# file: recovery.conf
restore_command = ‘lzma -d -c /mnt/backup/postgresql/wal/%f | pg_decompresslog – %p’

all tests run 3-4 times:

Small EC2 EBS added 16GB volume $50-80/month
# dd bs=1M count=256 if=/dev/zero of=test oflag=dsync
256+0 records in
256+0 records out
268435456 bytes (268 MB) copied, 11.5874 s, 23.2 MB/s

Small EC2 Root FS EBS
# dd bs=1M count=256 if=/dev/zero of=test oflag=dsync
256+0 records in
256+0 records out
268435456 bytes (268 MB) copied, 32.8698 s, 8.2 MB/s

Linode 1.5GB $54-60/month
# dd bs=1M count=256 if=/dev/zero of=test oflag=dsync
256+0 records in
256+0 records out
268435456 bytes (268 MB) copied, 2.25564 s, 119 MB/s

Tilaa.nl 1GB $30/month
# dd bs=1M count=256 if=/dev/zero of=swapfile oflag=dsync
256+0 records in
256+0 records out
268435456 bytes (268 MB) copied, 4.66885 s, 57.5 MB/s

see dd benchmark information

Ec2 vs Linode vs Tilaa

rails311.tar.bz2 1.4M Nov 15 08:04

The package contants multiple gems rdoc: railties-3.1.1 rails-3.1.1 actionmailer-3.1.1 activemodel-3.1.1 activeresource-3.1.1 actionpack-3.1.1 activerecord-3.1.1 activesupport-3.1.1 sass-3.1.10 coffee-rails-3.1.1 coffee-script-2.2.0

You can browse online if you wish so : /rails311/index.html

Generated by sdoc

I was experimenting with google places and I found it to be quite awesome.

In this app you can search for a geocode address or establishments, move the marker and get the the GPS coordinates, and also get the gps coordinates out the search results.

it’s also possible to restrain the autocomplete results by limiting it to bounds:

autocomplete.setBounds(defaultBounds);

here is the demo app: http://electric-sunrise-8410.heroku.com/
source: https://github.com/fred/google_places_autocomplete

There are many perl packages required by MWForum, Im not totally sure if all of them are required, but here is the list of packages that will get MWForum fully working with Image Uploading, Image resizing, attaching image, Avatar, text quote and email support.

Install required debian packages with aptitude:

# aptitude install libgd-gd2-perl libgd2-xpm imagemagick libimage-base-bundle-perl libimage-magick-perl libimage-info-perl libimage-exif-perl libimage-base-perl libimage-imlib2-perl libimage-size-perl libgeo-ip-perl libgeo-ipfree-perl libemail-mime-perl libmail-sendmail-perl libmail-rfc822-address-perl libmail-sender-perl libmail-perl libnet-cidr-lite-perl libtext-reform-perl libtext-quoted-perl mysql-server libdbd-mysql-perl libdbi-perl libcompress-zlib-perl libwww-perl liburi-perl libxml-perl libxml-regexp-perl libxml-sax-expat-perl libxml-sax-perl libxml-xslt-perl perl-modules perlmagick libtext-iconv-perl libsocket6-perl  libtimedate-perl libnet-daemon-perl libmailtools-perl libhtml-clean-perl libhtml-format-perl libhtml-parser-perl libhtml-tree-perl libcflow-perl libdata-flow-perl apache2-mpm-prefork libapache2-mod-perl2 libapache2-mod-apreq2 libapreq2 libapache2-request-perl -V

Now check latest version for download from http://www.mwforum.org/forum/topic_show.pl?tid=4222
In this setup I will put mwforum in /var/www/mwforum/htdocs/ (gentoo style folder)

Download MWforum and extract

# mkdir -p /var/www/mwforum/
# cd /var/www/mwforum/
# wget http://www.mwforum.org/dl/stable/mwforum-2.24.1.tar.gz
# tar xpf mwforum-2.24.1.tar.gz
# mkdir htdocs
# cp -a mwforum-2.24.1/script/* htdocs/
# cp -a mwforum-2.24.1/data/* htdocs/

Setup Configuration files

# cd ./htdocs
# mv MwfConfigGlobalDefault.pm MwfConfigGlobal.pm
# mv MwfConfigDefault.pm MwfConfig.pm

Edit config file with your mysql username/password, site name and url.

# vi MwfConfig.pm

Inside Mysql shell create database and username/password for mwforum:

mysql> CREATE DATABASE mwforum CHARSET=utf8;
Query OK, 1 row affected (0.30 sec)

mysql> GRANT ALL ON mwforum.* TO mwforum@localhost IDENTIFIED BY 'sk8hg4I2mxW';
Query OK, 0 rows affected (0.60 sec)

mysql> flush privileges;

Install MWForum database:

# perl install.pl

Activate Apache modules:

# a2enmod perl
# a2enmod apreq
# a2enmod headers

Add the apache Virtualhost config file:

# vi /etc/apache2/sites-availables/mwforum

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

<VirtualHost *:80>
    ServerName myforum.com
    ServerAlias www.myforum.com
    ServerAdmin webmaster@myforum.com
    DocumentRoot /var/www/mwforum/htdocs
    DirectoryIndex forum_show.pl
    #XSendFile on
    #XSendFileAllowAbove on
    ScriptAlias /cgi-bin/ "/var/www/mwforum/htdocs/"
    <Directory "/var/www/mwforum/htdocs">
        Options +ExecCGI FollowSymLinks -Indexes
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    RewriteEngine On
    # Uncomment to force redirect to https, but you need to create https vhost
    # RewriteCond %{HTTPS} off
    # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

Add PerlSwitches:

# vi /etc/apache2/conf.d/mwforum

1
2
3
4
5
6
7
8
9
10
11
12
13
14

PerlSwitches -I/var/www/mwforum/htdocs
<Directory /var/www/mwforum/htdocs/>
    DirectoryIndex forum.pl
    Options -Indexes
    <Files "*.pl">
        Options +ExecCGI
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions -SetupEnv -ParseHeaders
    </Files>
    <Files "*.pm">
        Deny from all
    </Files>
</Directory>

Now activate mwforum and check for configurations

# a2ensite mwforum
# apache2ctl configtest
Syntax OK

If syntax OK, then restart

# /etc/init.d/apache2 restart

Security and Cleanup:

# rm install.pl upgrade.pl
# cat ./mwforum-2.24.1/example/script.htaccess >> htdocs/.htacess
# cat ./mwforum-2.24.1/example/attach.htaccess >> htdocs/.htacess

Definition
Homebrew: The missing package manager for OS X

Why? well, the reality is, macports is not that good anymore.
Once you have many packages installed and start updating, everything start to break apart, lot’s of failing packages.

Homebrew is very easy to install, it’s fast and simple. That means you can make your own homebrew formula for your package so easily. oh, and homebrew is in ruby! :)

Back to topic, this is you how you get rails with mysql up and running with homebrew and rvm.

Clean up

To make sure to have a clean install, I recommend removing any previous .rvm installation and previous Xcode.

$ rm -rf ~/.rvm/
$ sudo rm -rf /Developer

1. Xcode

Install Xcode from AppStore. it’s 1+ GB download so it may take a while.
after it’s downloaded it will not install automatically, you need to open Applications and install again from there, the name will be “Install Xcode”.
You also need to install Command Line Tools for Xcode.

Better way is to go to https://developer.apple.com/downloads/index.action and download from there, you will have to login with a free apple developer account.
Download the 2 minimum require files

- Xcode 4.3.1 for Lion (1.85 GB)
- Command Line Tools for Xcode (171.70 MB)

Update: If you don’t want to download and install huge XCODE (3.0GB) :
https://github.com/kennethreitz/osx-gcc-installer
It allows you to install the essential compilers, GCC, LLVM, etc.
PS: I have not tested it
Thanks JP for the tip.

2. Install HomeBrew

UPDATE: in the comments some people recommended to do create the folder “/usr/local/Cellar” before hand, due to some bug on homebrew.

mkdir -p /usr/local/Cellar

$ /usr/bin/ruby -e "$(/usr/bin/curl -fsSL https://raw.github.com/mxcl/homebrew/master/Library/Contributions/install_homebrew.rb)"

Installation instructions: https://github.com/mxcl/homebrew/wiki/installation

3. install RVM

$  bash -s master < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)

Above im using the master branch, so that it works with xcode 4.3.1

Then after RVM is installed run these two 'one-line' commands, the second command will reload your bash with RVM.

$ echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm" # Load RVM function' >> ~/.bash_profile
$ source ~/.bash_profile

Details instructions: http://beginrescueend.com/rvm/install/

Note: you may have to add "--with-gcc=clang" to rvm for installing ruby 1.9.2 if you have Xcode 4.3+
Read this: http://stackoverflow.com/a/9651747/1107516

4. Install ruby 1.9.3-p125

OS X Lion comes with Ruby-1.8.7-p249, but we all want ruby 1.9.2/1.9.3 right?
RVM head and Ruby 1.9.3-p125 supports XCODE 4.3.1 http://www.ruby-lang.org/en/news/2012/02/16/ruby-1-9-3-p125-is-released/

$ rvm install 1.9.3-p125
$ rvm use ruby-1.9.3-p125
$ gem install rails bundler unicorn pg
... and so on ...

I tested both ruby-1.9.3-head and ruby-1.9.3-p0, and 1.9.3-p125, and it works well with all my apps. Ruby 1.9.3 is faster than 1.9.2 booting rails, and way way faster than 1.8.7. So let's use the lastest Stable Ruby (1.9.3-p0)

See: Rails booting a lot faster.

NOTE: For Heroku I recommend you to use ruby-1.9.2-p290, if you use taps ("heroku db:pull/push")

Optionally you might want to install GIT, wget, ack, imagemagick and any other mighty software tools for daily use.

Example apps I'm usually required to install:

# brew install git ack wget curl redis memcached libmemcached colordiff imagemagick nginx sqlite libxml2 libxslt readline v8 rsync sphinx lzma geoip lzo

5. Install Mysql

$ brew install mysql

one-line command:

$ mysql_install_db --verbose --user=`whoami` --basedir="$(brew --prefix mysql)" --datadir=/usr/local/var/mysql --tmpdir=/tmp

Once mysql is installed you might want it to load automatically each time you start your mac.

$ mkdir -p ~/Library/LaunchAgents
$ cp /usr/local/Cellar/mysql/5.5.14/com.mysql.mysqld.plist ~/Library/LaunchAgents/
$ launchctl load -w ~/Library/LaunchAgents/com.mysql.mysqld.plist

*check that the version I use here is 5.5.14

6. Troubleshooting:

if you have problems with mysql "cannot connect to /tmp/mysql.sock"
then create a file /usr/local/etc/my.cnf and add this:

[client]
port = 3306
socket = /tmp/mysql.sock
[mysqld]
bind-address = 127.0.0.1
port = 3306
socket = /tmp/mysql.sock

if encounter errors with homebrew run this command and follow recommendations:

$ brew doctor

update: If you end up with Segmentation fault or cannot install Ruby-1.8.7, you might want to try this solution:

$ export CC=/usr/bin/gcc-4.2
$ rvm install ruby-1.8.7

Important, also read this if you have Xcode 4.3.1+

http://stackoverflow.com/questions/9651670/issue-updating-ruby-on-mac-with-xcode-4-3-1

by the way this is my /usr/local/etc/my.cnf optimized file, when using this file you may have to recreate your db

$ mysql_install_db --verbose --user=`whoami` --basedir="$(brew --prefix mysql)" --datadir=/usr/local/var/mysql --tmpdir=/tmp

[client]
port = 3306
socket = /tmp/mysql.sock 

[mysqld]
event_scheduler = ON
skip-character-set-client-handshake
collation_server = utf8_unicode_ci
character_set_server = utf8 

bind-address = 127.0.0.1
port = 3306
socket = /tmp/mysql.sock
max_connections = 20

table_open_cache = 256
max_allowed_packet = 32M
binlog_cache_size = 1M
max_heap_table_size = 64M 

read_buffer_size = 2M
read_rnd_buffer_size = 2M
sort_buffer_size = 4M
join_buffer_size = 512k

thread_cache_size = 2
thread_concurrency = 2
query_cache_size = 16M
query_cache_limit = 2M 

default-storage-engine = INNODB
thread_stack = 192K
transaction_isolation = REPEATABLE-READ
tmp_table_size = 64M 

