Re: Three questions about login classes: Use for setting up memory quotas, and do they have anything to do with escalated privileges?

2017-02-02 Thread Tinker

On 2017-02-03 15:04, Tinker wrote:

Hi,

Three questions below about login classes, on the themes of what's a


One more question:


QUESTION 4:

I see there's a unix group by the name "staff" too.

What is its function? Does it imply any privileges?


(Presuming I would be using the "staff" login class for my users a, b, c 
in the first place,) there is *no* reason for me to attribute those 
users to the "staff" unix group also, right, so if I want them to be 
able to "su" I should add them to the "wheel" group (and NOT to the 
"staff" group) and otherwise I just keep them away from both the "staff" 
and "wheel" groups, right?



(Similar questions to this thread were discussed here 
http://daemonforums.org/showthread.php?t=3807 .)


Tinker



Three questions about login classes: Use for setting up memory quotas, and do they have anything to do with escalated privileges?

2017-02-02 Thread Tinker

Hi,

Three questions below about login classes, on the themes of what's a 
sensible way to work with them and how they relate to user privilege 
escalation (not at all I hope).



WHAT I'M TRYING TO DO:
I am going to run some processes that have higher memory and file 
descriptor quota requirements than the other processes that OpenBSD runs 
otherwise.


I will have some designated user accounts for those processes to run in 
(user accounts a, b and c, all non-root), so I can as well have the 
quotas associated with those user accounts -


My idea is that OpenBSD's pre-installed services have optimal settings 
already, so I shouldn't alter any of their settings, but instead, I 
better associate my separate memory and descriptor quotas which are 
especially designated for those particular activities that I am up to, 
to those user accounts I designated for my activities (a, b, c).


(Also I like those users to have a particular default umask for all 
files they create.)



QUESTION 1:
Looking for a "best practice" way of doing this, it is quite clear from 
the documentation that I should attribute those special quotas to a 
login class that I have and that is designated for my activities, and 
then assign those users (a, b, c) to that login class.


I got it right, right?


QUESTION 2:
To understand the ramifications of the login class concept:

(As long as no one flips on the "wheel" option for any login class,) a 
user's login class belonging *DOES NOT* imply any particular user 
privileges of any kind, right?


And in particular, the "staff" login group does not imply any particular 
significant privileges, right?


(I see that it has an ":ignorenologin" setting, that would be all. So no 
particular OS call abilities, and no particular admin-like privileges.)



QUESTION 3:
Looking in /etc/master.passwd at what login class belonging present 
users have,


 * "root" belongs to the "daemon" login class,

 * "_pbuild" belongs to the "pbuild" login class, "unbound" belongs to 
the "unbound" login class,


 * and all other users that are pre-setup at OS install time either 
belong to the "daemon" login class or to no login class at all, which is 
interpreted as belonging to the "default" login class.


This means we have one login class predefined by OpenBSD at installation 
time namely the "staff" login class, which has no member users at OS 
install time.


This means that I can use the "staff" login class for anything I want - 
it's even proper to say that the "staff" login class is really well 
suited for my use case as it already exists so why create a new one, 
right?



So, all in all, do you think it makes sense for me to add the extra 
memory and file descriptor quotas and umask rules to the "staff" login 
class and attribute my users to it, or should I create a new login class 
e.g. a class "high_resource_users"?



Thanks,
Tinker
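Both the QUESTION 1 procedure (a dedicated class carrying the quotas and umask, with the users attached to it) and QUESTION 4 in the follow-up (group membership, not the login class, is what governs su) can be shown in one script. This is an added example, not code from the thread or from OpenBSD's stock login.conf: the class name high_resource_users is the one proposed in the post, the limit values are constructed for illustration, the helper names make_login_class, get_login_class and class_is_plain are my own, and the capability names datasize, openfiles, umask, tc and ignorenologin are those documented in login.conf(5).

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD itself.
# Builds a login.conf(5) stanza for a dedicated login class that carries
# only resource limits and a umask, and checks that a stanza sets nothing
# beyond that. Class name "high_resource_users" is the poster's suggestion;
# the limit values are constructed for illustration.

# Emit a termcap-style stanza for /etc/login.conf.
# $1 class name, $2 data segment limit (e.g. 2048M), $3 open-file limit,
# $4 octal umask (keep the leading 0, as login.conf(5) asks).
# ":tc=default:" inherits every capability not set here from "default".
make_login_class() {
    class=$1; datasize=$2; openfiles=$3; umask_val=$4
    printf '%s:\\\n' "$class"
    printf '\t:datasize-cur=%s:\\\n' "$datasize"
    printf '\t:datasize-max=%s:\\\n' "$datasize"
    printf '\t:openfiles-cur=%s:\\\n' "$openfiles"
    printf '\t:openfiles-max=%s:\\\n' "$openfiles"
    printf '\t:umask=%s:\\\n' "$umask_val"
    printf '\t:tc=default:\n'
}

# Print the stanza for class $2 from file $1 (nothing if absent): from the
# "class:" line up to the first line without a trailing backslash.
get_login_class() {
    awk -v c="$2" '
        $0 ~ ("^" c ":") { inside = 1 }
        inside { print; if ($0 !~ /\\$/) exit }
    ' "$1"
}

# Return 0 if class $2 exists in file $1 and sets only resource limits and
# a umask. Anything else (e.g. ignorenologin, which the stock "staff" class
# sets, or the wheel-related options) changes login behaviour and is
# flagged. Note that the right to su(1) to root comes from membership in
# group "wheel", never from a login class.
class_is_plain() {
    stanza=$(get_login_class "$1" "$2")
    [ -n "$stanza" ] || return 1
    printf '%s\n' "$stanza" \
      | grep -v "^$2:" | grep -v ':tc=' \
      | grep -Eqv '^[[:space:]]*:(datasize|openfiles|maxproc)(-cur|-max)?=|^[[:space:]]*:umask=' \
      && return 1
    return 0
}

# Stand-alone demo: print the stanza an administrator would append to
# /etc/login.conf. On the OpenBSD host, as root, the steps would be:
#   make_login_class high_resource_users 2048M 4096 027 >> /etc/login.conf
#   cap_mkdb /etc/login.conf          # only if /etc/login.conf.db is in use
#   usermod -L high_resource_users a  # likewise for b and c
# su(1) to root additionally needs group wheel (e.g. usermod -G wheel a);
# nothing in the class grants it.
make_login_class high_resource_users 2048M 4096 027
```

The check function is deliberately strict: a class that is meant only to carry quotas should contain nothing else, so any unexpected capability shows up in review before the file is installed.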



httpd rewrite

2017-02-02 Thread Uwe Werler
Hello guys,

I am trying to move from nginx to httpd, but I have a problem with rewrites. I am
trying to use this nginx rule:

rewrite ^/Microsoft-Server-ActiveSync?(.*)$ /tine20/index.php?frontend=activesync$1;

with httpd:

location "/Microsoft-Server-ActiveSync" {
	block return 302 "/tine20/index.php?frontend=activesync$QUERY_STRING"
}

The redirect seems to work - but no auth takes place.

Is what I am trying to do generally possible? And if yes, what am I missing?

The output does not look bad at first glance:

webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:01 +0100] "POST /Microsoft-Server-ActiveSync?Cmd=Sync%26User=USER%26DeviceId=DEVICEID%26DeviceType=SAMSUNGSMG930F HTTP/1.1" 302 0
server webtest.local, client 64 (3 active), 192.168.176.12:60819 -> 192.168.177.100:443, /tine20/index.php?frontend=activesyncCmd=Sync%26User=USER%26DeviceId=DEVICEID%26DeviceType=SAMSUNGSMG930F (302 Found)
webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:02 +0100] "GET /tine20/index.php?frontend=activesyncCmd=Sync%2526User=USER%2526DeviceId=DEVICEID%2526DeviceType=SAMSUNGSMG930F HTTP/1.1" 200 0

Thanks in advance.

Uwe



Re: IPSEC from behind NAT stage 2 failure

2017-02-02 Thread Philip Higgins

On 2016-12-06 12:05, Robert Szasz wrote:

I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to
tunnel in to our office network.

I'm testing with the following setup

Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)



Windows needs a registry entry set for L2TP and IPSEC to work properly 
with NAT.

Seems to apply whether it is the server or client or both behind NAT.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:0002

https://support.microsoft.com/en-au/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows-vista-and-in-windows-server-2008


-Phil



Re: -current installer error

2017-02-02 Thread Pedro Caetano
Sorry, sloppy fingers' fault. It is sd0.

On Thu, Feb 2, 2017 at 10:11 PM, Jiri B  wrote:

> On Thu, Feb 02, 2017 at 09:28:14PM +, Pedro Caetano wrote:
> > Hi misc@
> >
> > Today while upgrading a few VMs I noticed an error while auto_upgrade was
> > running.
> > Release build from today sources on amd64 arch.
> > This does not impact upgrade of the system.
> >
> >
> > # more /tmp/ai/ai.log
> > Choose your keyboard layout ('?' or 'L' for list) [default] default
> > Available disks are: sd0.
> > Which disk is the root disk? ('?' for details) [sd0] sr0
>
> 'sr0' ? really?
>
> > Checking root filesystem (fsck -fp /dev/sd0a /mnt)...OK
> > Mounting root filesystem (mount -o ro /dev/sd0a /mnt)...OK.
> > Force checking of clean non-root filesystems? [no] no
> > dd: /mnt/var/db/host.random: No such file or directory
> > /dev/sd0a (17f9850d83e601df.a) on /mnt type ffs (rw, local, wxallowed)
>
> j.



Re: -current installer error

2017-02-02 Thread Jiri B
On Thu, Feb 02, 2017 at 09:28:14PM +, Pedro Caetano wrote:
> Hi misc@
> 
> Today while upgrading a few VMs I noticed an error while auto_upgrade was
> running.
> Release build from today sources on amd64 arch.
> This does not impact upgrade of the system.
> 
> 
> # more /tmp/ai/ai.log
> Choose your keyboard layout ('?' or 'L' for list) [default] default
> Available disks are: sd0.
> Which disk is the root disk? ('?' for details) [sd0] sr0

'sr0' ? really?

> Checking root filesystem (fsck -fp /dev/sd0a /mnt)...OK
> Mounting root filesystem (mount -o ro /dev/sd0a /mnt)...OK.
> Force checking of clean non-root filesystems? [no] no
> dd: /mnt/var/db/host.random: No such file or directory
> /dev/sd0a (17f9850d83e601df.a) on /mnt type ffs (rw, local, wxallowed)

j.



-current installer error

2017-02-02 Thread Pedro Caetano
Hi misc@

Today while upgrading a few VMs I noticed an error while auto_upgrade was
running.
Release build from today sources on amd64 arch.
This does not impact upgrade of the system.


# more /tmp/ai/ai.log
Choose your keyboard layout ('?' or 'L' for list) [default] default
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sr0
Checking root filesystem (fsck -fp /dev/sd0a /mnt)...OK
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)...OK.
Force checking of clean non-root filesystems? [no] no
dd: /mnt/var/db/host.random: No such file or directory
/dev/sd0a (17f9850d83e601df.a) on /mnt type ffs (rw, local, wxallowed)


Cheers,
Pedro Caetano



disable touchpad while leave trackpoint on

2017-02-02 Thread P Bielecki
Hi,

In output from xinput I have one pointing device and it is wsmouse
$ xinput
⎡ Virtual core pointer                          id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ /dev/wsmouse                              id=7    [slave  pointer  (2)]
Reporting 3 classes:
Class originated from: 7. Type: XIButtonClass
Buttons supported: 7
Button labels: "Button Left" "Button Middle" "Button
Right" None None None None
Button state:
Class originated from: 7. Type: XIValuatorClass
Detail for Valuator 0:
  Label: Rel X
  Range: -1.00 - -1.00
  Resolution: 1 units/m
  Mode: relative
Class originated from: 7. Type: XIValuatorClass
Detail for Valuator 1:
  Label: Rel Y
  Range: -1.00 - -1.00
  Resolution: 1 units/m
  Mode: relative

but both trackpoint and touchpad work. I'd like to switch the touchpad
off; is there a way to do it while keeping trackpoint enabled?
I do not have a BIOS option for disabling either.
My laptop is an HP 8470p.

many thanks,
--
P



Re: init: can't open /dev/console: Device not configured.

2017-02-02 Thread cjarry

On 2017-01-31 22:59, Jiri B wrote:

Try booting bsd.rd from boot loader, then mount your root filesystem
at /mnt and inspect /mnt/etc/boot.conf. For desktop you generally
don't need this file at all.


Thank you for replying.

I booted on my USB key with:
boot hd1a:/bsd

Then, when asked, I pressed the S key to have a shell.
I mounted the root filesystem of wd0a with:
mount /dev/wd0a /mnt

But there is no /mnt/etc/boot.conf.

What is the file you are talking about when you say:
"For desktop you generally don't need this file at all."



Re: sendsyslog: dropped 4 messages, error 55

2017-02-02 Thread Peter Fraser
I agree I don't give much information. I have no idea what information to
give.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Marcus MERIGHI
Sent: Tuesday, January 31, 2017 3:13 AM
To: Peter Fraser 
Cc: 'misc@openbsd.org' 
Subject: Re: sendsyslog: dropped 4 messages, error 55

p...@thinkage.ca (Peter Fraser), 2017.01.30 (Mon) 18:17 (CET):
> My /var/log/messages is filling up with messages like the following:
>
> Jan 30 10:28:06 gateway sendsyslog: dropped 4 messages, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 1 message, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
> Jan 30 10:28:06 gateway last message repeated 2 times
> Jan 30 10:28:06 gateway sendsyslog: dropped 4 messages, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
> Jan 30 10:28:06 gateway last message repeated 2 times
> Jan 30 10:28:06 gateway sendsyslog: dropped 1 message, error 55
> Jan 30 10:28:06 gateway sendsyslog: dropped 1 message, error 55
>
> The messages occur in bursts with several hundred messages per burst,
> and there may be several seconds or hours between the bursts.
>
> I am quite willing to believe that I have done something stupid, but I
> have no idea what.
> Any hints to find out what is generating these messages.

src/lib/libc/gen/syslog_r.c, 188:
* If the sendsyslog() fails, it means that syslogd
* is not running or the kernel ran out of buffers.

sendsyslog(2)
RETURN VALUES
 Upon successful completion, the value 0 is returned; otherwise the
 value -1 is returned and the global variable errno is set to
 indicate the error.

errno(2)
 55 ENOBUFS No buffer space available. An operation on a socket or
pipe was not performed because the system lacked sufficient
buffer space or because a queue was full.

But I can't tell you why your kernel is running out of buffers. You did not
give much information...

Marcus

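To put a number on the bursts described in this thread, here is an added example (not code from the thread or from OpenBSD) that totals the "sendsyslog: dropped N messages, error E" lines per second from a syslog file, expanding syslogd's "last message repeated N times" compression, and names errno 55 as ENOBUFS as Marcus's reply does. The sample log lines are constructed in the quoted format, and summarize_drops and total_drops are helper names of my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Sizes drop bursts by totalling
# "sendsyslog: dropped N messages, error E" lines per second. The sample
# below is constructed to match the quoted /var/log/messages format.

SAMPLE_LOG='Jan 30 10:28:06 gateway sendsyslog: dropped 4 messages, error 55
Jan 30 10:28:06 gateway sendsyslog: dropped 2 messages, error 55
Jan 30 10:28:06 gateway last message repeated 2 times
Jan 30 10:28:06 gateway sendsyslog: dropped 1 message, error 55
Jan 30 10:28:09 gateway sendsyslog: dropped 3 messages, error 55
Jan 30 10:28:09 gateway sshd[1234]: Connection closed by 192.0.2.10'

# Read syslog lines on stdin and print one line per second:
#   "<Mon> <day> <time> <dropped> error=<errno>[ (ENOBUFS)]"
# A "last message repeated N times" line is syslogd's compression of N
# further copies of the preceding line, so it adds N times that count.
summarize_drops() {
    awk '
    /sendsyslog: dropped [0-9]+ messages?, error [0-9]+/ {
        ts = $1 " " $2 " " $3
        drops[ts] += $7; errs[ts] = $NF
        last_ts = ts; last_n = $7
        next
    }
    /last message repeated [0-9]+ times/ {
        if (last_ts != "") drops[last_ts] += $8 * last_n
        next
    }
    { last_ts = "" }   # any other line breaks the "last message" chain
    END {
        for (ts in drops) {
            name = (errs[ts] == 55) ? " (ENOBUFS)" : ""
            printf "%s %d error=%s%s\n", ts, drops[ts], errs[ts], name
        }
    }' | sort
}

# Total dropped messages over the whole input (stdin).
total_drops() {
    summarize_drops | awk '{ s += $4 } END { print s + 0 }'
}

# Stand-alone demo on the constructed sample; on a real host feed
# /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | total_drops
```

The per-second totals show how large each burst really is once the "repeated" lines are expanded, which is the figure to compare against how fast syslogd on the box can actually drain the kernel buffer.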



relayd.conf http headers from file

2017-02-02 Thread Frans Haarman
Hi List,

Is it possible with relayd to match HTTP headers key and value from a file ?

I want to store JWT authorisation tokens in a file.

Pass request header "Authorize" value "123456" #works

Once I start adding the file option things get confusing. The manual mentions
we can only read keys from external files, not the header values. Very
confusing.

Any clues?

Gr.FH



Re: Unable to install OpenBSD 6.0 to HP Probook 4540s in UEFi mode

2017-02-02 Thread dmitry.sensei
https://lists.freebsd.org/pipermail/freebsd-bugs/2016-September/069781.html

On Mon, Jan 23, 2017 at 4:14 PM, dmitry.sensei  wrote:
> This is very similar?
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194063
>
> On Mon, Jan 23, 2017 at 2:42 PM, dmitry.sensei  
> wrote:
>> (CentOS 7)
>> lspci -v
>> 00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor
>> Family DRAM Controller (rev 09)
>> Subsystem: Hewlett-Packard Company Device 17f6
>> Flags: bus master, fast devsel, latency 0
>> Capabilities: [e0] Vendor Specific Information: Len=0c 
>>
>> 00:02.0 VGA compatible controller: Intel Corporation 2nd Generation
>> Core Processor Family Integrated Graphics Controller (rev 09) (prog-if
>> 00 [VGA controller])
>> Subsystem: Hewlett-Packard Company Device 17f6
>> Flags: bus master, fast devsel, latency 0, IRQ 31
>> Memory at c000 (64-bit, non-prefetchable) [size=4M]
>> Memory at b000 (64-bit, prefetchable) [size=256M]
>> I/O ports at 3000 [size=64]
>> Expansion ROM at  [disabled]
>> Capabilities: [90] MSI: Enable+ Count=1/1 Maskable- 64bit-
>> Capabilities: [d0] Power Management version 2
>> Capabilities: [a4] PCI Advanced Features
>> Kernel driver in use: i915
>> Kernel modules: i915
>>
>> 00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset
>> Family USB xHCI Host Controller (rev 04) (prog-if 30 [XHCI])
>> Subsystem: Hewlett-Packard Company Device 17f6
>> Flags: bus master, medium devsel, latency 0, IRQ 28
>> Memory at c090 (64-bit, non-prefetchable) [size=64K]
>> Capabilities: [70] Power Management version 2
>> Capabilities: [80] MSI: Enable+ Count=1/8 Maskable- 64bit+
>> Kernel driver in use: xhci_hcd
>>
>> 00:16.0 Communication controller: Intel Corporation 7 Series/C216
>> Chipset Family MEI Controller #1 (rev 04)
>> Subsystem: Hewlett-Packard Company Device 17f6
>> Flags: bus master, fast devsel, latency 0, IRQ 32
>> Memory at c0914000 (64-bit, non-prefetchable) [size=16]
>> Capabilities: [50] Power Management version 3
>> Capabilities: [8c] MSI: Enable+ Count=1/1 Maskable- 64bit+
>> Kernel driver in use: mei_me
>> Kernel modules: mei_me
>>
>> 00:1a.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family
>> USB Enhanced Host Controller #2 (rev 04) (prog-if 20 [EHCI])
>> Subsystem: Hewlett-Packard Company Device 17f6
>> Flags: bus master, medium devsel, latency 0, IRQ 16
>> Memory at c0919000 (32-bit, non-prefetchable) [size=1K]
>> Capabilities: [50] Power Management version 2
>> Capabilities: [58] Debug port: BAR=1 offset=00a0
>> Capabilities: [98] PCI Advanced Features
>> Kernel driver in use: ehci-pci
>>
>> 00:1b.0 Audio device: Intel Corporation 7 Series/C216 Chipset Family
>> High Definition Audio Controller (rev 04)
>> Subsystem: Hewlett-Packard Company Device 17f6
>> Flags: bus master, fast devsel, latency 0, IRQ 33
>> Memory at c091 (64-bit, non-prefetchable) [size=16K]
>> Capabilities: [50] Power Management version 2
>> Capabilities: [60] MSI: Enable+ Count=1/1 Maskable- 64bit+
>> Capabilities: [70] Express Root Complex Integrated Endpoint, MSI 00
>> Capabilities: [100] Virtual Channel
>> Capabilities: [130] Root Complex Link
>> Kernel driver in use: snd_hda_intel
>> Kernel modules: snd_hda_intel
>>
>> 00:1c.0 PCI bridge: Intel Corporation 7 Series/C216 Chipset Family PCI
>> Express Root Port 1 (rev c4) (prog-if 00 [Normal decode])
>> Flags: bus master, fast devsel, latency 0, IRQ 24
>> Bus: primary=00, secondary=01, subordinate=01, sec-latency=0
>> Memory behind bridge: c080-c08f
>> Capabilities: [40] Express Root Port (Slot+), MSI 00
>> Capabilities: [80] MSI: Enable+ Count=1/1 Maskable- 64bit-
>> Capabilities: [90] Subsystem: Hewlett-Packard Company Device 17f6
>> Capabilities: [a0] Power Management version 2
>> Kernel driver in use: pcieport
>> Kernel modules: shpchp
>>
>> 00:1c.2 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset
>> Family PCI Express Root Port 3 (rev c4) (prog-if 00 [Normal decode])
>> Flags: bus master, fast devsel, latency 0, IRQ 25
>> Bus: primary=00, secondary=02, subordinate=02, sec-latency=0
>> Memory behind bridge: c070-c07f
>> Capabilities: [40] Express Root Port (Slot+), MSI 00
>> Capabilities: [80] MSI: Enable+ Count=1/1 Maskable- 64bit-
>> Capabilities: [90] Subsystem: Hewlett-Packard Company Device 17f6
>> Capabilities: [a0] Power Management version 2
>> Kernel driver in use: pcieport
>> Kernel modules: shpchp
>>
>> 00:1c.3 PCI bridge: Intel Corporation 7 Series/C216 Chipset Family PCI
>> Express Root Port 4 (rev c4) (prog-if 00 [Normal decode])
>> Flags: bus master, fast devsel, latency 0, IRQ 26
>> Bus: primary=00, secondary=03, subordinate=03, sec-latency=0
>> Memory