Re: pf firewall packet size

2021-03-11 Thread Kevin Chadwick
> > > There is just small ACK packets left. I wonder what is solution for > small packets in OpenBSD Checkout set prio in pf.conf...TCP ACKs with no data payload

Re: sysupgrade failure logs

2021-02-16 Thread Kevin Chadwick
On 2/15/21 2:14 PM, Ed Ahlsen-Girard wrote: > I am confident that I can speak for for ... a non-zero number of > people who use sysupgrade the way it says to on the box and would miss > it if it went away. +1 Even though it is a little surprising that some people don't realise how easy it

Dropping privileges and execve CAVEAT

2021-02-11 Thread Kevin Chadwick
If rather than setuid, a root process calls setgroups(1000) setresgid(1000, 1000, 1000) setresuid(1000, 1000, 1000) Is there anything to worry about in regard to the caveat in execve(2)? "If a program is setuid to a non-superuser, but is executed when the real uid is "root", then the process has

Re: Go language and pledge exec promises

2021-01-21 Thread Kevin Chadwick
On 1/21/21 3:06 PM, Theo de Raadt wrote: >> This is just testing with the most permissable settings. > That statement is wrong. The most permissable setting is to not use > pledge, and use full POSIX. > True, perhaps that explains it. I should have done more testing and not assumed it might be

Re: Go language and pledge exec promises

2021-01-21 Thread Kevin Chadwick
On 1/21/21 2:58 PM, Kevin Chadwick wrote: >>>840 beep CALL pledge(0xcf4000,0xcae384) >>>840 beep STRU promise="stdio rpath wpath cpath dpath tmppath inet >>> mcast fattr chown flock unix d\ >>> ns getpw sendfd recvfd tape

Re: Go language and pledge exec promises

2021-01-21 Thread Kevin Chadwick
On 1/21/21 2:54 PM, Theo de Raadt wrote: >>> Run your code under ktrace and see what is actually passed to pledge(), >>> that might give some clues. >>> >>> >>840 beep CALL pledge(0xcf4000,0xcae384) >>840 beep STRU promise="stdio rpath wpath cpath dpath tmppath inet >>

Re: Go language and pledge exec promises

2021-01-21 Thread Kevin Chadwick
On 1/21/21 2:18 PM, Stuart Henderson wrote: > Run your code under ktrace and see what is actually passed to pledge(), > that might give some clues. > > 840 beep CALL pledge(0xcf4000,0xcae384) 840 beep STRU promise="stdio rpath wpath cpath dpath tmppath inet mcast fattr

Go language and pledge exec promises

2021-01-21 Thread Kevin Chadwick
I can live without exec promises. However I believe I have stumbled across an issue on 6.8 and current. When I try to exec /bin/sh where promises is a string of all possible promises from the man page and the second parameter is exec promises. unix.Pledge(promises, "") I get sh[97964]: pledge

Re: Usermod -G failure without error

2021-01-19 Thread Kevin Chadwick
On 1/19/21 10:59 AM, Kevin Chadwick wrote: > Sorry, I think that I must have ran groupadd first which brought users and > groups IDs, out of sync. Ok, after failing to reproduce it this morning; With admin safely jumping to 1020, I worked it out. groupadd elansys useradd admin userdel

Re: Usermod -G failure without error

2021-01-19 Thread Kevin Chadwick
> For example, does 'admin' exist in /etc/passwd?  What does "grep elansyssftp > /etc/group" return? I had played a little. So it shows /bin/ksh and test user etc. /etc/passwd admin:*:1018:1018::/home/admin:/bin/ksh /etc/group admin:*:1019: elansyssftp:*:1018:test Sorry, I think that I must

Usermod -G failure without error

2021-01-18 Thread Kevin Chadwick
When I run the following commands, the elansyssftp group isn't populated. Yet using a differently named group seems to work. I seem to have been able to do so, on two different systems. useradd -m -s /sbin/nologin -p `cat /etc/ssh/ssh_host_ed25519_key.pub | /usr/bin/encrypt -b a` admin groupadd

Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Kevin Chadwick
On 10/29/20 5:20 PM, Kevin Chadwick wrote: > I believe it actually operates at layer 2/3 below IP and uses the default gw > IP > to decide where to operate for a peer to peer link. I'm not actually sure how that makes any sense as it uses UDP which is layer 4. But this says layer

Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Kevin Chadwick
On 10/29/20 4:00 PM, Pierre Emeriaud wrote: >>> Is there a reason why wg needs such a large bind? >> I don't know why wg does that, because I haven't looked at the code. >> Your configuration is definately pushing the limits. > Allright many thanks Theo. Maybe Jason can chime in on this topic. I

Re: Firefox Security 2020

2020-08-17 Thread Kevin Chadwick
On 2020-08-17 06:06, Stuart Henderson wrote: >> With the recent news. I decided to take a look again at Firefox and after a >> days >> use on multiple systems, it even seems to be faster than Chrome. >> >> I notice significant work on pledge support. Does anyone know if it's >> comparable >> to

Firefox Security 2020

2020-08-14 Thread Kevin Chadwick
With the recent news. I decided to take a look again at Firefox and after a days use on multiple systems, it even seems to be faster than Chrome. I notice significant work on pledge support. Does anyone know if it's comparable to Chrome on that front now or still held back by not being designed

TLS stall ftp or pkg_add

2020-07-18 Thread Kevin Chadwick
Has anyone else noticed stalls when using a https link in /etc/installurl. I found that downloading the following file works fine in Chrome but stalls at 128K every time via ftp before completing a significant time later. https://ftp.heanet.ie/pub/OpenBSD/snapshots/packages/amd64/bzip2-1.0.8.tgz

Re: An Athn ar9280 client seems to require cold boots of late?

2020-07-06 Thread Kevin Chadwick
With this patch I have been able to bring the device down and back up with a subsequently successful dhclient and http download. Annoying how quirky and poorly documented, chips often are! Thank You

Re: An Athn ar9280 client seems to require cold boots of late?

2020-06-29 Thread Kevin Chadwick
On 2020-06-29 08:35, Kevin Chadwick wrote: > After leaving this up all weekend, the issue seems to have occurred without an > ifconfig down command too. Though the down triggers it immediately. Perhaps it's a hw issue. I have tried updating the coreboot firmware to see if it helps a

Re: An Athn ar9280 client seems to require cold boots of late?

2020-06-29 Thread Kevin Chadwick
On 2020-06-29 07:36, Stefan Sperling wrote: > There is one interop problem in 6.7 which has been fixed in -current > by reverting a change which was committted between 6.6 and 6.7: > https://marc.info/?l=openbsd-cvs=159100149411516=2 > Perhaps that applies to your situation? Could you check if a

An Athn ar9280 client seems to require cold boots of late?

2020-06-26 Thread Kevin Chadwick
After upgrading via sysupgrade for a few releases, I have had to cold boot to get dhclient athn0 working on an ar9280 in client mode. Since my latest upgrade to a snapshot of Jun 17 kernel #275 with the previous kernel being from Jun 2nd #237. I seem to have to cold boot after running ifconfig

Re: Thoughts or links on optimally secure defaults for pf.conf and fstab, whilst aiming to minimise support issues.

2020-06-14 Thread Kevin Chadwick
On 2020-06-14 13:58, Kevin Chadwick wrote: > set reassemble yes no-df > match scrub (random-id max-mss 1389) > > Should I drop the no-df from set reassemble? Any other recommendations > welcome? To be clear. Previously, with scrub (no-df... the set reassemble line was missing/default.

Thoughts or links on optimally secure defaults for pf.conf and fstab, whilst aiming to minimise support issues.

2020-06-14 Thread Kevin Chadwick
We are basing the server part of our products on OpenBSD. We care more about reducing support issues than say performance. We will have batteries but I hope to deploy some kind of root partition redundancy, for upgrades. However, Is sync or softdep a better default for the best chance of

Re: OpenBSD Readonly File System

2020-06-12 Thread Kevin Chadwick
On 2020-06-11 23:47, Dirk Coetzee wrote: > I always thought that 'sync' mount option is enough to avoid corruption of the FS. > Am I just "fooling" myself ? > I guess it boils down to a matter of preference and business requirements. > > "slow writes" vs "no writes". It's a good point,

Re: Mounting encrypted drive on boot

2020-06-03 Thread Kevin Chadwick
On 2020-06-02 23:27, Chris Narkiewicz wrote: > Somebody on StackOverflow advised on modifying /etc/rc > and run bioctl before disks are mounted, but I'm not sure > if this is a right approach, especially that attaching > more disks might change the /dev/sd* numberign. That would cause yourself

Re: Could somebody please put unveil() in ftp(1)?

