Wednesday Sep 24, 2014

getcwd(NULL, 0) revisited

Earlier I claimed that the POSIX standard didn't allow an extension in which the following statement returned anything other than NULL while setting errno to EINVAL:

char *cwd = getcwd(NULL, 0);

However, standard also says:

"If buf is a null pointer, the behavior of getcwd() is unspecified."

so the GNU/Linux extension is perfectly legal.  I was clearly wrong.

As many application check for this behavior when configuring, replacing the standard Solaris getcwd() with a concoction which runs much slower and fails more often, when Solaris getcwd() is found wanting, we're changing getcwd() to allocate sufficient memory when it is called with a buffer pointer of NULL and a size of zero.

Of course, you could already have that in Solaris 11, if you replaced getcwd(NULL, 0) with realpath(".", NULL).

Addendum: this fix is included in Solaris 11.2 SRU 3

Monday May 26, 2014

Solaris 11.2: presentations in Holland

I'm giving a presentation on Solaris 11.2 new features among others in June  12th and 19th,2014; register here:

I'll be highlighting some new features but will also show how new and old features are combined and how Solaris 11 is our first operating system with a holistic design philosophy.

Friday May 16, 2014

Solaris 11.2: unlink(2)/link(2) for directories: your time is up.

Some thirty years ago, the 4.2BSD Unix release included two new system calls: mkdir(2) and rmdir(2).  Before that time, in order to make a directory, you first needed to call mknod(2) and create the "." and ".." links.  When you remove a file, you would remove those two links and finally unlink the directory itself. As you couldn't call mknod(2) as an ordinary user nor could you call unlink(2) on a directory, the mkdir(1) and rmdir(1) commands were set-uid root.  A cursory inspection of the UNIX-V7 showed that both commands likely had security bugs.

Did 4.2BSD remove the ability to link or unlink directories?  It didn't.  It was probably kept temporarily for backward compatibility.  But many years later, and many Unix releases later, it is still their; neither Sun in SunOS or Solaris, nor Oracle in Solaris 11/11 or 11.1.

If you ask fsck(1m), the final arbiter about what is a valid UFS file system, it will complain loudly and it generally required system admin intervention when you made an additional hardlink to a directory; this was later hidden by logging UFS; fsck was hardly ever run since the introduction of UFS logging especially once it became the default.  In tmpfs it was a good way to lose swap, hide data or confuse the kernel. Special code was needed in find(1) and du(1) to not lose their way when the file system isn't a tree but rather a cyclic graph.

It is one of the reasons why, when Solaris Zones were developed, we decided that non-global zones can only be run without the {SYS_LINKDIR} privilege and that when we introduced ZFS it came without the ability to use link(2) or unlink(2) on directories.  VxFS also doesn't allow additional hardlinks to directories. And no-one complained!

This discrepancy between the global zone and non-global zones and ZFS versus the rest and it gave us problems when developing code; code run in tmpfs file system in the global zone, suddenly stopped working when moved to a non-global zone; code that worked before in UFS stopped working when moved to ZFS or to a non-global zone.  As Linux never allowed unlink(2) on directories, code developed there might suddenly have disastrous effect on Solaris when it was run with (not-so) appropriate privileges under Solaris.  There were at least two cases during the development of Solaris 11.2 when we were bitten by this problem for code we developed ourselves.

The time has arrived to disable link(2) and unlink(2) on directories; and that is what we have done in Solaris 11.2.  The {SYS_LINKDIR} privileges still exists in Solaris 11.2 but it is obsolete and has no effect.  We will likely remove it in a future minor release.

Is this a sudden incompatible change?  Perhaps, but is well within the limits of the specification and using this feature only leads to downtime and support calls. Sorry for removing this rope from your toolbox.

Monday May 12, 2014

Solaris 11: Evolution of v_path.

In Solaris 10, Eric Schrock (now at Delphix) added vnode-to-pathname functionality in the kernel; it stored the pathname used to find a file in the vnode but it did not handle renames nor did it elide ".." from the stored pathnames; the pathname stored was generally a full pathname from the root from the global zone.  It was used for getcwd(3) and for path subdirectory in /proc/pid/.

The v_path was implemented as a hint and whenever it was retrieved, e.g., for getcwd(3) or for the /proc file ssytem, the actual path was computed and the current zone's root directory was removed.

When I started to work on the Extended Policy and later on the Immutable Global zone, it was clear that the v_path was very useful but it wasn't ready for those projects.

