Re: Etnernal & infernal browser woes

2017-04-29 Thread Sebastien Marie
hange their > mind. > If you want to disable core dump for a program, you could (should ?) configure your RLIMIT_CORE to 0. $ ulimit -c 0 $ firefox -- Sebastien Marie

Re: Version skew?

2017-05-05 Thread Sebastien Marie
/pkg.conf which is deprecated. But it seems to me that /etc/installurl should be present in your system too. The installer adds it on upgrade (but maybe only if you use an http mirror for sets - I didn't check the exact conditions). Thanks. -- Sebastien Marie

Re: Libreoffice Calc (sometimes) kills X when attempting to import a CSV file?

2017-05-06 Thread Sebastien Marie
vsep for X (starting X with -keepPriv) - makes X server to crash (playing with LibreOffice and CSV ?) - look at /var/crash and profit -- Sebastien Marie

Re: VXLAN Multicast issue

2017-06-01 Thread Sebastien Marie
t to have a block log just before would permit you to check if pf is blocking some other thing "by default" using tcpdump -i pflog0 -n. -- Sebastien Marie

Re: blank screen

2017-06-11 Thread Sebastien Marie
snapshots would always work for everyone all the time. > > > > I won't answer to that. See above. > Hi Lars, I think you miss the point of using snapshots: helping the project and permit progress for everybody. Please at least post a dmesg: developers will at least know on which hardware there is a problem. A detailed bug report would be welcome too. Thanks. -- Sebastien Marie

Re: blank screen

2017-06-11 Thread Sebastien Marie
On Sun, Jun 11, 2017 at 06:48:07PM +0200, Sebastien Marie wrote: > > Please at least post a dmesg sorry, I just saw you posted it in your first message. -- Sebastien Marie

Re: is there something missing in pledge?

2017-10-24 Thread Sebastien Marie
> This is why I asked if the pledge is too tight on cpio. I agree that it could be disappointing. but cpio is pledged, so it couldn't open /etc/spwd.db, because we considered this operation as a privileged operation. in order to backup this file, you need another tool. someone already mentioned dump(8) as example. thanks. -- Sebastien Marie

Re: is there something missing in pledge?

2017-10-24 Thread Sebastien Marie
void a pledged root program to open and put in memory the content of /etc/spwd.db when password access was not strictly required. Maybe it could be revisited. -- Sebastien Marie

Re: OpenSMTPD and tls no-verify

2018-06-23 Thread Sebastien Marie
ort response is: no. The long one is that currently `tls no-verify' applies only for smarthost configuration (`relay' with `host url', when tls is implied). smtpd(8) should complain if you try the syntax you mentioned with: tls no-verify may not be specified without host on a dispatcher Thanks -- Sebastien Marie

Re: IPv6 router advertisement rdns not working?

2018-09-12 Thread Sebastien Marie
ddress show up in /etc/resolv.conf? No. rad(8) has support for sending rdns information, but currently nothing in base has support to get resolv.conf configured with such information. thanks. -- Sebastien Marie

Re: Why&how do "sh" and "ksh" differ in behavior e.g. PS1 presentation, while their binaries are equal?

2018-10-30 Thread Sebastien Marie
3 && 239 !strcmp(&kshname[strlen(kshname) - 3], "/sh"))) { 240 Flag(FSH) = 1; 241 version_param = "SH_VERSION"; 242 } 243 -- Sebastien Marie

Re: CURRENT userland does not compile due to games/glorkz

2018-11-11 Thread Sebastien Marie
ames/adventure/io.c > cc -o setup /usr/src/games/adventure/setup.c > ./setup /usr/src/games/adventure/glorkz > data.c > Abort trap (core dumped) please check your dmesg. I am expecting some pledge failure regarding recent vm.malloc_conf sysctl. rebuild a new kernel, *reboot*, and next launch your make build. thanks. -- Sebastien Marie

Re: heads up: amd64 snap

2020-03-09 Thread Sebastien Marie
r bios init. For me, I had problem with this method too: when my sata disk is plugged in sata connector it is shown with 512 bytes/sector, whereas with USB/SATA connector it is shown with 4096 bytes/sector and so disklabel is incoherent. I hope it helps. -- Sebastien Marie

Re: openbsd.org down?

2020-04-13 Thread Sebastien Marie
lopers which follow this list. So they might already know. Thanks. -- Sebastien Marie

Re: macbook - uvideo0: can't find video interface

2020-04-27 Thread Sebastien Marie
mit reverted, and try to see if your webcam works. the commit seems relatively self-contained (does not introduce too many changes), and posterior commits seem to not rely on it, so I assume just reverting it should work. this way it would be known that it is this commit which introduces a regression, and someone might figure out why. thanks. -- Sebastien Marie

Re: Privoxy crashes on one OpenBSD machine but not another

2020-06-08 Thread Sebastien Marie
Hi, A fix has been committed. Thanks for investigating the problem and providing a test case. It was very useful to properly find the state corruption. -- Sebastien Marie On Wed, Jun 03, 2020 at 07:22:52PM +0200, Fabian Keil wrote: > TJ wrote: > > > I'm migrating my system

Re: Cannot open authorized_keys

2020-06-13 Thread Sebastien Marie
hd daemon will use user's uid to open the authorized_keys file. I assume the file permission of '/var/home/user/.ssh/authorized_keys' doesn't allow 'user' to open it ? Please note it could be a problem with permission of the file, or with one directory in the path. Thanks. -- Sebastien Marie

Re: tpmtool(1) man page and no binary

2020-07-12 Thread Sebastien Marie
act the man page is installed without binary. Alternatively, by looking at the man page itself, you could guess things about the tool: NAME tpmtool - GnuTLS TPM tool [...] Thanks. -- Sebastien Marie

Re: No xenocara for ATI Radeon HD 2400 XT

2020-08-08 Thread Sebastien Marie
en 1-5 added (80x25, vt100 emulation) The modesetting failed, but X11 could still work with mesa. It needs machdep.allowaperture=2 (sysctl) to be set. You should just add "machdep.allowaperture=2" line in /etc/sysctl.conf and reboot (this sysctl setting requires to be set at boot-time). Thanks. -- Sebastien Marie

Re: pf, send(2) and EACCES

2020-08-27 Thread Sebastien Marie
e under PF_LOCK() or not (I am not familiar enough with pf(4) code to find the code which do the check). Thanks. -- Sebastien Marie

Re: pf, send(2) and EACCES

2020-08-28 Thread Sebastien Marie
On Fri, Aug 28, 2020 at 09:27:10AM -0400, Daniel Jakots wrote: > On Fri, 28 Aug 2020 08:32:59 +0200, Sebastien Marie > wrote: > > > On Thu, Aug 27, 2020 at 03:27:58PM -0400, Daniel Jakots wrote: > > > Hi, > > > > > > I'm chasing a weird

Re: dump LOB status

2020-09-16 Thread Sebastien Marie
601 childpid, status&0xFF); 602 } 213 is octal number (139, 0x8b) of exit code of child process. As the status is &0xFF, I am not 100% sure, but usually an exit code of 139 means that the process terminated due to receipt of signal 11, and generated a coredump. Do you have a dump.core file ? Can you extract the backtrace ? Thanks. -- Sebastien Marie

Re: Fwd: OpenBSD 6.6 snapsot and samba's net utility

2019-10-03 Thread Sebastien Marie
ded file or sent/received on the network should be considered compromised. Just don't do that. Thanks. -- Sebastien Marie

Re: Turn off Swap on boot disk

2019-11-21 Thread Sebastien Marie
adds the second swap with priority 0 (as configured in fstab(5)) - rc(8) via rc.local changes the boot disk swap with priority 1 - system will run with two swaps: - second swap, priority 0, so used first - boot disk swap, priority 1, used if second swap is full or by kernel for dumping kernel core I hope it helps. -- Sebastien Marie

Re: Fun play with egrep, sed and awk

2019-12-26 Thread Sebastien Marie
ing here? you could also play with SQL. $ doas pkg_add sqlports $ sqlite3 /usr/local/share/sqlports sqlite> select fullpkgpath from distfiles where value like 'linux-4.20%'; sysutils/dtb -- Sebastien Marie

Re: pflog flooded with igmp queries

2020-01-01 Thread Sebastien Marie
ing an explicit rule with allow-opts should do the trick. depending on your need (block or allow): block return proto igmp to 224/4 allow-opts or pass proto igmp to 224/4 allow-opts Please note it is untested. Thanks. -- Sebastien Marie

Re: USB Printer Prebloms

2020-03-03 Thread Sebastien Marie
to coexist. This way you could use cupsd (using ugen) with a GENERIC kernel. see https://marc.info/?l=openbsd-tech&m=151618565000531&w=2 for details Thanks. -- Sebastien Marie

Re: heads up: amd64 snap

2020-03-07 Thread Sebastien Marie
machine, and next doing an upgrade will run the right command, so it is the more simple approach. Thanks. -- Sebastien Marie

Re: sleep with tame(2)?

2015-10-01 Thread Sebastien Marie
this kind of problem. syscall 4 is for SYS_write (see /usr/include/sys/syscall.h). It means the request in the (uncommitted) tame call in sleep is wrong: it should be expected to the program to call usage() at some point. It means also a dev will not have cookie :) Thanks. -- Sebastien Marie

Re: OpenBGPd error /bsd: bgpd(): syscall 105

2015-10-01 Thread Sebastien Marie
were just added to bgpd, according to Theo's diff. > the revision 1.46 of src/sys/kern/kern_tame.c should have corrected the problem. bgpd uses IPv6 setsockopts that weren't allowed. -- Sebastien Marie

Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Sebastien Marie
ho.c:77: if (pledge("stdio rpath getpw tty", NULL) == -1) /usr/src/usr.bin/who/who.c:293: if (pledge("stdio rpath getpw", NULL) == -1) /usr/src/usr.bin/who/who.c:296: if (pledge("stdio getpw", NULL) == -1) For example, line 77: if (pledge("stdio rpath getpw tty abort", NULL) == -1) When you get a who.core, you can use gdb to extract the backtrace: $ gdb who who.core (gdb) bt Thanks. -- Sebastien Marie

Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Sebastien Marie
k that I found it - Nagios. Now the question is how to debug it > further? > deraadt@ has committed two fixes: - on kernel: src/sys/kern/sys_generic.c (rev 1.107) - on userland: src/usr.bin/who/who.c (rev 1.25) could you check it corrects the problem on your side ? thanks. -- Sebastien Marie

Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Sebastien Marie
ommit on src/sys/kern/sys_generic.c (rev 1.107) Please rebuild a new kernel (or wait for snapshots) for testing. Thanks. -- Sebastien Marie

Re: Pledge(2) appears to kill /usr/bin/openssl enc....

2015-10-17 Thread Sebastien Marie
0xcd5fe65bb33,0) 11502 openssl STRU pledge request="stdio rpath wpath cpath" 11502 openssl RET pledge 0 There are 2 pledge(2) call: so two "abort" to add to get a backtrace... > /usr/bin/openssl enc... was working as of Sep 25 current. > Not sure when this stopped w

Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-19 Thread Sebastien Marie
t if you can grab the kernel version echoed at boot time. You could use `boot -c' in the boot loader, in order to enter in config mode, and have the time to read the OpenBSD version. -- Sebastien Marie

Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Sebastien Marie
On Tue, Oct 20, 2015 at 11:09:58AM +0200, Kim Zeitler wrote: > Hello > > On 10/19/15 19:58, Sebastien Marie wrote: > > > >RELEASE 5.8 returns ENOSYS ("Function not implemented") on tame(2) call > >(which is the old name for pledge, so with the same syscall num

Re: pledge(2) in script(1)

2015-10-20 Thread Sebastien Marie
start script, and create a new-window (Ctrl+B "): tmux will send SIGWINCH signal to the script process for telling it "beware, your window size has changed". And the script process will (try to) send forward this signal to subprocess. Here a di

Re: New httpd with slowcgi not running Perl scripts

2015-10-28 Thread Sebastien Marie
e: text/html\n\n"; I think you want: print "Content-Type: text/html\n\n"; > print "hello world"; > --- -- Sebastien Marie

Re: Vipw / pwd_mkdb not working

2015-11-05 Thread Sebastien Marie
sbin/pwd_mkdb. Sorry for the inconvenience. -- Sebastien Marie

Re: Pledge problem in tsort?

2016-01-09 Thread Sebastien Marie
don't allow using whitepaths in pledge). And as tsort is used during building... "paf". You should be able to recompile and reinstall tsort, before rerunning your make build. Something like: cd /usr/src/usr.bin/tsort && make clean && make obj && make depend && make && doas make install Thanks. -- Sebastien Marie

Re: kernel reordering and config -e

2017-11-19 Thread Sebastien Marie
n in all future generated KARL kernels. So currently, you have to choose between: - modifying /bsd with config(8) and don't benefit from KARL - have KARL and using a default kernel - make your changes in /usr/src/sys, build and install a new no-GENERIC kernel (and do it at each upgrade) Thanks. -- Sebastien Marie

Re: kernel reordering and config -e

2017-11-19 Thread Sebastien Marie
On Sun, Nov 19, 2017 at 10:19:05PM -0800, Paul B. Henson wrote: > On Mon, Nov 20, 2017 at 06:50:30AM +0100, Sebastien Marie wrote: > > > For me, there is currently no way to ask config(8) to alter the right > > file in /usr/share/relink/kernel to "ship" the mo

Re: usewithtor lynx core: pledge "getpw", syscall 33

2018-01-20 Thread Sebastien Marie
rt, a way could be to have an HTTP proxy listener which forwards its traffic to SOCKS upstream server. Polipo is a program of this kind (see socksParentProxy="localhost:9050" and socksProxyType=socks5 parameters on polipo config file). -- Sebastien Marie

Re: usewithtor lynx core: pledge "getpw", syscall 33

2018-01-21 Thread Sebastien Marie
but as torsocks explicitly targets Tor proxy, I think it doesn't bother. > Otherwise torsocks could wrap the pledge() function to weaken the pledge. > It's easy to do but far less appealing. In fact, I started in this direction... so if you want a working diff to add "getpw" in pledge(2) promise, it is available. but removing getpw calls is far better. Thanks. -- Sebastien Marie

Re: Jan 20 snapshot

2018-01-21 Thread Sebastien Marie
, and having the date of your previous version too. thanks. -- Sebastien Marie

Re: Jan 20 snapshot

2018-01-21 Thread Sebastien Marie
uickly check with binary diffing for changes and snapshots have uncommitted changes. It is why I asked for dmesg and previous working snap. -- Sebastien Marie

Re: Tryton build fail and stdarg.h

2018-02-13 Thread Sebastien Marie
Please note I don't use heavily: it is only for testing purpose for now. Depending on the tryton modules you need, py-cached_property could be missing from ports. But I have packaged it and it lives in mystuff/ for now, but I could propose it to import. -- Sebastien Marie

Re: pfstat not generating graphs after upgrading to -current

2018-02-14 Thread Sebastien Marie
u) was from Jan 20: $ grep pftop /var/log/messages Dec 30 10:10:58 alf pkg_add: Added pftop-0.7p16->0.7p16 Jan 20 11:20:49 alf pkg_add: Added pftop-0.7p16->0.7p16 Feb 15 06:40:54 alf pkg_delete: Removed pftop-0.7p16 Feb 15 06:41:03 alf pkg_add: Added pftop-0.7p16 Thanks. -- Sebastien Marie

Re: pfstat not generating graphs after upgrading to -current

2018-02-14 Thread Sebastien Marie
sion of the package you have, in case your mirror is lagging a bit and still provide an "old" version (with old ABI, if it is the problem as it seems). Thanks. -- Sebastien Marie

Re: SHA256.sig not contained in install62.iso

2018-02-21 Thread Sebastien Marie
will also provide fake SHA256.sig and/or fake public key on the ISO. So there is no gain to provide such material as people will think "it is safe" whereas it is not. Thanks. -- Sebastien Marie

Re: Please explain the pkg_check F option, thank you.

2018-02-28 Thread Sebastien Marie
xorg.db > > Not having /bsd and /bsd.rd seems really strange. > hum ? for me, it is the opposite. pkg_check looks at {src,xorg}.db and PKG_DB for the list of expected files. But these files aren't in these lists, so it reports them as "not found" in the list of expected files. For /bsd{,.rd} it is normal: the files don't come with usual sets but are copied "as is". -- Sebastien Marie

Re: Please explain the pkg_check F option, thank you.

2018-02-28 Thread Sebastien Marie
lesystem (it is updated weekly). so pkg_locate bsd.rd searches if a file "bsd.rd" exists in some port (installed or not); whereas locate bsd.rd searches if a file "bsd.rd" exists in current filesystem. -- Sebastien Marie

Re: Building software that requires older libressl on snapshots

2018-03-20 Thread Sebastien Marie
e, rust FFI is a bit of a shame: it is a *copy* of C headers, written and maintained in Rust language. It is good for crosscompilation (as Rust knows how to build stuff without any C headers), but it is awful to maintain and keep up-to-date. -- Sebastien Marie

Re: Reinstall to upgrade

2020-11-25 Thread Sebastien Marie
ust remove them: # pkg_delete .libs-firefox-57 .libs-firefox-58 .libs-firefox-59 Thanks. -- Sebastien Marie

Re: rdsetroot and gzip'd bsd.rd

2021-02-02 Thread Sebastien Marie
nsure I will be able to provide a patch for all architectures. Please comment if the direction is right or not. Thanks. -- Sebastien Marie

Re: using kevent to catch signals

2021-02-18 Thread Sebastien Marie
ould be able to process them correctly. Thanks. -- Sebastien Marie

Re: Bufferbloat, FQ-CoDel, and performance

2021-02-22 Thread Sebastien Marie
ernet" or "with_internet"). anchor "outgoing" out on internet received-on with_internet { pass out label "outgoing" match out set queue netq match out received-on guess set queue guessq } I hope it helps, even if my network speed isn't comparable to yours :) Thanks. -- Sebastien Marie

Re: Hot to use speakers from one sound card an mic from another?

2021-05-02 Thread Sebastien Marie
recording and another for playing. A program which is opening ONE device for playing AND recording couldn't work with this trick (like firefox for example). Thanks. -- Sebastien Marie

Re: Why 16 year old zlib 1.2.3 in OpenBSD 6.9 released May 2021 please?

2021-06-24 Thread Sebastien Marie
be more risky than pushing a newer version just because 'it is newer'. We are not hostile to making changes, but at least please tell us what should be changed/adjusted and why it is important for your use-case. And if it doesn't hurt us too, changes will be done: patches are accepted. Thanks. -- Sebastien Marie

Re: dhcp issues

2021-07-16 Thread Sebastien Marie
nf without it being overwritten. resolvd doesn't override resolv.conf. it only prepends nameserver lines obtained from dhcpleased (via dhcpv4) or slaacd (via stateless ipv6). could you share your expected resolv.conf and the "overridden" one ? thanks. -- Sebastien Marie

Re: Second Redis instance?

2024-02-06 Thread Sebastien Marie
of copying the file: this way you have package update for the script for free. -- Sebastien Marie

Re: Cannot add gd

2024-03-08 Thread Sebastien Marie
tree. Am > I missing something obvious? did you install xbase74 set ? it seems that /usr/X11R6/lib/libfontconfig.so.13.1 and /usr/X11R6/lib/libfreetype.so.30.3 are missing on your system, or at least pkg_add(1) couldn't find them. are the files present ? thanks. -- Sebastien Marie

Re: OpenBSD 7.5 bsd.upgrade hangs after sysupgrade

2024-04-07 Thread Sebastien Marie
A RAMDISK_CD kernel is a reduced kernel with only what is necessary to install openbsd. radeondrm and amdgpu are NOT part of it, and it is expected. -- Sebastien Marie

Re: lddtree on OpenBSD?

2022-09-15 Thread Sebastien Marie
/usr/X11R6/lib/libXfixes.so.6.1 loading: libX11.so.18.0 required by /usr/X11R6/lib/libXfixes.so.6.1 -- Sebastien Marie

Re: Compiling Rust, Rust toolchains for openbsd 7.2

2022-11-06 Thread Sebastien Marie
for each release: 7.1 and 7.2 are both major versions (with potential breaking changes between versions). Do not assume that a binary targeting 7.2 will be able to run on 7.3. OpenBSD isn't like Linux. Thanks. -- Sebastien Marie

Re: All my Rust programs stop working on OpenBSD 7.3

2023-04-10 Thread Sebastien Marie
statically linked in all programs). Thanks. -- Sebastien Marie

Re: All my Rust programs stop working on OpenBSD 7.3

2023-04-10 Thread Sebastien Marie
On Mon, Apr 10, 2023 at 06:21:03PM +0200, Martin Schröder wrote: > Am Mo., 10. Apr. 2023 um 18:10 Uhr schrieb Sebastien Marie > : > > On Mon, Apr 10, 2023 at 11:49:50PM +0800, Siegfried Levin wrote: > > > After I upgraded my OS from 7.2 to 7.3 with sysupgrade like 8 hou

Re: sysctl ddb.trigger

2023-05-28 Thread Sebastien Marie
L_TRIGGER), you need: - kern.securelevel < 1 (on a running system, kern.securelevel = -1) OR - something related to the console (I suppose "having the tty of the current process being the same as the console") If you are connected to serial, but your console is on VGA, it might be related. So you might need to set kern.securelevel to lower value ("sysctl kern.securelevel=-1" in /etc/rc.securelevel), or make your console on serial (with "set tty com0" on bootloader). Thanks. -- Sebastien Marie

Re: PPPoE vlan issue 6.4

2019-02-09 Thread Sebastien Marie
ap \ >authname 'redacted' authkey 'redacted' up >mtu 1492 >llprio 0 >dest 0.0.0.1 >!/sbin/route add default -ifp pppoe0 0.0.0.1 so, could you check the configuration file of hostname.vlan2 is really applied on the running system ? else, could you send the whole output of ifconfig ? (but feel free to remove pppoe0 authentication information). thanks. -- Sebastien Marie

Re: Malloc config became global sysctl in 6.5

2019-04-26 Thread Sebastien Marie
se you want to look at exported MALLOC_OPTIONS environment variable. Thanks. -- Sebastien Marie

Michael MIC failure with CCMP

2019-06-10 Thread Sebastien Marie
211: nwid GUEST chan 6 bssid dc:08:56:15:be:14 -44dBm wpakey wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp inet 192.168.1.107 netmask 0xff00 broadcast 192.168.1.255 Is it expected ? Did I miss something with Michael MIC failure ? Thanks. -- Sebastien Marie

Re: Hotplugd doesnt run /etc/hotplug/attach

2016-09-17 Thread Sebastien Marie
://github.com/ajacoutot/toad/blob/master/toadd.c for source code of the polling daemon. -- Sebastien Marie

Re: Hotplugd doesnt run /etc/hotplug/attach

2016-09-18 Thread Sebastien Marie
on hotplugd(8) as I didn't check deeply the code path in kernel. As previously noted, sysutils/toad has specific code part for dealing with cdrom insertion. For sysutils/hotplug-diskmount, I dunno. -- Sebastien Marie

Re: Unexpected behavior in su/doas

2016-10-01 Thread Sebastien Marie
ernative way (and more secure in this context) is to use ssh(1). But note it needs additional configuration. ssh(1) will allocate a new pty(4) device for the user. # tty /dev/ttypa # ssh user@localhost Last login: ... OpenBSD 6.0-current ... ... $ tty /dev/ttypb Regards. -- Sebastien Marie

Re: Tor no longer works on -current ?

2017-01-07 Thread Sebastien Marie
al > reversion > of src/lib/libcrypto/x509/x509_vfy.c r1.54). Thanks for the report. > I could confirm that x509_vfy.c r1.54 makes it work again. -- Sebastien Marie

Re: autoinstall with local file

2017-01-13 Thread Sebastien Marie
but I didn't ask for making it a "supported" method. I know I use only a trick. -- Sebastien Marie

Re: FTP behind PF

2017-01-14 Thread Sebastien Marie
oxy" in the last rule So it is related to the user. From ftp-proxy(8) man page: ftp-proxy chroots to "/var/empty" and changes to user "_ftp-proxy" to drop privileges. > Does someone know why ? you should allow the "_ftp-proxy" user, and not the "proxy" user to make it work as expected. thanks. -- Sebastien Marie

Re: FTP behind PF

2017-01-14 Thread Sebastien Marie
ing from > the ftp-proxy > pass out quick on $int_if inet proto tcp from $int_add to > $ftp_internal_address > Thank you > There is a typo in man page (I will send a diff if nobody commits it before): the user is _ftp_proxy (and not _ftp-proxy). Please try with that. -- Sebastien Marie

Re: dig/nslookup limitations - can only do NSLOOKUPs using port 53

2017-01-15 Thread Sebastien Marie
port. Enlighten me please? > pledge(2) isn't a magic bullet, but a mitigation. By using pledge with "dns", you ensure the program could reach network only in a limited way. As dig has also "rpath", it means a bug in dig could make the program able to exfiltrate file contents. With "dns", the exfiltration is more complex (but not impossible I agree: pledge is only a mitigation). Thanks. -- Sebastien Marie

Re: dig/nslookup limitations - can only do NSLOOKUPs using port 53

2017-01-15 Thread Sebastien Marie
nditional use of SOCK_DNS on the socket(2) call, and as it is in library part (under src/usr.sbin/bind/lib/isc), it would mean an invasive change in API. -- Sebastien Marie

Re: Pf on lo0

2017-01-16 Thread Sebastien Marie
protection. > check your /etc/pf.conf if it contains a line like: set skip on lo (it is in default pf.conf file), and remove it. pf(4) will not skip lo group, so lo0 will be filtered. -- Sebastien Marie

Re: Static binaries on newer releases

2017-02-24 Thread Sebastien Marie
org/faq/upgrade55.html#time_t But generally, an old binary (from release X) is able to run on a new kernel (from release X+1), but nothing more could be expected: old things are cleaned, so an old binary could be able to run or not (it just depends if relying on old API/ABI with kernel - syscalls, struct size...). -- Sebastien Marie

Re: relayd redirect not working

2017-03-12 Thread Sebastien Marie
(self) port 443 rdr-to 127.0.0.1 port 8443 see pf.conf(5) and https://www.openbsd.org/faq/pf/rdr.html -- Sebastien Marie

Re: Firefox: Recenty instable

2017-03-16 Thread Sebastien Marie
alue (datasize-cur) with: ksh$ ulimit -d # value in kbytes 786432 Or read the value configured in login.conf: $ getcap -f /etc/login.conf -s datasize-cur default staff default: 768M staff: 1536M To obtain your current login-class: $ id -c default Thanks. -- Sebastien Marie

Re: printf(3): extra parameters, %b token, and cpp antics

2017-04-23 Thread Sebastien Marie
be decoded (of type int, unless a width modifier has been specified) and the second being a decoding directive string. ... Thanks. -- Sebastien Marie

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

2015-06-01 Thread Sebastien Marie
Hi, Just to report how it is a bad idea... at least two sql injection and one shell injection in your files. On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: > Hi, > > I have an web form. > > I need send of webform to script bash > > webform.html --> PHP proces --> create.sh > >

Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Sebastien Marie
has been removed. So if the application doesn't let you set a cafile (from argument, configfile...) libssl doesn't use another cert_file than /etc/ssl/cert.pem. -- Sebastien Marie

Re: iked rsa pki configuration

2015-08-19 Thread Sebastien Marie
> > PROG=ikectl > -SRCS=log.c ikeca.c ikectl.c parser.c > +SRCS= log.c ikeca.c ikectl.c parser.c util.c util.c is missing from diff -- Sebastien Marie

Re: iked rsa pki configuration

2015-08-19 Thread Sebastien Marie
uot; `$ENV::CADB' wouldn't be expanded > + len = strlen(buf); > + if (write(ofd, buf, len) != len) > + goto done; > + } > + > + r = 0; > + > + done: > + saved_errno = errno; > + close(ofd); > + if (ifp != NULL) > + fclose(ifp); > + if (r == -1) > + errc(1, saved_errno, "open %s", dst); > + > + return (0); > +} > + -- Sebastien Marie
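Review bot: at the done: label, every failure is reported as "open %s" through errc(1, saved_errno, ...), including the write(2) failure just above it, so the message can name the wrong operation. A short write also reaches goto done without write(2) necessarily having set errno, so saved_errno can be stale there; I would suggest reporting the failing call by name and treating a partial write separately from an error return.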

Re: tame(2) will by pass systrace rules

2015-09-20 Thread Sebastien Marie
) usage in this program is skipped. You couldn't use systrace(4) and tame(2) in the same program. The tame(2) documentation doesn't have this information. I will see to add it. Thanks. -- Sebastien Marie

Re: OS is leaking DNS

2016-03-28 Thread Sebastien Marie
ake a look at dhclient.conf(5) man page for more information. supersede option option-value; Use option-value for the given option, regardless of the value supplied by the server. I hope it helps. -- Sebastien Marie

Re: Can't use sshfs as user

2016-04-24 Thread Sebastien Marie
> according to [1] I need to use some option about uid. But which ones? > - read/write permissions on /dev/fuse0 - mount point owned by the user -- Sebastien Marie

Re: pledging fork?

2016-04-24 Thread Sebastien Marie
else (calling mprotect(2)). you should add "stdio" promise (it is rare that it isn't needed). the other possibility is to terminate your program with _exit(2) syscall (but there are differences from exit(3) function: atexit(3) functions aren't called, streams aren't flushed, open streams aren't closed...) -- Sebastien Marie

Re: pledge and code profiling

2016-05-26 Thread Sebastien Marie
the pledge call will be "changed" to access to the variable. I hope it helps. -- Sebastien Marie

Re: CRYPTO volume created, but appears as full

2016-05-28 Thread Sebastien Marie
ated by default. You could check that with: # ls -l /dev/rsd3c I think you create a new (regular) file /dev/rsd3c in / partition (and so filling / partition). To make sd3 device: # cd /dev && ./MAKEDEV sd3 -- Sebastien Marie

Re: Triggering automatic upgrade (not over network) not working

2016-07-18 Thread Sebastien Marie
d to put your /auto_upgrade.conf file inside it. There is no official method or tool for doing that, but it is possible: see http://marc.info/?l=openbsd-misc&m=141552533922277&w=2 for a possible way. If I recall correctly, other examples exist in misc@. Regards. -- Sebastien Marie

Re: Can't figure out what's taking up space on /

2021-08-03 Thread Sebastien Marie
...] here, chrome (pid 537) has descriptor 25 opened to a file on /tmp inode=48 (unlinked), the file size is 279793 bytes. -- Sebastien Marie

Re: resolvd recongizing unbound

2021-08-31 Thread Sebastien Marie
> local names the machines around the office (beside resolution). you could use the following: # route nameserver 127.0.0.1 it will tell resolvd(8) to use this particular nameserver. Thanks. -- Sebastien Marie

Re: error rebuilding binaries after 6.9->7.0 sysupgrade

2021-11-07 Thread Sebastien Marie
ial -current) to 7.0 isn't supported. If you want to put your source tree back to 7.0, you could use: $ cd /usr/src && cvs update -A -r OPENBSD_7_0 -A : Reset any sticky tags/date/kopts (not sure if 100% necessary or not, but doesn't hurt) -r : Update using tag for 7.0 (the tag will become sticky) Thanks. -- Sebastien Marie

Re: error rebuilding binaries after 6.9->7.0 sysupgrade

2021-11-07 Thread Sebastien Marie
rypto.so.48.0 > > The first three have X509_STORE_get_by_subject (says nm(1)), > but the newest one does not. So I believe X509_STORE_get_by_subject > was recently dropped. X509_STORE_get_by_subject was not dropped. It changed from function to macro. There is no more symbol in object file for it, but it is still usable in C source file. Thanks. -- Sebastien Marie
