BSDstats v3.0 - The Security Rewrite
Marc G. Fournier
scrappy at freebsd.org
Sat Aug 19 00:36:45 UTC 2006
Thanks for your comments and suggestions ... I am currently in the middle
of a campground working on a laptop (missing my desktop dearly, since this
laptop is my wife's Windows box) ... when I get back online properly
beginning of Sept, I will work on the suggestions though ... thx ...
On Thu, 17 Aug 2006, Oliver Fromme wrote:
> Marc G. Fournier wrote:
> > Over the past few days, I've been working with Paul Schmehl and Matthew
> > Seaman to come up with a more "security sensitive" version of BSDstats ...
> > one that reduces the amount of "sensitive information" stored in the
> > database down to ... zero. No IPs, no hostnames ...
> > [...]
> > From now forward, the stats will be viewable from:
> > http://www.bsdstats.org
> That's very cool. I've installed it on some of my machines.
> Unfortunately, I haven't been able to use it on all of them,
> for reasons outlined below.
> I've got a few suggestions and ideas ...
> (1) When run for the first time, you get an error message:
> : not found
> That's because of a few bogus spaces after the backslash in
> the line containing the chmod command. Those trailing
> spaces should be removed. I suppose I don't need to send
> a PR for that. :-)
> (2) Some people aborted the initial "sleep 900" (because
> of the above-mentioned error message, or other reasons),
> then restarted the script. In this case there is no sleep,
> and the submission _seems_ to be successful (no negative
> feedback), but it isn't.
> One way to improve the situation would be to check the
> mtime on the /var/db/bsdstats file. If it's younger than
> 900 seconds, a sleep is required. For example, something
> like this piece of shell code (untested):
>     FILETIME=$( stat -f %m "$id_token_file" )
>     NOW=$( date +%s )
>     if [ $(( $NOW - 900 )) -le $FILETIME ]; then
>         SLEEPTIME=$(( 900 - ($NOW - $FILETIME) ))
>         echo "Token key is younger than 15 minutes!"
>         echo "Sleeping $SLEEPTIME seconds, please wait."
>         sleep $SLEEPTIME
>     fi
> (3) Some sites require the use of a proxy for HTTP access.
> Such sites usually have an entry in /etc/make.conf, so the
> ports can fetch their distfiles:
> FETCH_ENV= FTP_PROXY=http://proxy.my.site:3128 \
> The bsdstats script could easily pick up that entry and set
> the environment variables appropriately. This line at the
> beginning of the script should be sufficient:
> export $( make -V FETCH_ENV 2>/dev/null )
> (4) Some sites have a proxy that requires authentication.
> It is possible to include the password in the FETCH_ENV
> entry in /etc/make.conf, but it's usually not a good idea
> to do that, because you shouldn't write passwords to files
> that are world-readable.
> That problem could be solved in different ways. One way
> would be a periodic.conf setting that instructs the script
> not to try to submit the data, but instead just print a
> reminder to the admin that he should run the monthly script
> manually (or print that reminder automatically when the
> submission fails because the proxy denies access).
> When the admin runs the script manually (which could be
> detected by "test -t 0", i.e. stdin is a terminal), it
> could ask for the HTTP proxy password and then set the
> HTTP_PROXY_AUTH variable appropriately (see fetch(3)).
> (5) Some machines might not be able to access the web at
> all. For example, I'm right now working on a farm of 35
> machines which don't have internet access, not even via
> a proxy. I can connect to them via ssh/scp (port 22) from
> a management machine, and that management machine only has
> web access via a proxy.
> It would be nice to be able to request token keys on behalf
> of those 35 servers from the management machine, transfer
> them to the servers, run the data gathering script on the
> servers (putting it into a file instead of submitting it
> directly), copy the results to the management machine and
> finally submit them from there. That's pretty complicated,
> but I'm afraid I haven't gotten a better idea so far. :-(
> (6) All of the statistics on the web page are sorted by
> percentages. It would be nice to be able to click on a
> column header and have the table sorted by that value.
> That would be especially useful for the release statistics
> and the country statistics.
> (If the PHP sources and a database export were publicly
> available, I would have taken a shot at implementing it.)
> (7) In order to make the bsdstats project really useful,
> it is very important to have as many FreeBSD people as
> possible install it. Currently, only very few people will
> notice the port and bother to install it. Therefore I
> suggest to put bsdstats into the base system (it's only a
> small script after all, no bloat), and add a small switch
> to sysinstall which asks users whether they want to enable
> it, creating an appropriate periodic.conf entry for them, and
> maybe even automatically running it when booting the newly
> installed system for the first time.
> Maybe it should be proposed and discussed in the arch@
> mailing list.
> Best regards
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
> "File names are infinite in length, where infinity is set to 255 characters."
> -- Peter Collinson, "The Unix File System"
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy at hub.org MSN . scrappy at hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
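
Added example, not part of the original thread or of the bsdstats port: one way to implement suggestion (4) in shell, flagging proxy credentials stored in a world-readable make.conf-style file and asking for the password on a terminal instead. All function names and the reminder text are hypothetical; the HTTP_PROXY_AUTH value follows the basic:*:user:password form documented in fetch(3).

```sh
#!/bin/sh
# Added example; function names and the reminder text are hypothetical.

# Return 0 if a make.conf-style file carries proxy credentials:
# an HTTP_PROXY_AUTH setting, or user:password@ inside a proxy URL.
conf_has_proxy_secret() {
    grep -Eiq 'HTTP_PROXY_AUTH=|_PROXY=[a-z]+://[^/@[:space:]]+:[^/@[:space:]]+@' \
        "$1" 2>/dev/null
}

# Return 0 if the "other" read bit is set on the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Build the HTTP_PROXY_AUTH value in the form fetch(3) documents.
proxy_auth_value() {
    printf 'basic:*:%s:%s' "$1" "$2"
}

# Prompt only when stdin is a terminal ("test -t 0"); otherwise print a
# reminder and return 1 so the caller skips the submission.
prompt_proxy_auth() {
    if ! [ -t 0 ]; then
        echo "bsdstats: proxy requires a password; run the monthly script manually." >&2
        return 1
    fi
    printf 'Proxy user: ' >&2
    read -r _user
    printf 'Proxy password: ' >&2
    trap 'stty echo; exit 1' INT TERM   # never leave the terminal without echo
    stty -echo
    read -r _pass
    stty echo
    trap - INT TERM
    echo >&2
    HTTP_PROXY_AUTH=$(proxy_auth_value "$_user" "$_pass")
    export HTTP_PROXY_AUTH              # lives in this process environment only
    unset _user _pass
}
```

A caller would warn when both conf_has_proxy_secret and world_readable succeed for /etc/make.conf, and run prompt_proxy_auth before the submission step.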