Re: making firefox less insecure
Quoting Daniel Dickman didick...@gmail.com:

On Sun, Nov 16, 2014 at 2:08 PM, Jonathan Thornburg jth...@astro.indiana.edu wrote: Are there other practical ways of securing an OpenBSD web browser? [I'm afraid "just say no" fails the practical test. :( ]

one practical thing I'd love to see is for someone to port the Quark web browser: http://goto.ucsd.edu/quark/ I've no idea if it's good enough for practical use, but it seems like an interesting piece of work.

I have another approach that has worked for me so far: I created a virtual machine with Debian GNU/kFreeBSD (sorry but I'm new here), and installed Firefox there and other software I would need like image and PDF viewers. After installing Firefox I configured things like the proxy and, after browsing no page at all, shut down my virtual machine. Then I start it as read-only; I mean, you can use the virtual machine as read-write but everything is gone after shutting it down and it goes back to the initial state. I restart it at midnight every day so I have a newly-installed browser every morning, and I use the browser via ssh. So far the biggest drawback to me is not being able to have sound, but even videos play well enough through the network. If that VM becomes compromised it will go back to its initial state at midnight, and it's isolated and has no personal data, so a compromise would very likely be harmless.

Best regards, Jorge.

This message was sent using IMP, the Internet Messaging Program.
Re: making firefox less insecure
Quoting Jason Adams adams...@gmail.com:

On 11/16/2014 12:15 PM, Jorge Gabriel Lopez Paramount wrote: I have another approach that has worked for me so far: I created a virtual machine with Debian GNU/kFreeBSD (sorry but I'm new here), and installed Firefox there and other software I would need like image and PDF viewers. After installing Firefox I configured things like the proxy and, after browsing no page at all, shut down my virtual machine.

Seems heavy, and probably harder to set up and maintain than (e) and (f).

Sure it's harder to set up, but believe me, after setting it up the maintenance is almost zero. I restart that server every week as read-write to patch it, and that's all; I have to do it that way because Debian publishes a lot of patches frequently. If OpenBSD is as good as I have seen and there is a patch like once a month, then you will have to care about it once a month. I have been using that VM for more than half a year and invested like 4 hours setting it up. Isn't 4 hours worth it for software that you use every day for things as important as banking?

Best regards, Jorge.
Re: making firefox less insecure
I use bookmarks, but I have them in my Drupal portal so there is no need to remember links; it is, by the way, restricted using Apache authentication. The basic idea is this: any time I need to set something in Firefox I have to restart the VM as read-write, and while on it I do not open any site. The first days I did that frequently, but the last time I set something in Firefox was months ago.

Best regards, Jorge.

Worik Stanton worik.stan...@gmail.com wrote:

On 17/11/14 10:55, Jorge Gabriel Lopez Paramount wrote: [snip] I restart that server every week as read-write to patch it and that's all, [snip] I have been using that VM for more than half a year and invested like 4 hours setting it up. Isn't 4 hours worth it for software that you use every day for things as important as banking?

So you do not have bookmarks? For banking that is a risk. If you mistype your URL you may end up on a phishing page. I always load my banking URL from a bookmark.

Worik
--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804 Aotearoa (New Zealand)
I voted for love
Re: making firefox less insecure
Quoting frantisek holop min...@obiit.org:

Jorge Gabriel Lopez Paramount, 16 Nov 2014 15:55: Seems heavy, and probably harder to set up and maintain than (e) and (f). Sure it's harder to set up, but believe me, after setting it up the maintenance is almost zero. I restart that server every week as read-write to patch it

as if the browsers weren't memory hungry enough, and slow: so let's throw them inside a VM that is another pile of huge unaudited codebase (especially when the guest is linux)?

What can I say, I reserved 800 MB for the virtual machine running only Firefox. But to me it has a nice extra: I have an old netbook with an Atom processor and 1 GB of RAM that I use in bed, and using the VM browser on it is very pleasant, not sluggish as you might expect of an old netbook. Another good extra is that I have the same browser with the same settings no matter what computer (in my home) I use. Did I mention that I'm new to OpenBSD? =)

the browsing experience of resource hungry sites on older generation notebooks is abysmal as it is, a VM is hardly the solution for me.

It's as you say, but I have a resourceful server reserved for virtual machines, and laptops that I use mostly to open terminals and remote sessions.

regarding the ssh key stealing, they are password protected anyway, right?

I did not get this, but the only password in that VM is the root one, and it is different from the others, and that VM is not accessible outside my home.

Best regards, Jorge.
Re: I saw an oddity with firefox
I started firefox on a remote xhost and it somehow came up as a local instance (thru X?) with bookmarks from a local client account... the remote account was newly instanced and this was the first and *only* time I've seen it happen. But it did.

That's a feature, not a bug. =) When you start Firefox it somehow figures out how to run locally instead of remotely; if you need to run the remote Firefox you have to use the -no-remote flag.

Best regards, Jorge.
Re: OpenBSD Trademark Policy
I think the same: if running a command after installing it will make your system free enough, what is the need for a fork? I think that if you publish a web page with that information the OpenBSD community would not take that as an offense.

I'm in the middle of leaving Debian after almost 15 years of using it, due to the systemd affair. And as you might guess it has not been easy; I have enough (personal) systems and experience invested to leave Debian only for a tantrum, but there is no easy way to install a new system and avoid systemd, and I guess this will become worse over time. Had I a one-command option to avoid or drop systemd, I might not be here.

Best regards, Jorge.

Luiz Roberto dos Santos arrowscr...@mail.com wrote:

At 7 Dec 2014 12:42:41 + (UTC) from Kaspars Bankovskis kasp...@bankovskis.net: there are more useful things to do, don't you think so?

Agree. Riley, I think you don't get the point here. The firmware blobs are *not* running on the system, but on the device. Why don't you just create a script to remove these files if you want? Why create an entire new system for this?
Re: AMD64 packages - Reflecting dynamic linking
Quoting FRIGN d...@frign.de:

It may be a little far-fetched, but I'm sure it would be possible to have one package-manager for all distributions if there would just be the motivation to distribute statically linked binaries and not fuck things up with distribution-specific folder-structures.

I'm not a hacker so I have no means to ponder your other arguments, but as a user you lost me with this. I'm running away from systemd, so the concept of one package manager to rule them all does not appeal to me. http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html

--
Best regards, Jorge Lopez.
Re: Upgrading issues (i386 on PPro class) 5.4-5.5 leaving system horked
Quoting Damon Getsman damo.g...@gmail.com:

Hello everyone. Regardless, I just wanted to find out... I usually get people willing to give some advice, or at least willing to laugh and tell me the lesson that I needed to know on here. I was really kind of surprised that I haven't heard anything back on this for so long...

As I see it, it would be very difficult to diagnose your problem remotely, but I'm new here. Yesterday I did my first (test) upgrade from 5.5 to 5.6 and it was fine; the system was smart enough to not screw things up even when I set the wrong architecture and version in pkg.conf. I did four updates in total and the last one was very straightforward and quick. The process was simple: booted the system with the installation CD, selected upgrade, and almost everything was the default selection; after that, booted into the upgraded server, ran the sysmerge command, deleted the old files, rebooted, updated packages with pkg_add -u, rebooted, ran pkg_add -u again just in case, and everything went fine. I even applied patches since I'm using stable.

So, can anybody tell me, is my situation just so hosed that it's helpless? I mean, should I stop waiting for potential ways to fix this dependency hosed box and reinstall and try to find a way to re-inject all of my data into it, or are the gurus just swamped with new years tasks? :) If any of you could give me some feedback I'd really appreciate it. Like I said with the issue when I was first mentioning it, this system is really integral to a lot of the work that I do, and it's my sole external facing server... It's like a knife in my gut not having it working.

If I were you I would install a clean system, check the differences between the stock and your configuration files, restore your data and check if everything is working again. Anyway, if you have to do more than one upgrade operation on the same system it might take less effort to just reinstall than to go through all the upgrades.

Upgrading critical systems is an excellent case for virtual machines: if something goes wrong you just have to restore the backed-up image, which can be as easy as copying a file. I know that virtual machines are heresy here and viewed as a waste of resources, but in situations like this they are priceless.

--
Best regards, Jorge Lopez.
Re: What are the disadvantages of soft updates?
Quoting Predrag Punosevac punoseva...@gmail.com:

I was following this discussion with great interest but without intending to participate in it until today. Namely one of my OpenBSD servers (5.6 sparc64) runs Mollify and last night I received an e-mail from an angry user who could not upload files (the upload would fail or upload the file with file size zero). After running df I noticed that /tmp was 100% full (4GB used) but the size of individual files was only 12Kb. I thought for a second and I remembered seeing this with HAMMER on DF. Long story short, I checked /etc/fstab and sure enough I had rw,softdep next to each partition including tmp. I removed softdep, rebooted the system and /tmp usage dropped to 0%. More importantly, users could upload files again.

Two things: UNIX servers like OpenBSD usually clean /tmp on every reboot:

$ ls -la /tmp
total 20
drwxrwxrwt   5 root  wheel  512 Jan 23 15:00 .
drwxr-xr-x  16 root  wheel  512 Jan 23 14:58 ..
drwxrwxrwt   2 root  wheel  512 Jan 23 15:00 .ICE-unix
drwxrwxrwt   2 root  wheel  512 Jan 23 15:00 .X11-unix
drwxr-xr-x   2 root  wheel  512 Jan 23 15:00 aucat
$ uptime
 3:00PM  up 1 min, 1 user, load averages: 1.11, 0.41, 0.16

And one thing is space available and another, different but related, is inodes available:

$ df -i /tmp
Filesystem  512-blocks    Used    Avail Capacity iused  ifree %iused  Mounted on
/dev/wd0a      1920764  126340  1698388     7%    2439 127479     2%   /

If you have lots of small files you might have plenty of space available, but you will be unable to create more files if there are no inodes available.

--
Best regards, Jorge Lopez.
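The space-versus-inodes distinction above is easy to miss when you only look at the Capacity column. As an added example (not a script from this thread or from OpenBSD), the sh snippet below reads `df -i` output in OpenBSD's format and flags every filesystem whose inode usage is at or above a threshold, whatever its block usage. The sample output is constructed: its first data line is the one posted above, the other two are made up to show a /tmp full of tiny files and a healthy /home.

```sh
#!/bin/sh
# Added example, not from the thread: detect filesystems that are running
# out of inodes while still reporting free blocks (many small files).
# Field layout follows the header of OpenBSD's `df -i`:
#   Filesystem 512-blocks Used Avail Capacity iused ifree %iused Mounted on
# so on data lines $5 is block capacity, $8 inode capacity, $9 the mount.

# Constructed sample. Line 1 is the one from the thread; lines 2 and 3
# are invented to show the failure mode (/tmp) and a normal case (/home).
SAMPLE_DF_I='Filesystem 512-blocks Used Avail Capacity iused ifree %iused Mounted on
/dev/wd0a 1920764 126340 1698388 7% 2439 127479 2% /
/dev/wd0d 8388608 1048576 6920704 13% 1048000 576 99% /tmp
/dev/wd0e 41943040 20971520 18874368 53% 300000 2300000 12% /home'

# check_inodes THRESHOLD < df-i-output
# Prints "<mount> <%iused> <block capacity>" for each filesystem whose
# inode usage is at or above THRESHOLD percent.
check_inodes() {
    threshold="$1"
    awk -v thr="$threshold" '
        NR == 1 { next }                      # skip the header line
        {
            cap  = $5; sub(/%/, "", cap)      # block capacity, numeric
            iuse = $8; sub(/%/, "", iuse)     # inode capacity, numeric
            if (iuse + 0 >= thr + 0)
                print $9, iuse "%", cap "%"
        }'
}

# count_low_inodes THRESHOLD: how many sample filesystems trip the check.
count_low_inodes() {
    printf '%s\n' "$SAMPLE_DF_I" | check_inodes "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--run" ]; then
    echo "Filesystems at >= 90% inode use (mount, %iused, block capacity):"
    printf '%s\n' "$SAMPLE_DF_I" | check_inodes 90
fi
```

On a real system you would pipe `df -i` straight into `check_inodes 90`; the sample shows /tmp at 13% block usage but 99% inode usage, which is exactly the state in which new files cannot be created although `df` alone looks fine.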
Re: Wouldn't `daemon_enable=YES` make more sense than `daemon_flags=` in rc.conf.local?
Quoting Ingo Schwarze schwa...@usta.de:

Most of my daemons don't have any flags so it looks a bit strange (and messy) with all these empty flag specs.

That's a matter of taste and purely aesthetic without any functional consequences, so if it's an argument at all, it carries almost no weight.

There are worse ways of starting up daemons, like systemd.

--
Best regards, Jorge Lopez.
Re: OpenBSD and disk slowliness
Hi all,

Just for the record, I do not think that the behavior of OpenBSD/i386 with virtual disks running on KVM is a bug. Virtio was designed specially for virtual machines and all modern Linux distros and other modern operating systems support it; therefore the only good reason for not using virtio is having a legacy OS that does not support it. Since the default in QEMU/KVM is NOT virtio and there are people getting hit with this like myself, I considered it a good idea to share this, but I do not consider this a bug, maybe a nice-to-have. OpenBSD runs fine with virtio and virtio is the fastest interface for any OS, better to use it than not.

--
Best regards, Jorge Lopez.

Quoting Mark Kettenis mark.kette...@xs4all.nl:

The way OpenBSD/i386 uses the xAPIC interrupt controller gives KVM (and other virtualization software) a hard time. OpenBSD/amd64 does things in a KVM-friendlier way, and we're trying to make it even friendlier. Fixing the interrupt handling on OpenBSD/i386 isn't very high on my priority list. I really recommend that people use OpenBSD/amd64. You'll get much better address space randomization and NX bit support that way.
Re: OpenBSD and disk slowliness
Quoting Kent Fritz fritz.k...@gmail.com:

Hopefully this is not too bad advice... I've found the performance with cache=none to be unacceptable as well. I'm using cache=writeback. Of course you'll get much better performance if you remove Linux/KVM. :)

It might be the case for OpenBSD/i386, but in general cache=writeback is discouraged because you get double caching (guest OS and host OS), performance is usually better with direct access, and it might not be desirable that the guest OS behaves as if data has been written to disk when in reality the data is still lingering in the host OS cache.

--
Best regards, Jorge Lopez.
OpenBSD and disk slowliness
Hi all,

A few months ago I tried to install OpenBSD 5.5 in a KVM virtual machine running on Linux on an amd64 computer. First I tried to install the i386 version, since my Linux virtual machines are i686, and it was painfully slow, so much that I almost decided not to use OpenBSD. Then I tried the amd64 version and it ran blazingly fast; I was so impressed that I'm here. Time passed and I installed some i386 virtual machines running on Atom chips without issues, and so far they have been running fine, so I forgot the issue; but last week I started to upgrade them to 5.6 and it was again painfully slow, one hour to upgrade each one. And since the slow part of upgrading was the untarring and the LED of the disk was blinking like crazy, I supposed it was some issue with the virtual hard disk.

Now that I know more about OpenBSD I tried again to install the same 5.5 version on the same amd64 computer, but this time using the virtio drivers, and in less than 5 minutes I had installed a new OpenBSD server with no issues at all. For reference this is the kvm command I used:

kvm -vnc :15 -m 256 -name openbsd -pidfile /qemu/OpenBSD/OpenBSD.pid -k es -net nic,macaddr=52:54:00:12:34:84,model=virtio -net tap,ifname=tap17 -drive file=/dev/eliseos/qemu-004,cache=none,if=virtio -cdrom /software/OpenBSD/5.5/i386/install55.iso -boot d -daemonize

I would like to share this because I have read in many places about hard disk slowness with OpenBSD, very likely disappointing new users when in fact OpenBSD is very good.

--
Best regards, Jorge Lopez.
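Two setups in these threads come down to how the kvm command line is built: the virtio disk and network with cache=none shown above, and the throwaway browser guest from the "making firefox less insecure" thread that is started read-only and reverts to its installed state on every restart. The sh script below is an added example, not a command from any of the messages, that builds both variants from one function. It relies on qemu's `-snapshot` option, which redirects all disk writes to a temporary file so the image itself is untouched; guest names, image paths, tap interface names and the memory size are assumptions.

```sh
#!/bin/sh
# Added example; not a command posted in these threads.
# Builds the kvm command line for a guest that uses virtio for disk and
# network (cache=none so the host does not cache on top of the guest) and,
# for a disposable browser guest, appends qemu's -snapshot so every write
# goes to a temporary file and the image is back to its initial state the
# next time the guest starts. Names, paths and sizes are assumptions.

# build_kvm_cmd NAME DISK MODE [ISO]
#   MODE "ro": disposable run, writes discarded (-snapshot)
#   MODE "rw": maintenance run, writes persist (patching, browser settings)
#   ISO, if given, is attached as a CD-ROM and booted from (installation).
# Prints the command line; it does not start the guest.
build_kvm_cmd() {
    name="$1"; disk="$2"; mode="$3"; iso="${4:-}"
    if [ -z "$name" ] || [ -z "$disk" ]; then
        echo "build_kvm_cmd: NAME and DISK are required" >&2
        return 1
    fi
    case "$mode" in
        ro|rw) ;;
        *) echo "build_kvm_cmd: MODE must be ro or rw" >&2; return 1 ;;
    esac
    # Positional parameters are local to a function in POSIX sh, so they
    # can be reused to assemble the argument list without word splitting.
    set -- kvm -name "$name" -m 1024 -vnc none \
        -net nic,model=virtio -net "tap,ifname=tap-$name" \
        -drive "file=$disk,cache=none,if=virtio"
    if [ "$mode" = ro ]; then
        set -- "$@" -snapshot      # discard all writes to the disk image
    fi
    if [ -n "$iso" ]; then
        set -- "$@" -cdrom "$iso" -boot d
    fi
    printf '%s\n' "$*"
}

# uses_snapshot CMDLINE: succeeds if the command line runs the guest disposably.
uses_snapshot() {
    case " $1 " in
        *" -snapshot "*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    # Daily browser session: nothing written survives the next restart.
    build_kvm_cmd browser /vm/browser.img ro
    # Weekly patch session: writes persist, so browse nothing during it.
    build_kvm_cmd browser /vm/browser.img rw
fi
```

The midnight reset described in the browser thread needs no extra tooling with this layout: stopping the guest and starting it again in "ro" mode is enough, because `-snapshot` never wrote to the image in the first place. The only deliberate write path is an "rw" run, which is where patches and browser settings get applied.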
Re: ntpd.drift values?
Quoting Christian Weisgerber na...@mips.inka.de:

2x e-08 (esxi)

Oooh, interesting. I hadn't considered VMs that actually keep time.

Indeed:

# cat /var/db/ntpd.drift
3.970778e-09

OpenBSD 5.5/i386 with qemu on a Linux host, has worked fine so far. =)

--
Best regards, Jorge Lopez.
Re: Spanish discussion list
When I started learning OpenBSD half a year ago I checked communities and mailing lists, and there is a list in Mexico, with something like three emails per month on average. I saw a site about BSD in general as well, with translated articles. Rather than having a Spanish mailing list I would like to join a group to chat about the joy of running OpenBSD while drinking some beers, but since there are so few people in my area that is impossible. In my opinion having translated documentation would be a big effort with little impact; I think it's not too much to ask people to learn basic English in order to be able to run OpenBSD.

Best regards, Jorge.

agrquinonez agrquino...@agronomos.ca wrote:

Hello. Is there someone interested in having a discussion list in Spanish? I have an OBSD server running current (httpd, smtpd, ftp), and I would like to have a discussion list in Spanish; it could have blogs, a forum, or any other related things. For now I have it at home, but I might pay for a dedicated site on OBSD hosting. The main idea is to make it easier for Spanish speakers, keeping the friendly environment of the OpenBSD list. Thanks for your attention.
Re: isolating untrusted programs in ssh chroot jails
Quoting dan mclaughlin thev...@openmailbox.org:

there seems to be some interest in this, so i thought i would post my notes, made more presentable. here i detail ways to use ssh to restrict access to the filesystem as well as X, mitigating the 'security nightmare' that is X11, not to mention preventing possible leaking of local data. this uses more proven code so may be better than eg virtualization for some things.

This looks interesting but really complicated. As I commented before, I use a virtual machine for running Firefox due to security concerns, now with OpenBSD at last. I know that a virtual machine would not resist a targeted attack, but since it would be complicated to break out of a virtual machine and this is not a common setup, I do not think a generic attack/worm/trojan would be able to do any harm.

Also, I'm running Firefox for browsing, but since it's common to get PDF files I have installed a PDF viewer alongside it as well. And sometimes I want to print documents so I installed cups (fortunately everything works on OpenBSD as expected, thanks by the way!). Firefox, a PDF viewer and cups have a lot of dependencies, and I have not tried yet to forward sound, so my Firefox is soundless. And Firefox alone eats lots of memory; I have reserved one gigabyte of RAM for this VM. To me that's one of the biggest virtual machines I have, and very likely it would make a big jail.

If I wanted to do it the OpenBSD way (the one I imagine) I would reserve an old laptop or netbook and put OpenBSD with Firefox and friends there, instead of setting up a big and complicated jail.

--
Best regards, Jorge Lopez.
Re: OpenBSD as base OS for Virtualization
I want to set up a virtualization server. Currently I am using xen with Linux + ZFS... And it uses files instead of ZFS volumes...

Since I'm new to OpenBSD I won't tell you what OpenBSD supports for virtualization, but what works for me; hope this helps. Keep in mind my lack of experience in OpenBSD, my (hopefully) long experience with Linux, and that I'm in the middle of moving from Linux to OpenBSD.

I'm using Debian Wheezy for physical servers and for virtual ones too; for the physical ones I have the minimal installation since everything runs in the virtual machines. I use KVM and LVM, I really like them and I would be happy to see something like that on OpenBSD. All the OpenBSD servers I have are virtual, some with KVM and a few with QEMU; the ones with QEMU run well enough and with no issues despite QEMU being older, the ones running with KVM fly. This means to me not having a hard time with the hardware, since the only purpose of the physical servers is running the virtual ones, and being able to run Linux and OpenBSD together, making it easy to replace Linux servers with OpenBSD servers one by one, not having to replace all or nothing at once.

--
Best regards, Jorge Lopez.
Re: offtopic: political correctness
Quoting Marko Cupać marko.cu...@mimar.rs:

I am reading the 2nd edition of Absolute OpenBSD and can't but notice the paragraph Confidentiality on page XXX of the Introduction:

---cut-here---
Confidentiality
This means that secret data should remain secret. Your private information must not get into the public eye. That Eastern European kiddie porn syndicate should not get your credit card number.
---cut-here---

This sounds quite Nazi to me. Should a Western European kiddie porn syndicate be able to get my credit card number, as opposed to an Eastern European kiddie porn syndicate, which should not? Or does that mean that kiddie porn syndicates exist only in Eastern Europe, but not in - let's say - New Zealand or Canada?

Feel free to ask to change "Eastern European kiddie porn syndicate" to "Mexican kidnapping drug cartel"; I'm Mexican and would not mind at all.

--
Best regards, Jorge Lopez.
Re: [OFFTOPIC] Re: Order Acknowledgement from OpenBSD Store - Order No. 40393
Quoting Maurice McCarthy m...@mythic-beasts.com:

On 2015-07-02 18:10, Jorge Gabriel Lopez Paramount wrote: Hi all, I know this is not related to OpenBSD directly but hope someone might help; I ordered a CD set and a rucksack more than one month ago and I have not received them yet, so I'm wondering what happened. I tried to write to the orders email address of the OpenBSD Store but got no response.

This is the contact page for the store: https://www.openbsdstore.com/cgi-bin/live/ecommerce.pl?site=shop_openbsdeurope_comstate=pagepage=contact They usually answer queries to ord...@openbsdstore.com very quickly.

Thanks, I already got a response by email.

--
Best regards, Jorge Lopez.
[OFFTOPIC] Re: Order Acknowledgement from OpenBSD Store - Order No. 40393
Hi all,

I know this is not related to OpenBSD directly but hope someone might help; I ordered a CD set and a rucksack more than one month ago and I have not received them yet, so I'm wondering what happened. I tried to write to the orders email address of the OpenBSD Store but got no response. I spent that money mainly as a contribution but would not mind receiving those goods; if someone has an idea how I could contact the Store besides calling, I would appreciate it.

--
Best regards, Jorge Lopez.

Quoting Jorge Gabriel Lopez Paramount jorge.lopez.paramo...@googlemail.com:

Hi all, Hope somebody could help. I placed this order one month ago and I have not received the goods at my address; would you please let me know the status of this order? If it has already been delivered, how can I check where the package is? Thanks for your kind help.

--
Best regards, Jorge Lopez.

Quoting ord...@openbsdstore.com:

OpenBSD Store
Zednax Ltd, Meadow House, Meadow Lane, Nottingham, NG2 3HS, United Kingdom
Tel: 0115 986 8786, Fax: 0115 986 8737

Order Acknowledgement
Order Number: 40393
Order Date: 15/05/2015

Mr. Jorge Gabriel Lopez Paramount, 85 Priv Gustavo A Becquer, Tlaquepaque, Jalisco, 45600, Mexico

Description              Unit Price  Quantity  Cost
OpenBSD version 5.7          €44.00         1  €44.00
Lightweight Rucksack         €12.50         1  €12.50

VAT Registration No. GB 855 4468 92
Company No. 5321754
VAT £9.41
Export VAT £9.41
Total: £56.50
Carriage/Transaction Fee: £15.00
Grand Total: £62.09

PLEASE NOTIFY OF ANY DISCREPENCIES VIA EMAIL
Payment by Card (MC), last 4 digits 9302, Expires 09/19
Authorisation Code: 094286
Merchant Number:
Terminal Number:
Order ID (SEQ ID):
Re: Microsoft Now OpenBSD Foundation Gold Contributor
Quoting Theo de Raadt dera...@cvs.openbsd.org:

I would like to say only this: if people do not want big companies meddling with OpenBSD as it has been happening with Linux, better its users support it.

I said this in 2006: I think that contributions should have come first from the vendors, secondly from the corporate users, and thirdly from individual users. But the response has been almost entirely the opposite, with almost a 15 to 1 dollar ratio in favor of the little people. Thanks a lot, little people!

As a non-director, I do not have any more insight into the current ratios of contributions to the Foundation, other than their annual financials which anyone can find. However I suspect it would take many years of big company money to move that ratio forward from a 20 year pattern...

However you used a specific word that bothers me. Honestly, I don't see proof of any meddling; if I saw it, I would care deeply about it. You'll have to be significantly more detailed before raising what might appear as an allegation; supposition that it might occur in the future is simply not enough. Even your tiny hint is an attack on our character. I am not going to take that lightly.

It's not about OpenBSD or its people, it's about Microsoft; I think that what happened to Nokia is a good example of that. I stopped following Microsoft in detail when I switched to Linux many years ago, so I have no concrete and recent example of that, but one thing I remember is Microsoft threatening Linux users and companies about patents and IP, then SuSE entering into agreements with Microsoft to not be sued. I prefer not to opine on whether its relationship with Microsoft was good for SuSE, but I highly disliked Microsoft playing the patent troll with the Linux community. I personally think there is very little good about Microsoft besides its money.

So I think and hope that OpenBSD people will keep doing the good job they have been doing. If not, well, there are other OSes out there, no need to make accusations or throw a tantrum about it.

--
Best regards, Jorge Lopez.
Re: Microsoft Now OpenBSD Foundation Gold Contributor
Quoting Christer Solskogen christer.solsko...@gmail.com:

On Wed, Jul 8, 2015 at 4:49 PM, Gleydson Soares gsoa...@gmail.com wrote: Great news !

As I said on the OpenBSD facebook page: I have to say that I find it quite ironic of all of the vendors in the world, the foundation gets a huge donation from Microsoft which yet have implemented it yet. Huge kudos to Microsoft. I guess the next up is Oracle? :-)

I do not find it ironic but suspicious and a little worrying, but I have no good rant since I have only contributed by buying a CD set and a rucksack. I would like to say only this: if people do not want big companies meddling with OpenBSD as it has been happening with Linux, better its users support it.

--
Best regards, Jorge Lopez.