Re: Removing FUSE would theoretically make a system more secure?

2018-01-28 Thread who one
Hello, 

"> And what are you defending against?"

there was/is a great guy that investigated the security of the BSDs, reported a 
few bugs too: 

https://www.youtube.com/watch?v=rRg2vuwF1hY=youtu.be=1522

that led to, e.g.: 

https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/017_fuse.patch.sig

So would the mentioned method, removing the "grep -i fuse /sys/conf/GENERIC" 
lines and re-compiling, "disable FUSE"? 

Thanks for the syspatch/relinking hint, I forgot about them if I touch the 
kernel!

Thanks!


> Sent: Sunday, January 28, 2018 at 5:15 AM
> From: mar...@martinbrandenburg.com
> To: misc@openbsd.org, whoonet...@mail.com
> Subject: Re: Removing FUSE would theoretically make a system more secure?
>
> > afaik if I would remove the lines that contain "FUSE" and "fuse" from 
> > /sys/conf/GENERIC and re-compile the kernel, that would mean, there will be 
> > no more FUSE support in my kernel after reboot.
> >
> > If so, would this step help to make my system more secure? Ex.: from a 
> > future FUSE related security issue? 
> >
> > just asking theoretically, since I don't use FUSE related stuff, so 
> > thinking of that is unneeded. 
> >
> > or it would just create an unsupported kernel which didn't have any tests 
> > regarding the missing fuse and maybe cause bigger issues and security 
> > issues vs. if I hadn't touched it? 
> 
> I daresay that removing FUSE support will make you invulnerable to any
> kind of bug in FUSE.  jca has already given you an outline of the
> reasons to believe such a bug, if it exists, is rather unlikely to be
> exploitable.
> 
> You had better consider what you're giving up when you make this change.
> You won't be able to use FUSE.  You won't be able to use syspatch.  I'm
> not sure how it affects kernel relinking.  You'll have to build your
> kernels yourself on all architectures you run for each release and every
> kernel-related erratum.  You'll have to maintain your changes.  You
> can't just say "I'm not sure" as I just did.  You'll have to take
> responsibility for the possibility that running a non-standard
> configuration may introduce bugs.
> 
> And what are you defending against?  Somebody has to get root or a way
> to mount filesystems without root.  We'll assume he's got a way to mount
> filesystems without root, because if he had a way to get root, he
> wouldn't need bother with anything else.  Then he's got to have his FUSE
> exploit which gives him root.  Since he probably doesn't have an account
> on your system, he's got to have a third exploit to start running code
> to begin with.
> 
> Defense in depth is good, but this isn't worth the effort on your part.
> 
> Your security need only be good enough to require an attacker spend more
> than he's willing to spend.
> 
> Martin
> 
> 



Removing FUSE would theoretically make a system more secure?

2018-01-27 Thread who one
Hello, 

afaik if I would remove the lines that contain "FUSE" and "fuse" from 
/sys/conf/GENERIC and re-compile the kernel, that would mean, there will be no 
more FUSE support in my kernel after reboot.

If so, would this step help to make my system more secure? Ex.: from a future 
FUSE related security issue? 

just asking theoretically, since I don't use FUSE related stuff, so thinking of 
that is unneeded. 

or it would just create an unsupported kernel which didn't have any tests 
regarding the missing fuse and maybe cause bigger issues and security issues 
vs. if I hadn't touched it? 

Many thanks!



Re: OpenBSD !HTTPS websites - why?

2018-01-24 Thread who one
Hello, 

> hosted on various machines run by different people. I'm not sure if
> there's any viable way to handle keys and certificates for this type
> of situation.

-->>

###
letsencrypt: 

Can one domain have multiple servers controlled by different entities?

Yes, but there will need to be some coordination for getting the SSL 
certificates.

How can the coordination work (depends on the ACME challenge used):

HTTP

  Working together

    Whenever one of the 2 hosts wants to renew a cert they would need to 
    deploy a .well_known file to both servers, so that no matter which one 
    letsencrypt accesses they get the right file.

  Centralised

    You can run an additional server, which both parties can push files to, 
    and have both servers redirect any requests for .well_known to this 
    server.

DNS

  Full access

    Either of the 2 hosts would need to be able to add DNS records to pass 
    the checks.

  Custom API

    An API can be set up so that the 2 hosts can submit an ACME response and 
    have it served.

Limiting impact of breaches

As the servers need to be able to generate SSL certificates if they are 
breached they will be able to generate certs.

Using Must-Staple ( https://scotthelme.co.uk/ocsp-must-staple/ ) the impact of 
current certs leaking can be reduced, but this will not help if the host is 
instructed to make new certs without this after generation.

Using CT logs you can watch for invalid certs, and using CAA you can limit 
which CAs will issue certs, which will help reduce the breach impact.

You could even use CAA to disable certs entirely, and only allow issuance by 
contacting you and manually removing the record until the cert has been issued, 
reducing your attack window, but increasing the management overhead.

###

> Sent: Monday, January 15, 2018 at 1:37 PM
> From: "Stuart Henderson" <s...@spacehopper.org>
> To: misc@openbsd.org
> Subject: Re: OpenBSD !HTTPS websites - why?
>
> On 2018-01-15, who one <whoonet...@mail.com> wrote:
> > Hello, 
> >
> > http://www.openbsdfoundation.org/
> > http://firmware.openbsd.org/firmware/
> >
> > When can we have HTTPS connection on these websites? 
> >
> > What website remains that doesn't have HTTPS yet and related to OpenBSD? 
> >
> > Security should be in layers, HTTPS is one additional layer. 
> >
> > 70% of the websites in the world uses HTTPS: https://letsencrypt.org/stats/ 
> > , see "Percentage of Web Pages Loaded by Firefox Using HTTPS". If OpenBSD 
> > is security oriented, HTTPS should be de facto. 
> >
> > Many thanks.
> >
> >
> 
> I can't speak for openbsdfoundation, but for firmware.openbsd.org it's
> hosted on various machines run by different people. I'm not sure if
> there's any viable way to handle keys and certificates for this type
> of situation.
> 
> Firmware packages do have signify(1) signatures themselves. These
> are verified early - before passing to gzip to decompress them.
> However there is a remaining issue that a MITM could suppress
> certain packages, or provide older signed versions.
> 
> 
> 
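
Added example, not part of the thread and not any CA's or project's own code: the CAA check that the message above relies on ("using CAA you can limit which CAs will issue certs", "use CAA to disable certs entirely"), written out as the RFC 8659 decision a CA makes before issuing. The zone contents, host names and the second CA identifier are constructed sample data; CNAME handling is left out.

```python
"""CAA issuance decision (RFC 8659) over a constructed zone. Added example."""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample data: names and records are illustrative only.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.org": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.org")],
    # 'issue ";"' names no CA: issuance is disabled until the record is removed.
    "locked.example.org": [(0, "issue", ";")],
    # Ordinary certificates allowed, wildcard certificates forbidden.
    "wild.example.org": [(0, "issue", "letsencrypt.org"),
                         (0, "issuewild", ";")],
    # Critical flag (128) set on a tag this checker does not understand.
    "strict.example.org": [(128, "futuretag", "x"),
                           (0, "issue", "letsencrypt.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name: str, zone: Dict[str, List[CaaRecord]]
                   ) -> Tuple[str, List[CaaRecord]]:
    """Climb from the name toward the root; the first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request starts at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return "", []


def issuer_domain(value: str) -> str:
    """Issuer part of an issue/issuewild value (text before any ';' parameters)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str,
              zone: Dict[str, List[CaaRecord]] = ZONE) -> Tuple[bool, str]:
    """Return (allowed, reason) for CA identifier `ca` issuing for `name`."""
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA RRset found: issuance unrestricted"
    # A critical property the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{tag}' at {owner}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    props = issuewild if (name.startswith("*.") and issuewild) else issue
    if not props:
        return True, f"RRset at {owner} has no issue property: unrestricted"
    if any(issuer_domain(v) == ca.lower() for v in props):
        return True, f"{ca} authorised at {owner}"
    return False, f"{ca} not authorised at {owner}"


if __name__ == "__main__":
    checks = [
        ("letsencrypt.org", "www.example.org"),
        ("otherca.example", "www.example.org"),
        ("letsencrypt.org", "locked.example.org"),
        ("letsencrypt.org", "*.wild.example.org"),
        ("letsencrypt.org", "strict.example.org"),
        ("otherca.example", "example.net"),
    ]
    for ca, name in checks:
        allowed, reason = may_issue(ca, name)
        print(f"{name:22} {ca:16} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

A name with no CAA record anywhere up its tree is unrestricted, which is why the record has to sit at or above every host name the shared servers answer for.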



Re: Kernel panic with openbsd 6.2

2018-01-24 Thread who one
Could it be related to: 
https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/

?

> Sent: Friday, January 19, 2018 at 9:50 PM
> From: "Mik J" 
> To: Misc 
> Subject: Kernel panic with openbsd 6.2
>
> Hello,
> 
> I had many kernel panics these past days. This is a 6.2 openbsd VM running on 
> esxi 5.5
> 
> I took screenshots then followed
> https://www.openbsd.org/ddb.html
> 
> # objdump -dlr /sys/arch/amd64/compile/GENERIC.MP/obj/if_vmx.o > 
> /tmp/if_vmx.dis
> 
> # grep "" /tmp/if_vmx.dis
>     10f6:   e8 d5 00 00 00  callq  11d0 
>     1176:   e8 55 00 00 00  callq  11d0 
> 11d0 :
>     1857:   e8 74 f9 ff ff  callq  11d0 
> 
> # grep -n 10f6 /tmp/if_vmx.dis
> 1667:    10f6:  e8 d5 00 00 00  callq  11d0 
> 
> # grep ":" /tmp/if_vmx.dis
> 11d0 :
> 
> # printf '%x\n' $((0x11d0 + 0x263))
> 1433
> 
> vi /tmp/if_vmx.dis
>    2040 1433:   ba 01 00 00 00  mov    $0x1,%edx
> I find it is on line 2040
> 
> => But the file is only 1251 lines long
> nl -ba /sys/dev/pci/if_vmx.c | sed -n 2040p
> 
> => So that last command gives me nothing
> 
> Do you have an idea of what mistake I made so that I can make a report ?
> 
> Thank you
> 
>
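
Added example, not part of the thread: the lookup the quoted message walks through (function start plus offset, then a source line) done over an `objdump -dlr` listing. With `-l`, objdump writes `file:line` annotations into the listing ahead of the instructions they cover, so the source line comes from the nearest annotation above the target address, not from the listing's own line number. The listing excerpt, the function name `example_fn`, the callee name and the source line numbers are constructed; only the addresses 11d0 and 1433 and the offset 0x263 come from the message.

```python
"""Resolve function+offset to a source line in `objdump -dlr` output. Added example."""
import re
from typing import Dict, Optional

# Constructed listing excerpt in the shape objdump -dlr produces.
SAMPLE_DIS = """\
00000000000011d0 <example_fn>:
example_fn():
/sys/dev/pci/if_vmx.c:990
    11d0:\t55                   \tpush   %rbp
    11d1:\t48 89 e5             \tmov    %rsp,%rbp
/sys/dev/pci/if_vmx.c:1004
    142e:\te8 00 00 00 00       \tcallq  1433 <example_fn+0x263>
\t\t\t142f: R_X86_64_PC32\texample_callee-0x4
    1433:\tba 01 00 00 00       \tmov    $0x1,%edx
/sys/dev/pci/if_vmx.c:1005
    1438:\t31 c0                \txor    %eax,%eax
"""

SYM_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")   # "addr <name>:"
SRC_RE = re.compile(r"^(/\S+):(\d+)\b")               # "/path/file.c:123"
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t(.*)$")      # "  addr:<TAB>bytes<TAB>insn"


def function_start(listing: str, func: str) -> Optional[int]:
    """Address at which `func` starts, or None if the symbol is not listed."""
    for line in listing.splitlines():
        m = SYM_RE.match(line)
        if m and m.group(2) == func:
            return int(m.group(1), 16)
    return None


def resolve(listing: str, func: str, offset: int) -> Optional[Dict[str, object]]:
    """Map func+offset to the instruction and the source annotation covering it."""
    start = function_start(listing, func)
    if start is None:
        return None
    target = start + offset
    src = None  # most recent file:line annotation seen
    for lineno, line in enumerate(listing.splitlines(), 1):
        if SYM_RE.match(line):
            src = None  # annotations do not carry across functions
            continue
        m = SRC_RE.match(line)
        if m:
            src = (m.group(1), int(m.group(2)))
            continue
        m = INSN_RE.match(line)  # relocation lines ("addr: R_...") do not match
        if m and int(m.group(1), 16) == target:
            return {
                "address": target,
                "listing_line": lineno,  # line in the .dis file, not in the .c file
                "source_file": src[0] if src else None,
                "source_line": src[1] if src else None,
                "instruction": m.group(2).split("\t")[-1],
            }
    return None


if __name__ == "__main__":
    hit = resolve(SAMPLE_DIS, "example_fn", 0x263)
    print(hit)
```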



Re: History documentation

2018-01-24 Thread who one
Hey, strange, there is 5.3 in 
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/doc/history/

is this still maintained?

Many thanks. 

> Sent: Saturday, January 20, 2018 at 1:21 PM
> From: mazocomp 
> To: misc@openbsd.org
> Subject: History documentation
>
> Hi!
> Both obsd-faq.txt and pf-faq.txt in pub/OpenBSD/doc/ are same as
> obsd-faq52.txt and pf-faq52.txt in pub/OpenBSD/doc/history/
> So I wonder is there a point to keep them out of date?
> 
> 



OpenBSD !HTTPS websites - why?

2018-01-15 Thread who one
Hello, 

http://www.openbsdfoundation.org/
http://firmware.openbsd.org/firmware/

When can we have HTTPS connection on these websites? 

What website remains that doesn't have HTTPS yet and related to OpenBSD? 

Security should be in layers, HTTPS is one additional layer. 

70% of the websites in the world uses HTTPS: https://letsencrypt.org/stats/ , 
see "Percentage of Web Pages Loaded by Firefox Using HTTPS". If OpenBSD is 
security oriented, HTTPS should be de facto. 

Many thanks.



Re: Community-driven OpenBSD tutorials wiki?

2018-01-05 Thread who one
imho use the official documentation, not a separate wiki. this is the right way. 

> Sent: Friday, January 05, 2018 at 8:32 PM
> From: "Karel Gardas" 
> To: "Andreas Thulin" 
> Cc: "misc@openbsd.org" 
> Subject: Re: Community-driven OpenBSD tutorials wiki?
>
> On Thu, 04 Jan 2018 14:17:51 +
> Andreas Thulin  wrote:
> 
> > Hi all!
> > 
> > Thought I'd create an OpenBSD wiki somewhere, where anyone (especially
> > non-developers like myself) could create and edit tutorials for stuff
> > non-developers like myself would find useful. I find that sometimes
> > existing tutorials become outdated, and was thinking that a wiki would make
> > updates easier.
> 
> Not a bad idea, but when speaking about OpenBSD I would rather recommend to 
> update/fix/enhance OpenBSD's own man collection.
> 
> 



Re: Kernel memory leaking on Intel CPUs?

2018-01-05 Thread who one
sorry, didn't send my original mail in plaintext

Google came out with a more detailed explanation: 

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Should any hardening setting be enabled? Or does code need to be updated? What 
is the advice for OpenBSD? 

Thanks, 

> Subject: Kernel memory leaking on Intel CPUs?

> https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>  
> "It is understood the bug is present in modern Intel processors produced in 
> the past decade. It allows normal user programs – from database applications 
> to JavaScript in web browsers – to discern to some extent the layout or 
> contents of protected kernel memory areas."
> 
> "The fix is to separate the kernel's memory completely from user processes 
> using what's called Kernel Page Table Isolation, or KPTI. At one point, 
> Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was 
> mulled by the Linux kernel team, giving you an idea of how annoying this has 
> been for the developers."
>  
> "AMD processors are not subject"
>  
> https://www.postgresql.org/message-id/2018010354.qikjmf7dvnjgb...@alap3.anarazel.de
>  
> Did anyone hear about this?



Kernel memory leaking on Intel CPUs?

2018-01-03 Thread who one
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

"It is understood the bug is present in modern Intel processors produced in
the past decade. It allows normal user programs – from database applications
to JavaScript in web browsers – to discern to some extent the layout or
contents of protected kernel memory areas."

"The fix is to separate the kernel's memory completely from user processes
using what's called Kernel Page Table Isolation, or KPTI. At one point,
Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was
mulled by the Linux kernel team, giving you an idea of how annoying this has
been for the developers."

"AMD processors are not subject"

https://www.postgresql.org/message-id/2018010354.qikjmf7dvnjgb...@alap3.anarazel.de

Did anyone hear about this?


FW:Ordеr 10466117 let v-vitamin be the constructor of your macho-success!:

2012-07-26 Thread Online~Express!Оrdеr#10466117 through thesnow there was just one=
http://y.ahoo.it/QD0ir?/2010/10/her pass he repeated softlynightshade
stiffened.aspx

for danger the
fearful remorselessness of!shrugged bishop oliver is said to



Business Opportunity | in the U.S.A.

2011-01-18 Thread Franquicia | Reduce One

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
REDUCE ONE SEP 2010.001.jpg]



Results-based paid e-mailing

2008-04-15 Thread Emailing One
If this message does not display correctly, you can view it by
following this link.

[IMAGE]

COMMUNICATE WITHOUT COMMITMENT!

At last, a solution for setting up e-mailing campaigns
paid on results:

[IMAGE]

We offer you the possibility of accessing e-mailing
and making sales with complete financial peace of mind.

[IMAGE]

Email:*

Last name:*

First name:*

Telephone:*

Company:*

Message:

Fields marked with a * are required.

e-mailingone - Sarl with capital of 15€
50 rue Henri Prou 78340 Les Clayes sous bois – Siret no. 49793861300013

If you no longer wish to receive messages from us, click here



Re: Microsoft gets the Most Secure Operating Systems award

2007-09-20 Thread The One
On 9/19/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:
> The One [EMAIL PROTECTED] writes:
>
> > Security is one of the concerns Leopard will solve.
>
> **BLAM**
>
> Security is never, ever a completely solved problem.  Your world just
> isn't that simple. Do NOT pass GO.
>
> I sincerely hope never to hear such nonsense on misc, ever again.
>
> Sure, the next release is always better.  But you won't hear me saying
> that OpenBSD 4.3 is your solution to all ills.  At the moment, both
> Leopard and OpenBSD 4.3 are clouds of virtual unobtanium, not to be
> confused with the final solution to anything.
>
> Don't bother following up, I won't be listening.  Or maybe I will, and
> I might even venture out from under my rock again before 4.4 ships.

If anyone can solve security, whether it is with Leopard or in the
future, Apple definitely can.

In my opinion, Apple performs 100% in the software field, and 90% in
the hardware field, which is due to, as I explained in my previous
messages, depending off of factories in third-world countries that are
not even Apple operated!

But Apple has done so much with software, it is obvious that, in the
end, Apple will reach the goal. Even when personal computers are
replaced with a different technology, Apple will be on top.



Re: Microsoft gets the Most Secure Operating Systems award

2007-09-20 Thread The One
Sorry, but I just disagree with Theo saying that OS X is buggy and insecure.

On 9/21/07, Marc Espie [EMAIL PROTECTED] wrote:
> On Fri, Sep 21, 2007 at 12:08:55AM +1000, The One wrote:
>
> > If anyone can solve security, whether it is with Leopard or in the
> > future, Apple definitely can.
> >
> > In my opinion, Apple performs 100% in the software field, and 90% in
> > the hardware field, which is due to, as I explained in my previous
> > messages, depending off of factories in third-world countries that are
> > not even Apple operated!
> >
> > But Apple has done so much with software, it is obvious that, in the
> > end, Apple will reach the goal. Even when personal computers are
> > replaced with a different technology, Apple will be on top.
> Stop sending this stuff to misc@openbsd.org, it is totally irrelevant
> here, and your email address tags you as a Troll as well.



Re: FW: Microsoft gets the Most Secure Operating Systems award

2007-09-20 Thread The One
On 9/21/07, stuart van Zee [EMAIL PROTECTED] wrote:
 The One [EMAIL PROTECTED] writes:
  If anyone can solve security, whether it is with Leopard or in the
  future, Apple definitely can.
 
  In my opinion, Apple performs 100% in the software field, and 90% in
  the hardware field, which is due to, as I explained in my previous
  messages, depending off of factories in third-world countries that are
  not even Apple operated!
 
  But Apple has done so much with software, it is obvious that, in the
  end, Apple will reach the goal. Even when personal computers are
  replaced with a different technology, Apple will be on top.
 

 Solve security? GEESH!

 Mr. The One

 I must humbly submit to you that you DO NOT KNOW WHEREFORE YOU SPEAK!
 There is no such thing as Solving Security.  It does not exist.
 It could only exist in a perfect world and as you know, or at least
 should know, this is NOT a perfect world.  My opinion is that Apple
 puts out a nice product for what it is.  I love my MacBook, I use it
 to play online games and work my second job as an internet radio
 show personality.  I use it when I don't want to think after a long
 day of thinking at work (thinking isn't my best subject after all).
 BUT!  I do not delude myself into thinking that it is some great
 bastion of security or ever will be.

 At work, I use OpenBSD for firewalls, mail servers, (gulp) an FTP
 server, NIDS, time server, etc... etc... etc...  Do I think that
 OpenBSD is the end-all-be-all of security?  nope.  A system, no
 matter how good it is, is only as good as the admin who sets it up.
 Some systems start out from a much better position than others,
 and my opinion is that OpenBSD is the very best at this, but
 ultimately, it has to be set up to do whatever job it needs to
 perform.  No matter how perfect the base system is, there is no way
 to get around this.  There is NO WAY an OS can SOLVE SECURITY.
 It is as impossible as making an ice machine that SOLVES the
 problem of ice melting.  It is as idiotic as the belief that the
 Titanic was unsinkable.

 Please, do not put so much blind faith in a system that is built
 more for user experience than it is for security.  Do not put so
 much blind faith in ANYTHING.  Nothing is infallible, everything
 eventually crumbles.  Even OpenBSD has had 2 remote exploits in
 the default install in the last 10 years.  It happens, even to the
 very best.  Nothing can, or ever will, be able to change this, it
 is an immutable fact.

 period.

 s


Hi Stuart,

Of course, nothing can ever be immune! Sorry for allowing you to have
such a misconception about myself! :)

But, as I have said before, Apple has virtually never failed in
software, why should it fail in security?

The One.



Re: Microsoft gets the Most Secure Operating Systems award

2007-09-19 Thread The One
But if OS X Tiger was to gain 100 % market share, I honestly believe
that my Mac would not be affected by any viruses or hacking,
whatsoever.

Of course, there may be some flaws discovered if such an event were to
occur, but I am a very careful being.

And with Safari's Private Browsing and helpful settings in System
Preferences, my Mac would be completely secure! :)

By the way, Apple makes sure to release security updates in relatively
quick amounts of time! ;)

With that in mind, and a stronger Leopard coming soon, what can
possibly occur in a negative connotation?

-The One

On 9/19/07, The One [EMAIL PROTECTED] wrote:
 What I meant to say was that Leopard's release will solve every
 current problem prevalent in OS X Tiger and people's opinions about
 the Macintosh platform, although their current, so-called opinions
 have no evidence behind them, whatsoever.

 Security is one of the concerns Leopard will solve.

 I was, in a way, issuing a final statement about the stance of
 operating systems and general computers, at least OS X and
 Windows-wise.

 OpenBSD and Linux both have functions that make them unique. The
 simple fact is that the Windows OS has nothing unique about it
 whatsoever ... except for the fact that it is the only flawed OS to
 gain massive popularity ... temporarily

 -The One

 On 9/18/07, Nick Guenther [EMAIL PROTECTED] wrote:
  Why are you still talking?
  Why are you topposting?
  Why does it matter to the world at all what your one random friend does?
  And the standard: What does this have to do with OpenBSD?
 
  On 9/17/07, The One [EMAIL PROTECTED] wrote:
   Apple will, undoubtedly, implement some of these basic techniques for 
   Leopard.
  
   But market share has completely NOTHING to do with OS X's security.
  
   Apple always has and will be 100 % when it comes to their software for
   OS X and OS X itself.
  
   Only time will tell. Leopard's release will solve every Mac user's
   concerns and PC fanboys idiocy!
  
   Even my friend, who uses a PC, is considering the purchase of a Mac. I
   told him to wait until October, which is very near, to buy one. That
   way he will not have to pay extra for Leopard! ;)
  
   On 9/5/07, Nick Shank [EMAIL PROTECTED] wrote:
The One wrote:
 But how would it spread? There have been 2 OS X viruses, yet they
 spread terribly.

 And Apple has already fixed the issue. :)

 -The One

 On 9/2/07, Kennith Mann III [EMAIL PROTECTED] wrote:

 On 9/1/07, The One [EMAIL PROTECTED] wrote:

 On 3/23/07 2:53 AM, Theo de Raadt wrote:

 Symantec have been trying to demonise OS X for a long while.

 And it is going to work soon.

 Because OS X has no Propolice-like compiler stack protection, nor
 anything like W^X which makes parts of the address space
 non-executable, nor anything like address space randomization which
 makes certain attacks very difficult, especially with the previous 
 two
 techniques.

 So when they have a bug, it is exploitable just like bugs are on 
 any
 other powerpc or i386 machine running some other operating system.

 These days even operating systems like Vista have the above 3 
 security
 technologies.


 First of all, bugs and viruses are two different things.

 Second, OS X does not need third-party protection. All of the
 protection is built into the OS!

 If Vista is so secure, then why does one need to download
 virus/spyware protection when it can simply be built into the OS?

 -The One



 I don't have virus/spyware protection and I've been fine before 
 with
 Vista and XP.

 Perhaps you mean to say why do users who install things they
 shouldn't need virus/spyware protection? which I would argue that 
 the
 OS doesn't matter. I could write a script that asks for rootly
 permission in OS X and start nuking stuff with the promise of 
 prettier
 icons for their desktop or IM client.

 If you were to argue for worms and things of the like, then I would
 agree. The only virus I will probably ever catch is some zero-day 
 that
 hits the world and gets in my work network (won't happen at my house
 -- I live alone)



Here we hit the heart of the issue. The virus and spyware detection
software for Windows isn't really to protect to the OS. It's to protect
the user from themselves.



Re: Microsoft gets the Most Secure Operating Systems award

2007-09-19 Thread The One
What I meant to say was that Leopard's release will solve every
current problem prevalent in OS X Tiger and people's opinions about
the Macintosh platform, although their current, so-called opinions
have no evidence behind them, whatsoever.

Security is one of the concerns Leopard will solve.

I was, in a way, issuing a final statement about the stance of
operating systems and general computers, at least OS X and
Windows-wise.

OpenBSD and Linux both have functions that make them unique. The
simple fact is that the Windows OS has nothing unique about it
whatsoever ... except for the fact that it is the only flawed OS to
gain massive popularity ... temporarily

-The One

On 9/18/07, Nick Guenther [EMAIL PROTECTED] wrote:
 Why are you still talking?
 Why are you topposting?
 Why does it matter to the world at all what your one random friend does?
 And the standard: What does this have to do with OpenBSD?

 On 9/17/07, The One [EMAIL PROTECTED] wrote:
  Apple will, undoubtedly, implement some of these basic techniques for 
  Leopard.
 
  But market share has completely NOTHING to do with OS X's security.
 
  Apple always has and will be 100 % when it comes to their software for
  OS X and OS X itself.
 
  Only time will tell. Leopard's release will solve every Mac user's
  concerns and PC fanboys idiocy!
 
  Even my friend, who uses a PC, is considering the purchase of a Mac. I
  told him to wait until October, which is very near, to buy one. That
  way he will not have to pay extra for Leopard! ;)
 
  On 9/5/07, Nick Shank [EMAIL PROTECTED] wrote:
   The One wrote:
But how would it spread? There have been 2 OS X viruses, yet they
spread terribly.
   
And Apple has already fixed the issue. :)
   
-The One
   
On 9/2/07, Kennith Mann III [EMAIL PROTECTED] wrote:
   
On 9/1/07, The One [EMAIL PROTECTED] wrote:
   
On 3/23/07 2:53 AM, Theo de Raadt wrote:
   
Symantec have been trying to demonise OS X for a long while.
   
And it is going to work soon.
   
Because OS X has no Propolice-like compiler stack protection, nor
anything like W^X which makes parts of the address space
non-executable, nor anything like address space randomization which
makes certain attacks very difficult, especially with the previous 
two
techniques.
   
So when they have a bug, it is exploitable just like bugs are on any
other powerpc or i386 machine running some other operating system.
   
These days even operating systems like Vista have the above 3 
security
technologies.
   
   
First of all, bugs and viruses are two different things.
   
Second, OS X does not need third-party protection. All of the
protection is built into the OS!
   
If Vista is so secure, then why does one need to download
virus/spyware protection when it can simply be built into the OS?
   
-The One
   
   
   
I don't have virus/spyware protection and I've been fine before with
Vista and XP.
   
Perhaps you mean to say why do users who install things they
shouldn't need virus/spyware protection? which I would argue that the
OS doesn't matter. I could write a script that asks for rootly
permission in OS X and start nuking stuff with the promise of prettier
icons for their desktop or IM client.
   
If you were to argue for worms and things of the like, then I would
agree. The only virus I will probably ever catch is some zero-day that
hits the world and gets in my work network (won't happen at my house
-- I live alone)
   
   
   
   Here we hit the heart of the issue. The virus and spyware detection
   software for Windows isn't really to protect to the OS. It's to protect
   the user from themselves.



Re: Microsoft gets the Most Secure Operating Systems award

2007-09-17 Thread The One
Apple will, undoubtedly, implement some of these basic techniques for Leopard.

But market share has completely NOTHING to do with OS X's security.

Apple always has and will be 100 % when it comes to their software for
OS X and OS X itself.

Only time will tell. Leopard's release will solve every Mac user's
concerns and PC fanboys idiocy!

Even my friend, who uses a PC, is considering the purchase of a Mac. I
told him to wait until October, which is very near, to buy one. That
way he will not have to pay extra for Leopard! ;)

On 9/5/07, Nick Shank [EMAIL PROTECTED] wrote:
 The One wrote:
  But how would it spread? There have been 2 OS X viruses, yet they
  spread terribly.
 
  And Apple has already fixed the issue. :)
 
  -The One
 
  On 9/2/07, Kennith Mann III [EMAIL PROTECTED] wrote:
 
  On 9/1/07, The One [EMAIL PROTECTED] wrote:
 
  On 3/23/07 2:53 AM, Theo de Raadt wrote:
 
  Symantec have been trying to demonise OS X for a long while.
 
  And it is going to work soon.
 
  Because OS X has no Propolice-like compiler stack protection, nor
  anything like W^X which makes parts of the address space
  non-executable, nor anything like address space randomization which
  makes certain attacks very difficult, especially with the previous two
  techniques.
 
  So when they have a bug, it is exploitable just like bugs are on any
  other powerpc or i386 machine running some other operating system.
 
  These days even operating systems like Vista have the above 3 security
  technologies.
 
 
  First of all, bugs and viruses are two different things.
 
  Second, OS X does not need third-party protection. All of the
  protection is built into the OS!
 
  If Vista is so secure, then why does one need to download
  virus/spyware protection when it can simply be built into the OS?
 
  -The One
 
 
 
  I don't have virus/spyware protection and I've been fine before with
  Vista and XP.
 
  Perhaps you mean to say why do users who install things they
  shouldn't need virus/spyware protection? which I would argue that the
  OS doesn't matter. I could write a script that asks for rootly
  permission in OS X and start nuking stuff with the promise of prettier
  icons for their desktop or IM client.
 
  If you were to argue for worms and things of the like, then I would
  agree. The only virus I will probably ever catch is some zero-day that
  hits the world and gets in my work network (won't happen at my house
  -- I live alone)
 
 
 
 Here we hit the heart of the issue. The virus and spyware detection
 software for Windows isn't really to protect to the OS. It's to protect
 the user from themselves.



Re: Microsoft gets the Most Secure Operating Systems award

2007-09-04 Thread The One
But how would it spread? There have been 2 OS X viruses, yet they
spread terribly.

And Apple has already fixed the issue. :)

-The One

On 9/2/07, Kennith Mann III [EMAIL PROTECTED] wrote:
 On 9/1/07, The One [EMAIL PROTECTED] wrote:
  On 3/23/07 2:53 AM, Theo de Raadt wrote:
   Symantec have been trying to demonise OS X for a long while.
  
   And it is going to work soon.
  
   Because OS X has no Propolice-like compiler stack protection, nor
   anything like W^X which makes parts of the address space
   non-executable, nor anything like address space randomization which
   makes certain attacks very difficult, especially with the previous two
   techniques.
  
   So when they have a bug, it is exploitable just like bugs are on any
   other powerpc or i386 machine running some other operating system.
  
   These days even operating systems like Vista have the above 3 security
   technologies.
  
 
  First of all, bugs and viruses are two different things.
 
  Second, OS X does not need third-party protection. All of the
  protection is built into the OS!
 
  If Vista is so secure, then why does one need to download
  virus/spyware protection when it can simply be built into the OS?
 
  -The One
 
 

 I don't have virus/spyware protection and I've been fine before with
 Vista and XP.

 Perhaps you mean to say why do users who install things they
 shouldn't need virus/spyware protection? which I would argue that the
 OS doesn't matter. I could write a script that asks for rootly
 permission in OS X and start nuking stuff with the promise of prettier
 icons for their desktop or IM client.

 If you were to argue for worms and things of the like, then I would
 agree. The only virus I will probably ever catch is some zero-day that
 hits the world and gets in my work network (won't happen at my house
 -- I live alone)



Re: filesystems?

2007-09-02 Thread The One
FAT32.

On 9/3/07, stan [EMAIL PROTECTED] wrote:
> I'm trying to decide what filesystem to use on a USB drive. I'd like to be
> able to access the unit from OpenBSD, FreeBSD, Linux, and perhaps Windows.
>
> What is the intersection of the sets of filesystems supported by these
> various OS's?
>
> --
> I'm sorry, no one here has any intentions of helping you with anything.
> I am the manager of all of Customer Service.



Re: Microsoft gets the Most Secure Operating Systems award

2007-09-01 Thread The One
On 3/23/07 2:53 AM, Theo de Raadt wrote:
> Symantec have been trying to demonise OS X for a long while.
>
> And it is going to work soon.
>
> Because OS X has no Propolice-like compiler stack protection, nor
> anything like W^X which makes parts of the address space
> non-executable, nor anything like address space randomization which
> makes certain attacks very difficult, especially with the previous two
> techniques.
>
> So when they have a bug, it is exploitable just like bugs are on any
> other powerpc or i386 machine running some other operating system.
>
> These days even operating systems like Vista have the above 3 security
> technologies.


First of all, bugs and viruses are two different things.

Second, OS X does not need third-party protection. All of the
protection is built into the OS!

If Vista is so secure, then why does one need to download
virus/spyware protection when it can simply be built into the OS?

-The One



Re: Pf question

2005-12-18 Thread Logical One
 Thanks for the info and I have learned a bit from it, but not quite what
I'm after.  I'm looking for how to direct traffic to a couple internal web
servers based on what IP alias of the external interface the traffic
connects to.  For example:

Traffic connecting to xxx.xxx.xxx.178:80 goes to 192.168.0.75:80
Traffic connecting to xxx.xxx.xxx.180:80 goes to 192.168.0.85:80
Where 178 and 180 are aliases on the same external interface.  I'm curious
what my rules would need to be to make that happen.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Daniel Ouellet
Sent: Sunday, December 18, 2005 12:16 AM
To: Logical One
Cc: misc@openbsd.org
Subject: Re: Pf question

Daniel Ouellet wrote:
 Logical One wrote:
 Can someone give me
 some idea of what RDR and PASS IN/OUT rules I'd need for just a 
 portion of this (say the web servers) and I can figure out the rest 
 on my own?
 
 Read here:
 
 http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf in PDF or 
 http://www.bgnett.no/~peter/pf/en/ in html.
 
 Page 16 of the PDF for example for web server.


Sorry, page 33!

I was reading something else and was on page 16. Confused the two...

Anyway, read it all, it's good learning anyway.

Daniel



Pf question

2005-12-17 Thread Logical One
Just a quick question I hope.

I have the following setup:
1 internal interface
1 external interface
3 static routable IP's assigned to external interface (one primary, two
aliases)

I want to use one IP for NAT and some port redirection to a client system
and a web server, another IP for a second web server, and the remaining IP
for a FTP server.  I've been playing with the rules and reading
documentation on this for several days now and haven't gotten anywhere.  I
know about BINAT and would prefer not to use it in favor of RDR'ing the
ports that are common between servers to the respective server based on the
IP address that is connected to from the outside world.  Can someone give me
some idea of what RDR and PASS IN/OUT rules I'd need for just a portion of
this (say the web servers) and I can figure out the rest on my own?  I can
make the ftp server work, but I don't know how to say that traffic to a
specific IP should be directed to it.

Thanks,
Logical_1
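
An added example, not part of the thread: one pf.conf layout for the mapping asked about in this question and in the follow-up above (each external alias on port 80 redirected to its own internal web server), in the separate nat/rdr syntax that pf used at the time. The interface names, the internal network and the 203.0.113.x addresses are assumptions and placeholders standing in for the elided xxx.xxx.xxx addresses.

```pf
# Added example, not from the thread. All interface names and the
# 203.0.113.x addresses are placeholders; substitute your own.
ext_if   = "fxp0"             # assumption: external interface
int_net  = "192.168.0.0/24"   # assumption: network holding .75 and .85

ext_main = "203.0.113.177"    # placeholder: primary address, used for NAT
ext_web1 = "203.0.113.178"    # placeholder for xxx.xxx.xxx.178
ext_web2 = "203.0.113.180"    # placeholder for xxx.xxx.xxx.180
web1     = "192.168.0.75"
web2     = "192.168.0.85"

# --- Translation rules (must come before the filter rules) ---
# Outbound traffic from the LAN leaves with the primary address.
nat on $ext_if from $int_net to any -> $ext_main

# The destination address decides which internal server gets the connection.
rdr on $ext_if proto tcp from any to $ext_web1 port 80 -> $web1 port 80
rdr on $ext_if proto tcp from any to $ext_web2 port 80 -> $web2 port 80

# --- Filter rules ---
# Default deny for anything arriving on the external interface.
block in on $ext_if all

# Outbound connections are allowed and tracked.
pass out all keep state

# rdr is applied before filtering, so the filter rule must match the
# translated (internal) destination, not the external alias.
pass in on $ext_if proto tcp from any to { $web1, $web2 } port 80 \
    flags S/SA keep state

# OpenBSD 4.7 and later merge translation into the filter rule, e.g.:
#   pass in on $ext_if proto tcp to $ext_web1 port 80 rdr-to $web1
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it; an FTP server on the third address follows the same pattern with its own rdr and pass rules.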



VMWare is b0rked?

2005-11-15 Thread Frank Denis (Jedi/Sector One)

 Hello,
 
 Is anyone still able to run ports/vmware/3 on OpenBSD 3.8 or -current?
 
 Even with a valid license, the configuration wizard crashes with

Unexpected output - VMware SLAVE PANIC: (UI) NOT_IMPLEMENTED F(638):637

 VMWare modules were properly loaded.
 
 Any idea?


--
Frank - my stupid blog: http://00f.net
The directory of manicure and pedicure professionals:
http://www.manucure-pro.com



Re: VMWare is b0rked?

2005-11-15 Thread Frank Denis (Jedi/Sector One)

On Tue, Nov 15, 2005 at 03:49:52PM +0059, Frank Denis (Jedi/Sector One) wrote:

 Even with a valid license, the configuration wizard crashes with
Unexpected output - VMware SLAVE PANIC: (UI) NOT_IMPLEMENTED F(638):637


 It works with a manual configuration, though.



PPTP in 3.7

2005-11-02 Thread Logical One
I am trying to find some current documentation or pointers on how to setup a
PPTP connection from my OpenBSD 3.7 firewall to my work VPN running PPTP.
I've seen quite a few things, but most are outdated or conflicting in the
instructions they give.  I have seen some references to the kernel
supporting this functionality natively while others say that recompiling the
kernel is necessary and still others say a third party program is needed.  I
am just looking for somewhere to start that has current information or maybe
even a copy of the configs from someone who has set this up before.  I'd
also like to find information on what settings are needed in pf if a PPTP
connection is used, but the networks it bridges are using the same
addressing scheme.  I also need to know how to configure the router
(OpenBSD) to pass traffic to certain addresses out the VPN connection,
others back into the LAN, and the rest out my cable connection.  I need to
know how to configure the VPN so that it is not my default gateway out since
my home connection is much faster than the T1 at my office where the VPN
connects.

Thanks for any pointers, hints, advice, configs or whatever else anyone has
to contribute and I'm sorry for being a bother, but while the information is
out there, I have been unable to find what is relevant to my config.

Thanks,
Logical_1



Re: Mac Mini as Firewall

2005-11-01 Thread Frank Denis (Jedi/Sector One)

On Tue, Nov 01, 2005 at 11:32:32AM +0100, Antoine Jacoutot wrote:
You may want to have a look at the hard drive which is slow and might be 
a bottleneck...


 The Mac Mini hard drive can easily be replaced by a 7200 RPM drive. Mine
is running with a Hitachi 7K100 drive and it is way faster than the original
drive.

 And replacing the hard drive does *not* void the warranty.
 
 Best regards,


--
Frank - my stupid blog: http://00f.net
The directory of manicure and pedicure professionals:
http://www.manucure-pro.com



Re: powernow

2005-10-28 Thread Frank Denis (Jedi/Sector One)

On Fri, Oct 28, 2005 at 12:16:10AM -0700, Ted Unangst wrote:

thanks all.  there's some newer code in cvs now..


 It still hangs for me when changing hw.setperf

--
Frank - my stupid blog: http://00f.net
The directory of manicure and pedicure professionals:
http://www.manucure-pro.com



Re: powernow

2005-10-27 Thread Frank Denis (Jedi/Sector One)

On Wed, Oct 26, 2005 at 11:16:31PM -0700, Ted Unangst wrote:

there is a diff from gordon klok in the snapshots that should improve
support for k7 and k8 family powernow (cool and quiet).  i'd like to
know where/if it works, what messages get printed, and if hw.setperf
does anything useful.  md5 -t with setperf=0 and 100 would be nice.


 Changing hw.setperf totally freezes the system. Hardware is a Biostar
iDEQ 220K (VIA VT8237, AMD64 3400).

dmesg follows :

OpenBSD 3.8-current (GENERIC) #210: Tue Oct 25 23:07:20 MDT 2005
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 Processor 3400+ (AuthenticAMD 686-class, 512KB L2 
cache) 2.40 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2
cpu0: AMD Powernow: TS FID VID TTP
cpu0: AMD Cool`n'Quiet K8: 0 available states
real mem  = 535273472 (522728K)
avail mem = 481550336 (470264K)
using 4278 buffers containing 26865664 bytes (26236K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c5) BIOS, date 07/27/05, BIOS32 rev. 0 @ 0xf9fa0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xc834
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc790/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 3 5 10 12
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x1 0xd/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA K8M800 Host rev 0x00
pchb1 at pci0 dev 0 function 1 VIA K8M800 Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA K8M800 Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA K8M400 Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA K8M800 Host rev 0x00
pchb5 at pci0 dev 0 function 7 VIA K8M800 Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon VE QY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wi0 at pci0 dev 8 function 0 Intersil PRISM2.5 rev 0x01: irq 5
wi0: PRISM2.5 ISL3874A(Mini-PCI) (0x8013), Firmware 1.1.1 (primary), 1.7.4 
(station), address 00:09:5b:41:d8:19
VIA VT6306 FireWire rev 0x80 at pci0 dev 11 function 0 not configured
rl0 at pci0 dev 13 function 0 Realtek 8139 rev 0x10: irq 12, address 
00:e0:4c:da:e1:ab
rlphy0 at rl0 phy 0: RTL internal phy
pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA
pciide0: using irq 10 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: HDS722525VLSA80
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd1 at pciide1 channel 0 drive 0: IBM-DJNA-371800
wd1: 16-sector PIO, LBA, 17206MB, 35239680 sectors
wd2 at pciide1 channel 0 drive 1: IBM-DTLA-307045
wd2: 16-sector PIO, LBA, 43979MB, 90069840 sectors
wd1(pciide1:0:0): using PIO mode 4, DMA mode 2
wd2(pciide1:0:1): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide1 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TOSHIBA, DVD-ROM SD-M1612, 1004 SCSI0 5/cdrom 
removable
cd0(pciide1:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: irq 10
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 VIA VT83C572 USB rev 0x81: irq 10
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x86: irq 3
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
pcib0 at pci0 dev 17 function 0 VIA VT8237 ISA rev 0x00
auvia0 at pci0 dev 17 function 5 VIA VT8233 AC97 rev 0x60: irq 3
ac97: codec id 0x414c4760 (Avance Logic ALC655)
audio0 at auvia0
pchb6 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb7 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb8 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb9 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: 

OpenOffice.org 2.0 works on OpenBSD

2005-10-20 Thread Frank Denis (Jedi/Sector One)

 Hello,
 
 Just a little note to tell that the just-released OpenOffice.org 2.0
perfectly works on OpenBSD with the Linux emulation (tested with
OpenBSD-current).

 Basic instructions:
http://www.00f.net/php/show-article.php/openoffice_on_openbsd

 Best regards,

--
Frank - my stupid blog: http://00f.net
The directory of manicure and pedicure professionals:
http://www.manucure-pro.com



Re: Happy Birthday OpenBSD ! 10 years !

2005-10-14 Thread Frank Denis (Jedi/Sector One)

On Fri, Oct 14, 2005 at 08:39:15AM -0600, Theo de Raadt wrote:

Oct 14  OpenBSD born, Saturday 16:36 MST, 1995


Sorry, but so many of you are uninformed.

date: 1995/10/18 08:37:01;  author: deraadt;  state: Exp;

That is when the repository was created.  That is the official
date.  I don't know where people get the other date from.


 This is the calendar.openbsd entry for Oct 14.



Re: uvm_mapent_alloc: out of static map entries, check MAX_KMAPENT

2005-10-08 Thread Frank Denis (Jedi/Sector One)

On Fri, Oct 07, 2005 at 12:29:17PM -0400, Brad wrote:


Now instead of your system panicking, the kernel will try to allocate more
memory for additional map entries. The kernel will print out the usual
uvm_mapent_alloc: out of static map entries but not panic.


 Indeed, I upgraded a system that used to panic() without raising
MAX_KMAPENT and now it only prints the message without panic()ing.


Also, looking at the vmstat display of systat you will see that kmapent
has been added to the bottom right corner, this will show you the number of
map entries currently in use by the kernel.


 Unfortunately, that number is hidden in a 80x24 terminal.
 
 That host currently has 1583 kmap entries.


--
Frank - my stupid blog: http://00f.net
The directory of manicure and pedicure professionals:
http://www.manucure-pro.com



Re: nfs mounting

2005-10-08 Thread Frank Denis (Jedi/Sector One)

On Sat, Oct 08, 2005 at 05:27:59PM -0400, Chuck Robey wrote:
I have just gotten usb networking up on my Zaurus, and now I'm trying to 
get /usr/local, /usr/ports, and /usr/src remotely mounted from my nearby 
FreeBSD system.  I can get the mount done, but I can't affect any files 
... for example, if I try to touch (as root on the Zaurus) 
/usr/local/garbage, I get Permission denied.


 When you access a file as root, the access is made as the nobody user
by default. See the -mapproot= option in export(5).  


--
Frank - my stupid blog: http://00f.net
The directory of manicure and pedicure professionals:
http://www.manucure-pro.com



Re: cpuburn: operation not permitted

2005-08-07 Thread Frank Denis (Jedi/Sector One)

On Sun, Aug 07, 2005 at 12:49:02PM -0500, Matt Garman wrote:

I'd like to load the CPU as much as possible, while at the same time
monitoring temperatures, so that I can make sure my computer doesn't
overheat. 


 Try running blogbench - http://blogbench.pureftpd.org/ - it brings hardware
to its knees and it can help to discover overheating.



Re: Choices for Soekris disk drives

2005-07-15 Thread Frank Denis (Jedi/Sector One)

On Fri, Jul 15, 2005 at 07:55:59PM +0530, Mayuresh Kathe wrote:

*AVOID* 2.5 IDE Laptop drives.
I've had pretty bad experience with them,
1. They heat up a lot
2. Are slow
3. Fail quite often (this could be due to the heat)
   (face problems with Toshiba and IBM)


 I have the opposite experience. My Net4801 is running 24/7 for one year with
a Momentus drive (5400 RPMs) and it is neither slow nor hot.

 Hitachi also produces drives that are designed to run 24/7 (Eudurastar,
now obsoleted by E7K60 and E7K100 drives). My Mac Mini is running with a
7K100 (80 Gb, 7200 RPM, 8 Mb cache) drive and it is as fast as any 3,5
drive. It seems to heat up more than the Momentus since the fan often wakes
up, but it works reliably.



Re: Mini-PC recommendation?

2005-07-06 Thread Frank Denis (Jedi/Sector One)
On Sun, Jul 03, 2005 at 02:28:00PM -0500, Matthew Weigel wrote:
 Take a look at the BioStar iDeq 220K, which uses K8M800 and VT8237... 
 looks like on-board SATA, LAN*, and sound are supported, but useable
 graphics might be missing.

  I'm going to buy one.
  
  Support for the Via Unichrome chipset seems to be missing in OpenBSD Xorg
server, but it is in the Xorg CVS tree.



Re: Flash Plugin for Firefox

2005-07-06 Thread Frank Denis (Jedi/Sector One)
On Tue, Jul 05, 2005 at 05:44:01PM -0800, JR Dalrymple wrote:
 I think if you used Opera for 5 days you'd find it better in EVERY WAY
 POSSIBLE than Firefox... My 2 cents. I find page loads to be much faster,
 and nav is 10x faster with gestures and keyboard shortcuts.

  Except that there is nothing like AdBlock, DOM Inspector, CSS editor and
Developer Toolbar for Opera.

  swfdec is exciting, unfortunately it just never works with real-life Flash
files.



Re: sleep patterns...

2005-07-05 Thread Frank Denis (Jedi/Sector One)
On Tue, Jul 05, 2005 at 02:22:13PM +0100, Stuart Henderson wrote:
 Dragonfly have 'rm -I' (ask for confirmation if deleting 3 files or 
 -r) which works very well. Used routinely (e.g. in an alias in login 
 shells), I think it gives better protection than 'rm -i' since the 
 prompt is rare enough you don't train yourself to confirm automatically.

  You can apply the following old patch to do it in OpenBSD.
  
  http://42-networks.com/obsd_patches/rm_I.patch



Re: Mini-PC recommendation?

2005-07-03 Thread Frank Denis (Jedi/Sector One)
On Sun, Jul 03, 2005 at 12:57:04PM +0200, [EMAIL PROTECTED] wrote:
 This heavily depends on what you use it for.  We make good experiences with
 Geode based systems (like the Soekris 4801) as they are low power devices 
 for router/firewall applications.

  I also have a Net4801 that performs perfectly as a firewall and home server.
  
  But I was more looking for a workstation, preferably based supporting socket
AMD64. But in this area, every vendor seems to use nothing but Nforce or
Radeon chipsets.



Mini-PC recommendation?

2005-07-02 Thread Frank Denis (Jedi/Sector One)
  What experiences do people have with OpenBSD and a mini-PC like Biostar's
or Soltek's?

  Most interesting ones seem to be based upon Nvidia chipsets, but unfortunately
they don't seem to be supported by OpenBSD.



Re: human-time limit.

2005-06-27 Thread Frank Denis (Jedi/Sector One)
On Sun, Jun 26, 2005 at 05:55:25PM +, David Pluoe wrote:
 Are you gonna add anytime soon a resource limit for human-time, so it would 
 be easier to keep dead locks and any other same kind of type processes in 
 control?
 httpd would really benefit from it when providing service for many newbie 
 users out there.

  http://www.42-networks.com/obsd_patches/rlimit_time.patch



How to set up a read-only CVS server?

2005-06-22 Thread Frank Denis (Jedi/Sector One)
  Hello,
  
  I'd like to offer a public OpenBSD CVS mirror, but I have no experience
with setting up CVS servers, especially public ones.

  My question may sound obvious: how to set up a read-only CVS server, using
the reference CVS or OpenCVS?
  
  I found various tutorials and scripts, but they all describe the insecure
pserver way. I tried to have different uids for the files and for the
anoncvs account, but the CVS server chokes when it comes to creating lock
files. The only working way I found was a systrace policy (just in case it
would be useful to anyone, you can find it here:
ftp://ftp.00f.net/misc/systrace/usr_bin_cvs). But there must be a most
obvious way to do it. How are you doing it, guys?

  TIA,
  
 -Frank.



Re: Gigabit Firewall NIC Interrupt Performance Problem

2005-05-30 Thread Frank Denis (Jedi/Sector One)
On Mon, May 30, 2005 at 11:37:16AM -0400, Jamie Yukes wrote:
 I have a Dell Poweredge 1750 with basically OpenBSD 3.6 (3.5-current Aug 2004)
 It has the dual onboard Gigabit links, using the Broadcom BCM5704C chipset.
 I can't seem to handle more than 120Mbps of VoIP traffic on this link.
 The system reports 96% time in Interrupts.

  Try to run bsd.mp even if you only have one processor. IOAPIC helps a lot.



Re: mounting ext3fs via ext2fs

2005-05-30 Thread Frank Denis (Jedi/Sector One)
On Mon, May 30, 2005 at 03:25:02PM +, Thorsten Glaser wrote:
 ports/sysutils/e2fsprogs

  Sure, but to be fair, if he cares about his data, it's probably a bad idea
to try a 3-years old version of e2fsprogs on a platform that the software
was almost never tested on and that refused to mount the filesystem for a
(yet) undetermined reason.



Re: mounting ext3fs via ext2fs

2005-05-29 Thread Frank Denis (Jedi/Sector One)
On Sun, May 29, 2005 at 11:00:34PM +0200, Rogier Krieger wrote:
 Feel free to correct me if I'm wrong, but as far as I know, ext3fs is
 not supported.

  ext3 is mostly ext2 with an extra inode to handle the journal.
  You can usually mount the partition as ext3 or ext2 without any special
tweak.

  However on some distributions (at least Fedora it seems), directory
hashing (htree) is enabled by default when partitions are formatted as
ext3. And *BSD don't support htree yet. So maybe this is your showstopper.

  While running Linux, try
tune2fs -O ^dir_index /dev/your volume
  in order to remove htree on the partition.

-- 
Frank - my stupid blog: http://00f.net



Re: Burn Testing

2005-05-24 Thread Frank Denis (Jedi/Sector One)
On Tue, May 24, 2005 at 04:00:20PM +0100, Gaby vanhegan wrote:
 I have acquired some second-hand dual processor servers with the 
 intention of putting OpenBSD with on them.  I have put Debian on one of 
 them and FreeBSD on another, and am pounding them as hard as I can with 
 setiathome to see if they fall over.
 Is there a similar burn-testing app that I can run on OpenBSD to test 
 the stability of the machines over a 12 day period?

  Try blogbench:
  
  http://blogbench.pureftpd.org/
  
  It stresses a lot your hardware and your OS, and it often triggers kernel
panics if something is wrong.



Re: Dell HW?

2005-05-19 Thread Frank Denis (Jedi/Sector One)
On Thu, May 19, 2005 at 02:10:06PM -0500, L. V. Lammert wrote:
 We have been requested to use Dell HW for some new systems. Any recommended 
 models (RM) for:
 
 1) Gateway/firewall?
 2) SAN?

  It really depends on your exact needs (how many NICs, how many disks, etc).
  
  Almost every Dell seems to work fine with OpenBSD, but definitely avoid
CERC controllers, especially the SATA ones. Go with PERC 4 that are way more
reliable.

  The company I'm working for is almost exclusively buying Dell 1850
nowadays. They work flawlessly with Linux, DragonFlyBSD and OpenBSD even in
64-bit mode.

  And unless you absolutely need Dell, also have a look at Transtec
hardware, which is almost half the price of Dell's for the same features and
the same support.

  http://www.transtec.de/D/E/index.html
  
  We use their Opteron systems (1001L for web servers and processing and
2500L for databases and file servers) with no issue so far. For a SAN, their
2500L are really nice, as you can put up to 10 disks there, without the need
for any external enclosure.

  Best regards,

-- 
Frank - my stupid blog: http://00f.net



Re: Nine months girl begin learning OpenBSD!

2005-05-17 Thread Frank Denis (Jedi/Sector One)
On Tue, May 17, 2005 at 09:24:04PM +0200, Frank Denis (Jedi/Sector One) wrote:
   Mine was also tainted by OpenBSD when she was 4 :
   http://www.c9x.org/jedi/openbaby.html

  Ah no, she was 8 months old, sorry :(

  OpenBSD still lacks software for kids like Tuxpaint or Gcompris, though.



Re: need help: system freezes unexpectedly

2005-05-10 Thread Frank Denis (Jedi/Sector One)
On Mon, May 09, 2005 at 09:30:52PM +0200, Georg Kremsner wrote:
 Could you tell me a good alternative to mount_null ?
 It's for my ftp-share and i don't want to share the whole disks, because
 not all data is to be shared.

  Use pure-ftpd and symbolic links.