The Immutable Non-Global Zone (Solaris 11/11)

In the IMNGZ we need to compute the pathname and then check the pathname against the black-list and the white-list; however, where we are doing that the kernel is deep inside the file system code and we can't verify and recompute the pathname as we might be hold locks that we need further down; but since we are protecting a particular set of files and those files cannot be changed or renamed, it is safe to use the v_path as if it is more than a hint.  We did need to elide ".." and simplify pathnames; this is done directly when we are setting the v_path for a newly created pathname and if the code tries to add a ".." it instead removes the last component of the pathname. We did need to prevent linking protected files into the non-protected file space as that would circumvent the MWAC(5) protection offered in an IMNGZ.

The Extended Policy (Solaris 11.1)

The Extended Policy applies to all filenames in the filesystem, including those that can be renamed.  This is why we put some effort in handling renames better.  We now update the v_path name on rename(2) in all file systems; in the case of a link(2) we also handle this as a rename(2) as the observation is that the new name outlives the first name.  This new behavior works well with leaf nodes but there is no efficient algorithm that can handle the rename of a directory and all its children, yet we have no option other than using v_path for the same reasons we have for the IMNGZ. When we recalculate the pathname, e.g., for /proc or for getcwd() and we find it wanting, we update the v_path to the newly computed path, including all directories making up the full pathname.

One possible security risk is that a vnode has an incorrect v_path and the Extended Policy gives more privileges on that v_path then it gives for the actual pathname.  As this can only happen if the file once lived in that location this is not actually a risk at all; the process was able in the past to use those privileges on that file. We do make sure that linking is not allowed when the Extended Policy gives more privileges for the new pathname.

An update was needed for the secpolicy_*() routines to allow the Extended Policy to make a decision about files or directories that do not exist yet; as an extra benefit privilege debugging now gives even more information as we have more information deep down in the policy routines:

solaris11.0$ ppriv -De mkdir /casper
mkdir[11162]: missing privilege "ALL" (euid = 12345, syscall = 102) for "/" needed at zfs_zaccess+0x2c8
mkdir: Failed to make directory "/casper"; Permission denied

In Solaris 11.1 we know the full filename to be created and also show that with privilege debugging:

solaris11.1$ ppriv -De mkdir /casper
mkdir[13924]: missing privilege "ALL" (euid = 12345, syscall = 102) for "/casper" needed at zfs_zaccess+0x245
mkdir: Failed to make directory "/casper"; Permission denied

In Solaris 11.2 we also show the sycall name:

solaris 11.2$ ppriv -De mkdir /casper
mkdir[17488]: missing privilege "ALL" (euid = 12345, syscall = "mkdirat") for "/casper" at zfs_zaccess+0x245
mkdir: Failed to make directory "/casper"; Permission denied

Getcwd(3), realpath(3) fixes.

As part of the Extended Policy project, fixes to getcwd() and realpath() were made during the development of Solaris 11.1.  We've also put some of these fixes in 11.0 SRUs and in Solaris 10 patches. These fixes are the following:

  • Improved getcwd()/realpath() performance in zones.
  • Improved getcwd()/realpath() performance in the case of renaming (in some cases 1000x faster)
  • Fix getcwd() for chrooted process when the current working directory is not under the root directory. (This was a regression of the in-kernel getcwd())
  • Don't fail with EACCES so quickly
  • No limit on the size of the returned path from getcwd() and realpath()
  • realpath() moved into the kernel and the frealpath() system call (Solaris 11.1 and later only)

Several operating systems have "extended" getcwd(3) to return an unrestricted pathname when called as follows:

   char *cwd = getcwd(NULL, 0);

unfortunately, this is strictly forbidden by the standard:

     The getcwd() function shall fail if:


     EINVAL    The size argument is 0.

So in Solaris you have to loop with a longer and longer buffer until getcwd() no longer returns NULL with errno set to ERANGE or you could use realpath(".", NULL) in which case we can return a long pathname.

Both are actually a lot faster than running your own userland getcwd() implentation and such implementations are more likely to fail.

Friday May 02, 2014

Solaris 11.2: No Limits

In the past, I have increased a number of limitations in Solaris:

  • In Solaris 11.0, I increased NGROUPS_MAX to 1024 (from 32); also available since Solaris 10u8.
  • In Solaris 11.1, I added support for more than 16 groups for NFS AUTH_SYS authentication
  • In Solaris 11.1, I changed the system calls getcwd() and realpath() to support returning pathnames longer than MAXPATHLEN (and introduced frealpath() while I was in that code)

So what did I change in Solaris 11.2?   It was about time to look at the restrictions of user names and group names.

