Re: vic(4) on ESX 3.0.2

2007-10-15 Thread Christian Plattner
Sometimes it is very annoying that your settings in the .vmx won't be 
respected / changed back by the VI client.


A very slow, but bullet-proof method is the following:

1.) Connect directly with the VI client to the ESX
(I do not have virtual center)

2.) Stop the VM and remove it from the inventory.
(right click on the vm in the left panel,
then "Remove from the Inventory")

3.) Change the .vmx file, i.e., append something like

(if you want to use the em driver and have 3 interfaces)

ethernet0.virtualDev = "e1000"
ethernet1.virtualDev = "e1000"
ethernet2.virtualDev = "e1000"

or (if you want to use the vic driver)

ethernet0.virtualDev = "vmxnet"
ethernet1.virtualDev = "vmxnet"
ethernet2.virtualDev = "vmxnet"

4.) Add the VM again to the repository.

(With the VI client, go to the global Configuration Tab,
click on "Storage (SCSI, SAN and NFS)", then right-click
on the storage (i.e., typically "storage1") and choose "Browse
Datastore...". Search for the .vmx file and then via
right-click "Add to Inventory".)



MegaRAID SAS 8204XLP (amd64)

2007-10-15 Thread Taso N. Devetzis
Hello,

Per the man page, the mfi driver supports the MegaRAID SAS family of
RAID controllers, including the 8208XLP.  Can anyone confirm/deny
support for the 4-port version (8204XLP) in 4.x?  While the LSI/Dell
MegaRAID SAS controller family is mentioned on the amd64 platform
page, I would like to confirm support for this specific model.  I have
searched the mail archives and Google with no results.

Opinions on this HBA are welcome as well (trying to avoid 3Ware).

Thanks,
/taso



Max clients of OpenSSH

2007-10-15 Thread Bibby
Hi, folks,

Where/How can I set the max client number of OpenSSH?
sshd_config(5) and sshd(8) do not contain any info about this.

I use OpenSSH 4.3p2(RHEL 5 Client).

Thanks very much.

--
Best Regards.



Re: misplacement in dhclient.conf.5

2007-10-15 Thread Jason McIntyre
On Mon, Oct 15, 2007 at 02:56:14PM +0200, Vincent GROSS wrote:
> Hi folks,
> 
> I found a misleading statement in dhclient.conf.5 : the description of
> the 'script' statement is in the lease declaration section, which can
> lead someone to think the script statement is a part of the static
> lease declaration.
> 

fixed now, thanks.
jmc



Re: dmesglog request

2007-10-15 Thread Antti Harri

On Mon, 15 Oct 2007, Marco S Hyman wrote:


> You find it strange that a site with a well known address and thus
> a magnet for spam would use spam filtering?   I'd find it strange
> if it didn't.


Yes, I do that it uses *such* mechanisms to achieve that and
like I already said I didn't even get errors back. I got really frustrated
from typing the sendbug form at least ten times. The bug wasn't
fixed either when I finally got it through but that's a different story ;-)

--
Antti Harri



Re: dmesglog request

2007-10-15 Thread Marco S Hyman
Antti Harri writes:

 > > Standard anti-spam action these days.
 > [rest snipped]
 > 
 > Maybe so, but I find it very strange for sendbug's server to have
 > such restrictions. I even didn't get any errors back.

You find it strange that a site with a well known address and thus
a magnet for spam would use spam filtering?   I'd find it strange
if it didn't.

// marc



Re: dmesglog request

2007-10-15 Thread Antti Harri

On Mon, 15 Oct 2007, Marco S Hyman wrote:


> > Some time ago I tried to submit a bug report through sendbug
> > but couldn't get it through. I didn't investigate much but IIRC
> > it was because the hostname of the box wasn't valid (missing MX records
> > or whatever) and the receiving smtp daemon discarded the message.
>
> Standard anti-spam action these days.

[rest snipped]

Maybe so, but I find it very strange for sendbug's server to have
such restrictions. I even didn't get any errors back.

--
Antti Harri



Re: dmesglog request

2007-10-15 Thread Marco S Hyman
 > Some time ago I tried to submit a bug report through sendbug
 > but couldn't get it through. I didn't investigate much but IIRC
 > it was because the hostname of the box wasn't valid (missing MX records
 > or whatever) and the receiving smtp daemon discarded the message.

Standard anti-spam action these days.  The contents of /etc/myname had
better be a fully qualified domain name that matches the address of the
box and the reverse DNS should point back to that name, too.  If it
doesn't then your mail will often be rejected.

That's assuming you're not getting your address from dhcp, of course.
If you get your address from your ISP via dhcp you'll have to find out
what your ISP needs to set the hostname to something of your liking.
Otherwise it is likely to be something like 206-45-94-138.static.mts.net
(someone currently stuck in my greytrap database :-)

// marc



Re: dmesglog request

2007-10-15 Thread Antti Harri

On Tue, 16 Oct 2007, Sunnz wrote:


> Excuse me for my n00bish question, I always have tried the command:
>
> dmesg | mail -s "old p5 rescued from the dump" [EMAIL PROTECTED]
>
> But it always seems like it doesn't work and that I am supposed to
> set up sendmail first? So I ended up copying the dmesg stuff and sending it
> in my own e-mail client later, which may not always be the best thing
> to do.
>
> Has anyone had a similar experience before?


Some time ago I tried to submit a bug report through sendbug
but couldn't get it through. I didn't investigate much but IIRC
it was because the hostname of the box wasn't valid (missing MX records
or whatever) and the receiving smtp daemon discarded the message.

--
Antti Harri



Re: dmesglog request

2007-10-15 Thread Darrin Chandler
On Tue, Oct 16, 2007 at 01:15:28PM +1000, Sunnz wrote:
> Excuse me for my n00bish question, I always have tried the command:
> 
> dmesg | mail -s "old p5 rescued from the dump" [EMAIL PROTECTED]
> 
> But it always seems like it doesn't work and that I am supposed to
> set up sendmail first? So I ended up copying the dmesg stuff and sending it
> in my own e-mail client later, which may not always be the best thing
> to do.
> 
> Has anyone had a similar experience before?

Yes, your sendmail must be able to send mail for the mail command to
work. You can either copy as you've been doing, or wait until you have
your box sending mail properly.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: dmesglog request

2007-10-15 Thread Sunnz
Excuse me for my n00bish question, I always have tried the command:

dmesg | mail -s "old p5 rescued from the dump" [EMAIL PROTECTED]

But it always seems like it doesn't work and that I am supposed to
set up sendmail first? So I ended up copying the dmesg stuff and sending it
in my own e-mail client later, which may not always be the best thing
to do.

Has anyone had a similar experience before?

2007/10/16, Theo de Raadt <[EMAIL PROTECTED]>:
> I would like to remind people that we all benefit greatly whenever our
> users send copies of their systems' boot messages to our archive.
>
> Please do not send MIME encoded mail.  Please do not send messages
> which have been line-wrapped.  Messages which are in plain-text are
> easier for our developers to grep and search through.
>
> The best way to send the messages is by doing this directly on the
> machine in question:
>
> dmesg | mail -s "old p5 rescued from the dump" [EMAIL PROTECTED]
>
> A clear subject helps us know what the machine is (as developers we
> continue to try to include more detailed BIOS information in the dmesg
> output, but you as users can help us even more by providing other
> details).
>
> If at all possible, it is best if the dmesg is from a standard project
> compiled GENERIC, GENERIC.MP, or RAMDISK kernel of some kind, perhaps
> with subsystems like acpi enabled if need be.  This is just so that we
> have less variables to deal with.
>
> If you feel like it, you can also include other information before the
> dmesg, such as sensor output, or a commentary on things that work or
> don't work on the machine.
>
> The archive is only ever read by developers, so the secrets about your
> hardware are safe.  We don't promise that your submission will improve
> our support, but it definitely gives us a feeling as to what types of
> hardware are more urgently needing support in our community.
>
> Thanks a lot.
>
>


-- 
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: How can i boot a bsd.rd from windows 2000 ?

2007-10-15 Thread nikolai
> Hello everyone. My situation is this:
> i've a laptop, a Sharp pc-ax10 with Windows 2000 preinstalled , without
> cdrom, floppy. I wish install OpenBSD on it. Naturally bios can't boot
> from USB.
> So i've thinked to boot the bsd.rd , but how ? The faq explain the
> procedure from an older OpenBSD operating system... i've Windows 2000 on
> it.
>
> Is it possible ? and if is possible, in which way ? Where i must put the
> bsd.rd and in which way i can boot from him ?
>
> I've tried google, but nothing :-(
>
> Thanks for the attention
>
> Christopher Bianchi
>
>

Christopher,

Check out http://www.openbsd.org/faq/faq4.html#Multibooting,
the "Windows NT/2000/XP NTLDR" section.
Worked perfectly for me on W2K.

--
 Nick



Re: : Which remvable drive is connected to which USB port

2007-10-15 Thread Edwards, David (JTS)
> -Original Message-
> From: Antti Harri [mailto:[EMAIL PROTECTED]
> Sent: Monday, 15 October 2007 6:24 PM
> To: Edwards, David (JTS)
> Cc: misc@openbsd.org
> Subject: Re: : Which remvable drive is connected to which USB port
>
> Hi,
>
> I haven't followed this thread but this sounds like
> similar to the problem I had with USB printers.
> I had several and turning them randomly on made them have
> different ulptX device. I made a script for hotplug
> that creates symlink that points to the right
> device node. So, if you modify my script and
> use disklabel and labels beforehand, maybe it will
> help you.
>
> See for more details:
> http://users.openbsd.fi/iku/opensource/hotplug-1.1.tar.gz

Thanks for that.  I didn't actually want to use hotplugd
if I could help it as I was trying for a different
approach.

I was hoping to use physical labels on the USB disks
with labelled USB cables but I've just found out during
testing that the connection between a USB device and a
physical cable is not as simple as I first thought.

I unplugged all the disks and plugged one back into
a labelled port.  That port used to be /dev/usb4 "addr 5".
but it seems it's now /dev/usb4 "addr 3" and "addr 5" doesn't
seem to exist anymore.

Looks like I'm going to have to use disklabel to label each
disk and hotplug to mount them.  The backup script will
have to check the mount point to make sure the disk is
mounted and unmount it after the backup is finished.

In other words, the script I posted earlier is useless
folks..

My problem now is to figure out how to get our people
to work with this.  Preparing a new USB disk is not going
to be easy for them.  I'm probably going to have to write
a web interface for it.

Thanks for the help everyone!

ciao
dave
---
Dave Edwards



Re: Download or Fetch Packages w/o Install?

2007-10-15 Thread Jeremy Evans
On 10/15/07, Clint Pachl <[EMAIL PROTECTED]> wrote:
> Is it possible to download a package and its dependencies, to PKG_CACHE
> for instance, without installing anything?
>
>

Just use pkg_add -n.  It'll place the package and all dependencies in
PKG_CACHE without actually installing the package or dependencies.

Jeremy



dmesglog request

2007-10-15 Thread Theo de Raadt
I would like to remind people that we all benefit greatly whenever our
users send copies of their systems' boot messages to our archive.

Please do not send MIME encoded mail.  Please do not send messages
which have been line-wrapped.  Messages which are in plain-text are
easier for our developers to grep and search through.

The best way to send the messages is by doing this directly on the
machine in question:

dmesg | mail -s "old p5 rescued from the dump" [EMAIL PROTECTED]

A clear subject helps us know what the machine is (as developers we
continue to try to include more detailed BIOS information in the dmesg
output, but you as users can help us even more by providing other
details).

If at all possible, it is best if the dmesg is from a standard project
compiled GENERIC, GENERIC.MP, or RAMDISK kernel of some kind, perhaps
with subsystems like acpi enabled if need be.  This is just so that we
have less variables to deal with.

If you feel like it, you can also include other information before the
dmesg, such as sensor output, or a commentary on things that work or
don't work on the machine.

The archive is only ever read by developers, so the secrets about your
hardware are safe.  We don't promise that your submission will improve
our support, but it definitely gives us a feeling as to what types of
hardware are more urgently needing support in our community.

Thanks a lot.



Re: hardening BSD (was systrace/stsh policies)

2007-10-15 Thread Aaron

Aaron wrote:

Joachim Schipper wrote:

On Thu, Oct 11, 2007 at 08:54:42PM +0200, Xavier Mertens wrote:
 

Hi *,

I'm busy with a systrace/stsh implementation but there is a lack of standard
policies (IMHO). Any idea where I can find some ready-to-use policies?

I must be missing some important ones, when the user logs in, he got immediately
the following error:

systrace: getcwd: Permission denied



You should probably do a Google search on systrace before continuing
further down this road. In particular, I believe the issue highlighted
by Robert Watson has not been fixed yet (although I could be wrong, and
would be happy to be wrong in this case).

Otherwise, I seem to recall a repository of configurations called 'hairy
eyeball'. And the interactive policy generators (xsystrace for instance)
can be pretty useful, too.

Joachim

  
I hope i'm not out of line changing the thread but this seemed like a 
good place to ask this question.


   I'm fairly new to OpenBSD and have set up a few machines, nothing 
production, trying out configurations, rebuilding, patching etc. 
before i felt comfortable putting one in production.  One thing I did 
read up on, where i could find it, was hardening beyond the default 
install.Two of the tools that most of the hardening articles i 
found, Securelevels and systrace, (the third one seems to be common 
sense), have now seemingly been rendered useless.  I followed the huge 
thread on "why can't openbsd's securelevels be saved" and now this 
thread has alerted me to the fact that systrace is able to be 
circumvented.  I also noticed that Joachim commented on both so I 
figured this for a good place for this topic.
   I'm wondering if there are other tools/ways besides these that I 
just haven't heard of to do similar things(hardening of the system) or 
if there is in effect no way to do the things that, these two tools, 
specifically systrace has historically handled(is there really a need 
in the first place?).  I say specifically systrace because from the 
discussions i've been reading, the whole securelevel methodology, to 
the people that do the work on OpenBSD,  is flawed.  I'm not here to 
dispute or even to discuss that point, as currently I can't program 
(nor afford to hire people that can) so my likes and dislikes are moot.
   Like i say, i'm still relatively new to OpenBSD so I'm just looking 
for insight, I haven't used systrace in the past, and until about a 
week ago was working with securelevels but then found the 
aforementioned article.  I had abandoned the securelevel method in 
light of the 'issue'(s)/false sense of security with securelevels and 
from the discussion had decided to pick up with systrace, until i saw 
this thread yesterday.
   Is it more common than not, to not worry as much about "hardening" 
the OS, via these methods, but rather just to make 'hopefully' wise 
decisions, install the least amount of software as you need, physical 
separations(i.e. logging to remote server instead of sappnd'ing your 
logs)(but what happens when after getting root on the system producing 
logs, the attacker proceeds to work towards your logging server?) and 
stay current w/at least the stable branch?
   I guess with all the hoopla about 'hardening'/trusted this and 
that/fuzzy knobs(i.e. SE Linux) i got a little overzealous looking for 
ways to tweak things (which i know can end up either making things 
less secure (especially with false sense of security) or just plain 
breaking them), but if there is/are acceptable, ways, I'd at least 
like to be aware of them and the scope of their use from the people 
that know OpenBSD best.


Thanks,

Aaron

   Thanks to everyone for answering/explaining what i know is in no way 
an easy question to answer with really an infinite number of answers 
depending on the skill set of the person answering and also the level of 
the person asking.  Like I said originally I'm fairly new to Openbsd, 
and to be honest, when i read that securelevels was able to be defeated 
and to move to systrace, i was a little overwhelmed reading up on it and 
looking at the examples.  The types of machines I will be running (when 
i feel comfortable enough with openbsd)(and am concerned about 
protecting, should i be more concerned about protecting my OBSD 
workstation too?  I run pf and only allow pass out w/return traffic 
allowed, no services at all) will be single or dual purpose servers.. 
i.e. http, smtp, imap etc, not machines that are running X and all my 
fav ports like amule (not that i would ever download anything from there 
anyway, that's just not safe :-)) I don't allow remote logins even via 
ssh except for the local networks, I always have a firewall in front of 
my public servers with rate limits (overload for pf fans) and I had  
decided a while back i was going to forgo the new bells and whistles in 
the latest and greatest versions of software, due to 
simplicity/security's sake. and only  run packages 

isakmpd vs. Cisco 3002

2007-10-15 Thread Jeff Simmons
Trying to get OpenBSD and the Cisco 3002 to set up an ipsec tunnel, it was 
fairly easy and straightforward to get them to authenticate each other via 
x.509 certs. But then the main mode negotiation breaks down after a lot of 
trying, and isakmpd gives up. Various attempts to get things running by 
adding 'main' and 'quick' statements to ipsec.conf failed. If anyone can tell 
me why this would be happening it would be greatly appreciated.

The short story:

grendel:~# cat /var/log/daemon

Oct 15 13:10:57 grendel isakmpd[22058]: message_negotiate_sa: no compatible 
proposal found
Oct 15 13:10:57 grendel isakmpd[22058]: dropped message from 10.20.20.10 port 
500 due to notification type NO_PROPOSAL_CHOSEN

The much longer story:

grendel:~# cat /etc/ipsec.conf

ike passive esp from 10.20.20.1 to 10.20.20.10

grendel:~# isakmpd -d -K -a -D 8=99

181458.243050 Default log_debug_cmd: log level changed from 0 to 99 for class 
8 [priv]
181613.644890 Negt 30 message_negotiate_sa: transform 4 proto 1 proposal 1 ok
181613.645087 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 
3DES_CBC, expected AES_CBC
181613.645154 Negt 20 ike_phase_1_validate_prop: failure
181613.645220 Negt 30 message_negotiate_sa: proposal 1 failed
181613.645287 Negt 30 message_negotiate_sa: transform 5 proto 1 proposal 1 ok
181613.645395 Negt 70 attribute_unacceptable: ENCRYPTION_ALGORITHM: got 
3DES_CBC, expected AES_CBC
181613.645457 Negt 20 ike_phase_1_validate_prop: failure
181613.645517 Negt 30 message_negotiate_sa: proposal 1 failed
181613.645581 Negt 30 message_negotiate_sa: transform 6 proto 1 proposal 1 ok
181613.645673 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, 
expected MODP_1024
181613.645732 Negt 20 ike_phase_1_validate_prop: failure
181613.645790 Negt 30 message_negotiate_sa: proposal 1 failed
181613.645882 Negt 30 message_negotiate_sa: transform 19 proto 1 proposal 1 ok
181613.645972 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.646030 Negt 20 ike_phase_1_validate_prop: failure
181613.646089 Negt 30 message_negotiate_sa: proposal 1 failed
181613.646153 Negt 30 message_negotiate_sa: transform 20 proto 1 proposal 1 ok
181613.646241 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.646300 Negt 20 ike_phase_1_validate_prop: failure
181613.646358 Negt 30 message_negotiate_sa: proposal 1 failed
181613.646422 Negt 30 message_negotiate_sa: transform 21 proto 1 proposal 1 ok
181613.646679 Negt 20 ike_phase_1_validate_prop: failure
181613.646749 Negt 30 message_negotiate_sa: proposal 1 failed
181613.646815 Negt 30 message_negotiate_sa: transform 22 proto 1 proposal 1 ok
181613.646958 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got MD5, 
expected SHA
181613.647023 Negt 20 ike_phase_1_validate_prop: failure
181613.647137 Negt 30 message_negotiate_sa: proposal 1 failed
181613.647206 Negt 30 message_negotiate_sa: transform 23 proto 1 proposal 1 ok
181613.647459 Negt 20 ike_phase_1_validate_prop: failure
181613.647530 Negt 30 message_negotiate_sa: proposal 1 failed
181613.647595 Negt 30 message_negotiate_sa: transform 24 proto 1 proposal 1 ok
181613.647737 Negt 70 attribute_unacceptable: HASH_ALGORITHM: got MD5, 
expected SHA
181613.647803 Negt 20 ike_phase_1_validate_prop: failure
181613.647866 Negt 30 message_negotiate_sa: proposal 1 failed
181613.647931 Negt 30 message_negotiate_sa: transform 25 proto 1 proposal 1 ok
181613.648022 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.648081 Negt 20 ike_phase_1_validate_prop: failure
181613.648144 Negt 30 message_negotiate_sa: proposal 1 failed
181613.648209 Negt 30 message_negotiate_sa: transform 26 proto 1 proposal 1 ok
181613.648299 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.648358 Negt 20 ike_phase_1_validate_prop: failure
181613.648420 Negt 30 message_negotiate_sa: proposal 1 failed
181613.648485 Negt 30 message_negotiate_sa: transform 27 proto 1 proposal 1 ok
181613.648601 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.648661 Negt 20 ike_phase_1_validate_prop: failure
181613.648724 Negt 30 message_negotiate_sa: proposal 1 failed
181613.648791 Negt 30 message_negotiate_sa: transform 28 proto 1 proposal 1 ok
181613.648880 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.648937 Negt 20 ike_phase_1_validate_prop: failure
181613.649003 Negt 30 message_negotiate_sa: proposal 1 failed
181613.649003 Negt 30 message_negotiate_sa: proposal 1 failed
181613.649069 Negt 30 message_negotiate_sa: transform 29 proto 1 proposal 1 ok
181613.649159 Negt 70 attribute_unacceptable: GROUP_DESCRIPTION: got 
MODP_1536, expected MODP_1024
181613.649216 Negt 20 ike_phase_1_validate_prop: failure
181613.649278 Negt 30 message_negotiate_sa: proposal 1 failed
181613.649354 Default message_negotiate_sa: no compatib

Re: Download or Fetch Packages w/o Install?

2007-10-15 Thread Nick Guenther
On 10/15/07, Clint Pachl <[EMAIL PROTECTED]> wrote:
> Is it possible to download a package and its dependencies, to PKG_CACHE
> for instance, without installing anything?

afaik nope. Maybe later? The usual recommendation is to set up a test
system to download and install everything on. Then grab the PKG_CACHE
from there.
In principle you could use the pkg_* perl modules to parse and walk
the dependency tree for you, too.

-Nick



Download or Fetch Packages w/o Install?

2007-10-15 Thread Clint Pachl
Is it possible to download a package and its dependencies, to PKG_CACHE 
for instance, without installing anything?




Re: expansion of FAQ# 1.10 re OpenBSD as a desktop system

2007-10-15 Thread Matthew Szudzik
> > Never found a use for "3D acceleration" myself.  Seems to be mostly
> > for games and, well, games.
> > 
> 
> There are other uses. Like the silly 3D accelerated window managers (as
> a cwm user it's obvious I see no need for that). There's also other
> uses. For example last year for my final year university project I wrote
> a visualisation app. using vtk[1], I wrote it on OpenBSD. Of course I'd
> have liked acceleration then, it would have run faster (software GL
> isn't very fast).
> 


I'm a mathematician.  Concerns of logical simplicity and documentation led 
me to run OpenBSD on the desktop, but sometimes I need to run 3D 
visualization software, too.  Unfortunately, it's so slow on OpenBSD that 
it's only borderline usable.



Re: : expansion of FAQ# 1.10 re OpenBSD as a desktop system

2007-10-15 Thread Douglas A. Tutty
On Mon, Oct 15, 2007 at 03:57:19PM +0200, Jan Stary wrote:
> On Oct 15 09:16:39, Douglas A. Tutty wrote:
> > Well, at least I know that I'm not alone in needing to use flash to get
> > real work done (not for games or other time-wasters).  Which means that
> > for any box from which I want to get real work done, I can't use
> > OpenBSD.  It would be great if it were possible to somehow wrap up
> > fireforx + flash so that it was possible and safe to run as a normal
> > user on OpenBSD.  By which I don't mean to suggest that you need to be
> > root to run it but instead that I know that in general its not wise to
> > run any X app, especially a browser to the net, as root.
> 
> In general, it's not wise to use flash to get real work done.
> 

I need to look something up in a catalog.  The catalog doesn't come
in print.  I phone the supplier, they say look on the web.  Its in
flash.  So, I need flash to get work done.

Doug.



Re: : Which remvable drive is connected to which USB port

2007-10-15 Thread Owain Ainsworth
On Mon, Oct 15, 2007 at 11:54:12AM +0300, Antti Harri wrote:
> Hi,
>
> I haven't followed this thread but this sounds like
> similar to the problem I had with USB printers.
> I had several and turning them randomly on made them have
> different ulptX device. I made a script for hotplug
> that creates symlink that points to the right
> device node. So, if you modify my script and
> use disklabel and labels beforehand, maybe it will
> help you.
>
> See for more details: 
> http://users.openbsd.fi/iku/opensource/hotplug-1.1.tar.gz
>
> Sorry if I interpreted your message incorrectly and
> this isn't what you're looking for.

Thanks for that. It, if anything, proves an idea of mine that i've yet to
implement. It's an idea which I took from the "udev" filesystem on
linux. I intended on using amd(8) and hotplug (making the symlinks) to
attach usb disks/etc to the correct mountpoint.

With that and some magic for wireless networks (under design), I planned
to make all of the automagically configured stuff possible for laptops.

When I finally get around to scripting this I'll post it to [EMAIL PROTECTED]
>
> -- 
> Antti Harri

-0-

-- 
Beware of bugs in the above code; I have only proved it correct, not
tried it.
-- Donald Knuth



Anyone using Accoom or SBE T1 cards?

2007-10-15 Thread Joe Gibbens
I'm thinking about replacing my Sangoma t1 card with a card that has current
native driver support.  Anyone using an Accoom or SBE?  If so how do you
like it?

-- 
Joe



Re: hardening BSD (was systrace/stsh policies)

2007-10-15 Thread Joachim Schipper
On Sun, Oct 14, 2007 at 03:27:20PM -0500, Aaron wrote:
> I hope i'm not out of line changing the thread but this seemed like a good 
> place to ask this question.

Not at all, and changing the thread title when changing the thread
subject is a welcome relief from the usual misc@ practice.

>I'm fairly new to OpenBSD and have set up a few machines, nothing 
> production (...). One thing I did read up on (...) was hardening
> beyond the default install. Two of the tools that most of the
> hardening articles i found, Securelevels and systrace, (the third one
> seems to be common sense), have now seemingly been rendered useless.
> (...)
>I'm wondering if there are other tools/ways besides these that I just 
> haven't heard of to do similar things (hardening of the system) or if there 
> is in effect no way to do the things that, these two tools, specifically 
> systrace has historically handled(is there really a need in the first 
> place?).  I say specifically systrace because from the discussions i've 
> been reading, the whole securelevel methodology, to the people that do the 
> work on OpenBSD,  is flawed.  I'm not here to dispute or even to discuss 
> that point, as currently I can't program (nor afford to hire people that 
> can) so my likes and dislikes are moot.

I'm not aware of any current `replacement' for systrace in OpenBSD. This
is both a blessing and a curse; systrace gets its tentacles deep into
security-sensitive code, and I remember at least one instance where that
caused a bug (though not what bug).
On the other hand, systrace allows one to express a security policy
that's more fine-grained than the default UNIX permissions allow.

>Like i say, i'm still relatively new to OpenBSD so I'm just looking for 
> insight, I haven't used systrace in the past, and until about a week ago 
> was working with securelevels but then found the aforementioned article.  I 
> had abandoned the securelevel method in light of the 'issue'(s)/false sense 
> of security with securelevels and from the discussion had decided to pick 
> up with systrace, until i saw this thread yesterday.
>Is it more common than not, to not worry as much about "hardening" the 
> OS, via these methods, but rather just to make 'hopefully' wise decisions, 
> install the least amount of software as you need, physical separations(i.e. 
> logging to remote server instead of sappnd'ing your logs)(but what happens 
> when after getting root on the system producing logs, the attacker proceeds 
> to work towards your logging server?) and stay current w/at least the 
> stable branch?
>I guess with all the hoopla about 'hardening'/trusted this and 
> that/fuzzy knobs(i.e. SE Linux) i got a little overzealous looking for ways 
> to tweak things (which i know can end up either making things less secure 
> (especially with false sense of security) or just plain breaking them), but 
> if there is/are acceptable, ways, I'd at least like to be aware of them and 
> the scope of their use from the people that know OpenBSD best.

It's not entirely impossible to improve on OpenBSD's default security,
although the default security is pretty good. The most obvious
improvement is disabling SSH logins using passwords, as has already been
mentioned.
It might also be a good idea to periodically audit /etc/master.passwd
for weak passwords. John the Ripper might be useful here.

There is also something to be said for dropping all IPv6 traffic; the
IPv6 stack is not as thoroughly tested as the IPv4 stack, despite a lot
of work by the smart people of the KAME project.
In the same vein, a restrictive pf configuration might help prevent or
at least mitigate the effects of exploitation.

You could also take a good look at /etc/login.conf; it does a pretty
good job of limiting resource usage, but it's a bit more lenient than it
could be, especially for the 'daemon' group (daemons very rarely really
need the ability to allocate an unbounded amount of memory). It should
be noted that the 'daemon' group appears to be used only by ports,
though.
However, this merely prevents an attacker that has already gained access
from DoS'ing the rest of the applications on the machine.

If you have local users, you might also want to vet suid applications.
You could also move the 'root' entry in /etc/master.passwd away from the
first line; if there is a programming error whereby a suid app can
be told to parse an arbitrary file, the password hash for root cannot be
discovered (see

for an example of this problem; while this is not the only example I
know of, this problem is not particularly common).
This also isn't much of a problem if root has a password that is too
complex to bruteforce, which should be the case.

It could also be argued that, should you require an MTA that is
accessible from the outside world, replacing sendmail with your
favourite alte

Re: Google employment opportunity

2007-10-15 Thread Ted Unangst
On 10/14/07, V. Karthik Kumar <[EMAIL PROTECTED]> wrote:

i heartily agree.



Re: where port installs have their packages placed

2007-10-15 Thread Brian
Juan Miscaro wrote:
[...]
> I currently have the PACKAGE_REPOSITORY variable set to
>
> /home/ftp/4.2/packages
>
> but when I installed a port its package ended up under:
>
> /home/ftp/4.2/packages/i386/all
>
> How can I correct this?

After a glance at bsd.port.mk, it looks like you'll have to use a link:

mkdir /home/ftp/4.2/packages/i386
ln -s .. /home/ftp/4.2/packages/i386/all

Some ports will create a no-arch directory for architecture-independent
packages.  However, the two arch-independent ports I tested still create
the package hard link in i386/all/.  There may be some things I have
missed so take it for what it's worth.

-Brian




Re: Multi booting OpenBSD and OpenBSD and

2007-10-15 Thread Tilo Stritzky
On 11/10/07 07:46  RW wrote:
> On Wed, 10 Oct 2007 22:51:26 +0200, Tilo Stritzky wrote:
> 
> >On 10/10/07 21:37  RW wrote:
> >> Then (the devil made me do it!) I thought: Why not four OpenBSDs  as in
> >> Release, Release minus one, current and some experimental stuff. Just
> >> multiboot to whichever and away.
> >> 
> >> Is it at all possible? If so what is the trick? I  flag the new
> >> MBR entry as active and I can't see anything in the docs that
> >> contemplates this kind of set-up.
> >> 
> >It's actually not very difficult  but ... 
> >"If you have to ask, you shouldn't be doing it"
> 
> Pushing boundaries on a machine without internet connection and (unless
> it works) not a part of critical infrastructure is just fun for
> learning. If it blows up an OpenBSD flush and install another way is
> not exactly the punishment that Linux or Windows would inflict.
> ;-)
I think my dad's Windoze takes more time to boot than a full OpenBSD install
on my laptop.

The main reason I tried this setup was I wanted to know if it's ever
possible, just like you. And I was sure I would learn something
interesting. Now *that* part really worked out ;)
> 
> >
> >Start your first install. Make one fdisk partition (OpenBSD type).
> >disklabel as many slices as you want OpenBSD releases (plus swap, plus c).
> >Install one on slice a.
> 
> Hmmm. Right there is the showstopper. I  say it was so I could
> build stable for at least a couple of releases. I have 9 slices on my
> present builder and could probably lose a couple. but only one to build
> and clean on? Not for me. I have listened to the experienced crew about
> having filesystems you can just flush rather than rm -rf * on.
> 
I feel this 'put /usr/obj on a separate slice, newfs ...' should really go
from the FAQ. release(8) shows a really nice way, which with softdep is
normally faster than newfs. And even if not - it happens in the
background, so what?

If you have lots of RAM mem_fs is really nice (I know, I know, you
haven't).

Regarding the number of slices: this is weird enough as it is, a lot
of slices does not make it any easier. When I tried it I had simply
one slice per install and it worked.

> Looks like a lost cause. I did really want to get out of all the drive
> swapping with wear on the connectors (the old IDE trays at least had
> rugged sockets like the old Centronics ones, the SATA trays have an
> edgecon and I don't rate edgecons as suitable for lots of insert/remove
> cycles with a heavy mechanical load) but if it don't fly, c'est la vie.
> 
Not to mention that computer cases have lots of really sharp edges and a
proper connector fit in the wrong place can go straight to the bone.

> Thanx,
> Rod
> 
regards
tilo

(Who is pestering the people at his favourite bookshop for two weeks now:
"Are they there yet?"
"Are they there yet?"
"Are they there yet?"
"No, on Wednesday!"



Re: hardening BSD (was systrace/stsh policies)

2007-10-15 Thread Janne Johansson

Eduardo Tongson wrote:

> Robert Watson's paper discusses concurrency vulnerabilities. Impact
> include policy bypass and audit trail invalidation. A bypass means it
> is useless. That pretty much hammered in the last nail on the coffin
> for security tools based on system call interposition.



I actually don't think it is all worthless. Imagine a machine running a
server daemon. If you systrace that particular daemon to not be able to
fork()/exec*() or system(), you could be quite sure it won't start random
apps on your machine in case someone manages to trick it somehow.


Now, if the attacker already has a local account and/or shell, he might 
run races and fool the systrace. But if this daemon was the only way for 
said attacker to gain such shell access, and it can be prevented from 
doing common stuff needed to get a local shell then you would have a 
"safer" system.


In this way, systrace might be usable still, even though it won't suffice
for systrace'd shells given out to bad guys. Same as all other measures 
you might have like chroots, stack gaps, randomized mem layouts and 
library addresses, they never prevent 100% of all attacks, just many of 
them.



> On 10/15/07, Steve Shockley <[EMAIL PROTECTED]> wrote:
>> Joachim Schipper wrote:
>>> You should probably do a Google search on systrace before continuing
>>> further down this road. In particular, I believe the issue highlighted
>>> by Robert Watson has not been fixed yet (although I could be wrong, and
>>> would be happy to be wrong in this case).
>>
>> The white paper for the systrace vulnerability was a little bit beyond
>> me; what's the impact of the issue?  Is a system running systrace *more*
>> vulnerable than a normal system, or is the problem just that a
>> determined user can circumvent systrace (like the bottom of systrace(1)
>> suggests)?  If it's the latter, it seems like it'd still be useful for
>> policy enforcement to some extent.




Re: hardening BSD (was systrace/stsh policies)

2007-10-15 Thread Ted Unangst
On 10/14/07, Steve Shockley <[EMAIL PROTECTED]> wrote:
> The white paper for the systrace vulnerability was a little bit beyond
> me; what's the impact of the issue?  Is a system running systrace *more*
> vulnerable than a normal system, or is the problem just that a
> determined user can circumvent systrace (like the bottom of systrace(1)
> suggests)?  If it's the latter, it seems like it'd still be useful for
> policy enforcement to some extent.

two processes using shared memory can cooperate to circumvent
systrace.  this means it's not very useful to contain an app after
exploitation.  also, circumvention is not "silent".  if you log
failures, you'll see it happening.

systrace is still useful for keeping an eye on binary programs.  or to
make sure your apps are configured correctly (web server can't read
files outside of blah/, whatever).



where port installs have their packages placed

2007-10-15 Thread Juan Miscaro
I'm running CURRENT and would like to put the packages that result from
a port install in a specific directory.

I currently have the PACKAGE_REPOSITORY variable set to

/home/ftp/4.2/packages

but when I installed a port its package ended up under:

/home/ftp/4.2/packages/i386/all

How can I correct this?

// juan



Re: vic(4) on ESX 3.0.2

2007-10-15 Thread Piotrek Kapczuk
Hi

2007/10/15, Fernando Braga <[EMAIL PROTECTED]>:
> Hi,
>
> I'm failing to use vic(4) driver on ESX 3.0.2 and OpenBSD 4.2. I've
> configured ethernet0.virtualDev = "vmxnet" as instructed on
> vic(4) man page.
>
> dmesg follows:
>
> OpenBSD 4.2 (GENERIC) #1: Fri Oct 12 16:00:29 BRT 2007
>[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

[...]
> pcn0 at pci0 dev 17 function 0 "AMD 79c970 PCnet-PCI" rev 0x10,
> pcn1 at pci0 dev 18 function 0 "AMD 79c970 PCnet-PCI" rev 0x10,
[...]

pcn (!!)

VMware still starts your VM with AMD NIC.
I wrote a quick solution to this.
http://communities.vmware.com/thread/31256


Regards
Piotrek



vic(4) on ESX 3.0.2

2007-10-15 Thread Fernando Braga
Hi,

I'm failing to use vic(4) driver on ESX 3.0.2 and OpenBSD 4.2. I've
configured ethernet0.virtualDev = "vmxnet" as instructed on
vic(4) man page.

dmesg follows:

OpenBSD 4.2 (GENERIC) #1: Fri Oct 12 16:00:29 BRT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL,CX16
real mem  = 1073246208 (1023MB)
avail mem = 1030144000 (982MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/17/06, BIOS32 rev. 0 @
0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 04/17/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1a00! 0xca000/0x1000
0xcb000/0x1000 0xdc000/0x4000! 0xe/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to c
ompatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus disabled
vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: irq 9
scsibus1 at mpi0: 16 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 10240MB, 1305 cyl, 255 head, 63 sec, 512 bytes/sec, 20971520 sec total
sd1 at scsibus1 targ 1 lun 0:  SCSI2 0/direct fixed
sd1: 20480MB, 2610 cyl, 255 head, 63 sec, 512 bytes/sec, 41943040 sec total
mpi0: target 0 Sync at 160MHz width 16bit offset 127 QAS 1 DT 1 IU 1
mpi0: target 1 Sync at 160MHz width 16bit offset 127 QAS 1 DT 1 IU 1
pcn0 at pci0 dev 17 function 0 "AMD 79c970 PCnet-PCI" rev 0x10,
Am79c970A, rev 0: irq 11, address 00:50:56:91:57:b6
pcn1 at pci0 dev 18 function 0 "AMD 79c970 PCnet-PCI" rev 0x10,
Am79c970A, rev 0: irq 10, address 00:50:56:91:16:e8
isa0 at piixpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask e365 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: CPU supports MTRRs but not enabled
dkcsum: sd0 matches BIOS drive 0x80
dkcsum: sd1 matches BIOS drive 0x81
root on sd0a swap on sd0b dump on sd0b


-- 
Fernando M. Braga
+55 82 8802-9559



Re: femail/chroot

2007-10-15 Thread Henning Brauer
* Gaby Vanhegan <[EMAIL PROTECTED]> [2007-10-15 17:41]:
> I'm struggling to make femail work in the Apache chroot.  I made  
> mini_sendmail work from ports, but this isn't ideal as it requires sh  
> inside the chroot, so I've done away with that idea.  femail is the  
> suggested alternative but I have had no success in making it work.
> 
> I have compiled the 0.97 version from source, that works fine.  I can  
> send mail from the command line fine, I have setup a very basic  
> femail.conf and put it in /etc/femail.conf, as well as /var/www/etc/ 
> femail.conf.

femail.conf is pretty basic by definition :)

> Both femail and mini_sendmail work fine on the command line,  
> mini_sendmail works fine in apache, femail does not.  The only error  
> output I see is in /var/www/logs/error_log, which is the line "Abort  
> Trap".  In order to get this, I still have to have sh inside the  
> chroot.  Is femail going to need this too?

femail itself does not use or need sh.
whatever invokes it might need it.

I would install the femail-0.97-static package.
My guess is that you actually use a dynamically linked femail and don't 
have libc installed / ldconfig set up.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: femail/chroot

2007-10-15 Thread Stuart Henderson
On 2007/10/15 16:37, Gaby Vanhegan wrote:
> I have compiled the 0.97 version from source, that works fine.  I can  
> send mail from the command line fine, I have setup a very basic  
> femail.conf and put it in /etc/femail.conf, as well as /var/www/etc/ 
> femail.conf.

that's optional if you can resolve your own hostname (e.g. hosts or
resolv.conf which you may well already have).

> mini_sendmail works fine in apache, femail does not.  The only error  
> output I see is in /var/www/logs/error_log, which is the line "Abort  
> Trap".

Sounds like you're trying to use a dynamically-linked version
without having ld.so present.

You want the static version:

cd /usr/ports/mail/femail && FLAVOR=static make install
-or-
pkg_add femail-0.97-static

> In order to get this, I still have to have sh inside the  
> chroot.  Is femail going to need this too?

femail doesn't need it, but iirc PHP does.

Reply-To: set to [EMAIL PROTECTED]
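
The diagnosis in the two replies above (a dynamically linked femail with no libc or ld.so inside the chroot) can be checked mechanically. The script below is an added example, not code from the thread or from femail: it reads ldd(1) output and lists every file the binary needs that is absent under the chroot. The function names, the femail install path and the library version in the sample are assumptions.

```shell
#!/bin/sh
# Added example: list the files a dynamically linked binary needs that are
# missing under a chroot. Input is ldd(1) output on stdin.

# Constructed sample in the OpenBSD ldd layout; the femail install path and
# the libc version are assumptions, not values from the thread.
SAMPLE_LDD='/usr/local/sbin/femail:
        Start    End      Type Open Ref GrpRef Name
        1c000000 3c004000 exe  1    0   0      /usr/local/sbin/femail
        0a1b2000 2a1e0000 rlib 0    1   0      /usr/lib/libc.so.41.0
        0c3d4000 0c3d4000 rtld 0    1   0      /usr/libexec/ld.so'

# chroot_missing_libs CHROOT_DIR < ldd-output
# Prints each required path that is absent under CHROOT_DIR, one per line,
# and returns 1 if anything is missing, 0 otherwise.
chroot_missing_libs() {
    cml_root=$1
    cml_missing=0
    # Collect every absolute path, skipping the "binary:" header line.
    # This handles the OpenBSD column layout (path is the last field) and
    # the "name => /path (addr)" layout. Paths containing whitespace are
    # not supported.
    cml_paths=$(awk '
        /:$/ { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }
    ' | LC_ALL=C sort -u)
    for cml_p in $cml_paths; do
        if [ ! -e "$cml_root$cml_p" ]; then
            printf '%s\n' "$cml_p"
            cml_missing=1
        fi
    done
    return "$cml_missing"
}

# demo_check: build a throwaway directory that mimics a chroot into which
# only the binary was copied, then report what the runtime linker would
# fail to find there.
demo_check() {
    demo_jail=$(mktemp -d) || return 1
    mkdir -p "$demo_jail/usr/local/sbin"
    : > "$demo_jail/usr/local/sbin/femail"
    demo_rc=0
    printf '%s\n' "$SAMPLE_LDD" | chroot_missing_libs "$demo_jail" || demo_rc=$?
    rm -rf "$demo_jail"
    return 0
}

# On a real system the equivalent check for the Apache chroot would be:
#   ldd /path/to/femail | chroot_missing_libs /var/www
demo_check
```

An empty result for a dynamic binary means its libraries and ld.so are present under the chroot; the static package suggested in the replies avoids the dependency altogether.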



Re: hardening BSD (was systrace/stsh policies)

2007-10-15 Thread Nick Guenther
On 10/15/07, Eduardo Tongson <[EMAIL PROTECTED]> wrote:
>
> Robert Watson's paper discusses concurrency vulnerabilities. Impact
> include policy bypass and audit trail invalidation. A bypass means it
> is useless. That pretty much hammered in the last nail on the coffin
> for security tools based on system call interposition.

Oh really?
The abstract reads "System call interposition allows the kernel security model
to be extended. However, when combined with current operating systems,
it is open to concurrency vulnerabilities leading to privilege
escalation and audit bypass."
(Paper at 
)
and Niels Provos says

"The initial prototype of Systrace as described in the paper avoided
this problem by using a look-aside buffer in the kernel. This imposes
a slight performance penalty but I hope that this obvious solution is
going to be included in the OpenBSD and NetBSD kernel soon."

How is this the "last nail" at all?

-Nick



femail/chroot

2007-10-15 Thread Gaby Vanhegan
Hi,

I'm struggling to make femail work in the Apache chroot.  I made  
mini_sendmail work from ports, but this isn't ideal as it requires sh  
inside the chroot, so I've done away with that idea.  femail is the  
suggested alternative but I have had no success in making it work.

I have compiled the 0.97 version from source, that works fine.  I can  
send mail from the command line fine, I have setup a very basic  
femail.conf and put it in /etc/femail.conf, as well as /var/www/etc/ 
femail.conf.

Both femail and mini_sendmail work fine on the command line,  
mini_sendmail works fine in apache, femail does not.  The only error  
output I see is in /var/www/logs/error_log, which is the line "Abort  
Trap".  In order to get this, I still have to have sh inside the  
chroot.  Is femail going to need this too?

Has anybody had any success setting up femail inside the apache chroot?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/



Re: : expansion of FAQ# 1.10 re OpenBSD as a desktop system

2007-10-15 Thread Douglas A. Tutty
On Mon, Oct 15, 2007 at 05:31:51AM -0500, Robert C Wittig wrote:
> Raimo Niskanen wrote:
> >Perhaps the best, but not the only. Flash is all over the net.
> >E.g to see the weather forecasts from the Swedish Meteorology
> >and Hydrology Institute (SMHI), you need Flash 8. Just a few
> >months ago you needed Internet Explorer as well, but they
> >are aware and improving...
> >
> >But Flash 7 via Opera and Linux emulation in OpenBSD does not
> >cut it, alas :-(
> 
> You're right, the Opera Flash Plugin doesn't really cut it, but I have 
> discovered a somewhat useful workaround.
> 
> By hitting 'Pause' on the Flash 9 movies that autostart, before they 
> have a chance to crash, (or just changing the setting on those that do 
> not autostart), I have been able to right-click and set the movie 
> quality to the lowest setting (default is highest quality), which 
> permits most movies to at least play.
> 

Well, at least I know that I'm not alone in needing to use flash to get
real work done (not for games or other time-wasters).  Which means that
for any box from which I want to get real work done, I can't use
OpenBSD.  It would be great if it were possible to somehow wrap up
firefox + flash so that it was possible and safe to run as a normal
user on OpenBSD.  By which I don't mean to suggest that you need to be
root to run it but instead that I know that in general it's not wise to
run any X app, especially a browser to the net, as root.

Doug.



Re: misplacement in dhclient.conf.5

2007-10-15 Thread Vincent GROSS
meh, forgot the demimer ... thank you Nick.

here is the inlined patch.

$ diff -Naur dhclient.conf.5.orig dhclient.conf.5

--- dhclient.conf.5.origSun Oct 14 22:01:48 2007
+++ dhclient.conf.5 Sun Oct 14 22:00:03 2007
@@ -345,19 +345,6 @@
 .Nm dhclient.conf ,
 the value that the user wishes the client configuration script to use if the
 predefined lease is used.
-.It Ic script Ar \&"script-name\&" ;
-The
-.Ic script
-statement is used to specify the pathname of the DHCP client configuration
-script.
-This script is used by the DHCP client to set each interface's initial
-configuration prior to requesting an address, to test the address once it
-has been offered, and to set the interface's final configuration once a
-lease has been acquired.
-If no lease is acquired, the script is used to test predefined leases, if
-any, and also called once if no valid lease can be identified.
-For more information, see
-.Xr dhclient.leases 5 .
 .It Ic medium Ar \&"media setup\&" ;
 The
 .Ic medium
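Review bot: the context paragraph kept just above the removed item ("the value that the user wishes the client configuration script to use if the predefined lease is used") still refers to the client configuration script, but after this removal the lease declaration text no longer explains what that script is. A short pointer to the script statement at that spot would keep the sentence understandable. Separately, the file header lines read "dhclient.conf.5.origSun Oct 14 ...", so the separator between file name and timestamp was lost in the inline copy; check that this version still applies with patch(1) before relying on it.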
@@ -485,6 +472,19 @@
 Whenever the client tries to renew the lease, it will use that same media type.
 The lease must expire before the client will go back to cycling through media
 types.
+.It Ic script Ar \&"script-name\&" ;
+The
+.Ic script
+statement is used to specify the pathname of the DHCP client configuration
+script.
+This script is used by the DHCP client to set each interface's initial
+configuration prior to requesting an address, to test the address once it
+has been offered, and to set the interface's final configuration once a
+lease has been acquired.
+If no lease is acquired, the script is used to test predefined leases, if
+any, and also called once if no valid lease can be identified.
+For more information, see
+.Xr dhclient.leases 5 .
 .El
 .Sh EXAMPLES
 The following configuration file is used on a laptop
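Review bot: the re-added item ends with "For more information, see .Xr dhclient.leases 5", carried over unchanged, yet the paragraph describes the client configuration script rather than the lease file, so it is worth checking whether the cross-reference should be dhclient-script(8) instead. The item also lands as the last entry before .El, right after the paragraph about cycling through media types, so confirm that this list is the one for general statements and that the item is not again being attached to a neighbouring declaration.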


On 10/15/07, Vincent GROSS <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> I found a misleading statement in dhclient.conf.5 : the description of
> the 'script' statement is in the lease declaration section, which can
> lead someone to think the script statement is a part of the static
> lease declaration.
>
> The joined gzip'ed patch fixes that, but it's only a cut'n'paste at a
> more proper place.
>
> --
> Vincent GROSS
> "GUIs normally make it simple to accomplish simple actions and
> impossible to accomplish complex actions." --Doug Gwyn (22/Jun/91 in
> comp.unix.wizards)
>
>


-- 
Vincent GROSS
"GUIs normally make it simple to accomplish simple actions and
impossible to accomplish complex actions." --Doug Gwyn (22/Jun/91 in
comp.unix.wizards)



misplacement in dhclient.conf.5

2007-10-15 Thread Vincent GROSS
Hi folks,

I found a misleading statement in dhclient.conf.5 : the description of
the 'script' statement is in the lease declaration section, which can
lead someone to think the script statement is a part of the static
lease declaration.

The joined gzip'ed patch fixes that, but it's only a cut'n'paste at a
more proper place.

-- 
Vincent GROSS
"GUIs normally make it simple to accomplish simple actions and
impossible to accomplish complex actions." --Doug Gwyn (22/Jun/91 in
comp.unix.wizards)

[demime 1.01d removed an attachment of type application/x-gzip which had a name 
of dhclient.conf.5.patch.gz]



Re: : How can i boot a bsd.rd from windows 2000 ?

2007-10-15 Thread Rodrigo V. Raimundo
According to grub documentation
http://www.gnu.org/software/grub/manual/grub.html#kernel ...

On Fri, 2007-10-12 at 09:57 +0200, Raimo Niskanen wrote:
> Can grub actually boot a bsd kernel. I thought it was in a
> different binary format than Linux kernels.
> 

Grub can boot *BSD kernel and can detect in what binary format it is.
But in case it doesn't recognize the binary there is a --type=openbsd
parameter that can be used with the "kernel" command.

> Does grub pass kernel arguments to the bsd kernel in the
> right way.
> 


It is not possible to pass kernel parameters from grub to /bsd*


> Sorry about the doubts, but I have always chain loaded
> OpenBSD from grub through the PBR code in biosboot
> installed by installboot, which in its turn calls
> the boot program that loads the bsd or bsd.rd kernel.
> 
> Off-Topic: In that case, can SYSLINUX boot the
> bsd kernel from a DOS partition?
> 

According to http://syslinux.zytor.com/faq.php it can only boot linux,
COM executables, pxeboot files, cdrom images and a few other, but no
*BSD kernel.

> 
> 
> On Thu, Oct 11, 2007 at 12:34:13PM -0300, Rodrigo V. Raimundo wrote:
> > On Wed, 2007-10-10 at 21:49 +0200, Christopher Bianchi wrote:
> > > Hello everyone. My situation is this:
> > > i've a laptop, a Sharp pc-ax10 with Windows 2000 preinstalled , without
> > > cdrom, floppy. I wish install OpenBSD on it. Naturally bios can't boot
> > > from USB.
> > > So i've thinked to boot the bsd.rd , but how ? The faq explain the
> > > procedure from an older OpenBSD operating system... i've Windows 2000 on 
> > > it.
> > > 
> > > Is it possible ? and if is possible, in which way ? Where i must put the
> > > bsd.rd and in which way i can boot from him ?
> > > 
> > > I've tried google, but nothing :-(
> > > 
> > > Thanks for the attention
> > > 
> > > Christopher Bianchi
> > > 
> > 
> > 1 - Use some free tool to create a new partition on your hard-disk, if
> > you lose Win 2k bye-bye
> > 
> > 2 - Install grub on Windows (*) and attach it's stage1 file to
> > boot.ini(**)
> > 
> > 3 - Add an entry to grub's menu.lst so it can boot bsd.rd from virtually
> > anywhere on your hd. (***)
> > 
> > See: http://www.geocities.com/lode_leroy/grubinstall/
> > 
> > (***) menu.lst example:
> > 
> > title OpenBSD Installer
> > # Windows on the first partition of the first drive
> > root (hd0,0) 
> > # Grub will find the file if compiled with fat/ntfs support
> > kernel /boot/bsd.rd 
> > boot
> > 
> > --
> > 
> > (**) boot.ini example:
> > 
> > [boot loader]
> > timeout=30
> > default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
> > [operating systems]
> > multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows 200
> > Professional"
> > c:\boot\stage1="Grub"
> > 
> > -
> > 
> > (*) grubinstall command line example:
> > 
> > Run cmd.exe, then:
> > c:\> grubinstall -d (hd0,0) -1 C:\boot\stage1 -2 C:\boot\stage2



Re: arc0: unable to query firmware for sensor info

2007-10-15 Thread David Gwynne

fantastic, good to know :)

yay kettenis

dlg

On 15/10/2007, at 7:52 PM, Stephan A. Rickauer wrote:

> For the archives: Mark has sent me a patch which fixes the problem
> (also in the tree now).
>
> Thanks for this awesome support (once more)!
>
> Stephan
>
> On Sun, Sep 30, 2007 at 04:20:27PM +0200, Mark Kettenis wrote:
>> Can you run
>>
>> # acpidump -o WTF2V028 > WTF2V028.acpidump
>>
>> and send me all the files it generates?
>>
>> Mark




Re: Transparent Firewall with NAT

2007-10-15 Thread Cédric THIBAULT
Firstly, thanks for your comments,

2007/10/12, ropers <[EMAIL PROTECTED]>:
>
> I don't fully understand your email, because some of your sentences
> aren't really gramatically correct, and some of them don't seem to me
> to be "technologically correct" (ie. the technology questions in them
> don't seem to make sense to me). From reading this thread, I suspect
> others are having similar problems.


Yes, it's true i'm not a native english. Sorry for my sentences which smell
good french pronunciation... I will do my best for avoid this mistakes..


> Let me look at what you wrote:
>
> On 10/10/2007, Cédric THIBAULT <[EMAIL PROTECTED]> wrote:
> > Hello everybody,
> >
> > I work on BSD 4.1, with i386 hardware.
> >
> > I'm searching a way to enable a transparent firewall (without ip
> address),
> > probably in bridge mode.., with a capability of NAT.
>
> Let me stop you there. Normally, you would EITHER use your OpenBSD box
> to do NAT, OR you would set your OpenBSD box up as a bridge. Let's
> take a step back and instead of talking about things in the abstract,
> let's make plain what you're trying to do:
>
> - Do you have a network w/ multiple hosts on the same physical network
> segment?
> - Do these hosts have private or public IP addresses?
> - Are these hosts' IP addresses in the same (logical) subnet? I.e. are
> they using the same network address and subnet mask, e.g.
> xxx.yyy.zzz.0/24?
> - You've mentioned bridging. Which hosts do you want to separate with
> a bridge? Are these hosts on the same logical subnet (and possibly
> already on the same physical network segment)? If they aren't, then
> how is what you're trying to do bridging?
> - You've mentioned NATing. Normally this involves translating between
> two DIFFERENT logical networks. What do you mean by "enable a
> transparent firewall (...) in bridge mode.., with a capability of
> NAT"? Do you want to set up a bridge NOW and only possibly separate
> your network LATER, and then change your OpenBSD bridge to an OpenBSD
> NAT router?



I've got 2 physical networks which are on the same IP subnet with the same
netmask. The OpenBSD is in the middle of these networks. For example:

LAN1 ------------ OPEN BSD ------------ LAN 2
192.168.0.1-10   INET1 - INET2   192.168.0.15-20
255.255.255.0                    255.255.255.0


> I know the interest is
> > not evident to nat some computers on the same IP lan, but it's for a
> client,
> > so!
>
> Hm. Forgive my skepticism, but has the client asked you to put in a
> bridge that does NAT? Do you understand what they want? Do they?


I don't know precisely why he wants that, but for information I know cisco
offers this possibility.

> It seems that PF doesn't have this capability. Perhaps, it could be
> possible
> > with an another package ?
>
> OpenBSD/PF can do NAT while filtering the NATted traffic.
> OpenBSD/PF can also be used to set up a transparent bridge that is
> invisible to users, yet filters traffic. This can be done "out of the
> box"; no extra packages are required. I have personally in the past
> set up such an OpenBSD bridge. In my case, this was a physical network
> segment with multiple hosts, only some of which were under my control.
> The foreign and my own hosts were also on the same (logical) subnet. I
> needed to protect one of the hosts from the others (especially the
> ones I  didn't control). That sensitive host was a Windows Server 2003
> box ((which by default comes w/o a firewall and the Windows Firewall,
> while available in a service pack, cannot be enabled on Domain
> Controllers without serious hacking; really; it boggles the mind)). So
> I connected stuff thus:
>
> W2K3 Srv <---> OpenBSD bridge <---> rest of network, incl. Internet
> gateway
>
> I set up the bridge and configured pf.conf so that those boxes that
> needed to talk to the server could do so. It was NOT a totally
> bulletproof solution, but it was the best I could come up with, given
> the constraints I was operating within.


Your description is very interesting and I agree with your opinion. But my
question is:

Can I NAT an IP address which is not assigned to my network interface, and
configure arp to
be able to receive IP data destined to the IP I NAT? If I keep my
preceding example:


LAN1 ------------ OPEN BSD ------------ LAN 2
192.168.0.1-10   INET1 - INET2   192.168.0.15-20
255.255.255.0                    255.255.255.0

With INET1 and INET2 in promiscuous mode without IP address assigned, I would
know if I could NAT the LAN1 with an arbitrary address (192.168.0.11 for
example) and capture the answers to forward them to LAN1 (with a specific
ARP configuration perhaps..). With this configuration, LAN2 uses only 1
address to communicate with LAN1, but can't ping or touch the Firewall which
is totally transparent..

> Maybe you could describe your network like I did above. I think that
> would help me and possibly others to understand you better. Please b

Re: : expansion of FAQ# 1.10 re OpenBSD as a desktop system

2007-10-15 Thread Robert C Wittig

Raimo Niskanen wrote:

> Perhaps the best, but not the only. Flash is all over the net.
> E.g to see the weather forecasts from the Swedish Meteorology
> and Hydrology Institute (SMHI), you need Flash 8. Just a few
> months ago you needed Internet Explorer as well, but they
> are aware and improving...
>
> But Flash 7 via Opera and Linux emulation in OpenBSD does not
> cut it, alas :-(
>
> > OT noise I know. This thread climaxed on Henning's earlier post.

You're right, the Opera Flash Plugin doesn't really cut it, but I have 
discovered a somewhat useful workaround.


By hitting 'Pause' on the Flash 9 movies that autostart, before they 
have a chance to crash, (or just changing the setting on those that do 
not autostart), I have been able to right-click and set the movie 
quality to the lowest setting (default is highest quality), which 
permits most movies to at least play.



--
-wittig http://www.robertwittig.com/
http://robertwittig.net/
http://robertwittig.org/
.



Re: arc0: unable to query firmware for sensor info

2007-10-15 Thread Stephan A. Rickauer

For the archives: Mark has sent me a patch which fixes the problem (also in the 
tree now).

Thanks for this awesome support (once more)!

Stephan

On Sun, Sep 30, 2007 at 04:20:27PM +0200, Mark Kettenis wrote:
> Can you run
>
> # acpidump -o WTF2V028 > WTF2V028.acpidump
>
> and send me all the files it generates?
>
> Mark




Re: : Which remvable drive is connected to which USB port

2007-10-15 Thread Otto Moerbeek
On Mon, 15 Oct 2007, Edwards, David  (JTS) wrote:

> > -Original Message-
> > From: Otto Moerbeek [mailto:[EMAIL PROTECTED]
> > Sent: Friday, 12 October 2007 5:53 PM
> > To: Raimo Niskanen
> > Cc: Edwards, David (JTS); misc@openbsd.org
> > Subject: Re: : Which remvable drive is connected to which USB port
> >
> >
> > On Fri, 12 Oct 2007, Raimo Niskanen wrote:
> >
> [snip]
> > >
> > > Missing is still some way to find out what the kernel device
> > > tree looks like - the kernel must know that sd0 is attached
> > > to scsibus1 targ 1 lun 0 which is attached to umass0 which
> > > is attached to uhub1 port 1. The question is if there is
> > > a way of finding that without parsing dmesg.
> 
> I agree that's my problem in a nutshell.
> 
> > I can see an easy way to identify disks, without any dependency on the
> > physical stuff like cables etc.
> >
> > Use the disklabel: it has a disk name field that can be edited.
> 
> Thanks for the idea but unfortunately it doesn't help.
> Take three USB disks, plug them in and then tell me
> how to put the right label on the right physical disk?

Plug them in one by one and label them. That would be a manual process.

> 
> It would work of course if our "restore" procedure went:
> 
> for each backup disk available
>   Plug in the disk and check the label to see if it's the right one
>   if it is the right one
>     Restore from the disk
>     end
>   fi
> end
> 
> I suspect this would get a bit tedious..

It's easy to make a script that produces the sdX -> label mappings and
vice versa.

-Otto
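
One way such a mapping script could look, added here as an example and not taken from the thread or from the OpenBSD tree. It assumes that disklabel(8) prints a `label:` line and that `sysctl -n hw.disknames` lists the attached disks; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: map sdX device names to disklabel "label:" fields and back.
# Function names are hypothetical; sample data below is constructed.

# Constructed sample of what `disklabel sd1` prints (header lines only).
sample_disklabel() {
cat <<'EOF'
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: backup-set-B
flags:
bytes/sector: 512
EOF
}

# Read disklabel output on stdin, print the label field (empty if unset).
label_from_output() {
    sed -n 's/^label:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Print one "sdX label" line per sd disk the kernel currently knows about.
list_sd_labels() {
    for d in $(sysctl -n hw.disknames | tr ',' ' '); do
        d=${d%%:*}    # strip a ":duid" suffix if the release prints one
        case $d in
        sd[0-9]*)
            printf '%s %s\n' "$d" \
                "$(disklabel "$d" 2>/dev/null | label_from_output)" ;;
        esac
    done
}

# Reverse lookup: read "sdX label" lines on stdin, print the device whose
# label equals $1 exactly (labels may contain spaces).
device_for_label() {
    awk -v want="$1" '{ dev = $1; sub(/^[^ ]+ /, ""); if ($0 == want) print dev }'
}

# Only touch real hardware on OpenBSD; elsewhere the functions are just defined.
if [ "$(uname -s)" = "OpenBSD" ]; then
    list_sd_labels
fi
```

A restore script can then run `list_sd_labels | device_for_label backup-set-B` and refuse to continue when the result is empty, so a disk with the wrong label is never written to or read from by mistake.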



Re: : Which remvable drive is connected to which USB port

2007-10-15 Thread Antti Harri

Hi,

I haven't followed this thread but this sounds
similar to the problem I had with USB printers.
I had several and turning them randomly on made them have
different ulptX devices. I made a script for hotplug
that creates a symlink that points to the right
device node. So, if you modify my script and
use disklabel and labels beforehand, maybe it will
help you.

See for more details: 
http://users.openbsd.fi/iku/opensource/hotplug-1.1.tar.gz


Sorry if I interpreted your message incorrectly and
this isn't what you're looking for.

--
Antti Harri



Re: Google employment opportunity

2007-10-15 Thread Fergus Wilde
> > As the messiah said when he was in Britain with his 4 brothers (BRT:3:1)
> >

Damn, must have been out that day.

-- 
Fergus Wilde
Chetham's Library
Long Millgate
Manchester
M3 1SB

Tel: 0161 834 7961
Fax: 0161 839 5797

http://www.chethams.org.uk



Re: : expansion of FAQ# 1.10 re OpenBSD as a desktop system

2007-10-15 Thread Adrian Fisher
I know what you mean, I have to use Flash 9 :S

A.

On 15/10/2007, Raimo Niskanen <[EMAIL PROTECTED]> wrote:
>
> On Fri, Oct 12, 2007 at 12:25:46PM -0700, Karsten McMinn wrote:
> > On 10/11/07, Nick Holland <[EMAIL PROTECTED]> wrote:
> > > Personally, I absolutely LOVE the fact that OpenBSD doesn't support
> > > flash natively.  I think that's a great selling point for using it
> > > on a desktop.  Oh, but you not only like flash, but demand it.
> > > That's ok, that's your measure of "desktop", it's my measure of
> > > annoying.  Are there some places I can't go?  Yep.  I rather suspect
> > > they lose more by not having me than I do by not having them.
> >
> > I'm in the same boat as you, however youtube/google video are
> > the best argument for flash. adobe should thank them, and possibly
> > myspace for keeping their macromedia pipe dreams alive.
> >
>
> Perhaps the best, but not the only. Flash is all over the net.
> E.g to see the weather forecasts from the Swedish Meteorology
> and Hydrology Institute (SMHI), you need Flash 8. Just a few
> months ago you needed Internet Explorer as well, but they
> are aware and improving...
>
> But Flash 7 via Opera and Linux emulation in OpenBSD does not
> cut it, alas :-(
>
>
>
> > OT noise I know. This thread climaxed on Henning's earlier post.
>
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: : : : Which remvable drive is connected to which USB port

2007-10-15 Thread Raimo Niskanen
On Fri, Oct 12, 2007 at 10:25:51AM -0400, Nick Guenther wrote:
> On 10/12/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > On 2007/10/12 11:47, Raimo Niskanen wrote:
> > > > Use the disklabel: it has a disk name field that can be edited.
> > >
> > > Great proposal!
> > >
> > > I may be blind, but can not find an editable name field. Which is it?
> > > And how can I edit it?
> >
> > Label - you can edit it with disklabel -e.
> >
> 
> But I thought the problem was that he wants the first USB cable to
> always be the first USB backup--with constant churn of USB keys (so
> that there are many). Each key is only used once. How does editing the
> disklabel help in that case?
> 

Ouch! My reading was too sloppy - I thought I recognized an old problem of mine.

Well,... to make editing the disklabel useful, one would have to change
strategy and tag the disks to which set they belong, and not use
the USB cable as set identifier...



> -Nick

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: : expansion of FAQ# 1.10 re OpenBSD as a desktop system

2007-10-15 Thread Raimo Niskanen
On Fri, Oct 12, 2007 at 12:25:46PM -0700, Karsten McMinn wrote:
> On 10/11/07, Nick Holland <[EMAIL PROTECTED]> wrote:
> > Personally, I absolutely LOVE the fact that OpenBSD doesn't support
> > flash natively.  I think that's a great selling point for using it
> > on a desktop.  Oh, but you not only like flash, but demand it.
> > That's ok, that's your measure of "desktop", it's my measure of
> > annoying.  Are there some places I can't go?  Yep.  I rather suspect
> > they lose more by not having me than I do by not having them.
> 
> I'm in the same boat as you, however youtube/google video are
> the best argument for flash. adobe should thank them, and possibly
> myspace for keeping their macromedia pipe dreams alive.
> 

Perhaps the best, but not the only. Flash is all over the net.
E.g to see the weather forecasts from the Swedish Meteorology
and Hydrology Institute (SMHI), you need Flash 8. Just a few
months ago you needed Internet Explorer as well, but they
are aware and improving...

But Flash 7 via Opera and Linux emulation in OpenBSD does not
cut it, alas :-(



> OT noise I know. This thread climaxed on Henning's earlier post.

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB