Re: Cron logs in /var/cron/log instead of /var/log/cron?

2016-10-02 Thread Theo de Raadt
> > That's the kind of comment that leads me to take bug reports less
> > seriously in the future... diagnostic logs which would have solved
> > the problem, will have been lost INTENTIONALLY.  And then we get
> > asked for help?  Crazy.
> > 
> 
> Thank you for that information; the impression I got about softdep was
> that it guarantees file system integrity so fsck is not needed.

"file system integrity" refers to the directory-tree hierarchy. Not
the contents of files.  When softdep is in use, blocks go to the disk
slower.  Therefore if you crash, you have less context.  Doing this
with important log files is entirely backwards.



Re: Cron logs in /var/cron/log instead of /var/log/cron?

2016-10-02 Thread bytevolcano
On Sun, 02 Oct 2016 22:45:00 -0600
"Theo de Raadt"  wrote:

> > Why is it in /var/cron/log and not /var/log/cron by default? To me
> > it makes more sense to have it all in /var/log/, but given it has
> > been the default for several years, is there a reason (other than
> > historic) that the default is like that?  
> 
> That dates back to more than 20 years actually.
> 
> Back in the CSRG days, a lot of new daemon imports got their own /var
> directories for reasons we can only guess at.

So it appears this is merely historic then.

> 
> > Is there any harm or issue with setting the log location
> > of cron logs to /var/log/cron instead, or is it best to leave it
> > in /var/cron/log?  
> 
> You can do whatever you want.
> 
> Before we talk about changing this, we must know what the downsides
> are.

Indeed; I was wondering whether there are any issues/downsides with
changing this. I have changed this for the last 5 years without any
adverse effects on my end, but I only have done this on about 8
different machines, with different purposes.

> 
> > I am interested to know as I keep /var/log in a separate UFS
> > partition mounted with rw,softdep,noatime,nodev,noexec,nosuid to
> > store all the syslog logs, and /var/cron/log is the odd one out
> > here.  
> 
> With softdep???  That is completely insane.  So clearly you don't
> actually care to have the contents of logs after a crash -- since
> softdep is quite likely to lose data buffers during circumstances like
> memory pressure, etc etc.
> 
> That's the kind of comment that leads me to take bug reports less
> seriously in the future... diagnostic logs which would have solved
> the problem, will have been lost INTENTIONALLY.  And then we get
> asked for help?  Crazy.
> 

Thank you for that information; the impression I got about softdep was
that it guarantees file system integrity so fsck is not needed.

I have softdep enabled on all the partitions as per this:
https://www.openbsd.org/faq/faq14.html#SoftUpdates
I guess it is time for me to evaluate my setup again.



Re: Cron logs in /var/cron/log instead of /var/log/cron?

2016-10-02 Thread Theo de Raadt
> Why is it in /var/cron/log and not /var/log/cron by default? To me it
> makes more sense to have it all in /var/log/, but given it has been the
> default for several years, is there a reason (other than historic) that
> the default is like that?

That dates back to more than 20 years actually.

Back in the CSRG days, a lot of new daemon imports got their own /var
directories for reasons we can only guess at.

> Is there any harm or issue with setting the log location
> of cron logs to /var/log/cron instead, or is it best to leave it
> in /var/cron/log?

You can do whatever you want.

Before we talk about changing this, we must know what the downsides
are.

> I am interested to know as I keep /var/log in a separate UFS partition
> mounted with rw,softdep,noatime,nodev,noexec,nosuid to store all the
> syslog logs, and /var/cron/log is the odd one out here.

With softdep???  That is completely insane.  So clearly you don't
actually care to have the contents of logs after a crash -- since
softdep is quite likely to lose data buffers during circumstances like
memory pressure, etc etc.

That's the kind of comment that leads me to take bug reports less
seriously in the future... diagnostic logs which would have solved
the problem, will have been lost INTENTIONALLY.  And then we get
asked for help?  Crazy.



Cron logs in /var/cron/log instead of /var/log/cron?

2016-10-02 Thread bytevolcano
I have noticed for the last 5 years of OpenBSD usage that the cron log
location is /var/cron/log, instead of /var/log/cron:

#   $OpenBSD: syslog.conf,v 1.19 2015/11/26 15:25:14 deraadt Exp $
#

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info   /var/log/authlog
authpriv.debug  /var/log/secure
cron.info   /var/cron/log

...

Why is it in /var/cron/log and not /var/log/cron by default? To me it
makes more sense to have it all in /var/log/, but given it has been the
default for several years, is there a reason (other than historic) that
the default is like that?

Is there any harm or issue with setting the log location
of cron logs to /var/log/cron instead, or is it best to leave it
in /var/cron/log?

I am interested to know as I keep /var/log in a separate UFS partition
mounted with rw,softdep,noatime,nodev,noexec,nosuid to store all the
syslog logs, and /var/cron/log is the odd one out here.



Fix paxtest output on OpenBSD 6.0?

2016-10-02 Thread Peter Janos
Fix paxtest output on OpenBSD 6.0?

Hallo :)

Also I included a few other OS.

Mirror for the post is here: 
https://pastebin.com/raw/y9qHwZxi

Tests are after a default/fresh install (not livecd), using 
https://www.grsecurity.net/~spender/paxtest-0.9.15.tar.gz


All OS were installed/tested in VirtualBox-5.1.6_110634_el7-1.x86_64 on a RHEL 
7.2 / T450.



When I used 'paxtest-0.9.15' on OpenBSD, had to ADD two lines: 

$ grep -n 'randarg1: randbody.o randarg1.o' Makefile.OpenBSD
157:randarg1: randbody.o randarg1.o
$ grep -n 'randarg2: randbody.o randarg2.o' Makefile.OpenBSD
159:randarg2: randbody.o randarg2.o
$ 

or else compile would fail, thx for the hint from Pinter Oliver!



On FreeBSD/HBSD I had to use paxtest-0.9.14-freebsd.tar compiled on FBSD9 from 
https://github.com/HardenedBSD/tools/blob/master/tests/paxtest-freebsd/paxtest-0.9.14-freebsd.tgz



If anyone has outputs for NetBSD and DragonFlyBSD, please post. 


Always used blackhat mode. 

##
SUM (copy it to a simple editor, ex.: gedit, then from there to LibreOffice 
Calc): 

###
CentOS-7-x86_64-Everything-1511.txt           Executable anonymous mapping  Killed
debian-8.6.0-amd64-CD-1.txt                   Executable anonymous mapping  Killed
Fedora-Server-dvd-x86_64-24-1.2.txt           Executable anonymous mapping  Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable anonymous mapping  Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt           Executable anonymous mapping  Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt               Executable anonymous mapping  Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt            Executable anonymous mapping  Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt   Executable anonymous mapping  Killed
install60.txt                                 Executable anonymous mapping  Killed
linuxmint-18-cinnamon-64bit.txt               Executable anonymous mapping  Killed
openSUSE-Leap-42.1-DVD-x86_64.txt             Executable anonymous mapping  Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt      Executable anonymous mapping  Killed
ubuntu-16.04.1-desktop-amd64.txt              Executable anonymous mapping  Killed
ubuntu-16.04.1-server-amd64.txt               Executable anonymous mapping  Killed
###
CentOS-7-x86_64-Everything-1511.txt           Executable bss                Killed
debian-8.6.0-amd64-CD-1.txt                   Executable bss                Killed
Fedora-Server-dvd-x86_64-24-1.2.txt           Executable bss                Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable bss                Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt           Executable bss                Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt               Executable bss                Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt            Executable bss                Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt   Executable bss                Killed
install60.txt                                 Executable bss                Killed
linuxmint-18-cinnamon-64bit.txt               Executable bss                Killed
openSUSE-Leap-42.1-DVD-x86_64.txt             Executable bss                Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt      Executable bss                Killed
ubuntu-16.04.1-desktop-amd64.txt              Executable bss                Killed
ubuntu-16.04.1-server-amd64.txt               Executable bss                Killed
###
CentOS-7-x86_64-Everything-1511.txt           Executable data               Killed
debian-8.6.0-amd64-CD-1.txt                   Executable data               Killed
Fedora-Server-dvd-x86_64-24-1.2.txt           Executable data               Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable data               Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt           Executable data               Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt               Executable data               Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt            Executable data               Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt   Executable data               Killed
install60.txt                                 Executable data               Killed
linuxmint-18-cinnamon-64bit.txt               Executable data               Killed
openSUSE-Leap-42.1-DVD-x86_64.txt             Executable data               Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt      Executable data               Killed
ubuntu-16.04.1-desktop-amd64.txt              Executable data               Killed
ubuntu-16.04.1-server-amd64.txt               Executable data               Killed
###
CentOS-7-x86_64-Everything-1511.txt           Executable heap               Killed
debian-8.6.0-amd64-CD-1.txt                   Executable heap               Killed
Fedora-Server-dvd-x86_64-24-1.2.txt           Executable heap               Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable heap               Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt           Executable heap               Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt               Executable heap               Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt            Executable heap               Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt   Executable heap               Killed
install60.txt                                 Executable heap               Killed
linuxmint-18-cinnamon-64bit.txt               Executable heap               Killed
openSUSE-Leap-42.1-DVD-x86_64.txt             Executable heap               Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt      Executable heap               Killed
ubuntu-16.04.1-desktop-amd64.txt              Executable heap               Killed

Re: signify: write to stdout: Broken pipe

2016-10-02 Thread lvdd
Hi,

with some help from Alex Greif off-list in reproducing the
issue, I decided to reinstall the system using a different mirror and
different approaches.

After a lot of trying I found that I am running into the issue as soon as
I install either quodlibet or keepassx on my system. Removing those
packages and restarting X fixes the error messages.

So, the combination of jwm, messagebus (with the dbus-session
configured in my xinitrc) and either quodlibet or keepassx shows the
problem for me. I have reproduced this now at least 3 times. 

I don't know what to make of this but I would put this issue
into the packages area. So it probably makes more sense to move this
to ports@.

Since I am obviously not a developer I have no idea how to properly
debug this. My trial and error method doesn't get me anywhere closer to
the real issue. Maybe the issue will disappear with later package
builds and updates.
Sorry I cannot be of better help.

Lars 



Re: OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801 [solved, but ...]

2016-10-02 Thread Peer Janssen
Am 02.10.2016 um 21:24 schrieb Paul Suh:
>> On Oct 2, 2016, at 3:06 PM, Peer Janssen  wrote:
>>
>> Now I reinstalled on another CF-Disk (4GB Transcend) with another method
>> (miniboot.fs), this went through and first-rebooted just fine.
>>
>> But now halting the machine produces a panic:
> I suspect that part of the problem with your 4801 is just old age. I'm phasing
> out the four units that I own, since they're all becoming unreliable with
> inexplicable and unrepeatable crashes, freezes, and panics. Some of the
> problem can be traced to bad power supplies, but overall a big part is just
> plain old age. Any 4801 must be at least ten to twelve years old (date of
> manufacture, not date of sale). I think by now enough of the capacitors have
> gone bad or are on the way to going bad that they're dying. :-(
>
> Also, for my use they don't have enough CPU power to run IPSec tunnels at full
> WAN speed so I need new hardware anyway.
>
> Hope this helps.
This surely is interesting background information.

Only, the installed system also showed a panic when I put that same
CF-Disk in an alix board (the one I talked about in my message with the
"[misc] tfdpd doesn't deliver pxeboot file" title). It booted just fine,
but also panicked on halt.

So there might be more to it. Of course, these systems probably are
rarely halted anyway. But still, who knows what else is hiding behind
such a panic.

Peer


-- 
Peer Janssen - p...@pjk.de



Re: OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801 [solved, but ...]

2016-10-02 Thread Paul Suh
> On Oct 2, 2016, at 3:06 PM, Peer Janssen  wrote:
>
> Now I reinstalled on another CF-Disk (4GB Transcend) with another method
> (miniboot.fs), this went through and first-rebooted just fine.
>
> But now halting the machine produces a panic:

Peer,

I suspect that part of the problem with your 4801 is just old age. I'm phasing
out the four units that I own, since they're all becoming unreliable with
inexplicable and unrepeatable crashes, freezes, and panics. Some of the
problem can be traced to bad power supplies, but overall a big part is just
plain old age. Any 4801 must be at least ten to twelve years old (date of
manufacture, not date of sale). I think by now enough of the capacitors have
gone bad or are on the way to going bad that they're dying. :-(

Also, for my use they don't have enough CPU power to run IPSec tunnels at full
WAN speed so I need new hardware anyway.

Hope this helps.


--Paul




Re: OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801

2016-10-02 Thread Nick Holland
On 10/02/16 11:53, Peer Janssen wrote:
> Goal: Upgrade a working soekris net4801 from OpenBSD 4.6 to 6.0.

good.

> First I copied the complete 256 MB SiliconDrive CF-Disk to a newer
> SanDisk 8 GB Ultra one and rebooted, which worked smoothly and fine.

well, probably don't want to use that 256MB CF now, but ...

> I took the bsd.rd from an OpenBSD 6.0 i386 machine:
> 
> # ls -l /bsd.rd
> -rw-r--r--  1 root  wheel  7173390 Sep 20 19:17 /bsd.rd
> # md5 /bsd.rd
> MD5 (/bsd.rd) = 191559b8c5907ca34c144462366b021a
> # dmesg
> OpenBSD 6.0 (GENERIC) #1917: Tue Jul 26 12:48:33 MDT 2016
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

note: this is NOT bsd.rd

> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
> 586-class) 499 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> 
> [snip]
> 
> put it in / of a working soekris net4801 with OpenBSD 4.6 in order to
> jump-upgrade the system, but it doesn't boot the 6.0 bsd.rd install image:

bzzzt.

you put the newer (install) KERNEL in with the very old boot loader
(/boot).  One of the things that changed was the serial console support.

Since you are changing your media and doing a wipe and reload, just use
the miniroot60.fs to overwrite the beginning of your 8G CF, and boot that.

(or netboot, or any of the other ways to bring up such a system)

Nick.



Re: OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801 [solved, but ...]

2016-10-02 Thread Peer Janssen
Now I reinstalled on another CF-Disk (4GB Transcend) with another method
(miniboot.fs), this went through and first-rebooted just fine.

But now halting the machine produces a panic:

# halt -q -p
syncing disks... panic: init died (signal 11, exit 0)
Stopped at  Debugger+0x7:   leave
   TID    PID    UID     PRFLAGS   PFLAGS  CPU  COMMAND
*    1      1      0       0x802  0x20000       init
Debugger(d09ee194,f35e5e08,d09c5b88,f35e5e08,cf7c0004) at Debugger+0x7
panic(d09c5b88,b,0,0,2) at panic+0x71
exit1(d5774000,b,1,0,d576b210,0,6cfd49fd,d5772000) at exit1+0x548
sigexit(d5774000,b,0,0,0) at sigexit+0x76
trapsignal(d5774000,b,1,1,17b50e00) at trapsignal+0xe2
trap() at trap+0x71f
--- trap (number 23636) ---
0xcf7c0004:
http://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> trace
Debugger(d09ee194,f35e5e08,d09c5b88,f35e5e08,cf7c0004) at Debugger+0x7
panic(d09c5b88,b,0,0,2) at panic+0x71
exit1(d5774000,b,1,0,d576b210,0,6cfd49fd,d5772000) at exit1+0x548
sigexit(d5774000,b,0,0,0) at sigexit+0x76
trapsignal(d5774000,b,1,1,17b50e00) at trapsignal+0xe2
trap() at trap+0x71f
--- trap (number 23636) ---
0xcf7c0004:
ddb> ps
   TID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
 55507  85598  55507      0  2         0x3             halt
 85598      1  85598      0  3    0x10008b  pause      ksh
 92661      1  92661      0  3    0x100098  poll       cron
 57250      1  57250     99  3    0x100090  poll       sndiod
 63400      1  63400    110  3    0x100090  poll       sndiod
 65906  81999  81999     95  3    0x100092  kqread     smtpd
 72831  81999  81999    103  3    0x100092  kqread     smtpd
 10633  81999  81999     95  3    0x100092  kqread     smtpd
 97068  81999  81999     95  3    0x100092  kqread     smtpd
 81499  81999  81999     95  3    0x100092  kqread     smtpd
 57906  81999  81999     95  3    0x100092  kqread     smtpd
 81999      1  81999      0  3    0x100080  kqread     smtpd
  7482  89821  89821     74  3    0x100090  bpf        pflogd
 89821      1  89821      0  3        0x80  netio      pflogd
 93705  43872  43872     73  3    0x100090  kqread     syslogd
 43872      1  43872      0  3    0x100080  netio      syslogd
  9456      1   9456     77  3    0x100090  poll       dhclient
 86556      1  86556      0  3        0x80  poll       dhclient
 88578      0      0      0  2     0x14200             zerothread
 85136      0      0      0  3     0x14200  aiodoned   aiodoned
  9148      0      0      0  3     0x14200  syncer     update
 37019      0      0      0  3     0x14200  cleaner    cleaner
 79443      0      0      0  3     0x14200  reaper     reaper
 69499      0      0      0  3     0x14200  pgdaemon   pagedaemon
 42714      0      0      0  3     0x14200  bored      crynlk
 51880      0      0      0  3     0x14200  bored      crypto
 69072      0      0      0  3     0x14200  pftm       pfpurge
 79050      0      0      0  3     0x14200  usbtsk     usbtask
 15996      0      0      0  3     0x14200  usbatsk    usbatsk
 42597      0      0      0  2     0x14200             softnet
 40363      0      0      0  3     0x14200  bored      systqmp
 89410      0      0      0  3     0x14200  bored      systq
 29073      0      0      0  3  0x40014200             idle0
 69980      0      0      0  3     0x14200  kmalloc    kmthread
*    1      0      1      0  7      0x2802             init
     0     -1      0      0  3     0x10200  scheduler  swapper
ddb> show uvm
Current UVM status:
  pagesize=4096 (0x1000), pagemask=0xfff, pageshift=12
  61273 VM pages: 2530 active, 0 inactive, 0 wired, 55999 free (5913 zero)
  min  10% (25) anon, 10% (25) vnode, 5% (12) vtext
  pages  0 anon, 0 vnode, 0 vtext
  freemin=2042, free-target=2722, inactive-target=0, wired-max=20424
  faults=73549, traps=74028, intrs=146205, ctxswitch=22830 fpuswitch=76
  softint=61989, syscalls=134503, kmapent=16
  fault counts:
noram=0, noanon=0, noamap=0, pgwait=0, pgrele=0
ok relocks(total)=3723(3723), anget(retries)=35383(0), amapcopy=35109
neighbor anon/obj pg=2026/33638, gets(lock/unlock)=14623/3732
cases: anon=28842, anoncow=6541, obj=13191, prcopy=1423, przero=23543
  daemon and swap counts:
woke=0, revs=0, scans=0, obscans=0, anscans=0
busy=0, freed=0, reactivate=0, deactivate=0
pageouts=0, pending=0, nswget=0
nswapdev=1, nanon=0, nanonneeded=0 nfreeanon=0
swpages=65535, swpginuse=0, swpgonly=0 paging=0
  kernel pointers:
objs(kern)=0xd0b89580
ddb> show bcstats
Current Buffer Cache status:
numbufs 30 busymapped 1, delwri 0
kvaslots 765 avail kva slots 764
bufpages 114, dirtypages 0
pendingreads 0, pendingwrites 0
ddb> mount
No such command
ddb> show panic
init died (signal 11, exit 0)
ddb>

I could not reproduce this after a reboot (taking 2:17, of which 52 s
are 

Re: OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801

2016-10-02 Thread Etienne

On 2016-10-02 16:54, Peer Janssen wrote:
> Goal: Upgrade a working soekris net4801 from OpenBSD 4.6 to 6.0.
>
> First I copied the complete 256 MB SiliconDrive CF-Disk to a newer
> SanDisk 8 GB Ultra one and rebooted, which worked smoothly and fine.
>
> [...]
> Is a system like the soekris net4801 not supported any more? Or is
> there something I can do to install the new version on it?


I upgraded the same machine to 6.0 today, and didn't see any problem. So 
I suspect your hardware (either the CF-Disk or the board itself) is 
defective.


Hope that helps.

Cheers,

--
Étienne



Re: Unexpected behavior in su/doas

2016-10-02 Thread Tinker

On 2016-10-02 18:14, Chris Bennett wrote:

> On Sun, Oct 02, 2016 at 01:03:28AM -0700, Philip Guenther wrote:
>
> > On Sun, Oct 2, 2016 at 12:35 AM, Otto Moerbeek  wrote:
> > > On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:
> > >
> > > > On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
> > > > > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
> > > > > remain the same.
> > > > >
> > > > > De-escalation using these "sudo" or "doas" like tools on a tty is
> > > > > somewhat unsafe - it has always been unsafe - because tty's have
> > > > > capabilities.
> > > > >
> > > > > If you wish to be safer, do these operations without retaining access
> > > > > to a tty.
> > > > >
> > > > > Escalation on the other hand (user -> root) is different, because then
> > > > > it is clear you want to do more / everything.  But de-escalation is a
> > > > > joke.
> > > > >
> > > > > This is just one mechanism on tty, there are others.  On other
> > > > > descriptors there are other abilities.
> > > > >
> > > >
> > > > Would you mind explaining this a little bit. I don't really mean the
> > > > sudo/doas part.
> > > >
> > > > How to do operations without retaining access to a tty?
> > > >
> > > > What other descriptors?
> > >
> > > Well, a lot of things are possible using descriptors. Descriptors can
> > > refer to files, devices, sockets to name a few. So if you have an open
> > > descriptor to any of them...
> >
> > ...and it's not just actual file descriptors that provide privileged
> > access: even if a process closes all fds for its controlling tty, it
> > remains the process's controlling tty and can still be reopened via
> > /dev/tty.  Similarly, simply being in the same session gives a process
> > additional rights that it wouldn't have otherwise, such as being able
> > to use tcsetpgrp() and see your login name via getlogin()...
>
> So fork, as used in daemon, does mitigate this, as long as used
> correctly?
>
> Or do the same/other problems continue?
>
> Chris Bennett


Doing "su" or "chroot" (symmetric with respect to this risk) is 
sometimes very convenient, as it can be done without external 
configuration as would be needed for ssh.


Would it be possible to cut the risk (file descriptors) while still 
outputting to the same terminal, ssh without ssh?




Re: Unexpected behavior in su/doas

2016-10-02 Thread Chris Bennett
On Sun, Oct 02, 2016 at 01:03:28AM -0700, Philip Guenther wrote:
> On Sun, Oct 2, 2016 at 12:35 AM, Otto Moerbeek  wrote:
> > On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:
> >
> >> On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
> >> > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
> >> > remain the same.
> >> >
> >> > De-escalation using these "sudo" or "doas" like tools on a tty is
> >> > somewhat unsafe - it has always been unsafe - because tty's have
> >> > capabilities.
> >> >
> >> > If you wish to be safer, do these operations without retaining access
> >> > to a tty.
> >> >
> >> > Escalation on the other hand (user -> root) is different, because then
> >> > it is clear you want to do more / everything.  But de-escalation is a
> >> > joke.
> >> >
> >> > This is just one mechanism on tty, there are others.  On other
> >> > descriptors there are other abilities.
> >> >
> >>
> >> Would you mind explaining this a little bit. I don't really mean the
> >> sudo/doas part.
> >>
> >> How to do operations without retaining access to a tty?
> >>
> >> What other descriptors?
> >
> > Well, a lot of things are possible using descriptors. Descriptors can
> > refer to files, devices, sockets to name a few. So if you have an open
> > descriptor to any of them...
> 
> ...and it's not just actual file descriptors that provide privileged
> access: even if a process closes all fds for its controlling tty, it
> remains the process's controlling tty and can still be reopened via
> /dev/tty.  Similarly, simply being in the same session gives a process
> additional rights that it wouldn't have otherwise, such as being able
> to use tcsetpgrp() and see your login name via getlogin()...
> 

So fork, as used in daemon, does mitigate this, as long as used correctly?
Or do the same/other problems continue?

Chris Bennett
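An added illustration of Philip's point and of Chris's question (example code written for this page, not from anyone in the thread): a forked child that has closed every inherited descriptor can still open /dev/tty, because it is still in the session that owns the terminal; calling setsid(), which is the step daemon(3) takes after fork(), leaves that session and the open fails. Function names here are mine; only POSIX calls are used.

```c
/*
 * Added example (not from the thread).  Shows that closing descriptors
 * does not drop a process's controlling terminal, and that setsid(),
 * the step daemon(3) performs after fork(), does.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Fork a child that closes all inherited descriptors and then tries to
 * open /dev/tty.  With detach != 0 the child calls setsid() first.
 * Returns 1 if the child could open /dev/tty, 0 if open() failed,
 * -1 if the probe itself failed (fork/setsid/waitpid).
 */
int child_can_reopen_tty(int detach)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* A fresh child is never a process-group leader, so setsid()
         * succeeds and leaves the child with no controlling terminal. */
        if (detach && setsid() == (pid_t)-1)
            _exit(2);

        /* Close everything we inherited, tty descriptors included
         * (capped at 1024; the terminal fds are the low-numbered ones). */
        long maxfd = sysconf(_SC_OPEN_MAX);
        if (maxfd < 0 || maxfd > 1024)
            maxfd = 1024;
        for (int fd = 0; fd < maxfd; fd++)
            close(fd);

        /* /dev/tty resolves through the session's controlling tty,
         * not through any descriptor we still hold. */
        int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
        _exit(fd >= 0 ? 1 : 0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

/* Does the calling process itself have a controlling terminal? 1/0. */
int have_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    int parent = have_controlling_tty();
    int same_session = child_can_reopen_tty(0);
    int new_session = child_can_reopen_tty(1);

    printf("parent has controlling tty:               %s\n",
           parent ? "yes" : "no");
    printf("child, fds closed, same session:   /dev/tty %s\n",
           same_session == 1 ? "reopened" : "not available");
    printf("child, fds closed, after setsid(): /dev/tty %s\n",
           new_session == 1 ? "reopened" : "not available");
    /* Run from an interactive shell, the first two lines say yes/reopened
     * and the last says not available: the session, not the descriptor
     * set, is what grants access to the terminal. */
    return 0;
}
```

Run it once from a terminal and once under nohup or a cron job to see the same-session probe flip from "reopened" to "not available" while the setsid() probe never changes.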



OpenBSD 6.0 bsd.rd doesn't boot on soekris net4801

2016-10-02 Thread Peer Janssen
Goal: Upgrade a working soekris net4801 from OpenBSD 4.6 to 6.0.

First I copied the complete 256 MB SiliconDrive CF-Disk to a newer
SanDisk 8 GB Ultra one and rebooted, which worked smoothly and fine.

I took the bsd.rd from an OpenBSD 6.0 i386 machine:

# ls -l /bsd.rd
-rw-r--r--  1 root  wheel  7173390 Sep 20 19:17 /bsd.rd
# md5 /bsd.rd
MD5 (/bsd.rd) = 191559b8c5907ca34c144462366b021a
# dmesg
OpenBSD 6.0 (GENERIC) #1917: Tue Jul 26 12:48:33 MDT 2016
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW

[snip]

put it in / of a working soekris net4801 with OpenBSD 4.6 in order to
jump-upgrade the system, but it doesn't boot the 6.0 bsd.rd install image:

$ cu -l /dev/ttyS0 -s 19200
Connected.
 1
Using drive 0, partition 3.
Loading...
probing: pc0 com0 com1 pci mem[639K 255M a20=on]
disk: hd0+
>> OpenBSD/i386 BOOT 3.02
switching console to com0
 >> OpenBSD/i386 BOOT 3.02
boot>  stty com0 19200

com0: 19200 baud
boot> set tty com0
switching console to com0
>> OpenBSD/i386 BOOT 3.02
boot> boot bsd.rd
booting hd0a:bsd.rd: 3211188+1318224+2061312+0+442368
[72+298576+282894]=0x744144
entry point at 0x2000d4
cu: Got hangup signal

Disconnected.
==> So here is where it breaks. Immediate reconnect:

$ cu -l /dev/ttyS0 -s 19200
Connected.

[snip: more empty lines]
==> it goes into a reboot like this:

comBIOS ver. 1.28  20050529  Copyright (C) 2000-2005 Soekris Engineering.

net4801

0256 Mbyte MemoryCPU Geode 266 Mhz

Pri Mas  SDCFHS-008G LBA Xlt 974-255-63  7831 Mbyte

Slot   Vend Dev  ClassRev Cmd  Stat CL LT HT  Base1Base2   Int
---
0:00:0 1078 0001 0600 0107 0280 00 00 00  
0:06:0 100B 0020 0200 0107 0290 00 3F 00 E101 A000 10
0:07:0 100B 0020 0200 0107 0290 00 3F 00 E201 A0001000 10
0:08:0 100B 0020 0200 0107 0290 00 3F 00 E301 A0002000 10
0:10:0 104C AC23 06040002 0107 0210 08 3F 01  
0:18:2 100B 0502 01018001 0005 0280 00 00 00  
0:19:0 0E11 A0F8 0C031008 0117 0280 08 38 00 A0003000  11
1:00:0 100B 0020 0200 0107 0290 00 3F 00 D001 A400 05
1:01:0 100B 0020 0200 0107 0290 00 3F 00 D101 A4001000 11
1:02:0 100B 0020 0200 0107 0290 00 3F 00 D201 A4002000 05
1:03:0 100B 0020 0200 0107 0290 00 3F 00 D301 A4003000 11

 1 Seconds to automatic boot.   Press Ctrl-P for entering Monitor.

comBIOS Monitor.   Press ? for help.
[snip]
==> For comparison and giving machine details, booting into the working
OpenBSD 4.6:
> boot
Using drive 0, partition 3.
Loading...
probing: pc0 com0 com1 pci mem[639K 255M a20=on]
disk: hd0+
>> OpenBSD/i386 BOOT 3.02
switching console to com0
 >> OpenBSD/i386 BOOT 3.02
boot>
booting hd0a:/bsd: 6563548+1052072 [52+345584+327881]=0x7e7ce8
entry point at 0x200120

[ using 673892 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2009 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 4.6 (GENERIC) #58: Thu Jul  9 21:24:42 MDT 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC"
586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
real mem  = 268005376 (255MB)
avail mem = 250331136 (238MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/50/29, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0: (uniprocessor)
cpu0: TSC disabled
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
sis0 at pci0 dev 6 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 10, address 00:00:24:c6:20:c4
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 7 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 10, address 00:00:24:c6:20:c5
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 10, address 00:00:24:c6:20:c6
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
ppb0 at pci0 dev 10 function 0 "TI PCI2250 PCI-PCI" rev 0x02
pci1 at ppb0 bus 1
sis3 at pci1 dev 0 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 5, address 00:00:24:c4:fa:30
nsphyter3 at sis3 phy 0: DP83815 10/100 PHY, rev. 1
sis4 at pci1 dev 1 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 11, address 00:00:24:c4:fa:31
nsphyter4 at sis4 phy 0: DP83815 10/100 PHY, rev. 1
sis5 at pci1 dev 2 function 0 "NS 

HP MediaSmart 470 only recognizes 2 drives

2016-10-02 Thread Lawrence Wieser
I’ve been running OpenBSD on an old HP MediaSmart 470 box. I just installed
5.9 yesterday. The BIOS reports 3 installed drives:

IDE Channel 2 Master : ST31500541AS CC34   (OpenBSD
disklabel)
IDE Channel 2 Slave  : WDC WD20EFRX-68EUZN0 82.00A82   (new, unformatted)
IDE Channel 3 Master : ST3500630AS 3.CHN   (OpenBSD
disklabel)
IDE Channel 3 Slave  : None

These are all SATA drives that report LBA, ATA. (The Serial ATA controller
mode is set to “4P(IDE)+4S(IDE)” in the BIOS.) The boot sequence shows:

disk: hd0+ hd1+* hd2 hd3*

System works fine with the 2 drives it recognizes. The Channel 2 and Channel 3
“Master” drives. The “Slave” drive is not recognized. Also, not sure I
understand the “disk:” line above.

The missing “Slave” drives are nothing new. I had the same problem with
prior versions of OpenBSD. I’d never spent much time on the problem since
the two drives still gave me a perfectly functional system. I’ve now spent
some time on it and I can’t find a way to get more than 2 drives recognized.
Am I missing something basic? Or do the vintage (c. 2008) hardware and drivers
prevent this? dmesg below:

OpenBSD 5.9 (GENERIC) #1761: Fri Feb 26 01:15:04 MST 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2097086464 (1999MB)
avail mem = 2029428736 (1935MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.2 @ 0xf (29 entries)
bios0: vendor Phoenix Technologies, LTD version "R02" date 07/13/2007
bios0: HP MediaSmart Server
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP BOOT SSDT MCFG APIC
acpi0: wakeup devices USB0(S5) USB1(S5) USB2(S5) USB3(S5) MAC0(S5) AMR0(S4)
HDA0(S5) PS2M(S5) PS2K(S4) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Sempron(tm) Processor 3400+, 6840.53 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,EAPICSP,A
MCR8
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 256KB 64b/line
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 14, 24 pins
ioapic0: misconfigured as apic 2, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpitz0 at acpi0: critical temperature is 100 degC
acpibtn0 at acpi0: PWRB
cpu0: PowerNow! K8 6840 MHz: speeds: 1800 1000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "SiS 761 PCI" rev 0x02
agp at pchb0 not configured
ppb0 at pci0 dev 1 function 0 "SiS 86C202 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "SiS 6330 VGA" rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 "SiS 966 ISA" rev 0x59
ohci0 at pci0 dev 3 function 0 "SiS 5597/5598 USB" rev 0x0f: apic 1 int 20, version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 "SiS 5597/5598 USB" rev 0x0f: apic 1 int 21, version 1.0, legacy support
ehci0 at pci0 dev 3 function 3 "SiS 7002 USB" rev 0x00: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "SiS EHCI root hub" rev 2.00/1.00 addr 1
se0 at pci0 dev 4 function 0 "SiS 191" rev 0x01: apic 1 int 19, address 00:0a:e4:87:96:73
atphy0 at se0 phy 0: F1 10/100/1000 PHY, rev. 6
pciide0 at pci0 dev 5 function 0 "SiS 1183 SATA" rev 0x02: DMA
pciide0: using apic 1 int 17 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 1430799MB, 2930277168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
wd1 at pciide0 channel 1 drive 0: 
wd1: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
pchb1 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00
pchb2 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00
kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00: core rev DH-F2
ppb1 at pci0 dev 31 function 0 "SiS PCI-PCI" rev 0x00: apic 1 int 16
pci2 at ppb1 bus 2
pciide1 at pci2 dev 0 function 0 "Marvell 88SE6121 SATA" rev 0xb2: DMA (unsupported), channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 1 int 16 for native-PCI interrupt
pciide1: channel 0 ignored (not responding; disabled or no drives?)
pciide1: channel 1 ignored (not responding; disabled or no drives?)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)

Fix paxtest output on OpenBSD 6.0?

2016-10-02 Thread Peter Janos
Hallo :)

Also I included a few other OS. Mirror for the post: 
https://pastebin.com/raw/y9qHwZxi

Tests are after a default/fresh install (not livecd), using 
https://www.grsecurity.net/~spender/paxtest-0.9.15.tar.gz


All OS were installed/tested in VirtualBox-5.1.6_110634_el7-1.x86_64 on a RHEL 
7.2 / T450.



When I used 'paxtest-0.9.15' on OpenBSD, had to ADD two lines: 

$ grep -n 'randarg1: randbody.o randarg1.o' Makefile.OpenBSD
157:randarg1: randbody.o randarg1.o
$ grep -n 'randarg2: randbody.o randarg2.o' Makefile.OpenBSD
159:randarg2: randbody.o randarg2.o
$ 

or else compile would fail, thx for the hint from Pinter Oliver!



On FreeBSD/HBSD I had to use paxtest-0.9.14-freebsd.tar compiled on FBSD9 from 
https://github.com/HardenedBSD/tools/blob/master/tests/paxtest-freebsd/paxtest-0.9.14-freebsd.tgz



If anyone has outputs for NetBSD and DragonFlyBSD, please post. 


Always used blackhat mode. 

##
SUM (copy it to a simple editor, ex.: gedit, then from there to LibreOffice 
Calc): 

###
CentOS-7-x86_64-Everything-1511.txt           Executable anonymous mapping  Killed
debian-8.6.0-amd64-CD-1.txt                   Executable anonymous mapping  Killed
Fedora-Server-dvd-x86_64-24-1.2.txt           Executable anonymous mapping  Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable anonymous mapping  Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt           Executable anonymous mapping  Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt               Executable anonymous mapping  Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt            Executable anonymous mapping  Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt   Executable anonymous mapping  Killed
install60.txt                                 Executable anonymous mapping  Killed
linuxmint-18-cinnamon-64bit.txt               Executable anonymous mapping  Killed
openSUSE-Leap-42.1-DVD-x86_64.txt             Executable anonymous mapping  Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt      Executable anonymous mapping  Killed
ubuntu-16.04.1-desktop-amd64.txt              Executable anonymous mapping  Killed
ubuntu-16.04.1-server-amd64.txt               Executable anonymous mapping  Killed
###
CentOS-7-x86_64-Everything-1511.txt           Executable bss                Killed
debian-8.6.0-amd64-CD-1.txt                   Executable bss                Killed
Fedora-Server-dvd-x86_64-24-1.2.txt           Executable bss                Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable bss                Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt           Executable bss                Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt               Executable bss                Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt            Executable bss                Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt   Executable bss                Killed
install60.txt                                 Executable bss                Killed
linuxmint-18-cinnamon-64bit.txt               Executable bss                Killed
openSUSE-Leap-42.1-DVD-x86_64.txt             Executable bss                Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt      Executable bss                Killed
ubuntu-16.04.1-desktop-amd64.txt              Executable bss                Killed
ubuntu-16.04.1-server-amd64.txt               Executable bss                Killed
###
CentOS-7-x86_64-Everything-1511.txt           Executable data               Killed
debian-8.6.0-amd64-CD-1.txt                   Executable data               Killed
Fedora-Server-dvd-x86_64-24-1.2.txt           Executable data               Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable data               Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt           Executable data               Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt               Executable data               Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt            Executable data               Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt   Executable data               Killed
install60.txt                                 Executable data               Killed
linuxmint-18-cinnamon-64bit.txt               Executable data               Killed
openSUSE-Leap-42.1-DVD-x86_64.txt             Executable data               Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt      Executable data               Killed
ubuntu-16.04.1-desktop-amd64.txt              Executable data               Killed
ubuntu-16.04.1-server-amd64.txt               Executable data               Killed
###
CentOS-7-x86_64-Everything-1511.txt           Executable heap               Killed
debian-8.6.0-amd64-CD-1.txt                   Executable heap               Killed
Fedora-Server-dvd-x86_64-24-1.2.txt           Executable heap               Killed
Fedora-Workstation-netinst-x86_64-24-1.2.txt  Executable heap               Killed
FreeBSD-10.3-RELEASE-amd64-dvd1.txt           Executable heap               Killed
FreeBSD-11.0-RC3-amd64-dvd1.txt               Executable heap               Killed
FreeBSD-9.3-RELEASE-amd64-dvd1.txt            Executable heap               Killed
HardenedBSD-11-STABLE-v46.5-amd64-disc1.txt   Executable heap               Killed
install60.txt                                 Executable heap               Killed
linuxmint-18-cinnamon-64bit.txt               Executable heap               Killed
openSUSE-Leap-42.1-DVD-x86_64.txt             Executable heap               Killed
SLE-12-SP1-Server-DVD-x86_64-GM-DVD1.txt      Executable heap               Killed
ubuntu-16.04.1-desktop-amd64.txt              Executable heap               Killed
ubuntu-16.04.1-server-amd64.txt               Executable heap               Killed

Re: getopt(3) in echo(1)

2016-10-02 Thread Alexander Hall
On September 30, 2016 5:16:57 PM GMT+02:00, Otto Moerbeek 
wrote:
>On Fri, Sep 30, 2016 at 04:47:33PM +0200, Paul de Weerd wrote:
>
>> On Fri, Sep 30, 2016 at 04:40:16PM +0200, Jan Stary wrote:
>> | echo.c says
>> |
>> |/* This utility may NOT do getopt(3) option parsing. */
>> |
>> | Why is that, for echo(1) specifically?
>> | Other binaries in /bin seem to use getopt(3) freely.
>>
>> Because echo should echo all arguments, including those that would
>> otherwise be parsed by getopt(3), except for '-n'.
>
>To be more specific: --
>
>See also http://pubs.opengroup.org/onlinepubs/9699919799/

Direct link to the pretty useless "definition", leaving lots of room for
various implementations, all fulfilling the specs.

http://pubs.opengroup.org/onlinepubs/9699919799/utilities/echo.html

/Alexander

>
>   -Otto
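As an added illustration of the point above (my own code, not OpenBSD's echo.c), here is the argument handling of an echo(1) that avoids getopt(3): the only option it recognises is a first argument that is exactly "-n"; "--", "-e" and a "-n" anywhere else are printed verbatim, which is precisely what getopt(3) would not allow. The helper names are mine.

```c
/*
 * Added example, not OpenBSD's echo.c: argument handling for an echo(1)
 * that deliberately avoids getopt(3).  The only option is a first
 * argument that is exactly "-n"; everything else, including "--", "-e"
 * or a later "-n", is output verbatim.  Handing argv to getopt(3) would
 * swallow or reorder exactly those arguments.
 */
#include <stdio.h>
#include <string.h>

/*
 * Write argv[1..argc-1] into buf the way echo(1) prints them: separated
 * by single spaces, followed by a newline unless "-n" led the arguments.
 * Returns the number of bytes produced, or -1 if buf is too small.
 */
int echo_render(int argc, char *const argv[], char *buf, size_t bufsz)
{
    int i = 1, newline = 1;
    size_t pos = 0;

    /* The one and only option check: argv[1] == "-n". */
    if (argc > 1 && strcmp(argv[1], "-n") == 0) {
        newline = 0;
        i = 2;
    }
    for (; i < argc; i++) {
        size_t len = strlen(argv[i]);
        /* room for the word, a separator or newline, and the NUL */
        if (pos + len + 2 > bufsz)
            return -1;
        memcpy(buf + pos, argv[i], len);
        pos += len;
        if (i + 1 < argc)
            buf[pos++] = ' ';
    }
    if (newline) {
        if (pos + 2 > bufsz)
            return -1;
        buf[pos++] = '\n';
    }
    buf[pos] = '\0';
    return (int)pos;
}

/* Convenience check: does a NULL-terminated argv render exactly as expected? */
int echo_matches(char *const argv[], const char *expected)
{
    char buf[256];
    int argc = 0;

    while (argv[argc] != NULL)
        argc++;
    if (echo_render(argc, argv, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(int argc, char *argv[])
{
    char buf[4096];

    if (echo_render(argc, argv, buf, sizeof buf) < 0)
        return 1;
    fputs(buf, stdout);
    return 0;
}
```

Built as-is, `./echo -n -- -e x` prints `-- -e x` with no trailing newline, and `./echo a -n` prints `a -n` followed by a newline; a getopt(3)-based loop would have consumed the `--` and complained about `-e`.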



Re: signify: write to stdout: Broken pipe

2016-10-02 Thread lvdd
Hi Alex,

On Sun, 2 Oct 2016 15:47:36 +0200
Alex Greif  wrote:

> I experienced the same. what I did:
> - install today's snapshot
> - sysmerge
> - pkg_add -nu ---> reported the problems
> - pkg_add -u sudo ---> reported problems but installed correctly
> anyway
> - reboot
> - pkg_add -nu ---> reported no problems
> - pkg_add -u ---> reported no problems
> 
> no clue what the problem was, but it is gone now.

thank you for your suggestion, but I don't have sudo installed on my
system. I am just using 'doas' with the default config file
from /etc/examples/.

$ pkg_info | grep sudo 
$ 

Thanks 
Lars



Re: signify: write to stdout: Broken pipe

2016-10-02 Thread Alex Greif
I experienced the same. What I did:
- install today's snapshot
- sysmerge
- pkg_add -nu ---> reported the problems
- pkg_add -u sudo ---> reported problems but installed correctly anyway
- reboot
- pkg_add -nu ---> reported no problems
- pkg_add -u ---> reported no problems

no clue what the problem was, but it is gone now.

Alex.


On Sun, Oct 02, 2016 at 02:53:34PM +0200, lvdd wrote:
> Hi misc,
> 
> On Sat, 01 Oct 2016 14:50:35 -0400
> "Joe Gidi"  wrote:
> 
> > And, as is so often the case, I figured out the problem right after
> > sending
> > that email. My old 'sudo' package was apparently not entirely
> > functional after
> > updating the base system. 'doas pkg_add -u' got me an
> > up-to-date 'sudo' which
> > is once again working properly.
> > 
> > Sheepish apologies for the noise...
> > 
> 
> sorry for hijacking this but I am seeing the same problem and
> 'sudo' is not involved in my case. 
> 
> I did a new installation of the -snapshot yesterday and after much
> trial and error I can reliably reproduce the issue with
> enabling/disabling dbus-session in my .xinitrc. 
> 
> I am running jwm and as soon as I enable the dbus session as described
> in the dbus pkg-readme I am seeing the errors reported. JWM
> configuration doesn't seem to be involved here (tried the stock
> configuration and my own). 
> Starting CWM with the same .xinitrc (dbus enabled or disabled) doesn't
> show the errors. Removing my .xinitrc entirely and starting the default
> FVWM doesn't show the issue either. As far as I understand dbus is
> started with the default FVWM session. The problem does also not appear
> on the tty. 
> 
> BTW: Even with those error messages new software is installed fine using
> pkg_add -vi
> 
> The combination of jwm with dbus has worked for almost 2 years now. I am
> somewhat puzzled and don't understand what jwm, dbus, pkg_add and
> signify have to do with each other.
> 
> Some input is highly appreciated
> 
> Thanks
> Lars
> 
> .xinitrc:
> --
> # ignore this darn LVDD port on the motherboard
> xrandr --output DP1 --off
> 
> 
> if [ -x /usr/local/bin/dbus-launch -a -z "${DBUS_SESSION_BUS_ADDRESS}" ]; then
>     eval `dbus-launch --sh-syntax --exit-with-session`
> fi
> 
> jwm
> #cwm
> 
> 
> $ doas rcctl ls started 
> cron
> messagebus
> ntpd
> pflogd
> smtpd
> sndiod
> sshd
> syslogd
> 
> 
> 
> dmesg:
> 
> OpenBSD 6.0-current (GENERIC.MP) #2511: Fri Sep 30 20:12:15 MDT 2016
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8440098816 (8049MB)
> avail mem = 8179810304 (7800MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec2f0 (67 entries)
> bios0: vendor American Megatrends Inc. version "0806" date 12/14/2015
> bios0: ASUS All Series
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT LPIT SSDT SSDT MCFG HPET SSDT SSDT BGRT
> acpi0: wakeup devices UAR1(S4) PXSX(S4) RP01(S4) PXSX(S4) PXSX(S4) RP03(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) GLAN(S4) EHC1(S4) EHC2(S4) XHC_(S4) HDEF(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.95 MHz
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.45 MHz
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 1 (application processor)
> cpu2: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.45 MHz
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 1, core 0, 

Re: OpenBSD 6.0 does not detect my USB ethernet interface

2016-10-02 Thread thrph.i...@gmail.com
I'm also a newbie, but I think there are no drivers for your device on
OpenBSD.

Maybe you can solve the problem with PPPoE:
http://man.openbsd.org/OpenBSD-current/man4/pppoe.4

Have a good day!
Raffaele

On Sun, 2 Oct 2016 08:15:31 + (UTC)
Farhad Benyamin  wrote:

> Hello, I installed OpenBSD 6.0 (GENERIC kernel) on an AMD64 machine. The
> system can't detect my USB ethernet interface, although the USB LED on the
> modem is lit up. I also had this problem on NetBSD 7.0.1: during
> installation it couldn't detect this interface, but I didn't try to solve it.
>
> I would be grateful for help solving this problem. I am a newbie.
>
> ==
>
> MODEM : Micronet ADSL2+ Modem Router, Model No. SP3361
>
> ### on OpenBSD  ###
>
> ***  ifconfig ***
>
> lo0: flags=8049 mtu 32768
>     index 2 priority 0 llprio 3
>     groups: lo
>     inet6 ::1 prefixlen 128
>     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>     inet 127.0.0.1 netmask 0xff00
> enc0: flags=0<>
>     index 1 priority 0 llprio 3
>     groups: enc
>     status: active
> pflog0: flags=141 mtu 33144
>     index 3 priority 0 llprio 3
>     groups: pflog
>
> *** dmesg | grep usb ***
>
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
> usb1 at ehci1: USB revision 2.0
> uhub1 at usb1 "ATI EHCI root hub" rev 2.00/1.00 addr 1
> usb2 at ohci0: USB revision 1.0
> uhub2 at usb2 "ATI OHCI root hub" rev 1.00/1.00 addr 1
> usb3 at ohci1: USB revision 1.0
> uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
> usb4 at ohci2: USB revision 1.0
> uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1
> usb5 at ohci3: USB revision 1.0
> uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1
> usb6 at ohci4: USB revision 1.0
> uhub6 at usb6 "ATI OHCI root hub" rev 1.00/1.00 addr 1
>
> *** dmesg | grep rndis ***
>
> urndis0 at uhub2 port 2 configuration 1 interface 0 "vendor 0x12a7 product
> 0x3160" rev 1.10/0.01 addr 2
> urndis0: using Vendor: interface alternate setting 0 failed
>
> ### on Debian 8 ###
>
> *** ifconfig ***
>
> eth1      Link encap:Ethernet  HWaddr (removed by me)
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> lo        Link encap:Local Loopback 
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>           RX packets:20 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1420 (1.3 KiB)  TX bytes:1420 (1.3 KiB)
>
> *** dmesg | grep usb ***
> (output is customized)
>
> [    1.962069] usb 3-2: new full-speed USB device number 2 using ohci-pci
> [    2.188927] usb 3-2: New USB device found, idVendor=12a7, idProduct=3160
> [    2.188969] usb 3-2: New USB device strings: Mfr=0, Product=0,
> SerialNumber=0
> [    7.228928] usbcore: registered new interface driver cdc_ether
> [   12.349310] rndis_host 3-2:1.0 eth0: register 'rndis_host' at
> usb-:00:12.0-2, RNDIS device, (MAC Addr, removed by me)
> [   12.349414] usbcore: registered new interface driver rndis_host
> [   12.379849] usbcore: registered new interface driver rndis_wlan
>
> *** dmesg | grep rndis ***
>
> [   12.349310] rndis_host 3-2:1.0 eth0: register 'rndis_host' at
> usb-:00:12.0-2, RNDIS device, (MAC Addr, removed by me)
> [   12.349414] usbcore: registered new interface driver rndis_host
> [   12.379849] usbcore: registered new interface driver rndis_wlan
>


--
thrph.i...@gmail.com 



Re: signify: write to stdout: Broken pipe

2016-10-02 Thread lvdd
Hi misc,

On Sat, 01 Oct 2016 14:50:35 -0400
"Joe Gidi"  wrote:

> And, as is so often the case, I figured out the problem right after
> sending
> that email. My old 'sudo' package was apparently not entirely
> functional after
> updating the base system. 'doas pkg_add -u' got me an
> up-to-date 'sudo' which
> is once again working properly.
> 
> Sheepish apologies for the noise...
> 

sorry for hijacking this but I am seeing the same problem and
'sudo' is not involved in my case. 

I did a new installation of the -snapshot yesterday and after much
trial and error I can reliably reproduce the issue with
enabling/disabling dbus-session in my .xinitrc. 

I am running jwm and as soon as I enable the dbus session as described
in the dbus pkg-readme I am seeing the errors reported. JWM
configuration doesn't seem to be involved here (tried the stock
configuration and my own). 
Starting CWM with the same .xinitrc (dbus enabled or disabled) doesn't
show the errors. Removing my .xinitrc entirely and starting the default
FVWM doesn't show the issue either. As far as I understand dbus is
started with the default FVWM session. The problem does also not appear
on the tty. 

BTW: Even with those error messages new software is installed fine using
pkg_add -vi

The combination of jwm with dbus has worked for almost 2 years now. I am
somewhat puzzled and don't understand what jwm, dbus, pkg_add and
signify have to do with each other.

Some input is highly appreciated

Thanks
Lars

.xinitrc:
--
# ignore this darn LVDD port on the motherboard
xrandr --output DP1 --off


if [ -x /usr/local/bin/dbus-launch -a -z "${DBUS_SESSION_BUS_ADDRESS}" ]; then
    eval `dbus-launch --sh-syntax --exit-with-session`
fi

jwm
#cwm


$ doas rcctl ls started 
cron
messagebus
ntpd
pflogd
smtpd
sndiod
sshd
syslogd



dmesg:

OpenBSD 6.0-current (GENERIC.MP) #2511: Fri Sep 30 20:12:15 MDT 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8440098816 (8049MB)
avail mem = 8179810304 (7800MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec2f0 (67 entries)
bios0: vendor American Megatrends Inc. version "0806" date 12/14/2015
bios0: ASUS All Series
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT LPIT SSDT SSDT MCFG HPET SSDT SSDT BGRT
acpi0: wakeup devices UAR1(S4) PXSX(S4) RP01(S4) PXSX(S4) PXSX(S4) RP03(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) GLAN(S4) EHC1(S4) EHC2(S4) XHC_(S4) HDEF(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.95 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.45 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.45 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.45 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins

OpenBSD 6.0 does not detect my USB ethernet interface

2016-10-02 Thread Farhad Benyamin
Hello, I installed OpenBSD 6.0 (GENERIC kernel) on an AMD64 machine. The system
can't detect my USB ethernet interface, although the USB LED on the modem is lit
up. I also had this problem on NetBSD 7.0.1: during installation it couldn't
detect this interface, but I didn't try to solve it.

I would be grateful for help solving this problem. I am a newbie.

==

MODEM : Micronet ADSL2+ Modem Router, Model No. SP3361

### on OpenBSD  ###

***  ifconfig ***

lo0: flags=8049 mtu 32768
    index 2 priority 0 llprio 3
    groups: lo
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff00
enc0: flags=0<>
    index 1 priority 0 llprio 3
    groups: enc
    status: active
pflog0: flags=141 mtu 33144
    index 3 priority 0 llprio 3
    groups: pflog

*** dmesg | grep usb ***

usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "ATI EHCI root hub" rev 2.00/1.00 addr 1
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb3 at ohci1: USB revision 1.0
uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci2: USB revision 1.0
uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb5 at ohci3: USB revision 1.0
uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb6 at ohci4: USB revision 1.0
uhub6 at usb6 "ATI OHCI root hub" rev 1.00/1.00 addr 1

*** dmesg | grep rndis ***

urndis0 at uhub2 port 2 configuration 1 interface 0 "vendor 0x12a7 product
0x3160" rev 1.10/0.01 addr 2
urndis0: using Vendor: interface alternate setting 0 failed

### on Debian 8 ###

*** ifconfig ***

eth1      Link encap:Ethernet  HWaddr (removed by me)
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1420 (1.3 KiB)  TX bytes:1420 (1.3 KiB)

*** dmesg | grep usb ***
(output is customized)

[    1.962069] usb 3-2: new full-speed USB device number 2 using ohci-pci
[    2.188927] usb 3-2: New USB device found, idVendor=12a7, idProduct=3160
[    2.188969] usb 3-2: New USB device strings: Mfr=0, Product=0,
SerialNumber=0
[    7.228928] usbcore: registered new interface driver cdc_ether
[   12.349310] rndis_host 3-2:1.0 eth0: register 'rndis_host' at
usb-:00:12.0-2, RNDIS device, (MAC Addr, removed by me)
[   12.349414] usbcore: registered new interface driver rndis_host
[   12.379849] usbcore: registered new interface driver rndis_wlan

*** dmesg | grep rndis ***

[   12.349310] rndis_host 3-2:1.0 eth0: register 'rndis_host' at
usb-:00:12.0-2, RNDIS device, (MAC Addr, removed by me)
[   12.349414] usbcore: registered new interface driver rndis_host
[   12.379849] usbcore: registered new interface driver rndis_wlan



Re: Looking for DMVPN implementation

2016-10-02 Thread Remi Locherer
On Sat, Oct 01, 2016 at 10:44:02PM +, Jens Sauer wrote:
> Hi OpenBSD community,
> 
> I'm looking for an OpenSource implementation of DMVPN (Dynamic Multipoint 
> Virtual Private Network).
> 
> Currently I just found the draft (from 2013):
> https://tools.ietf.org/html/draft-detienne-dmvpn-00
> 
> Coming from Cisco, I would be pleased to see it under OpenBSD.
> http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf
> 
> I hope I can get advice on how to implement (use) it under OpenBSD.

OpenBSD does not have support for mGRE and NHRP.

If you don't have hundreds of sites to connect, you could set up tunnels
(gif or gre), protect them with ipsec and run a routing protocol over
that. It scales best if you automate it (I use ansible for this).

Remi



Re: Unexpected behavior in su/doas

2016-10-02 Thread Lampshade
> > This is just one mechanism on tty, there are others.  On other
> > descriptors there are other abilities.
> > 
> 
> Would you mind explaining this a little bit. I don't really mean the
> sudo/doas part.
> 
> How to do operations without retaining access to a tty?
>
> What other descriptors?

Example:
If you have a file descriptor to a directory outside the chroot
and you are the root user, you can escape the chroot.

https://filippo.io/escaping-a-chroot-jail-slash-1/



Re: Unexpected behavior in su/doas

2016-10-02 Thread Philip Guenther
On Sun, Oct 2, 2016 at 12:35 AM, Otto Moerbeek  wrote:
> On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:
>
>> On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
>> > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
>> > remain the same.
>> >
>> > De-escalation using these "sudo" or "doas" like tools on a tty is
>> > somewhat unsafe - it has always been unsafe - because tty's have
>> > capabilities.
>> >
>> > If you wish to be safer, do these operations without retaining access
>> > to a tty.
>> >
>> > Escalation on the other hand (user -> root) is different, because then
>> > it is clear you want to do more / everything.  But de-escalation is a
>> > joke.
>> >
>> > This is just one mechanism on tty, there are others.  On other
>> > descriptors there are other abilities.
>> >
>>
>> Would you mind explaining this a little bit. I don't really mean the
>> sudo/doas part.
>>
>> How to do operations without retaining access to a tty?
>>
>> What other descriptors?
>
> Well, a lot of things are possible using descriptors. Descriptors can
> refer to files, devices, sockets to name a few. So if you have an open
> descriptor to any of them...

...and it's not just actual file descriptors that provide privileged
access: even if a process closes all fds for its controlling tty, it
remains the process's controlling tty and can still be reopened via
/dev/tty.  Similarly, simply being in the same session gives a process
additional rights that it wouldn't have otherwise, such as being able
to use tcsetpgrp() and see your login name via getlogin()...


Philip Guenther



Re: Unexpected behavior in su/doas

2016-10-02 Thread Otto Moerbeek
On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:

> On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
> > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
> > remain the same.
> > 
> > De-escalation using these "sudo" or "doas" like tools on a tty is
> > somewhat unsafe - it has always been unsafe - because tty's have
> > capabilities.
> > 
> > If you wish to be safer, do these operations without retaining access
> > to a tty.
> > 
> > Escalation on the other hand (user -> root) is different, because then
> > it is clear you want to do more / everything.  But de-escalation is a
> > joke.
> > 
> > This is just one mechanism on tty, there are others.  On other
> > descriptors there are other abilities.
> > 
> 
> Would you mind explaining this a little bit. I don't really mean the
> sudo/doas part.
> 
> How to do operations without retaining access to a tty?
>
> What other descriptors?

Well, a lot of things are possible using descriptors. Descriptors can
refer to files, devices, sockets to name a few. So if you have an open
descriptor to any of them...

> 
> And, I would especially appreciate any areas in src that could more
> fully give me an understanding of this. Studying code has to be
> essential to get this.

e.g. login(1), cron(8), daemon(3) and setsid(2) and friends.

-Otto



Re: Unexpected behavior in su/doas

2016-10-02 Thread Otto Moerbeek
On Sun, Oct 02, 2016 at 07:10:12AM +0200, Sebastien Marie wrote:

> On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:
> > On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
> > > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
> > > remain the same.
> > > 
> > > De-escalation using these "sudo" or "doas" like tools on a tty is
> > > somewhat unsafe - it has always been unsafe - because tty's have
> > > capabilities.
> > > 
> > > If you wish to be safer, do these operations without retaining access
> > > to a tty.
> > > 
> > > Escalation on the other hand (user -> root) is different, because then
> > > it is clear you want to do more / everything.  But de-escalation is a
> > > joke.
> > > 
> > > This is just one mechanism on tty, there are others.  On other
> > > descriptors there are other abilities.
> > > 
> > 
> > Would you mind explaining this a little bit. I don't really mean the
> > sudo/doas part.
> > 
> > How to do operations without retaining access to a tty?
> > What other descriptors?
> > 
> > And, I would especially appreciate any areas in src that could more
> > fully give me an understanding of this. Studying code has to be
> > essential to get this.
> > 
> 
> there is a recent thread on oss-security about the specific problem of
> sharing a tty:
> http://openwall.com/lists/oss-security/2016/09/25/1
> 
> or some more ancient stuff (same problem): 
> http://www.openwall.com/lists/oss-security/2011/12/20/2
> 
> when using doas/sudo you share a tty.
> 
> # tty
> /dev/ttypa
> # doas -u user -s
> $ tty
> /dev/ttypa
> 
> so at a moment, user has access to the tty device that root will use
> later.
> 
> for example, user is able to push chars into the tty buffer, log out, and
> let the root process eat the controlled input.
> 
> an alternative way (and more secure in this context) is to use ssh(1). But
> note it needs additional configuration. ssh(1) will allocate a new
> pty(4) device for the user.
> 
> # tty
> /dev/ttypa
> # ssh user@localhost
> Last login: ...
> OpenBSD 6.0-current ...
> ...
> 
> $ tty
> /dev/ttypb
> 
> Regards.
> -- 
> Sebastien Marie

Alternatively, you can run a command as a specific user without a tty
using batch(1) or at(1).

# echo su otto -c "id; tty" | batch

The command will be executed without a controlling tty. Output will be
reported by mail.

-Otto
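Pulling the thread's advice together (Theo's "do these operations without retaining access to a tty", Philip's note that /dev/tty can be reopened as long as the process stays in the session, and Otto's pointers to setsid(2) and batch(1)), here is an added example that is my own code, not code from the thread or from OpenBSD: a C program that runs a command in a child which first leaves the session with setsid(2) and points descriptors 0-2 at /dev/null, plus a self-check that open("/dev/tty") then fails in the child. All function names are mine. It does not switch users, so it complements doas(1)/su(1) rather than replacing them.

```c
/*
 * Added example, not code from this thread or from OpenBSD: run a
 * command in a child that has given up its controlling terminal.
 *
 * Two things are needed, and both are shown:
 *   1. setsid(2): the child starts a new session with no controlling
 *      tty, so a later open("/dev/tty") fails (ENXIO) even though the
 *      parent's terminal is still open on descriptors 0-2.
 *   2. replace descriptors 0-2 with /dev/null so no tty descriptor is
 *      inherited across the exec at all.
 * Closing 0-2 alone is not enough: without setsid(2) the child remains
 * in the session and can reopen /dev/tty.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the calling process can still reach a controlling tty via /dev/tty. */
int have_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);

    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Point stdin/stdout/stderr at /dev/null; 0 on success, -1 on failure. */
static int stdio_to_devnull(void)
{
    int fd = open("/dev/null", O_RDWR);

    if (fd < 0)
        return -1;
    if (dup2(fd, STDIN_FILENO) < 0 || dup2(fd, STDOUT_FILENO) < 0 ||
        dup2(fd, STDERR_FILENO) < 0) {
        close(fd);
        return -1;
    }
    if (fd > STDERR_FILENO)
        close(fd);
    return 0;
}

/*
 * Fork, detach the child from the session and the tty, then exec argv.
 * Returns the child's exit status, or -1 if it could not be run or waited
 * for.  Status 126 marks a failed setsid()/redirect, 127 a failed exec.
 */
int run_without_tty(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0 || stdio_to_devnull() < 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: after setsid(2) the child must not be able to open /dev/tty. */
int detached_child_has_no_tty(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)
            _exit(2);
        _exit(have_controlling_tty() ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    /* The shell's own test shows the child sees no tty on stdin. */
    char *const argv[] = { "sh", "-c", "[ -t 0 ] || exit 7", NULL };

    printf("parent can open /dev/tty: %d\n", have_controlling_tty());
    printf("detached child cannot open /dev/tty: %d\n", detached_child_has_no_tty());
    printf("child exit status (7 = no tty on stdin): %d\n", run_without_tty(argv));
    return 0;
}
```

Run from an interactive shell, the first line prints 1 and the other two print 1 and 7: the parent still owns the terminal, the detached child cannot reopen it, and the command it ran saw /dev/null rather than the tty. This is the same separation that batch(1) or at(1) give you by routing the job through cron, only done in-process.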