tcpdump and 802.1d-support?

[Sebastian Rother]

Is it planed that tcpdump will get support for 802.1d-Packets?
Currently it reports that this type is an unknown packet-type.

Kind regards,
Sebastian

Re: IBM Thinkpad X40, which model?

[Zoong PHAM]

On Wednesday, 25 January 2006 at 15:17:27 +0800, [EMAIL PROTECTED] wrote:
 I wonder which model is supported best by 3.8 or the coming 3.9.
 
 2371-HSM works just fine on 3.8  current.

Can hibernate work in X mode for that model ?

 CPU speed, video graphics, Wifi, etc... are not that important to me.
 The X40 comes with 3 macs out of the box...it's BUILT for wifi...
 I suggest you look elsewhere.

No. What I really mean is 10Mbps or 54Mbps Wifi is no much a worry for
me. Same as 1MB or 2MB cache.

I have decided the X40.
I want this laptop to run only OBSD and I travel a lot so I want a light
weight one.
I just want to know from the experience of the users in this list which
particular model of the X40 works best in 3.8.


Thanks,
Zoong

Re: SSH publickey authentication - identity logging

[kami petersen]

Spruell, Darren-Perot skrev:

From: Joachim Schipper [mailto:[EMAIL PROTECTED]
Our situation is that we have a user account that multiple 

people have
access to log into to retrieve files. Each user 

authenticates to that

account with their own SSH key. Current log entry shows:

Jan 24 11:01:20 sftp sshd[23555]: Accepted publickey for 

transfers from

10.2.58.44 port 1420 ssh2

Would be useful to have information logged for the 

connection identifying
the key used to authenticate, by the key comment if 

possible. Does sshd
already have this capability? Would anyone consider this a 

useful feature

addition?

Only if you can provide a good reason this can not be implemented as a
couple of users and a shared group, combined with a group-writable
directory.


We require that the users be chroot'd to the home directory, so we'd
probably have to break the chroot to have a commonly writable directory...?
 


sharing user accounts should be avoided if possible. i can't see why 
your situation would demand parting with good practices, if there aren't 
more particularities that you have left out.


tips:

* use permissions and directory structuring creatively.
* you don't have to chroot all the way to the actual homedir.
* users don't even have to have separate homedirs.
* contenmplate what user privileges don't mix with chrooting.
* test, test, test.

Re: SSH publickey authentication - identity logging

[Joachim Schipper]

On Tue, Jan 24, 2006 at 04:31:39PM -0700, Spruell, Darren-Perot wrote:
 From: Joachim Schipper [mailto:[EMAIL PROTECTED]
   Our situation is that we have a user account that multiple 
  people have
   access to log into to retrieve files. Each user 
  authenticates to that
   account with their own SSH key. Current log entry shows:
   
   Jan 24 11:01:20 sftp sshd[23555]: Accepted publickey for 
  transfers from
   10.2.58.44 port 1420 ssh2
   
   Would be useful to have information logged for the 
  connection identifying
   the key used to authenticate, by the key comment if 
  possible. Does sshd
   already have this capability? Would anyone consider this a 
  useful feature
   addition?
  
  Only if you can provide a good reason this can not be implemented as a
  couple of users and a shared group, combined with a group-writable
  directory.
 
 We require that the users be chroot'd to the home directory, so we'd
 probably have to break the chroot to have a commonly writable directory...?

I don't know what method you use for that, but quite a few are flawed.
It's not part of stock sshd last I checked, either. (Though it'd be
neat.)

Anyway, create a /home/workgroup in which to chroot,
/home/workgroup/shared for the group-writable documents, and
/home/workgroup/dave and so on for the users. This, of course, breaks as
soon as someone is in more than two groups (some hacks might still be
possible, but this will soon grow out of control).

  However, as to an actual solution, use the command= syntax in
  authorized_keys (see sshd(8), under 'AUTHORIZED_KEYS FILE FORMAT', as
  was pointed out to me on misc@ this week) to differentiate 
  between keys,if desired.
 
 It's not occuring how a command= option could be used to provide logging of
 which key was used to authenticate as that user. What did you have in mind?

Something like

command=/usr/local/bin/logme dave,no-port-forwarding,no-X11-forwarding
---hexblob for the key--- dave

With
#!/bin/ksh

/usr/bin/logger -t Dave logged in
exec $SHELL

Of course, a compiled version of the above resists problems with the
environment scrubbing a lot better, and might be preferable.

This is not perfect though, as it is possible to run ssh without
executing a command. no-port-forwarding and no-X11-forwarding take away
any useful application of this, as far as I know.

It is also inconvenient, as I rather like the ability to run a quick
command on a remote host, but it does work.

Joachim

Re: webstore software: safe and configurable?

[Joachim Schipper]

On Tue, Jan 24, 2006 at 04:45:53PM -0700, Bob Beck wrote:
  However, all this mitigating points taken together do not suffice to
  convince me that PHP is the language to choose if you want to lead a
  quiet, secure life.
 
   Language has very little to do with it. The code that is
 written in the language is ususally the problem :)
 
 ...
 
  [1] Though this is a bit of an abuse in statistics; open source web
  applications are full of easy-to-find holes, and since PHP has almost a
  monopoly there and is almost never used elsewhere, so are almost all PHP
  applications. It would not be unreasonable to say that a large portion
  of web applications is just badly written.
  The point stands that PHP makes it too easy to write bad code, but
  still.
 
 ...
 
   People write bad code in everything. The way people write software
 and heave it out the door to the slobbering masses that don't care
 about how bad it works has everything to do with it.  Nothing will
 change until programmers of the applications are in general, smarter.
 That won't change without some evolutionary pressure to make them so,
 the only thing that will do that is people refusing to run crap and
 pushing back. Turning I don't like running crap into I don't like
 running language X is not helpful in this regard - the crap writers
 just move to another language-du-jour, make another application and
 pop up somewhere else - it's like playing whack-a-turd.  I don't
 like running crap no matter what it's written in. 
 
   Yes, I'm sometimes forced, I spent today fixing imp/horde and mysql
 issues. My crap-o-meter is overfull, I feel dirty - someone needs
 to send me some nice wholesome german scheisse porn so I can be
 convinced that not all the world is so smeared full of crap as
 the software I spent today looking at.

All good points. That, however, still leaves my point standing that by
evading PHP, you evade the worst crap.

I agree that it's possible to do really stupid things in any language
(though I think PHP makes it far too easy[1][2]), and that webmonkeys
(sorry, web application developers who have not yet reached the epitome
of their art) will always write crap in whatever the language-du-jour
is.

On a side note, hand-writing your own web scripts helps you evade almost
all of the crap - or at least, it'll be *your* crap. However, since one
has to deal with the pile of crap that is MSIE anyway (--- long rant
deleted ---), best to steer clear of web development at all. Which, on
a side note to this side note, does a very good job; The Crap is still
Out There, of course, but being rid of it as soon as you close your
browser is a good thing.

All this has no bearing on the fact that PHP, as a language, has a lot
of holes. This is independent of the programs you write in it, though
only having well-written programs on a server might make the problems
(almost) impossible to exploit.

As to IMP, I still haven't got it working. Might have something to do
with my reluctance to run two versions of PHP, and my unwillingness to
indulge crap that still demands PHP4. Another try coming up, probably...
(though at least I can use PostgreSQL, which I far prefer to MySQL).

Joachim

[1] Whoever made up such works of genius as register_globals, regexes
which execute stuff, and XML-RPC: all the world thanks you for it.
[2] I've also heard it say that quite a few modern scripting languages
are far too easy; this might be, to some extent, true, as a language
like C - full of obscure portability problems, NULL dereferences,
hard-to-find bugs which only rear their ugly head to shout SIGSEGV once
in a while - does scare off most of the monkeys. Then again, at least
PHP doesn't have buffer overflows (or, rather, at least programs written
in PHP don't/shouldn't have buffer overflows).

Re: IBM Thinkpad X40, which model?

