2009-12-28

booking unix

bk.addn/dev.mac/unix
bk"mac security:

9.25:

(stty -a) is for chking sys ctrl-char's (your terminal's lang)
(echo $TERM) makes sure your environ has your terminal type guessed right .
^U kill current line
^c intr current cmd
^\ quit current cmd
(force intr w core dump)
^D eof -- may exit terminal
^O flush output to screen
but continue with other functions of cmd
^z suspend current process to get cli back
^w WdErase -- bsd's backspace over previous word of current line
^s stop processing (ascii`DC1)
^q start the stopped process (ascii`DC3)


9.26:

. man 2 cmd
is all c calls to system
man 3 is c lib calls
man -k keyword -- same as bsd`apropos .
/usr/doc -- place where unix keeps doc's
xman -- (man run in an x`window)

you can belong to groups primary and supp'al,
login makes your primary group active,
use newgrp.cmd to set your current active group
-- same idea as having a current active directory .


(etc/passwd = (.(users).(user name, id, primary group) )

id.cmd shows (id,name) of {you, your groups},
. besides intr and quit
you can use ps.cmd to get pid, and then kill(pid) .

unix doc's on signals ref both to symbols and codes
but only symbols are portable
do (kill -l)
to see a list of both
do (man kill) to make sure that param is really a lower-case L .

your c prgm is expected to return status <= 128
. if your prgm is terminated abnormally (non-voluntarily)
then it won't be getting a chance to provide an exit status,
if status above 128,
then subtract 128 to know the code for signal that did the abnormal termination .
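
An added example (not part of the original notes) that applies the subtract-128 rule and uses (kill -l) to turn the signal code back into its portable symbol. The function names `describe_status` and `run_and_describe` are made up for this sketch.

```sh
# Decode an exit status the way the note above describes.
describe_status() {
    rc=$1
    if [ "$rc" -gt 128 ]; then
        sig=$((rc - 128))
        # kill -l <number> prints the portable symbol without the SIG prefix
        name=$(kill -l "$sig" 2>/dev/null) || name="?"
        echo "killed by signal $sig (SIG$name)"
    else
        echo "exited with status $rc"
    fi
}

# Run any command and report how it ended.
# The "|| rc=$?" form keeps this usable in scripts that run under set -e.
run_and_describe() {
    rc=0
    "$@" || rc=$?
    describe_status "$rc"
}

# Constructed samples: a voluntary exit, then a child that signals itself.
run_and_describe sh -c 'exit 3'
run_and_describe sh -c 'kill -TERM $$'
```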

. while dos can have 8.3-size names
posix guarantees names can be 14 char's,
but most unix.impl's have a max of 255 .

. filename`syntax"[.name] are for hidden files
like the same as a resource fork on the mac .

redo terms:
what I've been calling a url:(pathname, filename)
is really a pathname:(path prefix, base name)

rm -- remove a link;
all filenames are just links to a file's inode;
but if there's only one filename for that inode,
then rm really does remove the actual file .
. the way to safe trash backup
is to always put your files in a log
and then use extra links (using the hard-link maker)
for use in your working directory .
. soft links are like url's or bookmarks:
they can point at anything,
while hardlinks are just aliased filenames .
(directories are files too, but not leaf files in the fs)
. notice that filenames (and therefore hardlinks)
are relative to a volume, so only softlinks can be url's .
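
An added example (not from the original notes) of the log-plus-working-link habit described above: the file lives in a log directory, the working directory holds a hard link and a soft link, and rm on the working name leaves the data reachable. The directory and file names are constructed, and `link_count` and `link_demo` are made-up helper names.

```sh
# Hard-link count of a path: the second field of `ls -ln`.
link_count() {
    set -- $(ls -ldn "$1")
    echo "$2"
}

link_demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/log" "$dir/work"
    echo "draft 1" > "$dir/log/notes.txt"

    # Hard link: a second filename for the same inode (same volume only).
    ln "$dir/log/notes.txt" "$dir/work/notes.txt"
    # Soft link: a small file that stores a pathname, nothing more.
    ln -s "$dir/work/notes.txt" "$dir/work/notes.sym"

    before=$(link_count "$dir/log/notes.txt")
    rm "$dir/work/notes.txt"            # removes one name, not the inode
    after=$(link_count "$dir/log/notes.txt")
    kept=$(cat "$dir/log/notes.txt")    # contents survive through the log name

    # -e follows the soft link, so it is false once the target name is gone.
    if [ -e "$dir/work/notes.sym" ]; then sym=live; else sym=dangling; fi

    rm -rf "$dir"
    echo "$before $after [$kept] $sym"
}

link_demo
```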

. unix (but not posix) has a limit on filesize .

. files structure uses a tree
where the root is a small block for root (the inode),
and then the leaf nodes are large.blocks (often 4096bytes -- a 12bit-space)
holding the file contents (content.blocks) .
. if there are more content.blocks than the inode has room to point at,
then the inode instead points at other small.blocks (indirection.blocks)
that are then pointing to the content.blocks .

set uid bit is a sort of capabilities control
. it's access to a prgm
that does things for you
to make sure you do only what you're allowed to do .
. but on unix it's letting one client give tool to another client
so there's no picking levels of trust per client .



The only people who have trouble understanding POLA
are credit card companies
(which really do tell you to hand all your credit
to the unknown operator of a remote Web site),
and computer security experts who tell you to
use larger numbers of longer passwords
and ever more complicated firewalls.
All Windows and Unix operating systems (referred to as “Winix” hereafter)
utterly disregard the concept of POLA.
[9.29: comment:
. actually, mac has managed to combine unix with a microkernel;
just what the pola doctor ordered . ]


9.30:

cat dir/* | more
-- to see contents of whole dir .

. besides environ's, a cmd can be param'ized by local var's .

environ's are inherited typically by
copying them to locals of the same name .
. if locals are chg'd,
then they are typically exported to environ's
so for some locals it may appear that they are identical to environ's .

shells have init files usually in home:
~/.profile or ~/.login
or in place given by enviro'var"ENV

.*rc = rc (run command) file;
eg, ~/.cshrc is a subshell rc file for the csh shell;
--. subshells don't use the same init file as the
login or top-level shell .


10.1?:
man bc -- bell labs` calculator on cli,
extended by gnu (on mac?),

10.7:

dev.unix/need to specify current directory with command:
. the reason for unix needing to precede a command with (./)
(ie, this command is found in the current directory)
is that unix doesn't look in the current dir for a cmd
it uses the environ's path var to find where to find binaries .
. it does this because it uses the safe habit of having
separate partitions for variable and constant resources,
so then code in rom is sure not to get corrupted .

10.9: mac.keychain:
. mac security expert warns don't open keychain on login?
gen'ly minimize keeping it open,
so that you are aware of the traffic getting access to it .
. additionally make a routine of checking
which app's have permission to see which passes .

10.21: mac`sec:
. shell hist file and sys process list
are including a copy of the user's cli inputs;
so, don't use cli param's for taking secrets from user .
[if wanting an automated way
have the user put the pass in an expected location,
like have the keychain unlocked when running this prog .]
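
An added example (not from the original notes) that checks the process-list half of this warning: the same constructed secret is handed to a worker once as a cli param and once on stdin, and the worker's visible command line is inspected each time. `visible_args`, `leak_check` and the `worker` label are made-up names; the /proc fallback is an assumption for Linux systems without ps.

```sh
# Command line of a process as the system process list shows it.
visible_args() {
    ps -o args= -p "$1" 2>/dev/null || tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start a worker that receives the secret via argv or stdin,
# then report whether the secret shows up in its command line.
leak_check() {
    mode=$1
    secret=$2
    # The trailing ':' stops the worker shell from exec'ing sleep,
    # so the worker's own argv stays in the process table.
    if [ "$mode" = argv ]; then
        sh -c 'sleep 3; :' worker "$secret" >/dev/null 2>&1 &
    else
        printf '%s\n' "$secret" |
            sh -c 'read -r s; sleep 3; :' worker >/dev/null 2>&1 &
    fi
    pid=$!
    sleep 1    # let the child finish its exec before looking at it

    case $(visible_args "$pid") in
        *"$secret"*) result=exposed ;;
        *)           result=hidden ;;
    esac

    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    echo "$result"
}

# Constructed sample secret, not a real credential.
leak_check argv  'constructed-secret-123'
leak_check stdin 'constructed-secret-123'
```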

11.1:

md5 = Msg Digest version5(for doing checksums)

. security-wise, unix is a significant part of mac,
see additional reading appendix,

11.12:
. one way to minimize browser cookie abuse
would be for browser to adjust cookies
so they're usable only by site that created them .

. the cache should be encrypted .

. chroot'ing
is chging what an app sees as the root folder
thereby jailing it
but, this doesn't always have a jailing effect .
(as seen when user can't see root in finder
but can see it while using vmware.linux )

todo: opengroup.org common data security architecture [done]

11.13:
. keyword for soa`token'based security is
(
) .

11.14:
. mac's controls for [remote login]
are views of openssh (secure shell),
-- remoting is inherently more risky than not,
so enabling this feature is not reducing security .

11.23: web.addn/dev.mac/unix/opengroup.org`common data security architecture:

ogpubs@opengroup.org/The Open Group Bookstore Download


. introduction to the security issues addressed by CDSA
and a high-level description of the main components in the CDSA architecture,
how they interrelate,
and how the CDSA provides interfaces to service provider modules
and to applications software.
ogpubs@opengroup.org/The Open Group Bookstore Download:
date Mon, Nov 23, 2009 at 9:17 PM

web.addn/dev.mac/unix/http state management mechanism rfc:

11.28: todo.addn/dev.mac/unix/c class vars:
. c's static internal var's are actually class var's;
ie, you get a template of code,
and instances get their own var space,
except for these static internal var's:
all the consecutive calls share the value
and so the question is
doesn't unix allow a program to be instantiated concurrently;
and, doesn't this cause problems with these class var's?
. these could be useful for controlling concurrency in c
. when tasks do share var's
it's done by atomically accessing c class var's,
eg, the scheduler has a class var for queueing requests;
atomic access is done by reducing any shared-state change
to a pointer update .
