FAQ
One of my VPS stopped working. After the data centre replaced a disk
normal service resumed, then I notices this:

CentOS release 5.5 (Final)
Kernel 2.6.35.4 on an x86_64

I always thought Centos 5.x would always be on 2.6.18. Any thoughts?

Search Discussions

  • Brunner, Brian T. at Feb 10, 2011 at 4:36 pm

    -----Original Message-----
    From: centos-bounces at centos.org
    [mailto:centos-bounces at centos.org] On Behalf Of Always Learning
    Sent: Thursday, February 10, 2011 4:25 PM
    To: centos at centos.org
    Subject: [CentOS] Strange Kernel for Centos 5.5

    One of my VPS stopped working. After the data centre replaced
    a disk normal service resumed, then I notices this:

    CentOS release 5.5 (Final)

    Kernel 2.6.35.4 on an x86_64

    I always thought Centos 5.x would always be on 2.6.18. Any thoughts?
    uname -a should give the 2.6.18-xxx.y.z.el5 (with .centos.plus
    optionally) or you're not running a RH/CentOS/SL kernel.

    Check you /boot and grub.conf for whether you have the current kernel at
    all
    (2.6.18-194.32.1.el5.centos.plus in my case)
    *******************************************************************
    This email and any files transmitted with it are confidential and
    intended solely for the use of the individual or entity to whom
    they are addressed. If you have received this email in error please
    notify the system manager. This footnote also confirms that this
    email message has been swept for the presence of computer viruses.
    www.Hubbell.com - Hubbell Incorporated**
  • Always Learning at Feb 10, 2011 at 9:05 pm
    Hi Brian T. & Robert,

    Thanks for your input.

    I did a uname -a on a selection of Centos 5.5 machines and found the
    servers, netbooks and laptops were all a variety of 2.6.18-194.32.1.el5
    and 2.6.19-194.32.1.el5-centos.plus. Only the VPS were different most
    likely, as Robert suggested, because of the base operating system.

    I can update the VPS kernels and am looking forward to the surprises,
    all nice ones I hope, in 5.6 and then 6.0.

    Sometimes I just wonder about the luckiness of us non-Windoze people. We
    have a really marvellous choice of operating systems (BSDs, Solaris,
    Linux et al) and its all free and outstandingly good and reliable.

    I feel sorry for the Windoze victims. Its a really horrible experience
    using a bug-laden and Micro$oft knows best machine where it is awkward
    trying to make changes and avoid the ghastly mess of M$ Internet
    Security - ugh! Centos is so relaxing and enjoyable :-)

    --

    With best regards,

    Paul.
    England,
    EU.
  • David Sommerseth at Feb 11, 2011 at 10:03 am
    On 11/02/11 03:05, Always Learning wrote:
    [...snip...]
    Sometimes I just wonder about the luckiness of us non-Windoze people. We
    have a really marvellous choice of operating systems (BSDs, Solaris,
    Linux et al) and its all free and outstandingly good and reliable.

    I feel sorry for the Windoze victims. Its a really horrible experience
    using a bug-laden and Micro$oft knows best machine where it is awkward
    trying to make changes and avoid the ghastly mess of M$ Internet
    Security - ugh! Centos is so relaxing and enjoyable :-)
    Be careful with saying such things. A lot can be said about Windows as an
    operating system and Microsoft as a company. But be very careful about
    talking about its users, you do not know the reason why they run another OS
    than those which you love.

    Those who uses *nix oriented/based OSes aren't better people or superior to
    those not doing so. They are just different, with a different different
    needs. It doesn't necessarily make them victims or unlucky.


    kind regards,

    David Sommerseth
  • Always Learning at Feb 11, 2011 at 10:22 am

    On Fri, 2011-02-11 at 16:03 +0100, David Sommerseth wrote:

    On 11/02/11 03:05, Always Learning wrote:
    [...snip...]
    Sometimes I just wonder about the luckiness of us non-Windoze people. We
    have a really marvellous choice of operating systems (BSDs, Solaris,
    Linux et al) and its all free and outstandingly good and reliable.

