Fwd: Re: pledge() enhancement

-- Forwarded message -- From: "Ingo Schwarze" <schwa...@usta.de> Date: Nov 13, 2015 7:32 PM Subject: Re: pledge() enhancement To: "Luke Small" <lukensm...@gmail.com> Cc: <b...@openbsd.org> Hi Luke, Luke Small wrote on Fri, Nov 13, 2015 at

"# systrace -c1000:1000 kate" for privilege escalated editing?

I want to be able to use systrace for privilege escalation for kompare for sysmerge diffs and kate. Why isn't systrace able to do this? -Luke

Re: "# systrace -c1000:1000 kate" for privilege escalated editing?

>I can't quite figure out what you're trying to do, but running big GUI >programs and libraries with root privileges (whether that's from systrace or >doas or sudo or su or whatever) is usually not a good idea. Thinking about it now, I guess if you add root write privileges to writing files, you

Xscreensaver gets interrupted with no inputs

I am not on the web with my 5.8 virtualbox guest and it never blanks unless it is set to 1 minute and when it is locked, it is interrupted. Is it a bug, or is it possibly a virus? My windows host goes into the screensaver and stays just fine.

Re: "# systrace -c1000:1000 kate" for privilege escalated editing?

that doesn't suid but can open a privileged socket under systrace -c 1000:1000 ./server On Dec 2, 2015 19:44, "Vadim Zhukov" <persg...@gmail.com> wrote: > 03 дек. 2015 г. 4:27 пользователь "Luke Small" <lukensm...@gmail.com> > написал: >

Re: if I were to make a pkg-add diff

that on a specific file, whether the results may be skewed by inconsistent squid or similar program caching often downloaded files on mirrors. On Dec 27, 2015 18:17, "Luke Small" <lukensm...@gmail.com> wrote: > Even though I don't have an internet connection for my laptop I >

Re: if I were to make a pkg-add diff

I am realistically thinking more along the lines of less than once a release cycle. More like whenever it comes upon a user that their mirror of choice chooses to no longer be a mirror. I had that happen to me. It would be convenient to have a program that can easily compare mirror latencies and

Re: if I were to make a pkg-add diff

t; wrote: > All of the functionality you are requesting is already provided. > > look at finish_up() in src/distrib/miniroot/install.sub. > > There is no reason at all to modify pkg_add. Just setup /etc/pkg.conf. > > > On 2016 Jan 04 (Mon) at 04:02:07 -0600 (-0600), Luke Small wr

Re: if I were to make a pkg-add diff

What I meant is, if a program sends a handful of pings to each mirror, would it think it is being spammed and shutdown any further connections. I didn't mean to say that I want to connect the pkg_ping program to a of anchor. I tried an initial localhost pinging, pkg_ping program in virtualbox

Re: text-mode gui

> On 2015-12-20 17.25.14 -0600, Luke Small wrote: > >It would be very easy to write a C > >program to parse and edit fstab to make all the partitions softdep. > > Can we see your patch?

Re: text-mode gui

to fix the problem, when it can merely be an install option. -Luke On Sun, Dec 20, 2015 at 3:33 PM, <li...@wrant.com> wrote: > On Sun, 20 Dec 2015 14:03:18 -0600 Luke Small <lukensm...@gmail.com> > wrote: > > > I don't know the best way, but I like how there are &qu

Re: text-mode gui

Ha Ha. I got Theo to call me a whiny prick! I'm getting the t-shirt. >You play absolutely no part in the decisions that got OpenBSD to where it is. At least somebody is listening, even if they are ignoring everything. What point is there to having an automated machine, when you have to do

if I were to make a pkg-add diff

I can't type underscore on this device. Assuming i could do it: If I were to make a sloppy perl-based pkg-add program that used c and the installer code to (re)set the PKG-PATH environment variable using the "http" settings that are available for installing the modules from mirrors, if I made

Re: if I were to make a pkg-add diff

I wanna make a c program that checks for a PKG_PATH that exists and connects to a workable link for pkg_add(). If you ever upgraded using http mirrors on the install disk, it offers list# which links directly to numbered mirrors. It would likely ease the initial startup for whomever uses it while

Re: if I were to make a pkg-add diff

I suspect that if you did, it wouldn't check whether there was an astronaut ready to control the on-board computer and would sit there continuously trying to rev the rocket engines with no jet fuel. That is the way pkg-add acts right now. I felt pretty ridiculous wondering why pkg-add wasn't

Re: if I were to make a pkg-add diff

of messages delivered by pkg-add itself to rm folder contents at the end of a run. On 12/25/15, Luke Small <lukensm...@gmail.com> wrote: > I suspect that if you did, it wouldn't check whether there was an > astronaut ready to control the on-board computer and would sit there > continuousl

Re: if I were to make a pkg-add diff

Come to think about it, it might to be good to do tiny standalone program called pkg_ping and then I could make it in C like I'd prefer. I'd hope to make a port maybe, but then it would functionally defeat the intent. On 12/26/15, Luke Small <lukensm...@gmail.com> wrote: > I ju

Re: if I were to make a pkg-add diff

I just figure that adding a little complexity that doesn't adversely affect security, to ease initial entry into the system for new users could be good. pkg_add initialization and mirror selection can be automated in a way to not discourage someone from picking up a fresh install and running with

text-mode gui

If installer GUIs are bad, maybe features like full-disk encryption could be accomplished via lynx-like text -based HTML and/or JavaScript that could write to cookies that the installer could parse into commands? -Luke

Re: if I were to make a pkg-add diff

I guess I didn't really answer your question. It wouldn't rely upon the ramdisk. It is meant to run after install. So it would presumably have all the firmware. I was thinking about running it similarly to the install output though. I setup a local mirror once and it crapped out after a while and

Re: if I were to make a pkg-add diff

You could do that if you want to have noobs connect to one of the mirrors into perpituty that brings down the server like a ddos every release! > I think the best that can be done relatively easily would be to have >pkg_add fetch ftplist.cgi and pick the first result as a default if neither

Re: if I were to make a pkg-add diff

Even though I don't have an internet connection for my laptop I started the C program that pipes an execl call from ftp, to sed, (like the suggestions offered earlier in the thread, and back to the parent and it will use kqueue to test the pipe buffer capacities to a local buffer (I love

Re: text-mode gui

You are a normal user and have full disk encryption. You must have read the man page on how to do that? Found the installer option did you. I have read several books on openbsd and all the man pages I could find and didn't find out how to do it anywhere else other that how to webpages. On Dec 21,

Re: text-mode gui

they want to run a two nic gateway, let them read the man-pages. -Luke On Sun, Dec 20, 2015 at 7:45 PM, Dmitrij D. Czarkoff <czark...@gmail.com> wrote: > Luke Small said: > > There are other features that inexperienced users could benefit from, > like > > selecting

Re: text-mode gui

I suspect that there could be a number of minor implementation tweaks that could be addressed that would be convenient to avoid presumably to streamline the install process for folks that would prefer to avoid an incessant procession of questions. There are other features that inexperienced users

Re: text-mode gui

the user and doesn't self-destruct any time it needs to fsck: By Default. On 12/21/15, li...@wrant.com <li...@wrant.com> wrote: >> Luke Small <lukensm...@gmail.com> >> >[...] It would be very easy to write a C >> >program to parse and edit fstab to mak

Re: text-mode gui

00, li...@wrant.com wrote: > >> On Sun, 20 Dec 2015 10:51:20 + Tati Chevron <chev...@swabsit.com> >> wrote: >> >> On Sat, Dec 19, 2015 at 05:34:59PM -0600, Luke Small >>> <lukensm...@gmail.com> wrote: >>> > >>> >If installer

pledge and code profiling

Pledge does something odd, that I don't understand by reading the man page. It trips the system-call: SYS_PROFIL (44) when it ends its run in codeblocks IDE when profiling is enabled. Can I enable a pledge setting that enables this to complete? Is there a security reason that pledge is disabling

Is it possible and not unadvisable to make /src with the -O3 option?...

