Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

2008-09-01 Thread Lars Noodén
Jeremy Huiskamp wrote:
 suexec: disabled; invalid wrapper /usr/sbin/suexec
 
 Did you read suexec(8)?

I expect you mean this?

Because this program is only used internally by httpd(8),
there are no other ways to directly invoke suexec.

No. I was looking at mod_perl and have no plans in the near future to
try suexec.  The error makes some sense in the context above.

Regards
-Lars



Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

2008-09-01 Thread Jeremy Huiskamp

On 1-Sep-08, at 3:17 AM, Lars Noodin wrote:

Jeremy Huiskamp wrote:

suexec: disabled; invalid wrapper /usr/sbin/suexec


Did you read suexec(8)?


I expect you mean this?

Because this program is only used internally by httpd(8),
there are no other ways to directly invoke suexec.

No. I was looking at mod_perl and have no plans in the near future to
try suexec.  The error makes some sense in the context above.

Regards
-Lars



No, I meant this:
In order to work correctly, the suexec binary should be owned by ``root''
and have the SETUID execution bit set.  OpenBSD currently does not install
suexec with the SETUID bit set, so a change of file mode is necessary to
enable it...



Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

2008-09-01 Thread Lars Noodén
Jeremy Huiskamp wrote:

 No, I meant this:
 In order to work correctly, the suexec binary should be owned by ``root''
 and have the SETUID execution bit set.  OpenBSD currently does not install
 suexec with the SETUID bit set, so a change of file mode is necessary to
 enable it...

Thanks.

Interesting.  I thought SUID-root scripts were vulnerable to race
condition-based vulnerabilities, among other things.  Is that also the
case for OpenBSD?  If not, why?

Alternately, how lame would it be to have one suexec per suexec-user and
have each copy owned by that user?  That would at least avoid having it
operate as root.

Regards,
-Lars



Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

2008-09-01 Thread John Wright
On Mon, Sep 01, 2008 at 10:17:34AM +0300, Lars Noodén wrote:
 Jeremy Huiskamp wrote:
  suexec: disabled; invalid wrapper /usr/sbin/suexec
  
  Did you read suexec(8)?
 
 I expect you mean this?
 
   Because this program is only used internally by httpd(8),
   there are no other ways to directly invoke suexec.

No.  The next paragraph.



Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

2008-09-01 Thread Henning Brauer
* Lars Noodin [EMAIL PROTECTED] [2008-09-01 10:05]:
 Jeremy Huiskamp wrote:
 
  No, I meant this:
  In order to work correctly, the suexec binary should be owned by ``root''
  and have the SETUID execution bit set.  OpenBSD currently does not install
  suexec with the SETUID bit set, so a change of file mode is necessary to
  enable it...
 
 Thanks.
 
 Interesting.  I thought SUID-root scripts were vulnerable to race
 condition-based vulnerabilities, among other things.  Is that also the
 case for OpenBSD?  If not, why?

[EMAIL PROTECTED]  $ file /usr/sbin/suexec
/usr/sbin/suexec: ELF 64-bit MSB executable, SPARC64, version 1, for
OpenBSD, dynamically linked (uses shared libs), stripped

- not a script.

 Alternately, how lame would it be to have one suexec per suexec-user and
 have each copy owned by that user?  That would at least avoid having it
 operate as root.

oh holy root, must be avoided at any cost, right.

go read suexec code. even docs would be a good start.

first thing it does after being invoked is dropping privileges to the
target user account.


-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Changed source address for packets from ospfd causing breakage?

2008-09-01 Thread Russell Howe

Afternoon misc,

I recently added an extra loopback interface to an OpenBSD host running 
OpenOSPFd as a way of assigning specific IP addresses to the host in a 
way that didn't tie them to a specific physical interface.


I'm using the addresses for NAT and also announcing them as a route into 
an OSPF area where there is another OpenBSD box (matched with this one 
running with carp/pfsync/sasync/openospfd) and two Linux machines 
running quagga's ospfd.


Ever since I did this, my OSPF area fell over and I think it might be 
because ospfd is now sending packets with a source address matching one 
of the (public) addresses on this loopback interface instead of the 
address on the interface it is speaking OSPF on which matches its 
router-id. I've configured static routes for now, until I can figure out 
exactly what's going on.


How does ospfd choose the address to send from? I thought it might be 
something to do with the multicast route, but that's set to be on 'lo0', 
whereas my new loopback interface is lo1.


This is on OpenBSD 4.2 (I attempted to upgrade to 4.3 and the other node 
in the carp group died, so I'll be trying that again outside office 
hours, I think!).


The machine is connected to the ospf area via the 'vlan20' interface 
which is configured with an IP address 192.168.50.10/24 and is supposed 
to be announcing all the networks it is connected to on other 
interfaces. I've anonymised the non-rfc1918 addresses, but (and this 
might be important) they are the 'lowest' addresses on the router.


/etc/ospfd.conf:

cost_vpn=100
cost_gige=10
cost_gige_shared=12
cost_gige_crossover=8

router-id 192.168.50.10

auth-key censored
auth-type simple
hello-interval 6
retransmit-interval 5
router-dead-time 10
redistribute connected
redistribute static

area 0.0.0.0 {
interface trunk0 {
metric $cost_gige_crossover
}
interface trunk2 {
metric $cost_gige
passive
}
interface vlan1 {
metric $cost_gige_shared
passive
}
interface vlan5 {
metric $cost_gige_shared
passive
}
interface vlan6 {
metric $cost_gige_shared
passive
}
interface vlan8 {
metric $cost_gige_shared
passive
}
interface vlan10 {
metric $cost_gige_shared
passive
}
interface vlan20 {
metric $cost_gige_shared
}
interface lo1:1.2.3.4 {
metric $cost_gige
passive
}
interface lo1:1.2.3.5 {
metric $cost_gige
passive
}
interface lo1:1.2.3.6 {
metric $cost_gige
passive
}
interface lo1:1.2.3.7 {
metric $cost_gige
passive
}
interface lo1:1.2.3.8 {
metric $cost_gige
passive
}
}


--
Russell Howe, IT Manager. BMT Marine & Offshore Surveys Ltd.
[EMAIL PROTECTED]



Re: isakmpd from XX to any; possible to offer choice of algorithm?

2008-09-01 Thread Heinrich Rebehn

jared r r spiegel wrote:

On Fri, Aug 29, 2008 at 11:02:18PM +, Stuart Henderson wrote:


Now someone would like to add a device which (like some other devices
connecting to this machine) is not on a fixed address so it needs to
use the to any rule. Though it supports AES in phase 2, only DES or
3DES are permitted in phase 1 (which of course is already set to AES
on other devices).


  just checked isakmpd.conf(5), it says you can have a list of proposed
  transforms (instead of just one).

  but i do recall for certain that i NEVER got that to work.

  any list of anything, i never got to work; transform lists, the thing
  where you're supposed to be able to specify a range of time/byte
  durations, etcetc :/



I used the following for phase 1 in my isakmpd.conf:

[General]
...
Default-phase-1-ID  = My-Phase-1-Id

[My-Phase-1-Id]
Id-Type = FQDN
Name= router.ant.uni-bremen.de

[Phase 1]
Default = Peer-Default


[Peer-Default]
Phase   = 1
Transport   = udp
Configuration   = Default-id-prot


[Default-id-prot]
DOI = IPSEC
EXCHANGE_TYPE   = ID_PROT
Transforms  = 3DES-SHA-RSA_SIG,AES-SHA-RSA_SIG

This worked w/o problems.

HTH,
Heinrich
--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341



Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

2008-09-01 Thread Hannah Schroeter
Hi!

On Sun, Aug 31, 2008 at 05:01:20PM -0400, Jeremy Huiskamp wrote:

Did you read suexec(8)?

Wouldn't one also need to copy over the suexec binary to the chroot for
chrooted httpds, nowadays? That isn't mentioned in the suexec(8) manual
page.

Kind regards,

Hannah.



Pre-Order 4.4

2008-09-01 Thread new_guy
When can 4.4 be pre-ordered?

Thanks,
Brad



Re: Pre-Order 4.4

2008-09-01 Thread Peter N. M. Hansteen
new_guy [EMAIL PROTECTED] writes:

 When can 4.4 be pre-ordered?

Wait for the commit message :)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Changed source address for packets from ospfd causing breakage?

2008-09-01 Thread Stuart Henderson
On 2008-09-01, Russell Howe [EMAIL PROTECTED] wrote:
 How does ospfd choose the address to send from? I thought it might be 
 something to do with the multicast route, but that's set to be on 'lo0', 
 whereas my new loopback interface is lo1.

Packets are sent out of interface X with the source IP address
set to the IP address assigned to interface X (see send_packet()
in packet.c).

Where you set an address with the nic0:11.22.33.44 format in
ospfd.conf, the address you configure there is the address used.
Otherwise it's the first IP address on the interface (I don't
like to rely on that; better to set the address explicitly).

I do use a loopback /32 on lo1 with bgpd/ospfd and don't see
this sort of problem. (I do have to be careful and look out for
problems with BGP nexthops when I restart things though, which
may be connected with this but I'm not sure...) In my case
it's from a separate subnet which is not announced as a whole
subnet into OSPF, just as host routes. From the information
you gave we can't tell how you arranged this, but if you're
sending the loopbacks from a network which is otherwise
announced, maybe it's worth trying that..



Re: Difference (bug?) in display in pfctl, pftop and systat for an anchor filter rule?

2008-09-01 Thread Stuart Henderson
On 2008-08-31, Martin Gignac [EMAIL PROTECTED] wrote:
 1. Why do pftop and systat report rule #4 as a kind of pass all rule
 when it's actually an 'anchor ftp-proxy/* all' rule? Is this normal
 and expected?

looks like this isn't implemented yet.

 2. Is it a bug for systat to report the direction of rule #4 as In
 while pftop reports it as Any? I'm assuming the difference indicates
 a bug in either one of the programs.

this diff fixes systat.

Index: usr.bin/systat/pftop.c
===
RCS file: /data/cvsroot/open/anoncvs/cvs/src/usr.bin/systat/pftop.c,v
retrieving revision 1.4
diff -u -p -r1.4 pftop.c
--- usr.bin/systat/pftop.c  16 Jul 2008 10:23:39 -  1.4
+++ usr.bin/systat/pftop.c  1 Sep 2008 14:16:48 -
@@ -1281,7 +1281,13 @@ print_rule(struct pf_rule *pr)
print_fld_size(FLD_BYTES, pr-bytes[0] + pr-bytes[1]);

print_fld_uint(FLD_RULE, pr-nr);
-   print_fld_str(FLD_DIR, pr-direction == PF_OUT ? Out : In);
+   if (pr-direction == PF_OUT)
+   print_fld_str(FLD_DIR, Out);
+   else if (pr-direction == PF_IN)
+   print_fld_str(FLD_DIR, In);
+   else
+   print_fld_str(FLD_DIR, Any);
+
if (pr-quick)
print_fld_str(FLD_QUICK, Quick);
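Review bot: the if/else-if chain in this hunk maps every direction that is neither PF_OUT nor PF_IN to Any, which is what fixes the In display for the anchor rule asked about above; a switch on pr->direction with PF_OUT, PF_IN and a default case would make the three-way mapping read more clearly than the chain, and the trailing added blank line is purely stylistic.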



Re: Pre-Order 4.4

2008-09-01 Thread Darrin Chandler
On Mon, Sep 01, 2008 at 02:39:07PM +0200, Peter N. M. Hansteen wrote:
 new_guy [EMAIL PROTECTED] writes:

  When can 4.4 be pre-ordered?

 Wait for the commit message :)

It's always announced on this mailing list and on undeadly.org as well.

--
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG
Federation




Re: Pre-Order 4.4

2008-09-01 Thread Theo de Raadt
 When can 4.4 be pre-ordered?

Soon.



Re: Pre-Order 4.4

2008-09-01 Thread Paul de Weerd
On Mon, Sep 01, 2008 at 10:43:26AM -0600, Theo de Raadt wrote:
|  When can 4.4 be pre-ordered?
| 
| Soon.

\o/

Sleepless nights watching [EMAIL PROTECTED] start now...

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



wd0(wdc1:0:0): timeout on openbsd 4.0 macppc

2008-09-01 Thread Khalid Schofield

Hi,
I'm running openbsd 4.0 (yeh old I know but it's a vital system that  
I'm replacing but it processes data that makes a lot of money).


I'm getting these errors in dmesg. Should I be freaked out that the  
disk is failing or is it something else? I have tar backups but I want  
to make totally sure so I'm doing a dump in single user mode tonight  
(if it lets me who knows...). It's running on a powerpc mac mini.  
Errors are as follows:



wd0(wdc1:0:0): timeout
type: ata
c_bcount: 32768
c_skip: 0
wd0a: device timeout reading fsbn 11840224 of 11840224-11840287 (wd0 bn 11843248; cn 11749 tn 4 sn 4), retrying

wd0: soft error (corrected)
wd0(wdc1:0:0): timeout
type: ata
c_bcount: 16384
c_skip: 0
wd0a: device timeout reading fsbn 56357056 of 56357056-56357087 (wd0 bn 56360080; cn 55912 tn 12 sn 28), retrying

wd0: soft error (corrected)
wd0(wdc1:0:0): timeout
type: ata
c_bcount: 65536
c_skip: 0
wd0a: device timeout reading fsbn 6779520 of 6779520-6779647 (wd0 bn 6782544; cn 6728 tn 11 sn 27), retrying

wd0: soft error (corrected)
wd0(wdc1:0:0): timeout
type: ata
c_bcount: 65536
c_skip: 0
wd0a: device timeout reading fsbn 68005280 of 68005280-68005407 (wd0 bn 68008304; cn 67468 tn 8 sn 56), retrying

wd0: soft error (corrected)
wd0(wdc1:0:0): timeout
type: ata
c_bcount: 16384
c_skip: 0
wd0a: device timeout reading fsbn 56950240 of 56950240-56950271 (wd0 bn 56953264; cn 56501 tn 4 sn 4), retrying

wd0: soft error (corrected)
wd0(wdc1:0:0): timeout
type: ata
c_bcount: 49152
c_skip: 0
wd0a: device timeout reading fsbn 51484608 of 51484608-51484703 (wd0 bn 51487632; cn 51079 tn 0 sn 0), retrying

wd0: soft error (corrected)
wd0(wdc1:0:0): timeout
type: ata
c_bcount: 16384
c_skip: 0
wd0a: device timeout reading fsbn 60454464 of 60454464-60454495 (wd0 bn 60457488; cn 59977 tn 10 sn 42), retrying

wd0: soft error (corrected)



relayd and ftp

2008-09-01 Thread Sebastian Reitenbach
Hi,

I want to load balance an FTP server, so I thought about setting up relayd
in front of it. But due to the nature of the FTP protocol, which uses separate
connections for control and data, I expect some trouble.
I found some sites mentioning that FTP will not work with relayd, but on the
other hand FTP is briefly mentioned in relayd.conf(5) as an example of a
protocol that outputs a banner.

I thought that when I load balance the control connection, the server will
answer with a different address and port for the data connection than the
one the client connected to. I'll have some clients in parallel, and the
file sizes are more or less equal, so I'd hope there is a good chance the
more bandwidth-hungry data connections would also be; could this work?

If anyone could share some experiences, that would be greatly appreciated.

kind regards
Sebastian 



Re: wd0(wdc1:0:0): timeout on openbsd 4.0 macppc

2008-09-01 Thread Fred Crowson

Khalid Schofield wrote:

Hi,
I'm running openbsd 4.0 (yeh old I know but it's a vital system that I'm 
replacing but it processes data that makes a lot of money).


I'm getting these errors in dmesg. Should I be freaked out that the disk 
is failing or is it something else? I have tar backups but I want to 
make totally sure so I'm doing a dump in single user mode tonight (if it 
lets me who knows...). It's running on a powerpc mac mini. Errors are as 
follows:



wd0(wdc1:0:0): timeout
type: ata
c_bcount: 32768
c_skip: 0
wd0a: device timeout reading fsbn 11840224 of 11840224-11840287 (wd0 bn 11843248; cn 11749 tn 4 sn 4), retrying

wd0: soft error (corrected)

/snip

I would get a new disk soon.

Fred :~S

PS Out of interest how is the disk partitioned?



Re: wd0(wdc1:0:0): timeout on openbsd 4.0 macppc

2008-09-01 Thread johan beisser

On Sep 1, 2008, at 11:44 AM, Khalid Schofield wrote:


Hi,
I'm running openbsd 4.0 (yeh old I know but it's a vital system that  
I'm replacing but it processes data that makes a lot of money).


Better replace the disk tomorrow, then. Or, implement the software on  
a new system, and take the hit on some downtime while it's being  
replaced.


Those are signs of odd errors on the physical media itself. OpenBSD  
can (and may) crash due to bad sectors and failed writes. I did allow  
a system to limp along on a bad drive for nearly a year while I tried  
to source a very old (no longer available) drive.




4.3 hoststated renamed to relayd

2008-09-01 Thread Frank Bax
The upgrade43 guide does not mention that /etc/ftpusers shouldmust be 
changed.




Re: 4.3 hoststated renamed to relayd

2008-09-01 Thread Martin Gignac
 The upgrade43 guide does not mention that /etc/ftpusers shouldmust be
 changed.

Isn't it indicated here?:

http://www.openbsd.org/faq/upgrade43.html#etcUpgrade

-Martin



Re: Pre-Order 4.4

2008-09-01 Thread Jim Razmus
* Paul de Weerd [EMAIL PROTECTED] [080901 12:57]:
 On Mon, Sep 01, 2008 at 10:43:26AM -0600, Theo de Raadt wrote:
 |  When can 4.4 be pre-ordered?
 | 
 | Soon.
 
 \o/
 
 Sleepless nights watching [EMAIL PROTECTED] start now...
 

for the coveted title First 4.4 CD Set Purchaser.  Might be cool to
have Theo sign it.

Jim



Re: Pre-Order 4.4

2008-09-01 Thread Francisco Valladolid Hdez.
--- Jim Razmus [EMAIL PROTECTED] wrote:

 * Paul de Weerd [EMAIL PROTECTED] [080901 12:57]:
  On Mon, Sep 01, 2008 at 10:43:26AM -0600, Theo de
 Raadt wrote:
  |  When can 4.4 be pre-ordered?
  | 

I think that misc@ will be the first in announce the
news.

Please be patient.!

Regards

  | Soon.
  
  \o/
  
  Sleepless nights watching
 [EMAIL PROTECTED] start now...
  
 
 for the coveted title First 4.4 CD Set Purchaser. 
 Might be cool to
 have Theo sign it.
 
 Jim
 
 


--- 
Therefore, if anyone is in Christ, he is a new creation; the old has gone, the 
new has come! - 2 Corinthians 5:17 (NIV)
---
Francisco Valladolid Hdez.
http://blog.bsdguy.net - http://flickr.com/photos/sigueme/