Re: strict separation base system and third party software

2016-10-28 Thread dan mclaughlin
On Fri, 28 Oct 2016 01:21:13 -0600 "Theo de Raadt"  wrote:
> > > > Different design, different philosophy, and different goals [1] but the
> > > > same BSD heritage.
> > > 
> > > There is no philosophy involved.
> > > 
> > > England and the US and Canada are not differences in philosophy.
> > > 
> > > They are just different.  philosophy has little to do with it.
> > > 
> > > Stop using that word incorrectly, please.
> > > 
> > > Try:
> > > 
> > > Different texture, different pantone.
> > > 
> > > See, it fails to reuse words which are out of scope, and is just as
> > > accurate.
> > 
> > actually, philosophy was used accurately here.
> > 
> > the relevant definition from wordnet:
> >   any personal belief about how to live or how to deal with a situation
> > and the equivalent from merriam-webster.com:
> >   a set of ideas about how to do something or how to live
> > 
> > it's only because you have a different philosophy that you use only /etc
> > instead of /usr/local/etc. that's how you deal with the situation of where to
> > put configuration files.
> > 
> > people/groups have different ideas of "how to deal with a situation" or "how
> > to do something", which means they have different philosophies.
> 
> there is no philosophy.
> 
> there was no belief.
> 
> maybe there was a touch of idealism, but nothing as refined as you
> suggest.

i made no such suggestion. a 'philosophy' doesn't have to be a doctrine.

> 
> it was simply a decision made for a handful of things which got reused
> for the rest of them.
> 
> back decades ago.
> 
> your philosophy is that you can copy things from a dictionary and
> that we should live according to that as a rule?

i never said you "should live according to that as a rule". and where the FUCK
did you get that, eh?  all i did was to point out that you were wrong about the
use of the word philosophy. i have heard it used innumerable times in my life
in exactly the manner it was originally used in this thread.

and yes, when dealing with definitions of words, my philosophy is to go to
the dictionary.

> you weren't there.  were you even born?  perhaps your philosophy is
> that you can speak authoritatively upon things you didn't experience
> directly?
> 
> oh wait, that's religion

and what the FUCK does this have to do with anything? this is completely
irrelevant anyway. you said the word philosophy was used wrong, and i *cited*
authoritative sources. i could have said that i have always heard philosophy
used in that manner all of my life, as i have, but instead i *cited* recognized
authorities on the meanings of words.



Re: strict separation base system and third party software

2016-10-28 Thread dan mclaughlin
On Thu, Oct 27, 2016 at 23:16:50 -0600, Theo de Raadt wrote:
> > Different design, different philosophy, and different goals [1] but the
> > same BSD heritage.
> 
> There is no philosophy involved.
> 
> England and the US and Canada are not differences in philosophy.
> 
> They are just different.  philosophy has little to do with it.
> 
> Stop using that word incorrectly, please.
> 
> Try:
> 
> Different texture, different pantone.
> 
> See, it fails to reuse words which are out of scope, and is just as
> accurate.

actually, philosophy was used accurately here.

the relevant definition from wordnet:
  any personal belief about how to live or how to deal with a situation
and the equivalent from merriam-webster.com:
  a set of ideas about how to do something or how to live

it's only because you have a different philosophy that you use only /etc
instead of /usr/local/etc. that's how you deal with the situation of where to
put configuration files.

people/groups have different ideas of "how to deal with a situation" or "how
to do something", which means they have different philosophies.



Re: help with kshrc

2016-04-18 Thread dan mclaughlin
On Mon, 18 Apr 2016 16:42:56 +0200 Marko Cupać wrote:
> Hi,
> 
> in tcsh on FreeBSD, I use the following line in .tcshrc in order to
> start xfce when logging on ttyv3:
> 
> if  ($tty == ttyv3) then
>   startxfce4 --with-ck-launch
>   logout
> endif
> 
> How can I achieve the same with OpenBSD's default ksh and .kshrc?
> 
> Thank you in advance,
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
> 
> Marko Cupać
> https://www.mimar.rs/
> 

it's been more years than i can count since i've used either tcsh or FreeBSD,
but if you are trying to detect the current tty (which is what i am assuming
is what is in $tty), you can use ps (the variable '$$' is a reference to the
current shell's pid):

$ ps -o pid,tt | sed -n "s/^$$ //p"
p3

now i don't know what v3 is, but the console ttys are ttyC? on OpenBSD, so
if you want only the first window at the console,

  if [[ $(ps -o pid,tt | sed -n "s/^$$ //p") = C0 ]];then
    startxfce4 --with-ck-launch
    exit
  fi

should do the trick. i also assume that 'logout' exits the shell, and thus
logs you out, hence logout -> exit, which will exit the script (or in this
case the shell since it's in the startup script).



Re: Post pkg_delete messages, change message format?

2016-03-25 Thread dan mclaughlin
On Fri, 25 Mar 2016 12:47:01 -0500 Chris Bennett wrote:
> After I delete packages, especially pkg_delete -X, I get a long list of
> instructions like:
> 
> 
> -2.1.3 ---
> You should also run rm -rf /etc/cups/*.conf.O /var/log/cups
> You should also run rm -rf /var/cache/cups
> You should also run rm -rf /var/spool/cups
> --- -cups-pdf-2.6.1p0 ---
> You should also run rm -rf /var/spool/cups-pdf/
> --- -dbus-1.10.8v0 ---
> Remember to update /var/db/dbus/machine-id
> Remember to update /etc/machine-id
> --- -dconf-0.24.0p1 ---
> You should also run rm -rf /etc/dconf/db/*
> You should also run rm -rf /etc/dconf/profile/*
> --- -foo2zjs-20140627p1 ---
> You should also run rm -f /usr/local/share/foo2hbpl/icm/*
> You should also run rm -f /usr/local/share/foo2hiperc/icm/*
> You should also run rm -f /usr/local/share/foo2hp/icm/*
> You should also run rm -f /usr/local/share/foo2lava/icm/*
> You should also run rm -f /usr/local/share/foo2oak/icm/*
> You should also run rm -f /usr/local/share/foo2qpdl/icm/*
> You should also run rm -f /usr/local/share/foo2slx/icm/*
> You should also run rm -f /usr/local/share/foo2xqx/firmware/*
> You should also run rm -f /usr/local/share/foo2zjs/firmware/*
> You should also run rm -f /usr/local/share/foo2zjs/icm/*
> --- -hplip-3.16.2 ---
> You should also run rm -rf /usr/local/share/hplip/data/firmware
> You should also run rm -rf /usr/local/share/hplip/data/plugins
> You should also run rm -rf /usr/local/share/hplip/fax/plugins
> You should also run rm -rf /usr/local/share/hplip/prnt/plugins
> You should also run rm -rf /usr/local/share/hplip/scan/plugins
> You should also run rm -f /usr/local/share/hplip/plugin.spec
> --- -hplip-common-3.16.2 ---
> You should also run rm -rf /var/log/hp/tmp/*
> You should also run rm -f /var/log/hp/* 2>/dev/null || true
> --- -net-snmp-5.7.3p6 ---
> You should also run rm -rf /var/net-snmp/*
> --- -sane-backends-1.0.25p2 ---
> You should also run rm -rf /var/spool/lock/sane/*
> 
> With this format, I have to copy/paste each rm -rf, groupdel, etc by hand.
> Could these messages be changed to something easier to use like:
> 
> 
> --- -hplip-3.16.2 ---
> You should also run
> rm -rf /usr/local/share/hplip/data/firmware
> rm -rf /usr/local/share/hplip/data/plugins
> rm -rf /usr/local/share/hplip/fax/plugins
> rm -rf /usr/local/share/hplip/prnt/plugins
> rm -rf /usr/local/share/hplip/scan/plugins
> rm -f /usr/local/share/hplip/plugin.spec
> 
> This would make these commands very simple to run.
> 
> Chris Bennett
> 

the magic of unix; you can work around this with some sed.

# pkg_delete -X 2>&1 | tee you_should
# sed -n 's/^You should also run //p' you_should >also_run
# cat also_run #to verify
# ksh ./also_run

alternately, as non-root

$ doas pkg_delete -X 2>&1 | tee you_should
$ sed -n 's/^You should also run /doas /p' you_should >also_run
$ cat also_run
$ ksh ./also_run

the above would allow doas to log each command.

you could also make this into a script

pkg_scrub:
#!/bin/ksh
# scratch files; TMPDIR may be unset, so fall back to /tmp
raw=${TMPDIR:-/tmp}/$$.you_should
cooked=${TMPDIR:-/tmp}/$$.also_run

if [[ "$1" = all ]];then
  doas pkg_delete -X 2>&1 | tee $raw
else
  doas pkg_delete "$@" 2>&1 | tee $raw
fi
# keep only the "You should also run ..." lines, prefixed with doas
sed -n 's/^You should also run /doas /p' $raw >$cooked
rm -f $raw
if [ ! -s $cooked ];then
  rm -f $cooked
  exit 0
fi
cat $cooked
# ksh read with a prompt: the text after '?' is shown before reading
read run?"run these commands? [type 'Yes' to confirm] "
if [[ "$run" = Yes ]];then
  ksh $cooked
  rm -f $cooked
else
  echo "not running commands, saved in $cooked"
fi


i didn't properly test this, but you would use this like
$ pkg_scrub all
or
$ pkg_scrub pkg1 pkg2 ...



Re: how to mount encription volume

2016-03-12 Thread dan mclaughlin
On Sat, 12 Mar 2016 12:19:59 + freeu...@ruggedinbox.com wrote:
> hi, I use the bioctl encryption on boot volume.
> 
> example A:
> fdisk -iy sd0
> echo -n "a a\n64\n\nRAID\np\nw\nq\n\n" |disklabel -E sd0
> bioctl -c C -l /dev/sd0a softraid0
> 
> then, OpenBSD detect sd1 and I install the OpenBSD on sd1a.
> It's OK. X and any process are running on these drive[call A:].
> 
> 
> I have a problem. I tried to mount this drive[A:] on another OpenBSD machine.
> (the other OpenBSD machine uses drive wd0a[call B:])
> 
> but, I can't mount the encryption volume[A:].
> 
> example B:
> vnconfig -ck vnd0 /dev/sd0a
> Encryption key:[any words]
> vnconfig -l
> vnd0: covering /dev/sd0a on wd0a, inode [any number]
> mount /dev/vnd0a /mnt
> mount_ffs: /dev/vnd0a on /mnt: Device not configured
> 
> any ideas?
> 

softraid and vnconfig are completely separate systems. if you want to mount
the softraid, you need to use the bioctl command you used above (it's not
just for creation, it also configures it). check out bioctl(8) (check under
EXAMPLES), and the archives at https://marc.info/?l=openbsd-misc&r=1&w=2
(search "softraid crypto").



Re: some problems with disks

2016-03-07 Thread dan mclaughlin
On Tue, 8 Mar 2016 00:20:08 +0100 arrowscr...@mail.com wrote:
> I'm having some problems with disks. Probably because I still don't
> understand enough of how BSD manages them:
> 
> 1. I was going to install -current on a USB flash drive. I did the
> install media using install59.fs and booted. I escaped from the installer to
> a shell because I wanted to wipe the drive using dd(1) and to create a
> RAID partition (for FDE). I could not find the disk on /dev/, however.
> The system printed on screen that the disk is located at "sd5"
> ("dmesg | grep sd" confirms this), but I could not find it using "disklabel
> /dev/sd5". The only interfaces there were sd0 and wd0, neither was my disk.
> How can I find it? The ./install script can find sd5 normally, but I
> can't find it manually.

# (cd /dev && ./MAKEDEV sd5)

> 
> 2. I gave up on the FDE idea temporarily and I just did the install
> normally. No problem to install, but the speed of the system was too
> slow... to the point that it was basically unusable (>4 hours to install
> 10 packages and ~4 minutes to startx).
> The device, a USB flash drive, has about 10MB/s write speed. It's kinda
> slow, but I don't think this was the cause of the slowness. I checked
> the signature of the snapshot and the installed sets had no problem with
> SHA256 either, so it's not a problem with a corrupted snapshot.
> 

one quick way to check if it is the drive itself is to use dd:

# dd if=/dev/zero of=/mnt/testfile bs=1M count=20

but if the install was not slow that is unlikely to be the problem.



elite smtpd control

2016-02-17 Thread dan mclaughlin
i caught this in a process listing, and did a double take.

$ ps ax|grep control
31337 ??  I   0:00.09 smtpd: control (smtpd)
$ ps auxw|grep control
_smtpd   31337  0.0  0.0  1592 4 ??  I 21Jan16 0:00.09 smtpd: control (smtpd)

i thought it was interesting enough to share given the improbability, and
relation to openbsd. i know processes are going to have this pid often
enough, but many of those processes don't stick around that long, and fewer
form a sentence fragment.



Re: piping stderr to tee log (so I can have my log and watch it, too)

2016-01-19 Thread dan mclaughlin
On Mon, 18 Jan 2016 10:09:14 +0900 Joel Rees  wrote:
> Trying to put some scripts together so I can set an update going one
> night, check it in the morning, reboot, and finish the update while
> I'm at work.
> 
> So I want to do something like
> 
>cd /usr/src && cvs -d$CVSROOT up -Pd | tee /var/log/build/cvssrc.log
>cd /usr/xenocara && cvs -d$CVSROOT up -Pd | tee
> /var/log/build/cvsxenocara.log
>cd /usr/ports && cvs -d$CVSROOT up -Pd | tee /var/log/build/cvsports.log
>cd /usr/src/sys/arch/`machine`/conf && config GENERIC.MP && \
>cd ../compile/GENERIC.MP && make clean && make && \
>make install | tee /var/log/build/buildsys.log 2>&1
>...

i've been down this road, and there are a few problems with this. you don't
check to see if the commands fail before you move on, so if cvs fails, it
will continue with the next cvs or make, etc.

when you pipe something, the error code will come from the last command in
the pipe, which would be tee, so you can't test the error code directly.
one way around this, which is what i do for commands that fail, is to have
some functions:

make_failed() {
  [ $# -ge 1 ] || return 1
  [ ${#1} -gt 0 ] || return 1
  tail -1 "$1" | grep -q "\*\*\* Error "
}
cvs_failed() {
  [ $# -ge 1 ] || return 1
  [ ${#1} -gt 0 ] || return 1
  tail -1 "$1" | grep -q "\[update aborted\]"
}

which will return true if the last line has an error (since a function
returns the error code of the last program executed, and grep here fails
or not depending on the presence of the error string.)

i use it like this:

make 2>&1 | tee $_logfile_build
make_failed $_logfile_build && errx "make failed"

or using your example:

cd /usr/src && cvs -d$CVSROOT up -Pd 2>&1 | tee /var/log/build/cvssrc.log
cvs_failed /var/log/build/cvssrc.log && errx "cvs src failed"

where errx is another function of mine:

err() { echo "$0: ERR $*" >&2; }
errx() { echo "$0: ERR $*" >&2; exit 1; }

i have an include file with basic functions i use in many of my scripts like
this, at the head of the script i have a line:

. ~/.func


a few more notes on the shell. you can do something like

if ! make;then
  err "make failed"
fi 2>&1 | tee logfile

which will send all output from the 'if' statement to tee, much like the
{ cmd1; cmd2; } examples you were given earlier. one issue with this is
that when you pipe it like this, it spawns a subshell, so nothing in the
if statement goes outside. an 'exit' will only exit the 'if' statement (or
'while', 'for', etc) and not the program, so my 'errx' function above does
not exit the whole script, only the subshell.

the same holds true for '(cmd)' statements, which start a subshell, which
is why you can do (cd /usr/src && ls) and it returns to its original directory
afterwards, since the 'cd' only changes the subshell's working directory.

you also can't set variables in '(cmd)' or in anything in a pipeline (like
that 'if'), and have them carry over to the rest of the script. you CAN
however set variables in '{ cmd; }' statements.

a good place to learn some interesting shell techniques is in things like
the /etc/rc* scripts and the install scripts in /usr/src/distrib/miniroot/.
sometimes you learn the hard way though through experimentation and failure
(even if you RTFM sometimes the meaning only becomes clear after you
experience it.)
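The log-check functions and the pipeline/subshell behaviour described in this post, as an added runnable example (not code from the original message). The run_logged helper, which keeps a command's own exit status across tee by writing it to a temp file, is an assumed extra technique not in the post, and the log lines are constructed.

```shell
# Constructed demonstration of the log-check functions and of keeping a
# command's own exit status when its output goes through tee.

# True when the last line of log $1 is a make(1) failure line.
make_failed() {
  [ $# -ge 1 ] && [ -n "$1" ] || return 1
  tail -n 1 "$1" | grep -q '\*\*\* Error '
}

# True when the last line of log $1 is a cvs(1) "[update aborted]" line.
cvs_failed() {
  [ $# -ge 1 ] && [ -n "$1" ] || return 1
  tail -n 1 "$1" | grep -q '\[update aborted\]'
}

# run_logged LOG CMD [ARGS...]: run CMD, copy its stdout+stderr to LOG via
# tee, and return CMD's exit status instead of tee's. The status is carried
# out of the pipeline's subshell through a temp file (assumed helper, not
# from the post).
run_logged() {
  _log=$1; shift
  _st=$(mktemp) || return 1
  { "$@" 2>&1 && echo 0 >"$_st" || echo $? >"$_st"; } | tee "$_log"
  _rc=$(cat "$_st")
  rm -f "$_st"
  return "${_rc:-1}"
}

# Plain pipe: $? is tee's status (0), so the failure of 'false' is invisible.
status_through_pipe() { false | tee /dev/null; }

# With run_logged the status of 'false' (1) survives the pipe.
status_with_run_logged() { run_logged /dev/null false; }

# A variable set inside a pipeline stays in that subshell...
var_set_in_pipeline() { n=old; { n=new; } | cat; [ "$n" = old ]; }
# ...but a plain { ...; } group runs in the current shell, so it persists.
var_set_in_braces() { n=old; { n=new; }; [ "$n" = new ]; }

# Write constructed make and cvs logs and run the checks against them.
demo_make_failed() {
  _l=$(mktemp) || return 1
  printf 'cc -O2 -c foo.c\n*** Error 1 in /usr/src/bin/foo (Makefile:12)\n' >"$_l"
  make_failed "$_l"; _r=$?
  rm -f "$_l"; return $_r
}
demo_cvs_failed() {
  _l=$(mktemp) || return 1
  printf 'cvs update: cannot open directory\ncvs [update aborted]: ...\n' >"$_l"
  cvs_failed "$_l"; _r=$?
  rm -f "$_l"; return $_r
}
demo_clean_log() {
  _l=$(mktemp) || return 1
  printf 'cc -O2 -c foo.c\ncc -o foo foo.o\n' >"$_l"
  make_failed "$_l"; _r=$?
  rm -f "$_l"; return $_r
}

if status_through_pipe; then echo "plain pipe: 'false | tee' reports status 0"; fi
status_with_run_logged; echo "run_logged: status $? of 'false' preserved"
demo_make_failed && echo "make_failed: error detected in constructed log"
```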



Re: tsort: pledge: invalid agument (building -current)

2016-01-09 Thread dan mclaughlin
i ran into this myself the other day. you already got good advice, so i will
just make one comment.

On Sat, 9 Jan 2016 18:54:22 +0900 Joel Rees  wrote:
> Do I need to backup my data, wipe the OS, and re-install from a snapshot 
> kernel?
> 

it's unlikely you will ever have to nuke the system. upgrading from snapshots
should always work.



Re: the location of openbsd.pbr

2015-12-31 Thread dan mclaughlin
On Wed, 30 Dec 2015 22:50:08 -0700 "Jack J. Woehr"  wrote:
> Brian McCafferty wrote:
> > Are you referring to the file you need to create for dual booting with the 
> > windows ntldr? Check the FAQ: 
> > http://www.openbsd.org/faq/obsd-faq.txt 
> 
> Just out of curiosity, I dd'ed that sector and it didn't end in AA55. Did I
> get something wrong? I'm doing full-disk encryption so I'm not sure how
> grabbing the "real" boot sector works in that circumstance.
> 
> -- 
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl 
> Sagan
> 

even with FDE, in order to boot at all it needs "plaintext" instructions.
the bios loads the boot sector to run. the boot sector on my disk (wd0) which
contains my softraid partition ends in the proper 0xaa55. as far as i am
aware the bios will not load a boot sector that doesn't end with 0xaa55.
did you dd the 'c' partition on the underlying disk (not the softraid disk)?



Re: owncloud and php5-libsmbclient / occ

2015-12-29 Thread dan mclaughlin
On Tue, 29 Dec 2015 20:43:49 -0500 Johan Huldtgren wrote:
> > Also, if one would like to use occ utility from CLI, considering that the
> > whole owncloud runs chrooted under /var/www/ and that occ therefore looks
> > for /owncloud/apps folder (which is obviously /var/www/owncloud/apps) and
> > that www user is a nologin one, trying to run the following command:
> >
> > # doas -u www /var/www/owncloud/occ
> >
> > provides the following result:
> >
> > PHP Notice:  Undefined index: SERVER_PROTOCOL in
> > /var/www/owncloud/lib/private/response.php on line 77
> > App directory "/owncloud/apps" not found! Please put the ownCloud apps
> > folder in the ownCloud folder or the folder above. You can also configure
> > the location in the config.php file.
> >
> > How can occ then be run?
> 
> I solved this by temporarily symlinking the directory it asked for
> to the root, which let me run occ, and then I removed the symlink.
> I'm sure there is a better solution, but I needed something which
> worked quickly. so something like this:
> 
> ln -s /var/www/owncloud/apps /owncloud/apps
> doas -u www /usr/local/bin/php-5.6 /var/www/owncloud/occ
> 
> .jh
> 

how about:

$ doas chroot -u www /var/www /owncloud/occ

which should run /owncloud/occ after entering the chroot fs.



Re: TCL in a chroot

2015-12-28 Thread dan mclaughlin
On Mon, 28 Dec 2015 19:53:47 -0500 Paul Pereira  wrote:
> Has anyone had luck running tcl within a chroot? I have the required
> libraries reported by ldd in place, but the interpreter cannot find
> them.
> 
> # chroot /var/www /usr/local/bin/tclsh8.5
> /usr/local/bin/tclsh8.5: can't load library 'libtcl85.so.1.7'
> 
> # ldd `which tclsh8.5`
> /usr/local/bin/tclsh8.5:
> Start    End      Type Open Ref GrpRef Name
> 1a646000 3a64a000 exe  1    0   0      /usr/local/bin/tclsh8.5
> 0c0e6000 2c105000 rlib 0    1   0      /usr/local/lib/libtcl85.so.1.7
> 0a26d000 2a276000 rlib 0    2   0      /usr/lib/libm.so.9.0
> 0ce86000 2cea4000 rlib 0    1   0      /usr/lib/libc.so.80.1
> 02688000 02688000 rtld 0    1   0      /usr/libexec/ld.so
> 
> # ls /var/www/usr/local/lib/libtcl85.so.1.7
> /var/www/usr/local/lib/libtcl85.so.1.7
> 
> Regards,
> Paul
> 

have you run ldconfig?

i do the following to set up my chroots (_jailroot=/var/www in your case)

sudo mkdir $_jailroot/{sbin,usr/libexec}
sudo cp -p /sbin/ldconfig $_jailroot/sbin
sudo cp -p /usr/libexec/ld.so $_jailroot/usr/libexec
sudo chroot $_jailroot ldconfig /usr/{,X11R6,local}/lib

that should create /var/www/var/run/ld.so.hints which aids the linker in
locating the shared libs.



Re: DESTDIR chroot for Mailman from ports

2015-12-27 Thread dan mclaughlin
On Sun, 27 Dec 2015 11:22:56 + (UTC) Juuso Lapinlampi wrote:
> I'm having a bit of hard time installing Mailman from ports to an
> alternative `DESTDIR` chroot on OpenBSD 5.8 -stable, GENERIC.MP amd64. I
> have a working Mailman setup in a non-chroot environment and I'm trying
> to move it to a chroot. I've partially succeeded in doing so, but it
> seems `DESTDIR` is not working on this port.
> 
> For those not yet aware, Mailman is a mailing list software written in
> Python that interacts with CGI to provide a web interface for mail
> archives and control panel.
> 
> By default, Mailman packages will install to `/usr/local/lib/mailman/`.
> For this to work with Mailman's web interface, both OpenBSD httpd(8) and
> slowcgi(8) must be chrooted to `/` to be able to access Mailman's needed
> files. For obvious reasons, running slowcgi with `-p /` is not
> recommended from security perspective and is actively discouraged by
> OpenBSD developers.
> 
> Ideally, Mailman should be installed to a chroot at `/var/www`
> (`/var/www/usr/local/lib/mailman/`). This is what I'm looking for.
> Because the packages for Mailman don't do this by default, I am trying
> to use the ports to customize the DESTDIR.
> 
> It seems this port doesn't play very well with `DESTDIR` however. I've
> tried at least
> 
> cd /usr/ports/mail/mailman/
> make
> DESTDIR="/var/www" make install
> 
> among other similar things (e.g. using `env DESTDIR="/var/www"`), but it
> seems Mailman will be installed to `DESTDIR=/` (that is,
> `/usr/local/lib/mailman/`).
> 
> The Makefile itself has this comment:
> 
> # gnu still breaks the pathes as prefix is actually mailman's home
> CONFIGURE_STYLE=simple
> 
> This might be the blocker, but I am not sure what to do with it. Maybe
> any of porters have a better idea.
> 
> Right now I also tried creating a package and installing it with
> `pkg_add(1)` to work around the issue:
> 
> cd /usr/ports/mail/mailman/
> make
> make uninstall package clean
> pkg_add -B /var/www /usr/ports/packages/amd64/all/mailman-2.1.20.tgz

if i am reading you right, you probably only need that last pkg_add.
i regularly use chroot for a number of packages (and their complex
dependencies), and the packages are the normally compiled versions.
the line from my scripts which is pretty much identical, is:

$ env PKG_DBDIR=$_dbdir pkg_add -B $_jaildir $_pkg

except i use PKG_DBDIR for an alternative to /var/db/pkg.

but your pkg_add should install to '/var/www/usr/local/lib/mailman/'.
and within the the chroot it will see it as /usr/local/lib/mailman so
there shouldn't be a problem unless mailman doesn't play nice in a chroot
(there are a number of packages that don't).

my notes on using chroot here may be useful:
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

> 
> and this seems to be a success, assuming the dependencies are okay and
> also in the chroot (they're not, yet). Now my problem is getting
> `DESTDIR` for the dependencies. I'm not also sure if using `pkg_add(1)`
> like this is a great idea.

i think you are looking in the wrong direction with DESTDIR. i have never
found modifying ports/packages necessary.

> 
> The closest advice I found for installing Mailman to an OpenBSD chroot
> was a `mailman-users` mailing list post from 2008.[1] However, this
> advice is quite dated and relies too much on copying Mailman manually
> and building Mailman from source instead of ports. Not what I'm looking
> for.
> 
> It seems `/ports/mail/mailman/` hasn't changed in `-current` tree or in
> the past 8 months, so I could probably reproduce my issue there but I've
> not yet tested so.
> 
> I could move or copy Mailman and all of its dependencies manually under
> `/var/www` chroot, but this doesn't seem to be a good idea from
> maintenance perspective.
> 
> Can I do something to build Mailman and its dependencies with
> `DESTDIR=/var/www` for easier maintenance?
> 
> [1]: https://mail.python.org/pipermail/mailman-users/2008-April/061331.html
> 

for maintenance, just do the reverse, and 'pkg_delete -B /var/www ...' or
if you use PKG_DBDIR=/var/www/pkgdb (or something similar) you can just
delete the packages and the pkg database manually, and install the new
versions.



Re: if I were to make a pkg-add diff

2015-12-25 Thread dan mclaughlin
On Fri, 25 Dec 2015 16:09:27 -0600 Luke Small  wrote:
> I suppose folks could opt for the more stable yet higher latency
> official mirrors even if they aren't local to canada and they would
> never be surprised. It may not be too much trouble for me to implement
> a mere stdout statement in the perl pkg-add to advise the user to
> update PKG-PATH to randomly offer one of the official mirrors as the
> PKG-PATH (as an easy to implement fix) and steer the user to install a
> web-browser to discover the current list of http/ftp package mirrors
> if Firefox or lynx exists on the system; since they don't by default.
> It wouldn't be too dissimilar to the kind of messages delivered by
> pkg-add itself to rm folder contents at the end of a run.

talk is cheap. if you see a problem, show a fix instead of talking about it.
(i am really starting to feel for the devs. this gets wearying.)

so lynx is gone, but you don't need to install a web browser. ftp(1) is in
base and functions quite well. you want the mirrors?

ftp -o - http://www.openbsd.org/ftp.html | more

will display the html source of the page, which is pretty easy to read even
unrendered.

if you wanted to format it better, you could do:

ftp -o - http://www.openbsd.org/ftp.html | \
sed -n \
-e 's:$::' \
-e 's:  \([^<]*\)<.*:\1 :p' \
-e 's:^\(   [hfr].*\):\1:p'

(all whitespace in the above sed are single tabs, copy & paste will not work)

will display them all (http,ftp,rsync) as below:

Australia (Adelaide)
http://mirror.internode.on.net/pub/OpenBSD/
Australia (Brisbane)
http://mirror.aarnet.edu.au/pub/OpenBSD/
Australia (Perth)
http://ftp.iinet.net.au/pub/OpenBSD/
...


if you want to test a mirror, just use ftp's return value as below:

ftp -VM -o /dev/null $MIRROR && echo "$MIRROR" >>good-mirrors

or if you had a list of possible mirrors (in file 'mirrors'):

for MIRROR in $(< mirrors); do
  ftp -VM -o /dev/null $MIRROR && echo "$MIRROR"
done >good-mirrors

whenever i want something to work the way i want, i just script around it.
the beauty of unix.

> 
> On 12/25/15, Luke Small  wrote:
> > I suspect that if you did, it wouldn't check whether there was an
> > astronaut ready to control the on-board computer and would sit there
> > continuously trying to rev the rocket engines with no jet fuel. That
> > is the way pkg-add acts right now. I felt pretty ridiculous wondering
> > why pkg-add wasn't working only to figure out I was working with a
> > mirror that was no longer active this week.
> >
> > On 12/24/15, Theo de Raadt  wrote:
> >>>I wanna make a c program that checks for a PKG_PATH that exists and
> >>>connects to a workable link for pkg_add().
> >>
> >> and I wanna build a rocket ship...
> >>
> >
> >
> > --
> > -Luke
> >
> 
> 
> -- 
> -Luke



Re: utilities in bsd.rd

2015-12-21 Thread dan mclaughlin
On Mon, 21 Dec 2015 20:45:15 + "AHLSENGIRARD, EDWARD F CTR USAF AFMC AFNWC/NDBD" wrote:
> By any chance is there a handy list of the utilities compiled into bsd.rd
> (release or recent snap)?
> 
> 
> --
> Edward Ahlsen-Girard
> 

it may not be exhaustive but the kernel is compiled from /usr/src/distrib and:

$ ls /usr/src/distrib/special/
CVS          dhclient     grep         mkdir        mv           route
Makefile     disklabel    gzip         mknod        newfs        sed
Makefile.inc dmesg        hostname     mkuboot      newfs_ext2fs signify
arch         ed           ifconfig     more         newfs_msdos  sleep
bioctl       eeprom       init         mount        pax          stty
cat          encrypt      installboot  mount_cd9660 pdisk        sync
chmod        fdisk        kbd          mount_ext2fs ping         sysctl
chroot       fsck         ksh          mount_ffs    ping6        umount
cp           fsck_ext2fs  libstubs     mount_msdos  pwd_mkdb     ztsscale
date         fsck_ffs     ln           mount_nfs    reboot
dd           fsck_msdos   ls           mount_udf    restore
df           ftp          md5          mt           rm


you can also use the process in
https://marc.info/?l=openbsd-misc&m=141552533922277&w=2

which will allow you to look at the filesystem of the kernel itself.



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-12-05 Thread dan mclaughlin
On Mon, 30 Nov 2015 23:30:49 +0100 Lampshade  wrote:
> Thanks for answers.
> @dan mclaughlin. But how to prevent attacker going out of chroot?

as far as i am aware only root can break out of a chroot. as long as nothing
runs as root, and there are no suid root this shouldn't be a problem.

> Do you think that this is possible to prevent this using pledge(2)?

pledge may not be the best tool. see
https://marc.info/?l=openbsd-ports&m=144822758614817&w=2

there is systrace(1) which does something similar.

> 
> Thanks for links. Especially Jonathan's "Re: making firefox less
> insecure"
> mail dated 2014-11-23 is worth reading for me. I wonder if
> pledge(2), in theory, can be used to extend his program.
> 

see the above url re pledge.



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-11-29 Thread dan mclaughlin
On Sun, 29 Nov 2015 07:08:57 -0700 "Anthony J. Bentley" wrote:
> Lampshade writes:
> > Is it possible, in theory, to use pledge(2) to make something similar to
> > firejail?
> > https://packages.debian.org/sid/main/firejail
> > Firejail is a Gnu/Linux's program which executes Firefox as its descendant
> > with reduced privileges.
> > For example I would like to restrict Firefox to not write and read to
> > directory outside /home/firefox directory. Let's assume that I run firefox
> > as another user than my normal account. I would restrict, using traditional
> > Unix privileges, Firefox and all its descendants, logging as another user to
> > regain privileges to for example to /home/open. I imagine that would still
> > leave huge attack vector to pown system and/or sniff password, but I think
> > it is better than nothing.
> 
> After the recent Firefox pdf.js exploit (where malicious PDFs on an ad
> server were reading files under ~, including ssh keys), I started
> running Firefox as its own user, and tightened the permissions on my
> home directory so Firefox can't access it.
> 
> There's a large class of attacks this doesn't help against (anything
> that uses X to access keystrokes or similar) but it stops a large set of
> potential Firefox exploits right away with nothing but Unix filesystem
> permissions.
> 
> http://lists.dragonflybsd.org/pipermail/users/2015-August/228324.html
> 
> -- 
> Anthony J. Bentley
> 

you can mitigate those X attacks using 'ssh -X'. i detailed a number of
mitigations here in 'isolating untrusted programs in ssh chroot jails'
(https://marc.info/?l=openbsd-misc&m=142676615612510&w=2).

it has been reported that those methods work for firefox as well.

if going the route of chroot itself is too extreme, you would still profit
from some of the other information in that post ie X11 Security Extensions,
Xephyr.

for pdfs, i have a chroot under a user who is denied access to the net
via pf. i find it a good idea to only allow specific users access, eg:

pass out log quick on $intif proto tcp user { browse, 1000, pfetch }
pass out log quick on $intif proto udp user { browse, 1000, pfetch }

even root is denied net access with the above.



Re: Mount ISO as read write

2015-10-28 Thread dan mclaughlin
On Wed, 28 Oct 2015 07:45:05 + (UTC) Mik J  wrote:
> Hello everyone,
> I asked this question on another list a long time ago.
> * I would like to mount an iso in order to add some files
> # ls -l /mnt
> drwxr-xr-x   2 root  wheel 512 May  3 15:31 iso
> # vnconfig svnd0 Image.iso
> # mount_cd9660 -o rw /dev/svnd0c /mnt/iso
> After the mount, it's read only
> # ls -l /mnt
> dr-xr-xr-x   1 root  wheel 512 May  3 15:31 iso
> The person who replied told me it was normal, cd9660 are always mounted as
> read only and suggested that I have to remake the iso
> * If that is correct, I would like to know how would I be able to remake
> this iso, and particularly keeping the boot options.
> When I want to make an OpenBSD iso I use -b i386/floppy58c.fs -c boot.catalog
> I would like to know how can I find which -b and -c options have been used by
> the person who made the iso in order to use it when I want to rebuild this iso
> Thanks
> 

you must be using a pretty old version of OpenBSD if you are using svnd0 (it is
just vnd0 now).

i don't know of a way to mount an iso9660 filesystem r/w either (makes sense
as it is for read-only media), but you can mount the iso image as you did
above, and then copy it into a new directory.

# mkdir newiso
# (cd /mnt/iso && tar cf - *) | tar xpf - -C newiso

now you can modify the version in the newiso directory.

i don't know how to get the parameters used on any random image, but the
command used to create the install cd image is:

mkhybrid -a -R -T -L -l -d -D -N -o /usr/src/distrib/i386/cdfs/obj/cd58.iso -v -v \
  -A "OpenBSD 5.8 i386 bootonly CD" \
  -P "Copyright (c) `date +%Y` Theo de Raadt, The OpenBSD project" \
  -p "Theo de Raadt " -V "OpenBSD/i3865.8 boot-only CD" \
  -b 5.8/i386/cdbr -c 5.8/i386/boot.catalog /usr/src/distrib/i386/cdfs/obj/cd-dir

but i don't think it matters much which -b and -c options were used
originally. when you recreate the image you have to redo that anyway.

i'm not sure of your use of -b for a cd however. according to mkhybrid(8):

  This will work, for example, if the boot image is a LILO-based boot floppy.

but i've never tried that. i use cdbr as in the example above (which is from
the release(8) process, used to make the official releases). you can find cdbr
as /usr/mdec/cdbr, and can copy it to the newiso dir if you don't already have
a copy there.



Re: doas and home directory of target user

2015-09-25 Thread dan mclaughlin
On Fri, 25 Sep 2015 02:09:40 +0900 Joel Rees  wrote:
> At any rate, I have convinced myself that doas follows the manual page
> in preserving the calling user's key environment variables, including
> HOME and USER.
> 
> I had not grasped that this was considered desired behavior, so did
> not initially read it that way. I still think the man page is a little
> confusing, but do not at the moment have any suggestions for
> clarifying things. (Now I'm not sure what doas is for, other than for
> running build scripts more safely, which I think it will be much more
> reliable at than sudo.)
> 
> For the purpose below (allowing running firefox as a non-login user),
> I've installed sudo, and note that sudo -s now passes quoted strings
> as if the string itself were the command, such that scripts that were
> 
> sudo -H -u user2 -s "cd; command"
> 
> must now explicitly say sh -c, as
> 
> sudo -H -u user2 sh -c "cd; command"
> 
> For the larger purpose, providing a reliable sandbox, I'm going to see
> whether chroot would allow me to use a non-login user as proxy user
> for the stupid (pardon my French) bloated web browsers.

i had a thread 'isolating untrusted programs in ssh chroot jails'
(https://marc.info/?l=openbsd-misc&m=142676615612510&w=2) that covers
this in detail.

David Coppa reported that it was possible to do for firefox.

you need a user with a shell for this to work however, but you can disable
password authentication. from passwd(5):

  Similarly, login accounts not allowing password authentication but
  allowing other authentication methods, for example public key
  authentication, conventionally have 13 asterisks in the password field.

so you can ensure that a local key is necessary to log in. and you can
ensure that it only runs firefox with the ForceCommand directive (it's
all in that thread, and more in the linked threads).

> 
> On Wed, Sep 23, 2015 at 8:29 AM, Joel Rees  wrote:
> > Thank you, Dan, Ben, and Frank. I see that I have left out some
> > important information:
> >
> > user2 is specified as a non-login class of user in /etc/login.conf,
> > auth=reject: shell=/sbin/nologin, and has a default shell of
> > /sbin/nologin in /etc/passwd .
> >
> > On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees  wrote:
> >> I have this rule in doas.conf:
> >>
> >> permit nopass user1 as user2
> >>
> >> As user1, I try this at the command line:
> >>
> >> doas -u user2 whoami
> >>
> >> and it tells me I am user2, as I expect. And
> >>
> >>doas -u user2 ls
> >>
> >> tells me I don't have permission. I kind of expect this.
> >>
> >> I'm looking for a way to do the equivalent of
> >>
> >> sudo -u user2 -s "cd; ls"
> >>
> >> I don't see a way to do this with doas, at least not without a short
> >> intermediary script, which script is not going to be able to do cd ~/.
> >>
> >> Should I assume that doas is not intended to do this sort of thing?
> >
> > With this intermediary script:
> >
> > #! /bin/sh
> > export USER=user2
> > . /etc/ksh.kshrc
> > printenv
> > ls
> >
> > I get
> >
> > MAIL=/var/mail/user1
> > LOGNAME=user1
> > HOME=/home/classU/user1
> > 
> > PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
> > DISPLAY=:0.0
> > TERM=xterm
> > USER=user2
> > ls: .: Permission denied
> >
> > Which, I guess, does surprise me.
> >
> >> (And therefore [I should] do things "right" by setting up ssh with 
> >> public-key
> >> authentication to do the user switch?)
> >
> > Which would also require enabling login for user2. (I tried this
> > without thinking yesterday.)
> >
> >> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> >> )
> >
> > Would this also require enabling login?
> >
> > --
> > Joel Rees
> >
> > Be careful when you look at conspiracy.
> > Arm yourself with knowledge of yourself, as well:
> > http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
> 
> 
> 
> -- 
> Joel Rees
> 
> Be careful when you look at conspiracy.
> Arm yourself with knowledge of yourself, as well:
> http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html



Re: doas and home directory of target user

2015-09-22 Thread dan mclaughlin
On Tue, 22 Sep 2015 17:41:57 +0900 Joel Rees  wrote:
> I have this rule in doas.conf:
> 
> permit nopass user1 as user2
> 
> As user1, I try this at the command line:
> 
> doas -u user2 whoami
> 
> and it tells me I am user2, as I expect. And
> 
>doas -u user2 ls
> 
> tells me I don't have permission. I kind of expect this.
> 
> I'm looking for a way to do the equivalent of
> 
> sudo -u user2 -s "cd; ls"
> 
> I don't see a way to do this with doas, at least not without a short
> intermediary script, which script is not going to be able to do cd ~/.
> 
> Should I assume that doas is not intended to do this sort of thing?
> 
> (And therefore do things "right" by setting up ssh with public-key
> authentication to do the user switch?)
> 
> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> )
> 
> Joel Rees
> 
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.
> 

if you are just trying to run multiple commands, you can do it under a
shell eg

$ doas -u user2 ksh -c "cd; ls"

although it may be better to do

$ doas -u user2 ksh -c "cd && ls"

so that you know it successfully changed dir.

if you are trying to 'cd' to user2's home, that's slightly more tricky,
since $HOME is maintained from the parent shell. there doesn't seem to
be a simple way to get a login shell, but there is a way using su.

in /etc/doas.conf

  permit nopass user1 as root cmd su args -l user2

and you can run:
  
  $ doas su -l user2

but that doesn't seem to let you run commands.


although, if you just want to log in user2, you can use ssh (you don't
need chroot necessarily). you can just set up
/home/user2/.ssh/authorized_keys and do:

$ ssh user2@localhost

and you can run a command that way with no problem, and it's simpler:

$ ssh user2@localhost ls

if you are using firefox this would be better since you have -X (X11
security restrictions.)

$ ssh -X user2@localhost firefox

if you do want to go down that route though see this:
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

you needn't go all the way, but the info is still good re ssh.


if you just want to run the command as the user as if they were logged
in, ssh is probably your best bet:

$ ssh user2@localhost ksh -c "cd; ls"

according to sudo(8) your original "cd; ls" would be passed to the
shell just as above. so basically that last command is the equivalent 
to your 'sudo -u user2 -s "cd; ls"'.



Re: securing web browser

2015-08-14 Thread dan mclaughlin
On Fri, 14 Aug 2015 16:45:52 + Frank White  wrote:
> Hi, does anyone have some advice to make a browser like firefox more secure?
> chroot + systrace ?
> 
> 
> 
> Thank you.
> 

apparently it's been done. David Coppa reported that he succeeded chrooting
firefox here: https://marc.info/?l=openbsd-tech&m=143645383725835&w=2.

i think he was following this ('isolating untrusted programs in ssh chroot
jails'): https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 which
details chrooting. that post also links to J. Thornburg's earlier work
securing firefox.



Re: Any way to tell what the last cvs module checked before a broken pipe was?

2015-08-03 Thread dan mclaughlin
On Mon, 3 Aug 2015 21:17:12 +0900 Joel Rees  wrote:
> I try a cvs update on xenocara and it just sits there for over an hour
> and then tells me I have a broken pipe.
> 
> cvs log seems to yield the same behavior, which I might interpret as
> re-assuring, or I might wonder whether the same network problems are
> tarpitting the log command.
> 
> cvs -t just gives me screensfull of "Sending [various configure,
> makefile, aclocal]", which doesn't tell me a lot.
> 
> Anyway (short of looking at every module on cvsweb to prove to myself
> that there really wasn't anything to update in stable xenocara since
> June 13th) to check that I got through all the modules?
> 
> -- 
> Joel Rees
> 
> Be careful when you look at conspiracy.
> Arm yourself with knowledge of yourself, as well:
> http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
> 

IIRC somebody else had a similar problem some months ago, so you might
want to check the archives. have you tried other cvs sites?

checking the cvs archives (https://marc.info/?l=openbsd-cvs&r=1&w=2) shows
the last commit to xenocara was on July 30.



Re: Rescue /var from a dying 1TB softraid FDE disk

2015-07-15 Thread dan mclaughlin
On Wed, 15 Jul 2015 22:23:43 +0200 Erling Westenvik 
 wrote:
> Hi,
> 
> I've tried to do my homework (man ddrescue, info ddrescue, google) but
> think I might need some OpenBSD spesific advice before embarking on my
> first attempt ever to salvage data from a dying disk.
> 
> Issue:
> 
> I don't have a spare disk that is large enough to make a raw copy/image
> of the original disk, so I'm forced to work directly with the original
> disk. That involves bioctl(8) to unlock the crypto volume and then
> hoping to be able to extract only /var (i.e /var/mysql) into an image
> file or a partition on a safe disk using ddrescue.
> 
> Question:
> 
> ddrescue is said to be able to extract partitions and there are lots of
> examples from Linux world, but for OpenBSD - which descriptor to use?
> /dev/sd1e or the raw descriptor /dev/rsd1e?
> 
> Any advice will be much appreciated. Thanks in advance,
> 
> Erling
> 

i've only used it on the 'c' partition myself, but i did so using the
'r' device. good luck.



Re: cvs files from attic show up in update

2015-07-03 Thread dan mclaughlin
On Fri, 3 Jul 2015 13:37:45 +0200 (CEST) n.reu...@hxgn.net wrote:
> > dan mclaughlin  wrote on 3 July 2015 at 13:18:
> > 
> > 
> > On Fri, 3 Jul 2015 12:34:17 +0200 (CEST) n.reu...@hxgn.net wrote:
> > > > Nigel J Taylor  wrote on 3 July 2015 at 11:39:
> > > > 
> > > > 
> > > > On 07/03/15 09:33, n.reu...@hxgn.net wrote:
> > > > > Dear misc,
> > > > > 
> > > > > i have a script running every night on my openbsd 5.7 -stable box
> > > > > to
> > > > > fetch
> > > > > the latest sources from cvs. If some files changed, it will send a
> > > > > mail.
> > > > > This morning i got the following output from last nights run:
> > > > > 
> > > > > ? gnu/usr.bin/binutils-2.17/gas/testsuite/gas/mmix
> > > > > 
> > > > > Here is the line of code:
> > > > > 
> > > > > # update system sources
> > > > > cd /usr/src
> > > > > /usr/bin/cvs -d ${CVSROOT} -q up -rOPENBSD_5_7 -Pd \
> > > > > | /usr/bin/tee ${LOG}
> > > > > 
> > > > > As far as I understand, the testsuite was imported by mistake and
> > > > > moved
> > > > > to the attic directly after the import approx. 4 years ago:
> > > > > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/gas/.
> > > > > I also don't have the testsuite-folder on my disk.
> > > > > 
> > > > > Now, is this a problem with cvs or somehow "buggy, but expected"
> > > > > behaviour? I have ever seen this message before, and i don't see
> > > > > any
> > > > > activity on binutils in -stable. Or is it safe to filter out line
> > > > > starting
> > > > > with '?' ?
> > > > > 
> > > > > Any insight is greatly appreciated. 
> > > > > 
> > > > > 
> > > > > Thanks and best regards
> > > > > Nils
> > > > > 
> > > > > 
> > > > 
> > > > From man cvs(1)
> > > > ? file    file is in your working directory, but does not correspond
> > > > to
> > > > anything in the source repository, and is not in the list of files
> > > > for
> > > > cvs to ignore (see the description of the -I option).
> > > > 
> > > > 
> > > > $ cd /usr/src/usr.bin/sed
> > > > $ cvs -R -q up -Pd
> > > > $ touch extra
> > > > $ cvs -R -q up -Pd
> > > > ? extra
> > > > $ rm extra
> > > > $ cvs -R -q up -Pd
> > > > $
> > > > 
> > > 
> > > Hi Nigel,
> > > 
> > > thanks for your mail. I should have written my initial mail more
> > > precisely; i knew that unknown files show up with a '?' (like in svn,
> > > git,
> > > ...), but my point was that the file did not exist on my disk before
> > > the
> > > update, appeared out of nowhere during the update (from the attic i
> > > guess)
> > > and disappeared again (without personally touching anything).
> > > 
> > > Nils
> > > 
> > 
> > it does seem it was removed quite a while ago (2011). it may just be a
> > stray
> > bug. what is the result of:
> > 
> > $ ls -ld /usr/src/gnu/usr.bin/binutils-2.17/gas/testsuite/gas/mmix
> > 
> > is it even a directory, and what is the timestamp on it?
> >
> 
> Hi Dan,
> 
> that's the funny part, the directory does not exist:
> 
> $ ls -ld /usr/src/gnu/usr.bin/binutils-2.17/gas/testsuite/gas/mmix
> ls: /usr/src/gnu/usr.bin/binutils-2.17/gas/testsuite/gas/mmix: No such
> file or directory
> $ ls -ld /usr/src/gnu/usr.bin/binutils-2.17/gas/testsuite/
> ls: /usr/src/gnu/usr.bin/binutils-2.17/gas/testsuite/: No such file or
> directory
> $ ls -ld /usr/src/gnu/usr.bin/binutils-2.17/gas
> drwxr-xr-x  6 root  wsrc  2048 Jul  3 10:36
> /usr/src/gnu/usr.bin/binutils-2.17/gas
> 
> Nils
> 

some strange bug then. i'm no expert on cvs, and i know that it does create
directories that it then removes, but usually it shows me the unknown files
BEFORE doing updates. sometimes these don't get fixed because they are hard
to track down. i've had my share of odd bugs in the day. nothing seems to
have gone seriously wrong, so it's mostly good.



Re: cvs files from attic show up in update

2015-07-03 Thread dan mclaughlin
On Fri, 3 Jul 2015 12:34:17 +0200 (CEST) n.reu...@hxgn.net wrote:
> > Nigel J Taylor  wrote on 3 July 2015 at 11:39:
> > 
> > 
> > On 07/03/15 09:33, n.reu...@hxgn.net wrote:
> > > Dear misc,
> > > 
> > > i have a script running every night on my openbsd 5.7 -stable box to
> > > fetch
> > > the latest sources from cvs. If some files changed, it will send a
> > > mail.
> > > This morning i got the following output from last nights run:
> > > 
> > > ? gnu/usr.bin/binutils-2.17/gas/testsuite/gas/mmix
> > > 
> > > Here is the line of code:
> > > 
> > > # update system sources
> > > cd /usr/src
> > > /usr/bin/cvs -d ${CVSROOT} -q up -rOPENBSD_5_7 -Pd \
> > > | /usr/bin/tee ${LOG}
> > > 
> > > As far as I understand, the testsuite was imported by mistake and
> > > moved
> > > to the attic directly after the import approx. 4 years ago:
> > > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/gas/.
> > > I also don't have the testsuite-folder on my disk.
> > > 
> > > Now, is this a problem with cvs or somehow "buggy, but expected"
> > > behaviour? I have ever seen this message before, and i don't see any
> > > activity on binutils in -stable. Or is it safe to filter out line
> > > starting
> > > with '?' ?
> > > 
> > > Any insight is greatly appreciated. 
> > > 
> > > 
> > > Thanks and best regards
> > > Nils
> > > 
> > > 
> > 
> > From man cvs(1)
> > ? file    file is in your working directory, but does not correspond to
> > anything in the source repository, and is not in the list of files for
> > cvs to ignore (see the description of the -I option).
> > 
> > 
> > $ cd /usr/src/usr.bin/sed
> > $ cvs -R -q up -Pd
> > $ touch extra
> > $ cvs -R -q up -Pd
> > ? extra
> > $ rm extra
> > $ cvs -R -q up -Pd
> > $
> > 
> 
> Hi Nigel,
> 
> thanks for your mail. I should have written my initial mail more
> precisely; i knew that unknown files show up with a '?' (like in svn, git,
> ...), but my point was that the file did not exist on my disk before the
> update, appeared out of nowhere during the update (from the attic i guess)
> and disappeared again (without personally touching anything).
> 
> Nils
> 

it does seem it was removed quite a while ago (2011). it may just be a stray
bug. what is the result of:

$ ls -ld /usr/src/gnu/usr.bin/binutils-2.17/gas/testsuite/gas/mmix

is it even a directory, and what is the timestamp on it?



Re: jail_bin_add: script to add binary and libs to chroot

2015-06-08 Thread dan mclaughlin
On Mon, 8 Jun 2015 10:28:53 -0400 Jiri B  wrote:
> On Mon, Jun 08, 2015 at 01:46:17AM -0400, dan mclaughlin wrote:
> > i figure this should be useful to some.
> 
> ... it seems somebody doesn't know jailkit which is
> in ports :)

i try to use base whenever possible. there might still be flaws, but less of
them.

> 
> no idea why did you send it to tech@...
> 
> j.

i thought of sending to misc@, but i wanted to maybe get some opinions of
coders who might see mistakes. though continuing this on misc@ is best now.



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread dan mclaughlin
On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse  wrote:
> On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:
> > On Sun, 31 May 2015 22:20:17 -0500 Okupandolared  wrote:
> > > does not exist,
> > > 
> > > so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
> > > 
> > > that try "ls" and "/bin/ls" and "/var/www/bin/ls"
> > > 
> > > and it does not work,
> > > "/bin/ls" exist
> > > "/var/www/bin/ls" exist
> > > 
> > > thanks
> > > 
> > > On 05/31/15 19:43, Zi Loff wrote:
> > > > On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
> > > >> -BEGIN PGP SIGNED MESSAGE-
> > > >> Hash: SHA256
> > > >>
> > > >> I like received variables POST and send to KSH script.
> > > >>
> > > >> But it seems that in OpenBSD 5.6 and php-fpm.
> > > >>
> > > >> exec() and exec_shell() not working.
> > > >>
> > > >> Could anyone help me?
> > > >>
> > > >> This link explain in detail what I've tried.
> > > >>
> > > >> http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
> > > >>
> > > >> thanks
> > > > 
> > > > If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the
> > > > server's point of view) actually means "/var/www/usr/bin/whoami" (from
> > > > your point of view). Does that file exist?
> > > 
> > 
> > have you tried to copy /bin/sh to /var/www/bin/sh?
>  
> Also, in a chrooted filesystem, every dynamically linked executable needs 
> access
>  to ld.so and its shared libraries.  Which means /var/www/usr/lib and 
> /var/www/usr/libexec will need files populated -- every binary file should be
> checked with ldd(1) to ensure required libraries are made available.
> shared libraries.  Each program should 

that reminds me, i did a write up on chrooting programs here:
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

although it got into more, the basics of setting up a chroot jail are there.

i also have a script that adds a binary and its dependencies automatically.
i'll have to post it later, since i've actually been meaning to recently.
just have to make a few adjustments for portability.
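The binary-plus-dependencies helper Dan refers to here and in the jail_bin_add thread above, written as an added example for this page rather than Dan's script: it parses ldd(1) output in both the OpenBSD table form (last column is the object path) and the Linux "name => /path" form, copies the binary and every listed object to the same path under the jail, and strips setuid/setgid bits on the copies. The function name jail_bin_add, the LDD override and the sample ldd output (made-up addresses and library versions) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the script from the thread: populate a chroot with a
# dynamically linked program and the shared objects ldd(1) reports for it,
# so the jail holds only what the program needs.

# Command used to list dependencies; overridable so it can be stubbed in tests.
LDD=${LDD:-ldd}

# parse_ldd_paths: read ldd output on stdin, print one absolute path per line.
# Handles the OpenBSD table (path is the last column) and Linux lines of the
# form "name => /path (addr)" plus the bare loader line "/lib64/ld-... (addr)".
parse_ldd_paths() {
    awk '
        $1 ~ /:$/ { next }          # "/bin/ls:" line naming the file, skip it
        {
            # the first field that is an absolute path is the object
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) { print $i; break }
        }
    '
}

# jail_bin_add JAIL BINARY: copy BINARY and every object ldd lists into JAIL
# at the same relative path, so ld.so resolves them unchanged once chrooted.
jail_bin_add() {
    jail=$1
    bin=$2
    [ -d "$jail" ] || { echo "jail_bin_add: no such directory: $jail" >&2; return 1; }
    [ -f "$bin" ] && [ -x "$bin" ] ||
        { echo "jail_bin_add: not an executable file: $bin" >&2; return 1; }
    # the binary itself plus its dependencies, deduplicated
    files=$( { echo "$bin"; "$LDD" "$bin" 2>/dev/null | parse_ldd_paths; } | sort -u )
    for f in $files; do
        # ldd may name objects that are not regular files (e.g. vdso); skip them
        [ -f "$f" ] || continue
        dest=$jail$f
        mkdir -p "$(dirname "$dest")" || return 1
        # -p keeps mode and times; symlinks are followed so the jail gets the real object
        cp -p "$f" "$dest" || return 1
        # a setuid/setgid file inside a chroot is a privilege-escalation aid;
        # the jailed program does not need one, so strip those bits on the copy
        chmod u-s,g-s "$dest" || return 1
    done
}

# Constructed sample outputs (made-up addresses and versions) so the parser
# can be exercised without running ldd on the box.
SAMPLE_OPENBSD_LDD='/bin/ls:
	Start            End              Type  Open Ref GrpRef Name
	00000c5a6b600000 00000c5a6b610000 exe   1    0   0      /bin/ls
	00000c5cf1f8f000 00000c5cf1fa0000 rlib  0    1   0      /usr/lib/libutil.so.15.0
	00000c5d2b5b6000 00000c5d2b6b0000 rlib  0    1   0      /usr/lib/libc.so.96.1
	00000c5d0e03f000 00000c5d0e040000 ld.so 0    1   0      /usr/libexec/ld.so'

SAMPLE_LINUX_LDD='	linux-vdso.so.1 (0x00007ffc2b3fe000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4e89fbe000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f4e8a21f000)'

# usage: sh jail_bin_add.sh /var/jail /bin/ls
if [ $# -eq 2 ]; then
    jail_bin_add "$1" "$2"
fi
```

Run it once per program you want in the jail, then check the result with `chroot /var/jail /bin/ls` as an unprivileged user; if ld.so reports a missing object, that object was not in ldd's list (dlopen'ed at runtime) and must be added by hand.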



Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread dan mclaughlin
On Sun, 31 May 2015 22:20:17 -0500 Okupandolared  wrote:
> does not exist,
> 
> so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
> 
> that try "ls" and "/bin/ls" and "/var/www/bin/ls"
> 
> and it does not work,
> "/bin/ls" exist
> "/var/www/bin/ls" exist
> 
> thanks
> 
> On 05/31/15 19:43, Zé Loff wrote:
> > On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
> >> -BEGIN PGP SIGNED MESSAGE-
> >> Hash: SHA256
> >>
> >> I like received variables POST and send to KSH script.
> >>
> >> But it seems that in OpenBSD 5.6 and php-fpm.
> >>
> >> exec() and exec_shell() not working.
> >>
> >> Could anyone help me?
> >>
> >> This link explain in detail what I've tried.
> >>
> >> http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
> >>
> >> thanks
> > 
> > If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the
> > server's point of view) actually means "/var/www/usr/bin/whoami" (from
> > your point of view). Does that file exist?
> 

have you tried to copy /bin/sh to /var/www/bin/sh?



Re: console prompt disappeared after login

2015-05-18 Thread dan mclaughlin
On Mon, 18 May 2015 14:21:39 +0100 Pedro Tender  
wrote:
> I'm not having problems with ksh nor zsh, going in and out of X (xfce).
> TTY's working fine.
> 
> 
> On Mon, May 18, 2015 at 12:56 PM, dan mclaughlin 
> wrote:
> 
> > On Mon, 18 May 2015 11:24:13 +0100 Pedro Tender 
> > wrote:
> > > I've updated another machine today to latest snapshot and it is fixed.
> > > Have you tried the 18th May (ftp3.eu) snapshot ?
> > >
> > >
> > >
> > > On Sun, May 17, 2015 at 10:51 PM, dan mclaughlin <
> > thev...@openmailbox.org>
> > > wrote:
> > >
> > > > On Sun, 17 May 2015 14:29:07 - "Maurits Fennis" 
> > > > wrote:
> > > > > > just not the TTY's
> > > > >
> > > > > same here.
> > > > >
> > > > > --
> > > > > Maurits Fennis
> > > > >
> > > > > ()  ascii ribbon campaign
> > > > > /\  www.asciiribbon.org
> > > > >
> > > >
> > > > here too. i just submitted a bug report "problems with console output".
> > >
> >
> > it's a partial fix. the console works until you switch to X, which works
> > fine until you switch back to console, then nothing displays right.
> >
> > my original bug report didn't go thru, so i'll retry.
> 

i tried the same site, and i'm using ksh as well, though i am using fvwm
as my window manager.

looking further into it, my problem may be unrelated. it was just that
i discovered it at the same time, and maybe conflated them. i reverted to
an older snapshot that gives the same problem as well. i think it has
to do with the vesa driver.



Re: console prompt disappeared after login

2015-05-18 Thread dan mclaughlin
On Mon, 18 May 2015 11:24:13 +0100 Pedro Tender  
wrote:
> I've updated another machine today to latest snapshot and it is fixed.
> Have you tried the 18th May (ftp3.eu) snapshot ?
> 
> 
> 
> On Sun, May 17, 2015 at 10:51 PM, dan mclaughlin 
> wrote:
> 
> > On Sun, 17 May 2015 14:29:07 - "Maurits Fennis" 
> > wrote:
> > > > just not the TTY's
> > >
> > > same here.
> > >
> > > --
> > > Maurits Fennis
> > >
> > > ()  ascii ribbon campaign
> > > /\  www.asciiribbon.org
> > >
> >
> > here too. i just submitted a bug report "problems with console output".
> 

it's a partial fix. the console works until you switch to X, which works
fine until you switch back to console, then nothing displays right.

my original bug report didn't go thru, so i'll retry.



Re: console prompt disappeared after login

2015-05-18 Thread dan mclaughlin
On Sun, 17 May 2015 14:29:07 - "Maurits Fennis"  wrote:
> > just not the TTY's
> 
> same here.
> 
> -- 
> Maurits Fennis
> 
> ()  ascii ribbon campaign
> /\  www.asciiribbon.org
> 

here too. i just submitted a bug report "problems with console output".



Re: swap on encrypted softraid, performance penalty?

2015-05-17 Thread dan mclaughlin
On Sun, 17 May 2015 04:32:38 +0200 Fredrik Alm  wrote:
> > On 17 May 2015, at 02:19, dan mclaughlin  wrote:
> > 
> > On Sun, 17 May 2015 00:20:52 +0200 Fredrik Alm  wrote:
> >> I’ve seen a few “whole disk encryption”
> >> tutorials which puts the swap outside of the partition used for the 
> >> softraid
> >> encryption, since openbsd already encrypts the swap partition anyway. I
> >> assume that by putting the swap inside the encrypted partition, there will
> >> be performance penalties because encryption is done twice? could someone
> >> shed a little light on this issue?
> >> 
> > 
> > where did you see those tutorials? i attempted this some months ago (6-7) 
> > and
> > it was not possible to have swap outside of the softraid. i forget what the
> > exact problem was (i should have taken better notes...). i believe the
> > system wouldn't boot properly, and i think it was because the swap partition
> > was on a different device.
> > 
> > in the end i found it easier to just leave it all in the softraid for other
> > reasons in addition to that issue. as to swap encryption, i disabled it. no
> > need to encrypt twice.
> 
> this is one of the tutorials: http://www.bsdnow.tv/tutorials/fde
> 
> I found that when the swap was on a different disk
> (sd0b instead of sd1b, with the rest of the encrypted stuff on the softraid 
> disk)
> the swap had to be added manually to the fstab and even then it was
> defaulted to /dev/sdb1 (which didn’t exist) for coredumps. I assume this is
> why ZZZ exited with a kernel error instead of hibernating when I tried this
> disklayout. When I just put everything including the swap on the softraid it
> worked like normal. I’ll just try turning the swap encryption off then, 
> seems
> easier than reconfiguring the kernel to use sd0b as a dump device.
> 

your experience sounds familiar (swap expected to be on the root device),
and is why i think i abandoned the attempt to put the swap outside the
partition. though i am pretty sure i had problems right at boot, not later.

honestly though, i don't know how the guy who wrote that tutorial got it to
work (if in fact he did...), i remember it being completely unworkable. i
think the only option was to rebuild the kernel, as you said, which really
isn't an option.

also, those instructions to use bioctl will only work if there has not been
a softraid crypto volume there previously. you need to clear the space via
dd as in bioctl(8).



Re: swap on encrypted softraid, performance penalty?

2015-05-17 Thread dan mclaughlin
On Sun, 17 May 2015 00:20:52 +0200 Fredrik Alm  wrote:
> I’ve seen a few “whole disk encryption”
> tutorials which puts the swap outside of the partition used for the softraid
> encryption, since openbsd already encrypts the swap partition anyway. I
> assume that by putting the swap inside the encrypted partition, there will
> be performance penalties because encryption is done twice? could someone
> shed a little light on this issue?
> 

where did you see those tutorials? i attempted this some months ago (6-7) and
it was not possible to have swap outside of the softraid. i forget what the
exact problem was (i should have taken better notes...). i believe the
system wouldn't boot properly, and i think it was because the swap partition
was on a different device.

in the end i found it easier to just leave it all in the softraid for other
reasons in addition to that issue. as to swap encryption, i disabled it. no
need to encrypt twice.



Re: offtopic: political correctness

2015-05-08 Thread dan mclaughlin
On Fri, 08 May 2015 16:26:09 -0300 Giancarlo Razzolini  
wrote:
> On 08-05-2015 11:38, Nick Holland wrote:
> > In that case, you may wish to avoid reading the FAQ, the man pages,
> > certainly not the commit message log.
> 
> Come on. Those are hilarious!
> 
> >   You probably don't want to talk to the developers.
> 
> Some at least.
> 
> >
> > The only thing PC about OpenBSD is ... a couple target platforms. :)
> 
> I'm remembering someone that was offended by smtpd manual page(IIRC).
> Even sent a patch to fix it and everything!
> 
> >
> > Nick.
> > (making note to offend more in the future)
> Oh no! Please don't!
> 
> Cheers,
> Giancarlo Razzolini
> 

this just reminded me of something from MANY years ago (15+). someone was
complaining about the jive port (which still exists, ha!) for PC reasons,
talking about litigation or some such. i loved Theo's response, which was
run thru jive, and said something similar to "People talkin' don't be
scribblin' no code". (i think his sentiment holds here too!)

i actually tried to find this in the archives a while back but couldn't (i
thought it would be a good addition to mg/theo.c, i still remember it all
these years later with a smile.)



Re: report:intranet PXE network install (by nginx...)

2015-05-07 Thread dan mclaughlin
On Thu, 07 May 2015 08:13:55 -0400 Nick Holland  
wrote:
> On 05/07/15 07:51, Paolo Aglialoro wrote:
> > If it's correct and not against man pages it can be helpful for beginners
> > to have a ready recipe, just like FAQs.
> 
> IF it is correct, maybe.  But OpenBSD's philosophy has never been "more
> places of docs is better!".  We really want one authoritative source.
> 
> Unfortunately, he's been posting a lot of his "experiences" which
> involve reinventing wheels with some really oddly shapes and making some
> simple things complicated.  That's not helpful.
> 
> Nick.
> 

given how often a certain site has given people bad information, and it
doesn't get corrected until people ask questions here, it's at least
slightly better. at least here you are aware of it and have a chance to
respond and correct it, for posterity, while that certain site is still
out there causing trouble.



Re: OpenBSD Foundation and OpenBSD Project

2015-05-04 Thread dan mclaughlin
On Tue, 5 May 2015 09:49:13 +0530 Hrishikesh Muruk  wrote:
> Hi
> 
> I don't want to purchase 5.7 CDs and pay international shipping (also don't
> have a CD drive). I would like to donate that amount instead.
> 
> From the OpenBSD Project donations page (
> http://www.openbsd.org/donations.html) I gather that donations to OpenBSD
> Project are different from donations to OpenBSD Foundation.
> 
> When one purchases a OpenBSD CD from the OpenBSD store does that money
> (after admin fees etc) go to Project or Foundation?
> 
> Thanks
> Hrishi
> 

Theo talks about this here:
https://marc.info/?l=openbsd-misc&m=140797419824100&w=2
and here:
https://marc.info/?l=openbsd-misc&m=140797507424445&w=2



Re: pf.conf something is VERY wrong here, need advice.

2015-04-19 Thread dan mclaughlin
On Sun, 19 Apr 2015 21:07:31 -0400 "System Administrator"  
wrote:
> On 20 Apr 2015 at 0:11, Ton Muller wrote:
> 
> > i have last week setup my old asus laptop, model A6000 ,1GB ram, 80GB HDD.
> > 
> > SK0 is the internal interface.
> > RE0 is the WAN interface
> > 
> > i kept my pf.conf as simple as possible to get it started
> >  START CONFIG ##
> > #
> > int_if = "sk0"
> > ext_if = "re0"
> > 
> > tcp_services="{ 22,53,113 }"
> > icmp_types="echoreq"
> > 
> > # options
> > # increase default state limit from 10'000 states on busy systems
> > #set limit states 10
> > 
> > set block-policy return
> > set loginterface egress
> > set skip on lo
> > 
> > # match rules
> > match out on egress inet from !(egress:network) to any nat-to (egress:0)
> > #
> > # filter rules
> > block in log
> > pass out quick
> > antispoof quick for { lo $int_if }
> > 
> > pass in on egress inet proto tcp from any to (egress) port $tcp_services
> > #
> > pass in inet proto icmp all icmp-type $icmp_types
> > pass in on $int_if
> > 
> > # end config ##
> > 
> > this is my resolv.conf
> > # Generated by re0 dhclient
> > search xs4non.nl
> > nameserver 192.168.1.240
> > lookup file bind
> > 
> > RE0 ip 192.168.1.240
> > SK0 ip 192.168.0.240
> > 
> > mygate 192.168.1.240
> > 
> > Well, as far as i can remember, if i set RE0 to dhcp, it would get its ip
> > from the DHCP server of the modem, that works (192.168.1.1), and mygate
> > would not be used.
> > 
> > here comes the issue.
> > whatever combination i do, forced or not,
> > i can ping a host, and i get NO result back.
> > if i ping its IP address, i get a result back.
> > so my question is, what am i doing wrong here?
> > 
> > i never changed my basic configs so i knew that it would work.
> > but for some reason this time i get a massive headache from it.
> > 
> > anyone ideas?
> > 
> > Tony.
> > 
> > 
> 
> Here are some ideas that may (or may not) resolve your issues. 
> Hopefully, they will at least get you started in the right direction:
> 
> 1) Since you are using the 'egress' interface group name rather than 
> the explicitly defined $ext_if macro variable, make sure that it is 
> defined and for the correct interface. I know it works well when 
> /etc/mygate is correctly defined, but never had the need to test with 
> dhclient controlled interfaces.

i use the explicit interface myself, rather than egress, which works fine
for dhcp. for a simple setup like this it's probably best to go with the
interface.

some relevant pf.conf lines from my gateway (which uses dhcp):

block in log on $intif
#allow connections to my internal dns
pass in log quick on $intif proto udp from $intif:network to ($intif) port 53
#allow packets in destined for other places
pass in log quick on $intif inet from $intif:network to !$intif:network

pass out log quick on $extif inet from $intif:network to any nat-to ($extif)

> 
> 2) You seem to want to allow DNS (port 53) traffic inbound, but are you 
> aware that most DNS communication is over UDP? TCP DNS is used mostly, 
> if not only, for zone transfers.

i think his 'pass out' rule should handle that. pf does treat udp protocols
as having state, so it should recognize the return packet.

> 
> 3) Similarly, for ICMP (used by ping) you are allowing in only the 
> query subtype and not the reply (icmp-type echorep).
> 
> Good luck!
> 

a few more points to help. first you want to see if traffic is passing, so
in one window do:

# tcpdump -np -i re0

(you especially need the -n option above if your dns is not working).

then try dns lookup

$ host www.openbsd.org
www.openbsd.org has address 129.128.5.194

you should see something like the following in tcpdump:

tcpdump: listening on lo0, link-type LOOP
01:29:29.147252 127.0.0.1.10553 > 127.0.0.1.53: 48987+ A? www.openbsd.org. (33)
01:29:29.147557 127.0.0.1.53 > 127.0.0.1.10553: 48987 1/9/2 A 129.128.5.194 
(275)
01:29:29.149874 127.0.0.1.29232 > 127.0.0.1.53: 59987+ ? www.openbsd.org. 
(33)
01:29:29.150050 127.0.0.1.53 > 127.0.0.1.29232: 59987 0/1/0 (79)
01:29:29.150495 127.0.0.1.29234 > 127.0.0.1.53: 57835+ MX? www.openbsd.org. (33)
01:29:29.150609 127.0.0.1.53 > 127.0.0.1.29234: 57835 0/1/0 (79)

except you should see your nameserver (192.168.1.240) and host (192.168.0.240)
instead of 127.0.0.1.

if that works, try ping again, first with the IP, then with the hostname and
watch the tcpdump output.

hopefully that will get you some useful information.
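As an added example (not from the original mail, and not an OpenBSD tool), here is a small sh/awk filter that pairs the DNS queries in `tcpdump -n` output like the above with their replies and prints the ones that never got an answer. That is the question the tcpdump window is meant to answer: a query that leaves for the nameserver with no reply coming back points at pf or the route, while a reply that arrives and is still ignored points at the resolver on the host. The sample lines are constructed, using the nameserver and host addresses from this thread.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -n" output for some DNS lookups (not a
# capture from the original mail): three queries from 192.168.0.240 to the
# nameserver 192.168.1.240, of which the second never gets a reply.
DNS_SAMPLE='01:29:29.147252 192.168.0.240.10553 > 192.168.1.240.53: 48987+ A? www.openbsd.org. (33)
01:29:29.147557 192.168.1.240.53 > 192.168.0.240.10553: 48987 1/9/2 A 129.128.5.194 (275)
01:29:31.200000 192.168.0.240.29232 > 192.168.1.240.53: 59987+ A? www.example.com. (33)
01:29:35.100000 192.168.0.240.29234 > 192.168.1.240.53: 57835+ MX? www.openbsd.org. (33)
01:29:35.100600 192.168.1.240.53 > 192.168.0.240.29234: 57835 0/1/0 (79)'

# unanswered_dns_queries: read tcpdump lines on stdin and print "ID NAME" for
# every query sent to port 53 whose transaction ID never came back from port 53.
# Fields of a query line:  time src > dst.53: ID+ TYPE? name. (len)
# Fields of a reply line:  time src.53 > dst: ID a/b/c ... (len)
unanswered_dns_queries() {
    awk '
    $4 ~ /\.53:$/ && $5 ~ /^[0-9]+[+]?$/ && $6 ~ /[?]$/ {
        id = $5; sub(/[+]$/, "", id)    # the "+" only says recursion desired
        name[id] = $7
        pending[id] = 1
        next
    }
    $2 ~ /\.53$/ && $5 ~ /^[0-9]+$/ {
        delete pending[$5]              # reply matched to its query by ID
    }
    END {
        for (id in pending) print id, name[id]
    }'
}

# count_unanswered: same input, prints only the number of unanswered queries.
count_unanswered() {
    unanswered_dns_queries | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$DNS_SAMPLE" | unanswered_dns_queries
```

On the gateway, capture first and analyse the file afterwards, since the awk program can only report once the input ends: `tcpdump -nlp -i re0 port 53 > dns.log`, interrupt it after a few lookups, then `unanswered_dns_queries < dns.log`. The `-n` matters here for the same reason as above: tcpdump must not itself need the DNS you are trying to debug.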



Re: ssh help with X11Forwarding

2015-04-15 Thread dan mclaughlin
On Wed, 15 Apr 2015 11:35:21 +0300 Ville Valkonen  wrote:
> Hello,
> 
> On 13 April 2015 at 15:10, dan mclaughlin  wrote:
> > On Mon, 13 Apr 2015 16:49:02 +0530 Hrishikesh Murukkathampoondi 
> >  wrote:
> >> Hello
> >>
> >> I am running OpenBSD 5.6 on an x86 netbook. I am trying to set up X11 
> >> forwarding in ssh.
> >>
> >> In sshd_config I have added
> >> X11Forwarding yes
> >>
> >> In ssh_config I have added
> >> ForwardAgent yes
> >> ForwardX11 yes
> >>
> >> I have restarted sshd (pkill -HUP sshd)  and when I start ssh from the 
> >> client using ssh -X I get DISPLAY is not set when trying to launch an 
> >> xterm.
> >
> > this is probably a bad idea. that will send the signal to all sshd 
> > processes,
> > and not just the main server.
> >
> > the proper way to restart sshd is to use the pid in /var/run/sshd.pid ie
> >
> > $ kill -1 $( 
> Noup, kill HUP is completely okay. Have a look:
> $ uname -r
> 5.6
> $ grep -A 2 rc_reload /etc/rc.d/sshd
> rc_reload() {
> ${daemon} ${daemon_flags} -t && pkill -HUP -f "^${pexp}"
> }
> 
> and for clarity:
> $ grep pexp= /etc/rc.d/rc.subr |tail -1
> pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
> 
> --
> Regards,
> Ville
> 

well, my thinking was that i generally don't send signals to non-involved
processes, but sshd is probably made to handle this well. this is in fact
probably the better method. from sshd(8):

 /var/run/sshd.pid
 Contains the process ID of the sshd listening for connections (if
 there are several daemons running concurrently for different
 ports, this contains the process ID of the one started last).
 The content of this file is not sensitive; it can be world-
 readable.

so my method may not work properly if there were multiple daemons running.



Re: ssh help with X11Forwarding

2015-04-13 Thread dan mclaughlin
On Mon, 13 Apr 2015 16:49:02 +0530 Hrishikesh Murukkathampoondi 
 wrote:
> Hello
> 
> I am running OpenBSD 5.6 on an x86 netbook. I am trying to set up X11 forwarding 
> in ssh.
> 
> In sshd_config I have added
> X11Forwarding yes
> 
> In ssh_config I have added
> ForwardAgent yes
> ForwardX11 yes
> 
> I have restarted sshd (pkill -HUP sshd)  and when I start ssh from the client 
> using ssh -X I get DISPLAY is not set when trying to launch an xterm. 

this is probably a bad idea. that will send the signal to all sshd processes,
and not just the main server.

the proper way to restart sshd is to use the pid in /var/run/sshd.pid ie

$ kill -1 $( 
> Just to make sure the new config is being used I also tried after rebooting 
> the machine.
> 
> I have X and xauth installed (/usr/X11R6/bin/xauth) - I can login via XDM and 
> use a window manager.
> 
> Below is the output with -v. I dont see "Requesting X11 forwarding" in the 
> output. Is there anything else I need to add to forward X11?
> 
> Thanks
> Hrishi
> 
> ---
> Zeppelin:~ hrishi$ ssh -v  -X hrishi@192.168.1.133
> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
> debug1: Reading configuration data /etc/ssh_config
> debug1: /etc/ssh_config line 20: Applying options for *
> debug1: Connecting to 192.168.1.133 [192.168.1.133] port 22.
> debug1: Connection established.
> debug1: identity file /Users/hrishi/.ssh/id_rsa type 1
> debug1: identity file /Users/hrishi/.ssh/id_rsa-cert type -1
> debug1: identity file /Users/hrishi/.ssh/id_dsa type -1
> debug1: identity file /Users/hrishi/.ssh/id_dsa-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
> debug1: match: OpenSSH_6.7 pat OpenSSH*
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-sha1-...@openssh.com none
> debug1: kex: client->server aes128-ctr hmac-sha1-...@openssh.com none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Server host key: RSA 49:32:6f:a7:c9:f1:ea:6b:66:36:92:e3:79:a1:ef:1d
> debug1: Host '192.168.1.133' is known and matches the RSA host key.
> debug1: Found key in /Users/hrishi/.ssh/known_hosts:20
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: 
> publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /Users/hrishi/.ssh/id_rsa
> debug1: Authentications that can continue: 
> publickey,password,keyboard-interactive
> debug1: Trying private key: /Users/hrishi/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue: 
> publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> hrishi@192.168.1.133's password: 
> debug1: Authentication succeeded (password).
> Authenticated to 192.168.1.133 ([192.168.1.133]:22).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessi...@openssh.com
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LC_CTYPE = UTF-8
> Last login: Mon Apr 13 15:57:09 2015 from 192.168.1.112
> OpenBSD 5.6 (GENERIC.MP) #299: Fri Aug  8 00:10:33 MDT 2014
> 
> Welcome to OpenBSD: The proactively secure Unix-like operating system.
> 
> Please use the sendbug(1) utility to report bugs in the system.
> Before reporting a bug, please try to reproduce it with the latest
> version of the code.  With bug reports, please try to ensure that
> enough information to reproduce the problem is enclosed, and if a
> known fix for it exists, include that as well.
> 
> $ xterm &
> [1] 29542
> $ xterm: Xt error: Can't open display: 
> xterm: DISPLAY is not set
> 
> ---
> 

what is DISPLAY where you invoke ssh (ie before you log in)? where are you
starting ssh from (console, X11)?

the DISPLAY variable is set automatically if you are running in X. if you
are invoking ssh in a terminal, you need to set it manually before running
ssh eg

$ DISPLAY=:0 ssh -X user@host

should send the data to the local X display (running on port 6000).

what ssh is doing is opening up a connection to an X display on the machine
it is being run from. when you log on to another system via 'ssh -X' then
sshd on the remote system sets the DISPLAY variable to its own socket, so
that any program writes to that socket (instead of X) and ssh forwards that
data to the X11 on the system where it (ssh) was originally invoked.

if however the original ssh is not given a DISPLAY variable to know where
to send

Re: Following -stable, sources downloaded from mirror

2015-04-11 Thread dan mclaughlin
On Sat, 11 Apr 2015 11:59:14 +0200 Johan Mellberg  
wrote:
> dan mclaughlin skrev den 2015-04-11 10:55:
> > On Sat, 11 Apr 2015 10:27:19 +0200 Johan Mellberg 
> >  wrote:
> >> Hi,
> >>
> >> I want to start following -stable so I have read
> >> http://www.openbsd.org/anoncvs.html and
> >> http://www.openbsd.org/faq/faq5.html#BldGetSrc as well as looking through
> >> the mailing list archives
> >> ​ for cvs from preloaded source​
> >> .
> >>
> >> I thought that I'd preload the sources so downloaded all of sys, src, ports
> >> and xenocara and put them in /usr as per instructions.
> >>
> >> No problem, but I am left with one unclear issue
> >> ​ (complete cvs noob). On http://www.openbsd.org/anoncvs.html
> >> ​ ​
> >> it says
> >>
> >> "NOTE: If you are updating a source tree that you initially fetched from a
> >> different server, or from a CD, you must add the -d [cvsroot] option to 
> >> cvs.
> >>
> >> # cd /usr/src
> >> # cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd"
> >>
> >> ​I do not understand what version I then end up with, because on ​
> >> http://www.openbsd.org/faq/faq5.html#BldGetSrc
> >> ​ and above the quoted section it says to add -rOPENBSD_5_6 to get 
> >> -stable
> >> (for 5.6) when checking out from scratch. But I am not sure since​ this 
> >> is
> >> the only example for updating preloaded files. IF I run that there is
> >> updating of course, but there's no "Tag" that tells me if it is HEAD or
> >> whatever. If I add -rOPENBSD_5_6 I get the Tag file of course but what
> >> version do I get without it?!? And how should I update the next time?
> >>
> >> Thanks/Johan
> >>
> > 
> > the version you get without any tag is -current, the latest version, lagging
> > by only a few hours at most from what the devs commit, depending on the
> > server.
> > 
> Ah, thanks! I suspected that, but as I said was not sure. I'll add the
> -r from now on. Would it perhaps be something to add to the web
> page then, in the interest of absolute clarity?
> 
> Also, if I have updated to  -current as per above what is the result if
> I rerun the update, but with the tag? I have tried it and while I do get
> the Tag file (saying "TOPENBSD_5_6") I again do not quite understand
> what I should expect in that case.
> 

really not sure what would happen, never used the tags myself (i just run
-current). to be on the safe side though, you could just grab the src.tar.gz
for 5.6 as a starting point and run the update again with the stable tag.



Re: Following -stable, sources downloaded from mirror

2015-04-11 Thread dan mclaughlin
On Sat, 11 Apr 2015 10:27:19 +0200 Johan Mellberg  
wrote:
> Hi,
> 
> I want to start following -stable so I have read
> http://www.openbsd.org/anoncvs.html and
> http://www.openbsd.org/faq/faq5.html#BldGetSrc as well as looking through
> the mailing list archives
> ​ for cvs from preloaded source​
> .
> 
> I thought that I'd preload the sources so downloaded all of sys, src, ports
> and xenocara and put them in /usr as per instructions.
> 
> No problem, but I am left with one unclear issue
> ​ (complete cvs noob). On http://www.openbsd.org/anoncvs.html
> ​ ​
> it says
> 
> "NOTE: If you are updating a source tree that you initially fetched from a
> different server, or from a CD, you must add the -d [cvsroot] option to cvs.
> 
> # cd /usr/src
> # cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd"
> 
> ​I do not understand what version I then end up with, because on ​
> http://www.openbsd.org/faq/faq5.html#BldGetSrc
> ​ and above the quoted section it says to add -rOPENBSD_5_6 to get -stable
> (for 5.6) when checking out from scratch. But I am not sure since​ this is
> the only example for updating preloaded files. IF I run that there is
> updating of course, but there's no "Tag" that tells me if it is HEAD or
> whatever. If I add -rOPENBSD_5_6 I get the Tag file of course but what
> version do I get without it?!? And how should I update the next time?
> 
> Thanks/Johan
> 

the version you get without any tag is -current, the latest version, lagging
by only a few hours at most from what the devs commit, depending on the
server.



Re: .kshrc Definitions under X

2015-04-10 Thread dan mclaughlin
On Fri, 10 Apr 2015 20:48:39 -0400 John Merriam  wrote:
> On 4/10/2015 8:03 PM, Henrique Lengler wrote:
> > On Fri, Apr 10, 2015 at 07:51:01PM -0400, dan mclaughlin wrote:
> >> you should see an '-ls' option at the end as above. if not, that is your
> >> problem (it's not invoking a login shell), and this should work:
> >
> > I know that xterm isn't being started with the -ls option and it solves the
> > problem.
> >
> > But this couldn't be normal, could it? Because my intention is not to use
> > only xterm but also other term. emulators like st, and I would like to have
> > them working as they do in any other system.
> > If this is normal, will I need to configure and make sure that every
> > term. emulator I'm using is loading .profile?
> >
> >> On Sun, Apr 05, 2015 at 09:22:03PM -0700, Philip Guenther wrote:
> >>> B) tell xterm to start the shell inside it as a login shell, so that
> >>> *that* will read your .profile.  This can be done by either:
> >>> B1) start xterm with the -ls option, or
> >>> B2) set "*loginShell: true" in your X resource database (c.f. xrdb(1))
> >>
> >> also, xterm may be invoked elsewhere like in your ~/.xinitrc, so you would
> >> need to fix it there, but the xrdb option should take care of that.
> 
> See the -l option of ksh.  Also search for the word login in the ksh man 
> page.  ksh (and most if not all other shells I believe) behave 
> differently if they think they are a login shell.  xterm does not 
> automatically tell the shell that is invoked when it starts that the 
> shell should be a login shell.  That is why the -ls xterm option exists.
> 
> It can be useful not to tell the shell invoked by xterm that it is a 
> login shell when you are running something in xterm besides an 
> interactive command prompt session.  See the xterm man page.  You can 
> run things in an xterm besides just a command prompt shell (shell 
> scripts, other text programs, etc.) in which case you wouldn't want 
> login shell type things being set up.
> 
> -- 
> 
> John Merriam
> 

as far as i can tell this is the openbsd default to do a login shell, and
it makes sense. for those other functions, which are for a more expert set
anyway, they probably can figure it out ('xterm -e').



Re: .kshrc Definitions under X

2015-04-10 Thread dan mclaughlin
sorry to Henrique for the duplicate.

On Fri, 10 Apr 2015 21:03:26 -0300 Henrique Lengler  
wrote:
> On Fri, Apr 10, 2015 at 07:51:01PM -0400, dan mclaughlin wrote:
> > On Fri, 10 Apr 2015 18:49:02 -0300 Henrique Lengler 
> >  wrote:
> > > On Fri, Apr 10, 2015 at 12:22:45AM -0400, dan mclaughlin wrote:
> > > > On Thu, 9 Apr 2015 16:58:29 -0300 Henrique Lengler 
> > > >  wrote:
> > > > > On Sun, Apr 05, 2015 at 09:22:03PM -0700, Philip Guenther wrote:
> > > > > > On Sun, Apr 5, 2015 at 9:12 PM, Andrew Fresh  
> > > > > > wrote:
> > > > > > > On Sun, Apr 05, 2015 at 10:50:47PM -0300, Henrique Lengler wrote:
> > > > > > >> And it is called in ~.profile with this:
> > > > > > >> . /home/henri/.kshrc
> > > > > > >>
> > > > > > >> The problem is that these definitions work out of X, in the 
> > > > > > >> console,
> > > > > > >> logged as the same user (henri) but don't work under X.
> > > > > > >> I open a xterm window and and type clr, I receive:
> > > > > > >> /bin/ksh: clr: not found
> > > > > > >> But out of X it works, can someone help me to make this thing 
> > > > > > >> work
> > > > > > >> normally?
> > > > > > >
> > > > > > >
> > > > > > > What I have done is set "ENV=$HOME/.kshrc" in .profile, then 
> > > > > > > whenever you
> > > > > > > open a new shell, it will use that file as a shell startup file.
> > > > > > 
> > > > > > That's step one, but whether it's enough depends on how you start X.
> > > > > > 
> > > > > > If you start X from the command line with 'startx' then yes, using
> > > > > > export ENV=$HOME/.kshrc in your .profile should be enough, because
> > > > > > your X clients will inherit that in the environment from startx.
> > > > > > 
> > > > > > If you start X with xdm, then you need to either
> > > > > > A) manually set ENV (or source your entire .profile) from your
> > > > > > .xsession that xdm invokes, OR
> > > > > > B) tell xterm to start the shell inside it as a login shell, so that
> > > > > > *that* will read your .profile.  This can be done by either:
> > > > > >B1) start xterm with the -ls option, or
> > > > > >B2) set "*loginShell: true" in your X resource database (c.f. 
> > > > > > xrdb(1))
> > > > > 
...
> > it really sounds like xterm is not starting a login shell. what is the 
> > output
> > of:
> > 
> > $ ps | grep xterm
> > 27150 p6  I   0:00.01 /bin/sh -c xterm -fg white -bg black -ls
> > 13224 p6  I   0:05.29 xterm
> >  6542 p6  I   0:01.18 xterm
> > 29777 p6  I   0:00.00 /bin/sh -c xterm -fg white -bg black -ls
> > 
> > you should see an '-ls' option at the end as above. if not, that is your
> > problem (it's not invoking a login shell), and this should work:
> 
> I know that xterm isn't being started with the -ls option and it solves the
> problem.
> 
> But this couldn't be normal, could it? Because my intention is not to use
> only xterm but also other term. emulators like st, and I would like to have
> them working as they do in any other system.
> If this is normal, will I need to configure and make sure that every
> term. emulator I'm using is loading .profile?

X has worked that way as long as i can remember. B2 below should work for
other terminals as well, since the terminal should read in those values from
xrdb (eg *loginShell). they are kind of like environment variables, and you
can generally set them in ~/.Xresources or ~/.Xdefaults. on my system:

$ cat ~/.Xdefaults
! $OpenBSD: dot.Xdefaults,v 1.3 2014/07/10 10:22:59 jasper Exp $
XTerm*loginShell:true

so quite normal, really, but i don't know why it's not the default for you
(since it seems to be for me). you probably want something like the above,
without the 'XTerm' part, as Mr. Guenther mentioned, so other terminals
match too.

but the only way to know if another terminal works is to try!

> 
> > On Sun, Apr 05, 2015 at 09:22:03PM -0700, Philip Guenther wrote:
> > > B) tell xterm to start the shell inside it as a login shell, so that
> > > *that* will read your .profile.  This can be done by either:
> > >B1) start xterm with the -ls option, or
> > >B2) set "*loginShell: true" in your X resource database (c.f. xrdb(1))
> > 
> > also, xterm may be invoked elsewhere like in your ~/.xinitrc, so you would
> > need to fix it there, but the xrdb option should take care of that.
> 
> -- 
> Regards
> 
> Henrique Lengler 



Re: .kshrc Definitions under X

2015-04-10 Thread dan mclaughlin
On Fri, 10 Apr 2015 18:49:02 -0300 Henrique Lengler  
wrote:
> On Fri, Apr 10, 2015 at 12:22:45AM -0400, dan mclaughlin wrote:
> > On Thu, 9 Apr 2015 16:58:29 -0300 Henrique Lengler  
> > wrote:
> > > On Sun, Apr 05, 2015 at 09:22:03PM -0700, Philip Guenther wrote:
> > > > On Sun, Apr 5, 2015 at 9:12 PM, Andrew Fresh  wrote:
> > > > > On Sun, Apr 05, 2015 at 10:50:47PM -0300, Henrique Lengler wrote:
> > > > >> And it is called in ~.profile with this:
> > > > >> . /home/henri/.kshrc
> > > > >>
> > > > >> The problem is that these definitions work out of X, in the console,
> > > > >> logged as the same user (henri) but don't work under X.
> > > > >> I open a xterm window and and type clr, I receive:
> > > > >> /bin/ksh: clr: not found
> > > > >> But out of X it works, can someone help me to make this thing work
> > > > >> normally?
> > > > >
> > > > >
> > > > > What I have done is set "ENV=$HOME/.kshrc" in .profile, then whenever 
> > > > > you
> > > > > open a new shell, it will use that file as a shell startup file.
> > > > 
> > > > That's step one, but whether it's enough depends on how you start X.
> > > > 
> > > > If you start X from the command line with 'startx' then yes, using
> > > > export ENV=$HOME/.kshrc in your .profile should be enough, because
> > > > your X clients will inherit that in the environment from startx.
> > > > 
> > > > If you start X with xdm, then you need to either
> > > > A) manually set ENV (or source your entire .profile) from your
> > > > .xsession that xdm invokes, OR
> > > > B) tell xterm to start the shell inside it as a login shell, so that
> > > > *that* will read your .profile.  This can be done by either:
> > > >B1) start xterm with the -ls option, or
> > > >B2) set "*loginShell: true" in your X resource database (c.f. 
> > > > xrdb(1))
> > > 
> > > Still not able to do this. My /home/henri/.profile have this:
> > > 
> > > export ENV="$HOME/.kshrc"
> > > export LC_CTYPE="en_US.UTF-8"
> > > export GOPATH=$HOME/go
> > > PATH=$PATH:$HOME/Scripts
> > > 
> > > My .kshrc
> > > -
> > > export PS1='$PWD $ '
> > > alias quit=exit
> > > alias clr=clear
> > > alias logout=exit
> > > alias bye=exit
> > > alias j=jobs
> > > 
> > > 
> > > BUT printenv says:
> > > --
> > > /home/henri $ printenv
> > > _=/usr/bin/printenv
> > > XAUTHORITY=/home/henri/.Xauthority
> > > LOGNAME=henri
> > > WINDOWPATH=5
> > > WINDOWID=6291457
> > > HOME=/home/henri
> > > LC_CTYPE=en_US.UTF-8
> > > DISPLAY=:0
> > > GOPATH=/home/henri/go
> > > MAIL=/var/mail/henri
> > > PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/home/henri/Scripts
> > > SHELL=/bin/ksh
> > > PS1=$PWD $
> > > TERM=st-256color
> > > USER=henri
> > > 
> > > Looks like it reads the PS1 env but not the rest, or they don't work.
> > > Also I don't intend to use only xterm, but others term. emulators.
> > > -- 
> > > Regards
> > > 
> > > Henrique Lengler 
> > > 
> > 
> > try adding some 'echo' statements in all of your startup scripts. ie
> > 
> >   echo "sourcing .profile"
> >   echo "sourcing .kshrc"
> > 
> > to see if it is running them. then maybe add 'printenv' and 'alias' to some
> > to see what they print out during startup eg
> > 
> > alias clr
> > alias clr=clear
> > alias clr
> > 
> > the first should say 'not found', the one after should print your 
> > definition.
> 
> It behaves like this when I log into ksh out of X.
> These aliases are being applied correctly out of X; the problem is inside
> it.
> -- 
> Regards
> 
> Henrique Lengler 
> 

it really sounds like xterm is not starting a login shell. what is the output
of:

$ ps | grep xterm
27150 p6  I   0:00.01 /bin/sh -c xterm -fg white -bg black -ls
13224 p6  I   0:05.29 xterm
 6542 p6  I   0:01.18 xterm
29777 p6  I   0:00.00 /bin/sh -c xterm -fg white -bg black -ls

you should see an '-ls' option at the end as above. if not, that is your
problem (it's not invoking a login shell), and this should work:

On Sun, Apr 05, 2015 at 09:22:03PM -0700, Philip Guenther wrote:
> B) tell xterm to start the shell inside it as a login shell, so that
> *that* will read your .profile.  This can be done by either:
>B1) start xterm with the -ls option, or
>B2) set "*loginShell: true" in your X resource database (c.f. xrdb(1))

also, xterm may be invoked elsewhere like in your ~/.xinitrc, so you would
need to fix it there, but the xrdb option should take care of that.



Re: Screwed up copying partition to another disk

2015-04-10 Thread dan mclaughlin
On Fri, 10 Apr 2015 12:00:06 -0500 Chris Bennett 
 wrote:
> I have been copying home folders from several disks that should be near
> failing due to age to an external USB disk.
> 
> I have been using:
> cd /SRC; tar cf -  . | (cd /DST; tar xpf - )
> 
> Works fine, except I overlooked mounting /DST on first try, so
> everything ended up in / until full. I also started deleting those files
> until I realized I was in /SRC and Ctrl C it.
> Now I have a problem, I have
> /dev/sd0a 1005M   1005M  -50.1M   105%   /

that is not unusual. the filesystem sets aside space that is unusable except
by root, and not normally counted.

> 
> I cannot find those files (would really like to have them).
> I have tried fsck -fp, fsck and tried to upgrade it back. Upgrade gives
> same file system full problem.

what were you upgrading, openbsd? that has nothing to do with this problem.
the files should be in /DST, unless it didn't exist, and then they should be
in the invoking directory ie /SRC. you may still have the files you deleted
from /SRC in /DST, but that entails a bit of luck ie if 'tar' copied in the
same order that 'rm' deleted, they may be there (in /DST).

you may need some space (but not much) to do this, but you can use 'find' to
compare the contents of the directories, ie

$ cd /SRC; find . | sort >../SRC.list
$ cd /DST; find . | sort >../DST.list
$ cd /
$ comm -12 SRC.list DST.list

the above 'comm -12' will give you a list of files that are common to both
/SRC and /DST (thus duplicates). you may want to delete these after some
checking, as such:

OLDIFS="$IFS"
# split only on newlines (a quoted '\n' is a literal backslash-n in ksh)
IFS='
'
for _file in $(comm -12 SRC.list DST.list);do
  if [[ "$(cksum -q SRC/"$_file")" = "$(cksum -q DST/"$_file")" ]];then
    rm -f DST/"$_file"
  else
    echo "checksum mismatch for $_file"
  fi
done
IFS="$OLDIFS"

this way you delete the files in /DST after ensuring that the identical
version exists in /SRC. if there is a mismatch, probably the /DST version
is corrupted (incomplete). check sizes and delete manually. the IFS stuff
is to ensure filenames with spaces don't give you problems.

next:

$ comm -13 SRC.list DST.list

the 'comm -13' command above should give you a listing of files in /DST that
are not in /SRC, which you could copy back to /SRC in case you deleted them.

if however you deleted the file in /SRC, and it was not backed up in /DST,
i'm pretty sure you are out of luck. but it seems if you still have that
much space used, you probably didn't lose much (and like i said about the
order of tar and rm above...).

at the end of this, /DST should be clear, and you could start again (after
mounting!).


also, for future reference use '&&'. it may catch some rare problems (in
this case if the directory did not exist).

$ cd /SRC && tar cf -  . | (cd /DST && tar xpf - )

> 
> I can go to install, but I would like to know if there is another fix.
> 
> I would even more like to know what has happened in the file system.
> So that information is more important to me than a fix.
> 
> Thanks,
> Chris Bennett
> 

good luck
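The find/comm/cksum procedure above, folded into one function as an added example (my code, not from the original mail or from OpenBSD). It goes a little beyond the loop in the mail: it only considers regular files (so `cksum` is never pointed at a directory), reads the files through stdin so plain POSIX `cksum` works, prints the mismatches and the DST-only files it finds instead of touching them, and turns globbing off while it iterates over the file list. File names containing a newline are still not handled.

```shell
#!/bin/sh
# reconcile_dirs SRC DST
#   Walk the regular files found under both SRC and DST at the same relative
#   path. Delete the DST copy only when its checksum equals the SRC copy, and
#   print "mismatch PATH" otherwise (probably an incomplete copy; keep it for
#   inspection). Finally print "dst-only PATH" for files that exist only under
#   DST: those are the candidates for copying back. Directories are left alone.
#   Limitation: file names containing a newline are not handled.
reconcile_dirs() {
    src=$1
    dst=$2
    tmp=$(mktemp -d) || return 1
    # Sorted relative file lists, because comm(1) requires sorted input.
    (cd "$src" && find . -type f | sort) > "$tmp/src.list"
    (cd "$dst" && find . -type f | sort) > "$tmp/dst.list"
    # Split only on newlines and disable globbing, so names with spaces or
    # shell metacharacters survive the unquoted $(...) expansion below.
    old_ifs=$IFS
    IFS='
'
    set -f
    for f in $(comm -12 "$tmp/src.list" "$tmp/dst.list"); do
        # cksum on stdin prints "crc size" with no file name, so the two
        # outputs compare directly.
        if [ "$(cksum < "$src/$f")" = "$(cksum < "$dst/$f")" ]; then
            rm -f "$dst/$f"
        else
            printf 'mismatch %s\n' "$f"
        fi
    done
    set +f
    IFS=$old_ifs
    comm -13 "$tmp/src.list" "$tmp/dst.list" | sed 's/^/dst-only /'
    rm -rf "$tmp"
}

# Usage for the situation in the thread (after mounting the USB disk):
#   reconcile_dirs /SRC /DST
```

Run it once, copy back whatever it reports as `dst-only`, look at the `mismatch` lines by hand, and only then clear /DST and start the tar copy again.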



Re: Can't install latest snapshot over http

2015-04-03 Thread dan mclaughlin
On Sat, 4 Apr 2015 09:08:35 +0900 Joel Rees  wrote:
> On Apr 4, 2015 8:33 AM, "Oriol Demaria"  wrote:
> >
> > My problem got worse. So I tried finally to install the 2nd of April
> snapshot usb image install57.iso. It actually has upgraded my kernel, and
> now it doesn't complete the boot. I get:
> >
> > Warning: /dev/console does not exist
> >
> > I was planning to reboot and build the system from source to upgrade, but
> I can't. It doesn't boot on single mode either.
> >
> > During the upgrade I got the error "illegal instruction" when the script
> is untarring the sets.
> >
> > Any idea what it could be?
> >
> > Dmesg is in the previous email.
> >
> 
> Have you considered hardware issues?
> 
> I'm losing the device entries for my disk drives on the expansion disk
> controller in mid-build, and it seems heat related. (Not 100% positive,
> though.)
> 

while overheating can cause some strange behaviour, that seems a bit
selective. nothing else on the file system disappearing?

if you wanted to monitor the temperature, you could do a small script:

#!/bin/ksh
_sensor=$(sysctl hw.sensors | grep temp0 | sed 's/=.*//')
while true;do
  echo "$(date +%Y%m%d.%H%M) $(sysctl $_sensor)"
  sleep 60
done | tee ~/watch-temp

that would at least keep a log of the processor temp for you. i don't know
what the other temperatures it tracks are, but if you needed them too:

#!/bin/ksh
_sensor=$(sysctl hw.sensors | grep 'temp[0-2]' | sed 's/=.*//')
while true;do
  echo -n "$(date +%Y%m%d.%H%M) "
  echo $(sysctl $_sensor | sed -e 's/.*temp/temp/' -e 's/ degC/degC/g')
  sleep 60
done | tee ~/watch-temp

gives an output that looks like this:

20150403.2348 temp0=45.00degC temp1=34.00degC temp2=9.00degC

> Joel Rees
> 
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.
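The sensor-logging loop above, reworked as an added example (my code, not from the original mail or from OpenBSD) into functions that can be tested against constructed `sysctl hw.sensors` lines. It differs from the one-liner in two ways: it keeps the device name in front of each `tempN` so two devices with a `temp0` stay apart, and it adds a threshold, returning a non-zero status when any temperature exceeds the limit so the loop can raise a syslog warning instead of only writing to the log file. The sensor lines below are constructed, not output from a real machine.

```shell
#!/bin/sh
# Constructed sample of "sysctl hw.sensors" output (not from the original
# mail): two devices with temperature sensors plus one non-temperature line.
SENSOR_SAMPLE='hw.sensors.cpu0.temp0=45.00 degC
hw.sensors.acpitz0.temp0=34.00 degC
hw.sensors.acpitz0.temp1=9.00 degC
hw.sensors.acpibat0.volt0=12.50 VDC (voltage)'

# compact_temps: read sensor lines on stdin and print one line with every
# temperature as DEVICE.tempN=VALUEdegC; other sensor types are ignored.
compact_temps() {
    awk '
    /^hw\.sensors\.[^=]*\.temp[0-9]+=[0-9.]+ degC/ {
        split($0, kv, "=")                 # kv[1]=name  kv[2]="45.00 degC"
        sub(/^hw\.sensors\./, "", kv[1])
        split(kv[2], v, " ")               # v[1]=45.00
        out = out (out == "" ? "" : " ") kv[1] "=" v[1] "degC"
    }
    END { print out }'
}

# hottest_temp: print the highest temperature on stdin with two decimals.
hottest_temp() {
    awk -F'[= ]' '
    /\.temp[0-9]+=/ && $NF == "degC" { if (max == "" || $2 + 0 > max) max = $2 + 0 }
    END { printf "%.2f\n", max + 0 }'
}

# temp_alert LIMIT: print a timestamped compact line for the sensor lines on
# stdin; return 1 when any temperature is above LIMIT degC, 0 otherwise.
temp_alert() {
    limit=$1
    input=$(cat)
    printf '%s %s\n' "$(date +%Y%m%d.%H%M)" "$(printf '%s\n' "$input" | compact_temps)"
    hot=$(printf '%s\n' "$input" | hottest_temp)
    # sh cannot compare floats; let awk decide and turn it into the exit code
    awk -v h="$hot" -v l="$limit" 'BEGIN { exit (h + 0 > l + 0) ? 1 : 0 }'
}

# Logging loop for the real machine, warning via syslog when the limit is
# crossed (80 degC here is an assumed value; pick one for your CPU):
#   while true; do
#       sysctl hw.sensors | temp_alert 80 || logger -p daemon.warning "temperature over 80 degC"
#       sleep 60
#   done | tee ~/watch-temp
```

The log line looks like `20150403.2348 cpu0.temp0=45.00degC acpitz0.temp0=34.00degC acpitz0.temp1=9.00degC`, so a later `grep` for the device that was hot is straightforward.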



Re: Can't install latest snapshot over http

2015-04-03 Thread dan mclaughlin
this may not help you right now, but it is recommended that you save the
last working kernel as /obsd so that you can boot from it if the new one
doesn't work. i also keep the last release/snapshot in the root directory
so that if something goes wrong i can restore it.

On Sat, 04 Apr 2015 00:32:18 +0100 Oriol Demaria  wrote:
> My problem got worse. So I tried finally to install the 2nd of April 
> snapshot usb image install57.iso. It actually has upgraded my kernel, 
> and now it doesn't complete the boot. I get:
> 
> Warning: /dev/console does not exist
> 

if you can boot the install image, escape to shell, mount your disk, and
run '(cd /mnt/dev && ./MAKEDEV all)'. that should at least restore the
console and other devices.

> I was planning to reboot and build the system from source to upgrade, 
> but I can't. It doesn't boot on single mode either.
> 

installing from source is probably not the best thing if it's your first
time, and you are having other problems besides. did you try a different
source for the snapshot? it's a courtesy to use a mirror, but if you want
to be sure of the snapshot you get you could try the main site.

> During the upgrade I got the error "illegal instruction" when the script 
> is untarring the sets.
> 
> Any idea of what could it be?
> 
> Dmesg is in the previous email.
> 

you might get a better response if you restated it. it's a little hard to
understand your problem. in an earlier mail you say:

> So at work, the network seems to behave just fine. I have to investigate
> this issue, not sure if this new snapshot it's just outlining a problem
> in my home network or maybe it's some new feature that is creating some
> conflict. As no one else seems to have this problem, I'm starting to
> think that is the first one. I will compare network sysctl values and so
> on. Older snapshots and stable work just fine at home.

do you mean that installing/upgrading using the same hardware works, just
on a different network?

in that paragraph above you would need to say something like:
'so i hooked the computer up to my work network, and tried to upgrade again
from the same snapshot and it didn't give me the network troubles.' (that is,
if that is what you meant. that's what i thought you meant but was not sure.)

Miod said to you previously:
> We don't know what hardware you are installing on, which mirror you
> obtained the installation media from, the result of the sha256 check, if
> the installation media you had been booting was the snapshots' or an old
> bsd.rd lying around, etc.

and i think you did eventually answer all those questions, but not clearly,
and in one place.

so start from the very beginning, step by step, and don't leave ANYTHING out,
even if it seems too much. it's better to give too much information than too
little, and someone may be able to help that way.



Re: Secure PDF viewer

2015-04-02 Thread dan mclaughlin
On Thu, 02 Apr 2015 23:11:57 -0400 Eric Furman  wrote:
> Thanks for the info and I expected someone to suggest this,
> but I didn't really want to go all crazy. :)
> I wanted to know if there was a secure one so I wouldn't have
> to jump through all these kind of hoops.
> Thanks anyway.
> 

doing the whole thing may be extreme, but you needn't go that far. a good
tradeoff between convenience and security here may be: a separate user,
that you login to using 'ssh -X', and deny access via pf. that way they
are unprivileged, there is a filter between that user and X (ssh -X) and
just in case, deny net access to prevent leaking or communicating and
downloading more sophisticated code. shouldn't take more than a minute
to set that up, and then just a single command line to use.



Re: Secure PDF viewer

2015-04-02 Thread dan mclaughlin
On Thu, 2 Apr 2015 11:47:04 -0400 Jiri B  wrote:
> On Thu, Apr 02, 2015 at 12:33:25AM -0400, Eric Furman wrote:
> > I sometimes have to deal with PDF files (ugh) and all
> > I need is the ability to view and print them, nothing
> > fancy. With security in mind I would like to get opinions
> > on the best one to use.
> > Thanks.

hardly any existing software is written with security in mind, so...
mitigation is the word. and since sometimes even the best coders may
slip up...

> 
> Run it chrooted under non-default (0) routing domain
> and you should be in 99 % fine.

and running under its own user as well.

some of these mitigation techniques and more have been discussed
recently:
https://marc.info/?l=openbsd-misc&m=142703553113760&w=2
https://marc.info/?l=openbsd-misc&m=142637712203350&w=2
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

the last thread is my experiments with ssh chroot jailing. if you
decide to go the chroot route, you need to read that. you would
have to do some additional work (eg set up a device) to get a
printer working. there is also some info on using Xephyr. i use
a jailed xpdf myself just as in the examples.

and instead of routing, i use a pf rule:

  block out log
  pass out log quick on $intif proto tcp user { root, browse, 1000 }
  pass out log quick on $intif proto udp user { root, browse, 1000 }

but you could just block the one user:

  block out log quick on $intif proto tcp user pdf
  block out log quick on $intif proto udp user pdf
  pass out

at the very least, you want to run it under its own user, using
'ssh -X' and Xephyr.

> 
> (I still can't figure out how to make apps in Xephyr
> maximalized without help of a WM.)

many programs have command line options to control some of this.
eg 'xpdf -fullscreen'. although that doesn't always give me the
interface i want. but 'xpdf -geometry xXy' works too. i have
scripts that synchronize the Xephyr geometry and the app's.

> 
> j.
> 

in sum, a dedicated unprivileged user, using ssh -X and Xephyr, with
a pf rule (as above), and maybe chroot. about the best you can do for
any program. one of those threads is about systrace, but that might
be more complicated to set up (haven't looked into it too much myself).



Re: differences between pk_add -u and building from source at stable

2015-04-02 Thread dan mclaughlin
On Thu, 2 Apr 2015 11:50:12 +0200 Marc Espie  wrote:
> On Wed, Apr 01, 2015 at 11:48:16PM -0400, dan mclaughlin wrote:
> > if you want the version that the port build will produce do:
> > 
> > $ (cd /usr/ports/lang/gcc/4.8/ && make _print-packagename)
> > gcc-4.8.4p2
> > 
> > there are a lot of options for make that are in bsd.port.mk(5) (although the
> > one i used above is technically an internal make command). you also might
> > have better luck asking these questions on ports@ in the future.
> 
> Bad puppy. Technically what you're looking for is 
> make show=PKGNAMES

good to know. i stumbled across that when i was trying to figure that out
before, and sometimes it's easier to read code than documentation. i was
interestingly enough just now updating those scripts anyway (like literally
opened it up right before i got this, for reasons unrelated to this thread...)

> 
> which will give you everything in a clean, unchanging way...

well i may not have been clear enough on that point, but i thought it was
implied that since it was internal it was not documented, and thus ...

> (especially since ffx is likely to want C++ on top of C.

this may have something to do with his original problem.

> 
> You don't even have to change directory...
> 
> nausicaa$ SUBDIR=lang/gcc/4.8 make show=PKGNAMES
> ===> lang/gcc/4.8
> gcc-4.8.4p2 g95-4.8.4p1 gobjc-4.8.4p1 g++-4.8.4p1 libstdc++-4.8.4p1 
> gcj-4.8.4p1 gnat-4.8.4p1
> 

but you still have to be in /usr/ports. personally i am used to the '(cd ...)'
construct myself for other things so it is easier for me. but i understand
your meaning, you're just expounding upon the subtleties of the system.



Re: differences between pk_add -u and building from source at stable

2015-04-01 Thread dan mclaughlin
On Thu, 2 Apr 2015 05:16:25 +0900 Joel Rees  wrote:
> Should there be a difference if I haven't botched the source tree for
> /usr/ports at some point?
> 
> firefox --version
> 
> tells me
> 
> Mozilla Firefox 31.0
> 
> (It also gives a warning about size mismatch in a couple of c++ libraries
> and says I should relink the program, which is part of the message it sends
> to the console every time I run it. I've been ignoring that message.)
> 
> And
> 
> pkg_add -u firefox
> 
> just talks to itself, then says
> 
> quirks-2.9 signed on 2014-08-02T11:06:132
> 
> but
> 
> cd /usr/ports/www/firefox-esr
> make -n
> 
> tells me
> 
> lock=firefox-esr-31.5.3
> 
> Without the -n, it would try to install firefox 31.5.3, but break on lack
> of disk space for installing gcc 4.8.3. I installed gcc-4.8.3 from
> packages, but the make process didn't see that, and still tried to install
> it again. (gcc --version from the command line says 4.2.1.)

for the package you need to check the patch version as well. whenever there
is a change in the patches that the ports build system applies, it changes.

if you want the version that the port build will produce do:

$ (cd /usr/ports/lang/gcc/4.8/ && make _print-packagename)
gcc-4.8.4p2

if you have gcc-4.8.4p1 that is considered a different package version.

to get the installed one:
$ pkg_info -I gcc
gcc-4.8.4p2 GNU compiler collection: core C compiler

there are a lot of options for make that are in bsd.port.mk(5) (although the
one i used above is technically an internal make command). you also might
have better luck asking these questions on ports@ in the future.

> 
> I've grabbed some space on another disk, changed /etc/fstab to mount those
> partitions and rebuilt src and xenocara in nice roomy partitions there.
> (Man, putting the src tree on a separate disk sure speeds cvs updates and
> builds up like crazy!) /usr/ports is just sitting there after a cvs up to
> stable (-rOPENBSD_5_6).
> 
> And I'm hesitating before building firefox from source again.
> 
> Joel Rees
> 
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.



Re: how much disk space does it take to build gcc 4.8?

2015-03-23 Thread dan mclaughlin
On Mon, 23 Mar 2015 19:53:45 +0900 Joel Rees  wrote:
> But this probably is not my real question.

but to answer it still, A LOT. (i vaguely remember it being over a gig).

> 
> I saw the notice about libssl and decided it was time to update things.
> 
> Updated kernel and system userland (5.6 stable).
> 
> Forgetting what I was doing. My mind was shot, should not have had the hood
> up in the condition I was in. Instead of doing a pkg_add -u, I did a cvs up
> in /usr/ports. Got some updates, remember firefox and some other stuff
> among them.

tired? i think everybody who has been around long enough has done such
misjudging of their state.. when you realize it is taking longer to think
thru some things, it is time to go to sleep..

> 
> Started to just do make in /usr/ports, and it started sequencing through
> the archivers, installing things like cabextract, which I'm pretty sure I
> don't need. Thought it was trying to install everything. I stopped that
> with a ctrl-c and scratched my head, did a make clean and a pkg_check.
> 

it is indeed trying to build everything, since you started in /usr/ports.
if you started in one of the subdirs and did 'make' it would try to build
everything in that subdir (eg /usr/ports/net).

> Then tried a pkg_add -u and nothing gets added.
> 
> I'm a bit worried about not updating firefox (31.0 to 31.5, if I read the
> text flying by on the screen right) even though it isn't specifically
> mentioned on the errata page. (Is it perhaps listed in the patches?) So I
> tried doing make update in www/firefox-esr, and it finds lots of things to
> update, then dies on a full disk. 1.6G for just /usr/ports, 104% in use.

i think you need more room on ports. there is some data in one of the faqs.

> 
> make clean brings it down to 50% use, and I've located a ballooning build
> within gcc 4.8.3, which firefox 31.5 requires. (Why, I wouldn't care to
> guess.)

a lot of things need non-base versions of gcc anymore.

look in /usr/ports/pobj, where the ports are built. not everything cleans
itself up. i have a small script that removes at least what is installed.
it doesn't work for flavors though (the directories are pkgname,no_x11), but
you can just manually check what is installed and delete that dir.

ports_pobj_clean:
---
#!/bin/ksh
#@PURPOSE clean out ports/pobj, remove dirs of installed pkg

#bail out if the directory is missing, so the rm below never runs elsewhere
cd /usr/ports/pobj || exit 1
#pkg_info can be very slow, save a local copy
pkg_info >pklist
for _port in *;do
  [ -d "$_port" ] || continue
  #dir names lack the pN/vN suffix of the package name, so match up to it
  grep -q "^$_port[pv ]" pklist && { echo "$_port"; rm -fr "$_port"; }
done
rm pklist

> 
> I thought gmp was the culprit, but trying to trap the culprit by teeing the
> output of make, it seems to get past that through some gnat-bind stuff and
> cp ecj-4.5.jar (bleaugh) and then a perl script that apparently tries to
> fix up some #defines related to GLIBCXX_HAVE_GETS and then starts in on
> patching.

tee-ing is a good idea, i have my scripts do this automatically so when
problems arise, it's easy to reference. especially with long builds (like
release).

> 
> And patch-boehm-gc-dyn_load_c did not apply cleanly. And about five
> not-patched-cleanly patches later it reports no room left on the device.
> (I'm thinking about wiping each directory under lang/gcc and trying a cvs
> get there, but du seems to say the ballooned file is elsewhere.)

all build files are in /usr/ports/pobj, nothing gets saved in the main
directories.

> 
> I have another 5.6 box that is currently building the userland, for
> reference, but while I'm waiting, I thought I'd ask about the ballooning
> build.

make sure your ports are in sync with your build. if you are using cvs, make
sure to update both /usr/src and /usr/ports. if you install from a snapshot
make sure to grab the ports.tar.gz in the snapshot dir as well.

> 
> And if anyone cares to help me untangle my thinking, ...
> 
> Joel Rees
> 
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.
> 

clear out pobj and try again. you can also just 'rm -fr /usr/ports/pobj' if
you don't mind deleting half-built ports. it may be a good idea anyway as
some things may apply, and some not, so your build will be in a bad state.

if a port won't compile right, delete and retry. this has worked for me for
some odd errors i couldn't explain, and they didn't recur. if they do recur
that is possibly a matter for ports@.

and if you want to answer your original question, after you have built gcc,
do a 'du -sk /usr/ports/pobj/gcc*'.

cheers



Re: running multiple simultaneous X sessions as different users

2015-03-21 Thread dan mclaughlin
On Sat, 21 Mar 2015 14:14:22 -0700 luke...@onemodel.org wrote:
> On 03/16/15 19:38, Jean-Philippe Ouellet wrote:
> > On Sun, Mar 15, 2015 at 07:12:23PM -0400, Ted Unangst wrote:
> >> luke...@onemodel.org  wrote:
> >>> The goal:  I'd like to run multiple simultaneous X sessions and switch
> >>> among them with Ctrl-Alt-F8, Ctrl-Alt-F9, etc, each one as a different
> >>> user (separation of privileges, like general browsing vs. admin &
> >>> programming, vs. banking, etc, so that if one is compromised by a
> >>> browser flaw etc, the other user accounts are unaffected.
> >> I would probably start with Xnest here.
> > I've had better luck with a slightly hacked up Xephyr for this purpose.
> >
> > Just be aware that screen locking at the top level won't work while nested
> > sessions grabbed exclusive focus (unless you patch it to work differently),
> > and window resizing can be annoying at times.
> >
> > Be sure to actually isolate the different X server processes across 
> > different
> > users and such and preferably chroot them and tell pf to block everything 
> > for
> > those users.
> >
> > It's annoying and probably doesn't really gain you much anyway.
> 
> That sounds doable, but too easy for me to make a mistake that
> invalidates it, and I don't know whether in that strategy a compromised
> app (such as a browser) could watch keystrokes on another app.
> 

while i am no X guru by any means, i am pretty sure that the X11 SECURITY
extension prevents that. (that is at least what i take away from the section
for -X in ssh(1)).

> (This other thread is also interesting in this light (from ~2 days
> ago): "isolating untrusted programs in ssh chroot jails".)

that's mine. basically i detail how to do most of what Mssr. Ouellet mentioned
above.

> 
> So, I was going to try doing as Miod kindly suggested in another part
> of this thread:
> 
> On 03/15/15 04:15, Miod Vallat wrote:
> >> If you run another X server instance, it will use the seventh virtual
> >> console (ctrl-alt-F7). But I am not sure drm-enabled X servers can run
> >> multiple instances.
> > Thanks. Is there a way to turn off drm, such as via a sysctl
> > setting for kern.malloc.kmemstat.DRM, or somehow forcing it to use a
> > different (known stable) driver?  Or, if not, anything else I can
> > try except non-drm video hardware?
> 
> ...until I stumbled on this which looks the easiest/safest so far:
>  > List:   openbsd-misc
>  > Subject:Re: Almost offtopic question to the "Improving Browser > 
>  > Security" question
>  > From:   Stuart Henderson 
>  > Date:   2015-03-04 8:37:03
>  > Message-ID: slrnmfdh1f.8gs.stu () naiad ! spacehopper ! org
>  >
>  > On 2015-03-03, someone  wrote:
>  > > Wow, copying the .Xauthority to the "separated" user worked!
>  > > But I'm still thinking that the "separated" user can give out the
>  > > command:
>  > > xinput test 6
>  > > and can see what anyone types in via X.
>  > See xauth(1) about generating an untrusted auth token. If you're
>  > feeling lazy, enabling ssh X forwarding and using ssh -X
>  > user@localhost might be easier, but will be slower.
> (http://marc.info/?l=openbsd-misc&m=142545841513214&w=2
> ...which started here (also useful): 
> http://undeadly.org/cgi?action=article&sid=20150303075848  )
> 
> 
> So, if I use xauth after reading the manpage carefully, or use ssh -X
> from one localhost user to another, and launch a bunch of apps as
> different users all in the same X server, what are the risks of
> compromise between accounts?
> 
> Thanks to all who've commented: this has been educational & useful.
> 
> -Luke A Call
> 

there is probably about as little chance of compromise as is possible. the
only real privilege separation on unix is having different users, and
restricting them as much as possible (like with chroot).

if you are running a command as another user, ie:

ssh -X pdf@localhost xpdf file.pdf

then the only way the program has to interact with your display is thru an
ssh tunnel which acts as a filter. so in this case xpdf will write to the
DISPLAY given to it from ssh, which is a tunnel created by ssh which restricts
the commands that can be sent along that tunnel to the real display.

it's not possible to isolate an account completely from the system unless it
is chroot(8)ed. that way that user will not have access to anything else in
the filesystem. if you read my notes though, i note it is not possible for all
programs to be locked up so.

you can skip the chroot part of my notes, near the end i explain using Xephyr.
Xephyr is probably not the most trustworthy, but it's a choice between writing
to it, or to the main server.

the only thing i don't really get into in my notes is what Mssr. Ouellet
mentions regarding using pf to block the user. this obviously is not a good
idea for a web browser, but for something like xpdf it is.

you just need some rules in pf.conf like:

  block out log
  pass out log quick on $intif proto tcp user { browse, 1000 }
  pa

Re: isolating untrusted programs in ssh chroot jails

2015-03-19 Thread dan mclaughlin
On Thu, 19 Mar 2015 08:52:09 -0600 Jorge Gabriel Lopez Paramount  wrote:
> Quoting dan mclaughlin :
> 
> > there seems to be some interest in this, so i thought i would post my notes,
> > made more presentable.
> >
> > here i detail ways to use ssh to restrict access to the filesystem as well 
> > as
> > X, mitigating the 'security nightmare' that is X11, not to mention 
> > preventing
> > possible leaking of local data. this uses more proven code so may be better
> > than eg virtualization for some things.
> 
> This looks interesting but really complicated. As I commented before I  
> use a virtual machine for running Firefox due to security concerns,  
> now with OpenBSD at last. I know that a virtual machine would not  
> resist a targeted attack, but since it would be complicated breaking  
> away from a virtual machine and this is not a common setup I do not  
> think a generic attack/worm/trojan would be able to do any harm.
> 
> Also, I'm running Firefox for browsing but since it's common to get  
> PDF files I have installed along a PDF viewer as well. And sometimes I  
> want to print documents so I installed cups (fortunately everything  
> works on OpenBSD as expected, thanks by the way!). Firefox, a PDF  
> viewer and cups have a lot of dependencies, and I have not tried yet  
> to forward sound so my Firefox is soundless. And Firefox alone eats  
> lots of memory, I have reserved for this VM one gigabyte of RAM.
> 
> To me that's one of the biggest virtual machines I have, and very  
> likely would make a big jail. If I wanted to do it the OpenBSD way  
> (the one I imagine) I would reserve an old laptop or netbook and put  
> there OpenBSD with Firefox and friends instead of setting up a big and  
> complicated jail.
> 
> -- 
> Best regards,
> Jorge Lopez.

you have a point about it being complicated, which is why i said i don't think
it would work with firefox. i mention already that i had trouble with a few
simpler ports like qiv.

and physical separation on its own machine is probably the best practice anyway
(i use physical separation for security myself). but there may be cases where
one may not be able to dedicate a whole machine to it, and it's something. it
depends on one's use case. hence my statement above 'for some things'. firefox
isn't in my use case. physical separation would be more difficult for one of my
main use cases, reading pdfs on my desktop. and not everybody always has access
to such resources.

the intent though was to make it possible to run any code, and also to use
openbsd base, as that is a more trusted code base to build upon (ssh -X,
chroot).

one use is xpdf for instance. (which is only about ~135M of space, a good half
of that X11 fonts). some do get bigger, like djview4 which has 70 packages
and ~712M space. (i also use it for w3m, since one must be particularly careful
with browsers given QUANTUMINSERT and the like.) as to RAM, this wouldn't take
hardly any more than is already used.

and it is much less complicated with scripts (i already invested time in them
so i don't have to invest it later setting them up (and making mistakes)). it's
a single command now. i also have scripts that automate starting up/taking down
Xephyr and launching the proper account/commands (i just type 'open file' and
everything is already done for me.)

the beauty of scripts (and unix).



Re: isolating untrusted programs in ssh chroot jails

2015-03-19 Thread dan mclaughlin
On Thu, 19 Mar 2015 20:08:34 +0800 "Jeff St. George"  wrote:
> You said at beginning of your comments "now i don't use
> firefox (or any 'modern browser)"
>may I ask which browser you like to use? And for what reasons?
> 
> thanks in advance
> 

like in the examples, i use w3m. which is one of the reasons i wanted to make
this jail, since i don't trust the code at all. the reasons why, well, i'm an
old unix guy, who still spends most of his time in a text console! there is
also the bloat. my machines are too old to run firefox even if i wanted to
(i tried some years ago with a livecd project i was doing, and i could not
believe how SLOW it was).

i use my computer mostly to read anyway, and unless there is a pdf i cannot
convert, i have little need of graphics at all (mostly my own nature photos/
videos). besides, its also much quicker without all of those pictures. if i
choose, i can view the one photo i want (which pops up in the Xephyr window).



Re: isolating untrusted programs in ssh chroot jails

2015-03-19 Thread dan mclaughlin
here are the scripts i wrote to make this easier. these really were made
for my own use, but i hope others may find them useful. i would be
interested to know if anyone else actually does find them useful. would
also be glad to know of any errors/problems/things that can go wrong i
didn't think of.


the first one (jail_new) creates a new jail (and possibly the user).
the second one (jail_pkgadd) adds a package and its dependencies to an
existing jail. they are expected to be in the same directory (jail_new
cannot add packages (-p) otherwise).

to relate to my earlier examples:

$ jail_new -tu _inmate:_chaingang /home/jail

will create the jail in /home/jail and also the user _inmate and group
_chaingang. this case it will be just be a regular shell account (just
chrooted).

$ jail_new -t _inmate:_chaingang /home/jail

will create the jail, but will not create the user:group.


a real case:

$ jail_new -tux -k /home/null/.ssh/id_rsa.pub -p w3m,feh:/usr/release/pkg browse /home/browse w3m -B

this command sets up the terminal (-t) and X (-x) in a directory (here
/home/browse), creates a user (-u) (in this case 'browse'), uses the given
key file (-k) for the authorized keys, installs the packages (-p) w3m and
feh (and all of their dependencies) from directory /usr/release/pkg, and
sets 'w3m -B' to run automatically via ForceCommand in sshd_config.

this is the equivalent of:

$ jail_new -tux -k /home/null/.ssh/id_rsa.pub browse /home/browse w3m -B
$ jail_pkgadd -p /usr/release/pkg w3m /home/browse
$ jail_pkgadd -p /usr/release/pkg feh /home/browse

if you want bzip2 in there as well, you can always add it later:

$ jail_pkgadd -p /usr/release/pkg bzip2 /home/browse

or, if PKG_PATH is set (and not remote) you can omit -p

$ jail_pkgadd bzip2 /home/browse

if PKG_PATH is set, and is remote, you need:

$ jail_pkgadd -r bzip2 /home/browse

(note: will only allow a single directory for PKG_PATH)

this can be used by running:

$ Xephyr :1 & env DISPLAY=:1 ssh -X browse@localhost

(side note: w3m runs 'display' to display an image, so i create a symlink
to feh to view images)


another case:

$ jail_new -tuxr -k /home/null/.ssh/id_rsa.pub -p xpdf:scp://null@node02/usr/release/pkg pdf /home/pdf

you need to specify -r (remote) directly to use remote pkg src.

which is the equivalent of:

$ jail_new -tux -k /home/null/.ssh/id_rsa.pub pdf /home/pdf
$ jail_pkgadd -r -p scp://null@node02/usr/release/pkg xpdf /home/pdf

which can be used:

$ cp test.pdf /home/pdf/tmp
$ Xephyr :1 & env DISPLAY=:1 ssh -X browse@localhost xpdf -fullscreen /tmp/test.pdf

(in this case it may be best not to use ForceCommand, since you may want to
open multiple documents.)


WARNING use at your own peril. if you can't read the scripts, you probably
shouldn't use them, and then i am certain there are other glaring security
flaws you need to know about. i include these because it is a dull pain in
the ass to do this manually, and hopefully someone may get some use out of
them.

other than that, do with it what you wish.

they are as fool-proof as i could make them, so that i don't shoot myself in
the foot accidentally (and i have been around long enough to have done that a
few times, even while being careful). but you never know.

jail_new:
--
#!/bin/ksh
USAGE="${0##*/} [-jrtux] [-k authkeys] [-p pkg[,pkg2...][:pkgpath]] user[:group] path [cmd [args ...]]"
[[ "$1" = -h ]] && { echo "USAGE $USAGE"; return 0; }

#-t sets PermitTTY and copies files for term
#-x sets X11Forwarding and copies files for X (fonts,xauth)
#-u creates user; fails if user exists
#-j joins group; needed to join existing group
#-p pkg[,pkg2...][:pkgpath]
#-r allows remote pkg access
#uses existing PKG_PATH
#pkgpath arg overrides PKG_PATH

#only accepts a lone pkgpath

PATH=/sbin:/bin:/usr/sbin:/usr/bin

echov() {  eval echo \"\$$1\";  }
isemptyv() {  eval [ \${#$1} -eq 0 ];  }
notemptyv() {  eval [ \${#$1} -gt 0 ];  }
alias xt='set -o xtrace'
alias xt-='set +o xtrace'

if [ $(id -u) -eq 0 ];then
  echo "ERR cannot run as root"
  return 1
fi

_sshd_config=/etc/ssh/sshd_config
_sshd_config_tmp=/tmp/sshd_config

trap "rm -f $_sshd_config_tmp" 0 2

#for convenience
_fontdir=/usr/X11R6/lib/X11/fonts
_terminfo=/usr/share/misc/terminfo.db
_termcap=/usr/share/misc/termcap

_do_x=no
_do_tty=no
_do_useradd=
_do_joingrp=
_do_remote=
_authkeys=
_pkg=
_pkgpath=
_userhome=/home/cell
while getopts :jrtuxk:p: _opt;do
  case "$_opt" in
j) _do_joingrp=yes ;;
r) _do_remote=-r ;;
t) _do_tty=yes ;;
u) _do_useradd=yes ;;
x) _do_x=yes ;;
k) _authkeys=$OPTARG
   if [ ! -f "$_authkeys" ];then
 echo "ERR no such file '$_authkeys'"
 return 1
   fi
   ;;
p) _pkg=$OPTARG
   if [[ "$_pkg" = *:* ]];then
 _pkgpath=${_pkg#*:}
 _pkg=${_pkg%%:*}
 export PKG_PATH=$_pkgpath
   else
 if isemptyv PKG_PATH;then
   echo "ERR PKG_PATH not set and none given"
 

isolating untrusted programs in ssh chroot jails

2015-03-19 Thread dan mclaughlin
there seems to be some interest in this, so i thought i would post my notes,
made more presentable.

here i detail ways to use ssh to restrict access to the filesystem as well as
X, mitigating the 'security nightmare' that is X11, not to mention preventing
possible leaking of local data. this uses more proven code so may be better
than eg virtualization for some things.

comments/questions/corrections/etc welcome. i'm sure i missed something.

this subject of isolating untrusted programs has been coming up recently,
though mostly in regards to web browsers (firefox, xombrero). now i don't use
firefox (or any 'modern browser'), but other X programs i have tested work
fine (xpdf mplayer xloadimage djview4 feh).  there are some that don't seem
to work that i haven't tracked down the exact cause yet (qiv zathura; something
to do with glib). this works well with w3m+feh for me though.

if someone is ambitious enough to try firefox, for a start, they should read
faq 10.16 which has a basic method of working out dependencies, though i've
expanded on that here.

also Johnathon Thornburg's work here saved me some time, and gets into the
security issues:
  http://marc.info/?l=openbsd-misc&m=141616701418506&w=1

still, i'm not sure you can do this for firefox, but this may get you started.
if not, your best bet may be J. Thornburg's method here:
  https://marc.info/?l=openbsd-misc&m=141867559504962&w=2
which you should read anyway.

much of the rest of the information is spread around various man pages (eg
sshd_config(5))

also note Xephyr is required for some programs using 'ssh -X' eg xpdf


0. intro

for simplicity, i will be setting up a single jail for multiple programs.
you could isolate each program with its own user and jail. one issue though
would be that many dependencies would be duplicated. on the other hand you
could then use ssh's ForceCommand.

for future reference, i will assume there is a user:

/etc/passwd:
_inmate:*:::public jail account:/home/cell:/bin/sh

/etc/group:
_chaingang:*::


1. setting up ssh to chroot:

you need to add an entry like the following to /etc/ssh/sshd_config:

Match User _inmate
   ChrootDirectory /home/jail
   AuthorizedKeysFile /home/jail.authorized_keys
   X11Forwarding yes
   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand xpdf /tmp/*pdf
 
you may have to tweak this a bit depending on your use.

if you are using X11 programs you will need "X11Forwarding yes"

if you are using a terminal (eg a console web browser) you may need "PermitTTY
yes". (some X programs also require a terminal for some functions eg mplayer).

if you are using a single command, you will want to use ForceCommand.

remember also that the authorized_keys file must be owned by _inmate, but
in the above example i keep it outside of the jail so the user doesn't have
access.

N.B. remember that when the user's directory is processed, the home directory
in /etc/passwd will be appended to the above ChrootDirectory. in our example,
the ChrootDirectory is /home/jail and the user _inmate's home directory in
/etc/passwd is /home/cell, which ssh will combine into /home/jail/home/cell.

example using ForceCommand:

Match User _inmate
   ChrootDirectory /home/jail
   AuthorizedKeysFile /home/jail.authorized_keys
   X11Forwarding no
   AllowTcpForwarding no
   PermitTTY yes
   ForceCommand w3m -B


2. setting up basic chroot filesystem

there are some files you need in the chroot in order for various programs to
function, at a minimum you need shared library support and the user's homedir:

essential user files
  /home/jail/home/cell/
  /home/jail.authorized_keys
(must be owned by user ie _inmate)

NOTE: all following files are relative to chroot directory ($_chroot), in
this case /home/jail. for the most part you can 'cp -p file $_chroot/file'.

to handle shared libs (required):
  /sbin/ldconfig
  /usr/libexec/ld.so
  /var/run/
after these files are installed, you will need to run ldconfig
  $ chroot $_chroot ldconfig /usr/{,X11R6,local}/lib
which will create /var/run/ld.so.hints.

basic directories that are needed:
  /bin
  /sbin
  /etc
  /usr/{,X11R6,local}/lib
  /tmp

and since we are going to be installing packages, create:
  /var/db/pkg/

to run X you will need a minimum:
  /etc/fonts/
  /usr/X11R6/lib/X11/fonts/
  /usr/X11R6/bin/xauth

you will also need the shared libraries xauth depends on:

  $ ldd /usr/X11R6/bin/xauth
  /usr/X11R6/bin/xauth:
          Start    End      Type Open Ref GrpRef Name
          1669e000 366a3000 exe  1    0   0      /usr/X11R6/bin/xauth
          09606000 2960a000 rlib 0    2   0      /usr/X11R6/lib/libXau.so.10.0
          0b3fd000 2b401000 rlib 0    1   0      /usr/X11R6/lib/libXext.so.13.0
          0e418000 2e41c000 rlib 0    1   0      /usr/X11R6/lib/libXmuu.so.6.0
          0092e000 209ad000 rlib 0    3   0      /usr/X11R6/lib/libX11.so.16.0
          0b40b000 2b43b000 rlib 0    1   0      /usr/

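sections 1 and 2 above are one procedure, so here is a script that carries it out end to end. it is an added example, not part of the original post: the helper names (mkjail.sh, ldd_libs, sshd_match_block, jail_cp, jail_bin, build), the list of programs copied into the jail (/bin/sh and xauth) and the embedded sample of ldd(1) output are mine; the paths, the Match block and the ldconfig step are the ones given above. it also does two things the notes leave implicit: it makes sure the chroot directory itself is root-owned and not group/world writable, which sshd requires before it will honour ChrootDirectory, and it creates the basic /dev nodes that sshd_config(5) says interactive sessions need (done here with MAKEDEV, which writes the nodes into the current directory).

```shell
#!/bin/sh
# mkjail.sh: build the sshd chroot from sections 1 and 2 (OpenBSD).
# Added example, not from the original post.  Run as root:  sh mkjail.sh build
# With no argument nothing is touched, so the helpers can be sourced and tested.
set -eu

CHROOT=/home/jail                  # ChrootDirectory in sshd_config
JAILUSER=_inmate                   # the jailed account
JAILHOME=/home/cell                # its homedir from /etc/passwd, relative to CHROOT
KEYS=/home/jail.authorized_keys    # deliberately kept outside the chroot
JAILBINS="/bin/sh /usr/X11R6/bin/xauth"   # programs the user gets (assumption)

# Filter OpenBSD ldd(1) output down to the shared libraries it lists:
# the header and the "exe" line are skipped, field 7 is the path.
ldd_libs() {
    awk '$3 == "rlib" || $3 == "dlib" { print $7 }'
}

# Constructed sample of ldd output (same shape as the xauth listing above)
# so ldd_libs can be exercised without an OpenBSD box.
LDD_SAMPLE='/usr/X11R6/bin/xauth:
        Start    End      Type Open Ref GrpRef Name
        1669e000 366a3000 exe  1    0   0      /usr/X11R6/bin/xauth
        09606000 2960a000 rlib 0    2   0      /usr/X11R6/lib/libXau.so.10.0
        0b3fd000 2b401000 rlib 0    1   0      /usr/X11R6/lib/libXext.so.13.0'

demo_libs() { printf '%s\n' "$LDD_SAMPLE" | ldd_libs; }

# Emit the sshd_config Match block.  $1 user, $2 chroot dir, $3 keys file,
# $4 optional ForceCommand: with it X11 is off and a tty is allowed (the w3m
# case above); without it X11 forwarding is on (the xpdf case).
sshd_match_block() {
    printf 'Match User %s\n   ChrootDirectory %s\n   AuthorizedKeysFile %s\n' "$1" "$2" "$3"
    printf '   AllowTcpForwarding no\n'
    if [ -n "${4:-}" ]; then
        printf '   X11Forwarding no\n   PermitTTY yes\n   ForceCommand %s\n' "$4"
    else
        printf '   X11Forwarding yes\n'
    fi
}

# cp -p a file into the chroot, creating its parent directory first.
jail_cp() {
    mkdir -p "$CHROOT$(dirname "$1")"
    cp -p "$1" "$CHROOT$1"
}

# Copy a program plus every library ldd reports for it.  Static binaries
# such as /bin/sh make ldd exit non-zero, which is harmless here.
jail_bin() {
    jail_cp "$1"
    ldd "$1" 2>/dev/null | ldd_libs | sort -u | while read -r lib; do jail_cp "$lib"; done
}

build() {
    for d in bin sbin etc tmp dev var/run var/db/pkg usr/lib usr/X11R6/lib usr/local/lib "$JAILHOME"; do
        mkdir -p "$CHROOT/$d"
    done
    # sshd refuses the chroot unless it and every parent are root-owned and
    # not group/world writable (sshd_config(5), ChrootDirectory).
    chown root:wheel "$CHROOT"; chmod 755 "$CHROOT"
    chmod 1777 "$CHROOT/tmp"
    chown "$JAILUSER" "$CHROOT$JAILHOME"
    # key file: owned by the user and writable by nobody else, or StrictModes rejects it
    touch "$KEYS"; chown "$JAILUSER" "$KEYS"; chmod 600 "$KEYS"

    # shared library support, then the programs, then the hints file
    jail_cp /sbin/ldconfig
    jail_cp /usr/libexec/ld.so
    for b in $JAILBINS; do jail_bin "$b"; done
    chroot "$CHROOT" /sbin/ldconfig /usr/lib /usr/X11R6/lib /usr/local/lib
    # interactive sessions need basic device nodes (sshd_config(5));
    # MAKEDEV creates them in the current directory
    (cd "$CHROOT/dev" && sh /dev/MAKEDEV std)

    # Match blocks go at the end of sshd_config; add ours once, then syntax-check
    grep -q "^Match User $JAILUSER" /etc/ssh/sshd_config ||
        sshd_match_block "$JAILUSER" "$CHROOT" "$KEYS" >> /etc/ssh/sshd_config
    sshd -t
}

case "${1:-}" in build) build ;; esac
```

without the build argument the script only defines its functions, so ldd_libs and sshd_match_block can be checked on any box before it is run as root on the target. for a ForceCommand jail pass the command as the fourth argument to sshd_match_block; for X programs leave it off and add the fonts and xauth pieces listed above to JAILBINS and the directory list.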
Re: Autoinstall without PXE.

2015-03-13 Thread dan mclaughlin
On Sat, 14 Mar 2015 02:27:56 + Raf Czlonka  wrote:
> On Fri, Mar 13, 2015 at 09:02:23PM GMT, Joshua Smith wrote:
> 
> > Hello misc@,
> 
> Hi Joshua,
> 
> > Looking around the man pages for 5.6 and -current it doesn't seem like
> > it, but is it possible to perform an autoinstall/autoupgrade with out
> > utilizing pxe and an http server.
> > 
> > I would like to put the autoinstall/autoupgrade file on a usbkey or
> > embed it on a custom cd.
> 
> Well, probably not the way you have in mind (i.e. full autoinstall) as
> you still have to point the installer to the "{install,upgrade}.conf"
> manually: i.e. choose (A) for autoinstall, it'll then fail, escape to
> shell, mount the disk with your config file, go back to the installer
> and point it to the file - the rest of the installation/upgrade is then
> fully automatic.
> 
> I use a 3-line (that includes a keyboard layout) 'upgrade.conf' to
> upgrade to new snapshots.
> 
> Regards,
> 
> Raf
> 

there is a better way using rdsetroot to actually put the *.conf files in the
bsd.rd kernel itself. it was discussed previously here:

https://marc.info/?l=openbsd-misc&m=141552533922277&w=2



Re: GPU error: i915_hangcheck_hung on ThinkPad x201

2015-03-09 Thread dan mclaughlin
i have the same error, except my system hangs. i just reported this to bugs@,
you may want to keep an eye there:

https://marc.info/?l=openbsd-bugs&m=142590300129925&w=2

On Fri, 6 Mar 2015 14:21:03 -0500 (EST) Charlie  wrote:
> Hi,
> 
> I run OpenBSD 5.6-stable on a Lenovo x201 (patched to the latest errata - 
> 016). I use XFCE as my desktop environment. Every so often when I am 
> moving a window, specifically trying to snap it to the left-hand side of 
> my screen, X freezes up for a few seconds, and the following message is 
> printed to the console:
> 
> error: [drm:pid31847:i915_hangcheck_hung] *ERROR* Hangcheck timer 
> elapsed... GPU hung
> error: [drm:pid31847:i915_hangcheck_hung] *ERROR* Hangcheck timer 
> elapsed... GPU hung
> error: [drm:pid31975:i915_reset] *ERROR* GPU hanging too fast, declaring 
> wedged!
> error: [drm:pid31975:i915_reset] *ERROR* Failed to reset chip.
> 
> After this occurs, everything continues working, but X is laggy, 
> especially in certain applications. The best fix I've found is to reboot 
> the system.
> 
> This appears to be the only relevant entry from /var/log/Xorg.0.log:
> 
> [ 62471.544] (EE) intel(0): Detected a hung GPU, disabling acceleration.
> 
> If I can provide any further information that might lead to fixing this 
> problem, I will be happy to do so.
> 
> Thank you!
> 
> Charlie