Re: sudo and globbing

2016-01-08 Thread Alexey Kurinnij
And what about the difference? Explain, please.

On Thu, Jan 7, 2016 at 7:03 PM, Jiri B  wrote:

> On Thu, Jan 07, 2016 at 11:43:14AM -0500, Jiri B wrote:
> > I discovered an article about sudo and globbing[1] and
> > there's a difference in how it works on Linux and OpenBSD.
>
> I forgot to put the url
>
> http://zurlinux.com/?p=2244
>
> > - openbsd
> >
> > # su -s /usr/local/bin/bash - nobody
> > No home directory /nonexistent!
> > Logging in with home = "/".
> > -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
> > -rw-------  1 _tor  _tor    20442 Dec 10 11:32 /var/tor/cached-certs
> > -rw-------  1 _tor  _tor  1409287 Jan  7 15:56 /var/tor/cached-microdesc-consensus
> > -rw-------  1 _tor  _tor  5107307 Jan  7 17:23 /var/tor/cached-microdescs
> > -rw-------  1 _tor  _tor        0 Jan  7 17:23 /var/tor/cached-microdescs.new
> > -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
> > .cshrc   .profile altroot  bin  bsd  bsd.rd   bsd.sp   dev  etc  home mnt  root sbin sys  tftpboot tmp  usr  var
> >
> > - linux
> >
> > [root@slot-1 ~]# su -s /bin/bash nobody
> > bash-4.2$ exit
> > [root@slot-1 ~]# visudo
> > [root@slot-1 ~]# su -s /bin/bash nobody
> > bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
> > -rw-------. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache
> > bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
> > -rw-------. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache



kernel panic athn0

2014-11-11 Thread Alexey Kurinnij
Kernel panic on athn0 when I do
`sudo ifconfig athn0 scan`
or
`sudo ifconfig athn0 inet 192.168.10.1 255.255.255.0 mediaopt hostap nwid mynwid wpakey 1qaz1qaz up`
or
`sudo ifconfig athn0 up`

ifconfig
athn0: flags=28802<BROADCAST,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:00:ef:be:ad:de
priority: 4
groups: wlan
media: IEEE802.11 autoselect
status: no network
ieee80211: nwid 

pcidump
Domain /dev/pci0:
 0:0:0: AMD AMD64 14h Host
 0:1:0: ATI Radeon HD 6320
 0:1:1: ATI Radeon HD 6310 HD Audio
 0:4:0: AMD AMD64 14h PCIE
 0:17:0: ATI SBx00 SATA
 0:18:0: ATI SB700 USB
 0:18:2: ATI SB700 USB2
 0:19:0: ATI SB700 USB
 0:19:2: ATI SB700 USB2
 0:20:0: ATI SBx00 SMBus
 0:20:2: ATI SBx00 HD Audio
 0:20:3: ATI SB700 ISA
 0:20:4: ATI SB600 PCI
 0:20:5: ATI SB700 USB
 0:21:0: ATI SB800 PCIE
 0:21:1: ATI SB800 PCIE
 0:21:2: ATI SB800 PCIE
 0:21:3: ATI SB800 PCIE
 0:22:0: ATI SB700 USB
 0:22:2: ATI SB700 USB2
 0:24:0: AMD AMD64 14h Link Cfg
 0:24:1: AMD AMD64 14h Address Map
 0:24:2: AMD AMD64 14h DRAM Cfg
 0:24:3: AMD AMD64 14h Misc Cfg
 0:24:4: AMD AMD64 14h CPU Power
 0:24:5: AMD AMD64 14h Reserved
 0:24:6: AMD AMD64 14h NB Power
 0:24:7: AMD AMD64 14h Reserved
 3:0:0: Atheros AR9300
 4:0:0: Realtek 8168
 5:0:0: ASMedia ASM1083/1085 PCIE-PCI
 6:1:0: Realtek 8169
 6:2:0: VIA VT6306 FireWire
 7:0:0: ASMedia ASM1042 xHCI

OpenBSD/amd64 (router.local.lan) (tty00)

login: panic: kernel diagnostic assertion "pin < sc->ngpiopins" failed: file "../../../../dev/ic/ar9003.c", line 512
Stopped at  Debugger+0x9:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
IF RUNNING SMP, USE 'mach ddbcpu #' AND 'trace' ON OTHER PROCESSORS, TOO.
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0} trace
Debugger() at Debugger+0x9
panic() at panic+0xfe
__assert() at __assert+0x25
ar9003_gpio_write() at ar9003_gpio_write+0x9d
athn_init() at athn_init+0xfb
athn_ioctl() at athn_ioctl+0x1e6
in_ifinit() at in_ifinit+0xee
in_control() at in_control+0x574
ifioctl() at ifioctl+0x201
sys_ioctl() at sys_ioctl+0x169
syscall() at syscall+0x297
--- syscall (number 54) ---
end of kernel
end trace frame: 0x53bb20, count: -11
acpi_pdirpa+0x3fc50a:
ddb{0} ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT         COMMAND
* 1313  22629   1313      0  7         0x3               ifconfig
 22629   1819  22629   1000  3        0x8b  pause        ksh
 19651  23472   6931   1000  3        0x83  ttyin        more
 23472   6931   6931   1000  3        0x8b  pause        sh
  6931  12554   6931   1000  3        0x83  wait         man
 12554   1819  12554   1000  3        0x8b  pause        ksh
  1819      1   1819   1000  3        0x80  kqread       tmux
 28809   5207  28809   1000  3        0x83  kqread       tmux
  5207  27936   5207   1000  3        0x8b  pause        ksh
 27936  13045  13045   1000  3        0x90  select       sshd
 13045  25024  13045      0  3        0x92  poll         sshd
  2078      1   2078      0  3        0x83  ttyin        getty
 17304      1  17304      0  3        0x83  ttyin        getty
  2330      1   2330      0  3        0x83  ttyin        getty
 24689      1  24689      0  3        0x83  ttyin        getty
 26914      1  26914      0  3        0x83  ttyin        getty
 16989      1  16989      0  3        0x83  ttyin        getty
 14046      1  14046      0  3        0x80  select       cron
 10830      1  10830      0  3        0x80  nanosleep    sensorsd
  5153      1   5153      0  3        0x80  kqread       apmd
 27414      1  27414     99  3        0x90  poll         sndiod
 26709   7533   7533     95  3        0x90  kqread       smtpd
 17924   7533   7533     95  3        0x90  kqread       smtpd
 17176   7533   7533     95  3        0x90  kqread       smtpd
 15696   7533   7533     95  3        0x90  kqread       smtpd
 27629   7533   7533     95  3        0x90  kqread       smtpd
  9046   7533   7533    103  3        0x90  kqread       smtpd
  7533      1   7533      0  3        0x80  kqread       smtpd
  4849      1   4849     77  3        0x90  poll         dhcpd
 25024      1  25024      0  3        0x80  select       sshd
 29737  21956  28576     83  3        0x90  poll         ntpd
 21956  28576  28576     83  3        0x90  poll         ntpd
 28576      1  28576      0  3        0x80  poll         ntpd
 19213  19275  19275     70  3        0x90  select       named
 19275      1  19275      0  3        0x90  netio        named
 10253   2257   2257     74  3        0x90  bpf          pflogd
  2257      1   2257      0  3        0x80  netio        pflogd
  5672  12619  12619     73  3        0x90  poll         syslogd
 12619      1  12619      0  3        0x80  netio        syslogd
  8519      1   8519     77  3        0x90  poll         dhclient
  7102      1   7102      0  3        0x80  poll         dhclient
 28382      0      0      0  3     0x14200  bored

Re: kernel panic athn0

2014-11-11 Thread Alexey Kurinnij
Sorry, in the first message the ddb output was only for one processor. This is fresh output for both:

# ifconfig athn0 up
panic: kernel diagnostic assertion "pin < sc->ngpiopins" failed: file "../../../../dev/ic/ar9003.c", line 512
Stopped at  Debugger+0x9:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
IF RUNNING SMP, USE 'mach ddbcpu #' AND 'trace' ON OTHER PROCESSORS, TOO.
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{1} trace
Debugger() at Debugger+0x9
panic() at panic+0xfe
__assert() at __assert+0x25
ar9003_gpio_write() at ar9003_gpio_write+0x9d
athn_init() at athn_init+0xfb
athn_ioctl() at athn_ioctl+0x1e6
ifioctl() at ifioctl+0xb18
sys_ioctl() at sys_ioctl+0x169
syscall() at syscall+0x297
--- syscall (number 54) ---
end of kernel
end trace frame: 0x7f7bcca0, count: -9
acpi_pdirpa+0x3fc50a:
ddb{1} mach ddbcpu 0
Stopped at  Debugger+0x9:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
IF RUNNING SMP, USE 'mach ddbcpu #' AND 'trace' ON OTHER PROCESSORS, TOO.
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0} trace
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x64
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1b
--- interrupt ---
Bad frame pointer: 0x80001ce45c08
end trace frame: 0x80001ce45c08, count: -3
__mp_lock+0x42:
ddb{0} ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT         COMMAND
 19450  13014  19450      0  7         0x3               ifconfig
 13014      1  13014      0  3        0x8b  pause        ksh
 25598      1  25598      0  3        0x83  ttyin        getty
 18456      1  18456      0  3        0x83  ttyin        getty
 11661      1  11661      0  3        0x83  ttyin        getty
   916      1    916      0  3        0x83  ttyin        getty
  6800      1   6800      0  3        0x83  ttyin        getty
 26728      1  26728      0  3        0x80  select       cron
  3038      1   3038      0  3        0x80  nanosleep    sensorsd
 19379      1  19379      0  3        0x80  kqread       apmd
 12318      1  12318     99  3        0x90  poll         sndiod
 10631  30214  30214     95  3        0x90  kqread       smtpd
  9723  30214  30214     95  3        0x90  kqread       smtpd
 20447  30214  30214     95  3        0x90  kqread       smtpd
 32443  30214  30214     95  3        0x90  kqread       smtpd
 10158  30214  30214     95  3        0x90  kqread       smtpd
 26620  30214  30214    103  3        0x90  kqread       smtpd
 30214      1  30214      0  3        0x80  kqread       smtpd
 25074      1  25074     77  3        0x90  poll         dhcpd
  5058      1   5058      0  3        0x80  select       sshd
 13567  28172     22     83  3        0x90  poll         ntpd
 28172     22     22     83  3        0x90  poll         ntpd
    22      1     22      0  3        0x80  poll         ntpd
 12313  17356  17356     70  3        0x90  select       named
 17356      1  17356      0  3        0x90  netio        named
 13591  11643  11643     74  3        0x90  bpf          pflogd
 11643      1  11643      0  3        0x80  netio        pflogd
 22160  30463  30463     73  3        0x90  poll         syslogd
 30463      1  30463      0  3        0x80  netio        syslogd
*16977      1  16977     77  7        0x90               dhclient
 26597      1  26597      0  3        0x80  poll         dhclient
 27019      0      0      0  3     0x14200  bored        ttm_swap
 27833      0      0      0  3     0x14200  aiodoned     aiodoned
 13860      0      0      0  3     0x14200  syncer       update
 12987      0      0      0  3     0x14200  cleaner      cleaner
 29718      0      0      0  3     0x14200  reaper       reaper
  9873      0      0      0  3     0x14200  pgdaemon     pagedaemon
 30462      0      0      0  3     0x14200  bored        crypto
     2      0      0      0  3     0x14200  pftm         pfpurge
 31001      0      0      0  3     0x14200  bored        sensors
 14441      0      0      0  3     0x14200  usbtsk       usbtask
 13312      0      0      0  3     0x14200  usbatsk      usbatsk
 16136      0      0      0  3  0x40014200  acpi0        acpi0
 27548      0      0      0  3  0x40014200               idle1
 20115      0      0      0  3     0x14200  bored        systqmp
 11558      0      0      0  3     0x14200  bored        systq
 14960      0      0      0  3     0x14200  bored        syswq
 14541      0      0      0  3  0x40014200               idle0
     1      0      1      0  3        0x82  wait         init
     0     -1      0      0  3     0x10200  scheduler    swapper
ddb{0}



match in nat-to rule

2014-05-19 Thread Alexey Kurinnij
The nat-to rule does not work with match, but works with pass:
match out quick on egress inet from !(egress:network) to any nat-to (egress:0) - does not work
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0) - works
Today I installed 5.5 and copied the old pf.conf to the new system, and removed the queueing
rules, but NAT does not work with this config.
I removed all restriction rules and put accept all outgoing on both
interfaces and all input on the internal interface.
What am I doing wrong?

# cat /etc/pf.conf
# macros
int_if=re0
ext_if=rl0

tcp_ext_services={ 22, 443, 51413 }
tcp_int_services={ 22, 53, 80 }
udp_int_services={ 53, 69 }
icmp_types=echoreq

# options
set block-policy drop
set skip on lo

# match rules
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0)
match in on egress proto tcp from !$int_if to (egress) port 443 \
rdr-to (egress) port 22
# filter rules
block log
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types

# filter rules for (egress)
pass in on egress inet proto tcp from any to (egress) \
port $tcp_ext_services
pass out on egress from (egress)

# filter rules for $int_if
pass in on $int_if proto tcp from $int_if:network to $int_if port $tcp_int_services
pass in on $int_if proto udp from $int_if:network to $int_if port $udp_int_services
pass in on $int_if from $int_if:network to !$int_if

pass out on $int_if to $int_if:network



Re: Acer aspire one 722 snapshot

2014-02-21 Thread Alexey Kurinnij
I installed 5.3 i386 and ZZZ works. On 5.3 and 5.4 amd64 ZZZ does not work. Now I am
downloading the 5.5 i386 snapshot and will test it soon.


2014-02-18 0:04 GMT+02:00 Alexey Kurinnij alexey.kurin...@gmail.com:

 2014-02-17 9:29 GMT+02:00 Mike Larkin mlar...@azathoth.net:

 On Sun, Feb 16, 2014 at 11:46:47AM +0200, Alexey Kurinnij wrote:
  I saw a recent thread about ZZZ and installed a snapshot for tests.
 

 What thread was this asking about testing 'ZZZ' ?

 We had a thread asking about testing 'zzz', but that is completely
 different than 'ZZZ'.

 Sorry, I missed the thread name and made a mistake. I know about the difference
 between zzz and ZZZ.
 Anyway, both do not work and I want to make some tests.

 I don't understand what is said below, did 'ZZZ' work before? And if so,
 when did it start not working?

 -ml

 Today I tried ZZZ with 5.4 amd64 and it does not work. Tomorrow I will try
 with i386.



Re: Acer aspire one 722 snapshot

2014-02-21 Thread Alexey Kurinnij
ZZZ and zzz work in the 5.5 i386 snapshot, and do not work on amd64 at all.




Re: SSH and nopty

2014-02-18 Thread Alexey Kurinnij
I did this in sshd_config:

Match User myuser
ForceCommand tail -f /home/myuser/1


$ cat /home/t/1

···
hellooo

2014-02-17 16:59 GMT+02:00, Raimo Niskanen raimo+open...@erix.ericsson.se:
 On Mon, Feb 17, 2014 at 02:21:45PM +, Richard Heasman wrote:
 Good afternoon,

 Firstly, thanks for your ongoing development and good work.

 I have a question that I would like to pose to you, as I have not found
 any satisfactory answer despite long research.

 Background:
 We use ssh keys to distribute code and run commands. These are
 appropriately controlled and logged. However I wish to stop
 users/administrators using these as a back-door to the other systems. I
 have configured the notty option on the authorised_keys file, yet this
 still does not prevent the following:

 ssh SERVER ksh

 This will not return a prompt but will allow commands to be run
 interactively.

 Do you have any recommendation / setting that would prevent this?

 It seems you have to disallow the use of any command over ssh.

 One way is to force the command via authorized_keys (see sshd(8))
 into a trusted program, e.g. /bin/sh or /bin/ksh in restricted mode
 and then limit that restricted shell's command set.


 Regards,

 Richard

 --

 / Raimo Niskanen, Erlang/OTP, Ericsson AB
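One way to build what Raimo describes above, a key forced into a trusted program that only allows a fixed set of commands, so that "ssh SERVER ksh" gets refused rather than an interactive command channel. This is an added example, not code from the thread; the authorized_keys line, the wrapper path and the two allowlisted "deploy" tasks are constructed placeholders.

```shell
#!/bin/sh
# Forced-command wrapper for an ssh deployment key (constructed example).
# The key's authorized_keys entry points every login at this script, e.g.
#   no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/usr/local/sbin/deploy-wrapper" ssh-ed25519 AAAA... deploy@ci
# sshd places whatever the client asked for in SSH_ORIGINAL_COMMAND; a request
# for a shell ("ssh SERVER ksh") or for no command at all never matches the
# allowlist below, so it is refused instead of being run.

# Print the program to run and return 0 if the request is allowed, else return 1.
# The two allowed tasks and their paths are placeholders for real deployment tools.
allow_request() {
    request=$1
    case $request in
        "deploy status")
            echo "/usr/local/bin/deploy-status" ;;
        "deploy pull "*)
            # exactly one argument, limited to a safe character set
            arg=${request#deploy pull }
            case $arg in
                ""|*[!A-Za-z0-9._-]*) return 1 ;;
            esac
            echo "/usr/local/bin/deploy-pull $arg" ;;
        *)
            return 1 ;;
    esac
}

# Entry point when installed: run the mapped program, or log and refuse.
main() {
    if cmd=$(allow_request "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t deploy-wrapper "allowed: $SSH_ORIGINAL_COMMAND"
        exec $cmd          # $cmd was built only from allowlisted parts
    fi
    logger -t deploy-wrapper "refused: ${SSH_ORIGINAL_COMMAND:-<shell request>}"
    echo "command not permitted" >&2
    exit 1
}

# Only dispatch when run as the installed wrapper, so the functions above can
# also be sourced and exercised on their own.
case $0 in
    */deploy-wrapper) main ;;
esac
```

Refusals land in syslog via logger, which gives the audit trail Richard asks for; anything not literally on the allowlist, including an empty command, is denied.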