daily insecurity output gid change
Hi misc@

Recently my computer became unresponsive while backing up files through nfs and I had to hard reset it. The night after this reboot I got an insecurity warning with the message below. Could fsck change the gid while trying to fix the file system or should I look for another cause?

Thank you!

-- 
Adriano

Running security(8):

Checking special files and directories.
Output format is:
        filename:
                criteria (shouldbe, reallyis)
usr/bin:
        gid (0, 7)
mtree special: exit code 2
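The report above is produced by mtree(8) comparing the live filesystem against /etc/mtree/special; it only says that the group on disk differs from the spec, not how it got that way. The following is an added example, not OpenBSD's security(8) or mtree(8) code: a small reader for a subset of the mtree spec format (/set, /unset, ".." and nested entries, keywords type/uid/gid/uname/gname/mode/optional) that performs the same comparison and prints findings in the same "filename: criteria (shouldbe, reallyis)" shape. The stock /etc/mtree/special uses uname=root gname=wheel, which this reader resolves through pwd/grp; the spec text used to exercise it is constructed.

```python
"""Toy version of the "special files and directories" pass that security(8)
runs with mtree(8).  Added example, not OpenBSD's code.  It reads a subset of
the mtree spec format (/set, /unset, '..', nested entries, keywords type,
uid, gid, uname, gname, mode, optional) and reports mismatches in the same
"filename: criteria (shouldbe, reallyis)" shape as the daily mail."""
import grp
import os
import pwd
import shlex
import stat


def _kv(tokens, into):
    """Merge keyword=value tokens into a dict (bare keywords get '')."""
    for tok in tokens:
        key, _, val = tok.partition("=")
        into[key] = val
    return into


def parse_mtree(text):
    """Yield (relative_path, attrs) for each entry of an mtree-style spec."""
    defaults, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        head = tokens[0]
        if head == "/set":
            _kv(tokens[1:], defaults)
        elif head == "/unset":
            for key in tokens[1:]:
                defaults.pop(key, None)
        elif head == "..":
            if stack:
                stack.pop()
        else:
            attrs = _kv(tokens[1:], dict(defaults))
            yield os.path.normpath("/".join(stack + [head])), attrs
            if attrs.get("type") == "dir":  # its children follow until '..'
                stack.append(head)


def _expected_ids(attrs):
    uid = gid = None
    if "uid" in attrs:
        uid = int(attrs["uid"])
    elif "uname" in attrs:
        uid = pwd.getpwnam(attrs["uname"]).pw_uid
    if "gid" in attrs:
        gid = int(attrs["gid"])
    elif "gname" in attrs:
        gid = grp.getgrnam(attrs["gname"]).gr_gid
    return uid, gid


def _ftype(st):
    if stat.S_ISDIR(st.st_mode):
        return "dir"
    if stat.S_ISLNK(st.st_mode):
        return "link"
    return "file" if stat.S_ISREG(st.st_mode) else "other"


def check_spec(root, spec_text):
    """Compare the tree under root with the spec; return a list of
    (path, criterion, shouldbe, reallyis) tuples, [] when everything matches."""
    findings = []
    for rel, attrs in parse_mtree(spec_text):
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            if "optional" not in attrs:
                findings.append((rel, "missing", attrs.get("type", "?"), "absent"))
            continue
        if "type" in attrs and _ftype(st) != attrs["type"]:
            findings.append((rel, "type", attrs["type"], _ftype(st)))
        uid, gid = _expected_ids(attrs)
        if uid is not None and st.st_uid != uid:
            findings.append((rel, "uid", uid, st.st_uid))
        if gid is not None and st.st_gid != gid:
            findings.append((rel, "gid", gid, st.st_gid))
        if "mode" in attrs:
            want, have = int(attrs["mode"], 8), stat.S_IMODE(st.st_mode)
            if want != have:
                findings.append((rel, "permissions", f"{want:04o}", f"{have:04o}"))
    return findings


def format_report(findings):
    """Render like security(8): 'usr/bin: gid (0, 7)'."""
    return "\n".join(f"{p}: {c} ({want}, {have})" for p, c, want, have in findings)


if __name__ == "__main__":
    import sys
    spec_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/mtree/special"
    with open(spec_path) as fh:
        print(format_report(check_spec("/", fh.read())) or "no mismatches")
```

Run as root on the box it will read /etc/mtree/special and compare against "/", so a finding like "usr/bin: gid (0, 7)" can be reproduced on demand instead of waiting for the next daily run; keywords the toy does not know (md5digest, nochange, ...) are carried in the attrs dict and simply ignored.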
OpenBSD hangs in X, but mouse can still move (ThinkPad T470)
(Sorry, I accidentally pressed Send in the middle of typing, ignore the previous message...)

I've been using OpenBSD on a ThinkPad T470 for a couple of days now, and the experience is very nice. However, I've noticed an issue that occurred twice today: while I'm using cwm and a bunch of apps (Firefox, Claws Mail, KeepassXC, xterm, nothing special), OpenBSD completely freezes, but the mouse cursor can still move. I can't even switch to a different tty with ctrl+alt+F. But it seems that function keys still work, as pressing the mute button activates the red LED light on it (though pressing the backlight keys does nothing). Closing the lid to try to suspend the laptop fails, but the green LED power light and red ThinkPad light on the cover blink as they do when about to suspend, though they never stop blinking as the laptop never suspends.

Nothing strange in Xorg.0.log and Xorg.0.log.old, and I'm not sure what else I need to check. The first time this happened I was just using Firefox, and the second time this happened was immediately after I started picom (I don't usually use it but wanted to see it this time).

Any idea what's going on?

picom.conf:

#
# Corners
#
# requires: https://github.com/sdhand/compton or https://github.com/jonaburg/picom
#corner-radius = 12;
#rounded-corners-exclude = [
#  "class_g = 'xlock'",
#  "window_type = 'dnd'",
#  "name = 'lemonbar'"
#];
#round-borders = 15;
#round-borders-exclude = [
#"class_g = 'TelegramDesktop'",
#];

#
# Shadows
#

# Enabled client-side shadows on windows. Note desktop windows
# (windows with '_NET_WM_WINDOW_TYPE_DESKTOP') never get shadow,
# unless explicitly requested using the wintypes option.
#
# shadow = false
shadow = true;

# The blur radius for shadows, in pixels. (defaults to 12)
# shadow-radius = 12
shadow-radius = 15;

# The opacity of shadows. (0.0 - 1.0, defaults to 0.75)
shadow-opacity = .85

# The left offset for shadows, in pixels. (defaults to -15)
# shadow-offset-x = -15
shadow-offset-x = -12;

# The top offset for shadows, in pixels. (defaults to -15)
# shadow-offset-y = -15
shadow-offset-y = -12;

# Red color value of shadow (0.0 - 1.0, defaults to 0).
# shadow-red = 0

# Green color value of shadow (0.0 - 1.0, defaults to 0).
# shadow-green = 0

# Blue color value of shadow (0.0 - 1.0, defaults to 0).
# shadow-blue = 0

# Specify a list of conditions of windows that should have no shadow.
#
# examples:
#   shadow-exclude = "n:e:Notification";
#
# shadow-exclude = []
shadow-exclude = [
  #"name = 'Notification'",
  #"class_g = 'Conky'",
  #"class_g ?= 'Notify-osd'",
  #"class_g = 'Cairo-clock'",
  #"class_g = 'slop'",
  #"class_g = 'Polybar'",
  "_GTK_FRAME_EXTENTS@:c",
  "class_g = 'Firefox' && argb",
];

# Specify a X geometry that describes the region in which shadow should not
# be painted in, such as a dock window region. Use
#    shadow-exclude-reg = "x10+0+0"
# for example, if the 10 pixels on the bottom of the screen should not have shadows painted on.
#
# shadow-exclude-reg = ""

# Crop shadow of a window fully on a particular Xinerama screen to the screen.
# xinerama-shadow-crop = false

#
# Fading
#

# Fade windows in/out when opening/closing and when opacity changes,
#  unless no-fading-openclose is used.
# fading = false
fading = false;

# Opacity change between steps while fading in. (0.01 - 1.0, defaults to 0.028)
# fade-in-step = 0.028
fade-in-step = 0.025;

# Opacity change between steps while fading out. (0.01 - 1.0, defaults to 0.03)
# fade-out-step = 0.03
fade-out-step = 0.025;

# The time between steps in fade step, in milliseconds. (> 0, defaults to 10)
fade-delta = 8

# Specify a list of conditions of windows that should not be faded.
# don't need this, we disable fading for all normal windows with wintypes: {}
fade-exclude = [
  #"class_g = 'slop'"   # maim
]

# Do not fade on window open/close.
# no-fading-openclose = false

# Do not fade destroyed ARGB windows with WM frame. Workaround of bugs in Openbox, Fluxbox, etc.
# no-fading-destroyed-argb = false

#
# Transparency / Opacity
#

# Opacity of inactive windows. (0.1 - 1.0, defaults to 1.0)
# inactive-opacity = 1
inactive-opacity = 1

# Opacity of window titlebars and borders. (0.1 - 1.0, disabled by default)
# frame-opacity = 1.0
frame-opacity = 1

# Default opacity for dropdown menus and popup menus. (0.0 - 1.0, defaults to 1.0)
# menu-opacity = 1.0
# menu-opacity is depreciated use dropdown-menu and popup-menu instead.

#If using these 2 below change their values in line 510 & 511 aswell
popup_menu = { opacity = 1; }
dropdown_menu = { opacity = 1; }

# Let inactive opacity set by -i override the '_NET_WM_OPAC
Re: Cannot open logfile in unbound(8)
On 2022-08-31, luci...@ctrl-c.club wrote:
> Hi,
> What is the proper way to use a logfile in unbound(8)? I tried adding
> the following lines in /var/unbound/etc/unbound.conf:
> # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
>
> server:
>         use-syslog: no
>         logfile: log/unbound.log
>
> Then touched /var/unbound/log/unbound.log. However when starting unbound
> with rcctl no logs were written in unbound.log. To investigate the issue
> I started unbound in non-daemon mode and debug mode: unbound -d, there I
> saw the following info:
> unbound[33113:0] error: Could not open logfile log/unbound.log:
> Permission denied
>
> Does anyone know what might be the problem with this approach?

This would usually suggest that the uid used by the daemon does not have permission to access the log file or the directory containing it.

-- 
Please keep replies on the mailing list.
Re: guide: scanning on openbsd with sane, as non-root user
On Wed, Aug 31, 2022 at 01:13:11PM +0100, li...@xza.fr wrote:
>
> SCANNING ON OPENBSD WITH SANE, AS NON-ROOT USER
>
> foreword: wanted to put this guide somewhere
>
>
> install sane:
>
> # pkg_add sane
>
>
> plug in the scanner, and immediately after, run this command:
>
> # dmesg | tail -20
> ugen0 at uhub0 port 3 ""
>
> the output should appear as above
>
>
> now take a note of the number after 'ugen' and the number after
> 'uhub'. in this example that number is 0 for both.
>
> now to get a bit more info on the hardware, run:
>
> # usbdevs
> Controller /dev/usb0:
> addr 01:
> addr 02: :
>
> the output should appear as above
>
>
> so say we want to scan as the user 'theo', then theo needs access to
> both /dev/usb0 as well as /dev/ugen0.00
>
> so execute the following command
>
> # chgrp theo /dev/ugen0.* /dev/usb0
> # chmod g+rwx /dev/ugen0.* /dev/usb0

What's wrong with /usr/local/share/doc/pkg-readmes/sane-backends ?
Re: Non-Disclosure Agreement
> My team in Dell Technologies are looking to use your software OpenSSH Client
> 9 and OpenSSH Server 8. To do this our Cyber Security department require that
> we sign a Non-Disclosure Agreement with you. Who would be the best person to
> reach out to regarding this request?

While you have already gotten a correct reply on this request, I am still curious as to which direction you intended this NDA to work? Is it so that you will not tell OpenSSH people about secrets or did you expect it to work the other way around?

If one department is putting pressure on another inside Dell, how do you think it would affect OpenSSH which is already being given away for any purpose to anyone?

I would understand this to some degree if you were to try to dangle a ridiculous amount of money in front of someone in order to have them bind themselves legally to you (or your cyber team) but this suggestion above sounds like a weird and bad deal for the other party, apart from the slightly obvious "we do not understand open source" hints from your end.

Doing 3 minutes of research shows that Dell already uses openssh for iDrac which can be seen here:

https://opensource.dell.com/releases/idrac9/3.36.36.36/LICENSES.html

so go talk to those people internally on how to make it work without bothering the OpenSSH developers with silly requests.

-- 
May the most significant bit of your life be positive.
Re: httpd multiple site same address and port TLS issue
On 2022-08-29 05:50, Stuart Henderson wrote:
> On 2022-08-29, George wrote:
>> I wish to run multiple sites from the same IP and use different TLS certs for each.
>> ..
>> Problem is I get the certificate for the first declared server each time unless I change the IP or port.
>
> How are you testing? If you're using openssl s_client you need the -servername option (though nc -vc is probably more convenient).

I am using a web browser and can view the cert and the corresponding error message. netcat would be a good option too so thanks for the hint.
Re: Non-Disclosure Agreement
On Wed, Aug 31, 2022 at 09:28:56AM +, O'Brien, Orla wrote:
> Hello,
>
> My team in Dell Technologies are looking to use your software OpenSSH Client
> 9 and OpenSSH Server 8. To do this our Cyber Security department require that
> we sign a Non-Disclosure Agreement with you. Who would be the best person to
> reach out to regarding this request?
>
> Thank you for the help in advance.
>
> Kind Regards,
> Orla.
>

Hi Orla,

You can let your Cyber Security department know that there is nobody here who is in a position to sign an NDA. The software is free to use by anyone without restriction, and there is no formal licensing framework in place that would allow the developers to tell who the active users are.

That said, the developers will gladly accept a pint of Murphy's as a token of gratitude in case an opportunity arises :)

And donations to the OpenBSD foundation are always welcome at https://www.openbsdfoundation.org/

With best regards, and with greetings to Cork which I hope to visit again at some point,

Stefan
guide: scanning on openbsd with sane, as non-root user
SCANNING ON OPENBSD WITH SANE, AS NON-ROOT USER

foreword: wanted to put this guide somewhere


install sane:

# pkg_add sane


plug in the scanner, and immediately after, run this command:

# dmesg | tail -20
ugen0 at uhub0 port 3 ""

the output should appear as above


now take a note of the number after 'ugen' and the number after 'uhub'. in this example that number is 0 for both.

now to get a bit more info on the hardware, run:

# usbdevs
Controller /dev/usb0:
addr 01:
addr 02: :

the output should appear as above


so say we want to scan as the user 'theo', then theo needs access to both /dev/usb0 as well as /dev/ugen0.00

so execute the following command

# chgrp theo /dev/ugen0.* /dev/usb0
# chmod g+rwx /dev/ugen0.* /dev/usb0

now run, as theo:

$ scanimage -L
device ':libusb:000:002' is a scanner

the output should now show the scanner, as above

to scan:

$ scanimage -d ':libusb:000:002' -f jpeg --mode Color

to get scanner-specific options:

$ scanimage -h
Re: Cannot open logfile in unbound(8)
On 31.08.2022 at 12:39, luci...@ctrl-c.club wrote:
> Hi,
> What is the proper way to use a logfile in unbound(8)? I tried adding
> the following lines in /var/unbound/etc/unbound.conf:
> # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
>
> server:
>         use-syslog: no
>         logfile: log/unbound.log
>
> Then touched /var/unbound/log/unbound.log. However when starting unbound
> with rcctl no logs were written in unbound.log. To investigate the issue
> I started unbound in non-daemon mode and debug mode: unbound -d, there I
> saw the following info:
> unbound[33113:0] error: Could not open logfile log/unbound.log:
> Permission denied
>
> Does anyone know what might be the problem with this approach?
> Thanks!

What have you checked already? I'd start with:

- what are the permissions on /var/unbound/log/unbound.log?
- as what user is unbound running?
- can that user access this file?
- does unbound use unveil(2), and if so, is it configured to be able to access this file?

-- 
Łukasz Moskała
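The checklist in the two replies above (which uid the daemon runs as, whether that uid can reach the file, and where the path actually points once the daemon is chrooted) can be walked mechanically. The script below is an added example, not part of the thread or of unbound: it assumes the stock OpenBSD unbound.conf values, chroot "/var/unbound" and username "_unbound", and that a relative logfile path is resolved inside the chroot (which is why the poster created /var/unbound/log/unbound.log). It then applies the classic owner/group/other permission rule for that uid/gid: search (x) on every directory from the chroot down to the log directory, write (w) on the file itself, or write on the directory if the file has to be created. It knows nothing about unveil(2)/pledge(2) or ACLs, so a clean result only rules out plain filesystem permissions; a "touch" done as root, as in the original post, yields a root-owned 0644 file that fails exactly this check.

```python
"""Explain a 'Could not open logfile ...: Permission denied' from a chrooted
daemon by checking the same permission bits the kernel would.  Added example;
the /var/unbound and _unbound defaults are taken from the stock OpenBSD
unbound.conf and are assumptions here, not read from the running config."""
import os
import pwd
import stat


def resolve_in_chroot(chroot, logfile):
    """Host path for a logfile setting.  Assumption: the path is taken relative
    to the chroot, so 'log/unbound.log' and '/log/unbound.log' both land under
    /var/unbound."""
    return os.path.normpath(os.path.join(chroot, logfile.lstrip("/")))


def _permits(st, uid, gid, want):
    """Owner bits if uid matches, else group bits if gid matches, else other
    bits.  want: 4 read, 2 write, 1 search/execute.  Root bypasses all three
    for directories and for write, which is all this tool asks about."""
    if uid == 0:
        return True
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        bits = (mode >> 6) & 7
    elif st.st_gid == gid:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def diagnose_logfile(chroot, logfile, uid, gid):
    """Return the reasons an open(O_WRONLY|O_APPEND|O_CREAT) by uid/gid would
    fail; an empty list means plain permissions are not the problem."""
    problems = []
    target = resolve_in_chroot(chroot, logfile)
    # Every directory from the chroot down to the log directory needs x.
    dirs = [os.path.normpath(chroot)]
    rel = os.path.relpath(os.path.dirname(target), chroot)
    if rel != ".":
        for part in rel.split(os.sep):
            dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            problems.append(f"{d}: directory does not exist")
            return problems
        if not _permits(st, uid, gid, 1):
            problems.append(f"{d}: no search (x) permission for uid {uid}/gid {gid} "
                            f"(mode {stat.S_IMODE(st.st_mode):04o}, owner {st.st_uid}:{st.st_gid})")
    try:
        st = os.stat(target)
    except FileNotFoundError:
        # The daemon would have to create the file: needs w on the directory.
        if not _permits(os.stat(dirs[-1]), uid, gid, 2):
            problems.append(f"{target}: missing and {dirs[-1]} is not writable for uid {uid}/gid {gid}")
        return problems
    if not _permits(st, uid, gid, 2):
        problems.append(f"{target}: not writable for uid {uid}/gid {gid} "
                        f"(mode {stat.S_IMODE(st.st_mode):04o}, owner {st.st_uid}:{st.st_gid})")
    return problems


def daemon_ids(username="_unbound"):
    """uid/gid the daemon drops to after start-up (assumed default user)."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid


if __name__ == "__main__":
    uid, gid = daemon_ids()
    for line in diagnose_logfile("/var/unbound", "log/unbound.log", uid, gid) or ["ok"]:
        print(line)
```

On the poster's box the expected output is a single line naming /var/unbound/log/unbound.log as not writable for the _unbound uid; the fix that follows from it is to give the file (or the log directory, if unbound is to create the file itself) to that user, e.g. chown _unbound /var/unbound/log/unbound.log, rather than to loosen permissions for everyone.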
Cannot open logfile in unbound(8)
Hi,

What is the proper way to use a logfile in unbound(8)? I tried adding the following lines in /var/unbound/etc/unbound.conf:

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
        use-syslog: no
        logfile: log/unbound.log

Then touched /var/unbound/log/unbound.log. However when starting unbound with rcctl no logs were written in unbound.log. To investigate the issue I started unbound in non-daemon mode and debug mode: unbound -d, there I saw the following info:

unbound[33113:0] error: Could not open logfile log/unbound.log: Permission denied

Does anyone know what might be the problem with this approach?

Thanks!
Re: smtpd with dkim & mailing lists
On Tue, Aug 30, 2022 at 09:17:44PM +0200, Tobias Fiebig wrote:
> Heho,
>
> The important part is not 'not adding an additional signature' but
> 'not breaking the previous signature'. As long as you do not fiddle
> with anything in there, things will be fine; But, as you most likely
> do (think: Adding a prefix for the subject like [LISTNAME]), DKIM
> will be an issue (mostly, if there is DMARC in play as well).
>

Thank you. I'm using the mlmmj port to manage the lists. By default it doesn't modify the headers or the body so the DKIM signature is still valid.
Re: smtpd with dkim & mailing lists
On Tue, Aug 30, 2022 at 07:26:11PM +0200, Martijn van Duren wrote:
> On Tue, 2022-08-30 at 17:13 +0200, Alexandre Ratchov wrote:
> > Hi,
> >
> > For my $DAYJOB I had to please big mail corporations and configured
> > smtpd(8) to send DKIM-signed emails (also added SPF and DMARC
> > records). This was easy using the instructions in the
> > opensmtpd-filter-dkimsign port and works fine to send messages to
> > bigmailcorp accounts.
> >
> > The mail server is used to manage a few mailing lists using mlmmj. At
> > first glance, things appear to work:
> >
> > - The envelope address (aka smtp "mail from:" address or return-path)
> > matches the mailing list server domain (not sender address domain),
> > which has the proper SPF record.
>
> This should be fine, although for DMARC to be correct the "MAIL FROM:"
> and From-header should be in line, or else DMARC fails. So mailing
> lists will fail, unless you rewrite the from-header as well.

This is the part I'm unsure about, I've found contradictory claims on the internet. I've found no such requirement in the RFC (see refs below) and the two major bigmailcorps I've tested just work (say "dmarc=pass" in header and/or user interface). But I found many claims that the "MAIL FROM:" domain is required to match the From-header domain.

Maybe this requirement is only for list servers that modify the original mail (to add a footer, drop attachments, tweak headers, etc), which invalidates the original sender DKIM signature. In turn a new DKIM signature is needed but as the list server can only sign with its own domain, a new From-header with the list server domain is needed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

refs & reasoning:

RFC 7489, sec. 6.6.2 [*] says the receiver does 3 things: (1) DKIM signature checks, (2) SPF checks and (3) "Identifier Alignment" checks. The latter is defined as:

  "If one or more of the Authenticated Identifiers align with the
  RFC5322.From domain, the message is considered to pass the DMARC
  mechanism check. All other conditions (authentication failures,
  identifier mismatches) are considered to be DMARC mechanism check
  failures."

where "Identifier Alignment" is defined in sec. 3 as:

  Identifier Alignment: When the domain in the RFC5322.From address
  matches a domain validated by SPF or DKIM (or both), it has
  Identifier Alignment.

In other words:

- sender IP must belong to HELO & MAIL FROM (to pass SPF)
- DKIM signatures must be valid (to pass DKIM)
- From-header must match the signature or the envelope (to pass DMARC)

Consequently, a "bounced" email should pass DMARC provided that the mail body and signed headers are preserved. Indeed:

- IP of the relay would match the new envelope domain SPF record
- body & header are preserved, so original DKIM signature is valid
- From-header still matches the DKIM sign. so DMARC passes.

[*] https://www.rfc-editor.org/rfc/rfc7489.html#section-6.6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> > - Is there a way to make smtpd(8) add the DKIM signature only if the
> > sender domain is the local domain? (this would avoid the extra
> > irrelevant DKIM signature).
>
> filter-dkimsign is complex enough as it is. I don't really want to add
> too much more complexity. But if you make a strong enough case I'll
> certainly consider it.

please don't, simpler is better ;-)
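The alignment rule argued over in this thread (and the "[LISTNAME] subject prefix breaks DKIM" point made earlier in it) is small enough to write down as code. The block below is an added example, not code from the thread, from OpenSMTPD or from filter-dkimsign: it implements the DMARC verdict of RFC 7489 sec. 6.6.2 from three inputs, the RFC5322.From domain, the SPF result for the RFC5321.MailFrom domain, and the list of DKIM signatures with their d= domain and validity, using the relaxed/strict alignment modes of sec. 3.1. The organizational-domain function is a deliberate simplification (last two labels); a real evaluator consults the Public Suffix List. The domains and the mailing-list scenario are constructed.

```python
"""DMARC identifier alignment (RFC 7489 sec. 3.1 and 6.6.2), added example.
Domains below are constructed; 'org_domain' is a simplification."""


def org_domain(domain):
    """Organizational domain.  Simplification: last two labels.  Real
    evaluators use the Public Suffix List (think 'example.co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed, the DMARC default): organizational domains match.
    mode 's' (strict): the domains must be identical."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_evaluate(from_domain, mail_from_domain, spf_pass, dkim_results,
                   adkim="r", aspf="r"):
    """
    from_domain      : domain of the RFC5322.From header
    mail_from_domain : domain of the envelope MAIL FROM (RFC5321.MailFrom)
    spf_pass         : True if SPF passed for mail_from_domain
    dkim_results     : list of (d= domain, signature_valid) for every signature
    adkim / aspf     : alignment modes from the From domain's DMARC record
    Returns (verdict, reason).  Any one aligned, authenticated identifier is
    enough; an authenticated but unaligned one contributes nothing.
    """
    if spf_pass and aligned(from_domain, mail_from_domain, aspf):
        return "pass", f"spf aligned ({mail_from_domain})"
    for d, valid in dkim_results:
        if valid and aligned(from_domain, d, adkim):
            return "pass", f"dkim aligned (d={d})"
    return "fail", "no authenticated identifier aligns with RFC5322.From"


def mailing_list_relay(list_modified_message):
    """Constructed scenario: author@example.org posts to a list at
    lists.example.net.  The list rewrites the envelope to its own domain
    (SPF passes there), keeps the From header, and adds its own DKIM
    signature.  The author's signature survives only if the list left the
    signed headers and body untouched (no subject prefix, no footer)."""
    author_sig_valid = not list_modified_message
    return dmarc_evaluate(
        from_domain="example.org",
        mail_from_domain="lists.example.net",
        spf_pass=True,
        dkim_results=[("example.org", author_sig_valid),
                      ("lists.example.net", True)],
    )


if __name__ == "__main__":
    print("untouched relay:", mailing_list_relay(False))
    print("subject rewritten:", mailing_list_relay(True))
```

The two scenarios reproduce both positions in the thread: with the message untouched the author's signature still aligns with the From domain and DMARC passes even though MAIL FROM is the list's domain; once the list alters a signed header or the body, the only valid signature left is the list's own, which does not align with From, so the message fails and the list would indeed have to rewrite From to its own domain to pass. The extra list-domain signature is harmless but, as the reply notes, irrelevant to the verdict.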