Symbolic link insecure?
Hi list, i am getting a daily insecurity report from my system system saying: ## Checking special files and directories. Output format is: filename: criteria (shouldbe, reallyis) etc/pf.conf: type (file, link) permissions (0600, 0755) ## I am actually using a symbolic link for /etc/pf.conf: ls -l /etc/pf.conf* lrwxr-xr-x 1 root wheel 11 Nov 30 17:04 /etc/pf.conf - pf.conf.001 -rw--- 1 root wheel 10529 Nov 14 10:18 /etc/pf.conf.000 -rw--- 1 root wheel 10582 Nov 30 18:12 /etc/pf.conf.001 I do this in order to save different versions of the file. My question: Is a symbolic link really insecure? Or is this just a deficiency of /etc/security? I could use hard links instead of soft links as a workaround, but then one cannot as easily see where the link points to. Sorry if this might sound like nitpicking, but i do not want to get used to ignoring security warnings. Thanks for any help, Heinrich Rebehn University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications - Phone : +49/421/218-4664 Fax :-3341
Re: ppp.conf for ueagle and pppoa
On Wed, 29 Nov 2006 11:46:00 +0100, Przemyslaw Nowaczyk [EMAIL PROTECTED] said: On Wed, Nov 29, 2006 at 08:27:14AM +0100, Damien Bergamini wrote: You must recompile user ppp with ATM enabled: cd /usr/src/usr.sbin/ppp/ppp/ vi Makefile remove line NOATM= /usr/include/netnatm required then run make make install then ppp -dedicated adsl this is explained here: http://damien.bergamini.free.fr/ueagle/ppp.html (just skip the synchronizing the modem section which is outdated). hi, i'm also having some difficulties in making my sagem fast 800 e2t work, i'm running a generic kernel with ueagle and noatm enabled (dmesg below), recompiled ppp (as you mentioned above, since i'm using pppoa) and after booting the machine the modem doesn't synchronize.. running ppp -dedicated adsl in that state (ppp.conf from your page, with vpi and vci set to 0 35) shows: Warning: PPPoA:ueagle0:0.35: connect: Device not configured Warning: deflink: Device (PPPoA:ueagle0:0.35) must begin with a '/', a '!' or contain at least one ':' I have now followed the FAQ 5.3.* sections and also Damien's guidelines in the ppp.html as above. And it STILL comes back with: Warning: deflink: Device (PPPoA:ueagle0:0.35) must begin with a '/', a '!' or contain at least one ':' That message is contained in physical.c in the ppp-directory btw. After having to add new file systems for /usr/src and /usr/obj, editing and building a new GENERIC, re-compiling ppp etc etc - all first-time experiences, I think I a will call it a day with this driver. While everything else in OpenBSD just works this driver seems to be the opposite. And I am apparently not the only one having this problem. Rgds -- http://www.fastmail.fm - Does exactly what it says on the tin
Re: Symbolic link insecure?
etc/pf.conf: type (file, link) permissions (0600, 0755) Change the permissons for the symbolic link from 0755 to 0600 (same permissions like on your other pf.conf.xxx files). My question: Is a symbolic link really insecure? Only with wrong permissions. Tas.
Re: Symbolic link insecure?
Heinrich Rebehn wrote: Hi list, i am getting a daily insecurity report from my system system saying: ## Checking special files and directories. Output format is: filename: criteria (shouldbe, reallyis) etc/pf.conf: type (file, link) permissions (0600, 0755) ## I do this in order to save different versions of the file. My question: Is a symbolic link really insecure? Or is this just a deficiency of /etc/security? I could use hard links instead of soft links as a workaround, but then one cannot as easily see where the link points to. Sorry if this might sound like nitpicking, but i do not want to get used to ignoring security warnings. A good habit, I'd say. Have a look at mtree(8), /etc/security and /etc/mtree/special. In the latter, you should be able to set type=link for pf.conf. I cannot tell if it has any obvious downsides, as long as you know what you're doing and (maybe) not pointing it to /tmp/feedme or so. /Alexander
Re: Symbolic link insecure?
etc/pf.conf: type (file, link) permissions (0600, 0755) Change the permissons for the symbolic link from 0755 to 0600 (same permissions like on your other pf.conf.xxx files). My question: Is a symbolic link really insecure? Only with wrong permissions. Sorry, I was too fast, I just saw that symbolic links don't have modes. I don't now then, sorry! Tas.
Re: pf load balancer and server health
On 30/11/06, Miguel [EMAIL PROTECTED] wrote: Hi, how can i check the servers' health and delete a server from the pool when it loses connection with the load balancer, is such thing posible? thanks Something crude I've been working on: http://www.screamingelectron.org/forum/showthread.php?t=2765 I've got this running on a couple of carp'd load balancers. Works great for me. Cheers z0mbix
File ownership of setuid processes
Hi everyone!, I'm trying to migrate a sympa installation (sympa is a perl written mailing list manager) from a Linux system into an OpenBSD one, and I'm getting into a strange problem. The way a message reaches the sympa is trough a C written, setuid binary called queue which is setuid to sympa's user. The MTA pipes the message into this binary, which its only mission is to create a file into a spool direcotry, where the main sympa process can read it. The problem here is that queue in OpenBSD isn't creating files with sympa ownership, so the main process can't read them(they are owned by daemon). I have done a small test program to be run in both systems, and thats what I get: #include sys/types.h #include sys/stat.h #include fcntl.h int main (void) { int fd; char msg1[] = Cannot open file\n; umask(027); if (!(fd = open(/tmp/testfile, O_CREAT| O_WRONLY , 0600))) { write(2,msg1, sizeof(msg1)); } close(fd); } OpenBSD System # make test cc -O2 -pipe-o test test.c # chown _sympa._sympa test # chmod u+s test # ./test # ls -l total 32 -rw--- 1 _sympa wheel 2984 Nov 30 16:02 ayud drwx-- 2 _clamav wheel512 Dec 1 09:30 clamav-1cd2ff8e8aea8f7f -rwsr-xr-x 1 _sympa _sympa 6641 Dec 1 09:31 test -rw-r--r-- 1 root wheel255 Dec 1 09:29 test.c -rw--- 1 root wheel 0 Dec 1 09:30 testfile [EMAIL PROTECTED] tmp]# make test cc test.c -o test [EMAIL PROTECTED] tmp]# chown sympa.sympa test [EMAIL PROTECTED] tmp]# chmod u+s test [EMAIL PROTECTED] tmp]# ./test [EMAIL PROTECTED] tmp]# ls -l total 16 -rwsr-xr-x1 sympasympa 14092 dic 1 09:33 test -rw-r--r--1 root root 312 dic 1 09:27 test.c -rw---1 symparoot0 dic 1 09:34 testfile It's ok this different behaviour? or may be there is something that I'm doing wrong? Thanks in advance.
