Re: non-interactive sh and SIGTERM

2018-11-22 Thread Olivier Taïbi
On Thu, Nov 22, 2018 at 05:14:38PM -0800, Philip Guenther wrote:
> On Thu, Nov 22, 2018 at 3:08 PM Olivier Taïbi  wrote:
> 
> > It seems that non-interactive sh(1) (i.e. sh -c command or sh file)
> > ignores the TERM signal. I'm surprised, is this the intended behaviour?
> > The man page says that interactive shells will ignore SIGTERM, but does
> > not mention the non-interactive case.
> >
> 
> In my quick test it doesn't ignore SIGTERM, so you'll need to provide
> additional information for us to help you.

Oops, I did not notice that sh ignores SIGTERM on my -current
installation but not on 6.4 (different machine though). The minimal test
is:
  sh -c 'sleep 1000'
then kill this sh process. Nothing happens, but killing the sleep
process terminates it.

In fact it is not completely true that sh ignores SIGTERM, but it seems
that it is waiting for the current running command to terminate on its
own, rather than forwarding the signal. That is, after running
  sh -c 'while [ -z "" ]; do sleep 10; echo test; done'
and sending SIGTERM to sh, it will terminate (and print 'Terminated')
after the sleep is complete.

I did not imagine this was recent because I thought that this behaviour
was the reason for this bug:
https://github.com/lervag/vimtex/issues/1032
that I can reproduce.

Thanks for your help.

> 
> Philip Guenther
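The pattern Olivier describes above, a shell that only acts on a signal once the command it is running has finished, is what a wrapper script has to work around if it is to stop promptly when killed. Whether an untrapped SIGTERM is delivered to sh(1) at once is, as the thread shows, something to test on the shell you actually run; what POSIX does promise is only that a trapped signal is acted on after the current foreground command completes. The following is an added example, not code from the thread or from OpenBSD's sh(1): a POSIX sh function that runs the command in the background, forwards TERM to it and then waits until the child has really been collected. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: a wrapper that forwards SIGTERM to
# the command it runs instead of sitting on it until the command finishes.
#
# POSIX only promises that a trapped signal is acted on after the current
# foreground command completes, so the child is started with '&' and
# collected with 'wait', which a trapped signal does interrupt. Function and
# variable names are this example's own.

run_with_forwarding() {
    "$@" &
    child=$!

    # Pass TERM on to the child. The same pattern works for INT/HUP when the
    # wrapper is itself a foreground job (non-interactive shells ignore INT
    # in '&' lists, and an ignored signal cannot be trapped).
    trap 'kill -TERM "$child" 2>/dev/null' TERM

    # A trapped signal makes 'wait' return 128+signo without reaping the
    # child, so keep waiting until the child is actually collected. 'kill -0'
    # succeeds for as long as the pid exists, zombie included, which makes
    # the loop deterministic rather than timing-dependent.
    wait "$child"
    status=$?
    while kill -0 "$child" 2>/dev/null; do
        wait "$child"
        status=$?
    done

    trap - TERM
    return "$status"
}

# Run as: sh this_script.sh sleep 1000, then 'kill -TERM <pid of this sh>'
# from another terminal. The wrapper returns right away with status 143
# (128 + SIGTERM) instead of after the sleep completes.
if [ "$#" -gt 0 ]; then
    run_with_forwarding "$@"
fi
```

Compare this with `sh -c 'sleep 1000'` from the thread: there the sleep is a foreground command, so nothing in the script gets a chance to react until it exits, whatever the shell's own disposition of SIGTERM is.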



Re: non-interactive sh and SIGTERM

2018-11-22 Thread Philip Guenther
On Thu, Nov 22, 2018 at 3:08 PM Olivier Taïbi  wrote:

> It seems that non-interactive sh(1) (i.e. sh -c command or sh file)
> ignores the TERM signal. I'm surprised, is this the intended behaviour?
> The man page says that interactive shells will ignore SIGTERM, but does
> not mention the non-interactive case.
>

In my quick test it doesn't ignore SIGTERM, so you'll need to provide
additional information for us to help you.


Philip Guenther


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Chris Bennett
On Thu, Nov 22, 2018 at 02:21:41PM -0800, Misc User wrote:
> I'd look for software that has bug bounties.  I'd also look at the CVEs for
> each product and compare with the patch history.  The delay between a flaw
> being reported versus patched is going to be a much better indicator than

Yes, that would be very true. Too slow could mean it's not being taken
seriously enough. Which could mean the same for known, but unreported
flaws. Good advice.

> rate of patches.  I'd also consider the seriousness of the flaw being
> patched as well, like if it is due to a widespread issue (EG, Meltdown,
> heartbleed, etc) or if it is due to some basic programming error (Apple's
> "enter a blank password for root enough times and you'll get root" or
> Microsoft's "patching Windows 10 will obliterate your install because of a
> typo in the patch code that is supposed to leave c:\users\ alone").
> 

Yes, Windows 10 got wiped out on the first try, after three of their
6-month updates each needed about 8 attempts, eating up days of time I
wanted to use.

> Also, look for something that could support external authentication,
> especially something industry standard like LDAP, so you can use the
> authentication database all your service can use while not relying on
> whoever wrote the individual bits of software to have written something that
> doesn't suck.

Yeah, good plan.
I've written a fair amount of software that worked, but sucked.

>Also look for something that will allow the admin pages to be
> hosted on a different url from the user accessible stuff.
> 
> If you are handling payment or financial information, outsource it to
> something like paypal or another well-known payment processor.  While they
> aren't very secure, they are insured, so if they fuck something up, you
> aren't holding the bag and are very unlikely to be blamed for it by your
> users.
> 

Yes, I have used PayPal for my business. Not very active now, but I
really liked not being directly in the middle. "You are now being
directed to PayPal, we do not ever have any of your credit card info."
was very nice to say.
Yes, they do fuck things up. Got me once when they just decided to
change the phone number formatting without announcing it.

> As for number of servers, more than one is going to be the better way. If
> something has a port accessible by any old rando, you shouldn't be storing
> anything secure on it.  Especially if the server also stores something the
> user can craft (EG, photos from the forum, arbitrary text, etc).
> 

Dealing with that has had me really concerned. People really want to
upload all kinds of stuff. That's a good idea.

> As for ISPs, just assume they are all total shit (Most of them are anyway)
> and treat them like you would an open wireless network.  Don't use their DNS
> and encrypt everything you can.  Use static IPs if you can.  Don't allow
> passwords for ssh on anything public facing.  Only allow admin pages to be
> accessible from a private network (So that you'd need to use an ssh tunnel
> to get to it remotely)

Alright. Thanks.
This is helpful. Someone suggested off-list that I make up a flow chart
to plan out each step that needs to be taken. I'm getting good advice
now to help me start that. It's tough to pull this off.
But then, when is easy ever any real fun! :-}

Chris Bennett




non-interactive sh and SIGTERM

2018-11-22 Thread Olivier Taïbi
It seems that non-interactive sh(1) (i.e. sh -c command or sh file)
ignores the TERM signal. I'm surprised, is this the intended behaviour?
The man page says that interactive shells will ignore SIGTERM, but does
not mention the non-interactive case.



Re: Ospf adding new interface

2018-11-22 Thread Simen Stavdal
So, with 6.4 recently released, I just installed it rather than using
latest current - worked flawlessly - thank you.

ospfctl reload now picks up new interfaces added.

/S

On Sat, 29 Sep 2018 at 13:40, Stuart Henderson  wrote:

> On 2018/09/29 13:36, Simen Stavdal wrote:
> > Thanks Stuart,
> >
> > -vd just said the same, i.e. interface unknown, will try -current and
> > report back :)
>
> If it doesn't help, it would also be worth capturing "route -n monitor"
> output while adding.
>
>
>
> > Thanks,
> > Simon
> >
> > On Sat, 29 Sep 2018 at 13:06, Stuart Henderson  wrote:
> >
> > I've had problems at times with ospfd not seeing interfaces properly
> > after adding them, please try a -current snapshot and see if you can
> > replicate it, it's possible that a change made in June might help.
> >
> > Also maybe try running with ospfd -vd and see if you get anything unusual
> > logged when the interface is added or when you issue 'reload'.
> >
> >
> >
>


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Misc User

On 11/22/2018 12:56 PM, Chris Bennett wrote:
> On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote:
>> Hello Chris,
>>
>>   There is something extremely weird going on around lately. People
>> easily take offense where no offense was intended (and hard to find
>> anyway). Nick was just telling you that (in his expert opinion) you
>> shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
>> but concentrate on the real security instead. Unfortunately the real
>> security takes years of learning and experience, and can't be "advised" in
>> a couple of emails, but he provided a lot of valuable (and valid)
>> information (which you were not ready to digest, I guess).
>>   If you are allowing arbitrary code to run on your server you are
>> screwed with or without Spectre, otherwise there is nothing to spy on you
>> on that server (even if it's technically possible).
>>   If (any) government agency really wants to access your server, you are
>> writing to the wrong list, otherwise government installed spying chips (if
>> any) won't really hurt you. On the other hand, crapware (like Superfish)
>> might.
>>
>> BTW, your boss doesn't need to be stupid to compromise your password (or
>> keys), just a "normal" human. Security isn't grokkable by "normal" people.
>
> I'm actually sorry, Nick.
> I've got a personal situation that has me very touchy right now.
> But that's another issue completely.
>
> Since there is a forum, and one has to stay, I have a few questions.
> I looked over a lot of forums, both for features and security.
> I realized that I couldn't properly judge security.
> If a forum has a lot of security patches, does that mean that problems
> are being swiftly dealt with or that the forum has serious problems?
> If a forum doesn't have reported security patches, does that mean that
> it is good or just not maintained? I never thought about this before.
>
> It seems to me that a login username should not be allowed to be the
> displayed forum username. The real username is also used for purchases,
> membership activities, etc.
>
> I also think that passwords need to be enforced to be changed
> occasionally. What sort of timing delay is okay with users?
> Nobody really likes changing passwords, but since so many people use the
> same one all over the place, it seems like a good idea since they would
> then be forced to have a different one from the rest.
>
> There is a need for pretty secure stuff, like the forum and membership,
> purchases, etc.
> But also very secure activities. Seems to me that 2 servers (or more)
> would be best to accomplish this. Any disagreement or other suggestions?
> The main website is probably the most important objective right now.
> It's what the public sees. And if (which means when, not if) I make a
> mistake, the world won't come tumbling down.
>
> Thanks all,
> Chris Bennett


I'd look for software that has bug bounties.  I'd also look at the CVEs 
for each product and compare with the patch history.  The delay between 
a flaw being reported versus patched is going to be a much better 
indicator than rate of patches.  I'd also consider the seriousness of 
the flaw being patched as well, like if it is due to a widespread issue 
(EG, Meltdown, heartbleed, etc) or if it is due to some basic
programming error (Apple's "enter a blank password for root enough times 
and you'll get root" or Microsoft's "patching Windows 10 will obliterate 
your install because of a typo in the patch code that is supposed to 
leave c:\users\ alone").


Also, look for something that could support external authentication, 
especially something industry standard like LDAP, so you can use the 
authentication database all your service can use while not relying on 
whoever wrote the individual bits of software to have written something 
that doesn't suck.  Also look for something that will allow the admin 
pages to be hosted on a different url from the user accessible stuff.


If you are handling payment or financial information, outsource it to 
something like paypal or another well-known payment processor.  While 
they aren't very secure, they are insured, so if they fuck something up, 
you aren't holding the bag and are very unlikely to be blamed for it by 
your users.


As for number of servers, more than one is going to be the better way. 
If something has a port accessible by any old rando, you shouldn't be 
storing anything secure on it.  Especially if the server also stores 
something the user can craft (EG, photos from the forum, arbitrary text, 
etc).


As for ISPs, just assume they are all total shit (Most of them are 
anyway) and treat them like you would an open wireless network.  Don't 
use their DNS and encrypt everything you can.  Use static IPs if you 
can.  Don't allow passwords for ssh on anything public facing.  Only 
allow admin pages to be accessible from a private network (So that you'd 
need to use an ssh tunnel to get to it remotely)


-CA
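The last two paragraphs above are a checklist a practitioner would want to verify rather than remember: no password logins on anything public-facing, admin pages reachable only over a private network or an ssh tunnel. The following is an added example, not code from the thread or from OpenSSH: a POSIX sh script that reads the global section of an sshd_config the way sshd does (first occurrence wins, names are case-insensitive, Match blocks are conditional) and reports the settings that would let a password be guessed over the network, with a constructed weak and a constructed hardened configuration side by side. Directive names and their defaults are those of sshd_config(5); the helper names and the sample files are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: check an sshd_config for the
# settings the advice above asks for on a public-facing host, and show a
# weak and a hardened configuration side by side. Directive names and
# defaults are those of sshd_config(5) as of OpenSSH 7.x; the helper names
# and the sample configurations are this example's own.

# Print the effective value of one directive in the global section of an
# sshd_config. sshd treats names case-insensitively and the first occurrence
# wins; everything after the first Match block is conditional and is ignored
# here (the 'Key=value' spelling sshd also accepts is not handled). $3 is the
# compiled-in default reported when the directive is absent.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/            { next }      # comments and blank lines
        tolower($1) == "match"    { exit }      # stop at the first Match block
        tolower($1) == key && !f  { f = 1; print tolower($2) }
        END                       { if (!f) print def }
    ' "$1"
}

# Report what is wrong with a config for a public-facing host; the return
# value is the number of findings, so 0 means it passed.
audit_sshd_config() {
    cfg=$1
    findings=0
    if [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" != no ]; then
        echo "$cfg: PasswordAuthentication is not 'no'; online password guessing stays possible"
        findings=$((findings + 1))
    fi
    # Keyboard-interactive auth is the other route by which a password prompt
    # can be reached (via PAM or BSD Auth), so it has to be off as well.
    if [ "$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)" != no ]; then
        echo "$cfg: ChallengeResponseAuthentication is not 'no'"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_effective "$cfg" PermitRootLogin prohibit-password)" = yes ]; then
        echo "$cfg: PermitRootLogin is 'yes'; root should only log in with a key, if at all"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configurations (not taken from any real host).
weak=$(mktemp)
hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT

# Weak: both password paths are left at their 'yes' defaults, and root may
# log in with a password.
cat >"$weak" <<'EOF'
Port 22
PermitRootLogin yes
EOF

# Hardened: keys only, root only by key. The Match block (passwords allowed
# from the management network only) is there to show that a conditional
# setting later in the file does not change the global answer.
cat >"$hardened" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

audit_sshd_config "$weak" || echo "$weak: $? finding(s)"
audit_sshd_config "$hardened" && echo "$hardened: no findings"
```

For the admin pages, binding them to loopback or to a management interface and reaching them with `ssh -L 8443:127.0.0.1:443 user@host` is the tunnel the advice refers to; with password authentication off, that tunnel is only as reachable as the key that opens it. On a live host, `sshd -T` prints the effective configuration after Match processing and is the authoritative check.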



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Chris Bennett
On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
> 
> all on one server?
> 
> And as someone who has run a number of mail servers for a number of
> companies ... don't.  Just don't.  Running your own mail server is a
> good way to accomplish nothing except wasting a lot of time and making
> people hate you.
> 

I got mad before thinking. Bad habit I need to break.
You are right.

We wouldn't want any of the "evil empires" for that.
That is a set policy already. So no Gmail, Yahoo, Microsoft, etc.
Can't control where the mail goes to however.

Outbound mail is going to be from forum topics, which I will change to
only reference the post, no content.
Requests for donations and about upcoming events.
Asking for immediate help when disasters or other events occur.
News topics.

How do I pick some company to do this?
I'll start looking up information now. Hadn't even occurred to me.
But exactly how does that work from our servers to theirs and back?

Thank you,
Chris Bennett




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Chris Bennett
On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote:
> Hello Chris,
> 
>   There is something extremely weird going on around lately. People
> easily take offense where no offense was intended (and hard to find
> anyway). Nick was just telling you that (in his expert opinion) you
> shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
> but concentrate on the real security instead. Unfortunately the real
> security takes years of learning and experience, and can't be "advised" in
> a couple of emails, but he provided a lot of valuable (and valid)
> information (which you were not ready to digest, I guess).
>   If you are allowing arbitrary code to run on your server you are
> screwed with or without Spectre, otherwise there is nothing to spy on you
> on that server (even if it's technically possible).
>   If (any) government agency really wants to access your server, you are
> writing to the wrong list, otherwise government installed spying chips (if
> any) won't really hurt you. On the other hand, crapware (like Superfish)
> might.
> 
> BTW, your boss doesn't need to be stupid to compromise your password (or
> keys), just a "normal" human. Security isn't grokkable by "normal" people.

I'm actually sorry, Nick.
I've got a personal situation that has me very touchy right now.
But that's another issue completely.

Since there is a forum, and one has to stay, I have a few questions.
I looked over a lot of forums, both for features and security.
I realized that I couldn't properly judge security.
If a forum has a lot of security patches, does that mean that problems
are being swiftly dealt with or that the forum has serious problems?
If a forum doesn't have reported security patches, does that mean that
it is good or just not maintained? I never thought about this before.

It seems to me that a login username should not be allowed to be the
displayed forum username. The real username is also used for purchases,
membership activities, etc.


I also think that passwords need to be enforced to be changed
occasionally. What sort of timing delay is okay with users?
Nobody really likes changing passwords, but since so many people use the
same one all over the place, it seems like a good idea since they would
then be forced to have a different one from the rest.


There is a need for pretty secure stuff, like the forum and membership,
purchases, etc.
But also very secure activities. Seems to me that 2 servers (or more)
would be best to accomplish this. Any disagreement or other suggestions?
The main website is probably the most important objective right now.
It's what the public sees. And if (which means when, not if) I make a
mistake, the world won't come tumbling down.

Thanks all,
Chris Bennett




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Chris Bennett
On Thu, Nov 22, 2018 at 10:50:38AM +, Kevin Chadwick wrote:
> On 11/20/18 4:43 PM, Chris Bennett wrote:
> > AMD? I have read about problems with non-CPU chips being compromised.
> > Another architecture? I have never used anything other than Intel/AMD.
> 
> I can't comment on SUN etc. but AMD would be the way to go if you can.
> 
> Theo has said in a recent presentation something along the lines of that AMD
> are far more considerate and apply the security checks first whereas Intel do
> so at the end!!
> 
> Many modern UEFI (bios) have very limited configuration enabled, however the
> configs the OEM has access to enable are larger than ever. It would be better
> if the functionality that caused them were not there by default but you may find
> these chip attacks can be mitigated for your scenario, quite easily with the
> right Vendor/OEM board?? Incidentally the Intel usb debug access has been there
> for years but it was a physical motherboard access only scenario until
> recently.
> 
> I can't help with a good vendor unfortunately. I have no fairly new, off the
> shelf commercial HW to inspect the BIOS of.
> 

Thanks.

After digging into many pages' source (I use NoScript, which has the
irritating side effect of actually hiding some of the JavaScript
present), I now see that they are using cloud hosting and some naughty
Google stuff. So I will get much more information about everything,
probably next week, since this is Thanksgiving weekend here.

So I will be having to select hardware to purchase.
I was assuming that AMD was the right choice, but I wanted to be sure.
I saw the presentation about Intel and AMD on the website. Intel's
behaviour was surprisingly terrible.

I'm not sure exactly what load of users I will have to deal with.
A ton of long-time members have been furious about the WordPress mess
that got put up. As in most forums, more people just read than post.

I'm not at all concerned about govt. snooping. Politics and groups have
gotten extraordinarily weird, odd and even violent in the US.
Their previous setup (before this current one) was hacked at least once.

I'm completely open to any suggestions. I just don't have a budget or a
for sure location to work from yet.
Things are bad enough that anything I do can only be helpful.
So that's pretty bad! :-{
I also want to hear any don't do this or work with this ISP, etc.

Thanks,
Chris Bennett




Re: Supermicro X7SPA-HF D510 and OpenBSD

2018-11-22 Thread Misc User

On 11/22/2018 6:13 AM, Stuart Henderson wrote:
> On 2018-11-22, Radek  wrote:
>> Hello,
>> does anybody run OpenBSD 6.3/amd64 or 6.4/amd64 on SUPERMICRO X7SPA-HF D510?
>> Does it work well together?
>>
>> I need to build a backup server (rsync only) with 2-3x 4TB HDD, 3U/4U Rack case
>> for better cooling. RAID is not needed.
>> It must be as silent as possible. Low power consumption is also welcomed.
>>
>> Thanks!
>
> Not sure if I have that *exact* board but I have something very similar,
> I wouldn't expect any problems with this.




I am running the X7SPA-HF-D525 version (Same board, different chip.  The 
D525 and D510 are really just the same chip anyway, just that the D510 
has a slightly different set of bits burned into the configuration fuses).


Everything seems to work just fine, only problems are that it can't 
support a lot of graphical modes (xenocara will run, just not very well, 
since the gpu only has 8 MB of memory and it comes from the main pool of 
memory anyway).  That and you can't communicate with the IPMI interface 
from within the OS (But doesn't prevent you from using the IPMI 
interface, you'd just need to do any configuration of it via BIOS or the 
IPMI's web interface).


dmesg from my system is below


OpenBSD 6.4 (GENERIC.MP) #0: Sat Nov 17 22:15:46 CET 2018
    r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4277665792 (4079MB)
avail mem = 4138745856 (3947MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9ac00 (19 entries)
bios0: vendor American Megatrends Inc. version "1.2" date 09/14/11
bios0: Supermicro X7SPA-HF
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET EINJ BERT ERST HEST
acpi0: wakeup devices P0P1(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.30 MHz, 06-1c-0a
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
cpu0: 512KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 207MHz
cpu0: mwait min=64, max=64, C-substates=0.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1872.00 MHz, 06-1c-0a
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
cpu1: 512KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 3 pa 0xfec0, version 20, 24 pins, remapped
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P0P1)
acpiprt2 at acpi0: bus 1 (P0P4)
acpiprt3 at acpi0: bus -1 (P0P5)
acpiprt4 at acpi0: bus -1 (P0P6)
acpiprt5 at acpi0: bus -1 (P0P7)
acpiprt6 at acpi0: bus 2 (P0P8)
acpiprt7 at acpi0: bus 3 (P0P9)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicmos0 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
ppb0 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:25:90:62:cc:46
ppb2 at pci0 dev 28 function 5 "Intel 82801I PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
em1 at pci3 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:25:90:62:cc:47
uhci0 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 3 int 23
uhci1 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 3 int 19
ehci0 at pci0 dev 29 function 7 "Intel 82801I USB" rev 0x02: apic 3 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x92
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 "Intel 82801IR LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801I AHCI" rev 0x02: msi, AHCI 1.2
ahci0: port 0: 3.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct fixed naa.50014ee2059bdbc4
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 

Re: Thank you

2018-11-22 Thread butresin
On 1109 0832, Wayne Oliver wrote:
> Hi All,
> 
> Just wanted to say thanks for the hard work, OpenBSD runs better than any
> other OS on my laptop.
> One thing that really stands out is suspend and resume, I have *never* had a
> Linux or Windows laptop do it properly.
> 
> Obviously everything else works great, I just wanted to point this out as
> people have the misconception that OpenBSD is not desktop/laptop friendly.
> 
> P.S. join is a great new addition too.
> 
> --
> Wayn0

Can we ask, what kind of laptop?



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Boris Goldberg
Hello Chris,

  There is something extremely weird going on around lately. People
easily take offense where no offense was intended (and hard to find
anyway). Nick was just telling you that (in his expert opinion) you
shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
but concentrate on the real security instead. Unfortunately the real
security takes years of learning and experience, and can't be "advised" in
a couple of emails, but he provided a lot of valuable (and valid)
information (which you were not ready to digest, I guess).
  If you are allowing arbitrary code to run on your server you are
screwed with or without Spectre, otherwise there is nothing to spy on you
on that server (even if it's technically possible).
  If (any) government agency really wants to access your server, you are
writing to the wrong list, otherwise government installed spying chips (if
any) won't really hurt you. On the other hand, crapware (like Superfish)
might.

BTW, your boss doesn't need to be stupid to compromise your password (or
keys), just a "normal" human. Security isn't grokkable by "normal" people.


Tuesday, November 20, 2018, 2:11:52 PM, you wrote:

CB> On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
>> On 11/20/18 11:43, Chris Bennett wrote:
>> > I am almost certainly going to be replacing with a new server for an
>> > organization I am a member of.
>> > With all of this mess with Meltdown, Spectre, insecure motherboard
>> > chips,etc.
>> > I am pretty clueless on exactly what is going to be a secure set of
>> > server hardware.
>> > Intel, well no.
>> > AMD? I have read about problems with non-CPU chips being compromised.
>> > Another architecture? I have never used anything other than Intel/AMD.
>> > 
>> > The server will run httpd, mailserver, PostgreSQL and somehow a good way
>> > for well encrypted messaging at times.
>> 
>> all on one server?
>> 
>> And as someone who has run a number of mail servers for a number of
>> companies ... don't.  Just don't.  Running your own mail server is a
>> good way to accomplish nothing except wasting a lot of time and making
>> people hate you.
>> 

CB> The mail server is ONLY intended for members of the organization.
CB> You would have me use gmail or yahoo?
CB> The organization is suing another group for slander.

>> > It is very likely to run out of Austin, Texas.
>> > I think that having a direct connection would be best, but would a
>> > proper setup make collocation OK?
>> 
>> You are using poorly defined buzzwords.  What you mean by a "direct
>> connection", "proper setup", "collocation" and what I mean are likely
>> very different.
>> 

CB> Well, then tell me some useful information. Correct my idiotic
CB> buzzwords. There was carefully noted in my message that I am facing new
CB> territory and need some advice.


>> > This isn't going to be my server, I will just be in charge. That's
>> > completely new for me.
>> > Any advice is really welcome, everywhere I read anything, hardware seems
>> > broken and insecure.
>> 
>> Pretty much all new HW is optimized in ways that we are now learning
>> (and has been known for a long time) introduce security problems.
>> However, most of the problems boil down to having malicious software
>> running in the control of someone else on the same physical machine YOUR
>> code is running on.
>> 
>> In short: No news.  Really.
>> 
>> If someone that wanted to do you evil lived in the same house as you,
>> you would not be comfortable, right?  What if you put up walls
>> (virtualization) that have proven to be about as robust as paper?
>> Does that make you feel any better?  Probably not.  Virtualization has
>> been proven -- over and over -- not terribly secure.  Now we have
>> cross-virtualization-platform ways of stealing data from other
>> processes.  Important? yes.  But in the big picture, it's similar to Yet
>> Another buffer overflow.
>> 

CB> To be quite frank, and I don't mean anything negative to others using
CB> virtualization, you couldn't pay me to even consider using something
CB> that idiotic for trying to make a "secure" setup. And using the "clouds"
CB> , to me, is getting just a little bit too "high".

>> So...split your tasks on different physical systems as much as possible.
>>  If your webserver is serving static pages, it's probably pretty robust.
>>  If it's running Wordpress or any other "any idiot can manage the web
>> page" apps or dynamic web pages for other reasons, it should be a
>> machine of its own and have no other important data on it.

CB> Yes, using that idiotic Wordpress crap is exactly one of many problems I
CB> am going to immediately fix. Whoever is in charge can't even make that
CB> work!

>> Your primary goal should be to keep the bad guys off your computer in
>> every sense.  And again...nothing new here.
>> 
>> But if security is your concern, you want real hw you control in every
>> sense.
>> 

CB> Which is exactly what my silly buzzwords was 

Re: Supermicro X7SPA-HF D510 and OpenBSD

2018-11-22 Thread Stuart Henderson
On 2018-11-22, Radek  wrote:
> Hello, 
> does anybody run OpenBSD 6.3/amd64 or 6.4/amd64 on SUPERMICRO X7SPA-HF D510? 
> Does it work well together?
>
> I need to build a backup server (rsync only) with 2-3x 4TB HDD, 3U/4U Rack 
> case for better cooling. RAID is not needed. 
> It must be as silent as possible. Low power consumption is also welcomed.
>
> Thanks!

Not sure if I have that *exact* board but I have something very similar,
I wouldn't expect any problems with this.




Re: XORG Doesnt start after syspatch

2018-11-22 Thread Manuel Solis
Thank you all, it worked!

Sorry for the trouble, i will search more next time.

On Wed, 21 Nov 2018 at 19:14,  wrote:

> If you are using startx, it won't work anymore after 001 security fix.
> Please switch to using xenodm(1).
>
> There were a couple of discussions on this list about this, you can search
> archives for more details.
>
> On Wed, Nov 21, 2018, at 4:12 PM, Manuel Solis wrote:
> > Hello Misc.
> >
> > I have installed 6.4 on a MacBook and it works great out of the box;
> > however, I notice that after I run syspatch and reboot, Xorg doesn't
> > start at all.
> >
> > I have done several tries like install64 - syspatch - error; install64
> > - fw_update - syspatch - error;
> >
> > Am I missing some sysctl trick?
> >
> > Thank you all.
> >
> > Manuel
> >
> > ===
> > === Xorg.0.log after syspatch with Xorg not working ===
> > ===
> > [39.473]
> > X.Org X Server 1.19.6
> > Release Date: 2017-12-20
> > [39.536] X Protocol Version 11, Revision 0
> > [39.562] Build Operating System: OpenBSD 6.4 amd64
> > [39.570] Current Operating System: OpenBSD mac.book 6.4 GENERIC.MP#364 amd64
> > [39.579] Build Date: 25 October 2018  11:39:05PM
> > [39.588]
> > [39.596] Current version of pixman: 0.34.0
> > [39.605] Before reporting problems, check http://wiki.x.org
> > to make sure that you have the latest version.
> > [39.605] Markers: (--) probed, (**) from config file, (==) default
> > setting,
> > (++) from command line, (!!) notice, (II) informational,
> > (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
> > [39.639] (==) Log file: "/home/msolis/.local/share/xorg/Xorg.0.log",
> > Time: Wed Nov 21 17:44:59 2018
> > [39.649] (==) Using system config directory
> > "/usr/X11R6/share/X11/xorg.conf.d"
> > [39.650] (==) No Layout section.  Using the first Screen section.
> > [39.650] (==) No screen section available. Using defaults.
> > [39.650] (**) |-->Screen "Default Screen Section" (0)
> > [39.650] (**) |   |-->Monitor ""
> > [39.650] (==) No monitor specified for screen "Default Screen Section".
> > Using a default monitor configuration.
> > [39.650] (==) Automatically adding devices
> > [39.650] (==) Automatically enabling devices
> > [39.650] (==) Not automatically adding GPU devices
> > [39.650] (==) Max clients allowed: 256, resource mask: 0x1f
> > [39.654] (==) FontPath set to:
> > /usr/X11R6/lib/X11/fonts/misc/,
> > /usr/X11R6/lib/X11/fonts/TTF/,
> > /usr/X11R6/lib/X11/fonts/OTF/,
> > /usr/X11R6/lib/X11/fonts/Type1/,
> > /usr/X11R6/lib/X11/fonts/100dpi/,
> > /usr/X11R6/lib/X11/fonts/75dpi/
> > [39.654] (==) ModulePath set to "/usr/X11R6/lib/modules"
> > [39.654] (II) The server relies on wscons to provide the list of input devices.
> > If no devices become available, reconfigure wscons or disable
> > AutoAddDevices.
> > [39.654] (II) Loader magic: 0x2de2fe71000
> > [39.654] (II) Module ABI versions:
> > [39.654] X.Org ANSI C Emulation: 0.4
> > [39.654] X.Org Video Driver: 23.0
> > [39.654] X.Org XInput driver : 24.1
> > [39.654] X.Org Server Extension : 10.0
> > [39.654] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
> > (Permission denied)
> > Check that you have set 'machdep.allowaperture=1'
> > in /etc/sysctl.conf and reboot your machine
> > refer to xf86(4) for details
> > [39.654] linear framebuffer access unavailable
> > [39.654] (II) LoadModule: "glx"
> > [39.656] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
> > [39.663] (II) Module glx: vendor="X.Org Foundation"
> > [39.663] compiled for 1.19.6, module version = 1.0.0
> > [39.663] ABI class: X.Org Server Extension, version 10.0
> > [39.663] (==) Assigned the driver to the xf86ConfigLayout
> > [39.663] (EE) No drivers available.
> > [39.663] (EE)
> > Fatal server error:
> > [39.671] (EE) no screens found(EE)
> > [39.680] (EE)
> > Please consult the The X.Org Foundation support
> >  at http://wiki.x.org
> >  for help.
> > [39.688] (EE) Please also check the log file at
> > "/home/msolis/.local/share/xorg/Xorg.0.log" for additional information.
> > [39.697] (EE)
> > [39.706] (EE) Server terminated with error (1). Closing log file.
> >
> > ==
> > ===working Xorg.0.log just after new installation =
> > ==
> > [50.434] (WW) checkDevMem: failed to open /dev/xf86 and /dev/mem
> > (Operation not permitted)
> > Check that you have set 'machdep.allowaperture=1'
> > in /etc/sysctl.conf and reboot your machine
> > refer to xf86(4) for details
> > [   

Supermicro X7SPA-HF D510 and OpenBSD

2018-11-22 Thread Radek
Hello, 
does anybody run OpenBSD 6.3/amd64 or 6.4/amd64 on SUPERMICRO X7SPA-HF D510? 
Does it work well together?

I need to build a backup server (rsync only) with 2-3x 4TB HDD, 3U/4U Rack case 
for better cooling. RAID is not needed. 
It must be as silent as possible. Low power consumption is also welcome.

Thanks!
-- 
radek



Re: current snapshot breaks ports? (strange libc versioning)

2018-11-22 Thread Kevin Chadwick
On 11/22/18 9:24 AM, Karel Gardas wrote:
> in an attempt to update today from ftp.spline.de I've been kicked out
> after -current update with pkg_add -u complaining about wrong libc
> versions. Packages complain like:

Likely you have a snapshot or packages out of sync. The packages take a lot
longer to build so wait and try again. Most of the time they work together but
not always. If you are running current, the best advice I can give is to rsync a
local repo of the snapshot and packages. Then you can also install packages
later without library compatibility issues.



OT: Https very slow since openbsd 6.1/Cipher String

2018-11-22 Thread Kevin Chadwick
On 11/21/18 4:00 PM, Gerhard Schweiger wrote on bugs@:
> Then comes in openbsd 6.1 amd64, and now the same huge speed difference
> between with or without encryption as  found on OpenBSD 6.4.Is there any
> tweak I could test or is this just bad luck on my VPS or something else?
> Speed goes down so badly you can notice it very clearly on photo gallery
> but even on static html, site is kind of "slow" when using https.

There were some constant time changes that had a significant impact. Not sure if
the impact was reduced or not or if that is even the cause here.

Lol, Google says https is faster without mentioning parameters! Akin to a lie,
evil or not.

If you can upgrade to hw or a processor with AES-NI (hw acceleration), I guess
you will be ~10* faster than you had before 6.1 with AES and still be constant 
time.

Incidentally, does anyone know a good ciphers string to select AES only on
OpenBSD httpd? I know it may use a bit more power for phone clients, but any
other downsides? All countries can use AES these days, right?



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Kevin Chadwick
On 11/20/18 4:43 PM, Chris Bennett wrote:
> AMD? I have read about problems with non-CPU chips being compromised.
> Another architecture? I have never used anything other than Intel/AMD.

I can't comment on SUN etc. but AMD would be the way to go if you can.

Theo has said in a recent presentation something along the lines of that AMD are
far more considerate and apply the security checks first whereas Intel do so at
the end!!

Many modern UEFI (bios) have very limited configuration enabled, however the
configs the OEM has access to enable are larger than ever. It would be better if
the functionality that caused them were not there by default but you may find
these chip attacks can be mitigated for your scenario, quite easily with the
right Vendor/OEM board?? Incidentally the Intel usb debug access has been there
for years but it was a physical motherboard access only scenario until recently.

I can't help with a good vendor unfortunately. I have no fairly new, off the
shelf commercial HW to inspect the BIOS of.



Re: alix 2d13 + 6.4: should it work?

2018-11-22 Thread Why 42? The lists account.


On Wed, Nov 21, 2018 at 05:37:05PM -0700, Theo de Raadt wrote:
> First time you need to
> 
> stty com0 
> set tty com0
> 
> then you can boot.
> 
> The installer will remember this for next time, but our kernel does not
> know the speed so early on.

That was it! Excellent:
boot> stty com0 38400
boot> set tty com0
switching console to com0

Kernel boot now looks like this:
cannot open hd0a:/etc/random.seed: No such file or directory
booting hd0a:/6.4/i386/bsd.rd: 3111423+1360896+3362824+0+454656 
[363995+98+289392+283301]=0x8ced6c
entry point at 0x2000d4

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2018 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.4 (RAMDISK_CD) #916: Thu Oct 11 14:00:12 MDT 2018
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
real mem  = 267976704 (255MB)
avail mem = 254033920 (242MB)
mainbus0 at root
bios0 at mainbus0: date 01/15/14, BIOS32 rev. 0 @ 0xfd0e4
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 
MHz, 05-0a-02
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
...

Some time later:
CONGRATULATIONS! Your OpenBSD install has been successfully completed!

Thanks Theo for the tip and for all the work!

Cheers,
Robb.



Re: current snapshot breaks ports? (strange libc versioning)

2018-11-22 Thread Otto Moerbeek
On Thu, Nov 22, 2018 at 10:24:02AM +0100, Karel Gardas wrote:

> 
> Hello,
> 
> in an attempt to update today from ftp.spline.de I've been kicked out
> after -current update with pkg_add -u complaining about wrong libc
> versions. Packages complain like:
> 
> Can't install png-1.6.35 because of libraries
> |library c.92.8 not found
> | /usr/lib/libc.so.92.6 (system): minor is too small
> | /usr/lib/libc.so.92.7 (system): minor is too small
> | /usr/lib/libc.so.93.0 (system): bad major
> 
> I guess this may already be a known issue, but chances are it's not, hence
> reporting.
> 
> Thanks!
> Karel
> 

Recently the libc major was incremented shortly after the minor was
incremented. Snaps already have the proper major, but packages are
lagging. Packages are built using machines that run a snapshot, so
this will solve itself in time.

-Otto
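The version rule behind those pkg_add diagnostics (the major must match exactly, the minor must be at least the one the package was linked against), as an added shell example that is not part of the thread; the spec and the candidate library paths are constructed from the messages above, not read from a live system:

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the shared-library check
# that pkg_add applies to a dependency spec such as "c.92.8". OpenBSD
# rule: the major must match exactly and the minor must be at least the
# one the package was linked against. All inputs here are constructed.

# check_lib SPEC CANDIDATE...
#   SPEC is "name.major.minor" as pkg_add prints it (e.g. c.92.8);
#   each CANDIDATE is a path such as /usr/lib/libc.so.93.0.
#   Prints one diagnostic per rejected candidate; returns 0 on the
#   first acceptable one, 1 if nothing satisfies the spec.
check_lib() {
    spec=$1; shift
    name=${spec%%.*}
    rest=${spec#*.}
    want_major=${rest%%.*}
    want_minor=${rest#*.}
    for path in "$@"; do
        file=${path##*/}              # e.g. libc.so.92.6
        case $file in
            "lib$name.so."*) ;;       # only libraries of this name
            *) continue ;;
        esac
        ver=${file#"lib$name.so."}    # e.g. 92.6
        major=${ver%%.*}
        minor=${ver#*.}
        if [ "$major" -ne "$want_major" ]; then
            echo "| $path (system): bad major"
        elif [ "$minor" -lt "$want_minor" ]; then
            echo "| $path (system): minor is too small"
        else
            echo "ok: $path satisfies $spec"
            return 0
        fi
    done
    echo "|library $spec not found"
    return 1
}

# Constructed reproduction of the thread: the package was linked against
# c.92.8 but the snapshot had already bumped libc to major 93.
check_lib c.92.8 /usr/lib/libc.so.92.6 /usr/lib/libc.so.92.7 /usr/lib/libc.so.93.0 \
    || echo "-> pkg_add refuses the package until it is rebuilt"
# Once packages are rebuilt on the new snapshot the spec becomes c.93.0:
check_lib c.93.0 /usr/lib/libc.so.92.7 /usr/lib/libc.so.93.0
```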



current snapshot breaks ports? (strange libc versioning)

2018-11-22 Thread Karel Gardas


Hello,

in an attempt to update today from ftp.spline.de I've been kicked out
after -current update with pkg_add -u complaining about wrong libc
versions. Packages complain like:

Can't install png-1.6.35 because of libraries
|library c.92.8 not found
| /usr/lib/libc.so.92.6 (system): minor is too small
| /usr/lib/libc.so.92.7 (system): minor is too small
| /usr/lib/libc.so.93.0 (system): bad major

I guess this may already be a known issue, but chances are it's not, hence
reporting.

Thanks!
Karel



Re: XORG Doesnt start after syspatch

2018-11-22 Thread Alexandre Ratchov
On Wed, Nov 21, 2018 at 06:12:55PM -0600, Manuel Solis wrote:
> Hello Misc.
> 
> I have installed 64 in a macbook and it works great and out of the box,
> however I notice that after I run syspatch and reboot, xorg doesn't start
> at all.
> 

Until this problem is fixed, Xorg must be started by root, for
instance with xenodm.