[Kevin Foo]

Zoong,

Perhaps you should take a look at: http://www.openbsd.org/i386-laptop.html

--
Warm regards,
Kevin Foo

Key fingerprint : 4B23 FC1C E50B 9693 CCDD  2A7D A048 E909 8924 9BDD
Public key :
http://keyserver.linux.it/pks/lookup?op=getsearch=0xA048E90989249BDD


On Wednesday 25 January 2006 17:14, Zoong PHAM wrote:
 On Wednesday, 25 January 2006 at 15:17:27 +0800, [EMAIL PROTECTED]
wrote:
  I wonder which model is supported best by 3.8 or the coming 3.9.
 
  2371-HSM works just fine on 3.8  current.

 Can hibernate work in X mode for that model ?

  CPU speed, video graphics, Wifi, etc... are not that important to me.
  The X40 comes with 3 macs out of the box...it's BUILT for wifi...
  I suggest you look elsewhere.

 No. What I really mean is 10Mbps or 54Mbps Wifi is no much a worry for
 me. Same as 1MB or 2MB cache.

 I have decided the X40.
 I want this laptop to run only OBSD and I travel a lot so I want a light
 weight one.
 I just want to know from the experience of the users in this list which
 particular model of the X40 works best in 3.8.


 Thanks,
 Zoong

[demime 1.01d removed an attachment of type application/pgp-signature]

FSC D1627-C and hw.sensors

[Jan Johansson]

Hello.

I have a Fujitsu Siemens D1627-C motherboard and with OpenBSD
3.9-beta (dmesg at end) I can not see any hw.sensors.

# /sbin/sysctl hw
hw.machine=i386
hw.model=Intel(R) Pentium(R) 4 CPU 3.20GHz (GenuineIntel 686-class)
hw.ncpu=1
hw.byteorder=1234
hw.physmem=1072717824
hw.usermem=1072488448
hw.pagesize=4096
hw.disknames=cd0,cd1,wd0
hw.diskcount=3
hw.cpuspeed=3192
hw.setperf=100

In Microsoft Windows XP (SP2) I use the program SpeedFAN, which
prints the following log

Win9x:NO  64Bit:NO  GiveIO:YES  SpeedFan:YES
I/O properly initialized
Linked ISA BUS at $0290
Linked Intel 82801EB ICH5 SMBUS at $2000
Scanning ISA BUS at $0290...
SuperIO Chip=LPC47m967
Scanning Intel SMBus at $2000...
FS Hermes (REV=$10) found on SMBus at $73
SMART Enabled for drive 0
Found WDC WD2500PD-07FZB1 (250,1GB)
End of detection
Error loading event --
  CfgVersion=01.0001
  EventsVersion=01.0001
Loaded 0 events

and then shows

Fan1: 0 RPM
Fan2: 1320 RPM
Fan3: 1400 RPM

where Fan1 seems to be a ghost without connector, Fan2 is the CPU
fan and Fan3 is an extra fan connector on the motherboard. It
also shows

Temp1: 35 C
Temp2: 26 C
Temp3: 127 C
HD0: 23 C

where Temp1 is the CPU temp, Temp2 is some kind of case temp and
Temp3 always says 127 C. HD0 I think is read from SMART. It also
shows the voltage for +12, +5 and vbat.

Is this and odd Fujitsu Siemens sensor that OpenBSD does not yet
support?

Jan J

OpenBSD 3.9-beta (GENERIC) #591: Thu Jan 19 12:32:39 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz (GenuineIntel 686-class) 3.20 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,CNXT-ID
real mem  = 1072717824 (1047576K)
avail mem = 972111872 (949328K)
using 4278 buffers containing 53739520 bytes (52480K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c0) BIOS, date 10/11/04, BIOS32 rev. 0 @ 0xfd6c0
apm0 at bios0: Power Management spec V1.2
apm0: AC unknown, no battery
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6c0/0x940
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdef0/240 (13 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xd000 0xcd000/0x1800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G/PE/P CPU-I/0-1 rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82865G/PE/P CPU-AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon 9200 PRO rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ATI Radeon 9200 PRO Sec rev 0x01 at pci1 dev 0 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 9
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 5
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci2 at ppb1 bus 2
fxp0 at pci2 dev 8 function 0 Intel PRO/100 VE rev 0x02, i82562: irq 11, 
address 00:30:05:60:93:05
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
fxp1 at pci2 dev 11 function 0 Intel 8255x rev 0x0c, i82550: irq 10, address 
00:02:b3:2b:b2:89
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
vendor Conexant, unknown product 0x8800 (class multimedia subclass video, rev 
0x05) at pci2 dev 13 function 0 not configured
vendor Conexant, unknown product 0x8811 (class multimedia subclass 
miscellaneous, rev 0x05) at pci2 dev 13 function 1 not configured
emu0 at pci2 dev 15 function 0 Creative Labs SoundBlaster Audigy rev 0x04: 
irq 5
ac97: codec id 0x83847650 (SigmaTel STAC9750/51)
ac97: codec features headphone, 20 bit DAC, 20 bit ADC, SigmaTel 3D
audio0 at emu0
Creative Labs SoundBlaster Audigy Digital rev 0x04 at pci2 dev 15 function 1 
not configured
Creative Labs Firewire rev 0x04 at pci2 dev 15 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE 

Online Account Access

[NYCE CORPORATION]

[IMAGE]

Dear NYCE Corporation valued member,

our company recently issued a new feature regarding our services to you,
Online Access to your accounts!
Accessing your NYCE account over the Internet is easier than you might
think! Check balances, get transaction
histories, pay bills, transfer funds and more. Please take 10 minutes off
your time, access the link bellow, and
get started on enrolling yourself!

http://online.nyce.net/

) 2006 NYCE CORPORATION, Member FDIC. Equal Housing Lender

Thank You for your prompt attention to this matter!

* Please do not reply to this message. For any inquiries, contact
Customer Service.

[IMAGE][IMAGE]

Re: SSH, sftp-server subsystem not logging to utmp ?

[Lukasz Sztachanski]

On Mon, Jan 23, 2006 at 11:10:16PM +0200, turha turha wrote:

 users are added, I'm guessing sftp-server doesn't inherit this functionality
 from ssh either, so is there any place to adjust the behavior ? or am I
 supposed to use some other tool to monitor sftp usage ?
 
authlog shows: date host sshd[pid]: subsystem request for sftp
after( obviously) succesfull login, and lastcomm(1) gives some info too. 


- Lukasz Sztachanski


-- 
0x058B7133 // 16AB 4EBC 29DA D92D 8DBE  BC01 FC91 9EF7 058B 7133
http://szati.blogspot.com
http://szati.entropy.pl

Possible implication of a Sendmail on OpenBSD 3.8 in a spam attack

[Gabriel George POPA]

 Sorry to bother you, but I would like to show you some aspects 
about how a Sendmail running on an OpenBSD 3.8 system can be involved in a 
spam attack. I'm not quite sure that OpenBSD 3.8 or Sendmail are exploitable, 
but I would like some help to clarify this problem.
   More precisely, one day I've noticed that /var/spool/mqueue was full with 
3 messages (in fact return messages, showing that some servers including 
Yahoo! do not accept some mails from me). I've noticed that the mailstats 
command reports 13 (!!!) messages sent (!) outside. My computer is a 
small server running OpenBSD 3.8, MySQL+PHP+Apache for the website; it's a 
FRESH install so that I don't think it's a problem in the system. I have around 
30 users that use POP3+Outlook Express to send and receive their mail messages.
   The problem is that I have antispoofing on, scrub in all; some suspect 
(probably Windows machines from the neighbouring departament which are  supposed
to have some viruses are bloked through the PF). I also have NAT for my local 
network (192.128.x.x) and ip forwarding for the global addresses. 
   Relaying is stopped so this could not be a problem (Yahoo! asks me if I am 
am open-relay!). 
   My machine seems quite secure, but I cannot say why my machine sends so much 
mail messages (day  night). Maybe some accounts are compromised, but I have no 
way of determining this. How can I see how many mail messages a user sends?
   I don't think this is an ordinary problem. I have some experience on 
FreeBSD (2 years) and on OpenBSD; moreover, I have 2.5 years of experience 
with GNU/Linux systems. Maybe this is a simple problem, but I can't solve 
it all by myself and thus I now requested help from our great OpenBSD community.
   My OpenBSD 3.8 system was not patched and the kernel was not recompiled.
   Thank you very much for your attention and I hope someone can help me with 
this (could it be  problem with Sendmail on OpenBSD 3.8? - I really don't think 
this could happen).