Re: Quagga and OpenBGP
On 30/11/06, Demuel I. Bendano, R.E.E [EMAIL PROTECTED] wrote: All, I cannot still see the logic as to why Quagga is part of the OpenBSD ports tree when it has OpenBGP at all in the default install? The documentation of OpenBGP tells us that it is far superior in design as compared to Zebra/Quagga. Side comments? Why is emacs in the ports tree when we have vi ? -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, I couldn't help it, it's my nature =-
Re: File ownership of setuid processes
On Fri, 1 Dec 2006, Samuel Moqux wrote: Hi everyone!, I'm trying to migrate a sympa installation (sympa is a perl written mailing list manager) from a Linux system into an OpenBSD one, and I'm getting into a strange problem. The way a message reaches the sympa is trough a C written, setuid binary called queue which is setuid to sympa's user. The MTA pipes the message into this binary, which its only mission is to create a file into a spool direcotry, where the main sympa process can read it. The problem here is that queue in OpenBSD isn't creating files with sympa ownership, so the main process can't read them(they are owned by daemon). My bet would be that you are executing the program from a file system that is mounted nosuid. -Otto I have done a small test program to be run in both systems, and thats what I get: #include sys/types.h #include sys/stat.h #include fcntl.h int main (void) { int fd; char msg1[] = Cannot open file\n; umask(027); if (!(fd = open(/tmp/testfile, O_CREAT| O_WRONLY , 0600))) { write(2,msg1, sizeof(msg1)); } close(fd); } OpenBSD System # make test cc -O2 -pipe-o test test.c # chown _sympa._sympa test # chmod u+s test # ./test # ls -l total 32 -rw--- 1 _sympa wheel 2984 Nov 30 16:02 ayud drwx-- 2 _clamav wheel512 Dec 1 09:30 clamav-1cd2ff8e8aea8f7f -rwsr-xr-x 1 _sympa _sympa 6641 Dec 1 09:31 test -rw-r--r-- 1 root wheel255 Dec 1 09:29 test.c -rw--- 1 root wheel 0 Dec 1 09:30 testfile [EMAIL PROTECTED] tmp]# make test cc test.c -o test [EMAIL PROTECTED] tmp]# chown sympa.sympa test [EMAIL PROTECTED] tmp]# chmod u+s test [EMAIL PROTECTED] tmp]# ./test [EMAIL PROTECTED] tmp]# ls -l total 16 -rwsr-xr-x1 sympasympa 14092 dic 1 09:33 test -rw-r--r--1 root root 312 dic 1 09:27 test.c -rw---1 symparoot0 dic 1 09:34 testfile It's ok this different behaviour? or may be there is something that I'm doing wrong? Thanks in advance.
Re: Symbolic link insecure?
On Fri, 1 Dec 2006, Alexander Hall wrote: Heinrich Rebehn wrote: Hi list, i am getting a daily insecurity report from my system system saying: ## Checking special files and directories. Output format is: filename: criteria (shouldbe, reallyis) etc/pf.conf: type (file, link) permissions (0600, 0755) ## I do this in order to save different versions of the file. My question: Is a symbolic link really insecure? Or is this just a deficiency of /etc/security? No, it is not a deficiency in /etc/security. Symbolic links have their problems, depending on where they are pointing to. Also, /etc/security is designed to warn for non-standard things. If you are deviating from that, you are on your own. As for general background info, you might want to google for symbolic link race. -Otto
Re: Symbolic link insecure?
Alexander Hall wrote: Tasmanian Devil wrote: Sorry, I was too fast, I just saw that symbolic links don't have modes. I don't now then, sorry! I'd say they do have modes, but they are not very useful: $ umask 777; ln -s a b $ umask 000; ln -s a c $ ls -lF total 0 l- 1 alexander staff 1 Dec 1 11:47 b@ - a lrwxrwxrwx 1 alexander staff 1 Dec 1 11:47 c@ - a $ echo test a $ cat b test $ cat c test Ok... can someone please make this clear to me? Looking into the man pages, it is stated over and over again that symbolic links do not have modes. Do they _really_ not have them (see example above), or are they just never used? /Alexander
funny log message: beck's greytrapper trapped bobeck :)
Nov 30 09:32:49 mercury greytrapper[96425]: Trapped 195.182.143.86: Mailed from sender bobeck.net with no MX or A see bobeck banned by awesome tool from beck@ ;)
Note to russian users: wdputte@ in Moscow
If you're living in Moscow, Russian Federation, and want to have beer with Wim Vandeputte, and to get magic OpenBSD stuff from him, see http://www.toxahost.ru/wim.html ;)
Re: bioctl compatible LSIs?
L. V. Lammert wrote: Is there a list somewhere of exactly which LSI controllers are bioctl compatible? We're getting ready to build some new servers, and the You can have a look at the man pages (ami, mfi), which list all controllers supported by bioctl. In case you're fond of SATA controllers, read this: http://marc.theaimsgroup.com/?l=openbsd-miscm=116103468316956w=2 Not a big deal though, unless you can't afford to reboot on disk failure. It's on Marco's 'radar' anyway ;) -- Stephan A. Rickauer --- Institut f|r Neuroinformatik Tel: +41 44 635 30 50 Universitdt / ETH Z|rich Sek: +41 44 635 30 52 Winterthurerstrasse 190 Fax: +41 44 635 30 53 CH-8057 Z|richWeb: www.ini.ethz.ch RSA public key: https://www.ini.ethz.ch/~stephan/pubkey.asc --- [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
CF boot and Ramdisk
Hi, we're going to build a simple Wlan between a friends apartment and my house. We decided to run obsd 4.0 as we want to use ipsec for encryption. One of these systems will have to boot from a CF Card (or any other really silent media if you have suggestions). Since flash media only has limited write cycles and we will need to modify some files from time to time (Port forwards in pf.conf, some files in /var and so on..., logging isn't that important) we want to use a ramdisk (or tmpfs, don't know the exact name) and then sync the data to disk every hour or so. Is there a Howto for booting openbsd from a CF-Card (using an IDE adapter) and then mounting a ramdisk over /var? (I think we could just symlink files in /etc which we will need to modify to the ramdisk). -- Greetings Chris
Re: prepping for big spamd(8) rollout
On Fri, Dec 01, 2006 at 07:43:05AM +0100, Srebrenko Sehic wrote: AFAIK, amd64 does not support 4GB, unless that patch from tech@ somehow sneaked into the tree without me noticing. this one? http://marc.theaimsgroup.com/?l=openbsd-techm=114498992417267w=2 it's not in -current. i'll make a kernel with it and see if the memory reported changes, and then soon as i get things on the 2850 w/12GB same there too. -- jared
Re: CF boot and Ramdisk
On Fri, 1 Dec 2006, Chris C. wrote: Hi, we're going to build a simple Wlan between a friends apartment and my house. We decided to run obsd 4.0 as we want to use ipsec for encryption. One of these systems will have to boot from a CF Card (or any other really silent media if you have suggestions). Since flash media only has limited write cycles and we will need to modify some files from time to time (Port forwards in pf.conf, some files in /var and so on..., logging isn't that important) we want to use a ramdisk (or tmpfs, don't know the exact name) and then sync the data to disk every hour or so. Is there a Howto for booting openbsd from a CF-Card (using an IDE adapter) and then mounting a ramdisk over /var? (I think we could just symlink files in /etc which we will need to modify to the ramdisk). -- Greetings Chris Chris Take a look at flashboot, http://www.mindrot.org/projects/flashboot/ . This is what we use on dual soekris firewalls at a friend's business. diana
Re: CF boot and Ramdisk
On Fri, Dec 01, 2006 at 02:16:11PM +0100, Chris C. wrote: Hi, we're going to build a simple Wlan between a friends apartment and my house. We decided to run obsd 4.0 as we want to use ipsec for encryption. One of these systems will have to boot from a CF Card (or any other really silent media if you have suggestions). Since flash media only has limited write cycles and we will need to modify some files from time to time (Port forwards in pf.conf, some files in /var and so on..., logging isn't that important) we want to use a ramdisk (or tmpfs, don't know the exact name) and then sync the data to disk every hour or so. Is there a Howto for booting openbsd from a CF-Card (using an IDE adapter) and then mounting a ramdisk over /var? (I think we could just symlink files in /etc which we will need to modify to the ramdisk). Perhaps there is one, but: RTF[ine]M mfs(8) # Have a look at -P A mfs line for fstab /tmp: swap /tmp mfs rw,-s=2048000,noexec,noatime,nosuid,nodev 0 0 # ^-- Might be somewhat to big for a router/fw ;) Booting from an IDE adapter means booting an IDE-Disk. Should just work(tm). -- Greetings Chris Regrads, ahb
Re: PHP5 install error
On 11/30/06, Brendan Grossman [EMAIL PROTECTED] wrote: Hmm, in the Makefile it has this: # the hardened flavor is used by both core and extensions FLAVORS+= hardened FLAVOR?= It starts to compile hardened after completing core. I loaded the core module then in Apache and it doesn't give any errors, however php code isn't executed (just a blank screen). I also tried just adding the core package from ftp and same problem. I don't know why I'm having problems... Have followed the instructions that I used that worked perfectly on 3.8 and 3.9. I noticed this when one of my build scripts started failing in 4.0. Now I just do make install in www/php5/core and www/php5/extensions rather than in www/php5 and problem solved. A related question is say that you have decided you want to use the hardened version of php5 for a dependent package like phpMyAdmin. Is there a way short of makefile hacking to get the hardened version to satisfy the RUN_DEPENDS clause? -N
Re: MYSQL-5.0.24a on amd64 - How is it supposed to work for Apache in chroot ?
