Symbolic link insecure?

[Heinrich Rebehn]

Hi list,

i am getting a daily insecurity report from my system system saying:

##
Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
etc/pf.conf:
type (file, link)
permissions (0600, 0755)
##

I am actually using a symbolic link for /etc/pf.conf:

ls -l /etc/pf.conf*
lrwxr-xr-x  1 root  wheel 11 Nov 30 17:04 /etc/pf.conf - pf.conf.001
-rw---  1 root  wheel  10529 Nov 14 10:18 /etc/pf.conf.000
-rw---  1 root  wheel  10582 Nov 30 18:12 /etc/pf.conf.001

I do this in order to save different versions of the file.

My question: Is a symbolic link really insecure? Or is this just a 
deficiency of /etc/security?


I could use hard links instead of soft links as a workaround, but then 
one cannot as easily see where the link points to.


Sorry if this might sound like nitpicking, but i do not want to get used 
to ignoring security warnings.


Thanks for any help,

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341

Re: ppp.conf for ueagle and pppoa

[Stefan Olsson]

On Wed, 29 Nov 2006 11:46:00 +0100, Przemyslaw Nowaczyk
[EMAIL PROTECTED] said:
 On Wed, Nov 29, 2006 at 08:27:14AM +0100, Damien Bergamini wrote:
  You must recompile user ppp with ATM enabled:
  
  cd /usr/src/usr.sbin/ppp/ppp/
  vi Makefile
  remove line NOATM= /usr/include/netnatm required
  then run make  make install
  
  then ppp -dedicated adsl
  
  this is explained here:
  http://damien.bergamini.free.fr/ueagle/ppp.html
  (just skip the synchronizing the modem section
  which is outdated).
  
 
 hi,
 i'm also having some difficulties in making my sagem fast 800 e2t work,
 i'm running a generic kernel with ueagle and noatm enabled (dmesg below),
 recompiled ppp (as you mentioned above, since i'm using pppoa) and after
 booting the machine the modem doesn't synchronize.. running ppp
 -dedicated adsl
 in that state (ppp.conf from your page, with vpi and vci set to 0 35)
 shows:
 
 Warning: PPPoA:ueagle0:0.35: connect: Device not configured 
 Warning: deflink: Device (PPPoA:ueagle0:0.35) must begin with a '/', a
 '!' or contain at least one ':' 

I have now followed the FAQ 5.3.* sections and also Damien's guidelines
in 
the ppp.html as above. And it STILL comes back with: 
Warning: deflink: Device (PPPoA:ueagle0:0.35) must begin with a '/', a
'!' or contain at least one ':'

That message is contained in physical.c in the ppp-directory btw.
 
After having to add new file systems for /usr/src and /usr/obj, editing
and building a new GENERIC, re-compiling ppp etc etc - all first-time
experiences, I think I a will call it a day with this driver. While 
everything else in OpenBSD just works this driver seems to be the
opposite. And I am apparently not the only one having this problem.

Rgds




-- 
http://www.fastmail.fm - Does exactly what it says on the tin

Re: Symbolic link insecure?

[Tasmanian Devil]

etc/pf.conf:
type (file, link)
permissions (0600, 0755)


Change the permissons for the symbolic link from 0755 to 0600 (same
permissions like on your other pf.conf.xxx files).


My question: Is a symbolic link really insecure?


Only with wrong permissions.

Tas.

Re: Symbolic link insecure?

[Alexander Hall]

Heinrich Rebehn wrote:

Hi list,

i am getting a daily insecurity report from my system system saying:

##
Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
etc/pf.conf:
type (file, link)
permissions (0600, 0755)
##



I do this in order to save different versions of the file.

My question: Is a symbolic link really insecure? Or is this just a 
deficiency of /etc/security?


I could use hard links instead of soft links as a workaround, but then 
one cannot as easily see where the link points to.


Sorry if this might sound like nitpicking, but i do not want to get used 
to ignoring security warnings.


A good habit, I'd say.

Have a look at mtree(8), /etc/security and /etc/mtree/special. In the 
latter, you should be able to set type=link for pf.conf. I cannot tell 
if it has any obvious downsides, as long as you know what you're doing 
and (maybe) not pointing it to /tmp/feedme or so.


/Alexander

Re: Symbolic link insecure?

[Tasmanian Devil]

 etc/pf.conf:
 type (file, link)
 permissions (0600, 0755)

Change the permissons for the symbolic link from 0755 to 0600 (same
permissions like on your other pf.conf.xxx files).

 My question: Is a symbolic link really insecure?

Only with wrong permissions.


Sorry, I was too fast, I just saw that symbolic links don't have
modes. I don't now then, sorry!

Tas.

Re: pf load balancer and server health

[z0mbix]

On 30/11/06, Miguel [EMAIL PROTECTED] wrote:

Hi, how can i check the servers' health  and delete a server from the
pool when it  loses connection with the load balancer, is such thing
posible?
thanks



Something crude I've been working on:

http://www.screamingelectron.org/forum/showthread.php?t=2765

I've got this running on a couple of carp'd load balancers. Works great for me.

Cheers z0mbix

File ownership of setuid processes

[Samuel Moñux]

Hi everyone!,

I'm trying to migrate a sympa installation (sympa is a perl written
mailing list manager) from a Linux system into an OpenBSD one, and I'm
getting into a strange problem.

The way a message reaches the sympa is trough a C written, setuid
binary called queue which is setuid to sympa's user. The MTA pipes
the message into this binary, which its only mission is to create a
file into a spool direcotry, where the main sympa process can read it.

The problem here is that queue in OpenBSD isn't creating files with
sympa ownership, so the main process can't read them(they are owned by
daemon).

I have done a small test program to be run in both systems, and thats
what I get:

#include sys/types.h
#include sys/stat.h
#include fcntl.h

int main (void) {
   int fd;
   char msg1[] = Cannot open file\n;

   umask(027);
   if (!(fd = open(/tmp/testfile, O_CREAT| O_WRONLY , 0600))) {
   write(2,msg1, sizeof(msg1));
   }
   close(fd);
}

 OpenBSD System
# make test
cc -O2 -pipe-o test test.c
# chown _sympa._sympa test
# chmod u+s test
# ./test
# ls -l
total 32
-rw---  1 _sympa   wheel   2984 Nov 30 16:02 ayud
drwx--  2 _clamav  wheel512 Dec  1 09:30 clamav-1cd2ff8e8aea8f7f
-rwsr-xr-x  1 _sympa   _sympa  6641 Dec  1 09:31 test
-rw-r--r--  1 root wheel255 Dec  1 09:29 test.c
-rw---  1 root wheel  0 Dec  1 09:30 testfile


[EMAIL PROTECTED] tmp]# make test
cc test.c   -o test
[EMAIL PROTECTED] tmp]# chown sympa.sympa test
[EMAIL PROTECTED] tmp]# chmod u+s test
[EMAIL PROTECTED] tmp]# ./test
[EMAIL PROTECTED] tmp]# ls -l
total 16
-rwsr-xr-x1 sympasympa   14092 dic  1 09:33 test
-rw-r--r--1 root root  312 dic  1 09:27 test.c
-rw---1 symparoot0 dic  1 09:34 testfile

It's ok this different behaviour? or may be there is something that
I'm doing wrong?

Thanks in advance.

Re: Quagga and OpenBGP

[tony sarendal]

On 30/11/06, Demuel I. Bendano, R.E.E [EMAIL PROTECTED] wrote:

 All,

 I cannot still see the logic as to why Quagga is part of the OpenBSD ports
 tree when it has OpenBGP at all in the default install? The documentation
 of OpenBGP tells us that it is far superior in design as compared to
 Zebra/Quagga.

 Side comments?


Why is emacs in the ports tree when we have vi ?

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-

Re: File ownership of setuid processes

[Otto Moerbeek]

On Fri, 1 Dec 2006, Samuel Moqux wrote:

 Hi everyone!,

 I'm trying to migrate a sympa installation (sympa is a perl written
 mailing list manager) from a Linux system into an OpenBSD one, and I'm
 getting into a strange problem.

