/bin/sh echo \n
Hello,

I was testing some scripting using /bin/sh and I could not find this
behaviour in the documentation :

> $ /bin/sh
> $ echo -n '\n'
>
> $

It seems that ksh even in sh (posix ?) mode does expansion of \n to an
actual newline.

First is there a way to turn off the \n expansion in simple quotes in /bin/sh ?

Second I don't see this feature described neither in man sh nor man ksh so
is it a known behaviour of ksh ?

Thanks a ton,

--
Thomas de Grivel
kmx.io
Re: /bin/sh echo \n
On 4/26/20 12:27 PM, Thomas de Grivel wrote:
> Hello,
>
> I was testing some scripting using /bin/sh and I could not find this
> behaviour in the documentation :
>
>> $ /bin/sh
>> $ echo -n '\n'
>>
>> $
>
> It seems that ksh even in sh (posix ?) mode does expansion of \n to an
> actual newline.
>
> First is there a way to turn off the \n expansion in simple quotes in /bin/sh
> ?

You mean placing an additional \ in front of it?
$ echo '\\n'
\n

Or by calling the binary instead of the shell builtin?
$ /bin/echo '\n'
\n

Or by adding -E?
$ echo -E '\n'
\n

Now also note what POSIX itself says[0]:
    It is not possible to use echo portably across all POSIX systems
    unless both -n (as the first argument) and escape sequences are
    omitted.
    ...
    New applications are encouraged to use printf instead of echo.

> Second I don't see this feature described neither in man sh nor man
> ksh so is it a known behaviour of ksh ?

from echo(1):
    echo does not support any of the backslash character sequences
    mandated by XSI.

from ksh(1):
    See the print command below for a list of other backslash sequences
    that are recognized.
    ...
    By default, certain C escapes are translated. These include ‘\b’,
    ‘\f’, ‘\n’, ‘\r’, ‘\t’, ‘\v’, and ‘\0###’ (‘#’ is an octal digit, of
    which there may be 0 to 3).

> Thanks a ton,

[0] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/echo.html
Re: /bin/sh echo \n
On Sun, Apr 26, 2020 at 12:27:24PM +0200, Thomas de Grivel wrote:
> Hello,
>
> I was testing some scripting using /bin/sh and I could not find this
> behaviour in the documentation :
>
> > $ /bin/sh
> > $ echo -n '\n'
> >
> > $
>
> It seems that ksh even in sh (posix ?) mode does expansion of \n to an
> actual newline.

Nope, this is a property of the builtin 'echo'. echo (and the more
general print) are described in the Command execution section of
ksh(1).

> First is there a way to turn off the \n expansion in simple quotes in /bin/sh
> ?

Not with echo, but print has -r

	-Otto

> Second I don't see this feature described neither in man sh nor man
> ksh so is it a known behaviour of ksh ?
>
> Thanks a ton,
>
> --
> Thomas de Grivel
> kmx.io
Re: /bin/sh echo \n
On Sun, Apr 26, 2020 at 01:04:05PM +0200, Otto Moerbeek wrote:
> On Sun, Apr 26, 2020 at 12:27:24PM +0200, Thomas de Grivel wrote:
>
> > Hello,
> >
> > I was testing some scripting using /bin/sh and I could not find this
> > behaviour in the documentation :
> >
> > > $ /bin/sh
> > > $ echo -n '\n'
> > >
> > > $
> >
> > It seems that ksh even in sh (posix ?) mode does expansion of \n to an
> > actual newline.
>
> Nope, this is a property of the builtin 'echo'. echo (and the more
> general print) are described in the Command execution section of
> ksh(1).
>
> > First is there a way to turn off the \n expansion in simple quotes in
> > /bin/sh ?
>
> Not with echo, but print has -r

Oops, echo has -E of course

> 	-Otto
>
> > Second I don't see this feature described neither in man sh nor man
> > ksh so is it a known behaviour of ksh ?
> >
> > Thanks a ton,
> >
> > --
> > Thomas de Grivel
> > kmx.io
pf rules vs late pppoe0 setup
This is current/amd64 on an APU2.
The machine is connected via pppoe over vlan over em as follows:

$ ifconfig em0
em0: flags=8843 mtu 1500
        lladdr 00:0d:b9:56:5e:fc
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

$ ifconfig vlan0
vlan0: flags=8843 mtu 1500
        lladdr 00:0d:b9:56:5e:fc
        description: UVTNET
        index 7 priority 0 llprio 3
        encap: vnetid 848 parent em0 txprio packet rxprio outer
        groups: vlan
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

$ ifconfig pppoe0
pppoe0: flags=8851 mtu 1492
        index 6 priority 0 llprio 3
        dev: vlan0 state: session
        sid: 0x1 PADI retries: 5 PADR retries: 0 time: 00:00:32
        sppp: phase network authproto pap authname "X"
        groups: pppoe egress
        status: active
        inet6 fe80::20d:b9ff:fe56:5efc%pppoe0 -> prefixlen 64 scopeid 0x6
        inet 185.63.96.79 --> 10.11.5.146 netmask 0x

That works just fine, but as the pppoe0 connection is not instantaneous,
by the time pf.conf rules are evaluated, pppoe0 is still 0.0.0.0.
Reading rc(8) and the boot up sequence messages

  pf enabled
  net.inet.ip.forwarding: 0 -> 1
  starting network
  add net default: gateway 0.0.0.1
  add net default: gateway fe80::%pppoe0

pf is enabled first with the default rules, then the network interfaces
get their addresses, and then the "real" rules are applied (right?).

The pppoe0 interface is set up as follows:

$ cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE pppoedev vlan0 \
        authproto 'pap' authname 'X' authkey 'PASS' up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0

Right after boot, it is still not entirely up:

pppoe0: flags=8851 mtu 1492
        index 6 priority 0 llprio 3
        dev: vlan0 state: PADI sent
        sid: 0x0 PADI retries: 2 PADR retries: 0
        sppp: phase establish authproto pap authname "X"
        groups: pppoe egress
        status: no carrier
        inet 0.0.0.0 --> 0.0.0.1 netmask 0x
        inet6 fe80::20d:b9ff:fe56:5efc%pppoe0 -> prefixlen 64 scopeid 0x6

and, accordingly,

# pfctl -sr
match out on egress inet from ! 0.0.0.0 to any nat-to 0.0.0.0
block drop in log quick on ! lo inet6 from ::1 to any
block drop in log quick on ! lo inet from 127.0.0.0/8 to any
block drop in log quick inet from 127.0.0.1 to any
block drop in log quick on ! pppoe0 inet from 0.0.0.0 to any
block drop in log quick inet from 0.0.0.0 to any
block drop in log quick on ! em1 inet from 192.168.11.0/24 to any
block drop in log quick inet from 192.168.11.1 to any
block drop in log quick inet6 from ::1 to any
block drop in log quick on lo0 inet6 from fe80::1 to any
block drop in log quick on pppoe0 inet6 from fe80::20d:b9ff:fe56:5efc to any
block return in log all
pass out on egress all flags S/SA
pass quick inet proto icmp all
pass in on pppoe0 inet proto tcp from any to 0.0.0.0 port = 2200 flags S/SA rdr-to 127.0.0.1 port 22
pass in on pppoe0 inet proto tcp from any to 0.0.0.0 port = flags S/SA rdr-to 127.0.0.1 port 22
pass in on em1 inet from 192.168.11.0/24 to any flags S/SA

Entire pf.conf below - but it's not about the individual rules,
the problem is that pppoe0 is 0.0.0.0, and only becomes 185.63.96.79
after pf.conf has been applied. Is there a recommended way to deal with this?

Having physical access to the machine, I just re-run pfctl -f /etc/pf.conf
once pppoe0 gets its address; I could do that in rc.local after a minute
of sleep, but that seems a bit crude.

	Jan

set skip on lo
set block-policy return

match out on egress inet from !egress:network nat-to egress:0
antispoof log quick for { lo $ext $int }

block in log all
pass out on egress

pass quick inet proto icmp
pass in on $ext inet proto tcp to $ext port 2200 rdr-to localhost port ssh
pass in on $ext inet proto tcp to $ext port rdr-to localhost port ssh
pass in on $int inet from $int:network
Re: /bin/sh echo \n
Hi,

Martijn van Duren wrote on Sun, Apr 26, 2020 at 12:52:38PM +0200:
> On 4/26/20 12:27 PM, Thomas de Grivel wrote:

>> Second I don't see this feature described neither in man sh nor man
>> ksh so is it a known behaviour of ksh ?

> from echo(1):
> echo does not support any of the backslash character sequences mandated
> by XSI.
>
> from ksh(1):
> See the print command below for a list of other backslash sequences that
> are recognized.
> ...
> By default, certain C escapes are translated.

So Martijn answered this almost exhaustively.

My only point to add is that i consider it intentional that the sh(1)
manual page does not mention the "echo" builtin because "echo" cannot be
used portably in a /bin/sh program (at least not with variable expansion
following it), and the sh(1) manual starts like this:

  This manual page describes only the parts relevant to a POSIX
  compliant sh. If portability is a concern, use only those features
  described in this page.

In conclusion, i think there is nothing to fix in the documentation,
neither in echo(1) nor in ksh(1) nor in sh(1).

Yours,
  Ingo
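The portable alternative the thread arrives at (printf instead of echo), as an added example that is not part of any message above: printf only interprets backslash sequences in its format string, so a %s argument is emitted verbatim under ksh, bash and dash alike, while %b expands the same C escapes ksh's echo translates, including the \0### octal form from ksh(1). The function names are made up for the example.

```sh
#!/bin/sh
# Emit a string exactly as given, whatever shell is running the script.
# The data goes through %s, never through the format string, so no
# backslash sequence in it is touched (the POSIX-recommended replacement
# for echo when the argument may contain backslashes or start with -n).
emit_literal() {
    printf '%s\n' "$1"
}

# The opposite, done on purpose: %b expands C-style escapes portably,
# which is what ksh's echo does by default and what the thread ran into.
emit_escapes() {
    printf '%b\n' "$1"
}

# Self-checks, written as functions so they return a status.
# emit_literal keeps the two characters backslash and n.
check_literal_kept() {
    [ "$(emit_literal '\n')" = '\n' ]
}

# emit_escapes turns the same two characters into a real newline.
check_escape_expanded() {
    [ "$(emit_escapes 'a\nb')" = "$(printf 'a\nb')" ]
}

# The \0### form from ksh(1) yields a raw control byte (here ESC), which is
# why data from users or the network should only ever go through %s when it
# is written to a terminal or a log file.
check_octal_is_control_char() {
    [ "$(emit_escapes '\0033')" = "$(printf '\033')" ]
}
```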
Re: pf rules vs late pppoe0 setup
On Sun, 26 Apr 2020 13:54:27 +0200, Jan Stary wrote:
> Is there a recommended way to deal with this?

If I correctly understood your problem, the solution:

(from pf.conf(5))
> Host name resolution and interface to address translation are
> done at ruleset load-time. When the address of an interface (or
> host name) changes (under DHCP or PPP, for instance), the ruleset
> must be reloaded for the change to be reflected in the kernel.
> Surrounding the interface name (and optional modifiers) in
> parentheses changes this behaviour. When the interface name is
> surrounded by parentheses, the rule is automatically updated
> whenever the interface changes its address. The ruleset does not
> need to be reloaded. This is especially useful with NAT.

Cheers,
Daniel
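Daniel's pf.conf(5) quote applied to Jan's ruleset, as an added example that is not from the thread: every place where pppoe0's address is used is written with the interface in parentheses, so the kernel re-resolves it once the PPPoE session comes up and no reload is needed. It assumes the macro definitions ext = pppoe0 and int = em1 (Jan's excerpt does not show them) and keeps the port number Jan's second rdr rule is missing as a placeholder.

```pf
# Assumed macro definitions; not shown in Jan's excerpt.
ext = "pppoe0"
int = "em1"

set skip on lo
set block-policy return

# Parenthesised interface: the kernel tracks the address as it changes,
# so the NAT source is no longer frozen at 0.0.0.0 from boot time.
match out on egress inet from !(egress:network) nat-to (egress:0)

# antispoof was expanded to explicit addresses when Jan's ruleset was
# loaded (the 0.0.0.0 entries in his pfctl -sr output), so compare
# pfctl -sr before and after the link comes up to see whether these
# still need a reload on your release.
antispoof log quick for { lo $ext $int }

block in log all
pass out on egress

pass quick inet proto icmp
# ($ext) instead of $ext: the rdr target follows pppoe0's current address.
pass in on $ext inet proto tcp to ($ext) port 2200 rdr-to localhost port ssh
pass in on $ext inet proto tcp to ($ext) port PORT_PLACEHOLDER rdr-to localhost port ssh
# em1 has a static address, so the :network form needs no parentheses.
pass in on $int inet from $int:network
```

Check the syntax with pfctl -nf /etc/pf.conf before loading; in pfctl -sr the parenthesised rules then show the interface in parentheses rather than a fixed address.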
Ospfd default route query
Hi,

Hope someone can help, I am having a strange issue and can't seem to
isolate the problem.

We have "redistribute default" set globally on our bgp/ibgp speakers in
the ospfd.conf. The bsd boxes are all 6.6.

These routers are connected via ibgp to some other routers and have
external bgp sessions taking at present a couple of basic network
announcements from their ebgp peers. e.g. 2.2.2.0/24 ( we have faked our
transit provider)

Connected to these routers we have a pair of firewalls, which previously
received a default route from the bgp/ibgp speakers.

I am trying to understand exactly what the redistribute default in the
ospfd.conf does. I assume it is saying if i have a static default route or
another default route from an upstream then tell other routers about it?
Or is it saying tell others to use me as a default route. I can't seem to
find anything specific in the docs to clarify this, and would like to
understand it clearly if pos.

In our case our previous configuration on 5.8 and this configuration has
a static route on the bgp speakers of 0.0.0.0/24 -> 127.0.0.1.

If I do a ospfctl sh rib or ospfctl sh data on the firewalls i just don't
see any default route being provided by the bgp speakers.

Hope this makes sense. I am sure I am missing something obvious...

Effectively I want the bgp speakers to announce themselves as the default
route for their neighbor firewalls over ospf.

Thanks
multihomed routing issue
Hi,

I have created an OpenBSD 6.6 VM in the Azures cloud that I plan to use as
a Firewall, I had planned on using carp but I can't get it working in Azure
so I think I can use an Internal load balancer to achieve my aim of having
two redundant OBSD Firewalls in Azure.

The problem I have is that the Azure Internal Load Balancer requires a
health probe to work. So I create a load balancer health probe and set it
to the SSH service on my FW Host and set it to every 5 seconds. I can see
the traffic on my FW but the health probe doesn't work and I think it's
because the traffic from the Azure discover ip "168.63.129.16" that is
doing the probe is coming from within the azure network, hitting my
internal nic and then onto the ssh service ? and then finally leaving but
on the external interface.

tcpdump -n -e -ttt -i pflog0 -v
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Apr 26 15:59:30.082436 rule 1/(match) [uid 0, pid 44293] block out on hvn0: [orig src 10.x.x.36:22, dst 168.63.129.16:54762] 10.x.x.4.65324 > 168.63.129.16.54762: S [bad tcp cksum 9d0b! -> 9e14] 252441079:252441079(0) ack 3958895254 win 16384 (DF) (ttl 64, id 2960, len 52, bad ip cksum 0! -> 52f0)

Rule 1 = block log all
168.63.129.16 = Azure Discovery Address
10.x.x.4 = My External IP on hvn0
10.x.x.36 = My Internal IP on hvn1

I tried changing the state rules to allow the traffic out on the external
interface and I thought I had it working earlier today by changing
state-policy from if-bound to floating but I can't reproduce that again
for some reason... anyway it didn't seem to work.

I think I really just need to force the traffic back out the Internal
interface but I just don't know how to do that ?

If anyone could help me it would be really appreciated.

Thanks
Keith
Re: Ospfd default route query
Not sure how I missed the clear information in the man page...

"If set to default, a default route pointing to this router will be
announced over OSPF"

It seems I am just having an issue and it should work as I expected. I
will do some more diagnosis in the morning...

On Sun, 26 Apr 2020, 17:09 Richard Chivers, wrote:

> Hi,
>
> Hope someone can help, I am having a strange issue and can't seem to
> isolate the problem.
>
> We have "redistribute default" set globally on our bgp/ibgp speakers
> in the ospfd.conf. The bsd boxes are all 6.6.
>
> These routers are connected via ibgp to some other routers and have
> external bgp sessions taking at present a couple of basic network
> announcements from their ebgp peers. e.g. 2.2.2.0/24 ( we have faked our
> transit provider)
>
> Connected to these routers we have a pair of firewalls, which previously
> received a default route from the bgp/ibgp speakers.
>
> I am trying to understand exactly what the redistribute default in the
> ospfd.conf does. I assume it is saying if i have a static default route or
> another default route from an upstream then tell other routers about it? Or
> is it saying tell others to use me as a default route. I can't seem to find
> anything specific in the docs to clarify this, and would like to understand
> it clearly if pos.
>
> In our case our previous configuration on 5.8 and this configuration has a
> static route on the bgp speakers of 0.0.0.0/24 -> 127.0.0.1.
>
> If I do a ospfctl sh rib or ospfctl sh data on the firewalls i just don't
> see any default route being provided by the bgp speakers.
>
> Hope this makes sense. I am sure I am missing something obvious...
>
> Effectively I want the bgp speakers to announce themselves as the default
> route for their neighbor firewalls over ospf.
>
> Thanks
>
Re: couldn't find audio device
Hi, Thanks to your answers, I managed to record sounds using my webcam, connecting to rsnd device and, more important, I think I understood why aucat couldn't find the device earlier. I overlooked man sndio (7) because I misunderstood man sndiod (8) and tried to connect to /dev/ instead of sndio(7) devices that are described in man aucat(1) -f option. Best regards and many thanks, Damien Thiriet
OpenBSD smtpd to GoDaddy
I'm trying to send email from OpenBSD 6.6 via GoDaddy's smtp.secureserver.net. Unfortunately my GoDaddy SMTP username is "p...@munts.net" which doesn't seem to be a legal username for OpenBSD's smtpd. I've tried every escaping mechanism for the @ character I can think of, but nothing has worked. Is there some way to escape the @ character in smtpd.conf and secrets? Phil
Re: OpenBSD smtpd to GoDaddy
On 26.04.2020 at 19:15, Philip Munts wrote:
> I'm trying to send email from OpenBSD 6.6 via GoDaddy's
> smtp.secureserver.net. Unfortunately my GoDaddy SMTP username is
> "p...@munts.net" which doesn't seem to be a legal username for OpenBSD's
> smtpd. I've tried every escaping mechanism for the @ character I can
> think of, but nothing has worked.

action "relay2GoDaddy" relay \
        host smtps://f...@smtp.secureserver.net \
        auth { foo = p...@munts.net:password }

HTH
Re: pthreads, C and guacamole [Was: Reduce attack surface - Tomcat and guacamole...]
Hi Nick,

Thanks very much for validating my thought processes.

I have managed to get guacamole compiled using a contemporary version of
FreeRDP (with the pthread_mutexattr_setpshare commented out). It runs
perfectly using ssh connections.

The RDP sessions which I am interested in are quite flaky, but it's around
the graphics handling and nothing to do with IPC. (When I click on the
"Start" button of a Windows XP box in an RDP session, the connection closes
because of some "glyph" issues that guacamole can't handle. The new version
of FreeRDP changed the API quite a bit and it seems to have caused quite a
bit of pain to the guacamole project.

The newer version of FreeRDP also has an issue of POSIX or FD based timers
required, neither of which OpenBSD has. But the timer requirements are very
basic so I'm investigating some kind of *BSD based timer mechanism can be
implemented in FreeRDP.

Cheers,
Steve W.

On 25/04/2020 11:11 a.m., Nick Permyakov wrote:
Hi Steve,

You're talking about
https://github.com/apache/guacamole-server/blob/master/src/libguac/pool.c ,
I presume? In that case you're right unless
- the malloc and pthread_* functions are redefined to mean something weird, or
- the physical page containing malloc'ed pool is later made shared between
  processes, or is flagged to be shared with a child after forking, or
  remapped to another virtual address in the same process,
all of which are highly unlikely.

So a process-shared mutex is unnecessary here on any POSIX system, not only
on OpenBSD.

Nick Permyakov

Hi,

I am looking into guacamole's use of pthread_mutexattr_setpshare.
(an aside, if I comment out the 4 lines of code invoking
pthread_mutexattr_setpshare, it compiles with gcc on OpenBSD 6.6
(GENERIC.MP) )

I am an experienced C programmer, but I've never looked in threading in C
before so it has required quite a bit of reading. I haven't been able to
find a comprehensive "architecture" document, just various man pages, some
with sample code.

For example:
https://linux.die.net/man/3/pthread_mutexattr_init

In the above documentation, it states:

  ...the possibility that an application may allocate the synchronization
  objects from this section in memory that is accessed by multiple
  processes (and therefore, by threads of multiple processes).

That is the purpose of the guacamole's
pthread_mutexattr_setpshared(foo, PTHREAD_PROCESS_SHARED), to permit
multiple threaded processes to access the resource protected by the MUTEX.

However, from my reading of the code, the MUTEX is only protecting malloc'd
memory, which as far as I know, isn't a resource that can be accessed by
multiple processes.

It is my newbie (to pthreads) interpretation of the code that in all 4
cases, the code is malloc'ing memory that is being protected by the MUTEX.

For example: src/libguac/pool.c:
...
guac_pool* guac_pool_alloc(int size) {

    pthread_mutexattr_t lock_attributes;
    guac_pool* pool = malloc(sizeof(guac_pool));
    ^^^ Allocate memory that will only be accessible by this process

    /* If unable to allocate, just return NULL. */
    if (pool == NULL)
        return NULL;

    /* Initialize empty pool */
    pool->min_size = size;
    pool->active = 0;
    pool->__next_value = 0;
    pool->__head = NULL;
    pool->__tail = NULL;

    /* Init lock */
    pthread_mutexattr_init(&lock_attributes);
    pthread_mutexattr_setpshared(&lock_attributes, PTHREAD_PROCESS_SHARED);
    pthread_mutex_init(&(pool->__lock), &lock_attributes);

This code saves the MUTEX in the locally allocated memory. No other process
can find this MUTEX in malloc'd memory, so setting it to
PTHREAD_PROCESS_SHARED seems totally irrelevant.

If so, I *think* it's OK to just comment out that code as OpenBSD's pthread
implementation will work fine within a process, just not multiple processes.

Is this a correct assessment of the code and OpenBSD's pthread environment?

Thanks,
Steve W.

On 15/04/2020 10:19 a.m., Stuart Henderson wrote:
On 2020-04-14, Steve Williams wrote:
Guacamole (I believe) needs to run under something like tomcat to serve up
the java war file & application.

I looked at this before - it also requires guacamole-server to be built
(written in C), it requires mutexes shared between different processes
(pthread_mutexattr_setpshared(foo, PTHREAD_PROCESS_SHARED) which isn't
supported in OpenBSD's thread library. But what you can do is run guacamole
elsewhere and have a reverse http proxy running on OpenBSD doing http auth
and feeding connections across.

So, I was thinking of using some form of authpf to open up pf rules when I
needed to access systems remotely. But, I don't want to open up Tomcat to
the world when I'm using guacamole, so is it possible to have authpf tweak
pf rules so that the originating IP address of the ssh session would be the
only one that could access Tomcat?

Th
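Nick's point that a process-shared mutex is pointless for malloc'ed memory, as an added demonstration that is not guacamole's code (demo_pool and the function names are hypothetical): the same take-one-slot operation is run from a forked child once against a pool in malloc()ed memory, as pool.c does, and once against a pool in a MAP_SHARED mapping. Only the second case needs PTHREAD_PROCESS_SHARED, and only there does the child's update reach the parent.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS on glibc; harmless elsewhere */
#include <pthread.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical stand-in for guacamole's guac_pool, reduced to the fields used here. */
typedef struct { pthread_mutex_t lock; int active; } demo_pool;

/* PTHREAD_PROCESS_SHARED only matters when the mutex lives in memory mapped
 * into more than one process (MAP_SHARED). For malloc()ed memory the default
 * PTHREAD_PROCESS_PRIVATE is sufficient, so pool.c's setpshared() call can go. */
static int pool_init(demo_pool *p, int shared) {
    pthread_mutexattr_t attr;
    int rc = pthread_mutexattr_init(&attr);
    if (rc != 0) return rc;
    if (shared) rc = pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
    if (rc == 0) rc = pthread_mutex_init(&p->lock, &attr);
    pthread_mutexattr_destroy(&attr);
    if (rc == 0) p->active = 0;
    return rc;
}

static void pool_take(demo_pool *p) {
    pthread_mutex_lock(&p->lock);
    p->active++;
    pthread_mutex_unlock(&p->lock);
}
/* Fork a child that takes one slot, wait for it, and return what the parent sees. */
static int count_after_child(demo_pool *p) {
    pid_t pid = fork();
    if (pid == 0) { pool_take(p); _exit(0); }
    if (pid > 0) waitpid(pid, NULL, 0);
    return p->active;
}

/* Pool in malloc()ed memory, as in pool.c: the child's take lands in its own
 * copy-on-write copy, so the parent still sees only its own take. Returns 1. */
int private_pool_count(void) {
    demo_pool *p = malloc(sizeof *p);
    if (p == NULL || pool_init(p, 0) != 0) return -1;
    pool_take(p);
    int n = count_after_child(p);
    pthread_mutex_destroy(&p->lock);
    free(p);
    return n;
}

/* Pool in a MAP_SHARED mapping: the one case where a process-shared mutex is
 * meaningful, since parent and child update the same page. Returns 2. */
int shared_pool_count(void) {
    demo_pool *p = mmap(NULL, sizeof *p, PROT_READ | PROT_WRITE,
                        MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || pool_init(p, 1) != 0) return -1;
    pool_take(p);
    int n = count_after_child(p);
    pthread_mutex_destroy(&p->lock);
    munmap(p, sizeof *p);
    return n;
}
```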