    I feel sorry for the Windoze victims. Its a really horrible experience
    using a bug-laden and Micro$oft knows best machine where it is awkward
    trying to make changes and avoid the ghastly mess of M$ Internet
    Security - ugh! Centos is so relaxing and enjoyable :-)
    Be careful with saying such things. A lot can be said about Windows as an
    operating system and Microsoft as a company. But be very careful about
    talking about its users, you do not know the reason why they run another OS
    than those which you love.
    They probably run Windoze because:-

    (1) they are unaware of other operating systems;

    (2) their application only runs on Windoze;

    (3) their employer is a Windoze-only user;

    (4) when they purchased their new computer it was pre-installed with
    Windoze, for which they had to pay the Micro$oft premium (something
    which needs challenging in the EU), and XP on netbook refuses to work if
    the the hard disk is partitioned to create space for Linux whilst
    Windows 7 deliberately occupies all 4 primary sectors and the entire
    hard disk space just to obstruct users from installing another operating
    system;

    (4) they work for Micro$oft;

    (5) they mistakenly believe Windoze is the best operating system in the
    world;
    Those who uses *nix oriented/based OSes aren't better people or superior to
    those not doing so. They are just different, with a different different
    needs. It doesn't necessarily make them victims or unlucky.
    I think *nix users are more enlightened people and more aware of
    computers, in the widest sense, generally. They are individuals who
    enjoy things like 'Windows for Adults' (i.e. Gnome etc.) rather than
    'Windoze for Young Impressionable Children'. They are much luckier to
    enjoy a better, less stressful and more reliable operating system.

    With best regards,

    Paul.

    Programmer et al 1967-2011.
    Windows user 1992-2010.
    Joyful Linux user and programmer et al 2010-
  • Mark Roth at Feb 11, 2011 at 10:58 am

    David Sommerseth wrote:
    On 11/02/11 03:05, Always Learning wrote:
    [...snip...]
    Sometimes I just wonder about the luckiness of us non-Windoze people. We
    have a really marvellous choice of operating systems (BSDs, Solaris,
    Linux et al) and its all free and outstandingly good and reliable.

    I feel sorry for the Windoze victims. Its a really horrible experience
    using a bug-laden and Micro$oft knows best machine where it is awkward
    trying to make changes and avoid the ghastly mess of M$ Internet
    Security - ugh! Centos is so relaxing and enjoyable :-)
    Be careful with saying such things. A lot can be said about Windows as an
    operating system and Microsoft as a company. But be very careful about
    Yes, there can, and has been, a lot said. A *LOT* of it has not been
    positive (at least since WinDoze 95). I can go on for a while, though it's
    OT, as to their *lousy* design decisions, and then there's all the
    lawsuits that they lost, where they paid to cut out competetors.
    talking about its users, you do not know the reason why they run another
    OS than those which you love.
    Lack of knowledge and/or choice.
    Those who uses *nix oriented/based OSes aren't better people or superior
    to those not doing so. They are just different, with a different different
    needs. It doesn't necessarily make them victims or unlucky.
    Sure it does. And we're Superior (tm), don'tcha know?

    mark "actually liked DOS"
  • Les Mikesell at Feb 11, 2011 at 11:27 am

    On 2/11/2011 9:58 AM, m.roth at 5-cent.us wrote:
    Be careful with saying such things. A lot can be said about Windows as an
    operating system and Microsoft as a company. But be very careful about
    Yes, there can, and has been, a lot said. A *LOT* of it has not been
    positive (at least since WinDoze 95). I can go on for a while, though it's
    OT, as to their *lousy* design decisions, and then there's all the
    lawsuits that they lost, where they paid to cut out competetors.
    But those have next to nothing to do with their current products. If
    you go back to '95 and look at the security/design flaws in shipping
    Linux products it is not pretty either. Pretty much everything had wide
    open holes in required network services like bind/sendmail/ftp as well
    as the kernel itself (wade through the changelogs on any of the programs
    if you aren't convinced). I do agree that pre XP/SP2 versions of
    windows were badly broken and still resent the trouble they caused, but
    it's probably time to forget that.
    talking about its users, you do not know the reason why they run another
    OS than those which you love.
    Lack of knowledge and/or choice.
    Or lack of problems. Since MS started enabling a firewall by default
    and supplying regular updates it mostly just works. I still run XP on
    my work laptop, close it to sleep with running apps, open to wake up (in
    seconds) on a different network, bouncing between wired/docked and
    wireless undocked transparently and it runs for months at a time.
    Another laptop at home does the same with Windows 7 (minus the dock).
    It has been much easier to use windows running the NX client with freenx
    on Linux than to keep working video drivers for native X on linux. I
    can boot into Linux on my work laptop, but why? The only real reason is
    if I want to access an ext3 formatted disk via USB and that turns out to
    work just as well under vmware player, keeping XP's more agile network
    management and leaving my other open apps running.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Mark Roth at Feb 11, 2011 at 11:39 am

    Les Mikesell wrote:
    On 2/11/2011 9:58 AM, m.roth at 5-cent.us wrote:

