Re: error: storage size of `ksym_tab_by_ksym'
On Wednesday 12 July 2006 19:22, Miod Vallat wrote:
> > a make obj and a make came up with this:
> >
> > /usr/src/sbin/wsconsctl/keysym.c:51: error: storage size of
> > `ksym_tab_by_ksym'
> > isn't known
> > *** Error code 1
> >
> > Any ideas? It happened on another 3.9 machine too.
>
> You did not ``make depend''.
>
> Miod

Thanks :)
error: storage size of `ksym_tab_by_ksym'
Hello..

I used cvsup with the OPENBSD_3_9 tag to get the latest src.

a make obj and a make came up with this:

/usr/src/sbin/wsconsctl/keysym.c:51: error: storage size of `ksym_tab_by_ksym' isn't known
*** Error code 1

Stop in /usr/src/sbin/wsconsctl.
*** Error code 1

Stop in /usr/src/sbin.
*** Error code 1

Stop in /usr/src.

Any ideas? It happened on another 3.9 machine too.

Cheers,
Josh
Re: Chrooted sftp-server and /dev/null
On Friday 23 June 2006 22:24, Joachim Schipper wrote:
>
> You could set up a named pipe (mkfifo(1)), and have a process
> continually drain it (cat /home/john/dev/null >/dev/null &); however,
> while this would work for the most likely use (writing to /dev/null), it
> wouldn't allow for reading.
> I'm not sure if sftp-server ever reads from /dev/null, but it is not
> impossible. Strange errors will occur if this is the case.
>

I'm thinking it might just be easier to make a copy of the /dev/null device, but I need to investigate and test this...

> Yes, make sure you also set real uid. A small part of
> /usr/src/usr.sbin/tcpdump/privsep.c:
>
> /* Child - drop suid privileges */
> gid = getgid();
> uid = getuid();
>
> if (setresgid(gid, gid, gid) == -1)
>         err(1, "setresgid() failed");
> if (setresuid(uid, uid, uid) == -1)
>         err(1, "setresuid() failed");
>
> Do note that this is only necessary if the shell is suid and/or sgid;
> however, normal users don't have the rights to call chroot(2), so these
> additional privileges are necessary.
>
> Also, you are aware that you perform chroot(), setresuid() and
> setresgid(), and only then execve()? This means that you'll need some
> binaries in the home directories...
>
> So, be aware that deleting a file or directory requires write privileges
> on the parent directory; i.e., john can replace
> /home/john/bin/sftp-server by an arbitrary binary if john has write
> privileges on his home directory, hence my suggestion to use /home
> (which is typically only writable by root) above.
> (An alternate solution is to make /home/john owned by root, group john,
> and with privileges 0750; this would break too many things to be
> feasible if shells are allowed, but just might work if only considering
> sftp.)
>
> Finally, be aware of the many other options sshd allows, like various
> ways of tunneling. For the same reason as above, those cannot be
> disabled in /home/john/.ssh/authorized_keys only (disabling them there
> works iff the user cannot mess with this file, which is clearly not the
> case if the user has access to sftp). Either disable them sshd-wide or
> set AuthorizedKeysFile (see sshd_config(5)) to something like
> /home/.keys/%u/authorized_keys.
> Note that running any number of ssh daemons in parallel works just fine,
> subject to some caveats (they can, of course, not listen on the same
> ports on the same interfaces; they are quite CPU intensive; and random
> number quality may degrade if the pool is drained sufficiently fast).
>
> Joachim

I am going to write another program which is used to setup, check, and update the chroot environments with the right files and permissions. I'm going to have it chown the home dirs to root/wheel, and there will only be a single writeable dir owned by the user ( which will contain their website files for example ).

Here is a copy of the code I've got so far... it's by no means finished, or formatted in the proper way, or even checked over properly again:

#include <sys/types.h>
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

char home_dir[1024];
int argc;
char **argv;

void print_arguments(void);
void check_arguments(void);
void check_user(void);
char * find_end_part(char *buff);
void setup_env(void);

int
main(int _argc, char **_argv)
{
	char *exec_args[2];
	char *exec_env[1];

	argc = _argc;
	argv = _argv;

	openlog("jshell", LOG_PID | LOG_NDELAY, LOG_AUTH);

	check_arguments();
	check_user();

	if (chroot(home_dir) != 0 || chdir("/") != 0) {
		syslog(LOG_ERR, "chroot(%s) failed: %s", home_dir, strerror(errno));
		return 1;
	}

	/* drop privileges */
	if (seteuid(getuid()) != 0 || setuid(getuid()) != 0) {
		syslog(LOG_ERR, "setuid(%u) failed: %s", (unsigned)getuid(),
		    strerror(errno));
		return 1;
	}

	exec_args[1] = NULL;
	exec_args[0] = find_end_part(argv[2]);
	exec_env[0] = NULL;	/* empty environment for the child */
	execve(argv[2], exec_args, exec_env);

	syslog(LOG_ERR, "execve failed: %s", strerror(errno));
	return 1;
}

/* print arguments to syslog */
void
print_arguments(void)
{
	int x;

	for (x = 0; x < argc; x++) {
		syslog(LOG_ERR, "%d arg is '%s'", x, argv[x]);
	}
}

/*
 * for now we only allow -c /usr/libexec/sftp-server as an argument
 */
void
check_arguments(void)
{
	/* compare second argument ( should be -c ) */
	if (argc != 3 || strcmp("-c", argv[1]) != 0) {
		syslog(LOG_ERR, "invalid arguments");
		print_arguments();
		exit(1);
	}

	/* compare third argument */
	if (strcmp("/usr/libexec/sftp-server", argv[2]) != 0) {
		syslog(LOG_ERR, "invalid arguments");
		print_arguments();
		exit(1);
	}
}

/* return the last path component, used as argv[0] for the child */
char *
find_end_part(char *buff)
{
	char *p = strrchr(buff, '/');

	return p != NULL ? p + 1 : buff;
}

/*
 * check the user has some sane permissions and settings
 * and what not on their home dir.
 */
void
check_user(void)
{
	struct passwd *pw = NULL;

	/*
	 * do we bother checking for a root login?
	 * why would root be using jsh
	 */

	/*
	 * Assumed completion (the post is cut off here): look up the
	 * caller and use their home dir as the chroot target, as the
	 * message describes; refuse root outright.
	 */
	pw = getpwuid(getuid());
	if (pw == NULL || pw->pw_uid == 0) {
		syslog(LOG_ERR, "unknown or root user %u", (unsigned)getuid());
		exit(1);
	}
	if (strlcpy(home_dir, pw->pw_dir, sizeof(home_dir)) >= sizeof(home_dir)) {
		syslog(LOG_ERR, "home dir path too long for %s", pw->pw_name);
		exit(1);
	}
}
Re: Chrooted sftp-server and /dev/null
Thanks for the reply...

It is sftp-server that tries to open /dev/null. As I don't want to modify sftp-server or anything like that, I think I'm going to just populate each chroot environment with a /dev/null. However, as I don't want /home to have any devices on it, is there a way to have some sort of file type that simply throws the data away like /dev/null does?

As for the shell, Yep, I am being careful with it.. all the shell actually does, is checks if the arguments given to it is '-c /usr/libexec/sftp-server', and if it is, it then chroots to the users home dir, and then it sets effective uid to the uid that called the shell, and then it executes /usr/libexec/sftp-server. Not much code at all. I want to research more into possible security hassles ( like /home/foo/.ssh ) and stuff like that later on. Any suggestions in this area? ( security )