2020-06-01 Thread Kevin Chadwick
On 2020-06-01 13:30, Theo de Raadt wrote: >> I wonder, if 99% of users just use /etc/ssl/cert.pem? whether a flag that >> breaks/enables other use cases (removes capath support at runtime), might >> work? > I guess you don't understand unveil. You didn't understand what Stuart > just said *at

Re: Could somebody please put unveil() in ftp(1)?

2020-06-01 Thread Kevin Chadwick
On 2020-06-01 11:20, Stuart Henderson wrote: > We went through this earlier when unveil was added to nc. The way capath > directories are often populated in the real world is not compatible with > unveil, you would need to resolve all files in capath, recursively resolve > symlinks, and add the

Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog

2020-05-28 Thread Kevin Chadwick
On 2020-05-28 18:38, Amarendra Godbole wrote: > It indeed is written by someone lacking knowledge about everything. It > is funny, and gave me a good laugh - the comments are even funnier! Be aware that the author deletes your comments and replaces them with his own, under your name, whilst

Re: Intel wireless issue after upgrading to 6.7

2020-05-28 Thread Kevin Chadwick
On 2020-05-28 14:40, Michael Steeves wrote: > but I'm wondering if there's some other way to get any more detail out of the > laptop about what's going on? ifconfig has a debug flag. A packet capture from another device with monitor mode, may be a helpful option too. e.g. iwm or athn

Re: Dovecot and multi-factor auth support

2020-05-25 Thread Kevin Chadwick
>> Is there any sort of supported way of wiring up login_duo with >> OpenSMTPD and Dovecot, or using bsdauth in some way to enforce a >> second auth factor? > >bsdauth isn't really setup for multi factor, the only way I've seen >this >done is splitting the password field into a fixed-length OTP

Re: Why does OpenBSD still include Perl in its base installation?

2020-05-21 Thread Kevin Chadwick
On 2020-05-21 09:55, Anders Andersson wrote: >> I am a huge fan of minimal and custom installations >> as I mostly use OpenBSD to host simple HTTP servers. > ... >> I would like to get your opinion on that. > From what I've seen, those goals are not compatible with OpenBSD, as > in: You're just

Re: Howto change login mechanism on OpenBSD

2020-05-20 Thread Kevin Chadwick
On May 20, 2020 9:31:19 PM UTC, Edgar Pettijohn wrote: >On Wed, May 20, 2020 at 08:48:20PM +0200, Valdrin MUJA wrote: >> Hi Misc, >> >> I have an interactive shell program which has an authentication >section and I want to login via my program. How can I do that? >> >> Actually I want to run

unveil documentation

2020-05-13 Thread Kevin Chadwick
The unveil man page is perfectly correct and it is not hard to test it's behaviour. I just wonder if it may aid unveil adoption in languages other than C, if it explicitly mentioned that exec is not required on a dir to allow reading the files within, e.g. if the dev is more used to filesystem

Re: Mandate control in OpenBSD like SELinux or AppArmor

2020-05-11 Thread Kevin Chadwick
On May 11, 2020 7:27:49 PM UTC, i...@aulix.com wrote: >Please let me know, what are analogues of SELinux and AppArmor in OBSD > http://www.openbsd.org/mail.html You are supposed to "do your homework" and try googling and searching the mailing list archive before asking questions. Clearly you

Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Kevin Chadwick
Here's a game. Name as many operating systems as you can that encrypt the page file or swap space by default?

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-09 Thread Kevin Chadwick
On 2020-05-09 16:25, i...@aulix.com wrote: > Note: Since these MS / U.S. government keys are deeply sticking in Intel XEON > processor hardware, it doesn’t play a role, what other OS you install or boot > afterwards: Debian/UBUNTU Linux, OpenBSD, … If your software uses Intel > AES-NI hardware

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-09 Thread Kevin Chadwick
On 2020-05-09 14:34, i...@aulix.com wrote: > D-waves has too uncoupled qubits if I understand it correctly, it is nothing > to do about qubits quantity as we used to think about it. Like a "cluster" of > completely isolated hosts (which is already not a cluster or course). I don't care for the

