Re: Rsnapshot configuration

2017-06-13 Thread Edgar Pettijohn
I appreciate this email. I really need to backup my data more/better and this 
gave​ me a lot to think about.

⁣Sent from BlueMail ​

On Jun 13, 2017, 7:51 PM, at 7:51 PM, Predrag Punosevac  
wrote:
>Somebody hiding behind a pseudonym G wrote:
>
>> 
>>
>> Most tutorials suggest not to backup tmp and var etc. I decided to
>> backup the whole var.
>>
>
>You were the last person I expected to ask a question on this mailing
>list after those "expert advises" you gave people on OpenBSD desktop in
>which you insulted 2 dozen port maintainer claiming that their ports
>are
>not up to date.
>
>
>> What do you suggest? I though rsnapshot was ok?
>>
>
>OK for what? The first question is do you really need a backup and what
>are you trying to backup? None of us can help you to answer that
>question but we can help you to understand different concepts.
>
>
>In my book there are three different things which people refer to as
>backup.
>
>1. Journaling
>2. Genuine Backup
>3. Archiving
>
>
>You can think of Journal as a file system level version control system.
>HAMMER of DragonFly BSD is the only file system which supports
>fine-grained journaling via history command which can be very finly
>tuned. ZFS is another file syste/volume manager which supports
>journaling via ZFS snapshots. You can read this post of mine
>
>https://marc.info/?l=openbsd-misc=144340431520709=2
>
>for a very naive comparison of the two.
>
>OpenBSD will hopefully one day have HAMMER 2 but in the mean time your
>only option is
>
>sysutils/glastree
>
>or you can become an expert on mtree I suppose.  You could also by a
>MAC
>when Apple finishes their Apple file system.  Journals are useful if
>you
>are dealing with bunch of users who should be really using a version
>control systems for whatever they are editing but they are too lazy or
>too dumb to do so.
>
>
>Now comes a genuine backup. A genuine backup is something which you
>expect to access on the regular basis with moderate seeking speed.
>rsynapshot is an example of a rsync Perl wrapper written for a genuine
>backup. Apple time machine is also just a wrapper around rsync. I would
>strongly suggest you read the following thread
>
>https://www.reddit.com/user/rsyncnet/?sort=hot
>
>In particular pay attention to the post which starts as
>
>" I have some expertise in this area[1] so I would like to provide some
>additional information for future readers of this thread - specifically
>on rsync snapshots, rsnapshot, duplicity, attic and borg.
>
>The simplest thing to do is to rsync from one system to another. Very
>simple, but the problem is it's just a "dumb mirror" - there is no
>history, no versions in the past (snapshots in time) and every day you
>do your rsync, you risk clobbering old data that you won't realize you
>need until tomorrow. "
>
>Very informative. The only thing I could add is that the guy is not
>familiar with HAMMER because otherwise he would notice that we went
>full
>circle. rsync paired with HAMMER is no longer "dumb mirror". If the
>target is HAMMER you can do something like
>
>SHELL=/bin/sh
>PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
># Order of crontab fields
># minutehourmdaymonth   wdaycommand
>0   7   *   *   *   /usr/local/bin/rsync -aW
>--inplace --delete /home/predrag rsync://predrag@192.168.3.2:873/ftp
>
>and you will have full history. That is how I backup my desktop to my
>DragonFly file server.
>
>Some other backup tools are dump/restore, Bacula (make sure you backup
>the data base because you will not be able to restore), Amanda, HAMMER
>mirror stream, ZFS rsnapshot.  The last one which I use at work is
>particularly robust in data center settings.
>
>Now that is not the full story of backup. The above is typically
>related
>to backup of data. Sometimes one wants to backup server configuration
>files in order to quickly restore the functionality of the server.
>OpenBSD way of backing up server configuration files is altroot
>
>https://www.openbsd.org/faq/faq14.html#altroot
>
>OpenBSD comes with a wonderful tool called softraid
>
>http://man.openbsd.org/softraid.4
>
>which can be used to fully encrypt your laptop but also for RAID 1
>installation of OpenBSD. Root on RAID 1 gives you a protection but it
>is
>not a backup. Typically I backup such OpenBSD server to an external USB
>device via altroot. People have noticed that sometimes it is useful to
>backup /var as well. You can use similar approach with /var which I do.
>Don't forget to dump your databases before you do /altvar backup.
>
>
>Finally most home users will really need Archiving. Archiving is
>a technique of "permanently" storing data in the case of unlikly loss
>of
>original data. There are many ways to do it. Backup type is time-tested
>way to do it. You can use sysutils/duplicity to archive your encrypted
>data to Amazon Glacer. Colin Percival will do that for you using the
>crypto function scrypt he decovered and this little tool
>

Re: Rsnapshot configuration

2017-06-13 Thread Predrag Punosevac
Somebody hiding behind a pseudonym G wrote:

> 
> 
> Most tutorials suggest not to backup tmp and var etc. I decided to
> backup the whole var.
> 

You were the last person I expected to ask a question on this mailing
list after those "expert advises" you gave people on OpenBSD desktop in
which you insulted 2 dozen port maintainer claiming that their ports are
not up to date.


> What do you suggest? I though rsnapshot was ok?
> 

OK for what? The first question is do you really need a backup and what
are you trying to backup? None of us can help you to answer that
question but we can help you to understand different concepts.


In my book there are three different things which people refer to as
backup. 

1. Journaling 
2. Genuine Backup
3. Archiving


You can think of Journal as a file system level version control system.
HAMMER of DragonFly BSD is the only file system which supports
fine-grained journaling via history command which can be very finly
tuned. ZFS is another file syste/volume manager which supports
journaling via ZFS snapshots. You can read this post of mine 

https://marc.info/?l=openbsd-misc=144340431520709=2

for a very naive comparison of the two. 

OpenBSD will hopefully one day have HAMMER 2 but in the mean time your
only option is 

sysutils/glastree 

or you can become an expert on mtree I suppose.  You could also by a MAC
when Apple finishes their Apple file system.  Journals are useful if you
are dealing with bunch of users who should be really using a version
control systems for whatever they are editing but they are too lazy or
too dumb to do so.


Now comes a genuine backup. A genuine backup is something which you
expect to access on the regular basis with moderate seeking speed.
rsynapshot is an example of a rsync Perl wrapper written for a genuine
backup. Apple time machine is also just a wrapper around rsync. I would
strongly suggest you read the following thread

https://www.reddit.com/user/rsyncnet/?sort=hot

In particular pay attention to the post which starts as 

" I have some expertise in this area[1] so I would like to provide some
additional information for future readers of this thread - specifically
on rsync snapshots, rsnapshot, duplicity, attic and borg.

The simplest thing to do is to rsync from one system to another. Very
simple, but the problem is it's just a "dumb mirror" - there is no
history, no versions in the past (snapshots in time) and every day you
do your rsync, you risk clobbering old data that you won't realize you
need until tomorrow. "

Very informative. The only thing I could add is that the guy is not
familiar with HAMMER because otherwise he would notice that we went full
circle. rsync paired with HAMMER is no longer "dumb mirror". If the
target is HAMMER you can do something like

SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
# Order of crontab fields
# minutehourmdaymonth   wdaycommand
0   7   *   *   *   /usr/local/bin/rsync -aW
--inplace --delete /home/predrag rsync://predrag@192.168.3.2:873/ftp

and you will have full history. That is how I backup my desktop to my
DragonFly file server. 

Some other backup tools are dump/restore, Bacula (make sure you backup
the data base because you will not be able to restore), Amanda, HAMMER
mirror stream, ZFS rsnapshot.  The last one which I use at work is
particularly robust in data center settings.

Now that is not the full story of backup. The above is typically related
to backup of data. Sometimes one wants to backup server configuration
files in order to quickly restore the functionality of the server.
OpenBSD way of backing up server configuration files is altroot

https://www.openbsd.org/faq/faq14.html#altroot

OpenBSD comes with a wonderful tool called softraid 

http://man.openbsd.org/softraid.4

which can be used to fully encrypt your laptop but also for RAID 1
installation of OpenBSD. Root on RAID 1 gives you a protection but it is
not a backup. Typically I backup such OpenBSD server to an external USB
device via altroot. People have noticed that sometimes it is useful to
backup /var as well. You can use similar approach with /var which I do.
Don't forget to dump your databases before you do /altvar backup.


Finally most home users will really need Archiving. Archiving is
a technique of "permanently" storing data in the case of unlikly loss of
original data. There are many ways to do it. Backup type is time-tested
way to do it. You can use sysutils/duplicity to archive your encrypted
data to Amazon Glacer. Colin Percival will do that for you using the
crypto function scrypt he decovered and this little tool 

sysutils/tarsnap

His prices are reasonable. Other formaly inexpensive methoods of
archiving involve burning DVDs and taking them to a remote storage. You
can find the following userful

sysutils/shunt

Anyhow, hopefully the above will give you enough to think about without
overburden you with concepts like incremental, differential, and 

Re: screen black after attaching to inteldrm, June snapshots

2017-06-13 Thread Ed Ahlsen-Girard
On Fri, 9 Jun 2017 06:27:56 -0500
Ed Ahlsen-Girard  wrote:

> Since the June 7 snapshot and the one before that, once inteldrm is
> attached:
> 
> inteldrm0 at pci0 dev 2 function 0 "Intel G41 Video" rev 0x03 
> 
> the screen goes black. Seems similar to the issue noted here:
> 
> http://marc.info/?l=openbsd-tech=144317809403958=2
> 
> dmesg below.
> 

Fixed in June 12 snapshot.

