Re: xscreensaver-settings keeps on crashing

, Sep 29, 2023 at 06:38 John McCue wrote: > On Mon, Sep 11, 2023 at 10:51:55AM -0500, Luke Small wrote: > > > >I attached ???.xscreensaver??? I had to change the file type to send it. > > I ended up installing xscreensaver-6.05.1 via pkg_add(1) and > xscreensaver-demo and

xscreensaver-settings keeps on crashing

This is incredibly frustrating and has remained a problem throughout upgrades! Do I rebuild xenocara? Anyone know how to fix this? xscreensaver-settings crashes: " $ xscreensaver-settings xscreensaver-settings: 13:47:37: X error: xscreensaver-settings: Failed request: BadMatch (invalid

Re: xscreensaver-settings crashes in OpenBSD 7.2

Maybe Linux-drm messed it up? On Fri, Nov 11, 2022 at 10:35 AM Luke Small wrote: > xscreensaver-settings crashes in OpenBSD 7.2 > > Graphics card shows as radeon 7450 in the dmesg, > "radeondrm0 at pci3 dev 0 function 0 "ATI Radeon HD 7450" rev 0x00", > but

xscreensaver-settings crashes in OpenBSD 7.2

xscreensaver-settings crashes in OpenBSD 7.2 Graphics card shows as radeon 7450 in the dmesg, "radeondrm0 at pci3 dev 0 function 0 "ATI Radeon HD 7450" rev 0x00", but it is a radeon hd 6450 exactly like this one: https://www.amazon.com/MSI-Profile-PCI-Express-R6450-MD1GD3-LP/dp/B004X6ABTM the

KARL for user programs?

So if it’s a potential vulnerability for the kernel to be linked the same without KARL (I presume because if the source code is known and ASLR and PIE can potentially be randomly overcome) then can there be a KARL type extension for cc/c++ ?-- -Luke

Boise mirror certificate expired : Boise, ID, USA : mirrors.syringanetworks.net

Boise mirror certificate expired : Boise, ID, USA : mirrors.syringanetworks.net mirrors@ didn't quite seem like it was being used. -Luke

Kqueue priorities feature?

I recall tedu@ saying my that there was no reason for there to be multiple kqueues in a program. Well I beg to differ. I have a program with 3 kqueues because I want three distinct priorities on each worker process. The parent program initializes and fork()s a process that listens and passes

Re: disk lights on but top showed nothing!

percentage numbers. On Sun, Jan 2, 2022 at 11:43 AM Crystal Kolipe wrote: > On Sun, Jan 02, 2022 at 11:09:40AM -0600, Luke Small wrote: > > And if there was a super busy disk program running which would make a 2x3 > > RAID10 array of 15000 RPM disks busy running on OpenBSD, I pre

Re: disk lights on but top showed nothing!

It’s a 2U Supermicro pizza box server with a low profile Radeon graphics card. It’s always attached to a 32 inch monitor, a keyboard, mouse, KVM and I program on it, but it does a lot of server stuff. I doubt most people would call a pizza box a workstation no matter what you put on it. And if

Re: disk lights on but top showed nothing!

wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0 wsdisplay0: screen 1-5 added (std, vt100 emulation) On Sat, Jan 1, 2022 at 4:22 AM Crystal Kolipe wrote: > On Sat, Jan 01, 2022 at 12:01:28AM -0600, Luke Small wrote: > > The lights on my server which shows that th

disk lights on but top showed nothing!

The lights on my server which shows that the disks are busy were on and not just flashing and I looked at top and usually it’s because security is running, but this time NOTHING! I even killed Firefox and by far the busiest thing on there was top! pftop didn’t seem especially busy either!-- -Luke

I had to change NIC I’m still having issues.