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-09 Thread Kevin Chadwick
On 2020-05-09 14:31, i...@aulix.com wrote: > guessed by quantum provided session symmetric cipher is strong enough? Quantum does not break any in use today and AES-256 symmetric is expected to be quantum resistant in any case. I personally prefer AES-256 ctr over the more complex GCM. I am not

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-09 Thread Kevin Chadwick
On 2020-05-09 07:41, Martin wrote: > This one > https://www.tomshardware.com/news/d-wave-5000-qubit-first-sale,40470.html > is the most powerful 5000qbits quantum computer sells nowadays. D-waves definition of qubit is different and their machines will never be capable of breaking public key

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-09 Thread Kevin Chadwick
On 2020-05-09 07:41, Martin wrote: > This one > https://www.tomshardware.com/news/d-wave-5000-qubit-first-sale,40470.html > is the most powerful 5000qbits quantum computer sells nowadays. > > Moreother, D-Wave opened online service to access 5000qbit remotely for > solving 'special' tasks which

Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Kevin Chadwick
On 2020-05-07 14:48, Aisha Tammy wrote: >> I wouldn't want to read an OS written in Rust and I would love to see secure >> developments in C even if it hampers potential performance. Things like Go >> are >> not suitable for an OS with many small programs. >> > Curious about why... though

Re: List a package's dependencies

2020-05-07 Thread Kevin Chadwick
On 2020-04-21 17:54, Kevin Chadwick wrote: >> Nope, it's definitely the wrong place to fix things. >> >> You should fix your pipes (change the timeouts or whatever). >> >> If worse comes to worst, pkg_add could *possibly* retry running ftp(1), >> but that ma

Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Kevin Chadwick
On 2020-05-07 14:10, Consus wrote: > On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote: >> Dear OpenBSD fans, >> >> Can you please comment negative appraisal from the following website: >> >> https://isopenbsdsecu.re/quotes/ >> >> I did not want to hurt anyone, just looking for a

Re: How to enable TLS 1.3?

2020-04-30 Thread Kevin Chadwick
On 2020-04-30 13:55, Chad Hoolie wrote: > Any idea about relayd though? I don't see any mentioning of 1.3 in man > relayd.conf: I'm not a dev but tls1.3 dropped RSA and I think requires ecdsa key support that relayd currently lacks. Although httpd was originally based on relayd. I assume the

Cross platform apps.

2020-04-22 Thread Kevin Chadwick
Go/Golang can cross compile non graphical programs for many systems including OpenBSD from Windows etc. This means that web apps can be almost as cross platform. Of course the browser isn't so easily built/bundled cross platform with many app creation technologies supporting OSX, Windows, Linux

Re: Has anyone launched Steam for Linux on openbsd?

2020-04-22 Thread Kevin Chadwick
der > > There's also the https://www.playonbsd.com/ website that has more > information on gaming with BSD systems. > Both very cool > Kevin Chadwick wrote: >> Not sure but there wouldn't be much incentive anyway as there >> aren't many steam games that run on

Re: List a package's dependencies

2020-04-21 Thread Kevin Chadwick
On 2020-04-20 22:47, Marc Espie wrote: > Nope, it's definitely the wrong place to fix things. > > You should fix your pipes (change the timeouts or whatever). > > If worse comes to worst, pkg_add could *possibly* retry running ftp(1), > but that makes little sense. I agree ftp/tcp should be

Re: List a package's dependencies

2020-04-20 Thread Kevin Chadwick
> There are some unavoidable complexities to the sheer size of the tree, > and the necessities of updates not to fail... I have noticed recently that I occasionally get a gz truncated message (I think due to tcp timeout) and then the dependent package doesn't get updated. I then re-run pkg_add

Re: WLAN throughput less 10Mb/s

2020-04-14 Thread Kevin Chadwick
On 2020-04-14 09:21, Stefan Sperling wrote: > Regarding other chipsets, if you want the fastest possible AP on OpenBSD > your best option right now is to get a bwfm(4) device, which offloads almost > all of its 802.11 operation into a firmware blob running in the embedded > system on the device.

Re: Will windows 10 boot after installing openBSD?

