Re: Correct shebang for Python 3
On 23 October 2016 at 03:01, john slee <indig...@oldcorollas.org> wrote:
> Meta: this "how do I manage multiple Pythons?" thing has come up a couple
> of times lately; are people interested in a FAQ section?
>
> On 23 October 2016 at 03:54, Eugene Yunak <e.yu...@gmail.com> wrote:
>> I'd set the shebang to `/usr/bin/env python3`, or `/usr/bin/env python` if
>> you do not care whether 2 or 3 would be used.
>
> Use `virtualenv` if you need to use a mix of Python versions, and always use
> the latter shebang form.
>
> Hope this helps.

I fail to see how virtualenv is relevant to this question. Clearly, Ovidiu is the *developer*, and he explores his options as a developer. It's up to the user (or his sysadmin) to have the correct base python or a virtualenv set up - you say so yourself.

--
The best the little guy can do is what the little guy does right
Re: Correct shebang for Python 3
On 22 October 2016 at 18:04, Ovidiu M wrote:
> Hi everyone,
>
> I wrote a script which may end up as part of a package on various
> Linux and BSD flavors, and I have hit the problem of getting the
> shebang working everywhere. You might know that Python is installed in
> different locations, with the binary having different names (for
> example python sometimes points to python2.x, sometimes to python3.x
> etc.).
>
> Currently my code is compatible with both Python 2 and 3, but to keep
> things simple I'd rather use only one of them, probably 3.
>
> What is the correct way to write a shebang on OpenBSD? I thought that
> the following would work on most Unixes:
>
> #!/usr/bin/env python3
>
> or even this, with the risk of not knowing if it points to 2 or 3:
>
> #!/usr/bin/env python
>
> Unfortunately when I install the python3 package with pkg_add
> (actually 3.5) on OpenBSD, no symlink is created from python3 to 3.5,
> so this fails. I do not want to add a hard dependency on specifically
> 3.5 in the shebang of my script, since it may become obsolete in a
> couple of years, and it may be incompatible with other OSes which
> might not have 3.5, but maybe 3.4 or 3.6.
>
> Should I instead use an installation-time script that generates the
> right shebang?
>
> How about a wrapper shell script which searches for a python
> executable and then calls it with a path to the script? For example
> the following polyglot script would work:
>
> #!/bin/sh
> # Each sh line starts with '''' (two empty sh strings, a no-op for the shell)
> # and ends with # ''', so Python reads the whole line as one string literal.
> ''''which python3 >/dev/null 2>&1 && exec python3 "$0" "$@" # '''
> ''''which python3.6 >/dev/null 2>&1 && exec python3.6 "$0" "$@" # '''
> ''''which python3.5 >/dev/null 2>&1 && exec python3.5 "$0" "$@" # '''
> ''''which python3.4 >/dev/null 2>&1 && exec python3.4 "$0" "$@" # '''
> ''''exec echo "fatal: cannot find python3 binary" # '''
>
> All these methods seem quite convoluted for doing something so simple.
> Please let me know what you think.
>
> Thanks in advance for your advice.
> Ovidiu

Hi Ovidiu,

Personally I expect the system administrator to configure the necessary symlinks, it's something I always do on my systems. Most python software relies on these to exist, and the OpenBSD package readme recommends their creation for new users.

I'd set the shebang to `/usr/bin/env python3`, or `/usr/bin/env python` if you do not care whether 2 or 3 would be used.

Cheers,
Eugene

--
The best the little guy can do is what the little guy does right
Re: Turning off Nvidia GPU card in Optimus configuration
On Sunday, November 9, 2014, Lampshade lampsh...@poczta.fm wrote:
> Hi
>
> I was trying half a year ago to use OpenBSD 5.5, but the system heated my laptop. I have Intel and Nvidia GPUs in the laptop. I can not disable the Nvidia GPU via BIOS. The laptop always exposes and enables two GPUs by default. OpenBSD does not disable the Nvidia GPU, so it heated the laptop. I have tried OpenBSD 5.6 and it still heats my laptop.
>
> On Linux the Nvidia GPU is disabled automatically. I wanted to find out how to disable my card manually, so I used the acpi_call Linux module (on Linux of course). In my laptop the script turn_off_gpu.sh disables the GPU when I strip the methods variable to:
>
> methods= \_SB.PCI0.PEG0.PEGP._OFF
>
> and enables it when:
>
> methods= \_SB.PCI0.PEG0.PEGP._ON
>
> Is there any way in OpenBSD to send the first (disabling) command to the hardware? It is the only reason I don't use OpenBSD. Maybe somebody can write a few lines of code and I will compile the kernel for myself?
>
> References:
> http://linux-hybrid-graphics.blogspot.com/2010/07/u…ch-onoff.html
> https://github.com/mkottman/acpi_call

acpi_call support would be awesome! Another use case for it is setting minimum and maximum battery charge levels for thinkpads newer than the xx30 line.

--
The best the little guy can do is what the little guy does right
Re: videos in the browser
Great idea. I think it would help if we all use the same destination email addresses, as in big companies there are plenty of different points of contact, and if each one of them only gets 1 or 2 emails we will likely remain unheard. Marc, can you please share the email addresses you used to reach out to Facebook and Youtube?

On 19 September 2014 13:48, Marc Espie es...@nerim.net wrote:
> with a recent configuration, videos work fine in the browser.
>
> *however* a lot of websites still give you only flash videos.
>
> Or do they? There's this nifty extension in chrome to fudge the user-agent (called user-agent switcher) where you can play at browsing from a tablet. Surprise: those video sites work again (in some cases, you have to fight a bit more, go explicitly to the mobile version and not let them switch you back to the desktop mode).
>
> It's obvious those guys aren't testing on OpenBSD. It's also obvious they know how to switch to a non-flash version on given user-agents.
>
> So what about a little "mail your favorite website" campaign. Figure out one website where you can't watch videos, and send some kind of email feedback to them. Tell them in no uncertain terms that flash does not exist on OpenBSD, and if they see OpenBSD in the user-agent, then they should go to plain h264 videos, which they have.
>
> Offenders include youtube (sometimes, mostly VEVO stuff), wimp.com, facebook. Probably some others.
>
> I don't think they will notice if I'm the only guy doing that. But if they get a few pointed emails over the coming weeks, maybe they might fix their act, and hey, maybe we'll get videos mostly everywhere...

--
The best the little guy can do is what the little guy does right
Re: videos in the browser
As a webdeveloper, I don't care what you think. I have a strong suspicion OpenBSD devs don't care either.

On 19 September 2014 15:36, Matti Karnaattu mkarnaa...@gmail.com wrote:
> Hi,
>
> I don't think that any web developer cares about OpenBSD because OpenBSD doesn't have a graphical browser in the base system. They don't care even if 1000 OpenBSD users complain.
>
> Flash material will disappear from the web in less than three years and Flash videos will get replaced by Mpeg-4 AVC and WebM.
>
> I personally think that OpenBSD should embrace HTML5/ECMA Script by adding a Web component + minimalistic browser around it to the base system at some point in the future. The major reason for this is that the web has become both the de facto and de jure technology for graphical remote use and also it is the standard way to create a GUI. X clients are legacy today.
>
> This is even possible to do, because the needed software components are almost completely available under BSD licenses.
>
> After all, I think a top secure system should also allow running applications in a secured manner, but it may cause challenges to avoid security holes.

--
The best the little guy can do is what the little guy does right
Re: libmessage (New crazy sh*t)
Can you even read? Can you please stay away from public mailing lists for sane people?

On 6 July 2014 16:25, Gustav Fransson Nyvell gus...@nyvell.se wrote:
> On 07/06/14 15:20, Thomas Adam wrote:
>> On 6 July 2014 14:09, Gustav Fransson Nyvell gus...@nyvell.se wrote:
>>> This imsg looks pretty much like what I've done, however, libmessage does not require any bounds checking whatsoever. It's way easier to use. I'm
>>
>> I think you meant to say "does not require any error checking". ;)
>>
>> Don't get me wrong, I don't wish to sound discouraging, but this sort of thing is just an academic exercise at this point. Just use imsg. I see absolutely no benefit to what you're doing, and this whole backend thing with sqlite seems preposterous.
>>
>> Good luck, just don't let others use this. Ever.
>>
>> -- Thomas Adam
>
> Other way around, libmessage is very dangerous, but it will take any buffer. If they use it, it's their own d*mn fault. :D
>
> --
> This e-mail is confidential and may not be shared with anyone other than recipient(s) without written permission from sender. misc@openbsd.org Exempt

--
The best the little guy can do is what the little guy does right
Re: ViewVC
It fails to create a socket (_sock is None). This can be an indicator of you hitting fd limits.

On 2 Jul 2014 17:23, Predrag Punosevac punoseva...@gmail.com wrote:
> Stefan Sperling s...@openbsd.org wrote:
>> On Tue, Jul 01, 2014 at 08:36:29PM -0400, Predrag Punosevac wrote:
>>> I am trying to run ViewVC in the stand alone server mode on the new svn server (OpenBSD 5.5 amd64). Since ViewVC is not in ports I downloaded the 1.1.22 package from the CollabNet website. ViewVC keeps crashing while I browse my SVN repos. They are rather large. I am not using any kind of proxy but rather forcing the built in server to listen on port 80.
>>
>> IIRC viewvc uses Subversion's python bindings. Did you install them?
>>
>> pkg_add py-subversion
>
> Of course :)
>
> The built in stand alone server which comes with ViewVC runs fine until I start browsing repositories aggressively. Then it crashes as in
>
> # uname -a
> OpenBSD svnhub.int.autonlab.org 5.5 GENERIC.MP#315 amd64
> # /usr//local/bin/viewvc-1.1.22/bin/standalone.py -d -p 80 -h \
> svnhub.int.autonlab.org
> server ready at http://svnhub.int.autonlab.org:80/viewvc
> #
> 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc HTTP/1.1 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc/*docroot*/styles.css HTTP/1.1 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc/*docroot*/images/dir.png HTTP/1.1 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:47] GET /viewvc/*docroot*/images/favicon.ico HTTP/1.1 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:47] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:49] GET /viewvc/cvs/ HTTP/1.1 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:49] GET /viewvc/*docroot*/images/up.png HTTP/1.1 200 -
> 10.8.0.6 - - [02/Jul/2014 11:16:49] ViewVC exited ok
> 10.8.0.6 - - [02/Jul/2014 11:16:57] GET /viewvc/cvs/trunk/ HTTP/1.1 200 -
> Traceback (most recent call last):
>   File /usr/local/bin/viewvc-1.1.22/bin/standalone.py, line 879, in <module>
>     main(sys.argv)
>   File /usr/local/bin/viewvc-1.1.22/bin/standalone.py, line 874, in main
>     serve(options.host, options.port, ready)
>   File /usr/local/bin/viewvc-1.1.22/bin/standalone.py, line 421, in serve
>     ViewVCHTTPServer(host, port, callback).serve_until_quit()
>   File /usr/local/bin/viewvc-1.1.22/bin/standalone.py, line 356, in serve_until_quit
>     self.handle_request()
>   File /usr/local/lib/python2.7/SocketServer.py, line 280, in handle_request
>     self._handle_request_noblock()
>   File /usr/local/lib/python2.7/SocketServer.py, line 297, in _handle_request_noblock
>     self.handle_error(request, client_address)
>   File /usr/local/lib/python2.7/SocketServer.py, line 350, in handle_error
>     print '-'*40
>   File /usr/local/lib/python2.7/socket.py, line 324, in write
>     self.flush()
>   File /usr/local/lib/python2.7/socket.py, line 303, in flush
>     self._sock.sendall(view[write_offset:write_offset+buffer_size])
> AttributeError: 'NoneType' object has no attribute 'sendall'
>
> Any clues Stefan from the kernel hacker point of view?
>
> Most Kind Regards,
> Predrag
>
> Does anyone have any experience running ViewVC on OpenBSD recently? I am tempted to try to use Nginx as a proxy or install Apache 2 and use CGI mode via ScriptAlias for ViewVC. The latter is running fine in our current setup on Scientific Linux 6.2 which I am trying to migrate to OpenBSD. Unfortunately moving to Trac (which would be my strong preference) or WebSVN will probably ruffle feathers, a condition I want to avoid.
>
> Predrag
>
> WebSVN is fairly broken with SVN 1.8. Don't bother. (Which reminds me I've been meaning to remove it but was still waiting for patches promised by someone, which never arrived).
Re: a sftp user can enter into a directory which he does not have rights
On 21 May 2013 22:52, Jiri B ji...@devio.us wrote:
> I'm very surprised to see something like this. Comparing with a normal unix filesystem, 'sftpuser' would not even enter such a directory. Is this OK?
>
> * sftpuser has only group 'sftpuser'
>
> $ sftp sftpuser@localhost
> Connected to localhost.
> sftp> cd /
> sftp> ls -l
> drwxr-xr-x    2 0        0           512 May 21 18:43 dev
> drwx-x       12 1000     1000        512 May 21 18:32 jirib
> drwxr-xr-x   10 1000     1000        512 May 21 18:32 pub
> sftp> cd jirib
> sftp> pwd
> Remote working directory: /jirib
> sftp> ls -al
> remote readdir(/jirib): Permission denied
>
> j.

You should (re)read your unix manuals. Execution permission on a directory means it can be traversed. What you observe is the correct behaviour for any system with POSIX file permissions.

--
The best the little guy can do is what the little guy does right
Re: OpenBSD forked
On Sunday, 24 June 2012, Anonymous Remailer (austria) wrote:
> Marc Espie wrote:
>> W. Richard Stevens was THE best unix books author *ever*, bar none. He's on a par with such CS giants as Don Knuth, writing-wise. Advanced Unix programming is *the* best book to understand how to write Unix code, PERIOD.
>
> Are you saying the 1992 edition is still worthwhile now in 2012?

Absolutely. One book that I always recommend people get to accompany Stevens' masterpiece is The Art of Unix Programming. These two books plus K&R really are everything you need to get a good start.

Cheers,
Eugene

--
The best the little guy can do is what the little guy does right
Re: AMD Zacate E350 (ASUS E35M1-M) dmesg/experiences?
On 1 June 2012 13:49, Manolis Tzanidakis mtzanida...@gmail.com wrote:
> On Fri (01/06/12), Marc Peters wrote:
>> Be aware that OpenBSD cannot boot from softraid. / needs to be on a single disk, but can be automatically backed up to an altroot device.
>
> Nowadays it does. My server's / is on a softraid(4) RAID-1 array. The basic idea is to have a small 'a' slice for the kernel on each disk and a 'd' (or whatever) for the raid. installboot(8) does the right thing automatically these days. I think there is an article on undeadly with more detailed instructions / explanations.
>
> A raid on USB devices is not a good idea for a whole lot of other reasons though.
>
> --
> Manolis Tzanidakis
> http://mtzanidakis.com/
> mtzanidakis[at]gmail[dot]com

Oh you are obviously such a seasoned OpenBSD expert, please tell us more about your USB RAID experience and why it is a bad idea. It would be great if you could also go into deeper detail about / on softraid - you must be the first one to mention it here on misc and I'm sure everyone reading this is eager to learn how to make it work.

Best regards
Re: AMD Zacate E350 (ASUS E35M1-M) dmesg/experiences?
On 1 June 2012 17:11, Manolis Tzanidakis mtzanida...@gmail.com wrote:
> On Fri (01/06/12), Eugene Yunak wrote:
>> On 1 June 2012 13:49, Manolis Tzanidakis mtzanida...@gmail.com wrote:
>>> A raid on USB devices is not a good idea for a whole lot of other reasons though.
>>
>> Oh you are obviously such a seasoned OpenBSD expert, please tell us more about your USB RAID experience and why it is a bad idea.
>
> The most obvious is that NAND flash devices have a shorter lifespan than hard disks. Imagine wearing out both devices simultaneously with the RAID-1. I think it's better to have a USB stick for /, /usr and dump/restore or rsync it to the 2nd stick for redundancy. You should repeat this on updates. You should keep /var, /usr/{obj,ports,src}, /home and any other fs with frequent writes on the hard disks to extend the life of the USB stick.

Thank you for sharing your wisdom, now I know what I *should do*, you made it pretty clear. Have you considered a three-way mirror? What do you think about mounting filesystems read-only? Have you heard of NFS and remote syslog? I'm sure you will grant us the mercy of knowing why all these are not a good idea.

>> It would be great if you could also go into deeper detail about / on softraid - you must be the first one to mention it here on misc and I'm sure everyone reading this is eager to learn how to make it work.
>
> I guess Stuart covered this on this thread. You should also read this:
> http://undeadly.org/cgi?action=article&sid=20111002154251

Oh yes Stuart knows what he's talking about.
Re: umask in chroot'ed internal-sftp
On 29 March 2012 21:37, Rodolfo Gouveia rgouv...@cosmico.net wrote:
> On Wed, Mar 28, 2012 at 06:33:16PM +0200, Stefan Sieg wrote:
>> are you overwriting existing files that have the previous file mode?
>
> No, these are new files. Let me explain better.
>
> When I copy a file over with sftp, the permissions of the file created on the server are replicated from the client. In contrast, when I'm logged in on the server with that same account and create a file, the umask is correct as per /etc/login.conf.
>
> Even though reading sftp-server(8):
>
>     -u umask
>         Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask.
>
> I would assume that the files copied over by the client which don't exist on the server should honor this flag. Are my assumptions correct?

This is because your client *asks* the server to set the specific permissions.

Regards,
Eugene

--
The best the little guy can do is what the little guy does right
Re: Is there a kernel walkthough for newbies?
On 26 July 2011 21:13, Jordi Espasa Clofent jespa...@minibofh.org wrote:
>> http://www.atmnis.com/~proger/openkyiv/openkyiv2009_proger_sys.pdf
>
> Wow Stuart, what a great doc. Is it listed in the OpenBSD website papers section? It should be!
>
> --
> I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.

As far as I remember, it was listed, but now it's not. For anyone who can do a bit of Russian, the video from this talk might be helpful too - http://uaoug.org.ua/openkyiv/2009/materials/.

--
The best the little guy can do is what the little guy does right
Re: vmware remote console
On 10 January 2011 21:56, Robert Yuri robert.yu...@gmail.com wrote:
> does anyone have the vmware remote console running on openbsd, or can suggest any way to connect to a vmware server to manage the virtual machines from an openbsd box?
>
> thanks,

If you mean ESX(i) and VMWare Infrastructure Client or VMWare VCenter Client (remote console), then beware that this client only runs on Windows, but you can use a VM to deploy it and manage your host.

--
The best the little guy can do is what the little guy does right
Re: rtsp q
On 28 October 2010 15:14, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
> Hello,
>
> Just wondering what is the best way to organize stream video translation from multiple rtsp enabled cameras? The thing that bothers me most is that we need to let the user record (not just play) that stream at their pc. Is there anything ready for the user side? The users are all sitting on Windows, so maybe some good person will share his/her thoughts or point me to a flash application with record capabilities?
>
> Thanks a lot.
>
> --
> With best regards,
> Gregory Edigarov

Hi Gregory,

AFAIR, VLC is capable of recording an RTSP stream. It is available for windows as well.

Cheers,
Eugene

--
The best the little guy can do is what the little guy does right
Re: Happy Birthday OpenBSD
On 18 October 2010 20:13, STeve Andre' and...@msu.edu wrote: 15 years! Happy happy birthday!! -- The best the little guy can do is what the little guy does right
Re: jconsole - no connection possible
On 13 September 2010 17:36, Elmar Bschorer elmar.bscho...@bugconsulting.de wrote:
> Samir SAADA wrote:
>> On Sun, Sep 12, 2010 at 11:37:37AM +0200, Elmar Bschorer wrote:
>>> hi list,
>>>
>>> when i try to connect to a jvm pid with jconsole for debugging i end up with a "connection failed". i also tried connecting to a remote process, ending up with the same error. when i try to connect with jconsole to the same remote process from a linux system it works. so it seems that jmx is configured successfully on the remote side. are there any security related issues on 4.7 that prevent me from establishing a connection with jconsole?
>>
>> you do not give a detailed description of your problem, anyway, it works ok here, check your network settings including /etc/hosts.
>
> I didn't make any changes to /etc/hosts. I am running a fresh installation of OpenBSD 4.7 (stable). I installed tomcat5.5 via pkg_add. I start tomcat with startup.sh (as root) and then i start jconsole (as root as well). jconsole starts up and i can choose a process-id to connect to (locally running). I choose tomcat's pid but the connection fails after a minute or so.

pfctl -d ?

--
The best the little guy can do is what the little guy does right
Re: which monitoring do you use (on OpenBSD)
On 15 August 2010 00:16, Jiri B. ji...@live.com wrote:
> On Sat, 14 Aug 2010 13:08:57 +0000 (UTC) Stuart Henderson s...@spacehopper.org wrote:
>> I'm occasionally working on a port of icinga which looks quite interesting (forked from nagios a while ago, it's still compatible but has diverged quite a bit now - many problems have been fixed and improvements made, in particular the UI has been totally replaced). Would have been done sooner, but despite its general crappiness and the many improvements that could be made, nagios actually works surprisingly well...
>
> There's another fork of Nagios - http://opsview.com/ - which looks like it gets a huge list of enterprise users (just checking the web only).
>
> jirib

Don't even bother to try - it's basically just a shitty web-frontend for nagios. It does not sort any of its problems, and brings new ones. Did I mention it's shit and brings a lot of configuration and performance pain? Our monitoring solutions team wanted to switch to it from nagios (after all the pain of going to nagios from BigBrother), thank god we've convinced them not to do that. But it does have nice support.

--
The best the little guy can do is what the little guy does right
Re: which monitoring do you use (on OpenBSD)
On 15 August 2010 01:06, Stuart Henderson s...@spacehopper.org wrote:
> On 2010/08/14 23:59, Eugene Yunak wrote:
>> On 15 August 2010 00:16, Jiri B. ji...@live.com wrote:
>>> On Sat, 14 Aug 2010 13:08:57 +0000 (UTC) Stuart Henderson s...@spacehopper.org wrote:
>>>> I'm occasionally working on a port of icinga which looks quite interesting (forked from nagios a while ago, it's still compatible but has diverged quite a bit now - many problems have been fixed and improvements made, in particular the UI has been totally replaced). Would have been done sooner, but despite its general crappiness and the many improvements that could be made, nagios actually works surprisingly well...
>>>
>>> There's another fork of Nagios - http://opsview.com/ - which looks like it gets a huge list of enterprise users (just checking the web only).
>>>
>>> jirib
>>
>> Don't even bother to try - it's basically just a shitty web-frontend for nagios. It does not sort any of its problems, and brings new ones. Did I mention it's shit and brings a lot of configuration and performance pain?
>
> heh, it wouldn't be the first time... icinga looks quite a different thing, they do actually appear to be improving things.

Sorry for the confusion, I was talking about opsview. As to icinga, I haven't tried it myself but heard some positive feedback from a colleague of mine.

--
The best the little guy can do is what the little guy does right
Re: which monitoring do you use (on OpenBSD)
On 10 August 2010 02:28, Jiri B. ji...@live.com wrote:
> Hello,
>
> I'm thinking to choose a monitoring tool which would run on OpenBSD of course. I have been working with Tivoli and Netview for a couple of years so my idea is:
>
> * clients
>   - heartbeats of course
>   - simple interface to give a client some input as alert
>   - text configuration on client node (can be pushed from central repo)
>   - light
>
> * infrastructure nodes
>   - proxy feature for far networks or dmz
>   - filtering rules (thresholds, time filters ...)
>   - text configuration
>   - light
>
> * main server(s)
>   - good filtering
>   - surveillance console for monitoring center
>   - be able to change status of an alert (acknowledge, closed, solved...)
>   - be able to have some categories of clients based on roles
>
> I'm watching zabbix... not sure... If I wouldn't want an event console I would probably check snmp - sec - snmptt.
>
> jirib

Definitely the nagios/cacti pair or zabbix. Having used nagios for a year or so, I would never want to get back to Tivoli. It also gives you lots of flexibility in how you set up your monitoring, and can neatly work with snmp as well.

Eugene

--
The best the little guy can do is what the little guy does right
Re: 302 redirection doesn't work ?
On 10 July 2010 16:06, Aaron Lewis aaron.lewis1...@gmail.com wrote:
> Hi,
>
> I'm trying to configure apache like this: when pages are not found on the server, it returns a "document moved" message (301 or 302), rather than a 404 error.
>
> So i put those:
>
>     ErrorDocument 404 /error.html
>     Rediret 302 /error.html http://my.host/
>
> But still, it's a 404 error, additionally, a "302 Found error was encountered while trying to handle the request".
>
> Any ideas will be appreciated, thanks!

Apart from the suggestion to check the spelling from Peter, you might also think of putting a javascript-based redirect in your custom error-404.html. This is not the-best-way-to-do-it, because it won't work if you have js disabled or not present at all, but it's very simple and might serve your need.

--
The best the little guy can do is what the little guy does right
Re: iked(8) and ikectl(8)
On 4 June 2010 00:06, Reyk Floeter r...@openbsd.org wrote:
> Hi!
>
> Today I imported iked(8) that is another automatic keying daemon for IPsec. In difference to isakmpd(8), which supports the ISAKMP/Oakley a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at present. The IKEv2 protocol in RFC 4306 has been simplified and provides many benefits over ISAKMP/IKEv1.
>
> iked(8) itself has been designed to fit the style of all the recent OpenBSD daemons and comes with a tool ikectl(8) for runtime configuration, status, working reloads, and integrated commands to maintain a simple X.509 CA for IKEv2. I also have some important design goals that I will describe later.
>
> The current state is that iked(8) still lacks a few important features but works as a responder against different peer implementations. That means, you can set up a running VPN with Windows 7 or libstrongswan libcharon clients connecting to iked(8) running as the server or security gateway. I will add initiator (client) mode next.
>
> This is a very brief summary, more information will follow.
>
> reyk

Good stuff Reyk! Will try it shortly. Looking forward to the details as well.

--
The best the little guy can do is what the little guy does right
Re: Mysql connection from within php
On 1 June 2010 16:30, What you get is Not what you see wygin...@gmail.com wrote:
> Freshly installed on openbsd 4.6 mysql, php and php5-mysql packages. Done the configs. Now php and mysql work. But I couldn't make it connect to mysql from within php with such a command
>
> mysql_connect("localhost", "user", "pass")
>
> It used to give a "Can't connect to mysql through socket" error till I changed the command to
>
> mysql_connect("127.0.0.1", "user", "pass")
>
> I want to learn why?

As you've been already told, this is because the default apache is chrooted and thus cannot access the mysql socket. To correct it, just do

# mkdir -p /var/www/var/run/mysql
# ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock

--
The best the little guy can do is what the little guy does right
Re: Mysql connection from within php
On 2 June 2010 20:48, Liviu Daia liviu.d...@imar.ro wrote:
> On 2 June 2010, Eugene Yunak e.yu...@gmail.com wrote:
>> On 1 June 2010 16:30, What you get is Not what you see wygin...@gmail.com wrote:
>>> Freshly installed on openbsd 4.6 mysql, php and php5-mysql packages. Done the configs. Now php and mysql work. But I couldn't make it connect to mysql from within php with such a command
>>>
>>> mysql_connect("localhost", "user", "pass")
>>>
>>> It used to give a "Can't connect to mysql through socket" error till I changed the command to
>>>
>>> mysql_connect("127.0.0.1", "user", "pass")
>>>
>>> I want to learn why?
>>
>> As you've been already told, this is because the default apache is chrooted and thus cannot access the mysql socket. To correct it, just do
>>
>> # mkdir -p /var/www/var/run/mysql
>> # ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
>
> Please, stop perpetrating this nonsense. This only works until you restart mysqld. The reason is mysqld removes the socket when it starts before creating it anew.
>
> If you really must use a socket instead of TCP then move the socket to the jail and give programs different views of it from inside and outside the jail, using my.cnf. Not tested:
>
> - in /etc/my.cnf:
>
>     socket = /var/www/var/run/mysql/mysql.sock
>
> - in /var/www/etc/my.cnf:
>
>     socket = /var/run/mysql/mysql.sock

I fail to see how this is nonsense or what stops one from creating this hardlink in rc.local (which would normally be used to start mysql anyway). Your solution however works as well, of course.

--
The best the little guy can do is what the little guy does right
Re: PF: antispoof vs URPF
On 4 April 2010 18:56, Pete Vickers p...@systemnet.no wrote:
> On 31. mars 2010, at 20.01, Claudio Jeker wrote:
>> On Wed, Mar 31, 2010 at 08:08:01PM +0300, Eugene Yunak wrote:
>>> On 31 March 2010 19:27, N. Arley Dealey arley.dea...@gmail.com wrote:
>>>> It would appear to me that antispoof and URPF achieve similar results. Is there a reason to prefer one over the other?
>>>
>>> Not at all. antispoof blocks ip packets that came in from the wrong interface, while URPF blocks packets from aliens (no entry in routing table for the source address). Just look at the output of pfctl -sr
>>
>> Not at all. URPF does not only check if a route exists, it also checks that the route is pointing to the interface the packet came in. Antispoof is only for the LAN while URPF is actually capable of tracking stuff further down. This is at the same time the problem of URPF: if you have asymmetric routing URPF fails. Antispoof works in this case since it is hard to get asymmetric routing on the LAN.
>>
>> --
>> :wq Claudio
>
> uRPF (at least recent incarnations of it) can be /configured/ to drop packets based on presence of /either/:
> - a matching FIB prefix outbound on the same interface the packet arrived on (strict mode)
> - a matching FIB prefix outbound on any interface (loose mode)
>
> you can also mask uRPF effect to only a subset of packets/prefixes with an ACL.
>
> pretty extensive explanation here: http://www.cisco.com/web/about/security/intelligence/urpf.pdf

Do you realise that this is an OpenBSD mailing list, and we are discussing OpenBSD's pf implementation of uRPF?

--
The best the little guy can do is what the little guy does right
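An added illustration, not code from anyone in this thread: a small model of the three source checks discussed above (pf antispoof, strict uRPF as in pf's urpf-failed, and the loose uRPF mode Pete lists) run over a constructed routing table, so the cases where they disagree (a spoofed LAN address, Claudio's asymmetric-routing case, an unrouted source) are visible side by side. Interface names, prefixes and packets are all constructed from the RFC 5737 documentation ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB, (prefix, egress interface). No default route, as on a
# router carrying specific prefixes only; em0 and em2 are two upstream
# links, em1 is the LAN.
ROUTES = [
    (ip_network("203.0.113.0/25"), "em0"),    # link to upstream A
    (ip_network("203.0.113.128/25"), "em2"),  # link to upstream B
    (ip_network("192.0.2.0/24"), "em1"),      # LAN
    (ip_network("198.51.100.0/24"), "em2"),   # remote site, best path via B
    (ip_network("198.18.0.0/15"), "em0"),     # other remote prefixes via A
]

# Directly connected network per interface: this is what pf's antispoof
# expands into rules for ("block in on ! <if> from <net>").
CONNECTED = {
    "em0": ip_network("203.0.113.0/25"),
    "em1": ip_network("192.0.2.0/24"),
    "em2": ip_network("203.0.113.128/25"),
}


def lookup(addr):
    """Longest-prefix match over ROUTES; the egress interface or None."""
    best = None
    for net, ifname in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return None if best is None else best[1]


def antispoof(src, ingress):
    """pf antispoof: drop when the source lies in a directly connected
    network but arrived on another interface. Sources outside the local
    networks are not examined at all, which is why it is "only for the LAN"."""
    for ifname, net in CONNECTED.items():
        if src in net and ifname != ingress:
            return False
    return True


def urpf_strict(src, ingress):
    """Strict uRPF (pf's urpf-failed, as Claudio describes): the best route
    back to the source must leave via the interface the packet arrived on."""
    return lookup(src) == ingress


def urpf_loose(src, ingress):
    """Loose uRPF (the Cisco option Pete mentions): any route suffices."""
    return lookup(src) is not None


def verdicts(src, ingress):
    """All three checks for one packet; True means pass, False means drop."""
    s = ip_address(src)
    return {
        "antispoof": antispoof(s, ingress),
        "urpf_strict": urpf_strict(s, ingress),
        "urpf_loose": urpf_loose(s, ingress),
    }


# Constructed packets: (description, source address, ingress interface).
CASES = [
    ("LAN address spoofed from upstream A", "192.0.2.77", "em0"),
    ("LAN host on its own interface", "192.0.2.77", "em1"),
    ("remote site, symmetric path via em2", "198.51.100.9", "em2"),
    ("remote site, asymmetric return via em0", "198.51.100.9", "em0"),
    ("unrouted source from upstream A", "10.1.2.3", "em0"),
]

if __name__ == "__main__":
    print(f"{'case':40} antispoof strict loose")
    for desc, src, ifname in CASES:
        v = verdicts(src, ifname)
        cells = ["pass" if ok else "DROP" for ok in v.values()]
        print(f"{desc:40} {cells[0]:9} {cells[1]:6} {cells[2]}")
```

The asymmetric case is the one Claudio warns about: strict uRPF drops legitimate traffic there while antispoof, which only knows about em1's subnet, lets it through.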
Re: PF: antispoof vs URPF
On 31 March 2010 19:27, N. Arley Dealey arley.dea...@gmail.com wrote:
> It would appear to me that antispoof and URPF achieve similar results. Is there a reason to prefer one over the other?

Not at all. antispoof blocks ip packets that came in from the wrong interface, while URPF blocks packets from aliens (no entry in routing table for the source address). Just look at the output of pfctl -sr

--
The best the little guy can do is what the little guy does right
Re: any known working configuration of OpenBGPd and CARP ?
On 7 March 2010 11:22, Claudio Jeker cje...@diehard.n-r-g.com wrote:
>>> When your new master is promoted, it will set up a new session with your peers. This is probably not the sort of failover you want to see happening in production. That's why you have multiple bgpd routers with redundant paths.
>>
>> from the network point of view, packets will come from the same MAC and IP address (because of CARP), so ... if BACKUP will just continue to maintain a session established by MASTER, nobody will even know, 1 sec is nothing in terms of BGP
>
> You can not just continue to maintain a session established by MASTER. That implies that you can migrate a running TCP session plus all the necessary state information of the session engine from one system to another.
>
> --
> :wq Claudio

Time for bgpdsync (as in pfsync)? Sounds like a nice idea to me. On the other hand, I fail to see a problem with having two separate routers connect to your bgp peer(s), without carp on the outgoing interface. Why would one want to carp them? Does your peer only allow for one session at a time from your side?

--
The best the little guy can do is what the little guy does right
Re: PF log parser and dynamic PF rules...
2010/2/16 Per-Olov Sjöholm <p...@incedo.org>:
> Hi misc
>
> I am looking for a tool to use as a trigger for dynamically opening PF ports from certain IP:s. I will access non critical info but want at least a port knocker as security. If I access an IP on my DMZ that is not in use on a port that is fake I want to dynamically add a PF rule for a totally different purpose. Let's say I access http://1.2.3.4:45321 which is blocked and logged in PF, what is the easiest way to create a trigger from the PF log or the PF log device? A cron job with grep in the PF log and then run pfctl to add the rule is from many points of view a bad choice... I don't want to dig through the PF log as it can be huge, and I don't want to use a cron job as it takes too long..
>
> Any suggestions appreciated.
>
> Thanks in advance
> /Per-Olov

As many people have already suggested to you in this thread, you are doing it wrong. But if you _really_ want to do it that way, then probably you can simplify your configuration a bit. You can use log (to pflog10) to have a separate pflog device with only log entries about port-knocking attempts. Then you can have a small shell script reading from tcpdump on pflog10 in a cycle and adding IP addresses to a table of hosts with permitted access to your RSS feed. This is much simpler and quicker than a cron job with a full pflog parser.

I would strongly encourage you to use per-user HTTP authentication instead. Most RSS readers I encountered actually _do_ support it, as they are all based on standard libraries, so you can just give them the http://user:p...@host/path/file.rss URL if they don't have a separate authentication field.

--
The best the little guy can do is what the little guy does right
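The "small shell script reading from tcpdump" suggested above, written out as an added example (it is not code from the thread or from any poster). It assumes a pf.conf rule that logs the knock to a dedicated device, `block in log (to pflog10) quick ... port 45321`, and a table `<knockers>` that a later pass rule references; the interface name pflog10 comes from the reply, the table name, the sample tcpdump line and the 45321 port are this example's own choices. Only IPv4 addresses are extracted.

```sh
#!/bin/sh
# Added example, not from the thread: turn logged knocks on a dedicated
# pflog interface into entries of a pf table.
# Assumed pf.conf context (names are this example's own):
#   table <knockers> persist
#   block in log (to pflog10) quick on $ext_if proto tcp to $dmz_host port 45321
#   pass in on $ext_if proto tcp from <knockers> to $dmz_host port 80
# Create the device once with: ifconfig pflog10 create

KNOCK_IF="${KNOCK_IF:-pflog10}"
KNOCK_TABLE="${KNOCK_TABLE:-knockers}"

# Extract the source IPv4 address from one line of `tcpdump -n -i pflog10`.
# A constructed sample line looks like:
#   19:15:42.123456 rule 12/(match) block in on em0: 203.0.113.7.51234 > 1.2.3.4.45321: S 1:1(0) win 65535
# The address is the token before " > " with its trailing .port removed.
# Prints nothing for lines that do not have that shape.
extract_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9.]*\)\.[0-9][0-9]* > .*/\1/p'
}

# Add one address to the table. Anything that is not made of digits and dots
# is refused, so unexpected tcpdump output can never reach pfctl's arguments.
knock_add() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    pfctl -t "$KNOCK_TABLE" -T add "$1"
}

# The listening loop only starts when the script is invoked as "knock.sh listen",
# so the functions above can be sourced or tested without a pflog device.
if [ "${1:-}" = listen ]; then
    # -l line-buffers tcpdump so each knock reaches the loop immediately.
    tcpdump -l -n -i "$KNOCK_IF" | while IFS= read -r line; do
        ip=$(extract_src_ip "$line")
        [ -n "$ip" ] && knock_add "$ip"
    done
fi
```

Entries added this way never go away by themselves; a cron job running `pfctl -t knockers -T expire 600` removes addresses that have not been re-added within ten minutes, which keeps a single observed knock from granting access indefinitely. Note that the knock itself is sent in the clear, which is why the reply recommends HTTP authentication over this scheme.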
Re: Is OpenBSD + PF accredited or certified in any way ?
2010/2/2 Keith <ke...@scott-land.net>:
> I've used OpenBSD PF for a number of years without issue and am now in the position that I want to create a DMZ between the Internet and my organisation's WAN. Our security people are asking if the firewall that we use is accredited by ITSEC and I am pretty sure it isn't, but it turns out that our security people will be happy if the firewall is accredited for use by another government! I am very happy with my PF firewalls and their reliability and don't want to be forced into purchasing some Cisco / Fortinet commercial firewall that I've never used before, so am desperate to find some details of any foreign governments that are using OpenBSD / PF as a firewall or any details of any certification of the PF firewall.
>
> Can anyone help me out?
>
> Thanks
> Keith

The Ukrainian government has certified a distribution called BBOS that basically is a customised OpenBSD, modified for compatibility with local security standards, for use as servers and clients with access to the internet and to protect information classified as government secret.

http://www.atmnis.com/documents.php?lng=ENG
http://www.atmnis.com/files/user_files/BBOS.pdf
http://www.atmnis.com/files/user_files/BBOS_OS.pdf

--
The best the little guy can do is what the little guy does right
Re: Disable SSH passwords per user
2010/1/5 Ted <t...@pobox.com>:
> Had a quick google and search of marc, but came up with no answers.
>
> Is it possible to disable password based logins per user (like with the adduser --disabled-password in linux) on OpenBSD, and therefore have the user only use SSH keys? I'm aware of the sshd_config setting PasswordAuthentication no which makes this occur system wide. I just wanted to ensure I'm not missing something else, in setting up a single user on a system that doesn't have PasswordAuthentication no set for system wide SSH logins. Maybe using login classes?
>
> The reason: I'm trying to setup gitosis (http://eagain.net/gitweb/?p=gitosis.git;a=blob;f=README.rst) on an OpenBSD server, but the README is linux centric.

You can use per user rules in sshd_config, just read the man page.

--
The best the little guy can do is what the little guy does right
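The per-user rule the reply points at is an sshd_config Match block. Here is an added example (not from the thread or the gitosis README) that disables password logins for one account while leaving the rest of the system unchanged; the account name git is an assumption standing in for the gitosis user.

```conf
# Added example, not from the thread: key-only login for a single account.
# "git" is an assumed account name for the gitosis user.

# Global defaults stay as they are; for instance:
PasswordAuthentication yes

# Match blocks go at the end of sshd_config. Every keyword that follows a
# Match line applies only to connections satisfying its criteria, up to the
# next Match line, and only a subset of keywords is allowed here.
Match User git
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
```

With no password path left, the git account can only authenticate with a key listed in its authorized_keys, which is exactly what gitosis manages. Before restarting sshd, `sshd -T -C user=git,host=client.example.org,addr=192.0.2.10` (assumed client values) prints the effective configuration for that user and should show `passwordauthentication no`; running it again with another user name should still show `yes`.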
Re: Recommended laptop
2009/12/22 Tomas Bodzar <tomas.bod...@gmail.com>:
> Don't know about Thinkpads, but Dell E6400 works great. But it's around 950 $ or so.

The benefits of the western world... ;) My E6400 cost me almost $4000 here in Ukraine. But I am very happy with that purchase, the notebook is great and everything is supported by OpenBSD. I can recommend that one to everyone, it's no worse than Lenovo stuff.

--
The best the little guy can do is what the little guy does right
Re: vi in /bin
2009/12/18 Gregory Edigarov <g...@bestnet.kharkov.ua>:
> On Fri, 18 Dec 2009 10:28:25 +0100
> Igor Sobrado <igor.sobr...@gmail.com> wrote:
>> On Fri, Dec 18, 2009 at 6:07 AM, David Gwynne <l...@animata.net> wrote:
>>> On 18/12/2009, at 1:26 PM, Raymond Lillard wrote:
>>>> Real men use cat. :-)
>>>
>>> real men use COPY CON PROGRAM.EXE
>>
>> real men use EDIT/TECO.
>
> real men use XEDIT.

REAL men use butterflies // http://xkcd.com/378/

--
The best the little guy can do is what the little guy does right
Re: mount /usr partition nosuid
2009/12/3 Mark Romer <romes...@gmail.com>:
> Hello All,
>
> Sorry if it has been asked in the past, but is it ok to mount the /usr partition as nosuid? What if any default programs will that break? And also does that give me any added security benefits?
>
> Running 4.6 release generic i386
>
> thanks,
> Mark

find /usr -perm 4555 -ls will solve the question re whether it will break something.

--
The best the little guy can do is what the little guy does right
Re: allow dhcp in pf
2009/11/24 Andreas Mueller <andr...@stapelspeicher.org>:
> Clients most certainly don't send dhcp request packets to your gateway but to multicast, so set destination to 255.255.255.255.
>
> Andreas

Looks like someone doesn't even know how dhcp works, but keeps suggesting silly things and ignoring the wise man's (@claudio) sayings. dhcp clients may and will send requests directly to dhcp servers, apart from the fact that dhcpd ignores pf at all.

--
The best the little guy can do is what the little guy does right
Re: E17 wiki page for OpenBSD
Thank you Dmitry for your great work in supporting E17 on OpenBSD!

2009/11/11 sda <dmitry.serpok...@gmail.com>:
> hello,
>
> http://trac.enlightenment.org/e/wiki/OpenBSD
>
> welcome to correct, improve, advise, etc...
>
> regards,
> sda
>
> [demime 1.01d removed an attachment of type application/pgp-signature]

--
The best the little guy can do is what the little guy does right
Re: pf changes
2009/9/1 Henning Brauer <henn...@openbsd.org>:
> and now it is your time. test this as much as you can, to avoid surprises in 4.7, and bugs showing up after release... we really want to find them beforehand, right?

Thanks a lot, guys! I'll deploy it to production tomorrow.

--
The best the little guy can do is what the little guy does right