Re: Rate limit the httpd web server for signup requests

2024-06-12 Thread Dan
Jun 12, 2024 00:56:47 Martin :

> A simple CAPTCHA reduces some of the irrelevant noise, but the more
> sophisticated bots solve the CAPTCHA.
>
> Using Cloudflare's or Google's CAPTCHA is frowned upon by the real
> users, which I fully understand.
>
> So I was wondering, if some other clever method can reduce the noise?


Testing and knowing all the possible solutions to fight "3rd kind intelligence
spammers" seems a little overwhelming to me; it appears to me like the story of
searching for a firewall that solves every security problem. Indeed, just
consider that a parameter of curl allows you to simulate any post submission.
And the problem eventually could be exactly this, the why of the existence of
these advanced client tools. [ ... ]

For now, I just implemented my own captcha asking to solve a simple math
problem, and that eventually can be enriched for future research.. Some simple
php code, easy stuff, happy to share it.

-Dan
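The simple math captcha Dan mentions, as an added example written for this reply (not his code): the expected answer is bound to an HMAC-signed, expiring, single-use token, so a bot cannot solve one challenge and replay it across many signup requests. The CAPTCHA_SECRET variable and the `$used` store are assumptions; the captcha complements, rather than replaces, per-source rate limiting in front of httpd.

```php
<?php
// Added example, not the poster's PHP: a math CAPTCHA whose expected answer
// is bound to an HMAC-signed, expiring, single-use token. Binding the answer
// to the token (instead of trusting a hidden form field) stops a bot from
// solving one challenge and replaying it across many signup requests.
declare(strict_types=1);

const CAPTCHA_TTL = 300;   // seconds a challenge stays valid

// CAPTCHA_SECRET is an assumed environment variable name; any long random
// secret that survives restarts will do.
function captcha_secret(): string
{
    $secret = getenv('CAPTCHA_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('CAPTCHA_SECRET must be set to >= 32 bytes');
    }
    return $secret;
}

// The MAC covers expiry, nonce and the correct answer, so the answer itself
// never has to be stored server-side or sent to the client.
function captcha_mac(string $expires, string $nonce, int $answer): string
{
    return hash_hmac('sha256', "$expires|$nonce|$answer", captcha_secret());
}

// Build a fresh challenge: a question for the form and an opaque token to
// carry in a hidden field.
function captcha_new(): array
{
    $a  = random_int(2, 20);
    $b  = random_int(2, 20);
    $op = random_int(0, 1) === 1 ? '+' : '-';
    $answer  = $op === '+' ? $a + $b : $a - $b;
    $expires = (string)(time() + CAPTCHA_TTL);
    $nonce   = bin2hex(random_bytes(8));   // makes every token single-use
    $mac     = captcha_mac($expires, $nonce, $answer);
    return [
        'question' => "What is $a $op $b?",
        'token'    => base64_encode("$expires|$nonce|$mac"),
    ];
}

// Verify a submitted answer. $used stands in for a store shared by all PHP
// workers (APCu, a database table, ...); an in-memory array only lives for
// one request and is used here to keep the example self-contained.
function captcha_check(string $token, string $answer, array &$used): bool
{
    $raw   = base64_decode($token, true);
    $parts = $raw === false ? [] : explode('|', $raw);
    if (count($parts) !== 3) {
        return false;                        // malformed token
    }
    [$expires, $nonce, $mac] = $parts;
    if (!ctype_digit($expires) || (int)$expires < time()) {
        return false;                        // expired or tampered expiry
    }
    if (isset($used[$nonce])) {
        return false;                        // replay of a solved challenge
    }
    $answer = trim($answer);
    if (!preg_match('/^-?[0-9]{1,3}$/', $answer)) {
        return false;                        // not a plausible answer
    }
    $expect = captcha_mac($expires, $nonce, (int)$answer);
    if (!hash_equals($expect, $mac)) {
        return false;                        // wrong answer or forged token
    }
    $used[$nonce] = (int)$expires;           // burn the nonce until it expires
    return true;
}

// Drop nonces whose tokens can no longer verify anyway.
function captcha_gc(array &$used): void
{
    $now = time();
    foreach ($used as $nonce => $expires) {
        if ($expires < $now) {
            unset($used[$nonce]);
        }
    }
}
```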



Re: [Solved] Edit: Installation amd64 7.5: How to access the distribution sets on the USB stick?

2024-06-09 Thread Dan


Errata:

2) to solve I copied the content of my stick to a larger usbdisk (almost 512gb
by copy machine), upgraded the disk and copied back to the stick.

-Dan

Jun 9, 2024 17:35:56 Dan :

> 
> Sorry if I arrive late and maybe with something that is neither pertaining.
> 
> This prb makes me remember an issue that I experienced many sysupgrades
> ago for almost two subsequent times: sysupgrade suddenly stopped on the disk
> selection saying no acceptable disk destination was inserted while my usb disk
> of my station was clearly inserted and ready for the upgrade. The interesting
> parts here possibly addressing a suggestion for you are: 1) my problem
> replicated on different machines (almost 1 minipc and 1 laptop) and sticks
> (although coming from the same original installation) 2) to solve I copied
> the content of my stick to a larger usbdisk (almost 512gb by copy machine),
> upgraded the disk and copied back to the disk. It happened to me many years
> ago and when I was still with 16gb sticks, however I still own the same
> hardware.
> A side note: 7.5 upgrade on 32gb stick gave me no problem.
> 
> -Dan



Re: [Solved] Edit: Installation amd64 7.5: How to access the distribution sets on the USB stick?

2024-06-09 Thread Dan


Sorry if I arrive late and maybe with something that is neither pertaining.

This prb makes me remember an issue that I experienced many sysupgrades
ago for almost two subsequent times: sysupgrade suddenly stopped on the disk
selection saying no acceptable disk destination was inserted while my usb disk
of my station was clearly inserted and ready for the upgrade. The interesting
parts here possibly addressing a suggestion for you are: 1) my problem
replicated on different machines (almost 1 minipc and 1 laptop) and sticks
(although coming from the same original installation) 2) to solve I copied the
content of my stick to a larger usbdisk (almost 512gb by copy machine),
upgraded the disk and copied back to the disk. It happened to me many years
ago and when I was still with 16gb sticks, however I still own the same
hardware.
A side note: 7.5 upgrade on 32gb stick gave me no problem.

-Dan



Re: nginx + php = system() not working?

2024-05-17 Thread Dan


"Souji Thenria"  wrote:

> Another issue might be that nginx is still running as www and doesn't
> have access to /home/Testing.

As per above suggestion double check that the user by which you
run nginx (usually www) has access almost by the group to
the prefix directory declared by the -p flag, and to the subfolders.
(and clearly you can't manage to do that on a usr home dir..)

Then you should double check your phpfpm user and group by the
php-fpm.conf in the following declarations:

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www
group = www


-dan



Re: nginx + php = system() not working?

2024-05-17 Thread Dan



It can even help to run nginx in "unsecure mode" if you want to stay
not chrooted:

nginx_flags="-u -p /home/mytests"

man nginx

; while php-fpm.conf should remain with the default values 
; in this case..


-dan


Mike Fischer  wrote:

> 
> > Am 17.05.2024 um 03:58 schrieb F Bax :
> > 
> > I think I missed something simple? I installed 7.5 release in a VM.
> > I then installed nginx and PHP 8.3.3; with pkg_add. I then ran
> > these two commands: # rcctl enable php83_fpm # rcctl start php83_fpm
> > I found an issue with php system() function; so created this simple
> > script which produces "HiThere"; why is the date not presented?
> > <?php
> >   echo 'Hi';
> >   system( 'date' );
> >   echo 'There';
> > ?>
> 
> You are probably running the php83_fpm process accessed from nginx in
> the default chroot(2) environment? 



Re: nginx + php = system() not working?

2024-05-17 Thread Dan
May 17, 2024 11:30:25 Souji Thenria :

> -u   By default nginx will chroot(2) to the home
>  directory of the user running the daemon, typically
>  "www", or to the home directory of user in
>  nginx.conf.  The -u option disables this behaviour,
>  and returns nginx to the original "unsecure"
>  behaviour.
>
> But it doesn't do it on other systems; I cross-checked with nginx
> installed on a FreeBSD, where this option doesn't exist.


Indeed take care about this option as I use it every day in my dev 
environment.. ;-)



Re: OpenBSD 7.5: xfce-4.18.1: missing Special Characters utility

2024-05-16 Thread Dan


Reinstalled manually after the upgrade to 7.5 with:
pkg_add gucharmap

-dan


Dan  wrote:

> 
> Hello,
> 
> In my OpenBSD 7.5, xfce-4.18.1 is missing the Characters Map / Special
> Characters utility both graphically, in the menu, and on the disk.
> 
> Thanks!
> 
> -dan



Re: Errata: OpenBSD 7.5: high temperature spotted different times

2024-05-15 Thread Dan


Correction:

CPU: Intel(R) Core(TM) i7-4500U CPU @ 1.80GHz, 06-45-01,
patch 0026 (year 2014)


Dan  wrote:

> Hello,
> 
> In my OpenBSD 7.5 stable temperature increases time to time remaining on
> 64-65°C; an old quad cores I5 cpu.
> 
> Thanks,
> 
> -dan



OpenBSD 7.5: xfce-4.18.1: missing Special Characters utility

2024-05-15 Thread Dan


Hello,

In my OpenBSD 7.5, xfce-4.18.1 is missing the Characters Map / Special
Characters utility both graphically, in the menu, and on the disk.

Thanks!

-dan



OpenBSD 7.5: high temperature spotted different times

2024-05-15 Thread Dan
Hello,

In my OpenBSD 7.5 stable temperature increases time to time remaining on
64-65°C; an old quad cores I5 cpu.

Thanks,

-dan


Re: Why /var/www/run instead of /var/run for web services

2024-05-12 Thread Dan


> I suspect that it is because a web service might change its root
> directory to /var/www using chroot(2),

> Can anyone confirm or deny my assumption?


Right, www is chrooted.

-Dan



Re: Guidance for booting NanoPi R6S?

2024-04-22 Thread Dan Jones
On Sun Apr 21, 2024 at 9:21 PM MDT, Stephan Somogyi wrote:
> On Sun, Apr 21, 2024 at 9:20 AM Mihai Dragan 
> wrote:
>
>
> > You need to follow a few additional steps to get R6S image to boot after
> > flashing the initial image:
> > On an OpenBSD desktop system, install "u-boot-rk3588" package. The one I
> > tested with is u-boot-rk3588-2024.01rc3p1.
> > Insert the sdcard you flashed with the install/miniroot image.
> > Copy the uboot binary for your specific board on the sdcard as described
> > in the "For systems based on Rockchip RK356x SoCs:" of this page
> > https://ftp.openbsd.org/pub/OpenBSD/7.5/arm64/INSTALL.arm64
> >
> > For the R6S this should be:
> > dd if=/usr/local/share/u-boot/nanopi-r6s-rk3588s/u-boot-rockchip.bin
> > of=/dev/sdXc seek=64
> >
> > Then plug the sdcard back in the board, connect a usb-to-serial adapter at
> > 115200 baud rate (this differs from the default rockchip settings) and
> > power the board on.
> > Everything's standard from here, follow the instructions on the arm64
> > installation page.
> >
> > Hope this helps
> >
>
> Yes, thanks, that was very helpful.
>
> I got some oob help as well and am in the process of debugging some of the
> hardware support.
>
> In case anyone else is interested, the kernel (both 7.5-stable and
> -current) hangs during boot at ohci; disabling that allows boot and install
> to proceed. I'm seeing unexpectedly poor performance with dwqe, and neither
> of the rge interfaces seems able to acquire a dhcp lease. I also am seeing
> unexpectedly low performance compared with an rpi4 in the LibreSSL speed
> test; AES, SHA1, and SHA2 are only ~clock-speed faster, and not Using ARMv8
> ISA faster.
>
> Thanks again for the reply.
>
> s.


If I remember correctly, both the NanoPi R5 and R6 require that you manually
set the MAC address for the rge interface via 'ifconfig lladdr etheraddr'.  
This is at least what I needed to do on my R5S.
 
Best, 

Dan



Re: Upgraded to 7.5: vfs.ffs.dirhash_dirsize no longer exists and large directory ere veeery slow

2024-04-12 Thread Dan


Thanks for the answer, it seems I'm not missing dirhashes after all.. :)

-Dan

Apr 12, 2024 16:25:51 Otto Moerbeek :

> On Fri, Apr 12, 2024 at 12:21:43PM +0200, Dan wrote:
> 
>> 
>> Really, I fear this value is due to a wrong tweak..
> 
> 
> Fear is a bad advisor.
> 
> If you look at man 3 sysctl, you'll see what vfs.ffs.dirhash_mem
> means:
> 
>  FFS_DIRHASH_MEM (vfs.ffs.dirhash_mem)
>   The amount of memory currently used by all directory
>   hashes.
> 
> In other words a harmless mem usage metric.
> 
>     -Otto
> 
>> 
>> -Dan
>> 
>> Apr 12, 2024 09:09:06 Dan :
>> 
>>> 
>>>> Yes, that fixes it for me:
>>>> 
>>>> $ sysctl vfs.ffs
>>>> vfs.ffs.dirhash_dirsize=2560
>>>> vfs.ffs.dirhash_maxmem=5242880
>>>> vfs.ffs.dirhash_mem=767359
>>> 
>>> 
>>> I have this value in 7.4 stable:
>>> 
>>> vfs.ffs.dirhash_mem=1412837
>>> 
>>> is it correct? or how to fix it?
>>> 
>>> 
>>> -Dan
>> 



Universal screen mirroring from mobile devices

2024-04-12 Thread Dan
Hello,

Intriguing this subject from my daughter watching mum doing
lessons at the computer using her mobile. It came out that from
her sparkling mind mum need to connect her mobile to the laptop
(an old 2011 mac) to watch to her student.

Do you think remote the possibility to have some screen mirroring
functionalities embedded in our favorite desktop environment under
OpenBSD?

I imagine a more *flexible* desk environment where sort of universal
screen mirroring is allowed among devices exactly how today we can
do in our livingroom on Samsung or other brand TVs..

-Dan



Re: Upgraded to 7.5: vfs.ffs.dirhash_dirsize no longer exists and large directory ere veeery slow

2024-04-12 Thread Dan


Really, I fear this value is due to a wrong tweak..

-Dan

Apr 12, 2024 09:09:06 Dan :

> 
>> Yes, that fixes it for me:
>> 
>> $ sysctl vfs.ffs
>> vfs.ffs.dirhash_dirsize=2560
>> vfs.ffs.dirhash_maxmem=5242880
>> vfs.ffs.dirhash_mem=767359
> 
> 
> I have this value in 7.4 stable:
> 
> vfs.ffs.dirhash_mem=1412837
> 
> is it correct? or how to fix it?
> 
> 
> -Dan



Re: Upgraded to 7.5: vfs.ffs.dirhash_dirsize no longer exists and large directory ere veeery slow

2024-04-12 Thread Dan
 
> Yes, that fixes it for me:
>  
> $ sysctl vfs.ffs
> vfs.ffs.dirhash_dirsize=2560
> vfs.ffs.dirhash_maxmem=5242880
> vfs.ffs.dirhash_mem=767359


I have this value in 7.4 stable:

vfs.ffs.dirhash_mem=1412837

is it correct? or how to fix it?


-Dan 



Re: newfs fast, but newfs_msdos and newfs_ext2fs very slow

2024-04-10 Thread Dan


As last resort, if you are one that lives with usb sticks,
independent hardware duplicators like those from startech.com
have a quick format option (almost my old version of it has)
further than other useful functionalities.

-Dan

Apr 10, 2024 10:34:38 Stuart Henderson :

>> How can I speed the creation of a FAT32 or Ext2 file system up?
> 
> Maybe increasing block size will help. If not, I don't think there's
> really much you can do. There's no "quick format" option for newfs_msdos
> like there is on Windows.



Re: Upgrade 7.5 /usr full

2024-04-09 Thread Dan


If you are by usb sticks you can find maybe useful one old thread:

https://marc.info/?l=openbsd-misc=169896854913334=2

Please remember to update /etc/fstab according to the new layout of the final
system before rebooting.

-Dan

Apr 9, 2024 18:37:39 Stuart Henderson :

> Some options:
> 
> - backup, reinstall with adjusted partition sizes, and restore



Re: TLS handshake failure at pkg_update

2024-04-08 Thread Dan


Mizsei Zoltán :

> doas pkg_add [...]
> https://ftp2.eu.openbsd.org/pub/OpenBSD//7.5/packages/amd64/: TLS handshake 
> failure: handshake failed: error:02FFF00D:system 
> library:func(4095):Permission denied

It sounds like your user context (by doas) is not enough to complete pkg_add
operations. I suggest to go for the superuser by chance.

-Dan



Re: need help to access my machine after upgrade -- system immediately logs me out

2024-04-02 Thread Dan


Stuart Henderson :
> 
> Running out of space (especially in /usr) during sysupgrade might
> do it too.


When in single mode I recommend to check also the root for /dev
content, 90% of times I run out of space it happens there to me, anyway
I'm not sure about the connection with xterm and sysupgrade.

-Dan



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-31 Thread Dan
If I'm explaining security or lack of security, or saying things like "this
is not enough", it's not as part of a speech that's meant to whine. I'll
explain: I could've just asked, in my first message, whether OpenBSD has a
mechanism like Ctrl-Alt-Delete on Windows, and whether it has sandboxing
for desktop apps, without explaining the rationale of having such security
features. Then, someone could've come and tell me that these security
features aren't necessary, or that I'm focusing on a minor security aspect.
I wanted an informed discussion, so I was explaining the rationale behind
these to make readers understand why I was asking about them. Furthermore,
in my recent message about the faking of a doas/sudo prompt and User
Account Control (UAC) on Windows, there was a part where I said that the
sandboxing that OpenBSD provides for certain apps "[that alone] is not
enough"; I said that in the context of explaining the security that UAC
provides on Windows compared to what there seems to be with the default
installation of OpenBSD, notice the rest of the message and how that
comment of mine was in parentheses. It may sound like I'm completely
knowledgeable about OpenBSD, but I'm not. I understand certain
generally-applying concepts, but I don't know if, for example, there's a
sysctl(2) or something that can optionally toggle into that. (As an
example, until recently, I didn't know there was an optional sysctl(2) that
can enable extra hardening for malloc.) I hope this clears up why I'm
writing things the way I do.


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-31 Thread Dan
On Sunday, March 31, 2024, Jose Maldonado  wrote:

> El Sun, 31 Mar 2024 01:10:15 +
> Dan  escribió:
> > On Wednesday, March 27, 2024, Dan  wrote:
> >
>
> Hi @list!
>
> Lots of discussion and useless talk when the solution is in your hands
> @Dan:
>
> 1.- Are you worried about the fact that apps on X11 may suffer


Emphasis on "may".


> input-spoofing? Great, start writing all the code necessary to prevent
> that from happening and help us improve the security of OpenBSD and any
> other OS that uses X11.


There's already rootless X on OpenBSD, it may prevent that? The thing is, I
don't know. So I asked. And there's already efforts to replace X11 with
Wayland, and already efforts to port Wayland to OpenBSD.


>
> Coming here and saying that we are not attentive to security and that


Where did I say that? False accusation.


> is why we "HAVE" to do something, is utter


Where did I say anybody has to do anything? False accusation.


> idiocy. Start doing
> something yourself, if you want to collaborate beyond a stupid speech.


"Speech"? These are important questions.


>
> 2.- Do you want a mechanism that prevents logins being stolen? Same


Why should I want something to be added when it might already exist and I'm
missing it? Again, I asked.


> story, start writing kid, crying at the list doesn't help.


Where did I "cry" or whine about OpenBSD? False accusation. Quite the
contrary, I praised OpenBSD at various times, and I wouldn't have come here
in the first place if I wouldn't have had appreciation for OpenBSD.


>
> 3.- Do you want more applications to have pledge/unveil to improve


Which "more" applications? I do not know whether this:
https://openports.pl/search?file=unveil
https://openports.pl/search?descr=unveil
Is the exhaustive list of all third-party apps that are sandboxed with
pledge/unveil. I asked whether people knew of other programs or whether
it's possible to list other programs beyond that. It seems that you expect
me to assume that these links list all sandboxed programs exhaustively, but
I do not assume, I ask.


> security? Same story...start writing the code necessary for it and stop
> crying.


Where did I "cry" or whine about OpenBSD? False accusation.


>
> Nobody is here to serve your designs or needs.


Which ones? I didn't know I had any.


> Want something? Write it
> down, it contributes to the project more than


What if it's already written down?


> tantrums and tears.


Which ones?


>
> My last and unique message in this thread: Don´t feed the fucking
> troll!


In case you're referring to me feeding trolls rather than being the troll:
Peter N. M. Hansteen said he blocked me after merely my second message in
this thread. Because of his reputation, I lost sense of whether I'm
perceived as a troll here.


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-31 Thread Dan
On Wednesday, March 27, 2024, Dan  wrote:

> Hello, I have 3 security-related questions:
> (1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure
> Attention Key, or SAK) to prevent malware (or a website in fullscreen, for
> example) from faking a logout process and/or faking a login prompt? On
> Windows the kernel ensures that the operating system captures this key
> combination and takes over with a real login prompt that malware can't fake
> without first defeating the OS security.
>

(Let me clarify for the rest of this message: malware is any program that
acts maliciously; it doesn't *necessarily* bypass exploit mitigations or
security features of the OS (e.g. it could work around them, or abuse the
lack of them).)

Something recent that I found that's relevant:
https://www.bleepingcomputer.com/news/security/decade-old-linux-wall-bug-helps-make-fake-sudo-prompts-steal-passwords/
(From March 28, 2024. Note that this isn't a vulnerability in how the OS
separates users or enforces security, this is a vulnerability that could be
used to make a convincing "phishing" attack.)
This isn't exactly the issue that SAK prevents, because the SAK is meant to
be used at login time (not when already logged in as one user and trying to
doas/sudo one program/command into another user), but I'll repeat the two
links I sent before:
https://security.stackexchange.com/a/34975
https://learn.microsoft.com/windows/win32/winstation/desktops
The second link being the more relevant one. Notice how Microsoft describes
that User Account Control takes over the screen with a secure desktop mode.
UAC is the equivalent of doas/sudo. There's an additional problem though:
malware and websites in fullscreen could mimic the sound and visual dimming
effect that UAC does on Windows. While UAC doesn't ask the user to press a
privileged key combination like Ctrl-Alt-Delete (so the user has no
guarantee that the UAC prompt is authentic, even with the said perceptual
effects), it does something else: it asks for authorization (and details
what is authorized exactly) without relying on knowledge of the passphrase
as proof for authorization. Malware on OpenBSD that knows the root
passphrase, or the passphrase of a doas-capable/sudoer user, can escalate
its privileges; malware on Windows (including web content that escapes the
browser's sandbox) that knows the passphrase of a user in the
Administrators group cannot escalate its privileges without first
compromising the integrity of Windows, because asking Windows to escalate
privileges would ensure that the user authorizes the escalation regardless
of the passphrase (let's assume that UAC is set to its highest (fourth)
level, rather than the default (third) level that excepts some system
programs from causing a UAC prompt when escalating). (Web content that
escapes the browser's sandbox of Chromium, Firefox, and Tor Browser on
OpenBSD would need to compromise the integrity of OpenBSD, because it
sandboxes them further using pledge(2) and unveil(2) (or find a weakness in
how these two are set up). So that's already a very good thing, but that
alone is not enough.) It's important to emphasize that it doesn't matter
whether UAC asks or doesn't ask for a passphrase to authorize, rather the
important thing here is that it takes over the computer temporarily in a
way that cannot be interfered with by normal programs and asks for explicit
authorization; it could as well ask for a passphrase too as a second
factor. Malware that fakes a UAC prompt and gets "authorized" by the user
would achieve nothing, as it hasn't really asked Windows to escalate,
whereas malware on OpenBSD that convincingly fakes a doas prompt and gets
"authorized" by the user can then impersonate the "authorizing" user going
forward.


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-30 Thread Dan
On Saturday, March 30, 2024, hahahahacker2009 
wrote:

> Vào Th 7, 30 thg 3, 2024 vào lúc 11:19 Dan  đã
> viết:
>
> >>
> >>
> >> > I've looked at the
> >> > source code and issue tracker of upstream Firefox in the past and it
> has
> >> > upstream support for pledge(2) and unveil(2).
> >>
> >> Great, you figured it out: if you want to know if a given piece of
> >> software uses pledge, grep its source code for pledge.
> >
> >
> > Sounds very tiresome and cumbersome to check. You failed to point at any
> rule according to which I'm not permitted to ask a general question about
> such software without resorting to tiresome and cumbersome manual methods
> like what you're suggesting here, and you consistently ignore this by
> bringing the same manual grep/find suggestion again and again with no
> sensible reason given what I explained now.
>
> Even "friendly" linux communities would tell you to check yourself.


There's no problem in being told to do that, just as there's no problem in
asking if people know about such programs without me having to tiresomely
check everything. Perhaps there's a website somewhere that lists all
pledged/unveiled apps and I'd be duplicating the effort needlessly?


> You are wasting people's time.


Subjective.


> And before spamming in the list can you make your message
> fit 72 character per line and disable HTML?


First, I'm not spamming. Second, no, I can't. The Gmail web interface for
mobile (which I'm using) doesn't let me disable HTML, and I don't see how I
could limit line length except by manually counting characters and breaking
lines, and I'm obviously not gonna do that. Sorry. I may switch to a
different email client/interface in the future, this Gmail interface seems
to not be paid much attention to by Google.


>
>
> >
> >>
> >> You really need to shut the fuck up now.
> >>
> >> Please note that I am replying to you directly, off-list.
> >> Hint: there is a reason for that.
> >
> >
> > I am deliberately shaming you on a public mailing list because you're a
> troll. I may also block you in my Gmail settings if I'll find the setting
> in mobile. I'm giving you a middle finger.
> >
> > ~ | ~ | ~ | ~ | ~ | ~
> >
> > (Note for everyone: This message is intended to shame a troll; if you're
> here to follow the technical discussion only, feel free to skip reading
> this message.)
>
> Dan, I see you are a troll too.


False. I asked legitimate questions and I answer honestly and precisely.


> You are sending HTML emails and it doesn't fit 72 char per line.


Ditto.


> It is annoying. Your message include a bunch of not needed trash.


I answer everything that's brought up as comprehensively as needed, so I
don't see what's "not needed".


>
> You ask the whole list things that you can research yourself, they are


Ditto.


> not highly advanced topics. These topics are repeatedly asked by people
> who will never read man pages or faq. That


That doesn't appear in the man pages or FAQ, and in my very first message
I've already mentioned how Chromium, Firefox, and Tor Browser are
sandboxed, so I obviously did look up things before asking here. So you're
wrong here in two aspects.

> attitude should only exist
> on reddit/lemmy and other linux communities which tries to be "friendly".


Please elaborate, what attitude are you referring to precisely? That's a
vague statement. Also, please explain the reasoning (or point to a rule)
whereby the attitude should not exist here.


> So please:
> > Do your homework before you post.


Ditto.


>
>
> I saw Jan Stary's messages
> (https://marc.info/?a=10863507214=1=2)
> are mostly answering people's question.
> But your messages are asking people to do research for you.


False. I didn't tell anyone to do anything for me. I asked questions.


>
> If you can't do research yourself, why expecting people to do it for you?


Both premises are false. Ditto.


> They might think that you don't have any knowledge and thus ignore you
> (for example, they think you might not understand what they are writing).


I'm not sure what logic follows from asking questions about specific things
(specific as they are in the question) to drawing a conclusion that the
asker lacks knowledge about things not specified/asked about in the
questions. Regarding the things that are specified/asked about in the
question, it's obvious that the asker doesn't know about them, because I
wasn't presenting a riddle, and this is true universally to everyone. I
don't understand how I'm special here from any other people that ask
questions here.


> Or simply, if you cannot respect yourself, why expect others to respect
> you?


Excuse me?


>
> In Viet Nam, you are simply called "animals" (súc vật, very offensive) and
> then ignored.
>

Excuse me? What the fuck did you call me??


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-30 Thread Dan
On Saturday, March 30, 2024, hahahahacker2009 
wrote:

> Vào Th 6, 29 thg 3, 2024 vào lúc 07:40 Dan  đã
> viết:
>
> > This only lists third-party packages that have an OpenBSD
> ports-originated addition of pledge/unveil configuration files; packages
> that use pledge/unveil without configuration files, or whose pledge/unveil
> configuration files originate from the upstream distribution, are not
> listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
> are sandboxed, which is excellent because Web browsing is one of the most
> popular desktop activity and browsers are meant to use networking and
> execute untrusted JavaScript/WebAssembly code, and parse untrusted data
> like media, CSS, etc. Contrary to servers, that if they're hacked then some
> business might be ruined, personal computers are used to do banking and
> shopping online, chat with distant friends/family 
> members/doctors/lawyers/coworkers/etc.,
> and hold our personal thoughts and memories, so I believe that they
> shouldn't get compromised just because the user entered the wrong website
> on a bad day, or opened the wrong video, or the wrong file, etc. OpenBSD
> already has the excellent system calls pledge(2) and unveil(2), and already
> uses them extensively in the base system and for the aforementioned
> browsers, but what about other programs?
>
> You can help on applying pledge and unveil to your other programs
> now, instead of spamming on mailing list like this. Are you the
> Nowarez Market guy again?
>

What spam exactly? I have no idea who is "Nowarez Market guy".


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-30 Thread Dan


James Huddle :

> I live in post-2016 USA and have essentially given up hope of any sort of 
> computer security.

Personal thought and from USA where the core of private data business resides.

Due to different reasons and the env I work in I result attacked very often
under OpenBSD, in X.
Having the name of the vulnerability makes not such a difference to me, thanks
for the insight anyway.
However, I think to not say it wrong recalling that most people are here for
the simplicity applied to security and portability subjects in OpenBSD.
Minimizing the security subject at this point seems to have a purpose, wrong.



-Dan

Mar 30, 2024 18:23:38 James Huddle :

> I live in post-2016 USA and have essentially given up hope of any sort of 
> computer security.



Re: qwx0 / QCNFA765 Does 802.11g Only

2024-03-30 Thread Dan


4 :

> dear, why didn't you write about it in man?


Thanks 4, to support the wide community of who still remain surprised
about the scarcity of the doc.

I personally have subscribed also "Then, why the man in XXI century interested
group".
But probably having roman numbers I have been the only group member till now.

Is it we need a man secretary or an I'm-not-a-dev-for-sure small woman
without dev bubbles who is able to discern doc for users?

Is it we need a good man alternative?
( I personally hate 555 man pages doc when most of us have one life only to set
a firewall by recommended choices, indeed did you notice 'man sh' end ? )

Indeed, the preface must be always a capital 'thanks' to all the devs and
a capital 'for your good will' versus having the possibility of a good
publishing business.

Mar 30, 2024 10:40:50 4 :

> dear, why didn't you write about it in man?



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-29 Thread Dan
Replying now to cho...@jtan.com:
>[…] any
>application which uses the X server (ie. can access the tcp port
>or unix socket and has the correct xauth key […]
The default PF configuration blocks access to the ports, but only on
non-loopback interfaces.
https://github.com/openbsd/src/blob/master/etc/pf.conf
Again, I'm not an X11 expert, but it looks like the X auth file exists
because anyone can connect to these ports on localhost, so the file would
mediate it further. PF can match packets based on UIDs, but if I understand
pf.conf(5) correctly, it matches based on the user owning the listening
socket (which would be the dedicated X11 account) rather than the user that
tries to connect to the X server. The xauth(1) and Xsecurity(7) man pages
seem relevant, I'll have a deeper look at them later.
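The rules the message refers to, as an added excerpt of OpenBSD's stock /etc/pf.conf (not text from this thread), with the stock comments kept and the `user` rule included because it shows what that option matches:

```conf
# Excerpt of the stock OpenBSD /etc/pf.conf (see pf.conf(5)).
set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
```

Two consequences for the question above: `set skip on lo` means connections to the X server over loopback are never filtered by pf at all, so only the xauth(1) key mediates them; and `user` matches the owner of the socket on this host that sent or received the packet, which for the _pbuild rule is the originating process and for traffic arriving at the X listening socket is the X server's own account, not the connecting user, as the message suspects.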


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-29 Thread Dan
(Note for everyone: This message is intended to shame a troll; if you're
here to follow the technical discussion only, feel free to skip reading
this message.)

~ | ~ | ~ | ~ | ~ | ~

On Friday, March 29, 2024, Jan Stary  wrote:

> > > > (The person
> > > > you're replying to should be in the To field, and the mailing list
> in the
> > > > Cc field.)
> > >
> > > I replied to the list.
> > > If you are not subscribed to the list,
> > > you don't get the list replies.
> >
> > I did not know that.
>
> Please don't send anything else to this mailing list.


Shut up. That's warranted given that this is essentially what you're
telling me here (also more explicitly in the last part of your message, as
quoted at the bottom here).


>
> > > Repeat after me: I can display what looks like a login screen;
> > > I don't to have anything to do with ctrl-alt-del to display that.
> >
> > I do not need to repeat mantras. I did not deny that programs can do
> that,
> > quite the opposite: I explicitly acknowledged that programs can do that,
> > and asked what mechanism OpenBSD provides to ensure, at the user's
> request,
> > that the operating system temporarily takes over with a real login prompt
> > that cannot be interfered with or snooped on.
>
> OpenBSD provides no "mechanism" to make it impossible for a user
> to display something that looks like a login screen; just like
> no other OS provides no such mechanism.


Once again, that's the opposite of what I said, and completely missing what
I said.


>
> > I've looked at the
> > source code and issue tracker of upstream Firefox in the past and it has
> > upstream support for pledge(2) and unveil(2).
>
> Great, you figured it out: if you want to know if a given piece of
> software uses pledge, grep its source code for pledge.


Sounds very tiresome and cumbersome to check. You failed to point at any
rule according to which I'm not permitted to ask a general question about
such software without resorting to tiresome and cumbersome manual methods
like what you're suggesting here, and you consistently ignore this by
bringing the same manual grep/find suggestion again and again with no
sensible reason given what I explained now.


>
> > Your "if there is one [program I care about]", "duh", and other things
> > you've said so far to me and I haven't pointed out in this paragraph show
> > that you're very disrespectful towards me.
>
> Nothing gets past you.


False. I strive to exercise critical thinking, analytical thinking, and
logic as much as possible. Nonsense, however, doesn't "get past me", as I
rightfully evaluate it as nonsense and therefore dismiss it. Ditto
regarding true but irrelevant things.


>
> > I saw that I got replied to using marc.info,
>
> No you didn't.


Maybe you'll understand it better if I'll rephrase, because you're
definitely lying here, with no basis:
I saw, using marc.info, that I got replied to.


>
> > and proceeded to log into my
> > email to reply, but then I didn't see that reply in my inbox. So I looked
> > at an old thread I had a few years ago on this mailing list that I knew
> > that worked well, and looked at the To and Cc fields in the exchange of
> > messages, and I assumed this is how it's always meant to be.
>
> You assumed wrong.


Correct; I assumed you made an honest mistake. I had no better way to know
what's true, however, so it's not really my fault, because I acted in a
good way within the limits of my then-current knowledge and range of
possible reactions I could have in the situation.


>
> > this isn't my first time using a mailing list,
> > but I'm pretty sure it's my second time, and I'm fairly new
> > to how mailing lists work. I deserve none of your disrespectful attitude
> > and your wrong assumption of ill intentions from me; furthermore, you
> > completely ignored the substance of the discussion in this thread, and
> did
> > not contribute anything useful to the discussion. Your entire reply was
> > meant to purposely be rude to me and attack me ad hominem. Take an
> example
> > from Luke (luke...@onemodel.org), they actually contributed something
> > meaningful to the discussion and didn't act like an asshole to me. I
> > recognize your name, I know you publish lots of material about OpenBSD,
> for
> > example the links in your signature, and you're also part of the
> editorial
> > team of undeadly.org, which I frequently visit. It's a shame you're
> such an
> > asshole, though. Disgusting.
>
> Right, everybody knows PNH is a disgusting asshole contributing nothing.


Peter N. M. Hansteen's disgusting behavior has absolutely nothing to do
with any contribution he may or may not have contributed whatsoever.
Furthermore, I said quite the opposite: I mentioned how he's part of the
OpenBSD news website that I love to visit and that I've seen his name in
many places (for example, I found his networking tutorials in the past, and
saved the links for myself because it's good learning material and
interesting). I 

Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Dan
rts/ -name pledge\*
> > Already done:
> > https://openports.pl/search?file=unveil
> > This only lists third-party packages that have an OpenBSD
> ports-originated
> > addition of pledge/unveil configuration files; packages that use
> > pledge/unveil without configuration files, or whose pledge/unveil
> > configuration files originate from the upstream distribution, are not
> > listed.
>
> And what would those be, given that pledge/unveil is OpenBSD specific?


You know that apps can have OS-specific programming, right? pledge(2) and
unveil(2) are usable by all apps by all developers, not just by OpenBSD
developers that write software for the base OS or modify third-party
software to be confined on OpenBSD. As an example: I've looked at the
source code and issue tracker of upstream Firefox in the past and it has
upstream support for pledge(2) and unveil(2).
(Sidenote: I think I was wrong that the website I linked (openports.pl)
only searches in ports-originated files, I think it actually searches the
contents of packages for filenames, so that includes upstream-originated
files.)


>
> > Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
> > are sandboxed, which is excellent because Web browsing is one of the most
> > popular desktop activities and browsers are meant to use networking and
> > execute untrusted JavaScript/WebAssembly code, and parse untrusted data
> > like media, CSS, etc. Contrary to servers, that if they're hacked then
> some
> > business might be ruined, personal computers are used to do banking and
> > shopping online, chat with distant friends/family
> > members/doctors/lawyers/coworkers/etc., and hold our personal thoughts
> and
> > memories, so I believe that they shouldn't get compromised just because
> the
> > user entered the wrong website on a bad day, or opened the wrong video,
> or
> > the wrong file, etc. OpenBSD already has the excellent system calls
> > pledge(2) and unveil(2), and already uses them extensively in the base
> > system and for the aforementioned browsers, but what about other
> programs?
>
> That's a very general question.
> Look at the program you care about (if there is one)
> and grep the source/port for pledge. Duh.
>
It's indeed a general question. What's the use of you mentioning the
generality of my question? Are general questions not allowed on this
mailing list??
Your "if there is one [program I care about]", "duh", and other things
you've said so far to me and I haven't pointed out in this paragraph show
that you're very disrespectful towards me. So I very not kindly will now
tell you to shut the fuck up.

~ | ~ | ~ | ~ | ~ | ~

Replying now to Peter N. M. Hansteen (pe...@bsdly.net):
>On Thu, Mar 28, 2024 at 09:16:45PM +, Dan wrote:
>> You didn't "Reply All", so I didn't get your reply in my inbox. (The
person
>> you're replying to should be in the To field, and the mailing list in the
>> Cc field.)
>
>OH PUH-LEEZE.
>
>No.
>
>You send to a mailing list, people are supposed to reply to the mailing
list.
>
>A select few may have their mail clients configured so the author of the
message
>will receive a courtesy copy (aka Cc:).
>
>If I seem unresponsive to any followups to this thread, a likely reason
will be that
>I will not see messages with your From: without putting in some extra
effort.
>
>- Peter
>
>--
>Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/

I saw that I got replied to using marc.info, and proceeded to log into my
email to reply, but then I didn't see that reply in my inbox. So I looked
at an old thread I had a few years ago on this mailing list that I knew
that worked well, and looked at the To and Cc fields in the exchange of
messages, and I assumed this is how it's always meant to be. So I assumed
that h...@stare.cz made a minor accident when replying to me, so I tried
being helpful by telling them what they should be seeing so I could see
their next replies. As stated before, this isn't my first time using a
mailing list, but I'm pretty sure it's my second time, and I'm fairly new
to how mailing lists work. I deserve none of your disrespectful attitude
and your wrong assumption of ill intentions from me; furthermore, you
completely ignored the substance of the discussion in this thread, and did
not contribute anything useful to the discussion. Your entire reply was
meant to purposely be rude to me and attack me ad hominem. Take an example
from Luke (luke...@onemodel.org), they actually contributed something
meaningful to the discussion and didn't act like an asshole to me. I
recognize your name, I know you publish lots of material about OpenBSD, for
example the links in your signature, and you're also part of the editorial
team of undeadly.org, which I frequently visit. It's a shame you're such an
asshole, though. Disgusting.


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Dan
You didn't "Reply All", so I didn't get your reply in my inbox. (The person
you're replying to should be in the To field, and the mailing list in the
Cc field.)

>Even on windows; this has nothing to do with intercepting ctrl-alt-del.
False. Ctrl-Alt-Delete cannot be intercepted on Windows without first
compromising the integrity of the operating system. The Windows kernel is
hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a
separate Secure Desktop mode that takes over the entire screen and no other
programs can intercept keystrokes from or send keystrokes to.
https://security.stackexchange.com/a/34975
https://learn.microsoft.com/windows/win32/winstation/desktops

>I don't believe that's true.
>"Dear X11, what is $user typing into his firefox textarea"?
I'm not an X11 expert, and I'm not sure if the example provided in the
following link is because the program and the desktop it's running under
have different UIDs (rather than locking the desktop, logging into a
different user with a new desktop session using a SAK like Ctrl-Alt-Delete,
and running it there), but I found this old blog post, by whom I believe is
the founder of Qubes OS, being cited somewhere:
https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
It is common knowledge that X11 is insecure by design, not (only) by the
ancient code, so even if the blog post isn't relevant anymore, it wouldn't
surprise me if such attacks could still be done.

>>I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
installed from the OpenBSD package manager/ports) are sandboxed with
pledge(2) and unveil(2).
>find /usr/ports/ -name pledge\*
Already done:
https://openports.pl/search?file=unveil
This only lists third-party packages that have an OpenBSD ports-originated
addition of pledge/unveil configuration files; packages that use
pledge/unveil without configuration files, or whose pledge/unveil
configuration files originate from the upstream distribution, are not
listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
are sandboxed, which is excellent because Web browsing is one of the most
popular desktop activities and browsers are meant to use networking and
execute untrusted JavaScript/WebAssembly code, and parse untrusted data
like media, CSS, etc. Contrary to servers, that if they're hacked then some
business might be ruined, personal computers are used to do banking and
shopping online, chat with distant friends/family
members/doctors/lawyers/coworkers/etc., and hold our personal thoughts and
memories, so I believe that they shouldn't get compromised just because the
user entered the wrong website on a bad day, or opened the wrong video, or
the wrong file, etc. OpenBSD already has the excellent system calls
pledge(2) and unveil(2), and already uses them extensively in the base
system and for the aforementioned browsers, but what about other programs?
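
The check suggested in this exchange, grepping a program's source for pledge/unveil, as an added example that is not part of the thread: a POSIX shell function that walks a C/C++ source tree and reports every file with a direct pledge(2) or unveil(2) call. The tree path is an assumption (an unpacked port or a git checkout); the file-extension list and the call-site regex are choices made here, not anything the list or OpenBSD prescribes.

```sh
#!/bin/sh
# Added example (not from the thread): scan a source tree for direct calls to
# pledge(2) and unveil(2), the "grep the source for pledge" check suggested
# above.  The tree path is an assumption; point it at an unpacked port's
# source or a git working copy, e.g. ./pledge_unveil_scan.sh /path/to/src

# Match a call site such as "pledge(" or "unveil(", but not an identifier that
# merely ends in those words (e.g. "my_pledge(") and not the bare word in prose.
pledge_re='(^|[^[:alnum:]_])pledge[[:space:]]*\('
unveil_re='(^|[^[:alnum:]_])unveil[[:space:]]*\('

# count_calls REGEX FILE: number of lines in FILE matching REGEX (0 if none).
# grep -c exits 1 when nothing matches, so "|| true" keeps set -e callers alive.
count_calls() {
    grep -cE "$1" "$2" 2>/dev/null || true
}

# pledge_unveil_scan DIR: print one line per C/C++ source file that calls
# pledge(2) or unveil(2), as "path: P pledge, U unveil", in sorted path order.
# Prints nothing when the tree contains no such calls.
pledge_unveil_scan() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' \
        -o -name '*.cxx' -o -name '*.h' \) -print | LC_ALL=C sort |
    while IFS= read -r f; do
        p=$(count_calls "$pledge_re" "$f")
        u=$(count_calls "$unveil_re" "$f")
        if [ "$p" -gt 0 ] || [ "$u" -gt 0 ]; then
            printf '%s: %s pledge, %s unveil\n' "$f" "$p" "$u"
        fi
    done
}

# pledge_unveil_files DIR: how many files pledge_unveil_scan reports for DIR.
pledge_unveil_files() {
    pledge_unveil_scan "$1" | wc -l | tr -d ' '
}

# Stand-alone use: scan the directory given on the command line.
if [ $# -gt 0 ]; then
    pledge_unveil_scan "$1"
fi
```

The count is per matching line, so a comment or a prototype that mentions `pledge(` is counted too; treat a hit as a place to read, not as proof the program is confined. Calls that OpenBSD's ports tree adds itself live in the port's patch files, which this scan does not read, so for a packaged program run it over the patched source, not the upstream tarball.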


Re: One more thought about security..

2024-03-27 Thread Dan


Awesome, blacklists are still affordable at time word of mouth!

We got up too early today, take a nap like everyone does and care about your 
dears..

-Dan

Mar 27, 2024 11:51:32 hahahahacker2009 :

> -- Forwarded message -
> From: Mihai Popescu 
> Date: Th 7, 24 thg 2, 2024 vào lúc 08:15
> Subject: Re: If you need to gamify...
> To: 
> 
> 
> Captain Warez, Sir,
> 
> This list has already its share of spam and i think it doesn't need
> yours. Some of us are reading messages from web list archivers like
> marc.info. I don't need your offtopic messages there and neither your
> answers to your own messages. Find another list for this purpose.
> 
> Thank you very much.



Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-27 Thread Dan
Hello, I have 3 security-related questions:
(1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure
Attention Key, or SAK) to prevent malware (or a website in fullscreen, for
example) from faking a logout process and/or faking a login prompt? On
Windows the kernel ensures that the operating system captures this key
combination and takes over with a real login prompt that malware can't fake
without first defeating the OS security.
(2) I've learned that X11 allows locally running malware to sniff the
keystrokes input to any other X11-using app running under any user. Does
Xenocara/rootless X on OpenBSD prevent or limit this?
(3) I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
installed from the OpenBSD package manager/ports) are sandboxed with
pledge(2) and unveil(2). Are there any other major apps, especially that
commonly accept untrusted input, that are also sandboxed like that on
OpenBSD? Especially email clients, media players, word processors, apps to
send/receive/sync files, etc.

Thank you.


One more thought about security..

2024-03-26 Thread Dan
Hello,

Just adding a simple evidence: dark mode is difficult to print.

If you are dedicating time to web browser and email client development
in OpenBSD.. I suggest to point antennas on dark mode too..

-Dan



Re: securelevel=2 and mount hardening

2024-03-26 Thread Dan


Thanks for the reply..

Good one, try to think I was sure it was meaning
many western right wingers (cats) vs 1 jelly fish (cattle).

Then, when I have time I explain what is coudardy..

-Dan

Mar 26, 2024 11:06:17 Alexis :

> Dan  writes:
> 
>> I'm curious John Doe.. you said cloud but not firewall, and cattle but
>> not pets, right?
> 
> As with a number of your posts, i'm not clear on what you're saying or 
> asking, but for those wondering, here's an explanation of "cattle vs pets" in 
> the context of computing infrastructure:
> 
> https://www.copado.com/resources/blog/pets-vs-cattle-more-than-an-analogy-for-modern-infrastructures
> 
> 
> Alexis.



Re: securelevel=2 and mount hardening

2024-03-26 Thread Dan


I'm curious John Doe.. you said cloud but not firewall, and cattle but not 
pets, right?

You are a strange anglophone western toddler..

-Dan

Mar 25, 2024 23:41:44 jslee :

> On Tue, 26 Mar 2024, at 04:30, Dan wrote:
>> Eventually, having the kernel possibility to customize the config path
>> from /etc in eg /heroxyz
>> could be helpful for a firewall, what do you think?
> 
> Everything you do to complicate ongoing admin will hinder your maintenance and 
> IMO this will make your overall security posture worse, not better
> 
> Unless, perhaps, you have a system to rebuild the machine every time you want 
> to update software and/or config? Cattle, not pets? I do this in cloud 
> environments but it’s rather more effort elsewhere
> 
> John



Re: securelevel=2 and mount hardening

2024-03-25 Thread Dan


Eventually, having the kernel possibility to customize the config path from 
/etc in eg /heroxyz
could be helpful for a firewall, what do you think? :-)

-Dan

Mar 25, 2024 18:06:10 Dan :

>> /etc is always going to be problematic.  I've been experimenting
>> to see if I can create a viable firewall config with a read-only
>> root filesystem.
> 
> I do not know what you mean by "experimenting if", and if you finally
> realized your purpose.. but clearly what you suggest here is possible,
> just a matter of mounting a copy of /etc read-only/writable at the proper moment.
> I have a blog post "for paranoids" in https://bsdload.com and an old script
> for production (for a dev station, not a firewall, with all the prompts and 
> visual
> feedback popping up).
> But in the summary, if the securelevel allows you to mount/unmount /etc
> and the machine or auth meanings are already compromised your
> writable /etc should be well hidden.. maybe physically separated (a stick?), 
> hoping
> that the observer is not an OpenBSD enthusiast.



Re: securelevel=2 and mount hardening

2024-03-25 Thread Dan


Lyndon Nerenberg (VE7TFX/VE6BBM) :


> /etc is always going to be problematic.  I've been experimenting
> to see if I can create a viable firewall config with a read-only
> root filesystem.

I do not know what you mean by "experimenting if", and if you finally
realized your purpose.. but clearly what you suggest here is possible,
just a matter of mounting a copy of /etc read-only/writable at the proper moment.
I have a blog post "for paranoids" in https://bsdload.com and an old script
for production (for a dev station, not a firewall, with all the prompts and 
visual
feedback popping up).
But in the summary, if the securelevel allows you to mount/unmount /etc
and the machine or auth meanings are already compromised your
writable /etc should be well hidden.. maybe physically separated (a stick?), 
hoping
that the observer is not an OpenBSD enthusiast.


Mar 25, 2024 17:34:54 Lyndon Nerenberg (VE7TFX/VE6BBM) :

> /etc is always going to be problematic.  I've been experimenting
> to see if I can create a viable firewall config with a read-only
> root filesystem.



Re: Request for a check 'relinking in progress' before a reboot

2024-03-24 Thread Dan


Thanks for the reply, I will give it a try.
I'm still with the /etc/bsd.re-config without effect..


Stuart Henderson :

>> Eg. actually I was testing changes to my /etc/bsd.re-config ( as per 
>> different thread ), it needs two reboots to apply changes..
>
> Run /usr/libexec/reorder_kernel after your edit.

-Dan



Re: Request for a check 'relinking in progress' before a reboot

2024-03-23 Thread Dan


Brian Conway :

>> To avoid prbs with the relinking of the kernel happening in background
>> I propose to set a little check during the shutdown to avoid interrupting it..
>>
>> Thnx!
>>
>> -Dan
>
> I have frequently rebooted or shut down shortly after boot, for example when 
> booting the wrong VM by accident, and it has never caused a problem on 
> subsequent reboots. What problem are you actually experiencing, just the 
> message being printed to the console?

Eg. actually I was testing changes to my /etc/bsd.re-config ( as per different 
thread ), it needs two reboots to apply changes..
and as unexpected I failed to wait for the in-progress relinking just after the 
first saving of the file, and I launched the reboot.

Actually I'm not directly involved in the development stuff and I don't want 
to touch one aspect of it with these words,
and I mean it could certainly be complicated stuff to fix.
But as a user experience, after the nth time you fail in the same situation
you can just think it is a matter of a check, and I said so..
Honestly speaking..



Re: Request for a check 'relinking in progress' before a reboot

2024-03-23 Thread Dan


Florian, thanks a lot for your effort, really appreciable..

> Could you give this a spin please an report back? See release(8) for
> details.

Unfortunately I'm still on 7.4 stable and I can't screw down any patch for you.
Maybe having a storage with -current on it I can be more helpful.. in the near 
future.. thinking.

However, I hope anyone else can try the patch here.


> It's not perfect. We still need to disable the ddb.console sysctl if it
> has been activated. But we can't reenable it because of secure level, so
> this needs some readjustment of the whole boot process.
> We should also disable panic(9) in the kernel while reorder_kernel is
> running. Maybe a sysctl?


-Dan



Re: Got bsd.re-config apparently disabled

2024-03-22 Thread Dan


After three-four retries I confirm my station no longer digests the 
bsd.re-config file

-Dan

Mar 22, 2024 18:57:07 Dan :

> It is from some weeks that I noticed bsd.re-config has no effect on my 
> OpenBSD:
> 
> disable ucc
> disable ugen
> 
> Webcam and Bluetooth are loaded "unusually" and the same X connects two kbrd 
> drivers instead of one only.
> 
> I just tried to rewrite /etc/bsd.re-config from scratch but without any luck.
> 
> I wonder if there is the possibility to disable the whole use of 
> /etc/bsd.re-config
> or any recent update could have affected it.



Request for a check 'relinking in progress' before a reboot

2024-03-22 Thread Dan
Hello,

To avoid problems with the relinking of the kernel happening in the background
I propose to set a little check during the shutdown to avoid interrupting it..

Thnx!

-Dan



Got bsd.re-config apparently disabled

2024-03-22 Thread Dan
Hello,

It is from some weeks that I noticed bsd.re-config has no effect on my OpenBSD:

disable ucc
disable ugen

Webcam and Bluetooth are loaded "unusually" and the same X connects two kbrd 
drivers instead of one only.

I just tried to rewrite /etc/bsd.re-config from scratch but without any luck.

I wonder if there is the possibility to disable the whole use of 
/etc/bsd.re-config
or any recent update could have affected it.

Thxs!


-Dan



Solution to keystroke injection

2024-03-21 Thread Dan
Hello,

Just launching you an interesting question.

I noticed that software like Caja or Gedit suppress the text editing features 
or have a read-only mode.

Do you think that giving a default read-only *splash* or mode to all our 
software when unattended could be the good one to
defeat keystroke injection kinds of attacks once and for all?

Thnx!

-Dan



Re: New asset

2024-03-20 Thread Dan


Just would drop a thank you for the kindness to reply me.

And, to answer, I'm mostly a baby dadder during the day so
spare time and night is for the great work and exclusively under
exposure of tons of positive enthusiasm.. that - beside a good
training to resist tiredness - is the true rock'n'roll. As an alternative,
cheergirls do not function either.

NB: for general convenience I can't send a private pigeon..
If everything looks hilarious, it is absolutely intended.

-Dan

Brodey Dover :

> Progress looks great.
>
> Keep up the great work!



Re: rpc

2024-03-20 Thread Dan

If the latency of the web technologies is fine, I guess someone will point out:
NextCloud

Indeed it is an all-round-the-clock solution.

If you need something custom, on premised, with the messaging on the top
I can also think to go over my https://homomm.5mode-foss.eu and shape its
intranet facilities like within a star cascade :-)

Otherwise..
-Dan

Mar 20, 2024 06:50:39 Gustavo Rios :

>> NFS/NIS/AMD are very old technology and are not robust.
> 
> How to replace NIS ?
>  
>> Each OS implements different and only somewhat interoperable versions.
>> 
>> You really need to give a better idea of the size and shape of the problem.
>> How much data?
>> What size is each datum?
>> What latency is allowed?
>> Concurrency & locking?
>> What kind of data?
>> Tightly coupled or looser networked?
>> Central control or fully distributed?


Re: From Xfce to Mate

2024-03-18 Thread Dan
Claudio Miranda :

> MATE in OpenBSD does have a display utility. Via the command line,
> it's called mate-display-properties. Launching from the MATE menu,
> it's in System --> Preferences --> Hardware --> Displays.
> 
> You might have been missing some of the MATE packages.

Strange, I started from mate-1.26, the meta package..
However, thanks for this one.

Anyway, just to mention.. Mate is the desktop environment of choice of 
OpenIndiana.

-Dan



From Xfce to Mate

2024-03-18 Thread Dan
Hello,

These days, searching to fix security details on my station, eg. reducing 
the exposure to GUI programs,
etc., I tried to port my dev environment from Xfce to Mate and here are some of my 
thoughts:

1) Mate is much lighter, eg tcl/tk software goes up like a twist;
2) with multiple screens the porting is a true adventure because Mate doesn't come 
with a
"Display utility", all the screen configuration happens via xrandr;
3) the software that accompanies Mate is little or doesn't run, eg the power 
management
utility doesn't function or I can't set my custom 5 Mode background (the 
background utility
doesn't pop up);
4) the context menu by right clicking anywhere on the desktop has no 
application menu
apparently.. this is the latest problem..

I passed a full night with Mate (..) but for now I was happy to come
back to my steps and restore Xfce, although performances seem very
interesting.
-Dan



Re: USB peripherals hang, nothing in messages

2024-03-16 Thread Dan
Thanks for the reply, Chris.

I found this intervention of Laurence interesting
because (as you know I'm on usb storage devices from an age
and..) in front of a hang problem of the usb
peripherals, Laurence pointed out that the different performances
of the usb stack can be a reasonable cause of the hanging.

I was curious to gain technical confirmation
about this possibility, to keep usb peripherals separated
from storage devices; from time to time I did it but let's say
I haven't adopted it as my standard yet.

I can also take a fresh example. This night I was passing by an old
Puppy Linux where in the end, due to an inappropriate 'autoadddevice' set to true 
in its
xorg.conf, all my usb peripherals hung, sometimes not responding
even after a reboot.

For who is working in this kind of fashion like mine,
usb separation (hub = physically and in memory addresses )
could be reasonably suggestable to have, question ( ? )

-Dan

Chris Bennett :

> On Fri, Mar 15, 2024 at 01:40:56PM +0100, Dan via misc wrote:
>>
>> Interesting..
>>
>> Laurence Tratt via misc :
>>
>>> This sounds to me like it might be due to USB stack performance problems,
>>> though you'll at least want to give `dmesg` output so that those who better
>>> understand this have a chance of helping.
>>>
>>> FWIW, there seem to be notable differences in USB performance on nominally
>>> similar hardware with OpenBSD.
>>
>> Do you suggest to physically (hub) separate peripherals from
>> eg. storage devices for who is working in this kind of fashion?
>>
>> -Dan
>>
>
> I used a powered USB hub on a laptop that somehow solved a bunch of
> connectivity problems to the laptop's USB3 port.
> I needed a powered hub to run both the wifi dongle and a spinning USB
> hard drive. No idea why it worked, but it did.

NB: keep Orwell with you, we are fine.



Re: DMARC/DKIM and OpenBSD Mailinglists

2024-03-15 Thread Dan
I notice the date and time of your reply. You are all quite ridiculous.
Hoping to find any "independent head" around OpenBSD or leave..

-Dan

Mar 15, 2024 17:13:52 Dan :

> Todd C. Miller :
> 
>> I've disabled the From: rewriting
> 
> Indeed it appeared too secure for OpenBSD...



Re: DMARC/DKIM and OpenBSD Mailinglists

2024-03-15 Thread Dan
Todd C. Miller :

> I've disabled the From: rewriting

Indeed it appeared too secure for OpenBSD...



Re: DMARC/DKIM and OpenBSD Mailinglists

2024-03-15 Thread Dan
Todd C. Miller wrote:

> I've just added support to our majordomo for rewriting the From:
> header when the sender's domain has a DMARC policy.  Messages from
> domains using DMARC will now have a From: header like:
>
>     From: "John Connor via misc" 

I want to thank you for the From rewriting.

And, opinion, glad for the feature I wish everyone will take advantage
on it (eg. not using more to CC to personal accounts)



Re: USB peripherals hang, nothing in messages

2024-03-15 Thread Dan via misc


Interesting..

Laurence Tratt via misc :

> This sounds to me like it might be due to USB stack performance problems,
> though you'll at least want to give `dmesg` output so that those who better
> understand this have a chance of helping.
>
> FWIW, there seem to be notable differences in USB performance on nominally
> similar hardware with OpenBSD.

Do you suggest to physically (hub) separate peripherals from
eg. storage devices for who is working in this kind of fashion?

-Dan



Re: [TUHS] Re: SunOS 4 in 2024

2024-03-13 Thread Dan via misc


Prepare yourself, I feel Jan is around searching to bite anyone.. :-/


"Alexis via misc"  wrote:

> 
> Sorry for accidentally sending this here, rather than to the TUHS 
> list. :-/
> 
> Alexis  writes:
> [snip]
> 



Re: Badwolf and LC_CTYPE

2024-03-13 Thread Dan via misc


For the same reason..

Looking at my dev env tcl/tk utilities.. tcl/tk also renders textbox
text in a different way, causing text or window objects to overlap too.


Dan  wrote:

> Hello,
> 
> Setting LC_CTYPE to zh_CN.UTF-8 in .xinitrc makes Badwolf (webkit)
> open websites in Chinese by default while Firefox remains
> in English.
> 
> Thxs!
> 
> -Dan



Badwolf and LC_CTYPE

2024-03-13 Thread Dan via misc
Hello,

Setting LC_CTYPE to zh_CN.UTF-8 in .xinitrc makes Badwolf (webkit)
open websites in Chinese by default while Firefox remains in
English.

Thxs!

-Dan



webGL viewer, networkload without proper session, burning bun..

2024-03-13 Thread Dan via misc


Hello,

After some hours of my station being unused, shell messages appeared
from Badwolf:
[...]
ERR: Display.cpp:1038 (initialize): ANGLE Display::initialize error
12289: Could not dlopen native EGL: File not found 
ERR: Display.cpp:1038 (initialize): ANGLE Display::initialize error
12289: Could not dlopen native EGL: File not found 
Attempted to create a NetworkLoad with a session
(id=9223372036854775815) that does not exist. 
Attempted to create a NetworkLoad with a session
(id=9223372036854775815) that does not exist

The first two lines are probably still related to the webGL animation
playing on my new website (actually it is played by a web viewer from a
3rd party portal probably using some special javascript api)..

Average temperature was stuck on 64C per core, against a normal
temperature of 54C.
I closed Badwolf and the temperature returned normal.

Don't tell me that I can expect to get a silicon burned sandwich
inside my station like being under Windows..


-Dan



Re: browser titlebar doesn't support emoji

2024-03-09 Thread Dan


Thnx again for the more replies..

Страхиња Радић  wrote:

> On 24/03/08 11:37PM, Dan wrote:
> > * depending on one general font for text, often a
> > monospaced one, they will have no luck to display emoji anyway.
> 
> No, this depends on fontconfig[1] configuration.
> 
> [1]:
> https://fontconfig.pages.freedesktop.org/fontconfig/fontconfig-user.html

Sorry for the honesty.. having given it a look, I found things and the conf syntax a
little bit odd.. or maybe it's me, I'm not so sharp at this time. However,
I'm almost happy with what the thread produced for now. Hopefully
someone will reason about this stuff and conceive a better way to
plasm an emoji flag in the titlebars for users..




Re: browser titlebar doesn't support emoji

2024-03-08 Thread Dan


Thxs for the replies..

Just adding a little feedback more about dealing with emoji flags
coding on my station:

Claws Mail*: doesn't help a lot, blank with auto encoding or a
difficult hex representation with unicode; anyway it depends on a
general font set in its preferences.

gedit*: depends on the general font of the editor.
NetBeans: depends on the fonts for the single portions of text set in its
preferences.
nano: displays an easy bold "IT" in place of the flag.
[my] RADXIDE (tcl/tk): displays an easy bold "IT" like nano's behavior. 
vi: displays a difficult hex representation of the emoji.

* depending on one general font for text, often a
monospaced one, they will have no luck to display emoji anyway.


-Dan


Dan  wrote:
> 
> Tested in 7.4 Xfce, Firefox and Badwolf titlebars don't support
> emojicon (tested: flags), as in the picture attached.



browser titlebar doesn't support emoji

2024-03-08 Thread Dan

Hello,

Tested in 7.4 Xfce, Firefox and Badwolf titlebars don't support emojicon
(tested: flags), as in the picture attached.

Thxs!

-Dan


Re: wsmouse, synaptics, xorg.conf, and Touchpad versus Touchscreen

2024-03-02 Thread Dan


First, did you try to disable AutoAddDevices before any change?

Section "ServerFlags"
  Option "AutoAddDevices"  "off"
EndSection

-Dan


Philippe Meunier  wrote:

> Hi,
> 
> I have a Thinkpad T14g3 (dmesg below), which has both a touchpad and a
> touchscreen (and also the red knob thing but I don't care about that
> one).
> 
> When I start Xorg with no xorg.conf, I get the following in the logs
> (see at the end of this message for the complete logs);
> 
> [...]

> Automatically adding devices [ 13275.735] (==)
> Automatically enabling devices [ 13275.735] (==) Not automatically
> adding GPU devices [ 13275.735] (==) Automatically binding GPU devices



Re: Fwd: install74.iso

2023-10-24 Thread Dan
On Mon, 23 Oct 2023, at 22:33, Theo de Raadt wrote:
> In the next few snapshots, an ISO file will start to show up.

Thank you. 

May I ask that the team also start building the bootstrapping cd74.iso, not 
just the full install74.iso? 


Regards,
Dan 


>> >> Am 21. Okt. 2023, 16:59, um 16:59, Dan 
>> >schrieb:
>> >> >Hi folks,
>> >> >
>> >> >Is there a technical reason why the project is not providing
>> >> >installation ISOs for the arm64 architecture?
>> >> >The easiest way to install OpenBSD on a new cloud virtual machine
>> >for
>> >> >me would be to mount cd74.iso and boot.
>> >> >
>> >> >Could someone give me some pointers for turning the arm bsd.rd
>> >> >installation ramdisk kernel into a minimal CD-ROM image?



Re: Installation Media Self Integrity Check

2020-08-14 Thread Dan Peretz
Thank you for responding, Theo :)

On Thu, Aug 13, 2020 at (...):59 AM Theo de Raadt  wrote:
>
> the FAQ is wrong.
>
> Those images don't contain signatures because my build & sign
> procedure does not have a way to sign something, then continue
> building, then sign the result.
>
>
> If you looked, you would see there is an unsigned SHA256 file.
>

Yes, I opened the install ISO and I see. I also read the INSTALL.amd64
doc. Maybe change the FAQ to something like this?
"[...] If someone were to make a rogue installation image, they could
certainly change the installer to say the files were legitimate.
Regardless, an unsigned SHA256 file is used by the installation to
detect accidental corruption in the file sets. If the distribution
sets do not match their recorded checksums, the installation program
will complain."

>
> It already uses the SHA256 file to determine which files to install,
> this is done, but a hash is not a cryptographic signature, so the warning
> issued is accurate.
>

Maybe also rephrase the warning by the installer to something like
this, to make it clearer to the admin that the installer does not skip
verification *completely*:
"Directory does not contain SHA256.sig. Continue without verifying
authenticity? (The sets will still be verified against accidental
corruption with SHA256.) [no]"

>
> Huh.  What you are asking for cannot be done.  And obviously a bogus
> image would declare that it isn't bogus.
>

True, but I meant that if the ISO boots a BSD.RD file, then the
ramdisk (booted from that exact file) would verify the checksum of
that file, from the disc. Obviously not from RAM. It's not foolproof,
and it surely doesn't help against malicious alterations, but I think
this is better than not doing so...



Installation Media Self Integrity Check

2020-08-12 Thread Dan Peretz
Hello, the FAQ states this:
"The installXX.iso and installXX.fs images do not contain an
SHA256.sig file, so the installer will complain that it can't check
the signature of the included sets [...] This is because it would make
no sense for the installer to verify them. If someone were to make a
rogue installation image, they could certainly change the installer to
say the files were legitimate."
Although that's true for intentional modifications, it would still be
useful to have the installation medium perform a self integrity check
against accidental or natural data corruption. For example, Ubuntu
recently enabled a by-default integrity check, starting with release
20.04:
"Ubuntu now defaults to checking the integrity of the medium in use
when booting into live sessions. This can be skipped by hitting
Ctrl-C. We’ve enabled this because failed installs due to corrupt
downloads of installation media is one of the most common error
conditions that users encounter." (Source:
)
I would like to have OpenBSD include at least an unsigned SHA256 file
in the discs. The installer would then detect that the checksums are
unsigned and warn about the security implications, but it would let
the user run the check. I think it would be wise to make it check the
bsd.rd image that's actually booted when booting from the disc, and
not just the bsd.rd file set. (I get that the OpenBSD installer is
just a multipurpose "bsd.rd" RAM disk that can be found not just in
the installation discs, right?)

Thank you!
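
What the unsigned-checklist check amounts to, as an added example that is not
OpenBSD's installer code: a checklist in the `SHA256 (name) = hash` format is
parsed and each listed set is hashed and compared. A match only shows the
sets were not corrupted on the way; establishing who produced the checklist
is the job of the separate signify(1) verification of SHA256.sig that the
installer warns about. The set name base75.tgz in the usage is constructed,
and the function names are mine:

```sh
#!/bin/sh
# Added example: verify distribution sets against an unsigned SHA256
# checklist (integrity only, not authenticity). Checklist lines look like
#   SHA256 (base75.tgz) = <64 hex digits>

# hash_file FILE -> prints the hex SHA-256 of FILE, using sha256sum where
# available (Linux) and sha256 -q otherwise (OpenBSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_sets CHECKLIST DIR -> 0 if every set listed in CHECKLIST exists
# in DIR with the recorded hash; otherwise reports each problem on stderr
# and returns 1. Lines that are not SHA256 entries are ignored.
verify_sets() {
    checklist=$1 dir=$2 bad=0
    while IFS= read -r line; do
        case $line in
            "SHA256 ("*") = "*) ;;
            *) continue ;;
        esac
        rest=${line#"SHA256 ("}      # name) = hash
        want=${rest##*") = "}        # text after the last ") = "
        name=${rest%") = "*}         # text before it
        # A malformed hash field is a checklist error, so treat it as a failure.
        case $want in
            *[!0-9a-fA-F]*|'') echo "BAD ENTRY $name" >&2; bad=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2; bad=1; continue
        fi
        got=$(hash_file "$dir/$name")
        if [ "$got" != "$want" ]; then
            echo "CORRUPT $name (expected $want, got $got)" >&2; bad=1
        fi
    done < "$checklist"
    return $bad
}
```

Usage: `verify_sets /mnt/7.5/amd64/SHA256 /mnt/7.5/amd64`; a non-zero exit
names the damaged set. Because anyone who can alter a set can alter the
checklist beside it, a clean run here is exactly the "accidental corruption"
guarantee the thread asks for and nothing more.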



Got hits Job offering in the mail

2019-05-02 Thread Dan Shechter
Got approached by a head hunter.

If anyone in the community is interested, read it as is; I am just
copy-pasting, and I know NOTHING about this job or the head hunter that sent
me the below email:

Hii There!



Greetings of the day!!



I found your resume from one of the job portal and just want to check if
you are available for new opportunity and it seems really a good match with
the requirement so please have a look at the requirement and let me know if
you are comfortable with the requirement. If interested please revert back
with updated resume



*JD : OpenBSD Resource*

*Start Date:  Immediate*

*Location:  Apple Park*




*Tasks:*
1. Document the existing state of projects
  - Diff versions in macOS vs released by project
  - Public state of projects (how much active development,
direction, potential replacements, license status, etc.)
2. Bring macOS forward
  - Pull latest project versions in
  - Review radars to determine what is fixed in latests
versions vs. is still a problem or is a new feature/enhancement request
  - Fix high/medium impact issues
  - Upstream changes, if possible and as appropriate
3. Testing suite
  - Integrate existing open source tests
  - Develop new tests where there are gaps
4. Automate the process
  - Create a tool that will automate as much of the work as
possible
  - Pull down latest repo, apply Apple-specific patches,
prep for submission to build
  - Would be run on a set cadence relative to OS releases
5. GPL replacements
  - Develop BSD licensed replacements for any strategically
important projects that don’t currently have one







Thanks & Regards,

*Jack Thomson*

*Talent Acquisition Team*

*Ph: 732-200-1396*

*2 N. Market St., #400, San Jose, CA, 95113*

*jac...@e-solutionsinc.com* 

www.e-solutionsinc.com


hyper-threading...

2018-06-22 Thread Dan Campbell
Just saw the news about you disabling hyper-threading by default on Intel CPUs 
for security reasons, which I agree with.  It would be nice to be able to do 
this on systems that don't have a toggle for it in the BIOS, as it increases 
single-threaded performance.  So just wondering when your latest distro will be 
coming out with this change, as I see your current version came out in April?  
I would like to create a Linux live DVD/flash drive that I could boot to toggle 
hyper-threading off on Intel systems running Windows, or to create a dual-boot 
situation for those who want to use Linux part-time.  It could also be useful 
for updating processor microcode, which can't be done under Windows.  Thanks,

Dan


Re: AuthorizedKeyCommand ldap

2017-12-12 Thread Dan Becker
On Mon, Dec 11, 2017 at 7:13 PM, Paulm <pa...@tetrardus.net> wrote:

> On Mon, Dec 11, 2017 at 03:49:24PM -0700, Dan Becker wrote:
> > I am reading a blog proposing to use the AuthorizedKeyCommand to hook
> into
> > another authentication mechanism  by calling a shell script
> >
> > https://blog.heckel.xyz/2015/05/04/openssh-authorizedkeyscommand-with-
> fingerprint/
> >
> > Do I have a valid concern in thinking this might not be a prudent method
> of
> > authentication ?
> >
>
> I don't know why he uses the term 'dynamic authorized_keys file'.  I
> know what he means, but it's not a file.  (When people misuse basic
> terms I immediately question their depth of understanding.)
>
> As for your question - these are some thoughts, not intended to be
> comprehensive:
>
> As I see it, the key will be somewhere - in the authorized_keys file
> in the user's home directory, in an LDAP directory, or perhaps
> elsewhere.  Regardless of where it's kept, it needs to be secured
> against tampering.  Is the local host more secure in that regard than
> an LDAP dir?  That depends on the quality of the sysadmins who set up
> the server and how the network infrastructure is designed.  The same
> applies to any other mechanism for remotely storing public keys.
>
> sshd(8) will complain if the perms for the user's authorized_key file
> aren't correct, so it offers a safe-guard against misconfiguration.
>
> The mechanism for retrieving the key from a remote server should use
> SSL/TLS to validate the server's identity and protect the contents.
>
> The utility invoked by sshd to fetch the key needs to be secured,
> requiring special privileges to modify it.
>
> Locally, points of attack would be the tool itself or the user's
> authorized keys file, or the server's public key.  They're all files,
> so file permission restrictions would have to be circumvented.  If the
> tool is not written in a type-safe language, then it could create
> additional vulnerabilities as well.
>
> In larger environments, keeping track of authorized_keys files for
> users and hosts, making sure they're (only) on the hosts they need to
> be on, and keeping them accurate and up-to-date can be tedious and
> error prone, even with a config management system.  One could argue
> that that method allows for vulnerabilities that would not exist if
> the keys were managed centrally.  Again, it depends on the quality of
> the sysadmins' work.
>
> The security requirements in an infrastructure are probably not the
> same for all hosts, so you could use a hybrid strategy, using a local
> authorized_keys file for hosts that need greater protection (e.g.,
> database servers, firewalls, DMZ hosts, etc) if that makes you more
> comfortable. (Generally speaking, I think too much uniformity can
> sometimes be a weakness).
>
>
>
>
Thank you for the above

We have someone suggesting we implement something similar to the above with
a twist.

The script they call acts similar to this

user="$1"
hostname="$(hostname)"
curl -s -q -m 5 -f -H "Authorization: Token ${secret}" \
  "https://auth.site.com/sshkeys/?user=${user}&hostname=${hostname}" 2>/dev/null
exit $?


My main concern comes from the fact that this process is being run as root
and injecting the username as an arg "$1"

Example :

What happens if someone runs ssh '" -rf /'@host, is there any sanitization
in the ssh daemon ?






-- 
--Dan
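
The fail-closed version of such a lookup script, as an added example (not the
script quoted above and not code from the blog post it is based on). sshd
executes AuthorizedKeysCommand directly with the username as a separate
argument, so the place where the name can do damage is inside the script,
when it is pasted into a URL or a command line; the example validates it
against a strict pattern first and lets curl do the URL encoding. The
endpoint auth.example.com, the token file /etc/ssh/sshkeys.token and the
function names are assumptions:

```sh
#!/bin/sh
# Added example of a fail-closed AuthorizedKeysCommand wrapper. sshd runs
# it as AuthorizedKeysCommandUser with %u as $1; the script only ever uses
# $1 after validation, and never through a shell interpolation.
# auth.example.com and /etc/ssh/sshkeys.token are assumed names.

# valid_user NAME -> 0 if NAME looks like a login name, 1 otherwise.
# Allows letters, digits, '_', '.', '-'; rejects an empty name, a leading
# '-' or '.', any other character, and anything longer than 32 characters.
valid_user() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# fetch_keys NAME -> prints the authorized_keys lines for NAME, or
# prints nothing and returns non-zero (sshd then falls back to the
# user's own authorized_keys file, or denies if there is none).
fetch_keys() {
    user=$1
    host=$(hostname)
    valid_user "$user" || {
        echo "AuthorizedKeysCommand: rejected user name" >&2
        return 1
    }
    # The bearer token lives in a file readable only by the account named
    # in AuthorizedKeysCommandUser, not inside the script.
    token=$(cat /etc/ssh/sshkeys.token) || return 1
    # -G + --data-urlencode builds the query string with proper escaping;
    # -f makes an HTTP error a non-zero exit instead of a bogus key list.
    curl -sSf -m 5 -G \
        -H "Authorization: Token ${token}" \
        --data-urlencode "user=${user}" \
        --data-urlencode "host=${host}" \
        "https://auth.example.com/sshkeys/"
}

# When installed as the command, sshd passes the username as $1.
if [ $# -gt 0 ]; then
    fetch_keys "$1"
fi
```

To wire it up, point sshd at the script with `AuthorizedKeysCommand
/usr/local/sbin/authorized_keys_lookup %u` and an unprivileged
`AuthorizedKeysCommandUser`; sshd refuses to run the command unless the
script and its parent directories are owned by root and not writable by
group or others, which addresses the "tool itself" attack surface raised in
the reply above.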


AuthorizedKeyCommand ldap

2017-12-11 Thread Dan Becker
I am reading a blog proposing to use the AuthorizedKeyCommand to hook into
another authentication mechanism  by calling a shell script

https://blog.heckel.xyz/2015/05/04/openssh-authorizedkeyscommand-with-fingerprint/

Do I have a valid concern in thinking this might not be a prudent method of
authentication ?

-- 
--Dan


iwm fatal firmware error on - current

2017-10-14 Thread Dan Jones
On 6.2 current shortly after boot iwm fails with the error:

iwm0: fatal firmware error
iwm0: could not remove MAC context (error 35)

The device is able to initially connect get an address and connect for a few 
minutes.  Output from ifconfig and dmesg are below.  Let me know what other 
troubleshooting steps will be helpful.

$ ifconfig iwm0
iwm0: flags=8843 mtu 1500
lladdr a4:34:d9:aa:64:d2
index 1 priority 4 llprio 3
groups: wlan
media: IEEE802.11 autoselect (DS1 mode 11g)
status: no network
ieee80211: nwid Home wpakey  wpaprotos wpa2 wpaakms psk 
wpaciphers ccmp wpagroupcipher ccmp
inet 10.0.0.121 netmask 0xff00 broadcast 10.0.0.255


OpenBSD 6.2-current (GENERIC.MP) #147: Fri Oct 13 10:54:52 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8438796288 (8047MB)
avail mem = 8176173056 (7797MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xd7054000 (65 entries)
bios0: vendor LENOVO version "N1FET50W (1.24 )" date 03/08/2017
bios0: LENOVO 20FB002RUS
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP TCPA SSDT SSDT TPM2 UEFI SSDT SSDT ECDT HPET APIC MCFG 
SSDT SSDT DBGP DBG2 BOOT BATB SLIC SSDT SSDT MSDM DMAR ASF! FPDT UEFI
acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP9(S4) XHCI(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2195.78 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2194.90 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2194.90 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2194.90 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 2 (EXP1)
acpiprt5 at acpi0: bus 4 (EXP3)
acpiprt6 at acpi0: bus -1 (EXP5)
acpiprt7 at acpi0: bus -1 (EXP9)
acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PUBS, resource for XHCI
acpipwrres1 at acpi0: PG00, resource for PEG0
acpipwrres2 at acpi0: PG01, resource for PEG1

Re: strict separation base system and third party software

2016-10-28 Thread dan mclaughlin
On Fri, 28 Oct 2016 01:21:13 -0600 "Theo de Raadt"  wrote:
> > > > Different design, different philosophy, and different goals [1] but the
> > > > same BSD heritage.
> > > 
> > > There is no philosophy involved.
> > > 
> > > England and the US and Canada are not differences in philosophy.
> > > 
> > > They are just different.  philosophy has little to do with it.
> > > 
> > > Stop using that word incorrectly, please.
> > > 
> > > Try:
> > > 
> > > Different texture, different pantone.
> > > 
> > > See, it fails to reuse words which are out of scope, and is just as
> > > accurate.
> > 
> > actually, philosophy was used accurately here.
> > 
> > the relevant definition from wordnet:
> >   any personal belief about how to live or how to deal with a situation
> > and the equivalent from merriam-webster.com:
> >   a set of ideas about how to do something or how to live
> > 
> > it's only because you have a different philosophy that you use only /etc
> > instead of /usr/local/etc. that's how you deal with the situation of where 
> > to
> > put configuration files.
> > 
> > people/groups have different ideas of "how to deal with a situation" or "how
> > to do something", which means they have different philosophies.
> 
> there is no philosophy.
> 
> there was no belief.
> 
> maybe there was a touch of idealism, but nothing as refined as you
> suggest.

i made no such suggestion. a 'philosophy' doesn't have to be a doctrine.

> 
> it was simply a decision made for a handful of things which got reused
> for the rest of them.
> 
> back decades ago.
> 
> your philosophy is that you can copy things from a dictionary and
> that we should live according to that as a rule?

i never said you "should live according to that as a rule". and where the FUCK
did you get that, eh?  all i did was to point out that you were wrong about the
use of the word philosophy. i have heard it used innumerable times in my life
in exactly the manner it was originally used in this thread.

and yes, when dealing with definitions of words, my philosophy is to go to
the dictionary.

> you weren't there.  were you even born?  perhaps your philosophy is
> that you can speak authoritatively upon things you didn't experience
> directly?
> 
> oh wait, that's religion

and what the FUCK does this have to do with anything? this is completely
irrelevant anyway. you said the word philosophy was used wrong, and i *cited*
authoritative sources. i could have said that i have always heard philosophy
used in that manner all of my life, as i have, but instead i *cited* recognized
authorities on the meanings of words.



Re: strict separation base system and third party software

2016-10-28 Thread dan mclaughlin
On Thu, Oct 27, 2016 at 23:16:50 -0600, Theo de Raadt wrote:
> > Different design, different philosophy, and different goals [1] but the
> > same BSD heritage.
> 
> There is no philosophy involved.
> 
> England and the US and Canada are not differences in philosophy.
> 
> They are just different.  philosophy has little to do with it.
> 
> Stop using that word incorrectly, please.
> 
> Try:
> 
> Different texture, different pantone.
> 
> See, it fails to reuse words which are out of scope, and is just as
> accurate.

actually, philosophy was used accurately here.

the relevant definition from wordnet:
  any personal belief about how to live or how to deal with a situation
and the equivalent from merriam-webster.com:
  a set of ideas about how to do something or how to live

it's only because you have a different philosophy that you use only /etc
instead of /usr/local/etc. that's how you deal with the situation of where to
put configuration files.

people/groups have different ideas of "how to deal with a situation" or "how
to do something", which means they have different philosophies.



Re: [pf] NAT64 rule for *outgoing* packets

2016-06-20 Thread Dan Lüdtke
Benno, all,

The gateway is running unbound with dns64 module enabled. The gateway does use
the resolver for its own resolving of names. I found a better solution by
running two instances of unbound on the gateway. One instance for the client
networks with dns64 module enabled, and one instance for the gateway itself
which validates but does not translate.

Thanks for the clarification regarding pass out rules and af-to.

Dan


> On 19 Jun 2016, at 22:53, Sebastian Benoit <benoit-li...@fb12.de> wrote:
>
> Dan Lüdtke(m...@danrl.com) on 2016.06.07 19:14:24 +0200:
>> Follow-up:
>>
>> This rule matches outgoing packets to nat64 well-known prefix 64:ff9b::/96:
>> pass out quick on $if_wan inet6 from $if_wan:network to 64:ff9b::/96 af-to
>> inet from ($if_wan)
>
> af-to does not work on pass out rules.
>
> Why do you want to use it on the gateway itself?
>
> /Benno
>
>
>> Echo requests do leave $if_wan with translated address family, replies show up
>> in tcpdump on $if_wan:
>>
>> 19:09:54.038392 router > 8.8.8.8: icmp: echo request (DF)
>> 19:09:54.051733 8.8.8.8 > router: icmp: echo reply
>>
>> BUT the echo replies do *not* make it through to the ping6 process. It looks
>> like there is no back-translation taking place. Anyone ideas how to debug or
>> follow packets on their way through the kernel for this issue?
>>
>> Cheers,
>>
>> Dan
>>
>>
>>
>>> On 7 Jun 2016, at 14:48, Dan Lüdtke <m...@danrl.com> wrote:
>>>
>>> Hi,
>>>
>>> my setup: [host]--[router]--[internet]
>>>
>>> [Host] can ping legacy internet hosts via NAT64. Works fine. Corresponding
>>> line in pf.conf reads:
>>> pass in  quick on $if_lan inet6 from $if_lan:network to 64:ff9b::/96 af-to
>>> inet from ($if_wan)
>>>
>>> However, [router] can not ping legacy internet hosts via NAT64. It can, of
>>> course, reach legacy internet hosts natively.
>>>
>>> How to push outgoing traffic addressed to 64:ff9b::/96 through pf's NAT64
>>> engine?
>>>
>>> Cheers,
>>>
>>> Dan
>>>
>>>
>>>
>>> Some outputs FYI:
>>>
>>> router# route get 64:ff9b::/96
>>> route: writing to routing socket: No such process
>>>
>>>
>>> router# ping6 64:ff9b::8.8.8.8
>>> PING6 64:ff9b::8.8.8.8 (64:ff9b::808:808): 24 data bytes
>>> ^C--- 64:ff9b::8.8.8.8 ping6 statistics ---
>>> 3 packets transmitted, 0 packets received, 100.0% packet loss
>>
>
> --



OpenBSD on SBC?

2016-06-12 Thread Dan Lüdtke
Hi,

is there an OpenBSD-compatible SBC (Single Board Computer) that comes close to
raspberryPi size-wise? I saw some x86-based SBCs on kickstarter a while ago,
but lost track of the projects and their OpenBSD compatibility.

I know so far:
- soekris
- pcengines

More?

Bonus points for working on-board wifi (hostapd).

Cheers,

Dan



Re: [pf] NAT64 rule for *outgoing* packets

2016-06-07 Thread Dan Lüdtke
Follow-up:

This rule matches outgoing packets to nat64 well-known prefix 64:ff9b::/96:
pass out quick on $if_wan inet6 from $if_wan:network to 64:ff9b::/96 af-to
inet from ($if_wan)

Echo requests do leave $if_wan with translated address family, replies show up
in tcpdump on $if_wan:

19:09:54.038392 router > 8.8.8.8: icmp: echo request (DF)
19:09:54.051733 8.8.8.8 > router: icmp: echo reply

BUT the echo replies do *not* make it through to the ping6 process. It looks
like there is no back-translation taking place. Anyone ideas how to debug or
follow packets on their way through the kernel for this issue?

Cheers,

Dan



> On 7 Jun 2016, at 14:48, Dan Lüdtke <m...@danrl.com> wrote:
>
> Hi,
>
> my setup: [host]--[router]--[internet]
>
> [Host] can ping legacy internet hosts via NAT64. Works fine. Corresponding
> line in pf.conf reads:
> pass in  quick on $if_lan inet6 from $if_lan:network to 64:ff9b::/96 af-to
> inet from ($if_wan)
>
> However, [router] can not ping legacy internet hosts via NAT64. It can, of
> course, reach legacy internet hosts natively.
>
> How to push outgoing traffic addressed to 64:ff9b::/96 through pf's NAT64
> engine?
>
> Cheers,
>
> Dan
>
>
>
> Some outputs FYI:
>
> router# route get 64:ff9b::/96
> route: writing to routing socket: No such process
>
>
> router# ping6 64:ff9b::8.8.8.8
> PING6 64:ff9b::8.8.8.8 (64:ff9b::808:808): 24 data bytes
> ^C--- 64:ff9b::8.8.8.8 ping6 statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss



[pf] NAT64 rule for *outgoing* packets

2016-06-07 Thread Dan Lüdtke
Hi,

my setup: [host]--[router]--[internet]

[Host] can ping legacy internet hosts via NAT64. Works fine. Corresponding
line in pf.conf reads:
pass in  quick on $if_lan inet6 from $if_lan:network to 64:ff9b::/96 af-to
inet from ($if_wan)

However, [router] can not ping legacy internet hosts via NAT64. It can, of
course, reach legacy internet hosts natively.

How to push outgoing traffic addressed to 64:ff9b::/96 through pf's NAT64
engine?

Cheers,

Dan



Some outputs FYI:

router# route get 64:ff9b::/96
route: writing to routing socket: No such process


router# ping6 64:ff9b::8.8.8.8
PING6 64:ff9b::8.8.8.8 (64:ff9b::808:808): 24 data bytes
^C--- 64:ff9b::8.8.8.8 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss



Re: help with kshrc

2016-04-18 Thread dan mclaughlin
On Mon, 18 Apr 2016 16:42:56 +0200 Marko Cupać wrote:
> Hi,
> 
> in tcsh on FreeBSD, I use the following line in .tcshrc in order to
> start xfce when logging on ttyv3:
> 
> if  ($tty == ttyv3) then
>   startxfce4 --with-ck-launch
>   logout
> endif
> 
> How can I achieve the same with OpenBSD's default ksh and .kshrc?
> 
> Thank you in advance,
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
> 
> Marko Cupać
> https://www.mimar.rs/
> 

it's been more years than i can count since i've used either tcsh or FreeBSD,
but if you are trying to detect the current tty (which is what i am assuming
is what is in $tty), you can use ps (the variable '$$' is a reference to the
current shell's pid):

$ ps -o pid,tt | sed -n "s/^ *$$ *//p"
p3

now i don't know what v3 is, but the console ttys are ttyC? on OpenBSD, so
if you want only the first window at the console,

  if [[ $(ps -o pid,tt | sed -n "s/^ *$$ *//p") = C0 ]];then
    startxfce4 --with-ck-launch
    exit
  fi

should do the trick. i also assume that 'logout' exits the shell, and thus
logs you out, hence logout -> exit, which will exit the script (or in this
case the shell since it's in the startup script).



Re: Post pkg_delete messages, change message format?

2016-03-25 Thread dan mclaughlin
On Fri, 25 Mar 2016 12:47:01 -0500 Chris Bennett wrote:
> After I delete packages, especially pkg_delete -X, I get a long list of
> instructions like:
> 
> 
> -2.1.3 ---
> You should also run rm -rf /etc/cups/*.conf.O /var/log/cups
> You should also run rm -rf /var/cache/cups
> You should also run rm -rf /var/spool/cups
> --- -cups-pdf-2.6.1p0 ---
> You should also run rm -rf /var/spool/cups-pdf/
> --- -dbus-1.10.8v0 ---
> Remember to update /var/db/dbus/machine-id
> Remember to update /etc/machine-id
> --- -dconf-0.24.0p1 ---
> You should also run rm -rf /etc/dconf/db/*
> You should also run rm -rf /etc/dconf/profile/*
> --- -foo2zjs-20140627p1 ---
> You should also run rm -f /usr/local/share/foo2hbpl/icm/*
> You should also run rm -f /usr/local/share/foo2hiperc/icm/*
> You should also run rm -f /usr/local/share/foo2hp/icm/*
> You should also run rm -f /usr/local/share/foo2lava/icm/*
> You should also run rm -f /usr/local/share/foo2oak/icm/*
> You should also run rm -f /usr/local/share/foo2qpdl/icm/*
> You should also run rm -f /usr/local/share/foo2slx/icm/*
> You should also run rm -f /usr/local/share/foo2xqx/firmware/*
> You should also run rm -f /usr/local/share/foo2zjs/firmware/*
> You should also run rm -f /usr/local/share/foo2zjs/icm/*
> --- -hplip-3.16.2 ---
> You should also run rm -rf /usr/local/share/hplip/data/firmware
> You should also run rm -rf /usr/local/share/hplip/data/plugins
> You should also run rm -rf /usr/local/share/hplip/fax/plugins
> You should also run rm -rf /usr/local/share/hplip/prnt/plugins
> You should also run rm -rf /usr/local/share/hplip/scan/plugins
> You should also run rm -f /usr/local/share/hplip/plugin.spec
> --- -hplip-common-3.16.2 ---
> You should also run rm -rf /var/log/hp/tmp/*
> You should also run rm -f /var/log/hp/* 2>/dev/null || true
> --- -net-snmp-5.7.3p6 ---
> You should also run rm -rf /var/net-snmp/*
> --- -sane-backends-1.0.25p2 ---
> You should also run rm -rf /var/spool/lock/sane/*
> 
> With this format, I have to copy/paste each rm -rf, groupdel, etc by hand.
> Could these messages be changed to something easier to use like:
> 
> 
> --- -hplip-3.16.2 ---
> You should also run
> rm -rf /usr/local/share/hplip/data/firmware
> rm -rf /usr/local/share/hplip/data/plugins
> rm -rf /usr/local/share/hplip/fax/plugins
> rm -rf /usr/local/share/hplip/prnt/plugins
> rm -rf /usr/local/share/hplip/scan/plugins
> rm -f /usr/local/share/hplip/plugin.spec
> 
> This would make these commands very simple to run.
> 
> Chris Bennett
> 

the magic of unix; you can work around this with some sed.

# pkg_delete -X 2>&1 | tee you_should
# sed -n 's/^You should also run //p' you_should >also_run
# cat also_run #to verify
# ksh ./also_run

alternately, as non-root

$ doas pkg_delete -X 2>&1 | tee you_should
$ sed -n 's/^You should also run /doas /p' you_should >also_run
$ cat also_run
$ ksh ./also_run

the above would allow doas to log each command.

you could also make this into a script

pkg_scrub:
#!/bin/ksh
# scratch files; fall back to /tmp when TMPDIR is not set
raw=${TMPDIR:-/tmp}/$$.you_should
cooked=${TMPDIR:-/tmp}/$$.also_run

# "all" means pkg_delete -X; anything else is passed through as package names
if [[ "$1" = all ]];then
  doas pkg_delete -X 2>&1 | tee $raw
else
  doas pkg_delete "$@" 2>&1 | tee $raw
fi
# keep only the suggested commands, prefixed with doas so each one is logged
sed -n 's/^You should also run /doas /p' $raw >$cooked
rm -f $raw
if [ ! -s $cooked ];then
  rm -f $cooked
  exit 0
fi
cat $cooked
# ksh read with an inline prompt; the answer lands in $run
read run?"run these commands? [type 'Yes' to confirm] "
if [[ "$run" = Yes ]];then
  ksh $cooked
  rm -f $cooked
else
  echo "not running commands, saved in $cooked"
fi


i didn't properly test this, but you would use this like
$ pkg_scrub all
or
$ pkg_scrub pkg1 pkg2 ...



Re: how to mount encription volume

2016-03-12 Thread dan mclaughlin
On Sat, 12 Mar 2016 12:19:59 + freeu...@ruggedinbox.com wrote:
> hi, I use the bioctl encryption on boot volume.
> 
> example A:
> fdisk -iy sd0
> echo -n "a a\n64\n\nRAID\np\nw\nq\n\n" |disklabel -E sd0
> bioctl -c C -l /dev/sd0a softraid0
> 
> then, OpenBSD detect sd1 and I install the OpenBSD on sd1a.
> It's OK. X and any process are running on these drive[call A:].
> 
> 
> I have a problem. I tried to mount this drive[A:] on another OpenBSD machine.
> (the other OpenBSD machine uses drive wd0a[call B:])
> 
> but, I can't mount the encryption volume[A:].
> 
> example B:
> vnconfig -ck vnd0 /dev/sd0a
> Encryption key:[any words]
> vnconfig -l
> vnd0: covering /dev/sd0a on wd0a, inode [any number]
> mount /dev/vnd0a /mnt
> mount_ffs: /dev/vnd0a on /mnt: Device not configured
> 
> any ideas?
> 

softraid and vnconfig are completely separate systems. if you want to mount
the softraid, you need to use the bioctl command you used above (it's not
just for creation, it also configures it). check out bioctl(8) (check under
EXAMPLES), and the archives at https://marc.info/?l=openbsd-misc=1=2
(search "softraid crypto").



radius authentication support for httpd

2016-03-10 Thread Dan Farrell
Hello,

Using the built-in httpd I'm wondering if it is possible to use RADIUS
authentication. I did not see a mention in the man page nor in google
searches (thought my google foo could be part of that problem).

Thank-you,

Dan Farrell



Re: some problems with disks

2016-03-07 Thread dan mclaughlin
On Tue, 8 Mar 2016 00:20:08 +0100 arrowscr...@mail.com wrote:
> I'm having some problems with disks. Probably because I still don't
> understand enough of how BSD manage them:
> 
> 1. I was going to install -current on a USB flash drive. I did the
> install media using install59.fs and booted. I escaped from the installer to
> shell because I wanted to wipe the drive using dd(1) and to create a
> RAID partition (for FDE). I could not find the disk on /dev/, however.
> The system print on screen that the disk is located at "sd5" interface
> ("dmesg | grep sd" confirm this), but I cound not find it using "disklabel
> /dev/sd5". The only interfaces there was sd0 and wd0, none was my disk.
> How can I find it? The ./install script can find the sd5 normally, but I
> can't find it manually.

# (cd /dev && ./MAKEDEV sd5)

> 
> 2. I gave up of the FDE idea temporarily and I just did the install
> normally. No problem to install, but the speed of the system was too
> slow... at the point that it was basically unusable (>4 hours to install
> 10 packages and ~4 minutes to startx).
> The device, a USB flash drive, has about 10MB/s write speed. It's kinda
> slow, but I don't think this was the cause of the slowness. I checked
> the signature of the snapshot and the installed sets had no problem with
> SHA256 too, so it's not a problem with corrupted snapshot.
> 

one quick way to check if it is the drive itself is to use dd:

# dd if=/dev/zero of=/mnt/testfile bs=1M count=20

but if the install was not slow that is unlikely to be the problem.



Re: e-commerce framework suggestion? medoc?

2016-02-25 Thread Dan Jones
> On Feb 25, 2016, at 1:28 AM, li...@wrant.com wrote:
>
> Don't fall for regulation scare talks, there should be no reason to
> put something outside local premises except payment processing which
> is a well developed monetary system service from banks etc.
>

Since I deal with credit card security in my professional life I'll chime
in.  PCIDSS are the primary security standards you (or your client) need to
deal with.  These are not governmental standards but are set by the payment
card industry (JCB International, Visa, MasterCard, etc.). While there may be
government regulations they are typically less stringent than PCIDSS.

The standards vary based on how credit cards are being handled. If, as
suggested, you allow a third party (Paypal, Square, your bank) to do the
actual payment processing and at no point in time does your server ask for
(or handle) a credit card number, your life is much simpler.  If you develop a
web form that asks for a credit card number (even if you pass it back to the
bank for processing) you have to comply with more regulations.  You can choose
the path that makes the most sense by taking a look at the requirements at
https://www.pcisecuritystandards.org/.



elite smtpd control

2016-02-17 Thread dan mclaughlin
i caught this in a process listing, and did a double take.

$ ps ax|grep control
31337 ??  I   0:00.09 smtpd: control (smtpd)
$ ps auxw|grep control
_smtpd   31337  0.0  0.0  1592 4 ??  I 21Jan160:00.09 smtpd: 
control (smtpd)

i thought it was interesting enough to share given the improbability, and
relation to openbsd. i know processes are going to have this pid often
enough, but many of those processes don't stick around that long, and fewer
form a sentence fragment.



Lenovo Ideapad 100s Boot Failure

2016-02-08 Thread Dan Jones
Getting back to testing with a Lenovo Ideapad 100S-11. Using the February 1
amd64 snapshot I am able to complete the install.  Upon first reboot at the
initial boot prompt I receive the following messages:

probing: pc0 mem[572K 56L 511M 1391M 61M 9M 2M 124K 36K]
disk: hd0* hd1* hd2*
>> OpenBSD/amd64 EFIBOOT 3.29
open(hd0a:/etc/boot.conf): invalid argument
boot>  [enter]
cannot open hd0a:/etc/random.seed: invalid argument
booting hd0a:/bsd: open hd0a:/bsd: Invalid argument
  failed(22). will try /bsd

I have booted back into the install kernel on a usb drive and can mount the
eMMC and verified that the kernel is on sd0a.  Rebooting and in the second
stage bootstrap again I've also issued an 'ls' for hd0a, hd1a, and hd2a
each of which generated an error.

The dmesg from the install kernel is below

OpenBSD 5.9 (RAMDISK_CD) #1700: Mon Feb  1 20:07:42 MST 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
RTC BIOS diagnostic error
ff
real mem = 2056638464 (1961MB)
avail mem = 1992650752 (1900MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7b2ae000 (38 entries)
bios0: vendor LENOVO version "E2CN13WW" date 12/22/2015
bios0: LENOVO 80R2
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP UEFI TCPA MSDM UEFI OEM0 DBG2 HPET LPIT APIC MCFG SLIC
SSDT SSDT SSDT SSDT SSDT TPM2 SSDT SSDT SSDT FPDT WDAT CSRT BGRT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU Z3735F @ 1.33GHz, 1333.59 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,
NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 87 pins
ioapic0: misconfigured as apic 1, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpitz at acpi0 not configured
sdhc0 at acpi0: SDHA addr 0x9091d000/0x1000 irq 44
sdmmc0 at sdhc0
sdhc at acpi0 not configured
sdhc1 at acpi0: SDHD addr 0x90903000/0x1000 irq 47
sdmmc1 at sdhc1
dwiic0 at acpi0: I2C1, addr 0x90906000 len 0x1000, apic int 32
iic0 at dwiic0
acpibat at acpi0 not configured
dwiic1 at acpi0: I2C2, addr 0x9090c000 len 0x1000, apic int 33
iic1 at dwiic1
dwiic2 at acpi0: I2C3, addr 0x9090e000 len 0x1000, apic int 34
iic2 at dwiic2
dwiic2: couldn't find irq for \\_SB_.I2C3.EC01
dwiic3 at acpi0: I2C4, addr 0x9091 len 0x1000, apic int 35
iic3 at dwiic3
dwiic4 at acpi0: I2C5, addr 0x90912000 len 0x1000, apic int 36
iic4 at dwiic4
acpibat at acpi0 not configured
acpibat at acpi0 not configured
acpibtn at acpi0 not configured
acpiac at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Bay Trail Host" rev 0x0f
"Intel Bay Trail Video" rev 0x0f at pci0 dev 2 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel Bay Trail xHCI" rev 0x0f: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel Bay Trail TXE" rev 0x0f at pci0 dev 26 function 0 not configured
"Intel Bay Trail LPC" rev 0x0f at pci0 dev 31 function 0 not configured
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
efifb0 at mainbus0
wsdisplay0 at efifb0 mux 1: console (std, vt100 emulation)
scsibus0 at sdmmc0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  SCSI2 0/direct fixed
sd0: 29820MB, 512 bytes/sector, 61071360 sectors
uhub1 at uhub0 port 1 "vendor 0x1a40 USB 2.0 Hub" rev 2.00/1.11 addr 2
uhub2 at uhub1 port 1 "vendor 0x05e3 USB2.0 Hub" rev 2.00/32.98 addr 3
url0 at uhub2 port 1 "USBKR100 USB 10/100 LAN" rev 1.10/1.00 addr 4
url0: address 00:10:60:e0:ab:4a
urlphy0 at url0 phy 0: RTL internal phy
uhidev0 at uhub2 port 2 configuration 1 interface 0 "Dell Dell USB Keyboard"
rev 1.10/3.50 addr 5
uhidev0: iclass 3/1
ukbd0 at uhidev0
wskbd0 at ukbd0: console keyboard, using wsdisplay0
urtwn0 at uhub2 port 4 configuration 1 interface 0 "Realtek 802.11n WLAN
Adapter" rev 2.00/2.00 addr 6
urtwn0: MAC/BB RTL8188CUS, RF 6052 1T1R, address 80:1f:02:f5:26:83
umass0 at uhub1 port 2 configuration 1 interface 0 "Sony Storage Media" rev
2.00/1.00 addr 7
umass0: using SCSI over 

Re: Lanp equivalent web server working on OpenBSD no Apache

2016-02-01 Thread Dan Farrell
Except that you state it as something people should include as part of
their proper configuration.

Really? They should give Ted Unangst's account access to procmap?


Dan

On Mon, Feb 1, 2016 at 7:19 PM, bruce <bruc...@laernu.com> wrote:

> I didn't, that's direct from the man page for doas.conf
>
> > On February 1, 2016 at 12:16 AM Bernd Schoeller <ber...@fams.de> wrote:
> >
> >
> > On 30/01/16 21:10, bruce wrote:
> > > I've been working on this for several weeks now.
> > > Results with instructions can be seen here:
> > > http://tonyevil.zapto.org/serendipity/
> > > Any feedback welcome.
> > > httpd is too new for this to be well documented, so here is my small
> > > contribution.
> >
> > Beyond the usual problems of posting HowTos (search the list archives),
> > I find it remarkable that you give tedu access to your procmap command
> ...
> >
> > Bernd



Re: piping stderr to tee log (so I can have my log and watch it, too)

2016-01-19 Thread dan mclaughlin
On Mon, 18 Jan 2016 10:09:14 +0900 Joel Rees  wrote:
> Trying to put some scripts together so I can set an update going one
> night, check it in the morning, reboot, and finish the update while
> I'm at work.
> 
> So I want to do something like
> 
>cd /usr/src && cvs -d$CVSROOT up -Pd | tee /var/log/build/cvssrc.log
>cd /usr/xenocara && cvs -d$CVSROOT up -Pd | tee
> /var/log/build/cvsxenocara.log
>cd /usr/ports && cvs -d$CVSROOT up -Pd | tee /var/log/build/cvsports.log
>cd /usr/src/sys/arch/`machine`/conf && config GENERIC.MP && \
>cd ../compile/GENERIC.MP && make clean && make && \
>make install | tee /var/log/build/buildsys.log 2>&1
>...

i've been down this road, and there are a few problems with this. you don't
check to see if the commands fail before you move on, so if cvs fails, it
will continue with the next cvs or make, etc.

when you pipe something, the error code will come from the last command in
the pipe, which would be tee, so you can't test the error code directly.
one way around this is what i do for commands that fail is i have some
functions:

make_failed() {
  [ $# -ge 1 ] || return 1
  [ ${#1} -gt 0 ] || return 1
  tail -1 "$1" | grep -q "\*\*\* Error "
}
cvs_failed() {
  [ $# -ge 1 ] || return 1
  [ ${#1} -gt 0 ] || return 1
  tail -1 "$1" | grep -q "\[update aborted\]"
}

which will return true if the last line has an error (since a function
returns the error code of the last program executed, and grep here fails
or not depending on the presence of the error string.)

i use it like this:

make 2>&1 | tee $_logfile_build
make_failed $_logfile_build && errx "make failed"

or using your example:

cd /usr/src && cvs -d$CVSROOT up -Pd 2>&1 | tee /var/log/build/cvssrc.log
cvs_failed /var/log/build/cvssrc.log && errx "cvs src failed"

where errx is another function of mine:

err() { echo "$0: ERR $*" >&2; }
errx() { echo "$0: ERR $*" >&2; exit 1; }

i have an include file with basic functions i use in many of my scripts like
this, at the head of the script i have a line:

. ~/.func


a few more notes on the shell. you can do something like

if ! make;then
  err "make failed"
fi 2>&1 | tee logfile

which will send all output from the 'if' statement to tee, much like the
{ cmd1; cmd2; } examples you were given earlier. one issue with this is
that when you pipe it like this, it spawns a subshell, so nothing in the
if statement goes outside. an 'exit' will only exit the 'if' statement (or
'while', 'for', etc) and not the program, so my 'errx' function above does
not exit the whole script, only the subshell.

the same holds true for '(cmd)' statements, which start a subshell, which
is why you can do (cd /usr/src && ls) and it returns to its original directory
afterwards, since the 'cd' only changes the subshell's working directory.

you also can't set variables in '(cmd)' or in anything in a pipeline (like
that 'if'), and have them carry over to the rest of the script. you CAN
however set variables in '{ cmd; }' statements.

a good place to learn some interesting shell techniques is in things like
the /etc/rc* scripts and the install scripts in /usr/src/distrib/miniroot/.
sometimes you learn the hard way though through experimentation and failure
(even if you RTFM sometimes the meaning only becomes clear after you
experience it.)
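The post works around the pipe's exit status (which is tee's) by grepping the last logged line, and warns that an `exit` inside a piped `if` only leaves the subshell. As an added example, not the poster's functions, here is a portable POSIX sh alternative that recovers the producing command's real status while still logging through tee: the producer writes its status to a side file descriptor that a command substitution collects, and tee's copy of the output is routed back to the caller's stdout on another descriptor. The `sh -c` commands used to exercise it are constructed stand-ins for make or cvs.

```shell
#!/bin/sh
# Added example: run a command, log its stdout+stderr through tee(1), and
# return the command's own exit status rather than tee's. Plain POSIX sh,
# no pipefail needed.

# run_logged LOGFILE CMD [ARGS...]
run_logged() {
    _log=$1; shift
    {
        _status=$( {
            {
                _rc=0
                "$@" 2>&1 || _rc=$?      # everything the command prints goes to tee
                echo "$_rc" >&3          # its status bypasses the pipe on fd 3
            } | tee "$_log" >&4          # tee's copy goes back to the caller on fd 4
        } 3>&1 )                         # fd 3 -> the command substitution
    } 4>&1                               # fd 4 -> the function's real stdout
    return "$_status"
}

# Minimal err/errx in the spirit of the post, for use with run_logged.
err()  { echo "$0: ERR $*" >&2; }
errx() { echo "$0: ERR $*" >&2; exit 1; }

# Example use (commented so the block runs stand-alone without make/cvs):
#   run_logged /var/log/build/buildsys.log make || errx "make failed"
#   run_logged /var/log/build/cvssrc.log cvs -d"$CVSROOT" up -Pd || errx "cvs src failed"
```

Because `run_logged` returns in the caller's shell rather than inside a piped `if`, `errx` after it really does terminate the script, which is exactly the subshell problem the post describes. The check also no longer depends on the wording of make's or cvs's last line.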



Re: tsort: pledge: invalid agument (building -current)

2016-01-09 Thread dan mclaughlin
i ran into this myself the other day. you already got good advice, so i will
just make one comment.

On Sat, 9 Jan 2016 18:54:22 +0900 Joel Rees  wrote:
> Do I need to backup my data, wipe the OS, and re-install from a snapshot 
> kernel?
> 

it's unlikely you will ever have to nuke the system. upgrading from snapshots
should always work.



Re: Add Bay Trail EHCI controller to pcidevs

2016-01-07 Thread Dan Jones
> On Jan 7, 2016, at 4:08 AM, open...@tuta.io wrote:
>
> Hi Mark,
> Thanks for having a look at this.
> The 6th of January install59.fs should have v 1.298 of acpi.c
> But I still get the same 'can't map interrupt' on both EHCI and XHCI.
> Let me know if there's a way to collect more support data to help
investigating this.
> Thanks.
> Regards,
>

Thank you also for continuing to look at this. On Lenovo Ideapad 100S-11
(Intel Atom Z3735F) using the January 6 amd64 snapshot it no longer reports
the interrupt error but the system will not complete the boot due to a memory
conflict.  Sections of the dmesg are below.

[skipping initial boot message thru bios0]

acpi0 at bios0: rev 2
acpi0: tables DSDT FACP UEFI TCPA MSDM UEFI OEM0 DBG2 HPET LPIT APIC MCFG SLIC
SSDT SSDT SSDT SSDT SSDT TPM2 SSDT SSDT SSDT FPDT WDAT CSRT BGRT
acpimadt0 at acpi0 add 0xfee0: PC-AT compat

[skipping cpu0]

ioapic0 at mainbus0: amid 2 ps 0xfed0, version 20, 87 pins
ioapic0: misconfigured as apic 1, remapped at apid 2
acpiprt0 at acpi0: bus 0 (PC10)
pci0 at mainbus0 bus 0
0:2:0: mem address conflict 0x9000/0x40
0:2:0: mem address conflict 0x8000/0x1000

Regards,

Dan



Re: the location of openbsd.pbr

2015-12-31 Thread dan mclaughlin
On Wed, 30 Dec 2015 22:50:08 -0700 "Jack J. Woehr"  wrote:
> Brian McCafferty wrote:
> > Are you referring to the file you need to create for dual booting with the 
> > windows ntldr? Check the FAQ: 
> > http://www.openbsd.org/faq/obsd-faq.txt 
> 
> Just out of curiosity, I dd'ed that sector and it didn't end in AA55. Did I 
> get something wrong? I'm doing full-disk 
> encryption so I'm not sure how grabbing
> the "real" boot sector works in that circumstance.
> 
> -- 
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl 
> Sagan
> 

even with FDE, in order to boot at all it needs "plaintext" instructions.
the bios loads the boot sector to run. the boot sector on my disk (wd0) which
contains my softraid partition ends in the proper 0xaa55. as far as i am
aware the bios will not load a boot sector that doesn't end with 0xaa55.
did you dd the 'c' partition on the underlying disk (not the softraid disk)?
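A quick way to check what the reply describes, as an added example rather than anything from the thread: read sector 0 of the underlying disk (the 'c' partition of the raw device, for example /dev/rwd0c, which is an assumed device name here, not the softraid disk) and compare bytes 510 and 511 with the boot signature. 0xaa55 is stored little-endian, so on disk the bytes read 55 aa, which is the order od(1) shows them in. The sample sectors are constructed inline so the block runs without a real disk.

```shell
#!/bin/sh
# Added example: verify the 2-byte boot signature at the end of sector 0.
# 0xaa55 is stored little-endian, so bytes 510..511 must read 55 aa.

# Returns 0 if the first 512-byte sector of the disk or image in $1 ends in 55 aa.
has_boot_signature() {
    _sig=$(dd if="$1" bs=512 count=1 2>/dev/null |
           od -An -tx1 -j 510 -N 2 | tr -d ' \n')
    [ "$_sig" = "55aa" ]
}

# Constructed sample (not a real boot sector): a 512-byte "sector" written to
# $1, with the signature when $2 is "good" and without it otherwise.
make_sample_sector() {
    {
        dd if=/dev/zero bs=510 count=1 2>/dev/null
        if [ "$2" = good ]; then printf '\125\252'; else printf '\000\000'; fi
    } > "$1"
}

# On a real system (read-only access to the raw device, needs root):
#   has_boot_signature /dev/rwd0c && echo "boot signature present"
```

If the signature is absent on the raw device, the BIOS will not hand control to that sector regardless of what the softraid volume contains; if it is present there but absent on the softraid device, that is expected, since the encrypted volume is not what the BIOS reads.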



Re: Add Bay Trail EHCI controller to pcidevs

2015-12-31 Thread Dan Jones
>From:  tuta.io>
>Subject: Re: Add Bay Trail EHCI controller to pcidevs
>Newsgroups: gmane.os.openbsd.misc
>Date: 2015-12-17 09:58:44 GMT (2 weeks, 4 hours and 34 minutes ago)
>>> Doesn't work, but at least it makes the dmesg look better.>What doesn't
>>> work?Hi Martin,
>Can't speak for Callum but in my case USB isn't working on Bay Trail.
>ASUS X205TA - amd64 16th december snapshot (now booting fine UEFI native)
>EHCI configured returns:
>ehci0 at pci0 dev 29 function 0 vendor "Intel", unknown product 0x0f34 rev
>0x0f: couldn't map interrupt
>
>XHCI configured returns:
>xhci0 at pci0 dev 20 function 0 "Intel Bay Trail xHCI" rev 0x0f: couldn't map
>interrupt
>
>can't proceed with install until internal keyboard works (USB support).

Similar issue with Lenovo Ideapad 100S-11 using the December 27 amd64
snapshot.  After UEFI the system boots bsd.rd. The dmesg is displayed followed
by the welcome and install message.   I do not have a good way to capture the
install log since the keyboard seems to stop functioning. The keyboard does
work during the initial boot prompt (e.g., I can type boot bsd.rd).

If it is helpful I can forward a photo of the boot messages.  Below are
sections of the dmesg which indicated some error.

acpi0 at bios2: rev 2, ACPI control unavailable
"Intel Bay Trail Video" rev 0x0f at pci0 dev 2 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel Bay Train xHCI" rev 0x0f:
couldn't map interrupt
"Intel Bay Trail TXE" rev 0x0f at pci0 dev 26 function 0 not configured
"Intel Bay Trail LPC" rev 0x0f at pci0 dev 31 function 0 not configured



Re: owncloud and php5-libsmbclient / occ

2015-12-29 Thread dan mclaughlin
On Tue, 29 Dec 2015 20:43:49 -0500 Johan Huldtgren 
 wrote:
> > Also, if one would like to use occ utility from CLI, considering that the
> > whole owncloud runs chrooted under /var/www/ and that occ therefore looks
> > for /owncloud/apps folder (which is obviously /var/www/owncloud/apps) and
> > that www user is a nologin one, trying to run the following command:
> >
> > # doas -u www /var/www/owncloud/occ
> >
> > provides the following result:
> >
> > PHP Notice:  Undefined index: SERVER_PROTOCOL in
> > /var/www/owncloud/lib/private/response.php on line 77
> > App directory "/owncloud/apps" not found! Please put the ownCloud apps
> > folder in the ownCloud folder or the folder above. You can also configure
> > the location in the config.php file.
> >
> > How can occ then be run?
> 
> I solved this by temporarily symlinking the directory it asked for
> to the root, which let me run occ, and then I removed the symlink.
> I'm sure there is a better solution, but I needed something which
> worked quickly. so something like this:
> 
> ln -s /var/www/owncloud/apps /owncloud/apps
> doas -u www /usr/local/bin/php-5.6 /var/www/owncloud/occ
> 
> .jh
> 

how about:

$ doas chroot -u www /var/www /owncloud/occ

which should run /owncloud/occ after entering the chroot fs.



Re: TCL in a chroot

2015-12-28 Thread dan mclaughlin
On Mon, 28 Dec 2015 19:53:47 -0500 Paul Pereira  wrote:
> Has anyone had luck running tcl within a chroot? I have the required
> libraries reported by ldd in place, but the interpreter cannot find
> them.
> 
> # chroot /var/www /usr/local/bin/tclsh8.5
> /usr/local/bin/tclsh8.5: can't load library 'libtcl85.so.1.7'
> 
> # ldd `which tclsh8.5`
> /usr/local/bin/tclsh8.5:
> StartEnd  Type Open Ref GrpRef Name
> 1a646000 3a64a000 exe  10   0  /usr/local/bin/tclsh8.5
> 0c0e6000 2c105000 rlib 01   0  /usr/local/lib/libtcl85.so.1.7
> 0a26d000 2a276000 rlib 02   0  /usr/lib/libm.so.9.0
> 0ce86000 2cea4000 rlib 01   0  /usr/lib/libc.so.80.1
> 02688000 02688000 rtld 01   0  /usr/libexec/ld.so
> 
> # ls /var/www/usr/local/lib/libtcl85.so.1.7
> /var/www/usr/local/lib/libtcl85.so.1.7
> 
> Regards,
> Paul
> 

have you run ldconfig?

i do the following to set up my chroots (_jailroot=/var/www in your case)

sudo mkdir $_jailroot/{sbin,usr/libexec}
sudo cp -p /sbin/ldconfig $_jailroot/sbin
sudo cp -p /usr/libexec/ld.so $_jailroot/usr/libexec
sudo chroot $_jailroot ldconfig /usr/{,X11R6,local}/lib

that should create /var/www/var/run/ld.so.hints which aids the linker in
locating the shared libs.



Re: DESTDIR chroot for Mailman from ports

2015-12-27 Thread dan mclaughlin
On Sun, 27 Dec 2015 11:22:56 + (UTC) Juuso Lapinlampi  
wrote:
> I'm having a bit of hard time installing Mailman from ports to an
> alternative `DESTDIR` chroot on OpenBSD 5.8 -stable, GENERIC.MP amd64. I
> have a working Mailman setup in a non-chroot environment and I'm trying
> to move it to a chroot. I've partially succeeded in doing so, but it
> seems `DESTDIR` is not working on this port.
> 
> For those not yet aware, Mailman is a mailing list software written in
> Python that interacts with CGI to provide a web interface for mail
> archives and control panel.
> 
> By default, Mailman packages will install to `/usr/local/lib/mailman/`.
> For this to work with Mailman's web interface, both OpenBSD httpd(8) and
> slowcgi(8) must be chrooted to `/` to be able to access Mailman's needed
> files. For obvious reasons, running slowcgi with `-p /` is not
> recommended from security perspective and is actively discouraged by
> OpenBSD developers.
> 
> Ideally, Mailman should be installed to a chroot at `/var/www`
> (`/var/www/usr/local/lib/mailman/`). This is what I'm looking for.
> Because the packages for Mailman don't do this by default, I am trying
> to use the ports to customize the DESTDIR.
> 
> It seems this port doesn't play very well with `DESTDIR` however. I've
> tried at least
> 
> cd /usr/ports/mail/mailman/
> make
> DESTDIR="/var/www" make install
> 
> among other similar things (e.g. using `env DESTDIR="/var/www"`), but it
> seems Mailman will be installed to `DESTDIR=/` (that is,
> `/usr/local/lib/mailman/`).
> 
> The Makefile itself has this comment:
> 
> # gnu still breaks the pathes as prefix is actually mailman's home
> CONFIGURE_STYLE=simple
> 
> This might be the blocker, but I am not sure what to do with it. Maybe
> any of porters have a better idea.
> 
> Right now I also tried creating a package and installing it with
> `pkg_add(1)` to work around the issue:
> 
> cd /usr/ports/mail/mailman/
> make
> make uninstall package clean
> pkg_add -B /var/www /usr/ports/packages/amd64/all/mailman-2.1.20.tgz

if i am reading you right, you probably only need that last pkg_add.
i regularly use chroot for a number of packages (and their complex
dependencies), and the packages are the normally compiled versions.
the line from my scripts which is pretty much identical, is:

$ env PKG_DBDIR=$_dbdir pkg_add -B $_jaildir $_pkg

except i use PKG_DBDIR for an alternative to /var/db/pkg.

but your pkg_add should install to '/var/www/usr/local/lib/mailman/'.
and within the chroot it will see it as /usr/local/lib/mailman so
there shouldn't be a problem unless mailman doesn't play nice in a chroot
(there are a number of packages that don't).

my notes on using chroot here may be useful:
https://marc.info/?l=openbsd-misc=142676615612510=2

> 
> and this seems to be a success, assuming the dependencies are okay and
> also in the chroot (they're not, yet). Now my problem is getting
> `DESTDIR` for the dependencies. I'm not also sure if using `pkg_add(1)`
> like this is a great idea.

i think you are looking in the wrong direction with DESTDIR. i have never
found modifying ports/packages necessary.

> 
> The closest advice I found for installing Mailman to an OpenBSD chroot
> was a `mailman-users` mailing list post from 2008.[1] However, this
> advice is quite dated and relies too much on copying Mailman manually
> and building Mailman from source instead of ports. Not what I'm looking
> for.
> 
> It seems `/ports/mail/mailman/` hasn't changed in `-current` tree or in
> the past 8 months, so I could probably reproduce my issue there but I've
> not yet tested so.
> 
> I could move or copy Mailman and all of its dependencies manually under
> `/var/www` chroot, but this doesn't seem to be a good idea from
> maintenance perspective.
> 
> Can I do something to build Mailman and its dependencies with
> `DESTDIR=/var/www` for easier maintenance?
> 
> [1]: https://mail.python.org/pipermail/mailman-users/2008-April/061331.html
> 

for maintenance, just do the reverse, and 'pkg_delete -B /var/www ...' or
if you use PKG_DBDIR=/var/www/pkgdb (or something similar) you can just
delete the packages and the pkg database manually, and install the new
versions.



Re: if I were to make a pkg-add diff

2015-12-25 Thread dan mclaughlin
On Fri, 25 Dec 2015 16:09:27 -0600 Luke Small  wrote:
> I suppose folks could opt for the more stable yet higher latency
> official mirrors even if they aren't local to canada and they would
> never be surprised. It may not be too much trouble for me to implement
> a mere stdout statement in the perl pkg-add to advise the user to
> update PKG-PATH to randomly offer one of the official mirrors as the
> PKG-PATH (as an easy to implement fix) and steer the user to install a
> web-browser to discover the current list of http/ftp package mirrors
> if Firefox or lynx exists on the system; since they don't by default.
> It wouldn't be too dissimilar to the kind of messages delivered by
> pkg-add itself to rm folder contents at the end of a run.

talk is cheap. if you see a problem, show a fix instead of talking about it.
(i am really starting to feel for the devs. this gets wearying.)

so lynx is gone, but you don't need to install a web browser. ftp(1) is in
base and functions quite well. you want the mirrors?

ftp -o - http://www.openbsd.org/ftp.html | more

will display the html source of the page, which is pretty easy to read even
unrendered.

if you wanted to format it better, you could do:

ftp -o - http://www.openbsd.org/ftp.html | \
sed -n \
-e 's:$::' \
-e 's:  \([^<]*\)<.*:\1 :p' \
-e 's:^\(   [hfr].*\):\1:p'

(all whitespace in the above sed are single tabs, copy & paste will not work)

will display them all (http,ftp,rsync) as below:

Australia (Adelaide)
http://mirror.internode.on.net/pub/OpenBSD/
Australia (Brisbane)
http://mirror.aarnet.edu.au/pub/OpenBSD/
Australia (Perth)
http://ftp.iinet.net.au/pub/OpenBSD/
...


if you want to test a mirror, just use ftp's return value as below:

ftp -VM -o /dev/null $MIRROR && echo "$MIRROR" >>good-mirrors

or if you had a list of possible mirrors (in file 'mirrors'):

for MIRROR in $(< mirrors); do
  ftp -VM -o /dev/null $MIRROR && echo "$MIRROR"
done >good-mirrors

whenever i want something to work the way i want, i just script around it.
the beauty of unix.

> 
> On 12/25/15, Luke Small  wrote:
> > I suspect that if you did, it wouldn't check whether there was an
> > astronaut ready to control the on-board computer and would sit there
> > continuously trying to rev the rocket engines with no jet fuel. That
> > is the way pkg-add acts right now. I felt pretty ridiculous wondering
> > why pkg-add wasn't working only to figure out I was working with a
> > mirror that was no longer active this week.
> >
> > On 12/24/15, Theo de Raadt  wrote:
> >>>I wanna make a c program that checks for a PKG_PATH that exists and
> >>>connects to a workable link for pkg_add().
> >>
> >> and I wanna build a rocket ship...
> >>
> >
> >
> > --
> > -Luke
> >
> 
> 
> -- 
> -Luke



Re: utilities in bsd.rd

2015-12-21 Thread dan mclaughlin
On Mon, 21 Dec 2015 20:45:15 + "AHLSENGIRARD, EDWARD F CTR USAF AFMC 
AFNWC/NDBD"  wrote:
> By any chance is there a handy list of the utilities compiled into bsd.rd
> (release or recent snap)?
> 
> 
> --
> Edward Ahlsen-Girard
> 

it may not be exhaustive but the kernel is compiled from /usr/src/distrib and:

$ ls /usr/src/distrib/special/
CVS           dhclient     grep         mkdir         mv            route
Makefile      disklabel    gzip         mknod         newfs         sed
Makefile.inc  dmesg        hostname     mkuboot       newfs_ext2fs  signify
arch          ed           ifconfig     more          newfs_msdos   sleep
bioctl        eeprom       init         mount         pax           stty
cat           encrypt      installboot  mount_cd9660  pdisk         sync
chmod         fdisk        kbd          mount_ext2fs  ping          sysctl
chroot        fsck         ksh          mount_ffs     ping6         umount
cp            fsck_ext2fs  libstubs     mount_msdos   pwd_mkdb      ztsscale
date          fsck_ffs     ln           mount_nfs     reboot
dd            fsck_msdos   ls           mount_udf     restore
df            ftp          md5          mt            rm


you can also use the process in
https://marc.info/?l=openbsd-misc=141552533922277=2

which will allow you to look at the filesystem of the kernel itself.



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-12-05 Thread dan mclaughlin
On Mon, 30 Nov 2015 23:30:49 +0100 Lampshade <lampsh...@poczta.fm> wrote:
> Thanks for answers.
> @dan mclaughlin. But how to prevent attacker going out of chroot?

as far as i am aware only root can break out of a chroot. as long as nothing
runs as root, and there are no suid root this shouldn't be a problem.

> Do you think that this is possible to prevent this using pledge(2)?

pledge may not be the best tool. see
https://marc.info/?l=openbsd-ports=144822758614817=2

there is systrace(1) which does something similar.

> 
> Thanks for links. Especially Jonathan's "Re: making firefox less
> insecure"
> mail dated 2014-11-23 is worth reading for me. I wonder if
> pledge(2), in theory, can be used to extend his program.
> 

see the above url re pledge.



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-11-29 Thread dan mclaughlin
On Sun, 29 Nov 2015 07:08:57 -0700 "Anthony J. Bentley"  
wrote:
> Lampshade writes:
> > Is it possible, in theory, to use pledge(2) to make something similar to 
> > fire
> > jail?
> > https://packages.debian.org/sid/main/firejail
> > Firejail is a Gnu/Linux's program which executes Firefox as it's descendant
> > with reduced privilages.
> > For example I would like to restrict Firefox to not write and read to 
> > directo
> > ry
> > outside /home/firefox directory. Let's assume that I run firefox as another 
> > u
> > ser than
> > my normal account. I would restrict, using traditional Unix privilages, 
> > Firef
> > ox
> > and all its descendants, logging as another user to regain privilages to
> > for example to /home/open. I imagine that would still leave huge attack 
> > vecto
> > r
> > to pown system and/or sniff password, but I think it is better than nothing.
> 
> After the recent Firefox pdf.js exploit (where malicious PDFs on an ad
> server were reading files under ~, including ssh keys), I started
> running Firefox as its own user, and tightened the permissions on my
> home directory so Firefox can't access it.
> 
> There's a large class of attacks this doesn't help against (anything
> that uses X to access keystrokes or similar) but it stops a large set of
> potential Firefox exploits right away with nothing but Unix filesystem
> permissions.
> 
> http://lists.dragonflybsd.org/pipermail/users/2015-August/228324.html
> 
> -- 
> Anthony J. Bentley
> 

you can mitigate those X attacks using 'ssh -X'. i detailed a number of
mitigations here in 'isolating untrusted programs in ssh chroot jails'
(https://marc.info/?l=openbsd-misc=142676615612510=2).

it has been reported that those methods work for firefox as well.

if going the route of chroot itself is too extreme, you would still profit
from some of the other information in that post ie X11 Security Extensions,
Xephyr.

for pdfs, i have a chroot under a user who is denied access to the net
via pf. i find it a good idea to only allow specific users access, eg:

pass out log quick on $intif proto tcp user { browse, 1000, pfetch }
pass out log quick on $intif proto udp user { browse, 1000, pfetch }

even root is denied net access with the above.
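Those two `pass` rules deny nothing by themselves; pf's default when no rule matches is to pass, so "even root is denied" holds only when a default-deny `block` rule sits above them, which the quoted fragment leaves implicit. The following is an added pf.conf fragment, not the poster's configuration: `$intif` and the `browse`/`pfetch` users are taken from the quoted lines, and `em0` is an assumed interface name.

```pf
# Added example pf.conf fragment (assumed, not the poster's file).
intif = "em0"

# Default deny for traffic leaving on $intif. Without this, a socket owned
# by any user not listed below (root included) would fall through to pf's
# implicit pass. 'log' sends the denied attempts to pflog for review.
block out log on $intif

# Only these local users may originate TCP/UDP traffic on $intif.
# 'user' matches the owner of the local socket, so it constrains traffic
# this host itself originates or terminates, never packets it forwards.
pass out log quick on $intif proto tcp user { browse, 1000, pfetch }
pass out log quick on $intif proto udp user { browse, 1000, pfetch }
```

Checking the result is as simple as running a fetch as root and as one of the listed users and watching `tcpdump -n -e -ttt -i pflog0` for the block entries.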



Re: Mount ISO as read write

2015-10-28 Thread dan mclaughlin
On Wed, 28 Oct 2015 07:45:05 +0000 (UTC) Mik J  wrote:
> Hello everyone,
> I asked this question on another list a long time ago.
> * I would like to mount an iso in order to add some files
> # ls -l /mnt
> drwxr-xr-x   2 root  wheel 512 May  3 15:31 iso
> # vnconfig svnd0 Image.iso
> # mount_cd9660 -o rw /dev/svnd0c /mnt/iso
> After the mount, it's read only
> # ls -l /mnt
> dr-xr-xr-x   1 root  wheel 512 May  3 15:31 iso
> The person who replied told me it was normal, cd9660 are always mounted as
> read only and suggested that I have to remake the iso
> * If that is correct, I would like to know how would I be able to remake
> this iso, and particularly keeping the boot options.
> When I want to make an OpenBSD iso I use -b i386/floppy58c.fs -c boot.catalog
> I would like to know how can I find which -b and -c options have been used by
> the person who made the iso in order to use it when I want to rebuild this iso
> Thanks
> 

you must be using a pretty old version of OpenBSD if you are using svnd0 (it is
just vnd0 now).

i don't know of a way to mount an iso9660 filesystem r/w either (makes sense
as it is for read-only media), but you can mount the iso image as you did
above, and then copy it into a new directory.

# mkdir newiso
# (cd /mnt/iso && tar cf - *) | tar xpf - -C newiso

now you can modify the version in the newiso directory.

i don't know how to get the parameters used on any random image, but the
command used to create the install cd image is:

mkhybrid -a -R -T -L -l -d -D -N -o /usr/src/distrib/i386/cdfs/obj/cd58.iso -v -v \
    -A "OpenBSD 5.8 i386 bootonly CD" \
    -P "Copyright (c) `date +%Y` Theo de Raadt, The OpenBSD project" \
    -p "Theo de Raadt " \
    -V "OpenBSD/i386 5.8 boot-only CD" \
    -b 5.8/i386/cdbr -c 5.8/i386/boot.catalog \
    /usr/src/distrib/i386/cdfs/obj/cd-dir

but i don't think it matters much which -b and -c options were used
originally. when you recreate the image you have to redo that anyway.

i'm not sure of your use of -b for a cd however. according to mkhybrid(8):

  This will work, for example, if the boot image is a LILO-based boot floppy.

but i've never tried that. i use cdbr as in the example above (which is from
the release(8) process, used to make the official releases). you can find cdbr
as /usr/mdec/cdbr, and can copy it to the newiso dir if you don't already have
a copy there.
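The whole copy-out, edit, rebuild cycle from the reply above, put together as an added example script (not code from the post): it attaches the image to vnd, copies the tree with permissions kept, always detaches again, and rebuilds with the same `-b cdbr` / `-c boot.catalog` layout the release process uses. Assumptions: vnd0 is free, /mnt/iso exists, the release and architecture are passed in, cdbr and cdboot come from /usr/mdec (i386/amd64), and you edit the work directory between the two steps. With `DRYRUN=1` it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the post: copy an OpenBSD install ISO out through
# vnd, let the caller modify the tree, and write a new bootable image.
# Assumptions: vnd0 free, /mnt/iso exists, cdbr/cdboot in /usr/mdec,
# OSREV/ARCH given by the caller. DRYRUN=1 prints instead of executing.
set -e

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# iso_extract IMAGE WORKDIR: attach IMAGE to vnd0, mount it (cd9660 is
# read-only, so -o rw buys nothing), copy the tree including dotfiles with
# permissions kept, then detach even if the copy failed.
iso_extract() {
    img=$1; work=$2
    run mkdir -p "$work"
    run vnconfig vnd0 "$img"
    run mount_cd9660 /dev/vnd0c /mnt/iso
    rc=0
    run sh -c "cd /mnt/iso && tar cf - . | tar xpf - -C '$work'" || rc=$?
    run umount /mnt/iso
    run vnconfig -u vnd0
    return $rc
}

# iso_build WORKDIR OUTPUT OSREV ARCH: make sure the boot loader pieces are
# in the tree, then write an El Torito bootable image over WORKDIR.
# -b names the boot image inside the tree, -c where mkhybrid writes the
# catalog it generates.
iso_build() {
    work=$1; out=$2; rev=$3; arch=$4
    for f in cdbr cdboot; do
        [ -f "$work/$rev/$arch/$f" ] || run cp "/usr/mdec/$f" "$work/$rev/$arch/$f"
    done
    run mkhybrid -a -R -T -L -l -d -D -N -o "$out" \
        -A "OpenBSD $rev $arch custom CD" \
        -V "OpenBSD/$arch $rev custom CD" \
        -b "$rev/$arch/cdbr" -c "$rev/$arch/boot.catalog" "$work"
}

# Usage, as root on the real box:
#   iso_extract Image.iso newiso
#   (edit files under newiso)
#   iso_build newiso custom.iso 5.8 i386
```

The boot.catalog path given to `-c` does not need to exist beforehand; mkhybrid creates it. Whether the result actually boots is best checked in a VM before burning anything.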



Re: Because Theo and various users told them that the projects GnoBSD and Comixwall were worthless and that they weren't contributing to OpenBSD?

2015-10-20 Thread Dan Farrell
I'd like to correct the record here, because you're Misrepresenting with a
capital "M":

Comixwall shut down because Soner Tari, the guy who put it all together,
got butt-hurt after unsuccessfully trying to advertise his project on this
mailing list. Theo's apparent tough-reply was enough to make this guy
cancel his own project entirely. He literally melted down, took his toys
back home, and was never heard from again. Does that sound like a project
you would trust your home network to, much less your day-job-network?

Imagine if it were 'okay' for calomel to advertise here? If you don't
understand the question, you have some learning to do in this subject.

In light of all of this, now maybe do you think the philosophy about not
letting every tom-dick-n-harry advertising their projects here makes sense?


Very Sincerely,

Dan Farrell

On Sat, Oct 17, 2015 at 9:59 AM, français <romaper...@gmail.com> wrote:

> I always find it amusing how OpenBSD is "audited", yet there's not one
> audit
> report on the OpenBSD website. The closest answer I've been able to find on
> the mailing list is to review all of the CVS commit logs. Yeah, that's not
> opaque in the slightest...
>
> The bigger problem with OpenBSD is its community. In the FreeBSD world,
> you
> have PC-BSD and pfsense, both of which are generally welcomed by the
> community. With OpenBSD, there were two sister projects that tried to
> target
> a similar audience: GnoBSD and Comixwall. Comixwall was the equivalent of
> pfsense for easy router/firewall management and GnoBSD was an attempt to
> make an easy-to-use desktop. Both, however, ended up shutting down after
> Theo and various users told them that their projects were worthless and
> that
> they weren't contributing to OpenBSD.
>
> Because Theo and various users told them that their projects were worthless
> and that they weren't contributing to OpenBSD?
>
>
>
> --
> View this message in context: http://openbsd-archive.7691.n7.nabble.com/Because-Theo-and-various-users-told-them-that-the-projects-GnoBSD-and-Comixwall-were-worthless-and-t-tp280374.html
> Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: doas and home directory of target user

2015-09-25 Thread dan mclaughlin
On Fri, 25 Sep 2015 02:09:40 +0900 Joel Rees <joel.r...@gmail.com> wrote:
> At any rate, I have convinced myself that doas follows the manual page
> in preserving the calling user's key environment variables, including
> HOME and USER.
> 
> I had not grasped that this was considered desired behavior, so did
> not initially read it that way. I still think the man page is a little
> confusing, but do not at the moment have any suggestions for
> clarifying things. (Now I'm not sure what doas is for, other than for
> running build scripts more safely, which I think it will be much more
> reliable at than sudo.)
> 
> For the purpose below (allowing running firefox as a non-login user),
> I've installed sudo, and note that sudo -s now passes quoted strings
> as if the string itself were the command, such that scripts that were
> 
> sudo -H -u user2 -s "cd; command"
> 
> must now explicitly say sh -c, as
> 
> sudo -H -u user2 sh -c "cd; command"
> 
> For the larger purpose, providing a reliable sandbox, I'm going to see
> whether chroot would allow me to use a non-login user as proxy user
> for the stupid (pardon my French) bloated web browsers.

i had a thread 'isolating untrusted programs in ssh chroot jails'
(https://marc.info/?l=openbsd-misc&m=142676615612510&w=2) that covers
this in detail.

David Coppa reported that it was possible to do for firefox.

you need a user with a shell for this to work however, but you can disable
password authentication. from passwd(5):

  Similarly, login accounts not allowing password authentication but
  allowing other authentication methods, for example public key
  authentication, conventionally have 13 asterisks in the password field.

so you can ensure that a local key is necessary to log in. and you can
ensure that it only runs firefox with the ForceCommand directive (it's
all in that thread, and more in the linked threads).

> 
> On Wed, Sep 23, 2015 at 8:29 AM, Joel Rees <joel.r...@gmail.com> wrote:
> > Thank you, Dan, Ben, and Frank. I see that I have left out some
> > important information:
> >
> > user2 is specified as a non-login class of user in /etc/login.conf,
> > auth=reject: shell=/sbin/nologin, and has a default shell of
> > /sbin/nologin in /etc/passwd .
> >
> > On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees <joel.r...@gmail.com> wrote:
> >> I have this rule in doas.conf:
> >>
> >> permit nopass user1 as user2
> >>
> >> As user1, I try this at the command line:
> >>
> >> doas -u user2 whoami
> >>
> >> and it tells me I am user2, as I expect. And
> >>
> >>doas -u user2 ls
> >>
> >> tells me I don't have permission. I kind of expect this.
> >>
> >> I'm looking for a way to do the equivalent of
> >>
> >> sudo -u user2 -s "cd; ls"
> >>
> >> I don't see a way to do this with doas, at least not without a short
> >> intermediary script, which script is not going to be able to do cd ~/.
> >>
> >> Should I assume that doas is not intended to do this sort of thing?
> >
> > With this intermediary script:
> >
> > #! /bin/sh
> > export USER=user2
> > . /etc/ksh.kshrc
> > printenv
> > ls
> >
> > I get
> >
> > MAIL=/var/mail/user1
> > LOGNAME=user1
> > HOME=/home/classU/user1
> > 
> > PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
> > DISPLAY=:0.0
> > TERM=xterm
> > USER=user2
> > ls: .: Permission denied
> >
> > Which, I guess, does surprise me.
> >
> >> (And therefore [I should] do things "right" by setting up ssh with public-key
> >> authentication to do the user switch?)
> >
> > Which would also require enabling login for user2. (I tried this
> > without thinking yesterday.)
> >
> >> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/ )
> >
> > Would this also require enabling login?
> >
> > --
> > Joel Rees
> >
> > Be careful when you look at conspiracy.
> > Arm yourself with knowledge of yourself, as well:
> > http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
> 
> 
> 
> -- 
> Joel Rees
> 
> Be careful when you look at conspiracy.
> Arm yourself with knowledge of yourself, as well:
> http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
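The account shape described in the reply above (a real shell, 13 asterisks in the password field, a ForceCommand that pins the key to one program), as an added example script that is not from the post or the linked thread. The account name `browse`, the command path and the two master.passwd lines are constructed placeholders. The check also rejects the `/sbin/nologin` shell the quoted user2 has, because sshd runs the forced command through the account's shell, which is why a shell is needed at all.

```shell
#!/bin/sh
# Added example, not from the post: audit a master.passwd(5) entry for use as
# a key-only, single-command sandbox account and emit the matching
# sshd_config(5) fragment. Account name, command path and the sample
# master.passwd lines below are constructed placeholders.

# pw_auth_disabled LINE -> 0 if the password field is exactly 13 asterisks,
# the passwd(5) convention for "no password login, other methods allowed".
# A single '*' or a real hash does not count.
pw_auth_disabled() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    [ "$field" = "$(printf '%13s' '' | tr ' ' '*')" ]
}

# pw_shell LINE -> login shell (field 10 of master.passwd, field 7 of passwd)
pw_shell() {
    printf '%s\n' "$1" | cut -d: -f10
}

# sshd_match_block USER CMD -> fragment that forces CMD for USER over ssh.
# X11 stays on so 'ssh -X' can carry the display; the other forwarding
# options are closed so the key cannot be used as a generic tunnel.
sshd_match_block() {
    cat <<EOF
Match User $1
    PasswordAuthentication no
    ForceCommand $2
    X11Forwarding yes
    AllowAgentForwarding no
    AllowTcpForwarding no
    PermitTunnel no
EOF
}

# sandbox_user_ok LINE -> 0 when the entry works as a key-only jail user:
# no password auth, and a shell that will actually run the forced command
sandbox_user_ok() {
    pw_auth_disabled "$1" || { echo "password auth not disabled" >&2; return 1; }
    case $(pw_shell "$1") in
        /sbin/nologin|"") echo "shell would reject ssh sessions" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample entries: one usable jail user, one that only has a
# locked password and nologin, which sshd would refuse to run anything for.
SAMPLE_GOOD='browse:*************:1001:1001:default:0:0:Browser jail:/home/browse:/bin/ksh'
SAMPLE_BAD='pdf:*:1002:1002:default:0:0:PDF viewer:/home/pdf:/sbin/nologin'
```

On the real host, `sshd -T -C user=browse | grep -i forcecommand` prints the setting sshd will actually apply for that account, and the session test is simply `ssh -X browse@localhost`, which should start the browser and nothing else.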


