Re: nginx + php = system() not working?

2024-05-17 Thread Martijn van Duren
On Thu, 2024-05-16 at 21:58 -0400, F Bax wrote:
> I think I missed something simple? I installed 7.5 release in a VM. I then 
> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
> # rcctl enable php83_fpm
> # rcctl start php83_fpm
> I found an issue with php system() function; so created this simple script 
> which produces "HiThere"; why is the date not presented?
> 
> <?php
>   echo 'Hi';
>   system( 'date' );
>   echo 'There';
> ?>

All the advice I've seen is horrible. chroot isn't enabled by default
without a reason (php and security have a history).
My first question would be why you need system() in the first place.
If you need the date/time, just use
https://www.php.net/manual/en/class.datetime.php. If it's just a proof
of concept be more precise in what you want to achieve and see if
there's a PHP library equivalent. If there's no reasonable way to
achieve it (which I highly doubt) I advise to copy the required binary
(and dependencies) into the chroot and make a memo to keep them up to
date.

martijn@



Re: pdftotext

2024-03-20 Thread Martijn van Duren
On Wed, 2024-03-20 at 11:55 +0000, James Cass wrote:
> pkg_info poppler-utils



In addition, if you know the name of the tool but don't know which
package it resides in, pkglocate from pkglocatedb is your friend:
$ pkglocate pdftotext
bash-completion-2.11p0:shells/bash-completion:/usr/local/share/bash-completion/completions/pdftotext
fish-3.7.0:shells/fish:/usr/local/share/fish/completions/pdftotext.fish
poppler-utils-24.02.0:print/poppler,-utils:/usr/local/bin/pdftotext
poppler-utils-24.02.0:print/poppler,-utils:/usr/local/man/man1/pdftotext.1

martijn@

> 
>  On Wednesday, March 20th, 2024 at 7:42 AM, soko.tica  
> wrote:
>  
> 
> >  
> > 
> > Hallo list,
> > 
> > There used to be a pdftotext package, but I couldn't find it now. I am 
> > running OpenBSD -stable 7.4 amd64.
> > 
> > I guess it is located in some other package, but can't find it.
> > 
> > Please let me know which package I should install. Thanks in advance.
> >  
> > 
> 
>  
> 



Re: history of w(1)

2024-01-22 Thread Martijn van Duren
On Mon, 2024-01-22 at 22:10 +0900, SASANO Takayoshi wrote:
> Hi,
> 
> I found the history of w(1) is
> 
> > HISTORY
> >  The w command appeared in 2BSD.
> 
> But the man page of OpenBSD-5.0 and previous describes
> 
> > HISTORY
> >  The w command appeared in 3.0BSD.
> 
> NetBSD's w(1) comes from 3.0BSD.
> Which is correct?

This was changed by schwarze@ back in 2012:

revision 1.19
date: 2012/01/15 20:06:40;  author: schwarze;  state: Exp;  lines: +3 -3;
Document what remains of the 2BSD heritage.
All facts found on the CSRG CD 1 in the 2bsd directory.
Feedback and ok jmc@, ok sobrado@.

Note the large number of 3BSD -> 2BSD changes.
Kirk McKusick asked Cynthia Livingston (cael@, of USENIX, who converted
most manuals from man(7) to mdoc(7) for the 4.3BSD-Net/2 release and
added lots of historical information around that time) what happened
in this respect, and she answered that she often wrote "appeared
in 3BSD" when she was unsure of when a utility was added.
Thanks to Kirk and Cynthia for that clarification.



Re: snmpd dies

2024-01-07 Thread Martijn van Duren
On Sat, 2024-01-06 at 16:12 +0100, Nicolas Goy wrote:
> On 06.01.24 00:03, Martijn van Duren wrote:
> > On Fri, 2024-01-05 at 13:09 +0100, Nicolas Goy wrote:
> > My first assumption is it's a bug in libagentx. However, I don't have
> > enough context to reproduce it. Can you reproduce it (somewhat)
> > reliably? Can you run snmpd with -vv to log the request(s) that
> > trigger it. If that's not sufficient context we might need to compile
> > either snmpd and/or libagentx with AX_DEBUG and AX_DEBUG_VERBOSE defined
> > and run it in the foreground (this logs all agentx data in hex-form to
> > stderr).
> 
> I was unable to reproduce it since it happened, I enabled the -vv flags. 
> I have only one machine monitoring the router and there is a single job 
> running every five minutes. I captured the output I got (which did not 
> trigger the bug). But it *should* be the request that was sent when the 
> crash occurred.
> 
> Regards
> 
> kuon

Unfortunately this isn't enough to give me a hint where the issue might
be... Let's keep an eye out and hope that we can gather some more
context next time, or that I can find something during normal
development.



Re: snmpd dies

2024-01-05 Thread Martijn van Duren
On Fri, 2024-01-05 at 13:09 +0100, Nicolas Goy wrote:
> Hello,
> 
> I am on OpenBSD 7.4 amd64 and today snmpd died with the following error 
> message:
> 
> snmpd[44109]: AgentX(1207475061): Protocol 
> error<27>snmpd_metrics[52600]: [fd:0 sess:3150713266 ctx:]: 
> unsupported call: agentx-Close-PDU
> snmpd[44109]: AgentX(1207475061/3150713266): Closed by snmpd (shutting 
> down)<26>snmpd[44109]: snmpe: AgentX(1207475061): disappeared unexpected
> 
> 
> My snmpd.conf
> 
> listen on :::1 snmpv2c
> listen on xxx.xxx.xxx.1 snmpv2c
> filter-pf-addresses yes
> filter-routes yes
> 
> read-only community public
> 
> 
> Any idea if there is something wrong or if it is just an snmpd bug?
> 
> Regards
> 
My first assumption is it's a bug in libagentx. However, I don't have
enough context to reproduce it. Can you reproduce it (somewhat)
reliably? Can you run snmpd with -vv to log the request(s) that
trigger it. If that's not sufficient context we might need to compile
either snmpd and/or libagentx with AX_DEBUG and AX_DEBUG_VERBOSE defined
and run it in the foreground (this logs all agentx data in hex-form to
stderr).

martijn@



Re: snmp protocol error

2022-12-10 Thread Martijn van Duren
On Fri, 2022-12-09 at 13:35 -0700, Byron Klippert wrote:
> On Fri, Dec 9, 2022, at 12:57, Stuart Henderson wrote:
> > On 2022-12-09, Byron Klippert  wrote:
> > > Hello,
> > > 
> > > I get an snmp protocol error response when attempting to `snmp get` 
> > > certain OIDs on various devices. However `tcpdump` shows that the device 
> > > is actually responding with the anticipated result but it appears snmp 
> > > isn't able to parse the response correctly? Any suggestions on how to 
> > > troubleshoot further are welcome.
> > > 
> > > 
> > > I'm requesting the mntrFreq OID which is formatted as such:
> > > Name: mntrFreq
> > > OID: .1.3.6.1.4.1.35833.12.3.1
> > > MIB: DB7000-MIB
> > > Syntax: INTEGER32 (87100..108100)
> > > Access: read-only
> > > Status: current
> > > DefVal:
> > > Indexes:
> > > Descr: "mntr Freq"
> > 
> > btw, the information in the mib file doesn't necessarily correspond
> > to what the device actually sends, "snmp get" doesn't care about the
> > mib file at all, just whether the pdu is correctly formatted.
> 
> Yup, understood. I've seen enough half-baked snmp implementations in the wild 
> to know the MIB docs are often only suggestions as to how devices actually 
> respond. 
> 
> > 
> > > imac:/home/admin $ snmp get -v 2c -r 0 -c *redacted* 
> > > udp:paint-receiver:161 .1.3.6.1.4.1.35833.12.3.1.0
> > > snmp: get: Protocol error
> > > 
> > > imac:/home/admin $ doas tcpdump host paint-receiver
> > > tcpdump: listening on bge0, link-type EN10MB
> > > 10:10:02.804614 192.168.0.4.21246 > paint-receiver.snmp: C=*redacted* 
> > > GetRequest(32) E:35833.12.3.1.0
> > > 10:10:03.231863 paint-receiver.snmp > 192.168.0.4.21246: C=*redacted* 
> > > GetResponse(40) E:35833.12.3.1.0=103500
> > 
> > It might be useful to use -X to do a hexdump (and maybe -s1500 to make
> > sure you get full packets); if you need to redact the snmp community
> > (although it probably doesn't really matter all that much seeing as
> > it's on a private lan address) make sure you get the hex digits too
> > 
> > That way we can get a better idea of what's actually sent on the wire
> > 
> > 
> > -- 
> > Please keep replies on the mailing list.
> 
> imac:/home/admin $ snmp get -v 2c -r 0 -c *redacted* udp:paint-receiver:161 
> .1.3.6.1.4.1.35833.12.3.1.0
> snmp: get: Protocol error
> 
> imac:/home/admin $ clear; doas tcpdump -X -s1500 host paint-receiver
> tcpdump: listening on bge0, link-type EN10MB
> 13:23:16.478673 192.168.0.4.11162 > paint-receiver.snmp: C=*redacted* 
> GetRequest(32) E:35833.12.3.1.0
>   0000: 4500 004d ce0a 0000 4011 0000 c0a8 0004  E..M....@.......
>   0010: c0a8 050c 2b9a 00a1 0039 aac2 302f 0201  ....+....9..0/..
>   0020: 0104 082a 2a2a 2a2a 2a2a 2aa0 2002 0428  ...********. ..(
>   0030: f7c4 fb02 0100 0201 0030 1230 1006 0c2b  .........0.0...+
>   0040: 0601 0401 8297 790c 0301 0005 00         ......y......
> 
> 13:23:17.366836 paint-receiver.snmp > 192.168.0.4.11162: C=*redacted* 
> GetResponse(40) E:35833.12.3.1.0=103500
>   0000: 4500 0059 f938 0000 fd11 3dfa c0a8 050c  E..Y.8......=...
>   0010: c0a8 0004 00a1 2b9a 0045 c089 3082 0039  ......+..E..0..9
>   0020: 0201 0104 082a 2a2a 2a2a 2a2a 2aa2 8200  .....********...
>   0030: 2802 0428 f7c4 fb02 0100 0201 0030 8200  (..(.........0..
>   0040: 1830 8200 1406 0c2b 0601 0401 8297 790c  .0.....+......y.
>   0050: 0301 0002 0400 0194 4c                   ........L

The problem is here in the final 4 bytes: 0x0001944c, which is the int
value of the response (0x0204 is the integer preamble).
According to X.690 section 8.3.2:
If the contents octets of an integer value encoding consist of more than
one octet, then the bits of the first octet and bit 8 of the second 
octet:
a) shall not all be ones; and
b) shall not all be zero.
NOTE - These rules ensure that an integer value is always encoded in the 
smallest possible number of octets

In this case the 1st byte is all zeroes, violating the rule. A check for
this was introduced to ber.c by rob@ to enforce this:
revision 1.5
date: 2019/05/12 20:13:08;  author: rob;  state: Exp;  lines: +9 -2;  commitid: 
7FpdY7sgslPEOJU0;
Enforce smallest number of contents octets for int (and enum).

ok claudio@

Although the additional byte(s) don't really hurt, I'm not sure if
reverting this diff for a single misbehaving device is worth it.
Unless anyone thinks differently I think it'd be better to first
go to the vendor of your device and ask them to fix this.

martijn@
> 
> 
> And here's the OID that responds correctly...
> 
> imac:/home/admin $ snmp get -v 2c -r 0 -c *redacted* udp:paint-receiver:161 
> .1.3.6.1.4.1.35833.12.2.10.1.0
> enterprises.35833.12.2.10.1.0 = STRING: DB7000: Paint Mt
> 
> imac:/home/admin $ clear; doas tcpdump -X -s1500 host paint-receiver
> tcpdump: listening on bge0, link-type EN10MB
> 13:32:08.168829 192.168.0.4.44771 > paint-receiver.snmp: C=*redacted* 
> GetRequest(33) E:35833.12.2.10.1.0
>   0000: 4500 004e 36ee 0000 4011 0000 c0a8 0004  E..N6...@.......
>   0010: c0a8 050c aee3 
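The X.690 8.3.2 rule quoted above, applied in Python to the INTEGER from the GetResponse hexdump, as an added example that is not OpenBSD's ber.c: the device's six bytes are copied from the dump, a strict decoder rejects them the way snmp(1) does since ber.c 1.5, and the minimal re-encoding shows what the device should have sent.

```python
"""BER INTEGER decoding with the X.690 8.3.2 minimal-length check.

Added example, not OpenBSD's ber.c: it applies the rule that the ber.c 1.5
commit quoted above enforces. DEVICE_INT is copied from the last six bytes
of the GetResponse hexdump in the thread.
"""
from typing import Optional, Tuple

# Tag 0x02 (INTEGER), length 4, contents 00 01 94 4c: the value 103500 fits in
# three octets, so the leading 0x00 violates 8.3.2 b).
DEVICE_INT = bytes.fromhex("0204 0001944c")


def minimal_violation(content: bytes) -> Optional[str]:
    """Describe the X.690 8.3 violation in the contents octets, or None if clean."""
    if not content:
        return "INTEGER needs at least one contents octet (8.3.1)"
    if len(content) == 1:
        return None
    first, second_msb = content[0], content[1] & 0x80
    if first == 0x00 and second_msb == 0:
        return "first octet and bit 8 of the second are all zero (8.3.2 b)"
    if first == 0xFF and second_msb:
        return "first octet and bit 8 of the second are all ones (8.3.2 a)"
    return None


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Parse a BER length field at pos; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:                       # short form: one octet
        return first, pos + 1
    n = first & 0x7F                       # long form, e.g. 82 00 39 in the dump
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_ber_integer(buf: bytes, strict: bool = True) -> Tuple[int, int]:
    """Decode one INTEGER TLV at the start of buf; return (value, octets used).

    strict=True rejects non-minimal contents, as snmp(1) has done since
    ber.c 1.5; strict=False tolerates the extra octets like older snmp did.
    """
    if not buf or buf[0] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, pos = _read_length(buf, 1)
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated contents")
    problem = minimal_violation(content)
    if problem and (strict or not content):
        raise ValueError("Protocol error: " + problem)
    return int.from_bytes(content, "big", signed=True), pos + length


def encode_ber_integer(value: int) -> bytes:
    """Encode value as a BER INTEGER using the smallest possible contents."""
    n = 1
    while True:
        try:
            content = value.to_bytes(n, "big", signed=True)
            break
        except OverflowError:
            n += 1
    return bytes([0x02, len(content)]) + content   # short-form length suffices


if __name__ == "__main__":
    print("lenient:", decode_ber_integer(DEVICE_INT, strict=False)[0])
    try:
        decode_ber_integer(DEVICE_INT)
    except ValueError as err:
        print("strict:", err)
    print("what the device should send:", encode_ber_integer(103500).hex(" "))
```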

Re: redirection puzzle

2022-12-02 Thread Martijn van Duren
On Fri, 2022-12-02 at 16:17 +0100, rsyk...@disroot.org wrote:
> Dear list,
> 
> 
> I needed to show the stdout of a command as well as pass
> it to another command's stdin. This works:
> 
> odin:~$ echo 1 | tee /dev/stderr | sed 's/1/2/'
> 1
> 2
> odin:~$
> 
> and this works, too:
> 
> odin:~$ echo 1 | tee /dev/ttyp8 | sed 's/1/2/'
> 1
> 2
> odin:~$
> 
> where /dev/ttyp8 is the result of the tty command:
> 
> odin:~$ tty
> /dev/ttyp8
> odin:~$
> 
> but this does not work:
> 
> odin:~$ echo 1 | tee $(tty) | sed 's/1/2/'
> 2
> odin:~$
> 
> I do not understand why...

tty(1) is one of the shorter applications, so it's easy to see what it
does:
	t = ttyname(STDIN_FILENO);
	if (!sflag)
		puts(t ? t : "not a tty");

Since $(tty) is part of the chain now, its stdin is the output of echo
and the output will be "not a tty". You might have some additional files
lying around. :-)

martijn@
> 
> Thanks for any comments (and sorry for such a trivial
> question).
> 
> 
> Best regards,
> Ruda
> 



IPV6 ND and non-local prefixes

2022-11-18 Thread Martijn van Duren
Hello misc,

I'm starting to play around with IPv6 and rad(8). I've noticed that I
can broadcast arbitrary prefixes via "no auto prefix" combined with
"prefix ". These get assigned properly via slaac and can be
used to forward packets, but if I don't assign an IP in the prefix on
the broadcasting interface the return packets won't get delivered,
because that interface doesn't participate in the ND process for that
prefix.

From what I gathered RA (and thus the default gateway on the slaac nodes
using them) is always the link-local address. If I don't have a need for
a public IPv6 address on my router:
1) Is there a requirement I overlooked to have the public IP on the
   interface?
2) If there is no such requirement, is there a requirement to not do ND
   for not locally assigned prefixes?
3) If there is no such requirement, did I miss a switch to enable ND
   for a non-local assigned prefix? Or is there a reason to not have
   one?

martijn@



Re: snmp MIBs

2022-10-19 Thread Martijn van Duren
On Wed, 2022-10-19 at 05:50 +, Alec wrote:
> Hi,
> I wanted to ask about two things related to MIBs.

Please read http://www.openbsd.org/mail.html
The long lines are really hard to grok.

> 1) I noticed that in OPENBSD-PF-MIB.txt we have entries like pfTblAddrTblIndex
> pfTblAddrTblIndex OBJECT-TYPE
>         SYNTAX          Integer32 (1..2147483647)
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The index value which uniquely identifies the table which
>                 contains this pfTblAddrNet/pfTblAddrMask pair."
>         ::= { pfTblAddrEntry 1 }
> Which translates to OID 1.3.6.1.4.1.30155.1.9.129.1.1 (if I am not mistaken).
> If I do an snmp walk of the whole 1.3 I can see that after
> 1.3.6.1.4.1.30155.1.9.128 the next OID is 1.3.6.1.4.1.30155.1.10.1.0, so
> 1.3.6.1.4.1.30155.1.9.129 is skipped. Is there something that needs to be
> enabled in order to get this OID? I have several tables set up in my pf.conf.

Are the tables also used or did you add the persist keyword to them?
If not, the optimiser will remove them and empty snmp tables will return
the noSuchObject exception.
You can run `pfctl -s Tables` to verify.
$ doas pfctl -s Tables
testtable
$ snmp walk -v2c -cpublic 127.0.0.1 1.3.6.1.4.1.30155.1.9.128
pfTblIndex.1 = INTEGER: 1
pfTblName.1 = STRING: testtable
pfTblAddresses.1 = INTEGER: 1
pfTblAnchorRefs.1 = INTEGER: 0
pfTblRuleRefs.1 = INTEGER: 0
pfTblEvalsMatch.1 = Counter64: 0
pfTblEvalsNoMatch.1 = Counter64: 0
pfTblInPassPkts.1 = Counter64: 0
pfTblInPassBytes.1 = Counter64: 0
pfTblInBlockPkts.1 = Counter64: 0
pfTblInBlockBytes.1 = Counter64: 0
pfTblInXPassPkts.1 = Counter64: 0
pfTblInXPassBytes.1 = Counter64: 0
pfTblOutPassPkts.1 = Counter64: 0
pfTblOutPassBytes.1 = Counter64: 0
pfTblOutBlockPkts.1 = Counter64: 0
pfTblOutBlockBytes.1 = Counter64: 0
pfTblOutXPassPkts.1 = Counter64: 0
pfTblOutXPassBytes.1 = Counter64: 0
pfTblStatsCleared.1 = Timeticks: (400) 0:00:04.00
pfTblInMatchPkts.1 = Counter64: 0
pfTblInMatchBytes.1 = Counter64: 0
pfTblOutMatchPkts.1 = Counter64: 0
pfTblOutMatchBytes.1 = Counter64: 0
$ snmp walk -v2c -cpublic 127.0.0.1 1.3.6.1.4.1.30155.1.9.129
pfTblAddrTblIndex.1.10.0.0.0.8 = INTEGER: 1
pfTblAddrNet.1.10.0.0.0.8 = IpAddress: 10.0.0.0
pfTblAddrMask.1.10.0.0.0.8 = INTEGER: 8
pfTblAddrCleared.1.10.0.0.0.8 = Timeticks: (600) 0:00:06.00
pfTblAddrInBlockPkts.1.10.0.0.0.8 = Counter64: 0
pfTblAddrInBlockBytes.1.10.0.0.0.8 = Counter64: 0
pfTblAddrInPassPkts.1.10.0.0.0.8 = Counter64: 0
pfTblAddrInPassBytes.1.10.0.0.0.8 = Counter64: 0
pfTblAddrOutBlockPkts.1.10.0.0.0.8 = Counter64: 0
pfTblAddrOutBlockBytes.1.10.0.0.0.8 = Counter64: 0
pfTblAddrOutPassPkts.1.10.0.0.0.8 = Counter64: 0
pfTblAddrOutPassBytes.1.10.0.0.0.8 = Counter64: 0
pfTblAddrInMatchPkts.1.10.0.0.0.8 = Counter64: 0
pfTblAddrInMatchBytes.1.10.0.0.0.8 = Counter64: 0
pfTblAddrOutMatchPkts.1.10.0.0.0.8 = Counter64: 0
pfTblAddrOutMatchBytes.1.10.0.0.0.8 = Counter64: 0
$ doas pfctl -t testtable -T kill
1 table deleted.
$ snmp walk -v2c -cpublic 127.0.0.1 1.3.6.1.4.1.30155.1.9.128
pfTblTable = No Such Object available on this agent at this OID
$ snmp walk -v2c -cpublic 127.0.0.1 1.3.6.1.4.1.30155.1.9.129
pfTblAddrTable = No Such Object available on this agent at this OID

> 2) I wanted to see some stats for Pkts and Bytes on one of the interfaces but
> was a bit confused by the description difference between In and Out.
> For "In" we have:
> pfIfIn4PassBytes OBJECT-TYPE
>         SYNTAX          Counter64
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The number of IPv4 bytes passed in."
>         ::= { pfIfEntry 7 }
> pfIfIn4BlockPkts OBJECT-TYPE
>         SYNTAX          Counter64
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The number of incoming IPv4 packets blocked."
>         ::= { pfIfEntry 8 }
> However, for "Out" we have:
> pfIfOut4PassPkts OBJECT-TYPE
>         SYNTAX          Counter64
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The number of IPv4 bytes passed out." < ?
>         ::= { pfIfEntry 10 }
> pfIfOut4PassBytes OBJECT-TYPE
>         SYNTAX          Counter64
>         MAX-ACCESS      read-only
>         STATUS          current
>         DESCRIPTION
>                 "The number of IPv4 bytes passed out."
>         ::= { pfIfEntry 11 }
> The same can be seen for In6 and Out6.
> Do we only count bytes for "Out"? Or perhaps the description is wrong?
> 
That looks like a (copy-paste) bug in the description. The code actually
retrieves the number of packets; from libexec/snmpd/snmpd_metrics/mib.c:
	else if (obj == pfIfOut4PassPkts)
		agentx_varbind_counter64(vb, pif.pfik_packets[IPV4][OUT][PASS]);

There's another OPENBSD-PF-MIB diff pending, I can see if I can add
this one to the revision bump.

martijn@



Re: snmp traps

2022-10-18 Thread Martijn van Duren
On Wed, 2022-10-19 at 05:13 +, Alec wrote:
> Hi,
> Does anyone know where I can find the list of snmp traps that are supported 
> by OpenBSD?

Even though a lot of work has been done lately in snmp land, traps are
still one of the main tickets I need to address. Right now only
coldStart is supported and custom traps over AgentX are dropped with a
warning sent to syslog.

Since I'm doing this in my spare time I can't give you a time frame of
when I'll get around to it.

For future reference, are there any specific traps you would like to
see implemented?

martijn@



Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Martijn van Duren
On Fri, 2022-10-14 at 14:14 +0200, Željko Puškarić wrote:
> Hi Stuart,
> 
> adding all of my users to /etc/master.passwd would be an administrative
> burden, I would have to do that on every OpenBSD box and removing users would 
> mean I'll have to remove users from all OpenBSD boxes, so I am trying to avoid 
> that.

The suggestion was to test it out to see if the problem is just in
ypldap(8), or also in login_ldap.

One of the things I see is that you haven't set up ypbind(8), which
might be a big part why things fail for you.

> Since shell is retrieved from LDAP and is used to log in to Linux boxes
> too I just set it as is set on Linux (installed bash on OpenBSD prior
> to setting LDAP authentication).
> Why is bash a bad idea on OpenBSD?
> 
> 
> -Original Message-
> From: Stuart Henderson 
> To: misc@openbsd.org
> Subject: Re: Problems with LDAP authorization against OpenLDAP server
> Date: Fri, 14 Oct 2022 11:29:34 -0000 (UTC)
> 
> On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> > I am a seasoned Linux admin and my first forray into the world of
> > OpenBSD confronted me with a problem.
> > What I am trying to achieve is enabling authorization to OpenBSD
> > machine against existing OpenLDAP server (hosted on Linux).
> > In order to achieve that I followed these instructions: 
> > https://blog.obtusenet.com/openbsd-and-ldap/
> > 
> 
> I would start by adding a master.passwd entry for your user (you
> can just put * as the hashed password) and try to login while using
> login_ldap to handle the password.
> 
> That way you can at least confirm that login_ldap is working while
> investigating ypldap.
> 
> I can't help much with ypldap (I had it working once but decided to
> just build static master.passwd files based on the contents of ldap and
> push them out as it was much simpler and login_ldap did most of what
> I wanted), but a couple of quick comments, other than that
> /var/log/authlog might give some clues...
> 
> > attribute passwd maps to "userPassword"
> > #   fixed attribute passwd "*"
> > ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
> 
> Since you're using login_ldap you don't need the userPassword->passwd
> map, I think it's simpler to use "fixed attribute *" so it's clear that
> the password auth is not being done via yp. (login_ldap does a live check
> at login time, whereas if you were authing via the yp map then 1) you
> would need to avoid the {BCRYPT} prefix and 2) caching will get in the
> way of password changes etc).
> 
> Probably /bin/bash is not what you want as a shell for OpenBSD boxes.
> 
> > fixed attribute class ""
> 
> I used a separate class for ldap users set ('fixed attribute class
> "ldap"'), and created that class in login.conf with "auth=ldap" (so
> that only the users I expected to come from ldap tried to use ldap for
> authentication).
> 
> 
> 
> 
> 



Re: smtpd with dkim & mailing lists

2022-08-30 Thread Martijn van Duren
On Tue, 2022-08-30 at 17:13 +0200, Alexandre Ratchov wrote:
> Hi,
> 
> For my $DAYJOB I had to please big mail corporations and configured
> smtpd(8) to send DKIM-signed emails (also added SPF and DMARC
> records). This was easy using the instructions in the
> opensmtpd-filter-dkimsign port and works fine to send messages to
> bigmailcorp accounts.
> 
> The mail server is used to manage few mailing lists using mlmmj. At
> first glance, things appear to work:
> 
> - The envelope address (aka smtp "mail from:" address or return-path)
>   matches the mailing list server domain (not sender address domain),
>   which has the proper SPF record.

This should be fine, although for DMARC to be correct the "MAIL FROM:"
and From-header should be in line, or else DMARC fails. So mailing
lists will fail, unless you rewrite the from-header as well.
> 
> - The list server (mlmmj port) resends the message without modifying the
>   DKIM-signed headers and the DKIM-Signature header. So the signature
>   remains valid. In other words the receiver can verify that the mail
>   originated from the sender domain servers even if it's received from
>   the list server.
> 
> - The list server adds its own signature which is also valid. But
>   AFAIU, it's irrelevant as the signing key is not the sender domain
>   key.

That's fully dependent on what the receiver does with it.
For DMARC it only looks at signatures that are domain aligned, all the
others are informational.

However, one advantage is that by default filter-dkimsign adds a
signature to a lot of the different list-* headers. This means that
people know if someone messed with these headers since mlmmj added
them.
> 
> With all this, mails between gmail and microsoft seem to fly through the
> lists server.
> 
> If the sender domain adds a DKIM signature, I guess the mail will be
> possibly tagged as spam by bigmailcorps.
> 
Who knows what $BIGMAILCORP does. However, I can't think of a reason
why a valid signature (aligned or not) would cause a mail to be treated
as spam.

>  But it would also be tagged
> as spam if the sender did directly send to mailing list members. So,
> garbage in, garbage out, no problem.
> 
> Certain lists I'm subscribed to seem to use the same approach, others
> seem to discard DKIM-Signature headers.
> 
> - Is the reasoning correct? Am I missing something?
> 
> - Is there a way to make smtpd(8) add the DKIM signature only if the
>   sender domain is the local domain? (this would avoid the extra
>   irrelevant DKIM signature).

filter-dkimsign is complex enough as it is. I don't really want to add
too much more complexity. But if you make a strong enough case I'll
certainly consider it.
> 
> Thanks
> 
martijn@
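Martijn's point that DMARC only counts domain-aligned results, worked through as an added Python example (not code from filter-dkimsign, mlmmj or smtpd): the three constructed samples are a list relay that keeps the author's signature intact, one that breaks it, and one that also rewrites the From header; the domain names and the public-suffix table are assumptions made up for the example.

```python
"""DMARC identifier alignment, RFC 7489 section 3.1, as an added example.

This is not code from filter-dkimsign, mlmmj or smtpd(8). It models the cases
from the thread: a list relay that keeps the author's DKIM signature intact,
one that breaks it, and one that rewrites the From header. The public suffix
handling is a constructed stand-in for a real PSL lookup.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed stand-in for the public suffix list (only what the samples need).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. lists.example.net -> example.net."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ".".join(labels)
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r') the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the RFC5322.From header
    mail_from_domain: str            # RFC5321.MailFrom / Return-Path domain
    spf_pass: bool                   # SPF result for mail_from_domain
    dkim_pass: List[str] = field(default_factory=list)  # d= of verified signatures


def dmarc_result(r: AuthResults, adkim: str = "r", aspf: str = "r") -> Tuple[str, List[str]]:
    """DMARC passes when at least one passing mechanism is aligned with From.

    Returns ("pass"|"fail", the identifiers that counted). Valid but unaligned
    signatures, such as a list server's own, are informational only.
    """
    counted = []
    if r.spf_pass and aligned(r.from_domain, r.mail_from_domain, aspf):
        counted.append("spf:" + r.mail_from_domain)
    for d in r.dkim_pass:
        if aligned(r.from_domain, d, adkim):
            counted.append("dkim:" + d)
    return ("pass" if counted else "fail"), counted


# Constructed samples. The author posts from example.org through a list at
# lists.example.net; the list's envelope sender is in its own domain.
INTACT = AuthResults("example.org", "lists.example.net", True,
                     ["example.org", "lists.example.net"])
# The list modified the message, so only its own signature still verifies.
BROKEN = AuthResults("example.org", "lists.example.net", True,
                     ["lists.example.net"])
# Same as BROKEN, but the list rewrote the From header into its own domain.
REWRITTEN = AuthResults("lists.example.net", "lists.example.net", True,
                        ["lists.example.net"])

if __name__ == "__main__":
    for name, sample in (("intact", INTACT), ("broken", BROKEN), ("rewritten", REWRITTEN)):
        print(name, *dmarc_result(sample))
```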



Re: smtpd + dkimsign 7.0 upgraded to 7.1

2022-06-15 Thread Martijn van Duren
Your bugreport is all over the place...
First you say "stopped working", which I interpreted as won't start.
Then you follow up with a "connection refused", which means that
smtpd is not listening (or even running) and then you give an
example where you can connect, but trying to use TLS, while according
to the config you haven't set any pki. The latter couldn't have worked
in 7.0 either afaik.

If you want help, please try to be concise in your configuration/setup,
your test method and what you expect vs what you see.

On Tue, 2022-06-14 at 19:09 -0700, latin...@vcn.bc.ca wrote:
> > > Hello Martijn
> > > 
> > > Log do not show it.
> > > i found this error with:
> > > # openssl s_client -connect 45.32.6.189:25 -starttls smtp
> > > connect: Connection refused
> > > connect:errno=61
> > > 
> > > According to the internet, it is related to Python!
> > > 
> > > PS:
> > > i am NOT receiving mail but i am able to send!.
> > > 
> > > With this conf it works correctly send/receive:
> > > # $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
> > > 
> > > # This is the smtpd server system-wide configuration file.
> > > # See smtpd.conf(5) for more information.
> > > 
> > > table aliases file:/etc/mail/aliases
> > > 
> > > listen on socket
> > > 
> > > # To accept external mail, replace with: listen on all
> > > #
> > > listen on all
> > > 
> > > action "local_mail" mbox alias 
> > > action "outbound" relay
> > > 
> > > # Uncomment the following to accept external mail for domain
> > > "example.org"
> > > #
> > > match from any for domain "agroena.org" action "local_mail"
> > > match from local for local action "local_mail"
> > > match from local for any action "outbound"
> > > 
> > 
>  More info:
>  # openssl s_client -connect 45.32.6.189:25 -starttls smtp
>  CONNECTED(0003)
>  didn't find starttls in server response, try anyway...
>  6550766248824:error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1
>  alert protocol version:/usr/src/lib/libssl/tls13_lib.c:151:
>  ---
>  no peer certificate available
>  ---
>  No client certificate CA names sent
>  ---
>  SSL handshake has read 242 bytes and written 329 bytes
>  ---
>  New, (NONE), Cipher is (NONE)
>  Secure Renegotiation IS NOT supported
>  Compression: NONE
>  Expansion: NONE
>  No ALPN negotiated
>  SSL-Session:
>  Protocol  : TLSv1.3
>  Cipher: 
>  Session-ID:
>  Session-ID-ctx:
>  Master-Key:
>  Start Time: 1655257310
>  Timeout   : 7200 (sec)
>  Verify return code: 0 (ok)
> 
> 
> > > > Nothing stands out to me.
> > > > Your maillog should contain more details on what goes wrong.
> > > > 
> > > > martijn@
> > > > 
> > > > On Mon, 2022-06-13 at 00:15 -0700, latin...@vcn.bc.ca wrote:
> > > > > Hello
> > > > > 
> > > > > My mail server stopped working after upgrade to 7.1; could somebody
> > > > > please
> > > > > check the conf?
> > > > > 
> > > > > # $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
> > > > > 
> > > > > # This is the smtpd server system-wide configuration file.
> > > > > # See smtpd.conf(5) for more information.
> > > > > 
> > > > > table aliases file:/etc/mail/aliases
> > > > > 
> > > > > filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
> > > > > /etc/mail/dkim/agroena.org.private.key" user _dkimsign group _dkimsign
> > > > > 
> > > > > # To accept external mail, replace with: listen on all
> > > > > #
> > > > > listen on socket filter "dkimsign"
> > > > > listen on lo0 filter "dkimsign"
> > > > > 
> > > > > action "local_mail" mbox alias 
> > > > > action "outbound" relay
> > > > > 
> > > > > # Uncomment the following to accept external mail for domain
> > > > > "example.org"
> > > > > #
> > > > > # match from any for domain "example.org" action "local_mail"
> > > > > match from any for domain "agroena.org" action "local_mail"
> > > > > match for local action "local_mail"
> > > > > match for any action "outbound"
> > > > > 
> > > > > Thanks so much.
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > 
> > > 
> > 
> > 
> 
> 



Re: smtpd + dkimsign 7.0 upgraded to 7.1

2022-06-13 Thread Martijn van Duren
Nothing stands out to me.
Your maillog should contain more details on what goes wrong.

martijn@

On Mon, 2022-06-13 at 00:15 -0700, latin...@vcn.bc.ca wrote:
> Hello
> 
> My mail server stopped working after upgrade to 7.1; could somebody please
> check the conf?
> 
> # $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
> 
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
> 
> table aliases file:/etc/mail/aliases
> 
> filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
> /etc/mail/dkim/agroena.org.private.key" user _dkimsign group _dkimsign
> 
> # To accept external mail, replace with: listen on all
> #
> listen on socket filter "dkimsign"
> listen on lo0 filter "dkimsign"
> 
> action "local_mail" mbox alias 
> action "outbound" relay
> 
> # Uncomment the following to accept external mail for domain "example.org"
> #
> # match from any for domain "example.org" action "local_mail"
> match from any for domain "agroena.org" action "local_mail"
> match for local action "local_mail"
> match for any action "outbound"
> 
> Thanks so much.
> 
> 
> 
> 



Re: tail(1) with multiple FIFOs

2022-06-09 Thread Martijn van Duren
The "problem" is that a FIFO without data hangs on open(2), until data
is available, the same goes for the initial read of the file.

We could work around this by adding the O_NONBLOCK flag to a separate
open(2) call, but I know that this flag is frowned upon. Since gnu tail
shows the same behaviour I'm not sure if it's worth doing.

Since I'm not claiming to know all the edge-cases of O_NONBLOCK you
could carry this diff locally at your own risk. Or maybe if other
developers feel strong about this and are braver than me when it comes
to O_NONBLOCK it might go somewhere.

martijn@

On Wed, 2022-06-08 at 22:09 -0400, Philippe Meunier wrote:
> Hi,
> 
> Try:
> 
> $ mkfifo fifo1 fifo2
> $ tail -f fifo1 fifo2
> 
> Then in another terminal:
> 
> $ while true; do /bin/echo  > fifo1; done
> 
> and... nothing happens.  I would have expected tail(1) to start showing the
> content of fifo1 as soon as content became available but no, it just keeps
> waiting.
> 
> Then in another terminal:
> 
> $ while true; do /bin/echo  > fifo2; done
> 
> and then tail(1) starts showing output as expected, alternating between
> fifo1 and fifo2.
> 
> The interesting part is that, once tail(1) has started producing output,
> you can interrupt and restart one or both of the "" and / or ""
> loops and tail(1) always does what you'd expect.  It seems that it's only
> at the very start that tail(1) doesn't produce any output until content is
> available in both fifos.
> 
> I tried various things like -n 0 and -c 0 but to no avail.
> 
> Another interesting thing to try:
> - start the "" loop
> - interrupt the "" loop
> - start the "" loop
> and tail(1) starts displaying output.
> 
> But if you try:
> - start the "" loop
> - interrupt the "" loop
> - start the "" loop
> then tail(1) still doesn't show any output, until you start the "" loop
> for a second time!
> 
> So at the very start, not only does tail(1) seem to expect content in both
> fifos before it starts showing output, but it also seems to expect the
> content to appear in the specific order indicated on the tail(1) command
> line.
> 
> I assume this is a bug in tail(1)?
> 
> Cheers,
> 
> Philippe
> 
> 
Index: tail.c
===
RCS file: /cvs/src/usr.bin/tail/tail.c,v
retrieving revision 1.22
diff -u -p -r1.22 tail.c
--- tail.c  4 Jan 2019 15:04:28 -   1.22
+++ tail.c  9 Jun 2022 12:33:24 -
@@ -37,6 +37,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
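Review bot: the added `+#include` line has lost its header name in this copy of the diff; O_NONBLOCK and the O_RDONLY flag used in the open(2) call further down are declared in <fcntl.h>, so that is the header the committed line must name.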
@@ -56,7 +57,7 @@ main(int argc, char *argv[])
off_t off = 0;
enum STYLE style;
int ch;
-   int i;
+   int i, fd;
char *p;
 
if (pledge("stdio rpath", NULL) == -1)
@@ -154,8 +155,12 @@ main(int argc, char *argv[])
if (argc) {
for (i = 0; *argv; i++) {
tf[i].fname = *argv++;
-   if ((tf[i].fp = fopen(tf[i].fname, "r")) == NULL ||
-   fstat(fileno(tf[i].fp), &(tf[i].sb))) {
+   /*
+* Use O_NONBLOCK to avoid hanging on FIFO.
+*/
+   fd = open(tf[i].fname, O_RDONLY | O_NONBLOCK);
+   if (fd == -1 || (tf[i].fp = fdopen(fd, "r")) == NULL ||
+   fstat(fd, &(tf[i].sb))) {
ierr(tf[i].fname);
i--;
continue;
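Review bot: O_NONBLOCK is never cleared once the open succeeds, so it is not only open(2) that stops blocking but every later read through tf[i].fp, and nothing in this hunk handles the EAGAIN that an idle FIFO will then produce; either clear the flag after fstat() has told you what was opened, e.g. `fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK)`, or confirm that the -f follow path already treats EAGAIN as "no data yet" rather than as an error. Also, if open() succeeds and fdopen() fails the descriptor leaks; add a close(fd) on that error path before `i--; continue;`. The change does address Philippe's report, since it is the blocking open of each FIFO, in command-line order, that held up all output until a writer had appeared on both.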



Re: LDIF case sensitivity, login_ldap

2022-06-09 Thread Martijn van Duren
On Thu, 2022-06-09 at 07:48 +, Stuart Henderson wrote:
> On 2022-06-09, David Diggles  wrote:
> > I've just got ldap login working on OpenBSD/7.1 with accounts stored 
> > locally in ldapd and using ypldap.
> > 
> > I just thought I'd share something so anyone reading this may save 
> > wasting the time that I wasted :-)
> > 
> > Your LDIF entry that you read into ldap must be as follows for 
> > userPassword
> > 
> > userPassword: {CRYPT}${ENCRYPTED_PASSWD}
> > 
> > ie uppercase CRYPT - I was stuffing around for ages with trying to 
> > understand why login_ldap was failing to bind because I had {crypt} in 
> > lowercase.
> 
> Perhaps it would make sense for ldapd to support {crypt} as well..

No personal preference, but seems easy enough at first glance.
Only compile-tested though...

martijn@

Index: auth.c
===
RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
retrieving revision 1.14
diff -u -p -r1.14 auth.c
--- auth.c  24 Oct 2019 12:39:26 -  1.14
+++ auth.c  9 Jun 2022 11:23:06 -
@@ -220,7 +220,7 @@ check_password(struct request *req, cons
if (stored_passwd == NULL)
return -1;
 
-   if (strncmp(stored_passwd, "{SHA}", 5) == 0) {
+   if (strncasecmp(stored_passwd, "{SHA}", 5) == 0) {
sz = b64_pton(stored_passwd + 5, tmp, sizeof(tmp));
if (sz != SHA_DIGEST_LENGTH)
return (-1);
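Review bot: relaxing the tag comparison here is fine, but nothing in the diff updates ldapd's documentation of the accepted userPassword prefixes; it should state that lowercase `{sha}`, `{ssha}`, `{crypt}` and `{bsdauth}` are accepted too, otherwise the next person hits exactly the problem David described. Only the tag is relaxed; the base64 digest after it is still compared byte-for-byte, which is correct.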
@@ -228,7 +228,7 @@ check_password(struct request *req, cons
SHA1_Update(, passwd, strlen(passwd));
SHA1_Final(md, );
return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
-   } else if (strncmp(stored_passwd, "{SSHA}", 6) == 0) {
+   } else if (strncasecmp(stored_passwd, "{SSHA}", 6) == 0) {
sz = b64_pton(stored_passwd + 6, tmp, sizeof(tmp));
if (sz <= SHA_DIGEST_LENGTH)
return (-1);
@@ -238,12 +238,12 @@ check_password(struct request *req, cons
SHA1_Update(, salt, sz - SHA_DIGEST_LENGTH);
SHA1_Final(md, );
return (bcmp(md, tmp, SHA_DIGEST_LENGTH) == 0 ? 1 : 0);
-   } else if (strncmp(stored_passwd, "{CRYPT}", 7) == 0) {
+   } else if (strncasecmp(stored_passwd, "{CRYPT}", 7) == 0) {
encpw = crypt(passwd, stored_passwd + 7);
if (encpw == NULL)
return (-1);
return (strcmp(encpw, stored_passwd + 7) == 0 ? 1 : 0);
-   } else if (strncmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
+   } else if (strncasecmp(stored_passwd, "{BSDAUTH}", 9) == 0) {
if (send_auth_request(req, stored_passwd + 9, passwd) == -1)
return (-1);
return 2;   /* Operation in progress. */
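Review bot: since this is only compile-tested, the minimal functional check is a simple bind against an entry whose userPassword carries a lowercase `{crypt}` prefix, then the same with `{CRYPT}` to show nothing regressed; the comparison itself (strcmp of crypt()'s output against stored_passwd + 7) is unchanged, so the hash text stays case-sensitive as it must. The `{BSDAUTH}` branch hands the remainder of the value to send_auth_request() unchanged, so a lowercase tag there alters nothing else.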



Re: SMART treshold (not) exceeded

2022-05-30 Thread Martijn van Duren
From a quick glance in the code atactl calls
ATAPI_SMART/ATA_SMART_STATUS, which maps to section 7.31.6 of the ATA-3
spec[0] (there's newer standards, but shouldn't have changed). Here it
states:
NORMAL OUTPUTS - If the device has not detected a threshold exceeded
condition, the device sets the Cylinder Low register to 4Fh and the 
Cylinder High register to C2h. If the device has detected a threshold
exceeded condition, the device sets the Cylinder Low register to F4h and
the Cylinder High register to 2Ch.

The message "No SMART threshold exceeded" only shows when
req.cylinder == 0xc24f. So unless I'm missing something it's your disk's
SMART that returns something that doesn't make sense.

martijn@

[0] https://www.scs.stanford.edu/10wi-cs140/pintos/specs/ata-3-std.pdf

On Mon, 2022-05-30 at 15:24 +0200, Jan Stary wrote:
> This is current/adm64 on a PC (dmesg below).
> I monitor disk status with atactl.
> On one of the disks, I get this:
> 
> # atactl sd2 identify
> Model: WDC WD3200AAJS-00VWA0, Rev: 12.01B02, Serial #:
> WD-WMARW0118535
> Device type: ATA, fixed
> Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 625142448
> Device capabilities:
>   ATA standby timer values
>   IORDY operation
>   IORDY disabling
> Device supports the following standards:
> ATA-1 ATA-2 ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 ATA-8
> Master password revision code 0xfffe
> Device supports the following command sets:
>   NOP command
>   READ BUFFER command
>   WRITE BUFFER command
>   Host Protected Area feature set
>   Read look-ahead
>   Write cache
>   Power Management feature set
>   Security Mode feature set
>   SMART feature set
>   Flush Cache Ext command
>   Flush Cache command
>   Device Configuration Overlay feature set
>   48bit address feature set
>   Automatic Acoustic Management feature set
>   Set Max security extension commands
>   Set Features subcommand required
>   Power-up in standby feature set
>   DOWNLOAD MICROCODE command
>   SMART self-test
>   SMART error logging
> Device has enabled the following command sets/features:
>   NOP command
>   READ BUFFER command
>   WRITE BUFFER command
>   Host Protected Area feature set
>   Read look-ahead
>   Write cache
>   Power Management feature set
>   SMART feature set
>   Flush Cache Ext command
>   Flush Cache command
>   Device Configuration Overlay feature set
>   48bit address feature set
>   Automatic Acoustic Management feature set
>   Set Features subcommand required
>   DOWNLOAD MICROCODE command
> 
> # atactl sd2 readattr
> Attributes table revision: 16
> ID   Attribute name                    Threshold  Value  Raw
>   1  Raw Read Error Rate                      51    199  0x000309c6
>   3  Spin Up Time                             21    157  0x1405
>   4  Start/Stop Count                          0    100  0x02b7
>   5  Reallocated Sector Count                140    200  0x
>   7  Seek Error Rate                          51    200  0x
>   9  Power-On Hours Count                      0     76  0x4660
>  10  Spin Retry Count                         51    100  0x
>  11  Calibration Retry Count                  51    100  0x
>  12  Device Power Cycle Count                  0    100  0x01ec
> 192  Power-Off Retract Count                   0    200  0x0124
> 193  Load Cycle Count                          0    200  0x02b7
> 194  Temperature                               0    105  0x002a
> 196  Reallocation Event Count                  0    200  0x
> 197  Current Pending Sector Count              0    200  0x000a
> 198  Off-Line Scan Uncorrectable Sect          0    200  0x0003
> 199  Ultra DMA CRC Error Count                 0    200  0x001d
> 200* Write Error Rate                         51      1  0xb290
> One or more threshold values exceeded!
> 
> # atactl sd2 smartstatus
> No SMART threshold exceeded
> 
> Either some threshold was exceeded or it wasn't:
> am I missing some subtle semantics here?
> 
>   Jan
> 
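Added example, not code from atactl(8) or from either poster, illustrating why the two commands above can disagree. `smartstatus` issues SMART RETURN STATUS and the drive itself answers through the Cylinder registers (the 4Fh/C2h and F4h/2Ch pairs from the ATA-3 text quoted above, which atactl compares as one word, 0xc24f). `readattr` is a host-side comparison of each attribute's normalized value against its threshold; the rule used here (non-zero threshold and value at or below it) is an assumption, not taken from atactl's source. The readattr rows fed to the parser are constructed in the shape of the output above.

```python
"""Decode SMART RETURN STATUS and evaluate a readattr table host-side.

Added example; not atactl(8) code. The per-attribute rule (threshold > 0
and value <= threshold) is an assumption about what the '*' marker means.
"""
import re

# Cylinder Low/High register pairs from the ATA-3 text quoted in the thread.
_STATUS_BY_REGS = {
    (0x4F, 0xC2): "ok",        # Cylinder Low 4Fh, Cylinder High C2h
    (0xF4, 0x2C): "exceeded",  # Cylinder Low F4h, Cylinder High 2Ch
}


def smart_return_status(cyl_low, cyl_high):
    """Decode SMART RETURN STATUS from the two Cylinder registers."""
    return _STATUS_BY_REGS.get((cyl_low & 0xFF, cyl_high & 0xFF), "unknown")


def smart_return_status_word(cylinder):
    """Same check on the combined value atactl compares (high byte is
    Cylinder High): 0xC24F decodes to "ok", 0x2CF4 to "exceeded"."""
    return smart_return_status(cylinder & 0xFF, (cylinder >> 8) & 0xFF)


# One readattr row: id, optional '*' flag, name, threshold, value, raw hex.
_ROW = re.compile(
    r"^\s*(\d+)(\*?)\s+(.+?)\s+(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]*)\s*$")


def parse_readattr(text):
    """Parse readattr-style rows; header, footer and blank lines are skipped."""
    attrs = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        attr_id, flag, name, thresh, value, raw = m.groups()
        attrs.append({
            "id": int(attr_id),
            "flagged": flag == "*",  # marker printed by the tool itself
            "name": name.strip(),
            "threshold": int(thresh),
            "value": int(value),
            "raw": raw,
        })
    return attrs


def exceeded_attributes(attrs):
    """Host-side rule (assumed): non-zero threshold and value at or below it."""
    return [a for a in attrs
            if a["threshold"] > 0 and a["value"] <= a["threshold"]]


def verdicts_disagree(attrs, cylinder):
    """True when the host-side table and the drive's own verdict differ."""
    host_says = "exceeded" if exceeded_attributes(attrs) else "ok"
    return host_says != smart_return_status_word(cylinder)


# Constructed sample rows in the shape of the readattr output in the thread.
SAMPLE_READATTR = """\
Attributes table revision: 16
ID   Attribute name                 Threshold  Value  Raw
  1  Raw Read Error Rate                   51    199  0x000309c6
  5  Reallocated Sector Count             140    200  0x0000
197  Current Pending Sector Count           0    200  0x000a
200* Write Error Rate                      51      1  0xb290
One or more threshold values exceeded!
"""

if __name__ == "__main__":
    attrs = parse_readattr(SAMPLE_READATTR)
    for a in exceeded_attributes(attrs):
        print(f"host: attribute {a['id']} ({a['name']}) exceeded")
    print("drive says:", smart_return_status_word(0xC24F))
    print("verdicts disagree:", verdicts_disagree(attrs, 0xC24F))
```

With the sample table the host flags attribute 200 while a drive answering 0xC24F still reports no threshold exceeded, which is the situation in the thread: the two commands ask different parties the question.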



Re: OpenSMTPD + Dovecot + Dkimsign configuration?

2022-04-07 Thread Martijn van Duren
On Thu, 2022-04-07 at 21:04 -0700, latin...@vcn.bc.ca wrote:
> Hello
> 
> i have had 1 Personal server for years with httpd and OpenSMTPD  mail
> server working correctly; thanks OpenBSD Team.
> 
> But now i have another server for 500 Colleagues with OSMTPD + Dovecot +
> Dkimsign working well; but i ask, if it were possible to use only OSMTPD
> with virtual users + Dkimsign?
> 
> Please tell me what i might read.
> 
> Thanks .
> 
I'm not 100% sure what your question is, but filter-dkimsign doesn't
care about users; virtual or otherwise.

filter-dkimsign uses the domain part of the first mailbox from the
From field if it matches any of the domains specified by '-d'. This
should be conformant to RFC7489 (DMARC). If none of the '-d'-specified
domains match it defaults back to the first '-d' domain.

Hope this answers your question.

martijn@
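Added example, not filter-dkimsign's own code, mirroring the selection rule described in the reply above: the domain of the first mailbox in the From header becomes the d= domain if it is one of the configured '-d' domains, otherwise the first '-d' domain is used. It also shows why the fallback matters for DMARC: a signature whose d= does not align with the From domain does not satisfy DMARC's DKIM check. Assumptions: the '-d' match is exact and case-insensitive, and the alignment helper approximates RFC 7489's relaxed (organizational-domain) test by a subdomain check without a public suffix list.

```python
"""Pick the DKIM d= domain the way the thread describes and check DMARC
alignment. Added example, not filter-dkimsign code; see the lead-in for
the assumptions."""
from email.utils import getaddresses


def first_from_domain(from_header):
    """Lower-cased domain of the first mailbox in a From header, or None."""
    mailboxes = [addr for _, addr in getaddresses([from_header]) if "@" in addr]
    if not mailboxes:
        return None
    return mailboxes[0].rpartition("@")[2].lower().rstrip(".")


def signing_domain(from_header, configured):
    """d= domain: first From mailbox's domain if it is a configured '-d'
    domain (exact, case-insensitive match assumed), else the first one."""
    if not configured:
        raise ValueError("at least one -d domain is required")
    domain = first_from_domain(from_header)
    if domain is not None:
        for candidate in configured:
            if candidate.lower().rstrip(".") == domain:
                return candidate
    return configured[0]


def dkim_aligned(from_domain, d_domain, relaxed=True):
    """DMARC identifier alignment of the From domain with the d= domain.
    Strict: identical. Relaxed: one is the other or a subdomain of it,
    an approximation of the organizational-domain rule (no suffix list)."""
    f = from_domain.lower().rstrip(".")
    d = d_domain.lower().rstrip(".")
    if f == d:
        return True
    if not relaxed:
        return False
    return f.endswith("." + d) or d.endswith("." + f)


def describe_signature(from_header, configured):
    """What the filter would sign with, and whether DMARC would accept it."""
    d = signing_domain(from_header, configured)
    from_domain = first_from_domain(from_header)
    return {
        "d": d,
        "from_domain": from_domain,
        "aligned": from_domain is not None and dkim_aligned(from_domain, d),
    }


if __name__ == "__main__":
    # Constructed headers; the -d list stands for "-d example.org -d other.net".
    configured = ["example.org", "other.net"]
    for hdr in ("Alice <alice@Example.org>",
                "Bob <bob@nowhere.test>, alice@example.org",
                "bob@other.net"):
        print(hdr, "->", describe_signature(hdr, configured))
```

The second constructed header is the interesting one: only the first mailbox counts, so the message falls back to example.org and the signature does not align with nowhere.test, which a DMARC verifier treats as an unaligned DKIM result.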



Re: libressl vs openssl

2022-01-28 Thread Martijn van Duren
On Fri, 2022-01-28 at 21:18 +, Stuart Henderson wrote:
> On 2022-01-28, Laura Smith  wrote:
> > ‐‐‐ Original Message ‐‐‐
> > 
> > On Friday, January 28th, 2022 at 14:43, dansk puffer 
> >  wrote:
> > 
> > > Are there any major security differences between libressl and openssl 
> > > nowadays? From what I read the situation for openssl improved and some 
> > > Linux distros switched back to openssl again with mostly? OpenBSD 
> > > remaining to use libressl.
> > 
> > For me at least, my main beef with Libressl is that it has seemingly mostly 
> > achieved its security posture by removing functions.
> > 
> > Unfortunatley the functions removed are not obscure ones, but more common 
> > ones such as, IIRC, various very useful certificate and PKCS11 related 
> > functions.
> 
> I think you'll need to back that up with some examples. Lots of code has
> been removed but much of that is not API-affecting. In particular *common*
> ones are not removed.
> 
> Almost nothing in the ports tree uses OpenSSL. The exceptions
> are nsca-ng (PSK was removed; almost nothing uses that),
> opensmtpd-filter-dkimsign (libressl doesn't have all of the ed25519 api
> from newer openssl yet), 
> 
To be more precise, this only goes for the -ed25519 flavor. The main
flavor is compiled with libressl. For most people, ed25519 dkim
signatures aren't even interesting yet, since most verifiers out there
(including the major players last time I checked) don't even support it
yet.

> sslscan (uses a special build with some
> outdated protocols enabled so that it can scan a server to see what it's
> using), and libretls (implementation of the libtls API against OpenSSL
> backend, used for testing portable versions of some OpenBSD software).
> That's all.
> 
> There are some functions from OpenSSL 1.1+ API that haven't been added
> to LibreSSL yet, though these days many of the ones which are _actually_
> used by various software have been added.
> 
> (Besides, not adding new functions that were added to OpenSSL after
> LibreSSL was forked is not the same thing as removing functions.)
> 
> 



Re: howto separate isakmpd syslogs into another file

2021-12-30 Thread Martijn van Duren
On Thu, 2021-12-30 at 08:59 +, Hayri Can KAVAK wrote:
> Hello,
> 
> I'm trying to separate isakmpd/ipsec logs to another file instead of 
> /var/log/messages.
> Here my config at the top of /etc/syslog.conf
> !!isakmpd
> daemon.info 
> /var/log/ipsec_info.log
> daemon.debug
> /var/log/ipsec_debug.log
> !*
> 
> I restarted syslogd & isakmpd but nothing changed. It still logs to 
> /var/log/messages.
> How can i achieve this?
> 
> Thanks in advance.

The files /var/log/ipsec_{info,debug}.log need to exist before logging
to them (and loaded in by sending SIGHUP to syslog(8)). syslogd(8) will
not try to create the files. From syslogd(8):

The logfiles already have to exist with the correct permissions.


The default syslog.conf doesn't write messages for DAEMON to
/var/log/messages, they should end up in /var/log/daemon. But without
seeing your full syslog.conf I can't say what's going on there.

Hope this helps.

martijn@



Re: Proposal for improvement of newsyslog.conf

2021-12-07 Thread Martijn van Duren
On Wed, 2021-12-08 at 02:12 +0300, Антон Касимов wrote:
> Hi,
> I've noticed that newsyslog sends SIGHUP to syslogd on /var/log/wtmp
> rotation.
> But syslogd does not deal with the wtmp log file so there is no need for
> SIGHUP.
> 
> I propose to make slightly changes to default newsyslog.conf file:
> 13c13
> < /var/log/wtmp 644  7 *$W6D4 B
> ---
> > /var/log/wtmp 644  7 *$W6D4 B ""
> 
> Is misc a proper mailing list, or shall I send this message to bugs?
> 
tech@ is usually the best place for this kind of suggestions.
Also make sure that you make your diff unified (diff -u).

martijn@



Re: Qt application font size increase

2021-11-23 Thread Martijn van Duren
On Tue, 2021-11-23 at 14:51 +0100, Andrea Biscuola wrote:
> 
> > Il giorno 23 nov 2021, alle ore 14:22, Martijn van Duren 
> >  ha scritto:
> > 
> > After upgrading to the latest snapshot yesterday[0] since the week
> > before[1] my qt based applications (mumble and nextcloud) have
> > increased at least a factor 2 (both icons and text), resulting in
> > unusable large windows.
> > 
> > Did anything recently change in X or Qt that could be the cause
> > of this? Can it be changed back with a setting?
> 
> Possible that it's related to the xorg update of the past week?
> 
> It happened to me too, although I don't use qt applications.
> 
> I solved it by setting:
> 
> xrandr --dpi 96
> 
> in my .xsession file (as Mattew Herb suggested)

Thanks, this one was it.
Somehow I thought that this commit was more than a week old and expected
it to be affecting all my GUI applications, not just Qt based.

Anyway, added to my xsession file and sorry for the noise.
> 
> > QT_SCALE_FACTOR=0.x doesn't seem to do the trick.
> > 
> > martijn@
> > 
> > xsession:
> > export LC_ALL=en_US.UTF-8
> > if [ -x /usr/local/bin/dbus-launch -a -z "${DBUS_SESSION_BUS_ADDRESS}" ]; then
> >eval `dbus-launch --sh-syntax --exit-with-x11`
> > fi
> > ssh-agent
> > eval $(gnome-keyring-daemon --components=secrets)
> > export GNOME_KEYRING_CONTROL
> > setxkbmap -layout us -variant intl
> > xset -b
> > /usr/X11R6/bin/cwm
> > Xdefaults:
> > martijn$ cat .Xdefaults 
> > ! $OpenBSD: dot.Xdefaults,v 1.3 2014/07/10 10:22:59 jasper Exp $
> > XTerm*loginShell:true
> > XTerm*Background:black
> > XTerm*Foreground:white
> > Xterm*utf8:2
> > XTerm*Locale:UTF-8
> > 
> > ssh-askpass*font:-adobe-helvetica-medium-r-normal--18-180-75-75-p-98-iso8859-1
> > ssh-askpass*foreground:#ff
> > ssh-askpass*background:#798a99
> > ssh-askpass.*.borderWidth:1
> > ssh-askpass.*.borderColor:black
> > ssh-askpass.*.shadowThickness:0
> > ssh-askpass.*Button.borderWidth:0
> > ssh-askpass.*Button.background:#99aab9
> > ssh-askpass.indicator.borderWidth:0
> > ssh-askpass.indicator.background:#99aab9
> > ssh-askpass.indicator.foreground:#fffa06
> > 
> > [0] OpenBSD 7.0-current (GENERIC.MP) #109: Sun Nov 21 10:59:33 MST 2021
> > [1] OpenBSD 7.0-current (GENERIC.MP) #87: Wed Nov 10 10:29:31 MST 2021
> > 
> 



Qt application font size increase

2021-11-23 Thread Martijn van Duren
After upgrading to the latest snapshot yesterday[0] since the week
before[1] my qt based applications (mumble and nextcloud) have
increased at least a factor 2 (both icons and text), resulting in
unusable large windows.

Did anything recently change in X or Qt that could be the cause
of this? Can it be changed back with a setting?

QT_SCALE_FACTOR=0.x doesn't seem to do the trick.

martijn@

xsession:
export LC_ALL=en_US.UTF-8
if [ -x /usr/local/bin/dbus-launch -a -z "${DBUS_SESSION_BUS_ADDRESS}" ]; then
eval `dbus-launch --sh-syntax --exit-with-x11`
fi
ssh-agent
eval $(gnome-keyring-daemon --components=secrets)
export GNOME_KEYRING_CONTROL
setxkbmap -layout us -variant intl
xset -b
/usr/X11R6/bin/cwm
Xdefaults:
martijn$ cat .Xdefaults 
! $OpenBSD: dot.Xdefaults,v 1.3 2014/07/10 10:22:59 jasper Exp $
XTerm*loginShell:true
XTerm*Background:black
XTerm*Foreground:white
Xterm*utf8:2
XTerm*Locale:UTF-8

ssh-askpass*font:-adobe-helvetica-medium-r-normal--18-180-75-75-p-98-iso8859-1
ssh-askpass*foreground:#ff
ssh-askpass*background:#798a99
ssh-askpass.*.borderWidth:1
ssh-askpass.*.borderColor:black
ssh-askpass.*.shadowThickness:0
ssh-askpass.*Button.borderWidth:0
ssh-askpass.*Button.background:#99aab9
ssh-askpass.indicator.borderWidth:0
ssh-askpass.indicator.background:#99aab9
ssh-askpass.indicator.foreground:#fffa06

[0] OpenBSD 7.0-current (GENERIC.MP) #109: Sun Nov 21 10:59:33 MST 2021
[1] OpenBSD 7.0-current (GENERIC.MP) #87: Wed Nov 10 10:29:31 MST 2021



Re: relayd and snmp agentx

2021-11-06 Thread Martijn van Duren
On Fri, 2021-11-05 at 15:59 +, Stuart Henderson wrote:
> On 2021-11-05, Joel Carnat  wrote:
> > Hello,
> > 
> > I read in relayd.conf(5) that there is an SNMP agentx feature. And
> > there is an OPENBSD-RELAYD-MIB.txt file in 7.0 /usr/share/snmp/mibs
> > directory.
> > 
> > But in snmpd.conf(5), I couldn't found any reference for subagent or
> > agentx. Reading the sources logs, I understood that agentx was removed
> > from snmpd(8) around Jun 30, 2020.
> 
> btw, martijn@ is working on this, see "snmpd(8): New application layer -
> step towards agentx support" on tech@ which would benefit from test
> reports/feedback

++
I do want to emphasise that that diff doesn't include the agentx bits.
But having more (any) test-reports will greatly help speed agentx
support in snmpd(8) up.
> 
> > Is there a way to query relayd MIB on OpenBSD 7.0?
> > Either by using snmpd(8) or ports/net/net-snmpd.
> 
> Worth a try via net-snmp, or build snmpd from an old checkout..
> 
I developed libagentx with net-snmpd, so that one should work just fine.
Setting "master agentx" should work, since both daemons default to
/var/agentx/master (as specified by the RFC), but you might need to
tweak agentXPerms a little.

I don't recommend using the old snmpd agentx code. There's quite a few
fixes since then and the reason I removed the code is because it allowed
anyone with access to crash the daemon by use after free.



Re: NSD exit status 11 on 7.0

2021-10-19 Thread Martijn van Duren
On Tue, 2021-10-19 at 19:56 +0200, Otto Moerbeek wrote:
> On Tue, Oct 19, 2021 at 07:49:15PM +0200, Mischa wrote:
> 
> > On 2021-10-15 20:05, Otto Moerbeek wrote:
> > > On Fri, Oct 15, 2021 at 07:47:22PM +0200, Mischa wrote:
> > > > On 2021-10-15 19:42, Otto Moerbeek wrote:
> > > > > On Fri, Oct 15, 2021 at 07:16:55PM +0200, Mischa wrote:
> > > > > 
> > > > > > On 2021-10-15 18:27, Otto Moerbeek wrote:
> > > > > > > 
> > > > > > > The actual problem (SIGSEGV) happens in the child processes: 
> > > > > > > ktrace the
> > > > > > > children as well: ktrace -di ...
> > > > > > > 
> > > > > > >   -Otto
> > > > > > 
> > > > > > Thanx Otto.
> > > > > > Below is the the kdump with ktrace -di
> > > > > > It's quite a lot of data but I didn't want to remove something that
> > > > > > could
> > > > > > potentially be useful.
> > > > > > 
> > > > > > Mischa
> > > > > > 
> > > > > 
> > > > > The pattern below happens multiple times:
> > > > > 
> > > > > A recvfrom of 101 bytes and after that a SIGSEGV.
> > > > > 
> > > > > Now we do not know for sure if those two lines are related.
> > > > > 
> > > > > I suspect that it is no coincidence that the 101 is one larger than
> > > > > 100...
> > > > > 
> > > > > No other clue yet.
> > > > 
> > > > Anything else I can collect.
> > > 
> > > You might want to compile and install nsd with debug symbols info:
> > > 
> > >   cd /usr/src/usr.sbin/nsd
> > >   make -f Makefile.bsd-wrapper obj
> > >   make -f Makefile.bsd-wrapper clean
> > >   DEBUG=-g make -f  Makefile.bsd-wrapper
> > >   make -f  Makefile.bsd-wrapper install
> > > 
> > > 
> > > Then: collect a gdb trace from a running process: install gdb from
> > > ports,
> > > run
> > >   egdb --pid=pidofnsdchild /usr/sbin/nsd
> > > 
> > > and wait for the crash.
> > > 
> > > But I'm mostly unfamiliar with the nsd code and what has been changed
> > > recently.  I'd say make sure sthen@ and florian@ see this: move to
> > > bugs@ as I do not know if they read misc@.
> > 
> > Thanx Otto.
> > 
> > As this is my first time using gdb, I need some assistance.
> > 
> > root@name2:~ # ps -aux | grep nsd
> > _nsd 79188  0.0  1.0 101704 86400 ??  Ip  7:31PM  0:00.20 nsd: xfrd (nsd)
> > _nsd 24002  0.0  0.4 37188 37388 ??  Ip  7:31PM  0:00.29 nsd: main (nsd)
> > _nsd 44937  0.0  0.2 37544 18308 ??  Sp  7:45PM  0:00.11 nsd: server 1 (nsd)
> > 
> > root@name2:~ # egdb --pid=44937 /usr/sbin/nsd
> > GNU gdb (GDB) 7.12.1
> > Copyright (C) 2017 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later
> > 
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> > and "show warranty" for details.
> > This GDB was configured as "x86_64-unknown-openbsd7.0".
> > Type "show configuration" for configuration details.
> > For bug reporting instructions, please see:
> > .
> > Find the GDB manual and other documentation resources online at:
> > .
> > For help, type "help".
> > Type "apropos word" to search for commands related to "word"...
> > Reading symbols from /usr/sbin/nsd...(no debugging symbols found)...done.
> > Attaching to program: /usr/sbin/nsd, process 44937
> > Reading symbols from /usr/lib/libssl.so.50.0...done.
> > Reading symbols from /usr/lib/libcrypto.so.47.0...done.
> > Reading symbols from /usr/lib/libevent.so.4.1...done.
> > Reading symbols from /usr/lib/libc.so.96.1...done.
> > Reading symbols from /usr/libexec/ld.so...done.
> > [Switching to thread 563101]
> > kevent () at /tmp/-:3
> > 3   /tmp/-: No such file or directory.
> > 
> > Anything I am missing?
> > 
> > Mischa
> > 
> 
> Do you see a gdb prompt? If so
> 
>   continue
> 
> should do it (and then wait for the crash).
> 
> If you still see the crashes, a tcpdump of the traffic to nsd might
> help as well, I can replay that locally against nsd. I would also
> need your nsd config for that.
> 
>   -Otto
> 
I did some debugging with Mischa.

Unfortunately I misclicked and deleted the backtrace. However, the
problem was that query.c calls add_rrset (query.c:736) from
answer_delegation (query.c:917), where rrset is NULL.

When looking in the original query it was always a PTR request to
an IPv6 record. When looking through the file we tried to remove
some likely suspect entries to see if we could pinpoint the root-
cause, but after readding everything it wouldn't crash anymore.

Adding a simple comment to the zonefile of the second NS server
yielded the same result: the server won't crash anymore.

Mischa is going to monitor the situation to see if the issues
return, but my current best guess is that some weird state got
cached somewhere somehow and got flushed when saving the
zonefile.

martijn@



Re: smtpd only Mail Server

2021-08-22 Thread Martijn van Duren
On Sat, 2021-08-21 at 07:20 -0700, latin...@vcn.bc.ca wrote:
> > On Tue, 2021-08-10 at 04:32 -0700, latin...@vcn.bc.ca wrote:
> > > > On Aug 10 01:52:57, latin...@vcn.bc.ca wrote:
> > > > > > - smtpd had its first commit in 2008 and back then was far from
> > > > > >   production ready: So are you using base smtpd, or sendmail, or
> > > > > >   something else?
> > > > > 
> > > > > Yes, 2000 it was sendmail, nginx, apache, smtpd if i remember
> > > correctly;
> > > > > but my question is:
> > > > > 
> > > > > "Could someone please point me to specific openbsd place to look for
> > > > > it?"
> > > > 
> > > > To look for what? smtpd documentation? man smtpd, man smtpd.conf,
> > > > there's a dkim example right there.
> > > 
> > > Jay in this case it looks out of context, because it is a question after
> > > the explanation! Look for understandable (my level) information related
> > > to
> > > dkim, dmarc, and spf! My field is agriculture!
> > > 
> > > > 
> > > > > > - I assume it's related to outbound mail, but even that is not
> > > > > >   completely clear to me.
> > > > > 
> > > > > No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10
> > > at
> > > > > this page: https://www.mail-tester.com/ and yes, i can receive
> > > mail, but
> > > > > mine is considered spam!
> > > > 
> > > > The fact that an arbitrary third site "tester" gives you this score
> > > > or another can mean a lot of things. Nobody has seen your DNS or a
> > > > single line of your config yet, so it's hard to help you really.
> > > > 
> > > 
> > > Well, i never said that it is the last word! I am asking for clear
> > > information for dkim, dmarc, spf, and now dkimproxy and anything related
> > > to send mail correctly; where correctly means "NO qualify my mail as
> > > spam"
> > > 
> > > > > > - Did you just put a dkim txt record in DNS without any additional
> > > > > >   configuration on your mailserver?
> > > > > 
> > > > > ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at
> > > the
> > > > > same
> > > > > web page, not a problem; 2. vultr managed by their dns app, here i
> > > am
> > > > > not
> > > > > able to make it work correctly. What should be the additional
> > > > > configuration on the mail server please?
> > > > 
> > > > What mail server?
> > > > What "additional" configuration?
> > > 
> > > This server:
> > > > > > - Did you just put a dkim txt record in DNS without any additional
> > > > > >   configuration on your mailserver?
> > > 
> > > > 
> > > > If you want help with a mail config,
> > > > you need to show your mail config.
> > > > 
> > > 
> > > No problem:
> > > I am used to use only the base system.
> > > 
> > > #       $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles
> > > Exp $
> > > 
> > > # This is the smtpd server system-wide configuration file.
> > > # See smtpd.conf(5) for more information.
> > > 
> > > table aliases file:/etc/mail/aliases
> > > 
> > > listen on socket
> > > 
> > > # To accept external mail, replace with: listen on all
> > > #
> > > listen on all filter "dkimsign"
> > > 
> > > action "local_mail" mbox alias 
> > > action "outbound" relay
> > > 
> > > # Uncomment the following to accept external mail for domain
> > > "example.org"
> > > #
> > > # match from any for domain "example.org" action "local_mail"
> > > match from any for domain "agroena.org" action "local_mail"
> > > match from local for local action "local_mail"
> > > match from local for any action "outbound"
> > > 
> > > # dkim
> > > filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
> > > /etc/mail/dkim/private.key" user _dkimsign group _dkimsign
> > > 
> > > 
> > So assuming that you actually installed opensmtpd-filter-dkimsign and
> > everything starts okay, you haven't put the public key in the DNS like
> > you claimed in your original e-mail.
> > $ dig +short txt s1._domainkey.agroena.org
> > $
> > 
> 
> Hello Martijn
> I changed the selector to s=s1 the same at DNS record, and my smtpd.conf
> with 2 lines related to dkim; and my mail is not spam anymore, thanks for
> your help; but it is not signed yet! Can you please help?
> 
> #$OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
> 
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
> 
> table aliases file:/etc/mail/aliases
> 
> listen on socket
> 
> # To accept external mail, replace with: listen on all
> #
> listen on all
> 
> action "local_mail" mbox alias 
> action "outbound" relay
> 
> # Uncomment the following to accept external mail for domain "example.org"
> #
> # match from any for domain "example.org" action "local_mail"
> #match from any for domain "agroena.org" action "local_mail"
> match from local for local action "local_mail"
> match from local for any action "outbound"
> 
> # dkim
> filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
> /etc/mail/dkim/agroena.org.private.key" user _dkimsign group 

Re: sed(1) and line number 0

2021-08-15 Thread Martijn van Duren
On Sat, 2021-08-14 at 20:20 +0200, Andreas Kusalananda Kähäri wrote:
> On Fri, Aug 13, 2021 at 11:19:16PM +0800, Philippe Meunier wrote:
> > Hello,
> > 
> > While porting a shell script from Linux to OpenBSD I came across the
> > following:
> [cut] 
> > 2) Out of curiosity, is there an OpenBSD equivalent to GNU's '0,/^test$/d' ?
> 
> As far as I can see, the following would work the same as GNU's '0,/^test$/d':
> 
>   sed -e '1 { /^test$/d; }' -e '1,/^test$/d' file
> 
> That is, delete the first line if it is "test", otherwise delete from
> line 1 the next line that is "test".
> 
This behaviour should not be relied upon for portable scripts, since
addresses in combination with "next cycle" are heavily underspecified
and at least doesn't match gsed's behaviour:
$ printf 'test1\nbla1\ntest2\nbla2\n' | gsed -e '1 { /^test/d; }' -e '1,/^test/d'
bla2

Right now, I can't for the life of me think of a shorter way to do this
portably, but the code below works in both sed and gsed.
$ printf 'bla0\ntest1\nbla1\ntest2\nbla2\n' | sed '1{/^test/{h;d;};};1,/^test/{x;/^$/{x;d;};x;}'
bla1
test2
bla2
$ printf 'bla0\ntest1\nbla1\ntest2\nbla2\n' | gsed '1{/^test/{h;d;};};1,/^test/{x;/^$/{x;d;};x;}'
bla1
test2
bla2
$ printf 'test1\nbla1\ntest2\nbla2\n' | sed '1{/^test/{h;d;};};1,/^test/{x;/^$/{x;d;};x;}'
bla1
test2
bla2
$ printf 'test1\nbla1\ntest2\nbla2\n' | gsed '1{/^test/{h;d;};};1,/^test/{x;/^$/{x;d;};x;}'
bla1
test2
bla2
If you need this snippet in a larger script that needs the holdspace,
make sure that you clean the holdspace before continuing.

martijn@



Re: smtpd only Mail Server

2021-08-10 Thread Martijn van Duren
On Tue, 2021-08-10 at 04:32 -0700, latin...@vcn.bc.ca wrote:
> > On Aug 10 01:52:57, latin...@vcn.bc.ca wrote:
> > > > - smtpd had its first commit in 2008 and back then was far from
> > > >   production ready: So are you using base smtpd, or sendmail, or
> > > >   something else?
> > > 
> > > Yes, 2000 it was sendmail, nginx, apache, smtpd if i remember correctly;
> > > but my question is:
> > > 
> > > "Could someone please point me to specific openbsd place to look for
> > > it?"
> > 
> > To look for what? smtpd documentation? man smtpd, man smtpd.conf,
> > there's a dkim example right there.
> 
> Jay in this case it looks out of context, because it is a question after
> the explanation! Look for understandable (my level) information related to
> dkim, dmarc, and spf! My field is agriculture!
> 
> > 
> > > > - I assume it's related to outbound mail, but even that is not
> > > >   completely clear to me.
> > > 
> > > No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10 at
> > > this page: https://www.mail-tester.com/ and yes, i can receive mail, but
> > > mine is considered spam!
> > 
> > The fact that an arbitrary third site "tester" gives you this score
> > or another can mean a lot of things. Nobody has seen your DNS or a
> > single line of your config yet, so it's hard to help you really.
> > 
> 
> Well, i never said that it is the last word! I am asking for clear
> information for dkim, dmarc, spf, and now dkimproxy and anything related
> to send mail correctly; where correctly means "NO qualify my mail as spam"
> 
> > > > - Did you just put a dkim txt record in DNS without any additional
> > > >   configuration on your mailserver?
> > > 
> > > ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at the
> > > same
> > > web page, not a problem; 2. vultr managed by their dns app, here i am
> > > not
> > > able to make it work correctly. What should be the additional
> > > configuration on the mail server please?
> > 
> > What mail server?
> > What "additional" configuration?
> 
> This server:
> > > > - Did you just put a dkim txt record in DNS without any additional
> > > >   configuration on your mailserver?
> 
> > 
> > If you want help with a mail config,
> > you need to show your mail config.
> > 
> 
> No problem:
> I am used to use only the base system.
> 
> #   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
> 
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
> 
> table aliases file:/etc/mail/aliases
> 
> listen on socket
> 
> # To accept external mail, replace with: listen on all
> #
> listen on all filter "dkimsign"
> 
> action "local_mail" mbox alias 
> action "outbound" relay
> 
> # Uncomment the following to accept external mail for domain "example.org"
> #
> # match from any for domain "example.org" action "local_mail"
> match from any for domain "agroena.org" action "local_mail"
> match from local for local action "local_mail"
> match from local for any action "outbound"
> 
> # dkim
> filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
> /etc/mail/dkim/private.key" user _dkimsign group _dkimsign
> 
> 
So assuming that you actually installed opensmtpd-filter-dkimsign and
everything starts okay, you haven't put the public key in the DNS like
you claimed in your original e-mail.
$ dig +short txt s1._domainkey.agroena.org
$



Re: smtpd only Mail Server

2021-08-10 Thread Martijn van Duren
On Mon, 2021-08-09 at 20:02 -0700, latin...@vcn.bc.ca wrote:
> Hello
> 
> i have had a smtpd only mail server for 21 years; but now i have a big
> problem related to dkim, dmarc, and spf. First, there is not man page,
> archives are not clear for me, google is confusing; but i have added the
> corresponding dns records, with the result that dkim is not signing mail!
> 
> Could someone please point me to specific openbsd place to look for it?
> 
> thanks
> 

Your information is far from complete, so don't expect anything
useful from this mail, but:
- smtpd had its first commit in 2008 and back then was far from
  production ready: So are you using base smtpd, or sendmail, or
  something else?
- I assume it's related to outbound mail, but even that is not
  completely clear to me.
- Did you just put a dkim txt record in DNS without any additional
  configuration on your mailserver?
- If you did configure something, what do you use? (e.g.
  filter-dkimsign, rspamd, dkimproxy, ...)
- What kind of errors do you see?

So if I'm taking a blind guess I'd say smtpd, without additional
configuration on outbound mail. In that case I suggest you install
opensmtpd-filter-dkimsign from ports and read the readme:
/usr/local/share/doc/pkg-readmes/opensmtpd-filter-dkimsign and
filter-dkimsign(8).

martijn@



Re: Regarding Openbsd and zoom/hangouts etc

2021-08-02 Thread Martijn van Duren
That would be ENABLE_WASM=yes

On Mon, 2021-08-02 at 20:09 +0200, Antoine Jacoutot wrote:
> Hi. 
> 
> Zoom works in chromium, I now use it on a daily basis. You need to enable 
> audio and video record using sysctl, change /dev/video0 ownership to your 
> user and activate web assembly in chromium (just a
> matter of exporting a variable which I don’t remember the name right now).
> 
> Cheers!
> 
> —
> Antoine
> 
> > On 2 Aug 2021, at 18:23, Riza Dindir  wrote:
> > 
> > Hello,
> > 
> > I amthinking of using openbsd as my OS, and desktop, giving up windows,
> > after I am having trouble updating the system.
> > 
> > I have a question. Is it possible to use zoom, hangouts or other
> > conferencing/communication systems using the browser
> > (iridium/chrome/firefox, etc) on openbsd?
> > 
> > Kind Regards,
> > Riza Dindir
> 




Re: dhcp issues

2021-07-17 Thread Martijn van Duren
On Fri, 2021-07-16 at 21:57 -0400, Sonic wrote:
> Having some issues after a sysupgrade to the latest snapshot (of this
> writing) - OpenBSD 6.9-current (GENERIC.MP) #131.
> 
> Seems the base change to dhcpleased/resolvd has presented some issues.
> Pf does not start on boot as it claims my dhcp interface has no
> address, however after logging in I can load pf and almost resume
> normal operations. Apparently the interface does get an IP address,
> but the start of pf doesn't wait for it.
> Almost, because my supersedes, etc. in /etc/dhclient.conf are
> completely ignored.
> The only workaround I found was to disable resolvd so I could manually
> propagate /etc/resolv.conf without it being overwritten.
> 
Like others said: Without enough context it can't be said with
certainty. But my best guess with the current information would be that
you have a domain name in one or more of your rules, which can't be
resolved until you have full network connectivity.

martijn@



Re: email dkim signing failing with 6.8

2021-05-22 Thread Martijn van Duren
I'm not sure what you're doing, but you show a piece of rspamd config
for your signing, while you claim to use dkimproxy_out. I haven't used
dkimproxy_out in a long time (basically since I wrote filter-dkimsign)
but last time I used dkimproxy_in it worked as expected for rsa.

Also note that dkimproxy hasn't had a new release since 2011,
which doesn't have to mean anything, but is usually not a great sign.

If you really want to continue using dkimproxy I'd suggest running
dkimproxy_out on the shell:
/usr/local/bin/dkimproxy.out --conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy --group=_dkimproxy
and see what it spews out.

Personally I'd replace dkimproxy with either (filter-)rspamd or
filter-dkimsign depending on your needs.

martijn@

On Sat, 2021-05-22 at 11:44 +0200, flipchan wrote:
> Hi all,
> 
> 
> I upgraded from 6.6 to 6.8 and dkim magically stopped appending the dkim 
> signatures to my emails. I have tried to debug it but im not really 
> getting anywhere. dkimproxy_out is running without complains.
> 
> Does anyone see what im doing wrong?
> 
> 
> mail# cat /etc/mail/smtpd.conf
> table aliases file:/etc/mail/aliases
> #table other-relays file:/etc/mail/other-relays
> 
> pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
> 
> filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"
> 
> listen on vio0 port 587 hostname example.com tls-require pki 
> mail.example.com auth filter "rspamd"
> #mask-src
> listen on vio0 port 25 hostname example.com tls pki mail.example.com 
> filter "rspamd"
> # auth-optional
> 
> #action "mbox" mbox alias 
> #action "relay" relay
> 
> #match for local action "mbox"
> #match for any action "relay"
> #match !from src  mail-from "@example.com" for any \
>   # reject
> 
> listen on lo0 port 10028 tag DKIM
> 
> action "mbox" mbox alias 
> action "relay" relay
> action "relay_dkim" relay host smtp://127.0.0.1:10027
> match from any for domain example.com action "mbox"
> 
> match auth from any for any action "relay"
> match for local action "mbox"
> match tag DKIM for any action "relay"
> #match tag dkim for any action "relay"
> #match tag DKIM for any action "outbound"
> #match for any action relay_dkim
> match auth from any for any action "relay_dkim"
> mail#
> dkim_signing.conf    redis.conf
> mail# cat /etc/rspamd/local.d/dkim_signing.conf
> domain {
>  example.com {
>  path = "/var/dkimproxy/default.private";
>  selector = "default";
>  }
> }
> mail# uname -a
> OpenBSD mail.firosolutions.com 6.8 GENERIC#5 amd64
> 
> 
> 
> Thanks!
> 
> Sincerely,
> 
> Flipchan
> 




Re: relay email from users to per-user smtp servers

2021-01-24 Thread Martijn van Duren
I have no clue on what you're trying to do, so here's my best guess.
Your users have something like a shell account and want to submit mail
via the sendmail command. Your users want you to forward the mail to
their "standard" mailserver before it is relayed further.

Afaik there is no option to configure a specific runtime determined
relay host option, so you'd have to create a different "relay host"
action per match rule.

Another option is to let your users submit the mail to their mail
provider directly through port 587 or something similar, or why not
just let you handle the mail and let them add your server's IP to
their SPF-record and install filter-dkimsign, which supports multiple
domains for DMARC from-domain matching.

But like I said, no idea what you're trying to achieve, so my answer
might be way off.

martijn@

On Fri, 2021-01-22 at 23:45 +0100, Rudolf Sykora wrote:
> Dear list,
> 
> 
> if I have several users, each of which wants to be able to send email to
> generally different smtp servers with their own credentials, how does
> one arrange such a thing? Can it be done easily without having a
> separate rule in the system-wide /etc/mail/smtp.conf for each individual
> user? Can it be done that they themselves can easily modify the smtp
> servers information/credentials?
> 
> 
> Thanks for comments
> Ruda
> 




Re: doas changes?

2021-01-21 Thread Martijn van Duren
On Thu, 2021-01-21 at 19:56 +0100, Simon Parrer wrote:
> Hello together,
> maybe any one can say me if there are changes on doas?
> I ask because my doas say Abort trap when i try to use it with sysupgrade or 
> pkg_add -u.
> I do sysupgrade to OpenBSD 6.8-current (GENERIC.MP) #285: Wed Jan 20 17:31:16 
> MST 2021.
> Many Thanks and best regards Simon
> 
There has been a recent change that caused a pledge violation in some
situations. The change has been reverted and the next snapshot should
fix things.

martijn@



Re: OpenSMTPD is not sending e-mail.

2021-01-20 Thread Martijn van Duren
You haven't given much log output, but "Network error on destination
MXs" usually indicates something like DNS or network issues.

Considering it states relay="openbsd.org", where it should be
"mail.openbsd.org" my best guess is DNS issues.

martijn@

On Wed, 2021-01-20 at 17:04 -0800, latincom wrote:
> I read the archives of OpenSMTPD, and found 2 messages related to ssl, 
> nothing more. Can someone give me an advise where to look, please?
> 
> did something stupid, maybe:
> I forgot, that the installer, ask for a name; then i wrote a name, which 
> later change to a fqdn; according to man page; declared it in hosts and 
> myname!
> 
>  From Log:
> mta delivery evpid=7465b44496df9b1a from= 
> to= rcpt=<-> source="-" relay="openbsd.org" 
> delay=11h8m1s result="TempFail" stat="Network error on destination MXs"
> 
> smtp.conf:
> #   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
> 
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
> 
> table aliases file:/etc/mail/aliases
> 
> listen on socket
> 
> # To accept external mail, replace with: listen on all
> #
> listen on all
> 
> action "local_mail" mbox alias 
> action "outbound" relay
> 
> # Uncomment the following to accept external mail for domain "example.org"
> #
> match from any for domain "agroena.org" action "local_mail"
> match from local for local action "local_mail"
> match from local for any action "outbound"
> 
> ssl:
> m# ls -l /etc/ssl/
> total 764
> -r--r--r--  1 root  bin    350172 Oct  4 23:47 cert.pem
> -r--r--r--  1 root  wheel    3791 Jan 10 23:57 fullchain.pem
> -rw-r--r--  1 root  wheel    2703 Oct  4 23:47 ikeca.cnf
> -r--r--r--  1 root  bin   745 Oct  4 23:47 openssl.cnf
> drwx--  2 root  wheel 512 Jan 10 23:57 private
> -r--r--r--  1 root  bin  1006 Oct  4 23:47 x509v3.cnf
> 
> 
> 




Re: adding user to a group

2021-01-08 Thread Martijn van Duren
User and group information is set during login. When running a new shell
with -l it only reads the shell profile:
 -l  Login shell.  If the basename the shell is called with
 (i.e. argv[0]) starts with ‘-’ or if this option is used,
 the shell is assumed to be a login shell and the shell
 reads and executes the contents of /etc/profile and
 $HOME/.profile if they exist and are readable.
So you need to log out and log in again (either from your terminal
session or X11 session).

If you want to make sure your user is added to the group dialer you can
verify via:
$ getent group dialer
dialer:*:117:ruda

martijn@

On Fri, 2021-01-08 at 16:21 +0100, Rudolf Sykora wrote:
> Dear list,
> 
> 
> I tried to add myself to the "dialer" group:
> 
> #usermod -G dialer ruda
> 
> But when I write
> 
> $groups
> 
> in a terminal I still do not see the new group. Not even if I open a new login
> shell (by writing "ksh -l"). However, when I log in in a text console
> (ctrl-alt-1), I see the new group there.
> 
> What is it that I have to do to have the membership updated, i.e., how
> can I open e.g. a terminal in the running environment that would see my
> new groups?
> 
> 
> Thanks for comments
> Ruda
> 




Re: OpenSMTPD-extras manual

2020-12-19 Thread Martijn van Duren
On Sat, 2020-12-19 at 15:37 -0600, Edgar Pettijohn wrote:
> > On Sat, Dec 19, 2020 at 08:02:19PM +0300, Maksim Rodin wrote:
> > Hello.
> > Where can I find any manuals and examples regarding OpenSMTPD-extras?
> > Which table types are supported and do not have status "experimental"
> > like ldap tables?
> > E.g. what is opensmtpd-extras-python and how can I use it?
> > -- 
> > Best regards
> > Maksim Rodin
> > 
> 
> Your best bet is to git clone the repository and search for the tables, 
> etc you are interested in. If there is a manual simply `mandoc file | less`.
> 
> Unfortunantly there aren't manuals for all of the `extras`.
> 
> Good luck,
> 
> Edgar
> 
I don't play around too much with opensmtpd-extras and I don't do
python, but minor unrelated hint: mandoc -l will spawn less for
you and will include the tags-file.

martijn@



Re: dkim && ed25519

2020-12-04 Thread Martijn van Duren
On Fri, 2020-12-04 at 17:53 +0200, Gregory Edigarov wrote:
> Hello misc@,
> 
> Just wanna check status of ed25519/x25519 support in OpenBSD.
> I want to use ed25519 keypair for dkim, because of the smaller
> size of the resulting keys, to completely eliminate the line breaking
> issues.
> Found nothing in man openssl, how am I supposed to generate keypair?
> Will ssh-keygen or signify do the trick?
> 
> Thank you.
> --
> With best regards,
>         Gregory Edigarov
> 
> 
> 
You failed to specify which mailserver/dkimsigner you want to use,
but if it's filter-dkimsign you're currently out of luck.
libressl currently doesn't support ed25519 and so neither does
filter-dkimsign.

martijn@



Re: OpenSMTPD and ldap+tls

2020-11-30 Thread Martijn van Duren
Hello,

There is table_ldap in the opensmtpd-extras package, but I've never used
it, it's undocumented and I've heard that the author sees it as a proof
of concept only at this point. So no idea how far this will take you,
but it's your best shot. :-)

A quick look through the source shows me the following snippet of the
config parser:

else if (!strcmp(key, "username"))
read_value(, key, value);
else if (!strcmp(key, "password"))
read_value(, key, value);
else if (!strcmp(key, "basedn"))
read_value(, key, value);
else if (!strcmp(key, "alias_filter"))
read_value([LDAP_ALIAS].filter, key, value);
else if (!strcmp(key, "alias_attributes")) {
ldap_parse_attributes([LDAP_ALIAS],
key, value, 1);
} else if (!strcmp(key, "credentials_filter"))
read_value([LDAP_CREDENTIALS].filter, key, 
value);
else if (!strcmp(key, "credentials_attributes")) {
ldap_parse_attributes([LDAP_CREDENTIALS],
key, value, 2);
} else if (!strcmp(key, "domain_filter"))
read_value([LDAP_DOMAIN].filter, key, value);
else if (!strcmp(key, "domain_attributes")) {
ldap_parse_attributes([LDAP_DOMAIN],
key, value, 1);
} else if (!strcmp(key, "userinfo_filter"))
read_value([LDAP_USERINFO].filter, key, value);
else if (!strcmp(key, "userinfo_attributes")) {
ldap_parse_attributes([LDAP_USERINFO],
key, value, 3);
} else if (!strcmp(key, "mailaddr_filter"))
read_value([LDAP_MAILADDR].filter, key, value);
else if (!strcmp(key, "mailaddr_attributes")) {

Hope this works for you.

martijn@

On Tue, 2020-12-01 at 09:02 +0300, Родин Максим wrote:
> Hello
> Is there a way to make opensmtpd work
> with ldap aliases over a secure connection?
> 
> I do not know where to find working examples of this
> My current /etc/mail/ldap.conf look like this:
>    url                     ldap://ldap1.mydomain.ru
>    basedn                  dc=mydomain,dc=ru
>    username                cn=service,dc=mydomain,dc=ru
>    password                passpasspass
> 
>    domain_filter           (&(objectClass=domain)(dc=%s))
>    domain_attributes       dc
> 
>    credentials_filter      (&(objectClass=posixAccount)(uid=%s))
>    credentials_attributes  uid,userPassword
> 
>    userinfo_filter         (&(objectClass=posixAccount)(uid=%s))
>    userinfo_attributes     uid,uidNumber,gidNumber,homeDirectory
> 
>    alias_filter            (&(objectClass=nisMailAlias)(cn=%s))
>    alias_attributes        rfc822MailMember
> 
> ldapd daemon is set up on another host to work over tls and ssl and
> working correctly.
> 
> If I change url to ldaps://ldap1.mydomain.ru
> or to ldap+tls://ldap1.mydomain.ru
> then smtpd -dv shows:
> """
> _
> vdomains[50952]: warn: ldap_parse_url fail
> vdomains[50952]: warn: ldap_connect error
> vdomains[50952]: fatal: failed to connect
> """
> _
> 




Re: ldapd.conf certificate directive not working?

2020-11-28 Thread Martijn van Duren
On Sat, 2020-11-28 at 23:08 +0100, Theo Buehler wrote:
> > "If the certificate name is an absolute path, a .crt and .key
> > extension are appended to form the certificate path and key path
> > respectively."
> > This part does not seem to work at all.
> > Neither it tries to search certificates using the absolute path nor
> > it tries to append .crt or .key extension to the absolute path when no
> > extension is used in config.
> > 
> > Or I do it completely wrong?
> 
> It's a bug. If the certificate path is absolute, faulty short-circuiting
> logic would result in first correctly appending ".crt" to the path, then
> incorrectly prepending "/etc/ldap/cert".
> 
> You can see the problem with a config containing
> 
> listen on lo0 port 6636 tls certificate "/bogus/lo0"
> 
> $ ldapd -vv -f ldapd.conf -n
> ...
> loading certificate file /etc/ldap/certs//bogus/lo0.crt
> ldapd.conf:5: cannot load certificate: /bogus/lo0
> ...
> 
> The diff below avoids calling bsnprintf() twice for an absolute
> certificate path.
> 

Wouldn't it be more future idiot proof if we were a little more verbose?
But if you prefer, your diff also looks good to me.

martijn@

Index: parse.y
===
RCS file: /cvs/src/usr.sbin/ldapd/parse.y,v
retrieving revision 1.36
diff -u -p -r1.36 parse.y
--- parse.y 24 Jun 2020 07:20:47 -  1.36
+++ parse.y 28 Nov 2020 22:54:42 -
@@ -1279,12 +1279,17 @@ load_certfile(struct ldapd_config *env, 
goto err;
}
 
-   if ((name[0] == '/' &&
-!bsnprintf(certfile, sizeof(certfile), "%s.crt", name)) ||
-   !bsnprintf(certfile, sizeof(certfile), "/etc/ldap/certs/%s.crt",
-   name)) {
-   log_warn("load_certfile: path truncated");
-   goto err;
+   if (name[0] == '/') {
+   if (!bsnprintf(certfile, sizeof(certfile), "%s.crt", name)) {
+   log_warn("load_certfile: path truncated");
+   goto err;
+   }
+   } else {
+   if (!bsnprintf(certfile, sizeof(certfile),
+   "/etc/ldap/certs/%s.crt", name)) {
+   log_warn("load_certfile: path truncated");
+   goto err;
+   }
}
 
log_debug("loading certificate file %s", certfile);
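Review bot: the absolute and relative branches now carry identical "path truncated" warn/goto blocks, and the same pair is repeated for the .key file in the next hunk; a single `bsnprintf(certfile, sizeof(certfile), "%s%s.crt", name[0] == '/' ? "" : "/etc/ldap/certs/", name)` (or a small helper taking the suffix) keeps the explicit branching you wanted without four copies of the truncation handling. While these lines are touched, the truncation is not an errno failure, so `log_warnx` would avoid appending an unrelated errno string (pre-existing, not introduced by this diff).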
@@ -1298,12 +1303,17 @@ load_certfile(struct ldapd_config *env, 
goto err;
}
 
-   if ((name[0] == '/' &&
-!bsnprintf(certfile, sizeof(certfile), "%s.key", name)) ||
-   !bsnprintf(certfile, sizeof(certfile), "/etc/ldap/certs/%s.key",
-   name)) {
-   log_warn("load_certfile: path truncated");
-   goto err;
+   if (name[0] == '/') {
+   if (!bsnprintf(certfile, sizeof(certfile), "%s.key", name)) {
+   log_warn("load_certfile: path truncated");
+   goto err;
+   }
+   } else {
+   if (!bsnprintf(certfile, sizeof(certfile),
+   "/etc/ldap/certs/%s.key", name)) {
+   log_warn("load_certfile: path truncated");
+   goto err;
+   }
}
 
log_debug("loading key file %s", certfile);
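Review bot: this hunk is the .crt hunk with only the suffix changed, which argues for a helper such as `static int cert_path(char *buf, size_t sz, const char *name, const char *suffix)` used for both files so the truncation check exists once. Worth verifying against the `/bogus/lo0` config Theo posted: with the diff applied the debug line should read `loading key file /bogus/lo0.key` rather than the `/etc/ldap/certs//bogus/lo0` path the bug produced.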




Re: How to split install.wim

2020-09-02 Thread Martijn van Duren
There's ntfs_3g in ports.
But never had a use for it, so no clue how well it functions.

On Wed, 2020-09-02 at 01:49 -0700, Greg Thomas wrote:
> I believe NTFS is read only on *BSD.
> 
> On Tue, Sep 1, 2020 at 11:44 PM Peter Nicolai Mathias Hansteen <
> pe...@bsdly.net> wrote:
> 
> > 
> > > 2. sep. 2020 kl. 07:33 skrev Predrag Punosevac :
> > > 
> > > Hi All,
> > > 
> > > I am using my desktop
> > > 
> > > predrag@oko$ uname -a
> > > OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#5 amd64
> > > 
> > > to create a bootable Windows 10 USB flash drive. It is a paid job
> > > although I would not be surprised that my consent to do it, is
> > > consistent with the early signs of dementia. I just wasted a few hours
> > > of my life to find out that install.wim is too large to be written on
> > > Fat32 file system as described in this article
> > > 
> > > 
> > https://www.zdnet.com/article/windows-10-installer-files-too-big-for-usb-flash-drive-heres-the-fix/
> > 
> > Urgh. I’s probably due to the lack of a useful dd analogue that they make
> > users jump through hoops like that.
> > 
> > Otherwise my initial reaction before reading the article was ‘just use
> > dd’, but that would be totally foreign territory to most Windows admins
> > most likely.
> > 
> > But I agree with Aaron that the other workaround would be to format the
> > USB drive as NTFS to start with, that would not be subject to the 4GB file
> > size restriction. Just how good the NTFS support is in OpenBSD I have no
> > personal experience with, though.
> > 
> > All the best,
> > 
> > —
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> > 
> > 
> > 
> > 
> > 



Re: Potential grep bug?

2020-06-24 Thread Martijn van Duren
This seems to fix the issue for me.

OK?

martijn@

On Tue, 2020-06-23 at 19:29 -0700, Jordan Geoghegan wrote:
> Hello,
> 
> I was working on a couple POSIX regular expressions to search for and 
> validate IPv4 and IPv6 addresses with optional CIDR blocks, and 
> encountered some strange behaviour from the base system grep.
> 
> I wanted to validate my regex against a list of every valid IPv4 
> address, so I generated a list with a zsh 1 liner:
> 
>   for i in {0..255}; do; echo $i.{0..255}.{0..255}.{0..255} ; done | 
> tr '[:space:]' '\n' > IPv4.txt
> 
> My intentions were to test the regex by running it with 'grep -c' to 
> confirm there was indeed 2^32 addresses matched, and I also wanted to 
> benchmark and compare performance between BSD grep, GNU grep and 
> ripgrep. The command I used:
> 
> grep -Eoc 
> "((25[0-5]|(2[0-4]|1{0,1}[[:digit:]]){0,1}[[:digit:]])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[[:digit:]]){0,1}[[:digit:]])(/[1-9]|/[1-2][[:digit:]]|/3[0-2])?"
> 
> My findings were surprising. Both GNU grep and ripgrep were able get 
> through the file in roughly 10 and 20 minutes respectively, whereas the 
> base system grep took over 20 hours! What interested me the most was 
> that the base system grep when run with '-c' returned '0' for match 
> count. It seems that 'grep -c' will have its counter overflow if there 
> are more than 2^32-1 matches (4294967295) and then the counter will 
> start counting from zero again for further matches.
> 
>  ryzen$ time zcat IPv4.txt.gz | grep -Eoc "((25[0-5]|(2[0-4]|1{0,1}...
>  0
>  1222m09.32s real  1224m28.02s user 1m16.17s system
> 
>  ryzen$ time zcat allip.txt.gz | ggrep -Eoc "((25[0-5]|(2[0-4]|1{0,1}...
>  4294967296
>  10m00.38s real11m40.57s user 0m30.55s system
> 
>  ryzen$ time rg -zoc "((25[0-5]|(2[0-4]|1{0,1}...
>  4294967296
>  21m06.36s real27m06.04s user 0m50.08s system
> 
> # See the counter overflow/reset:
>  jot 4294967350 | grep -c "^[[:digit:]]"
>  54
> 
> All testing was done on a Ryzen desktop machine running 6.7 stable.
> 
> The grep counting bug can be reproduced with this command:
> jot 4294967296 | nice grep -c "^[[:digit:]]"
> 
> Regards,
> 
> Jordan
> 
Index: util.c
===
RCS file: /cvs/src/usr.bin/grep/util.c,v
retrieving revision 1.62
diff -u -p -r1.62 util.c
--- util.c  3 Dec 2019 09:14:37 -   1.62
+++ util.c  24 Jun 2020 06:46:52 -
@@ -106,7 +106,8 @@ procfile(char *fn)
 {
str_t ln;
file_t *f;
-   int c, t, z, nottext;
+   int t, z, nottext;
+   unsigned long long c;
 
mcount = mlimit;
 
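Review bot: widening `c` to unsigned long long removes the wrap at 2^32 matches inside procfile, but only if the count survives the way out; if procfile returns `c` to its caller (the return is outside this hunk), an `int` return type truncates it again, and a caller that sums per-file totals needs the same width. Also check the uses of `c` that are not in this diff, in particular any comparison against `mcount`/`mlimit` (assigned on the line just below the declaration), for signed/unsigned mismatches now that `c` is unsigned.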
@@ -169,7 +170,7 @@ procfile(char *fn)
if (cflag) {
if (!hflag)
printf("%s:", ln.file);
-   printf("%u\n", c);
+   printf("%llu\n", c);
}
if (lflag && c != 0)
printf("%s\n", fn);
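Review bot: `%llu` now matches the declared type, and the `c != 0` test on the next line is unaffected by the change to unsigned, so the hunk is correct as far as the visible lines go; the old `%u` with an `int` argument was already a format mismatch. Since regress cannot reasonably generate 2^32 matches, the commit message should record that counts above 4294967295 were previously printed modulo 2^32, as the reporter's `jot 4294967350 | grep -c` showing 54 demonstrates.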



Re: filter-dkimsign and multiple domains

2020-05-05 Thread Martijn van Duren
On 5/5/20 7:15 PM, Paul N. Pace wrote:
> I saw the recent thread regarding multiple domains and filter-dkimsign.
> 
> I just wanted to add in my $.02 that I prefer to have as much 
> proof-of-work as reasonable since it seems, at least a little, to help 
> with inboxing at the oligopoly providers. The trend for them to direct 
> legitimate mail to spam filters has been notching up year-by-year, and 
> having the domain of the DKIM signature match the from address seems 
> like an easy check for them to perform.
> 
> My purpose for filter-dkimsign is on a webserver that sends 
> transactional email for several domains.
> 
> A solution that would work for me does not have to be complex or 
> feature-rich. For example, if there were an option to sign with whatever 
> domain is in the from address (everything after '@'), that would be perfect.
> 
> In any case, thank you for the very easy to implement DKIM signing solution.
> 
> Paul
> 
You've read the thread so you know my position and you know what it
would take for me to change my mind, yet you come here with a feature-
request that's actually worth what you priced it.
Your request *IS* complex and it *IS* feature-rich if you actually took
the time to work out the details of what you're asking. If I'm wrong in
that show me your diff and we'll talk.

martijn@



Re: How to enable TLS 1.3?

2020-04-30 Thread Martijn van Duren
If it's not in the manpage it's probably not there.
I gave a quick look through the relayd source, but from what I saw
there's no TLS1.3 support there.


On 4/30/20 3:55 PM, Chad Hoolie wrote:
> Any idea about relayd though? I don't see any mentioning of 1.3 in man 
> relayd.conf:
> 
> tls
>   no tlsv1.2
>   Disable the TLSv1.2 protocol.  The default is to enable
>   TLSv1.2.
> 
>   sslv3   Enable the SSLv3 protocol.  The default is no sslv3.
> 
>   tlsv1   Enable all TLSv1 protocols.  This is an alias that
>   includes tlsv1.0, tlsv1.1, and tlsv1.2.  The default is
>   no tlsv1.
> 
>   tlsv1.0
>   Enable the TLSv1.0 protocol.  The default is no tlsv1.0.
> 
>   tlsv1.1
>   Enable the TLSv1.1 protocol.  The default is no tlsv1.1.
> 
> --Chad
> 
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 30, 2020 3:04 PM, Martijn van Duren 
>  wrote:
> 
>> On 4/30/20 1:19 PM, Chad Hoolie wrote:
>>
>>> Hello,
>>> I'm using httpd with acme-client and Let's Encrypt 
>>> (https://www.romanzolotarev.com/openbsd/acme-client.html).
>>> This setup, however, only seems to support TLS 1.2, whereas TLS 1.3 is 
>>> needed to achieve A+ ratings across the board.
>>> Anybody know how to make the upgrade?
>>> --Chad
>>
>> httpd(8):
>> protocols string Specify the TLS protocols to enable for this server.
>> If not specified, the value "default" will be used (secure protocols;
>> TLSv1.2-only). Refer to the tls_config_parse_protocols(3) function for
>> other valid protocol string values.
>>
>> tls_config_parse_protocols(3):
>> Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all
>> supported protocols),
>>
>> untested, but seems pretty self-explanatory.
> 
> 



Re: How to enable TLS 1.3?

2020-04-30 Thread Martijn van Duren
On 4/30/20 1:19 PM, Chad Hoolie wrote:
> Hello,
> 
> I'm using httpd with acme-client and Let's Encrypt 
> (https://www.romanzolotarev.com/openbsd/acme-client.html).
> 
> This setup, however, only seems to support TLS 1.2, whereas TLS 1.3 is needed 
> to achieve A+ ratings across the board.
> 
> Anybody know how to make the upgrade?
> 
> --Chad
> 
httpd(8):
protocols string Specify the TLS protocols to enable for this server.   
If not specified, the value "default" will be used (secure protocols; 
TLSv1.2-only).  Refer to the tls_config_parse_protocols(3) function for 
other valid protocol string values.


tls_config_parse_protocols(3):
Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all
supported protocols),

untested, but seems pretty self-explanatory.
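Put together from the two manual page excerpts above, as an added example that is not part of the original reply: an httpd.conf server block with TLS 1.3 enabled next to 1.2 via the `protocols` keyword of httpd.conf(5), using the keyword names from tls_config_parse_protocols(3). The host name, certificate paths and the acme-client location are placeholders.

```conf
# Added example, not from the original thread. example.com and the paths
# are assumptions; adjust to the names acme-client writes.
server "example.com" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/example.com.fullchain.pem"
		key "/etc/ssl/private/example.com.key"
		# "default" is TLSv1.2 only; name both versions explicitly
		protocols "tlsv1.2,tlsv1.3"
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
```

Check the file with `httpd -n` before reloading, then confirm the negotiated version from another host with `openssl s_client -tls1_3 -connect example.com:443 </dev/null`, which fails the handshake if 1.3 is not offered.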



Re: /bin/sh echo \n

2020-04-26 Thread Martijn van Duren
On 4/26/20 12:27 PM, Thomas de Grivel wrote:
> Hello,
> 
> I was testing some scripting using /bin/sh and I could not find this
> behaviour in the documentation :
> 
>> $ /bin/sh
>> $ echo -n '\n'
>>
>> $
> 
> It seems that ksh even in sh (posix ?) mode does expansion of \n to an
> actual newline.> 
> First is there a way to turn off the \n expansion in simple quotes in /bin/sh 
> ?

You mean placing an additional \ in front of it?
$ echo '\\n'
\n

Or by calling the binary instead of the shell builtin?
$ /bin/echo '\n'
\n

Or by adding -E?
$ echo -E '\n'
\n

Now also note what POSIX itself says[0]:
It is not possible to use echo portably across all POSIX systems unless
both -n (as the first argument) and escape sequences are omitted.
...
New applications are encouraged to use printf instead of echo.
> 
> Second I don't see this feature described neither in man sh nor man
> ksh so is it a known behaviour of ksh ?

from echo(1):
echo does not support any of the backslash character sequences mandated
by XSI.

from ksh(1):
See the print command below for a list of other backslash sequences that
are recognized.
...
By default, certain C escapes are translated.  These include ‘\b’, ‘\f’,
‘\n’, ‘\r’, ‘\t’, ‘\v’, and ‘\0###’ (‘#’ is an octal digit, of which
there may be 0 to 3).
> 
> Thanks a ton,
> 
[0] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/echo.html
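The POSIX note quoted above is the practical answer: stop using echo for anything whose content you do not control. The functions below are an added example for this thread, not code from the original reply; they show the printf forms that behave identically in OpenBSD sh, bash and /bin/echo, including the case where the data itself starts with `-n`, which echo would swallow as an option.

```shell
#!/bin/sh
# Added example, not from the original thread: the portable alternatives
# to echo that the POSIX note recommends. printf '%s' writes its argument
# byte for byte in every POSIX shell, whereas what echo does with '\n' or
# a leading -n differs between OpenBSD sh, bash and /bin/echo.

# say: print each argument on its own line, with no escape processing at all
say() {
	printf '%s\n' "$@"
}

# say_escapes: expand backslash escapes on purpose, via %b rather than echo -e
say_escapes() {
	printf '%b\n' "$1"
}

say '\n'            # prints the two characters \ and n, in any shell
say -n              # prints -n: the format comes first, data is never an option
say_escapes 'a\nb'  # prints a and b on separate lines
```

The `%s` form is the one to use when the argument comes from a file name, an environment variable or a network peer; `%b` is the explicit opt-in for escape processing, so a reader of the script can see where expansion is intended.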



Re: [/ is full] How to delete junk in /dev ?

2020-04-05 Thread Martijn van Duren
On 4/5/20 10:19 AM, Olivier wrote:
> Hi,
> 
> I am running OpenBSD from a long time(T410 / Amd64) ; and 6.6 from the 
> release. I did not monitor the size of / in the past...
> Until today :(
> 
> Please, how to identify junk to remove in /dev below :
> 
> +---< oliv@snow >---< / >
> +---> df -h 
> Filesystem SizeUsed   Avail Capacity  Mounted on
> /dev/sd0a 1008M   1003M  -44.9M   105%/
> /dev/sd0m 37.4G3.7G   31.8G10%/home
> /dev/sd0d  3.9G1.6M3.7G 0%/tmp
> /dev/sd0f  3.9G975M2.8G25%/usr
> /dev/sd0g 1008M258M700M27%/usr/X11R6
> /dev/sd0h 15.7G4.5G   10.5G30%/usr/local
> /dev/sd0l  2.0G2.0K1.9G 0%/usr/obj
> /dev/sd0k  2.0G2.0K1.9G 0%/usr/src
> /dev/sd0e  7.9G971M6.5G13%/var
> +---< oliv@snow >---< / >
> +---> doas find -x / -size +1 -exec du -h {} \; 
> 17.9M /bsd
> 9.8M  /bsd.rd
> 848K  /dev/sdXc
> 884M  /dev/sd3
> 17.8M /bsd.sp
> 17.9M /bsd.booted
> +---< oliv@snow >---< / >
> +---> doas du -d1 -h -x /   
> 2.0K  /home
> 2.0K  /tmp
> 2.0K  /usr
> 2.0K  /var
> 16.0K /net
> 2.0K  /altroot
> 10.1M /bin
> 885M  /dev
> 16.2M /etc
> 2.0K  /mnt
> 4.6M  /root
> 23.4M /sbin
> 1003M /
> +---< oliv@snow >---< / >
> +---> doas du -d1 -h -x /dev
> 2.0K  /dev/fd
> 885M  /dev
> +---< oliv@snow >---< / >
> +---> 
> 
> 
> 
> 
> Thanks in advance.
> 
Most likely one of your device nodes turned into a regular file.
Considering what I've seen over the years the most likely culprit is
/dev/null.
Probably the easiest way to find it is with:
find /dev/ -type f -a ! -name MAKEDEV
Once you've found it you can just delete it and recreate it with
cd /dev; sh ./MAKEDEV 

martijn@
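The find command above locates the file; what a practitioner usually also wants is a check that the nodes a system depends on really are device nodes, since a regular `/dev/null` silently collects everything redirected into it until the root file system is full. This is an added example for the thread, not part of the original reply; the directory argument exists only so the check can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original thread: find device nodes that have
# turned into regular files. A stray "> /dev/null" as a file copy, or a cp
# into /dev, replaces the node with a file that then grows until / is full.
# The DIR argument defaults to /dev and exists so the check can be exercised
# on a scratch directory.

# list_fake_nodes DIR: print regular files under DIR, except MAKEDEV itself
list_fake_nodes() {
	find "${1:-/dev}" -xdev -type f ! -name MAKEDEV -exec ls -l {} \;
}

# is_devnode PATH: 0 if PATH is a character or block device, 1 otherwise
is_devnode() {
	[ -c "$1" ] || [ -b "$1" ]
}

# check_node PATH: report a node that needs "cd /dev && sh ./MAKEDEV <name>"
check_node() {
	if is_devnode "$1"; then
		echo "ok: $1"
		return 0
	fi
	echo "not a device node: $1 (delete it and recreate it with MAKEDEV)"
	return 1
}

check_node /dev/null
list_fake_nodes /dev
```

Run it as root so `find` can traverse all of /dev; `-xdev` keeps it from descending into anything mounted below it.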



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Martijn van Duren
On 3/19/20 9:21 PM, Matthieu wrote:
> Le 19/03/2020 à 20:46, Martijn van Duren a écrit :
>> On 3/19/20 8:24 PM, Matthieu wrote:
>>> Thank you for your response.
>>> My main reason is that, as a freelancer, I have a professional email
>>> that I don't want to mix with my personal email. Moreover, a friend asks
>>> me to host his emails and I don't want to mix it up either.
>>
>> Please be more concise. What do you mean "don't want to mix it up"?
>> What would be mixed up? What would be the consequences of that?
>> Based on what would it need to be separated?
> I don't want the personal or professional domain name to appear in the 
> other's signature. I understand that nobody is going to look at it and 
> that it's a bit maniacal, but I find it cleaner.
> Knowing that Gmail and others are quite strict about their spam filters, 
> I don't find it useless.
> 
So basically the warm and fuzzies. :-)
No problem, but in that case dkimsign is not for you and dkimproxy might
be more suitable.



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Martijn van Duren
On 3/19/20 8:24 PM, Matthieu wrote:
> 
>> On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote:
> 
>> Could you explain why you (think you) need to have multiple domain
>> support?
>> You (currently?) can't. If you want multiple conditions on different
>> filters you would need to create multiple listening sockets (e.g.
>> multiple ips or ports) and apply the correct match-rules based on the
>> socket.
>>
>> martijn@
>>
> Thank you for your response.
> My main reason is that, as a freelancer, I have a professional email 
> that I don't want to mix with my personal email. Moreover, a friend asks 
> me to host his emails and I don't want to mix it up either.

Please be more concise. What do you mean "don't want to mix it up"?
What would be mixed up? What would be the consequences of that?
Based on what would it need to be separated?

And just to be clear, I'm not trying to be a pedantic asshole for its
own sake. I honestly don't see where our interpretations diverge.
> 
> I'm not a C developer, but if I propose a patch for this feature, does it 
> have a possibility to be integrated ?
> 
Any patch is welcome if properly motivated. If it's not up to par we can
always polish it further. But I'd advise to first come to an understanding
on the motivation.



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Martijn van Duren
On 3/19/20 7:49 PM, Chris Bennett wrote:
> On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote:
>> That's because filter-dkimsign doesn't support multiple domains, and
>> unless someone can give me a good reason to do so it probably is going
>> to stay that way.
>>
>> I know that some mail providers add an additional positive score to
>> your spam rating if you have DKIM, but I reckon this is BS, because
>> DKIM is nothing more than a glorified debugging tool to tell you which
>> server butchered the content of your mail if every server in the chain
>> adds a DKIM signature. To be precise: it only tells you that a
>> particular domain owner (d-option) knows what server(s) a particular key
>> (s-option) belongs to, so that if a signature fails it could only
>> have happened before the last server which has a valid signature.
>>
>> Could you explain why you (think you) need to have multiple domain
>> support?
>> You (currently?) can't. If you want multiple conditions on different
>> filters you would need to create multiple listening sockets (e.g.
>> multiple ips or ports) and apply the correct match-rules based on the
>> socket.
>>
>> martijn@
>>
> 
> OK, thanks for clearing that up. I learned a lot using it. I would also
> like to use multiple domains, but I don't see any reason to ask you to
> do any more work than you want to.
> Thanks for your work. I appreciate it. And trying to use multiple
> domains was a good lesson in strange results. :-}
> 
> Chris Bennett
> 
I've had multiple people tell me that they want to have multiple domain
support, but either they misunderstood the workings of DKIM, or it's a
case of "but it gives me the warm and fuzzies".

So please, be as clear as you can be on why you want to use it and how
you want to use it; and either we can improve your understanding of the
spec and your setup (and help people on the list at the same time) or
you make a valid case (maybe I did miss something) and I might be
motivated to add it.

In other words, I'm not definitively saying no, but it will only
complicate the code even further with all the additional risks; there
must be a damn good reason to go down that path.



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Martijn van Duren
On 3/19/20 5:06 AM, Graeme Lee wrote:
> 
> 
> On 19/03/2020 8:45 am, Martijn van Duren wrote:
>> On 3/18/20 8:41 PM, Matthieu wrote:
>>> Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit :
>>>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>>>> Hi everybody
>>>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it 
>>>>> before ?
>>>>> My first intention is to sign mails from different domains on a single 
>>>>> mail
>>>>> server. So the
>>>>>
>>>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>>>> smptd filter.
>>>>> I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify
>>>>> one domaine.
>>>>>
>>>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>>>> not.
>>>>>
>>>>> Thx for any help.
>>>>>
>>>> Hi,
>>>>
>>>> Theres an example described in the smtpd.conf(5) man page.
>>>>
>>>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>>>
>>>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>>>> It's relatively small and also privilege-separated.
>>>>
>>>> It has a parameter to set the domain name (-d). In smtpd.conf you can 
>>>> define
>>>> multiple filters. See also the man page filter-dkimsign(8) for detailed
>>>> information.
>>>>
>>>> I've replaced dkimproxy (Perl-based and complex) with
>>>> opensmtpd-filter-dkimsign. It works well for my needs.
>>>>
>>> Hi Hiltjo,
>>> Currently I already use opensmtpd-filter-dkimsign, but I didn't
>>> understand how to use it for multiple domains at once.
>>>
>>> I've seen the example in the man page :
>>> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
>>>
>>> I thought  was to be replaced by only one domain to sign. Is a
>>> domain a table like Alias? If so, what is the format of the file? But I
>>> doubt it since in the filter code it doesn't look like a list.
>>>
>>> static char *domain = NULL;
>>> […]
>>> case 'd':
>>>   domain = optarg;
>>> […]
>>> if (!dkim_signature_printf(message,
>>>     "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>>>     cryptalg, hashalg,
>>>     canonheader == CANON_SIMPLE ? "simple" : "relaxed",
>>>     canonbody == CANON_SIMPLE ? "simple" : "relaxed",
>>>     domain, selector))
>>>
>>> Finally in the example given in this presentation it is indeed a single
>>> domain:
>>> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>>>
>> That's because filter-dkimsign doesn't support multiple domains, and
>> unless someone can give me a good reason to do so it probably is going
>> to stay that way.
> I'm using dkimproxy for this.  I host multiple domain names. dkimproxy 
> is pretty easy to configure to sign outbound on a per domain basis.
> 
> /etc/dkimproxy_out.conf
> listen 127.0.0.1:
> relay 127.0.0.1:
> sender_map /etc/mail/dkim/sender_map
> 
> /etc/mail/dkim/sender_map
> example.com 
> dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
> example.org 
> dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
> ...
> 
> I can send the smtpdconf through if you're stuck.
> 
> If the domain being relayed is not in the map, it isn't signed. 
> dkimproxy is not doing any inbound processing.  It would be awesome to 
> pull this from a pgsql db source, which is how I manage what smtpd can 
> and cannot relay.
> 
>>
>> I know that some mail providers add an additional positive score to
>> your spam rating if you have DKIM, but I reckon this is BS, because
>> DKIM is nothing more than a glorified debugging tool to tell you which
>> server butchered the content of your mail if every server in the chain
>> adds a DKIM signature. To be precise: it only tells you that a
>> particular domain owner (d-option) knows what server(s) a particular key
>> (s-option) belongs to, so that if a signature fails it could only
>> have happened before the last server which has a valid signature.
>>
>> Could you explain why you (think you) need to have multiple domain
>> support?
> I own (and manage) multiple domains.  Why would I not take advantage of 
> virtual domains on 1 host?

I do too, but as far as I'm aware there's nothing in the spec that states
that a mail domain should be signed with a key in its own domain; and
I'd like to think that I've been pretty thorough while reading it multiple
times. If I want I can sign a mail with an @gmail.com sender on it with
my personal imperialat.at DKIM key and recipients will properly validate
it.

So yes, I have multiple virtual hosts and only one key (domain+selector)
per server. And if you were to look through your mailbox you'd find
multiple vendors who also sign their mail with a different domain in
their DKIM signature than is in the domain component of their from
header; including office365.
> 
> Graeme
> 
> 
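As an added example, not code from filter-dkimsign or from anyone in this thread: a small stdlib-only Python checker that parses a DKIM-Signature header, canonicalises the body per RFC 6376 3.4, recomputes bh=, and reports the signing domain (d=) next to the From: domain. The sample message and its bh= are constructed here; its b= is a placeholder and the signature itself is not verified (that needs the selector's public key from DNS). It illustrates Martijn's point: DKIM itself ties the signature to d=, not to the From: domain, so a gmail.com From: signed under imperialat.at is a perfectly valid DKIM signature. The caveat a practitioner wants is that DMARC's alignment check, not DKIM, is what later demands that d= match the From: domain.

```python
"""Added example: DKIM-Signature parsing, body canonicalisation and bh= check.
Not filter-dkimsign code; the sample message below is constructed."""
import base64
import hashlib
import re
from email.utils import parseaddr


def parse_dkim_signature(value: str) -> dict:
    """Split a tag=value list (RFC 6376 3.2). Folding whitespace inside
    values (b=, bh=, h= lists) is dropped."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        name, eq, val = item.partition("=")   # first '=' only: b= has padding
        if not eq:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canon_body(body: bytes, mode: str) -> bytes:
    """simple: drop trailing empty lines only (empty body -> CRLF).
    relaxed: also collapse runs of WSP to one SP and strip trailing WSP on
    each line (RFC 6376 3.4.3 and 3.4.4). Bare LF is accepted on input."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown canonicalization {mode!r}")
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    """bh= value: base64 of the hash over the canonicalised body."""
    digest = hashlib.new(algo, canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw: bytes):
    """Return ([(name, unfolded value), ...], body) for an RFC 5322 message."""
    text = raw.replace(b"\r\n", b"\n")
    head, _, body = text.partition(b"\n\n")
    head = re.sub(rb"\n[ \t]+", b" ", head)          # unfold continuation lines
    headers = []
    for line in head.split(b"\n"):
        name, colon, val = line.partition(b":")
        if not colon:
            raise ValueError(f"bad header line {line!r}")
        headers.append((name.strip().decode("ascii"),
                        val.strip().decode("utf-8", "replace")))
    return headers, body


def get_header(headers, name: str) -> str:
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    raise KeyError(name)


def from_domain(from_value: str) -> str:
    return parseaddr(from_value)[1].rpartition("@")[2].lower()


def check_message(raw: bytes) -> dict:
    """Recompute bh= and compare the signing domain with the From: domain."""
    headers, body = split_message(raw)
    tags = parse_dkim_signature(get_header(headers, "DKIM-Signature"))
    # c=header/body; a lone "relaxed" means body canonicalisation is simple
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algo = tags["a"].partition("-")[2]                # rsa-sha256 -> sha256
    d = tags["d"].lower()
    fd = from_domain(get_header(headers, "From"))
    return {
        "bh_ok": body_hash(body, body_mode, algo) == tags["bh"],
        "d": d,
        "s": tags["s"],
        "from_domain": fd,
        # DKIM does not require this relation; DMARC alignment does.
        "from_matches_d": fd == d or fd.endswith("." + d),
    }


# Constructed sample mirroring the thread: a gmail.com From: signed under the
# imperialat.at domain. b= is a placeholder; only bh= is checked here.
SAMPLE_BODY = b"Hello list,  \t \r\nthis   body has  odd\t spacing\r\n\r\n\r\n"
_HEAD = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=imperialat.at;\r\n"
    b"\ts=selector1; h=from:to:subject; bh=%s;\r\n"
    b"\tb=placeholder\r\n"
    b"From: Someone <someone@gmail.com>\r\n"
    b"To: misc@openbsd.org\r\n"
    b"Subject: DKIM signing domain vs From domain\r\n"
    b"\r\n"
)
SAMPLE_MESSAGE = _HEAD % body_hash(SAMPLE_BODY, "relaxed").encode("ascii") + SAMPLE_BODY

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))
```

Running it reports bh_ok True, d=imperialat.at and from_domain=gmail.com with from_matches_d False: the body hash checks out and a verifier with the selector1 key would accept the signature, even though the signing domain is unrelated to the sender's domain.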



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Martijn van Duren
On 3/18/20 8:41 PM, Matthieu wrote:
> Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit :
>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>> Hi everybody
>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before ?
>>> My first intention is to sign mails from different domains on a single mail
>>> server. So the
>>>
>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>> smptd filter.
>>> I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify
>>> one domaine.
>>>
>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>> not.
>>>
>>> Thx for any help.
>>>
>>
>> Hi,
>>
>> Theres an example described in the smtpd.conf(5) man page.
>>
>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>
>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>> It's relatively small and also privilege-separated.
>>
>> It has a parameter to set the domain name (-d). In smtpd.conf you can define
>> multiple filters. See also the man page filter-dkimsign(8) for detailed
>> information.
>>
>> I've replaced dkimproxy (Perl-based and complex) with
>> opensmtpd-filter-dkimsign. It works well for my needs.
>>
> 
> Hi Hiltjo,
> Currently I already use opensmtpd-filter-dkimsign, but I didn't 
> understand how to use it for multiple domains at once.
> 
> I've seen the example in the man page :
> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
> 
> I thought  was to be replaced by only one domain to sign. Is a 
> domain a table like Alias? If so, what is the format of the file? But I 
> doubt it since in the filter code it doesn't look like a list.
> 
> static char *domain = NULL;
> […]
> case 'd':
>   domain = optarg;
> […]
> if (!dkim_signature_printf(message,
>     "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>     cryptalg, hashalg,
>     canonheader == CANON_SIMPLE ? "simple" : "relaxed",
>     canonbody == CANON_SIMPLE ? "simple" : "relaxed",
>     domain, selector))
> 
> Finally in the example given in this presentation it is indeed a single 
> domain:
> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>  
> 
That's because filter-dkimsign doesn't support multiple domains, and
unless someone can give me a good reason to do so it probably is going
to stay that way.

I know that some mail providers add an additional positive score to
your spam rating if you have DKIM, but I reckon this is BS, because
DKIM is nothing more than a glorified debugging tool to tell you which
server butchered the content of your mail if every server in the chain
adds a DKIM signature. To be precise: it only tells you that a
particular domain owner (d-option) knows what server(s) a particular key
(s-option) belongs to, so that if a signature fails it could only
have happened before the last server which has a valid signature.

Could you explain why you (think you) need to have multiple domain
support?
> 
> Besides, I can't find the man page you're talking about:
> https://man.openbsd.org/filter-dkimsign

man.openbsd.org doesn't contain manpages for packages.
But it should be installed with the package (man filter-dkimsign)
> 
> Finally, I understand how to write multiple filters, but not how to 
> modify the "listen" directive to choose the right filter.
> 
You (currently?) can't. If you want multiple conditions on different
filters you would need to create multiple listening sockets (e.g.
multiple ips or ports) and apply the correct match-rules based on the
socket.

martijn@

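As an added example, not a configuration from this thread, one way to apply the "multiple listening sockets" advice above in smtpd.conf: one submission listener per address, each tagged and attached to its own filter-dkimsign instance. The addresses, credential tables, selectors, key paths and the _dkimsign user/group are assumptions; the filter-dkimsign options used are -d (domain), -s (selector) and -k (private key).

```conf
# Added example; addresses, tables, key paths and selectors are assumptions.
pki "mail" cert "/etc/ssl/mail.crt"
pki "mail" key "/etc/ssl/private/mail.key"

table creds_com file:/etc/mail/creds_com
table creds_org file:/etc/mail/creds_org

# One filter-dkimsign instance per signing domain.
filter "dkim_com" proc-exec "filter-dkimsign -d example.com -s selector1 -k /etc/mail/dkim/example.com.key" user _dkimsign group _dkimsign
filter "dkim_org" proc-exec "filter-dkimsign -d example.org -s selector1 -k /etc/mail/dkim/example.org.key" user _dkimsign group _dkimsign

# The filter is chosen by the socket the client connects to, not by the
# sender address: each listener gets its own tag and its own filter.
listen on 192.0.2.10 port submission tls-require pki "mail" auth <creds_com> tag COM filter "dkim_com"
listen on 192.0.2.11 port submission tls-require pki "mail" auth <creds_org> tag ORG filter "dkim_org"

action "outbound" relay

match auth tag COM from any for any action "outbound"
match auth tag ORG from any for any action "outbound"
```

Because selection happens per listener, a user who authenticates on the .com socket and sends with an example.org From: still gets an example.com signature; as discussed in this thread, recipients will validate that signature, since DKIM ties it to d= and the selector, not to the From: domain.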


Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Martijn van Duren
On 3/18/20 3:59 PM, Jeffrey Walton wrote:
> On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  wrote:
>>
>> On 2020-03-18, Jeffrey Walton  wrote:
>>> According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
>>> OpenBSD implements glibc bounds checking on certain functions. I am
>>> trying to detect FORTIFY_SOURCE without looking up operating system
>>> names and versions.
>>
>> That is a NetBSD manual page, it does not apply to OpenBSD.
> 
> Thanks.
> 
> I may be splitting hairs, but the page's title clearly says it is an
> OpenBSD man page.
> 
> What is the purpose of supplying man pages for the wrong operating
> system? It wastes people's time and breaks search. This search does
> not produce expected results:
> https://www.google.com/search?q=FORTIFY_SOURCE+site%3Aopenbsd.org.
> 
> If you really want to confuse folks, maybe OpenBSD can supply Windows man 
> pages.
> 
> Jeff
> 
What do you mean?
Do you mean "OpenBSD manual page server", which clearly states that OpenBSD
is just the server?
From the NAME section: "security — NetBSD security features"
From the DESCRIPTION section: "NetBSD supports a variety of security
features"
From the footer: "May 21, 2016 NetBSD-8.1"

On the entire page OpenBSD is only mentioned once, NetBSD 16 times, not
including the drop down menu allowing you to select your operating
system + version of choice.

To me this feels similar to someone coming to the list and asking why
they can't find snmpctl on their OpenBSD 6.6 machine, because some
search engine send them to a 6.5 or older page.



Re: Start point to learn OpenBSD programming

2020-03-16 Thread Martijn van Duren
On 3/16/20 9:22 AM, Ingo Schwarze wrote:
> Hi Martijn,
> 
> Martijn van Duren wrote on Mon, Mar 16, 2020 at 08:52:54AM +0100:
>> On 3/16/20 8:23 AM, Martin wrote:
>> If you want reading material find a function you don't understand and
>> look up the manpage. If you want to have a more adventurous approach:
>> $ PAGE=$(ls /usr/share/man/man[23] | sort -R  | head -1); \
>> man ${PAGE##*.} ${PAGE%.*}
> 
> That can be simplified:
> 
>   $ man -l $(ls /usr/share/man/man[23]/*.[23] | sort -R  | head -1)
> 
> ;-)
>   Ingo
> 
Who said I went for simple? I even left a minor bug in there for Martin
to find. :-)



Re: Start point to learn OpenBSD programming

2020-03-16 Thread Martijn van Duren
On 3/16/20 8:23 AM, Martin wrote:
> Hello list,
> 
> The best way for beginner to start with OpenbBSD programming?
> 
> Martin
> 
This belongs on misc, so moving it there.

My usual routine (and probably of a lot of other OpenBSD developers) is:
1) Use it
2) Get annoyed by something (bug?)
3) Dive into /usr/src to see what it actually does
4a) Realize I'm wrong in my initial annoyance; goto 1)
4b) Realize you can't fix the bug and ask for help on bugs@; goto 1)
4c) Try to fix the bug and send a patch to tech@
5a) Patch falls in between the cracks (no-one responds) and it's not
that important to you; goto 1)
5b) Patch falls in between the cracks and it's important to you;
send reminder and goto 1) in the meantime.
5c) Realize my interpretation was wrong based on feedback; goto 1)
5d) Realize my patch was wrong based on feedback; goto 4b)
5e) Patch gets committed; goto 1)

If you want reading material find a function you don't understand and
look up the manpage. If you want to have a more adventurous approach:
$ PAGE=$(ls /usr/share/man/man[23] | sort -R  | head -1); \
man ${PAGE##*.} ${PAGE%.*}

Another interesting place for some backstories is:
https://www.openbsd.org/events.html

Hope this helps.

martijn@



Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-28 Thread Martijn van Duren
On 1/28/20 9:29 AM, Patrick Kristiansen wrote:
> Hi Ingo
> 
> Thank you for your reply.
> 
> I can't say I disagree with your and the OpenBSD team's attitude about
> bug-free daemons. But I am just a lowly application programmer, and
> sometimes I introduce horrible bugs that make our systems crash. In many
> cases it will be preferable to just start the process again (and, of
> course, fix the bug) for the purposes of keeping our business running.

Everyone has a testing environment, not everyone has a production
environment...
> 
> But another use for daemon(8) is for its ability to detach the child
> process from the controlling terminal and furthermore redirect its
> stdout/stderr to syslog. Is there some mechanism to do that from the
> shell? Perhaps a combination of nohup and starting a background job?

I once had to write a support script in shell that needed to run as a
daemon; basically some action needed to be taken if something was found
in a log-file. To do this I did exactly what you said:
nohup  2>&1 | logger  &
and put this inside an rc.d file or equivalent format of your OS of
choice.

Now I'm not promoting this kind of hackery, but this worked for me
quite reliably at the time.

martijn@
> 
> Best regards,
> Patrick
> 
>> Hi Patrick,
>>
>> Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:
>>
>>> Is there something like the FreeBSD daemon(8) command for OpenBSD,
>>> which can run a process in the background and restart it if it
>>> crashes?
>>
>> Absolutely not, we are strongly convinced this is an utterly stupid
>> idea and a serious security risk.
>>
>> If a daemon crashes, it has a bug.  Many bugs that cause crashes
>> are also exploitable.  So if a daemon crashes, you first have to
>> understand why it crashed, fix or at least mitigate the bug, and
>> can only restart it afterwards.
>>
>> Restarting it automatically is an irresponsible thing to do.
>>
>> If a daemon keeps crashing so frequently that you can only run it
>> in production with automatic restarts, then running it at all is
>> irresponsible in the first place.
>>
>> Yours,
>>  Ingo
> 



Re: The OpenBSD talk at 36c3

2019-12-30 Thread Martijn van Duren
On 12/30/19 11:46 AM, Claudio Jeker wrote:
> On Sun, Dec 29, 2019 at 01:29:12PM +0100, Henry Jensen wrote:
>> Greetings,
>>
>> for those who didn't watched it, there is an accompanied site at
>> https://isopenbsdsecu.re/
>>
>> Summary: There are a lot of claims. The speaker basically said, that
>> some mitigations are "cool", but other, more or less, useless.
>>
>> Further accusations are, that OpenBSD still uses e-mail and cvs and not
>> more advanced CI tools.
>>
>> I can't say anything to the more technical claims about useless
>> mitigations, since I am not a OS developer. Is there going to be a
>> response from the OpenBSD team?
>>
> 
> One thing that everyone can check is the claim that 50% of our commit
> messages are less than 10 chars long and 75% are less than 20 chars.
> Using the git repo you can run something like this and get the numbers
> yourself.
> 
> openbsd-git> git log --log-size --format="%B" | grep '^log size ' | \
>     cut -f 3 -d ' ' | \
>     awk '{ t++; if ($1 <= 10) s++; if ($1 <= 20) m++; else l++; }
>          END { print s " <= 10 char"; print m " <= 20 char";
>                print l " rest"; print t " total" }'
> 
> 12386 <= 10 char
> 25894 <= 20 char
> 176304 rest
> 202198 total
> 
> Sorry but 25k is no where close to 75% of 202198.
> Seems he did count words not characters.
> 
And of those messages the vast majority are sync and regen, which are
done to whip the build/sets infrastructure back into shape after a major
change (addition or deletion) and don't need any additional information.

$ git log --log-size --format="%B" | \
awk '/^log size/{
  if (matches == 1) {messages[line]++; line = ""}
  matches = 0;
  if ($3 <= 10) { matches = 1}
}
{
  if (matches == 1 && $0 !~ /^log size/) {line = line tolower($0)}
}
END {
  for (line in messages){ print messages[line]": "line}
}' | \
sort -n | tail
107: tweaks;
115: spelling
117: regen.
135: indent
183: oops
249: spacing
416: knf
441: typo
1902: regen
4915: sync



Re: snmpd(8) custom OID names

2019-11-28 Thread Martijn van Duren
On 11/27/19 4:27 PM, Joel Carnat wrote:
> Hello,
> 
> I have set custom OIDs in my snmpd.conf(5).
> When I walk or get those values, using snmp(1) or snmpget(1), the
> "name" parameter is not listed. I only get values described as
> OPENBSD-BASE-MIB::localTest.*
> 
> Is there a straight way to get the configured names from snmp clients?
> Or do I have to write a MIB file for this particular localTest sub-MIB?
> 
> TIA,
> Jo
> 
The snmp protocol has no notion of symbolic names, it's just the oid
and the value.

If you want to show your custom name with snmp(1) you can add it to
mib.h and recompile. This is of course not supported. There currently
is no support for MIB-files for snmp(1), and there might never be.

For net-snmp you can write a custom MIB-file to get the symbolic name.

martijn@



Re: Tools for writers

2019-11-05 Thread Martijn van Duren
On 11/6/19 12:07 AM, Steve Litt wrote:
> On Tue, 5 Nov 2019 23:12:52 +0100
> Ingo Schwarze  wrote:
> 
>  
>> https://www.openbsd.org/papers/bsdcan18-mandoc.pdf
> 
> If the preceding presentation was authored in mdoc(7), could  you please
> post the mdoc code that created it, and the mandoc(1) command and any
> filter programs that caused it to be a presentation instead of a man
> page?

You mean this one?
https://www.openbsd.org/papers/bsdcan18-mandoc.roff

There are more examples at:
https://www.openbsd.org/events.html

martijn@



Re: LDAP tls: handshake failure

2019-10-24 Thread Martijn van Duren
On 10/24/19 3:29 PM, Robert Klein wrote:
> On Thu, 24 Oct 2019 14:06:47 +0200,
> Martijn van Duren wrote:
>>
>> On 10/24/19 1:50 PM, Robert Klein wrote:
>>> Hi,
>>>
>>>
>>>
>>> On Thu, 24 Oct 2019 05:26:49 +0200,
>>> Predrag Punosevac wrote:
>>>>
>>>> Kapetanakis Giannis wrote:
>>>>
>>>>> On 23/10/2019 19:14, Predrag Punosevac wrote:
>>>>>> Hi Misc,
>>>>>>
>>>>>> I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
>>>>>> authentication services for a 100 some member university research group.
>>>>>> It appears TLS handshake is broken. This worked perfectly on 6.5 and
>>>>>> earlier.
>>>>>>
>>>
>>> [ rest deleted ]
>>>
>>>> I am out of fuel to look more this tonight but I am 99% sure something
>>>> have changed on 6.6 which broke the things. Maybe my configuration was
>>>> wrong all along and in 6.6 few screws got tighten up which bit me for my
>>>> rear end. I would appreciate any further commend or suggestions how to
>>>> debug this. I would also appreciate any reports of fully working ldapd
>>>> on 6.6 release
>>>>
>>>> Best,
>>>> Predrag
>>>>
>>>
>>> This is related to commit “Make sure that ber in ber_scanf_elements is
>>> not NULL before parsing format” (martijn@) and caused by the scan string
>>> used by ber_scanf_elements on line 310 in ldape.c
>>
>> Thanks for looking into this. I didn't find the time yet.
>>>
>>> Regarding the commit, see also emails with subject “ber.c: Don't
>>> continue on nonexistent ber” to tech@ on August, 13.
>>>
>>> When you set the scan string for ber_scanf_elements in line 310 of ldape.c
>>> from "{se" to "{s" it works again.  Patch below.
>>>
>>> When you look at the ldap_extended function on ldape.c, you see ext_val
>>> is assigned to req_op in line 314.  The only use could happen in the
>>> extended_ops[i]fn(req) call in line 318.  This currently can only be a
>>> call to ldap_starttls (beginning at line 285, same file) which doesn't
>>> use req_op either.  So it the `e' shouldn't matter.
>>>
>>> At a guess, this also conforms to RFC4511, section 4.14.1.
>>
>> Glancing over the RFC seems that you are correct.
>>>
>>> If ldap_extended is extended to handle other operations than starttls,
>>> care must be taken for an optional additional octet string in the
>>> request (see definition of extended request in RFC4511, section 4.12).
>>
>> Diff below should handle this. Also, you forgot to remove the ext_val.
> 
> Sorry.  Been too happy to get it working.
> 
> Is it necessary to assign req->op ?  I didn't see it used and it gets
> freed in the call to request_free().

In its current form probably not, but on the other hand it keeps the
current behaviour/intent more consistent and might help expand if we
ever want to add additional extended operations.

If you feel strongly I'll remove it altogether, I'm not strongly
inclined either way.
> 
> 
> Robert
> 
>>>
>>>
>>> Best regards
>>> Robert
>>>
>> martijn@
>>
>> Index: ldape.c
>> ===
>> RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
>> retrieving revision 1.31
>> diff -u -p -r1.31 ldape.c
>> --- ldape.c  28 Jun 2019 13:32:48 -  1.31
>> +++ ldape.c  24 Oct 2019 12:05:19 -
>> @@ -298,7 +298,6 @@ ldap_extended(struct request *req)
>>  {
>>  int  i, rc = LDAP_PROTOCOL_ERROR;
>>  char*oid = NULL;
>> -struct ber_element  *ext_val = NULL;
>>  struct {
>>  const char  *oid;
>>  int (*fn)(struct request *);
>> @@ -307,11 +306,11 @@ ldap_extended(struct request *req)
>>  { NULL }
>>  };
>>  
>> -if (ber_scanf_elements(req->op, "{se", , _val) != 0)
>> +if (ber_scanf_elements(req->op, "{s", ) != 0)
>>  goto done;
>>  
>>  log_debug("got extended operation %s", oid);
>> -req->op = ext_val;
>> +req->op = req->op->be_sub->be_next;
>>  
>>  for (i = 0; extended_ops[i].oid != NULL; i++) {
>>  if (strcmp(oid, extended_ops[i].oid) == 0) {
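Review bot: in the second hunk `req->op = req->op->be_sub->be_next;` relies on the preceding `"{s"` scan having succeeded, which guarantees a sequence whose first child is a string, so `be_sub` is never NULL here; `be_next`, however, is NULL whenever the optional requestValue (RFC 4511 4.12) is absent, which is precisely the StartTLS request that triggered this report. A one-line comment above the assignment saying that req->op may now be NULL, and that every future extended_ops handler has to check it before use, would keep the next handler from dereferencing it.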
> 



Re: LDAP tls: handshake failure

2019-10-24 Thread Martijn van Duren
On 10/24/19 2:25 PM, Claudio Jeker wrote:
> 
> OK claudio@
> 
I'll commit this soon-ish based on claudio's OK, but if at all possible 
I would like to ask the people affected by this to test this and see if 
this solves their problem.

For the people running -current, here's an updated diff based on tb@'s
commit which changes ber_* to ober_* (note that you also need to get
the latest libutil).

martijn@

Index: ldape.c
===
RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
retrieving revision 1.32
diff -u -p -r1.32 ldape.c
--- ldape.c 24 Oct 2019 12:39:26 -  1.32
+++ ldape.c 24 Oct 2019 13:22:37 -
@@ -298,7 +298,6 @@ ldap_extended(struct request *req)
 {
int  i, rc = LDAP_PROTOCOL_ERROR;
char*oid = NULL;
-   struct ber_element  *ext_val = NULL;
struct {
const char  *oid;
int (*fn)(struct request *);
@@ -307,11 +306,11 @@ ldap_extended(struct request *req)
{ NULL }
};
 
-   if (ober_scanf_elements(req->op, "{se", , _val) != 0)
+   if (ober_scanf_elements(req->op, "{s", ) != 0)
goto done;
 
log_debug("got extended operation %s", oid);
-   req->op = ext_val;
+   req->op = req->op->be_sub->be_next;
 
for (i = 0; extended_ops[i].oid != NULL; i++) {
if (strcmp(oid, extended_ops[i].oid) == 0) {
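Review bot: the second hunk is the same as in the earlier diff apart from the ober_ rename, so the point to settle before commit is the ownership question Robert raised: after `req->op = req->op->be_sub->be_next;` req->op no longer points at the element that was allocated, so request_free() must release the original root element and not whatever req->op points at now, or the whole ExtendedRequest leaks on every StartTLS. If request_free() already tracks the root separately, a comment saying so next to the assignment would stop this from being re-asked.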



Re: LDAP tls: handshake failure

2019-10-24 Thread Martijn van Duren
On 10/24/19 1:50 PM, Robert Klein wrote:
> Hi,
> 
> 
> 
> On Thu, 24 Oct 2019 05:26:49 +0200,
> Predrag Punosevac wrote:
>>
>> Kapetanakis Giannis wrote:
>>
>>> On 23/10/2019 19:14, Predrag Punosevac wrote:
 Hi Misc,

 I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
 authentication services for a 100 some member university research group.
 It appears TLS handshake is broken. This worked perfectly on 6.5 and
 earlier.

> 
> [ rest deleted ]
> 
>> I am out of fuel to look more this tonight but I am 99% sure something
>> have changed on 6.6 which broke the things. Maybe my configuration was
>> wrong all along and in 6.6 few screws got tighten up which bit me for my
>> rear end. I would appreciate any further comment or suggestions how to
>> debug this. I would also appreciate any reports of fully working ldapd
>> on 6.6 release
>>
>> Best,
>> Predrag
>>
> 
> This is related to commit “Make sure that ber in ber_scanf_elements is
> not NULL before parsing format” (martijn@) and caused by the scan string
> used by ber_scanf_elements on line 310 in ldape.c

Thanks for looking into this. I didn't find the time yet.
> 
> Regarding the commit, see also emails with subject “ber.c: Don't
> continue on nonexistent ber” to tech@ on August, 13.
> 
> When you set the scan string for ber_scanf_elements in line 310 of ldape.c
> from "{se" to "{s" it works again.  Patch below.
> 
> When you look at the ldap_extended function on ldape.c, you see ext_val
> is assigned to req_op in line 314.  The only use could happen in the
> extended_ops[i].fn(req) call in line 318.  This currently can only be a
> call to ldap_starttls (beginning at line 285, same file) which doesn't
> use req_op either.  So the `e' shouldn't matter.
> 
> At a guess, this also conforms to RFC4511, section 4.14.1.

Glancing over the RFC seems that you are correct.
> 
> If ldap_extended is extended to handle other operations than starttls,
> care must be taken for an optional additional octet string in the
> request (see definition of extended request in RFC4511, section 4.12).

Diff below should handle this. Also, you forgot to remove the ext_val.
> 
> 
> Best regards
> Robert
> 
martijn@

Index: ldape.c
===
RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
retrieving revision 1.31
diff -u -p -r1.31 ldape.c
--- ldape.c 28 Jun 2019 13:32:48 -  1.31
+++ ldape.c 24 Oct 2019 12:05:19 -
@@ -298,7 +298,6 @@ ldap_extended(struct request *req)
 {
int  i, rc = LDAP_PROTOCOL_ERROR;
char*oid = NULL;
-   struct ber_element  *ext_val = NULL;
struct {
const char  *oid;
int (*fn)(struct request *);
@@ -307,11 +306,11 @@ ldap_extended(struct request *req)
{ NULL }
};
 
-   if (ber_scanf_elements(req->op, "{se", , _val) != 0)
+   if (ber_scanf_elements(req->op, "{s", ) != 0)
goto done;
 
log_debug("got extended operation %s", oid);
-   req->op = ext_val;
+   req->op = req->op->be_sub->be_next;
 
for (i = 0; extended_ops[i].oid != NULL; i++) {
if (strcmp(oid, extended_ops[i].oid) == 0) {
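Review bot: dropping the `e` from the scan string in the second hunk fixes the parse for a request without a value, but `"{s"` now validates only the OID element; a handler that later consumes req->op should check that the element it receives carries the [1] context-specific tag of requestValue (RFC 4511 4.12) rather than assume that anything following the OID is the value. Stating that expectation in a comment next to the assignment, or adding the tag check there, would make the contract explicit for the next extended_ops entry.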



Re: OpenBSD and doas xterm pftop

2019-10-21 Thread Martijn van Duren
On 10/21/19 10:35 PM, Peter Fraser wrote:
> I was surprised that after upgrading to 6.6 that
> 
> doas xterm pftop & 
> 
> fails with:
> 
> Warning: This program is an suid-root program or is being run by the root 
> user.
> The full text of the error or warning message cannot be safely formatted
> in this environment. You may get a more descriptive message by running the
> program as a non-root user or by removing the suid bit on the executable.
> xterm: Xt error: Can't open display: %s
> 
> This is the result of the change in the behavior of doas.
> Quoting from the upgrade manual
> 
> doas(1). The environment variable handling in doas(1) has been changed. In 
> particular HOME and PATH are now reset to the target user.
> 
> I assume that the problem arises because .Xauthority cannot be found
> 
> Pass HOME and PATH in doas.conf allows the old behavior.
> 
This is primarily the reason for changing doas' behaviour.
Not Xauthority per se, but reaching back into the caller's home directory,
allowing arbitrary files to be loaded and potentially executed as
another user in a way not intended, potentially leading to privilege
escalation.

Instead of setenving HOME and PATH I suggest you change the command to
xterm -e doas pftop &
or if your needs are covered
xterm -e doas systat states &

martijn@



Re: vi(1) and ranges

2019-10-18 Thread Martijn van Duren
On 10/18/19 7:23 PM, adr wrote:
> Going through the vi man page (and the one of editors/nvi) looking
> for some hint about '|' in maps some days before, I noticed that
> the ranges aren't described.
> 
> If the developers are interested I can add the description from
> the nvi reference manual, next to the description of count, motion,
> etc.
> 
> regards,
> adr
> 
First you insult someone who says he's happy with a developer's answer
and then you send this email, without any contribution, to basically the
wrong list. You might want to learn from the saying "You catch more
flies with honey than vinegar".

I for one am currently not interested in looking at your work (assuming
there's going to be any) if that's how you present yourself to the
community.

martijn@



Re: shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread Martijn van Duren
On 7/9/19 11:40 AM, mansoor wrote:
> Hi,
> I am using OpenBSD 6.4 and php version 5.6, I am trying to execute shell
> commands through php file using exec, shell_exec or system (tried all of
> them) but none is working.
> 
> Here is a sample code in my index.php file.
> 
>  $output = shell_exec('ls -l');
> echo "$output";
> ?>

It's almost never a good idea to use shell_exec or system.
In this case I'd advise to use opendir+readdir and stat if you need the
file metadata.
> 
> Here is  link
> 
>  
> to my stackoverflow question.
> 
> I am stuck in this problem for about a week now.
> Please help me if anyone know about this.
> Thanks

You haven't given enough information for a definitive answer, but my
guess is that you run php through php-fpm, which is by default chrooted
to /var/www. Since shell_exec and system first call /bin/sh and you
most likely didn't copy it to /var/www/bin/sh it can't find your shell.
After that you'd also need to copy the binaries (in this case ls) to
your chroot and possible library dependencies (not needed for files
under /bin).

Hope this helps for illustrative purposes, but please don't use it in
production.

martijn@
> 
> 
> 
> --
> Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html
> 
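Before copying anything into a chroot it helps to know what is already reachable from inside it. The following audit script is an added illustration for the reply above; it is not part of the original post or of OpenBSD. It reports which of the named programs, and (where ldd(1) is available) which of their shared libraries, are absent from a chroot directory, so an administrator can see exactly how much of a shell environment /var/www would gain. The chroot path /var/www and the /bin/sh and ls binaries are the ones from the thread and are used only as example arguments; the function itself is generic.

```shell
#!/bin/sh
# chroot_audit.sh: report which programs (and, where ldd(1) is available,
# which of their shared libraries) are missing from a chroot directory.
# Added illustration for the php-fpm chroot thread, not part of the
# original post or of OpenBSD. Keeping this list short is the point:
# every binary copied into /var/www is reachable from a compromised PHP
# script and has to be kept up to date by hand.
#
# Usage: sh chroot_audit.sh /var/www /bin/sh /bin/ls

# Absolute shared-object paths that ldd(1) prints for a host binary.
# ldd output differs between systems, so only absolute paths containing
# ".so" are extracted; static or non-ELF files yield nothing.
ldd_deps() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | grep -o '/[^[:space:]]*\.so[^[:space:]]*' | sort -u
}

# chroot_missing CHROOT PROG...: print each path (as it appears on the
# host) that the chroot lacks; return 1 if anything is missing, else 0.
chroot_missing() {
    root=$1
    shift
    status=0
    for prog in "$@"; do
        # Dependencies are resolved against the host copy of the program,
        # since that is the copy that would be placed in the chroot.
        for path in "$prog" $(ldd_deps "$prog"); do
            if [ ! -e "$root$path" ]; then
                echo "$path"
                status=1
            fi
        done
    done
    return "$status"
}

# Run as a script: first argument is the chroot, the rest are programs.
if [ $# -ge 2 ]; then
    if chroot_missing "$@"; then
        echo "all listed programs and libraries are present in $1"
    else
        echo "the paths above are missing from $1" >&2
        exit 1
    fi
fi
```

Run against the thread's case as `sh chroot_audit.sh /var/www /bin/sh /bin/ls`: an empty list means system() would already find everything it needs inside the chroot, which is the situation the reply warns against in production.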



Re: [6.5] minidlna error: accept(http): Too many open files

2019-04-29 Thread Martijn van Duren
I haven't spent any time on the why, but I also had some problems with
openfiles-{cur,max}, but changing it to openfiles=x worked for me.

ymmv.

martijn@

On 4/28/19 10:35 PM, Stephane HUC "PengouinBSD" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> Hi, all
> 
> After upgrading OpenBSD from 6.4 to 6.5, I have a problem using minidlna.
> It fills /var/log/minidlna/minidlna.log with several error
> messages, such as:
> [2019/04/25 15:26:29] monitor_kqueue.c:226: error:
> open(/home/z2/Music/xyz) [Too many open files]
> (...)
> [2019/04/25 20:15:05] minidlna.c:165: error: accept(http): Too many
> open files
> 
> as read on the pkg-readme, I change both files '/etc/sysctl.conf',
> '/etc/login.conf'.
> 
> I added 'kern.maxfiles=16384' for sysctl.
> And on login file, I wrote:
> "minidlna:\
> :openfiles-cur=16384:\
> :openfiles-max=16384:\
> :tc=daemon:
> "
> And after, I rebooted my machine.
> 
> But, those errors continue, and grow the log until my dedicated slice
> /var/log is full, and minidlna does not run correctly. Why?
> What are the good values of limits systems to run correctly minidlna?
> 
> - 
> 
> OpenBSD 6.5 (GENERIC.MP) #3: Sat Apr 13 14:48:43 MDT 2019
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8487260160 (8094MB)
> avail mem = 8220409856 (7839MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec580 (74 entries)
> bios0: vendor Alienware version "A08" date 01/25/2018
> bios0: Alienware Alienware 13
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI SSDT ASF!
> SLIC SSDT SSDT SSDT SSDT CSRT SSDT
> acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4)
> PEG2(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4)
> PXSX(S4) RP04(S4) RP05(S4) PEGP(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 799.44 MHz, 06-45-01
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,
> DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOV
> BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAH
> F,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIB
> P,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 799.32 MHz, 06-45-01
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,
> DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOV
> BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAH
> F,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIB
> P,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 1 (application processor)
> cpu2: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 799.31 MHz, 06-45-01
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,
> DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOV
> BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAH
> F,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIB
> P,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 1, core 0, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 799.31 MHz, 06-45-01
> cpu3:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,
> DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOV
> BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAH
> F,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIB
> P,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 1, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
> acpimadt0: bogus nmi for apid 0
> acpimadt0: bogus nmi for apid 2
> acpimadt0: bogus nmi for apid 1
> acpimadt0: bogus nmi for apid 3
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xf800, bus 0-63
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 

Re: Code of Conduct location

2019-04-28 Thread Martijn van Duren
You mean something like the following?
https://www.openbsd.org/mail.html

martijn@

On 4/28/19 9:58 AM, Strahil Nikolov wrote:
> Hello All,
> 
> can someone point me to the link of the OpenBSD code of Conduct ?
> 
> It seems that I can't find it even with the help of google.
> 
> Best Regards,
> Strahil Nikolov
> 



Re: Changing kern.nprocs and kern.nfiles

2018-11-16 Thread Martijn van Duren
On 11/16/18 10:24 AM, Mik J wrote:
> Hello,
> 
> Does anyone know how to change these values ?
> 
> # sysctl kern.nprocs=52
> sysctl: kern.nprocs: Operation not permitted
> # sysctl kern.nfiles=575
> sysctl: kern.nfiles: Operation not permitted
> 
> Regards
> 
See sysctl(2):
     Second level name         Type           Changeable
...
     KERN_NFILES               integer        no
...
     KERN_NPROCS               integer        no
...
     KERN_NFILES (kern.nfiles)
             Number of open files.
...
     KERN_NPROCS (kern.nprocs)
             The number of entries in the kernel process table.

If you want to change the maximum number of open files/processes take a
look at ksh(1) ulimit or csh(1) limit and login.conf(5).

Hope this helps.

martijn@



Re: Clarification about mfs/tmpfs on /tmp

2018-10-09 Thread Martijn van Duren
On 10/9/18 2:03 PM, Stuart Henderson wrote:
> On 2018-10-09,   wrote:
>> Solene Rapenne wrote:
>>> hello,
>>
>>> if you don't put any /tmp in fstab, /tmp comes from the / partition, which
>>> doesn't have nodev and nosuid mount options, and which is very tiny.
>>
>>> tmpfs has been disabled: see
>>> https://marc.info/?l=openbsd-tech=148173068424515=2 
>>> 
>>
>>> main difference between mfs and tmpfs. mfs is a ffs mounted from memory and
>>> will use the memory reserved for it, while tmpfs will use memory only when 
>>> it's
>>> really used. If you give 500 MB to mfs, it will be instantly used in your
>>> memory, even if you have 0 file in it.
>>
>>> I don't know for chromium.
>>
>> Thank you for your reply, this resolves my first two problems.
>> I have two follow-up questions:
>>
>> 1) Regarding mfs, using an fstab entry as in the example in fstab(5), i.e.,
>>     swap /tmp mfs rw,nodev,nosuid,-s=153600 0 0, gives me a /tmp with write
>>     permissions for root only (as opposed to mounting UID.d, where every
>>     user can write on /tmp). Looking up newfs(8), I don't see a way to set
>>     permissions, hence I have done this using a chmod command in rc.local.
>>     Is there a better way to set the right permissions for a mfs /tmp?
> 
> This one is easy, simply set the appropriate permissions on the
> directory where you mount the mfs.
> 
> 
> 
> 
>> 2) "tmpfs has been disabled": Would it make sense to write to the developer
>>     mailing list and suggest to either drop it (as I understand it, OpenBSD
>>     has a policy of dropping unsupported/unmaintained features) or at least
> 
> It's not included in the GENERIC kernel configuration but isn't
> otherwise disabled. Actually removing code from the tree would make
> it harder if anyone wants to fix it ..
> 
>>     to mention that tmpfs has been disabled in mount_tmpfs(8)?
> 
> Perhaps. Though I think in general with the mount_* manuals it's
> assumed that the relevant support is compiled into the kernel for them
> to work ..
> 
> 
So what about unlinking the tool from the build?
Probably not until after release though.

This should probably be done in the rd as well, but I'm not
familiar enough with that part of the tree to include it in this
quick diff.

martijn@

Index: Makefile
===
RCS file: /cvs/src/sbin/Makefile,v
retrieving revision 1.106
diff -u -p -r1.106 Makefile
--- Makefile3 Jun 2017 10:00:29 -   1.106
+++ Makefile9 Oct 2018 12:13:30 -
@@ -4,7 +4,7 @@ SUBDIR= atactl badsect bioctl clri dhcli
disklabel dmesg dump dumpfs fdisk fsck fsck_ext2fs fsck_ffs  \
fsck_msdos fsdb fsirand growfs ifconfig iked init ipsecctl  \
isakmpd kbd ldattach mknod mount \
-   mount_cd9660 mount_ext2fs mount_ffs mount_msdos \
+   mount_cd9660 mount_ffs mount_msdos \
mount_nfs mount_ntfs mount_tmpfs mount_udf \
mount_vnd mountd ncheck_ffs newfs newfs_ext2fs newfs_msdos \
nfsd nologin pdisk pfctl pflogd ping quotacheck \
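Review bot: the entry this hunk drops from SUBDIR is mount_ext2fs, while mount_tmpfs, the tool the accompanying message says should be unlinked from the build, is still listed on the unchanged context line `mount_nfs mount_ntfs mount_tmpfs mount_udf \`; either the wrong directory is being removed or the message should say why mount_ext2fs is the target. The message also notes the rd needs the same treatment, so the diff as posted is incomplete on its own terms.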



Re: Pkg_add

2018-09-13 Thread Martijn van Duren
On 09/13/18 07:08, Michael Ayres wrote:
> New to OpenBSD, which I am newly running as a Parallels VM on my Apple 
> MacBook Pro. Shell and basic commands working, and have set path variable 
> PKG_PATH =
> 
> On calling PGK_ADD, with -v switch,  I get screen display of
> 
> “Update candidates: quits-2.414 -> quirks-2.414
> quirks-2.414 signed on 2018-03-29T09:01:59Z"
> 
> but then nothing.
> 
> Recalling Unix's reticent personality, I wait, but nothing ever seems to 
> happen. With a new install, downloaded 6, do I have 29 tons of updates, has 
> BSD become too bored with me to even acknowledge I exist, or have I misspoken 
> to it?
> 
> 
> Michael Ayres
> 
> Michael Ayres, MS, CISSP, CSEP, CSM, PMI-ACP, PMP | www.mace-associates.com 
> 
> San Francisco, CA. | 415.999.2049   
> https://www.linkedin.com/in/michaelmaceayres 
> 
> michael.ay...@yahoo.com 
> 
> 
> 
I'm not 100% sure what your question is, but here's my take on things:
pkg_add only works on 3rd party packages. If you have 3rd party
packages installed you can update those with `pkg_add -u`, although
they usually don't get updates on stable releases, which you're
running based on quirks version.
If you want updates on your base OS you can run syspatch(8).

Once you feel familiar enough with the system I encourage you to
run -current, since that's where the cool kids hang out. You can
update to -current by downloading bsd.rd from your favourite mirror
and booting it, similar to how you installed OpenBSD.
Once you've updated to -current, don't forget to update your packages
with `pkg_add -u`.

For further reading I recommend at least:
http://man.openbsd.org/syspatch
http://man.openbsd.org/pkg_add
https://www.openbsd.org/faq/current.html
https://www.openbsd.org/faq/faq15.html
and if you're up to it the rest of the FAQ and after that some
manpages. They're a never ending source of information.

Hope this helps.

martijn@



Re: VMD linux/debian cdrom issue

2018-08-23 Thread Martijn van Duren
Hello Ales,

I ran into the same problem and found that the Debian installer doesn't
include the virtio drivers and thus can't use the cdrom or the disk.

I worked around this by bootstrapping the disk via the qemu port and
booting the disk from vmm once it's finally done. Qemu is significantly
slower than vmm, so do get another cup of $BEVERAGE.

I haven't taken the time to contact Debian about this, so it's
probably not yet known to them.

Hope this helps for now.

martijn@

On 08/23/18 12:18, Ales Tepina wrote:
> Hello!
> 
> I have a lenovo T470 running current on which i would like to use vmd
> to run debian for some work specific stuff.
> I'm having trouble installing debian though because the installer
> doesn't seem to find cdrom.
> 
> My vm.conf is pretty basic:
>  switch "local" {
>  interface bridge0
>  }
>  vm "work" {
>  disable
>  memory 2G
>  cdrom "/home/vm/debian-9.5.0-amd64-xfce-CD-1.iso"
>  disk "/home/vm/debian.img"
>  interface { switch "local" }
>  }
> 
> On the debian installer boot menu, i select Install and press TAB to
> edit the menu entry. I remove the "quiet" at the end and append from
> --- onwards so at the end it looks like this:
>  (omitted part)/install.amd/vmlinuz desktop=xfce vga=788
> initrd=/install.amd/initrd.gz --- clocksource=tsc console=ttyS0,115200
> noapic
> 
> The text based installer starts and i'm able to choose language,
> location and keyboard.
> At the "Detect and mount CD-ROM" section, i'm informed that "No common
> CD-ROM drive was detected." and i'm given the option to load CD-ROM
> drivers from removable media. When i select NO the installer gives me
> the option to manually select a CD-ROM module or device. I can choose
> between none and cdrom. The cdrom option just asks me for a device
> like /dev/cdrom
> 
> I tried with debian netboot image - same problem.
> 
> I've read Mike Larkin's slides "OpenBSD vmm/vmd Update" and if some of
> you are running linux in vmm (for testing purposes of course) i would
> be grateful to know how you managed to get past this problem.
> 
> Best regards, Ales
> 



Re: roundcube installation php modules

2018-07-10 Thread Martijn van Duren
On 07/10/18 14:00, Teno Deuter wrote:
> Dear list,
> 
> on an OpenBSD 6.3 machine I run httpd and opensmtpd and try to install
> roundcubemail 1.3.5 from the OpenBSD packages repository.
> 
> When running the installer, in the first page, I get following warnings:
> 
> FileInfo:  OK
> Libiconv:  OK
> Intl:  NOT AVAILABLE(See http://www.php.net/manual/en/book.intl.php)
> Exif:  OK
> LDAP:  NOT AVAILABLE(See http://www.php.net/manual/en/book.ldap.php)
> GD:  NOT AVAILABLE(See http://www.php.net/manual/en/book.image.php)
> Imagick:  NOT AVAILABLE(See http://www.php.net/manual/en/book.imagick.php)
> 
> but pkg_info shows:
> 
> php-gd-5.6.34   image manipulation extensions for php
> php-intl-5.6.34 intl library support for php
> 
> and I think php-imagick is already part of the php OpenBSD package.
> 
> Why do I get the above warnings?

$ doas cp /etc/php-5.6.sample/{gd,intl}.ini /etc/php-5.6
$ doas rcctl restart php56_fpm
> 
> Also, in the second installation page I get the following:
> 
> Mimetype to file extension mapping:  NOT OK
> 
> but in httpd.conf, on the top of the file, I have the following entry:
> 
> types { include "/usr/share/misc/mime.types" }

No clue.
> 
> Thank you

martijn@



Re: ed viewing trailing spaces

2018-05-23 Thread Martijn van Duren
Hello Predrag,

I assume that you don't run -current. I changed this about a month ago.

martijn@

On 05/24/18 06:28, Predrag Punosevac wrote:
> Hi Misc,
> 
> I just got Michael Lucas' Ed Mastery. While reading through the book I
> tried a few things and I realized that viewing trailing spaces on OpenBSD
> 6.3 doesn't work the way described in man pages, Michael's book, and
> other OSs (I tried Red Hat 7.5, FreeBSD 11.1p10, DFBSD 5.2.1)
> 
> Namely command 
> 
> ,l
> 
> doesn't allow me to see trailing spaces. I would expect to see a dollar
> sign at the end of the line.
> 
> Am I missing something obvious here. I like probably most of you use ed
> only when trying to edit something in the single user mode so I don't
> recall using this particular command before.
> 
> Cheers,
> Predrag
> 
> P.S. It is nice to see that after Jacek Artymiak, Michael took a shot
> and wrote this short book on Ed. The book is a nice read and so far my
> main complaint with it is the lack of a summary of all Ed commands
> which is actually present in man pages as well as in this GNU manual
> (obviously a different version of the editor)
> 
> https://www.gnu.org/software/ed/manual/ed_manual.html
> 



Re: pledge violation in firefox-60 on snapshots

2018-05-16 Thread Martijn van Duren
$ grep SYS_fork /usr/include/sys/syscall.h
#define	SYS_fork	2

See: https://marc.info/?l=openbsd-ports=152623658627250=2

You probably don't run dbus, so I assume you're going to need to start
it up in your .xsession file.

martijn@

On 05/16/18 03:59, William Orr wrote:
> Hey there,
> 
> When visiting the following health insurance site: 
> 
> https://www.cignaglobal.com/CASPAI/public/SignIn.do?application=CIEB_IPMI=GB=en=all=https://www.cignaglobal.com/ma/pages/CASPA/Landing.html=.
> 
> Clicking the password field will consistently cause that tab in firefox
> to crash with a pledge violation (calling fork):
> 
> firefox[75379]: pledge "proc", syscall 2
> firefox[99617]: pledge "proc", syscall 2
> firefox[89996]: pledge "proc", syscall 2
> firefox[29564]: pledge "proc", syscall 2
> firefox[58111]: pledge "proc", syscall 2
> firefox[97980]: pledge "proc", syscall 2
> firefox[37363]: pledge "proc", syscall 2
> 
> Is anyone else seeing something similar? I've repro'd this in safe mode
> with add-ons disabled. I'm running a snapshot as of 3 days ago with
> firefox from packages.
> 
> % pkg_info firefox
> Information for inst:firefox-60.0
> 
> 
> Following is a full dmesg. Let me know if there's other info that I can
> provide. There are other firefox pledge violations in there, but I have
> no indication that they're related.
> 
> Thanks!
> 
> OpenBSD 6.3-current (GENERIC.MP) #29: Fri May  4 09:22:48 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 17040244736 (16250MB)
> avail mem = 16515768320 (15750MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xee7f0 (26 entries)
> bios0: vendor American Megatrends Inc. version "P2.90" date 07/11/2013
> bios0: ASRock Z77 Extreme4
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT MCFG SSDT AAFT HPET SSDT SSDT SSDT BGRT
> acpi0: wakeup devices UAR1(S4) P0P1(S4) USB1(S3) USB2(S3) USB3(S3) 
> USB4(S3) USB5(S3) USB6(S3) USB7(S3) RP01(S4) RP02(S4) RP03(S4) RP04(S4) 
> RP05(S4) BR40(S4) RP06(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 3500.52 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
> 
> ,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> 
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 100MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 3500.02 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
> 
> ,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> 
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 3500.02 MHz
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
> 
> ,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> 
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 3500.02 MHz
> cpu3: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
> 
> ,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> 
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 0, core 3, package 0
> cpu4 at mainbus0: apid 1 (application processor)
> cpu4: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martijn van Duren
On 05/07/18 23:51, Martin Gignac wrote:
>> It looks like 'received-on' would be a cleaner and shorter way to
>> achieve my goal by allowing me to specify inbound and outbound
>> interfaces in the same rule.
>>
> 
> I think I spoke too quickly; it would be an alternative way, but not a
> shorter one as I would still need the initial "pass in lab01" I guess. I
> just wouldn't have to tag it.
> 
>>
I usually do the filtering on the outbound interface and add a statement
like the following to pass in all packets that are to be forwarded:
pass in to !(self)

This way you don't have to add different rules for different tags.

martijn@



Re: frequent SeaMonkey crashes

2018-05-07 Thread Martijn van Duren
Hello Riccardo,

On 05/06/18 21:53, Riccardo Mottola wrote:
> Hi,
> 
> after 6.3 upgrade (with associated packages) I experience very frequent 
> crashes of the SeaMonkey browser.
> I checked RAM consumption and it crashes even if it is not very high, around 
> 400MB, for example.
> 
> I tried starting it from a terminal and see this message after a crash:
> 
> seamonkey: Fatal IO error 12 (Cannot allocate memory) on X server :0.

You can try to extend your data area size via ulimit -d.
See ksh(1) for more information. Don't forget to start SeaMonkey via
that same shell as well; changing the data area only works for child
programs, not the entire X login session.

If this works for you, you can increase the limit permanently via
/etc/login.conf (which will increase the limit for all applications) or
by creating a wrapper script which will increase the limit before
executing SeaMonkey.

Hope this helps.
> 
> Is it a bug perhaps, or some limit i can extend?
> 
> I tried FireFox and it seems a little bit better: strange though, because 
> usually it has always been the other way and I am a long-time seamonkey 
> fan.
> 
> Riccardo
> 

martijn@
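The wrapper-script variant suggested above, as an added POSIX sh example that is not from the post or from OpenBSD: the function raises (or lowers) the data-segment limit in a subshell so that only the program it launches inherits the change, and refuses to start the program at all if the requested limit cannot be set, rather than silently running it with the old one. The seamonkey command and the 2 GB value in the usage comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# run_with_datalimit: start a program under a chosen data-segment limit
# (ulimit -d, in kilobytes) without changing the limit of the calling
# shell or of the rest of the X session. Added illustration for the
# SeaMonkey thread above; not from the original post or from OpenBSD.
#
# Usage: run_with_datalimit 2097152 seamonkey
#
# The new soft limit must stay within the hard limit the login class
# grants (see login.conf(5)); above that the call fails and the program is
# not started with the old limit by mistake.

run_with_datalimit() {
    limit=$1
    shift
    [ $# -ge 1 ] || { echo "usage: run_with_datalimit KB cmd [args]" >&2; return 2; }
    # A subshell holds the new limit, so only the exec'd program inherits it.
    (
        ulimit -d "$limit" 2>/dev/null ||
            { echo "cannot set data limit to ${limit}KB (hard limit too low?)" >&2; exit 1; }
        exec "$@"
    )
}

# Report the data limit a child launched through the wrapper actually sees.
child_datalimit() {
    run_with_datalimit "$1" sh -c 'ulimit -d'
}

# Run as a script: `sh wrapper.sh 2097152 seamonkey`.
if [ $# -ge 2 ]; then
    run_with_datalimit "$@"
fi
```

Compare `child_datalimit 2097152` with a plain `ulimit -d` afterwards: the child reports the new value while the calling shell keeps its own, which is why the reply says SeaMonkey has to be started from the shell (or script) that changed the limit.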



Re: HTTPD and php-cgi

2018-05-06 Thread Martijn van Duren
On 05/06/18 06:31, Duncan Patton a Campbell wrote:
> On Sat, 5 May 2018 12:19:59 +0200
> Martijn van Duren <openbsd+m...@list.imperialat.at> wrote:
> 
> On Sat, 5 May 2018 08:48:23 +0200
> Mischa Peters <obs...@high5.nl> wrote:
> 
> Hi Martijn, Mischa.  Thanks for your replies, from which 
> I've figured out that the problem is I'm running sparc64
> and the packages you refer to are not extant...  I guess
> I'll have a go with ports and hopefully report back...

sparc64 currently misses php-7.0, because of segfaults during the
generation of phar, but php-5.6 is available. So if you
`pkg_add php` you'll get the php-5.6 package which contains php-fpm.
After that's installed you can run `rcctl start php56-fpm`.

I have a patch in the pipeline that can disable the extensions based on
architecture during compile-time which should allow us to have php-7.0
on sparc64 (without phar), but I don't have the hardware to test it.
> 
> Thanks again.
> 
> Dhu
> 



Re: HTTPD and php-cgi

2018-05-05 Thread Martijn van Duren
Hello Duncan,

On 05/05/18 03:23, Duncan Patton a Campbell wrote:
> 
> I am looking for documentation on running php-cgi-5.6 under the bsd httpd 
> server.
> 
> From what I can tell, the function of php-fastcgi has been subsumed to 
> php-cgi-5.6, 
> but further than that I can find little or no salient documentation.  Any 
> pointers
> would be appreciated.
> 
> Thanks,
> 
> Dhu
> 
This is exactly the reason why php-fastcgi was renamed to php-cgi. The
old php-fastcgi contained what is normally called the php-cgi
binary, which also contains *some* fastcgi functionality, but is *not*
the recommended way to run php in fastcgi mode.

The recommended way to run php in fastcgi mode is php-fpm, which is
included in the php main package. You can start this daemon by
running `rcctl start php${PHP_VERSION}_fpm`. This will make php-fpm
listen on its socket, which can be set via the listen statement in
/etc/php-fpm.conf (by default it's /var/www/run/php-fpm.sock).

Once you have php-fpm up and running you can connect to it from httpd
through the "fastcgi socket /run/php-fpm.sock" command in the
appropriate "location" block. See httpd.conf(5) for more
information.

Hope this helps.

martijn@
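The httpd side of the setup described above, as an added httpd.conf(5) fragment that is not from the post or from the OpenBSD project. The socket path is the one from the post; the server name, document root and PHP package version are assumptions.

```conf
# /etc/httpd.conf fragment (added illustration). httpd runs chrooted in
# /var/www, so "/run/php-fpm.sock" here is /var/www/run/php-fpm.sock on disk,
# the php-fpm default from the post.
server "example.com" {
	listen on * port 80
	root "/htdocs/example"
	directory index "index.php"

	# Only requests for files ending in .php are handed to php-fpm;
	# everything else is served by httpd itself as static content.
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
}
```

Start php-fpm first (`rcctl enable php56_fpm` and `rcctl start php56_fpm`, with the version of the installed package), then check the configuration with `httpd -n` before `rcctl restart httpd`. Keeping the fastcgi hand-off limited to a `location "*.php"` block means a stray script elsewhere in the tree is served as text rather than executed.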



Re: net-snmpd extend and doas : a tty is required

2018-04-13 Thread Martijn van Duren
On 04/12/18 23:13, Joel Carnat wrote:
>> On 12 Apr 2018 at 21:10, Stuart Henderson wrote:
>>
>> On 2018-04-12, Joel Carnat wrote:
>>> Hi,
>>>
>>> I want net-snmpd to run a script via the extend directive.
>>> This script has to run a command using doas to get temporary root 
>>> permission.
>>>
>>> The script is run on snmpcmd call but the doas command returns:
>>> doas: a tty is required
>>>
>>> Is there a way to run doas from net-snmpd ?
>>> I already have doas running from collectd-exec without issues.
>>>
>>> Thanks.
>>>
>>> # More infos on configuration and commands
>>>
>>> # grep extend /etc/snmp/snmpd.conf
>>> extend test /home/scripts/test.sh
>>>
>>> # grep snmpd /etc/doas.conf
>>> permit nopass _snmpd as root
>>
>> Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
>> (base snmpd's uid, which doesn't execute anything anyway).
> 
> Of course…
> Using "permit nopass _netsnmp as root" makes it run as expected.

Please add "cmd  args ..." to that line to prevent more root
exposure than required.
> 
> Thanks a lot!
>
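Stuart's correction combined with martijn's `cmd ... args` restriction, as an added doas.conf(5) fragment that is not from the thread. The script path is the one from Joel's snmpd.conf; the trailing `args` keyword with nothing after it means the script may only be run without arguments.

```conf
# /etc/doas.conf (added illustration, not from the thread)

# Before: the corrected rule without a cmd restriction grants _netsnmp
# any command as root, without a password, far more than the extend
# script needs.
#permit nopass _netsnmp as root

# After: only the script named by the extend directive, and only when
# called without arguments; any other command is refused.
permit nopass _netsnmp as root cmd /home/scripts/test.sh args
```

`doas -C /etc/doas.conf` reports parse errors before the file goes live. The restriction is only as strong as the script it names: /home/scripts/test.sh has to be owned by root and not writable by _netsnmp, otherwise editing the script is all it takes to run arbitrary commands as root.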



Re: sudoedit for doas?

2018-03-01 Thread Martijn van Duren

On 03/01/18 11:41, tomr wrote:
> On 02/28/18 17:50, Hess THR wrote:
>> Hello,
>>
>> hmm, I went through the relevant man pages:
>>
>> https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1
>> https://man.openbsd.org/doas.conf.5
>>
>> but I cannot find a sudoedit alternative for the "doas".
>>
>> Are there any?
>>
> 
> Use `doas -C` in a wrapper script that:
> 
> - checks for a lock / creates a lock
> - copies /etc/doas.conf somewhere
> - edits it with your editor of choice
> - checks it (with -C)
> - copies it back into place
> - removes the lock
> 
> t

sudoedit != visudo



Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-22 Thread Martijn van Duren

On 02/22/18 09:51, Joel Carnat wrote:
> Hi,
> 
> On 22/02/2018 09:35, Stuart Henderson wrote:
>> On 2018-02-22, Igor V. Gubenko  wrote:
>>> I am far from an expert; having issues myself at the moment, but maybe
>>> if we get all of the iked experimenters together, we can figure it out
>>> :)
>>
>> This definitely isn't going to work, iked only supports username/password
>> authentication as a responder. not initiator.
> 
> Is there any software that enables openbsd to be an ipsec initiator 
> using user/pass ?
> 
> Thanks.

Maybe not as native a solution as you'd like, but I have one environment 
where I have to log in with username/password over ikev2. For this I have 
a VM with Alpine Linux+strongswan through which I route the VPN-destined 
traffic.




Re: vmd - Unable to reboot Alpine guest

2018-02-19 Thread Martijn van Duren

Hello Aham,

On 02/18/18 21:09, Aham Brahmasmi wrote:
> Hi Carlos,
> 
> Thank you for your response.
> 
> I have been learning and understanding OpenBSD for around one month now.
> As such, I had installed -release, and used syspatch to reach -stable.
> 
> I have spent some time right now trying to understand the mechanism to
> reach -current from -stable.
> 
> From what I understand, I first need to upgrade to the latest snapshot.
> From there, I need to use source build instructions at
> https://www.openbsd.org/faq/faq5.html#Bld to reach -current.

There's no need to build from source, just upgrading via the latest
snapshot suffices.

> I would like to do the above because I am also interested in the spamd
> and IPv6 diff that phessler@ has. But right now, I am quite a bit
> inexperienced, so you would have to be patient with me.
> 
> From what I understand, to install snapshot I need to download
> https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd, boot that
> at the boot prompt and then (U)pgrade from there.

That is correct.
If you don't intend to work on the source, there's no need to build it
yourself.

martijn@



Re: Syn flood crashed my LAN

2018-02-11 Thread Martijn van Duren
Try -current[0]. I think henning will be glad to hear how his new toy
works in the field.

martijn@

[0] https://marc.info/?l=openbsd-cvs=151796069324365=2

On 02/12/18 01:26, Martin Hanson wrote:
> Hi,
> 
> I have a home network that is segmented into 3 different zones using a NIC 
> with 4 ports sitting on an OpenBSD firewall/dhcp server. One port is 
> connected to the Internet (ISP router) and each of the three others has a 
> D-Link DGS-1005D switch connected to each.
> 
> So..
> 
> LAN1 = 192.168.1.0
> LAN2 = 192.168.2.0
> LAN3 = 192.168.3.0
> 
> Learning more about networking I wanted to test a SYN flood so I set up a 
> couple of boxes on LAN1 and LAN3 to flood a box on LAN2. I used "hping3" with 
> the "S" and "flood" options.
> 
> Running a regular ping in a terminal I could see how the response time 
> decreased and eventually the box began to lose packets.
> 
> However after a while it seemed like the entire internal network went down.
> 
> No box on any LAN could get an IP address from the DHCP server on the OpenBSD 
> box.
> 
> I eventually rebooted the OpenBSD box, but that didn't immediately help, and 
> only after powering down the switches and powering the switches on again, 
> everything worked again.
> 
> I have been looking through the PF documentation to see if PF somehow blocks 
> SYN flooding, but I am not using synproxy on any rules.
> 
> What could cause such a "melt down" of the entire network because of a SYN 
> flood to a box?
> 
> I suspect that the D-Link switches are pretty bad and maybe are the cause of 
> the problem?
> 
> I eventually will try again to see if I can determine what's causing the 
> "melt down", but I want to know if anyone perhaps has experienced similar 
> results during some testing?
> 
> Many thanks in advance.
> 
> Kind regards,
> 
> Martin 
> 



Re: message authentication code incorrect

2018-01-24 Thread Martijn van Duren
Hello Jan,

See https://marc.info/?l=openbsd-cvs=151673244010209=2 and
https://marc.info/?l=openbsd-cvs=151673766411788=2.
So it's probably fixed in the next snapshot.

On 01/24/18 14:08, Jan Stary wrote:
> On Jan 23 16:48:57, h...@stare.cz wrote:
>> I just upgraded my current/amd64 and now can't ssh to it
> 
> In fact, I can't ssh _from_ it either:
> 
> $ ssh wherever
> write: Socket is not connected
> 
> has something changed with ssh or sshd?
> 
>   Jan
> 
>> from an amd64 machine running the Jan 19 snapshot:
>>
>> $ ssh -v biblio.stare.cz
>> OpenSSH_7.6, LibreSSL 2.7.0
>> debug1: Reading configuration data /home/hans/.ssh/config
>> debug1: /home/hans/.ssh/config line 1: Applying options for *
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Connecting to biblio.stare.cz [147.32.233.137] port 22.
>> debug1: Connection established.
>> debug1: identity file /home/hans/.ssh/id_rsa type 0
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_rsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_dsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_dsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_ecdsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_ecdsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_ed25519 type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_ed25519-cert type -1
>> debug1: Local version string SSH-2.0-OpenSSH_7.6
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
>> debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x0400
>> debug1: Authenticating to biblio.stare.cz:22 as 'hans'
>> debug1: SSH2_MSG_KEXINIT sent
>> Bad packet length 1349676916.
>> ssh_dispatch_run_fatal: Connection to 147.32.233.137 port 22: message 
>> authentication code incorrect
>>
>>  Jan
>>
> 



Re: After a failed checksum: What options remain?

2018-01-12 Thread Martijn van Duren
Hello Charlie,

There is no correct way to wear a tinfoil hat. Do you trust your current
installation of Windows? And why? Do you trust your computer hardware?
Intel has proven something along those lines a couple of times in recent
history. Based on what premise do you trust OpenBSD?

Suspicion can be a good thing, but you need to balance your security
with other factors in life like usability, stability, compatibility and
probably some other ity's.

I love OpenBSD. Both for its security, but also its simplicity and
usability. But I'm also aware that even OpenBSD isn't without its quirks
and bugs. It's also still based on the premise that you trust other
components around which OpenBSD was built. Even the mathematical
principles behind signature verification.

In other words choose something that works for you and where you feel
confident enough that it won't try to kill your kittens.

As for checking a signature you can start by downloading OpenBSD 6.2
and verifying its signature:
$ cat /etc/signify/openbsd-62-base.pub
untrusted comment: openbsd 6.2 base public key
RWRVWzAMgtyg7g27STK1h1xA6RIwtjex6Vr5Y9q5SC5q5+b0GN4lLhfu
You can compare that string to any other sources, among others:
- https://www.openbsd.org/62.html
- https://twitter.com/phessler/status/914414877539803136
- ...
If you need signify I found a Windows port here[0], but since I don't
run Windows I haven't tested any of it (nor checked the diff). I
found that it is an older release, so the diff (against my personal
OpenBSD cvs account checkout) below also includes changes in OpenBSD's
current signify. But I guess this release will still work and the diff
is still small enough to manually verify if something funky has been
done with this port (still a pain though).
Nevertheless, it runs on Windows, so you have to trust your Windows
installation, which runs on 
Once OpenBSD is installed it'll automatically install the keys for the
next release, which will be verified with the current key.

Finally your usability question. I find it easy to use, but that's a
combination of years of experience and liking the minimal footprint.
A lot of people seem to be unable to work with the removal of a lot
of abstraction layers, I find it liberating and it gives me more
peace of mind that not a lot more happens than I request of the system.
If it works for you, is for you to find out. Just install it and take it
for a test run. OpenBSD's FAQ[1] is quite good and covers quite a lot of
subjects. You can use the FAQ to guide you to the man pages and if that
doesn't satisfy you, you can always turn to the source. Feel free to
send in some patches if you find something quirky in the source. :-)

Hope this helps.

martijn@

[0] https://github.com/stoeckmann/signify-windows
[1] https://www.openbsd.org/faq/

Only in /home/martijn/src/OpenBSD/usr.bin/signify: CVS
Only in /home/martijn/src/OpenBSD/usr.bin/signify: Makefile
Only in /tmp/signify-windows/patched-src: base64.c
diff -ru /home/martijn/src/OpenBSD/usr.bin/signify/crypto_api.c 
/tmp/signify-windows/patched-src/crypto_api.c
--- /home/martijn/src/OpenBSD/usr.bin/signify/crypto_api.c  Wed Jan  8 
04:59:46 2014
+++ /tmp/signify-windows/patched-src/crypto_api.c   Fri Jan 12 11:07:34 2018
@@ -3,6 +3,8 @@
  * Public domain. Author: Ted Unangst 
  * API compatible reimplementation of functions from nacl
  */
+#include "mingw.h"
+
 #include 
 
 #include 
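Review bot: the only change to crypto_api.c is the `#include "mingw.h"` placed ahead of the system headers, but mingw.h itself is nowhere in this listing: it is neither diffed nor reported under "Only in /tmp/signify-windows/patched-src". Since that shim is what stands between the NaCl-compatible routines and the Windows runtime, it has to be read as part of this review; a diff of the .c files alone says nothing about what the shim redefines.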
Only in /tmp/signify-windows/patched-src: err.c
Only in /tmp/signify-windows/patched-src: errx.c
Only in /tmp/signify-windows/patched-src: explicit_bzero.c
Only in /tmp/signify-windows/patched-src: sha2.c
Only in /tmp/signify-windows/patched-src: sha2.h
Only in /home/martijn/src/OpenBSD/usr.bin/signify: signify.1
diff -ru /home/martijn/src/OpenBSD/usr.bin/signify/signify.c 
/tmp/signify-windows/patched-src/signify.c
--- /home/martijn/src/OpenBSD/usr.bin/signify/signify.c Wed Jul 12 01:27:13 2017
+++ /tmp/signify-windows/patched-src/signify.c  Fri Jan 12 11:07:34 2018
@@ -1,4 +1,4 @@
-/* $OpenBSD: signify.c,v 1.128 2017/07/11 23:27:13 tedu Exp $ */
+/* $OpenBSD: signify.c,v 1.100 2015/01/16 06:16:12 tedu Exp $ */
 /*
  * Copyright (c) 2013 Ted Unangst 
  *
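Review bot: the port's signify.c carries RCS id 1.100 (2015/01/16) while the tree it is diffed against is at 1.128 (2017/07/11), so 28 revisions are missing on the port side and the rest of this diff is mostly that gap rather than Windows-specific changes. Before relying on it for verification, walk the cvs log between those two revisions and check whether any of the intervening commits touch the -V or -C paths.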
@@ -14,11 +14,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+#include "mingw.h"
+
 #include 
 
-#include 
-#include 
-
 #include 
 #include 
 #include 
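Review bot: besides adding mingw.h, this hunk removes two system includes whose names have been lost in extraction, so it cannot be confirmed from the diff alone that the port's mingw.h supplies whatever those headers declared. Check the two removed lines in the full file and make sure each one is either unneeded at revision 1.100 or covered by the shim, rather than silently compiling against implicit declarations.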
@@ -26,15 +25,10 @@
 #include 
 #include 
 #include 
-#include 
-#include 
 #include 
-#include 
-#include 
 #include 
 
 #include "crypto_api.h"
-#include "signify.h"
 
 #define SIGBYTES crypto_sign_ed25519_BYTES
 #define SECRETBYTES crypto_sign_ed25519_SECRETKEYBYTES
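Review bot: this hunk drops `#include "signify.h"` along with four more system headers. signify.h is part of the 1.128 tree and is absent from the port entirely (it is not listed under "Only in" for either side), which means everything the newer signify.c declares through it is missing from the port, not merely relocated. That is consistent with the older base revision, but it should be stated explicitly in the port's notes so nobody assumes feature parity with current signify.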
@@ -71,7 +65,9 @@
uint8_t sig[SIGBYTES];
 };
 
-static void __dead
+char *__progname = "signify";
+
+static void
 usage(const char *error)
 {
if (error)
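Review bot: `static void __dead` becomes plain `static void`, so usage() is no longer declared as not returning; any caller that falls through after calling usage() now relies on usage() really calling exit(), and the compiler can no longer check that for you. The portable fix is to define `__dead` as `__attribute__((noreturn))` in mingw.h rather than strip it here. The added `char *__progname = "signify";` is needed because mingw's runtime does not provide __progname, but it should be `const char *` and, ideally, derived from argv[0].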
@@ -80,14 +76,13 @@
 #ifndef VERIFYONLY
"\t%1$s -C 
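An added example, not code from this thread or from OpenBSD's signify, of what the verification step Martijn describes actually checks. It is Go using only the standard library and follows the signify(1) file layout: one "untrusted comment:" line, then the base64 of a two-byte "Ed" tag, an eight-byte key number and the raw Ed25519 public key (32 bytes) or signature (64 bytes). The key pair, key number and message are generated or constructed at run time, and the function and constant names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Wire layout shared by signify public keys and signatures: the algorithm
// tag "Ed", an eight-byte random key number, then the raw Ed25519 material.
const (
	pkAlg      = "Ed"
	keyNumLen  = 8
	pubBlobLen = 2 + keyNumLen + ed25519.PublicKeySize
	sigBlobLen = 2 + keyNumLen + ed25519.SignatureSize
)

// parseSignifyFile decodes a key or signature file and returns the key
// number and the payload (public key or signature). The comment line is
// deliberately ignored: it is not covered by any signature.
func parseSignifyFile(text string, want int) (keynum, payload []byte, err error) {
	lines := strings.SplitN(text, "\n", 3)
	if len(lines) < 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return nil, nil, errors.New("missing 'untrusted comment:' line")
	}
	blob, err := base64.StdEncoding.DecodeString(strings.TrimSpace(lines[1]))
	if err != nil {
		return nil, nil, fmt.Errorf("bad base64: %w", err)
	}
	if len(blob) != want {
		return nil, nil, fmt.Errorf("blob is %d bytes, want %d", len(blob), want)
	}
	if string(blob[:2]) != pkAlg {
		return nil, nil, fmt.Errorf("unsupported algorithm tag %q", blob[:2])
	}
	return blob[2 : 2+keyNumLen], blob[2+keyNumLen:], nil
}

// Verify checks msg against sigFile using pubFile. The key number only
// tells us whether the signature was made with this key at all; the
// Ed25519 check is what binds the signature to the key and the message.
func Verify(pubFile, sigFile string, msg []byte) error {
	pubNum, pub, err := parseSignifyFile(pubFile, pubBlobLen)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	sigNum, sig, err := parseSignifyFile(sigFile, sigBlobLen)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if !bytes.Equal(pubNum, sigNum) {
		return errors.New("verification failed: checked against wrong key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// encode renders a blob in signify file form.
func encode(comment string, blob []byte) string {
	return "untrusted comment: " + comment + "\n" +
		base64.StdEncoding.EncodeToString(blob) + "\n"
}

// GenerateAndSign makes a throwaway key pair with a random key number and
// signs msg, returning the public key file and the signature file texts.
func GenerateAndSign(msg []byte) (pubFile, sigFile string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	keynum := make([]byte, keyNumLen)
	if _, err := rand.Read(keynum); err != nil {
		return "", "", err
	}
	pubBlob := append(append([]byte(pkAlg), keynum...), pub...)
	sigBlob := append(append([]byte(pkAlg), keynum...), ed25519.Sign(priv, msg)...)
	return encode("example public key", pubBlob), encode("verify with example.pub", sigBlob), nil
}

func main() {
	msg := []byte("constructed sample message\n") // constructed input
	pubFile, sigFile, err := GenerateAndSign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact message:  ", Verify(pubFile, sigFile, msg))
	fmt.Println("tampered message:", Verify(pubFile, sigFile, append(msg, 'x')))
}
```

Two things worth noticing for anyone auditing a port like the one above: the comment line is never authenticated, so the comment in a key file proves nothing about whose key it is (which is why the advice is to compare the base64 line itself against independent sources), and the key number is only a routing hint for picking the right key; a signature made with a different key fails before any Ed25519 arithmetic, and a modified message fails after it.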

Re: ed(1) text editor issue with Spanish accents

2017-12-04 Thread Martijn van Duren
Hello Alejandro,

ed works on both binary and ASCII text, which are all individual bytes.
Since ´ is a UTF-8 character, which consists of the bytes C2 and B4,
ed thinks it should only delete a single byte, which results in only C2.

Your terminal can't tell the meaning of just C2 which results, in this
particular case, in a question mark.

The reason the character disappears after the backspace is because the
presentation layer gets the instruction to clear the column prior to
the current position, so hence it appears deleted after the backspace.

Currently there's no UTF-8 support in our ed, and I don't see how this
can be done without endangering the binary editing capabilities.

martijn@

On 12/04/17 00:43, Alejandro G. Peregrina wrote:
> Hello,
> 
> I've noticed something unexpected when entering an accent character
> alone (´) and then deleting it in ed(1) in xterm(1). Instead of deleting
> it, it creates another character which is seen as an inverted
> exclamation (?) in the font 'misc-fixed'.
> 
>   How to reproduce:
> $ uname -a
> OpenBSD foo.my.domain 6.2 GENERIC.MP#1 amd64
> $ locale
> LANG=
> LC_COLLATE="C"
> LC_CTYPE=en_US.UTF-8
> LC_MONETARY="C"
> LC_NUMERIC="C"
> LC_TIME="C"
> LC_MESSAGES="C"
> LC_ALL=
> $ #Let's append the ´ character in ed(1)
> $ ed -p"> "
>> a
> ´
> 
>   Now let's delete with a backspace, return to create a newline and a dot
> to stop appending, and then print:
> 
> $ ed -p"> "
>> a
> 
> .
>> p
> (?)
> 
>   (The (?) is a simulation of the font character that misc-fixed shows to
> the terminal.)
> 
>   Whenever I use more(1) or less(1) to view it, it shows:
> 
> $ more test.txt
> 
> 
> 
> 
> I have to add that I tested this with urxvt and ed(1) prints an Â
> character, but more(1) and less(1) keep printing .
> 
> When not using X this can't be reproduced. This is reproducible with
> xterm(1) and urxvt(1) in cwm(1) and fvwm(1). I've tested this in Linux
> and FreeBSD and this behaviour is not reproducible.
> 
> Thank you,
> A
> 
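An added example, not part of this thread or of ed(1), in Go, showing the byte-wise deletion Martijn describes next to a UTF-8-aware one. The sample buffer is the acute accent from the report (bytes C2 B4); the function names are the example's own, and TerminalView only approximates what a UTF-8 terminal renders for a stray byte.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// BackspaceByte models what a byte-oriented editor does: it removes exactly
// one byte, even if that byte is the tail of a multi-byte UTF-8 sequence.
func BackspaceByte(buf []byte) []byte {
	if len(buf) == 0 {
		return buf
	}
	return buf[:len(buf)-1]
}

// BackspaceRune removes the last complete UTF-8 sequence. DecodeLastRune
// walks back over continuation bytes (10xxxxxx) to the lead byte; if the
// tail is not valid UTF-8 it reports a one-byte RuneError, and we fall back
// to removing that single byte so binary input stays editable byte by byte.
func BackspaceRune(buf []byte) []byte {
	if len(buf) == 0 {
		return buf
	}
	r, size := utf8.DecodeLastRune(buf)
	if r == utf8.RuneError && size <= 1 {
		return buf[:len(buf)-1]
	}
	return buf[:len(buf)-size]
}

// TerminalView approximates a UTF-8 terminal's rendering of buf: any run of
// bytes that is not a valid sequence is shown as "?", as in the report.
func TerminalView(buf []byte) string {
	return strings.ToValidUTF8(string(buf), "?")
}

func main() {
	line := []byte("\u00b4") // constructed input: the acute accent, bytes C2 B4
	fmt.Printf("byte-wise backspace: % x -> %q\n", BackspaceByte(line), TerminalView(BackspaceByte(line)))
	fmt.Printf("rune-wise backspace: % x -> %q\n", BackspaceRune(line), TerminalView(BackspaceRune(line)))
}
```

The fallback in BackspaceRune is the part that matters for the concern raised in the reply: a lone lead byte or a stray continuation byte is still removed one byte at a time, so a buffer that is not text at all behaves exactly as before, while a complete sequence is removed as a unit.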



Re: Debugging a php's script startup

2017-11-08 Thread Martijn van Duren
Hello C.,

Can you start up the daemon process from the CLI (without the rc
script)? If not and it still has the same error message as below (which
I reckon it will) you might want to change your mysqli.default_socket =
in your /etc/php-7.0.ini.
Do note however that this will also affect php-fpm and mod_php which run
chrooted by default (hence the weird path), so if you need those installs
unaffected try to create a custom ini-file and specify it with -c as a
php-argument.

Also note that php is not designed to write daemons in and should only
be done if there are no other options. The rc-script won't restart your
daemon automatically if it crashes.

Hope this helps.

martijn@

On 11/08/17 20:22, C. L. Martinez wrote:
> Hi all,
> 
>  I am trying to setup a startup file for TT-Rss (installed under OpenBSD 6.2 
> host, fully patched). This is the script:
> 
> #!/bin/sh -x
> #
> 
> daemon="/usr/local/bin/php-7.0"
> daemon_flags="/var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log"
> daemon_user="www"
> 
> . /etc/rc.d/rc.subr
> 
> pexp="${MODPHP_BIN} ${daemon}${daemon_flags:+ ${daemon_flags}}"
> 
> rc_bg=YES
> rc_reload=NO
> 
> rc_post() {
> rm -f /var/www/htdocs/rss/lock/update_daemon.lock
> }
> 
> rc_cmd $1
> 
>  And when I try to start it, this is the output:
> 
> root@rssweb:/etc/rc.d# ./tt_rss start
> + daemon=/usr/local/bin/php-7.0
> + daemon_flags=/var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log
> + daemon_user=www
> + . /etc/rc.d/rc.subr
> + _rc_actions=start stop restart reload check
> + readonly _rc_actions
> + [ -n  ]
> + basename ./tt_rss
> + _name=tt_rss
> + _rc_check_name tt_rss
> + [ -n /usr/local/bin/php-7.0 ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/tt_rss
> + _rc_do _rc_parse_conf
> + eval _rcflags=${tt_rss_flags}
> + _rcflags=
> + eval _rcrtable=${tt_rss_rtable}
> + _rcrtable=
> + eval _rcuser=${tt_rss_user}
> + _rcuser=
> + eval _rctimeout=${tt_rss_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf tt_rss
> + > /dev/null 
> + 2>&1 
> + daemon_class=daemon
> + [ -z  ]
> + daemon_rtable=0
> + [ -z www ]
> + [ -z  ]
> + daemon_timeout=30
> + [ -n  -o start != start ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rcrtable _rcuser _rctimeout
> + pexp=/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log
> + rcexec=su -l -c daemon -s /bin/sh www -c
> + [ 0 -eq 0 ]
> + pexp= /usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log
> + rc_bg=YES
> + rc_reload=NO
> + rc_cmd start
> tt_rss(failed)
> 
>  pexp's option seems good ... I think the problem is with 'www' user and with 
> this command: "su -l -c daemon -s /bin/sh www -c". Launching from console 
> returns an error:
> 
> root@rssweb:/etc/rc.d# su -l -c daemon -s /bin/sh www -c 
> '/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log'
> PHP Warning:  mysqli_connect(): (HY000/2002): Can't connect to local MySQL 
> server through socket '/var/run/mysql/mysql.sock' (2 "No such file or 
> directory") in /var/www/htdocs/rss/classes/db/mysqli.php on line 8
> Unable to connect to database (as rss to localhost, database dbrss): Can't 
> connect to local MySQL server through socket '/var/run/mysql/mysql.sock'
> 
>  mysql's socket is created under www's chroot like in pkg-readme says: 
> srwxrwxrwx  1 _mysql  _mysql  0 Nov  8 17:45 /var/www/var/run/mysql/mysql.sock
> 
>  If I am not wrong, then, how can I configure this startup script?
> 
> Thanks
> 



Re: php-fpm and OpenBSD 6.2

2017-10-12 Thread Martijn van Duren
On 10/12/17 09:39, Markus Rosjat wrote:
> Hi there,
> 
> I can't find a php-fpm package under 6.2 but there are php-fastcgi packages. 
> Is this the new php-fpm naming convention starting with 6.2 or do I get this 
> wrong here?
> 
> regards
> 

php-fpm is currently part of the PHP package (php-5.6.31 and php-7.0.23).
With my latest proposed patch the php-fpm will be moved to its own
subpackage, along with all the other SAPI interfaces[0], so it might be
changed for the 6.3 release.

As for the -fastcgi subpackage. It's the -cgi SAPI, which in my opinion
has been misnamed for this package. Don't use it unless you absolutely
need it. Also note that -fastcgi will be renamed back to -cgi with my
patch.

martijn@

[0] https://marc.info/?l=openbsd-ports=150774437313393=2



Re: Strange sed substitution removes text

2017-09-25 Thread Martijn van Duren
On 09/25/17 09:15, Andreas Kusalananda Kähäri wrote:
> Yes, this seems to fix this particular issue for me nicely,
> but the "int i = 0;" is probably not needed.

You're right, that part was from some debugging printfs.
I also wasn't asking for OKs, but merely pointing out the root of the
problem.

Let's just wait until Ingo has time to look into it. He's still on
holiday in Paris, so it might be a few days.
> 
> 
> On Sun, Sep 24, 2017 at 11:59:49PM +0200, Martijn van Duren wrote:
>> and now with 100% more patch...
>>
>> Index: process.c
>> ===
>> RCS file: /cvs/src/usr.bin/sed/process.c,v
>> retrieving revision 1.32
>> diff -u -p -r1.32 process.c
>> --- process.c22 Feb 2017 14:09:09 -  1.32
>> +++ process.c24 Sep 2017 21:58:14 -
>> @@ -336,6 +336,7 @@ substitute(struct s_command *cp)
>>  int n, lastempty;
>>  size_t le = 0;
>>  char *s;
>> +int i = 0;
>>  
>>  s = ps;
>>  re = cp->u.s->re;
>> @@ -386,7 +387,7 @@ substitute(struct s_command *cp)
>>   * and at the end of the line, terminate.
>>   */
>>  if (match[0].rm_so == match[0].rm_eo) {
>> -if (*s == '\0' || *s == '\n')
>> +            if (*s == '\0')
>>  slen = -1;
>>  else
>>  slen--;
>>
>>
>> On 09/24/17 23:57, Martijn van Duren wrote:
>>> This fixes the issue for me, but I'm not sure about the motivation
>>> behind the check.
>>> Maybe schwarze@ can shed some light on it, since he's to (cvs) blame for
>>> the particular line.
>>>
>>> martijn@
>>>
>>> On 09/24/17 15:42, Andreas Kusalananda Kähäri wrote:
>>>> Hi,
>>>>
>>>> Given the input file of three lines:
>>>>
>>>> line 1
>>>> line 2
>>>> line 3
>>>>
>>>> and the sed script
>>>>
>>>> s/\</\
>>>> /g
>>>> s/^/hello/
>>>>
>>>> which inserts a newline in front of every word and then prepends the
>>>> word "hello" to the beginning of the pattern space.
>>>>
>>>> The following happens:
>>>>
>>>> $ sed -f script.sed input.txt
>>>> hello
>>>>
>>>> hello
>>>>
>>>> hello
>>>>
>>>>
>>>> I was expecting to get
>>>>
>>>> hello
>>>> line
>>>> 1
>>>> hello
>>>> line
>>>> 2
>>>> hello
>>>> line
>>>> 3
>>>>
>>>> This is a bit surprising since running only the first sed expression
>>>> gives (as expected)
>>>>
>>>>
>>>> line
>>>> 1
>>>>
>>>> line
>>>> 2
>>>>
>>>> line
>>>> 3
>>>>
>>>>
>>>> The question is, why does the "line N" data disappear when inserting a
>>>> word at the start of the pattern space here?
>>>>
>>>> I'm also noticing that this does not happen if a space (for instance)
>>>> precedes the escaped newline in the first expression:
>>>>
>>>> s/\</ \
>>>> /g
>>>> s/^/hello/
>>>>
>>>>
>>>> This is using sed in the base system on OpenBSD 6.1-stable (amd64).
>>>>
>>>> Cheers,
>>>>
>>>
> 



Re: Strange sed substitution removes text

2017-09-24 Thread Martijn van Duren
and now with 100% more patch...

Index: process.c
===
RCS file: /cvs/src/usr.bin/sed/process.c,v
retrieving revision 1.32
diff -u -p -r1.32 process.c
--- process.c   22 Feb 2017 14:09:09 -  1.32
+++ process.c   24 Sep 2017 21:58:14 -
@@ -336,6 +336,7 @@ substitute(struct s_command *cp)
int n, lastempty;
size_t le = 0;
char *s;
+int i = 0;
 
s = ps;
re = cp->u.s->re;
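Review bot: the added `int i = 0;` in substitute() is never used by the rest of the diff; it is a leftover from the debugging printfs (as the follow-up in this thread confirms) and will draw an unused-variable warning. Drop it before this goes in.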
@@ -386,7 +387,7 @@ substitute(struct s_command *cp)
 * and at the end of the line, terminate.
 */
if (match[0].rm_so == match[0].rm_eo) {
-   if (*s == '\0' || *s == '\n')
+   if (*s == '\0')
slen = -1;
else
slen--;
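Review bot: removing `|| *s == '\n'` changes how an empty match immediately before an embedded newline is handled: the pattern space is no longer treated as finished there, so the loop keeps going with `slen--` and the text after the newline survives, which is what fixes the reporter's two-command script. The comment just above still says "at the end of the line, terminate", so either the comment needs updating or the reason the '\n' test was added (by schwarze@, per this thread) needs confirming before the check is simply dropped. Whichever way it goes, the reporter's three-line input and script belong in regress/usr.bin/sed so the case stays covered.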


On 09/24/17 23:57, Martijn van Duren wrote:
> This fixes the issue for me, but I'm not sure about the motivation
> behind the check.
> Maybe schwarze@ can shed some light on it, since he's to (cvs) blame for
> the particular line.
> 
> martijn@
> 
> On 09/24/17 15:42, Andreas Kusalananda Kähäri wrote:
>> Hi,
>>
>> Given the input file of three lines:
>>
>> line 1
>> line 2
>> line 3
>>
>> and the sed script
>>
>> s/\</\
>> /g
>> s/^/hello/
>>
>> which inserts a newline in front of every word and then prepends the
>> word "hello" to the beginning of the pattern space.
>>
>> The following happens:
>>
>> $ sed -f script.sed input.txt
>> hello
>>
>> hello
>>
>> hello
>>
>>
>> I was expecting to get
>>
>> hello
>> line
>> 1
>> hello
>> line
>> 2
>> hello
>> line
>> 3
>>
>> This is a bit surprising since running only the first sed expression
>> gives (as expected)
>>
>>
>> line
>> 1
>>
>> line
>> 2
>>
>> line
>> 3
>>
>>
>> The question is, why does the "line N" data disappear when inserting a
>> word at the start of the pattern space here?
>>
>> I'm also noticing that this does not happen if a space (for instance)
>> precedes the escaped newline in the first expression:
>>
>> s/\</ \
>> /g
>> s/^/hello/
>>
>>
>> This is using sed in the base system on OpenBSD 6.1-stable (amd64).
>>
>> Cheers,
>>
> 



Re: Strange sed substitution removes text

2017-09-24 Thread Martijn van Duren
This fixes the issue for me, but I'm not sure about the motivation
behind the check.
Maybe schwarze@ can shed some light on it, since he's to (cvs) blame for
the particular line.

martijn@

On 09/24/17 15:42, Andreas Kusalananda Kähäri wrote:
> Hi,
> 
> Given the input file of three lines:
> 
> line 1
> line 2
> line 3
> 
> and the sed script
> 
> s/\</\
> /g
> s/^/hello/
> 
> which inserts a newline in front of every word and then prepends the
> word "hello" to the beginning of the pattern space.
> 
> The following happens:
> 
> $ sed -f script.sed input.txt
> hello
> 
> hello
> 
> hello
> 
> 
> I was expecting to get
> 
> hello
> line
> 1
> hello
> line
> 2
> hello
> line
> 3
> 
> This is a bit surprising since running only the first sed expression
> gives (as expected)
> 
> 
> line
> 1
> 
> line
> 2
> 
> line
> 3
> 
> 
> The question is, why does the "line N" data disappear when inserting a
> word at the start of the pattern space here?
> 
> I'm also noticing that this does not happen if a space (for instance)
> precedes the escaped newline in the first expression:
> 
> s/\</ \
> /g
> s/^/hello/
> 
> 
> This is using sed in the base system on OpenBSD 6.1-stable (amd64).
> 
> Cheers,
> 



Re: Octeon/MIPS64 SMP Support

2017-09-13 Thread Martijn van Duren
On 09/13/17 22:28, Dante F. B. Colò wrote:
> Hi
> 
> I'm think about get a Ubiquiti Edgerouter  box  and drop openbsd there. 
> I read the installation file and was not clear to me if the current
> MIPS/Octeon kernel implementation supports SMP or not , does it support ?
> 
> Regards
> 
> Dante F. B. Colò
> 
Yes it does, just don't forget to set numcores/coremask in the boot
command.

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.1 (GENERIC.MP) #0: Mon Apr  3 08:08:00 UTC 2017
visa@octeon:/usr/src/sys/arch/octeon/compile/GENERIC.MP
real mem = 2147483648 (2048MB)
avail mem = 2113486848 (2015MB)
warning: no entropy supplied by boot loader
mainbus0 at root
cpu0 at mainbus0: CN61xx CPU rev 0.1 800 MHz, Software FP emulation
cpu0: cache L1-I 512KB D 8KB 64 way, L2 1024KB 8 way
cpu1 at mainbus0: CN61xx CPU rev 0.1 800 MHz, Software FP emulation
cpu1: cache L1-I 512KB D 8KB 64 way, L2 1024KB 8 way
clock0 at mainbus0: int 5
iobus0 at mainbus0
octuctl0 at iobus0 base 0x118006f00 irq 56
ehci0 at octuctl0
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Octeon EHCI root hub" rev 2.00/1.00 
addr 1
ohci0 at octuctl0, version 1.0
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Octeon OHCI root hub" rev 1.00/1.00 
addr 1
octrng0 at iobus0 base 0x14000 irq 0
cn30xxgmx0 at iobus0 base 0x118000800
cnmac0 at cn30xxgmx0: SGMII, address 24:a4:3c:06:a2:72
ukphy0 at cnmac0 phy 4: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac1 at cn30xxgmx0: SGMII, address 24:a4:3c:06:a2:73
ukphy1 at cnmac1 phy 5: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac2 at cn30xxgmx0: SGMII, address 24:a4:3c:06:a2:74
ukphy2 at cnmac2 phy 6: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac3 at cn30xxgmx0: SGMII, address 24:a4:3c:06:a2:75
ukphy3 at cnmac3 phy 7: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cn30xxgmx1 at iobus0 base 0x118001000
cnmac4 at cn30xxgmx1: SGMII, address 24:a4:3c:06:a2:76
ukphy4 at cnmac4 phy 0: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac5 at cn30xxgmx1: SGMII, address 24:a4:3c:06:a2:77
ukphy5 at cnmac5 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac6 at cn30xxgmx1: SGMII, address 24:a4:3c:06:a2:78
ukphy6 at cnmac6 phy 2: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac7 at cn30xxgmx1: SGMII, address 24:a4:3c:06:a2:79
ukphy7 at cnmac7 phy 3: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
simplebus0 at iobus0: "soc"
octmmc0 at simplebus0
sdmmc0 at octmmc0: 8-bit, mmc high-speed
uartbus0 at mainbus0
com0 at uartbus0 base 0x118000800 irq 34: ns16550a, 64 byte fifo
com0: console
com1 at uartbus0 base 0x118000c00 irq 35: ns16550a, 64 byte fifo
/dev/ksyms: Symbol table not valid.
ural0 at uhub0 port 1 configuration 1 interface 0 "Cisco-Linksys Wireless-G USB 
Network Adapter" rev 2.00/0.04 addr 2
ural0: MAC/BBP RT2571 (rev 0x05), RF RT2526, address 00:14:bf:75:9a:45
scsibus0 at sdmmc0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  SCSI2 0/direct removable
sd0: 3776MB, 512 bytes/sector, 7733248 sectors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
boot device: sd0
root on sd0a (5e15570835adc5f6.a) swap on sd0b dump on sd0b



Re: (Possibly OT) Trouble installing kanboard

2017-09-12 Thread Martijn van Duren
On 09/12/17 15:38, Andreas Thulin wrote:
> Hi all!
> 
> This may be OT, and if so I apologise (and appreciate being pushed in the
> right direction). I'm trying to install and run kanboard (
> https://kanboard.net) on my 6.1-stable amd64 VPS using httpd + php 7.0.16 +
> php-fpm-7.0.
> 
> At first, the web GUI installer complained (Internal Error: PHP extension
> required: "gd"), so I installed php-gd, and
> 
> # rcctl restart php70_fpm
> as well as
> # rcctl restart httpd
> 
> but I still get the same error message. My php_info() page claims I have gd
> ("shared", whatever that means) support.
Extensions aren't loaded in by default.

# cp /etc/php-7.0.sample/gd.ini /etc/php-7.0
# rcctl restart php70_fpm
> 
> There are a few different components involved here, so I'm not sure where
> to start trouble-shooting. Any pointers would help.
> 
> BR
> Andreas
> 

martijn@



Re: gmail and hotmail blocking mail sent from my IP

2017-08-06 Thread Martijn van Duren
Not an authority on this, so take my reply for what you want.

As far as I know this list is used to keep track of ip-addresses by ISPs
for home-addresses, which are not intended to be used for outgoing mail.

You can whitelist your ip-address on this list yourself and all should
be back to normal.

I faced the same issues and adding my ip did solve the 550s.

Do note that my ip gets removed every year and thus should be re-added
every year.

Sincerely,

martijn@

On 08/06/17 16:51, Walter Alejandro Iglesias wrote:
> Hello everyone,
> 
> I was using smtpd(8) (static IP and FQDN resolving direct and reverse)
> for a year without problems.  Today sending from my server (from the
> same address I'm using now) to gmail and hotmail they answered the
> following (MAILER-DAEMON answer).
> 
> Sending to gmail addresses:
> 
>   *@gmail.com: 550-5.7.1 [185.37.212.61] The IP you're using to send
>   mail is not authorized to send email directly to our servers.  Please
>   use the SMTP relay at your service provider instead. Learn more at
>   https://support.google.com/mail/?p=NotAuthorizedError
>   e1si6736354wra.236 - gsmtp
> 
> Sending to hotmail:
> 
>   *@hotmail.com: 550 DY-001 (SNT004-MC3F42) Unfortunately, messages from
>   185.37.212.61 weren't sent. Please contact your Internet service
>   provider. You can tell them that Hotmail does not relay
>   dynamically-assigned IP ranges. You can also refer your provider to
>   http://mail.live.com/mail/troubleshooting.aspx#errors.
> 
> 
> On the hotmail link above the explanaition for code DY-001 is:
> 
>   Mail rejected by Outlook.com for policy reasons. We generally do not
>   accept email from dynamic IP's as they are not typically used to
>   deliver unauthenticated SMTP email to an Internet mail server. If you
>   are not an email/network admin please contact your Email/Internet
>   Service Provider for help. http://www.spamhaus.org maintains lists of
>   dynamic and residential IP addresses.
> 
> It doesn't happen with yahoo.
> 
> I visited spamhaus.org site and found out my IP is included in a list
> called PBL that, as they  explain is not a spammers list, it just
> includes dynamic and "non mail server IP ranges".
> 
> Does someone here know what is "non mail server IP ranges" about?  Or,
> how could my static IP could be taken as dynamic (some DNS faliure at my
> ISP end?).
> 



Re: FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: Unable to create temporary file, Check permissions in temporary files directory.

2017-08-01 Thread Martijn van Duren
Hello Stephane,

First, please send mails with questions about packages to ports@ in the
future. I'm not changing list now because I don't want to continue the
discussion, but merely rectify a few of your mistakes and hopefully
prevent people finding this thread in the future from making the same
ones.

If anyone feels like they should continue this thread please change the
list to ports@.

On 07/26/17 23:33, Stephane HUC "PengouinBSD" wrote:
> Hi, all.
> 
> Sorry for the latency!
> 
> Yes, i'm sure all ENV* variables are absolute to the system root.
> As explain on the php-fpm.conf, only few directives are relative to be
> chroot.
> 
> [quote]
> (...)
> ; Per pool prefix
> ; It only applies on the following directives:
> ; - 'access.log'
> ; - 'slowlog'
> ; - 'listen' (unixsocket)
> ; - 'chroot'
> ; - 'chdir'
> ; - 'php_values'
> ; - 'php_admin_values'
> ; When not set, the global prefix (or /usr/local) applies instead.
> ; Note: This directive can also be relative to the global prefix.
> (...)
> [/quote]
> 
> I modified the php-fpm.conf_user as:
> 
> env[TMP] = /var/www/tmp/$pool
> env[TMPDIR] = /var/www/tmp/$pool
> env[TEMP] = /var/www/tmp/$pool
> (...)
> php_admin_value[upload_tmp_dir]=/tmp/$pool
> 
> I created the directory /var/www/tmp/$pool, and chowned user_blog:www on
> this!
> 
> In fact, I was using the wrong user.
> 
> Now, it's run correctly! ;)

It runs because of sheer luck, not because of a proper configuration,
let alone correctly.

My statements are based on 7.1.7 which I compiled locally and will
hopefully hit the tree soon(tm), but should be equally valid for
other versions of PHP.
Also, I don't know your setup, so my response is based on
speculation, but is hopefully accurate enough for you to figure out
what is going on yourself.

I assume that you try to upload a file to a PHP script and store
it locally. This reaches main/rfc1867.c:1021 in the PHP core.

This tries to open a file based on upload_tmp_dir, which you've
set to /tmp/$pool in your final solution. This succeeds, because
it exists inside your chroot.
The problem here is that you haven't fixed env[{TMP,TMPDIR,TEMP}].

If upload_tmp_dir isn't set php_open_temporary_fd_ex
(main/php_open_temporary_file.c:294) calls php_get_temporary_directory.
This function tries several options, of which one is getenv("TMPDIR");.
Because you've set this variable to /var/www/tmp in your original setup,
but is called *AFTER* the fpm-daemon has chrooted to /var/www it
effectively tries to call /var/www/var/www/tmp, which does not exist.
See also the documentation at http://php.net/manual/en/ini.core.php.

If you hadn't set the environment variable it would've eventually fallen
back to /tmp, which is effectively /var/www/tmp because of the chroot.
Ergo: Fix your environment and unset upload_tmp_dir.

The second problem you hit is that /var/www/tmp is owned by www:www
with 755 permissions (pitfall, these permissions can be reset at any
time to 700). So even if PHP would try to create the intermediate
directories (don't know, haven't checked) it would still fail because of
the permissions on this directory.
Creating the /var/www/tmp/$pool directory with the correct owner
solves the problem indeed, but not because of your env statements.

The problem now is that you've fixed one problem but you've left open an
entire subsection of problems that you happen to not hit, and are still
a risk for people copying your configuration, or even yourself in the
future.
If you were to use tmpfile() you'd probably run into the same problem,
and that's just one example that I thought of, there's probably a lot
more.

So please, make sure you know what you're doing, especially if you claim
you've fixed something. These misconfigurations are always picked up by
other users and will cause problems down the road.

Next time you run into a similar problem go through the following steps:
1) Formulate what you've changed compared to the default configuration
file.
2) Formulate why you've changed these settings.
3) If you happen to solve your particular problem, report it as such
(that it fixes just your use case), unless you've researched why things
failed in the first place and you're absolutely sure your solution is
a generic solution.

Hope this mail helped you understand a little more of the internals and
added a little to your skills to debug such problems yourself.

martijn@
> 
> Thank you all.
> 
> 
> Le 07/26/17 à 01:50, Todd Mortimer a écrit :
>> Hi Stephane,
>>
>> Are you sure that the env[TMP], env[TMPDIR] and env[TEMP] variables are
>> supposed to be relative to the real system root, or relative to the
>> chroot? If I were to guess, I would bet that php is trying to create a
>> file after chrooting itself, and inside the chroot, /var/www/tmp doesn't
>> exist. Try setting those env vars to /tmp and see if that works. 
>>
>> Todd
>>
>> On Tue, Jul 25, 2017 at 09:03:38AM +0200, Stephane HUC "PengouinBSD" wrote:
>>> Hi all.
>>>
>>> I have this error on my,OpenBSD server 

Re: Missed ifconfig [[-]txpower dBm] option for 802.11

2017-07-04 Thread Martijn van Duren
On 07/04/17 15:07, Denis wrote:
> Looking for ifconfig '[[-]txpower dBm]' option which was present in
> OpenBSD 5.4 amd64. Try to find 'txpower' on 6.0 amd64 but seems it
> missed out.
> 
> Actively using it to match power for 802.11 card and it's RF recipient
> (post amp). What mechanism of output power matching is provided
> currently since 5.4 amd64?
> 
> Thanks for answers in advance.
> 
A quick look in the ifconfig.8 cvs log shows:
revision 1.264
date: 2015/12/06 12:50:05;  author: tedu;  state: Exp;  lines: +2 -10;  
commitid: elXp5QtailrWrL5N;
remove txpower option. only relevant to the now irrelevant wi driver.
(several other drivers misleadingly claim generic 802.11 txpower, but
do not in fact do anything. the knob is not connected to the radio.)
ok benno jsg krw reyk

martijn@



scsi_xfer pool exhausted

2017-06-28 Thread Martijn van Duren
Hello misc@,

A customer system of mine has problems with the system since this 
morning (happened 3 times so far).
The dmesg shows a large number "scsi_xfer pool exhausted" messages.

Right now I have no idea on how to debug this any further.

Cluestick more than welcome

$ dmesg 
OpenBSD 6.1 (GENERIC.MP) #7: Mon Jun 12 20:41:01 CEST 2017

rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: HELP! My HTTPD website keeps breaking because the custom directory/user permissions are being reverting for some reason!

2017-05-28 Thread Martijn van Duren
On 05/29/17 01:57, tec...@protonmail.com wrote:
> Hi there,
> 
> I have been using httpd for quite a while now, but after a new 
> project/website having to have read/write/execute permissions (unsafe, I do 
> realise..) I decided to:
> 
> 1. add root to the www group,
> 2. chown -R www:www /var/www/htdocs
> 3. chmod -R 775 /var/www/htdocs
> 
> Everything was running smoothly, until I was testing out the functionality 
> and realised I couldn't use php to write new directories or files, so I 
> checked the permissions and for some reason they have all switched back to: 
> root:daemon with permissions of 755.
> 
> Now, I'm guessing this is a security feature in some way, but for my purposes 
> and the type of service I'm creating it is breaking everything. Can someone
> tell me what man page to look up for this or something? Time is of the
> essence because I need this website running properly by tomorrow at latest.
> 
> Many many thanks!!
> 

My suggestion would be to look into mtree(8) and security(8)
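Added example (not from this thread and not OpenBSD's mtree(8) or security(8) code): a small Python check in the spirit of what the daily security(8) run does with the mtree(8) specification files, taking a baseline of a tree's file types, modes and owners and reporting every later deviation. The htdocs layout, its modes and the simulated `chmod -R 775` are constructed for the demo.

```python
import os
import stat
import tempfile


def snapshot(root):
    """Record (type, mode, uid, gid) for every entry under root, keyed by relative path."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in entries:
            st = os.lstat(path)  # lstat: do not follow symlinks, like mtree does
            if stat.S_ISDIR(st.st_mode):
                kind = "dir"
            elif stat.S_ISLNK(st.st_mode):
                kind = "link"
            else:
                kind = "file"
            spec[os.path.relpath(path, root)] = (kind, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return spec


def check(expected, actual):
    """Compare two snapshots; return deviations as 'path: field (expected, actual)' lines."""
    problems = []
    for path, (kind, mode, uid, gid) in sorted(expected.items()):
        have = actual.get(path)
        if have is None:
            problems.append(f"{path}: missing")
            continue
        akind, amode, auid, agid = have
        if akind != kind:
            problems.append(f"{path}: type ({kind}, {akind})")
        if amode != mode:
            problems.append(f"{path}: permissions ({mode:04o}, {amode:04o})")
        if (auid, agid) != (uid, gid):
            problems.append(f"{path}: owner ({uid}:{gid}, {auid}:{agid})")
    for path in sorted(set(actual) - set(expected)):
        problems.append(f"{path}: extra")
    return problems


def demo():
    """Constructed scenario: a 755/644 htdocs tree, then the 775 change the poster made."""
    with tempfile.TemporaryDirectory() as root:
        htdocs = os.path.join(root, "htdocs")
        os.mkdir(htdocs)
        index = os.path.join(htdocs, "index.php")
        with open(index, "w") as f:
            f.write("<?php echo 'hi'; ?>\n")
        os.chmod(htdocs, 0o755)
        os.chmod(index, 0o644)
        baseline = snapshot(root)          # the spec the check enforces
        os.chmod(htdocs, 0o775)            # simulated chmod -R 775 (chown needs root, so not shown)
        os.chmod(index, 0o775)
        return check(baseline, snapshot(root))
```

Running `demo()` returns two "permissions" deviations, one for `htdocs` and one for `htdocs/index.php`; a real deployment would persist the baseline instead of building it in a temporary directory.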



Re: OpenIKED and Windows 10 Client

2017-04-12 Thread Martijn van Duren
On 04/12/17 11:42, Stuart Henderson wrote:
> On 2017-04-11, Markus Rosjat  wrote:
>> I think the problem is with the Windows side because it tells me there
>> is no certificate to be found. I added the certificate to local machine
>> store -> own certificates (at least in the German UI there is no personal folder)
> 
> I think you're adding this cert to the wrong one of the many cert stores
> on Windows. It worked for me in trusted CAs, though there may be a better
> option that also works.
> 
One thing that also bit me was that I had to put them in the system-wide
store and not in the personal store.



Re: bandwidth monitoring

2017-03-07 Thread Martijn van Duren
On 03/07/17 12:08, thrph.i...@gmail.com wrote:
> http://www.ex-parrot.com/pdw/iftop/

systat(1) states
> 
> On Tue, 7 Mar 2017 11:28:50 +0100
> Frank White  wrote:
> 
>> Hi,
>> how can I monitor the bandwidth and know what client is occupying the
>> bandwidth ?
>> Thank u.