-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL



Re: Rsnapshot configuration

2017-06-13 Thread G
Well as far as /var goes i decided to take a closer look because i am
thinking running aide for system integrity check. So this my rsnapshot.conf

I backup the following files

backup  /   localhost/

(Im not sure if i need anything else other than / for backup )

# backup  /altroot/   localhost/
# backup  /bin/   localhost/
# backup  /etc/   localhost/
# backup  /home/  localhost/
# backup  /root/  localhost/
# backup  /sbin   localhost/
# backup  /usr/   localhost/
# backup  /var/   localhost/


And exclude

exclude /var/authpf
exclude /var/cache
exclude /var/crash
exclude /var/cron
exclude /var/run
exclude /var/sasl
exclude /var/spool
exclude /var/tmp

exclude /dev/
exclude /mnt/usb/
exclude /mnt/cdrom/
exclude /tmp/
exclude /home/.snapshot/


On 06/14/17 00:22, Stuart Henderson wrote:
> On 2017-06-13, Paolo Aglialoro  wrote:
>> Have a full snapshot of your system, otherwise restore will be a nightmare.
> 
> Opinions vary. I couldn't care less about backing up things which I can
> just reinstall, I just need to know how to get back to that state easily.
> There are advantages to a script or config management recipe over a backup
> of those things: it also works for building on a new OS version, or the
> same one with fresh binaries in case you don't trust the ones you have
> for some reason.
> 
>> Do it with another tool, rsnapshot is mostly useful for data.
> 
> Any working backup that you understand is better than no backup..
> Especially if it runs automatically. rsnapshot is one of many things
> which will work (and you can't really argue with the ease of restore!).
> 
> 



Re: httpd and phpyMyAdmin

2017-06-13 Thread Ax0n
I'm generally not a fan of it, either, but sometimes the (l)users need
tools we don't like. So.

1) Run it over TLS only, so that usernames, passwords and other sensitive
data doesn't go across in the clear.
2) Lock it down to access only from trusted IP addresses (you can do this a
variety of ways with the help of pf, running on alternate ports, a
different IP, etc)
3) use the authenticate directive, e.g. authenticate "admin.example.com"
with htpasswd as a second layer of defense to the MySQL login for PHPMA
4) Make sure that MySQL users have the least privileges necessary to
operate.

On Tue, Jun 13, 2017 at 4:56 PM, Stuart Henderson 
wrote:

> On 2017-06-13, Markus Rosjat  wrote:
> > would like to get opinions on securing the whole thing  ...still :)
>
> Deleting phpmyadmin would be a good start :-)
>
>
>


Re: httpd and phpyMyAdmin

2017-06-13 Thread Stuart Henderson
On 2017-06-13, Markus Rosjat  wrote:
> would like to get opinions on securing the whole thing  ...still :)

Deleting phpmyadmin would be a good start :-)




Re: httpd and phpyMyAdmin

2017-06-13 Thread Markus Rosjat

heads up on the 403 error

fixed it by put diffrent locations for php and other files in the server 
config.


would like to get opinions on securing the whole thing  ...still :)

regards

--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT




Re: Rsnapshot configuration

2017-06-13 Thread Stuart Henderson
On 2017-06-13, Paolo Aglialoro  wrote:
> Have a full snapshot of your system, otherwise restore will be a nightmare.

Opinions vary. I couldn't care less about backing up things which I can
just reinstall, I just need to know how to get back to that state easily.
There are advantages to a script or config management recipe over a backup
of those things: it also works for building on a new OS version, or the
same one with fresh binaries in case you don't trust the ones you have
for some reason.

> Do it with another tool, rsnapshot is mostly useful for data.

Any working backup that you understand is better than no backup..
Especially if it runs automatically. rsnapshot is one of many things
which will work (and you can't really argue with the ease of restore!).




httpd and phpyMyAdmin

2017-06-13 Thread Markus Rosjat

Hi there,

I need to setup phpMyAdmin for some webdesign folks and I got somehow 
something working ...


I still cant figure out why all the images css and js file get a 403 error.

so if someone has a phpmyadmin running he might can give me some advice 
on the httpd.conf ?


regards

--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT




Re: Rsnapshot configuration

2017-06-13 Thread G
Most tutorials suggest not to backup tmp and var etc. I decided to
backup the whole var.

What do you suggest? I though rsnapshot was ok?

ps. On linux i was using backintime (which uses rsync) but it seems its
no longer on the packages.

On 06/13/17 19:05, Paolo Aglialoro wrote:
> +1
> 
> Have a full snapshot of your system, otherwise restore will be a nightmare.
> Do it with another tool, rsnapshot is mostly useful for data.
> 
> Il 13 giu 2017 11:05 AM, "Mark Carroll"  ha scritto:
> 
>> On 13 Jun 2017, G. wrote:
>>
>>> Hello!
>>> Im trying to take daily and weekly backups of my system rsnapshot.
>> (snip)
>>> Im not sure if there is anything in var that i should consider backup
>>> like sysmerge or syspatch.
>> (snip)
>>
>> I have various stuff across different machines that is worth backing up
>> in var/ like directories for nsd, unbound, www, etc. It all depends what
>> you're using your machine for thus what you've put in those.
>>
>> Storage these days is cheap: my usual approach is to back up everything
>> except stuff that I have hunted down via "du" and suchlike as being
>> actually rather large and decided I can certainly live without. Better
>> to back up a bit too much rather than too little. (Note that things like
>> logs are rather compressible so even "du" may badly overstate them.)
>>
>> -- Mark
>>
>>



Re: OpenBSD NFS: Windows 10 writes wrong uid

2017-06-13 Thread Raul Miller
On Tue, Jun 13, 2017 at 12:25 PM, Rupert Gallagher  wrote:
>> Worse, though, is if you think that a security issue on a file server
> is because of a problem in the default client configuration.
>
> I did not say that.

And yet:

On Mon, Jun 12, 2017 at 2:27 PM, Rupert Gallagher  wrote:
> I think the problem is how windows mounts the nfs folder by default (right 
> click
> on "this computer" then select to attach a network folder to a drive letter).

But, perhaps you were referring to some other problem here?

If so, we are not talking about "the problem" but about one of many
problems, each of which needs to be clearly identified...

(That said, Kenneth Gober has identified several issues that I was
overlooking - in particular, the nobody with id -2 thing. And if that
was "the problem" you were talking about there then I might also owe
you an apology.)

Thanks,

-- 
Raul



Re: OpenBSD NFS: Windows 10 writes wrong uid

2017-06-13 Thread Rupert Gallagher
I have non-root user on windows 10 that can delete read-only backup files and 
folders on NFS.

Sent from ProtonMail Mobile

On Tue, Jun 13, 2017 at 2:45 PM, Kenneth Gober  wrote: On 
Mon, Jun 12, 2017 at 12:58 PM, Rupert Gallagher wrote: > On problem 2, > > if a 
user has group write permission on a folder, it has permission to write its own 
files and those of same group membership in that folder, provided the group 
permission is set on the file by its owner. If a file belongs to me and I deny 
write permission to group and other, then nobody can write my file. File 
creation and destruction are forms of writing. This is what I am used to see. 
The ability of a windows nfs user to delete a file for which it has no write 
permission is a security This may be what you are used to seeing on other 
systems, but this is not how Unix works. It may help you understand the 
situation if you consider that in Unix, a directory is nothing more than a list 
of names associated with inode numbers. Creating a file is actually a two-step 
process under the hood: first a new inode is allocated for the file, then a 
name is added to some directory, linking to the new inode. You can then add as 
many additional links to that same file as you like, in that same directory or 
in other directories. A file can therefore have many names and be found in many 
folders within the same file system. Permissions to read or write the file 
content (the inode) are based on the file permissions, and because the file 
permissions are for the inode (not the name) those permissions always apply no 
matter which name you use (you cannot have one name that allows writing, and 
another name that's read-only). If you want to remove one of the (possibly 
many) names for a file, you need write permission on the directory containing 
that name, because what you are doing is removing a link that connects that 
name to the inode. It does not matter whether you have permissions to read or 
write the content of the file because you are not touching the file -- other 
links to that same file remain undisturbed unless you remove those as well 
(assuming you have the directory permissions required). When the last link to a 
file is removed, the inode is deallocated and the file's data blocks are freed. 
The rules in Unix are then: 1. if you want to allow users to create or delete 
file names in a directory, give them write permission to the directory. 2. if 
you want to allow users to modify file contents, give them write permissions to 
the file. These rules are very simple, but they may not be the rules you are 
used to, and they are likely not the rules you want. But if you want different 
rules then you must choose a different system. If you want to use this system 
you need to apply these rules. -ken P.S. 4294967294 is the NFS 'nobody' uid -2 
(expressed as an unsigned number), which is similar to but not the same as the 
'nobody' uid -1. If the files you create end up owned by that uid, it means 
your client (Windows 10) is asserting that your uid is 0 (root). It is an NFS 
convention that being root on the client should not mean that you get root 
access to files on the server, so a client claiming to be root gets no 
permissions by default rather than all permissions. The 'map' and 'mapall' 
options override this behavior. @protonmail.com>

Re: OpenBSD NFS: Windows 10 writes wrong uid

2017-06-13 Thread Rupert Gallagher
> Worse, though, is if you think that a security issue on a file server is 
> because of a problem in the default client configuration.

I did not say that.

Sent from ProtonMail Mobile

On Tue, Jun 13, 2017 at 1:10 PM, Raul Miller  wrote: 
Worse, though, is if you think that a security issue on a file server is 
because of a problem in the default client configuration. Mind you, this is not 
completely general (load issues and integrity issues do matter on the client 
side), but when we're talking about granting of permissions on those files it's 
about as wrong as you can get. -- Raul On Tue, Jun 13, 2017 at 1:47 AM, Otto 
Moerbeek wrote: > On Tue, Jun 13, 2017 at 01:24:19AM -0400, Rupert Gallagher 
wrote: > >> If a non-root user can delete a root owned file with read-only 
permissions, then there is a security problem. Good luck to you if you are 
thinking otherwise. > > This is not how unix permissions work. The directory 
permissions > detemine if you can remove a file. > > If you expect otherwise, 
you should adapt your expectations. > > -Otto > >> >> The windows nfs umask 
solves the problem of writing files to both user and group. It certainly does 
not solve the above security problem. >> >> Sent from ProtonMail Mobile >> >> 
On Mon, Jun 12, 2017 at 10:27 PM, Raul Miller wrote: You have a very odd idea 
of "security". Probably though, this is the >> wrong mailing list for what you 
are trying to do. >> >> Good luck, >> >> -- >> Raul >> >> On Mon, Jun 12, 2017 
at 2:27 PM, Rupert Gallagher wrote: >> > I think the problem is how windows 
mounts the nfs folder by default (right click on "this computer" then select to 
attach a network folder to a drive letter). The following article by Microsoft 
describes the mount option "fileaccess" to set a default umask: >> > >> > 
https://technet.microsoft.com/en-us/library/cc754350(v=ws.11).aspx >> > >> > 
This option is not available from the default menu. >> > >> > Sent from 
ProtonMail Mobile >> > >> > On Mon, Jun 12, 2017 at 7:24 PM, Raul Miller wrote: 
p.s. if you do not want windows files in that shared directory to be >> > 
executable, I think you can mount the nfs backing store partition >> > noexec. 
>> > >> > I haven't tested this, though - I mostly try to avoid networked file 
systems. >> > >> > Thanks, >> > >> > -- >> > Raul >> > >> > On Mon, Jun 12, 
2017 at 1:22 PM, Raul Miller wrote: >> >> Ok, look... >> >> >> >> Your problem 
1: all windows files are executable because the windows >> >> model for 
executable or not is proprietary and not supportable. It's >> >> also not clear 
why you should care about this in a shared directory. >> >> >> >> Your problem 
2: if we assume that a shared directory (rather than user >> >> specific 
directories) is the right approach, and if we also assume >> >> that each 
user's claim to a file name should deny write access to >> >> other users with 
that file name, we need to look at the permissions on >> >> the containing 
directory. >> >> >> >> In your case, you have drwxrwxr-x -- this means that 
everyone who is a >> >> member of the staff directory has the right to remove 
directory >> >> entries. If you do not want that, you need to change the 
permissions >> >> on the directory: http://man.openbsd.org/sticky.8 >> >> >> >> 
But, note that if you are changing the owner on the files to not match >> >> 
that of the user who created the files, you should expect that people >> >> 
will not be able to delete files that they themselves created. >> >> >> >> Your 
problem 3: this is a consequence of your having changed the owner >> >> of the 
file. Your file permissions say that only the owner can change >> >> the file. 
>> >> >> >> With this in mind, I think I can see how I would change things to 
>> >> match what you seem to be claiming that you want: >> >> >> >> (1) remove 
the user id mapping >> >> >> >> (2) set the sticky bit on the Shared directory. 
>> >> >> >> If you do not want this, I think you need to spend a little time >> 
>> thinking about what it is that you actually want, and whether or not >> >> 
that should even be possible. >> >> >> >> (So far, you have only mentioned an 
example uid value for a user as >> >> perhaps being an issue. This, combined 
with the subject line in this >> >> thread are the only clues I have as to why 
you might not have removed >> >> the user id mapping. But why this should even 
be an issue for you is >> >> unclear to me.) >> >> >> >> Thanks, >> >> >> >> -- 
>> >> Raul >> >> >> >> >> >> On Mon, Jun 12, 2017 at 12:58 PM, Rupert Gallagher 
wrote: >> >>> On problem 2, >> >>> >> >>> if a user has group write permission 
on a folder, it has permission to write its own files and those of same group 
membership in that folder, provided the group permission is set on the file by 
its owner. If a file belongs to me and I deny write permission to group and 
other, then nobody can write my file. File creation and destruction are forms 
of writing. This is what 

Re: OpenBSD NFS: Windows 10 writes wrong uid

2017-06-13 Thread Rupert Gallagher
I have the backup on NAS. Files and folders read only. Users can delete 
anything.

Sent from ProtonMail Mobile

On Tue, Jun 13, 2017 at 7:47 AM, Otto Moerbeek  wrote: On Tue, 
Jun 13, 2017 at 01:24:19AM -0400, Rupert Gallagher wrote: > If a non-root user 
can delete a root owned file with read-only permissions, then there is a 
security problem. Good luck to you if you are thinking otherwise. This is not 
how unix permissions work. The directory permissions detemine if you can remove 
a file. If you expect otherwise, you should adapt your expectations. -Otto > > 
The windows nfs umask solves the problem of writing files to both user and 
group. It certainly does not solve the above security problem. > > Sent from 
ProtonMail Mobile > > On Mon, Jun 12, 2017 at 10:27 PM, Raul Miller wrote: You 
have a very odd idea of "security". Probably though, this is the > wrong 
mailing list for what you are trying to do. > > Good luck, > > -- > Raul > > On 
Mon, Jun 12, 2017 at 2:27 PM, Rupert Gallagher wrote: > > I think the problem 
is how windows mounts the nfs folder by default (right click on "this computer" 
then select to attach a network folder to a drive letter). The following 
article by Microsoft describes the mount option "fileaccess" to set a default 
umask: > > > > 
https://technet.microsoft.com/en-us/library/cc754350(v=ws.11).aspx > > > > This 
option is not available from the default menu. > > > > Sent from ProtonMail 
Mobile > > > > On Mon, Jun 12, 2017 at 7:24 PM, Raul Miller wrote: p.s. if you 
do not want windows files in that shared directory to be > > executable, I 
think you can mount the nfs backing store partition > > noexec. > > > > I 
haven't tested this, though - I mostly try to avoid networked file systems. > > 
> > Thanks, > > > > -- > > Raul > > > > On Mon, Jun 12, 2017 at 1:22 PM, Raul 
Miller wrote: > >> Ok, look... > >> > >> Your problem 1: all windows files are 
executable because the windows > >> model for executable or not is proprietary 
and not supportable. It's > >> also not clear why you should care about this in 
a shared directory. > >> > >> Your problem 2: if we assume that a shared 
directory (rather than user > >> specific directories) is the right approach, 
and if we also assume > >> that each user's claim to a file name should deny 
write access to > >> other users with that file name, we need to look at the 
permissions on > >> the containing directory. > >> > >> In your case, you have 
drwxrwxr-x -- this means that everyone who is a > >> member of the staff 
directory has the right to remove directory > >> entries. If you do not want 
that, you need to change the permissions > >> on the directory: 
http://man.openbsd.org/sticky.8 > >> > >> But, note that if you are changing 
the owner on the files to not match > >> that of the user who created the 
files, you should expect that people > >> will not be able to delete files that 
they themselves created. > >> > >> Your problem 3: this is a consequence of 
your having changed the owner > >> of the file. Your file permissions say that 
only the owner can change > >> the file. > >> > >> With this in mind, I think I 
can see how I would change things to > >> match what you seem to be claiming 
that you want: > >> > >> (1) remove the user id mapping > >> > >> (2) set the 
sticky bit on the Shared directory. > >> > >> If you do not want this, I think 
you need to spend a little time > >> thinking about what it is that you 
actually want, and whether or not > >> that should even be possible. > >> > >> 
(So far, you have only mentioned an example uid value for a user as > >> 
perhaps being an issue. This, combined with the subject line in this > >> 
thread are the only clues I have as to why you might not have removed > >> the 
user id mapping. But why this should even be an issue for you is > >> unclear 
to me.) > >> > >> Thanks, > >> > >> -- > >> Raul > >> > >> > >> On Mon, Jun 12, 
2017 at 12:58 PM, Rupert Gallagher wrote: > >>> On problem 2, > >>> > >>> if a 
user has group write permission on a folder, it has permission to write its own 
files and those of same group membership in that folder, provided the group 
permission is set on the file by its owner. If a file belongs to me and I deny 
write permission to group and other, then nobody can write my file. File 
creation and destruction are forms of writing. This is what I am used to see. 
The ability of a windows nfs user to delete a file for which it has no write 
permission is a security @protonmail.com> @gmail.com> @gmail.com> 
@protonmail.com> @gmail.com>

Re: Rsnapshot configuration

2017-06-13 Thread Paolo Aglialoro
+1

Have a full snapshot of your system, otherwise restore will be a nightmare.
Do it with another tool, rsnapshot is mostly useful for data.