# MyISAM Options 

key_buffer_size = 32M
bulk_insert_buffer_size = 32M
myisam_sort_buffer_size = 32M
myisam_max_sort_file_size = 256M
myisam_repair_threads = 1
myisam_recover 

# INNODB Options
innodb_additional_mem_pool_size = 8M
innodb_buffer_pool_size = 64M
innodb_thread_concurrency = 2
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 8M
innodb_log_file_size = 8M
innodb_log_files_in_group = 3
innodb_max_dirty_pages_pct = 90
innodb_flush_method = O_DIRECT
innodb_lock_wait_timeout = 120
innodb_file_per_table

[mysqldump]
quick
max_allowed_packet = 16M 

[mysql]
no-auto-rehash 

[myisamchk]
key_buffer_size = 64M
sort_buffer_size = 64M
read_buffer = 16M
write_buffer = 16M

[mysqlhotcopy]
interactive-timeout 

UPDATED (Mar 14, 2012):
* Fixed homebrew install URL
* changed from "#" to "$" to avoid confusion of running commands as root

EDITED (Feb 10, 2012):
* updated for new RVM
* source .bash_profile after editing it.
* decreased memory settings for mysql
* using ruby-1.9.3-p0
* fixed minor bugs

1. Disable Password Login

edit /etc/ssh/sshd_config and set the following

PasswordAuthentication no

now you can only login via ssh keys.
generate your local keys using ssh-keygen -t rsa
then put your id_rsa.pub in the user account on the server
i.e. /root/.ssh/authorized_keys

2. Random Passwords

Set all user passwords to large pseudo-random strings.
i.e. I set all users on all servers with different passwords looking like this:
Z4Q7H6pI53Xtsbgs8qKC
20 random alpha-numeric characters (a-z, A-Z, 0-9)

see here for more passwords https://www.grc.com/passwords.htm
you can test the password with the brute force search space calculator with https://www.grc.com/haystack.htm

3. Login alerts by email

Everytime a user has logged in the system, you should get an email alert.
For that I do put login_alert.sh and appended it to the end of /etc/profile

At the end of the file /etc/profile add this line:

sh /etc/login_alert.sh

then create a file /etc/login_alert.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

#!/bin/sh
SERVER_NAME=`hostname -f`
SEND_TO="myemail@gmail.com"
LOGIN_WHO=`who -m | cut -d"(" -f2 | cut -d")" -f1 | tr -d \r`
 
echo "
Shell Login Access to ${SERVER_NAME}
From: ${LOGIN_WHO}
Date: `date`
 
Active Users:
 `who`
 
Uptime: 
 `uptime`
 
" | mail -s "Alert: SSH Login to ${SERVER_NAME} from ${LOGIN_WHO}" $SEND_TO

so you will get an email like this every time someone login to the server.

Subject: Alert: Shell Login to 'hostname' from ppp-122-122-122-122.evip2.xxxxxx.xx.xx

Shell Login Access to mail9.hostname.net
From: ppp-122-122-122-122.evip2.xxxxxx.xx.xx
Date: Fri Jul 29 18:23:19 UTC 2011

Active Users:
 root     pts/0        2011-07-29 17:57 (ppp-122-122-122-122.evip2.xxxxxx.xx.xx)

Uptime:
  18:23:19 up 189 days,  2:38,  1 user,  load average: 0.05, 0.08, 0.07

4. System Updates

Always keep updated. I run “aptitude full-upgrade” everyday on all debian machines.
also goes for Mac and Windows.

I can’t agree more that the average quality of programmers (and therefore reusable components) is miserable. Code reuse can be very messy and anyone serious about quality is forced to reinvent the wheel over and over.

Of course I also agree that not all standards are good, as I don’t consider the web’s standards good.

However, there are fake high level languages and real high level languages. You cannot really build a complex system in a low level language, and even if you did, it would be full of abstractions, effectively making it a high level language via design patterns.

Look at PHP, it’s a horrible mess, a big ball of crap thrown together to make a “framework” to “ease” web development. The developers don’t have a clue what they’re doing and there are lots of new vulns in it every month at both the high and low levels. The builtin functions are completely inconsistent, some things return magic values and some things raise exceptions. PHP just takes random features from other languages and piles them together in an incoherent way. PHP is weakly typed (which is _always_ useless and causes more bugs). PHP is configurable, different libraries depend on different configurations of it. PHP has a garbage optional security model thing called safe-mode, which doesn’t work as it’s just more crap incoherently thrown together.

