Re: exit serial console on F4
On Aug 30 11:07 AM, Roger Neth Jr wrote:
Hello List, I am experimenting with serial consoles and had tty00 open on an fvwm X windows term. Closed the term and went to ctl-alt-F4 and logged in as root to cu -l tty00 and connected successfully. I tried ^C and ^D to disconnect from the serial console without success. What I am trying to do is open tty00 back on the fvwm X windows term, but the port is busy because tty00 is running on F4. I did a quick FAQ and Google search but did not find anything.

To disconnect from cu, type enter, then ~. Watch out, because ssh also uses that sequence to disconnect - if you're going through ssh, use ~~. so cu gets the disconnect and not ssh.
Matt
Re: make /dev/pf world readable? CLOSED
On Aug 04 05:21 PM, Artur Grabowski wrote:
Jan Sepp [EMAIL PROTECTED] writes:
The answer was surprisingly simple. I just had to create a second pf device, chown it and make it read-only for the new owner, and I could get my statistics. These are the actual commands:

    soekris # mknod /dev/pf2 c 73 0
    soekris # chown myUser /dev/pf2
    soekris # chmod u-w /dev/pf2
    soekris # ls -l /dev/pf2
    cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
    soekris # su - myUser
    $ pfctl -p /dev/pf2 -i sis0 -vvsI
    sis0 (instance, attached)
      Cleared:     Thu Aug  4 15:48:46 2005
    etc. etc.

If the idea is that the user isn't supposed to be able to write to the device, it doesn't really work.

    # mknod /dev/pf2 c 73 0
    # chown art /dev/pf2
    # chmod u-w /dev/pf2
    # ls -l /dev/pf2
    cr--r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
    # su - art
    $ chmod u+w /dev/pf2
    $ ^D
    # ls -l /dev/pf2
    crw-r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
    # rm /dev/pf2
    #

Right, you can use group permissions for that. Chown it to root:wheel, chmod 740, then anyone in the wheel group can read it but can't delete or chmod it. If you just need one user, make them have their own group and do the same.
Matt
Re: make /dev/pf world readable?
On Jul 27 09:31 AM, Jan Sepp wrote:
Hello, I am creating a shell script that gathers PF statistics for my various interfaces, as in pfctl -i if -vvsI. (Yes, I am aware of the existence of rpfcd, but as I want to monitor only one local box and write the output directly to the console, that seems overkill to me.) I am running OpenBSD 3.6 on a Soekris. This script should not run as root. If I run it as a non-privileged user, I get an error. Basically, the problem is in the mode bits for /dev/pf, which are crw-------, owner root. I googled around and found that Squid happily changes the group and group mode bits on /dev/pf. Is that safe, from a compatibility point of view? And is it secure? Can I do it too? What would be the implications (apart from being incompatible with squid, obviously)? What are the security implications if I go one step beyond that and make /dev/pf world readable? I understand that all my users then can read the rule set -- and good luck to them. Anything else?

I just tried making a new pf device and changing permissions and it works ok for me. I assume that's why there is the -p switch to pfctl, so that you can have multiple device nodes.

    % sudo mknod /dev/pf2 c 73 0
    % sudo chmod 555 /dev/pf2
    % pfctl -srules -p /dev/pf2
    rules follow
    % pfctl -srules
    pfctl: /dev/pf: Permission denied

So maybe you can just make a copy of the device and chown it to the account that is running the script, and then use the -p switch to pfctl to use that device instead.
Matt
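To make concrete why "chown myUser; chmod u-w" (the closed thread above) does not keep the script user from writing /dev/pf2, while root:wheel with mode 740 does, here is an added Python model of the kernel's owner/group/other read and write checks and of the owner-or-root rule for chmod(2). It is not code from either thread; the users, uids and group memberships are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    groups: frozenset  # group names the user belongs to (constructed)


@dataclass
class DeviceNode:
    """Owner, group and permission bits of a node such as /dev/pf2."""
    owner: str
    group: str
    mode: int  # e.g. 0o444 for cr--r--r--, 0o740 for crwxr-----

    def _class_bits(self, u: User) -> int:
        if u.uid == 0:          # root bypasses discretionary checks
            return 0o7
        if u.name == self.owner:
            return (self.mode >> 6) & 0o7
        if self.group in u.groups:
            return (self.mode >> 3) & 0o7
        return self.mode & 0o7

    def can_read(self, u: User) -> bool:
        return bool(self._class_bits(u) & 0o4)

    def can_write(self, u: User) -> bool:
        return bool(self._class_bits(u) & 0o2)

    def chmod(self, u: User, new_mode: int) -> None:
        # chmod(2) is permitted for root and the owner regardless of the
        # mode bits, so mode bits never protect a node from its own owner.
        if u.uid != 0 and u.name != self.owner:
            raise PermissionError("not owner")
        self.mode = new_mode


def owner_with_u_minus_w(u: User) -> tuple:
    """chown myUser /dev/pf2; chmod u-w /dev/pf2 -> (read, write, regained)."""
    node = DeviceNode("myUser", "wheel", 0o444)
    before = (node.can_read(u), node.can_write(u))
    try:
        node.chmod(u, 0o644)            # the user's own "chmod u+w"
        return before + (node.can_write(u),)
    except PermissionError:
        return before + (False,)


def root_wheel_740(u: User) -> tuple:
    """chown root:wheel /dev/pf2; chmod 740 -> (read, write, could_chmod)."""
    node = DeviceNode("root", "wheel", 0o740)
    try:
        node.chmod(u, 0o777)
        could_chmod = True
    except PermissionError:
        could_chmod = False
    return (node.can_read(u), node.can_write(u), could_chmod)
```

The model covers discretionary permissions only; whether a user can remove the node is governed by the /dev directory's permissions, not the node's own mode.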
Re: NFS Protocol not supported when mounting from a Linux machine.
On Jun 22 12:46 PM, Rene Rivera wrote:
I'm trying to NFS mount from a Linux machine to my new OpenBSD setup and it just doesn't work. I've run out of things to try, and I keep getting the Protocol not supported error. Trying to force the NFS version:

    mount_nfs -2 x.x.x.x:/mnt/export /mnt/export

Doesn't seem to work, as the Linux server keeps saying:

    svc: unknown version (3)

Any help appreciated.

Did you try mounting using both tcp and udp? Also try using rpcinfo to see which protocols/versions are supported on the server:

    rpcinfo -u hostname nfs
    rpcinfo -u hostname mountd
    rpcinfo -t hostname nfs
    rpcinfo -t hostname mountd

Matt
Re: in chroot -- convert: can't load library ...
On May 26 09:03 PM, Serban Giuroiu wrote:
Hello! I'm playing with a fresh install of OpenBSD 3.7 running Apache in a chroot jail (/var/www/). My website requires ImageMagick to generate thumbnails and scaled images, so I installed the ImageMagick-6.0.0-2p3-no_x11.tgz package. I copied /usr/local/bin/convert into /var/www/bin/. Accordingly, I set up an environment for convert with the hierarchy of all its dynamic library dependencies retrieved from ldd:

    /usr/local/bin/convert:
        Start    End      Type Ref Name
                          exe  1   /usr/local/bin/convert
        05782000 2581e000 rlib 1   /usr/local/lib/libMagick.so.6.1
        01eb6000 21ebc000 rlib 2   /usr/local/lib/libjbig.so.1.2
        0f64e000 2f659000 rlib 2   /usr/local/lib/liblcms.so.1.12
        0f91c000 2f93f000 rlib 2   /usr/local/lib/libtiff.so.36.1
        04aa5000 24ab4000 rlib 2   /usr/local/lib/libjasper.so.1.0
        018eb000 218f1000 rlib 2   /usr/local/lib/libjpeg.so.62.0
        04d4e000 24d55000 rlib 2   /usr/local/lib/libpng.so.4.1
        0b40d000 2b411000 rlib 2   /usr/local/lib/libbz2.so.10.2
        009b7000 209ea000 rlib 2   /usr/local/lib/libxml2.so.9.0
        0245b000 22537000 rlib 2   /usr/local/lib/libiconv.so.4.0
        0a49b000 2a4a3000 rlib 3   /usr/lib/libz.so.4.0
        0df8     2df87000 rlib 4   /usr/lib/libm.so.2.0
        056bb000 256f2000 rlib 1   /usr/lib/libc.so.34.2
        0aa86000 0aa86000 rtld 1   /usr/libexec/ld.so

However, convert does not seem to find those libraries. Additionally, convert complains about a different library every time it is run inside the chroot. For example:

    # convert
    convert: can't load library 'libtiff.so.36.1'
    # convert
    convert: can't load library 'libpng.so.4.1'
    # convert
    convert: can't load library 'libjbig.so.1.2'
    # convert
    convert: can't load library 'libpng.so.4.1'
    # convert
    convert: can't load library 'libbz2.so.10.2'
    # convert
    convert: can't load library 'liblcms.so.1.12'
    # convert
    convert: can't load library 'libjasper.so.1.0'
    # convert
    convert: can't load library 'libxml2.so.9.0'

What must I do for convert to find those libraries and run successfully? Thanks for any feedback!

OpenBSD loads shared libraries in random order now, so that's why you get a different failure every time. http://www.openbsd.org/papers/auug04/mgp00020.html

Try rebuilding /var/run/ld.so.hints inside the chroot (/var/www/var/run/ld.so.hints).
Matt
Re: Certified Hardware
On May 24 12:49 PM, Habex Tim wrote:
Dear, We are considering replacing our current CheckPoint FireWall-1 with OpenBSD. However, our internal policies require us to have certified hardware to run on production systems. Therefore we are looking for certified hardware (+maintenance contract) to replace our current (expired) Nokia 440. I was unable to find this information on your website, and on #openbsd (irc.freenode.net) they informed me to try this email address. The list of supported hardware is insufficient, as we need a vendor who is aware of OpenBSD compatibility in case we need a replacement. e.g. Which hardware (vendor) are you using? We need at least 6 NICs in our firewall and our preferred vendor is HP.

I'm not sure what kind of traffic you are pushing, but Soekris Engineering (www.soekris.com) certifies their hardware with OpenBSD. If you get a net4801 with 3 onboard NICs and one of their lan1641 quad cards, you can get 7 interfaces. It also has room for a VPN accelerator card if you need one. This way you can get all the hardware from a single vendor who supports OpenBSD. I'm sure you can find lots of people talking about it in the archives.
Matt
Re: OpenBSD 3.6, Intel 3.0 HT processor!!
On May 13 05:09 PM, Dries Schellekens wrote:
Ted Unangst wrote:
On Thu, 12 May 2005, Henning Brauer wrote:
* J.D. Bronson [EMAIL PROTECTED] [2005-05-12 16:23]:
No matter what I set the BIOS to - I cannot get SMP/HTT to work in OpenBSD, but it does work with others.
OpenBSD will only use HT on systems with an MPBIOS, which almost no uniprocessor board has.
not that this is a loss... it's a security feature. :)
Indeed: http://www.daemonology.net/hyperthreading-considered-harmful/
Cheers, Dries

Was this the big security vulnerability that the FreeBSD guys were hiding back in March? http://openbsd.monkey.org/misc/200503/msg00097.html
Matt