Dutch log

I keep hitting a bug in make-kpkg when building recent kernels, and I always forget the fix. So, blogging it here for ease of reference

Original post was found at http://lkml.org/lkml/2006/7/16/109

Miro, formerly known as Democracy TV, made its first public release a few days ago.  It’s available at http://www.getmiro.com/. Miro is like a blog aggregator for video sources such as YouTube and Google Video, as well as provider content such as various news  and science tv channels, The Onion.

Installing it was trivial under Ubuntu, although it conflicts with the blackdown JRE. You can install the sun jre instead to get around this.

I (as root) have a directory hierarchy that I want a particular group to always have write access to. The files and folders inside the hierarchy are owned and manipulated by a wide variety of diffrent users.

Essentially I want to delegate ‘root’ access for a portion of the filesystem to a particular group.

My first attempt at implementing this was to use the standard POSIX ACLs that are available for almost every filesystem Linux supports.

I recursively set an ACL on the top-level directory to give the group write access to all files and directories that currently exist and then I recursively set a default ACL to give the group write access on all the directories. This default ACL should be inherited by any new files that are created ensuring that the group keeps write access to everything.

Problem solved? Unfortunately not.

The intricacies of complying with POSIX means that ACLs are implemented as an ACL plus a mask. To gain access to a particular file or directory the user or group must match an appropriate ACL granting the access and the mask for that file or directory must also allow the requested permission to be granted.

When you add an ACL to a file or directory, the ‘group’ bits of the standard Unix permissions magically switch from controlling group access to controlling the mask portion of the ACL, effectively providing an upper bound on the permissions that an ACL entry can grant. This prevents legacy POSIX applications that do not understand ACLs from unintentionally granting excessive permissions - arguably a good thing.

Unfortunately this also makes it very hard to preserve the ACL granting write access to the ‘root’ group which I legitimately intended to have in place on this portion of the filesystem.

Newly created files under the hierarchy generally inherit the ACL as intended, as most applications attempt to create files with as many permissions as possible, leaving it up to the umask to remove undesired permissions.

However any file that is copied into the hierarchy without the ‘group’ write bit set, or any file that has the ‘group’ write bit removed via chmod will actually remove the write bit from the ACL mask invalidating the ACL and leaving me back at square one!

After a bit of Googling I thought that NFSv4 ACLs might be the answer to this problem, as they are marketed as “very similar to Windows ACLs” and I’m sure that I vaugely recall Windows being able to properly inherit ACLs from parent directories. Unfortunately after downloading the NFSv4 ACL patches and trying all the various mount options I cannot find any combination that will offer the functionality I need. The implementation conforms to POSIX, so it still has a mask parameter and the same problems as the standard POSIX ACLs. The only benefit from using NFSv4 ACLs that I can see is that you have more permissions to grant.

So once again, I’m back to square one. I’m hoping that there is some fundamental point that I’m missing as this seems like a very common use-case that I would have thought would be well supported.

If a command-line example is clearer to you look at:
http://www.mattb.net.nz/blog/dump/acl-inheritance-problems.txt

My current solution is to run a cronjob every X minutes to recursively ‘chmod -R g+w /dir’, however that’s far from optimal as it exposes all sorts of race conditions and just seems ugly!

Any suggestions or solutions will be gratefully received.

Per my previous post on upload progress in Rails, I can now confirm:

• Mongrel upload progress works as long as you’re not using –prefix to host the application under a subdirectory
• As Brad Ediger points out, Pound works really well as a load-balancer and SSL offload engine for Mongrel with upload progress.
• The packages in Ubuntu have a pretty fatal bug - Pound segfaults and dies on any connection.
• Due to an OpenSSL bug, the error SSL_CTX_use_certificate_chain_file failed - aborted” could refer to any error, such as “typed the path to the certificate wrong”. Run pound inside strace to confirm.
• If you have a chained root SSL certificate, it’s a pain the ass to get Pound to see it:

The certificates must be in PEM format and must be sorted starting with the subject’s certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.

Which means, cat site.cer chain.cer Equifax_Secure_Global_eBusiness_CA-1.cer site.key > site.pem.