Now look at a real high level language, like Haskell, everything is immutable, which immediately mitigates one of the big class of bugs. Lazy evaluation means everything is more efficient most of the time (most problems are best solved lazily), but can be turned off when needed. The type system tells you all the information you’d ever want to know about the architecture of a given program, as well as catches _lots_ of bugs up front. Functions can easily be reasoned about due to type safety and immutability. This is a language that was actually thought out, unlike PHP.

Also, there are capability-secure languages/OSs, such as E (language), where security is orthogonal and forces the principle of least authority upon the entire architecture from the ground up. They have already been proven easy to use (obviously, much easier to use than any *nix crap because they have strong typing and aren’t C) and exponentially more secure. E is basically reifies one of the things computing is meant to have but doesn’t currently: you can run any code without caring if it’s evil or crappy. Sort of like the web but not completely flawed/unusable/insecure. The capability model also stop programs from dumping random garbage all over your OS, which is what happens on *nix and Windows.

Did I mention POLA is important? Why one would ever want to run random code off the internet with full privileges is beyond me. Java has an actual _half_ decent security/object model BTW, but it was ruined by pragmatism, and now everyone just signs their applets and the users can’t run them unless they modify their JVM or allow the code to run with full privileges.

Heck, even QNX is vastly superior to *nix just because they took a few old academic ideas into practice.

But what I really want to get down to is that strong typing is mandatory. (Strong typing in the data sense as well as language).

What I mean by strong typing in the data level is that you don’t take a bunch of random text and try to interpret it. You don’t take a bunch of machine words off the stack/heap and try to interpret them. Data must be organized mechanically, never trust the human.

Stack smashing happens because of lack of strong typing; array’s don’t really exist, you just get pointers to memory and are free to do anything with them, integers don’t exist either, you just have machine words. Actually nothing exists because C is just one crappy abstraction with a ton of undefined behavior. Strongly typed arrays cannot be violated, nor can ints etc. C is another example of this nonsense re-usability notion, to make it “fast”, _as well_ as portable, it has to have tons of undefined behavior. A secure system would have a high level language and the underlying low level components would be written in a way specialized to that architecture, in which case you can get performance as well as **no** undefined behavior.

XSS is because of lack of strong typing, you are just taking a bunch of text and blindly treating it as code or crap to inject into some text that is meant to be code. This is about as unreliable as it gets. Strongly typed declarative data structures prevent this.

SQL Injection? Ditto. But has been solved by A) ORMs that aren’t vulnerable B) Object databases (which are on par and sometimes better than RDBMS with respect to performance, BTW) C) HaskellDB ;)

HTTP injection? Well this doesn’t happen as much because one typically uses a safe API to build the HTTP request as opposed to editing it and parameterizing it by hand. This is analogous to using a safe API to manipulate a binary data structure (that is strongly typed). Hey? Binary is compact and efficient, then why do we have text protocols and formats? Oh yeah, someone thought it would be a good idea to have plaintext stuff because maybe we would be able to edit it by hand or something. BS. Do they expect us to edit 20MB XML documents by hand? You should be using a graph editor that provides a set of idiomatic transforms and queries (does this exist for XML? it should.). The only time you can edit _any_ plaintext document by hand is when it’s tiny, except this still doesn’t work because you don’t know what character set encoding to use… XML sucks, it’s not a cyclic graph so you have to retype things instead of just putting a reference to them, or invent an ad-hoc way of doing this for your schema. This is clearly propagated by the “simple” design of plaintext XML, if it were binary, they probably would have just made a real cyclic graph. This stuff also reminds me of another major issue with *nix, everything is a file (which is nonsense, everything should be an object, or maybe there is something better? I dunno, but objects are already superior to files in every way. Want streams? read: lazy evaluation), which for some reason, means everything is text with an arbitrary grammar, so you have to write a ton of regular expressions to get anything done in *nix. Ooh and you have magic numbers as return values from programs. Except these both break all the time as new versions of the programs come out. And they are a bitch to fix because they aren’t objects; you have to rewrite the parsers (text) instead of using the new fields (objects). Even the input to any *nix program is braindead and violates strong typing principles so they can’t be used without causing new vulnerabilities. Even if you escape the input to make it safe for bash or whatever shell you are using, the data within that parameter might still need to be further escaped because it’s passed as an SQL string or some other weakly typed system. I don’t know why “command line” mantra even exists anymore (now that we don’t use ancient terminal things anymore, well some people do, but not me at least), every program that has an interactive bash shell thing is different and crappy and has no multiline input and a lot of them overwrite your input as you’re typing it with output. Command line apps shouldn’t exist, there should just be objects that you invoke methods on with a _real_ (bash isn’t a real language) statically strongly typed language and get back some other objects. Static typing allows *rich* auto-completion for free. The shell can infer the variables in the local namespace that match the input parameter you are on, and then suggest them all. And the shell should actually be a decent thing, not a stupid pair of I/O streams. *nix terminal things suck **hard**. If you copy and paste some text from a web page, it might contain malicious code followed by a newline (a page can make you copy something other than what is displayed and highlighted on it), and you get owned. Oooh, oooh, X11 is also broken, it doesn’t let non-you users display to a constricted area on it, so you have to run random crap programs off the internet as you, and they get to steal all your non-root stuff (the stuff that *actually* matters). But they get root by ptracing your bash shell and escalating to root the next time you sudo or su. The Qubes OS tries to fix some of this stuff, but fails miserably, because it’s not even as good as or better than the Object Capability Model, which was invented decades ago, but I guess this is because they want compatibility with current software, which means they have to diminish security. Maybe they would be better off joining Tunes.

Computing sucks hard for many other reasons, but I’m getting tired of writing for now and am hungry.

What does this all have to do with firesheep? Dunno, but it’s not surprising what firesheep can do, and it’s about time someone is stepping up and trying to expose more loudly one of the many critical flaws that have been being used for malicious purposes for the past decades. I predict the next movement is for someone to write a nice metamorphic virus and take over hundreds of millions of boxes on the internet and all those crappy embedded devices. (It’s not that hard to pull off.)

Anyone interested in creating a secure computing paradigm and ditch all this other nonsense? Call me.

You will need gcc and some packages/libs for building berk-db and netatalkd, like “patch” and “make”

  yum install openssl.x86_64 libssl-dev gcc automake autoconf GSSAPI libgssapi-devel libgssapi  libgssapi-devel krb5-devel pam-devel shadow-devel openssl-devel cracklib wget

1. Download the latest berkeley-db 4.8 (5.0 and 5.1 did not work for me), compile and install

wget http://download.oracle.com/berkeley-db/db-4.8.30.tar.gz
tar xpf db-4.8.30.tar.gz
cd db-4.8.30/build_unix/
../dist/configure
make
make install

2. Download latest netatalkd, compile, install and copy config files to /etc/atalk
AFP works fine with the default configuration files.

wget "http://downloads.sourceforge.net/project/netatalk/netatalk/2.1.5/netatalk-2.1.5.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fnetatalk%2F&ts=1293643408&use_mirror=biznetnetworks"
tar xpf netatalk-2.1.5.tar.bz2
cd netatalk-2.1.5

./configure --enable-redhat --enable-pgp-uam --enable-krb4-uam --enable-krbV-uam --with-bdb=/usr/local/BerkeleyDB.4.8/
make
make install
mkdir -p /etc/atalk/
cp -a config/*.conf /etc/atalk/
chkconfig netatalk on
service netatalk start

Extra:

When you mount this filesystem on mac, all files and directory permissions will be reset to 755, which is really annoying, specially if you use git. Git will show all the file permission changes to 755 instead of 644 for files.

so, to solve the problem edit the file /etc/atalk/AppleVolumes.default and update the last line on the file

  vi /etc/atalk/AppleVolumes.default
  # change from
    :DEFAULT: options:upriv,usedots
  # to
    :DEFAULT: options:upriv,usedots dperm:0755 fperm:0644

Resources:

• http://www.linuxquestions.org/questions/red-hat-31/how-to-get-netatalk-installed-on-centos-5-1-a-636147/

• http://permalink.gmane.org/gmane.network.netatalk.user/20594