subject:"\[Testers wanted\] \/dev\/console cleanups"

Re: [Testers wanted] /dev/console cleanups

2008-11-21 Thread Garrett Cooper

On Thu, Nov 20, 2008 at 8:31 AM, Freddie Cash [EMAIL PROTECTED] wrote:
 On November 20, 2008 02:42 am Nate Eldredge wrote:
 On Thu, 20 Nov 2008, Jeremy Chadwick wrote:
  On Wed, Nov 19, 2008 at 11:48:36PM -0800, Nate Eldredge wrote:
  On Wed, 19 Nov 2008, Jeremy Chadwick wrote:
  On Thu, Nov 20, 2008 at 05:39:36PM +1100, Peter Jeremy wrote:
  I hope that never gets committed - it will make debugging kernel
  problems much harder.  There is already a kern.msgbuf_clear sysctl
  and maybe people who are concerned about msgbuf leakage need to
  learn to use it.
 
  And this sysctl is only usable *after* the kernel loads, which
  means you lose all of the messages shown from the time the kernel
  loads to the time the sysctl is set (e.g. hardware
  detected/configured).  This is even less acceptable, IMHO.
 
  But surely you can arrange that the contents are written out to
  /var/log/messages first?
 
  E.g. a sequence like
 
  - mount /var
  - write buffer contents via syslogd
  - clear buffer via sysctl
  - allow user logins
 
  This has two problems, but I'm probably missing something:
 
  1) See my original post, re: users of our systems use dmesg to find
  out what the status of the system is.  By status I don't mean from
  the point the kernel finished to now, I literally mean they *expect*
  to see the kernel device messages and all that jazz.  No, I'm not
  making this up, nor am I arguing just to hear myself talk (despite
  popular belief).  I can bring these users into the discussion if
  people feel it would be useful.

 I forgot about that point.  I can sympathize with those users; I
 feel the same way.  It's a good way to learn about a system as a
 mere user (since usually sysadmins don't remember or bother to
 disable it).

 However, in my experience dmesg isn't really the best thing for that
 purpose; the kernel message buffer tends to get wiped out once the
 system has been up for a while.  (It fills with ipfw logs, ethernet
 link state changes, etc.)

 Maybe a better approach would be to point them to /var/log/messages
 or whichever log file stores them permanently.

 I think what you are looking for is /var/run/dmesg.boot, which stores just
 the dmesg info from the initial boot.  Nothing gets logged to this after
 the boot is complete.  This file has been a life saver quite a few times
 since I discovered it, and is something I really miss when working with
 mis-behaving Linux systems.

 --
 Freddie Cash
 [EMAIL PROTECTED]

[EMAIL PROTECTED] ~]$ grep -rs dmesg.boot /usr/src/
/usr/src/contrib/ntp/scripts/freq_adj.in:  open(DM, /var/run/dmesg.boot);
/usr/src/etc/defaults/rc.conf:dmesg_enable=YES# Save
dmesg(8) to /var/run/dmesg.boot
/usr/src/etc/rc.d/dmesg:dmesg_file=/var/run/dmesg.boot
/usr/src/sbin/dmesg/dmesg.8:.Bl -tag -width .Pa /var/run/dmesg.boot -compact
/usr/src/sbin/dmesg/dmesg.8:.It Pa /var/run/dmesg.boot
[EMAIL PROTECTED] ~]$

/etc/rc.d/dmesg does this.

-Garrett
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-20 Thread Dag-Erling Smørgrav

Jeremy Chadwick [EMAIL PROTECTED] writes:
 Peter Jeremy [EMAIL PROTECTED] writes:
  This is deliberate.  If the system panics, stuff that was in the
  message buffer (and might not be on disk) can be read when the
  system reboots.  If there is no crashdump, this might be the only
  record of what happened.
 That doesn't sound deliberate at all -- it sounds like a quirk that
 people (you?) are relying on.

No, it is deliberate.  Just because you don't like it doesn't mean we're
morons.

 You're under the mentality that the information is *always* available
 after a panic/reboot -- it isn't.  I have 4 different Supermicro
 motherboards (all from different years) which will most of the time
 lose the msgbuf after rebooting from single-user -- but sometimes the
 msgbuf is retained.  And no, bad hardware is not responsible for the
 randomness of the problem.

We know there are systems where it doesn't work.  That doesn't mean it's
not useful when it *does* work.  There are also systems where it works
reliably, including most SoC and SFF systems.

 I think it's been discussed in the past how/why this can happen.  It has
 to do with what each BIOS manufacturer chooses to do with some parts of
 memory during start-up.

Mostly whether memory remains powered-on through the reset process.

Speaking only of i386 / amd64 systems, there are several ways to reboot
a computer:

 - Return to real mode and call the BIOS reboot subroutine.  This will
   perform a cold boot (memory is cleared) or a warm boot (memory should
   not be cleared, but the BIOS may do so anyway) depending on the value
   stored at a specific location in memory.

 - On systems with an i8042 keyboard controller, one of the controller's
   output lines is usually wired to the CPU's reset pin.  Writing a
   specific value to one of the keyboard controller's control registers
   causes it to pull that pin low.

 - Triple fault: set up an empty interrupt descriptor table and trigger
   an interrupt (e.g. divide by zero).  The CPU will fail to invoke the
   corresponding interrupt descriptor, causing a double fault interrupt,
   which will fail to execute, causing a CPU reset.

