On 1/26/06, Joachim Schipper [EMAIL PROTECTED] wrote:
I agree with your assessment - but disallowing mounts in securelevel 2
fixes the most obvious attack (that anybody with even a little UNIX
no, it fixes nothing. root can alter processes' memory. you gain
*nothing* by preventing
No this is only processor documentation.
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113398028623246&w=2
Let me be clear.
Imagine if we only had processor documentation for Intel-based machines:
This is what a real i386 dmesg would look like. Look carefully. And I am
not making a joke.
Are there any plans to import ueaglectl to OpenBSD?
http://damien.bergamini.free.fr/ueagle/
The whole idea is to one day fix this so that it can just work
automatically, using ifconfig.
Please read a posting about 2 weeks ago by dlg comparing bioctl to
ifconfig. Please google for it.
It's actually not only processor documentation though. It's docs for
the new sun4v arch, specifically so people can port operating systems
to it. Operating systems run on the hypervisor, not on the hardware.
http://opensparc.sunsource.net/specs/Hypervisor-api-current-draft.pdf
That
We don't even have any documentation for Sun's ethernet chipsets, even
the old gem found in machines which showed up on the market about 8-10
years ago. Let alone their newer chipsets, or their pci chipsets.
And largely we suspect we don't get documentation because it would
show how buggy their
can anyone tell me wtf I'm missing in the commands below?
# mkdir foo
# cd foo
# mkdir bin dev
# cp -p /bin/cat bin
# cd dev
# /dev/MAKEDEV std
# cd ..
# chroot . /bin/cat /dev/stdin
cat: /dev/stdin: Device not configured
The reason I ask is that I need to run tar -czf within a
while doing some reading on secure software development
(//www.ranum.com/security/computer_security/archives/security-for-developers.pdf)
I came across the advice always link your privileged binaries
statically.
However a quick check on my system revealed me almost all suid/sgid
programs
As the dmesg below shows, everything just works. My only complaints
thus far are that the board seems to lack an OS visible hardware sensor
of any sort (though the BIOS does have an emergency shutdown
temperature setting)
It is possible it does have some sort of sensor stuff, but that
they
I have seen that /etc cannot be located on a separated partition.
Why can it be not on an extra partition?
Because it is the directory that contains the lists first shell script
which must be run, /etc/rc. Same reason that /sbin cannot be a
different mount point, because then you cannot get at
Is anybody using 802.11a with ath?
The manpage lists a/b/g as working, although g definitely doesn't work
for me, only b does. Now I'm curious if anything besides b actually
works before I buy an antenna for a.
Or is it just my cards? If not, why isn't there a note about this in
the
Yep, the developers magically do more in the 6 months preceding 4.0
than the 6 months preceding any other release. That's definitely how
it works.
We've been holding back about 50% of our work for each of the previous
4 releases, and now we are going to throw all those very large things
into
Can someone confirm or negate if this is a correct possible use of
trunk. I have two 'external' interfaces (em1 em2) which grab
dynamic IPs from my ISP. I have a single 'internal' interface (em0)
which is bound to my internal network 10.10.50.0/24. I boot, receive
the dynamic IPs on each
Pre-orders will be up soon, very soon...
I did a checkout of 3.8 today (I installed from CD, so figured a source
update would be good), did config GENERIC, make clean && make depend &&
make, installed it, and now I have an odd beginning to the dmesg.boot:
$ head /var/run/dmesg.boot
686-class) 3.40 GHz
cpu0:
I am in the process of setting up an OpenBSD / OpenBGPD core router for
a small local ISP (two 20mbps upstreams, simple setup).
OpenBGPD's config seems OK, but I need some help about OpenBSD's tunable
parameters using sysctl.
The idea is that you shouldn't need to change any options.
I would like to remind our community that our project lives and
breathes because of the sale of CDs and the receipt of donations. In
the last few years a few very large donations have allowed our
hackathons to happen, but other than that we are always digging
ourselves a bigger and bigger hole.
On Wed, Mar 08, 2006 at 07:59:02PM -0500, jared r r spiegel wrote:
only thing i guess i can offer is:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=108215148805896&w=2
and to say that i've used a 1401 on a desktop and 1411s in soekris
4801s without issue(*) from 3.7 on up to
However, I don't think that's the gist of the message. OpenBSD is being
used by large companies in significant roles and few or none are kicking
in money. If anyone here works for/with such a company and can influence
them then consider trying to get them to send money to the project. If
Considering your input to this thread about donations wouldn't it be
smart to make it a little easier to find the donations pages?
