Re: relayd redirect not working

2017-03-12 Thread Sebastien Marie
On Sat, Mar 11, 2017 at 09:48:27PM -0800, Dave Cohen wrote: > I'm struggling to figure out why network traffic is not making it to a > service I'm running. > > What I'm trying to do is serve http and https from a non-standard server. > (Called `caddy`, if you're curious). I want to run this

doas(1) adjustable timeout length

2017-03-12 Thread bytevolcano
Hi, Are there plans (or perhaps code already being worked on) to allow doas(1) 'persist' to have a different time other than 5 minutes? I am thinking of writing a patch for this, but I do not want to duplicate effort if the devs have other/similar plans ahead. I would like to configure the

Re: For the super paranoid

2017-03-12 Thread bytevolcano
From your link: AMD replied: "Thanks for the inquiry. Currently we do not have plans to release source code but you make a good argument for reasons to do so. We will evaluate and find a way to work with security vendors and the community to everyone's benefit."

Re: For the super paranoid

2017-03-12 Thread I love BSDs
> In order for me to trust AMD's implementation, they first need to can > that ridiculous Platform "Security" Processor. It is as useless and > dangerous as Intel Management Engine, running unknown code. Who knows, maybe they are going to open source their firmware?

Re: doas(1) adjustable timeout length

2017-03-12 Thread Theo de Raadt
I'll ask the question: Why are you sure you need that? > Are there plans (or perhaps code already being worked on) to allow > doas(1) 'persist' to have a different time other than 5 minutes? I am > thinking of writing a patch for this, but I do not want to duplicate > effort if the devs have

Re: relayd redirect not working

2017-03-12 Thread Salvatore Cuzzilla
Ciao Dave, I'm also playing with relayd as a L7 gateway and as far as I can see from your config there is no CA and key configured. In order for HTTPS to work relayd needs to be able to do TLS inspection and of course you should redirect all your https traffic to port 8443 (using PF for example).

mpath for vioscsi disks

2017-03-12 Thread Jiri B
Is mpath doable for vioscsi disks? At least if running OpenBSD on Linux KVM one could use iSCSI with a Ceph backend and thus assign two iSCSI LUNs as vioscsi disks for the OpenBSD VM. IIUC vioblk strips SCSI commands so it cannot be used for this. I'm also not sure if we would use iSCSI LUNs directly

Re: pf group and setgid

2017-03-12 Thread Theo de Raadt
> Could you be more precise on this point? I mean: if I correctly > understand, you said that this can induce unwanted behavior due to the > fact that, for example, firefox supposes it has the uid and gid of the > user who launched it (and not a different egid)? > > If I'm right, does this can

Re: pf group and setgid

2017-03-12 Thread Theo de Raadt
> Thanks for your reply. > > > You are providing a program with an additional gid. The program has > > not been coded to be aware of that gid. Two potentially different > > filesystem views now exist within the program, depending on the g=rwx > > bits of directories and files in the tree. The

Re: pf group and setgid

2017-03-12 Thread Jérôme FRGACIC
Thanks for your reply. You are providing a program with an additional gid. The program has not been coded to be aware of that gid. Two potentially different filesystem views now exist within the program, depending on the g=rwx bits of directories and files in the tree. The program is no longer

project tunerd

2017-03-12 Thread Sam Flynn
This project is OpenBSD oriented - a use of the radio device driver. It is a program allowing web/HTTP control of a radio tuner card. It is a barebones HTTP server with Server-Sent Events (SSE) to notify multiple client browsers of station/frequency changes. Published at github

Re: pf group and setgid

2017-03-12 Thread Theo de Raadt
> If I create a separate group for each program I want to allow, is there > any additional risk induced by the use of the setgid? Yes, it introduces a risk. You are providing a program with an additional gid. The program has not been coded to be aware of that gid. Two potentially different

pf group and setgid

2017-03-12 Thread Jérôme FRGACIC
Hi @misc, I have a question about pf and its possibility to filter packets by process group: is it a reasonable practice to use setgid to add some rules that allow only specific programs to use some services? For example, only permit the ftp command and firefox to use HTTP and HTTPS
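The mechanism the question is asking about, as an added example that is not part of the thread and not anyone's posted configuration: pf.conf rules keyed on the `group` that owns a socket, together with the setgid setup that hands a chosen program that gid. The group name `webonly`, the use of the `egress` interface group and the program paths are assumptions; the replies in this thread explain why giving a program an extra gid it was not written for is a risk in itself.

```pf
# Added example, not from the thread. Assumptions: a group "webonly"
# exists, the outside interface is in the "egress" interface group, and
# the programs to allow are /usr/bin/ftp and /usr/local/bin/firefox.
#
# Setup done outside pf.conf (as root), also assumed:
#   groupadd webonly
#   chgrp webonly /usr/bin/ftp /usr/local/bin/firefox
#   chmod g+s     /usr/bin/ftp /usr/local/bin/firefox
#
# pf evaluates rules last-match-wins unless "quick" is used, so the
# broad block rule comes first and the narrower pass rule overrides it.

# Nobody on this host may open outbound HTTP/HTTPS ...
block out on egress proto tcp to port { 80 443 }

# ... except sockets owned by the webonly group, i.e. processes that
# picked up that gid by running one of the setgid binaries above
# (or any process of a user who is already a member of that group).
pass out on egress proto tcp to port { 80 443 } group webonly
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and inspect the parsed rules with `pfctl -sr`. The `group` match is made against the group the kernel records as owning the socket, so it only covers connections this host itself initiates or accepts; it does nothing for forwarded traffic. Note also that anyone who is a member of `webonly` for other reasons matches the pass rule regardless of which program they run, which is one reason the thread talks about a separate group per program.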

Re: relayd redirect not working

2017-03-12 Thread Dave Cohen
Thanks all, for the several helpful responses in this thread. Here's what I currently have, in /etc/pf.conf. Appears to work. Although, I am rethinking my approach and may terminate TLS at httpd in the future. Still it is nice for me to learn what is possible. match in on egress proto tcp
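A plain pf redirect for the setup described at the top of this thread (HTTP and HTTPS served by a non-standard daemon on high ports), as an added example that is neither Dave's posted pf.conf nor relayd's own rules. It assumes the daemon listens on 127.0.0.1 ports 8080 and 8443: port 8443 is mentioned earlier in the thread, 8080 and the loopback binding are assumptions.

```pf
# Added example, not the poster's configuration. Assumptions: the
# outside interface is in the "egress" interface group and the web
# server (caddy in the thread) listens on 127.0.0.1:8080 for HTTP and
# 127.0.0.1:8443 for HTTPS. The destination is rewritten to loopback,
# so the daemon must be bound to 127.0.0.1 or to the wildcard address,
# not only to the external IP.

pass in on egress inet proto tcp to (egress) port 80  rdr-to 127.0.0.1 port 8080
pass in on egress inet proto tcp to (egress) port 443 rdr-to 127.0.0.1 port 8443

# If relayd(8) performs the redirect instead, it installs equivalent
# translation rules into its own pf anchor, which pf.conf must include:
anchor "relayd/*"
```

pf only rewrites the destination address and port here; the TLS session on 443 is still terminated by the daemon on 8443, so no key or certificate is involved at this layer. Check the file with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation with `pfctl -ss` while a client connects: the state entry shows the original and rewritten destination.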

Re: pf group and setgid

2017-03-12 Thread Jiri B
On Sun, Mar 12, 2017 at 07:13:08PM +0100, Jérôme FRGACIC wrote: > Hi @misc, > > I have a question about pf and its possibility to filter packets by process > group: is it a reasonable practice to use setgid to add some rules that > allow only specific programs to use some services? For example,

Re: doas(1) adjustable timeout length

2017-03-12 Thread bytevolcano
On one box, where I test configuration edits and backups, I find myself using doas around once every 7-9 minutes, exceeding the 5 minute limit. Another box is basically a gateway, so I don't exceed 2 minutes between doas runs. It would be nice to have the option of deviating from the default, and the

DDB "boot sync" or "boot dump" hangs

2017-03-12 Thread gwes
I'm trying to debug the following panic. I can't get a crash dump. At the DDB prompt, after either "boot sync" or "boot dump", the system prints "Syncing disks: 2" and nothing more. I've tried: removing all disks and/or controllers other than the disk holding the root; removing physical memory so

Firefox: Recently unstable

2017-03-12 Thread Stefan Wollny
Hi there, for the last 3~4 days (always running the latest of public amd64-current) firefox behaviour was kind of "unfamiliar" - regular crashes after a few minutes. Starting firefox in a xterm gave me this: ~ $ firefox firefox:/usr/local/lib/libicuuc.so.12.0: /usr/local/lib/libicudata.so.12.0 :

Re: Firefox: Recently unstable

2017-03-12 Thread Thomas Weinbrenner
On Sun, Mar 12, 2017 at 11:19:18PM +0100, Stefan Wollny wrote: > Hi there, > > for the last 3~4 days (always running the latest of public > amd64-current) firefox behaviour was kind of "unfamiliar" - regular > crashes after a few minutes. [...] > Am I right supposing that the most likely

Re: relayd redirect not working

2017-03-12 Thread Michael W. Lucas
On Sun, Mar 12, 2017 at 09:26:53AM +0100, Salvatore Cuzzilla wrote: > Ciao Dave, > > I'm also playing with relayd as a L7 gateway and as far as I can see from your > config there is no CA and key configured. In order for HTTPS to work relayd > needs to be able to do TLS inspection and of course

Re: doas(1) adjustable timeout length

2017-03-12 Thread Ted Unangst
bytevolc...@safe-mail.net wrote: > On one box I test configuration edits and backups, I find myself using > doas around once every 7-9 minutes, exceeding the 5 minute limit. > Another box is basically a gateway, so I don't exceed 2 minutes between > doas runs. The timeout was originally 10

Re: pf group and setgid

2017-03-12 Thread Jérôme FRGACIC
You seem to be equating the setgid bit with the concept of "start a process with a different gid". No, that's not what it does. The setgid bit starts a new executable with a disjoint mix of effective, saved, and real gid list, as well as a gidlist. Maybe it was not clear in my message but: