Friday Aug 06, 2010
Thursday Jul 15, 2010
By Brian Leonard on Jul 15, 2010
Just a quick tip as this question came across the opensolaris-help forum - "How can I (as admin) find out when a certain user e.g. "karl" most recently logged in and most recently logged out of a system?"
The simple answer is last:
bleonard@opensolaris:~$ last karl karl pts/5 10.0.1.9 Thu Jul 15 11:12 still logged in karl sshd 10.0.1.9 Thu Jul 15 11:12 still logged in karl pts/5 opensolaris Thu Jul 15 11:11 - 11:12 (00:00) karl sshd opensolaris Thu Jul 15 11:11 - 11:12 (00:00)
Thursday Jun 24, 2010
By Brian Leonard on Jun 24, 2010
Wednesday Jun 23, 2010
By Brian Leonard on Jun 23, 2010
Tuesday Jun 22, 2010
By Brian Leonard on Jun 22, 2010
Tuesday Jun 01, 2010
By Brian Leonard on Jun 01, 2010
Thursday May 27, 2010
By Brian Leonard on May 27, 2010
Wednesday May 26, 2010
Tuesday May 25, 2010
By Brian Leonard on May 25, 2010
Of all the components of Solaris' Role Based Access Control (RBAC), roles are the easiest the implement. When I explain the concept of roles to people, they immediately get it.
OpenSolaris comes with a couple of roles pre-configured, most notably root.
This has led to some frustration for newcomers to OpenSolaris as they
don't understand why they can't log into their system as root.
But, as there is most likely no person in your organization named 'root', why do you wnat a user account on your system for a person that doesn't exist? Who is this root user and who's accountable for what they do on the system? Over time the password for the root user account always seems to proliferate. The principle of least privilege, another RBAC concept that I'm not addressing here, is meant to limit the need to hand out root access, but even in the absence of that, wouldn't it be nice to know who's doing what as root on your system?[Read More]
Monday May 24, 2010
Wednesday May 12, 2010
Tuesday May 11, 2010
By Brian Leonard on May 11, 2010
I noticed my Apache web server had one process that ran as root, which then forked other processes as user webservd. The reason for this is that apache wants access to port 80, which traditionally requires root privileges. To improve upon this all-or-nothing security model, Solaris 10 introduced the concept of fine-grained privileges, and in OpenSolaris there are now 75 of them.
What this means is that I can now give a process, which has
traditionally run with root privileges, just the privileges it needs to
get its job done - a concept known as least privilege. The trick, of course, is figuring out which privileges a process needs.
Friday Feb 12, 2010
By Brian Leonard on Feb 12, 2010
OpenSolaris comes with a single repository configured, known as the release repository: http://pkg.opensolaris.org/release. The packages in the release repository are updated roughly every 6 months when a new release of OpenSolaris occurs, that last being OpenSolaris 2009.06 (June 2009).
Meanwhile, development toward the next release of OpenSolaris is happening at a rapid pace. For those of you unwilling to wait for next scheduled release, you have the option of upgrading to a development build of OpenSolaris, which is produced every 2 weeks (the development repository is updated roughly 10 days after the wod of stuff (WOS) build - see the WOS schedule).
Understandably, the development build will not have gone through the same quality assurance process as the release build, so be sure to read the release notes and expect some bumps along the way.
If you're going to update to a development build, it's important to note that as of build 127, you can no longer assign random names to the repositories (see bug 11532). The publisher name must match that which is set in the repository, and for the http://pkg.opensolaris.org/dev/ repository, the publisher name is opensolaris.org.
If you're on a build prior to 127, it's not uncommon to find yourself with a setup like the following:
To fix this erroneous configuration, just correctly set opensolaris.org as the preferred publisher pointing to the development repository:bleonard@os200906:~$ pkg publisher PUBLISHER TYPE STATUS URI dev (preferred) origin online http://pkg.opensolaris.org/dev/ opensolaris.org origin online http://pkg.opensolaris.org/release/
bleonard@os200906:~$ pfexec pkg set-publisher -PO http://pkg.opensolaris.org/dev/ opensolaris.org
Then remove the incorrectly named development publisher:
bleonard@os200906:~$ pfexec pkg unset-publisher dev
And now your development repository is correctly configured:
bleonard@os200906:~$ pkg publisher PUBLISHER TYPE STATUS URI opensolaris.org origin online http://pkg.opensolaris.org/dev/
Note, when build 133 comes out, you will no longer have to specify a publisher name when setting a publisher. The new syntax will be as follows:
pkg set-publisher -p http://pkg.opensolaris.org/dev
Wednesday Feb 10, 2010
Wednesday Feb 03, 2010
By Brian Leonard on Feb 03, 2010
I can't count how many times I've read in the various OpenSolaris forums "Read the release notes."
It's true, the OpenSolaris release notes are chock full of good information. However, where are these mysterious release notes?
I've thought about setting up a wiki pointing to them, but that's just one more thing I'd forget to maintain. Instead, here's a quick Google search that seems to do the trick. If you can think of a better way to customize it, please let me know.
The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.
- Last login tracking in pam_unix_session
- Oracle Solaris 11.3 progress on LP64 conversion
- Valgrind: Easy and powerful detection of memory and threading problems
- Minimizing the Size of Your Oracle Solaris IPS Package Repository
- AI Manifest Editor CLI in Solaris 11.3
- Virtual Address Reservation in Solaris 11.3
- APIs for handling per-thread signals in Solaris
- PV IPoIB in Kernel Zones in Solaris 11.3
- Named threads in Oracle Solaris 11.3
- Better performing pthread reader-writer locks for NUMA architectures