Re: sudo and globbing
And what about the difference? Please explain.

On Thu, Jan 7, 2016 at 7:03 PM, Jiri B wrote:
> On Thu, Jan 07, 2016 at 11:43:14AM -0500, Jiri B wrote:
> > I discovered an article about sudo and globbing[1] and
> > there's a difference in how it works on Linux and OpenBSD.
>
> I forgot to put the url
>
> http://zurlinux.com/?p=2244
>
> > - openbsd
> >
> > # su -s /usr/local/bin/bash - nobody
> > No home directory /nonexistent!
> > Logging in with home = "/".
> > -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
> > -rw--- 1 _tor _tor 20442 Dec 10 11:32 /var/tor/cached-certs
> > -rw--- 1 _tor _tor 1409287 Jan 7 15:56 /var/tor/cached-microdesc-consensus
> > -rw--- 1 _tor _tor 5107307 Jan 7 17:23 /var/tor/cached-microdescs
> > -rw--- 1 _tor _tor 0 Jan 7 17:23 /var/tor/cached-microdescs.new
> > -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
> > .cshrc .profile altroot bin bsd bsd.rd bsd.sp dev etc home mnt root sbin sys tftpboot tmp usr var
> >
> > - linux
> >
> > [root@slot-1 ~]# su -s /bin/bash nobody
> > bash-4.2$ exit
> > [root@slot-1 ~]# visudo
> > [root@slot-1 ~]# su -s /bin/bash nobody
> > bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
> > -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache
> > bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
> > -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache

kernel panic athn0
kernel panic athn0 when I do `sudo ifconfig athn0 scan` or `sudo ifconfig athn0 inet 192.168.10.1 255.255.255.0 mediaopt hostap nwid mynwid wpakey 1qaz1qaz up` or `sudo ifconfig athn0 up`

ifconfig
athn0: flags=28802<BROADCAST,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:ef:be:ad:de
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect
        status: no network
        ieee80211: nwid

pcidump
Domain /dev/pci0: [1/47]
 0:0:0: AMD AMD64 14h Host
 0:1:0: ATI Radeon HD 6320
 0:1:1: ATI Radeon HD 6310 HD Audio
 0:4:0: AMD AMD64 14h PCIE
 0:17:0: ATI SBx00 SATA
 0:18:0: ATI SB700 USB
 0:18:2: ATI SB700 USB2
 0:19:0: ATI SB700 USB
 0:19:2: ATI SB700 USB2
 0:20:0: ATI SBx00 SMBus
 0:20:2: ATI SBx00 HD Audio
 0:20:3: ATI SB700 ISA
 0:20:4: ATI SB600 PCI
 0:20:5: ATI SB700 USB
 0:21:0: ATI SB800 PCIE
 0:21:1: ATI SB800 PCIE
 0:21:2: ATI SB800 PCIE
 0:21:3: ATI SB800 PCIE
 0:22:0: ATI SB700 USB
 0:22:2: ATI SB700 USB2
 0:24:0: AMD AMD64 14h Link Cfg
 0:24:1: AMD AMD64 14h Address Map
 0:24:2: AMD AMD64 14h DRAM Cfg
 0:24:3: AMD AMD64 14h Misc Cfg
 0:24:4: AMD AMD64 14h CPU Power
 0:24:5: AMD AMD64 14h Reserved
 0:24:6: AMD AMD64 14h NB Power
 0:24:7: AMD AMD64 14h Reserved
 3:0:0: Atheros AR9300
 4:0:0: Realtek 8168
 5:0:0: ASMedia ASM1083/1085 PCIE-PCI
 6:1:0: Realtek 8169
 6:2:0: VIA VT6306 FireWire
 7:0:0: ASMedia ASM1042 xHCI

OpenBSD/amd64 (router.local.lan) (tty00)

login: panic: kernel diagnostic assertion pin < sc->ngpiopins failed: file ../../../../dev/ic/ar9003.c, line 512
Stopped at Debugger+0x9: leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
IF RUNNING SMP, USE 'mach ddbcpu #' AND 'trace' ON OTHER PROCESSORS, TOO.
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0} trace
Debugger() at Debugger+0x9
panic() at panic+0xfe
__assert() at __assert+0x25
ar9003_gpio_write() at ar9003_gpio_write+0x9d
athn_init() at athn_init+0xfb
athn_ioctl() at athn_ioctl+0x1e6
in_ifinit() at in_ifinit+0xee
in_control() at in_control+0x574
ifioctl() at ifioctl+0x201
sys_ioctl() at sys_ioctl+0x169
syscall() at syscall+0x297
--- syscall (number 54) ---
end of kernel
end trace frame: 0x53bb20, count: -11
acpi_pdirpa+0x3fc50a:
ddb{0} ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
* 1313 22629 1313 0 7 0x3 ifconfig
22629 1819 22629 1000 3 0x8b pause ksh
19651 23472 6931 1000 3 0x83 ttyin more
23472 6931 6931 1000 3 0x8b pause sh
6931 12554 6931 1000 3 0x83 wait man
12554 1819 12554 1000 3 0x8b pause ksh
1819 1 1819 1000 3 0x80 kqread tmux
28809 5207 28809 1000 3 0x83 kqread tmux
5207 27936 5207 1000 3 0x8b pause ksh
27936 13045 13045 1000 3 0x90 select sshd
13045 25024 13045 0 3 0x92 poll sshd
2078 1 2078 0 3 0x83 ttyin getty
17304 1 17304 0 3 0x83 ttyin getty
2330 1 2330 0 3 0x83 ttyin getty
24689 1 24689 0 3 0x83 ttyin getty
26914 1 26914 0 3 0x83 ttyin getty
16989 1 16989 0 3 0x83 ttyin getty
14046 1 14046 0 3 0x80 select cron
10830 1 10830 0 3 0x80 nanosleep sensorsd
5153 1 5153 0 3 0x80 kqread apmd
27414 1 27414 99 3 0x90 poll sndiod
26709 7533 7533 95 3 0x90 kqread smtpd
17924 7533 7533 95 3 0x90 kqread smtpd
17176 7533 7533 95 3 0x90 kqread smtpd
15696 7533 7533 95 3 0x90 kqread smtpd
27629 7533 7533 95 3 0x90 kqread smtpd
9046 7533 7533 103 3 0x90 kqread smtpd
7533 1 7533 0 3 0x80 kqread smtpd
4849 1 4849 77 3 0x90 poll dhcpd
25024 1 25024 0 3 0x80 select sshd
29737 21956 28576 83 3 0x90 poll ntpd
21956 28576 28576 83 3 0x90 poll ntpd
28576 1 28576 0 3 0x80 poll ntpd
19213 19275 19275 70 3 0x90 select named
19275 1 19275 0 3 0x90 netio named
10253 2257 2257 74 3 0x90 bpf pflogd
2257 1 2257 0 3 0x80 netio pflogd
5672 12619 12619 73 3 0x90 poll syslogd
12619 1 12619 0 3 0x80 netio syslogd
8519 1 8519 77 3 0x90 poll dhclient
7102 1 7102 0 3 0x80 poll dhclient
28382 0 0 0 3 0x14200 bored

Re: kernel panic athn0
Sorry, in the first message the ddb output was only for one processor. This is fresh output for both:

# ifconfig athn0 up
panic: kernel diagnostic assertion pin < sc->ngpiopins failed: file ../../../../dev/ic/ar9003.c, line 512
Stopped at Debugger+0x9: leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
IF RUNNING SMP, USE 'mach ddbcpu #' AND 'trace' ON OTHER PROCESSORS, TOO.
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{1} trace
Debugger() at Debugger+0x9
panic() at panic+0xfe
__assert() at __assert+0x25
ar9003_gpio_write() at ar9003_gpio_write+0x9d
athn_init() at athn_init+0xfb
athn_ioctl() at athn_ioctl+0x1e6
ifioctl() at ifioctl+0xb18
sys_ioctl() at sys_ioctl+0x169
syscall() at syscall+0x297
--- syscall (number 54) ---
end of kernel
end trace frame: 0x7f7bcca0, count: -9
acpi_pdirpa+0x3fc50a:
ddb{1} mach ddbcpu 0
Stopped at Debugger+0x9: leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
IF RUNNING SMP, USE 'mach ddbcpu #' AND 'trace' ON OTHER PROCESSORS, TOO.
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0} trace
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x64
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1b
--- interrupt ---
Bad frame pointer: 0x80001ce45c08
end trace frame: 0x80001ce45c08, count: -3
__mp_lock+0x42:
ddb{0} ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
19450 13014 19450 0 7 0x3 ifconfig
13014 1 13014 0 3 0x8b pause ksh
25598 1 25598 0 3 0x83 ttyin getty
18456 1 18456 0 3 0x83 ttyin getty
11661 1 11661 0 3 0x83 ttyin getty
916 1 916 0 3 0x83 ttyin getty
6800 1 6800 0 3 0x83 ttyin getty
26728 1 26728 0 3 0x80 select cron
3038 1 3038 0 3 0x80 nanosleep sensorsd
19379 1 19379 0 3 0x80 kqread apmd
12318 1 12318 99 3 0x90 poll sndiod
10631 30214 30214 95 3 0x90 kqread smtpd
9723 30214 30214 95 3 0x90 kqread smtpd
20447 30214 30214 95 3 0x90 kqread smtpd
32443 30214 30214 95 3 0x90 kqread smtpd
10158 30214 30214 95 3 0x90 kqread smtpd
26620 30214 30214 103 3 0x90 kqread smtpd
30214 1 30214 0 3 0x80 kqread smtpd
25074 1 25074 77 3 0x90 poll dhcpd
5058 1 5058 0 3 0x80 select sshd
13567 28172 22 83 3 0x90 poll ntpd
28172 22 22 83 3 0x90 poll ntpd
22 1 22 0 3 0x80 poll ntpd
12313 17356 17356 70 3 0x90 select named
17356 1 17356 0 3 0x90 netio named
13591 11643 11643 74 3 0x90 bpf pflogd
11643 1 11643 0 3 0x80 netio pflogd
22160 30463 30463 73 3 0x90 poll syslogd
30463 1 30463 0 3 0x80 netio syslogd
*16977 1 16977 77 7 0x90 dhclient
26597 1 26597 0 3 0x80 poll dhclient
27019 0 0 0 3 0x14200 bored ttm_swap
27833 0 0 0 3 0x14200 aiodoned aiodoned
13860 0 0 0 3 0x14200 syncer update
12987 0 0 0 3 0x14200 cleaner cleaner
29718 0 0 0 3 0x14200 reaper reaper
9873 0 0 0 3 0x14200 pgdaemon pagedaemon
30462 0 0 0 3 0x14200 bored crypto
2 0 0 0 3 0x14200 pftm pfpurge
31001 0 0 0 3 0x14200 bored sensors
14441 0 0 0 3 0x14200 usbtsk usbtask
13312 0 0 0 3 0x14200 usbatsk usbatsk
16136 0 0 0 3 0x40014200 acpi0 acpi0
27548 0 0 0 3 0x40014200 idle1
20115 0 0 0 3 0x14200 bored systqmp
11558 0 0 0 3 0x14200 bored systq
14960 0 0 0 3 0x14200 bored syswq
14541 0 0 0 3 0x40014200 idle0
1 0 1 0 3 0x82 wait init
0 -1 0 0 3 0x10200 scheduler swapper
ddb{0}

match in nat-to rule
The nat-to rule does not work with match but works with pass:

match out quick on egress inet from !(egress:network) to any nat-to (egress:0) - does not work
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0) - works

Today I installed 5.5, copied the old pf.conf to the new system and removed the queuing rules, but NAT does not work with this config. I removed all restriction rules and put accept all outgoing on both interfaces and all input on the internal interface. What am I doing wrong?

# cat /etc/pf.conf
# macros
int_if=re0
ext_if=rl0
tcp_ext_services={ 22, 443, 51413 }
tcp_int_services={ 22, 53, 80 }
udp_int_services={ 53, 69 }
icmp_types=echoreq

# options
set block-policy drop
set skip on lo

# match rules
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0)
match in on egress proto tcp from !$int_if to (egress) port 443 \
    rdr-to (egress) port 22

# filter rules
block log
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types

# filter rules for (egress)
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_ext_services
pass out on egress from (egress)

# filter rules for $int_if
pass in on $int_if proto tcp from $int_if:network to $int_if port $tcp_int_services
pass in on $int_if proto udp from $int_if:network to $int_if port $udp_int_services
pass in on $int_if from $int_if:network to !$int_if
pass out on $int_if to $int_if:network

Re: Acer aspire one 722 snapshot
I installed 5.3 i386 and ZZZ works. On 5.3 and 5.4 amd64 ZZZ does not work. I am now downloading the 5.5 i386 snapshot and will test it soon.

2014-02-18 0:04 GMT+02:00 Alexey Kurinnij alexey.kurin...@gmail.com:
> 2014-02-17 9:29 GMT+02:00 Mike Larkin mlar...@azathoth.net:
> > On Sun, Feb 16, 2014 at 11:46:47AM +0200, Alexey Kurinnij wrote:
> > > I saw the recent thread about ZZZ and installed a snapshot for tests.
> >
> > What thread was this asking about testing 'ZZZ' ? We had a thread asking
> > about testing 'zzz', but that is completely different than 'ZZZ'.
>
> Sorry, I missed the thread name and made a mistake. I know about the
> difference between zzz and ZZZ. Anyway, both do not work and I want to run some tests.
>
> > I don't understand what is said below, did 'ZZZ' work before? And if so,
> > when did it start not working?
> >
> > -ml
> >
> > > Today I tried ZZZ with 5.4 amd64 and it did not work. Tomorrow I will try
> > > with i386.

Re: Acer aspire one 722 snapshot
ZZZ and zzz work in the 5.5 i386 snapshot. They do not work on amd64 at all.

2014-02-21 22:52 GMT+02:00 Alexey Kurinnij alexey.kurin...@gmail.com:
> I installed 5.3 i386 and ZZZ works. On 5.3 and 5.4 amd64 ZZZ does not work. I am now
> downloading the 5.5 i386 snapshot and will test it soon.
>
> 2014-02-18 0:04 GMT+02:00 Alexey Kurinnij alexey.kurin...@gmail.com:
> > 2014-02-17 9:29 GMT+02:00 Mike Larkin mlar...@azathoth.net:
> > > On Sun, Feb 16, 2014 at 11:46:47AM +0200, Alexey Kurinnij wrote:
> > > > I saw the recent thread about ZZZ and installed a snapshot for tests.
> > >
> > > What thread was this asking about testing 'ZZZ' ? We had a thread asking
> > > about testing 'zzz', but that is completely different than 'ZZZ'.
> >
> > Sorry, I missed the thread name and made a mistake. I know about the
> > difference between zzz and ZZZ. Anyway, both do not work and I want to run some tests.
> >
> > > I don't understand what is said below, did 'ZZZ' work before? And if so,
> > > when did it start not working?
> > >
> > > -ml
> > >
> > > > Today I tried ZZZ with 5.4 amd64 and it did not work. Tomorrow I will try
> > > > with i386.

Re: SSH and nopty
I do this in sshd_config:

Match User myuser
    ForceCommand tail -f /home/myuser/1

$ cat /home/t/1
···
hellooo

2014-02-17 16:59 GMT+02:00, Raimo Niskanen raimo+open...@erix.ericsson.se:
> On Mon, Feb 17, 2014 at 02:21:45PM +, Richard Heasman wrote:
> > Good afternoon,
> >
> > Firstly, thanks for your ongoing development and good work.
> >
> > I have a question that I would like to pose to you, as I have not found
> > any satisfactory answer despite long research.
> >
> > Background:
> >
> > We use ssh keys to distribute code and run commands. These are
> > appropriately controlled and logged. However I wish to stop
> > users/administrators using these as a back-door to the other systems.
> >
> > I have configured the notty option on the authorised_keys file, yet this
> > still does not prevent the following:
> >
> > ssh SERVER ksh
> >
> > This will not return a prompt but will allow commands to be run
> > interactively.
> >
> > Do you have any recommendation / setting that would prevent this?
>
> It seems you have to disallow the use of any command over ssh.
> One way is to force the command via authorized_keys (see sshd(8))
> into a trusted program, e.g /bin/sh or /bin/ksh in restricted mode
> and then limit that restricted shell's command set.
>
> > Regards,
> >
> > Richard
> >
> > Registered Office: Inveralmond House 200 Dunkeld Road Perth PH1 3AQ
> > Registered in Scotland No. SC117119 www.sse.com
> > **
>
> --
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
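
The following is an added example, not part of the thread and not code from any poster or from OpenSSH. It audits an authorized_keys file for the situation discussed above: a key that carries `no-pty` but no `command=` option can still run `ssh SERVER ksh`. The function names, sample entries and key material are constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")          # line starts with a key type
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def split_options(line):
    """Split one authorized_keys line into (options dict, remainder)."""
    if KEY_TYPE.match(line):
        return {}, line                                # no options field
    in_quote, i = False, 0
    while i < len(line):                               # options end at first
        c = line[i]                                    # unquoted whitespace
        if c == "\\" and in_quote:
            i += 1                                     # skip escaped character
        elif c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    opts = {m.group(1).lower(): m.group(2) for m in OPTION.finditer(line[:i])}
    return opts, line[i:].strip()

def audit(text):
    """Return (line number, key comment, reason) for keys without command=."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split()
        comment = fields[2] if len(fields) > 2 else "?"
        if opts.get("command") is None:                # any command is accepted
            reason = ("no-pty set, but commands still run without a tty"
                      if "no-pty" in opts else "no restrictions at all")
            findings.append((n, comment, reason))
    return findings

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = '''\
# authorized_keys for a deployment account (constructed)
no-pty ssh-ed25519 AAAAC3placeholder1 deploy@build
command="tail -f /home/myuser/1",no-pty,no-port-forwarding ssh-ed25519 AAAAC3placeholder2 logs@build
ssh-rsa AAAAB3placeholder3 admin@laptop
'''

if __name__ == "__main__":
    for lineno, who, why in audit(SAMPLE):
        print(f"line {lineno}: {who}: {why}")
```
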