I see nothing about where to do donations there or anywhere in
this thread.
Donations can be made in exactly the same place where orders for our
items are
I would like to thank whoever it is that (perhaps a year or two ago)
sent me a Japanese Sun type 6 USB keyboard. I have experienced very
few things as painful to use in my life, and it is making me more
humble.
I'm planning to buy a zaurus sl-c3200 (the latest zaurus 3xxx model).
Please note that you would be the first person. None of us have the
C3200 yet.
I had a look at the latest zaurus snapshot directories (on
ftp.openbsd.org) and saw that the choice of available pre-build
packages is highly
Am I missing something? Are snapshot not available anymore?
We've just finished building the 3.9 release, and will soon
start making -current snapshots available again.
Hold on.
I would like to educate people of something which many are not aware
of -- how X works on a modern machine.
Some of our architectures use a tricky and horrid thing to allow X to
run. This is due to modern PC video card architecture containing a
large quantity of PURE EVIL. To get around this
Are these new programmable cards capable of reading main memory, which
OpenBSD would not be able to prevent if machdep.allowaperture were
set to something other than 0?
Yes, they have DMA engines. If the privilege separated X server has a
bug, it can still wiggle the IO registers of the
Danilo Piazzalunga wrote:
Steve Shockley wrote:
Danilo Piazzalunga wrote:
Are snapshot not available anymore?
Hello,
I have been looking for 3.9 snapshots for i386 on OBSD mirrors and I can
not find the X stuff there. Is it a matter of waiting more time until
they appear
There are serious bugs in sasyncd. Please do not use it yet. Instead
perhaps (like me) you can encourage the developers who wrote it to...
finish it.
Are these messages normal for a carped pair of firewalls running isakmpd
with sasyncd (3.8-stable)?
FW1/master - /var/log/message:
Mar 16
I'm trying to get a better idea about how my stuff performs, and am
now looking for ideas on where any changes on art(4) interfaces are
recorded. Can we please have some general play loud option that would
send everything to syslog using eg. kern.info? Seeing malloc() failures
is
Link state changes are generally not logged by the kernel.
Only lmc(4) and sppp(4) tend to fill the syslog with useless status
messages. The other interfaces I use seem to behave.
well, in general I agree with you, but I think that the special nature
of WAN lines warrants special
I was wondering, if anybody knows, if / when the embedded fingerprint reader
of certain ThinkPad notebooks (like in my T42p) will be supported in OpenBSD,
since UPEK already officially supports Linux FreeBSD
(http://www.upek.com/support/dl_freeBSD_bsp.asp)?
Go ahead, recompile it. And if
On Mon, Mar 20, 2006 at 01:00:57AM +0100, OpenBSD Prospect wrote:
Hi!
I was wondering, if anybody knows, if / when the embedded fingerprint
reader
of certain ThinkPad notebooks (like in my T42p) will be supported in
OpenBSD,
since UPEK already officially supports Linux FreeBSD
I have a disk from an Alpha server that I need to get data from... The
Alpha server no longer boots, and I don't have the time right now to
diagnose the problem. So I took the disk and lashed it into a Sun Ultra60,
which is also running OpenBSD. My problem is that I can't remember all of
the
After reading the Packet Logging Through Syslog section of the pf FAQ
I decided to try a different approach. Now that it's working (for my
system and needs) I'm wondering 1) Is it (relatively) safe? 2) Is it
useful to others? and 3) Did I re-invent something already available I
missed?
Isn't the load a function of what I choose to log in pf.conf?
I'm not talking system load. The logging operation you have created
is expensive.
Is that why /snapshots/packages/i386/ is not available?
During the 3.9 release cycle BUILDS we run out of space in our FTP
partition temporarily. And so do quite a few mirrors -- so we are
cautious in this regard.
The packages for one release are 19GB. Considering that most FTP
sites contain
you Theo, have the luxury only few have
Actually the real luxury all of us have is that we can delete mails
from people who only think of themselves.
WE make it possible for YOU Theo to do this.
so don't tell me i am lucky to use openbsd.
Fine. So stop making it possible for (not me), but
it would be interesting to know about how MUCH money donated
to the openbsd project you all are REALLY talking here...
In the last month about 1/5th of what we need to run in a year
has been donated.
Sad, eh. 350 donation transactions in one month. I had no idea
that the OpenSSH deployment
Frantisek Holop, if you are so thankless towards our efforts,
please stop posting to our mailing lists. PLEASE stop running
any software we write. I know I am not alone when I ask this
of you.
We have nowhere to start. Alberta does not care about what we do.