I’ve backported Pound to Ubuntu Dapper, from Debian Testing. Dapper only has 1.0, which might work, but the configuration has changed beween 1.x and 2.x, which makes the examples incorrect.

I’ve built packages for SpamAssassin 3.2.0 for Ubuntu Dapper. They are available in my firewall repository with the dependencies (libnet-dns-perl, libnetaddr-ip-perl, libmail-spf-perl):

deb http://ubuntu.hs.net.nz dapper firewall

If you use this repository, you’ll get a new version of ClamAV, and some other packages also. Beware.

It was a bit of a mission to build, but made easier with the Prevu tool. This is like pbuilder for backports, and anyone doing anything with backports should use it. You can use the 0.4.1 release on Sourceforge on Dapper.

I had to spend a lot of time today re-remembering how to take a CVS/SVN tree and make a distributable package of it. Here are my notes, for me next time, and for anyone interested, now.

sed -i -e "s/AC_INIT(NetworkManager-ppp_vpn, 0.7.0-beta, eemynotna@gmail.com, NetworkManager-ppp_vpn)/AC_INIT(NetworkManager-pptp, 0.6.5, eemynotna@gmail.com, NetworkManager-pptp)/" configure.in
sed -i -e "s/SUBDIRS = src auth-dialog auth-dialog-general properties po/SUBDIRS = src auth-dialog properties po/" Makefile.am
sed -i -e "s_auth-dialog-general/Makefile__" configure.in
ln -s /usr/include/pppd src/pppd
./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make dist

What’s all that do, then?

1. Downgrade the version number
2. Remove the new auth-dialog-general, which isn’t ready for primetime yet, from the Makefile
3. (as above, but for the configure script)
4. Link the system pppd dir - not actually packaged, but <tt>make dist</tt> fails if the PPP headers are missing
5. Run the GNOME autogen script, which runs the autotools
6. Builds a NetworkManager-pptp-0.6.5.tar.gz, with a configure script, ready for packaging.

It helps to remember things. Before re-reading the docs, and realising there was an autogen script, I was running all these commands (which of course required Perry to figure out, as I hate the autotools)

aclocal
autoheader
intltoolize --copy --force --automake
libtoolize --force
automake --copy --add-missing
autoconf
./configure --with-pppd=/usr/include/pppd
ln -s /usr/include/pppd src/pppd
make dist

(Updated: now with AMD64 Feisty deb.) 

I’ve built a new Ubuntu package of the PPTP plugin for NetworkManager, from a recent SVN checkout. It closes some bugs, and hopefully solves a number of other issues with the stability of the program.

• Feisty i386 package, AMD64 package & source
• Edgy i386 package & source
  

I will rely on comments here to gauge the success of this version, and if it works well, I’ll get it uploaded for Gutsy, and possibly push for an -updates release.

Thanks to Ed Schofield for pointing out I’d only linked to i386 packages, and compiling me an AMD64 package.  He reports it clears up the segfault. I don’t have an AMD64 handy to compile on, so perhaps a kind soul will send me a (preferably PGP signed) AMD64 Edgy deb to put up also.

If you’ve come here from Launchpad, welcome, and please take the time to have a read around. I sometimes post about interesting stuff.

With the launch of Freeview, I’ve decided to upgrade my TV capture setup.

I bought a TechniSat SkyStar2 from Martin at Digiview.co.nz (he has them listed for $145 on Trade Me with a 1 year warranty).  Go buy one off him and tell him I sent you.

Thanks to David Zanetti’s in-depth information at pvr.geek.nz, and the always up-to-the-minute information from Steven Ellis on the mythtvnz mailing list, I found out everything I needed to know. And, as you’ve come to expect, processed it into an easy-to-replicate format, and wrote it up: Freeview MythTV setup. I’m running Ubuntu Edgy, and other than some DVB test utilities I chose to play with, didn’t have to install anything - a complete “out of the box” experience.

I’m enjoying watching Stargate SG-1 on the TVNZ widescreen test channel. Unfortunately, I’m going to have to plug the aerial back into Sky eventually.

Next step, moving the card into my server, retiring the dedicated MythTV machine, and setting up XBMC’s MythTV scripts.