    Be careful with saying such things. A lot can be said about Windows as
    an operating system and Microsoft as a company. But be very careful
    about
    Yes, there can, and has been, a lot said. A *LOT* of it has not been
    positive (at least since WinDoze 95). I can go on for a while, though
    it's OT, as to their *lousy* design decisions, and then there's all the
    lawsuits that they lost, where they paid to cut out competetors.
    But those have next to nothing to do with their current products. If
    They have *everything* to do. Look, I *said* this is OT, but since you
    insist, the overwhelmingly *bad* design decision was to put the GUI into
    ring 0, instead of the way Windows 3, and X on *Nix, and *everybody* else
    did, resulting in a GUI error bringing down the *entire* system.
    <snip>

    mark
  • John Hodrien at Feb 11, 2011 at 11:47 am

    On Fri, 11 Feb 2011, m.roth at 5-cent.us wrote:

    They have *everything* to do. Look, I *said* this is OT, but since you
    insist, the overwhelmingly *bad* design decision was to put the GUI into
    ring 0, instead of the way Windows 3, and X on *Nix, and *everybody* else
    did, resulting in a GUI error bringing down the *entire* system.
    <snip>
    I thought Vista brought that to be much more inline with how it is on linux.

    It's still the case that a graphics driver error on linux can take out the
    entire system, so it's not like linux is some sort of gold standard on this
    front.

    jh
  • Larry Vaden at Feb 11, 2011 at 4:57 pm

    On Fri, Feb 11, 2011 at 10:47 AM, John Hodrien wrote:
    It's still the case that a graphics driver error on linux can take out the
    entire system, so it's not like linux is some sort of gold standard on this
    front.
    e.g., any modern Ubuntu can write 300 GB per day of syslog if equipped
    with at least certain Nvidia video cards (I'm unaware of which ones
    might work).

    That makes the system unusable, essentially a self-invoked denial of service.

    Apparently there is a little internal disagreement in the
    Debian/Ubuntu camp about Nouveau.

    https://help.ubuntu.com/community/BinaryDriverHowto/Nvidia#Recommended

    which says, in part:

    <quote>
    Recommended step for Ubuntu 10.04 or higher
    Nouveau, an open source driver, is installed by default. You can
    remove it by command-line by entering this:

    sudo apt-get --purge remove xserver-xorg-video-nouveau
    </quote>
  • Les Mikesell at Feb 11, 2011 at 11:52 am

    On 2/11/2011 10:39 AM, m.roth at 5-cent.us wrote:

    Be careful with saying such things. A lot can be said about Windows as
    an operating system and Microsoft as a company. But be very careful
    about
    Yes, there can, and has been, a lot said. A *LOT* of it has not been
    positive (at least since WinDoze 95). I can go on for a while, though
    it's OT, as to their *lousy* design decisions, and then there's all the
    lawsuits that they lost, where they paid to cut out competetors.
    But those have next to nothing to do with their current products. If
    They have *everything* to do. Look, I *said* this is OT, but since you
    insist, the overwhelmingly *bad* design decision was to put the GUI into
    ring 0, instead of the way Windows 3, and X on *Nix, and *everybody* else
    did, resulting in a GUI error bringing down the *entire* system.
    <snip>
    Yes, but with Linux and many, many, many combination of shipping
    software and existing hardware you actually have GUI errors. With the
    combinations of windows drivers and hardware I've used, I haven't seen
    any such error in years. While I agree that even running a GUI at all
    on a server is a waste of resources, in practice it is not something
    that matters. My company runs about 10x the number of windows servers
    as Linux. Not my choice of course, but we don't see OS-related
    differences in reliability, just different quirks you have to work around.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Stephen Harris at Feb 11, 2011 at 12:09 pm

    On Fri, Feb 11, 2011 at 11:39:21AM -0500, m.roth at 5-cent.us wrote:
    They have *everything* to do. Look, I *said* this is OT, but since you
    insist, the overwhelmingly *bad* design decision was to put the GUI into
    ring 0, instead of the way Windows 3, and X on *Nix, and *everybody* else
    did, resulting in a GUI error bringing down the *entire* system.
    The only part that runs in ring 0 is the video driver. The GUI itself
    runs in userspace.

    In Linux the graphics driver runs in userspace, but even that can freeze
    a machine because it requires direct hardware access. My Radeon HD
    2400 PRO driver will cause an immediate lockup if I run X, then quit X,
    then start X again.

    So the ring-0 stuff is a bit of a red herring.