Re: Is it possible and not unadvisable to make /src with the -O3 option?...

Would it make it slower, more buggy or make the kernel not fit in the root partition? On Thu, Jun 16, 2016 at 9:07 AM Mike Burns <mike+open...@mike-burns.com> wrote: > On 2016-06-16 13.42.44 +0000, Luke Small wrote: > > Is it possible and not unadvisable to make /src with the

Re: Is it possible and not unadvisable to make /src with the -O3 option?...

break your system, you get to keep all the pieces. > > Short version: "if you had to ask, then the answer was no". > > > 2016-06-16 15:42 GMT+02:00 Luke Small <lukensm...@gmail.com>: > >> > > > -- > May the most significant bit of your life be positive.

Re: if I were to make a pkg-add diff

I made a small 500 line program I call pkg_ping that calls uname -rm, ftp, sed, on openbsd.org/ftp.html. then it changes all the parsed http and ftp mirrors into http and ftp downloads and changes them to non redundant http mirrors (it has to to easily call ftp on it). It takes them and downloads

I'm curious, why is queue() in style()

It seems to complicate things. Is there a security reason to use those functions?

Re: I have a program I wish to submit for the base

I wanted to use kqueue. Name another script or programming language that offers it from the base install. NONE! Why should I write it in another language. I already did it in C. Is there another way other than kqueue that you can wait for the ftp call to quit, while being able to kill it if it

Re: I have a program I wish to submit for the base

the program overwrites ONLY the installpath variable(s) in /etc/pkg.conf. The rest of the variables will remain. PKG_PATH environment variable takes precedence over any installpath initializations. I'm running 5.8. I don't know how to pledge it. I will make sure to, past the 5.9 release. I'm

Re: I have a program I wish to submit for the base

even more sloppy. The only problem is that the program is potentially subject to a man-in-the-middle attack from a non secured webpage. Manually setting the package mirror has the same problem too though. On Jan 30, 2016 06:50, <li...@wrant.com> wrote: > Fri, 29 Jan 2016 16:35:12 -0600

Re: if I were to make a pkg-add diff

even a big enough transfer to get TCP out of slow start. SHA256 is over 600 KB. -Luke On Wed, Jan 20, 2016 at 1:14 AM, Luke Small <thinkitdoitd...@gmail.com> wrote: > not knowing better... > > I always wanted to know the fastest mirrors for me, and at times it > cha

Re: bandwidth usage limits with pf, etc.

man pf.conf set limit

Re: if I were to make a pkg-add diff

here you go! Enjoy! -Luke On Tue, Jan 19, 2016 at 2:57 AM, Erling Westenvik < erling.westen...@gmail.com> wrote: > On Tue, Jan 19, 2016 at 01:26:15AM -0600, Luke Small wrote: > > I made a small 500 line program I call pkg_ping that calls uname -rm, > > ftp, sed, on

Re: if I were to make a pkg-add diff

Go to: *I have a mirror testing program for you.* in the tech mailing list. It copied there. -Luke On Tue, Jan 19, 2016 at 11:18 PM, Luke Small <thinkitdoitd...@gmail.com> wrote: > here you go! Enjoy! > > -Luke > > On Tue, Jan 19, 2016 at 2:57 AM, Erling Westen

Re: if I were to make a pkg-add diff

wrote: > On Tue, Jan 19, 2016 at 01:26:15AM -0600, Luke Small wrote: > > I made a small 500 line program I call pkg_ping that calls uname -rm, > > ftp, sed, on openbsd.org/ftp.html. > > A "program"? In what language? Is your code available somewhere? > >

ntpd commandline expansion

I often use virtualbox to run openbsd-amd64 and lately I haven't been able to "ntpd -s" and make it update the clock, which may have been after several days. It often adversely affects my use of google products, as they update their keys often and if the clock is wrong, it says there is a security

Re: ntpd commandline expansion

t; On Sat, May 7, 2016 at 9:06 AM, Luke Small <lukensm...@gmail.com> wrote: > > I often use virtualbox to run openbsd-amd64 and lately I haven't been > able > > to "ntpd -s" and make it update the clock, which may have been after > > several days. > >

Re: ntpd commandline expansion

:56 PM, Luke Small <lukensm...@gmail.com> wrote: > It is because I am saving the state in virtualbox, which is like putting > it in hibernate, except instead of refreshing the time, the time remains > the same as when it last ran, which can be some time ago. > > -Luke > >

Re: ntpd commandline expansion

I used to be able to run ntpd -s in 5.8 Now I can't. Apparently sometimes security causes incompatibilities. I ran sendbug with my complaint. -Luke On Sat, May 7, 2016 at 7:06 PM, Philip Guenther <guent...@gmail.com> wrote: > On Sat, May 7, 2016 at 4:27 PM, Luke Small <lukensm.

fork w/o execv

I'm trying to do some operations in which I fork and the child closes and simplifies socketpair listings and sends the simpler list of malloced file descriptors to a function and sends ioctl data after it opens a socket. The parent sends a short greeting to the child to show that it is ready. The

Re: fork w/o execv

, 05:58 Peter J. Philipp <p...@centroid.eu> wrote: > On Sun, Jul 31, 2016 at 09:05:52AM +0000, Luke Small wrote: > > I'm trying to do some operations in which I fork and the child closes and > > simplifies socketpair listings and sends the simpler list of malloced &

Best way to hardware AES.

I'm thinking about getting some intel or sparc system with AES hardware. What would be the cleanest way to access the Open Cryptographic Framework to access the hardware. I'm writing in C. I'd like to do 256 bit aes-ctr or preferably aes-gcm and use ultrasparc T2 and above, slightly older Xeons or

Best way to hardware AES.

I'm thinking about getting some intel or sparc system with AES hardware. What would be the cleanest way to access the Open Cryptographic Framework to access the hardware. I'm writing in C. I'd like to do 256 bit aes-ctr or preferably aes-gcm and use ultrasparc T2 and above, i7 or older Xeons. I'm

Server compatibility list oracle x86?...

make pf allow out on lo per user

if I have: "pass out quick on lo0 from self port 6379 to \ any user luke block out quick on lo0 from self port 6379 to any pass quick on lo0 from any to any" a local connection to port 6379 will go to the last rule... isn't this a useful feature to allow one of the first two rules to take

Re: Pf on lo0

ut quick on lo0 inet proto udp from 127.0.0.1 port = 6380 to any label "Rule 1h" [ Evaluations: 0 Packets: 0 Bytes: 0States: 0 ] [ Inserted: uid 0 pid 89214 State Creations: 0 ] @28 block drop out quick on lo0 inet proto udp from 10.0.2.15 port = 638

Re: Pf on lo0

It doesn't. The "pass in quick on lo0 proto {tcp,udp}from any port 6379 to self port 6379 user luke" works. On Mon, Jan 16, 2017, 23:48 Sebastien Marie <sema...@online.fr> wrote: > On Mon, Jan 16, 2017 at 11:04:48PM +, Luke Small wrote: > > I'm trying to have pf

Pf on lo0

I'm trying to have pf limit sending TCP packets over lo0 from a specific user. I made some rules, but they seem to be ignored when I check on pfctl -vvvs rules it goes to the default lo0 pass rule: "pass out quick on lo0 proto { tcp, udp } from self port 6379 to any port 6379 user luke" and "block

might it be better to have three paths lists

wouldn't it be more secure to have a write, read, and execute capable paths lists in pledge()

Re: might it be better to have three paths lists

wrote: > What is the use case ? > > 2016-09-03 4:15 GMT+02:00 Luke Small <lukensm...@gmail.com>: > > wouldn't it be more secure to have a write, read, and execute capable > paths > > lists in pledge() > > > > > > -- > > Cordialement, Coues Ludovic > +336 148 743 42

Re: might it be better to have three paths lists

, 04:41 ludovic coues <cou...@gmail.com> wrote: > 2016-09-03 11:04 GMT+02:00 Luke Small <lukensm...@gmail.com>: > > > > > > Sorry I was in the middle of something, but pledge can be a broad brush, > > unless you are dealing with one file, whether it is execut

fresh install to i386 kde4 only has UTC on clock...

odd microsoft mouse mappings

Can I change usbhidctrl to change how it is mapped. the middle scroll moves the mouse up. the left-right movement on the mouse works, but the up and down seems to right click. I don't know what the rest does.

Re: Why can I waitpid() but can't EVFILT_PROC under pledge("proc")

You could possibly make a separate "event" or "wait" pledge to register new events or NOTE_EXIT calls, but I suspect that that would complicate things, making the large presumption that that could be desired. On Thu, Jan 5, 2017, 15:42 Theo de Raadt wrote: > > I imagine

Re: Why can I waitpid() but can't EVFILT_PROC under pledge("proc")

Registering a EVFILT_PROC, NOTE_EXIT kevent requires proc On Thu, Jan 5, 2017, 15:25 Ted Unangst <t...@tedunangst.com> wrote: > Theo de Raadt wrote: > > > Luke Small wrote: > > > > What if I want to prevent a process from forking while I want to > create ne

Why can I waitpid() but can't EVFILT_PROC under pledge("proc")

What if I want to prevent a process from forking while I want to create new EVFILT_PROC events? Say, to accept the pid of a sibling fork from a pipe and load it into a kqueue. Is there a reason why waitpid() isn't beholden to this, or is there a reason that EVFILT_PROC is?

Re: Why can I waitpid() but can't EVFILT_PROC under pledge("proc")

ose it may be difficult to turn back now after pledging so much in a certain way. On Thu, Jan 5, 2017, 14:41 Ted Unangst <t...@tedunangst.com> wrote: Luke Small wrote: > What if I want to prevent a process from forking while I want to create new > EVFILT_PROC events? Say, to accept the pid

Is there something to replace zaurus?

I thought I read that there is an arm7 based mobile device, but I can't find anything about it.

I can't connect to openbsd.org in most cases.

I have an openbsd vm on a windows 7 host, windows 7 asus, iPhone, and Android phone. Only the iPhone 7+ seems to be able to connect to openbsd.org correctly without getting a https validation error. they are all going through the same wifi router. I am running firefox on everything. Safari also

Why isn't OpenBSD in Google Summer of Code 2017?...

Re: Topics for revised PF and networking tutorial

It might be a fun idea to share what a really locked down desktop system pf.conf would look like like if you are running a chain of DNS services (or something that would be good to tightly control) like local ntpd, unbound, and dnscrypt_proxy where you have local traffic locked down as well so

Re: Why isn't OpenBSD in Google Summer of Code 2017?...

org <owner-m...@openbsd.org> on behalf of Bob > Beck > > <b...@obtuse.com> > > Sent: April 2, 2017 10:16:21 PM > > To: Luke Small > > Cc: openbsd-misc > > Subject: Re: Why isn't OpenBSD in Google Summer of Code 2017?... > > > > We tried it fo

For the super paranoid

Is there a way to encrypt memory and keep the key on the CPU like a transparent partition so that if the ram cards are physically accessed, hey can't be read? Is it reasonable?

