Re: high-end audio drivers [was: OSS audio drivers]

2007-10-24 Thread Alexandre Ratchov
On Wed, Oct 24, 2007 at 12:55:39AM +0200, Jan Stary wrote:
> > > What is the relation of OpenBSD's audio drivers to the OSS project?
> > > What, if anything, does opensourcing (GPL, I know) their code mean for
> > > our audio drivers? In particular, does that mean (future) support for
> > > the high-end soundcards such as M-Audio Delta?
> > 
> > There's work in progress on adding support for Delta cards (1010,
> > 1010LT, 66, 44), and required features to make them usable (32bit
> > encodings, 12 channel capture, higher sample rate, etc...)
> 
> Where can I get in touch with this work and possibly test it?
> Is anything committed - available in current?
> 

it's not in cvs yet. Below's a diff you can test. It probably only
works on delta-1010 and delta-1010LT cards and it's enabled on i386
only. The diff adds support for 32bit samples and 10 channels.
Neither capture nor mixer are implemented yet. Feel free to contact
me privately if you have questions on that.

Anyway, if you have any Delta card, I'm interested in seeing your
card's eeprom contents (in dmesg); the kernel should be compiled on
i386 with these options:

option  ENVY_DEBUG

envy* at pci?
audio* at envy?

Also, let me know if you notice regression with other audio
drivers.

cheers,

-- Alexandre

Index: arch/i386/conf/GENERIC
===
RCS file: /cvs/src/sys/arch/i386/conf/GENERIC,v
retrieving revision 1.583
diff -u -p -r1.583 GENERIC
--- arch/i386/conf/GENERIC  14 Oct 2007 17:39:46 -  1.583
+++ arch/i386/conf/GENERIC  24 Oct 2007 05:54:38 -
@@ -628,6 +628,7 @@ maestro* at pci?# ESS Maestro PCI
 esa*   at pci? # ESS Maestro3 PCI
 yds*   at pci? flags 0x# Yamaha YMF Audio
 emu*   at pci? # SB Live!
+#envy* at pci? # VIA Envy24 (aka ICE1712)
 sb0at isa? port 0x220 irq 5 drq 1  # SoundBlaster
 sb*at isapnp?
 ess*   at isapnp?  # ESS Tech ES188[78], ES888
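Review bot: the `audio* at envy?` attachment the mail asks testers to enable is missing next to the new `#envy* at pci?` line; add a commented `#audio* at envy?` directly below it so a tester uncomments two adjacent lines instead of hunting for where audio attaches. Leaving both disabled by default is right for a diff that, per the mail, has no capture or mixer support yet.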
Index: dev/pci/envy.c
===
RCS file: dev/pci/envy.c
diff -N dev/pci/envy.c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ dev/pci/envy.c  24 Oct 2007 05:54:38 -
@@ -0,0 +1,699 @@
+/*
+ * Copyright (c) 2007 Alexandre Ratchov [EMAIL PROTECTED]
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include sys/param.h
+#include sys/systm.h
+#include sys/device.h
+#include sys/ioctl.h
+#include sys/audioio.h
+#include sys/malloc.h
+#include dev/pci/pcivar.h
+#include dev/pci/pcidevs.h
+#include dev/pci/envyvar.h
+#include dev/pci/envyreg.h
+#include dev/audio_if.h
+#include machine/bus.h
+
+#ifdef ENVY_DEBUG
+#define DPRINTF(...) do { if (envydebug) printf(__VA_ARGS__); } while(0)
+#define DPRINTFN(n, ...) do { if (envydebug  (n)) printf(__VA_ARGS__); } 
while(0)
+int envydebug = 1;
+#else
+#define DPRINTF(...) do {} while(0)
+#define DPRINTFN(n, ...) do {} while(0)
+#endif
+#define DEVNAME(sc) ((sc)-dev.dv_xname)
+
+int  envymatch(struct device *, void *, void *);
+void envyattach(struct device *, struct device *, void *);
+int  envydetach(struct device *, int);
+
+int  envy_ccs_read(struct envy_softc *sc, int reg);
+void envy_ccs_write(struct envy_softc *sc, int reg, int val);
+int  envy_cci_read(struct envy_softc *sc, int index);
+void envy_cci_write(struct envy_softc *sc, int index, int data);
+void envy_i2c_wait(struct envy_softc *sc);
+int  envy_i2c_read(struct envy_softc *sc, int dev, int addr);
+void envy_i2c_write(struct envy_softc *sc, int dev, int addr, int data);
+int  envy_gpio_read(struct envy_softc *sc);
+void envy_gpio_write(struct envy_softc *sc, int data);
+void envy_eeprom_read(struct envy_softc *sc, unsigned char *);
+void envy_reset(struct envy_softc *sc);
+void envy_ak_write(struct envy_softc *sc, int dev, int addr, int data);
+int  envy_intr(void *);
+
+int envy_open(void *, int);
+void envy_close(void *);
+void *envy_allocm(void *, int, size_t, int, int);
+void envy_freem(void *, void *, int);
+int envy_query_encoding(void *, struct audio_encoding *);
+int envy_set_params(void *, int, int, struct audio_params *, 
+struct audio_params *);
+int envy_round_blocksize(void *, int);
+size_t envy_round_buffersize(void *, 
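Review bot: `envy_eeprom_read(struct envy_softc *sc, unsigned char *)` takes a destination buffer with no length parameter, and nothing in the visible prototypes records how large the caller must make it; since the mail asks testers to report EEPROM contents from dmesg, pass the size explicitly (or define the fixed EEPROM length in envyreg.h and name it in a comment at the prototype) so the copy cannot overrun a caller's buffer. Two smaller points: `int envydebug = 1;` under `#ifdef ENVY_DEBUG` makes every `DPRINTF` fire by default in a debug kernel, which suits this test diff but should drop to 0 before commit; and the `DPRINTFN` definition is split across two lines as shown, so the comparison on `envydebug` cannot be checked. The file is cut off in the middle of the `envy_round_buffersize` prototype, so the function bodies were not reviewable.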

Non-x86 (was: About Xen: maybe a reiterative question but ..)

2007-10-24 Thread Lars Noodén
Theo de Raadt wrote:
> x86 virtualization is about basically placing another nearly full
> kernel, full of new bugs, on top of a nasty x86 architecture which
> barely has correct page protection.

He probably meant psychological security, or job security.

> ...  Then running your operating
> system on the other side of this brand new pile of shit.

Seriously, what (affordable) non-x86 hardware options are available,
especially those without AMT or AMT-like backdoors?

http://softwarecommunity.intel.com/articles/eng/1148.htm
http://www.intel.com/pressroom/archive/releases/20050301net.htm
http://www.intel.com/cd/ids/developer/asmo-na/eng/320959.htm

Or is workstation and server hardware covered by CALEA now, too?

-Lars



Re: : Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Raimo Niskanen
There is one thing I really miss in OpenBSD's ntpd, and that is
some way of asking the status. It need not be something like
ntpq for standard ntpd. Sending it e.g SIGUSR1 so it would
dump current servers, their status and ntpd's general status
would be nice.

When there is nothing for a while in the syslogs it gets
tedious to find out if and what is going on with ntpd on OpenBSD...



On Tue, Oct 23, 2007 at 01:52:46PM -0700, Clint Pachl wrote:
> Darrin Chandler wrote:
> > On Tue, Oct 23, 2007 at 11:49:57AM -0600, Chris Kuethe wrote:
> > > On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
> > > > The ntpd from OBSD is raw and lame yet. It takes days (!) to really
> > > > synchronize, adjusting time and clock frequency back and forth (even if you
> > > > start with -s) so it's too early to say that using it is right. It will
> > > > be right after it matures, gets a more useful synchronization algorithm and
> > > > its own ntpdate (or a parameter to synchronize and exit).
> > >
> > > Blah blah blah.
> > >
> > > time1 and time2.srv.ualberta.ca are both running openntpd driven by
> > > nmea(4) sensors. As is my home workstation. They wibble around within
> > > a microsecond or two of the sensor's time, probably due to a)
> > > interrupt handling and b) temperature changes caused by the air
> > > conditioner or cats sleeping on the case.
> >
> > And my servers are in a windowless room under a lot of concrete and
> > steel, so there's no good way to get GPS or radio data, and I'm using
> > other time servers on the internet to sync.
> >
> > They keep time very well, on sparc64 and amd64, and both are in
> > pool.ntp.org and score quite well. In fact, they compare favorably to
> > servers running the more heavyweight ntp daemons.
>
> That is a very interesting anecdote. That has got to make Henning proud;
> hell, I'm proud of him. The amazing thing is that the ntpd binary on my
> i386 is only 34.4K. The ntpd binary (non-OpenNTPD) on my i386 FreeBSD
> media center is 263K, not to mention all of the other ntp* binaries,
> which bring the total size to 426K. Plus, OpenNTPD has privilege separation!

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Henning Brauer
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 03:03]:
> Virtualization seems to have a lot of security benefits

seems?
to whom?
to people who never wrote a line of code and don't understand how 
things work?


-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: max-src-conn-rate rule question

2007-10-24 Thread Henning Brauer
* Rob [EMAIL PROTECTED] [2007-10-24 00:05]:
> I'm not a pf newbie by any means, but I'm not really qualified to
> answer questions about it either. That said, I don't usually use an
> '=' sign in my pf rules, and the pf faq doesn't list that as one of
> the accepted operators for the port range

well, it is valid. the parser is more permissive than what we document.

> (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
> parsed correctly, it would cause the behavior you're seeing. Try,

hell no! if the rule can't be parsed correctly, pfctl throws an error 
of course!

> block in log quick proto tcp port ssh keep state \
>     (source-track rule, max-src-conn-rate 3/30, overload <sshd_attackers>, src.track 30)
>
> Note that I wouldn't use a flush global directive for a rule like
> this, because it can lead to a neat DoS where somebody can spoof one
> of your own IP addresses and shut down any ssh sessions you have
> active.

no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus 
making spoofing unfeasible. that info, of course, is in the manpage... 
very loud and clear. why don't you check there before spreading fud on 
the list? this doesn't only apply to you, but is completely beyond me. 
why do we invest lots of time and nerves and whatnot in manpages when 
people do not read them, and instead guess a bit and then spread shit 
because the guess was of course wrong? read the damn manpages!

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



HW selection for openBSD based web/Multimedia server and NAS

2007-10-24 Thread Insan Praja SW

Guys,
I'm currently in charge of assembling a generic multimedia server (like
YouTube, but on a much smaller scale). Before we invest in something big
on a server platform like IBM, Sun, HP or Dell, we're thinking of using
an Intel or Tyan server board.
In this testing environment, we will simulate a web/multimedia server and
Network Attached Storage.
I'm really looking forward to advice on motherboard or H/W selection,
and maybe some expert who has experience with a similar setup/environment on
an OpenBSD platform could, of course, share their knowledge.

Many Thanks,

--
Insan Praja SW



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Henning Brauer
* Boris Goldberg [EMAIL PROTECTED] [2007-10-23 18:15]:
>   It's always better not to run a daemon if you don't have to. :)

It's always better to not write a nonsense mail if you don't have to.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Henning Brauer
* Martin Schröder [EMAIL PROTECTED] [2007-10-24 00:51]:
> 2007/10/23, Darrin Chandler [EMAIL PROTECTED]:
> > pool.ntp.org and score quite well. In fact, they compare favorably to
> > servers running the more heavyweight ntp daemons.
>
> While we are talking about ntpd: Is there hope of an update of the
> portable version? The debian port is still at 3.9...

I can't nor want to do the portable, and the portable maintainer 
vanished. If you wanna do the work and be the -stable guy, pick ntpd 
sources, make and test the portable and send it to me :)

> PS: http://www.openntpd.org is also still at 3.9...

due to exactly that. I'll fix it for 4.2 (if I don't forget again)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Henning Brauer
* Clint Pachl [EMAIL PROTECTED] [2007-10-24 00:45]:
> Henning Brauer wrote:
> > * Boris Goldberg [EMAIL PROTECTED] [2007-10-23 15:50]:
> > > CP One system would get time from the NTP pool and all other servers on
> > > CP the network would sync to the local server.
> > >   You don't really need ntpd on all systems. One (timeserver) runs ntpd,
> > > and others use rdate, called from cron (once a day is usually enough).
> >
> > that is bad advice.
> > it is not only much more work to set up, it also doesn't remotely yield
> > the same results. ntpd is much much better, since it doesn't rely on a
> > single answer from some server to set the clock, and because it adjusts
> > the clock frequency over time.
> > there is not much point in using rdate at all.
>
> From what I have read in this thread, it looks like only one guy prefers
> the old timed and rdate tools. A few are even telling him he is giving bad
> advice when promoting the usage of these tools. Henning mentioned that
> rdate and timed are pretty much useless and others have said that timed is
> obsolete. So why don't we remove them from the source tree?

rdate has an ntp mode, that is useful for checking/monitoring/debugging 
ntp servers, so it'll stay.

timed might indeed be a candidate for the Attic.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: MegaRAID SAS 8204ELP not working ?

2007-10-24 Thread David Gwynne

From looking at the lsi site and the driver names it ships on these
model controllers, it looks like these nics are really mpi(4) based
with a driver that does software raid on top of it. Way to sully the
MegaRAID name LSI...

Anyway, I think you're going to have to move up from the value line
of megaraid sas controllers to get a real mfi. Another option is to
get an areca controller. They've been extremely friendly and extremely
supportive of OpenBSD's development of a driver for their hardware,
and it's all hardware raid.

dlg

On 24/10/2007, at 3:55 AM, Walter Bürger wrote:

> Hi,
>
> just installed a MegaRAID SAS 8204ELP Controller and according to
> the BIOS:
>
> LSI MegaRAID Software RAID BIOS Version M1068e.01.01021804R
> LSI Logic MPT RAID Found at PCI Bus No:04 Dev No:00
> SAS/SATA RAID key is Detected.
> Bringing up the Controller. Please wait...
> Scanning for Port 00... Responding. WDC WD800JD-75MS 75781MB
> Scanning for Port 01... Responding. WDC WD800AAJS-00 75807MB
> Scanning for Port 02... Not Responding.
> Scanning for Port 03... Not Responding.
> Scanning for Port 04... Not Responding.
> Scanning for Port 05... Not Responding.
> Scanning for Port 06... Not Responding.
> Scanning for Port 07... Not Responding.
>
> 01 Logical drive(s) Configured.
> Array#  Mode    Stripe Size  No.Of Stripes  DriveSize  Status
> 00      RAID1   64KB         02             75340MB    Online
>
> Press CTRL-M or Enter to run LSI Logic Software RAID Setup Utility.
>
> all goes well so far.
>
> But:
> Normally, if a logical drive is recognized by OpenBSD, there are NO
> two sd (sd0, sd1) drives at scsibus0.
> At this installation I had sd0 and sd1 for root disk choice at
> scsibus0.
>
> Also there is no mention of a logical drive in the dmesg.
>
> After the installation OpenBSD 4.2 booted from sd0.
>
> From the manpage mfi(4) the MegaRAID SAS 820'8'ELP should be
> recognized as mfi0,
> so I thought the MegaRAID SAS 820'4'ELP should be recognized as mfi0
> too.
>
> No, the MegaRAID SAS 8204ELP is recognized as mpi0 as the following
> dmesg shows.
>
> bioctl mpi0 gives: bioctl: Can't locate mpi0 device via /dev/bio
> bioctl mfi0 gives: bioctl: Can't locate mfi0 device via /dev/bio
>
> So I think I do not have a functioning RAID.
>
> Why is the MegaRAID SAS 8204ELP recognized as mpi0?
> Is there a patch to correct the assignment of MegaRAID SAS 8204ELP
> to mfi0?
> (If the controller could be made to be recognized as mfi0, then I could
> use bioctl :-))
> What method exists to let me know if RAID works, without bioctl?
>
> Thanks,
> Walter.
>
>
> dmesg:
> OpenBSD 4.2-current (GENERIC) #405: Thu Sep 13 16:06:09 MDT 2007
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Core(TM)2 CPU 6320 @ 1.86GHz ("GenuineIntel" 686-class) 1.87 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
> real mem  = 1064464384 (1015MB)
> avail mem = 1021571072 (974MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 06/05/07, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.4 @ 0xf04e0 (56 entries)
> bios0: vendor American Megatrends Inc. version "1004" date 06/05/2007
> bios0: ASUSTek Computer INC. P5L-MX
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> apm0: flags 30102 dobusy 0 doidle 1
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7a50/240 (13 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801GB LPC" rev 0x00)
> pcibios0: PCI bus #4 is the last bus
> bios0: ROM list: 0xc/0xae00! 0xcb000/0x1800 0xcc800/0x5000!
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82945GP" rev 0x02: rng active, 800Kb/sec
> ppb0 at pci0 dev 1 function 0 "Intel 82945GP PCIE" rev 0x02
> pci1 at ppb0 bus 4
> mpi0 at pci1 dev 0 function 0 "Symbios Logic SAS1068E" rev 0x04: irq 11
> scsibus0 at mpi0: 173 targets
> sd0 at scsibus0 targ 0 lun 0: <ATA, WDC WD800JD-75MS, 1E03> SCSI3 0/direct fixed
> sd0: 76293MB, 76294 cyl, 16 head, 127 sec, 512 bytes/sec, 15625 sec total
> sd1 at scsibus0 targ 1 lun 0: <ATA, WDC WD800AAJS-00, 6H05> SCSI3 0/direct fixed
> sd1: 76319MB, 76320 cyl, 16 head, 127 sec, 512 bytes/sec, 156301488 sec total
> vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02: aperture at 0xe000, size 0x1000
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
> pci2 at ppb1 bus 3
> ppb2 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01
> pci3 at ppb2 bus 2
> "Attansic Technology L1" rev 0xb0 at pci3 dev 0 function 0 not configured
> uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 5
> uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 10
> uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 14
> uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 15
> ehci0 at pci0 dev 29 function 7 Intel 

Re: Performance problem with CF card on AMD CS5536 IDE

2007-10-24 Thread Stefan Klein
As I mentioned in my first mail, it appears to be an OpenBSD-specific 
problem. On the exact same hardware, I can measure a throughput of about 10 
MB/second when using FreeBSD.
This matches more or less the CF specifications (PQI industrial Turbo 
Compact Flash Card). UDMA33 is used under FreeBSD.


Any ideas?




- Original Message - 
From: Brian A. Seklecki [EMAIL PROTECTED]

To: Stefan Klein [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Monday, October 22, 2007 5:12 PM
Subject: Re: Performance problem with CF card on AMD CS5536 IDE


> pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
> wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: <Turbo Industrial CF Card>
> wd0: 1-sector PIO, LBA, 1983MB, 4062240 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
>
> This looks normal.  I've yet to find a CF-IDE Adapter combination that 
> makes it into full Ultra-DMA mode 4.
>
> CF Media is generally slower than modern high perf. disks, depending a lot 
> on the manufacturer quality.
>
> For my bsd-appliance project, I use CF media strictly for booting a MD/RD 
> kernel image.  If you're doing a full-install on the CF card, you've got 
> the wrong approach.  You're going to nuke your CF media with all of that 
> atime update and IO cache flush overhead.
>
> There's no progress(1) in OpenBSD yet, so I'm not sure about the exact 
> speed, but I'm able to un-pax(1) a 20-60 meg kernel image into MFS /usr 
> in about 10 seconds.  ARInfotek AMD-Geode 800 SBC (500MHz)  ~BAS








Re: : Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Christian Weisgerber
Raimo Niskanen [EMAIL PROTECTED] wrote:

> There is one thing I really miss in OpenBSD's ntpd, and that is
> some way of asking the status. It need not be something like
> ntpq for standard ntpd. Sending it e.g SIGUSR1 so it would
> dump current servers, their status and ntpd's general status
> would be nice.

If you send -current ntpd SIGINFO, it will syslog its status.

-- 
Christian "naddy" Weisgerber  [EMAIL PROTECTED]



Re: : : Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Raimo Niskanen
On Wed, Oct 24, 2007 at 09:43:56AM +, Christian Weisgerber wrote:
> Raimo Niskanen [EMAIL PROTECTED] wrote:
> 
> > There is one thing I really miss in OpenBSD's ntpd, and that is
> > some way of asking the status. It need not be something like
> > ntpq for standard ntpd. Sending it e.g SIGUSR1 so it would
> > dump current servers, their status and ntpd's general status
> > would be nice.
> 
> If you send -current ntpd SIGINFO, it will syslog its status.
> 

Swell!

But not 4.2, right?

> -- 
> Christian "naddy" Weisgerber  [EMAIL PROTECTED]

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: LDAP users

2007-10-24 Thread Linus Swälas

On Wed, 24 Oct 2007 07:26:39 +0200, [EMAIL PROTECTED] wrote:


> Hi all.
>
> I want the OpenBSD system to see system users in LDAP.
> I know that OpenBSD doesn't have anything like nsswitch in other
> Unixes.
>
> What can I do?


First of all, post to the right list. ;) This would fit better on
the misc list.

Now, for your question: what you're looking for is in the
/etc/login.conf file. There is a man page for it, login.conf(5).

In /etc/login.conf you have a line that says:
auth-defaults:auth=passwd,skey:

You'd want to change that line to something like:
auth-defaults:auth=ldap:

OpenBSD doesn't include an LDAP module though, so you'd have to write
your own; details of how to do so are in the login.conf(5) man page.
Or perhaps you can google something, someone else has probably built
one already.

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/



Re: gpio support on ALIX board

2007-10-24 Thread Marc Balmer

Martin Hedenfalk wrote:

> Hello list,
>
> Is anyone working on getting the gpio pins supported on the PCEngines 
> ALIX boards?
> I'd like to be able to control the LEDs using gpioctl, just like on the 
> WRAP.


I am.

- mb



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Marc Balmer

Boris Goldberg wrote:

> Hello Rogier,
>
> Tuesday, October 23, 2007, 9:01:32 AM, you wrote:
>
> RK On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
>
> You don't really need ntpd on all systems. One (timeserver) runs ntpd,
> and others use rdate, called from cron (once a day is usually enough).
>
> RK While your suggestion would work, it would also entail more work
> RK without adding benefit. Upon install, you get the question of whether
> RK you want to use ntpd. Starting with 4.2, it even asks for a specific
> RK NTP server.
>
>   It's always better not to run a daemon if you don't have to. :)
>   Talking about more work - I don't think that someone avoiding small
> after-install tuning like this should be taking care of any network
> besides his home one. ;) Anyway, for the last five years no version of OBSD
> (including 4.2) worked for me without tuning a kernel, so an extra line in
> a crontab is nothing. :)



This is bad advice.  If you want your machines to be synchronized, use
ntpd.  The bad advice given above will not synchronize your machines' time.



Re: LDAP users

2007-10-24 Thread Marc Balmer

Linus Swälas wrote:

> On Wed, 24 Oct 2007 07:26:39 +0200, [EMAIL PROTECTED] wrote:
>
> > Hi all.
> >
> > I want the OpenBSD system to see system users in LDAP.
> > I know that OpenBSD doesn't have anything like nsswitch in other
> > Unixes.
> >
> > What can I do?
>
> First of all, post to the right list. ;) This would fit better on
> the misc list.
>
> Now, for your question: what you're looking for is in the
> /etc/login.conf file. There is a man page for it, login.conf(5).
>
> In /etc/login.conf you have a line that says:
> auth-defaults:auth=passwd,skey:
>
> You'd want to change that line to something like:
> auth-defaults:auth=ldap:
>
> OpenBSD doesn't include an LDAP module though, so you'd have to write
> your own; details of how to do so are in the login.conf(5) man page.
> Or perhaps you can google something, someone else has probably built
> one already.


unfortunately this is not enough.  the user ids and group ids must also
be present on the machine.  this means that you have to add the accounts
locally as well.



> --
> Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
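What Linus describes (a BSD Authentication script selected through login.conf) combined with Marc's point (the account must also exist locally), as an added example. This is not OpenBSD code and not something either of them posted: OpenBSD base ships no login_ldap, so the script below is a hypothetical /usr/libexec/auth/login_ldap that binds to the directory as the user with ldapwhoami(1) from the OpenLDAP client tools (a port). LDAP_URI and PEOPLE_BASE are assumed values; the back-channel protocol (fd 3, the -s service switch, "authorize"/"reject") is the one documented in login.conf(5).

```shell
#!/bin/sh
# Added example (not from the thread, not part of OpenBSD): a minimal BSD
# Authentication script in the style of /usr/libexec/auth/login_*, to be
# installed as /usr/libexec/auth/login_ldap and selected in login.conf(5)
# with "auth-defaults:auth=ldap:". LDAP_URI and PEOPLE_BASE are assumed
# values; ldapwhoami(1) comes from the OpenLDAP client tools (a port).
set -eu

LDAP_URI=${LDAP_URI:-ldaps://ldap.example.com}
PEOPLE_BASE=${PEOPLE_BASE:-ou=People,dc=example,dc=com}

# Answer the caller (login(1), su(1), sshd(8), ...) on file descriptor 3.
reply() {
	printf '%s\n' "$*" >&3
}

# Accept only names that are safe to splice into a DN: a name containing
# "," or "=" could otherwise choose a different entry to bind as.
valid_username() {
	case $1 in
	'' | -* | .* | *[!A-Za-z0-9_.-]*) return 1 ;;
	*) return 0 ;;
	esac
}

ldap_dn_for_user() {
	valid_username "$1" || return 1
	printf 'uid=%s,%s\n' "$1" "$PEOPLE_BASE"
}

# Simple bind as the user. The password reaches ldapwhoami through a 0600
# temporary file (-y), not on the command line (-w) where ps(1) shows it.
# An empty password is refused up front: LDAP treats an empty simple bind
# as anonymous and would report success.
ldap_bind_ok() {
	dn=$1
	pw=$2
	[ -n "$pw" ] || return 1
	pwfile=$(mktemp) || return 1
	printf '%s' "$pw" >"$pwfile"   # no trailing newline: -y uses the whole file
	if ldapwhoami -x -H "$LDAP_URI" -D "$dn" -y "$pwfile" >/dev/null 2>&1; then
		rc=0
	else
		rc=1
	fi
	rm -f "$pwfile"
	return $rc
}

# Service "login": prompt on the terminal ourselves. Service "response":
# the caller hands us the challenge and the response as two NUL-terminated
# strings on fd 3; we take one read (a simplification of what
# login_passwd(8) does) and keep the second string. Passwords containing
# a newline are not supported by this script.
read_password() {
	case $1 in
	login)
		stty -echo 2>/dev/null || true
		printf 'Password:' >&2
		IFS= read -r pw
		stty echo 2>/dev/null || true
		echo >&2
		printf '%s\n' "$pw" ;;
	response)
		dd bs=1024 count=1 <&3 2>/dev/null | tr '\0' '\n' | sed -n 2p ;;
	*)
		return 1 ;;
	esac
}

authenticate() {
	user=$1
	service=$2
	# The account must exist locally as well: uid, gid, shell and home come
	# from the local passwd database, not from the directory.
	if ! id -u "$user" >/dev/null 2>&1; then reply reject; return 1; fi
	if ! dn=$(ldap_dn_for_user "$user"); then reply reject; return 1; fi
	if ! pw=$(read_password "$service"); then reply reject; return 1; fi
	if ldap_bind_ok "$dn" "$pw"; then reply authorize; return 0; fi
	reply reject
	return 1
}

# Invocation per login.conf(5): login_style [-v name=value] [-s service] user [class]
service=login
while getopts 'v:s:' opt; do
	case $opt in
	s) service=$OPTARG ;;
	v) ;;            # name=value hints from the caller, unused here
	*) exit 1 ;;
	esac
done
shift $((OPTIND - 1))
# With no user argument only the functions are defined (useful for testing).
[ $# -eq 0 ] || authenticate "$1" "$service"
```

Install it mode 0555 owned by root, then point a login class at it with `auth=ldap` and keep the local accounts in master.passwd with a locked password field (`*`), so the only way in is the directory bind. The two checks worth keeping even in a fuller implementation are the username filter (DN injection) and the refusal of empty passwords (anonymous bind reported as success).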




Re: : : Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Christian Weisgerber
Raimo Niskanen [EMAIL PROTECTED] wrote:

> > If you send -current ntpd SIGINFO, it will syslog its status.
> 
> But not 4.2, right?

Right.

-- 
Christian "naddy" Weisgerber  [EMAIL PROTECTED]



current and fluxbox

2007-10-24 Thread Pau Amaro-Seoane
Hi,

I made a fresh install of current some five days ago and when I tried
to install fluxbox I get:


# pkg_add fluxbox
Can't install imlib2-1.4.0: lib not found png.6.0
Dependencies for imlib2-1.4.0 resolve to: png-1.2.18, bzip2-1.0.4,
libid3tag-0.15.1bp0, jpeg-6bp3, libungif-4.1.4p1, tiff-3.8.2p0
Full dependency tree is
png-1.2.18,bzip2-1.0.4,libid3tag-0.15.1bp0,jpeg-6bp3,libungif-4.1.4p1,tiff-3.8.2p0
png.6.0: partial match in /usr/local/lib: major=5, minor=2 (bad major)
Can't install fluxbox-0.9.15.1p0: can't resolve imlib2-1.4.0


I have tried different ftp mirrors (even the master one) in these days
but I get the same problem all the time.

I *know* that this is normal if you're following current but I wonder
whether it can take so long (i.e. almost a week) to fix the
dependencies.

Again, feel free to stone me. If my language is offensive it's a
matter of not being native in English. The email is meant to be very
nice.

I need current because of my bleeding-edge hardware (eek!).

Cheers,

Pau



Re: current and fluxbox

2007-10-24 Thread Stuart Henderson
On 2007/10/24 11:31, Pau Amaro-Seoane wrote:
> I have tried different ftp mirrors (even the master one) in these days
> but I get the same problem all the time.

At the moment, you need to build your own from ports or wait a
while. There have been some changed libraries recently and it will
take a while for new package snaps to finish.

> I *know* that this is normal if you're following current but I wonder
> whether it can take so long (i.e. almost a week) to fix the
> dependencies.

Yes - as well as actually building the packages, they must be
transferred to the ftp servers, which can be up to 4gb or so for
some arch, and this takes some time.



Re: current and fluxbox

2007-10-24 Thread Pau Amaro-Seoane
thanks for the answer!

Pau

2007/10/24, Stuart Henderson [EMAIL PROTECTED]:
> On 2007/10/24 11:31, Pau Amaro-Seoane wrote:
> > I have tried different ftp mirrors (even the master one) in these days
> > but I get the same problem all the time.
>
> At the moment, you need to build your own from ports or wait a
> while. There have been some changed libraries recently and it will
> take a while for new package snaps to finish.
>
> > I *know* that this is normal if you're following current but I wonder
> > whether it can take so long (i.e. almost a week) to fix the
> > dependencies.
>
> Yes - as well as actually building the packages, they must be
> transferred to the ftp servers, which can be up to 4gb or so for
> some arch, and this takes some time.



Re: max-src-conn-rate rule question

2007-10-24 Thread Rob
On 10/24/07, Henning Brauer [EMAIL PROTECTED] wrote:
> * Rob [EMAIL PROTECTED] [2007-10-24 00:05]:
> > Note that I wouldn't use a flush global directive for a rule like
> > this, because it can lead to a neat DoS where somebody can spoof one
> > of your own IP addresses and shut down any ssh sessions you have
> > active.
>
> no. src-conn-rate works w/ established tcp conns, AFTER the 3whs, thus
> making spoofing unfeasible. that info, of course, is in the manpage...
> very loud and clear. why don't you check there before spreading fud on
> the list?

I was quoting that from memory, specifically from Joachim Schipper's
comment on August 9th: "Or maybe not - 'flush' enables an attacker to
not only prevent you connecting, but actually to log you out as well."
(http://marc.info/?l=openbsd-misc&m=118665539219389&w=2)

I managed to miss the follow-up post on the 3-way-handshake.

> this doesn't only apply to you, but is completely beyond me.
> why do we invest lots of time and nerves and whatnot in manpages when
> people do not read them, and instead guess a bit and then spread shit
> because the guess was of course wrong? read the damn manpages!

People read the man pages. I would sooner read, re-read, and then
study the man pages, then perform background research, experiment, and
then write sample code, before asking a question on this list.

The guy's question had languished for 2 days. I didn't bother to go
back through the 2,079 lines of pf.conf manpage to get the correct
answer; my bad. I had five minutes today in which I wasn't catching
shit from someone else, so I thought I'd give a best guess and catch
some shit here instead.

- R.
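Henning's point in this exchange (max-src-conn-rate counts only connections that completed the three-way handshake, so "flush global" cannot be turned into a spoofed logout), together with the rule Rob quoted from memory, as an added example. This is not code from the thread or from OpenBSD: a small sh wrapper that emits an ssh overload fragment for pf.conf(5) and wraps the pfctl(8) calls used to check, inspect and age the table. The table name, the rate limits and the use of "flush global" are choices made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD code): an ssh brute-force
# ruleset built on pf's max-src-conn-rate and an overload table, plus the
# pfctl(8) calls used to check, inspect and age it. Table name, limits and
# "flush global" are illustrative choices; the semantics in the comments
# are taken from pf.conf(5).
set -eu

TABLE=sshd_attackers

# pf counts a source toward max-src-conn-rate only for TCP connections that
# completed the three-way handshake. A host therefore has to finish real
# handshakes from its real address before it is overloaded, and
# "flush global" (kill every state from that address) cannot be aimed at
# one of your own IPs by spoofing: the spoofer never sees the SYN-ACK.
ssh_overload_rules() {
	cat <<EOF
table <$TABLE> persist
block in quick proto tcp from <$TABLE> to any port ssh
pass in quick proto tcp to any port ssh flags S/SA keep state \\
    (max-src-conn 10, max-src-conn-rate 3/30, overload <$TABLE> flush global)
EOF
}

# Lines that reference the table (definition, block rule, overload clause):
# a cheap consistency check before the fragment goes anywhere near pfctl.
overload_refs() {
	ssh_overload_rules | grep -c "<$TABLE>"
}

# Parse only (-n). The fragment is meant to be pasted into /etc/pf.conf;
# "pfctl -f" on it alone would replace the whole live ruleset.
check_rules() {
	ssh_overload_rules | pfctl -nf -
}

# Addresses currently being dropped.
show_blocked() {
	pfctl -t "$TABLE" -T show
}

# Age out entries older than a day (run from cron(8)), so a dynamic address
# that once hosted a brute forcer is not blocked forever.
expire_blocked() {
	pfctl -t "$TABLE" -T expire 86400
}

case ${1:-} in
	rules)  ssh_overload_rules ;;
	check)  check_rules ;;
	show)   show_blocked ;;
	expire) expire_blocked ;;
	'')     ;;   # no argument: just define the functions
	*)      echo "usage: $0 rules|check|show|expire" >&2; exit 2 ;;
esac
```

The `block` rule has to come before the `pass` rule because both are `quick`. Without `flush global` an overloaded address keeps its existing sessions and only new connections are blocked; with it, the states are torn down too, which is what the thread argued about and which is safe precisely because the source address in those states is one that completed handshakes.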



ifstated(8) missing if state changes?

2007-10-24 Thread Heinrich Rebehn
Hi list,

it seems that ifstated(8) sometimes does not see all events and thus 
fails to change state.

My setup consists of 2 boxes with 5 carp interfaces. CARP works fine, on 
box frw1 all are MASTER and on box frw2 all are in BACKUP state.
When i bring down all carp interfaces on frw1, all get MASTER on frw2.
However, ifstated(8) on frw2 does not change state.

[EMAIL PROTECTED] [~] # cat /etc/ifstated.conf

init-state auto
carp_up = "carp0.link.up && carp1.link.up && carp2.link.up && carp3.link.up && carp5.link.up"
carp_down = "carp0.link.down || carp1.link.down || carp2.link.down || carp3.link.down || carp5.link.down"

state auto {
    if ($carp_up) set-state master
    if ($carp_down) set-state slave
}

state master {
    init {
        run "logger CARP up!"
#       run "/root/scripts/carp-up.sh"
    }
    if ($carp_down) set-state slave
}

state slave {
    init {
        run "logger CARP down!"
#       run "/root/scripts/carp-down.sh"
    }
    if ($carp_up) set-state master
}

I did a ktrace on the ifstated(8) process on frw2 and the dump gives:

[EMAIL PROTECTED] [~] # kdump -l | grep carp


\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\f\0\M-w\^E\^F\0carp0\0\0^\0\^A
\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\r\0\M-w\^E\^F\0carp1\0\0^\0\^A\v\0\
\M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\



\0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\^A\f\0\^P\^B\0\0\M-,\^U\^A\
\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\f\0\M-w\^E\^F\0carp0\0\0^\0\^A
\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\r\0\M-w\^E\^F\0carp1\0\0^\0\^A\v\0\
\M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\
\M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^O\0\M-w\^E\^F\0carp3\0\0^\0\
\M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^P\0\M-w\^E\^F\0carp5\0\0^\0\


The first 3 lines show the transition from BACKUP to MASTER. carp3 and 
carp 5 are missing!
The other lines show the transition from MASTER to BACKUP. I have 
verified in both cases that *all* carp devices changed state with 
ifconfig(8).

Are there known issues with ifstated(8) or kevent(2) about lost events?

As a workaround I will change my $carp_up definition to test if *any* of 
the interfaces is up, but that is not a good solution.

Any clues?

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341
OpenBSD 4.2-stable (GENERIC) #2: Wed Oct 17 10:08:11 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 Processor 3000+ (AuthenticAMD 686-class, 512KB L2 
cache) 1.81 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
cpu0: AMD erratum 89 present, BIOS upgrade may be required
real mem  = 536113152 (511MB)
avail mem = 510750720 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/03/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS 
rev. 2.3 @ 0xf0530 (67 entries)
bios0: vendor American Megatrends Inc. version 0219 date 11/03/2005
bios0: ASUSTeK Computer Inc. A8V
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5980/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xb000 0xcb000/0x4000! 0xcf000/0x800 0xcf800/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA K8HTB Host rev 0x00
pchb1 at pci0 dev 0 function 1 VIA K8HTB Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA K8HTB Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA K8HTB Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA K8HTB Host rev 0x00
pchb5 at pci0 dev 0 function 7 VIA K8HTB Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage 128 Pro TF rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
skc0 at pci0 dev 10 function 0 Marvell Yukon 88E8001/8003/8010 rev 0x13, 
Yukon Lite (0x9): irq 10
sk0 at skc0 port A: address 00:13:d4:de:cf:88
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
xl0 at pci0 dev 12 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, 
address 00:0a:5e:61:7a:2d
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 14 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 3, address 
00:0a:5e:61:7a:04
exphy1 at xl1 phy 24: 3Com internal media interface
pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA
pciide0: using irq 10 for native-PCI interrupt
wd0 at pciide0 channel 1 drive 0: Maxtor 6V080E0
wd0: 16-sector PIO, LBA48, 76293MB, 15625 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
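Added example (not code from the post, not part of ifstated(8) or OpenBSD): a small Python check that evaluates the same $carp_up / $carp_down conditions from the ifstated.conf above over ifconfig(8) output, so the state ifstated *should* be in can be compared with the state it is actually in after a failover. The ifconfig text below is constructed, and the mapping it assumes (a carp interface in MASTER has link up, BACKUP has link down, INIT neither) is an assumption about how ifstated saw carp link state at the time, not something the post states.

```python
import re

# Constructed ifconfig(8) output for the five carp interfaces named in the post
# (frw2 after the failover). The real output is not on the page; the parser only
# relies on the "carp: MASTER|BACKUP|INIT ..." line.
IFCONFIG_FRW2 = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sk0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sk0 vhid 2 advbase 1 advskew 0
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sk0 vhid 3 advbase 1 advskew 0
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sk0 vhid 4 advbase 1 advskew 0
carp5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev sk0 vhid 5 advbase 1 advskew 0
"""

CARP_IFS = ["carp0", "carp1", "carp2", "carp3", "carp5"]

# Assumed mapping from carp state to the link state ifstated(8) tests.
LINK = {"MASTER": "up", "BACKUP": "down", "INIT": "unknown"}

CARP_LINE = re.compile(r"\bcarp:\s+(MASTER|BACKUP|INIT)\b")


def carp_states(text):
    """Map interface name -> carp state (MASTER/BACKUP/INIT) from ifconfig output."""
    states, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(carp\d+):", line)
        if m:
            cur = m.group(1)
            continue
        m = CARP_LINE.search(line)
        if m and cur:
            states[cur] = m.group(1)
    return states


def link_states(text):
    """Same, expressed as the link.up / link.down values ifstated would test."""
    return {i: LINK.get(s, "unknown") for i, s in carp_states(text).items()}


def carp_up(links, ifs=CARP_IFS):
    """$carp_up from the post: every listed interface has link up."""
    return all(links.get(i) == "up" for i in ifs)


def carp_down(links, ifs=CARP_IFS):
    """$carp_down from the post: at least one listed interface has link down."""
    return any(links.get(i) == "down" for i in ifs)


def expected_state(text, ifs=CARP_IFS):
    """State ifstated should reach if it saw every transition: 'master', 'slave',
    or None when neither macro holds (e.g. one interface still in INIT)."""
    links = link_states(text)
    if carp_up(links, ifs):
        return "master"
    if carp_down(links, ifs):
        return "slave"
    return None


def flip(text, iface, new_state):
    """Copy of the ifconfig text with one interface's carp state changed (for test cases)."""
    out, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^(carp\d+):", line)
        if m:
            cur = m.group(1)
        if cur == iface and CARP_LINE.search(line):
            line = CARP_LINE.sub("carp: " + new_state, line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("frw2 should be in state:", expected_state(IFCONFIG_FRW2))
```

Feed it the real `ifconfig carp0 carp1 ...` output and compare the result with the state reported by the ifstated process (or the logger lines it ran); a mismatch while every carp interface shows MASTER is the missed-event case described above.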

System time 100% on Vmware Fusion

2007-10-24 Thread Frank Denis
  Hello,
  
  On Vmware Fusion (tested with Fusion 1.1 on a Core2duo imac), OpenBSD
(-current) is very slow on anything that is not just a pure computation task.

  While compiling something, or while running MySQL, PgSQL, Apache or
Sendmail, top always shows that the CPU spends 99% or 100% of its time in
the system state.

  This is of course with the vic(4) and mpi(4) drivers. But this is always
the case anyway, even without any disk or network I/O.

  Does anyone know what might be wrong?

  Best regards,
  
 -Frank.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread carlopmart
Dear sirs please: I will return to my original question. I just wondered if xen 
will be included into the OpenBSD's kernel to act as a para-virtualized DomU or 
not. Nothing more. I will not go into issues of the type is insecure or not.


Theo, or somebody from developer team: Will be para-virtualized domU xen kernel 
included on next OpenBSD release (4.3?) or not?? I only want to know this...


Many thanks to all.


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Chris Kuethe
On 10/24/07, carlopmart [EMAIL PROTECTED] wrote:
 Dear sirs please: I will return to my original question. I just wondered if 
 xen
 will be included into the OpenBSD's kernel to act as a para-virtualized DomU 
 or
 not. Nothing more. I will not go into issues of the type is insecure or not.

 Theo, or somebody from developer team: Will be para-virtualized domU xen 
 kernel
 included on next OpenBSD release (4.3?) or not?? I only want to know this...

Not unless someone actually writes the code to do it. Notice the
extreme number of people with openbsd.org email addresses jumping up
and down, volunteering to do it (hint: none). Possibly not even if
someone writes the code. Diffs are not always merged. They should be
good diffs that improve OpenBSD. Notice the number of people with
openbsd.org email addresses who are not convinced that doing this a)
will improve OpenBSD and b) won't actually hurt.

So I'm going to guess the answer is No, integrating xen
paravirtualization is not a project priority at this time. Also, where
are your diffs?

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread carlopmart

Chris Kuethe wrote:

On 10/24/07, carlopmart [EMAIL PROTECTED] wrote:

Dear sirs please: I will return to my original question. I just wondered if xen
will be included into the OpenBSD's kernel to act as a para-virtualized DomU or
not. Nothing more. I will not go into issues of the type is insecure or not.

Theo, or somebody from developer team: Will be para-virtualized domU xen kernel
included on next OpenBSD release (4.3?) or not?? I only want to know this...


Not unless someone actually writes the code to do it. Notice the
extreme number of people with openbsd.org email addresses jumping up
and down, volunteering to do it (hint: none). Possibly not even if
someone writes the code. Diffs are not always merged. They should be
good diffs that improve OpenBSD. Notice the number of people with
openbsd.org email addresses who are not convinced that doing this a)
will improve OpenBSD and b) won't actually hurt.

So I'm going to guess the answer is No, integrating xen
paravirtualization is not a project priority at this time. Also, where
are your diffs?

CK

Many thanks Chris. A clear response. I am not a developer but I can offer to 
test xen based OpenBSD kernels on my servers ...




--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert
On Wed, 24 Oct 2007, Henning Brauer wrote:

 * [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 03:03]:
  Virtualization seems to have a lot of security benefits

 seems?
 to whom?

Virtualization provides near absolute security - DOM0 is not visible to
the user at all, only passing network traffic and handling kernel calls.
The security comes about in that each DOMU is totally isolated from
the others, while the core DOM0 is isolated from any attacks.

There is also a big benefit when maintaining VM images - restoring a VM in
the case of corruption/attack/whatever is as simple as reloading a copy of
that image and connecting to system data on the local SAN.

Irrespective of the guest OS, there is good security between the
virtualized machines. Running OBSD as the guest OS provides the best of
both worlds, and it would be great if OBSD would run paravirtualized for
the best performance, but apparently nobody has a need for that
functionality.

 to people who never wrote a line of code and don't understand how
 things work?

Nobody has to write any code to understand that - the security benefits
are obvious to everyone from the PHBs to the admins. Of course, this is
most obvious in 'enterprise space', which is pretty far removed from the
typical OBSD world.

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Douglas A. Tutty
On Tue, Oct 23, 2007 at 08:35:39PM -0700, Ben Goren wrote:
 On 2007 Oct 23, at 5:57 PM, [EMAIL PROTECTED] wrote:
 
   Virtualization seems to have a lot of security benefits.
 
 ``Seems'' is the key word, here.
 
 On hardware like an IBM mainframe that can actually support what's
 necessary for  secure virtual machines, sure. On  x86? Well, it'll
 keep your kid sister out

Is there any hardware in between that would be secure?  Or, is there now
nothing between the two at all?  I thought that Opterons had some type
of hardware support on the CPU; perhaps it's only enablers, not securers.

Doug.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Paul de Weerd
On Wed, Oct 24, 2007 at 08:31:26AM -0500, L. V. Lammert wrote:
| On Wed, 24 Oct 2007, Henning Brauer wrote:
| 
|  * [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 03:03]:
|   Virtualization seems to have a lot of security benefits
| 
|  seems?
|  to whom?
| 
| Virtualization provides near absolute security - DOM0 is not visible to
| the user at all, only passing network traffic and handling kernel calls.
| The security comes about in that each DOMU is totally isolated from
| the others, while the core DOM0 is isolated from any attacks.

This is the theory. In theory, there's no bugs in OpenBSD. In
practice, many of the commits to the tree are not new features/drivers
but actual bugfixes. Read the paper by Tavis Ormandy, referenced by
Theo. There is a real problem with virtualization. Until all bugs are
fixed, virtualization is worse than real hardware. And it'll be hard
to prove all the bugs are fixed.

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Christoph Egger
On Tuesday 23 October 2007 18:22:00 ropers wrote:
 Hi Christoph,

 Right now, on the OpenBSD misc mailing list, there is this discussion:
 http://www.sigmasoft.com/~openbsd/archives/html/openbsd-misc/2007-10/threads.html#01149
 about OpenBSD/Xen.

 We last spoke last year, when I put your BSDtalk interview transcript
 online at http://ropersonline.com/openbsd/xen .

 It seems to me that most people on the misc mailing list currently are
 not very aware of your OpenBSD Xen port. Could I possibly ask you to
 participate in the discussion? I feel that you (and Theo) are the only
 guys who can provide authoritative answers on the issue.

 Some of the questions that I feel are unclear are:
 - Was your porting work fully completed? IIRC it was, but please clarify.

DomU support is ready. Dom0 is work in progress.
(apart from use-after-free bugs in MI buffer-cache and filesystem code,
which damages filesystem.)
Dom0 is work in progress, but is stalling on a NULL-pointer bug
in uvm_pglistalloc_simple().

This code piece in the kernel reproduces this crash:

void foo(void)
{
	struct pglist mlist;

	/* the third argument (high) was truncated to "0x" in the archived mail */
	uvm_pglistalloc(PAGE_SIZE * 64, 0, 0x, 0, 0, &mlist, 64, 0);
}


I didn't investigate further into this, because I have put my focus
on the xen-kernel and xen-tools to compile on OpenBSD and NetBSD
out-of-the-box. To finish this task, I need some things in OpenBSD:

- aio(2) support
- POSIX ptsname() (this is used in a python binding module)
- newer gcc version due to a structure padding bug with
  an alignment attribute hidden in a typedef (this is fixed in gcc 3.4)
  I use gcc 4.2 from the ports FYI.
- I need i386 headers and libc on OpenBSD/amd64 for 64bit builds.
  gcc -m32 defines __i386__ so it is possible to distinguish if a
  #include <stdint.h> must provide 32bit or 64bit integer type definitions.

Oh, a libc header cleanup is nice to have. I don't know why uvm kernel headers
should be in /usr/include/uvm/, for example.


 - Is your port still being maintained? Can it be run with OpenBSD
 -current or 4.2?

4.1. It needs an update. Maybe some of the nasty MI bugs are gone.

 - It seems to me that your port didn't achieve wide recognition and
 acclaim because of a lack of publicity.

I'm not a marketing guy.

 - AFAIK your OpenBSD/Xen port code hasn't found its way into the
 official OpenBSD distribution. Is this correct?

yes.

 - Are there any reasons why your code didn't go into the official
 OpenBSD distro? Was it lack of awareness? Have you ever talked to Theo
 and/or other central OpenBSD people?

I haven't found someone who is willing to commit the diffs.

 - Is there any hope that your port might still become part of the
 official OpenBSD distribution?
 (Theo: Could you possibly comment as well?)

I don't know.

 I'd personally be very interested to see your port become part of the
 official distribution, but I sadly can't code myself, so all I can do
 is ask and hope. :)

 Once again, thanks for your hard work. :)

You're welcome.

 Many thanks in advance and kind regards,
 Jens Ropers



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Christoph Egger
On Wednesday 24 October 2007 16:14:19 Chris Kuethe wrote:
 On 10/24/07, carlopmart [EMAIL PROTECTED] wrote:
  Dear sirs please: I will return to my original question. I just wondered
  if xen will be included into the OpenBSD's kernel to act as a
  para-virtualized DomU or not. Nothing more. I will not go into issues of
  the type is insecure or not.
 
  Theo, or somebody from developer team: Will be para-virtualized domU xen
  kernel included on next OpenBSD release (4.3?) or not?? I only want to
  know this...

 Not unless someone actually writes the code to do it. Notice the
 extreme number of people with openbsd.org email addresses jumping up
 and down, volunteering to do it (hint: none). Possibly not even if
 someone writes the code. Diffs are not always merged. They should be
 good diffs that improve OpenBSD. Notice the number of people with
 openbsd.org email addresses who are not convinced that doing this a)
 will improve OpenBSD and b) won't actually hurt.

 So I'm going to guess the answer is No, integrating xen
 paravirtualization is not a project priority at this time. Also, where
 are your diffs?

The OpenBSD/Xen source is at http://hg.recoil.org/openbsd-xen-sys.hg
Unfortunately, Anil has troubles with the availability of the server.

I rely on having a willing OpenBSD developer who commits the patches I send
to him. But as long as there is none, it doesn't go in.

Christoph



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Henning Brauer
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
 Virtualization provides near absolute security - DOM0 is not visible to
 the user at all, only passing network traffic and handling kernel calls.
 The security comes about in that each DOMU is totally isolated from
 the others, while the core DOM0 is isolated from any attacks.

dream on.
that is what marketing wants to tell you.
in fact the isolation is incredibly poor.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Wake on LAN, tcpdump weirdness with two ethernet interfaces

2007-10-24 Thread Lars Noodén
I'm noticing some strangeness in conjunction with WOL(*), which seems
not to be working and am not sure where the problem lies(**).

The machine launching the packets has two interfaces, re0 and em0, with
the receiving machine connected to re0.  The machine does not wake up
either using port 9 or port 4.

A bit of strangeness in the diagnostics is that tcpdump appears not to
register any packets from or to re0.  It does not catch any packets on
re0, even from nmap -P0 -e re0 -T5 a.b.c.d

tcpdump -i re0 ip proto 17

whereas the following catches packets, even from wol, when sent to
addresses on em0.

tcpdump -i em0 ip proto 17

Route shows the following:

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
a.b.c.d            00:0f:1f:78:82:07  UHLc        1     8629      -  re0

and when the machine is already on, I can ping and connect via ssh.

pfctl -s rules
  are as simple as possible:
scrub in all fragment reassemble
pass in all flags S/SA keep state
pass out all flags S/SA keep state

What's up with tcpdump and, more importantly, wol?

-Lars

(*) Installed using pkg_add:
 http://www.openbsd.org/4.1_packages/i386/wol-0.7.1p1.tgz-long.html

(**) Hardware is a Dell DHP on which I've set the BIOS to allow remote
wakeup and have the lowpower mode (which hinders remote wakeup) off.
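Added example, not code from the post or from the wol package: a Python builder for the Wake-on-LAN magic packet (six 0xff bytes followed by the target MAC sixteen times, 102 bytes in total), a matcher to confirm that a captured UDP payload really carries one, and a sender that binds to the address of the interface facing the target so the datagram leaves on that interface rather than the default route. The MAC used below is the one from the route entry above; the bind address and the directed-broadcast destination are assumptions, since the real addresses are not on the page. A unicast magic packet to a host that is powered off also depends on an ARP entry still being present for it, which is worth remembering when only the link-layer route shown above exists.

```python
import socket


def mac_bytes(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def magic_packet(mac):
    """Wake-on-LAN magic packet: six 0xff bytes, then the MAC repeated 16 times."""
    return b"\xff" * 6 + mac_bytes(mac) * 16


def find_magic(payload):
    """Return the MAC ('aa:bb:...') if payload carries a magic packet anywhere, else None.
    Run it over the UDP payload from a capture to check what actually left the box."""
    sync = b"\xff" * 6
    i = payload.find(sync)
    while i != -1:
        body = payload[i + 6:i + 6 + 96]
        if len(body) == 96:
            mac = body[:6]
            if body == mac * 16 and mac != sync:
                return ":".join("%02x" % b for b in mac)
        i = payload.find(sync, i + 1)
    return None


def send_magic(mac, dest="255.255.255.255", port=9, bind_addr=None):
    """Send the magic packet as a UDP broadcast. dest should be the directed
    broadcast of the target's subnet and bind_addr the sender's address on the
    interface facing it (re0 in the post); both are site-specific assumptions."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        if bind_addr:
            s.bind((bind_addr, 0))
        return s.sendto(pkt, (dest, port))


if __name__ == "__main__":
    # MAC from the route entry in the post; destination/bind address are assumed.
    sent = send_magic("00:0f:1f:78:82:07", dest="255.255.255.255", port=9)
    print(sent, "bytes sent")
```

With `tcpdump -i re0 -X udp port 9` running on the sending host, the hex dump of the datagram should begin with `ffff ffff ffff 000f 1f78 8207 ...`; if nothing shows up on re0 while `find_magic` confirms the payload is correct, the packet is not being routed out that interface.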



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Christoph Egger
On Wednesday 24 October 2007 17:25:25 Artur Grabowski wrote:
 Christoph Egger [EMAIL PROTECTED] writes:
   So I'm going to guess the answer is No, integrating xen
   paravirtualization is not a project priority at this time. Also, where
   are your diffs?
 
  The OpenBSD/Xen source is at http://hg.recoil.org/openbsd-xen-sys.hg
  Unfortunately, Anil has troubles with the availability of the server.
 
  I rely on having a willing OpenBSD developer who commits the patches I
  send to him. But as long as there is none, it doesn't go in.

 I'm willing to stretch as far as saying: This might be interesting for
 some testing purposes for kernel hackers if Xen could be hosted on
 OpenBSD.

 But this doesn't mean that I'm even close to volunteering doing the
 job. It just would be cool to have if it doesn't break stuff.

 //art

Actually it is good to find NULL-pointer (mostly use-after-free) bugs,
that are hard to find on real hardware.
Believe me or not: OpenBSD has tons of them.

Christoph



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Dave Anderson
On Wed, 24 Oct 2007, L. V. Lammert wrote:

Virtualization provides near absolute security - DOM0 is not visible to
the user at all, only passing network traffic and handling kernel calls.
The security comes about in that each DOMU is totally isolated from
the others, while the core DOM0 is isolated from any attacks.

In theory, you're correct.

In practice there are (at least) four questions which all must be
answered in the affirmative for this to be true:

1) Does the hardware architecture provide all of the hooks needed to
   implement virtualization?
2) Does the specific hardware correctly implement that architecture?
3) Does the virtualization software architecture properly implement
   virtualization?
4) Does the specific software correctly implement that architecture?

Answering any of those questions takes both a lot of work and, all too
often, access to information which is not generally available.  And if
any of the answers is 'no', the security of anything run under that
virtualization may be fatally compromised -- no matter how secure that
software may be when run standalone.

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



spamdb expire value gets default value instead of spamd_flag value (-G)

2007-10-24 Thread Claes Ström
Hi,

When testing greylisting with synchronizing we noticed the following
strange behavior:
Machine A (10.100.64.234) is the machine we receive mail through.
Machine B (10.100.64.233) is synced through spamd

Check out the expire value on machine A after the state has gone from
Grey to White!
It has taken the default 36 days ahead instead of our 2 hour (test value)
from spamd_flags!!
But Machine B (the passive brother which gets synced through
spamd-sync) behaves as it should!?


spamdb (A):
WHITE|10.100.64.199|||1193231843|1193232057|1196342528|3|1

spamdb (B):
WHITE|10.100.64.199|||1193231843|1193232057|1193239279|3|1



pf.conf:

no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass inet proto tcp from !<own_ips> to $ext_if:0 port smtp -> \
	127.0.0.1 port spamd
pass in quick log on $ext_if proto tcp from any to ($ext_if) port \
	$public_tcp
pass in log on $int_if proto tcp from <own_ips> to ($int_if) port $sec_tcp

/etc/rc.conf.local (B)

pf=YES
syslogd_flags="-a /var/spool/postfix/dev/log"
spamd_flags="-y fxp0 -Y 10.100.64.234 -G 3:1:2"
spamlogd_flags="-i fxp0 -Y 10.100.64.234"

/etc/rc.conf.local (A)

pf=YES
syslogd_flags="-a /var/spool/postfix/dev/log"
spamd_flags="-y fxp0 -Y 10.100.64.233 -G 3:1:2"
spamlogd_flags="-i fxp0 -Y 10.100.64.233"

---
Probably some small feature to fix

Regards
Claes Ström
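Added example (not code from the report, not part of spamd): a Python check that reads spamdb(8) WHITE records and compares the lifetime spamd actually gave each entry (expire minus the pass time) with the whiteexp configured through `-G passtime:greyexp:whiteexp` (minutes:hours:hours, default whiteexp 864 hours, about 36 days). The two WHITE lines and the spamd_flags value are copied from the report; the 10-minute tolerance is an assumption to absorb the few seconds between the pass and expire timestamps being written. Run over a full `spamdb` dump it tells you at once which entries got the default instead of the configured value.

```python
# The two spamdb(8) WHITE lines and the spamd_flags value quoted in the report.
SPAMDB_A = "WHITE|10.100.64.199|||1193231843|1193232057|1196342528|3|1"
SPAMDB_B = "WHITE|10.100.64.199|||1193231843|1193232057|1193239279|3|1"
SPAMD_FLAGS = "-y fxp0 -Y 10.100.64.234 -G 3:1:2"

DEFAULT_WHITEEXP = 864 * 3600      # spamd(8) default whiteexp: 864 hours, about 36 days


def parse_G(flags):
    """(passtime, greyexp, whiteexp) in seconds from a spamd '-G p:g:w' argument
    (minutes:hours:hours), or None when no -G is present."""
    toks = flags.split()
    for i, t in enumerate(toks):
        if t == "-G" and i + 1 < len(toks):
            spec = toks[i + 1]
        elif t.startswith("-G") and len(t) > 2:      # '-G3:1:2' form
            spec = t[2:]
        else:
            continue
        p, g, w = (int(x) for x in spec.split(":"))
        return p * 60, g * 3600, w * 3600
    return None


def parse_white(line):
    """Fields of a WHITE record: WHITE|ip|||first|pass|expire|blocks|passes."""
    f = line.rstrip("\n").split("|")
    if len(f) < 9 or f[0] != "WHITE":
        raise ValueError("not a WHITE record: %r" % line)
    return {"ip": f[1], "first": int(f[4]), "pass": int(f[5]),
            "expire": int(f[6]), "blocks": int(f[7]), "passes": int(f[8])}


def white_ttl(line):
    """Lifetime spamd gave the entry: expire minus the time it was last passed."""
    r = parse_white(line)
    return r["expire"] - r["pass"]


def classify_whiteexp(line, flags, slack=600):
    """'configured' if the entry lives about whiteexp from -G, 'default' if it
    lives about 36 days, otherwise 'unknown'. slack (seconds) is an assumed
    tolerance for the gap between the pass and expire timestamps."""
    ttl = white_ttl(line)
    g = parse_G(flags)
    if g is not None and abs(ttl - g[2]) <= slack:
        return "configured"
    if abs(ttl - DEFAULT_WHITEEXP) <= slack:
        return "default"
    return "unknown"


def audit(lines, flags):
    """Run the check over a whole spamdb dump; only WHITE records are examined."""
    return [(parse_white(l)["ip"], classify_whiteexp(l, flags))
            for l in lines if l.startswith("WHITE|")]


if __name__ == "__main__":
    for tag, line in (("A", SPAMDB_A), ("B", SPAMDB_B)):
        print(tag, white_ttl(line), "s ->", classify_whiteexp(line, SPAMD_FLAGS))
```

Usage: `spamdb | python3 check.py`-style piping is a one-line addition (read `sys.stdin` into `audit`); for the two records above the output is `A 3110471 s -> default` and `B 7222 s -> configured`, which is exactly the discrepancy the report describes.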



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread carlopmart

Christoph Egger wrote:

On Wednesday 24 October 2007 17:25:25 Artur Grabowski wrote:

Christoph Egger [EMAIL PROTECTED] writes:

So I'm going to guess the answer is No, integrating xen
paravirtualization is not a project priority at this time. Also, where
are your diffs?

The OpenBSD/Xen source is at http://hg.recoil.org/openbsd-xen-sys.hg
Unfortunately, Anil has troubles with the availability of the server.

I rely on having a willing OpenBSD developer who commits the patches I
send to him. But as long as there is none, it doesn't go in.

I'm willing to stretch as far as saying: This might be interesting for
some testing purposes for kernel hackers if Xen could be hosted on
OpenBSD.

But this doesn't mean that I'm even close to volunteering doing the
job. It just would be cool to have if it doesn't break stuff.

//art


Actually it is good to find NULL-pointer (mostly use-after-free) bugs,
that are hard to find on real hardware.
Believe me or not: OpenBSD has tons of them.

Christoph



Christoph,

 One question about your Xen port: is it possible to compile a xen 
para-virtualized openbsd kernel to launch a clean OpenBSD 4.1 or 4.2 install??


Thanks for your great job Christoph.



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Boris Goldberg
Hello Clint,

Tuesday, October 23, 2007, 5:36:15 PM, you wrote:

CP  From what I have read in this thread, it looks like only one guy
CP prefers the old timed and rdate tools. A few are even telling him he is 
CP giving bad advice when promoting the usage of these tools. Henning 
CP mentioned that rdate and timed are pretty much useless and others have 
CP said that timed is obsolete. So why don't we remove them from the source 
CP tree?

  I've never suggested (or mentioned) timed.
  Of course I was talking about the -n mode of rdate (as a replacement for
ntpdate like Paul de Weerd was suggesting in this thread).
  Maybe it makes sense to set -ncv as the default behavior of rdate, but
there should be a way to synchronize time without running a daemon (I don't
understand why people are so aggressive about that) if you don't need
up-to-second synchronization (in my case modern hardware goes less than a
second off per day, and really old hardware less than 10 seconds).

-- 
Best regards,
 Borismailto:[EMAIL PROTECTED]



Re: max-src-conn-rate rule question

2007-10-24 Thread Calomel
David,

I would take a look at adding synproxy to your rules before worrying about
max-src-states. Synproxy will allow max-src-conn-rate to work more
reliably.


By default, pf(4) passes packets that are part of a tcp(4) handshake
between the endpoints.  The synproxy state option can be used to cause pf(4)
itself to complete the handshake with the active endpoint, perform a
handshake with the passive endpoint, and then forward packets between the
endpoints.

No packets are sent to the passive endpoint before the active endpoint
has completed the handshake, hence so-called SYN floods with spoofed source
addresses will not reach the passive endpoint, as the sender can't complete
the handshake.

The proxy is transparent to both endpoints, they each see a single
connection from/to the other endpoint.  pf(4) chooses random initial
sequence numbers for both handshakes.  Once the handshakes are completed, the
sequence number modulators (see previous section) are used to translate
further packets of the connection. Synproxy state includes modulate state.

(pf.conf man page)

--
 Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 11:23:05PM -0500, david l goodrich wrote:
On Tue, Oct 23, 2007 at 05:46:45PM -0400, Calomel wrote:
 David,

 Was the offending client completing the 3-way handshake everytime it
 connected?

 For stateful TCP connections, limits on established connections
 (connections which have completed the TCP 3-way handshake) can also be
 enforced per source IP. The max-src-conn-rate number/seconds limit the rate
 of new connections over a time interval.  The connection rate is an
 approximation calculated as a moving average.

 You may also want to use synproxy for ssh and take a look at
 max-src-states. I have examples here: http://calomel.org/pf_config.html

I didn't respond to this until now, because I wanted to do some
research first.  As the hosts that are being blocked by this
aren't hosts I control, I needed to set up some access on the
outside.

So it looks like i can run  'nmap -sS -p22 25.103.82.80/28' until
doomsday and it will always show as a passed connection.

But when i start telnetting to port 22 on machines in this
subnet, the fourth 'telnet' connection is blocked, no matter
which host I hit previously.  So I think that you are correct
in that the attackers are not initially completing the 3-way
handshake, and are thus not tripping the filter.

I'll look in to max-src-states, but I think now that I've shown
that the actual attack (if that's what they are) attempts are
blocked properly, I'm not terribly concerned if they can scan the
subnet.

Thanks,
  --david


 --
  Calomel @ http://calomel.org

 On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote:
 Nobody?  Sad, it's still doing it.
 
 
 On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
  I've set up a max-src-conn-rate rule on my gateway router to
  mitigate brute-force ssh attacks.  This router protects a /28
  subnet, 25.108.82.80/28.
 
  The relevant rules:
 
  # pfctl -sr | grep attack
  block drop in log quick proto tcp from sshd_attackers to any
  pass in log proto tcp from any to any port = ssh keep state
  (source-track rule, max-src-conn-rate 3/30, overload
  sshd_attackers flush global, src.track 30)
  #
 
  What the three columns of output in the below tcpdump output are:
  timestamp, rule action, and target host.  As you can tell from
  the tcpdump command, the sending host is the same in all cases,
  208.53.147.204
 
  # tcpdump -enr /var/log/pflog host 208.53.147.204 \
 | awk '{print $1,$4,$11}' | sed s/.22:// | head -30
  reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
  12:09:45.849594 pass 25.103.82.80
  12:09:45.850279 pass 25.103.82.82
  12:09:45.850827 pass 25.103.82.83
  12:09:45.851310 pass 25.103.82.84
  12:09:45.852003 pass 25.103.82.85
  12:09:45.852496 pass 25.103.82.86
  12:09:45.853007 pass 25.103.82.87
  12:09:45.866580 pass 25.103.82.88
  12:09:45.867345 pass 25.103.82.89
  12:09:45.868339 pass 25.103.82.92
  12:09:45.902389 pass 25.103.82.95
  12:25:52.632295 pass 25.103.82.80
  12:25:52.632973 pass 25.103.82.82
  12:25:52.648804 pass 25.103.82.83
  12:25:52.684792 pass 25.103.82.84
  12:25:52.687989 pass 25.103.82.85
  12:25:52.688652 pass 25.103.82.86
  12:25:52.690882 pass 25.103.82.87
  12:25:52.691371 pass 25.103.82.88
  12:25:52.692290 pass 25.103.82.89
  12:25:52.695340 pass 25.103.82.92
  12:25:52.698864 pass 25.103.82.95
  13:08:36.949178 pass 25.103.82.87
  13:08:38.864585 pass 25.103.82.87
  13:08:40.452215 pass 25.103.82.87
  13:08:42.038388 pass 25.103.82.87
  13:08:46.923469 block 25.103.82.88
  13:08:49.922116 block 25.103.82.88
  13:08:50.212040 block 25.103.82.87
  13:08:51.099435 block 25.103.82.87
  #
 
  It seems to me like this host should have been blocked back at
  12:09:45, not 13:08:46.  Am I misunderstanding the rule?
--david
 
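Added example, not code from the thread and not pf itself: a Python replay of the rule pair quoted above (`block drop in log quick from <sshd_attackers>` plus `pass in ... max-src-conn-rate 3/30, overload <sshd_attackers> flush global`) against an event list constructed from the pflog excerpt, to show why `nmap -sS` never trips the limit while the fourth completed telnet does. The model checks the rate only when a connection reaches ESTABLISHED, which is why the SYN that trips the limit is itself logged as a pass and blocks start on the next packet; it uses an exact 30-second sliding window where pf uses a moving-average approximation, and the `completes` flag on each event is the thread's inference about the scanner, not logged data.

```python
from collections import deque


def hms(s):
    """'HH:MM:SS.ffffff' -> seconds since midnight."""
    h, m, sec = s.split(":")
    return int(h) * 3600 + int(m) * 60 + float(sec)


# Constructed from the pflog excerpt: 208.53.147.204 SYN-scans eleven hosts at
# 12:09:45 without completing any handshake, opens four real connections to .87
# from 13:08:36, then keeps trying. Event = (time, src, dst, handshake completes).
SRC = "208.53.147.204"
SCAN_HOSTS = ["25.103.82.%d" % h for h in (80, 82, 83, 84, 85, 86, 87, 88, 89, 92, 95)]
EVENTS = [("12:09:45.%06d" % (849594 + 600 * i), SRC, dst, False)
          for i, dst in enumerate(SCAN_HOSTS)]
EVENTS += [(t, SRC, "25.103.82.87", True) for t in
           ("13:08:36.949178", "13:08:38.864585", "13:08:40.452215", "13:08:42.038388")]
EVENTS += [("13:08:46.923469", SRC, "25.103.82.88", True),
           ("13:08:49.922116", SRC, "25.103.82.88", True),
           ("13:08:50.212040", SRC, "25.103.82.87", True),
           ("13:08:51.099435", SRC, "25.103.82.87", True)]


def simulate(events, limit=3, seconds=30):
    """Replay events against the post's two rules and return [(time, action, dst)].
    A source already in <sshd_attackers> hits the block quick rule; otherwise the
    SYN creates state (logged 'pass'), and only a completed handshake counts
    toward max-src-conn-rate limit/seconds. More than `limit` completions inside
    the window puts the source in the overload table (flush global drops its states)."""
    attackers = set()
    completed = {}                       # src -> deque of completion times
    log = []
    for ts, src, dst, completes in events:
        if src in attackers:
            log.append((ts, "block", dst))
            continue
        log.append((ts, "pass", dst))
        if not completes:
            continue                     # SYN scan: state exists, but never ESTABLISHED
        now = hms(ts)
        q = completed.setdefault(src, deque())
        q.append(now)
        while q and now - q[0] > seconds:
            q.popleft()
        if len(q) > limit:
            attackers.add(src)
    return log


def first_block(log):
    """(time, dst) of the first blocked packet, or None if nothing was blocked."""
    for ts, action, dst in log:
        if action == "block":
            return ts, dst
    return None


if __name__ == "__main__":
    for ts, action, dst in simulate(EVENTS):
        print(ts, action, dst)
```

The replay reproduces the excerpt: fifteen passes (eleven scan probes plus four real connections) followed by blocks from 13:08:46 onward. Swapping `False` for `True` on the scan events is the quickest way to see how different the log would look if the scanner had completed its handshakes, or if synproxy were forcing it to.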

Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Adam Getchell
On 10/24/07, Paul de Weerd [EMAIL PROTECTED] wrote:

 This is the theory. In theory, there's no bugs in OpenBSD. In
 practice, many of the commits to the tree are not new features/drivers
 but actual bugfixes. Read the paper by Tavis Ormandy, referenced by
 Theo. There is a real problem with virtualization. Until all bugs are

When you read Ormandy's paper, referenced by Damien Miller, in regards
to Xen, you find:

1. Ormandy states that Xen's design is congruent with good security

2. Ormandy doesn't actually demonstrate a Dom0 - DomU escalation, and
in fact, didn't test any HVMs at all.

3. Qemu compromises != Xen HVM Qemu compromises

Furthermore:

1. Upstream patches already exist [1] in response to Ormandy's bug report [2]

 fixed, virtualization is worse than real hardware. And it'll be hard
 to prove all the bugs are fixed.

Unless you are using a purely functional language implemented directly
on provably correct hardware, it's impossible to (mathematically)
prove a program is free of bugs. Since you want to solve real-world
problems, you make a tradeoff between features you want and issues you
can live with.

OpenBSD is very, very, very good at security.

On the other hand, if you want to program a fast, parallelized quantum
gravity model to run on a large cluster of OpenMosix nodes, it's not
the right tool for the job.

In the scientific cluster computing and enterprise spaces, it's
already well demonstrated, by many, many practitioners in those fields
[3], that virtualization is a very, very good tool.

 Paul 'WEiRD' de Weerd

[1] https://launchpad.net/ubuntu/+source/xen-3.1/

[2] http://secunia.com/advisories/26986/

[3] In addition to my own work, I can point to colleagues and
organizations, for example, http://cse.ucdavis.edu and
http://immunetolerance.org

Adam
-- 
Invincibility is in oneself, vulnerability in the opponent. -- Sun Tzu



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Theo de Raadt
 In the scientific cluster computing and enterprise spaces, it's
 already well demonstrated, by many, many practitioners in those fields
 [3], that virtualization is a very, very good tool.

So what?  Someone showed up here and said it is actually all about
security.

That is obviously false to anyone skilled in the field.  You don't
build better security by building another gigantic layer.  That
is obvious to anyone who actually works in the field.

The people who are being fooled are just being 'users'.  They need it,
so they invent all sorts of judgements to make it OK.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Jack J. Woehr
On Oct 24, 2007, at 10:59 AM, Theo de Raadt wrote:

 You don't
 build better security by building another gigantic layer.  That
 is obvious to anyone who actually works in the field.

Having worked in REAL VM :-) (IBM VM/ESA now z/VM) it isn't per se
about security like we mean security ... preventing cracking attempts ...
it is about isolation of processes. Isolation of processes does contribute
to security but it's not the only point of flexion.

In practice, mainframe VM varies greatly in security from installation
to installation ... the protection of processes from one another in the
VM operating system is as hardware/software perfect as the wit and
skill of humankind can provide ... but I've found VM installations with
accounts like USER passwd USER :-(

All things being equal, the safest base installations in the universe
would be those whose user instances were encased in some kind of
solid VM and whose base instance administrators were provided
with and followed best practices.

In re that solid VM ... As Theo pointed out the other day, the
Intel hardware support for virtualization is less than complete, i.e.,
less mature than the 35-year-old support for virtualization in the
IBM 370/390 architecture.

So we still gots a ways to go.

-- 
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527



multimode fiber card recs for OpenBGPD

2007-10-24 Thread N.J. Thomas
I have two servers that I would like to setup to run OpenBGPD for our
border routers.

I need to find a supported PCIe (not PCI-X) fiber card that runs
multi-mode and a supported PCIe (not PCI-X) fiber card that runs
single-mode. (One of our providers is coming to us with mm, the other
with sm.)

A dual port card is preferable, but we will take single port cards if
those are the only ones available.

Any recommendations? The supported cards page on the OpenBSD site only
lists PCI-X cards.

thanks,
Thomas

-- 
N.J. Thomas
[EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Paul de Weerd
On Wed, Oct 24, 2007 at 10:47:45AM -0500, Boris Goldberg wrote:
|   Maybe it makes sense to set -ncv as a default behavior of rdate, but
| there should be a way to synchronize time without running a daemon (don't
| understand why people are so aggressive about that) if you don't need
| up-to-second synchronization (in my case modern hardware goes less than a
| second off per day, and really old hardware - less than 10 seconds).

The problem here is the jump in time. You repeat a second or more (if
you have to jump back) or skip some (if you jump forward). This may
not be a problem for you in particular, but is considered bad in
general.

Another issue is the fact that the server you're syncing to may not be
perfectly synced itself. Or maybe there's some (asymmetrical) delay
in the network. This may make time on your machine somewhat off (this
isn't as big a problem as the previous, IMO).

And it's totally unnecessary, simply run ntpd and be done
with it. It solves all the problems with syncing every once in a
while, and as I indicated in my earlier mail, I don't see any of the
problems with running another daemon on my machines that you
described. It's small, uses proven security techniques and is still
reasonably simple.

But hey, if using rdate from a cron is your thing, don't let me get in
your way. I used to do this before we had OpenNTPD too, since I wasn't
really happy with ntp.org's daemon. If you're not really happy with
OpenNTPD, more power to you! But I don't think it's a good practice to
do so, so suggesting it to others on this mailing list will get you
some replies from opponents of your solution...

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert
On Wed, 24 Oct 2007, Paul de Weerd wrote:

 On Wed, Oct 24, 2007 at 08:31:26AM -0500, L. V. Lammert wrote:
 | On Wed, 24 Oct 2007, Henning Brauer wrote:
 |
 |  * [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 03:03]:
 |   Virtualization seems to have a lot of security benefits
 | 
 |  seems?
 |  to whom?
 | 
 | Virtualization provides near absolute security - DOM0 is not visible to
 | the user at all, only passing network traffic and handling kernel calls.
 | The security comes about in that each DOMU is totally isolated from the
 | the others, while the core DOM0 is isolated from any attacks.

 This is the theory.

Practice also. XEN is a great tool for 'duplicating' a machine in an
enterprise environment (IME running 'user level' tools for hundreds or
thousands of users). Separating applications is invaluable, and the
ability to do a machine restore in minutes, using the most recent data
from a local SAN is also a major advantage.

Nobody in the XEN (or VM) world in their right mind would put a VM on the
'Net without significant protection (an OBSD PF machine, perhaps), and
I'm certainly not suggesting that.

Remember that there is more than one world from a technology standpoint!
The vast majority of the SME marketspace (where we operate) is heavily
infiltrated with MS crap; OTOH, OBSD is the only choice for public
servers, or as a front-end to other OSs. The virtualization space
will have to mature significantly, if ever, to meet the security standards
of OBSD.

In the meantime, virtualization provides a great solution for those
applications that benefit from running separately & isolated, while
maximizing h/w utilization.

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Marc Espie
Bottom-line is, the more complicated your setup gets, the more chances
you get to fuck-up.

All that stuff about extra permissions, extra layers. Each thingie you
add you need to configure. And you won't be 100%, not all the time.

So, Xen is just another opportunity to get fucked.

Instead of designing security, you add another plugin, wave your magic
wand, and say `this is improved security' (take your deepest booming voice,
if you want to be convincing).

Security theater, once again.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert

At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:

* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
 Virtualization provides near absolute security - DOM0 is not visible to
 the user at all, only passing network traffic and handling kernel calls.
 The security comes about in that each DOMU is totally isolated from the
 the others, while the core DOM0 is isolated from any attacks.

dream on.
that is what marketing wants to tell you.
in fact the isolation is incredibly poor.


Sorry, the kernel hacking world is pretty far removed from 'enterprise 
reality'; not that it's a bad thing - I often wish it were that simple!! 
In reality, there are tons of SMEs out there using MS Crap and other risky 
software! The few security risks you cite for XEN are negligible by comparison.


Anything we can do to increase security, *including* setting up VMs (of any 
flavor) is an improvement [that also increased hardware utilization].


Lee



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Theo de Raadt
I am just astounded by how some people who love virtualization
keep making the same mistakes.  Are you even listening?

 Practice also. XEN is a great tool for 'duplicating' a machine in an
 enterprise environment (IME running 'user level' tools for hundreds or
 thousands of users). Separating applications is invaluable, and the
   ^^

Who said it actually separates?

 ability to do a machine restore in minutes, using the most recent data
 from a local SAN is also a major advantage.
 
 Nobody in the XEN (or VM) world in their right mind would put a VM on the
 'Net without significant protection (an OBSD PF machine, perhaps), and
 I'm certainly not suggesting that.
 
 Remember that there is more than one world from a technology standpoint!
 The vast majority of the SME marketspace (where we operate) is heavily
 infiltrated with MS crap; OTOH, OBSD is the only choice for public
 servers, or as a front-end to other OSs. The virtualization space
 will have to mature significantly, if ever, to meet the security standards
 of OBSD.
 
 In the meantime, virtualization provides a great solution for those
 applications that benefit from running separately & isolated, while
 ^

You believe it does separation and isolation?

 maximizing h/w utilization.

This, it does do.  But the people who want to maximize hw utilization
are trying to lie to themselves about the security aspects.

You can't run more code and then have less failures.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Theo de Raadt
 At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
 * L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
   Virtualization provides near absolute security - DOM0 is not visible to
   the user at all, only passing network traffic and handling kernel calls.
   The security comes about in that each DOMU is totally isolated from the
   the others, while the core DOM0 is isolated from any attacks.
 
 dream on.
 that is what marketing wants to tell you.
 in fact the isolation is incredibly poor.
 
 Sorry, the kernel hacking world is pretty far removed from 'enterprise 
 reality'; not that it's a bad thing - I often wish it were that simple!! 
 In reality, there are tons of SMEs out there using MS Crap and other risky 
 software! The few security risks you cite for XEN are negligible by 
 comparison.
 
 Anything we can do to increase security, *including* setting up VMs (of any 
 flavor) is an improvement [that also increased hardware utilization].

This last sentence is such a lie.  

The fact is that you, and most of the other fanboys, only care about
the [that also increased hardware utilization].  The yammering about
security is just one thing -- job security.  You've got to be able to
sell increased hardware utilization in a way that does not hang you up
at the end of the day.

If people were saying:

Yes, it increased hardware utilization, and the nasty
security impact might be low

it would be fine.

But instead we have many uneducated people saying:

   Yes, it increased hardware utilization, and it improved security too.

And that's complete and utter bullshit.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Ted Unangst
On 10/24/07, Christoph Egger [EMAIL PROTECTED] wrote:
 - aio(2) support

creaking along.

 - POSIX ptsname()  (this is used in a python binding module)

dunno.

 - newer gcc version due to a structure padding bug with
  an alignment attribute hidden in a typedef (this is fixed in gcc 3.4)
  I use gcc 4.2 from the ports FYI.

can you tell me which structure?  attribute packed/aligned should
never be used on typedefs because of this.  it's one of those
astounding things that gcc compiles, but then neglects to warn that it
completely ignores the attribute.

 Oh, a libc header cleanup is nice to have. I don't know why uvm kernel headers
 should be in /usr/include/uvm/, for example.

so that userland programs can talk to the kernel.  what's the problem?
 they're not in the way are they?  (where else would they go?)



Question about 4.2 Package availability

2007-10-24 Thread Joe S
I just wanted to confirm the following:

If I've installed OpenBSD 4.2 and I need a specific package (in this
case, net-smpd) which is not available on the CD, I must wait until
4.2 is officially released. Then I can get the packages I need from
the ftp site.



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Marc Balmer

Boris Goldberg wrote:


  Maybe it makes sense to set -ncv as a default behavior of rdate, but
there should be a way to synchronize time without running a daemon (don't
understand why people are so aggressive about that) if you don't need
up-to-second synchronization (in my case modern hardware goes less than a
second off per day, and really old hardware - less than 10 seconds).


You don't understand the implications of changing the time of a computer
at runtime.

Time can be seen as a continuum whose axis can be stretched or compressed, or
as a series of time units with fixed length.  In the first case the
computer clock runs faster or slower, but no time unit is lost.  In the
second case the computer runs at constant speed, but time units can be
lost.

Whether either case is acceptable depends on the software that runs on the
computer.  A computer that controls an insulin pump probably should
run at constant speed whereas a computer that does a task at a certain
time should not skip time units.  If a cronjob runs at 17:10 and at
17:00 your wise cronjob sets the time to 17:20, cron will not start that
job.

See?



Re: Question about 4.2 Package availability

2007-10-24 Thread Nico Meijer
Hi Joe,

 If I've installed OpenBSD 4.2 and I need a specific package (in this
 case, net-smpd) which is not available on the CD, I must wait until
 4.2 is officially released. Then I can get the packages I need from
 the ftp site.

Yes.

(Or you build it from ports. Still, 4.2 is very much unreleased at this
moment.)

HTH... Nico



pgt/Netgear WG511

2007-10-24 Thread Daniel Melameth
I have, what appears to be, v1 of this card, but I get the following from
dmesg--even when booting from the latest snapshot of cd42.iso:

Intersil, ISL3890, -, - (manufacturer 0xb, product 0x3890) Intersil Prism
GT/Duette rev 0x01 at cardbus1 dev 0 function 0 not configured

I'm not certain how to update pcidevs and related to accurately reflect this
(I noticed product 0x3890 is already in pcidevs.h), so some advice is
appreciated.

Thanks.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert

At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:

 Anything we can do to increase security, *including* setting up VMs (of 
any

 flavor) is an improvement [that also increased hardware utilization].

This last sentence is such a lie.


That depends on your viewpoint. There certainly may be some issues at the 
OS level (which have been mentioned previously), however the majority of VM 
applications benefit from security *isolation*, which has nothing to do 
with security issues of the underlying OS, and that was the viewpoint I was 
communicating.


For example, say you have three departments within a company: Marketing, 
Development, Production. Allowing each department to maintain their own 
server instance allows each department to have their own users, home 
directory configuration, samba (possibly) network config & authorization, 
separate file/print sharing domain, etc.


That is simply not doable with a single OS, yet with reasonably priced 
h/w all can be maintained on one platform.


The security benefits are at the application level, *NOT* at the OS level.


If people were saying:

Yes, it increased hardware utilization, and the nasty
security impact might be low

it would be fine.

But instead we have many uneducated people saying:

   Yes, it increased hardware utilization, and it improved security 
too.


And that's complete and utter bullshit.


Perhaps more correctly:

Yes, it increased hardware utilization, and it improves 
security/isolation between different work domains


However few outside this community would have any comprehension of the 
difference.


Lee



Re: HP ProLiant DL320 v. Sun Fire V125

2007-10-24 Thread Boris Goldberg
Hello evo,

Wednesday, October 24, 2007, 12:51:13 AM, you wrote:

e I'm choosing firewall/proxy/mail-gateway hardware running (of course)
e OpenBSD for medium office and my shortlist is:
e (a) HP ProLiant DL320 and (b) Sun Fire V125

  I'm upgrading my servers/firewalls to HP ProLiant DL320 G5, and the
experience... isn't easy. First of all you need to allow acpi in an MP
kernel, otherwise it's slow and unstable (it's disabled by default and not
really documented).

  Then you have a couple more issues I couldn't resolve yet:

  First - uhci (uhci4 in my case) giving an error during boot and shutdown:

OpenBSD 4.2-stable (GENERIC) #1: Thu Oct 18 12:35:10 CDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 1071640576 (1021MB)
avail mem = 1028595712 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 0xe6000/0x2000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5
pci3 at ppb2 bus 3
bge0 at pci3 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 11, address 00:1b:78:07:c9:9a
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 10, address 00:1b:78:07:c9:9b
brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
ppb3 at pci3 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci5 at ppb4 bus 5
em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, address 00:1b:78:57:58:e0
em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, address 00:1b:78:57:58:e1
ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci6 at ppb5 bus 6
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 5
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 5
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 5
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 5
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci7 at ppb6 bus 7
vga1 at pci7 dev 3 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Compaq iLO rev 0x03 at pci7 dev 4 function 0 not configured
Compaq iLO rev 0x03 at pci7 dev 4 function 2 not configured
uhci4 at pci7 dev 4 function 4 Hewlett-Packard USB rev 0x00: irq 11
uhci4: cannot stop
Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured
usb1 at uhci4: USB revision 1.0
uhub1 at usb1: Hewlett-Packard UHCI root hub, rev 1.00/1.00, addr 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 7 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: FB160C4081
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
usb2 at uhci0: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, 

Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Can Erkin Acar
L. V. Lammert wrote:
 At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
  Virtualization provides near absolute security - DOM0 is not visible to
  the user at all, only passing network traffic and handling kernel calls.
  The security comes about in that each DOMU is totally isolated from the
  the others, while the core DOM0 is isolated from any attacks.

dream on.
that is what marketing wants to tell you.
in fact the isolation is incredibly poor.
 
 Sorry, the kernel hacking world is pretty far removed from 'enterprise 
 reality'; not that it's a bad thing - I often wish it were that simple!! 
 In reality, there are tons of SMEs out there using MS Crap and other risky 
 software! The few security risks you cite for XEN are negligible by 
 comparison.

When all this crap/risky software is running on separate boxes, you only
have the network as an attack path to the other crap. This path is well
understood, and there are established policies, best practices, tools
that you can use to control and monitor your network.

Now, when you put all this crap onto the same hardware, you remove the
well known and trusted hardware from underneath the already crappy setups,
and introduce a (possibly crappy/unknown) software layer that claims to
provide isolation.


Advantages:

1. buzzword compliance
2. some 'cool features' like snapshots and migration
3. perhaps better utilize the (high performance/ultra expensive)
   hardware you just bought to gain 1 & 2.


Disadvantages:

1. isolation between the systems is in fact *reduced*
2. whole new attack paths through the VM system are introduced:
   you get access to the host OS, not necessarily through a guest,
   you compromise ALL guests.
3. A compromised guest could, at the very least cause stability problems
   and DoS affecting ALL the guests, at worst compromising the host OS.


 Anything we can do to increase security, *including* setting up VMs (of any 
 flavor) is an improvement [that also increased hardware utilization].

You do not get security improvements out of using a VM system at all.
Look at the list above. This is *not* some kernel hackers' out of the
world scenario. This is just common sense and security best practices
that every enterprise should be aware of.

You do have some benefits in terms of management and flexibility, and
perhaps faster recovery. VMs are invaluable for development/testing.
But there is absolutely *no* security improvement at all. You may accept
the risks in favor of the benefits to your business, but do not claim
that you are actually improving the security.

Can



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Theo de Raadt
 At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
 
   Anything we can do to increase security, *including* setting up VMs (of 
  any
   flavor) is an improvement [that also increased hardware utilization].
 
 This last sentence is such a lie.
 
 That depends on your viewpoint. There certainly may be some issues at the 
 OS level (which have been mentioned previously), however the majority of VM 
 applications benefit from security *isolation*, which has nothing to do 
 with security issues of the underlying OS, and that was the viewpoint I was 
 communicating.

The ends justify the means, even if the means don't actually perform as
you declare?  

 For example, say you have three departments within a company: Marketing, 
 Development, Production. Allowing each department to maintain their own 
 server instance allows each department to have their own users, home 
 directory configuration, samba (possibly) network config & authorization, 
 separate file/print sharing domain, etc.
 
 That is simply not doable with a single OS, yet with reasonably priced 
 h/w all can be maintained on one platform.
 
 The security benefits are at the application level, *NOT* at the OS level.

This has NOTHING to do with security.  You are just saving pennies.

You did zero actual security assessment, so you are just talking out
of your ass.

 If people were saying:
 
  Yes, it increased hardware utilization, and the nasty
  security impact might be low
 
 it would be fine.
 
 But instead we have many uneducated people saying:
 
 Yes, it increased hardware utilization, and it improved security 
  too.
 
 And that's complete and utter bullshit.
 
 Perhaps more correctly:
 
  Yes, it increased hardware utilization, and it improves 
 security/isolation between different work domains
 
 However few outside this community would have any comprehension of the 
 difference.

You're so full of it.  There is no security/isolation.  You are making
it up out of thin air to justify the pennies you saved.

It's a total lie.



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Henning Brauer
* Paul de Weerd [EMAIL PROTECTED] [2007-10-24 19:28]:
 On Wed, Oct 24, 2007 at 10:47:45AM -0500, Boris Goldberg wrote:
 |   Maybe it makes sense to set -ncv as a default behavior of rdate, but
 | there should be a way to synchronize time without running a daemon (don't
 | understand why people are so aggressive about that) if you don't need
 | up-to-second synchronization (in my case modern hardware goes less than a
 | second off per day, and really old hardware - less than 10 seconds).
 
 The problem here is the jump in time. You repeat a second or more (if
 you have to jump back) or skip some (if you jump forward). This may
 not be a problem for you in particular, but is considered bad in
 general.

rdate can use adjtime, so that point is moot.

 Another issue is the fact that the server you're syncing to may not be
 perfectly sync'ed itself. Or maybe there's some (assymmetrical) delay
 in the network. This may make time on your machine somewhat off (this
 isn't as big a problem as the previous, IMO).

this is the key. rdate sets/skews the clock based on a single reply, 
which might get affected badly by network issues or whatever, or be 
spoofed, or... ntpd doesn't have that problem at all - last but not least, 
it never uses fewer than 8 packets to form a single update (just picking 
that one as an example; there is more it can do, because it can develop 
things over TIME instead of a single one-shot update & exit).

and it fixes the clock frequency permanently using adjtick. rdate 
doesn't.

 And it's totally unneccessary, simply run ntpd and be done
 with it.

exactly.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

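The two points argued above, rdate acting on a single reply while ntpd refuses to form an update from fewer than several, and stepping the clock versus slewing it with adjtime (which `rdate -a` uses), as an added Python simulation. This is not code from the thread, rdate or OpenNTPD: the clock model, the reply offsets and the median-of-eight rule are all constructed for illustration, and the median is a stand-in for ntpd's filtering, not a description of its actual algorithm.

```python
"""
Added simulation, not code from this thread, rdate or OpenNTPD.

Two things it makes visible:
  1. stepping the clock (settimeofday-style) versus slewing it
     (adjtime-style, as `rdate -a` does): a backward step makes the
     clock read earlier than it did a moment ago, a slew never does;
  2. a one-shot correction taken from a single reply versus one
     derived from several replies: a single spoofed or badly delayed
     reply moves the first, not the second.

The reply offsets below are constructed.  Taking the median of at
least eight samples is an illustrative stand-in for ntpd's filtering,
not its algorithm.
"""
from statistics import median


class SimClock:
    """Seconds-resolution clock; each tick() is one second of real time."""

    def __init__(self, start, rate=0.5):
        self.t = float(start)
        self.rate = rate        # max correction applied per tick when slewing
        self.pending = 0.0      # outstanding adjtime()-style correction

    def step(self, delta):
        """settimeofday()-style: apply the whole correction immediately."""
        self.t += delta

    def slew(self, delta):
        """adjtime()-style: queue the correction and apply it gradually."""
        self.pending += delta

    def tick(self):
        self.t += 1.0
        if self.pending:
            part = max(-self.rate, min(self.rate, self.pending))
            self.t += part
            self.pending -= part
        return self.t


def readings(mode, correction, ticks=8):
    """Clock values read once per tick: one before the correction, `ticks` after."""
    clk = SimClock(1000.0)
    seen = [clk.tick()]                 # 1001.0, before anything is adjusted
    if mode == "step":
        clk.step(correction)
    elif mode == "slew":
        clk.slew(correction)
    else:
        raise ValueError("mode must be 'step' or 'slew'")
    seen.extend(clk.tick() for _ in range(ticks))
    return seen


def is_monotonic(values):
    return all(b > a for a, b in zip(values, values[1:]))


def backward_jumps(values):
    """(before, after) pairs where the clock read earlier than one tick before."""
    return [(a, b) for a, b in zip(values, values[1:]) if b < a]


def max_jump(values):
    """Largest advance between two consecutive readings."""
    return max(b - a for a, b in zip(values, values[1:]))


# Constructed offsets (seconds) from eight replies; the first one is
# bogus, e.g. spoofed on the wire or from a server that is itself off.
OFFSETS = [3600.4, 0.012, -0.008, 0.015, 0.003, -0.011, 0.009, 0.001]


def single_reply_offset(offsets):
    """rdate-style: whatever the one reply said is applied as-is."""
    return offsets[0]


def multi_sample_offset(offsets, min_samples=8):
    """Refuse to adjust on fewer than min_samples replies, then use the
    median, so one outlier cannot move the clock on its own."""
    if len(offsets) < min_samples:
        raise ValueError("not enough samples to form an update")
    return median(offsets)


if __name__ == "__main__":
    for mode in ("step", "slew"):
        back = readings(mode, -3)
        print(f"{mode:4} -3s : monotonic={is_monotonic(back)} "
              f"backward={backward_jumps(back)}")
        fwd = readings(mode, +20)
        print(f"{mode:4} +20s: largest jump between readings={max_jump(fwd)}")
    print("single reply would apply", single_reply_offset(OFFSETS), "s")
    print("median of 8 would apply ", multi_sample_offset(OFFSETS), "s")
```

Run it and the -3 s step shows the clock going from 1001 back to 999 (the seconds 999 to 1001 are lived through twice), while the slew keeps every reading strictly increasing and still ends at the same time; the bogus 3600 s reply is applied in full by the single-reply path and ignored by the median.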


Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Paul de Weerd
On Wed, Oct 24, 2007 at 01:41:38PM -0500, L. V. Lammert wrote:
| For example, say you have three departments within a company: Marketing, 
| Development, Production. Allowing each department to maintain their own 
| server instance allows each department to have their own users, home 
| directory configuration, samba (possibly) network config & authorization, 
| separate file/print sharing domain, etc.
| 
| That is simply not doable with a single OS, yet with reasonably priced 
| h/w all can be maintained on one platform.
| 
| The security benefits are at the application level, *NOT* at the OS level.

Let's have a look at the case.

Three departments all on one machine, each under one VM.

Why compare this to all departments on one machine, all on the same
OS ? That's not a fair comparison.

Compare your one machine with 3 VMs to three machines. What do you
think is more secure ? If you really, honestly think that the one
machine/3 VM's solution is more secure, I'm actually very interested
in your reasoning for this.

You separate and isolate each department on their own machine. As
secure as the OS and/or application running on that machine.

Now you join three machines into one machine with three VMs, adding a
layer of complexity/code that is quite useful (as it saves on hardware
costs) but maybe not very mature yet.

How does that joining *add* security ? Please elaborate.

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Henning Brauer
* Marc Balmer [EMAIL PROTECTED] [2007-10-24 20:25]:
 Boris Goldberg wrote:

   Maybe it makes sense to set -ncv as a default behavior of rdate, but
 there should be a way to synchronize time without running a daemon (don't
 understand why people are so aggressive about that) if you don't need
 up-to-second synchronization (in my case modern hardware goes less than a
 second off per day, and really old hardware - less than 10 seconds).

 You don't understand the implications of changing the time of a computer
 at runtime.

 Time can be seen a continuum whos axis can be stretched or compressed or
 as series of time units with fixed length.  In the first case the
 computer clock runs faster or slower, but no time unit is lost.  In the
 second case the computer runs at constant speed, but time units can be
 lost.

that is NOT the damn point, rdate can use adjtime.

 If either case is acceptable depends on the software that runs on the
 computer.  A computer that controls an insulin pump probably should
 run at constant speed whereas a computer that does a task at a certain
 time should not skip time units.  If a cronjob runs at 17:10 and at
 17:00 your wise cronjob sets the time to 17:20, cron will not start that
 job.

 See?

bad example, since cron is the worst example you could pick: it is 
reasonably smart at trying to deal with time jumps.

but it DOES NOT in the first place using rdate -a.

yet, ntpd is STILL a way better solution, but don't spread fud to push 
it either, it doesn't need that.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Matthew Weigel
Can Erkin Acar wrote:
 L. V. Lammert wrote:
 At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
 * L. V. Lammert [EMAIL PROTECTED] [2007-10-24 16:46]:
 Virtualization provides near absolute security - DOM0 is not visible to
 the user at all, only passing network traffic and handling kernel calls.
 The security comes about in that each DOMU is totally isolated from the
 the others, while the core DOM0 is isolated from any attacks.
 dream on.
 that is what marketing wants to tell you.
 in fact the isolation is incredibly poor.
 Sorry, the kernel hacking world is pretty far removed from 'enterprise 
 reality'; not that it's a bad thing - I often wish it were that simple!! 
 In reality, there are tons of SMEs out there using MS Crap and other risky 
 software! The few security risks you cite for XEN are negligible by 
 comparison.
 
 When all this crap/risky software is running on separate boxes, you only
 have the network as an attack path to the other crap. This path is well
 understood, and there are established policies, best practices, tools
 that you can use to control and monitor your network.

Contrariwise, there is *some* security benefit to running all the
services virtualized, compared to running all the services on the same
machine but *not* virtualized.  In that case, though, you're not getting
any improved resource utilization, and you're going with a very
complicated and unaudited system (with arbitrary code execution bugs
coming to light *this month*) to achieve improved security.

You can achieve a lot of the  promises of virtualized servers (with
fewer moving parts, and more code audits) using chroot and login classes
to run many services on a single big machine.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Boris Goldberg
Hello Marc,

Wednesday, October 24, 2007, 1:13:23 PM, you wrote:

   Maybe it makes sense to set -ncv as a default behavior of rdate, but
 there should be a way to synchronize time without running a daemon (don't
 understand why people are so aggressive about that) if you don't need
 up-to-second synchronization (in my case modern hardware goes less than a
 second off per day, and really old hardware - less than 10 seconds).

MB You don't understand the implications of changing the time of a computer
MB at runtime.

  I believe I do. :)
  There are pros and cons in the daemon and in the cron schema. I
decided to use cron and I know why. Every sysadmin/architect should make
that decision for *his* systems (and know why). Home users should
probably stay with the default (ntpd), but they are usually using Windows
and cheap hardware firewalls anyway. ;)

MB If  either  case is acceptable depends on the software that runs on the
MB computer.

  Exactly. And I believe that the usual case is not a cluster, monetary
transaction server or traffic control system.

MB A  computer  that  controls  an  insulin  pump  probably  should run at
MB constant  speed  whereas  a computer that does a task at a certain time
MB should not skip time units.

  Have you seen an insulin pump run by an OpenBSD system? ;) Give me some
*real* examples (if you want to).

MB If a cronjob runs at 17:10 and at 17:00 your wise cronjob sets the time
MB to 17:20, cron will not start that job.

  First of all, this is not a *real* case again. I was talking about 10
seconds a day, not 20 minutes. If your *production* hardware goes 20
minutes off a day you will probably replace it (I believe, for new hardware
it's a warranty case).
  Second of all, I've seen that behavior (with much smaller time
adjustments) on SCO, but OpenBSD handles it pretty well - my cron doesn't
repeat itself after adjusting time back.

-- 
Best regards,
 Boris                            mailto:[EMAIL PROTECTED]



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Darren Spruell
On 10/24/07, L. V. Lammert [EMAIL PROTECTED] wrote:
 At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:

   Anything we can do to increase security, *including* setting up VMs (of
  any
   flavor) is an improvement [that also increased hardware utilization].
 
 This last sentence is such a lie.

 That depends on your viewpoint. There certainly may be some issues at the
 OS level (which have been mentioned previously), however the majority of VM
 applications benefit from security *isolation*, which has nothing to do
 with security issues of the underlying OS, and that was the viewpoint I was
 communicating.

 For example, say you have three departments within a company: Marketing,
 Development, Production. Allowing each department to maintain their own
 server instance allows each department to have their own users, home
 directory configuration, samba (possibly) network config & authorization,
 separate file/print sharing domain, etc.

This is called a tangent. It has nothing to do with the reliable
security aspects of segmentation via virtualization.

The point you may try making here is that by segmenting your servers
into individual instances for each department, rather than having all
departments on a shared server, an attack against one department's
server doesn't affect the other. _In theory_, that's true. _In
reality_, this is only a surface assumption as without strong
segmentation at the network level to separate a compromised department
from another department, the attacker can compromise the other
departments' servers from the first one and have the same result.

Remember back 10-ish years ago when VLANs were being touted as the
ultimate network segmentation technology by marketers of managed
switches? And now everyone hopefully realizes that while VLANs
technically do offer network segmentation, it's really rudimentary and
cannot be relied on for truly reliable security due to various layer 2
attacks that subvert them? Or that if there's any communication
conduit that allows one to talk to the other, that can simply be
leveraged to subvert security? That simply segmenting networks with
VLANs can't be considered to fully isolate them? That when people
want solid assurance of isolating hosts they often still air gap them?
That is the point that VM-based segmentation is at right now.

This isn't supposed to be a remedial lesson on network architectures;
you're supposed to pick up the parallels to separation of
systems/applications via VM technology. VM based segmentation or
isolation (whichever buzzword you prefer ATM) is fine on the surface
level, but please stop acting as if it is a security measure. People
much smarter than $you are blowing that idea out of the water right
now.

http://www.intelguardians.com/ndss.pdf
http://www.pauldotcom.com/2007/08/27/pauldotcom_security_weekly_int_1.html
http://www.cutawaysecurity.com/blog/archives/170 (read Ed Skoudis'
comment on this post)

DS



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Theo de Raadt
 The security benefits are at the application level, *NOT* at the OS level.

What hogwash.

The security benefits are at the ability to buy a steak for dinner
level.

You've already made the decision to decrease security by
de-compartmentalizing onto one physical box, so you are just thrilled
with the ability to decrease security more by de-compartmentalizing
the software further.



Re: LDAP users

2007-10-24 Thread Dorian Büttner

Linus SwCFCB$las wrote:


OpenBSD doesn't include an LDAP module though so you'd have to write
your own, details for how to do so is in the login.conf(5) man page.
Or perhaps you can google something, someone else has probably built
one already.


login_ldap no longer in ports?



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread bofh
On 10/24/07, Jack J. Woehr [EMAIL PROTECTED] wrote:
 All things being equal, the safest base installations in the universe
 would be those whose user instances were encased in some kind of
 solid VM and whose base instance administrators were provided
 with and followed best practices.

My VM:  The World.

-- 
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.



Re: multimode fiber card recs for OpenBGPD

2007-10-24 Thread Henning Brauer
* N.J. Thomas [EMAIL PROTECTED] [2007-10-24 19:28]:
 I have two servers that I would like to setup to run OpenBGPD for our
 border routers.
 
 I need to find a supported PCIe (not PCI-X) fiber card that runs
 multi-mode and a supported PCIe (not PCI-X) fiber card that runs
 single-mode. (One of our providers is coming to us with mm, the other
 with sm.)
 
 A dual port card is preferable, but we will take single port cards if
 those are the only ones available.
 
 Any recommendations? The supported cards page on the OpenBSD site only
 lists PCI-X cards.

i have some pcie-ems, there are pcie-bnxs, and certainly others. fibre 
limits your options. i usually terminate wan fibres on a switch and use 
copper or plain sx (really just copper these days) to the routers - has 
the disadvantage that you don't see link state changes directly, has 
the advantage of added flexibility and just connecting two machines for 
redundancy reasons (details differ a lot depending on environment).

that said, it shouldn't be too hard to find a pcie-sx card. lx could 
get hairy.


-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Henning Brauer
* Darren Spruell [EMAIL PROTECTED] [2007-10-24 21:48]:
 Remember back 10-ish years ago when VLANs were being touted as the
 ultimate network segmentation technology by marketers of managed
 switches? And now everyone hopefully realizes that while VLANs
 technically do offer network segmentation, it's really rudimentary and
 cannot be relied on for truly reliable security due to various layer 2
 attacks that subvert them?

err, that is a very bad comparison. I am not aware of any layer2 
attacks (you probably mean vlan hopping things) that work against any 
half reasonably configured switch from the last 10 years.
heck, these days even everybody except cisco has sane defaults.
(well, I dunno about those cheap switches, admittedly)

this comparison is wrong on another basis: vlans are dead simple, just 
a tiny and simple header before the ethernet segment. virtualization is 
certainly not.

 That simply segmenting networks with
 VLANs can't be considering to fully isolate them?

without bad config errors (that are getting harder to make, except on 
cisco, they got the semantics completely wrong and stupid defaults) and 
used correctly, yes, VLANs perfectly isolate network segments.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
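Both sides of this exchange are about the same four bytes. Darren's "layer 2 attacks" are, as Henning guesses, the VLAN-hopping family, of which the double-tagging case is the classic: a frame carries two stacked 802.1Q tags, the first switch pops the outer one because that VLAN is the trunk's untagged native VLAN, and the next switch classifies the frame by the tag that is left. Henning's reply is that a sanely configured switch does not let this happen. The code below is an added example, not anything from the thread: a parser for the 802.1Q tag stack (the "tiny and simple header" Henning refers to) plus a deliberately small model of an access port, a trunk egress and a trunk ingress, so the configuration that opens the hop and the two that close it can be compared side by side. The MAC addresses, VLAN numbers and the port behaviours are constructed for the example and do not describe any particular vendor's switch.

```python
"""802.1Q tag-stack parser plus a minimal two-switch model of double tagging.

Added example for the VLAN discussion above; constructed here, not code from
the thread. A tag is four bytes after the source MAC: TPID 0x8100, then a TCI
of 3 bits PCP, 1 bit DEI and 12 bits VID. The port behaviours are a model.
"""
import struct
from typing import List, NamedTuple, Optional

TPID_8021Q = 0x8100      # 802.1Q customer tag
TPID_8021AD = 0x88A8     # 802.1ad service tag (QinQ)
TPIDS = (TPID_8021Q, TPID_8021AD)


class Frame(NamedTuple):
    dst: bytes
    src: bytes
    tags: List[tuple]    # (tpid, pcp, dei, vid), outermost first
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Walk the tag stack after the source MAC until a non-TPID ethertype."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    off, tags = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated ethertype")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in TPIDS:
            return Frame(raw[:6], raw[6:12], tags, etype, raw[off + 2:])
        if off + 4 > len(raw):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Frame with zero or more stacked 802.1Q tags (outermost first), PCP/DEI zero."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def strip_outer_tag(raw: bytes) -> bytes:
    return raw[:12] + raw[16:] if parse_frame(raw).tags else raw


def access_ingress(raw: bytes, port_vid: int, accept_tagged: bool) -> Optional[int]:
    """VLAN a frame is classified into on an access port, or None if dropped.
    A sane access port drops tagged frames; a permissive one accepts a tag
    naming its own VLAN, which is what the double-tag trick relies on."""
    tags = parse_frame(raw).tags
    if not tags:
        return port_vid
    if accept_tagged and tags[0][3] == port_vid:
        return port_vid
    return None


def trunk_egress(raw: bytes, vlan: int, native_vid: int, tag_native: bool) -> bytes:
    """Bytes put on a trunk for a frame classified into `vlan`. Native-VLAN
    frames leave untagged unless the trunk is configured to tag its native VLAN."""
    if vlan == native_vid and not tag_native:
        return strip_outer_tag(raw)
    tags = parse_frame(raw).tags
    if tags and tags[0][3] == vlan:
        return raw
    return raw[:12] + struct.pack("!HH", TPID_8021Q, vlan) + raw[12:]


def trunk_ingress(raw: bytes, native_vid: int) -> int:
    """VLAN the next switch assigns to what arrives on its trunk port."""
    tags = parse_frame(raw).tags
    return tags[0][3] if tags else native_vid


def double_tag_outcome(port_vid: int, native_vid: int, target_vid: int,
                       accept_tagged: bool, tag_native: bool) -> Optional[int]:
    """VLAN in which a [port_vid][target_vid] frame sent from an access port
    lands at the far end of the trunk; None if the first switch drops it."""
    raw = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                      [port_vid, target_vid], 0x0800, b"\x45" + b"\x00" * 19)
    vlan = access_ingress(raw, port_vid, accept_tagged)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(raw, vlan, native_vid, tag_native), native_vid)


if __name__ == "__main__":
    print("user port on native VLAN, untagged native, permissive port ->",
          double_tag_outcome(1, 1, 20, accept_tagged=True, tag_native=False))
    print("same, but trunk tags its native VLAN ->",
          double_tag_outcome(1, 1, 20, accept_tagged=True, tag_native=True))
    print("same, but access port drops tagged frames ->",
          double_tag_outcome(1, 1, 20, accept_tagged=False, tag_native=False))
    print("user port not on the native VLAN ->",
          double_tag_outcome(10, 1, 20, accept_tagged=True, tag_native=False))
```

The hop only comes out of the model when three things line up: the sender's port is in the trunk's native VLAN, the trunk sends that VLAN untagged, and the access port accepts a tagged frame at all. Tagging the native VLAN on trunks, keeping user ports off it, or having access ports drop tagged frames each close it on their own, which is the "half reasonably configured switch" Henning describes.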



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Jason Dixon

It's a very simple concept.

There is *nothing* in any virtualization software that makes having it  
*more secure* than not having it at all.


Period.

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert
On Wed, 24 Oct 2007, Theo de Raadt wrote:

  The security benefits are at the application level, *NOT* at the OS level.

 What hogwash.

 The security benefits are at the ability to buy a steak for dinner
 level.

Nah, I like steak, I hate enterprise computing.

 You've already made the decision to decrease security by
 de-compartmentalizing onto one physical box, so you are just thrilled
 with the ability to decrease security more by de-compartmentalizing
 the software further.

Quite the opposite!! A VM provides a safe, sane, decently
compartmentalized way to run a specific application domain. It's obvious
we have different viewpoints, but both are equally valid - yours from the
OS, mine from the application.

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-24 Thread Brian
Boris Goldberg wrote:
[snip]
   There  are  pros  and  cons  in  the  demon and in the cron schema. I
 decided  to  use  cron and I know why. Every sysadmin/architect should make
 that  decision  for  *his*  systems  (and  know  why).  Home users should
 probably  stay  with the default (ntpd), but they are usually using Windows
 and cheap hardware firewalls anyway. ;)
[snip]

I hate beating a dead horse, but this one needs one more whack.

OpenNTPD runs as a 'daemon,' yes, but it does so using privilege
separation and other goodies.  The network code runs as a normal user,
isolated from other users.  This is superior to running rdate AS ROOT
from a cronjob.  OpenNTPD does not open any TCP or UDP ports by default.

It is true that rdate has about 63% fewer lines of code than ntpd and is
older, and may have had more code audits performed; however, ntpd is new
code, written with security in mind, runs as a normal user (privilege
separated for the most part) and has superior time keeping ability.

Your advice about not running a daemon if it's possible to do the task
otherwise may be true with a (bloated) daemon such as ntp.org ntpd,
however, with OpenNTPD the tables are turned.  It is far safer to run
the 'daemon' than to perform the task otherwise.

That being said, it is up to the individual users to decide what to do.
 Hopefully this above explanation will help those who don't necessarily
understand the risks of running programs as root vice daemons which
execute code with proper separation of privileges.

-Brian

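Brian's point is architectural: the code that parses bytes off the network should not be the code that is allowed to set the clock. The sketch below is an added example of that privilege-separation pattern in Python, not OpenNTPD's code or anything posted in this thread. An unprivileged child parses an NTP server reply (the untrusted input) and hands the parent a fixed-size status-plus-offset message; the parent never sees the packet, checks the message length and an assumed sanity clamp, and only then would call adjtime(2). The packet layout used is the standard 48-byte NTP header, but the clamp value (MAX_STEP_SECONDS), the reply encoding and the sample packets are assumptions made for the example; the chroot and uid drop the child would perform in a real daemon are omitted because they need root to run.

```python
"""Privilege separation for a time-sync client, sketched in Python.

Added example for the rdate-as-root vs OpenNTPD exchange above. It is a
constructed illustration of the pattern (an unprivileged process touches the
network bytes, the privileged one only ever sees a fixed-size, policy-checked
message), not OpenNTPD's code. The clamp value, the reply encoding and the
sample packets are assumptions made for the example.
"""
import os
import struct

NTP_UNIX_DELTA = 2208988800     # seconds from 1900-01-01 to 1970-01-01
MAX_STEP_SECONDS = 1000.0       # assumed policy: refuse to apply a larger correction
REPLY_FMT = "!Bd"               # status byte + IEEE double offset: fixed 9 bytes
REPLY_LEN = struct.calcsize(REPLY_FMT)


def parse_ntp_transmit(packet: bytes) -> float:
    """Untrusted-input parser: the 64-bit transmit timestamp of a 48-byte
    NTPv3/v4 server reply, as a Unix float. Raises on anything irregular."""
    if len(packet) != 48:
        raise ValueError("bad length %d" % len(packet))
    version, mode = (packet[0] >> 3) & 0x7, packet[0] & 0x7
    if version not in (3, 4) or mode != 4:          # mode 4 is "server"
        raise ValueError("not a server reply")
    secs, frac = struct.unpack("!II", packet[40:48])
    if secs == 0:
        raise ValueError("server not synchronised (zero timestamp)")
    return secs - NTP_UNIX_DELTA + frac / 2 ** 32


def encode_reply(status: int, offset: float) -> bytes:
    return struct.pack(REPLY_FMT, status, offset)


def unprivileged_child(packet: bytes, now: float) -> bytes:
    """Non-root side: parse the packet, report an offset or a failure status.
    A bug here is confined to a process that owns nothing."""
    try:
        return encode_reply(0, parse_ntp_transmit(packet) - now)
    except (ValueError, struct.error):
        return encode_reply(1, 0.0)


def privileged_parent(reply: bytes):
    """Root side: never sees the packet; checks length and policy, then acts.
    Returns the offset it would hand to adjtime(2), or None to do nothing."""
    if len(reply) != REPLY_LEN:
        return None
    status, offset = struct.unpack(REPLY_FMT, reply)
    if status != 0 or not (-MAX_STEP_SECONDS < offset < MAX_STEP_SECONDS):
        return None
    return offset


def privsep_sync(packet: bytes, now: float):
    """Fork; a real child would also chroot(2) and drop to an unprivileged
    uid before touching `packet` (omitted here: it needs root to demonstrate)."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(rd)
        os.write(wr, unprivileged_child(packet, now))
        os._exit(0)
    os.close(wr)
    reply = os.read(rd, REPLY_LEN)
    os.close(rd)
    os.waitpid(pid, 0)
    return privileged_parent(reply)


def make_server_reply(unix_time: float) -> bytes:
    """Constructed 48-byte NTPv4 server reply carrying `unix_time` as the
    transmit timestamp (all other fields zero)."""
    whole = int(unix_time)
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 4                            # LI=0, VN=4, mode=4
    pkt[40:48] = struct.pack("!II", whole + NTP_UNIX_DELTA,
                             int((unix_time - whole) * 2 ** 32))
    return bytes(pkt)


if __name__ == "__main__":
    now = 1_000_000.0
    print("good reply  ->", privsep_sync(make_server_reply(now + 0.5), now))
    print("wild offset ->", privsep_sync(make_server_reply(now + 86400), now))
    print("garbage     ->", privsep_sync(b"\x00" * 10, now))
```

Compare this with rdate from root's crontab, where the same parsing happens in a process that already holds the privilege it needs to set the clock: there, a parser bug and a clock change are the same process, and nothing sits between "what the network said" and "what gets applied".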



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread bofh
On 10/24/07, Henning Brauer [EMAIL PROTECTED] wrote:
 without bad config errors (that are getting harder to make, except on
 cisco, they got the semantics completely wrong and stupid defaults) and
 used correctly, yes, VLANs perfectly isolate network segments.

I'm curious about this.  Do you have any pointers I can go look up?  Thanx!


-- 
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Jason Dixon
On Oct 24, 2007, at 4:16 PM, Henning Brauer [EMAIL PROTECTED]  
wrote:



* Darren Spruell [EMAIL PROTECTED] [2007-10-24 21:48]:

Remember back 10-ish years ago when VLANs were being touted as the
ultimate network segmentation technology by marketers of managed
switches? And now everyone hopefully realizes that while VLANs
technically do offer network segmentation, it's really rudimentary and
cannot be relied on for truly reliable security due to various layer 2
attacks that subvert them?

err, that is a very bad comparison. I am not aware of any layer2
attacks (you probably mean vlan hopping things) that work against any
half reasonably configured switch from the last 10 years.
heck, these days even everybody except cisco has sane defaults.
(well, I dunno about those cheap switches, admittedly)

this comparison is wrong on another basis: vlans are dead simple, just
a tiny and simple header before the ethernet segment. virtualization is
certainly not.

That simply segmenting networks with
VLANs can't be considered to fully isolate them?

without bad config errors (that are getting harder to make, except on
cisco, they got the semantics completely wrong and stupid defaults) and
used correctly, yes, VLANs perfectly isolate network segments.


Why does this continue to pop up in misc@ every year?

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Kevin Stam
You have failed to satisfactorily explain why running a specific application
in a VM is more secure than running it in a standard OS. It's nonsense that
you think it's more secure that way. It saves a lot of money, yes -- you
don't necessarily want a separate box just to run an application - but
that's not the debate here. The debate is about security, and I'm amazed
that you think a virtual environment is somehow more secure than a dedicated
non-virtual environment.

On 10/24/07, L. V. Lammert [EMAIL PROTECTED] wrote:

 On Wed, 24 Oct 2007, Theo de Raadt wrote:

   The security benefits are at the application level, *NOT* at the OS
 level.
 
  What hogwash.
 
  The security benefits are at the ability to buy a steak for dinner
  level.
 
 Nah, I like steak, I hate enterprise computing.

  You've already made the decision to decrease security by
  de-compartmentalizing onto one physical box, so you are just thrilled
  with the ability to decrease security more by de-compartmentalizing
  the software further.
 
 Quite the opposite!! A VM provides a safe, sane, decently
 compartmentalized way to run a specific application domain. It's obvious
 we have different viewpoints, but both are equally valid - your's from the
 OS, mine from the application.

 Lee

 
   Leland V. Lammert[EMAIL PROTECTED]
 Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net
 



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert
On Wed, 24 Oct 2007, Theo de Raadt wrote:

  At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
 
Anything we can do to increase security, *including* setting up VMs (of
   any
flavor) is an improvement [that also increased hardware utilization].
  
  This last sentence is such a lie.
 
  That depends on your viewpoint. There certainly may be some issues at the
  OS level (which have been mentioned previously), however the majority of VM
  applications benefit from security *isolation*, which has nothing to do
  with security issues of the underlying OS, and that was the viewpoint I was
  communicating.

 The ends justify the means, even if the means don't actually perform as
 you declare?

Huh? What does circular logic have to do with a simple statement? Running
different application domains on separate VMs provides isolation BETWEEN
those application domains. That's security by anyone's definition.

The fact that the OS level security is *separate*, and could be an
issue, has nothing to do with the point I'm making.

What if the client OS were Windoze? The security of that OS is crap, and
we all know it. Any sane sysadmin will have a good firewall in front of
that machine, whether it's running in a VM or on separate hardware.

What if the client OS were Linux with AppArmor? SE Linux is a BIG
improvement over regular Linux, and WAY more secure than ANY product from
Redmond.

Certainly there is a small, compound risk increase due to multiple OS
images involved, but the OS images must be analyzed independently FIRST,
and THOSE risks addressed.

**IF** OBSD were available as a host OS, that would be good security. If
not, then security issues compound due to multiple guest OSs and each set
of inherent vulnerabilities.

No matter how you twist the logic, however, a VM provides a good level of
application domain security, from the standpoint that each set of domain
users and applications can only see the services provided within that
domain guest OS.


Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Daniel Ouellet

Theo de Raadt wrote:

The security benefits are at the ability to buy a steak for dinner
level.


I vote to add it to theo.c.

Thanks

Daniel

Index: src/usr.bin/mg/theo.c
===
RCS file: /cvs/src/usr.bin/mg/theo.c,v
retrieving revision 1.101
diff -u -p -r1.101 theo.c
--- src/usr.bin/mg/theo.c   28 Aug 2007 17:57:16 -  1.101
+++ src/usr.bin/mg/theo.c   24 Oct 2007 21:19:08 -
@@ -147,6 +147,7 @@ static const char *talk[] = {
cache aliasing is a problem that would have stopped in 1992 if 
someone had killed about 5 people who worked at Sun.,

Don't spread rumours about me being gentle.,
If municipal water filtering equipment was built by the gcc 
developers, the western world would be dead by now.,
+   The security benefits are at the 'ability to buy a steak for 
dinner' level.,

 };

 static const int ntalk = sizeof(talk)/sizeof(talk[0]);
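Review bot: the new talk[] entry on the `+` line is wrapped across two physical lines ("...buy a steak for" / "dinner' level.,"); if that line break is in the patch itself rather than introduced by mail wrapping, the string literal is cut in the middle and the file will not compile, so keep the entry on one line or split it into two adjacent string literals the way longer entries in this array are written. Nothing else in the hunk needs changing: ntalk is derived from sizeof(talk), so no count has to be updated when an entry is appended.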



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Henning Brauer
* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 23:22]:
 Running
 different application domains on separate VMs provides isolation BETWEEN
 those application domains.

no, it does not.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Theo de Raadt
 Certainly there is a small, compound risk increase due to multiple OS
 images involved, but the OS images must be analyzed independently FIRST,
 and THOSE risks addressed.

Certainly you pulled that assessment out of your ass.

 **IF** OBSD were available as a host OS, that would be good security.

You must be more qualified with regards to the actual code than I am
because I flat out don't believe this at all.

 If
 not, then security issues compound due to multiple guest OSs and each set
 of inherent vulnerabilities.

security issues and protections do not add up like numbers.

 No matter how you twist the logic, however, a VM provides a good level of
 application domain security, from the standpoint that each set of domain
 users and applications can only see the services provided within that
 domain guest OS.

The phrase "application domain security" is a cover-up statement that
means "I have already decided to run the multiple things on one box
because I am cheap, and I need to invent reasons why I can continue
doing so."



Re: multimode fiber card recs for OpenBGPD

2007-10-24 Thread Claudio Jeker
On Wed, Oct 24, 2007 at 10:25:32PM +0200, Henning Brauer wrote:
 * N.J. Thomas [EMAIL PROTECTED] [2007-10-24 19:28]:
  I have two servers that I would like to setup to run OpenBGPD for our
  border routers.
  
  I need to find a supported PCIe (not PCI-X) fiber card that runs
  multi-mode and a supported PCIe (not PCI-X) fiber card that runs
  single-mode. (One of our providers is coming to us with mm, the other
  with sm.)
  
  A dual port card is preferable, but we will take single port cards if
  those are the only ones available.
  
  Any recommendations? The supported cards page on the OpenBSD site only
  lists PCI-X cards.
 
 i have some pcie-ems, there are pcie-bnxs, and certainly others. fibre 
 limits your options. i usually terminate wan fibres on a switch and use 
 copper or plain sx (really just copper these days) to the routers - has 
 the disadvantage that you don't see link state changes directly, has 
 the advantage of added flexibility and just connecting two machines for 
 redundancy reasons (details differ a lot depending on environment).
 
 that said, it shouldn't be too hard to find a pcie-sx card. lx could 
 get hairy.
 
 

http://www.transtec.co.uk/ they have em(4) based cards with sx and lx (lx
only as pci-x for some strange reason). The also offer msk(4) cards with
sx and lx but those are pci-x only.

-- 
:wq Claudio



Re: A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel

2007-10-24 Thread Stephen

knitti wrote:

On 10/19/07, Stephen Bosch [EMAIL PROTECTED] wrote:

Other things I've tried:

- moving the Jetdirect to a different port on the same physical switch
- a variety of static and dynamic IPs in the subnet

I also forwarded the external port 9100 to this print server and tried
to access it from a public host, but this didn't work either.

This leads me to suspect a peculiar interaction between OpenBSD 4.1 and
this particular print server. Of course, it might well be the fault of
HP's IP stack, but I've already talked to them at great length and got
pretty much nowhere: We don't support JetDirect over WAN connections.


look with tcpdump, whether the packets of the printserver look like you expect.
perhaps it only has a ttl of 1 or 2 ;-)


No -- the damn thing is doing ARP for the remote address, even though it 
has a gateway configured.


The stupid thing is that this same model of printer works on another 
network, same configuration -- except the local VPN endpoint is a SonicWall.


-Stephen-



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Theo de Raadt
 You have failed to satisfactorily explain why running a specific application
 in a VM is more secure then running it in a standard OS. It's nonsense that
 you think it's more secure that way. It saves a lot of money, yes -- you
 don't necessarily want a separate box just to run an application - but
 that's not the debate here. The debate is about security, and I'm amazed
 that you think a virtual environment is somehow more secure then a dedicated
 non-virtual environment.

It's that extra 4MB of poo code, that is what makes it more secure.

It's slippery and sticky at the same time, so that the application
attackers slip and slide and fall into the page boundaries.

If the actual hardware let us do more isolation than we do today, we
would actually do it in our operating system.

The problem is the hardware DOES NOT actually give us more isolation
abilities, therefore the VM does not actually do anything like what they
say they do.

While x86 hardware has the same page-protection hardware that an IBM
390 architecture machine has, modern PC machines are a mess.  They are
architecturally so dirty, that parts of the video, keyboard, and other
IO devices are interfaced with even to do simple things like context
switching processes and handling interrupts.  Those of us who have
experience with the gory bits of the x86 architecture can clearly say
that we know what would be involved in virtualizing it, and if it was
so simple, we would not still be fixing bugs in the exact same area in
our operating system going on 12 years.

We know what a VM operating system has to do to deal with the PC
architecture.  It is too complex to get perfectly right.

And now you've entered into the layered approach where *any error* in
the PC model exposed to the client operating system is not just a
crashing bug -- it is now exploitable.

It might be nice, but it is stupid.  And anyone who thinks there is
any security advantage at any level knows nothing about PC
architecture.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert

At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote:

 Certainly there is a small, compound risk increase due to multiple OS
 images involved, but the OS images must be analyzed independently FIRST,
 and THOSE risks addressed.

Certainly you pulled that assessment out of your ass.


I thought it was obvious, .. but I know you have better things on your mind. 
I DO mind you liking my ass, however - ain't gonna happen.



 **IF** OBSD were available as a host OS, that would be good security.

You must be more qualified with regards to the actual code than I am
because I flat out don't believe this at all.


Believe what? OBSD is secure? I thought you were proud of the project? 
Sheesh! If our leader doesn't believe OBSD is secure, we ALL better be 
running for cover. Linux, anyone?


If you're saying that OBSD will never be modified to run AS a XEN 
hypervisor, that's probably a true statement. No need to corrupt a decent 
OS with GPL s/w.


 If not, then security issues compound due to multiple guest OSs and 
each set

 of inherent vulnerabilities.

security issues and protections do not add up like numbers.


Sure they do. If I'm running Windoze as a guest OS, there are hundreds or 
thousands of possible vulnerabilities. If I'm running OBSD as a guest OS, 
guess what (I hope you don't have to??) - few to none. There is no way to 
'compound threat [interaction]', but that doesn't detract from the basic 
truth - the lower the risk/number of vulnerabilities of the OS, the better 
off you are. As a corollary, you might also say that there is no way to 
improve the security of a server without improving the security of the OS.



 No matter how you twist the logic, however, a VM provides a good level of
 application domain security, from the standpoint that each set of domain
 users and applications can only see the services provided within that
 domain guest OS.

The phrase "application domain security" is a cover-up statement that
means "I have already decided to run the multiple things on one box
because I am cheap, and I need to invent reasons why I can continue
doing so."


Huh?? Do you know what an application domain is? Guess not - here's a 
definition:


Application + Users + Access Method = Application Domain

Examples: File/Print, httpd, DB, . . .

The more discrete the security model (i.e. File/Print users are not valid 
on the httpd server) the better.


Lee



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert

At 11:26 PM 10/24/2007 +0200, Henning Brauer wrote:

* L. V. Lammert [EMAIL PROTECTED] [2007-10-24 23:22]:
 Running
 different application domains on separate VMs provides isolation BETWEEN
 those application domains.

no, it does not.


Is that your ostrich response?

Lee



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Henning Brauer
* L. V. Lammert [EMAIL PROTECTED] [2007-10-25 00:11]:
 At 11:26 PM 10/24/2007 +0200, Henning Brauer wrote:
 * L. V. Lammert [EMAIL PROTECTED] [2007-10-24 23:22]:
  Running
  different application domains on separate VMs provides isolation BETWEEN
  those application domains.

 no, it does not.

 Is that your ostrich response?

it has been pointed out several times that virtualization does not 
provide the isolation you keep talking about. you keep repeating it 
does. just like vmware marketing & co.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Tony Abernethy
L. V. Lammert wrote:
gibberish



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Matthew Weigel
Paul de Weerd wrote:

 Why compare this to all departments on one machine, all on the same
 OS ? That's not a fair comparison.

Why?  Because that's what happens *anyway*.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread L. V. Lammert

At 05:27 PM 10/24/2007 -0500, Tony Abernethy wrote:

L. V. Lammert wrote:
gibberish


Wow, such intelligence Now we get crap instead of ostrich logic. Sheesh.

Lee



new dell install completed, but...

2007-10-24 Thread metajunkie
all,

I'm happy to read whatever I need to, in order to get this system
running.  I come before this list humbly.  Please don't flame my ass
with RTFMs :)

I have a new Dell Optiplex 745 with an Intel Core 2 Duo.

this system completed the install.  Now on boot it hangs after:
wskbd1: connecting to wsdisplay0

the only issue I had during install was that the on-board nic would
not grab a dhcp address - but the pci nic did.

how can I troubleshoot this further?  I followed the FAQ for the
install - and I've looked at the common issues after install.

years ago I had an issue with a piece of hardware that I had to
exclude.  but I don't recall how I got into that particular sub
system to deactivate it.  Is there something I can do at the boot
prompt?

Humbly yours,

Metajunkie

-- 
010101010101010101010101010101010
010101010101010101010101010101010
0101010101 Meta Junkie 101010101010
010101010101010101010101010101010
010101010101010101010101010100101



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Jack J. Woehr
On Oct 24, 2007, at 3:41 PM, Theo de Raadt wrote:

 We know what a VM operating system has to do to deal with the PC
 architecture.  It is too complex to get perfectly right.

I concur with this assessment and the discussion of actual x86 PC
implementation vs. 390 architecture which led up to it.

-- 
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527



Problem with disk size

2007-10-24 Thread Jon Sjöstedt
Hello all!

I have an OpenBSD-box with two 250G drives inside (and some SCSI). Trying
to use one of the drives as a whole gave this from disklabel


$ sudo disklabel -p g wd0
[snip]
16 partitions:
#             size      offset  fstype [fsize bsize  cpg]
  c:        233.8G        0.0G  unused      0     0        # Cyl     0 - 486343
  d:        233.8G        0.0G  4.2BSD   2048 16384   16   # Cyl     0*- 486343*

but df -h says:

/dev/wd0d      7.8G    7.4G    4.2M   100%

and I can't create any new files on the drive. What could be the problem
here? Any hints appreciated.

dmesg attached.





Jon Sjöstedt   _O_
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 665 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 536387584 (523816K)
avail mem = 482426880 (471120K)
using 4278 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 05/31/00, BIOS32 rev. 0 @ 0xfdae0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7710/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C686 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x1 0xd/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA Riva TNT2 rev 0x15
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x1b
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x0e: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x0e: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x20
ahc0 at pci0 dev 9 function 0 Adaptec AHA-2940U rev 0x00: irq 10
scsibus0 at ahc0: 16 targets
sd0 at scsibus0 targ 0 lun 0: SEAGATE, ST39102LW, 0004 SCSI2 0/direct fixed
sd0: 8683MB, 6962 cyl, 12 head, 212 sec, 512 bytes/sec, 17783240 sec total
sd1 at scsibus0 targ 1 lun 0: SEAGATE, ST39102LW, 0004 SCSI2 0/direct fixed
sd1: 8683MB, 6962 cyl, 12 head, 212 sec, 512 bytes/sec, 17783240 sec total
sd2 at scsibus0 targ 2 lun 0: IBM, DNES-309170, SAH0 SCSI3 0/direct fixed
sd2: 8748MB, 11474 cyl, 5 head, 312 sec, 512 bytes/sec, 17916240 sec total
cd0 at scsibus0 targ 3 lun 0: SONY, CD-RW CRX140S, 1.0e SCSI4 5/cdrom removable
pciide0 at pci0 dev 10 function 0 CMD Technology PCI0680 rev 0x02
pciide0: bus-master DMA support present
pciide0: channel 0 configured to native-PCI mode
pciide0: using irq 9 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: Maxtor 6L250R0
wd0: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 configured to native-PCI mode
wd1 at pciide0 channel 1 drive 0: Maxtor 6L250R0
wd1: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
dc0 at pci0 dev 11 function 0 Davicom DM9102 rev 0x31: irq 12, address 00:80:ad:72:3b:17
amphy0 at dc0 phy 1: DM9102 10/100 PHY, rev. 0
emu0 at pci0 dev 12 function 0 Creative Labs SoundBlaster Live rev 0x05: irq 11
ac97: codec id 0x54524123 (TriTech Microelectronics TR28602)
audio0 at emu0
Creative Labs PCI Gameport Joystick rev 0x05 at pci0 dev 12 function 1 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
isapnp0 at isa0 port 0x279: read port 0x203
Maxi Sound 64 Series, ESS8600, ,  at isapnp0 port 0x800/8 not configured
Maxi Sound 64 Series, ESS8601, ,  at isapnp0 port 0x220/16,0x388/4,0x300/2 irq 5 drq 1,0 not configured
Maxi Sound 64 Series, ESS8602, ,  at isapnp0 port 0x201/1 not configured
Maxi Sound 64 Series, ESS8603, ,  at isapnp0 port 0x330/6 irq 5 not configured
biomask f765 netmask f765 ttymask f7e7
pctr: 686-class user-level performance counters enabled

Re: How can i boot a bsd.rd from windows 2000 ?

2007-10-24 Thread Alexander Hall

Christopher Bianchi wrote:

Hello everyone. My situation is this:
I've a laptop, a Sharp pc-ax10 with Windows 2000 preinstalled, without
cdrom or floppy. I wish to install OpenBSD on it. Naturally the BIOS can't boot
from USB.
So I've thought of booting the bsd.rd, but how? The FAQ explains the
procedure from an older OpenBSD operating system... I've Windows 2000 on it.

Is it possible? And if it is possible, in which way? Where must I put the
bsd.rd and in which way can I boot from it?


If all other booting possibilities were unavailable, I'd try this 
(though I cannot say for sure it'd work):


first:

BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP 
BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP


(well no, I would probably not, but it's strongly recommended)

and then,


- make room for bsd partition with e.g. Partition Magic.

- create a primary partition (of any type) to use for the OpenBSD 
install. You'll probably have to change the type to A6 in fdisk during 
the OpenBSD install.


- create a virtual machine in vmware that uses the physical disk and a 
virtual cdrom (with mounted installXX.iso). Install openbsd carefully TO 
THE FREE'D PARTITION ONLY - do NOT ``use the entire disk for openbsd''!


(Yes, this requires some fiddling with fdisk manually, but having a 
Windows tool creating the partition with the right offset and size helps 
a lot - then you only need to change the type).


- After the installation is done, copy the mbr (as per the FAQ mentioned 
earlier in the thread) to the windows machine via network, usb stick, 
whatever.


- Throw the mbr into 'C:\openbsd.mbr' and fix C:\boot.ini (FAQ too).

- Boot your favourite os

and don't forget:

BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP 
BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP BACKUP



cheers
/Alexander



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Jeremy Huiskamp

On 24-Oct-07, at 5:59 PM, L. V. Lammert wrote:

At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote:

You must be more qualified with regards to the actual code than I am
because I flat out don't believe this at all.


Believe what? OBSD is secure? I thought you were proud of the  
project? Sheesh! If our leader doesn't believe OBSD is secure, we  
ALL better be running for cover. Linux, anyone?


So you judge the security of the operating system by how many  
(possibly brash) risks its developers are willing to take with it?   
That's counter-intuitive.  If I'm looking for security, I'd rather  
get my software from a developer who isn't satisfied because (s)he is  
more likely to work harder to improve it and be much more careful  
while doing it.  If confidence is all that matters, then heck, let's  
get rid of all the privilege separation and other risk-minimizing  
techniques because you don't need them when your code is flawless, right?




sanely designed hardware?

2007-10-24 Thread Douglas A. Tutty
After enjoying the Xen thread, and the comments about the horrid mess
that is x86 hardware design, I'm wondering what hardware on which
OpenBSD will run _is_ well designed.

Who makes a hardware architecture that is open (enough) that OpenBSD can
run fully on it, that has good performance.  I'm assuming that it's not
COTS and so will cost more than x86.

Note that I'm not asking: who makes good hardware on which we can then
run Xen.  I'm talking about a solid piece of hardware on which to run
one and only one OpenBSD.

Doug.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Brian
Hi!

I think you are missing the point about x86 hardware being a mess.  Theo
made an excellent point about the architecture itself having so many
filthy quirks.  If a VM is compromised through any means, that attacker
can now leverage the dirty architecture to bypass the hypervisor's
(supposed) isolation techniques.  If the attacker can utilize the VM to
infiltrate the hypervisor, even more damage can be done.

The entire point is this:  You cannot increase security by putting more
things on one physical server.  You can run your different 'Application
Domains' on different physical servers.  That is much closer to security
than through obscurity.

-Brian

L. V. Lammert wrote:
 At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote:
 Certainly there is a small, compound risk increase due to multiple OS
  images involved, but the OS images must be analyzed independently
 FIRST,
  and THOSE risks addressed.

 Certainly you pulled that assessment out of your ass.

 I thought it was obvious, .. but I know you have better things on your
 mind. I DO mind you liking my ass, however - ain't gonna happen.

  **IF** OBSD were available as a host OS, that would be good security.

 You must be more qualified with regards to the actual code than I am
 because I flat out don't believe this at all.

 Believe what? OBSD is secure? I thought you were proud of the project?
 Sheesh! If our leader doesn't believe OBSD is secure, we ALL better be
 running for cover. Linux, anyone?

 If you're saying that OBSD will never be modified to run AS a XEN
 hypervisor, that's probably a true statement. No need to corrupt a
 decent OS with GPL s/w.

  If not, then security issues compound due to multiple guest OSs and
 each set
  of inherent vulnerabilities.

 security issues and protections do not add up like numbers.

 Sure they do. If I'm running Windoze as a guest OS, there are hundreds
 or thousands of possible vulnerabilities. If I'm running OBSD as a guest
 OS, guess what (I hope you don't have to??) - few to none. There is no
 way to 'compound threat [interaction]', but that doesn't detract from
 the basic truth - the lower the risk/number of vulnerabilities of the
 OS, the better off you are. As a corollary, you might also say that
 there is no way to improve the security of a server without improving
 the security of the OS.

  No matter how you twist the logic, however, a VM provides a good
 level of
  application domain security, from the standpoint that each set of
 domain
  users and applications can only see the services provided within that
  domain guest OS.

 The phrase application domain security is a cover-up statement that
 means I have already decided to run the multiple things on one box
 because I am cheap, and I need to invent reasons why I can continue
 doing so.

 Huh?? Do you know what an application domain is? Guess not - here's a
 definition:

 Application + Users + Access Method = Application Domain

 Examples: File/Print, httpd, DB, . . .

 The more discrete the security model (i.e. File/Print users are not
 valid on the httpd server) the better.

 Lee




Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Darrin Chandler
On Wed, Oct 24, 2007 at 05:44:37PM -0500, L. V. Lammert wrote:
 At 05:27 PM 10/24/2007 -0500, Tony Abernethy wrote:
 L. V. Lammert wrote:
 gibberish

 Wow, such intelligence. Now we get crap instead of ostrich logic. 
 Sheesh.

Actually, that's a fair assessment at this point.

Looking at what you've written, you seem to consider OpenBSD to be
pretty secure. By extension, let's assume the developers, and Theo in
particular, have some darned good knowledge about security and some
priorities in that regard. Then, when Theo and developers (and others in
this community) weigh in and tell you that virtualization is not more
secure, but less, you continue and continue.

As someone who doesn't know a great deal about virtualization, I can
tell you that you're not convincing me of anything with your arguments.
I feel confident in saying that you're not convincing any of the devs,
either. And I doubt you've done much for this cause with the list
members at large.

So what the hell are you doing? Just flaming now? Gave up trying to show
something and just trying to get a few jabs in?

As someone who reads this list and would like to know more about
virtualization, pros and cons, I ask you to put more actual meat into
your posts if you're going to continue. As it stands, gibberish fits
all too well.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: Problem with disk size

2007-10-24 Thread Nick Holland
Jon Sjöstedt wrote:
 Hello all!
 
 I have an OpenBSD-box with two 250G drives inside (and some SCSI). Trying
 to use one of the drives as a whole gave this from disklabel
 
 
 $ sudo disklabel -p g wd0
 [snip]

don't snip.

 16 partitions:
 #             size        offset  fstype [fsize bsize  cpg]
   c:        233.8G          0.0G  unused      0     0      # Cyl     0 - 486343
   d:        233.8G          0.0G  4.2BSD   2048 16384   16 # Cyl     0*- 486343*
 
 but df -h says:
 
 /dev/wd0d  7.8G7.4G4.2M   100%
 
 and I can't create any new files on the drive. What could be the problem
 here? Any hints appreciated.
 
 dmesg attached.

thanks for the dmesg.

You tried darned hard to obscure this (I really don't care how many G
your disk is, I care about which sectors you are using), but it does
appear that you opted to not properly partition your disk.  The fact
that you didn't show the output of fdisk causes me to believe you
knew it, though you may not have recognized the significance. ;)

Your OpenBSD subpartition appears to start at sector zero.  Bad idea.
This means, whether by design or by accident, you don't have an fdisk
partition table (aka, MBR) on the disk.  Also a bad idea.

On some platforms, i386 is one of them, you must use fdisk partitions,
and your disklabel partitions must start at a one track offset (in
your case, probably 63 sectors).

When you don't follow the rules, ugly things happen.  It isn't the
size of the disk, it's the way it's laid out that is giving you
problems.

See faq14.html...

Nick.

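A check for the layout problem Nick describes, as an added example that is not part of the thread: it parses the sector-based form of disklabel output (the sample label is constructed to mirror the poster's layout, with a 'd' partition at offset 0) and flags any partition that starts inside the first 63-sector track, where the MBR and fdisk table live.

```python
"""Sanity-check an OpenBSD disklabel for partitions that begin inside the
first track (sectors 0..62), the area occupied by the MBR and the fdisk
partition table.  Added example, not code from the thread."""
import re
import sys

TRACK_SECTORS = 63  # one track on a classic 63-sectors-per-track i386 disk

# Constructed sample in the sector-based form that `disklabel wd0` prints
# (the poster used -p g, which hides the offsets that matter here).
SAMPLE_LABEL = """\
16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  c:     490234752             0  unused      0     0      # Cyl     0 - 486343
  d:     490234752             0  4.2BSD   2048 16384   16 # Cyl     0*- 486343*
"""

# letter, size, offset, fstype; the trailing fields are not needed here
PART_RE = re.compile(r"^\s*([a-p]):\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_label(text):
    """Return {letter: (size, offset, fstype)} for every partition line."""
    parts = {}
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            letter, size, offset, fstype = m.groups()
            parts[letter] = (int(size), int(offset), fstype)
    return parts


def check_label(text, track=TRACK_SECTORS):
    """Return a list of problems (empty when the label looks sane).

    'c' is the whole-disk partition and is expected to start at sector 0;
    every other partition must start at or past the first track and must
    end within the disk."""
    parts = parse_label(text)
    if "c" not in parts:
        return ["no 'c' partition: cannot determine the disk size"]
    disk_sectors = parts["c"][0] + parts["c"][1]
    problems = []
    for letter, (size, offset, fstype) in sorted(parts.items()):
        if letter == "c":
            continue
        if offset < track:
            problems.append(
                f"{letter}: starts at sector {offset}, inside the first track (MBR area)")
        if offset + size > disk_sectors:
            problems.append(
                f"{letter}: ends at sector {offset + size}, past end of disk ({disk_sectors})")
    return problems


if __name__ == "__main__":
    # `disklabel wd0 | python3 check_label.py -` reads a real label from stdin;
    # without "-" the constructed sample is checked instead.
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_LABEL
    for line in check_label(text) or ["label looks sane"]:
        print(line)
```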


Re: new dell install completed, but...

2007-10-24 Thread Nick Holland
[EMAIL PROTECTED] wrote:
 all,
 
 I'm happy to read whatever I need to, in order to get this system
 running.  I come before this list humbly.  Please don't flame my ass
 with RTFMs :)
 
 I have a new Dell Optiplex 745 with an Intel Core 2 Duo.
 
 this system completed the install.  Now on boot it hangs after:
 wskbd1:  connecting to wsdisplay0
 
 the only issue I had during install was that the on-board nic would
 not grab a dhcp address - but the pci nic did.
 
 how can I troubleshoot this further?  I followed the FAQ for the
 install - and I've looked at the common issues after install.
 
 years ago I had an issue with a piece of hardware that I had to
 exclude.  but I don't recall how I got into that particular sub
 system to deactivate it.  Is there something I can do at the boot
 prompt?
 
 Humbly yours,
 
 Metajunkie
 

First, make sure you are trying a snapshot, not 4.1 or older.  If
you are using 4.2, still try a snapshot, a lot has happened since
4.2 already.  If that fixes your problem, you are done.  (the onboard
NIC problem is hinting to me that you are using an older version).

If that doesn't, the good news is since it installed with the bsd.rd
kernel but won't run GENERIC, it is probably just a matter of turning
the right device driver off.  GENERIC has more in it than bsd.rd does.

http://www.openbsd.org/faq/faq5.html#BootConfig  (see the next two
sections as well, which are also appropriate for you)

I don't recall if I ever installed OpenBSD on a 745.  Certainly did
a fair amount with a 620 (which worked fine).

Nick.



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Can Erkin Acar
L. V. Lammert [EMAIL PROTECTED] wrote:
  If not, then security issues compound due to multiple guest OSs and 
 each set
  of inherent vulnerabilities.

security issues and protections do not add up like numbers.
 
 Sure they do. If I'm running Windoze as a guest OS, there are hundreds or 
 thousands of possible vulnerabilities. If I'm running OBSD as a guest OS, 
 guess what (I hope you don't have to??) - few to none. There is no way to 
 'compound threat [interaction]', but that doesn't detract from the basic 
 truth - the lower the risk/number of vulnerabilities of the OS, the better 
 off you are. As a corollary, you might also say that there is no way to 
 improve the security of a server without improving the security of the OS.

This has *nothing* to do with VM security.

The issue with VM security is that:

1. if any guest is compromised, all guests and the host are in danger.
2. if any user or administrator of a guest is malicious, all guests and
the host are in danger.

This threat is NOT because of any possible interaction (network/services
etc.) between the guests and/or the host. It is because of a completely
different attack vector, the VM system. The 'virtual hardware' that *all*
host and guest OS systems implicitly trust to behave well can be subverted.

You should NEVER trust a virtual machine to properly isolate the guests.
It is a good approximation to having separate boxes, but it is NOT
a security barrier.


  No matter how you twist the logic, however, a VM provides a good level of
  application domain security, from the standpoint that each set of domain
  users and applications can only see the services provided within that
  domain guest OS.

The phrase application domain security is a cover-up statement that
means I have already decided to run the multiple things on one box
because I am cheap, and I need to invent reasons why I can continue
doing so.
 
 Huh?? Do you know what an application domain is? Guess not - here's a 
 definition:
 
 Application + Users + Access Method = Application Domain
 
 Examples: File/Print, httpd, DB, . . .
 
 The more discrete the security model (i.e. File/Print users are not valid 
 on the httpd server) the better.

What you try to describe in a somewhat clumsy and roundabout way
corresponds to moving different applications to their respective/isolated
machines.

This is actually a good thing to do for security. However, depending on the
applications and the interactions between them, you may sometimes end up
with a more complex/less secure architecture. But this is not the point.

What you fail to realize is that, when you try to implement this using a
VM system, you actually break the isolation. The fact that well behaved
applications and OS's work peacefully side by side under a VM setup DOES
NOT mean that a malicious program and/or user is not able to break that
isolation.

Consider a web application login form with an SQL injection vulnerability.
It validates the users and works perfectly fine 100% of the time, passes all
tests. Denies incorrect passwords etc. UNTIL one malicious user decides
to enter ' or 1=1;-- as his password.

In a VM system the security of the *entire* system depends on the
weakest link in only one of the OS's.

To continue your example, you can install as many OpenBSD guests as you
like. It takes one windows/linux whatever guest to break them all. That is
why the protections do not 'add up'.

Can

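The login-form example from the post above, as added code that is not from the thread: the same password check written with string concatenation and with bound parameters, run against an in-memory sqlite3 table with a constructed user (a real system would store a password hash, never the password itself).

```python
"""A login check that passes every normal test and still falls to the one
input named in the post, beside the parameterized form that does not.
Added example, not code from the thread; the user row is constructed."""
import sqlite3


def make_db():
    """Constructed sample table with a single user (plain text only so the
    example stays short; store a hash in real code)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def login_vulnerable(db, name, password):
    """Builds the statement by string formatting, so the password text
    becomes part of the SQL.  With the input from the post the WHERE clause
    turns into  name = '...' AND password = '' or 1=1  and the rest of the
    line is commented out, so a row is returned for any name."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, name, password):
    """Same query with bound parameters: the driver hands the password to
    the engine as data, never as SQL text, so the same input is simply a
    wrong password and no row matches."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1;--"
    print("vulnerable, valid password:  ", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injected password:", login_vulnerable(db, "nobody", payload))
    print("parameterized, injected:      ", login_parameterized(db, "nobody", payload))
```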