    --

    rgds
    Stephen
  • John R Pierce at Feb 11, 2011 at 12:26 pm

    On 02/11/11 8:39 AM, m.roth at 5-cent.us wrote:
    They have*everything* to do. Look, I*said* this is OT, but since you
    insist, the overwhelmingly*bad* design decision was to put the GUI into
    ring 0, instead of the way Windows 3, and X on*Nix, and *everybody* else
    did, resulting in a GUI error bringing down the*entire* system.
    the "GUI" is a fairly nebulous term. The graphics display driver
    is indeed at ring zero for performance (in fact in early versions of NT,
    it ran in ring 1 or 2, but the performance hit of the ring transitions
    to access IO ports on early graphics cards was overwhelming so in NT4 it
    was moved to ring0). However, the GDI, User (window manager), desktop,
    and about everything else are in ring3 user space.
  • Mark Roth at Feb 11, 2011 at 4:27 pm

    John R Pierce wrote:
    On 02/11/11 8:39 AM, m.roth at 5-cent.us wrote:
    They have*everything* to do. Look, I*said* this is OT, but since you
    insist, the overwhelmingly*bad* design decision was to put the GUI into
    ring 0, instead of the way Windows 3, and X on*Nix, and *everybody*
    else did, resulting in a GUI error bringing down the*entire* system.
    the "GUI" is a fairly nebulous term. The graphics display driver
    is indeed at ring zero for performance (in fact in early versions of NT,
    it ran in ring 1 or 2, but the performance hit of the ring transitions
    to access IO ports on early graphics cards was overwhelming so in NT4 it
    was moved to ring0). However, the GDI, User (window manager), desktop,
    and about everything else are in ring3 user space.
    I'll assume that you've actually worked with the code; I haven't. However,
    I also trust it about as far as I can through a sumo wrestler, since I
    *know* as a fact that M$ frequently had apps make direct calls, *not* to
    the system, but directly to the hardware because the code ran so slowly.
    For example, the classic proof was when Apple went from Moto chips to
    PowerPC, and it broke Word, where they were doing just that (and I've
    heard that from friends who are Macaholics).

    mark
  • Christopher Chan at Feb 11, 2011 at 7:20 pm

    On Saturday, February 12, 2011 05:27 AM, m.roth at 5-cent.us wrote:
    John R Pierce wrote:
    On 02/11/11 8:39 AM, m.roth at 5-cent.us wrote:
    They have*everything* to do. Look, I*said* this is OT, but since you
    insist, the overwhelmingly*bad* design decision was to put the GUI into
    ring 0, instead of the way Windows 3, and X on*Nix, and *everybody*
    else did, resulting in a GUI error bringing down the*entire* system.
    the "GUI" is a fairly nebulous term. The graphics display driver
    is indeed at ring zero for performance (in fact in early versions of NT,
    it ran in ring 1 or 2, but the performance hit of the ring transitions
    to access IO ports on early graphics cards was overwhelming so in NT4 it
    was moved to ring0). However, the GDI, User (window manager), desktop,
    and about everything else are in ring3 user space.
    I'll assume that you've actually worked with the code; I haven't. However,
    I also trust it about as far as I can through a sumo wrestler, since I
    *know* as a fact that M$ frequently had apps make direct calls, *not* to
    the system, but directly to the hardware because the code ran so slowly.
    For example, the classic proof was when Apple went from Moto chips to
    PowerPC, and it broke Word, where they were doing just that (and I've
    heard that from friends who are Macaholics).
    Oh stop digging deeper. You get app crashes and even lock ups too on
    UNIX/Linux. There is only one thing that we can all agree on. All
    Microsoft ware are high security risks and should be run inside a
    software fortress so to speak.

    Everything else is pretty much the same nowadays.
  • Nico Kadel-Garcia at Feb 11, 2011 at 7:55 pm

    On Fri, Feb 11, 2011 at 11:27 AM, Les Mikesell wrote:
    On 2/11/2011 9:58 AM, m.roth at 5-cent.us wrote:

    Be careful with saying such things. ?A lot can be said about Windows as an
    operating system and Microsoft as a company. ?But be very careful about
    Yes, there can, and has been, a lot said. A *LOT* of it has not been
    positive (at least since WinDoze 95). I can go on for a while, though it's
    OT, as to their *lousy* design decisions, and then there's all the
    lawsuits that they lost, where they paid to cut out competetors.
    But those have next to nothing to do with their current products. ?If
    Make a bet? Video drivers, alone, and the feeping creaturism of the
    base web browser create significant risks.

    RHEL and CentOS have much, much tighter basic privilege handling. The
    complexity of the NTFS ACL structure, for example, is so frequently
    mishandled that it's often ignored and simply dealt with as
    "Administrator". The result is privilege escalation chaos.