Cheers,
Josh

On Thursday 22 June 2006 22:26, Joachim Schipper wrote:
> Well, since nobody else seems to respond...
>
> If you can set it up in a controlled testing environment, you could
> ktrace(1) it. This would tell you, at the very least, what program
> actually opens /dev/null.
>
> A quick grep through /usr/src/usr.bin/ssh suggests that ssh (and, most
> likely, sftp) interacts with /dev/null quite a bit. It might be possible
> to change the code to work without, but that would take quite a bit of
> work I fear.
>
> An alternative hack would be to change sftp directly; in this case, it
> can safely open /dev/null and then call chroot() at the appropriate
> time. OTOH, you have a custom patch that you should apply at the
> appropriate time and place, which, too, has its disadvantages.
>
> Also, be *very* careful in writing the shell, as it must be suid root
> for what you want it to do... this, in fact, suggests that the best
> solution might be to write a trivial shell and just have
> /home/*/dev/null. Or, for that matter, /home/dev/null and chroot into
> /home.
>
> Joachim
Re: Chrooted sftp-server and /dev/null
Can anyone help here? I've played with fcntl's FD_CLOEXEC and what not.. it was set to 0, and yeah...

If someone can help solve this mystery then there is one less file required in the chroot environment. A cleaner scponly shell :)

On Wednesday 21 June 2006 09:41, Joshua Sandbrook wrote:
> Gidday
>
> I'm writing a shell at the moment that chroots into a users home dir and
> then runs only the sftp-server program ( which is in the user's home dir ).
>
> Anyway, it won't work unless /dev/null is present in the chroot...
>
> I am using execve to run sftp-server, and I am wondering if it has
> something to do with stdout / stdin / stderr fd's being closed on execve?
>
> Can anyone help me here?
>
> Thanks,
> Josh
Chrooted sftp-server and /dev/null
Gidday

I'm writing a shell at the moment that chroots into a users home dir and then runs only the sftp-server program ( which is in the user's home dir ).

Anyway, it won't work unless /dev/null is present in the chroot...

I am using execve to run sftp-server, and I am wondering if it has something to do with stdout / stdin / stderr fd's being closed on execve?

Can anyone help me here?

Thanks,
Josh
Re: Toshiba Tecra 8000 xorg.conf
Yeah I saw that. But xorg does not just 'work by default' at 1024x768 for me. It just runs at 800x600 and it seems that's all it can be bothered doing right now...

On Thursday 08 June 2006 19:59, you wrote:
> Hi Joshua,
>
> On Thu, Jun 08, 2006 at 07:39:15PM +1200, Joshua Sandbrook wrote:
> | Anyone out there running 3.9 on a Toshiba Tecra 8000 ? I'm trying to get
> | it to run at 1024x768 but its being grumpy.
>
> Check http://www.openbsd.org/i386-laptop.html - the machine is listed
> there with several tips on how to get it working. Xorg did not require
> any config for me (Just Works (tm)).
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
Toshiba Tecra 8000 xorg.conf
Gidday...

Anyone out there running 3.9 on a Toshiba Tecra 8000 ? I'm trying to get it to run at 1024x768 but its being grumpy.

Dmesg for good measure:
Default Gateway, PF, BAD State
Hello There.

I've got two openbsd gateways:

192.168.3.253 + 192.168.4.254 - gateway to 192.168.4.0/24 subnet. This obsd box has a default gateway set to 192.168.3.254, and all hosts on the 192.168.4.0/24 subnet have their gateway set to 192.168.4.254. PF turned OFF.

192.168.3.254 - gateway to the internet, is set as default gateway for hosts on the 192.168.3.0/24. This box has a route set for 192.168.4.0/24 to 192.168.3.253.

Now then... What happens is when a workstation ( 192.168.3.0/24 hosts ) tries to transfer a file to a host on the 192.168.4.0/24 subnet, it transfers around 60Kb, before it hangs and eventually times out or gets reset. This is with pf turned ON on the 192.168.3.254 box. Rules are to pass out and pass in everything.

