- Explain the importance of installing and running portsnap after installing a current version of FreeBSD.
Portsnap is a system for securely distributing the FreeBSD ports tree. Approximately once an hour, a “snapshot” of the ports tree is generated, repackaged, and cryptographically signed. The resulting files are then distributed via HTTP.
The first time portsnap is run, it will need to download a compressed snapshot of the entire ports tree (portsnap fetch) and then a “live” copy of the ports tree can be extracted into /usr/ports/ (portsnap extract). This is necessary even if a ports tree has already been created in that directory (e.g., by using CVSup), since it establishes a baseline from which portsnap can determine which parts of the ports tree need to be updated later.
Initializing portsnap as soon as possible ensures the most secure and up-to-date software installations on your machine and avoids a long download of the initial compressed tree when you need it later.
After initializing portsnap, it is recommended to put ‘portsnap cron’ in a cron job to fetch updates regularly. Then run ‘portsnap update’ before using the ports system. Putting ‘portsnap update’ in cron is not recommended since it can cause problems if it runs while the ports tree is in use.
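An added example, not from the original text: one way to honour the caveat above, so that ‘portsnap update’ and a port build cannot run at the same time. The lock directory path and the use of /usr/ports/Mk as the "tree already extracted" marker are assumptions.

```shell
#!/bin/sh
# Added example, not from the original text: serialize portsnap updates and
# port builds under one lock so 'portsnap update' never runs mid-build.
# PORTS_LOCK and PORTS_DIR are assumptions; override them in the environment.
PORTS_LOCK="${PORTS_LOCK:-/var/run/ports.lock}"
PORTS_DIR="${PORTS_DIR:-/usr/ports}"

# with_ports_lock CMD [ARGS...]
# mkdir is atomic, so two callers cannot both acquire the lock.
# Returns 75 (EX_TEMPFAIL) if the lock is already held, else CMD's status.
with_ports_lock() {
    if ! mkdir "$PORTS_LOCK" 2>/dev/null; then
        echo "ports tree busy: lock $PORTS_LOCK is held" >&2
        return 75
    fi
    rc=0
    "$@" || rc=$?
    rmdir "$PORTS_LOCK"
    return $rc
}

# ports_update: the first run fetches and extracts the whole tree; later runs
# fetch and apply only the changed parts. Using the Mk directory as the
# "already extracted" marker is an assumption.
ports_update() {
    if [ -d "$PORTS_DIR/Mk" ]; then
        portsnap fetch update
    else
        portsnap fetch extract
    fi
}

# Usage: run both the update and any port build through the same lock, e.g.
#   with_ports_lock ports_update
#   with_ports_lock make -C /usr/ports/www/apache22 install clean
# 'portsnap cron' (fetch only) can stay in crontab without the lock, since
# it does not touch /usr/ports.
```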
- Explain the role of configuration files in Unix applications. In Apache version 2.2, the configuration files have been modularized. What are the advantages and disadvantages of using a modular approach to configuration files?
Configuration files allow you to control the settings and parameters of a service or program by editing, in most cases, a simple text file. Well-known configuration files include /etc/hosts (local hostname to IP resolution), /etc/nsswitch.conf (name service configuration) and /etc/resolv.conf (DNS server configuration). Samba uses a configuration file which looks more like a Windows .ini file. Apache uses its own XML-ish format.
Apache’s use of modular configuration files is not new in version 2.2 as can be seen here: http://httpd.apache.org/docs/1.3/mod/core.html#include
More likely you are used to a binary distribution of Apache which has split the configuration into several files/directories and included them from the base configuration. The reason for doing this is convenience. It is easy to manage multiple Apache servers with similar settings by creating a basic shared configuration for all servers and only modifying the subset of the configuration that sits in an included file.
It is also popular to use a set of prepared configuration files (module configurations/vhost configurations) in a directory marked “_available” and symlink them into a directory called “_enabled” which is included in the Apache configuration. This provides a quick on/off mechanism for certain configurations.
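An added example, not from the original text: the “_available”/“_enabled” pattern above as shell functions. The directory layout is an assumption (Debian's Apache packaging uses sites-available and sites-enabled), and the name check keeps a caller from linking anything that lives outside the available directory.

```shell
#!/bin/sh
# Added example, not from the original text: the "*_available"/"*_enabled"
# symlink pattern as shell functions. Directory names are assumptions
# (Debian's Apache layout uses sites-available and sites-enabled).

# enable_conf AVAIL_DIR ENABLED_DIR NAME
# Links AVAIL_DIR/NAME.conf into ENABLED_DIR. Names containing a slash or
# starting with a dot are refused so only files inside AVAIL_DIR can be linked.
enable_conf() {
    avail=$(cd "$1" && pwd) || return 1
    enabled=$2; name=$3
    case $name in
        ''|*/*|.*) echo "refusing name: '$name'" >&2; return 2 ;;
    esac
    [ -f "$avail/$name.conf" ] || { echo "no such config: $avail/$name.conf" >&2; return 1; }
    [ -L "$enabled/$name.conf" ] && return 0     # already enabled
    ln -s "$avail/$name.conf" "$enabled/$name.conf"
}

# disable_conf ENABLED_DIR NAME
# Removes only the symlink; the master copy in *_available stays in place.
disable_conf() {
    [ -L "$1/$2.conf" ] || { echo "not enabled: $2" >&2; return 1; }
    rm "$1/$2.conf"
}

# list_enabled ENABLED_DIR
# Prints names whose link still resolves; a dangling link means the master
# file was deleted and the stale link should be cleaned up.
list_enabled() {
    for link in "$1"/*.conf; do
        [ -L "$link" ] && [ -e "$link" ] || continue
        basename "$link" .conf
    done
}

# After changing links, validate before reloading:
#   apachectl configtest && apachectl graceful
```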
- Explain the use of “directives” in configuration files. Provide an example of two directives found in an Apache configuration file and detail what each accomplishes.
“Directive” is a word which is fairly specific to Apache. Each directive controls some part of the configuration; Apache has ~410 of them. Each one is characterized by the syntax of the arguments it accepts, its default value if there is one, the context in which it can be used (server, virtual host, directory, etc.), what overrides must be in place for the directive to be used in a .htaccess file, and its status, module, and compatibility.
ServerName is a directive which sets the request scheme, hostname and port that the server uses to identify itself. http://httpd.apache.org/docs/2.2/mod/core.html#servername
The ServerAdmin directive sets the contact address that the server includes in any error messages it returns to the client. http://httpd.apache.org/docs/2.2/mod/core.html#serveradmin
- What is meant by “overrides”? Provide an example of an override found in an Apache configuration file and detail what is accomplished by the override.
An override allows a directive to be overridden by directives in a .htaccess file located in one of the web content directories.
An example of an override is AuthConfig. This override allows the .htaccess file in a directory to change the Apache configuration of that directory in terms of authentication (allow or deny access, specify users, etc.). http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
- Define what is meant by a Common Gateway Interface, how it is used in websites, and the methods for providing one. Discuss the advantages and disadvantages of providing this functionality on a web site.
CGI is an older standard for allowing a web server like Apache to send request parameters to an external program and use the program’s output as a response. Before scripting languages like PHP or Perl were built straight into web server modules, this was the only way to serve dynamically generated content.
CGI is generally not a great solution today, although it is still used. Its performance is poor due to the need to start a completely new process on each request. CGIs generally take more memory and require more open processes on the server. Perl has a CGI module which makes writing a CGI script fairly easy.
More common today is the use of FastCGI which requires a different interface from the external program. FastCGI keeps a number of external programs running to improve performance. Many recommend running PHP as a FastCGI program in order to take advantage of Apache’s newer multi-threaded MPM.
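An added example, not from the original text: a minimal CGI program written in sh, showing the contract described above (the request arrives in environment variables, one new process per request, the response goes to stdout) and escaping the input it echoes back. The CGI variable names are the standard ones; the function names are our own.

```shell
#!/bin/sh
# Added example, not from the original text: a minimal CGI program in sh.
# The server starts this process per request, passes the request in the
# standard CGI environment variables (REQUEST_METHOD, QUERY_STRING,
# CONTENT_LENGTH) and sends whatever we print to stdout back to the client.
# Function names are our own.

# html_escape TEXT: request data must never be echoed back raw (reflected XSS).
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# cgi_body METHOD QUERY_STRING POST_DATA
# Builds the response body only, so the logic is testable without a server.
cgi_body() {
    case $1 in
        GET)  input=$2 ;;
        POST) input=$3 ;;
        *)    printf 'unsupported method\n'; return 1 ;;
    esac
    # Cap what we reflect so an oversized request cannot bloat the page.
    input=$(printf '%s' "$input" | cut -c1-256)
    printf '<p>You sent: %s</p>\n' "$(html_escape "$input")"
}

# cgi_main: the real entry point, run only when a server has invoked us.
cgi_main() {
    body=
    if [ "$REQUEST_METHOD" = POST ]; then
        # Read exactly CONTENT_LENGTH bytes; never read stdin unbounded.
        body=$(head -c "${CONTENT_LENGTH:-0}")
    fi
    # Header block, blank line, then the body; forgetting the blank line is
    # what Apache typically logs as a malformed header from the script.
    printf 'Content-Type: text/html; charset=utf-8\r\n\r\n'
    cgi_body "${REQUEST_METHOD:-GET}" "$QUERY_STRING" "$body"
}

# GATEWAY_INTERFACE is set by the server (e.g. CGI/1.1); absent it, do nothing.
[ -n "$GATEWAY_INTERFACE" ] && cgi_main
```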
Recently, I wanted to confirm that I was running the 64 bit version of the MySQL server as opposed to the 32 bit version.
The Sun Webstack installation comes with both versions and if you use the built in SMF service, the difference between using the 32 bit version or 64 bit version is controlled by a flag in the service properties.
I was not using the built-in service, but rather using Sun Cluster to start the server. In order to convince Sun Cluster to start the 64 bit version (I’m sure there is a better way to do this), one of my admins had made a symlink from the mysql/bin directory to the 64 bit binary directory. On the command line, you could no longer tell if the mysqld command was run from the 64 bit directory and there doesn’t seem to be a built-in MySQL command which shows what version is currently running (show status, \s, show variables, etc.).
In the end I ran pldd on the process id of the MySQL server. I am reasonably sure that I am running the 64 bit version of the server because all the shared libraries being used came from the /lib/sparcv9/ and /usr/lib/sparcv9/ directories, which are the 64 bit libraries. Not sure if this method works on other OSes but I thought it might be helpful to someone.
If you’re like me, you love the granular permissions capabilities of MySQL but hate the work that goes into managing them.
Recently, I’ve been dealing with MySQL permissions a lot and most of the time I’m creating very similar permissions over and over again. It got me thinking that I could really use MySQL groups. Unfortunately, there doesn’t seem to be anything like groups in MySQL and according to plans won’t be added officially until MySQL 7.0 (WL#988). Considering they originally planned to include Role support in MySQL 5.0, I’m not sure I’m holding my breath.
While searching around, I found Securich – a project about 6 months old which uses stored procedures to create a much more capable and easy to manage permissions system on top of MySQL’s existing permissions. DISCLAIMER: I have not actually tried this so everything I say is based on what I’ve understood from the documentation.
On the simplest level, it gives you the ability to define roles as a set of privilege types. This isn’t what I had in mind but it does help. For example, there might be a role called ‘readonly’ which only has SELECT permissions and there may be another role called ‘readwrite’ which has ‘SELECT,INSERT,UPDATE,DELETE’ etc. Then you can grant a role on tables or databases to users. Any time you update the permissions in the role, you update the permissions for all the users on every database/table where they have those permissions.
An interesting feature is the ability to define the tables in the grant privileges procedure using a regexp, so if you use a prefix like ‘dev_’ to indicate tables used by developers, you might create a role called ‘developer’ and apply it to all tables beginning with ‘dev_’.
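An added example, not from the original text and not Securich’s code: the role idea above done with plain GRANT statements. A role is a fixed privilege set, and applying it to an account means granting that set on every table whose name matches a prefix. The role names, accounts and table names are made up.

```shell
#!/bin/sh
# Added example, not from the original text and not Securich's code: the
# role idea as a GRANT generator. A role is a fixed privilege set; applying
# it grants that set on every table matching a prefix. Roles, accounts and
# table names here are made up.

# role_privs ROLE: prints the privilege list, non-zero for an unknown role.
role_privs() {
    case $1 in
        readonly)  echo 'SELECT' ;;
        readwrite) echo 'SELECT, INSERT, UPDATE, DELETE' ;;
        developer) echo 'SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER' ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# apply_role ROLE ACCOUNT DB PREFIX TABLE...
# Emits one GRANT per table whose name starts with PREFIX. ACCOUNT must
# already be in MySQL form, e.g. 'bob'@'localhost'. Identifiers are
# backtick-quoted; tables that do not match are skipped, which is the
# least-privilege default (nothing is granted by accident).
apply_role() {
    privs=$(role_privs "$1") || return 1
    account=$2; db=$3; prefix=$4; shift 4
    for t in "$@"; do
        case $t in
            "$prefix"*) printf 'GRANT %s ON `%s`.`%s` TO %s;\n' \
                            "$privs" "$db" "$t" "$account" ;;
        esac
    done
}

# Real use: feed live table names in and pipe the statements to the client:
#   apply_role developer "'bob'@'localhost'" appdb dev_ \
#       $(mysql -N -e 'SHOW TABLES' appdb) | mysql
# Re-run after changing a role's privilege set; GRANT is additive, so a
# narrowed role also needs matching REVOKE statements.
```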
Additional features I like are:
- The ability to search for users with specific permissions.
- The ability to clone users (i.e., add another developer).
- Storing meta-data on the users like contact email address.
- Password aging, history, and complexity requirements – although it seems like these are only enforced if the passwords aren’t modified using standard MySQL commands.
- Auditing – Securich stores a history of when permissions are granted and to whom, etc.
What I don’t see:
- I don’t see column-level permissions.
- Preferably there would be a way to combine the permissions and the DB/Table set into the ‘Role’ but the ability to clone users is pretty close.
- Promised support – I’m a fan of open source but a one man project is not something for production. It would be nice if this were adopted by someone bigger.
To summarize, I don’t think I’ll be deploying this but it looks promising. I hope Oracle will prioritize Roles and deliver them before 7.0. If not, maybe someone in MySQL will implement something similar to Securich (without the major architecture changes planned for 7.0: pluggable authentication, new privilege table structures, etc.) to give us the quick win.
Just saw this on Slashdot. Basically the idea is that you give them a certain amount of money each month which you then use to “flatter” Internet content that you like. By clicking on someone’s Flattr button the same way you would click on a Digg button, etc. you give that person a share of your monthly pot.
According to the video, “Flattr” is also a play on “Flat Rate” that is, you would spend the same amount of money each month. This means, you aren’t spending more if you click on more Flattr buttons. Since your pot or “cake” is split evenly between the people you Flattr, as long as you Flattr someone, the money goes somewhere. I’m not sure what happens if you don’t Flattr anyone???
While it seems like a good idea, and the domain name is great, I’m not sure there is any market for more “buttons”. They should probably try integrating this directly into Twitter, Digg, etc. so if someone retweets, they get a piece of the cake. There are already too many social networks as it is.
My guess is that there is no IP here keeping Digg or Twitter from offering this themselves and faster. In the end, whichever network can offer more from one place will win out of convenience.
I just ran into an interesting site, goosh.org. Goosh = GOOgle SHell – basically the guy has built a CLI or shell interface to Google services. Strangely enough, it gives you a CLI inside your web browser, which might be an oxymoron but it’s cute anyway.
It apparently has the ability to access your accounts if you login but I wouldn’t trust my identity to it so be careful.