Re: [OT] how secure is 2 factor auth with a smartphone?

2017-12-14 Thread Kamil Cholewiński
> Re: [OT] how secure is 2 factor auth with a smartphone?

Not very much. Phones are easy to lose, break (which means 2nd factor
recovery must be relatively painless == lowest common denominator), etc.

For services that insist on 2FA, I have a script that calls oathtool
and copies the code to clipboard. Secret seeds are encrypted via GPG.
All integrated via dmenu. I went thru 3 phones since then.

<3,K.
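
Added example, not part of the original post: what the oathtool call in a script like the one described above computes, written out in Python (RFC 6238 TOTP over a base32 seed). The `load_seed` helper and its one-seed-per-GPG-file layout are assumptions; the post does not show the script itself.

```python
import base64
import hashlib
import hmac
import struct
import subprocess
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.

    The defaults (SHA-1, 30 s step, 6 digits) match `oathtool --totp`.
    """
    if now is None:
        now = time.time()
    return hotp(key, int(now) // step, digits)


def decode_seed(b32: str) -> bytes:
    """Decode a base32 seed as services display it (any case, spaces, no padding)."""
    cleaned = "".join(b32.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def load_seed(path: str) -> bytes:
    """Assumed layout: one GPG-encrypted file per service holding the base32 seed.

    The plaintext seed only ever lives in this process's memory; gpg (and its
    agent) handle the passphrase prompt.
    """
    out = subprocess.run(
        ["gpg", "--quiet", "--decrypt", path],
        check=True,
        capture_output=True,
    ).stdout
    return decode_seed(out.decode("ascii"))


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test seed, not a real account secret.
    sample = decode_seed("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(sample))
```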



Re: Fail2ban alternative for OpenBSD

2017-10-30 Thread Kamil Cholewiński
On Mon, 30 Oct 2017, Zbyszek Żółkiewski  wrote:
> that’s naive, did you trust it when there were weak ssh keys
> generated back few years ago ? I am not here to teach anyone about
> good practices, but having ssh closed is just common-sense.

It was Debian's screwup, not OpenSSH's.

Call me naive. I'll call you if I ever get pwned, and enjoy not having
to muck around with OpenVPN in the meantime.



Re: Fail2ban alternative for OpenBSD

2017-10-30 Thread Kamil Cholewiński
> I am wondering since years why the hell people left SSH port open to
> the world?

Because I trust OpenSSH.



Re: Fail2ban alternative for OpenBSD

2017-10-30 Thread Kamil Cholewiński
On Mon, 30 Oct 2017, Gregory Edigarov  wrote:
> On 29.10.17 03:20, x9p wrote:
>>
>> Coming from the Linux world, I wonder if there is a better alternative
>> to fail2ban, already being used in OpenBSD servers by the majority.
>>
> I suggest you NEVER use such "solutions". It's security by obscurity
> model, and therefore a bad very very bad thing.
> You'd be much safer completely turning off password authentication,
> using keys instead.

Throttling brute-force attack attempts is usually Good. Passwords are
one thing to try forcing, but there may be other undiscovered (or
unpatched) vulns, like the Debian key fiasco or such.

Of course, if it actually made sense, OpenBSD would probably ship it as
a default ;)

<3,K.



Re: Need to swap partitions: /tmp amd /usr

2017-10-30 Thread Kamil Cholewiński
On Sun, 29 Oct 2017, Jay Hart  wrote:
> Good Evening Fellow OpenBSDers,
>
> Below is currently how I have my disk laid out partition wise.  I have a
> feeling I need to swap /tmp and /usr in order to gain additional space
> for /usr.
>
> What is the best way to go about that?

Boot system from ramdisk (bsd.rd). Mount /, /tmp and /usr somewhere
(like /mnt). Move data from /mnt/usr to /mnt/tmp. Edit /mnt/etc/fstab,
wipe /mnt/usr, save, reboot. ?

<3,K.



Re: Flask app as UWSGI returning 500 when accessed through OpenBSD HTTPD

2017-10-19 Thread Kamil Cholewiński
I Am Not A uWSGI Expert, but the way we've been usually setting it up is
via plain HTTP reverse proxying, never CGI/FastCGI. I would try that
approach first.



Re: Automatically restarting services/daemons after crash

2017-10-13 Thread Kamil Cholewiński
Hi Aaron & misc@,

My take:

I favor a tool that gives me (the end-user) more power. OpenBSD folks
are 100% right to maintain a particular policy (no automatic restarts),
but I see no reason to enforce it by taking away options from the end
users.

(Furthermore, I see no reason to attack a tool or concept that makes it
easier to run crappy software; it makes running excellent software and
crappy software equally easy.)

So this is entirely possible, you can swap OpenBSD's init & rc
mechanisms with runit, S6, or nosh (which, unlike daemontools, were all
designed to fit that particular role), and you can configure each of
them to do "one-shot" starts (no automatic restarts). So you can get
both the powerful supervision mechanism AND a policy that favors
security. Last time I checked, separation of mechanism and policy was
considered Good.

But from there on, the sad reality is you're mostly on your own. You can
run a FrankenBSD or Frankenbuntu, nobody can stop you. But no mainstream
OS uses runit, S6 nor nosh. Warranty is void.

The author of nosh (JDeBP) is very active and maintains ports and
integrations for Debian, OpenBSD, FreeBSD, so if you're not up for
maintaining a fork of your OS, that might be your best chance.

On the other hand... I run my Debian box with runit as PID 1 (an
ENTIRELY unsupported setup), because the default thing is a horrible
abomination, and even though I'm on my own making sure all the pieces
fit together, I still find it nicer to work with.

However I consider OpenBSD's rc(8) suite the second best thing in the
world, and I'm entirely happy just not touching it.

(Hint: you can also run daemontools/runit/etc alongside the default
init.)

<3,K.



Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?

2017-09-27 Thread Kamil Cholewiński
On Wed, 27 Sep 2017, Francois Pussault  wrote:
> maybe installing a tool like xrandr ?

Xrandr works only for X. I've skimmed wscons(4), wsdisplay(4),
wsconscfg(8), wsconsctl(8), nothing about rotation...



Re: OT: protonmail mail body

2017-07-12 Thread Kamil Cholewiński
On Wed, 12 Jul 2017, Rupert Gallagher  wrote:
> I top post deliberately, out of sympathy. When you will be as old as I
> am, you will find that scrolling a long thread to read a reply it
> pains your hand. So, to avoid top posting, you have to scroll twice:
> to read, and to write. If people top post by default, it would make
> things easier to everybody.

My MUA does this:

> [ 8 more citation lines. Click/Enter to show. ]

Problem solved.



Re: Robust ThinkPad suggestions for running OpenBSD.

2017-07-12 Thread Kamil Cholewiński
For lightweight, go with X2.0 series. I've used X200s (OpenBSD,
Linux), X220 & X250 (Linux), and can recommend all of these. X230 is
supposedly also decent, and can be modded with the old X220 keyboard.
Avoid X240, it has a very shitty touchpad.

For sturdy, go with any older model, up to & including X220 should be
fine.

Newer models usually have SSDs out of the box. It's trivial to swap one
in with older models, eg. with X200s it's removing a single screw to
access the bay.



Re: Limits on OBSD amd64

2017-05-26 Thread Kamil Cholewiński
On Fri, 26 May 2017, Stuart Henderson  wrote:
>> and ZFS ?
>
> 0 bytes.

-1 bytes and ENOENT? :)



Re: Etnernal & infernal browser woes

2017-04-28 Thread Kamil Cholewiński
On Fri, 28 Apr 2017, Anders Andersson  wrote:
> From what I read, it seems as if the problems are mostly from when you
> try websites which are heavy on javascript. Let me butt in as a grumpy
> not-so-old man and point out that there's nothing even remotely
> "secure by default" by even allowing javascript, considering its
> horrible track record.
>
> Perhaps this is one of the reasons for the disinterest with browser
> performance?

I for one would recommend the following:

- Implement a TLS-enabled, cross-platform, secure Gopher server and client

- Start pressuring website maintainers and web companies to deliver
  content and expose services over Gopher

- Uninstall all web browsers

Seems like wins all around.

<3,K.



Re: softraid mirror & large drives (3T)

2017-04-18 Thread Kamil Cholewiński
On Tue, 18 Apr 2017, Jiri B  wrote:
> On Tue, Apr 18, 2017 at 08:23:56AM -0400, Allan Streib wrote:
>> Buy a hardware RAID controller.
>
> I suppose you wanted to write - 'buy two equal hardware RAID controllers',
> or how would you be solving problem in broken hw raid controller in
> cca 10 yrs from now? :-)
>
> j.

Redundant machines in isolated failure zones.

<3,K.



Re: Is there something to replace zaurus?

2017-04-04 Thread Kamil Cholewiński
On Tue, 04 Apr 2017, Kristoff Haler  wrote:
> Hello misc@,
>
> Unable to provide direct link from this email account
> Search  indiegogo  "gpd-pocket-7-0"
> Not ARM,
> x86_64,
> 8GB RAM, 
> TrackPoint,
> 7in 1920x1200,
> Touchscreen,
> Gorilla Glass,
> This "feels" OpenBSD.
>
> Regards,
> Kristoff Haler.
> -- 
> Take back your privacy. Switch to www.StartMail.com

Judging by this comment:

https://www.reddit.com/r/linux/comments/5u5ek7/gpd_pocket_70_umpclaptop_ubuntu_or_win_10_os/ddslacd/

Another "wintel" box... Which is sad, because trackpoint



Re: better way to detect new display

2017-03-01 Thread Kamil Cholewiński
On Wed, 01 Mar 2017, Marcus MERIGHI  wrote:
> sc...@ggr.com (Scott Bonds), 2017.02.28 (Tue) 02:21 (CET):
>> I'm polling using xrandr to check whether a new display was plugged
>> in, so I can run a script to switch to it, i.e. plug in an external
>> VGA monitor and it lights up automatically, unplug it and my laptop
>> automatically switches back to using its internal display. 
>
> I have wanted the same and found no way to avoid polling xrandr(1).
>
> If you find a way, would you be so kind to share the solution?

The Other Operating System has something called udev rules.

I have a file called /etc/acpi/hotplug-monitor.sh which queries for
connected displays and includes logic to set them up (falling back on
xrandr --auto if nothing else makes sense).

The file is invoked by udev, per another file named
/etc/udev/rules.d/80-hotplug-monitor.rules which has this one line:

SUBSYSTEM=="drm", ACTION=="change", RUN+="/etc/acpi/hotplug-monitor.sh"

I don't have any OpenBSD box nearby (:C), but perhaps there's something
in /var/log/* about a new monitor being plugged in? A process could
follow the file and trigger events.

<3,K.



Re: Looking for replacement of thinkpad x201

2017-02-27 Thread Kamil Cholewiński
Long time user of X200s, most beloved machine ever. Took a lot of
beating, even a Thinkpad wouldn't stand it. Took it apart for spare
parts. Screen is pretty poor compared to X220 and newer.

Currently on X250, and I like it. The keyboard is bearable but takes
some adjusting to.

Got an X220 (the last one with the classic keyboard), a gift for mom.
Now whenever I use it, I feel like I'd trade my X250 for it.

Apparently it's possible to fit an X220 keyboard into an X230 - I don't
have any X230's, didn't try, some people reported success.

Some parts (like the power socket) are compatible between X200 and X220.

The trackpoint is excellent on all the X2xx's.

<3,K.



Re: https for pkg_add?

2017-01-09 Thread Kamil Cholewiński
On Mon, 09 Jan 2017, Stuart Henderson  wrote:
> Performance won't be ideal though, there's no pipelining or session
> resumption - it needs to do a full TLS negotiation for each package
> fetched (note that pkg_add -u fetches at least the start of the tgz
> for *every* package which you have installed on the system).

Perhaps an index/manifest file, like apt does?
http://cdn.debian.net/debian/dists/stable/main/



Re: Making motd great again

2016-11-21 Thread Kamil Cholewiński
On Mon, 21 Nov 2016, trondd  wrote:
> If you want the MOTD to be aimed at users who may not have much Unix
> knowledge yet, then the sysadmin can change it to whatever makes sense for
> their environment.

Consider the first-time user experience for a person that just installed
OpenBSD on their own hardware, with no prior Unix experience.

The installer does a great job at holding your hand.
If you paid attention during installation, you can probably figure out
that the username and password that you gave to the installer will let
you get past the "login" prompt. But what next?

Experienced Unix sysadmins, using OpenBSD for their first time, would
probably know what's up once you mention the word "sendbug(1)" - the
rest could be moved to the manpage.

<3,K.



Re: Correct shebang for Python 3

2016-10-23 Thread Kamil Cholewiński
On Sun, 23 Oct 2016, Stuart Henderson  wrote:
>> #!/usr/bin/env python
>
> Opinions vary but I'm not a fan of using env for this, I don't normally
> want to trust the first file of that name found in the path.

There are two kinds of people: those that know exactly what their $PATH
is, and those who don't - the 99%.

Those who do know, are almost certainly well aware that 99% of one-off
scripts in the world use #!/usr/bin/env, and don't put an executable
named "python" in their $HOME/bin - or accept the consequences.

Those that don't know, are probably running OSX, or Windows, or some
random minty flavor of Ubuntu - and there is NO way to predict or
establish the location of the Python executable. Everyone wants to "just
move on with the work", I guarantee my coworkers would throw rocks at me
if I tried to get them to use setuptools.

> Can you just use setuptools? That generally does the right thing.

When distributing a library or a package - yes, the sanest thing to do.

When working with a bunch of frontend developers that try a "sudo curl |
bash" when "curl | bash" doesn't work - no, you can't let them hurt
themselves, you must use whatever method has the smallest chance of
making them shoot themselves in the foot. You want them alive, so they
can deal with that Node.js stuff - so you don't have to.

<3,K.



Re: 2 files, same name, same dir

2016-10-22 Thread Kamil Cholewiński
On Sat, 22 Oct 2016, Nick Holland  wrote:
> (and it wouldn't surprise me if Linux "saves" you from this error, and
> it would just make me hate it all the more)

No need to kick the poor penguin...

> $ uname
> Linux
> $ mkdir /tmp/test
> $ cd $_
> $ touch "pi.c"
> $ touch "pi.c "
> $ ls | hexdump -C
>   70 69 2e 63 0a 70 69 2e  63 20 0a |pi.c.pi.c .|
> 000b



Re: security(8) doesn't know about mailbox locks

2016-10-21 Thread Kamil Cholewiński
On Fri, 21 Oct 2016, Philippe Meunier  wrote:
> When cron runs /etc/daily, that script runs df and netstat and the
> output is sent by email to root.  On my system, emails to root are
> forwarded to local user meunier using /root/.forward.  The forwarding
> itself temporarily creates a lock file in /var/mail:

Try using aliases(5) instead



Re: DigitalOcean and OpenBSD

2016-08-25 Thread Kamil Cholewiński
On Thu, 25 Aug 2016, Uwe Werler  wrote:
> Now they offer a rescue boot with OpenBSD 5.9 too. It's quite easy to
> install a new machine now. And a very plus is their support.

Wow, this is good news and very, very cool.

(For those who, like me, are a bit lost: it's not in the "Rescue" tab,
 but in "vServer" -> "Settings" -> "Mount CD/DVD image".)



Re: DigitalOcean and OpenBSD

2016-08-25 Thread Kamil Cholewiński
On Thu, 25 Aug 2016, Gilles Chehade  wrote:
> There are other alternatives with better hardware, services and policies
> within the same price ranges. online.net to name one, hetzner.de to name
> another one.

Hetzner customer here. Hetzner doesn't support OpenBSD natively. The
only instructions I could find are kind of dated, in German, seem to
apply only to dedicated servers (as opposed to VMs), and overall look
like a giant hack. Anyone had luck getting things running recently?

<3,K.



Re: Installer overwrites partition table

2016-08-24 Thread Kamil Cholewiński
On Wed, 24 Aug 2016, Bertram Scharpf  wrote:
> Hi,
>
> first of all, I am an experienced OS installer and I did a
> heck of partitioning in my life. Now I had some unused disk
> space and I found it a good idea to install OpenBSD.
>
> The installer's partitioning tool didn't offer me a variant
> that keeps my existing partitions. Therefore I immediately
> stopped it. But yet it was too late. The partition table was
> overwritten.
>
> The damage is not hard for me because I tersely do backups.
> But this behaviour is impudent. This blowfish is not a safe
> operating system, it rather is a poorly prepared fugu.
>
> Bertram
>
>
> -- 
> Bertram Scharpf
> Stuttgart, Deutschland/Germany
> http://www.bertram-scharpf.de

- You have unused disk space. Rather than spinning up a VM to play in,
  you've instead opted for letting a new OS, that you have no experience
  with, access and modify the raw disk bits.

- You've tried installing the aforementioned new and unknown OS, on a
  disk that had other important data, that was already governed by
  another OS.

To me, that doesn't sound like what an experienced user would do.

<3,K.



Re: Logging/backup .ksh_history

2016-08-08 Thread Kamil Cholewiński
On Mon, 08 Aug 2016, Francois Pussault  wrote:
>> 
>> From: Craig Skinner 
>> Sent: Mon Aug 08 09:49:11 CEST 2016
>> To: 
>> Subject: Re: Logging/backup .ksh_history
>>
>>
>> Hi John,
>>
>> On 2016-08-08 Mon 14:39 PM |, johnw wrote:
>> > Hi, I use /bin/ksh as a console/terminal shell program, I want to
>> > log/backup all command, run on console/terminal/ksh,
>> >
>> > Any idea how to do this?
>> >
>>
>> See HISTFILE and HISTSIZE in ksh(1).
>>
>> Cheers,
>> --
>> It isn't easy being a Friday kind of person in a Monday kind of world.
>>
>
> Using Ksh options is a good idea but that logs only the current user.
>
> If you wanna get all actions even using successive multiple users with su,
> you might use a screen session to log absolute console instead of logging
> history.
>
> screen OPTIONS  2>&1 /var/log/screen.session.$$.$(date +%Y%m%d).log
>
> This is barbarian version but very useful sometimes.

Also try script(1).

http://man.openbsd.org/OpenBSD-current/man1/script.1



Re: Thinking about writing something I'm calling wifid

2016-08-02 Thread Kamil Cholewiński
On Tue, 02 Aug 2016, Theo de Raadt  wrote:
> The kernel should have a better way of exporting stations it knows about
> live, rather than userland forcing channel hops and station changes out
> of sync with the kernel.

Perhaps overloading kevent? EVFILT_IEEE80211?



Re: Native C written i2pd port for OpenBSD

2016-07-21 Thread Kamil Cholewiński
Short answer: you'll probably have to get your hands dirty and help port it.
Open an issue, talk to maintainers, see what you can do to help.

On Thu, 21 Jul 2016, Denis Lapshin  wrote:
> Hi there.
>
> Looking for an OpenBSD port of PurpleI2P/i2pd C written project (non java
> version).
> Github link: https://github.com/PurpleI2P/i2pd
>
> Building it from scratch make a lot of errors.
>
> Please suggest.
>
> Denis



Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS

2016-07-20 Thread Kamil Cholewiński
On Wed, 20 Jul 2016, Theodoros  wrote:
> +1, zfs and hammer are great filesystems for such a use.
>
> Looking forward to RAID10 support on softraid (!).

Been running "manually stacked" RAID10 with 6 drives, on a low-traffic
production system, for half a year. System boots off the first RAID1
array. The second RAID1 provides altroot. Script in rc.local assembles
the RAID0 volume with the data pool.

However, I didn't try an upgrade yet. ;)



Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS

2016-07-20 Thread Kamil Cholewiński
On Wed, 20 Jul 2016, Miles Keaton  wrote:
> So I figure if I use OpenBSD + softraid RAID 5 (across 4 disks) and then
> write my own little shell script to track the MD5 (find . -type f -exec md5
> {} \;) whenever I make changes, that should be enough to see if a file has
> been changed due to disk corruption.

This will detect corruption, but won't fix it. ZFS fixes corrupted files
on the fly, when possible, and updates on-disk parity to sustain another
hit on the same file.

Also I would rather recommend you use RAID10, with drives from two
different batches.



Re: How make "pkg_add" auto-choose some package version for me when same package is available in more versions?

2016-07-04 Thread Kamil Cholewiński
On Mon, 04 Jul 2016, Chris Bennett  wrote:
> Don't want to rebuild your production web/business servers?
> Look up Mtier in the mailing list. Nice helpful infrastructure.

Yes, I use their services both at work and at home.

> Not to sound like I'm kissing ass, but you really should look at the
> incredible work Marc Espie has done for OpenBSD. His work and dedication
> deserves respect. You should look at how things have improved
> tremendously since OpenBSD forked from NetBSD. The mailing lists go way
> back. I've read some of the older stuff. Impressive history.
>
> OpenBSD has its own, distinct culture. I like it.

True and agree.

I'm not trying to diminish anyone's accomplishments, Marc (and other
OpenBSD devs) have done incredible work, and the Docker devs have done
incredible work.

It's easy to pick up a tool and misuse it, especially if the tool is so
powerful and easy to use. It's even easier to look at the other group,
misunderstand what they're trying to achieve, and dismiss the crowd as
clueless.

<3,K.



Re: How make "pkg_add" auto-choose some package version for me when same package is available in more versions?

2016-07-04 Thread Kamil Cholewiński
On Mon, 04 Jul 2016, Marc Espie  wrote:
> YES, they're all wrong. There's a BIG difference between running new
> shitz in a test setup vs running "bleeding edge" in production.

I think we're confusing two different concepts here... Latest stable
release (with most recent security patches) vs following bleeding edge.

Former is almost always what you want in production. There might be only
one exception: known new bug in the patch. If such a thing is common, I
guess that's really a problem with the process, not with the packaging
infrastructure...

Bleeding edge has its place too. Even reasonable people do it in
non-critical environments, to check out changes before they're surprised
in the next release, or give feedback to the OS developers / packaging
team.

> That's the large problem with the current devops/container culture.

If you're unhappy with this culture, do something to affect it in a
positive way. Devs at my $WORK know not to curl | sudo bash, because
we've had several chit-chats about what's OK and what's not, and why.

K.



Re: How make "pkg_add" auto-choose some package version for me when same package is available in more versions?

2016-07-04 Thread Kamil Cholewiński
On Sun, 03 Jul 2016, Raul Miller  wrote:
> And then there's the use case of untangling the mess when this did the
> wrong thing.

Well, I think nobody here argues that a program, if facing a hard
decision, should throw an error rather than corrupt the system.

I'm well aware, things that run fine on Python 3.4 can break horribly on
Python 3.5 (or vice versa!), but this is why you'd explicitly say
"python-3.*", or "python-3.4.*", depending on whichever variant you're
least uncomfortable to try.

> (Or, why do you think the Debian people take years to put together a release?)

- Ubuntu are releasing every 6 months, using the same packaging
  infrastructure (although I'm not a fan of Ubuntu).

- Debian has much bigger problems...

On Sun, 03 Jul 2016, Marc Espie  wrote:
> Now, a branch selector to be able to automate installation, that makes
> sense and that's why I added that to current.

Now this sounds interesting, I need to try it soon.

> But choosing and running the latest version automatically ? that's the
> computer equivalent of running blindfolded into traffic on a speedway.

Many people run CURRENT, trunk, HEAD, 0.999-dev, sid, Arch, however you
call it... (I don't, I like stable.) Suddenly they're all wrong?

<3,K.



Re: How make "pkg_add" auto-choose some package version for me when same package is available in more versions?

2016-07-03 Thread Kamil Cholewiński
On Sun, 03 Jul 2016, Chris Bennett  wrote:
> This can't be done and should NOT be done. if you are asked to choose
> between two+ different versions, often that choice is based on the other
> package(s) that depend on a particular version. You may even need to
> install both versions when two of your other packages require one of
> each of the two. See python. I have packages that require python 3.x.x
> and some others which require python 2.x.x.
> Even more as a good example, look at all of the different versions of
> autoconf. How could an automated version of pkg_add possibly guess which
> version you actually need in two months?

You've totally missed the 99% use case: "just give me the latest version".



Re: I am not sure if it is a problem with OpenBSD's httpd

2016-07-01 Thread Kamil Cholewiński
Oh my god, just realised TTRSS is a self-hosted web app... makes sense,
Stuart is right - it must be the chroot...



Re: I am not sure if it is a problem with OpenBSD's httpd

2016-07-01 Thread Kamil Cholewiński
>  Arrived to this point, could be a problem with OpenBSD's httpd daemon
>  that runs in chroot??

None of the symptoms you've described has anything at all to do with
local httpd, or any other web server you might be running locally.

> But when I try to resolve DNS googleprojectzero.blogspot.com name in
> the shell, works ok:

That's right, DNS works at a lower layer than HTTP. So DNS may resolve,
but the remote host may still be unable to service your request.

You may want to run something like this to help you diagnose:

curl -v http://googleprojectzero.blogspot.com/feeds/posts/default

Cheers,
K.

On Fri, 01 Jul 2016, "C. L. Martinez"  wrote:
> Hi all
>
>  Recently, I have installed an OpenBSD virtual machine in my laptop with
> TT-RSS, and all works perfectly. Until I try to subscribe to a new feed.
> Every time, tt-rss returns the error "6 Couldn't resolve host". It is
> strange, because all other feeds migrated from other linux host, works ok.
>
>  For example, if I try to subscribe to
> http://googleprojectzero.blogspot.com/feeds/posts/default feed, error is
> returned. But when I try to resolve DNS googleprojectzero.blogspot.com name in
> the shell, works ok:
>
> Last login: Fri Jul  1 07:06:54 2016 from 172.22.55.1
> OpenBSD 5.9 (GENERIC) #4: Thu May 19 08:23:10 CEST 2016
>
> Welcome to OpenBSD: The proactively secure Unix-like operating system.
>
> Please use the sendbug(1) utility to report bugs in the system.
> Before reporting a bug, please try to reproduce it with the latest
> version of the code.  With bug reports, please try to ensure that
> enough information to reproduce the problem is enclosed, and if a
> known fix for it exists, include that as well.
>
> root@edinburgh:~# nslookup googleprojectzero.blogspot.com
>
> Server: 172.22.55.1
> Address:172.22.55.1#53
>
> Non-authoritative answer:
> googleprojectzero.blogspot.com  canonical name = blogspot.l.googleusercontent.com.
> Name:   blogspot.l.googleusercontent.com
> Address: 216.58.208.225
>
>  Arrived to this point, could be a problem with OpenBSD's httpd daemon that
> runs in chroot??
>
> Thanks.
>
>
> -- 
> Greetings,
> C. L. Martinez



Re: A patch for cal

2016-06-21 Thread Kamil Cholewiński
On Tue, 21 Jun 2016, Abu Unaysah  wrote:
> January 2016
> Su Mo Tu We Th Fr Sa
> 31  1  2
>  3  4  5  6  7  8  9
> 10 11 12 13 14 15 16
> 17 18 19 20 21 22 23
> 24 25 26 27 28 29 30

The reason this happens on commercially available, wall-hung calendars
is because they are all trying to save the extra few cm of paper, which
is less readable and an ugly hack - but justifiable, given living trees
are at stake. They often even cram the first and last day on the same
grid cell, which is impossible to reproduce on a terminal.

Historically, maybe you could use cal(1) to print your own wall-hung
calendar, I don't know if that was the case, as I was born after CRTs
became a thing. Nowadays the utility is excellent for firing up a
terminal window, typing "cal" quickly, glancing over the output, and
closing the window. Re-arranging the numbers to be LESS readable, for
the sake of imitating dead tree technology, does not seem helpful.

<3,K.



Re: No slip anymore?

2016-06-08 Thread Kamil Cholewiński
On Wed, 08 Jun 2016, Roderick  wrote:
> If you have a very old laptop with a comfortable keyboard, then
> minix is a good alternative to use the laptop for example as a
> typewriter (and much more than that).

Does your typewriter with 32 MB of RAM have Ethernet?
I remember occasionally browsing the interwebs on one,
as late as 2006.



Re: wifind(8) find your wifi

2016-06-03 Thread Kamil Cholewiński
Perhaps it's time that the best tool be chosen and made a part of the
base install? I've already seen like a 100 different OBSD WiFi scripts
floating around the 'net, and naturally I also have a DIY one.



Re: wifind(8) find your wifi

2016-06-02 Thread Kamil Cholewiński
On Thu, 02 Jun 2016, Ray Lai  wrote:
> use JSON::PP;

That's just my personal opinion, but JSON sucks for configuration files.
It's more of a human-readable data interchange format.

It feels like the same functionality can be achieved with something much
simpler, getent or CSV style.

> my $tmp = "/etc/wifind.tmp";

mkstemp?

> Please avoid nwid or wpakey with quotes, dollar signs, or backslashes.

Without knowing or assuming much about how WiFi works, why would this be
a concern in a well-designed program?

<3,K.
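
Added example, not code from wifind or from the post above: the two review points in the reply (mkstemp instead of a fixed temporary name, and no restriction on characters in nwid/wpakey), shown in Python rather than the script's Perl. Function names and the `.wifind.` prefix are hypothetical; the argument order follows OpenBSD's `ifconfig <if> nwid <id> wpakey <key>`.

```python
import json
import os
import subprocess
import sys
import tempfile


def atomic_write(path: str, data: bytes, mode: int = 0o600) -> None:
    """Replace `path` with `data` without ever using a predictable temp name.

    mkstemp() creates the file with O_EXCL and an unpredictable suffix, so a
    pre-existing file or symlink at the temp name is never opened. Creating it
    in the target's own directory keeps the final rename on one filesystem,
    which makes os.replace() atomic: readers see the old or the new file,
    never a half-written one.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".wifind.", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            os.fchmod(fh.fileno(), mode)  # WPA keys: owner-only by default
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        # Do not leave a stray temp file behind on any failure.
        if os.path.lexists(tmp):
            os.unlink(tmp)
        raise


def join_network_argv(iface: str, nwid: str, wpakey: str) -> list:
    """Build the ifconfig invocation as an argument vector, not a shell string.

    Each value is exactly one argv element, so quotes, dollar signs and
    backslashes in nwid/wpakey need no escaping and cannot be interpreted.
    """
    return ["ifconfig", iface, "nwid", nwid, "wpakey", wpakey]


# Child used only to show what a program receives when no shell is involved.
_ECHO_CHILD = "import json, sys; print(json.dumps(sys.argv[1:]))"


def argv_seen_by_child(args: list) -> list:
    """Run a child process with `args` and return the argv it actually saw."""
    done = subprocess.run(
        [sys.executable, "-c", _ECHO_CHILD, *args],
        check=True,
        capture_output=True,
        text=True,
    )
    return json.loads(done.stdout)


if __name__ == "__main__":
    # Constructed sample values containing the characters the script warns about.
    nwid = 'guest "lab" $HOME \\net'
    wpakey = "pa$$w'ord\\"
    argv = join_network_argv("iwn0", nwid, wpakey)
    print(argv_seen_by_child(argv[1:]) == argv[1:])

    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "wifind.conf")
        atomic_write(conf, json.dumps({"nwid": nwid}).encode())
        print(os.listdir(d))
```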



Re: hardware recommendation for openbsd-based thin client?

2016-05-27 Thread Kamil Cholewiński
I have an alix 2d3 (no vga) running on 5.9 as a jumphost for ssh.

It's slow. It's *very* slow. Usable more or less only as a router,
firewall, jumphost, ntp, etc that sort of appliance. If you'd like, I
can run some benchmarks for common tasks like pkg_add or a compile, so
you can get an idea.

On Fri, 27 May 2016, Marko Cupać  wrote:
> Hi,
>
> I have just noticed that pcengines has alix models with VGA ports:
>
> http://www.pcengines.ch/alix3d3.htm
> http://www.pcengines.ch/alix1e.htm
>
> Anyone tried OpenBSD on them?
>
> Regards,
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/



Re: Suggestion: new webpage for openbsd.org

2016-05-18 Thread Kamil Cholewiński
On Wed, 18 May 2016, Joakim Frostegård  wrote:
> I think it's more important to have good mobile support than perfect
> console browser support. Actually, bad mobile support is one of the
> biggest problems with the current site.

You have to cater to your audience... I'm quite sure there are many
people in OpenBSD's user base that would appreciate decent support for
"low-fi" browsers much more than being mobile-friendly. That is, there
is value in the latter, as long as the former is not hurt in the
process.

Cheers!
K.



Re:

2016-05-16 Thread Kamil Cholewiński
sed -i



Re: TLS now supported on openbsd.org?

2016-05-10 Thread Kamil Cholewiński
On Tue, 10 May 2016, Giancarlo Razzolini  wrote:
> Until every UA is changed to first try TLS and *only then* fall back
> to clear text http, this kind of measure has its uses.

This is of limited usefulness.

All you need to do (as a mitm) is to block the connection on port 443,
client will now automagically fall back to using 80 and plain text...
It's even easier than filtering out STARTTLS for SMTP. Go google some,
why opportunistic encryption is a bad idea.

K.



Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kamil Cholewiński
On Tue, 10 May 2016, Ingo Schwarze  wrote:
> Hi Kristaps,
>
> Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200:
>
>> (1) download ... couldn't find ... didn't require bash
>> (2) aforementioned script in a cronjob
>> (2b) user to have access to
>> (3) doas rule
>> (4) doas rule
>> (5) [another?] script from a cronjob
>
> You must be joking, Mr. Feynman.
>   Ingo
>
>> anything in those directories is toxic.

Precisely why I've been reluctant to try letsencrypt...

"What would be the least insane way to implement this in production?" -
Right now, I'm not sure if I should be asking this seriously.

K.



Re: Comprehensive user's/programmer's manual for OpenBSD: Do they exist?

2016-05-07 Thread Kamil Cholewiński
On Sat, 07 May 2016, David Lou  wrote:
> I wasn't able to find such a thing but perhaps I just missed it. I
> am wondering if anyone in the community knows whether such manuals
> exist for OpenBSD. Manpages are nice but they're not what I'm looking
> for. Trying to learn OpenBSD by looking up individual manpages is like
> trying to learn C programming by looking up individual functions. Sure
> you get a description of the functions but you will NOT get all the
> background information like C syntax, semantics, memory model,
> pointers, the whole shebang that every beginner *should* know, but
> don't have the background knowledge to know that they should be
> looking these up in manpages or elsewhere.
>
> I'd like to acquire confident working knowledge in OpenBSD. If no
> such manuals exist, then I'm wondering how did you or other expert
> users learn how to use and administrate the system, what the best
> programming practices are, etc. and have confidence that what they're
> doing is what they think they're doing? Surely it's not just by
> trial and error and seeing what appears to work because their
> ignorance will be a frustrating source of bugs and security flaws?

Start with the FAQ. As a *BSD beginner with only Linux knowledge, I
found it quite good at explaining all the basics, and the manuals (and
reading misc@, including the archives!) helped to fill in the gaps.

Set up a playground in Qemu or similar, or best - on some real hardware
that you can spare. Try things. Do things. Break things. Fix things.
Make it do something useful, like a file or game server, or use it as
your desktop. Have fun!

K.



Re: Pledging Python programs

2016-05-02 Thread Kamil Cholewiński
On Mon, 02 May 2016, Tobias Borgert  wrote:
> Hello misc,
>
> I wanted to look into Python C extensions and as I also wanted to look
> at pledge, the following was the result.
>
> [...]
>
> I didn't expect it to work even for basic examples, so I wanted to share
> this as I was surprised that it was actually simple up to this point.
>
> Best regards,
>
> Tobias

This is extremely relevant to my interests. I will definitely test soon.
Thank you!



Re: Create a RAID5 with a disk marked as degraded

2016-04-29 Thread Kamil Cholewiński
On Fri, 29 Apr 2016, Karel Gardas <gard...@gmail.com> wrote:
> On Fri, Apr 29, 2016 at 2:38 PM, Kamil Cholewiński <harry6...@gmail.com> wrote:
>> Silly, tangentially related question, perhaps someone knows an answer:
>>
>> Is there a considerable performance impact to be expected when using an
>> odd number of disks in RAID[56] setups?
>>
>> I mean, e.g. with RAID5, one disk stores parity data, so in a 3-disk
>> setup, a 512-byte data block is split between two devices. In a 5-disk
>> setup, or in a 6-disk RAID6 setup, similarly the data chunk is split
>> between four physical devices, so 512/4=nice number. What about
>> situations where 512/3, 512/5, etc?
>>
>> Am I making sense or garbage?
>
> If you look into softraid_raid5.c you will see that actual write I/O
> is done to only 2 drives: one data and one parity chunk. The thing is
> that both data and parity chunks change based on the disk block
> position and data length. I really recommend to see the code as it is
> nicely commented. Look for sr_raid5_rw and sr_raid5_write. In case of
> RAID6 this is more complicated, but write I/O goes to 3 drives (1 data
> + 2 parities) depending again on disk block position and data length.

That's brilliant. I'll definitely have a look. Thanks!



Re: Create a RAID5 with a disk marked as degraded

2016-04-29 Thread Kamil Cholewiński
On Fri, 29 Apr 2016, Karel Gardas  wrote:
> On Fri, Apr 29, 2016 at 10:20 AM, Erling Westenvik
>  wrote:
>> On Fri, Apr 29, 2016 at 09:49:14AM +0200, Karel Gardas wrote:
>>> Also for creation of RAID5 you need minimally 4 drives.
>>
>> Make that 3. :)
>
> I stand corrected! Mistake caused by my testing where I prepared 4
> drives also to perform RAID-6 testing besides RAID-5.
>
> Thanks! Karel

Silly, tangentially related question, perhaps someone knows an answer:

Is there a considerable performance impact to be expected when using an
odd number of disks in RAID[56] setups?

I mean, e.g. with RAID5, one disk stores parity data, so in a 3-disk
setup, a 512-byte data block is split between two devices. In a 5-disk
setup, or in a 6-disk RAID6 setup, similarly the data chunk is split
between four physical devices, so 512/4=nice number. What about
situations where 512/3, 512/5, etc?

Am I making sense or garbage?

K.



Re: Create a RAID5 with a disk marked as degraded

2016-04-29 Thread Kamil Cholewiński
On Fri, 29 Apr 2016, Benton Lam  wrote:
> Hi,
>
> I currently have a 5.7 box, with 2 disk RAID1 (comprised of sd1a and sd2a)
>
> Suppose I upgrade / install to 5.9. Is it possible for me to do the following:
>
> bioctl -O /dev/sd2a sd3 # degrade the raid1 (sd3)
> bioctl -c 5 -l /dev/sd1a,/dev/sd2a,/dev/sd4a -O /dev/sd1a softraid0 #
> create a raid 5 with sd1a, sd2a and sd4a, but sd1a is degraded,
> suppose that creates sd5
>
> 
> bioctl -d sd3
> bioctl -R /dev/sd1a sd5 # swap the sd1a back into  the raid5
>
> Is that possible? or should I be finding another 3TB drive, copy the
> stuff onto that temporary drive and create the RAID5?
>
> Thanks,
> Benton Lam

1. Try it in Qemu. Really, nothing like a playground where you can try
things without unnecessary risk. I run my lab like this:

> #!/bin/sh
> exec qemu-system-x86_64 -m 512 -no-fd-bootchk \
> -device virtio-net,netdev=mynet0 -netdev user,id=mynet0 \
> -cpu host -enable-kvm \
> -serial mon:stdio \
> -drive if=virtio,index=0,file=$HOME/vm/raidlab-0.img \
> -drive if=virtio,index=1,file=$HOME/vm/raidlab-1.img \
> -drive if=virtio,index=2,file=$HOME/vm/raidlab-2.img \
> ... [ continue adding drives here ] ... \
> -cdrom ~/iso/OpenBSD/amd64/install59.iso \
> "$@"

To get more disks, dd if=/dev/zero of=raidlab-$i.img bs=1M count=1024

The host is on Linux, but I think you only need to drop the kvm flag for
other host OS's to work.

You need -boot d to start from CD, and -nographic to use your terminal
as the console after installation. You may also want to add:

/etc/boot.conf:
> set tty com0
> stty com0 115200
/etc/ttys:
> tty00 "/usr/libexec/getty std.115200" vt220 on secure

2. For live data, if you care about it at all, this sounds like a really
bad idea. Ensure you have good backups before you do anything
destructive. Consider whether another drive's cost really means more to
you than your data. You can keep the extra drives as spares for later.
Better safe than sorry.

K.



Re: Not enough Memory!

2016-04-26 Thread Kamil Cholewiński
On Mon, 25 Apr 2016, Mohammad BadieZadegan  wrote:
> Hi everybody,
> I want to install wireshark but my memory was full!
> Is that a way to increase /dev/sd0h?
> Regards.

Do you have any unallocated disk space? "disklabel sd0" should show us
your disk layout.

Easiest is to use this unallocated space. In case you don't have any,
you could perform some surgery and swap /home & /usr/local around, since
/home seems to have a lot of unused space available.

For the future... Try planning your disk slice usage more carefully. If
you expect to install a lot of very heavy packages, 10-20GB for
/usr/local sounds like a reasonable choice.

K.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Kamil Cholewiński
On Tue, 26 Apr 2016, ra...@openmailbox.org wrote:
> If you want to make a dynamic "web application" then consider using 
> ur/web [1]. The programming language itself protects against SQL 
> injection, XSS attacks, CSRF attacks.

I hate to bring the bad news, but this language / framework has close to
zero chances of being used in a commercial product.

- ML / Haskell are too abstract for the 99% of Python/Ruby/JS/NameIt
  programmers out there. You or me love ML, the next guy will run away.

- The website itself looks horrible. You or me don't mind, because we
  focus on content and not presentation, but we're not in the 99%. Also
  it takes actual effort to make a website look this horrible...

- The documentation is lacking horribly. First off, these days if your
  TLDR to a "200 OK Hello world" is not in 10 lines and on your landing
  page, you probably have already lost 90% of the potential audience.
  The remainder got lost in incomplete examples and a terse reference
  manual.

- Nobody is interested in writing the most elegant qsort, because
  Python/Ruby/JS/NameIt already have a working implementation in their
  standard libraries. They also focus on helping you solve more real
  world problems (pushing HTML or JSON to browsers), which, skimming
  over the docs, I didn't see explained.

Sorry, but few people today judge a product based solely on its
theoretical merits; they need a toy to play with, and to see that it can
help them solve their problems.

A "half-secure" product that is easy to use, is more secure than a
secure product that nobody cares to use, because it provides a typical,
real-world user with a viable, real-world alternative over a completely
insecure product that is also easy to use.

> String based scripting languages like {node, php, python, perl, ruby} 
> have added on frameworks that try to 'prepare' sql queries or template 
> HTML to get it to do the various different levels of quoting for you. 
> It's possible to make secure sites in them if you do everything right. 
> problems still slip through.

Not necessarily. Consider a function prototype:

query(template: string, param1: mixed, ...) -> result: mixed

Whether this function is correct or secure or not, does not depend on
the language it was implemented or used in. Using it securely is still
up to the caller. Good interfaces can help good programmers write good
code, but you can't stop a bad programmer from writing bad code...

> That's why I recommend a programming language designed to remove these 
> issues entirely by parsing and understanding the sublanguages involved 
> in making a website (instead of having them as strings in your code).

Context-sensitive templating languages are a thing in mainstream tools.
I'm not a frontend web developer, but some quick googling brought this
up:

http://www.slideshare.net/adonatwork/efficient-contextsensitive-output-escaping-for-javascript-template-engines

K.
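
The `query(template, param1, ...)` prototype from this message, run against an in-memory SQLite table to show the same interface used with bound parameters and misused by a caller that splices the value into the template. This is an added example, not code from the thread; the table, the function names and the input strings are constructed.

```python
import sqlite3


def query(conn, template, *params):
    """The prototype from the message: SQL text plus values passed separately."""
    return conn.execute(template, params).fetchall()


def make_db():
    """Constructed sample data: one of alice's posts is an unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT, draft INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (author, title, draft) VALUES (?, ?, ?)",
        [("alice", "Hello", 0), ("alice", "Secret plans", 1), ("bob", "Static sites", 0)],
    )
    return conn


def published_titles(conn, author):
    """Correct use: the value travels as a parameter and is never parsed as SQL."""
    rows = query(
        conn, "SELECT title FROM posts WHERE draft = 0 AND author = ? ORDER BY id", author
    )
    return [title for (title,) in rows]


def published_titles_misused(conn, author):
    """Same query() function, but the caller formats the value into the template."""
    template = "SELECT title FROM posts WHERE draft = 0 AND author = '%s' ORDER BY id" % author
    return [title for (title,) in query(conn, template)]


def compare(author):
    """Run both callers on one input; an SQL error is reported as a string."""
    conn = make_db()
    try:
        misused = published_titles_misused(conn, author)
    except sqlite3.OperationalError as exc:
        misused = "error: %s" % exc
    return published_titles(conn, author), misused


if __name__ == "__main__":
    # Constructed inputs: a normal name, a name with an apostrophe, SQL metacharacters.
    for author in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(author), compare(author))
```

With the last input the misused caller returns the unpublished draft as well, while the parameterized caller treats the whole string as an author name and returns nothing.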



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Kamil Cholewiński
On Tue, 26 Apr 2016, li...@wrant.com wrote:
> Reality check, structured text presentation beats any sort of generator:
>
> [https://en.wikipedia.org/wiki/Lightweight_markup_language]

I agree with using an LML, but that's just one piece of the puzzle.
There are numerous converters available:

- http://pandoc.org/
- https://pypi.python.org/pypi/Markdown
- etc

Where's the line between a fully-fledged generator and a simple
converter?

Eg. pandoc is quite versatile, but you need a little glue and a template
before you could call it a blog. Going with a simpler converter, and you
soon end up with enough glue to call it a framework. (Greenspun's tenth
law?)

>> Try one of these: https://www.staticgen.com/
>
> Good luck finding one that will not shoot you in the foot in the long
> run if you are not trained to handle it inside out from the internals.

Agree! 100% agree! I did look at a whole bunch before deciding it's not
worth it, and stitched something together using pandoc, make, and some
Python to generate indexes. That's for v2, v1 didn't even use pandoc.

However same argument as with anything custom vs stock.

> And prepare some cost and a person to dedicate to handling the comments.
> AI is pretty stagnant plus the personal e-assistants still don't get it.

If you want comments on your website, you need this person either way.

Disqus has an advantage, that you don't have to run a database and
handle user input on your backend. Of course if you're fine with Disqus,
you can probably also just go to Blogspot...

Personally, if I cared about comments, I'd insert a mailto: link in the
footer.

> The less the better, so edit where you like, copy to web server, done.

Depends! It may be OK if you're exactly one person with exactly one
website, but this won't scale well, esp. when there's any sort of build
process involved. Storing artifacts in VC sucks horribly, even for a
small thing. Build servers are overkill for a blog.

K.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Kamil Cholewiński
On Tue, 26 Apr 2016, David Lou  wrote:
> Hello,
>
> This is my first post. :) I suppose this is a high level kind of
> question.
>
> When I say 'blog', I'm referring to a website that contains
> essentially many pages of content. Each content page has attributes
> such as title, date, category, tags, and so on. When a user browses
> this website, the content pages are served in a visually attractive
> layout, with possible bells and whistles such as Facebook/Twitter
> share buttons, and comment sections. Additional features may include
> a search bar and an archive page.

Use a static site generator. Nothing beats a bunch of static files when
it comes to keeping your backend secure. No code is best code.

Don't try to roll your own, unless you're prepared to deal with CSRF,
XSS, comment spam, blah blah blah.

Try one of these: https://www.staticgen.com/

If you need comments, try https://disqus.com/

> Lastly, just a side question. Not sure if this is an FAQ: Running a
> webserver on OpenBSD probably means I'll need to stay up to date with
> security patches. Is there an automatic script I can run so I don't
> have to constantly worry about this aspect of running a website?

For OS security updates: https://stable.mtier.org/

If you install packages from third-party sources (pip, gem, npm, go get,
whatever), you need to come up with some sort of strategy. Best if you'd
subscribe to some sort of security@ or announce@ mailing list for each
project you care about.

K.



Re: Odd (incorrect?) zsh output

2016-04-17 Thread Kamil Cholewiński
On Sun, 17 Apr 2016, Geoff Wozniak  wrote:
>   # zsh -c 'x=$(false); echo $?'
>   0

Same thing here, same arch/release, different hardware:

> $ uname -mr 
> 5.9 amd64
> $ sysctl hw.vendor hw.product 
> hw.vendor=Dell Inc.
> hw.product=PowerEdge T20
> $ zsh -c 'x=$(false); echo $?' 
> 0
> $ pkg_info -I zsh
> zsh-5.2p2   Z shell, Bourne shell-compatible

No rc files in sight:

> $ ls .zsh*   
> ls: .zsh*: No such file or directory

Seems like a fault with zsh, not false:

> $ zsh -c 'x=$(ls xxx); echo $?'
> ls: xxx: No such file or directory
> 0

Built latest release from http://www.zsh.org/:

> $ ./Src/zsh --version
> zsh 5.2 (x86_64-unknown-openbsd5.9)
> $ ./Src/zsh -c 'x=$(false); echo $?' 
> 0

Looks like zsh bug.

K.



Re: bioctl disk encryption

2016-04-10 Thread Kamil Cholewiński
On Sun, 10 Apr 2016, Matt Schwartz  wrote:
> I really like the bioctl full disk encryption feature. I would love to see
> it extended to support multiple users/passkeys. I once worked with a
> commercial full disk encryption product that allowed this and could even be
> managed over a network. Coming up with a solution to manage encryption keys
> over a network is trivial but I'd love to see the full disk encryption
> extended to support multiple users with individual passkeys.
>
> Thanks for listening!

This is pretty much completely pointless.

FDE is supposed to protect your data when an adversary gains physical
access to the disks. Physical access to the machine = root access to the
OS.

If you suspect someone could've tampered with the OS/bootloader (e.g.
log the passphrase in cleartext), you better carry the bootloader on a
USB stick and keep it under your pillow.

If you trust your local users not to screw with the machine, just give
them the damn passphrase.

How many users share physical access to that box? 2? 5? 150? Perhaps too
many? How often does a member of the staff leave the company? Is
changing the passphrase every 6-12 months such a bother?

For any networked access, the traditional unix permission model does the
job, and having or not having FDE wouldn't make a slightest difference.
One user can't see or modify the files of another.

K.



Relative performance in "stacked" RAID setups

2016-04-04 Thread Kamil Cholewiński
Hello,

I have a couple Dell machines to play with, both with OpenBSD 5.[89] and
some sort of "stacked" RAID setup, involving crypto, mirroring and
striping in various orders. I've decided to play a little benchmark game
and share some numbers.

Machine 1: 5.8, PowerEdge 2970, Opteron 2378  (8 cores), 8GB, 6x2TB drives
Machine 2: 5.9, PowerEdge T20,  Pentium G3220 (2 cores), 8GB, 4x3TB drives

First machine is set up with /, /usr & /var on top of an unencrypted,
"raw" hard drive. There's also a big "data" volume assembled from three
sets of two-disk RAID1 mirrors, these three striped with RAID0, and a
crypto volume on top. Let's call it "RAID 10C".

Second machine has all four disks encrypted end-to-end, and the first
disk has the system (/, /usr, /var), while the remaining area is set up
with RAID10; let's call that "RAID C10".

On the second box, power saving settings are all at the speedy end
(hw.setperf=100, hw.perfpolicy=high); sysctl doesn't show anything on
the first one (probably missing support, but I assume the machine is
stuck at the high performance setting).

The commands I've used to measure write/read speed:

> dd if=/dev/urandom of=/var/test bs=1M count=100
> dd if=/dev/urandom of=/var/test bs=1M count=1000
> dd of=/dev/null if=/var/test bs=1M
> dd if=/dev/urandom of=/data/test bs=1M count=100
> dd if=/dev/urandom of=/data/test bs=1M count=1000
> dd of=/dev/null if=/data/test bs=1M

Data (bytes per second):

> Host  Setup  Write 100M  Write 1000M  Read 1000M
> m1    raw    139414012   137725122    110265042
> m1    10C    39029024    38779394     38833820
> m2    C      64169039    63344908     64132991
> m2    C10    26717974    37121514     61389590

Interesting observations:

- Crypto seems to add significant overhead, regardless of where it sits
  in a RAID stack;

- Crypto-then-RAID10 seems to be much more performant than
  RAID10-then-crypto, at least for large sequential reads; this seems
  counter-intuitive (blocks of data have to be encrypted 4x as often);

- Any form of RAID10 + crypto seems to be *slower* than a non-RAID setup
  with crypto; since RAID0 is supposed to help performance, perhaps a
  concatenating discipline would be more appropriate with such a setup?

- I don't have exact numbers right now since I've wiped and reinstalled
  machine #2 in between, but I've observed ~260MB/s write speeds with
  RAID10 w/o crypto;

- I have no idea how to flush the VFS cache! 100MB reads return
  immediately, a 1000MB file seems to always come off the disk. The
  Other OS has a "nocache" utility, and a "nocache" flag for dd.

Currently the machine #2 is just a plaything, so if anyone is interested
in more silly benchmarks, I can wipe the entire thing and set up
something else (1+C+0, C+5, 5+C, 0+C, C+1+cat, etc etc).

(Yes yes I know, all benchmarks are flawed, I should test the machine
with production workloads, performance vs redundancy vs encryption is a
tradeoff - pick one that suits the application, etc.)

K.



Re: faq12.html

2016-03-30 Thread Kamil Cholewiński
On Wed, 30 Mar 2016, Rob Pierce  wrote:
> For your consideration.
>
> Index: faq12.html
> ===
> RCS file: /cvs/www/faq/faq12.html,v
> retrieving revision 1.125
> diff -u -p -r1.125 faq12.html
> --- faq12.html29 Mar 2016 01:27:39 -  1.125
> +++ faq12.html30 Mar 2016 12:30:48 -
> @@ -662,7 +662,7 @@ on SIMH page.
>  
>  12.7.1 - USB devices aren't working properly
>  
> -The Zaurus has very little current available on its USB port, so many
> +The Zaurus has very little currently available on its USB port, so many
>  USB devices will not work if they are directly attached to it.
>  You will need to use a powered USB hub to run these devices.
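
Review bot: In the 12.7.1 hunk, the changed line turns the noun "current" into the adverb "currently", which leaves "very little" with nothing to quantify and loses the reason the following context lines give for needing a powered USB hub. The original wording refers to electrical current, so I would drop this change; if the aim is to prevent the misreading, "very little electrical current available on its USB port" says it unambiguously.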

"current" as in electricity.



Re: HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

2016-03-24 Thread Kamil Cholewiński
On Thu, 24 Mar 2016, Kevin Chadwick  wrote:
> BTW, only allowing Javascript to come from the primary domain over SSL
> would be a far saner idea, but let's see you get that past Google,
> facebook and all the other tracking sites?

It's possible with content security policy[1][2], but completely
optional and up to the webmaster (custom header sent by the server).
Google etc are actually pushing for it.

[1]: https://en.wikipedia.org/wiki/Content_Security_Policy
[2]: https://developer.mozilla.org/en-US/docs/Web/Security/CSP



Re: /usr/games/hack

2016-03-15 Thread Kamil Cholewiński
On Tue, 15 Mar 2016, Raul Miller <rauldmil...@gmail.com> wrote:
> On Tue, Mar 15, 2016 at 3:04 PM, Kamil Cholewiński <harry6...@gmail.com> wrote:
>> I didn't suggest it to be enabled by default. Administrator's choice.
>> Users can spawn private instances. No more dangerous than installing
>> openarena-server from ports.
>>
>> Not a score daemon but a game server. If it's a simple daemon keeping
>> scores, it couldn't stop users from submitting any score they please and
>> thus cheating.
>
> How is a game server better security (or better anything) than setgid
> for these games?

setgid is setgid, you give unprivileged users an executable they can
play with.

A daemon can open a descriptor to the score file at startup, chroot,
drop privileges, and only then start accepting connections.

> In my opinion:
>
> You'd basically have to rewrite everything from scratch to turn them
> into game servers. And, ok, that might make a fun project for someone
> with an MVC bent and an intense interest in game archeology, but the
> development/debugging issues here are daunting (and offer lots of
> potential for security holes).

Agree. Probably easier to write a couple of new, fun games from scratch.

> Meanwhile, if you trim that back to just a score server, you need to
> create a networked equivalent of setgid - maybe not a bad project in
> itself, but more opportunity for flaws.

I can't think of a way a networked setgid could ever be possible.
Ultimately it means the score server would have to somehow trust the
input from whichever program is sending the score.

Perhaps embed a signing key in the executable and chmod 111?
Infrastructural mess, keys would have to be different per each install.
Also not sure how to keep the user away from inspecting a core dump.

Perhaps there could be a way to let an unprivileged process exchange one
set of capabilities for another; like pledge, but a trade. "In exchange
for this cookie, I promise I will only ever write /var/games/scores".
Probably would end up having similar problems as setgid.

> But maybe you have some working code which shows otherwise? (Have you
> you looked at how these games were implemented?)
>
> Thanks,
>
> --
> Raul
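
The startup order described in this message (open the score descriptor, chroot, drop privileges, only then accept connections), shown as a small guess-the-number server that counts the guesses itself, so a client cannot submit a score of its choosing. This is an added example, not code from the thread or from OpenBSD; the `_guessd` user, the socket and score paths, and the game itself are hypothetical.

```python
"""Guess-the-number daemon: the server runs the game and owns the score file."""
import os
import pwd
import re
import secrets
import socket

# Import everything before chroot(); modules cannot be loaded from inside the jail.
MAX_GUESSES = 20
NAME = re.compile(rb"[a-z][a-z0-9_]{0,15}")


def open_resources(sock_path, score_path):
    """Step 1, still privileged: obtain the only two descriptors ever needed."""
    score_fd = os.open(score_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o644)
    if os.path.exists(sock_path):
        os.unlink(sock_path)                 # stale socket from a previous run
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    os.chmod(sock_path, 0o666)               # any local user may connect
    listener.listen(8)
    return listener, score_fd


def drop_privileges(username, jail):
    """Steps 2 and 3: confine the filesystem view, then give up root for good."""
    pw = pwd.getpwnam(username)              # look up before /etc disappears
    os.chroot(jail)
    os.chdir("/")
    os.setgroups([pw.pw_gid])                # drop supplementary groups first
    os.setresgid(pw.pw_gid, pw.pw_gid, pw.pw_gid)
    os.setresuid(pw.pw_uid, pw.pw_uid, pw.pw_uid)
    try:
        os.setuid(0)                         # must fail once the drop worked
    except PermissionError:
        return
    raise RuntimeError("privileges were not dropped")


def play(rfile, wfile, secret):
    """Game logic lives here, so the attempt count is the server's, not the client's.
    Returns the number of guesses used, or None if the game was not won."""
    for attempts in range(1, MAX_GUESSES + 1):
        line = rfile.readline(32)
        if not line:
            return None                      # client hung up: no score
        try:
            guess = int(line.strip())
        except ValueError:
            wfile.write(b"invalid\n")
            continue                         # a malformed guess still counts
        if guess == secret:
            wfile.write(b"correct %d\n" % attempts)
            return attempts
        wfile.write(b"higher\n" if guess < secret else b"lower\n")
    wfile.write(b"out of guesses\n")
    return None


def record_score(score_fd, name, attempts):
    """Append through the descriptor opened before privileges were dropped."""
    os.write(score_fd, name + b" %d\n" % attempts)


def handle(conn, score_fd):
    """Step 4: one client, one game. The name is unauthenticated here (assumption:
    a real daemon would take identity from the socket's peer credentials)."""
    with conn, conn.makefile("rb") as rfile, conn.makefile("wb", buffering=0) as wfile:
        name = rfile.readline(32).strip()
        if NAME.fullmatch(name) is None:
            return                           # also blocks newline/score injection
        attempts = play(rfile, wfile, secrets.randbelow(100) + 1)
        if attempts is not None:
            record_score(score_fd, name, attempts)


def main():
    # Hypothetical paths and user, chosen for this example.
    listener, score_fd = open_resources("/var/run/guessd.sock", "/var/games/guessd.scores")
    drop_privileges("_guessd", "/var/empty")
    while True:
        conn, _ = listener.accept()
        conn.settimeout(30)
        try:
            handle(conn, score_fd)
        except OSError:
            pass                             # timeout or dropped connection


if __name__ == "__main__":
    main()
```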



Re: /usr/games/hack

2016-03-15 Thread Kamil Cholewiński
On Tue, 15 Mar 2016, Theo de Raadt  wrote:
>> > You obviously cannot make them private, because that destroys inter-
>> > terminal games, and you cannot remove the common data because it is the
>> > game status data.
>>
>> The rest of the gamedev world seems to handle this situation by
>> splitting the game into a client and a server part.
>>
>> The client handles whatever the player is supposed to witness with their
>> eyes, and communicates with the server using some network protocol. The
>> server accepts client input, executes the game logic, keeps the game
>> state, updates connected clients, and keeps scores.
>>
>> This would probably be a major rewrite for most games.
>
> You propose to start a score daemon all the time?  Yes, you do...

I didn't suggest it to be enabled by default. Administrator's choice.
Users can spawn private instances. No more dangerous than installing
openarena-server from ports.

Not a score daemon but a game server. If it's a simple daemon keeping
scores, it couldn't stop users from submitting any score they please and
thus cheating.



Re: /usr/games/hack

2016-03-15 Thread Kamil Cholewiński
On Tue, 15 Mar 2016, Black Rider  wrote:
> On Sun, 13 Mar 2016 20:17:00 +0100, Theo Buehler wrote:
>
>> On Sun, Mar 13, 2016 at 02:06:54PM -0500, Edgar Pettijohn wrote:
>>> On current I get the following when starting 'hack'
>>>
>>> "Cannot get status of hack"
>>>
>>> It worked on 5.8 release.  Just wanted to see if anyone else had the
>>> same problem.
>>
>> hack, hunt, phantasia and sail are either completely broken or mostly
>> broken since they had their setgid bits removed almost 4 months ago:
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games/hack/Makefile
>>
>> so far, nobody has stepped up to fix them and I think you're the first
>> to mention it on the list.
>
> From the link:
>
> "score file features must be removed, or
> rewritten to use private files"
>
> That can be ok for some games, but Phantasia stores the game status in
> common files that must be accessible/writeable by the players, I think.
> You obviously cannot make them private, because that destroys inter-
> terminal games, and you cannot remove the common data because it is the
> game status data.

The rest of the gamedev world seems to handle this situation by
splitting the game into a client and a server part.

The client handles whatever the player is supposed to witness with their
eyes, and communicates with the server using some network protocol. The
server accepts client input, executes the game logic, keeps the game
state, updates connected clients, and keeps scores.

This would probably be a major rewrite for most games.

K.



Re: What do you use to manage contact info?

2016-03-04 Thread Kamil Cholewiński
On Fri, 04 Mar 2016, Joe Er  wrote:
> What do you use to manage your contacts?  I am currently using the
> address book in Thunderbird and am wondering if there is something that
> is better.

A file named ~/.people, with one entry per line:

Firstname Lastname 



Re: hostname | /etc/hosts

2016-02-25 Thread Kamil Cholewiński
On Thu, 25 Feb 2016, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016-02-24, Kamil Cholewiński <harry6...@gmail.com> wrote:
>> This. See how Google bought '.dev'.
>>
>> https://tools.ietf.org/html/rfc2606
>
>  was cheaper to buy the TLD to prevent anyone else from grabbing
> it, rather than change it>

Definitely. At Google's scale, probably any trivial decision like that
instantly saves them money or improves some process.



Re: hostname | /etc/hosts

2016-02-24 Thread Kamil Cholewiński
On Wed, 24 Feb 2016, Peter Hessler  wrote:
> On 2016 Feb 24 (Wed) at 12:59:04 + (+), Craig Skinner wrote:
> :Hi Rodrigo,
> :
> :On 2016-02-24 Wed 10:48 AM |, Roderick wrote:
> :> 
> :> Should the name in /etc/myname include a domain name? Even when I
> :> do not have a static IP registered in a public DNS?
> :> 
> :
> :Yes, these non-public "domains" are suitable:
> :.localdomain
> :.internal
> :.private
> :.priv
>
> Do not depend on any domain that you don't own.  Just because it isn't
> allocated _now_ doesn't mean it won't be.
>

This. See how Google bought '.dev'.

https://tools.ietf.org/html/rfc2606

Any other relevant RFC's?

K.



Re: GUI Designer

2016-02-22 Thread Kamil Cholewiński
If your program / tool mainly operates on lines of text, you absolutely
must check out dmenu.

You can write a program launcher, ssh launcher, file manager, music
player, copy to clipboard, password vault, Wifi selector, todo/calendar
app, web bookmarks manager, list email headlines, mount volumes, kill
processes... All with a bunch of simple shell scripts and stdio.

I would say this is the most UNIX-y way to do a GUI.

K.



Re: Firefox W^X isn't a part of Pwn2Own contest

2016-02-17 Thread Kamil Cholewiński
On Wed, 17 Feb 2016, Lampshade  wrote:
> Does original Firefox compiled by Mozilla running on Windows
> have W^X? I bet: no, it doesn't.
> I run browsers on the other user account in OpenBSD.

Do you also sandbox the browser with some sort of remote desktop, or run
under a separate X session? AFAIK X allows any program to meddle with
any other program under the same display.

I was considering a separate user setup, but I'm not sure if it's worth
the trouble if there's little added security. Do you know of a setup
that provides both adequate isolation and doesn't make you want to throw
the computer out the window in frustration over things like clipboard
sharing?

K.



Re: can't run multiple instances of httpd, flags not visible in processes

2016-01-28 Thread Kamil Cholewiński
On Thu, 28 Jan 2016, Paolo Aglialoro  wrote:
> When this goes implemented, how will one start/stop/reload/check the single
> instance or all instances through /etc/rc.d/ ?

I hate to repeat myself, but runit solves all of these problems cleanly,
with no need for ps grepping, with no patches in the daemons necessary,
and with minimal setup.

sv restart /var/services/httpd1
sv restart /var/services/httpd2



Re: can't run multiple instances of httpd, flags not visible in processes

2016-01-27 Thread Kamil Cholewiński
> Or is there any other way to distinguish between two httpd instances?

Try runit: http://smarden.org/runit/



Re: Daily cron error in 5.7

2016-01-25 Thread Kamil Cholewiński
On Mon, 25 Jan 2016, Craig Skinner  wrote:
> Hi Luciano,
>
> On 2016-01-24 Sun 19:52 PM |, Luciano wrote:
>> run-parts: /etc/cron.daily/logrotate exited with return code 1
>   ^  ^ what are these?
>
> $ man run-parts
> man: no entry for run-parts in the manual.

Looks like some Debianism:

> % apt-file find bin/run-parts   
> debianutils: /bin/run-parts
> % man -f run-parts
> run-parts (8)- run scripts or programs in a directory

http://manpages.ubuntu.com/manpages/lucid/man8/run-parts.8.html



Re: if I were to make a pkg-add diff

2016-01-04 Thread Kamil Cholewiński
On Mon, 04 Jan 2016, Janne Johansson  wrote:
> What you meant was thousands of users sending handful of pings across
> the world to a lot of the mirrors each time they (re)restart pkg_add?

http://packages.debian.org/unstable/net/netselect-apt
http://http.debian.net/



Re: Is a gmail/text-flow dmesg better than no dmesg?

2015-12-30 Thread Kamil Cholewiński
> (not compatible with 2-factor auth).

Citation needed? App-specific passwords work.



Re: Highest Speed Network Packet Generator?

2015-12-26 Thread Kamil Cholewiński
You should have a look at Snabb Switch. I haven't tried it myself yet.

On Sat, 26 Dec 2015, Mohammad BadieZadegan  wrote:
> Hi everybody,
> I need a network packet generator that generates Network Packets with the
> HIGHEST Speed!
> Before I migrate to OpenBSD I used PKTGEN on Linux to generate this with
> the highest speed level.
> At this state I need one tools BUT on the OpenBSD.
> Is that netmap (http://info.iet.unipi.it/~luigi/netmap/) useful in OpenBSD?
>



Re: text-mode gui

2015-12-21 Thread Kamil Cholewiński
On Mon, 21 Dec 2015, li...@wrant.com wrote:
>> > Usability means then it should be not only humans but also programs
>> > who are able to interact with the installer.  So, since stream editors
>> > know nothing about this seasons' (or Luddite's) line drawing symbols,
>> > and users barely see the information between these on another terminal
>> > capability controlled device, just and only:
>
> On Mon, 21 Dec 2015 00:16:02 +0100 Kamil Cholewiński <harry6...@gmail.com>
>>
>> A DSL.
>
> Get out of your ideas inception hat.  If you did not witness it, the
> books say UNIX command line domain specific language is called shell,
> the one used in OpenBSD is ksh(1).  The rest is history.  There is
> absolutely no way to add another on top of this one to make it a silly
> dungeon quest instead of a 3 min installer susceptible to automation.

Pardon sir, I believe there is quite a lot of well-established prior art
that disproves your point. Or perhaps someone is interested in patches
to turn hostname.if(5), doas.conf(5), or pf.conf(5) into executable
shell scripts.

> susceptible to automation.

Step 1. create a tool that requires user interaction
Step 2. create a tool that automates the interaction

When you type "ls" without an argument, does it start asking you
questions? We'd soon need "autols" to automate feeding answers to "ls".

Perhaps I'm a bit unclear about my POV, because I've both proposed a
silly dungeon quest language, and argued against interactive scripts.

Interactive scripts have their place, the installer is one. Building an
interactive script to gather answers is a common pattern, that may be
worthy of capturing and reusing.

However with almost every interactive tool, soon someone shows up that
just needs the "interactive" part to get out of their way. Now they must
write more code to "defeat" the interactive code.

Now which one is simpler?

> a=`echo 1 | read answer && echo $answer`

or:

> a=1

Silly dungeon quest could do the broad equivalent of the latter form.
You could tell it to read answers from a file instead of bugging the
user, or having them write automation code.

This is only possible in the general case if a DSL is used. You can't
automate automating sh - you're now dealing with the halting problem.

K.



Re: text-mode gui

2015-12-21 Thread Kamil Cholewiński
> Back about 2008 I had my own way of downloading and installing, still
> with the stock installer.  I'd download some files and put them on a
> CD, using the install floppy image as a boot image.  Boot the CD as a
> floppy, shell out and mount it as a CD, then go back and install from
> a mounted drive.  Worked fine for years until somebody had a "bright
> idea" that broke it.

Sorry for spamming this one but can't... resist... http://xkcd.com/1172/



Re: BIOS call fallback

2015-12-21 Thread Kamil Cholewiński
> Somebody who installs OpenBSD and cannot access the internet now has a
> double problem 1) he can't access the internet 2) he therefore can't
> search online for information about how to fix the problem.

IF you're installing a new and unknown OS on your only Internet-capable
device - you are *asking* for trouble. No level of hardware support can
help you if you're acting irresponsibly.

> I wonder what a brand new PC developed in hindsight that doesn't have
> to worry about backward compatibility would look like.

Read on Raspberry Pi's boot horror stories. It's a "brand new" toy PC
built with no legacy platform support.



Re: text-mode gui

2015-12-20 Thread Kamil Cholewiński
> Usability means then it should be not only humans but also programs
> who are able to interact with the installer.  So, since stream editors
> know nothing about this seasons' (or Luddite's) line drawing symbols,
> and users barely see the information between these on another terminal
> capability controlled device, just and only:

A DSL.

> ask: What is your hostname?
> type: text
> store: name

> ask: What is your quest?
> choices: 1="To seek the Holy Grail" 2="umm"
> store: quest

> ask: Would you like to change the default partition layout?
> choose: yes-no
> if-yes: !disklabel -E $disk

A DSL is easy to both read and write, for both machines and humans.
It can provide escape hatches to "real" languages when such need arises.
It decouples the model from the presentation, so that a more trendy
frontend can be swapped in later with minimal effort.

Of course none of that is necessary when a tool "just does" the job. We
don't need xterm, or a framebuffer console either for that matter - the
teletype works just fine.

(Not in favor of graphical or "curses" installers BTW)

K.
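
The question format sketched in this message, together with the answers-from-a-file mode described in the 2015-12-21 follow-up, as an added example that is not part of the original posts or of any OpenBSD tool. The function names, the answer list, and the choice to return `if-yes` commands instead of executing them are assumptions of this sketch.

```python
import shlex

# Constructed sample: the three questions from the post, in its syntax.
SCRIPT = """\
ask: What is your hostname?
type: text
store: name

ask: What is your quest?
choices: 1="To seek the Holy Grail" 2="umm"
store: quest

ask: Would you like to change the default partition layout?
choose: yes-no
if-yes: !disklabel -E $disk
"""

def parse(script):
    """One dict of key -> value per blank-line-separated question block."""
    questions = []
    for block in script.strip().split("\n\n"):
        q = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            q[key.strip()] = value.strip()
        if "ask" not in q:
            raise ValueError("block without 'ask': %r" % block)
        questions.append(q)
    return questions

def run(questions, answers=None, prompt=input):
    """Replies come from `answers` (e.g. answer-file lines) or from prompting."""
    replies = iter(answers) if answers is not None else None
    stored, commands = {}, []
    for q in questions:
        reply = prompt(q["ask"] + " ") if replies is None else next(replies, None)
        allowed = None
        if "choices" in q:  # 1="..." 2="..." -> {"1": "...", "2": "..."}
            allowed = dict(c.split("=", 1) for c in shlex.split(q["choices"]))
        elif q.get("choose") == "yes-no":
            allowed = {"yes": "yes", "no": "no"}
        if reply is None or (allowed is not None and reply not in allowed):
            raise ValueError("bad or missing answer for: " + q["ask"])
        value = allowed[reply] if allowed else reply
        if "store" in q:
            stored[q["store"]] = value
        if value == "yes" and q.get("if-yes", "").startswith("!"):
            commands.append(q["if-yes"][1:])  # collected for the caller, not run
    return stored, commands
```

Calling `run(parse(SCRIPT))` with no answers prompts on the terminal; passing the lines of a file as `answers` gives the unattended mode without any code to feed the prompts.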



Re: mupdf / mutool

2015-12-17 Thread Kamil Cholewiński
On Thu, 17 Dec 2015, Jan Stary  wrote:
> On Dec 17 03:28:38, tre...@india.com wrote:
>> You can write a script which executes mupdf and sends the route of the
>> directory containing the
>> pdf to a file in /tmp with the $pid of mupdf in the name. Then you can use
>> your wm's key bindings
>> (or use xbindkeys) to execute a program (or a shell script, or a Tcl/Tk
>> script, or a zenity script with
>> gtk crap or whatever) to ask for printing options. You can get the pid and 
>> the file name from the title 
>> of the focused windows with the help of xdotool, and the directory route 
>> from the temp file. 
>
> ... and then archive it in a ZIP file, make that an attachment
> to the A1 cell in a spread sheet, and mail that to yourself.

https://xkcd.com/1172/



Re: /bsd: athn0: device timeout

2015-12-16 Thread Kamil Cholewiński
> In doubt try an older but reliable Mainboard/Hardware/Bios. Modern
> Mainboard/Hardware/Bios CAN make difficulties.

Agree and agree. I've had a vaguely similar experience in 2014 with a
combination of Debian 7, a "latest and greatest" mobo, a noname PCIe
USB3.0 card, a 15m USB extension cable, and five USB webcams. The
webcams would randomly start outputting WAY too dark video streams, once
in 1-3h.

After several weeks of fighting and head-scratching, we've replaced the
"latest and greatest" PC with a mini Dell server. The setup was 100%
reliable following the switch.

One day before the project was delivered, mobo manufacturer releases
errata: PCIe bus would randomly drop voltage. BIOS upgrade would have
fixed it... I was already happy with the Dell though.

K.



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Kamil Cholewiński
> The official CD set contains the signify keys for that release and the
> next one.  Once you have a known good copy of one set, you can always obtain
> future ones securely.
>
> You don't even need to use the CD set to install, just as a way of obtaining
> the signify keys with a high degree of confidence.

This is the real thing bothering me. I don't even have a CD drive
available, and I was about to ask if it would be possible to get the
signify keys via paper mail in exchange for a donation. But both paper
and CDs can be intercepted and tampered with (with some effort).

> I currently just assume they are correct because it'd be enormously
> complex to spoof the entire OpenBSD distribution, but I shouldn't have
> to rely on "security through effort involved".

Exactly, and this is a problem with the CDs too. There's currently no
way to securely bootstrap the chain of trust. HTTPS is a way to do that.

Yes, we would have to rely on third parties (CAs). It can be optional
(so that a text browser from an ancient unsupported release can still
access plain HTTP version fine). It can be just a single page like
keys.openbsd.org so that there are few extra computing resources used.
It doesn't have to be Let's Encrypt - heck, I'm willing to go to
RapidSSL or whoever and pay for it myself if someone can give me a CSR
and assist with domain validation.

K.



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Kamil Cholewiński
> The official CDs have the signify key physically printed on them.

You press a new CD, print a new cover, etc.

> If you want to rely on third parties, I can send you a copy of the
> signify keys, signed by my PGP key.  How would that help you at all?

Sounds reasonable to me.



Re: python uwsgi port/package

2015-12-03 Thread Kamil Cholewiński
> I looked at runit but the documentation bills it as a replacement for
> init which I find to be very heavyweight. Am I missing something about
> runit, like a way to use it to manage a set of processes under init?

It can replace init or it can happily co-exist with it. If you only need
service supervision, on most OS's it's just "foopkg install runit".

Replacing init is the hard part, very few distros do that (eg. Void).



Re: python uwsgi port/package

2015-12-02 Thread Kamil Cholewiński
Everything boils down to whether you'd like to run more than one app on
your box.

> While I love pip and virtualenv in development, I don't understand the
> advantage they offer over the system package manager on a production
> machine.

Easy: whenever you can't be bothered with proper containers. App X
requires package foo version 1.2, app Y requires foo version 1.4.

Docker solves this universally. You can also achieve a similar effect by
building a chroot. virtualenv's advantage is it doesn't require root,
and is (subjectively) easier to use.

Also dev = staging = live. Every difference between the environments is
a potential bug, ready to blow up in your face the moment you hit the
deploy button.

> In addition, I feel that a reasonable uwsgi package would include an
> rc-script to start your app automatically at system boot time.

I prefer to run my application servers with runit. Traditional RC
scripts usually assume one package = one application instance. Usually
that's a sane assumption (what would be your reason for running two
instances of Apache?) but again, if you can't be bothered with
containers, virtualenv+runit make it easy to just put app X in /home/x,
app Y in /home/y, then run two uwsgi's.

> There's no doubt that all of this could be hand hacked but the way I
> see it the less hand hacking on production machines, the better. It
> might just be my style, but I feel that the less work I have to do on
> a production system from the command line, the more reliable that
> system will be.

You've mentioned Puppet. Also check out Ansible.

K.