Il 13 giu 2017 11:05 AM, "Mark Carroll"  ha scritto:

> On 13 Jun 2017, G. wrote:
>
> > Hello!
> > Im trying to take daily and weekly backups of my system rsnapshot.
> (snip)
> > Im not sure if there is anything in var that i should consider backup
> > like sysmerge or syspatch.
> (snip)
>
> I have various stuff across different machines that is worth backing up
> in var/ like directories for nsd, unbound, www, etc. It all depends what
> you're using your machine for thus what you've put in those.
>
> Storage these days is cheap: my usual approach is to back up everything
> except stuff that I have hunted down via "du" and suchlike as being
> actually rather large and decided I can certainly live without. Better
> to back up a bit too much rather than too little. (Note that things like
> logs are rather compressible so even "du" may badly overstate them.)
>
> -- Mark
>
>


Re: inquiring about setting wxallowed on /home mountpoint

2017-06-13 Thread Marc Espie
WXNEEDED is already a compromise.  More compromise is fairly unlikely
to happen...



uticom0: error reloading device descriptor

2017-06-13 Thread marko.cupac
Hi,

I'm not 100% sure, but IIRC I was able to use Moxa Uport 1110 RS-232
USB to Serial Converter on previous versions of OpenBSD.

I have upgraded my ThinkPad T440 to 6.1, and I get the following in
dmesg:

uticom0: error reloading device descriptor

Thank you in advance, dmesg below.

OpenBSD 6.1 (GENERIC.MP) #7: Mon Jun 12 20:41:01 CEST 2017

rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8447561728 (8056MB)
avail mem = 8186863616 (7807MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xbcd3d000 (60 entries)
bios0: vendor LENOVO version "GJET91WW (2.41 )" date 09/21/2016
bios0: LENOVO 20B6005RUS
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC DBGP ECDT HPET APIC MCFG SSDT SSDT SSDT SSDT SSDT 
SSDT SSDT SSDT PCCT SSDT UEFI MSDM ASF! BATB FPDT UEFI BGRT DMAR
acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP2(S4) XHCI(S3) EHC1(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz, 2494.62 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2494619100 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz, 2494.22 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz, 2494.22 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz, 2494.22 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpiprt2 at acpi0: bus 2 (EXP1)
acpiprt3 at acpi0: bus 3 (EXP2)
acpiprt4 at acpi0: bus -1 (EXP3)
acpicpu0 at acpi0: C3(200@506 mwait.1@0x60), C2(200@148 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@506 mwait.1@0x60), C2(200@148 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(200@506 mwait.1@0x60), C2(200@148 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(200@506 mwait.1@0x60), C2(200@148 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PUBS, resource for XHCI, EHC1
acpipwrres1 at acpi0: NVP3, resource for PEG_
acpipwrres2 at acpi0: NVP2, resource for PEG_
acpitz0 at acpi0: critical temperature is 200 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
"LEN0071" at acpi0 not configured
"LEN0036" at acpi0 not configured
acpibat0 at acpi0: BAT0 model "45N1109" serial 32908 type LION oem "SANYO"
acpibat1 at acpi0: BAT1 model "45N1125" serial 29922 type LION oem "SANYO"
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"INT340F" at acpi0 not configured
acpivideo0 at acpi0: VID_
acpivout at acpivideo0 not configured
acpivideo1 at acpi0: VID_
cpu0: Enhanced SpeedStep 2494 MHz: speeds: 2501, 2500, 2400, 2200, 2100, 1900, 
1800, 

Re: OpenBSD NFS: Windows 10 writes wrong uid

2017-06-13 Thread Kenneth Gober
On Mon, Jun 12, 2017 at 12:58 PM, Rupert Gallagher  wrote:
> On problem 2,
>
> if a user has group write permission on a folder, it has permission to write 
> its own files and those of same group membership in that folder, provided the 
> group permission is set on the file by its owner. If a file belongs to me and 
> I deny write permission to group and other, then nobody can write my file. 
> File creation and destruction are forms of writing. This is what I am used to 
> see. The ability of a windows nfs user to delete a file for which it has no 
> write permission is a security

This may be what you are used to seeing on other systems, but this is
not how Unix works.

It may help you understand the situation if you consider that in Unix,
a directory is nothing more than a list of names associated with inode
numbers.  Creating a file is actually a two-step process under the
hood: first a new inode is allocated for the file, then a name is
added to some directory, linking to the new inode.  You can then add
as many additional links to that same file as you like, in that same
directory or in other directories.  A file can therefore have many
names and be found in many folders within the same file system.
Permissions to read or write the file content (the inode) are based on
the file permissions, and because the file permissions are for the
inode (not the name) those permissions always apply no matter which
name you use (you cannot have one name that allows writing, and
another name that's read-only).

If you want to remove one of the (possibly many) names for a file, you
need write permission on the directory containing that name, because
what you are doing is removing a link that connects that name to the
inode.  It does not matter whether you have permissions to read or
write the content of the file because you are not touching the file --
other links to that same file remain undisturbed unless you remove
those as well (assuming you have the directory permissions required).
When the last link to a file is removed, the inode is deallocated and
the file's data blocks are freed.

The rules in Unix are then:

1. if you want to allow users to create or delete file names in a
directory, give them write permission to the directory.
2. if you want to allow users to modify file contents, give them write
permissions to the file.

These rules are very simple, but they may not be the rules you are
used to, and they are likely not the rules you want.  But if you want
different rules then you must choose a different system.  If you want
to use this system you need to apply these rules.

-ken

P.S. 4294967294 is the NFS 'nobody' uid -2 (expressed as an unsigned
number), which is similar to but not the same as the 'nobody' uid -1.
If the files you create end up owned by that uid, it means your client
(Windows 10) is asserting that your uid is 0 (root).  It is an NFS
convention that being root on the client should not mean that you get
root access to files on the server, so a client claiming to be root
gets no permissions by default rather than all permissions.  The 'map'
and 'mapall' options override this behavior.



Re: X on thinkpad x270 - "Inappropriate ioctl for device"

2017-06-13 Thread Pau
thanks, Daniel

Then the em0 problem will go away as soon as I delete linux, that's nice.

But the most urgent problem is X.

On Tue, Jun 13, 2017 at 2:26 PM, Daniel Jakots  wrote:
> On Tue, 13 Jun 2017 08:12:00 +0200, Pau  wrote:
>
>> em0 shows the error about "Unable to initialize the hardware". I guess
>> this will be fixed in upcoming snapshots (and again, thanks for the
>> hard work).
>
> This is probably because you're multibooting. You can see my bug report
> about it [1]. Since I've stopped switching to other OS, the problem
> never came back.
>
> [1]: https://marc.info/?l=openbsd-bugs=148093341307527=2



Re: splassert: pool_put: want 0 have 4

2017-06-13 Thread Marko Cupać
On Tue, 13 Jun 2017 11:38:46 + (UTC)
Stuart Henderson  wrote:

> On 2017-06-13, Marko Cupać  wrote:
> > Hi,
> >
> > I see these in my console log:
> > Jun  6 16:14:25 nat2 /bsd: splassert: pool_put: want 0 have 4
> >
> > I don't observe any negative effects. Should I be worried? :)  
> 
> Can you try "sysctl kern.splassert=2" to obtain a backtrace?
> 
> (This isn't on by default as there's a small risk of problems,
> though I run this on almost all my routers/firewalls and never
> had trouble from it).

I've turned it on, let's see what happens. I'll check back when I see
something related in log.

Some additional info: I noticed these messages always appear after pptp
user disconnects:

Jun  6 15:47:40 nat2 npppd[18637]: ppp id=10 layer=base
logtype=TUNNELUSAGE user="someuser" duration=241sec
layer2=COMPANY layer2from=IP.ADD.RE.SS:29019 auth=MS-CHAP-V2
data_in=90561bytes,634packets data_out=332801bytes,587packets
error_in=6 error_out=0 mppe=yes mppe_in=128bits,stateless
mppe_out=128bits,stateless iface=tun1
Jun  6 15:47:40 nat2 npppd[18637]: pptpd ctrl=10 call=34773
logtype=Terminated
Jun 6 15:47:40 nat2 npppd[18637]: pptpd ctrl=10 logtype=Finished
Jun 6 15:47:41 nat2 /bsd: splassert: pool_put: want 0 have 4
Jun 6 15:47:41 nat2 /bsd: splassert: pool_put: want 0 have 4

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Findig the bad device in a degraded softraid RAID5

2017-06-13 Thread Stuart Henderson
On 2017-06-13, LÉVAI Dániel  wrote:
> Hi!
>
> Just got a message from sensorsd that one of my drives failed
> (softraid0.drive1: pfail, WARN -- I guess pfail means 'p'hysical fail?).
>
> Do you know any way of figuring out which actual HDD could be this?
> There are 4 identical ones in the PC. Is there a utility in eg. ports
> that could read eg. HW serial number from the HDD (like Linux's
> hdparm(1))?

>   3 Offline 3000592678912 1:3.0   noencl 

"bioctl sd5" should tell you the ser#.




Re: X on thinkpad x270 - "Inappropriate ioctl for device"

2017-06-13 Thread Daniel Jakots
On Tue, 13 Jun 2017 08:12:00 +0200, Pau  wrote:

> em0 shows the error about "Unable to initialize the hardware". I guess
> this will be fixed in upcoming snapshots (and again, thanks for the
> hard work).

