Re: no default httpd.conf?
Hey there.

With the su-php question, try looking into php-fpm's pools. In there you can define a socket / port to listen on, and a username/group to run that pool as. So that means in httpd.conf you can assign different locations/virtualhosts to different php sockets/ports, and thereby assign different uid/gids.

Cheers
Josh

On 17/05/18 14:50, justina colmena wrote:
> I just recently installed OpenBSD 6.3, and I was looking for an example httpd.conf, but I did not find one. The manual page does document more or less how to create one, but there still appears to be some lack of ease and safety putting up a basic web page with dynamic content (I am most used to PHP and PostgreSQL for that purpose, but of course there are many options that more or less replace the ubiquitous "LAMP" or "Linux/Apache/MySQL/PHP" stack).
>
> Now there is nothing in OpenBSD's httpd really like Apache's "UserDir" directive. Of course the real user directory has to dwell somewhere in the "/var/www" chroot on OpenBSD. The alternative to "UserDirs", of course, is wildcard subdomains, but those do not really cooperate all that well with https, dnssec, or caa records, or with certain other general goals of security.
>
> The other thing I am curious about is something like "su-php" which appears to be deprecated and outdated. So, assuming some sort of UserDir scenario (probably more sophisticated than my very basic one I have hacked together below), does php-fpm have a way to prevent one user's malicious php script from reading another user's database access credentials?
> %<
> # /etc/httpd.conf for amarillo.colmena.biz
> server "default" {
>         listen on * port 80
>         listen on :: port 80
>         listen on * tls port 443
>         listen on :: tls port 443
>         tls certificate "/etc/ssl/fullchain.pem"
>         directory index index.php
>
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 root strip 2
>         }
>         location match "/~justina/.*%.php" {
>                 root "/justina"
>                 root strip 1
>                 fastcgi socket "/run/php-fpm.sock"
>         }
>         location "*.php" {
>                 fastcgi socket "/run/php-fpm.sock"
>         }
>         location "/~justina/*" {
>                 root "/justina"
>                 root strip 1
>                 directory auto index
>         }
>         location "/~justina" {
>                 block return 301 "/~justina/"
>         }
> }
> types {
>         include "/usr/share/misc/mime.types"
> }
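As an added example (not code from either poster), this is how the per-pool uid/gid separation Josh describes could look on OpenBSD for the UserDir layout in the httpd.conf above: one php-fpm pool per account, each listening on its own socket under httpd's /var/www chroot and forked as that account's uid/gid. The file path, pool names, socket names, the second account "bob" and the /var/www/justina document root are assumptions for illustration; the separation only answers the credentials question if each user's config file holding database credentials is mode 0600 and owned by that user, because the pools then share no uid that could read it.

```ini
; /etc/php-fpm.d/userdirs.conf (assumed path; added example, not from the thread)
; The php-fpm master runs as root and forks each pool's workers with the
; pool's own user/group, so a script running in [justina] has no uid in
; common with [bob] and cannot open bob's 0600 credentials file.
[justina]
user = justina
group = justina

; Socket inside httpd's /var/www chroot: httpd.conf refers to it as
; "/run/php-fpm-justina.sock". Owned by www so only httpd can connect.
listen = /var/www/run/php-fpm-justina.sock
listen.owner = www
listen.group = www
listen.mode = 0660

pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s

; Defence in depth: confine this pool's file access to its own tree and
; /tmp, and stop scripts fetching remote code via fopen() wrappers.
php_admin_value[open_basedir] = /var/www/justina:/tmp
php_admin_flag[allow_url_fopen] = off

; Second account, same pattern: separate uid, separate socket, separate tree.
[bob]
user = bob
group = bob
listen = /var/www/run/php-fpm-bob.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
php_admin_value[open_basedir] = /var/www/bob:/tmp
php_admin_flag[allow_url_fopen] = off
```

In httpd.conf the `/~justina/` PHP location then gets `fastcgi socket "/run/php-fpm-justina.sock"` and a `/~bob/` location gets `fastcgi socket "/run/php-fpm-bob.sock"`, so each path is served by the pool running as that user. Both accounts must exist as system users before php-fpm starts, and `php-fpm -t` checks the pool files before a restart.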
no default httpd.conf?
I just recently installed OpenBSD 6.3, and I was looking for an example httpd.conf, but I did not find one. The manual page does document more or less how to create one, but there still appears to be some lack of ease and safety putting up a basic web page with dynamic content (I am most used to PHP and PostgreSQL for that purpose, but of course there are many options that more or less replace the ubiquitous "LAMP" or "Linux/Apache/MySQL/PHP" stack).

Now there is nothing in OpenBSD's httpd really like Apache's "UserDir" directive. Of course the real user directory has to dwell somewhere in the "/var/www" chroot on OpenBSD. The alternative to "UserDirs", of course, is wildcard subdomains, but those do not really cooperate all that well with https, dnssec, or caa records, or with certain other general goals of security.

The other thing I am curious about is something like "su-php" which appears to be deprecated and outdated. So, assuming some sort of UserDir scenario (probably more sophisticated than my very basic one I have hacked together below), does php-fpm have a way to prevent one user's malicious php script from reading another user's database access credentials?

%<
# /etc/httpd.conf for amarillo.colmena.biz
server "default" {
        listen on * port 80
        listen on :: port 80
        listen on * tls port 443
        listen on :: tls port 443
        tls certificate "/etc/ssl/fullchain.pem"
        directory index index.php

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
        }
        location match "/~justina/.*%.php" {
                root "/justina"
                root strip 1
                fastcgi socket "/run/php-fpm.sock"
        }
        location "*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
        location "/~justina/*" {
                root "/justina"
                root strip 1
                directory auto index
        }
        location "/~justina" {
                block return 301 "/~justina/"
        }
}
types {
        include "/usr/share/misc/mime.types"
}
Re: MIMO in athn(4)
Sun, 13 May 2018 11:07:19 +0500 Артур Истомин:
> On Sat, May 12, 2018 at 10:53:29PM +1000, tomr wrote:
> >
> > I've been playing with an apu2 and an AR9280, which is supported by athn(4).
> >
> > It seems to perform terribly when I connect a second antenna. Is this
> > the expected behaviour currently? Is there some MIMO magic that isn't
> > yet implemented? Or do I just need to get the antenna spacing right?
> >
> > I see a foreboding "No Tx aggregation" in the commit message...
>
> I have the same problems with the same hardware. Not only with n-mode, with
> g-mode too.
> If I remember correctly there were no problems with g-mode circa 5.0-5.3
> releases of OpenBSD.
>
> I thought it is a hardware problem and planned to test it with linux.
>
> If you find a solution, please post it here.

Hi Artur,

I have a late 2010 laptop with a SISO (not MIMO) athn(4) AR9285 device:

    athn0 at pci2 dev 0 function 0 "Atheros AR9285" rev 0x01: apic 2 int 17
    athn0: AR9285 rev 2 (1T1R), ROM rev 13, address 00:25:d3:xx:xx:xx

athn(4) - Atheros IEEE 802.11a/b/g/n wireless network device
http://man.openbsd.org/athn

The maker put only 1 cable for an antenna, despite the card being B/G/N, and I found similar problems which I could not sort with another cable. So, in my particular case the device defaulted to N mode (at one point) and I had to find the hard way the now obvious solution to run it as G:

    media autoselect mode 11g mediaopt hostap

You could put this line in /etc/hostname.athn0 or skip mediaopt hostap.

Hope the tip helps for SISO devices with only 1 antenna, or if you prefer G mode.

https://en.wikipedia.org/wiki/Single-input_single-output_system
https://en.wikipedia.org/wiki/MIMO#Forms

Kind regards,
Anton Lazarov
Re: 6.3-current kernel panic: aml_die aml_parse:4194 on PowerEdge
On 2.5.2018. 11:28, Jan Vlach wrote:
> R440 WAS( Re: Dell PowerEdge R430/R440 support)
> Reply-To:
> In-Reply-To: <20180425150215.gh20...@diehard.n-r-g.com>
>
> Hello misc@
>
> the Dell PowerEdge R440 server arrived for testing and it panics on boot
> to installed system. Installer works fine, it's the reboot into
> installed system that fails. Both 6.3-release and 6.3-current behave the
> same. (OpenBSD 6.3-current (RAMDISK_CD) #12: Wed Apr 25 22:56:41 MDT
> 2018; dmesg below)
>
> I've turned PERC H330 into HBA mode and setup raid1 softraid from 3
> disks.
>
> last screen on monitor with panic (rewritten by hand, sorry for possible
> typos, photo at https://synchronicity.cz/bsd/ )
>
> ### LAST PANIC SCREEN
> acpiprt81 at acpi0: bus -1 (SR3A)
> acpiprt82 at acpi0: bus -1 (SR3B)
> acpiprt83 at acpi0: bus -1 (SR3C)
> acpiprt84 at acpi0: bus -1 (SR3D)
> acpiprt85 at acpi0: bus -1 (MCP6)
> acpiprt86 at acpi0: bus -1 (MCP7)
> acpicpu0 at acpi0LoadTable
> 0140 Called: \_SB_.SCK0.CP00.ISTT
> 0140 Called: \_SB_.SCK0.CP00.ISTT
> 034d Called: \_SB_.SCK0.CP00._OSC
>   arg0: 0x80620488 cnt:05 stk: 00 buffer: 10 {16, a6, 77, 40, 0c, 29, be, 47, 9e, bd, d8, 70, 58, 71, 39, 53}
>   arg1: 0x80627988 cnt:01 stk:00 integer: 1
>   arg2: 0x80629388 cnt:01 stk:00 integer: 2
>   arg3: 0x8061d188 cnt:04 stk:00 buffer: 0c {00, 00, 00, 00, 3b, 03, 00, 00, ff, ff, ff, ff}
> 034d Called: \_SB_.SCK0.CP00._OSC
>   arg0: 0x80620488 cnt:05 stk: 00 buffer: 10 {16, a6, 77, 40, 0c, 29, be, 47, 9e, bd, d8, 70, 58, 71, 39, 53}
>   arg1: 0x80627988 cnt:01 stk:00 integer: 1
>   arg2: 0x80629388 cnt:01 stk:00 integer: 2
>   arg3: 0x8061d188 cnt:04 stk:00 buffer: 0c {00, 00, 00, 00, 3b, 03, 00, 00, ff, ff, ff, ff}
> panic: aml_die aml_parse:4194

Hi, could you please try this diff from kettenis@:
https://marc.info/?l=openbsd-tech&m=152650279308779&w=2
Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?
Hello Philipp,

sorry for the late answer. Thanks for the hint with the cookies. Works in my environment, I'm much happier now ;-)

Best regards
Andre

Am 15.05.18 um 05:15 schrieb Philipp Buehler:
> Hello Andre,
>
> Am 14.05.2018 13:38 schrieb Andre Ruppert:
> > I got the tips from this 2013 undeadly.org article:
> > Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
> > https://undeadly.org/cgi?action=article&sid=20131125041429
>
> Apparently I wrote that article, and I feel your pain :-)
>
> > 2.) less /var/run/isakmpd.result
> > ...
> > SA name: (Phase 1/Responder) src: dst: Flags 0x
> > icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
> > ...
> > Feeding the fifo with sh -c "echo 't ' > /var/run/isakmpd.fifo" only deletes phase 2.
> > But I didn't have an SA name at this time... ??
>
> The problem here is you only have an 'unnamed' SA, indeed; but you have cookies..
> What you can do - found that a bit later after the undeadly article:
>
>     echo 'd 9f5bf7497f0ebe108a6c7b1b1f5923ec -' > isakmpd.fifo
>
> which is "d $icookie$rcookie -" (no space between the cookie values).
>
> If I am changing a peer configuration, I also block 500/udp for the time being
> to avoid these 'Responder' SAs altogether. Think along:
>
>     pf.conf: pass in proto udp from <vpn_peers> to $myself port 500
>
>     pfctl -T delete -t vpn_peers $thatpeer
>     pfctl -k $thatpeer
>     ipsecctl -d -f $thatpeer.conf
>     vi $thatpeer.conf
>     ipsecctl -f $thatpeer.conf
>     pfctl -T add -t vpn_peers $thatpeer
>
> HTH,
Re: package request
On Wed 16/05/2018 08:58, Mayuresh Kathe wrote:
> is there a process to adhere to while requesting creation of a new package?

Making a port is not difficult. You could start with https://www.openbsd.org/faq/ports/ and discuss your work on po...@openbsd.org, which is a different mailing list (https://www.openbsd.org/mail.html).
package request
is there a process to adhere to while requesting creation of a new package?
Re: print usb printer by [ Google Cloud Print for Chromium ]
On 05/16/18 01:10, Erling Westenvik wrote:
> On Wed, May 16, 2018 at 12:45:12AM -0700, Jordan Geoghegan wrote:
> > On 05/16/18 00:27, Tuyosi T wrote:
> > > hi
> > > i can not distinguish between lp and lpr .
> >
> > lpr(1) is a program used to print to an lpd server, whereas lp(4) is a driver
> > that doesn't appear to have been ported from 4.4BSD yet.
>
> lp(1) gets installed as part of cups(1).

Thanks for the clarification on lp. I'm a bit of a luddite when it comes to the software I run. If it ain't in base, I try to avoid having to run it. I got what I deserved: https://www.cups.org/doc/man-lp.html
Re: Is -current snapshot only used in current system?
Hi Peter & Otto,

Thanks very much for your response!

My laptop is very old: Fujitsu LifeBook T5010 (https://www.pcmag.com/article2/0,2817,2352819,00.asp). During booting, it shows:

    >>OpenBSD/amd64 BOOT 3.39

Then it flashes one line (I can't see that line clearly, and it should display "load something"), and the system will reboot again. The system will loop the above flow, rebooting again and again.

Now I doubt it is related to a partition issue, but not sure. I divided the whole disk (MBR) into 2 partitions: from offset 64, 4G swap, the rest is mounted as '/'. This method at least works for OpenBSD 6.2.

Thanks very much!

Best Regards
Nan Xiao

On Wed, May 16, 2018 at 5:07 PM, Otto Moerbeek wrote:
> On Wed, May 16, 2018 at 04:51:24PM +0800, Nan Xiao wrote:
>
>> Hi misc@,
>>
>> Greeting from me!
>>
>> Maybe a dumb question here. I want to use -current snapshot, and
>> my current OBSD is 6.3. So I download the newest -current bsd.rd,
>> and use it to upgrade. It prompts me the upgrade is successful, but
>> the system can't boot. So I think this method only applies to a system
>> that is already -current, right? Because I can't find an answer at
>> https://www.openbsd.org/faq/current.html, I just want to confirm it.
>>
>> Thanks very much in advance!
>>
>> Best Regards
>> Nan Xiao
>
> The bsd.rd upgrade from release/stable to current should work in
> general. But since you neglect to give any details what did not work,
> we cannot tell what is going on.
>
> -Otto
Re: Viewport for man.openbsd.org -- readability on phones
On 00:26 Wed 16 May, Solene Rapenne wrote:
> See no offence here, I wonder what is the context leading to read man
> pages on a phone?

Because OpenBSD distributes its documentation in man pages. There is no standalone documentation site.
Re: pledge violation in firefox-60 on snapshots
On Wed, May 16, 2018 at 08:41:17AM +, Stuart Henderson wrote:
> On 2018-05-16, William Orr wrote:
> > Clicking the password field will consistently cause that tab in firefox
> > to crash with a pledge violation (calling fork):
> >
> > firefox[75379]: pledge "proc", syscall 2
> > firefox[99617]: pledge "proc", syscall 2
> > firefox[89996]: pledge "proc", syscall 2
> > firefox[29564]: pledge "proc", syscall 2
> > firefox[58111]: pledge "proc", syscall 2
> > firefox[97980]: pledge "proc", syscall 2
> > firefox[37363]: pledge "proc", syscall 2
> >
> > Is anyone else seeing something similar? I've repro'd this in safe mode
> > with add-ons disabled. I'm running a snapshot as of 3 days ago with
> > firefox from packages.
> >
> > % pkg_info firefox
> > Information for inst:firefox-60.0
> >
> > Following is a full dmesg. Let me know if there's other info that I can
> > provide. There are other firefox pledge violations in there, but I have
> > no indication that they're related.
>
> The Firefox port currently includes some experimental pledge code,
> see https://marc.info/?l=openbsd-ports&m=152623658627250&w=2 for
> information about debugging and a way to disable it without
> recompiling.

From what I've seen, I'm reasonably sure the experiment should be turned off for now, while landry fixes the most obvious bad cases that various people have reported, then turn it back on for finer-grained issues.

More reports of the same thing are useless/counter-productive. We're reaching the point of diminishing returns where it takes longer to answer emails/classify failures into "already known/new"...

... which is a recipe for issues to fall between the cracks, because people WON'T report new issues, or they will be dismissed as the same as something that's already known...
BTW, if you're supposed to start dbus BEFORE firefox, that's cool, but then the firefox code should be tweaked to display "please start dbus" instead of the "helpful" error message "firefox crashed in a pledge violation (proc)".
Re: Viewport for man.openbsd.org -- readability on phones
On Tue, May 15, 2018 at 10:51:43PM +0200, Ingo Schwarze wrote:
> Hi,
>
> x...@dr.com wrote on Tue, May 15, 2018 at 07:47:45PM +0200:
>
> > The "viewport" meta tag significantly improves readability and
> > usability on my phone when I add it to http://man.openbsd.org pages:
> >
> > [meta name="viewport" content="width=device-width, initial-scale=1.0"]
>
> There is no way i will use that.
>
> It is not defined in any standard.

As someone pointed out, it is in a proposal, improves things on several devices, and is harmless on others.

You quite well know that the web evolves by practice first, and standardization later. We are talking about something that's currently already written, will likely become a standard in some months, and helps using tools.

Why resist?
Re: Is -current snapshot only used in current system?
On Wed, May 16, 2018 at 04:51:24PM +0800, Nan Xiao wrote:
> Hi misc@,
>
> Greeting from me!
>
> Maybe a dumb question here. I want to use -current snapshot, and
> my current OBSD is 6.3. So I download the newest -current bsd.rd,
> and use it to upgrade. It prompts me the upgrade is successful, but
> the system can't boot. So I think this method only applies to a system
> that is already -current, right? Because I can't find an answer at
> https://www.openbsd.org/faq/current.html, I just want to confirm it.
>
> Thanks very much in advance!
>
> Best Regards
> Nan Xiao

The bsd.rd upgrade from release/stable to current should work in general. But since you neglect to give any details what did not work, we cannot tell what is going on.

-Otto
Re: Looking for discussions/threads on TLS v 1.3 (in OpenBSD context)
On Wed, 16 May 2018 10:21:47 +0200:
> Hi all!
>
> Just out of curious interest, I've been googling a bit to find
> discussions or threads related to TLS 1.3, what "you guys" think of
> it, and what benefits and drawbacks it brings to the OpenBSD world.
> However, I'm either unlucky or a poor googler, because I can't seem
> to find any. If you know of any, I'd be grateful if you could point
> me in the right direction.
>
> Kind regards,
> Andreas

It may affect relayd's SSL splicing/interception proxy feature, but that is a good thing.
Re: Is -current snapshot only used in current system?
On Wed, May 16, 2018 at 04:51:24PM +0800, Nan Xiao wrote:
> Maybe a dumb question here. I want to use -current snapshot, and
> my current OBSD is 6.3. So I download the newest -current bsd.rd,
> and use it to upgrade. It prompts me the upgrade is successful, but
> the system can't boot. So I think this method only applies to a system
> that is already -current, right? Because I can't find an answer at
> https://www.openbsd.org/faq/current.html, I just want to confirm it.

I imagine most people who run snapshots tend to (like me) jump from one recent snapshot to slightly newer ones, but in principle going from the most recent release to a snapshot should not be much different from upgrading from one release to the next.

With the info provided it's next to impossible to pinpoint just what fails in your case, but my hunch is that you made some sort of mistake during the upgrade process. Hard to tell which without more information about your environment and hardware (dmesg much appreciated when supplied).

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Is -current snapshot only used in current system?
Hi misc@,

Greeting from me!

Maybe a dumb question here. I want to use -current snapshot, and my current OBSD is 6.3. So I download the newest -current bsd.rd, and use it to upgrade. It prompts me the upgrade is successful, but the system can't boot. So I think this method only applies to a system that is already -current, right? Because I can't find an answer at https://www.openbsd.org/faq/current.html, I just want to confirm it.

Thanks very much in advance!

Best Regards
Nan Xiao
Re: pledge violation in firefox-60 on snapshots
On 2018-05-16, William Orr wrote:
> Clicking the password field will consistently cause that tab in firefox
> to crash with a pledge violation (calling fork):
>
> firefox[75379]: pledge "proc", syscall 2
> firefox[99617]: pledge "proc", syscall 2
> firefox[89996]: pledge "proc", syscall 2
> firefox[29564]: pledge "proc", syscall 2
> firefox[58111]: pledge "proc", syscall 2
> firefox[97980]: pledge "proc", syscall 2
> firefox[37363]: pledge "proc", syscall 2
>
> Is anyone else seeing something similar? I've repro'd this in safe mode
> with add-ons disabled. I'm running a snapshot as of 3 days ago with
> firefox from packages.
>
> % pkg_info firefox
> Information for inst:firefox-60.0
>
> Following is a full dmesg. Let me know if there's other info that I can
> provide. There are other firefox pledge violations in there, but I have
> no indication that they're related.

The Firefox port currently includes some experimental pledge code, see https://marc.info/?l=openbsd-ports&m=152623658627250&w=2 for information about debugging and a way to disable it without recompiling.
Looking for discussions/threads on TLS v 1.3 (in OpenBSD context)
Hi all!

Just out of curious interest, I've been googling a bit to find discussions or threads related to TLS 1.3, what "you guys" think of it, and what benefits and drawbacks it brings to the OpenBSD world. However, I'm either unlucky or a poor googler, because I can't seem to find any. If you know of any, I'd be grateful if you could point me in the right direction.

Kind regards,
Andreas
Re: print usb printer by [ Google Cloud Print for Chromium ]
On Wed, May 16, 2018 at 12:45:12AM -0700, Jordan Geoghegan wrote:
> On 05/16/18 00:27, Tuyosi T wrote:
> > hi
> > i can not distinguish between lp and lpr .
>
> lpr(1) is a program used to print to an lpd server, whereas lp(4) is a driver
> that doesn't appear to have been ported from 4.4BSD yet.

lp(1) gets installed as part of cups(1).

> https://man.openbsd.org/lpr.1
> https://man.openbsd.org/NetBSD-7.1/lp.4
Re: print usb printer by [ Google Cloud Print for Chromium ]
On 05/16/18 00:27, Tuyosi T wrote:
> hi
> i can not distinguish between lp and lpr .

lpr(1) is a program used to print to an lpd server, whereas lp(4) is a driver that doesn't appear to have been ported from 4.4BSD yet.

https://man.openbsd.org/lpr.1
https://man.openbsd.org/NetBSD-7.1/lp.4
Re: print usb printer by [ Google Cloud Print for Chromium ]
hi
i can not distinguish between lp and lpr .

anyway /etc/printcap

    709a-wifi|709a-wifi:rm=bsd.my.domain:rp=709a-wifi:

and the setting of print on leafpad is 'lp -d709a-wifi ' . it goes well .

regards

ps
my /etc/cups/cupsd.conf is

    LogLevel warn
    PageLogFormat
    Listen localhost:631
    Listen /var/run/cups/cups.sock
    Browsing On
    BrowseLocalProtocols dnssd
    DefaultAuthType Basic
    WebInterface Yes
    Order allow,deny
    Order allow,deny
    AuthType Default
    Require user @SYSTEM
    Order allow,deny
    AuthType Default
    Require user @SYSTEM
    Order allow,deny
    JobPrivateAccess default
    JobPrivateValues default
    SubscriptionPrivateAccess default
    SubscriptionPrivateValues default
    Order deny,allow
    Require user @OWNER @SYSTEM
    Order deny,allow
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    Require user @OWNER @SYSTEM
    Order deny,allow
    Order deny,allow
    JobPrivateAccess default
    JobPrivateValues default
    SubscriptionPrivateAccess default
    SubscriptionPrivateValues default
    AuthType Default
    Order deny,allow
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
    Order deny,allow
    JobPrivateAccess default
    JobPrivateValues default
    SubscriptionPrivateAccess default
    SubscriptionPrivateValues default
    AuthType Negotiate
    Order deny,allow
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
    Order deny,allow