Once upon a time, there was a race condition between udev and device-mapper (the kernel interface used for EVMS and LVM2). DM would create and destroy devices regularly, say in the action of creating an LVM snapshot, and udev would say “ooh, shiny new device created” and try and do stuff with it, only to find it had gone away.

For some time, the fix for Ubuntu was a udev rule instructing it to ignore dm-N devices, as such:

KERNEL=="dm-[0-9]*", OPTIONS+="ignore_device"

All well and good, until they fixed that bug in Feisty. Now, if you still have that option in your udev rules, you will get LVM snapshots taking 10 minutes to create, and you’ll also get LVM not starting properly at boot.

Check your workarounds when you upgrade packages. Sometimes, they not only don’t work around any more, they cause all new problems.

Linux (and Unix in general) has a long and (imho) interesting history. It’s always evolving, always continuing to change. However in the rush there are some interesting things that things that have been buried and all but lost. Some of these are abominations that should have never ever seen the light of day (eg, gets(3)), but many of them were a good idea that’s got lost somewhere along the way, and often naively reinvented and all the knowledge that was gained the first time around has been lost.

I’m not saying that all of these technologies should be revived wholesale, many have been buried for good reason, but there are lessons to be learnt here. I refer to Linux and glibc here since thats what I know, much of this applies equally to any Unix.

Lets start with the fact on a modern Linux system you’d be hard pressed to realise that the GUI is network transparent. There is no dialog box “Run [application [v]] on host [hostname [v]] as user [username [v]].” Yet it was very common 10 years ago to be running xterm’s on a variety of boxes, executing cpu intensive commands on machines with cycles to spare. Today people are surprised when you explain that you’re running your web browser on a machine thats seperate to the machine you’re logged into. X11 doesn’t work well over high latency links I’ll admit, but over a local network it’s nearly impossible to tell that even a heavy application like a word processor isn’t running locally. Theres none of the blocky loading like you get with VNC. Yet this is becoming less and less well known.

Thin client Xterminals would speak “XDMCP” to query for which machines were the least loaded for you to login to. You could select from a list, selecting ones that were lightly loaded, but contained the resources you needed to get your work done, and being thin clients it didn’t matter which mchine you used. The support is all still there, but mostly disabled by default because of network security issues, a story that repeats itself further through the article.

Because there were only a few of these big machines, everyone would be logged into them. Commands like “ps” and “who” would show you what other people were doing. Since there were probably multiple computers around you could use rwho(1) and rusers(1) to find out where someone was logged into. You could talk to any user that hadn’t disabled it, with write(1), or talk(1). People would write blog-like entries in their .plan which you could read with finger(1). Contrary to popular belief, Mirabilis didn’t invent “Instant Messenging” in 1996, Mirabilis just made a limited form what Unix users had been doing for years available to non-Unix users. (No possibility to be logged into multiple places, no .plan/blog, having to run a seperate program to announce your presence, no rwall(1)) Almost all of these protocols have been disabled as being insecure, and have never been reimplemented in more secure ways.

rcmd(3) is still a function in glibc which allows programmers to run a command on an another machine. While rsh(1)/rexec(1)/rlogin(1) have all been replaced with ssh(1), rcmd(3) has never been upgraded and remains a forgotten relic from when the Internet was a more trusting place.

Unix machines have always been multiuser boxes, although with the rapid increase in computing power in PC’s, this is becoming less common. Unix machines have files called utmp(5) and wtmp(5) that log who’s currently logged in and who has been logged in, in the past. These files are nearly forgotten, and rarely are even written to unless someone opens an xterm(1). The sense of community that went with using a large multiuser system has disappeared.

It’s not just the community orientated commands mentioned above that made Unix machines truely part of the network rather than boxes that just use the network. With yp/NIS/NIS+ you could trivially enable large groups of machines to share critical databases with ease. Not only were passwd(5), shadow(5) and group(5) shared, but other information like services(5), networks(5), hosts(5), ethers(5), rpc(5) and probably others were also copied. To enable this you’d edit one or two lines and everything was set, extensive customisation was possible via netgroups. Compare to a more “modern” LDAP setup which requires a lot more effort to setup and maintain. Once again yp/NIS/NIS+ were horribly insecure, and LDAP at least can deliver it’s data securely over SSL, but is LDAP really an improvement?

