Re: Logging Password change attempts
On 2014-10-31 Fri 11:52 AM |, Alexander Hall wrote:
> However, for the purpose of indicating password changes, this is pretty
> useless anyway, since:
> - You can change to the same password
> - logger(1) is available for anyone to use (AFAIK)

$ while sleep $((3600*24*7)); do logger I changed my password this week too; done

How about a 2am (after /etc/daily finished) root cron job to run a script
something like this (a bit rough & could be improved):

03 2 * * * nice /root/bin/passwd-differ

#!/bin/ksh

_master='/etc/master.passwd'
_current=/var/backups/${_master##*/}.current

# diff -q exits non-zero when the files differ; only then look for changed lines
diff -q ${_master} ${_current} > /dev/null || {
	# lines prefixed '< ' come from the first file, the live master.passwd;
	# the first colon-separated field is the user name
	diff ${_master} ${_current} | cut -d: -f1 | awk '/^< / { print $2 }' | while read user
	do
		logger -p auth.info ${user}'s password has changed
	done
	# adding/deleting users/packages will probably fuck this up...
}

Trawl syslog entries by root in /var/log/authlog

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
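As an added example (not code from the post or from OpenBSD), the same check done field by field in Python: it compares the password-hash field of each account between two master.passwd snapshots, so a change of shell or GECOS is not reported as a password change, and added or removed accounts (the case the script's own comment worries about) are reported separately instead of being mistaken for a changed hash. The two snapshot files are whatever copies the caller keeps; the sample lines below are constructed and carry no real hashes.

```python
"""Report accounts whose password hash changed between two master.passwd
snapshots.

Added example, not from the mailing-list post. Instead of line-diffing the
whole file, it compares the hash field (field 2) per user: shell, GECOS or
home-directory edits are not reported as password changes, and added or
removed accounts are reported on their own. Snapshot paths are supplied by
the caller; the sample data below is constructed for the demonstration.
"""
from typing import Dict, Iterable, List


def parse_passwd(lines: Iterable[str]) -> Dict[str, str]:
    """Map user name -> password hash field from master.passwd-style lines."""
    hashes: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: skip rather than abort the cron job
        hashes[fields[0]] = fields[1]
    return hashes


def password_changes(old: Iterable[str], new: Iterable[str]) -> Dict[str, List[str]]:
    """Return {'changed': [...], 'added': [...], 'removed': [...]}, each sorted."""
    before, after = parse_passwd(old), parse_passwd(new)
    changed = sorted(u for u in before if u in after and before[u] != after[u])
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    return {"changed": changed, "added": added, "removed": removed}


def format_events(events: Dict[str, List[str]]) -> List[str]:
    """One syslog-style message per event, ready to hand to logger(1)."""
    msgs = [f"{u}'s password has changed" for u in events["changed"]]
    msgs += [f"account {u} added" for u in events["added"]]
    msgs += [f"account {u} removed" for u in events["removed"]]
    return msgs


def report(old_path: str, new_path: str) -> List[str]:
    """Compare two snapshot files on disk (paths chosen by the caller)."""
    with open(old_path) as f_old, open(new_path) as f_new:
        return format_events(password_changes(f_old, f_new))


# Constructed sample snapshots (the hash fields are placeholders, not real
# bcrypt output): yesterday's copy and today's file.
OLD_SNAPSHOT = [
    "root:$2b$09$oldhashroot:0:0:daemon:0:0:Charlie &:/root:/bin/ksh",
    "alice:$2b$09$oldhashalice:1000:1000::0:0:Alice:/home/alice:/bin/ksh",
    "bob:$2b$09$oldhashbob:1001:1001::0:0:Bob:/home/bob:/bin/ksh",
    "carol:$2b$09$oldhashcarol:1002:1002::0:0:Carol:/home/carol:/bin/ksh",
]
NEW_SNAPSHOT = [
    "root:$2b$09$oldhashroot:0:0:daemon:0:0:Charlie &:/root:/bin/ksh",
    "alice:$2b$09$NEWhashalice:1000:1000::0:0:Alice:/home/alice:/bin/ksh",  # password changed
    "bob:$2b$09$oldhashbob:1001:1001::0:0:Bob:/home/bob:/bin/sh",           # shell changed only
    "dave:$2b$09$hashdave:1003:1003::0:0:Dave:/home/dave:/bin/ksh",         # new account
]

if __name__ == "__main__":
    for msg in format_events(password_changes(OLD_SNAPSHOT, NEW_SNAPSHOT)):
        print(msg)
```

Run under cron in place of the diff/cut/awk pipeline, each returned message can be passed to `logger -p auth.info` exactly as the post does; bob's shell change produces no message, which a plain line diff would not distinguish from a password change.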
Re: Question about FAQ section 10.3
On 2014-10-24 Fri 15:29 PM |, Worik Stanton wrote:
> I installed postgresql (with pkg_add) and it did not change this, I had to
> change /etc/rc.local by hand.
>
> Is there some reason why postgresql should not be started after a reboot?
> Have I completely got the wrong end of the stick?

You're very close.

$ man rc.conf:
... ..
     It is advisable to leave rc.conf untouched, and instead create and edit
     a new rc.conf.local file. Variables set in this file will override
     variables previously set in rc.conf.

The man page then gives an example of dhcpd.

/etc/rc 'starts' /etc/rc.d/dhcpd, but its default flag in /etc/rc.conf is
'NO', so it doesn't start. To actually start dhcpd, override its flags in
/etc/rc.conf.local

$ fgrep dhcpd /etc/rc*
/etc/rc:start_daemon relayd dhcpd dhcrelay mrouted dvmrpd
/etc/rc.conf:dhcpd_flags=NO # for normal use:
/etc/rc.conf.local:dhcpd_flags=''

The man page then covers the 'pkg_scripts' variable, responsible for
starting and stopping daemons installed from packages.

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Why .cshrc and .profile in / ?
On 2014-10-20 Mon 11:32 AM |, worik wrote:
> In a fresh(ish) OpenBSD installation I note .cshrc and .profile in /.

Rename them to /.cshrc~ & /.profile~ and see what breaks...

I always delete them due to having /etc/{profile,csh.cshrc,csh.login}

install.site (http://www.openbsd.org/faq/faq4.html#site):

cd /
rm .cshrc .profile

# Tidy up /root
cd /root
rm .klogin .Xdefaults .profile .cshrc .login
... ..
cd /etc
cat rc.firsttime.run >> rc.firsttime

And this in rc.firsttime(8):

... ..
cd /etc
... ..
# Tidy skel/
grep -v '^set path = ' skel/.cshrc | grep -v 'set mail = ' >> csh.cshrc
cat skel/.login >> csh.login
rm skel/{.Xdefaults,.cshrc,.login,.mailrc,.profile}
chmod 700 skel
... ..

PATH, MAIL & umask are defined once in /etc/login.conf - for all shells.

# /etc/profile:
[[ -o interactive ]] && {
	[[ ${SHELL} == '/bin/ksh' ]] && . /etc/ksh.kshrc
	[[ ${SHELL} == '/bin/rksh' ]] && . /etc/ksh.kshrc 2>/dev/null
	[[ -x /usr/bin/tset ]] && {
		[[ -n ${XTERM_VERSION} ]] && I='I'
		eval $(/usr/bin/tset -${I}sQ '-munknown:?vt220' ${TERM})
	}
}
[[ -f /etc/proxy.conf ]] && . /etc/proxy.conf
Re: Publishing SSH public key fingerprints bit length?
On 2014-10-20 Mon 21:37 PM |, Christian Weisgerber wrote: On 2014-10-20, Craig R. Skinner skin...@britvault.co.uk wrote: I noticed OpenBSD anon CVS SSH fingerprints have the bit length published with the algorithm type: http://www.openbsd.org/anoncvs.html That seems useless. Is it important to have the bit length published with the fingerprint? No. I dinnae ken if this diff helps a bit. Running 'make anoncvs' builds the page without the bit lengths (below). Index: mirrors.dat === RCS file: /cvs/www/build/mirrors.dat,v retrieving revision 1.413 diff -u -p -r1.413 mirrors.dat --- mirrors.dat 15 Oct 2014 01:42:10 - 1.413 +++ mirrors.dat 21 Oct 2014 09:34:10 - @@ -30,9 +30,9 @@ #AHanoncvs.openbsd.org.ar #AR/cvs #APssh -#SD1024 d5:b3:21:45:71:27:9b:60:0a:34:21:75:9e:fb:c6:08 -#SE256 2d:3c:fb:18:f7:a6:a5:63:f3:af:db:b1:78:76:cd:21 -#SR2048 70:87:64:84:65:9e:45:4e:25:fa:c4:52:71:af:78:28 +#SDd5:b3:21:45:71:27:9b:60:0a:34:21:75:9e:fb:c6:08 +#SE2d:3c:fb:18:f7:a6:a5:63:f3:af:db:b1:78:76:cd:21 +#SR70:87:64:84:65:9e:45:4e:25:fa:c4:52:71:af:78:28 ## Start of Australia @@ -73,9 +73,9 @@ AUanoncvs AH anoncvs.au.openbsd.org AR /cvs AP ssh -SR 2048 19:4c:e2:a8:9e:42:b2:91:f3:d5:04:cf:b5:61:5e:ea -SD 1024 80:ff:d2:46:70:51:7d:09:a5:71:83:bb:89:98:44:b1 -SE 256 fa:57:1c:55:7c:aa:d0:bc:4c:e2:05:3d:9b:bb:83:2d +SR 19:4c:e2:a8:9e:42:b2:91:f3:d5:04:cf:b5:61:5e:ea +SD 80:ff:d2:46:70:51:7d:09:a5:71:83:bb:89:98:44:b1 +SE fa:57:1c:55:7c:aa:d0:bc:4c:e2:05:3d:9b:bb:83:2d ## Start of Austria 
@@ -96,10 +96,10 @@ AH ftp5.eu.openbsd.org AR /cvs AP ssh VH ftp5.eu.openbsd.org -SR 2048 e4:a7:3a:ab:e1:a7:c8:eb:5c:f4:ff:38:95:6f:81:f2 -SD 2048 66:03:a3:bc:46:85:f3:6c:4b:6b:e3:d4:f5:5f:a6:c4 -SE 256 47:07:69:c4:6c:1f:09:ed:f5:2c:02:af:a0:e9:67:85 -S2 256 32:0b:33:5f:81:77:5c:3b:0c:f6:85:fe:f0:7c:10:ea +SR e4:a7:3a:ab:e1:a7:c8:eb:5c:f4:ff:38:95:6f:81:f2 +SD 66:03:a3:bc:46:85:f3:6c:4b:6b:e3:d4:f5:5f:a6:c4 +SE 47:07:69:c4:6c:1f:09:ed:f5:2c:02:af:a0:e9:67:85 +S2 32:0b:33:5f:81:77:5c:3b:0c:f6:85:fe:f0:7c:10:ea 0 GC Austria @@ -167,10 +167,10 @@ AHanoncvs.comstyle.com AR /cvs AP ssh, ssh port 2022 VH anoncvs.comstyle.com -SD 1024 66:a1:f9:47:26:d9:15:3c:62:2b:b5:e8:0d:89:4a:6f -SE 256 62:28:13:ea:cd:ba:68:e6:e9:82:94:ac:10:7f:80:d5 -SR 2048 43:30:9a:c6:c4:19:80:ad:7d:58:3e:7a:a0:39:57:53 -S2 256 65:34:d5:69:47:38:58:01:47:5d:bd:09:9d:69:be:6b +SD 66:a1:f9:47:26:d9:15:3c:62:2b:b5:e8:0d:89:4a:6f +SE 62:28:13:ea:cd:ba:68:e6:e9:82:94:ac:10:7f:80:d5 +SR 43:30:9a:c6:c4:19:80:ad:7d:58:3e:7a:a0:39:57:53 +S2 65:34:d5:69:47:38:58:01:47:5d:bd:09:9d:69:be:6b 0 GC Canada @@ -295,10 +295,10 @@ AUanoncvs AH anoncvs.estpak.ee AR /OpenBSD AP ssh -SD 1024 bb:5c:44:f4:d9:12:3b:22:08:a9:12:c5:0c:e7:db:49 -SR 1024 e1:12:fb:6b:e5:c0:6a:b3:f8:ca:b1:4c:20:fb:5e:07 -SE 256 d7:46:c9:1e:43:e8:23:7b:4c:cb:5c:75:21:77:f9:bd -S2 256 a7:f6:ff:1a:31:cb:11:0c:84:d5:6b:28:b7:05:c6:7c +SD bb:5c:44:f4:d9:12:3b:22:08:a9:12:c5:0c:e7:db:49 +SR e1:12:fb:6b:e5:c0:6a:b3:f8:ca:b1:4c:20:fb:5e:07 +SE d7:46:c9:1e:43:e8:23:7b:4c:cb:5c:75:21:77:f9:bd +S2 a7:f6:ff:1a:31:cb:11:0c:84:d5:6b:28:b7:05:c6:7c VH anoncvs.estpak.ee ## Start of France: 
@@ -322,10 +322,10 @@ AHanoncvs.fr.openbsd.org AU anoncvs AR /cvs AP ssh -SR 2048 af:53:c8:ea:98:20:a2:81:e1:e3:c9:cb:06:d3:56:d7 -SD 1024 5e:3a:78:5f:ef:0a:53:b4:b9:2c:91:84:4f:3e:52:dd -SE 256 61:e1:2b:97:a4:65:4d:70:cd:23:3b:83:04:f1:2e:87 -S2 256 10:80:7f:b7:76:03:7a:51:10:23:fb:1e:05:5b:93:74 +SR af:53:c8:ea:98:20:a2:81:e1:e3:c9:cb:06:d3:56:d7 +SD 5e:3a:78:5f:ef:0a:53:b4:b9:2c:91:84:4f:3e:52:dd +SE 61:e1:2b:97:a4:65:4d:70:cd:23:3b:83:04:f1:2e:87 +S2 10:80:7f:b7:76:03:7a:51:10:23:fb:1e:05:5b:93:74 0 GC France @@ -380,9 +380,9 @@ AU anoncvs AH openbsd.cs.fau.de AR /cvs AP ssh, ssh port 2022 -SD 1024 9f:a1:78:0b:d4:76:68:bf:3e:83:d0:41:c8:1e:33:8b -SE 256 f0:d1:64:e6:6b:2f:9e:1e:85:aa:75:e3:a0:52:d3:5a -SR 2048 d0:f2:0c:a3:bf:28:ba:18:50:5f:04:dc:13:ed:63:42 +SD 9f:a1:78:0b:d4:76:68:bf:3e:83:d0:41:c8:1e:33:8b +SE f0:d1:64:e6:6b:2f:9e:1e:85:aa:75:e3:a0:52:d3:5a +SR d0:f2:0c:a3:bf:28:ba:18:50:5f:04:dc:13:ed:63:42 # stsp@ 0 @@ -417,8 +417,8 @@ AR /cvs AP ssh VH mirror.osn.de VU http://mirror.osn.de/ -SD 1024 fb:33:05:62:96:20:cf:88:7e:10:cb:8d:91:72:57:32 -SR 1024 f2:73:d2:f6:e3:01:ef:ca:3b:e7:6c:80:b6:bd:bb:84 +SD fb:33:05:62:96:20:cf:88:7e:10:cb:8d:91:72:57:32 +SR f2:73:d2:f6:e3:01:ef:ca:3b:e7:6c:80:b6:bd:bb:84 0 GC Germany @@ -473,10 +473,10 @@ AHftp.hostserver.de AU anoncvs AR /cvs AP ssh -SR 2048 ab:02
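Review bot: the patch as submitted ends mid-hunk (the `@@ -473,10 +473,10 @@ AHftp.hostserver.de ...` hunk stops at `-SR 2048 ab:02`), so the remaining mirrors.dat hunks are not here to review; resend the complete diff. For the hunks that are visible, the change is data-only: the `1024`/`2048`/`256` token is dropped from every SD, SE, SR and S2 line, including the commented-out template entries in the first hunk, and the covering message says `make anoncvs` renders the page correctly afterwards, but nothing in the diff touches whatever reads those fields. State in the message whether the page generator accepts both the two-token and three-token forms, or whether every entry has to be converted in the same commit so that a partially applied file does not produce a malformed fingerprint column.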
Publishing SSH public key fingerprints bit length?
Hi,

I noticed OpenBSD anon CVS SSH fingerprints have the bit length published
with the algorithm type:
http://www.openbsd.org/anoncvs.html

A couple of other popular non-OpenBSD sites omit the bit length:

16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 (RSA)
ad:1c:08:a4:40:e3:6f:9c:f5:66:26:5d:4b:33:5d:8c (DSA)
https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/

97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 (RSA)
35:ee:d7:b8:ef:d7:79:e2:c6:43:9e:ab:40:6f:50:74 (DSA)
https://confluence.atlassian.com/display/BITBUCKET/Use+the+SSH+protocol+with+Bitbucket#UsetheSSHprotocolwithBitbucket-KnownhostorBitbucket%27spublickeyfingerprints

Maybe the default length for the algorithm is implied if not stated?

The bit length doesn't appear in the known_hosts file.

Is it important to have the bit length published with the fingerprint?

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
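An added example (not from the thread and not OpenBSD's page build) showing why the published length is redundant: the bit length is a property of the key blob itself, the same base64 blob that sits in known_hosts, and anyone verifying a fingerprint can recover it locally. The code parses an OpenSSH public-key line, emits the MD5 fingerprint in the colon-hex form quoted above plus the SHA256 form, and reads the length out of the blob (the RSA modulus size, the DSA prime size, or the fixed 32-byte Ed25519 point). The two keys it builds are constructed test data, not real host keys.

```python
"""Compute SSH public-key fingerprints and derive the key length from the
key blob itself.

Added example, not code from the mailing-list thread or from OpenBSD. It
parses the base64 blob of an OpenSSH public-key line (the blob stored in
known_hosts), prints the MD5 fingerprint in colon-hex form and the SHA256
form, and reads the bit length out of the blob. The keys below are
constructed for the demonstration and are not real host keys.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 length + bytes) at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def parse_blob(blob: bytes) -> List[bytes]:
    """Split a key blob into its wire-format strings (key type name first)."""
    parts, pos = [], 0
    while pos < len(blob):
        part, pos = _read_string(blob, pos)
        parts.append(part)
    return parts


def key_bits(blob: bytes) -> int:
    """Bit length as ssh-keygen -l reports it, derived from the blob alone."""
    parts = parse_blob(blob)
    ktype = parts[0].decode()
    if ktype == "ssh-rsa":
        # "ssh-rsa", mpint e, mpint n: the key size is the size of n
        return int.from_bytes(parts[2], "big").bit_length()
    if ktype == "ssh-dss":
        # "ssh-dss", mpint p, q, g, y: the key size is the size of p
        return int.from_bytes(parts[1], "big").bit_length()
    if ktype == "ssh-ed25519":
        return len(parts[1]) * 8  # fixed 32-byte public point -> 256
    raise ValueError(f"unsupported key type {ktype}")


def fingerprints(pubkey_line: str) -> Dict[str, object]:
    """Parse 'type base64 [comment]'; return type, bits and both fingerprints."""
    ktype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    if parse_blob(blob)[0].decode() != ktype:
        raise ValueError("key type in text does not match the blob")
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": ktype,
        "bits": key_bits(blob),
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }


def _mpint(value: int) -> bytes:
    """Encode an int as an SSH mpint (big-endian, zero-padded if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(ktype: str, *fields: bytes) -> str:
    """Assemble a public-key line from wire-format fields (constructed test data)."""
    blob = b"".join(_ssh_string(f) for f in (ktype.encode(),) + fields)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed@example"


# Constructed keys: an RSA blob whose "modulus" is 2**2047 + 1 (2048 bits,
# not a real key) and an Ed25519 blob of 32 counting bytes.
RSA_2048_LINE = make_pubkey_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) + 1))
ED25519_LINE = make_pubkey_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    for line in (RSA_2048_LINE, ED25519_LINE):
        info = fingerprints(line)
        print(f"{info['bits']} {info['md5']} ({info['type']})  {info['sha256']}")
```

The same parse is what `ssh-keygen -l` does when it prints the length next to the fingerprint, so a reader checking a mirror against their known_hosts entry gets the length for free; the published fingerprint is what has to match.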
Re: host(1) prints errors to STDOUT
On 2014-10-14 Tue 10:41 AM |, Theo de Raadt wrote:
> Unfortunately host is maintained upstream, in the bind codebase, by ISC.
> You should file your bug report there, because that is the right way to
> get change into the ecosystem.

Submitted, with their GITWEB line number refs.

  ISC's bug database is not publicly readable, in order to protect the
  privacy of users who have included identifying information or attached
  logs or crash dumps to their bug reports.
http://www.isc.org/community/report-bug/

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
host(1) prints errors to STDOUT
$ host loopy.loo.found.not; print $?
Host loopy.loo.found.not not found: 3(NXDOMAIN)
1

$ host loopy.loo.found.not > /dev/null; print $?
1

$ host loopy.loo.found.not 2>/dev/null; print $?
Host loopy.loo.found.not not found: 3(NXDOMAIN)
1

There's a printf at line 429 of /usr/src/usr.sbin/bind/bin/dig/host.c

Line 569's printf may also be going to STDOUT.

Maybe others

Successful output to STDOUT:

$ host www.example.org; print $?
www.example.org has address 93.184.216.119
www.example.org has IPv6 address 2606:2800:220:6d:26bf:1447:1097:aa7
0

$ host www.example.org > /dev/null; print $?
0
head(1) returns 0 on failure
I'm seeing head return 0 on failures:

$ for tool in head tail cat; do $tool /var/empty/non-existant; print $?; done
head: /var/empty/non-existant: No such file or directory
0
tail: /var/empty/non-existant: No such file or directory
1
cat: /var/empty/non-existant: No such file or directory
1

$ for tool in head tail cat; do $tool /root/non-existant; print $?; done
head: /root/non-existant: Permission denied
0
tail: /root/non-existant: Permission denied
1
cat: /root/non-existant: Permission denied
1

head(1):
EXIT STATUS
     The head utility exits 0 on success, and >0 if an error occurs.

An ordinary 5.5 release box:

$ uname -mrsv
OpenBSD 5.5 GENERIC#276 i386

Am I doing something wrong?
Re: Android Studio
On 2014-09-27 Sat 00:33 AM |, Nick Holland wrote:
> I'd LOVE to think Google took security more seriously than other dipshits
> in the computer industry, but sadly, the Android platform did not show it.
> I have an Android phone, I would not trade it for an iProduct...but I will
> never trust it or use it for security critical purposes.

While I don't have a smart phone, nor a tablet, is Blackberry worth
considering?

I guess not:

  According to Levison, the F.B.I. agents who came to his house were
  surprised that he hadn't seen one of the sets of documents that had been
  e-mailed to him demanding Lavabit's information; they pointed to his phone
  and said he could look up the information right there. He responded, 'You
  know better than I do why I don't have e-mail on my phone.'
  ...
  He doesn't use e-mail on his Android smartphone, for instance, because
  neither the software nor the hardware of any commercial phone can be
  trusted; carriers and phone makers can push malware onto the device, he
  said. Yet his views are far from radical.
  ...

http://www.newyorker.com/tech/elements/how-lavabit-melted-down
http://lavabit.com/
Re: Android Studio
On 2014-09-27 Sat 00:33 AM |, Nick Holland wrote: Sorry, I've had the honor of working with some amazing malware experts (AND the OpenBSD developers. Have I had a rockin' life or what? :), Absolutely, like 11:33 of this: http://www.youtube.com/watch?v=S72I-nSgQek http://www.NavalTankerMen.com/images/ken731.jpg -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Thanks for ksh
On 2014-09-25 Thu 15:18 PM |, Maurice McCarthy wrote:
> http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

More vulnerabilities in #bashbug: #Shellshock becomes whack-a-mole for
security engineers
http://ars.to/1uOtJcN

  ... he was able to bypass the fixes in the latest bash patch and pass
  through executable commands.

  partially patched, still highly dangerous.

  And it may take a significant change to fix the code.
  ... two specific recommendations for fixes to bash that will essentially
  break backward compatibility...

OpenBSD;- bashbug free since 1996!

Thanks again!

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: quotas grace period none right away
On 2014-09-24 Wed 09:22 AM |, Boris Goldberg wrote:
> Does this mean you tried and found out (or knew) that disk quotas were not
> going to work for you?

At the moment Boris, I'm not using quotas - but did a few years ago. I don't
remember having any problems then.

I guessed Dovecot would work for you by going around any possible issue due
to filesystem delivery ... temporarily drop privileges to users.
Thanks for ksh
All the highly skilled work invested in the project, keeping ordinary users secure, is appreciated.
Re: quotas grace period none right away
On 2014-09-23 Tue 10:06 AM |, Boris Goldberg wrote:
> This might have something to do with the fact that this is a mail server,
> and mail is being delivered by root (by procmail to maildirs if it makes a
> difference).

How about Dovecot & sieve (rules can be edited remotely in Thunderbird):

  Filesystem quota supports both local filesystems and rquota (NFS).:
http://wiki2.dovecot.org/Quota/FS
http://wiki2.dovecot.org/Quota

  ... temporarily drop privileges to users.:
http://wiki2.dovecot.org/LMTP

http://wiki2.dovecot.org/Pigeonhole/Sieve
http://wiki2.dovecot.org/Pigeonhole/ManageSieve/

Almost a GUI for semi-competent users:
https://addons.mozilla.org/EN-US/thunderbird/addon/sieve/

I've configured Dovecot to deliver to (NFS) /var/mail/ dirs, with per user
sieve scripts in /var/mail/user/sieve/ too.

Mutt works fine with /etc/mutt/Muttrc:

set folder=$MAIL
set postponed=$MAIL/.Drafts
set record=$MAIL/.Sent
set trash=$MAIL/.Trash
mailboxes + `echo $MAIL/.* | tr -s ' ' '\n' | egrep -v 'Archive|Trash.' | tr -s '\n' ' '`

There is no mail kept in $HOME

This way, mail deleted or sent locally via Mutt, can be accessed remotely via
IMAP - it is uniformly seamless.

Also, /home & /var/mail can be unmounted & dumped with different level 0
frequency. Say annually for /home & quarterly for /var/mail.
Re: unbound
On 2014-09-22 Mon 16:51 PM |, Giancarlo Razzolini wrote:
> Craig,
>
> If I understood this correctly this almost replace the view function on
> bind? Now that it was dropped I need to start planning my transition.

Yes.

Until 5.3 I was running a split horizon master zone, with different views for
shadow (public) and internal (private).

With the switch to NSD it became unworkable to use a split horizon zone on
the same server internally as:

*) NSD listens on port 53 to authoritatively serve the zone
*) Unbound listens on port 53 to recursively resolve everything else

This way, the old BIND shadow/public master zone is served by NSD, as is the
old internal reverse zone, and a new .internal zone. These are all proxied
(stubbed) by Unbound for the internal hosts.

There is also an internal slave NSD server that xfers those zones & stubs
them via its own Unbound daemon - that way I didn't have to hard code/rdist
the internal forward & reverse zones in multiple machines' unbound.conf

The choice of the internal zone name basically boiled down to:

.localdomain
.priv(ate)
.internal

Apparently,... .local interferes with a lot of Apple gadgets.
hostmaster@teak:~ 0$ ls -ld /var/unbound
drwxr-xr-x  6 root  wheel  512 Sep 11 15:23 /var/unbound/

hostmaster@teak:~ 0$ ls -loAR /var/unbound
total 16
drwxrwx---  2 _unbound    hostmasters  - 512 May  9 09:55 db/
drwxr-xr-x  2 root        wheel        - 512 Sep 16 08:36 dev/
drwxr-x---  3 hostmaster  _unbound     - 512 Sep 11 15:36 etc/
drwxr-xr-x  3 root        wheel        - 512 Apr 24 19:20 var/

/var/unbound/db:
total 4
-rw-r--r--  1 _unbound  _unbound  - 759 May  9 09:55 root.key

/var/unbound/dev:
total 0
srw-rw-rw-  1 root  wheel  - 0 Sep 16 08:36 log=

/var/unbound/etc:
total 136
drwxrwx---  2 hostmaster  hostmasters  -   512 Sep 11 15:36 RCS/
-rw-r--r--  1 hostmaster  hostmasters  -   333 Apr 30 14:39 notes.txt
-r--r--r--  1 hostmaster  hostmasters  -  3323 Apr 26 20:53 root.hints
-r--r--r--  1 hostmaster  hostmasters  - 21314 Apr 24 19:20 unbound-example-54.conf
-r--r--r--  1 hostmaster  hostmasters  - 23548 Sep 11 15:18 unbound-example-55.conf
-r--r--r--  1 hostmaster  hostmasters  -  5939 Sep 11 15:31 unbound.conf
-r--r-----  1 hostmaster  _unbound     -  1277 Sep 11 15:32 unbound_control.key
-r--r-----  1 hostmaster  _unbound     -   802 Sep 11 15:32 unbound_control.pem
-r--r-----  1 hostmaster  _unbound     -  1277 Sep 11 15:32 unbound_server.key
-r--r-----  1 hostmaster  _unbound     -   790 Sep 11 15:32 unbound_server.pem

/var/unbound/etc/RCS:
total 60
-r--r--r--  1 hostmaster  hostmasters  -  4477 Apr 26 21:42 root.hints,v
-r--r--r--  1 hostmaster  hostmasters  - 14483 Sep 11 15:32 unbound.conf,v
-r--r-----  1 hostmaster  _unbound     -  1485 Sep 11 15:34 unbound_control.key,v
-r--r-----  1 hostmaster  _unbound     -  1010 Sep 11 15:35 unbound_control.pem,v
-r--r-----  1 hostmaster  _unbound     -  1484 Sep 11 15:36 unbound_server.key,v
-r--r-----  1 hostmaster  _unbound     -   997 Sep 11 15:35 unbound_server.pem,v

/var/unbound/var:
total 4
drwxrwx---  2 _unbound  hostmasters  - 512 Sep 16 08:36 run/

/var/unbound/var/run:
total 4
-rw-r--r--  1 _unbound  _unbound  - 6 Sep 16 08:36 unbound.pid

hostmaster@teak:~ 0$ ls -ld /var/nsd
drwxr-xr-x  7 root  wheel  512 May  1 12:55 /var/nsd/

hostmaster@teak:~ 0$ ls -loAR /var/nsd
total 20
drwxrwx---  2 _nsd        hostmasters  - 512 Aug  7 13:42 db/
drwxr-xr-x  2 root        wheel        - 512 Sep 16 08:36 dev/
drwxr-x---  4 hostmaster  _nsd         - 512 Sep 11 13:49 etc/
drwxrwx---  3 _nsd        hostmasters  - 512 Sep 23 09:48 run/
drwxr-xr-x  4 root        wheel        - 512 May  1 14:26 zones/

/var/nsd/db:
total 992
-rw-r--r--  1 _nsd  hostmasters  - 589824 Sep 11 13:45 nsd.db

/var/nsd/dev:
total 0
srw-rw-rw-  1 root  wheel  - 0 Sep 16 08:36 log=

/var/nsd/etc:
total 36
drwxrwx---  2 hostmaster  hostmasters  -  512 Sep 11 13:49 RCS/
-r--r-----  1 hostmaster  hostmasters  - 1034 Mar  5  2014 nsd-55.conf
-r--r--r--  1 hostmaster  hostmasters  - 2886 Sep 11 13:38 nsd.conf
-r--r-----  1 hostmaster  _nsd         - 1277 Sep 11 13:45 nsd_control.key
-r--r-----  1 hostmaster  _nsd         -  790 Sep 11 13:45 nsd_control.pem
-r--r-----  1 hostmaster  _nsd         - 1277 Sep 11 13:45 nsd_server.key
-r--r-----  1 hostmaster  _nsd         -  782 Sep 11 13:45 nsd_server.pem
drwxrwxr-x  3 hostmaster  hostmasters  -  512 May 22 12:45 slaves/

/var/nsd/etc/RCS:
total 32
-r--r--r--  1 hostmaster  hostmasters  - 7598 Sep 11 13:39 nsd.conf,v
-r--r-----  1 hostmaster  _nsd         - 1481 Sep 11 13:47 nsd_control.key,v
-r--r-----  1 hostmaster  _nsd         -  994 Sep 11 13:48 nsd_control.pem,v
-r--r-----  1 hostmaster  _nsd         - 1480 Sep 11 13:48 nsd_server.key,v
-r--r-----  1 hostmaster  _nsd         -  985 Sep 11 13:49 nsd_server.pem,v

/var/nsd/etc/slaves:
total 16
drwxrwx---  2 hostmaster  hostmasters  - 512 May 22 12:45 RCS/
-r--r--r--  1 hostmaster  hostmasters  - 427 May 13 21:04 X-nokey.conf
Re: unbound
On 2014-09-19 Fri 12:28 PM |, Krzysztof Strzeszewski wrote:
> I want add my global domain in my server dns unbound... How to do? I know
> how add my domain in named(bind):

$ man 8 unbound
... ..
DESCRIPTION
     Unbound is an implementation of a DNS resolver, that does caching
.

Use NSD:

$ man 8 nsd
... ...
DESCRIPTION
     NSD is a complete implementation of an authoritative DNS nameserver.
...

$ man 5 nsd.conf

The zone file format is much the same as for named(BIND), you can probably
use the same file copied in to /var/nsd/zones/master/

Something like:

# nsd.conf
server:
	verbosity: 2
	hide-version: yes
	ip4-only: yes
	ip-address: pub.lic.ip.address
	# different privileged port on loopback for unbound stub zones:
	# The ARPA Host Name Server Protocol (NAMESERVER)
	# is an obsolete network protocol unused
	# http://en.wikipedia.org/wiki/ARPA_Host_Name_Server_Protocol
	ip-address: 127.0.0.1@42

remote-control:
	control-enable: yes

# Master zones:
zone:
	name: internal
	zonefile: master/internal

zone:
	name: 1.168.192.in-addr.arpa
	zonefile: master/1.168.192.in-addr.arpa

zone:
	name: example.not
	zonefile: master/example.not
	notify: slave.server.ip.address NOKEY
	provide-xfr: slave.server.ip.address NOKEY


# unbound.conf
server:
	interface: 127.0.0.1
	interface: 192.168.1.1
	do-ip6: no
	access-control: ::0/0 refuse
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.1.0/24 allow
	hide-identity: yes
	hide-version: yes
	verbosity: 2
	log-queries: yes
	root-hints: /etc/root.hints
	do-not-query-localhost: no # NOTE THIS!!!

	# private networks:
	private-address: 10.0.0.0/8
	private-address: 100.64.0.0/10
	private-address: 172.16.0.0/12
	private-address: 192.0.0.0/29
	private-address: 192.168.0.0/16
	private-address: 198.18.0.0/15
	# example source code documentation:
	private-address: 192.0.2.0/24
	private-address: 198.51.100.0/24
	private-address: 203.0.113.0/24
	# subnet, autoconfiguration between two hosts on a single link:
	private-address: 169.254.0.0/16
	# reserved for multicast assignments:
	private-address: 224.0.0.0/4
	# reserved for future use:
	private-address: 240.0.0.0/4

	private-domain: 'internal'

	local-zone: '1.168.192.in-addr.arpa' typetransparent # NOTE THIS!!!

	local-zone: localhost. static
	local-data: "localhost. 10800 IN NS localhost."
	local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
	local-data: "localhost. 10800 IN A 127.0.0.1"
	# Disabled: (do-ip6: no doesn't do it):
	# local-data: "localhost. 10800 IN AAAA ::1"

remote-control:
	control-enable: yes

stub-zone:
	name: 'internal'
	stub-addr: 127.0.0.1@42

stub-zone:
	name: '1.168.192.in-addr.arpa'
	stub-addr: 127.0.0.1@42

stub-zone:
	name: 'example.not'
	stub-addr: 127.0.0.1@42
	stub-addr: slave.server.ip.address
	stub-first: yes
new httpd and cachability?
For the new httpd, will there be a mechanism to set cachability?

Browser/proxy caching reduces both bandwidth costs & server load.

Rough nginx e.g:

http {
	... ..
	expires 3d;
	add_header Pragma public;
	add_header Cache-Control public;

	server {
		... ..
		location ~* \.(?:jpe?g|png|gif|svg|mp3|mp4)$ {
			expires 1y;
		}
		location ~* \.(?:ico|js|pdf)$ {
			expires 3M;
		}
	}
}

Maybe something could be done globally within the mime types???
Signing siteXX.tgz files?
I found a couple of threads related to signing the siteXX.tgz install files, and was wondering what the future (5.6) of this might look like. If I understand the present (5.5) situtation correctly, if site*.tgz are created distributed, you have to trust your own files method of distribution. Theo wrote (in part): ... signify only works for the signed base sets. site*.tgz is now a pretty serious outlier. https://www.mail-archive.com/misc@openbsd.org/msg127738.html Nick wrote (in part): It works exactly as intended: your siteXX.tgz file is something YOU generated, OpenBSD has no idea what's in it. If you can't trust your siteXX.tgz file and how it gets from you to you, you have much bigger problems that signing isn't going to fix. http://mailing.openbsd.misc.narkive.com/M1bFETMA/signing-release-files
Re: unbound reverse DNS problem to local stub zone
On 2014-09-01 Mon 08:58 AM |, Arthur Mesh wrote:
> I have the same exact symptom, unbound.conf:
>
> local-zone: 10.in-addr.arpa. nodefault

Change this to:

local-zone: 10.in-addr.arpa typetransparent

See types under the section 'local-zone' of unbound.conf(5)
FAQ4 -vs- disklabel(8) re /tmp space?
Just an FYI;-

While preparing to wipe & reinstall a box with a different partitioning
layout, I noticed these 2 items about /tmp space:

http://www.openbsd.org/faq/faq4.html#Partitioning
  o /tmp: 50M is usually many times what you should ever need,

disklabel(8)
  AUTOMATIC DISK ALLOCATION
  /tmp  8% of disk.  120M - 4G
Re: FAQ4 -vs- disklabel(8) re /tmp space?
On 2014-08-30 Sat 08:19 AM |, Nick Holland wrote: Was there a point you are trying to make? No: Just an FYI;-
Re: httpd URI rewriting / try_files
On 2014-08-28 Thu 22:14 PM |, Liviu Daia wrote:
> What about redirect, say from http://mumble to https://mumble?

Or:

http://example.org -> http://www.example.org
http://www.example.com -> http://www.example.net
Re: maybe OT 10 year anniversay of Chuck Yerkes death
On 2014-08-27 Wed 17:21 PM |, Diana Eichert wrote: I'm writing this post to remember Chuck Yerkes, He must've made quite an impact for you to respect him every year. Cool.
Re: Postfix and SASL authentication.
On 2014-08-25 Mon 21:40 PM |, giacomo wrote:
> > Join the Postfix users mailing list (http://www.postfix.org/lists.html)
> > Send them a problem description & the output of both:
> >
> > $ postconf -nf
> > $ postconf -Mf

REALLY: Join the Postfix users mailing list and send them the output.

> > Sorry I can't help further as I don't use SSL with SMTP as it can't be
> > enforced throughout a message's life - therefore I consider it a false
> > sense of security.
>
> Which is a solution, for you, to increase the security for connections
> from the outside, for example with a portable device (laptop, smartphone,
> etc) using a OpenBSD system?

SMTP is not a point to point protocol, it is a redundant store & forward
protocol. SSL/TLS was an afterthought, and may be optionally negotiated for
each hop. The security of the channel is never guaranteed for each leg of the
journey. And the next hop never promises to encrypt the onward connection.

Mail gateways may accept an encrypted connection & forward it in clear text
to a LAN M$ exchange, Solaris or Loonix box. You don't know.

Some organisations also use 3rd party off-site MX backup boxes as well. Who
knows what they do with mail, and what route they forward it onwards by.

Want proof? Send me a mail from your SSL/TLS MTA & watch the logs as the
message is sent in clear text to Scotland. I'll reply and you'll see from
your logs that your fancy SSL set up is ignored, and the message is accepted
by your box in plain text.

Even if the message does (by random chance) happen to travel via an encrypted
channel, it then sits in clear text on Goatmail, Snotmail, Yahtwits or
AOL.con's servers for government agencies around the world to read - years
after it is 'deleted'.

SMTP is resilient, but insecure.

The best that can be done is to have the user PGP encrypt their message
before sending.

To protect the user's authentication credentials on port 587 is to use rather
weak digest auth.

e.g:
	250-AUTH CRAM-MD5

NOT:
	250-AUTH PLAIN
	250-AUTH LOGIN

Using SSL for SMTP-submission, IMAP or POP is to deceive users into thinking
their mail is secure. It is a lie.

Otherwise, both ssh to a box & chat locally.

Or use something like SILC:
http://en.wikipedia.org/wiki/SILC_%28protocol%29
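An added example (not from the post) that turns the two `250-AUTH` lines above into a check you can run against your own submission server's EHLO reply: it separates the mechanisms that transmit the password itself (PLAIN and LOGIN, which are only base64-encoded) from challenge-response ones such as CRAM-MD5, and records whether STARTTLS is offered at all, since a clear-text mechanism is only defensible once the session is encrypted. The EHLO responses it reads are constructed sample data, not captured from any real server.

```python
"""Audit an SMTP EHLO response for how it exposes submission credentials.

Added example, not from the mailing-list post. It classifies the AUTH
mechanisms a server advertises: PLAIN and LOGIN carry the reusable password
(base64 only), while CRAM-MD5 and the other challenge-response mechanisms
never send the password itself. It also records whether STARTTLS is offered.
The EHLO responses below are constructed sample data.
"""
from typing import Dict, List

# Mechanisms that transmit the reusable password (reversible encoding only).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# Challenge-response mechanisms: the password never crosses the wire itself.
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256"}


def parse_ehlo(lines: List[str]) -> Dict[str, List[str]]:
    """Turn '250-KEYWORD params' reply lines into {KEYWORD: [params]}."""
    caps: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if not line.startswith("250"):
            continue  # ignore the 220 greeting and anything that is not an EHLO reply
        # the 4th character is '-' for continuation lines and ' ' for the last one
        body = line[4:] if len(line) > 3 and line[3] in "- " else ""
        if not body:
            continue
        keyword, *params = body.split()
        # AUTH may be advertised more than once; merge the mechanism lists
        caps.setdefault(keyword.upper(), []).extend(p.upper() for p in params)
    return caps


def audit_ehlo(lines: List[str]) -> Dict[str, object]:
    """Summarise credential exposure for one EHLO response."""
    caps = parse_ehlo(lines)
    mechs = set(caps.get("AUTH", []))
    cleartext = sorted(mechs & CLEARTEXT_MECHS)
    challenge = sorted(mechs & CHALLENGE_MECHS)
    starttls = "STARTTLS" in caps
    # A clear-text mechanism with no TLS on offer hands the password to
    # anyone who can read the session.
    return {
        "cleartext": cleartext,
        "challenge": challenge,
        "starttls": starttls,
        "password_exposed": bool(cleartext) and not starttls,
    }


# Constructed sample EHLO responses (not captured from a real server).
WEAK_EHLO = [
    "220 mx.example.test ESMTP",
    "250-mx.example.test",
    "250-PIPELINING",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]
BETTER_EHLO = [
    "220 mx.example.test ESMTP",
    "250-mx.example.test",
    "250-STARTTLS",
    "250-AUTH CRAM-MD5",
    "250 8BITMIME",
]

if __name__ == "__main__":
    for name, response in (("weak", WEAK_EHLO), ("better", BETTER_EHLO)):
        print(name, audit_ehlo(response))
```

Feed it the lines you get back from `EHLO` on port 587 (for instance pasted from an `openssl s_client` or `nc` session); a `password_exposed` result of True is the configuration to fix first, whichever side of the TLS debate above you take.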
Re: Postfix and SASL authentication.
On 2014-08-24 Sun 18:44 PM |, giacomo wrote:
> Hi.
> Here there is other information about the configuration of the mail system.
>
> 1. The mail system uses virtual users.
> 2. The postfix main.cf is:
>
> # Enable SASL authentication in the Postfix SMTP server
> smtpd_sasl_auth_enable = yes
> # Postfix 2.3 and later
> #smtpd_sasl_path = smtpd
> # Only accept mail from trusted networks, authenticated clients or mail with
> # a 'RCPT TO' address that Postfix is forwarder or final destination for
> smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         reject_unauth_pipelining,
>         reject_non_fqdn_recipient,
>         reject_unknown_recipient_domain,
>         reject_invalid_hostname,
>         reject_non_fqdn_sender,
>         reject_unknown_sender_domain,
>         reject_unauth_destination,
>         reject_rbl_client bl.spamcop.net,
>         reject_rbl_client zombie.dnsbl.sorbs.net,
>         reject_rbl_client list.dsbl.org,

  DSBL is GONE and highly unlikely to return. Please remove it from your
  mail server configuration. (03/09/2009 http://dsbl.org/)

>         reject_rbl_client sbl.spamhaus.org,
>         reject_rbl_client sbl-xbl.spamhaus.org,
>         reject_rbl_client blackholes.easynet.nl,

  The blacklists on the easynet.nl domain discontinued on 1/12/2003
  (http://vamsoft.com/company/news/easynet-nl-blacklists-discontinued)

>         reject_rbl_client combined.njabl.org,

  njabl.org OFFLINE since 1/3/2013 (http://www.dnsbl.info/dnsbl-njabl-org.php)

>         reject_rbl_client dul.dnsbl.sorbs.net,
>         permit

Join the Postfix users mailing list (http://www.postfix.org/lists.html)
Send them a problem description & the output of both:

$ postconf -nf
$ postconf -Mf

Sorry I can't help further as I don't use SSL with SMTP as it can't be
enforced throughout a message's life - therefore I consider it a false sense
of security.
Re: 5.4 (GENERIC) box has begun to randomly reboot
On 2014-08-05 Tue 16:13 PM |, STeve Andre' wrote:
> In decreasing order I'd say 5) motherboard problem, 4) power supply,
> 3) memory, 2) cabling failure, 1) disk controller.

Thanks gents.

After a night with the power off, the same phantom rebooting started within
10 minutes the next day.

The used computer shop downstairs is on summer holidays, so I swapped the
disks, cables & memory in to another chassis I found in the spare room. This
has been stable since.

Someone suggested looking for swollen/domed capacitors on the main board
(Supermicro), nothing out of the ordinary was seen.

Onward,
Craig.
5.4 (GENERIC) box has begun to randomly reboot
Hi,

A reliable box has begun to randomly reboot in the last couple of days.

There's nothing obviously unusual in /var/log/*

$ ls -ld /var/crash
drwxrwx---  2 root  wheel  512 Dec 24  2013 /var/crash/

$ ls -lA /var/crash
total 4
-rw-r--r--  1 root  wheel  5 Jul 30  2013 minfree

I set up a 1 min cron job of
sysctl | fgrep hw.sensors.lm1.temp && uptime

The last one before a reboot was:
hw.sensors.lm1.temp0=34.00 degC
hw.sensors.lm1.temp2=33.50 degC
 2:53PM  up 31 mins, 2 users, load averages: 0.13, 0.19, 0.23

I'm guessing some bit of hardware is on its way out, but which?

$ ls -l /var/run/dmesg.boot
-rw-r--r--  1 root  wheel  3612 Aug  5 14:58 /var/run/dmesg.boot

OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 12:05:01 MDT 2013
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 128KB L2 cache) 635 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,SSE,PERF
real mem  = 535228416 (510MB)
avail mem = 515035136 (491MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/15/99, BIOS32 rev. 0 @ 0xfdb70, SMBIOS rev. 2.0 @ 0xf0480 (24 entries)
bios0: vendor American Megatrends Inc. version 063101 date 01/15/99
bios0: Supermicro Computer Intel 810
apm0 at bios0: Power Management spec V1.2
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI BIOS has 9 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801AA LPC rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82810E Host rev 0x03
vga1 at pci0 dev 1 function 0 Intel 82810E Video rev 0x03
intagp0 at vga1
agp0 at intagp0: aperture at 0xec00, size 0x400
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
rl0 at pci1 dev 0 function 0 Realtek 8139 rev 0x10: irq 11, address 00:90:47:05:99:6d
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 1 function 0 Realtek 8139 rev 0x10: irq 10, address 00:90:47:05:30:e8
rlphy1 at rl1 phy 0: RTL internal PHY
ichpcib0 at pci0 dev 31 function 0 Intel 82801AA LPC rev 0x02: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801AA IDE rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: ST3250820A
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1 at pciide0 channel 1 drive 0: Maxtor 5A320J0
wd1: 16-sector PIO, LBA48, 308921MB, 632672208 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801AA USB rev 0x02: irq 5
ichiic0 at pci0 dev 31 function 3 Intel 82801AA SMBus rev 0x02: irq 10
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 256MB SDRAM non-parity PC133CL2
spdmem1 at iic0 addr 0x51: 256MB SDRAM non-parity PC133CL2
auich0 at pci0 dev 31 function 5 Intel 82801AA AC97 rev 0x02: irq 10, ICH AC97
ac97: codec id 0x43525934 (Cirrus Logic CS4299 rev 4)
ac97: codec features headphone, 20 bit DAC, 18 bit ADC, Crystal Semi 3D
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x13
lm1 at wbsio0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (0e3aa2ac975978d6.a) swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
[OT] Commonwealth Games Ceremonies
Last night at a dress rehearsal of the 2014 Commonwealth Games Opening Ceremony, I was thrilled to walk my New Zealand flag into the packed stadium of 71 nations from the British Empire!!!

The opening is on Wednesday (tomorrow), closing on 3rd August.

They're a lot of fun - I know as I'm performing the beauty of Scottish culture in both!

Live an adventure,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: rc script problem with pgrep / pkill
On 2014-07-02 Wed 11:18 AM |, Leclerc, Sebastien wrote:
> $ pgrep -f ^tarpitd: \[priv\]
> 22014
>
> But a check or stop doesn't:
>
> $ sudo /etc/rc.d/tarpitd -d check ; echo $?
> doing rc_read_runfile
> doing rc_check
> 1

Show the output of:

$ cat /etc/rc.d/tarpitd; \
  ls -l /var/run/rc.d/tarpitd; \
  cat /var/run/rc.d/tarpitd
Re: 8 port serial card connections
On 2014-06-14 Sat 16:33 PM |, Christian Weisgerber wrote:
> On 2014-06-14, Craig R. Skinner skin...@britvault.co.uk wrote:
> > To connect a Moxa 8 port serial card with octopus cable to an i386 serial port, do I need just a DB9 (2x female) gender changer, or a null modem cable/mini adapter as well?
>
> You need a null modem cable/adapter. A gender changer is of no use.

Thanks. A bag of these ordered from ebay.co.uk @ £2ea (incl delivery) arrived today:

DB9 RS232 Serial Null Modem Adapter - F/F
http://www.startech.com/Cables/Serial-Parallel-PS-2/DB9-DB25/DB9-RS232-Serial-Null-Modem-Adapter-Female-to-Female~NM9FF

Works for me, apart from last 2, but the card isn't listed as supported.

/etc/remote:

# ...
# --
# General definitions used in :tc=XXX: capabilities below
#
direct:\
	:dc:
doshost:\
	:oe=^Z:tc=unixhost:
unixhost:\
	:pa=none:br#9600:el=^U^C^R^O^D^S^Q:ie=%$:oe=^D:
common:\
	:tc=direct:tc=unixhost:be:

# com0:
# console (from teak) as per boot.conf
console:dv=/dev/tty00:common:

# com1:
teak:dv=/dev/tty01:common:

# No. 3 Moxa card port:
oak:dv=/dev/tty04:common:
# No. 4 Moxa card port:
birch:dv=/dev/tty05:common:
# No. 5 Moxa card port:
hickory:dv=/dev/tty06:common:
# No. 6 Moxa card port:
ash:dv=/dev/tty07:common:
# No. 7 Moxa card port:
moxa07:dv=/dev/tty08:common:
# No. 8 Moxa card port:
moxa08:dv=/dev/tty09:common:

# FIXME broken/unsupported (tried tty02, tty10-30)
# tip moxa09
# /dev/tty10: Device not configured
# link down
#
# From puc(4):
# Moxa Technologies Co., Ltd. PCI I/O Card 4S (4 port serial)
# Moxa Technologies Co., Ltd. C104H/PCI (4 port serial)
# Moxa Technologies Co., Ltd. CP104/PCI (4 port serial)
#
# From dmesg:
# puc0 at pci0 dev 18 function 0 Moxa C168H rev 0x01: ports: 8 com
#
# FIXME No. 9 Moxa card port:
moxa09:dv=/dev/tty10:common:
# FIXME No. 10 Moxa card port:
moxa10:dv=/dev/tty11:common:
Re: 8 port serial card connections
On 2014-06-20 Fri 16:14 PM |, Maurice Janssen wrote: # FIXME No. 9 Moxa card port: moxa09:dv=/dev/tty10:common: # FIXME No. 10 Moxa card port: moxa10:dv=/dev/tty11:common: Try /dev/tty0a and /dev/tty0b Perfect! Here's a man page diff to sync with lines 1383-1397 of /usr/src/sys/dev/pci/pucdata.c Index: share/man/man4/puc.4 === RCS file: /cvs/src/share/man/man4/puc.4,v retrieving revision 1.47 diff -u -p -r1.47 puc.4 --- share/man/man4/puc.42 Feb 2014 19:39:55 - 1.47 +++ share/man/man4/puc.420 Jun 2014 17:00:27 - @@ -85,6 +85,7 @@ The driver currently supports the follow .It Tn Moxa Technologies Co., Ltd. PCI I/O Card 4S (4 port serial) .It Tn Moxa Technologies Co., Ltd. C104H/PCI (4 port serial) .It Tn Moxa Technologies Co., Ltd. CP104/PCI (4 port serial) +.It Tn Moxa Technologies Co., Ltd. C168H/PCI (8 port serial) .It Tn NEC PK-UG-X008 (serial) .It Tn NEC PK-UG-X001 K56flex PCI (modem) .It Tn NetMos 1P (1 port parallel)
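Review bot: the added .It line for the C168H/PCI copies the wording of the neighbouring Moxa entries, and its "(8 port serial)" count agrees with the dmesg line quoted earlier in the thread (puc0 at pci0 dev 18 function 0 Moxa C168H rev 0x01: ports: 8 com), so the hunk documents support the driver already has rather than adding any. The message cites lines 1383-1397 of pucdata.c as the source; since dmesg prints the device as plain "Moxa C168H", it would be worth confirming that the product string in that table is "C168H/PCI" and using the table's spelling here, so the man page and the driver list stay in sync.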
8 port serial card connections
To connect a Moxa 8 port serial card with octopus cable to an i386 serial port, do I need just a DB9 (2x female) gender changer, or a null modem cable/mini adapter as well?

The octopus cable ends are all male, as are the serial/comm ports.

I've standard Cisco rollover cables to connect to my Sun servers' RJ45 serial ports.

http://www.moxa.com/product/c168hpci.htm

$ dmesg | egrep '(Moxa|^com)'
puc0 at pci0 dev 18 function 0 Moxa C168H rev 0x01: ports: 8 com
com4 at puc0 port 0 irq 9: ns16550a, 16 byte fifo
com5 at puc0 port 1 irq 9: ns16550a, 16 byte fifo
com6 at puc0 port 2 irq 9: ns16550a, 16 byte fifo
com7 at puc0 port 3 irq 9: ns16550a, 16 byte fifo
com8 at puc0 port 4 irq 9: ns16550a, 16 byte fifo
com9 at puc0 port 5 irq 9: ns16550a, 16 byte fifo
com10 at puc0 port 6 irq 9: ns16550a, 16 byte fifo
com11 at puc0 port 7 irq 9: ns16550a, 16 byte fifo
com12 at puc1 port 0 irq 5: ns16550a, 16 byte fifo
com12: probed fifo depth: 0 bytes
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
Re: sudo -u environment help
FYI;-

The sudo users mailing list quickly said the 3 issues I identified are known bugs, which have been fixed in newer sudo versions.

http://www.sudo.ws/sudo/stable.html
The current stable release of sudo is 1.8.10p3

$ sudo -V
Sudo version 1.7.2p8
$ uname -a
OpenBSD teak.britvault.co.uk 5.4 GENERIC#37 i386

http://thread.gmane.org/gmane.comp.tools.sudo.user/4367
http://thread.gmane.org/gmane.os.openbsd.misc/211823/

Bug 387 refers to MAIL being fixed in 1.7.4:
http://www.sudo.ws/bugs/show_bug.cgi?id=387

Bug 527 (FreeBSD sudo -i doesn't use variables from /etc/login.conf) seems to be similar:
http://www.sudo.ws/bugs/show_bug.cgi?id=527
which is logged as Fixed in sudo 1.8.4

Maybe that fix also covers the login.conf path & umask issues:

http://www.sudo.ws/sudo/stable.html#1.8.4
> On systems that use login.conf, sudo -i now sets environment variables based on login.conf.

http://www.sudo.ws/sudo/stable.html#1.8.5
> The initial environment created when env_reset is in effect now includes the contents of /etc/environment on AIX systems and the setenv and path entries from /etc/login.conf on BSD systems.
Re: alias's - ksh
On 2014-04-21 Mon 14:22 PM |, Martin Brandenburg wrote:
> # tset on interactive login shells.
> case $- in
> *i*)
> 	eval `tset -sQ '-munknown:?vt220' $TERM`
> 	;;
> esac

# /etc/profile:
[[ -o interactive ]] && {
	[[ ${SHELL} == '/bin/ksh' ]] && . /etc/ksh.kshrc
	[[ ${SHELL} == '/bin/rksh' ]] && . /etc/ksh.kshrc 2>/dev/null
	[[ -x /usr/bin/tset ]] && {
		[[ -n ${XTERM_VERSION} ]] && I='I'
		eval $(/usr/bin/tset -${I}sQ '-munknown:?vt220' $TERM)
	}
}

Then ~/. shell dot files aren't needed as ksh(1):

     -l      the shell reads and executes the contents of /etc/profile and $HOME/.profile if they exist and are readable.

FILES
     ~/.profile       User's login profile.
     /etc/ksh.kshrc   Global configuration file. Not sourced by default.
     /etc/profile     System login profile.

login(1) sets $LOGNAME, $USER, $SHELL, $TERM, $HOME & $MAIL, also umask & $PATH are set in login.conf(5), which applies to ALL shells.

Usually http://thread.gmane.org/gmane.os.openbsd.misc/211823/
Re: NFS server export node
On 2014-04-21 Mon 21:39 PM |, Alessandro DE LAURENZIS wrote:
> Folks,
>
> still unclear after reading the hier man page where is the most suitable node for a NFS server export directory.
>
> I would like to stay as close as possible to the BSD tradition, so I would put data for or from services inside /var, but it seems that no predefined standard node is present there.
>
> Some alternatives:
>
> - /var{,/srv}/nfs
> - /var/share{,/nfs}
> - /share{,/nfs}
> - I don't think /usr/share is an option, right?
> - /home{,/share}/nfs (even if no nfs user exists?)
>
> Any hints?

Sun Microsystems exported user home directories from /home/export/$USER and mounted on /home

Application exports varied wildly. Most were mounted on /net/[country code]/[dept...]/[project]/...

Yes, there was a global WAN, spanning from New Zealand to Scotland.
Re: ghostscript 9.06 in OpenBSD AGPL or GNU GPL version?
On 2014-04-17 Thu 17:12 PM |, Chris Cappuccio wrote:
> noah pugsley [noah.pugs...@gmail.com] wrote:
> > You know Chris, if you grew a beard..nmedia.net/bsdsexy? wopsexy?
> > Maybe a sexy developer calendar can help with the donations...
>
> Perhaps a swimsuit calendar? I'll volunteer for the cover!

Done in sunny Scotland:
http://tinyurl.com/npdpp4f
Re: sudo -u environment help
Would this be better asked on tech@?

On 2014-04-08 Tue 09:26 AM |, Craig R. Skinner wrote:
> To clarify, there are no ~/. shell dot files.
>
> $PATH & umask are set in /etc/login.conf
> $MAIL is the default set by login(1)
>
> /etc/profile sources /etc/ksh.kshrc, which just sets $PS1, window decor & some aliases, nothing major.
>
> This arrangement works fine when logging in directly, or via sudo su -l user
>
> From my reading of sudo(8), I thought the same environment could be gained with something like sudo -H -i -u username.
>
> Am I missing sudo flags or settings in /etc/sudoers?
>
> On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote:
> > Hi,
> >
> > When sudo'ing to another user, how can I obtain all of their environment settings as they receive when logging in themselves?
> >
> > When I use sudo in this manner, settings such as $PATH, $MAIL & umask aren't being honoured:
> >
> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> > craig
> > /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> > /var/mail/craig
> > 027
> >
> > Here, $PATH, $MAIL & umask are unchanged:
> >
> > $ sudo -H -i -u david
> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> > david
> > /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> > /var/mail/craig
> > 027
> >
> > Compare the difference when logging in as that user:
> >
> > $ login david
> > ...
> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> > david
> > /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
> > /var/mail/david
> > 022
> >
> > /etc/login.conf:
> >
> > default:\
> > 	:passwordcheck=/usr/local/bin/pwqcheck -1:\
> > 	:passwordtries=0:\
> > 	:path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
> > 	:umask=022:\
> > 	:datasize-cur=
> >
> > staff:\
> > 	:path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
> > 	:umask=027:\
> > 	:datasize-cur=
> >
> > $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
> > Defaults env_keep +=DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE
> > Defaults env_keep +=MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE
> > Defaults env_keep +=PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR
> > Defaults env_keep +=RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL
> > Defaults env_keep +=WRKOBJDIR
> > Defaults always_set_home, ignore_dot, use_loginclass
> >
> > login(1):
> >
> >      login enters information into the environment (see environ(7)) specifying the user's home directory (HOME), command interpreter (SHELL), search path (PATH), terminal type (TERM), and user name (both LOGNAME and USER).
> >
> > ENVIRONMENT
> >      login sets the following environment variables:
> >      HOME
> >      MAIL
> >
> > sudo(8):
> >
> >    Command Environment
> >      ..
> >      On BSD systems, if the use_loginclass option is enabled, the environment is initialized based on the path and setenv settings in /etc/login.conf.
> >
> >      The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options. This is effectively a whitelist for environment variables.
> >
> > How can I become another user - without knowing their password, and gain their 'natural' environment? e.g. from wheel group to a users group member.
> >
> > 'su -l username' & 'login username' require their password.
> >
> > I thought 'sudo -H -i -u username' would do it.
> >
> > Any suggestions on what else I need to configure?
Re: PF for a VPS
On 2014-04-11 Fri 09:10 AM |, Sinosuke Noara wrote:
> 1) This is the host (physical machine)
> http://www.hetzner.de/hosting/produkte_rootserver/ex40

Have you seen this:
http://www.bsws.de/en/root-server/
Re: OpenBSD users web page updates
ping (http://thread.gmane.org/gmane.os.openbsd.misc/211666)

On 2014-03-31 Mon 14:59 PM |, Brad Smith wrote:
> On 31/03/14 1:34 PM, Craig R. Skinner wrote:
> > A few updates for the page:
> > http://www.OpenBSD.org/users.html#isp
> >
> > * Fix broken Swebase link.
> > * Add Devio.us
> > * Add Grex
> > * Add Polar Home
>
> It looks like Reverse.Net should be removed. Their website makes it pretty clear they don't run OpenBSD anymore.
>
> IMO the same thing should be done for any other entries where it is known or can be determined that a particular listed user isn't using OpenBSD anymore.
Re: sudo -u environment help
To clarify, there are no ~/. shell dot files.

$PATH & umask are set in /etc/login.conf
$MAIL is the default set by login(1)

/etc/profile sources /etc/ksh.kshrc, which just sets $PS1, window decor & some aliases, nothing major.

This arrangement works fine when logging in directly, or via sudo su -l user

From my reading of sudo(8), I thought the same environment could be gained with something like sudo -H -i -u username.

Am I missing sudo flags or settings in /etc/sudoers?

On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote:
> Hi,
>
> When sudo'ing to another user, how can I obtain all of their environment settings as they receive when logging in themselves?
>
> When I use sudo in this manner, settings such as $PATH, $MAIL & umask aren't being honoured:
>
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> craig
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> /var/mail/craig
> 027
>
> Here, $PATH, $MAIL & umask are unchanged:
>
> $ sudo -H -i -u david
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> /var/mail/craig
> 027
>
> Compare the difference when logging in as that user:
>
> $ login david
> ...
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
> /var/mail/david
> 022
>
> /etc/login.conf:
>
> default:\
> 	:passwordcheck=/usr/local/bin/pwqcheck -1:\
> 	:passwordtries=0:\
> 	:path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
> 	:umask=022:\
> 	:datasize-cur=
>
> staff:\
> 	:path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
> 	:umask=027:\
> 	:datasize-cur=
>
> $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
> Defaults env_keep +=DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE
> Defaults env_keep +=MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE
> Defaults env_keep +=PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR
> Defaults env_keep +=RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL
> Defaults env_keep +=WRKOBJDIR
> Defaults always_set_home, ignore_dot, use_loginclass
>
> login(1):
>
>      login enters information into the environment (see environ(7)) specifying the user's home directory (HOME), command interpreter (SHELL), search path (PATH), terminal type (TERM), and user name (both LOGNAME and USER).
>
> ENVIRONMENT
>      login sets the following environment variables:
>      HOME
>      MAIL
>
> sudo(8):
>
>    Command Environment
>      ..
>      On BSD systems, if the use_loginclass option is enabled, the environment is initialized based on the path and setenv settings in /etc/login.conf.
>
>      The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options. This is effectively a whitelist for environment variables.
>
> How can I become another user - without knowing their password, and gain their 'natural' environment? e.g. from wheel group to a users group member.
>
> 'su -l username' & 'login username' require their password.
>
> I thought 'sudo -H -i -u username' would do it.
>
> Any suggestions on what else I need to configure?
Re: sudo -u environment help
On 2014-04-08 Tue 07:17 AM |, Andres Perera wrote: You do that with `sudo -c - -l`: $ sudo -c - -i 'ulimit -a; env' eb $ diff -u ea e --- ea Tue Apr 8 07:13:11 2014 +++ eb Tue Apr 8 07:14:22 2014 @@ -1,29 +1,24 @@ -LOGNAME=a +LOGNAME=root Also see `use_loginclass` in sudoers(5). Unfortunately Andres, that doesn't work here for non-root: $ userinfo $LOGNAME | fgrep class class staff ^ $ echo $LOGNAME; echo $PATH; echo $MAIL; umask craig /usr/bin:/bin:/usr/sbin:.../usr/site/bin:/usr/site/sbin:/home/craig/bin /var/mail/craig 027 $ userinfo david | fgrep class class $ sudo -c - -i -u david $ userinfo $LOGNAME | fgrep class class ^ $ echo $LOGNAME; echo $PATH; echo $MAIL; umask david /usr/bin:/bin:/usr/sbin:.../usr/site/bin:/usr/site/sbin:/home/craig/bin ^ /var/mail/craig ^ 027 ^ $ exit $ fgrep use_loginclass /etc/sudoers Defaults always_set_home, ignore_dot, use_loginclass $ login david Password: $ echo $LOGNAME; echo $PATH; echo $MAIL; umask david /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin ^ /var/mail/david ^ 022 ^ $ /usr/sbin/userinfo $LOGNAME | fgrep class class ^ /etc/login.conf: ... ... default:\ :path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\ :umask=022:\ :datasize staff:\ :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\ :umask=027:\ :ignorenologin:\ :datasize... $ sudo -c default -i -u david sudo: only root can use -c default From what I'm seeing, sudo -iu username isn't setting $PATH, $MAIL umask, as set by login/su -l, rather than shell dotfiles.
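Review bot: the hunk header @@ -1,29 +1,24 @@ says one environment dump had 29 lines and the other 24, yet only the LOGNAME pair (-LOGNAME=a / +LOGNAME=root) is shown, so the variables this thread is actually about (PATH and MAIL) are cut out of the evidence; quoting the full diff, or at least the PATH and MAIL lines, would show whether `sudo -c - -i` changed them. The demonstration also targets root, while the follow-up in the same message runs `sudo -c - -i -u david` against a non-root user and finds PATH and MAIL still inherited from the caller, so the root case alone does not settle the question.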
Re: sudo -u environment help
On 2014-04-04 Fri 12:01 PM |, Todd wrote:
> I think this should work
>
> sudo su - user

Yes, going via root works.

How do I get the same user environment with something like:

sudo -H -i -u username

See below:

> When I use sudo in this manner, settings such as $PATH, $MAIL & umask aren't being honoured:
>
> $ sudo -H -i -u david
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/sbin:/s./bin:/usr/site/sbin:/home/craig/bin   ^
> /var/mail/craig   ^
> 027   not: 022
>
> sudo(8):
>
>    Command Environment
>      By default, the env_reset option is enabled.
>      .
>      ...
>      On BSD systems, if the use_loginclass option is enabled, the environment is initialized based on the path and setenv settings in /etc/login.conf. The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
>
> $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
> .
> Defaults always_set_home, ignore_dot, use_loginclass

HOME, SHELL, LOGNAME, USER, USERNAME are being set. PATH & MAIL are not.

I don't understand why sudo su -l username cleanly logs into the user's environment, but sudo -i -u username ignores PATH, MAIL & umask

Is it necessary to go through root? e.g:

sudo vi /etc/pf.conf
-vs-
sudoedit /etc/pf.conf
sudo -u environment help
Hi,

When sudo'ing to another user, how can I obtain all of their environment settings as they receive when logging in themselves?

When I use sudo in this manner, settings such as $PATH, $MAIL & umask aren't being honoured:

$ echo $LOGNAME; echo $PATH; echo $MAIL; umask
craig
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
/var/mail/craig
027

Here, $PATH, $MAIL & umask are unchanged:

$ sudo -H -i -u david
$ echo $LOGNAME; echo $PATH; echo $MAIL; umask
david
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
/var/mail/craig
027

Compare the difference when logging in as that user:

$ login david
...
$ echo $LOGNAME; echo $PATH; echo $MAIL; umask
david
/usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
/var/mail/david
022

/etc/login.conf:

default:\
	:passwordcheck=/usr/local/bin/pwqcheck -1:\
	:passwordtries=0:\
	:path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
	:umask=022:\
	:datasize-cur=

staff:\
	:path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
	:umask=027:\
	:datasize-cur=

$ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
Defaults env_keep +=DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE
Defaults env_keep +=MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE
Defaults env_keep +=PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR
Defaults env_keep +=RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL
Defaults env_keep +=WRKOBJDIR
Defaults always_set_home, ignore_dot, use_loginclass

login(1):

     login enters information into the environment (see environ(7)) specifying the user's home directory (HOME), command interpreter (SHELL), search path (PATH), terminal type (TERM), and user name (both LOGNAME and USER).

ENVIRONMENT
     login sets the following environment variables:
     HOME
     MAIL

sudo(8):

   Command Environment
     ..
     On BSD systems, if the use_loginclass option is enabled, the environment is initialized based on the path and setenv settings in /etc/login.conf.

     The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options. This is effectively a whitelist for environment variables.

How can I become another user - without knowing their password, and gain their 'natural' environment? e.g. from wheel group to a users group member.

'su -l username' & 'login username' require their password.

I thought 'sudo -H -i -u username' would do it.

Any suggestions on what else I need to configure?
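The login.conf records quoted above are in the same capability-database format as /etc/remote: `:\` continuation lines, `cap=value`, `cap#number` and bare boolean fields, and `tc=` chaining to another record. As an added illustration (not code from this thread, nor OpenBSD's getcap(3) library), here is a small Python parser for that format that resolves a class the way a login-class aware program would and reproduces the two PATH/umask pairs shown above. The sample records are copied from the thread with the elided datasize-cur values dropped; the `tc=default` line in the staff class is added to show chaining and is not in the quoted file.

```python
"""Minimal parser for termcap/login.conf-style capability files.

Added example, not code from the thread or from OpenBSD's getcap(3):
it models how a login-class aware program reads a class from
/etc/login.conf (and how /etc/remote resolves its 'common' entry), so
the 'default' and 'staff' classes quoted in the thread can be compared
without a BSD box to hand.
"""

# Constructed sample: the login.conf excerpt from the thread, with the
# elided datasize-cur value dropped and a tc=default line added to the
# staff class to show tc= chaining (the quoted file has no tc= line).
SAMPLE_LOGIN_CONF = r"""
# Lines starting with '#' and blank lines are ignored.
default:\
	:passwordcheck=/usr/local/bin/pwqcheck -1:\
	:passwordtries=0:\
	:path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
	:umask=022:

staff:\
	:path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
	:umask=027:\
	:ignorenologin:\
	:tc=default:
"""


def parse_capfile(text):
    """Return {name: {cap: value}}.  String caps come from 'cap=value',
    numeric caps from 'cap#number', and bare caps are stored as True."""
    records = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.endswith('\\'):           # continuation: record goes on
            pending.append(line[:-1])
            continue
        pending.append(line)
        _add_record(records, ''.join(pending))
        pending = []
    if pending:                           # file ended mid-record
        _add_record(records, ''.join(pending))
    return records


def _add_record(records, joined):
    fields = [f for f in joined.split(':') if f]
    caps = {}
    for field in fields[1:]:
        if '=' in field:
            key, value = field.split('=', 1)
            caps[key] = value
        elif '#' in field:
            key, value = field.split('#', 1)
            caps[key] = int(value)
        else:
            caps[field] = True
    for name in fields[0].split('|'):     # 'name|alias|...' header
        records[name] = dict(caps)


def resolve(records, name, _seen=None):
    """Expand tc= chains.  A record's own caps override the ones it
    inherits; a cycle raises instead of looping forever."""
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError('tc= loop at %r' % name)
    seen.add(name)
    own = dict(records[name])
    parent = own.pop('tc', None)
    if parent is None:
        return own
    merged = resolve(records, parent, seen)
    merged.update(own)
    return merged


def login_env(records, classname, home):
    """PATH and umask a login-class aware program would give a session.
    An empty class falls back to 'default'; login.conf lists path
    entries space-separated and '~' stands for the user's home."""
    caps = resolve(records, classname or 'default')
    dirs = [home + d[1:] if d.startswith('~') else d
            for d in caps['path'].split()]
    return {'PATH': ':'.join(dirs), 'umask': caps['umask']}


if __name__ == '__main__':
    recs = parse_capfile(SAMPLE_LOGIN_CONF)
    for cls, home in (('staff', '/home/craig'), ('', '/home/david')):
        print(cls or 'default', login_env(recs, cls, home))
```

Running it prints the staff class with the eight-directory PATH and umask 027, and the default class with the four-directory PATH and umask 022, i.e. exactly the two pairs `login david` and the staff login above produced; whichever of the two a `sudo -i -u` session shows tells you which class (if any) was applied.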
Re: upgrades no longer allow ftp for sets
On 2014-03-29 Sat 19:26 PM |, Ted Unangst wrote:
> > Eventually, will base ftpd be removed?
>
> The program (some might say pogrom) to delete old shit doesn't really need any more suggestions at this time.

I'm happily using it & was wondering if I should plan to stop doing so.
OpenBSD users web page updates
A few updates for the page: http://www.OpenBSD.org/users.html#isp * Fix broken Swebase link. * Add Devio.us * Add Grex * Add Polar Home Index: www/users.html === RCS file: /cvs/www/users.html,v retrieving revision 1.132 diff -u -p -r1.132 users.html --- www/users.html 11 Mar 2014 07:02:08 - 1.132 +++ www/users.html 31 Mar 2014 17:25:43 - @@ -498,6 +498,13 @@ Server, Primary and Secondary DNS, and R OpenBSD/sparc and our shell server and several co-located servers are running OpenBSD/i386.p +lia href=http://www.Devio.us;Devio.us/abr +SSH shell account hoster. Users have access to all standard software - +compilers, IRC clients, mail clients, screen, MySQL and so forth. +Users can host a secure personal website and +remotely access their mail securely. +p + lia href=http://www.reverse.net/;Reverse.Net (former Elixor Networks)/abr Reverse.Net uses OpenBSD on AMD hardware to provide shell accounts, website hosting, and domain name hosting. @@ -520,6 +527,13 @@ Globalwire Communications is using Open Service (SMS) gateway and database servers. p +lia href=http://www.grex.org/;Grex/abr +A public access Unix and computer conferencing system, with email, +shell accounts and more. Based in Michigan, USA since 1991, supported by users, +and is run entirely by volunteers on +a href=http://www.grex.org/staff/system.xhtml;OpenBSD/a. +p + lia href=http://www.hobbiton.org/;Hobbiton.org/abr This ISP used OpenBSD to run their free shell server for many years (it was shut down in November, 2001 due to rising costs of running 
@@ -583,6 +597,13 @@ Phoenix Communications is an ISP in Dall for firewalls and other infrastructure. p +lia href=http://www.polarhome.com/;Polar Home/abr +A Swedish shell account provider since 1999 of many operating systems, +including a href=http://openbsd.polarhome.com/;OpenBSD/a. +User services include SSH, CVS, FTP, web, email, SQL, IRC, and others. +Seven on/offline payment methods. +p + lia href=http://www.poppe.com;Poppe Tyson Europe/a is using OpenBSD as a primary DNS, mailserver for 100+ mailboxes, and as their Website Development server for over 50 @@ -609,7 +630,7 @@ and also provides an anonymous CVS repos (CVSROOT=anon...@openbsd.groupbsd.org:/cvs), all thanks to 47GB of disk space and a dedicated T1 connection.p -lia href=http://start.swebase.com/?sida=maskiner;Swebase Network/abr +lia href=http://www.swebase.com/;Swebase Network/abr This ISP in Sweden uses OpenBSD for Web, DNS and mail servers. p
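Review bot: in the Devio.us hunk (@@ -498,6 +498,13 @@) the href http://www.Devio.us uses a mixed-case hostname and has no trailing slash, while every other URL in this patch (http://www.reverse.net/, http://www.grex.org/, http://www.polarhome.com/, http://www.swebase.com/) is lowercase with a trailing slash; make it http://www.devio.us/ for consistency. The description is also longer and more promotional than its neighbours ("all standard software - compilers, IRC clients, mail clients, screen, MySQL and so forth"); trimming it to what the provider runs on OpenBSD would match the register of the surrounding entries.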
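Review bot: in the Grex hunk (@@ -520,6 +527,13 @@) the second sentence lacks a subject: "Based in Michigan, USA since 1991, supported by users, and is run entirely by volunteers on OpenBSD" is a fragment; suggest "It has been based in Michigan, USA since 1991, is supported by its users, and is run entirely by volunteers on OpenBSD." The OpenBSD claim is anchored to http://www.grex.org/staff/system.xhtml, so that page is the one to check before committing that it actually states the operating system.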
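Review bot: in the Polar Home hunk (@@ -583,6 +597,13 @@) "A Swedish shell account provider since 1999 of many operating systems" is awkwardly ordered, with "since 1999" splitting "provider of"; suggest "A Swedish provider, since 1999, of shell accounts on many operating systems, including OpenBSD." The closing fragment "Seven on/offline payment methods." is advertising rather than information about OpenBSD use and should be dropped; none of the neighbouring entries visible in the patch list payment options.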
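Review bot: the Swebase hunk (@@ -609,7 +630,7 @@) replaces the dead http://start.swebase.com/?sida=maskiner link with the site root http://www.swebase.com/; the old URL pointed at a machines page that presumably backed the unchanged "uses OpenBSD for Web, DNS and mail servers" sentence, and a root page may not. Given the reply in this thread that entries should be removed once a listed user can be shown to no longer run OpenBSD, it is worth confirming the new page still says so before committing, and linking the specific page if one exists.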
Re: upgrades no longer allow ftp for sets
On 2014-03-26 Wed 16:06 PM |, Craig R. Skinner wrote:
> On 2014-03-25 Tue 18:34 PM |, Theo de Raadt wrote:
> > The 5.5 release will support FTP releases, but after that we are disabling FTP and thus pushing people to use HTTP installs.
> >
> > In this day and age, it is somewhat irresponsible for us to put people into a situation where they might install new FTP servers on the internet. We've known it is a dangerous protocol for over 20 years.
> >
> > Use a HTTP server to serve the sets, please.
>
> Would these pages summarise it?
>
> http://cr.yp.to/ftp/security.html
> http://tools.ietf.org/html/rfc2577
> http://en.wikipedia.org/wiki/File_Transfer_Protocol#Security
> http://daniel.haxx.se/docs/ftp-vs-http.html

Eventually, will base ftpd be removed? e.g: telnetd, rshd, uucpd, rmail,...
Re: upgrades no longer allow ftp for sets
On 2014-03-29 Sat 02:10 AM |, Eric Oyen wrote:
> .
> On 2014-03-26 Wed 16:06 PM |, Craig R. Skinner wrote:
> > Eventually, will base ftpd be removed?

*BASE*
Re: In OpenBSD how to upgrade individual system files like (grep, rcs, rlog ) to latest version?
On 2014-03-27 Thu 14:12 PM |, jignesh desai wrote:
> I am attempting to run foswiki on OpenBSD. Things are installed and I am able to open the /bin/Configure page of the foswiki configuration screen, but the page reports a few errors, complaining that the following files are either not found or outdated and new versions are required.
>
> The files are: grep, rcs, ci,

The webserver runs chrooted:
http://www.openbsd.org/faq/faq10.html#httpdchroot
Re: In OpenBSD how to upgrade individual system files like (grep, rcs, rlog ) to latest version?
On 2014-03-27 Thu 19:47 PM |, jignesh desai wrote:
> ? Any advice what to type in pkg_add .. ???
> ? command to install GNU stuff ?

There are other wikis already ported & come with specific instructions on how to use them on OpenBSD.

If you have the ports tree installed, do this:

$ cd /usr/ports
$ make search key=wiki
...
www/dokuwiki
www/mediawiki
www/moinmoin
www/pmwiki
www/trac
www/twiki
...

See:
http://www.openbsd.org/faq/faq15.html#PkgFind
http://www.openbsd.org/faq/faq15.html#PortsSearch
Re: upgrades no longer allow ftp for sets
On 2014-03-25 Tue 18:34 PM |, Theo de Raadt wrote:
> The 5.5 release will support FTP releases, but after that we are disabling FTP and thus pushing people to use HTTP installs.
>
> In this day and age, it is somewhat irresponsible for us to put people into a situation where they might install new FTP servers on the internet. We've known it is a dangerous protocol for over 20 years.
>
> Use a HTTP server to serve the sets, please.

Would these pages summarise it?

http://cr.yp.to/ftp/security.html
http://tools.ietf.org/html/rfc2577
http://en.wikipedia.org/wiki/File_Transfer_Protocol#Security
http://daniel.haxx.se/docs/ftp-vs-http.html
Re: FOSS Open Hardware Documentation
What was the long term fall out of this? Sell out to Oracle, etc.

On 2007-08-28 Tue 10:43 AM |, Theo de Raadt wrote:
> > On Tue, Aug 28, 2007 at 04:08:02PM +0100, Edd Barrett wrote:
> > > On 28/08/07, Craig Skinner - Sun Microsystems - Linlithgow - Scotland
> > > > Yay! Action at last.
> > >
> > > Wow! This is great news.
> >
> > Better late than never, but damn is it late.
>
> Indeed, that is the correct sentiment regarding Sun's action here.
>
> The facts of the industry are simply this: Approximately 95% of machine parts are documented (whether they are documented well or not is a totally separate question).
>
> Starting roughly around 1990, Sun put themselves on the path of supplying only the absolute minimum documentation for their machine parts. Meanwhile, the PC really took off, and all the documentation for PC parts has always been out there (minus a few special cases that we have had to fight for). DEC released pretty much all the documentation for the Alpha right from the start, and later a few people pressured HP to release pretty much all the HPPA documentation. That left the largest straggler in the industry: Sun.
>
> And the case is that Sun has always had the documentation in-house; because of solid engineering principles in-house they document everything, perhaps because their hardware and software groups are separated so much.
>
> Apple also has done a poor job of documenting their hardware, but looking at the quality of their hardware (with entirely pointless divergences between models that come out 3 months apart) we can guess that maybe we don't want to see them.
>
> Finally, there are a few American chip makers that resist the status quo, like Marvell and (to a lesser degree) Broadcom. Even Intel tries to play the open game now. Then there are a handful of (increasingly irrelevant) American wireless chipset manufacturers. But in general there are fewer and fewer closed vendors.
>
> But Sun had no excuse for this behaviour in 1990, and it is incredible that only now they will try to redeem it.
>
> So I don't say bravo, but I say about time. They don't get any points from me, because they are so late.
>
> I give the most credit to Craig Skinner who started the conversation at Sun with us (he found the right place to push Sun -- right at the top), and David Gwynne for continuing the soft pressure through the last couple of months.
>
> My biggest hope is that Sun's cleanup process does not delete too much information from the pages... like descriptions of hardware bugs and the workarounds needed for best effort operation. Because we already know that some revisions of Sun hardware have brutally bad bugs that ... even sometimes cannot be worked around.
Re: ffs2
On 2014-03-17 Mon 21:19 PM |, Adam Thompson wrote:
> OK, obviously I missed something. How do you resize ffs filesystems without a dump/restore step?

http://thread.gmane.org/gmane.os.openbsd.misc/207756
Re: OpenBSD email provider
On 2014-03-17 Mon 20:25 PM |, Jean-Francois Simon wrote:
> Just to mention, I'm looking for a more private ESP. As I know that OpenBSD conveys an idea of security, I tend to trust a provider relying on this OS.

If you want to read documentation, become your own mail provider using OpenBSD.

> I have tried some time ago third solution, however I think since I have a local dynamic IP, I got soon identified as spam mail server and mails wouldn't reach their destination.

Find an ISP that will provision a static IP address & do it yourself. Ask around at your local BSD/Linux user groups.

Until then;

Outbound: ask your ISP for their relay host detail. Normally it is mail.isp.net or smtp.isp.net. Usually there is no authentication required as they only allow connections from the (dynamic) IP addresses they provide to their customers.

Inbound: Ask your ISP about an ETRN feed, which used to be popular for businesses connected by dialup/ISDN. If they charge extra for it, ask about the cost of a static IP connection & compare.

For off site mail, a search for OpenBSD shell hosting providers came up with these, some of which are used by people on this list:

http://www.devio.us/help#10
http://www.grex.org/staff/system.xhtml
http://openbsd.polarhome.com/
Re: Security
On 2014-01-10 Fri 21:12 PM |, Jan Stary wrote: 2 references to hinet (chinese) What references? What's hinet and how do you know it is chinese? intenting to send spam (relay). How do you know that hinet (whatever it is) was intenting to send or relay spam? Hosts in hinet have been relentlessly attacking my mail web servers for over 8 years. I feed them rubbish to play with, and they're still at it this week, in spamd's log: copatriot-jun-2...@kepax.co.uk copatron-jun-2...@kepax.co.uk copatroness-jun-2...@kepax.co.uk cope-jun-2...@kepax.co.uk copehan-jun-2...@kepax.co.uk copei-jun-2...@kepax.co.uk copelata-jun-2...@kepax.co.uk copelatae-jun-2...@kepax.co.uk copelate-jun-2...@kepax.co.uk copellidine-jun-2...@kepax.co.uk copeman-jun-2...@kepax.co.uk copemate-jun-2...@kepax.co.uk copen-jun-2...@kepax.co.uk Looking at some of the IP addresses: $ host 1.34.176.248 248.176.34.1.in-addr.arpa domain name pointer 1-34-176-248.HINET-IP.hinet.net. $ whois 1.34.176.248 ... ... netnum:1.34.0.0 - 1.34.255.255 netname:HINET-NET descr: Taipei Taiwan country:TW ... Since late last year, I've noticed an increase in cgi/php probes. I don't use scripting/CGI dynamic stuff - static html only in chroot. HINET is one of the top offenders: $ for ip in $(awk '/POST \/cgi-bin\/php/ { print $1 }' /var/www/logs/access_log | sort -u); do host $ip | fgrep -i hinet print $ip; done 248.176.34.1.in-addr.arpa domain name pointer 1-34-176-248.HINET-IP.hinet.net. 1.34.176.248 127.59.127.59.in-addr.arpa domain name pointer 59-127-59-127.HINET-IP.hinet.net. 59.127.59.127 ... 
They've even infected iPads as probing droids:

$ fgrep 1.34.176.248 /var/www/logs/access_log
1.34.176.248 - - [20/Dec/2013:07:55:54 +] POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1 404 221 teak.britvault.co.uk - Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25

Decoding it (http://meyerweb.com/eric/tools/dencoder/) shows this:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions= -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

Which is another known PHP exploit:

> ...continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI
> ...the attacker is attempting to use various command-line web clients (wget/curl/fetch/lwp-get, etc...) to download the mc.pl script on the remote attacker's site.
http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apache-magikac.html

I'm no web guru, so I use HTTP (Hypertext Transfer Protocol) just for what it was designed to do: let users transfer/GET static files.

Get safe, get static.
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
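The decoded query string above is the whole signal a defender needs: php-cgi option flags (-d, -n) arriving inside a URL. What follows is an added example, not code from the post or from the SpiderLabs article: it parses access_log lines in the common log format, decodes the query the way php-cgi would have seen it under CVE-2012-1823 (percent-decoding, then '+' as the argument separator) and flags probes. The log lines, the user agents and the shortened probe string are constructed for this example; the regex and the indicator list are this example's own assumptions, not part of any tool mentioned in the thread.

```python
import re
from urllib.parse import unquote

# Common log format, only the fields this check needs (constructed regex;
# assumes the request line is double-quoted as in the stock format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# php.ini overrides that CVE-2012-1823 probes inject as php-cgi "-d" options.
# Two or more of these in one query string is a strong signal on their own.
PHP_CGI_INDICATORS = (
    "allow_url_include=on",
    "auto_prepend_file=php://input",
    "safe_mode=off",
    "open_basedir=none",
    "cgi.force_redirect=0",
)


def decode_query(target):
    """Split a request target into path and the query as php-cgi saw it.

    A query string with no '=' is split on '+' into argv by php-cgi, so after
    percent-decoding the '+' separators are rendered as spaces.
    """
    path, _, query = target.partition("?")
    return path, unquote(query).replace("+", " ")


def is_php_cgi_probe(decoded_query):
    """True when the decoded query looks like injected php-cgi options."""
    if not decoded_query.startswith("-"):
        return False
    args = decoded_query.split()
    hits = sum(1 for ind in PHP_CGI_INDICATORS if ind in decoded_query)
    # -n makes php-cgi ignore php.ini; together with -d overrides it is the giveaway.
    return hits >= 2 or ("-n" in args and "-d" in args)


def scan_access_log(lines):
    """Return one dict per probe: source IP, path, decoded options, status."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path, decoded = decode_query(m.group("target"))
        if is_php_cgi_probe(decoded):
            found.append({"ip": m.group("ip"), "path": path,
                          "opts": decoded, "status": int(m.group("status"))})
    return found


# Shortened form of the probe quoted in the post (constructed for the example):
# decodes to "-d allow_url_include=on -d auto_prepend_file=php://input -n".
PROBE = ("%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
         "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70"
         "%3A%2F%2F%69%6E%70%75%74+%2D%6E")

# Constructed access_log sample: two probes, two ordinary requests.
SAMPLE_LOG = [
    '1.34.176.248 - - [20/Dec/2013:07:55:54 +0000] "POST /cgi-bin/php.cgi?'
    + PROBE + ' HTTP/1.1" 404 221 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X)"',
    '192.0.2.10 - - [20/Dec/2013:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [20/Dec/2013:08:00:02 +0000] "GET /search.html?q=-d+foo HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '59.127.59.127 - - [20/Dec/2013:08:03:19 +0000] "POST /cgi-bin/php5?'
    '%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%6E HTTP/1.1" 404 221 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("%(ip)s %(status)d %(path)s %(opts)s" % hit)
```

The decode step matters more than the regex: the page's awk one-liner keys on the path /cgi-bin/php, whereas this check keys on what php-cgi would have parsed, so a probe against any other CGI path with the same option injection is still caught, and a benign query that merely contains "-d" is not.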
Re: Security
On 2014-01-09 Thu 22:36 PM |, agrquinonez wrote:
> This time, i installed DokuWiki, and

Running dynamic web content (wikis, etc.) on the public Internet is a massive risk. I've seen multi-national companies' websites fail penetration testing, and they employ teams of skilled developers..

On another box/laptop, try exporting STATIC .html pages from your wiki and copying them to a chrooted .html only public web server.

Personally, I use Perl's Template Toolkit to generate static pages.
http://www.template-toolkit.org/
It's in ports as textproc/p5-Template

When 'ttree' is run from the command line, it can do many fancy things, such as getting info from cvs/database - to generate static pages.

> Ideas are going to be really appreciated, because i am not a technical guy.

Some men are excellent teachers to help improve anyone's skills:
'Absolute OpenBSD' by Michael Lucas.
'Secure Architectures with OpenBSD' by Brandon Palmer, Jose Nazario.
http://www.openbsd.org/books.html

Live and learn. There's a popular saying in New Zealand: He who has made no mistakes, has made fuck all (nothing).

Cheers,
--
Craig Skinner | http://web.hope-church-falkirk.org.uk/
Re: Security
On 2014-01-10 Fri 07:44 AM |, Nick Holland wrote:
> On 01/10/14 01:36, agrquinonez wrote:
> ... [compromised box] ...
>> Ideas are going to be really appreciated, because i am not a technical guy.
>
> ok, this is the unpopular answer, but here it is anyway:
> Stop. You should not be running your own web and mail server.
>
> Years ago, I used to say that I could make a good case that anyone running a mail server or DNS server should require a license, for much the same reason as one should have a driver's license to drive on public roads: to indicate you have some minimum level of skill so you don't hurt others on the road. (NOT that I would in any way welcome more government involvement in the Internet).

http://bsdcertification.org/ ??
Re: popa3d removed from base - what do people recommend?
On 2014-01-04 Sat 21:04 PM |, John Smith wrote:
> What would people recommend for a simple replacement for SSL pop3?

I use dovecot for IMAP only (no POP). It can do SSL and authenticate against the /etc password arrangement.

Cheers,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Running security(8): Root sh startup files do not set the umask.
On 2013-12-17 Tue 11:25 AM |, Craig R. Skinner wrote:
> The umask is set in /etc/login.conf:
>
> default:\
> ...
> ...
> :umask=022:\
> ...
> ...
> staff:\
> ...
> ...
> :umask=027:\
> ...
> ...
>
> Is this still a problem? (e.g. cron jobs)

Yes/No/Go boil my head in a cauldron brimming with rancid rhino rectal fluid, while surrounded by little blue sexually aroused smurfs chanting, "Great is Willie Wonker of the Chocolate Factory Dynasty!!"

> Running security(8):
> Checking root sh paths, umask values:
> /etc/profile /root/.profile
> Root sh startup files do not set the umask.

?
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Running security(8): Root sh startup files do not set the umask.
The umask is set in /etc/login.conf:

default:\
...
...
:umask=022:\
...
...
staff:\
...
...
:umask=027:\
...
...

Is this still a problem? (e.g. cron jobs)

----- Forwarded message from Charlie Root r...@britvault.co.uk -----

Date: Tue, 17 Dec 2013 01:56:49 + (GMT)
From: Charlie Root r...@britvault.co.uk
To: r...@britvault.co.uk
Subject: teak.britvault.co.uk daily insecurity output

Running security(8):
Checking root sh paths, umask values:
/etc/profile /root/.profile
Root sh startup files do not set the umask.
Re: Bizarre pf/sendmail interaction
On 2013-12-17 Tue 17:05 PM |, Tethys wrote:
> On Tue, Dec 17, 2013 at 4:43 PM, Craig R. Skinner skin...@britvault.co.uk wrote:
>> I guess you have net.inetsomething.forwarding=1 in /etc/sysctl.conf
>
> Yes, I do. I can browse the web etc from inside the firewall without problems.
>
>> Does the firewall also know where to forward external traffic to your internal mail server? (NON-NAT)
>
> I have:
>
> pass in on $ext inet proto tcp from $mx to $loki_ext port smtp rdr-to $riva port smtp keep state
>
> $ext is the firewall's external interface. $mx expands to the IP addresses of my MX servers. $loki_ext is the external IP address of my firewall, and $riva is my internal mail server.

There might be some other rule later on that's blocking it. Scan through the output of:

$ sudo pfctl -sr
Re: spamd in blacklist only modexd
On 2013-12-10 Tue 09:26 AM |, Alexander Hall wrote: The OP is referring to this part of /etc/rc, which has nothing to do with neither crontab nor /etc/rc.d/*. if [ X${spamd_flags} != XNO ]; then /usr/libexec/spamd-setup -D fi Indeed, please suggest a diff. Maybe we should just incorporate that into /etc/rc.d/spamd instead? This has worked OK for me for a few months: Index: rc === RCS file: /cvs/src/etc/rc,v retrieving revision 1.407 diff -u -u -p -r1.407 rc --- rc 9 Aug 2013 16:24:54 - 1.407 +++ rc 10 Dec 2013 12:59:49 - @@ -499,10 +499,6 @@ start_daemon rbootd mopd popa3d spamd sp start_daemon ipropd_master ipropd_slave sndiod echo '.' -if [ X${spamd_flags} != XNO ]; then - /usr/libexec/spamd-setup -D -fi - # If rc.firstime exists, run it just once, and make sure it is deleted if [ -f /etc/rc.firsttime ]; then mv /etc/rc.firsttime /etc/rc.firsttime.run Index: rc.d/spamd === RCS file: /cvs/src/etc/rc.d/spamd,v retrieving revision 1.3 diff -u -u -p -r1.3 spamd --- rc.d/spamd 13 Sep 2013 14:50:56 - 1.3 +++ rc.d/spamd 10 Dec 2013 12:59:49 - @@ -1,18 +1,23 @@ #!/bin/sh # -# $OpenBSD: spamd,v 1.3 2013/09/13 14:50:56 okan Exp $ +# $OpenBSD: spamd,v 1.4 2013/09/05 19:08:22 skinner Exp $ -daemon=/usr/libexec/spamd +daemon='/usr/libexec/spamd' . /etc/rc.d/rc.subr pexp=spamd: \[priv\] rc_reload=NO -rc_pre() { - [ X${spamd_black} != XNO ] \ - daemon_flags=-b ${daemon_flags} - return 0 +rc_pre() +{ + [[ ${spamd_black} == 'NO' ]] || daemon_flags=-b ${daemon_flags} +} + +rc_start() +{ + ${rcexec} ${daemon} ${daemon_flags} ${_bg} + rc_do rc_wait start ${daemon}-setup -D } rc_cmd $1 Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
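Review bot: the rc hunk (@@ -499,10 +499,6 @@) changes when spamd-setup runs, not just where it lives. After the block is removed, spamd-setup -D runs only from the rc.d script's start path, so it also fires on every manual /etc/rc.d/spamd start or restart rather than once at boot, and it no longer runs at all if spamd is enabled but the rc.d start path is not the one taken. Say so in the commit message, and confirm that start_daemon spamd (the context line kept above the removal) really ends up invoking /usr/libexec/spamd-setup -D before the /etc/rc copy is dropped.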
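Review bot: in the rc.d/spamd hunk, drop the edit to the `$OpenBSD: spamd,v ...$` line; CVS expands that keyword on commit, and the hand-written 1.4 is dated 2013/09/05, earlier than the 1.3 it replaces. In rc_start, the archived copy reads `rc_do rc_wait start ${daemon}-setup -D`; if an `&&` between `rc_wait start` and the spamd-setup command was lost in transit, restore it in the real patch, because as shown the spamd-setup path is passed to rc_wait as ignored arguments and never executed. The `${rcexec} ${daemon} ${daemon_flags} ${_bg}` line likewise needs the quotes rc.subr's own rc_start puts around `${daemon} ${daemon_flags}` so the command reaches `su -c` as one argument. Finally, `[[ ... ]]` in rc_pre is a ksh construct; the other rc.d scripts stick to POSIX `[ ... ]` under #!/bin/sh, and the old `return 0` was what guaranteed rc_pre's exit status, so keep it.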
Re: Are there any default password managers in OpenBSD?
On 2013-12-05 Thu 12:50 PM |, InterNetX - Robert Garrett wrote:
> use sticky notes.. preferably on your monitor

Just use the word 'incorrect' everywhere. Whenever a mistake is entered, the system will say: Your password is incorrect.

Done,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: OT: OpenBSD website scores high in Google PageSpeed Insight
On 2013-11-19 Tue 21:23 PM |, Theo de Raadt wrote:
> That is the score you get when you don't leverage all the latest new cool but heavy shit.

+12 votes for flat static HTML without client scripts.
[Waaaay O/T Humour] Avenging narwhal toy impales a penguin
Maybe But WTF is the koala doing in the ice? No polar bears??? http://distractify.com/fun/fails/20-horrifying-toys-to-traumatize-your-child/ What colour magical tusk are you? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: DNS Hosting Managed DNS
On 2013-10-24 Thu 10:35 AM |, Predrag Punosevac wrote:
> We have one domain name, small web server and a mail server.

In that situation, I'd:

1) run a master DNS server on the public web/mail server
2) find a domain name registrar that:
   1. will slave the zone from your master
   2. has 2-4 servers, mainly in the general geographic region of the web/mail users
   3. runs an acceptable OS/daemon

You'd have control over the zone's contents (incl subdomains, client caching, refresh, retry and expire periods). Not have to use any stupid web forms that limit how you use your zone. Have fun using more of OpenBSD's capabilities.

Do you have others that you could partner with to provide each other's reciprocal slave DNS service? People on this list - running the most secure OS?

If for some (bizarre) reason you don't want your DNS server to be public, then run the above as a hidden master:

1) don't list it in the zone's whois records
2) restrict DNS requests to the slaves only (via the daemon's access controls and pf too.)

There's no difference whatsoever for the external provider, and same benefits as above, but no public queries.

Running a public web or mail server is much more complicated and risky, so there's not much point in hiding it.

Become a hostmaster - you know you can.

Do it,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Blocking facebook.com: PF or squid?
On 2013-10-19 Sat 01:56 AM |, Stefan Wollny wrote:
> No, no: The squid is running on a regular server at home securing the PCs and the laptop once I am around.

Maybe feed a modified version of this list to Squid (fb ad servers are in there, adjust to block the whole thing):
http://pgl.yoyo.org/as/serverlist.php?hostformat=squid-dstdom-regex&showintro=0&startdate[day]=&startdate[month]=&startdate[year]=&mimetype=plaintext

A Squid idea which I've been meaning to try with the above (needs mods: 'wget' should be 'ftp', and should use /etc/rc.d/squid). I run squid chrooted, so further mods needed for that too.
https://calomel.org/squid_adservers.html

DNS ideas which I use to block some advertising and other junk:
http://www.deer-run.com/~hal/sysadmin/dns-advert.html
http://www.holland-consulting.net/tech/imblock.html
http://box.matto.nl/dnsadblok.html

For my laptop when away from home, I've found the Firefox plugin 'Block site' works:
https://addons.mozilla.org/En-us/firefox/addon/blocksite/

And another FX addon:
http://adblockplus.org/
Re: OpenBSD site SSL
On 2013-10-11 Fri 22:42 PM |, John Darrah wrote:
> Hi. Would it be possible to get SSL on the OpenBSD website(s)?

Please don't. That would slow it down and eliminate cachability - increasing network load and costs.

There's no personal data and no point. Anyway, THIS email is being sent in clear text from Scotland to Canada. It will also be archived and published on several public websites.

Regards,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: dump(8) and permissions
On 2013-10-12 Sat 11:47 AM |, Rodolfo Gouveia wrote:
> When /var is a real partition, there is a device node that corresponds to it and the group operator has read permissions on it.

Where possible, unmount partitions before dumping and dump the RAW character device:

operator@oak:~ 0$ ls -l /dev/sd5f
brw-r-----  1 root  operator    4,  85 Aug 29 16:41 /dev/sd5f
operator@oak:~ 0$ ls -l /dev/rsd5f
crw-r-----  1 root  operator   13,  85 Aug 29 16:41 /dev/rsd5f

Note that operator's home is /operator (not /home/operator) so /home can be unmounted for dumping.

> 19.12.7 Which Backup Program Is Best?
>
> dump(8) Period. Elizabeth D. Zwicky torture tested all the backup programs discussed here. The clear choice for preserving all your data and all the peculiarities of UNIX file systems is dump. Elizabeth created file systems containing a large variety of unusual conditions (and some not so unusual ones) and tested each program by doing a backup and restore of those file systems. The peculiarities included: files with holes, files with holes and a block of nulls, files with funny characters in their names, unreadable and unwritable files, devices, files that change size during the backup, files that are created/deleted during the backup and more. She presented the results at LISA V in Oct. 1991.

> 5.0 Conclusions (Zwicky): These results are in most cases stunningly appalling. dump comes out ahead, which is no great surprise.

Tools tested were: tar, gnutar, bar, cpio, pax, afio, fbackup, and bru. Almost all backup utilities are based on these tools underneath. Others use rsync, which is also not as reliable as dump as, like the other tools, it does not work with the raw binary data of an (unmounted) disk.

References:
http://www.freebsd.org/doc/en/books/handbook/backup-basics.html
http://www.coredumps.de/doc/dump/zwicky/testdump.doc.html

Cheers,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
growfs - thanks!
Thanks for growfs - phew

me@small-host$ sudo umount /var/growing-app

operator@larger-host$ ssh small-host dump -0anu -f - -h 0 /dev/rwd1f | dd of=small-host_var_growing-app.dump
operator@larger-host$ chflags nodump small-host_var_growing-app.dump
operator@larger-host$ restore -if small-host_var_growing-app.dump    # just checking...

me@small-host$ disklabel -p G wd1
me@small-host$ sudo disklabel -E wd1    # increase the partition size with 'm f', then 'w', 'q'
me@small-host$ growfs -N /dev/rwd1f
me@small-host$ sudo growfs /dev/rwd1f
me@small-host$ sudo fsck /dev/wd1f
me@small-host$ sudo mount /var/growing-app
me@small-host$ df
me@small-host$ ls -lR /var/growing-app

operator@larger-host$ rm small-host_var_growing-app.dump

Happy,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: PostgreSQL samenet in pg_hba.conf
No?

On 2013-10-02 Wed 18:06 PM |, Craig R. Skinner wrote:
> Does the ADDRESS keyword samenet work in OpenBSD's PostgreSQL pg_hba.conf?
>
> Manually specifying an address block works, as does a DNS hostname and domain name.
>
> $ pkg_info -I postgresql-server
> postgresql-server-9.2.3 PostgreSQL RDBMS (server)
>
> $ uname -a
> OpenBSD oak.britvault.co.uk 5.3 GENERIC#50 i386
>
> This page mentions an interface testing tool test_ifaddrs:
> https://www.virtualnetwork.net/about/opensource/package/postgres
> http://doxygen.postgresql.org/test__ifaddrs_8c_source.html
>
> Not found:
> find /usr/local -type f -name test_ifaddrs
>
> Thoughts?
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
PostgreSQL samenet in pg_hba.conf
Does the ADDRESS keyword samenet work in OpenBSD's PostgreSQL pg_hba.conf?

Manually specifying an address block works, as does a DNS hostname and domain name.

$ pkg_info -I postgresql-server
postgresql-server-9.2.3 PostgreSQL RDBMS (server)

$ uname -a
OpenBSD oak.britvault.co.uk 5.3 GENERIC#50 i386

This page mentions an interface testing tool test_ifaddrs:
https://www.virtualnetwork.net/about/opensource/package/postgres
http://doxygen.postgresql.org/test__ifaddrs_8c_source.html

Not found:
find /usr/local -type f -name test_ifaddrs

Thoughts?
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: mailx : mime handling?
On 2013-09-26 Thu 10:15 AM |, Roberto E. Vargas Caballero wrote: I use mutt basically because it has threading support, and I cannot live without it. Same, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Alternate authentication source in OpenSMTPd
On 2013-09-25 Wed 11:39 AM |, Gilles Chehade wrote:
> It's officially still true, unofficially you can do it on recent versions by declaring a table (i'll use a static table for the example but you can use a file, db, sqlite or ldap one):
>
> $ encrypt mypassword
> $2a$06$BTOM8Ck.HEInGF888KbjiORoXSOFT.McbLZIS85gMSmHTPA5Tds2S
>
> $ smtpd.conf:
> table mycreds { gilles = gilles:$2a$06$BTO[...]PA5Tds2S }
> listen on [...] auth <mycreds>
>
> and now, user 'gilles' can authenticate with password 'mypassword'

Is this possible without TLS/SSL Gilles? i.e; via CRAM-MD5 or DIGEST-MD5

Such as:

$ telnet localhost submission
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 teak.britvault.co.uk ESMTP Postfix
ehlo localhost
250-teak.britvault.co.uk
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-AUTH CRAM-MD5
250-XVERP
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Regards,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: daily insecurity output: Login operator is off but still....
On 2013-09-11 Wed 11:47 AM |, Rogier Krieger wrote:
> On Wed, Sep 11, 2013 at 11:37 AM, Craig R. Skinner [1]skin...@britvault.co.uk wrote:
>> Do I need to change operator's password to be 13 *'s?
>
> No, you need to change the value in the password field to 13 asterisks. Try vipw(8).
>
> IIRC, the idea is that no entered password could ever produce 13 asterisks as a password field, effectively disabling password authentication.

That explains it. Done and alert gone this morning.

Thanks,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
daily insecurity output: Login operator is off but still....
For backups, I set up operator to dump and scp to another box, so he needs $HOME/.ssh/:

$ sudo usermod -L daemon operator
$ sudo chsh -s /bin/ksh operator
$ sudo mkdir /operator
$ sudo chown operator:operator /operator
$ sudo chmod 750 operator /operator

$ userinfo operator
login   operator
passwd  *
uid     2
groups  operator
change  NEVER
class
gecos   System
dir     /operator
shell   /bin/ksh
expire  NEVER

From the daily security email:

Running security(8):
Checking the /etc/master.passwd file:
Login operator is off but still has a valid shell and alternate access files in home directory are still readable.

Which I think could be part of security(8):
.Check the master.passwd(5) and group(5) files for syntax, empty passwords, partially closed accounts.

$ sudo fgrep operator /etc/master.passwd
operator:*:2:5::0:0:System :/operator:/bin/ksh

master.passwd(5) says:
Similarly, login accounts not allowing password authentication but allowing other authentication methods, for example public key authentication, conventionally have 13 asterisks in the password field.

The alert comes from check_access_file() in /usr/libexec/security

Which comes from approx line 94 in check_passwd():

$pwd ne '' && $pwd ne 'skey' && length $pwd != 13 && $pwd !~ /^\$[0-9a-f]+\$/

Do I need to change operator's password to be 13 *'s? What's the best way to do that as I have this in /etc/login.conf:

default:\
    :passwordcheck=/usr/local/bin/pwqcheck -1:\

Cheers,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
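The check_passwd() condition quoted above, and the 13-asterisk edit Rogier suggests in his reply, as an added example that is not part of the thread or of /usr/libexec/security: it parses master.passwd(5) lines, re-implements the quoted condition, lists logins that are "off" yet keep a shell listed in shells(5), and shows that replacing the password field with 13 asterisks (the vipw(8) edit) clears the condition. The master.passwd content, the shell list and root's hash are constructed placeholders, not real accounts or hashes.

```python
import re

# Fields of a master.passwd(5) line, in order.
FIELDS = ("name", "passwd", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell")

# master.passwd(5): no password auth, other methods allowed => 13 asterisks.
NO_PASSWORD_AUTH = "*" * 13

# Hash prefix accepted by the quoted check ($2a$... bcrypt and friends).
_HASH_RE = re.compile(r"^\$[0-9a-f]+\$")


def parse_master_passwd(text):
    """Parse master.passwd content into a list of dicts, skipping comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed master.passwd line: %r" % line)
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def is_off(pwd):
    """The quoted security(8) test: not empty, not skey, not 13 chars, not a hash."""
    return (pwd != "" and pwd != "skey" and len(pwd) != 13
            and not _HASH_RE.match(pwd))


def off_with_valid_shell(entries, shells):
    """Logins that are off but still have a shell from shells(5)."""
    return [e["name"] for e in entries
            if is_off(e["passwd"]) and e["shell"] in shells]


def disable_password_auth(entries, name):
    """Return entries with `name`'s password field set to 13 asterisks.

    This is the vipw(8) edit from the thread: the account can still log in
    with an ssh key, can never log in with a password, and is no longer
    'off' in security(8)'s eyes, so the daily alert goes away.
    """
    return [dict(e, passwd=NO_PASSWORD_AUTH) if e["name"] == name else e
            for e in entries]


# Constructed sample modelled on the operator line quoted in the post.
# The root hash is a placeholder string, not a real password hash.
SAMPLE_MASTER_PASSWD = """\
root:$2a$08$placeholderhashplaceholderhashplaceholderhashxx:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/operator:/bin/ksh
_spamd:*:62:62::0:0:Spam Daemon:/var/empty:/sbin/nologin
"""

# Constructed subset of /etc/shells.
SAMPLE_SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh"}

if __name__ == "__main__":
    entries = parse_master_passwd(SAMPLE_MASTER_PASSWD)
    for login in off_with_valid_shell(entries, SAMPLE_SHELLS):
        print("Login %s is off but still has a valid shell" % login)
    fixed = disable_password_auth(entries, "operator")
    print("after fix:", off_with_valid_shell(fixed, SAMPLE_SHELLS))
```

Note what the condition does and does not distinguish: a single "*" and 13 asterisks are both unusable as password hashes, but only the 13-character form is treated as a deliberate "key-only" account, which is exactly why the passwordcheck setting in login.conf is irrelevant here; no password is being set, the field is being edited.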
[OT] New Zealand Ends Patents for Basic Software Dilbert's opinion
International technology giants won't be able to get patents for basic software under a law passed by the New Zealand government, although protection for significant innovations and programs will remain under the country's copyright law. http://blogs.wsj.com/digits/2013/09/01/new-zealand-ends-patents-for-basic-software/ http://www.linkedin.com/today/post/article/20130903133938-50510-software-patents-a-tax-on-innovation Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Compiling BOINC/Seti at Home for OpenBSD 5.3 Sparc64
On 2013-08-29 Thu 17:02 PM |, Daniel Ouellet wrote: Wonder why keep running something doing nothing ;) Still happily married I see. (: Install a network of multiple machines at home. There'll be lots to do.. -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
diff: INSTALL: etcXX: (addition of opening quotes)
Here's an addition of opening quotes in this INSTALL file: --- INSTALL.i386.53 Wed Mar 13 00:58:19 2013 +++ INSTALL.i386.changedSat Aug 17 10:11:40 2013 @@ -359,7 +359,7 @@ upgrading. (If you are upgrading, it's recommended that you get a copy of this set and CAREFULLY upgrade your configuration files by hand; see the section named -Upgrading a previously-installed OpenBSD System below.) +Upgrading a previously-installed OpenBSD System below.) [ 511.3 KB gzipped, 1.5 MB uncompressed ] game53 This set includes the games and their manual pages. -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
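Review bot: the hunk targets the wrong file. INSTALL.i386 is generated; the text lives in the distrib/notes sources and is assembled by m4, so a diff against the shipped INSTALL file will not stick. Send the quote fix against the distrib/notes file that contains "Upgrading a previously-installed OpenBSD System". Also note that in this archived copy the `-` and `+` lines read identically because the quotation marks were stripped in transit; make sure the real patch shows the added opening quote so the reviewer can see what changed.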
dump(8): unify grammar of both 'file system(s)' 'filesystem(s)'
The existing grammar is erratic: $ fgrep filesystem dump.8 | wc -l 15 $ fgrep 'file system' dump.8 | wc -l 6 Uniformly concatenate both words into one: Index: dump.8 === RCS file: /cvs/src/sbin/dump/dump.8,v retrieving revision 1.45 diff -u -r1.45 dump.8 --- dump.8 4 Apr 2013 10:47:21 - 1.45 +++ dump.8 16 Aug 2013 19:28:41 - @@ -114,7 +114,7 @@ .It Fl 0\-9 Dump levels. A level 0, full backup, -guarantees the entire file system is copied +guarantees the entire filesystem is copied (but see also the .Fl h option below). @@ -250,7 +250,7 @@ is ignored. .It Fl W .Nm -tells the operator what file systems need to be dumped. +tells the operator what filesystems need to be dumped. This information is gleaned from the files .Pa /etc/dumpdates and @@ -259,10 +259,10 @@ .Fl W flag causes .Nm -to print out, for each file system in +to print out, for each filesystem in .Pa /etc/dumpdates , the most recent dump date and level, -and highlights those file systems that should be dumped. +and highlights those filesystems that should be dumped. If the .Fl W flag is set, all other options are ignored, and @@ -365,7 +365,7 @@ and on a set of fresh tapes that is saved forever. .It After the level 0 dump, -backups of active file systems are taken on each day in a cycle of a week. +backups of active filesystems are taken on each day in a cycle of a week. Once a week, a level 1 dump is taken. The other days of the week a higher level dump is done. .Pp @@ -413,7 +413,7 @@ .It Pa /etc/dumpdates dump date records .It Pa /etc/fstab -dump table: file systems and frequency +dump table: filesystems and frequency .It Pa /etc/group to find group .Em operator -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
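Review bot: before applying the @@ -114,7 +114,7 @@ hunk (and the ones that follow it in the same direction), check which spelling the rest of the manual tree uses; consistency across pages matters more than the 15-to-6 majority inside dump.8. Something like `grep -l 'file system' /usr/share/man/man8/*.8 | wc -l` against the same count for `filesystem` settles the direction. If the tree favours "file system", this diff should go the other way and touch the 15 "filesystem" lines instead.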
Re: Other mailers failing on spamd's 451?
On 2013-08-14 Wed 07:43 AM |, Nick Holland wrote: that are having the same problem from seemingly other servers -- I send them a 451 and they toss up their arms and immediately quit trying and bounce the message back to the sender. And yes, the bounce message is funny -- clearly saying the mailer gave up on what is clearly being described as a temporary failure. gmx.net -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: /etc/mail/spamd.key permissions/ownership?
On 2013-08-09 Fri 14:23 PM |, Peter N. M. Hansteen wrote:
> I checked the nearest couple of spamd equipped boxes, and it tends to be
>
> [Fri Aug 09 14:21:47] peter@skapet:~/www_sider$ ls -l /etc/mail/spamd.key
> -rw-r--r-- 1 root wheel 2048 Nov 1 2009 /etc/mail/spamd.key

It's been syncing OK for a few days now as this (under RCS control):

$ ls -l /etc/mail/spamd.key
-r--r--r-- 1 postmaster postmasters 1574 Aug 10 01:54 /etc/mail/spamd.key

Thanks Peter,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: ifconfig(8) --frontend
On 2013-08-04 Sun 14:30 PM |, Gregor Best wrote: known wireless ESSIDs, known gateway MAC addresses and known network topologies, for example When I'm at home, my gateway is 192.168.2.1, there's a host named Zim and one named Gir and my public IP address resolves back to Unity Media. That's probably unportable and needs to be reimplemented for every user. Maybe knock up a config file for all your specific stuff? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
/etc/mail/spamd.key permissions/ownership?
On a multi-user box, what are the recommended permissions/ownership of /etc/mail/spamd.key? Or is the question irrelevant as a checksum of the file is used, not its contents? Thanks, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
spamd: sync init: Device not configured
When attempting to sync spamd between 2 hosts via unicast, I see this error when starting spamd:

spamd: sync init: Device not configured

Web searching with this phrase didn't yield useful pointers.

In /etc/rc.conf.local I have:
spamd_flags="-y smtp.example.com -Y mx-backup.example.com"

I'm not using CARP or pfsync, and have a default block in/out pf policy.

After looking at the spamd man page and source, I'm not seeing clues of where to look next.

Do I need to add some parameter to /etc/hostname.if?

Cheers,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: spamd: sync init: Device not configured
On 2013-07-31 Wed 14:25 PM |, Peter Hessler wrote:
> You need to change those to the correct IPs or hostnames for your configuration.

Thanks Peter. This works:

spamd_flags="-y [ip.address] -Y mx-backup"

When testing with various hostnames with the -y option, all failed with the Device not configured message. The host is dual homed and has specific hostnames for each interface, but they're not accepted in either long or short (without the domain name) form. e.g:

public.server.example.com
public.server.example.com.
public.server
server-public
server (produces 2 ip addresses via 'host')

This pf rule subset seems to pass the sync as now the sync_trap messages on 1 box have corresponding 'new TRAP from' messages on the other:

# spamd-sync:
pass in log on $ext_if inet proto udp from mx-backup port 1023 \
    to $ext_if port spamd-sync user root #_spamd
pass out log on $ext_if inet proto udp from $ext_if port 1023 \
    to any port spamd-sync user root #_spamd

$ fstat | fgrep 8025 | fgrep udp

shows _spamd has the port, but it must've been opened by root as when the _spamd user is in the above pf rule, it doesn't pass.

Cheers,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Wake via serial port?
On 2013-07-12 Fri 23:12 PM |, Thomas Reiter wrote:
> would you mind to share how you have solved the problem? otherwise someone has to ask the same question some day.

Of course Thomas, but as each piece of hardware is different, I doubt what worked in this case will be transferable.

I first began by trying Wake on LAN with pointers from https://calomel.org/wakeonlan.html

Although the NIC's WOL cable was connected and the BIOS claimed WOL support, it wouldn't bring the box up. Eventually I discovered ifconfig(8)'s notes re WOL and established that the cheap card didn't actually support WOL:

$ ifconfig rl0 hwfeatures | fgrep hwfeatures
hwfeatures=10<VLAN_MTU> hardmtu 1500

$ sudo ifconfig rl0 wol
ifconfig: SIOCSIFXFLAGS: Not supported

So I started experimenting via the serial port and then the power button.

With Nick's suggestions about the power button, I thought that'd be the quickest route, so opened the box again, removed the WOL cable and noticed some motherboard settings. That jogged my mind to Nick's comments about just because the BIOS claims to do something, doesn't mean it will.

With random inspiration I decided to have another look at the BIOS, and now there was an option to have the box auto power on.

So whether I nudged a DIP switch or otherwise jiggled something, I can't be sure.

Anyway, Nick was right, as "I'll tell you how to figure it out."

Job done, in unspectacular style.

Onwards,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Wake via serial port?
On 2013-07-12 Fri 17:39 PM |, Diana Eichert wrote:
> What you are asking only makes sense, unfortunately Craig appears to be like a lot of mailing list subscribers. They are takers not givers.

Lady Di,

It's gracious to be respectful of others' timezones and life schedules.

Cheers,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Wake via serial port?
On 2013-07-12 Fri 10:42 AM |, Nick Holland wrote: but I'll tell you how to figure it out. [ wise words of practical relevance ] Solved! Thanks, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: apropos
On 2013-06-29 Sat 10:09 AM |, Ingo Schwarze wrote: In OpenBSD, all elementary userland utilities are actively maintained, Appreciated, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7