Hello Uwe, On Fri, 01.12.2006 at 01:11:19 +0800, Uwe Dippel [EMAIL PROTECTED] wrote: unix domain sockets and went for IP sockets instead. Do you have a full description sharing the HowTo ? no. When you start MySQL, check that it listens on eg. localhost, port 3306, then configure your apps to talk to that TCP port instead of the Unix domain socket. That should be all. Best, --Toni++
Re: CF boot and Ramdisk
Hi, http://undeadly.org/cgi?action=articlesid=20061115152127 http://www.kaschwig.net/projects/openbsd/wrap/ http://blog.innerewut.de/articles/2005/05/14/openbsd-3-7-on-wrap http://www.pingwales.co.uk/2006/05/22/OpenBSD-on-Flash.html Some of this info is pretty old so you have to check if it still work. I installed my Soekris using tftp and used the /mfs technique described in the WRAP links with some modifications for personal needs. Michael
Re: VPN configuration for roadwarrior
Hello Claude, On Wed, 29.11.2006 at 03:03:12 -0800, Claude Brassel [EMAIL PROTECTED] wrote: client configuration (safenet on windows) I have just added the LAN I don't know the Safenet client. 192.168.50 as ip subnet in the Remote party and Adressing section. This work's fine because the hosts I join are only in this (192.168.50) LAN. I don't understand 'join'. You mean, your windows stuff joins a Windows-style domain when the VPN is active? other gateway's in this LAN, and assigning the clients an IP in this LAN will permit some ip based rules on other gateway's (that's for future use) But it will probably require you to do some proxy-arp like stuff on your VPN gateway. Opt for real routing instead and adjust the filters on that other machines, if needed. I think this will make life much simpler for you. But this doesn't explain me how i can connect more then one client from the same IP I don't understand what you mean by same IP. FWIW, I have no trouble connecting several mobile clients simultanously to one OpenBSD VPN gateway using X.509 certificates. I do advertise a default route to them, however, so they will only transfer data to that (protected) network, not try to bypass the VPN for Internet access. Best, --Toni++
Re: Mac Mini (intel) status
- Original message - You can pick up cheap VLAN-capable switches on eBay. I have a Dell ... Bleh - the last time I messed with them (2-3 years ago), they were crap. On 12/1/06, Jason Dixon [EMAIL PROTECTED] wrote: On Dec 1, 2006, at 1:16 AM, Antoine Jacoutot wrote: On Thu, 30 Nov 2006, Jason Dixon wrote: Yes, too bad it only includes 1 ethernet adapter. That's what VLANs are for. Just make sure your switch doesn't allow hopping. :) Ah yes ;-) Although, playing with the mini as a server looks more like something I would do at home where I don't have VLAN capable switches. I don't (yet?) feel like using a mini at work (well except for workstation stuffs)... but sure, VLANs are ok. You can pick up cheap VLAN-capable switches on eBay. I have a Dell 3024 at home which works fine and runs $100-150 used. I'd never use these in an enterprise environment, but they're fine for home testing. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: best hardware plattform for openbsd
Hi Claudio, On Fri, 13.10.2006 at 16:00:55 +0200, Claudio Jeker [EMAIL PROTECTED] wrote: Btw. 500kpps traffic as seen on the net is more than 3Gbps. I calculated this number as roughly the upper limit for a 100 MBit/s link. I wanted to make sure that the box doesn't melt down in case someone tries a DDoS against it. In such a case, I'd rather have only decreasing performance than falling off the net eg. because routes don't get out anymore. Best, --Toni++
OpenBSD Zaurus C3200 recommended N. American distributor
Hey, How are these companies for Zaurus hw support? Or is there a better recommended company for importing a Zaurus for OpenBSD? http://www.kurnspatrick.com/sharp.html http://www.sdgsystems.com/ Me thinks this would be just great for hotspot surfing, truly mobile admining etc... Which wifi cards do people recommend? How about bluetooth cards? Best REgards, [EMAIL PROTECTED]
Re: Mac Mini (intel) status
On Thursday 30 November 2006 15:34, Tasmanian Devil wrote: Boot Camp: No, it's not required, it works fine with a usual OpenBSD-only configured internal harddisk, at least with Boot-ROM-Version MM11.0055.B05 and Boot-ROM-Version MM11.0055.B08. Of course you can only upgrade if you install a minimal OS X... :-/ I don't have a mini (or any reasonably current Apple hardware) but the issue you mentioned reminded me of this post by Brian Keefer: http://marc.theaimsgroup.com/?l=openbsd-sparcm=116483175532387w=2 It may be possible to do something similar with the mini? Kind Regards, JCR
Re: OpenBSD Zaurus C3200 recommended N. American distributor
Pricejapan was really good, and much cheaper than many of the other vendors. -Jaime Fournier On Fri, 1 Dec 2006, dreamwvr wrote: Date: Fri, 1 Dec 2006 09:19:36 -0700 From: dreamwvr [EMAIL PROTECTED] To: misc@openbsd.org Subject: OpenBSD Zaurus C3200 recommended N. American distributor Hey, How are these companies for Zaurus hw support? Or is there a better recommended company for importing a Zaurus for OpenBSD? http://www.kurnspatrick.com/sharp.html http://www.sdgsystems.com/ Me thinks this would be just great for hotspot surfing, truly mobile admining etc... Which wifi cards do people recommend? How about bluetooth cards? Best REgards, [EMAIL PROTECTED]
Building sendmail with sasl fails at 4.0 -stable (20061201).
I want sendmail with sask but when I try to build it it fails. --- # cat /etc/mk.conf WANT_SMTPAUTH=yes --- # cd /usr/src/gnu/usr.sbin/sendmail # make make install make clean ...[lots of output]... cc -L/usr/local/lib -L/usr/src/gnu/usr.sbin/sendmail/sendmail/../libsmutil/obj -L/usr/src/gnu/usr.sbin/sendmail/sendmail/../libsm/obj -o sendmail main.o alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o map.o mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o recipient.o sasl.o savemail.o sfsasl.o shmticklib.o sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o usersmtp.o util.o version.o -lssl -lcrypto -lsasl2 -lsmutil -lsm -lwrap /usr/local/lib/libsasl2.so.2.21: warning: strcpy() is almost always misused, please use strlcpy() /usr/local/lib/libsasl2.so.2.21: warning: sprintf() is often misused, please use snprintf() /usr/local/lib/libsasl2.so.2.21: warning: strcat() is almost always misused, please use strlcat() main.o(.text+0x2288): In function `main': : undefined reference to `sm_sasl_init' srvrsmtp.o(.text+0x6112): In function `smtp': : undefined reference to `iptostring' srvrsmtp.o(.text+0x6167): In function `smtp': : undefined reference to `iptostring' srvrsmtp.o(.text+0x7e76): In function `saslmechs': : undefined reference to `intersect' usersmtp.o(.text+0x19fa): In function `attemptauth': : undefined reference to `iptostring' usersmtp.o(.text+0x1a76): In function `attemptauth': : undefined reference to `iptostring' usersmtp.o(.text+0x1be9): In function `smtpauth': : undefined reference to `intersect' collect2: ld returned 1 exit status *** Error code 1 Stop in /usr/src/gnu/usr.sbin/sendmail/sendmail (line 95 of /usr/share/mk/bsd.prog.mk). *** Error code 1 Stop in /usr/src/gnu/usr.sbin/sendmail. --- Full output is at http://www.liem.se/downloads/output.txt dmesg at http://www.liem.se/downloads/dmesg.txt What do I do wrong? -- Sebastian A. Liem www.liem.se
Re: Building sendmail with sasl fails at 4.0 -stable (20061201).
On Fri, Dec 01, 2006 at 06:30:32PM +0100, Sebastian Arvidsson Liem wrote: I want sendmail with sask but when I try to build it it fails. --- # cat /etc/mk.conf WANT_SMTPAUTH=yes --- # cd /usr/src/gnu/usr.sbin/sendmail # make make install make clean ...[lots of output]... cc -L/usr/local/lib -L/usr/src/gnu/usr.sbin/sendmail/sendmail/../libsmutil/obj -L/usr/src/gnu/usr.sbin/sendmail/sendmail/../libsm/obj -o sendmail main.o alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o map.o mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o recipient.o sasl.o savemail.o sfsasl.o shmticklib.o sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o usersmtp.o util.o version.o -lssl -lcrypto -lsasl2 -lsmutil -lsm -lwrap /usr/local/lib/libsasl2.so.2.21: warning: strcpy() is almost always misused, please use strlcpy() /usr/local/lib/libsasl2.so.2.21: warning: sprintf() is often misused, please use snprintf() /usr/local/lib/libsasl2.so.2.21: warning: strcat() is almost always misused, please use strlcat() main.o(.text+0x2288): In function `main': : undefined reference to `sm_sasl_init' srvrsmtp.o(.text+0x6112): In function `smtp': : undefined reference to `iptostring' srvrsmtp.o(.text+0x6167): In function `smtp': : undefined reference to `iptostring' srvrsmtp.o(.text+0x7e76): In function `saslmechs': : undefined reference to `intersect' usersmtp.o(.text+0x19fa): In function `attemptauth': : undefined reference to `iptostring' usersmtp.o(.text+0x1a76): In function `attemptauth': : undefined reference to `iptostring' usersmtp.o(.text+0x1be9): In function `smtpauth': : undefined reference to `intersect' collect2: ld returned 1 exit status *** Error code 1 Stop in /usr/src/gnu/usr.sbin/sendmail/sendmail (line 95 of /usr/share/mk/bsd.prog.mk). *** Error code 1 Stop in /usr/src/gnu/usr.sbin/sendmail. --- Full output is at http://www.liem.se/downloads/output.txt dmesg at http://www.liem.se/downloads/dmesg.txt What do I do wrong? Do you have cyrus-sasl installed? No clue, but this works for me (sorry for formating, but it is copy-pasted from my install script): die() { echo $1 2 exit 1 } # Pre-setup ln -s /usr/local/lib/libsasl2.so.2.* /usr/local/lib/libsasl2.so \ || return 1 echo pwcheck_method: saslauthd /usr/local/lib/sasl2/Sendmail.conf \ || return 1 echo pwcheck_method: saslauthd /usr/local/lib/sasl2/Cyrus.conf \ || return 1 chmod 444 /usr/local/lib/sasl2/Sendmail.conf \ /usr/local/lib/sasl2/Cyrus.conf || return 1 echo WANT_SMTPAUTH=YES /etc/mk.conf || return 1 # Build new sendmail (cd /usr/src/gnu/usr.sbin/sendmail || die Error no src dir; \ make clean /root/sendmail_sasl.log 21; \ make /root/sendmail_sasl.log 21\ || die Error in make; \ make install /root/sendmail_sasl.log 21\ || die Error in make install; \ make clean /root/sendmail_sasl.log 21 \ || err Error in make clean) -- Sebastian A. Liem www.liem.se Regards, ahb
Re: Building sendmail with sasl fails at 4.0 -stable (20061201).
On 12/1/06, Andreas Bihlmaier [EMAIL PROTECTED] wrote: # Pre-setup ln -s /usr/local/lib/libsasl2.so.2.* /usr/local/lib/libsasl2.so \ Thanks, I forgot that step. By the way, wonderful OS, just wonderful. -- Sebastian A. Liem www.liem.se
Name resolution problem, local machine only, intermittent failure.
Hi, I will proceed to describe my symptoms, and at the end of my email I will paste as much relevant data as I can think of. Sometimes, for ping(8), traceroute(8), lynx(8), and other applications, name resolution will fail, for some addresses but not for others. For example: $ ping www.google.com ping: unknown host: www.google.com $ ping www.openbsd.org PING www.openbsd.org (129.128.5.191): 56 data bytes 64 bytes from 129.128.5.191: icmp_seq=0 ttl=239 time=162.596 ms $ ping www.yahoo.com ping: unknown host: www.yahoo.com $ ping www.netbsd.org ping: unknown host: www.netbsd.org $ ping news.bbc.co.uk PING newswww.bbc.net.uk (212.58.226.29): 56 data bytes 64 bytes from 212.58.226.29: icmp_seq=0 ttl=56 time=77.718 ms However, dig(8) can resolve the failing hosts fine, as well as the successful ones. (see end for dig(8) logs). I am running BIND on this machine, and it is serving DNS to my local network (upon which all resolutions succeed). My /etc/resolv.conf is empty and /etc/resolv.conf.tail contains: lookup file bind search artyzan.net I don't understand what's going on here. Your advice appreciated. Please find attached dig(8) output, contents of /var/named/etc/named.conf and my dmesg. Oh, and sometimes www.google.com will resolve. It did last night, but not right now. I haven't rebooted the machine overnight or made any changes. Ah, and as I type this, it works again. Cheers, James $ ping www.yahoo.com ping: unknown host: www.yahoo.com $ dig @localhost www.yahoo.com ; DiG 9.3.2-P1 @localhost www.yahoo.com ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 3907 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 4 ;; QUESTION SECTION: ;www.yahoo.com. IN A ;; ANSWER SECTION: www.yahoo.com. 300 IN CNAME www.yahoo-ht2.akadns.net. www.yahoo-ht2.akadns.net. 60IN A 209.73.186.238 ;; AUTHORITY SECTION: akadns.net. 88536 IN NS usw5.akadns.net. akadns.net. 88536 IN NS asia4.akadns.net. akadns.net. 88536 IN NS za.akadns.org. akadns.net. 88536 IN NS zb.akadns.org. akadns.net. 88536 IN NS zc.akadns.org. akadns.net. 88536 IN NS zd.akadns.org. akadns.net. 88536 IN NS eur1.akadns.net. akadns.net. 88536 IN NS eur7.akadns.net. ;; ADDITIONAL SECTION: za.akadns.org. 14255 IN A 204.2.178.133 zb.akadns.org. 14255 IN A 206.132.100.105 zc.akadns.org. 14255 IN A 69.45.78.3 zd.akadns.org. 14255 IN A 63.209.3.132 ;; Query time: 240 msec ;; SERVER: ::1#53(::1) ;; WHEN: Fri Dec 1 18:27:50 2006 ;; MSG SIZE rcvd: 304 ~~~ // $OpenBSD: named-simple.conf,v 1.6 2004/08/16 15:48:28 jakob Exp $ // // Example file for a simple named configuration, processing both // recursive and authoritative queries using one cache. // Update this list to include only the networks for which you want // to execute recursive queries. The default setting allows all hosts // on any IPv4 networks for which the system has an interface, and // the IPv6 localhost address. // acl clients { 10.0.0.0/24; ::1; }; options { version ; // remove this to allow version queries listen-on{ 127.0.0.1; 10.0.0.1; }; allow-recursion { clients; }; }; logging { category lame-servers { null; }; }; // Standard zones // zone . { type hint; file standard/root.hint; }; zone localhost { type master; file standard/localhost; allow-transfer { localhost; }; }; zone 127.in-addr.arpa { type master; file standard/loopback; allow-transfer { localhost; }; }; zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa { type master; file standard/loopback6.arpa; allow-transfer { localhost; }; }; zone com { type delegation-only; }; zone net { type delegation-only; }; // Master zones zone artyzan.net { type master; file master/artyzan.net.zone; }; zone 0.0.10.in-addr.arpa { type master; file master/0.0.10.in-addr.arpa.zone; }; key rndc-key { algorithm hmac-md5; secret *hidden*; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; }; ~~~ OpenBSD 4.0-stable (GENERIC) #0: Mon Nov 27 00:42:48 GMT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 349 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR real mem = 267939840 (261660K) avail mem = 236662784 (231116K) using 3296 buffers containing 13500416 bytes (13184K) of memory mainbus0 (root) bios0 at
Re: Name resolution problem, local machine only, intermittent failure.
Darren Spruell wrote: On 12/1/06, James Herbert (Lists) [EMAIL PROTECTED] wrote: My /etc/resolv.conf is empty and /etc/resolv.conf.tail contains: lookup file bind search artyzan.net I don't understand what's going on here. You have no nameserver lines in your resolv.conf file(s); how does your resolver library know who to consult for resolution? from man resolv.conf(5): If no nameserver entries are present, the default is to use the name server on the local machine. Also, as you will notice from my email, resolution does work most of the time. I have just added 'nameserver 127.0.0.1' and rebooted, to no avail. James
Re: Mac Mini (intel) status
http://marc.theaimsgroup.com/?l=openbsd-sparcm=116483175532387w=2 It may be possible to do something similar with the mini? Maybe, yes. Interesting! :-) At least Macs can do a netboot. Though you'd probably need an EFI guru to make that work... Bsically there might even be a more easy way to upgrade the firmware: If the firmware of a Mac is broken (e.g. due to power failture while upgrading), you can use a firmware restoration CD to repair it: http://www.apple.com/support/downloads/firmwarerestorationcd12.html If I understand that right, the CD contains a few floppy disk images, each for a different Mac. If the Mac's firmware is broken (and only then), you can make it boot from such a CD and the restore process will start and run automatically just from the CD. Unforunately the CD doesn't contain the latest Mac mini firmware version, so you'd again need a guru to put the latest firmware into such a floppy disk image, and you would have to destroy the firmware somehow to make the mini boot from the restoration CD... Sorry for being off-topic, all this has not much to do with OpenBSD. ;-) Tas.
Re: Name resolution problem, local machine only, intermittent failure. *SOLVED*
Sorry for being thick. My problem was solved by the following: --- /var/named/etc/named.conf.old Fri Dec 1 19:12:09 2006 +++ /var/named/etc/named.conf Fri Dec 1 19:11:11 2006 @@ -11,6 +11,7 @@ // acl clients { 10.0.0.0/24; + 127.0.0.1; }; options { Thanks to everyone who responded! James
Difference between co in OpenCVS and GNU RCS
Hi, I've just upgraded from OpenBSD/i386 3.8 to 4.0 (yeah, I know), and I've run across a difference between the behavior of co in OpenCVS RCS (version 3.6) and GNU RCS (version 5.7, in the ports). Try the following in an empty directory: $ touch foo $ mkdir RCS $ /usr/bin/ci -i foo RCS/foo,v -- foo enter description, terminated with single '.' or end of file: NOTE: This is NOT the log message! . initial revision: 1.1 done $ /usr/bin/co -l RCS/foo,v RCS/foo,v -- RCS/foo,v revision 1.1 (locked) RCS/foo,v exists; remove it? [ny](n): n co: writable RCS/foo,v exists; checkout aborted $ If I do the same thing with GNU RCS, the file is checked out for editing: $ touch foo $ mkdir RCS $ gci -i foo RCS/foo,v -- foo enter description, terminated with single '.' or end of file: NOTE: This is NOT the log message! . initial revision: 1.1 done $ gco -l RCS/foo,v RCS/foo,v -- foo revision 1.1 (locked) done $ The difference causes problems for vc mode in Emacs. I can work around it, but I'm reporting it here in case it is a bug in OpenCVS. I've googled, but nothing relevant came up. Regards, Alan
Re: ifstated wont work if started at boot. Only from command line
On Thu, November 30, 2006 17:19, Per-Olov Sjoholm wrote: Hi I run ifstated on command line without any flags and everything works prefect But when I add a statement to rc.local and a variable in rc.conf.local it starts at boot but simply refuse to work correctly. rc.local if [ X${ifstated} == XYES -a -x /usr/sbin/ifstated \ -a -e /etc/ifstated.conf ]; then echo -n ' ifstated'; /usr/sbin/ifstated fi rc.conf.local ifstated=YES # YES or NO After it started at boot it simply refuse to do the 10 sec poll that I have in the ifstated.conf. If I kill ifstated that was started at boot and start it from command line with the same statement as from rc.local it works as it should. Anybody with a clue about what is going on here? Do I have to use a sleep statement at startup so it will wait for everything else (have 10 carps, 3 vlans and 6 physical nics + pfsync etc)? I have tried with a 30 sec sleep in rc.local before starting it without success Thanks in advance Per-Olov -- GPG keyID: 4DB283CE GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE Really embarrassing... wget was specified in ifstated.conf without a full path and therefor ifstated refused to work at boot but later at manual start /P
Re: Satisfying dependencies (was: PHP5 install error)
On Fri, Dec 01, 2006 at 10:09:30AM -0500, Nick Bender wrote: Say that you have decided you want to use the hardened version of php5 for a dependent package like phpMyAdmin. Is there a way short of makefile hacking to get the hardened version to satisfy the RUN_DEPENDS clause? pkg_add the hardened version first?
ld segfaults in OpenBSD 3.9
The default linker in OpenBSD 3.9 segfaults reproducibly: [EMAIL PROTECTED]:~$ gcc -o -Wall wav2bin wav2bin.c collect2: ld terminated with signal 11 [Segmentation fault], core dumped wav2bin(.init+0x0): In function `__init': : multiple definition of `__init' /usr/lib/crtbegin.o(.init+0x0): first defined here wav2bin(.text+0x0): In function `_start': : multiple definition of `__start' /usr/lib/crt0.o(.text+0x0): first defined here wav2bin(.data+0x0): multiple definition of `__progname' /usr/lib/crt0.o(.data+0x0): first defined here wav2bin(.text+0x0): In function `_start': : multiple definition of `_start' /usr/lib/crt0.o(.text+0x0): first defined here wav2bin(.fini+0x0): In function `__fini': : multiple definition of `__fini' /usr/lib/crtbegin.o(.fini+0x0): first defined here wav2bin(.text+0x18): In function `___start': : multiple definition of `___start' /usr/lib/crt0.o(.text+0x18): first defined here /tmp//cce21751.o(.text+0x91): In function `process_byte': : multiple definition of `process_byte' wav2bin(.text+0x249): first defined here /usr/bin/ld: Warning: size of symbol `process_byte' changed from 171 in wav2bin to 242 in /tmp//cce21751.o /tmp//cce21751.o(.text+0x183): In function `process_bit': : multiple definition of `process_bit' wav2bin(.text+0x2f4): first defined here /tmp//cce21751.o(.text+0x1d0): In function `process_time': : multiple definition of `process_time' wav2bin(.text+0x341): first defined here /tmp//cce21751.o(.text+0x27e): In function `squelch_reset': : multiple definition of `squelch_reset' wav2bin(.text+0x3ef): first defined here /tmp//cce21751.o(.text+0x2fb): In function `process_loud_sample': : multiple definition of `process_loud_sample' wav2bin(.text+0x46c): first defined here /tmp//cce21751.o(.text+0x37d): In function `process_sample': : multiple definition of `process_sample' wav2bin(.text+0x4ee): first defined here /tmp//cce21751.o(.text+0x3e4): In function `process_samples': : multiple definition of `process_samples' wav2bin(.text+0x555): first defined here /tmp//cce21751.o(.text+0x445): In function `main': : multiple definition of `main' wav2bin(.text+0x5b6): first defined here /usr/lib/crt0.o(.dynamic+0x0): multiple definition of `_DYNAMIC' /usr/lib/crt0.o(.got.plt+0x0): multiple definition of `_GLOBAL_OFFSET_TABLE_' bt full: (gdb) bt full #0 0x1c01a6a6 in bfd_getl32 () No symbol table info available. #1 0x1c0278a9 in bfd_elf32_swap_reloc_in () No symbol table info available. #2 0x1c038b51 in elf_link_sort_relocs () No symbol table info available. #3 0x1c03b4d7 in bfd_elf_final_link () No symbol table info available. #4 0x1c0107be in ldwrite () No symbol table info available. #5 0x1c00e69e in main () No symbol table info available. What should I do to diagnose the problem? The .c file follows. CL #include stdio.h #include string.h #include stdlib.h #define WAV_HDR_LEN 0x2c #define SAMPLERATE_OFFSET 0x18 #define BDRY1 340 /* us */ #define BDRY2 555 /* us */ #define BDRY3 700 /* us */ #define LEAD 100 /* 100 edges */ #define SQUELCH_TIME 300 /* us */ #define PRINT_TIMES 0 #define HDR_SIZE 16 unsigned char wav_header[WAV_HDR_LEN]; float sample_time; /* In microseconds */ unsigned leader_counter=0; int halfbit; int firstbit; unsigned byte_counter; unsigned char byte_checksum; unsigned char flagbyte; unsigned char type; unsigned char header[HDR_SIZE]; /* Tape header */ void read_wav_header(void) { unsigned short samplerate; unsigned char *srptr=wav_header+SAMPLERATE_OFFSET; fread(header, WAV_HDR_LEN, 1, stdin); if (memcmp(wav_header,RIFF,4)){ fprintf(stderr,wav2bin: Error: input not a WAV file\n); exit(1); } samplerate=*srptr+(*(srptr+1)8); sample_time=1e6/samplerate; } /* Gets all bytes, including flag byte. */ void process_byte(unsigned char byte) { byte_checksum^=byte; if (!byte_counter){ flagbyte=byte; if (flagbyte==0xff){ fprintf(stderr,Data\n); }else if (flagbyte==0x00){ fprintf(stderr,Header\n); }else{ fprintf(stderr,Invalid flagbyte\n); exit(1); } }else{ if (!flagbyte){ if (byte_counterHDR_SIZE) header[byte_counter]=byte; else{ fprintf(stderr,Header overrun!\n); exit(1); } } } if (byte_counter) printf(0x%02x\n,byte); byte_counter++; } void process_bit (int bit) { static int bits; static int byte=0; byte=1; byte|=bit; bits++; if (bits=8){ process_byte(byte); bits=0; byte=0; } } void process_time(float time) { if (leader_counter100){ if
WebDAV
Hi, Although the mail archives have little on the topic, as does google, are there any major security concerns I should be aware of when installing mod_dav under the stock OpenBSD apache1.3, with apache chrooted? Gaby -- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
asus m2npv-vm dmesg?
Hi all Anyone have any experience/info (best being a dmesg) with current support ASUS M2NPV-VM motherboard? quick search on marc didn't reveal any hits. for your convenience here is a link to the asus page http://usa.asus.com/products4.aspx?l1=3l2=101l3=296model=1138modelmenu=1 thanks a lot b Cheap talk? Check out Yahoo! Messenger's low PC-to-Phone call rates. http://voice.yahoo.com
Re: Mac Mini (intel) status
On Dec 1, 2006, at 8:25 AM, J.C. Roberts wrote: On Thursday 30 November 2006 15:34, Tasmanian Devil wrote: Boot Camp: No, it's not required, it works fine with a usual OpenBSD-only configured internal harddisk, at least with Boot-ROM-Version MM11.0055.B05 and Boot-ROM-Version MM11.0055.B08. Of course you can only upgrade if you install a minimal OS X... :-/ I don't have a mini (or any reasonably current Apple hardware) but the issue you mentioned reminded me of this post by Brian Keefer: http://marc.theaimsgroup.com/?l=openbsd-sparcm=116483175532387w=2 It may be possible to do something similar with the mini? Kind Regards, JCR I'm skeptical of that working on the MacIntels. Looking in /Applications/Utilities/MacBook Pro EFI Firmware Update.app/Contents/ Resources I see the following interesting bits: EFIUpdaterApp.efi LOCKED_MBP11_0055_08B.fd LOCKED_MBP12_0061_03B.fd According to file(1) the first is a MSDOS executable, and the next two are data files. I vaguely recollect from my DOS days that flashing the BIOS on PC motherboards required a flash utility, and a data file (unlike Sun, where you just boot the flash updater in place of a kernel--in my weak understanding). Now there is a Firmware Restoration CD available from Apple that you can burn to a CD, but apparently this only works if: 1.) You have partially flashed the firmware and suffered a failure and 2.) You have to play their power button + flashing lights game of whack-a-mole. I profess to know nothing about low-level workings of machinery, but if these MacIntels have a somewhat PC-like boot process, perhaps you could make a DOS boot CD with the three files above, boot while holding down 'c', and run EFIUpdaterApp.efi from a DOS prompt? I'm sure there are all kinds of good reasons why that's impossible, but that's my wild-ass-guess. In any case, I highly doubt you could do this with a net boot since the firmware update does not appear to be a self-contained executable and might need a command interpreter to work. Brian Keefer www.Tumbleweed.com The Experts in Secure Internet Communication
Re: Symbolic link insecure?
Alexander Hall wrote: Alexander Hall wrote: Tasmanian Devil wrote: Sorry, I was too fast, I just saw that symbolic links don't have modes. I don't now then, sorry! I'd say they do have modes, but they are not very useful: $ umask 777; ln -s a b $ umask 000; ln -s a c $ ls -lF total 0 l- 1 alexander staff 1 Dec 1 11:47 b@ - a lrwxrwxrwx 1 alexander staff 1 Dec 1 11:47 c@ - a $ echo test a $ cat b test $ cat c test Ok... can someone please make this clear to me? This is an excellent take home assignment. Just plug it into your shell and see for yourself. Looking into the man pages, it is stated over and over again that symbolic links do not have modes. Do they _really_ not have them (see example above), or are they just never used? The Devil is just demonstrating that symbolic link permissions are immaterial. Ultimately, it is the permissions of the target that determine rights. I am not sure why then symbolic links have permissions, but I can hypothesize that they exist for consistency. In the filesystem code it is probably easiest to treat everything uniformly. -pachl
Re: Symbolic link insecure?
Heinrich Rebehn wrote: Hi list, i am getting a daily insecurity report from my system system saying: ## Checking special files and directories. Output format is: filename: criteria (shouldbe, reallyis) etc/pf.conf: type (file, link) permissions (0600, 0755) ## I am actually using a symbolic link for /etc/pf.conf: ls -l /etc/pf.conf* lrwxr-xr-x 1 root wheel 11 Nov 30 17:04 /etc/pf.conf - pf.conf.001 -rw--- 1 root wheel 10529 Nov 14 10:18 /etc/pf.conf.000 -rw--- 1 root wheel 10582 Nov 30 18:12 /etc/pf.conf.001 I do this in order to save different versions of the file. My question: Is a symbolic link really insecure? Or is this just a deficiency of /etc/security? I could use hard links instead of soft links as a workaround, but then one cannot as easily see where the link points to. Sorry if this might sound like nitpicking, but i do not want to get used to ignoring security warnings. Thanks for any help, Heinrich Rebehn University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications - Phone : +49/421/218-4664 Fax :-3341 Two things, use rcs.. that save you headaches, instead of multiple versions of file, use one file, with multiple diffs.. Other the email is really about the sym link as others pointed out. If you use RCS you can have the versioning system in place as you already have it, although in a scalable way IMO, and no /etc/security email about shouldbe, reallyis HTH Prabhu -
Re: ld segfaults in OpenBSD 3.9
On 12/1/06, Karel Kulhavy [EMAIL PROTECTED] wrote: The default linker in OpenBSD 3.9 segfaults reproducibly: [EMAIL PROTECTED]:~$ gcc -o -Wall wav2bin wav2bin.c Try $ gcc -Wall -o wav2bin wav2bin.c But there is still a problem. If you link a source file with its resulting binary, it segfaults ld: [EMAIL PROTECTED]:/home/anakha/dev/c/tmp$ cat test.c int main() { return 0; } [EMAIL PROTECTED]:/home/anakha/dev/c/tmp$ gcc -o test test.c [EMAIL PROTECTED]:/home/anakha/dev/c/tmp$ gcc -o -Wall test test.c collect2: ld terminated with signal 11 [Segmentation fault], core dumped test(.init+0x0): In function `__init': : multiple definition of `__init' /usr/lib/crtbegin.o(.init+0x0): first defined here test(.text+0x0): In function `_start': : multiple definition of `__start' /usr/lib/crt0.o(.text+0x0): first defined here test(.data+0x0): multiple definition of `__progname' /usr/lib/crt0.o(.data+0x0): first defined here test(.text+0x0): In function `_start': : multiple definition of `_start' /usr/lib/crt0.o(.text+0x0): first defined here test(.fini+0x0): In function `__fini': : multiple definition of `__fini' /usr/lib/crtbegin.o(.fini+0x0): first defined here test(.text+0x18): In function `___start': : multiple definition of `___start' /usr/lib/crt0.o(.text+0x18): first defined here /tmp//ccK15620.o(.text+0x0): In function `main': : multiple definition of `main' test(.text+0x1b8): first defined here /usr/lib/crt0.o(.dynamic+0x0): multiple definition of `_DYNAMIC' /usr/lib/crt0.o(.got.plt+0x0): multiple definition of `_GLOBAL_OFFSET_TABLE_' -- I'm trying to launch the internet; so I open a terminal and go percent sign 'Internet' at the prompt and it doesn't work. What gives??!! -- random troll
Re: Mac Mini (intel) status
Ah, yes, booting from CD. Maybe I was really a little bit lucky with that because it worked quite well here right from the beginning. ;-) I'm not being so lucky :-( Boot Camp: No, it's not required, it works fine with a usual OpenBSD-only configured internal harddisk, at least with Boot-ROM-Version MM11.0055.B05 and Boot-ROM-Version MM11.0055.B08. Of macos says I'm running MM11.0055.B08. When I first fired the system up (just to verify that it was working OK) it downloaded new firmware and had be go throught the power cycle dance holding the power button to do the update so I expect the box came with MM11.0055.B05. Some recent CD: The 4.0 release CD and snapshots from Nov. 12, 2006 or later should boot fine, a few snapshots between that didn't work. You don't need a -current boot CD to install a -current (or snapshot) file set. Not working for me. I get this far: CD_ROM: 90 Loading /CDBOOT probing: pc0 com0 mem(699K 991M a20=on) disk: hd0+* cd0 boot c and there it stays forever. I suspect the c following the boot prompt is left over from hold c to boot from cd. The keyboard at this point is dead. Any ideas? I'd really like to get OpenBSD up on this beasty. I've tried several different home grown CDs plus the 11/29 snapshot CD from ftp.openbsd.org. // marc