In a micro release, such as a Solaris 11 update, we cannot modify constants such as LOGNAME_MAX because of binary compatibility, we can only do that in a future minor release.  However, we can modify the code that limit usernames.  These are the bugs we have fixed and this shows how much work it actually was:

    14933330 SUNBT4033673 getlogin causes passwd to fail if login name is longer than 8 chars
    14954449 SUNBT4109819 programs inconsistently limit the size of user names
    15059729 SUNBT4435330 logname(1) prints out only part of long login name
    15178384 SUNBT4927530 *w* w(1) truncates usernames to 8 chars
    15393621 SUNBT6551524 su truncates LOGNAME for long usernames.
    15436992 SUNBT6627292 *cron* confused about username lengths
    15550167 SUNBT6819489 *su* sulog source username truncated to 8 chars but not destination
    15574163 SUNBT6857992 ps -u does not support usernames longer than 10 chars
    15579148 SUNBT6866548 last command does not support usernames longer than 8 characters
    17528753 group name handling in Solaris is a standards violation
    17528788 useradd(1m) user name handling problems
    17600453 bug 15226690, find with long usernames, not completely fixed
    17600724 The fix for 14954449 misses some programs (in.rlogind, in.rshd. zone*, dump)
    17625438 group file updates very inefficient.
    17625458 pwck lives in the past
    18068180 SunSSH truncates usernames/home directories with %.100s
    18068355 A few programs still limit the size of user names.
    18068215 passmgmt invents its own limits for the sizes of entries in /etc/passwd

In generaly, the code was changed to lift limits, but we are generally limited by the format of the utmpx file.  The maximum length of a username that can be stored there, is 32 bytes.  This is now a safe limit and we support user names in length upto 32 characters, despite protests from useradd(1m).  getlogin() and getlogin_r() can return a string of at most 33 characters, including the final NUL character.  Of course, getlogin_r() will not store past the end of the buffer given to it but it will now accept a buffer of any size.   Programs changed are, among others:

  • logname(1)
  • w(1)
  • who(1)
  • last(1)
  • ls(1)  - now a 64 bit executable
  • find(1) - now a 64 bit executable
  • passmgmt(1)
  • useradd/usermod/roleadd/rolemod(1m)
  • sshd(1mr)
  • repquota(1m)
  • zfs(1)
  • yppasswd(1)
  • tar(1)
  • lastcomm(1)
  • cron(1) etc
  • newtask(1)
  • ps(1)
  • wall(1)
  • rwall(1)
  • zlogin(1)
  • grpck(1)
  • pwck(1)
  • login(1)
  • in.rexecd(1m), in.rshd(1m), in.rlogind(1m)

And libraries such as libsocket (remote shell/remote login/rexec protocol)

I could only wonder why so many applications cache the return value of getpwuid() and getgrgid() while doing that in a fixed sized character array.

For reasons only known in New-Jersey, we didn't allow groupnames over 8 characters while limiting the characters to lower case and digits; as there is no manifest constant defining the size of a group name, there is no problem increasing it so we currently support upto 32 characters and we now accept all portable file name characters in a group name (lower and upper case, digits, dot, hyphen and underscore as long as the name doesn't start with a hyphen. Other than programs caching the result of getpwuid(), I found no other limits on the length of a group name in our code.

Thursday May 01, 2014

Solaris 11.2: Immutable Global Zone

This is blog is a bit more substantial; it requires some knowledge about Solaris Zones, Immutable Zones and Solaris administration in general. It is high-level; in future I'm hoping to get down to the nuts and bolts.

Immutable Zones

In Solaris 11 we added the Read-Only Root Non-Global Zones, marketed as Immutable Zones; this is a feature that makes a zone tamper-proof.

In an Immutable Zone is configured simply by setting the "file-mac-profile" to one of "strict" (not much writeable), "fixed-configuration" and "flexible-configuration" (configuration is writeable but binaries and such or not). This is all implemented in the kernel based on pathnames and depending on the context; the super-user in the global zone can still update the zone or even modify protected files as long as that is not done from within the zone.

We have made some changes to Immutable Non-Global Zones (IMZ, for short) that came out of developing the Immutable Global Zones (IMGZ); we have added a new feature, the "Trusted Path (TP)"; when logged in through the Trusted Path using the "-T" option to zlogin(1m), you can now modify protected files from within the zone. This is much safer as you no longer need to give root access in the global zone nor do you need to boot the IMZ in writeable mode. In the following example, we log in to the zone "fixed" which has been configured with the fixed-configuration file-mac-profile. A normal root login doesn't allow us to modify "/etc/passwd"; I'm using touch(1) under privilege debugging to illustrate the error and was caused the error. When we login with the "-T" option we suddenly can modify "/etc/passwd" because we're now in the Trusted Path. Notice also that the output from privilege debugging has been clarified; it points to the MWAC(5) manual page and it now also lists the system call name and not the number as it did before.

