daily insecurity output gid change

2022-08-31 Thread Adriano Barbosa
Hi misc@

Recently my computer became unresponsive while backing up files
through nfs and I had to hard reset it. The night after this reboot I
got an insecurity warning with the message below. Could fsck change
the gid while trying to fix the file system or should I look for another
cause?

Thank you!
--
Adriano

Running security(8):

Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
usr/bin:
gid (0, 7)
mtree special: exit code 2



OpenBSD hangs in X, but mouse can still move (ThinkPad T470)

2022-08-31 Thread Hashim Mahmoud
(Sorry, I accidentally pressed Send in the middle of typing, ignore the
previous message...)

I've been using OpenBSD on a ThinkPad T470 for a couple of days now,
and the experience is very nice. However, I've noticed an issue that
occurred twice today: while I'm using cwm and a bunch of apps (Firefox,
Claws Mail, KeepassXC, xterm, nothing special), OpenBSD completely
freezes, but the mouse cursor can still move. I can't even switch to a
different tty with ctrl+alt+F. But it seems that function
keys still work, as pressing the mute button activates the red LED
light on it (though pressing the backlight keys does nothing). Closing
the lid to try to suspend the laptop fails, but the green LED power
light and red ThinkPad light on the cover blink as they do when about
to suspend, though they never stop blinking as the laptop never
suspends. Nothing strange in Xorg.0.log and Xorg.0.log.old, and I'm not
sure what else I need to check.

The first time this happened I was just using Firefox, and the second 
time this happened was immediately after I started picom (I don't 
usually use it but wanted to see it this time).

Any idea what's going on?

picom.conf:
#
# Corners   #
#
# requires: https://github.com/sdhand/compton or https://github.com/jonaburg/picom
#corner-radius = 12;
#rounded-corners-exclude = [
#  "class_g = 'xlock'",
#  "window_type = 'dnd'",
#  "name = 'lemonbar'"
#];
#round-borders = 15;
#round-borders-exclude = [
  #"class_g = 'TelegramDesktop'",
#];

#
# Shadows   #
#
# Enabled client-side shadows on windows. Note desktop windows 
# (windows with '_NET_WM_WINDOW_TYPE_DESKTOP') never get shadow, 
# unless explicitly requested using the wintypes option.
#
# shadow = false
shadow = true;

# The blur radius for shadows, in pixels. (defaults to 12)
# shadow-radius = 12
shadow-radius = 15;

# The opacity of shadows. (0.0 - 1.0, defaults to 0.75)
shadow-opacity = .85;

# The left offset for shadows, in pixels. (defaults to -15)
# shadow-offset-x = -15
shadow-offset-x = -12;

# The top offset for shadows, in pixels. (defaults to -15)
# shadow-offset-y = -15
shadow-offset-y = -12;

# Red color value of shadow (0.0 - 1.0, defaults to 0).
# shadow-red = 0

# Green color value of shadow (0.0 - 1.0, defaults to 0).
# shadow-green = 0

# Blue color value of shadow (0.0 - 1.0, defaults to 0).
# shadow-blue = 0

# Specify a list of conditions of windows that should have no shadow.
#
# examples:
#   shadow-exclude = "n:e:Notification";
#
# shadow-exclude = []
shadow-exclude = [
  #"name = 'Notification'",
  #"class_g = 'Conky'",
  #"class_g ?= 'Notify-osd'",
  #"class_g = 'Cairo-clock'",
  #"class_g = 'slop'",
  #"class_g = 'Polybar'",
  "_GTK_FRAME_EXTENTS@:c",
  "class_g = 'Firefox' && argb",
];

# Specify a X geometry that describes the region in which shadow should not
# be painted in, such as a dock window region. Use
#shadow-exclude-reg = "x10+0+0"
# for example, if the 10 pixels on the bottom of the screen should not have
# shadows painted on.
#
# shadow-exclude-reg = ""

# Crop shadow of a window fully on a particular Xinerama screen to the screen.
# xinerama-shadow-crop = false

#
#   Fading  #
#


# Fade windows in/out when opening/closing and when opacity changes,
#  unless no-fading-openclose is used.
# fading = false
fading = false;

# Opacity change between steps while fading in. (0.01 - 1.0, defaults to 0.028)
# fade-in-step = 0.028
fade-in-step = 0.025;

# Opacity change between steps while fading out. (0.01 - 1.0, defaults to 0.03)
# fade-out-step = 0.03
fade-out-step = 0.025;

# The time between steps in fade step, in milliseconds. (> 0, defaults to 10)
fade-delta = 8;

# Specify a list of conditions of windows that should not be faded.
# don't need this, we disable fading for all normal windows with wintypes: {}
fade-exclude = [
  #"class_g = 'slop'"   # maim
];

# Do not fade on window open/close.
# no-fading-openclose = false

# Do not fade destroyed ARGB windows with WM frame. Workaround of bugs in
# Openbox, Fluxbox, etc.
# no-fading-destroyed-argb = false

#
#   Transparency / Opacity  #
#
# Opacity of inactive windows. (0.1 - 1.0, defaults to 1.0)
# inactive-opacity = 1
inactive-opacity = 1;

# Opacity of window titlebars and borders. (0.1 - 1.0, disabled by default)
# frame-opacity = 1.0
frame-opacity = 1;

# Default opacity for dropdown menus and popup menus. (0.0 - 1.0, defaults to 1.0)
# menu-opacity = 1.0
# menu-opacity is deprecated; use dropdown-menu and popup-menu instead.

# If using these 2 below, change their values in line 510 & 511 as well
popup_menu = { opacity = 1; }
dropdown_menu = { opacity = 1; }


# Let inactive opacity set by -i override the '_NET_WM_OPAC

Re: Cannot open logfile in unbound(8)

2022-08-31 Thread Stuart Henderson
On 2022-08-31, luci...@ctrl-c.club  wrote:
> Hi,
> What is the proper way to use a logfile in unbound(8)? I tried adding
> the following lines in /var/unbound/etc/unbound.conf:
> # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
>
> server:
> use-syslog: no
> logfile: log/unbound.log
>
> Then touched /var/unbound/log/unbound.log. However when starting unbound
> with rcctl no logs were written in unbound.log. To investigate the issue
> I started unbound in non-daemon mode and debug mode: unbound -d, there I
> saw the following info:
> unbound[33113:0] error: Could not open logfile log/unbound.log:
> Permission denied
>
> Does anyone know what might be the problem with this approach?

This would usually suggest that the uid used by the daemon does not
have permission to access the log file or the directory containing it.


-- 
Please keep replies on the mailing list.



OpenBSD hangs in X, but mouse can still move (ThinkPad T470)

2022-08-31 Thread Hashim Mahmoud
I've been using OpenBSD on a ThinkPad T470 for a couple of days now,
and the experience is very nice. However, I've noticed an issue that
occurred twice today: while I'm using cwm and a bunch of apps (Firefox,
Claws Mail, KeepassXC, xterm, nothing special), OpenBSD completely
freezes, but the mouse cursor retains



Re: guide: scanning on openbsd with sane, as non-root user

2022-08-31 Thread Antoine Jacoutot
On Wed, Aug 31, 2022 at 01:13:11PM +0100, li...@xza.fr wrote:
> 
> SCANNING ON OPENBSD WITH SANE, AS NON-ROOT USER
> 
> foreword: wanted to put this guide somewhere
> 
> 
> install sane:
> 
> # pkg_add sane 
> 
> 
> plug in the scanner, and immediately after, run this command:
> 
> # dmesg | tail -20
> ugen0 at uhub0 port 3 ""
> 
> the output should appear as above
> 
> 
> now take a note of the number after 'ugen' and the number after
> 'uhub'. in this example that number is 0 for both.
> 
> now to get a bit more info on the hardware, run:
> 
> # usbdevs
> Controller /dev/usb0:
> addr 01: 
> addr 02: : 
> 
> the output should appear as above
> 
> 
> so say we want to scan as the user 'theo', then theo needs access to
> both /dev/usb0 as well as /dev/ugen0.00
> 
> so execute the following command
> 
> # chgrp theo /dev/ugen0.* /dev/usb0
> # chmod g+rwx /dev/ugen0.* /dev/usb0

What's wrong with /usr/local/share/doc/pkg-readmes/sane-backends ?




Re: Non-Disclosure Agreement

2022-08-31 Thread Janne Johansson
> My team in Dell Technologies are looking to use your software OpenSSH Client 
> 9 and OpenSSH Server 8. To do this our Cyber Security department require that 
> we sign a Non-Disclosure Agreement with you. Who would be the best person to 
> reach out to regarding this request?

While you have already gotten a correct reply on this request, I am
still curious as to which direction you intended this NDA to work?
Is it so that you will not tell OpenSSH people about secrets or did
you expect it to work the other way around?

If one department is putting pressure on another inside Dell, how do
you think it would affect OpenSSH which is already being given away
for any purpose to anyone?

I would understand this to some degree if you were to try to dangle a
ridiculous amount of money in front of someone in order to have them
bind themselves legally to you (or your cyber team) but this
suggestion above sounds like a weird and bad deal for the other party,
apart from the slightly obvious "we do not understand open source"
hints from your end.

Doing 3 minutes of research shows that Dell already uses openssh for
iDrac which can be seen here:

https://opensource.dell.com/releases/idrac9/3.36.36.36/LICENSES.html

so go talk to those people internally on how to make it work without
bothering the OpenSSH developers with silly requests.

-- 
May the most significant bit of your life be positive.



Re: httpd multiple site same address and port TLS issue

2022-08-31 Thread George



On 2022-08-29 05:50, Stuart Henderson wrote:

On 2022-08-29, George  wrote:

I am wish to run multiple site from the same IP and use different TLS
certs for each.

..

Problem is I get the certificate for the first declared
server each time unless I change the IP or port.

How are you testing? If you're using openssl s_client you need the
-servername option (though nc -vc is probably more convenient).


I am using a web browser and can view the cert and the corresponding 
error message.


netcat would be a good option too so thanks for the hint.








Re: Non-Disclosure Agreement

2022-08-31 Thread Stefan Sperling
On Wed, Aug 31, 2022 at 09:28:56AM +, O'Brien, Orla wrote:
> Hello,
> 
> My team in Dell Technologies are looking to use your software OpenSSH Client 
> 9 and OpenSSH Server 8. To do this our Cyber Security department require that 
> we sign a Non-Disclosure Agreement with you. Who would be the best person to 
> reach out to regarding this request?
> 
> Thank you for the help in advance.
> 
> Kind Regards,
> Orla.
> 

Hi Orla,

You can let your Cyber Security department know that there is nobody here
who is in a position to sign an NDA. The software is free to use by anyone
without restriction, and there is no formal licensing framework in place
that would allow the developers to tell who the active users are.

That said, the developers will gladly accept a pint of Murphy's as a
token of gratitude in case an opportunity arises :)
And donations to the OpenBSD foundation are always welcome at
https://www.openbsdfoundation.org/

With best regards, and with greetings to Cork which I hope to visit
again at some point,
Stefan



guide: scanning on openbsd with sane, as non-root user

2022-08-31 Thread lists


SCANNING ON OPENBSD WITH SANE, AS NON-ROOT USER

foreword: wanted to put this guide somewhere


install sane:

# pkg_add sane 


plug in the scanner, and immediately after, run this command:

# dmesg | tail -20
ugen0 at uhub0 port 3 ""

the output should appear as above


now take a note of the number after 'ugen' and the number after
'uhub'. in this example that number is 0 for both.

now to get a bit more info on the hardware, run:

# usbdevs
Controller /dev/usb0:
addr 01: 
addr 02: : 

the output should appear as above


so say we want to scan as the user 'theo', then theo needs access to
both /dev/usb0 as well as /dev/ugen0.00

so execute the following command

# chgrp theo /dev/ugen0.* /dev/usb0
# chmod g+rwx /dev/ugen0.* /dev/usb0


now run, as theo:

$ scanimage -L
device ':libusb:000:002' is a  scanner

the output should now show the scanner, as above


to scan:

$ scanimage -d ':libusb:000:002' -f jpeg --mode Color


to get scanner-specific options:

$ scanimage -h



Re: Cannot open logfile in unbound(8)

2022-08-31 Thread Łukasz Moskała

W dniu 31.08.2022 o 12:39, luci...@ctrl-c.club pisze:

Hi,
What is the proper way to use a logfile in unbound(8)? I tried adding
the following lines in /var/unbound/etc/unbound.conf:
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
 use-syslog: no
 logfile: log/unbound.log

Then touched /var/unbound/log/unbound.log. However when starting unbound
with rcctl no logs were written in unbound.log. To investigate the issue
I started unbound in non-daemon mode and debug mode: unbound -d, there I
saw the following info:
unbound[33113:0] error: Could not open logfile log/unbound.log:
Permission denied

Does anyone know what might be the problem with this approach?
Thanks!



What have you checked already? I'd start with:

 - what are the permissions on /var/unbound/log/unbound.log?
 - as what user is unbound running?
 - can that user access this file?
 - does unbound use unveil(2), and if so, is it configured to be able 
to access this file?


--
Łukasz Moskała



Cannot open logfile in unbound(8)

2022-08-31 Thread lucic71
Hi,
What is the proper way to use a logfile in unbound(8)? I tried adding
the following lines in /var/unbound/etc/unbound.conf:
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
use-syslog: no
logfile: log/unbound.log

Then touched /var/unbound/log/unbound.log. However when starting unbound
with rcctl no logs were written in unbound.log. To investigate the issue
I started unbound in non-daemon mode and debug mode: unbound -d, there I
saw the following info:
unbound[33113:0] error: Could not open logfile log/unbound.log:
Permission denied

Does anyone know what might be the problem with this approach?
Thanks!
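The checklist in the two replies above (which uid the daemon runs as, whether that uid can reach the file, and whether the chroot or unveil(2) setup allows it), turned into a small permission walker. This is an added example, not code from the thread or from unbound itself: it models only the classic owner/group/other mode bits along a path inside a chroot, says nothing about unveil(2), and builds a throwaway directory tree instead of touching /var/unbound. The chroot /var/unbound follows from the paths in the question; the daemon user name `_unbound` in the comments is an assumption.

```python
import os
import stat
import tempfile
import shutil
import pwd
import grp

_BITS = {"r": 4, "w": 2, "x": 1}


def identity_for(username):
    """Resolve a login name (for instance "_unbound", an assumed name) to
    (uid, set_of_gids), including supplementary groups from the group db."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def permits(st, uid, gids, perm):
    """Owner/group/other evaluation of one permission bit ('r', 'w' or 'x')
    for the identity.  Root bypasses these checks for directory search and
    for reading/writing files, which is all this example needs."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool(st.st_mode & (_BITS[perm] << shift))


def can_open_for_write(path, uid, gids, chroot="/"):
    """Can a process running as (uid, gids) and chrooted to `chroot` open
    `path` (relative to the chroot, like unbound's `logfile:`) for writing?
    Returns (True, None) or (False, reason naming the first blocking node).
    Every directory from the chroot down needs search (x); the file needs
    write (w) if it exists, otherwise its parent directory needs write (w)."""
    root = os.path.normpath(chroot)
    full = os.path.normpath(os.path.join(root, path.lstrip("/")))
    parent = os.path.dirname(full)
    rel = os.path.relpath(parent, root)
    comps = [] if rel == "." else rel.split(os.sep)
    dirs = [root] + [os.path.join(root, *comps[: i + 1]) for i in range(len(comps))]
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            return False, f"{d}: does not exist"
        if not stat.S_ISDIR(st.st_mode):
            return False, f"{d}: not a directory"
        if not permits(st, uid, gids, "x"):
            return False, f"{d}: no search (x) permission for uid {uid}"
    try:
        st = os.stat(full)
    except FileNotFoundError:
        if permits(os.stat(parent), uid, gids, "w"):
            return True, None
        return False, f"{full}: missing and {parent} not writable by uid {uid}"
    if not permits(st, uid, gids, "w"):
        return False, (f"{full}: not writable by uid {uid} "
                       f"(mode {stat.filemode(st.st_mode)}, owner {st.st_uid}:{st.st_gid})")
    return True, None


def demo():
    """Constructed scenario mirroring the thread: the admin touches
    log/unbound.log inside a chroot-like tree, then a daemon uid that owns
    nothing there tries to open it.  Returns the verdict after each step."""
    root = tempfile.mkdtemp()                  # mkdtemp() creates mode 0700
    try:
        logdir = os.path.join(root, "log")
        os.mkdir(logdir)
        os.chmod(logdir, 0o755)
        logfile = os.path.join(logdir, "unbound.log")
        open(logfile, "w").close()             # the "touch" from the question
        os.chmod(logfile, 0o644)
        st = os.stat(root)
        admin = (st.st_uid, {st.st_gid})
        daemon = (st.st_uid + 1, {st.st_gid + 1})   # some other unprivileged identity
        out = {}
        out["admin"] = can_open_for_write("log/unbound.log", *admin, chroot=root)
        out["daemon_initial"] = can_open_for_write("log/unbound.log", *daemon, chroot=root)
        os.chmod(root, 0o755)                  # let the daemon search the chroot
        out["daemon_chroot_searchable"] = can_open_for_write("log/unbound.log", *daemon, chroot=root)
        # The real fix is chown to the daemon user; unprivileged demo code
        # cannot chown, so model the group route instead: file group-writable
        # and the daemon a member of that group.
        os.chmod(logfile, 0o660)
        daemon_in_group = (daemon[0], {st.st_gid})
        out["daemon_group_writable"] = can_open_for_write("log/unbound.log", *daemon_in_group, chroot=root)
        return out
    finally:
        shutil.rmtree(root)
```

On a real host the call would be `can_open_for_write("log/unbound.log", *identity_for("_unbound"), chroot="/var/unbound")`, run as root so every stat succeeds; a False verdict names the first directory or file the daemon cannot get past, which is usually the "touched as root, mode 0644" file from the question.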



Re: smtpd with dkim & mailing lists

2022-08-31 Thread Alexandre Ratchov
On Tue, Aug 30, 2022 at 09:17:44PM +0200, Tobias Fiebig wrote:
> Heho,
>
> The important part is not 'not adding an additional signature' but
> 'not breaking the previous signature'. As long as you do not fiddle
> with anything in there, things will be fine; But, as you most likely
> do (think: Adding a prefix for the subject like [LISTNAME]), DKIM
> will be an issue (mostly, if there is DMARC in play as well).
>

Thank you. I'm using the mlmmj port to manage the lists. By default it
doesn't modify the headers or the body so the DKIM signature is still
valid.



Re: smtpd with dkim & mailing lists

2022-08-31 Thread Alexandre Ratchov
On Tue, Aug 30, 2022 at 07:26:11PM +0200, Martijn van Duren wrote:
> On Tue, 2022-08-30 at 17:13 +0200, Alexandre Ratchov wrote:
> > Hi,
> > 
> > For my $DAYJOB I had to please big mail corporations and configured
> > smtpd(8) to send DKIM-signed emails (also added SPF and DMARC
> > records). This was easy using instruction in the
> > opensmtpd-filter-dkimsign port and works fine to send messages to
> > bigmailcorp accounts.
> > 
> > The mail server is used to manage few mailing lists using mlmmj. At
> > first glance, things appear to work:
> > 
> > - The envelope address (aka smtp "mail from:" address or return-path)
> >   matches the mailing list server domain (not sender address domain),
> >   which has the proper SPF record.
> 
> This should be fine, although for DMARC to be correct the "MAIL FROM:"
> and From-header should be in line, or else DMARC fails. So mailing
> lists will fail, unless you rewrite the from-header as well.

This is the part I'm unsure, I've found contradictory claims on the
internet.

I've found no such requirement in the RFC (see refs below) and the two
major bigmailcorps I've tested just work (say "dmarc=pass" in header
and/or user interface).

But I found many claims that the "MAIL FROM:" domain is required to
match the From-header domain. Maybe this requirement is only for list
servers that modify the original mail (to add a footer, drop
attachments, tweak headers, etc), which invalidates the original sender
DKIM signature. In turn a new DKIM signature is needed but as the list
server can only sign with its own domain, a new From-header with the
list server domain is needed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

refs & reasoning:

The rfc7489, sec. 6.6.2 [*] says the receiver does 3 things: (1) DKIM
signatures checks, (2) SPF checks and (3) "Identifier Alignment"
checks.  The latter is defined as:

"If one or more of the Authenticated Identifiers align with the
RFC5322.From domain, the message is considered to pass the
DMARC mechanism check.  All other conditions (authentication
failures, identifier mismatches) are considered to be DMARC
mechanism check failures."

where "Identifier Alignment" is defined in sec. 3 as:

Identifier Alignment: When the domain in the RFC5322.From
address matches a domain validated by SPF or DKIM (or both),
it has Identifier Alignment.

In other words:
 - sender IP must belong to HELO & MAIL FROM (to pass SPF)
 - DKIM signatures must be valid (to pass DKIM)
 - From-header must match the signature or the envelope (to pass DMARC)

Consequently, a "bounced" email should pass DMARC provided that the
mail body and signed headers are preserved. Indeed:
 - IP of the relay would match the new envelope domain SPF record
 - body & header are preserved, so original DKIM signature is valid
 - From-header still matches the DKIM sign. so DMARC passes.

[*] https://www.rfc-editor.org/rfc/rfc7489.html#section-6.6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> > 
> > - Is there a way to make smtpd(8) add the DKIM signature only if the
> >   sender domain is the local domain? (this would avoid the extra
> >   irrelevant DKIM signature).
> 
> filter-dkimsign is complex enough as it is. I don't really want to add
> too much more complexity. But if you make a strong enough case I'll
> certainly consider it.

please don't, simpler is better ;-)
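Alexandre's reading of RFC 7489 above (SPF result, DKIM results, then identifier alignment against the RFC5322.From domain), as an added worked example; this is not code from the thread, from smtpd(8), filter-dkimsign or mlmmj. The domains author.example and lists.example are constructed, and org_domain() is a stand-in for the public suffix list lookup the RFC specifies for relaxed alignment. The cases cover what the thread argues about: an unmodified relay passes on the author's surviving DKIM signature even though the envelope domain is the list's, a list that tags the Subject breaks that signature and fails, and rewriting From to the list domain makes it pass again. Strict versus relaxed alignment (adkim=s/r) goes one step beyond the thread.

```python
def org_domain(domain):
    """Organizational domain of `domain`.  RFC 7489 section 3.2 derives this
    from a public suffix list; this example assumes a two-label suffix,
    right for names like author.example and wrong for co.uk-style
    registries.  A labelled simplification, not the RFC algorithm."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an
    exact match with the RFC5322.From domain, relaxed ('r') only needs the
    same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_evaluate(from_domain, spf, dkim, adkim="r", aspf="r"):
    """Section 6.6.2 outcome.  `spf` is (MAIL FROM domain, result) or None;
    `dkim` is a list of (d= domain, result), one per DKIM-Signature header.
    The message passes if any *passing* identifier aligns with From; a
    failing signature or a non-aligned domain contributes nothing."""
    if spf is not None:
        spf_domain, spf_result = spf
        if spf_result == "pass" and aligned(from_domain, spf_domain, aspf):
            return "pass", f"SPF pass for {spf_domain} aligns with From {from_domain}"
    for d, result in dkim:
        if result == "pass" and aligned(from_domain, d, adkim):
            return "pass", f"DKIM pass for d={d} aligns with From {from_domain}"
    return "fail", f"no passing SPF or DKIM identifier aligns with From {from_domain}"


def mailing_list_cases():
    """Constructed cases (assumed domains author.example and lists.example).
    The list always rewrites the envelope to its own domain, as in the
    thread, so SPF passes for lists.example but never aligns with the
    author's From."""
    cases = {
        # list relays body and signed headers untouched: author's DKIM still verifies
        "unmodified": dmarc_evaluate(
            "author.example", ("lists.example", "pass"),
            [("author.example", "pass"), ("lists.example", "pass")]),
        # list tags the Subject ([LISTNAME]), a header the author signed: that signature fails
        "subject_tagged": dmarc_evaluate(
            "author.example", ("lists.example", "pass"),
            [("author.example", "fail"), ("lists.example", "pass")]),
        # same modification, but the list also rewrites From to its own domain
        "from_rewritten": dmarc_evaluate(
            "lists.example", ("lists.example", "pass"),
            [("author.example", "fail"), ("lists.example", "pass")]),
        # a subdomain signer passes relaxed alignment but fails adkim=s
        "relaxed_subdomain": dmarc_evaluate(
            "author.example", None, [("mail.author.example", "pass")]),
        "strict_subdomain": dmarc_evaluate(
            "author.example", None, [("mail.author.example", "pass")], adkim="s"),
    }
    return {name: verdict for name, (verdict, _) in cases.items()}
```

The second DKIM signature the list adds (d=lists.example) never helps a message whose From is author.example, which is why an unconditional signature on relayed mail is harmless but also pointless, as the thread concludes.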