This is probably because you're multibooting. You can see my bug report
about it [1]. Since I've stopped switching to other OS, the problem
never came back.

[1]: https://marc.info/?l=openbsd-bugs=148093341307527=2



Findig the bad device in a degraded softraid RAID5

2017-06-13 Thread LÉVAI Dániel
Hi!

Just got a message from sensorsd that one of my drives failed
(softraid0.drive1: pfail, WARN -- I guess pfail means 'p'hysical fail?).

Do you know any way of figuring out which actual HDD could be this?
There are 4 identical ones in the PC. Is there a utility in eg. ports
that could read eg. HW serial number from the HDD (like Linux's
hdparm(1))?

# bioctl softraid0
Volume  Status   Size Device
softraid0 0 Online   240054493696 sd7 RAID1
  0 Online   240054493696 0:0.0   noencl 
  1 Online   240054493696 0:1.0   noencl 
softraid0 1 Degraded9001777889280 sd8 RAID5
  0 Online  3000592678912 1:0.0   noencl 
  1 Online  3000592678912 1:1.0   noencl 
  2 Online  3000592678912 1:2.0   noencl 
  3 Offline 3000592678912 1:3.0   noencl 
softraid0 2 Online   163444252672 sd9 CRYPTO
  0 Online   163444252672 2:0.0   noencl 
softraid0 3 Online  9001777487872 sd10CRYPTO
  0 Online  9001777487872 3:0.0   noencl 
softraid0 4 Online   512105629696 sd11CRYPTO
  0 Online   512105629696 4:0.0   noencl 
# disklabel sd5
# /dev/rsd5c:
type: SCSI
disk: SCSI disk
label: WDC WD30EFRX-68E
duid: b1340ed27eb30f55
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 364801
total sectors: 5860533168
boundstart: 64
boundend: 5860533168
drivedata: 0

16 partitions:
#size   offset  fstype [fsize bsize   cpg]
  a:   5860533104   64RAID
  c:   58605331680  unused
# fdisk sd5
Disk: sd5   geometry: 267349/255/63 [4294961685 Sectors]
Offset: 0   Signature: 0xAA55
Starting Ending LBA Info:
 #: id  C   H   S -  C   H   S [   start:size ]
---
 0: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
 1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
 2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
*3: A6  0   1   2 - 267348 254  63 [  64:  4294961621 ] OpenBSD
# dmesg |F sd5
sd5 at scsibus1 targ 5 lun 0:  SCSI3 0/direct 
fixed naa.50014ee262ccb1f1
sd5: 2861588MB, 512 bytes/sector, 5860533168 sectors
sd5 at scsibus1 targ 5 lun 0:  SCSI3 0/direct 
fixed naa.50014ee262ccb1f1
sd5: 2861588MB, 512 bytes/sector, 5860533168 sectors
sd5 at scsibus1 targ 5 lun 0:  SCSI3 0/direct 
fixed naa.50014ee262ccb1f1
sd5: 2861588MB, 512 bytes/sector, 5860533168 sectors
sd5 at scsibus1 targ 5 lun 0:  SCSI3 0/direct 
fixed naa.50014ee262ccb1f1
sd5: 2861588MB, 512 bytes/sector, 5860533168 sectors
# sysctl hw |F sd5
hw.disknames=sd0:5594e3efd983ae85,sd1:d7b424577286863e,sd2:bc78dffe215ae5d9,sd3:d4945527f3b6f5b6,sd4:2e2a1c57ee8b6dc3,
02a11b61f9,sd11:493bc0dd8d86c23f



Thanks,
Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: OpenBSD NFS: Windows 10 writes wrong uid

2017-06-13 Thread Raul Miller
(also, once again, sticky bit)

-- 
Raul

On Tuesday, June 13, 2017, Raul Miller  wrote:

> Worse, though, is if you think that a security issue on a file server
> is because of a problem in the default client configuration.
>
> Mind you, this is not completely general (load issues and integrity
> issues do matter on the client side), but when we're talking about
> granting of permissions on those files it's about as wrong as you can
> get.
>
> --
> Raul
>
>
> On Tue, Jun 13, 2017 at 1:47 AM, Otto Moerbeek  > wrote:
> > On Tue, Jun 13, 2017 at 01:24:19AM -0400, Rupert Gallagher wrote:
> >
> >> If a non-root user can delete a root owned file with read-only
> permissions, then there is a security problem. Good luck to you if you are
> thinking otherwise.
> >
> > This is not how unix permissions work. The directory permissions
> > detemine if you can remove a file.
> >
> > If you expect otherwise, you should adapt your expectations.
> >
> > -Otto
> >
> >>
> >> The windows nfs umask solves the problem of writing files to both user
> and group. It certainly does not solve the above security problem.
> >>
> >> Sent from ProtonMail Mobile
> >>
> >> On Mon, Jun 12, 2017 at 10:27 PM, Raul Miller  > wrote: You have a very odd idea of "security". Probably
> though, this is the
> >> wrong mailing list for what you are trying to do.
> >>
> >> Good luck,
> >>
> >> --
> >> Raul
> >>
> >> On Mon, Jun 12, 2017 at 2:27 PM, Rupert Gallagher  > wrote:
> >> > I think the problem is how windows mounts the nfs folder by default
> (right click on "this computer" then select to attach a network folder to a
> drive letter). The following article by Microsoft describes the mount
> option "fileaccess" to set a default umask:
> >> >
> >> > https://technet.microsoft.com/en-us/library/cc754350(v=ws.11).aspx
> >> >
> >> > This option is not available from the default menu.
> >> >
> >> > Sent from ProtonMail Mobile
> >> >
> >> > On Mon, Jun 12, 2017 at 7:24 PM, Raul Miller  > wrote: p.s. if you do not want windows files in that
> shared directory to be
> >> > executable, I think you can mount the nfs backing store partition
> >> > noexec.
> >> >
> >> > I haven't tested this, though - I mostly try to avoid networked file
> systems.
> >> >
> >> > Thanks,
> >> >
> >> > --
> >> > Raul
> >> >
> >> > On Mon, Jun 12, 2017 at 1:22 PM, Raul Miller  > wrote:
> >> >> Ok, look...
> >> >>
> >> >> Your problem 1: all windows files are executable because the windows
> >> >> model for executable or not is proprietary and not supportable. It's
> >> >> also not clear why you should care about this in a shared directory.
> >> >>
> >> >> Your problem 2: if we assume that a shared directory (rather than
> user
> >> >> specific directories) is the right approach, and if we also assume
> >> >> that each user's claim to a file name should deny write access to
> >> >> other users with that file name, we need to look at the permissions
> on
> >> >> the containing directory.
> >> >>
> >> >> In your case, you have drwxrwxr-x -- this means that everyone who is
> a
> >> >> member of the staff directory has the right to remove directory
> >> >> entries. If you do not want that, you need to change the permissions
> >> >> on the directory: http://man.openbsd.org/sticky.8
> >> >>
> >> >> But, note that if you are changing the owner on the files to not
> match
> >> >> that of the user who created the files, you should expect that people
> >> >> will not be able to delete files that they themselves created.
> >> >>
> >> >> Your problem 3: this is a consequence of your having changed the
> owner
> >> >> of the file. Your file permissions say that only the owner can change
> >> >> the file.
> >> >>
> >> >> With this in mind, I think I can see how I would change things to
> >> >> match what you seem to be claiming that you want:
> >> >>
> >> >> (1) remove the user id mapping
> >> >>
> >> >> (2) set the sticky bit on the Shared directory.
> >> >>
> >> >> If you do not want this, I think you need to spend a little time
> >> >> thinking about what it is that you actually want, and whether or not
> >> >> that should even be possible.
> >> >>
> >> >> (So far, you have only mentioned an example uid value for a user as
> >> >> perhaps being an issue. This, combined with the subject line in this
> >> >> thread are the only clues I have as to why you might not have removed
> >> >> the user id mapping. But why this should even be an issue for you is
> >> >> unclear to me.)
> >> >>
> >> >> Thanks,
> >> >>
> >> >> --
> >> >> Raul
> >> >>
> >> >>
> >> >> On Mon, Jun 12, 2017 at 12:58 PM, Rupert Gallagher <
> r...@protonmail.com > wrote:
> >> >>> On problem 2,
> >> >>>
> >> >>> if a user has group write permission on a folder, it has permission
> to write its own 

Re: splassert: pool_put: want 0 have 4

2017-06-13 Thread Stuart Henderson
On 2017-06-13, Marko Cupać  wrote:
> Hi,
>
> I see these in my console log:
> Jun  6 16:14:25 nat2 /bsd: splassert: pool_put: want 0 have 4
>
> I don't observe any negative effects. Should I be worried? :)

Can you try "sysctl kern.splassert=2" to obtain a backtrace?

