From owner-doc-jp@jp.freebsd.org  Fri Sep 10 07:56:23 1999
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id HAA84405;
	Fri, 10 Sep 1999 07:56:23 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from mail.kt.rim.or.jp (root@mail.kt.rim.or.jp [202.247.130.53])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id HAA84400
	for <doc-jp@jp.freebsd.org>; Fri, 10 Sep 1999 07:56:23 +0900 (JST)
	(envelope-from kuriyama@sky.rim.or.jp)
Received: from rhea.sky.rim.or.jp (ppp535.kt.rim.or.jp [202.247.140.185])
	by mail.kt.rim.or.jp (8.8.8/3.6W-RIMNET-98-06-09) with ESMTP id HAA08127
	for <doc-jp@jp.freebsd.org>; Fri, 10 Sep 1999 07:56:20 +0900 (JST)
Received: from localhost.sky.rim.or.jp (localhost [127.0.0.1])
	by rhea.sky.rim.or.jp (8.9.3/3.7W/rhea-1.1) with ESMTP id HAA59897
	for <doc-jp@jp.freebsd.org>; Fri, 10 Sep 1999 07:56:15 +0900 (JST)
Date: Fri, 10 Sep 1999 07:56:13 +0900
Message-ID: <14296.15117.964541.68187Y@localhost.sky.rim.or.jp>
From: Jun Kuriyama <kuriyama@sky.rim.or.jp>
To: Japanese Documentation Project <doc-jp@jp.freebsd.org>
User-Agent: Wanderlust/1.0.3 (Notorious) SEMI/1.13.3 (Komaiko) FLIM/1.12.5 (Hirahata) MULE XEmacs/20.4 (Emerald) (i386--freebsd)
MIME-Version: 1.0 (generated by SEMI 1.13.3 - "Komaiko")
Content-Type: text/plain; charset=ISO-2022-JP
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 6623
Subject: [doc-jp 6623] <FAQ> admin.sgml
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: kuriyama@sky.rim.or.jp


This one might be a bit long.


Index: admin.sgml
===================================================================
RCS file: /home/ncvs/doc/FAQ/Attic/admin.sgml,v
retrieving revision 1.22
retrieving revision 1.29
diff -u -r1.22 -r1.29
--- admin.sgml	1999/05/08 16:03:10	1.22
+++ admin.sgml	1999/08/05 20:58:28	1.29
@@ -1,4 +1,4 @@
-<!-- $Id: admin.sgml,v 1.21 1999/03/20 12:40:32 jesusr Exp $ -->
+<!-- $Id: admin.sgml,v 1.28 1999/07/28 20:26:05 nik Exp $ -->
 <!-- The FreeBSD Documentation Project -->
 
   <sect>
@@ -10,7 +10,7 @@
       <p>From 2.0.5R to 2.2.1R, the primary configuration file is
       <tt>/etc/sysconfig</tt>. All the options are to be specified in
       this file and other files such as <htmlurl 
-      url="http://www.freebsd.org/cgi/man.cgi?rc" name="/etc/rc"> and
+      url="http://www.FreeBSD.org/cgi/man.cgi?rc" name="/etc/rc"> and
       <tt>/etc/netstart</tt> just include it.
 
       <p>Look in the <tt>/etc/sysconfig</tt> file and change the value to
@@ -19,16 +19,16 @@
 
       <p>In post-2.2.1 and 3.0, <tt>/etc/sysconfig</tt> was renamed
       to a more self-describing <htmlurl 
-      url="http://www.freebsd.org/cgi/man.cgi?rc.conf(5)" name="rc.conf">
+      url="http://www.FreeBSD.org/cgi/man.cgi?rc.conf(5)" name="rc.conf">
       file and the syntax cleaned up a bit in the process.
       <tt>/etc/netstart</tt> was also renamed to <tt>/etc/rc.network</tt>
       so that all files could be copied with a <tt><htmlurl 
-      url="http://www.freebsd.org/cgi/man.cgi?cp" name="cp"> /usr/src/etc/rc*
+      url="http://www.FreeBSD.org/cgi/man.cgi?cp" name="cp"> /usr/src/etc/rc*
       /etc</tt> command.
 
       <p><tt>/etc/rc.local</tt> is here as always and may be used to
       start up additional local services like <htmlurl
-      url="http://www.freebsd.org/cgi/ports.cgi?^inn" name="INN">
+      url="http://www.FreeBSD.org/cgi/ports.cgi?^inn" name="INN">
       or set custom options.
 
       <p>The <tt>/etc/rc.serial</tt> is for serial port initialization
@@ -66,22 +66,19 @@
     <sect1>
       <heading>How do I add a user easily?</heading>
 
-      <p>Use the <htmlurl url="http://www.freebsd.org/cgi/man.cgi?adduser"
-      name="adduser"> command.
+      <p>Use the <htmlurl url="http://www.FreeBSD.org/cgi/man.cgi?adduser"
+      name="adduser"> command. For more complicated usage, the
+      <htmlurl url="http://www.FreeBSD.org/cgi/man.cgi?pw" name="pw"> command.
 
-      <p>There is another package called ``<tt/new-account/'' also written
-      in Perl by Ollivier Robert. Ask <tt>&lt;roberto@FreeBSD.ORG&gt;</tt>
-      about it.  It is currently undergoing further development.
-
       <p>To remove the user again, use the <htmlurl
-      url="http://www.freebsd.org/cgi/man.cgi?rmuser" name="rmuser"> command.
+      url="http://www.FreeBSD.org/cgi/man.cgi?rmuser" name="rmuser"> command.
 
     <sect1>
       <heading>How can I add my new hard disk to my FreeBSD system?</heading>
 
       <p>See the Disk Formatting Tutorial at 
       <url url="../tutorials/diskformat/" 
-       name="www.freebsd.org">.
+       name="www.FreeBSD.org">.
 
     <sect1>
       <heading>I have a new removable drive, how do I use it?</heading>
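Review bot: the sentence added after the adduser link is a fragment: "For more complicated usage, the pw command." has no verb. Suggest "For more complicated usage, use the pw command." The removal of the new-account paragraph and the www.FreeBSD.org casing changes in this hunk are fine.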
@@ -106,7 +103,7 @@
       <p>if it's a floppy, or this:
 
       <verb>
-        mount -t msdos /dev/sd2s4 /zip
+        mount -t msdos /dev/da2s4 /zip
       </verb>
 
       <p>for a ZIP disk with the factory configuration.
@@ -114,7 +111,7 @@
       <p>For other disks, see how they're laid out using <tt/fdisk/ or
       <tt>/stand/sysinstall</tt>.
 
-      <p>The rest of the examples will be for a ZIP drive on sd2, the third
+      <p>The rest of the examples will be for a ZIP drive on da2, the third
       SCSI disk.
 
       <p>Unless it's a floppy, or a removable you plan on sharing with
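Review bot: the switch from sd2 to da2 in "The rest of the examples will be for a ZIP drive on da2, the third SCSI disk" is not explained, while this same file still documents 2.0.5R through 2.2.x (the /etc/sysconfig answer), where readers will see sd device names. Add a sentence here saying which releases use the da names and that older releases use sd in the same positions, so the examples that follow remain usable for both.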
@@ -122,14 +119,14 @@
       system on it. You'll get long filename support, at least a 2X
       improvement in performance, and a lot more stability. First, you
       need to redo the DOS-level partitions/filesystems. You can either
-      use <htmlurl url="http://www.freebsd.org/cgi/man.cgi?fdisk"
+      use <htmlurl url="http://www.FreeBSD.org/cgi/man.cgi?fdisk"
       name="fdisk"> or <tt>/stand/sysinstall</tt>, or for a small
       drive that you don't want to bother with multiple operating system
       support on, just blow away the whole FAT partition table (slices)
       and just use the BSD partitioning:
 
       <verb>
-        dd if=/dev/zero of=/dev/rsd2 count=2
+        dd if=/dev/zero of=/dev/rda2 count=2
         disklabel -Brw sd2 auto
       </verb>
 
@@ -142,22 +139,22 @@
       using the whole disk:
 
       <verb>
-        newfs /dev/rsd2c
+        newfs /dev/rda2c
       </verb>
 
       <p>and mount it:
 
       <verb>
-        mount /dev/sd2c /zip
+        mount /dev/da2c /zip
       </verb>
 
       <p>and it's probably a good idea to add a line like this to
-      <htmlurl url="http://www.freebsd.org/cgi/man.cgi?fstab"
+      <htmlurl url="http://www.FreeBSD.org/cgi/man.cgi?fstab"
       name="/etc/fstab"> so you can just type "mount /zip" in the
       future:
 
       <verb>
-        /dev/sd2c /zip ffs rw,noauto 0 0
+        /dev/da2c /zip ffs rw,noauto 0 0
       </verb>
 
     <sect1>
@@ -166,12 +163,12 @@
       <p>The secondary DOS partitions are found after ALL the primary
       partitions. For example, if you have an "E" partition as the
       second DOS partition on the second SCSI drive, you need to create
-      the special files for "slice 5" in /dev, then mount /dev/sd1s5:
+      the special files for "slice 5" in /dev, then mount /dev/da1s5:
 
       <verb>
         # cd /dev
         # ./MAKEDEV sd1s5
-        # mount -t msdos /dev/sd1s5 /dos/e
+        # mount -t msdos /dev/da1s5 /dos/e
       </verb>
 
     <sect1>
@@ -183,7 +180,7 @@
       of the disk partitioning for the operating system in question.
 
       <p><bf/ Linux/: 2.2 and later have support for <bf/ext2fs/ partitions.
-      See <htmlurl url="http://www.freebsd.org/cgi/man.cgi?mount_ext2fs"
+      See <htmlurl url="http://www.FreeBSD.org/cgi/man.cgi?mount_ext2fs"
       name="mount_ext2fs"> for more information.
 
       <p><bf/ NT/: A read-only NTFS driver exists for FreeBSD. For more 
@@ -223,7 +220,7 @@
       FAT partition, under, say, <tt>/mnt</tt>.
 
       <verb>
-        dd if=/dev/rsd0a of=/mnt/bootsect.bsd bs=512 count=1
+        dd if=/dev/rda0a of=/mnt/bootsect.bsd bs=512 count=1
       </verb>
 
       <p>Reboot into DOS or NT.  NTFS users copy the <tt/bootsect.bsd/
@@ -239,7 +236,7 @@
       <tt/boot.ini/ above, and restore the attributes:
 
       <verb>
-        attrib -r -s c:\boot.ini
+        attrib +s +r c:\boot.ini
       </verb>
 
       <p>If FreeBSD is booting from the MBR, restore it with the DOS
@@ -270,8 +267,8 @@
       ``<tt>loader=/boot/chain.b</tt>'' to the LILO entry.  
       For example:
       <verb>
-      other=/dev/sdb4
-	      table=/dev/sdb
+      other=/dev/dab4
+	      table=/dev/dab
 	      loader=/boot/chain.b
 	      label=FreeBSD
       </verb>
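Review bot: the sd-to-da replacement is wrong in this hunk. These lines are a LILO entry, i.e. Linux device names in the Linux boot loader's configuration ("other=/dev/sdb4", "table=/dev/sdb"), and Linux names the second SCSI disk sdb regardless of what FreeBSD calls it; "/dev/dab4" and "/dev/dab" do not exist on the Linux side. Revert these two lines to sdb4 and sdb. The mixed tab and space indentation in the block is pre-existing but could be normalised while here.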
@@ -281,11 +278,11 @@
       For example, if your FreeBSD SCSI disk is probed by BIOS as BIOS 
       disk 1, at the FreeBSD boot loader prompt you need to specify:
       <verb>
-      Boot: 1:sd(0,a)/kernel
+      Boot: 1:da(0,a)/kernel
       </verb>
 
       <p>On FreeBSD 2.2.5 and later, you can configure <htmlurl 
-      url="http://www.freebsd.org/cgi/man.cgi?boot(8)" name="boot(8)">
+      url="http://www.FreeBSD.org/cgi/man.cgi?boot(8)" name="boot(8)">
       to automatically do this for you at boot time.
 
       <p>The <htmlurl 
@@ -388,7 +385,7 @@
       this for example with
 
       <verb>
-        dd if=/dev/zero of=/dev/rsd0 count=15
+        dd if=/dev/zero of=/dev/rda0 count=15
       </verb>
 
       <p>Alternatively, the undocumented DOS ``feature''
@@ -505,11 +502,11 @@
 
       <p>Both the <tt>/usr/share/syscons/keymaps</tt> and the <tt/.kbd/
       extension are assumed by 
-      <htmlurl url="http://www.freebsd.org/cgi/man.cgi?kbdcontrol"
+      <htmlurl url="http://www.FreeBSD.org/cgi/man.cgi?kbdcontrol"
       name="kbdcontrol">.
 
       <p>This can be configured in <tt>/etc/sysconfig</tt> (or <htmlurl
-      url="http://www.freebsd.org/cgi/man.cgi?rc.conf(5)" name="rc.conf">).
+      url="http://www.FreeBSD.org/cgi/man.cgi?rc.conf(5)" name="rc.conf">).
       See the appropriate comments in this file.
 
       <p>In 2.0.5R and later, everything related to text fonts, keyboard
@@ -642,7 +639,7 @@
       <p>Tweaking <tt>/etc/sendmail.cf</tt> manually is considered
       something for purists.  Sendmail version 8 comes with a
       new approach of generating config files via some 
-      <htmlurl url="http://www.freebsd.org/cgi/man.cgi?m4"
+      <htmlurl url="http://www.FreeBSD.org/cgi/man.cgi?m4"
       name="m4"> preprocessing, where the actual hand-crafted configuration
       is on a higher abstraction level.  You should use the
       configuration files under
@@ -884,8 +881,8 @@
      <p>file is the file(s) to process.  The modification is done in-place,
      with the original file stored with a .bak extension.
 
-     <p>Alternatively you can use the <url url="/cgi/man.cgi?tr" 
-	name="tr(1)"> command:
+     <p>Alternatively you can use the <htmlurl
+     url="http://www.FreeBSD.org/cgi/man.cgi?tr" name="tr"> command:
 
 <verb>
 tr -d '\r' &lt; dos-text-file &gt; unix-file
@@ -898,7 +895,8 @@
    <sect1>
      <heading>How do I kill processes by name?</heading>
 
-     <p>Use <url url="/cgi/man.cgi?killall" name="killall(1)">.
+     <p>Use <htmlurl url="http://www.FreeBSD.org/cgi/man.cgi?killall"
+     name="killall">.
 
    <sect1>
      <heading>Why is su bugging me about not being in root's ACL?
@@ -958,6 +956,20 @@
     </enum>
 
    <sect1>
+     <heading>I can't create the snd0 device!</heading>
+
+     <p>The command to create the devices for the sound card is:
+<verb>
+     # cd /dev
+     # sh MAKEDEV snd0
+</verb>
+
+     <p>However, this does not make a device named <tt>/dev/snd0</tt>.
+     Instead, it creates devices named <tt>mixer0</tt>, <tt>sndstat0</tt>,
+     <tt>dsp0</tt>, and others.  Running the command is still necessary
+     to add sound devices, however.
+
+   <sect1>
      <heading>How do I re-read /etc/rc.conf and re-start /etc/rc without
      a reboot?</heading>
 
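Review bot: the closing sentence of the new snd0 answer repeats "however" from the sentence before it ("However, this does not make a device named /dev/snd0. ... Running the command is still necessary to add sound devices, however."); drop the second one. Also, this example uses "# sh MAKEDEV snd0" while the other MAKEDEV example in this file uses "# ./MAKEDEV sd1s5"; either works, but one consistent form would help readers.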
@@ -972,5 +984,73 @@
      # exit
 </verb>
      
-  </sect>
+    <sect1>
+      <heading>What is a sandbox?</heading>
+
+      <p>&quot;Sandbox&quot; is a security term.  It can mean two things:
+
+      <itemize>
+       <item>
+         <p>A process which is placed inside a set of virtual walls
+           that are designed to prevent someone who breaks into the
+           process from being able to break into the wider system.
+
+         <p>The process is said to be able to "play" inside the
+           walls.  That is, nothing the process does in regards to
+           executing code is supposed to be able to breech the walls
+           so you do not have to do a detailed audit of its code to
+           be able to say certain things about its security.
+
+         <p>The walls might be a userid, for example.  This is the
+           definition used in the security and named man pages.
+
+         <p>Take the 'ntalk' service, for example (see
+           /etc/inetd.conf).  This service used to run as userid
+           root.  Now it runs as userid tty.  The tty user is a
+           sandbox designed to make it more difficult for someone
+           who has successfully hacked into the system via ntalk from
+           being able to hack beyond that user id.
+       </item>
+ 
+       <item>
+         <p>A process which is placed inside a simulation of the
+           machine.  This is more hard-core.  Basically it means that
+           someone who is able to break into the process may believe
+           that he can break into the wider machine but is, in fact,
+           only breaking into a simulation of that machine and not
+           modifying any real data.
+
+         <p>The most common way to accomplish this is to build a
+           simulated environment in a subdirectory and then run the
+           processes in that directory chroot'd (i.e. "/" for that
+           process is this directory, not the real "/" of the
+           system).
+
+         <p>Another common use is to mount an underlying filesystem
+           read-only and then create a filesystem layer on top of it
+           that gives a process a seemingly writeable view into that
+           filesystem.  The process may believe it is able to write
+           to those files, but only the process sees the effects
+           &dash; other processes in the system do not, necessarily.
+           <p>An attempt is made to make this sort of sandbox so
+           transparent that the user (or hacker) does not realize
+           that he is sitting in it.
+       </item>
+      </itemize>
+
+      <p>UNIX implements two core sanboxes.  One is at the process
+        level, and one is at the userid level.
+
+      <p>Every UNIX process is completely firewalled off from every
+        other UNIX process.  One process can not modify the address space
+        of another.  This is unlike Windows where a process can easily
+        overwrite the address space of any other, leading to a crash.
+
+      <p>A UNIX process is owned by a patricular userid.  If the
+        userid is not the root user, it serves to firewall the process
+        off from processes owned by other users.  The userid is also
+        used to firewall off on-disk data.
+
+  </sect> 
+
 
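Review bot: three typos in the new sandbox section: "breech the walls" should be "breach the walls", "two core sanboxes" should be "two core sandboxes", and "patricular userid" should be "particular userid". The Windows comparison ("a process can easily overwrite the address space of any other, leading to a crash") also overstates the case: it describes Windows 3.x/9x, while NT gives each process its own protected address space, so qualify it or drop it. Finally, the "<p>An attempt is made to make this sort of sandbox so transparent" tag is indented as continuation text of the preceding paragraph; put it at the same indentation as the other "<p>" tags in that item so the structure is clear.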


$B$/$j$d$^(B // kuriyama@sky.rim.or.jp
        // kuriyama@FreeBSD.ORG