The latter two techniques can be used (and *have* been used) to switch
back from protected mode to real mode, because they are faster than the
documented method.  Memory is *not* cleared, and the CPU will start
executing whatever code is stored at 0xfff0 in real memory; this is
normally a far jump into the BIOS reboot subroutine, so if you don't
pull any tricks (e.g. jump to your own code that does whatever it was
you needed to do in real mode, then return to protected mode), they are
equivalent to the first technique.

 - ACPI reset: store the value specified by RESET_VALUE in the FADT into
   the register specified by RESET_REG in the FADT.  According to the
   ACPI spec, this results in a cold boot.  However, this part of the
   spec is optional, so not all motherboards support it.  FreeBSD will
   only use ACPI reset if the hw.acpi.handle_reboot sysctl is not zero,
   which it is by default (mostly, if I recall correctly, because ACPI
   reset is unreliable).

DES
-- 
Dag-Erling Smørgrav - [EMAIL PROTECTED]
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-20 Thread Jeremy Chadwick

On Wed, Nov 19, 2008 at 11:48:36PM -0800, Nate Eldredge wrote:
 On Wed, 19 Nov 2008, Jeremy Chadwick wrote:

 On Thu, Nov 20, 2008 at 05:39:36PM +1100, Peter Jeremy wrote:

 I hope that never gets committed - it will make debugging kernel
 problems much harder.  There is already a kern.msgbuf_clear sysctl and
 maybe people who are concerned about msgbuf leakage need to learn to
 use it.

 And this sysctl is only usable *after* the kernel loads, which means
 you lose all of the messages shown from the time the kernel loads to
 the time the sysctl is set (e.g. hardware detected/configured).  This is
 even less acceptable, IMHO.

 But surely you can arrange that the contents are written out to  
 /var/log/messages first?

 E.g. a sequence like

 - mount /var
 - write buffer contents via syslogd
 - clear buffer via sysctl
 - allow user logins

This has two problems, but I'm probably missing something:

1) See my original post, re: users of our systems use dmesg to find
out what the status of the system is.  By status I don't mean from
the point the kernel finished to now, I literally mean they *expect*
to see the kernel device messages and all that jazz.  No, I'm not
making this up, nor am I arguing just to hear myself talk (despite
popular belief).  I can bring these users into the discussion if people
feel it would be useful.

2) I don't understand how this would work (meaning, technically and
literally: I do not understand).  How do messages like CPU: Intel(R)
Core(TM)2 Duo CPU E8400 @ 3.00GHz (2992.52-MHz K8-class CPU) get
written to syslog when syslogd isn't even running (or any filesystems)
mounted at that time?  There must be some magic involved there (since
syslog == libc, not syscall) when syslogd starts, but I don't know
how it works.

 This way the buffer is cleared before any unprivileged users get to do  
 anything.  No kernel changes needed, just a little tweaking of the init  
 scripts at most.

 If you should have a crash and suspect there is useful data in the 
 buffer, you can boot to single-user mode (avoiding the clear) and 
 retrieve it manually.

 Seems like this should make everyone happy.

What I'm not understanding is the resistance towards Rink's patch,
assuming the tunable defaults to disabled/off.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-20 Thread Jeremy Chadwick

On Thu, Nov 20, 2008 at 10:53:07AM +0100, Dag-Erling Smørgrav wrote:
 Jeremy Chadwick [EMAIL PROTECTED] writes:
  Peter Jeremy [EMAIL PROTECTED] writes:
   This is deliberate.  If the system panics, stuff that was in the
   message buffer (and might not be on disk) can be read when the
   system reboots.  If there is no crashdump, this might be the only
   record of what happened.
  That doesn't sound deliberate at all -- it sounds like a quirk that
  people (you?) are relying on.
 
 No, it is deliberate.  Just because you don't like it doesn't mean we're
 morons.

I said nothing about liking/disliking it, nor did I namecall or
condescend.

Thanks for being a complete prick, des.  Jesus christ...

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-20 Thread Nate Eldredge


On Thu, 20 Nov 2008, Jeremy Chadwick wrote:


On Wed, Nov 19, 2008 at 11:48:36PM -0800, Nate Eldredge wrote:

On Wed, 19 Nov 2008, Jeremy Chadwick wrote:


On Thu, Nov 20, 2008 at 05:39:36PM +1100, Peter Jeremy wrote:



I hope that never gets committed - it will make debugging kernel
problems much harder.  There is already a kern.msgbuf_clear sysctl and
maybe people who are concerned about msgbuf leakage need to learn to
use it.


And this sysctl is only usable *after* the kernel loads, which means
you lose all of the messages shown from the time the kernel loads to
the time the sysctl is set (e.g. hardware detected/configured).  This is
even less acceptable, IMHO.


But surely you can arrange that the contents are written out to
/var/log/messages first?

E.g. a sequence like

- mount /var
- write buffer contents via syslogd
- clear buffer via sysctl
- allow user logins


This has two problems, but I'm probably missing something:

1) See my original post, re: users of our systems use dmesg to find
out what the status of the system is.  By status I don't mean from
the point the kernel finished to now, I literally mean they *expect*
to see the kernel device messages and all that jazz.  No, I'm not
making this up, nor am I arguing just to hear myself talk (despite
popular belief).  I can bring these users into the discussion if people
feel it would be useful.


