Re: extracting new login.conf from /usr/src/etc in -current

2005-08-17 Thread Todd C. Miller
Is it really so difficult to run mklogin.conf?

 - todd



Re: A question to lib/libc/gen/daemon.c

2005-08-21 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Alexander Farber (alexander.farber):

 In the file /usr/src/lib/libc/gen/daemon.c
 
if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
 (void)dup2(fd, STDIN_FILENO);
 (void)dup2(fd, STDOUT_FILENO);
 (void)dup2(fd, STDERR_FILENO);
 if (fd > 2)
 (void)close (fd);
 }
 
 is same as:
 
if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
 (void)dup2(fd, 0);
 (void)dup2(fd, 1);
 (void)dup2(fd, 2);
 if (fd > 2)
 (void)close (fd);
 }
 
 right?

Right.

 What is this last check (fd > 2) needed for? Isn't fd always > 2, 
 because the first 3 are already taken by the STDxxx streams at the
 program start?

Nope.  There is no guarantee that fds 0-2 are open when a program
starts.  In that case, fd will fall in the range 0-2 and without
the check we can close one of the descriptors 0-2.

Bonus trivia:  There's also no guarantee that argc > 0 when a program
starts.  Lots of programs make bad assumptions...

 - todd
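The point about fds 0-2 not being open at program start, shown as an added C example (this is not the libc daemon.c code from the thread, just a demonstration written for this archive). `attach_std_to_devnull()` reproduces the open/dup2/close sequence with and without the `fd > 2` test; `demo_closed_stdin()` is a constructed scenario that closes fd 0 in the current process so that `open()` hands back 0, parks the caller's real 0/1/2 at fds 3 and above, and restores them afterwards. Function names are my own.

```c
#include <fcntl.h>
#include <paths.h>      /* _PATH_DEVNULL */
#include <stdio.h>
#include <unistd.h>

/* Point fds 0, 1 and 2 at /dev/null, the way daemon(3) does.  With guard
 * set the "fd > 2" test from the thread is applied; with guard clear the
 * scratch fd is closed unconditionally, which is the mistake being asked
 * about.  Returns the fd open() handed back, or -1 on error. */
int attach_std_to_devnull(int guard)
{
	int fd = open(_PATH_DEVNULL, O_RDWR, 0);

	if (fd == -1)
		return -1;
	(void)dup2(fd, STDIN_FILENO);
	(void)dup2(fd, STDOUT_FILENO);
	(void)dup2(fd, STDERR_FILENO);
	/* If fd landed in 0..2 it *is* one of the standard streams now,
	 * so closing it would undo the dup2() we just did. */
	if (!guard || fd > STDERR_FILENO)
		(void)close(fd);
	return fd;
}

/* 1 if fd is an open descriptor, 0 otherwise. */
int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

/* Constructed scenario: a program exec'd with fd 0 already closed.  The
 * caller's own 0/1/2 are parked at fds >= 3 (F_DUPFD, so they cannot land
 * on 0) and put back afterwards so the demo does not leave stdout on
 * /dev/null.  Returns 1 if fd 0 is still open after the call, 0 if the
 * missing guard closed it again. */
int demo_closed_stdin(int guard)
{
	int saved_in = fcntl(STDIN_FILENO, F_DUPFD, 3);	/* -1 if already closed */
	int saved_out = fcntl(STDOUT_FILENO, F_DUPFD, 3);
	int saved_err = fcntl(STDERR_FILENO, F_DUPFD, 3);
	int still_open;

	(void)close(STDIN_FILENO);		/* 0 is now the lowest free fd */
	(void)attach_std_to_devnull(guard);	/* so open() returns 0 in there */
	still_open = fd_is_open(STDIN_FILENO);

	if (saved_in != -1) {
		(void)dup2(saved_in, STDIN_FILENO);
		(void)close(saved_in);
	}
	(void)dup2(saved_out, STDOUT_FILENO);
	(void)close(saved_out);
	(void)dup2(saved_err, STDERR_FILENO);
	(void)close(saved_err);
	return still_open;
}

int main(void)
{
	printf("without fd > 2 check: fd 0 open afterwards = %d\n",
	    demo_closed_stdin(0));
	printf("with fd > 2 check:    fd 0 open afterwards = %d\n",
	    demo_closed_stdin(1));
	return 0;
}
```

Without the guard the program ends up with fd 0 closed again, so the next file it opens silently becomes its "stdin"; that is the same class of problem as running a setuid program with 0-2 closed, which is why daemon code and privileged programs treat the low descriptors as untrusted.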



Re: isc_log_open 'named.run' failed

2005-08-29 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Todd C. Miller (Todd.Miller):

 If you know the exact pathnames named is trying to use you may be
 able to just create them in the right place, owned by user named.

If all you need to write is the dump file you should be able
to add something like:
dump-file /subdir/named.dump.db

where subdir is some subdir of /var/named that is writable by user
named.

 - todd



cheap mini-pci ral(4) cards

2005-08-30 Thread Todd C. Miller
The MSI MP54G4 (aka MSI MS-6833) seems to be readily available in
the US now.  I just picked one up from www.thenerds.net but a cheaper
price can be found at newegg.com.  It seems to work fine in my Sony
SRX77.

The trick is to search for both the model name (MP54G4) and the
part number (MS-6833) since some stores list the card one way and
some the other.

 - todd



Re: ccdconfig not giving me all available space?

2005-09-02 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Erik Sabowski (sabowski):

 i thought that leaving 63 sectors free at the start of each disk would be 
 enough room, but apparently not. when i bumped it up to an offset of 3120 
 sectors, it worked perfectly.

You need to leave at least 8192 bytes free.  This corresponds to
the BBSIZE #define in ufs/ffs/fs.h.

In general, it is simplest to just leave the first cylinder free.

 - todd



Re: UKC and VGA configuration

2005-10-31 Thread Todd C. Miller
Go into your bios config menu and look for an option to expand or
stretch the display to match the given resolution.  The problem is
that flat panels are fixed frequency and so to do VGA text mode you
either have to tell the BIOS to scale things or you end up with a
smaller display using the native resolution.  I'm guessing that the
Linux you tried uses a bitmapped console driver of some sort
instead of normal VGA text mode.

 - todd



FYI: new mailing list anti-spam measures

2005-11-03 Thread Todd C. Miller
The mailing list server is now using several blacklists from the
SORBS project (http://www.sorbs.net) to prevent spam.  So far it
is using the SORBS zombie, spam, web form and dialup blacklists.

This does mean that people sending mail from a dynamic IP address
(cable modem, dynamic DSL or dialup) will need to relay messages
through their ISP's mail server.  This will probably have the biggest
impact on cable modem users running their own SMTP servers.

 - todd



Re: FYI: new mailing list anti-spam measures

2005-11-06 Thread Todd C. Miller
After talking to some folks who would be negatively impacted by
this I've decided to drop the dial-ups blacklist and hope that
greylisting catches the bulk of the spam (which for most compromised
windows hosts is the case).

 - todd



Re: sudo/env_keep/pkg_add

2007-08-01 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Stuart Henderson (stu):

 Does anyone feel it would be useful to add PKG_PATH to the
 default env_keep for sudo? Otherwise there are going to be an
 awful lot of pkg_add is broken posts...

Since that is OpenBSD-specific I don't think it makes sense
to hard-code it into sudo.   However, we can certainly
add it to the default sudoers file.

 - todd



Re: looking for confirmed working dvd record on amd64

2007-08-02 Thread Todd C. Miller
I've had good luck with the Sony NEC Optiarc Model 7170A-0B.
It's cheap too ($30 from newegg).

 - todd



Re: list of all files in the filesystem

2007-09-11 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Tom Bombadil (grlists):

 I guess this is a stupid question...
 
 But is there any way to get a list of all files in the filesystem
 without using 'find'?
 
 For a big drive with millions of small files, running find is just too slow.

If all you want is a list of all files on the filesystem you could
use ncheck, assuming this is a local filesystem.  Since ncheck reads
the filesystem metadata itself it is pretty fast.

 - todd



Re: DocBook and OBSD man pages

2005-05-06 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Gustavo Rios (rios.gustavo):

 i wonder if there is a docbook template for those that would like to
 write OpenBSD manpages. I know about there is a template in
 /usr/share/somewhere but it's not docbook.

The OpenBSD man pages are written in mdoc(7), not docbook.

 - todd



Re: Bind 9 - nsc or similar tool?

2005-05-18 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Jack J. Woehr (jax):

 Is there anything on OBSD like nsc on Linux which generates Bind 9
 config files?

The default named.conf that ships with OpenBSD (aka named-simple.conf)
is a good starting point.  You can then just plug in your zones.

 - todd



Re: Dell HW?

2005-05-20 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake chefren (chefren):

 Hm, I cannot get the audio working on the SC400's, I believe something is
 wrong with the mixer. Tried 3.6 and all kind of patches.

Dell seems to hook up the ac97 stuff differently than most others.
On the Dells I've seen the line-out was actually wired to the
headphone jack.  Anyway, try un-muting all input and try all
the jacks--one is bound to work...

 - todd



Re: Getting Yesterday's Date (Repost due to error)

2005-05-30 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Timothy A. Napthali (timothya):

 How can I do this in OpenBSD? I've mucked about with date -r $(expr
 $(date +%d) - 86400) but I can't get it to work properly.

In sh or ksh you could do:
date -r $(( `date +%s` - 86400 )) +%Y%m%d

 - todd



Re: perl crashes

2005-05-31 Thread Todd C. Miller
Same on current.  My guess is perl has a bug that is being exposed
by the mmap malloc with address randomization.

 - todd



Re: Compiling Sendmail

2005-06-06 Thread Todd C. Miller
Edit devtools/OS/OpenBSD and remove -DNETISO from confENVDEF

 - todd



Re: perl crashes

2005-06-06 Thread Todd C. Miller
As I suspected this was caused by the change to random addresses
returned by malloc.  In this specific case, PL_oldbufptr is NULL
and, depending on the addresses of the other buf pointers, the
while() loop that trims spaces can go off into la la land.

The fix is to simply check that the buf ptr is non-NULL before
dereferencing it.

 - todd

Index: toke.c
===
RCS file: /home/cvs/openbsd/src/gnu/usr.bin/perl/toke.c,v
retrieving revision 1.9
diff -u -r1.9 toke.c
--- toke.c  15 Jan 2005 21:30:22 -  1.9
+++ toke.c  6 Jun 2005 23:15:03 -
@@ -7755,8 +7755,9 @@
 
 if (!yychar || (yychar == ';'  !PL_rsfp))
where = at EOF;
-else if (PL_bufptr  PL_oldoldbufptr  PL_bufptr - PL_oldoldbufptr  200 

-  PL_oldoldbufptr != PL_oldbufptr  PL_oldbufptr != PL_bufptr) {
+else if (PL_oldoldbufptr  PL_bufptr  PL_oldoldbufptr 
+  PL_bufptr - PL_oldoldbufptr  200  PL_oldoldbufptr != PL_oldbufptr 
+  PL_oldbufptr != PL_bufptr) {
/*
Only for NetWare:
The code below is removed for NetWare because it abends/crashes 
on NetWare
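Review bot: the guard added on the first `+` line tests PL_oldoldbufptr before the `PL_bufptr - PL_oldoldbufptr` arithmetic, which is what the cover note says the crash needs, but nothing in the hunk records why; a one-line comment ahead of the `else if` (e.g. `/* buf pointers may be NULL; never take distances from a NULL base */`) would stop a later cleanup from folding the test back out. Note also that the archived copy of this diff has lost the `&&` and comparison operators (`PL_bufptr  PL_oldoldbufptr`), so review the raw patch, not this rendering.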
@@ -7771,8 +7772,8 @@
context = PL_oldoldbufptr;
contlen = PL_bufptr - PL_oldoldbufptr;
 }
-else if (PL_bufptr  PL_oldbufptr  PL_bufptr - PL_oldbufptr  200 
-  PL_oldbufptr != PL_bufptr) {
+else if (PL_oldbufptr  PL_bufptr  PL_oldbufptr 
+  PL_bufptr - PL_oldbufptr  200  PL_oldbufptr != PL_bufptr) {
/*
Only for NetWare:
The code below is removed for NetWare because it abends/crashes 
on NetWare
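Review bot: same pattern as the hunk above for PL_oldbufptr, with the NULL test moved to the front so it is evaluated before the subtraction on the second `+` line. Since the two branches now carry the same three-part shape, a small static helper taking the base and current pointer would avoid keeping two copies of the condition in sync.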



Re: How do I restart sendmail?

2005-06-08 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Timothy Horie (tak):

 I changed some options in the .mc file and rebuilt the 
 /etc/mail/sendmail.cf file.
 How do I restart sendmail?

This is what I do (as root):
kill -HUP `sed q /var/run/sendmail.pid`

Sending SIGHUP to sendmail causes it to re-exec itself.

 - todd



Re: problem with www.openbsd.org/spamd/SBL.cidr.gz

2005-06-12 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Tristan Delsol (tdelsol):

 OK. Do I need to change the URL in the spamd.conf or will you use another
 source pretty soon?

Bob is back from camping so this is fixed now ;-)

 - todd



Re: sudo vulnerability

2005-06-20 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Steffen Kluge (kluge):

 Is it recommendable to fetch and install 1.6.8p9 straight away?

No, you should grab the OpenBSD patch, as announced on the
security-announce list.

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/018_sudo.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/003_sudo.patch

 - todd



Re: sudo vulnerability

2005-06-20 Thread Todd C. Miller
 No, you should grab the OpenBSD patch, as announced on the
 security-announce list.
 
 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/018_sudo.patch
 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/003_sudo.patch

ftp.openbsd.org is having problems at the moment but the patch
is available from the main usa ftp mirror:

ftp://ftp.usa.openbsd.org/pub/OpenBSD/patches/3.6/common/018_sudo.patch
ftp://ftp.usa.openbsd.org/pub/OpenBSD/patches/3.7/common/003_sudo.patch

 - todd



Re: spamd greylisting and server pools

2005-06-21 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Heinrich Rebehn (rebehn):

 Would it be possible to change this behaviour so that the whitelisting 
 is done as soon as  the same sender/receiver pair is seen again, 
 ignoring the ip address? This could speed up things a bit.

This would allow in mail from the various virii/worms that forge
the From: and To: lines.  I suppose it depends on how likely a
certain sender/receiver pair is to show up from such a thing.

 - todd



Re: can't find /etc/crontab ?

2005-06-25 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Neta (netasys):

 Hello All,
 I have fresh install machine openbsd 3.7, i couldn't locate any /etc/crontab 
 ?
 is this crontab disable by default?
 how i can enable it?

/etc/crontab is not used by default, it predates the availability
of per-user crontab files.  As such it is not included by default,
though you can create it if you really must.  I don't suggest this
as you lose the syntax checking of crontab (1).

 - todd



Re: perl -MCPAN checksum mismatch on anything

2005-06-26 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake WR (gen2):

 Checksum mismatch for distribution file. Please investigate.
 
 I'd recommend removing
 /root/.cpan/sources/authors/id/R/RE/REATMON/Net-Jabber-2.0.tar.gz. Its MD5
 checksum is incorrect. Maybe you have configured your 'urllist' with
 a bad URL. Please check this array with 'o conf urllist', and
 retry.

The problem is that lynx is helpful and will automatically
uncompress files for you.  If you don't tell CPAN to use lynx it
should work fine.

 - todd



Re: Is it possible to run named not in chroot?

2005-06-28 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Rene Rivera (grafik.list):

 Because my configuration files, named.conf and all the zone files, must 
 be at /export/config/named/... And there's no way, other than removing 
 the chroot AFAIK, to get named to read the configuration from where I 
 have the files. And you'll ask why don't I just put the files in 
 /var/named/etc? Because those files are version control managed, backup 
 managed, and RAID managed. Or more precisely my entire /export is highly 
 controlled to have fault tolerance, backups, complete file histories, 
 and access controls.

You will be better off writing a simple script that syncs things
from your revision controlled directory into /var/named (perhaps
using rsync) and then starts/reloads named.  Alternately, you could
just have named chroot to your /export dir.

 - todd



Re: OpenBSD-specific Perl problem

2005-06-30 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Dan Brosemer (odin):

 I've been trying to make a forking daemon in Perl with little success.  The
 whole daemon terminates as soon as the first child terminates.
 
 This exact same code performs as I'd expect (ie perfectly) on other
 platforms (even including win32/ActivePerl) and so I'm wondering what it is
 about my OpenBSD-3.7/i386 machine that is causing the parent to eat itself.
 
 I've included the code below in case anyone can spot anything.  I would
 really appreciate any insight that can be offered.

I bet accept() is getting EINTR.  Try checking for that and restarting
the loop in that case.

 - todd



Re: OpenBSD-specific Perl problem

2005-06-30 Thread Todd C. Miller
 I bet accept() is getting EINTR.  Try checking for that and restarting
 the loop in that case.

Here's the relevant bits from perlipc(1)

   Restartable system calls
   On systems that supported it, older versions of Perl
   used the SA_RESTART flag when installing %SIG han-
   dlers.  This meant that restartable system calls would
   continue rather than returning when a signal arrived.
   In order to deliver deferred signals promptly, Perl
   5.7.3 and later do not use SA_RESTART.  Consequently,
   restartable system calls can fail (with $! set to
   EINTR) in places where they previously would have
   succeeded.

   Note that the default :perlio layer will retry
   read, write and close as described above and
   that interrupted wait and waitpid calls will
   always be retried.
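The mechanism the perlipc excerpt describes, shown in C rather than Perl as an added example (this is not code from the thread). A handler is installed with and without SA_RESTART, a blocking `read()` on a pipe is interrupted by a repeating SIGALRM (used here instead of SIGCHLD so the timing is deterministic), and `read_restart()` is the retry-on-EINTR loop the reply recommends for `accept()`. A forked child supplies the byte that finally satisfies the read; function names and the timings are my own.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t ticks;
static void on_alarm(int sig) { (void)sig; ticks++; }

/* read(2) wrapper that restarts on EINTR, counting how often it had to.
 * This is what the accept() loop in the original question needs. */
ssize_t read_restart(int fd, void *buf, size_t n, int *interrupted)
{
	for (;;) {
		ssize_t r = read(fd, buf, n);
		if (r == -1 && errno == EINTR) {
			(*interrupted)++;
			continue;
		}
		return r;
	}
}

/* Constructed scenario: block in read() on a pipe while SIGALRM fires every
 * 20 ms; a child writes one byte after 150 ms.  Returns how many times the
 * read had to be retried (>= 1 without SA_RESTART, 0 with it), or -1. */
int demo_eintr(int use_sa_restart)
{
	int p[2], interrupted = 0;
	char c;
	ssize_t r;
	pid_t pid;
	struct sigaction sa, old;
	struct itimerval it, off;
	struct timespec delay = { 0, 150000000L };

	if (pipe(p) == -1)
		return -1;
	memset(&sa, 0, sizeof sa);
	sa.sa_handler = on_alarm;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = use_sa_restart ? SA_RESTART : 0;
	if (sigaction(SIGALRM, &sa, &old) == -1)
		return -1;

	pid = fork();
	if (pid == -1)
		return -1;
	if (pid == 0) {				/* writer child, no timer here */
		close(p[0]);
		nanosleep(&delay, NULL);
		if (write(p[1], "x", 1) != 1)
			_exit(1);
		_exit(0);
	}
	close(p[1]);

	memset(&it, 0, sizeof it);		/* 20 ms repeating timer */
	it.it_interval.tv_usec = 20000;
	it.it_value.tv_usec = 20000;
	setitimer(ITIMER_REAL, &it, NULL);

	r = read_restart(p[0], &c, 1, &interrupted);

	memset(&off, 0, sizeof off);		/* stop the timer before waiting */
	setitimer(ITIMER_REAL, &off, NULL);
	sigaction(SIGALRM, &old, NULL);
	close(p[0]);
	while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
		;
	return r == 1 ? interrupted : -1;
}

int main(void)
{
	printf("no SA_RESTART: read() retried %d time(s)\n", demo_eintr(0));
	printf("SA_RESTART:    read() retried %d time(s)\n", demo_eintr(1));
	return 0;
}
```

Without SA_RESTART the kernel returns EINTR each time the handler runs, and a loop that treats every -1 as fatal exits, which is exactly the "parent eats itself" symptom in the original report; with SA_RESTART the interruption is invisible to the caller.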



Re: perl -MCPAN checksum mismatch on anything

2005-06-30 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake WR (gen2):

 This does not appear to be true --
 
 see my posting from 6/18/05
 
 using only wget (lynx disabled in the mcpan conf), I get the same error

Then I have no idea what the problem is.  Cpan works for me out of
the box and uses Net::FTP (not lynx or wget) by default.  Try
removing your ~/.cpan directory and see if the problem persists.

 - todd



Re: ATRUN Job / Cron file

2005-06-30 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Dave Beckstrom (dbeck):

 I've been using a cron file (shown below) for some years and it references
 the atrun command.  It appears that the atrun command no longer exists as
 the man pages no longer reference it.
 
 Is there a replacement for the atrun command or is there a means to add it
 to my system?

atrun is no longer needed, cron now runs at jobs like on most other
Unix systems (and with much better granularity than atrun did).

 - todd



Re: sleep patterns...

2005-07-04 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake unixadmin99 (unixadmin99):

 Accidently emptied half the contents of src.tar.gz into /usr/bin while
 undergoing an install under the intoxication of sleep.

Be glad you didn't do this in /usr (as I have done).  Things
get downright unhappy when /usr/libexec/ld.so is a directory ;-)

 - todd



Re: No DMA? What's going on here?

2005-07-09 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Dave Anderson (dave):

 If I'm reading it correctly, this bit of the dmesg says that my hard
 drive is not using DMA -- and so is running very inefficiently:

The IDE controller on that machine does not have working PCI-based
IDE so you are stuck with PIO ISA IDE.  If memory serves the
controller claims to support it but it is horribly buggy.  If you
really want DMA, drop in a cheapo PCI IDE controller and hook the
drives up to that.

 - todd



Re: 005_libz.patch - fails to change directory

2005-07-22 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Uwe Dippel (udippel):

 Strange, we had the same thing with the last patch.

Looks like the main ftp mirror is not updating.  I've left a
message but it may not get fixed for a while...

 - todd



Re: bugtracker is getting spammed

2005-11-22 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Alexander Hall (alexander):

 I just noticed a lot of cannot mount cf/sd card with usb adapter and 
 could cause panic reports on the bugtracker. Some misconfigured 
 mailserver possibly?
 
 Just notifying since It's been going on for a while.
 Is anyone on it?

Fixed.

 - todd



Re: Frequency of 3.8 Malloc Options Check

2005-11-29 Thread Todd C. Miller
Note that you can also set the malloc options from within a program
you are developing.  I've found this to be quite useful for adding
a belt and suspenders mode during development (the use after
free checks in particular).

 - todd



Re: exit and eject should have their second letter in upper-case in cdio(1) help output

2005-12-21 Thread Todd C. Miller
Actually, the correct thing to do is to make one match with a single
letter and the other match with two or more letters.  I chose to
make eject match e.  This resolves the ambiguity.

 - todd



Re: How Do I Get snprintf(3) to Return -1?

2006-01-05 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Ray Lai (ray):

 I'm having trouble making snprintf return -1.  I've tried stuff like:
 
   len = snprintf(str, 0, "%.-Z\n", 9);
   printf("%d", len);
 
 but that just prints `2'.  Does snprintf ever return -1?

Not on OpenBSD.  It can on other OSes when there is an encoding
error.  You only get those dealing with wide characters and we don't
do that yet.  From the C99 standard:

An encoding error occurs if the character sequence presented to the
underlying mbrtowc() function does not form a valid (generalized)
multibyte character, or if the code value passed to the underlying
wcrtomb() does not correspond to a valid (generalized) multibyte
character.  The wide character input/output functions and the byte
input/output functions store the value of the macro EILSEQ in errno
if and only if an encoding error occurs.

When our locale code support is better this will be possible on
OpenBSD too...

 - todd
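The practical consequence of the reply, as an added C example (not from the thread): code that uses the snprintf(3) return value as a cursor has to handle both the truncation case (return value >= size) and, on systems that report encoding errors, a negative return. `naive_offset_after_truncation()` shows the cursor running past the buffer; `buf_appendf()` is a hardened append helper that refuses to advance in either failure case. Both names are my own.

```c
#include <errno.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The pattern to avoid: trusting snprintf()'s return as a cursor.  Writing
 * "hello world" (11 chars) into an 8-byte buffer truncates and returns 11,
 * so a following snprintf(buf + off, cap - off, ...) would start past the
 * end of buf with a size_t that has wrapped to a huge value.  Where
 * snprintf() can return -1, off would instead go backwards.  Only the
 * offset is computed here; nothing is written out of bounds. */
size_t naive_offset_after_truncation(void)
{
	char buf[8];
	size_t off = 0;

	off += (size_t)snprintf(buf, sizeof buf, "%s", "hello world");
	return off;
}

/* Append formatted text at *off in buf (capacity cap).  Returns 0 on
 * success and advances *off.  Returns -1 and leaves buf NUL-terminated
 * when the output was truncated (errno ENOSPC) or when vsnprintf() itself
 * returned a negative value (errno as set by it, e.g. EILSEQ on systems
 * that report encoding errors). */
int buf_appendf(char *buf, size_t cap, size_t *off, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (cap == 0 || *off >= cap) {
		errno = ENOSPC;
		return -1;
	}
	va_start(ap, fmt);
	n = vsnprintf(buf + *off, cap - *off, fmt, ap);
	va_end(ap);
	if (n < 0)
		return -1;		/* formatting or encoding error */
	if ((size_t)n >= cap - *off) {
		*off = cap - 1;		/* buf[cap - 1] holds the NUL */
		errno = ENOSPC;
		return -1;		/* truncated */
	}
	*off += (size_t)n;
	return 0;
}

int main(void)
{
	char b[8];
	size_t off = 0;

	printf("naive cursor after truncation: %zu (buffer is 8)\n",
	    naive_offset_after_truncation());
	buf_appendf(b, sizeof b, &off, "%s", "abc");
	buf_appendf(b, sizeof b, &off, "%d", 12);
	if (buf_appendf(b, sizeof b, &off, "%s", "xyz") == -1)
		printf("append truncated: \"%s\", off=%zu\n", b, off);
	return 0;
}
```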



Re: Moving to a bigger HD, is dump still the best way - dump problem

2006-01-09 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Hannah Schroeter (hannah):

 dump/restore need some space in /tmp. Just mount a mfs to /tmp so
 that that doesn't fill up the initial ramdisk.

Or just point the TMPDIR environment variable to a mounted partition
with enough space.

 - todd



Re: Apple MacBook Pro support

2006-01-12 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Dries Schellekens (gwyllion):

 The final Intel Macs use EFI (Extensible Firmware Interface) instead of 
 the old BIOS. So a new boot loader is required. Maybe code can be 
 borrowed from FreeBSD ia64.

EFI has a legacy mode that is supposedly BIOS-compatible.  It's
really pointless to speculate until someone actually tries booting
OpenBSD on one of them.

 - todd



for those following -current

2006-01-13 Thread Todd C. Miller
Due to some just-committed types changes you will have to build 
install gcc before a make build will succeed.

New snapshots will be available in the next few days.

 - todd



Re: skeyinit and lock - login class data unavailable (side effect of login_ldap permissions for login.conf)

2006-09-01 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Rogier Krieger (rkrieger):

 Is there a way to open up login.conf without divulging the bindpw?
 Reading the login_ldap and login.conf man pages, I did not find any.
 
 So far, I see two possible remedies: [1] patching login_ldap to obtain
 sensitive data in a similar way as login_radius does from /etc/raddb
 or [2] make /etc/login.conf readable to the 'auth' group, as both lock
 and skeyinit have their SGID bits set.
 
 Since [2] is less intrusive, I am inclined to take that route. Are
 there any setbacks to expect? Other suggestions are more than welcome,
 of course.

I would suggest you go with [2].  There shouldn't be any real
downside.

 - todd



Re: Workaround/Solution for i386/5873: No sound on Eee PC 900 with OpenBSD 4.4-beta

2008-10-07 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Dawe (dawedawe):

 I had the same problem with my eee pc 900 as stated in i386/5873:
 azalia(4) seemed to work, but the speakers didn't produce any output.
 
 Running a snapshot from last week, I played again with some mixerctl 
 settings and found the following setting to make the speakers work:
 
 mixerctl outputs.speaker.eapd=on
 
 I can't say, if this was always the case or the result of a recent commit.
 
 Several mp3, ogg and wave files I tested all sound like expected.
 However, I noticed one issue with the sound of flash applications in 
 opera. It's full of hick ups and high pitched. Could that be a sample 
 rate issue?
 
 I thought I let you know, so you could close the bug report...

Would you mind sending dmesg output from your eee pc 900 with the
working sound?

 - todd



Re: Question about sudo -v

2008-12-08 Thread Todd C. Miller
Sounds like you have a line like this in sudoers:

# Same thing without a password
%wheel	ALL=(ALL) NOPASSWD: SETENV: ALL

which would explain why you don't get prompted for a password.
But since you didn't include the output of sudo -l I
can't tell for sure.

 - todd



Re: Question about sudo -v

2008-12-08 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Andreas Kahari (andreas.kahari):

 Here you go:
 
 $ sudo -l
 Matching Defaults entries for ak on this host:
 env_keep+=DESTDIR FETCH_CMD FLAVOR FTPMODE GROUP MAKE MULTI_PACKAGES,
 env_keep+=OKAY_FILES OWNER PKG_DBDIR PKG_DESTDIR PKG_CACHE PKG_PATH,
 env_keep+=PKG_TMPDIR PORTSDIR RELEASEDIR SUBPACKAGE WRKOBJDIR,
 env_keep+=SSH_AUTH_SOCK EDITOR VISUAL SHARED_ONLY, passwd_timeout=0,
 !insults
 
 User ak may run the following commands on this host:
 (ALL) SETENV: ALL
 (ALL) NOPASSWD: /usr/local/libexec/xfsm-shutdown-helper

That looks like a bug.  The verifypw setting is not being handled
correctly.

 - todd



Re: Question about sudo -v

2008-12-08 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Andreas Kahari (andreas.kahari):

 Ah, I think I found it.  It is this line in my sudoers file that does it:
 
 %users ALL=(ALL) NOPASSWD: /usr/local/libexec/xfsm-shutdown-helper
 
 What's wrong with it? I was intending to let any member of the 'users'
 group execute the xfsm-shutdown-helper program, but this line has the
 side effect of making sudo -v not work properly.

The following patch should fix the behavior.  I need to do some
checking to make sure there are no other side effects but I believe
it is correct.

 - todd

Index: parse.c
===
RCS file: /home/cvs/openbsd/src/usr.bin/sudo/parse.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 parse.c
--- parse.c 14 Nov 2008 11:58:08 -  1.20
+++ parse.c 8 Dec 2008 14:54:56 -
@@ -192,12 +192,9 @@ sudo_file_lookup(nss, validated, pwflag)
if ((pwcheck == any  nopass != TRUE) ||
(pwcheck == all  nopass != FALSE))
nopass = cs-tags.nopasswd;
-   if (match == ALLOW)
-   goto matched_pseudo;
}
}
}
-   matched_pseudo:
if (match == ALLOW || user_uid == 0) {
/* User has an entry for this host. */
SET(validated, VALIDATE_OK);
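Review bot: removing the `goto matched_pseudo` means the loop now visits every matching entry, so nopass reflects the `pwcheck == any`/`all` rule over all of them instead of stopping at the first ALLOW; since the label is deleted as well, confirm no other `goto matched_pseudo` remains in sudo_file_lookup(), or the file will not compile. The `match == ALLOW || user_uid == 0` test below is unchanged, so root still bypasses the password check whatever nopass ended up as; a comment stating that this is intended would help the next reader. (The `&&` operators in the context lines have been lost in the archive rendering.)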



Re: lpd printing problem

2011-10-14 Thread Todd C. Miller
The (existing) abuse of toprec is a bit kludgy but this should fix
the problem for now.

 - todd

Index: lib/libc/gen/getcap.c
===
RCS file: /home/cvs/openbsd/src/lib/libc/gen/getcap.c,v
retrieving revision 1.29
diff -u -r1.29 getcap.c
--- lib/libc/gen/getcap.c   10 Jul 2011 13:31:02 -  1.29
+++ lib/libc/gen/getcap.c   14 Oct 2011 13:30:07 -
@@ -658,11 +658,12 @@
 int
 cgetnext(char **cap, char **db_array)
 {
-   size_t len;
+   size_t len, otopreclen = topreclen;
int c, serrno, status = -1;
char buf[BUFSIZ], nbuf[BSIZE];
char *b_end, *bp, *r_end, *rp;
char *record = NULL;
+   char *otoprec = toprec;
u_int dummy;
off_t pos;
 
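Review bot: otoprec and otopreclen snapshot the two globals so the exit path can tell whether this call replaced toprec; a short comment at the declarations saying so would help, since record starts out NULL and the later free depends on comparing against these saved values rather than on record itself.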
@@ -677,6 +678,7 @@
 */
if (toprec  !gottoprec) {
gottoprec = 1;
+   record = toprec;
goto lookup;
}
 
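Review bot: after `record = toprec` the local aliases the caller-supplied global, so an unconditional `free(record)` on the exit path would free toprec while it is still referenced; this is only safe because the done: path in this same patch checks `toprec != otoprec` first. A comment at the assignment noting that record is borrowed here, not owned, would make that invariant visible in the function.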
@@ -770,7 +772,6 @@
fseeko(pfp, (off_t)(bp - b_end), SEEK_CUR);
toprec = record;
topreclen = rp - record;
-   gottoprec = 1;
break;
}
}
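Review bot: with `gottoprec = 1` dropped here and toprec restored from otoprec on the done: path, toprec is only borrowed for the duration of the lookup; a comment at `toprec = record` saying the assignment is temporary and undone in done: would make that clear, since a reader of this function alone sees a library-wide global being overwritten.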
@@ -787,7 +788,11 @@
fseeko(pfp, pos, SEEK_SET);
 done:
serrno = errno;
-   free(record);
+   if (toprec != otoprec) {
+   toprec = otoprec;
+   topreclen = otopreclen;
+   free(record);
+   }
if (status = 0)
(void)cgetclose();
errno = serrno;
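Review bot: the free is now conditional on toprec having changed. That is right for the two paths visible in this patch (a record found by the scan is freed and the old toprec put back; a record borrowed from toprec in the `toprec && !gottoprec` branch is left alone), but it also skips the free on any path where record was allocated and `toprec = record` was never reached, e.g. an error before the `break`; if such a path exists, `if (record != toprec) free(record)` alongside the restore would cover it. Also, `if (status = 0)` in the context line reads as an assignment in this rendering; the comparison operator was lost in the archive, so check the raw patch.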



Re: Bad MD5 of install42.iso

2007-11-01 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Przemysław Pawełczyk (pp):

 1) MD5s for downloaded files
 md5sum install42.iso
 03dc43a1d18d3003843a1f13b3861917  install42.iso

03dc43a1d18d3003843a1f13b3861917 is correct.  The MD5 file has been
updated but will take some time to propagate to the mirrors.

 - todd



Re: can't change password with passwd comand

2007-11-20 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Jumping Mouse (kafriki):

 When I try to change a user password I get an error.
 I do this:
 
 #  passwd  username
 enter a new password and  get: pwd_mkdb:  corrupted entrypwd_mkdb: at line
 #24pwd_mkdb: /etc/ptmp: Innapropriate file type or formatpasswd:
 etc/master.passwd unchanged
 
 how can I fix this?

This indicates that your /etc/master.passwd file has some errors
unrelated to your attempt to change the password.

You should run the vipw command as root to fix the problem on line
24.  It sounds like that line is missing at least one field.

 - todd



Re: login_radius possible changes.

2007-12-12 Thread Todd C. Miller
In message [EMAIL PROTECTED]
so spake Brad Arrington (bradla):

 Would it be possible to change login_radius.c actually raddauth.c so that:
 
 1. The admin can change what port login_radius uses, such as the
 old datametrics port. It is currently hard coded to radius(1812).

I have no objection to this part, though it can be done a bit more
simply.

 2. Make it so it does not try an empty password 2 times before it kicks back
 a prompt asking for a password.

I'm not at all sure about this.  I would have to test this using
challenge/response.

 - todd



Re: Tentakel and exec sudo ...

2009-02-08 Thread Todd C. Miller
In message c4bb3a29-8051-4d34-a691-53d4f035d...@smartterra.eu
so spake Falk Brockerhoff - smartTERRA GmbH (nmc):

 is there any way to execute sudo (in combination with a password to  
 provide) on remote servers using tentakel? Actually tentakel hangs,  
 when I'm executing sudo ls -l / on a bunch of servers. Without sudo  
 anything works fine, as you can see from the example below.

Do you know whether tentakel is running ssh with the -t flag or
not?  Sudo will want to disable echo when reading the password so
ssh needs the -t flag so that it allocates a pty.

 - todd



Re: sudo 1.6.9p20 patch in OPENBSD_4_3 and OPENBSD_4_4

2009-02-10 Thread Todd C. Miller
In message 1234278635.17569.9.ca...@soundwave.ws.pitbpa0.priv.collaborativefus
ion.com
so spake Brian A. Seklecki (lavalamp):

 Do we want to slip this into presently supported branches containing
 1.6.9p17?  It's a quick patch:
 
 http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c.diff?r1=1.160.2.21&r2=1.160.2.22&only_with_tag=SUDO_1_6_9
 
 I tested it on -rOPENBSD_4_3.  Just be sure to nuke the version string.

I think this is worth doing, though the bug won't affect most
people's configuration.  -current is unaffected as it contains
sudo 1.7.0.

 - todd



Re: sudo won't work with login_fingerprint

2009-04-24 Thread Todd C. Miller
login_fingerprint only supports login auth; it does not support the
challenge/response mode, which is what sudo (and other things) uses.

 - todd



Re: Weird sudo behavior?

2012-10-08 Thread Todd C. Miller
This is normal behavior for the version of sudo that ships with
OpenBSD.  You can enable per-tty timestamps by enabling the tty_tickets
option.  E.g., in sudoers add a line like:

Defaults tty_tickets

 - todd



Re: problem compiling userland in -current

2013-02-25 Thread Todd C. Miller
On Sun, 24 Feb 2013 21:10:30 GMT, Stuart Henderson wrote:

 On 2013-02-24, Chris Smith obsd_m...@chrissmith.org wrote:
  cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/nsd-xfer.c
  /usr/src/usr.sbin/nsd/nsd-xfer.c:175: error: static declaration of
  'tsig_get_algorithm_by_id' follows non-static declaration
  /usr/src/usr.sbin/nsd/tsig.h:161: error: previous declaration of
  'tsig_get_algorithm_by_id' was here
 
 It seems your tree is not clean, the tsig_get_algorithm_by_id prototype
 which it's complaining about was removed in tsig.h r1.1.1.3.

This looks like a bug in opencvs, which anoncvs3.usa.openbsd.org was
using for non-pserver connections.  I've now changed it to use GNU
cvs over ssh.

 - todd



Re: sudo configuration !ttytickets?

2013-09-12 Thread Todd C. Miller
On Wed, 11 Sep 2013 20:59:08 -0400, Michael W. Lucas wrote:

 I've noticed that the sudo on OpenBSD seems to have !ttytickets set by
 default. In other words, I authenticate sudo once on, say, ttyp4, and
 all of my login sessions on all my other ttyp* have authenticated to
 sudo.
 
 This, well, kind of surprised me. I'm sure you folks have thought this
 through in much more detail than I have, but I can't find anything on
 the rationale behind it.

It's quite simple really, the version of sudo in OpenBSD (a patched
version of 1.7.2p8) predates the change to use tty_tickets by default.

I've always felt that tty_tickets gives a false sense of security,
though it is somewhat improved in more recent sudo versions where
the tty is determined via sysctl() rather than by ttyname().

 - todd



Re: sudo configuration !ttytickets?

2013-09-14 Thread Todd C. Miller
On Fri, 13 Sep 2013 12:44:45 +0200, Donovan Watteau wrote:

 Am I right thinking that sudo in base is still vulnerable to
 CVE-2013-1776 for those who enable tty_tickets?

Yes, but the situation is no worse than with tty_tickets disabled.
If you are really worried about this you can simply disable the
time stamp files by setting timestamp_timeout to 0.  This makes
sudo a lot less convenient to use though.

 - todd



Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Todd C. Miller
The only change I see to sudo between 5.3 and 5.4 that might be
related is this one.  You could try backing it out via patch -R
and see if the old behavior is restored.

 - todd

Index: sudo.c
===
RCS file: /home/cvs/openbsd/src/usr.bin/sudo/sudo.c,v
retrieving revision 1.43
diff -u -r1.43 sudo.c
--- sudo.c  8 Jul 2010 21:11:31 -   1.43
+++ sudo.c  6 Nov 2013 20:14:47 -
@@ -305,7 +305,7 @@
log_error(NO_STDERR|NO_EXIT, problem with defaults entries);
 
 /* Set login class if applicable. */
-set_loginclass(sudo_user.pw);
+set_loginclass(runas_pw ? runas_pw : sudo_user.pw);
 
 /* Update initial shell now that runas is set. */
 if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
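Review bot: switching set_loginclass() to runas_pw means the login class, and with it the BSD auth style that login.conf selects, now comes from the target user instead of the invoking user; as the follow-up in this thread reports, that breaks invokers whose class is radius when root's is not. The runas user's class is the right source for resource limits and the environment, but authentication should keep using sudo_user.pw, so the two uses need to be separated rather than fed by one call. A comment on this line stating which concern the class is being set for would have flagged the conflict.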



Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Todd C. Miller
On Wed, 06 Nov 2013 13:01:38 -0800, Andrew Klettke wrote:

 Which is odd, and definitely incorrect, as it works with the old binary, 
 and radius is set up correctly in login.conf (IP censored):
 
 radius:\
 :auth=radius:\
 :radius-server=***.***.***.***:\
 :ignorenologin:\
 :requirehome@:\
 :radius-challenge-styles=login:

This is almost certainly caused by revision 1.45 of sudo.c.  If you
back that out (see my previous messages) and rebuild sudo that
should fix it.

Basically, sudo is using the authentication style of the destination
user (in this case root) instead of the invoking user.  A workaround
may be to configure root to use radius authentication.

 - todd



Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-07 Thread Todd C. Miller
On Thu, 07 Nov 2013 00:08:00 -0500, Ted Unangst wrote:

 Is this the correct behavior? As I understand it, when I run sudo, it
 asks for my password because it wants me to prove I'm me. I don't have
 to authenticate as the destination user, so why is the destination
 user's auth style being used?

No, which is why I suggested he backout the change in question.
OpenBSD-current has the missing parts of the change from sudo 1.7.9.

 - todd



Re: sudo bad practice or inconsistency?

2014-10-14 Thread Todd C. Miller
On Tue, 14 Oct 2014 20:58:56 +0200, Alessandro DE LAURENZIS wrote:

 Now, launching sudo that way returns an error:
 
 just22@poseidon:[xfe] sudo su -c ls
 su: no such login class: ls
 
 so basically sudo is parsing the -c option instead of passing it to
 su. Probably this is just a bad practice in sudo usage, nevertheless I
 never encountered such a problem in the Linux world...

No, su is parsing the -c option instead of passing it to the
shell.  It should be running:

su root -c ls

or:

su -- -c ls

This really has nothing to do with sudo.

 - todd



Re: sudo nohup tcpdump at startup

2015-02-04 Thread Todd C. Miller
On Wed, 04 Feb 2015 15:06:41 +0100, Hrvoje Popovski wrote:

 is there any problem to just put this in crontab?
 
 @reboot /usr/sbin/tcpdump -lnqttti pflog0 2>error.log | /usr/bin/logger
 -t pf -p local2.info &

You should not try to run the command in the background since cron
runs commands asynchronously.  Otherwise that looks OK.

 - todd



Re: I found a sort bug! - How to sort big files?

2015-03-14 Thread Todd C. Miller
On Sat, 14 Mar 2015 12:29:21 -, Stuart Henderson wrote:

 I think the consensus was to try and replace it with another version but
 not sure what happened.

I have a port of the FreeBSD sort but it is slower than our current
sort (and slower than GNU sort).

 - todd



Re: Diffs for OpenBSD /src

2015-03-13 Thread Todd C. Miller
On Fri, 13 Mar 2015 10:42:21 -0500, Matthew Markfort wrote:

 What is an appropriate channel for relaying diffs for review?

The t...@openbsd.org list is usually the right place for diffs to
be reviewed.

 - todd



Re: modify /etc/ksh.kshrc

2015-02-20 Thread Todd C. Miller
On Fri, 20 Feb 2015 12:06:48 -0500, Ted Unangst wrote:

 butresin wrote:
  I'm surprised by this.
  Why discouraged to modify /etc/ksh.kshrc?
 
 Because you have to be root to do it? Why wouldn't it be better for users to
 edit their own .kshrc?

There's nothing wrong with wanting to have site-specific settings,
though it would make upgrades simpler to have those in a separate
file.

 - todd



Re: What happens to OpenBSD when Secure Boot becomes mandatory?

2015-04-02 Thread Todd C. Miller
On Thu, 02 Apr 2015 16:38:29 -0400, Steve Litt wrote:

 What happens to OpenBSD when Secure Boot becomes mandatory?

Please read those articles again, Secure Boot is *not* mandatory
for Windows 10.  The major change is that for Windows 8 Microsoft
*required* hardware vendors to provide a setting to disable Secure
Boot.  To be certified for Windows 10, the hardware is no longer
required to have this setting.

So no one is being forced to make Secure Boot mandatory.  If some
hardware vendors choose not to include a way to turn it off they'll
simply lose some business.  At worst this creates new opportunities
for vendors interested in PC sales for Linux, BSD, etc...

The sky is not falling.

 - todd



Re: What bad things could happen if we don't use sudoedit?

2015-04-28 Thread Todd C. Miller
On Tue, 28 Apr 2015 07:19:34 +0200, someone wrote:

 You are perfectly correct, it was ed, not vi and sudoedit could be the
 solution, thanks.
 I will try to search the internet how to do the LD_PRELOAD trick with ed.

You cannot as LD_PRELOAD only works with dynamic executables and
ed is static.  The best you could hope to do is monitor it via
ptrace(2).  It's really a moot point since if you can write to files
as root you can trivially get a root shell other ways, such as
editing /etc/sudoers.

The reason we have sudoedit is that there is no safe way to constrain
what an editor run as root can do.

 - todd



Re: spamdb - can't delete spam db entry (Error 22)

2015-04-27 Thread Todd C. Miller
On Mon, 27 Apr 2015 20:06:59 +0200, Adam Wolk wrote:

 Apr 27 19:54:55 tintagel spamd[27724]: can't delete 66.111.4.25
 out1-smtp.messagingengine.com adam.w...@koparo.com
 adam.w...@tintagel.pl from spamd db (Error 22)

 Does anyone know how serious that error is (should I be worried) and
 what might have caused it?

Error 22 is EINVAL.  I'm not sure how that can happen in this case
though.  Have you tried restarting spamd?

You might also try running:

$ spamdb | fgrep 66.111.4.25

to see if that entry is really in the database and if so see if
spamdb -d can remove it.

 - todd



Re: man -m broken without man.conf ?

2015-05-06 Thread Todd C. Miller
On Wed, 06 May 2015 19:47:23 +0200, Ingo Schwarze wrote:

 Are you OK with the following patch?
 It uses the default path if and only if /etc/man.conf (or the -C
 argument) does not exist or does not contain any manpath or
 _whatdb directive.

That looks reasonable.  Having the logic in manconf_file() seems
less fragile.

 - todd



Re: man -m broken without man.conf ?

2015-05-06 Thread Todd C. Miller
On Wed, 06 May 2015 17:23:20 +0200, Jan Stary wrote:

 This is the latest amd64 snapshot.
 It seems that there is a subtle bug in man(1).
 
 If I augment my man path with -m ~/man,
 as I do with alias man='man -m ~/man',
 man(1) does not find the system manpages, saying
 
   man: No entry for ls in the manual.
 
 but it does find and display those in ~/man correctly.
 This happens if /etc/man.conf does not exist.

It also works if the MANPATH environment variable is set.
The problem appears to be this:

if (conf->manpath.sz == 0)
	manpath_parseline(&conf->manpath, manpath_default, 0);

If -m is specified, conf->manpath.sz will be 1, not 0.
An ugly way to fix this is:

if (conf->manpath.sz == !!auxp)
	manpath_parseline(&conf->manpath, manpath_default, 0);

 - todd



Re: post mortem analysis

2015-04-02 Thread Todd C. Miller
On Thu, 02 Apr 2015 23:57:21 +0200, Riccardo Mottola wrote:

 I checked messages and I see the dmesg from one boot then directly the 
 other boot, no messages in between.
 Where else could I check?

Since you don't have a console you might want to add the following
to /etc/sysctl.conf if you don't already have them:

ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
ddb.log=1   # 1=Log ddb output in kernel message buffer

With that you may be able to see the panic message in dmesg if there
is one.

 - todd



Re: sudoers documentation bug?

2015-06-07 Thread Todd C. Miller
It is far too late in the game to change this behavior as you will
break people's working sudoers files.

 - todd



Re: comsat-biff issue

2015-07-06 Thread Todd C. Miller
Is your mail being delivered to /var/mail/yourname or do you have
a .forward file?  The comsat daemon is notified by mail.local which
delivers mail to the local mail spool.  If you have a .forward file,
mail.local is not used and you won't get a biff notification.

 - todd



Re: comsat-biff issue

2015-07-06 Thread Todd C. Miller
On Mon, 06 Jul 2015 16:53:27 +0200, Walter Alejandro Iglesias wrote:

 Till you mentioned about it I've ignored the existence of
 /usr/libexec/mail.local. :-)  I'm new to OpenBSD.  Is it some kind of
 procmail's alike functionality?

It's what delivers messages to /var/mail/username when invoked by
the MTA.

 I tried modifying the comsat line in inetd.conf, using just udp4,
 removing the ip limit prefix, etc.  I've tried installing procmail
 (telling smtpd to use it).  I did some tests stopping /etc/rc.d/inetd
 and running inetd -d from the command line.

It turns out mail.local only supported udp4 anyway (though I've
just committed a fix for that).

 With the default inetd.conf, after sending a mail to myself:
 
 # inetd -d
 ADD: 127.0.0.1:comsat proto=udp, wait.max=1.256 user:group=root:wheel builtin=0 server=/usr/libexec/comsat
 ADD: ::1:comsat proto=udp6, wait.max=1.256 user:group=root:wheel builtin=0 server=/usr/libexec/comsat
 ADD: daytime proto=tcp, wait.max=0.256 user:group=root:wheel builtin=1959e0e08630 server=internal
 ADD: daytime proto=tcp6, wait.max=0.256 user:group=root:wheel builtin=1959e0e08630 server=internal
 someone wants comsat
 14937 execv /usr/libexec/comsat
 
 The last two lines appeared right after sending the email.  I understand
 (in my ignorance) that means inetd *receives* the notification (from
 mail.local?).  And the following is what netstat shows:

Correct, mail.local sends a message to the comsat port which inetd
listens on.  Then inetd will exec comsat with the socket hooked up
to standard input and output.

 I know biff isn't a big concern but I insisted because I thought it
 could be a symptom of some other more important issue.

The root cause was that mail.local sends a newline character after
the spool file offset which comsat was not expecting.  This used
to work but got broken by the conversion to strtonum().  I've
committed a fix for comsat similar to the diff I sent earlier.

 - todd
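The mail.local to comsat message described above, as an added example that is not code from comsat or mail.local: a strtonum(3)-style conversion that rejects trailing characters, and a parser for the "user@offset" datagram run once without and once with the trailing-whitespace trim. The function names parse_mailfor, strtonum_checked and parsed_offset are this example's own, and the datagram is constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strtonum(3)-style conversion: the whole string must be one decimal
 * number in [minval, maxval].  Trailing characters such as '\n' are an
 * error, which is exactly what tripped comsat.  Returns 0 or -1. */
static int strtonum_checked(const char *s, long long minval, long long maxval,
    long long *out)
{
    char *ep;
    long long v;

    errno = 0;
    v = strtoll(s, &ep, 10);
    if (s == ep || *ep != '\0')
        return -1;              /* empty string or trailing garbage */
    if (errno == ERANGE || v < minval || v > maxval)
        return -1;              /* out of range */
    *out = v;
    return 0;
}

/* Parse one "user@offset" datagram as mail.local sends it to comsat.
 * When trim is nonzero, trailing whitespace (mail.local's newline) is
 * removed first, as the committed comsat fix does.  Returns 0 on
 * success and -1 on a malformed datagram. */
int parse_mailfor(const char *msg, int trim, char *user, size_t userlen,
    long long *offset)
{
    char buf[256];
    char *cp;

    if (strlen(msg) >= sizeof buf)
        return -1;              /* cap on datagram length */
    strcpy(buf, msg);

    if (trim) {
        cp = buf + strlen(buf);
        while (cp > buf && isspace((unsigned char)cp[-1]))
            *--cp = '\0';
    }
    if ((cp = strchr(buf, '@')) == NULL)
        return -1;              /* no user/offset separator */
    *cp = '\0';
    if (cp == buf)
        return -1;              /* empty user name */
    if (strtonum_checked(cp + 1, 0, LLONG_MAX, offset) == -1)
        return -1;              /* offset not a clean non-negative number */
    snprintf(user, userlen, "%s", buf);
    return 0;
}

/* Convenience wrapper: the parsed offset, or -1 when the datagram is rejected. */
long long parsed_offset(const char *msg, int trim)
{
    char user[32];
    long long off;

    return parse_mailfor(msg, trim, user, sizeof user, &off) == 0 ? off : -1;
}

int main(void)
{
    /* Constructed datagram, newline-terminated the way mail.local sends it. */
    const char *msg = "todd@4096\n";
    char user[32];
    long long off;

    printf("untrimmed: %s\n",
        parse_mailfor(msg, 0, user, sizeof user, &off) == 0 ? "ok" : "rejected");
    if (parse_mailfor(msg, 1, user, sizeof user, &off) == 0)
        printf("trimmed:   user=%s offset=%lld\n", user, off);
    return 0;
}
```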



Re: Resolve names from chroot'ed OpenBSD httpd

2015-05-22 Thread Todd C. Miller
On Fri, 22 May 2015 11:54:10 -0300, Daniel Bolgheroni wrote:

 On Fri, May 22, 2015 at 06:39:53AM -0400, Dain Bentley wrote:
  I had this issue a while back.  Have you tried restarting the server?
 
 Sure, but didn't solve the problem.
 
 http://marc.info/?l=openbsd-miscm=135603654831609w=2

You should ktrace the process and see what files it is unable to
open.  That should tell you what is missing from the chroot.

 - todd



Re: comsat-biff issue

2015-07-06 Thread Todd C. Miller
It looks like this is fallout from the strtonum() conversion in
comsat.  The issue is that mail.local writes a trailing newline
after the offset that we need to trim.  This fixes it.

 - todd

Index: libexec/comsat/comsat.c
===
RCS file: /cvs/src/libexec/comsat/comsat.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 comsat.c
--- libexec/comsat/comsat.c 18 Apr 2015 18:28:37 -  1.39
+++ libexec/comsat/comsat.c 6 Jul 2015 14:56:23 -
@@ -191,6 +191,7 @@ doreadutmp(void)
}
(void)lseek(uf, 0, SEEK_SET);
nutmp = read(uf, utmp, statbf.st_size)/sizeof(struct utmp);
+   dsyslog(LOG_DEBUG, read %d utmp entries, nutmp);
}
(void)alarm(15);
 }
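Review bot: the new dsyslog() at the end of doreadutmp() logs nutmp, but the visible line above computes it as `read(uf, utmp, statbf.st_size)/sizeof(struct utmp)`, so a failed read(2) returning -1 is converted to size_t before the division and yields a huge bogus count rather than an error; check the read result before dividing so neither the new log line nor the utmp loop in mailfor() runs over garbage.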
@@ -204,15 +205,22 @@ mailfor(char *name)
char *cp;
off_t offset;
 
+   dsyslog(LOG_DEBUG, mail for '%s', name);
+   cp = name + strlen(name) - 1;
+   while (cp  name  isspace((unsigned char)*cp))
+   *cp-- = '\0';
if (!(cp = strchr(name, '@')))
return;
*cp = '\0';
offset = strtonum(cp + 1, 0, LLONG_MAX, errstr);
-   if (errstr)
+   if (errstr) {
+   syslog(LOG_ERR, '%s' is %s, cp + 1, errstr);
return;
+   }
while (--utp = utmp) {
memcpy(utname, utp-ut_name, UT_NAMESIZE);
utname[UT_NAMESIZE] = '\0';
+   dsyslog(LOG_DEBUG, check %s against %s, name, utname);
if (!strncmp(utname, name, UT_NAMESIZE))
notify(utp, offset);
}
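Review bot: the trailing-whitespace trim at the top of mailfor() forms `name + strlen(name) - 1` before checking that name is non-empty, so a zero-length datagram produces a pointer one before the buffer; test `*name == '\0'` and return first. isspace() also needs <ctype.h>, which this hunk does not show being included. Since the new `'%s' is %s` error line writes bytes from a network datagram into syslog, it is worth keeping the trim (and a length cap) ahead of that call.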



Re: no more sudo on openbsd 5.8

2015-08-07 Thread Todd C. Miller
On Fri, 07 Aug 2015 17:06:03 +0200, John Naggets wrote:

 I just installed OpenBSD snapshot (5.8) through an automated install
 and was surprise to login with my normal user and to find out that
 there is no sudo command available. Is this normal?

Yes, sudo has moved to ports.  The new doas(1) acts like a simplified
sudo.

 I have setup the autoinstall for no root password and only one user
 account so I was wondering how do I run something as root now? Do I
 really need to setup a root account from autoinstall?

You can either use doas(1) or install the sudo port.

 - todd



Re: passwd without argument in sudo

2015-07-15 Thread Todd C. Miller
On Wed, 15 Jul 2015 14:51:00 +0200, Alex Greif wrote:

 when I 'sudo su - ' into a root shell and issue a 'passwd' without a 
 username
 argument, then it does not try to change the passwd for the current user (in
 this case root) but for the user from which I issued the 'sudo'.

This is because passwd changes the password for the logged in user
by default, as returned by the logname system call.  You can run
the logname command to see that this is not changed when you run
su.

It's probably worth mentioning this in the passwd manual as it does
seem to cause some confusion.

 - todd



Re: ksh not loading .profile

2015-07-15 Thread Todd C. Miller
On Wed, 15 Jul 2015 17:05:51 +0100, Laurence Rochfort wrote:

 I've followed the faq at http://www.openbsd.org/faq/faq8.html#ksh and it
 still does not work.

The problem is that your .xsession file merges ~/.Xresources
but your actual XTerm*loginShell setting is in ~/.Xdefaults.
Copy that line into ~/.Xresources and it should work.

If you were using startx instead of xdm, the ~/.Xdefaults file would
have been used.

 - todd



Re: cron log in /var/log

2015-11-11 Thread Todd C. Miller
On Wed, 11 Nov 2015 12:29:30 -0500, Jiri B wrote:

> As cron got a quite interested recently, isn't
> right time to move its log to /var/log?
> Or does having /var/cron/log have any specific reason?

Since it is just another syslog file /var/log makes sense.
I worry a bit about people's log watching scripts, though.

 - todd



Re: cron log in /var/log

2015-11-11 Thread Todd C. Miller
On Wed, 11 Nov 2015 12:52:51 -0500, Jiri B wrote:

> Other thing, when I was playing with most filesystems r/o I also
> found having '.sock' in /var/cron/tabs little annoying,
> as we usually use /var/run and I was already having /var/run
> as mfs. Seems like a piece of cake to move it to /var/run.

Funny you should mention that.  I was considering moving that to
/var/run/cron.sock.  The only reason for it to be in the cron dir
is for older systems that don't respect the file modes on Unix
domain sockets.  That's not an issue for us...

 - todd



Re: cron daily insecurity output

2015-11-11 Thread Todd C. Miller
On Wed, 11 Nov 2015 20:31:03 +0100, Adam Wolk wrote:

> cron started to be recently reported in my insecurity output after
> upgrading to snapshot from Nov 6:
> 
> Checking special files and directories.
> Output format is:
>   filename:
>   criteria (shouldbe, reallyis)
> var/cron/atjobs: 
>   permissions (01770, 0770)
> var/cron/tabs: 
>   permissions (01730, 0730)
> mtree special: exit code 2

This is a side effect of pledge(2) restrictions in cron coupled
with a minor bug in the code that caused it to change the mode when
it doesn't actually need to.

I committed a fix for the bug earlier today so the next snapshot
containing that fix will not strip the sticky bit from those
directories.  However, you'll need to fix up the directory permissions
manually.  E.g.

# chmod a+t /var/cron/atjobs /var/cron/tabs

 - todd



Re: missing mailing list message(s)?

2015-09-01 Thread Todd C. Miller
The mailing list server has been hitting a kernel bug that may have
caused some outgoing messages to be lost.

 - todd



Re: OpenBSD parts in Toyota Highlander

2015-09-26 Thread Todd C. Miller
On Sat, 26 Sep 2015 12:51:27 -0600, Diana Eichert wrote:

> Todd's is most likely sudo

That's probably strlcpy/strlcat.

 - todd



Re: dig and DNSSEC

2015-09-26 Thread Todd C. Miller
On Sat, 26 Sep 2015 22:03:50 +0200, Denis Fondras wrote:

> As Unbound/nsd are in base now, perhaps it could be easier to get
> drill in and drop dig ?

That's a great idea.  We'd need to add nslookup(1) and host(1)
wrappers though.

 - todd



Re: Inconsistency in utimes(2) manpage

2016-01-05 Thread Todd C. Miller
On Tue, 05 Jan 2016 16:38:46 +0100, Carsten Kunze wrote:

> the DESCRIPTION section of utimes(2) refers to "path" while
> the SYNOPSIS section uses the term "file".  Maybe the term
> "path" should be used instead of "file" in SYNOPSIS.

Fixed, thanks.

 - todd



Re: smtpd and syslog

2016-06-10 Thread Todd C. Miller
The trace messages are logged at the debug level.  You'll need to
edit /etc/syslog.conf and change:

mail.info   /var/log/maillog

to:

mail.debug  /var/log/maillog

Then you should see the trace information.

 - todd



Re: FW: smtpd and syslog

2016-06-10 Thread Todd C. Miller
On Fri, 10 Jun 2016 19:20:23 -, Peter Fraser wrote:

> But what bothered me was the thousands of lines in /var/log/messages
> saying
> 
> sendsyslog: dropped 2 messages, error 55
> 
> when I first noticed I had forgot that I had modified smtd_flags
> and had no idea why my log files were filling up.
> I had no success trying to find what error 55 was.

Look in /usr/include/sys/errno.h

#define ENOBUFS 55  /* No buffer space available */

> There was no hint as to what the source of the problem was.
> I did not know of any approach to find the cause, other than
> guessing that it was smtpd.

It used to be that syslog messages were silently dropped when syslogd
was out of buffers.  These days the kernel at least logs this
condition.  It would be hard for the kernel to provide more information
without trying to parse the log messages that were dropped.

 - todd



Re: sshfs key exchange fails

2016-06-17 Thread Todd C. Miller
On Fri, 17 Jun 2016 19:49:44 +0200, "Dennis Matthiesen" wrote:

> I'm not sure if this is a configuration issue or could this be a general
> problem with the 'Diffie-Hellman Group Exchange Request' not being
> processed properly by OpenBSD.
> 
> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group
> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is
> sending a FIN ACK instead.

That sounds like a configuration issue.  Newer versions of OpenSSH
don't accept these weak key exchange algorithms by default:

diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1

You can add them back in /etc/ssh/sshd_config using the KexAlgorithms
setting.  See sshd_config(5) for details.

Also see http://www.openssh.com/legacy.html

 - todd



Re: sudo and globbing

2016-01-08 Thread Todd C. Miller
You are comparing two very different versions of sudo.  The sudo
that used to ship with OpenBSD is version 1.7.2p8 which is rather
ancient.  On Linux you probably have some variant of sudo 1.8.x.
Newer versions of sudo escape spaces in the command run via "sudo
-s" whereas the ancient 1.7.2p8 does not.  That probably explains
the difference.

If you install sudo from ports you will get the same behavior you
see on linux.

 - todd



Re: question about fprintf()

2016-02-15 Thread Todd C. Miller
On Mon, 15 Feb 2016 19:22:59 +0300, Alexei Malinin wrote:

> Please tell me can fprintf() set errno to EINTR?

Yes, it is possible but see below.

> I have not found assignments such as "errno=EINTR" in libc sources
> (src/lib/libc/stdio, amd64 OpenBSD-5.6 ) but I'm not sure.
> 
> fprintf()'s man page does not say anything about errno but POSIX.1 says,
> "If an output error was encountered, these functions shall return a
> negative value and set /errno/ to indicate the error."

If a signal handler is installed without the SA_RESTART flag set,
the write(2) system call may fail with errno set to EINTR.  The
fprintf(3) function uses write(2) (deep) under the covers to write
to a file or terminal.  The signal(3) function always sets the
SA_RESTART flag unless siginterrupt(3) has been used to make system
calls interruptible.  If the sigaction(2) system call is used,
SA_RESTART must be explicitly set in sa_flags.

 - todd
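The SA_RESTART behaviour described above, as an added example that is not from the original post: a write(2) blocked on a full pipe is hit by SIGALRM once with a handler installed without SA_RESTART and once with it. The pipe, the 50 ms setitimer(2) and the name blocked_write_result are this example's own setup; the EINTR seen here is the same one fprintf(3) surfaces when its underlying write(2) is interrupted.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

static int drain_fd = -1;

/* SIGALRM handler: free some room in the pipe so a restarted write can
 * finish.  read(2) is async-signal-safe, so it is legal here. */
static void on_alarm(int sig)
{
    char buf[4096];
    (void)sig;
    if (drain_fd != -1)
        (void)read(drain_fd, buf, sizeof buf);
}

/* Block a write(2) on a full pipe, then deliver SIGALRM to it.
 * Returns 0 if the write completed, otherwise the errno it failed with
 * (EINTR when the handler was installed without SA_RESTART). */
int blocked_write_result(int use_sa_restart)
{
    int fds[2], flags, rc;
    char chunk[4096];
    struct sigaction sa;
    struct itimerval timer;

    if (pipe(fds) == -1)
        return errno;

    /* Fill the pipe without blocking so the next write has to wait. */
    memset(chunk, 'x', sizeof chunk);
    flags = fcntl(fds[1], F_GETFL);
    (void)fcntl(fds[1], F_SETFL, flags | O_NONBLOCK);
    while (write(fds[1], chunk, sizeof chunk) > 0)
        ;
    while (write(fds[1], chunk, 1) > 0)    /* top up the last partial page */
        ;
    (void)fcntl(fds[1], F_SETFL, flags);

    /* Install the handler with or without SA_RESTART, like sigaction(2)
     * callers must do explicitly (signal(3) would set it for us). */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = use_sa_restart ? SA_RESTART : 0;
    if (sigaction(SIGALRM, &sa, NULL) == -1)
        return errno;
    drain_fd = fds[0];

    /* SIGALRM arrives 50 ms from now, while write(2) is blocked. */
    memset(&timer, 0, sizeof timer);
    timer.it_value.tv_usec = 50000;
    (void)setitimer(ITIMER_REAL, &timer, NULL);

    errno = 0;
    rc = (write(fds[1], "y", 1) == 1) ? 0 : errno;

    /* Cancel the timer and restore the default disposition. */
    memset(&timer, 0, sizeof timer);
    (void)setitimer(ITIMER_REAL, &timer, NULL);
    drain_fd = -1;
    (void)signal(SIGALRM, SIG_DFL);
    (void)close(fds[0]);
    (void)close(fds[1]);
    return rc;
}

int main(void)
{
    int r = blocked_write_result(0);
    printf("without SA_RESTART: %s\n", r == EINTR ? "EINTR" :
        r == 0 ? "completed" : strerror(r));
    r = blocked_write_result(1);
    printf("with SA_RESTART:    %s\n", r == 0 ? "completed" : strerror(r));
    return 0;
}
```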



Re: question about fprintf()

2016-02-15 Thread Todd C. Miller
On Mon, 15 Feb 2016 21:08:20 +0300, Alexei Malinin wrote:

> But can fprintf() set errno to EINTR if a program has no signal handlers
> (i. e. there are default handlers for all signals)?
> For example what will happen with fprintf() in a program with default
> signal dispositions if the program's window size changes (SIGWINCH)?

In that case the write(2) system call will be restarted and fprintf(3)
will continue without error.

 - todd



Re: doas(1) and $PATH

2016-02-19 Thread Todd C. Miller
On Wed, 13 Jan 2016 11:17:55 -0500, Philippe Meunier wrote:

> By the way, while playing with which(1) and doas(1) and $PATH, I
> managed to get which(1) to core dump, twice, although I have not been
> able to reproduce it reliably.

The crash in which was fixed recently.

 - todd



Re: doas(1) and $PATH

2016-02-19 Thread Todd C. Miller
On Fri, 19 Feb 2016 13:45:28 -0700, "Todd C. Miller" wrote:

> On Wed, 13 Jan 2016 11:17:55 -0500, Philippe Meunier wrote:
> 
> > By the way, while playing with which(1) and doas(1) and $PATH, I
> > managed to get which(1) to core dump, twice, although I have not been
> > able to reproduce it reliably.
> 
> The crash in which was fixed recently.

Whoops, looks like I was responding to an old message.

 - todd



Re: groupdel 'command' don't remove group id

2016-03-15 Thread Todd C. Miller
A user's active groups are set at login time.  Removing a group
from the group file does not affect processes that are already
running.  If you logout and login again after removing the group
you should no longer be a member of the group.

 - todd



Re: patch: fix usage of mkstemp() in rdistd

2016-03-27 Thread Todd C. Miller
I think it's best to just check the parent directories first and
then create the temp name.

 - todd

Index: server.c
===
RCS file: /cvs/src/usr.bin/rdistd/server.c,v
retrieving revision 1.40
diff -u -p -u -r1.40 server.c
--- server.c22 Dec 2015 08:48:39 -  1.40
+++ server.c28 Mar 2016 02:01:32 -
@@ -750,12 +750,9 @@ recvfile(char *new, opt_t opts, int mode
/*
 * Create temporary file
 */
-   if ((f = mkstemp(new)) < 0) {
-   if (errno != ENOENT || chkparent(new, opts) < 0 ||
-   (f = mkstemp(new)) < 0) {
-   error("%s: create failed: %s", new, SYSERR);
-   return;
-   }
+   if (chkparent(new, opts) < 0 || (f = mkstemp(new)) < 0) {
+   error("%s: create failed: %s", new, SYSERR);
+   return;
}
 
/*
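Review bot: calling chkparent() ahead of every mkstemp() turns the old ENOENT fallback into an unconditional directory check, so each received file now pays the stat(2) calls chkparent() makes even when the parent already exists, which is the common case; if that cost matters, keep the ENOENT-driven retry and only re-run mkstemp() after the directories have been created. The follow-up in this thread proposes an alternative that keeps the fast path.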
@@ -1161,13 +1158,10 @@ recvlink(char *new, opt_t opts, int mode
/*
 * Make new symlink using a temporary name
 */
-   if (mktemp(new) == NULL || symlink(dbuf, new) < 0) {
-   if (errno != ENOENT || chkparent(new, opts) < 0 ||
-   mktemp(new) == NULL || symlink(dbuf, new) < 0) {
-   error("%s -> %s: symlink failed: %s", new, dbuf,
-   SYSERR);
-   return;
-   }
+   if (chkparent(new, opts) < 0 || mktemp(new) == NULL ||
+   symlink(dbuf, new) < 0) {
+   error("%s -> %s: symlink failed: %s", new, dbuf, SYSERR);
+   return;
}
 
/*



Re: patch: fix usage of mkstemp() in rdistd

2016-03-28 Thread Todd C. Miller
On Mon, 28 Mar 2016 10:19:12 +0200, Paul Kelly wrote:

> On 03/28/16 04:05, Todd C. Miller wrote:
>  > I think it's best to just check the parent directories first and
>  > then create the temp name.
>  >
>  >   - todd
> 
> This works for me and avoids my hacking around with new. I added a few 
> extra destination directories and it seems to hold up OK. Thanks!

Another option is to just open the file directly after creating the
intermediate directories.  This is effectively what used to happen
before mkstemp(3) was changed to return an error when no Xs are
found in the format.  That way you still save a stat call when the
directories already exist (the common case).

 - todd

Index: server.c
===
RCS file: /cvs/src/usr.bin/rdistd/server.c,v
retrieving revision 1.40
diff -u -p -u -r1.40 server.c
--- server.c22 Dec 2015 08:48:39 -  1.40
+++ server.c28 Mar 2016 12:35:53 -
@@ -752,7 +752,7 @@ recvfile(char *new, opt_t opts, int mode
 */
if ((f = mkstemp(new)) < 0) {
if (errno != ENOENT || chkparent(new, opts) < 0 ||
-   (f = mkstemp(new)) < 0) {
+   (f = open(new, O_CREAT|O_EXCL|O_RDWR, S_IRUSR|S_IWUSR)) < 
0) {
error("%s: create failed: %s", new, SYSERR);
return;
}
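Review bot: the fallback open() reuses `new` after mkstemp() has already run on it, and mkstemp(3) rewrites the template's X's in place before attempting the create, so the name opened here is whatever the failed mkstemp() left behind rather than a freshly generated one; O_CREAT|O_EXCL means a collision fails loudly instead of being reused, but a comment saying that `new` has been mutated by the first call would help the next reader. S_IRUSR|S_IWUSR matches the 0600 mode mkstemp() uses, so the resulting permissions are unchanged.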
@@ -1163,7 +1163,7 @@ recvlink(char *new, opt_t opts, int mode
 */
if (mktemp(new) == NULL || symlink(dbuf, new) < 0) {
if (errno != ENOENT || chkparent(new, opts) < 0 ||
-   mktemp(new) == NULL || symlink(dbuf, new) < 0) {
+   symlink(dbuf, new) < 0) {
error("%s -> %s: symlink failed: %s", new, dbuf,
SYSERR);
return;



Re: Using "> /tmp/debug.log 2>&" in a startup script

2016-07-08 Thread Todd C. Miller
I suspect you are getting tripped up by the ">/dev/null 2>&1" in
_rc_do().  Try setting _RC_DEBUG=1 in the rc.d file and see if that
makes a difference.  I suppose you could also provide your own
implementation of _rc_do() in the rc.d file too.

 - todd



Re: reorder_libs() from /etc/rc when using NFS root FS

2016-07-09 Thread Todd C. Miller
On Sat, 09 Jul 2016 18:25:08 +0200, Frank Scheiner wrote:

> Running the command substitution alone after the machine has finished 
> booting - which takes a considerable extra amount of time as the 
> SPARCclassic is a slow machine and its root FS is mounted via NFS - 
> gives the following in my case:
> 
> ```
> # stat -L -f '%Sd' /usr/lib
> ??
> # echo $?
> 0
> ```

That makes sense.  What stat(1) actually does is call stat(2) on
/usr/lib and look up the resulting device number using devname(3).
Since it can't be found it returns "??" which is useful for ps but
not much else.

We can simplify the check and simply treat a value of "??" as
non-local and skip the reorder.

 - todd

Index: rc
===
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.485
diff -u -p -u -r1.485 rc
--- rc  29 May 2016 15:36:06 -  1.485
+++ rc  10 Jul 2016 01:35:46 -
@@ -164,8 +164,8 @@ reorder_libs() {
local _dkdev=/dev/$(stat -L -f '%Sd' /usr/lib)
local _mp=$(mount | grep "^$_dkdev")
 
-   # Skip if /usr/lib is on a nfs mounted filesystem.
-   [[ $_mp == *' type nfs '* ]] && return
+   # Skip if /usr/lib is not on a local filesystem.
+   [ $_dkdev == '??' ] && return
 
echo -n 'reordering libraries:'
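Review bot: the new test can never be true: _dkdev is built two lines up as `/dev/$(stat -L -f '%Sd' /usr/lib)`, so in the NFS case it holds `/dev/??`, not `??`. It is also unquoted inside `[ ]`, so the shell attempts pathname expansion of `/dev/??` against two-character entries in /dev before the comparison runs. Either compare the raw stat output before prefixing it, or use `[[ $_dkdev == '/dev/??' ]]`, which does not glob the variable, as the removed line did with `[[`. With the grep on the mount output gone, `_mp` is now unused and can be dropped.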



Re: Issue with numbers of pty

2016-07-01 Thread Todd C. Miller
On Fri, 01 Jul 2016 10:50:24 -0400, "Ted Unangst" wrote:

> Stuart Henderson wrote:
> > On 2016-06-30, Oriol Demaria  wrote:
> > > Trying tmuxinator here I have noticed that I ran out of pty, according
> > > to man pty(4) there is a kernel parameter specifiying the max
> > > number. I'm running a snapshot from last Friday, and I don't seem to
> > > have kern.tty.maxptys.
> > 
> > You probably just ran out of device nodes, the default (62) is a bit small
> > for some uses (often exhibited as not being able to open new xterms), but you
> > can create more like this:
> > 
> > cd /dev
> > sh MAKEDEV pty1
> 
> This shouldn't be a problem for software using openpty().

I don't think that is correct.  You still need the device nodes in
/dev to exist.  Otherwise, the PTMGET ioctl will fail.

 - todd



Re: rcs(1) and -I parameter

2016-07-03 Thread Todd C. Miller
On Sun, 03 Jul 2016 13:22:48 +0200, Solène RAPENNE wrote:

> I am not familiar with rcs(1), from the man page I found parameter "-I Interactive mode."
> and rcs usage displays "usage: rcs [-IiLqTUV] [...]"
> 
> When I type "rcs -I" I get
> 
> rcs: unknown option -I
> 
> Does the parameter -I really exists ?

It doesn't appear to actually be implemented in OpenRCS.  In GNU
rcs, the -I flag forces interactive mode even if the stdin is not
a terminal.

Implementing this is not hard, rcs_prompt() just needs to print the
prompts even when no tty is present if -I is specified.

 - todd