# zlogin fixed
[Connected to zone 'fixed' pts/3]
Oracle Corporation      SunOS 5.11      11.2    April 2014
root@fixed:~# ppriv -De touch /etc/passwd
touch[117063]: MWAC(5) policy violation (euid = 0, syscall = "utimensat") for "/etc/passwd" at fop_setattr+0x10b
touch: cannot change times on /etc/passwd: Read-only file system
root@fixed:~# logout
[Connection to zone 'fixed' pts/3 closed]

# zlogin -T fixed
[Connected to zone 'fixed' pts/3]
Oracle Corporation      SunOS 5.11      11.2    April 2014
root@fixed:~# ppriv -De touch /etc/passwd

Additionally, we have restricted the use of mount(1m) in an IMZ, while we allowed random loopback mounts before we now only allow loopback mounts on empty directories unless the file or directory isn't protected by MWAC(5).

Immutable Global Zone

In order to prevent tampering of the file system, we have extended Immutable Zones in Solaris 11.2 to the global zone; using the same mechanism you can now configure the global zone as an IMGZ. As there is no "super-global" zone, a different mechanism has been designed to enter the Trusted Path. A kernel-zone still has a bare-metal zone controlling it, so this doesn't apply to kernel zones. Some additional steps need to be taken and they are listed here.

Preparing the global zone for immutable global zone.

As maintenance of the global zone is only possible using the Trusted Path access; Trusted Path is only available on the console, so make sure the console is accessible through the ILOM, a serial connection or through the graphical console.

Once a system is configured as an immutable global zone, the break sequence, F1-A on a graphical console, <break> or the alternate break sequence (CR-tilde-<ctl-b>) on a serial console, will instead start the Trusted Path login. (A immediate second break sequence will work as a standard break-sequence: start the kernel debugger (if it is loaded), drop to the OBP, etc)

Configuring the Global Immutable Zone

The configuration of the global zone is done through zonecfg(1m) by picking the appropriate file-mac-profile for your situation; they allowed values are the same for non-global immutable zones: "strict", "fixed-configuration", "flexible-configuration". See zonecfg(1m).

Note that if the system uses DHCP to set network interfaces, the "flexible-configuration" must be selected.

        # zonecfg -z global
        zonecfg:global> set file-mac-profile=flexible-configuration
The "rpool" dataset will be restricted but sub dataset can be unrestricted using "add dataset"
        zonecfg:global> add dataset
        zonecfg:global:dataset> set name=rpool/export
        zonecfg:global:dataset> end

        zonecfg:global> add dataset
        zonecfg:global:dataset> set name=rpool/zones
        zonecfg:global:dataset> end
In this example we add "rpool/export" and "rpool/zones"; writable data sets for users and for zones. An immutable global zone can only run zones in unrestricted datasets. All the children of an unrestricted dataset are also unrestricted.

Note that all datasets on other zpools are unrestricted and there is no needed to add them with "add dataset".

After committing the zonecfg boot information is written and the boot archive is updated:

        zonecfg:global> commit
        updating /platform/sun4u/boot_archive
When the system is configured, it should be rebooted the system will boot with an immutable global zone.

Maintenance of the immutable global zone

An immutable zone cannot be updated other then through the Trusted Path login or when the system is booted in writeable mode by using the "-w" flag when booting. Note that if you try to reboot the immutable zone with "reboot -- -w", the argument is ignored when not performed through the Trusted Path login.

After using the break-sequence on the console, you should be greeted with:

        trusted path console login:
Login and assume the root role; at that point ordinary commands used to update the system are available; this includes "pkg update", "beadm activate" or also "zonecfg" if the need arises to change the global zone's configuration.

A separate pam stack can be configured for tpdlogin(1).

When "pkg update" is performed, the first boot of the immutable global zone is read write; this is needed by the system to perform the needed self-assembly steps. When the self-assembly steps have been performed, the system will reboot and in this second boot the system will be immutable again.

Wednesday Apr 30, 2014

Solaris 11.2: User, Pid and Commands in netstat(1m)

As it has been years since I've blogged, let me start with one of smallest features I added to Solaris 11.2; an option to netstat(1m), allowing administrators to figure out who is using which port and which with process or command is using a particular network connection.

As there little or no similarity between other netstat implementation, we picked our own option letter "-u". At the same time we realigned the columns as the standard width didn't fit modern TCP window sizes, the length of Unix sockets, etc. We've also removed, for unprivileged users, unusable information such as the "kernel addresses", leaving a bit more room, though an 80 width terminal isn't really enough room for all of the information. Alignment only guaranteed with -n, of course.

Our implementation doesn't use /proc like the Linux implementation uses nor does it look through /dev/kmem like lsof(1m) does; instead we get the information available direct in the kernel. While some of the information might be out of date, we can give information about sockets in TIME_WAIT or CLOSE_WAIT, even when the latter sockets haven't been accepted yet! Additionally, those sockets owned by the kernel are also listed. This works in the global zone, non-global zones, kernel zones *and* even in Solaris 10 branded zones; the latter uses the "native" Solaris 11.2 netstat command.