    This turns out to be one of the problems with SELinux, in fact. It's
    so powerful and complex, and ill managed in many instances, that many
    developers simply disable it and ignore it, especially for web
    applications. (Don't get me going on the pain of integrating locally
    built Lilac and Bugzilla with SELinux: eeewwwwh!)
    you go back to '95 and look at the security/design flaws in shipping
    Linux products it is not pretty either. ?Pretty much everything had wide
    open holes in required network services like bind/sendmail/ftp as well
    as the kernel itself (wade through the changelogs on any of the programs
    if you aren't convinced). ?I do agree that pre XP/SP2 versions of
    windows were badly broken and still resent the trouble they caused, but
    it's probably time to forget that.
    Not as big, serioiusly. The separation between "userspace" and
    "kernelspace" and "root access" was much better than it has been in
    the Windows world.
    talking about its users, you do not know the reason why they run another
    OS than those which you love.
    Lack of knowledge and/or choice.
    Or lack of problems. ?Since MS started enabling a firewall by default
    Or need to play Half-Life. (Games are why my desktop is Windows, it
    runs CentOS comfortably in VirtualBox.)
    and supplying regular updates it mostly just works. ?I still run XP on
    my work laptop, close it to sleep with running apps, open to wake up (in
    seconds) on a different network, bouncing between wired/docked and
    wireless undocked transparently and it runs for months at a time.
    Another laptop at home does the same with Windows 7 (minus the dock).
    It has been much easier to use windows running the NX client with freenx
    on Linux than to keep working video drivers for native X on linux. ?I
    can boot into Linux on my work laptop, but why? ?The only real reason is
    if I want to access an ext3 formatted disk via USB and that turns out to
    work just as well under vmware player, keeping XP's more agile network
    management and leaving my other open apps running.
    Sadly, freenx is abandonware. So is neatx. (I've been working with
    them lately.) The clients and servers from NoMachine are pretty good,
    and play nicely on CentOS. (I'm using them now for personal use, which
    their license allows.) The new NX version 4 alpha release is very,
    very alpha. We'll see how it works out in the long term. I've been
    trying to pay them for licenses, but the licensing model hasn't fitted
    anything I can *explain* to the people who sign checks.
  • Drew at Feb 11, 2011 at 9:38 pm

    RHEL and CentOS have much, much tighter basic privilege handling. The
    complexity of the NTFS ACL structure, for example, is so frequently
    mishandled that it's often ignored and simply dealt with as
    "Administrator". The result is privilege escalation chaos.
    And how is the user-group-world permissions system any better?

    I work daily with both *nix & NTFS ACL's and given the choice I prefer
    NTFS' for the finer grained control.

    You want to create a folder in which user A & B have access to but
    nobody else? In *nix you create a group that both those users belong
    to and set the folder to use that group's permissions. In NTFS you set
    the ACL's so those two users have (almost) full access to the folder.
    Simple enough.

    Now say you need to create another folder which only users B & C have
    access to? In *nix you create another group, one that B & C belong to,
    and assign that group permissions to that folder. NTFS? Set the ACL's
    so that only B & C have access.

    Now let's say we want User A to have read only access to that second
    folder? They're not the owner, and don't belong to the group, so world
    permissions are your only choice. What if this folder is a
    confidential folder containing files the CEO & VP should be able to
    alter but the Admin Assistant needs to be able to pick files from? You
    really don't want a lowly peon down in shipping seeing the
    confidential memo now do you?

    In NTFS you just add user A to the folder with read only permissions.

    Now expand this out to hundreds of folders and watch the *nix groups
    multiply like rabbits.

    Admittedly a few areas of NTFS ACL's cause some confusion, inheritance
    and precedence rules among them, but if you take the time to read how
    they work and play with it before putting it into production it's
    actually quite easy to work with.

    RTFM? :-)

    --
    Drew

    "Nothing in life is to be feared. It is only to be understood."
    --Marie Curie
  • Joshua Baker-LePain at Feb 11, 2011 at 10:36 pm
    On Fri, 11 Feb 2011 at 6:38pm, Drew wrote
    RHEL and CentOS have much, much tighter basic privilege handling. The
    complexity of the NTFS ACL structure, for example, is so frequently
    mishandled that it's often ignored and simply dealt with as
    "Administrator". The result is privilege escalation chaos.
    And how is the user-group-world permissions system any better?

    I work daily with both *nix & NTFS ACL's and given the choice I prefer
    NTFS' for the finer grained control.
    Erm, *nix has fully functional ACLs as well. 'man setfacl'

    --
    Joshua Baker-LePain
    QB3 Shared Cluster Sysadmin
    UCSF
  • Johnny Hughes at Feb 11, 2011 at 11:48 pm

    On 02/11/2011 09:36 PM, Joshua Baker-LePain wrote:
    On Fri, 11 Feb 2011 at 6:38pm, Drew wrote
    RHEL and CentOS have much, much tighter basic privilege handling. The
    complexity of the NTFS ACL structure, for example, is so frequently
    mishandled that it's often ignored and simply dealt with as
    "Administrator". The result is privilege escalation chaos.
    And how is the user-group-world permissions system any better?