Respectfully yours,
  George Popa

Re: Possible implication of a Sendmail on OpenBSD 3.8 in a spam attack

[James Strandboge]

On Wed, 2006-01-25 at 14:09 +0200, Gabriel George POPA wrote:
  
 small server running OpenBSD 3.8, MySQL+PHP+Apache for the website; 

I'd look here.  Check out:

http://secunia.com/advisories/17763/

You didn't post anything from maillog or headers of a rejected message,
so this is only a guess.  You need to look in /var/log/maillog and see
where those messages are coming from.  Also, look in php.ini and turn on
debugging.  Try disabling the php application and see if the messages
stop.

-- 
James Strandboge
[EMAIL PROTECTED]

Security announces

[Rob W]

http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018 looks like 
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147r2=1.148

OpenBGPD status

[Claudio Jeker]

Over the last few weeks a lot of developement happened in OpenBGPD.
Many minor bugs were found and fixed. Additionaly some memory leaks were
plugged and the overall memory consumption was reduced. Now this would not
be enough to make me write such a mail but we added a new important
feature: Softreconfig in.

Since a couple of month OpenBGPD was already doing softreconfig out. In
other words on configuration reloads the output filter are rerun and
the announced prefixes are correctly updated. Now with softreconfig in
we do the same thing for the incomming filters. So reloading bgpd no
longer results in unexpected RIB contents until you clear all sessions.
Now the RIB is adjusted on reloads and so the result is always consistent.
In the end it is no longer necessary to clear sessions on reload or even
restart bgpd.

To implement this feature many complex changes had to be done in the RDE.
Instead of duplicating every update and store it in different tables
OpenBGPD merges these tables and so only changed entries are duplicated.
This will reduce the memory overhead of softreconfig in drastically.
Both zebra/quagga and ciscos bgpd double more or less the memory
consumtion if softreconfig in is enabled.

So OpenBGPD users this is now a good time to install a -current snapshot
on your test machines and play around with these new feature(s). This will
help us to make softreconfig as solid as the rest of OpenBGPD.

Thanks 
-- 
:wq Claudio

PS: here some small statistics from one of my test systems.
The box is a Via C3 with 512M RAM and 11 full feeds
# bgpctl show rib mem
RDE memory statistics
177558 IPv4 network entries using 5.4M of memory
   1920275 prefix entries using 58.6M of memory
355777 BGP path attribute entries using 23.1M of memory
324123 BGP AS-PATH attribute entries using 9.6M of memory,
   and holding 355777 references
  7188 BGP attributes entries using 169K of memory
   and holding 289419 references
  7187 BGP attributes using 122K of memory
RIB using 96.9M of memory

Re: Possible implication of a Sendmail on OpenBSD 3.8 in a spam attack

[Alexander Bochmann]

...on Wed, Jan 25, 2006 at 02:09:58PM +0200, Gabriel George POPA wrote:

  Yahoo! do not accept some mails from me). I've noticed that the mailstats 
  command reports 13 (!!!) messages sent (!) outside. My computer is a 
  small server running OpenBSD 3.8, MySQL+PHP+Apache for the website; it's a 
  FRESH install so that I don't think it's a problem in the system. I have 
  around 
  30 users that use POP3+Outlook Express to send and receive their mail 
  messages.

It's quite unprobable that your box can be used as 
relay without some additional software or some sort 
of configuration problem.

How about some more info on what you are running on that 
web site? The usual feedback script abuse comes to mind.

Also, you have all the logfiles on your machine, try to 
single out a specific spam message (I assume you have a 
few samples) and find out how it came into your system. 

Alex.

Re: Possible implication of a Sendmail on OpenBSD 3.8 in a spam attack

[Stuart Henderson]

On 2006/01/25 14:09, Gabriel George POPA wrote:
More precisely, one day I've noticed that /var/spool/mqueue was full with 
 3 messages (in fact return messages, showing that some servers including 
 Yahoo! do not accept some mails from me).

Some people send bulk email by putting the intended recipient in
the *sender* address in the envelope. Recipient address needs to be
something that will generate a bounce message (rather than an SMTP
error code) in an attempt to get the message body returned as part
of the bounce message (I was told some years ago that people used
to do this in the early days of email to avoid charges for sending
messages on some pay-per-message systems). 

OpenBSD sendmail configuration files (at least on -current, I don't
recall when it was added) use the nobodyreturn privacy flag in the
mc-file, to make this a less-than-successful operation (since the
intended payload isn't carried in the bounce report).

This may or may not be the problem you're seeing: you'll have to
look at the headers in the queued emails and analyse them to find out
for sure.

Re: Possible implication of a Sendmail on OpenBSD 3.8 in a spam attack

[Dylan Smith]

On Wednesday 25 January 2006 12:09, you wrote:
 ... I've noticed that the
 mailstats command reports 13 (!!!) messages sent (!) outside. My
 computer is a small server running OpenBSD 3.8, MySQL+PHP+Apache for the
 website;

There's one potential smoking gun right there. PHP. You know PGP stands for 
'Pretty Good Privacy'? Well, I think PHP stands for 'Pretty Hopeless 
Privacy'.

What PHP scripts are you or your users running? Any phpbb installations? 
*nukes? What other PHP scripts are installed? phpbb and the various nukes are 
notorious for exploits.

It is quite often the case that well known PHP scripts are getting exploited - 
I've seen it twice in the field where a PHP script was exploited by 
phishers/spammers. The general sequence of events is:

1. User installs exploitable PHP script
2. Phisherman finds it.
3. Phisherman exploits it, and using the shell execution exploit, executes 
'cd /tmp; wget some-evil-script.php' and then exploits it again to 
run /tmp/some-evil-script.php (in PHP command line mode).

Some-evil-script.php turns out to be a spamming script. They don't need to 
root your server, they just need to be able to write somewhere. Have a poke 
around where Apache has write access, I bet you find some dodgy PHP scripts. 
Look through the logs for attempted exploits on PHP scripts (you can usually 
find %-encoded versions of commands in the arguments to the PHP script).

The other possibility is one of your users has a virus/trojan/worm that uses 
their Outlook settings to relay mail through your mail server. Tell your 
users to relay through their ISP only, you just don't want to get involved 
with being the mail relay for your users if you can help it. However, I 
suspect you've been exploited via a buggy insecure PHP script.

To stop this happening again:
Apply strict egress filtering. Allow *no traffic out at all*. There is 
probably no reason your server should be making any outbound connections 
except via a few daemons (DNS and outbound SMTP spring to mind - for those 
use 'pf' rules that only allow BIND and sendmail to send data out on those 
ports). Strict egress filtering will prevent phishers/spammers from managing 
to do the 'wget some-evil-script.php' to get the spamming script onto your 
server.
No, 'chmod 700 wget' is no substitute - it's trivial to write a Perl script 
that can be injected via your vulnerable PHP script to do open a socket to a 
remote server and download a file. Block ALL OUTBOUND ACCESS to anything 
except for what explicitly should happen: DNS lookups to the two or three DNS 
servers listed in resolv.conf, and SMTP access (if you absolutely cannot 
avoid allowing outbound SMTP) to the sendmail process only (user _sendmail).

Egress filtering is often forgotten, missed or not considered - but it is 
every bit as important as filtering inbound traffic (possibly more so, as y 
ou have discovered). Never forget egress filtering.

