Only an AuthGroup belonging to a Context Control Block that was
granted the FILE_READ_DATA permission is capable of reading
data from the file server.
Change-Id: I93a7d8e65a6bc87b44399a30da5c0dd7d4e07685
Reviewed-on: http://gerrit.openafs.org/6398
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Peter Scott <pscott@kerneldrivers.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
If AFSRequestExtentsAsync() fails to obtain requested extents
due to STATUS_ACCESS_DENIED using the AuthGroup associated with
the Context Control Block, try to find an alternate AuthGroup
to use to perform the extent request. We have already told
Windows what permissions the application has when the file was
opened. Windows will perform its own validation checks prior
to permitting the data to be accessed or altered.
Change-Id: I430657e8c8e30c9f636a5ec81065af4122c926d7
Reviewed-on: http://gerrit.openafs.org/6397
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
The afs redirector current tracks the most recent extent error
in the File Control Block. Prior to this patchset the error
was returned to the requesting thread when the process Id matched
the most recent Process to issue a request. This approach resulted
in a couple of problems.
1. There are multiple threads that can issue an extent request
on the same file at the same time representing different processes.
Resetting the process Id with each new request could clear the
error prior to its receipt.
2. The failure may be due to inappropriate permissions. Permissions
are not associated with proceses but with Authentication Groups.
This patchset makes several changes:
1. It enables the afsd_service to track the active authgroup as
part of the cm_user_t structure and associates that object with
the BIOD object to ensure that the active authgroup can be
reported to the afs redirector.
2. It modifies the AFSExtentFailureCB structure to include the
AuthGroup GUID.
3. It tracks the AuthGroup GUID associated with the extent
failure in the non-paged file control block.
4. It converts all tests on Process Id to use AuthGroup instead.
5. It alters the behavior of error delivery such that reported
error is only cleared after it has been reported once to a
thread using the matching AuthGroup.
These changes make the situation better but not perfect as error
states can still be lost. However, it avoids the case most often
seen in production where two processes (a end user process and an
anti-malware process) are fighting over a file and the anti-malware
process has no permission to access the file under its own credentials.
Change-Id: Ia5c3877b8d46de695c86884c4166dc812885a72c
Reviewed-on: http://gerrit.openafs.org/6396
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Peter Scott <pscott@kerneldrivers.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
When a data extent is released by the afs redirector or the
afsd_service performs an extent claw back during a cleanup
operation, perform an explicit permission check before attempting
to store dirty buffers to the file server. Instead of waiting
for the file server to fail the request, fail it immediately.
The permission check is performed using the currently active
authentication group.
Change-Id: I533f06ec10b8a6f4dbe5e18b1205b20881b5559a
Reviewed-on: http://gerrit.openafs.org/6395
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Only demand that extents be returned by the afs redirector
if this cleanup is the last open handle or the redirector has
requested that the file be flushed to the file server.
Change-Id: I03ddcd153d2ded5fc805148a192234742d20b29e
Reviewed-on: http://gerrit.openafs.org/6394
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
If the current DV is BAD_VERSION and the new DV is 0, do not send
an invalidation to the redirector. It only results in wasteful work.
If the current DV is BAD_VERSION the object either:
1. was never previously known
2. was recently flushed
3. the cm_scache_t was recycled
In all cases, the redirector does not have knowledge of the object
since either it didn't exist or a previous invalidation was sent.
Change-Id: I7e0cf41bae64660e4e1ec342bafcf3ef8a693d56
Reviewed-on: http://gerrit.openafs.org/6392
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
The afs redirector defines the macro AFS_ONE_SECOND to indicate
the number of 100ns units necessary to indicate one second of time.
Use that definition when defining other time values. Also define
AFS_ONE_MILLISECOND and AFS_ONE_MICROSECOND.
Change-Id: Ie2a173b4037af61e9a1c5aa06129520c36d714bb
Reviewed-on: http://gerrit.openafs.org/6391
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Peter Scott <pscott@kerneldrivers.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
afsconfig.h can define various preprocessor symbols that can affect
how system headers behave. For example, the presence of the
_POSIX_PTHREAD_SEMANTICS symbol changes the number of arguments to
getpwnam_r on at least Solaris 8. So, we must include afsconfig.h
before including anything else, to ensure consistency.