This is an oil place, not an IT place.
thankless? you sir, are the most thankless project leader
i have ever seen in my life.
We thank with code. We don't come shower people with nice words.
We write code.
i have been advocating openbsd since the 2.6 times
and buying cds/shirts/posters since i started making
money. wim can
I read that FTP is becoming far more popular than CDROMs as a means
of obtaining OpenBSD. If this is because it's more convenient (vs. folks
just being too cheap) then it might make sense to sell downloadable
official (copyright Theo de Raadt) ISO images of releases as well as
CDROMs
Until earlier today I was unaware that it is much easier for Europeans
to donate via direct bank transfers. Apparently bank transfers,
compared to paypal or credit card transactions, are more reliable,
more secure, and very inexpensive. (Between countries in the Euro zone
they may not cost more
I did not mean to step on another sacred cow - I really only wanted to
suggest redirecting this thread toward workable solutions.
The problem is that many of the workable solutions people are
suggesting are completely ridiculous.
They are in the category of Cater to me, the entire world is
http://www.digg.com/linux_unix/OpenBSD_needs_a_major_donor
http://bsd.slashdot.org/article.pl?sid=06/03/21/1555243
No one seems to care (unless donations have shot up and Theo, et al.
haven't mentioned it)
From what I see, we have received a mini flood of donations, which
means there will
So it's probably easier to get a company
to order a few hundred CDs instead of a donation.
By the way, the golden CD signed by all core
developers for $9000 might just be the thing
to add to the store. :)
After it costs $8500 to get it Fedex'd back and forth all over the
world to
I don't actually understand what that whining about tax deduction is
about.
My guess is that it's not about the tax deduction in
itself (although that certainly helps), it's about
the receipt.
Companies very much like to generate a proper paper
trail when they hand out money, and
Realistically, I can't offer my services out for free at more than 8
hours per customer. If someone wants to pay me above and beyond,
with the extra funds earmarked for a donation to OpenBSD, I'll gladly
pass the money on to the project.
Jason, get real -- everyone is entitled to you
Is there that much difference between the [IBM laptop] T and Z series?
Reportedly, yes. A lot of the Z machines no longer have apm(4)
support, so they will have to wait for our acpi(4) support to be
better.
Hmm. The last time money was short I unselfishly offered my time to help
raise
money, because I wanted to help.
I have been the recipient of hundreds of these I want to help
letters.
In this last donation drive I have received over 200 letters, and then
had to spend a lot of hours going
Hi All, Could anyone please tell me if the book Building firewalls with
OpenBSD and PF (found at Amazon), would still be applicable today, or is
it a bit outdated. Thank You Danny
A few small things have been added to pf since. More significantly,
some much larger networking features
I've spent a good bit of time looking at source code, forums, and
archives and am still having trouble. I'm running an OpenBSD 3.8
GENERIC#138 i386 server with a Soekris card with hifn drivers.
dmesg says:
hifn0 at pci0 dev 14 function 0 Hifn 7955/7954 rev 0x00: LZS 3DES ARC4
MD5
I assume this is an obvious question, but I just wanted to be sure. Was
the release that was sent to the CD manufacturer created before the 3.9
001 errata?
Yes.
Luckily within a few months you will be able to tell Sendmail how
to disclose their bugs because their next version is going to come
out with a much more commercial licence. Then you can pay for it,
and then you can complain too.
Is this a hint that there might be a license issues that
Some crypto cards are based on a supported chip, but are simply
re-branded. I took a brief look at the Cavium and it looks like they
have their own chips. We don't have support for those. They also state
they have drivers for FreeBSD. Perhaps you can talk them into making
a BSD-licensed
Glass is hard to ship.
Is there any plan to support the blksize option in libexec/tftpd?
I am unaware of any. Perhaps the guy who lacks hacked in there will
reply to you.
Does anybody else find it strange that tftp-hpa was based on openbsd
code, but no longer compiles on openbsd?
I am not surprised at all.
I
For those who have not noticed yet, the 3.9 song is available at
http://www.openbsd.org/lyrics.html
Enjoy!
iic0 at nviic0
sch5017 at iic0 addr 0x2e not configured
iic0: addr 0x2e 00=00 01=00 02=00 03=00 04=00 05=00 06=00 07=00 08=00 09=00
0a=00 0b=00 0c=00 0d=00 0e=00 0f=00 10=00 11=00 12=00 13=00 14=00 15=00 16=00
17=00 18=00 19=00 1a=00 1b=00 1c=00 1d=00 1e=00 1f=ec 20=65 21=7a 22=c2 23=c4
Basically, is the PCI bus a bottleneck for crypto card or is it the
chip on the card?
