Re: OpenBSD on EC2/Amazon
+1 Would be nice to drop my linux ami.

tls

> Hi all,
>
> I have a question:
>
> ¿Is anyone working to make possible run OpenBSD on Amazon EC2?
>
> now, It is possible to run NetBSD and FreeBSD, but I can not find much
> information about the progress of OpenBSD on this topic.
>
> Thanks in advance.
>
> --
> Fernando Quintero
> http://nonroot.blogspot.com/
> Just a nonroot User
Re: VPN on OpenBSD: OpenSSH or OpenVPN?
On Apr 24, 2012, at 11:07 PM, jin&hitman&Barracuda wrote:

>>> If you could write an article for undeadly (or only some short notes)
>>> on how you did this, it would be much appreciated. I'm sure there are
>>> lots of people besides me that are interested in this topic.
>>
>> +1
>
> --
> *There is no place like "/home"*
> *From HemiB A R R A C U D A !*

I just submitted a quick write-up to undeadly.org. Screenshots for client configuration are missing yet, as I don't have them. But I'll post them as soon as I have them.

//maxim
Re: OpenBSD on EC2/Amazon
On Wed, Apr 25, 2012 at 12:42:30AM -0500, Fernando Quintero wrote:

> Hi all,
>
> I have a question:
>
> ¿Is anyone working to make possible run OpenBSD on Amazon EC2?
>
> now, It is possible to run NetBSD and FreeBSD, but I can not find much
> information about the progress of OpenBSD on this topic.
>
> Thanks in advance.

I don't think anybody is working on this. But there are several VPS companies around (arpnetworks.com is one) that are OpenBSD friendly.

*If* I want to run a VPS, I'd rather give my money to a small company than some behemoth.

But note that virtual systems have many drawbacks. Most importantly, the security of OpenBSD (or any system run on a virtual system) is bounded by the security of the VM implementation. It's another layer that could cause security problems.

	-Otto
Re: PF match word
On 2012-04-24, Theron ZORBAS wrote:
> Hello Misc,
>
> What is the difference between these two rules:
> match out on egress inet from $int_if:network to any nat-to (egress)
>
> pass out on egress inet from $int_if:network to any nat-to (egress)
> Or there is no difference?
>
> I could not understand when to use match word.

'match' lets you separate natting, queue assignment, routing table selection, qos marking etc from the main firewall pass/block logic.

for example I find this easier to understand and edit: (contrived example, but I think you'll get the idea..)

    match from 10/8 to any nat-to egress:0
    match from 10.0.5.9 to any nat-to $somehost

    block
    pass proto tcp from 10/8 to port 22
    pass proto tcp from 10/8 to port 80
    pass proto tcp from 10/8 to port 1433

than this:

    block
    pass proto tcp from 10/8 to port 22 nat-to egress:0
    pass proto tcp from 10/8 to port 80 nat-to egress:0
    pass proto tcp from 10/8 to port 1433 nat-to egress:0
    pass proto tcp from 10.0.5.9 to port 22 nat-to $somehost
    pass proto tcp from 10.0.5.9 to port 80 nat-to $somehost
    pass proto tcp from 10.0.5.9 to port 1433 nat-to $somehost

> P.S. It's been very near time that i started to use OpenBSD as a firewall.
> I'm asking this question as a newbie.
> Sorry if it is a time wasting question to you.
>
> Thanks.
> Theron ZORBAS

general advice: rather than just writing rules, start by working out (and making notes on) what you want the firewall to allow, then *after* you've done this, write some rules. then you can check them against your original notes to make sure they do what you want. keep a copy of these notes, they will help a lot if you leave the config alone for a while and then want to make changes to it after a few months..
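As an added illustration of the point made in the reply above (this is an example written for this page, not the poster's ruleset), the difference between the two rules in the question is that `match ... nat-to` only attaches the translation, while `pass ... nat-to` both translates and makes the pass/block decision. The interface name em1 and the use of the "egress" interface group are assumptions:

```pf
# Added example, not from the thread. Assumes the LAN is on em1 and that
# "egress" is the interface group holding the default-route interface.
int_if = "em1"

# A match rule never passes or blocks anything. It records "if this packet
# is eventually passed, NAT it to the egress address" and evaluation
# continues with the next rule.
match out on egress inet from $int_if:network to any nat-to (egress)

# The decision lives here. Default deny, then explicit pass rules; the NAT
# attached above is applied to whatever the last matching pass rule accepts.
block log all
pass in on $int_if inet proto { tcp udp icmp } from $int_if:network to any
pass out on egress inet proto { tcp udp icmp } from $int_if:network to any
```

Check the ruleset with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded) before `pfctl -f`. With the `pass out` line removed the file still parses and the match rule still loads, but no LAN traffic leaves the box at all; with the question's `pass out ... nat-to (egress)` form instead, removing that one line would remove both the NAT and the permission at once, which is exactly the coupling that `match` lets you avoid.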
Re: undeadly
Hi, Nice article about Paris. Can someone point out what text editors are open in that picture? I don't want to start the old war about editors, I'm just interested what other options are ... Thanks.
Re: undeadly
On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> Hi,
>
> Nice article about Paris. Can someone point out what text editors are
> open in that picture?
> I don't want to start the old war about editors, I'm just interested
> what other options are ...
> Thanks.

I think it is Window Manager and grouping.
Forgot the name of this minimalistic WM. Anyone to point this out?

P.S.
I see at least two WM in use on those photos. One is from the base.

//maxim
Re: Where's my bandwidth going?
I was using trafshow from packages, it was quick to install and very simple.
Re: SETUID perl script leaves backdoor open
After short testing I found a bug or at least a dangerous pitfall.

This leaves a backdoor open (probably in the saved UID):

    #!/usr/bin/perl -wT
    use strict;
    require POSIX;

    sub ids () { print "RUID=$< EUID=$> RGID=$( EGID=$)\n" }

    print "Running $^X $0\n";
    ids;
    $> = $< = $<;
    ids;
    $> = $< = 0;
    ids;

=== OUTPUT:

    Running /usr/bin/perl /dev/fd/3
    RUID=1000 EUID=0 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001
    RUID=1000 EUID=1000 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001
    RUID=0 EUID=0 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001

While this drops privileges permanently:

    #!/usr/bin/perl -wT
    use strict;
    require POSIX;

    sub ids () { print "RUID=$< EUID=$> RGID=$( EGID=$)\n" }

    print "Running $^X $0\n";
    ids;
    $< = $> = $<;
    ids;
    $> = $< = 0;
    ids;

=== OUTPUT:

    Running /usr/bin/perl /dev/fd/3
    RUID=1000 EUID=0 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001
    RUID=1000 EUID=1000 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001
    RUID=1000 EUID=1000 RGID=10 10 0 5 9 117 501 1001 EGID=10 10 0 5 9 117 501 1001

Backdoor is still open when doing "$> = $< = 1000" or "$< = 1000; $> = 1000;".

POSIX::setuid($<) works fine.
Re: Where's my bandwidth going?
drop to a debian net and grab lsof

On 04/25/12 03:14, Mihai Popescu wrote:
> I was using trafshow from packages, it was quick to install and very simple.
Re: undeadly
On 25.04.2012 13:04, mxb wrote:
> On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> > Hi,
> >
> > Nice article about Paris. Can someone point out what text editors are
> > open in that picture?
> > I don't want to start the old war about editors, I'm just interested
> > what other options are ...
> > Thanks.
>
> I think it is Window Manager and grouping.
> Forgot the name of this minimalistic WM. Anyone to point this out?
>
> P.S.
> I see at least two WM in use on those photos. One is from the base.
>
> //maxim

calm wm (cwm)?
Re: fdisk flag bootable partition during install
On Tue, 2012-04-24 at 23:35 +0200, Louis V. Lambrecht wrote:
> On Tue, 2012-04-24 at 22:52 +0200, Erling Westenvik wrote:
> > On Tue, Apr 24, 2012 at 08:14:19PM +0200, Alexander Hall wrote:
> > > You do not flag which "to use". Multiple A6 entries brings problems since
> > > you get multiple disklabels.
> >
> > Trust me: I'll remember that in the future.
> >
> > > I am pretty sure this is documented and in the faq and archives.
> >
> > Maybe so, at least implicit, but I dare to say not explicit. I don't
> > blame anyone but myself though.
> >
> > > You could try setting the partition not to be used to some other dummy
> > > type. Backup first. Ymmv.
> >
> > I tried setting fdisk partition 1 back to NTFS (0x07). Then, after
> > quitting fdisk, the system complained about missing parameters when
> > trying to run reboot, halt and eventually shutdown. I managed to reboot
> > somehow but then no kernel was found. I then booted from CD and managed
> > to get the system back online with the two "multiple A6 entries".
> >
> > 1. When I used "flag 1" in fdisk during install, did the installer place
> > the new files in fdisk partition 1?
> >
> > 2. If so, does the original 5.0 installation still exist in fdisk
> > partition 2?
> >
> > 3. If so, can my original disklabel be restored?
> >
> > Cheers
> > Erling
>
> First read the FAQ 14.7,
> notice the "What can go wrong" chapter and fdisk with the -u option
> and run installboot(8) from the proper label.
>
> Man boot(8) EXAMPLES
> boot> boot hd2a:/bsd should get you in your large partition.
>
> In most cases, when installing an OS, most rewrite the MBR: last install
> wins.

Oops, after a good sleep, noticed an error: hard drive hd0 remains hd0 whatever the labels. Can't figure out the label. Sorry.

Now, stop playing with fdisk until you know what you are doing. :-6

Would have preferred to give you a plain OpenBSD solution. Instead download a copy of RIP-Linux (CDRom or USB) or GAG (floppy).
What they do is to boot by-passing your (now whacked) fdisk. Both will discover the PBRs (Partition Boot Record) and let you boot from without writing anything to the drive (unless you say so).

Repair your Win7:
http://techchand.org/92/how-to-fix-bootmgr-error-in-windows-vista-and-windows-7

It is a PITA but possible to point to any PBR (hence your OBSD sessions) from within Windows boot manager. Must be free tools around.
Re: bnx[01] -> trunk0 -> vlan119 -> carp119 problem
BARDOU Pierre mipih.fr> writes:
>
> Hello,
>
> I have dozens of CARP interfaces over VLAN interfaces over LACP trunk
> interfaces over physical EM/BGE/BNX. Carp is in multicast mode, multicast
> routing is disabled. Works like a charm with various OpenBSD versions since
> 4.4 to 5.0.

OK, that is good to know. Are you using i386 or amd64? I'm wondering if somehow that is a factor here?

> I can give you my hostname.if if that helps...

Yes, that would be very useful. Can you email to matth at netsight.co.uk.

I'm about to start setting up ospfd on these hosts, which also uses multicast so it will be interesting to see if that now also fails due to multicast being filtered out somewhere.

-Matt
Re: undeadly
First laptop looks like either wmii or i3 based on the dynamic tiling (tab layouts within tiled layout) and colorscheme, though xmonad could also be coaxed into providing a layout like that. Second laptop looks like fvwm to me based on the fact that the windows have titlebars. cwm doesn't have titlebars. Just my observation.

On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> > Hi,
> >
> > Nice article about Paris. Can someone point out what text editors are
> > open in that picture?
> > I don't want to start the old war about editors, I'm just interested
> > what other options are ...
> > Thanks.
>
> I think it is Window Manager and grouping.
> Forgot the name of this minimalistic WM. Anyone to point this out?
>
> P.S.
> I see at least two WM in use on those photos. One is from the base.
>
> //maxim
Re: undeadly
On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> > Hi,
> >
> > Nice article about Paris. Can someone point out what text editors are
> > open in that picture?
> > I don't want to start the old war about editors, I'm just interested
> > what other options are ...
> > Thanks.
>
> I think it is Window Manager and grouping.
> Forgot the name of this minimalistic WM. Anyone to point this out?
>
> P.S.
> I see at least two WM in use on those photos. One is from the base.
>
> //maxim

Let's try that again without top-posting... O_o

First laptop looks like either wmii or i3 based on the dynamic tiling (tab layouts within tiled layout) and colorscheme, though xmonad could also be coaxed into providing a layout like that. Second laptop looks like fvwm to me based on the fact that the windows have titlebars. cwm doesn't have titlebars. Just my observation.
Re: undeadly
On Wed, Apr 25, 2012 at 07:10:32AM -0400, Jeremy O'Brien wrote:
> On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> > On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> > > Hi,
> > >
> > > Nice article about Paris. Can someone point out what text editors are
> > > open in that picture?
> > > I don't want to start the old war about editors, I'm just interested
> > > what other options are ...
> > > Thanks.
> >
> > I think it is Window Manager and grouping.
> > Forgot the name of this minimalistic WM. Anyone to point this out?
> >
> > P.S.
> > I see at least two WM in use on those photos. One is from the base.
> >
> > //maxim
>
> Let's try that again without top-posting... O_o
>
> First laptop looks like either wmii or i3 based on the dynamic tiling
> (tab layouts within tiled layout) and colorscheme, though xmonad could
> also be coaxed into providing a layout like that. Second laptop looks
> like fvwm to me based on the fact that the windows have titlebars. cwm
> doesn't have titlebars. Just my observation.

First laptop has ion3, editor is emacs with custom emacs.conf:

https://www.poolp.org/~gilles/emacs/emacs.conf

Also, how I managed to appear on a picture while only attending 3/4 hours is an achievement in itself ;-p

--
Gilles Chehade

https://www.poolp.org | http://pool.ps @poolpOrg
Re: after downgrade OpenBSD dmesg display wrong information
IRC EXPOSED@!@! READ THE NEWS NOW!

drizztbsd is no synonym - it is Theo himself!

On 04/18/12 21:37, Theo de Raadt wrote:
> > > Some machines keep previous dmessages in mem. Scroll down to see the
> > > most recent dmesg, or check /var/run/dmesg.boot
> > >
> > > A cold boot wipes the dmesg buffer.
> > >
> > > -Otto
> >
> > Did something change in -current?
>
> Might be surprising, but things always change in -current...
5.1 is shipping
We have started shipping. Thanks.
Re: undeadly
On Wed, Apr 25, 2012 at 01:21:06PM +0200, Gilles Chehade wrote:
> On Wed, Apr 25, 2012 at 07:10:32AM -0400, Jeremy O'Brien wrote:
> > On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> > > On 04/25/2012 11:52 AM, Mihai Popescu wrote:
> > > > Hi,
> > > >
> > > > Nice article about Paris. Can someone point out what text editors are
> > > > open in that picture?
> > > > I don't want to start the old war about editors, I'm just interested
> > > > what other options are ...
> > > > Thanks.
> > >
> > > I think it is Window Manager and grouping.
> > > Forgot the name of this minimalistic WM. Anyone to point this out?
> > >
> > > P.S.
> > > I see at least two WM in use on those photos. One is from the base.
> > >
> > > //maxim
> >
> > Let's try that again without top-posting... O_o
> >
> > First laptop looks like either wmii or i3 based on the dynamic tiling
> > (tab layouts within tiled layout) and colorscheme, though xmonad could
> > also be coaxed into providing a layout like that. Second laptop looks
> > like fvwm to me based on the fact that the windows have titlebars. cwm
> > doesn't have titlebars. Just my observation.
>
> First laptop has ion3, editor is emacs with custom emacs.conf:
>
> https://www.poolp.org/~gilles/emacs/emacs.conf
>
> Also, how I managed to appear on a picture while only attending 3/4 hours
> is an achievement in itself ;-p

I thought ion3, but i3 came out instead because that's what _I_ use.

Thanks for the input. I'm also very nosy when it comes to the (windowing/editing) environments that people work/code in. Always looking for new ideas.
Re: 5.1 is shipping
On 25 April 2012 12:46, OpenBSD Europe wrote:
> We have started shipping.
>
> Thanks.

Fantastic news. Sandybridge graphics here I come!

Many thanks, as ever, to all the OpenBSD developers.
Re: OpenBSD on EC2/Amazon
> But there are several VPS companies around (arpnetworks.com is one)
> that are OpenBSD friendly.
>
> *If* I want to run a VPS, I'd rather give my money to a small company
> than some behemoth.

+1. ARP Networks is a great group of guys, they've been fantastic the few times I've needed them to do something (most of the time, just swapping the ISO image attached to my VPS).

Benny

--
"The problem with quotes on the internet is that it's very hard to verify their authenticity." -- Abraham Lincoln
Re: OpenBSD on EC2/Amazon
BSDVM.COM is also great.

Cheers,
--
Wesley

On 2012-04-25 16:01, C. Bensend wrote:
>> But there are several VPS companies around (arpnetworks.com is one)
>> that are OpenBSD friendly.
>>
>> *If* I want to run a VPS, I'd rather give my money to a small company
>> than some behemoth.
>
> +1. ARP Networks is a great group of guys, they've been fantastic the
> few times I've needed them to do something (most of the time, just
> swapping the ISO image attached to my VPS).
>
> Benny
Re: undeadly
Hi all you messy-int-typedef-mix rejectors,

Jeremy O'Brien wrote [2012-04-25 13:56+0200]:
> On Wed, Apr 25, 2012 at 01:21:06PM +0200, Gilles Chehade wrote:
> > On Wed, Apr 25, 2012 at 07:10:32AM -0400, Jeremy O'Brien wrote:
> > > On Wed, Apr 25, 2012 at 12:04:27PM +0200, mxb wrote:
> > > > On 04/25/2012 11:52 AM, Mihai Popescu wrote:
[reducing like crazy, very impolite]
> > > > > Nice article about Paris.
> > > >
> > > > I think it is Window Manager and grouping.
> > > > Forgot the name of this minimalistic WM. Anyone to point this out?
> > > >
> > > > P.S.
> > > > I see at least two WM in use on those photos. One is from the base.
> > > >
> > > > //maxim
> >
> > First laptop has ion3, editor is emacs with custom emacs.conf:
> >
> > https://www.poolp.org/~gilles/emacs/emacs.conf
> >
> > Also, how I managed to appear on a picture while only attending 3/4 hours
> > is an achievement in itself ;-p
>
> Thanks for the input. I'm also very nosy when it comes to the
> (windowing/editing) environments that people work/code in. Always
> looking for new ideas.

if you like then you should really give ahwm a try. I'm using it since 2002 (almost eight years on FreeBSD, and since about 4 months again on OpenBSD in addition). It's a real nifty thing and has an even smaller memory footprint than cwm, while being much more sweet, e.g., each desktop can have different window decoration colors (e.g. root-logins ALL RED). You can also send windows to specific workspaces automatically through their given name, as in

    # .xinitrc
    rxvt-unicode -title Ed -e vim &

    # .ahwmrc
    WindowName "Ed" {
        DefaultWorkspace = 1;
        #Sticky = True;
        #Omnipresent = True
    }

I think cwm doesn't do that (at least yet). Read the .rc, it contains almost the entire docu (functions, selectors, options; do bindings, defines - whatever)

But now the *absolute hammer*! The guy who wrote that crazy thing back in 2002 has just (!) modified his webpage and now states something like

    Please note: this page, and this code, haven't been updated in ten years.
    This is of historical value only.

IT'S NOT!? I'M USING IT DAILY!

    Please do not hesitate to contact me

Why should i?

    to report bugs

Why should i??

    or request new features

Why should i, dammit???

    Sat Feb 9 19:49:37 CST 2002
    Released version 0.90. This is the initial beta release of AHWM. It may contain bugs.

    Fri Apr 20 02:12:35 PDT 2012
    Did not release any new version in the preceding ten years. Updated this page to make it clear that updates are unlikely.

Ha! You don't say. Just because you don't touch your did-once-for-good piece of software means that it's historical. Maybe you see it as an OpenBSD package before 5.2 is released. Has a nice rather-BSD license, has it.

Thanks for your understanding.

P.S.: Forget your cat - my wild one is much more beautiful.

--steffen
Forza Figa!
Re: 5.1 is shipping
On Wed, Apr 25, 2012 at 12:46 PM, OpenBSD Europe wrote:
> We have started shipping.
>
> Thanks.

Hi,

We've shipped the vast majority now. The rest will go tomorrow AM.

Thanks,
Re: fdisk flag bootable partition during install
Thank you for your time everyone. Especially Gregor Best who pointed me in the right direction. I managed to get hold on the old 5.0 RELEASE in fdisk partition 2. However, afterwards I managed to do unspeakable things.. I learned a lot though. It's a first time for everything! :-D

On Tue, Apr 24, 2012 at 11:12:55PM +0200, Gregor Best wrote:
> On Tue, Apr 24, 2012 at 10:52:26PM +0200, Erling Westenvik wrote:
> > 1. When I used "flag 1" in fdisk during install, did the installer place
> > the new files in fdisk partition 1?
>
> IIRC, behaviour with more than one A6 partition is undefined, but
> I'd say so, since it was the first A6 the kernel encountered on
> that disk.

Strictly speaking, partition 1 wasn't the first A6 partition the kernel encountered since it was marked as 07 during CD boot, and was first changed to 0xA6 "live" during install, without rebooting in between?

> > 2. If so, does the original 5.0 installation still exist in fdisk
> > partition 2?
>
> May be.

It did.

Cheers,
Erling
Re: SETUID perl script leaves backdoor open after dropping privileges
On Wed, Apr 25, 2012 at 07:15, Christopher Zimmermann wrote:
> As requested, here's the same test case a little more readable:
>
> This leaves a backdoor open (possibly in the saved UID):

Yes, if you don't clear the saved uid, you can still switch back to it. You should use setresuid if it's available, because the semantics of setting one uid at a time are a mess.

www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
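The setresuid(2) approach recommended above, as an added C example written for this page (it is not code from the thread, from Perl, or from the paper). It assumes a system that provides setresuid/getresuid, such as OpenBSD or Linux, and that supplementary groups and the gids were already dropped with setgroups/setresgid before the uid is touched; group handling is left out to keep the point visible. The same reasoning explains why the poster's POSIX::setuid($<) works: when the caller's effective uid is 0, setuid(2) sets the real, effective and saved uid together.

```c
/*
 * Added example, not code from the thread. Drop privileges permanently
 * with setresuid(2) and verify the drop by reading the ids back, instead
 * of trusting the return value, which is the lesson of the setuid paper
 * linked above. Assumes setresuid/getresuid exist (OpenBSD, Linux).
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes in case the feature macro above came too late. */
int setresuid(uid_t, uid_t, uid_t);
int getresuid(uid_t *, uid_t *, uid_t *);

/* 1 if real, effective and saved uid all equal uid, otherwise 0. */
int privs_fully_dropped(uid_t uid)
{
	uid_t r, e, s;

	if (getresuid(&r, &e, &s) == -1)
		return 0;
	return r == uid && e == uid && s == uid;
}

/*
 * Set all three uids at once so nothing is left to switch back to,
 * then confirm it. Returns 0 on success, -1 on failure.
 */
int drop_privs_permanently(uid_t uid)
{
	if (setresuid(uid, uid, uid) == -1)
		return -1;
	if (!privs_fully_dropped(uid)) {
		errno = EPERM;
		return -1;
	}
	return 0;
}

/*
 * The pitfall from the thread: changing only the effective uid leaves
 * the saved uid alone, so the old effective uid can be taken back.
 * Returns 1 if old_euid could be regained, 0 if not, -1 on error.
 */
int seteuid_only_leaves_backdoor(uid_t old_euid, uid_t new_euid)
{
	if (seteuid(new_euid) == -1)
		return -1;
	return seteuid(old_euid) == 0 ? 1 : 0;
}

int main(void)
{
	uid_t ruid = getuid(), euid = geteuid();

	printf("start: ruid=%u euid=%u\n", (unsigned)ruid, (unsigned)euid);

	/* Only meaningful when the binary was started setuid-root by a user. */
	if (euid == 0 && ruid != 0) {
		if (seteuid_only_leaves_backdoor(0, ruid) == 1)
			printf("seteuid(%u) then seteuid(0) worked: backdoor open\n",
			    (unsigned)ruid);
	}

	if (drop_privs_permanently(ruid) == -1) {
		perror("drop_privs_permanently");
		return 1;
	}
	/* After a real drop a non-root process cannot become root again. */
	if (ruid != 0 && seteuid(0) == 0) {
		printf("still able to regain root!\n");
		return 1;
	}
	printf("dropped to %u: %s\n", (unsigned)ruid,
	    privs_fully_dropped(ruid) ? "ok" : "NOT ok");
	return 0;
}
```

Installed setuid-root and run by an ordinary user, the first block prints the "backdoor open" line (the same thing the Perl test case shows with $> alone) and the setresuid() path then closes it, so the final seteuid(0) fails with EPERM. Run as a plain user it drops to the caller's own uid and the read-back check still has to hold.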
ypldap, ypbind at boot
Hi, I've setup my openbsd machines so that ldap users can log into it. I've installed login_ldap, configured /etc/login.conf, /etc/ypldap.conf, domainname in /etc/defaultdomain, and added the + user and group in master.passwd and /etc/group. As far as I read ypldap cannot speak ldaps, so I configured relayd to do an ssl tunnel and made ypldap connect through the tunnel. Everything worked fine until I moved my server infrastructure (shutdown everything). ypbind is stuck because the ldap server is not yet reachable, which is understandable. I read that I won't be able to log in if this happens, but that I can use netid so that local non-ldap users can still log in. I've done this but boot process is stuck and even if sshd is already started, I'm not able to ssh in with the users defined in netid (ssh connection closed by server after a timeout). Is it possible to setup ypbind and ypldap so that even if the ldap server is not available I'm able to login with the local users either by having the login prompt on the console or by being able to ssh in? Thanks Michel
Re: undeadly
My laptop is running fvwm, from the system, because I reinstall often enough and rebuild enough packages that anything else is a chore. Besides, I have weird keyboard shortcuts, and I haven't been able to find anything else that caters to the idiosyncrasies I caught years ago. As editor, I use vim if it's installed, and downgrade to vi while it's building. I have a small script named "vim" that calls the most appropriate editor, and can at least emulate "vim -" with vi.
Re: fdisk flag bootable partition during install
On Tue, Apr 24, 2012 at 08:47:05PM -0600, Theo de Raadt wrote:
> [...]
> Undefined?
>
> Sorry. But if you go look at the code, that is exactly how it works.
>
> Some might not like it. But that is how it works, at this time.
>
> I don't know what the word "undefined" means in that context.
> [...]

Hence the IIRC. Apparently I did not completely remember correctly :)

--
Gregor Best
Re: Where's my bandwidth going?
On Tue, Apr 24, 2012 at 9:27 PM, Alan Corey wrote:
> I'm on a modem, so there's only about 3 K/sec anyway, but is there anything
> that'll show me at least pids of what's using bandwidth? I've learned to
> close Firefox and even mc sessions I'm not using, and I'm watching a wget
> download and pftop and "netstat -b -I tun0 -w 1".
>
> I've got it under control right now by shutting off my wireless access point
> because my Kindle Fire was talking to s3.amazonaws.com. Poking around in
> userland ppp sources I see something called netgraph. How do I use that and
> what does it do?
>
> Alan

Running OpenBSD, you shouldn't have much trouble with rogue processes sucking bandwidth. You should know what processes you started. To see the ins and outs of our network traffic, I like using pftop. I looked at iftop too, it has an interesting display but pftop was more useful for me.

-Barry
Re: ypldap, ypbind at boot
On Wed, Apr 25, 2012 at 4:48 PM, Ganguin Michel wrote:
> Hi,
[cut]
> server after a timeout).
>
> Is it possible to setup ypbind and ypldap so that even if the ldap server is
> not available I'm able to login with the local users either by having the
> login prompt on the console or by being able to ssh in?
>
> Thanks
> Michel

On FreeBSD there is /etc/nsswitch.ldap in which you could say, for example:

---
passwd: files ldap
group: files ldap
shells: files ldap

# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts: files dns ldap

# LDAP is nominally authoritative for the following maps.
services: ldap [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files

# no support for netmasks, bootparams, publickey yet.
netmasks: files
bootparams: files
publickey: files
automount: files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases: files
sendmailvars: files

# Note: there is no support for netgroups on Solaris (yet)
#netgroup: ldap [NOTFOUND=return] files
netgroup: files
---

It's my FreeBSD file, but I have never tried running user ldap authorizing on OpenBSD, can't say more.

--
### Coonardoo / The Well In The Shadow / Le Puits Dans L'Ombre ###
Re: bnx[01] -> trunk0 -> vlan119 -> carp119 problem
On 2012-04-25, Matt Hamilton wrote:
> BARDOU Pierre mipih.fr> writes:
>
>> Hello,
>>
>> I have dozens of CARP interfaces over VLAN interfaces over LACP trunk
>> interfaces over physical EM/BGE/BNX. Carp is in multicast mode, multicast
>> routing is disabled. Works like a charm with various OpenBSD versions since
>> 4.4 to 5.0.
>
> OK, that is good to know. Are you using i386 or amd64? I'm wondering if
> somehow that is a factor here?
>
>> I can give you my hostname.if if that helps...
>
> Yes, that would be very useful. Can you email to matth at netsight.co.uk.
>
> I'm about to start setting up ospfd on these hosts, which also uses
> multicast so it will be interesting to see if that now also fails due to
> multicast being filtered out somewhere.

You can try something simple to test multicast;

    ping6 -w ff02::1%vlan119

you should see name responses from the local machine and other boxes on the same vlan.

I setup carp-on-vlan-on-trunk-on-bnx0/1 on an R210-II running 5.1 the other day, no trouble. In this case they're webservers so I didn't set net.inet.ip.forwarding in sysctl.conf and i'm using ip balancing rather than simple carp failover.

hostname.carp82
    carpdev vlan82 pass bleh advbase 0 carpnodes 74:32,75:128 balancing ip
    xxx.xxx.xxx.xxx/32

hostname.vlan82
    vlandev trunk0 vlan 82
    xxx.xxx.xxx.yyy/28

hostname.trunk0
    trunkproto failover trunkport bnx0 trunkport bnx1 up

hostname.bnx0, hostname.bnx1
    up

(using "advbase 0" allows for much faster failover, you really want 5.1 if you want to use that, it was added in 5.0 but the timer was a bit over-sensitive).

erm, do you have a default route configured? I haven't tested, but it wouldn't be a big surprise if that resulted in behaviour like you're seeing.
Re: OpenBSD on EC2/Amazon
On 4/25/2012 1:55 AM, Otto Moerbeek wrote:
> On Wed, Apr 25, 2012 at 12:42:30AM -0500, Fernando Quintero wrote:
>> Hi all,
>>
>> I have a question:
>>
>> ¿Is anyone working to make possible run OpenBSD on Amazon EC2?
>>
>> now, It is possible to run NetBSD and FreeBSD, but I can not find much
>> information about the progress of OpenBSD on this topic.
>>
>> Thanks in advance.
>
> I don't think anybody is working on this. But there are several VPS
> companies around (arpnetworks.com is one) that are OpenBSD friendly.
>
> *If* I want to run a VPS, I'd rather give my money to a small company
> than some behemoth.
>
> But note that virtual systems have many drawbacks. Most importantly,
> the security of OpenBSD (or any system run on a virtual system) is
> bounded by the security of the VM implementation. It's another layer
> that could cause security problems.
>
> -Otto

Couldn't be timed better, VMWare confirms ESX source code leak:

http://blogs.vmware.com/security/2012/04/vmware-security-note.html

I'm sure hypervisor->guest VM exploits exist already, and hopefully this will lead to more, because it is nearly unaddressed in all the virtual computing I work with.

--
Re: ypldap, ypbind at boot
On 2012-04-25, Vitali wrote:
>> Is it possible to setup ypbind and ypldap so that even if the ldap server is
>> not available I'm able to login with the local users either by having the
>> login prompt on the console or by being able to ssh in?
>
> On FreeBSD there is /etc/nsswitch.ldap in which you could say, for example:
[snip]
> It's my FreeBSD file, but I have never tried running user ldap
> authorizing on OpenBSD, can't say more.

This is not applicable to OpenBSD.

(and I'd like to hear of any strategies for dealing with this too, there are various new and exciting ways of locking yourself out of your machines by misconfiguring ypldap!)
5.1 arrives in Arizona
Thanks again to all the developers for providing such a secure and stable operating system. Gary
Re: Where's my bandwidth going?
On 2012-04-25, Alan Corey wrote:
> I'm on a modem, so there's only about 3 K/sec anyway, but is there
> anything that'll show me at least pids of what's using bandwidth?

You can watch each packet with "match log(all,user)" in pf.conf and running "tcpdump -eni pflog0 -v". The *second* pid reported shows the associated program. (The *first* pid is that of the pfctl instance which added the rule.)

Or it may be easier to use some other program to grab the bandwidth figures (darkstat, perhaps?) and then look in pflog to identify the pid, in which case the per-packet information is probably not useful, so maybe just do "match log(user)", which will just show one entry for each state that was set up.
Re: authorized_keys and security(8)
On 2012-04-24, Tyler wrote:
> Hi,
>
> Is there a way to create logins that are only accessed via
> authorized_keys so that security(8) doesn't complain about them every day?
>
> The general goal is to disable remote root login via SSH and allow an
> unprivileged "admin" user access via key files and pass phrases (and
> then sudo or su).
>
> My problem is security(8) complains about this every day:
>
> "Login admin is off but still has a valid shell and alternate access
> files in home directory are still readable."

vipw and set the crypted password to 13 *'s. Pretty sure the old /etc/security script did the same thing in this respect.
Why does the ports system delete distfiles?
I've seen this before, I wonder if there's some environment variable I can set to stop it? I try make fetch on a port, it fails due to a bad site. I hit Ctrl-C to stop it, it goes to the next site and downloads the file. Then it deletes the file when it finishes. I type make install and it tries the bad site again... Alan
Re: Why does the ports system delete distfiles?
Alan Corey wrote:
> I've seen this before, I wonder if there's some environment variable I
> can set to stop it?
>
> I try make fetch on a port, it fails due to a bad site. I hit Ctrl-C to
> stop it, it goes to the next site and downloads the file. Then it deletes
> the file when it finishes. I type make install and it tries the bad site
> again...
>
> Alan

I'd guess one or more subprocesses ignore SIGINT while others (=make?) don't, and thus the fetching proceeds, but when it's done, make exits, after the appropriate cleanup. Don't know if it's trivially fixed.

/Alexander
Re: Why does the ports system delete distfiles?
On Apr 25 23:34:24, Alan Corey wrote:
> I've seen this before, I wonder if there's some environment variable
> I can set to stop it?
>
> I try make fetch on a port, it fails due to a bad site. I hit
> Ctrl-C to stop it, it goes to the next site and downloads the file.
> Then it deletes the file when it finishes.

I can confirm this happens; for example, audio/sox:

    # make fetch
    ===> Checking files for sox-14.4.0p1
    >> Fetch http://downloads.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C http fetch aborted.
    >> Fetch http://easynews.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://puzzle.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://optusnet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ftp: Error retrieving file: 404 Not Found
    >> Fetch http://heanet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://jaist.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C http fetch aborted.
    >> Fetch http://nchc.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://switch.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://kent.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://internap.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ftp: no address associated with name: internap.dl.sourceforge.net
    >> Fetch http://mesh.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://ovh.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://surfnet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://ufpr.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
    ^C>> Fetch http://ftp.openbsd.org/pub/OpenBSD/distfiles//sox-14.4.0.tar.gz
    sox-14.4.0.tar.gz 100% || 1079 KB 00:03
    *** /usr/ports/distfiles/sox-14.4.0.tar.gz removed
Re: Why does the ports system delete distfiles?
On Wed, Apr 25, 2012 at 10:48 PM, Jan Stary wrote:
> On Apr 25 23:34:24, Alan Corey wrote:
>> I've seen this before, I wonder if there's some environment variable
>> I can set to stop it?
>>
>> I try make fetch on a port, it fails due to a bad site. I hit
>> Ctrl-C to stop it, it goes to the next site and downloads the file.
>> Then it deletes the file when it finishes.
>
> I can confirm this happens; for example, audio/sox:

As pointed out by Alexander Hall, it is make doing this, because the process is aborted before the target is built:

    $ cat > touch_tmp_testdottxt.sh
    #!/bin/sh
    set -x
    touch /tmp/test.txt
    # sleep 5 second allow for ^C
    echo sleeping for 5 second. go ahead and control-C out of make
    sleep 5
    echo done!

    $ cat > Makefile
    test.txt:
    	/bin/sh touch_tmp_testdottxt.sh

    $ make -n
    /bin/sh touch_tmp_testdottxt.sh

    $ make
    /bin/sh touch_tmp_testdottxt.sh
    + touch /tmp/test.txt
    + echo sleeping for 5 second. go ahead and control-C out of make
    sleeping for 5 second. go ahead and control-C out of make
    + sleep 5
    ^C*** test.txt removed

HTH,
--patrick

> # make fetch
> ===> Checking files for sox-14.4.0p1
> >> Fetch http://downloads.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C http fetch aborted.
> >> Fetch http://easynews.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://puzzle.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://optusnet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ftp: Error retrieving file: 404 Not Found
> >> Fetch http://heanet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://jaist.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C http fetch aborted.
> >> Fetch http://nchc.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://switch.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://kent.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://internap.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ftp: no address associated with name: internap.dl.sourceforge.net
> >> Fetch http://mesh.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://ovh.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://surfnet.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://ufpr.dl.sourceforge.net/sourceforge/sox/sox-14.4.0.tar.gz
> ^C>> Fetch http://ftp.openbsd.org/pub/OpenBSD/distfiles//sox-14.4.0.tar.gz
> sox-14.4.0.tar.gz 100% || 1079 KB 00:03
> *** /usr/ports/distfiles/sox-14.4.0.tar.gz removed
Re: Why does the ports system delete distfiles?
On Wed, Apr 25, 2012 at 11:34:24PM -0400, Alan Corey wrote:
> I've seen this before, I wonder if there's some environment variable
> I can set to stop it?

Nope.

> I try make fetch on a port, it fails due to a bad site. I hit
> Ctrl-C to stop it, it goes to the next site and downloads the file.
> Then it deletes the file when it finishes. I type make install and
> it tries the bad site again...

That's the way make works. Don't hit ^C. Changing this is impossible, since make sees the ^C, being the controlling process and all.

Oh, and if the site is really bad, report the site. If it's not, fix your network config. I hardly notice anymore since dpb fetches things for me.