 The way a message reaches the sympa is trough a C written, setuid
 binary called queue which is setuid to sympa's user. The MTA pipes
 the message into this binary, which its only mission is to create a
 file into a spool direcotry, where the main sympa process can read it.

 The problem here is that queue in OpenBSD isn't creating files with
 sympa ownership, so the main process can't read them(they are owned by
 daemon).

My bet would be that you are executing the program from a file system
that is mounted nosuid.

-Otto


 I have done a small test program to be run in both systems, and thats
 what I get:

 #include sys/types.h
 #include sys/stat.h
 #include fcntl.h

 int main (void) {
int fd;
char msg1[] = Cannot open file\n;

umask(027);
if (!(fd = open(/tmp/testfile, O_CREAT| O_WRONLY , 0600))) {
write(2,msg1, sizeof(msg1));
}
close(fd);
 }

  OpenBSD System
 # make test
 cc -O2 -pipe-o test test.c
 # chown _sympa._sympa test
 # chmod u+s test
 # ./test
 # ls -l
 total 32
 -rw---  1 _sympa   wheel   2984 Nov 30 16:02 ayud
 drwx--  2 _clamav  wheel512 Dec  1 09:30 clamav-1cd2ff8e8aea8f7f
 -rwsr-xr-x  1 _sympa   _sympa  6641 Dec  1 09:31 test
 -rw-r--r--  1 root wheel255 Dec  1 09:29 test.c
 -rw---  1 root wheel  0 Dec  1 09:30 testfile

 
 [EMAIL PROTECTED] tmp]# make test
 cc test.c   -o test
 [EMAIL PROTECTED] tmp]# chown sympa.sympa test
 [EMAIL PROTECTED] tmp]# chmod u+s test
 [EMAIL PROTECTED] tmp]# ./test
 [EMAIL PROTECTED] tmp]# ls -l
 total 16
 -rwsr-xr-x1 sympasympa   14092 dic  1 09:33 test
 -rw-r--r--1 root root  312 dic  1 09:27 test.c
 -rw---1 symparoot0 dic  1 09:34 testfile

 It's ok this different behaviour? or may be there is something that
 I'm doing wrong?

 Thanks in advance.

Re: Symbolic link insecure?

[Otto Moerbeek]

On Fri, 1 Dec 2006, Alexander Hall wrote:

 Heinrich Rebehn wrote:
  Hi list,
  
  i am getting a daily insecurity report from my system system saying:
  
  ##
  Checking special files and directories.
  Output format is:
  filename:
  criteria (shouldbe, reallyis)
  etc/pf.conf:
  type (file, link)
  permissions (0600, 0755)
  ##
 
  I do this in order to save different versions of the file.
  
  My question: Is a symbolic link really insecure? Or is this just a
  deficiency of /etc/security?

No, it is not a deficiency in /etc/security. Symbolic links have their
problems, depending on where they are pointing to. Also, /etc/security
is designed to warn for non-standard things. If you are deviating from
that, you are on your own. 

As for general background info, you might want to google for symbolic
link race.

-Otto

Re: Symbolic link insecure?

[Alexander Hall]

Alexander Hall wrote:

Tasmanian Devil wrote:



Sorry, I was too fast, I just saw that symbolic links don't have
modes. I don't now then, sorry!


I'd say they do have modes, but they are not very useful:

$ umask 777; ln -s a b
$ umask 000; ln -s a c
$ ls -lF
total 0
l-  1 alexander  staff  1 Dec  1 11:47 b@ - a
lrwxrwxrwx  1 alexander  staff  1 Dec  1 11:47 c@ - a
$ echo test  a
$ cat b
test
$ cat c
test


Ok... can someone please make this clear to me?

Looking into the man pages, it is stated over and over again that 
symbolic links do not have modes. Do they _really_ not have them (see 
example above), or are they just never used?


/Alexander

funny log message: beck's greytrapper trapped bobeck :)

[Anton Karpov]

Nov 30 09:32:49 mercury greytrapper[96425]: Trapped 195.182.143.86: Mailed
from sender bobeck.net with no MX or A

see bobeck banned by awesome tool from beck@ ;)

Note to russian users: wdputte@ in Moscow

[Anton Karpov]

If you're living in Moscow, Russian Federation, and want to have beer with
Wim Vandeputte, and to get magic OpenBSD stuff from him, see
http://www.toxahost.ru/wim.html ;)

Re: bioctl compatible LSIs?

[Stephan A. Rickauer]

L. V. Lammert wrote:
 Is there a list somewhere of exactly which LSI controllers are bioctl
 compatible? We're getting ready to build some new servers, and the

You can have a look at the man pages (ami, mfi), which list all
controllers supported by bioctl.

In case you're fond of SATA controllers, read this:
http://marc.theaimsgroup.com/?l=openbsd-miscm=116103468316956w=2

Not a big deal though, unless you can't afford to reboot on disk
failure. It's on Marco's 'radar' anyway ;)

--

 Stephan A. Rickauer

 ---
 Institut f|r Neuroinformatik  Tel: +41 44 635 30 50
 Universitdt / ETH Z|rich  Sek: +41 44 635 30 52
 Winterthurerstrasse 190   Fax: +41 44 635 30 53
 CH-8057 Z|richWeb:  www.ini.ethz.ch

 RSA public key: https://www.ini.ethz.ch/~stephan/pubkey.asc
 ---

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]

CF boot and Ramdisk

[Chris C.]

Hi,

we're going to build a simple Wlan between a friends apartment and my house.
We decided to run obsd 4.0 as we want to use ipsec for encryption.
One of these systems will have to boot from a CF Card (or any other really 
silent media if you have suggestions). Since flash media only has limited 
write cycles and we will need to modify some files from time to time (Port 
forwards in pf.conf, some files in /var and so on..., logging isn't that 
important) we want to use a ramdisk (or tmpfs, don't know the exact name) and 
then sync the data to disk every hour or so. Is there a Howto for booting 
openbsd from a CF-Card (using an IDE adapter) and then mounting a ramdisk 
over /var? (I think we could just symlink files in /etc which we will need to 
modify to the ramdisk).

-- 
Greetings
Chris

Re: prepping for big spamd(8) rollout

[jared r r spiegel]

On Fri, Dec 01, 2006 at 07:43:05AM +0100, Srebrenko Sehic wrote:
 
 AFAIK, amd64 does not support 4GB, unless that
 patch from tech@ somehow sneaked into the tree without me noticing.

  this one?

  http://marc.theaimsgroup.com/?l=openbsd-techm=114498992417267w=2

  it's not in -current.  i'll make a kernel with it and see if the
  memory reported changes, and then soon as i get things on the
  2850 w/12GB same there too.

-- 

  jared

Re: CF boot and Ramdisk

[Diana Eichert]

On Fri, 1 Dec 2006, Chris C. wrote:

 Hi,

 we're going to build a simple Wlan between a friends apartment and my house.
 We decided to run obsd 4.0 as we want to use ipsec for encryption.
 One of these systems will have to boot from a CF Card (or any other really
 silent media if you have suggestions). Since flash media only has limited
 write cycles and we will need to modify some files from time to time (Port
 forwards in pf.conf, some files in /var and so on..., logging isn't that
 important) we want to use a ramdisk (or tmpfs, don't know the exact name) and
 then sync the data to disk every hour or so. Is there a Howto for booting
 openbsd from a CF-Card (using an IDE adapter) and then mounting a ramdisk
 over /var? (I think we could just symlink files in /etc which we will need to
 modify to the ramdisk).

