Posted by Jonathan
Variant Symlinks
Andrey V. Elsukov ported the variant symlinks from DragonFlyBSD to FreeBSD. Variant symlinks are symlinks with variables in them; when you access such a symlink, the variables are replaced with their contents. The variables can be set per-process, per-user, or per-system.
An example can be found here and the patchset for CURRENT can be found here. This is not committed yet.
New malloc committed to CURRENT
libc’s malloc(3) implementation has been replaced with Jason Evans’ newer version that should be faster for SMP systems. For now, all debugging, sanity, and statistics gathering options are enabled in order to find any problems. So your programs will run slower and will have a larger memory footprint until debugging is disabled.
Ruby 1.8.4 testers wanted
The update to Ruby 1.8.4 is pending and testers are wanted. The patch (get it here) requires some testing as the last update (to Ruby 1.8.3) was rolled back due to plist issues. After the 1.8.4 update, Pav Lucistnik wants to phase out Ruby 1.6 support.
Security Advisories
Four security advisories were released (1,2,3,4). The most serious one affects ipfw as ICMP IP fragments can crash the firewall.
(There are also two security fixes and two reliability fixes for OpenBSD; check the errata for details.)
Call for FreeBSD Status Reports
Max Laier called for the FreeBSD status reports. The reports are due on January 20th and the report will be published shortly afterwards.
UPDATE:
Ruby 1.8.4 is now in the tree.
UPDATE 2:
There is another security advisory for FreeBSD about an IEEE 802.11 buffer overflow. Details here.
Posted by Jonathan
Release schedule 2006
Scott Long posted the release schedule for 2006:
Jan 30: Freeze RELENG_5 and RELENG_6
Mar 20: Release FreeBSD 6.1
Apr 3: Release FreeBSD 5.5
Jun 12: Freeze RELENG_6
Jul 31: Release FreeBSD 6.2
Oct 23: Freeze RELENG_6
Dec 11: Release FreeBSD 6.3
5.5 will be the final release from the RELENG_5 tree. After this final release, the security team will provide security update support through 2007 but all FreeBSD users are strongly encouraged to evaluate FreeBSD 6. The primary focus for the 6.x releases is on bugfixes, performance enhancements, and incremental functionality and driver additions. FreeBSD 7.0, which is scheduled for June 2007, will bring new features.
XFS (read-only) support committed to CURRENT
Craig Rodrigues committed read-only XFS support that is based on the GPL sources by SGI. XFS partitions can be mounted with mount -t xfs device and additional utilities such as mkfs.xfs are available in the sysutils/xfsprogs port.
BSDInstaller Beta 2 release
The second release of FreeBSD install CDs based on the BSD Installer was announced by Andrew Turner.
The new Lua backend is now being used in this release rather than the older, deprecated C version.
The CD image is available from ftp://ftp.freebsd.org/pub/FreeBSD/snapshots/bsdinstaller/7.0-BSDINSTALLER-BETA-2-i386-disc1.iso.gz or your local mirror.
Changes Since BETA-1
* Can now install Source
* Can now install the Ports tree
* Can now install Packages
* Change to the new Lua backend
Known Problems
* Can only install to one drive, can’t have / on ad0 and /usr on ad1
* fdisk doesn’t alter the geometry
Posted by Jonathan
The Honeynet Project and Research Alliance announced some new releases:
New Honeynet Project CDROM
The Honeynet Project and Research Alliance announced the second public release of the “roo” Honeywall CDROM roo-1.0.hw-189. Among other changes and updates, the NAT support was dropped, support for a yum update repository was added, and sendmail was replaced with postfix.
Get the ISO here.
Sebek 3
A new version of Sebek 3, the kernel based monitoring tool, was announced:
This new version is compatible with the new Roo Honeywall / Gen III Honeynet architecture and includes the ability to monitor user input, identify network connections made by processes and record relationships between processes. Such abilities are integral to the new data analysis capabilities within the Roo Honeywall’s Walleye data analysis interface.
Furthermore, Sebek 3 for Windows was released.
Posted by Jonathan
The FreeBSD ports tree is unfrozen again and 6.0 BETA 3 was released. That means that we can expect the official release any time soon.
