IPv6 Neighbor Discovery Issue
Hello,

I am currently facing the following problem:

I have a server with two interfaces:
- em1 (Outbound / facing the Internet)
- em0 (Internal use / LAN)
(additionally: vlan1000 - parentdev is em0)

The server runs OpenBSD 6.6-stable with the latest syspatches installed and rebooted to the patched kernel.

I assigned one address of the /56 my provider gave me to em1. Let's say it looks like this (obfuscated):

Prefix = 2a02:::cc00::/56
Gateway (provider) = 2a02:::cc00::1

I assigned to em1: 2a02:::cc00::2/56

### /etc/hostname.em1 ###
inet6 2a02:::cc00::2 56
!route add -inet6 default 2a02:::cc00::1
-soii
---

This far, everything works (inbound and outbound IPv6 connectivity).

In the next step I took a /64 from that range and assigned an address to the vlan1000 interface: 2a02:::ccff:dead::1

### /etc/hostname.em0 ###
up
---

### /etc/hostname.vlan1000 ###
inet 10.20.30.40 255.255.255.0
vnetid 1000 parent em0
inet6 2a02:::ccff:dead::1 64
---

This worked "somehow" (e.g. for a short period of time).
"Worked" means: This address was reachable from the outside world and vice versa.

After it stopped working I did a reboot and then it worked again (for a limited amount of time).

All I can see (from tcpdump) is that the provider gateway sends NDP solicitations, asking for 2a02:::ccff:dead::1
But no replies are appearing.

The same behaviour occurs independently from either
- pf disabled or
- allowing anything IPv6 related (icmp-v6 etc.)

I already enabled net.inet6.icmp6.nd6_debug but nothing shows up in dmesg.

Has anyone encountered this as well and/or has hints on how to solve this?

Thank you very much for your time.

Best regards,
Alex
Re: problems setting up PORTS_PRIVSEP
I didn't know anything about the mystuff directory. Anyway I tried it.

mkdir /usr/ports/mystuff
mkdir /usr/ports/mystuff/x11
cp -r /usr/ports/x11/dmenu /usr/ports/mystuff/x11/dmenu
chown -R user:wsrc /usr/ports/mystuff
cd /usr/ports/mystuff/x11/dmenu
make install

And it was successful, so you should check the file permissions in and of mystuff dir. If build was successful in /usr/ports/x11/dmenu, then permission could be skewed in mystuff. ("local user":"wsrc")

If no conflict in that, I think you could have messed up your /usr/ports/x11/dmenu dir before copying it, did you edit it?
Re: problems setting up PORTS_PRIVSEP
On Thu, Mar 26, 2020 at 06:04:19PM +0530, putridsou...@gmail.com wrote:
> I don't understand the logic of this
>
> mkdir /usr/ports/mystuff/x11
> cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
> cd /usr/ports/mystuff/x11/dmenu
> make package
>
> to build a package, one usually just runs command
>
> cd /usr/ports/x11/dmenu
> make install
>
> try and see if this gives an error.
>

Yes, that works but I want to apply some private patches to the application. That's why I copied the port to /usr/ports/mystuff, to make local changes
Re: MITM ?
On Wed, Mar 25, 2020 at 11:06:57PM +, Cord wrote:
> > > Read a LOT of man pages and misc@ tech@ ports@ bugs@
> > > > Maybe even tell us which version of VAX your laptop runs on?
> > VAX ???
> > > Is it OpenBSD version 4.9?
> > > > 4.9 ???
> > I'm sorry, I'm in the future.

But, my joking aside, you haven't provided much info for giving advice.

They have now found out that a huge number of commercial VPN companies are both running tracker software and selling your data. Worse, many are running session recording which could be making your passwords stealable.

In the USA, ISP's like Comcast have opened up all customers rented routers to the full public without the need for a password. If that is your case, your private network isn't private.

If your laptop is Intel based, turn off HT/SMT.
Run syspatch and pkg_add -u.
Look at all of your logs in detail.
Use NoScript and Ghostery plugins for Firefox.

Assume that someone might be physically accessing your laptop. The laws in the USA since 9/11 allow this to be done without you being told.

Good luck, hopefully you are not having this problem, but paranoia is a good thing in today's world.

Chris Bennett
Re: Managing multiple OpenBSD systems with a single base install
On Wed, Mar 25, 2020 at 09:28:52PM -0400, Demi M. Obenour wrote:
> I am working on an OpenBSD-based QubesOS TemplateVM, and have run into a few problems.

I don't have answers to your questions, but that sounds like an amazingly good and useful project and I wish you all the best in making it happen!
Re: Porting from linux
Howdy Putrid... :)

Kurt M and Mark Espie have given some talks available from YouTube

https://www.youtube.com/watch?v=eyK_LloYZu4
https://www.youtube.com/watch?v=aw2Gezj-Nkw

Peace out ...

On Thu, 26 Mar 2020 at 12:53, wrote:
>
> I want to get into porting, I have experience
> installing from source particularly on linux.
>
> Is there a difference in how package works on
> linux and openbsd? Is there a guide anyone
> can point me to porting linux packages to
> openbsd?
>
> Are there different syscalls?
> Directory systems are almost the same, in
> concern to packages.
> Is there a need to edit the source?
>

--
Kindest regards,
Tom Smyth.
Re: Porting from linux
https://www.openbsd.org/faq/ports/index.html

2020-03-26 13:49 GMT+01:00, putridsou...@gmail.com :
> I want to get into porting, I have experience
> installing from source particularly on linux.
>
> Is there a difference in how package works on
> linux and openbsd? Is there a guide anyone
> can point me to porting linux packages to
> openbsd?
>
> Are there different syscalls?
> Directory systems are almost the same, in
> concern to packages.
> Is there a need to edit the source?
>
>
Porting from linux
I want to get into porting, I have experience installing from source particularly on linux.

Is there a difference in how package works on linux and openbsd? Is there a guide anyone can point me to porting linux packages to openbsd?

Are there different syscalls?
Directory systems are almost the same, in concern to packages.
Is there a need to edit the source?
Re: problems setting up PORTS_PRIVSEP
I don't understand the logic of this

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

to build a package, one usually just runs command

cd /usr/ports/x11/dmenu
make install

try and see if this gives an error.
Re: problems setting up PORTS_PRIVSEP
You only need to change permissions on the /usr/obj

Run these as root

install -dm0775 -o _pbuild -g _pbuild /usr/obj
install -dm0775 -o _pbuild -g _pbuild /usr/obj/ports

Also the variables DISTDIR and PACKAGE_REPOSITORY are redundant, since those are the default values anyway.

In /etc/doas.conf, replace the three commands with their complete paths. This will save a headache, believe me.

Setting WRKOBJDIR is not really useful, the default location (/usr/ports/pobj) works fine, unless it's an aesthetic issue, since it deals mostly with temporary data

Only real use according to me, is to set /usr/ports as read-only by pushing all work directories out of it.
Re: problems setting up PORTS_PRIVSEP
On Thu, Mar 26, 2020 at 07:50:27AM -, Stuart Henderson wrote:
> Does _pbuild have write access to /usr/obj? If not, either grant it,
> or create /usr/obj/ports yourself and grant _pbuild write access to
> that.

these were the permissions:

drwxrwxr-x 4 build wobj 512 Mar 25 11:03 /usr/obj
d2d35fe9f62eb1e1.i /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2

because that is for building base I have changed WRKOBJDIR=/usr/ports/obj

drwxr-xr-x 3 _pbuild _pbuild 512 Mar 26 10:12 /usr/ports/obj/

Now it's working. Thanks!

Now I'm getting this:

sirius$ make package
===> Checking files for dmenu-4.9
>> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
dmenu-4.9.tar.gz 100% |*| 15972 00:00
>> (SHA256) dmenu-4.9.tar.gz: OK
===> Verifying specs: X11 Xft Xinerama c fontconfig
===> found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
===> Extracting for dmenu-4.9
make: don't know how to make do-extract
Stop in .
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2641 '/usr/ports/obj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu &...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2089 '/usr/ports/packages/amd64/all/dmenu-4.9.tgz': @cd /usr/ports/mystuff/x11/dm...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2578 '_internal-package': @case X${_DEPENDS_CACHE} in X) _DEPENDS_CACHE=$(doas -...)
*** Error 2 in /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557 'package': @lock=dmenu-4.9; export _LOCKS_HELD="...)

in ports under /usr/ports/mystuff I just:

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

But it doesn't seem related to PORT_PRIVSEP, I have built wmutils doing the same without problems

> Allowing pkg_add with nopass opens a way for your account to get root
> without a password.
>
> Since doas "persist" doesn't allow password persistence with how ports
> uses it, I use sudo not doas on ports dev machines. (I use doas on
> ports build machines, but dpb manages running pkg_add in that case,
> and is started as root so it only needs to drop privs rather than
> raise them).
>

So dpb for building just 3 or 4 ports is over-kill right?
Re: problems setting up PORTS_PRIVSEP
On Wed, 25 Mar 2020 at 11:19, Moises Simon wrote:
>
> Hi misc,
>
> I'm trying to set the ports system to use PORT_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53. *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...
>
> even after doing make fix-permissions. I'm not seeing something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
> permit nopass setenv { TERM } msv cmd pkg_delete
>
> permit keepenv nopass msv as _pbuild
> permit keepenv nopass msv as _pfetch
>
> permit msv as root
>

Hi, have you given a look at this tutorial:

https://dataswamp.org/~solene/2020-01-11-privsep.html

--
Ottavio Caruso
Re: problems setting up PORTS_PRIVSEP
On 2020-03-25, Moises Simon wrote:
> Hi misc,
>
> I'm trying to set the ports system to use PORT_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53. *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

Does _pbuild have write access to /usr/obj? If not, either grant it, or create /usr/obj/ports yourself and grant _pbuild write access to that.

> even after doing make fix-permissions. I'm not seeing something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add

Allowing pkg_add with nopass opens a way for your account to get root without a password.

Since doas "persist" doesn't allow password persistence with how ports uses it, I use sudo not doas on ports dev machines. (I use doas on ports build machines, but dpb manages running pkg_add in that case, and is started as root so it only needs to drop privs rather than raise them).
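Two points from this thread (a nopass rule for pkg_add is a passwordless path to root, and commands in /etc/doas.conf are better given with complete paths) can be checked mechanically. The lint below is an added example, not part of the original messages; the finding codes and function names are made up for illustration, and it assumes one rule per line with whitespace-separated tokens rather than the full doas.conf grammar.

```shell
#!/bin/sh
# Added example (not from the thread): lint a doas.conf for the two points
# raised above. Output: one "LINE:CODE:command" record per finding.
# The codes NOPASS_PKG_ADD, NOPASS_ANY_CMD and RELATIVE_CMD are hypothetical.

audit_doas_conf() {
    awk '
    $1 != "permit" { next }              # skip deny rules, comments, blanks
    {
        nopass = 0; cmd = ""; target = ""; inbrace = 0
        for (i = 2; i <= NF; i++) {
            if (substr($i, 1, 1) == "{") inbrace = 1
            if (inbrace) {               # skip names inside setenv { ... }
                if (substr($i, length($i)) == "}") inbrace = 0
                continue
            }
            if ($i == "nopass") nopass = 1
            else if ($i == "as"  && i < NF) { target = $(i + 1); i++ }
            else if ($i == "cmd" && i < NF) { cmd = $(i + 1); break }
        }
        # doas.conf(5): with no "as", the rule applies to all target users
        to_root = (target == "" || target == "root")
        base = cmd; sub(/.*\//, "", base)
        if (nopass && to_root && base == "pkg_add")
            print NR ":NOPASS_PKG_ADD:" cmd
        if (nopass && to_root && cmd == "")
            print NR ":NOPASS_ANY_CMD:"
        if (cmd != "" && substr(cmd, 1, 1) != "/")
            print NR ":RELATIVE_CMD:" cmd
    }' "$1"
}

# The doas.conf quoted in the thread, written to a scratch file for the demo.
write_thread_conf() {
    cat > "$1" <<'EOF'
permit nopass msv cmd touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
permit nopass setenv { TERM } msv cmd pkg_delete

permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch

permit msv as root
EOF
}

demo_conf=$(mktemp)
write_thread_conf "$demo_conf"
audit_doas_conf "$demo_conf"
rm -f "$demo_conf"
```

The rules that run as _pbuild and _pfetch are not reported because their target is an unprivileged build user, and "permit msv as root" is not reported because it still asks for a password.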
Re: Trusted Boot with OpenBSD
>> I can't tell from the instructions how the FDE encryption key is stored --
>> do we manually seal it to the TPM and then manually unseal and copy/paste it
>> every time we boot? Or is it assumed the user will write a script to handle
>> this -- a script which itself will have to be measured by the TPM?
>
> This is not possible with the current version. The Master's thesis was
> about answering this Question: Did unencrypted software change since
> the last time the user operated this system.
>
> What exactly is your use case? Do you want a system with FDE that does
> not prompt you for the encryption key or do you want to improve the
> security by storing a part of the key material inside the TPM while the
> other half is provided by a user password?
>
> There are a lot of possibilities with an available TPM on boot, so if
> you have a specific use case we can tailor that right in.
>
> Before we do that I think it is important to make this feature a lot
> easier to install. Following this manual, patching and compiling source
> code and updating the MBR and biosboot is not something the user should
> have to worry about.
>
> The problem is, in order to make space for this feature in the MBR as
> well as in biosboot I had to remove the code responsible for loading a
> block from disk via CHS. This is obviously not acceptable if this should
> be integrated back into OpenBSD.
>
> One possible solution would be to let the MBR and biosboot grow bigger
> than 512 byte and let installboot(8) figure out what the user needs and
> remove code paths that are not used to get the binary back to 512 byte.
>
> Everything else I thought of involves recompiling.