    I work daily with both *nix & NTFS ACL's and given the choice I prefer
    NTFS' for the finer grained control.
    Erm, *nix has fully functional ACLs as well. 'man setfacl'
    In fact, you can do things very easily with *nix acls that are very
    difficult in Windows. For example, you can set different 'Default'
    permissions (what will be on things created in the directory) than the
    permissions that are actually on the directory. You can set different
    masks for different groups or users in the same directory, etc.

    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: signature.asc
    Type: application/pgp-signature
    Size: 253 bytes
    Desc: OpenPGP digital signature
    Url : http://lists.centos.org/pipermail/centos/attachments/20110211/3439143e/attachment.bin
  • Joseph L. Casale at Feb 12, 2011 at 1:57 am

    In fact, you can do things very easily with *nix acls that are very
    difficult in Windows. For example, you can set different 'Default'
    permissions (what will be on things created in the directory) than the
    permissions that are actually on the directory. You can set different
    masks for different groups or users in the same directory, etc.
    That's not accurate. You can do exactly that very trivially with Container
    Inheritance flags only etc...
  • Johnny Hughes at Feb 12, 2011 at 4:52 am

    On 02/12/2011 12:57 AM, Joseph L. Casale wrote:
    In fact, you can do things very easily with *nix acls that are very
    difficult in Windows. For example, you can set different 'Default'
    permissions (what will be on things created in the directory) than the
    permissions that are actually on the directory. You can set different
    masks for different groups or users in the same directory, etc.
    That's not accurate. You can do exactly that very trivially with Container
    Inheritance flags only etc...
    It is NOT trivial in Windows to have the permissions on a directory set
    so that Bob has rwx permission on the directory, but when new files (or
    directories) are created in that directory Bob has r-- permissions on
    the files inside the said directory.

    You can "assign" different permissions on each file and directory in
    Windows by turning off inheritance and making an assignment. You can
    not easily make default create permissions be different than the
    container the objects are created in.

    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: signature.asc
    Type: application/pgp-signature
    Size: 253 bytes
    Desc: OpenPGP digital signature
    Url : http://lists.centos.org/pipermail/centos/attachments/20110212/7773949d/attachment.bin
  • John R Pierce at Feb 12, 2011 at 5:05 am
    regardless of the OS, any time you start to get tricky with per object
    permissions, before long you end up with a complex mess that's a pain in
    the butt to keep track of.
  • Les Mikesell at Feb 12, 2011 at 12:14 pm

    On 2/12/11 4:05 AM, John R Pierce wrote:
    regardless of the OS, any time you start to get tricky with per object
    permissions, before long you end up with a complex mess that's a pain in
    the butt to keep track of.
    And this is especially true if you don't first map the users to a group role or
    job position, then set appropriate permissions for files/directories based on
    the roles instead of the individuals that are temporarily involved with them.
    You really don't want to maintain systems by searching the entire filesystem for
    acls containing a user and changing it to some other user. And generally you'll
    want a mail group associated with the role as well. I always liked the way SME
    server let you associate users with groups in its web admin interface and then
    took care of the details of setting up permission groups and mail groups for
    you. Too bad it doesn't do LDAP to make it suitable for places with more than
    one server.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Nico Kadel-Garcia at Feb 12, 2011 at 7:50 am

    On Fri, Feb 11, 2011 at 9:38 PM, Drew wrote:
    RHEL and CentOS have much, much tighter basic privilege handling. The
    complexity of the NTFS ACL structure, for example, is so frequently
    mishandled that it's often ignored and simply dealt with as
    "Administrator". The result is privilege escalation chaos.
    And how is the user-group-world permissions system any better?

    I work daily with both *nix & NTFS ACL's and given the choice I prefer
    NTFS' for the finer grained control.

    You want to create a folder in which user A & B have access to but
    nobody else? In *nix you create a group that both those users belong
    to and set the folder to use that group's permissions. In NTFS you set
    the ACL's so those two users have (almost) full access to the folder.
    Simple enough.
    If you *need* that level, you use NTFSv4 ACL's. But the result is
    often that it gets so complex, so fast, that ever figuring out who
    ever owned or had access to something in the first place is a
    nightmare. It slows filesystems, it complicates backups, and it's
    proven itself fairly dangerous because of the tendency to toss in
    extraneous access.
    Now let's say we want User A to have read only access to that second
    folder? They're not the owner, and don't belong to the group, so world
    permissions are your only choice. What if this folder is a
    confidential folder containing files the CEO & VP should be able to
    alter but the Admin Assistant needs to be able to pick files from? You
    really don't want a lowly peon down in shipping seeing the
    confidential memo now do you?
    Yes, it solves some problems. But the complexity and inconsistencies
    get pretty nasty pretty fast, and I've found the results a nightmare
    in privilege escalation issues, and the mishandling so very common in
    basic system configuration files and common software that it's rarely
    worth the difficulty to resolve.
    In NTFS you just add user A to the folder with read only permissions.