And keep an eye on your users - particularly what PHP scripts they have 
installed. Apply a LART if they don't keep up to date with security patches. 
Have a policy of banning scripts known to have a bad security track record.

OpenBSD-specific plugins for Munin, anyone?

[Alexander Bochmann]

Hi,

I've recently been playing with Munin again
(http://munin.projects.linpro.no/), and noticed 
there are nearly no plugins for OpenBSD.

While I have adapted a few for my needs, I 
shurely can't be the first to do that?

(Munin is a(nother) simple, low-configuration 
software using rrdtool to create pretty graphs 
of different things happening on networked systems. 
I'm using it because I'm lazy. Having to write my 
own plugins is bad in that respect.)

Alex.

RE: Re: webstore software: safe and configurable?

[tony]

[EMAIL PROTECTED] wrote:
[snip]
All good points. That, however, still leaves my
point standing that by
evading PHP, you evade the worst crap.


True, but that is the same as that by evading ENGLISH as a 
lnaguage in posts, you evade the worst crap.
If these discussions were carried out in classical latin,
the level of discussion would rise considerably.

This is the same as registering automobiles in Antartica
because they have fewer accidents there.

An oversimplification, but an ill-written application has
essentially two choices. It can refuse to run because 
somebody forgot to dot an i or something, or it can try
to run anyway with whatseems reasonable under the 
circumstances. Ultimately everything is really only some
varient of choice number two. (Understand ALL of the
foundations of mathematics if you think otherwise.)

There is an enormous difference between sometimes doing
something right and never doing anything wrong.
There was something about an error every few lines in 
C compilers. You think a webstore something is better?

enable the Fn key of my keyboard in my OpenBSD 3.8

[João Salvatti]

Hi all,

Is there any way to enable the Fn key of my keyboard in my OpenBSD 3.8 and
configure the delete key? Because right now the delete key is working the same
way backspace does, and the Fn key is useless.

Thanks.

--
Joco Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://salvatti.expert.com.br
e-mail: [EMAIL PROTECTED]

Re: Anonym.OS - OpenBSD-based live CD

[Diana Eichert]

On Tue, 24 Jan 2006, Bob Beck wrote:
SNIP
 or perhaps a brief dorothy-esque moment of clicking my ruby slippers
 together and saying ignorance is bliss.
SNIP
   -Bob

and what size would those ruby slippers be?

Encrypting content/filesystem on DVD?

[Paul Thorn]

Hi,

This may not be OpenBSD specific, but I'm looking for a way to encrypt
the contents of a DVD such that only a user with the correct passphrase
would be able to mount the contents. Sort of an optical equivilent to:

   vnconfig -ck svnd0 my-encrypted-file
   mount /dev/svnd0c /mount-point

My initial thoughts were to simply store an encrypted vnd file filesystem
as the only contents of a normal ISO9660 DVD, mount the DVD as always and
then attach a vnd device to the file stored on the DVD using
vnconfig, as above. Unfortunately, neither mkisofs (and indeed the
iso standard) nor growisofs appear to like 4G+ files ...
The encrypted content may represent a reasonable large filesystem
in one large file under this scheme.

My attempts at burning an ffs filesystem to DVD/CDR to get around the
filesize limitation of ISO9660 have been largely unsuccessful. See
below for details on the (flawed) procedure I initially attempted.
I'm sure I'm missing some crucial details -- blocksizes or similar.

As an aside, I'm also curious how one might successfully burn an ffs
filesystem to a DVD/CD such that OpenBSD can mount it, if such a thing
is even possible.

The contents only have to be mounted/read via an OpenBSD box. I'm not
concerned with interoperability with other architectures or making the
disk bootable.

I'm not stuck on any particular method of producing the encrypted
contents. Using vnd devices with a large file stored on a standard ISO
filesystem only seemed like a logical and familiar approach for me
and if the size of the file didn't trample ISO's limits, it would
have worked fine, I suspect.

I'm open to any suggestions on how else this might be most easily
accomplished.

Regards,
  - Paul

*** cdrw-ffs filesystem procedure -- comments in () ***
*** OpenBSD 3.8 GENERIC ***

(create a virtual filesystem)

# dd if=/dev/zero of=tst.fs bs=1024 count=10240
# vnconfig -c svnd2 tst.fs
# newfs -f 2048 /dev/svnd2c

newfs: /dev/svnd2c: not a character-special device
Warning: cylinder groups must have a multiple of 8 cylinders
Warning: 20 sector(s) in last cylinder unallocated
/dev/svnd2c:20480 sectors in 205 cylinders of 1 tracks, 100 sectors
10.0MB in 1 cyl groups (208 c/g, 10.16MB/g, 1408 i/g)
super-block backups (for fsck -b #) at:
32,

(reference)
# disklabel svnd2

# /dev/rsvnd2c:
type: SCSI
disk: vnd device
label: fictitious
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 204
total sectors: 20480
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
# sizeoffset  fstype [fsize bsize  cpg]
   c: 20480 0  4.2BSD   2048 16384  208 # Cyl 0 -
204*


(put something into the ffs image file - tst.fs)
# mkdir tstmnt
# mount /dev/svnd2c tstmnt
# touch tstmnt/hello_world
# umount tstmnt
# vnconfig -u svnd2

(burn it ...)
(Note: cdrecord installed from binary package using pkg_add crdtools-2.01)

# cdrecord -v dev=/dev/rcd0c tst.fs
cdrecord: No write mode specified.
cdrecord: Asuming -tao mode.
cdrecord: Future versions of cdrecord may have different drive
dependent defaults.
cdrecord: Continuing in 5 seconds...
Cdrecord-Clone 2.01 (i386-unknown-openbsd3.8)
Copyright (C) 1995-2004 Jvrg Schilling
TOC Type: 1 = CD-ROM
scsidev: '/dev/rcd0c'
devname: '/dev/rcd0c'
scsibus: -2 target: -2 lun: -2
Using libscg version 'schily-0.8'.
SCSI buffer size: 61440
atapi: 0
Device type: Removable CD-ROM
Version: 0
Response Format: 2
Capabilities   :
Vendor_info: 'PIONEER '
Identifikation : 'DVD-RW  DVR-106D'
Revision   : '1.06'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
Current: 0x000A
Profile: 0x001B
Profile: 0x001A
Profile: 0x0014
Profile: 0x0013
Profile: 0x0011
Profile: 0x0010
Profile: 0x000A (current)
Profile: 0x0009 (current)
Profile: 0x0008
cdrecord: This version of cdrecord does not include DVD-R/DVD-RW support
code.
cdrecord: If you need DVD-R/DVD-RW support, ask the Author for
cdrecord-ProDVD.
cdrecord: Free test versions and free keys for personal use are at
ftp://ftp.berlios.de/pub/cdrecord/ProDVD/
Using generic SCSI-3/mmc   CD-R/CD-RW driver (mmc_cdr).
Driver flags   : MMC-3 SWABAUDIO BURNFREE
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R
Drive buf size : 1267712 = 1238 KB
FIFO size  : 4194304 = 4096 KB
Track 01: data10 MB
Total size:   11 MB (01:08.29) = 5122 sectors
Lout start:   11 MB (01:10/22) = 5122 sectors
Current Secsize: 2048
ATIP info from disk:
Indicated writing power: 2
Reference speed: 6
Is not unrestricted
Is erasable
Disk sub type: High speed Rewritable (CAV) media (1)
ATIP start of lead in:  -11077 (97:34/23)
ATIP start of lead out: 336075 (74:43/00)
   1T speed low:  4 1T speed high: 10
   2T speed low:  2 2T speed high: 10
   power mult factor: 2 6
   recommended erase/write power: 5
   A1 values: 24 2C DC
   A2 values: 14 A4 4A
   A3 

Re: IBM Thinkpad X40, which model?