 --
 Greetings
 Chris

Chris

Take a look at flashboot, http://www.mindrot.org/projects/flashboot/ .
This is what we use on dual soekris firewalls at a friend's business.

diana

Re: CF boot and Ramdisk

[Andreas Bihlmaier]

On Fri, Dec 01, 2006 at 02:16:11PM +0100, Chris C. wrote:
 Hi,
 
 we're going to build a simple Wlan between a friends apartment and my house.
 We decided to run obsd 4.0 as we want to use ipsec for encryption.
 One of these systems will have to boot from a CF Card (or any other really 
 silent media if you have suggestions). Since flash media only has limited 
 write cycles and we will need to modify some files from time to time (Port 
 forwards in pf.conf, some files in /var and so on..., logging isn't that 
 important) we want to use a ramdisk (or tmpfs, don't know the exact name) and 
 then sync the data to disk every hour or so. Is there a Howto for booting 
 openbsd from a CF-Card (using an IDE adapter) and then mounting a ramdisk 
 over /var? (I think we could just symlink files in /etc which we will need to 
 modify to the ramdisk).

Perhaps there is one, but: RTF[ine]M
mfs(8)  # Have a look at -P

A mfs line for fstab /tmp:
swap /tmp mfs rw,-s=2048000,noexec,noatime,nosuid,nodev 0 0
#   ^-- Might be somewhat to big for a router/fw ;)

Booting from an IDE adapter means booting an IDE-Disk.
Should just work(tm).

 
 -- 
 Greetings
 Chris

Regrads,
ahb

Re: PHP5 install error

[Nick Bender]

On 11/30/06, Brendan Grossman [EMAIL PROTECTED] wrote:

Hmm, in the Makefile it has this:

# the hardened flavor is used by both core and extensions
FLAVORS+=   hardened
FLAVOR?=

It starts to compile hardened after completing core. I loaded the core
module then in Apache and it doesn't give any errors, however php code isn't
executed (just a blank screen). I also tried just adding the core package
from ftp and same problem.

I don't know why I'm having problems... Have followed the instructions that
I used that worked perfectly on 3.8 and 3.9.


I noticed this when one of my build scripts started failing in 4.0. Now I
just do make install in www/php5/core and www/php5/extensions rather
than in www/php5 and problem solved.

A related question is say that you have decided you want to use the
hardened version of php5 for a dependent package like phpMyAdmin.
Is there a way short of makefile hacking to get the hardened version
to satisfy the RUN_DEPENDS clause?

-N

Re: MYSQL-5.0.24a on amd64 - How is it supposed to work for Apache in chroot ?

[Toni Mueller]

Hello Uwe,

On Fri, 01.12.2006 at 01:11:19 +0800, Uwe Dippel [EMAIL PROTECTED] wrote:
  unix domain sockets and went for IP sockets instead.
 Do you have a full description sharing the HowTo ?

no. When you start MySQL, check that it listens on eg. localhost, port
3306, then configure your apps to talk to that TCP port instead of the
Unix domain socket. That should be all.


Best,
--Toni++

Re: CF boot and Ramdisk

[Michael]

Hi,

http://undeadly.org/cgi?action=articlesid=20061115152127
http://www.kaschwig.net/projects/openbsd/wrap/
http://blog.innerewut.de/articles/2005/05/14/openbsd-3-7-on-wrap
http://www.pingwales.co.uk/2006/05/22/OpenBSD-on-Flash.html

Some of this info is pretty old so you have to check if it still work.

I installed my Soekris using tftp and used the /mfs technique described
in the WRAP links with some modifications for personal needs.

Michael

Re: VPN configuration for roadwarrior

[Toni Mueller]

Hello Claude,

On Wed, 29.11.2006 at 03:03:12 -0800, Claude Brassel [EMAIL PROTECTED] wrote:
 client configuration (safenet on windows) I have just added the LAN

I don't know the Safenet client.

 192.168.50 as ip subnet in the Remote party and Adressing section. This
 work's fine because the hosts I join are only in this (192.168.50) LAN.

I don't understand 'join'. You mean, your windows stuff joins a
Windows-style domain when the VPN is active?

 other gateway's in this LAN, and assigning the clients an IP in this LAN
 will permit some ip based rules on other gateway's (that's for future use)

But it will probably require you to do some proxy-arp like stuff on
your VPN gateway. Opt for real routing instead and adjust the filters
on that other machines, if needed. I think this will make life much
simpler for you.

 But this doesn't explain me how i can connect more then one client from the
 same IP

I don't understand what you mean by same IP. FWIW, I have no trouble
connecting several mobile clients simultanously to one OpenBSD VPN
gateway using X.509 certificates. I do advertise a default route to
them, however, so they will only transfer data to that (protected)
network, not try to bypass the VPN for Internet access.


Best,
--Toni++

Re: Mac Mini (intel) status

[bofh]

- Original message -
You can pick up cheap VLAN-capable switches on eBay. I have a Dell ...

Bleh - the last time I messed with them (2-3 years ago), they were crap.



On 12/1/06, Jason Dixon [EMAIL PROTECTED] wrote:

On Dec 1, 2006, at 1:16 AM, Antoine Jacoutot wrote:

 On Thu, 30 Nov 2006, Jason Dixon wrote:
 Yes, too bad it only includes 1 ethernet adapter.

 That's what VLANs are for.  Just make sure your switch doesn't
 allow hopping. :)

 Ah yes ;-)
 Although, playing with the mini as a server looks more like
 something I would do at home where I don't have VLAN capable switches.
 I don't (yet?) feel like using a mini at work (well except for
 workstation stuffs)... but sure, VLANs are ok.

You can pick up cheap VLAN-capable switches on eBay.  I have a Dell
3024 at home which works fine and runs $100-150 used.  I'd never use
these in an enterprise environment, but they're fine for home testing.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

Re: best hardware plattform for openbsd

[Toni Mueller]

Hi Claudio,

On Fri, 13.10.2006 at 16:00:55 +0200, Claudio Jeker [EMAIL PROTECTED] wrote:
 Btw. 500kpps traffic as seen on the net is more than 3Gbps.

I calculated this number as roughly the upper limit for a 100 MBit/s
link. I wanted to make sure that the box doesn't melt down in case
someone tries a DDoS against it. In such a case, I'd rather have only
decreasing performance than falling off the net eg. because routes
don't get out anymore.


Best,
--Toni++

OpenBSD Zaurus C3200 recommended N. American distributor

[dreamwvr]

Hey,
  How are these companies for Zaurus hw support? Or is there
a better recommended company for importing a Zaurus for OpenBSD?
  http://www.kurnspatrick.com/sharp.html
  http://www.sdgsystems.com/
Me thinks this would be just great for hotspot surfing, 
truly mobile admining etc... Which wifi cards do people recommend? 
How about bluetooth cards? 

Best REgards,
[EMAIL PROTECTED]

Re: Mac Mini (intel) status

[J.C. Roberts]

On Thursday 30 November 2006 15:34, Tasmanian Devil wrote:
 Boot Camp: No, it's not required, it works fine with a usual
 OpenBSD-only configured internal harddisk, at least with
 Boot-ROM-Version MM11.0055.B05 and Boot-ROM-Version MM11.0055.B08. Of
 course you can only upgrade if you install a minimal OS X... :-/

I don't have a mini (or any reasonably current Apple hardware) but the 
issue you mentioned reminded me of this post by Brian Keefer:

http://marc.theaimsgroup.com/?l=openbsd-sparcm=116483175532387w=2

It may be possible to do something similar with the mini?

Kind Regards,
JCR

Re: OpenBSD Zaurus C3200 recommended N. American distributor

[Jaime Fournier]

Pricejapan was really good, and much cheaper than many of the other 
vendors.


-Jaime Fournier


On Fri, 1 Dec 2006, dreamwvr wrote:


Date: Fri, 1 Dec 2006 09:19:36 -0700
From: dreamwvr [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: OpenBSD Zaurus C3200 recommended N. American distributor

Hey,
 How are these companies for Zaurus hw support? Or is there
a better recommended company for importing a Zaurus for OpenBSD?
 http://www.kurnspatrick.com/sharp.html
 http://www.sdgsystems.com/
Me thinks this would be just great for hotspot surfing,
truly mobile admining etc... Which wifi cards do people recommend?
How about bluetooth cards?