The FreeBSD Technical Review Team (TRB) is stepping down:
The TRB has not been called upon to resolve any technical disputes in quite a while. It seems that instead, developers have been able to discuss ideas and work out disputes either on arch@ or through some other means. There is certainly nothing wrong with this as the FreeBSD Project certainly wants to encourage open development. Given the TRB’s idleness, however, core@ feels that the TRB in its current state simply isn’t needed. If the need arises once again in the future for resolution of technical disputes beyond the currently available tools (public mailing lists, etc.), then either the TRB can be reinstated or perhaps some new approach could be used dependent on core@’s judgement at that time. Finally, the core team thanks the current members of the TRB for the service they have rendered over the past 2.75 years.
On behalf of core,
Don Lewis committed a change to the witness code in HEAD that speeds it up considerably.
I ran three different tasks as benchmarks:
cd /usr/src; make buildworld
cd /usr/ports; make index
cd /usr/ports/x11/gnome2; make clean
I ran the benchmarks without the WITNESS options, with the original witness code, and with the new witness code. My test hardware is an Athlon XP 2400+ box with 1G of RAM, SCSI disks, NFS client, and the DEBUG_NFS_LOCKS kernel option.
With this change, I’m seeing anywhere from a factor of 5.4 to a factor of 10.3 reduction in the system CPU time in the witness code. Enabling the original witness code increased the system CPU time by anywhere from 330% to 615%. With the new witness code, the system CPU time penalty for enabling witness dropped to about 60%, which was fairly consistent across the three benchmarks. Enabling the original witness code increased the wall time for these benchmarks anywhere from 69% (make buildworld) to 260%. With the new witness code, the wall time penalty decreased to the range 12% to 26%.
If you’ve been disabling witness because of the large performance penalty, you may find that this is no longer necessary.
I’ve got another potential performance boost in the hopper. I’ll release it if it pans out.
I’m planning on doing an MFC after 6.0-RELEASE.
There is also a new snapshot of the XFS for FreeBSD project available; it is for CURRENT only and gives you read-only access to XFS partitions.
R. Imura made some enhancements to kiconv that he plans to commit after the 6.0 release. His work is available Michael Bushkov’s nsswitch and cached release, Dario Freni’s FreeSBIE 2 toolkit, and Ivan Voras’ gjournal beta3.
BSDfreak.org has an interview with Elad Efrat of NetBSD. Elad Efrat is known for his Stephanie patchset for OpenBSD.
The OpenBSD team seeks ThinkPad users in order to test the latest snapshot. There were some changes in suspending that need to be tested on the following laptops:
- ThinkPad R50, R50p, R51, R52
- ThinkPad T41, T41p, T42, T42p, T43, T43p
- ThinkPad X40
- ThinkPad X41, X41 Tablet
Try running the latest snapshot (08/27/05 06:49:00)
Check they have working aps via
sysctl hw.sensors
Numbers should change when tilting the laptop.
Suspend the system ie
zzz
Resume and check they still have normal looking numbers when running the same sysctl command again?
We need this to be tested on as wide a range of models as possible ASAP.
Send all reports positive and negative alike to djm@ and me.
Posted by Jonathan
There were some updates from the FreeBSD Summer of Code projects.
Ivan Voras released a first version of a GEOM journaling layer:
It’s a journaling layer in GEOM subsystem. The intention is to provide devices (on which maybe filesystems are hosted) with data journaling capabilities.
...
gjournal connects (“consumes”) two devices – one is the “data device” that is the target for journaling, and the other is “journal device” on which data is journaled. For every write request, its data is written on the journal device, and after some time transferred to the data device.
...
More information is available at:
http://wikitest.freebsd.org/moin.cgi/gjournal
Csaba Henk is working on an ssh-based virtual filesystem and on porting Fuse – Filesystem in Userspace to FreeBSD. He also released a first version and asks for help in debugging. His work is available at the SoC wiki.
Michael Bushkov is working on improving the nsswitch subsystem:
The patch for security/openssh-portable port is ready. It allows openssh to get the host keys not only from the ssh_known_hosts file, but from all possible nsswitch sources too. Files and NIS sources are implemented.