I forgot about that point.  I can sympathize with those users; I 
feel the same way.  It's a good way to learn about a system as a 
mere user (since usually sysadmins don't remember or bother to 
disable it).


However, in my experience dmesg isn't really the best thing for that 
purpose; the kernel message buffer tends to get wiped out once the system 
has been up for a while.  (It fills with ipfw logs, ethernet link state 
changes, etc.)


Maybe a better approach would be to point them to /var/log/messages 
or whichever log file stores them permanently.  Or, better yet, do some 
syslogd magic to make a logfile that can be appropriately readable but 
doesn't have any overly sensitive messages directed there (e.g. kernel 
yes, sshd no).



2) I don't understand how this would work (meaning, technically and
literally: I do not understand).  How do messages like CPU: Intel(R)
Core(TM)2 Duo CPU E8400 @ 3.00GHz (2992.52-MHz K8-class CPU) get
written to syslog when syslogd isn't even running (or any filesystems)
mounted at that time?  There must be some magic involved there (since
syslog == libc, not syscall) when syslogd starts, but I don't know
how it works.


I think you're conflating a couple of things, and I also explained my idea 
poorly.


As I understand it (from memory, which is a little vague), syslogd gets 
messages from two places: from the kernel via /dev/klog, and from other 
processes via a Unix domain socket in /var/run.  These messages then get 
sent to the appropriate log files.  The syslog(3) function of libc just 
connects and writes the message to the Unix domain socket.  If syslogd 
isn't running to listen on that socket, syslog(3) won't work very well.


Now /dev/klog should be a direct line to the kernel's message buffer.  So 
when syslogd starts and reads /dev/klog for the first time, it will get 
everything that's accumulated so far, including the earliest boot 
messages.  It should then write them to the appropriate log files.  This 
already works, which is why /var/log/messages contains the kernel 
copyright message, etc.


My idea is, after syslogd does this, but before the system goes 
multi-user, you should clear the kernel buffer.  Early boot messages are 
already in the log files, so they won't be lost.  Maybe the best thing 
would be to build this functionality into syslogd itself, to minimize the 
possibility of losing messages due to a race.



This way the buffer is cleared before any unprivileged users get to do
anything.  No kernel changes needed, just a little tweaking of the init
scripts at most.

If you should have a crash and suspect there is useful data in the
buffer, you can boot to single-user mode (avoiding the clear) and
retrieve it manually.

Seems like this should make everyone happy.


What I'm not understanding is the resistance towards Rink's patch,
assuming the tunable defaults to disabled/off.


It seems reasonable to me.  The only catch I can see is that if you have a 
crash and you want to look at the message buffer after rebooting, you'll 
have to remember to stop at the loader prompt and turn off that tunable. 
Which might be easy to forget in the heat of the moment.


--

Nate Eldredge
[EMAIL PROTECTED]
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-20 Thread Kevin Day



On Nov 20, 2008, at 4:03 AM, Jeremy Chadwick wrote:


This has two problems, but I'm probably missing something:

1) See my original post, re: users of our systems use dmesg to find
out what the status of the system is.  By status I don't mean from
the point the kernel finished to now, I literally mean they *expect*
to see the kernel device messages and all that jazz.  No, I'm not
making this up, nor am I arguing just to hear myself talk (despite
popular belief).  I can bring these users into the discussion if  
people

feel it would be useful.


Sorry for jumping in late, but...

cat /var/run/dmesg.boot

Is that acceptable? I know it depends on what end users want, but some  
of my old hosting customers really just wanted to see the specs of the  
box and nothing else. Making dmesg a shell script that just cats that  
file satisfied everyone who asked.



Also:


On Thu, Nov 20, 2008 at 05:39:36PM +1100, Peter Jeremy wrote:
On 2008-Nov-19 02:47:31 -0800, Jeremy Chadwick [EMAIL PROTECTED]  
wrote:
There's a known issue with the kernel message buffer though:  
it's not

NULL'd out upon reboot.


This is deliberate.  If the system panics, stuff that was in the
message buffer (and might not be on disk) can be read when the system
reboots.  If there is no crashdump, this might be the only record of
what happened.


That doesn't sound deliberate at all -- it sounds like a quirk that
people (you?) are relying on.  I do not think any piece of the FreeBSD
system (e.g. savecore, etc.) relies on this behaviour.

You're under the mentality that the information is *always* available
after a panic/reboot -- it isn't.  I have 4 different Supermicro
motherboards (all from different years) which will most of the time
lose the msgbuf after rebooting from single-user -- but sometimes the
msgbuf is retained.  And no, bad hardware is not responsible for the
randomness of the problem.

I think it's been discussed in the past how/why this can happen.  It  
has
to do with what each BIOS manufacturer chooses to do with some parts  
of

memory during start-up.  I'm sure the Quick Boot (e.g. no extensive
memory test, which really doesn't test anything these days) option  
plays

a role, and that option is enabled by default on all motherboards I've
used in the past 10 years.


I've been involved with a few embedded systems, some BSD based some  
not. In a few cases we've used custom BIOSes on the motherboard.


At least one BIOS SDK specifically describes this as a feature. What  
is exposed to the end user as Quick Boot is actually several options  
that the motherboard designer/BIOS configurer can select. One of which  
is specifying which chunks of memory should be preserved after a  
reboot, up to memory tests should be as non-destructive as possible.  
While you can't *rely* on it, with careful use of atomic writes and  
state checking you can pick up where you left off after a reboot on an  
embedded device that has no long-term storage if it was a warm boot.  
Or, gathering crash dumps and sending them off to the network.


