SSH config file rdist
Hi Misc,

I got inspired by this answer

https://marc.info/?l=openbsd-misc&m=156405651502000&w=2

and decided to try to use rdist to sync a few files on a bunch of my
OpenBSD servers. Everything works as advertised

https://man.openbsd.org/rdist

with caveats. I noticed that having a space between -o and remove
instead of

install -oremove,chknfs ;

per example in the man pages causes files not to sync. That is of course
not a big deal but it seems undocumented.

However when calling rdist from a command line

rdist -D

with an existing /etc/Distfile I noticed that my private ssh key from
/root/.ssh/ was not read unless it was named id_rsa. I did call rdist -D
as root and I have a valid working and well tested /root/.ssh/config
file. To make matters worse if the destination host sshd listens on a
non-default port I don't see the way to specify the port to be used by
rdist when calling ssh. I don't see anything in log files. Is there
anything I can do short of reading rdist code to understand how to force
rdist to read a ssh config file? I am guessing I could play with
/etc/ssh/* files on the local and destination hosts.

Most Kind Regards,
Predrag Punosevac
Re: perl privilege drop
On Thu, Jul 25, 2019 at 09:35:44AM -0600, Theo de Raadt wrote:
> Andrew Hewus Fresh wrote:
> > https://perldoc.perl.org/5.30.0/functions/chroot.html
> > > NOTE: It is good security practice to do chdir("/")
> > > (chdir to the root directory) immediately after a chroot.
> >
>
> The phrasing "good security practice" is quite disappointing, when it
> is MANDATORY. Much like saying it is not good practice to wipe your bum.

I filed a ticket with some possibly improved wording, lightly based on
what's below.

https://rt.perl.org/Public/Bug/Display.html?id=134314

> It is mandatory because otherwise a program-user can arrange for cwd
> to be outside the jail, and utilize that fact to pivot, and in some
> program path utilizations the chroot then becomes not just pointless..
> it is worse than normal, because it creates a dual-namespace view of
> the filesystem, that is a condition that program and libraries are not
> prepared to operate in.

l8rZ,
--
andrew - http://afresh1.com

What are the unsurpassable real world weaknesses in OpenBSD, that you
know of?
    -- Kevin Chadwick
Lots of fake people attacking the project on the mailing lists makes
them a poor resource for users.
    -- Theo de Raadt
Re: Boot NVME device on sparc64
John Gould wrote:

> Hi there, Does anyone have a way of booting a pcie nvme device on sparc64.
> I can install OBSD on the device but of course there is no way OBP can
> see it as a boot device. I can also use it for storage under OpenBSD
> which works fine.
>
> But! Is there any way to boot OpenBSD 6.5 installed on this drive on
> sparc64.
>
> I'm using a Sun t5120.

Booting is a firmware choice. We don't write the firmware.
Re: Write to DVD-RAM
On Jul 25, 2019, at 10:24 PM, gwes wrote:
>
>
> On 7/24/19 10:19 PM, Zhi-Qiang Lei wrote:
>> Hi, I'm trying to encrypt a DVD-RAM before putting some files onto it on my
>> OpenBSD 6.5 desktop. But neither dd nor disklabel seems able to work on the
>> drive. Did I miss something?
>>
>> $ dmesg | grep cd
>> cd0 at scsibus3 targ 1 lun 0: ATAPI 5/cdrom
>> removable serial.13fd3940302020202020
>> cd0 at scsibus3 targ 1 lun 0: ATAPI 5/cdrom
>> removable serial.13fd3940302020202020
>>
>> $ doas dd if=/dev/urandom of=/dev/rcd0c bs=1k
>> dd: /dev/rcd0c: Invalid argument
>> 1+0 records in
>> 0+0 records out
>> 0 bytes transferred in 0.000 secs (0 bytes/sec)
>>
>> $ doas disklabel -E cd0
>> cd0> a
>> partition: [a]
>> offset: [0]
>> size: [2236704]
>> FS type: [4.2BSD]
>> cd0> w
>> cd0> p
>> OpenBSD area: 0-2236704; size: 2236704; free: 0
>> #                size           offset  fstype [fsize bsize   cpg]
>>   a:          2236704                0  4.2BSD   2048 16384     1
>>   c:          2236704                0  unused
>> cd0> q
>> No label changes.
>>
>> The same drive can be formatted and used on Mac OS X.
>>
>> Thanks and best regards,
>> Siegfried
>>
> Did you try 2K blocks? The low level of CDROM only works that way.
>

Blocks larger than or equal to 2k get a "dd: /dev/rcd0c: short write on
character device". Regarding to cd(4) I thought the device is readonly,
so dd(1) and disklabel(8) cannot write on it, but fdisk(8) works fine.

$ doas dd if=/dev/urandom of=/dev/rcd0c bs=2k
dd: /dev/rcd0c: short write on character device
dd: /dev/rcd0c: Invalid argument
1+0 records in
0+1 records out
512 bytes transferred in 0.008 secs (57960 bytes/sec)

$ doas dd if=/dev/urandom of=/dev/rcd0c bs=512
dd: /dev/rcd0c: Invalid argument
1+0 records in
0+0 records out
0 bytes transferred in 0.000 secs (0 bytes/sec)
Re: Sensorsd not executing commands
I did try some test commands earlier but they were not working, but now
it's working all of a sudden so I'm clueless as to why it wasn't working
in the first place. Thanks for the help.

On Thu, Jul 25, 2019 at 09:18:57PM -, Stuart Henderson wrote:
> On 2019-07-25, cheddar-cheeze wrote:
> > I am working on setting up sensorsd so that i can automatically turn on
> > my display when docking my laptop, but on doing so sensorsd does not
> > execute my shell script. In syslogd sensorsd shows the sensors being
> > tripped so i am confused on why the shell script will not execute.
> >
> > #/etc/sensorsd.conf
> > hw.sensors.acpidock0.indicator0:command=/etc/sensorsd/dock %2
> >
> >
> > #/etc/sensorsd/dock
> > #!/bin/sh
> >
> > if [ $1 = "On" ]
> > then
> >     xrandr --output VGA-1 --auto --right-of LVDS-1
> > elif [ $1 = "Off" ]
> > then
> >     xrandr --output VGA-1 --off
> > fi
> >
> >
>
> Are you sure that sensorsd doesn't run your script? Have it do something
> that always happens ('touch /tmp/somefile' or something) to be sure.
>
> If it is running but isn't working as you expect, that's not a surprise
> because a script started by sensorsd won't normally have access to your X
> session. You can try something like
>
> su username -c "env DISPLAY=:0 xrandr --output [...]"
>
>
Boot NVME device on sparc64
Hi there, Does anyone have a way of booting a pcie nvme device on sparc64.
I can install OBSD on the device but of course there is no way OBP can
see it as a boot device. I can also use it for storage under OpenBSD
which works fine.

But! Is there any way to boot OpenBSD 6.5 installed on this drive on
sparc64.

I'm using a Sun t5120.

Kind regards
John.
Re: Sensorsd not executing commands
On 2019-07-25, cheddar-cheeze wrote:
> I am working on setting up sensorsd so that i can automatically turn on
> my display when docking my laptop, but on doing so sensorsd does not
> execute my shell script. In syslogd sensorsd shows the sensors being
> tripped so i am confused on why the shell script will not execute.
>
> #/etc/sensorsd.conf
> hw.sensors.acpidock0.indicator0:command=/etc/sensorsd/dock %2
>
>
> #/etc/sensorsd/dock
> #!/bin/sh
>
> if [ $1 = "On" ]
> then
>     xrandr --output VGA-1 --auto --right-of LVDS-1
> elif [ $1 = "Off" ]
> then
>     xrandr --output VGA-1 --off
> fi
>
>

Are you sure that sensorsd doesn't run your script? Have it do something
that always happens ('touch /tmp/somefile' or something) to be sure.

If it is running but isn't working as you expect, that's not a surprise
because a script started by sensorsd won't normally have access to your X
session. You can try something like

su username -c "env DISPLAY=:0 xrandr --output [...]"
Sensorsd not executing commands
I am working on setting up sensorsd so that i can automatically turn on
my display when docking my laptop, but on doing so sensorsd does not
execute my shell script. In syslogd sensorsd shows the sensors being
tripped so i am confused on why the shell script will not execute.

#/etc/sensorsd.conf
hw.sensors.acpidock0.indicator0:command=/etc/sensorsd/dock %2


#/etc/sensorsd/dock
#!/bin/sh

if [ $1 = "On" ]
then
    xrandr --output VGA-1 --auto --right-of LVDS-1
elif [ $1 = "Off" ]
then
    xrandr --output VGA-1 --off
fi
Re: vmd eating lots of memory
On Thu, Jul 25, 2019 at 09:54:22PM +0200, Paul de Weerd wrote:
> A little more follow-up on this vmd-memory-leak issue.
>
> Comparing the two VMs I have running, I started to stress parts where
> these two hosts differ. The testvm hardly does any traffic, while the
> undeadly vm sees quite a few visitors on a daily basis, so networking
> may be part of the leak.
>
> Running tcpbench against this machine (averaging at ~250Mbit/s)
> results in vmd growing by about 80MB to 100MB per minute. Running
> tcpbench against the testvm has similar results.
>
> The undeadly VM also has a second disk configured (on slower storage),
> but putting load on that didn't significantly change the memory
> consumption (above the 'expected' growth that I've been seeing).
>
> The growth during daily(8) runs still confuses me, as that doesn't do
> anything network-related...
>
> Paul
>

I'll try to look for leaks in that area then. Thanks for the report.

-ml

> On Sat, Jul 20, 2019 at 04:23:27PM +0200, Paul de Weerd wrote:
> | Hi all,
> |
> | I'm running two vmd(8) VMs:
> |
> | [weerd@despair] $ cat /etc/vm.conf
> | vm "undeadly" {
> |         owner root
> |         memory 2G
> |         disk /home/vmm/undeadly.dsk
> |         disk /storage/vmm/undeadly.dsk
> |         interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:bf"
> | }
> |
> | vm "testvm" {
> |         owner root
> |         memory 2G
> |         disk /home/vmm/testvm.dsk
> |         interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:be"
> | }
> |
> | switch "vmmswitch" {
> |         enable
> |         interface bridge0
> | }
> |
> | Both machines have been up since boot of the host machine:
> |
> | [weerd@despair] $ vmctl status
> |    ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER    STATE NAME
> |     2 23133     1    2.0G    1.1G   ttyp1         root  running testvm
> |     1 42094     1    2.0G    1.5G   ttyp0         root  running undeadly
> | [weerd@despair] $ uptime
> |  4:11PM  up 43 days, 57 mins, 12 users, load averages: 0.02, 0.07, 0.07
> | [weerd@despair] $ ssh undeadly uptime
> |  4:11PM  up 43 days, 57 mins, 2 users, load averages: 0.28, 0.12, 0.10
> | [weerd@despair] $ ssh testvm uptime
> |  4:11PM  up 43 days, 57 mins, 0 users, load averages: 0.00, 0.00, 0.00
> |
> | However, the undeadly VM consumes significantly more memory than the
> | other VM:
> |
> | [weerd@despair] $ ps wwwaux | grep -e vm[d] -e [P]ID
> | USER       PID %CPU %MEM      VSZ      RSS TT  STAT  STARTED       TIME COMMAND
> | _vmd     42094  3.7 57.9 28769236 19398792 ??  Ip     7Jun19 4741:37.66 vmd: undeadly (vmd)
> | _vmd      4567  0.0  0.0     1384     1384 ??  Isp    7Jun19    0:00.01 vmd: vmm (vmd)
> | root     84392  0.0  0.0     1564     1436 ??  Isp    7Jun19    0:00.02 /usr/sbin/vmd
> | _vmd     55269  0.0  0.0     1304     1468 ??  Isp    7Jun19    0:00.01 vmd: control (vmd)
> | root     51181  0.0  0.0     1236      928 ??  Is     7Jun19    0:00.01 vmd: priv (vmd)
> | _vmd     23133  0.0  0.2  2100100    70272 ??  Ip     7Jun19 1886:16.18 vmd: testvm (vmd)
> |
> | All systems run snaps from around the same time:
> |
> | [weerd@despair] $ sysctl kern.version
> | kern.version=OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
> |     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> |
> | [weerd@despair] $ ssh undeadly sysctl kern.version
> | kern.version=OpenBSD 6.5-current (GENERIC) #7: Fri Jun 7 00:45:34 MDT 2019
> |     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> |
> | [weerd@despair] $ ssh testvm sysctl kern.version
> | kern.version=OpenBSD 6.5-current (GENERIC) #6: Tue Jun 4 14:57:43 MDT 2019
> |     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> |
> | So it looks like there's a memory leak, either only for busy VMs or it
> | shows more for busier VMs. Has anyone seen anything similar on their
> | vmm VMs?
> |
> | I'll reboot the undeadly VM for now, as other processes are getting
> | killed for out of memory reasons (bgpd, in my case; see end of below
> | dmesg of host machine 'despair').
> |
> | Paul
> |
> | --- despair dmesg
> | OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
> |     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> | real mem = 34332733440 (32742MB)
> | avail mem = 33282105344 (31740MB)
> | mpath0 at root
> | scsibus0 at mpath0: 256 targets
> | mainbus0 at root
> | bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe66d0 (57 entries)
> | bios0: vendor Dell Inc. version "1.2.3" date 07/21/2011
> | bios0: Dell Inc. PowerEdge R210 II
> | acpi0 at bios0: rev 2
> | acpi0: sleep states S0 S4 S5
> | acpi0: tables DSDT FACP SPMI ASF! HPET APIC MCFG BOOT SSDT ASPT SSDT SSDT SPCR DMAR HEST ERST BERT EINJ
> | acpi0: wakeup devices P0P1(S4) GLAN(S0) EHC1(S4) EHC2(S4) PXSX(S4) RP01(S5) PXSX(S4) RP02(S5) PXSX(S4) RP03(S5) PXSX(S4) RP04(S5) PXSX(S4) RP05(S5) PXSX(S4) R
Re: vmd eating lots of memory
A little more follow-up on this vmd-memory-leak issue.

Comparing the two VMs I have running, I started to stress parts where
these two hosts differ. The testvm hardly does any traffic, while the
undeadly vm sees quite a few visitors on a daily basis, so networking
may be part of the leak.

Running tcpbench against this machine (averaging at ~250Mbit/s)
results in vmd growing by about 80MB to 100MB per minute. Running
tcpbench against the testvm has similar results.

The undeadly VM also has a second disk configured (on slower storage),
but putting load on that didn't significantly change the memory
consumption (above the 'expected' growth that I've been seeing).

The growth during daily(8) runs still confuses me, as that doesn't do
anything network-related...

Paul

On Sat, Jul 20, 2019 at 04:23:27PM +0200, Paul de Weerd wrote:
| Hi all,
|
| I'm running two vmd(8) VMs:
|
| [weerd@despair] $ cat /etc/vm.conf
| vm "undeadly" {
|         owner root
|         memory 2G
|         disk /home/vmm/undeadly.dsk
|         disk /storage/vmm/undeadly.dsk
|         interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:bf"
| }
|
| vm "testvm" {
|         owner root
|         memory 2G
|         disk /home/vmm/testvm.dsk
|         interface switch "vmmswitch" lladdr "fe:e1:bb:02:6b:be"
| }
|
| switch "vmmswitch" {
|         enable
|         interface bridge0
| }
|
| Both machines have been up since boot of the host machine:
|
| [weerd@despair] $ vmctl status
|    ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER    STATE NAME
|     2 23133     1    2.0G    1.1G   ttyp1         root  running testvm
|     1 42094     1    2.0G    1.5G   ttyp0         root  running undeadly
| [weerd@despair] $ uptime
|  4:11PM  up 43 days, 57 mins, 12 users, load averages: 0.02, 0.07, 0.07
| [weerd@despair] $ ssh undeadly uptime
|  4:11PM  up 43 days, 57 mins, 2 users, load averages: 0.28, 0.12, 0.10
| [weerd@despair] $ ssh testvm uptime
|  4:11PM  up 43 days, 57 mins, 0 users, load averages: 0.00, 0.00, 0.00
|
| However, the undeadly VM consumes significantly more memory than the
| other VM:
|
| [weerd@despair] $ ps wwwaux | grep -e vm[d] -e [P]ID
| USER       PID %CPU %MEM      VSZ      RSS TT  STAT  STARTED       TIME COMMAND
| _vmd     42094  3.7 57.9 28769236 19398792 ??  Ip     7Jun19 4741:37.66 vmd: undeadly (vmd)
| _vmd      4567  0.0  0.0     1384     1384 ??  Isp    7Jun19    0:00.01 vmd: vmm (vmd)
| root     84392  0.0  0.0     1564     1436 ??  Isp    7Jun19    0:00.02 /usr/sbin/vmd
| _vmd     55269  0.0  0.0     1304     1468 ??  Isp    7Jun19    0:00.01 vmd: control (vmd)
| root     51181  0.0  0.0     1236      928 ??  Is     7Jun19    0:00.01 vmd: priv (vmd)
| _vmd     23133  0.0  0.2  2100100    70272 ??  Ip     7Jun19 1886:16.18 vmd: testvm (vmd)
|
| All systems run snaps from around the same time:
|
| [weerd@despair] $ sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
|     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
|
| [weerd@despair] $ ssh undeadly sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC) #7: Fri Jun 7 00:45:34 MDT 2019
|     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
|
| [weerd@despair] $ ssh testvm sysctl kern.version
| kern.version=OpenBSD 6.5-current (GENERIC) #6: Tue Jun 4 14:57:43 MDT 2019
|     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
|
| So it looks like there's a memory leak, either only for busy VMs or it
| shows more for busier VMs. Has anyone seen anything similar on their
| vmm VMs?
|
| I'll reboot the undeadly VM for now, as other processes are getting
| killed for out of memory reasons (bgpd, in my case; see end of below
| dmesg of host machine 'despair').
|
| Paul
|
| --- despair dmesg
| OpenBSD 6.5-current (GENERIC.MP) #6: Tue Jun 4 15:05:10 MDT 2019
|     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
| real mem = 34332733440 (32742MB)
| avail mem = 33282105344 (31740MB)
| mpath0 at root
| scsibus0 at mpath0: 256 targets
| mainbus0 at root
| bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe66d0 (57 entries)
| bios0: vendor Dell Inc. version "1.2.3" date 07/21/2011
| bios0: Dell Inc. PowerEdge R210 II
| acpi0 at bios0: rev 2
| acpi0: sleep states S0 S4 S5
| acpi0: tables DSDT FACP SPMI ASF! HPET APIC MCFG BOOT SSDT ASPT SSDT SSDT SPCR DMAR HEST ERST BERT EINJ
| acpi0: wakeup devices P0P1(S4) GLAN(S0) EHC1(S4) EHC2(S4) PXSX(S4) RP01(S5) PXSX(S4) RP02(S5) PXSX(S4) RP03(S5) PXSX(S4) RP04(S5) PXSX(S4) RP05(S5) PXSX(S4) RP06(S5) [...]
| acpitimer0 at acpi0: 3579545 Hz, 24 bits
| acpihpet0 at acpi0: 14318179 Hz
| acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
| cpu0 at mainbus0: apid 0 (boot processor)
| cpu0: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz, 2400.39 MHz, 06-2a-07
| cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,
Re: Syncing unbound.conf
On 2019-07-25, Flipchan wrote:
> Greetings everyone,
>
> Does anyone have a good solution for syncing unbound configuration files?
>
>
> i have the scenario where i have two internal LAN's that in two different
> offices that need to have the same internal dns system for the local
> systems, and there is a lot of changes being done in the internal zone
> records so i need a good way to sync them (the ideal way where to have a
> similar solution like mysql's master-master replication).
>
> Both dns resolvers are running unbound on openbsd 6.5 and right now the
> configuration file is synced with ansible.
> Does anyone have a good solution on replicating dns records/configs for
> unbound. In the future it will be scaled even more so right now is a good
> time to implement some replication for the unbound configs.
>
> Does anyone have a solution for this?
>
> There is people changing the config files on both instances so the ideal
> way would be a replication real time sync function.
>
> Anyone got any ideas?
>
>
> Thanks in advance
> Ciao
> flipchan
>

If multiple sites are updating records in the same internal zone at
various times, they would probably be better off with a normal
authoritative DNS server serving that zone (with e.g. stub-zone to point
unbound at it), editing it in one place, and using normal DNS replication
(zone-transfer and notify) to push the updates.
Re: perl privilege drop
Andrew Hewus Fresh wrote:

> On Thu, Jul 25, 2019 at 07:16:27AM -0500, Edgar Pettijohn wrote:
> >
> > On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh wrote:
> > >
> > > On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > > > Is there a standard OpenBSD approved method for dropping privileges in
> > > > a perl server? Currently looking into Privileges::Drop, but since it
> > > > isn't in base makes me curious if there is a better way.
> > >
> > >
> > > It's relatively easy to do it yourself like I did in this Plack example.
> > >
> > > https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
> > >
> > >     use POSIX qw( setuid setgid );
> > >     chroot $root || die "Couldn't chroot to $root: $!";
> > >     setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> > >     setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
> > >
> >
> > That's too easy. I was expecting it to be more difficult.
>
> It was pointed out to me that I missed the chdir after the chroot that
> is required to not have a possible leak.
>
>     chroot $root || die "Couldn't chroot to $root: $!";
>     chdir '/'    || die "Couldn't chdir to '/': $!";
>
>
> https://perldoc.perl.org/5.30.0/functions/chroot.html
> > NOTE: It is good security practice to do chdir("/")
> > (chdir to the root directory) immediately after a chroot.
>
> Sorry about that!

The phrasing "good security practice" is quite disappointing, when it
is MANDATORY. Much like saying it is not good practice to wipe your bum.

It is mandatory because otherwise a program-user can arrange for cwd
to be outside the jail, and utilize that fact to pivot, and in some
program path utilizations the chroot then becomes not just pointless..
it is worse than normal, because it creates a dual-namespace view of
the filesystem, that is a condition that program and libraries are not
prepared to operate in.
Re: perl privilege drop
On Thu, Jul 25, 2019 at 07:16:27AM -0500, Edgar Pettijohn wrote:
>
> On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh wrote:
> >
> > On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > > Is there a standard OpenBSD approved method for dropping privileges in
> > > a perl server? Currently looking into Privileges::Drop, but since it
> > > isn't in base makes me curious if there is a better way.
> >
> >
> > It's relatively easy to do it yourself like I did in this Plack example.
> >
> > https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
> >
> >     use POSIX qw( setuid setgid );
> >     chroot $root || die "Couldn't chroot to $root: $!";
> >     setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> >     setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
> >
>
> That's too easy. I was expecting it to be more difficult.

It was pointed out to me that I missed the chdir after the chroot that
is required to not have a possible leak.

    chroot $root || die "Couldn't chroot to $root: $!";
    chdir '/'    || die "Couldn't chdir to '/': $!";

https://perldoc.perl.org/5.30.0/functions/chroot.html
> NOTE: It is good security practice to do chdir("/")
> (chdir to the root directory) immediately after a chroot.

Sorry about that!

>
> Thanks,
>
> Edgar
> > I don't know exactly what you're looking for though, so maybe
> > OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?
> >
> > http://man.openbsd.org/OpenBSD::Pledge
> > http://man.openbsd.org/OpenBSD::Unveil
> >
> >
> > l8rZ,
> > --
> > andrew - http://afresh1.com
> >
> > ($do || !$do) && undef($try) ; # Master of Perl, Yoda is. H?
> >

--
andrew - http://afresh1.com

Whatever happened to the days when hacking started
at the cerebral cortex and not the keyboard?
    -- Sid from UserFriendly.org
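
The sequence discussed in this thread (chroot, the mandatory chdir, then the group and user drop), followed by checks that the drop actually took effect. This is an added example, not code from the thread or from the linked gist; the jail directory and account name are command-line arguments supplied by the operator, and the supplementary-group reset and the verification steps go beyond what the thread shows.

```perl
#!/usr/bin/perl
# Added example: chroot + privilege drop with post-drop verification.
# Must be started as root. Jail directory and account name are arguments.
use strict;
use warnings;
use POSIX qw( setuid setgid );

sub drop_privileges {
    my ( $root, $user ) = @_;

    # Resolve the account BEFORE chroot: the passwd database is normally
    # not reachable from inside the jail.
    my ( $uid, $gid ) = ( getpwnam($user) )[ 2, 3 ];
    defined $uid or die "Unknown user $user\n";
    $uid != 0    or die "Refusing to 'drop' to uid 0\n";

    chroot $root or die "Couldn't chroot to $root: $!";

    # Mandatory: without this the cwd still refers to a directory
    # outside the new root.
    chdir '/' or die "Couldn't chdir to '/': $!";

    # Cross-check: "." and "/" must now be the same directory
    # (same device and inode).
    my @dot = stat('.') or die "Couldn't stat '.': $!";
    my @top = stat('/') or die "Couldn't stat '/': $!";
    $dot[0] == $top[0] && $dot[1] == $top[1]
        or die "cwd is not the jail root\n";

    # Order matters: supplementary groups first (needs root), then gid,
    # then uid. Assigning "$gid $gid" to $) sets the effective gid and
    # passes the single group $gid to setgroups().
    $! = 0;
    $) = "$gid $gid";
    die "Couldn't reset group list to $gid: $!" if $!;
    setgid($gid) or die "Couldn't setgid $gid: $!";
    setuid($uid) or die "Couldn't setuid $uid: $!";

    # Verify the drop is complete and cannot be undone.
    die "Was able to regain uid 0 after setuid\n" if setuid(0);
    $< == $uid && $> == $uid
        or die sprintf "uid mismatch: real %d effective %d\n", $<, $>;

    # $( and $) list the real/effective gid plus the group vector;
    # every entry must be the target gid.
    my %groups = map { $_ => 1 } split ' ', $( . ' ' . $);
    keys(%groups) == 1 && $groups{$gid}
        or die "Unexpected groups: " . join( ' ', sort keys %groups ) . "\n";

    return ( $uid, $gid );
}

unless (caller) {
    @ARGV == 2 or die "usage: $0 jail-dir user\n";
    $> == 0    or die "must be started as root to chroot\n";
    my ( $uid, $gid ) = drop_privileges(@ARGV);
    print "running as uid=$uid gid=$gid inside $ARGV[0]\n";
    # The server's main loop would start here.
}
```

Anything the server needs after this point (modules loaded at run time, log files, resolver configuration) has to exist inside the jail or be opened before drop_privileges() is called.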
Re: Write to DVD-RAM
On 7/24/19 10:19 PM, Zhi-Qiang Lei wrote:
> Hi, I'm trying to encrypt a DVD-RAM before putting some files onto it on my
> OpenBSD 6.5 desktop. But neither dd nor disklabel seems able to work on the
> drive. Did I miss something?
>
> $ dmesg | grep cd
> cd0 at scsibus3 targ 1 lun 0: ATAPI 5/cdrom
> removable serial.13fd3940302020202020
> cd0 at scsibus3 targ 1 lun 0: ATAPI 5/cdrom
> removable serial.13fd3940302020202020
>
> $ doas dd if=/dev/urandom of=/dev/rcd0c bs=1k
> dd: /dev/rcd0c: Invalid argument
> 1+0 records in
> 0+0 records out
> 0 bytes transferred in 0.000 secs (0 bytes/sec)
>
> $ doas disklabel -E cd0
> cd0> a
> partition: [a]
> offset: [0]
> size: [2236704]
> FS type: [4.2BSD]
> cd0> w
> cd0> p
> OpenBSD area: 0-2236704; size: 2236704; free: 0
> #                size           offset  fstype [fsize bsize   cpg]
>   a:          2236704                0  4.2BSD   2048 16384     1
>   c:          2236704                0  unused
> cd0> q
> No label changes.
>
> The same drive can be formatted and used on Mac OS X.
>
> Thanks and best regards,
> Siegfried

Did you try 2K blocks? The low level of CDROM only works that way.
Re: perl privilege drop
On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh wrote:
>
> On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > Is there a standard OpenBSD approved method for dropping privileges in
> > a perl server? Currently looking into Privileges::Drop, but since it
> > isn't in base makes me curious if there is a better way.
>
>
> It's relatively easy to do it yourself like I did in this Plack example.
>
> https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
>
>     use POSIX qw( setuid setgid );
>     chroot $root || die "Couldn't chroot to $root: $!";
>     setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
>     setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
>

That's too easy. I was expecting it to be more difficult.

Thanks,

Edgar
> I don't know exactly what you're looking for though, so maybe
> OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?
>
> http://man.openbsd.org/OpenBSD::Pledge
> http://man.openbsd.org/OpenBSD::Unveil
>
>
> l8rZ,
> --
> andrew - http://afresh1.com
>
> ($do || !$do) && undef($try) ; # Master of Perl, Yoda is. H?
>
Re: Syncing unbound.conf
Hi Flipchan,

I am using rdist(1) for it:
https://chargen.one/obsdams/rdist-1-when-ansible-is-too-much

Mischa

> On 25 Jul 2019, at 13:55, Flipchan wrote:
>
> Greetings everyone,
>
> Does anyone have a good solution for syncing unbound configuration files?
>
>
> i have the scenario where i have two internal LAN's that in two different
> offices that need to have the same internal dns system for the local
> systems, and there is a lot of changes being done in the internal zone
> records so i need a good way to sync them (the ideal way where to have a
> similar solution like mysql's master-master replication).
>
> Both dns resolvers are running unbound on openbsd 6.5 and right now the
> configuration file is synced with ansible.
> Does anyone have a good solution on replicating dns records/configs for
> unbound. In the future it will be scaled even more so right now is a good
> time to implement some replication for the unbound configs.
>
> Does anyone have a solution for this?
>
> There is people changing the config files on both instances so the ideal
> way would be a replication real time sync function.
>
> Anyone got any ideas?
>
>
> Thanks in advance
> Ciao
> flipchan
Syncing unbound.conf
Greetings everyone,

Does anyone have a good solution for syncing unbound configuration files?

i have the scenario where i have two internal LAN's that in two different
offices that need to have the same internal dns system for the local
systems, and there is a lot of changes being done in the internal zone
records so i need a good way to sync them (the ideal way where to have a
similar solution like mysql's master-master replication).

Both dns resolvers are running unbound on openbsd 6.5 and right now the
configuration file is synced with ansible.
Does anyone have a good solution on replicating dns records/configs for
unbound. In the future it will be scaled even more so right now is a good
time to implement some replication for the unbound configs.

Does anyone have a solution for this?

There is people changing the config files on both instances so the ideal
way would be a replication real time sync function.

Anyone got any ideas?

Thanks in advance
Ciao
flipchan
Re: Write to DVD-RAM
On Thu, Jul 25, 2019 at 10:19:11AM +0800, Zhi-Qiang Lei wrote:
> Hi, I'm trying to encrypt a DVD-RAM before putting some files onto it on my
> OpenBSD 6.5 desktop. But neither dd nor disklabel seems able to work on the
> drive. Did I miss something?
>
> $ dmesg | grep cd
> cd0 at scsibus3 targ 1 lun 0: ATAPI 5/cdrom
> removable serial.13fd3940302020202020
> cd0 at scsibus3 targ 1 lun 0: ATAPI 5/cdrom
> removable serial.13fd3940302020202020
>
> $ doas dd if=/dev/urandom of=/dev/rcd0c bs=1k
>
> dd: /dev/rcd0c: Invalid argument
> 1+0 records in
> 0+0 records out
> 0 bytes transferred in 0.000 secs (0 bytes/sec)
>
> $ doas disklabel -E cd0
> cd0> a
> partition: [a]
> offset: [0]
> size: [2236704]
> FS type: [4.2BSD]
> cd0> w
> cd0> p
> OpenBSD area: 0-2236704; size: 2236704; free: 0
> #                size           offset  fstype [fsize bsize   cpg]
>   a:          2236704                0  4.2BSD   2048 16384     1
>   c:          2236704                0  unused
> cd0> q
> No label changes.
>
> The same drive can be formatted and used on Mac OS X.

Try growisofs from sysutils/dvd+rw-tools in ports.