I have a Ethernet westmere-ep Supermicro server I use for a local dns server which I have local devices vpn connected into. I started with em0 and I finagled a Google router/modem to give me back the same local reserved address for em3 for the new Intel i350-t2 card. I was watching “tcpdump

I got a new “em” card. pf uses old “self”

I reserved a new address for the new I350-T2 card and replaced unbound.conf and all uses of it in /etc. “tcpdump -aetvvipflog0” still returns the old reserved address! What do I do? -- -Luke

Got a new “em” card. pf uses old “self”

I reserved a new address for the new I350-T2 card and replaced unbound.conf and all uses of it in /etc. “tcpdump -aetvvipflog0” still returns the old reserved address! What do I do? -- -Luke

Re: Put non-NULL pledge abort in the man page

On Thu, Nov 25, 2021 at 5:17 AM Claudio Jeker wrote: > On Thu, Nov 25, 2021 at 04:55:23AM -0600, Luke Small wrote: > > I ran ktrace. Kdump said the last thing it did was try to load > > /usr/libexec/ld.so > > > > To main(), before the unveil pledge is dropped, I added:

Re: Put non-NULL pledge abort in the man page

ly created program, which hasn’t set new pledge execpromises, it won’t successfully run ftp(1) because it wasn’t granted the inet execpromise. execpromises seems to have carried over! On Thu, Nov 25, 2021 at 2:24 AM Sebastien Marie wrote: > On Thu, Nov 25, 2021 at 01:52:31AM -0600,

Re: Put non-NULL pledge abort in the man page

ame program? Is it trying to read another file which unveil is still affecting? >> >> Luke Small wrote: >> >> > I have a program which runs fork() a couple times with pledges: “stdio >> > cpath wpath” for writing to disk and “stdio dns” for a d

Re: Put non-NULL pledge abort in the man page

ant people on the internet to help > you debug what you have done wrong in this secret program. > > You obviously don't know what you are doing, and I think you don't > deserve help. > > > Luke Small wrote: > > > I have a program which runs fork() a couple times wit

Re: Put non-NULL pledge abort in the man page

This a command-line program is used to make manually choosing a responsive mirror or automatically writing the most responsive OpenBSD mirror to /etc/installurl very easy. On Wed, Nov 24, 2021 at 11:50 AM Luke Small wrote: > I tried calling pledge with a non-NULL execpromise and noti

Put non-NULL pledge abort in the man page

I tried calling pledge with a non-NULL execpromise and noticed that it was killed. That’d be convenient if that behavior was noted in the man page!-- -Luke

clang performance bug is worse on openbsd than freebsd

https://bugs.llvm.org/show_bug.cgi?id=50026 I reported it to the llvm people. it is two slightly different quicksort algorithms which perform radically differently. The one which you could assume would take more time, performs MUCH better. I made a custom quicksort algorithm which outperforms

bought an Audigy soundcard hoping it'd work.

I have a cheap 6450 radeon graphics card with unsupported audio and an Audigy FX I hoped Audigy card would work on the emu(4) driver, but doesn't seem to. I turned on sysctl kern.audio.record=1 Any thoughts? dmesg: ... azalia0 at pci3 dev 0 function 1 "ATI Radeon HD 6400 Audio" rev 0x00: msi

Can lmdb library linked C code be profiled?

I’ve discovered that C source code only seems to be able to be profiled by gprof profiled with gcc (or egcc from gcc package) and with the “-static” flag to static link the program. But statically linked code which uses lmdb with lmdb.a from the lmdb package will throw compile-time errors. Is

Re: I can’t get veb/vport to work with vmd.

I got it working. I have a pretty hefty amount of vether0 and vether0:network in my pf.conf that I changed to vport0 and vport0:network. That fixed every single thing! I somehow completely forgot about all the vether0 pf rules which isolates the the various local systems so VMs are isolated from

I can’t get veb/vport to work with vmd.

There seems to be ZERO examples of using veb/vport vs bridge/vether. I am running 6.9 now and I substituted the bridge0 usage in vm.conf and I copied the hostname.vether0 into hostname.vport0 and hostname.bridge0 uses vether0 so I used vport0 in hostname.veb0 . I used ifconfig … down for bridge0

Re: Can I do 4-26 snapshot to 6.9-stable safely?

ect "disk" and type in the location of the mount > On Sun May 2, 2021 at 12:34 PM CST, Luke Small wrote: > > There has to be a valid partition to install it to. When I have an > > encrypted drive, that doesn’t exist using usb…chudazoid. > > > > On Sun, May 2, 2021 at 1:

Re: Can I do 4-26 snapshot to 6.9-stable safely?

