Re: flush?

2003-01-07 Thread Andrew Prewett
On Jan 6 Mark wrote:

 Nope, sync won't do it. ;) I can sync all I want, but df (and dd,
 effectively, by adding the deleted size to its image) keeps reporting the
 added size (which is considerable: about 4 G extra) to the partition, and
 only falls back to the true value after a while. Besides, being in
 disk-cache would not itself adversely affect dd.

This could be the `softupdates' effect.

-andrew


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: tcpdump problem

2003-01-07 Thread Andrew Prewett
On Jan 8 Brendan Kosowski wrote:


 I am running FreeBSD 3.4 with the GENERIC kernel which has
 the line pseudo-device bpfilter 1 uncommented in the config. I also
 re-built and re-installed GENERIC just to be sure.

 /dev/bpf0 has rw permissions for the owner (root). There are no other
 bpf devices in /dev.

 When I su to root and run tcpdump, I get the message
 tcpdump: /dev/bpf1: No such file or directory.

 Can anyone help?

 Maybe /dev/bpf0 is already in use by another process. The simplest
solution is to rebuild the kernel with an increased number of devices,
like `pseudo-device bpfilter 4'.

-andrew





Re: security vulnerability in dump

2003-01-07 Thread Andrew Prewett
Today Mark wrote:

 I believe I have found a security vulnerability in dump, which, under the
 right conditions, allows any user with shell-access to gain root-privileges.

 When dumping to a file, dump writes this file chmod 644. When the
 root-partition is being backed-up, this leaves the dump-file vulnerable to
 scanning by unprivileged users for the duration of the dump.

 I tested this, and, as a non-privileged user, was able to extract the
 root-password from the dump-file using a simple regex:
 (/root:(.*?):0:0::0:0:Superuser:/). This, of course, based on the fact
 that /etc/master.passwd also becomes part of the dump-file.

 As to how high to rank this exploitability, I am not sure. Certain
 conditions need to be met. The dump must be made to file, and the
 unprivileged user must, naturally, know the name of the dump-file; and the
 dump, of course, must be made in multi-user mode.

 Still, I would feel a lot better if the FreeBSD development team made a
 small adjustment to dump, writing its dump-file chmod 600, which would
 immediately solve any and all exploitability.

 If people deem it serious enough, I will file a report.

 Thanks for listening.

 P.S. I understand, of course, that the dump-file, when written to a
 directory to which non-privileged users have no access, would still be safe.
 But I deem it best to make dump safe on its own, and not have its safety
 depend on external factors.

 Normally the master.passwd is backed up regularly by cron
(/var/backups), so maybe no need to backup it again.

hint: chflags nodump /etc/master.passwd

-andrew
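
The change Mark asks for can be shown in a few lines of C. This is an added example, not dump(8) source and not code from anyone in this thread; the function names (open_default, open_private, demo_modes) and the file names are hypothetical, and the 0644 case reproduces what the post reports rather than dump's actual code path.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
static int perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* The reported behaviour: mode 0666 filtered by the usual umask 022
 * gives 0644, readable by every local user while it is being written. */
static int open_default(const char *path)
{
    mode_t old = umask(022);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(old);
    return fd;
}

/* The requested behaviour: the file is 0600 from the moment it exists.
 * O_EXCL refuses symlinks and pre-existing files. An old file is removed
 * and recreated instead of being reused, so a descriptor somebody opened
 * on the old 0644 file never sees the new data. */
static int open_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);

    if (fd < 0 && errno == EEXIST) {
        if (unlink(path) != 0)
            return -1;
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    }
    if (fd < 0)
        return -1;
    /* umask can only clear bits, so the file was never wider than 0600;
     * fchmod() pins the final mode whatever the caller's umask is. */
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Runs both variants in a fresh temporary directory (constructed paths)
 * and reports the resulting modes. Returns 0 on success. */
int demo_modes(int *loose, int *tight, int *replaced)
{
    char dir[] = "/tmp/dumpdemoXXXXXX";
    char a[64], b[64];
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(a, sizeof a, "%s/root.dump", dir);
    snprintf(b, sizeof b, "%s/root.private.dump", dir);

    if ((fd = open_default(a)) < 0)
        return -1;
    close(fd);
    *loose = perm_bits(a);

    if ((fd = open_private(b)) < 0)
        return -1;
    close(fd);
    *tight = perm_bits(b);

    /* A 0644 file left by an earlier run is replaced, not reused. */
    if ((fd = open_private(a)) < 0)
        return -1;
    close(fd);
    *replaced = perm_bits(a);

    unlink(a);
    unlink(b);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int loose, tight, replaced;

    if (demo_modes(&loose, &tight, &replaced) != 0) {
        perror("demo_modes");
        return EXIT_FAILURE;
    }
    printf("default: %04o  private: %04o  replaced: %04o\n",
        loose, tight, replaced);
    return EXIT_SUCCESS;
}
```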




Re: security vulnerability in dump

2003-01-07 Thread Andrew Prewett
Today Mark wrote:

 I believe I have found a security vulnerability in dump, which, under the
 right conditions, allows any user with shell-access to gain root-privileges.

 When dumping to a file, dump writes this file chmod 644. When the
 root-partition is being backed-up, this leaves the dump-file vulnerable to
 scanning by unprivileged users for the duration of the dump.

 I tested this, and, as a non-privileged user, was able to extract the
 root-password from the dump-file using a simple regex:
 (/root:(.*?):0:0::0:0:Superuser:/). This, of course, based on the fact
 that /etc/master.passwd also becomes part of the dump-file.

 As to how high to rank this exploitability, I am not sure. Certain
 conditions need to be met. The dump must be made to file, and the
 unprivileged user must, naturally, know the name of the dump-file; and the
 dump, of course, must be made in multi-user mode.

 Still, I would feel a lot better if the FreeBSD development team made a
 small adjustment to dump, writing its dump-file chmod 600, which would
 immediately solve any and all exploitability.

 If people deem it serious enough, I will file a report.

 Thanks for listening.

 Normally the master.passwd is backed up regularly by cron
(/var/backups), so maybe no need to backup it again.

hint: chflags nodump /etc/master.passwd

-andrew


 P.S. I understand, of course, that the dump-file, when written to a
 directory to which non-privileged users have no access, would still be safe.
 But I deem it best to make dump safe on its own, and not have its safety
 depend on external factors.




Re: Deleted VAR

2003-01-07 Thread Andrew Prewett
Today Kenzo wrote:

 Help, I accidentally deleted everything in the /var dir. ( fat fingered ).
 Is there a way to retrieve it? or do I have to reinstall.
 I'm now getting a lot of error messages since it's also a mail server. well
 not anymore.

 You can restore the directory structure -- at least -- with mtree:
`mtree -deU -f /etc/mtree/BSD.var.dist -p /var', to make sendmail(?) happy.

 Don't forget to create the logfiles for syslogd.

-andrew





Re: permissions issue help ?!?!

2003-01-07 Thread Andrew Prewett
Today Brent Bailey wrote:

 Hello,  I'm using FBSD 4.6 R. I recently installed something  (I don't
 know what ) that changed the permissions on my /tmp  directory, making
 things like mysql  php and other programs not function correctly.

 as things are now on the broken box the permissions are:
 drwx--  root  wheel  /tmp

 I have another FBSD box that's working fine ..and the permissions on its
 /tmp dir are: drwxrwxrwt   root  wheel  /tmp

 now to restore the permissions on the broken box ..I did
 #chmod 777 /tmp


 however I'm not sure how to get the t  on the permissions back (I'm not
 even sure what the t means)

it's a sticky bit

in a directory with the `sticky bit' set, only the file owner and the user
(process) with root privileges can unlink the file.

 Can anyone tell me how to get the permissions back to:
 drwxrwxrwt   root  wheel  /tmp???

chmod 41777 /tmp

-andrew
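
The three states of /tmp that appear in this exchange (drwx------, drwxrwxrwx after chmod 777, and the wanted drwxrwxrwt) can be told apart and repaired programmatically. This is an added example, not code from the thread; the names check_shared_dir, repair_shared_dir, mode_string and demo_sticky are hypothetical, and it works on a constructed temporary directory rather than the real /tmp.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef S_ISVTX
#define S_ISVTX 01000   /* the sticky bit shown as 't' by ls -l */
#endif

enum dir_state { DIR_OK, DIR_NOT_SHARED, DIR_NO_STICKY, DIR_ERROR };

/* Render the type and permission bits the way ls -l does. Only the
 * sticky bit is decoded; setuid/setgid are left out for brevity. */
void mode_string(mode_t m, char out[11])
{
    static const char rwx[] = "rwxrwxrwx";
    int i;

    out[0] = S_ISDIR(m) ? 'd' : '-';
    for (i = 0; i < 9; i++)
        out[i + 1] = (m & (0400 >> i)) ? rwx[i] : '-';
    if (m & S_ISVTX)
        out[9] = (m & 0001) ? 't' : 'T';
    out[10] = '\0';
}

/* Classify a directory that is meant to be a shared scratch area. */
enum dir_state check_shared_dir(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return DIR_ERROR;
    if ((st.st_mode & 0777) != 0777)
        return DIR_NOT_SHARED;  /* e.g. drwx------: programs cannot use it */
    if (!(st.st_mode & S_ISVTX))
        return DIR_NO_STICKY;   /* drwxrwxrwx: anyone can unlink anyone's files */
    return DIR_OK;              /* drwxrwxrwt */
}

/* Set rwx for everyone plus the sticky bit (octal 1777). chmod() is not
 * affected by the umask. Returns 0 on success. */
int repair_shared_dir(const char *path)
{
    if (check_shared_dir(path) == DIR_ERROR)
        return -1;
    return chmod(path, 01777);
}

/* Walk a constructed directory through the three states from the post. */
int demo_sticky(char first[11], char after777[11], char fixed[11])
{
    char dir[] = "/tmp/stickydemoXXXXXX";
    struct stat st;

    if (mkdtemp(dir) == NULL)           /* mkdtemp() creates it 0700 */
        return -1;
    if (stat(dir, &st) != 0 || check_shared_dir(dir) != DIR_NOT_SHARED)
        return -1;
    mode_string(st.st_mode, first);

    if (chmod(dir, 0777) != 0 || stat(dir, &st) != 0 ||
        check_shared_dir(dir) != DIR_NO_STICKY)
        return -1;
    mode_string(st.st_mode, after777);

    if (repair_shared_dir(dir) != 0 || stat(dir, &st) != 0 ||
        check_shared_dir(dir) != DIR_OK)
        return -1;
    mode_string(st.st_mode, fixed);

    rmdir(dir);
    return 0;
}

int main(void)
{
    char a[11], b[11], c[11];

    if (demo_sticky(a, b, c) != 0) {
        perror("demo_sticky");
        return EXIT_FAILURE;
    }
    printf("%s -> %s -> %s\n", a, b, c);
    return EXIT_SUCCESS;
}
```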





Re: Deleted VAR

2003-01-07 Thread Andrew Prewett
Today Mike Meyer wrote:

 In [EMAIL PROTECTED], Andrew Prewett 
[EMAIL PROTECTED] typed:
  Today Mike Meyer wrote:
   [Context lost to top posting.]
  
   In [EMAIL PROTECTED], Kenzo [EMAIL PROTECTED] 
typed:
Yes, that worked, but now I can't sshd to it anymore.
looking in the auth.log file, it says  Bind to port 22 on 0.0.0.0 failed
address already in use.
so I edit the file /etc/ssh/sshd_config to ListenAddress 10.25.2.60 ( the
server's address ) then restart.
in auth.log, it says  Server Listening on 10.25.2.60 port 22
   
but it still doesn't work.  what else do I need to do?
   Put /etc/ssh/sshd_config back the way it was. Then kill and restart
   the ssh daemon. Again, rebooting the system to cause any daemons that
   have files in /var open to close them - thus freeing the space - and
   reopen with real files is a good idea.
   No, except few cases (new kernel, hw change), you never must reboot the
  system. It's not a windoze. If a program (process) is killed/terminated, then
  all opened files will be closed (implicitly or explicitly).

 True, you don't have to reboot. However, I'd do it because that's
 faster than finding every process that has an open file and /var and
 killing and restarting those processes. If you really don't want him
 to reboot, please tell him how to find and restart all those
 processes.

 as a privileged user, use `shutdown now' (or `kill -15 pid of init', or
`init 1'), to go in single user mode, logout to go back. There is a
little more work, if you don't want to kick out the logged in users.

 In the case of sshd (and many other daemons), it's enough to send a process
a SIGHUP signal (kill -1 sshd-pid, killall -1 sshd) to reread the config
file. To terminate the process send a SIGTERM signal (killall sshd). You
can restart it later from the commandline.
 If sshd is started from inetd, then you must comment out the sshd line in
/etc/inetd.conf and send a HUP signal to inetd, to ensure that sshd
(inetd really) is not listening on port 22.

-andrew









Re: security vulnerability in dump

2003-01-07 Thread Andrew Prewett
Today Kirk Strauser wrote:


 At 2003-01-07T17:35:49Z, Andrew Prewett [EMAIL PROTECTED] writes:

   Normally the master.passwd is backed up regularly by cron (/var/backups),
  so maybe no need to backup it again.

 Were you joking?  Surely you're not implying that there's no need to copy
 the data to tape (which is the most common use for dump) since it now exists
 in two places on the same hard drive - are you?

 If /etc and /var are on the same HD, then it's not a production
machine or the setup is simply wrong.

-andrew





Re: Deleted VAR

2003-01-07 Thread Andrew Prewett
Today Mike Meyer wrote:

 [Context lost to top posting.]

 In [EMAIL PROTECTED], Kenzo [EMAIL PROTECTED] typed:
  Yes, that worked, but now I can't sshd to it anymore.
  looking in the auth.log file, it says  Bind to port 22 on 0.0.0.0 failed
  address already in use.
  so I edit the file /etc/ssh/sshd_config to ListenAddress 10.25.2.60 ( the
  server's address ) then restart.
  in auth.log, it says  Server Listening on 10.25.2.60 port 22
 
  but it still doesn't work.  what else do I need to do?

 Put /etc/ssh/sshd_config back the way it was. Then kill and restart
 the ssh daemon. Again, rebooting the system to cause any daemons that
 have files in /var open to close them - thus freeing the space - and
 reopen with real files is a good idea.

 No, except few cases (new kernel, hw change), you never must reboot the
system. It's not a windoze. If a program (process) is killed/terminated, then
all opened files will be closed (implicitly or explicitly).

-andrew





Re: security vulnerability in dump

2003-01-07 Thread Andrew Prewett
Today Mike Meyer wrote:

 In [EMAIL PROTECTED], Andrew Prewett 
[EMAIL PROTECTED] typed:
  Today Kirk Strauser wrote:
   At 2003-01-07T17:35:49Z, Andrew Prewett [EMAIL PROTECTED] writes:
 Normally the master.passwd is backed up regularly by cron (/var/backups),
so maybe no need to backup it again.
   Were you joking?  Surely you're not implying that there's no need to copy
   the data to tape (which is the most common use for dump) since it now exists
   in two places on the same hard drive - are you?
   If /etc and /var are on the same HD, then it's not a production
  machine or the setup is simply wrong.

 It may not be a machine you'd want to use for what you use production
 machines for, but there are a fair number of production uses where you
 only have one hd, or where having /var and /etc on the same file
 system are acceptable.

 Yes, it depends. Sure, if it's not a home pc, then backup is a must,
regardless how many hd's are in the machine. But I wouldn't put / and /var
on the same fs, even on my home pc.

-andrew

P.S.: sorry for the double post, my sendmail got SIGSEGV after I
hacked a bit, and I didn't check the queue before reposting the same
article.





Re: Older versions

2003-01-07 Thread Andrew Prewett
Today Nathan Kinkade wrote:

 On Tue, Jan 07, 2003 at 02:30:57PM -0700, [EMAIL PROTECTED] wrote:
  I have a VERY, VERY old laptop (1.9 Megs of memory IBM), and I was
  wondering if I could get FreeBSD 1 for it. If so, where? Thanks!
 
  lattera
 
  To Unsubscribe: send mail to [EMAIL PROTECTED]
  with unsubscribe freebsd-questions in the body of the message

 What type of processor does it have?  1.9MB of RAM is not very much.
 Even PicoBSD, the single floppy version of FreeBSD, would like to have
 8MB of memory.  I have serious doubts that you will be able to get
 virtually anything to run in 1.9MB of memory.  I could be wrong, and if
 someone knows of a tiny OS that will run under these conditions I'd be
 curious to know about it.  I have recently been looking around at some
 tiny Linux installations, but even those absolutely require at least 4MB
 of memory.

minix?

from the minix install.txt:
...
1. REQUIREMENTS
   The minimum system MINIX can be installed on comfortably  is
   an  IBM PC/AT or PS/2 with a 286 processor, 640 KB memory, a
   720 kb diskette drive, and 25-30 MB free  space  on  an  AT,
   ESDI, or SCSI hard disk (the latter controlled by an Adaptec
   1540.)  MINIX for the  386  (MINIX-386  for  short)  can  be
   installed on a machine with at least a 386sx processor, 3 MB
   memory and at least 25-30 MB of disk space.
...

-andrew





Re: security vulnerability in dump

2003-01-07 Thread Andrew Prewett
Today Ed Hall wrote:

  Today Kirk Strauser wrote:
   At 2003-01-07T17:35:49Z, Andrew Prewett [EMAIL PROTECTED]
 writes:
 Normally the master.passwd is backed up regularly by cron
 (/var/backups),
so maybe no need to backup it again.
 
   Were you joking?  Surely you're not implying that there's no need to copy
   the data to tape (which is the most common use for dump) since it now
 exists
   in two places on the same hard drive - are you?

  If /etc and /var are on the same HD, then it's not a production
  machine or the setup is simply wrong.

 Ri-i-ight...  So I should add a second HD to every server in the rack, hmmm?
 It's standard practice to make /var its own filesystem, but where do you
 get the idea that it should be on its own drive?

 No, umgekehrt, ideally / should be on a separate drive and /home, /var,
/usr on another drive(s). I mean, I wouldn't put my company database,
fileserver, etc. on a machine with only one drive. So, my wording was maybe
a little hard in the previous post - english is not my first language.

-andrew





Re: Deleted VAR

2003-01-07 Thread Andrew Prewett
On Jan 7 Mike Meyer wrote:

 In [EMAIL PROTECTED], Andrew Prewett 
[EMAIL PROTECTED] typed:
  Today Mike Meyer wrote:
   In [EMAIL PROTECTED], Andrew Prewett 
[EMAIL PROTECTED] typed:
Today Mike Meyer wrote:
 [Context lost to top posting.]

 In [EMAIL PROTECTED], Kenzo [EMAIL PROTECTED] 
typed:
  Yes, that worked, but now I can't sshd to it anymore.
  looking in the auth.log file, it says  Bind to port 22 on 0.0.0.0 failed
  address already in use.
  so I edit the file /etc/ssh/sshd_config to ListenAddress 10.25.2.60 ( the
  server's address ) then restart.
  in auth.log, it says  Server Listening on 10.25.2.60 port 22
 
  but it still doesn't work.  what else do I need to do?
 Put /etc/ssh/sshd_config back the way it was. Then kill and restart
 the ssh daemon. Again, rebooting the system to cause any daemons that
 have files in /var open to close them - thus freeing the space - and
 reopen with real files is a good idea.
 No, except few cases (new kernel, hw change), you never must reboot the
system. It's not a windoze. If a program (process) is killed/terminated, then
all opened files will be closed (implicitly or explicitly).
   True, you don't have to reboot. However, I'd do it because that's
   faster than finding every process that has an open file and /var and
   killing and restarting those processes. If you really don't want him
   to reboot, please tell him how to find and restart all those
   processes.
   as a privileged user, use `shutdown now' (or `kill -15 pid of init', or
  `init 1'), to go in single user mode, logout to go back. There is a
  little more work, if you don't want to kick out the logged in users.

 That's a reboot. It's not clear you can do this properly without
 kicking out the logged in users.

`shutdown now' = restart in single user mode, _not_ reboot or halt,
and `kill pid-of-init' and `init 1' is equivalent with `shutdown now'.

-andrew





Re: Older versions

2003-01-07 Thread Andrew Prewett
On Jan 7 Nathan Kinkade wrote:

 On Wed, Jan 08, 2003 at 12:00:02AM +0100, Andrew Prewett wrote:
  Today Nathan Kinkade wrote:
 
   On Tue, Jan 07, 2003 at 02:30:57PM -0700, [EMAIL PROTECTED] wrote:
I have a VERY, VERY old laptop (1.9 Megs of memory IBM), and I was
wondering if I could get FreeBSD 1 for it. If so, where? Thanks!
   
lattera
   
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
  
   What type of processor does it have?  1.9MB of RAM is not very much.
   Even PicoBSD, the single floppy version of FreeBSD, would like to have
   8MB of memory.  I have serious doubts that you will be able to get
   virtually anything to run in 1.9MB of memory.  I could be wrong, and if
   someone knows of a tiny OS that will run under these conditions I'd be
   curious to know about it.  I have recently been looking around at some
   tiny Linux installations, but even those absolutely require at least 4MB
   of memory.
 
  minix?
 
  from the minix install.txt:
  ...
  1. REQUIREMENTS
 The minimum system MINIX can be installed on comfortably  is
 an  IBM PC/AT or PS/2 with a 286 processor, 640 KB memory, a
 720 kb diskette drive, and 25-30 MB free  space  on  an  AT,
 ESDI, or SCSI hard disk (the latter controlled by an Adaptec
 1540.)  MINIX for the  386  (MINIX-386  for  short)  can  be
 installed on a machine with at least a 386sx processor, 3 MB
 memory and at least 25-30 MB of disk space.
  ...
 
  -andrew

 Right, this is why I asked what type of processor he had.  Minix for
 i386 wants 3MB - more than he apparently has...unless 1.9 was a type or
 I misunderstood.  Thanks for the tip, though.  Although I have questions
 about the utility of Minix on a 286 with 640KB RAM, I will nevertheless
 take a look at it to see what can be done with such a system.

I didn't read the install.txt carefully, and didn't notice the 3MB
memory requirement, but on the official minix homepage,
 (http://www.cs.vu.nl/~ast/minix.html)
the required ram for the 32bit version is only 2MB, not 3MB - and 1.9 is
near 2 :-))

-andrew





Re: POP Server with Secure Password Authentication

2003-01-06 Thread Andrew Prewett
On Mon, Jan 06, 2003 at 06:33:16PM -0800, Kory Hamzeh wrote:
 
 I need to setup a POP Server that supports Secure Password Authentication. I
 have some MicroSoft Outlook users that need to pull their mail, but they are
 coming in over the internet. I looked through the ports collection, and
 didn't notice anything. Is there something I have overlooked?

No idea. But since Outlook supports IMAP and SSL, why not use them?

-andrew





Re: POP Server with Secure Password Authentication

2003-01-06 Thread Andrew Prewett
On Mon, Jan 06, 2003 at 10:23:49PM -0800, Kory Hamzeh wrote:
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Andrew Prewett
 
 
  On Mon, Jan 06, 2003 at 06:33:16PM -0800, Kory Hamzeh wrote:
  
   I need to setup a POP Server that supports Secure Password
  Authentication. I
   have some MicroSoft Outlook users that need to pull their mail,
  but they are
   coming in over the internet. I looked through the ports collection, and
   didn't notice anything. Is there something I have overlooked?
 
  No idea. But since Outlook supports IMAP and SSL, why not use them?
 
  -andrew
 
 
 Andrew,
 
 I didn't know that. I found out it also supports POP3 and SMTP with SSL. Is
 there a POP3 server that supports SSL?

pop3,pop3s,imap,imaps: /usr/ports/mail/imap-uw

 I couldn't figure out how to configure Outlook for IMAP. Is that also
 available with Outlook Express?

Sure,
http://computing.arizona.edu/help/email/outlook/o_exmap/index.shtml
(and 100's of pages at www.google.com dealing with outlook and imap)

Hope this helps,

-andrew






Re: fvwm2 mouse questions

2003-01-04 Thread Andrew Prewett
Today dick hoogendijk wrote:

 In KDE and Windowmaker etc. you can set the acceleration and threshold
 for the mousepointer. I need this set, 'cause otherwise my pointer moves
 way too slow ;-(

 I want to play a little with fvwm2 (heard some great things about it) but
 can't find the place to set the values for accelerate/threshold..
 Can this be done in fvwm2 or not?
 If so, where?

man xset

-andrew





Re: how can I filter on subject with sendmail 8.12.6?

2003-01-03 Thread Andrew Prewett
On Jan 3 Fuzzy wrote:


 we're having a problem with some cracker using addresses
 harvested from whois and the abuse/www/webmaster with
 domains they get from the database. The mail appears to
 come from us but it cannot as the addresses are oneway incoming
 only.

 the subject is always

 XXX templates
[...]

Try with this at the end of your sendmail.mc
(don't forget to rebuild the sendmail.cf file and restart sendmail)


LOCAL_CONFIG

C{RejectSubject}XXX templates

LOCAL_RULESETS

HSubject: $>CheckSubject

SCheckSubject
# the left- and right-hand sides of the R lines are separated by a tab
R$={RejectSubject}	$#error $@ 5.1.3 $: 554 Header error
R$*	$@ OK

-andrew





Re: /etc/ftpchroot

2003-01-02 Thread Andrew Prewett
Today Wayne Swart wrote:

 lo everyone

 is there a wildcard type you can specify for /etc/ftpchroot ?

joe*, doe[0-9], etc. won't work

 this is on bsd 4.7 using ftpd

This is from ftpd(8):
...
5.   If the user name appears in the file /etc/ftpchroot, or the
 user is a member of a group with a group entry in this file,
 i.e. one prefixed with `@', the session's root will be changed
 to the user's login directory by chroot(2) as for an
 ``anonymous'' or ``ftp'' account (see next item).  This facil-
 ity may also be triggered by enabling the boolean ftp-chroot
 capability in login.conf(5).  However, the user must still
 supply a password.  This feature is intended as a compromise
 between a fully anonymous account and a fully privileged
 account.  The account should also be set up as for an anony-
 mous account.
...

 Create a new group, add users to the group (see pw(8) for details),
add `@groupname' to /etc/ftpchroot.

-andrew





Re: procmail security question

2002-12-30 Thread Andrew Prewett
Today Dick Hoogendijk wrote:

 Maybe a silly question but still, security has to be as high as
 possible, so, here it is:

 I installed procmail and got the fbsd warning about the program running
 with set user and group ID (root/mail) known as a security risk.
 What about this message? Procmail has permission 6755. Is it necessary
 for the prog to be world readable/executable? do I need to set things
 different or do I see ghosts? :-))

 How do you use procmail? Do you use it with sendmail? Is procmail the local
delivery agent or invoked from the user ~/.forward* file? Is sendmail
setuid root or running as root (confRUN_AS_USER/RunAsUser)?

 So there are many open questions. Drop the setuid/setgid bits, and see
what happens.

-andrew





Re: ttyv3 cons2511

2002-12-30 Thread Andrew Prewett
Today Dick Hoogendijk wrote:

 In my /etc/ttys is a line which mentions ttyv3 as a cons2511 on secure
 resulting in a strange message when I log in on this tty. The console is
 not supported? Strange, as I never changed this file, so it is the one
 that came w/ the 4.7-release. I changed ttyv3 into cons25 for the time
 being, but I wonder what the other cons2511 was for.

It's cons25l1 (not cons2511!) FreeBSD ISO-8859-1 console.
(see /usr/share/misc/termcap)

-andrew





Re: APM

2002-12-29 Thread Andrew Prewett
On Dec 28 Adam Weinberger wrote:

  (12.28.2002 @ 2157 PST): Derision said, in 0.4K: 
  What is the correct line in the kernel config for
  making halt -p work?
 
  Mine is currently
  device  apm0
 
  (FreeBSD 4.7)
  end of APM from Derision 

 Make sure you also have:
 apm_enable=YES
 apmd_enable=YES

 I think apmd is not needed for halt/shutdown -p to work.
 I never used it, and it works just fine w/o them.

-andrew

 in your /etc/rc.conf.

 # Adam




RE: sshd and passwordauthentication

2002-12-28 Thread Andrew Prewett
On Dec 27 Didier Wiroth wrote:

 I'm using a windows client, putty where I didn't find that kind of option,
 here is the output of ssh -v from linux test machine:

 OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: Applying options for *
 debug1: Seeding random number generator
 debug1: Rhosts Authentication disabled, originating port will not be
 trusted.
 debug1: restore_uid
 debug1: ssh_connect: getuid 500 geteuid 500 anon 1
 debug1: Connecting to sshd.somewhere.com [sshd.somewhere.com] port 22.
 debug1: temporarily_use_uid: 500/100 (e=500)
 debug1: restore_uid
 debug1: temporarily_use_uid: 500/100 (e=500)
 debug1: restore_uid
 debug1: Connection established.
 debug1: identity file /home/user_test/.ssh/identity type -1
 debug1: identity file /home/user_test/.ssh/id_rsa type -1
 debug1: identity file /home/user_test/.ssh/id_dsa type -1

id_rsa and/or id_dsa exists?

 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
 FreeBSD-20020702
 debug1: match: OpenSSH_3.4p1 FreeBSD-20020702 pat ^OpenSSH
 debug1: Local version string SSH-1.5-OpenSSH_2.9.9p2
 debug1: Waiting for server public key.
 debug1: Received server public key (768 bits) and host key (1024 bits).
 debug1: Host 'sshd.somewhere.com' is known and matches the RSA1 host key.
 debug1: Found key in /home/user_test/.ssh/known_hosts:2
 debug1: Encryption type: 3des
 debug1: Sent encrypted session key.
 debug1: Installing crc compensation attack detector.
 debug1: Received encrypted confirmation.
 debug1: Doing challenge reponse authentication.
 Password:
 Response:

 Does that help?

[...]
  On Fri, Dec 27, 2002 at 04:02:52PM +0100, Didier Wiroth wrote:
   These are the only activated options:
   Protocol 2,1
   ListenAddress x.y.z.x
   LoginGraceTime 40
   PermitRootLogin no
   PasswordAuthentication no
   PermitEmptyPasswords no
   Subsystem   sftp/usr/libexec/sftp-server

Few options to experiment:

RhostsRSAAuthentication yes
HostbasedAuthentication yes
IgnoreUserKnownHosts no
UseLogin no

-andrew

  
   All other options are commented with a '#'!
   Any clues?
   There is no warning in /var/log/messages!
 
  Hmmm... This looks OK to me.  What output do you get if you log in to
  the box using `ssh -v my.host'?  It should print details of protocol
  negotiation, authentication steps, etc.
 
  Dan
 




Re: What are the SMTP rules for sending mail to FreeBSD

2002-12-28 Thread Andrew Prewett
Today Harry Tabak wrote:

 Mail sent from my main server, gatehouse.quadtelecom.com (66.45.116.138)
 gets rejected.
_450_Client_host_rejected:_cannot_find_your_hostname,_[66.45.116.138]

 If 450 is some error code, then it's only a _temporary_ error/failure
(RFC 1893). Maybe the DNS servers are using the old (cached) data.

-andrew





RE: Problems with a C application that changes users and run 'screen-x'

2002-12-27 Thread Andrew Prewett
On Dec 20 Paul Everlund wrote:

 On Fri, 20 Dec 2002, Paul Everlund wrote:

 Found an error in my reply...

  On Fri, 20 Dec 2002, Aaron Burke wrote:
 
 [big snip]

  I think execlp is writing over your current process. So first your
  process is exchanged with ppp, then ppp is exchanged with screen. You
  have to make a copy of your current process, a.out, by using fork, and
  then exchange the process image in this copy using execlp.

 Correction... Your a.out process is replaced with ppp, then nothing
 else happens, as screen never is called due to the replacement.

 the process image is replaced with su and the second execlp() is never called
 if the first execlp() call succeeds... (which won't) else replaced with
 screen if the second execlp() call succeeds (which won't)...
 (if exec??() returns, then an error has occurred)

 Here is some code for the OP to start with:

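#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sysexits.h>

int main(void)
{
    pid_t pid;
    int s = 0;

    switch (pid = fork()) {
    case -1:
        perror("fork");
        exit(EX_OSERR);
    case 0: /* I'm the child. */
        /* On success execlp() replaces the child's image and never
         * returns; "arg1" ... "argn" are placeholder arguments. */
        execlp("/usr/bin/su", "/usr/bin/su",
            "arg1", "arg2", "argn", (char *)NULL);
        /* kaboom */
        /* perror("execlp"); */
        exit(EX_SOFTWARE);
    default: /* I'm the parent */
        /* Wait for the child so its exit status can be passed on. */
        waitpid(pid, &s, 0);
        break;
    }
    return WEXITSTATUS(s);
}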

-andrew





Re: ATX power down

2002-12-25 Thread Andrew Prewett
Today Paulo Roberto wrote:

 --- Denis N. Peplin [EMAIL PROTECTED] wrote:
  # halt -p

 The system halts, but still no power down. Is there a sysctl for this
 thing or maybe a compile option in the kernel?

1) `device apm' in the kernel config
2) `apm_enable=YES' in /etc/rc.conf

 BTW PDWN in the keymap (the three-finger-salute) would have to
 power down the ATX also, right?

 Yes, if you don't have `options SC_DISABLE_REBOOT' in the kernel conf
and not changed the keymap (/usr/share/syscons/*.kbd).

-andrew

 thanks

 Paulo




Re: Adding to standard include path (GCC)

2002-12-25 Thread Andrew Prewett
Today Ihsan Junaidi Ibrahim wrote:

 Hello all,

 I'm a starter to programming in FreeBSD after a few years in Visual C++ and
 would like to delve deeper into it. But I have a few questions which I need
 answers. I hope it wouldn't be too much a burden to you.

 I have two gccs installed, 2.95.4 (stock gcc) and 3.1.1.

 1) How do add to the standard include path to a path that I designated without
 using the -I flag or is it fixed only to /usr/local/include and /usr/include.

You can edit the `specs' file, but you don't need.

gcc31 -v -E -dM - < /dev/null

is `/usr/local/include' along with `/usr/include' in the output?

 With the new gcc (3.x) you don't need to specify `-I/usr/local/include',
`-I/usr/include', because it's already specified in the standard
include path.


 2) I notice that the gcc31 include files does not contain the standard C
 headers ie stdio.h, assert.h etc. Does this mean whenever I want to link to
 the header, it is sufficient to use the ones in /usr/include?

if you mean include a header, then yes, for C code.
Simply use `#include <*.h>' in the C source (both gcc)

 3) I notice too that there are many C++ and STL include files I'm getting
 confused on which ones to use. The files are located at /usr/include/g++,

this is for use with the system gcc (2.95)

 /usr/local/lib/i386-portbld-freebsd4.7/3.1.1/include/g++v3 and

this is for the new gcc (3.x)

 /usr/local/lib/i386-portbld-freebsd4.7/3.1.1/include/g++v3/backward.

this is for (older) C++ sources with `#include <*.h>' (gcc 3.x)

 Can someone enlighten me on which one should I use.

use the standard include files, ie.: `#include <iostream>',
`#include <string>', etc.  in C++ source and (normally) the right
header is pulled in

 I intend on programming  purely in C++ with the exception that in
 later date, I might be forced to use some of the C include files.

simply use `#include <cstdio>, #include <cassert>', etc. in the C++ source

-andrew


 Thank you very much in advance.




Re: ATX power down

2002-12-25 Thread Andrew Prewett
Today Paulo Roberto wrote:

 --- Denis N. Peplin [EMAIL PROTECTED] wrote:
  I don't know why some ATX systems can't. I've tested halt -p on
  FreeBSD 5.0 and all works fine.

 It is strange, since I got Linux also on this machine, and halt
 powers down properly, but not on FreeBSD.

   BTW PDWN in the keymap (the three-finger-salute) would have to
   power down the ATX also, right?
  No, reboot.

 Is there a way to start a script when ctrl+alt+del is pressed?

/etc/rc.shutdown

 I looked at the keymap, and only found BOOT PDWN and HALT. I would
 need it to power down.

`pdwn' does exactly what you want, see kbdmap(5)
change your keymap (in /usr/share/syscons/keymaps/) as you like
(in the appropriate line `boot' to `pdwn')

-andrew


 And BTW, I got DP-2 and RC-2 on two different machines, and both of
 them keep outputting on the console a *lot* of calcru messages. Are
 you guys getting it also?

 thanks

 Paulo





Re: Refusing Connections

2002-12-22 Thread Andrew Prewett
On Dec 21 Jimi Thompson wrote:

 OS - 5.0 RC2
 Apache - 2.0.43
 OpenSSL - 0.9.6g

 I'm having a rather odd problem and I can't quite put my finger on it.   I
 can verify that the apache httpd is running but I am unable to connect to
 the box on port 80.

- Check if apache is really listening on the port (ie.: netstat -an -finet -ptcp).
- Check your httpd.conf for the following directives (main server config):

Listen  IP-ADDRESS:PORT
ServerName  FQDN

- Check the httpd.conf syntax (ie.: httpd -t, ev. httpd -DSSL -t).
- Try with telnet:
prompt$ telnet IP-ADDRESS PORT
GET /


 I verified that httpd.conf specifies port 80.  I've verified that the
 firewall is disabled.

And the default setting is `pass' any packet not `block'?

-andrew

 I can connect on other ports so I know that the
 network settings are working properly.  If someone could point out what
 I'm missing, I'd really appreciate it.  I have a feeling that it's going to
 be a DOH! moment.

 Thanks,

 Ms. Jimi Thompson




RE: Refusing Connections

2002-12-22 Thread Andrew Prewett
On Dec 22 Jimi Thompson wrote:

 This is a strange one.  Here's the deal.  The traffic doesn't even appear to
 be making it as far as the Apache process.  That's why I was looking for
 something in the OS that would be blocking it (like the firewall).

 #
 # Listen: Allows you to bind Apache to specific IP addresses and/or
 # ports, in addition to the default. See also the VirtualHost
 # directive.
 #
 # Change this to Listen on specific IP addresses as shown below to
 # prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
 #
 #Listen 12.34.56.78:80
 Listen 80

change this to `Listen 4.60.243.40:80' and see what happens...

(assuming IP# 4.60.243.40 where apache should bind/listen)



 Yep and I'm not getting a thing in the error logs either.  My access log is
 totally empty.

 My error log shows this when I stop and restart it by hand -

 [Sat Dec 21 23:48:19 2002] [notice] caught SIGTERM, shutting down

 [Sat Dec 21 23:48:25 2002] [warn] RSA server certificate CommonName (CN)
 `web1' does NOT match server name!?
 [Sat Dec 21 23:48:28 2002] [warn] RSA server certificate CommonName (CN)
 `web1' does NOT match server name!?
 [Sat Dec 21 23:48:28 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43
 OpenSSL/0.9.6g configured -- resuming
 normal operations

 Netstat,  however, has other ideas -

  netstat -an -finet -ptcp
 Active Internet connections (including servers)
 Proto Recv-Q Send-Q  Local Address      Foreign Address      (state)
 tcp4       0      0  4.60.243.40.22     4.60.243.201.1277    ESTABLISHED
 tcp4       0      0  *.8021             *.*                  LISTEN
 tcp4       0      0  *.8080             *.*                  LISTEN
  this is a proxy?
You didn't change the apache default port at compile time?

 tcp4       0      0  *.587              *.*                  LISTEN
 tcp4       0      0  *.25               *.*                  LISTEN
 tcp4       0      0  4.60.243.40.22     *.*                  LISTEN
somewhere in the netstat output should be a line like:

tcp4 0 0  4.60.243.40.80 *.* LISTEN

-andrew

 Thanks,

 Ms. Jimi Thompson




Re: Question about Apache with ssl.

2002-12-06 Thread Andrew Prewett
Today Mark-Nathaniel Weisman wrote:

 I've replaced the original httpd executable with a new improved
 apachectl,

apachectl is only a wrapper script to start, stop, restart apache (httpd)...

 and of course need the startssl to fire up my ssl installed
 Web Server. When the web server fires up, you need to enter the pass
 phrase for the security. How can I automate this?

You mean, you want a decrypted key?

prompt# openssl rsa -in encrypted.key -out decrypted.key
[you get a password prompt here]

prompt# chown root:wheel decrypted.key
prompt# chmod 0400 decrypted.key

(apache|ssl).conf file:
SSLCertificateKeyFile /path/to/decrypted.key

You should read the apache-ssl FAQ.

 Which file boots the web server?

 In this case the web server executable is httpd. You can start it
directly and with a wrapper script, like apachectl or (if you have
installed apache with the ports/packages system) with
/usr/local/etc/rc.d/httpd.sh (IIRC).

 And where do I add the security phrase? Any help?

 If you use the decrypted version of the key, then you'll not be prompted
again at apache startup.

-andrew





Re: hi there =)

2002-12-05 Thread Andrew Prewett
Today Miguel haber wrote:

 Hi
 I just have a problem...
 I'm behind an http proxy, it's 10.1.1.1 port 8080.. this is the scan of the proxy:

 bash-2.05b$ nmap -P0 10.1.1.1
 Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
 Interesting ports on  (10.1.1.1):
 (The 1585 ports scanned but not shown below are in state: filtered)
 Port       State   Service
 21/tcp     open    ftp
 110/tcp    closed  pop-3
 389/tcp    open    ldap
 443/tcp    closed  https
 445/tcp    closed  microsoft-ds
 1002/tcp   open    unknown
 1720/tcp   open    H.323/Q.931
 5050/tcp   closed  mmcc
 5190/tcp   closed  aol
 /tcp       closed  irc-serv
 6667/tcp   closed  irc
 6668/tcp   closed  irc
 6699/tcp   closed  napster
 6969/tcp   closed  acmsoda
 7000/tcp   closed  afs3-fileserver
 8080/tcp   open    http-proxy
 Nmap run completed -- 1 IP address (1 host up) scanned in 422 seconds
 bash-2.05b$

 As you see the port 8080 is open .. and I put this export 
HTTP_PROXY=10.1.1.1:8080 in .shrc so when I try to install something from ports it 
connects to the proxy and fetch the file. and that worked ..see this when i was 
installing epic4:
 migz# make
  epic4-1.0.1.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/epic4.
  Attempting to fetch from ftp://ftp.epicsol.org/pub/epic/EPIC4-PRODUCTION/.
 fetch: epic4-1.0.1.tar.bz2: size of remote file is not known
 Receiving epic4-1.0.1.tar.bz2: 32768 bytes

 You see it connects to the ftp server through proxy cause i found:
 bash-2.05b$ sockstat -4
 USER COMMANDPID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
 root fetch  6643 tcp4   192.168.10.102:3686   10.1.1.1:8080   -- this

 The problem is .. when I try to ftp manually i get 421 remove server has closed the 
connection.. cause it doesn't connect to the ftp server through proxy.. check this:
 $ ftp ftp://ftp.epicsol.org/pub/epic/EPIC4-PRODUCTION/
 Connected to epicsol.org.
 421 Service not available, remote server has closed connection.

Did you read the ftp man page?

 ftp: Can't connect or login to host `ftp.epicsol.org'
 $
 in the same time i see:
 USER COMMANDPID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
 migz ftp6773 tcp4   192.168.10.102:3687   209.100.173.7:21 -- it 
doesn't connect through the proxy server..
 The question is how to make ftp and ssh connect through the proxy server 
10.1.1.1:8080 ?

 What is exactly listening on port 8080? Squid? Socks? Squid is a http only
proxy. For ssh, telnet, ftp, etc. you need Socks5 or NAT, it wouldn't work
with a http-only proxy.

-andrew

 I hope you reply as soon as possible.
 Thanks.


P.S.: Please break the lines below 80 char if it's not a source code. Thanks.





Re: Sendmail and localhost

2002-12-05 Thread Andrew Prewett
Today Andrey Nepomnyaschih wrote:

 Hello everybody,

 I've got some problems with sendmail. Going through logs I've found that
 sendmail identifies itself as localhost.domain. where I would expect
 it should be just [localhost].

 Dec  5 13:09:00 watchdog sm-msp-queue[339]: gB5A016S000321:
 to=xxx@domain, ctladdr=xxx (x/x), delay=00:08:59, xdelay=00:00:00,
 mailer=relay, pri=120314, relay=localhost.domain. [127.0.0.1],
 dsn=2.0.0, stat=Sent (gB5A90GS000340 Message accepted for delivery)

 I believe that it just canonify the localhost name by appending
 domain. to it. Because when I change /etc/hosts
 from
 127.0.0.1 localhost
 to
 127.0.0.1 localhost.

The first one is a relative, the second an absolute path. I think, in the
second case there is nothing to canonify.


 I get:
 Dec  5 12:12:41 watchdog sendmail[247]: gB59CfNb000247: to=xxx@domain,
 ctladdr=x (x/x), delay=00:00:00, xdelay=00:00:00, mailer=relay,
 pri=30036, relay=[localhost] [127.0.0.1], dsn=2.0.0, stat=Sent
 (gB59CfQo000248 Message accepted for delivery)

 Sounds really strange because testing rules gives me the following:

 $ sendmail -bt
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter ruleset address
  3 localhost
 canonify   input: localhost
 Canonify2  input: localhost
 Canonify2returns: localhost
 canonify returns: localhost

 So the question is why do sendmail canonify the localhost name?


 See the docs for FEATURE(`nocanonify', `canonify_hosts'),
CANONIFY_DOMAIN(`my.domain'), etc.

/usr/src/contrib/sendmail/cf/README
/usr/src/contrib/sendmail/doc/op/op.*

-andrew





Re: Cant find /etc/resolv.conf

2002-12-05 Thread Andrew Prewett
Today Tiago Andre wrote:


 Hello there...

 I've the last version of freebsd...
 But i cant find the file
 /etc/resolv.conf
 Why?

Why??? Who knows? Maybe it's simply not there. But you can create one if
you have write access to the /etc dir. There's nothing special about this
file, i.e.:
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx

domain x.tld
# - or -
search x.tld

See resolv.conf(5) for more.

-andrew


 Tiago Camilo





Re: run command on logfile before it's rotated

2002-12-05 Thread Andrew Prewett
Today Akifyev Sergey wrote:

 On Thu, 2002-12-05 at 01:02, Nathan Kinkade wrote:
  On Wed, Dec 04, 2002 at 10:51:43PM +0100, Thomas von Hassel wrote:
   I've got my system set up to rotate the maillog every day at midnight.
   What do i do if i want to run a command on the logfile just before it's
   rotated ?
  
   /thomas
   --
   Thomas von Hassel
   DarX @ irc
   darxmac @ AIM/iChat
   Powered by inkwell...!
 
  How about just setting a cron job to run some reasonable period prior
  to newsyslog being run?

 It's incorrect way to do things, because some entries could be added to
 syslog _after_ the command is run, but _before_ newsyslog. Instead you
 should call some script via cron with crontab entry like this:

 # rotate log files every hour, if necessary
 0   *   *   *   *   root  /usr/bin/lock_script.sh

 And the script must contain something like:

 #!/bin/sh
 for STR in `cat /etc/newsyslog.conf |grep -v '^[[:space:]]*#.*$'|cut -f1`; do
   lockf ${STR} newsyslog.sh ${STR}
 done

This is an _advisory_ lock, not a _mandatory_ one. Syslogd could write to the
file happily while `your_command' is running or/and between `your_command'
and newsyslog.

Maybe this is a little closer (not tested):
kill -17 <syslogd pid>; my_scrypt; newsyslog; kill -19 <syslogd pid>
Ie.: STOP syslogd; run the script(s); rotate logs; CONTinue syslogd.
But if there is too much logging between the two signals, then messages could
be lost.

-andrew


 The newsyslog.sh should contain:

 #!/bin/sh
 your_command ${1}
 newsyslog ${1}





Re: quotas

2002-12-05 Thread Andrew Prewett
Today Mark wrote:

 - Original Message -
 From: Rick Fournier [EMAIL PROTECTED]
 To: Mark [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Thursday, December 05, 2002 10:06 PM
 Subject: Re: quotas



  every mount point with quota enabled will create a quota.user and
  or quota.group file in the root of each mount.

 Thanks! :) What you say makes perfect sense. Not properly understanding, I
 did a dumb thing; I symlinked /var/quota.user to /quota.user (thinking it
 all needed to be in one file; doh). Then the kernel paniced (and me along
 with it) on shutdown:

 freebsd panic: dqflush: stray dquot

 Well, it rebooted, saw some bad blocks, salvaged them, and everything is
 okay again. Pfew. As someone said here, FreeBSD is very forgiving. :)

You can specify the exact location for the quota files in /etc/fstab, ie.:
/dev/ad0s1h /home ufs rw,userquota=/var/quotas/user.home,groupquota=/var/quotas/grp.home 2 2

-andrew





Re: Opera

2002-12-03 Thread Andrew Prewett
On Dec 3 Scott Robbins wrote:

 On Tue, Dec 03, 2002 at 04:11:29PM -0700, Peter Milne wrote:
  Opera was working fine.  I now try to load a page and it crashes and closes.  
Every page, every site.  I installed it from ports.
 
  How do I get rid of it all or how do I fix it?

 I had the same issue--and a search of google indicated that one or two
 others were as well.

 So, I then installed Linux-opera from ports.  That worked. A day or two
 later, I tried the normal opera again.  And that worked.  shrug

 I can't see one being connected to the other, but who knows?
 

If opera uses SysV IPC (I don't know, never used it) maybe it's not cleaning up
correctly before exit/crash. List with ipcs, delete with ipcrm if it applies.
I had the same problem with compupic, which sometimes doesn't delete the
shared memory segment.

-andrew






Re: is there a replace command ?

2002-12-02 Thread Andrew Prewett
Today Malik Bülent wrote:

 On Freebsd4.x
 I have a file. I want to change some expressions with new ones
 For example a file
 touch  /var/qmail/1
 touch  /var/qmail/2
 touch  /var/qmail/3
 touch  /var/qmail/4
 touch  /var/qmail/5
 touch  /var/qmail/6
 I want to change touch with rm
 How can i replace a newones in stead of a lot of  expressions in a file on
 FreeBSD ?
 Which command(s) do i have to use ?


1) sed -e 's,^touch,rm,g' < infile > outfile
2) while read a b; do echo rm $b; done < infile > outfile
3) awk '{print "rm " $2}' < infile > outfile

-andrew







Re: is there a replace command ?

2002-12-02 Thread Andrew Prewett
Today Conrad Sabatier wrote:


 On 02-Dec-2002 Malik Bülent wrote:
  On Freebsd4.x
  I have a file. I want to change some expressions with new ones
  For example a file
  touch  /var/qmail/1
  touch  /var/qmail/2
  touch  /var/qmail/3
  touch  /var/qmail/4
  touch  /var/qmail/5
  touch  /var/qmail/6
  I want to change touch with rm
  How can i replace a newones in stead of a lot of  expressions in a file
  on
  FreeBSD ?
  Which command(s) do i have to use ?

 Recent versions of FreeBSD now have a version of 'sed' that can do these
 types of replacements in place, i.e., without the need for a temporary
 file:

No. I'm pretty sure, there is a temporary file somewhere. You can't edit a
file `in place' really, w/o the need for temporary files (or possibly memory
mapping the file). With the `-i' flag sed does this for you, ie. no need for
you to create a temporary file.

-andrew


 sed -i -e 's/^touch /rm /' infile







Re: Run as owner

2002-12-01 Thread Andrew Prewett
On Nov 30 Kirk Bailey wrote:

 This script is not perl, it is in python. So far the python community has
 failed in the search for clue, possibly this one can assist?


Python or not python is irrelevant here.
As a last resort, if you don't want to use su, sudo or ksu, you can use
a setuid/setgid wrapper program to execute your script:

 wrapper.c -
#include <unistd.h>
#include <stdio.h>

int main(void)
{
    /* replaces this process with the script; returns only on failure */
    execlp("/full/path/to/script", "script", "arg1", "arg2", NULL);
    perror("script");
    return 1;
}
---

arg1/arg2 is the first/second argument to the script, if any. ie:
-c filename. If there is no args, then leave them out.

 Makefile -
PROG= wrapper
NOMAN= yep
.include <bsd.prog.mk>
---

- put the wrapper.c and the Makefile in a dir, and issue the make command.
- change the owner (group), ie.: chown joeuser:joegroup wrapper
- turn the setuid bit on: chmod 04555 wrapper (not the script)

Hope this helps,

-andrew






Re: Run as owner

2002-11-30 Thread Andrew Prewett
On Nov 29 Kirk Bailey wrote:

 OK, man says to get a script to run as the owner, turn on the 4000 bit.

If you execute a script, and the first line begins
with `#!/usr/bin/perl -w' (in case of a perl script) and the script is
marked executable then the kernel executes it like:

 exec("/usr/bin/perl", "perl", "-w", "script", NULL)

(It's not exact, just to point out that the setuid/setgid bit is
normally irrelevant on scripts)

See execve(2) for more.


 OK, I did. No such luck, it continues to run as the apache identity 'nobody'.

 Any advice?


If it's a `cgi' script, then you might need apache suexec.
If you have the ksh shell, try with suid_exec.

-andrew