Re: For the super paranoid

are.intel.com/en-us/blogs/2016/02/26/memory-encryption-an-intel-sgx-underpinning-technology > > The Intel SGX Memory Encryption Engine: > > > You just have to ask yourself, Intel, who has the keys to the Intel ME... > Paranoia^2 > There is no perfect security, especially when on

Re: Why isn't OpenBSD in Google Summer of Code 2017?...

p especially if it > was a group effort/friendly competition. > > > From: owner-m...@openbsd.org <owner-m...@openbsd.org> on behalf of Bob > Beck <b...@obtuse.com> > Sent: April 2, 2017 10:16:21 PM > To: Luke Small > Cc: openbsd

Re: Why isn't OpenBSD in Google Summer of Code 2017?...

Bring on the Flaming Theo! On Wed, Apr 5, 2017 at 3:55 PM Flipchan <flipc...@riseup.net> wrote: > Ping Theo, couldnt someone create a needs improvments list n put it on > like OpenBSD.org? > > Luke Small <lukensm...@gmail.com> skrev: (2 april 2017 16:54:39 CEST) >

Re: Why isn't OpenBSD in Google Summer of Code 2017?...

nful > and much more effective to rewrite from scratch. So what's the point of > having that previous iteration? > > On 5 Apr 2017 at 13:10, Luke Small wrote: > > > I imagine there are some projects that need some love that are on the > back > > burner at the moment that

Re: kqueue

It looks like you will be limited to 4096 timers and to valid file descriptors that don't exceed INT_MAX. My guess is that if you need more, you could run another kqueue for more timers or different kevents on identical file descriptors. Otherwise, the man page says: kevent() returns the number

kqueue

I suspect that you will sooner run out of file descriptors. but I assume that if it runs into a problem, kevent() will return -1 and it may be unrecoverable. I suspect that it would first occur because the kernel is being overutilized. The information that is being created, I suspect, is being

pledge for sockets?

Would it be a good idea to make a pledge like call that limits a process from connecting to ports and/or hosts? Maybe it could be done in way that the kernel is made aware of the limitations like in a pledge call and while the process is alive, the kernel spawns pf rules based upon the socket

Re: pledge for sockets

Pledge will presumably have per process (including fork()ed process) **path limitations on rpath rpath and wpath calls, why not limitations on inet and unix? On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson <icepic...@gmail.com> wrote: > 2017-04-26 13:19 GMT+02:00 Luke Small <lukensm.

Re: pledge for sockets

I'm not saying to alter pledge necessarily, maybe make new system call like pledge. There aren't any per-process pf rules that are applied. When a socket connects to a remote or local server and pf makes a state, it has the originating randomized port. Pf rules can be made that target those

Re: pledge for sockets

AM Reyk Floeter <r...@openbsd.org> wrote: > > > Am 26.04.2017 um 13:38 schrieb Luke Small <lukensm...@gmail.com>: > > > > Pledge will presumably have per process (including fork()ed process) > **path > > limitations on rpath rpath and wpath calls, why not

Re: pledge for sockets

a different user through pf (and when I get a more serious machine, possibly through a unique interface). Most importantly, I need it for session cache for multiple processes. On Sat, Apr 29, 2017 at 10:02 AM Luke Small <lukensm...@gmail.com> wrote: > I have a program that I believe needs ine

Pf with secondary DNS resolution

Is it worthwhile to set up a hook for pf to load rules that have URLs after the network services that can resolve them come into effect?

Re: Pf with secondary DNS resolution

ready done, but you could have a computer check into a target machine that often changes the ip address or system while the firewall is locked down to only send messages to that remote machine and if it is compromised, can't send it anywhere else. On Wed, May 3, 2017 at 3:16 PM Luke Small <lukensm

Pf with secondary DNS resolution

Four words Peter..."dynamic IP address". I'm sure that there are folks that ssh into machines that are on a dynamic IP address that don't have a modem on a power backup, or even possibly on an ISP that may down, possibly when they are out of town. I don't know if it is possible or already done,

why does unbound listen as root

pf rule execution says it listens as root, but it connects as the _unbound user, when configured to run as _unbound. Why doesn't it listen, bind, etc. as root, drop privileges and pledge away privilege escalation? Is it to avoid more #ifdef hell? Or can you not listen to a privileged port if you

