Re: Three questions about login classes: Use for setting up memory quotas, and do they have anything to do with escalated privileges?
On 2017-02-03 15:04, Tinker wrote:
> Hi, Three questions below about login classes, on the themes of what's a

One more question:

QUESTION 4:
I see there's a unix group by the name "staff" too. What is its function, does it imply any privileges?

(Presuming I would be using the "staff" login class for my users a, b, c, in the first place,) there is *no* reason for me to attribute those users to the "staff" unix group also, right, so if I want them to be able to "su" I should add them to the "wheel" group (and NOT to the "staff" group) and otherwise i just keep them away from both the "staff" and "wheel" groups, right?

(Similar questions to this thread were discussed here http://daemonforums.org/showthread.php?t=3807 .)

Tinker
Three questions about login classes: Use for setting up memory quotas, and do they have anything to do with escalated privileges?
Hi,

Three questions below about login classes, on the themes of what's a sensible way to work with them and how they relate to user privilege escalation (not at all I hope).

WHAT I'M TRYING TO DO:
I am going to run some processes that have higher memory and file descriptor quota requirements than the other processes that OpenBSD runs otherwise.

I will have some designated user accounts for those processes to run in (user accounts a, b and c, all non-root), so I can as well have the quotas associated with those user accounts -

My idea is that OpenBSD's pre-installed services have optimal settings already, so I shouldn't alter any of their settings, but instead, I better associate my separate memory and descriptor quotas which are especially designated for those particular activities that I am up to, to those user accounts I designated for my activities (a, b, c).

(Also I like those users to have a particular default umask for all files they create.)

QUESTION 1:
Looking for a "best practice" way of doing this, it is quite clear from the documentation that I should attribute those special quotas to a login class that I have and that is designated for my activities, and then assign those users (a, b, c) to that login class.

I got it right, right?

QUESTION 2:
To understand the ramifications of the login class concept:

(As long as no one flips on the "wheel" option for any login class,) a user's login class belonging *DOES NOT* imply any particular user privileges of any kind, right?

And in particular, the "staff" login group does not imply any particular significant privileges, right? (I see that it has an ":ignorenologin" setting, that would be all. So no particular OS call abilities, and no particular admin-like privileges.)

QUESTION 3:
Looking in /etc/master.passwd at what login class belonging present users have,

 * "root" belongs to the "daemon" login class,
 * "_pbuild" belongs to the "pbuild" login class,
 * "unbound" belongs to the "unbound" login class,
 * and all other users that are pre-setup at OS install time either belong to the "daemon" login class or to no login class at all, which is interpreted as belonging to the "default" login class.

This means we have one login class predefined by OpenBSD at installation time namely the "staff" login class, which has no member users at OS install time.

This means that I can use the "staff" login class for anything I want - it's even proper to say that the "staff" login class is really well suited for my use case as it already exists so why create a new one, right?

So, all in all, do you think it makes sense for me to add the extra memory and file descriptor quotas and umask rules to the "staff" login class and attribute my users to it, or should I create a new login class e.g. a class "high_resource_users"?

Thanks,
Tinker
httpd rewrite
Hello guys,

I try to move from nginx to httpd. But I have a problem with rewrite. I try to use this nginx-rule:

    rewrite ^/Microsoft-Server-ActiveSync?(.*)$ /tine20/index.php?frontend=activesync$1;

with httpd:

    location "/Microsoft-Server-ActiveSync" {
        block return 302 "/tine20/index.php?frontend=activesync$QUERY_STRING"
    }

The redirect seems to work - but no auth takes place. Is it generally possible what I try to do? And if yes - what I'm missing?

The output looks not bad at a first glance:

    webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:01 +0100] "POST /Microsoft-Server-ActiveSync?Cmd=Sync%26User=USER%26DeviceId=DEVICEID%26DeviceType=SAMSUNGSMG930F HTTP/1.1" 302 0
    server webtest.local, client 64 (3 active), 192.168.176.12:60819 -> 192.168.177.100:443, /tine20/index.php?frontend=activesyncCmd=Sync%26User=USER%26DeviceId=DEVICEID%26DeviceType=SAMSUNGSMG930F (302 Found)
    webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:02 +0100] "GET /tine20/index.php?frontend=activesyncCmd=Sync%2526User=USER%2526DeviceId=DEVICEID%2526DeviceType=SAMSUNGSMG930F HTTP/1.1" 200 0

Thanks in advance.
Uwe
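Decoding the request targets from the two access-log entries above shows what the application behind the redirect actually receives. This is an added example, not part of the original post; INTENDED is an assumption about the target the nginx rule is meant to produce, and the function names are made up for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two access-log entries from the post above.
LOG = [
    'webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:01 +0100] '
    '"POST /Microsoft-Server-ActiveSync?Cmd=Sync%26User=USER%26DeviceId=DEVICEID'
    '%26DeviceType=SAMSUNGSMG930F HTTP/1.1" 302 0',
    'webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:02 +0100] '
    '"GET /tine20/index.php?frontend=activesyncCmd=Sync%2526User=USER'
    '%2526DeviceId=DEVICEID%2526DeviceType=SAMSUNGSMG930F HTTP/1.1" 200 0',
]
# Assumption (constructed here): the target the nginx rule is meant to
# produce, with the original arguments as separate parameters.
INTENDED = ("/tine20/index.php?frontend=activesync&Cmd=Sync&User=USER"
            "&DeviceId=DEVICEID&DeviceType=SAMSUNGSMG930F")

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b')

def parse_entry(line):
    """Return (method, request target, status) from one access-log line."""
    m = REQUEST.search(line)
    if m is None:
        raise ValueError(f"no request found in log line: {line!r}")
    return m["method"], m["target"], int(m["status"])

def backend_params(target):
    """Query parameters after one round of URL decoding."""
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def compare(log=LOG, intended=INTENDED):
    """Differences between the request that followed the 302 and INTENDED."""
    first_method = parse_entry(log[0])[0]
    method, target, _ = parse_entry(log[1])
    got, want = backend_params(target), backend_params(intended)
    findings = []
    if method != first_method:
        findings.append(f"method changed from {first_method} to {method} after the 302")
    for key in sorted(want):
        if got.get(key) != want[key]:
            findings.append(f"{key}: want {want[key]!r}, got {got.get(key)!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare()))
```

In the logged follow-up request the whole original query string ends up inside the value of `frontend`, with `%26` re-encoded as `%2526`, and the request arrives as a GET rather than a POST.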
Re: IPSEC from behind NAT stage 2 failure
On 2016-12-06 12:05, Robert Szasz wrote:
> I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to tunnel in to our office network. I'm testing with the following setup
>
> Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)

Windows needs a registry entry set for L2TP and IPSEC to work properly with NAT. Seems to apply whether it is the server or client or both behind NAT.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
    "AssumeUDPEncapsulationContextOnSendRule"=dword:0002

https://support.microsoft.com/en-au/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows-vista-and-in-windows-server-2008

-Phil
Re: -current installer error
Sorry, sloppy fingers' fault. It is sd0.

On Thu, Feb 2, 2017 at 10:11 PM, Jiri B wrote:
> On Thu, Feb 02, 2017 at 09:28:14PM +, Pedro Caetano wrote:
> > Hi misc@
> >
> > Today while upgrading a few vms i noticed an error while auto_upgrade was
> > running.
> > Release build from today sources on amd64 arch.
> > This does not impact upgrade of the system.
> >
> >
> > # more /tmp/ai/ai.log
> > Choose your keyboard layout ('?' or 'L' for list) [default] default
> > Available disks are: sd0.
> > Which disk is the root disk? ('?' for details) [sd0] sr0
>
> 'sr0' ? really?
>
> > Checking root filesystem (fsck -fp /dev/sd0a /mnt)...OK
> > Mounting root filesystem (mount -o ro /dev/sd0a /mnt)...OK.
> > Force checking of clean non-root filesystems? [no] no
> > dd: /mnt/var/db/host.random: No such file or directory
> > /dev/sd0a (17f9850d83e601df.a) on /mnt type ffs (rw, local, wxallowed)
>
> j.
Re: -current installer error
On Thu, Feb 02, 2017 at 09:28:14PM +, Pedro Caetano wrote:
> Hi misc@
>
> Today while upgrading a few vms i noticed an error while auto_upgrade was
> running.
> Release build from today sources on amd64 arch.
> This does not impact upgrade of the system.
>
>
> # more /tmp/ai/ai.log
> Choose your keyboard layout ('?' or 'L' for list) [default] default
> Available disks are: sd0.
> Which disk is the root disk? ('?' for details) [sd0] sr0

'sr0' ? really?

> Checking root filesystem (fsck -fp /dev/sd0a /mnt)...OK
> Mounting root filesystem (mount -o ro /dev/sd0a /mnt)...OK.
> Force checking of clean non-root filesystems? [no] no
> dd: /mnt/var/db/host.random: No such file or directory
> /dev/sd0a (17f9850d83e601df.a) on /mnt type ffs (rw, local, wxallowed)

j.
-current installer error
Hi misc@

Today while upgrading a few vms i noticed an error while auto_upgrade was running.
Release build from today sources on amd64 arch.
This does not impact upgrade of the system.

# more /tmp/ai/ai.log
Choose your keyboard layout ('?' or 'L' for list) [default] default
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sr0
Checking root filesystem (fsck -fp /dev/sd0a /mnt)...OK
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)...OK.
Force checking of clean non-root filesystems? [no] no
dd: /mnt/var/db/host.random: No such file or directory
/dev/sd0a (17f9850d83e601df.a) on /mnt type ffs (rw, local, wxallowed)

Cheers,
Pedro Caetano
disable touchpad while leave trackpoint on
Hi,

In output from xinput I have one pointing device and it is wsmouse

$ xinput
⎡ Virtual core pointer                id=2  [master pointer (3)]
⎜   ↳ Virtual core XTEST pointer      id=4  [slave pointer (2)]
⎜   ↳ /dev/wsmouse                    id=7  [slave pointer (2)]
    Reporting 3 classes:
        Class originated from: 7. Type: XIButtonClass
        Buttons supported: 7
        Button labels: "Button Left" "Button Middle" "Button Right" None None None None
        Button state:
        Class originated from: 7. Type: XIValuatorClass
        Detail for Valuator 0:
          Label: Rel X
          Range: -1.00 - -1.00
          Resolution: 1 units/m
          Mode: relative
        Class originated from: 7. Type: XIValuatorClass
        Detail for Valuator 1:
          Label: Rel Y
          Range: -1.00 - -1.00
          Resolution: 1 units/m
          Mode: relative

but both trackpoint and touchpad work. I'd like to switch the touchpad off; is there a way to do it while keeping trackpoint enabled? I do not have bios option for disabling either. My laptop is hp 8470p.

many thanks,
-- P
Re: init: can't open /dev/console: Device not configured.
On 2017-01-31 22:59, Jiri B wrote:
> Try booting bsd.rd from boot loader, then mount your root filesystem at /mnt and inspect /mnt/etc/boot.conf.
> For desktop you generally don't need this file at all.

Thank you for replying.

I booted on my USB key with:

    boot hd1a:/bsd

Then, when asked, I pressed the S key to have a shell. I mounted the root filesystem of wd0a with:

    mount /dev/wd0a /mnt

But there is no /mnt/etc/boot.conf.

What is the file you are talking about when you say: "For desktop you generally don't need this file at all."
Re: sendsyslog: dropped 4 messages, error 55
I agree I don't give much information. I have no idea what information to give.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Marcus MERIGHI
Sent: Tuesday, January 31, 2017 3:13 AM
To: Peter Fraser
Cc: 'misc@openbsd.org'
Subject: Re: sendsyslog: dropped 4 messages, error 55

p...@thinkage.ca (Peter Fraser), 2017.01.30 (Mon) 18:17 (CET):
> My /var/log/messages is filling up with messages like the following:
>
> Jan 30 10:28:06 gateway sendsyslog: dropped 4 messages, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 1 message, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
> Jan 30 10:28:06 gateway last message repeated 2 times
> Jan 30 10:28:06 gateway sendsyslog: dropped 4 messages, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
> Jan 30 10:28:06 gateway last message repeated 2 times
> Jan 30 10:28:06 gateway sendsyslog: dropped 1 message, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 1 message, error 55
>
> The messages occur in bursts with several hundred messages per burst,
> and there may be several seconds or hours between the bursts.
>
> I am quite willing to believe that I have done something stupid, but I
> have no idea what.
> Any hints to find out what is generating these messages.

src/lib/libc/gen/syslog_r.c, 188:
     * If the sendsyslog() fails, it means that syslogd
     * is not running or the kernel ran out of buffers.

sendsyslog(2)
RETURN VALUES
     Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.

errno(2)
     55 ENOBUFS No buffer space available. An operation on a socket or pipe was not performed because the system lacked sufficient buffer space or because a queue was full.

But I can't tell you why your kernel is running out of buffers. You did not give much information...

Marcus
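One way to measure how many log messages each burst lost, from the sendsyslog records quoted in this thread. This is an added example, not part of the thread; the last sample record, the year and the five-second burst gap are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# The first six records are from the post above; the last one is
# constructed here to show a second burst.
SAMPLE = """\
Jan 30 10:28:06 gateway sendsyslog: dropped 4 messages, error 55
Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
Jan 30 10:28:06 gateway sendsyslog: dropped 1 message, error 55
Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
Jan 30 10:28:06 gateway last message repeated 2 times
Jan 30 11:02:41 gateway sendsyslog: dropped 3 messages, error 55
"""
# errno name as quoted from errno(2) in the reply above.
ERRNO_NAMES = {55: "ENOBUFS"}
STAMP = r"^(\w{3} +\d+ [\d:]{8}) \S+ "
DROPPED = re.compile(STAMP + r"sendsyslog: dropped (\d+) messages?, error (\d+)$")
REPEAT = re.compile(STAMP + r"last message repeated (\d+) times?$")

def bursts(text, year=2017, gap=timedelta(seconds=5)):
    """Group drop records into bursts separated by more than `gap`.

    syslog timestamps carry no year, so `year` is supplied (assumption).
    """
    out, last = [], None  # last = (count, errno) of the preceding drop record
    for line in text.splitlines():
        dropped, repeat = DROPPED.match(line), REPEAT.match(line)
        if dropped:
            last = (int(dropped[2]), int(dropped[3]))
            stamp, count = dropped[1], last[0]
        elif repeat and last:
            # syslogd folds identical consecutive lines into this record
            stamp, count = repeat[1], last[0] * int(repeat[2])
        else:
            last = None  # unrelated line: a later "repeated" is not a drop
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if not out or when - out[-1]["end"] > gap:
            out.append({"start": when, "end": when, "dropped": 0, "errors": set()})
        out[-1]["end"] = when
        out[-1]["dropped"] += count
        out[-1]["errors"].add(ERRNO_NAMES.get(last[1], f"errno {last[1]}"))
    return out

if __name__ == "__main__":
    for b in bursts(SAMPLE):
        print(b["start"], b["dropped"], sorted(b["errors"]))
```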
relayd.conf http headers from file
Hi List,

Is it possible with relayd to match HTTP headers key and value from a file? I want to store JWT authorisation tokens in a file.

    Pass request header "Authorize" value "123456" #works

Once I start adding the file option things get confusing. Manual mentions we can only read keys from external files. Not the header values. Very confusing.

Any clues?

Gr.FH
Re: Unable to install OpenBSD 6.0 to HP Probook 4540s in UEFi mode
https://lists.freebsd.org/pipermail/freebsd-bugs/2016-September/069781.html

On Mon, Jan 23, 2017 at 4:14 PM, dmitry.sensei wrote:
> This is very similar?
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194063
>
> On Mon, Jan 23, 2017 at 2:42 PM, dmitry.sensei wrote:
>> (CentOS 7)
>> lspci -v
>> 00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor
>> Family DRAM Controller (rev 09)
>>     Subsystem: Hewlett-Packard Company Device 17f6
>>     Flags: bus master, fast devsel, latency 0
>>     Capabilities: [e0] Vendor Specific Information: Len=0c
>>
>> 00:02.0 VGA compatible controller: Intel Corporation 2nd Generation
>> Core Processor Family Integrated Graphics Controller (rev 09) (prog-if
>> 00 [VGA controller])
>>     Subsystem: Hewlett-Packard Company Device 17f6
>>     Flags: bus master, fast devsel, latency 0, IRQ 31
>>     Memory at c000 (64-bit, non-prefetchable) [size=4M]
>>     Memory at b000 (64-bit, prefetchable) [size=256M]
>>     I/O ports at 3000 [size=64]
>>     Expansion ROM at [disabled]
>>     Capabilities: [90] MSI: Enable+ Count=1/1 Maskable- 64bit-
>>     Capabilities: [d0] Power Management version 2
>>     Capabilities: [a4] PCI Advanced Features
>>     Kernel driver in use: i915
>>     Kernel modules: i915
>>
>> 00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset
>> Family USB xHCI Host Controller (rev 04) (prog-if 30 [XHCI])
>>     Subsystem: Hewlett-Packard Company Device 17f6
>>     Flags: bus master, medium devsel, latency 0, IRQ 28
>>     Memory at c090 (64-bit, non-prefetchable) [size=64K]
>>     Capabilities: [70] Power Management version 2
>>     Capabilities: [80] MSI: Enable+ Count=1/8 Maskable- 64bit+
>>     Kernel driver in use: xhci_hcd
>>
>> 00:16.0 Communication controller: Intel Corporation 7 Series/C216
>> Chipset Family MEI Controller #1 (rev 04)
>>     Subsystem: Hewlett-Packard Company Device 17f6
>>     Flags: bus master, fast devsel, latency 0, IRQ 32
>>     Memory at c0914000 (64-bit, non-prefetchable) [size=16]
>>     Capabilities: [50] Power Management version 3
>>     Capabilities: [8c] MSI: Enable+ Count=1/1 Maskable- 64bit+
>>     Kernel driver in use: mei_me
>>     Kernel modules: mei_me
>>
>> 00:1a.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family
>> USB Enhanced Host Controller #2 (rev 04) (prog-if 20 [EHCI])
>>     Subsystem: Hewlett-Packard Company Device 17f6
>>     Flags: bus master, medium devsel, latency 0, IRQ 16
>>     Memory at c0919000 (32-bit, non-prefetchable) [size=1K]
>>     Capabilities: [50] Power Management version 2
>>     Capabilities: [58] Debug port: BAR=1 offset=00a0
>>     Capabilities: [98] PCI Advanced Features
>>     Kernel driver in use: ehci-pci
>>
>> 00:1b.0 Audio device: Intel Corporation 7 Series/C216 Chipset Family
>> High Definition Audio Controller (rev 04)
>>     Subsystem: Hewlett-Packard Company Device 17f6
>>     Flags: bus master, fast devsel, latency 0, IRQ 33
>>     Memory at c091 (64-bit, non-prefetchable) [size=16K]
>>     Capabilities: [50] Power Management version 2
>>     Capabilities: [60] MSI: Enable+ Count=1/1 Maskable- 64bit+
>>     Capabilities: [70] Express Root Complex Integrated Endpoint, MSI 00
>>     Capabilities: [100] Virtual Channel
>>     Capabilities: [130] Root Complex Link
>>     Kernel driver in use: snd_hda_intel
>>     Kernel modules: snd_hda_intel
>>
>> 00:1c.0 PCI bridge: Intel Corporation 7 Series/C216 Chipset Family PCI
>> Express Root Port 1 (rev c4) (prog-if 00 [Normal decode])
>>     Flags: bus master, fast devsel, latency 0, IRQ 24
>>     Bus: primary=00, secondary=01, subordinate=01, sec-latency=0
>>     Memory behind bridge: c080-c08f
>>     Capabilities: [40] Express Root Port (Slot+), MSI 00
>>     Capabilities: [80] MSI: Enable+ Count=1/1 Maskable- 64bit-
>>     Capabilities: [90] Subsystem: Hewlett-Packard Company Device 17f6
>>     Capabilities: [a0] Power Management version 2
>>     Kernel driver in use: pcieport
>>     Kernel modules: shpchp
>>
>> 00:1c.2 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset
>> Family PCI Express Root Port 3 (rev c4) (prog-if 00 [Normal decode])
>>     Flags: bus master, fast devsel, latency 0, IRQ 25
>>     Bus: primary=00, secondary=02, subordinate=02, sec-latency=0
>>     Memory behind bridge: c070-c07f
>>     Capabilities: [40] Express Root Port (Slot+), MSI 00
>>     Capabilities: [80] MSI: Enable+ Count=1/1 Maskable- 64bit-
>>     Capabilities: [90] Subsystem: Hewlett-Packard Company Device 17f6
>>     Capabilities: [a0] Power Management version 2
>>     Kernel driver in use: pcieport
>>     Kernel modules: shpchp
>>
>> 00:1c.3 PCI bridge: Intel Corporation 7 Series/C216 Chipset Family PCI
>> Express Root Port 4 (rev c4) (prog-if 00 [Normal decode])
>>     Flags: bus master, fast devsel, latency 0, IRQ 26
>>     Bus: primary=00, secondary=03, subordinate=03, sec-latency=0
>>     Memory