Here, the dmesg buffer is a simple ring buffer in the kernel. The  
start/end pointers and contents of the ring buffer are deliberately  
not cleared after a reboot in FreeBSD to at least make the information  
available if the BIOS didn't clobber it. This can be extremely useful  
in those a box on the other side of the world keeps rebooting with no  
panic, if you can tell the BIOS to skip the memory check. In one case  
I even (ab)used some extra video ram on the motherboard as a dmesg  
buffer since the video bios didn't wipe it on boot, but the system's  
bios insisted on doing a full memory test each time.


If you have a BIOS that's sometimes but not always wiping the buffer,  
it's probably because a few bits are being lost while the motherboard  
turns the DRAM refresh off during the reboot. Some DIMMS can handle no  
refresh for tens of seconds, some start popping bit errors rather  
quickly. Take a look at sys/kern/subr_msgbuf.c:msgbuf_reinit. There's  
a magic number it looks for as well as a checksum on the whole buffer  
that's updated after every write. If anything changes, the kernel  
throws out the whole buffer and starts fresh. If you boot with -v  
you'll probably see msgbuf cksum mismatch.


While I don't think any of the shipping FreeBSD tools rely on this  
behavior, I know I tried submitting a patch back in the FreeBSD-2.2(?)  
days to fix that overlooked uninitialized buffer and got educated by  
jkh pretty quickly. :)


___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-20 Thread Freddie Cash

On November 20, 2008 02:42 am Nate Eldredge wrote:
 On Thu, 20 Nov 2008, Jeremy Chadwick wrote:
  On Wed, Nov 19, 2008 at 11:48:36PM -0800, Nate Eldredge wrote:
  On Wed, 19 Nov 2008, Jeremy Chadwick wrote:
  On Thu, Nov 20, 2008 at 05:39:36PM +1100, Peter Jeremy wrote:
  I hope that never gets committed - it will make debugging kernel
  problems much harder.  There is already a kern.msgbuf_clear sysctl
  and maybe people who are concerned about msgbuf leakage need to
  learn to use it.
 
  And this sysctl is only usable *after* the kernel loads, which
  means you lose all of the messages shown from the time the kernel
  loads to the time the sysctl is set (e.g. hardware
  detected/configured).  This is even less acceptable, IMHO.
 
  But surely you can arrange that the contents are written out to
  /var/log/messages first?
 
  E.g. a sequence like
 
  - mount /var
  - write buffer contents via syslogd
  - clear buffer via sysctl
  - allow user logins
 
  This has two problems, but I'm probably missing something:
 
  1) See my original post, re: users of our systems use dmesg to find
  out what the status of the system is.  By status I don't mean from
  the point the kernel finished to now, I literally mean they *expect*
  to see the kernel device messages and all that jazz.  No, I'm not
  making this up, nor am I arguing just to hear myself talk (despite
  popular belief).  I can bring these users into the discussion if
  people feel it would be useful.

 I forgot about that point.  I can sympathize with those users; I
 feel the same way.  It's a good way to learn about a system as a
 mere user (since usually sysadmins don't remember or bother to
 disable it).

 However, in my experience dmesg isn't really the best thing for that
 purpose; the kernel message buffer tends to get wiped out once the
 system has been up for a while.  (It fills with ipfw logs, ethernet
 link state changes, etc.)

 Maybe a better approach would be to point them to /var/log/messages
 or whichever log file stores them permanently.

I think what you are looking for is /var/run/dmesg.boot, which stores just 
the dmesg info from the initial boot.  Nothing gets logged to this after 
the boot is complete.  This file has been a life saver quite a few times 
since I discovered it, and is something I really miss when working with 
mis-behaving Linux systems.

-- 
Freddie Cash
[EMAIL PROTECTED]
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-19 Thread Carlos A. M. dos Santos

On Tue, Nov 18, 2008 at 7:34 PM, Ed Schouten [EMAIL PROTECTED] wrote:
 Hello Carlos, others,

 * Ed Schouten [EMAIL PROTECTED] wrote:
 About the /dev/console issues: Robert Watson and I discussed this some
 time ago on IRC and what I did in HEAD (not RELENG_7) was that I changed
 TIOCCONS not to take a look at the permissions of /dev/console, but we
 changed it to use priv_check(). This means that right now you can only
 call TIOCCONS as root. I can't really understand why the problem exists
 on RELENG_7.

 About making xconsole setuid: I've read the messages you mentioned, but
 I think we could just alter console to call TIOCCONS and just drop
 privileges. An even better solution would be to just get rid of TIOCCONS
 and invent a better solution to capture syslog messages. I can't really
 understand why we want to abuse TTY's to do this.

 So I can't say we're working on this, but at least I can confirm the
 issue.

 One solution would be to let xconsole just display /var/log/messages.
 There shouldn't be a valid reason to let syslogd print messages to
 /dev/console and capture them again using TIOCCONS. We could just
 instruct xconsole to read its data from the log files.

 If you save the attached patch as /usr/ports/x11/xconsole/files/
 patch-xconsole.c (create directory first) and recompile xconsole, it
 will use the log file.

 I'll discuss this with others to decide if we should take such an
 approach.

