sticker of transparent, white puffy hits Switzerland

2006-04-11 Thread Stephan A. Rickauer
Was also included in the 3.9 CD parcel I've received today! Awesome,
now the directors have to look at puffy every time they enter my door ;)

Thanks, guys.

--

 Stephan A. Rickauer

 ---
 Institut für Neuroinformatik  Tel: +41 44 635 30 50
 Universität / ETH Zürich  Sek: +41 44 635 30 52
 Winterthurerstrasse 190   Fax: +41 44 635 30 53
 CH-8057 Zürich   Web: www.ini.ethz.ch

 RSA public key: https://www.ini.ethz.ch/~stephan/pubkey.asc
 ---




Re: OpenBSD todo list?

2006-04-11 Thread Joachim Schipper
On Tue, Apr 11, 2006 at 12:40:45AM -0401, Ray Lai wrote:
 On Mon, Apr 10, 2006 at 08:44:36PM -0700, Shawn Nock wrote:
  A quick search of the archive and google didn't turn anything up, so 
  I'll ask here.
  
  Is there (if not could there be) a document that describes portions of 
  the tree that particularly need attention? I am looking for a way to 
  contribute and without a little direction the task seems daunting. The 
  FreeBSD folks recently started maintaining such a todo list. It seems to 
  have worked out fairly well for them. I realize that those in a position 
  to put together such a list are also the ones not likely to have the 
  time, but I believe this could prove useful (I assume there are more 
  like me who are new and/or haven't found a comfort zone/focus yet).
 
 OpenRCS needs help.  Diffs that implement missing functionality,
 diffs that match GNU RCS behavior in existing functions, and
 additional regression tests are all welcome.
 
 I look forward to your code.

There was also an open request for help with m4, not too long ago, on
[EMAIL PROTECTED] IIRC, Marc Espie would like traceback functionality.

Not sure if someone is already working on it.

Joachim



Re: gcc miscompiles ntohs16() inline assembly in OpenBSD 3.8

2006-04-11 Thread Otto Moerbeek
On Thu, 6 Apr 2006, chefren wrote:

 On 04/05/06 02:07, Andrew Pinski wrote:
 
  Actually I bet ntohs16 is violating C aliasing rules.
  
  So getting rid of GCC actually is wrong.  Getting rid
  of these aliasing violations is the correct way.
  
  -- Pinski
 
 Interesting, how do you figure that?
 
 The relevant definition is:
 
 #define __swap16md(x) ({                               \
         u_int16_t __swap16md_x = (x);                  \
                                                        \
         __asm ("rorw $8, %w1" : "+r" (__swap16md_x));  \
         __swap16md_x;                                  \
 })
 
 i.e. a block that returns a short value (a compound statement expression
 is the gcc terminology, we believe).
 
 Where would aliasing rules enter into this situation?
 
 
 Thanks for looking at this, if we can help or assist with solving this: please
 don't hesitate to ask.

The following diff (backported from gcc PR
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=10692) seems to fix the
problem.  I hardly know i386 assembly, so please check if the produced
code is correct.

If I see things correctly, this fix is not in either 3.3.5 or 3.3.6.
Debian -stable backported it into their 3.3.5 gcc. 

Now the funny thing is that according to the PR, this is a m68k
specific bug, although the fix is not in target specific code.

-Otto

Index: gcc/reload1.c
===
RCS file: /cvs/src/gnu/usr.bin/gcc/gcc/reload1.c,v
retrieving revision 1.3
diff -u -p -r1.3 reload1.c
--- gcc/reload1.c   25 Dec 2004 00:23:11 -  1.3
+++ gcc/reload1.c   11 Apr 2006 08:48:39 -
@@ -6923,6 +6923,10 @@ do_input_reload (chain, rl, j)
  actually no need to store the old value in it.  */
 
   if (optimize
+  /* Only attempt this for input reloads; for RELOAD_OTHER we miss
+that there may be multiple uses of the previous output reload.
+Restricting to RELOAD_FOR_INPUT is mostly paranoia.  */
+   rl-when_needed == RELOAD_FOR_INPUT
(reload_inherited[j] || reload_override_in[j])
rl-reg_rtx
GET_CODE (rl-reg_rtx) == REG
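
Review bot: The new when_needed == RELOAD_FOR_INPUT test in do_input_reload is narrower than the comment's justification: the comment names only RELOAD_OTHER as the case that goes wrong, yet every reload type other than RELOAD_FOR_INPUT now skips this path, and the comment itself calls that "mostly paranoia". Since the whole condition sits under "if (optimize", the change only affects optimized builds, so a regression test compiled with optimization that covers the __swap16md case from this thread should accompany it, and the comment should point at gcc PR 10692 so the origin of the backport is not lost.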



Re: Limiting userland RAM utilization

2006-04-11 Thread Joachim Schipper
On Mon, Apr 10, 2006 at 07:18:02PM -0700, Michael Favinsky wrote:
 I have a userland process that once in a while goes haywire and starts
 consuming lots of RAM. While I'm troubleshooting the problem, I need to set
 up a way to limit this process's RAM consumption, to something along the
 lines of 200MB.
 
 I was looking at using some of the RAM limiting parameters in
 /etc/login.conf. The three I found most relevant are memorylocked,
 memoryuse, and vmemoryuse. I'm not sure which one of these is the one I need
 to tweak. At this point I'm ready to set them all to 200MB. If someone can
 provide some info on which one of these I should actually be using (or point
 to somewhere that does) I'd appreciate it.
 
 And please, no flaming about how I should use an app that doesn't consume
 too much RAM. I'm working on that, but I need a short term solution to
 control this app's RAM consumption without bringing my whole system down.

See ulimit, in the manual for whatever shell you are using. It can be
used much more elegantly to set per-process limits.

Joachim



Re: PFlog

2006-04-11 Thread Joachim Schipper
On Mon, Apr 10, 2006 at 09:27:53PM +0100, Gaby vanhegan wrote:
 On 10 Apr 2006, at 17:29, Joachim Schipper wrote:
 
  The only problem here is that I'm running 3.6 and pmacct requires
  libpcap = 0.6, and 0.3 is what I have.  I can't do an upgrade at the
  moment, there's too many variables, but if I were to build libpcap
  from source, would it clobber the version that's currently installed
  and break other programs?
 
  The OpenBSD libpcap is a pretty heavily hacked version - most should be
  in it.
 
 It appears to be missing the function pcap_open_dead(), so I presume  
 the 3.6 libpcap version is a touch behind the 0.6 version that pmacct  
 requires.
 
  Of course, that looks like it's time for a port. ;-)
  Or just go with pfflowd, or somesuch.
 
 I already had a nice little system setup using pmacct to dump data  
 into an SQL db.  It would seem that using pfflowd and flowd together  
 could replace that part of the system, and the data analysis part  
 remains the same.
 
 The only difference here is that pfflowd would capture traffic at the  
 firewall stage, whereas pmacct captures it directly at the  
 interface.  A little more glue required, but it could be made to do  
 the same job.

Actually, since the firewall would do most of the packet processing,
it's quite likely to be faster, too.

Joachim



Re: aliases with carp

2006-04-11 Thread Falk Brockerhoff

On 10.04.2006 at 18:05, Simon Slaytor wrote:


inet 1.2.3.2 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0
inet alias 1.2.3.6 255.255.255.0 1.2.3.255

Try trimming down your alias lines and see if that helps. Might be a
shot in the dark but you never know.


With carp implemented in FreeBSD 5.4 this doesn't work:

Master:
ifconfig_carp0="vhid 1 pass secretpassword 192.168.0.2 netmask 255.255.255.128"

ifconfig_carp0_alias0="inet 192.168.0.10 netmask 255.255.255.128"
ifconfig_carp0_alias1="inet 192.168.0.11 netmask 255.255.255.128"

Backup:
ifconfig_carp0="vhid 1 advskew 100 pass secretpasswort 192.168.0.3 netmask 255.255.255.128"

ifconfig_carp0_alias0="inet 192.168.0.10 netmask 255.255.255.128"
ifconfig_carp0_alias1="inet 192.168.0.11 netmask 255.255.255.128"

But both servers assume to be in master-state :-/ Is this a FreeBSD-specific
or a general carp-problem?


Regards,

Falk Brockerhoff



Re: bgpd, nexthop and dynamically created interfaces

2006-04-11 Thread Henning Brauer
I did find a bug. Not certain whether this is what affects you.
We look at fields from rt_msghdr that the RTM_IFINFO messages do not
have - they use if_msghdr instead. We do abort on rtm->rtm_errno != 0,
but if_msghdr has no errno, so we look at something in the data part
instead. Surprising that this didn't bite us before!
So we must only do these checks for RTM_ADD/CHANGE/DELETE that actually
use rt_msghdr.
ospfd has the same issue.

Index: kroute.c
===
RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
retrieving revision 1.145
diff -u -p -r1.145 kroute.c
--- kroute.c22 Mar 2006 13:30:35 -  1.145
+++ kroute.c11 Apr 2006 11:07:27 -
@@ -2123,21 +2123,23 @@ dispatch_rtmsg(void)
lim = buf + n;
for (next = buf; next  lim; next += rtm-rtm_msglen) {
rtm = (struct rt_msghdr *)next;
-   sa = (struct sockaddr *)(rtm + 1);
-   get_rtaddrs(rtm-rtm_addrs, sa, rti_info);
-
-   if (rtm-rtm_pid == kr_state.pid)   /* cause by us */
-   continue;
-
-   if (rtm-rtm_errno) /* failed attempts... */
-   continue;
 
switch (rtm-rtm_type) {
case RTM_ADD:
case RTM_CHANGE:
case RTM_DELETE:
+   sa = (struct sockaddr *)(rtm + 1);
+   get_rtaddrs(rtm-rtm_addrs, sa, rti_info);
+
+   if (rtm-rtm_pid == kr_state.pid)   /* cause by us 
*/
+   continue;
+
+   if (rtm-rtm_errno) /* failed 
attempts... */
+   continue;
+
if (rtm-rtm_flags  RTF_LLINFO)/* arp cache */
continue;
+
if (dispatch_rtmsg_addr(rtm, rti_info) == -1)
return (-1);
break;
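
Review bot: Before the switch, the loop still casts every message to struct rt_msghdr * and reads rtm_msglen and rtm_type through it, including for the RTM_IFINFO messages that the description says carry an if_msghdr. That is only safe if those two fields sit at the same place in both headers, so a short comment above the switch stating that nothing beyond them may be read until the type is known would keep a later edit from reintroducing the bug. The description also says ospfd has the same issue, and this diff touches only bgpd's kroute.c, so the matching change should come with it or be tracked.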


-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: aliases with carp

2006-04-11 Thread Henning Brauer
* Falk Brockerhoff [EMAIL PROTECTED] [2006-04-11 13:01]:
 With carp implemented in FreeBSD 5.4 this doesn't work:

this is not a freebsd list.

 Master:
 ifconfig_carp0=vhid 1 pass secretpassword 192.168.0.2 netmask  
 Backup:
 ifconfig_carp0=vhid 1 advskew 100 pass secretpasswort 192.168.0.3  

 But both servers assume to be in master-state

they are, for their specific addresses. They do not match.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: bgpd, nexthop and dynamically created interfaces

2006-04-11 Thread tony sarendal
On 11/04/06, Henning Brauer [EMAIL PROTECTED] wrote:

 I did find a bug. Not certain whether this is what affects you.
 We look at fields from rt_msghdr that the RTM_IFINFO messages do not
 have - they use if_msghdr instead. We do abort on rtm->rtm_errno != 0,
 but if_msghdr has no errno, so we look at something in the data part
 instead. Surprising that this didn't bite us before!
 So we must only do these checks for RTM_ADD/CHANGE/DELETE that actually
 use rt_msghdr.
 ospfd has the same issue.

 Index: kroute.c
 ===
 RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
 retrieving revision 1.145
 diff -u -p -r1.145 kroute.c
 --- kroute.c22 Mar 2006 13:30:35 -  1.145
 +++ kroute.c11 Apr 2006 11:07:27 -
 @@ -2123,21 +2123,23 @@ dispatch_rtmsg(void)
lim = buf + n;
for (next = buf; next  lim; next += rtm-rtm_msglen) {
rtm = (struct rt_msghdr *)next;
 -   sa = (struct sockaddr *)(rtm + 1);
 -   get_rtaddrs(rtm-rtm_addrs, sa, rti_info);
 -
 -   if (rtm-rtm_pid == kr_state.pid)   /* cause by us */
 -   continue;
 -
 -   if (rtm-rtm_errno) /* failed
 attempts... */
 -   continue;

switch (rtm-rtm_type) {
case RTM_ADD:
case RTM_CHANGE:
case RTM_DELETE:
 +   sa = (struct sockaddr *)(rtm + 1);
 +   get_rtaddrs(rtm-rtm_addrs, sa, rti_info);
 +
 +   if (rtm-rtm_pid == kr_state.pid)   /* cause
 by us */
 +   continue;
 +
 +   if (rtm-rtm_errno) /* failed
 attempts... */
 +   continue;
 +
if (rtm-rtm_flags  RTF_LLINFO)/* arp
 cache */
continue;
 +
if (dispatch_rtmsg_addr(rtm, rti_info) == -1)
return (-1);
break;
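
Review bot: The loop step "next += rtm->rtm_msglen" is left unchecked: nothing in the visible lines rejects a message whose rtm_msglen is 0 or runs past lim, and with the pid and errno checks now inside the switch, the length field is the only thing that moves the loop forward for every other message type. Consider validating it at the top of the loop, for example stopping when rtm_msglen is 0 or when next + rtm_msglen would exceed lim.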


 --
 BS Web Services, http://www.bsws.de/
 OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
 Unix is very simple, but it takes a genius to understand the simplicity.
 (Dennis Ritchie)



I'll apply it tonight and see what it does in my environment.
Oh how productive one can be when the family is out of the country =)

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: bash: home and end keys

2006-04-11 Thread Martin Schröder
On 2006-04-10 23:38:38 +0200, viq wrote:
 (usually running things in screen - though that doesn't seem to matter much)
 I just did export TERM=xterm-xfree86 and that didn't help...

I use xterm and ssh.

 The only result of pressing home or end keys is ~ appearing where the cursor 
 is.

Best
Martin
-- 
http://www.tm.oneiros.de



Re: bash: home and end keys

2006-04-11 Thread Otto Moerbeek
On Tue, 11 Apr 2006, Martin Schröder wrote:

 On 2006-04-10 23:38:38 +0200, viq wrote:
  (usually running things in screen - though that doesn't seem to matter
  much) I just did export TERM=xterm-xfree86 and that didn't help...

 I use xterm and ssh.

  The only result of pressing home or end keys is ~ appearing where the
  cursor is.


I've no idea why it's working for some people and for others not. But
setting the binding explicitly does the trick for me. Not that I use
them ever, I'm happy with ^E and ^A, which work out of the box.

bind '^[[H'=beginning-of-line
bind '^[[F'=end-of-line

-Otto



Re: Which Hardware for Firewall

2006-04-11 Thread Giancarlo Razzolini
Falk Husemann wrote:
 Hello misc!
 We're using OpenBSD on our Hardware since 2003 and have run our Firewall
 on OpenBSD since that time too (always following -STABLE).

 Now the box i once built for that purpose has broken down and I'm in
 need of a replacement I'll assemble myself again. The box serves a
 squid, a pf (with 2 and 1/2 pages DinA4 ruleset), named and httpd-SSL

 The hardware will be on the low to medium end (budget 400-600 EURO).



 Which processor architecture is faster for firewalling purposes? pf runs
 in kernelspace AFAIK, so will dual-core be useless? AMD64? Pentium 4?


 I thought about buying 2GB+ of RAM and running parts of the system from
 RAM (tmp, squid-cache). Is this possible on OpenBSD? A quick google
 search did not turn up anything.


 A quick hint would be sufficient, I don't want to get on someone's wick,
 but there's no information about firewall hardware and obsd on the net.



 Thanks in advance,
 Falk



My home firewall is serving 4-5 machines, 2 of them full-time connected
to the internet. And 3 others sometimes are connected. I run apache,
dhcpd, named, openvpn, webmin, ifstated, plus some others things. I do
have a one and half pages of rules. But the better part, my hardware:
CPU: Pentium 133
Mem: 64MB EDO
Two 10Mbit ethernet cards: An ep(4) based card and an ne(4) based card.

It stays 80% idle most of the time (not counting when i download the
last lost episode using torrents and dht :))

So, unless you have a huge amount of traffic, i recommend buying a good
machine for yourself and using the one you have for the firewall.

My 3 cents,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: OpenBSD todo list?

2006-04-11 Thread Kent Watsen
Christmas in April?  ;)  A couple requests I recall seeing (*cough* 
posting *cough*):


 - enable chroot-ed apps to dump core (this is an easy one)
 - enable openbsd to run as a para-virtualized Xen guest (this is more involved)


Kent


Shawn Nock wrote:
A quick search of the archive and google didn't turn anything up, so 
I'll ask here.


Is there (if not could there be) a document that describes portions of 
the tree that particularly need attention? I am looking for a way to 
contribute and without a little direction the task seems daunting. The 
FreeBSD folks recently started maintaining such a todo list. It seems 
to have worked out fairly well for them. I realize that those in a 
position to put together such a list are also the ones not likely to 
have the time, but I believe this could prove useful (I assume there 
are more like me who are new and/or haven't found a comfort zone/focus 
yet).


Cheers,
Shawn




Re: OpenBSD todo list?

2006-04-11 Thread Eric Pancer
On Tue, 2006-04-11 at 09:25:55 -0700, Kent Watsen proclaimed...

 Christmas in April?  ;)  A couple requests I recall seeing (*cough* 
 posting *cough*):
 
  - enable chroot-ed apps to dump core (this is an easy one)
  - enable openbsd to run as a para-virtualized Xen guest (this is more involved)

I see your two requests, and up you the following.

IPv6 enabled syslogd(8)



using a 122-key keyboard with OpenBSD

2006-04-11 Thread Blair Sadewitz
Does anyone here have any experience using TN3270-style keyboards
(such as http://www.pckeyboard.com/emulator.html) in OpenBSD?  I'm
thinking of starting to use them with the machines I build for
enhanced functionality (vim would be fantastic with all of those keys,
although I feel like an uebernerd for saying so), and am wondering if
there're any pre-existing keymaps/terminal entries/etc.  What to do in
X seems fairly self-explanatory overall, but I figured I'd put a
feeler out to see if anyone has anything they'd like to share with
me.

Regards,

--Blair Sadewitz

--
What is the practical application of a million galaxies?

--Alan W. Watts



Re: ADSL with pppoa (over ATM)

2006-04-11 Thread Luca Losio
 The WAN allocated from the ISP's RADIUS server will be passed through
 the DLink, via DHCP, to your NIC.

 If you aren't convinced, put a windows box with a DHCP NIC behind the
 DLink while in bridge mode, and see it get a routable address.

 Try this: unplug the telephone wire, reboot the DLink, and your NIC will
 get a private address (on windows, do an ipconfig /renew). Plug in the
 telephone wire, and it will get a public one. Job done.

Can you explain how to handle the authentication? I missed this point



generic driver inclusion

2006-04-11 Thread Tim Leslie
I'm interested in getting the clcs audio driver included in the
generic amd64 kernel, what is necessary to move this process forward?

--
Tim Leslie
Dept. Of Geography
Arizona State University



FAQ 10.11 disk quotas

2006-04-11 Thread Frank Bax
I'm trying to follow along with FAQ 10.11 and it just doesn't seem to work 
right for me.


$ grep quota /etc/fstab
/dev/wd0g /var ffs rw,nodev,nosuid,userquota,groupquota 1 2

$ man edquota | grep -A1 one.second
 should be imposed.  Setting a grace period to one second indicates that
 no grace period should be granted.

$ sudo edquota -t -u
Time units may be: days, hours, minutes, or seconds
Grace period before enforcing soft limits for users:
/var: block grace period: 1 second, file grace period: 0 days

$ sudo reboot   /* The FAQ mentions quotaon -a, but it seems a reboot is 
required to create the quota files expected by quotaon  */


$ sudo quota clgw
Disk quotas for user clgw (uid 1002):
 Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
       /var    3552    4096    4096               1       0       0


$ cat 700K.txt | mail clgw

$ sudo quota clgw
Disk quotas for user clgw (uid 1002):
 Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
       /var    4256*   4096    4096   7days       1       0       0


OpenBSD 3.7 (from cdrom).  3.9 has been ordered.

Q1) Is there a way to create quota files without reboot?
Q2) Why is grace still reported as '7 days' instead of '1 second'?
Q3) Why did mail get delivered?



Re: FAQ 10.11 disk quotas

2006-04-11 Thread Otto Moerbeek
On Tue, 11 Apr 2006, Frank Bax wrote:

 I'm trying to follow along with FAQ 10.11 and it just doesn't seem to work
 right for me.
 
 $ grep quota /etc/fstab
 /dev/wd0g /var ffs rw,nodev,nosuid,userquota,groupquota 1 2
 
 $ man edquota | grep -A1 one.second
  should be imposed.  Setting a grace period to one second indicates that
  no grace period should be granted.
 
 $ sudo edquota -t -u
 Time units may be: days, hours, minutes, or seconds
 Grace period before enforcing soft limits for users:
 /var: block grace period: 1 second, file grace period: 0 days
 
 $ sudo reboot   /* The FAQ mentions quotaon -a, but it seems a reboot is
 required to create the quota files expected by quotaon  */
 
 $ sudo quota clgw
 Disk quotas for user clgw (uid 1002):
  Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
        /var    3552    4096    4096               1       0       0
 
 
 $ cat 700K.txt | mail clgw
 
 $ sudo quota clgw
 Disk quotas for user clgw (uid 1002):
  Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
        /var    4256*   4096    4096   7days       1       0       0
 
 
 OpenBSD 3.7 (from cdrom).  3.9 has been ordered.
 
 Q1) Is there a way to create quota files without reboot?

Yes, run quotacheck -a. This should preferably be done before moving
to multi-user, or at least on a fs without activity. 

 Q2) Why is grace still reported as '7 days' instead of '1 second'?

No idea. Maybe this has something to do with the fact that the
actual delivery got done by root, see below.

 Q3) Why did mail get delivered?

mail.local runs as root, and as such quota checking is not enforced.
I have a diff to solve that, which I'm running on a couple of mail
servers.  I posted it to tech@ a year ago or so, but due to lack of
testing it didn't get committed. Tell me if you're interested.

-Otto



Re: OpenBSD todo list?

2006-04-11 Thread Otto Moerbeek
On Mon, 10 Apr 2006, Shawn Nock wrote:

 A quick search of the archive and google didn't turn anything up, so I'll ask
 here.
 
 Is there (if not could there be) a document that describes portions of the
 tree that particularly need attention? I am looking for a way to contribute
 and without a little direction the task seems daunting. The FreeBSD folks
 recently started maintaining such a todo list. It seems to have worked out
 fairly well for them. I realize that those in a position to put together such
 a list are also the ones not likely to have the time, but I believe this could
 prove useful (I assume there are more like me who are new and/or haven't found
 a comfort zone/focus yet).

The PR database is one possible starting point.

-Otto



Re: generic driver inclusion

2006-04-11 Thread Chris Cappuccio
Compile your own amd64 kernel with clcs enabled (copy the clcs and audio
at clcs lines from i386 GENERIC)

Test it, see if it works as well in amd64 mode as it does in i386 mode

If so, file a PR or talk to someone who can enable clcs in amd64 GENERIC

Tim Leslie [EMAIL PROTECTED] wrote:
 I'm interested in getting the clcs audio driver included in the
 generic amd64 kernel, what is necessary to move this process forward?
 
 --
 Tim Leslie
 Dept. Of Geography
 Arizona State University

-- 
The map is not the territory; the word is not the thing defined.



Privilege revocation and privilege separation choice.

2006-04-11 Thread Daniel Ouellet
I am trying to see the best way or choice in design between privilege
revocation and privilege separation.


A very simplistic explication of the application is: I have an
application that I am putting together that provides network service from
a daemon, and that daemon gets data from a SQLite file on the server to
be sent back to the network.


Do I understand this properly that maybe the separation should be used
when part of the software needs to access system resources that are only
accessible to root and the revocation should be used in all other cases?


Or should the separation be used all the time anyway, and then the part
that needs to access files on the system that could be under a low-rights
user like _Apps, and the part that runs the daemon for the network part
runs under nobody or something?


Looking at bgpd and ntpd, they both start and have part of the design as
root and then part under _bgpd or _ntp.


Or maybe the proper design is always to use separation then, but if any
part doesn't need root access, why should it be, or should it anyway in
case of future changes that might need it?


I am trying to come to peace with this.

Any insight as to how to go at this and be proper in the process?

Hope this question makes sense.



Re: Privilege revocation and privilege separation choice.

2006-04-11 Thread Adam
On Tue, 11 Apr 2006 15:50:11 -0400 Daniel Ouellet [EMAIL PROTECTED] wrote:

 I am trying to see the best way or choice in design between privilege 
 revocation and privilege separation.

It's just a question of whether it needs root initially for startup, and
then never needs it again (revoke) or if it needs to keep doing stuff as
root all the time (separate).

Adam



Re: Privilege revocation and privilege separation choice.

2006-04-11 Thread Daniel Ouellet

Adam wrote:
I am trying to see the best way or choice in design between privilege 
revocation and privilege separation.


It's just a question of whether it needs root initially for startup, and
then never needs it again (revoke) or if it needs to keep doing stuff as
root all the time (separate).


Thanks for the answer. So, what would be a very good example in the tree
of a revoke one then. I love looking and studying the ntpd and bgpd code
as it is a very clean and understandable one. Especially ntpd for a small
application where separation is needed. That's the best example by far I
could find! Anything as good as that for revoke available as well that
anyone could suggest for study and example then?




Re: Privilege revocation and privilege separation choice.

2006-04-11 Thread Ted Unangst
On 4/11/06, Daniel Ouellet [EMAIL PROTECTED] wrote:
 Thanks for the answer. So, what would be a very good example in the tree
 of a revoke one then. I love looking and studying the ntpd and bgpd code
 as it is a very clean and understandable one. Especially ntpd for a small
 application where separation is needed. That's the best example by far I
 could find! Anything as good as that for revoke available as well that
 anyone could suggest for study and example then?

ping



Re: Privilege revocation and privilege separation choice.

2006-04-11 Thread Daniel Ouellet

Ted Unangst wrote:

On 4/11/06, Daniel Ouellet [EMAIL PROTECTED] wrote:


Thanks for the answer. So, what would be a very good example in the tree
of a revoke one then. I love looking and studying the ntpd and bgpd code
as it is a very clean and understandable one. Especially ntpd for a small
application where separation is needed. That's the best example by far I
could find! Anything as good as that for revoke available as well that
anyone could suggest for study and example then?



ping


Thank you!

Daniel



Re: gcc miscompiles ntohs16() inline assembly in OpenBSD 3.8

2006-04-11 Thread Otto Moerbeek
On Tue, 11 Apr 2006, chefren wrote:

 On 04/11/06 11:39, Otto Moerbeek wrote:
  On Thu, 6 Apr 2006, chefren wrote:
   On 04/05/06 02:07, Andrew Pinski wrote:
   
Actually I bet ntohs16 is violating C aliasing rules.
   
   Interesting, how do you figure that?
  
  The following diff (backported from gcc PR
  http://gcc.gnu.org/bugzilla/show_bug.cgi?id=10692) seems to fix the
  problem.  I hardly know i386 assembly, so please check if the produced
  code is correct.
 
 Cool! We patched and compiled gcc and inspected the new assembly output, it
 indeed fixes the bug.
 
 The bug is an over-enthusiastic optimization in gcc, which removes a store
 temporary value to stack without full justification.
 
 How did you manage to find that Bugzilla PR based on this problem description?
 It does not seem trivial!

I knew debian gcc 3.3.5 doesn't contain the bug. So I diffed debian's
gcc against our gcc, and went through the changelog. That gave me a
list of candidate diffs; I ordered the list based on a gut feeling.
Then I worked through the diffs to test them. I was lucky, the second
diff I tried was the right one. Only later I saw the diff was
marked m68k.

 
  If I see things correctly, this fix is not in either 3.3.5 or 3.3.6.
  Debian -stable backported it into their 3.3.5 gcc.
 
 Yes.
 
 The Bugzilla PR indicates that someone applies the fix to gcc 3.4 and beyond,
 the Debian GCC maintainers suggest applying it to gcc 3.3, but the story
 ends there.
 
 The fix was never applied to the gcc 3.3 branch.
 
 (See line 6936 in
 http://gcc.gnu.org/viewcvs/branches/gcc-3_3-branch/gcc/reload1.c?view=markup )
 
 
 We notice that the upcoming OpenBSD 3.9 still uses gcc 3.3.5.
 
 Is the gcc 3.3 branch still a supported product for the gcc people, and this a
 fix that slipped through the cracks in their usual maintenance process?

I have no idea if the 3.3 branch is actively maintained by the gcc people.

 Or does OpenBSD 3.9 use a slightly long-in-the-tooth gcc? In that case, how
 is the process of back porting all bug fixes made to gcc 3.4 and onward
 arranged for OpenBSD?

We use 3.3.5, because it suits us. I believe that the 3.4 branch has
some changes that make it difficult to include our local changes like
propolice. Also, 3.4 is even slower and more memory hungry than 3.3.
As for bug fixes, we tend to do that as needed.

  Now the funny thing is that according to the PR, this is a m68k
  specific bug, although the fix is not in target specific code.
 
 Yes, the originator hit it with m68k, we hit it with i686, but we see nothing
 obvious about the bug that makes clear that it can't be hit with i386 for
 example.
 
 Thanks for enlightening us.

I think the bug is misclassified by the gcc people.

I'm currently building on several platforms to see if there are any
regressions. 

-Otto



Re: Strange rxvt/xterm behavior

2006-04-11 Thread Joachim Schipper
On Mon, Apr 10, 2006 at 10:54:50PM -0300, Gustavo Rios wrote:
 Dear friends,
 
 i am running two xterm. When i run from any of them the w command i got 
 this:
 
 $ tty  w
 /dev/ttyp0
 10:47PM  up 8 mins, 2 users, load averages: 0.88, 0.50, 0.23
 USER    TTY FROM              LOGIN@  IDLE WHAT
 grios    p0 :0.0             10:45PM     0 w
 grios    p1 :0.0             10:46PM     0 -sh
 $
 
 $ tty  w
 /dev/ttyp1
 10:48PM  up 8 mins, 2 users, load averages: 0.75, 0.49, 0.23
 USER    TTY FROM              LOGIN@  IDLE WHAT
 grios    p0 :0.0             10:45PM     0 -sh
 grios    p1 :0.0             10:46PM     0 w
 $
 
 
 Now, from xterm terminal running over ttyp1, i start a new terminal,
 by means of rxvt. And the output from the same previous command
 execution is totally different:
 
 $ tty  w
 /dev/ttyp0
 10:50PM  up 10 mins, 2 users, load averages: 0.34, 0.44, 0.25
 USER    TTY FROM              LOGIN@  IDLE WHAT
 grios    p0 :0.0             10:45PM     0 w
 grios    p2 :0.0             10:48PM     0 -sh
 $
 
 $ rxvt 
 [1] 28321
 $ tty  w
 /dev/ttyp1
 10:49PM  up 9 mins, 2 users, load averages: 0.56, 0.49, 0.26
 USER    TTY FROM              LOGIN@  IDLE WHAT
 grios    p0 :0.0             10:45PM     0 -sh
 grios    p2 :0.0             10:48PM     0 -sh
 $
 
 $ tty  w
 /dev/ttyp2
 10:49PM  up 10 mins, 2 users, load averages: 0.44, 0.47, 0.25
 USER    TTY FROM              LOGIN@  IDLE WHAT
 grios    p0 :0.0             10:45PM     0 -sh
 grios    p2 :0.0             10:48PM     0 w
 $
 
 
 What i could not understand is: ttyp1 terminal was associated with a
 xterm terminal. From that terminal, after starting a rxvt process,
 that association was broken. Although i am still running xterm on
 ttyp1, it is not shown on any of the three screen output. What i was
 expecting it was to have an entry for the same login (grios) on
 ttyp1.
 
 Anyhow, it does not make any sense to me.
 
 Thanks a lot for your time and cooperation.
 
 My .Xdefaults has the following relevant parts:
 *VT100.loginShell: true
 *VT100.scrollBar: off
 *VT100*colorULMode: on
 *VT100*underLine: off
 *VT100*colorBDMode: on
 *VT100*colorUL: red
 *VT100*colorBD: magenta
 *VT100*font: -misc-*-*-*-normal--*-*-*-*-c-*-*-*
 *VT100*background: black
 *VT100*cursorBlink: true
 *VT100*foreground: yellow
 *VT100*cursorColor: green
 *VT100*cursorOffTime: 200
 *VT100*cursorOnTime: 200
 *VT100.pointerColor: red
 *VT100.pointerColorBackground: black
 
 XTerm.termName: xterm
 
 Rxvt.loginShell: true
 Rxvt.scrollBar: off
 Rxvt*colorUL: red
 Rxvt*colorBD: magenta
 Rxvt*font: -misc-*-*-*-normal--*-*-*-*-c-*-*-*
 Rxvt*background: black
 Rxvt*foreground: darkgrey
 Rxvt*cursorColor: yellow
 Rxvt.pointerColor: red

Search the rxvt(1) page for 'utmp'. Essentially, unlike xterm, rxvt does
not write to utmp by default. Use +ut/utmpInhibit: false to change this
behaviour, if desired.

Joachim



spamd not logging to /var/log/spamd

2006-04-11 Thread Bryan Irvine
I think I just need a second pair of eyes because I'm obviously
missing something.

I've just installed a new firewall, and i'm trying to get spamd to log
to /var/log/spamd.

It *does* log to /var/log/daemon though, and the greylisting daemon is
working fine.


fire:/var/log#ls -al spamd
-rw-r-  1 root  wheel  0 Apr  5 16:05 spamd



---/var/log/daemon---
Apr 11 15:33:29 fire spamd[8627]: 218.38.56.27: connected (7/6), lists: korea
Apr 11 15:33:34 fire spamd[8627]: 80.72.152.151: connected (8/6)



---My modifications to syslog.conf---
!spamd
daemon.err;daemon.warn;daemon.info  /var/log/spamd



---My modifications to newsyslog.conf---
/var/log/spamd  640  30100  * Z



[solved] spamd not logging to /var/log/spamd

2006-04-11 Thread Bryan Irvine
the problem was here:

 ---My modifications to syslog.conf---
 !spamd
 daemon.err;daemon.warn;daemon.info  /var/log/spamd

When I started syslog with syslogd -d I saw this error:
syslogd: unknown priority name info  /var/log/spamd

I double checked and between daemon.info and /var/log/spamd I had spaces.

I changed the spaces to tab chars, restarted syslog, and now all is well.

--Bryan



Re: spamd not logging to /var/log/spamd

2006-04-11 Thread Rogier Krieger
On 4/12/06, Bryan Irvine [EMAIL PROTECTED] wrote:
 I've just installed a new firewall, and I'm trying to get spamd to log
 to /var/log/spamd.

Have you SIGHUP'ed the syslogd process? It should re-read its
configuration file at that point, using your new configuration.


 !spamd
 daemon.err;daemon.warn;daemon.info  /var/log/spamd

Also, if you want spamd to only log to /var/log/spamd, try !!spamd in
/etc/syslog.conf. See syslog.conf(5) for more information.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



Re: spamd not logging to /var/log/spamd

2006-04-11 Thread Frank Bax

At 06:42 PM 4/11/06, Bryan Irvine wrote:


I think I just need a second pair of eyes because I'm obviously
missing something.

I've just installed a new firewall, and I'm trying to get spamd to log
to /var/log/spamd.



Did you 'touch' the file? You need to create the file yourself.



Re: spamd not logging to /var/log/spamd

2006-04-11 Thread jared r r spiegel
On Tue, Apr 11, 2006 at 03:42:09PM -0700, Bryan Irvine wrote:
 
 ---My modifications to syslog.conf---
 !spamd
 daemon.err;daemon.warn;daemon.info  /var/log/spamd
 
 
  when you:

$ sed -ne '/spamd/l' /etc/syslog.conf

  do you have

!spamd\n$
daemon.err;daemon.warn;daemon.info  /var/log/spamd\n$

  or

!spamd\n$
daemon.err;daemon.warn;daemon.info\t\t\t/var/log/spamd\n$

  last sentence in first paragraph of manpage went under my
  radar for years and continually bit me in the ass

-- 

  jared

[ openbsd 3.9-current GENERIC ( mar 15 ) // i386 ]
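
Added example, not part of any post in this thread: a shell check for the problem solved above, where spaces instead of tabs between the selector and the action in syslog.conf led to the "unknown priority name" error. The function names, the constructed sample file and the tabs-only rule are assumptions of this example; it reports any selector line whose separator is not made of tabs alone.

```shell
#!/bin/sh
# Added example (not from the thread): report syslog.conf selector lines whose
# selector and action are not separated by tabs only.

# check_syslog_tabs FILE -> prints "LINENO: text" for each suspect line.
check_syslog_tabs() {
    awk '
        /^[ \t]*#/ { next }          # skip comments
        /^[ \t]*$/ { next }          # skip blank lines
        /^!/       { next }          # skip program blocks such as !spamd
        {
            if (match($0, /^[^ \t]+/) == 0) next   # no selector at column 1
            rest = substr($0, RLENGTH + 1)
            if (rest == "") next                   # selector with no action
            match(rest, /^[ \t]+/)                 # whitespace before action
            sep = substr(rest, 1, RLENGTH)
            if (sep !~ /^\t+$/) printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# write_sample FILE: constructed sample; line 2 uses spaces, line 4 uses tabs.
write_sample() {
    printf '!spamd\n' > "$1"
    printf 'daemon.err;daemon.warn;daemon.info  /var/log/spamd\n' >> "$1"
    printf '!spamd\n' >> "$1"
    printf 'daemon.err;daemon.warn;daemon.info\t\t\t/var/log/spamd\n' >> "$1"
}

sample=$(mktemp) && write_sample "$sample"
check_syslog_tabs "$sample"    # reports line 2 only
rm -f "$sample"
```

Run it against a copy of /etc/syslog.conf before restarting syslogd; no output means every selector line is tab-separated.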



Re: Strange rxvt/xterm behavior

2006-04-11 Thread Gustavo Rios
Excuse, but this is already accomplished by my .Xdefaults file.

On 4/11/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Mon, Apr 10, 2006 at 10:54:50PM -0300, Gustavo Rios wrote:
  Dear friends,
 
  I am running two xterms. When I run the w command from any of them I get
  this:
 
  $ tty  w
  /dev/ttyp0
  10:47PM  up 8 mins, 2 users, load averages: 0.88, 0.50, 0.23
  USERTTY FROM  LOGIN@  IDLE WHAT
  griosp0 :0.0 10:45PM 0 w
  griosp1 :0.0 10:46PM 0 -sh
  $
 
  $ tty  w
  /dev/ttyp1
  10:48PM  up 8 mins, 2 users, load averages: 0.75, 0.49, 0.23
  USERTTY FROM  LOGIN@  IDLE WHAT
  griosp0 :0.0 10:45PM 0 -sh
  griosp1 :0.0 10:46PM 0 w
  $
 
 
  Now, from xterm terminal running over ttyp1, i start a new terminal,
  by means of rxvt. And the output from the same previous command
  execution is totally different:
 
  $ tty  w
  /dev/ttyp0
  10:50PM  up 10 mins, 2 users, load averages: 0.34, 0.44, 0.25
  USERTTY FROM  LOGIN@  IDLE WHAT
  griosp0 :0.0 10:45PM 0 w
  griosp2 :0.0 10:48PM 0 -sh
  $
 
  $ rxvt 
  [1] 28321
  $ tty  w
  /dev/ttyp1
  10:49PM  up 9 mins, 2 users, load averages: 0.56, 0.49, 0.26
  USERTTY FROM  LOGIN@  IDLE WHAT
  griosp0 :0.0 10:45PM 0 -sh
  griosp2 :0.0 10:48PM 0 -sh
  $
 
  $ tty  w
  /dev/ttyp2
  10:49PM  up 10 mins, 2 users, load averages: 0.44, 0.47, 0.25
  USERTTY FROM  LOGIN@  IDLE WHAT
  griosp0 :0.0 10:45PM 0 -sh
  griosp2 :0.0 10:48PM 0 w
  $
 
 
  What I could not understand is: the ttyp1 terminal was associated with an
  xterm terminal. From that terminal, after starting an rxvt process,
  that association was broken. Although I am still running xterm on
  ttyp1, it is not shown in any of the three screen outputs. What I was
  expecting was to have an entry for the same login (grios) on
  ttyp1.
 
  Anyhow, it does not make any sense to me.
 
  Thanks a lot for your time and cooperation.
 
  My .Xdefaults has the following relevant parts:
  *VT100.loginShell: true
  *VT100.scrollBar: off
  *VT100*colorULMode: on
  *VT100*underLine: off
  *VT100*colorBDMode: on
  *VT100*colorUL: red
  *VT100*colorBD: magenta
  *VT100*font: -misc-*-*-*-normal--*-*-*-*-c-*-*-*
  *VT100*background: black
  *VT100*cursorBlink: true
  *VT100*foreground: yellow
  *VT100*cursorColor: green
  *VT100*cursorOffTime: 200
  *VT100*cursorOnTime: 200
  *VT100.pointerColor: red
  *VT100.pointerColorBackground: black
 
  XTerm.termName: xterm
 
  Rxvt.loginShell: true
  Rxvt.scrollBar: off
  Rxvt*colorUL: red
  Rxvt*colorBD: magenta
  Rxvt*font: -misc-*-*-*-normal--*-*-*-*-c-*-*-*
  Rxvt*background: black
  Rxvt*foreground: darkgrey
  Rxvt*cursorColor: yellow
  Rxvt.pointerColor: red

 Search the rxvt(1) page for 'utmp'. Essentially, unlike xterm, rxvt does
 not write to utmp by default. Use +ut/utmpInhibit: false to change this
 behaviour, if desired.

Joachim



Installing X after OpenBSD 3.8 installation

2006-04-11 Thread Andrew Ng
Hi,

I understand that there are options to select xbase, game, etc. during
OpenBSD installation. Can I install these options, (particularly X)
post-install same as the standard install, and not for Ports or other
methods? I would not want to re-install the system unless necessary.
Appreciate any help. Thanks.

Regards
Andrew Ng
-- 
  Andrew Ng
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Same, same, but different



Re: Installing X after OpenBSD 3.8 installation

2006-04-11 Thread Robby Workman

Andrew Ng wrote:

Hi,

I understand that there are options to select xbase, game, etc. during
OpenBSD installation. Can I install these options, (particularly X)
post-install same as the standard install, and not for Ports or other
methods? I would not want to re-install the system unless necessary.
Appreciate any help. Thanks.




localmirror/faq/faq4.html#AddFileSet

--

http://rlworkman.net



Re: Installing X after OpenBSD 3.8 installation

2006-04-11 Thread Nick Guenther
On 4/12/06, Andrew Ng [EMAIL PROTECTED] wrote:
 Hi,

 I understand that there are options to select xbase, game, etc. during
 OpenBSD installation. Can I install these options, (particularly X)
 post-install same as the standard install, and not for Ports or other
 methods? I would not want to re-install the system unless necessary.
 Appreciate any help. Thanks.

Since X is just contained in a .tgz file, just mount the CD (or
whatever other install media you used) and do something like:
$su
#cd /
#tar -zxvf /path/to/install/sets/x*
#exit
$startx



heads up about filesystem troubles

2006-04-11 Thread Ted Unangst
As part of the work to integrate FFS2 support, there have been several
changes to the filesystem code.  Unfortunately, there are cases where
it may cause data corruption.

The problematic change was altering the format of the on disk
superblock.  FFS2 uses a slightly different superblock than FFS1 used.
 As of two weeks ago, the kernel would automatically upgrade the
superblock to the new format, setting a flag that it had done so. 
Several fields in the block became redundant.

The userland utilities were not updated to work with this new format,
but instead would remove the flag, meaning the kernel would again read
the old fields and upgrade.  The problem is that fsck was not taught
to remove the flag until several days after the kernel was taught to
upgrade.  Meaning booting a new kernel but running old fsck could
result in superblock corruption because they were operating on
different structures.

The window of danger was booting a kernel from any time _after_ 2
weeks ago and running a fsck from any time _before_ 4 days ago.  If
you have booted a new kernel, do not use the old fsck.

I have backed out the new superblock changes.  The next snapshot will
not upgrade the superblock and will simply use the old format.  You
are encouraged to move away from any snapshot installed in the last 2
weeks.



Re: Installing X after OpenBSD 3.8 installation

2006-04-11 Thread Andrew Smith
tar -zxpf 

permissions are important 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Nick Guenther
Sent: 12 April 2006 04:21
To: OpenBSD-Misc
Subject: Re: Installing X after OpenBSD 3.8 installation

On 4/12/06, Andrew Ng [EMAIL PROTECTED] wrote:
 Hi,

 I understand that there are options to select xbase, game, etc. during
 OpenBSD installation. Can I install these options, (particularly X)
 post-install same as the standard install, and not for Ports or other
 methods? I would not want to re-install the system unless necessary.
 Appreciate any help. Thanks.

Since X is just contained in a .tgz file, just mount the CD (or
whatever other install media you used) and do something like:
$su
#cd /
#tar -zxvf /path/to/install/sets/x*
#exit
$startx



Re: OpenBSD todo list?

2006-04-11 Thread Ted Unangst
On 4/10/06, Shawn Nock [EMAIL PROTECTED] wrote:
 A quick search of the archive and google didn't turn anything up, so
 I'll ask here.

rewrite units.  it can convert euros to dollars at an awesome rate of
94 cents per euro, but can't convert temperature.

 Is there (if not could there be) a document that describes portions of
 the tree that particularly need attention? I am looking for a way to
 contribute and without a little direction the task seems daunting. The
 FreeBSD folks recently started maintaining such a todo list. It seems to
 have worked out fairly well for them. I realize that those in a position
 to put together such a list are also the ones not likely to have the
 time, but I believe this could prove useful (I assume there are more
 like me who are new and/or haven't found a comfort zone/focus yet).

 Cheers,
 Shawn


 --
 Shawn Nock (OpenPGP: 0xEF9B08E7)
 Broadcast Engineer; KUAT Communications Group
 University of Arizona
 nock 'at ' arizona 'dot' edu



Re: Installing X after OpenBSD 3.8 installation

2006-04-11 Thread C. Bensend
 Since X is just contained in a .tgz file, just mount the CD (or
 whatever other install media you used) and do something like:
 $su
 #cd /
 #tar -zxvf /path/to/install/sets/x*
 #exit
 $startx

Don't forget the 'p' flag in there, when dealing with install
sets:

tar zxvpf /path/to/install/sets/x*

Benny


-- 
God help us all if cats had thumbs. -- Me, 2006