Re: Disable/Passprotect single user mode
On Saturday, August 27, Dave Feustel wrote: On Saturday 27 August 2005 06:07, JSD wrote: I have a big root access problem. If someone has physical access to my OpenBSD box, then he/she can switch into single user mode (-s) and can change the password of root. It is a big problem for me and I would like to password protect this single user mode or to totally disable this function but I don't know how. In your bios, you should be able to set a boot password which will prevent booting until the password is given. Oh god, please just read the ttys(5) manual, and mark the console as not being secure. PCs in general are shitty pieces of hardware that are easy to circumvent. Your BIOS password would prevent the machine from booting automatically after a power outage, for example... --Toby.
Re: adding a partition, fdisk, disklabel, and other fun
On Tuesday, September 6, Kelly Martin wrote: I've got an A6 primary partition with various /usr and /var style partitions within. Pretty standard, but I ran out of disk space. I added a second primary A6 partition in the free space of the same disk using fdisk, but cannot figure out how to use disklabel and newfs properly to add this new partition and then mount it as /var/www/htdocs. In general, we don't support two A6 partitions. Having said that, there is nothing preventing you from partitioning it as something else (say.. um, MSDOS-16, or... some other nondescript number), and then using disklabel to use that space (I forget the command that lets you edit the label with out-of-bounds portions). Not necessarily recommended, will void your warranty, and you could lose data... --Toby.
Re: adding a partition, fdisk, disklabel, and other fun
On Wednesday, September 7, Alexander Hall wrote: Well, I was referring to the OBSD MBR partition (of type A6) (aka BIOS partitions), à la fdisk(8). Maybe a bit unclear on that. So, basically, I wondered if it would be possible to extend MBR: ||A6 partition..|Unpartitioned|...| OBSD: |.|wd0a|..|wd0f| into MBR: ||A6 partition|...| OBSD: |.|wd0a|..|wd0f|wd0g|wd0h|...| Yes, that is very possible. Just edit the A6 partition to have a new end where you want it. --Toby.
Re: Technical OpenBSD kernel documentation.
On Wednesday, September 14, Bernd Schoeller wrote: On Wed, Sep 14, 2005 at 10:03:36AM -0600, Tobias Weingartner wrote: Anything not covered by man pages is covered by the source. This is nicely said, but ... reading source code (any language) of a complex system is very difficult without information on concepts. It is like trying to find your way around a city without a map. I've done that. :) You start to build yourself a map. Take a small part of the world you see, and explore it. Then move on from there. A map will only tell you that some things are connected. But it will in general not tell you that the really cool Pho place is just down that street, around a corner and 1/2 down a small tiny alley. And trust me, you want to find that Pho place... Perhaps this knowledge is one of the differences between the people that know the insides of OpenBSD and the others (that includes me, I am currently trying very hard to work myself into the code). Also, not every part of the source code is easy to understand. C code tends to use acronyms for variable and function names. The man 9 pages are a great help (OpenBSD at least offers these, much better than many other OSs), but a query for more abstract information should not be answered by a 'read the source'. Unfortunately, in many cases it must be. You become fluent in various parts of the kernel source by reading it. Studying it, and changing it. The documentation that is out there is a guide or overview at the very best, and misleading at the worst. I am working with McKusick/Neville-Neil's Design and Implementation of the FreeBSD OS and the Stevens books (TCP Illustrated and Advanced Programming in the Unix Environment), though I cannot say yet how far this will help me with OpenBSD. Cross-reading the book with the man pages and the source might help. Again, for the concepts, I'm sure those books have value. Maybe for some bed-side reading. --Toby.
Re: Live cd
On Tuesday, September 20, Alex Stamatis wrote: I want to thank all of you who replied on my previous mail about the live cd. I've seen many of those links you sent me which talk on how you can create a live cd. I would have done it myself but unfortunately I can't due to tech reasons right now. Do the tech reasons happen to exist between your ears? Ok, that was a little harsh. I apologize. Also I don't know if it would have been good since I am an openbsd noob! As I said I study at the American College of Greece and the head of dept agreed to use obsd for the teaching of unix instead of the crappy linux and asked me to get it to him. So, point your browser at www.openbsd.org/items.html and purchase a 3.8 CD set. Give that to your head of department. So if someone can create this live cd and upload it on the web just to download it and dist to all college I would really appreciate it. You want us to distribute a live cd to all the colleges? I know that time is precious for everybody so if no one can do it I will understand. But if you can you will help openbsd grow not only in many ppl but in the educational system of c.i.s as well. How precious do you think this time is? Enough to pay? Enough to actually go and look at some of the links that people have given you? Enough for you to spend some time, money, and frustration in following one or two of those links? --Toby.
Re: PostgreSQL/other DBs and OpenBSD?
On Monday, September 26, Szechuan Death wrote: What is wrong with dump/restore/tar is that nobody running a network larger than two computers uses it. Yes, I'm sure you can make it work with plenty of Perl scripting, some clever use of cron and ssh, and plenty of disk space. Nobody in their right mind wants to create such a Frankenstein's monster, or to maintain it. Also, dump/restore/tar et al. don't handle tape or pool management, so you get the limitless joy of having to figure out which tapes/volumes can be safely expired - woe betide you if you guess wrong! Oops, maybe there's data on all the tapes that you need, so you can't reuse any of them. How do you compact it? And so forth. I don't even want to _think about_ the scripting that would require. Oh, did I mention that dump/restore don't exist on anything but a Unix system? ports/misc/amanda - check it out. Administrators don't want that; they want a daemon that they can change the flags for in rc.conf from NO to , tweak the config file for five minutes, start the daemon, and feel the file-duplicating happiness as their clients are backed up painlessly. This is what I propose. Backup is as individual as you and me. I propose some default features - transparent encryption of backed-up files, perhaps, maybe even SSL for transport - that would make it a _secure_ backup solution that is usable over the big, bad Internet. Again, looking at the original post, the database seemed to me to be part and parcel of this, for efficiency reasons. As you might be aware, you can't have a dependency outside the src/ tree; you can't have an OpenBAK or whatever that pauses in the middle of make to say This requires PostgreSQL from the ports tree, go install it and come back. Not gonna work. That compels the introduction of a database as well. I *don't* want a database in my backup scheme. At least not the type you are thinking of.
It has been my unfortunate experience that the database will usually let me down at the worst of times. Sure, if you need some indexes to search things faster, so be it, but be able to search without them. You've not thought this through beyond Hey, what is this kneejerking happening here? Oh, I get it, everything about OpenBSD is so easy, I wish files would just automagically be backed up as well! Nice thought, honestly. Now, do some research. --Toby.
Re: make build fails
On Tuesday, September 27, Jörg Horchler wrote: I installed OpenBSD 3.7 via cd37.iso and HTTP. Now I want to build a new release. I checked out the source code via 'cvs co -P -rOPENBSD_3_7 src'. Then I did what is written in 'man release'. (Build a new kernel etc.) But when I do a 'make build' it fails with Ok, the documented procedure does work... === usr.sbin/afs/usr.sbin/ydr ok... === usr.sbin/afs/lib === usr.sbin/afs/lib/libarla ln -sf /usr/src.new/usr.sbin/afs/lib/libarla/../../src/lwp/lwp_asm.c lwp.c ln -sf /usr/src.new/usr.sbin/afs/lib/libarla/../../src/lwp/lwp_asm.h lwp.h ../../usr.sbin/ydr/ydr -I/usr/src.new/usr.sbin/afs/lib/libarla /usr/src.new/usr.sbin/afs/lib/libarla/../../src/rxdef/vldb.xg ../../usr.sbin/ydr/ydr: not found *** Error code 1 hmm... Stop in /usr/src.new/usr.sbin/afs/lib/libarla (line 32 of /usr/src.new/usr.sbin/afs/lib/libarla/Makefile.rxdef.inc). *** Error code 1 Stop in /usr/src.new/usr.sbin/afs/lib. *** Error code 1 Stop in /usr/src.new/usr.sbin/afs. *** Error code 1 Stop in /usr/src.new/usr.sbin. *** Error code 1 Stop in /usr/src.new. *** Error code 1 Huh!?! Where in the documentation does it say to put the source in /usr/src.new? Stop in /usr/src.new (line 72 of Makefile). What can I do to build a release? Follow the documentation. --Toby.
Re: Migration to PF - some questions
On Saturday, October 1, Travis H. wrote: Yeah, I neglected stateful matching. I should have said that every packet that has to run the gauntlet of rules, has to run all of them. Subsequent reading of the PF FAQ confirms that there's no deep evaluation-reordering magic going on, that quick rules really are faster. There are various optimizations going on, in particular, skip-steps is one that has proven to be effective... :) --Toby.
Re: Limiting Shell Access Damage (was Guruness)
On Wednesday, October 19, Will H. Backman wrote: Turning this into a learning experience: Does anyone have any hints or advice about hardening OpenBSD for shell accounts? Do people tweak things other than the login.conf settings? I have to deal with student shell accounts where students are learning to program and often create problems by accident. A number of things... login.conf is your best friend. We used to run labs of OpenBSD machines here. They were easily our most stable and workable platform. --Toby.
Re: Telnet daemon retired in 3.8 ?
On Tuesday, November 8, Shawn K. Quinn wrote: Telnet is a horribly insecure protocol subject to at least two attacks by third parties with access to any part of the network between the two hosts. Thus, telnetd is gone for a damn good reason, that being that it's a turd that has no place in a secure by default OS. nc(1) is an option... If you absolutely must have telnetd, I guess you can compile it from the source in 3.7, but please, you should be fully aware that this opens up security holes big enough that a tank can be driven through without the appropriate countermeasures; at a minimum, you should use one-time passwords (S/Key) to make password sniffing useless, and only allow telnet connections from networks where you know for sure nobody with root access will try to hijack or eavesdrop on connections (such as a LAN where either you are the sole admin or you know and trust the other admins). Or tunnel it... oh, say through ssh? :) :) :) --Toby.
Re: Very low sound
In article [EMAIL PROTECTED], Pieter Verberne wrote: outputs.lineout=125,125 outputs.lineout=85,85 Strange... Try changing these to 255. --Toby.
Laptop death...
Hi all, I hate doing this, but I'm in a tiny bit of a bind. I'm in need of a new laptop. My old IBM T40p is slowly giving up the ghost after 5+ years of faithful service. As this is my main terminal to hack on and do everything I do on a computer, its impending doom will significantly affect me. I've looked at the options available, and there really are not that many. I know that there are *lots* of laptops out there that would work, but I am somewhat particular in what I get next. At the current time I'm looking at buying: 26238YU - T60P CD/2.0 1GB 100GB 14.1 SXGA+ DVDR WLS BT DOS Rough Price: $1,645.99 - $1,878.99 Along with this comes taxes and shipping, etc. Unfortunately my current financial situation is that I can only afford to spend $400-$500 dollars on this. Is there anyone out there that could help me out with the rest? Thanks a lot, --Toby.
Re: Laptop death...
On Thursday, August 2, [EMAIL PROTECTED] wrote: This is really bad that your laptop is dead.. It is unfortunate that it happened now. The timing sucks. but I personally always wonder how it can be that such an over-qualified person can't even earn enough damn money for a laptop?! I mean it's not an airplane... I'm not a super hacker but I was able to get money to buy a pretty PowerBook5,7 when I needed it... Ahh, I shouldn't respond... I really shouldn't. Seriously, I tend to buy my own way most places. Unfortunately, this time lady luck decided to abandon me at a rather inconvenient time. My financial resources (yes, I have a job) were busy fixing other things. As such, my dead laptop will basically mean that I would not have had access to a hacking laptop for roughly 2-3 months. This would be ok except for the fact that several of us have been having mini hackathons on a weekly basis, and I'd like to keep going to them (and being more productive than a pop/food server). [rest snipped] --Toby.
Re: Swap priority and paging strategy... a couple of questions
[EMAIL PROTECTED], [EMAIL PROTECTED] wrote: My question is really around unreferenced state data that has been pushed out to swap and isn't being demand paged back in. Is there functionality in the swap strategy to migrate such pages to a lower priority device so that you can bias performance of pages referenced more often against the higher priority swap device? No, there is not. If there was, swap-off could be made to work. On the other hand, if it's never referenced... why would you care where and on what type of swap it happens to be? It would likely be better off on the slow swap so as to leave the fast stuff available to more active pages, no? -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Atheros 5424
In article [EMAIL PROTECTED], Aaron Hsu wrote: I am just wondering if any work is going into the Atheros 5424 chipset? (I noticed some disturbing news about new code being added to the Atheros code.) How much work would be involved to get the chipset working? Documentation? Seriously, why not ask Atheros for programming docs for the chipset in question? -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: comics and recurring donations Was: Show your appreciation and get your 4.2 DVD
In article [EMAIL PROTECTED], Craig Brozefsky wrote: /me raids refrigerator for leftover curried rice... Curried rice! Hmm... gotta get me some new spices... -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: unstable and multiple reboot for 4.2 on Sun X4100 M2 with ACPI enable on AMD64 bsd.mp with SAS RAID 1 setup.
In article [EMAIL PROTECTED], Daniel Ouellet wrote: So, I am not sure what testing you did, unless you built your own. New snapshots were just released now, which I will be happy to test tonight and see the results and report back. If you guys could test out my ACPI diff I posted to tech@, that may help. -Toby. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: [Possibly OT] 16-bit Assembly Programming
In article [EMAIL PROTECTED], Aaron Hsu wrote: I am attempting to create an assembly program (for a class) on OpenBSD. The teacher has no issue with me developing the code based on the UNIX-based assembly (int 0x80 syscalls vs. int 0x21 DOS function), but he does not want me to use 32-bit code. I believe this has something to do with him wanting me to use a real-addressing mode as opposed to the 32-bit protected mode. I'm doing x86 assembly. One thing your teacher may not know is that x86 assembly includes the 32-bit environment, and (now) also a 64-bit environment. However, running 16-bit code under OpenBSD i386 is going to be somewhat difficult. We don't bother supplying 16-bit services, and only consume 16-bit services (from the bios) for a few things necessary. It is hard, and somewhat error prone. I would recommend you run bochs and/or qemu with a freedos installation or somesuch. You can still use OpenBSD as your development platform, but your code would be run inside a 16-bit (to start with) environment. The other nice thing is that you'd have an ICE-like debugger for your code, which can be very handy in debugging what is going wrong. Good luck, --Toby.
Re: sudo wheel group
Ted Unangst wrote: cp /bin/sh /usr/local/bin/xsh chmod u+s /usr/local/bin/xsh then only tell the trusted users about xsh, and you can avoid sudo altogether. Ohhh... EEEVVVILLL... :) -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: ACPI Security
Nick Guenther wrote: I just came across these notes on ACPI: http://lwn.net/2001/0704/kernel.php3 (search down for acpi) and got wondering what OpenBSD's take on securing ACPI is. Can AML code actually be an attack vector, or are there safeguards in place in OpenBSD against that? Well, if you have access to a machine before the OS loads, all bets are off. I can load up a different BIOS that gives me a backdoor, or load up a bunch of AML that does funky stuff. Really nothing you can do to prevent that. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Speed Problems Part 2
rezidue wrote: kern.version=OpenBSD 4.0-stable (GENERIC.MP) #0: Thu Mar 15 07:28:19 CST Just for the hell of it, try running GENERIC, instead of GENERIC.MP. --Toby.
Re: Get developers some big machines to support more RAM
Timo Schoeler wrote: AMD64 or EM64T machine with 8GB+ of RAM (or $1700 to buy one) needed in Edmonton. Contact [EMAIL PROTECTED] Having the hardware will help some. I've got access to some larger hardware here at the university, and have sent out the large mem diff for amd64 machines. I've had almost ZERO feedback. In the end I've given up for the time being. I'd still love having my own machine with 8GB+ of ram, it may motivate me in actually finishing the patch (for amd64 at least), and possibly help in motivating me testing any future buffer cache diffs... -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: CVS - Lock File
On Wednesday, May 4, Alan Finlay wrote: I have done significant work with ClearCase and CVS in a software development team environment, and some minor work with other revision control tools. Team size for ClearCase was around 20 developers, and with CVS around 10 developers. For an open source project like OpenBSD, CVS is quite likely the best choice, but for other situations ClearCase has advantages. *chuckle* Those are small teams. I've worked on projects (both open and commercial) that had significantly more developers than what you mention above. Locking has *never* been an issue for development. It has, however, been an issue for various PHBs that needed some way to satisfy their hunger for control over the people that actually get the coding done. --Toby.
Re: Sad boot problem (boot.conf: invalid argument)
On Thursday, June 9, Luciano ES wrote: Hello, Stuart. The answers to your latest questions: On 09/06/05 at 12:11, Stuart Henderson wrote in 7K: How does 'fdisk wd0' look? - The second slice (offset 63) was marked as unknown. Then I fixed it with OpenBSD's fdisk. Now it is marked as OpenBSD. The problem is that I have done that many times. The OpenBSD gets lost mysteriously. Often, between two reboots of OpenBSD (without booting any other system). Something is overwriting it. Where does your 'a' slice begin? What is the output of 'disklabel wd0'? --Toby.
Re: Problem booting from wd0
On Thursday, June 16, Uwe Dippel wrote: It installs your PBR boot block, i.e. your partition boot block. Thanks for the info! - But still, I don't see how this comes into view: the kernel was looking 'broken' at loading in the OP; OP? What is OP? then he wiped the MBR. Should he not better fdisk -u wd0 to get the MBR back? That's one way. --Toby.
Re: GRUB's boot parameter
On Friday, June 17, ikesan wrote: panic: /boot too old; upgrade! Oh! I installed the newest version of OpenBSD, and how can I upgrade it? Because I could not boot OpenBSD. So I thought GRUB's parameter was wrong. Use the chainloader. Use the chainloader. Use the chainloader. Use the chainloader. Use the chainloader. Use the chainloader. Use the chainloader. Use the chainloader. Use the chainloader. Use the chainloader. --Toby.
Re: A system for patches....
On Monday, June 20, [EMAIL PROTECTED] wrote: Somebody could write a shell script which includes the checksums for a compiled (and patched) binary for each architecture. Sure, my company could do that. The rate I've quoted you before. Or you could do it yourself... only to find out that the checksum will be different each time you compile a package/etc (in general). I would be happy if somebody else (even if this somebody would kill -9 my idea) would answer and tell me his opinion but the current status sucks a lot and it could be fixed easily (I think). If you think something is easy, please, step up, and provide a proof of concept (at least). Otherwise, step up and provide the money to have someone competent look at your idea. At least *you* won't look like a fool that way... --Toby.
Re: OT: Hardware keyloggers embedded in new keyboards?
On Monday, June 20, Dave Feustel wrote: I thought you had more insight. All of OpenBSD's security is at risk with this technology. Nope, he has lots of insight. You on the other hand are the security risk here... well, you were, and maybe, just maybe, if you smarten up and realize what you are looking at you will end up *not* being as big a security risk. To put it bluntly, insecure hardware will (usually) always screw over the software that runs on it. Use hardware that you know is secure, and you have no problem. Use hardware you don't know is secure, well, you just don't know. Another reason not to use an i-cafe except through a zaurus... --Toby.
Re: Honesty needed...
I'm late to the game... but why not split the load over a number of servers? Using carp for redundancy, rdr/round-robin and/or hash, you should be able to spread the load some. --Toby. On Wednesday, June 29, Jeffrey Lim wrote: On 6/29/05, Matt Juszczak [EMAIL PROTECTED] wrote: Just spoke with the boss. My boss really wants to run SMP. He's an ill-informed business man and thinks that a single 3 GHz with 4 GB RAM couldn't handle our mail server, which I believe it would have no problems at all doing. sounds like somebody who wouldn't know the difference anyway if you just went right ahead and *not* used smp, and told him otherwise, doesn't it? I'm not saying outright that you should really give up smp - but this is an option for you. -jf 10,000 users isn't that many. Either way, if he's set on SMP, then I either need to go to another *BSD other than FreeBSD which won't have this problem (such as OpenBSD, although do you know whether or not OpenBSD's SMP can support Dual Xeons?) or NetBSD. Otherwise, I have to go to linux or windows which I really don't want to do at all. Thanks again for your help. Regards, Matt
Re: IDE / SATA Filesystem Mounting Problem
On Sunday, July 24, bofh wrote: On 7/24/05, George Georgalis [EMAIL PROTECTED] wrote: I have the sense there is a way to use GENERIC, somehow I just need to tell the kernel the BIOS disk 0x80 is wd0, 0x81 is wd1, 0x82 is wd2 and so forth, not the other way around. Maybe wd0 at pciide0 ... above is the easiest way. Are you saying 0x80 is *not* wd0? Wow, that's umm... very different from all the other OSes that I know of. 0x80 does not have to be wd0. --Toby.
Re: x86 rings?
On Thursday, August 4, Ed White wrote: Is there any plan to use x86 cpus rings (0..3) to improve OpenBSD security? Can you enlighten me how that would improve security? If you can show me a way that does not break the unix/posix model of the universe, I'm all ears. --Toby.
Re: syslogd udp port
On Thursday, August 4, poncenby wrote: I remember asking how to stop syslogd opening udp port 514 a while ago and never doing anything about it, here goes again... And people asked you to search the archives. Proto Recv-Q Send-Q Local Address Foreign Address (state) udp 0 0 *.514 *.* Yes, yes, it's got a socket open. So what? reading the man page doesn't really answer why there is a program listening on udp 514, seeing as I haven't passed syslogd the -u switch -u Select the historical ``insecure'' mode, in which syslogd will accept input from the UDP port. Some software wants this, but you can be subjected to a variety of attacks over the network, including attackers remotely filling logs. can anyone point me in the right direction so this annoying behaviour stops. also, is there a switch for netstat which shows the pid/process for each listening port? About 5 F*ING LINES later the man page says: syslogd opens an Internet domain socket as specified in /etc/services. Normally syslogd will only use this socket to send messages outwards, but in ``insecure'' mode it will also read messages from this socket. syslogd also opens and reads messages from the UNIX domain socket /dev/log, and from the special device /dev/klog (to read kernel messages). syslogd opens the above described socket whether or not it is running in secure mode. If syslogd is running in secure mode, all incoming data on this socket is discarded. The socket is required for sending forwarded messages. Read, breathe, relax... Just because a program has a port open does not mean it is insecure. It could be having a port open in order to *SEND* data, and never *EVER* receive data. --Toby.
Re: stat() st_ctime
On Tuesday, November 15, B. Gas wrote: I run the system call stat from a little C program that shows the status of a file... The time displayed is in seconds and therefore I need some help from anyone to show me how to make the time stamp look like something like the example below: Access: 2005-11-09 09:17:46 (2005-11-09 08:17:46 UTC) Modify: 2005-11-09 09:17:01 (2005-11-09 08:17:01 UTC) Change: 2005-11-09 09:17:01 (2005-11-09 08:17:01 UTC) man ctime(3), date(1), etc... --Toby.
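As an added example (not code from the thread), a small C program that does what the poster asks: it reads the three stat(2) timestamps and prints each as local time with the UTC value in parentheses, using localtime_r(3)/gmtime_r(3) and strftime(3), which is where ctime(3) points you. The reference value in the check helper is constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/stat.h>

/* Format a time_t as "YYYY-MM-DD HH:MM:SS" in UTC. Returns buf, or NULL on failure. */
static char *fmt_utc(time_t t, char *buf, size_t n)
{
    struct tm tm;

    if (gmtime_r(&t, &tm) == NULL)
        return NULL;
    if (strftime(buf, n, "%Y-%m-%d %H:%M:%S", &tm) == 0)
        return NULL;
    return buf;
}

/* Same, but in the local time zone (honours TZ, like date(1)). */
static char *fmt_local(time_t t, char *buf, size_t n)
{
    struct tm tm;

    if (localtime_r(&t, &tm) == NULL)
        return NULL;
    if (strftime(buf, n, "%Y-%m-%d %H:%M:%S", &tm) == 0)
        return NULL;
    return buf;
}

/*
 * Build one line in the format the poster wanted:
 *   "Access: 2005-11-09 09:17:46 (2005-11-09 08:17:46 UTC)"
 * Returns the number of characters that would have been written (as
 * snprintf does), or -1 if a conversion failed.
 */
static int fmt_stamp(const char *label, time_t t, char *out, size_t n)
{
    char local[32], utc[32];

    if (fmt_local(t, local, sizeof local) == NULL ||
        fmt_utc(t, utc, sizeof utc) == NULL)
        return -1;
    return snprintf(out, n, "%s: %s (%s UTC)", label, local, utc);
}

/* Check helper: does the UTC rendering of t equal expect? (1 = yes, 0 = no) */
static int utc_equals(time_t t, const char *expect)
{
    char buf[32];

    if (fmt_utc(t, buf, sizeof buf) == NULL)
        return 0;
    return strcmp(buf, expect) == 0;
}

int main(int argc, char **argv)
{
    struct stat st;
    char line[128];

    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 1;
    }
    if (stat(argv[1], &st) == -1) {
        perror("stat");
        return 1;
    }

    /*
     * st_ctime is the inode change time (permissions, owner, link count,
     * and so on), not a creation time; st_mtime is the last data write.
     */
    if (fmt_stamp("Access", st.st_atime, line, sizeof line) < 0 ||
        puts(line) == EOF ||
        fmt_stamp("Modify", st.st_mtime, line, sizeof line) < 0 ||
        puts(line) == EOF ||
        fmt_stamp("Change", st.st_ctime, line, sizeof line) < 0 ||
        puts(line) == EOF)
        return 1;
    return 0;
}
```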
Re: Filesystem redundancy
On Wednesday, November 16, Will H. Backman wrote: Maybe OpenBSD can merge with OpenVMS, which should be easy given that four of the letters are already the same. OpenVMS has some amazing clustering capabilities. It's actually 5 letters... and if *you* can't even get that much right, how the *HELL* is such a merge ever going to get properly done!?! :) --Toby.
Re: Tyan Thunder LE SMP issues
On Wednesday, November 16, Lokkju wrote: Sorry, given in this context means someone is letting me play with them to see if I can get them working with OpenBSD. They display equivalent crashes in NetBSD - I have not tried FreeBSD or any linux distros. Ok, if 2 operating systems show similar crashes... I'd hazard a safe guess that there is something broken. As for Memcheck86+, I can leave it running for over 24 hours with no issues, and no errors reported. As far as I know, this is UP, and does not use SMP. Chances are you have some sort of SMP issue... maybe with the 2nd CPU. --Toby.
Re: Tyan Thunder LE SMP issues
On Thursday, November 17, Lokkju wrote: Well, according to Theo, this is something of a known bug - he told me that you (Toby) were working on it... I have yet to be convinced of that. All the bugs in this area have so far been hardware issues. But I've been wrong before... As Brain said, I have swapped the processors, and run memcheck86 with each of them being in the first slot. If anyone has any further suggestions on how I might test the hardware portion, I would love to try them, as I have a total of two duplicate motherboards, 4 duplicate processors, and 8 duplicate 256MB ram sticks I can try swapping around. Split it into 2 identical systems. See if both of them have the same problem. That would help me out somewhat. --Toby.
Re: finding duplicate files
On Friday, December 16, Smith wrote: Is there any unix utility or script or OpenBSD port that will find duplicate binary files within a directory? md5(1) and sort(1) should largely do what you want. --Toby.
Re: APIC
On Tuesday, January 3, martin wrote: Does OpenBSD 3.8 use the APIC (Advanced Programmable Interrupt Controller)? In bsd.mp, yes. Some cards, e.g. telephony and framegrabbers, have issues with the limited standard XT 16 IRQs. How so? APIC motherboards give you 24 or more (I've seen as many as 101) interrupts. Sure, let's see... You'd need 24 / 4 (A, B, C, and D) = 6 PCI slots. I suppose that's doable on a MB. Why you'd need 101 interrupt pins is beyond me... Besides doing a dmesg | grep irq, is there another way of seeing the assigned interrupts? e.g. For Linux cat /proc/interrupts reveals:- Dell PowerEdge 2850 (dual Xeon) cat /proc/interrupts CPU0 CPU1 0: 6184515 72 IO-APIC-edge timer 1: 8 1 IO-APIC-edge i8042 9: 0 0 IO-APIC-level acpi 12: 65 1 IO-APIC-edge i8042 14: 11 2 IO-APIC-edge ide0 46: 19595 1 IO-APIC-level megaraid 64: 66366 1 IO-APIC-level eth0 65: 77045 1 IO-APIC-level eth1 101: 6113521 1 IO-APIC-level wctdm NMI: 1 0 LOC: 6184694 6184698 ERR: 0 MIS: 0 Ok, you've got 4 level, and 4 edge triggered interrupts. In order to manage these, you need at least 5 pins (ok, 2 would do, but I'll say that each edge should have its own), and at most 8. Your APIC is not going to help in the department much over the older style PIC. It does tend to be faster though... --Toby.
Re: learning to code - suggestions needed
On Tuesday, January 3, Joe S wrote: Do you have any recommendations on how I should get started? Any help or recommendations would be appreciated. Just get started. Learn C. Look at code. Read code. Understand. --Toby.
Re: Blowfish still good enough?
On Wednesday, January 4, Andreas Bartelt wrote: In my personal opinion, I think, the weakest link is entering the password when opening a svnd device. Are there already solutions known which combine passwords (knowledge) with hardware devices (i.e. smartcards) or biometrics in order to access some secure storage? I don't own one, but don't at least a couple of newer IBM notebook models have a fingerprint reader and a TPM built in? Do you think a combination of these measures would improve overall security? Sure, if you can get me the datasheet/etc, I'll see about possibly writing a driver for the fingerprint reader. I've contacted the company that makes them, and they refused to even talk to me. Maybe you have better luck. Otherwise, it's all talk... --Toby.
Re: Apple MacBook Pro support
On Wednesday, January 11, Constantine A. Murenin wrote: Anyone has any plans on this matter? Do you have enough money to buy a few (note, more than 2) developers the required hardware, along with the documentation (if they are not using a standard PC bios) to do the port? Are you willing to part ways with it? If you say yes to both, I'll devote some time to having a good look at it... :) --Toby.
Re: pf by mac address?
On Sunday, January 22, David Benfell wrote: Is it possible? You have hostile users. They know how to change IP addresses. You want to block by another means they are able to change. Instead have a look at authpf. --Toby.
Re: Marvell Yukon 88E8053 PCI-E Gigabit
On Wednesday, January 25, Christoph Fritz wrote: Maybe the linux source is all docu they give out? Linux source is *not* documentation. --Toby.
Re: boot.conf timeout ignored on amd64?
On Friday, January 27, Toni Mueller wrote: - /etc/boot.conf --- set timeout 30 boot /bsd.mpr - /etc/boot.conf --- This should give me a 30 second pause before the machine boots the named kernel, but instead, it boots _immediately_, so I have no time to make up my mind to choose a different kernel. What am I doing wrong? No, boot.conf is just as if you had typed the stuff on the command line. When you say 'boot foo', the bootblocks go ahead, and boot foo. No wait. No sleep. What you want is something like: set timeout 30 set image /bsd.mpr --Toby.
Re: MAC filter Bridge
On Wednesday, February 1, Badbanchi Hossein wrote: Does this really mean that no hash function is used? I mean if I have 2 MAC Addresses and want to check **each packet** against this list serially, I suppose I had better forget about it! The immediate question that rises to the surface is... WHY? --Toby.
Re: MAC filter Bridge
On Wednesday, February 1, Badbanchi Hossein wrote: I intend to switch the traffic originating from unknown MACs to a quarantine subnet, connected to a third interface member of the bridge. Basing security policies on something as easily changeable as a MAC address (and as public as a MAC address) is stupid. Rethink your approach. --Toby.
Re: Brain wash for live partition, or directory mirroring concept idea(s)?
On Wednesday, February 1, Daniel Ouellet wrote: The idea is to configure a directory on a master server to copy the files that are changed in its monitored directory to one or multiple other server(s) in the same directory structure. nfs? You keep the master copy on the nfs server, and the slave copies on the clients... You export the portion that you want to be able to mount. It's all there... :) Well, ok, except the part about what happens when the server goes down. --Toby.
Re: MAC filter Bridge
On Wednesday, February 1, Badbanchi Hossein wrote: Basing security policies on something as easily changeable as a MAC address (and as public as a MAC address) is stupid. Thanks for the compliment. You're welcome. Honestly though, what would you call it? Although this might seem (or actually BE) stupid in publicly accessible environments, for a closed environment like our company LAN, this is good enough. Here I don't want to protect the LAN against the extreme hacker, but against our legitimate guests who come to visit someone or take part in some meeting, and simply open their laptop and connect the NIC to the nearest free LAN socket. This could be because they want to download the latest PowerPoint file for their presentation! Our policy is to provide Internet Access to our guests (of course while logging every activity), but we need to first distinguish them in order to provide them with at least an initial AUP (Acceptable Use Policy), or even scan the machine for vulnerabilities and the like. And who's to say they actually read the AUP? Personally I'd do it slightly differently.
1) Mac-lock the switch ports of the machines that are supposed to be connected permanently. (Yes, not perfect, but what can you do...)
2) vlan the ports that are plug-and-play to their own vlan
3) Use authpf to authenticate them, at least then you can ply them with your AUP before they accept (type a password). It will be a lot less implied, but an active action taken on their part.
Rethink your approach. Other approaches like 802.1x are also known to me. But our need is more modest. Have a look at authpf. It's not the end-all be-all, but it does solve a lot of problems in a very elegant fashion. --Toby.
Re: openbsd's future plans?
On Wednesday, February 8, Felipe Scarel wrote: Just to explain better what happened, I was willing to install OpenBSD on the machine even if it somewhat lost some power because of the SMP stuff. However, my boss doesn't share the same views regarding security with me, so I had no choice. Since this is a CS Department, it's rather impossible to disagree with the people here when it comes to computers. Bull. You can always disagree. Run on the system what is needed. If you need high-performance SMP, see what there is available that will give you the performance you need. Stick it behind a decent firewall. If this is to be a firewall... well, you makes your choices... --Toby.
Re: Linksys (Cisco) = OpenBSD VPN config
On Wednesday, February 8, Jack Culpepper wrote:
    Encryption Key: 123456789012345678901234
    Authentication Key: 12345678901234567890
So then on the OpenBSD end, those correspond to:
    Encryption Key: 3132333435363738393a3132333435363738393a31323334
    Authentication Key: 3132333435363738393a3132333435363738393a
Right? Because on the Linksys web interface, each character is a byte, and on the OpenBSD side, each pair of hex characters is a byte. I don't know... but 3a != 0. --Toby.
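The conversion the poster tried to do by hand, as an added example that is not part of the original thread: hex-encode the ASCII keys the way OpenBSD expects, decode the posted hex back to text so the stray 0x3a (':') shows up, and check the raw key length against the algorithm. The key values are the ones quoted above; the algorithm length table is an assumption for a 3DES/HMAC-SHA1 manual-keying setup.

```python
"""Convert Linksys-style ASCII IPsec keys to the hex form OpenBSD wants.

Added example, not from the original thread. The key values are the
ones quoted in the message; the cipher/auth length table is an
assumption for a common 3DES/HMAC-SHA1 manual-keying setup.
"""
import binascii

# Keys as typed into the Linksys web interface (one byte per character).
LINKSYS_ENC_KEY = "123456789012345678901234"
LINKSYS_AUTH_KEY = "12345678901234567890"

# Hex strings the poster derived by hand, kept for comparison.
POSTED_ENC_HEX = "3132333435363738393a3132333435363738393a31323334"
POSTED_AUTH_HEX = "3132333435363738393a3132333435363738393a"

# Expected raw key lengths in bytes (assumed algorithm set).
KEY_BYTES = {"3des": 24, "aes128": 16, "hmac-md5": 16, "hmac-sha1": 20}


def ascii_key_to_hex(ascii_key: str) -> str:
    """Hex-encode an ASCII key: each character becomes two hex digits."""
    return binascii.hexlify(ascii_key.encode("ascii")).decode("ascii")


def hex_key_to_ascii(hex_key: str) -> str:
    """Decode a hex key back to text, so a mis-typed key becomes visible."""
    return binascii.unhexlify(hex_key).decode("ascii", errors="replace")


def check_key(hex_key: str, algorithm: str) -> bool:
    """True when hex_key decodes to the byte length the algorithm needs."""
    raw = binascii.unhexlify(hex_key)
    return len(raw) == KEY_BYTES[algorithm]


if __name__ == "__main__":
    for name, ascii_key, posted, alg in (
        ("encryption", LINKSYS_ENC_KEY, POSTED_ENC_HEX, "3des"),
        ("authentication", LINKSYS_AUTH_KEY, POSTED_AUTH_HEX, "hmac-sha1"),
    ):
        correct = ascii_key_to_hex(ascii_key)
        print(f"{name}: correct hex    {correct}")
        # The posted hex decodes to '123456789:...' because 0x3a is ':'
        # while '0' is 0x30.
        print(f"{name}: posted decodes {hex_key_to_ascii(posted)!r}")
        print(f"{name}: {alg} length ok: {check_key(correct, alg)}")
```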
Re: openbsd's future plans?
On Wednesday, February 8, chefren wrote: On 02/08/06 14:56, Nickolay A Burkov wrote: Weee! I think OpenBSD kernel should be implemented in hardware part! Of course, big gate array and stellar performance. So the language should be VHDL! Ugh! That's akin to using C++ and C# at the same time. Use Verilog or something a little more sane... :) --Toby.
Re: Sudo
On Saturday, February 11, Dave Feustel wrote: I found out via a google search on 'tickets sudo' about the behavior I had discovered and reported. Then after Otto let me know how pathetic my post was, I went back to man sudo but found nothing about tickets or about sudo being active in all shells. There may be something in the sudo man page that describes this behavior, but I haven't spotted it yet. My reading skills must be deteriorating. From the first paragraph under DESCRIPTION: Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers). Note, it says user, not shell the user is using. --Toby.
Re: encrypted svnd and disk throughput
In article [EMAIL PROTECTED], Jacob Yocom-Piatt wrote:
    Machine    Size  K/sec %CP  K/sec %CP  K/sec %CP  K/sec %CP  K/sec %CP
    databank.x 300M  18877  91  22440  71  11985  77  20317  75  30745  68
-- You have a 150MB (roughly) machine? processor and 1 GB of 400 MHz DDR2 RAM on i386 4.0-release. Oh, nope. If there is anything further that I can do to up the write and read speeds of these drives besides what I've mentioned above, please let me know. Use a larger test case to test your hypothesis.
    using 4256 buffers containing 53764096 bytes (52504K) of memory
So, out of your 300MB test, 52MB was likely cached in various ways. That being said, svnd/vnd devices have not really been optimized for speed. They are there and work, but could likely stand to be changed and developed significantly. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Loading a Second Kernel
In article [EMAIL PROTECTED], Jon Steel wrote: I have gotten this to work with the use of a file to pass information between boots, but that is not an ideal solution. What I really want is either a way to pass a parameter to the BIOS so that it can pass it to boot upon restarting, or a way to reload the boot loader into memory and then execute it. This is not really possible on the PC architecture. The only way to currently do this is to hack things. Either by putting some stuff into RAM, with checksums and all, and have /boot search for it, and if it finds it, execute it. This may or may not work. Some BIOSes clear memory on reboot, others don't. Another way is to do some hacking to the unused parts of the NVRAM on PCs, and check for that in /boot again, modifying the boot process as you want. It would even be fine to use another operating system on the first boot. So it boots up into say Gentoo, and then when I'm done with that, I want to load OpenBSD. If that is the case, run vmware with a windows/linux host. You can then boot different root disks for example. Does anybody have an idea how I can approach this? Bug Dell and other big consortium PC makers to have a BIOS API defined to store things and retrieve things from NVRAM. Hell, to document what the BIOS will use to configure console redirection, boot ordering, etc, so that we can store and use the information in a compatible manner from userland. Oh, while you're at it, have them define a simple way to do a putc(3) and getc(3) through the bios as well (from 16-bit and 32-bit applications), that will respect console redirections of course. Lalalaa, -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Webservers with Terrabytes of Data in - recomended setups
In article [EMAIL PROTECTED], Nick Holland wrote: Dumping the data from one disk to another is fine and dandy when you are talking about your 40G disk on your home or desktop computer, the fact that you are down for a few hours is no big deal. But what about a server? I don't care how fast your disks are, moving 300G of data to a new disk system is a lot of slow work. This I usually quantify as: we double storage capacity every 18 months, unfortunately, we double transfer speed (actual access/read/write speed) only much slower than that. Deal with it. --Toby.
Re: radeon driver in -current Xorg 7.2?
Matthew Szudzik wrote: Of course, but the kernel doesn't support drm, and somebody reading the documentation has no way to know. At the very least, there could be an Errata section at the bottom of the man page, mentioning that OpenBSD does not support hardware 3D acceleration. Rant, rant, rave, rave, why not submit a patch? -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: 4.1 packages on the ftp sites
In article [EMAIL PROTECTED], frantisek holop wrote: and all you others: so is it not a punishment that you have the cds and still can't use them? hypocrites, all of you! Last time I looked, there were packages on the cd too... -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: root on raid with external usb disks
Eugene Hercun wrote: I'm having a bit of a hard time trying to set up a root on software raid with raidctl with two external usb hard drives. The reason why I am trying to configure this as root on raid is because I have a fast notebook that is continually frying hard drives (I personally think that it has a blown capacitor, but this is not the point) that I do not want to go to waste. So basically what I wanted to do is to configure it as a small vpn and file server to store my personal photos, music, etc. and learn a little more about OpenBSD along the way. Well, you sure tore off a chunk to chew. You're learning now, right? Seriously, you're in the land of it's your own problem. Custom kernels, etc, etc. The problems that I am experiencing are appearing when I try to boot off of the second disk by issuing the following command at boot:
    boot> boot sd1a:/bsd
In which case I get the following response:
    booting sd1a:/bsd; open sd1a:/bsd: Invalid argument
    failed(22). will try /obsd
I have also tried issuing boot hd1a:/bsd which gives me the same result. What is strange is that at the boot prompt, it only sees hd0+, and not the other disk. Welcome to the land of the PC. There are times the BIOS will not see or report on any other disk, but the one you booted off of. Sorry, you lose. I have also tried leaving only the disk with the install copied over plugged in, in which case, OpenBSD starts booting, but then panics since it does not find /dev/console and init. Trace gives me:
    Debugger(d076e864,8,e8900f1c,cf71,0) at Debugger+0x4
    panic(d06b2948,e8900f64,e8900f44,0,0) at panic+0x63
    start_init(d764a000) at start_init+0x16d
    Bad frame pointer: 0xd0907ed8
No /dev/console and no init usually points to pilot error.
I've issued the following commands when I copied over the install:
    mount /dev/raid0a /mnt
    cd /mnt
    mkdir usr tmp home var
    mount /dev/raid0d /mnt/tmp
    mount /dev/raid0e /mnt/var
    mount /dev/raid0g /mnt/usr
    mount /dev/raid0h /mnt/home
    cd /mnt
    tar -Xcpf - / | tar -xvpf -
This only copies root. And it's a bad copy at that... hint, read the tar(1) manpage, in particular the '-X' option section. Also, what makes you think that '/boot' can actually boot things off a raid partition? Depending on things, you may or may not be able to boot a kernel off such a device. Which is entirely separate from having said device be a root partition in the end. I've included below, copies of disklabel information, and my dmesg. Thank you in advance for everyone's help.
    device: /dev/sd1a
    type: SCSI
    disk: SCSI disk
    label: MHV2080AH
    bytes/sector: 512
    sectors/track: 32
    tracks/cylinder: 64
    sectors/cylinder: 2048
    cylinders: 76319
    total bytes: 76319.1M
    free bytes: 0.1M
What the hell is this crap? Did you use '-p m' on this? It makes the output somewhat useless...
    16 partitions:
    #      size   offset  fstype [fsize bsize  cpg]
    a:   512.0M     0.0M  4.2BSD   2048 16384  323 # Cyl     0*-   511
    c: 76319.1M     0.0M  unused      0     0       # Cyl     0 - 76319*
    d: 75807.0M   512.0M    RAID                   # Cyl   512 - 76318
Yup, I have no idea if the first partition starts too early or not.
    16 partitions:
    #      size   offset  fstype [fsize bsize  cpg]
    a:   300.0M     0.0M  4.2BSD   2048 16384  323 # Cyl     0 -   599
Again...
    OpenBSD 4.0 (GENERIC.RAID) #0: Sun Apr 22 09:50:48 PDT 2007
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.RAID
And here we stop... as we don't have your GENERIC.RAID, and to be blunt, I certainly don't have the time to try and re-create your unique setup. Also, let's think about this for a while. No, go back and think. You wanted to learn about a new environment. That's a commendable goal in itself. But think about it again. What did you do wrong? Seriously. You expected to learn about a new environment on buggy hardware in a completely non-standard setup.
Well, learn you will, a *very* steep learning curve. If you like pain, I recommend you keep going on the path you are on. Personally I salute you, it is the way that I wish more people would try to learn. However, if you want things easier. Find a stable box. No, just a capacitor is *not* a stable hardware platform. What makes you think that there is *NOTHING* else wrong with it? The argument of I don't have one does not hold up. Most places on this planet you can find an older computer to do the job. Then use a standard GENERIC setup for your first go around. Much less pain, much less steep learning curve. Good luck, -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Prevent circumventing dansguardian with pf
Chad M Stewart wrote: On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
    pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing internal IPs to send/receive ping is bad. Bull. Not allowing ICMP is just as bad. Worse actually, as you are violating RFCs. Quit spreading this FUD. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Prevent circumventing dansguardian with pf
On Wednesday, April 25, Chad M Stewart wrote: I did NOT suggest blocking ALL ICMP, just echo-request and echo-replies from internal hosts to untrusted IPs. And how is this not violating RFCs? Trojans have used echo-request and echo-reply as a method of covert communication. If you've been compromised, it's already too late. If you had read the original post you'd see that $icmp_types was defined to be echoreq. Irrelevant. I don't think this is FUD. Telling people to worry about the door to the barn after the horse has left is not FUD? It's not misdirection? Tell them to solve the root of their problems instead. --Toby.
Re: NFS mount by non-root
In article [EMAIL PROTECTED], Douglas Maus wrote: Is it possible for users (non-root) to mount NFS exports? Mount, likely not, unless you do sudo. Have a look at nfsshell... -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Binary kernel and base update
In article [EMAIL PROTECTED], Artur Grabowski wrote: Simple, I trust the people I drink beer with. Do they have to be drinking beer too? :) -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Chances of this hardware running OpenBSD?
Timo Schoeler wrote: I was disappointed quite often by vaporware in the Amiga universe, However, as this really might become reality Don't hold your breath. $1500 for a system that is meant to cater to the amiga crowd. *shrug* If you want to start on a port, get in contact with P.A.Semi, and buy their SDK board. The amiga board looks like a 100% knock-off of it. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: 4.0 locked up over the weekend
In article [EMAIL PROTECTED], Nick Holland wrote: cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16 .. Is this an amd64 capable Sempron? It looks like it is, based on the rest of the dmesg. Nope, no LONG in that cpu flags... -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: configuration's errors with pf ?
In article [EMAIL PROTECTED], Yggdrasill Senecoen wrote: Ssh_Cyrrhus=443block in inet This line could be problematic. --Toby.
Re: 4.0 locked up over the weekend
Tobias Weingartner wrote: In article [EMAIL PROTECTED], Nick Holland wrote: cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16 .. Is this an amd64 capable Sempron? It looks like it is, based on the rest of the dmesg. Nope, no LONG in that cpu flags... And while this part is right, that CPU does not have LONG support, it may still exhibit the PAE bug. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Failing to get [EMAIL PROTECTED] in X
In article [EMAIL PROTECTED], Alex Holst wrote: Quoting Jimmy Mitchener ([EMAIL PROTECTED]): Try `sudo 915resolution 4d 1680 1050 32` If 4d is the only one that has 1680x1050 available you only have 16bit color, and you're trying to use 24, so it's not changing anything. Thanks for commenting; this is the relevant output from 915resolution:
    tori$ sudo 915resolution -l | grep 1680
    Mode 3a : 1680x1050, 8 bits/pixel
    Mode 3c : 1680x1050, 8 bits/pixel
    Mode 4b : 1680x1050, 16 bits/pixel
    Mode 4d : 1680x1050, 32 bits/pixel
    Mode 5a : 1680x1050, 24 bits/pixel
    Mode 5c : 1680x1050, 32 bits/pixel
With those settings, I get [EMAIL PROTECTED] - but again xwininfo -root shows that my actual desktop size is 1680x1050.
    xdpyinfo | grep dim
-- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Volume Management
In article [EMAIL PROTECTED], Sibastien Colmant wrote: I'm quite new to OpenBSD but I'm familiar with *nix systems. I'm currently looking at using OpenBSD to build a nas appliance, however after looking into the packages list I haven't found a Volume Manager, anyone able to point me in the right direction? fdisk(8), disklabel(8), bioctl(8), newfs(8), dump(8), restore(8) -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Kernel MINIROOTSIZE 8192 = No Boot
Brian A. Seklecki wrote: The 1st stage loader just resets the prom before the kernel load. And the 1st stage loader would be? mbr? biosboot? /boot? lilo? winxp boot loader? Specifics make a difference. Can anyone else confirm this? You don't even need to elfrdsetroot(8) to test. Just compile bsd.rd with MINIROOTSIZE=16384. I've been using 32768 on my 4.0 systems for the bsd-appliance project. Could well be. You may be overwriting a 16MB hole... I've tested it on an AMD Athlon, an AMD Geode, and a VMWare machine. And no information about the machines beyond that? No dmesg, no information from the boot prompt (machine memory would be nice to have). Grr... -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Kernel MINIROOTSIZE 8192 = No Boot
Brian A. Seklecki wrote: On Fri, 2007-06-15 at 16:51 +, Tobias Weingartner wrote: And no information about the machines beyond that? No dmesg, no information option NKPTP=16 ...fixed it. I wasn't going to burn 200k and 30 minutes on an e-mail about an issue that likely someone already knows about and has a quick one-line fix such as this. (only to get a you're not running GENERIC response) But you wanted us to burn that amount for you? Somewhat selfish, no? The dmesg, and the 'machine memory' may have helped the developers as well. We live in a world where information is like gold, the more you have it, the better we can support all hardware out there. Embedded systems are the type of systems that push the envelope of what it means to be X (a PC, etc). When you give more information along with your requests you help us out by enabling us to get a better generic view of the world out there, and possibly support fringe hardware in the future by generalizing our code. I know there are people out there running embedded environments who were testing 4.1 during -current. And? They may or may not be running *your* hardware. And we may or may not have the information from your hardware to add to our collective list of weird things out there. Again, thank you for your support... -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: facts about OpenBSD
In article [EMAIL PROTECTED], Nikns Siankin wrote:
# Stable release cycle. If you want to run latest bugfree ClamAV or FireFox - upgrade to CURRENT! But don't forget to buy release CD's!!!
Well, by buying the release CD you get a fairly secure method of getting the majority of the bits. (Most snail-mails take security at least a little bit seriously).
# Secure By Default. OpenBSD uses broken WEP for securing WiFi networks. Has no WPA/WPA2 support.
Do you have a need for WPA/WPA2 support? Please feel free to submit patches to implement this functionality. I'm sure that a number of people will be pleased.
# Do not let serious problems sit unsolved. OpenBSD doesn't need MAC because it has their own security flawed systrace.
MAC? As in mandatory access control? Sure we have it. Any unix out there has it. It's called a uid and a list of gid's. Now, if that does not fit your needs, you have options.
# Use of Cryptography. OpenBSD uses file-backed encryption (svnd) which is very suited for Full-disk-encryption. NOT.
Again, feel free to submit patches.
# Full Disclosure. OpenBSD at first denies remote exploitable flaws. DoS flaws gets marked as reliability not security issues.
If your network/systems are set up in such a way that a DoS causes a security issue, the insecure portion is your system, not the machine that happens to tank.
# Easy maintainable. OpenBSD distributes source patches to make your farm of Pentium2 firewalls updated easily.
I've never had a problem. If you do, feel free to build an infrastructure that you (and others?) can use that is better.
# Secure Distribution. The most secure operating system gets distributed on FTP servers as unsigned binaries.
Nah, we sell you real CD's. The FTP servers are there for the convenience of people much less annoying than you. :)
Disclaimer: Like it or not. I'm an OpenBSD user for 4 years. Shit on my head - shit on all OpenBSD supporters.
Huh?
I'd prefer a toilet, but if you're really in the mood, I'm sure there is a place on the internet looking for someone with your particular type of fantasy... *shrug* to each his own I guess. -Toby. PS: Nah, I won't bother CC'ing you. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: facts about OpenBSD
In article [EMAIL PROTECTED], Nikns Siankin wrote: I don't believe anymore, that someone from the side can make it better. The only people who could make it better are talking to the community only when release CDs need to get sold or donations are needed. So you think that the community at large can have an effect on the actual code that gets written? Possibly. You think that the best way to do this is to shit on OpenBSD and somehow reduce the number of CD's sold? To reduce the minimal amount of funding that any of the developers could have? And to top it off, to piss them off and make coding a chore as opposed to a fun thing? While I certainly don't code as much as all the other OpenBSD developers, I can say that removing my enjoyment of spending any of my scarce time coding means it will be spent coding on things I enjoy first, and patches for people I enjoy working with second. People like you don't even come on the horizon. If you believe that these things need to be done, and cannot be done from inside, by all means, the code is all there. Feel free to start producing this much needed code. -Toby. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: building a kernel for net4801 from dmassage
In article [EMAIL PROTECTED], Lars Noodin wrote: 2) Under what circumstances (generally) would one encounter a situation where it would be strongly desirable to have a custom kernel? When I happened to get an obsd kernel running on an 8M memory machine by stripping out network support, unneeded drivers, etc. Yes it needed custom tweaks to make it compile, and yes it worked. Would I do it again? Likely not. -Toby. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: [OT] beefy steel cases
In article [EMAIL PROTECTED], Douglas A. Tutty wrote: I'm wondering if in your travels, have any of you seen a case (tower, desktop, or rackmount) that is:
- Grab an old iron stove, and stuff a newer case into it.
- Go to the nearest welding shop, have them weld a nice 500lb steel box.
- ...
-Toby. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: SMP
On Tuesday, February 21, Gustavo Rios wrote: I was wondering what is the state of art in SMP technologies ? The state of art in SMP tech is this misc@ list. Seriously, think about it. You've just made (and me too!) thousands of cpu's burn some useless energy in processing your question. How neat! And since this will turn into yet another flame fest, there will be more money and energy burned in this cause. I would like to know how close is OpenBSD to it? Well... chances are OpenBSD is running the lists, so we're the root (in some sense) of all this evil! Wow, we actually control (again to some extent) all of this power. We *ARE* the state of art in SMP technologies. Thanks in advance. You're welcome. --Toby.
Re: Atheros WG311T Rev 1, return it or not?
On Tuesday, February 21, Aaron Hsu wrote: ath0 at pci3 dev 7 function 0 Atheros AR5212 rev 0x01: irq 10 ath0: AR5213 7.9 phy 4.5 rf2112a 5.6: RF radio not supported I'd say that would give you a clue. Looks like the radio (rf2112a) is not supported yet. --Toby.
Re: boot.conf
On Friday, February 24, Michael Schmidt wrote: In case you put a boot into boot.conf or set timeout to zero then you do not have the opportunity to boot in single user when it may be necessary. Are there ways to circumvent the latter? With physical access to the machine, yes, there are many ways. --Toby.
Re: SMP process control
On Sunday, February 26, Sgt. Stedenko wrote: Is there a way to tell a process to switch which processor it's using in the SMP version of the obsd 3.8 system? Short of using the primary cpu with a UP kernel, no. Also, have there been any efforts into Ethernet device polling in the bge drivers? On a gigabit network the interrupts are eating a large portion of the cpu0 and thought it might help the situation. No. There is a lot more going on than you seem to possibly fathom. --Toby.
Re: SMP process control
On Sunday, February 26, Sgt. Stedenko wrote: I had already seen that one and didn't find it to be any help. Thanks anyways though for taking the time. The author offers a solution but no explanation. I've tuned many sysctl's and experimented with the mtu's, changing from autoselect to 1000baseT, a few more things. It's two devices acting as a bridge and together they keep a dual opteron system at 70% on CPU0 and the second CPU1 doesn't see any action until CPU0 maxes out. I'd like to change this behaviour. I hope you can code. Seriously. --Toby.
Re: /etc and partitions
On Monday, February 27, Michael Schmidt wrote: version: 3.8 architecture: i386 I have seen that /etc cannot be located on a separated partition. Why can it be not on an extra partition? Where is the information located that tells it how/where to mount the /etc partition from? --Toby.
Re: Backup MX server
On Thursday, March 2, Rod.. Whitworth wrote: On Wed, 01 Mar 2006 23:16:59 -0600, Graham Toal wrote: If your DNS is on the same net as the mailer, it's down too. Senders soon get no result at all when they look you up, with the result that mail *bounces* (unknown address) rather than requeues. NO - it does not! Well, not unless the sending MTA is broken. To quote from Postfix documentation referring to not getting an MX record from DNS: By default, the Postfix SMTP client defers delivery and tries again after some delay. This behavior is required by the SMTP standard. If the client can't find any DNS information on the destination, it tends to bounce. At least in all non-broken MTAs. Try it. Send email to [EMAIL PROTECTED] and see what happens. It also neglects the fact that lots of caching nameservers elsewhere will have a copy of the records that likely will not expire for quite some time. I know mine are set to 3600 but I have had the sad experience of changing a domain from one dns hosting service to another and the old one had a TTL good for a week. This was 1/2 his argument. No DNS info means no DNS info. Not somewhere out there (sung like the song) we have a cache... Note that 5 days of pent-up mail arriving at once can kill a machine even if it is normally up to the peak loads you get, so you want a throttling control both on what the backup MX forwards to you when you return, and what you accept from other sources when you return. 5 days of pent up mail will NOT all arrive at once. Not all of the senders will try again simultaneously and it is also likely that each of them will also not even flush all of the delayed messages in one batch. Rate limiting in decent MTAs mitigates the problem. It most certainly will if the backup MTA sends it all at once. And if you read what you responded to, he said make sure that the backups do rate limiting. And you respond with "Rate limiting in decent MTAs mitigates the problem." So? Why are you saying what you are saying?
That said, having backup DNS located elsewhere is never harmful as long as you can get it updated as fast as your master in house. scp, rsync, etc, etc. It will tend to get updated faster than the primary, considering you've got to edit the primary's version by hand (usually). --Toby.
Re: OpenBSD 3.8 ports quality?
On Sunday, March 12, Wijnand Wiersma wrote: I have a problem with gnome and the gnome guys should just fix it. So, go bug the gnome guys. Switching is NOT the solution. I use crappy software, it crashes, I like the pain, I will not switch, please help. I have a LART here somewhere... --Toby.
Re: 4.0-beta
Bryan Irvine wrote: I can't wait to see what goodies you've been holding back for the 4.0 release. ;) Hold back? Congrats on the momentum, and thanks for the good work. Thanks. :) -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: What is the equivalent to glibc's __libc_freeres?
Vesselin Peev wrote: The glibc C runtime library has a function __libc_freeres to free any memory allocated by the runtime. What is the equivalent in OpenBSD's libc? exit(3) -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: GPL = BSD + DRM [Was: Re: Intel's Open Source Policy Doesn't Make Sense]
Martin Schröder wrote: 2006/10/6, Adam [EMAIL PROTECTED]: It's complete and utter nonsense actually. The linux kernel is used in closed source products all the time, it has no effect there just like it Please show us one example of a closed source Linux device. Sure, the broadcom wireless device inside the linksys routers. Yes, they are open source devices, you can get the linux distribution from linksys, but good luck getting source for their blobs. On the contrary closed source Linux systems have been forced (even in court) to deliver the sources. This is impossible with BSD. Some yes, at the expense of other freedoms. -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Contributing and Shame [Was: Lenovo notebooks?]
In article [EMAIL PROTECTED], Breen Ouellette wrote: I feel that if the user base can meet the financial needs of the project then the user base is doing its part. Unfortunately, I know of several people who use OpenBSD that will never send in a flat penny. These are the same people that have 2TB of disk space on their main desktop, running a pirated copy of Windows XP, with 2000 CDs and DVDs of pirated music and movies sitting on their bookshelf. They feel that everything that isn't nailed down should be free. I believe that you mean they feel that anything that is not nailed down is free to be stolen. There is quite the chasm between free and stolen property. --Toby.
Re: [OT] sparc64 CPU specifications: pipelines
Paul Irofti wrote: Thanks, but I'm interested in specific details regarding sparc, not generic concepts and fundamentals. Sparc as implemented by whom? I mean, you can find VHDL/Verilog source out there for the LEON implementation of the sparc CPU. But I'm sure that Fujitsu, and everyone else out there, likely did their own implementation of pipelining/etc.
Re: Boost OpenBSD security - Zophie for 3.9
Wijnand Wiersma wrote: Development cycle of OpenBSD 4.0 support starts tomorrow and will be finished when 4.1 releases? Sure, why not.
Re: Firewall partially failing with high traffic
In article [EMAIL PROTECTED], Chris Cameron wrote: I have a 3.8 PF/CARP setup that I can reproducibly screw up simply by cat'ing lots of text over a telnet session. Chances are that you're hitting some bug in 3.8 that has likely been fixed in 3.9 or 4.0. Or the rule you're using to pass the traffic is wrong. Are you using keep state? Are you using 'flags S/SA' on that rule? With the amount of information you've given, it is hard to even theorize what could be wrong. People would need more information. --Toby.
Re: fdisk automation scripts? Autopartition?
In article [EMAIL PROTECTED], Michael Dexter wrote: Might anyone have any pointers to sources of fdisk automation scripts for OpenBSD that can determine the size of a disk and follow a set of partitioning guidelines? Scenario: cookie-cutter systems with different drive sizes. Options like use the remainder for /usr are always handy. [Wrapping lines is handy...] fdisk -i What you're looking for is disklabel, and the manpage may help...
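Toby's answer names the two tools (fdisk -i to lay down the single OpenBSD slice, disklabel for the rest); what the poster still has to write is the part that turns a drive size into partition sizes under a fixed guideline. The script below is an added example from the editor, not code from the thread or from OpenBSD. Its assumptions: the guideline numbers (512 MB root, 1 GB swap, 10% /var capped at 8 GB, /usr gets the remainder), the constructed 80000 MB demo disk, 512-byte sectors in disklabel(8) output, and the prompt order of the disklabel -E editor when adding a partition (offset, size, FS type, then mount point for non-swap partitions). The last assumption is the one to verify interactively on your release before letting the script touch a real disk.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): a cookie-cutter
# partition planner. Given the usable size in MB, apply a fixed guideline and
# print one line per partition:   <letter> <mount point> <size in MB>
# All guideline numbers are assumptions picked for illustration.

# plan_layout TOTAL_MB
plan_layout() {
    total=$1
    root=512                       # /   : fixed
    swap=1024                      # swap: fixed
    var=$(( total / 10 ))          # /var: 10% of the disk ...
    if [ "$var" -gt 8192 ]; then var=8192; fi   # ... at most 8 GB
    if [ "$var" -lt 256 ]; then var=256; fi     # ... at least 256 MB
    usr=$(( total - root - swap - var ))        # /usr: the remainder
    if [ "$usr" -lt 1024 ]; then
        echo "plan_layout: $total MB leaves only $usr MB for /usr, too small" >&2
        return 1
    fi
    # c is the whole-disk partition, so the data partitions are a, b, d, e.
    printf 'a / %d\n'    "$root"
    printf 'b swap %d\n' "$swap"
    printf 'd /var %d\n' "$var"
    printf 'e /usr %d\n' "$usr"
}

# disk_size_mb DEVICE
# Size of the c (whole disk) partition from disklabel(8) output, in MB, minus
# 2 MB of slack for the slice offset and rounding. Assumes 512-byte sectors
# and that disklabel prints the line as "c: <sectors> <offset> ...".
disk_size_mb() {
    disklabel "$1" | awk '$1 == "c:" { print int($2 / 2048) - 2 }'
}

# plan_to_disklabel_script < plan
# Convert a plan into the answers disklabel -E asks for when adding a
# partition. Assumption: the prompt order is offset, size, FS type, and (for
# non-swap partitions) mount point; an empty line accepts the default.
plan_to_disklabel_script() {
    while read -r letter mnt size; do
        printf 'a %s\n' "$letter"   # add partition <letter>
        printf '\n'                 # offset: default (right after the previous one)
        printf '%sM\n' "$size"      # size in MB
        if [ "$mnt" = swap ]; then
            printf 'swap\n'         # FS type: swap (no mount point is asked for)
        else
            printf '\n'             # FS type: default 4.2BSD
            printf '%s\n' "$mnt"    # mount point
        fi
    done
    printf 'w\nq\n'                 # write the label and quit the editor
}

# Usage: sh plan.sh                      -> plan for a constructed 80000 MB disk
#        sh plan.sh wd0                  -> disklabel -E script for wd0 (dry run)
#        sh plan.sh wd0 | disklabel -E wd0   -> actually write it (destructive)
if [ $# -ge 1 ]; then
    plan_layout "$(disk_size_mb "$1")" | plan_to_disklabel_script
else
    plan_layout 80000
fi
```

Run it without arguments first to see the plan; with a device name it only prints the editor script, and nothing is written until that output is deliberately piped into disklabel -E. The planner refuses disks where the remainder for /usr would drop under 1 GB rather than silently producing an unusable layout.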
Re: auto adding of hosts to bad_guys table
In article [EMAIL PROTECTED], Aaron Martinez wrote: For instance, I don't run telnetd anywhere and so if a connection to port 23 is made, I would like to add the connecting machine's IP to a 'bad_guys' table on the fly so subsequent connects will be dropped. For the life of me I can't find where I read this.. is it possible or was I imagining it? Nah, read the pf faq, or the pf/pf.conf manpage. Just set the connections per time to a really low value for a given time (like 1/60) on the rule/port which you are dealing with, which should pretty much give you what you're looking for.
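The rule shape Toby points at here, together with the 'flags S/SA' and 'keep state' questions from the firewall post two messages up, written out as an added pf.conf fragment by the editor; this is not configuration posted in the thread. The interface name, the table name bad_guys, the 1/60 rate from the reply and the 86400-second expiry are illustrative choices. One caveat a practitioner needs before copying it: pf.conf(5) describes max-src-conn and max-src-conn-rate as limits on connections that have completed the 3-way handshake, precisely so that a spoofed source cannot fill the table. On a port where nothing listens, the kernel answers the SYN with a RST and no handshake ever completes, so a plain keep state rule would never overload anybody. synproxy state makes pf complete the client's side of the handshake itself, which is why the honey rule uses it; confirm the behaviour on your release by connecting to port 23 twice within a minute and then running pfctl -t bad_guys -T show.

```pf
# Added example, not from the thread. Names and numbers are illustrative.
ext_if = "fxp0"

# Sources that tripped a limit land here. "persist" keeps the table alive
# even when no loaded rule currently references it.
table <bad_guys> persist

# Whatever is already in the table is dropped first, on every port.
block in quick on $ext_if from <bad_guys> to any

# Default deny for the rest.
block in on $ext_if

# Honey rule: telnetd never runs here, so a source opening a second
# connection to port 23 within 60 seconds is added to <bad_guys> and all of
# that source's existing states are killed ("flush global").
# synproxy state completes the client's handshake on pf's behalf, which is
# what lets max-src-conn-rate count a connection to a port nobody serves.
pass in on $ext_if proto tcp from any to ($ext_if) port 23 \
    flags S/SA synproxy state \
    (max-src-conn-rate 1/60, overload <bad_guys> flush global)

# The services actually offered. flags S/SA creates state only on the
# initial SYN, so a stray ACK or RST never creates a state entry of its own.
pass in on $ext_if proto tcp from any to ($ext_if) port { 22, 80 } \
    flags S/SA keep state
```

Entries added through overload stay in the table until removed, so a cron job such as `pfctl -t bad_guys -T expire 86400` is the usual way to age them out after a day; `pfctl -t bad_guys -T show` lists what has been caught so far. If the honey rule's synproxy is unwanted, the alternative is a logged block rule on port 23 and a log watcher that adds offenders with `pfctl -t bad_guys -T add`, at the cost of acting on unverified, possibly spoofed, source addresses.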
Re: Google's Perftools and tcmalloc - Worth the risk?
In article [EMAIL PROTECTED], Richard Wilson wrote: I dunno. Am I being overly paranoid, or should I stick with nice dependable old-fashioned malloc? I usually take dependable and slightly slower over faster and nastier any day. Especially if it's fast enough.
Re: Google's Perftools and tcmalloc - Worth the risk?
On Monday, March 19, Chris 'Xenon' Hanson wrote: Optimally, you could switch between allocators as a compile-time define. Use a tougher allocator for debugging and stress testing. Use a lighter, faster one in situations where you are confident that the code is solid and needs speed more than bullet-resistance. If that was useful, people would do this all the time. You're making a number of assumptions. Among them is that the lighter allocator does not have any bugs that are exploitable. That there is no interaction between it and the rest of your code (say it allocated free'd memory in a certain pattern that is exploitable by external code), and a host of other things. Also, as most people that have done large-scale real-world deployment of services will tell you, you need real-world exercising of your code in order to find your bugs. The rest (test data, etc) is a way to get some assurance, but in the end it does not substitute for the real thing. Compile time options are bad. --Toby.
New cpuid code to test
Hello all, I'd love to get another round of cpuid testing done (i386/amd64). The code is available at: http://www.tepid.org/~weingart/cpuid.c I'd appreciate it if people could do something like the following on their i386 and amd64 boxes:
make cpuid
./cpuid | mail -s 'cpuid output' [EMAIL PROTECTED]
Thanks, --Toby.
Re: max number of groups
In article [EMAIL PROTECTED], Douglas A. Tutty wrote: There has to be _some_ solution but it doesn't have to revolve around groups. Surely we don't need a separate box for every 16 projects (and let's not get into another reason to use Xen :)) ) Group accounts with ssh keys controlling access.
Re: linux kills laptop hard drive... how does obsd behave?
Adliger Martinez von der Unterschicht wrote: I am a total amateur and new to the list. I moved recently from linux and I am running openbsd usually (not on this system) because of a number of things (I guess I don't need to be eloquent here). And asks me how my OS behaves. Is there a laptop mode for obsd? And, if so, is there a similar problem as explained in the web site? Unless you set this up yourself, OpenBSD does not do anything like this. Note, this does not help if the disks come with bogus firmware from the factory. -Toby.
Re: Embedding OpenBSD
In article [EMAIL PROTECTED], Nick Holland wrote: What have I forgotten? Is there anything else I can do to avoid slapping my forehead and saying, D'oh! Forgot to ... before I ship it out fully detached? The good news is I'm pretty sure there is at least one OpenBSD developer near-by, but that's just all the more reason to make sure I don't screw it up, I'll never live it down. :) Unless you have a need to keep state, I'd not bother in any way to write to the flash. I'd have a bsd.rd on there that gets loaded on boot. No fsck necessary, completely in ram, etc. -Toby.
Re: possible bug in CDROM recognition?
Russell Gadd wrote: I was going to ask for assistance as my new install of OBSD wouldn't recognise the cdrom. However after much investigation I fixed it by changing the physical position of the device from IDE slave on the secondary IDE interface to master (in dmesg speak, from channel 1 drive 1 to channel 1 drive 0), as I noticed that it was configured as slave but there was no master on this interface. Having a slave on an IDE channel without a master is undefined behaviour. I.e., your machine was configured wrong. The fact that it worked with some software was a fluke. -Toby.
Re: Improving disk reliability
Stuart Henderson wrote: It wouldn't be more likely that the disk _crashes_ by doing this, and it may give _some_ protection against _some_ failure modes. It also gives new and exciting ones to take their place. Actually, since you'd be mirroring to two different portions of the same disk (assuming a non-flash device), chances are you would be more likely to crash.
1) You'll be running more code. More code, more bugs.
2) You'll be writing everything to two parts of the same disk, making the disk continuously seek 1/2 a disk distance.
Likely not something you want to promote. -Toby.
Re: Open Source Article Spawns Interesting Ethical Question
In article [EMAIL PROTECTED], chefren wrote: On 1/8/08 11:28 PM, Marco Peereboom wrote: 2. Same NIC without flash/ROM bad Eh, that's just a meaningless pile of transistors. Surely you jest? An FPGA is a meaningless pile of transistors? Weird... -Toby.