Here is the link to download the patch.
To add the NIS map, copy the appropriate ssh_known_hosts file to the yp.src folder and then run the patched Makefile. The patch for the /var/yp/Makefile is here.
After patching, OpenSSH will still use ~/.ssh/known_hosts files, but instead of looking through /usr/local/etc/ssh/ssh_known_hosts file directly, it will use nsswitch. So, with the help of the NIS, the known_hosts keys can be shared among different hosts.
Apart from the progress on the Summer of Code projects there was of course other work.
Poul-Henning Kamp created a survey of buildoptions for the FreeBSD src tree. It is available here.
Emanuel Strobl is working on ggtab, the counterpart to fstab for ggatec (like gg.exports to exports). He is trying to make some rcNG compatible startup scripts to include ggated and ggatec in the boot process. See his mail for details.
Furthermore, Colin Percival committed Portsnap to the base system:
About 12 hours ago I committed portsnap to HEAD. From the commit log:
Add portsnap to the base system. This is a secure, easy to use, fast, lightweight, and generally good way for users to keep their ports trees up to date.
In particular, users who just want to keep their ports tree up to date and don’t want to do anything unusual (keeping a complete repository, checking out old versions of the ports tree, getting themselves rooted via a man-in-the-middle attack on cvsup, etc.) will probably find that portsnap is a very useful tool.
There are several changes between the version in the ports tree and the version I committed to HEAD, but the only one which most users should notice is that the default location of portsnap’s compressed snapshot has moved from /usr/local/portsnap to /var/db/portsnap.
See his mail for details.
Posted by Jonathan
The honeynet project that aims to “improve the security of the internet by providing cutting-edge research for free” has some interesting updates. The honeynet project develops tools for honeypots, shares research results and papers, and publishes the Scan of the Month challenges.
They released a new version of Sebek. Sebek is a kernel based monitoring tool originally built to circumvent session encryption and monitor user input. It is used when you want to be able to log and analyze encrypted communications like SSH of intruders on your honeypots. It operates in a client/server model where the client lives on your honeypot and logs all information to a Sebek server. The new features of version 3 are:
- Process Tree Monitoring.
- Socket tracking to relate host and network activity.
- File Opening monitoring to identify all files opened by a process.
For more information see the announce message.
Another updated tool is the Honeywall CD. The Honeywall CD is a complete GenIII honeypot that enables the user to easily deploy honeypots. The new release “Roo” is not a LiveCD like its predecessor and incorporates these features:
- Automated, headless installation to your local hard drive.
- Robust, hardened OS base that includes automated updates of OS and Honeywall packages.
- Vastly improved hardware and international keyboard support.
- New GUI “Walleye” for remote administration and robust, real time data analysis.
- Optional command-line tool ‘hwctl’ for administration.
- Integration of the new Sebek format, 3.x.
- Designed as a distributed solution.
For more information read the paper about the Honeywall CD.
Furthermore, the project released a new paper about phishing and an individual papers section on the website.
A bit older but still interesting is the tool mwcollect that is designed for the automated collection of malware. Read the paper about tracking botnets for details.
If you are interested in these topics be sure to read their book Know your Enemy, second edition. I’ve read it and it is really good. It describes the background, the different generations of honeypots, how to build and deploy them, and how to analyze the logs and traffic with tcpdump, Ethereal, snort and ACID.
Posted by Jonathan
Poul-Henning Kamp uploaded his BSDCan 2005 ioctl-presentation.
Han Boetes released a new version of his OpenBSD-binary-upgrade script. He uses it to do a binary upgrade from snapshot to snapshot but it can also be used to upgrade from 3.6 to 3.7.
On http://openbsd.somedomain.net you can get torrents of OpenBSD (snapshots and releases). The torrents are generated automatically on a server that is rsynced to ftp3.usa.openbsd.org every 4 hours. Thanks to Andrew Fresh for this service.
Slashdot published a link to a chapter of ‘Operating Systems Concepts’. This chapter examines the Mach Kernel.
Apple released an article about system startup on Tiger. It covers the new launchd daemon that is supposed to replace init/mach_init and StartupItems. Mac Geekery also has some tips for launchd.