Here is some sample output, partially hidden by how we format blogs (so, install Solaris 11.2 and all will be revealed)

% netstat -aun

   Local Address        Remote Address      User    Pid      Command       State
-------------------- -------------------- -------- ------ -------------- ----------
      *.50258                             root       1038 syslogd        Idle
      *.*                                 root        133 in.mpathd      Unbound
      *.*                                 root        133 in.mpathd      Unbound
      *.*                                 netadm      721 nwamd          Unbound
      *.*                                 netadm      721 nwamd          Unbound
      *.123                               root        961 ntpd           Idle
      *.123                               root        961 ntpd           Idle                             root        961 ntpd           Idle
10.311.249.18.123                         root        961 ntpd           Idle
      *.111                               daemon      980 rpcbind        Idle
      *.*                                 daemon      980 rpcbind        Unbound
      *.41327                             daemon      980 rpcbind        Idle
      *.111                               daemon      980 rpcbind        Idle
      *.*                                 daemon      980 rpcbind        Unbound
      *.37058                             daemon      980 rpcbind        Idle
      *.*                                 root        988 in.ndpd        Unbound
      *.*                                 root        999 statd          Unbound
      *.*                                 root        999 statd          Unbound
      *.39150                             root        999 statd          Idle
      *.43382                             root        999 statd          Idle
      *.4045                              daemon     1008 lockd          Idle
      *.4045                              daemon     1008 lockd          Idle
      *.56874                             root       1004 inetd          Idle
      *.37069                             root       1004 inetd          Idle
      *.42765                             root       1148 mountd         Idle
      *.64957                             root       1148 mountd         Idle
      *.2049                              root       1150 nfsd           Idle
      *.2049                              root       1150 nfsd           Idle

   Local Address                     Remote Address                   User    Pid      Command       State      If
--------------------------------- --------------------------------- -------- ------ -------------- ---------- -----
      *.*                                                           root        133 in.mpathd      Unbound    
      *.*                                                           netadm      721 nwamd          Unbound    
      *.123                                                         root        961 ntpd           Idle       
::1.123                                                             root        961 ntpd           Idle       
      *.111                                                         daemon      980 rpcbind        Idle       
      *.*                                                           daemon      980 rpcbind        Unbound    
      *.41327                                                       daemon      980 rpcbind        Idle       
      *.*                                                           root        988 in.ndpd        Unbound    
      *.39150                                                       root        999 statd          Idle       
      *.4045                                                        daemon     1008 lockd          Idle       
      *.37069                                                       root       1004 inetd          Idle       
      *.42765                                                       root       1148 mountd         Idle       
      *.2049                                                        root       1150 nfsd           Idle       

   Local Address        Remote Address      User     Pid     Command     Swind  Send-Q  Rwind  Recv-Q    State
-------------------- -------------------- -------- ------ ------------- ------- ------ ------- ------ -----------             *.*            root        133 in.mpathd           0      0  128000      0 LISTEN
      *.111                *.*            daemon      980 rpcbind             0      0  128000      0 LISTEN
      *.*                  *.*            daemon      980 rpcbind             0      0  128000      0 IDLE
      *.111                *.*            daemon      980 rpcbind             0      0  128000      0 LISTEN
      *.*                  *.*            daemon      980 rpcbind             0      0  128000      0 IDLE
      *.36887              *.*            root        999 statd               0      0  128000      0 LISTEN
      *.65159              *.*            root        999 statd               0      0  128000      0 LISTEN
10.311.249.18.58810  10.312.132.13.636    root        851 nscd            49232      0  128872      0 ESTABLISHED
      *.4045               *.*            daemon     1008 lockd               0      0 1049200      0 LISTEN
      *.4045               *.*            daemon     1008 lockd               0      0 1048952      0 LISTEN
      *.22                 *.*            root       1030 sshd                0      0  128000      0 LISTEN               *.*            root       1068 sendmail            0      0  128000      0 LISTEN              *.*            root       1068 sendmail            0      0  128000      0 LISTEN
      *.47629              *.*            root       1148 mountd              0      0  128000      0 LISTEN
      *.35906              *.*            root       1148 mountd              0      0  128000      0 LISTEN
      *.2049               *.*            root       1150 nfsd                0      0 1049200      0 LISTEN
      *.2049               *.*            root       1150 nfsd                0      0 1048952      0 LISTEN             *.*            pkg5srv    1600                     0      0  128000      0 LISTEN
10.311.249.18.857    10.311.246.25.2049   casper        0 <kernel>        49232      0 1049800    116 ESTABLISHED
10.311.249.18.22     10.311.249.34.64127  root       1030 sshd           263536     63  128872      0 ESTABLISHED             *.*            casper     1969 sshd                0      0  128000      0 LISTEN