You could tell a well administered network, as every machine had an up to date, and useful /etc/networks and often a useful /etc/ethers too. However it’s been years since I’ve heard of anyone even mention these files. Now days hosts(5) is mostly used as a kind of weird outbound firewall to prevent software talking to hosts you don’t like.

Networked file systems are also another interesting part of the story. NFS is remarkably easy to setup under Unix, it integrates well. It supports the unix semantics well, and with newer versions (eg NFSv4) supports running over a single easily (un?) firewalled port and avoiding the reliance on UIDs being identical between multiple machines.

Then there are other really interesting things that have gone on in the space like Kerberos and AFS/Coda. It’s a pity that they’re not quite so nicely integrated as YP/NIS/NIS+/NFS etc.

Old command line applications such as ftp(1) and the various r* tools supported netrc(5), a file that could contain usernames and passwords as well as aliases for machines and even would support macros to run. Programs such as curl(1) and wget(1) still support this, but this feature is rarely if ever used, and I’d doubt would be implemented in many new applications.

In fact, most config files were executable, or scriptable in some way. When you logged into a machine various scripts would run which could determine based on all kinds of criteria how to configure your setup. You could decide not to use the high colour wallpaper on the old machine that only had 256 colours (oooh! flashies! remember them?), you could dim the colours your window manager used if you logged in after dark. Your $PATH could be setup based on hardware platform, OS version or even if directories existed or not. Window manager menus would be tweaked based on if this computer had a two or three button mouse, or may decide between several different programs depending on what was installed. A “Run Xterm on…” menu might be populated from /etc/hosts.equiv. Because the majority of users prefer not to program a lot of this kind of functionality has been removed. Now if you use the same config from multiple computers you’d better aim for the lowest common denominator.

You used to be able rely on every machine being able to store mail locally, all kinds of programs still look in $MAIL to check if you have new mail. Programs used to assume they can send you email if they had something non urgent to tell you. Mail clients would check the local mail spool for your messages. Anyone remember having bash(1) tell you that you had new mail?

The current trend with SOAP and XMLRPC is also amusing, given that glibc still contains all the sunrpc xdr encoding systems. These are solved problems. ASN.1 is another encoding scheme thats been around for ages. Neither appears to have any real problems (other than they don’t have standardised methods of passing them over HTTP, although that’s perhaps more a feature than a bug). Yet people still insist on reinventing them.

There are other weird features in libc that are there for one reason or another strfry(3) and memfrob(3) being amusing examples. Other examples include hsearch(3), lsearch(3), tsearch(3), insque(3), dbopen(3) etc… None of these as far as I’m aware are part of any standard.

X11 has had several other interesting ideas that have been often overlooked. Window managers were always extremely extensible, and supported all kinds of interesting features. Virtual Desktops and Workspaces are something that everyone has needed to support to be even considered (and I really wish the other OS’s would pick up. I really feel cramped without my virtual workspaces!). Lots of interesting things have been done with window managers that are being slowly forgotten. Focus follows mouse is about as close to “focus follow eyes” as you can get vs Click to focus’s “is it safe to click on that part of the window right now or will that cause something to execute now?” issues. Meta-LeftClick to raise, Meta-RightClick to bury, Meta-RightDrag to resize, and Meta-LeftClick to move all being fairly standard, but modern window managers are starting to ignore. Window Manages

X has a “resource database” which has a standard config for everything. Want to change the font size of some random little bit of text? Easy. Want to change the colour of something? Simple. Want to make all your xterms use visual bells? These are per X server (”Display”), and thus applications running remotely will pick up the local styling, even if your /home is not shared between the two. However modern toolkits ignore that,

On the flipside modern desktop “environments” are doing really well at looking really pretty (ooh! cubes!). however you can find lots of people using window managers that are eye burningly highlighter blue because they support the way they work.

There have been some great ideas in unix that have been discarded for one reason or another, and often even “reinvented” with all the lessons of the past doomed to be reinvented.

(Postscript: In editing this post to link all the stuff I wanted to link I realised I could have used a regex(5) to link all the manpages, but my browser doesn’t do regex searches let alone regex search and replace! Why the hell not?!)