2020-04-14 Thread Kevin Chadwick
You can also install Windows after and boot OpenBSD quite easily by following the faq. This is not easy on grub/Linux as grub is greedy. Atleast the guides that I found for grub/Linux, failed to work. I have no interest in running Linux these days though and little interest then. I had the notion

Re: Iridium vs Chromium

2020-04-12 Thread Kevin Chadwick
On April 12, 2020 7:07:01 PM UTC, Patrick Harper wrote: >The effort to support Chromium and Firefox (sans ESR) on OpenBSD akin >to Windows/macOS/'Linux' has not happened. On atleast current as Theo showed, Chromium is just as well if not better supported on OpenBSD than on Linux, these days. I

Re: Has anyone launched Steam for Linux on openbsd?

2020-04-11 Thread Kevin Chadwick
Not sure but there wouldn't be much incentive anyway as there aren't many steam games that run on Linux!

Re: secure MTA

2020-04-09 Thread Kevin Chadwick
> Now this whole debate boils down to "how much effort is someone willing to > invest > into hacking Cord's computers?", and that's something I can't answer. And how competent Cord is at defending his computer because they may not be able to if he is competent enough, which is my point; It is

Re: secure MTA

2020-04-09 Thread Kevin Chadwick
On 2020-04-09 10:55, Rudolf Leitgeb wrote: > My point was, that security is an ongoing effort. Flaws and new > exploit venues are discovered. There will be different numbers > of flaws for different operating systems, but none remains unscathed > for years. As soon as your server does anything

Re: secure MTA

2020-04-08 Thread Kevin Chadwick
On 2020-04-08 18:39, Claus Assmann wrote: > - Client-side exploitation: This vulnerability is remotely exploitable > in OpenSMTPD's (and hence OpenBSD's) default configuration. Although You missed some out. I assume on purpose. Client-side exploitation: This vulnerability is remotely

Re: news from my hacked box

2020-04-08 Thread Kevin Chadwick
On 2020-04-08 18:02, Rudolf Leitgeb wrote: > A public facing server with ftp, http, smtp and sshd would have had to be > patched > in regular intervals to remain reasonably secure. False, even though you have lowered the bar from "anything/everything is hackable". httpd and libressl have done

Re: news from my hacked box

2020-04-08 Thread Kevin Chadwick
On 2020-04-08 12:08, Rudolf Leitgeb wrote: >> I believe that is false too. > You're kidding, yes? Did you somehow miss the opensmtp hole? > > https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/ OpenSMTPD does not listen to the internet, by default and even if you do set it to, it

Re: news from my hacked box

2020-04-08 Thread Kevin Chadwick
On 2020-04-07 18:21, Rudolf Leitgeb wrote: > You have no chance defending your desktop against each and every attacker, no > matter > which operating system you have running. True if you consider physical attacks and for most hardware, otherwise mostly false. Anything can be hacked is also one

Re: Guidance: How often to update -current?

2020-03-21 Thread Kevin Chadwick
My upgrades usually follow chromium pkg upgrades. In fact, I have a script on my phone that greps the chromium pkg version. I test on my own laptop first.

Re: Hosting a CDN question

2020-03-17 Thread Kevin Chadwick
On 2020-03-17 02:48, Aaron Mason wrote: > It's worth noting that httpd didn't go over ~30% in the test, whereas > the Go web server absolutely slammed the system. I wonder if this is linked to Go's concurrency. Personally I would look into tweaking httpd defaults and relayd as GOs net/http runs

Re: Hardening browser

2020-03-04 Thread Kevin Chadwick
On 2020-03-04 11:38, Ottavio Caruso wrote: > Probably not what you were looking for but, back in the days when I > was ultra paranoid about my web browsing, I used to use stripped down > live usb installations of Linux distros (DSL was one of them that I > remember). I ignore if OpenBSD comes with

Re: Hardening browser

2020-03-04 Thread Kevin Chadwick
On 2020-03-04 01:06, whistlez...@riseup.net wrote: > in the following message: > https://marc.info/?l=openbsd-misc=158110613210895=2 > Theo discourages to use unveil instead of chroot. > I asked if he suggests the same for the browser but he asked that chroot > is onlye for *root*. I thought that

Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Kevin Chadwick
On 2020-02-17 15:09, Julius Zint wrote: > Some feedback from the OpenBSD community on this would also be appreciated. > Are there > enought people interessted in a Trusted Boot with OpenBSD? I'm interested

Re: strange dmesg

2020-02-10 Thread Kevin Chadwick
On 2020-02-08 16:40, Otto Moerbeek wrote: > When booting, the contents of the existing dmesg buffer are examined. > If the current contents are deemed to be a dmesg, it is not cleared. > It's possible the (random) contents of the buffer are seen as valid by > chance and are thus regarded as dmesg