Re: list all system users, eg. _x11

if I need to identify all > the user accounts (to recreate them on a new system or something), I > exclude uids under 1000 as a starting point. > > > On Mon, May 8, 2017 at 4:51 AM, Marcus MERIGHI <mcmer-open...@tor.at> > wrote: > >> and...@msu.edu (STeve Andre'),

How do you use EV_DISPATCH in kqueue(2)

Is EV_DISPATCH somehow like EV_ONESHOT or EVDISABLE ? What is a use case? If you have an open socket file descriptor with a EVEFILT_READ, does it close the socket upon getting some data? I don't run current.

Pledge paths[ ]

Is paths[] going to have permissions defined for each path? Like: char *paths[], int *mode, where mode is the same as in dbopen(3). Maybe so you don't have to clean up previous pledge calls, any pledge calls with a NULL paths argument doesn't have anything specified for mode. for simplicity,

80 users

As I recall, there is a build configuration of 80 users for some kernel components. What happens if the system exceeds that number?

list all system users, eg. _x11

Is there a way to determine all users on a system that the users command doesn't seem to show? like _x11 and _ntpd

Re: Automatically restarting services/daemons after crash

I read "hacking blind." Can you restart a daemon with another forked process that's only job is to monitor a pipe or a waitpid()-like operation and if the parent dies, it exec's to restart it, or even execs "rcctl restart ntpd" If the mitigations are successful at limiting execution to let's say,

Re: Automatically restarting services/daemons after crash

Maybe more things should be randomized like the stack canaries. Is that a new idea? On Fri, Oct 13, 2017 at 11:34 PM Theo de Raadt wrote: > > I read "hacking blind." Can you restart a daemon with another forked > > process that's only job is to monitor a pipe or a

Re: Automatically restarting services/daemons after crash

I am not versed in operating systems as well as you, but I would think that stack and buffer canaries would differ from each execution.

Re: Automatically restarting services/daemons after crash

If that's true, then why has Theo been speaking of the brop problems, when they begin with an incremental canary discovery that becomes all but impossible to guess when it becomes a random 4 byte datum each time rather than a datum that remains the same each restart? Braille should already be

Re: Automatically restarting services/daemons after crash

/Blind_return_oriented_programming seems to state so. I dont fully trust wikipedia. On Sat, Oct 14, 2017 at 3:06 AM Philip Guenther <guent...@gmail.com> wrote: > On Sat, Oct 14, 2017 at 12:49 AM, Luke Small <lukensm...@gmail.com> wrote: > >> If that's true, then why has Theo been speaking of th

pkg_add ignores -m

Using the -m flag it still gets warnings from pulseaudio and redis that I didn't use the -m flag

Can SSH report successful connections to pf?

Can SSH and possibly other programs more easily able to report successful connections so pf can make stricter bruteforce connection rejecting even better?

Re: Can SSH report successful connections to pf?

Cool! On Sat, May 5, 2018 at 3:17 AM Andreas Kusalananda Kähäri < andreas.kah...@icm.uu.se> wrote: > On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote: > > > > You might want to parse /var/log/authlog and the logrotated > authlog.[0-9].gz > > for successful and unsuccessful

anybody installed angr, eg. pip install angr

It doesn't natively support OpenBSD.

Can unveil pledge to only reduce?

Could you have a promise for unveil reductions only?

Re: Can unveil pledge to only reduce?

Ok. Thanks. On Thu, Aug 16, 2018 at 1:59 PM Theo de Raadt wrote: > Luke Small wrote: > > Could you have a promise for unveil reductions only? > > That won't actually help much, and people will fall into some > pretty significant traps. > > Sorry it would require a really long explanation. >

  1   2   >