That change to undo the “supersede” command to look at the local unbound server in dhclient.conf fixed it. Downloading 6.9 release as we speak. On Sun, May 2, 2021 at 1:34 PM Luke Small wrote: > There has to be a valid partition to install it to. When I have an > encrypted drive, that d

Re: Can I do 4-26 snapshot to 6.9-stable safely?

ur file location > > On Sat May 1, 2021 at 7:37 PM CST, Luke Small wrote: > > I would do that, but I’ll have to figure out how to manually mount my > > encrypted partition, which sysupgrade and bsd.rd takes care if for me > > automatically. > > > > On Sat, Ma

Re: Can I do 4-26 snapshot to 6.9-stable safely?

"disk" at the prompt. once you go current you can't go back, and its > very clearly said in the FAQ as ashton said > > On Sat May 1, 2021 at 6:25 PM CST, Luke Small wrote: > > I tried that by the way. I even mv’ed my pf.conf to nullify it and > > tried > > and it coul

Re: Can I do 4-26 snapshot to 6.9-stable safely?

aks to this matter. > > Noone else has anything more to say. > > Please stop begging for personal handholding, everyone is getting > embarrassed. > > > > Luke Small wrote: > > > I tried that by the way. I even mv’ed my pf.conf to nullify it and tried > > and it co

Re: Can I do 4-26 snapshot to 6.9-stable safely?

enough. On Sat, May 1, 2021 at 5:26 PM jpeg bild wrote: > If you want to move back to stable, you would have to boot bsd.rd and > select "Upgrade" in the prompt, then install from http with the correct > path for 6.9-stable > > On Fri Apr 30, 2021 at 9:49 PM CST, Lu

Re: Can I do 4-26 snapshot to 6.9-stable safely?

an iso) to make that change? On Fri, Apr 30, 2021 at 11:01 PM Theo de Raadt wrote: > Luke Small wrote: > > > We’re there major irreversible changes made to the following snapshot: > > > > kern.version=OpenBSD 6.9-current (GENERIC.MP) #479: Mon Apr 26 02:26:53 > MDT &

Can I do 4-26 snapshot to 6.9-stable safely?

We’re there major irreversible changes made to the following snapshot: kern.version=OpenBSD 6.9-current (GENERIC.MP) #479: Mon Apr 26 02:26:53 MDT 2021 which would render in incapable of a downgrade? -- -Luke

Can I shorten fw_update download timeout?

I make unbound connect to dnscrypt-proxy and after an update, it’ll just sit there for what seems like 2 minutes while fw_update inevitably fails before turning on dnscrypt-proxy. I’ve been running snapshots and that’s really dumb. Or is there a way to have unbound connect to a failover server

Re: FVWM terminal emulator transparency issue in -current

Thanks! I just made it run at opacity .55 and I LOVE IT! Thanks! On Mon, Feb 15, 2021 at 11:25 PM Thomas Frohwein wrote: > On Mon, Feb 15, 2021 at 05:03:55PM -0600, Luke Small wrote: > > I'm running fvwm window manager and I just switched to -current. Roxterm > is > > totall

FVWM terminal emulator transparency issue in -current

I'm running fvwm window manager and I just switched to -current. Roxterm is totally messed up, won't do transparent background and I tried xfce4-terminal and it says it won't do transparent backgrounds because compositing is disabled Sure first-world problems, but I REALLY want fvwm to do

Snort for httpd’s https sessions?!

Is there a way for a hook(?) for snort to read plaintext https sessions in OpenBSD’s httpd?! That’d be SUPER SWEET!-- -Luke

pf and Wireguard

... Change: match out on egress from (wg0:network) to any nat-to (egress:0) To: match on egress from (wg0:network) to any nat-to (egress:0) tag “wireguard” pass tagged “wireguard” keep state -- -Luke

USA kernel hackers looking for a $120k+ job?

I’m applying for federal grant which will hopefully start about March or April and I’m looking for somebody who can work on OpenBSD and in C (perhaps with a touch of python) to do the server side of an extraordinary dating app which will be able to prove STD uninfectiousness! -- -Luke

fullscreen iridium stops me scrolling to another fvwm virt. desktop!

fullscreen iridium browser often stops letting me scroll to another fvwm virtual desktop, but I never have that problem with firefox! Whats the deal? On iridium, I either have to click on the browser window border or I have to unmaximize the browser window to leave space between the browser window

Re: strlcpy version speed tests?