CRN has a series of stories on the increasing use of Linux in Indiana, under a program called Affordable Classroom Computers for Every Secondary Student (ACCESS).

"The amazing part of this is, with everything we’re doing in the classroom, teachers don’t bring up Linux," he said. "They don’t bring up open source. They bring up curriculum. You don’t want the focus to be on Linux or open source."

As usual there Microsoft are trying to spin this, but it’s very hard to spin curriculum-based arguments.

CRN has a series of stories on the increasing use of Linux in Indiana, under a program called Affordable Classroom Computers for Every Secondary Student (ACCESS). "The amazing part of this is, with everything we’re doing in the classroom, teachers don’t bring up Linux," he said. "They don’t bring up open source. They bring up curriculum. You don’t want the focus to be on Linux or open source." As usual there Microsoft are trying to spin this, but it’s very hard to spin curriculum-based arguments.

Well, ok, so I don’t hate Macs, but this guy does. A funny article for all you Mac haters out there. Personally I’d like to spend some quality time with a Mac learning it inside and out. My mum has a Mac and I liked using that. I bought it for her. But still don’t know enough about them. I don’t like Windows, but I use it every day at home and at work. I write software that only runs on Windows in C#, a Microsoft invented programming language.
I use Linux all the time, mostly on the server but I ran Linux as my primary desktop OS for a long long time. But in the last 12 months my system has pretty much stayed running Windows XP because there are programs I use that don’t run in Linux, eg Visual Studio Express, iTunes, etc. Also, I tend to not want to tinker with my PC so much these days. I just want to read mail, surf the web, and refill my iPod with podcasts each day.
The funny thing is that even though I’m running lots of commercial proprietary software on my PC the only things I’ve had to pay for besides games is Windows. Everything else is either free (as in Beer), or Open Source.
If I was a non-Linux using/aware person and I got a new PC (with Windows bundled in the price) there isn’t much I’d need to buy once I’d connected to the Internet. If I didn’t know about OpenOffice maybe I might mistakenly think I needed to buy Microsoft Office.
Actually when I think about it, Open Office really is exposing a soft underbelly of Microsoft. One of the massive cash cows at MS is the Office application suite. They sell truck loads of it to corporations and small businesses. 90% of which most office workers don’t use. Especially the small/medium business types. Sure some companies use it to ridiculous degrees and have entire document and workflow management systems built around exotic VBA macro nightmares. But heaps of people don’t use a fraction of what Office can do.
If OpenOffice could pull a Firefox and really get its marketing up to scratch they could put a large dent in Microsofts revenue stream. Firefox is attacking a free product in the form of Internet Explorer and winning ground. Surely the Open Source community can have an even larger impact competing with software that costs hundreds of dollars. If there was a “spread OpenOffice” campaigns like Spread FireFox and a snazzy professional “Web 2.0″ looking website like mozilla.com for OpenOffice I’m sure more people would take OpenOffice more seriously.
Ah well, enough ranting.

My laptop died recently. It turns on, but fails to POST. So I replaced it with a shiny new workstation. I didn’t want to spend to much so it’s not completely wiz-bang-flash. For around $1700 AUD I got an AMD Athlon 64 3500, nVidia 7600GT, 320GB disk, nForce 4 based motherboard, ViewSonic 19″ widescreen LCD, and Windows XP Pro.
It certainly seems to power along quite nice. Games certainly look a little more slick with all the shiny nobs turned up to 11. Now I can play Half-Life 2 Episode One.
Only downer at the moment is that Ubuntu 6.06 x64 (Dapper Drake) fails to install. Seems it has “issues” with my SATA Hard Disk controller.

