On Sat, 20 Aug 2005, Alan Coopersmith wrote:

> James G. Stallings II wrote:
> > All that aside, I'm preparing to evaluate opensolaris on an intel box, and
> > have a few goofy questions that I haven't been able to gather from the faq
> > or from searching this list:
>
> One important point is that OpenSolaris is just a set of source code at
> this point. There are two distros built on top of that source code -
> Solaris Express from Sun, and Schillix from Joerg Schilling and his helpers.
> Solaris Express includes the software from OpenSolaris, plus a lot more that
> hasn't been open sourced yet. So far OpenSolaris only has the base kernel
> and core OS libraries and utilities. Other portions of the Solaris source
> are coming in the future - see the roadmap on the OpenSolaris site for when
> those are expected to be released.
>
> > 1. Where's the application/utility software repository? I'd like to browse
> > what's working, with an eye toward replacing my existing freebsd
> > installation with opensolaris. This means I'd need a minimal desktop,
> > apache, tcl/tk, ruby, perl, php, sendmail, mysql, ssh, vnc suite, and samba
> > at minimum; is this an unrealistic expectation at present?
>
> There isn't one specific to OpenSolaris yet, but www.blastwave.org
> and www.sunfreeware.com have large collections available for Solaris,
> which should all work on Solaris Express.
>
> Many of those applications are included directly in Solaris Express
> as well - perl, php, samba, the Java Desktop System (based on GNOME 2.6),
> ssh, apache, sendmail and mysql.
>
> > 2. How much of the installable application base is in common with gnome?
> > essentially, are all gnome apps available on the gnome desktop under
> > opensolaris? if not, what are the porting hurdles in very general terms?
>
> The Java Desktop System included in Solaris Express is based on
> GNOME 2.6, though work is in progress to update it to GNOME 2.10
> or 2.12 soon.
>
> If you're sticking to pure OpenSolaris, then no desktop is included
> yet, but you can build Xorg & GNOME on your own without much problem.
> We're working to have the sources for both included in OpenSolaris in
> the near future.
>
> > 3. Aside from the machine partitioning, how's security? Assuming its all
> > working, I'll need the sendmail, ssh and apache services to face the web --
> > am I gonna leave my hindparts exposed to the breeze by doing something like
> > this?
>
> Solaris security is as strong or as weak as you want it to be.
> It's very configurable, and includes ipfilter firewall, IPsec
> options, a service manager to control which services are running,
> etc.

Building on Alan C's advice I'll add the following:

One of the real strengths of (Open)Solaris is security IMHO. Sun has a serious presence in almost every conceivable security related technology sector and tends to lead, rather than follow many security related (software) initiatives. There are a couple of flies in the ointment however:

a) While patches to fix a Mozilla security advisory appear in other environments within days of a CERT advisory - Sun has a track record of taking months to release patches for the same advisory. Additionally, all patches originate from sunsolve.sun.com and their track record, in terms of availability, reliability, accountability (to the user community) and accuracy, is dismal.

b) Recently sunsolve was effectively "broken" for more than 3 business days (straight) - but you could not tell that by accessing the site. Apparently, putting up a "Sorry - we've broken" on the main page was beyond their collective ability. Over the last several weeks the performance of the various tools on the site has been spotty (various degrees of brokenness being readily apparent) - which has been broadly explained by them going through a tool upgrade/release cycle.

c) Every week there seems to be some crisis on Sunsolve. This week it was a withdrawn patch being available that was not supposed to be available (hence the term "withdrawn"). And continued degrees of broken-ness being displayed by the patching tools or the patching data that is driving their behavior.

d) For more information on this topic, examine the archives for the Solaris on Intel list at [EMAIL PROTECTED] - but only if you've got a bunch of time on your hands. BTW: that mailing list is a great source of help for (Open)Solaris on x86 newbies.

So, in terms of you keeping a web facing system secure, do not rely on sunsolve to provide the necessary information or the required fixes. Rely on other sources for advisories and fixes - in addition to what you can retrieve and load (successfully) from sunsolve. If you see some behavior you don't understand on sunsolve, wait two (??) days and try it again.

After you load your (Open)Solaris box, please examine the following script and see if it meets your security requirements before running it. This is my *generic* recipe for an (Open)Solaris box after it's been booted the first time. Search on docs.sun.com (by keyword) for anything you're not familiar with.

#!/usr/bin/ksh
# Apply the limited-networking SMF profile first.
svccfg apply /var/svc/profile/generic_limited_net.xml
# Explicitly disable the remaining network services.
svcadm disable svc:/network/nfs/status:default
svcadm disable svc:/network/nfs/nlockmgr:default
svcadm disable svc:/network/telnet:default
svcadm disable svc:/network/nfs/client:default
svcadm disable svc:/network/nfs/rquota:default
svcadm disable svc:/network/ftp:default
svcadm disable svc:/network/finger:default
svcadm disable svc:/network/login:rlogin
svcadm disable svc:/network/shell:default
# Stop each legacy rc service, then rename its script (lowercase s)
# so that it is no longer started at boot.
cd /etc/rc3.d
./S50apache stop
mv S50apache s50apache
./S76snmpdx stop
mv S76snmpdx s76snmpdx
./S77dmi stop
mv S77dmi s77dmi
./S82initsma stop
mv S82initsma s82initsma
./S90samba stop
mv S90samba s90samba
cd ../rc2.d
./S47pppd stop
mv S47pppd s47pppd
./S95IIim stop
mv S95IIim s95IIim

----

One more tip for an (Open)Solaris newbie. If you're going to use www.blastwave.org for packages, which I would highly recommend, then make /opt a separate mount point. This will allow you to (very easily) build a zone and customize that zone with a different set of blastwave packages which get installed, by default, in /opt/csw.

Regards,

Al Hopper  Logical Approach Inc, Plano, TX.  [EMAIL PROTECTED]
           Voice: 972.379.2133 Fax: 972.379.2134
OpenSolaris Community Advisory Board (CAB) Member - Apr 2005
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
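
A way to confirm that the recipe in the message above took effect, given as an added example that is not part of the original post: it reports any of the listed SMF services that are not in the "disabled" state and any of the listed rc scripts that still carry their S* name. The function names audit_smf and audit_rc are hypothetical, the input is assumed to be in `svcs -H -o state,fmri` format, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the recipe's results.

# FMRIs the recipe disables with svcadm.
EXPECTED_OFF="svc:/network/nfs/status:default \
svc:/network/nfs/nlockmgr:default svc:/network/telnet:default \
svc:/network/nfs/client:default svc:/network/nfs/rquota:default \
svc:/network/ftp:default svc:/network/finger:default \
svc:/network/login:rlogin svc:/network/shell:default"

# Legacy rc scripts the recipe renames from S* to s*.
EXPECTED_RENAMED="S50apache S76snmpdx S77dmi S82initsma S90samba S47pppd S95IIim"

# stdin: "STATE FMRI" lines. Prints listed FMRIs whose state is not
# "disabled"; exit status 1 if any were found, 0 otherwise.
audit_smf() {
    awk -v want="$EXPECTED_OFF" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) off[w[i]] = 1 }
        ($2 in off) && $1 != "disabled" { print $1, $2; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# stdin: file names (ls output). Prints listed rc scripts that still
# have their S* name; exit status 1 if any were found, 0 otherwise.
audit_rc() {
    awk -v want="$EXPECTED_RENAMED" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) act[w[i]] = 1 }
        ($1 in act) { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample in `svcs -H -o state,fmri` format (not from a real host).
SAMPLE='disabled svc:/network/telnet:default
online svc:/network/ftp:default
online svc:/network/ssh:default
disabled svc:/network/finger:default'

if command -v svcs >/dev/null 2>&1; then
    # On a Solaris host: audit the live system.
    svcs -H -o state,fmri | audit_smf || echo "SMF services above are not disabled"
    ls /etc/rc2.d /etc/rc3.d 2>/dev/null | audit_rc || echo "rc scripts above still active"
else
    # Elsewhere: run against the constructed sample.
    printf '%s\n' "$SAMPLE" | audit_smf || echo "sample: services above are not disabled"
fi
```

Services that are not installed simply do not appear in the input and are not reported; ssh is ignored because the recipe leaves it running.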