(This isn't on by default as there's a small risk of problems,
though I run this on almost all my routers/firewalls and never
had trouble from it).




splassert: pool_put: want 0 have 4

2017-06-13 Thread Marko Cupać
Hi,

I see these in my console log:
Jun  6 16:14:25 nat2 /bsd: splassert: pool_put: want 0 have 4

I don't observe any negative effects. Should I be worried? :)

Here's dmesg:

OpenBSD 6.1 (GENERIC.MP) #6: Mon May 22 20:34:30 CEST 2017

rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2128887808 (2030MB)
avail mem = 2059747328 (1964MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xee000 (69 entries)
bios0: vendor HP version "P58" date 05/02/2011
bios0: HP ProLiant DL360 G5
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC  BERT HEST
SSDT acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2500.44 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 6MB 64b/line 16-way L2 cache cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 333MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2000.07 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 6MB 64b/line 16-way L2 cache cpu1: smt 0, core 2, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2500.09 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu2: 6MB 64b/line 16-way L2 cache cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2500.09 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu3: 6MB 64b/line 16-way L2 cache cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 9 pa 0xfec8, version 20, 24 pins
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 11 (IPE1)
acpiprt2 at acpi0: bus 10 (IPE4)
acpiprt3 at acpi0: bus 16 (P2P2)
acpiprt4 at acpi0: bus 9 (PT02)
acpiprt5 at acpi0: bus 6 (PT03)
acpiprt6 at acpi0: bus 19 (PT04)
acpiprt7 at acpi0: bus 3 (NB01)
acpiprt8 at acpi0: bus 5 (NB02)
acpiprt9 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: !C3(250@17 io@0x915), C1(1000@1 halt)
acpicpu1 at acpi0: !C3(250@17 io@0x915), C1(1000@1 halt)
acpicpu2 at acpi0: !C3(250@17 io@0x915), C1(1000@1 halt)
acpicpu3 at acpi0: !C3(250@17 io@0x915), C1(1000@1 halt)
acpitz0 at acpi0: critical temperature is 31 degC
"IPI0001" at acpi0 not configured
"PNP0303" at acpi0 not configured
"PNP0F13" at acpi0 not configured
"PNP0A06" at acpi0 not configured
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 5000P Host" rev 0xb1
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0xb1
pci1 at ppb0 bus 9
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 10
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 11
ppb3 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 14
ppb4 at pci2 dev 2 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 15
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 16
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0xb1
pci7 at ppb6 bus 6
ciss0 at pci7 dev 0 function 0 "Hewlett-Packard Smart Array" rev 0x04:
apic 8 int 16 ciss0: 1 LD, HW rev 4, FW 7.24/7.24, 64bit fifo
scsibus1 at ciss0: 1 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct
fixed sd0: 139979MB, 512 bytes/sector, 286677120 sectors
ppb7 at pci0 dev 4 function 0 "Intel 5000 PCIE x8" rev 0xb1
pci8 at ppb7 bus 19
em0 at pci8 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
2c:27:d7:15:21:95 ppb8 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev
0xb1 pci9 at ppb8 bus 22
ppb9 at pci0 dev 6 function 0 "Intel 5000 PCIE" rev 0xb1
pci10 at ppb9 bus 2
ppb10 at pci10 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci11 at ppb10 bus 3
bnx0 at pci11 dev 0 function 0 "Broadcom BCM5708" rev 0x12: apic 8 int
18 ppb11 at pci0 dev 7 function 0 "Intel 5000 PCIE" rev 0xb1
pci12 at ppb11 bus 4

Re: OpenBSD NFS: Windows 10 writes wrong uid

2017-06-13 Thread Raul Miller
Worse, though, is if you think that a security issue on a file server
is because of a problem in the default client configuration.

Mind you, this is not completely general (load issues and integrity
issues do matter on the client side), but when we're talking about
granting of permissions on those files it's about as wrong as you can
get.

-- 
Raul


On Tue, Jun 13, 2017 at 1:47 AM, Otto Moerbeek  wrote:
> On Tue, Jun 13, 2017 at 01:24:19AM -0400, Rupert Gallagher wrote:
>
>> If a non-root user can delete a root owned file with read-only permissions, 
>> then there is a security problem. Good luck to you if you are thinking 
>> otherwise.
>
> This is not how unix permissions work. The directory permissions
> detemine if you can remove a file.
>
> If you expect otherwise, you should adapt your expectations.
>
> -Otto
>
>>
>> The windows nfs umask solves the problem of writing files to both user and 
>> group. It certainly does not solve the above security problem.
>>
>> Sent from ProtonMail Mobile
>>
>> On Mon, Jun 12, 2017 at 10:27 PM, Raul Miller  wrote: 
>> You have a very odd idea of "security". Probably though, this is the
>> wrong mailing list for what you are trying to do.
>>
>> Good luck,
>>
>> --
>> Raul
>>
>> On Mon, Jun 12, 2017 at 2:27 PM, Rupert Gallagher  
>> wrote:
>> > I think the problem is how windows mounts the nfs folder by default (right 
>> > click on "this computer" then select to attach a network folder to a drive 
>> > letter). The following article by Microsoft describes the mount option 
>> > "fileaccess" to set a default umask:
>> >
>> > https://technet.microsoft.com/en-us/library/cc754350(v=ws.11).aspx
>> >
>> > This option is not available from the default menu.
>> >
>> > Sent from ProtonMail Mobile
>> >
>> > On Mon, Jun 12, 2017 at 7:24 PM, Raul Miller  
>> > wrote: p.s. if you do not want windows files in that shared directory to be
>> > executable, I think you can mount the nfs backing store partition
>> > noexec.
>> >
>> > I haven't tested this, though - I mostly try to avoid networked file 
>> > systems.
>> >
>> > Thanks,
>> >
>> > --
>> > Raul
>> >
>> > On Mon, Jun 12, 2017 at 1:22 PM, Raul Miller  wrote:
>> >> Ok, look...
>> >>
>> >> Your problem 1: all windows files are executable because the windows
>> >> model for executable or not is proprietary and not supportable. It's
>> >> also not clear why you should care about this in a shared directory.
>> >>
>> >> Your problem 2: if we assume that a shared directory (rather than user
>> >> specific directories) is the right approach, and if we also assume
>> >> that each user's claim to a file name should deny write access to
>> >> other users with that file name, we need to look at the permissions on
>> >> the containing directory.
>> >>
>> >> In your case, you have drwxrwxr-x -- this means that everyone who is a
>> >> member of the staff directory has the right to remove directory
>> >> entries. If you do not want that, you need to change the permissions
>> >> on the directory: http://man.openbsd.org/sticky.8
>> >>
>> >> But, note that if you are changing the owner on the files to not match
>> >> that of the user who created the files, you should expect that people
>> >> will not be able to delete files that they themselves created.
>> >>
>> >> Your problem 3: this is a consequence of your having changed the owner
>> >> of the file. Your file permissions say that only the owner can change
>> >> the file.
>> >>
>> >> With this in mind, I think I can see how I would change things to
>> >> match what you seem to be claiming that you want:
>> >>
>> >> (1) remove the user id mapping
>> >>
>> >> (2) set the sticky bit on the Shared directory.
>> >>
>> >> If you do not want this, I think you need to spend a little time
>> >> thinking about what it is that you actually want, and whether or not
>> >> that should even be possible.
>> >>
>> >> (So far, you have only mentioned an example uid value for a user as
>> >> perhaps being an issue. This, combined with the subject line in this
>> >> thread are the only clues I have as to why you might not have removed
>> >> the user id mapping. But why this should even be an issue for you is
>> >> unclear to me.)
>> >>
>> >> Thanks,
>> >>
>> >> --
>> >> Raul
>> >>
>> >>
>> >> On Mon, Jun 12, 2017 at 12:58 PM, Rupert Gallagher  
>> >> wrote:
>> >>> On problem 2,
>> >>>
>> >>> if a user has group write permission on a folder, it has permission to 
>> >>> write its own files and those of same group membership in that folder, 
>> >>> provided the group permission is set on the file by its owner. If a file 
>> >>> belongs to me and I deny write permission to group and other, then 
>> >>> nobody can write my file. File creation and destruction are forms of 
>> >>> writing. This is what I am used to see. The ability of a windows nfs 
>> >>> user to delete a file for 

Re: inquiring about setting wxallowed on /home mountpoint

2017-06-13 Thread Theo de Raadt
> However, the convenience of just installing packages is then lost.
> After a discussion on IRC, a couple of ways to deal with this came up:
> 
> 1. add a non-USE_WXNEEDED flavour of the python port
> 
> 2. have the python port(s) ship two binaries (one with, one without
>OPENBSD_WXNEEDED)
> 
> 3. allow running binaries that have the OPENBSD_WXNEEDED header from
>non-wxallowed filesystems, but simply kill them once they try W|X

4. Roll up sleeves and fix the issue.



Re: Xfce power manager and Brightness

2017-06-13 Thread Juan Francisco Cantero Hurtado
On Tue, Jun 13, 2017 at 10:39:00AM +0200, Erling Westenvik wrote:
> On Tue, Jun 13, 2017 at 10:54:27AM +0300, G wrote:
> > Hello.
> > I'm running xfce and xfce4-power-manager doesn't seems to work.
> > with lock screen.

Read the docs in /usr/local/share/doc/pkg-readmes. You need xscreensaver
or gnome-screensaver installed.

> >
> > Also I would like to know how can I change the brightness of the screen.
> 
> $ man -k bright
> xbacklight(1) - adjust backlight brightness using RandR extension
> 
> For further experimenting, consider xgamma(1). And there is a program in
> ports/packages called sct(1) (set color temperature) written by tedu@.