Re: strange dmesg

2020-02-08 Thread Kevin Chadwick
On February 8, 2020 2:24:21 PM UTC, Justin Noor wrote: >I have the same output on a Protecli firewall device (it’s not in >production yet) running 6.6 stable, and have yet to figure out what it >is. I have seen similar on an intel i3 but then it has just been short term (snapshot or maybe

Re: chroot vs unveil

2020-02-07 Thread Kevin Chadwick
> >> I am considering replacing all chroot use with unveil in my processes even >> where >> no filesystem access is required. > > I am discouraging this. > > unveil is a complicated mechanism, and we may still discover a bug in > it. > > Almost all the chroot in the tree are to empty

Re: Can't install OpenBSD 6.6 on apu4d4

2020-02-06 Thread Kevin Chadwick
On 2020-02-06 07:56, mabi wrote: > Thanks Mischa! I should have thought about that but I couldn't remember > having done this with previous APU models and OpenBSD versions. I expect you known but you can add this into /etc/boot.conf I also recently forgot or found I had to edit /etc/ttys too to

chroot vs unveil

2020-02-06 Thread Kevin Chadwick
I am considering replacing all chroot use with unveil in my processes even where no filesystem access is required. Is there any guidance on whether that is the best practice, where you only intend to run on OpenBSD?

Re: Process Isolation

2020-02-06 Thread Kevin Chadwick
On 2020-02-06 07:59, Charlie Burnett wrote: > I apologize if this was a question I've somehow missed the answer to! OpenBSD takes a more fine grained approach in isolating functions rather than whole programs ideally by the person best suited to do the job (the program developer). Isolating whole

Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-31 Thread Kevin Chadwick
On 2020-01-31 12:16, KatolaZ wrote: > For instance, golang has had native support > for pledge(2) and unveil(2) for a while now. The semantics are a little different to C unveil but it certainly works and bundled by default in the golang.org/x. Not sure the documentation is great. It's a little

Re: OpenBSD's extremely poor network/disk performance?

2020-01-30 Thread Kevin Chadwick
On 2020-01-30 10:57, Handreas wrote: > "Can't say much for the performance of a suite of servers which have > all been taken down to handle the security threat du jour." > > Repeat it again? >

Re: How did it happen?

2020-01-29 Thread Kevin Chadwick
On 2020-01-29 13:07, Oriol Demaria wrote: > I understand that root might be required to open privileged ports, but then > how commands are run as root when you exploit opensmtpd vulnerability? Giles has said further information is coming but it root isn't just required for privileged ports but

Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-29 Thread Kevin Chadwick
On 2020-01-27 19:13, Patrick Kristiansen wrote: > Is there something like the FreeBSD daemon(8) command for OpenBSD, which > can run a process in the background and restart it if it crashes? Of course init does this for getty but as others have pointed out, restarting daemons listening to the

Re: ownership of mailboxes with dovecot

2019-12-31 Thread Kevin Chadwick
On 2019-12-31 14:10, Kevin Chadwick wrote: > I believe the mail boxes are chrooted into too. Actually that may be incorrect with the chroot being more broad than that as they should be owned by root otherwise!

Re: ownership of mailboxes with dovecot

2019-12-31 Thread Kevin Chadwick
On 2019-12-31 13:13, Eike Lantzsch wrote: > I regret having mentioned fetchmail. > It happens as part of setting up dovecot with virtual users. Do you need virtual users. I saw all the guides recommending this and wrote scripts to manage system users instead. Every box is owned by the login user

Re: The OpenBSD talk at 36c3

2019-12-31 Thread Kevin Chadwick
On 2019-12-31 05:19, g...@isdaq.com wrote: > he completely misses the mark. > rather than think "hmm 75% of commits are only 20 chars or less which seem Having watched the video now, that particular part of the talk is poor. He doesn't seem to even know that stable exists. My original thought

Re: off-topic

2019-12-30 Thread Kevin Chadwick
On 2019-12-30 13:09, Gustavo Rios wrote: > Is qmail dead ? > Not Dead (I would hope the original unpatched verson is) https://www.fehcom.de/sqmail/sqmail.html > Does anyone here use openbsd with qmail+ldap ? > I switched to OpenSMTPD