    Now expand this out to hundreds of folders and watch the *nix groups
    multiply like rabbits.
    Only if you're trying for that fine a grain of control. If you need to
    handle that fine grained control, it's not a file system issue it's a
    procedural one.
    Admittedly a few areas of NTFS ACL's cause some confusion, inheritance
    and precedence rules among them, but if you take the time to read how
    they work and play with it before putting it into production it's
    actually quite easy to work with.

    RTFM? :-)
    Easy to work with, and way, way, way too common to screw up.
  • Natxo Asenjo at Feb 12, 2011 at 8:02 am

    On Sat, Feb 12, 2011 at 3:38 AM, Drew wrote:
    RHEL and CentOS have much, much tighter basic privilege handling. The
    complexity of the NTFS ACL structure, for example, is so frequently
    mishandled that it's often ignored and simply dealt with as
    "Administrator". The result is privilege escalation chaos.
    And how is the user-group-world permissions system any better?

    I work daily with both *nix & NTFS ACL's and given the choice I prefer
    NTFS' for the finer grained control.

    You want to create a folder in which user A & B have access to but
    nobody else? In *nix you create a group that both those users belong
    to and set the folder to use that group's permissions. In NTFS you set
    the ACL's so those two users have (almost) full access to the folder.
    Simple enough.
    in unix you can use acls as well. See getacl/setacl. No sweat.

    Anyway, neither in windows nor in unix/linux you want to specify
    permissions on a per user level. Always groups. If the user leaves the
    company and the permissions are on a per user level you need to start
    all over again. If on a per group level, just disable/remove the user
    from the group and it keeps working for the rest of members.

    Bonus points if you enable your helpdesk group to administer the groups
    and the children folders so you no longer have to waste any time with
    this boring stuff.

    --
    natxo
  • Christopher Chan at Feb 12, 2011 at 8:09 am

    On Saturday, February 12, 2011 09:02 PM, Natxo Asenjo wrote:
    On Sat, Feb 12, 2011 at 3:38 AM, Drewwrote:
    RHEL and CentOS have much, much tighter basic privilege handling. The
    complexity of the NTFS ACL structure, for example, is so frequently
    mishandled that it's often ignored and simply dealt with as
    "Administrator". The result is privilege escalation chaos.
    And how is the user-group-world permissions system any better?

    I work daily with both *nix& NTFS ACL's and given the choice I prefer
    NTFS' for the finer grained control.

    You want to create a folder in which user A& B have access to but
    nobody else? In *nix you create a group that both those users belong
    to and set the folder to use that group's permissions. In NTFS you set
    the ACL's so those two users have (almost) full access to the folder.
    Simple enough.
    in unix you can use acls as well. See getacl/setacl. No sweat.

    Anyway, neither in windows nor in unix/linux you want to specify
    permissions on a per user level. Always groups. If the user leaves the
    company and the permissions are on a per user level you need to start
    all over again. If on a per group level, just disable/remove the user
    from the group and it keeps working for the rest of members.
    And what do you do when you have cases that a user needs access to these
    set of files/directories but not all the files/directories the group has
    access to?
  • Tom H at Feb 12, 2011 at 9:16 am

    On Sat, Feb 12, 2011 at 8:09 AM, Christopher Chan wrote:
    On Saturday, February 12, 2011 09:02 PM, Natxo Asenjo wrote:

    Anyway, neither in windows nor in unix/linux you want to specify
    permissions on a per user level. Always groups. If the user leaves the
    company and the permissions are on a per user level you need to start
    all over again. If on a per group level, just disable/remove the user
    from the group and it keeps working for the rest of members.
    And what do you do when you have cases that a user needs access to these
    set of files/directories but not all the files/directories the group has
    access to?
    We create specific groups and netgroups for teams/subteams accessing
    specific shares and servers.
  • Natxo Asenjo at Feb 12, 2011 at 2:38 pm

    On Sat, Feb 12, 2011 at 2:09 PM, Christopher Chan wrote:
    On Saturday, February 12, 2011 09:02 PM, Natxo Asenjo wrote:

    Anyway, neither in windows nor in unix/linux you want to specify
    permissions on a per user level. Always groups. If the user leaves the
    company and the permissions are on a per user level you need to start
    all over again. If on a per group level, just disable/remove the user
    from the group and it keeps working for the rest of members.
    And what do you do when you have cases that a user needs access to these
    set of files/directories but not all the files/directories the group has
    access to?
    If you are in such a scenario, then you have not planned your folder
    structure well enough :-)

    What do you do when you have thousands of users in your company? Do
    you keep individual permissions or do you use group permissions?