-- 
Juan Francisco Cantero Hurtado http://juanfra.info



Re: Use of upwexpire to configure user password expiry policy

2017-06-13 Thread Darren Marshall
Hi Ted,

Thanks for the info , Ok, at least I now know I was on the right lines.  I
just had a quick read through the adduser script and it seems to me that
there are no routines in there to deal with upwexpire , for instance I
guess it would need to take the input from adduser.conf (in my case "60d")
and convert this to a Unix epoch timestamp and write this into field 6 of
the password file.

wonder if this ever worked ?, Anyone ?

Thanks daz


On 9 June 2017 at 17:50, Ted Unangst  wrote:

> Darren Marshall wrote:
> > Hi guys,
> >
> > I'm trying to create a policy whereby a user added to an OpenBSD 6.0
> system
> > automatically gets their password expiry set to 60 days.
> >
> > I did think that this could be accomplished by adding upwexpire="60d" to
> > /etc/adduser.conf but subsequent adding of a test user using adduser
> > doesn't inherit this setting , field 6 of their passwd entry is set to 0.
> >
> > Anyone got any idea how to achieve this?
>
> From adduser:
>
> # obscure perl bug
> $new_entry = "$name\:" . "$cryptpwd" .
> "\:$u_id\:$g_id\:$log_cl:0:0:$fullname:$home/$name:$sh";
>
> I will leave it to the ancient wizards to tell us more about the obscure
> perl
> bug, but it's easy to see the hardcoded 0:0 for change and expiry.
>


Re: Use of upwexpire to configure user password expiry policy

2017-06-13 Thread Darren Marshall
Edgar ,

Thanks for the advice , unfortunately , usermgmnt.conf doesn't allow you to
set a password to expire in 60 days , you would have to work out (or write
a script to update the file each day) , the date in 60 days time -

 *expire* Sets the default time at which the new accounts expire.
Both

the expire and inactive fields should be entered in the form

``month day year'', where month is the month name (the first

three characters are sufficient), day is the day of the
month,

and year is the year.  Time in seconds since the Epoch (UTC)

is also valid.  A value of 0 can be used to disable this

feature.

Cheers daz

On 9 June 2017 at 17:36, Edgar Pettijohn  wrote:

> I think you are looking for usermgmt.conf, or useradd -D -e `date`
>
> Sent from BlueMail 
> On Jun 9, 2017, at 11:22 AM, Darren Marshall  wrote:
>>
>> Hi guys,
>>
>> I'm trying to create a policy whereby a user added to an OpenBSD 6.0 system
>> automatically gets their password expiry set to 60 days.
>>
>> I did think that this could be accomplished by adding upwexpire="60d" to
>> /etc/adduser.conf but subsequent adding of a test user using adduser
>> doesn't inherit this setting , field 6 of their passwd entry is set to 0.
>>
>> Anyone got any idea how to achieve this?
>>
>> Many thanks daz
>>
>>


Re: ocsp response not current

2017-06-13 Thread Stuart Henderson
On 2017-06-12, jungle Boogie  wrote:
> On 12 June 2017 at 03:28, Stuart Henderson  wrote:
>> On 2017-06-12, jungle boogie  wrote:
>>> Hi All,
>>>
>>> I'm attempting to fetch the latest bsd.rd snapshot, but it's failing
>>> because of the ocsp response.
>>>
>>> $ ftp https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd
>>> Trying 129.128.5.191...
>>> Requesting https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd
>>> ftp: SSL write error: ocsp verify failed: ocsp response not current
>>>
>>> Currently on
>>> OpenBSD 6.1-current (GENERIC.MP) #116: Sat Jun 10 22:34:37 MDT 2017
>>>
>>> Any clues as to what's happening with the ocsp response?
>>>
>>> Thanks,
>>> j.b.
>>>
>>>
>>
>> It's a server-side problem, same on www.openbsd.org. Not visible in
>> normal graphical browsers because they fallback to the CA's OCSP server
>> whereas ftp(1) just relies on the stapled cert.
>>
>
> Ah, that explains why I didn't see it within firefox.
>
>> Simplest workaround is to use a mirror, but it does mean that the
>> installer won't be showing the list of mirrors at the moment (or
>> feeding into initial RNG entropy) even if your clock is correct,
>> so you'll also need to type the mirror's hostname by hand in the
>> installer.
>>
>
> FreeBSD's fetch wasn't affected for some reason or another so I was
> able to fetch bsd.rd and scp it to my OpenBSD machine.

That one doesn't check ocsp (and neither does wget). curl can optionally
check it but only if you use --cert-status. ftp(1) checks it unless you
set -S noverifytime.

> The auto upgrade either downgraded to http or didn't care about the OCSP.

Ah, auto upgrade with a response-file providing the mirror's name
might mean you don't notice it. Any manual upgrades/installs while
the ocsp pinning was outdated would have failed to fetch the mirror
list. (It has since been fixed on the server).




sshd and key auth problem

2017-06-13 Thread Markus Rosjat

Hi there,

I have very strange behaviour here with my sshd setup. I run a 6.1 
release to test some stuff for sftp.


I created my user and created a ssh key pair, generated a ppk for a 
putty session all no problem.


Then I created a 2nd user for a sftp group and did the same as above. 
All worked well and I statrted to alter the permissions to test sftp and 
there sshd started to refuse my key for the 2nd user.


Ok so I changed all permissons back to the 2nd user but sshd still tells 
me it cant read the authorized_keys file. I checked twice ownership and 
permissions with my user and it should work but its seems I still miss 
something here.


Any advice is appreciated

Regards

--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT




Re: Rsnapshot configuration

2017-06-13 Thread Stuart Henderson
On 2017-06-13, G  wrote:
> Hello!
> Im trying to take daily and weekly backups of my system rsnapshot.
>
> I backup
>
> backup/   localhost/
> backup/altroot/   localhost/
> backup/bin/   localhost/
> backup/etc/   localhost/
> backup/home/  localhost/
> backup/root/  localhost/
> backup/sbin   localhost/
> backup/usr/   localhost/
>
>
> and i exclude
>
> exclude   /dev/
> exclude   /mnt/usb/
> exclude   /mnt/cdrom/
> exclude   /tmp/
> exclude   /var/
> exclude /home/.snapshot/
>
> Im not sure if there is anything in var that i should consider backup
> like sysmerge or syspatch.

It depends what you're running - you'll have to look at what's in there
and decide for yourself.

Personally I backup /var by default and exclude any specific things
that I don't want.




Re: Rsnapshot configuration

2017-06-13 Thread Mark Carroll
On 13 Jun 2017, G. wrote:

> Hello!
> Im trying to take daily and weekly backups of my system rsnapshot.
(snip)
> Im not sure if there is anything in var that i should consider backup
> like sysmerge or syspatch.
(snip)

I have various stuff across different machines that is worth backing up
in var/ like directories for nsd, unbound, www, etc. It all depends what
you're using your machine for thus what you've put in those.

Storage these days is cheap: my usual approach is to back up everything
except stuff that I have hunted down via "du" and suchlike as being
actually rather large and decided I can certainly live without. Better
to back up a bit too much rather than too little. (Note that things like
logs are rather compressible so even "du" may badly overstate them.)

-- Mark



Re: inquiring about setting wxallowed on /home mountpoint

2017-06-13 Thread Paul de Weerd
On Tue, Jun 13, 2017 at 07:45:35AM +, Stuart Henderson wrote:
| On 2017-06-13, Josh Stephens  wrote:
| > Thank you Theo. After reading through your reply I would rather not
| > deal with a potential risk. I decided to go down the path of adding a
| > venv directory in /usr/local and giving my account as owner and wheel
| > as group. This should allow the python binaries to stay in /usr/local
| > and not have to set wxallowed on my /home directory. I believe this to
| > be a safer option but unfortunately security is not my strong suite so
| > I might be missing another security implication by going down this
| > road.
| >
| >
| 
| Note that python itself doesn't need W|X mappings, as long as you aren't
| using the very small number of python modules that need them (mostly
| webkit-related) you can remove the USE_WXNEEDED line from the port and
| rebuild from there..

So, I'm one of those people that use python but not the modules that
require W|X.  It seems to me that I can further improve the security
of my machine by mounting /usr/local without wxallowed and building
python without USE_WXNEEDED like you suggest.

However, the convenience of just installing packages is then lost.
After a discussion on IRC, a couple of ways to deal with this came up:

1. add a non-USE_WXNEEDED flavour of the python port

2. have the python port(s) ship two binaries (one with, one without
   OPENBSD_WXNEEDED)

3. allow running binaries that have the OPENBSD_WXNEEDED header from
   non-wxallowed filesystems, but simply kill them once they try W|X


The first one gets hairy quick, when you later decide to install one
of the python modules that require W|X (solution "don't do that
then"?).  The third option seems unlikely given the direction of
development in this area so far.  So, what about 2)?

I'll readily admit it's not my idea, but I do like it as a way of
further improving the security of my system (by ensuring nothing runs
with W|X), while still allowing me to use python (which, in my case,
shouldn't be using W|X).

Even if, at some point in the future, those few modules that require
W|X are fixed to no longer do that, you can still write python code
that needs it (much like you can still write C code that does this);
so how do we progress from here if the goal is to get rid of the
wxallowed flag and the OPENBSD_WXNEEDED header altogether and just
flat out always refuse W|X?

Thoughts?

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Rsnapshot configuration

2017-06-13 Thread G
Hello!
Im trying to take daily and weekly backups of my system rsnapshot.