[Christian Weisgerber]

Zoong PHAM [EMAIL PROTECTED] wrote:

 I plan to get a IBM Thinkpad X40 laptop.
 I can see at least there are 3 different models.
 I wonder which model is supported best by 3.8 or the coming 3.9.

These are all submodels that only differ in processor speed, memory
and disk size, and wireless options. Pick according to those criteria
or whatever's conveniently available in your part of the world.

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]

Missing patch and security announce

[Rob W]

See http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018

Fixed in cvs, but NO patch for 3.8 or 3.7 and NO security announce.
(http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147r2=1.148)

How does this match http://openbsd.org/security.html#disclosure ?

_
Opret en personlig blog og del dine billeder pe MSN Spaces:  
http://spaces.msn.com/

Re: Missing patch and security announce

[eric]

On Wed, 2006-01-25 at 16:06:55 +0100, Rob W proclaimed...

 See http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018
 
 Fixed in cvs, but NO patch for 3.8 or 3.7 and NO security announce.
 (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147r2=1.148)
 
 How does this match http://openbsd.org/security.html#disclosure ?

Troll,

It's usually best to just troll once and wait for a reply.

Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?

[Christian Weisgerber]

Didier Wiroth [EMAIL PROTECTED] wrote:

 I've read man ipsec and vpn. Unfortunately I'm totally new to ipsec and
 have no ipsec experience.
 
 I'm looking for tutorials with samples, URLs or anything else, where I
 can find additional info on how to secure wifi networks with openbsd's:
 ipsec and authpf.

Okay, this is as good an opportunity as any to write down what I
did to my wireless a while ago:

Configure dhcpd on the gateway (172.16.1.1) to always give the same
address (172.16.1.99) to my laptop, based on its MAC address.

Exchange public keys:  Copy /etc/isakmpd/private/local.pub from the
gateway to /etc/isakmpd/pubkeys/ipv4/172.16.1.1 on my laptop, and
the laptop's .../local.pub to .../172.16.1.99 on the gateway.

Start up isakmpd -K on both machines.
No other isakmpd configuration.  None.

On the gateway, create a one-line /etc/ipsec.conf:

ike esp from any to 172.16.1.99

On the laptop, create a one-line /etc/ipsec.conf:

ike esp from ral0 to any peer 172.16.1.1

Run ipsecctl -f /etc/ipsec.conf on both machines.
Congratulations, you have set up IPsec.

Repeat the same procedure for additional wireless clients.  Wait a
moment, you say, does that mean that two hosts on the wireless will
talk to each other through the IPsec gateway rather than directly?
That's right, but in infrastructure mode, i.e., if you use an access
point, the packets already cross the air twice (host 1 - AP -
host 2).  Looping them through the gateway doesn't add appreciable
overhead.

The wireless clients only need to talk ISAKMP (to authenticate and
renegotiate keys) and ESP to the gateway.  Block everything else
on the gateway:

block return on $wlan all
pass in  on $wlan proto esp to $wlan keep state
pass out on $wlan proto esp from $wlan keep state
pass in  on $wlan proto udp to $wlan port isakmp keep state
pass out on $wlan proto udp from $wlan port isakmp keep state

Actually, there is one more thing, and it's important.  With the
setup above, you will run into MTU issues with hosts behind the
gateway.  The symptom is that bulk data transfers _to_ the wireless
host will be redicuously slow or stall completely.  There must be
a better way, but in the meantime TCP clamping on the gateway works:

scrub in on enc0 all max-mss 1318

As far as pf is concerned, all decoded IPsec traffic is from the
enc0 interface.  If you use the antispoof directive, make sure
to add a pass rule for traffic on enc0.

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]

Re: Missing patch and security announce

[Ted Unangst]

it's a minor issue.

On 1/25/06, Rob W [EMAIL PROTECTED] wrote:
 See http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018

 Fixed in cvs, but NO patch for 3.8 or 3.7 and NO security announce.
 (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147r2=1.148)

 How does this match http://openbsd.org/security.html#disclosure ?

 _
 Opret en personlig blog og del dine billeder pe MSN Spaces:
 http://spaces.msn.com/

Re: Marvell Yukon 88E8053 PCI-E Gigabit

[Christoph Fritz]

Am Mittwoch, 25. Januar 2006 16:20 schrieb Adam Dennis:
 I noticed that openbsd-current doesn't have support for Marvell
 Yukon88E8053 PCI-E Gigabit (onboard).

I have the same if, but not on my OpenBSD-Computer.

www.skd.de supports drivers for FreeBSD, Linux, etc. but not for 
OpenBSD as far as I can see.

view available inodes on partition

[Matthew Closson]

Hello,

Is there a way to view how many inodes are still available on a partition.
I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And 
I'm not really concerned about running out of space, but possibly out of 
inodes, I just used the default parameters creating the filesystem, which 
is ffs.  Thanks,


-Matt-

Re: Missing patch and security announce

[Rob W]

This wasn't meant as a Troll - I just want to understand why there isn't a 
patch available for this. Moreover why there haven't been made a security 
announce.


(I thought that something went wrong with my first message)


From: eric [EMAIL PROTECTED]
To: Rob W [EMAIL PROTECTED]
CC: misc@openbsd.org
Subject: Re: Missing patch and security announce
Date: Wed, 25 Jan 2006 11:03:21 -0600

On Wed, 2006-01-25 at 16:06:55 +0100, Rob W proclaimed...

 See http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018

 Fixed in cvs, but NO patch for 3.8 or 3.7 and NO security announce.
 
(http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147r2=1.148)


 How does this match http://openbsd.org/security.html#disclosure ?

Troll,

It's usually best to just troll once and wait for a reply.

Re: Marvell Yukon 88E8053 PCI-E Gigabit

[Diana Eichert]

On Wed, 25 Jan 2006, Christoph Fritz wrote:

 Am Mittwoch, 25. Januar 2006 16:20 schrieb Adam Dennis:
  I noticed that openbsd-current doesn't have support for Marvell
  Yukon88E8053 PCI-E Gigabit (onboard).

 I have the same if, but not on my OpenBSD-Computer.

 www.skd.de supports drivers for FreeBSD, Linux, etc. but not for
 OpenBSD as far as I can see.

SysKonnect support has gone down hill ever since Marvel bought them.  I
tried unsuccessfully to get h/w and doc supplied to OBSD devs a little
over a year ago, then all of the sudden my old SK contact quit replying.

diana

Re: view available inodes on partition

[Hannah Schroeter]

Hello!

On Wed, Jan 25, 2006 at 03:04:05PM -0500, Matthew Closson wrote:
Is there a way to view how many inodes are still available on a partition.
I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And 
I'm not really concerned about running out of space, but possibly out of 
inodes, I just used the default parameters creating the filesystem, which 
is ffs.  Thanks,

Just read the manual of df. And then look at the option -i.

Kind regards,

Hannah.

Re: view available inodes on partition

[STeve Andre']

On Wednesday 25 January 2006 20:04, Matthew Closson wrote:
 Hello,

 Is there a way to view how many inodes are still available on a partition.
 I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And
 I'm not really concerned about running out of space, but possibly out of
 inodes, I just used the default parameters creating the filesystem, which
 is ffs.  Thanks,

   -Matt-

df -i

--STeve Andre'

Re: view available inodes on partition

[Stuart Henderson]

On 2006/01/25 15:04, Matthew Closson wrote:
 Is there a way to view how many inodes are still available on a partition.

df(1).

Re: view available inodes on partition

[mickey]

On Wed, Jan 25, 2006 at 03:04:05PM -0500, Matthew Closson wrote:
 Hello,
 
 Is there a way to view how many inodes are still available on a partition.
 I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And 
 I'm not really concerned about running out of space, but possibly out of 
 inodes, I just used the default parameters creating the filesystem, which 
 is ffs.  Thanks,

rtfm
df(1)

cu
-- 
paranoic mickey   (my employers have changed but, the name has remained)

Re: view available inodes on partition

[Jason Crawford]

On 1/25/06, Matthew Closson [EMAIL PROTECTED] wrote:
 Hello,

 Is there a way to view how many inodes are still available on a partition.
 I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And
 I'm not really concerned about running out of space, but possibly out of
 inodes, I just used the default parameters creating the filesystem, which
 is ffs.  Thanks,


man 1 df

Re: view available inodes on partition

[Matthew Closson]

Thanks for all the replies, that obviously worked fine.

