hm, gssd : 3031: open("/dev/urandom", O_WRONLY) Err#13 EACCES [sys_devices]

I'd think that random data should be needed for gssd:)

Write only?

Yes you're not allowed to write seed data into the random device from zones

It is prohibited by policy

So one can't count to isolate securely PCI-Express graphics cart/other PCI-Express card via passthrough to KVM or Bhyve VM.. (Were before Xen availabel and some VirtualBox) Security wise.

Oh, I did not look on open mode:) seems like seeding, yep. should probably check the source, however, and *maybe* we should this activity from local zone.

should avoid*

might be krb5_c_random_seed()

though if it is, it shouldn't care if it fails

it looks like at some point way in the past it was using it's own prng prior to /dev/[u]random being a thing

jbk: correct.

tsoome: is it failing, or did you just notice that failure?

[illumos-gate] 16495 ptree -g should be more willing to use UTF-8 box characters -- Bill Sommerfeld <sommerfeld⊙ho>

(jbk: kerberos had to build a lot of its own infrastructure in the beginning - cprng, crypto libraries, etc.,)

it'd be nice to update the client bits, but i wonder with all the customizations that were done, how much of a pain that'd be

(krb client bits)

yeah, I was once very familiar with the MIT kerberos codebase and .. it is almost unrecognizeable in illumos-gate

i've not compared, just noticed things that strongly hinted at customization, so not sure how many of those things would still be needed..

jbk gssd? I just noticed the failure, it appears to function as expected

[illumos-gate] 15022 rpcsec_gss always calls global-zone GSSD for gss_accept_sec_context -- Matt Barden <mbarden⊙tc>

sommerfeld: (catching up) it's tricky, yeah. What I was hoping to get out of it is basically `git clean` of the specified patterns

which will leave controlled files alone, and also say what it cleaned up which a clobber didn't (though as you said, that will get noisy with certain changes, so informative, not an error)

definitely _not_ silently and magically deleting `lib*.so*`

richlowe: perhaps run a "git clean -n" with some sort of exception list and add a mail_msg entry if anything appears.

ssss

oops, sorry, ignore that

listening to snake jazz? :)

nah, alan doesn't think they should let me on planes

you are clearly a national security threat

I on the other hand just switched to the wrong window while having some keyboard input lag issues and sent key events to a window I didn't intend

heh..

people still use SNMP for monitoring stuff apparently

a lot, I guess...

just had a situation where I wish I still had the copy of the additional MIBs I had proposed way back in the day

but got shot down because they'd use kstats to obtain a number of pieces of info

'and that's a private interface!'

which sort of missed the point

(this was back in the opensolaris days where basically any sun employee could effectively veto any idea from the community)

so it got lost in the shuffle between desktops

some of the folks complaining about private interface use were no doubt scarred by contact with irate customers complaining about changes like the ones in xkcd.com/1172

:-)

I believe there was never a way to get a contract on an interface without being at Sun

which if your contact at sun didn't want to put the work in, basically killed you

[illumos-gate] 16454 want IP_MINTTL socket option -- Robert Mustacchi <rm⊙fo>

[illumos-gate] 15023 __rpc_gss_seccreate() doesn't set options_ret->major/minor_status on failure -- Matt Barden <mbarden⊙tc>