I backup

backup  /   localhost/
backup  /altroot/   localhost/
backup  /bin/   localhost/
backup  /etc/   localhost/
backup  /home/  localhost/
backup  /root/  localhost/
backup  /sbin   localhost/
backup  /usr/   localhost/


and i exclude

exclude /dev/
exclude /mnt/usb/
exclude /mnt/cdrom/
exclude /tmp/
exclude /var/
exclude /home/.snapshot/

Im not sure if there is anything in var that i should consider backup
like sysmerge or syspatch.

Thanks!


My full /etc/rsnapshot.conf follows


#
# rsnapshot.conf - rsnapshot configuration file #
#
#   #
# PLEASE BE AWARE OF THE FOLLOWING RULE:#
#   #
# This file requires tabs between elements  #
#   #
#

###
# CONFIG FILE VERSION #
###

config_version  1.2

###
# SNAPSHOT ROOT DIRECTORY #
###

# All snapshots will be stored under this root directory.
#
snapshot_root   /home/.snapshots/

# If no_create_root is enabled, rsnapshot will not automatically create the
# snapshot_root directory. This is particularly useful if you are backing
# up to removable media, such as a FireWire or USB drive.
#
#no_create_root 1

#
# EXTERNAL PROGRAM DEPENDENCIES #
#

# LINUX USERS:   Be sure to uncomment "cmd_cp". This gives you extra
features.
# EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
#
# See the README file or the man page for more details.
#
cmd_cp  /bin/cp

# uncomment this to use the rm program instead of the built-in perl routine.
#
cmd_rm  /bin/rm

# rsync must be enabled for anything to work. This is the only command that
# must be enabled.
#
cmd_rsync   /usr/local/bin/rsync

# Uncomment this to enable remote ssh backups over rsync.
#
#cmd_ssh/usr/bin/ssh

# Comment this out to disable syslog support.
#
cmd_logger  /usr/bin/logger

# Uncomment this to specify the path to "du" for disk usage checks.
# If you have an older version of "du", you may also want to check the
# "du_args" parameter below.
#
cmd_du  /usr/bin/du

# Uncomment this to specify the path to rsnapshot-diff.
#
cmd_rsnapshot_diff  /usr/local/bin/rsnapshot-diff

# Specify the path to a script (and any optional arguments) to run right
# before rsnapshot syncs files
#
#cmd_preexec/path/to/preexec/script

# Specify the path to a script (and any optional arguments) to run right
# after rsnapshot syncs files
#
#cmd_postexec   /path/to/postexec/script

# Paths to lvcreate, lvremove, mount and umount commands, for use with
# Linux LVMs.
#
#linux_lvm_cmd_lvcreate /path/to/lvcreate
#linux_lvm_cmd_lvremove /path/to/lvremove
#linux_lvm_cmd_mount/sbin/mount
#linux_lvm_cmd_umount   /sbin/umount

#
# BACKUP LEVELS / INTERVALS #
# Must be unique and in ascending order #
# e.g. alpha, beta, gamma, etc. #
#

retain  daily   3
retain  weekly  3

#retain delta   3


#  GLOBAL OPTIONS  #
# All are optional, with sensible defaults #


# Verbose level, 1 through 5.
# 1 Quiet   Print fatal errors only
# 2 Default Print errors and warnings only
# 3 Verbose Show equivalent shell commands being executed
# 4 Extra Verbose   Show extra verbose information
# 5 Debug mode  Everything
#
verbose 2

# Same as "verbose" above, but controls the amount of data sent to the
# logfile, if one is being used. The default is 3.
#
loglevel3

# If you enable this, data will be written to the file you specify. The
# amount of data written is controlled by the "loglevel" parameter.
#
#logfile/var/log/rsnapshot

# If enabled, rsnapshot will write a lockfile to prevent two instances
# from running simultaneously (and messing up the snapshot_root).
# If you enable this, make sure the lockfile directory is not world
# writable. Otherwise anyone can prevent the program from running.
#
lockfile/var/run/rsnapshot.pid

# By default, rsnapshot check lockfile, check if PID is running
# and if not, consider lockfile as stale, then start
# Enabling this stop rsnapshot if PID in lockfile is not running
#
#stop_on_stale_lockfile 0

# Default rsync args. All rsync commands have at least these options set.
#
#rsync_short_args   -a
#rsync_long_args--delete --numeric-ids --relative --delete-excluded

# ssh has no args passed by default, but you can specify some here.
#

Re: Xfce power manager and Brightness

2017-06-13 Thread Erling Westenvik
On Tue, Jun 13, 2017 at 10:54:27AM +0300, G wrote:
> Hello.
> I'm running xfce and xfce4-power-manager doesn't seems to work.
> with lock screen.
>
> Also I would like to know how can I change the brightness of the screen.

$ man -k bright
xbacklight(1) - adjust backlight brightness using RandR extension

For further experimenting, consider xgamma(1). And there is a program in
ports/packages called sct(1) (set color temperature) written by tedu@.

Erling



Xfce power manager and Brightness

2017-06-13 Thread G
Hello.
I'm running xfce and xfce4-power-manager doesn't seems to work.
with lock screen.

Also I would like to know how can I change the brightness of the screen.

Any ideas?

thanks in advance!



Re: inquiring about setting wxallowed on /home mountpoint

2017-06-13 Thread Stuart Henderson
On 2017-06-13, Josh Stephens  wrote:
> Thank you Theo. After reading through your reply I would rather not
> deal with a potential risk. I decided to go down the path of adding a
> venv directory in /usr/local and giving my account as owner and wheel
> as group. This should allow the python binaries to stay in /usr/local
> and not have to set wxallowed on my /home directory. I believe this to
> be a safer option but unfortunately security is not my strong suite so
> I might be missing another security implication by going down this
> road.
>
>

Note that python itself doesn't need W|X mappings, as long as you aren't
using the very small number of python modules that need them (mostly
webkit-related) you can remove the USE_WXNEEDED line from the port and
rebuild from there..




isakmpd memory usage

2017-06-13 Thread Nicolas
Hi everyone

I'm searching some help about isakmpd, which is eating a lot of memory, until 
the machine crash. It's an OpenBSD 6.1 on Qemu KVM (ganeti).
After 3 days, the process is using 650MB of memory.

When she's "freezed", she's unreachable on network, and on console she's 
blinking on tty, like normal, but we can't write anything on it.
No .core are generated.

I got a lot of errors like "INVALID_ID_INFORMATION" on "NO_PROPOSAL_CHOSEN" on 
ipsec logs, but ipsec connections are working.

Any idea how I can debug it?
Thanks,

Nicolas


Re: bgp-spamd added 192.43.244.163

2017-06-13 Thread Peter Hessler
I don't see that on either server.  Can you send me the output of
"bgpctl show rib detail 192.43.244.163"?  Is it actually coming from a
different list?


On 2017 Jun 13 (Tue) at 08:00:05 +0200 (+0200), Markus Rosjat wrote:
:just a short head up,
:
:192.43.244.163 got added to the 666 community again if anyone ist wondering
:why mails from the list dont show up.
:
:regards
:
:-- 
:Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:Königsbrücker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220   fax: +49 351 8107227
:
:Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you
:print it, think about your responsibility and commitment to the ENVIRONMENT
:

-- 
If two wrongs don't make a right, try three.
-- Laurence J. Peter



X on thinkpad x270 - "Inappropriate ioctl for device"

2017-06-13 Thread Pau
Hi:

I recently got an x270 at work. It is very nice and I hope to be able
to use OpenBSD on it.

Fortunately, the latest snapshot supports the wireless card via iwm0
(thanks!).

em0 shows the error about "Unable to initialize the hardware". I guess
this will be fixed in upcoming snapshots (and again, thanks for the
hard work).

However, I am not able to get X to work.

I have created a small partition with linux on it until I can get
OpenBSD to be working with X. It resides in the first part of the
drive, linux grub is managing the starting up. I am using UEFI, but
the bios allows me to also boot on "legacy".

I attach dmesg and also Xorg.0.log and my xorg.conf.

The xorg.conf is not working:

[87.907] (II) wsfb(0): using default device
[87.907] (EE) wsfb(0): no way to get depth info: Inappropriate
ioctl for device


Unfortunately I am not sure what this means. The same happens if I
boot on legacy.

However, I have noticed that there are no differences in the
resolution of the blue boot screen of OpenBSD when I start on uefi.
When I installed, the resolution was different. Maybe the error is
coming because linux is installed in the first part of the drive?

Should I be using a different driver than wsfb?

thanks

--- dmesg ---

OpenBSD 6.1-current (GENERIC.MP) #113: Fri Jun  9 20:32:02 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8112676864 (7736MB)
avail mem = 7861014528 (7496MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xbfb57000 (62 entries)
bios0: vendor LENOVO version "R0IET29W (1.07 )" date 01/10/2017
bios0: LENOVO 20HNA004CD
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT SSDT
BOOT BATB SSDT SSDT SSDT WSMT DBGP DBG2 MSDM ASF! FPDT UEFI
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4)
RP02(S4) RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) RP09(S4)
RP10(S4) RP11(S4) RP12(S4) RP13(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 290400 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 

Re: bgp-spamd added 192.43.244.163

2017-06-13 Thread Markus Rosjat

just a short head up,

192.43.244.163 got added to the 666 community again if anyone ist 
wondering why mails from the list dont show up.


regards

--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT