Re: httpd: need root privileges
On 20/03/19 3:01 AM, Ingo Schwarze wrote:
> Hi Alfred,
>
> Alfred Morgan wrote on Tue, Mar 19, 2019 at 08:05:33AM -0500:
>
>> I tried starting a temporary httpd server on port 8080
>> as a user to serve some files and I found this error:
>> httpd: need root privileges
>>
>> I would think there would be value in letting httpd be run
>> by standard users.
>
> For security reasons, you absolutely do *not* want that.
>
> You do not want to run a network daemon as your normal login user.
> If the network daemon contained a bug, remote attackers might
> read or modify the private files of your local user.
>
> You really want the network daemon to run as a *dedicated* user
> which doesn't have access to resources it doesn't need. On OpenBSD,
> that low-privileged user is called "www":
>
>    $ ps -Ao user,command | grep [h]ttpd
>    www   httpd: server (httpd)
>    root  /usr/sbin/httpd
>    www   httpd: server (httpd)
>    www   httpd: logger (httpd)
>    www   httpd: server (httpd)
>
> This is *privilege separation*. In particular, you want the "logger"
> process and the "server" processes chroot(2)ed and setresuid(2)ed to
> www, see proc.c, proc_run(), all of which requires root privileges
> to set up.
>
> Starting up a network daemon without root privileges would be
> inherently insecure.

Yes.

But is the error message:

httpd: need root privileges

Accurate?

--
If not me then who? If not now then when? If not here then where?
So, here I stand, I can do no other
r...@worik.org 021-1680650, (03) 4821804 Aotearoa (New Zealand)
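The sequence described in the quoted reply above (root check, chroot(2), then setresuid(2) to a dedicated user), as an added example that is not part of the thread and is not httpd's own code. The function names and result codes are hypothetical, and the "www" user with a /var/www jail in main() are assumptions about the host.

```c
#define _GNU_SOURCE             /* setresuid/setresgid on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Repeated so the block still compiles if _GNU_SOURCE takes effect too late. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

/* Result codes are hypothetical names for this example. */
enum { PRIV_OK, PRIV_NEED_ROOT, PRIV_NO_USER, PRIV_SETUP_FAILED, PRIV_STILL_ROOT };

/* Child side: confine to `jail`, then shed every root identity for good. */
static int drop_privileges(const struct passwd *pw, const char *jail)
{
	/* chroot(2) is root-only; chdir so the cwd is inside the jail. */
	if (chroot(jail) == -1 || chdir("/") == -1)
		return PRIV_SETUP_FAILED;
	/* Order matters: groups and gid first, uid last, or the gid calls fail. */
	if (setgroups(1, &pw->pw_gid) == -1 ||
	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
		return PRIV_SETUP_FAILED;
	/* Real, effective and saved uid were all replaced: root must be unreachable. */
	if (setuid(0) != -1 || geteuid() == 0)
		return PRIV_STILL_ROOT;
	return PRIV_OK;
}

/* Parent side: refuse to start without root, then fork a confined worker. */
int start_confined_worker(const char *user, const char *jail)
{
	struct passwd *pw;
	pid_t pid;
	int status;

	if (geteuid() != 0)             /* none of the setup below can work */
		return PRIV_NEED_ROOT;
	if ((pw = getpwnam(user)) == NULL)
		return PRIV_NO_USER;
	if ((pid = fork()) == -1)
		return PRIV_SETUP_FAILED;
	if (pid == 0)
		_exit(drop_privileges(pw, jail));
	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
		return PRIV_SETUP_FAILED;
	return WEXITSTATUS(status);
}

int main(void)
{
	/* "www" and /var/www are assumptions; adjust to the local system. */
	int r = start_confined_worker("www", "/var/www");

	if (r == PRIV_NEED_ROOT) {
		fprintf(stderr, "need root privileges\n");
		return 1;
	}
	printf("worker setup result: %d\n", r);
	return r != PRIV_OK;
}
```

Run as an ordinary user it stops at the first check; run as root, the parent stays privileged while the forked worker ends up chrooted and unable to regain uid 0.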
puri.sm What is the quality of this work?
https://puri.sm/learn/freedom-roadmap/ I stumbled on this today. I am interested in the criticisms of it. They seem quite pleased with themselves. I have seen https://marc.info/?l=openbsd-misc=142242615002878=2 from three years ago. Purism claim is that they are still having problems removing FSP. But is this comment (from the linked email from Theo) still applicable: "Don't waste your money on a false ideal by someone who misunderstands modern hardware and the market forces." Of course, but does that description fit these folks? Worik -- If not me then who? If not now then when? If not here then where? So, here I stand, I can do no other r...@worik.org 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Re: Writing "ones" instead of "zeroes" when wiping disk
On 12/01/18 11:09, Jan Stary wrote:
> On Jan 11 14:45:21, andreasthu...@gmail.com wrote:
>> Hi!
>>
>> Again, an ignorant question (as usual):
>>
>> How might I do something similar to
>>
>> # dd if=/dev/one of=/dev/sd0 bs=1M
>>
>> as a complement to the usual and well-described
>>
>> # dd if=/dev/zero of=/dev/sd0 bs=1M
>>
>> followed by
>>
>> # dd if=/dev/urandom of=/dev/sd0 bs=1M
>>
>> in order to achieve paranoid disk-wiping?
> Ones are not nearly as secure as zeros.
>

Why not? Is it not arbitrary?

Worik

--
If not me then who? If not now then when? If not here then where?
So, here I stand, I can do no other
r...@worik.org 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Re: A branded USB stick as an alternative to the CD set?
On 01/12/15 10:40, Petr Ročkai wrote:
> Theo de Raadt writes:
>> I don't know, but I'll think about it later, because I am busy.
>> I am spending my day making a non-writeable USB stick for the OP.
> That's nice. Although a simple 'no' would have sufficed of course. I
> have been told that buying CD sets is useful for the project, but I have
> no use for CDs. That's all. Maybe I could get a poster instead...
>

Wasting breath. Last time I tried the CD shop took money for not sending a CD.

CDs are a waste of time for me too. Not quite useless, but close. But expressing other ideas here is a waste of breath.

W

--
Why is the legal status of chardonnay different to that of cannabis?
r...@worik.org 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Re: httpd and Server Side Includes
I have been digging a bit to find the correct software to use for a little website that makes some light use of SSI and I came upon this.

I have some questions about it

On 07/03/15 08:42, Florian Obser wrote:
> On Fri, Mar 06, 2015 at 07:13:13PM +, Peter Fraser wrote:
>> The web sites that are involved make heavy use of Server Side Includes
>> which the new httpd does not yet have any support.
>
> I wouldn't hold my breath. I'm fairly certain that we won't implement
> it.

Why is that?

[snip]

>
> Seems reasonable. httpd(8) does not try to be the all singing all
> dancing http daemon. Use the right tool for the job. For some jobs
> that might be nginx, for others that might be httpd(8).

What are the sorts of jobs that httpd is the right tool for? Is it only serving static HTML?

I have seen some reference to "slow CGI" but my needs and research have not gone there. Does httpd support CGI?

cheers
Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love

--
Why is the legal status of chardonnay different to that of cannabis?
r...@worik.org 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Fund raising
I got a lot of shit on this list for suggesting that the OpenBSD project sell documentation collections (that are freely available elsewhere) as a method of raising funds for the project as CD rom sales dry up.

A lot of shit on list and especially off list (one clown made up a gmail address especially to tell me to fuck off. Way too much time some people have)

Today I spent $US5 on an ebook containing tutorials for software I am considering using. By exercising my mouse I could have got it for free. I did not.

So I am bringing this up again. I do not want CDROMs. I have been to the trouble of paying for one and insisting they do not post it, but it was a lot of bother.

I would pay for a collection of release notes for each new release. I support this project and I would like to support Theo directly - as CD sales do.

So once again (at the risk of infuriating idle clowns) I respectfully suggest that the project consider such a release beside and as well as CDROMs.

I do realise that I am proposing a good idea for some one else to do. I cannot lead such a task as I am an OpenBSD newbie.

W

PS For those who might care I bought Backbone Tutorials by Thomas Davis. https://leanpub.com/backbonetutorials

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Re: I found a sort bug! - How to sort big files?
On 16/03/15 06:43, Steve Litt wrote:

But IMHO, sorting 60megalines isn't something I would expect a generic sort command to easily and timely do out of the box.

I would. These days such files are getting more and more common.

But there is a warning in the man page for sort under BUGS:

To sort files larger than 60MB, use sort -H; files larger than 704MB must be sorted in smaller pieces, then merged.

So it seems there is a bug in... files larger than 60MB, use sort -H since that did not work for the OP.

Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Re: lynx is gone?
On 07/03/15 11:59, worik wrote: On 06/03/15 22:29, Raf Czlonka wrote: By the way, is there a list a common risk-prone idioms ? +1 https://duckduckgo.com/?q=%22common+risk-prone+idioms%22t=canonical common risk-prone idioms appears only here. Interesting concept, and would be illuminating to expand on Sigh! If I had read *all* the thread before replying I would have seen some illumination. Nice W -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Re: lynx is gone?
On 06/03/15 22:29, Raf Czlonka wrote: By the way, is there a list a common risk-prone idioms ? +1 https://duckduckgo.com/?q=%22common+risk-prone+idioms%22t=canonical common risk-prone idioms appears only here. Interesting concept, and would be illuminating to expand on W -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Re: Raspberry Pi 2 Model B
On 03/02/15 03:20, Janne Johansson wrote: But it still requires a blob to actually run, does it not? The fact that there is docs for the blob isn't as important as being forced to have someone elses code running alongside your kernel in order to even boot it, let alone produce graphics on it. Very interesting discussion. Is there a list of supported and unsupported hardware maintained any place? I have searched and cannot find one, which may be a reflection on me! There is a lot of discussion on this list about the performance of such and such hardware... For people interested in Raspberry PI (that includes me, I own two) the beaglebone black is an interesting device and I did find http://www.tedunangst.com/flak/post/OpenBSD-on-BeagleBone-Black I am especially interested in the discussion about blobs in the kernel. This is a discussion you almost never hear in Linux circles. cheers Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Re: Raspberry Pi 2 Model B
On 03/02/15 12:49, Mihai Popescu wrote: So, I can't resist to ask, Raspberry Pi is the answer to what question? It is a toy. Cheap. Can do simple computing tasks cheaper than anything else. Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
awstats
I am looking for some simple analytic software like awstats. Is there a guide to setting it up on OpenBSD/nginx? Or is there a better/alternative package? Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
nginx question...
Summary: The files under /var/www/htdocs are by default it seems all owned by root:wheel. What are the issues with changing that to be a normal user?

The long version

My work flow involves building a directory structure on another machine and using 'rsync' when I am ready to transfer it to the OpenBSD machine to be served by the public facing webserver.

Having the files owned by a user other than the one I log in as for a rsync session is causing all sorts of headaches and warnings from rsync.

So I have changed the ownership of all the files and directories to be foo:foo where 'foo' is the user/group name I login as.

This makes my life much simpler. But I have a nagging doubt that I am doing some thing I will regret. Perhaps I need to use rsync differently or modify my workflow

Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Re: Xmas
On 24/12/14 12:46, Jason Adams wrote: On 12/23/2014 03:23 PM, David Higgs wrote: Beer things? By Jove, I believe you are on to something. It is fast approaching beer o'clock. Of course it is beer o'clock! That was 1992! Been beering since W -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Re: DigitalOcean's BSD debut is FreeBSD only
On 19/12/14 08:21, Adam Thompson wrote: The last time I filed a bugreport on OpenBSD in a virtualized environment, I got flamed for not running it on real hardware. Haven't bothered since. Ummm... Harden up. Flames are common around here. But I feel your pain. I use VPS to run OpenBSD in two places. I have been following this thread with interest. Some cheap VPS providers allow you to use a custom ISO which is a straight forward process, but looking at this thread I am wondering if I have the whole picture. Is this a suggestion for a new chapter in the FAQ? Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Re: DigitalOcean's BSD debut is FreeBSD only
On 17/12/14 05:25, jungle Boogie wrote: I have not personally tested openBSD on https://www.vultr.com/ but I have read (tweets, probably) that it will work. I am doing so, twice. Working well. You can use a custom ISO, they do not specifically enable OpenBSD. I have a digital Ocean instance too, but they do not (last time I checked) allow custom ISOs. Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Generic Question: Floating point, MMU
On the thread: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox) ch...@nmedia.net commented: For ones that lack MMU or floating-point, Linux is it. Other ones that have MMU and FP can run OpenBSD, although significant porting effort is required. And they have 8MB to 16MB flash, which means you are running a ramdisk kernel and that's about it. Why is OpenBSD the choice only if you have a floating point? And I would have thought Linux would not do well without a MMU. I know people have ported Linux to all sorts of things, but no MMU? cheers Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Re: making firefox less insecure
On 17/11/14 10:55, Jorge Gabriel Lopez Paramount wrote:

[snip]

I restart every week that server as read-write to patch it and that's all,

[snip]

I have been using that VM more than half a year and invested like 4 hours setting it up. Is it not worth 4 hours a software that you use every day for things as important as banking?

So you do not have bookmarks? For banking that is a risk. If you mistype your URL you may end up on a phishing page.

I always load my banking URL from a bookmark.

Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Question about FAQ section 10.3
Processes local and package scripts in /etc/rc.d is listed as the last thing rc does after boot. What does Processes mean in this context? Naively I would think this means that the scripts are all executed. But that seems odd in this context as most of (all of?) the scripts take an argument that they pass to rc_cmd from rc.subr, and rc is not passing start to all those scripts. Looking at https://en.wikipedia.org/wiki/Init it seems my naive assumption is correct, but why run all those scripts? I am puzzled. Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Re: Question about FAQ section 10.3
On 24/10/14 14:53, Nick Holland wrote: On 10/23/14 21:36, worik wrote: Processes local and package scripts in /etc/rc.d is listed as the last thing rc does after boot. What does Processes mean in this context? like processing food -- do whatever needs to be done. (not my best analogy, I'll admit) [snip] Look at the /etc/rc script...yes it does execute each of the rc.d scripts, and yes it DOES pass start to them: [snip] now look how start_daemon is invoked... Interesting. In /etc/rc start_daemon is called for specific named scripts. Except that (at line 520) it runs it for all scripts in $pkg_scripts My shell scripting is really bad (I am going to have to up my game there if I am going to stick around here) but it seems it is set to an empty string in rc.conf (Mis)reading the FAQ I thought it meant *all* scripts in /etc/rc.d were Processed. . It actually says ...local and packaged scripts So if a package wants to be sure it is run at startup does it write that into the rc.conf where mine says... # rc.d(8) packages scripts # started in the specified order and stopped in reverse order pkg_scripts= I installed postgresql (with pkg_add) and it did not change this, I had to change /etc/rc.local by hand. Is there some reason why postgresql should not be started after a reboot? Have I completely got the wrong end of the stick? Worik Looking at https://en.wikipedia.org/wiki/Init it seems my naive assumption is correct, but why run all those scripts? um. because that's how we do it? Before 4.9 or so...we hard-coded the startup process for each daemon in /etc/rc, we decided to switch to the rc.d process for some additional flexibility. I'll admit I was dubious when it was first done, fearing we might be heading down the idiotic everything.d directories that many Linux distros are now doing, but it turns out I rather like it. Nick. -- Why is the legal status of chardonnay different to that of cannabis? 
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Why .cshrc and .profile in / ?
In a fresh(ish) OpenBSD installation I note .cshrc and .profile in /. Why? Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand) I voted for love
Re: Why .cshrc and .profile in / ?
On 20/10/14 11:50, Daniel Dickman wrote:

On Sun, Oct 19, 2014 at 6:32 PM, worik worik.stan...@gmail.com wrote:

In a fresh(ish) OpenBSD installation I note .cshrc and .profile in /. Why?

Not sure there's an answer but it was discussed at least one time before: http://marc.info/?t=11910307971r=1w=2

There are some theories there, but no facts.

Puzzlement

Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Re: Shadow TCP stacks
On 20/10/14 12:01, Ian Grant wrote:

Believe me, this would only scream on their filters. Hell, even someone capturing this with tcpdump and analyzing it later would see something it's not right.

You think someone can analyse all the HTTP traffic in a country? So what if they could? By the time they've analysed the dumps the service won't be on that host anymore.

Jumping in...

Yes all traffic of a country can be analysed, fairly close to real time. With some basic statistics, smart sampling and a dedicated team crafting clever algorithms...

That is what those big budgets are for!

Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Re: Can I turn off sndio?
On 18/08/14 19:58, Alexandre Ratchov wrote:

[snip]

What is the proper way to turn it off?

set sndiod_flags=NO in /etc/rc.conf.local (create one if it doesn't exist). This is explained here: http://www.openbsd.org/faq/faq10.html#rc

Thank you that is helpful. My bad, I had read that part of the FAQ but it did not sink in.

I assume that I can just kill sndio in the meantime rather than rebooting.

In the general case when editing /etc/rc (via changes in /etc/rc.conf.local) what is the way to set the state of the system daemons without having to reboot? Is it just a matter of killing and starting the daemons by hand or is there a general way to accomplish this without rebooting or entering single user mode?

On Sat, Aug 16, 2014 at 09:31:03AM +1200, worik wrote:

I do not use sound on my machine. I am new to OpenBSD and in examining the running system I see sndio is running.

When unused, sndiod is very small (eg. smaller than getty) and disabling it won't save much memory. Think of it as a kernel service we moved in user-space. It's like all these features that you don't use but that consume a tiny amount of memory (drivers for file systems you don't have, softraid, drivers for hardware you don't have etc).

Yes. But I am running OpenBSD for a reason, and it is not as a sound server, it will do no sound serving. So one less programme running is one less complication. Maybe a very small bit less, but still finitely less.

cheers
Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Can I turn off sndio?
I do not use sound on my machine. I am new to OpenBSD and in examining the running system I see sndio is running. I see it is started in /etc/rc, but the FAQ suggests that this file should not be edited. What is the proper way to turn it off? Worik -- Why is the legal status of chardonnay different to that of cannabis? worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Re: [Bulk] Re: a half-baked analysis of the verification chicken-and-egg problem, and request
On 13/08/14 22:13, Eric Furman wrote:

[snip]

The most absolutely best way any one can contribute to OBSD is to BUY CD'S. Buy some cd's and then buy some more. Buy them for the stickers. Buy them because they fund OBSD. Without cd sales OBSD would cease to exist. It is as simple as that. So, BUY CD'S! That is worth repeating; Without CD sales OpenBSD will cease to exist. PERIOD.

Contrary to what a lot of you assholes think

I would rather have a 5.5 T'shirt. I am new and when I am ready I will be back here asking questions but for now, I do not want a CD (totally useless to me) but a T'shirt would be cool. It would cover my nakedness.

Looking on http://www.openbsd.org/tshirts.html I can see no 5.5 T'shirt.

Actually given that today I am at home because of snow on the Lieth Saddle a 5.5 merino hoodie would be best. It would cover my nakedness and keep me warm(er)

NOTHING IS FOR FREE.

yea

Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Donations to OpenBSD
I changed the subject line

On 14/08/14 10:52, Eric Furman wrote:

Fine, buy a T-shirt, but realize that only a small fraction of the cost actually goes to OpenBSD. When you buy a CD the vast majority of the cost goes to OpenBSD. Who cares whether you need the CD or not. Buy it for the cool stickers. Throw the CD in the trash for all I and the OpenBSD developers care.

Respectfully I find that a bit offensive.

Ask me for a donation if you want. But do not expect me to buy an object to be manufactured, shipped 1/3 of the way around the globe and then I'll throw it in the trash. Not cool at all.

OpenBSD is, it seems, very cool and worth supporting. I am investigating using the mechanism detailed in http://www.openbsd.org/bank-donation.html...

Looking at https://https.openbsd.org/cgi-bin/order there seems to be no difference in CDs and T'Shirts in so far as where the money goes. I do understand from conversations I have had that there is a difference.

Lastly: IMO It is time to change. CDs are no longer useful. I have OpenBSD on a VPS so stickers are a waste of time too.

I would like to donate some money, but it is not easy. I would like to know for sure that the money goes to the project. For expenses or to developers, who spend so much time on this, to spend on whatever they want (beer, fish, little rubber balls...) But I will not buy things I cannot use.

Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Re: Donations to OpenBSD
On 14/08/14 11:45, patrick keshishian wrote:

You can do what I do. I purchase the CDs but request the vendor not to send me the actual, physical CDs. That's my preferred donation method.

Cool. Where does the money all go in that case?

Definitely the most simple option so far. How does it compare for using the SWIFT method outlined on the website?

Worik

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Re: Donations to OpenBSD
On 14/08/14 11:55, Theo de Raadt wrote:

Well OBVIOUSLY CDs accumulate more revenue than T-shirts, so recently we've not made any T-shirts because it isn't worth it, the setup costs and overheads are higher than the number sold. If you guys don't buy enough of them, then we don't do the setup. Other than that, there is no difference to you, except that I would guess you don't buy any, and you don't fund the Project or the Foundation, and all of this is idle chatter.

Nope. I have a Blow Fish T'shirt from years gone by. I bought a CD back then too. It was useful then.

I fully get the set-up costs of T'shirts. That is a shame but if it is too much work I can go naked.

Definitely not idle chatter. I am interested in getting beer into your fridge or biscuits into your dog or whatever. Absolutely not idle chatter!

Suggestion: Package the release notes, FAQ and some other documentation into a PDF and sell that at the same price as the CD, from the same place. I'd buy that. It would be better quality than the (often) crap O'Reilly sell, and I buy that.

Not idle chatter. Finding efficient ways to get you money given the date.

W

--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)