On Wed, 25 Jan 2006, Otto Moerbeek wrote:



On Wed, 25 Jan 2006, Matthew Closson wrote:


Hello,

Is there a way to view how many inodes are still available on a partition.
I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And I'm
not really concerned about running out of space, but possibly out of inodes, I
just used the default parameters creating the filesystem, which is ffs.


df -i

-Otto

Re: view available inodes on partition

[Otto Moerbeek]

On Wed, 25 Jan 2006, Matthew Closson wrote:

 Hello,
 
 Is there a way to view how many inodes are still available on a partition.
 I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And I'm
 not really concerned about running out of space, but possibly out of inodes, I
 just used the default parameters creating the filesystem, which is ffs.

df -i

-Otto

std. paths for IMAP folders

[Joakim Roubert]

Hi!

I guess I can configure things to be anyway I want it, but I would like
to ask you guys what would be the most common place where users' IMAP
folders are to be stored. If all the incomping mail goes to in /var/mail
something, is this also the place that would be the best place to let
them (us) have their (our) folders? Or perhaps the home directories?

TIA, and best regards,

/Joakim
-- 
 http://www.df.lth.se/~jokke/

Backups under linux emulation

[Michael Favinsky]

Dear misc:

I'm attempting to use (EMC) Legato Networker to backup one of my OpenBSD
boxes. Since there's no OpenBSD binary, and Networker isn't open source, I'm
using the Linux binary uner Linux emulation. The binary executes fine, and
the OpenBSD box and Legato server are communicating perfectly. Backups work,
but with one major problem:

Legato backs up files by crawling the file system, starting at / going into
each directory and backing up files as it finds them. The problem that I'm
having is that, under linux emulation, the emulator first checks to see if a
file/directory exists under /emul/linux. So, when the backup software tries
to back up /var, it ends up backing up /emul/linux/var, and my actual /var
never gets backed up. I have the same problem in /usr, and so on.

Is there some method/way around this problem? How can I make my Linux binary
back up the actual /var rather than /emul/linux/var?

Thanks for the help.

Michael

Re: Marvell Yukon 88E8053 PCI-E Gigabit

[Christoph Fritz]

Am Mittwoch, 25. Januar 2006 20:09 schrieb Diana Eichert:
 On Wed, 25 Jan 2006, Christoph Fritz wrote:
  Am Mittwoch, 25. Januar 2006 16:20 schrieb Adam Dennis:
   I noticed that openbsd-current doesn't have support for
   Marvell Yukon88E8053 PCI-E Gigabit (onboard).
 
  I have the same if, but not on my OpenBSD-Computer.
 
  www.skd.de supports drivers for FreeBSD, Linux, etc. but not
  for OpenBSD as far as I can see.

 SysKonnect support has gone down hill ever since Marvel bought
 them.  I tried unsuccessfully to get h/w and doc supplied to OBSD
 devs a little over a year ago, then all of the sudden my old SK
 contact quit replying.

I wrote to [EMAIL PROTECTED] and got a working driver 
(source-code) from [EMAIL PROTECTED] for my current Linux 
2.6.15

Maybe the linux source is all docu they give out?

Re: SSH publickey authentication - identity logging

[Spruell, Darren-Perot]

From: steven mestdagh [mailto:[EMAIL PROTECTED]
 On Tue, Jan 24, 2006 at 11:04:33AM -0700, Spruell, Darren-Perot wrote:
  Would be useful to have information logged for the 
 connection identifying
  the key used to authenticate, by the key comment if 
 possible. Does sshd
  already have this capability? Would anyone consider this a 
 useful feature
  addition?
 
 Have you tried LogLevel VERBOSE in sshd_config(5)? That prints lines
 like 'Found matching DSA key: fingerprint in the log file.

Hadn't tried that, but it gives us enough of what we want to work. Thanks
for the tip.

DS

Re: Marvell Yukon 88E8053 PCI-E Gigabit

[Tobias Weingartner]

On Wednesday, January 25, Christoph Fritz wrote:
 
 Maybe the linux source is all docu they give out?

Linux source is *not* documentation.

--Toby.

Re: Backups under linux emulation

[Rick Aliwalas]

On Wed, 25 Jan 2006, Michael Favinsky wrote:


Dear misc:

I'm attempting to use (EMC) Legato Networker to backup one of my OpenBSD
boxes. Since there's no OpenBSD binary, and Networker isn't open source, I'm


There is an openbsd client.  We're using it (nwclient-6.0.2-openbsd-i386.tgz).
I'm going to ask around to find out how we got it.  Apparently it's not
supported but works fine.

-rick


using the Linux binary uner Linux emulation. The binary executes fine, and
the OpenBSD box and Legato server are communicating perfectly. Backups work,
but with one major problem:

Legato backs up files by crawling the file system, starting at / going into
each directory and backing up files as it finds them. The problem that I'm
having is that, under linux emulation, the emulator first checks to see if a
file/directory exists under /emul/linux. So, when the backup software tries
to back up /var, it ends up backing up /emul/linux/var, and my actual /var
never gets backed up. I have the same problem in /usr, and so on.

Is there some method/way around this problem? How can I make my Linux binary
back up the actual /var rather than /emul/linux/var?

Thanks for the help.

Michael

Re: Backups under linux emulation

[Michael Favinsky]

Rick, this is good news. If you can provide me some more info on where you
got it I'd be grateful.

One thing you should be aware of: 6.0.2 has known vulnerabilities, per
http://www.securityfocus.com/bid/14582. I suppose that's the price paid when
running older unsuppoted software.

I'd be a bit concerned about installing exploitable 6.0.2 on one of my
servers.

-Original Message-
From: Rick Aliwalas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 25, 2006 1:25 PM
To: Michael Favinsky
Cc: misc@openbsd.org
Subject: Re: Backups under linux emulation

On Wed, 25 Jan 2006, Michael Favinsky wrote:

 Dear misc:

 I'm attempting to use (EMC) Legato Networker to backup one of my 
 OpenBSD boxes. Since there's no OpenBSD binary, and Networker isn't 
 open source, I'm

There is an openbsd client.  We're using it
(nwclient-6.0.2-openbsd-i386.tgz).
I'm going to ask around to find out how we got it.  Apparently it's not
supported but works fine.

-rick

 using the Linux binary uner Linux emulation. The binary executes fine, 
 and the OpenBSD box and Legato server are communicating perfectly. 
 Backups work, but with one major problem:

 Legato backs up files by crawling the file system, starting at / going 
 into each directory and backing up files as it finds them. The problem 
 that I'm having is that, under linux emulation, the emulator first 
 checks to see if a file/directory exists under /emul/linux. So, when 
 the backup software tries to back up /var, it ends up backing up 
 /emul/linux/var, and my actual /var never gets backed up. I have the same
problem in /usr, and so on.

 Is there some method/way around this problem? How can I make my Linux 
 binary back up the actual /var rather than /emul/linux/var?

 Thanks for the help.

 Michael

Re: std. paths for IMAP folders

[Tomasz Kniaz]

On Wed, 25 Jan 2006 21:04:43 +0100, Joakim Roubert wrote:

Or perhaps the home directories?

Yes, $HOME/something (e.g. $HOME/MAIL/inbox ) is a fine place for
incoming mail (and other mboxes/maildirs).

Regards,
tkniaz

Independent Dealers Unite

[ITEX 2006]

 http://www.itexshow.com/attend_home.asp


Register Now! https://secure.ud.net/guesttrackeronline/itex2006/

The Largest and Fastest Growing Event for the Digital Copier//Printer 
Document Technology Industry
www.itexshow.com http://www.itexshow.com/attend_home.asp  Las
Vegas Convention Center, Las Vegas Nevada, March 14-17, 2006
Put your company in the right position to leverage the lucrative
multi-billion dollar Digital/Copier Printer  Document Solutions market.

ITEX has guided thousands of industry professionals toward a clearer
picture of the changing document and workflow landscape.

ITEX wants to give you the opportunity to register early for the 2006
event. Registering early guarantees you a seat in the Power Hour
workshops of your choice. Seating is limited so be sure to register
today!

ITEX, now in its sixth year, is a vendor-neutral breeding ground for top
Digital/Copier Printer Dealers, Imaging Dealers, VARs, System
Integrators and Resellers. Each year, the best of the best convene at
ITEX to see the latest technology. You will learn how to take advantage
of the seemingly endless document and workflow solutions market offered
by the industrys elite.

This year at ITEXClick on any of the links to learn more

 Over 220 vendors http://www.itexshow.com/exhibitlist.asp
 Over 120 hours of Education http://www.itexshow.com/powerhours
 Over 125,000 square feet of exhibit space
http://www.itexshow.com/floorplan
 Concurrent Events at ITEX
http://www.itexshow.com/attend_concevents.asp
 2 separate full-day solutions forums
http://www.itexshow.com/attend_dbfselect.asp
 Compelling Keynote Event
http://www.itexshow.com/attend_keynote06.asp
 Travel Discounts http://www.itexshow.com/atravel

Find out what 2,700 industry professionals found out last year. ITEX is
the most important event any Document Solution Provider can attend.



Las Vegas Convention Center, Las Vegas Nevada
SHOW FLOOR OPEN  March 15-16, 2006
ITEX POWER HOURS (Hour Seminars) March 15-16, 2006
DEALER BUSINESS FORUMS (All-Day Seminars)March 14  17, 2006


[www.itexshow.com] http://www.itexshow.com


2006 Sponsors

DealerSiteBuilder.com http://www.itexshow.com/profile.asp?ID=893

Digital Gateway http://www.itexshow.com/profile.asp?ID=456

eBay Business http://www.itexshow.com/profile.asp?ID=947

EFI Mobile Workforce Automation
http://www.itexshow.com/profile.asp?ID=765

GE Commercial Finance http://www.itexshow.com/profile.asp?ID=942

Katun Corporation http://www.itexshow.com/profile.asp?ID=484

LaCrosse Management Systems, Inc.
http://www.itexshow.com/profile.asp?ID=485

Laser Imaging International http://www.itexshow.com/profile.asp?ID=486


MKG Imaging Solutions Inc. http://www.itexshow.com/profile.asp?ID=787


Oki Data http://www.itexshow.com/profile.asp?ID=503

Panasonic http://www.itexshow.com/profile.asp?ID=960

PARTS NOW! http://www.itexshow.com/profile.asp?ID=507

PrintFleet Inc. http://www.itexshow.com/profile.asp?ID=496

Q-Imaging USA Inc. http://www.itexshow.com/profile.asp?ID=518

Sharp Electronics Corporation
http://www.itexshow.com/profile.asp?ID=997

StructuredWeb http://www.itexshow.com/profile.asp?ID=905

Tech Data Corporation http://www.itexshow.com/profile.asp?ID=780

TSC Imaging http://www.itexshow.com/profile.asp?ID=796

Xerox North American Dealer Channel
http://www.itexshow.com/profile.asp?ID=648




Click Below to Remove
unsubscribe me
http://216.122.144.75/Remove20.asp?tbl=imp_WCCopyMachineLID=66EID=868
0SUPID=28[EMAIL PROTECTED] .

console font size

[Igor Vilensky]

How does one control appearance of console/fonts on the screen?
On one laptop,  letters are quite large and console fills entire screen,  on
another,  letters are tiny and the console fills a fraction
of the screen.

Many thanks!

-Igor

Generic 3:8

Re: console font size

[Mike Hernandez]

On  Wed, Jan 25, 2006 at 05:45:52PM -0600, Igor Vilensky wrote:
 How does one control appearance of console/fonts on the screen?
 On one laptop,  letters are quite large and console fills entire screen,  on
 another,  letters are tiny and the console fills a fraction
 of the screen.
 
Check out the man pages for:

wsconscfg, wsconsctl, wsfontload


Mike

Re: Marvell Yukon 88E8053 PCI-E Gigabit

[Chris Cappuccio]

isn't the openbsd driver derived from the freebsd if_sk?

Christoph Fritz [EMAIL PROTECTED] wrote:
 Am Mittwoch, 25. Januar 2006 16:20 schrieb Adam Dennis:
  I noticed that openbsd-current doesn't have support for Marvell
  Yukon88E8053 PCI-E Gigabit (onboard).
 
 I have the same if, but not on my OpenBSD-Computer.
 
 www.skd.de supports drivers for FreeBSD, Linux, etc. but not for 
 OpenBSD as far as I can see.

-- 
Don Rumsfeld has been chewing on my ankles. -- Dick Cheney

le1: underflow and le1: transmitter disabled errors

[Davin Flatten]

Hello-

We have OpenBSD 3.5 running as a filtering bridge on our network using 
two Allied Telesyn AT-2971SX cards.  The traffic across the bridge is 
about 150 Mb/s on average.  We are experiencing the following errors in 
our log files:


Jan 25 17:01:03 xxx /bsd: le1: underflow
Jan 25 17:01:03 xxx /bsd: le1: transmitter disabled
Jan 25 17:01:05 xxx last message repeated 5 times
Jan 25 17:01:05 xxx /bsd: le2: transmitter disabled
Jan 25 17:01:05 xxx /bsd: le1: transmitter disabled
Jan 25 17:01:16 xxx /bsd: le1: underflow
Jan 25 17:01:16 xxx /bsd: le1: underflow
Jan 25 17:01:17 xxx /bsd: le1: transmitter disabled

As you can see these errors are coming very fast.  Any information would 
help.


Thank you,
Davin Flatten

Boot Log:
---
Jan 25 08:41:34 xxx /bsd: OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 
MST 2004
Jan 25 08:41:34 xxx /bsd: 
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Jan 25 08:41:34 xxx /bsd: cpu0: Intel(R) Pentium(R) III CPU - S 1400MHz 
(GenuineIntel 686-class) 1.40 GHz
Jan 25 08:41:34 xxx /bsd: cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

Jan 25 08:41:34 xxx /bsd: real mem  = 267960320 (261680K)
Jan 25 08:41:34 xxx /bsd: avail mem = 242130944 (236456K)
Jan 25 08:41:34 xxx /bsd: using 3296 buffers containing 13500416 bytes 
(13184K) of memory

Jan 25 08:41:35 xxx /bsd: mainbus0 (root)
Jan 25 08:41:35 xxx /bsd: bios0 at mainbus0: AT/286+(00) BIOS, date 
05/01/03, BIOS32 rev. 0 @ 0xffe90

Jan 25 08:41:35 xxx /bsd: pcibios0 at bios0: rev. 2.1 @ 0xf/0x1
Jan 25 08:41:35 xxx /bsd: pcibios0: PCI IRQ Routing Table rev. 1.0 @ 
0xfc220/176 (9 entries)
Jan 25 08:41:35 xxx /bsd: pcibios0: no compatible PCI ICU found: ICU 
vendor 0x1166 product 0x0201
Jan 25 08:41:35 xxx /bsd: pcibios0: Warning, unable to fix up PCI 
interrupt routing

Jan 25 08:41:35 xxx /bsd: pcibios0: PCI bus #0 is the last bus
Jan 25 08:41:35 xxx /bsd: bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 
0xc9000/0x4000! 0xec000/0x4000!
Jan 25 08:41:35 xxx /bsd: pci0 at mainbus0 bus 0: configuration mode 1 
(no bios)
Jan 25 08:41:35 xxx /bsd: pchb0 at pci0 dev 0 function 0 ServerWorks 
CNB20HE Host rev 0x23