I 'set debug loud' in pf.conf, and in /var/log/messages lots of these types of messages showed up:

Apr 6 17:21:31 sidb /bsd: pf: BAD state: TCP 192.168.3.222:33085 192.168.3.222:33085 192.168.4.51:22 [lo=2515403070 high=2515336655 win=49640 modulator=0] [lo=0 high=49640 win=1 modulator=0] 2:0 A seq=2515403070 ack=0 len=1460 ackskew=0 pkts=64:0 dir=out,fwd

Now, if I turn pf OFF, everything works fine. And if I manually add a route to a workstation for 192.168.4.0/24 then it also works fine, because it then does not use the 192.168.3.254 gateway to get to 192.168.4.0/24.

So then... any ideas how to fix this?

Thanks,
Josh
Re: telldir(), etc: prevent memory leak
Just today I found my openbsd server curiously stalled... not completely dead, could switch consoles, ping it.. but otherwise unresponsive. Found out that smbd was eating huge amounts of memory, and I put the crash down to smbd.

I applied ( by hand, patch did not work ) the patches Paul wrote.. and now smbd is behaving in a more sane fashion, though still seems to be very slowly climbing in memory usage, though nothing like it was before. It was climbing at around 1Mb of ram per second beforehand, now it is only using 6mb of ram ( started at 2.7 ish mb of ram ) according to top.

So either there is still some memory leakage in telldir and friends, or smbd has other memory leaks in it, or this is just normal behaviour for smbd. But the patch definitely put a stop to the rapid memory consumption.

Thanks Paul
Two gateways...
Hello...

I've got two obsd firewalls, A and B. Both are using DSL routers, plugged into a nic via a crossover cable... and A and B's default routes are set to the DSL routers. A and B are also on the same LAN.

What I want to do, is redirect incoming traffic from A to B, but to have B route it back out of A without any NAT. B will further forward the traffic on to internal servers.

Is this possible? If so, how? Any suggestions/hints/comments welcome.

Thanks,
Josh
Re: Sun 220R, cdrom problem
Greetings Earthlings...

Ok I ended up putting another 220R in the rack and trying that out. Booted straight away, and has an earlier version of the firmware/openboot. I think the problem was a busted/faulty scsi controller or something.. because booting either disk0 or cdrom never ever came up with any errors, it always hung. But on the other E220R, it just says 'The file just loaded does not appear to be executable' or some such. So yep.

Anyhow, OpenBSD still does not boot up properly on it (stops somewhere after talking about rootdevices or some such ), but that's another story, and I will upgrade the firmware first.

Cheers,
Josh.
Re: Sun 220R, cdrom problem
Ah ha! Now this is a good idea. Cheers :)

On Wednesday 15 February 2006 19:24, you wrote:
> Joshua Sandbrook wrote:
> > The thing about that though, is it assumes I already have a working
> > system.. eg, solaris is already installed.
> >
> > Any ways around this?
>
> The firmware update is distributed as a bootable file. Sun hardware can
> boot from the net. Set up another machine according to diskless(8), and
> net boot the firmware update on the Sun.
Re: Sun 220R, cdrom problem
The thing about that though, is it assumes I already have a working system.. eg, solaris is already installed.

Any ways around this?

On Sunday 12 February 2006 23:13, you wrote:
> Brad wrote:
> > Hi,
> >
> > I just thought I should point out the fact that some
> > Sun systems need firmware updates. The 220R specifically
> > needed an update on the system that was used for the
> > initial OpenBSD/sparc64 port, I do not know the details
> > as to why that was necessary.
> >
> > Unfortunately with the change in licensing of Solaris and
> > the way Sun supports Solaris and their systems you can no
> > longer download these updates from the SunSolve FTP site
> > without a support contract. I do not know if its possible
> > to find these updates elsewhere.
>
> For a system in http://sunsolve.sun.com/handbook_pub/Systems/
> follow the "Flash PROM Patch" that is located in the "Quick
> Facts" box.
>
> /Sigfred
Sun E220R, cdrom problem
Hello..

I'm trying to install openbsd onto an E220R. It has a toshiba DVD drive in it, and when I type boot cdrom, it just hangs.. the drive light does not blink or anything. probe-scsi shows the cdrom drive, and devalias for cdrom points to the right device, slice f.

Any ideas on what to try next?

Thanks,
Josh.