Best REgards,
[EMAIL PROTECTED]

Building sendmail with sasl fails at 4.0 -stable (20061201).

[Sebastian Arvidsson Liem]

I want sendmail with sask but when I try to build it it fails.

---

# cat /etc/mk.conf
WANT_SMTPAUTH=yes

---

# cd /usr/src/gnu/usr.sbin/sendmail
# make  make install  make clean
...[lots of output]...
cc  -L/usr/local/lib
-L/usr/src/gnu/usr.sbin/sendmail/sendmail/../libsmutil/obj
-L/usr/src/gnu/usr.sbin/sendmail/sendmail/../libsm/obj  -o sendmail
main.o alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o
daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o map.o
mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o
recipient.o sasl.o savemail.o sfsasl.o shmticklib.o sm_resolve.o
srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o
usersmtp.o util.o version.o -lssl -lcrypto -lsasl2 -lsmutil -lsm
-lwrap
/usr/local/lib/libsasl2.so.2.21: warning: strcpy() is almost always
misused, please use strlcpy()
/usr/local/lib/libsasl2.so.2.21: warning: sprintf() is often misused,
please use snprintf()
/usr/local/lib/libsasl2.so.2.21: warning: strcat() is almost always
misused, please use strlcat()
main.o(.text+0x2288): In function `main':
: undefined reference to `sm_sasl_init'
srvrsmtp.o(.text+0x6112): In function `smtp':
: undefined reference to `iptostring'
srvrsmtp.o(.text+0x6167): In function `smtp':
: undefined reference to `iptostring'
srvrsmtp.o(.text+0x7e76): In function `saslmechs':
: undefined reference to `intersect'
usersmtp.o(.text+0x19fa): In function `attemptauth':
: undefined reference to `iptostring'
usersmtp.o(.text+0x1a76): In function `attemptauth':
: undefined reference to `iptostring'
usersmtp.o(.text+0x1be9): In function `smtpauth':
: undefined reference to `intersect'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /usr/src/gnu/usr.sbin/sendmail/sendmail (line 95 of
/usr/share/mk/bsd.prog.mk).
*** Error code 1

Stop in /usr/src/gnu/usr.sbin/sendmail.

---

Full output is at http://www.liem.se/downloads/output.txt

dmesg at http://www.liem.se/downloads/dmesg.txt

What do I do wrong?

--
Sebastian A. Liem  www.liem.se

Re: Building sendmail with sasl fails at 4.0 -stable (20061201).

[Andreas Bihlmaier]

On Fri, Dec 01, 2006 at 06:30:32PM +0100, Sebastian Arvidsson Liem wrote:
 I want sendmail with sask but when I try to build it it fails.
 
 ---
 
 # cat /etc/mk.conf
 WANT_SMTPAUTH=yes
 
 ---
 
 # cd /usr/src/gnu/usr.sbin/sendmail
 # make  make install  make clean
 ...[lots of output]...
 cc  -L/usr/local/lib
 -L/usr/src/gnu/usr.sbin/sendmail/sendmail/../libsmutil/obj
 -L/usr/src/gnu/usr.sbin/sendmail/sendmail/../libsm/obj  -o sendmail
 main.o alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o
 daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o map.o
 mci.o milter.o mime.o parseaddr.o queue.o ratectrl.o readcf.o
 recipient.o sasl.o savemail.o sfsasl.o shmticklib.o sm_resolve.o
 srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o
 usersmtp.o util.o version.o -lssl -lcrypto -lsasl2 -lsmutil -lsm
 -lwrap
 /usr/local/lib/libsasl2.so.2.21: warning: strcpy() is almost always
 misused, please use strlcpy()
 /usr/local/lib/libsasl2.so.2.21: warning: sprintf() is often misused,
 please use snprintf()
 /usr/local/lib/libsasl2.so.2.21: warning: strcat() is almost always
 misused, please use strlcat()
 main.o(.text+0x2288): In function `main':
 : undefined reference to `sm_sasl_init'
 srvrsmtp.o(.text+0x6112): In function `smtp':
 : undefined reference to `iptostring'
 srvrsmtp.o(.text+0x6167): In function `smtp':
 : undefined reference to `iptostring'
 srvrsmtp.o(.text+0x7e76): In function `saslmechs':
 : undefined reference to `intersect'
 usersmtp.o(.text+0x19fa): In function `attemptauth':
 : undefined reference to `iptostring'
 usersmtp.o(.text+0x1a76): In function `attemptauth':
 : undefined reference to `iptostring'
 usersmtp.o(.text+0x1be9): In function `smtpauth':
 : undefined reference to `intersect'
 collect2: ld returned 1 exit status
 *** Error code 1
 
 Stop in /usr/src/gnu/usr.sbin/sendmail/sendmail (line 95 of
 /usr/share/mk/bsd.prog.mk).
 *** Error code 1
 
 Stop in /usr/src/gnu/usr.sbin/sendmail.
 
 ---
 
 Full output is at http://www.liem.se/downloads/output.txt
 
 dmesg at http://www.liem.se/downloads/dmesg.txt
 
 What do I do wrong?

Do you have cyrus-sasl installed?

No clue, but this works for me (sorry for formating, but it is
copy-pasted from my install script):

die()
{
echo $1 2
exit 1
}
# Pre-setup
ln -s /usr/local/lib/libsasl2.so.2.* /usr/local/lib/libsasl2.so \
|| return 1
echo pwcheck_method: saslauthd  /usr/local/lib/sasl2/Sendmail.conf \
|| return 1
echo pwcheck_method: saslauthd  /usr/local/lib/sasl2/Cyrus.conf \
|| return 1
chmod 444 /usr/local/lib/sasl2/Sendmail.conf \
/usr/local/lib/sasl2/Cyrus.conf || return 1
echo WANT_SMTPAUTH=YES  /etc/mk.conf || return 1

# Build new sendmail
(cd /usr/src/gnu/usr.sbin/sendmail || die Error no src dir;   \
make clean  /root/sendmail_sasl.log 21; \
make  /root/sendmail_sasl.log 21\
|| die Error in make; \
make install  /root/sendmail_sasl.log 21\
|| die Error in make install; \
make clean  /root/sendmail_sasl.log 21  \
|| err Error in make clean)
 
 -- 
 Sebastian A. Liem  www.liem.se

Regards,
ahb

Re: Building sendmail with sasl fails at 4.0 -stable (20061201).

[Sebastian Arvidsson Liem]

On 12/1/06, Andreas Bihlmaier [EMAIL PROTECTED] wrote:

# Pre-setup
ln -s /usr/local/lib/libsasl2.so.2.* /usr/local/lib/libsasl2.so \

Thanks, I forgot that step.

By the way, wonderful OS, just wonderful.

--
Sebastian A. Liem  www.liem.se

Name resolution problem, local machine only, intermittent failure.

[James Herbert (Lists)]

Hi,

I will proceed to describe my symptoms, and at the end of my email I 
will paste as much relevant data as I can think of.


Sometimes, for ping(8), traceroute(8), lynx(8), and other applications, 
name resolution will fail, for some addresses but not for others. For 
example:


$ ping www.google.com
ping: unknown host: www.google.com

$ ping www.openbsd.org
PING www.openbsd.org (129.128.5.191): 56 data bytes
64 bytes from 129.128.5.191: icmp_seq=0 ttl=239 time=162.596 ms

$ ping www.yahoo.com
ping: unknown host: www.yahoo.com

$ ping www.netbsd.org
ping: unknown host: www.netbsd.org

$ ping news.bbc.co.uk
PING newswww.bbc.net.uk (212.58.226.29): 56 data bytes
64 bytes from 212.58.226.29: icmp_seq=0 ttl=56 time=77.718 ms

However, dig(8) can resolve the failing hosts fine, as well as the 
successful ones. (see end for dig(8) logs).