    I know what I'd rather do, specially if I need to audit that folder
    structure.

    --
    natxo
  • Christopher Chan at Feb 12, 2011 at 7:20 pm

    On Sunday, February 13, 2011 03:38 AM, Natxo Asenjo wrote:
    On Sat, Feb 12, 2011 at 2:09 PM, Christopher Chan
    wrote:
    On Saturday, February 12, 2011 09:02 PM, Natxo Asenjo wrote:

    Anyway, neither in windows nor in unix/linux you want to specify
    permissions on a per user level. Always groups. If the user leaves the
    company and the permissions are on a per user level you need to start
    all over again. If on a per group level, just disable/remove the user
    from the group and it keeps working for the rest of members.
    And what do you do when you have cases that a user needs access to these
    set of files/directories but not all the files/directories the group has
    access to?
    If you are in such a scenario, then you have not planned your folder
    structure well enough :-)

    What do you do when you have thousands of users in your company? Do
    you keep individual permissions or do you use group permissions?

    I know what I'd rather do, specially if I need to audit that folder
    structure.
    You are assuming that company structure is somehow sensible. Just saying
    that 'always groups' may not work everywhere.
  • Les Mikesell at Feb 11, 2011 at 11:19 pm

    On 2/11/11 6:55 PM, Nico Kadel-Garcia wrote:
    you go back to '95 and look at the security/design flaws in shipping
    Linux products it is not pretty either. Pretty much everything had wide
    open holes in required network services like bind/sendmail/ftp as well
    as the kernel itself (wade through the changelogs on any of the programs
    if you aren't convinced). I do agree that pre XP/SP2 versions of
    windows were badly broken and still resent the trouble they caused, but
    it's probably time to forget that.
    Not as big, serioiusly. The separation between "userspace" and
    "kernelspace" and "root access" was much better than it has been in
    the Windows world.
    So exactly what couldn't you do after exploiting one of the holes in bind or
    sendmail or the kernel? It is only recently that bind was moved to a chroot and
    sendmail to mostly run as a non-root user.
    Sadly, freenx is abandonware. So is neatx. (I've been working with
    them lately.) The clients and servers from NoMachine are pretty good,
    and play nicely on CentOS. (I'm using them now for personal use, which
    their license allows.) The new NX version 4 alpha release is very,
    very alpha. We'll see how it works out in the long term. I've been
    trying to pay them for licenses, but the licensing model hasn't fitted
    anything I can *explain* to the people who sign checks.
    Yes, it's too bad memory wasn't cheap back when X was designed or maybe they
    would have done client caching in the first place.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Always Learning at Feb 11, 2011 at 11:43 am

    On Fri, 2011-02-11 at 10:58 -0500, m.roth at 5-cent.us wrote:

    mark "actually liked DOS"
    Me too!

    --

    With best regards,

    Paul.
    England,
    EU.
  • Robert Heller at Feb 10, 2011 at 5:08 pm

    At Thu, 10 Feb 2011 21:25:24 +0000 CentOS mailing list wrote:
    One of my VPS stopped working. After the data centre replaced a disk
    normal service resumed, then I notices this:

    CentOS release 5.5 (Final)
    Kernel 2.6.35.4 on an x86_64

    I always thought Centos 5.x would always be on 2.6.18. Any thoughts?
    Depending on what sort of VM system the data centre uses, it is possible
    to have a non-standard kernel. This is my VPS (CentOS 4.8):

    sauron.deepsoft.com% ssh sharky.deepsoft.com cat /etc/redhat-release
    CentOS release 4.8 (Final)
    sauron.deepsoft.com% ssh sharky.deepsoft.com uname -r
    2.6.18-194.17.1.el5.028stab070.7

    *I* don't have control over the kernel -- this is set up as part of the
    virtual machine setup, by the people I am renting the VPS from.


    _______________________________________________
    CentOS mailing list
    CentOS at centos.org
    http://lists.centos.org/mailman/listinfo/centos
    --
    Robert Heller -- 978-544-6933 / heller at deepsoft.com
    Deepwoods Software -- http://www.deepsoft.com/
    () ascii ribbon campaign -- against html e-mail
    /\ www.asciiribbon.org -- against proprietary attachments

Related Discussions

People

Translate

site design / logo © 2022 Grokbase