Re: just a friendly request

2016-01-23 Thread Gleydson Soares
Hi,

> I am looking for tutorials on developing any and every aspect of OpenBSD,
> from bootloaders to device drivers to writing a raspberry pi image of
> OpenBSD.
>
> The more tutorials the better, because it allows the end user to not only
> provide useful feedback to the developers, it allows the user to customize
> their install in a safe and easy manner.
>
> You could post tutorials for writing custom audio and graphics frameworks
> too as I am looking to write a few frameworks myself.
>
> so literally tutorials on any and every aspect of developing openBSD,
> including how to get software to run under openbsd would be great tutorials
> for the entire world of computers.

Do you learn how to ride a bike by reading a tutorial? :)

If you already know C, this is good enough to start reading OpenBSD src/
You will notice a high quality of code and documentation (manpages).



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread Ted Unangst
biggran...@tds.net wrote:
> Back in late 2013 or early 2014 a Vax 4000/96 died. I brought up using 
> emulators to build with, but Theo didn't feel it was a good idea (and I 
> agree with his reasons). Here is his quote "We do not wish to use a vax 
> emulator. That will use even more power than the vaxes, and actually we 
> are still looking for someone to pay the power bill around here."

I will add that one of the reasons we have support for all these museum pieces
is that people can build their very own museum and run something interesting
on it. But running on emulators doesn't really satisfy that goal. If there are,
in fact, no museum pieces left in the world, we no longer need to supply an OS
to run on them. 



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread BiggRanger
>> There hasn't been anything official. Vax is one of several
>> architectures that Theo has had to stop building base snapshots for
>> because the system is too unreliable / the hardware itself is unreliable
>> / the hardware is dead. The last snapshot is dated Oct 31. I assume
>> that sebastia@'s cessation of package builds has related reasons.



Back in late 2013 or early 2014 a Vax 4000/96 died. I brought up using 
emulators to build with, but Theo didn't feel it was a good idea (and I 
agree with his reasons). Here is his quote "We do not wish to use a vax 
emulator. That will use even more power than the vaxes, and actually we 
are still looking for someone to pay the power bill around here."


I've been running a MicroVax 3100/40, and doing builds with it is 
painfully slow.


Darren Clark



Re: just a friendly request

2016-01-23 Thread Chris Bennett
On Sat, Jan 23, 2016 at 11:14:22PM +0100, Ingo Schwarze wrote:
> Hi,
> 
> ty armour wrote on Sat, Jan 23, 2016 at 04:29:07PM -0500:
> 
> > I am looking for tutorials on developing any and every aspect of
> > OpenBSD, from bootloaders to device drivers to writing a
> > raspberry pi image of OpenBSD.
> > 
> > The more tutorials the better,
> 
> OpenBSD developers tend to think the opposite.  We highly value
> reference documentation, in particular manual pages.  If you need
> more details than the manual pages offer, read the source code.  In
> general, we discourage writing tutorials because they are often
> written by people who barely know what they are talking about,
> because they encourage the wrong style of learning (gobbling together
> random bits and pieces without real understanding), and because
> they are almost impossible to maintain.  Besides, developers prefer
> to spend their time on code rather than on tutorials.
> 
> So please don't write tutorials, write reference manuals.
> 
> > because it allows the end user to not only provide useful feedback
> > to the developers, it allows the user to customize their install
> > in a safe and easy manner.
> 
> OpenBSD developers tend to think the opposite.  We generally
> discourage gratuitous customization, highly value sane defaults
> and encourage using them as much as possible.  It helps security,
> it helps to work on someone else's system when you need to, and
> it tremendously helps support.  Customization breeds bugs and
> hurts interoperability.
> 
> > You could post tutorials for writing custom audio and graphics
> > frameworks too as I am looking to write a few frameworks myself.
> 
> OpenBSD developers tend to avoid writing frameworks as much as
> possible - of course, some frameworks must exist, but as few as
> possible.  Usually, the less abstraction, the better.  It makes
> code easier to understand, audit, and debug.
> 
> [...]
> > including how to get software to run under openbsd
> 
> That does exist and is maintained:
> 
> http://www.openbsd.org/faq/ports/
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/bsd.port.mk.5
> 
> Yours,
>   Ingo
> 

OpenBSD is NOT like all those other operating systems out there.
Not liking Windows, I tried a few Linux distributions. I wasn't
thrilled. Then I stumbled on a web page that described OpenBSD. I
thought, this is exactly the kind of OS I want to use and learn.

So, with basically no Unix/BSD experience, I needed a webserver in the
late 90's. I found a company that offered servers and could install
OpenBSD for me during setup.

So from there out, I got my OpenBSD training running a webserver and
upgrading to new versions, building ports, etc.
Manual pages are terse, but usually contain all of the pertinent facts
needed. Nobody trained me and I used the FAQ and after trying to figure
things out, I asked questions on the misc@ or ports@ mailing lists.
You can search for other people's similar questions at http://marc.info.
Do that first before posting to the mailing lists.

Frankly, if you can't figure it out mostly on your own, consider
something besides OpenBSD. I have given up on trying to get anyone to
use OpenBSD. Waste of my time.

Briefly, I wanted to try and translate some of the more important daily
use man pages into Spanish (stuff like in /bin /sbin /usr/bin
/usr/sbin).
I gave up on that stupid idea. Thanks Ingo for setting me straight on
that one!

I write perl and sh programs, but the command line has enormous powers
to do incredible tasks.

IMHO, read and understand the man page on ksh. Read the mandoc man page.
It can convert man pages into many different formats (HTML, PDF, etc).
Get a book on Korn shell programming and the "Llama Book" called
Learning Perl. Learn that much and also read carefully ALL of the man
pages for everything in /bin /sbin /usr/bin /usr/sbin.

After that, see if you, not us, want to write any tutorials.
Bet you won't want to!

And a lot of changes keep happening. Hurray! So I am going to follow my
own advice and reread all of those man pages again myself.

Have fun!
Chris Bennett



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread Bryan Everly
I'm ready willing and able!

I'm currently trying to port the Linux display driver for the hppa
frame buffer on my C3700 so we can maybe get X on that platform
natively.

I have a PPC Mac Mini and a SunBlade 100 so I will most definitely help.

Thanks,
Bryan

> On Jan 23, 2016, at 6:43 PM, Christian Weisgerber  wrote:
>
>> On 2016-01-23, Bryan Everly  wrote:
>>
>> I hope to add some of my time on these less popular architectures to
>> try and fix that.
>
> It's the comparatively popular platforms like powerpc and sparc64
> that are in dire need of help if OpenBSD is not to turn into an
> amd64-only platform.
>
> I obviously can't tell people how to waste their time, but while
> investing in moribund museum architectures may offer personal
> satisfaction to some, it does not help in the bigger picture.
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread Christian Weisgerber
On 2016-01-23, Bryan Everly  wrote:

> I hope to add some of my time on these less popular architectures to
> try and fix that.

It's the comparatively popular platforms like powerpc and sparc64
that are in dire need of help if OpenBSD is not to turn into an
amd64-only platform.

I obviously can't tell people how to waste their time, but while
investing in moribund museum architectures may offer personal
satisfaction to some, it does not help in the bigger picture.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: just a friendly request

2016-01-23 Thread Benjamin Heath
On Jan 23, 2016 1:40 PM, "ty armour"  wrote:
>
> I am looking for tutorials on developing any and every aspect of OpenBSD,
> from bootloaders to device drivers to writing a raspberry pi image of
> OpenBSD.
>
> The more tutorials the better, because it allows the end user to not only
> provide useful feedback to the developers, it allows the user to customize
> their install in a safe and easy manner.
>
> You could post tutorials for writing custom audio and graphics frameworks
> too as I am looking to write a few frameworks myself.
>
> so literally tutorials on any and every aspect of developing openBSD,
> including how to get software to run under openbsd would be great tutorials
> for the entire world of computers.
>
> Thanks
> -Ty
>

You're free to search this list for all the reasons why there isn't a
release on Raspberry Pi.

Might I ask, what brought this up exactly?



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread Christian Weisgerber
On 2016-01-23, "Bryan C. Everly"  wrote:

> I just noticed that the VAX packages directory was missing on
> openbsd.cs.toronto.edu and the other mirrors I checked.  I searched the
> MARC.info archives and didn't see anything announcing that the VAX was
> going away but perhaps I missed something?

There hasn't been anything official.

Vax is one of several architectures that Theo has had to stop
building base snapshots for because the system is too unreliable /
the hardware itself is unreliable / the hardware is dead.  The last
snapshot is dated Oct 31.  I assume that sebastia@'s cessation of
package builds has related reasons.

Going by previous experience, it's conceivable that somebody else
will step in to build the release and possibly a few packages.

Vax has been on life support with ever more perfunctory package
builds for years.  Again, from previous experience, it may take
several release cycles of hemming and hawing before people face the
facts and officially let it die.

Armish, socppc, and sparc are also on their death beds.  I'm not
divulging deep secrets here; you can just check the dates on ftp
and see that no recent snapshots have been built.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: em(4) bad checksums

2016-01-23 Thread Pedro Caetano
Hi Christian,

Thank you for clarifying that point.

BR,
Pedro Caetano

On Sat, Jan 23, 2016 at 8:56 PM, Christian Weisgerber 
wrote:

> On 2016-01-23, Pedro Caetano  wrote:
>
> > The checksum errors are visible in tcpdump.
> >
> > pcaetano@soekris $ > doas tcpdump -nnvvr badchecksum.cap
> > 23:18:56.258991 89.115.7.49.38924 > 129.128.5.194.80: S [bad tcp cksum
> > e818! -> d08e] 2129156372:2129156372(0) win 16384  > 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 293911467 0> (DF) (ttl
> > 64, id 62808, len 64)
>
> These aren't real errors.  You'll note that they concern outgoing
> packets.  em(4) supports hardware checksum offloading.  The checksum
> is filled in only _after_ tcpdump has seen the packet.
>
> (I can't comment on your overall problem.)
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread Bryan Everly
Raf,

I hope to add some of my time on these less popular architectures to
try and fix that.

:)

Thanks,
Bryan

> On Jan 23, 2016, at 5:34 PM, Raf Czlonka  wrote:
>
>> On Sat, Jan 23, 2016 at 09:33:21PM GMT, Bryan C. Everly wrote:
>>
>> I run 5.9-current on my other machines so when I didn't see packages
>> in /pub/OpenBSD/snapshots/packages I jumped to that conclusion given
>> that the other architectures were under that directory and VAX was
>> absent.
>
> As you can see from the primary site[0], there's only a handful of
> architectures for which package snapshots are available, i.e. arm is not
> amongst them either.
>
>> Glad to hear that isn't the case.
>
> I never claimed to be an authoritative source and that it isn't indeed
> the case. I haven't noticed anything bar one comment on cvs@[1] which
> would point to that conclusion - and indeed, aviion is gone[2]...
>
>> Any idea why they aren't building packages in 5.9-current snapshots
>> for that architecture?
>
> As with anything - time, resources, etc.
>
> Raf
>
> [0] http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/
> [1] https://marc.info/?l=openbsd-cvs&m=144887159202054
> [2] https://marc.info/?l=openbsd-cvs&m=144895627013585



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread Raf Czlonka
On Sat, Jan 23, 2016 at 09:33:21PM GMT, Bryan C. Everly wrote:

> I run 5.9-current on my other machines so when I didn't see packages
> in /pub/OpenBSD/snapshots/packages I jumped to that conclusion given
> that the other architectures were under that directory and VAX was
> absent.

As you can see from the primary site[0], there's only a handful of
architectures for which package snapshots are available, i.e. arm is not
amongst them either.

> Glad to hear that isn't the case.

I never claimed to be an authoritative source and that it isn't indeed
the case. I haven't noticed anything bar one comment on cvs@[1] which
would point to that conclusion - and indeed, aviion is gone[2]...

> Any idea why they aren't building packages in 5.9-current snapshots
> for that architecture?

As with anything - time, resources, etc.

Raf

[0] http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/
[1] https://marc.info/?l=openbsd-cvs&m=144887159202054
[2] https://marc.info/?l=openbsd-cvs&m=144895627013585



Re: just a friendly request

2016-01-23 Thread Ingo Schwarze
Hi,

ty armour wrote on Sat, Jan 23, 2016 at 04:29:07PM -0500:

> I am looking for tutorials on developing any and every aspect of
> OpenBSD, from bootloaders to device drivers to writing a
> raspberry pi image of OpenBSD.
> 
> The more tutorials the better,

OpenBSD developers tend to think the opposite.  We highly value
reference documentation, in particular manual pages.  If you need
more details than the manual pages offer, read the source code.  In
general, we discourage writing tutorials because they are often
written by people who barely know what they are talking about,
because they encourage the wrong style of learning (gobbling together
random bits and pieces without real understanding), and because
they are almost impossible to maintain.  Besides, developers prefer
to spend their time on code rather than on tutorials.

So please don't write tutorials, write reference manuals.

> because it allows the end user to not only provide useful feedback
> to the developers, it allows the user to customize their install
> in a safe and easy manner.

OpenBSD developers tend to think the opposite.  We generally
discourage gratuitous customization, highly value sane defaults
and encourage using them as much as possible.  It helps security,
it helps to work on someone else's system when you need to, and
it tremendously helps support.  Customization breeds bugs and
hurts interoperability.

> You could post tutorials for writing custom audio and graphics
> frameworks too as I am looking to write a few frameworks myself.

OpenBSD developers tend to avoid writing frameworks as much as
possible - of course, some frameworks must exist, but as few as
possible.  Usually, the less abstraction, the better.  It makes
code easier to understand, audit, and debug.

[...]
> including how to get software to run under openbsd

That does exist and is maintained:

http://www.openbsd.org/faq/ports/
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/bsd.port.mk.5

Yours,
  Ingo



Re: dmesg: Asus 1015PX netbook (2011/2012)

2016-01-23 Thread Neil Hughes

On 22/01/2016 20:15, Mike Larkin wrote:
> On Fri, Jan 22, 2016 at 10:11:23AM +, Neil Hughes wrote:
>> Notes
>> =
>> Came with Windows 7 Starter but when the hard drive died recently I replaced it
>> with an SSD and tried OpenBSD 5.8.
>>
>> Sleep + resume : works
>> Suspend + resume : works
>> Hibernate + resume : failed twice, now works so far
>
> Failed how?

The first time I saw the "Unhibernating @ block..." message as it went 
through the standard boot procedure...and then something bad happened. 
Unfortunately I didn't write down what it was. Sorry.


The second time it simply did a full reboot as if nothing had been saved.

--
Neil Hughes



just a friendly request

2016-01-23 Thread ty armour
I am looking for tutorials on developing any and every aspect of OpenBSD,
from bootloaders to device drivers to writing a raspberry pi image of
OpenBSD.

The more tutorials the better, because it allows the end user to not only
provide useful feedback to the developers, it allows the user to customize
their install in a safe and easy manner.

You could post tutorials for writing custom audio and graphics frameworks
too as I am looking to write a few frameworks myself.

so literally tutorials on any and every aspect of developing openBSD,
including how to get software to run under openbsd would be great tutorials
for the entire world of computers.

Thanks
-Ty



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread Bryan C. Everly
I run 5.9-current on my other machines so when I didn't see packages in
/pub/OpenBSD/snapshots/packages I jumped to that conclusion given that the
other architectures were under that directory and VAX was absent.

Glad to hear that isn't the case.  Any idea why they aren't building
packages in 5.9-current snapshots for that architecture?


Thanks,
Bryan

On Sat, Jan 23, 2016 at 3:50 PM, Raf Czlonka  wrote:

> On Sat, Jan 23, 2016 at 08:00:09PM GMT, Bryan C. Everly wrote:
>
> > Hi everyone,
>
> Hi Bryan,
>
> > I just noticed that the VAX packages directory was missing on
> > openbsd.cs.toronto.edu and the other mirrors I checked.
>
> http://openbsd.cs.toronto.edu/pub/OpenBSD/5.8/packages/vax/
>
> Not from where I'm sitting. And 5.9 hasn't been released yet so packages
> for it haven't been built.
>
> > I searched the MARC.info archives and didn't see anything announcing
> > that the VAX was going away but perhaps I missed something?
> >
> > I also checked the http://build-failures.rhaalovely.net/ site to see
> > if perhaps there was a failure in the build that I could take a look
> > at but the VAX directory was missing there as well.
> >
> > Sorry if I've missed a post but if someone could fill me in, I'd
> > appreciate it.
> >
> > Thanks,
> > Bryan
> >
>
> What gave you that idea?
>
> Raf



Re: em(4) bad checksums

2016-01-23 Thread Christian Weisgerber
On 2016-01-23, Pedro Caetano  wrote:

> The checksum errors are visible in tcpdump.
>
> pcaetano@soekris $ > doas tcpdump -nnvvr badchecksum.cap
> 23:18:56.258991 89.115.7.49.38924 > 129.128.5.194.80: S [bad tcp cksum
> e818! -> d08e] 2129156372:2129156372(0) win 16384  1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 293911467 0> (DF) (ttl
> 64, id 62808, len 64)

These aren't real errors.  You'll note that they concern outgoing
packets.  em(4) supports hardware checksum offloading.  The checksum
is filled in only _after_ tcpdump has seen the packet.

(I can't comment on your overall problem.)
-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
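
The point made in the reply above (a "bad cksum" report on a packet the capturing host itself sent is what transmit checksum offload looks like) can be applied mechanically to a capture. This is an added Python example, not part of the original post; it assumes the capture was taken on the sending host, that `LOCAL_ADDRS` (a hypothetical name) lists that host's IPv4 addresses, and the sample lines are constructed in the format quoted in the thread.

```python
import re

# Shape of a tcpdump -v line with a checksum complaint, as quoted in the thread:
#   TIME SRC.sport > DST.dport: FLAGS [bad tcp cksum e818! -> d08e] ...
# Only IPv4 lines of this shape are handled.
BAD_CKSUM = re.compile(
    r"^(?P<time>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
    r".*?\[bad (?P<proto>\w+) cksum (?P<seen>[0-9a-f]+)!"
    r"(?: -> (?P<expected>[0-9a-f]+))?\]"
)


def triage(lines, local_addrs):
    """Classify every bad-checksum line of a tcpdump text dump.

    "offload-artifact": the source is one of this host's addresses, so the
        packet was captured before the NIC filled in the checksum.
    "investigate": the source is not local, so transmit offload on this
        host does not explain the report.
    """
    results = []
    for line in lines:
        m = BAD_CKSUM.match(line)
        if m is None:
            continue  # no checksum complaint on this line
        outgoing = m["src"] in local_addrs
        results.append({
            "time": m["time"],
            "flow": f'{m["src"]}.{m["sport"]} > {m["dst"]}.{m["dport"]}',
            "seen": m["seen"],
            "expected": m["expected"],
            "verdict": "offload-artifact" if outgoing else "investigate",
        })
    return results


# Constructed sample lines using documentation addresses, not a real capture.
SAMPLE = [
    "23:18:56.258991 192.0.2.10.38924 > 198.51.100.80.80: S "
    "[bad tcp cksum e818! -> d08e] 2129156372:2129156372(0) win 16384 "
    "(DF) (ttl 64, id 62808, len 64)",
    "23:18:56.301200 198.51.100.80.80 > 192.0.2.10.38924: S "
    "[tcp sum ok] 1:1(0) ack 2129156373 win 16384 (DF) (ttl 52, id 0, len 64)",
    "23:19:02.000100 198.51.100.80.80 > 192.0.2.10.38924: . "
    "[bad tcp cksum 1a2b! -> 3c4d] ack 1 win 2048 (ttl 52, id 7, len 52)",
]

# Assumption: the IPv4 addresses configured on the capturing host.
LOCAL_ADDRS = {"192.0.2.10"}

if __name__ == "__main__":
    for r in triage(SAMPLE, LOCAL_ADDRS):
        print(r["verdict"], r["time"], r["flow"], r["seen"], "->", r["expected"])
```

An "investigate" verdict is best confirmed with a capture taken on the receiving side, which sees the checksum as it went over the wire.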



Re: VAX - are we dropping support in 5.9?

2016-01-23 Thread Raf Czlonka
On Sat, Jan 23, 2016 at 08:00:09PM GMT, Bryan C. Everly wrote:

> Hi everyone,

Hi Bryan,

> I just noticed that the VAX packages directory was missing on
> openbsd.cs.toronto.edu and the other mirrors I checked.

http://openbsd.cs.toronto.edu/pub/OpenBSD/5.8/packages/vax/

Not from where I'm sitting. And 5.9 hasn't been released yet so packages
for it haven't been built.

> I searched the MARC.info archives and didn't see anything announcing
> that the VAX was going away but perhaps I missed something?
>
> I also checked the http://build-failures.rhaalovely.net/ site to see
> if perhaps there was a failure in the build that I could take a look
> at but the VAX directory was missing there as well.
>
> Sorry if I've missed a post but if someone could fill me in, I'd
> appreciate it.
> 
> Thanks,
> Bryan
> 

What gave you that idea?

Raf



VAX - are we dropping support in 5.9?

2016-01-23 Thread Bryan C. Everly
Hi everyone,

I just noticed that the VAX packages directory was missing on
openbsd.cs.toronto.edu and the other mirrors I checked.  I searched the
MARC.info archives and didn't see anything announcing that the VAX was
going away but perhaps I missed something?

I also checked the http://build-failures.rhaalovely.net/ site to see if
perhaps there was a failure in the build that I could take a look at but
the VAX directory was missing there as well.

Sorry if I've missed a post but if someone could fill me in, I'd appreciate
it.

Thanks,
Bryan



Re: security(8) mailbox check question

2016-01-23 Thread Ingo Schwarze
Hi Adam,

Adam Wolk wrote on Sat, Jan 23, 2016 at 07:54:44PM +0100:

> After some IRC talk with ebarret we came to the following conclusions:
>  - the script assumes the mailbox is a file (in my case it's a maildir)
>  - the comment should say 'unreadable by others'
> 
> I think check_mailboxes should be altered when the target entry
> in /var/mail is a directory. Instead of expecting u+rw it should expect
> u+rwx in that specific case.
> 
> If no one raises issues with this I'll send a patch to tech@ modifying
> security(8) to behave like that.

I already had that patch written before seeing this mail and will send
it to tech@ shortly.

Yours,
  Ingo


> On Sat, 23 Jan 2016 19:29:36 +0100
> Adam Wolk  wrote:
> 
> > Hi misc@
> > 
> > I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8)
> > keeps complaining on the way I setup my maildir on the host.
> > 
> > TL;DR: why u+x on users maildir is considered a bad practice?
> > 
> > Running security(8):
> > 
> > Checking mailbox ownership.
> > user mulander mailbox is drwx--, group mulander
> > user nemessica mailbox is drwx--, group nemessica
> > 
> > Wanting to understand what I'm doing wrong I took a look at the code
> > (as man security(8) only states that it checks maildir permissions, no
> > details).
> > 
> > Code performing the check is located in /usr/libexec/security
> > 
> > # Mailboxes should be owned by the user and unreadable.
> > sub check_mailboxes {
> > 
> > I'm not exactly sure of the intent for the comment but the culprit in
> > my case is the +x bit for the owner of the folder.
> > 
> > Simply removing that leads to issues in my setup as dovecot sieve
> > scripts can't traverse the directory and file mail accordingly.
> > 
> > Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: stat(/var/mail/mulander/tmp) failed: Permission denied (euid=1000(mulander) egid=1000(mulander) missing +x perm: /var/mail/mulander, dir owner missing perms)
> > Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: sieve: msgid=<1453571593.2760914.500533218.6AFC4E87@webmail.messagingengine.com>: failed to store into mailbox 'INBOX': Internal error occurred. Refer to server log for more information. [2016-01-23 18:53:24]
> > Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: sieve: Execution of script /home/mulander/.dovecot.sieve was aborted due to temporary failure (user logfile /home/mulander/.dovecot.sieve.log may reveal additional details)
> > 
> > 
> > Now obviously I treat security(8) warnings seriously but I would like
> > to know why a +x flag is considered a bad practice here?



Re: security(8) mailbox check question

2016-01-23 Thread Adam Wolk
On Sat, 23 Jan 2016 19:29:36 +0100
Adam Wolk  wrote:

> Hi misc@
> 
> I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8)
> keeps complaining on the way I setup my maildir on the host.
> 
> TL;DR: why u+x on users maildir is considered a bad practice?
> 
> Running security(8):
> 
> Checking mailbox ownership.
> user mulander mailbox is drwx--, group mulander
> user nemessica mailbox is drwx--, group nemessica
> 
> Wanting to understand what I'm doing wrong I took a look at the code
> (as man security(8) only states that it checks maildir permissions, no
> details).
> 
> Code performing the check is located in /usr/libexec/security
> 
> # Mailboxes should be owned by the user and unreadable.
> sub check_mailboxes {
> 
> I'm not exactly sure of the intent for the comment but the culprit in
> my case is the +x bit for the owner of the folder.
> 
> Simply removing that leads to issues in my setup as dovecot sieve
> scripts can't traverse the directory and file mail accordingly.
> 
> Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: stat(/var/mail/mulander/tmp) failed: Permission denied (euid=1000(mulander) egid=1000(mulander) missing +x perm: /var/mail/mulander, dir owner missing perms)
> Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: sieve: msgid=<1453571593.2760914.500533218.6AFC4E87@webmail.messagingengine.com>: failed to store into mailbox 'INBOX': Internal error occurred. Refer to server log for more information. [2016-01-23 18:53:24]
> Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: sieve: Execution of script /home/mulander/.dovecot.sieve was aborted due to temporary failure (user logfile /home/mulander/.dovecot.sieve.log may reveal additional details)
> 
> 
> Now obviously I treat security(8) warnings seriously but I would like
> to know why a +x flag is considered a bad practice here?
> 
> Regards,
> Adam
> 
> ---
> 
> [1]
> http://blog.tintagel.pl/2015/05/08/accept-from-any-for-any-relay-via.html
> 

After some IRC talk with ebarret we came to the following conclusions:
 - the script assumes the mailbox is a file (in my case it's a maildir)
 - the comment should say 'unreadable by others'

I think check_mailboxes should be altered when the target entry
in /var/mail is a directory. Instead of expecting u+rw it should expect
u+rwx in that specific case.

If no one raises issues with this I'll send a patch to tech@ modifying
security(8) to behave like that.

Regards,
Adam
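
The rule proposed in the message above (owner read/write for an mbox file, owner read/write/execute for a maildir directory, nothing for group or other) as an added Python example. It is not the Perl code in /usr/libexec/security and not the patch mentioned in the thread; the function names, the message wording modelled on the output quoted in the thread, and the behaviour for symlinks are assumptions.

```python
import grp
import os
import pwd
import stat


def expected_mode(st_mode):
    """Permission bits a spool entry should have, by file type."""
    if stat.S_ISDIR(st_mode):
        # maildir: the owner needs x to traverse into tmp/, new/ and cur/
        return stat.S_IRWXU                      # 0700
    # mbox file: readable and writable by the owner, never executable
    return stat.S_IRUSR | stat.S_IWUSR           # 0600


def check_mailbox(name, st_mode, owner, group):
    """Return the findings for one entry; an empty list means it is fine.

    name is the entry name under the spool (the user it belongs to),
    owner and group are the resolved names of the entry's uid and gid.
    """
    findings = []
    if owner != name:
        findings.append(f"user {name} mailbox is owned by {owner}")
    # S_IMODE keeps setuid/setgid/sticky too, so those are flagged as well.
    if stat.S_IMODE(st_mode) != expected_mode(st_mode):
        findings.append(
            f"user {name} mailbox is {stat.filemode(st_mode)}, group {group}"
        )
    return findings


def _lookup(getter, ident):
    """Resolve a uid or gid to a name, falling back to the number."""
    try:
        return getter(ident)[0]
    except KeyError:
        return str(ident)


def scan_spool(spool="/var/mail"):
    """Check every entry of the spool directory without following symlinks.

    A symlink is examined as itself (mode lrwxrwxrwx) and is therefore
    always reported; that choice is an assumption of this example.
    """
    findings = []
    with os.scandir(spool) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        st = entry.stat(follow_symlinks=False)
        findings += check_mailbox(
            entry.name,
            st.st_mode,
            _lookup(pwd.getpwuid, st.st_uid),
            _lookup(grp.getgrgid, st.st_gid),
        )
    return findings


if __name__ == "__main__":
    for finding in scan_spool():
        print(finding)
```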



Re: security(8) mailbox check question

2016-01-23 Thread trondd
On Sat, January 23, 2016 1:29 pm, Adam Wolk wrote:
> Hi misc@
>
> I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8) keeps
> complaining on the way I setup my maildir on the host.
>
> TL;DR: why u+x on users maildir is considered a bad practice?
>
> Running security(8):
>
> Checking mailbox ownership.
> user mulander mailbox is drwx--, group mulander
> user nemessica mailbox is drwx--, group nemessica
>

My guess is that since the system uses mbox format mail storage, it's
expecting /var/mail/* to be *files* not folders in which case you wouldn't
want them to be executable.  If you want to put dovecot mail in var, use a
directory other than the system location.

Tim.



security(8) mailbox check question

2016-01-23 Thread Adam Wolk
Hi misc@

I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8) keeps
complaining on the way I setup my maildir on the host.

TL;DR: why u+x on users maildir is considered a bad practice?

Running security(8):

Checking mailbox ownership.
user mulander mailbox is drwx--, group mulander
user nemessica mailbox is drwx--, group nemessica

Wanting to understand what I'm doing wrong I took a look at the code
(as man security(8) only states that it checks maildir permissions, no
details).

Code performing the check is located in /usr/libexec/security

# Mailboxes should be owned by the user and unreadable.
sub check_mailboxes {

I'm not exactly sure of the intent for the comment but the culprit in
my case is the +x bit for the owner of the folder.

Simply removing that leads to issues in my setup as dovecot sieve
scripts can't traverse the directory and file mail accordingly.

Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: stat(/var/mail/mulander/tmp) failed: Permission denied (euid=1000(mulander) egid=1000(mulander) missing +x perm: /var/mail/mulander, dir owner missing perms)
Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: sieve: msgid=<1453571593.2760914.500533218.6AFC4E87@webmail.messagingengine.com>: failed to store into mailbox 'INBOX': Internal error occurred. Refer to server log for more information. [2016-01-23 18:53:24]
Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: sieve: Execution of script /home/mulander/.dovecot.sieve was aborted due to temporary failure (user logfile /home/mulander/.dovecot.sieve.log may reveal additional details)


Now obviously I treat security(8) warnings seriously but I would like
to know why a +x flag is considered a bad practice here?

Regards,
Adam

---

[1]
http://blog.tintagel.pl/2015/05/08/accept-from-any-for-any-relay-via.html



Re: Mismatch between config and documentation for dhcpd?

2016-01-23 Thread Etienne

On 2016-01-22 12:40, Stuart Henderson wrote:
>> I'm running 5.8/i386 on this machine.
>
> You are trying to use syntax for OpenBSD's dhcpd with ISC dhcpd from
> packages.

That was it! Thank you so much, I was really confused.

It's a bit disappointing to see that ISC dhcp-options' manpage doesn't 
offer 'classless-static-routes' option while mentioning that 
'static-routes' is not used by the majority of DHCP clients anymore. I'm 
using ISC dhcpd for the failover option, on two Soekris boxes that do 
DNS, DHCP, packet filtering and a few more things on the edge of my 
local network. Any chance to see this failover option available in 
OpenBSD's dhcpd one day?


Cheers,

--
Étienne