It is not necessary to patch xconsole to accomplish this. Using the
-file command line argument would be enough. Be warned, however, that

1. messages sent straight to /dev/console will not show up at the
xconsole window;

2. with large files it will become slow and consume lots of memory,
because it will load the entire contents of /mar/log/messages to its
text buffer;

3. it will show *all* messages, not only the urgent ones, which is not
necessarily the desired behavior;

4. it will stop working upon log rotation.

-- 
cd /usr/ports/sysutils/life
make clean
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-19 Thread Jeremy Chadwick

On Wed, Nov 19, 2008 at 02:02:42AM -0800, Garrett Cooper wrote:
 On Tue, Nov 18, 2008 at 1:49 PM, David Wolfskill [EMAIL PROTECTED] wrote:
  On Tue, Nov 18, 2008 at 10:34:10PM +0100, Ed Schouten wrote:
  ...
  One solution would be to let xconsole just display /var/log/messages.
 
  Errr... it may be rather a pathological case, but you might want to
  check the content of /etc/syslog.conf on the local machine before
  getting too carried away with that approach.
 
  For example, on my firewall box at home (where I really do not want to
  log anything to local disk files, though I do have a serial console on it):
 
  janus(6.4-P)[1] grep -v '^#' /etc/syslog.conf
  *.* @bunrab.catwhisker.org
  janus(6.4-P)[2]
 
  And then consider the fate of bunrab -- with stuff getting logged to
  /var/log/messages from various machines
 
  ...
  I'll discuss this with others to decide if we should take such an
  approach.
 
  I'm not trying to be obstructionist, here.  If the above case is really
  too pathological to consider -- or if it's a case of me bringing that
  fate upon myself, I suppose -- that's actually something I can live
  with.  It would be nice to be forwarned about it, though.  :-}
 
  Peace,
  david
 
 Uh, I second that. /var/log/messages shouldn't necessarily be
 accessible by non-root users. Also, OSX 10.5 protects against non-root
 access to dmesg. Not saying we should go that far, but it's already
 being implemented, so I don't see any harm in hiding the contents of
 `messages', as required by the sysadmin.

Footnote (not really applicable to the thread, but I want to point it
out to users/admins reading): inhibiting users viewing the kernel
message buffer (dmesg) can be accomplished by setting the
security.bsd.unprivileged_read_msgbuf sysctl to 0.

However, note that this can piss users off.  We have numerous users
on our system who rely on this information to see if anything weird is
going on with the box.  I set that sysctl one day (see below for why),
and I got flames in my mailbox within 48 hours.  Just something to keep
in mind if you have technically-savvy users.

There's a known issue with the kernel message buffer though: it's not
NULL'd out upon reboot.  Meaning, in some cases (depends on the BIOS or
system), the kernel message buffer from single-user mode is retained
even after a reboot!  A user can then do dmesg and see all the nifty
stuff you've done during single-user, which could include unencrypted
passwords if mergemaster was tinkering with passwd/master.passwd, etc..
I've brought this up before, and people said Yeah, we know, moving on.
Rink Springer created a patch where the kernel message buffer will start
with NULL to keep this from happening, but it needs to be made into a
loader.conf tunable.

Also, /var/log/messages is explicitly set to 0644 in newsyslog.conf.  If
people want to debate that, be my guest.  I'm not sure what security
hole we'd be plugging if it was set to 0600, especially given that many
userland programs use the LOG_NOTICE facility in syslog.  If people want
to debate those default perms, be my guest.  I would rather people
debate the default syslog.conf layout altogether; I'm surprised we
haven't moved to syslog-ng (as part of the base system) by now.  :-)

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-19 Thread Garrett Cooper

On Tue, Nov 18, 2008 at 1:49 PM, David Wolfskill [EMAIL PROTECTED] wrote:
 On Tue, Nov 18, 2008 at 10:34:10PM +0100, Ed Schouten wrote:
 ...
 One solution would be to let xconsole just display /var/log/messages.

 Errr... it may be rather a pathological case, but you might want to
 check the content of /etc/syslog.conf on the local machine before
 getting too carried away with that approach.

 For example, on my firewall box at home (where I really do not want to
 log anything to local disk files, though I do have a serial console on it):

 janus(6.4-P)[1] grep -v '^#' /etc/syslog.conf
 *.* @bunrab.catwhisker.org
 janus(6.4-P)[2]

 And then consider the fate of bunrab -- with stuff getting logged to
 /var/log/messages from various machines

 ...
 I'll discuss this with others to decide if we should take such an
 approach.

 I'm not trying to be obstructionist, here.  If the above case is really
 too pathological to consider -- or if it's a case of me bringing that
 fate upon myself, I suppose -- that's actually something I can live
 with.  It would be nice to be forwarned about it, though.  :-}

 Peace,
 david

Uh, I second that. /var/log/messages shouldn't necessarily be
accessible by non-root users. Also, OSX 10.5 protects against non-root
access to dmesg. Not saying we should go that far, but it's already
being implemented, so I don't see any harm in hiding the contents of
`messages', as required by the sysadmin.
-Garrett
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-19 Thread Peter Jeremy

On 2008-Nov-19 02:47:31 -0800, Jeremy Chadwick [EMAIL PROTECTED] wrote:
There's a known issue with the kernel message buffer though: it's not
NULL'd out upon reboot.

This is deliberate.  If the system panics, stuff that was in the
message buffer (and might not be on disk) can be read when the system
reboots.  If there is no crashdump, this might be the only record of
what happened.