Wired is running an article on the increasing Linux-friendliness of European territorial authorities, which are switching to Linux and OpenOffice solutions for a whole range of reasons, including ease of customisation, translation and localisation. Linux and OpenOffice aren’t a silver bullet, of course, there are no silver bullets in IT. A Gendarme contacted by Wired News who spoke on the condition of anonymity said that while he was optimistic about the prospects of the Linux operating system and noted how his unit had a capable IT support staff, he was not too happy with OpenOffice. He said he missed MS Office, even though it is designed by a company run by people he considers to be "thieves." Linux.com is reporting that the recent release of a Kurdish localisation of Ubuntu is causing tensions in Turkey. However, many bureaucrats still put up staunch resistance to the limited rights granted the Kurds. Subsequent reports in the Turkish press suggest that Mayor Abdullah Demirbas of Sur, a town in Diyarbakir, Eastern Turkey, is currently under investigation by the Diyarbakir chief public prosecutor’s office following the launch. It is not clear what Demirbas is being investigated for, but it is probably related to Turkey’s less than tolerant stance on the public use of Kurdish. The Ubuntu release reflects a great deal of hard work, not just by the Ubuntu Kurdish translation team, but the Kurdish translation teams for Gnome and all the other packages that make up Ubuntu. Even their work would not be possible without the careful use of internationalisation (i18n) libraries by literally thousands of open source programmers worldwide, which allow the text, documentation and interfaces to be translated. cheers stuart

A whole range of geek websites have run christmas lists, and if get it quick there’s a chance they’ll be delivered before christmas: linux.com, red hat, make and even MSN

You’d think that that Oracle, after dubbing their version of Linux Unbreakable Linux would have been very, very careful about the security, particularly the security practises that they were seen to be advising on their website. Take a look at their Adding New Nodes to Your Oracle RAC 10g Cluster on Linux tutorial. Most of it’s all good stuff: users and groups for file permissions, ssh certificates for validation of remote connections, and so forth. But look at the .bash_profile recommended in step seven: … export PATH=.:${PATH}:$HOME/bin:$ORACLE_HOME/bin export PATH=${PATH}:$ORA_CRS_HOME/bin export PATH=${PATH}:/usr/bin:/bin:/usr/bin/X11:/usr/local/bin:/sbin … These three lines build the PATH variable, which is defines where the shell looks for executables to run when they’re given without absolute paths, and the order it which to look. Security aware readers will have noticed that the order is a problem here. By having "." as the first component in the path, when commands are run from the command line, the shell will always look first in the current directory first. Security dictates that directories should be listed from most secure to least secure, and "." probably shouldn’t be there at all. Executables in the current directory can be run using  ./<executable> . To see why this might be a problem, consider these three commands, which mount a USB memory stick, change directory to it and list the contents: mount /dev/sda1/ /media/usb cd /media/usb ls The problem arises if there is an executable directory called "ls" in the root directory of the memory stick, when it is run, rather than the system executable. On a well-secured system this won’t be a problem, of course, because the many-layered UNIX security model will ensure that: untrusted partitions are mounted with the noexec flag; that users know what’s on random media and don’t mount untrusted media on production systems; and so forth. But a combination of two or three little slips like this, and suddenly there is no security. cheers, stuart (Oracle website checked 12:15 5th December 2006)

I’ve written a patch for the madwifi-ng driver to separate each associated client into a unique VLAN. The patch only makes sense for use when the driver is in master mode being controlled by hostapd. Using this patch with WPA2/RSN you can acheive complete layer 2 isolation between associated clients. The patch does not support placing multiple clients in the same VLAN.
Full layer 2 isolation requires that there is no broadcast or multicast traffic transmitted from the access point. To enforce this the patch mangles outgoing broadcast / multicast packets to be directed only to the node associated with the VLAN that the packet was received from. Clients can still send/recieve broadcast and multicast traffic without problems if you bridge them onto another layer 2 network. You must fully understand the consequences of this before using the patch.
In the worst case scenario if you bridged the VLANs for each client together onto a common L2 network you will cause every broadcast/multicast packet sent onto that L2 network to be transmitted by the access point as a unicast packet to each associated client. If you have a lot of broadcast/multicast packets this is going to significantly reduce the performance of your network. This is a somewhat contrived situation as there is no point creating the VLANs in the first place if you’re just planning to bridge them back together, but I use it to illustrate the risks this patch can introduce if you don’t understand it properly.
At this stage I’m not convinced that the patch is actually useful, and I’m not going to be proposing it for inclusion in the driver. You’re welcome to use it if you find it useful. Please let me know how you are using it and any problems that you run into. I don’t guarantee that I can provide support or assistance though
The Patch