No.
The scatter gather interface is the bottleneck. This is normally
setup a bit like an ethernet or scsi chipset's outstanding operations
list, but you need to be able to cut virtual address ranges into
Pre-ordering does usually mean you get the cds quite early. However
there is no guarantee this happens BEFORE the official release date.
Sometimes the plant is slow. Sometimes the plant is fast. Sometimes
the printed art comes back early, sometimes it does not.
Here's a little surprising
Two developers who don't have a lot of money recently had their
laptops die -- laptops which other project developers gave them in the
past.
We would love it if some people could donate some.
One is Brad in Toronto, and the other is Joris in Dominica (yes, the
island -- one could argue that
From: [EMAIL PROTECTED]
Should each user have access to his/her own passwords, and
nothing else?
Which user can change which password(s)?
The security model can be something like 'john belongs to pay_group,
so he can read and maybe write (if group administrator) passwords of
1) we get the list twice due to the nviic detecting two iic's
Some vendors make an error of wiring the same chip to both i2c
busses.
Other vendors use two of the same chips, one on each i2c bus.
Obviously we cannot tell these situations apart, so we err on the
side of displaying more, even
Regarding running 3.6:
I guess this answers my question. Although logging would have helped me
today, I don't consider it worthy of upgrading. My servers are 400km away...
If I publicly gave all of you 10 reasons why you should not run code
that old, would you upgrade?
Would there be a benefit to use the pkg_ tools to install and manage the
install sets?
Good luck fitting the pkg_tools and perl onto the install floppies.
Congratulations to the team...
http://www.thehostingnews.com/article2217.html
Hmm? Hopefully it seems that Mozilla's donation has kicked off a
scrambling of companies to buy bragging rights about donating to
OpenBSD. Yay?
A few things with a few vendors and larger company-users are
As some of you have heard before, Sun has said no because they
consider OpenSSH to be a competitor to OpenSSH. Just can't make
some of this stuff up
Do you mean SunSSH or is that actually the truth?
Oops:
As some of you have heard before, Sun has said no because they
consider
The raid(4) codebase is old, unmaintained, and known to have issues.
That's one of the reasons it's not in the stock kernel.
Oh I thought the OpenBSD team was silently discouraging people from the
practice of using software RAID. :}
No. We just wish we had newer and better code. We
think about why this is undesirable and practically impossible for
five minutes. (hint: you are confusing DNS names and network addresses,
and making incorrect assumptions about how both DNS and pf work).
Well what if *.site.domain meant find all IP addresses mapped to this
domain and
Give it time -- FPGA's are getting more and more academic attention
every year, and our computer engineering students are getting more
opportunities to work with them in school. Before long, the support
and demand will catch up to their potential.
Your optimism is entirely misplaced and
http://www.openbsd.org/plus.html
Which is the page that shows:
Changes made between OpenBSD 3.9 and OpenBSD-current
points to http://www.openbsd.org/portsplus/index.html
which hasn't been updated since Feb 05.
It is a lot of work. We do it when we can.
This should either be updated
I wonder why http://www.openbsd.org/books.html still recommend old
daemon book, The Design and Implementation of the 4.4 BSD Operating
System?
As most of you know, there's newer version, The Design and
Implementation of the FreeBSD Operating System.
Because the old book is still more
002 patch for 3.9 says crash it and to execute malicious code within
the X server.
What side of the privilege separated X does this apply to?
If you had read the paper Loic gave at cansecwest, the real answer is
it does not really matter. Unfortunately only about 1% of the people
who read it
I'm looking for some hints on evaluating load average.
You can't. It's a statement about job queue lengths, not about how
busy a machine is. And since different operating systems (and even
different versions) have made various tweaks to it over the years, it
is essentially a set of values you
Your mistake is very simple. I will mark it in your message:
Hi people, i want to set a rate limit in my proxy server, i have 2mbps
and i want to limit the proxy to 768kbps, reading the pf faq i found
some examples, but its not working, i only want to limit the bw, not to
do qos, i only
I've been running a Debian based firewall for a number of years and have
a need to update the hardware, so have decided to change the OS over to
OpenBSD at the same time.
The box has 4 NICs(identical make/model) and by using 'ifrename' I'm
able to specify which NICs are assigned each
There's no solution because there's no problem. OpenBSD doesn't randomly
reorder interfaces for no reason.
So the order in which the cards are detected is deterministic and never
changes? I'm not being a smartass, I really want to know.