Jan 25 08:41:35 xxx /bsd: pci1 at pchb0 bus 1
Jan 25 08:41:35 xxx /bsd: em0 at pci1 dev 2 function 0 Intel PRO/1000XT 
(PWLA8490XT) rev 0x02: irq 7, address: 00:06:5b:8b:31:dc
Jan 25 08:41:35 xxx /bsd: em1 at pci1 dev 4 function 0 Intel PRO/1000XT 
(PWLA8490XT) rev 0x02: irq 5, address: 00:06:5b:8b:31:dd
Jan 25 08:41:35 xxx /bsd: ppb0 at pci1 dev 8 function 0 vendor Intel, 
unknown product 0x309 rev 0x01

Jan 25 08:41:35 xxx /bsd: pci2 at ppb0 bus 2
Jan 25 08:41:35 xxx /bsd: Adaptec AIC-7899F rev 0x01 at pci2 dev 6 
function 0 not configured
Jan 25 08:41:35 xxx /bsd: Adaptec AIC-7899F rev 0x01 at pci2 dev 6 
function 1 not configured
Jan 25 08:41:35 xxx /bsd: aac0 at pci1 dev 8 function 1 Dell PERC 3/Di 
rev 0x01: irq 3
Jan 25 08:41:35 xxx /bsd: aac0: i960RX 100MHz, 128MB, optional battery 
present (3) Kernel 2.7-1

Jan 25 08:41:35 xxx /bsd: scsibus0 at aac0: 64 targets
Jan 25 08:41:35 xxx /bsd: sd0 at scsibus0 targ 0 lun 0: Adaptec, 
Container #00,  SCSI2 0/direct fixed
Jan 25 08:41:35 xxx /bsd: sd0: 17351MB, 2212 cyl, 255 head, 63 sec, 512 
bytes/sec, 35535780 sec total
Jan 25 08:41:36 xxx /bsd: pchb1 at pci0 dev 0 function 1 ServerWorks 
CNB20HE Host rev 0x01
Jan 25 08:41:36 xxx /bsd: pchb2 at pci0 dev 0 function 2 ServerWorks 
I/O Bridge rev 0x01
Jan 25 08:41:36 xxx /bsd: pchb3 at pci0 dev 0 function 3 ServerWorks 
I/O Bridge rev 0x01

Jan 25 08:41:36 xxx /bsd: pci3 at pchb3 bus 3
Jan 25 08:41:36 xxx /bsd: le1 at pci3 dev 8 function 0 AMD 79c970 
PCnet-PCI rev 0x36: irq 5

Jan 25 08:41:36 xxx /bsd: le1: address 00:30:84:6f:ea:79
Jan 25 08:41:36 xxx /bsd: le1: 8 receive buffers, 2 transmit buffers
Jan 25 08:41:36 xxx /bsd: le2 at pci3 dev 10 function 0 AMD 79c970 
PCnet-PCI rev 0x36: irq 3

Jan 25 08:41:36 xxx /bsd: le2: address 00:30:84:71:33:12
Jan 25 08:41:36 xxx /bsd: le2: 8 receive buffers, 2 transmit buffers
Jan 25 08:41:36 xxx /bsd: vga1 at pci0 dev 12 function 0 ATI Rage XL 
rev 0x27
Jan 25 08:41:36 xxx /bsd: wsdisplay0 at vga1: console (80x25, vt100 
emulation)
Jan 25 08:41:36 xxx /bsd: wsdisplay0: screen 1-5 added (80x25, vt100 
emulation)
Jan 25 08:41:36 xxx /bsd: pchb4 at pci0 dev 15 function 0 ServerWorks 
CSB5 SouthBridge rev 0x93
Jan 25 08:41:36 xxx /bsd: pciide0 at pci0 dev 15 function 1 ServerWorks 
CSB5 IDE rev 0x93: DMA

Jan 25 08:41:36 xxx /bsd: atapiscsi0 at pciide0 channel 0 drive 0
Jan 25 08:41:36 xxx /bsd: scsibus1 at atapiscsi0: 2 targets
Jan 25 08:41:36 xxx /bsd: cd0 at scsibus1 targ 0 lun 0: SAMSUNG, CD-ROM 
SN-124, N102 SCSI0 5/cdrom removable
Jan 25 08:41:36 xxx /bsd: cd0(pciide0:0:0): using PIO mode 4, DMA mode 
2, Ultra-DMA mode 2
Jan 25 08:41:36 xxx /bsd: ohci0 at pci0 dev 15 function 2 ServerWorks 
OSB4/CSB5 USB rev 0x05: irq 11, version 1.0, 

make build | securelevel=2

[levitch]

3.9 beta was not fun for me, so I am reinstalling to 3.8 -Stable.
For whatever reason I forgot that securelevel was set to 2, but
'make build' is running alright at the moment.

Can I also compile ports with securelevel set to 2?  Does someone
know of a port where I must decrease the securelevel?  Usually I
install at least nano, tcsh, and kermit.

Darrel

Re: make build | securelevel=2

[Peter Valchev]

 3.9 beta was not fun for me, so I am reinstalling to 3.8 -Stable.
 For whatever reason I forgot that securelevel was set to 2, but
 'make build' is running alright at the moment.

Did you have a problem with 3.9-beta that you want to report?
Otherwise who knows, you'll probably have the same problem with
3.9-stable a few months from now... and then?

Re: make build | securelevel=2

[Ted Unangst]

On 1/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 3.9 beta was not fun for me, so I am reinstalling to 3.8 -Stable.
 For whatever reason I forgot that securelevel was set to 2, but
 'make build' is running alright at the moment.

 Can I also compile ports with securelevel set to 2?  Does someone
 know of a port where I must decrease the securelevel?  Usually I
 install at least nano, tcsh, and kermit.

you can do everything except make release.  which means you should ask
why you even bother with securelevel 2.  if you don't know what it
does, don't fiddle with it.

Re: std. paths for IMAP folders

[Joakim Roubert]

On 25/01/06 22:06, Tomasz Kniaz wrote:

 Yes, $HOME/something (e.g. $HOME/MAIL/inbox ) is a fine place for
 incoming mail (and other mboxes/maildirs).

Excellent, thanks a lot!

Regards,

/Joakim
-- 
 http://www.df.lth.se/~jokke/

Re: make build | securelevel=2

[levitch]

On Thursday, January 26, 2006, at 00:53AM, Ted Unangst [EMAIL PROTECTED] 
wrote:

On 1/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 3.9 beta was not fun for me, so I am reinstalling to 3.8 -Stable.
 For whatever reason I forgot that securelevel was set to 2, but
 'make build' is running alright at the moment.

 Can I also compile ports with securelevel set to 2?  Does someone
 know of a port where I must decrease the securelevel?  Usually I
 install at least nano, tcsh, and kermit.

you can do everything except make release.  which means you should ask
why you even bother with securelevel 2.  if you don't know what it
does, don't fiddle with it.



I am *learning* what it does.  :)
I am planning on make release for tomorrow.
Things are great- thanks.

Darrel

Re: make build | securelevel=2

[levitch]

On Thursday, January 26, 2006, at 00:20AM, Peter Valchev [EMAIL PROTECTED] 
wrote:

 3.9 beta was not fun for me, so I am reinstalling to 3.8 -Stable.
 For whatever reason I forgot that securelevel was set to 2, but
 'make build' is running alright at the moment.

Did you have a problem with 3.9-beta that you want to report?
Otherwise who knows, you'll probably have the same problem with
3.9-stable a few months from now... and then?



Good point, thanks.  I am still troubleshooting and have not
thoroughly prepared the information, though.

At home, cvs downloads are halting and will time out, but it could
be that something changed at my ISP.

At work, 3.9 did not find the 'startx' command and
/usr/libexec/locate.updatedb failed, too.  However, this is on known
bad hardware that can actually serve DNS and time.

I will update if something potentially interesting happens.

Darrel