Are you clinging to traditions for some purpose? I gave two different versions. strlcpy3 is clearly more easily understood and even slightly faster and strlcpy4 which sets up the following workhorse lines which through timing the functions is hands down faster on my Xeon chips: strlcpy4: while

Re: strlcpy version speed tests?

I suppose this strlcpy4 without a goto is more elegant -Luke On Tue, Jun 30, 2020 at 10:07 PM Luke Small wrote: > I made it SUPER easy to test my assertion. The code is there. No > configuration needed. > > On Tue, Jun 30, 2020 at 9:59 PM Theo de Raadt wrote: > >&

strlcpy version speed tests?

I made a couple different versions if anybody is interested! -Luke #include #include #include #include #include #include /* cc strlcpy_test.c -pipe -O2 -o strlcpy_test && ./strlcpy_testfast */ /* * Copy string src to buffer dst of size dsize. At most dsize-1 * chars will be copied.

why isn't strlcpy written like this:

strlcpy is: size_t strlcpy(char *dst, const char *src, size_t dsize) { const char *osrc = src; size_t nleft = dsize; /* Copy as many bytes as will fit. */ if (nleft != 0) { while (--nleft != 0) { if ((*dst++ = *src++) == '\0') break; } } /* Not enough room in dst, add NUL

Re: Filling a 4TB Disk with Random Data

if you have access to packages, you could "pkg_add pv" and: "dd if=/dev/random | pv | dd of=/dev/rsdXc bs=1m" It will show you in real time how much random data has been written to disk. -Luke On Wed, Jun 10, 2020 at 11:43 AM Luke Small wrote: > I mean: "

realpath(3) to unveil() symbolic links!

You can use unveil() on both a symbolic link and the value recovered by putting it in realpath(3)! I used it in what I submitted for unveiling ftp(1) -- -Luke

Re: I unveil()ed ftp(1)!

I made symbolic links “ln -s /etc/ssl/cert.pem ”. I used the realpath command and it worked in the software I submitted. On Thu, Jun 4, 2020 at 11:06 AM Theo de Raadt wrote: > No. > > I'm guessing you don't understand symbolic links. > > Look, this is a waste of time. > >

Re: I unveil()ed ftp(1)!

In the case of 1 URLs couldn’t you at least merely unveil “./“ as “cw”; make any specified cafile/capath including shortcut resolution as “r” (perhaps with the shell “x”) so that at worst, current directory files could be overwritten, but not read? On Wed, Jun 3, 2020 at 10:39 AM Theo de

Re: I unveil()ed ftp(1)!

there was tiny error I created. -Luke On Wed, Jun 3, 2020 at 2:24 PM Luke Small wrote: > There! It doesn't use an unveil list. It has 2 dry runs as proposed. > It could just have a dry run to see if it goes into interactive mode > and then unveil as we go! but I like to see all t

Re: I unveil()ed ftp(1)!

There! It doesn't use an unveil list. It has 2 dry runs as proposed. It could just have a dry run to see if it goes into interactive mode and then unveil as we go! but I like to see all the unveil calls before the ftp output statements myself! -Luke On Wed, Jun 3, 2020 at 11:30 AM Luke Small

Re: I unveil()ed ftp(1)!

Or you could have 2 dry runs. One to merely see that it won't head into interactive mode and a second one to start the unveiling directly in fetch.c. Unless unveil itself will have too many entries! -Luke On Wed, Jun 3, 2020 at 11:12 AM Luke Small wrote: > I figure if it took up that m

Re: I unveil()ed ftp(1)!

I figure if it took up that much stack space from before, it'd start needing to dang near run the stack into on-disk virtual memory anyway. At that point, it'd perhaps be a better design choice to break up your ftp calls into slightly smaller chunks to avoid massively poor performance, yeah? LOL

Re: I unveil()ed ftp(1)!

ean it is amusing, because this is never going to fly. > > This increase in complexity is completely unacceptable, what I see is > completely amateurish, and I also see overflows, a lack of testing > for edge conditions, and a lack of attention to how unveil works. > > > Luke Sm

Re: I unveil()ed ftp(1)!

you for the laugh. > > > Luke Small wrote: > > > I think I'm done tinkering. try these out in ftp folder. I left in some > > fprintf(ttyout,...) in main.c > > to show what is being unveiled. It resolves shortcuts in SSL_CAFILE > > and SSL_PATH variables. &

I unveil()ed ftp(1)!

