? In-Reply-To: Message-ID: On 02/19/2008 09:43 AM, "Lyn" wrote: > Great. I just dropped $8,000 on an XServe RAID in January. > > Lyn > > On Feb 19, 2008, at 8:04 AM, Suraj Rai wrote: > >> Looks like the XServe RAID product has been decommissioned by Apple >> following the announcement for XSan2. Looks like they are >> recommending "Promise RAID" solution. >> >> http://www.apple.com/server/storage/ >> >> How long before XServe itself is also taken out? Okay. That Xserve RAID is still just as qualified to the task you needed it for as it was in Jan. It isn't going to burst into flames, nor will it stop working because of this. Your support contracts, if any, for it, will still be in use. What this means is that for the foreseeable future, Apple's out of the RAID business, which, considering the commoditization of that segment, makes sense. They were getting killed in their market, unless you had a real need for Apple - branding, they were getting killed on the high end, and on the low end too. Within the last year or so, there wasn't much the Xserve RAID was better at other than being an Apple-branded RAID. -- John C. 
Welch Writer/Analyst Bynkii.com Mac and other opinions jwelch@bynkii.com From brett.dikeman at gmail.com Tue Feb 19 12:38:19 2008 From: brett.dikeman at gmail.com (Brett Dikeman) Date: Tue Feb 19 12:38:24 2008 Subject: XServe RAID - No longer available? In-Reply-To: References: Message-ID: <9d9c4a330802191238rffef16aw9ecc043561108256@mail.gmail.com> On Feb 19, 2008 9:04 AM, Suraj Rai wrote: > Looks like the XServe RAID product has been decommissioned by Apple Whoa. http://www.appleinsider.com/articles/07/01/19/sata_based_xserve_raid_prototype_escapes_from_apple_photos.html Either Apple did an about-face, or someone killed a lot of time in Photoshop on the above! > following the announcement for XSan2. Looks like they are > recommending "Promise RAID" solution. Ugh. They're about 1-2 steps from the bottom of the barrel in the RAID controller market; I have no experience with their disk array units, but given how bad support and drivers were for the controllers, this isn't encouraging. There had to have been someone better to go with... Then again, given how bad the Xraid was, it's hard to fall off the floor... > How long before XServe itself is also taken out? I'd say "never"- it fills a market segment nothing else can. It may be substantially changed, but there will always be something for a server/cluster node. Also, Jobs has consistently maintained that licensing was a gigantic mistake. It was (both in terms of competition they couldn't handle, and a bad experience for users on clone hardware hurting their brand image.) Brett From PERBIX at lmsd.org Tue Feb 19 16:47:46 2008 From: PERBIX at lmsd.org (Perbix, Michael) Date: Tue Feb 19 16:57:41 2008 Subject: XServe RAID - No longer available? In-Reply-To: <9d9c4a330802191238rffef16aw9ecc043561108256@mail.gmail.com> Message-ID: <06A81E8192910B41B2B3FFD57535BCF75B226E5D02@MS1.lmsd.org> I have two Xserve Raid units that are fully loaded with HD's and used extensively for our imaging and file servers. 
They have been work horses with 0 (Zero, nichts, nothing, zilch) trouble. One is running on 5 years old (purchased in 2003) and other than 2 HD's that went south...no problems at all. These raids have been perfect for my need. Now we also have a monster honkin' EMC SAN with Fiber Channel that serves as storage for all our Windows servers. Has all the enterprise features etc etc etc..... But, I would say that I bought these Raids for a specific function, and I have gotten way more out of them than I originally planned. -Mike -----Original Message----- From: macosx-admin-bounces@omnigroup.com [mailto:macosx-admin-bounces@omnigroup.com] On Behalf Of Brett Dikeman Sent: Tuesday, February 19, 2008 3:38 PM To: Suraj Rai Cc: Omni List Subject: Re: XServe RAID - No longer available? On Feb 19, 2008 9:04 AM, Suraj Rai wrote: > Looks like the XServe RAID product has been decommissioned by Apple Whoa. http://www.appleinsider.com/articles/07/01/19/sata_based_xserve_raid_prototype_escapes_from_apple_photos.html Either Apple did an about-face, or someone killed a lot of time in Photoshop on the above! > following the announcement for XSan2. Looks like they are > recommending "Promise RAID" solution. Ugh. They're about 1-2 steps from the bottom of the barrel in the RAID controller market; I have no experience with their disk array units, but given how bad support and drivers were for the controllers, this isn't encouraging. There had to have been someone better to go with... Then again, given how bad the Xraid was, it's hard to fall off the floor... > How long before XServe itself is also taken out? I'd say "never"- it fills a market segment nothing else can. It may be substantially changed, but there will always be something for a server/cluster node. Also, Jobs has consistently maintained that licensing was a gigantic mistake. It was (both in terms of competition they couldn't handle, and a bad experience for users on clone hardware hurting their brand image.) 
Brett _______________________________________________ MacOSX-admin mailing list MacOSX-admin@omnigroup.com http://www.omnigroup.com/mailman/listinfo/macosx-admin From grail at goldweb.com.au Tue Feb 19 17:43:29 2008 From: grail at goldweb.com.au (Alex Satrapa) Date: Tue Feb 19 17:43:42 2008 Subject: XServe RAID - No longer available? In-Reply-To: <06A81E8192910B41B2B3FFD57535BCF75B226E5D02@MS1.lmsd.org> References: <06A81E8192910B41B2B3FFD57535BCF75B226E5D02@MS1.lmsd.org> Message-ID: On 20/02/2008, at 11:47 , Perbix, Michael wrote: > ... Now we also have a monster honkin' EMC SAN with Fiber Channel > that serves as storage for all our Windows servers. Has all the > enterprise features etc etc etc... Sort-of on the same topic, has anyone here played with a Drobo? How well do they compare to the other RAID options that you've played with in that price-range (~$US500)? I've just had my first disk failure in one of my LaCie Big Disk Extremes, and rather than replace it with yet another Raid 1 enclosure, I'm thinking about getting a Drobo instead. My main concern being that it will be connected to my AirPort Extreme Base Station, so I can't use software RAID. Alex From marksteinberg at textiletech.com Tue Feb 19 18:08:37 2008 From: marksteinberg at textiletech.com (Mark Steinberg) Date: Tue Feb 19 18:13:53 2008 Subject: XServe RAID - No longer available? In-Reply-To: References: <06A81E8192910B41B2B3FFD57535BCF75B226E5D02@MS1.lmsd.org> Message-ID: <3CD0699D-E3D1-4FD9-85C6-81E7CEEA6175@textiletech.com> Check out this review that came out today. Make sure to read all the user comments. I seriously looked at it about 4 months ago and decided not to use it due to the non standard disk formatting and issues with multimedia files. http://ihnatko.com/index.php/2008/02/18/sun-times-drobo-and-droboshare/ Mark On Feb 19, 2008, at 8:43 PM, Alex Satrapa wrote: > On 20/02/2008, at 11:47 , Perbix, Michael wrote: > >> ... 
Now we also have a monster honkin' EMC SAN with Fiber Channel >> that serves as storage for all our Windows servers. Has all the >> enterprise features etc etc etc... > > Sort-of on the same topic, has anyone here played with a Drobo? > > How well do they compare to the other RAID options that you've > played with in that price-range (~$US500)? > > I've just had my first disk failure in one of my LaCie Big Disk > Extremes, and rather than replace it with yet another Raid 1 > enclosure, I'm thinking about getting a Drobo instead. My main > concern being that it will be connected to my AirPort Extreme Base > Station, so I can't use software RAID. > > Alex > > _______________________________________________ > MacOSX-admin mailing list > MacOSX-admin@omnigroup.com > http://www.omnigroup.com/mailman/listinfo/macosx-admin From sglewis at mac.com Wed Feb 20 20:04:56 2008 From: sglewis at mac.com (Scott Lewis) Date: Wed Feb 20 20:05:08 2008 Subject: XServe RAID - No longer available? In-Reply-To: <9d9c4a330802191238rffef16aw9ecc043561108256@mail.gmail.com> References: <9d9c4a330802191238rffef16aw9ecc043561108256@mail.gmail.com> Message-ID: On Feb 19, 2008, at 3:38 PM, Brett Dikeman wrote: > Ugh. They're about 1-2 steps from the bottom of the barrel in the > RAID controller market; I have no experience with their disk array > units, but given how bad support and drivers were for the controllers, > this isn't encouraging. There had to have been someone better to go > with... Promise isn't bad on the lower end of the scale. I had the occasion to use a couple of them at a client that was very much cash strapped. If this is similar to the cabinet I used, drivers don't come into play. The situation I ran into was a client with a cheap budget, and an older app running SCO OpenServer 5.0.6 specifically (very old, and for a variety of reasons they couldn't upgrade as it was the last version THIS application could run on). 
The problem I was finding in upgrading their server hardware after a failure was driver support. The Promise boxes had 16 SATA drive bays (hot swap), and presented two Ultra SCSI interfaces to the server. All RAID was built in, so you did not need a RAID controller, you could telnet to the Promise box and configure LUNs internally, but to the server, it looked like a regular SCSI connection. This allowed my client to use a cheap Adaptec SCSI adapter, that was supported by this very old SCO OS. For the price, it performed extremely well. It was also nice to be able to use off the shelf SATA drives (and presumably SAS drives in their SAS version), installing them into the Promise carriers. Compared to many "top tier" brands, where you pay a huge premium for the same drive. Ever compare the price of a Seagate Fibre Channel drive versus what EMC charges for their "version"? From Philip.Moetteli at tele2.ch Mon Feb 25 09:47:55 2008 From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=) Date: Mon Feb 25 10:48:06 2008 Subject: Can't su anymore Message-ID: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> Hi, Since the update to Leopard, I can't 'su' to root anymore: $ su - root Password: su: Sorry In the security log, I have the following entry: com.apple.SecurityServer[20]: checkpw() returned -2; failed to authenticate user root (uid 0) 21.02.08 15:59:29 su[24444] pam_authenticate: Permission denied But, I can login as root on the console, which also proves, that the root user is in fact activated. When logged in as root on the console, I can do root # su someotheruser someotheruser % su root # So, being in the root console, I can 'su' to root - though the prompt changes. 
Thanks for any help Phil From jearle at gmail.com Mon Feb 25 11:56:20 2008 From: jearle at gmail.com (Jared Earle) Date: Mon Feb 25 11:56:24 2008 Subject: Can't su anymore In-Reply-To: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> Message-ID: <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> On Mon, Feb 25, 2008 at 5:47 PM, Philip Mötteli wrote: > So, being in the root console, I can 'su' to root - though the prompt > changes. Does "sudo su -" work? -- Jared Earle :: There is no SPORK jearle@gmail.com :: http://www.23x.net The Spodcast :: http://spodcast.org From donmontalvo at mac.com Mon Feb 25 13:08:45 2008 From: donmontalvo at mac.com (Don Montalvo) Date: Mon Feb 25 13:10:50 2008 Subject: Can't su anymore In-Reply-To: <20080225200006.CADCBDEE94@forums.omnigroup.com> References: <20080225200006.CADCBDEE94@forums.omnigroup.com> Message-ID: <336C8AB9-F876-47EF-938F-B32951FBDA9E@mac.com> "Jared Earle" wrote: > On Mon, Feb 25, 2008 at 5:47 PM, Philip Mötteli > wrote: >> So, being in the root console, I can 'su' to root - though the prompt >> changes. > > Does "sudo su -" work? 
I use "sudo -s" From Agustin.Diez at uv.es Mon Feb 25 11:56:44 2008 From: Agustin.Diez at uv.es (Agustin Diez Castillo) Date: Mon Feb 25 13:11:34 2008 Subject: Can't su anymore In-Reply-To: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> Message-ID: <6258418796adiez@uv.es> maybe this is what happens to me with applejack in single user mode it says something like the root GID is wrong > Hi, > > > Since the update to Leopard, I can't 'su' to root anymore: > > $ su - root > Password: > su: Sorry > > > In the security log, I have the following entry: > > com.apple.SecurityServer[20]: checkpw() returned -2; failed to > authenticate user root (uid 0) > 21.02.08 15:59:29 su[24444] pam_authenticate: Permission denied > > > But, I can login as root on the console, which also proves, that the > root user is in fact activated. > When logged in as root on the console, I can do > > root # su someotheruser > someotheruser % su > root # > > > So, being in the root console, I can 'su' to root - though the prompt > changes. > > > Thanks for any help > Phil > _______________________________________________ > MacOSX-admin mailing list > MacOSX-admin@omnigroup.com > http://www.omnigroup.com/mailman/listinfo/macosx-admin > > From kremels at kreme.com Mon Feb 25 15:51:54 2008 From: kremels at kreme.com (LuKreme) Date: Mon Feb 25 15:56:21 2008 Subject: Can't su anymore In-Reply-To: <336C8AB9-F876-47EF-938F-B32951FBDA9E@mac.com> References: <20080225200006.CADCBDEE94@forums.omnigroup.com> <336C8AB9-F876-47EF-938F-B32951FBDA9E@mac.com> Message-ID: <8EA52236-37C0-4EF4-BFD9-E29636AF3A69@kreme.com> On 25-Feb-2008, at 14:08, Don Montalvo wrote: > "Jared Earle" wrote: >> On Mon, Feb 25, 2008 at 5:47 PM, Philip Mötteli >> wrote: >>> So, being in the root console, I can 'su' to root - though the >>> prompt >>> changes. >> >> Does "sudo su -" work? 
> > I use "sudo -s" But that is not the same thing as sudo su - -- Hi, I'm Gary Cooper, but not the Gary Cooper that's dead. From johnmusbach1 at gmail.com Mon Feb 25 17:34:46 2008 From: johnmusbach1 at gmail.com (John Musbach) Date: Mon Feb 25 17:34:54 2008 Subject: Can't su anymore In-Reply-To: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> Message-ID: <17c8e29e0802251734x24f16b8cq7c84078d0d8f1aee@mail.gmail.com> On Mon, Feb 25, 2008 at 9:47 AM, Philip Mötteli wrote: > Hi, > > > Since the update to Leopard, I can't 'su' to root anymore: > > $ su - root > Password: > su: Sorry > Are you by chance operating under a normal privilege account? If so then this is expected behavior. In order to elevate privileges to the root level you must first authenticate as a user who has administrative privileges. Also, for security reasons it is not recommended that you have the root account enabled. Instead, use "sudo command" to temporarily provide root privileges when needed for "command" and if absolutely necessary (use sparingly!) use "sudo -s" to get a root prompt. Additionally, it is preferred for security reasons that day to day operations are run under a user account with normal privileges and that a secondary administrative account be created so that it can be su'd to when the need to use sudo (or do other administrative tasks such as install new programs) arises. 
-- Best Regards, John Musbach From shoop at iwiring.net Mon Feb 25 21:23:38 2008 From: shoop at iwiring.net (Dan Shoop) Date: Mon Feb 25 21:38:59 2008 Subject: Can't su anymore In-Reply-To: <8EA52236-37C0-4EF4-BFD9-E29636AF3A69@kreme.com> References: <20080225200006.CADCBDEE94@forums.omnigroup.com> <336C8AB9-F876-47EF-938F-B32951FBDA9E@mac.com> <8EA52236-37C0-4EF4-BFD9-E29636AF3A69@kreme.com> Message-ID: <63CFB971-8175-48CA-87BD-67C60E040B77@iwiring.net> On Feb 25, 2008, at 6:51 PM, LuKreme wrote: > On 25-Feb-2008, at 14:08, Don Montalvo wrote: >> "Jared Earle" wrote: >>> On Mon, Feb 25, 2008 at 5:47 PM, Philip Mötteli >>> wrote: >>>> So, being in the root console, I can 'su' to root - though the >>>> prompt >>>> changes. >>> >>> Does "sudo su -" work? >> >> I use "sudo -s" > > > But that is not the same thing as sudo su - Not always, but normally so, yes. If root had some shell different than the invoker's then it could be different. On Feb 25, 2008, at 8:34 PM, John Musbach wrote: > Also, for security reasons it is not > recommended that you have the root account enabled. Instead, use "sudo > command" to temporarily provide root privileges when needed for > "command" and if absolutely necessary (use sparingly!) use "sudo -s" > to get a root prompt. Additionally, it is preferred for security > reasons that day to day operations are run under a user account with > normal privileges and that a secondary administrative account be > created so that it can be su'd to when the need to use sudo (or do > other administrative tasks such as install new programs) arises. YMMV. These "recommendations" and "preferences" are just the way some view this "concern". "Day to day" non-root operations, like reading email and surfing porn, are not generally done from the root account anyway, leaving the account used for, well the same exact tasks you'd have to sudo about with. So this buys you little overall. However it does make certain types who enjoy security theater happier. 
In reality logging into the root account (perhaps via ssh from a specifically permitted machine/network using keys) and performing tasks x, y & z adds no real security than sudo x, sudo y sudo z. ...and then there's the issue that sudo might not give you the same exact environment that the root user has, which makes running (or testing) certain processes potentially problematic. Meanwhile the root account should be enabled in many specific cases for OS X [Server], is enabled by default, and having it enabled, especially using keys, allows you to connect to the machine in circumstances where Password Services get fubar. So there are many rationales to support enabling the root account. So basically there's argument to be had either way. Personally, as an old curmudgeon that has been using the root account longer than sudo's juvenile existence I see no reason to change *my* best practices. Just my $0.02 -dhan ------------------------------------------------------------------------ Dan Shoop Computer Scientist iWiring / U.S. Technical Services shoop@iwiring.net AOL IM .................... iWiring Nextel .................... 1-714-363-1174 Operations TOC (24/7) ..... 1-866-901-USTS USTS Offices .............. 1-714-374-6300 For immediate response for urgent matters please speak to the Duty Officer at the USTS Tactical Operations Center (above) who can reach me by radio. From Philip.Moetteli at tele2.ch Mon Feb 25 23:21:54 2008 From: Philip.Moetteli at tele2.ch (=?WINDOWS-1252?Q?Philip_M=F6tteli?=) Date: Tue Feb 26 00:21:59 2008 Subject: Can't su anymore In-Reply-To: <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> Message-ID: <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> On 25.02.2008 at 20:56, Jared Earle wrote: > On Mon, Feb 25, 2008 at 5:47 PM, Philip Mötteli > wrote: >> So, being in the root console, I can 'su' to root - 
though the prompt >> changes. > > Does "sudo su -" work? Yes. On 25.02.2008 at 22:08, Don Montalvo wrote: >> Does "sudo su -" work? Yes. On 26.02.2008 at 02:34, John Musbach wrote: > On Mon, Feb 25, 2008 at 9:47 AM, Philip Mötteli > wrote: >> Since the update to Leopard, I can't 'su' to root anymore: >> >> $ su - root >> Password: >> su: Sorry >> > > Are you by chance operating under a normal privilege account? $ groups staff wheel daemon sys _lpadmin _appserveradm com.apple.sharepoint.group.1 _appserverusr admin > Also, for security reasons it is not > recommended that you have the root account enabled. On Mac OS X Server it is enabled by default. So, it seems, that 'sudo' does work, but 'su' not. I still have no idea, why this is the case. But perhaps somebody here knows? Thanks Phil From jearle at gmail.com Tue Feb 26 02:05:21 2008 From: jearle at gmail.com (Jared Earle) Date: Tue Feb 26 02:05:32 2008 Subject: Can't su anymore In-Reply-To: <63CFB971-8175-48CA-87BD-67C60E040B77@iwiring.net> References: <20080225200006.CADCBDEE94@forums.omnigroup.com> <336C8AB9-F876-47EF-938F-B32951FBDA9E@mac.com> <8EA52236-37C0-4EF4-BFD9-E29636AF3A69@kreme.com> <63CFB971-8175-48CA-87BD-67C60E040B77@iwiring.net> Message-ID: <5bbc0cd60802260205t21fb672cl53b7a95c200273f3@mail.gmail.com> On Tue, Feb 26, 2008 at 5:23 AM, Dan Shoop wrote: > > On Feb 25, 2008, at 6:51 PM, LuKreme wrote: > > On 25-Feb-2008, at 14:08, Don Montalvo wrote: > >> "Jared Earle" wrote: > >>> Does "sudo su -" work? > >> > >> I use "sudo -s" > > > > But that is not the same thing as sudo su - > > Not always, but normally so, yes. If root had some shell different > than the invoker's then it could be different. Apart from $HOME and .bashrc/.env are vastly different, for instance. As "sudo -s", type "cd && pwd" and see where you are. Now try this after "sudo su -". Your environments are, of course, completely different. 
I personally use "sudo -s" more than "sudo su -" but I do so precisely because I don't want to have root's environment. I presume the OP was asking to get su working precisely because he does want root's env. -- Jared Earle :: There is no SPORK jearle@gmail.com :: http://www.23x.net The Spodcast :: http://spodcast.org From luttgens at fusl.ac.be Tue Feb 26 02:45:13 2008 From: luttgens at fusl.ac.be (Axel Luttgens) Date: Tue Feb 26 03:05:31 2008 Subject: Can't su anymore In-Reply-To: <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> Message-ID: On 26 Feb 08 at 08:21, Philip Mötteli wrote: > [...] > > > So, it seems, that 'sudo' does work, but 'su' not. > I still have no idea, why this is the case. But perhaps somebody > here knows? Hello Phil, Could you show us the output of dscl . read /Users/root TIA, Axel From Philip.Moetteli at tele2.ch Tue Feb 26 05:25:40 2008 From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=) Date: Tue Feb 26 05:25:43 2008 Subject: Can't su anymore In-Reply-To: References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> Message-ID: On 26.02.2008 at 11:45, Axel Luttgens wrote: > On 26 Feb 08 at 08:21, Philip Mötteli wrote: > >> [...] >> >> >> So, it seems, that 'sudo' does work, but 'su' not. >> I still have no idea, why this is the case. But perhaps somebody >> here knows? > > Could you show us the output of > > dscl . read /Users/root # dscl . 
read /Users/root AppleMetaNodeLocation: /Local/Default AuthenticationAuthority : ;ShadowHash ; ;Kerberosv5 ;;root @LKDC:SHA1.8416ACCDD2522F287C91170EBB2710BFA9D47949 ;LKDC:SHA1.8416ACCDD2522F287C91170EBB2710BFA9D47949; GeneratedUID: BE293589-E6E9-47F9-B866-010821C503B0 NFSHomeDirectory: /var/root Password: ******** PrimaryGroupID: 0 RealName: System Administrator RecordName: root RecordType: dsRecTypeStandard:Users UniqueID: 0 UserShell: /bin/bash From luttgens at fusl.ac.be Tue Feb 26 05:43:29 2008 From: luttgens at fusl.ac.be (Axel Luttgens) Date: Tue Feb 26 05:43:33 2008 Subject: Can't su anymore In-Reply-To: References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> Message-ID: <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> On 26 Feb 08 at 14:25, Philip Mötteli wrote: >> [...] > > # dscl . read /Users/root > [...] > AuthenticationAuthority > : ;ShadowHash > ; ;Kerberosv5 > ;;root > @LKDC:SHA1.8416ACCDD2522F287C91170EBB2710BFA9D47949 > ;LKDC:SHA1.8416ACCDD2522F287C91170EBB2710BFA9D47949; > [...] So, the local root user doesn't seem to be disabled. Are you sure not to have forgotten its password? ;-) On the other hand, on 25 Feb 08 at 18:47, you wrote: > [...] > > But, I can login as root on the console, which also proves, that the > root user is in fact activated. > > [...] What did you exactly mean by logging in at the console? 
Axel From Philip.Moetteli at tele2.ch Tue Feb 26 05:57:04 2008 From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=) Date: Tue Feb 26 05:57:07 2008 Subject: Can't su anymore In-Reply-To: <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> Message-ID: <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> On 26.02.2008 at 14:43, Axel Luttgens wrote: > On 26 Feb 08 at 14:25, Philip Mötteli wrote: > >>> [...] >> >> # dscl . read /Users/root >> [...] >> AuthenticationAuthority >> : ;ShadowHash >> ; ;Kerberosv5 >> ;;root >> @LKDC:SHA1.8416ACCDD2522F287C91170EBB2710BFA9D47949 >> ;LKDC:SHA1.8416ACCDD2522F287C91170EBB2710BFA9D47949; >> [...] > > > So, the local root user doesn't seem to be disabled. > Are you sure not to have forgotten its password? ;-) > On the other hand, on 25 Feb 08 at 18:47, you wrote: > >> [...] >> >> But, I can login as root on the console, which also proves, that >> the root user is in fact activated. >> >> [...] > > What did you exactly mean by logging in at the console? That I can login from the login panel, sitting in front of the computer (as root). From zpamaral at gmail.com Tue Feb 26 10:45:03 2008 From: zpamaral at gmail.com (=?ISO-8859-1?Q?Jos=E9_Pedro_do_Amaral?=) Date: Tue Feb 26 10:45:15 2008 Subject: Can't su anymore In-Reply-To: <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> Message-ID: <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> Hi, Looks like you have GNU su before Mac OS X su in your path. 
Did you install coreutils (GNU su is part of that package)?
If you do "locate bin/su" do you get more than one su?
What happens if you try /usr/bin/su (or /usr/bin/su -)?

I had exactly the same problem: su (/usr/local/bin/su) would not work, whereas /usr/bin/su did.

ZP

--
José Pedro Sousa do Amaral

In Riemann, Hilbert or in Banach space
Let superscripts and subscripts go their ways.
Our asymptotes no longer out of phase,
We shall encounter, counting, face to face.
-- Stanislaw Lem

From j.mccuistion at teachnet.edb.utexas.edu Tue Feb 26 10:59:28 2008
From: j.mccuistion at teachnet.edb.utexas.edu (Jeff McCuistion)
Date: Tue Feb 26 11:08:58 2008
Subject: TimeMachine Ext HDD
Message-ID:

I'm looking to purchase a new external hard drive for a Intel iMac. I've heard there are several manufacturers whose hard drives have a lot of problems with Leopard's TimeMachine. Can anyone steer me in the right direction? Also, I don't know if it matters, but I want to partition the drive and have one partition for TimeMachine and one for media. I need at least 500GB. Thanks!

From mgf at mgfconsulting.net Tue Feb 26 11:10:51 2008
From: mgf at mgfconsulting.net (Mike Friedman)
Date: Tue Feb 26 11:11:10 2008
Subject: TimeMachine Ext HDD
In-Reply-To:
References:
Message-ID:

I'm using a Seagate FreeAgent 500 GB drive, with no problems. It was about $125 too, with a 5 year warranty.

On Feb 26, 2008, at 10:59 AM, Jeff McCuistion wrote:

> I'm looking to purchase a new external hard drive for a Intel iMac.
> I've heard there are several manufacturers whose hard drives have a
> lot of problems with Leopard's TimeMachine. Can anyone steer me in
> the right direction? Also, I don't know if it matters, but I want to
> partition the drive and have one partition for TimeMachine and one
> for media. I need at least 500GB. Thanks!
>
>
>
>
>
> _______________________________________________
> MacOSX-admin mailing list
> MacOSX-admin@omnigroup.com
> http://www.omnigroup.com/mailman/listinfo/macosx-admin

=======================
Mike Friedman
MGF Consulting
Computers without Attitude
http://www.mgfconsulting.net
415-648-6560 (office)
415-823-9990 (mobile)
Yahoo Messenger/AIM: sfmike64

From neil at laubenthal.net Tue Feb 26 11:39:22 2008
From: neil at laubenthal.net (Neil Laubenthal)
Date: Tue Feb 26 11:39:26 2008
Subject: TimeMachine Ext HDD
In-Reply-To:
References:
Message-ID: <20080226143922.xx7irk6vdsdsswgg@webmail.his.com>

I always recommend drives from OWC . . . www.macsales.com. Buy their Mercury Elite Pro Aluminum line, get whichever interface set you like from the various combinations of USB2/FW400/FW800/eSata, and get the largest 7200 rpm Seagate Barracuda mechanism in it that you can afford. You'll pay a little more for a Barracuda; but the quality/reliability is worth it. The dual FW/USB2 model with a 750 GB Barracuda is $299.

Quoting Jeff McCuistion :

> I'm looking to purchase a new external hard drive for a Intel iMac.
> I've heard there are several manufacturers whose hard drives have a lot
> of problems with Leopard's TimeMachine. Can anyone steer me in the
> right direction? Also, I don't know if it matters, but I want to
> partition the drive and have one partition for TimeMachine and one for
> media. I need at least 500GB. Thanks!
>

--
There are only three kinds of stress . . .your basic nuclear stress, cooking stress, and A$$ho1e stress. The key to relating them is . . . Jello.

neil

From fan at cns.nyu.edu Tue Feb 26 13:08:52 2008
From: fan at cns.nyu.edu (fan@cns.nyu.edu)
Date: Tue Feb 26 13:21:51 2008
Subject: Can't su anymore
Message-ID: <200802262108.m1QL8qx08942@calaf.cns.nyu.edu>

I believe in order for a user to be able to do
su - root,
he or she has to be in the wheel group.

Does dscl . -read /groups/wheel GroupMembership contain
the person who is trying to do su - root ?

Best,
Paul

From johnmusbach1 at gmail.com Tue Feb 26 21:40:15 2008
From: johnmusbach1 at gmail.com (John Musbach)
Date: Tue Feb 26 21:40:31 2008
Subject: TimeMachine Ext HDD
In-Reply-To:
References:
Message-ID: <17c8e29e0802262140i5cc807dfu2a419daf48868c8c@mail.gmail.com>

On Tue, Feb 26, 2008 at 10:59 AM, Jeff McCuistion wrote:
> I'm looking to purchase a new external hard drive for a Intel iMac.
> I've heard there are several manufacturers whose hard drives have a
> lot of problems with Leopard's TimeMachine. Can anyone steer me in
> the right direction? Also, I don't know if it matters, but I want to
> partition the drive and have one partition for TimeMachine and one for
> media. I need at least 500GB. Thanks!

Hello, I bought from newegg an OEM IDE 500gb HD and a cheap Chinese i-rocks enclosure (firewire and usb) and have had no problems at all using it with time machine

--
Best Regards,
John Musbach

From Philip.Moetteli at tele2.ch Tue Feb 26 23:21:08 2008
From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=)
Date: Tue Feb 26 23:21:18 2008
Subject: Can't su anymore
In-Reply-To: <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com>
Message-ID: <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch>

On 26.02.2008 at 19:45, José Pedro do Amaral wrote:

> Looks like you have GNU su before Mac OS X su in your path.

Interesting question!

> Did you install coreutils (GNU su is part of that package)?

I indeed have installed Fink. So perhaps it has installed another 'su'.

> If you do "locate bin/su" do you get more than one su?
$ locate bin/su
/usr/bin/su
/usr/bin/sudo
/usr/bin/sum
$ whereis su
/usr/bin/su
$ which su
/usr/bin/su

> What happens if you try /usr/bin/su (or /usr/bin/su -)?

It works!
But why? I mean, 'which' gives exactly the same file.

Thanks!

Phil

From Philip.Moetteli at tele2.ch Tue Feb 26 23:22:39 2008
From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=)
Date: Tue Feb 26 23:22:42 2008
Subject: Can't su anymore
In-Reply-To: <200802262108.m1QL8qx08942@calaf.cns.nyu.edu>
References: <200802262108.m1QL8qx08942@calaf.cns.nyu.edu>
Message-ID:

On 26.02.2008 at 22:08, fan@cns.nyu.edu wrote:

> I believe in order for a user to be able to do
> su - root,

You're right.

> he or she has to be in the wheel group.

$ groups
staff wheel daemon sys _lpadmin _appserveradm com.apple.sharepoint.group.1 _appserverusr admin

> Does dscl . -read /groups/wheel GroupMembership contain
> the person who is trying to do su - root ?

Yes.

From johnmusbach1 at gmail.com Wed Feb 27 07:35:22 2008
From: johnmusbach1 at gmail.com (John Musbach)
Date: Wed Feb 27 07:35:28 2008
Subject: Can't su anymore
In-Reply-To: <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch>
Message-ID: <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com>

On Tue, Feb 26, 2008 at 11:21 PM, Philip Mötteli wrote:
> It works!
> But why? I mean, 'which' gives exactly the same file.

Can you paste the output of "echo $PATH" please?
--
Best Regards,
John Musbach

From Philip.Moetteli at tele2.ch Wed Feb 27 07:49:29 2008
From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=)
Date: Wed Feb 27 07:49:36 2008
Subject: Can't su anymore
In-Reply-To: <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com>
Message-ID: <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch>

On 27.02.2008 at 16:35, John Musbach wrote:

> On Tue, Feb 26, 2008 at 11:21 PM, Philip Mötteli
> wrote:
>> It works!
>> But why? I mean, 'which' gives exactly the same file.
>
> Can you paste the output of "echo $PATH" please?
$ echo $PATH
/sw/bin:/sw/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/moetteli:/usr/local/bin:/usr/X11/bin:/Users/moetteli/bin:/usr/X/bin:/usr/X11R6/bin

From zpamaral at gmail.com Wed Feb 27 10:16:49 2008
From: zpamaral at gmail.com (=?ISO-8859-1?Q?Jos=E9_Pedro_do_Amaral?=)
Date: Wed Feb 27 10:17:11 2008
Subject: Can't su anymore
In-Reply-To: <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch>
Message-ID: <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com>

On 27/02/2008, at 09:49, Philip Mötteli wrote:

>
> On 27.02.2008 at 16:35, John Musbach wrote:
>
>> On Tue, Feb 26, 2008 at 11:21 PM, Philip Mötteli
>> wrote:
>>> It works!
>>> But why? I mean, 'which' gives exactly the same file.
>>
>> Can you paste the output of "echo $PATH" please?
>
> $ echo $PATH
> /sw/bin:/sw/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/moetteli:/usr/
> local/bin:/usr/X11/bin:/Users/moetteli/bin:/usr/X/bin:/usr/X11R6/bin

Hi,

Those pesky /sw/bin and /sw/sbin take precedence, and I guess that the non-system su is in one of them...

You may edit your shell configuration file and add an alias for su to /usr/bin/su. That will fix it without thinking too much about Fink or your PATH.

ZP

--
José Pedro Sousa do Amaral

By the yard, life is hard.
By the inch, it's a cinch.
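The explanation offered above is that a directory listed ahead of /usr/bin on PATH supplies a different su. As an added example (not part of the thread; the function names are made up here, and THREAD_PATH is the PATH posted above with the mail's line wrap rejoined), these POSIX shell functions list what is searched before /usr/bin and report which file a bare command name resolves to by PATH lookup:

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# PATH as posted in the thread, rejoined where the mail wrapped it.
THREAD_PATH='/sw/bin:/sw/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/moetteli:/usr/local/bin:/usr/X11/bin:/Users/moetteli/bin:/usr/X/bin:/usr/X11R6/bin'

# path_entries [PATH_STRING]
# Print one search-path entry per line, in lookup order. An empty entry
# (leading, trailing or doubled colon) means the current directory and is
# printed as ".". The body is a subshell so IFS and 'set -f' do not leak.
path_entries() (
    # The appended ":" keeps a trailing empty entry from being dropped by
    # field splitting.
    search="${1-$PATH}:"
    set -f
    IFS=:
    for dir in $search; do
        printf '%s\n' "${dir:-.}"
    done
)

# path_matches NAME [PATH_STRING]
# Print every executable regular file called NAME on the search path, in the
# order the shell tries them. The first line is what a bare NAME runs, unless
# an alias, function or builtin of that name exists.
path_matches() {
    path_entries "${2-$PATH}" | while IFS= read -r dir; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
        fi
    done
}

# shadow_dirs SYSTEM_DIR [PATH_STRING]
# Print the entries searched before SYSTEM_DIR. A file dropped into any of
# them under a system tool's name runs instead of the system tool.
# Prints nothing and returns 1 if SYSTEM_DIR is not on the path.
shadow_dirs() {
    path_entries "${2-$PATH}" | (
        before=
        while IFS= read -r dir; do
            if [ "$dir" = "$1" ]; then
                printf '%s' "$before"
                exit 0
            fi
            before="$before$dir
"
        done
        exit 1
    )
}

# check_shadowing NAME SYSTEM_FILE [PATH_STRING]
# Returns 0 if PATH lookup of NAME lands on SYSTEM_FILE, 1 if another file is
# found first, 2 if NAME is not on the path at all.
check_shadowing() (
    first=$(path_matches "$1" "${3-$PATH}" | head -n 1)
    if [ -z "$first" ]; then
        echo "$1: not found on the search path"
        exit 2
    fi
    if [ "$first" = "$2" ]; then
        echo "$1: PATH lookup gives $2"
        exit 0
    fi
    echo "$1: $first is found before $2"
    exit 1
)

echo "Searched before /usr/bin in the posted PATH:"
shadow_dirs /usr/bin "$THREAD_PATH"
check_shadowing su /usr/bin/su || :
```

PATH lookup is only one layer: an alias or shell function named su is used before any file on PATH, so a clean result here points to the shell's own configuration.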
From kremels at kreme.com Wed Feb 27 22:19:50 2008
From: kremels at kreme.com (LuKreme)
Date: Wed Feb 27 22:19:54 2008
Subject: Can't su anymore
In-Reply-To: <63CFB971-8175-48CA-87BD-67C60E040B77@iwiring.net>
References: <20080225200006.CADCBDEE94@forums.omnigroup.com> <336C8AB9-F876-47EF-938F-B32951FBDA9E@mac.com> <8EA52236-37C0-4EF4-BFD9-E29636AF3A69@kreme.com> <63CFB971-8175-48CA-87BD-67C60E040B77@iwiring.net>
Message-ID: <2084F83A-D927-4176-AE60-477197E2F88B@kreme.com>

On 25-Feb-2008, at 22:23, Dan Shoop wrote:
> On Feb 25, 2008, at 6:51 PM, LuKreme wrote:
>> On 25-Feb-2008, at 14:08, Don Montalvo wrote:
>>> "Jared Earle" wrote:
>>>> On Mon, Feb 25, 2008 at 5:47 PM, Philip Mötteli
>>>> wrote:
>>>>> So, being in the root console, I can 'su' to root ? though the
>>>>> prompt
>>>>> changes.
>>>>
>>>> Does "sudo su -" work?
>>> I use "sudo -s"
>> But that is not the same thing as sudo su -
> Not always, but normally so, yes.

No, it is never the same thing. One causes sudo to invoke a shell as root. The other causes sudo to invoke su, which invokes a shell as root. They are similar, they do somewhat the same thing (but not exactly), they are not, however, the same thing:

[cerebus] ~ $ whoami
kreme
[cerebus] ~ $ sudo -s
[cerebus] ~ $ whoami
root
[cerebus] ~ $ exit
[cerebus] ~ $ sudo su -
cerebus:~ root# whoami
root

Notice the difference in the prompts? sudo su - invokes a whole new shell without your environment.

from man su:

     -l      Simulate a full login. The environment is discarded except for
             HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified
             as above. USER is set to the target login. PATH is set to
             ``/bin:/usr/bin''. TERM is imported from your current
             environment. The invoked shell is the target login's, and su
             will change directory to the target login's home directory.
             This option is identical to just passing "-", as in "su -".
man sudo:

     -s      The -s (shell) option runs the shell specified by the SHELL
             environment variable if it is set or the shell as specified in
             passwd(5).

So, sudo -s keeps all your existing settings (and aliases), while `su - ` does not.

--
You think you can catch Keyser Soze? You think a guy like that comes this close to getting caught, and sticks his head out? If he comes up for anything it'll be to get rid of me. After that? my guess is you'll never hear from him again.

From Philip.Moetteli at tele2.ch Wed Feb 27 23:05:07 2008
From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=)
Date: Wed Feb 27 23:05:10 2008
Subject: Can't su anymore
In-Reply-To: <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com>
Message-ID:

On 27.02.2008 at 19:16, José Pedro do Amaral wrote:

>
> On 27/02/2008, at 09:49, Philip Mötteli wrote:
>
>> On 27.02.2008 at 16:35, John Musbach wrote:
>>
>>> On Tue, Feb 26, 2008 at 11:21 PM, Philip Mötteli
>>> wrote:
>>>> It works!
>>>> But why? I mean, 'which' gives exactly the same file.
>>>
>>> Can you paste the output of "echo $PATH" please?
>>
>> $ echo $PATH
>> /sw/bin:/sw/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/moetteli:/usr/
>> local/bin:/usr/X11/bin:/Users/moetteli/bin:/usr/X/bin:/usr/X11R6/bin
>
> Those pesky /sw/bin and /sw/sbin take precedence, and I guess that
> the non-system su is in one of them...
There's no other su:

$ whereis su
/usr/bin/su

I can also test this with 'locate':

$ locate bin/su
/usr/bin/su
/usr/bin/sudo
/usr/bin/sum

Another proof is 'which', which shows me, which 'su' is actually chosen by the shell:

$ which su
/usr/bin/su

> You may edit your shell configuration file and add an alias for su
> to /usr/bin/su. That will fix it without thinking too much about
> Fink or your PATH.

Done.

From Philip.Moetteli at tele2.ch Thu Feb 28 00:53:09 2008
From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=)
Date: Thu Feb 28 00:53:14 2008
Subject: Can't su anymore
In-Reply-To: <47C6738E.1030700@wanadoo.fr>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com> <47C6738E.1030700@wanadoo.fr>
Message-ID: <491F9255-714F-45F9-996E-1082070E245F@tele2.ch>

On 28.02.2008 at 09:40, Martin Costabel wrote:

> Philip Mötteli wrote:
> []
>> There's no other su:
>> $ whereis su
>> /usr/bin/su
>
>> $ locate bin/su
>> /usr/bin/su
>> /usr/bin/sudo
>> /usr/bin/sum
>
>> $ which su
>> /usr/bin/su
>
> We don't know when your locate database was last updated,

Nightly.

> and /usr/bin/which is - or was until recently - a csh script, so
> when you use it from bash you are not sure it sees the same
> environment as your shell.

$ file /usr/bin/which
/usr/bin/which: Mach-O universal binary with 2 architectures
/usr/bin/which (for architecture i386): Mach-O executable i386
/usr/bin/which (for architecture ppc7400): Mach-O executable ppc

> You never said whether or not you have /sw/bin/su.
$ file /sw/bin/su
/sw/bin/su: cannot open `/sw/bin/su' (No such file or directory)

> As for proof, the fact that `su` and `/usr/bin/su` behave
> differently, as you claim, speaks for itself.

You're right. I think it's strange, too. And I tried to explain it like you. But I still don't have any 'su' elsewhere. At least, not that I could find one.

> Another remark is that your user seems to belong to a weird
> collection of groups for a non-root user.

What is a non-root user?

> It looks like you fiddled with groups, so maybe you also have a
> custom /etc/sudoers file?

Have a look (I didn't copy the out-commented parts):

# Defaults specification
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"

# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL

From costabel at wanadoo.fr Thu Feb 28 00:40:46 2008
From: costabel at wanadoo.fr (Martin Costabel)
Date: Thu Feb 28 01:34:58 2008
Subject: Can't su anymore
In-Reply-To:
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com>
Message-ID: <47C6738E.1030700@wanadoo.fr>

Philip Mötteli wrote:
[]
> There's no other su:
>
> $ whereis su
> /usr/bin/su
> $ locate bin/su
> /usr/bin/su
> /usr/bin/sudo
> /usr/bin/sum
> $ which su
> /usr/bin/su

To be strict, all this is no proof. We don't know when your locate database was last updated, and /usr/bin/which is - or was until recently - a csh script, so when you use it from bash you are not sure it sees the same environment as your shell. In bash you should use 'type -a'.

You never said whether or not you have /sw/bin/su.

As for proof, the fact that `su` and `/usr/bin/su` behave differently, as you claim, speaks for itself.

Another remark is that your user seems to belong to a weird collection of groups for a non-root user. It looks like you fiddled with groups, so maybe you also have a custom /etc/sudoers file? With that one you could produce all kinds of weird permission problems.

--
Martin

From luttgens at fusl.ac.be Thu Feb 28 01:47:29 2008
From: luttgens at fusl.ac.be (Axel Luttgens)
Date: Thu Feb 28 01:47:33 2008
Subject: Can't su anymore
In-Reply-To: <491F9255-714F-45F9-996E-1082070E245F@tele2.ch>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com> <47C6738E.1030700@wanadoo.fr> <491F9255-714F-45F9-996E-1082070E245F@tele2.ch>
Message-ID: <42ECA8EF-723A-4204-9A2C-C04AE9C355B3@fusl.ac.be>

On 28 Feb 08 at 09:53, Philip Mötteli wrote:

> On 28.02.2008 at 09:40, Martin Costabel wrote:
>
>> [...]
>> It looks like you fiddled with groups, so maybe you also have a
>> custom /etc/sudoers file?
>
> Have a look (I didn't copy the out-commented parts):
>
> [...]
Looks like to be rather standard. ;-)

But more directly related to su, perhaps has your
    /etc/authorization
file been modified (especially wrt to its key system.login.tty)?
Or even your
    /etc/pam.d/su
file?

On the other hand, could you try a:
    sudo find / -name su

(longer than just a locate, but sure more exhaustive; of course, should you have other volumes on which you have installed various "active" tools, the search should be done on those volumes too)

There must be an explanation...

Axel

From Philip.Moetteli at tele2.ch Thu Feb 28 02:24:47 2008
From: Philip.Moetteli at tele2.ch (=?ISO-8859-1?Q?Philip_M=F6tteli?=)
Date: Thu Feb 28 02:24:51 2008
Subject: Can't su anymore
In-Reply-To: <42ECA8EF-723A-4204-9A2C-C04AE9C355B3@fusl.ac.be>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com> <47C6738E.1030700@wanadoo.fr> <491F9255-714F-45F9-996E-1082070E245F@tele2.ch> <42ECA8EF-723A-4204-9A2C-C04AE9C355B3@fusl.ac.be>
Message-ID: <9A3216B2-14AB-4C00-A2E4-4F1AFFE913EE@tele2.ch>

On 28.02.2008 at 10:47, Axel Luttgens wrote:

> On 28 Feb 08 at 09:53, Philip Mötteli wrote:
>
>> On 28.02.2008 at 09:40, Martin Costabel wrote:
>>
>>> [...]
>>> It looks like you fiddled with groups, so maybe you also have a
>>> custom /etc/sudoers file?
>>
>> Have a look (I didn't copy the out-commented parts):
>>
>> [...]
>
> Looks like to be rather standard. ;-)

Comforting.
> But more directly related to su, perhaps has your
> /etc/authorization
> file been modified

That's interesting: I have a '/private/etc/authorization' and a '/private/etc/authorization.user_modified'. I have no idea, when this has been modified.

> (especially wrt to its key system.login.tty)?

I don't know, what should be there. Perhaps you have a look:
-------------- next part --------------
?

> Or even your
> /etc/pam.d/su
> file?

Again, I don't know, what should be there:
-------------- next part --------------
?

> On the other hand, could you try a:
> sudo find / -name su
>
> (longer than just a locate, but sure more exhaustive;

$ sudo find / -name su
Password:
/private/etc/pam.d/su
/usr/bin/su

That's all.

> of course, should you have other volumes on which you have installed
> various "active" tools, the search should be done on those volumes
> too)

No. There's only one volume.

> There must be an explanation...

Definitely.

Thanks!

From luttgens at fusl.ac.be Thu Feb 28 03:05:50 2008
From: luttgens at fusl.ac.be (Axel Luttgens)
Date: Thu Feb 28 03:05:54 2008
Subject: Can't su anymore
In-Reply-To: <9A3216B2-14AB-4C00-A2E4-4F1AFFE913EE@tele2.ch>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com> <47C6738E.1030700@wanadoo.fr> <491F9255-714F-45F9-996E-1082070E245F@tele2.ch> <42ECA8EF-723A-4204-9A2C-C04AE9C355B3@fusl.ac.be> <9A3216B2-14AB-4C00-A2E4-4F1AFFE913EE@tele2.ch>
Message-ID: <3C951116-7C57-4925-826E-64B1E964A3DC@fusl.ac.be>

On 28 Feb 08 at 11:24, Philip Mötteli wrote:

> On 28.02.2008 at 10:47, Axel Luttgens wrote:
>
>> [...]
>> But more directly related to su, perhaps has your
>> /etc/authorization
>> file been modified
>
> That's interesting: I have a '/private/etc/authorization' and a '/
> private/etc/authorization.user_modified'. I have no idea, when this
> has been modified.
>
>
>> (especially wrt to its key system.login.tty)?
>
> I don't know, what should be there. Perhaps you have a look:?
>
>
>> Or even your
>> /etc/pam.d/su
>> file?
>
> Again, I don't know, what should be there:
> ?

Sending you a copy of those files (authorization and su) in a separate email.

>
>> On the other hand, could you try a:
>> sudo find / -name su
>>
>> (longer than just a locate, but sure more exhaustive;
>
> $ sudo find / -name su
> Password:
> /private/etc/pam.d/su
> /usr/bin/su
>
> That's all.

So, only one su executable.

By chance, do you have aliases somehow defined when launching your shell? (BTW, what's your shell?)
In the case of bash (or sh), alias -p may provide a hint, as well as a look at /etc/profile, ~/.bash_profile, ~/.bashrc, ~/.profile, $BASH_ENV, $ENV, etc.
And what gives when trying with a shell other than the usual one?
Axel

From zpamaral at gmail.com Thu Feb 28 08:18:13 2008
From: zpamaral at gmail.com (=?ISO-8859-1?Q?Jos=E9_Pedro_do_Amaral?=)
Date: Thu Feb 28 08:18:23 2008
Subject: Can't su anymore
In-Reply-To: <3C951116-7C57-4925-826E-64B1E964A3DC@fusl.ac.be>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5bbc0cd60802251156o4834f651w6b80913d219703ea@mail.gmail.com> <0B102139-34D9-497D-8903-86D615FC9CCC@tele2.ch> <27E97B78-CA0E-47AA-874A-39B1A41F70A5@fusl.ac.be> <66DC1199-3E96-4B86-ADD7-B0629B362050@tele2.ch> <4A546BCA-31F0-4DD9-A248-DC22DE0DD983@gmail.com> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com> <47C6738E.1030700@wanadoo.fr> <491F9255-714F-45F9-996E-1082070E245F@tele2.ch> <42ECA8EF-723A-4204-9A2C-C04AE9C355B3@fusl.ac.be> <9A3216B2-14AB-4C00-A2E4-4F1AFFE913EE@tele2.ch> <3C951116-7C57-4925-826E-64B1E964A3DC@fusl.ac.be>
Message-ID: <3025FF40-3A50-4495-8CCA-6C818335864A@gmail.com>

Hi,

Another possible test for this interesting situation (this test will only work if you have not done the aliasing in the shell configuration of su to /usr/bin/su):

1. Try su --version

then

2. Try /usr/bin/su --version

and

3. Check whether the output is different, for the GNU coreutils sudo should say the coreutils version whereas the system su will prompt an error for that flag.

If both give you error then the plot thickens. By the way, have you tried /sfw/sbin/su?

ZP

--
José Pedro Sousa do Amaral

An expert is a person who avoids the small errors as he sweeps on to the grand fallacy.
-- Benjamin Stolberg

From johnmusbach1 at gmail.com Thu Feb 28 22:08:39 2008
From: johnmusbach1 at gmail.com (John Musbach)
Date: Thu Feb 28 22:08:43 2008
Subject: Can't su anymore
In-Reply-To: <9A3216B2-14AB-4C00-A2E4-4F1AFFE913EE@tele2.ch>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com> <47C6738E.1030700@wanadoo.fr> <491F9255-714F-45F9-996E-1082070E245F@tele2.ch> <42ECA8EF-723A-4204-9A2C-C04AE9C355B3@fusl.ac.be> <9A3216B2-14AB-4C00-A2E4-4F1AFFE913EE@tele2.ch>
Message-ID: <17c8e29e0802282208v45726fd3y889e1eb8c2bfa10d@mail.gmail.com>

On Thu, Feb 28, 2008 at 2:24 AM, Philip Mötteli wrote:
> > Or even your
> > /etc/pam.d/su
> > file?
>
> Again, I don't know, what should be there:
>
> ?

# su: auth account session
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid group=admin group=wheel
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_permit.so
session required pam_permit.so

--
Best Regards,
John Musbach

From johnmusbach1 at gmail.com Thu Feb 28 22:11:08 2008
From: johnmusbach1 at gmail.com (John Musbach)
Date: Thu Feb 28 22:11:11 2008
Subject: Can't su anymore
In-Reply-To: <9A3216B2-14AB-4C00-A2E4-4F1AFFE913EE@tele2.ch>
References: <680861F0-D6F9-4138-8861-D693FDC10914@tele2.ch> <5710D777-C2FC-49DE-89BA-BC4A0E9B8B70@tele2.ch> <17c8e29e0802270735n3ff3a8aar8b237d6ec19796ce@mail.gmail.com> <9F8AA252-D26F-4E63-B75A-4C9C9AB3254C@tele2.ch> <7E3D3BEB-EB2A-4331-A08B-27105A118E8A@gmail.com> <47C6738E.1030700@wanadoo.fr> <491F9255-714F-45F9-996E-1082070E245F@tele2.ch> <42ECA8EF-723A-4204-9A2C-C04AE9C355B3@fusl.ac.be> <9A3216B2-14AB-4C00-A2E4-4F1AFFE913EE@tele2.ch>
Message-ID: <17c8e29e0802282211n76e3faah9f86e4a36bbe3f86@mail.gmail.com>

On Thu, Feb 28, 2008 at 2:24 AM, Philip Mötteli
wrote:
> > But more directly related to su, perhaps has your
> > /etc/authorization
> > file been modified
>
> That's interesting: I have a '/private/etc/authorization' and a '/
> private/etc/authorization.user_modified'. I have no idea, when this
> has been modified.
>
>
> > (especially wrt to its key system.login.tty)?
>
> I don't know, what should be there. Perhaps you have a look:
> ?

comment The name of the requested right is matched against the keys. An exact match has priority, otherwise the longest match from the start is used. Note that the right will only match wildcard rules (ending in a ".") during this reduction. allow rule: this is always allowed <key>com.apple.TestApp.benign</key> <string>allow</string> deny rule: this is always denied <key>com.apple.TestApp.dangerous</key> <string>deny</string> user rule: successful authentication as a user in the specified group(5) allows the associated right. The shared property specifies whether a credential generated on success is shared with other apps (i.e., those in the same "session"). This property defaults to false if not specified. The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule. The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified. See remaining rules for examples. rights class rule comment Matches otherwise unmatched rights (i.e., is a default). rule default com.alf class rule k-of-n 1 rule is-admin default timeout 300 com.apple. rule default com.apple.CoreRAID.admin allow-root class user comment Used by CoreRAID to allow access to administration functions of RAID devices group admin shared com.apple.Safari.parental-controls allow-root class user comment Checked when changing parental controls for Safari.
group admin shared timeout 0 com.apple.Xcode.distcc.admin class user comment This right is used by Xcode to invoke a setuid tool to run launchctl as root to change distcc sharing on this machine group admin shared timeout 300 com.apple.activitymonitor.kill class user comment Used by Activity Monitor to authorize killing processes not owned by the user. group admin shared timeout 0 com.apple.appserver.privilege.admin class rule comment For administrative access to the Application Server management tool. rule appserver-admin com.apple.appserver.privilege.user class rule comment For user access to the Application Server management tool. k-of-n 1 rule appserver-admin appserver-user com.apple.builtin.confirm-access class evaluate-mechanisms mechanisms builtin:confirm-access tries 1 com.apple.builtin.confirm-access-password class evaluate-mechanisms mechanisms builtin:confirm-access-password com.apple.builtin.generic-new-passphrase class evaluate-mechanisms mechanisms builtin:generic-new-passphrase com.apple.builtin.generic-unlock class evaluate-mechanisms mechanisms builtin:generic-unlock com.apple.chud.io.read allow-root class user comment Used to allow admin reading of I/O space via the CHUD framework group admin timeout 3600 com.apple.chud.io.write allow-root class user comment Used to allow admin writing of I/O space via the CHUD framework group admin timeout 3600 com.apple.chud.pci.read allow-root class allow comment Used to allow user reading of the PCI configuration space via the CHUD framework timeout 3600 com.apple.chud.pci.write allow-root class user comment Used to allow admin writing of PCI configuration space via the CHUD framework group admin timeout 3600 com.apple.chud.physmem allow-root class user comment Used to allow admin access to physical memory addresses via the CHUD framework group admin timeout 3600 com.apple.chud.spr.read allow-root class allow comment Used to allow user reading of CPU special purpose registers via the CHUD framework timeout 
3600 com.apple.chud.spr.write allow-root class user comment Used to allow admin writing of CPU special purpose registers via the CHUD framework group admin timeout 3600 com.apple.dashboard.advisory.allow class user group admin shared timeout 300 com.apple.desktopservices class user comment For privileged file operations from within the Finder. group admin shared timeout 0 com.apple.docset.install class user comment Used by Xcode to restrict access to a daemon it uses to install and update documentation sets. group admin shared com.apple.server.admin.streaming allow-root class user comment For making administrative requests to the QuickTime Streaming Server. group admin shared timeout 0 com.apple.trust-settings.admin allow-root class user comment For modifying Trust Settings in the Local Admin domain. group admin com.apple.trust-settings.user comment For modifying per-user Trust Settings. rule authenticate-session-owner config.add. class allow comment Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights. config.config. class deny comment Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file). config.modify. class rule comment Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication. k-of-n 1 rule is-root authenticate-admin config.remove. class rule comment Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication. k-of-n 1 rule is-root authenticate-admin config.remove.system. class deny comment Wildcard right for deleting system rights. sys.openfile. class user comment See authopen(1) for information on the use of this right. group admin shared timeout 300 system. rule default system.burn class allow comment For burning media. 
system.device.dvd.setregion.initial class user comment Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change). group admin shared system.global-login-items. class rule k-of-n 1 rule is-admin default system.identity.write. class rule comment For creating, changing or deleting local user accounts and groups. k-of-n 1 rule is-admin authenticate-admin system.identity.write.credential class rule comment Checked when changing authentication credentials (password or certificate) for a local user account. rule default system.identity.write.self authenticate-user class user comment Checked when changing authentication credentials (password or certificate) for the current user's account. session-owner system.install.admin.user class user comment Checked when user is installing in admin domain (/Applications). group admin shared timeout 300 system.install.root.admin class user comment Checked when admin is installing in root domain (/System). group admin shared timeout 300 system.install.root.user class user comment Checked when user is installing in root domain (/System). group admin shared timeout 300 system.keychain.create.loginkc allow-root class evaluate-mechanisms comment Used by the Security framework when you add an item to an unconfigured default keychain. mechanisms loginKC:queryCreate loginKC:showPasswordUI authinternal session-owner shared system.keychain.modify class user comment Used by Keychain Access when editing a system keychain. group admin shared timeout 300 system.login.console class evaluate-mechanisms comment Login mechanism based rule. Not for general use, yet. 
mechanisms builtin:smartcard-sniffer,privileged loginwindow:login builtin:reset-password,privileged builtin:auto-login,privileged builtin:authenticate,privileged HomeDirMechanism:login,privileged HomeDirMechanism:status MCXMechanism:login loginwindow:success loginwindow:done system.login.done class evaluate-mechanisms mechanisms system.login.screensaver class rule comment The owner or any administrator can unlock the screensaver. rule authenticate-session-owner-or-admin system.login.tty class evaluate-mechanisms mechanisms push_hints_to_context authinternal tries 1 system.preferences allow-root class user comment Checked by the Admin framework when making changes to certain System Preferences. group admin shared system.preferences.accessibility allow-root class user comment Checked by the Admin framework when enabling or disabling the Accessibility APIs. group admin shared timeout 0 system.preferences.accounts allow-root class user comment Checked by the Admin framework when making changes to the Accounts preference pane. group admin shared system.preferences.parental-controls class user comment Checked when making changes to the Parental Controls preference pane. group admin shared system.print.admin class rule k-of-n 1 rule is-lpadmin is-admin default system.printingmanager class rule comment For printing to locked printers. rule authenticate-admin system.privilege.admin allow-root class user comment Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges() is used by programs requesting to run a tool as root (e.g., some installers). group admin shared timeout 300 system.privilege.taskport allow-root class user comment Used by task_for_pid(...). Task_for_pid is called by programs requesting full control over another program for things like debugging or performance analysis. This authorization only applies if the requesting and target programs are run by the same user; it will never authorize access to the program of another user. 
group admin shared system.restart class evaluate-mechanisms comment Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching. mechanisms RestartAuthorization:restart RestartAuthorization:authenticate RestartAuthorization:success system.services.directory.configure allow-root class user comment For making Directory Services changes. group admin shared timeout 300 system.sharepoints. allow-root class user comment Checked when making changes to the Sharepoints. group admin shared system.shutdown class evaluate-mechanisms comment Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching. mechanisms RestartAuthorization:shutdown RestartAuthorization:authenticate RestartAuthorization:success rules allow class allow comment Allow anyone. appserver-admin class user group appserveradm appserver-user class user group appserverusr authenticate class evaluate-mechanisms mechanisms builtin:smartcard-sniffer,privileged builtin:authenticate builtin:authenticate,privileged authenticate-admin class user comment Authenticate as an administrator. group admin shared timeout 0 authenticate-session-owner class user comment Authenticate as the session owner. session-owner authenticate-session-owner-or-admin allow-root class user comment Authenticate either as the owner or as an administrator. group admin session-owner shared default class user comment Default rule. Credentials remain valid for 5 minutes after they've been obtained. An acquired credential is shared by all clients. group admin shared timeout 300 is-admin authenticate-user class user comment Verify that the user asking for authorization is an administrator. group admin shared true is-lpadmin authenticate-user class user comment Verify that the user asking for authorization is an lp administrator. 
group lpadmin is-root allow-root authenticate-user class user comment Verify that the process that created this AuthorizationRef is running as root.

--
Best Regards,
John Musbach

From ort at bergersen.no Fri Feb 29 15:00:13 2008
From: ort at bergersen.no (Richard Taubo)
Date: Fri Feb 29 15:16:22 2008
Subject: [OT] Advanced ln command use
Message-ID:

Hi!

This might be slightly off topic, but I wonder if anyone has a solution to a problem I have concerning the use of soft links (ln -s).

I want to keep a program in one place for administration purposes, but use the program for many domains on the web. The program uses config files, so I have to keep those local for each domain, and I do not want to change the linking in the program itself.

My solution looked like this, but I was a little bummed that it didn't work:

1) Program directory (where myconfig.cfg is a softlink to ../myconfig.cfg):
/usr/local/myprogram
/usr/local/myprogram/myconfig.cfg -> ../myconfig.cfg

There is no /usr/local/myconfig.cfg

2) Domain directory
/Web/Sites/www.mysite.com/cgi-bin -> /usr/local/myprogram
/Web/Sites/www.mysite.com/myconfig.cfg

When cd'ing into:
/Web/Sites/www.mysite.com/cgi-bin
and checking if myconfig.cfg exists, it doesn't exist.
I am not very surprised about this, since there is no:
/usr/local/myconfig.cfg
. . . but I still hoped that the ../myconfig.cfg link would reference locally instead of in respect to the original /usr/local/myprogram directory.

Is there another way of solving this type of issue?

Thanks for feedback!

Best regards,
Richard Taubo
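
The resolution behaviour described in the message above, as an added example that is not part of the original post: a relative symlink target is resolved against the directory that physically contains the link, so the posted layout looks for /usr/local/myconfig.cfg whichever path is used to reach it. The temp-dir sandbox, the file name myprogram.cgi and the per-site layout are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sandbox: the post's paths are recreated under a temp root.
PROG=usr/local/myprogram
SITE=Web/Sites/www.mysite.com

# Layout from the post: cgi-bin is a symlink to the shared program directory,
# which holds the relative link myconfig.cfg -> ../myconfig.cfg.
build_original() {
    mkdir -p "$1/$PROG" "$1/$SITE"
    echo 'site=www.mysite.com' > "$1/$SITE/myconfig.cfg"
    ln -s ../myconfig.cfg "$1/$PROG/myconfig.cfg"
    ln -s "$1/$PROG" "$1/$SITE/cgi-bin"
}

# Assumed alternative: cgi-bin is a real per-site directory and only the
# program file (hypothetical name myprogram.cgi) is linked from the shared copy.
build_per_site() {
    mkdir -p "$1/$PROG" "$1/$SITE/cgi-bin"
    : > "$1/$PROG/myprogram.cgi"
    echo 'site=www.mysite.com' > "$1/$SITE/myconfig.cfg"
    ln -s "$1/$PROG/myprogram.cgi" "$1/$SITE/cgi-bin/myprogram.cgi"
    ln -s ../myconfig.cfg "$1/$SITE/cgi-bin/myconfig.cfg"
}

# Path a relative symlink points at: the target is joined to the directory
# that physically contains the link, not to the path used to reach it.
resolved_target() {
    link_dir=$(cd "$(dirname "$1")" && pwd -P)
    target=$(readlink "$1")
    target_dir=$(cd "$link_dir/$(dirname "$target")" && pwd -P)
    printf '%s/%s\n' "$target_dir" "$(basename "$target")"
}

# Build one layout in a fresh root; print "<found|missing> <target under root>".
check_layout() {
    root=$(cd "$(mktemp -d)" && pwd -P)
    "build_$1" "$root"
    cfg="$root/$SITE/cgi-bin/myconfig.cfg"
    if [ -e "$cfg" ]; then state=found; else state=missing; fi
    full=$(resolved_target "$cfg")
    rm -rf "$root"
    printf '%s %s\n' "$state" "${full#"$root"}"
}

check_layout original   # missing /usr/local/myconfig.cfg
check_layout per_site   # found /Web/Sites/www.mysite.com/myconfig.cfg
```

In the per-site layout the program file is still maintained in one place, while the config link lives inside each site's own cgi-bin and therefore resolves to that site's myconfig.cfg.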