Change-Id: I84bc73b3fada5dbc68cd355c24f2f746f2e982b3
Reviewed-on: http://gerrit.openafs.org/6387
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
The VolumeLock must be held before the Fcb->NPFcb->Resource.
Obtain the VolumeLock in AFSSetFileInformation only in the
rename case instead of obtaining the VolumeLockin AFSSetRenameInformation.
Change-Id: I84f086e3a8f7d08630266c9e409e1e22c1f92742
Reviewed-on: http://gerrit.openafs.org/6377
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
If the original file did not terminate with a newline,
add one before appending the "AFS" entry.
FIXES 130210
Change-Id: I35f96120904d09679d62ea4fb65f29648c4abfa5
Reviewed-on: http://gerrit.openafs.org/6375
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tracking the AuthGroup in the File Control Block proved to be
insufficient to ensure that dirty extents can be stored back
to the file server when an anti-virus service opens a file
in authgroup without 'write' permission immediate after the
application performing a WriteFile() opens it. In this situation
the Fcb ends up with the AuthGroup set to the anti-virus value
and not the one that belongs to the writing application.
Tracking the AuthGroup by Ccb provides the ability to select
an AuthGroup from the list of open handles instead of tracking
the most recent one.
Change-Id: I851ea646feb531d7c765e1cf789a4ba541e4a150
Reviewed-on: http://gerrit.openafs.org/6333
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
When processing AFS_INVALIDATE_REMOVED, tear down all extents
since they are no longer necessary and return them to the service
for recycling.
Change-Id: Iec6c0d2c68db16dbf3bd04c51536e13d45f0c1b8
Reviewed-on: http://gerrit.openafs.org/6365
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
When processing AFS_INVALIDATE_FLUSHED, notify any listeners
that the file size has changed to force a complete refresh.
Change-Id: Ie5f0076ea786357ae77ef6a76f162c776d555953
Reviewed-on: http://gerrit.openafs.org/6364
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
The AFS redirector was intentionally forgetting the data version
number for AFS_INVALIDATE_DATA_VERSION events. The point of that
event is to ensure that clean data be purged if the data version
in fact changed. Checking the data version for change cannot be
performed if the data version is reset to -1.
Only when AFS_INVALIDATE_FLUSHED is processed should the data
version be reset to ensure that all of the data is purged.
Change-Id: I430afc4889c55c49ef24904a987b08042994cfea
Reviewed-on: http://gerrit.openafs.org/6363
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Fix a typo in the log message and change its priority from
error to verbose
Change-Id: I807d7d6d9118b0fa6af3de638bb9fa2c0d90cbcb
Reviewed-on: http://gerrit.openafs.org/6361
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
If an error has been set on a file, return that error to the
System process for any outstanding extent requests.
Change-Id: I8f7244f19cc0e3f96a1599ce011251ade0afe3f4
Reviewed-on: http://gerrit.openafs.org/6360
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
If opening a volume root fails, log the authgroup and volume
to make it easier to debug the error.
Change-Id: I0c9ffc58ffaf7582a1b22043de2b5d096530de5b
Reviewed-on: http://gerrit.openafs.org/6352
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Must save the fid/type fields of the cm_scache_t object before
recycling in order to invalidate the contents in the redirector.
Change-Id: I7914faaa80082033044980deb471eaffbddf3cfc
Reviewed-on: http://gerrit.openafs.org/6359
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
If the buffer is not in the queue, do nothing.
Change-Id: Icdb95775bcc6d010ca1926ce4384d9edcd8f1cd3
Reviewed-on: http://gerrit.openafs.org/6351
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Use the FID conversion function in RDR_SetFileStatus().
The FID structures are not the same in afsd_service and the
afsredirlib.sys driver.
Change-Id: I6360f39c8b90c46d468a06c08f0911f55f9142fb
Reviewed-on: http://gerrit.openafs.org/6350
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
If a directory is enumerated with an AuthGroup that has no
permissions, do not treat the enumeration as successful.
Change-Id: I6a543a1b19b9d2e68ee2c99f67398ed94ad52896
Reviewed-on: http://gerrit.openafs.org/6344
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Do not specify the Service Name property. According to feedback
on openafs-info the Service Name blocks the rule from working properly.
If the rule already exists, attempt to remove the Service Name filter
and update NAT Edge Traversal and Permitted interface rules.