   Local Address                     Remote Address                   User    Pid      Command      Swind  Send-Q  Rwind  Recv-Q   State      If
--------------------------------- --------------------------------- -------- ------ -------------- ------- ------ ------- ------ ----------- -----
::1.5999                                *.*                         root        133 in.mpathd            0      0  128000      0 LISTEN      
      *.111                             *.*                         daemon      980 rpcbind              0      0  128000      0 LISTEN      
      *.*                               *.*                         daemon      980 rpcbind              0      0  128000      0 IDLE        
      *.36887                           *.*                         root        999 statd                0      0  128000      0 LISTEN      
      *.4045                            *.*                         daemon     1008 lockd                0      0 1049200      0 LISTEN      
      *.22                              *.*                         root       1030 sshd                 0      0  128000      0 LISTEN      
::1.25                                  *.*                         root       1068 sendmail             0      0  128000      0 LISTEN      
      *.47629                           *.*                         root       1148 mountd               0      0  128000      0 LISTEN      
      *.2049                            *.*                         root       1150 nfsd                 0      0 1049200      0 LISTEN      
::1.6010                                *.*                         casper     1969 sshd                 0      0  128000      0 LISTEN      
::1.51794                         ::1.6010                          casper     1970 xterm           130880      0  139264      0 ESTABLISHED 
::1.6010                          ::1.51794                         casper     1969 sshd            139060      0  130880      0 ESTABLISHED 

Active UNIX domain sockets
Type       User        Pid Command        Local Address                           Remote Address
stream-ord casper     1969 sshd            (socketpair)                            (socketpair)
stream-ord casper     1969 sshd            (socketpair)                            (socketpair)
stream-ord casper     1969 sshd            (socketpair)                            (socketpair)
stream-ord casper     1969 sshd            (socketpair)                            (socketpair)
stream-ord casper     1969 sshd            (socketpair)                            (socketpair)
stream-ord root        372 dbus-daemon    /var/run/dbus/system_bus_socket
stream-ord root       1028 rmvolmgr                                               /var/run/dbus/system_bus_socket
stream-ord root        372 dbus-daemon    /var/run/dbus/system_bus_socket
stream-ord root        943 hald                                                   /var/run/dbus/system_bus_socket
stream-ord root       1004 inetd          /system/volatile/inetd.uds
stream-ord root        943 hald           /system/volatile/hald/dbus-TM2nMhzrpM
stream-ord root        993 hald-addon-sto                                         /system/volatile/hald/dbus-TM2nMhzrpM
stream-ord pkg5srv    1601 httpd.worker   /system/volatile/pkg/sysrepo/wsgi.1601.0.1.sock
stream-ord root        943 hald           /system/volatile/hald/dbus-TM2nMhzrpM
dgram      root        988 in.ndpd        /system/volatile/in.ndpd_mib
stream-ord root        988 in.ndpd        /system/volatile/in.ndpd_ipadm
stream-ord root        970 hald-addon-cpu                                         /system/volatile/hald/dbus-TM2nMhzrpM
stream-ord root        943 hald           /system/volatile/hald/dbus-MIhDasTVfy
stream-ord root        944 hald-runner                                            /system/volatile/hald/dbus-MIhDasTVfy
stream-ord root        943 hald           /system/volatile/hald/dbus-MIhDasTVfy
stream-ord root        943 hald           /system/volatile/hald/dbus-TM2nMhzrpM
stream-ord root        372 dbus-daemon    /var/run/dbus/system_bus_socket
stream-ord root        922 console-kit-da                                         /var/run/dbus/system_bus_socket
stream-ord root        196 rad            /system/volatile/rad/radsocket-unauth
stream-ord root        372 dbus-daemon     (socketpair)                            (socketpair)
stream-ord root        372 dbus-daemon     (socketpair)                            (socketpair)
stream-ord root        196 rad            /system/volatile/rad/radsocket
stream-ord root        372 dbus-daemon    /var/run/dbus/system_bus_socket
Adding the option -v, you also get command line:
   Local Address        Remote Address      User    Pid     State       Command
-------------------- -------------------- -------- ------ ---------- ----------------
      *.50258                             root       1038 Idle       /usr/sbin/syslogd
      *.*                                 root        133 Unbound    /lib/inet/in.mpathd
      *.*                                 root        133 Unbound    /lib/inet/in.mpathd
      *.*                                 netadm      721 Unbound    /lib/inet/nwamd
      *.*                                 netadm      721 Unbound    /lib/inet/nwamd
      *.123                               root        961 Idle       /usr/lib/inet/ntpd -p /var/run/ -g
And for half-closed connection, you'd also get the information you want:
   Local Address        Remote Address      User     Pid     Command     Swind  Send-Q  Rwind  Recv-Q    State
-------------------- -------------------- -------- ------ ------------- ------- ------ ------- ------ -----------       casper     1033 closewait      130880      0  139264      0 FIN_WAIT_2      casper     1031 closewait      139264      0  130880      0 CLOSE_WAIT       casper     1033 closewait      130880      0  139264      0 FIN_WAIT_2      casper     1031 closewait      139264      0  130880      0 CLOSE_WAIT       casper     1033 closewait      130880      0  139264      0 FIN_WAIT_2      casper     1031 closewait      139264      0  130880      0 CLOSE_WAIT

PS: I used the Hollywood IP extension to masquerade the IP addresses.

