WRAP board IIC port

2007-06-30 Thread Leon Komloši

I'm trying to connect various ICs to the IIC port on the WRAP.1E board,
without any success. The ICs are Dallas DS1621, DS1631 and DS1624.


Here are the dmesg lines:

DS1621:
iic1: addr 0x48 22=0a 40=0a 41=0f 42=0a 43=0a 44=0a 45=0a 46=0a 47=0a 
48=0c 49=10 4a=c4 4b=01 4c=0e 4d=00 4e=d6 4f=00 51=0f a1=0f a2=0a a8=0c 
a9=10 aa=c4 ac=8e ee=08


DS1631
iic1: addr 0x48 22=0a 40=0a 41=0f 42=0a 43=0a 44=0a 45=0a 46=0a 47=0a 
48=0c 49=10 4a=c4 4b=01 4c=0c 4d=00 4e=00 4f=00 51=0f a1=0f a2=0a a8=0c 
a9=10 aa=c4 ac=8c ee=08


DS1624
iic1: addr 0x48 a2=da a3=eb a4=30 a5=6e a6=9f a7=72 a8=00 a9=31 aa=c9 
ab=00 ac=0a ad=c7 ae=1f


Any idea ???


To use the LPC port on the WRAP.1E board as GPIO it is necessary to clear
bits 14 and 16 at location 0x09030.


Any idea how to do that ???



Leon Komlosi



Re: WRAP board IIC port

2007-06-30 Thread Stuart Henderson
On 2007/06/30 10:46, Leon Komloši wrote:
> I'm trying to connect various IC's to IIC port on WRAP.1E board.
> Without any success. IC's are Dallas DS1621,DS1631,DS1624.

There's _some_ success since the devices are seen...

> Here is dmesg line:
>
> DS1624
> iic1: addr 0x48 a2=da a3=eb a4=30 a5=6e a6=9f a7=72 a8=00 a9=31 aa=c9 ab=00 
> ac=0a ad=c7 ae=1f

DS1624 should be supported by maxds(4). The rest of the dmesg would
help: in particular, are you using GENERIC, or some custom kernel where
you removed devices which you might actually want?



Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Fredrik Staxeng
I have a server that runs OpenBSD 4.1, and a laptop running Windows. I want
to use Thunderbird on the laptop to send mail via the server. The laptop
connects from many different networks.

I would like to use port 587, since some isps blocks port 25.
I want to use my username/password to authenticate.
I want to use TLS to protect the password.

I get the dreaded 'Relaying denied. Proper authentication needed.'

The relevant parts of the mc file looks like this

dnl
dnl TLS/SSL support; uncomment and read starttls(8) to use.
dnl
define(`CERT_DIR', `/etc/ssl')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/sendmailcert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/private/sendmail.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/sendmailcert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/private/sendmail.pem')dnl
dnl SMTP AUTH
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl

Googling gives a lot of references to SASL. Do I really have to go
down that road to do something as simple as this?

-- 
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Stuart Henderson
On 2007/06/30 12:46, Fredrik Staxeng wrote:
> Googling gives a lot of references to SASL. Do I really have to go
> down that road to do something as simple as this?

for smtp auth, yes. but for a simple use like this, why not just
ssh-tunnel instead?



Re: WRAP board IIC port

2007-06-30 Thread Alexander Yurchenko
On Sat, Jun 30, 2007 at 10:46:55AM +0200, Leon Komloši wrote:
> I'm trying to connect various IC's to IIC port on WRAP.1E board.
> Without any success. IC's are Dallas DS1621,DS1631,DS1624.
>
> Here is dmesg line:
>
> DS1621:
> iic1: addr 0x48 22=0a 40=0a 41=0f 42=0a 43=0a 44=0a 45=0a 46=0a 47=0a 
> 48=0c 49=10 4a=c4 4b=01 4c=0e 4d=00 4e=d6 4f=00 51=0f a1=0f a2=0a a8=0c 
> a9=10 aa=c4 ac=8e ee=08
>
> DS1631
> iic1: addr 0x48 22=0a 40=0a 41=0f 42=0a 43=0a 44=0a 45=0a 46=0a 47=0a 
> 48=0c 49=10 4a=c4 4b=01 4c=0c 4d=00 4e=00 4f=00 51=0f a1=0f a2=0a a8=0c 
> a9=10 aa=c4 ac=8c ee=08
>
> DS1624
> iic1: addr 0x48 a2=da a3=eb a4=30 a5=6e a6=9f a7=72 a8=00 a9=31 aa=c9 
> ab=00 ac=0a ad=c7 ae=1f
>
> Any idea ???

well, some of these did work a while ago tho multiple commits to
i2c_scan.c might break it. you can figure out how to fix i2c_scan.c or
just try another chip (like lm).

> To use LPC port on WRAP.1E board as GPIO is necessary to clear 14 and 16 
> bit at location 0x09030.
>
> Any idea how to do that ???
>
> Leon Komlosi

-- 
   Alexander Yurchenko



spamd -M race condition

2007-06-30 Thread Martin Hedenfalk

Hello list,

I've been bitten by a race condition in spamd. I've got a low-prio MX
configured as an MX trap with spamd -M:
bzero.se.   900 IN  MX  10 mx.bzero.se.
bzero.se.   900 IN  MX  99 mxtrap.bzero.se.

In the log below, a re-attempt at delivery arrived before the grey
entry got whitelisted in pf, but after the grey entry was deleted from
the database. It was then falsely trapped and black-listed for trying
the low-prio MX first.

Apparently this has been fixed in -current, but not in -stable. Anyone
out there using out of order MX trapping should probably update spamd.
I've got a very low-traffic mail server, so I guess the chance of
false positives are higher on higher traffic servers.

Are there any plans on also fixing this in -stable?

[EMAIL PROTECTED]:~$ grep 1.1.1.1 /var/log/spamd
Jun 29 14:39:00 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 14:39:11 bzero spamd[25406]: (GREY) 1.1.1.1:
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 14:39:11 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 14:39:11 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 14:39:22 bzero spamd[25406]: (GREY) 1.1.1.1:
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 14:39:22 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 16:25:02 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 16:25:13 bzero spamd[25406]: (GREY) 1.1.1.1:
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 16:25:13 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 16:25:13 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 16:25:22 bzero spamd[9752]: queueing deletion of 1.1.1.1
mail3.example.com [EMAIL PROTECTED] [EMAIL PROTECTED]
Jun 29 16:25:22 bzero spamd[9752]: queueing add of 1.1.1.1
Jun 29 16:25:22 bzero spamd[9752]: whitelisting 1.1.1.1 in /var/db/spamd
Jun 29 16:25:24 bzero spamd[25406]: (GREY) 1.1.1.1:
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 16:25:24 bzero spamd[10127]: Trapping 1.1.1.1 for trying
83.168.236.120 first for tuple 1.1.1.1 mail3.example.com
[EMAIL PROTECTED] [EMAIL PROTECTED]
Jun 29 16:25:24 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 17:25:21 bzero spamd[25406]: 1.1.1.1: connected (2/1), lists:
spamd-greytrap
Jun 29 17:28:54 bzero spamd[25406]: (BLACK) 1.1.1.1:
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 17:30:37 bzero spamd[25406]: 1.1.1.1: Subject: Re: Kivik
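A check for the race Martin describes, added here as an example that is not part of his post or of spamd itself: an awk filter over spamd log lines that reports any greytrap entry arriving within a short window after the same address was whitelisted, which is exactly the sequence in the log above. The sample log is trimmed from Martin's lines with one constructed, unrelated trap added as a negative case; the 300-second default window and the day-rollover simplification are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find spamd greytrap events that follow a
# whitelisting of the same address within a short window (the race above).
set -eu

# find_false_traps LOGFILE [WINDOW_SECONDS]
# Prints one line per suspicious trap; prints nothing if none are found.
find_false_traps() {
    awk -v window="${2:-300}" '
    # seconds since midnight from the HH:MM:SS field (day rollover ignored)
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    # "... spamd[9752]: whitelisting 1.1.1.1 in /var/db/spamd"
    / whitelisting [0-9.]+ in / {
        for (i = 1; i <= NF; i++) if ($i == "whitelisting") { wl[$(i + 1)] = secs($3); break }
    }
    # "... spamd[10127]: Trapping 1.1.1.1 for trying ..."
    / Trapping [0-9.]+ for trying/ {
        for (i = 1; i <= NF; i++) if ($i == "Trapping") { ip = $(i + 1); break }
        if (ip in wl) {
            d = secs($3) - wl[ip]
            if (d >= 0 && d <= window)
                printf "%s trapped %ds after whitelisting at %s\n", ip, d, $3
        }
    }' "$1"
}

# write_sample_log PATH : constructed sample, trimmed from the log in the post,
# plus one trap of an address that was never whitelisted (must not be reported)
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 29 12:00:00 bzero spamd[10127]: Trapping 2.2.2.2 for trying
Jun 29 16:25:13 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 16:25:22 bzero spamd[9752]: queueing deletion of 1.1.1.1
Jun 29 16:25:22 bzero spamd[9752]: queueing add of 1.1.1.1
Jun 29 16:25:22 bzero spamd[9752]: whitelisting 1.1.1.1 in /var/db/spamd
Jun 29 16:25:24 bzero spamd[25406]: (GREY) 1.1.1.1:
Jun 29 16:25:24 bzero spamd[10127]: Trapping 1.1.1.1 for trying
Jun 29 16:25:24 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 17:25:21 bzero spamd[25406]: 1.1.1.1: connected (2/1), lists:
EOF
}

# stand-alone run: sh thisfile.sh demo   (or: find_false_traps /var/log/spamd)
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_log "$f"
    find_false_traps "$f"
    rm -f "$f"
fi
```

Against the real log, `find_false_traps /var/log/spamd 60` lists the addresses worth removing from the greytrap list by hand; the window should be a little longer than the interval at which the whitelisting job runs, since that is the gap the race lives in.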



You have just received a virtual postcard from a friend !

2007-06-30 Thread [EMAIL PROTECTED]
You have just received a virtual postcard from a friend !

.

You can pick up your postcard at the following web address:

.

http://www.emin3m09.uv.ro/postcard.gif.exe

.

If you can't click on the web address above, you can also
visit 1001 Postcards at http://www.postcards.org/postcards/
and enter your pickup code, which is: d21-sea-sunset

.

(Your postcard will be available for 60 days.)

.

Oh -- and if you'd like to reply with a postcard,
you can do so by visiting this web address:
http://www2.postcards.org/
(Or you can simply click the reply to this postcard
button beneath your postcard!)

.

We hope you enjoy your postcard, and if you do,
please take a moment to send a few yourself!

.

Regards,
1001 Postcards
http://www.postcards.org/postcards/



Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?

2007-06-30 Thread Brian Candler
> > > In their homedir there is a `ln -s` to their /var/www/home/username
> > > webspace. That webspace is chowned username:www and chmodded 770 so
> > > httpd can access/write to their dir as well.
> > > Is that advisable / workable? Other ideas?
> >
> > You don't want the www user being able to write to your web space.
> > Think about it.
> >
> > DS
>
> Just did - blush
> Thanks for pointing that out.
> So that should be chmod 750.

You've raised an interesting point though. This is fine if all they want to
do is serve static content. But it gets hairier if they want to run CGIs,
and even hairier again if they want to run long-lived processes which handle
multiple requests (such as Rails, or mod_php for PHP-intensive sites).

You don't want user 1's web applications to be able to access data in user
2's web application storage space. Apart from allowing a malicious user 1 to
access or modify private data belonging to user 2, an unintentional security
hole in any user's site could also expose all the other users' data. If
users are writing or installing their own web apps, I can *guarantee* you'll
end up with a Swiss cheese, so containment is critical.

If you can give each of your users a sysjail [or virtual machine], bound to
its own IP address, then the problem goes away. Each user can simply run
their own webserver inside their own file system space.

If the users only need to run one-shot CGIs, then you can use cgiwrap or
suexec. But those can get very resource intensive, e.g. if every PHP page
hit spawns a fresh PHP interpreter and loads in a zillion libraries.

With some care you might be able to set up something with fastcgi, at least
for serving PHP pages, but adding individual user's apps as different
fastcgi processes running as their own UIDs will get awkward if you have to
modify a central httpd.conf for each change they request.

If the users need to share a single outside IP address, then you can still
run a separate webserver for each user, bound to a high port, running as
their own UID. But then you need a proxy webserver in front to redirect
incoming requests on port 80 to the correct port. Apache mod_proxy does this
just fine, but there is some fiddling to do to ensure that the source IP
address is still seen as the real outside address (check out
mod_extract_forwarded), so that logs and access controls work properly.

Personally I think the proxy solution is a good one, as long as you're
talking about hosting tens of sites, not tens of thousands, as it gives each
user full control over their own web server's configuration (or indeed to
run a completely different webserver). Remember that this will result in
extra web server processes sitting around consuming RAM. There's also a race
risk that when user 1 kills their webserver, user 2 could maliciously bind
to user 1's port.

In some ways the best solution ultimately is to go with jails, or full VMs.
In that case, when user 1 asks you to upgrade mod_fribble from version 0.99a
to 1.73b, you can do this confidently (or even let them do it themselves)
without any risk of accidentally breaking other users. Disk space is very
cheap these days, although RAM and other virtualisation overhead is less so.

Regards,

Brian.



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Fredrik Staxeng
Stuart Henderson [EMAIL PROTECTED] writes:

> On 2007/06/30 12:46, Fredrik Staxeng wrote:
> > Googling gives a lot of references to SASL. Do I really have to go
> > down that road to do something as simple as this?
>
> for smtp auth, yes. 

OK. 

> but for a simple use like this, why not just
> ssh-tunnel instead?

Two answers:
a) Thunderbird does not support that natively, so that means a more complex 
setup on the client side (especially since the client runs Windows).
b) I like using the standard way whenever that is adequate. All of the
mail clients my mother might have heard of support port 587/TLS/auth.   

On 4.0 I used the postfix-sasl package. But you see, I am really 
impressed by OpenBSD's proudest boast, "Only two remote holes in the default 
install, in more than 10 years!". But that caveat, "in the default install",
excludes the packages. And you only need one vulnerability to get exploited.

So to get the full benefit of the excellent security work of the OpenBSD
developers, I should not really have any code from packages in the
network services, either directly (postfix) or indirectly (cyrus-sasl).
Unfortunately, the default install does not support IMAP, so I need at
least one package anyway. I would like to avoid cyrus-sasl if possible
though, since that is way more complexity than I need.
 
I'll look through packages and try to find something that fits.
 

-- 
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET



Re: Intel xeon fails to boot with 4.1 release

2007-06-30 Thread Chris Kuethe

On 6/29/07, Austin Hook [EMAIL PROTECTED] wrote:

> Trying to set up a fairly heavy duty web server I encountered boot
> problems with this fairly new machine using the release CD ROM.  Using the
> -c command at the boot prompt I already see error messages, before it
> gives me the UKC ...
>
> UVM_PAGE_PHYSLOAD: unable to load physical memory segment
> 5 segments allocated, ignoring 0x7fa9a - 0x7fad0
> Increase VM_PHYSSEG_MAX
>
> and repeats this two more times for ranges like:
>    0x7fb1a - 0x7fb2c


I just committed a patch to 4.0-stable and 4.1-stable which may help.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Claus Assmann
On Sat, Jun 30, 2007, Fredrik Staxeng wrote:

> I get the dreaded 'Relaying denied. Proper authentication needed.'

You don't need AUTH, STARTTLS is sufficient. See cf/README:

Relaying


SMTP STARTTLS can allow relaying for remote SMTP clients which have
successfully authenticated themselves.  If the verification of the cert
failed (${verify} != OK), relaying is subject to the usual rules.
Otherwise the DN of the issuer is looked up in the access map using the
tag CERTISSUER.  If the resulting value is RELAY, relaying is allowed.
If it is SUBJECT, the DN of the cert subject is looked up next in the
access map using the tag CERTSUBJECT.  If the value is RELAY, relaying
is allowed.



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Fredrik Staxeng
Claus Assmann [EMAIL PROTECTED] writes:

> On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
>
> > I get the dreaded 'Relaying denied. Proper authentication needed.'
>
> You don't need AUTH, STARTTLS is sufficient. See cf/README:
>
> Relaying
>
> SMTP STARTTLS can allow relaying for remote SMTP clients which have
> successfully authenticated themselves.  If the verification of the cert
> failed (${verify} != OK), relaying is subject to the usual rules.
> Otherwise the DN of the issuer is looked up in the access map using the
> tag CERTISSUER.  If the resulting value is RELAY, relaying is allowed.
> If it is SUBJECT, the DN of the cert subject is looked up next in the
> access map using the tag CERTSUBJECT.  If the value is RELAY, relaying
> is allowed.


Then I would need client certificates, wouldn't I? 

-- 
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET



Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?

2007-06-30 Thread Matt

Brian Candler wrote:

> > > > In their homedir there is a `ln -s` to their /var/www/home/username
> > > > webspace. That webspace is chowned username:www and chmodded 770 so
> > > > httpd can access/write to their dir as well.
> > > > Is that advisable / workable? Other ideas?
> > >
> > > You don't want the www user being able to write to your web space.
> > > Think about it.
> > >
> > > DS
> >
> > Just did - blush
> > Thanks for pointing that out.
> > So that should be chmod 750.
>
> You've raised an interesting point though. This is fine if all they want to
> do is serve static content. But it gets hairier if they want to run CGIs,
> and even hairier again if they want to run long-lived processes which handle
> multiple requests (such as Rails, or mod_php for php intensive sites)
>
> You don't want user 1's web applications to be able to access data in user
> 2's web application storage space. 

I will only be using mod_php. In the past, without the user shell 
accounts, this has worked rather well for me in combination with the 
open_base_dir directive in the VirtualHost.
This binds PHP's abilities to the specified directory (or directories) 
for that specific virtual host.

Am I overlooking something with that setup?
I get the impression from your reply this might be rather unsafe?

Thanks,
Matt



Config problem of Intel 915GM

2007-06-30 Thread Alex Kwan
Hello!

When I exit from X, I got the following warning message:
I810: No matching Device section for instance (BusID PCI:0:2:1) found

I tried to edit the BusID PCI:0:2:0 to BUSID PCI:02:0 in Section Device
of xorg.conf,
but then X can't start. What is the problem and how do I fix it? Thanks!



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Claus Assmann
On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> Claus Assmann [EMAIL PROTECTED] writes:
>
> > > I get the dreaded 'Relaying denied. Proper authentication needed.'
> >
> > You don't need AUTH, STARTTLS is sufficient. See cf/README:
>
> Then I would need client certificates, wouldn't I? 

Yes.  As you have a cert for your server, why not create
one for your client? It's barely more complicated than
exchanging the credentials for AUTH, but STARTTLS is
much simpler to set up than AUTH (i.e., Cyrus-SASL).



problem of Intel 915GM

2007-06-30 Thread Alex Kwan

Hello!

When I exit from X, I got the following warning message:
I810: No matching Device section for instance (BusID PCI:0:2:1) found

I tried to edit the BusID PCI:0:2:0 to BusID PCI:0:2:1 in Section Device
of xorg.conf, but then X can't start. What is the problem and how do I 
fix it? Thanks!




ssh and sudo, password not hidden

2007-06-30 Thread Tom Van Looy

Hi

Today I used sudo as command to ssh and it echoed my sudo password.

[EMAIL PROTECTED] ~]
$ ssh soekris sudo pfctl -s state
[EMAIL PROTECTED]'s password:
Password:secret_in_echo
<output of pfctl>
[EMAIL PROTECTED] ~]
$

I don't see anything about this in the manpage, so I think this is not 
expected behaviour. Normally I ssh from an Ubuntu box to the firewall, 
but to be sure, I ssh-ed to localhost on the openbsd box and I got the 
same result. What's wrong?


Kind regards,

Tom Van Looy



Re: ssh and sudo, password not hidden

2007-06-30 Thread Chris Cohen
On Saturday 30 June 2007 19:31, Tom Van Looy wrote:
> Hi
>
> Today I used sudo as command to ssh and it echoed my sudo password.
>
> [EMAIL PROTECTED] ~]
> $ ssh soekris sudo pfctl -s state
> [EMAIL PROTECTED]'s password:
> Password:secret_in_echo
> <output of pfctl>
> [EMAIL PROTECTED] ~]
> $
>
> I don't see anything about this in the manpage so I think this not
> expected behaviour. Normally I ssh from an Ubuntu box to the firewall,
> but to be sure, I ssh-ed to localhost on the openbsd box and I got the
> same result. What's wrong?

Add -t to your ssh command:

     -t      Force pseudo-tty allocation.  This can be used to execute
             arbitrary screen-based programs on a remote machine, which can
             be very useful, e.g. when implementing menu services.  Multiple
             -t options force tty allocation, even if ssh has no local tty.


-- 
Greetings
Chris



Re: ssh and sudo, password not hidden

2007-06-30 Thread Firas Kraiem

Tom Van Looy wrote:
> Hi
>
> Today I used sudo as command to ssh and it echoed my sudo password.
>
> [EMAIL PROTECTED] ~]
> $ ssh soekris sudo pfctl -s state
> [EMAIL PROTECTED]'s password:
> Password:secret_in_echo
> <output of pfctl>
> [EMAIL PROTECTED] ~]
> $
>
> I don't see anything about this in the manpage so I think this not 
> expected behaviour. Normally I ssh from an Ubuntu box to the firewall, 
> but to be sure, I ssh-ed to localhost on the openbsd box and I got the 
> same result. What's wrong?
>
> Kind regards,
>
> Tom Van Looy

Same here on both my OBSD, Slackware and Ubuntu machines, certainly a 
bug in sudo...


Firas

--
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Fredrik Staxeng
Claus Assmann [EMAIL PROTECTED] writes:

> On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> > Claus Assmann [EMAIL PROTECTED] writes:
> >
> > > > I get the dreaded 'Relaying denied. Proper authentication needed.'
> > >
> > > You don't need AUTH, STARTTLS is sufficient. See cf/README:
> >
> > Then I would need client certificates, wouldn't I? 
>
> Yes.  As you have a cert for your server, why not create
> one for your client? It's barely more complicated than
> exchanging the credentials for AUTH, but STARTTLS is
> much simpler to set up than AUTH (i.e., Cyrus-SASL).

I have a self-signed server cert that I created using commands that
I barely understand. I have no idea where to start.

I guess I need a CA key, and CA cert. Then I need to make sendmail
trust the new cert? Then I can generate a key, signing request,
and certificate, and make a PKCS12 file, which seems to be what 
Thunderbird wants.

Would it be something like this:

openssl dsaparam 1024 -out dsa1024.pem
openssl gendsa -out client.key dsa1024.pem
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA /etc/ssl/sendmailcert.pem \
    -CAkey /etc/ssl/private/sendmail.pem -CAcreateserial -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

-- 
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET
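One way to carry out the steps Fredrik sketches, added here as an example rather than code from the thread or from sendmail: the existing self-signed server certificate and key (the confSERVER_CERT / confSERVER_KEY pair from the .mc file) act as the CA, the client gets a key, CSR, CA-signed certificate and PKCS#12 bundle, and openssl verify checks that the client certificate chains back to that CA, which is the condition behind ${verify} == OK in the cf/README text quoted earlier. The CA is generated into a scratch directory so the script runs offline; on the server the paths would be /etc/ssl/sendmailcert.pem and /etc/ssl/private/sendmail.pem. The names mail.example.org and laptop and the export password are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: issue a client cert signed by the
# sendmail server cert/key acting as CA, and check that it verifies.
set -eu

# make_ca DIR CN : self-signed certificate + key that will act as the CA
# (stands in for /etc/ssl/sendmailcert.pem and /etc/ssl/private/sendmail.pem)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/sendmail.pem" -out "$1/sendmailcert.pem" 2>/dev/null
}

# issue_client DIR NAME : key, CSR, CA-signed cert and a PKCS#12 bundle for the MUA
issue_client() {
    dir=$1 name=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # -CA/-CAkey sign the request with the CA key; -signkey would instead
    # self-sign and put the signing key's public key into the certificate
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/sendmailcert.pem" -CAkey "$dir/sendmail.pem" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
    # the export password is a constructed placeholder
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -out "$dir/$name.p12" -passout pass:changeit 2>/dev/null
}

# verify_client CAFILE CERT : succeeds only if CERT chains to CAFILE,
# i.e. what sendmail needs for ${verify} == OK
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_issuer CERT : issuer DN in RFC 2253 form, the value that sendmail
# looks up under the CERTISSUER tag in the access map (map encoding aside)
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# stand-alone run: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_ca "$d" mail.example.org
    issue_client "$d" laptop
    if verify_client "$d/sendmailcert.pem" "$d/laptop.crt"; then
        echo "laptop.crt chains to issuer $(cert_issuer "$d/laptop.crt")"
    fi
    echo "bundle to import into the mail client: $d/laptop.p12"
fi
```

The .p12 is what the mail client imports; on the server side the issuer DN printed by cert_issuer is the one to list in the access map under the CERTISSUER tag, encoded as cf/README describes, and a certificate from any other issuer fails verify_client and therefore falls back to the usual relaying rules.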



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Claus Assmann
On Sat, Jun 30, 2007, Fredrik Staxeng wrote:

> I have a self-signed server cert that I created using commands that
> I barely understand. I have no idea where to start.

By reading the fine instructions :-)
man starttls
sendmail operations guide: doc/op/op.*

> I guess I need a CA key, and CA cert. Then I need to make sendmail

You seem to have those already.

> trust the new cert? Then I can generate a key, signing request,
> and certificate, and make a PKCS12 file, which seems to be what 
> Thunderbird wants.

Sorry, I can't help you with Thunderbird.



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Fredrik Staxeng
Claus Assmann [EMAIL PROTECTED] writes:

> On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
>
> > I have a self-signed server cert that I created using commands that
> > I barely understand. I have no idea where to start.
>
> By reading the fine instructions :-)
> man starttls

I have read that, done that. Nothing about client certs there.  

> sendmail operations guide: doc/op/op.*

Section 6.6? Nor there.

Earlier you wrote:

> Yes.  As you have a cert for your server, why not create
> one for your client? It's barely more complicated than
> exchanging the credentials for AUTH, but STARTTLS is
> much simpler to set up than AUTH (i.e., Cyrus-SASL).

I am not optimistic that it will be as simple as that implies. 
I have tried to understand x509 and openssl before. 

Anyway, you are the maintainer of the free version of sendmail?
Would you consider putting in LOGIN/PLAIN support without SASL?
It would improve the functionality of the OpenBSD default install.


-- 
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET



Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?

2007-06-30 Thread Brian Candler
On Sat, Jun 30, 2007 at 05:51:22PM +0200, Matt wrote:
> > You don't want user 1's web applications to be able to access data in user
> > 2's web application storage space. 
> I will only be using mod_php. In the past, without the user shell 
> accounts, this has worked rather well for me in combination with the 
> open_base_dir directive in the VirtualHost.
> This binds PHP's abilities to the specified directory (or directories) 
> for that specific virtual host.
>
> Am I overlooking something with that setup?
> I get the impression from your reply this might be rather unsafe?

I'm no PHP expert. If you're sure the PHP interpreter will restrict your
users' accounts to their own directory, then good. But note:

- you must trust it to enforce this in all possible circumstances
  (rather obviously, for example, your users' PHP scripts must not be able
  to fork/exec any external program or script which could have been written
  by the user, nor load any untrusted C extensions, nor modify the
  environment for external programs);

- you must trust both the PHP interpreter and the web server not to have any
  remotely-exploitable holes, since anyone who breaks in as the web server
  user will have read *and* write access to everyone's data files;

- you must be sure that as well as locking everything down, you've not
  inadvertently left any way for users to change the restrictions (e.g.
  in .htaccess)

Now, finding documentation for this feature was hard. It appears that it's
actually called open_basedir, not open_base_dir. See
http://www.php.net/manual/en/features.safe-mode.php

It looks like every single library function in PHP which opens files must
validate this setting. Given PHP's security track record, I'm not sure I'd
bet my business on it.

You'll also need to take care with file permissions, given that you're now
giving shell accounts to each user with their own uids. Each user will need
to have read/write access on their own files of course, and grant read/write
access to the webserver's gid, but without being members of the webserver
group themselves (otherwise they'd be able to read/write all the other
users' files). You may be able to achieve this by suitable checks on the
top-level directory, and making files world-writable inside (ergh).
Otherwise, welcome to sticky-bit city :-)

Regards,

Brian.
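A way to check the layout discussed in this sub-thread, added here as an example rather than anything Brian or Matt posted: an audit that finds world-writable entries and group-writable directories (the 770 case, where the www group can write into a user's space), and a hardening step that applies the 750/640 layout that is enough for static content. The sample tree and user names are constructed; the chown to user:www is left to the administrator because it needs root, and the audit only looks at mode bits.

```shell
#!/bin/sh
# Added example, not from the thread: audit a per-user webspace tree
# (/var/www/home/<user>, owner <user>, group www, as in Matt's setup) for
# the permission mistakes discussed above, then apply the conservative fix.
set -eu

# audit_webspace ROOT : one finding per line, nothing if the tree is clean
audit_webspace() {
    # world-writable entries: any local account, not just the owner or the
    # web server, could plant or alter content
    find "$1" ! -type l -perm -002 -exec printf 'world-writable: %s\n' {} \;
    # group-writable directories: with group www this is the "770" case,
    # where a compromised httpd can create files in the user's space
    find "$1" -type d -perm -020 -exec printf 'group-writable dir: %s\n' {} \;
}

# webspace_clean ROOT : exit status 0 when audit_webspace reports nothing
webspace_clean() {
    [ -z "$(audit_webspace "$1")" ]
}

# harden_webspace ROOT : 750 on directories, 640 on files: owner read/write,
# web server group read-only, nothing for others
harden_webspace() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# make_sample_webspace ROOT : constructed tree with the two mistakes
make_sample_webspace() {
    mkdir -p "$1/alice/public_html" "$1/bob/public_html"
    printf 'hello\n' > "$1/alice/public_html/index.html"
    printf 'hello\n' > "$1/bob/public_html/index.html"
    chmod 750 "$1/bob" "$1/bob/public_html" "$1/alice/public_html"
    chmod 640 "$1/alice/public_html/index.html"
    chmod 770 "$1/alice"                        # the 770 from the original question
    chmod 666 "$1/bob/public_html/index.html"   # a world-writable file
}

# stand-alone run: sh thisfile.sh demo   (or: audit_webspace /var/www/home)
if [ "${1:-}" = demo ]; then
    r=$(mktemp -d)
    make_sample_webspace "$r"
    echo "before:"; audit_webspace "$r"
    harden_webspace "$r"
    echo "after:";  audit_webspace "$r"
    rm -rf "$r"
fi
```

Run audit_webspace from cron against the real tree rather than once at setup time: the users have shell accounts, so the modes drift as they create files, and the audit is what catches a directory that has quietly gone back to 770.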



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Claus Assmann
On Sat, Jun 30, 2007, Fredrik Staxeng wrote:

> > man starttls
>
> I have read that, done that. Nothing about client certs there.  

sendmail doesn't care as long as it is a cert.

> Anyway, you are the maintainer of the free version of sendmail?

Yes.

> Would you consider putting in LOGIN/PLAIN support without SASL?

If someone sends a good patch: yes (see the website for the
correct address where to send patches). Note that this isn't
as simple as it might seem: the problem is where you store
the passwords for PLAIN. You certainly don't want to reuse
the existing system passwords.



following stable, extra file sets?

2007-06-30 Thread Aaron

Just a quick, hopefully easy, question for everyone.

I just installed a new 4.1 system, took a look at my options for keeping 
it up to date and decided that 'stable' would be best for me.  When i 
installed i chose bsd, base41, etc41, comp41 and man41.  I went through 
the following stable procedures verbatim and everything worked just 
fine as far as i can tell. 

What i found strange is now it seems as if i have gained the misc41 and 
game41 file sets as a result of following stable.  Does this sound 
correct?  Is there anyway to _not_  get these extra sets as part of 
following stable?  I don't know that it hurts anything, but I have no 
use for them on the system and would like to keep it as minimalistic as 
possible.


Thanks,

Aaron



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Lyndon Nerenberg

> If someone sends a good patch: yes (see the website for the
> correct address where to send patches). Note that this isn't
> as simple as it might seem: the problem is where you store
> the passwords for PLAIN. You certainly don't want to reuse
> the existing system passwords.


Put the authentication database behind a map; that way sendmail doesn't 
have to care.



--lyndon

  We've heard that a million monkeys at a million keyboards could produce
  the Complete Works of Shakespeare; now, thanks to the Internet, we know
  this is not true.
-- Robert Wilensky, University of California



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Fredrik Staxeng
Claus Assmann [EMAIL PROTECTED] writes:

> On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
>
> > > man starttls
> >
> > I have read that, done that. Nothing about client certs there.  
>
> sendmail doesn't care as long as it is a cert.

Surely it has to be signed with some key trusted by the particular 
sendmail server? 

> > Anyway, you are the maintainer of the free version of sendmail?
>
> Yes.
>
> > Would you consider putting in LOGIN/PLAIN support without SASL?
>
> If someone sends a good patch: yes (see the website for the
> correct address where to send patches). Note that this isn't
> as simple as it might seem: the problem is where you store
> the passwords for PLAIN. You certainly don't want to reuse
> the existing system passwords.

Well, that is exactly what I want to do. I use the system passwords 
for imap anyway, so why not? Of course, the channel must be protected
by SSL/TLS when you do that.  

-- 
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET



Re: following stable, extra file sets?

2007-06-30 Thread Firas Kraiem

Aaron wrote:
> Just a quick, hopefully easy, question for everyone.
>
> I just installed a new 4.1 system, took a look at my options for keeping 
> it up to date and decided that 'stable' would be best for me.  When i 
> installed i chose bsd, base41, etc41, comp41 and man41.  I went through 
> the following stable procedures verbatim and everything worked just 
> fine as far as i can tell.

Which procedure, exactly? Please provide a link.

> What i found strange is now it seems as if i have gained the misc41 and 
> game41 file sets as a result of following stable.  Does this sound 
> correct?  Is there anyway to _not_  get these extra sets as part of 
> following stable?  I don't know that it hurts anything, but I have no 
> use for them on the system and would like to keep it as minimalistic as 
> possible.
>
> Thanks,
>
> Aaron
--
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread Lyndon Nerenberg

> Well, that is exactly what I want to do. I use the system passwords
> for imap anyway, so why not? Of course, the channel must be protected
> by SSL/TLS when you do that.


Because there are a large number of IMAP clients that are not aware of 
LOGINDISABLED, and which will blindly attempt LOGIN or AUTH PLAIN in the 
absence of TLS (which they are not aware of, either).  Many IMAP clients 
predate RFC3501.  So those passwords (with the matching authentication 
ids) are going to be flying around the Internet in the clear no matter 
what you do.  Using the UNIX account password for IMAP (or POP) in this 
manner makes your system effectively password free.


--lyndon

  Specifications are for the weak and timid!



Re: problem of Intel 915GM

2007-06-30 Thread Matthieu Herrb

On 6/30/07, Alex Kwan [EMAIL PROTECTED] wrote:
> Hello!
>
> When I exit from the X, I got following warning message:
> I810: No matching Device section for instance (BusID PCI:0:2:1) found

This is just a warning. You can ignore it.

> I try to edit the BusID PCI:0:2:0 to BusID PCI:0:2:1 in Section Device
> of xorg.conf, but it can't start the X, what is the problem and how to
> fix it? thanks!


the 0:2:1 Id is generally a 2nd function corresponding to the
secondary output of the video card. You can setup a 2nd screen section
(together with a 2nd Device and a 2nd Monitor section) and enable
Xinerama to make use of it.



Re: following stable, extra file sets?

2007-06-30 Thread Aaron

James Hartley wrote:
> On 6/30/07, Aaron [EMAIL PROTECTED] wrote:
>
> > What i found strange is now it seems as if i have gained the
> > misc41 and
> > game41 file sets as a result of following stable.  Does this sound
> > correct?  
>
> The following link from the FAQ describes the roles of each file 
> set.  Perhaps this will provide some perspective.
>
> http://openbsd.org/faq/faq4.html#FilesNeeded




That is where I made the decisions on what sets to include on my initial 
install...  Choosing sets is not the problem, as I indicated in the 
first post, I *chose* bsd, base41, etc41, comp41 and man41 file sets 
as they were the required sets. 

The question is, when updating src and following stable, is there any 
way to _not_ have the game41 and misc41 installed when I do the make build.


Aaron



Re: following stable, extra file sets?

2007-06-30 Thread James Hartley
On 6/30/07, Aaron [EMAIL PROTECTED] wrote:

 What I found strange is now it seems as if I have gained the misc41 and
 game41 file sets as a result of following stable.  Does this sound
 correct?


The following link from the FAQ describes what the roles of each file set.
Perhaps this will provide some perspective.

http://openbsd.org/faq/faq4.html#FilesNeeded



Re: following stable, extra file sets?

2007-06-30 Thread Aaron

Firas Kraiem wrote:

Aaron wrote:

Just a quick, hopefully easy, question for everyone.

I just installed a new 4.1 system, took a look at my options for 
keeping it up to date and decided that 'stable' would be best for 
me.  When I installed I chose bsd, base41, etc41, comp41 and man41.  
I went through the following stable procedures verbatim and 
everything worked just fine as far as I can tell.


Which procedure, exactly ? Please provide a link.


Sorry about that..  Here is the procedure i follow when i update to 
'stable':


http://www.openbsd.org/faq/faq5.html#BldGetSrc

Following -Stable
If you wish to check out an alternative branch of the tree, such as 
the -stable branch, you will use the -r modifier to your checkout:


   # cd /usr
   # export [EMAIL PROTECTED]:/cvs
   # cvs -d$CVSROOT checkout -rOPENBSD_4_1 -P src

This will pull the src files from the OPENBSD_4_1 branch, which is also 
known as the Patch branch or -stable 
http://www.openbsd.org/stable.html. You would update the code similarly:


   # cd /usr/src
   # export [EMAIL PROTECTED]:/cvs
   # cvs -d$CVSROOT up -rOPENBSD_4_1 -Pd


# cd /usr/src/sys/arch/i386/conf
# config GENERIC
# cd ../compile/GENERIC
# make clean && make depend && make
   [...lots of output...]
# make install

and then to do the userland:

# rm -rf /usr/obj/*
# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build



What I found strange is now it seems as if I have gained the misc41 
and game41 file sets as a result of following stable.  Does this 
sound correct?  Is there any way to _not_ get these extra sets as 
part of following stable?  I don't know that it hurts anything, but I 
have no use for them on the system and would like to keep it as 
minimalistic as possible.


Thanks,

Aaron




Re: following stable, extra file sets?

2007-06-30 Thread Maurice Janssen
On Saturday, June 30, 2007 at 15:13:31 -0500, Aaron wrote:
What I found strange is now it seems as if I have gained the misc41 and 
game41 file sets as a result of following stable.  Does this sound 
correct?

Yes, that's the way make build works.  It compiles and installs
everything in the source tree.

Is there any way to _not_ get these extra sets as part of 
following stable?  I don't know that it hurts anything, but I have no 
use for them on the system and would like to keep it as minimalistic as 
possible.

I'm sure it's possible to modify the tree in some way to prevent this,
but that's not supported and it may break other things (like cvs
updates).
I guess the easiest way is to build a release on another system and
install only the file sets that you used during the initial
installation.

As an alternative, you can use the pre-built file sets from
ftp://ftp.su.se/pub/mirrors/openbsd_stable/, but those files are not
part of the project, so you have to decide for yourself whether you
trust the people who provide these sets or not.
In case it matters, I'm one of those people ;-)

best regards,
Maurice



Re: following stable, extra file sets?

2007-06-30 Thread Marco S Hyman
Maurice Janssen writes:
  Is there any way to _not_ get these extra sets as part of 
  following stable?  I don't know that it hurts anything, but I have no 
  use for them on the system and would like to keep it as minimalistic as 
  possible.
  
  I'm sure it's possible to modify the tree in some way to prevent this,
  but that's not supported and it may break other things (like cvs
  updates).

If you want to go unsupported and non-standard you can play with the
makefiles.   Games is easy: remove games from the list of SUBDIR in
/usr/src/Makefile.  misc is quite a bit harder as it contains
the documentation for thing that you still want built and installed.

  I guess the easiest way is to build a release on another system and
  install only the file sets that you used during the initial
  installation.

Or, let it install then remove the unneeded files.  The source contains
a list of everything in a set and in the case of misc everything is
machine independent.   After a build you could do something like this
(untested):

cd /
# remove the regular files
cat /usr/src/distrib/sets/lists/misc/mi |
while read f; do test -f "$f" && rm "$f"; done
# remove the directories
tail -r /usr/src/distrib/sets/lists/misc/mi |
while read d; do test -d "$d" && rmdir "$d"; done

// marc
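
The sketch above applies a sets list to the live filesystem. Below is an added example in Python, not code from the thread or from OpenBSD's own tools, that does the same against a throwaway sandbox, with a dry-run mode, a check that no list entry escapes the root, and deepest-first directory removal that keeps a directory another set still uses. It assumes the layout of /usr/src/distrib/sets/lists/*/mi (one './'-prefixed path per line); the entries and files it uses are constructed and are not the real contents of misc41.

```python
"""Added example (not from the thread, not OpenBSD's tooling): prune the
files of one distribution set using its sets list, against a sandbox.
Assumes the './path' per line layout of /usr/src/distrib/sets/lists/*/mi.
The sample entries are constructed, not the real contents of misc41."""
import os
import tempfile

# Constructed sample list; the last entry is deliberately bogus to show
# that entries escaping the root are refused rather than acted on.
SAMPLE_LIST = """\
./usr/share/doc
./usr/share/doc/psd
./usr/share/doc/psd/01.cacm
./usr/share/doc/psd/01.cacm/Makefile
./usr/share/doc/psd/01.cacm/cacm.ms
./usr/share/doc/usd
./usr/share/doc/usd/README
./../etc/passwd
"""

# Files the sandbox contains: the listed ones plus one local file that is
# not in the set, so its directory must survive the prune.
SANDBOX_FILES = [
    "usr/share/doc/psd/01.cacm/Makefile",
    "usr/share/doc/psd/01.cacm/cacm.ms",
    "usr/share/doc/usd/README",
    "usr/share/doc/README.local",
]


def read_set_list(text):
    """Return the list entries as relative paths without the './' prefix,
    skipping blank and comment lines, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("./"):
            line = line[2:]
        entries.append(line)
    return entries


def prune_set(root, entries, dry_run=True):
    """Remove, or with dry_run only classify, every listed path under root.

    Files go first. Directories are then tried deepest first and removed
    only when everything left in them was removed by this run, so a
    directory shared with another set survives. Entries that resolve
    outside root are refused. Returns relative paths grouped by outcome."""
    root = os.path.realpath(root)
    prefix = root.rstrip(os.sep) + os.sep
    result = {"files": [], "dirs": [], "kept_dirs": [], "unsafe": [], "missing": []}
    gone = set()
    safe = []
    for rel in entries:
        full = os.path.normpath(os.path.join(root, rel))
        if full != root and not full.startswith(prefix):
            result["unsafe"].append(rel)
            continue
        safe.append((rel, full))
    for rel, full in safe:
        if os.path.islink(full) or os.path.isfile(full):
            if not dry_run:
                os.remove(full)
            result["files"].append(rel)
            gone.add(full)
        elif not os.path.isdir(full):
            result["missing"].append(rel)
    # Deepest first, so a child directory is decided before its parent.
    for rel, full in sorted(safe, key=lambda e: e[1].count(os.sep), reverse=True):
        if os.path.islink(full) or not os.path.isdir(full):
            continue
        if any(os.path.join(full, c) not in gone for c in os.listdir(full)):
            result["kept_dirs"].append(rel)
            continue
        if not dry_run:
            os.rmdir(full)
        result["dirs"].append(rel)
        gone.add(full)
    return result


def make_sandbox():
    """Create the throwaway tree and return its root."""
    root = tempfile.mkdtemp(prefix="setprune-")
    for rel in SANDBOX_FILES:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
    return root


def exists_in(root, rel):
    """True if rel still exists under root (handy for checking results)."""
    return os.path.lexists(os.path.join(root, rel))


if __name__ == "__main__":
    root = make_sandbox()
    entries = read_set_list(SAMPLE_LIST)
    print("dry run:", prune_set(root, entries, dry_run=True))
    print("for real:", prune_set(root, entries, dry_run=False))
```

Run it with root set to "/" only after reading the dry-run output; the dry run and the real run classify paths identically, so what it reports is what it will delete.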



Re: following stable, extra file sets?

2007-06-30 Thread Aaron

Marco S Hyman wrote:

Maurice Janssen writes:
  Is there any way to _not_ get these extra sets as part of 
  following stable?  I don't know that it hurts anything, but I have no 
  use for them on the system and would like to keep it as minimalistic as 
  possible.
  
  I'm sure it's possible to modify the tree in some way to prevent this,

  but that's not supported and it may break other things (like cvs
  updates).

If you want to go unsupported and non-standard you can play with the
makefiles.   Games is easy: remove games from the list of SUBDIR in
/usr/src/Makefile.  misc is quite a bit harder as it contains
the documentation for thing that you still want built and installed.

  I guess the easiest way is to build a release on another system and
  install only the file sets that you used during the initial
  installation.

Or, let it install then remove the unneeded files.  The source contains
a list of everything in a set and in the case of misc everything is
machine independent.   After a build you could do something like this
(untested):

cd /
# remove the regular files
cat /usr/src/distrib/sets/lists/misc/mi |
while read f; do test -f "$f" && rm "$f"; done
# remove the directories
tail -r /usr/src/distrib/sets/lists/misc/mi |
while read d; do test -d "$d" && rmdir "$d"; done

// marc

  
Ok this has answered the question, and thanks. This raises another 
question for me.. If updating just the sets that you install, and I am 
making an assumption here that people would want to update code when 
needed, and be supported, why even give the choice on which sets to 
install initially if the two extra sets will be installed anyway during 
the supported method of updating?


Thanks again,

Aaron



Intel 975X Express Chipset supported?

2007-06-30 Thread Juan Miscaro
Is the Intel 975X Express Chipset supported by OpenBSD 4.1 ?

Thank you,

Juan





Re: following stable, extra file sets?

2007-06-30 Thread David Higgs

On 6/30/07, Aaron [EMAIL PROTECTED] wrote:

Ok this has answered the question, and thanks. This raises another
question for me.. If updating just the sets that you install, and I am
making an assumption here that people would want to update code when
needed, and be supported, why even give the choice on which sets to
install initially if the two extra sets will be installed anyway during
the supported method of updating?


Keep in mind there is more than one way of updating in a supported
manner.  Applying the errata patches rarely requires a full userland
rebuild.  Also, you can make a -stable release(8) on one machine and
still choose your sets whenever you install/upgrade from them.

--david



Re: Intel 975X Express Chipset supported?

2007-06-30 Thread Chris Cappuccio
The 965 works fine for me.  I use the pci-e slot with an 8x raid controller
instead of a 16x video card.  The CPU is the cheapest 512k cache celeron D that
I could find, they are really fast and around $40-$50.

Juan Miscaro [EMAIL PROTECTED] wrote:
 Is the Intel 975X Express Chipset supported by OpenBSD 4.1 ?
 
 Thank you,
 
 Juan
 
 

-- 
The lessons of history teach us - if they teach us anything - that nobody
learns the lessons that history teaches us. - Paul Robinson



Re: following stable, extra file sets?

2007-06-30 Thread Aaron

David Higgs wrote:

On 6/30/07, Aaron [EMAIL PROTECTED] wrote:

Ok this has answered the question, and thanks. This raises another
question for me.. If updating just the sets that you install, and I am
making an assumption here that people would want to update code when
needed, and be supported, why even give the choice on which sets to
install initially if the two extra sets will be installed anyway during
the supported method of updating?


Keep in mind there is more than one way of updating in a supported
manner.  Applying the errata patches rarely requires a full userland
rebuild.  Also, you can make a -stable release(8) on one machine and
still choose your sets whenever you install/upgrade from them.

--david

That sounds good, and i read http://www.openbsd.org/faq/upgrade41.html 
about upgrading, and http://www.openbsd.org/faq/faq5.html#Release


When following stable with the method described in the faq, I didn't 
notice anything about final steps as outlined in the upgrade faq.  Can 
I safely assume since I'm not in fact upgrading, only updating, that I 
wouldn't have to worry about upgrading /etc, new users and groups, 
operational changes, /etc file changes and checking the kernel as 
described in the final steps of the upgrade faq?  Would this leave all 
of my /etc files intact with any changes I have made?


Thanks,

Aaron



Re: [OT] Open Source OSS for OpenBSD?

2007-06-30 Thread Shawn K. Quinn
On Thu, 2007-06-14 at 19:23 -0600, Theo de Raadt wrote:
 I have been throwing around a phrase for a few weeks.  Perhaps it
 should
 be popularized.
 
 OpenBSD is free as in air.

Unfortunately, Richard Stallman beat you to this one by about 24 years.
He never popularized it, but this was one of the phrases he used in the
first posts announcing the GNU project.

-- 
Shawn K. Quinn [EMAIL PROTECTED]



Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?

2007-06-30 Thread Chris Cappuccio
I've found that most clients don't need or expect to login to a web server.
The handful of people that do can be given their own dedicated server to use
or something like that.  For the rest, just give each domain name/user
their own httpd instance running with its own config, its own unix user, and
its own IP address.  Or give each domain two users: one user to own the file
system and a separate one that is selectively given permission to write within
that filesystem.  Run httpd chrooted, and you can use any module you want
without sharing write permissions between unix users (shared webhosting evil).
Give all the users chrooted access to their own web root files through ftp or
sftp.  I've never tried to chroot sftp, or at least there is no obvious way
to do it to me.  But, since no unix user needs access to another's directory
tree, it's pretty easy to lock people out of places they don't need to be.

You need to give SSL users their own IP address anyways, and this technique
makes it easier to ensure security on a shared server.  It is a bit more
resource intensive since each virtual host has several apache processes
running, but apache will scale down the number of processes when hits
are low and modern hardware is fast and big enough that this becomes a decent
compromise for resource usage (versus multiple virtualized OS servers or
whatever.)

For email it is nice to keep the users in an sql or ldap database, use
one of a million web/database mangement tools for it, and point your
software to use it.  I like postfix and dovecot but i am not overjoyed
with any of the mediocre web tools for managing the virtual users and
whatever else.  A well thought out database driven system can be fairly
easy to scale as disk or cpu load increases by using multiple data stores,
pop/imap proxies and multiple front end spam processors.  There are lots of
examples of these sorts of designs available through google so I won't bore
you anymore.

Also if you have the right kind of user population, a significant percentage
expect MS Frontpage support.  These are always the same people who don't ever
ask for shell access.  MS Frontpage is fairly easy to do with some mod_rewrite
rules and a custom CGI that calls the MS cgi (i386 bsdos executable). 
There are almost certainly buffer overflows in the MS cgi.  So if you
are running a chrooted per-user apache installation, you can theoretically
limit potential damage to the user.  suexec would be the only privileged
binary in the chroot (and not necessary if the apache user has write
permission where expected).

Chris
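
Chris's model gives each site an owning account and a separate account that is selectively allowed to write. The script below is an added example, not code from the thread or from any hosting setup, that checks one site's tree against that model: every path owned by the site owner, write access only through one writer group, nothing world-writable, and no symlink pointing out of the tree. It runs against a constructed sandbox using the current user's uid and gid, so no privileges are needed.

```python
"""Added example (not from the thread or any hosting setup): audit one
virtual host's tree for the per-site ownership model described above.
The sandbox is constructed and uses the current user's uid/gid so the
example runs unprivileged."""
import os
import stat
import tempfile


def audit_webroot(root, owner_uid, writer_gid):
    """Return sorted (relative path, problem) pairs for paths under root
    that break the model: owned by someone other than the site owner,
    world-writable, group-writable by a group other than the writer
    group, or a symlink resolving outside root. Symlinks are inspected
    with lstat and never followed, so a tenant cannot use one to pull
    another tree into the audit."""
    root = os.path.realpath(root)
    prefix = root.rstrip(os.sep) + os.sep
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(full)
                if target != root and not target.startswith(prefix):
                    findings.append((rel, "symlink escapes root"))
                continue
            if st.st_uid != owner_uid:
                findings.append((rel, "not owned by site owner"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_mode & stat.S_IWGRP and st.st_gid != writer_gid:
                findings.append((rel, "group-writable by a group other than the writer group"))
    return sorted(findings)


def make_sandbox():
    """Constructed site tree: a correctly set up directory and file, one
    world-writable CGI (the mistake to catch), and a symlink to /etc."""
    root = tempfile.mkdtemp(prefix="vhost-")
    htdocs = os.path.join(root, "htdocs")
    cgi = os.path.join(root, "cgi-bin")
    os.mkdir(htdocs)
    os.mkdir(cgi)
    os.chmod(htdocs, 0o775)  # the writer group may add files here
    os.chmod(cgi, 0o755)
    with open(os.path.join(htdocs, "index.html"), "w") as fh:
        fh.write("<html>constructed</html>\n")
    os.chmod(os.path.join(htdocs, "index.html"), 0o664)
    with open(os.path.join(cgi, "upload.cgi"), "w") as fh:
        fh.write("#!/bin/sh\necho constructed\n")
    os.chmod(os.path.join(cgi, "upload.cgi"), 0o777)  # world-writable
    os.symlink("/etc", os.path.join(htdocs, "etc"))
    return root


def sandbox_identity(root):
    """uid and gid carried by the sandbox's paths (the current user's)."""
    st = os.lstat(os.path.join(root, "htdocs"))
    return st.st_uid, st.st_gid


if __name__ == "__main__":
    root = make_sandbox()
    uid, gid = sandbox_identity(root)
    for rel, problem in audit_webroot(root, uid, gid):
        print("%-24s %s" % (rel, problem))
```

Passing the wrong writer group shows the other half of the check: every group-writable path whose group is not the one that is supposed to write gets reported, which is how a file accidentally left writable by a shared web group would surface.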



Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

2007-06-30 Thread a666
From: Fredrik Staxeng [EMAIL PROTECTED]

I have a server that runs OpenBSD 4.1, and a laptop running
Windows. I want
to use Thunderbird on the laptop to send mail via the server. The
laptop
connects from many different networks.

I would like to use port 587, since some isps blocks port 25.
I want to use my username/password to authenticate.
I want to use TLS to protect the password.


I've done experiments with what you are doing.  I found it simpler
to just get openvpn working with sendmail and popa3d.

But either way you might want to play with /etc/mail/relay-domains.