I am running BIND on this machine, and it is serving DNS to my local 
network (upon which all resolutions succeed).


My /etc/resolv.conf is empty and /etc/resolv.conf.tail contains:

lookup file bind
search artyzan.net

I don't understand what's going on here. Your advice appreciated.
Please find attached dig(8) output, contents of 
/var/named/etc/named.conf and my dmesg.


Oh, and sometimes www.google.com will resolve. It did last night, but 
not right now. I haven't rebooted the machine overnight or made any 
changes. Ah, and as I type this, it works again.


Cheers,

James

$ ping www.yahoo.com
ping: unknown host: www.yahoo.com
$ dig @localhost www.yahoo.com

;  DiG 9.3.2-P1  @localhost www.yahoo.com
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 3907
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 4

;; QUESTION SECTION:
;www.yahoo.com. IN  A

;; ANSWER SECTION:
www.yahoo.com.  300 IN  CNAME   www.yahoo-ht2.akadns.net.
www.yahoo-ht2.akadns.net. 60IN  A   209.73.186.238

;; AUTHORITY SECTION:
akadns.net. 88536   IN  NS  usw5.akadns.net.
akadns.net. 88536   IN  NS  asia4.akadns.net.
akadns.net. 88536   IN  NS  za.akadns.org.
akadns.net. 88536   IN  NS  zb.akadns.org.
akadns.net. 88536   IN  NS  zc.akadns.org.
akadns.net. 88536   IN  NS  zd.akadns.org.
akadns.net. 88536   IN  NS  eur1.akadns.net.
akadns.net. 88536   IN  NS  eur7.akadns.net.

;; ADDITIONAL SECTION:
za.akadns.org.  14255   IN  A   204.2.178.133
zb.akadns.org.  14255   IN  A   206.132.100.105
zc.akadns.org.  14255   IN  A   69.45.78.3
zd.akadns.org.  14255   IN  A   63.209.3.132

;; Query time: 240 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Dec  1 18:27:50 2006
;; MSG SIZE  rcvd: 304

~~~

// $OpenBSD: named-simple.conf,v 1.6 2004/08/16 15:48:28 jakob Exp $
//
// Example file for a simple named configuration, processing both
// recursive and authoritative queries using one cache.


// Update this list to include only the networks for which you want
// to execute recursive queries. The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
acl clients {
10.0.0.0/24;
::1;
};

options {
version ; // remove this to allow version queries

listen-on{ 127.0.0.1; 10.0.0.1; };

allow-recursion { clients; };
};

logging {
category lame-servers { null; };
};

// Standard zones
//

zone . {
type hint;
file standard/root.hint;
};

zone localhost {
type master;
file standard/localhost;
allow-transfer { localhost; };
};

zone 127.in-addr.arpa {
type master;
file standard/loopback;
allow-transfer { localhost; };
};

zone 
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa {

type master;
file standard/loopback6.arpa;
allow-transfer { localhost; };
};

zone com {
type delegation-only;
};

zone net {
type delegation-only;
};


// Master zones

zone artyzan.net {
type master;
file master/artyzan.net.zone;
};

zone 0.0.10.in-addr.arpa {
type master;
file master/0.0.10.in-addr.arpa.zone;
};

key rndc-key {
  algorithm hmac-md5;
  secret *hidden*;
};

controls {
  inet 127.0.0.1 port 953
  allow { 127.0.0.1; } keys { rndc-key; };
};

~~~

OpenBSD 4.0-stable (GENERIC) #0: Mon Nov 27 00:42:48 GMT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 349 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR

real mem  = 267939840 (261660K)
avail mem = 236662784 (231116K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at 

Re: Name resolution problem, local machine only, intermittent failure.

[James Herbert (Lists)]

Darren Spruell wrote:

On 12/1/06, James Herbert (Lists) [EMAIL PROTECTED] wrote:

My /etc/resolv.conf is empty and /etc/resolv.conf.tail contains:

lookup file bind
search artyzan.net

I don't understand what's going on here.


You have no nameserver lines in your resolv.conf file(s); how does
your resolver library know who to consult for resolution?


from man resolv.conf(5):

If no nameserver entries are present, the default is to use the name 
server on the local machine.


Also, as you will notice from my email, resolution does work most of the 
time.


I have just added 'nameserver 127.0.0.1' and rebooted, to no avail.

James

Re: Mac Mini (intel) status

[Tasmanian Devil]

http://marc.theaimsgroup.com/?l=openbsd-sparcm=116483175532387w=2

It may be possible to do something similar with the mini?


Maybe, yes. Interesting! :-) At least Macs can do a netboot. Though
you'd probably need an EFI guru to make that work... Bsically there
might even be a more easy way to upgrade the firmware: If the firmware
of a Mac is broken (e.g. due to power failture while upgrading), you
can use a firmware restoration CD to repair it:
http://www.apple.com/support/downloads/firmwarerestorationcd12.html

If I understand that right, the CD contains a few floppy disk images,
each for a different Mac. If the Mac's firmware is broken (and only
then), you can make it boot from such a CD and the restore process
will start and run automatically just from the CD. Unforunately the CD
doesn't contain the latest Mac mini firmware version, so you'd again
need a guru to put the latest firmware into such a floppy disk image,
and you would have to destroy the firmware somehow to make the mini
boot from the restoration CD...

Sorry for being off-topic, all this has not much to do with OpenBSD. ;-)

Tas.

Re: Name resolution problem, local machine only, intermittent failure. *SOLVED*

[James Herbert (Lists)]

Sorry for being thick. My problem was solved by the following:

--- /var/named/etc/named.conf.old   Fri Dec  1 19:12:09 2006
+++ /var/named/etc/named.conf   Fri Dec  1 19:11:11 2006
@@ -11,6 +11,7 @@
 //
 acl clients {
10.0.0.0/24;
+   127.0.0.1;
 };

 options {

Thanks to everyone who responded!

James

Difference between co in OpenCVS and GNU RCS

[Alan Watson]

Hi,

I've just upgraded from OpenBSD/i386 3.8 to 4.0 (yeah, I know), and I've 
run across a difference between the behavior of co in OpenCVS RCS 
(version 3.6) and GNU RCS (version 5.7, in the ports).


Try the following in an empty directory:

$ touch foo
$ mkdir RCS
$ /usr/bin/ci -i foo
RCS/foo,v  --  foo
enter description, terminated with single '.' or end of file:
NOTE: This is NOT the log message!
 .
initial revision: 1.1
done
$ /usr/bin/co -l RCS/foo,v
RCS/foo,v  --  RCS/foo,v
revision 1.1 (locked)
RCS/foo,v exists; remove it? [ny](n): n
co: writable RCS/foo,v exists; checkout aborted
$

If I do the same thing with GNU RCS, the file is checked out for editing:

$ touch foo
$ mkdir RCS
$ gci -i foo
RCS/foo,v  --  foo
enter description, terminated with single '.' or end of file:
NOTE: This is NOT the log message!
 .
initial revision: 1.1
done
$ gco -l RCS/foo,v
RCS/foo,v  --  foo
revision 1.1 (locked)
done
$

The difference causes problems for vc mode in Emacs. I can work around 
it, but I'm reporting it here in case it is a bug in OpenCVS. I've 
googled, but nothing relevant came up.


Regards,

Alan

Re: ifstated wont work if started at boot. Only from command line

[Per-Olov Sjöholm]

On Thu, November 30, 2006 17:19, Per-Olov Sjoholm wrote:
 Hi


 I run ifstated on command line without any flags and everything works
 prefect

 But when I add a statement to rc.local and a variable in rc.conf.local it
  starts at boot but simply refuse to work correctly.

 rc.local if [ X${ifstated} == XYES -a -x /usr/sbin/ifstated \ -a -e
 /etc/ifstated.conf ]; then
 echo -n ' ifstated';   /usr/sbin/ifstated fi

 rc.conf.local ifstated=YES  # YES or NO

 After it started at boot it simply refuse to do the 10 sec poll that I
 have in the ifstated.conf. If I kill ifstated that was started at boot and
 start it from command line with the same statement as from rc.local it
 works as it should.

 



 Anybody with a clue about what is going on here?
 Do I have to use a sleep statement at startup so it will wait for
 everything else (have 10 carps, 3 vlans and 6 physical nics + pfsync etc)?
 I have tried
 with a 30 sec sleep in rc.local before starting it without success

 Thanks in advance
 Per-Olov
 --
 GPG keyID: 4DB283CE
 GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE






Really embarrassing...

wget was specified in ifstated.conf without a full path and therefor
ifstated refused to work at boot but later at manual start


/P

Re: Satisfying dependencies (was: PHP5 install error)

[Joachim Schipper]

On Fri, Dec 01, 2006 at 10:09:30AM -0500, Nick Bender wrote:
 Say that you have decided you want to use the hardened version of php5
 for a dependent package like phpMyAdmin. Is there a way short of
 makefile hacking to get the hardened version to satisfy the
 RUN_DEPENDS clause?

pkg_add the hardened version first?

ld segfaults in OpenBSD 3.9

[Karel Kulhavy]

The default linker in OpenBSD 3.9 segfaults reproducibly:

[EMAIL PROTECTED]:~$ gcc -o -Wall wav2bin wav2bin.c
collect2: ld terminated with signal 11 [Segmentation fault], core dumped
wav2bin(.init+0x0): In function `__init':
: multiple definition of `__init'
/usr/lib/crtbegin.o(.init+0x0): first defined here
wav2bin(.text+0x0): In function `_start':
: multiple definition of `__start'
/usr/lib/crt0.o(.text+0x0): first defined here
wav2bin(.data+0x0): multiple definition of `__progname'
/usr/lib/crt0.o(.data+0x0): first defined here
wav2bin(.text+0x0): In function `_start':
: multiple definition of `_start'
/usr/lib/crt0.o(.text+0x0): first defined here
wav2bin(.fini+0x0): In function `__fini':
: multiple definition of `__fini'
/usr/lib/crtbegin.o(.fini+0x0): first defined here
wav2bin(.text+0x18): In function `___start':
: multiple definition of `___start'
/usr/lib/crt0.o(.text+0x18): first defined here
/tmp//cce21751.o(.text+0x91): In function `process_byte':
: multiple definition of `process_byte'
wav2bin(.text+0x249): first defined here
/usr/bin/ld: Warning: size of symbol `process_byte' changed from 171 in wav2bin 
to 242 in /tmp//cce21751.o
/tmp//cce21751.o(.text+0x183): In function `process_bit':
: multiple definition of `process_bit'
wav2bin(.text+0x2f4): first defined here
/tmp//cce21751.o(.text+0x1d0): In function `process_time':
: multiple definition of `process_time'
wav2bin(.text+0x341): first defined here
/tmp//cce21751.o(.text+0x27e): In function `squelch_reset':
: multiple definition of `squelch_reset'
wav2bin(.text+0x3ef): first defined here
/tmp//cce21751.o(.text+0x2fb): In function `process_loud_sample':
: multiple definition of `process_loud_sample'
wav2bin(.text+0x46c): first defined here
/tmp//cce21751.o(.text+0x37d): In function `process_sample':
: multiple definition of `process_sample'
wav2bin(.text+0x4ee): first defined here
/tmp//cce21751.o(.text+0x3e4): In function `process_samples':
: multiple definition of `process_samples'
wav2bin(.text+0x555): first defined here
/tmp//cce21751.o(.text+0x445): In function `main':
: multiple definition of `main'
wav2bin(.text+0x5b6): first defined here
/usr/lib/crt0.o(.dynamic+0x0): multiple definition of `_DYNAMIC'
/usr/lib/crt0.o(.got.plt+0x0): multiple definition of `_GLOBAL_OFFSET_TABLE_'

bt full:
(gdb) bt full
#0  0x1c01a6a6 in bfd_getl32 ()
No symbol table info available.
#1  0x1c0278a9 in bfd_elf32_swap_reloc_in ()
No symbol table info available.
#2  0x1c038b51 in elf_link_sort_relocs ()
No symbol table info available.
#3  0x1c03b4d7 in bfd_elf_final_link ()
No symbol table info available.
#4  0x1c0107be in ldwrite ()
No symbol table info available.
#5  0x1c00e69e in main ()
No symbol table info available.

What should I do to diagnose the problem? The .c file follows.

CL

#include stdio.h
#include string.h
#include stdlib.h

#define WAV_HDR_LEN 0x2c
#define SAMPLERATE_OFFSET 0x18
#define BDRY1 340 /* us */ 
#define BDRY2 555 /* us */
#define BDRY3 700 /* us */
#define LEAD 100 /* 100 edges */
#define SQUELCH_TIME 300 /* us */

#define PRINT_TIMES 0
#define HDR_SIZE 16

unsigned char wav_header[WAV_HDR_LEN];
float sample_time; /* In microseconds */
unsigned leader_counter=0;
int halfbit;
int firstbit;
unsigned byte_counter; 
unsigned char byte_checksum;
unsigned char flagbyte;
unsigned char type;
unsigned char header[HDR_SIZE]; /* Tape header */

void read_wav_header(void)
{
unsigned short samplerate;
unsigned char *srptr=wav_header+SAMPLERATE_OFFSET;

fread(header, WAV_HDR_LEN, 1, stdin);
if (memcmp(wav_header,RIFF,4)){
fprintf(stderr,wav2bin: Error: input not a WAV file\n);
exit(1);
}
samplerate=*srptr+(*(srptr+1)8);
sample_time=1e6/samplerate;
}

/* Gets all bytes, including flag byte. */
void process_byte(unsigned char byte)
{
byte_checksum^=byte;
if (!byte_counter){
flagbyte=byte;
if (flagbyte==0xff){
fprintf(stderr,Data\n);
}else if (flagbyte==0x00){
fprintf(stderr,Header\n);
}else{
fprintf(stderr,Invalid flagbyte\n);
exit(1);
}
}else{
if (!flagbyte){
if (byte_counterHDR_SIZE) header[byte_counter]=byte;
else{
fprintf(stderr,Header overrun!\n);
exit(1);
}
}
}
if (byte_counter) printf(0x%02x\n,byte);
byte_counter++;
}

void process_bit (int bit)
{
static int bits;
static int byte=0;

byte=1;
byte|=bit;
bits++;
if (bits=8){
process_byte(byte);
bits=0;
byte=0;
}
}

void process_time(float time)
{

if (leader_counter100){
if 

WebDAV

[Gaby Vanhegan]

Hi,

Although the mail archives have little on the topic, as does google,  
are there any major security concerns I should be aware of when  
installing mod_dav under the stock OpenBSD apache1.3, with apache  
chrooted?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/

asus m2npv-vm dmesg?

[b h]

Hi all

Anyone have any experience/info (best being a dmesg) with current support ASUS 
M2NPV-VM motherboard?  quick search on marc didn't reveal any hits.

for your convenience here is a link to the asus page 
http://usa.asus.com/products4.aspx?l1=3l2=101l3=296model=1138modelmenu=1

thanks a lot
b





 

Cheap talk?
Check out Yahoo! Messenger's low PC-to-Phone call rates.
http://voice.yahoo.com

Re: Mac Mini (intel) status

[Brian Keefer]

On Dec 1, 2006, at 8:25 AM, J.C. Roberts wrote:


On Thursday 30 November 2006 15:34, Tasmanian Devil wrote:

Boot Camp: No, it's not required, it works fine with a usual
OpenBSD-only configured internal harddisk, at least with
Boot-ROM-Version MM11.0055.B05 and Boot-ROM-Version MM11.0055.B08. Of
course you can only upgrade if you install a minimal OS X... :-/


I don't have a mini (or any reasonably current Apple hardware) but the
issue you mentioned reminded me of this post by Brian Keefer:

http://marc.theaimsgroup.com/?l=openbsd-sparcm=116483175532387w=2

It may be possible to do something similar with the mini?

Kind Regards,
JCR


I'm skeptical of that working on the MacIntels.  Looking in
/Applications/Utilities/MacBook Pro EFI Firmware Update.app/Contents/ 
Resources


I see the following interesting bits:
EFIUpdaterApp.efi
LOCKED_MBP11_0055_08B.fd
LOCKED_MBP12_0061_03B.fd

According to file(1) the first is a MSDOS executable, and the next  
two are data files.  I vaguely recollect from my DOS days that  
flashing the BIOS on PC motherboards required a flash utility, and a  
data file (unlike Sun, where you just boot the flash updater in place  
of a kernel--in my weak understanding).


Now there is a Firmware Restoration CD available from Apple that  
you can burn to a CD, but apparently this only works if:

1.)  You have partially flashed the firmware and suffered a failure
and
2.)  You have to play their power button + flashing lights game of  
whack-a-mole.


I profess to know nothing about low-level workings of machinery, but  
if these MacIntels have a somewhat PC-like boot process, perhaps you  
could make a DOS boot CD with the three files above, boot while  
holding down 'c', and run EFIUpdaterApp.efi from a DOS prompt?  I'm  
sure there are all kinds of good reasons why that's impossible, but  
that's my wild-ass-guess.


In any case, I highly doubt you could do this with a net boot since  
the firmware update does not appear to be a self-contained executable  
and might need a command interpreter to work.


Brian Keefer
www.Tumbleweed.com
The Experts in Secure Internet Communication

Re: Symbolic link insecure?

[Clint Pachl]

Alexander Hall wrote:

Alexander Hall wrote:

Tasmanian Devil wrote:



Sorry, I was too fast, I just saw that symbolic links don't have
modes. I don't now then, sorry!


I'd say they do have modes, but they are not very useful:

$ umask 777; ln -s a b
$ umask 000; ln -s a c
$ ls -lF
total 0
l-  1 alexander  staff  1 Dec  1 11:47 b@ - a
lrwxrwxrwx  1 alexander  staff  1 Dec  1 11:47 c@ - a
$ echo test  a
$ cat b
test
$ cat c
test


Ok... can someone please make this clear to me?
This is an excellent take home assignment. Just plug it into your shell 
and see for yourself.


Looking into the man pages, it is stated over and over again that 
symbolic links do not have modes. Do they _really_ not have them (see 
example above), or are they just never used?
The Devil is just demonstrating that symbolic link permissions are 
immaterial. Ultimately, it is the permissions of the target that 
determine rights. I am not sure why then symbolic links have 
permissions, but I can hypothesize that they exist for consistency. In 
the filesystem code it is probably easiest to treat everything uniformly.


-pachl

Re: Symbolic link insecure?

[Prabhu Gurumurthy]

Heinrich Rebehn wrote:

Hi list,

i am getting a daily insecurity report from my system system saying:

##
Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
etc/pf.conf:
type (file, link)
permissions (0600, 0755)
##

I am actually using a symbolic link for /etc/pf.conf:

ls -l /etc/pf.conf*
lrwxr-xr-x  1 root  wheel 11 Nov 30 17:04 /etc/pf.conf - pf.conf.001
-rw---  1 root  wheel  10529 Nov 14 10:18 /etc/pf.conf.000
-rw---  1 root  wheel  10582 Nov 30 18:12 /etc/pf.conf.001

I do this in order to save different versions of the file.

My question: Is a symbolic link really insecure? Or is this just a 
deficiency of /etc/security?


I could use hard links instead of soft links as a workaround, but then 
one cannot as easily see where the link points to.


Sorry if this might sound like nitpicking, but i do not want to get used 
to ignoring security warnings.


Thanks for any help,

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341




Two things, use rcs.. that save you headaches, instead of multiple versions of 
file, use one file, with multiple diffs.. Other the email is really about the 
sym link as others pointed out. If you use RCS you can have the versioning 
system in place as you already have it, although in a scalable way IMO, and no 
/etc/security email about shouldbe, reallyis


HTH
Prabhu
-

Re: ld segfaults in OpenBSD 3.9

[Arnaud Bergeron]

On 12/1/06, Karel Kulhavy [EMAIL PROTECTED] wrote:

The default linker in OpenBSD 3.9 segfaults reproducibly:

[EMAIL PROTECTED]:~$ gcc -o -Wall wav2bin wav2bin.c


Try

$ gcc -Wall -o wav2bin wav2bin.c

But there is still a problem.  If you link a source file with its
resulting binary, it segfaults ld:

[EMAIL PROTECTED]:/home/anakha/dev/c/tmp$ cat test.c
int main() {
   return 0;
}
[EMAIL PROTECTED]:/home/anakha/dev/c/tmp$ gcc -o test test.c
[EMAIL PROTECTED]:/home/anakha/dev/c/tmp$ gcc -o -Wall test test.c
collect2: ld terminated with signal 11 [Segmentation fault], core dumped
test(.init+0x0): In function `__init':
: multiple definition of `__init'
/usr/lib/crtbegin.o(.init+0x0): first defined here
test(.text+0x0): In function `_start':
: multiple definition of `__start'
/usr/lib/crt0.o(.text+0x0): first defined here
test(.data+0x0): multiple definition of `__progname'
/usr/lib/crt0.o(.data+0x0): first defined here
test(.text+0x0): In function `_start':
: multiple definition of `_start'
/usr/lib/crt0.o(.text+0x0): first defined here
test(.fini+0x0): In function `__fini':
: multiple definition of `__fini'
/usr/lib/crtbegin.o(.fini+0x0): first defined here
test(.text+0x18): In function `___start':
: multiple definition of `___start'
/usr/lib/crt0.o(.text+0x18): first defined here
/tmp//ccK15620.o(.text+0x0): In function `main':
: multiple definition of `main'
test(.text+0x1b8): first defined here
/usr/lib/crt0.o(.dynamic+0x0): multiple definition of `_DYNAMIC'
/usr/lib/crt0.o(.got.plt+0x0): multiple definition of `_GLOBAL_OFFSET_TABLE_'

--
I'm trying to launch the internet; so I open a terminal and go
percent sign 'Internet' at the prompt and it doesn't work. What
gives??!! -- random troll

Re: Mac Mini (intel) status

[Marco S Hyman]

  Ah, yes, booting from CD. Maybe I was really a little bit lucky with
  that because it worked quite well here right from the beginning. ;-)

I'm not being so lucky :-(

  Boot Camp: No, it's not required, it works fine with a usual
  OpenBSD-only configured internal harddisk, at least with
  Boot-ROM-Version MM11.0055.B05 and Boot-ROM-Version MM11.0055.B08. Of

macos says I'm running MM11.0055.B08.   When I first fired the system
up (just to verify that it was working OK) it downloaded new firmware
and had be go throught the power cycle dance holding the power button
to do the update so I expect the box came with MM11.0055.B05.

  Some recent CD: The 4.0 release CD and snapshots from Nov. 12, 2006 or
  later should boot fine, a few snapshots between that didn't work. You
  don't need a -current boot CD to install a -current (or snapshot) file
  set.

Not working for me. I get this far:

CD_ROM: 90
Loading /CDBOOT
probing: pc0 com0 mem(699K 991M a20=on)
disk: hd0+* cd0
boot c

and there it stays forever.   I suspect the c following the boot prompt
is left over from hold c to boot from cd.   The keyboard at this point
is dead.

Any ideas?  I'd really like to get OpenBSD up on this beasty.  I've
tried several different home grown CDs plus the 11/29 snapshot CD from
ftp.openbsd.org.

// marc

SendmailDNSBL

[Mike Spenard]

Hi,
I have sendmail configured for the following hypothetical domains:
mydomaina.com
mydomainb.com

I would like sendmail to do DNSBL checking on mydomaina.com but not 
mydomainb.com,

is this possible?

