Re: Mac G4 Cube Problems

2017-10-24 Thread patrick keshishian
On 10/24/17, Daniel Boyd  wrote:
> I'm into week 2 of trying to get OpenBSD installed on my G4 Cube.
>
> I first tried installing via CD, but the CD-ROM drive is broken.
>
> I then tried DHCP/TFTP/NFS booting but couldn't get that working.
>
> I then tried attaching another IDE CD-ROM drive to the Cube, but I
> couldn't get the CD to boot (tried install62.iso and cd62.iso).
>
> boot cd:,ofwboot /6.2/macppc/bsd.rd DISK-LABEL: read of block 0 failed
> ATAPI-DISK: open of DISK-LABEL failed can't OPEN: cd:,ofwboot
>
> I guess maybe the IDE drive is having issues reading the CD?  I have no
> idea.
>
> Abandoning that idea, I am now attempting to boot the installer from
> the internal hard drive.  I read in INSTALL.macppc that the bootloader
> has to be on a DOS partition (or HFS if dual booting which I'm not), so
> I looked at the macppc install.md for clues as to how this works.
> Here's what I've done so far:
>
> 1) Installed OpenBSD 6.2 on old spare Dell with IDE hard drive/CD-ROM
> 2) Bought Torx T10 screwdriver off Amazon
> 3) unscrewed some things to get to the IDE connector and then hooked
> the Cube hard drive up to the Dell as IDE secondary master
> 4) copied /usr/mdec/mbr from macppc base62.tgz
> 5) reading from macppc install.md:
> 5a) dd if=/dev/zero of=/dev/rwd1c bs=1M count=1  #assume this is
> wiping out the old MBR
> 5b) fdisk -f mbr -iy wd1 #write default macppc mbr to disk
> 6) newfs -t msdos wd1i

my guess is this step screws your process. You are running into an
endianness issue. Your Dell is little-endian while MacPPC is big-endian
and OpenBSD assumes native endianness on file systems (I am pretty
sure I've read that somewhere).

Need to find another MacPPC based system to run your steps through.

--patrick


> 7) newfs all the openbsd partitions
> 8) mount dos partition and wd1a ffs partition
> 9) copy ofwboot to dos partition
> 10) copy bsd.rd and installation tgz files to ffs partition
>
> 11) Hooked the hard drive back into the Cube, powered it on and then
> typed this into OpenFirmware
>
> 0 > boot hd:,ofwboot /bsd.rd
>
> the system added things to the end of that line after I pressed enter:
> 0 > boot hd:,ofwboot /bsd.rd load-size=fcbc adler32=c626975c
>
> and...
>
> Loading ELF
> >> OpenBSD/macppc BOOT 1.6
> /pci@f200/mac-io@17/ata-4@1f000/disk@0:/etc/boot.conf: line too
> long
> boot >
> booting /pci@f200/mac-io@17/ata-4@1f000/disk@0:/bsd.rd /pci@f20
> 0/mac-io@17/ata-4@1f000/disk@0:/bsd.rd: Inappropriate file type or
> format
>  failed(12304). will try /bsd
>
> So...what am I doing wrong?  It's finding ofwboot, but not the kernel.
> Where is ofwboot looking for bsd.rd??  I assume it shouldn't go in the
> DOS partition since it's only recommended to be 1MB.
>
>



Mac G4 Cube Problems

2017-10-24 Thread Daniel Boyd
I'm into week 2 of trying to get OpenBSD installed on my G4 Cube.

I first tried installing via CD, but the CD-ROM drive is broken.

I then tried DHCP/TFTP/NFS booting but couldn't get that working.

I then tried attaching another IDE CD-ROM drive to the Cube, but I
couldn't get the CD to boot (tried install62.iso and cd62.iso).  

boot cd:,ofwboot /6.2/macppc/bsd.rd DISK-LABEL: read of block 0 failed
ATAPI-DISK: open of DISK-LABEL failed can't OPEN: cd:,ofwboot

I guess maybe the IDE drive is having issues reading the CD?  I have no
idea.

Abandoning that idea, I am now attempting to boot the installer from
the internal hard drive.  I read in INSTALL.macppc that the bootloader
has to be on a DOS partition (or HFS if dual booting which I'm not), so
I looked at the macppc install.md for clues as to how this works. 
Here's what I've done so far:

1) Installed OpenBSD 6.2 on old spare Dell with IDE hard drive/CD-ROM
2) Bought Torx T10 screwdriver off Amazon
3) unscrewed some things to get to the IDE connector and then hooked
the Cube hard drive up to the Dell as IDE secondary master
4) copied /usr/mdec/mbr from macppc base62.tgz
5) reading from macppc install.md:
5a) dd if=/dev/zero of=/dev/rwd1c bs=1M count=1  #assume this is
wiping out the old MBR
5b) fdisk -f mbr -iy wd1 #write default macppc mbr to disk
6) newfs -t msdos wd1i
7) newfs all the openbsd partitions
8) mount dos partition and wd1a ffs partition
9) copy ofwboot to dos partition
10) copy bsd.rd and installation tgz files to ffs partition

11) Hooked the hard drive back into the Cube, powered it on and then 
typed this into OpenFirmware

0 > boot hd:,ofwboot /bsd.rd

the system added things to the end of that line after I pressed enter:
0 > boot hd:,ofwboot /bsd.rd load-size=fcbc adler32=c626975c

and...

Loading ELF
>> OpenBSD/macppc BOOT 1.6
/pci@f200/mac-io@17/ata-4@1f000/disk@0:/etc/boot.conf: line too
long
boot >
booting /pci@f200/mac-io@17/ata-4@1f000/disk@0:/bsd.rd /pci@f20
0/mac-io@17/ata-4@1f000/disk@0:/bsd.rd: Inappropriate file type or
format
 failed(12304). will try /bsd

So...what am I doing wrong?  It's finding ofwboot, but not the kernel. 
Where is ofwboot looking for bsd.rd??  I assume it shouldn't go in the
DOS partition since it's only recommended to be 1MB.



Re: Forum software

2017-10-24 Thread Fabio Scotoni
On 10/24/2017 08:30 PM, flipchan wrote:
> Grtz *!
> Sorry for going a little bit off topic, me and a friend are trying to rebuild a
> Swedish OpenBSD forum (openbsd.se); it's been live since 2005, and been
> running PunBB.
> But PunBB is not actively being developed and we wonder if anyone can
> suggest a good forum software; we don't have time to write one from scratch
> (both have full time jobs and kids and other stuff, but we want a Swedish
> OpenBSD forum to flourish)
> 
> 
> Could anyone suggest some forum software that we can run?

You may want to consider Vanilla. It's fairly bare bones, though the
interface radically differs from PunBB with a focus on individual
conversations over categories/subforums.

Phorum and FluxBB, the most obvious alternatives, also seem to be stuck.
They don't seem to be making any progress in development.

There's also MyBB, but it's noticeably heavier and less minimalistic.
XenForo's headed in a similar direction as MyBB. It's fairly usable but
proprietary software.

Discourse is kind of its own thing. It also departs from the PHP stack
you seem to be running, so it'd be a major switchover in more than one way.

I hope this brief overview helps.

> We are also thinking about posting tutorials on the site to help more people
> find OpenBSD through search engines.
> 
> Take care all!
> And thanks in advance 
> 

On that note: There have been some conversations criticizing the notion
of tutorials; see
https://marc.info/?l=openbsd-misc=150216054831531=2. Of course, it's
your call how to proceed.



Re: is there something missing in pledge?

2017-10-24 Thread Peter J. Philipp
Do what you wish with it, it's a gift.  It is based on hours of
debugging to find out why exactly /etc/spwd.db does not read when
pledged, and when not pledged it was the same case for cpio.  It's all
irrelevant now since I managed to write my own cpio implementation in
code (easier than you think) and it bypasses all pledge checks, which
satisfies me.

When someone comes along and has the same problem all they have is
search engines to find out why this all is. :-)  I'm good with it.

Cheers,

-peter

On 10/24/17 20:25, Ingo Schwarze wrote:
> Hi Peter,
>
> Peter J. Philipp wrote on Tue, Oct 24, 2017 at 04:35:12PM +0200:
>
>> Index: open.2
>> ===
>> RCS file: /cvs/src/lib/libc/sys/open.2,v
>> retrieving revision 1.49
>> diff -u -p -u -r1.49 open.2
>> --- open.2   19 Jan 2015 15:54:11 -  1.49
>> +++ open.2   24 Oct 2017 14:28:30 -
>> @@ -235,6 +235,10 @@ and
>>  .Fn openat
>>  functions will fail if:
>>  .Bl -tag -width Er
>> +.It Bq Er EPERM
>> +When opening a special file and the program has requested certain
>> +.Xr pledge 2
>> +promises.
>>  .It Bq Er ENOTDIR
>>  A component of the path prefix is not a directory.
>>  .It Bq Er ENOTDIR
> I'm not convinced.
>
>  1) I don't like the idea of scattering pledge(2) documentation
> all over the place.
>
>  2) To me, this feels like a detail that might easily change without
> notice, and then we risk leaving a bug behind in the manual.
>
>  3) ERRORS sections are in a bad shape in general, both in POSIX
> and in our manuals.  In POSIX, they are quite incomplete, which
> makes POSIX quite confusing if you really want to code errno
> checks in a portable manner.  We have huge amounts of extensions
> in this area, many of them allowed by the standard, some
> forbidden, many documented, many undocumented, some documented
> in ways that are outright wrong, and we explain almost nowhere
> which ERRORS are standard and which are extensions.  We should,
> because otherwise people can't check them portably, and telling
> people to read POSIX itself just isn't realistic with respect
> to ERRORS, given the mess people will find there.
>
> What you add here is an extremely minor detail in an area that is
> severely under-documented and disorganized in much more relevant
> respects.  Besides, the number of ERRORS entries in the open(2)
> manual in particular is already excessive without this addition.
>
> So your patch feels a bit like lipstick on a grazing hippo, somewhere
> near the rear end, in the late afternoon shortly before it goes
> back into the water.
>
>
> I'm not saying such stuff should remain undocumented, but i *am*
> at a loss where to start.  Probably not with this particular detail.
>
> Yours,
>   Ingo



Re: Forum software

2017-10-24 Thread garry


- Original Message -
From: "flipchan" 
To:
Cc:
Sent:Tue, 24 Oct 2017 18:30:30 +
Subject:Forum software

 Grtz *!
 Sorry for going a little bit off topic, me and a friend are trying to
rebuild a Swedish OpenBSD forum (openbsd.se); it's been live since 2005,
and been running PunBB.
 But PunBB is not actively being developed and we wonder if anyone
can suggest a good forum software; we don't have time to write one
from scratch (both have full time jobs and kids and other stuff, but
we want a Swedish OpenBSD forum to flourish)

 Could anyone suggest some forum software that we can run?

 We are also thinking about posting tutorials on the site to help more
people find OpenBSD through search engines.

 Take care all!
 And thanks in advance 
 -- 
 Take Care Sincerely flipchan layerprox dev

=
I have been using FluxBB on an OpenBSD server for a few months now; it
works fine and installed very easily.  Also, Drupal is in the OpenBSD
packages.
FluxBB uses PunBB-type scripts as well.
  http://www.parrotsandopenbsd.org/
---
ttp://www.parrotsandopenbsd.org/myforum/index.php



Re: Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?

2017-10-24 Thread tec...@protonmail.com
I will have a look into this tonight and see if I can figure it out with that.

Thank you

>  Original Message 
> Subject: Re: Running OpenVPN as a client breaks SSH access into same box? Is 
> it a problem with default route being changed?
> Local Time: 24 October 2017 10:28 PM
> UTC Time: 24 October 2017 20:28
> From: danj+o...@chown.me
> To: misc@openbsd.org
>
> On Tue, 24 Oct 2017 16:25:08 -0400, 
> "tec...@protonmail.com"
> tec...@protonmail.com wrote:
>
>> It's currently a bit tricky for me getting into the box physically.
>> If only I had SSH access ha!
>> I'm almost 100% certain that returning packets are being routed over
>> the tun0 (new default route) interface instead of em0.
>>
>> http://man.openbsd.org/pf.conf#reply-to should help you
>>
>>>  Original Message 
>>> Subject: Re: Running OpenVPN as a client breaks SSH access into
>>> same box? Is it a problem with default route being changed? Local
>>> Time: 24 October 2017 10:13 PM UTC Time: 24 October 2017 20:13
>>> From: kgo...@gmail.com
>>> To: tec...@protonmail.com tec...@protonmail.com
>>> you are more likely to receive help if you post the output of
>>> "ifconfig -a" and "netstat -nr" commands.
>>> On Tue, Oct 24, 2017 at 4:06 PM, tec...@protonmail.com
>>> tec...@protonmail.com wrote:
>>>
>>>> Hi,
>>>> I have a very very basic setup. Not using any other pf rules other
>>>> than what comes default with 6.2-Release and almost every other
>>>> release. Running OpenVPN works without a problem - able to connect
>>>> as a client to a remote OpenVPN server. Everything is properly
>>>> routing, verified by checking my IP. Problem is that as soon as
>>>> OpenVPN is running, I cannot SSH in to my OpenBSD machine from any
>>>> other machine on the Lan. Now, I'm guessing this has something to
>>>> do with the default route being changed automatically by OpenVPN
>>>> but I am still a total newbie with routing and pf so I have not a
>>>> clue how to fix this, especially in any sort of manner which I can
>>>> safely assume it to be the correct way. Can someone tell me how to
>>>> resolve this? Thank

Re: Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?

2017-10-24 Thread Daniel Jakots
On Tue, 24 Oct 2017 16:25:08 -0400, "tec...@protonmail.com"
 wrote:

> It's currently a bit tricky for me getting into the box physically.
> If only I had SSH access ha!
> 
> I'm almost 100% certain that returning packets are being routed over
> the tun0 (new default route) interface instead of em0.

http://man.openbsd.org/pf.conf#reply-to should help you

> 
> >  Original Message 
> > Subject: Re: Running OpenVPN as a client breaks SSH access into
> > same box? Is it a problem with default route being changed? Local
> > Time: 24 October 2017 10:13 PM UTC Time: 24 October 2017 20:13
> > From: kgo...@gmail.com
> > To: tec...@protonmail.com 
> >
> > you are more likely to receive help if you post the output of
> > "ifconfig -a" and "netstat -nr" commands.
> >
> > On Tue, Oct 24, 2017 at 4:06 PM, tec...@protonmail.com
> > tec...@protonmail.com wrote:
> >  
> >> Hi,
> >> I have a very very basic setup. Not using any other pf rules other
> >> than what comes default with 6.2-Release and almost every other
> >> release. Running OpenVPN works without a problem - able to connect
> >> as a client to a remote OpenVPN server. Everything is properly
> >> routing, verified by checking my IP. Problem is that as soon as
> >> OpenVPN is running, I cannot SSH in to my OpenBSD machine from any
> >> other machine on the Lan. Now, I'm guessing this has something to
> >> do with the default route being changed automatically by OpenVPN
> >> but I am still a total newbie with routing and pf so I have not a
> >> clue how to fix this, especially in any sort of manner which I can
> >> safely assume it to be the correct way. Can someone tell me how to
> >> resolve this? Thank  



Re: Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?

2017-10-24 Thread tec...@protonmail.com
It's currently a bit tricky for me getting into the box physically.  If only I 
had SSH access ha!

I'm almost 100% certain that returning packets are being routed over the tun0 
(new default route) interface instead of em0.

Thanks

>  Original Message 
> Subject: Re: Running OpenVPN as a client breaks SSH access into same box? Is 
> it a problem with default route being changed?
> Local Time: 24 October 2017 10:13 PM
> UTC Time: 24 October 2017 20:13
> From: kgo...@gmail.com
> To: tec...@protonmail.com 
>
> you are more likely to receive help if you post the output of
> "ifconfig -a" and "netstat -nr" commands.
>
> On Tue, Oct 24, 2017 at 4:06 PM, tec...@protonmail.com
> tec...@protonmail.com wrote:
>
>> Hi,
>> I have a very very basic setup. Not using any other pf rules other than what 
>> comes default with 6.2-Release and almost every other release. Running 
>> OpenVPN works without a problem - able to connect as a client to a remote 
>> OpenVPN server. Everything is properly routing, verified by checking my IP.
>> Problem is that as soon as OpenVPN is running, I cannot SSH in to my OpenBSD 
>> machine from any other machine on the Lan. Now, I'm guessing this has 
>> something to do with the default route being changed automatically by 
>> OpenVPN but I am still a total newbie with routing and pf so I have not a 
>> clue how to fix this, especially in any sort of manner which I can safely 
>> assume it to be the correct way.
>> Can someone tell me how to resolve this? Thanks

Re: Forum software

2017-10-24 Thread flipchan
Nice , thanks 

On October 24, 2017 8:55:52 PM GMT+02:00, Tommy Nevtelen  
wrote:
>On 2017-10-24 20:47, Jay Williams wrote:
>> Discourse is a popular option used by a number of open source
>projects.
>>
>> https://www.discourse.org
>
>That is probably a good choice but here is a list of different
>alternatives that might be worth to look at:
>https://github.com/Kickball/awesome-selfhosted/blob/master/README.md#social-networks-and-forums
>
>It's a pretty nice repo with cool projects other than forums as well.
>
>-- 
>Tommy Nevtelen

-- 
Take Care Sincerely flipchan layerprox dev

Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?

2017-10-24 Thread tec...@protonmail.com
Hi,

I have a very very basic setup.  Not using any other pf rules other than what 
comes default with 6.2-Release and almost every other release.  Running OpenVPN 
works without a problem - able to connect as a client to a remote OpenVPN 
server.  Everything is properly routing, verified by checking my IP.

Problem is that as soon as OpenVPN is running, I cannot SSH in to my OpenBSD 
machine from any other machine on the Lan.  Now, I'm guessing this has 
something to do with the default route being changed automatically by OpenVPN 
but I am still a total newbie with routing and pf so I have not a clue how to 
fix this, especially in any sort of manner which I can safely assume it to be 
the correct way.

Can someone tell me how to resolve this?  Thanks

Re: Forum software

2017-10-24 Thread Sohrab Monfared
NodeBB is also a good choice:

https://nodebb.org/

On Tue, Oct 24, 2017 at 10:17 PM, Jay Williams  wrote:

> Discourse is a popular option used by a number of open source projects.
>
> https://www.discourse.org
>
> --
> Jay Williams
>
> > On Oct 24, 2017, at 1:30 PM, flipchan  wrote:
> >
> > Grtz *!
> > Sorry for going a little bit off topic, me and a friend are trying to
> rebuild a Swedish OpenBSD forum (openbsd.se); it's been live since 2005,
> and been running PunBB.
> > But PunBB is not actively being developed and we wonder if anyone can
> suggest a good forum software; we don't have time to write one from
> scratch (both have full time jobs and kids and other stuff, but we want a
> Swedish OpenBSD forum to flourish)
> >
> >
> > Could anyone suggest some forum software that we can run?
> >
> > We are also thinking about posting tutorials on the site to help more
> people find OpenBSD through search engines.
> >
> > Take care all!
> > And thanks in advance
> > --
> > Take Care Sincerely flipchan layerprox dev
>
>


-- 
Best regards
Sohrab Monfared


Re: Forum software

2017-10-24 Thread Tommy Nevtelen
On 2017-10-24 20:47, Jay Williams wrote:
> Discourse is a popular option used by a number of open source projects.
>
> https://www.discourse.org

That is probably a good choice but here is a list of different
alternatives that might be worth to look at:
https://github.com/Kickball/awesome-selfhosted/blob/master/README.md#social-networks-and-forums

It's a pretty nice repo with cool projects other than forums as well.

-- 
Tommy Nevtelen



Re: Forum software

2017-10-24 Thread Jay Williams
Discourse is a popular option used by a number of open source projects.

https://www.discourse.org

-- 
Jay Williams

> On Oct 24, 2017, at 1:30 PM, flipchan  wrote:
> 
> Grtz *!
> Sorry for going a little bit off topic, me and a friend are trying to rebuild a
> Swedish OpenBSD forum (openbsd.se); it's been live since 2005, and been
> running PunBB.
> But PunBB is not actively being developed and we wonder if anyone can
> suggest a good forum software; we don't have time to write one from scratch
> (both have full time jobs and kids and other stuff, but we want a Swedish
> OpenBSD forum to flourish)
> 
> 
> Could anyone suggest some forum software that we can run?
> 
> We are also thinking about posting tutorials on the site to help more people
> find OpenBSD through search engines.
> 
> Take care all!
> And thanks in advance 
> -- 
> Take Care Sincerely flipchan layerprox dev



Forum software

2017-10-24 Thread flipchan
Grtz *!
Sorry for going a little bit off topic, me and a friend are trying to rebuild a
Swedish OpenBSD forum (openbsd.se); it's been live since 2005, and been running
PunBB.
But PunBB is not actively being developed and we wonder if anyone can suggest
a good forum software; we don't have time to write one from scratch (both have
full time jobs and kids and other stuff, but we want a Swedish OpenBSD forum
to flourish)


Could anyone suggest some forum software that we can run?

We are also thinking about posting tutorials on the site to help more people find
OpenBSD through search engines.

Take care all!
And thanks in advance 
-- 
Take Care Sincerely flipchan layerprox dev

Re: is there something missing in pledge?

2017-10-24 Thread Ingo Schwarze
Hi Peter,

Peter J. Philipp wrote on Tue, Oct 24, 2017 at 04:35:12PM +0200:

> Index: open.2
> ===
> RCS file: /cvs/src/lib/libc/sys/open.2,v
> retrieving revision 1.49
> diff -u -p -u -r1.49 open.2
> --- open.219 Jan 2015 15:54:11 -  1.49
> +++ open.224 Oct 2017 14:28:30 -
> @@ -235,6 +235,10 @@ and
>  .Fn openat
>  functions will fail if:
>  .Bl -tag -width Er
> +.It Bq Er EPERM
> +When opening a special file and the program has requested certain
> +.Xr pledge 2
> +promises.
>  .It Bq Er ENOTDIR
>  A component of the path prefix is not a directory.
>  .It Bq Er ENOTDIR

I'm not convinced.

 1) I don't like the idea of scattering pledge(2) documentation
all over the place.

 2) To me, this feels like a detail that might easily change without
notice, and then we risk leaving a bug behind in the manual.

 3) ERRORS sections are in a bad shape in general, both in POSIX
and in our manuals.  In POSIX, they are quite incomplete, which
makes POSIX quite confusing if you really want to code errno
checks in a portable manner.  We have huge amounts of extensions
in this area, many of them allowed by the standard, some
forbidden, many documented, many undocumented, some documented
in ways that are outright wrong, and we explain almost nowhere
which ERRORS are standard and which are extensions.  We should,
because otherwise people can't check them portably, and telling
people to read POSIX itself just isn't realistic with respect
to ERRORS, given the mess people will find there.

What you add here is an extremely minor detail in an area that is
severely under-documented and disorganized in much more relevant
respects.  Besides, the number of ERRORS entries in the open(2)
manual in particular is already excessive without this addition.

So your patch feels a bit like lipstick on a grazing hippo, somewhere
near the rear end, in the late afternoon shortly before it goes
back into the water.


I'm not saying such stuff should remain undocumented, but i *am*
at a loss where to start.  Probably not with this particular detail.

Yours,
  Ingo



Re: fuse version

2017-10-24 Thread Zbyszek Żółkiewski
Hi,

llfuse requires FUSE 2.9.0 or newer, i think OpenBSD uses 2.6, am I right?

thanks,

_
Zbyszek Żółkiewski

> Message written by Stefan Sperling on 24.10.2017,
> at 11:44:
> 
> On Tue, Oct 24, 2017 at 11:21:17AM +0200, Zbyszek Żółkiewski wrote:
>> Hi,
>> 
>> Quick question: Any plans to support newer version of fuse?
>> 
>> thanks,
>> 
>> _
>> Zbyszek Żółkiewski
>> 
> 
> Your question is not specific enough.





Re: is there something missing in pledge?

2017-10-24 Thread Peter J. Philipp
On Tue, Oct 24, 2017 at 08:09:14AM -0600, Theo de Raadt wrote:
> > I agree that it could be disappointing. but cpio is pledged, so it
> > couldn't open /etc/spwd.db, because we considered this operation as
> > a privileged operation.
> > 
> > in order to backup this file, you need another tool. someone already
> > mentioned dump(8) as example.
> 
> The solution is obvious.
> 
> The control program outside can be pledged, but it will run a non-pledged
> components to access files.  Which will be small, and contain no bugs.
> 
> Why is there an assumption that all processes of a privsep program
> have the same pledge?  Quite often, some of them are very small, and
> have no pledge.

Thank you to all who participated in this thread.  I'm a tad wiser now, but it
was hard work.  At last I'd like to give the community a small present, if it's
wanted.  So that efforts don't seem like a total waste of time.  Extra thanks
to Daniel, Theo and Sebastien.

Patch to open manpage after my signature.

-peter

Index: open.2
===
RCS file: /cvs/src/lib/libc/sys/open.2,v
retrieving revision 1.49
diff -u -p -u -r1.49 open.2
--- open.2  19 Jan 2015 15:54:11 -  1.49
+++ open.2  24 Oct 2017 14:28:30 -
@@ -235,6 +235,10 @@ and
 .Fn openat
 functions will fail if:
 .Bl -tag -width Er
+.It Bq Er EPERM
+When opening a special file and the program has requested certain
+.Xr pledge 2
+promises.
 .It Bq Er ENOTDIR
 A component of the path prefix is not a directory.
 .It Bq Er ENOTDIR
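Review bot: the new EPERM entry in this hunk is too vague for a reader of open(2) to act on. In open(2) usage "a special file" means a device node, whereas the case that motivated the change is the regular file /etc/spwd.db, and "certain pledge promises" does not say which promise triggers the error (the thread establishes it is "getpw"). Suggest either naming the condition, e.g. `When opening a file that pledge(2) treats as privileged, such as /etc/spwd.db, by a process that has requested the "getpw" promise.`, or keeping the entry to one line that defers to pledge(2) for the list, so that open(2) does not go stale when that list changes.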



Re: is there something missing in pledge?

2017-10-24 Thread Theo de Raadt
> I agree that it could be disappointing. but cpio is pledged, so it
> couldn't open /etc/spwd.db, because we considered this operation as
> a privileged operation.
> 
> in order to backup this file, you need another tool. someone already
> mentioned dump(8) as example.

The solution is obvious.

The control program outside can be pledged, but it will run a non-pledged
components to access files.  Which will be small, and contain no bugs.

Why is there an assumption that all processes of a privsep program
have the same pledge?  Quite often, some of them are very small, and
have no pledge.
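The privsep shape Theo describes, as an added example that is not code from the thread or from OpenBSD's cpio: the control process forks a small unpledged reader first, then pledges itself and only consumes bytes from the pipe. pledge(2) exists only on OpenBSD, so a stand-in is compiled in elsewhere; the function names, the sample file and the /tmp path are constructed for the demonstration.

```c
/*
 * Added example, not code from the thread or from cpio: the privsep shape
 * Theo describes. A small UNPLEDGED child does the privileged open(2) and
 * streams the bytes over a pipe; the control process pledges itself down
 * before it reads them. pledge(2) is OpenBSD-only; elsewhere a stand-in
 * is compiled in and no restriction is actually enforced.
 */
#ifndef __OpenBSD__
#define _DEFAULT_SOURCE		/* glibc/musl: expose mkstemp() */
#endif
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

/* Child side: no pledge at all. Copies `path` to wfd, exits non-zero on error. */
static void privileged_reader(const char *path, int wfd)
{
	char buf[4096], *p;
	ssize_t n, w;
	int fd = open(path, O_RDONLY);
	if (fd == -1)
		_exit(1);
	while ((n = read(fd, buf, sizeof buf)) > 0)
		for (p = buf; n > 0; p += w, n -= w)
			if ((w = write(wfd, p, (size_t)n)) == -1)
				_exit(1);
	_exit(n == 0 ? 0 : 1);
}

/*
 * Control side. Fork the reader FIRST (pledge is inherited across fork, so
 * pledging earlier would restrict the child too), then pledge the parent
 * with `promises` and consume the pipe only. Returns bytes received, or -1
 * if the child failed, the parent could not pledge, or `out` was too small.
 */
ssize_t read_via_privsep(const char *path, const char *promises,
    char *out, size_t outlen)
{
	int p[2], status, bad = 0;
	pid_t pid = -1;
	size_t total = 0;
	ssize_t n = 0;
	char probe;
	if (pipe(p) == -1 || (pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		close(p[0]);
		privileged_reader(path, p[1]);	/* never returns */
	}
	close(p[1]);
	if (pledge(promises, NULL) == -1)	/* parent is now restricted */
		return -1;
	while (total < outlen &&
	    (n = read(p[0], out + total, outlen - total)) > 0)
		total += (size_t)n;
	/* Anything still readable means the file did not fit: report it. */
	if (n == -1 || (total == outlen && read(p[0], &probe, 1) > 0))
		bad = 1;
	close(p[0]);		/* a child still writing gets SIGPIPE and dies */
	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
	    WEXITSTATUS(status) != 0)
		bad = 1;
	return bad ? -1 : (ssize_t)total;
}

/*
 * Demo on a constructed temp file; a backup tool would pass e.g. /etc/spwd.db
 * and run as root. "stdio cpath" instead of bare "stdio" only because the
 * demo must unlink() its temp file after the pledged read. 0 = success.
 */
int demo_privsep_read(void)
{
	static const char sample[] = "constructed sample, not a real spwd.db\n";
	char tmpl[] = "/tmp/privsep-demo.XXXXXX", out[256];
	ssize_t got, len = sizeof sample - 1;
	int fd = mkstemp(tmpl);
	if (fd == -1)
		return -1;
	got = write(fd, sample, (size_t)len);
	close(fd);
	if (got == len)
		got = read_via_privsep(tmpl, "stdio cpath", out, sizeof out);
	unlink(tmpl);
	return (got == len && memcmp(out, sample, (size_t)len) == 0) ? 0 : -1;
}

/* Failure path: the child cannot open a missing file, so the parent gets -1. */
int demo_privsep_missing(void)
{
	char out[16];
	return read_via_privsep("/nonexistent/constructed-path", "stdio cpath",
	    out, sizeof out) == -1 ? 0 : -1;
}
```

Run the demos in the order given: once a process has pledged, later calls may only narrow its promises, which is why both demos use the same set.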



Re: is there something missing in pledge?

2017-10-24 Thread Theo de Raadt
> > beta# cpio -o -F spwd.db
> > /etc/spwd.db
> > cpio: Unable to open /etc/spwd.db to read: Operation not permitted
> > 
> > This is why I asked if the pledge is too tight on cpio.
> 
> Yes, I'd say you are right.
> 
> Theo, run
> 
>   # find /etc | cpio -o >/dev/null
> 
> or
> 
>   # tar cf /dev/null /etc
> 
> Do you really expect that to fail for /etc/spwd.db?

Yes.  Absolutely.

No pledged process can read password hashes.

pledge is being misused here.



Re: Hyper-V Disk Performance

2017-10-24 Thread Karel Gardas
Last I checked, running with softdeps in a virtualized env, I got some
panics. It was a few years (2 max) ago, but IIRC softdeps are not that
heavily developed over time like other parts of the kernel. From what I
remember from the analysis back then, the slower the drive is, the higher
the chance you get a panic. So I would definitely be careful in using
softdeps in exactly this situation where you do have a high-latency
drive beneath the softdep-mounted drive image. I had exactly the same:
a high-latency VBox drive on fragmented ZFS on Solaris 11. Killer
option for softdeps. So try, but keep praying if you do that in
production...

Karel

On Tue, Oct 24, 2017 at 4:07 AM, Daniel Boyd  wrote:
> Also, out of curiosity, why is softdep not enabled by default?  Assume there 
> must be some downside to having it on?



Re: is there something missing in pledge?

2017-10-24 Thread Sebastien Marie
On Tue, Oct 24, 2017 at 01:13:39PM +0200, Daniel Hartmeier wrote:
> On Tue, Oct 24, 2017 at 12:31:50PM +0200, Peter J. Philipp wrote:
> 
> > beta# cpio -o -F spwd.db
> > /etc/spwd.db
> > cpio: Unable to open /etc/spwd.db to read: Operation not permitted
> > 
> > This is why I asked if the pledge is too tight on cpio.
> 
> Yes, I'd say you are right.
>
> Theo, run
> 
>   # find /etc | cpio -o >/dev/null
> 
> or
> 
>   # tar cf /dev/null /etc
> 
> Do you really expect that to fail for /etc/spwd.db?
> 
> But grep or hexdump (both pledged, too) work just fine on that file?
> 
> Daniel
> 

I redo some checks.

the "problem" is you got EPERM if you pledged for "getpw" and try to
open /etc/spwd.db, whereas if you don't have it (well "rpath" is still
necessary), it can open the file.

the semantic of failing for every call of open on /etc/spwd.db was done
at some point, but reverted later (it broke pwd_mkdb).

I agree the current behaviour isn't really consistent (EPERM if "getpw"
and no problem without).

I think the purpose was initially to avoid a pledged root program to
open and put in memory the content of /etc/spwd.db when password access
was not strictly required.

Maybe it could be revisited.
-- 
Sebastien Marie



Re: is there something missing in pledge?

2017-10-24 Thread Daniel Hartmeier
On Tue, Oct 24, 2017 at 01:31:32PM +0200, Sebastien Marie wrote:

> > This is why I asked if the pledge is too tight on cpio.
> 
> I agree that it could be disappointing. but cpio is pledged, so it
> couldn't open /etc/spwd.db, because we considered this operation as
> a privileged operation.
> 
> in order to backup this file, you need another tool. someone already
> mentioned dump(8) as example.

So all an attacker has to do is call pledge() again, with LESS
permissive promises, i.e. giving up getpw?

#include <stdio.h>
#include <unistd.h>	/* pledge(2) */
#include <err.h>	/* err(3) */

int main(void)
{
	/* First with "getpw": the open is refused with EPERM. */
	if (pledge("stdio rpath getpw", NULL) == -1)
		err(1, "pledge");
	printf("first fopen %s\n", fopen("/etc/spwd.db", "r") ?
	    "succeeded" : "failed");
	/* Now narrow the promises, dropping "getpw": the open goes through. */
	if (pledge("stdio rpath", NULL) == -1)
		err(1, "pledge");
	printf("second fopen %s\n", fopen("/etc/spwd.db", "r") ?
	    "succeeded" : "failed");
	return 0;
}

first fopen failed
second fopen succeeded

Daniel



Re: nobreak powers down openbsd

2017-10-24 Thread Marcus MERIGHI
friedrich.lo...@gmail.com (Friedrich Locke), 2017.10.23 (Mon) 20:08 (CEST):
> When i wrote nobreak, i really meant UPS.
> I don't have a model; may some one  suggest a model that power off
> openbsd ?

https://man.openbsd.org/upd.4

DESCRIPTION
The upd driver provides support for monitoring various sensors provided
by USB Power Devices (such as a UPS). Supported sensor values are made
available via the sysctl(8) interface.



$ sysctl hw.sensors.upd0
hw.sensors.upd0.indicator0=On (BatteryPresent), OK
hw.sensors.upd0.indicator1=Off (Charging), OK
hw.sensors.upd0.indicator2=Off (Discharging), OK
hw.sensors.upd0.indicator3=Off (NeedReplacement), OK
hw.sensors.upd0.indicator4=Off (ShutdownImminent), OK
hw.sensors.upd0.indicator5=On (ACPresent), OK
hw.sensors.upd0.indicator6=Off (Overload), OK
hw.sensors.upd0.percent0=100.00% (RemainingCapacity), OK
hw.sensors.upd0.percent1=100.00% (FullChargeCapacity), OK
hw.sensors.upd0.timedelta0=2055.00 secs (RunTimeToEmpty), OK


And see sensorsd(8) if you want it to act upon changes reported by your
UPS.

Marcus

> 
> 
> On Mon, Oct 23, 2017 at 11:45 AM, Solène Rapenne  wrote:
> 
> > On 2017-10-23 15:40, Friedrich Locke wrote:
> >
> >> Hi folks!
> >>
> >> I would like to have my openbsd server to be shutdown when my nobreak
> >> power
> >> becomes lower than 20% of its capacity; is that possible ?
> >> Any one with experience in this regard ?
> >>
> >> Thanks a lot.
> >>
> >>
> >
> > hello,
> >
> > Is a "nobreak" an UPS ? If so, what model is it ?
> >
> > Is it connected to your server or your LAN ? If no, no chance to know the
> > current state of the battery.
> >



Re: is there something missing in pledge?

2017-10-24 Thread Sebastien Marie
On Tue, Oct 24, 2017 at 12:31:50PM +0200, Peter J. Philipp wrote:
> [...]
> 
> Here is the output of the last few lines:
> 
> backing up file: /etc/spwd.db
> cpio: Unable to open /etc/spwd.db to read: Operation not permitted
> open: No such file or directory
> file was
> /tmp/backup/65f874c895d11c2ff614ee33f0ba623ff9f24000a9726a9418340380b4333b66-1024-78735-1.cpio

the ability to open /etc/spwd.db is a privileged operation that
requires the program to be unpledged.

so if this part of your code runs under pledge(2), it will not be able to
read the file, whatever promises it made.

several syscalls are forbidden when pledged. here, it is the ability to
open a specific file that contains sensitive information which is
forbidden.

but we were nice: your program isn't killed by trying to open it (you
got an EPERM error), whereas it would be killed if it tried to call a
forbidden syscall, like chroot(2) for example.

> And here is a userland demonstration of why cpio doesn't work for
> backing up this file:
> 
> beta# cpio -o -F spwd.db
> /etc/spwd.db
> cpio: Unable to open /etc/spwd.db to read: Operation not permitted
> 
> This is why I asked if the pledge is too tight on cpio.

I agree that it could be disappointing. but cpio is pledged, so it
couldn't open /etc/spwd.db, because we considered this operation as
a privileged operation.

in order to back up this file, you need another tool. someone already
mentioned dump(8) as an example.

thanks.
-- 
Sebastien Marie



Re: is there something missing in pledge?

2017-10-24 Thread Daniel Hartmeier
On Tue, Oct 24, 2017 at 12:31:50PM +0200, Peter J. Philipp wrote:

> beta# cpio -o -F spwd.db
> /etc/spwd.db
> cpio: Unable to open /etc/spwd.db to read: Operation not permitted
> 
> This is why I asked if the pledge is too tight on cpio.

Yes, I'd say you are right.

Theo, run

  # find /etc | cpio -o >/dev/null

or

  # tar cf /dev/null /etc

Do you really expect that to fail for /etc/spwd.db?

But grep or hexdump (both pledged, too) work just fine on that file?

Daniel



Re: is there something missing in pledge?

2017-10-24 Thread Peter J. Philipp
Hi,

I've refactored my code; I added imsg and privsep in a chroot.  Nothing
has changed.  Still ugly code of mine, and still unable to cpio
/etc/spwd.db into a cpio file.  The only added bonus is that I was able to
tighten the pledge() in my code a wee bit.

Here is my (refactored) code:

http://centroid.eu/private/rbdaemon2.c.txt

Here is the output of the last few lines:

backing up file: /etc/spwd.db
cpio: Unable to open /etc/spwd.db to read: Operation not permitted
open: No such file or directory
file was
/tmp/backup/65f874c895d11c2ff614ee33f0ba623ff9f24000a9726a9418340380b4333b66-1024-78735-1.cpio

And here is a userland demonstration of why cpio doesn't work for
backing up this file:

beta# cpio -o -F spwd.db
/etc/spwd.db
cpio: Unable to open /etc/spwd.db to read: Operation not permitted

This is why I asked if the pledge is too tight on cpio.

Regards,

-peter


On 10/23/17 19:25, Theo de Raadt wrote:
> Oh hahahahahah, you are trying to back up / including this file /etc/spwd.db
> which you are not allowed to read!
>
> Look, your design is flawed.  Look at your pledge call:
>
>  stdio cpath rpath wpath inet dns exec proc
>
> Basically, you want your program to be able to do everything.
>
> pledge isn't a wand you wave over software and then it is secure.  The
> subsets of POSIX which remain come with downsides which you MUST
> consider.
>
> You aren't listening to what pledge is telling you -- that if you want
> security, you should redesign it to operate in a privsep fashion.
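The privsep shape Theo is pointing at, combined with Sebastien's explanation earlier in the thread (a pledged process gets EPERM on open(2) of /etc/spwd.db, while reading a descriptor it already holds is covered by "stdio"), as an added example in C that is not code from this thread, from Peter's rbdaemon2.c or from OpenBSD: the unpledged parent does the one privileged open(2) and passes the descriptor over a socketpair with SCM_RIGHTS, and the child, pledged to "stdio recvfd" and then just "stdio", only ever reads what it was handed. It uses raw SCM_RIGHTS rather than imsg to stay self-contained; the `pledge()` stub for non-OpenBSD hosts, the function names and the temporary file with made-up content are all assumptions of this example.

```c
#ifndef __OpenBSD__
#define _GNU_SOURCE                          /* glibc: expose mkstemp(3) etc. */
#endif
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: pledge(2) exists only on OpenBSD; no-op stub elsewhere so the
 * example still builds (OpenBSD uses the real one from unistd.h). */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };
/* Common msghdr setup: one-byte payload plus one SCM_RIGHTS slot. */
static void fd_msg(struct msghdr *msg, struct iovec *iov, union fdcmsg *u)
{
    memset(msg, 0, sizeof(*msg));
    memset(u, 0, sizeof(*u));
    msg->msg_iov = iov;          msg->msg_iovlen = 1;
    msg->msg_control = u->buf;   msg->msg_controllen = sizeof(u->buf);
}

/* Hand one open descriptor to the peer of a UNIX socket. */
static int send_fd(int sock, int fd)
{
    char c = 'F'; struct iovec iov = { &c, 1 }; union fdcmsg u;
    struct msghdr msg; struct cmsghdr *cm;

    fd_msg(&msg, &iov, &u);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd(); -1 on EOF or a malformed message. */
static int recv_fd(int sock)
{
    char c; struct iovec iov = { &c, 1 }; union fdcmsg u;
    struct msghdr msg; struct cmsghdr *cm; int fd;

    fd_msg(&msg, &iov, &u);
    if (recvmsg(sock, &msg, 0) != 1 || (cm = CMSG_FIRSTHDR(&msg)) == NULL ||
        cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Unpledged parent opens `path`; a child pledged down to "stdio" reads the
 * descriptor it is handed and streams the bytes back. Bytes beyond len are
 * dropped. Returns the number of bytes stored in buf, or -1 on any failure. */
ssize_t privsep_read(const char *path, char *buf, size_t len)
{
    char tmp[512];
    int sv[2], fd, status, ok = 1;
    size_t total = 0;
    ssize_t n;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
        return -1;
    if (pid == 0) {                          /* child: "recvfd" only until the fd arrives */
        close(sv[0]);
        if (pledge("stdio recvfd", NULL) == -1 || (fd = recv_fd(sv[1])) == -1 ||
            pledge("stdio", NULL) == -1)
            _exit(1);
        while ((n = read(fd, tmp, sizeof(tmp))) > 0)   /* inherited fd: within "stdio" */
            if (write(sv[1], tmp, (size_t)n) != n)
                _exit(1);
        _exit(n == 0 ? 0 : 1);
    }
    close(sv[1]);                            /* parent: the only side that opens files */
    if ((fd = open(path, O_RDONLY)) == -1 || send_fd(sv[0], fd) == -1)
        ok = 0;                              /* closing sv[0] below makes the child quit */
    if (fd != -1)
        close(fd);                           /* the child now holds its own copy */
    while (ok && (n = read(sv[0], tmp, sizeof(tmp))) > 0) {
        size_t keep = total + (size_t)n <= len ? (size_t)n : len - total;
        memcpy(buf + total, tmp, keep);
        total += keep;
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        ok = 0;
    return ok ? (ssize_t)total : -1;
}

/* Self-check on a constructed temporary file (not /etc/spwd.db): 1 when the
 * child handed back exactly what the parent's file contains, else 0. */
int demo_privsep(void)
{
    char path[] = "/tmp/privsep_demo.XXXXXX", buf[256];
    const char content[] = "root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh\n";
    ssize_t n = -1, clen = (ssize_t)(sizeof(content) - 1);
    int fd = mkstemp(path);

    if (fd != -1 && write(fd, content, (size_t)clen) == clen)
        n = privsep_read(path, buf, sizeof(buf));
    if (fd != -1) { close(fd); unlink(path); }
    return n == clen && memcmp(buf, content, (size_t)clen) == 0;
}
```

The point of the split is that "rpath" never appears in the child's promises at all: the one process that can open files is the small parent, and the process that handles the data can do nothing but read, write and exit. On a non-OpenBSD host the stub makes pledge() a no-op, so the example demonstrates the descriptor passing but not the enforcement.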



Re: nobreak powers down openbsd

2017-10-24 Thread Boudewijn Dijkstra
On Mon, 23 Oct 2017 20:08:56 +0200, Friedrich Locke wrote:

When i wrote nobreak, i really meant UPS.
I don't have a model; may someone suggest a model that powers off
openbsd?


I'm using an APC UPS with apcupsd. You can define time-outs, thresholds,
also script events and do more complicated stuff by parsing the UPS status
report. A small caveat is that this particular device requires disabling
uhidev(4) in the kernel.




--
Made with Opera's e-mail client: http://www.opera.com/mail/



Re: fuse version

2017-10-24 Thread Stefan Sperling
On Tue, Oct 24, 2017 at 11:21:17AM +0200, Zbyszek Żółkiewski wrote:
> Hi,
> 
> Quick question: Any plans to support newer version of fuse?
> 
> thanks,
> 
> _
> Zbyszek Żółkiewski
> 

Your question is not specific enough.



Re: Hyper-V Disk Performance

2017-10-24 Thread Mike Belopuhov
On Mon, Oct 23, 2017 at 16:41 -0500, Daniel Boyd wrote:
> Is there a recommended configuration for virtual disks in Hyper-V?  I
> have a virtual machine that I set up recently running 6.2 that has
> *very* slow disk performance.  It took well over an hour to untar
> ports.tar.gz.  The host server is a few years old, but it's running 3
> RAID-5 7200rpm drives, quad-core Xeon and 32 GB RAM... so not exactly a
> slow machine.  And this is the only Hyper-V VM it's hosting.
> 
> I've got the virtual disk configured as IDE / VHDX / Expanding (the
> Hyper-V defaults).  The controller can be IDE or SCSI.  The disk format
> can be VHD or VHDX.  And the disk can be configured as fixed or
> expanding.  I'm going to try converting the disk to fixed and
> defragging my NTFS.
> 
> Any thoughts on IDE vs SCSI and VHD vs VHDX?
> 

Hi,

Can you please tell us which OpenBSD version you're trying to use?
Could you please show us the dmesg?

You should be using 6.2 as it comes with a driver for the paravirtualized
disk interface, hvs(4).

Regards,
Mike



fuse version

2017-10-24 Thread Zbyszek Żółkiewski
Hi,

Quick question: Any plans to support newer version of fuse?

thanks,

_
Zbyszek Żółkiewski





Re: nobreak powers down openbsd

2017-10-24 Thread Marc Peters
On Mon, Oct 23, 2017 at 06:08:56PM +, Friedrich Locke wrote:
> When i wrote nobreak, i really meant UPS.
> I don't have a model; may someone suggest a model that powers off openbsd?
> 
> Thanks.

You can use NUT (network UPS Tools). It's in ports and supports a lot of
different brands.

hth,
Marc