Change-Id: I1ab1a0c57f9271b68f91b08e530483a1fa40a165
Reviewed-on: http://gerrit.openafs.org/6332
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Patchset a08c320725 broke the suse
and windows builds by relying on C99 language syntax. Fix it.
Change-Id: I8220e0504048d2caff00deb08e3bf53599e596b7
Reviewed-on: http://gerrit.openafs.org/6337
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
afs_Analyze sets VHardMount on a volume struct when a hard-mount
scenario is encountered, and clears it after sleeping. However, if the
volume struct has VRecheck set, or if it's not in memory, afs_Analyze
cannot retrieve the volume struct in order to clear VHardMount again.
For the VRecheck case, this can results in VHardMount never getting
cleared, and so hard-mount messages for the volume seem to disappear.
So, clear VHardMount when we set VRecheck so this does not occur.
For the case where the volume struct is not in memory, this is not a
problem, since when we allocate a volume struct again, the VHardMount
state will not be retained.
Change-Id: I607741241e330391b8c857b2a72f0e0cfc0b91cc
Reviewed-on: http://gerrit.openafs.org/6335
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
A GetSomeSpace_r call indicates we don't have enough callbacks
configured. For many people, this can happen without the administrator
realizing anything is wrong, since we never give any indication that
something is amiss, unless the administrator checks the xstat
statistics.
Since this can indicate a serious performance problem, yell in the log
when this happens. Only do it once, so we don't spam the log.
Change-Id: I5c881a3c127c20b4f086d59bf3768864307efe92
Reviewed-on: http://gerrit.openafs.org/6334
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Tested-by: Derrick Brashear <shadow@dementix.org>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
This reverts commit 642153cae6
cs_CZ localization cannot be committed to the repository until:
1. Resource DLLs for all components are built in the tree.
2. All built components have been successfully tested so that OpenAFS is not shipping code that caused executable components to crash in the cs_CZ locale.
Change-Id: Id287d150a4c63afdc3f4105d26c9faf211da5395
Reviewed-on: http://gerrit.openafs.org/6339
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
After a bnode is stopped because of two many consecutive exits
delay for some time and attempt to start the bnode again. Countine
to retry on each error stop, doubling the delay for each retry
attempt until a maxium number of attempts.
Change-Id: Ib6a4935d09c70c69de87f65717562bd3dcde761b
Reviewed-on: http://gerrit.openafs.org/5534
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
On unix, save all the bosserver command-line options and reuse
them on bosserver restarts. On Windows, the SCM integrator saves
the argument list, just use them.
Change-Id: Ib54d1b0c9430946cce666d09f5ed923016d5ac8b
Reviewed-on: http://gerrit.openafs.org/5532
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Tested-by: Derrick Brashear <shadow@dementix.org>
When we ReClone in the volserver, do not reset the clone's copyDate to
the current time. If we retain the copyDate between ReClone
operations, then we can know when the clone was first created (and
thus makes local RO clones more consistent with remote RO sites).
Change-Id: Ic76862c1a03ee3cafaf199f414fabc90e3b058d2
Reviewed-on: http://gerrit.openafs.org/3892
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
It appears that we don't actually need an interface to set the name
of an arbitrary thread (which Mac OS can't do), so remove the
afs_pthread_setname() interface and promote afs_pthread_setname_self()
to the status of primary.
Change-Id: I2d915d8165dac9ccfe0cb99630db657cb1473389
Reviewed-on: http://gerrit.openafs.org/5121
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
StringCchXXX functions take the number of characters not
the number of bytes. Use StringCbXXXX functions whenever the
buffer size is being specified.
Check return codes from StringXXXXXX functions and return errors
instead of blindly continuing with a truncated string.
Allocate a larger buffer for substitution strings since they
need to handle the device path plus the target path.
FIXES 130392
Change-Id: I62ca980d145d6fef8cf771c26cd634ce1dd55b91
Reviewed-on: http://gerrit.openafs.org/6248
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
!!! is !. just write it that way.
Change-Id: I8e788177280c4a1d78cedaffd144a5c4ecba28f2
Reviewed-on: http://gerrit.openafs.org/6252
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
volscan program to print vnode meta-data in a grep/awk/perl friendly
format. Optionally, find the paths of each vnode relative to the volume
root. Access control list data can be reported, and are listed as one
access entry per line. Mount point information can be shown to which
volumes are mounted from given volumes.
The path lookup code originally written by Tom Keiser.
Change-Id: I743e1a33d9e6076e4f1b1b2cc462960a94e3763b
Reviewed-on: http://gerrit.openafs.org/5102
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Tested-by: Derrick Brashear <shadow@dementix.org>
When we mark a server up or down also log the error code that says
why we did so, for help in debugging connection issues.
Change-Id: I1a14434607499c9932e23724b8e403442dc400c7
Reviewed-on: http://gerrit.openafs.org/6116
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Tested-by: Derrick Brashear <shadow@dementix.org>
Implement the -checkout option using the FSSYNC communication
channel with the fileserver.
Change-Id: I119fab0c238fd37eb85c9810626ee91210b2efb6
Reviewed-on: http://gerrit.openafs.org/5101
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Resource conversion for the cs_CZ locale. Does not include
installer updates.
Change-Id: Ifac0d7d9818dc662e584bc74701133cada9fbf33
Reviewed-on: http://gerrit.openafs.org/6227
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
we need to rework this to use lack of soft acks instead of this
method, which is too fragile
Change-Id: Iedcd1e57e2c6a6c15ce3c040a9a9e6ae7d78bb36
Reviewed-on: http://gerrit.openafs.org/6256
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Tested-by: Derrick Brashear <shadow@dementix.org>
instead of doing it for potentially every unauth user, just do it for
root.
Change-Id: I39ef22578eb07c339b096b25753a1775c9917e0b
Reviewed-on: http://gerrit.openafs.org/6255
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
Tested-by: Derrick Brashear <shadow@dementix.org>
The SID string of the RPC used to set the token sessionKey
was being leaked. Be sure to free it when it is no longer
required.
Change-Id: I28261643680d608d5c8805e095650a751193ab6d
Reviewed-on: http://gerrit.openafs.org/6244
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
The power mgmt events are received in the service. The service
can block all requests from the redirector from being processed
until it knows that it is safe to process them.
The service will receive a SERVICE_CONTROL_APMSUSPEND just before
the system goes to sleep. The service has two seconds to respond
and it uses that time to attempt to send RXAFS_GiveUpAllCallBacks
to all file servers as an rx_multi with no wait. It also marks
all servers down and updates the callback expirations to be just
after the servers were marked down so that they will be forced to
be refreshed when the server is marked up.
Upon resume the service receives two events. First,
SERVICE_CONTROL_APMRESUMEAUTOMATIC which is used to perform an
SMB lan adapter change detection and perform a probe of all down
servers. The second, SERVICE_CONTROL_APMRESUMESUSPEND is used to
resume SMB listeners, perform a 2nd lan adapter change check (just
in case), check the status of all down servers in additional
networks have come up, and finally resume processing of redirector
requests.
With these changes no special logic in the redirector is required.
Change-Id: I5405ecab754dca04f34afb024c4dacc3fe089088
Reviewed-on: http://gerrit.openafs.org/6243
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
This message is useless, annoying, and is the UI equivalent of littering... but
it does explain why your backup command is just sitting there.
Change-Id: Ied49d0bf9f81b0e10804133c6f05814321d80438
Reviewed-on: http://gerrit.openafs.org/6223
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
The AFS Redirector requests file data extents from the afsd_service.exe. If
it does not receive the requested extent within 10 seconds it issues another
request for that extent. Extent processing in the afsd_service is handled
by background daemons that process tasks serially from a work queue. When
the load on the system is large enough that satisfying the work queue takes
longer than 10 seconds, the redirector would retry the request. This would
increase the length of the work queue and increase lock contention.
Increasing the timeout period for extent retries to two minutes
significantly reduces the number of retry attempts while maintaining
protection against a lost extent request. Two minutes is selected because
that is the rx hard dead call timeout.
Change-Id: I8169fbdc2d3456f151359ffe9eaa8eeccb2ceaf1
Reviewed-on: http://gerrit.openafs.org/6237
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Include the World (Everyone) SID as the owner and group for
all files in AFS.
FIXES 130343
Change-Id: I01d697d7a6dea8e0bea67b81c14597c197b4241d
Reviewed-on: http://gerrit.openafs.org/6236
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
If the connection is no longer in use, reset the nat keep alive
timer to 0 seconds.
Change-Id: I72b69979fb8b15ab5afaa654b317edc254253b4b
Reviewed-on: http://gerrit.openafs.org/6230
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