SendmailDNSBL
Hi, I have sendmail configured for the following hypothetical domains: mydomaina.com mydomainb.com I would like sendmail to do DNSBL checking on mydomaina.com but not mydomainb.com, is this possible? -Mike
Re: Difference between co in OpenCVS and GNU RCS
On Fri, 1 Dec 2006, Alan Watson wrote: Hi, I've just upgraded from OpenBSD/i386 3.8 to 4.0 (yeah, I know), and I've run across a difference between the behavior of co in OpenCVS RCS (version 3.6) and GNU RCS (version 5.7, in the ports). This has been fixed in -current. -Otto Try the following in an empty directory: $ touch foo $ mkdir RCS $ /usr/bin/ci -i foo RCS/foo,v -- foo enter description, terminated with single '.' or end of file: NOTE: This is NOT the log message! . initial revision: 1.1 done $ /usr/bin/co -l RCS/foo,v RCS/foo,v -- RCS/foo,v revision 1.1 (locked) RCS/foo,v exists; remove it? [ny](n): n co: writable RCS/foo,v exists; checkout aborted $ If I do the same thing with GNU RCS, the file is checked out for editing: $ touch foo $ mkdir RCS $ gci -i foo RCS/foo,v -- foo enter description, terminated with single '.' or end of file: NOTE: This is NOT the log message! . initial revision: 1.1 done $ gco -l RCS/foo,v RCS/foo,v -- foo revision 1.1 (locked) done $ The difference causes problems for vc mode in Emacs. I can work around it, but I'm reporting it here in case it is a bug in OpenCVS. I've googled, but nothing relevant came up. Regards, Alan
Re: Difference between co in OpenCVS and GNU RCS
Many thanks. Alan
spews1- i/o error
Since 10:00 am EST: spamd-setup: Could not add blacklist spews1: Input/output error
Re: Mac Mini (intel) status
I'm not being so lucky :-( I'm sure you will not give up, it's worth it! :-) Some recent CD: The 4.0 release CD and snapshots from Nov. 12, 2006 or later should boot fine, a few snapshots between that didn't work. You don't need a -current boot CD to install a -current (or snapshot) file set. Not working for me. I get this far: CD_ROM: 90 Loading /CDBOOT probing: pc0 com0 mem(699K 991M a20=on) disk: hd0+* cd0 boot c and there it stays forever. I suspect the c following the boot prompt is left over from hold c to boot from cd. The keyboard at this point is dead. Any ideas? Of course! :-) And yes, you're probably right with the c key. I'd try it step by step now. The mini boots from CD without holding any key, even without a keyboard attached, as long as there's no OS on the harddisk. You want to use OpenBSD only, right? So I'd configure the internal harddisk with one MS-DOS partition using the Disk Utility on the Mac OS X install CD. You can even write a MS-DOS MBR with that utility, though that's not really necessary at this point, you can do that later with fdisk. Just remove the OS. The mini should boot from an OpenBSD boot CD then, also without a keybard and without pressing any key. Does it do that? If you have an ACPI enabled kernel on the boot CD, the USB keyboard should work fine then as soon as you attach it. Tas.
Re: Moving from tcsh to pdksh: how to recall partially typed in command? (ESC-p)
Hello Otto, On 11/30/06, Otto Moerbeek [EMAIL PROTECTED] wrote: Turns out matthieu@ already made an updated diff some time ago. Here it is. thank you for the patch. There seems to be a problem: I type an l (ell) and then use ESC-p to cycle through the previously typed commands starting with that letter. They are displayed fine, but they never stop (but cycle). And when I type ESC-n, then the displayed command sometimes stucks (doesn't change to the next one). Same problem is with the UP/DOWN arrow keys, when I define: bind '^XA'=history-search-backward bind '^XB'=history-search-forward BTW I've noticed an unchecked strdup() in emacs.c which is probably better written as: if ((orig_xbuf = strdup(xbuf)) == NULL) internal_errorf(1, unable to allocate memory); Regards Alex -- http://preferans.de
dynamic update of gateway for route-to rules in pf.conf on dhcp interface?
Is there a way to dynamically update the gateway ip address on the dhcp interface along with ip address in the load balancing rules? http://www.openbsd.org/faq/pf/pools.html has a sample pf.conf file ext_if1 = fxp0 ext_if2 = fxp1 ext_gw1 = 68.146.224.1 ext_gw2 = 142.59.76.1 pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any In this pass out rule it's my understanding that if the $ext_if2 or fxp1 ip address changes the firewall rules will be updated automatically. However, it looks to me like the $ext_gw2 will not be updated if it changes since the variable points to an explicit ip address. Is there a way to update the gateway ip address for that interface without writing some script to modify the pf.conf file and then reload the rule set? Thank You.
How is this BSD Auth error possible?
From /usr/src/lib/libc/gen/auth_subr.c. When using auth_userokay(3) I keep getting the message dup of backchannel: Bad file descriptor. Yet, I'm puzzled how the condition could even occur (the last line is the only place this message exists in the entire source tree): if (socketpair(PF_LOCAL, SOCK_STREAM, 0, pfd) 0) { syslog(LOG_ERR, unable to create backchannel %m); _warnx(internal resource failure); goto fail; } switch (pid = fork()) { case -1: syslog(LOG_ERR, %s: %m, path); _warnx(internal resource failure); close(pfd[0]); close(pfd[1]); goto fail; case 0: #define COMM_FD 3 #define AUTH_FD 4 if (dup2(pfd[1], COMM_FD) 0) err(1, dup of backchannel);
Re: OpenBSD 4.0 -current + cups-1.2.5p0
Well I fixed the permissions problem by chgrp /dev/ulpt0 to _cups. However now when I try to print there are no errors and nothing is sent to the printer. This might be my filters problem. I have a MFC-210C and the only drivers available are linux ones, but they are just a lpr and cups-wrapper shell script. If anyone has any other reasons why it won't print other then the filter I'd appreciate the suggestions.
Re: OpenBSD 4.0 -current + cups-1.2.5p0
Hint: Try setting the LogLevel to debug to find out more. James Turner wrote: Well I fixed the permissions problem by chgrp /dev/ulpt0 to _cups. However now when I try to print there are no errors and nothing is sent to the printer. This might be my filters problem. I have a MFC-210C and the only drivers available are linux ones, but they are just a lpr and cups-wrapper shell script. If anyone has any other reasons why it won't print other then the filter I'd appreciate the suggestions.
Re: OpenBSD 4.0 -current + cups-1.2.5p0
Forgot about that, thanks. It seems I miss spoke earlier. The package from Brother actually contained one linux binary and library file. After enabling linux emulation new errors keep popping up. It's so hard to debug this shit when each new shell script passes off it's output to another shell script using cat and pipes. Needless to say my eyes hurt to much to look at this anymore tonight. Pierre Lamy wrote: Hint: Try setting the LogLevel to debug to find out more. James Turner wrote: Well I fixed the permissions problem by chgrp /dev/ulpt0 to _cups. However now when I try to print there are no errors and nothing is sent to the printer. This might be my filters problem. I have a MFC-210C and the only drivers available are linux ones, but they are just a lpr and cups-wrapper shell script. If anyone has any other reasons why it won't print other then the filter I'd appreciate the suggestions.