http://www.mattb.net.nz/patches/madwifi/per-node-vlan.patch

How the patch works
One of the primary constraints I had in writing this patch was that the clients using the access point are not required to do anything special. From their point of view they are simply associated to a standard AP running 802.1x with WPA2. There are no 802.1q packets “on the air”. All of the VLAN functionality is handled within the driver itself.
Inside the driver there is a node table listing every node that is associated. The patch adds an entry to each node record specifying a VLAN id for that client. By default this id is automatically assigned when a node associates, but it can be modified by wriiting to the /proc/net/madwifi/<iface>/sta_vlan file.
As packets are moved between the kernel and the actual physical card by the driver 802.1q tags are added and removed as appropriate to ensure that the kernel sees every node in it’s own VLAN.
The VLAN tagging code in the driver ignores EAPOL frames so that they are always sent to the base device where hostapd is listening.
Userspace Setup
By default per node VLANs are disabled and have to be explicitly enabled

echo 1 > /proc/sys/net/<iface>/per_node_vlan

And you almost certainly want to stop the driver from bridging packets between clients

iwpriv <iface> ap_bridge 0

Then it’s simply a matter of creating the appropriate VLANs on the base interface using the standard Linux VLAN tools, eg:

vconfig add <iface> 4

Final Comments
I’ve tested the code fairly extensive and it works fine for me. It’s not particularly clean and the mangling of broadcast/multicast packets is a messy hack. You can achieve a very similar situation using PPPoE from the client to the Access Point without having to patch the driver to support per node VLANs.

Open Source Development Labs have laid off 9 of 28 workers and CEO Stuart Cohen has resigned. The OSDL is largely an industry joint venture, where IT companies pool resources to fund the development and mantainance of the linux kernel and other core open source components. The layoffs presumably reflect a drop in funding from those members, which makes sense as a number of industry players have decided to go their own way recently. Companies such as Oracle and Novell in particular. cheers, stuart

So as you may remember, I've been thinking about (and quietly implementing) a distributed filesystem.  Tonight I got as far as it mostly working, and since everyone around here is sick of me telling them about it I thought I'd tell you all about it instead
It uses the 9p protocol to talk to the kernel (although I'm using the 9p python client for testing).  I use the chimera DHT for indexing, and libnpfs for dealing with the low level details of the 9p protocol.  I've managed to find bugs in all of these pieces of software so far
 Anyway, onto the interesting part of the show:
9p> ls
foo/
9p> cd foo
9p> ls
readme
9p> cat readme
Hello World
9p> mkdir sample
9p> ls -l
-rw-r–r– perry perry 0 readme
drwxr-xr-x perry perry 0 sample
9p> cd sample
9p> ls -l
9p> put testfile
9p> ls -l
-rw-r–r– perry perry 0 testfile
9p> cat testfile
This file is a test
9p> 
You may notice that the file sizes are all 0, even though most of them seem to contain data, this is coz I've not finished implementing stat(2) yet.  Permissions etc are kinda implemented (they're stored, but not read off disk yet, although libnpfs appears to verify them for me).
There's a bit of polishing off to do before the "local" part of the filesystem is mostly viable. Then I just have to hook all the distributedness together and I should have a fully functional prototype! (yeah right…)

Mayank Sharma writes about some of the features that Red Hat is rolling out to support SELinux on the desktop. SELinux is an NSA-developed security system for locking down Linux. The new tools are GUI tools which allow end-users to configure, examine and analyse an SELinux system. SELinux is unlikely to be suited to non-technical users and still looks to be a significant administration burden even with the new tools, but it’s a must-have for the security conscious. The benefit of SELinux is twofold. First, it replaces the user-based model with a policy-centric model. Every action, like running an application or reading and modifying data, is controlled by a security policy. Actions that violate the policy are denied. Additionally, SELinux compartmentalizes the various applications and processes running on the system. This not only helps in isolating a break-in, but also confines the damage caused by one compromised service. SELinux plugs into the Linux distribution through the Linux Security Module (LSM) hooks, which are available in the 2.6.x kernel series. LSM was designed to integrate security models to work with the kernel, instead of applying them as a patch.