I think I'm done tinkering. try these out in ftp folder. I left in some fprintf(ttyout,...) in main.c to show what is being unveiled. It resolves shortcuts in SSL_CAFILE and SSL_PATH variables. It leaves in place the functionality of the original functions, but adds the availability to perform a

Re: Could somebody please put unveil() in ftp(1)?

files below vs the originals since I last updated the source files. -Luke On Tue, Jun 2, 2020 at 12:43 PM Kevin Chadwick wrote: > On 2020-06-02 17:28, Luke Small wrote: > > I don’t have experience doing diffs. Are there flags I should be using > in diff > > or should I do

Re: Could somebody please put unveil() in ftp(1)?

I missed something. -Luke On Sat, May 30, 2020 at 2:53 PM Luke Small wrote: > I’ll get to looking at ftp(1) more when I get some physical contact with > my server. I’m quaranteaming with my girlfriend’s folks. > > I have a pkg_ping program (OpenBSD-specific, dns caching, l

Re: Could somebody please put unveil() in ftp(1)?

May 29, 2020 at 8:50 AM Stuart Henderson wrote: > On 2020/05/29 08:30, Luke Small wrote: > > You mention a lot of files that need to be read, but a program like > pkg_add can make it the > > _pkgfetch (57) user which has no directory and I’m guessing not in > interactive mode. At t

Re: Could somebody please put unveil() in ftp(1)?

You mention a lot of files that need to be read, but a program like pkg_add can make it the _pkgfetch (57) user which has no directory and I’m guessing not in interactive mode. At the very least, in noninteractive mode you could unveil(“/“, “rx”); and change the specified output file discover the

Could somebody please put unveil() in ftp(1)?

unveil is nowhere to be found in the ftp program source code. There’s probably another way to do it, but I wrote a program and searched all files in /usr/src/usr.bin/ftp/ contain no mention of “unveil”, but It mentions “pledge” It could take 3 lines at line 389 in /usr/src/usr.bin/ftp/main.c: if

Can root C program call to sysctl be pledge()ed?

I have need to call sysctl() in a C program to read “sysctl kern.version”. Will there be a pledge() to prohibit further calls to sysctl()? I’m kinda afraid that putting a sysctl call could conceivably leave it vulnerable to calling it again in the case the mitigations fail and sysctl() is run to

Re: 6.6-beta (RAMDISK_CD) #281 hangs on fsck

Yay! -Luke On Sun, Sep 8, 2019 at 8:07 PM David Gwynne wrote: > I think I see the problem. We're going to try and test this locally and > will hopefully have something committed in a few hours time. > > dlg > > > On 9 Sep 2019, at 10:33, Luke Small wrote: > > >

Re: 6.6-beta (RAMDISK_CD) #281 hangs on fsck

I have mfii too: dmesg | grep mfii: mfii0 at pci11 dev 0 function 0 "Symbios Logic MegaRAID SAS2208" rev 0x05: msi mfii0: "LSI MegaRAID SAS 9271-8i", firmware 23.28.0-0010, 1024MB cache scsibus1 at mfii0: 64 targets scsibus2 at mfii0: 256 targets > On 8.9.2019.

Re: 6.6-beta (RAMDISK_CD) #281 hangs on fsck

is installed soon af...“ On Sun, Sep 8, 2019 at 11:19 AM Luke Small wrote: > It doesn’t work for me on the > ftp.hostserver.de/archive/2019-08-29-0105/amd64/ > bsd.rd! > > On Sun, Sep 8, 2019 at 10:50 AM Luke Small wrote: > >> Mine works on 8-27 >> -- >> -Luke >> > -- > -Luke > -- -Luke

Re: 6.6-beta (RAMDISK_CD) #281 hangs on fsck

It doesn’t work for me on the ftp.hostserver.de/archive/2019-08-29-0105/amd64/ bsd.rd! On Sun, Sep 8, 2019 at 10:50 AM Luke Small wrote: > Mine works on 8-27 > -- > -Luke > -- -Luke

Re: 6.6-beta (RAMDISK_CD) #281 hangs on fsck

Mine works on 8-27 -- -Luke

Re: Who has an ancient -current snapshot

Thanks, Somebody else directed me to it too! I got my server working again!!! -Luke On Sat, Sep 7, 2019 at 3:52 AM Marcus MERIGHI wrote: > Hello Luke, > > lukensm...@gmail.com (Luke Small), 2019.09.07 (Sat) 00:56 (CEST): > > I need an old kernel image older than maybe a coup

Who has an ancient -current snapshot

I need an old kernel image older than maybe a couple weeks old. I have the x8dth-6f motherboard and newer snapshots broke it. I made the mistake of trying to downgrade to 6.5 and now I can boot my machine! I made a not-bright decision. -- -Luke

Re: Can unveil pledge to only reduce?

of a pledge command? It apparently knows if it is an increase in permissions, can't it be set to only permit them? On Thu, Aug 16, 2018 at 2:00 PM Luke Small wrote: > Ok. Thanks. > On Thu, Aug 16, 2018 at 1:59 PM Theo de Raadt wrote: > >> Luke Small wrote: >> >

Make new OpenBSD 2.5 daemon art!!!

Re: Can unveil pledge to only reduce?

Ok. Thanks. On Thu, Aug 16, 2018 at 1:59 PM Theo de Raadt wrote: > Luke Small wrote: > > Could you have a promise for unveil reductions only? > > That won't actually help much, and people will fall into some > pretty significant traps. > > Sorry it would require a really long explanation. >

Can unveil pledge to only reduce?

Could you have a promise for unveil reductions only?

anybody installed angr, eg. pip install angr

It doesn't natively support OpenBSD.

This a good place to find a Sr. C coder 4 app server?

I have what I feel to be a profound idea that is in need of someone with a strong resume. I have a patent. I want to use it to enable users to get tested for sexually transmitted diseases, then use iris scanning smartphones to compare their disease sets. There is a strong epidemiological component

Re: Can SSH report successful connections to pf?

Cool! On Sat, May 5, 2018 at 3:17 AM Andreas Kusalananda Kähäri < andreas.kah...@icm.uu.se> wrote: > On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote: > > > > You might want to parse /var/log/authlog and the logrotated > authlog.[0-9].gz > > for successful and unsuccessful

Can SSH report successful connections to pf?

Can SSH and possibly other programs more easily able to report successful connections so pf can make stricter bruteforce connection rejecting even better?

Wouldn't it be cool...!

What if you could set up a pf rule to: overload an ip address into a table if they tried to access the wrong port on an address and overload flush global immediately into a blocklist ( max-src-states 0)! or with max-src-conn-rate 2/60 when sshd behaves in such a manner as to confirm that a

Re: Automatically restarting services/daemons after crash

/Blind_return_oriented_programming seems to state so. I dont fully trust wikipedia. On Sat, Oct 14, 2017 at 3:06 AM Philip Guenther <guent...@gmail.com> wrote: > On Sat, Oct 14, 2017 at 12:49 AM, Luke Small <lukensm...@gmail.com> wrote: > >> If that's true, then why has Theo been speaking of th

Re: Automatically restarting services/daemons after crash

If that's true, then why has Theo been speaking of the brop problems, when they begin with an incremental canary discovery that becomes all but impossible to guess when it becomes a random 4 byte datum each time rather than a datum that remains the same each restart? Braille should already be

Re: Automatically restarting services/daemons after crash

I am not versed in operating systems as well as you, but I would think that stack and buffer canaries would differ from each execution.

Re: Automatically restarting services/daemons after crash

Maybe more things should be randomized like the stack canaries. Is that a new idea? On Fri, Oct 13, 2017 at 11:34 PM Theo de Raadt wrote: > > I read "hacking blind." Can you restart a daemon with another forked > > process that's only job is to monitor a pipe or a

Re: Automatically restarting services/daemons after crash

I read "hacking blind." Can you restart a daemon with another forked process that's only job is to monitor a pipe or a waitpid()-like operation and if the parent dies, it exec's to restart it, or even execs "rcctl restart ntpd" If the mitigations are successful at limiting execution to let's say,

pkg_add ignores -m

Using the -m flag it still gets warnings from pulseaudio and redis that I didn't use the -m flag

Pledge paths[ ]