  Meaning, in some cases (depends on the BIOS or
system), the kernel message buffer from single-user mode is retained
even after a reboot!  A user can then do dmesg and see all the nifty
stuff you've done during single-user, which could include unencrypted
passwords if mergemaster was tinkering with passwd/master.passwd, etc..

There shouldn't be unencrypted passwords, though there might be encrypted
passwords visible.

Rink Springer created a patch where the kernel message buffer will start
with NULL to keep this from happening, but it needs to be made into a
loader.conf tunable.

I hope that never gets committed - it will make debugging kernel
problems much harder.  There is already a kern.msgbuf_clear sysctl and
maybe people who are concerned about msgbuf leakage need to learn to
use it.

-- 
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.


pgp13Q2HNhDcL.pgp
Description: PGP signature

Re: [Testers wanted] /dev/console cleanups

2008-11-19 Thread Jeremy Chadwick

On Thu, Nov 20, 2008 at 05:39:36PM +1100, Peter Jeremy wrote:
 On 2008-Nov-19 02:47:31 -0800, Jeremy Chadwick [EMAIL PROTECTED] wrote:
 There's a known issue with the kernel message buffer though: it's not
 NULL'd out upon reboot.
 
 This is deliberate.  If the system panics, stuff that was in the
 message buffer (and might not be on disk) can be read when the system
 reboots.  If there is no crashdump, this might be the only record of
 what happened.

That doesn't sound deliberate at all -- it sounds like a quirk that
people (you?) are relying on.  I do not think any piece of the FreeBSD
system (e.g. savecore, etc.) relies on this behaviour.

You're under the mentality that the information is *always* available
after a panic/reboot -- it isn't.  I have 4 different Supermicro
motherboards (all from different years) which will most of the time
lose the msgbuf after rebooting from single-user -- but sometimes the
msgbuf is retained.  And no, bad hardware is not responsible for the
randomness of the problem.

I think it's been discussed in the past how/why this can happen.  It has
to do with what each BIOS manufacturer chooses to do with some parts of
memory during start-up.  I'm sure the Quick Boot (e.g. no extensive
memory test, which really doesn't test anything these days) option plays
a role, and that option is enabled by default on all motherboards I've
used in the past 10 years.

   Meaning, in some cases (depends on the BIOS or
 system), the kernel message buffer from single-user mode is retained
 even after a reboot!  A user can then do dmesg and see all the nifty
 stuff you've done during single-user, which could include unencrypted
 passwords if mergemaster was tinkering with passwd/master.passwd, etc..
 
 There shouldn't be unencrypted passwords, though there might be encrypted
 passwords visible.

Sorry, that's what I meant.

The point is that a lot of things can go on in single-user mode which
can/will disclose information or data in files which users do not have
access to.  Once the system is rebooted, a non-root user can do dmesg
-a and see this buffer, getting access to data he/she normally does not
have access to.

Do you and I agree that this is in fact a security risk/problem?

 Rink Springer created a patch where the kernel message buffer will start
 with NULL to keep this from happening, but it needs to be made into a
 loader.conf tunable.
 
 I hope that never gets committed - it will make debugging kernel
 problems much harder.  There is already a kern.msgbuf_clear sysctl and
 maybe people who are concerned about msgbuf leakage need to learn to
 use it.

And this sysctl is only usable *after* the kernel loads, which means
you lose all of the messages shown from the time the kernel loads to
the time the sysctl is set (e.g. hardware detected/configured).  This is
even less acceptable, IMHO.

I would like to see Rink's patch committed, as long as the loader
tunable defaults to *off* (e.g. current/historic behaviour).  I'll also
ask Rink to chime in here with his thoughts/opinions.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-19 Thread Nate Eldredge


On Wed, 19 Nov 2008, Jeremy Chadwick wrote:


On Thu, Nov 20, 2008 at 05:39:36PM +1100, Peter Jeremy wrote:



I hope that never gets committed - it will make debugging kernel
problems much harder.  There is already a kern.msgbuf_clear sysctl and
maybe people who are concerned about msgbuf leakage need to learn to
use it.


And this sysctl is only usable *after* the kernel loads, which means
you lose all of the messages shown from the time the kernel loads to
the time the sysctl is set (e.g. hardware detected/configured).  This is
even less acceptable, IMHO.


But surely you can arrange that the contents are written out to 
/var/log/messages first?


E.g. a sequence like

- mount /var
- write buffer contents via syslogd
- clear buffer via sysctl
- allow user logins

This way the buffer is cleared before any unprivileged users get to do 
anything.  No kernel changes needed, just a little tweaking of the init 
scripts at most.


If you should have a crash and suspect there is useful data in the buffer, 
you can boot to single-user mode (avoiding the clear) and retrieve it 
manually.


Seems like this should make everyone happy.

--

Nate Eldredge
[EMAIL PROTECTED]
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [Testers wanted] /dev/console cleanups

2008-11-18 Thread Ed Schouten

Hello Carlos, others,

* Ed Schouten [EMAIL PROTECTED] wrote:
 About the /dev/console issues: Robert Watson and I discussed this some
 time ago on IRC and what I did in HEAD (not RELENG_7) was that I changed
 TIOCCONS not to take a look at the permissions of /dev/console, but we
 changed it to use priv_check(). This means that right now you can only
 call TIOCCONS as root. I can't really understand why the problem exists
 on RELENG_7.
 
 About making xconsole setuid: I've read the messages you mentioned, but
 I think we could just alter console to call TIOCCONS and just drop
 privileges. An even better solution would be to just get rid of TIOCCONS
 and invent a better solution to capture syslog messages. I can't really
 understand why we want to abuse TTY's to do this.
 
 So I can't say we're working on this, but at least I can confirm the
 issue.

One solution would be to let xconsole just display /var/log/messages.
There shouldn't be a valid reason to let syslogd print messages to
/dev/console and capture them again using TIOCCONS. We could just
instruct xconsole to read its data from the log files.

If you save the attached patch as /usr/ports/x11/xconsole/files/
patch-xconsole.c (create directory first) and recompile xconsole, it
will use the log file.

I'll discuss this with others to decide if we should take such an
approach.

-- 
 Ed Schouten [EMAIL PROTECTED]
 WWW: http://80386.nl/
--- xconsole.c
+++ xconsole.c
@@ -145,6 +145,11 @@
 {-saveLines,	*saveLines,		XrmoptionSepArg,	NULL},
 };
 
+#ifdef __FreeBSD__
+#define USE_FILE
+#define FILE_NAME /var/log/messages
+#endif
+
 #ifdef ultrix
 #define USE_FILE
 #define FILE_NAME /dev/xcons
@@ -252,7 +257,7 @@
 	if (!strcmp (app_resources.file, console))
 	{
 	/* must be owner and have read/write permission */
-#if !defined(__NetBSD__)  !defined(__OpenBSD__)  !defined(Lynx)  !defined(__UNIXOS2__)
+#if !defined(__FreeBSD__)  !defined(__NetBSD__)  !defined(__OpenBSD__)  !defined(Lynx)  !defined(__UNIXOS2__)
 	struct stat sbuf;
 # if !defined (linux)
 	if (!stat(/dev/console, sbuf) 
@@ -266,9 +271,11 @@
 		if (!stat(FILE_NAME, sbuf))
 # endif
 		input = fopen (FILE_NAME, r);
-# ifdef __UNIXOS2__
 		if (input)
 		{
+		struct stat sbuf;
+
+# ifdef __UNIXOS2__
 		ULONG arg = 1,arglen;
 		APIRET rc;
 		if ((rc=DosDevIOCtl(fileno(input), 0x76,0x4d,
@@ -278,8 +285,11 @@
 			fclose(input);
 			input = 0;
 		}
-		}
 # endif
+
+		if (!fstat(fileno(input), sbuf)  S_ISREG(sbuf.st_mode))
+			regularFile = TRUE;
+		}
 #endif
 		
 #ifdef USE_PTY


pgpt0FzOtlKLm.pgp
Description: PGP signature

Re: [Testers wanted] /dev/console cleanups

2008-11-18 Thread David Wolfskill

On Tue, Nov 18, 2008 at 10:34:10PM +0100, Ed Schouten wrote:
 ...
 One solution would be to let xconsole just display /var/log/messages.

Errr... it may be rather a pathological case, but you might want to
check the content of /etc/syslog.conf on the local machine before
getting too carried away with that approach.

For example, on my firewall box at home (where I really do not want to
log anything to local disk files, though I do have a serial console on it):

janus(6.4-P)[1] grep -v '^#' /etc/syslog.conf 
*.* @bunrab.catwhisker.org
janus(6.4-P)[2] 

And then consider the fate of bunrab -- with stuff getting logged to
/var/log/messages from various machines

 ...
 I'll discuss this with others to decide if we should take such an
 approach.

I'm not trying to be obstructionist, here.  If the above case is really
too pathological to consider -- or if it's a case of me bringing that
fate upon myself, I suppose -- that's actually something I can live
with.  It would be nice to be forwarned about it, though.  :-}

Peace,
david
-- 
David H. Wolfskill  [EMAIL PROTECTED]
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.


pgpLDVAJGmZrP.pgp
Description: PGP signature

Re: [Testers wanted] /dev/console cleanups

2008-11-01 Thread Eygene Ryabinkin

Ed, good day.

Tue, Oct 28, 2008 at 09:11:54AM +0100, Ed Schouten wrote:
 It's nice to hear that the patch didn't break anything on your system. I
 hope to receive more reviews, but I think I'll just commit it this
 weekend (with small modifications).

Just a quick me too message: patchset from October, 29th works
flawlessly on my systems.

Thanks!
-- 
Eygene
 ____   _.--.   #
 \`.|\.....-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' ` ,   __.--'  #  to read the on-line manual   
 )/' _/ \   `-_,   /#  while single-stepping the kernel.
 `-' `\_  ,_.-;_.-\_ ',  fsc/as   #
 _.-'_./   {_.'   ; /   #-- FreeBSD Developers handbook 
{_.-``-' {_/#


pgp3Kf6n39Z2O.pgp
Description: PGP signature

Re: [Testers wanted] /dev/console cleanups

2008-10-28 Thread Ed Schouten

Hello Carlos,

* Carlos A. M. dos Santos [EMAIL PROTECTED] wrote:
 The patched source builds and installs flawlessy. However I observed
 something that seems to be a regression. If I run either xconsole or
 xterm -C I only see kernel messages, even though my X startup (via
 XDM) changes the owner of /dev/console to the logged-in user. I mean,
 if I do some timg like echo OK  /dev/console, the message is echoed
 on /dev/ttyv0, not by xconsole
 
 This is the same problem reported by Jeff Blank on RELENG_7:
 
 http://lists.freebsd.org/pipermail/freebsd-stable/2008-September/044949.html
 http://lists.freebsd.org/pipermail/freebsd-stable/2008-October/045885.html

It's nice to hear that the patch didn't break anything on your system. I
hope to receive more reviews, but I think I'll just commit it this
weekend (with small modifications).

