Re: Replace sendmail with qmail?
Frans Haarman wrote:
Did he change his djbdns license as well !?

From the Google Video (http://video.google.com/videosearch?q=Bernstein+releases+code+public+domain)...

After talking about shortcomings of BSD/GNU licensing...

... as a result of seeing this mess for some decades and thinking about the sources of the mess I have decided to put my future and (going through the things I've done in the past) past software into the public domain.

... and some guy next to him, raises his hands, and quietly exclaims, Yes!, before the small crowd of SAGE attendees breaks into applause.

If it isn't already changed, it may be soon.

-ez
Magic numbers, signed binaries (Re: Compilers make a system less secure?)
I think a few people in the thread gave examples of how hackers and script kiddies don't really need compilers on the system to do damage. Once an intruder is on your system, they can download pre-compiled tools to do what they need from a similar system where they (or the script-kiddies' hacker pimps) maintain a compiler and toolbox for the target system. Given such an environment, it doesn't make a difference whether the intruded sysadmin puts a compiler on their computer or not.

I agree.

### Magic numbers helped protect systems

Some friends of mine with a BSD compile-and-maintain-everything-from-source background came up with the idea where they would use a different Magic Number for binaries when they built their production systems. The binaries on the production systems would all have the special magic numbers and exec would require the magic numbers to run the binaries. If you tried to run a compiled program that was compiled elsewhere, it would fail. They also did cool things like give them stealthy monitoring tools within commonly used programs (top, ps, shells) so that their production systems were like fish bowls where you could watch inept hackers swim.

Part of the policy of the production environment was not to have compilers on the production systems so that the hackers couldn't easily build a runnable program. An 3l33t hacker might figure out that all he/she had to do was modify the magic number to get their program to run, but most people (including script kiddies) wouldn't figure it out, give up, and move on to softer targets.

This is one historical case where I think not having compilers made the system more secure, but it's not your standard system.

### Signed binaries

To kick it up a notch, one might come up with a method for replacing the magic number hack with a method of making sure a hash or signature of a binary matched a trusted source before it was allowed to run. One would keep a signing-capable compiler away from the production systems and distribute signed binaries to the systems. A program might start slower initially, but that's a trade-off a paranoid sysadmin might be willing to make.

It'd make a good Usenix paper (unless someone's already done it - anyone?). I do a Google search and see that FreeBSD updates are signed, but I don't see anything about binaries themselves. Over in Linux land, there are cryptographically signed kernel modules. I hear murmurs about Microsoft having the system verify DRM before running programs someday.

--
Eric Ziegast

josh wrote:
Some people seem to think that installing a compiler inherently makes their system less secure... despite never being able to cite any actual reasons why. Personally, I really don't see how a compiler is going to lessen security, particularly when they are used to patch the system, but I was wondering what people here thought.
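The hash-before-exec check suggested under "Signed binaries" above, as an added example that is not part of the original post or of any system it mentions. It assumes a manifest of SHA-256 digests is produced on the build host and reaches the production host intact (verifying a signature over the manifest is out of scope here); the file names, the `\x7fPRD` magic and the manifest format are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse 'hexdigest  path' lines, as produced on the build host."""
    rows = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {path.strip(): digest.lower() for digest, path in rows}

def verify(path, manifest):
    """Return (verdict, fd); fd stays open only when the verdict is 'ok'."""
    expected = manifest.get(path)
    if expected is None:
        return "unlisted", None
    fd = os.open(path, os.O_RDONLY)
    digest = hashlib.sha256()
    while chunk := os.read(fd, 65536):   # hash the open file, not the name
        digest.update(chunk)
    if digest.hexdigest() != expected:
        os.close(fd)
        return "mismatch", None
    return "ok", fd

def run_verified(path, argv, manifest):
    """Exec path only when its SHA-256 matches the manifest entry."""
    verdict, fd = verify(path, manifest)
    if verdict != "ok":
        raise PermissionError(f"{path}: {verdict}")
    # Exec the hashed descriptor where supported, closing the check/exec race.
    os.execve(fd if os.execve in os.supports_fd else path, argv, os.environ)

def audit(path, manifest):
    """Verdict only, closing the descriptor; used by demo()."""
    verdict, fd = verify(path, manifest)
    if fd is not None:
        os.close(fd)
    return verdict

def demo():
    """Constructed sample files: trusted build, swapped file, unlisted path."""
    tool = os.path.join(tempfile.mkdtemp(), "tool")
    body = b"\x7fPRD trusted build"      # made-up site magic plus payload
    with open(tool, "wb") as f:
        f.write(body)
    manifest = parse_manifest(f"{hashlib.sha256(body).hexdigest()}  {tool}\n")
    first = audit(tool, manifest)
    with open(tool, "wb") as f:          # same magic, different contents
        f.write(b"\x7fPRD built elsewhere")
    return [first, audit(tool, manifest), audit(tool + ".new", manifest)]
```

The second verdict is the point of the comparison with the magic-number scheme: a file carrying the right magic still fails once its contents differ from the build host's. On Linux, exec by descriptor works for native binaries but not for `#!` scripts, because descriptors opened by `os.open` are close-on-exec.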
/usr/src/lib/libpcap/Makefile depends on bpf_filter.c
Where do I find a bpf_filter.c in OpenBSD, or how is it generated? Or is there a better way to compile /usr/lib/libpcap*?

In the latest src.tar.gz available via FTP, the file ./lib/libpcap/Makefile lists:

    SRCS= pcap.c inet.c gencode.c optimize.c nametoaddr.c etherent.c \
          savefile.c bpf_filter.c bpf_image.c grammar.y scanner.l \
          pcap-bpf.c version.c fad-getad.c

... but there's no bpf_filter.c in the ./lib/libpcap directory. Because of this dependency, libpcap won't compile. It seems that I can get a little further along if I remove bpf_filter.c from SRCS, but I wonder if that's the right thing to do.

I found the problem originally by trying to compile libpcap from source on a 3.8 release system with the src.tar.gz tarball that came with it. I downloaded src.tar.gz from current (updated just last night) just to see if it's still an issue.

--
Eric Ziegast
Problems booting after installing OpenBSD 3.8 on Compaq Proliant G1/G2 SmartArray
A while back, I had problems installing OpenBSD on Proliants. I'd get all the way through the installation process and reboot the computer, and the BIOS wouldn't boot OpenBSD from the first RAID1 hard disk. Playing with disklabel and using other commands to copy the MBR didn't work. If I boot from floppy or CD, I can chroot into my installed operating system just fine. It just wouldn't boot. Looking through the OpenBSD lists, I didn't find the answer, so I posted asking for help.

I found that the problem wasn't with my BSD install, but I needed to perform an additional installation step with my Proliant. When installing operating systems, best practices include using the Compaq SmartStart CD that comes with the system. If I boot with that CD and use the Erase Utility, it erases all past settings from BIOS, NVRAM and hard drives. I then go into the BIOS menus to change the default operating system from Windows to Other OS, and then initialize the RAID controller for the hard drives that I have installed.

When installing OpenBSD 3.8, the installer detects my first RAID1+0 disk on the SmartArray 5 controller (ciss0) and uses it as sd0. After installing, the boot loader works when I reboot.

I'm sure someone else will run into this problem, so I'm posting my info to misc@ so that someone else in the future will find it using the search functionality on the mail lists.

/ Eric Ziegast
Proliant SmartArray 5i boot blocks
I've tried a few times to get OpenBSD (3.8 beta from mid-late August) installed on a Proliant DL 380 G1 with a SmartArray 5i controller. The good news is that the installation CD found the RAID1 array and used it as /dev/sd0 to install the OS. The part I'm having trouble with is getting the box to boot from the installed disk. When it boots, it claims no operating system is found. I can boot afterwards with a floppy or CD just fine and then mount /dev/sd0a and chroot into my OpenBSD root partition.

Things I tried:

- I always tell the installer to use the whole disk. I can see the A6 label created in MBR partition 3.
- I see the machine blink the drive lights when it claims to be writing an MBR.
- I have even run fdisk -e sd0 with flag to make sure the OpenBSD partition is a bootable partition.
- I have even tried swapping the OpenBSD partition to partition 0 instead of 3.
- I followed details from FAQ 14.8 to redo the ./installboot of [/mnt]/usr/mdec/biosboot.

Things I'd rather not try:

- Install a working bootable Linux partition and use grub to boot OpenBSD.

I'm not an expert, so I admit I may be overlooking something newbie-like, ..

... but if others got their older Proliants to boot, I was wondering what tricks, if any, they needed to get it to work.

Thanks,
Eric Ziegast
ez -at- zoovy - com
ziegast -at- vix - com

PS: Hi Todd!