Re: UEFI boot attempt on AM1 platform with logs (9/16 snapshot)

2015-09-22 Thread Brian Conway
> Can you try the diff following or
>
>   http://yasuoka.net/~yasuoka/BOOTX64.EFI
>
> ?  Then enter "machine memory" on "boot> " prompt and check the last line.
> It shows whether the memory area for kernel is free or not.  Like
>
>   Load address: Conventional(7) 0x for KB
>
> is good sign.

Great, thanks. I grabbed the binary.

machine memory:

http://i.imgur.com/gtiAIxc.jpg

Another boot attempt, with hang (hd0d is intentional):

http://i.imgur.com/tcVm4r6.jpg

>> boot> machine disk
>> DiskBIOS#   TypeCylsHeads   SecsFlags   Checksum
>> hd0 0x80label   956 64  32  0x2 0xe4afa028
>> hd1 0x81label   1023255 63  0x0 0x0
>> boot>
>
> Isn't this a result of BIOS boot?

Yes, my bad.

Thanks.

Brian



Re: Making IPv6 NAT prefer privacy address

2015-09-22 Thread Giancarlo Razzolini
Em 22-09-2015 15:06, Daniel Gillen escreveu:
> Hi
>
> I currently have the following rule to nat traffic out to the internet:
>
> match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)
>
> But this chooses from one of the configures addresses (using round-robin).
>
> Is there a way I can configure pf to prefer the privacy address (the one
> without my MAC in it)?
>
> Thx in advance
>
> Daniel
>
Nat on IPv6? Why? Also, if I'm not mistaken, if your card has a privacy
address, it will be the one used, but for connections originating from
the firewall itself. I'm not aware of any rule you could make that would
get you only the privacy address. I didn't read the code, but ($if_ext)
would give you the first address, IIRC. Which, in your case, is not the
privacy address. Also, you could check if your CPE (router) answers
DHCPv6 requests. If so, and if it follows RFC 7084, you could ask for an
IA_NA from it, and you'd get an address which is not the privacy
address, but also is not based on your MAC address.

Cheers,
Giancarlo Razzolini



Re: speedup shutdown

2015-09-22 Thread Joel Rees
2015/09/22 3:21 "Quartz" :
>>
>> The two daemons you refer to, treat SIGHUP as a "please re-read your
>> configuration files and restart".  This is semi-common.  This happens to
>> also be the two daemons you are testing this with, causing some
>> confusion.
>
>> Not everything, but some things will still be running.
>
> It wasn't just syslogd and sshd, -HUP also doesn't shut down any of the
> pflogd/dhclient/cron stuff either. The only process it actually stops is
> sndiod, all the others restart on their own.
>
>
>> After running commands #1, #3 and #5; almost everything should be
>> killed.  Command #1 should take care of the vast majority of daemons
>> started at boot; #3 and #5 are to catch the ones that aren't.
>
> Well, -TERM stops every PID I typed in (the four I didn't being init, two
> ksh's and ps itself), so I'm not sure where that leaves me. I guess it's
> some kind of timing thing or race condition?
>

I haven't tried this on openbsd, but I wrote a little tool for someone who
was fussing about debian taking too long to shut down:

http://joels-programming-fun.blogspot.jp/2014/08/this-is-demonstration-of-way-to.html

You'll probably want to tune some of it: you may not need the grep, and you
may want to change the timing. Just remember, writing to a file at shutdown
will interfere with the shutdown, especially if you use timing too fast to
finish one log entry before the next one starts. And you may want to
deliberately kill the process before the shutdown process does the final
sync.

And don't forget to remove things before you put the thing into production.

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.
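The exchange above is about which signal actually stops a daemon: SIGHUP is a reload for syslogd and sshd, SIGTERM stops them, and whatever ignores SIGTERM still has to be caught afterwards. The following is an added example, not Joel's tool and not anything posted in the thread: a POSIX sh helper that sends TERM, waits a grace period, then escalates to KILL and reports which pids needed it. The spawn_reaped helper is demo plumbing so that the constructed victims are reaped the moment they die (a zombie still answers kill -0); a real shutdown script would take its pids from ps or pgrep. The one-second polling interval and the victim commands are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the thread): stop a list of pids with SIGTERM,
# give them a grace period, then SIGKILL whatever is still alive.
# Liveness is probed with "kill -0", which also succeeds for a zombie, so
# pids handed to stop_pids must belong to processes that get reaped.

# stop_pids GRACE PID...: TERM each pid, poll once a second for up to GRACE
# seconds, KILL the survivors and print them. Returns 1 if something
# survived even SIGKILL (e.g. a process stuck in uninterruptible I/O).
stop_pids() {
    grace=$1; shift
    for p in "$@"; do kill -TERM "$p" 2>/dev/null || :; done
    i=0
    while :; do
        left=
        for p in "$@"; do
            kill -0 "$p" 2>/dev/null && left="${left:+$left }$p"
        done
        [ -z "$left" ] && return 0          # everything exited on TERM
        [ "$i" -ge "$grace" ] && break      # grace period used up
        sleep 1
        i=$((i + 1))
    done
    # SIGKILL cannot be caught or ignored; it is the last resort.
    for p in $left; do kill -KILL "$p" 2>/dev/null || :; done
    sleep 1
    echo "$left"                            # the pids that needed KILL
    for p in $left; do kill -0 "$p" 2>/dev/null && return 1; done
    return 0
}

# spawn_reaped CMD...: run CMD under a tiny reaper subshell and print its
# pid. The reaper's wait collects the child the moment it dies, so the pid
# disappears from "kill -0" promptly; demo plumbing, not part of the method.
spawn_reaped() {
    (
        "$@" >/dev/null 2>&1 &
        echo $!
        exec >/dev/null     # release the pipe so $(spawn_reaped ...) returns
        wait
    ) &
}

# Demo with constructed victims: one honours TERM, the other ignores it
# (an ignored signal disposition survives exec, as it would for a daemon
# that masks SIGTERM).
polite=$(spawn_reaped sleep 30)
stubborn=$(spawn_reaped sh -c 'trap "" TERM; exec sleep 30')
sleep 1
forced=$(stop_pids 2 "$polite" "$stubborn")
echo "needed SIGKILL: ${forced:-none}"
```

The grace period is the knob the thread is really discussing: too short and daemons that honour TERM but need a moment to flush get killed mid-write; too long and the shutdown waits on a process that was never going to exit.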



Making IPv6 NAT prefer privacy address

2015-09-22 Thread Daniel Gillen
Hi

I currently have the following rule to nat traffic out to the internet:

match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)

But this chooses from one of the configured addresses (using round-robin).

Is there a way I can configure pf to prefer the privacy address (the one
without my MAC in it)?

Thx in advance

Daniel

-- 
Unix _IS_ user friendly - it's just
selective about who its friends are!
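One way to get the effect Daniel asks for, as an added example that is not part of the thread or of pf itself: instead of the parenthesised ($if_ext), which leaves the choice among the interface's addresses to pf, name the privacy address explicitly in the rule and regenerate the rule when the address rotates. The script below parses ifconfig(8)-style output for the address carrying the privacy flag and prints the nat-to rule with that address. Assumptions: the flag is spelled autoconfprivacy (or temporary on newer releases; check your own ifconfig output), the interface names em0 and vr0 are made up, and the ifconfig output embedded in the script is constructed so that it runs offline.

```sh
#!/bin/sh
# Added example (not from the thread): pick the IPv6 privacy address of the
# external interface out of ifconfig(8) output and emit a nat-to rule that
# names it explicitly, instead of "nat-to ($if_ext)" which leaves the
# choice among the interface's addresses to pf.
# Assumption: the privacy address line carries the flag "autoconfprivacy"
# (older OpenBSD releases) or "temporary" (newer ones); confirm the
# spelling with "ifconfig $if_ext inet6" on your system.

# Constructed sample in the shape of "ifconfig em0 inet6" output, so the
# script runs offline; the addresses are documentation-range values.
SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1234:56ff:fe78:9abc%em0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:1::1234:56ff:fe78:9abc prefixlen 64 autoconf pltime 86382 vltime 604782
        inet6 2001:db8:1::a1b2:c3d4:e5f6:1 prefixlen 64 autoconf autoconfprivacy pltime 3582 vltime 7182'

# privacy_addr: read ifconfig output on stdin, print the first global
# inet6 address flagged as a privacy address; prints nothing if none.
privacy_addr() {
    awk '
        $1 == "inet6" && $2 !~ /^fe80:/ {
            for (i = 3; i <= NF; i++)
                if ($i == "autoconfprivacy" || $i == "temporary") {
                    print $2
                    exit
                }
        }'
}

# nat_rule EXT INT ADDR: the pf.conf line from the thread with the
# parenthesised interface replaced by an explicit source address.
nat_rule() {
    printf 'match out on %s inet6 from %s:network to any nat-to %s\n' "$1" "$2" "$3"
}

# On a real system: addr=$(ifconfig em0 inet6 | privacy_addr)
addr=$(printf '%s\n' "$SAMPLE" | privacy_addr)
if [ -z "$addr" ]; then
    echo "no privacy address on the interface; keep the round-robin rule" >&2
    exit 1
fi
nat_rule em0 vr0 "$addr"
# Because the privacy address rotates (see vltime above), the rule has to
# be regenerated and reloaded with pfctl -f whenever the address changes.
```

The trade-off is that the rule now has to be regenerated on every rotation, which is why the thread's round-robin rule is simpler even if it exposes the EUI-64 address.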



Re: update/upgrade

2015-09-22 Thread Patrick Dohman
> On Sep 20, 2015, at 9:36 PM, Quartz  wrote:
> 
>> Does your embedded storage run NOR/NAND or something like SDHC Memory
>> Cards?
>> 
>> If your systems are running SDHC you can easily create clones with a
>> laptop & the dd utility.
> 
> A couple of them do, but it doesn't matter in this case. The main issue with 
> compiling is that it can effectively knock the system offline for hours which 
> isn't acceptable. Any process that involves shutting the machine off or 
> booting into a separate OS image has the same problem.
> 
> It's just a question of minimizing downtime.
> 


Is it possible to upgrade via separate OS? Chroot into a new system, run 
sysmerge & voila?



dhclient broken on 2015-09-21 amd64 snapshot

2015-09-22 Thread Kurt Mosiejczuk
I just updated my current box to yesterday's (2015-09-21) snapshot.  Now
it won't keep a network address.

eisenhower# dhclient -d em0
DHCPREQUEST on em0 to 255.255.255.255
DHCPACK from 129.21.208.254 (d0:c2:82:f2:94:00)
SIOCAIFADDR failed (129.21.208.29): File exists
bound to 129.21.208.29 -- renewal in 5400 seconds.
Active address (129.21.208.29) deleted; exiting
eisenhower# ifconfig
lo0: flags=8049 mtu 32768
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff00
em0: flags=8843 mtu 1500
lladdr 00:1c:c4:1e:40:10
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
enc0: flags=0<>
priority: 0
groups: enc
status: active
pflog0: flags=141 mtu 33144
priority: 0
groups: pflog

I'm seeing a note on the current FAQ from the 12th indicating the
ifmedia options have been extended to 64 bits.  I'm seeing a change to
ifconfig in the tree for this, but I don't see a corresponding change to
dhclient in the tree (looking at cvsweb).  

Did the dhclient change get overlooked?  Am I doing something else
obviously wrong?

(dmesg below)

--Kurt

OpenBSD 5.8-current (GENERIC.MP) #1375: Mon Sep 21 20:01:15 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4135260160 (3943MB)
avail mem = 4005974016 (3820MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xeb920 (68 entries)
bios0: vendor Hewlett-Packard version "786E1 v01.16" date 08/17/2011
bios0: Hewlett-Packard HP Compaq dc7700 Small Form Factor
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC ASF! MCFG TCPA SLIC HPET
acpi0: wakeup devices COM1(S4) COM2(S4) PCI0(S4) PEG1(S4) IGBE(S4) PCX1(S4) 
PCX2(S4) HUB_(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) EUS1(S3) 
EUS2(S3) PBT
N(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz, 2660.32 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 265MHz
cpu0: mwait min=64, max=64, C-substates=0.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz, 2659.99 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 4MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpimcfg0 at acpi0 addr 0xf400, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG1)
acpiprt2 at acpi0: bus 32 (PCX1)
acpiprt3 at acpi0: bus -1 (PCX2)
acpiprt4 at acpi0: bus 7 (HUB_)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpicpu1 at acpi0: C1(@1 halt!), PSS
acpibtn0 at acpi0: PBTN
cpu0: Enhanced SpeedStep 2660 MHz: speeds: 2667, 2128, 1596 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82Q965 Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82Q965 Video" rev 0x02
intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0 at vga1
drm0 at inteldrm0
inteldrm0: 1024x768
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 82Q965 HECI" rev 0x02 at pci0 dev 3 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel ICH8 IGP AMT" rev 0x02: msi, address 
00:1c:c4:1e:40:10
uhci0 at pci0 dev 26 function 0 "Intel 82801H USB" rev 0x02: apic 1 int 20
uhci1 at pci0 dev 26 function 1 "Intel 82801H USB" rev 0x02: apic 1 int 21
ehci0 at pci0 dev 26 function 7 "Intel 82801H USB" rev 0x02: apic 1 int 22
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 82801H HD Audio" rev 0x02: msi
azalia0: codecs: Realtek ALC262
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801H PCIE" rev 0x02: msi
pci1 at ppb0 bus 32
uhci2 at pci0 dev 29 function 0 "Intel 82801H USB" rev 0x02: apic 1 int 20
uhci3 at pci0 dev 29 function 1 "Intel 82801H USB" rev 0x02: apic 1 int 21
ehci1 at pci0 dev 29 function 7 "Intel 82801H USB" rev 0x02: apic 1 int 20
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb1 at 

Re: console color

2015-09-22 Thread lists
> OK, thanks. After some searching based on this info and some messing 
> around, it looks like 'export TERM=ansi' and setting t_Co=8 will get me 
> limited colors in vim without screwing anything up.

Further to the excellent write-up by miod@, simply put, if you're on the x86
PC console any of these enables colors:

$ export TERM=wsvt25
$ export TERM=pccon

To confirm:

$ echo $TERM ; tput colors
$ tmux

These are defined in /etc/termcap

Hint: in the file search for (open|net)bsd|colou?r and Co#8|Co#256 for a
broader range of TERM capabilities.

For an understanding of what the definitions in /etc/termcap mean, you can
also reference:

$ man 5 terminfo
$ man 5 termcap

If you get sick of console colors and your eyes start hurting from dark
blue fg on black bg and other high/low contrast issues, just set it back
to vt220:

$ export TERM=vt220

Or even better, use xterm. In X you can use

$ export TERM=xterm-256color
$ export TERM=screen-256color # slant instead of reverse highlight
$ export TERM=tmux-256color

You could also set TERM in .profile testing whether you're on the PC
console or in X, and whether you're running an interactive shell and/or
a tmux session.
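The last paragraph suggests choosing TERM in .profile according to where the shell is running. The following is an added example, not part of the original post: a function that makes that decision from the tty name, DISPLAY and TMUX, and a check through tput that the chosen entry actually advertises colours before it is exported, so a misspelled or missing entry falls back to vt220 as the post recommends. Assumptions: wscons console ttys are named /dev/ttyC* (the OpenBSD naming), the entry names are the ones listed above, and tput accepts -T to query an entry other than the current one.

```sh
#!/bin/sh
# Added example (not from the post): pick a TERM for .profile from where
# the shell is running, and verify it with tput before exporting it.

# pick_term TTY DISPLAY TMUX: print the TERM to use.
#   inside tmux        -> tmux-256color
#   under X (DISPLAY)  -> xterm-256color
#   wscons PC console  -> wsvt25 (colour capable, per the post)
#   anything else      -> vt220 (safe default)
# Assumption: console ttys are /dev/ttyC* as on OpenBSD.
pick_term() {
    tty=$1 display=$2 tmux=$3
    if [ -n "$tmux" ]; then
        echo tmux-256color
    elif [ -n "$display" ]; then
        echo xterm-256color
    else
        case $tty in
        /dev/ttyC*) echo wsvt25 ;;
        *)          echo vt220 ;;
        esac
    fi
}

# term_colors NAME: number of colours the termcap/terminfo entry NAME
# advertises, or 0 when the entry is unknown (tput -T fails), tput is
# missing, or the entry is monochrome (tput prints -1).
term_colors() {
    n=$(tput -T "$1" colors 2>/dev/null) || n=0
    case $n in
    ''|*[!0-9]*) n=0 ;;
    esac
    echo "$n"
}

# choose_term TTY DISPLAY TMUX: pick_term, but fall back to vt220 when the
# preferred entry is not installed, so a bad TERM never reaches the shell.
choose_term() {
    t=$(pick_term "$1" "$2" "$3")
    if [ "$(term_colors "$t")" -gt 0 ] || [ "$t" = vt220 ]; then
        echo "$t"
    else
        echo vt220
    fi
}

# In .profile, for an interactive shell only, this would be:
#   case $- in *i*) TERM=$(choose_term "$(tty)" "$DISPLAY" "$TMUX"); export TERM ;; esac
echo "console: $(pick_term /dev/ttyC0 '' '')"
echo "X11:     $(pick_term /dev/ttyp0 :0.0 '')"
echo "tmux:    $(pick_term /dev/ttyp1 :0.0 /tmp/tmux-1000/default,1234,0)"
echo "here:    $(choose_term "$(tty 2>/dev/null)" "$DISPLAY" "$TMUX")"
```

The tput check is the part worth keeping even if the rest is replaced: "echo $TERM ; tput colors" from the post is the same test, run after the fact instead of before the export.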



Re: UEFI boot attempt on AM1 platform with logs (9/16 snapshot)

2015-09-22 Thread YASUOKA Masahiko
On Tue, 22 Sep 2015 14:20:22 -0500
Brian Conway  wrote:
>> Can you try the diff following or
>>
>>   http://yasuoka.net/~yasuoka/BOOTX64.EFI
>>
>> ?  Then enter "machine memory" on "boot> " prompt and check the last line.
>> It shows whether the memory area for kernel is free or not.  Like
>>
>>   Load address: Conventional(7) 0x for KB
>>
>> is good sign.
> 
> Great, thanks. I grabbed the binary.

Thanks,

> machine memory:
> 
> http://i.imgur.com/gtiAIxc.jpg

This picture shows

  Load address: Loader Data (2) 0xd0 for 4096KB FATAL

This is what I want to know.  0xd0 + 4M is overlapping the kernel
area.

I think the following diff or

  http://yasuoka.net/~yasuoka/BOOTX64.EFI
  (updated)

will fix the problem.

Index: sys/arch/amd64/stand/efiboot/Makefile.common
===
RCS file: /disk/cvs/openbsd/src/sys/arch/amd64/stand/efiboot/Makefile.common,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 Makefile.common
--- sys/arch/amd64/stand/efiboot/Makefile.common2 Sep 2015 01:52:25 
-   1.1
+++ sys/arch/amd64/stand/efiboot/Makefile.common23 Sep 2015 02:45:52 
-
@@ -7,6 +7,8 @@ EFIDIR= ${.CURDIR}/../../efi
 OBJCOPY?=  objcopy
 OBJDUMP?=  objdump
 
+EFI_HEAP_LIMIT=0xc0
+
 LDFLAGS+=  -nostdlib -T${.CURDIR}/../${LDSCRIPT} -Bsymbolic -shared
 
 COPTS+=-DEFIBOOT -DNEEDS_HEAP_H -DLINKADDR=${LINKADDR} 
-I${.CURDIR}/..
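Review bot: the new EFI_HEAP_LIMIT is a bare magic address assigned with `=` and no comment, right under OBJCOPY?= and OBJDUMP?= which are overridable; since its whole purpose is to keep the loader heap below the kernel load area, give it a one-line comment saying so, make it `?=` so a test build can move it, and consider deriving it from LINKADDR, which this same file already passes to the compiler as -DLINKADDR=${LINKADDR}, rather than keeping two unrelated literals that must agree.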
@@ -65,6 +67,7 @@ ${PROG}: ${PROG.so}
 .include 
 CFLAGS+=   -Wno-pointer-sign
 CPPFLAGS+= -DSMALL -DSLOW -DNOBYFOUR -D__INTERNAL_LIBSA_CREAD
+CPPFLAGS+= -DHEAP_LIMIT=${EFI_HEAP_LIMIT}
 
 ${PROG.so}: ${OBJS}
${LD} ${LDFLAGS} -o ${.TARGET}.tmp ${OBJS} ${LDADD}
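Review bot: `CPPFLAGS+= -DHEAP_LIMIT=${EFI_HEAP_LIMIT}` makes HEAP_LIMIT a hard requirement of efiboot.c, which uses it unconditionally, so any build that does not go through this fragment fails on an undeclared identifier; a `#ifndef HEAP_LIMIT` default in the source, with the old "below kernel base" constant as the fallback, keeps the file self-contained. The generic name is also risky: this build already passes -DNEEDS_HEAP_H for libsa's allocator, whose own heap bound macro is spelled the same way, so passing the Makefile's EFI_HEAP_LIMIT name through unchanged avoids a silent collision.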
Index: sys/arch/amd64/stand/efiboot/efiboot.c
===
RCS file: /disk/cvs/openbsd/src/sys/arch/amd64/stand/efiboot/efiboot.c,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 efiboot.c
--- sys/arch/amd64/stand/efiboot/efiboot.c  3 Sep 2015 09:22:40 -   
1.3
+++ sys/arch/amd64/stand/efiboot/efiboot.c  23 Sep 2015 02:45:53 -
@@ -42,7 +42,7 @@ EFI_RUNTIME_SERVICES  *RS;
 EFI_HANDLE  IH, efi_bootdp = NULL;
 EFI_PHYSICAL_ADDRESSheap;
 EFI_LOADED_IMAGE   *loadedImage;
-UINTN   heapsiz = 3 * 1024 * 1024;
+UINTN   heapsiz = 1 * 1024 * 1024;
 UINTN   mmap_key;
 static EFI_GUID imgdp_guid = { 0xbc62157e, 0x3e33, 0x4fec,
  { 0x99, 0x20, 0x2d, 0x3b, 0x36, 0xd7, 0x50, 0xdf }};
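Review bot: cutting heapsiz from 3 MiB to 1 MiB is a behavioural change with no comment or rationale in the hunk, and nothing visible checks that 1 MiB covers the loader's allocations, so an overflow now surfaces later as a heap-full failure in the allocator rather than at this line; state why 1 MiB is enough (or keep the size and only lower the address), and have "machine memory" print both the heap base and its size so a report like the one above can be matched against them.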
@@ -199,7 +199,7 @@ efi_heap_init(void)
 {
EFI_STATUS   status;
 
-   heap = 0x100;   /* Below kernel base address */
+   heap = HEAP_LIMIT;
status = EFI_CALL(BS->AllocatePages, AllocateMaxAddress, EfiLoaderData,
EFI_SIZE_TO_PAGES(heapsiz), );
if (status != EFI_SUCCESS)
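Review bot: `heap = HEAP_LIMIT;` drops the only explanation the old line carried (`/* Below kernel base address */`); keep a comment stating that AllocateMaxAddress takes this value as the highest address the allocation may reach, so the whole heap lands below HEAP_LIMIT, and why that limit sits under the kernel load area. The error path visible here is just `if (status != EFI_SUCCESS)`; whatever follows should print the limit, the requested page count and the EFI status, since that is exactly the information this thread had to reconstruct from screenshots.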



Re: doas and home directory of target user

2015-09-22 Thread Joel Rees
Ahem. Dmesg below. (Sorry about that.)

On Wed, Sep 23, 2015 at 8:29 AM, Joel Rees  wrote:
> Thank you, Dan, Ben, and Frank. I see that I have left out some
> important information:
>
> user2 is specified as a non-login class of user in /etc/login.conf,
> auth=reject: shell=/sbin/nologin, and has a default shell of
> /sbin/nologin in /etc/passwd .
>
> On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees  wrote:
>> I have this rule in doas.conf:
>>
>> permit nopass user1 as user2
>>
>> As user1, I try this at the command line:
>>
>> doas -u user2 whoami
>>
>> and it tells me I am user2, as I expect. And
>>
>>doas -u user2 ls
>>
>> tells me I don't have permission. I kind of expect this.
>>
>> I'm looking for a way to do the equivalent of
>>
>> sudo -u user2 -s "cd; ls"
>>
>> I don't see a way to do this with doas, at least not without a short
>> intermediary script, which script is not going to be able to do cd ~/.
>>
>> Should I assume that doas is not intended to do this sort of thing?
>
> With this intermediary script:
>
> #! /bin/sh
> export USER=user2
> . /etc/ksh.kshrc
> printenv
> ls
>
> I get
>
> MAIL=/var/mail/user1
> LOGNAME=user1
> HOME=/home/classU/user1
> 
> PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
> DISPLAY=:0.0
> TERM=xterm
> USER=user2
> ls: .: Permission denied
>
> Which, I guess, does surprise me.
>
>> (And therefore [I should] do things "right" by setting up ssh with public-key
>> authentication to do the user switch?)
>
> Which would also require enabling login for user2. (I tried this
> without thinking yesterday.)
>
>> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
>> )
>
> Would this also require enabling login?

-- 
Joel Rees

---
OpenBSD 5.8-current (GENERIC.MP) #1367: Sat Sep 12 14:59:55 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1835790336 (1750MB)
avail mem = 1776250880 (1693MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP UEFI HPET APIC MCFG ASF! BOOT FPDT MSDM SSDT
SSDT SSDT SSDT SSDT
acpi0: wakeup devices GPP0(S5) GPP1(S4) OHC1(S3) OHC2(S3) OHC3(S3)
EHC1(S3) EHC2(S3) EHC3(S3) XHC0(S4) AWAD(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD A4-1200 APU with Radeon(TM) HD Graphics, 998.27 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD A4-1200 APU with Radeon(TM) HD Graphics, 998.13 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 1MB
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 21, 24 pins
ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 21, 32 pins
ioapic1: misconfigured as apic 0, remapped to apid 5
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (GPP0)
acpiprt2 at acpi0: bus 5 (GPP1)
acpiprt3 at acpi0: bus -1 (GPP2)
acpiprt4 at acpi0: bus -1 (GPP3)
acpiprt5 at acpi0: bus -1 (GFX_)
acpiec0 at acpi0
acpicpu0 at acpi0: !C2(0@400 io@0x414), C1(@1 halt!), PSS
acpicpu1 at acpi0: !C2(0@400 io@0x414), C1(@1 halt!), PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 118 degC
acpibtn0 at acpi0: PWRB
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "Primary" serial 43346 03/09/2014 type
LIon oem "Hewlett-Packard"
acpibtn1 at acpi0: LID_
acpivideo0 at acpi0: VGA_
acpivideo1 at acpi0: VGA_
cpu0: 998 MHz: speeds: 1000 900 800 700 600 

Re: doas and home directory of target user

2015-09-22 Thread Joel Rees
Thank you, Dan, Ben, and Frank. I see that I have left out some
important information:

user2 is specified as a non-login class of user in /etc/login.conf,
auth=reject: shell=/sbin/nologin, and has a default shell of
/sbin/nologin in /etc/passwd .

On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees  wrote:
> I have this rule in doas.conf:
>
> permit nopass user1 as user2
>
> As user1, I try this at the command line:
>
> doas -u user2 whoami
>
> and it tells me I am user2, as I expect. And
>
>doas -u user2 ls
>
> tells me I don't have permission. I kind of expect this.
>
> I'm looking for a way to do the equivalent of
>
> sudo -u user2 -s "cd; ls"
>
> I don't see a way to do this with doas, at least not without a short
> intermediary script, which script is not going to be able to do cd ~/.
>
> Should I assume that doas is not intended to do this sort of thing?

With this intermediary script:

#! /bin/sh
export USER=user2
. /etc/ksh.kshrc
printenv
ls

I get

MAIL=/var/mail/user1
LOGNAME=user1
HOME=/home/classU/user1

PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
DISPLAY=:0.0
TERM=xterm
USER=user2
ls: .: Permission denied

Which, I guess, does surprise me.

> (And therefore [I should] do things "right" by setting up ssh with public-key
> authentication to do the user switch?)

Which would also require enabling login for user2. (I tried this
without thinking yesterday.)

> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> )

Would this also require enabling login?

-- 
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html



Re: ugen0 instead of urtwn0

2015-09-22 Thread Fred

On 09/22/15 06:52, Thuban wrote:
> > Grab relevant
> >
> > src/sys/dev/usb/if_urtwn.c
> > sys/dev/usb/usbdevs
> >
> > from CVS, then cd sys/dev/usb && make, then rebuild/install kernel
> > as described in FAQ.
>
> I rebuilt and installed the kernel without any error, but still, the usb
> stick isn't detected as urtwn.
>
> What did I do wrong :
>
>  # cd /usr
>  # export CVSROOT=anon...@anoncvs.fr.openbsd.org:/cvs
>  # cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src
>  # cd //usr/src/sys/dev
>  # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/usbdevs
>  # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/if_urtwn.c
>  # # rebuild/install kernel
>
> --
> Thuban


Hi

dmesg(8) and usbdevs(8) -v output would be useful.

Cheers

Fred



doas and home directory of target user

2015-09-22 Thread Joel Rees
I have this rule in doas.conf:

permit nopass user1 as user2

As user1, I try this at the command line:

doas -u user2 whoami

and it tells me I am user2, as I expect. And

   doas -u user2 ls

tells me I don't have permission. I kind of expect this.

I'm looking for a way to do the equivalent of

sudo -u user2 -s "cd; ls"

I don't see a way to do this with doas, at least not without a short
intermediary script, which script is not going to be able to do cd ~/.

Should I assume that doas is not intended to do this sort of thing?

(And therefore do things "right" by setting up ssh with public-key
authentication to do the user switch?)

(Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
)

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.



Re: SR RAID5 rebuild/stability issue.

2015-09-22 Thread Karel Gardas
On Tue, Sep 22, 2015 at 3:20 AM, Chris Cappuccio  wrote:
> Karel Gardas [gard...@gmail.com] wrote:
>>
>> Let me ask, should SR RAID5 survive such testing or is for example
>> rebuilding with off-lined drive considered unsupported feature?
>>
>
> It's new, considered experimental and not well tested.

OK so I'll omit this from my testing.

> Are you working with someone to bring your RAID1 changes in tree? The
> complete, understood improvements should be individually labeled
> and committed, one by one.

So far on tech@ I was merely ignored, but this is probably due to the
fact that I posted patches[1][2][3] clearly marked as a
work-in-progress. Once the patch is complete I will offer my view how
it may be divided and perhaps discussion will start...

[1] https://www.mail-archive.com/tech@openbsd.org/msg25388.html
[2] https://www.mail-archive.com/tech@openbsd.org/msg25419.html
[3] https://www.mail-archive.com/tech@openbsd.org/msg25716.html



Re: ugen0 instead of urtwn0

2015-09-22 Thread Kimmo Paasiala
On Tue, Sep 22, 2015 at 8:52 AM, Thuban  wrote:
>> Grab relevant
>>
>> src/sys/dev/usb/if_urtwn.c
>> sys/dev/usb/usbdevs
>>
>> from CVS, then cd sys/dev/usb && make, then rebuild/install kernel
>> as described in FAQ.
>>
> I rebuilt and installed the kernel without any error, but still, the usb
> stick isn't detected as urtwn.
>
> What did I do wrong :
>
> # cd /usr
> # export CVSROOT=anon...@anoncvs.fr.openbsd.org:/cvs
> # cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src


You don't want to do this if you're going to check out src/sys/*; the
two cvs(1) commands below will create /usr/src/sys/dev/src/sys/dev/*
instead of updating /usr/src/sys/dev/* as intended.
> # cd //usr/src/sys/dev


> # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/usbdevs
> # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/if_urtwn.c


> # # rebuild/install kernel
>
> --
> Thuban
> PubKey : http://yeuxdelibad.net/Divers/thuban.pub
>

-Kimmo



Re: solved qemu tap

2015-09-22 Thread Tuyosi Takesima
as homework

                    install          run
CorePlus-5.1-ja     OK (by cdrom)    X OK
puppy precise571    fail


perhaps debian should be run as CUI (character base) on a slow machine .

 is very attractive except for its slowness .
in this virtual space we develop defending power against evil crackers


Re: ugen0 instead of urtwn0

2015-09-22 Thread Thuban
> > I rebuilt and installed the kernel without any error, but still, the usb
> > stick isn't detected as urtwn.
> >
> > What did I do wrong :
> >
> > # cd /usr
> > # export CVSROOT=anon...@anoncvs.fr.openbsd.org:/cvs
> > # cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src
>
>
> You don't want to do this if you're going to checkout src/sys/*, the
> two cvs(1) commands below will
> create /usr/src/sys/dev/src/sys/dev/* instead of updating
> /usr/src/sys/dev/* as intended.
> > # cd //usr/src/sys/dev
>
>
> > # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/usbdevs
> > # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/if_urtwn.c

Right, files were in the wrong place. Thanks.
I tried to rebuild the kernel with usbdevs and if_urtwn.c in the correct
place, but now the build fails.

In if_urtwn.c, there are undeclared variables :

if_urtwn.c:3556: error: 'R88E_HIMRE_TXERR' undeclared (first use in
this function)
... #you know the song

I guess some file is missing, of course, because mixing 5.7 and 5.8
couldn't work like that.

Here are dmesg and usbdevs -v as requested :

dmesg :

OpenBSD 5.7-stable (GENERIC.MP) #1: Tue Sep 22 07:41:56 CEST 2015
r...@openbsd.my.domain:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2128605184 (2029MB)
avail mem = 2068082688 (1972MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0450 (76 entries)
bios0: vendor Dell Inc. version "2.2.0" date 03/29/2007
bios0: Dell Inc. OptiPlex 745
acpi0 at bios0: rev 2
acpi0: TCPA checksum error
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET TCPA SLIC
acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI4(S5) PCI2(S5) PCI3(S5)
PCI1(S5) PCI5(S5) PCI6(S5) MOU_(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3)
USB4(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz, 1862.22 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF
cpu0: 2MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 266MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz, 1862.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF
cpu1: 2MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 4 (PCI4)
acpiprt1 at acpi0: bus 2 (PCI2)
acpiprt2 at acpi0: bus -1 (PCI3)
acpiprt3 at acpi0: bus 1 (PCI1)
acpiprt4 at acpi0: bus 3 (PCI5)
acpiprt5 at acpi0: bus -1 (PCI6)
acpiprt6 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: VBTN
memory map conflict 0x7fe03c00/0x1fc400
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82Q965 Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82Q965 PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVIDIA GeForce 210" rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci1 dev 0 function 1 vendor "NVIDIA", unknown product 0x0be3
rev 0xa1: msi
azalia0: no supported codecs
uhci0 at pci0 dev 26 function 0 "Intel 82801H USB" rev 0x02: apic 8 int
16
uhci1 at pci0 dev 26 function 1 "Intel 82801H USB" rev 0x02: apic 8 int
17
ehci0 at pci0 dev 26 function 7 "Intel 82801H USB" rev 0x02: apic 8 int
22
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia1 at pci0 dev 27 function 0 "Intel 82801H HD Audio" rev 0x02: msi
azalia1: codecs: Analog Devices AD1983
audio0 at azalia1
ppb1 at pci0 dev 28 function 0 "Intel 82801H PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 4 "Intel 82801H PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
bge0 at pci3 dev 0 function 0 "Broadcom BCM5754" rev 0x02, BCM5754/5787 A2
(0xb002): msi, address 00:19:b9:2f:0a:50
brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev. 0
uhci2 at pci0 dev 29 function 0 "Intel 82801H USB" rev 0x02: apic 8 int
23
uhci3 at pci0 dev 29 function 1 "Intel 82801H USB" rev 0x02: apic 8 int
17

Re: ugen0 instead of urtwn0

2015-09-22 Thread Stefan Sperling
On Mon, Sep 21, 2015 at 11:14:22AM +0200, Thuban wrote:
> Hi,
> I have a usb wifi dongle supposed to work with urtwn firmware.
> usbdevs returns WNA 1000Mv2 Netgear listed here [0]
> 
> But the device is detected as ugen.
> 
> How can I fix this?

This device was added to -current after 5.8.
It will work out of the box in OpenBSD 5.9.

The easiest way to get support for it is to use snapshots (i.e. -current).
See the "Snapshots" section in http://www.openbsd.org/faq/faq5.html#Flavors

You can try to get it to work with 5.7 but this might not work.
Getting this device to work on 5.8 (to be released on Oct 18) should be
possible using the steps below.

Starting with pristine OpenBSD 5.8 kernel source (or 5.7, if you want to
try your luck), add the line

product NETGEAR WNA1000Mv2  0x9043  WNA1000Mv2

somewhere in the file /usr/src/sys/dev/usb/usbdevs

as shown here:

===
RCS file: /cvs/src/sys/dev/usb/usbdevs,v
retrieving revision 1.654
retrieving revision 1.655
diff -u -r1.654 -r1.655
--- src/sys/dev/usb/usbdevs 2015/07/15 13:25:49 1.654
+++ src/sys/dev/usb/usbdevs 2015/08/22 15:10:19 1.655
@@ -3135,6 +3135,7 @@
 product NETGEAR WNA11000x9030  WNA1100
 product NETGEAR WNA10000x9040  WNA1000
 product NETGEAR WNA1000M   0x9041  WNA1000M
+product NETGEAR WNA1000Mv2 0x9043  WNA1000Mv2
 
 /* Netgear(2) products */
 product NETGEAR2 MA101 0x4100  MA101
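Review bot: the entry for 0x9043 sits next to WNA1000M at 0x9041 with 0x9042 unaccounted for; that is fine if it is what the hardware reports, but this thread is still waiting for the requester's usbdevs -v output, so the id should be confirmed from the device before a kernel is built around it. Worth saying in the mail, too, that usbdevs is a source list and usbdevs.h / usbdevs_data.h are generated from it, so this hunk on its own changes no compiled code until the `make` step below has run.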


Now run 

  $ cd /usr/src/sys/dev/usb/
  $ make

to re-create the USB device list header files usbdevs.h and usbdevs_data.h.

Next, add the line

{ USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000Mv2 },

to /usr/src/sys/dev/usb/if_urtwn.c somewhere in the driver's ID table,
as shown here:

===
RCS file: /cvs/src/sys/dev/usb/if_urtwn.c,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- src/sys/dev/usb/if_urtwn.c  2015/06/12 15:47:31 1.48
+++ src/sys/dev/usb/if_urtwn.c  2015/08/22 15:19:33 1.49
@@ -110,6 +110,7 @@
{ USB_VENDOR_IODATA,USB_PRODUCT_IODATA_WNG150UM },
{ USB_VENDOR_IODATA,USB_PRODUCT_IODATA_RTL8192CU },
{ USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000M },
+   { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000Mv2 },
{ USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_RTL8192CU },
{ USB_VENDOR_NETGEAR4,  USB_PRODUCT_NETGEAR4_RTL8188CU },
{ USB_VENDOR_NETWEEN,   USB_PRODUCT_NETWEEN_RTL8192CU },
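Review bot: the new `{ USB_VENDOR_NETGEAR, USB_PRODUCT_NETGEAR_WNA1000Mv2 }` line only compiles against a regenerated usbdevs.h, where that macro is defined, so an "undeclared" error on it means the `make` in sys/dev/usb was skipped; and the entry is a pure id match that says nothing about which Realtek chip the dongle carries, so the commit message should name the chip, making clear the match was verified on hardware rather than inferred from the product name.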

Now compile a new kernel and install it.

For more information on the steps involved in compiling the kernel,
see http://www.openbsd.org/faq/faq5.html#Bld and in particular this
section: http://www.openbsd.org/faq/faq5.html#BldKernel
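Before following the steps above on a device of your own, it helps to check whether the vendor:product pair usbdevs(8) reports is already known to the tree and to the driver. The following is an added example, not part of Stefan's mail or of the OpenBSD tree: a POSIX sh check over excerpts in the format of sys/dev/usb/usbdevs and of the urtwn(4) ID table. The excerpts, the usbdevs -v style device line and the Netgear vendor id 0x0846 are constructed for this example and should be replaced by the real file contents and real usbdevs -v output; the device-line layout "product(0xPPPP), vendor(0xVVVV)" follows what usbdevs -v prints. With the excerpts as given, the v2 dongle comes out as "listed-not-in-driver", the state between the first and the second hunk above.

```sh
#!/bin/sh
# Added example, not from the thread or the OpenBSD tree: answer "is my
# dongle's vendor:product in sys/dev/usb/usbdevs, and does if_urtwn.c list
# it?" from a usbdevs(8) -v device line. Everything below is a constructed
# stand-in; on a real system read the files and run usbdevs -v instead.

# Constructed excerpt in the format of sys/dev/usb/usbdevs (assumption:
# Netgear's vendor id is 0x0846; check the real file).
USBDEVS='vendor NETGEAR	0x0846	Netgear
product NETGEAR WNA1000M	0x9041	WNA1000M
product NETGEAR WNA1000Mv2	0x9043	WNA1000Mv2'

# Constructed excerpt of the driver ID table in if_urtwn.c.
URTWN_IDS='	{ USB_VENDOR_NETGEAR,	USB_PRODUCT_NETGEAR_WNA1000M },
	{ USB_VENDOR_NETGEAR,	USB_PRODUCT_NETGEAR_RTL8192CU },'

# Constructed line in the shape of "usbdevs -v" output for the dongle.
USBDEVS_V='  port 2 addr 3: high speed, power 500 mA, config 1, 802.11n WLAN Adapter(0x9043), Realtek(0x0846), rev 2.00'

# vendor_sym VID: symbolic vendor name for a hex vendor id, from USBDEVS.
vendor_sym() {
    printf '%s\n' "$USBDEVS" |
        awk -v id="$1" '$1 == "vendor" && tolower($3) == tolower(id) { print $2; exit }'
}

# product_sym VENDORSYM PID: symbolic product name for a vendor/product pair.
product_sym() {
    printf '%s\n' "$USBDEVS" |
        awk -v v="$1" -v id="$2" '$1 == "product" && $2 == v && tolower($4) == tolower(id) { print $3; exit }'
}

# ids_from_usbdevs_v LINE: print "VID PID" from a usbdevs -v device line,
# which prints product(0xPPPP) before vendor(0xVVVV).
ids_from_usbdevs_v() {
    printf '%s\n' "$1" |
        sed -n 's/.*(\(0x[0-9a-fA-F]*\)), [^(]*(\(0x[0-9a-fA-F]*\)).*/\2 \1/p'
}

# driver_has VENDORSYM PRODUCTSYM: succeed if the ID table lists the pair.
driver_has() {
    printf '%s\n' "$URTWN_IDS" |
        grep -q "USB_VENDOR_$1,[[:space:]]*USB_PRODUCT_$1_$2 }"
}

# check_device LINE: print one of unparsable-line, unknown-vendor,
# unknown-product, listed-not-in-driver or supported; the exit status
# mirrors the verdict (0 only for "supported").
check_device() {
    set -- $(ids_from_usbdevs_v "$1")
    [ $# -eq 2 ] || { echo unparsable-line; return 4; }
    vid=$1; pid=$2
    v=$(vendor_sym "$vid");       [ -n "$v" ] || { echo unknown-vendor; return 1; }
    p=$(product_sym "$v" "$pid"); [ -n "$p" ] || { echo unknown-product; return 2; }
    driver_has "$v" "$p"                      || { echo listed-not-in-driver; return 3; }
    echo supported
}

check_device "$USBDEVS_V" || echo "exit status $?"
```

Each verdict maps to one of the steps in the mail: unknown-product means the usbdevs line is still missing, listed-not-in-driver means the if_urtwn.c entry is, and supported means a plain kernel rebuild is all that is left.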



Re: UEFI boot attempt on AM1 platform with logs (9/16 snapshot)

2015-09-22 Thread YASUOKA Masahiko
Hi,

On Thu, 17 Sep 2015 20:47:22 -0500
Brian Conway  wrote:
> The NUC 2820 I was previously testing snapshots with has moved on to a
> better place (and lacked any meaningful serial console support), but
> here are some logs from an MSI AM1I motherboard, both the attempted
> UEFI boot and the successful BIOS boot. It also appears to hang during
> kernel load. Let me know if I can provide any more info.

Can you try the following diff, or

  http://yasuoka.net/~yasuoka/BOOTX64.EFI

?  Then enter "machine memory" at the "boot> " prompt and check the last line.
It shows whether the memory area for the kernel is free or not.  Something like

  Load address: Conventional(7) 0x for KB

is a good sign.

> Side note: Is com0 console not yet supported by EFIBOOT? I got an error
> along those lines when attempting 'set tty com0', I assume this is
> already known.

No, it's not supported yet.

> boot> machine disk
> DiskBIOS#   TypeCylsHeads   SecsFlags   Checksum
> hd0 0x80label   956 64  32  0x2 0xe4afa028
> hd1 0x81label   1023255 63  0x0 0x0
> boot>

Isn't this a result of BIOS boot?

Index: sys/arch/amd64/stand/efiboot/efiboot.c
===
RCS file: /disk/cvs/openbsd/src/sys/arch/amd64/stand/efiboot/efiboot.c,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 efiboot.c
--- sys/arch/amd64/stand/efiboot/efiboot.c  3 Sep 2015 09:22:40 -   
1.3
+++ sys/arch/amd64/stand/efiboot/efiboot.c  22 Sep 2015 10:35:40 -
@@ -193,6 +193,7 @@ next:
  * Memory
  ***/
 bios_memmap_t   bios_memmap[64];
+static int  efi_badloadaddr = 0;
 
 static void
 efi_heap_init(void)
@@ -224,6 +225,8 @@ efi_memprobe(void)
printf("%uK", bm->size / 1024);
}
}
+   if (efi_badloadaddr)
+   printf(" BAD");
printf("]");
 }
 
@@ -233,9 +236,10 @@ efi_memprobe_internal(void)
EFI_STATUS   status;
UINTNmapkey, mmsiz, siz;
UINT32   mmver;
+   UINT64   pend;
EFI_MEMORY_DESCRIPTOR   *mm0, *mm;
int  i, n;
-   bios_memmap_t*bm, bm0;
+   bios_memmap_t   *bm, bm0;
 
cnvmem = extmem = 0;
bios_memmap[0].type = BIOS_MAP_END;
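Review bot: the `-`/`+` pair on the `bios_memmap_t *bm, bm0;` declaration is a whitespace-only change unrelated to the load-address check; drop it so the hunk carries only the added `UINT64 pend;` and the diff stays minimal and easy to audit.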
@@ -255,6 +259,11 @@ efi_memprobe_internal(void)
bm0.type = BIOS_MAP_END;
bm0.addr = mm->PhysicalStart;
bm0.size = mm->NumberOfPages * EFI_PAGE_SIZE;
+   pend = mm->PhysicalStart + mm->NumberOfPages * EFI_PAGE_SIZE;
+   if (!(pend <= 0x100 || 0x200 < mm->PhysicalStart) &&
+   mm->Type != EfiConventionalMemory)
+   efi_badloadaddr = 1;
+
if (mm->Type == EfiReservedMemoryType ||
mm->Type == EfiUnusableMemory ||
mm->Type == EfiRuntimeServicesCode ||
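Review bot: the new check in the descriptor loop hard-codes the kernel load window as bare `0x100` / `0x200` constants with no comment, and `pend` recomputes what `bm0.addr + bm0.size` already holds two lines above; give the window a named macro (the same bounds are needed again by the `machine memory` command) and reuse the fields already filled in. Note also that `efi_badloadaddr` is only set when a non-conventional descriptor overlaps the window, so a window that is simply not covered by any descriptor (a hole in the map) would still report as good; if that is intended, say so in a comment, otherwise track coverage as well as type.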
@@ -614,5 +623,49 @@ int
 Xpoweroff_efi(void)
 {
EFI_CALL(RS->ResetSystem, EfiResetShutdown, EFI_SUCCESS, 0, NULL);
+   return (0);
+}
+
+int
+Xmemory_efi(void)
+{
+   EFI_STATUS   status;
+   UINTNmapkey, mmsiz, siz;
+   UINT32   mmver;
+   UINT64   pend;
+   EFI_MEMORY_DESCRIPTOR   *mm0, *mm;
+   int  i, n;
+   const char  *typestr;
+
+   siz = 0;
+   status = EFI_CALL(BS->GetMemoryMap, , NULL, , ,
+   );
+   if (status != EFI_BUFFER_TOO_SMALL)
+   panic("cannot get the size of memory map");
+   mm0 = alloc(siz);
+   status = EFI_CALL(BS->GetMemoryMap, , mm0, , , );
+   if (status != EFI_SUCCESS)
+   panic("cannot get the memory map");
+   n = siz / mmsiz;
+   mmap_key = mapkey;
+
+   for (i = 0, mm = mm0; i < n; i++, mm = NextMemoryDescriptor(mm, mmsiz)){
+   pend = mm->PhysicalStart + mm->NumberOfPages * EFI_PAGE_SIZE;
+   if (pend <= 0x100 || 0x200 < mm->PhysicalStart)
+   continue;
+   typestr = 
+   (mm->Type == EfiLoaderCode)? "Loader Code " :
+   (mm->Type == EfiLoaderData)? "Loader Data " :
+   (mm->Type == EfiBootServicesCode)? "BS Code " :
+   (mm->Type == EfiBootServicesData)? "BS Data " :
+   (mm->Type == EfiConventionalMemory)? "Conventional" :
+   "Other";
+   printf("Load address: %s(%d) 0x%llx for %uKB%s\n",
+   typestr, mm->Type, mm->PhysicalStart,
+   (unsigned)((mm->NumberOfPages * EFI_PAGE_SIZE) / 1024),
+   (mm->Type != EfiConventionalMemory)? " FATAL" : "");
+   }
+   free(mm0, siz);
+
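Review bot: `Xmemory_efi` duplicates the GetMemoryMap fetch from `efi_memprobe_internal` (same `siz`/`mapkey`/`mmsiz`/`mmver`/`mm0` locals, same two panic paths, same `0x100` / `0x200` window test) and, as a side effect, overwrites the global `mmap_key`; a read-only diagnostic command should not change shared boot state, so factor the fetch into one helper that both callers use and drop the `mmap_key = mapkey;` assignment here. The `(unsigned)` cast on `NumberOfPages * EFI_PAGE_SIZE / 1024` also silently truncates very large regions; `%llu` on the UINT64 value avoids that. As mailed, the hunk stops after `free(mm0, siz);` although the `@@ -614,5 +623,49 @@` header counts more added lines, so the closing `return (0); }` of the function appears to have been cut off in transit.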

Re: doas and home directory of target user

2015-09-22 Thread Benjamin Baier
On Tue, 22 Sep 2015 17:41:57 +0900
Joel Rees  wrote:

> I have this rule in doas.conf:
> 
> permit nopass user1 as user2
> 
> As user1, I try this at the command line:
> 
> doas -u user2 whoami
> 
> and it tells me I am user2, as I expect. And
> 
>doas -u user2 ls
> 
> tells me I don't have permission. I kind of expect this.
> 
> I'm looking for a way to do the equivalent of
> 
> sudo -u user2 -s "cd; ls"

My two slightly different solutions:

$ doas -u user2 -s << EOF
> cd /home/user2
> ls
> EOF

$ doas -u user2 env HOME=/home/user2 /bin/ksh << EOF
> cd
> ls
> EOF

Greetings ben



Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-22 Thread Adam
If I recall correctly, some of you reported problems with PC Engines' default 
option Compex WLE200NX 802.11a/b/g/n.

Oh, there is a new Compex WLE600VX 802.11ac as well (for apu, please check 
software support first).

Or, perhaps, I'm better off buying a 3rd party one from Amazon? Intel modules 
are popular there.



Re: doas and home directory of target user

2015-09-22 Thread dan mclaughlin
On Tue, 22 Sep 2015 17:41:57 +0900 Joel Rees  wrote:
> I have this rule in doas.conf:
> 
> permit nopass user1 as user2
> 
> As user1, I try this at the command line:
> 
> doas -u user2 whoami
> 
> and it tells me I am user2, as I expect. And
> 
>doas -u user2 ls
> 
> tells me I don't have permission. I kind of expect this.
> 
> I'm looking for a way to do the equivalent of
> 
> sudo -u user2 -s "cd; ls"
> 
> I don't see a way to do this with doas, at least not without a short
> intermediary script, which script is not going to be able to do cd ~/.
> 
> Should I assume that doas is not intended to do this sort of thing?
> 
> (And therefore do things "right" by setting up ssh with public-key
> authentication to do the user switch?)
> 
> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> )
> 
> Joel Rees
> 
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.
> 

if you are just trying to run multiple commands, you can do it under a
shell eg

$ doas -u user2 ksh -c "cd; ls"

although it may be better to do

$ doas -u user2 ksh -c "cd && ls"

so that you know it successfully changed dir.

if you are trying to 'cd' to user2's home, that's slightly more tricky,
since $HOME is maintained from the parent shell. there doesn't seem to
be a simple way to get a login shell, but there is a way using su.

in /etc/doas.conf

  permit nopass user1 as root cmd su args -l user2

and you can run:
  
  $ doas su -l user2

but that doesn't seem to let you run commands.


although, if you just want to log in user2, you can use ssh (you don't
need chroot necessarily). you can just set up
/home/user2/.ssh/authorized_keys and do:

$ ssh user2@localhost

and you can run a command that way with no problem, and it's simpler:

$ ssh user2@localhost ls

if you are using firefox this would be better since you have -X (X11
security restrictions.)

$ ssh -X user2@localhost firefox

if you do want to go down that route though see this:
https://marc.info/?l=openbsd-misc=142676615612510=2

you needn't go all the way, but the info is still good re ssh.


if you just want to run the command as the user as if they were logged
in, ssh is probably your best bet:

$ ssh user2@localhost ksh -c "cd; ls"

according to sudo(8) your original "cd; ls" would be passed to the
shell just as above. so basically that last command is the equivalent
of your 'sudo -u user2 -s "cd; ls"'.
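As an added example (not code from any poster in this thread), a small POSIX shell wrapper for the problem discussed above: it takes the target user's home directory from the passwd database instead of the caller's inherited $HOME, and uses `cd &&` so the command only runs once the directory change has succeeded. The `home_of` and `as_user_cmd` helper names and the passwd text are constructed for the example; the doas invocation is built and printed, not executed.

```shell
#!/bin/sh
# Constructed passwd-format sample (same layout as /etc/passwd); in real use
# pass nothing as the last argument and the function reads /etc/passwd.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
user1:*:1000:1000:User One:/home/user1:/bin/ksh
user2:*:1001:1001:User Two:/home/user2:/bin/ksh'

# home_of USER [PASSWD_TEXT]
# Print the home directory (6th field) of USER from the account database, so
# the target's home comes from passwd and not from the calling user's $HOME.
# Returns 1 if the account does not exist.
home_of() {
    printf '%s\n' "${2:-$(cat /etc/passwd)}" |
        awk -F: -v u="$1" '
            $1 == u { print $6; found = 1; exit }
            END     { exit !found }'
}

# as_user_cmd USER CMD [PASSWD_TEXT]
# Build the doas command line from the thread (doas -u USER env HOME=... ksh -c)
# with HOME taken from passwd, and chain CMD behind "cd &&" so CMD is skipped
# when the home directory is missing or not accessible. Returns 1 for an
# unknown user.
as_user_cmd() {
    h=$(home_of "$1" "$3") || return 1
    printf 'doas -u %s env HOME=%s ksh -c %s\n' "$1" "$h" "'cd && $2'"
}

# Example: prints the command that would list user2's real home directory.
as_user_cmd user2 ls "$SAMPLE_PASSWD"
```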