Monday Mar 12, 2007

OGP election

About a week ago I accepted my nomination for the OGB after being nominated by Garrett D'Amore medio february.

Why do I nominate myself?

I've always felt a strong sense of community with all folks involved with Unix, SunOS and later Solaris. Having earned the dubious distinction of running one of the few Solaris 2.1 sites in production and sharing my experiences of that time with the world, I can truly say that I have been part of the Solaris community pretty much from the day it was born.

I joined Sun some years later, in 1995, and continued to be outward facing and involved with the community, regardless of whatever folly reigned at Sun at the time such as the time the edict came that all outside communication needed to be approved by a PR person. Surely they wouldn't have found the time to approve my 1000s of posts, even if they had found the will.

As the most prolific Sun employee/poster in OpenSolaris I believe I have firmly established my role as a community player; leading the laptop community and sharing some of the stuff I made through the OpenSolaris website.

I also think the OGB needs a person who is well-versed in Solaris "ON" development; someone who knows an ARC from a C-team and who has more than passing knowledge of our development process.

As an OGB member, I think I foremost want to focus on getting the open development process moving ahead more smoothly; and this does mean direct commit access. The current system is too much of a bottleneck for external development. As a Sun employee, I can look at both sides of the fence which can help resolve issues between Sun and the community.

But I also believe in quality all the time; it is what makes Solaris fairly stable to use, even using the more or less experimental releases.

I've written a bunch of code and have literally build 100s of kernels; some of which blew up spectacularly but others of which code found its way back into (Open)Solaris such as Solaris privileges, getpeerucred() I've distributed experimental code (acpidrv, powernow) and even experimented with the X server. As a security person, I have needed to touch larger parts of the system than many of my peers; security bugs know no boundaries.

I make a point of always running the latest release of Solaris Nevada on most of my systems, that is, unless there's fatal brakage. So my little home server, my laptop and my desktops all run Snv_59 today.

Once we have established all our procedures, I see the OGB pretty much as a hands-off body. We are there to quell conflicts but I don't think we should be pussyfooting around the mailing lists; a spade is a spade so let's not call it by another name. Arguments are healthy and should not be supressed unless they become destructive. I like to think that developers like it that way: just enjoy doing there thing with as little as possible outside interference.

Yes, I'm late in posting this; let me just say that life was pretty full the last few weeks. Both workwise (moving office and some urgent matters which required me to skip some vacation) and personal (buying a new house). Lame excuses, I know.

Let your vote be counted!

Thursday Oct 19, 2006

NLOSUG: 26/10/2006 Dutch OpenSolaris User Group First Meeting

The Dutch OpenSolaris User Group will have a meeting at the Sun offices in Amersfoort at Oktober 26, 2006. For program and registration see the website.

Monday Jan 16, 2006

Updated drivers: but only at

I've updated the powernow driver because of a serious incompatibility with the upcoming SOlaris build 32.
I've also updated acpidrv and also moved it to the opensolaris laptop community.

Start with downloading the frkit script and running it.

Tuesday Oct 25, 2005

Small acpidrv update

I've created a small update to acpidrv which lets you specify automatic shutdown parameters when your battery runs low.

As usual, it can be found here.

Monday Oct 10, 2005

OpenSolaris User Group Meeting, Amsterdam, October 18th

I've arranged for an OpenSolaris User Group BOF at Euro OSCon in Amsterdam. While the primary focus would be to get a Dutch/Benelux OpenSolaris User Group in the air.

7.30pm (19:30 for those of you who can tell time properly :-) in the Krasnapolsky Hotel in Amsterdam

I have a suitcase full of SWAG so come and get some.

Information over the BOFs and the conference can be found here

Laptop community live!

As promised, the OpenSolaris laptop community went live somewhere in the last few days.

The first wireless driver is available (Supporting some Atheros MiniPCI and cardbus cards; but Cardbus support will have to wait until the Solaris cardbus driver is released)

Watch that space for further announcement of exciting drivers which will make your laptop much more usable.

Oh, I've finally refreshed the powernow driver to be a bit more lenient with broken BIOSes and initial CPU configs which are a bit off.

