Re: Purpose of primary and secondary user groups

2019-01-13 Thread Bryan Harris

On 12/30/2018 12:33 AM, Philip Guenther wrote:
> On Sat, Dec 29, 2018 at 11:29 AM Ipsen S Ripsbusker <
> ip...@ripsbusker.no.eu.org> wrote:
>
>> Aside from compatibility, what is the purpose of primary groups,
>> compared to secondary groups?
>>
>> Said otherwise, why do we have both primary and secondary groups
>> rather than only secondary groups?
>>
>> Yet another phrasing: Why do I need to set a primary group?
>
> Secondary groups can only be set, all at once, when running as root (e.g.,
> login, sshd), while the primary group can be altered by setgid binaries and
> then switched among using set*gid(2).
>
> For filesystem objects like files and directories, the BSD behavior is for
> the object to get its group from the directory in which it was created,
> ignoring the groups of the process that created it.  On more SysV-like
> systems the default is to take the primary group of the process that
> created it.  However, for objects that exist in the kernel but not the
> filesystem such as pipes, sockets, and SysV shared memory segments,
> semaphores, and message queues, the common behavior is to take the primary
> group of the process that created it.  This doesn't have much effect other
> than fstat() for pipes and sockets, but for SysV stuff it affects what
> operations processes can perform.
>
> Philip Guenther



Is there also a difference when creating a file in a folder with set GID 
bit on that folder and owned by secondary group? I think in normal 
behavior, if folder allows a user to create a file (sec. group w/ 770 
perm.) then the new file group will not take the group of the folder but 
will take the group of the user's primary group. But if you have set GID 
bit then the new file will take the group of the folder it's in (which 
will be one of the user's secondary groups).



I thought in OpenBSD there is also a flag to mount the filesystem to 
always do this regardless of set GID but I can't remember. I don't see 
it in the man page so maybe with all of this I'm really thinking of 
Linux but I can't remember.



V/r,

Bryan
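The group-inheritance behaviour discussed in this thread (a new file taking the directory's group under BSD semantics or under a setgid directory, versus the creating process's primary group under the SysV/Linux default) can be observed directly with the script below. It is an added example, not code from the thread or from OpenBSD; it assumes only POSIX sh plus id(1), ls(1), chgrp(1), chmod(1) and mktemp(1), and the function names are its own. It goes slightly beyond the thread in that it also reports which rule the running system follows when the setgid bit is absent.

```shell
#!/bin/sh
# Added example, not from the thread: which group does a new file get?
# Compares the creating process's primary group (id -g) and secondary
# groups (id -G) with the group a fresh file receives in a directory,
# with and without the setgid bit on that directory.

# Numeric gid of a path. POSIX ls -n puts the gid in field 4 on both GNU
# and BSD userlands, so there are no stat(1) flag differences to handle.
gid_of() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# A secondary gid this process belongs to, or nothing if it has none.
pick_secondary_gid() {
    p=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$p" ]; then
            echo "$g"
            return 0
        fi
    done
    return 0
}

# Make a fresh directory, give it group $2 when one is supplied (silently
# kept at our primary group if chgrp is refused), set the setgid bit when
# $1 is "setgid", create a file in it and print "<file gid> <dir gid>".
probe() {
    mode=$1
    dgid=$2
    d=$(mktemp -d) || return 1
    if [ -n "$dgid" ]; then
        chgrp "$dgid" "$d" 2>/dev/null || true
    fi
    if [ "$mode" = setgid ]; then
        chmod g+s "$d"
    fi
    : > "$d/probe"
    echo "$(gid_of "$d/probe") $(gid_of "$d")"
    rm -rf "$d"
}

# "yes" if a file created in a setgid directory takes the directory's
# group (expected on both BSD and Linux), "no" otherwise.
setgid_inherits_dir_group() {
    set -- $(probe setgid "$(pick_secondary_gid)")
    if [ "$1" = "$2" ]; then echo yes; else echo no; fi
}

# Rule followed without the setgid bit, using a directory whose group is
# one of our secondary groups so the two candidates differ:
#   primary       - file got the process's primary group (SysV/Linux default)
#   directory     - file got the directory's group (BSD default)
#   indeterminate - no usable secondary group, so they cannot be told apart
plain_rule() {
    sg=$(pick_secondary_gid)
    if [ -z "$sg" ]; then
        echo indeterminate
        return 0
    fi
    set -- $(probe plain "$sg")
    if [ "$2" = "$(id -g)" ]; then
        echo indeterminate
    elif [ "$1" = "$(id -g)" ]; then
        echo primary
    elif [ "$1" = "$2" ]; then
        echo directory
    else
        echo "other:$1"
    fi
}

# Human-readable summary for interactive use.
report() {
    echo "primary gid:    $(id -g)"
    echo "all gids:       $(id -G)"
    echo "without setgid: rule = $(plain_rule)"
    echo "with setgid:    inherits directory group? $(setgid_inherits_dir_group)"
}

report
```

Run it as an ordinary user who belongs to at least two groups to see the difference; on OpenBSD `plain_rule` reports `directory` even without the setgid bit, while a stock Linux mount reports `primary`.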



OpenIKED traffic question

2018-11-21 Thread Bryan Harris

Hello,

I have a semi-working vpn from Windows 10 client to OpenBSD 6.4
running iked using machine certificates authentication method.

When I connect to the VPN, I can ping from Win 10 to the ip address of
enc0 on the other side (10.1.0.2). Unbound is listening on that ip
address, and DNS queries from my Windows 10 machine get to the unbound
and work correctly.

Unfortunately, regular web browsing from the Windows 10 PC does not
work. It appears the VPN or else my pf rules are not directing the
traffic back out of the egress interface, but I can't figure out why.
Likewise if I start a ping to a public IP address while the VPN is
running, the ping doesn't work. I do have net.inet.ip.forwarding=1
enabled in /etc/sysctl.conf. If I do the same ping without the VPN,
it works fine.

I have tried a few things as I'm having trouble understanding
basic VPN concepts, and therefore I can't seem to understand what might
be the cause of the problem.

1. Put a line "from 0.0.0.0/0 to 10.2.0.0/24" into the configuration.
2. Remove the "configure address 10.2.0.1/24" line
3. Various incarnations with/without srcid or "local  peer any"
4. Turning off Windows firewall
5. Trying to pass more and more traffic through pf
6. Rearranging the match out...nat-to lines at the bottom of pf.conf

My iked.conf and pf.conf configurations are down below.

Also some info about the vpn ca and certificates--The server cert CN is
the server ip. It's also named the server ip. The Windows 10 cert is
just named desktop- and the CN is the same. The CA cert is on the
machine store Trusted Auth. The desktop- cert is on the machine
store Personal.

Is there anything obviously wrong in the configuration? Can anyone point
me in the direction of the mistake?

Any help would be greatly appreciated. Thanks in advance.

V/r,
Bryan

# $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
#
# See iked.conf(5) for syntax and examples.
ikev2 "win10" passive esp \
   from 10.1.0.0/24 to 10.2.0.0/24 \
   local any peer any \
   srcid ...OMITTED... \
   config address 10.2.0.1/24 \
   config name-server 10.1.0.2 \
   tag "$name-$id"


# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

ssh_nets="{ ...OMITTED... }"


set skip on { lo0, enc0 }
set limit table-entries 40

# rules for spamd(8)
table  persist
table  persist file "/etc/mail/common_domains_white"
table  persist file "/etc/mail/nospamd"
table  persist

block drop log all
antispoof for egress
match in all scrub (no-df max-mss 1440)

pass quick inet proto icmp icmp-type { echoreq, unreach }

pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
pass in on egress inet proto udp from any to egress:0 port 53
pass in on egress inet proto tcp from any to egress:0 \
    port { 53 80 443 }
pass in on egress inet proto tcp from $ssh_nets to egress:0 \
    port { 465 587 993 }

pass in on egress proto { ah, esp } from any to any
pass in on egress proto udp from any to any port { 500, 4500 }

pass in on egress inet proto tcp from any to any port smtp \
    rdr-to lo0 port spamd
pass in on egress inet proto tcp from  to any port smtp \
    rdr-to lo0 port smtp
pass in log on egress inet proto tcp from  to any \
    port smtp rdr-to lo0 port smtp
pass in log on egress inet proto tcp from  to any \
    port smtp rdr-to lo0 port smtp
pass in log quick on egress inet proto tcp from  \
    to any port smtp rdr-to lo0 port smtp

pass on { vether tap }

pass out all

match out on egress inet from vether0:network nat-to (egress)
match out on egress inet from enc0:network nat-to (egress)



Re: Cloud-Storage & OpenBSD

2018-09-02 Thread Bryan Harris
Tarsnap?

Sent from my iPhone

> On Sep 2, 2018, at 10:43 AM, Kurtis  wrote:
> 
> Hey all,
> 
> I'm just wondering if anyone has any suggestions with any Online File Backup 
> / Synchronization services?
> 
> I used Dropbox for a long time but decided to drop it in favor of pCloud. 
> It's about time to do another annual subscription so I'm looking at options.
> 
> I use the same service for backing up photos from my phone, backing up 
> documents from computers, and syncing files between multiple machines (Mac, 
> Windows, and Linux, Android).
> 
> Specifically, I'm looking for a service that is compatible with the major 
> operating systems but also has a good client for OpenBSD.
> 
> Bonus feature would be the ability to share the service with my family using 
> different accounts.
> 
> The ability to generate credentials that can only access certain folders 
> would be _really_ cool. For example, my machines could generate reports and 
> store them in my sync'd service so I could simplify viewing them from any 
> machine.
> 
> Thanks!
> 
> 
> 



Re: NSA encryption algorithms in Linux kernel, OpenBSD too?

2018-08-07 Thread Bryan Harris





> On Aug 7, 2018, at 7:15 AM, Kevin Chadwick  wrote:
> 
> On Mon, 6 Aug 2018 15:52:11 -0500

> It may be more likely that some zealous chrome devs
> decided https everywhere was utterly important and so misleading
> messages were the order of the day.

For some reason I thought https everywhere was a government initiative. Or 
perhaps they just followed the trend.

Bryan



Re: Backup of OpenBSD under VMware

2018-06-30 Thread Bryan Harris
Last resort shut down VM then backup.

I like the tool called tarsnap. It backs up to a remote service and you keep a 
private key. Everything is encrypted before it “exits” your VM for the remote 
side. Also very cheap. 

I only backup a few files and spent barely a penny.

> Your current account balance is
> $4.990771969348983750.

V/r,
Bryan

Sent from my iPhone

> On Jun 30, 2018, at 8:23 AM, Paolo Aglialoro  wrote:
> 
> Hello,
> 
> the scenario is a cluster of ESXi nodes on which OpenBSD should run as a VM.
> 
> Currently the cluster is being backed up by Veeam, I tried to insert the
> obsd VM inside the backup job but no success, with following "Error: An
> error occurred while saving the snapshot: Failed to quiesce the virtual
> machine.". This looks strange to me because the open-vm-tools implemented
> inside the kernel are usually functional to ESXi hosts.
> 
> Questions:
> 1. has anybody found a way to use Veeam to backup OpenBSD VMs?
> 2. are there any other suggested software to perform a similar task?
> 
> Thanks


Re: Partitioning recommendations for 6.3?

2018-06-25 Thread Bryan Harris
The webserver is called httpd (not the apache one). I like this book but
some people don't need the extra help of a book (I do).

https://www.michaelwlucas.com/tools/relayd

On Mon, Jun 25, 2018 at 11:49 AM John Long  wrote:

> On Mon, 2018-06-25 at 10:15 -0500, Vijay Sankar wrote:
> > Here is my df -h output -- Just as an FYI I was testing some
> > workarounds for the samba virusfilter issue and then made some
> > mistakes that screwed up KDE etc. So decided to build it from
> > scratch
> > and have about 5000 packages built right now with the following
> > disk
> > usage.
> >
> > $ df -h
> > Filesystem     Size    Used   Avail Capacity  Mounted on
> > /dev/sd0a     1005M    102M    852M    11%    /
> > /dev/sd0l      3.9G    1.8G    2.0G    48%    /builds
> > /dev/sd0k      127G    1.3G    119G     1%    /home
> > /dev/sd0d      3.9G    7.2M    3.7G     0%    /tmp
> > /dev/sd0f      5.9G    1.9G    3.8G    33%    /usr
> > /dev/sd0g      2.0G    185M    1.7G    10%    /usr/X11R6
> > /dev/sd0h     19.7G    9.4G    9.3G    50%    /usr/local
> > /dev/sd0j      5.9G    3.3G    2.3G    59%    /usr/obj
> > /dev/sd0i      2.0G    990M    929M    52%    /usr/src
> > /dev/sd0e     31.5G   57.9M   29.9G     0%    /var
> > /dev/sd0m      243G   83.7G    147G    36%    /usr/ports
>
> Thanks, this is good info.
>
> I am trying to find out about /usr/xenocara if it is still needed and
> also whether it's still recommended to build from source and track
> -stable or whether syspatch does away with that.
>
> What is the recommended http server these days? I remember the
> transition from apache to nginx. What's the conventional wisdom?
>
> My plan for this box is sftp, http, and minidlna server.
>
> Thank you,
>
> /jl
>
>

-- 
So the HP guy comes up to me and he says, 'If you say nasty things like
that to vendors you're not going to get anything'. I said 'no, in eight
years of saying nothing, we've got nothing, and I'm going to start saying
nasty things, in the hope that some of these vendors will start giving me
money so I'll shut up'.

 -Theo De Raadt


Re: acme-client new cert error

2018-05-25 Thread Bryan Harris
Ah okay. In my different situation I did

mv /etc/ssl/cert /tmp

Then ran command again.

I will try -D next time instead.

V/r,
Bryan 



> On May 25, 2018, at 5:51 PM, Scott Vanderbilt <li...@datagenic.com> wrote:
> 
>> On 5/25/2018 2:41 PM, Bryan Harris wrote:
>> Did you already have a cert for datagenic.com but which didn’t include the 
>> new name?
>> I think the -A argument only makes a new cert when old one doesn’t exist. 
>> Otherwise tries to use found cert and failed because old cert doesn’t have 
>> new name. At least that’s my understanding.
>> Or maybe I misunderstood the error message.
>> V/r,
>> Bryan
> 
> Thanks for chipping in.
> 
> Regrettably, I get the same error with -D flag only (i.e., no -A).
> 
> 
>>> On May 25, 2018, at 4:10 PM, Scott Vanderbilt <li...@datagenic.com> wrote:
>>> 
>>> I'm having difficulty creating a new SSL cert for a virtual host I'm just 
>>> standing up for the first time. I get the following error on successive 
>>> attempts:
>>> 
>>> urn:acme:error:unauthorized
>>> Error creating new cert :: authorizations for these names not found or 
>>> expired: aeneas.datagenic.com
>>> 
>>> I've verified it's not a web server access issue, as I am able to 
>>> successfully retrieve a static HTML file from the challenge directory
>>> 
>>>aeneas$ curl 
>>> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>>>Foo
>>>aeneas$
>>> 
>>> Complete verbose error message, config file, and dmesg follow.
>>> 
>>> Thanks in advance for any assistance you can lend.
>>> 
>>> 
>>> 
>>> aeneas# acme-client -vvAD aeneas.datagenic.com
>>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain 
>>> key exists (not creating)
>>> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
>>> creating)
>>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded 
>>> RSA domain key
>>> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
>>> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
>>> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
>>> acme-client: transfer buffer: [{ "key-change": 
>>> "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { 
>>> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": 
>>> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", 
>>> "website": "https://letsencrypt.org" }, "new-authz": 
>>> "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": 
>>> "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": 
>>> "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": 
>>> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0": 
>>> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
>>>  }] (658 bytes)
>>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: 
>>> aeneas.datagenic.com
>>> acme-client: acme-v01.api.letsencrypt.org: cached
>>> acme-client: acme-v01.api.letsencrypt.org: cached
>>> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": 
>>> "aeneas.datagenic.com" }, "status": "pending", "expires": 
>>> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": 
>>> "pending", "uri": 
>>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624;,
>>>  "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": 
>>> "dns-01", "status": "pending", "uri": 
>>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625;,
>>>  "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": 
>>> "http-01", "status": "pending", "uri": 
>>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIci

Re: acme-client new cert error

2018-05-25 Thread Bryan Harris
Did you already have a cert for datagenic.com but which didn’t include the new 
name?

I think the -A argument only makes a new cert when old one doesn’t exist. 
Otherwise tries to use found cert and failed because old cert doesn’t have new 
name. At least that’s my understanding. 

Or maybe I misunderstood the error message.

V/r,
Bryan

> On May 25, 2018, at 4:10 PM, Scott Vanderbilt  wrote:
> 
> I'm having difficulty creating a new SSL cert for a virtual host I'm just 
> standing up for the first time. I get the following error on successive 
> attempts:
> 
> urn:acme:error:unauthorized
> Error creating new cert :: authorizations for these names not found or 
> expired: aeneas.datagenic.com
> 
> I've verified it's not a web server access issue, as I am able to 
> successfully retrieve a static HTML file from the challenge directory
> 
>aeneas$ curl 
> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>Foo
>aeneas$
> 
> Complete verbose error message, config file, and dmesg follow.
> 
> Thanks in advance for any assistance you can lend.
> 
> 
> 
> aeneas# acme-client -vvAD aeneas.datagenic.com
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain 
> key exists (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
> creating)
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded 
> RSA domain key
> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
> acme-client: transfer buffer: [{ "key-change": 
> "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { 
> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": 
> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", 
> "website": "https://letsencrypt.org" }, "new-authz": 
> "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": 
> "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": 
> "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": 
> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0": 
> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
>  }] (658 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: 
> aeneas.datagenic.com
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": 
> "aeneas.datagenic.com" }, "status": "pending", "expires": 
> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": 
> "pending", "uri": 
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624;,
>  "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": 
> "dns-01", "status": "pending", "uri": 
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625;,
>  "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": 
> "http-01", "status": "pending", "uri": 
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626;,
>  "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": 
> [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
> acme-client: 
> /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: 
> created
> acme-client: 
> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>  challenge
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", 
> "uri": 
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626;,
>  "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": 
> "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4"
>  }] (336 bytes)
> acme-client: 
> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>  status
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", 
> "detail": "Error creating new cert :: authorizations for these names not 
> found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
> acme-client: bad 

Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Bryan Harris
I'll ask a dumb question. Why do you need extra root directives? Can't you
do this?

location "^/phpapp/*" {
  directory index "index.php"
}
location "*.php" {
  fastcgi socket "/run/php-fpm.sock"
}

Bryan

On Wed, Apr 11, 2018 at 10:32 AM, Mischa  wrote:

> > On 11 Apr 2018, at 12:14, Gregory Edigarov  wrote:
> >
> > On 11.04.18 11:40, Mischa wrote
> >> Ok, good to know. It doesn't work as written. The only thing I see in
> the error.log is the fact that the PHP script is not found.
> >>
> >> Access to the script '/htdocs/s/' has been denied (see
> security.limit_extensions)
> >>
> >> Which tells me index.php is not requested.
> >>
> >> Browser tells me: File not found
> >>
> >> Running in debug mode it shows the following
> >>
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/ HTTP/1.1"
> 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
> Gecko/20100101 Firefox/58.0"
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " " 408 0
> "" ""
> >> server default, client 1 (1 active), 46.xx.xx.xx:4824 -> xx.xx.xx.xx,
> timeout (408 Request Timeout)
> >> Primary script unknown
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/ HTTP/1.1"
> 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
> Gecko/20100101 Firefox/58.0"
> >>
> >> Not sure what else to look at. :((
> > Did some tests.
> > here's how it works:
> >
> > location "/test" {
> > block return 301 "/test/"
> > }
> > location "/test/" {
> > root strip 1
> > root "/htdocs/phpapp"
> > directory index "test.php"
> > }
> >
> > note "root strip 1" directive.
>
> I had tried with strip 1 as well, it seems problem is with: fastcgi socket
> "/run/php-fpm.sock"
> The working end result is something like:
>
> server "default" {
> listen on $ext_addr port 80
> root "/htdocs/default"
> location "^/phpapp/*" {
> root { "/htdocs/phpapp", strip 1 }
> directory index "index.php"
> }
> location match "^/phpapp/[%l%u%d]+$" {
> root "/htdocs/phpapp/index.php"
> fastcgi socket "/run/php-fpm.sock"
> }
> location "/*.php*" {
> fastcgi socket "/run/php-fpm.sock"
> }
> }
>
> Thank you very much for your response and testing. Really appreciate it.
>
> Mischa
>
>




Re: httpd howto redirect port 80 to 443 in vm

2018-03-01 Thread Bryan Harris
Alternate?: go back to original config and change

server "default"

to

server "example.com"

And maybe an alias for "www.example.com."

Just a thought.

V/r,
Bryan


Re: Strange message from syspatch

2018-01-12 Thread Bryan Harris
I once had incorrect VM time causing OCSP response like it was out of date,
and syspatch refused in a similar way. But different than your situation I
think.

V/r,
Bryan

On Fri, Jan 12, 2018 at 7:19 AM, Stuart Henderson 
wrote:

> On 2018-01-12, dmitry.sensei  wrote:
> > Strange message from syspatch:
> > # syspatch
> > ftp: SSL write error: no OCSP URLs in peer certificate
> > #
>
> Simplest workaround is to download the files yourself and use a local
> url in /etc/installurl, e.g. file:///tmp/syspatch.
>
> > what does this message mean and what to check?
> >
> > OpenBSD 6.2-stable GENERIC.MP#2 amd64
> >
> > we have a fortinet in the middle. Previously, it did not interfere with
> the
> > utility, since I added its certificate
>
> Most likely the fortinet doesn't include any OCSP URL in its MITM
> certificate, but just to be sure, which mirror? (cat /etc/installurl),
> and what's in the cert?
>
> $ openssl s_client -connect $hostname:443 -servername $hostname
>
> then copy the server cert and paste into "openssl x509 -text -noout".
>
> CA/B Forum requires an OCSP URL in certs unless stapling is used. But I
> don't see how a CA is going to know whether stapling is used so I would
> expect certs from the cabal to always have this set so we're unlikely to
> run into this with normal servers. So, although we're unlikely to bump
> into problems with this code without MITM, I think libtls may be going
> a little beyond usual requirements in needing this.
>
>
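The check Stuart describes (pull the server's certificate with `openssl s_client`, then inspect it with `openssl x509`) can be scripted so that the presence or absence of an OCSP URL, which is exactly what the `no OCSP URLs in peer certificate` error is about, is reported directly. This is an added example, not code from the thread or from OpenBSD; it needs the openssl(1) command-line tool, the function names are its own, the `mirror.example` host is a placeholder, and the two self-signed certificates it builds are constructed test material standing in for an intercepting proxy's certificate (no OCSP URL) and a public CA's (one present).

```shell
#!/bin/sh
# Added example, not from the thread: report whether a certificate carries
# an OCSP responder URL, the thing the ftp(1)/libtls error above is
# complaining about. Needs the openssl(1) command-line tool.

# Print the OCSP URL(s) from a PEM certificate file, one per line.
# openssl x509 -ocsp_uri reads them out of the Authority Information
# Access extension; output is empty when the cert has none.
cert_ocsp_urls() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print "has-ocsp-url" and succeed, or "no-ocsp-url" and fail.
check_ocsp_url() {
    if [ -n "$(cert_ocsp_urls "$1")" ]; then
        echo has-ocsp-url
        return 0
    fi
    echo no-ocsp-url
    return 1
}

# Save the leaf certificate a TLS server presents for $1 (port $2,
# default 443) as PEM into $3. This is the s_client step from the thread;
# with an intercepting proxy in the path it is the proxy's cert, not the
# mirror's, that lands in the file.
fetch_server_cert() {
    host=$1
    port=${2:-443}
    out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$out"
}

# Constructed test material: a self-signed cert with no AIA extension,
# standing in for what an interception box typically hands out.
make_selfsigned_without_ocsp() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$1" \
        -subj "/CN=proxy.example.invalid" -days 1 2>/dev/null
    rm -rf "$d"
}

# Constructed test material: a self-signed cert whose AIA extension names
# an OCSP responder, the shape a CA/B Forum-compliant certificate has.
make_selfsigned_with_ocsp() {
    d=$(mktemp -d) || return 1
    cat > "$d/ocsp.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ext
prompt = no
[ dn ]
CN = ca-issued.example.invalid
[ ext ]
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$1" \
        -days 1 -config "$d/ocsp.cnf" 2>/dev/null
    rm -rf "$d"
}

# Usage against a live mirror (hostname is a placeholder):
#   fetch_server_cert mirror.example 443 /tmp/mirror.pem && check_ocsp_url /tmp/mirror.pem
```

If `check_ocsp_url` prints `no-ocsp-url` for the certificate fetched from your mirror, compare its subject and issuer with what the mirror is known to use; a middlebox certificate will show the appliance's own CA as issuer, and that, rather than the mirror, is what syspatch's ftp(1) is objecting to.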


Re: Community-driven OpenBSD tutorials wiki?

2018-01-04 Thread Bryan Harris
My preference is to purchase a book. I have had a good experience with
Absolute OpenBSD, Httpd & Relayd, the tarsnap book, and the Book of PF.

I would buy a book about OpenSMTPD and also ikev2 but I didn't see any.

Just my $0.02, I like books better than online tutorials.

V/r,
Bryan

On Thu, Jan 4, 2018 at 10:38 AM, Marko Cupać  wrote:

> Feel free to contribute to [!WARNING - BLATANT SELF PROMOTION BELOW!]
>
> [https://www.mimar.rs/blog/tag:openbsd]
>
> As a side note, setting up apache and grav [https://getgrav.org/] took
> me an hour or so. Writing simple article takes whole day, sometimes
> much more.
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
>


Re: The "like" factor

2017-11-20 Thread Bryan Harris
Re: question:

> How did you solve the "like" factor?

I don't know how true, but I like these passages.

"My mother had a favorite saying (origin unknown): "You can get used to
anything if you do it long enough. Even hanging." She trotted out that
saying whenever my siblings or I complained about something that wasn't
going to change."

And later:

"Persuasion Tip #22: People automatically get used to minor annoyances over
time."

"My mom’s point of view captures an important rule in persuasion. People
can get past minor annoyances if you give them enough time. Humans quickly
adapt to just about anything that doesn't kill them."

From Win Bigly by Scott Adams

V/r,
Bryan

On Sun, Nov 19, 2017 at 8:25 PM, Rupert Gallagher 
wrote:

> Yes, this may well be the problem: easier to understand if we speak of
> teddy bear, much harder if we speak
> of software upgrades! And yet, here we are...
>
> Sent from ProtonMail Mobile
>
> On Mon, Nov 20, 2017 at 02:17,  wrote:
>
> > I wrote: > > In that case, I'd interpret the beancounter's reponse as
> 'have to make > sacrifices, don't we? *sigh*'. I amend that. Isn't it just
> loss? We experienced techies try not to allow ourselves to get too attached
> to an environment, don't we? But hasn't there been a 'first time' this has
> happened, for us all? And were *we* that prepared for it? It's like a
> replacement teddy bear, isn't it? The old one might be in pieces and still
> the new one won't ever feel as real. Or one's first love. It never quite
> feels the same again, does it? Perhaps a shared drink to mark the
> transition will help the grieving process along a little. I could still be
> all wrong, so I'll just shut up for now and see what others have to say.
> --schaafuit.
>


Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Bryan Harris
I don't know the answer but I'm curious.  What does "pfctl -sr" command
show?  Can you do dns lookups?

PS - my rules have the "pass out all" rule at the bottom.

V/r,
Bryan

On Fri, Oct 20, 2017 at 6:59 AM, Markus Rosjat  wrote:

> Hi there,
>
> I was wondering, after reading Mr Hansteen's excellent book about pf and the
> man pages, if I got it all wrong :)
>
> so here is my example pf.conf
>
> ext_if="hvn0"
>
> set skip on lo
>
> block return# block stateless traffic
> block inet6
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
> pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
>
> pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission
> }
>
> and what I expect is the following:
>
>  - traffic ipv4 and ipv6 gets blocked -> general deny
>  - I let enter ssh traffic
>  - I let enter https traffic
>  - I let out traffic on https and submission port
>  - I should not be able to establish an ssh connection from this host to
>another machine but should be able to connect to this
>machine
>
> what I notice is I can initiate a ssh connection from this machine. So
> there are three possible answers to this:
>
>  - 1st with allowing ssh traffic in the first place ssh port will be
>considered passable from both sides of the nic. Which would somehow
>make no sense to me at all because it's an explicit in rule
>  - 2nd the ssh connection initiated is somehow considered coming from lo
>and for that not passed to the following rules
>  - 3rd my rules are just wrong :)
>
> So for all the more skilled human beings out there can you help me with it?
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
> 
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT
>
>


Re: Security question / idea

2017-10-17 Thread Bryan Harris
Re: physical access, it seems not a technical problem.  I.e. keep laptop
with you, hire a guard, etc.  I'm not very technical, but could the hash be
stored in usb stick or online?

Maybe construct yourself a "computer safe" to make it harder for people to
get access while you're away?  I.e. increase the time/difficulty for them.

On Tue, Oct 17, 2017 at 6:21 AM, flipchan  wrote:

> Hey I also run libreboot :)
>
> I have read research about signing all the components and then verifying
> all that while you both , anyhow I think this would be very problematic
> with the new karl implementation that has taken place in openbsd 6.2
>
> On October 14, 2017 4:26:21 PM GMT+02:00, "Bryan C. Everly" <
> br...@bceassociates.com> wrote:
> >Hi misc@,
> >
> >In playing around with Libreboot and Coreboot, my belief that physical
> >access to the hardware really ups an attacker’s ability to win against
> >most
> >security has been massively reinforced.  For example, someone with
> >enough
> >practice could take my Thinkpad T500 apart, force flash the BIOS (as I
> >have
> >been doing), reassemble it and put it back on my desk in ten to fifteen
> >minutes (or maybe faster). The payload they flash could easily include
> >a
> >root kit and keylogger which would mitigate the advantage of Full Disk
> >Encryption (because they could grab your passphrase keystrokes and send
> >them off to the mother ship). So my happy little bubble that FDE would
> >give
> >me protection against all but a brute force attack has been popped.
> >
> >Here’s my thought. What if we modified our boot code to do a hash of
> >the
> >BiOS and stored it persistently across boots?  Then we could compare it
> >this time to the last value and take some action / issue some warning
> >that
> >something changed. It would be mildly annoying if you actually did just
> >update your BIOS to a new version but that would be a small trade off
> >in my
> >mind at least.
> >
> >The sticking point is this - where do you store the previous hash?  If
> >we
> >stored it outside of the FDE container, the attacker could just rewrite
> >it
> >on boot and we wouldn’t be able to detect a change. Put it inside the
> >FDE
> >and you would have to type your passphrase (sending it to the attacker)
> >to
> >read it.
> >
> >So now to my ask - would a feature like this be of any interest to
> >others?
> >If so, any thoughts on how to securely persist the hash to solve the
> >problem I describe above?
> >
> >Thanks for any and all feedback.
> >
> >--
> >
> >Thanks,
> >Bryan
>
> --
> Take Care Sincerely flipchan layerprox dev


Re: Need help setting http headers using relayd (and httpd)

2017-10-12 Thread Bryan Harris
There is a book called relayd and httpd. I think it has what you need.

V/r,
Bryan



> On Oct 12, 2017, at 1:33 PM, Andreas Thulin  wrote:
> 
> Hi!
> 
> Before anything, thanks for yet another awesome OpenBSD release! I’ll
> extend my gratitude into the pockets of the Foundation and finally donate
> this time.
> 
> Then:
> 
> I’m a relayd virgin. Consider all the following a lab exercise, I want to
> learn and understand more.
> 
> My target:
> Understanding how to score an A+ on the htbridge web server security test.
> https://www.htbridge.com/websec/?id=BT1UmswV
> 
> First objective:
> Set HTTP headers, such as
> 
> CONTENT-SECURITY-POLICY
> X-CONTENT-TYPE-OPTIONS
> X-XSS-PROTECTION
> 
> using relayd (since httpd can’t help out here).
> 
> Assumptions etc:
> - I suppose only https traffic is in scope, since all http traffic is
> redirected to https.
> - Both httpd and relayd are (will be) run on the same 6.2 machine.
> - httpd runs just fine and scores an A+ on the htbridge TLS Server Test
> more or less out of the box. The web server test, however, was a
> disappointing F. :-)
> 
> I’m only a mortal, so simply reading the relayd.conf man page and doing some
> trial-and-error has so far only made me go all CAPS. I seek examples (of
> something similar to the above use-case), a guide, tutorial, or even a
> how-to to make this happen. I can learn all the config options and settings
> afterwards, and keep tweaking and understanding.
> 
> Anyone?
> 
> Humbly,
> Andreas



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread Bryan Harris
Here is what I did, which I learned from the httpd & relayd book by Michael
W Lucas (I recommend).  I cannot remember why I set the top header options,
I must have been trying to learn about them.  The host ones are to figure
out the site and send the connection to the table above.

ext_addr="..."
int_addr="127.0.0.1"
vm1_addr="192.0.2.11"
vm2_addr="192.0.2.12"
vm3_addr="192.0.2.13"
vm4_addr="192.0.2.14"

table  { $int_addr }
table  {
  $vm1_addr
  $vm2_addr
  $vm3_addr
  $vm4_addr
}

# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
http protocol https {
  # playing with these options
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  match request header set "Keep-Alive" value "$TIMEOUT"
  match request header set "Connection" value "close"

  match request header "Host" value "website.example.com" forward to

  match request header "Host" value "example.com" forward to 
  match request header "Host" value "www.example.com" forward to 

}

relay wwwtls {
  # Run as a SSL/TLS accelerator
  listen on $ext_addr port 443 tls
  protocol https

  forward to  port 80 check tcp
  forward to  port 80 mode loadbalance check tcp
}

V/r,
Bryan

On Thu, Sep 28, 2017 at 7:32 AM, mabi  wrote:

> Hi,
>
> I was wondering if it is possible to use relayd as load balancer with TLS
> termination for multiple different websites residing on different server.
>
> From reading the man page I understand that for this purpose I will need
> to use one "relay" entity per website which will then have its own "http
> protocol" entity. If this is correct, this means I will require one public
> IP address per website which seems to me a bit a waste hence my asking.
>
> The alternative would be to have one "relay" entity but this means I can
> only have one "http protocol" entity assigned to it from my understanding.
> This also means that I would have to have to use one single SSL certificate
> file which includes every CN for each of my website. My feeling tells me
> that this does not sound good practice. Then how would relayd know that
> website www.website1.com has to be forwarded to the hosts in  and
> that website www.website2.com has to be forwarded to the hosts in
> ? Would you in the "http protocol" entity filter using the HTTP
> "Host" header (such as SNI)?
>
> Sorry for all these questions but I am trying to find out the best
> way/good practice to setup a relayd TLS load balancer for a different
> websites/webapps/domains and can't find much documentation about this
> specific case.
>
> Note here that I will be using the acme-client for all of the domains.
>
> Thanks for your input.
>
> Best,
> Mabi

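The following relayd.conf is an added example, not Bryan's config or anything from the Lucas book, written to show the two things asked about in this thread and in the earlier "Need help setting http headers" thread: routing on the Host header after TLS termination, and setting security response headers that httpd itself cannot set. The table names (`<webhosts>`, `<vms>`), addresses and header values are assumptions for illustration; the certificate file naming follows the `/etc/ssl/address:port.crt` convention from relayd.conf(5).

```conf
# Added example (not from the thread): one relay, one protocol, several sites.
# Table names, addresses and header values below are assumptions for illustration.
ext_addr="203.0.113.10"
int_addr="127.0.0.1"

table <webhosts> { $int_addr }
table <vms> { 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 }

http protocol https {
  # tell the backends who the real client was
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

  # route on the Host header; relayd can read it because TLS is terminated here
  match request header "Host" value "website.example.com" forward to <vms>
  match request header "Host" value "example.com" forward to <webhosts>
  match request header "Host" value "www.example.com" forward to <webhosts>

  # security headers added to every response on the way back to the client
  match response header set "Content-Security-Policy" value "default-src 'self'"
  match response header set "X-Content-Type-Options" value "nosniff"
  match response header set "X-Frame-Options" value "DENY"
  match response header set "Strict-Transport-Security" value "max-age=31536000"
  # drop the backend's software banner
  match response header remove "Server"
}

relay wwwtls {
  # TLS accelerator: relayd loads /etc/ssl/203.0.113.10:443.crt and
  # /etc/ssl/private/203.0.113.10:443.key for this listener (relayd.conf(5))
  listen on $ext_addr port 443 tls
  protocol https

  forward to <webhosts> port 80 check tcp
  forward to <vms> port 80 mode loadbalance check tcp
}
```

Check the file with `relayd -n -f /etc/relayd.conf` before reloading. Because a single listener uses a single certificate, all of the Host names routed here must be covered by that one certificate (a SAN certificate from acme-client works); the CSP value is a placeholder and must be tuned per site, since `default-src 'self'` blocks inline scripts and third-party assets.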

Re: relayd https relay

2017-09-20 Thread Bryan Harris
I don't think you can know the host header unless you decrypt the https
using a certificate.  It seems that idea would require SNI but I don't know
if they have SNI in relayd/httpd.  (I could be wrong about that.)

In mine I have listen on $ext_addr port 443 tls.  Then exists
/etc/ssl/ipaddr:443.crt file.  Look at phrase "/etc/ssl/address:port.crt"
in relayd.conf(5).

The book below shows this scenario and how to use acme-client to get a free
certificate from Let's Encrypt.

https://www.michaelwlucas.com/tools/relayd

V/r,
Bryan

On Wed, Sep 20, 2017 at 4:37 AM, rosjat  wrote:

> there is of course a tls to much in the config
>
> its just
>
> relay "proxyssl" {
> listen on $gateway  port https
> protocol "httpproxy"
>
> forward to   port https
> }
>
>
> Am 20.09.2017 um 10:19 schrieb rosjat:
>
>> Hi there,
>>
>> just a simple question about the relaying of https connections. Is it
>> possible to simply pass the https traffic to the webserver with relayd? My
>> naive approach was simply checking the host name in the header and then
>> forwarding it to the http or https port. This works for http but with https it
>> doesn't.
>>
>>
>> here are my relayd.conf parts
>>
>>
>> http protocol "httpproxy" {
>>
>>  match request quick header "Host" value
>> "random-domain1.tld" forward to 
>>  match request quick header "Host" value
>> "random-domain2.tld" forward to 
>>
>> }
>>
>> relay "proxy" {
>> listen on $gateway  port http
>> protocol "httpproxy"
>>
>> forward to   port http
>> forward to  port http
>>
>>}
>>
>> relay "proxyssl" {
>> listen on $gateway  port https
>> protocol "httpproxy"
>>
>> forward to   port https tls
>> }
>>
>> with this I don't get a relay for https it seems, if I add tls to the
>> listen part I get told relayd can't find the certificates. And that is
>> totally understandable because there are no certs on this machine for these
>> domains because they are on the webserver machine.
>>
>>
>> So it all boils down to the question, do I have to set up my certificates
>> on the relay host to be able to use a https relay ?
>>
>>
>> regards
>>
>>
>>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT
>
>


Re: OpenBSD's HTTPD troubles AGAIN - Can't find any man page that explains how to properly set up directory authentication.

2017-09-15 Thread Bryan Harris
I got curious so I looked at the man page.  It seems to me one could 
authenticate a location i.e. folder/directory based on this part. 

> A location section may include most of the server configuration rules except
> alias, connection, hsts, listen on, location, tcp and tls.

V/r,
Bryan 




Sent from my iPhone

> On Sep 15, 2017, at 6:08 PM, Wiremu Demchick  
> wrote:
> 
> You may find this helpful:
>   https://marc.info/?l=openbsd-arm=149507490119056=2
> 
>> On 9/16/17, tec...@protonmail.com  wrote:
>> Hello,
>> 
>> Can someone with knowledge of OpenBSD's HTTPD please tell me how to properly
>> set up a password protected directory and where you found ALL of the
>> information to do so.  I am really struggling to find enough information
>> within the man pages to even make it work correctly.  I want to love the man
>> pages, I really do, but.. Yeah, you get the drift - frustration.
>> 
>> Thanks and regards.
>> 
> 
> [snip]
> 


Re: vio(4) tap(4) question

2017-08-28 Thread Bryan Harris
Hi Trond,

We must have been typing at the same time, yes that ended up working.
I tried a * character first but that didn't work (and wasn't in the
man page anyway).

V/r,
Bryan

On Mon, Aug 28, 2017 at 9:32 PM, trondd <tro...@kagu-tsuchi.com> wrote:
> On Mon, August 28, 2017 6:03 pm, Bryan Harris wrote:
>>
>> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>>
>> Thanks all.
>>
>> V/r,
>> Bryan
>>
>
> Can't you just use the interface group 'tap'?
>
> pass on { vether0 tap }
>



Re: vio(4) tap(4) question

2017-08-28 Thread Bryan Harris
Somehow this thread gave me the idea to try:

pass on { vether* tap* }

Which did not work.  But it lead to the idea to use the group names:

pass on { vether tap }

Which does work.  It's funny because I like using group names (like
egress) and I noticed earlier today that all taps are in a group
called tap, but I never connected the dots.

V/r,
Bryan

On Mon, Aug 28, 2017 at 6:52 PM, Mike Larkin <mlar...@azathoth.net> wrote:
> On Mon, Aug 28, 2017 at 06:48:20PM -0400, Bryan Harris wrote:
>> On Mon, Aug 28, 2017 at 6:18 PM, Mike Larkin <mlar...@azathoth.net> wrote:
>> > On Mon, Aug 28, 2017 at 06:03:16PM -0400, Bryan Harris wrote:
>>
>> >> If the vio is connected to the virtual switch, and the switch is
>> >
>> > But the vio(4) interface isn't visible to the host. So what you said there
>> > doesn't make sense. It's connected to the switch *via* the corresponding
>> > tap interface on the host.
>>
>> I think I understand now.
>>
>> >> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>> >
>> > what about just:
>> >
>> > pass
>>
>> Does that allow traffic to come in on the egress?  I want to have
>> normal traffic rules that are "more safe than nothing" during the
>> learning process.  But I also want to pass the VM traffic so that I
>> can experiment with things in the VM without the worry that I made a
>> pf.conf mistake.
>>
>> ssh_nets="{ <home, work, stuff like that goes here> }"
>> vm_if = "vether0"
>> vm_net = $vm_if:network
>>
>> block all
>> set skip on lo
>> antispoof for egress
>> antispoof for $vm_if
>> match in all scrub (no-df max-mss 1440)
>>
>> # match in log (matches) on $vm_if from $vm_net tag localnet
>> # match log (matches) inet proto tcp from any to egress:0 port 53 tag dns
>> # match log (matches) inet proto udp from any to egress:0 port 53 tag dns
>>
>> pass inet proto icmp icmp-type { echoreq, unreach }
>> pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
>> pass in on egress inet proto udp from any to egress:0 port 53
>> pass in on egress inet proto tcp from any to egress:0 port { 53 80 443 }
>> # pass in on egress proto tcp from any to egress port 80 rdr-to 192.0.2.12 port 80
>> # pass in on egress proto tcp from any to egress port 443 rdr-to 192.0.2.12 port 443
>>
>> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>>
>> pass out all
>>
>> match out on egress inet from $vm_net nat-to (egress)
>>
>> V/r,
>> Bryan
>>
>
> Your pf config is more complex than mine. Perhaps someone with more pf
> expertise can comment. Mine is pretty basic, just has a rule for the NAT
> for the VM traffic and a few other unrelated rules.
>
> -ml



Re: vio(4) tap(4) question

2017-08-28 Thread Bryan Harris
On Mon, Aug 28, 2017 at 6:18 PM, Mike Larkin <mlar...@azathoth.net> wrote:
> On Mon, Aug 28, 2017 at 06:03:16PM -0400, Bryan Harris wrote:

>> If the vio is connected to the virtual switch, and the switch is
>
> But the vio(4) interface isn't visible to the host. So what you said there
> doesn't make sense. It's connected to the switch *via* the corresponding
> tap interface on the host.

I think I understand now.

>> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>
> what about just:
>
> pass

Does that allow traffic to come in on the egress?  I want to have
normal traffic rules that are "more safe than nothing" during the
learning process.  But I also want to pass the VM traffic so that I
can experiment with things in the VM without the worry that I made a
pf.conf mistake.

ssh_nets="{ <home, work, stuff like that goes here> }"
vm_if = "vether0"
vm_net = $vm_if:network

block all
set skip on lo
antispoof for egress
antispoof for $vm_if
match in all scrub (no-df max-mss 1440)

# match in log (matches) on $vm_if from $vm_net tag localnet
# match log (matches) inet proto tcp from any to egress:0 port 53 tag dns
# match log (matches) inet proto udp from any to egress:0 port 53 tag dns

pass inet proto icmp icmp-type { echoreq, unreach }
pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
pass in on egress inet proto udp from any to egress:0 port 53
pass in on egress inet proto tcp from any to egress:0 port { 53 80 443 }
# pass in on egress proto tcp from any to egress port 80 rdr-to 192.0.2.12 port 80
# pass in on egress proto tcp from any to egress port 443 rdr-to 192.0.2.12 port 443

pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }

pass out all

match out on egress inet from $vm_net nat-to (egress)

V/r,
Bryan



vio(4) tap(4) question

2017-08-28 Thread Bryan Harris
Hi folks,

I am in the learning process about vmd.  When I read the vmctl(8) man
page I have incorrectly got the idea that I can have a VM that has a
vio interface but without a mapping to a host tap interface, simply by
omitting the -i option from the "vmctl start vmX" command.  However,
if I read carefully the vm.conf(5) man page I see that there is no way
to create any VM vio which does not map to a host tap.

From vmctl(8) page:

 If the -i option is specified during VM startup, a corresponding number
 of host-side tap(4) interfaces will be allocated and mapped to the vio(4)
 interfaces inside the guest VM.

From vm.conf(5) page:

 Network interface to add to the VM.  The optional name can be
 either `tap' to select the next available tap(4) interface on the
 VM host side (the default) or tapN to select a specific one.

Hopefully I am reading properly.  There is no such way to have a VM
vio without a mapping to the host tap.  Is there any future idea to
have a vio inside the VM which does not connect to the tap on the
host?

If the vio is connected to the virtual switch, and the switch is
connected to vether0, and the vether0 is on the host, and the host has
forwarding=1, then I thought it might be possible.

Here is my purpose in asking about all this.  Every time I create a VM
I have to put stuff in the host pf.conf in order to pass the traffic,
and I have had a hard time using any rule except one like below.  Is
there any way to pass all VM vio<->host tap traffic, or is there a way
to bypass this need to change the pf rules each time?

pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }

Thanks all.

V/r,
Bryan



Re: vmm workflow

2017-08-17 Thread Bryan Harris
I had the same issue with boot option in vm.conf and never solved my
difficulty using the vm.conf file itself (I assumed I must have
misunderstood the doc).  Instead I used the command line option for vmctl
starting the machine.  After I installed the O/S using bsd.rd I did not
need that option anymore.

My vm.conf looks like this.

switch "my_switch" {
  # interface bridge0
  add vether0
}

vm "vm1" {
  memory 512M
  disk /home/VM/disk.img
  owner user:group
  interface tap {
switch "my_switch"
  }
  disable
}

And the commands which seem to work (as root) are like so.

vmctl create /home/VM/disk2.img -s 10G
vmctl start vm2 -c -b /home/user/bsd.rd -m 512m -n my_switch -d /home/VM/disk2.img

V/r,
Bryan


On Wed, Aug 16, 2017 at 10:50 PM, Carlos Cardenas 
wrote:

> Howdy.
>
> I've been playing around with vmm(4) on 6.1 and have noticed a few
> things that seem odd.
>
> Take the following vm.conf:
> ramdisk="/home/los/vmm/bsd.rd-current"
> switch "local" {
> add vether0
> }
> vm "test.vm" {
> boot $ramdisk
> disable
> owner los
> memory 2G
> disk "/home/los/vmm/test.vm.img"
> interface { switch "local" }
> }
>
> Doing vmd -n yields:
> /etc/vm.conf:6: syntax error
>
> Removing the boot line yields a warning about unused macro (referring
> to ramdisk).
>
> So now my config is:
> switch "local" {
> add vether0
> }
> vm "test.vm" {
> disable
> owner los
> memory 2G
> disk "/home/los/vmm/test.vm.img"
> interface { switch "local" }
> }
>
> vmd(8) is happy and am expecting
> vmctl start "test.vm" -b "/home/los/vmm/bsd.rd-current" -c
> to work since all the other params have been defined in vm.conf.
>
> Instead I get:
> vmctl: starting without disks
> vmctl: starting without network interfaces
> vmctl: start vm command failed: Operation not permitted
>
> Increasing verbose log on vmd gets me:
> startup
> /etc/vm.conf:4: switch "local" registered
> /etc/vm.conf:11: vm "test.vm" registered (disabled)
> vm_priv_brconfig: interface bridge0 description switch1-local
> vm_priv_brconfig: interface bridge0 add vether0
> vmd_configure: not creating vm test.vm (disabled)
> denied request 3 from uid 1000
>
> However, if I perform a "doas vmctl start" first (along with
> install) and then define it in vm.conf, "vmctl start 'test.vm'" works as
> expected.
>
> What is the expected workflow for vmm?
>
> Any ideas on why the boot $ramdisk line is error'ing out?
>
> +--+
> Carlos
>
>


Re: syspatch question

2017-08-09 Thread Bryan Harris
After reading this thread I wondered why haven't I gotten an update in a
while.  So I checked and syspatch -c show no output but found it had a 1
return code.  It turns out my URL in /etc/installurl was no longer a valid
mirror for some reason (didn't investigate, just fixed).  I suppose it's a
good idea to check the return code rather than
misinterpreting/misunderstanding an empty output.

On Wed, Aug 9, 2017 at 11:04 AM, Marko Cupać  wrote:

> On Tue, 8 Aug 2017 18:17:35 -0400
> Taylor Stearns  wrote:
>
> > On Tue, Aug 08, 2017 at 01:10:22PM -0400, tec...@protonmail.com wrote:
> > > I had this exact issue a few days ago, I just re-partitioned to a
> > > bigger size so not have to face the issue again as was a new install
> > > anyway. But, sure would be nice to see this added. Thanks
> > >
> > > > From: marko.cu...@mimar.rs
> > > > - at the moment of writing this, there are 025 patches. If
> > > > applying them all at once, they (perhaps needlessly) need quite
> > > > some space in /tmp (my mfs for /tmp is 256m, and it got filled
> > > > already at 012), as a result of (I guess)
> > > > deleting /tmp/syspatch.XX only after all the patches are
> > > > applied, or after /tmp gets filled up. Perhaps it is possible to
> > > > flush /tmp earlier in the process (maybe after each patch is
> > > > applied successfully)?
> >
> > Have you tried with -current? Here is a change from June that might be
> > what you're looking for:
> > https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/syspatch/syspatch.sh#rev1.108
>
> That's it, thank you. Also rev1.108 appears to work on 6.1-release
> without problems - I've just overwritten rev1.93 included in
> 6.1-release.
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
>


Re: sftp chroot

2017-06-14 Thread Bryan Harris
On Linux I have mounted another fs inside the user's home folder (it is
mounted twice).  I don't know if OpenBSD has that feature.

On Wed, Jun 14, 2017 at 6:38 AM, Ville Valkonen 
wrote:

> Hi,
>
> one option is to use local nfs mounts. That's what I've done.
>
> --
> Regards,
> Ville
>
>
> On Jun 14, 2017 11:34 AM, "Markus Rosjat"  wrote:
>
> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a
> webserver resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm not
> quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but
> I'm not sure if this is the recommended way.
>
> so once again advice is helpful :)
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT
>