Re: The OpenBSD talk at 36c3

2019-12-30 Thread Kevin Chadwick
> I liked the presentation. An excerpt from https://isopenbsdsecu.re/about/: >> This website was done because studying mitigations is fun, not to get >> involved in a huge flamewars or endless bike-shedding on mailing lists. It is not my place to comment, however I will say that it did not

Re: shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread Kevin Chadwick
>Agree this is likely the problem, unfortunately in PHP-land sometimes >you can't avoid it. For platforms such as Drupal (just to pick an >example I am familiar with) some of the modules will run shell commands >to do things such as send email. > >Allan The php mail() function runs /bin/sh

Sidenote: Filesystem corruption on OpenBSD routers after power outage?

2019-06-18 Thread Kevin Chadwick
> Even after many tries, I have not yet been able to corrupt the > filesystem so fsck cannot repair it without manual intervention. Another less severe corner fail case I have found is that on a couple of buggy 386 laptops (that will be replaced soon anyway) with temperamental over temp

Openrsync poll Hangup

2019-06-15 Thread Kevin Chadwick
Whilst getting current packages from the leaseweb mirror. I kept getting a stall followed by poll:hangup with 6.5 openrsync -v -a --delete Eventually all the packages download as it gets further each time. I tried building the latest openrsync from the current src tree still on 6.5 but I get the

Re: OpenBSD runs only in RAM from a USB Flash Drive

2019-05-31 Thread Kevin Chadwick
>FFS isn't a journaling filesystem so any 'wear', even on primitive >flash storage, won't be enough to worry about. I disagree, depending on a few variables. If you can't get a better device then be prepared to replace the storage or count writes and create new files, keeping the old. KARL

Re: Debug Tool for golang

2019-05-31 Thread Kevin Chadwick
On 5/31/19 5:28 PM, Ted Unangst wrote: > Kevin Chadwick wrote: >> Does anyone debug golang on OpenBSD and can advise on llvm/gcc or provide any >> other insight? > > I just use log. > Yep, not missing a trick then and apparently the old recommendation, Thanks all.

Debug Tool for golang

2019-05-31 Thread Kevin Chadwick
It seems delve which is suggested by golang.org due to optimised binary support expects a Linux /proc and Linux threads (FreeBSD delve github issue tracker). So I guess without delve then building unoptimised binaries would be required which is possibly to be expected when debugging. I'm not sure

Re: PF firewall for desktop

2019-05-28 Thread Kevin Chadwick
On 5/24/19 8:30 PM, Jean-Francois Simon wrote: > Hi, > > Out of interest, I'd like to let you know a specific use of OpenBSD with PF, > in > virtualbox, 2 virtual network card Bridged to physical NIC, and building up a > subnet with NAT and hence running Packet Filter as the machine's firewall.

Re: One-shot upgrade script

2019-04-27 Thread Kevin Chadwick
On 4/25/19 9:27 PM, Christian Weisgerber wrote: > ... and this has now been supplanted by /usr/sbin/sysupgrade. How difficult would it be to have a sysupgrade flag to make the upgrade newfs /usr, to save having to rm the files shown in upgrade.html. (I guess it should work for all users with sane

Re: Malloc config became global sysctl in 6.5

2019-04-27 Thread Kevin Chadwick
On 4/27/19 8:23 AM, Otto Moerbeek wrote: > Additionally, in many cases using a symlink has unclear effects, since > it is hard to determine if the first malloc call (malloc inits itself > on first use) happens before of after the chroot call. I would argue > that in many cases people were thinking

Re: hacked for the second time

2019-04-04 Thread Kevin Chadwick
On 4/4/19 10:57 AM, Cord wrote: > Hi, my english seems very bad because my problem is not to make secure the > ssh key. My problem is how do not be hacked. > I have talked about the ssh key stealing to show signs that my pc was been > compromised. > I can for sure make secure my ssh key but how

Re: fluctuating error on chromium

2019-01-07 Thread Kevin Chadwick
On 1/7/19 9:47 AM, Mihai Popescu wrote: > Hello, > > Each first time i start chromium after reboot, i get this error: > libGL error: failed to open drm device: No such file or directory > libGL error: failed to load driver: r600 > Your user(s) needs access to atleast /dev/drm0, if you want