Thursday Sep 22, 2005


After advancing the state of Solaris on the Ferrari 3400 with frkit, someone suggested that I should one of all new laptops we at Sun may decide to standardize on. That's how it came to be that I now have both a Ferrari 3400 and a Ferrari 4000.

But today in the mail, I got a message telling me of yet another laptop heading my way. This time a lightweight Fujitsu s2110, again a AMD64 based laptop, as those are the ones we like best.

Perhaps should I make a plot of laptops I got and when and then see if I can estimate the curve; I think I got one in '96, one in 2000, another one in dec 2004 and then again 6 months later and yet again 3 months later; with this accelerating pace it'd be one a day at christmas and one per hour early next year. Hm, perhaps not likely.

Solaris keeps on improving rapidly when it comes to device support; and while in the laptop space things appear to be moving forward very rapidly, there also appears to be some gravitating toward common chipsets. Graphics are often an issue but the fact that the Ferrari 4000 comes with a ATI X700 has the consequence that the updating of the Xorg ati driver is done much more quickly than before.

The Ferrari 3400 is relatively well supported in S10, though I think you really need my powernow driver and even then it still runs fairly hot to the touch.

The Ferrari 4000 requires some external drivers, but then, so does most bleeding hardware, regardless of OS. For the Ferrari 4000, you'll need to download the ethernet driver "bcme" from and we're working hard on getting OSS sound to work nicely on it. The 4000 runs much cooler than the 3400, but the downside is that it always has its fan blowing, albeit quitely. Probably because of a device enumeration bug, the firewire does not yet work. The SD card reader is a special device and we do not support it, unfortunately.

Of course, we're working on getting our broadcom ethernet driver "bge" and the one by broadcom "bcme" to be merged and shipped as a single driver.

Cardbus support is coming for all laptops, as the cardbus interface is properly standardized and they all work more or less the same.

I haven't gotten the Fujitsu yet, so I can't tell how well that will run and/or whether tweaking is necessary.

I don't like to recommend any particular brand or kind of laptop; one recommendation which I can make is this: run Solaris Express on it. It will get all the laptop features you may want much sooner. Such features include new drivers, Xorg support for new hardware, ACPI support, newboot, bug fixes (in some cases the difference between a device working and not working is just a small fix in an existing driver).

S10 was a huge leap forward and brought Solaris for x86/x64 to a point where it again runs on lots of (server) hardware. In Solaris Express, there is much more room for desktop/laptop innovation. We now ship several different x64 desktop platforms, so the x64 desktop/laptop space has much more visibility inside Sun.

If you want performant OpenGL, the only choice you have now is buying a laptop with an nVidia graphics chip and installing the nVidia "closed source" driver.

On the wireless front, things are moving but slowly, but more soon here. So watch this space.

Bluetooth is still a barren landscape when it comes to Solaris; I can't use the bluetooth rodent that came with the Ferrari 4000 (I'm saying rodent because it's quite a bit bigger than a mouse)

Note: I've just started the laptop-discuss list at

Tuesday Jun 28, 2005

First Installment (of frkit)

I've teased people before about the nifty hacks I've been doing for my Ferrari 3400 laptop.

The hacks I did and the tool I wrote to make the distribution easier were so well liked that there was this "meme" propagating that whenever we got even cooler laptops, I should get the first one. And so it happened, I literally got the first Ferrari 4000 shipped to Sun.

Now, this is a whole different beast than the Ferrari 3400 and I haven't yet gotten quite to the same comfort level yet.

I've long promised to make all of the neat stuff available, but legalities are the difficult part of such a venture. But now with OpenSolaris and a supported license scheme (plus management buy-in), I now feel comfortable to release the stuff which I wrote or was derived from source now available under the CDDL)

The first installment includes my single CPU "PowerNow!(tm)" driver and my battery driver and utility.

What the heck, let's throw in the mdb scripts which enable the additional keys on the Acer keyboards (mail, www, P1, P2, audio control). Some of these appear standard controls and may work for internet keyboards as well.

The tar.gz files all come with an install script which will take care of all the details of the installation; the battery driver requires ACPICA; that is only included in Solaris Nevada (11) build 14 and later.

I'll see what I can do about the GNOME battery utility we've done as well; oh, sorry for the somewhat lacking documentation.

Update: I've added acpipowertool, a small graphic battery meter by Matt Simmons, and fixed some installation issues for root user's without "nm" in $PATH.

Update2: (2005/7/31) Ive upgraded powernow so it works for more systems and to better integrate powernowadm with SMF; apcidrv is also updated to do a little bit more of thermal zone handling.

acpidrv only works for Solaris express build 14 and later; powernow should work with Solaris 10 GA also.

Update3: frkit is for some time now available as runnable script at in the

Permanent link to this entry | Comments [19] | Comments have been disabled.




« February 2015