About the /dev/console issues: Robert Watson and I discussed this some
time ago on IRC and what I did in HEAD (not RELENG_7) was that I changed
TIOCCONS not to take a look at the permissions of /dev/console, but we
changed it to use priv_check(). This means that right now you can only
call TIOCCONS as root. I can't really understand why the problem exists
on RELENG_7.

About making xconsole setuid: I've read the messages you mentioned, but
I think we could just alter console to call TIOCCONS and just drop
privileges. An even better solution would be to just get rid of TIOCCONS
and invent a better solution to capture syslog messages. I can't really
understand why we want to abuse TTY's to do this.

So I can't say we're working on this, but at least I can confirm the
issue.

-- 
 Ed Schouten [EMAIL PROTECTED]
 WWW: http://80386.nl/


pgpe3Z4oSjMVU.pgp
Description: PGP signature

Re: [Testers wanted] /dev/console cleanups

2008-10-27 Thread Carlos A. M. dos Santos

On Sun, Oct 26, 2008 at 1:27 PM, Ed Schouten [EMAIL PROTECTED] wrote:
 Hello everyone,

 Most of you probably already know that I've been very busy improving our
 kernel's TTY implementation. I've committed the new MPSAFE TTY layer
 back in August. So far most of the things seem to work properly as far
 as I can see. There are always some small bugs, but I'm confident we'll
 get them fixed before 8.0.

 One of the things that I dislike about the code we have right now, is
 the way /dev/console is implemented. There is a small amount of
 complexity there, which is mainly because of the fact that our console
 code actually works on two different levels:

 - We've got kernel messages that are printed using very low-level
  routines and communicate directly with the drivers.

 - We've got user messages that are printed through /dev/console, which
  actually work on the TTY level, but make use of a similar device
  selection as the first set of routines.

 In an attempt to make /dev/console MPSAFE, I moved /dev/console into the
 TTY layer itself, which makes it a lot more simple than it is now.

 Well, to keep a long story short, it would be wonderful if some people
 could test the latest MPSAFE TTY patchset, just to make sure it doesn't
 wreck people's setups after I commit this. So just apply the patch and
 see if you can still boot your system, go into single user and multi
 user mode, use conscontrol(8), etc.

 I've stored the latest MPSAFE TTY patchsets at the usual location. Make
 sure you download the latest version.

http://people.FreeBSD.org/~ed/mpsafetty/

 The patchset also includes some other nice things, like some manual
 pages (not finished) and a port of snp(4) to the new TTY layer (also not
 finished).

 Thank you for your attention!

The patched source builds and installs flawlessy. However I observed
something that seems to be a regression. If I run either xconsole or
xterm -C I only see kernel messages, even though my X startup (via
XDM) changes the owner of /dev/console to the logged-in user. I mean,
if I do some timg like echo OK  /dev/console, the message is echoed
on /dev/ttyv0, not by xconsole

This is the same problem reported by Jeff Blank on RELENG_7:

http://lists.freebsd.org/pipermail/freebsd-stable/2008-September/044949.html
http://lists.freebsd.org/pipermail/freebsd-stable/2008-October/045885.html

-- 
cd /usr/ports/sysutils/life
make clean
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

[Testers wanted] /dev/console cleanups

2008-10-26 Thread Ed Schouten

Hello everyone,

Most of you probably already know that I've been very busy improving our
kernel's TTY implementation. I've committed the new MPSAFE TTY layer
back in August. So far most of the things seem to work properly as far
as I can see. There are always some small bugs, but I'm confident we'll
get them fixed before 8.0.

One of the things that I dislike about the code we have right now, is
the way /dev/console is implemented. There is a small amount of
complexity there, which is mainly because of the fact that our console
code actually works on two different levels:

- We've got kernel messages that are printed using very low-level
  routines and communicate directly with the drivers.

- We've got user messages that are printed through /dev/console, which
  actually work on the TTY level, but make use of a similar device
  selection as the first set of routines.

In an attempt to make /dev/console MPSAFE, I moved /dev/console into the
TTY layer itself, which makes it a lot more simple than it is now.

Well, to keep a long story short, it would be wonderful if some people
could test the latest MPSAFE TTY patchset, just to make sure it doesn't
wreck people's setups after I commit this. So just apply the patch and
see if you can still boot your system, go into single user and multi
user mode, use conscontrol(8), etc.

I've stored the latest MPSAFE TTY patchsets at the usual location. Make
sure you download the latest version.

http://people.FreeBSD.org/~ed/mpsafetty/

The patchset also includes some other nice things, like some manual
pages (not finished) and a port of snp(4) to the new TTY layer (also not
finished).

Thank you for your attention!

-- 
 Ed Schouten [EMAIL PROTECTED]
 WWW: http://80386.nl/


pgp5jhSTM0G8z.pgp
Description: PGP signature

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

Re: [Testers wanted] /dev/console cleanups

[Testers wanted] /dev/console cleanups

19 matches

Site Navigation

Mail list logo

Footer information