We have worked very hard at this. On a particular
There may be a race in usb for how devices respond, but I bet it is small
and not really that worrying. One day maybe someone can look at it.
Is there something to look for there? My limited experience with usb on
OpenBSD leads me to think every thing comes in with the same order by
The Lantronix solution is actually the old Lightwave communications
console server line. The founders of Lightwave went off and started a new
company doing the same thing called Logical Solutions (think logical). It
would be nice if companies making money off of selling secure console
Diana Eichert wrote:
company doing the same thing called Logical Solutions (think logical). It
would be nice if companies making money off of selling secure console
servers would give some back to the OpenSSH project.
Let me put it this way: Is there any serial console server vendor who
http://marc.theaimsgroup.com/?l=openbsd-misc&m=114657401630096&w=2
If I understand correctly from what I've been told, this is not a
hardware
issue but an 'X' issue.
It is the job of the operating system to shield the hardware from
userland processes. That's what every operating system does.
Marc Aurele La France: Contrary to what too many security pundits think,
limiting root's power doesn't solve anything. Like bugs, security issues
will forever be uncovered, whether they be in setuid applications like an X
server or in a kernel itself. The trick, it seems, is to
I was looking through the list of wireless PCMCIA cards known to be
supported from the man page for wi(4), but it appears that all of those are
just 802.11b cards. I'd prefer to get one that also supports g mode
Any recommendations?
Different drivers for different devices:
an (4) -
As mentioned before, I have a new server with the LSI MegaRaid
SATA150-4 card. All works nicely at the moment, bar a slight problem
with hot-spares.
We configured a RAID-5 array with three 250Gb drives and one hot
spare. We simulated a failure by yanking the cable out from drive 2,
.
# pas on re0 from any \ #
# to any port 59#
.
is it expected behavior that pfctl complains about a space after the
backslash, DESPITE the line being a comment?
Or is there a good reason
For something being worked on at the hackathon, we would love to
borrow at least one SAS drive (serial attached scsi). Obviously SAS
is rather new and the drives are hard to find, so that is why I am
asking. If anyone has one, please reply to me directly. Thanks.
On 5/26/06, Christopher Snell [EMAIL PROTECTED] wrote:
It seems like every major laptop manufacturer is locked into Intel
CPU, graphics, WiFi, and sound and that there's no chance in hell that
Intel will release specs on these. What is the future of laptop
support for free Unices? Will
Can OpenBSD (at least v3.8 or the latest release) run on Sun's
AMD64-based SunFire x64 servers? Thanks!
As of today (as far as I know) all of them. So yes.
Index: sys/dev/usb/usb_quirks.c
===
RCS file: /data/cvsroot/OpenBSD/src/sys/dev/usb/usb_quirks.c,v
retrieving revision 1.22
diff -u -r1.22 usb_quirks.c
--- sys/dev/usb/usb_quirks.c 14 May 2006 12:00:04 - 1.22
+++
On 6/2/06, Winston [EMAIL PROTECTED] wrote:
I have tried the following command to get the hw crypto to work:
openssl speed des-cbc -engine cryptodev
But the result I got is pretty much the same if I don't specify the
cryptodev engine.
The crypto card I have is hifn7956.
Who made the
Is reading the sensor.desc the right way to do this, and if so, is the
information in sensor.desc consistent across all drivers?
When it comes to i2c devices, we have no idea what a particular pin
on the measuring chip is wired to. There is just no information at all.
Only the vendor knows.
We are looking for one Sun Blade 1000/2000 in the Washington DC area
for Jason Wright. If anyone can help, please contact [EMAIL PROTECTED]
If another can be easily gotten to Mark Kettenis in Assen, the Netherlands,
that would be great. Please cc me on mail to [EMAIL PROTECTED],
since he is
The fact that a company restricts documentation to US download to satisfy
export concerns is quite valid. If the TERMS of the license ON the
documentation are 'unrestricted use', that's where we need to direct our
attention.
But that is not the point of the whole problem. The issue is
Just an idle thought: are there any plans to put information from
bioctl into some sensors that would be accessible by sysctl -a? It's
(marginally) easier to parse information from the sysctl output than
from bioctl itself.
In -current you get this:
hw.sensors.69=sd0, ami0 0, drive
Though slightly OT, might be of interest.
http://www.cert.org/secure-coding/managedstring.html
This is written by people who just don't understand the problem space
or the solution space.
Let me summarize;
If people can't handle something as simple as C strings, don't try to
shove
My doubts may seem foolish, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security flaw?
Oh come on.