Thursday, December 3, 2009

SELinux, Apache and PHP 5.

Recently at work we hired a contractor to come in and do some work. The department that hired him requested a machine for him. Instead of giving the guy admin access on a CentOS machine, I decided he could run everything in user space. That's fine...and I figured I'd duplicate the environment he'd use just so I could make sure it would work. I don't like to provision machines and give anyone but myself or my system administrators admin access.

The guy wanted PHP5, Apache 2 (I used 2.2), Moodle (Some Courseware php program), and PostgreSQL.

Everything compiled without a hitch (mostly, since I had to look up which PHP modules he needed compiled in...I also added Suhosin for good measure, since who knows what this guy will be doing).

After fighting a bit with PHP modules I then discovered that SELinux was denying access to libphp5.so in the apache httpd/modules directory.

This was the error: "cannot restore segment prot after reloc: Permission denied" - Of course, disabling SELinux fixed this...but I don't always want to disable SELinux...

Someone suggested running execstack against libphp5.so to enable a flag on the file so SELinux would let Apache load the module...That didn't work.

I'll update this post later with some answers...I hope. For now, I'm leaving the office.

Friday, November 27, 2009

yum rollback feature / rpm rollback feature

Doing some upgrades this week on a production system and don't want anything to break...So, I looked into this.

One of the least-known secrets about rpm is that it can rollback (undo) package changes. It can take a fair bit of storage space to track the information necessary for rollback, but since storage is cheap, it’s worthwhile enabling this feature on most systems.
Here are cut-to-the-chase directions on using this feature:
  1. To configure yum to save rollback information, add the line tsflags=repackage to /etc/yum.conf.
  2. To configure command-line rpm to do the same thing, add the line %_repackage_all_erasures 1 to /etc/rpm/macros.
  3. Install, erase, and update packages to your heart’s content, using pup, pirut, yumex, yum, rpm, and the yum automatic update service.
If/when you want to roll back to a previous state, perform an rpm update with the --rollback option followed by a date/time specification. Some examples: rpm -Uhv --rollback '9:00 am', rpm -Uhv --rollback '4 hours ago', rpm -Uhv --rollback 'december 25'.
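As an added example (not from the original post), here is a small script that turns on the two settings above idempotently and checks that both are in place. The file paths are parameters so it can be tried on copies before /etc/yum.conf and /etc/rpm/macros are touched; the demo at the bottom uses a constructed yum.conf in a temp directory.

```sh
# Enable yum/rpm repackaging (rollback tracking) in the given config files.
enable_rollback() {
    yum_conf="$1"     # normally /etc/yum.conf
    rpm_macros="$2"   # normally /etc/rpm/macros

    # tsflags is a comma-separated list and belongs in [main]: extend an
    # existing tsflags line, otherwise add one right under the [main] header.
    if grep -q '^tsflags=' "$yum_conf"; then
        if ! grep -q '^tsflags=.*repackage' "$yum_conf"; then
            awk '/^tsflags=/ { $0 = $0 ",repackage" } { print }' "$yum_conf" \
                > "$yum_conf.tmp" && mv "$yum_conf.tmp" "$yum_conf"
        fi
    elif grep -q '^\[main\]' "$yum_conf"; then
        awk '{ print } /^\[main\]/ { print "tsflags=repackage" }' "$yum_conf" \
            > "$yum_conf.tmp" && mv "$yum_conf.tmp" "$yum_conf"
    else
        printf '[main]\ntsflags=repackage\n' >> "$yum_conf"
    fi

    # rpm reads this macro file; it may not exist yet on a fresh system.
    [ -f "$rpm_macros" ] || : > "$rpm_macros"
    grep -q '^%_repackage_all_erasures' "$rpm_macros" \
        || echo '%_repackage_all_erasures 1' >> "$rpm_macros"
}

# Returns 0 when both yum and rpm will keep repackaged copies, 1 otherwise.
rollback_enabled() {
    grep -q '^tsflags=.*repackage' "$1" 2>/dev/null \
        && grep -q '^%_repackage_all_erasures[[:space:]]*1' "$2" 2>/dev/null
}

# Demo on constructed copies (not the live files).
demo=$(mktemp -d)
printf '[main]\ncachedir=/var/cache/yum\n\n[base]\nname=Base\n' > "$demo/yum.conf"
enable_rollback "$demo/yum.conf" "$demo/macros"
rollback_enabled "$demo/yum.conf" "$demo/macros" && echo "rollback tracking enabled"
cat "$demo/yum.conf" "$demo/macros"
rm -rf "$demo"
```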

Friday, November 13, 2009

php5 / suhosin extension (not patch) on CentOS or RHEL

Red Hat / CentOS Linux Install Suhosin PHP 5 Protection Security Patch


Q. WordPress and many other open source application developers ask users to protect PHP apps using the Suhosin patch to get protection from the full exploit. Suhosin is an advanced protection system for PHP installations. It was designed to protect your servers from various attacks. How do I install Suhosin under RHEL / CentOS / Fedora Linux?

A. Suhosin was designed to protect your servers against a number of well known problems in PHP applications and on the other hand against potential unknown vulnerabilities within these applications or the PHP core itself including wordpress and many other open source php based apps.

Install Suhosin as extension

Download latest version of Suhosin, enter:
# cd /opt
# wget http://download.suhosin.org/suhosin-0.9.27.tgz

Make sure you have php-devel installed:
# yum install php-devel

Compile Suhosin under PHP 5 and RHEL / CentOS Linux

Type the following commands:
# cd suhosin-0.9.27
# phpize
# ./configure
# make
# make install

Configure Suhosin

Type the following command to create Suhosin configuration file:
# echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini

Restart web server

Type the following command to restart httpd:
# service httpd restart
If you are using lighttpd, enter:
# service lighttpd restart

Verify Suhosin installation

Type the following command:
$ php -v
Sample output:
PHP 5.1.6 (cli) (built: Jun 12 2008 05:02:36)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies
    with XCache v1.2.2, Copyright (c) 2005-2007, by mOo
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
You can find more information by running phpinfo():

<?php
phpinfo();
?>
Sample output:

Fig.01: Suhosin information and settings displayed by phpinfo().

Tuesday, November 3, 2009

setup bridging br0 eth0 on Centos or RHEL for KVM virtual machines

There were several places online I could've visited to help me get bridging going on my system...They all seemed to be written for a home user though.

I recently set up a new CentOS 5.4 workstation on a machine here at work, and have been planning on moving everything over to that from my Mac management station. I'm currently using a MacBook Pro as a management station, but I'd like to free it up to do other things...

Also, I wanted to do some KVM virtualizing because that's how Red Hat does it, and that's our vendor...so...

For starters, I needed to let any VMs I created have bridged access to the network... This was probably the most difficult part, because it was just a mixed bag when it came to how other people had done it. Here's how I did it, and it works for me.

The interface is an Intel gigabit card (which wasn't supported out of the box until 5.3!), so one physical interface formerly known as eth0.

`yum install bridge-utils` will install the proper utilities to enable bridging, and should also enable the kernel module on most distros.

I guess the tricky thing is, when you use bridging, you're actually kind of saying "ok bye eth0, we're going to replace you with br0 and then let br0 hand out access to any other interfaces" - This is hard for some people to grasp...

So go to /etc/sysconfig/network-scripts and `cp ifcfg-eth0 ifcfg-br0`

Then edit ifcfg-br0 to contain the following information:
DEVICE=br0
BOOTPROTO=static
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=x.x.x.x
GATEWAY=x.x.x.1
TYPE=Bridge
USERCTL=no
IPV6INIT=no
PEERDNS=yes



Then edit ifcfg-eth0; it should just have:
DEVICE=eth0
ONBOOT=yes
BRIDGE=br0

You should then reboot. Your main interface will have become br0, and eth0 will just be sitting there...waiting...for something.

Anyway, you can use `brctl show` to show the current bridges on your system, and it gets more complicated from there on out.

You can then assign eth0 to virtual machines in the Virt Manager and the vm will use that as its bridge access. ;)
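As an added example (not from the original post), the two file edits above done in one step: ifcfg-br0 inherits the addressing from ifcfg-eth0 and becomes TYPE=Bridge, and ifcfg-eth0 is cut down to the member stanza. Unlike the hand-edited version above it keeps HWADDR on the NIC so the interface name stays pinned; the directory is a parameter so a scratch copy can be reviewed before /etc/sysconfig/network-scripts is changed, and the demo uses a constructed ifcfg-eth0.

```sh
# Turn ifcfg-<nic> into a bridge member and move its addressing to ifcfg-<br>.
make_bridge() {
    dir="$1"           # e.g. /etc/sysconfig/network-scripts
    nic="${2:-eth0}"   # physical interface giving up its address
    br="${3:-br0}"     # bridge that takes it over
    src="$dir/ifcfg-$nic"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }

    # Bridge file: DEVICE/TYPE rewritten, NIC-only keys dropped, the rest kept
    # (IPADDR, NETMASK, GATEWAY, ONBOOT, USERCTL, PEERDNS and so on).
    awk -v br="$br" '
        BEGIN { print "DEVICE=" br; print "TYPE=Bridge" }
        /^(DEVICE|TYPE|HWADDR|BRIDGE)=/ { next }
        { print }
    ' "$src" > "$dir/ifcfg-$br"

    # NIC file: name, boot flag, bridge membership, and the MAC if there was one.
    hw=$(grep '^HWADDR=' "$src" || true)
    {
        echo "DEVICE=$nic"
        echo "ONBOOT=yes"
        echo "BRIDGE=$br"
        if [ -n "$hw" ]; then echo "$hw"; fi
    } > "$src.new" && mv "$src.new" "$src"
}

# Returns 0 when the bridge owns the address and the NIC is only a member.
bridge_ok() {
    dir="$1"; nic="${2:-eth0}"; br="${3:-br0}"
    grep -q '^TYPE=Bridge$' "$dir/ifcfg-$br" 2>/dev/null \
        && grep -q '^IPADDR=' "$dir/ifcfg-$br" \
        && grep -q "^BRIDGE=$br\$" "$dir/ifcfg-$nic" \
        && ! grep -q '^IPADDR=' "$dir/ifcfg-$nic"
}

# Demo on a constructed scratch copy (not the live network-scripts directory).
demo=$(mktemp -d)
printf 'DEVICE=eth0\nBOOTPROTO=static\nONBOOT=yes\nHWADDR=00:11:22:33:44:55\nIPADDR=192.0.2.10\nNETMASK=255.255.255.0\nGATEWAY=192.0.2.1\nTYPE=Ethernet\n' > "$demo/ifcfg-eth0"
make_bridge "$demo"
bridge_ok "$demo" && echo "bridge config looks right"
cat "$demo/ifcfg-br0" "$demo/ifcfg-eth0"
rm -rf "$demo"
```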

Monday, November 2, 2009

pidgin, otr, and random number generation

On a new CentOS Plus workstation (5.4) I was trying to IM with Pidgin and OTR with my friends. We use OTR for private communication.

The key generation was failing, hanging actually; strace showed some problem with timeouts and /dev/urandom.

On the advice of someone who ran into the same problem, I used rngd to feed /dev/urandom into /dev/random:

rngd -o /dev/urandom -r /dev/random

This worked and key generation completed successfully. Joy.

Wednesday, October 14, 2009

Pam Update, security pam_limits and 64 bit libs

OK, so, you have an x64 server and you updated PAM, and you want to use pam_limits - cool story. Until you try to log in...and you're like, why isn't it working? Because you added the line:

session required /lib/security/pam_limits.so

to /etc/pam.d/login

but you CAN log in remotely, and when you check your log files you see 'Module unknown' when someone tries to log in locally. This is because you're on a 64-bit server using a 32-bit library...from /lib...so change that line to

session required /lib64/security/pam_limits.so

Then local logins work. =)
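As an added example (not from the original post), a check that finds this class of mistake before anyone is locked out: it walks every file under etc/pam.d, pulls out modules given by absolute path, and reports the ones that do not exist, with a hint when the /lib64 twin is present. The root prefix is a parameter (default: the live system) so a copied tree can be checked; the demo builds a constructed tree in a temp directory.

```sh
# Report PAM module paths that do not resolve on this host.
check_pam_modules() {
    root="${1:-}"
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        # Print file:line:module for each active line. The module is normally
        # field 3, but a bracketed control field ("[success=1 default=ignore]")
        # may contain spaces, so skip forward to the closing bracket first.
        awk '
            /^[[:space:]]*(#|$)/ { next }
            {
                i = 3
                if ($2 ~ /^\[/) { while (i <= NF && $(i - 1) !~ /\]$/) i++ }
                if ($i ~ /^\//) print FILENAME ":" NR ":" $i
            }' "$f"
    done | while IFS=: read -r file line mod; do
        if [ -e "$root$mod" ]; then
            continue
        fi
        printf 'MISSING %s:%s %s\n' "$file" "$line" "$mod"
        # The usual 64-bit fix from the post: the same module under /lib64.
        alt=$(printf '%s\n' "$mod" | sed 's#^/lib/#/lib64/#')
        if [ "$alt" != "$mod" ] && [ -e "$root$alt" ]; then
            printf '  -> 64-bit module present at %s\n' "$alt"
        fi
    done
}

# Number of missing modules, for scripting (0 means every absolute path resolves).
pam_missing_count() {
    check_pam_modules "$1" | grep -c '^MISSING' || true
}

# Demo on a constructed tree (not a real system): login references the 32-bit
# path while only the 64-bit module exists.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pam.d" "$demo/lib64/security"
: > "$demo/lib64/security/pam_limits.so"
printf 'session required /lib/security/pam_limits.so\n' > "$demo/etc/pam.d/login"
check_pam_modules "$demo"
rm -rf "$demo"
```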

Tuesday, October 13, 2009

Updated on SSH Key authentication.

Public key authentication is great, as most of us have known for years, but I'm still in the middle of converting everyone who uses the systems where I work to it. It's actually a pretty big task, since so many people have to connect to our servers in order to get information...and if those accounts cannot connect then...well, stuff starts breaking.

We've done really well and our systems are really stable; of course they're still running HP-UX, but the new systems that are on their way into production are Red Hat Linux (RHEL 5), so we have our work cut out for us. No problem -- they seem to be quite resilient and stable. I wish we could get some Oracle on BSD. Grr.

Anyway, a lot of interesting changes going on in the workplace right now, so, I'll leave those for another time. Just wanted to give a quick update to all the readers out there... I'm still alive. Thanks for your emails.

Friday, September 18, 2009

SSH and SSH Key Pair Authentication instead of Passwords

Well, some of the users where I work were wanting to know what makes key authentication better than password authentication... It's a difficult thing to explain when people are unaware of the advantages of key auth and the risks of password authentication. I suppose I try to explain it away with "this will actually make it simpler in the case of a compromise"... So I may post more about this later, but the general reasoning behind this is described well by the PuTTY documentation:

Public key authentication - an introduction

Public key authentication is an alternative means of identifying yourself to a login server, instead of typing a password. It is more secure and more flexible, but more difficult to set up.
In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means that if the server has been hacked, or spoofed (see section 2.2), an attacker can learn your password.
Public key authentication solves this problem. You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have that key; but anybody who has your public key can verify that a particular signature is genuine.
So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, PuTTY can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.
There is a problem with this: if your private key is stored unprotected on your own computer, then anybody who gains access to that will be able to generate signatures as if they were you. So they will be able to log in to your server under your account. For this reason, your private key is usually encrypted when it is stored on your local machine, using a passphrase of your choice. In order to generate a signature, PuTTY must decrypt the key, so you have to type your passphrase.
This can make public-key authentication less convenient than password authentication: every time you log in to the server, instead of typing a short password, you have to type a longer passphrase. One solution to this is to use an authentication agent, a separate program which holds decrypted private keys and generates signatures on request. PuTTY's authentication agent is called Pageant. When you begin a Windows session, you start Pageant and load your private key into it (typing your passphrase once). For the rest of your session, you can start PuTTY any number of times and Pageant will automatically generate signatures without you having to do anything. When you close your Windows session, Pageant shuts down, without ever having stored your decrypted private key on disk. Many people feel this is a good compromise between security and convenience. See chapter 9 for further details.
There is more than one public-key algorithm available. The most common is RSA, but others exist, notably DSA (otherwise known as DSS), the USA's federal Digital Signature Standard. The key types supported by PuTTY are described in section 8.2.2.

sudo, su, and you. oh, and root. and some tips...

sudo(8) executes commands as a different user on Unix systems, as allowed by the sudoers configuration file. Commands run via sudo are logged via syslog, providing an audit trail. While sudo may not work on your friends, I consider it essential to system administration.

Alternatives

Consider also sudosh, or special logbash versions of the shell that log all commands. Never use the unsafe and unlogged sudo -s, sudo -i, and su commands. Between sudo and proper configuration management, logging in as root should be a very rare occasion.

List Commands

To see what commands can be run on a system, issue sudo -l. Depending on the sudoers configuration, this may prompt for the user’s password.
$ sudo -l
User admin may run the following commands on this host:
(ALL) NOPASSWD: ALL
If root is allowed to run sudo, one can inspect what commands another user may run:
$ sudo sudo -u someotheruser sudo -l
User someotheruser may run the following commands on this host:
(ALL) NOPASSWD: /usr/sbin/cleanup-logs
If administrators are allowed to sudo to any other user, this can be done directly via:
$ sudo -u someotheruser sudo -l
User someotheruser may run the following commands on this host:
(ALL) NOPASSWD: /usr/sbin/cleanup-logs

Configuration

The sudoers configuration file uses Extended Backus-Naur Form (EBNF), which is flexible but complex. For an overview, see the sudoers(5) documentation.
  • Always use visudo(8). The visudo command should be used to edit the sudoers data. Otherwise, errors or permissions problems may crop up randomly. If building a complex sudoers file using configuration management software, sanity check the resulting data with visudo -f tempsudoers -c before moving it into production use.
  • Last entry wins. The last matching rule in sudoers wins; that is, if a NOPASSWD entry is followed by an entry that requires the implicit PASSWD, the user will be prompted to enter their password.
    ALL ALL=(ALL) NOPASSWD: ALL
    ALL ALL=(ALL) ALL
    $ sudo -l
    User admin may run the following commands on this host:
    (ALL) NOPASSWD: ALL
    (ALL) ALL
    $ sudo -k; sudo /bin/ls
    Password:
    To avoid this problem, place NOPASSWD entries after any entries that require a password. The following requires passwords for all commands excepting xinetd service changes on a RedHat Linux system:
    %wheel ALL=(ALL) ALL
    %wheel ALL=NOPASSWD: /sbin/service xinetd *
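As an added example (not from the original post), a heuristic check for the "last entry wins" trap just described: it reports any user or group spec whose NOPASSWD line is followed by a later password-requiring line for the same spec (or for ALL), which is the ordering that silently brings password prompts back. It looks at whole lines only, so mixed "NOPASSWD: x, PASSWD: y" tags on one line are not parsed; the demo runs it over constructed copies of the bad and fixed orderings above, not a live sudoers.

```sh
# Exit 1 and print a WARN line for each NOPASSWD entry shadowed by a later rule.
check_nopasswd_order() {
    awk '
        # comments (only when not inside a continued line)
        buf == "" && /^[[:space:]]*#/ { next }
        # join lines ending in a backslash before looking at them
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        { $0 = buf $0; buf = "" }
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            spec = $1                      # user, %group, +netgroup or ALL
            if ($0 ~ /NOPASSWD:/) { nopw[spec] = NR; next }
            # A password-requiring line shadows an earlier NOPASSWD for the same
            # spec, and for every spec when this line applies to ALL users.
            for (s in nopw) {
                if ((s == spec || spec == "ALL") && !(s in warned)) {
                    printf "WARN %s: NOPASSWD on line %d is overridden by line %d\n", s, nopw[s], NR
                    warned[s] = 1
                    found = 1
                }
            }
        }
        END { if (found) exit 1 }
    ' "$1"
}

# Demo on constructed files (not a live sudoers): the bad and the fixed
# orderings from the post.
demo=$(mktemp -d)
printf 'ALL ALL=(ALL) NOPASSWD: ALL\nALL ALL=(ALL) ALL\n' > "$demo/bad"
printf '%%wheel ALL=(ALL) ALL\n%%wheel ALL=NOPASSWD: /sbin/service xinetd *\n' > "$demo/good"
check_nopasswd_order "$demo/bad" || echo "bad: ordering problem found"
check_nopasswd_order "$demo/good" && echo "good: no NOPASSWD entry is shadowed"
rm -rf "$demo"
```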

Disallow Shell Access

Use the following configuration to avoid needless use of unsafe and unlogged shells. Encourage users to avoid launching a root shell, and reserve a special logbash shell that logs all commands for the rare occasions a root shell is needed.
# specify full list of shells and login commands here
Cmnd_Alias SHELLS= /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, \
/bin/csh, /bin/tcsh, \
/usr/bin/login, /usr/bin/su

%wheel ALL=(ALL) ALL, !SHELLS
If the configuration is correct, a user attempting to gain shell access will be properly rejected:
$ sudo -s
Sorry, user jdoe is not allowed to execute '/bin/zsh' as root on …
$ sudo -i
Sorry, user jdoe is not allowed to execute '/bin/sh' as root on …
$ sudo su
Sorry, user jdoe is not allowed to execute '/usr/bin/su' as root on …

Thursday, September 17, 2009

OpenSSH and SSH.COM Key generation - Some Concerns...

Where I work some people use a very old commercial SSH client - it's from circa 2002 and it's really not that great. So we're switching to key-based auth -- this brings some problems about. Some of my users will be using this antiquated client, which generates some ugly keys. I'd prefer everything be OpenSSH-based. So, I found some information about this on someone's blog, and I decided I would share it here on my blog, and leave it here for my reference as well as yours! Happy converting.
--

Connecting two servers running different types of SSH can be a nightmare if you do not know how to convert the key. In this tutorial, I will try to explain how to convert the public key from OpenSSH to SSH2 and SSH2 to OpenSSH. To convert the key, it must be done on the OpenSSH server.
Convert OpenSSH key to SSH2 key
  • Run the OpenSSH version of ssh-keygen on your OpenSSH public key to convert it into the format needed by SSH2 on the remote machine. This must be done on the system running OpenSSH.
    # ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub
Convert SSH2 key to OpenSSH key
  • Run the OpenSSH version of ssh-keygen on your ssh2 public key to convert it into the format needed by OpenSSH. This needs to be done on the system running OpenSSH.
    # ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > ~/.ssh/id_dsa_1024_a_openssh.pub
Steps involved to produce and convert the keys.
OpenSSH
To generate an OpenSSH sshv2 key
$ ssh-keygen -t dsa -f newkey
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in newkey.
Your public key has been saved in newkey.pub.
The key fingerprint is:
c6:db:3a:ff:4c:79:a7:d8:cb:be:82:e8:9d:db:8c:e9 brad@eta
To export to ssh.com
$ ssh-keygen -e -f newkey.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by brad@eta"
...
---- END SSH2 PUBLIC KEY ----
SSH
To generate a key:
$ ssh-keygen
Generating 2048-bit dsa key pair
1 oOo.oO
Key generated.
2048-bit dsa, marshalb@obelix.cqu.edu.au, Tue Jul 15 2003 13:53:34 +1000
Passphrase :
Again      :
Private key saved to /usr/users/staff/m/marshalb/.ssh2/id_dsa_2048_b
Public key saved to /usr/users/staff/m/marshalb/.ssh2/id_dsa_2048_b.pub
To convert from ssh.com to OpenSSH (using OpenSSH ssh-keygen):
$ ssh-keygen -i -f id_dsa_2048_b.pub
ssh-dss AAAAB3NzaC1kc3MAAAEBAKueha6mfr5OUcscc88lmQUBBgYSZ08htHFaYzke2N...
You can then use the output in the authorized_keys file on an OpenSSH box.
OpenSSH v2 -> SSH v2
On the OpenSSH box, create a DSA key via the following:
$ ssh-keygen -t dsa
Export the key into ssh.com v2 format:
$ ssh-keygen -e -f ~/.ssh/id_dsa.pub > newPubKey
Copy the converted ssh key to the ssh.com server
$ scp newPubKey server:.ssh2/id_dsa.pub
On the server, tell the ssh.com server that the public key is allowed:
$ echo "Key id_dsa.pub" >> ~/.ssh2/authorization
SSH v2 -> OpenSSH v2
On the ssh.com box, generate a DSA key:
$ ssh-keygen
Copy the generated key to the openssh box:
$ scp ~/.ssh2/id_dsa_1024_a.pub server:.ssh
Convert the public key to openssh format and append to authorized_keys:
$ ssh-keygen -i -f id_dsa_1024_a.pub >> ~/.ssh/authorized_keys
On the ssh.com box setup the private key:
$ echo "IdKey id_dsa_1024_a" >> ~/.ssh2/identification
SSH v2 -> SSH v2
On the ssh.com client, generate a DSA key:
$ ssh-keygen
Copy the generated key to the server:
$ scp ~/.ssh2/id_dsa_1024_a.pub server:.ssh2
On the server, tell the ssh.com server that the public key is allowed:
$ echo "Key id_dsa_1024_a.pub" >> ~/.ssh2/authorization
On the ssh.com client setup the private key:
$ echo "IdKey id_dsa_1024_a" >> ~/.ssh2/identification
OpenSSH v2 -> OpenSSH v2
On the OpenSSH box, create a DSA key via the following:
$ ssh-keygen -t dsa
Copy the ssh key to the server
$ scp ~/.ssh/id_dsa.pub server:.ssh/id_dsa.pub
Add the key to the authorized_keys file on the server
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

Monday, September 14, 2009

Oracle on Linux needs access to /proc? Only for Enterprise Manager?

So, on some of our systems oracle runs as the oracle user, and the /proc filesystem is off limits for standard user accounts. This hasn't affected much...however I came across the error:
Error retrieving information from EMD. Exception: oracle.sysman.emSDK.emd.comm.MetricGetException: Could not open /proc/partitions

today...Hrm. Wonder what that's hurting...Probably nothing, as everything seems to be running properly.

In addition...uname must be unrestricted in order for Oracle Wallet Manager (owm) to function. Probably lots of other java stuff too.

Linux, sudo, and environment variables

Our DBA came to me and said he was having some problems with sudo. A little background: we recently upgraded our test systems to the latest version of Red Hat Enterprise Linux. We have a pretty complicated setup with Oracle and Fujitsu NetCOBOL and a lot of customizations for our site. My latest round of updates to the systems prompted me to enact a new baseline security policy. One of the features of this new baseline policy is that it requires us going to a new procedure for issuing super user commands... We used to just su, as that's how it had always been done here on HP-UX and other UNIX operating systems. With little separation of duty due to such a small staff, the DBA and others have all frequently pitched in to help with administration tasks.

Anyway, enforcing sudo provides a lot of benefit, even if it does mean we have to change the way we're doing some things. Our system relies a lot upon environment variables being carried over from one environment to the other, and some of our system users and the tasks they perform depend largely upon those envars. So, it came to pass that there is a directive in the sudoers file that controls (and, by default, disallows) environment variables passing through with sudo execution. This is "Defaults env_reset" - changed to "Defaults !env_reset" to say ! = NO! Don't reset the envars when using sudo!

This solved our issue, and the DBA was able to complete the upgrades.

Friday, September 11, 2009

The blackberry Curve 8300 - 83xx - Pretty cool.

I recently came across a free Blackberry Curve 8300 for ATT - a friend of a friend was getting an iPhone 3G (after she had become enamored with the iPod touch) and was just going to give it to him, fortunately for me he has Verizon not ATT or T-Mobile, and I said I'd offer him some money for it. He said "nonsense (nice!), I'll ask her if I can give it to you." So she said yes.

The software that came with it was old, like it had never been updated. I later found out why. The synching/software interface for the blackberry is atrocious. I later found out too that you can do MOST things without synching. Such as over-the-airwaves App installs and stuff. Not to mention...Synching the blackberry to the computer is extremely slow. It took like 35 minutes just to do the software upgrade. The iPhone definitely has it beat in that arena.

Anyway, I'm a happy, loyal iPhone user (only because it's Unix in my pocket, and jailbroken...so I can do the things I need to do with MY computer - hopefully all of this carrier lock-in junk will be over soon), but I was impressed with this little device, despite its stubbornness in wanting to charge. It seems to have some issues...I bought a car charger for my girlfriend for this device, and it seemed to charge straight away. When I hooked it up to the computer (much like I had found trying to synch it at work) it was a mess of steps to get the thing recognized and charging. Why can't I just plug the USB cable in and let it charge the battery? ARGH.

Anyway, hopefully I can work on her Vista machine some more (i did the synching and initial software upgrade on an XP machine) and get it to recognize the device so she can charge it there, since my friend forgot to bring me the wall charger.

Overall, I like the device. They're relatively inexpensive, though the data plan is more expensive than an iPhone's at $30/month ($35/month if you want at least 200 text messages...some are a requirement, otherwise you're getting shafted at the 20/30 cents per message mark). Lame.

It's not an iPhone, but it's not half bad either, and it has a large community support base as well. Once I got past a few of the quirks, everything seems to be OK and she seemed to pick it up pretty intuitively.

Friday, September 4, 2009

unix security problems

So, you're in a meeting and you get asked to provide an account to a group that's not in your department. When you tell your friends, they tell you to tell the people you work with "if you're so good at security, make your own account".

That wouldn't go over well.

Thursday, September 3, 2009

session recording with 'script' in linux/unix hosts.

Don't forget you can use the 'script' command ('script output.log') to record all commands you type.
You can use this as a reference to see what you've done in the session (such as wanting to record all file permission changes that you make in a session).

Wednesday, August 26, 2009

Enable Oracle Application Server to run on port <1024 on HPUX

Below are the instructions, probably a little too detailed, on how to enable Oracle to start httpd as root and then fork to the user specified in httpd.conf (EM -> Advanced Properties -> httpd.conf). For most people, since Oracle App Server is just a modified Apache, Task 1 is the only thing you really have to do. You can then add the port in EM, and add the vhost directive in either ssl.conf or whatever file you're sourcing vhosts from.
--
Task 1: Enable Oracle HTTP Server to Run as Root for Ports Set to Less Than 1024 (Unix Only)
If you are on a UNIX system and you are changing the Listen port to a number less than 1024, perform these steps before you change the Oracle HTTP Server Listen port.
By default, Oracle HTTP Server runs as a non-root user (the user that installed Oracle Application Server). On UNIX systems, if you change the Oracle HTTP Server Listen port number to a value less than 1024, you must enable Oracle HTTP Server to run as root, as follows:
  1. Log in as root.
  2. Run the following commands in the middle-tier Oracle home:

    cd ORACLE_HOME/Apache/Apache/bin
    chown root .apachectl
    chmod 6750 .apachectl

Task 2: Use the portconfig Command to Change the Oracle HTTP Server Listen Ports
Use the following procedure to change the Oracle HTTP Server HTTP or HTTPS listen port:
  1. Set the ORACLE_HOME environment variable to the home directory of the Oracle Application Server instance where the Oracle HTTP Server resides.
    For example:

    (UNIX) setenv ORACLE_HOME /dev0/private/oracle/appserv1/

  2. On UNIX systems, set the LD_LIBRARY_PATH, LD_LIBRARY_PATH_64, LIB_PATH, or SHLIB_PATH environment variables to the proper values. The actual environment variables and values that you must set depend on the type of your UNIX operating system.

  3. Create an alias (on UNIX systems) to represent the portconfig command.
    For example, to execute the command as an alias on UNIX systems, enter the following command:

    alias portconfig '$ORACLE_HOME/jdk/bin/java -cp
    $ORACLE_HOME/sysman/webapps/emd/WEB-INF/lib/emd.jar:
    $ORACLE_HOME/dcm/lib/dcm.jar:
    $ORACLE_HOME/sso/lib/ossoreg.jar
    oracle.sysman.ias.sta.tools.PortConfigCmdLine \!*'

  4. Use the newly created portconfig command as follows:

    portconfig -oracleHome ORACLE_HOME
    -oldPort old_port
    -newPort new_port
    [-sso -url http://sso_host:port -user http_server_admin_user
    [-site name_of_sso_partner_application]
    [-admin mod_osso_admin_user]
    [-vHost path_to_mod_osso_configuration_file]]
    [-webCache] [-debug]
    {-start | -restart}

    For example, on UNIX systems:

    portconfig -oracleHome $ORACLE_HOME -oldPort 7777 -newPort 7778 -webCache

Changing VSWIF IP in VMWare ESX

Pretty nice post on esxcfg commands...

Esxcfg command help
Esxcfg-firewall
Description: Configures the service console firewall ports
Syntax: esxcfg-firewall

Options:
-q Lists current settings
-q <service> Lists settings for the specified service
-q incoming|outgoing Lists settings for non-required incoming/outgoing ports
-s Lists known services
-l Loads current settings
-r Resets all options to defaults
-e <service> Allows specified service through the firewall (enables)
-d <service> Blocks specified service (disables)
-o <port,protocol,direction,name> Opens a port
-c <port,protocol,direction> Closes a port previously opened by -o
-h Displays command help
-allowincoming Allow all incoming ports
-allowoutgoing Allow all outgoing ports
-blockincoming Block all non-required incoming ports (default value)
-blockoutgoing Block all non-required outgoing ports (default value)

Default Services:

AAMClient Added by the vpxa RPM: Traffic between ESX Server hosts for VMware High Availability (HA) and EMC Autostart Manager – inbound and outbound TCP and UDP Ports 2050 – 5000 and 8042 – 8045
activeDirectorKerberos Active Directory Kerberos - outbound TCP Ports 88 and 464
CIMHttpServer First-party optional service: CIM HTTP Server - inbound TCP Port 5988
CIMHttpsServer First-party optional service: CIM HTTPS Server - inbound TCP Port 5989
CIMSLP First-party optional service: CIM SLP - inbound and outbound TCP and UDP Ports 427
commvaultDynamic Backup agent: Commvault dynamic – inbound and outbound TCP Ports 8600 – 8619
commvaultStatic Backup agent: Commvault static – inbound and outbound TCP Ports 8400 – 8403
ftpClient FTP client - outbound TCP Port 21
ftpServer FTP server - inbound TCP Port 21
kerberos Kerberos - outbound TCP Ports 88 and 749
LicenseClient FlexLM license server client - outbound TCP Ports 27000 and 27010
nfsClient NFS client - outbound TCP and UDP Ports 111 and 2049 (0 – 65535)
nisClient NIS client - outbound TCP and UDP Ports 111 (0 – 65535)
ntpClient NTP client - outbound UDP Port 123
smbClient SMB client - outbound TCP Ports 137 – 139 and 445
snmpd SNMP services - inbound TCP Port 161 and outbound TCP Port 162
sshClient SSH client - outbound TCP Port 22
sshServer SSH server - inbound TCP Port 22
swISCSIClient First-party optional service: Software iSCSI client - outbound TCP Port 3260
telnetClient Telnet client - outbound TCP Port 23
TSM Backup agent: IBM Tivoli Storage Manager – inbound and outbound TCP Ports 1500
veritasBackupExec Backup agent: Veritas BackupExec – inbound TCP Ports 10000 – 10200
veritasNetBackup Backup agent: Veritas NetBackup – inbound TCP Ports 13720, 13732, 13734, and 13783
vncServer VNC server - Allow VNC sessions 0-64: inbound TCP Ports 5900 – 5964
vpxHeartbeats vpx heartbeats - outbound UDP Port 902

Note: You can configure your own services in the file /etc/vmware/firewall/services.xml

esxcfg-firewall examples:
Enable ssh client connections from the Service Console:
# esxcfg-firewall -e sshClient
Disable the Samba client connections:
# esxcfg-firewall -d smbClient
Allow syslog outgoing traffic:
# esxcfg-firewall -o 514,udp,out,syslog
Turn off the firewall:
# esxcfg-firewall -allowIncoming
# esxcfg-firewall -allowOutgoing
Re-enable the firewall:
# esxcfg-firewall -blockIncoming
# esxcfg-firewall -blockOutgoing


Esxcfg-nics
Description: Prints a list of physical network adapters along with information on the driver, PCI device, and link state of each NIC. You can also use this command to control a physical network adapter’s speed and duplexing.
Syntax: esxcfg-nics [nic]

Options:

-s <speed> Set the speed of this NIC to one of 10/100/1000/10000. Requires a NIC parameter.
-d <duplex> Set the duplex of this NIC to one of 'full' or 'half'. Requires a NIC parameter.
-a Set speed and duplex automatically. Requires a NIC parameter.
-l Print the list of NICs and their settings.
-r Restore the NICs configured speed/duplex settings. (Internal use only)
-h Displays command help

esxcfg-nics examples:
Set the speed and duplex of a NIC (vmnic2) to 100/Full:
esxcfg-nics -s 100 -d full vmnic2
Set the speed and duplex of a NIC (vmnic2) to auto-negotiate:
esxcfg-nics -a vmnic2


Esxcfg-vswitch
Description: Creates and updates virtual machine (vswitch) network settings
Syntax: esxcfg-vswitch [vswitch[:ports]]

Options:

-a Add a new virtual switch.
-d Delete the virtual switch.
-l List all the virtual switches.
-L <pnic> Set pnic as an uplink for the vswitch.
-U <pnic> Remove pnic from the uplinks for the vswitch.
-p <portgroup> Specify a portgroup for operation. Use ALL for operation to work on all portgroups
-v <vlan id> Set VLAN ID for portgroup specified by -p. 0 would disable the VLAN.
-c Check to see if a virtual switch exists. Program outputs a 1 if it exists, 0 otherwise.
-A <portgroup> Add a new portgroup to the virtual switch.
-D <portgroup> Delete the portgroup from the virtual switch.
-C <portgroup> Check to see if a portgroup exists. Program outputs a 1 if it exists, 0 otherwise.
-r Restore all virtual switches from the configuration file (Internal use only)
-h Displays command help


esxcfg-vswitch examples:

Add a pnic (vmnic2) to a vswitch (vswitch1):
esxcfg-vswitch -L vmnic2 vswitch1
Remove a pnic (vmnic3) from a vswitch (vswitch0):
esxcfg-vswitch -U vmnic3 vswitch0
Create a portgroup (VM Network3) on a vswitch (vswitch1):
esxcfg-vswitch -A "VM Network 3" vSwitch1
Assign a VLAN ID (3) to a portgroup (VM Network 3) on a vswitch (vswitch1):
esxcfg-vswitch -v 3 -p "VM Network 3" vSwitch1
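The one-off commands above are easy to re-run by hand but not safe to re-run from a script (-a on an existing vswitch or -A on an existing portgroup simply fails). As an added example that is not part of the original post, the script below combines them into an idempotent "make sure this VLAN-tagged portgroup exists" step using the -c and -C checks listed in the options table; it assumes -C takes the portgroup name followed by the vswitch, as -A does, and the ESXCFG_VSWITCH variable is an assumption of this example so the functions can be pointed at a stand-in command.

```shell
#!/bin/sh
# Added example, not from the original post: create a VLAN-tagged portgroup
# idempotently with the esxcfg-vswitch options listed above.  The -c and -C
# checks print 1 when the vswitch / portgroup exists and 0 otherwise, so the
# script creates only what is missing and then (re)applies the VLAN ID.
# ESXCFG_VSWITCH (an assumption of this example) lets the functions be
# pointed at a stand-in command for testing; by default they call the real
# esxcfg-vswitch binary.
ESXCFG_VSWITCH="${ESXCFG_VSWITCH:-esxcfg-vswitch}"

# exists_vswitch VSWITCH -> exit 0 if the vswitch exists, 1 otherwise
exists_vswitch() {
    [ "$("$ESXCFG_VSWITCH" -c "$1")" = "1" ]
}

# exists_portgroup VSWITCH PORTGROUP -> exit 0 if the portgroup exists
# (assumes -C takes the portgroup name then the vswitch, like -A)
exists_portgroup() {
    [ "$("$ESXCFG_VSWITCH" -C "$2" "$1")" = "1" ]
}

# valid_vlan ID -> exit 0 for 0 (untagged) or 1-4094, 1 otherwise
valid_vlan() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 4094 ]
}

# ensure_vlan_portgroup VSWITCH PORTGROUP VLAN
# Exit 0 when the portgroup exists on the vswitch with the requested VLAN,
# 2 for a bad VLAN id, 1 if an esxcfg-vswitch call failed.
ensure_vlan_portgroup() {
    vswitch="$1"; pg="$2"; vlan="$3"
    if ! valid_vlan "$vlan"; then
        echo "invalid VLAN id: $vlan (expected 0 or 1-4094)" >&2
        return 2
    fi
    if ! exists_vswitch "$vswitch"; then
        "$ESXCFG_VSWITCH" -a "$vswitch" || return 1
    fi
    if ! exists_portgroup "$vswitch" "$pg"; then
        "$ESXCFG_VSWITCH" -A "$pg" "$vswitch" || return 1
    fi
    # The VLAN ID is applied unconditionally: setting it again is harmless
    # and corrects a portgroup someone left untagged or on the wrong VLAN,
    # which is the usual way traffic from one segment leaks into another.
    "$ESXCFG_VSWITCH" -v "$vlan" -p "$pg" "$vswitch"
}

# Stand-alone use: sh ensure_vlan_portgroup.sh vSwitch1 "VM Network 3" 3
if [ $# -eq 3 ]; then
    ensure_vlan_portgroup "$@"
fi
```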


Esxcfg-vswif
Description: Creates and updates service console network settings. This command is used if you cannot manage the ESX Server host through the VI Client because of network configuration issues.
Syntax: esxcfg-vswif [vswif]

Options:

-a Add vswif, requires IP parameters. Automatically enables interface.
-d Delete vswif.
-l List configured vswifs.
-e Enable this vswif interface.
-s Disable this vswif interface.
-p Set the portgroup name of the vswif.
-i or DHCP The IP address for this vswif or specify DHCP to use DHCP for this address.
-n The IP netmask for this vswif.
-b The IP broadcast address for this vswif. (not required if netmask and ip are set)
-c Check to see if a virtual NIC exists. Program outputs a 1 if the given vswif exists, 0 otherwise.
-D Disable all vswif interfaces. (WARNING: This may result in a loss of network connectivity to the Service Console)
-E Enable all vswif interfaces and bring them up.
-r Restore all vswifs from the configuration file. (Internal use only)
-h Displays command help.

Note: You can set the Service Console default gateway by editing the /etc/sysconfig/network file or through the VI Client under Configuration, DNS & Routing.

esxcfg-vswif examples:
Change your Service Console (vswif0) IP and Subnet Mask:
esxcfg-vswif -i 172.20.20.5 -n 255.255.255.0 vswif0
Add a Service Console (vswif0):
esxcfg-vswif -a vswif0 -p "Service Console" -i 172.20.20.40 -n 255.255.255.0


Esxcfg-route
Description: Sets or retrieves the default VMkernel gateway route
Syntax: esxcfg-route [ [] ]
can be specified in 2 ways: as a single argument in / format or as a pair.
is either an IP address or 'default'

Options:

-a Add route to the VMkernel, requires network address (or 'default') and gateway IP address.
-d Delete route from the VMkernel, requires network address (or 'default').
-l List configured routes for the Service Console.
-r Restore route setting to configured values on system start. (Internal use only)
-h Displays command help

esxcfg-route examples:

Set the VMkernel default gateway route:
esxcfg-route 172.20.20.1
Add a route to the VMkernel:
esxcfg-route -a default 255.255.255.0 172.20.20.1


Esxcfg-vmknic
Description: Creates and updates VMkernel TCP/IP settings for VMotion, NAS, and iSCSI
Syntax: esxcfg-vmknic [[portgroup]]

Options:


-a Add a VMkernel NIC to the system, requires IP parameters and portgroup name.
-d Delete VMkernel NIC on given portgroup.
-e Enable the given NIC if disabled.
-D Disable the given NIC if enabled.
-l List VMkernel NICs.
-i The IP address for this VMkernel NIC. Setting an IP address requires that the -n option be given in same command.
-n The IP netmask for this VMkernel NIC. Setting the IP netmask requires that the -i option be given in the same command.
-r Restore VMkernel TCP/IP interfaces from configuration file. (Internal use only)
-h Displays command help

esxcfg-vmknic examples:
Add a VMkernel NIC and set the IP and subnet mask:
esxcfg-vmknic -a "VM Kernel" -i 172.20.20.19 -n 255.255.255.0

Serial Console on VMWare ESX

I primarily use HP ILO's on our DL360s. I never get ILO Advanced Pack..It's expensive, and I use UNIX so, for my BSD and Linux machines I just use serial consoles... It beats buying the license...and I don't need the graphical stuff... That's what X servers are for.

Compiled this from a defunct wiki from some edu, but it's pretty much common sense. Just wanted to document it for those who care ;)

For an ESX Server:
This is about enabling the console of ESX server to be a serial port. Running an IP KVM for ESX servers seems a really expensive thing to do, when it just needs a shell.

This is a method I use for RHEL/CentOS. I had to modify it slightly for VMware ESX:
Edit /boot/grub/grub.conf
Add the following lines after "timeout=3" line

serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=8 serial console

* The first line tells GRUB to use the first serial port at a baud rate of 9600
* The second line gives the user 8 seconds to decide where GRUB should output its information.
* Please adjust port number and speed as per your setup.

Append the kernel entry in /boot/grub/grub.conf to add serial console:


kernel /vmlinuz ro root=UUID=675026ae-e3ee-4340-8614-9173f59d5bfb mem=300M quiet console=ttyS0,9600

Edit /etc/inittab to add a new line for agetty. I placed this after the mingetty entries:

s0:2345:respawn:/sbin/agetty -L -f /etc/issueserial 9600 ttyS0 vt100

Additional notes: root logins are restricted over ttySX by default unless your ttySX is added to the securetty config. So, edit /etc/securetty and add your port if you want to allow root logins.
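The three edits above (the GRUB serial line, the kernel console= option and the agetty entry) have to agree on port and speed, and a mismatch is the usual reason a serial console shows nothing or garbage. As an added example, not part of the original post, the functions below pull those settings out of grub.conf and inittab, report mismatches, and note whether /etc/securetty permits root on that port; the file paths are parameters so it can be run against copies of the real files.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the serial console
# configuration described above.  GRUB's "serial --speed=", the kernel's
# "console=ttyS0,9600" and the agetty line in /etc/inittab must agree; the
# securetty check only reports, since allowing root on ttyS0 is a choice.
# All file paths are parameters (constructed test files work the same way).

# grub_serial_speed GRUB_CONF -> prints the --speed= value of the serial line
grub_serial_speed() {
    sed -n 's/^serial .*--speed=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# kernel_console GRUB_CONF -> prints e.g. "ttyS0,9600" from the kernel line
kernel_console() {
    sed -n 's/^[[:space:]]*kernel .*console=\(ttyS[0-9]*,[0-9]*\).*/\1/p' "$1" | head -n 1
}

# agetty_console INITTAB -> prints "ttyS0,9600" from the agetty respawn entry
# (picks the numeric word as the speed and the ttyS* word as the port, so the
# -L / -f /etc/issueserial / vt100 arguments do not matter)
agetty_console() {
    awk -F: '$4 ~ /agetty/ {
        n = split($4, f, " "); speed = ""; port = ""
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^[0-9]+$/) speed = f[i]
            if (f[i] ~ /^ttyS[0-9]+$/) port = f[i]
        }
        if (port != "" && speed != "") { print port "," speed; exit }
    }' "$1"
}

# root_allowed_on SECURETTY PORT -> exit 0 if PORT is listed (root may log in)
root_allowed_on() {
    grep -qx "$2" "$1"
}

# check_serial_console GRUB_CONF INITTAB SECURETTY
# Prints "OK ttyS0,9600" and exits 0 when everything agrees; otherwise prints
# each problem on stderr and exits 1.
check_serial_console() {
    grub_speed=$(grub_serial_speed "$1")
    kc=$(kernel_console "$1")
    ac=$(agetty_console "$2")
    if [ -z "$grub_speed" ] || [ -z "$kc" ] || [ -z "$ac" ]; then
        echo "missing setting: grub=[$grub_speed] kernel=[$kc] agetty=[$ac]" >&2
        return 1
    fi
    port=${kc%%,*}; kspeed=${kc#*,}
    status=0
    if [ "$grub_speed" != "$kspeed" ]; then
        echo "MISMATCH: GRUB serial speed $grub_speed vs kernel $kspeed" >&2
        status=1
    fi
    if [ "$kc" != "$ac" ]; then
        echo "MISMATCH: kernel console $kc vs agetty $ac" >&2
        status=1
    fi
    if root_allowed_on "$3" "$port"; then
        echo "note: root login is permitted on $port (listed in securetty)" >&2
    else
        echo "note: root login is NOT permitted on $port (not in securetty)" >&2
    fi
    [ "$status" -eq 0 ] && echo "OK $kc"
    return "$status"
}

# Stand-alone use: sh check_serial.sh /boot/grub/grub.conf /etc/inittab /etc/securetty
if [ $# -eq 3 ]; then
    check_serial_console "$@"
fi
```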

For a VM:
To add a serial console to VMWare ESX, there's no way to do it either from the web console or from their dinky vmware-console. There are just grayed out menu items that torment your soul, leaving you with a bitter taste of unfulfilled possibilities. Yet there is hope!

Here I add serial console 0:

serial0.present = "TRUE"
serial0.fileType = "file"
serial0.fileName = "/tmp/console.debian26_dan"

then add in your kernel boot options (ie, in /boot/grub/menu.lst) console=ttyS0,19200
like this: kernel /boot/vmlinuz root=/dev/sdc1 ro console=ttyS0,19200 console=tty0

now as you do crazy things to the kernel and crash it (ie, run zap), you can access your kernel log for debugging information in /tmp/console.debian26_dan.

NOTE: this enables a serial console for a guest machine on ESX. It does not enable a serial console for the ESX system itself, for that see above. ;p

Friday, August 21, 2009

it is the whole thing.

see subject. no comment. sigh.

Tuesday, August 18, 2009

mpage!

so...i guess, i just screwed up when i was working with mpage before trying to get the fonts right. it appears now that Courier-Bold as a -F parameter is working. ;) Yay.

That's how you get darker color, Bob!

Monday, August 17, 2009

cups-pdf, cups, RHEL, Linux, and EPEL repositories...

Soo...you want to add some other packages...
OK!

su -c 'rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm'

they should now be available in yum...in my case, cups-pdf.

Sunday, August 16, 2009

using firefox 3.5.x in Linux ... It's not just that easy, apparently.

I got tired of looking for a repo version and decided to get the bin pkg from Mozilla.

Here’s a really quick way to get 3.5.2 running on your Ubuntu or RHEL/CentOS system.

I removed the Firefox 3.0 that shipped... In this case, with CentOS. This tutorial taken from some Ubuntu user's post/page...I forget.

Open up Terminal (Applications > Accessories > Terminal) and run the following commands:

  1. cd /tmp
  2. wget "http://download.mozilla.org/?product=firefox-3.5.2&os=linux&lang=en-US"
    Note: Your download link may be different depending on your country and language. I got the link by clicking the download link, canceling the automatic download, right-clicking the “Your download should automatically begin in a few seconds, but if not, click here” link, and selecting Copy Link Location.
  3. tar xvjf firefox-*.bz2
  4. sudo cp -r firefox /usr/lib/firefox-3.5.2
  5. sudo mv /usr/bin/firefox /usr/bin/firefox.old
  6. sudo ln -s /usr/lib/firefox-3.5.2/firefox /usr/bin/firefox-3.5.2
  7. sudo ln -s /usr/bin/firefox-3.5.2 /usr/bin/firefox

Close Firefox and then reopen. You should now be running Firefox 3.5.2.

If for whatever reason you’d like to switch back to your previous version of Firefox, simply run the following commands from Terminal:

  1. sudo mv /usr/bin/firefox /usr/bin/firefox.bak
  2. sudo mv /usr/bin/firefox.old /usr/bin/firefox

enable rpmfusion, epel for CentOS / RHEL5 to install other repos...

[root@caliban-centos ~]# su -c 'rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm'

[root@caliban-centos ~]# su -c 'rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm'

- this should then allow software to be pulled from rpmfusion!

Thursday, June 25, 2009

homemade tend skin recipe.

Crush 18 tablets aspirin and dissolve in alcohol. Crush remaining 8 tablets aspirin and dissolve in witch hazel. Combine alcohol and witch hazel together. Pour into squeeze bottle. May need to shake before each use, as aspirin may settle. Apply once daily after waxing or shaving to prevent and treat ingrown hairs.
26 tablets uncoated aspirin, divided
5 ½ oz. 70% rubbing alcohol
2 ½ oz. witch hazel extract

Tuesday, June 23, 2009

From a "Best of Craigslist"

Dear Christians


Date: 2009-04-03, 5:02AM PDT


In the following argument of nine premises, I will aim to convince you that Jesus of Nazareth was a fictional character, and not a real person. I do not intend to sway the beliefs of many of you, nor even budge them - I know this to be an impossibility, for if the religious mind is well-trained at anything, it is circumventing rational argument. I only intend to sow seeds of doubt, in the hopes that perhaps some of you will nurture them and let them grow. Here goes.

1. Much, if not most, of the Bible is arguably fiction. Quit being so intellectually dishonest, Christians - this is the twenty-first century. That means the burden of proof is on YOU. If you make a claim about the universe, it is up to you to prove it is true, not the other way around. It is not up to us, the rest of the world, to prove your claims false - that is not scientific thinking, that is anti-scientific thinking. Because I am a man of my times, and believe in correcting ignorance, what I am doing here is out of courtesy to YOU, just as if I were to argue publicly that there is a Flying Spaghetti Monster orbiting Venus preparing to blow up Planet Earth, one of you would probably, out of simple human decency attempt to correct me and point me towards the truth. This is my way of doing that. Now, back to the Bible being fiction... that part's easy. Find me a snake with vocal chords, water that is dense enough for a human being to walk on, or a chemical process that converts complex carbohydrates to fish. Until then, you're out of luck, sucker. The evidence wins, and the evidence sides with me. These are invented stories... fictional dramas meant to impart some moral lesson. They are not real.

2. Following point two: from an objective, scrutinizing view, there is no reason to believe one story in the Bible over another. We cannot honestly engage shades of truth here - either the books in the Bible are historically true or they are not. Since they almost ubiquitously contain material to make the scientific person skeptical, we can chance to say the same is true of the entire book: either it happened, or it didn't. Therefore, it is no less plausible to disbelieve the Jesus myth than the myth about Enoch the nine-hundred year old man or the creation myth wherein God pats the first humans out of clay. Here's a hint: humans, like all other complex organisms, reached their present condition by millions of years of natural selection through the self-preservation of certain greedy genes. We can observe this happening today; anti-biotic resistant bacteria are a good example. Plus, we've mapped the human genome - we know our ancestry, and it's simian. Even Pope John Paul II said evolution is a historical fact. People did not come from clay.

3. By definition, intellect, or "reason" is the ability to revise one's beliefs in light of better argumentation. Taking simple, empirical data from the world around you should make it easy to determine that the physical laws of the universe DO NOT CHANGE. It therefore stands to reason that "miracles" can only possibly be one of two phenomena: A, an outside agent actually interfering with the laws of the universe; or B, hyperbolized coincidences. Considering the Bible was written in a time when allegory was the most common form of journalistic reporting and most people still believed spitting on a wound was an appropriate way to cure it, it is far more reasonable to assume the latter.

*Side note: Seriously Hoss, let me clue you in on something: things that are impossible to do now - like walking on water, resuscitation after days of biological death, and wine magically turning into blood - were just as impossible 2,000 years ago. There's a much greater power in the universe than "belief." It's called "observation."

4. To believe these stories, you must create strange rationalizations that do not hold up to true intellectual scrutiny. This brings us to the issue of honesty. Without deluding yourself, can you honestly answer the following questions? Such as, why doesn't God heal amputees? He heals everyone else miraculously, right? But neither you nor I have ever seen an amputee grow back a leg. Oh wait, God has a special plan for them. But isn't he supposed to be loving and just? What's with the discrimination, man? Or how about Jonah surviving in the belly of that whale? Wouldn't he be partially digested after three days? Maybe Baby Balooga had a slow metabolism?

5. Following four, and this one is my favorite: if Jesus is the one true messiah, the only God, whom you shall hath no other gods before him, yada yada, how come so many gods DID come before him having nearly identical biographies? There are no less than two dozen god-men of the ancient Mediterranean whose birth was heralded by a bright star in the East (Sirius, for those who don't practice astronomy), who were also adored by wise men, walked on water, fed the hungry, resurrected the dead, were crucified and rose again, etc. Many even had the same birthday as Jesus - December 25th! Not coincidentally, this was the Roman Holiday of Saturnalia centuries before the clergy decided to call it Jesus' birthday. Surprise! Christians plagiarized earlier religions. I cannot spell it out any clearer than that. Knowing that, how can one believe anything Christian doctrine teaches? How do you even begin to separate what was invented from what was borrowed? You don't. The cold, hard truth is, it was an old story then, and it's an old story now. These messianic archetypes - the man that is god, the man who conquers death - existed long, long before Jesus came around. They were old news when soap was a cutting-edge technology, before written language was even invented. They are ancient fucking history. Jesus was not the antitype of these messianic figures, he was their distillation.

7. Following point 6. If you are skeptical of this information (and you should be, as doubt is the seed of all knowing), investigate the matter for yourself. One hugely recurring problem I find when debating with Christians is that they either know very little about other religions or are ignorant of their existence entirely. This is counter-intuitive to me, and perhaps my own fault in failing to understand the religious mind. Shouldn't it be fairly crucial to make the most educated decision in choosing a religion, if practicing the "right" one is important to you? For example, you wouldn't want to choose a religion based on plagiarism, would you? Or one that literally absorbed every earlier belief system it encountered through endless politicizing or the diplomacy of the sword? Well, better crack those books then - there's a whole heap of gods who fit the Christ mold long before Christ. I suggest you begin by researching Mithra of Rome, Attis of Phrygia, Dionysus of Greece, Krishna of India, and Horus of Egypt. The last should be of particular interest to you, as his mythology is almost an exact carbon copy of Jesus', right down to the twelve apostles and three-day rebound time after being murdered by jealous clergy. Though, I should point out that Horus was worshipped nearly 1000 years BEFORE Christianity began spreading through the Hebrew-populated Roman colonies. This should come as no surprise to you, as it's written right in the bible that the Hebrews came out of Egypt.

8. On a more serious note. Western civilization may have been "built" on Judeo-Christian values (at least the "don't kill" and "don't steal" parts), but we have become a modern society and have adopted the scientific way of thinking. While the aforementioned values have indisputable merits, maintaining the dogma in its entirety is no longer necessary, especially when we consider the violence and segregation it has caused throughout the ages. Furthermore, philosophically speaking, Christian ethics are severely outdated. Since the Enlightenment, the Western World has seen far superior ethicists to Jesus of Nazareth. Kant and Mill, for example, created life-affirming ethical systems that can be applied to a wider range of people without destroying their culture or beliefs about where the universe came from and what kind of sex they should consider perverse. Truly, there is no reason to cling to the old way any longer. We have adopted science and reason in every other aspect of our lives... yet somehow we have retained Bronze Age ethics? It makes no sense. Why should we continue to believe it is better to be tribalists than to be humanists? This mentality is not compatible with a just, egalitarian society. Besides, Jesus may tell us to love one another, but he also says we should maintain the Old Testament in its entirety - no cherry-picking - which means we technically must condone rape, incest, slavery, and genocide (!). If we can do away with these parts (and we have), why not do away with the whole thing?

9. In the grand scheme of things, it would be generally permissible for one to believe in Christian ethics if it were readily understood that Jesus was not a historical person, and the story is allegory. However, if you are a Christian, you probably do believe that Jesus was a real human being. This is a threat to both the advancement of science and the absolution of religious conflict in the world, two issues that are paramount to our survival as a species as our planet nears carrying capacity and is dangerously on the brink of overheating. It creates too slippery a slope for other theocratic nonsense to take hold; for example, the mindset that human beings can literally live after death (how many soldiers would we send to die if everyone believed this is the only life?); or that preserving the existence of cell clusters which bear no conceivable human traits is somehow a better aim than alleviating actual human suffering; or that sex is harmful, but killing, bigotry, and total obedience to clandestine authority are healthy practices; or that blood sacrifice is a value modern societies should endorse. But Jesus WAS a real person, you say! There's a plethora of evidence! No, not really, outside of the gospels. And those hardly count as "evidence." They are secondary sources at best. Here's why: if a historical Jesus really lived and died between 0 and 33 CE, then we know beyond a doubt that at least forty years passed before the earliest gospel - the one written by Mark - was scribed. Because the aforementioned gospel discusses the destruction of Solomon's temple, we know it was written in or sometime after 70 CE. Given the lifespan of the period, that means the author or authors were at best infants or young children when Jesus of Nazareth was supposed to have been crucified. Moreover, the gospel writers are not themselves mentioned in the gospels, and they make no claim to actually having met Jesus.
None of the apostles who walked with Jesus nor anyone who even met him wrote accounts to that effect. Granted, there are certain mentions of a "Christ" in the writings of Mediterranean historians from that period (not Justin Martyr or Pontius Pilate - sorry, but those are proven forgeries). However, if you are a serious Christian, these should be of little consideration to you, as you know "the Christ" is really a title that simply means "the Anointed," and was taken up by many rabbis of that time. In not ONE of these documents is a man named Jesus, or Yeshua of Nazareth mentioned.


In conclusion, the gospels which discuss the life of Jesus of Nazareth are at best hearsay, almost certainly hyperbolized, and at worst complete fabrications. What we can determine beyond a doubt is that for at least four decades after his death, everyone in the world, including his sworn followers and students, simply forgot their messiah existed. If that doesn't cast on you a serious shade of doubt, then nothing will, and perhaps I'm not "the fool".


- A


Thursday, April 23, 2009

Resetting OS Passwords! Just a good writeup for those interested. ;)

Windows
Windows is still the most popular operating system, and the method used to discover the login password is the easiest. The program used is called Ophcrack, and it is free. Ophcrack is based on Slackware, and uses rainbow tables to solve passwords up to 14 characters in length. The time required to solve a password? Generally 10 seconds. The expertise needed? None.

Simply download the Ophcrack ISO and burn it to a CD (or load it onto a USB drive via UNetbootin). Insert the CD into a machine you would like to gain access to, then press and hold the power button until the computer shuts down. Turn the computer back on and enter BIOS at startup. Change the boot sequence to CD before HDD, then save and exit.

The computer will restart and Ophcrack will be loaded. Sit back and watch as it does all the work for you. Write down the password it gives you, remove the disc, restart the computer, and log in as if it were your own machine.

Mac
The second most popular operating system, OS X is no safer when it comes to password cracking than Windows.

The easiest method would be to use Ophcrack on this, also, as it works with Mac and Linux in addition to Windows. However, there are other methods that can be used, as demonstrated below.

If the Mac runs OS X 10.4, then you only need the installation CD. Insert it into the computer, reboot. When it starts up, select UTILITIES > RESET PASSWORD. Choose a new password and then use that to log in.

If the Mac runs OS X 10.5, restart the computer and press COMMAND + S. When at the prompt, type:

fsck -fy

mount -uw /

launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

dscl . -passwd /Users/UserName newpassword

That’s it. Now that the password is reset, you can login.

Linux
Finally, there is Linux, an operating system quickly gaining popularity in mainstream, but not so common you’re likely to come across it. Though Mac and Linux are both based on Unix, it is easier to change the password in Linux than it is OS X.

To change the password, turn on the computer and press the ESC key when GRUB appears. Scroll down and highlight ‘Recovery Mode’ and press the ‘B’ key; this will cause you to enter ‘Single User Mode’.

You’re now at the prompt, and logged in as ‘root’ by default. Type ‘passwd’ and then choose a new password. This will change the root password to whatever you enter. If you’re interested in only gaining access to a single account on the system, however, then type ‘passwd username’ replacing ‘username’ with the login name for the account you would like to alter the password for.

Conclusion
There you have it - that is how simple it is for someone to hack your password. It requires no technical skills, no laborious tasks, only simple words or programs. The moral of the story? Encrypt your data to keep it safe. Don’t use only a password, but actual encryption, such as Blowfish or AES-128. There are a number of programs that can do this - TrueCrypt for Windows, or the native encryption found on Ubuntu, creating a disk image in Mac, etc.

Saturday, April 18, 2009

'08 nissan 350z - nogaro red paint code

the factory paint code for my nogaro red 350z is A41.

...because i have to buy some touch up paint!

Sunday, April 12, 2009

rEFIt - bootloader for the mac.

http://refit.sf.net

The rEFIt Project

rEFIt is a boot menu and maintenance toolkit for EFI-based machines like the Intel Macs. You can use it to boot multiple operating systems easily, including triple-boot setups with Boot Camp. It also provides an easy way to enter and explore the EFI pre-boot environment.

Friday, March 27, 2009

burn a playable dvd from video_ts in Mac OS X

Burn a playable DVD from a VIDEO_TS folder

After searching the forums and trying various things, I still couldn't find a quick, reliable, free method of burning a VIDEO_TS folder to a pure UDF DVD, so that it would play in regular DVD players, as well trigger DVD Player to start up automatically. Anyway, as often is the case, Terminal had the answers. Just type in this command and change the paths to suit:
hdiutil makehybrid -udf -udf-volume-name DVD_NAME \
-o MY_DVD.iso /path/to/VIDEO_TS/parent/folder
Make sure that /path/to/VIDEO_TS/parent/folder is the path to the folder containing the VIDEO_TS folder, not the VIDEO_TS folder itself. Once the .iso file has been created, drag this to Disk Utility and hit the Burn button.

Sunday, January 25, 2009

some things someones father taught them...

Things my father taught me


Date: 2008-04-13, 9:33AM PDT


The measurement of my finger from the tip to the first joint is 1 inch...depth for planting peas.
The measurement to the second joint is 2 inches...depth for corn.
Return borrowed things in better shape than when you borrowed them.
There are two types of trouble...one is the trouble you knowingly walk into, the other is trouble that just happens...it's important to know the difference.
Walk softly but carry a big stick.
if you have to use said stick, make sure who you use it on, doesn't get up.
Grits is good.
Foul language is a sign of a limited vocabulary
Orion, the Big and Little Dippers.
Everyone is a friend until proven otherwise.
Licorice ferns, huckleberries, nettles, sword ferns.
Tabasco won't kill you even if you eat it by the spoonful.
Don't watch the clock when you're at work.
Fish can see you if you look over the side of the boat.
Fish can hear you if you talk too loud.
Respect the elders.
Never go to bed angry.
That which does not kill you will hurt like the dickens, but it will make you stronger.
Family is the most important thing on earth.
How to play the guitar, spoons, mouth harp, and water filled bottles.
The true meaning of "Self Made Man"
If you don't know something, go to the library and learn it.
The phrases "I don't know", "I forgot", or "I tried (and failed)" are excuses.
There is a difference between an excuse and a reason, know the difference.
Take care of your appearance...even if it is just a t-shirt and jeans.
The world can change everything about you, except your point of view...unless you allow it to.

David L. McDonald
born 1936-passed 2008
precious father
beloved husband
A right good fellow.