Is paths[] going to have permissions defined for each path? Like: char *paths[], int *mode, where mode is the same as in dbopen(3). Maybe so you don't have to clean up previous pledge calls, any pledge calls with a NULL paths argument doesn't have anything specified for mode. for simplicity,

How do you use EV_DISPATCH in kqueue(2)

Is EV_DISPATCH somehow like EV_ONESHOT or EVDISABLE ? What is a use case? If you have an open socket file descriptor with a EVEFILT_READ, does it close the socket upon getting some data? I don't run current.

why does unbound listen as root

pf rule execution says it listens as root, but it connects as the _unbound user, when configured to run as _unbound. Why doesn't it listen, bind, etc. as root, drop privileges and pledge away privilege escalation? Is it to avoid more #ifdef hell? Or can you not listen to a privileged port if you

Re: list all system users, eg. _x11

if I need to identify all > the user accounts (to recreate them on a new system or something), I > exclude uids under 1000 as a starting point. > > > On Mon, May 8, 2017 at 4:51 AM, Marcus MERIGHI <mcmer-open...@tor.at> > wrote: > >> and...@msu.edu (STeve Andre'),

list all system users, eg. _x11

Is there a way to determine all users on a system that the users command doesn't seem to show? like _x11 and _ntpd

Pf with secondary DNS resolution

Four words Peter..."dynamic IP address". I'm sure that there are folks that ssh into machines that are on a dynamic IP address that don't have a modem on a power backup, or even possibly on an ISP that may down, possibly when they are out of town. I don't know if it is possible or already done,

Re: Pf with secondary DNS resolution

ready done, but you could have a computer check into a target machine that often changes the ip address or system while the firewall is locked down to only send messages to that remote machine and if it is compromised, can't send it anywhere else. On Wed, May 3, 2017 at 3:16 PM Luke Small <lukensm

Pf with secondary DNS resolution

Is it worthwhile to set up a hook for pf to load rules that have URLs after the network services that can resolve them come into effect?

80 users

As I recall, there is a build configuration of 80 users for some kernel components. What happens if the system exceeds that number?

Re: pledge for sockets

a different user through pf (and when I get a more serious machine, possibly through a unique interface). Most importantly, I need it for session cache for multiple processes. On Sat, Apr 29, 2017 at 10:02 AM Luke Small <lukensm...@gmail.com> wrote: > I have a program that I believe needs ine

Re: pledge for sockets

AM Reyk Floeter <r...@openbsd.org> wrote: > > > Am 26.04.2017 um 13:38 schrieb Luke Small <lukensm...@gmail.com>: > > > > Pledge will presumably have per process (including fork()ed process) > **path > > limitations on rpath rpath and wpath calls, why not

Re: pledge for sockets

Pledge will presumably have per process (including fork()ed process) **path limitations on rpath rpath and wpath calls, why not limitations on inet and unix? On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson <icepic...@gmail.com> wrote: > 2017-04-26 13:19 GMT+02:00 Luke Small <lukensm.

Re: pledge for sockets

I'm not saying to alter pledge necessarily, maybe make new system call like pledge. There aren't any per-process pf rules that are applied. When a socket connects to a remote or local server and pf makes a state, it has the originating randomized port. Pf rules can be made that target those

pledge for sockets?

Would it be a good idea to make a pledge like call that limits a process from connecting to ports and/or hosts? Maybe it could be done in way that the kernel is made aware of the limitations like in a pledge call and while the process is alive, the kernel spawns pf rules based upon the socket

Re: kqueue

It looks like you will be limited to 4096 timers and to valid file descriptors that don't exceed INT_MAX. My guess is that if you need more, you could run another kqueue for more timers or different kevents on identical file descriptors. Otherwise, the man page says: kevent() returns the number

kqueue

I suspect that you will sooner run out of file descriptors. but I assume that if it runs into a problem, kevent() will return -1 and it may be unrecoverable. I suspect that it would first occur because the kernel is being overutilized. The information that is being created, I suspect, is being

Re: Why isn't OpenBSD in Google Summer of Code 2017?...

nful > and much more effective to rewrite from scratch. So what's the point of > having that previous iteration? > > On 5 Apr 2017 at 13:10, Luke Small wrote: > > > I imagine there are some projects that need some love that are on the > back > > burner at the moment that

  1   2   >