Re: current snapshot breaks ports? (strange libc versioning)

2018-11-22 Thread Kevin Chadwick
On 11/22/18 9:24 AM, Karel Gardas wrote: > in an attempt to update today from ftp.spline.de I've been kicked out > after -current update with pkg_add -u complaining about wrong libc > versions. Packages complains like: Likely you have a snapshot or packages out of sync. The packages take a lot

OT: Https very slow since openbsd 6.1/Cipher String

2018-11-22 Thread Kevin Chadwick
On 11/21/18 4:00 PM, Gerhard Schweiger wrote on bugs@: > Then comes in openbsd 6.1 amd64, and now the same huge speed difference > between with or without encryption as found on OpenBSD 6.4.Is there any > tweak I could test or is this just bad luck on my VPS or something else? > Speed goes down

Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Kevin Chadwick
On 11/20/18 4:43 PM, Chris Bennett wrote: > AMD? I have read about problems with non-CPU chips being compromised. > Another architecture? I have never used anything other than Intel/AMD. I can't comment on SUN etc. but AMD would be the way to go if you can. Theo has said in a recent presentation

Re: OpenBSD with root FS mounted read only

2018-11-16 Thread Kevin Chadwick
On 11/16/18 3:43 PM, Jarkko Oranen wrote: > As far as I'm aware, they are/were originally separated largely due to > historical reasons anyway, not because it's inherently better to keep > them separate. However they came about it is inherently better. Linux often takes the easy rather than best

Re: OpenBSD with root FS mounted read only

2018-11-16 Thread Kevin Chadwick
On 11/15/18 9:53 PM, Stuart Henderson wrote: > well, it's not just time fsck'ing, those checks can fail, and then if > you don't have OOB you have to go visit the machine .. I assume sync doesn't solve that entirely?

Re: OpenBSD with root FS mounted read only

2018-11-16 Thread Kevin Chadwick
On 11/16/18 10:06 AM, Daniel Polak wrote: >>> The main benefit of read-only is not having to do disk checks but the time  >>> for >>> root is negligible. >> well, it's not just time fsck'ing, those checks can fail, and then if >> you don't have OOB you have to go visit the machine .. True, but

Re: OpenBSD with root FS mounted read only

2018-11-15 Thread Kevin Chadwick
On 11/15/18 4:00 PM, Jarkko Oranen wrote: > However, unless you're using really bad install media (like USB flash > memory or something) I don't think OpenBSD is very likely to suffer a > corrupted filesystem even on power outage unless you're doing very > heavy IO (and even then it's probably

Re: Bluetooth Support

2018-10-31 Thread Kevin Chadwick
On 10/31/18 9:42 AM, Marco Menne wrote: > Bluetooth I never liked. :-) Especially when the Bluetooth spec, specified ecdh without following the security requirements of must validate the curves as clearly laid out by GECC (guide to ECC). I guess Linux and some Intel products did the same or

Re: spamd and google smtp ips

2018-10-31 Thread Kevin Chadwick
On 10/30/18 8:05 PM, Mario Theodoridis wrote: > I ran into this problem as well. > I ended up writing a script that parses the SPF entries out of the greylist > and > if reasonable, whitelists those ranges and removes the grey > list entries. It runs every 15 minutes. smtpctl now has an spf walk

Re: Sndiod restart fixes Chrome sndio_output.cc failed to open device

2018-10-25 Thread Kevin Chadwick
On 10/25/18 9:12 AM, Alexandre Ratchov wrote: > i did a quick test, playback works in chrome; any hints on how to > reproduce the sound problem? Thankyou. It is my fault. I must have been tired or it's been working so long without any notice side effects that I missed the obvious. I use the

Sndiod restart fixes Chrome sndio_output.cc failed to open device

2018-10-24 Thread Kevin Chadwick
I've made the pledge and entered the veil with Chrome. Sound works without restarting sndiod in other applications like aucat and mozilla apps. For some reason the sound does not work in chrome even without enabling the veil but restarting sndiod makes it work. I found some pulseaudio

Re: Graphical debugger for C/C++ ?

2018-10-22 Thread Kevin Chadwick
On 10/21/18 4:49 PM, Edgar Pettijohn III wrote: I wanted to give cgdb a shot. How do I make sure its using egdb? cgdb --help cgdb -d egdb

  1   2   3   4   5   6   7   8   9   >