Re: Add rtable capability to login.conf

2022-02-18 Thread Ted Unangst
On 2022-02-06, Ted Unangst wrote:
> On 2022-02-05, Matthew Martin wrote:
> > On Sat, Jan 29, 2022 at 06:25:32PM -0600, Matthew Martin wrote:
> > > On Sat, Jan 29, 2022 at 07:10:00PM -0500, Ted Unangst wrote:
> > > > I believe it would be better to add setrtable to id pledge.
> > 
> > ping
> > 
> > Also are there any opinions on adding LOGIN_SETRTABLE to doas?
> 
> I think this diff looks fine.
> 
> For doas, we can use setall with an extra note in the man page.

Final auction for oks. I think all the login.conf.d changes are in now.

Plan is to add setrtable to pledge first so people don't get caught, then libc.

> 
> 
> Index: doas.1
> ===
> RCS file: /home/cvs/src/usr.bin/doas/doas.1,v
> retrieving revision 1.25
> diff -u -p -r1.25 doas.1
> --- doas.116 Jan 2021 09:18:41 -  1.25
> +++ doas.16 Feb 2022 18:41:53 -
> @@ -54,6 +54,8 @@ and
>  and the
>  .Xr umask 2
>  are set to values appropriate for the target user.
> +Other values may also be set as specified in
> +.Pa /etc/login.conf .
>  .Ev DOAS_USER
>  is set to the name of the user executing
>  .Nm .
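
Review bot: The added sentence "Other values may also be set as specified in /etc/login.conf" does not tell the reader which values are meant. Since the doas.c hunk switches to LOGIN_SETALL, name the settings that are newly applied (this thread is about the routing table), or at least reference the login.conf manual page with .Xr rather than only giving the file path with .Pa.
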
> Index: doas.c
> ===
> RCS file: /home/cvs/src/usr.bin/doas/doas.c,v
> retrieving revision 1.93
> diff -u -p -r1.93 doas.c
> --- doas.c30 Nov 2021 20:08:15 -  1.93
> +++ doas.c6 Feb 2022 18:39:38 -
> @@ -450,10 +450,7 @@ main(int argc, char **argv)
>   if (targpw == NULL)
>   errx(1, "no passwd entry for target");
>  
> - if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
> - LOGIN_SETPATH |
> - LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
> - LOGIN_SETUSER) != 0)
> + if (setusercontext(NULL, targpw, target, LOGIN_SETALL) == -1)
>   errx(1, "failed to set user context for target");
>  
>   if (pledge("stdio rpath exec", NULL) == -1)
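
Review bot: Replacing the six explicit flags with LOGIN_SETALL in the setusercontext() call means doas now applies every setting the library implements, including any added later, instead of a reviewed list. If that is the intent, say so in the commit message and list what is newly applied. The test also changes from != 0 to == -1, so a non-zero return other than -1 would no longer be treated as a failure; confirm that setusercontext() only returns 0 or -1.
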
> 
> 



Re: Use installboot(8) in armv7 install.md

2022-02-18 Thread Theo de Raadt
Lovely.


Visa Hankala  wrote:

> Use installboot(8) in armv7 install.md.
> 
> OK?
> 
> Index: distrib/armv7/ramdisk/install.md
> ===
> RCS file: src/distrib/armv7/ramdisk/install.md,v
> retrieving revision 1.51
> diff -u -p -r1.51 install.md
> --- distrib/armv7/ramdisk/install.md  7 Feb 2022 20:24:30 -   1.51
> +++ distrib/armv7/ramdisk/install.md  18 Feb 2022 14:14:46 -
> @@ -31,7 +31,6 @@
>  # machine dependent section of installation/upgrade script.
>  #
>  
> -NEWFSARGS_msdos="-F 16 -L boot"
>  MOUNT_ARGS_msdos="-o-l"
>  
>  md_installboot() {
> @@ -47,10 +46,14 @@ md_installboot() {
>   *)  ;; # XXX: Handle unknown platform?
>   esac
>  
> - # Mount MSDOS partition, extract U-Boot and copy UEFI boot program
> + if ! installboot -r /mnt ${1}; then
> + echo "\nFailed to install bootblocks."
> + echo "You will not be able to boot OpenBSD from ${1}."
> + exit
> + fi
> +
> + # Apply some final tweaks on selected platforms
>   mount ${MOUNT_ARGS_msdos} ${_disk}i /mnt/mnt
> - mkdir -p /mnt/mnt/efi/boot
> - cp /mnt/usr/mdec/BOOTARM.EFI /mnt/mnt/efi/boot/bootarm.efi
>  
>   _mdec=/usr/mdec/$_plat
>  
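
Review bot: In the new failure branch of md_installboot(), the bare exit returns the status of the echo before it, so the script ends with status 0 even though installboot -r /mnt ${1} failed; use an explicit non-zero status such as exit 1. The same hunk names the disk ${1} for installboot and ${_disk} for the mount on the following lines; use one name for both and quote the expansion so the two commands cannot end up pointing at different devices.
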
> @@ -82,6 +85,8 @@ md_installboot() {
>   bs=1024 seek=8 >/dev/null 2>&1
>   ;;
>   esac
> +
> + umount /mnt/mnt
>  }
>  
>  md_prep_fdisk() {
> @@ -91,7 +96,6 @@ md_prep_fdisk() {
>   local bootsectorstart="32768"
>   local bootsectorsize="32768"
>   local bootfstype="msdos"
> - local newfs_args=${NEWFSARGS_msdos}
>  
>   while :; do
>   _d=whole
> @@ -106,8 +110,7 @@ md_prep_fdisk() {
>   echo -n "Creating a ${bootfstype} partition and an 
> OpenBSD partition for rest of $_disk..."
>   fdisk -iy -b 
> "${bootsectorsize}@${bootsectorstart}:${bootparttype}" ${_disk} >/dev/null
>   echo "done."
> - disklabel $_disk 2>/dev/null | grep -q "^  i:" || 
> disklabel -w -d $_disk
> - newfs -t ${bootfstype} ${newfs_args} ${_disk}i
> + installboot -p $_disk
>   return ;;
>   [eE]*)
>   # Manually configure the MBR.
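
Review bot: installboot -p $_disk in md_prep_fdisk() runs unchecked, and "done." has already been printed by the time it starts, while the installboot -r call in md_installboot() gets an explicit failure message. This call replaces the disklabel and newfs steps, so if it fails the install carries on without a prepared boot partition. Check its return status, report the failure, and print "done." only after it succeeds.
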
> Index: distrib/armv7/ramdisk/list
> ===
> RCS file: src/distrib/armv7/ramdisk/list,v
> retrieving revision 1.46
> diff -u -p -r1.46 list
> --- distrib/armv7/ramdisk/list4 Oct 2021 01:34:29 -   1.46
> +++ distrib/armv7/ramdisk/list18 Feb 2022 14:14:47 -
> @@ -63,6 +63,7 @@ LINKinstbin 
> usr/bin/sed
>  LINK instbin usr/bin/signify
>  LINK instbin usr/bin/tee
>  LINK instbin usr/sbin/chroot
> +LINK instbin usr/sbin/installboot
>  LINK instbin usr/sbin/mkuboot
>  LINK instbin usr/sbin/pwd_mkdb
>  ARGVLINK ksh -sh
> 



Re: Use installboot(8) in armv7 install.md

2022-02-18 Thread Mark Kettenis
> Date: Fri, 18 Feb 2022 14:20:03 +
> From: Visa Hankala 
> 
> Use installboot(8) in armv7 install.md.
> 
> OK?

ok kettenis@

> Index: distrib/armv7/ramdisk/install.md
> ===
> RCS file: src/distrib/armv7/ramdisk/install.md,v
> retrieving revision 1.51
> diff -u -p -r1.51 install.md
> --- distrib/armv7/ramdisk/install.md  7 Feb 2022 20:24:30 -   1.51
> +++ distrib/armv7/ramdisk/install.md  18 Feb 2022 14:14:46 -
> @@ -31,7 +31,6 @@
>  # machine dependent section of installation/upgrade script.
>  #
>  
> -NEWFSARGS_msdos="-F 16 -L boot"
>  MOUNT_ARGS_msdos="-o-l"
>  
>  md_installboot() {
> @@ -47,10 +46,14 @@ md_installboot() {
>   *)  ;; # XXX: Handle unknown platform?
>   esac
>  
> - # Mount MSDOS partition, extract U-Boot and copy UEFI boot program
> + if ! installboot -r /mnt ${1}; then
> + echo "\nFailed to install bootblocks."
> + echo "You will not be able to boot OpenBSD from ${1}."
> + exit
> + fi
> +
> + # Apply some final tweaks on selected platforms
>   mount ${MOUNT_ARGS_msdos} ${_disk}i /mnt/mnt
> - mkdir -p /mnt/mnt/efi/boot
> - cp /mnt/usr/mdec/BOOTARM.EFI /mnt/mnt/efi/boot/bootarm.efi
>  
>   _mdec=/usr/mdec/$_plat
>  
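
Review bot: mount ${MOUNT_ARGS_msdos} ${_disk}i /mnt/mnt is still unchecked, and after this change it exists only for the platform tweaks that follow. If the mount fails, any later step that copies files under /mnt/mnt writes into that directory on the new root filesystem instead of the boot partition. Test the mount and skip or fail the tweaks when it does not succeed.
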
> @@ -82,6 +85,8 @@ md_installboot() {
>   bs=1024 seek=8 >/dev/null 2>&1
>   ;;
>   esac
> +
> + umount /mnt/mnt
>  }
>  
>  md_prep_fdisk() {
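
Review bot: The added umount /mnt/mnt at the end of md_installboot() ignores its own result, so if the unmount fails the boot partition stays mounted and nothing tells the user that files written to it may not have been flushed. Report a failure here in the same way the installboot -r branch does.
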
> @@ -91,7 +96,6 @@ md_prep_fdisk() {
>   local bootsectorstart="32768"
>   local bootsectorsize="32768"
>   local bootfstype="msdos"
> - local newfs_args=${NEWFSARGS_msdos}
>  
>   while :; do
>   _d=whole
> @@ -106,8 +110,7 @@ md_prep_fdisk() {
>   echo -n "Creating a ${bootfstype} partition and an 
> OpenBSD partition for rest of $_disk..."
>   fdisk -iy -b 
> "${bootsectorsize}@${bootsectorstart}:${bootparttype}" ${_disk} >/dev/null
>   echo "done."
> - disklabel $_disk 2>/dev/null | grep -q "^  i:" || 
> disklabel -w -d $_disk
> - newfs -t ${bootfstype} ${newfs_args} ${_disk}i
> + installboot -p $_disk
>   return ;;
>   [eE]*)
>   # Manually configure the MBR.
> Index: distrib/armv7/ramdisk/list
> ===
> RCS file: src/distrib/armv7/ramdisk/list,v
> retrieving revision 1.46
> diff -u -p -r1.46 list
> --- distrib/armv7/ramdisk/list4 Oct 2021 01:34:29 -   1.46
> +++ distrib/armv7/ramdisk/list18 Feb 2022 14:14:47 -
> @@ -63,6 +63,7 @@ LINKinstbin 
> usr/bin/sed
>  LINK instbin usr/bin/signify
>  LINK instbin usr/bin/tee
>  LINK instbin usr/sbin/chroot
> +LINK instbin usr/sbin/installboot
>  LINK instbin usr/sbin/mkuboot
>  LINK instbin usr/sbin/pwd_mkdb
>  ARGVLINK ksh -sh
> 
> 



Re: ping icmp ident collisions

2022-02-18 Thread Florian Obser
On 2022-02-18 12:17 +10, Jonathan Matthew  wrote:
> The only thing ping uses to determine whether a received icmp echo reply packet is a
> response to one of its requests is the 16 bit icmp ident field.  If you ping enough
> stuff at the same time, eventually you'll have two concurrent pings using the same ident,
> and they will both see each other's replies.  Since we do tricky MAC stuff on the ping
> payload, this results in signature mismatches that look like this:
>
> PING 172.23.94.210 (172.23.94.210): 56 data bytes
> 64 bytes from 172.23.94.210: icmp_seq=0 ttl=253 time=0.820 ms
> 64 bytes from 172.23.94.210: icmp_seq=1 ttl=253 time=0.419 ms
> 64 bytes from 172.23.94.210: icmp_seq=2 ttl=253 time=0.369 ms
> signature mismatch!
> 64 bytes from 172.23.94.210: icmp_seq=3 ttl=253 time=0.273 ms
>
> --- 172.23.94.210 ping statistics ---
> 4 packets transmitted, 5 packets received, -- somebody's duplicating packets!
> round-trip min/avg/max/std-dev = 0.273/0.376/0.820/0.265 ms
>
> ping is counting the packet with the signature mismatch as a reply it received, and it
> prints a misleading message about duplicated packets because it got more replies than
> the number of requests it sent.
>
> I think it would be more helpful not to count signature mismatch packets as replies.
> If you're actually getting corrupted replies, I'd say that's more like packet loss
> than normal operation.  If you're getting extra replies due to ident collisions, this
> will result in ping sending and receiving the expected number of packets.
>
> Printing the source address and sequence number on signature mismatches would also help.
> I would have figured this out much quicker had ping told me the mismatch packets were
> from a completely different source.  For example:
>
> PING 172.23.94.210 (172.23.94.210): 56 data bytes
> 64 bytes from 172.23.94.210: icmp_seq=0 ttl=253 time=2.645 ms
> 64 bytes from 172.23.94.210: icmp_seq=1 ttl=253 time=1.360 ms
> 64 bytes from 172.23.94.210: icmp_seq=2 ttl=253 time=0.506 ms
> 64 bytes from 172.23.94.210: icmp_seq=3 ttl=253 time=0.615 ms
> signature mismatch from 10.138.79.45: icmp_seq=0
> 64 bytes from 172.23.94.210: icmp_seq=4 ttl=253 time=0.431 ms
>
> --- 172.23.94.210 ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.431/1.111/2.645/0.835 ms
>
> ok?

OK florian

I think we can go further and also check the from address in the echo
reply case, like this.

If something on the path is so confused as to answer to our pings with
the wrong source address I think it's tcpdump time...

Feel free to put this in at the same time if you agree.

diff --git sbin/ping/ping.c sbin/ping/ping.c
index 6fa634bca3e..e47baa8912c 100644
--- sbin/ping/ping.c
+++ sbin/ping/ping.c
@@ -181,6 +181,9 @@ char *hostname;
 int ident; /* random number to identify our packets */
 int v6flag;/* are we ping6? */
 
+struct sockaddr_in dst4;
+struct sockaddr_in6 dst6;
+
 /* counters */
 int64_t npackets;  /* max packets to transmit */
 int64_t nreceived; /* # of packets we got back */
@@ -243,8 +246,8 @@ main(int argc, char *argv[])
struct addrinfo hints, *res;
struct itimerval itimer;
struct sockaddr *from, *dst;
-   struct sockaddr_in from4, dst4;
-   struct sockaddr_in6 from6, dst6;
+   struct sockaddr_in from4;
+   struct sockaddr_in6 from6;
struct cmsghdr *scmsg = NULL;
struct in6_pktinfo *pktinfo = NULL;
struct icmp6_filter filt;
@@ -1285,6 +1288,13 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
}
 
if (echo_reply) {
+   if (v6flag) {
+   if (memcmp(&dst6, from, sizeof(dst6)) != 0)
+   return; /* 'Twas not our ECHO */
+   } else {
+   if (memcmp(&dst4, from, sizeof(dst4)) != 0)
+   return; /* 'Twas not our ECHO */
+   }
++nreceived;
if (cc >= ECHOLEN + ECHOTMLEN) {
SIPHASH_CTX ctx;
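
Review bot: memcmp(&dst6, from, sizeof(dst6)) and the dst4 equivalent compare the whole sockaddr rather than the address, so a reply from the right host is dropped if any other field (port, flow info, scope id, padding) differs between the resolved destination and the address received with the packet. Compare only sin_addr / sin6_addr, and check the received address length before reading sizeof(dst6) bytes from from. The check also assumes every valid reply comes from the destination address, which does not hold when the target is a broadcast or multicast address.
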
@@ -1302,7 +1312,10 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
 
if (timingsafe_memcmp(mac, &payload.mac,
sizeof(mac)) != 0) {
-   printf("signature mismatch!\n");
+   printf("signature mismatch from %s: "
+   "icmp_seq=%u\n", pr_addr(from, fromlen),
+   ntohs(seq));
+   --nreceived;
return;
}
timinginfo=1;
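
Review bot: --nreceived on the mismatch path only undoes the ++nreceived at the top of the echo_reply branch. Moving the increment to after the MAC check, while keeping it for replies shorter than ECHOLEN + ECHOTMLEN that skip the check, avoids the counter being wrong in between and keeps a later early return from leaving it incremented.
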


>
> Index: ping.c
> ===
> RCS file: /cvs/src/sbin/ping/ping.c,v
> retrieving revision 1.245
> diff -u -p -r1.245 ping.c
> --- pin
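
The reply matching discussed in this message, as an added example (not code from the thread or from ping.c): it models the ident check, the proposed source address check and the MAC check, and shows that a stray reply from a ping sharing our ident is rejected without being counted. The struct and function names, the keys and the ident 0x1234 are constructed for illustration, and `toy_mac` is an insecure stand-in for ping's SipHash MAC.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { REPLY_OK, NOT_OUR_IDENT, FOREIGN_SOURCE, BAD_MAC };
struct reply { in_addr_t src; uint16_t ident, seq; uint64_t mac; };
struct pinger { in_addr_t dst; uint16_t ident; uint64_t key; int nreceived; };
struct outcome { enum verdict stray; int nreceived; };

/* Stand-in keyed tag (NOT SipHash, not secure): models a MAC under a per-process key. */
static uint64_t toy_mac(uint64_t key, uint16_t ident, uint16_t seq)
{
	uint64_t x = (key ^ (((uint64_t)ident << 16) | seq)) * 0x9E3779B97F4A7C15ULL;
	return x ^ (x >> 29);
}
/* The echo reply a target sends back for request number seq of pinger p. */
static struct reply echo_of(const struct pinger *p, uint16_t seq)
{
	return (struct reply){ p->dst, p->ident, seq, toy_mac(p->key, p->ident, seq) };
}
/* Count a reply only if ident, source address (optional) and MAC all match. */
static enum verdict classify(struct pinger *p, struct reply r, int check_src)
{
	if (r.ident != p->ident)
		return NOT_OUR_IDENT;
	if (check_src && r.src != p->dst)	/* address only, not the whole sockaddr */
		return FOREIGN_SOURCE;
	if (r.mac != toy_mac(p->key, r.ident, r.seq))
		return BAD_MAC;			/* stray or corrupt: not counted */
	p->nreceived++;
	return REPLY_OK;
}
/* Constructed scenario: A and B drew the same ident and A also sees B's reply. */
struct outcome scenario(int check_src)
{
	struct pinger a = { inet_addr("172.23.94.210"), 0x1234, 0x1111, 0 };
	struct pinger b = { inet_addr("10.138.79.45"), 0x1234, 0x2222, 0 };
	struct outcome o;

	for (uint16_t s = 0; s < 5; s++)
		classify(&a, echo_of(&a, s), check_src);
	o.stray = classify(&a, echo_of(&b, 0), check_src);
	o.nreceived = a.nreceived;
	return o;
}
int main(void)
{
	printf("MAC only: %d, with source check: %d\n", (int)scenario(0).stray, (int)scenario(1).stray);
	return 0;
}
```

With either check the five genuine replies are counted and the stray one is not; the source check only changes why it is rejected.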

Use installboot(8) in armv7 install.md

2022-02-18 Thread Visa Hankala
Use installboot(8) in armv7 install.md.

OK?

Index: distrib/armv7/ramdisk/install.md
===
RCS file: src/distrib/armv7/ramdisk/install.md,v
retrieving revision 1.51
diff -u -p -r1.51 install.md
--- distrib/armv7/ramdisk/install.md7 Feb 2022 20:24:30 -   1.51
+++ distrib/armv7/ramdisk/install.md18 Feb 2022 14:14:46 -
@@ -31,7 +31,6 @@
 # machine dependent section of installation/upgrade script.
 #
 
-NEWFSARGS_msdos="-F 16 -L boot"
 MOUNT_ARGS_msdos="-o-l"
 
 md_installboot() {
@@ -47,10 +46,14 @@ md_installboot() {
*)  ;; # XXX: Handle unknown platform?
esac
 
-   # Mount MSDOS partition, extract U-Boot and copy UEFI boot program
+   if ! installboot -r /mnt ${1}; then
+   echo "\nFailed to install bootblocks."
+   echo "You will not be able to boot OpenBSD from ${1}."
+   exit
+   fi
+
+   # Apply some final tweaks on selected platforms
mount ${MOUNT_ARGS_msdos} ${_disk}i /mnt/mnt
-   mkdir -p /mnt/mnt/efi/boot
-   cp /mnt/usr/mdec/BOOTARM.EFI /mnt/mnt/efi/boot/bootarm.efi
 
_mdec=/usr/mdec/$_plat
 
@@ -82,6 +85,8 @@ md_installboot() {
bs=1024 seek=8 >/dev/null 2>&1
;;
esac
+
+   umount /mnt/mnt
 }
 
 md_prep_fdisk() {
@@ -91,7 +96,6 @@ md_prep_fdisk() {
local bootsectorstart="32768"
local bootsectorsize="32768"
local bootfstype="msdos"
-   local newfs_args=${NEWFSARGS_msdos}
 
while :; do
_d=whole
@@ -106,8 +110,7 @@ md_prep_fdisk() {
echo -n "Creating a ${bootfstype} partition and an 
OpenBSD partition for rest of $_disk..."
fdisk -iy -b 
"${bootsectorsize}@${bootsectorstart}:${bootparttype}" ${_disk} >/dev/null
echo "done."
-   disklabel $_disk 2>/dev/null | grep -q "^  i:" || 
disklabel -w -d $_disk
-   newfs -t ${bootfstype} ${newfs_args} ${_disk}i
+   installboot -p $_disk
return ;;
[eE]*)
# Manually configure the MBR.
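
Review bot: With newfs -t ${bootfstype} ${newfs_args} ${_disk}i replaced by installboot -p $_disk, the filesystem type and label that NEWFSARGS_msdos="-F 16 -L boot" pinned are no longer stated anywhere in the script. Say in the commit message that installboot -p is expected to produce an equivalent boot partition, and check whether bootfstype is still needed for anything beyond the echo message.
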
Index: distrib/armv7/ramdisk/list
===
RCS file: src/distrib/armv7/ramdisk/list,v
retrieving revision 1.46
diff -u -p -r1.46 list
--- distrib/armv7/ramdisk/list  4 Oct 2021 01:34:29 -   1.46
+++ distrib/armv7/ramdisk/list  18 Feb 2022 14:14:47 -
@@ -63,6 +63,7 @@ LINK  instbin usr/bin/sed
 LINK   instbin usr/bin/signify
 LINK   instbin usr/bin/tee
 LINK   instbin usr/sbin/chroot
+LINK   instbin usr/sbin/installboot
 LINK   instbin usr/sbin/mkuboot
 LINK   instbin usr/sbin/pwd_mkdb
 ARGVLINK ksh   -sh