-Mike

Re: Difference between co in OpenCVS and GNU RCS

[Otto Moerbeek]

On Fri, 1 Dec 2006, Alan Watson wrote:

 Hi,
 
 I've just upgraded from OpenBSD/i386 3.8 to 4.0 (yeah, I know), and I've run
 across a difference between the behavior of co in OpenCVS RCS (version 3.6)
 and GNU RCS (version 5.7, in the ports).

This has been fixed in -current.

-Otto

 
 Try the following in an empty directory:
 
 $ touch foo
 $ mkdir RCS
 $ /usr/bin/ci -i foo
 RCS/foo,v  --  foo
 enter description, terminated with single '.' or end of file:
 NOTE: This is NOT the log message!
  .
 initial revision: 1.1
 done
 $ /usr/bin/co -l RCS/foo,v
 RCS/foo,v  --  RCS/foo,v
 revision 1.1 (locked)
 RCS/foo,v exists; remove it? [ny](n): n
 co: writable RCS/foo,v exists; checkout aborted
 $
 
 If I do the same thing with GNU RCS, the file is checked out for editing:
 
 $ touch foo
 $ mkdir RCS
 $ gci -i foo
 RCS/foo,v  --  foo
 enter description, terminated with single '.' or end of file:
 NOTE: This is NOT the log message!
  .
 initial revision: 1.1
 done
 $ gco -l RCS/foo,v
 RCS/foo,v  --  foo
 revision 1.1 (locked)
 done
 $
 
 The difference causes problems for vc mode in Emacs. I can work around it, but
 I'm reporting it here in case it is a bug in OpenCVS. I've googled, but
 nothing relevant came up.
 
 Regards,
 
 Alan

Re: Difference between co in OpenCVS and GNU RCS

[Alan Watson]

Many thanks.

Alan

spews1- i/o error

[Frank Bax]

Since 10:00 am EST:

spamd-setup: Could not add blacklist spews1: Input/output error

Re: Mac Mini (intel) status

[Tasmanian Devil]

I'm not being so lucky :-(


I'm sure you will not give up, it's worth it! :-)


  Some recent CD: The 4.0 release CD and snapshots from Nov. 12, 2006 or
  later should boot fine, a few snapshots between that didn't work. You
  don't need a -current boot CD to install a -current (or snapshot) file
  set.

Not working for me. I get this far:

CD_ROM: 90
Loading /CDBOOT
probing: pc0 com0 mem(699K 991M a20=on)
disk: hd0+* cd0
boot c

and there it stays forever.   I suspect the c following the boot prompt
is left over from hold c to boot from cd.   The keyboard at this point
is dead.

Any ideas?


Of course! :-) And yes, you're probably right with the c key. I'd
try it step by step now. The mini boots from CD without holding any
key, even without a keyboard attached, as long as there's no OS on the
harddisk. You want to use OpenBSD only, right? So I'd configure the
internal harddisk with one MS-DOS partition using the Disk Utility on
the Mac OS X install CD. You can even write a MS-DOS MBR with that
utility, though that's not really necessary at this point, you can do
that later with fdisk. Just remove the OS.

The mini should boot from an OpenBSD boot CD then, also without a
keybard and without pressing any key. Does it do that? If you have an
ACPI enabled kernel on the boot CD, the USB keyboard should work fine
then as soon as you attach it.

Tas.

Re: Moving from tcsh to pdksh: how to recall partially typed in command? (ESC-p)

[Alexander Farber]

Hello Otto,

On 11/30/06, Otto Moerbeek [EMAIL PROTECTED] wrote:

Turns out matthieu@ already made an updated diff some time ago. Here it is.


thank you for the patch. There seems to be a problem:

I type an l (ell) and then use ESC-p to cycle through the
previously typed commands starting with that letter.
They are displayed fine, but they never stop (but cycle).

And when I type ESC-n, then the displayed command
sometimes stucks (doesn't change to the next one).

Same problem is with the UP/DOWN arrow keys, when I define:

  bind '^XA'=history-search-backward
  bind '^XB'=history-search-forward

BTW I've noticed an unchecked strdup() in emacs.c which
is probably better written as:

   if ((orig_xbuf = strdup(xbuf)) == NULL)
   internal_errorf(1, unable to allocate memory);

Regards
Alex

--
http://preferans.de

dynamic update of gateway for route-to rules in pf.conf on dhcp interface?

[Bill Meigs]

Is there a way to dynamically update the gateway ip address on the dhcp 
interface along with ip address in the load balancing rules?


http://www.openbsd.org/faq/pf/pools.html has a sample pf.conf file

ext_if1 = fxp0
ext_if2 = fxp1
ext_gw1 = 68.146.224.1
ext_gw2 = 142.59.76.1

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any


In this pass out rule it's my understanding that if the $ext_if2 or fxp1 
ip address changes the firewall rules will be updated automatically.
However, it looks to me like the $ext_gw2 will not be updated if it 
changes since the variable points to an explicit ip address.
Is there a way to update the gateway ip address for that interface 
without writing some script to modify the pf.conf file and then reload 
the rule set?


Thank You.

How is this BSD Auth error possible?

[William Ahern]

From /usr/src/lib/libc/gen/auth_subr.c. When using auth_userokay(3) I keep
getting the message dup of backchannel: Bad file descriptor. Yet, I'm
puzzled how the condition could even occur (the last line is the only place
this message exists in the entire source tree):

if (socketpair(PF_LOCAL, SOCK_STREAM, 0, pfd)  0) {
syslog(LOG_ERR, unable to create backchannel %m);
_warnx(internal resource failure);
goto fail;
}

switch (pid = fork()) {
case -1:
syslog(LOG_ERR, %s: %m, path);
_warnx(internal resource failure);
close(pfd[0]);
close(pfd[1]);
goto fail;
case 0:
#define COMM_FD 3
#define AUTH_FD 4
if (dup2(pfd[1], COMM_FD)  0)
err(1, dup of backchannel);

Re: OpenBSD 4.0 -current + cups-1.2.5p0

[James Turner]

Well I fixed the permissions problem by chgrp /dev/ulpt0 to _cups. 
However now when I try to print there are no errors and nothing is sent 
to the printer.  This might be my filters problem.  I have a MFC-210C 
and the only drivers available are linux ones, but they are just a lpr 
and cups-wrapper shell script.  If anyone has any other reasons why it 
won't print other then the filter I'd appreciate the suggestions.

Re: OpenBSD 4.0 -current + cups-1.2.5p0

[Pierre Lamy]

Hint: Try setting the LogLevel to debug to find out more.

James Turner wrote:
Well I fixed the permissions problem by chgrp /dev/ulpt0 to _cups. 
However now when I try to print there are no errors and nothing is 
sent to the printer.  This might be my filters problem.  I have a 
MFC-210C and the only drivers available are linux ones, but they are 
just a lpr and cups-wrapper shell script.  If anyone has any other 
reasons why it won't print other then the filter I'd appreciate the 
suggestions.

Re: OpenBSD 4.0 -current + cups-1.2.5p0

[James Turner]

Forgot about that, thanks.  It seems I miss spoke earlier.  The package 
from Brother actually contained one linux binary and library file. 
After enabling linux emulation new errors keep popping up.  It's so hard 
to debug this shit when each new shell script passes off it's output to 
another shell script using cat and pipes.  Needless to say my eyes hurt 
to much to look at this anymore tonight.


Pierre Lamy wrote:

Hint: Try setting the LogLevel to debug to find out more.

James Turner wrote:
Well I fixed the permissions problem by chgrp /dev/ulpt0 to _cups. 
However now when I try to print there are no errors and nothing is 
sent to the printer.  This might be my filters problem.  I have a 
MFC-210C and the only drivers available are linux ones, but they are 
just a lpr and cups-wrapper shell script.  If anyone has any other 
reasons why it won't print other then the filter I'd appreciate the 
suggestions.