Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread meg...@r53sound.com

>> Have you tried increasing datasize-cur and -max under "default:\"
>> in /etc/login.conf ? I have mine set to 2048M
>
>I have 512 MB there. My computer has 1024MB Ram.
 
It will be slow, but you can increase datasize
beyond physical RAM.
 
How much swap space do you have?
You can use swapctl to check,
blocks / 2 * 1024 = swap in MB
 
>For what does firefox need so much memory?!
 
I have no idea why browsers need so much RAM, now.
I remember Mozilla working fine on a SPARCstation
with 128 MB RAM. Probably all the ad scripts.
 
I've only used Firefox on OpenBSD, recently, so
I don't know about the other browsers.
 
-Meghan
 

Re: wxallowed flag

2018-01-26 Thread Theo de Raadt
I think you have interpreted the situation backwards.

The wxallowed flag is not on other filesystems.  Therefore, binaries
on those filesystems which misbehave will fail.

There are about 15 programs which need fixing, and the wxallowed could
become a piece of history.

Unfortunately some of those 15 are very large ecosystems, and their
upstreams are not yet concerned about this problem.

>Is this a really good idea to keep wxallowed flag on /usr/local by
>default? Is this so scary that many poop software will break (this is
>not a big loss at all)? After all not enabling this flag by default is
>the right thing to do, reliance on W|X should go to /dev/null
>
>The only problem I see after removing this flag and removing python
>is that it also removes packages which, for example, have
>devel/desktop-file-utils in run dependencies, but they work without it.
>
>



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread lists
Fri, 26 Jan 2018 00:26:11 + (GMT) Roderick 
> I get continuously this and other errors. In OpenBSD, in FreeBSD.
> 
> I think it is time to change browser, but I distrust chrome as coming
> from data collector google. 
> 
> The problem is that those that make WEB pages decide more or less what 
> browser I must use.
> 
> What is the real alternative?
> 
> Rodrigo.
> 

Hi Rodrigo,

Try the commands in this order, see what you get with a recent snapshot:

$ pkg_info -d lynx; pkg_info -d w3m--image; pkg_info -d dillo; \
  pkg_info -d pkg_mgr

Note, and beware Firefox IS dropping i386 and we all have issues with P3
and previous generations CPUs lacking SSEx (wtf).  Landry Breuil packages
the latest Firefox for many years, if only we could get a -noJS flavour.

https://packages.rhaalovely.net/
https://rhaalovely.net/

Kind regards,
Anton Lazarov



on-line kernel debugging

2018-01-26 Thread bijan

Hi!

Does OpenBSD support on-line kernel debugging as FreeBSD does[1]?
The only tutorial I managed to find was a fairly old one[2] by QEMU
over GNU/Linux but it seems kgdb(7) is removed since 6.2 (apparently
for not even working before[3]).

Thank you!

[1]: https://www.freebsd.org/doc/en/books/developers-handbook/kerneldebug-online-ddb.html

[2]: https://markshroyer.com/2013/01/debugging-openbsd-via-qemu/
[3]: https://github.com/openbsd/src/commits/master/sys/sys/kgdb.h




Re: Unexpected security(8) output

2018-01-26 Thread Ingo Schwarze
Hi Clint,

Clint Pachl wrote on Fri, Jan 26, 2018 at 10:43:47AM -0700:

> I received the following output from security(8):
> 
> Running security(8):
> Can't 
> opendir(/home/pachl/.cache/mozilla/seamonkey/e8cxa4g0.default/safebrowsing-backup):
>  No such file or directory at /usr/libexec/security line 594.
> 
> I didn't realize security parses through user files; beyond a few dot 
> files.

It does so to find SUID/SGID files and special files, see the
function find_special_files().

Messages like the one you encountered are rare, and it would be hard
to suppress them without introducing a risk to hide actual problems.

> I don't understand perl. Is the script keeping state somewhere? 

Yes, in /var/backups/{setuid,device}.{current,backup}, see the
function check_filelist() for details.

I just looked at what we wrote in the security(8) manual.

In the DESCRIPTION, we say:

 * Check for changes in setuid/setgid files and devices.
 * Check for changes in the device file list.

Below FILES, /var/backups is listed, without any further details.

I guess the documentation is good enough.  As a rule, users are not
required to worry about the details of the algorithm or bookkeeping,
the script is supposed to just work and speak up if it notices anything
fishy.  If somebody is curious, they can inspect the code, it is not
very long.

> How did it know to even try opening the safebrowsing-backup directory?

It looks everywhere because dangerous special files might hide anywhere.
It uses File::Find(3p) to do so.

Arguably, part of these checks have become less important since
we are mounting /home/ and other directories nodev and nosuid
by default.  Then again, finding weird files in weird places is
still weird and should maybe still be noted.  In any case,
restricting the search would complicate matters and increase the
risk of missing something relevant.

> The missing directory isn't listed in /etc/changelist or 
> /etc/mtree/{special,*.secure}. I couldn't find any trace of it in /var/.
> 
> So I manually ran the security script again. It returned no output.

The file of the name you quote above probably was a dead symbolic
link; it may only have existed for a short time, for example while
your browser was shuffling stuff around.  Your seamonkey likely
removed it before your manual run - programs are kind of expected
to create and delete files in their own cache directories.

> I'm confused.
> Can anyone explain this?

I tried, with a bit of guessing.

Yours,
  Ingo



Re: Unexpected security(8) output

2018-01-26 Thread Andrew Hewus Fresh
On Fri, Jan 26, 2018 at 10:43:47AM -0700, Clint Pachl wrote:
> I received the following output from security(8):
> 
> Running security(8):
> Can't 
> opendir(/home/pachl/.cache/mozilla/seamonkey/e8cxa4g0.default/safebrowsing-backup):
>  No such file or directory at /usr/libexec/security line 594.

That likely comes from the File::Find inside of find_special_files where
security(8) looks for changed setuid files and devices.  Most likely
that cache directory was cleaned up between reading the directory
listing of the parent and actually trying to recurse into that
directory.

You could add your home directory to the SUIDSKIP environment variable
in /etc/daily.local to avoid searching there if this message keeps
annoying you and you don't care about devices and suid changes there.

http://man.openbsd.org/security#SUIDSKIP

l8rZ,
-- 
andrew - http://afresh1.com

Instructions are just another man's opinion of how to do something. 
  -- Weldboy #DPWisdom
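
Added example, not part of the thread and not the security(8) source: a Python sketch of the check both replies describe, walking a tree for setuid/setgid files and device nodes, comparing the result with the previous run, and tolerating a directory that disappears between being listed and being opened. The skip argument stands in for SUIDSKIP; the after_listing hook, the in-memory state (instead of /var/backups) and the temporary tree are assumptions made for the demonstration.

```python
import os
import stat
import tempfile


def find_special_files(root, skip=(), after_listing=None):
    """Return (found, warnings) for setuid/setgid files and device nodes.

    skip plays the role SUIDSKIP plays in the thread: subtrees not searched.
    after_listing is a hypothetical hook, called once a directory has been
    listed, used here only to imitate another process changing the tree.
    """
    found, warnings = {}, []
    skip = {os.path.abspath(p) for p in skip}

    def on_error(err):
        # The parent listed this directory, but it was gone when we opened it.
        warnings.append(f"Can't opendir({err.filename}): {err.strerror}")

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        dirnames[:] = [d for d in dirnames
                       if os.path.abspath(os.path.join(dirpath, d)) not in skip]
        if after_listing:
            after_listing(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # file vanished between listing and lstat
            mode = st.st_mode
            is_dev = stat.S_ISBLK(mode) or stat.S_ISCHR(mode)
            is_suid = stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)
            if is_dev or is_suid:
                found[path] = f"{stat.filemode(mode)} {st.st_uid}:{st.st_gid}"
    return found, warnings


def check_filelist(previous, current):
    """Report additions (+), removals (-) and changes (~) between two runs."""
    report = []
    for path in sorted(set(previous) | set(current)):
        if path not in previous:
            report.append(f"+ {path} {current[path]}")
        elif path not in current:
            report.append(f"- {path} {previous[path]}")
        elif previous[path] != current[path]:
            report.append(f"~ {path} {previous[path]} -> {current[path]}")
    return report


def demo():
    """Constructed tree: a file that gains setuid, a cache dir removed mid-walk."""
    with tempfile.TemporaryDirectory() as root:
        user = os.path.join(root, "home", "user")
        cache = os.path.join(user, ".cache", "safebrowsing-backup")
        os.makedirs(cache)
        tool = os.path.join(user, "tool")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(tool, 0o755)
        baseline, _ = find_special_files(root)   # first run: nothing special

        os.chmod(tool, 0o4755)                   # the file gains the setuid bit

        def cleanup(dirpath):                    # imitates the browser's cleanup
            if dirpath == os.path.dirname(cache) and os.path.isdir(cache):
                os.rmdir(cache)

        current, warnings = find_special_files(root, after_listing=cleanup)
        report = check_filelist(baseline, current)
        skipped, _ = find_special_files(root, skip=[os.path.join(root, "home")])
        return report, warnings, skipped, tool, cache


if __name__ == "__main__":
    for item in demo()[:3]:
        print(item)
```

The vanished directory produces only a warning and the walk continues, so the new setuid file is still reported; skipping the home subtree silences the warning but also hides that file.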



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread Kevin Chadwick
On Fri, 26 Jan 2018 17:50:02 +


> On Fri, 26 Jan 2018 17:13:47 + (GMT)
> 
> 
> > (1) "even *running* firefox on an i386 netbook with 1Gb of memory
> > is unbearable."  
> 
> We still have a 1.73 Ghz 1.5 Gigabyte Ram laptop that does OK with
> firefox. It is running fvwm 1 as a desktop though which requires
> clicks occasionally for some windows to show these days?

Oh and evince maximise controls don't work at all because they have
somehow hidden the fvwm ones... clever breakage whatever they have
done. Haven't found another app with the same issue.

I was thinking of switching from fvwm to either fvwm2 or xfce (not a
gnome fan) but not sure now, at least until those laptops are replaced. I
also love its single config file and reliability (config screw ups and
load failures have happened on xfce in the past on Debian, many years
ago though).



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread Jonathan Drews
You can try Otter-browser. It is a fork of the Opera browser. My bank
website and a few other websites refuse secure logins but in general it
works well.

 I am using it on OpenBSD 6.1. It won't play videos until you install the
necessary plugins. Here is how to fix it.
>Description:
The Otter Browser cannot play videos such as at YouTube
>How-To-Repeat:
Go to YouTube and try to play a video. You will get an error
message.
>Fix:
The fix is to install gstreamer1-plugins-good-1.* and
gstreamer1-plugins-libav-1.*
As root, do the following:
# export PKG_PATH=https://mirrors.syringanetworks.net/pub/OpenBSD/6.1/packages/amd64/
# pkg_add gstreamer-plugins-good-0.10.31p18v0.tgz
and
# pkg_add gstreamer1-plugins-libav-1.10.4.tgz
The above is only an example. Your OpenBSD system may have
different versions.

The Otter-Browser will now play videos


On Jan 26, 2018 10:51 AM, "Kevin Chadwick"  wrote:

On Fri, 26 Jan 2018 17:13:47 + (GMT)


> (1) "even *running* firefox on an i386 netbook with 1Gb of memory is
> unbearable."

We still have a 1.73 Ghz 1.5 Gigabyte Ram laptop that does OK with
firefox. It is running fvwm 1 as a desktop though which requires
clicks occasionally for some windows to show these days?


Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread Kevin Chadwick
On Fri, 26 Jan 2018 17:13:47 + (GMT)


> (1) "even *running* firefox on an i386 netbook with 1Gb of memory is 
> unbearable."

We still have a 1.73 Ghz 1.5 Gigabyte Ram laptop that does OK with
firefox. It is running fvwm 1 as a desktop though which requires
clicks occasionally for some windows to show these days?



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread Kevin Chadwick
On Fri, 26 Jan 2018 11:10:45 -0500


> > I have 512 MB there. My computer has 1024MB Ram. For what does
> > firefox need so much memory?!  

I think that puzzles everyone. Browsers are often full of memory leaks
too. I haven't had any crashes on 57 or 58 btw.

I haven't checked quantum but priorly it used ~300 Megabytes before
opening a web page. Chromium was similar but in many processes. Edge
used far less but I guess it goes up with every additional feature
they add like drawing over web pages, extensions etc..

Over a decade ago, firebird used to use ~30 megabytes if I remember
correctly.

Windows is terrible with hdd and ram usage, about a decade ago people
started marketing huge ram computers as it was apparent that it would
avoid Windows paging and thrashing so much. It's gone crazy since I
guess, though Windows update and installers are still terrible disk
users. Probably largely what has driven the SSD market too despite its
downsides like capacity and cost (every time you boot or connect the
internet especially after being disconnected or off for a week, Windows
is crazy slow due to HDD contention).



Unexpected security(8) output

2018-01-26 Thread Clint Pachl

I received the following output from security(8):

Running security(8):
Can't 
opendir(/home/pachl/.cache/mozilla/seamonkey/e8cxa4g0.default/safebrowsing-backup):
 No such file or directory at /usr/libexec/security line 594.



I didn't realize security parses through user files; beyond a few dot 
files. I don't understand perl. Is the script keeping state somewhere? 
How did it know to even try opening the safebrowsing-backup directory?


The missing directory isn't listed in /etc/changelist or 
/etc/mtree/{special,*.secure}. I couldn't find any trace of it in /var/.


So I manually ran the security script again. It returned no output. I'm 
confused.


Can anyone explain this?

Thank you,
Clint



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread mathuin
> > > I only need a browser.
> > 
> > Surf? w3m?
> 
> w3m is a fantastic tool! When it gets unbearable, I copy the location
> from firefox and feed w3m with it.
> 
> I will try later surf.
> 
> iridium does not convince me till now. It seems to be a new browser 
> (different from chrome) as any linux distribution is a new operating
> system. It seems to be slower than firefox, the window for everything
> (url, search, etc) is a risk.
> 
> Rodrigo.
> 

I can vouch for surf, not too hard to get running, composes well with
other unix tools and it's built by the suckless community, so you know 
they value a small footprint as well. But don't expect to have all websites
render and work flawlessly, its browser engine wasn't the most up to date
last time I checked. 

Mathuin



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread Roderick

On Fri, 26 Jan 2018, Allan Streib wrote:

> Mine is set to 2048M also. I almost never have Firefox crashes
> esp. on newer builds from Landry Breuil as described here:
> 
>   https://undeadly.org/cgi?action=article=20170425173917

(1) "even *running* firefox on an i386 netbook with 1Gb of memory is 
unbearable."

(2) "PS: No i can't do anything about the crashes or the OOMs ! Send your 
reports directly upstream !"

The Browser is a program I need that needs by far much more resources
than any other program I need.

> > I only need a browser.
> 
> Surf? w3m?

w3m is a fantastic tool! When it gets unbearable, I copy the location
from firefox and feed w3m with it.

I will try later surf.

iridium does not convince me till now. It seems to be a new browser 
(different from chrome) as any linux distribution is a new operating
system. It seems to be slower than firefox, the window for everything
(url, search, etc) is a risk.

Rodrigo.



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread Allan Streib
Roderick  writes:

> On Thu, 25 Jan 2018, meg...@r53sound.com wrote:
>
>> Have you tried increasing  datasize-cur and -max under "default:\"
>> in /etc/login.conf ? I have mine set to 2048M
>
> I have 512 MB there. My computer has 1024MB Ram. For what does firefox
> need so much memory?!

Mine is set to 2048M also. I almost never have Firefox crashes
esp. on newer builds from Landry Breuil as described here:

  https://undeadly.org/cgi?action=article=20170425173917

I run three or four browser profiles simultaneously, use Gmail, Google
Docs, Google Sheets, etc. quite well. With Firefox Quantum it's even
more stable than Chromium which is the reverse of my prior experience
using Google services.

> I only need a browser.

Surf? w3m?

Allan



Re: gzip compression and httpd/relayd

2018-01-26 Thread Stuart Henderson
On 2018-01-25, Thuban  wrote:
> I'm very happy with relayd + httpd.
> Relayd deals with headers and httpd serve files.
>
> I know httpd doesn't have gzip compression.
>
> 1. Do you know if it's planned in the future?

https://github.com/reyk/httpd/issues/21




Re: wxallowed flag

2018-01-26 Thread mazocomp
Well, I've just checked python's port and created a package
without USE_WXNEEDED and it works pretty well. How about I'll
send a patch to ports@ which will create "wx" or "no_wx" flavor?



Re: IPsec help: too much NAT!

2018-01-26 Thread Kenneth Gober
When faced with an ISP modem/router, I generally try to switch it to
bridge mode and move the PPPoE / DHCP client formerly handled by the
ISP hardware to the OpenBSD system instead.  This rather simplifies
things if you can make it work because then your OpenBSD system has
the Internet-facing address and you remove a layer of NAT.

It's unclear to me whether you are stuck with the ISP hardware (but
can change it to bridged if you like) or if you are also stuck with it
being configured as a NAT router as well so I don't know if this is
something you can do.

-ken


On Thu, Jan 25, 2018 at 6:01 PM, Stuart Henderson  wrote:
> On 2018-01-25, Lyndon Nerenberg  wrote:
>> I have an IPsec conundrum I'm trying to solve.  Yes, the scenario
>> is somewhat absurd; it's also the problem I've been tasked with
>> solving, so spare the peanut gallery comments, okay?
>>
>>
>> NET-P  GW-Q <-> internet <-> GW-H  GW-V  NET-V
>>
>> NET-P is 10.0.2.0/24
>> NET-V is 10.0.11.0/24
>>
>> GW-Q is an OpenBSD host with fixed addresses 10.0.2.1 (inside) and
>> 1.2.3.4 (internet).
>>
>> GW-H is some random ISP cable/DSL modem that NATs everything behind
>> it, with a random external address. (I.e., assume DHCP on the
>> "internet" side.)
>>
>> GW-V is an OpenBSD host. It has a variable upstream address obtained
>> from the back end of GW-H (DHCP).  On the other side, GW-V presents
>> 10.0.11.1 to NET-V.
>>
>> The goal here is to establish an IPsec tunnel that links NET-P and
>> NET-V together, in the face of all the other nonsense in between.
>>
>> In the schematic above, '' represents a NAT translation point.
>> '<->' is a regular router interconnect.
>>
>> I have tried setting up an IKEv2 passive connection from GW-V to
>> GW-Q (connections in the other direction are impossible), but I'll
>> be damned if I can figure out how to specify the SA associations
>> and ESP flows on GW-V, given the lack of fixed addresses on the
>> upstream sides of GW-V and GW-H.  (Or in the other direction, for
>> that matter.)
>>
>> Is there any hope this can possibly work?
>
> That's a pretty standard setup. I don't have an iked one handy to crib
> from but ipsec.conf/isakmpd looks like this:
>
> - natted side
>
> ike dynamic esp from $natted_side_net/27 to $other_net/21 \
> peer $remote_external_IP \
> main auth hmac-sha1 enc aes group modp3072 \
> quick enc aes-128-gcm group modp3072 srcid myname
>
> - side with real ip
>
> ike passive esp from $other_net/21 to any \
> main auth hmac-sha1 enc aes group modp3072 \
> quick enc aes-128-gcm group modp3072 srcid othername
>
> iked should be similar, use "ikev2 active" on the natted side, "ikev2
> passive" on the static-ip side.
>
> Watch out for "nat helpers" on GW-H that try to fix things up but actually
> break them but there aren't usually problems these days.
>
>



Re: nat-to (least-states / round-robin) problem

2018-01-26 Thread Kapetanakis Giannis
On 23/01/18 11:54, Kapetanakis Giannis wrote:
> On 23/01/18 11:08, Kapetanakis Giannis wrote:
>> Hi,
>>
>> I've discovered something that looks like a bug in nat translation with 
>> least-states or round-robin
>>
>> Instead of using the nat-pool it uses wrong IPs
>>
>> # pfctl -sr -R0
>> pass out log quick on vlan123 inet from xx.xx.xx.xx to 188.113.88.193 flags 
>> S/SA tagged from_internal nat-to xx.xx.yy.24/29 least-states
>>
>> Jan 23 10:59:06.602884 rule 0/(match) pass out on vlan123: 0.0.0.0.62722 > 
>> 188.113.88.193.80: S 3243156923:3243156923(0) win 29200 > 1460,sackOK,timestamp 3169583207 0,nop,wscale 9> (DF)
>> Jan 23 10:59:21.836380 rule 0/(match) pass out on vlan123: 0.0.0.1.57696 > 
>> 188.113.88.193.80: S 1280038032:1280038032(0) win 29200 > 1460,sackOK,timestamp 3169598441 0,nop,wscale 9> (DF)
>>
>> See the 0.0.0.0 address? That's the first packet. The second packet (2nd 
>> wget) uses the next IP, 0.0.0.1 etc.
>>
>> The same problem is with round-robin
>> 10:54:24.750786 0.0.0.2.50332 > 188.113.88.193.80: S 
>> 1923288633:1923288633(0) win 29200 > 0,nop,wscale 9> (DF)
>> 10:54:28.078831 0.0.0.3.50350 > 188.113.88.193.80: S 925801869:925801869(0) 
>> win 29200  (DF)
>>
>> If I use random or source-hash I have no problem.
>>
>> Maybe this is fixed in current but I thought I should report.
>> # head -1 /var/run/dmesg.boot
>> OpenBSD 6.2-beta (GENERIC.MP) #104: Mon Sep 18 23:31:27 MDT 2017
>>
>> I'll try an upgrade later today...
>>
>> G
>>
> same problem with latest snapshot:
> OpenBSD 6.2-current (GENERIC.MP) #382: Sun Jan 21 14:13:38 MST 2018
> 
> G
> 

Hi, any luck with the above?

thanks,

G



Re: wxallowed flag

2018-01-26 Thread Marc Espie
On Fri, Jan 26, 2018 at 01:52:10PM +0200, mazocomp wrote:
> On Fri, Jan 26, 2018 at 12:28:00PM +0100, Marc Espie wrote:
> > On Fri, Jan 26, 2018 at 12:56:15PM +0200, mazocomp wrote:
> > > Hi!
> > > 
> > > Is this a really good idea to keep wxallowed flag on /usr/local by
> > > default? Is this so scary that many poop software will break (this is
> > > not a big loss at all)? After all not enabling this flag by default is
> > > the right thing to do, reliance on W|X should go to /dev/null
> > > 
> > > The only problem I see after removing this flag and removing python
> > > is that it also removes packages which, for example, have
> > > devel/desktop-file-utils in run dependencies, but they work without it.
> > 
> > I don't see your patches for fixing the rather important shit that still
> > requires wxallowed.
> > 
> 
> So you mean broken packages are more important than system's default
> security? Was that true when ProPolice was enabled by default?

Obviously, you don't understand the difference between fixing factually
broken software and enforcing supplementary restrictive semantics on 
top of the traditional posix api that actually requires actual changes
to adapt.



Re: wxallowed flag

2018-01-26 Thread Solène Rapenne

On 2018-01-26 12:52, mazocomp wrote:
> On Fri, Jan 26, 2018 at 12:28:00PM +0100, Marc Espie wrote:
> > On Fri, Jan 26, 2018 at 12:56:15PM +0200, mazocomp wrote:
> > > Hi!
> > >
> > > Is this a really good idea to keep wxallowed flag on /usr/local by
> > > default? Is this so scary that many poop software will break (this is
> > > not a big loss at all)? After all not enabling this flag by default is
> > > the right thing to do, reliance on W|X should go to /dev/null
> > >
> > > The only problem I see after removing this flag and removing python
> > > is that it also removes packages which, for example, have
> > > devel/desktop-file-utils in run dependencies, but they work without it.
> >
> > I don't see your patches for fixing the rather important shit that still
> > requires wxallowed.
>
> So you mean broken packages are more important than system's default
> security? Was that true when ProPolice was enabled by default?

That doesn't change base system security if you don't install packages.



Re: wxallowed flag

2018-01-26 Thread mazocomp
On Fri, Jan 26, 2018 at 12:28:00PM +0100, Marc Espie wrote:
> On Fri, Jan 26, 2018 at 12:56:15PM +0200, mazocomp wrote:
> > Hi!
> > 
> > Is this a really good idea to keep wxallowed flag on /usr/local by
> > default? Is this so scary that many poop software will break (this is
> > not a big loss at all)? After all not enabling this flag by default is
> > the right thing to do, reliance on W|X should go to /dev/null
> > 
> > The only problem I see after removing this flag and removing python
> > is that it also removes packages which, for example, have
> > devel/desktop-file-utils in run dependencies, but they work without it.
> 
> I don't see your patches for fixing the rather important shit that still
> requires wxallowed.
> 

So you mean broken packages are more important than system's default
security? Was that true when ProPolice was enabled by default?



Re: wxallowed flag

2018-01-26 Thread Marc Espie
On Fri, Jan 26, 2018 at 12:56:15PM +0200, mazocomp wrote:
> Hi!
> 
> Is this a really good idea to keep wxallowed flag on /usr/local by
> default? Is this so scary that many poop software will break (this is
> not a big loss at all)? After all not enabling this flag by default is
> the right thing to do, reliance on W|X should go to /dev/null
> 
> The only problem I see after removing this flag and removing python
> is that it also removes packages which, for example, have
> devel/desktop-file-utils in run dependencies, but they work without it.

I don't see your patches for fixing the rather important shit that still
requires wxallowed.



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread Roderick


On Thu, 25 Jan 2018, meg...@r53sound.com wrote:

> Have you tried increasing  datasize-cur and -max under "default:\"
> in /etc/login.conf ? I have mine set to 2048M

I have 512 MB there. My computer has 1024MB Ram. For what does firefox
need so much memory?!

And seamonkey seems to be more bloated than firefox. I only need a
browser.
 
Perhaps I should try iridium, but really reliable in spite of chrome
base?

Rodrigo.


wxallowed flag

2018-01-26 Thread mazocomp
Hi!

Is this a really good idea to keep wxallowed flag on /usr/local by
default? Is this so scary that many poop software will break (this is
not a big loss at all)? After all not enabling this flag by default is
the right thing to do, reliance on W|X should go to /dev/null

The only problem I see after removing this flag and removing python
is that it also removes packages which, for example, have
devel/desktop-file-utils in run dependencies, but they work without it.



Re: gzip compression and httpd/relayd

2018-01-26 Thread Hiltjo Posthuma
On Thu, Jan 25, 2018 at 09:37:06PM +0100, Michael Hekeler wrote:
> On Thu, 25 Jan 2018 19:47:09 +0100
> Thuban wrote:
> 
> > I'm very happy with relayd + httpd.
> > Relayd deals with headers and httpd serve files.
> > 
> > I know httpd doesn't have gzip compression.
> > 
> > 1. Do you know if it's planned in the future?
> > 2. Does anyone have a workaround to advise?
> > 
> > regards
> > 
> 
> to 1.
> https://marc.info/?l=openbsd-misc=142407262812306=2
> 
> 

Hi,

In some servers there were some security issues with compression like:
https://en.wikipedia.org/wiki/BREACH

I don't know if that's the reason httpd doesn't have it though.

> to 2.
> I never tested it myself, but maybe you can compress the files before
> you place them in htdocs!?
> 

Yes it's possible. Make sure to set the appropriate HTTP headers as well
with relayd: read "Accept-Encoding" and if it's acceptable set
"Content-Encoding".

> ...or use nginx reverse-proxy?
> 

-- 
Kind regards,
Hiltjo