Re: About the OpenBSD repository
Hi!

On Mon, Jun 22, 2009 at 10:16:12PM +0100, Anil Madhavapeddy wrote:
> Pretty much every single new revision control system can import/export from CVS, so use whatever you want...

I tried git cvsimport on OpenBSD's tree and it failed, alas. cvs2svn doesn't grok some peculiarities of OpenBSD's tree either.

Kind regards,

Hannah.
Re: About the OpenBSD repository
Hi!

On Mon, Jun 22, 2009 at 02:11:21PM -0500, Marco Peereboom wrote:
> What is wrong with CVS? And no I am not talking about the hypotheticals and some bugs that exist in the current code (that can also be easily worked around).

- It's *slow* (once you've seen git's speed, both cvs and svn are snails against it; hg and bzr might perhaps compare with it, though).

- How often you've seen people (devs with commit access) do development without committing it because it wasn't ready for prime time, then committing it in chunks that can't be grokked any more because they have accumulated for months or even over a year? You can't have off-site development branches in centralized version control systems. You *can* with distributed ones. You can merge them *and keep history* later somewhat easier than without having distributed vcs abilities.

- Non-committers can keep track of their local modifications in a more structured way (because they can too have local unofficial branches) with a distributed vcs. So submission of patches can be more structured.

- Did I mention: most current dvcs are *fast*. And you can usually mirror the repo (just as cvsync does, just you don't need an addon tool for it).

- The history is still kept at a file level. While we see commit mails in a changeset form, if I want to look at what has been changed, I have to check per file (first cvs log, then cvs diff, or the equivalent thereof on the web). Even with svn I can do so with *one* svn log, then svn diff for the *whole* commit. With git I can do so with *one* git log -p for the whole commit (no further diff operation).

- Disconnected operation. With cvs I can do nearly nothing (related to version control, that is) offline. (Devs working on the plane, anyone?) With svn I can just check the status and the diff against the *current* pristine version. With git, for example, I can inspect the *whole* history up to now, and I can create new structured history from now. The only thing I can't do offline is get new history from others (upstream or other devs or other users) or export my new history (to an official repository or peer-to-peer to other users/devs).

- Sometimes even little features like git stash (put away uncommitted stuff for a moment in order to do something else, but ready to be retrieved again) or git add -i (prepare to only *selectively* commit changes) come in handy.

- Oh, when I notice a mistake immediately after the fact, I can (a)mend it with git up to the moment I exported my history! Less of "oops I committed this port to the wrong place". Of course without having to completely *manually* hack the repository tree.

- For versioning local things (like /etc), I don't need to dedicate a completely different place for the repository. One .git directory is good enough for everything (where cvs needs a CVS/ directory for every directory in the working tree *and* a separate repository directory hierarchy). Same gripe about svn, btw (a .svn in every directory in the working directory, even more bloated than cvs, and a separate repository tree, also quite fat).

> I have used just about all versioning systems, including ones that have the price tag of islands in the pacific, and ultimately they all suck in their special ways. CVS works well-enough.

I beg to differ. I was somewhat relieved when we switched from cvs to svn at work (for our work projects). svn does suck, too, of course. For example, non-first-class tags and branches, big overhead in its working copies, and it's slow too, but at least it has real versioning across directory *trees*, so operations like ... log and ... diff actually make sense, you can actually look at the history in a tree/changeset granularity.

Nowadays I still scorn svn here. But at the same time, I dislike cvs more. cvs up -APd on /usr/src, or /usr/ports is just *so slow* even with a *local* (cvsync) mirror. Even with async,noatime mounts and export CVSREADONLYFS=1. cvs commit is slow (and non-atomic!).

Nowadays I use git-svn to make working with the company's svn service a bit more bearable. And I profit from the ability to keep local branches, to export new history at a time when *I* see fit, etc.

Kind regards,

Hannah.
Re: About the OpenBSD repository
Hi!

On Mon, Jun 22, 2009 at 09:58:04PM -0500, Eugene Prodeguene wrote:
> [...]
> http://www.openbsd.org/why-cvs.html
> Because none of the above mentioned will allow for 70+ developers to update ~1.2GB/~140,000 files of source code, allow anonymous checkouts, has an available web based interface and interfaces with ssh.

Now, that page uses outdated comparisons. Ok, cvs works better than sup... Wow. sup is such a current comparison ;-)

Now, git allows even more efficient updates and checkins, both authenticated via ssh, and anonymously. For anonymous readonly access you don't need ssh, because git uses sha1 hashes for everything. (Ok, the use of sha1 becomes more and more debatable, of course.) You can even gpg sign tags if you like (but unsigned tags are also available, and tags and branches are *cheap*, no churning through thousands of files for creating a tag or branch!).

Of course it has a standard web interface, too. And it's more convenient, because you can look at changes in changesets instead of spreading *one* commit over all the files touched as if it were independent changes.

git is very efficient both for deep history and quite large trees. Just as an example (other dvcs seem to perform well too on those lines of comparison).

Of course svn offers similar features too (web interface, of course, svn via ssh or own service or https/dav). It has some drawbacks (I'm not a great fan of it anymore): non-first-class tags/branches, bloated working-directory format, bigger repository (IIRC git has one of the most compact repository packing algorithms).

[...]

Kind regards,

Hannah.
Re: About the OpenBSD repository
Hi!

On Tue, Jun 23, 2009 at 12:48:33PM +0200, Artur Grabowski wrote:
> Mic J michael.cogn...@gmail.com writes:
>> But to imply that CVS is better than (or equal to) Mercurial or Git is a bit ridiculous :)
> Mercurial and Git are crap.

Why do you think so? My experiences with git are quite good.

> [...]
> From two hours ago at work:
> $ svn cleanup
> svn: Working copy 'lib/common' locked
> svn: run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)
> $ svn cleanup lib/common
> svn: Working copy 'lib/common' locked
> svn: run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)

Never happened for me.

> ok. And of course the atomic commits are bullshit because even though the commit failed and left a corrupted local checkout that I had to manually nuke and then copy the right files over, it still did commit some parts of my work. At least it didn't corrupt the database like it did a year ago where we lost two days of work because the only solution was to restore from backup. Now, only the tree was broken until I could figure out wtf it was doing.

Never happened for me. That old Berkeley db stuff was shit, yes. fsfs seems to do okish (though it's still bloated compared to git *g*). But I didn't see half-commits. And at our companies we *did* switch to svn at Berkeley db times. And I do know some points where svn sucks.

> At least we know and understand the bugs and limitations of cvs. You don't like it - don't use it, but god sake, stop telling people what your favourite color is and why it should be their favourite color too.

Of course I respect the right of the devs (and finally Theo) to choose. Still I wanted to put forth what *I* (not you or other devs!) like about other systems and what I came to dislike about cvs over the years (and that me, who first was one pressuring to introduce cvs here at work in the first place; then cvs was much better than no version control at all, and then there were definitely no better alternatives available, and first I wasn't really fond of the decision to switch to svn).

Kind regards,

Hannah.
Re: About the OpenBSD repository
Hi!

On Tue, Jun 23, 2009 at 08:11:42AM -0400, Kenneth R Westerback wrote:
> [...]
> To assume that it is not superior in the particular application to which it is being put is also ridiculous. Having 1000 extra features you don't use and will never use is not an advantage.

If one hasn't tried it out, it's difficult to assume one would never use features like disconnected operations (devs on planes), local/unofficial branches (devs working on new features that aren't ready for prime time yet; "I'm committing this, disconnected from the build, so others can work on it" wouldn't be completely necessary either, for example, if one could share experimental branches using a dvcs).

But even for traditional operations... I'm for example hooked on the mere speed of git compared to svn or cvs even for a not so big tree like a private web project. And even for that I use the fact that both repositories are equals. At home, I commit to the local repository on the home box. Elsewhere I might remote-login to a leased server where another repository lies (and where also the http server is, using a 3rd copy which always is on the public branch, while the other repositories also have other branches). Or I might temporarily clone the repository from the leased server, work locally (perhaps doing more than one revision), then push the work (in one hunk!) back to the leased server and publish (i.e. update the public branch to the http server's directory).

Especially over slow lines, definitely an advantage over having only one central cvs/svn repo on the leased server and only working copies on the other boxes. Local operations are *fast* (e.g. switching from one branch to another with git checkout, compared to cvs up -r... for switching the branch or svn switch or ...).

> Ken

Kind regards,

Hannah.
Re: About the OpenBSD repository
Hi!

On Tue, Jun 23, 2009 at 07:39:41AM -0500, Marco Peereboom wrote:
> Manure alert!
> On Tue, Jun 23, 2009 at 02:16:39PM +0200, Hannah Schroeter wrote:
>> On Mon, Jun 22, 2009 at 02:11:21PM -0500, Marco Peereboom wrote:
>>> What is wrong with CVS? And no I am not talking about the hypotheticals and some bugs that exist in the current code (that can also be easily worked around).
>> - It's *slow* (once you've seen git's speed, both cvs and svn are snails against it; hg and bzr might perhaps compare with it, though).
> It isn't slow. I can check out a tree in a minute. Here is a nickel kid go buy yourself some real disks.

Ok, just checked with git: Linux-2.6 tree. Update after about one month: I did on purpose separate the update into two parts: git fetch, then git merge instead of the usual git pull, so I can measure timing separately.

git fetch origin (roughly equivalent to cvsync): about one minute, received a bit more than 17 MiB of data, roughly 8,5k changes (not files, but tree changes/commits) from the last update.

git merge origin/master (roughly equivalent to cvs up with appropriate options, up-to-date-check/check for conflicts, reset the local branch to the remote branch and checkout files): 7738 files touched, 1m51 real time.

That's with a normal local desktop style disk, not with a high end raid system or something like that. That is, a disk where it takes *several* minutes to cvs up, and where it takes *several* minutes to check for changes even after less time. (time git status, i.e. check for local changes: less than 10 seconds on the same tree).

>> - How often you've seen people (devs with commit access) do development without committing it because it wasn't ready for prime time, then committing it in chunks that can't be grokked any more because they have accumulated for months or even over a year? You can't have off-site development branches in centralized version control systems. You *can* with distributed ones. You can merge them *and keep history* later somewhat easier than without having distributed vcs abilities.
> Oh I guess the cvsync tree I have on my laptop and all my development trees don't count. This is all uninteresting blabbing of someone who doesn't know how to use cvs.

I have a cvsync tree too. But your local trees etc. aren't versioned the same way as they were with a dvcs. You can't commit to a cvsync tree the same way as you can commit locally with a dvcs. (Because your local commits would be overwritten on the next cvsync call.) You can, of course, have several local checkouts from the local cvsync tree with non-versioned, non-committed modifications. But if you have *one* strand of local development going on where one step depends on the next one, you can't version those steps in a structured *tool-supported* way with a centralized version control system. (You can do so without tool support if you copy out every version/commit to a separate directory tree, which takes more time and space than a local commit in a dvcs. That's about the same degree of organization as it was when one had foo.c.version1, foo.c.version2 in times when our company didn't use version control at all.)

>> - Non-committers can keep track of their local modifications in a more structured way (because they can too have local unofficial branches) with a distributed vcs. So submission of patches can be more structured.
> see previous.
>> - Did I mention: most current dvcs are *fast*. And you can usually mirror the repo (just as cvsync does, just you don't need an addon tool for it).
> *yawn*
>> - The history is still kept at a file level. While we see commit mails in a changeset form, if I want to look at what has been changed, I have to check per file (first cvs log, then cvs diff, or the equivalent thereof on the web). Even with svn I can do so with *one* svn log, then svn diff for the *whole* commit. With git I can do so with *one* git log -p for the whole commit (no further diff operation).
> Sure you found a nice feature but hardly killer or worth any downtime and relearning of some other retarded system that is full of unknown bugs.

My experience is different. I deferred that learning curve for some time, too, when friends already were telling of their (in their experience, of course) good experiences with dvcs. Later I took some spare time for that. Now even some co-workers sometimes moan about some lacks of the company's centralized-only version control.

I haven't really, yet, stumbled over annoying problems of git, btw. While OpenBSD committers seem to do so over problems of cvs, if I see things right on source-chan...@.

>> - Disconnected operation. With cvs I can do nearly nothing (related to version control, that is) offline. (Devs working on the plane, anyone?) With svn I can just check the status and the diff against the *current* pristine version. With git, for example, I can inspect the *whole* history up
Re: ntpd dies on startup if using -s option
Hi!

On Thu, Jun 18, 2009 at 12:17:12PM +, Stuart Henderson wrote:
> Jumping the clock doesn't play well with rtsol. If it jumps too far, ipv6 timers expire, you lose your rtsol'd address/route, and it takes a little time to reacquire them.

Shouldn't rtsold use something like clock_gettime and CLOCK_MONOTONIC then? (Or if it's about kernel parts, the kernel equivalent thereof, i.e. monotime, if I remember things correctly w/o looking at the source.)

Kind regards,

Hannah.
Re: Voice-chat on OpenBSD with nothing more than aucat and ssh
Hi!

On Fri, Jun 05, 2009 at 06:02:01PM -0400, Ryan Flannery wrote:
> [...]
> deeper and more muted. Any other options, to aucat or perhaps audioctl, that one could play with to reduce this?

I guess you could try to reduce the buffer size on the aucat *servers* (-b on the aucat *-l* invocations).

Kind regards,

Hannah.
Re: HD 'Analysis'
Hi!

On Mon, May 18, 2009 at 03:21:25PM +0200, Tobias Walkowiak wrote:
> On Tue, May 05, 2009 at 01:46:00PM +0200, Hannah Schroeter wrote:
>>> dd if=/dev/sd1c of=/dev/null bs=64k
>>             ^r
>> Do yourself a favor and use the raw device.
> why?

If nothing else, it'll be much faster.

Kind regards,

Hannah.
Re: OpenBSD Libs
Hi!

On Wed, May 13, 2009 at 03:34:17PM -0300, Joco Salvatti wrote:
> I've been working on a project to create a smaller, functional version of OpenBSD (50MB). One thing that I've noticed while carrying out this project is that there are four types of libraries, eg:
>   libssl.a
>   libssl.so.14.0
>   libssl_p.a
>   libssl_pic.a
> What I would like to know is why are there four different types of libraries? Since disk consumption is a severe constraint, I would like to know which of these are of paramount importance, mandatory for the proper system operation.

In general,

libfoo.a
    Static library, normal build. Used only when you link a program against -lfoo and you either specify static linkage or there's no dynamic library available (or you're on an architecture that doesn't support dynamic libraries at all).

libfoo_p.a
    Static library for profiling build (used when you link a program with -p or -pg).

libfoo_pic.a
    Static library, but built from the object files that are compiled with -fpic or -fPIC (i.e. the object files that are used to build the dynamic library). I don't know whether that's used for linking with -lfoo at all (or only if you specify its full pathname).

libfoo.so.x.y
    Dynamic library. Used for linking with -lfoo unless one of the others is used as described above. *Also needed at runtime* if a program is linked against it. If a program is linked against libfoo.so.x.y, you need version x.z with the same x and z >= y.

So bottom line, if you don't intend to compile or (re-)link anything on your target system, IMO you should be safe to remove the lib*.a files. You *should* keep the lib*.so.* unless you can be sure that you don't need any binary that is linked against that library (check with ldd).

You can of course do test installations e.g. in a chroot environment or in a virtual machine (e.g. qemu) or on a spare machine where it doesn't hurt if you break things by removing too much.

Kind regards,

Hannah.
Re: Unable to update ports since 4.4 and now with 4.5
Hi!

On Mon, May 11, 2009 at 04:33:51PM +0200, Helmut Schneider wrote:
> gf4o2m$lc...@ger.gmane.org (openbsd.bugs, 08.11.2008)
> I started the thread above when I upgraded from 4.3 to 4.4 and I never received a reply. Now with 4.5 the problem still persists and is very frustrating:
> [r...@ns3 ~]# export PKG_PATH=ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/$(uname -r)/packages/$(uname -m)
> [r...@ns3 ~]# pkg_add -ui
> Error from ftp://openbsd.informatik.uni-erlangen.de//pub/OpenBSD/4.5/packages/i386/:
> ftp: Error retrieving file: 502 Bad Gateway
> No packages available in the PKG_PATH
> [...]
> The problem is the extra / after the server name, fetch fails.
> I am highly frustrated. Really. Any suggestions? It sucks to copy all ports to the local disk to update ports.

env | grep proxy?

For me, pkg_add with a ftp_proxy never worked. And, try adding a / at the end of PKG_PATH (though IIRC pkg_add is more tolerant for missing slashes at the end now).

I.e.

    unset ftp_proxy
    export PKG_PATH=ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/$(uname -r)/packages/$(uname -m)/
    pkg_add -uiv

Kind regards,

Hannah.
Re: HD 'Analysis'
Hi!

On Mon, May 04, 2009 at 06:34:07PM -0400, STeve Andre' wrote:
> [...]
> I have a pile of disks that I suspect. Looking at the drawer, I see 8 of them. As I have time I test them, usually with dd:
> dd if=/dev/sd1c of=/dev/null bs=64k
             ^r
Do yourself a favor and use the raw device.

[...]

Kind regards,

Hannah.
Re: Getting 4.5 from FTP
Hi!

On Tue, May 05, 2009 at 11:39:31AM -0500, L. V. Lammert wrote:
> At 08:30 PM 5/5/2009 +0430, MANI wrote:
>> [...]
>> by the way I would happy to order OpenBSD CD,T-Shirts and support my beloved operating system but I am afraid I am living in Iran (No Credit Card!), If there is any other way to get OpenBSD CD's and T-Shirts please let me know!
> How about a Paypal? I believe there is another similar service in the EU?

Since when is Iran a member of the EU?

Kind regards,

Hannah.
Re: OT: Plea for HELP on dual boot MAC/OpenBSD disaster with refit that turn really bad! (Fixed)
Hi!

On Sun, May 03, 2009 at 09:58:22PM +, Stuart Henderson wrote:
> On 2009-05-03, David dunnoseriou...@gmail.com wrote:
>> On Sunday 03 May 2009 at 00:52 -0400, Daniel Ouellet wrote:
>>> [...]
>>> Then I did the image of the drive from the external broken one to the new clean internal one.
>>> dd if=/dev/rsd1c of=/dev/rwd0c bs=1m
>>> And let that go. Took for ever and I had no clue of progress.
>> You can use Pipe Viewer (sysutils/pv) to get progress information.
> it's slower that way. reading from disk and outputting to /dev/null:
> - inside one dd process (dd if=foo of=bar)
>   0m32.33s real 0m0.24s user 0m9.42s system
> - dd if=foo | dd of=bar
>   0m39.27s real 0m0.55s user 0m14.96s system
> - dd if=foo | pv | dd of=bar
>   0m54.14s real 0m1.86s user 0m23.98s system

Missed the original post. What about using stty status ^t before calling dd (e.g. the first variant) and hitting ^t every time you're interested in the status of the transfer?

Kind regards,

Hannah.
Re: How do I enable bsd.mp kernel in 4.4/i386?
Hi!

On Sun, May 03, 2009 at 11:00:02AM -0700, J.C. Roberts wrote:
> [...]
> On all archs, when you wish to boot to a different on-disk kernel you can do it either by copying/moving kernel file to /bsd, and/or specifying the kernel file at boot time `boot /mybsd.custom.hack`

Rather set image ... so you still have the timeout so you can override your choice again.

[...]

Kind regards,

Hannah.
Re: I need to mount in a normal account
Hi!

On Thu, Apr 16, 2009 at 10:18:12PM +0200, Juan Jimenez Galdos wrote:
> Sorry, I pressed enter.

Strange software to punish you for a mere press of enter.

> I add to sudoers (cd0 is the directory in /mnt/):
>   db ALL=/sbin/mount /cd0,/sbin/umount /cd0
> But when I try mount /dev/cd0c /mnt/cd0 and i write the password it says try again, and i have written the password correctly.

Your own password? (Remember, sudo asks the *user*'s password!)

> I am trying to do the same without password:
>   db ALL=NOPASSWD:/sbin/mount /cd0,/sbin/umount /cd0
> But something is wrong, and it says password:.
> Thank you very much.

I'm not sure, but might perhaps a space after NOPASSWD: be needed? Try sudo -l.

Kind regards,

Hannah.
Re: I need to mount in a normal account
Hi!

On Thu, Apr 16, 2009 at 10:32:52PM +0200, Toma?? Bod??ar wrote:
> Why is there cd0 even if it's directory name? On this line you write only commands which you want to use without/with password and not name of directories.

No, you can also name arguments if you want to permit them only if the arguments match instead of permitting the commands for any possible argument(s).

[...]

Kind regards,

Hannah.
Re: I need to mount in a normal account
Hi!

On Thu, Apr 16, 2009 at 04:29:48PM -0400, Nick Guenther wrote:
> On Thu, Apr 16, 2009 at 4:18 PM, Juan Jimenez Galdos juangmgald...@gmail.com wrote:
>> I add to sudoers (cd0 is the directory in /mnt/):
>>   db ALL=/sbin/mount /cd0,/sbin/umount /cd0
>> But when I try mount /dev/cd0c /mnt/cd0 and i write the password it says try again, and i have written the password correctly.
>> I am trying to do the same without password:
>>   db ALL=NOPASSWD:/sbin/mount /cd0,/sbin/umount /cd0
>> But something is wrong, and it says password:.
> ..are you sure? You've said here that db can run mount /cd0, not mount /mnt/cd0

Eeks, I even missed to see that argument mismatch in my last reply... *rolls eyes*

Kind regards,

Hannah.
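The argument matching discussed in this thread, as an added example that is not part of the original posts: a simplified shell model of how a sudoers command entry that names arguments is compared with the command actually run. The helper names (cmnd_matches, rule_allows, report) and the corrected entry are assumptions made for illustration; real sudoers parsing also handles aliases, escaping and wildcards in the command path.

```sh
#!/bin/sh
# Simplified model of sudoers command matching (illustration, not sudo's code).
# cmnd_matches, rule_allows and report are hypothetical helper names.

# cmnd_matches SPEC COMMAND [ARG...]
#   SPEC is one sudoers command entry, e.g. "/sbin/mount /cd0".
#   - SPEC without arguments: the command may be run with any arguments
#   - SPEC arguments "":      the command may only be run without arguments
#   - otherwise the invocation's arguments, joined by single spaces, must
#     match SPEC's arguments as one string (shell wildcards allowed)
cmnd_matches() {
    spec=$1; shift
    cmd=$1; shift
    spec_cmd=${spec%% *}
    case $spec in
        *" "*) spec_args=${spec#* }; has_args=1 ;;
        *)     spec_args=;           has_args=0 ;;
    esac
    # Simplification: the command path must be identical (no path wildcards).
    [ "$cmd" = "$spec_cmd" ] || return 1
    [ "$has_args" -eq 0 ] && return 0
    if [ "$spec_args" = '""' ]; then
        [ $# -eq 0 ] && return 0
        return 1
    fi
    # The unquoted pattern is matched against the whole argument string.
    case "$*" in
        $spec_args) return 0 ;;
    esac
    return 1
}

# rule_allows "ENTRY,ENTRY,..." COMMAND [ARG...]
#   True if any comma-separated entry permits the invocation.
rule_allows() {
    list=$1; shift
    old_ifs=$IFS
    IFS=,
    set -f                      # do not glob-expand the entries themselves
    for entry in $list; do
        IFS=$old_ifs
        entry=${entry# }        # drop one space after the comma, if any
        if cmnd_matches "$entry" "$@"; then
            set +f
            return 0
        fi
    done
    IFS=$old_ifs
    set +f
    return 1
}

report() {
    if rule_allows "$@"; then echo allowed; else echo denied; fi
}

# Entry as posted in the thread, and a constructed correction that names
# the arguments the user actually types (an assumption, not from the posts).
POSTED='/sbin/mount /cd0,/sbin/umount /cd0'
FIXED='/sbin/mount /dev/cd0c /mnt/cd0,/sbin/umount /mnt/cd0'

echo "posted, mount /dev/cd0c /mnt/cd0: $(report "$POSTED" /sbin/mount /dev/cd0c /mnt/cd0)"
echo "posted, mount /cd0:               $(report "$POSTED" /sbin/mount /cd0)"
echo "fixed,  mount /dev/cd0c /mnt/cd0: $(report "$FIXED" /sbin/mount /dev/cd0c /mnt/cd0)"
echo "fixed,  mount /dev/sd0a /mnt/cd0: $(report "$FIXED" /sbin/mount /dev/sd0a /mnt/cd0)"
# An entry without arguments permits every argument list, and a wildcard
# matches across word boundaries, so both grant more than one mount.
echo "bare /sbin/mount, any device:     $(report '/sbin/mount' /sbin/mount /dev/sd0a /mnt)"
echo "wildcard entry, extra options:    $(report '/sbin/mount /dev/cd0c *' /sbin/mount /dev/cd0c /mnt/cd0 -o nodev)"
```

On a real system, `sudo -l` as suggested earlier in the thread shows the entries sudo has actually parsed for the user.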
Re: I can't connect to Internet
Hi!

On Mon, Apr 06, 2009 at 04:35:42PM -0500, alvaro wrote:
> export env PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386/;
         ^^^
Drop that.

Kind regards,

Hannah.
Re: Donations (was, sadly, European orders)
Hi!

On Fri, Apr 03, 2009 at 10:18:30AM +, Stuart Henderson wrote:
> On 2009-04-03, Martin Schrvder mar...@oneiros.de wrote:
>> 2009/4/3, Stuart Henderson s...@spacehopper.org:
>>> cards, http://www.openbsd.org/donations.html, since UK to euro-zone bank transfers are so expensive (cheapest is probably #8 for tipanet transfers, other ways can be much more).
>> The UK is in pe, so -transfers to and from the UK should cost (next to) nothing; all the usual rules for the zone apply.
> the rule is not about the actual cost, it's that SEPA transfers in euros should cost no more than domestic transfers in euros. I haven't checked, but I suppose the banks handle this by making a high charge for domestic transfers on their euro-denominated accounts (which almost nobody has, anyway)...

*nods* But IIRC it can be expensive between the UK and the Euro zone because the UK doesn't have the Euro. I've understood the rules in the way that the regulations apply only to transfers between countries that are both in the EU *and* that have the Euro. I.e. not for the Vatican, or for the UK.

Kind regards,

Hannah.
Re: Wim
Hi!

On Thu, Apr 02, 2009 at 10:15:13PM +0200, Matthias Kilian wrote:
> Wim *does* filter traffic from cvs.openbsd.org. At least on ports 25 and 80:
> $ telnet www.kd85.com 25
> Trying 62.116.6.182...
> [nothing]
> $ telnet www.kd85.com 80
> Trying 62.116.6.182...
> [nothing]

Port 80 works from a private dialup as well as a private rented server.

Do you want to send mail to x...@*www.*kd85.com? I'd rather try the MX record of kd85.com, which is ok13.kd85.com. That worked for me too, from the same both sources (spamd's greeting with the first few octets stuttered).

But JFTR, www.kd85.com also responds on 25, with a Sendmail greeting.

Did you retry to double-check that it wasn't the machine being rebooted and just coming up pre-start of the daemons?

Kind regards,

Hannah.
Re: Wim
Hi!

On Thu, Apr 02, 2009 at 06:48:48PM -0400, Ted Unangst wrote:
> On Thu, Apr 2, 2009 at 6:31 PM, Hannah Schroeter han...@schlund.de wrote:
>> On Thu, Apr 02, 2009 at 10:15:13PM +0200, Matthias Kilian wrote:
>>> Wim *does* filter traffic from cvs.openbsd.org. At least on ports 25 and 80:
>> Port 80 works from a private dialup as well as a private rented server.
> The problem is a man in the middle attack stealing all the ARP packets from cvs. That must be it.

That I haven't thought of that... *rolls eyes*

The gaping security hole in OpenBSD... *rolls eyes more*

I can't sleep anymore as long as I keep running any OpenBSD host...

SCNR,

Hannah.
Re: PF Seems To Reload Its Default Rules Unexpectedly
Hi!

On Mon, Mar 09, 2009 at 07:06:10PM -0700, Hilco Wijbenga wrote:
> [...]
> ext_if = sk0
> int_if = sk1
> set skip on lo
> set block-policy return
> scrub in
> nat log on $ext_if from $int_if:network to any -> ($ext_if)
> block log
> pass out quick from $int_if to $int_if:network
> pass out quick from $ext_if to any
                      ^^^
> #pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port { domain, ntp }
> pass in quick on $int_if from $int_if:network to any

You missed the parens in the marked place.

[...]

Kind regards,

Hannah.
Re: Nginx: filedescriptors, users and login.conf confusion
Hi!

On Wed, Mar 11, 2009 at 07:36:23AM -0700, Darrin Chandler wrote:
> [...]
>> I'm kinda lost on which user / which (new) login.conf class I should give more filedescriptors. Or how to find out which particular users/daemon needs them.
> You can specify the login class you desire when starting a daemon. See su(1), specifically the '-c login-class' option. A common practice is to copy the 'daemon' class to a new login.conf entry named whatever you like, start your daemon using that class, then tweak as desired.

Why not write a new login class *referring* to the 'daemon' class using tc=?

[...]

Kind regards,

Hannah.
Re: Upgrade on non-live disk
Hi!

On Thu, Mar 05, 2009 at 12:09:31PM +1030, Damon McMahon wrote:
> Tue, 03 Mar 2009 07:17:56 -0500 steve.shock...@shockley.net:
>> On 3/2/2009 7:31 PM, Damon McMahon wrote:
>>> Is it possible/wise to follow the upgrade instructions on a non-live OpenBSD disk mounted on /altroot? I have a second drive I use as a non-live mirror with dd(1); can I use the Upgrading without install kernel instructions to upgrade this disk by mounting its file systems in /altroot and then substituting /altroot for / in the Upgrading without install kernel instructions?
>> Why not just continue to use your existing mirror process, and update the mirror once your prod drive is upgraded?
> To minimise down-time to a simple reboot - best not to rush these things, and there's nothing like a production system being down to cause me to rush!
> Thanks to Nick for the advice, it seemed to work fine. For the archives, just make REALLY sure you replace / with /altroot at every step in the upgrade instructions (I slipped a couple of times, thankfully both instances were recoverable) and I did find some minor steps e.g. running newaliases(8) that would seem to require the system being upgraded to be live and running.

    chroot /mountpoint /usr/bin/newaliases

Kind regards,

Hannah.
Re: Go order your 4.5 CD
Hi!

On Thu, Mar 05, 2009 at 05:38:55PM -0500, Todd M. Boyer wrote:
> On 16:47, Thu 05 Mar 09, Daniel Ouellet wrote:
>> Theo just open the pre-order. Go order your CD, T-Shirt, etc.
> 4.5 pre-order!!! I just ordered 4.4 (and 4.3) slow down and have a beer ;-)

I ordered nothing. But this, added with the previous (even $1 donations matter) thread, inspired me to finally donate again. Both a one-time donation *now*, and ordering a periodical donation (bank-transfer, one order for unlimited duration periodical transfers, no overhead for me, on the recipient side it looks like manual orders, I hope they charge Theo's German account nothing for domestic incoming money; else tell and I could change it from monthly to two-monthly twice the amount, for example).

Kind regards,

Hannah.
Re: Inexpensive, low power, wall wart computer
Hi!

On Wed, Feb 25, 2009 at 12:44:29PM +0200, Lars Noodin wrote:
> As far as stability goes, I find the USB connections somewhat unreliable.

For me it just works (external USB2 hard disk).

Kind regards,

Hannah.
Re: Inexpensive, low power, wall wart computer
Hi!

On Wed, Feb 25, 2009 at 12:04:01PM +0100, David Vasek wrote:
> [...]
> Perhaps. In case of firewire it depends on proper design of a connected device too, but I meant stability of your machine/OS. A device connected over firewire can do anything it wants with your machine, even crash it unintentionally if there is a bug in the device (quite likely).

Disconnecting (or accidentally having disconnected) an USB harddisk/stick without unmounting it isn't exactly fun either. At least last time I tried it.

Kind regards,

Hannah.
Re: Slow CD/DVD read time (AMD64 current 4.5 02/19/2009 12:11:00 PM on Intel Q9550, 8GB RAM, 1TB WD)
Hi!

On Sat, Feb 21, 2009 at 04:20:07PM -0500, David Heinrich wrote:
> I'm installing OpenBSD AMD64 current (4.5) as of 12/19/2009 12:11:00 PM. I am at the step where it says Getting base45.tgz..it started out saying it would require 40 or more minutes and seems to be transferring data from the CD to hard-drive at a rate of 20 KB/sec. Why is it going so slow? My DVD/CD drive has a DVD read-speed of 16X and a CD-ROM read speed of 48X. Given that, a transfer rate of 20 KB/sec seems awfully slow...am I missing something?
> MY HARDWARE INFO:
> Motherboard : Asus Intel P45 1600 FSB 4x DDR2 Core 2 Duo ATX P5Q-E
> RAM : OCZ TechnologyDDR2 PC2-6400 800MHz 8GB Quad Kit (OCZ2G8008GQ)
> Hard Drive : 1TB WD1001FALS SATA 7200RPM 32MB HDD Bare drive
> CPU : INTEL Core 2 Quad Q9550 BX80569Q95502.83ghz
> GPU : MSI Radeon HD4670 PCIE-512MB DDR3 Dual VGA/DVI (R46702D512)
> PSU : 1050W Revolution 85+ PSU ATX12V Version 2.3 80PLUS Silver
> Monitor : Sony GDM-F520 (CRT)
> DVD Drive (Internal) : Samsung DVD Burner 22X SH-S223Q
> CF Reader : CARD READER ROSEWILL|RCR-102 RTL
> USB DVD Drive : a LaCie Lightscribe drive (disconnected from workstation)

So you're using the internal one?

> Keyboard : Northgate Omnikey Evolution
> Monitor : Sony gdm-f520

dmesg output?

Kind regards,

Hannah.
Re: Assistance OpenBSD
Hi!

On Sat, Feb 21, 2009 at 11:32:22PM +0100, Maxime DERCHE wrote:
> [...]
> In short :
> * you *need* an Internet access to install third party software (like web browser, text processing tools, and so on);

There are *some* packages delivered on the install CD. Or you can download packages on one machine and install them on another one (BTDT).

> * you have to setup a network interface in order to download the packages (see http://www.openbsd.org/faq/faq6.html#Setup for more information, but all you actually have to do is setup a /etc/hostname.if file, if this has not already been done in the initial installation process);
> * you must setup the packaging tools, that is set the PKG_PATH environment variable (see http://www.openbsd.org/faq/faq15.html#Easy for more details);
> * then you can install third party software with the pkg_add command (pkg_add -i mozilla-firefox, for example).

Or you pkg_add full_url_of_package. Of course, it's often more convenient with PKG_PATH.

[...]

Kind regards,

Hannah.
Re: dmesglog
Hi! On Sat, Feb 14, 2009 at 09:47:38AM +0900, Jordi Beltran Creix wrote: [...] Hello, Forgive me, but wouldn't (echo Subject: type of machine ; dmesg ; sysctl hw.sensors) | sendmail -f$YOUR_EMAIL dm...@openbsd.org be better? Else, if the hostname is not a valid domain, the mail does not get through. Your gripe is valid a bit. Your command doesn't work either, though. 1. it misses a blank line after the subject header. 2. it doesn't set the envelope from if your user isn't in the trusted users list. Better once and for all setup your mail system to send out mail with a valid email address and host name (or use a smarthost to circumvent the latter). See masquerading for sendmail. Kind regards, Hannah.
Re: upgrading packages and ports, ugh
Hi! On Tue, Feb 10, 2009 at 10:00:31PM -0500, Juan Miscaro wrote: [...] Thanks everyone for these responses. I've since tried to reinstall (make reinstall) one of those ports and it now cries: === archivers/freeze === Cleaning for freeze-2.5 /usr/sbin/pkg_delete freeze-2.5 Can't remove freeze-2.5 without also removing: amavisd-new-2.6.2 *** Error code 1 (ignored) Really strange. Like I said, I installed amavisd-new via ports (which brought in freeze). Then 'pkg_add -u' upgraded amavisd-new using packages. Now those packages that need to be upgraded via ports (freeze) cannot do so without first removing amavisd-new! What does one do in such cases? make update, if the version number changes. Else make package and pkg_add -riv /path/to/package/that/was/just/built (copypaste the package path from the output of make package). Kind regards, Hannah.
Re: Reset root password on system with console insecure?
Hi! On Thu, Feb 05, 2009 at 07:27:56AM -0600, Phusion wrote: I am looking for advice on how to reset the root password on an OpenBSD system that has console set to insecure in /etc/ttys. I have booted off the install CD and into the shell and mounted the / partition read-write, but don't have access to vi to modify /etc/master.passwd. I was thinking I could clear out the root password and afterwards run pwd_mkdb. Let me know. Thanks. If you mount the original / partition (like in mount /dev/wd0a /mnt), you can then mount /usr, /var, too (e.g. mount /dev/wd0d /mnt/usr, mount /dev/wd0e /mnt/var). Then you can chroot into your system: /mnt/usr/sbin/chroot /mnt /bin/ksh. Then you can setup the terminal (export TERM=pcvt25) and the editor (export EDITOR=/usr/bin/vi) and use vipw. Kind regards, Hannah.
Re: Reset root password on system with console insecure?
Hi! On Thu, Feb 05, 2009 at 02:39:18PM +0100, Hannah Schroeter wrote: On Thu, Feb 05, 2009 at 07:27:56AM -0600, Phusion wrote: I am looking for advice on how to reset the root password on an OpenBSD system that has console set to insecure in /etc/ttys. I have booted off the install CD and into the shell and mounted the / partition read-write, but don't have access to vi to modify /etc/master.passwd. I was thinking I could clear out the root password and afterwards run pwd_mkdb. Let me know. Thanks. If you mount the original / partition (like in mount /dev/wd0a /mnt), you can then mount /usr, /var, too (e.g. mount /dev/wd0d /mnt/usr, mount /dev/wd0e /mnt/var). Then you can chroot into your system: /mnt/usr/sbin/chroot /mnt /bin/ksh. Then you can setup the terminal (export TERM=pcvt25) and the editor (export EDITOR=/usr/bin/vi) and use vipw. Of course, after chroot you could also use the passwd command (passwd root) to directly set a new password for root (and perhaps your own user account if you've lost that password too). passwd doesn't ask the old password if you use it as root. And then, perhaps setup sudo so you can get root from your user account... Kind regards, Hannah.
Re: fetch package dependencies
Hi! On Mon, Feb 02, 2009 at 08:00:21PM +0100, Marc Espie wrote: On Mon, Feb 02, 2009 at 02:02:59PM +0100, Hannah Schroeter wrote: On Sun, Feb 01, 2009 at 02:01:03PM +0100, Dorian Büttner wrote: is there an easy way to fetch a package along with its recursive dependencies? Scenario is: eee904ha does not have network access at all right now. In order to proceed installing useful things, let's say firefox, I'd like to suck packages onto a usb stick and install from there. I thought I could go to the soekris box, which unfortunately isn't that -current, and do something like pkg_add -n mozilla-firefox, but the output is totally garbled with libc mismatches and things like that. Any idea? I'd think using a net connected box, setting PKG_CACHE and PKG_PATH and then pkg_add -n package_you_want. The required packages should end up in the PKG_CACHE directory. From there you should be able to transfer them over to the eeepc. If the soekris isn't current, you could try this in a chroot environment or a virtual machine (e.g. qemu) setup. Yep, that's the intent. PKG_CACHE + pkg_add -n will do it. There's perhaps one thing we've missed: If some dependency package is already installed (and current enough) on the source host, pkg_add -n will probably not refetch it, so it will end up missing in the PKG_CACHE, i.e. on the destination host. The playing with the signature trick will avoid that, probably. Or perhaps one would need another option to pkg_add (or a different, pkg_fetch or similar, frontend to the pkg_* toolchain) to fetch *all* dependency packages. Kind regards, Hannah.
Re: fetch package dependencies
Hi! On Sun, Feb 01, 2009 at 02:01:03PM +0100, Dorian Büttner wrote: is there an easy way to fetch a package along with its recursive dependencies? Scenario is: eee904ha does not have network access at all right now. In order to proceed installing useful things, let's say firefox, I'd like to suck packages onto a usb stick and install from there. I thought I could go to the soekris box, which unfortunately isn't that -current, and do something like pkg_add -n mozilla-firefox, but the output is totally garbled with libc mismatches and things like that. Any idea? I'd think using a net connected box, setting PKG_CACHE and PKG_PATH and then pkg_add -n package_you_want. The required packages should end up in the PKG_CACHE directory. From there you should be able to transfer them over to the eeepc. If the soekris isn't current, you could try this in a chroot environment or a virtual machine (e.g. qemu) setup. Thanks, Dorian Kind regards, Hannah.
Re: KDE installation problem
Hi! On Sun, Feb 01, 2009 at 11:00:56PM +0100, Jean-François wrote: I have a problem while installing KDE on my computer since the graphic mode used by default is not supported by my screen. I tried few things but it looks like I need to use first start of kde kdestart with some option that makes it run at some graphic mode. Since this occurs at the startkde, I am not sure I can change it by mod a conf file. Please could you help ? For me, KDE doesn't/didn't change the graphics mode, but the graphics mode is set by the X server itself. The configuration file is /etc/X11/xorg.conf. If it's not present, the X server autoconfigures, but sometimes the settings derived by autoconfiguration probably won't fit. You can generate a template xorg.conf by running X -configure (probably as root). That should terminate soon and leave a file (a message on the text console should tell you where the file is, usually in $HOME). Move that file to /etc/X11/xorg.conf and edit it to suit your needs. Test it using startx rather than xdm. (That is, disable xdm until everything works.) For me, it works to symlink the .xinitrc and the .xsession in the home directory of my normal user account, so startx and xdm login sessions will work the same. On one box, I have to play with xrandr because the intel driver doesn't want to set my preferred resolution (the highest one available after selecting viable modelines) by default, but a much lower one... So there's a xrandr invocation early in .xsession/.xinitrc... Wasn't needed in the legacy driver for the i810 chips; that used the normal selection of the default resolution I was used to from all graphics drivers in Xorg and XFree86 I've used/seen before. Thanks a lot, JF Kind regards, Hannah.
Re: vnconfig and fsck
Hi! On Sat, Jan 31, 2009 at 08:51:46AM +0100, frantisek holop wrote: i have an encrypted ffs diskimage. it was created some time ago the usual way. after my update to -current this is what happens: $ sudo vnconfig -k svnd0 imagefile Encryption key: $ sudo mount /dev/svnd0a /mnt mount_ffs: /dev/svnd0a on /mnt: filesystem must be mounted read-only; you may need to run fsck when i mount the filesystem read-only, everything is ok. but when i say: $ sudo fsck /dev/svnd0a fsck: /dev/svnd0a: unknown special file or file system. Try fsck /dev/rsvnd0a [...] Kind regards, Hannah.
Re: Openbsd mounting
Hi! On Sat, Dec 20, 2008 at 09:14:39PM +, Dorian Büttner wrote: rizzo0917 schrieb: and usb devices. keyword is hotplugd(8), includes example. And what does happen if someone uses the example and then unplugs that device? Then one has a mount with the block device used for it vanished. Even if I mount things manually and even if I forget to unmount it just once (e.g. an USB stick or an USB harddisk), my system is hosed. Not even a forced unmount works any more (at least last time I did that). Had to shutdown now, umount everything else so I had less unclean filesystems (remount the root fs readonly) and then reboot. amd, OTOH, would unmount the fs soon after it isn't used any more (which can be lucky enough to be before it's unplugged). And on trying to use it it would try to mount it which would either succeed (if it's plugged) or not (if it's not (yet) plugged). Kind regards, Hannah.
Re: /usr/obj slice size
Hi! On Mon, Dec 15, 2008 at 02:24:18PM +, Dave Wilson wrote: [...] On that note, does anyone know how to poke the restrictions set in login.conf on a temporary basis? The existence of datasize-cur and datasize-max suggest I should be able to do this, but I can't find the relevant command. ulimit in Bourne-like shells, limit in csh-like shells. I'd rather not do it in login.conf as its a useful restriction most of the time to stop things running away. I'm trying to create a 2G MFS for /usr/obj, but if I go much above 200 with mount_mfs I get an error: slash:~# mount_mfs -s 300 swap /mnt mount_mfs: mmap: Cannot allocate memory slash:~# mount_mfs -s 200 swap /mnt slash:~# # Works OK. You'll probably hit the intrinsic maximum datasize limit which you can't cross even if you set ulimit -d unlimited. Kind regards, Hannah.
Re: getarg(3)
Hi! On Mon, Dec 15, 2008 at 10:19:29AM +, Jason McIntyre wrote: On Mon, Dec 15, 2008 at 11:05:29AM +0100, Otto Moerbeek wrote: we don't build libroken, so i'm guessing that getarg.3, parse_time.3, and rtbl.3 should not be installed. however i have no idea where to turn that stuff off about. any kerberos people want to pick this up? jmc It is not as simple as that, via lib/libkrb5 a lot of krb lib stuff --including libroken stuff-- gets built and installed. getarg seems to end up in libkrb5. it does? i do not have libroken here. we have asn1, com_err, hdb, and kafs all linked to krb5, but i don't see a libroken. i presumed it was not built. Yes, it does. nm /usr/lib/libkrb5.a | less, search for getarg, and you'll see in getarg.o: 12a8 T getarg (on my system). jmc Kind regards, Hannah.
Re: fvwm - move a window freeze others
Hi! On Wed, Dec 10, 2008 at 04:05:45PM -0500, Ted Unangst wrote: On Wed, Dec 10, 2008 at 3:29 PM, Jesus Sanchez [EMAIL PROTECTED] wrote: I'm using FVWM as window manager and works really fine but when I have various windows (xterms for example) and drag one window to move it around, after a few seconds, all of them stops doing its work, also gkrellm freezes until I drop the moving window in any place, this is normal? I don't consider it particularly desirable, but that's normal for fvwm. Yes, I can confirm that, too, also for fvwm2 from ports, alas. Nice if that interrupts xmms from playing sound (because it blocks on updating its display), for example. Of course, for fvwm2, it's an upstream issue rather than an OpenBSD (or port maintainer) issue. Kind regards, Hannah.
Re: possible bug in OpenNTPD code?
Hi! On Tue, Dec 09, 2008 at 10:36:46PM -0800, Anirban Sinha wrote: How is it blocking indefinitely? Is wait() not returning -1 with errno == ECHILD when there are no children to reap? What led you to the conclusion that this code was blocking? (What platform are you running this on?) Hmm, agreed. Looks like I was wrong with my analysis. In any case, I am running the portable version of the ntpd on Linux. I am definitely observing the parent still alive and blocked (sleeping) even when the child is dead. I need to do some more digging on this. IIRC, you can show the wait channel on Linux too, using something like ps alxww|grep ntpd Then you perhaps can see what the parent ntpd process is really waiting for. Kind regards, Hannah.
Re: tar(1) bug?
Hi! On Wed, Nov 19, 2008 at 01:55:02PM +0100, LIVAI Daniel wrote: $ uname -mrsv OpenBSD 4.4 GENERIC#0 i386 $ pwd /home/daniell $ tar -C / -cvf test.tar ./home/daniell/.ksh* tar: Unable to access ./home/daniell/.ksh*: No such file or directory tar: WARNING! These file names were not selected: ./home/daniell/.ksh* $ ls -l /home/daniell/.ksh* -rw-r- 1 daniell daniell [...] /home/daniell/.ksh_logout -rw-r- 1 daniell daniell [...] /home/daniell/.kshrc Without the wildcard, it is working as expected. Anyone else experiencing this? Is this a known problem? Wildcards are expanded by the *shell*. The *shell*'s working directory is *not* changed by *tar*'s option -C. *tar* does *not* expand wildcards. Kind regards, Hannah.
Re: Apache 1.3 in base or 2.2.8 from ports ?
Hi! On Sat, Nov 08, 2008 at 09:17:53AM +0100, Marc Balmer wrote: Keep in mind that the Webserver in base has seen a lot of security and other improvements like chroot() by default etc. It is not a stock 1.3 Apache, it is only based on Apache 1.3. Apache 2 in ports was only imported to make it possible to test certain thinks. Also, some applications work only with Apache 2 IIRC, like the Subversion via http service. (However, svnserve works without any httpd, but that requires a different account/password management/database IIRC, and you can also do subversion via ssh.) Other webdav stuff, too, IIRC. [...] Kind regards, Hannah.
Re: Xorg: ABI mismatch
Hi! On Thu, Nov 06, 2008 at 09:18:13AM +0100, giovanni wrote: just updated latest Xorg. apart from the sync-to-vblank intel's issue no troubles at all at first glance but I start seeing this in the logs (excerpt) [...] I have many more issues. For this issue, I regenerated the configuration file (X -configure), and use only the modules named in the generated configuration file. These are: Section Module Load dbe Load dri Load extmod Load glx Load freetype EndSection So GLcore, record, xtrap and type1 are gone from the previous config file. However, my previous fontpath additions won't work. If I keep them, I get this *fatal* error: Fatal server error: could not open default cursor font 'cursor' giving up. If I keep only the default font path, things work. My font path additions would be these: + #FontPath /usr/local/share/fonts/override/ + #FontPath /usr/local/openoffice/share/fonts/truetype + #FontPath /usr/local/share/fonts/ + #FontPath /usr/local/lib/metamail/fonts + #FontPath /usr/local/lib/X11/fonts/terminus/ + #FontPath /usr/local/lib/X11/fonts/freefont/ + #FontPath /usr/local/lib/X11/fonts/mscorefonts + #FontPath /usr/local/lib/X11/fonts/ecoliercourt + #FontPath /usr/local/lib/X11/fonts/artwiz-aleczapka All @fontdirs from ports (not even the complete list from all my installed packages, as I see now, after a grep '[EMAIL PROTECTED]' /var/db/pkg/*/+CONTENTS). Another issue is even more glitches in xterm (when I move it around, occasionally a line remains where it doesn't belong, until it's either overwritten by text or a full redraw is triggered; and sometimes the line between the scrollbar and the text pane wasn't seen; maybe both issues are gone after I recompiled xenocara myself, at least couldn't reproduce it today). 
The old glitch (text is garbled after switching the font using the Ctrl-Mouse3 menu) that has been there since the switch from XF4 to xenocara is still there (and it's not necessarily from xorg, as it's *not* there on Debian Linux, and it's not graphics card specific, because it *is* there on two OpenBSD boxen with different graphics cards). At least the issue with Greek fonts seems to be gone with the latest update. :-) Kind regards, Hannah.
Re: Xorg: ABI mismatch
Hi! On Thu, Nov 06, 2008 at 02:35:30PM +, Owain Ainsworth wrote: [...] (EE) Failed to load module record (module requirement mismatch, 0) (EE) Failed to load module xtrap (module requirement mismatch, 0) for taking away it I've temporary added You should instead have removed the record, and trap extension from your config. Those extensions aren't there anymore in the new xserver. Why the strange error message? For me that occurred even after I wiped /usr/X11R6 and reinstalled the x*.tgz tarballs. Why not something akin to No such file or directory? Kind regards, Hannah.
Re: making man(1) to open a file
Hi! On Sun, Sep 21, 2008 at 09:22:24PM +0200, LIVAI Daniel wrote: I think there is a way for this but I can not find it in man's man :) Like in Linux there is a `-l' option to man(1) which opens a Local file, like man -l /usr/local/man/man1/somemanpage.1. I'm in trouble opening net-snmp package's snmpd(8) or snmpd.conf(5) man page, because it conflicts with the base's snmpd's man pages. Now I'm reading it with less, but it is less convenient :) No, but in your case, you can use the option -M /usr/local/man (or -m /usr/local/man) probably. Kind regards, Hannah.
Re: Patching a SSH 'Weakness'
Hi! On Fri, Sep 12, 2008 at 07:41:05PM +0300, Toni Spets wrote: Stuart Henderson wrote: On 2008-09-12, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: To all who opposed the suggestion to send one block of data when the Enter key is pressed: my suggestion strictly referred to the login procedure, not to the later data communication. I did not mention this because I thought it was clear from the context of the original poster who has expressively mentioned passwords. You may want to reconsider the suggestion in this light. The initial password is sent as a block (of course that simple case was taken care of). The problem OP mentions relates to passwords typed within the session e.g. su, sudo, ssh to another host, ... Wait, how do you know someone is typing a password inside the session and not just writing a text file or typing arbitrary commands? At least things like getpass() would probably use a terminal mode that's *line* oriented but with echo disabled. Because it's line oriented, you lose nothing (like response to single character input) by sending block-wise on the client's side, not even the echo because that's disabled. That would be ECHO and ECHONL unset and ICANON set in the terminal local flags. (Perhaps one could even don't care on ECHONL, because one will send anyway once one reads a newline.) One would have to do erase/werase/kill processing locally, though, i.e. one would have to know the erase/werase/kill characters that would be in force on the remote side to emulate that correctly. Kind regards, Hannah.
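The batching idea in the message above, as an added example (not code from OpenSSH or from the post): a client-side filter that buffers keystrokes while the remote tty is line-oriented with echo off and applies erase/werase/kill locally, so a password typed inside the session leaves as one block. It assumes the client already holds a termios describing the remote pty; all function names and the sample tty are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>                 /* _POSIX_VDISABLE */

struct line_buf { char data[256]; size_t len; };

/* getpass()-style mode: ICANON set, ECHO unset; ECHONL is ignored. */
static int is_noecho_line_mode(const struct termios *t)
{
    return (t->c_lflag & ICANON) != 0 && (t->c_lflag & ECHO) == 0;
}

/* Is byte c the special character in slot idx, and is that slot enabled? */
static int is_cc(const struct termios *t, int idx, unsigned char c)
{
    return t->c_cc[idx] != _POSIX_VDISABLE && t->c_cc[idx] == c;
}

static int is_blank(char c) { return c == ' ' || c == '\t'; }

/* Feed one typed byte while batching. Returns 1 when lb holds a block to
 * send, 0 when the key was absorbed by local editing. A full buffer is sent
 * early. Simplification (assumption): erase removes one byte, not one
 * multi-byte character. */
static int line_feed(struct line_buf *lb, const struct termios *t, unsigned char c)
{
    int sig;

    if (is_cc(t, VERASE, c)) {
        if (lb->len > 0)
            lb->len--;
        return 0;
    }
#ifdef VWERASE
    if (is_cc(t, VWERASE, c)) {     /* drop trailing blanks, then one word */
        while (lb->len > 0 && is_blank(lb->data[lb->len - 1]))
            lb->len--;
        while (lb->len > 0 && !is_blank(lb->data[lb->len - 1]))
            lb->len--;
        return 0;
    }
#endif
    if (is_cc(t, VKILL, c)) {
        lb->len = 0;
        return 0;
    }
    /* Signal keys: the remote tty discards pending input (unless NOFLSH is
     * set), so send only the key itself. */
    sig = (t->c_lflag & ISIG) &&
          (is_cc(t, VINTR, c) || is_cc(t, VQUIT, c) || is_cc(t, VSUSP, c));
    if (sig)
        lb->len = 0;
    lb->data[lb->len++] = (char)c;
    return sig || c == '\n' || (c == '\r' && (t->c_iflag & ICRNL)) ||
           is_cc(t, VEOL, c) || is_cc(t, VEOF, c) ||
           lb->len == sizeof(lb->data);
}

/* Run a key sequence through the filter. Returns the number of blocks that
 * would be written to the network and copies the last block into last. */
static size_t batch_keys(const struct termios *t, const char *keys,
                         char *last, size_t lastsz)
{
    struct line_buf lb;
    size_t blocks = 0;
    int batching = is_noecho_line_mode(t);

    lb.len = 0;
    if (lastsz > 0)
        last[0] = '\0';
    for (; *keys != '\0'; keys++) {
        if (!batching)
            lb.data[lb.len++] = *keys;          /* interactive: send at once */
        else if (!line_feed(&lb, t, (unsigned char)*keys))
            continue;                           /* still collecting the line */
        blocks++;
        if (lb.len < lastsz) {
            memcpy(last, lb.data, lb.len);
            last[lb.len] = '\0';
        }
        lb.len = 0;
    }
    return blocks;
}

/* Constructed sample: a remote pty as a password prompt (echo_on == 0) or a
 * normal shell line (echo_on != 0) would leave it. */
static struct termios sample_remote_tty(int echo_on)
{
    struct termios t;
    size_t i;

    memset(&t, 0, sizeof(t));
    for (i = 0; i < NCCS; i++)
        t.c_cc[i] = _POSIX_VDISABLE;
    t.c_iflag = ICRNL;
    t.c_lflag = ICANON | ISIG | (echo_on ? ECHO : 0);
    t.c_cc[VERASE] = 0x7f;          /* DEL */
    t.c_cc[VKILL] = 0x15;           /* ^U */
    t.c_cc[VINTR] = 0x03;           /* ^C */
#ifdef VWERASE
    t.c_cc[VWERASE] = 0x17;         /* ^W */
#endif
    return t;
}

int main(void)
{
    struct termios pw = sample_remote_tty(0);
    char last[64];
    size_t n = batch_keys(&pw, "secrte\x7f\x7f" "et\r", last, sizeof(last));

    printf("noecho prompt: %zu block(s), %zu bytes in the last\n", n, strlen(last));
    return 0;
}
```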
Re: SSH question (4.3)
Hi! On Wed, Sep 10, 2008 at 10:00:23PM +0200, Toni Mueller wrote: On Wed, 10.09.2008 at 13:56:23 +0200, Hannah Schroeter [EMAIL PROTECTED] wrote: (I.e. check whether there's some intervening dir that's not accessible to user admin/group admin, but to group wheel). that was the problem, thanks! You're welcome. Kind regards, --Toni++ Kind regards, Hannah.
Re: Little update to authpf
Hi! On Thu, Sep 11, 2008 at 07:52:14AM -0500, Todd T. Fries wrote: I think you might want to check to see if the file exists not just if the asprintf succeeds.. But yes I do agree this is useful functionality that I've tested quite thoroughly... Another nit in the patch: Index: authpf.c === RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v retrieving revision 1.107 diff -u -r1.107 authpf.c --- authpf.c 14 Feb 2008 01:49:17 - 1.107 +++ authpf.c 11 Sep 2008 12:49:09 - @@ -314,10 +314,22 @@ signal(SIGQUIT, need_death); signal(SIGTSTP, need_death); while (1) { + struct stat sb; + char *path_message; + printf(\r\nHello %s. , luser); printf(You are authenticated from host \%s\\r\n, ipsrc); setproctitle([EMAIL PROTECTED], luser, ipsrc); - print_message(PATH_MESSAGE); + + if (asprintf(path_message, %s/%s/authpf.message, + PATH_USER_DIR, luser) == -1) + do_death(1); + if (stat(path_message, sb) == -1) { How about checking whether it's a regular file, too? if (stat(path_message, sb) == -1 || ! S_ISREG(sb.st_mode)) { ... } [...] Kind regards, Hannah.
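Review bot: in the added block inside while (1), path_message is filled by asprintf() on every pass of the loop and the visible lines show no free(); unless the elided remainder releases it, build the path once before the loop or free it at the end of each iteration. The stat() check is also only a snapshot of the path: if the message file is then opened by name, opening it first and applying fstat() plus the S_ISREG test to the descriptor closes the window between check and use.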
Re: Little update to authpf
Hi! On Thu, Sep 11, 2008 at 03:28:07PM +0200, Henning Brauer wrote: * Hannah Schroeter [EMAIL PROTECTED] [2008-09-11 15:20]: On Thu, Sep 11, 2008 at 07:52:14AM -0500, Todd T. Fries wrote: I think you might want to check to see if the file exists not just if the asprintf succeeds.. But yes I do agree this is useful functionality that I've tested quite thoroughly... Another nit in the patch: Index: authpf.c === RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v retrieving revision 1.107 diff -u -r1.107 authpf.c --- authpf.c14 Feb 2008 01:49:17 - 1.107 +++ authpf.c11 Sep 2008 12:49:09 - @@ -314,10 +314,22 @@ signal(SIGQUIT, need_death); signal(SIGTSTP, need_death); while (1) { + struct stat sb; + char *path_message; + printf(\r\nHello %s. , luser); printf(You are authenticated from host \%s\\r\n, ipsrc); setproctitle([EMAIL PROTECTED], luser, ipsrc); - print_message(PATH_MESSAGE); + + if (asprintf(path_message, %s/%s/authpf.message, + PATH_USER_DIR, luser) == -1) + do_death(1); + if (stat(path_message, sb) == -1) { How about checking whether it's a regular file, too? to preven symlinks? nah... stat follows symlinks, so that's no problem. However it'll prevent directories, pipes, sockets and devices. Kind regards, Hannah.
Re: SSH question (4.3)
Hi! On Wed, Sep 10, 2008 at 12:55:00PM +0200, Toni Mueller wrote: [...] debug1: trying public key file /H/admin/.ssh/authorized_keys2 ls -ld /H /H/admin /H/admin/.ssh /H/admin/.ssh/authorized_keys /H/admin/.ssh/authorized_keys2 (I.e. check whether there's some intervening dir that's not accessible to user admin/group admin, but to group wheel). [...] Kind regards, Hannah.
Re: Stop in line 888 of Makefile
Hi! On Thu, Sep 04, 2008 at 08:01:35AM -0700, Doug Milam wrote: ln: /obsd: Operation not permitted *** Error code 1 Stop in /usr/src/sys/arch/i386/compile/GENERIC (line 888 of Makefile). --running as root Have you ever set an immutable flag? (ls -lo /bsd /nbsd /obsd) Kind regards, Hannah.
Re: Can OpenBSD run in 24 MB of RAM?
Hi! On Thu, Sep 04, 2008 at 06:19:30PM +0200, Paul de Weerd wrote: On Thu, Sep 04, 2008 at 04:46:07PM +0200, Paul de Weerd wrote: | Oh come on .. there's no challenge in 16M. Less, that's where it gets | really interesting (if you're in to BSDM, of course ;) OK, at 8MB it runs with a non-GENERIC kernel, still booting with all the default services (including ntpd). Logging in over ssh is slow as molasses, but it works (swap is not an option - it's mandatory now ;) That were times when encrypted/kerberized telnet was really useful, back then, when I really used small boxen as router. Even with more RAM, ssh was *slow* (because of CPU) on some boxen, while e/k telnet was quite fast still. [...] The first idiot to send me a dmesg of a working (real, no VMWare trickery like I'm doing) machine with less memory can come by to pick up a better machine (at least with more RAM) for free. (I may have more machines I want to get rid of and am too lazy to take out to the trash, first come first served) About 10 years ago, I built a dedicated bridge-only system, using a 386 or 486 (don't remember any more, it was at times when obsd actually *did* run, when GPL_MATH_EMU wasn't dropped from the kernel yet). It ran on *4* MB of RAM, highly custom kernel, of course. Floppy only, no hard disk. The only way to fix/customize the box was to generate a new floppy image on my build host. The floppy was derived from the very old kernel install stuff (crunchgen/crunchide based binary, initialization shell script, but not ramdisk, but floppy as root filesystem!). IIRC the box could be run without any fan, i.e. noiseless, and bridged 2 10-mbit coax based ethernets quite fine (fine in relation to what was fine *then*!). Kind regards, Hannah.
Re: suexec: disabled; invalid wrapper /usr/sbin/suexec
Hi! On Sun, Aug 31, 2008 at 05:01:20PM -0400, Jeremy Huiskamp wrote: Did you read suexec(8)? Wouldn't one also need to copy over the suexec binary to the chroot for chrooted httpds, nowadays? That isn't mentioned in the suexec(8) manual page. Kind regards, Hannah.
Re: keyboard encoding
Hi! On Tue, Jul 29, 2008 at 05:20:55PM +, Christian Weisgerber wrote: Hannah Schroeter [EMAIL PROTECTED] wrote: This is a box that has *no* PS/2 connectors any more. But it still has a PS/2 keyboard controller. You're right: [...] That's quite unfortunate though if you can't affect the non-X11 keyboard mapping of secondary keyboards at all. If you don't want to touch the startup scripts, you can just disable pckbc in the kernel. Would also be possible, of course. But as currently I only touch the keyboard mapping in wsconsctl.conf, using /etc/kbdtype instead works for me for now. But thanks for the hint to yet another possibility, which helps once I need other wscons settings. Kind regards, Hannah.
Re: keyboard encoding
Hi! On Mon, Jul 28, 2008 at 07:30:35PM +, Christian Weisgerber wrote: Hannah Schroeter [EMAIL PROTECTED] wrote: Is your keyboard an USB one? I observe the same with an USB keyboard. - keyboard.encoding=us.swapctrlcaps has no effect (in /etc/wsconsctl.conf) These settings only affect the _first_ keyboard in the system (wskbd0). Unfortunately, for a PC that is usually the PS/2 keyboard, even if none is plugged in. This is a box that has *no* PS/2 connectors any more. But it still has a PS/2 keyboard controller. Check your dmesg. It probably includes something like this: pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 You're right: $ grep pckb /var/run/dmesg.boot pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 $ That's quite unfortunate though if you can't affect the non-X11 keyboard mapping of secondary keyboards at all. (And btw, in X11, somehow the setup of the keyboard mapping from /etc/X11/xorg.conf is delayed, since about mid-December 2007. Before, the mapping from there, and from a few xmodmap settings loaded in .xinitrc, took effect immediately when X was up from startx, now it takes quite some time, perhaps half a minute or so, for them to take effect. Related to X11 privsep changes? Later changes using setxkbmap take effect immediately, btw.) Kind regards, Hannah.
Re: keyboard encoding
Hi! On Tue, Jul 29, 2008 at 03:53:37PM +0200, Mats O Jansson wrote: On Tue, 29 Jul 2008, Hannah Schroeter wrote: On Mon, Jul 28, 2008 at 07:30:35PM +, Christian Weisgerber wrote: Hannah Schroeter [EMAIL PROTECTED] wrote: Is your keyboard an USB one? I observe the same with an USB keyboard. - keyboard.encoding=us.swapctrlcaps has no effect (in /etc/wsconsctl.conf) These settings only affect the _first_ keyboard in the system (wskbd0). Unfortunately, for a PC that is usually the PS/2 keyboard, even if none is plugged in. [...] That's quite unfortunate though if you can't affect the non-X11 keyboard mapping of secondary keyboards at all. Thats not correct. /sbin/kbd will change keyboard settings on ALL keyboards that has support for the requested keyboard map. wsconsctl has -f which allows you select which keyboard you are applying the change to. For keyboard operations /dev/wskbd0 is default if not specified. read the man page! Thanks for the hints. I see /etc/rc still can use /sbin/kbd to set the keyboard type from /etc/kbdtype, in addition to load wsconsctl settings from /etc/wsconsctl.conf (but the latter only to the default control devices, to load settings to a *specific* different control device, it seems you need to setup something on your own, e.g. in /etc/rc.local). (And btw, in X11, somehow the setup of the keyboard mapping from /etc/X11/xorg.conf is delayed, since about mid-December 2007. Before, the mapping from there, and from a few xmodmap settings loaded in .xinitrc, took effect immediately when X was up from startx, now it takes quite some time, perhaps half a minute or so, for them to take effect. Related to X11 privsep changes? Later changes using setxkbmap take effect immediately, btw.) It will always take the mapping from xorg.conf if it is defined there. If no keyboard language is specified X11 will now make a guess depending on which keyboard layout wscons has. 
But since X11 is reading the keyboard raw any change made to wscons after X11 is started doesn't change anything in X11. No problem. I set the X11 keyboard layout using X11 means (xorg.conf, setxkbmap, xmodmap). I just complained about the *delay* for the initial setup from xorg.conf. That delay was introduced around in December 07. Before that, the keyboard setup from xorg.conf used to be in effect immediately after startup, now, directly after startup, it seems to be the keyboard setup taken from wscons, and after about half a minute, it suddenly changes to be that from xorg.conf. Kind regards, Hannah.
Re: keyboard encoding
Hi! On Tue, Jul 29, 2008 at 05:33:42PM +0200, Louis V. Lambrecht wrote: Hannah Schroeter wrote: [...] No problem. I set the X11 keyboard layout using X11 means (xorg.conf, setxkbmap, xmodmap). I just complained about the *delay* for the initial setup from xorg.conf. That delay was introduced around in December 07. Before that, the keyboard setup from xorg.conf used to be in effect immediately after startup, now, directly after startup, it seems to be the keyboard setup taken from wscons, and after about half a minute, it suddenly changes to be that from xorg.conf. Rem: the XkbLayout option in xorg.conf is a list which happens to only have one member most of the time. This said, in order to use the keyboard applet under GNOME, I needed ln -s /etc/X11/xkb /usr/X11R6/lib/X11/xkb might explain some delay? I don't think so. X11 *does* eventually setup the keyboard right, it just has a delay, i.e. it first has the wrong keyboard mapping, later the right one, without any user action. And I do *not* use GNOME or any other desktop environment. Keyboard switching is present in XFCE, but only enable the default. Switching is planned for later versions. I don't use xfce either. I use fvwm2 from ports, but for keyboard switching (rarely needed, usually the initial mapping from xorg.conf plus a few xmodmap settings, once it's active after the initial delay, is ok for me) I use shell scripts involving setxkbmap and re-loading my xmodmap modifications, called either from xterm manually, or from the fvwm2 menu. Now, for the VT's, there *must* be a way. Thinking of the luit filter, now part of stock xorg. Luit filters source codeset and displays target codeset. Intended for UTF-8 and the UNICODEs, what would prevent it to translate US-8859-1 from/to DE-8859-15 ? Didn't try though. Still convinced there must be easier ways. luit isn't for keyboard mapping, but, as you said, for character encoding. 
I don't use it (usually doing iso-8859-1 using a non-utf-8 xterm, for the rare instances I need utf-8, I use uxterm, and I nearly never need anything besides those two). Kind regards, Hannah.
Re: keyboard encoding
Hi! On Mon, Jul 28, 2008 at 04:22:37PM +0200, Tony Berth wrote: I have in 4.3 with a default US keyboard. When I set wsconsctl keyboard.encoding=de in order to get a German one, nothing happens! I get following reply: keyboard.encoding - de but my keyboard is still on the US charset! What do I miss? Is your keyboard an USB one? I observe the same with an USB keyboard. - keyboard.encoding=us.swapctrlcaps has no effect (in /etc/wsconsctl.conf) - The keyboard doesn't work at all in the kernel (e.g. boot -a - no way to continue) It works before, i.e. up to and including the boot prompt, and then again when init starts. This is a box that has *no* PS/2 connectors any more. Kind regards, Hannah.
Re: OpenBSD 4.3 FAQ in PDF?
Hi! On Tue, Jul 22, 2008 at 09:32:15AM -0500, Daniel A. Ramaley wrote: On Tuesday July 22 2008 09:04, you wrote:

for i in 1 2 3 4 5 6 7 8 9; do
    ftp http://openbsd.org/faq/faq0${i}.html
done
for i in 10 11 12 13 14 15; do
    ftp http://openbsd.org/faq/faq${i}.html
done

Wouldn't it be simpler to be done in one loop?

for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
    ftp http://openbsd.org/faq/faq${i}.html
done
ftp http://openbsd.org/faq/index.html

Note that the 2 loops are not the same. You'd need:

for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
    ftp http://openbsd.org/faq/faq`printf %02d $i`.html
done

The number list could be collapsed into `seq 1 15` on a system with seq installed.

jot(1) helps.

$ jot 15 1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
$ jot -w%02d 15 1
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
$

Kind regards, Hannah.
Re: UPDATE: mozilla-firefox-3.0
Hi! On Thu, Jul 17, 2008 at 12:54:15AM -0400, Jason Dixon wrote: On Wed, Jul 16, 2008 at 06:59:44PM -0700, Jason LaRiviere wrote: Flash has a place on the web, just like any other rich media format. It should be used responsibly, as semantically as possible, and degrade nicely for those who care not to use it. I make every effort to use it within these guidelines, and present them as gospel to my clients. Many (most?) modern web developers do too, except for the ones at a Flex conference who still think drawing entire websites in Flash is a good idea. Shame on them, but they are a dying breed. Flash has one huge technical benefit. There are a number of sites that generate large amounts of dynamic images. Doing this in a fast and efficient manner requires an enormous amount of computing resources. Using flash pushes that work out to the client where it can be rendered on their own system. What about four letters: Java? One advantage: No blob required. And at least a *bit* more portable. And will eventually be quite open source. Kind regards, Hannah.
Re: UPDATE: mozilla-firefox-3.0
Hi! On Wed, Jul 16, 2008 at 03:38:35PM -0600, Mark Pecaut wrote: On 7/16/08, Marco Peereboom [EMAIL PROTECTED] wrote: I for one am glad there is no plugin for that infectious disease called flash. But then how will I watch Ow! My balls! videos online? What will I do? There's plenty of add-ons for firefox/... to download them. E.g. DownloadHelper (which knows how to download the stuff from much more than youtube/google video). Kind regards, Hannah.
Re: OT: Dissertation ideas for my degree
Hello! On Tue, Jun 24, 2008 at 07:06:53PM +0400, Vadim Zhukov wrote: 20 June 2008 22:13:12 Julien Cabillot wrote: On Wed, 18 Jun 2008 23:53:33 +0100, Edd Barrett [EMAIL PROTECTED] wrote: Paul Irofti wrote: Or a cli music database collection, that scans your media with given regexp and scans for ID3 Tags and what not, with minimal user interaction. mpd + ncmpc? In ports :) ncmpc is cool, but writing the password in clear text in arguments is not a good solution. You can set up the password in an environment variable. In such cases I write wrapper scripts (say, ~/bin/ncmpc.my) and, possibly, add a shell alias like ncmpc=~/bin/ncmpc.my. Writing clear text in the environment is no better than in arguments. See the -e option in ps(1) (look for -e in the manual page). Kind regards, Hannah.
Re: broken dependencies ?
Hi! On Sun, Jun 22, 2008 at 12:08:39PM +, Stuart Henderson wrote: On 2008-06-22, Mihai Popescu B.S. [EMAIL PROTECTED] wrote: [...] I can send the exact errors. It will be copy by hand, since my OBSD computer is almost not installed, without X. If you're using any unix-like system, you should definitely learn about redirection in the shell...

Redirection is cool. E.g.

make build 2>&1 | tee make.out

(if you want to watch it live too, however you can do that too by tail -f on the output file). or

make build > make.out 2>&1

Assuming a bourne shell (or ksh or bash, i.e. anything of the bourne-like family). In the csh family tree that'd be

make build |& tee make.out

or

make build >& make.out

Kind regards, Hannah.
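The Bourne-shell redirections from the message above as a runnable sketch, added here and not part of the original mail. `fake_build` is a made-up stand-in for `make build`; the block also shows two points the mail leaves implicit: the order of the redirections matters, and a pipeline into tee reports tee's exit status rather than the build's.

```shell
#!/bin/sh
# Constructed stand-in for "make build": one line on stdout, one on stderr,
# and a failing exit status like a broken build.
fake_build() {
    echo "cc -c foo.c"
    echo "foo.c:1: error: constructed sample" >&2
    return 2
}

# Correct order: stdout is pointed at the file first, then stderr is
# duplicated onto wherever stdout now goes. Prints the build's exit status.
log_both() {
    status=0
    fake_build > "$1" 2>&1 || status=$?
    echo "$status"
}

# Wrong order: stderr is duplicated onto the *current* stdout (normally the
# terminal, /dev/null in this demo) before stdout is moved to the file,
# so the error line never reaches the log.
log_wrong_order() {
    status=0
    { fake_build 2>&1 > "$1"; } > /dev/null || status=$?
    echo "$status"
}

# Pipeline into tee: the log is complete, but the status printed is tee's,
# so a failed build looks like success (0).
log_tee() {
    status=0
    fake_build 2>&1 | tee "$1" > /dev/null || status=$?
    echo "$status"
}

# Same pipeline, with the build's status carried around tee on descriptor 3.
log_tee_keep_status() {
    status=$( { { rc=0; fake_build 2>&1 || rc=$?; echo "$rc" >&3; } \
                | tee "$1" > /dev/null; } 3>&1 )
    echo "$status"
}
```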
Re: broken dependencies ?
Hi! On Sun, Jun 22, 2008 at 12:08:39PM +, Stuart Henderson wrote: [...] If you're using any unix-like system, you should definitely learn about redirection in the shell... In my last post, I got so distracted about redirection, but another point: script(1) can also be useful more often than not. Kind regards, Hannah.
Re: OT: Dissertation ideas for my degree
Hi! On Thu, Jun 19, 2008 at 07:53:49PM -0400, bofh wrote: On Thu, Jun 19, 2008 at 7:34 PM, Darrin Chandler [EMAIL PROTECTED] wrote: How about a distributed network file system with RAID-like redundancy. Bonus for self tuning behavior (this machine gets shut down every night, don't rely on it being there). Something like the infamous googlefs? I'd be interested. Lots of difficult things still left to do. For that, I'd think a generic user space filesystem binding layer would be cool. We *do* have the hooks for the AFS client (/sys/xfs/). But are they generic enough? Would it perhaps help to have FUSE compatible interfaces? [...] Kind regards, Hannah.
Re: OT: Dissertation ideas for my degree
Hi! On Thu, Jun 19, 2008 at 06:26:54PM -0500, Jacob Yocom-Piatt wrote: Paul Irofti wrote: [...] Do the CLI SIP Phone! I wanted to code that for so long, but the SIP protocol and its friends tend to go so far as time just wasn't enough. But it would be pretty cool to have that. i would absolutely love to see this one go and it would be very useful. maybe script some ssh-ing into it to allow for easy proper call encryption? ;) SIP/RTP are UDP based, so no fun with ssh. And... There're *standards* for encrypting both SIP and RTP. Just not with (enough) widespread implementation, alas. [...] Kind regards, Hannah.
Re: tcpdump -s0
Hi! On Wed, Jun 18, 2008 at 10:32:04AM -0400, arthur wrote: -s0 always error with 'invalid snaplen 0' and the man page doesn't mention how to capture full frame. However, the man of tcpdump support s0 (http://www.tcpdump.org/tcpdump_man.html) You don't invoke the manual page of OpenBSD's tcpdump via looking at a foreign web page. Either use man tcpdump on your OpenBSD box or use http://www.openbsd.org/cgi-bin/man.cgi I see nothing about a special handling of 0 as value for the option -s there. How could I capture full messages. Use an appropriate high value (e.g. as high as the MTU of the interface) for -s. Kind regards, Hannah.
Re: tcpdump -s0
Hi! On Wed, Jun 18, 2008 at 10:52:43AM -0400, arthur wrote: On Wed, Jun 18, 2008 at 10:32:04AM -0400, arthur wrote: -s0 always error with 'invalid snaplen 0' and the man page doesn't mention how to capture full frame. However, the man of tcpdump support s0 (http://www.tcpdump.org/tcpdump_man.html) You don't invoke the manual page of OpenBSD's tcpdump via looking at a foreign web page. Either use man tcpdump on your OpenBSD box or use http://www.openbsd.org/cgi-bin/man.cgi I see nothing about a special handling of 0 as value for the option -s there. Thanks for the quick reply. I did check the OpenBSD man and find out 'the man page doesn't mention how to capture full frame' (as in my email, sorry for my English) Okay... Just: OpenBSD's tcpdump is not the same as the other tcpdump. How could I capture full messages. Use an appropriate high value (e.g. as high as the MTU of the interface) for -s. I will do that. BTW, do you know is there any limitation of the number. I don't know of any, but I don't have the time now to check more thoroughly. Kind regards, Hannah.
Re: [Perl/locales] Warning about locales
Hi! On Sun, Jun 15, 2008 at 11:46:28AM -0700, F. Caulier wrote: [...] I tried to figure out why this problem occurs and following to that I noticed that this perllocale warning only comes up when dropping a pkg_* directly in xterm. When using screen in an xterm and dropping pkg_* to it everything will work fine. Same for tty shells without X where everything works fine too. I don't know much about this terminal stuff, but if everything beside XTerm works fine, could it be that XTerm itself and not the locales are the problems' source? Maybe XTerm doesn't manage to pass on the locales correctly? I don't get those warnings in xterm directly, either. Try env | egrep 'LANG|LC_' in xterm. That shows your environment settings. Then look for where those variables are set. The locations depend on your shell. /etc/profile, /etc/csh.*, /etc/ksh.kshrc, $HOME/.profile, $HOME/.login, $HOME/.bash*. grep them for LANG and LC_ For me, using the default (i.e. LANG and LC_... unset, which is the same as if they were set to C) works well. Could be screen just filters those settings out. Could be that xterm executes a login shell and screen not or vice versa. Some questions: - Is this bug a dangerous one or can I ignore it safely? Probably not dangerous. - Is this a bug related to XTerm? No. - Should I set the LC_TYPE and LANG variables in /etc/login.conf? (Is this a clean solution?) No. - If I want to get the OpenBSD's default locale (is this C/POSIX or another one?) back what file should I link to whom? (Following Pieter's workaround) No link. Just unset the environment variables in your shell startup files. Use the default /etc/profile etc. Setup your shell startup files in the home directories to *not* change the LANG and LC_... environment variables. - What about copying a CL_TYPE file from [0] in to the concerned directory which is listed by perl? [0] http://www.openbsd.org/cgi-bin/cvsweb/src/share/locale/ctype/?only_with_tag=OPENBSD_4_3_BASE What's CL_TYPE? 
locate CL_TYPE yielded nothing, even with a source tree and a CVS repository installed. Kind regards, Hannah.
Re: [Perl/locales] Warning about locales
Hi! On Sun, Jun 15, 2008 at 03:26:05PM -0600, Philip Guenther wrote: [...] ... I found a workaround:

# ln -s /usr/share/locale/en_GB.ISO8859-1 /usr/share/locale/en_US.UTF-8

That seems like a really bad idea to me. UTF-8 and ISO8859-1 are fundamentally different: UTF-8 uses variable-length characters while ISO8859-* uses fixed-width (8bit) characters. Giving the locale calls the same data for those two is likely to result in incorrect behavior for all characters > 127. Wouldn't it be better to simply not lie and just set the locale to en_US.ISO8859-1?

Doesn't work for me either:

$ LANG=en_GB.ISO8859-1 perl -e 1
perl: warning: Setting locale failed. [...]
$ LANG=en_GB.ISO-8859-1 perl -e 1
perl: warning: Setting locale failed. [...]

[...] If nothing obvious sticks out, consider debugging further by checking the environment seen by your .xsession (if you xdm) by adding a line like this:

env > $HOME/.xsession-env.out

to it. Similarly, check the shell's environment by doing something similar from your .profile.

Oh, right. grepping .xsession or .xinitrc for LANG and LC_ could help too.

I tried to figure out why this problem occurs and following to that I noticed that this perllocale warning only comes up when dropping a pkg_* directly in xterm. When using screen in an xterm and dropping pkg_* to it everything will work fine. Same for tty shells without X where everything works fine too. Windows inside screen inherit their environment from the original screen process. So, how do you start the initial (daemon) screen process? From outside X, before running xinitrc? From your .xinitrc or .xsession? From an xterm?

Or it could be a login-shell vs. non-login shell difference.

I don't know much about this terminal stuff, but if everything beside XTerm works fine, could it be that XTerm itself and not the locales are the problems' source? Maybe XTerm doesn't manage to pass on the locales correctly? Something is setting LC_CTYPE to an unsupported value. 
That's the program that needs to be fixed. Or OpenBSD could get more locale support *ducks*. (No, I'm not complaining so much, and I'm currently not up to having enough time and energy for coding it). [...] Kind regards, Hannah.
Re: OpenSSL On Openbsd help
Hi! Even if I'm not the OP, this is a good guide... Cool. On Sat, Jun 14, 2008 at 10:42:37AM -0700, Dustin Lundquist wrote: [...] The process of setting up signed cert is as follows:

1. Generate your private key and secure file permissions (you want to do this in a secure fashion, i.e. on the box directly as a root or a private user). Guard this file: if it is compromised the security SSL provides is compromised:

openssl genrsa -out secure.example.com.key 4096
chmod 400 secure.example.com.key

Before all that: umask 077, so there'll be no window of time when the key will be group/world readable.

[...]

3. Send the CSR (you can open the file and copy and paste the contents into an email, or the certificate authority's website) to the certificate authority along with whatever other documentation they require (their job is to verify you are who you are requesting a certificate for before signing the key, they usually require some proof of domain ownership and everything else you entered in step 2).

4. You will then receive your signed certificate, you can either keep the certificate in a separate file from your private key, or cat them together to make a .pem file:

cat secure.example.com.key secure.example.com.cert > secure.example.com.pem; chmod 400 secure.example.com.pem

Configure apache to use your new cert and key:

SSLCertificateFile /etc/ssl/secure.example.com.cert
SSLCertificateKeyFile /etc/ssl/secure.example.com.key

- or -

SSLCertificateFile /etc/ssl/secure.example.com.key

Again, before the cat, use umask 077, for the same reason.

Since apache is chrooted, have to restart it to read the new key and certificate. Dustin Lundquist

Again, thanks for the cool explanations and step-by-step kind of guide. Will probably be helpful for more than the original poster. Kind regards, Hannah.
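The umask advice from the message above as a runnable sketch, added here and not taken from the original mails. The helper names (`perms`, `window_mode`, `private`, `is_private`) are made up for this example, and the files written are constructed stand-ins for key material so the block runs without openssl; the closing comment shows the same wrapper around the commands from the thread.

```shell
#!/bin/sh
# perms FILE: print the permission string of FILE, e.g. "-rw-------".
perms() { ls -ld "$1" | cut -c1-10; }

# window_mode FILE: create FILE the way "generate, then chmod 400" does under
# a common default umask, and print the mode it carries *before* chmod runs.
# That mode is what other local users can use during the window.
window_mode() {
    ( umask 022
      echo "constructed stand-in for key material" > "$1"
      perms "$1"
      chmod 400 "$1" )
}

# private CMD [ARG...]: run CMD with umask 077 in a subshell, so every file
# it creates starts out without group/other bits and the caller's umask is
# left untouched.
private() { ( umask 077; "$@" ); }

# is_private FILE: succeed only if FILE has no group or other permission bits.
is_private() {
    case "$(perms "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# The same wrapper around the commands from the thread (not run here):
#   private openssl genrsa -out secure.example.com.key 4096
#   private sh -c 'cat secure.example.com.key secure.example.com.cert \
#                  > secure.example.com.pem'
#   is_private secure.example.com.pem || echo "pem is too open" >&2
```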
Re: Here's a trivial question. . .
Hi! On Thu, Jun 12, 2008 at 02:29:41AM -0700, Sean Kamath wrote: Why is sendmail in /usr/src/gnu/usr.sbin? sendmail is patently not a GNU application, and has a modified Berkeley license? The license is so severely modified that its effect is more like GPL than like BSDl/ISC. E.g. you must distribute source (1.b), under the same terms as the original license. That is, if you create a derivative work, the license is infective (just like the GPL), in my eyes. So it's just similarly restrictive as the GPL, just in less words. Kind regards, Hannah.
Re: make build question
Hi! On Wed, Jun 11, 2008 at 09:50:07AM +0200, Jesus Sanchez wrote: Hi, using 4.2. Can I do a make build of the base system without set previously a DESTDIR, and after the build take the bins I want from the /usr/obj tree?? What do you mean by take? Make build w/o DESTDIR already installs things in the running system. Does release(8) answer your question? Kind regards, Hannah.
Re: This seems like a good idea
Hi! On Sat, May 17, 2008 at 04:18:07PM +0200, ropers wrote: 2008/5/17 Curt Micol [EMAIL PROTECTED]: http://leaf.dragonflybsd.org/mailarchive/kernel/2008-05/msg00038.html Here is some more information including a list of keys: http://metasploit.com/users/hdm/tools/debian-openssl/ Thought I'd share. It's possible I am wrong and this isn't a good idea, but I can't think of any reason why it isn't. I can actually think of an entirely theoretical reason why the exclusion of the affected keys could conceivably, hypothetically be considered to be disadvantageous: It reduces the key space; i.e. future attackers of systems that have blacklisted these keys might know that they have a few less combinations to try. It excludes 32k or 64k possibilities out of *how many*? Frankly, how many 512 or even more bit prime numbers are there? (You generate two roughly 512 bit primes for a 1024 bit RSA key, that's the main grounds for the key space of 1024 RSA keys.) See http://en.wikipedia.org/wiki/Prime_number#Counting_the_number_of_prime_numbers_below_a_given_number for a basic reference on that question: The *rough* estimate is, the number of prime numbers below n is roughly n/ln n. So the number of 512 bit prime numbers is roughly (2^512 / ln 2^512) - (2^511 / ln 2^511). The base 2 logarithm of that, according to bc, is about 502. So we have about 502 bits of entropy to spend on *one* of the primes. If we exclude 2^16 of them, so what? Even if we excluded 2^501 of them, we'd still have 501 bits of entropy left. [...] Kind regards, Hannah.
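The estimate from the message above, reproduced with awk instead of bc as an added example (not part of the original mail). The function names `prime_bits` and `bits_after_excluding` are made up here; the arithmetic is done on base-2 logarithms so that 2^512 never has to fit into a floating-point number, and the same functions work for other prime sizes.

```shell
#!/bin/sh
# prime_bits BITS: log2 of the estimated number of primes with exactly BITS
# bits, from pi(n) ~ n/ln n:
#     2^BITS / ln 2^BITS  -  2^(BITS-1) / ln 2^(BITS-1)
# The common factor 2^(BITS-1) is pulled out of both terms.
prime_bits() {
    LC_ALL=C awk -v b="$1" 'BEGIN {
        ln2  = log(2)
        frac = 2 / (b * ln2) - 1 / ((b - 1) * ln2)
        printf "%.1f\n", (b - 1) + log(frac) / ln2
    }'
}

# bits_after_excluding BITS K: log2 of how many BITS-bit primes remain after
# 2^K of them are blacklisted, using
#     log2(2^t - 2^K) = t + log2(1 - 2^(K - t))
bits_after_excluding() {
    LC_ALL=C awk -v b="$1" -v k="$2" 'BEGIN {
        ln2   = log(2)
        total = (b - 1) + log(2 / (b * ln2) - 1 / ((b - 1) * ln2)) / ln2
        if (k >= total) {
            print "blacklist is larger than the estimate" > "/dev/stderr"
            exit 1
        }
        printf "%.1f\n", total + log(1 - exp((k - total) * ln2)) / ln2
    }'
}

# prime_bits 512                -> estimate for one prime of a 1024 bit RSA key
# bits_after_excluding 512 16   -> after blacklisting 2^16 candidates
# bits_after_excluding 512 501  -> after (hypothetically) blacklisting 2^501
```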
Re: build a release
Hi! On Thu, May 15, 2008 at 02:05:14PM +0100, banana split wrote: slowly by slowly I'm approaching to openbsd. I've made some humble progress in this last month and I've a couple of questions concerning the building the system from sources. 1) the $RELEASEDIR is filled with *.tgz after issued the make release but I have these (ignored) errors at the end: . cd /usr/src/etc/../distrib/sets exec sh maketars 43 base: done. comp: done. etc: done. game: done. man: done. misc: done. cp /usr/dest/snapshot/*bsd* /usr/rel cp /usr/dest/snapshot/*boot* /usr/rel cp /usr/dest/snapshot/cdbr /usr/rel cp /usr/dest/snapshot/*BOOT* /usr/rel cp: /usr/dest/snapshot/*BOOT*: No such file or directory *** Error code 1 (ignored) cp /usr/dest/snapshot/cd*.iso /usr/rel cp /usr/dest/snapshot/Packages /usr/rel cp: /usr/dest/snapshot/Packages: No such file or directory *** Error code 1 (ignored) cp /usr/dest/snapshot/INSTALL.* /usr/rel cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel cp: /usr/dest/snapshot/*.fs.gz: No such file or directory *** Error code 1 (ignored) cd /usr/rel; md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs *.iso *.gz *.tgz MD5 md5: cannot open *BOOT*: No such file or directory md5: cannot open Packages: No such file or directory md5: cannot open *.gz: No such file or directory cd /usr/rel sort -o MD5 MD5 (ignored): any explanation is welcomed As others said, that's ok. 2) after made the release I clean all the stuff around in the following way: rm $RELEASEDIR rm $DESTDIR rm -rf /usr/obj/* cd /usr/src make clean No need for the last step. If you do a new build, my usual cleanup sequence is rm -rf /usr/obj/* cd /usr/src find . -type l -name obj -execdir rm {} \; make obj Starting from that, you can build again (special pre-build steps if needed, build/install/reboot new kernel, make build, perhaps make release). Kind regards, Hannah.
Re: fsck large filesystem, memory limit problem
Hi! On Mon, May 12, 2008 at 05:49:57PM +0200, Otto Moerbeek wrote: [...] The fsck_ffs code allocates a number of arrays directly depending on the # of inodes in setup(), totalling 4 bytes per inode. Some other data is also needed, so it's no surprise you hit the 1G data space limit. Any chance to get rid of that 1G limit that seems more and more arbitrary nowadays? I remember reading that just upping that define in /usr/src/sys/arch/i386/include/vmparam.h doesn't help, i.e. that something else interacts with that parameter too. I know that on processors that have neither PAE nor non-PAE NX support one might not be able to protect all writable data from execution eventually, if a program should in fact allocate more than 1G (once the kernel should need to allocate it with lower virtual addresses). However, the kernel could be made to prefer high addresses for writable, non-executable data (mmap without PROT_EXEC), and the super-user is to decide on how she sets up the data size resource limits, so if that's <= 1G the protection should remain to be fine. [...] Kind regards, Hannah.
Re: fsck large filesystem, memory limit problem
Hi! On Mon, May 19, 2008 at 03:00:08PM +0200, Otto Moerbeek wrote: On Mon, May 19, 2008 at 02:38:35PM +0200, Hannah Schroeter wrote: On Mon, May 12, 2008 at 05:49:57PM +0200, Otto Moerbeek wrote: [...] Any chance to get rid of that 1G limit that seems more and more arbitrary nowadays? I remember reading that just upping that define in /usr/src/sys/arch/i386/include/vmparam.h doesn't help, i.e. that something else interacts with that parameter too. I know that on processors that have neither PAE nor non-PAE NX support one might not be able to protect all writable data from execution eventually, if a program should in fact allocate more than 1G (once the kernel should need to allocate it with lower virtual addresses). However, the kernel could be made to prefer high addresses for writable, non-executable data (mmap without PROT_EXEC), and the super-user is to decide on how she sets up the data size resource limits, so if that's <= 1G the protection should remain to be fine. protection bits is only one of the things. there are more issues to consider when enlarging MAXDSIZE. for example, how do you divide the memory between sbrk() and mmap()? How does Linux do it (where you can allocate about 3G of memory, IIRC their kernel is mapped at about 0x3000u which sets the boundary)? Who does still use sbrk() after OpenBSD's malloc uses mmap only? Where does the break for sbrk() start? If mmap() tends to allocate far away from the break first, it impairs sbrk() as little as possible/as late as possible. Of course, one can always construct pathological scenarios where you can't allocate the full amount of memory due to fragmentation, but even then there'll be more available than the current 1G, and errors due to fragmentation can still be signalled (ENOMEM). No reason to refuse allocations that *would* succeed. -Otto Kind regards, Hannah.
Re: port/package messages about manual optional configuration?
Hi! On Sun, May 18, 2008 at 03:49:24PM +, Jay wrote: The important messages from installing packages/ports. There is something I have noticed in various package/port systems, including OpenBSD, Debian, and more. Here is an example:

$ sudo pkg_add python
--- python-2.5.2 ---
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
 ln -sf /usr/local/bin/python2.5 /usr/local/bin/python
 ln -sf /usr/local/bin/pydoc2.5 /usr/local/bin/pydoc

Now, in this case, I have installed just one package, interactively, so the point is mostly moot. But for the scenario of installing something with dependencies, something that takes a while, where I walk away and come back much later, these important messages, these messages about optional manual configuration, should be collected somewhere for my perusal. Maybe they already are?

pkg_info -M package_name
pkg_info -M -a
man 1 pkg_info

Thanks, - Jay

Hope that helps. Kind regards, Hannah.
Re: port/package messages about manual optional configuration?
Hi! [Your quoting is severely messed up, please fix it; your line lengths too] On Sun, May 18, 2008 at 06:53:16PM +, Jay wrote: That helps, thanks. How about though for the scenario where I just installed something, and all its dependencies, without knowing what they are? Like: cd /usr/ports/x11/kde sudo make install Seems like maybe the install messages should be logged somewhere specific? maybe sudo make install | tee lookthroughthislater.txt I guess I should use tee or more. Ah, this is close: cd /var/db/pkg pkg_info -M * That's about the same as pkg_info -M -a You know, at least it tells me for everything installed on my machine, not necessarily sorted by time or anything. You can, of course, get an approximation by ls -tr on /var/db/pkg (however already installed packages where dependencies are registered get touched, too). Also see script to record what happens on a make install/pkg_add session. - Jay Kind regards, Hannah.
Re: Editing C with...
Hi! On Sun, May 04, 2008 at 11:42:53AM -0400, Nick Holland wrote: ropers wrote: 2008/5/4 Nick Holland [EMAIL PROTECTED]: [vim] alters files in unexpected ways, which I consider a major sin. I didn't know that, and cursory googling didn't turn up anything enlightening. Could you elaborate? Thanks and regards, --ropers It might have been better if I had said, alters my input, instead of implying that I edit a file with vim and it gets saved differently than loaded without my deliberately changing anything. And yes, tabs and auto indent were some of the things. Now, nvi has auto-indent too (:set ai), just not enabled by default. I also had an experience with it auto-inserting line breaks which caused me large amounts of problem. Could happen with nvi too (:set wrapmargin=42). Just not enabled by default. All this stuff is there for a reason, and is great for the intended purposes. HOWEVER, it's annoying as heck when one's purposes don't jive with the editor's defaults. Now, on *OpenBSD*, the defaults of vim are quite sane IMO. (I.e. syntax highlighting, auto-indent, text wrapping, smart-tabs, tab expansion, etc. *off* by default, I have to enable all the fancy I really want in my $HOME/.vimrc). It's vim as it's distributed on some Linux distributions that sucks rocks through tiny holes. Yes, all those defaults can be changed, but on the machine I was fighting with at the time, they were in some very inappropriate for my needs, and quite unexpected behavior for something I invoked with the command vi. I won't dispute vim is a great editor...I just dislike it pretending to be vi on some distributions of another OS. In all likelihood, it COULD pass as vi, but not with all the options turned on. Yes. Probably it works for me especially because I mostly use it on OpenBSD. :-) Nick. Kind regards, Hannah.
Re: Editing C with...
Hi! On Wed, May 07, 2008 at 04:55:55PM +0100, overdrive openbsd wrote: I don't want to start a flamewar, but I will say my experience; after lot of years using vi and vim, I decide 'taste' emacs. Now I can see that the major part of users those use vi/vim is because they never tried more than 5 minutes on emacs or directly they never tried. Now I am more productive (-; of course stupid devels will be stupid in vi or emacs, but they will be slower to write their stupid code! I beg to differ. Used emacs (back then when 19 was the current version, heck, even *ported* emacs 19 to my machine then) for quite a long time and moved to vim. Bottom line: YMMV. Find the tool(s) that fit(s) you best and get proficient in it/them. Borja Tarraso Kind regards, Hannah.
Re: mknod fails after wrong arch MAKEDEV
Hi! On Sun, May 04, 2008 at 03:09:25PM +, Paul Pruett wrote: Isn't /tmp mounted with option nodev, by chance? Would not explain it failing in /dev [...] How does it fail? Try for example (manually): mkfifo foo mknod foo c 1 1 You see mknod fail with File exists. Even on a filesystem *not* mounted nodev. (But then, MAKEDEV uses rm -f before mknod, as far as I can see, so that should not be the problem.) What *can* be an issue is that mknod inside a chroot is not allowed, as well as mknod as non-root (except for pipes, i.e. mknod path p, which is the same as mkfifo path). Kind regards, Hannah.
Re: Solved: Re: chroot issues with accessing /dev/ entries
Hi! On Sun, Apr 27, 2008 at 04:47:53PM +0200, Torsten wrote: OK, thank you, that got me onto the right track, now I think I know what the problem is: mount_mfs. /sbin/mount_mfs -s 9 swap /mnt Is there a way to have devices under that mountpoint? Of course, just mknod(8) them (each time after creating the mfs), Thanks everybody for your help. For whatever reason it did not work (for me) to just copy (pax) the /dev/* files from / to my ramdisk-mountpoint (/mnt). The files were there but always caused a failed to open error when used from within the chrooted environment. It also did not work to first chroot and then (within the chroot environment) create the files with mknod.

The latter is clear: mknod is blocked even for root while chrooted. See the kernel sources, /usr/src/sys/kern/vfs_syscalls.c, function sys_mknod():

	if ((error = suser(p, 0)) != 0)
		return (error);

If you aren't root, forget it.

	if (p->p_fd->fd_rdir)
		return (EINVAL);

If you're inside a chroot, fail with error code EINVAL.

What worked was first creating the files with mknod and then chroot. *nods* You can also use /dev/MAKEDEV for creating the devices. Kind regards, Hannah.
Re: chroot issues with accessing /dev/ entries
Hi! On Sat, Apr 26, 2008 at 05:51:22PM +0200, Torsten wrote: # tcpdump tcpdump: Failed to open bpf device for fxp0: Device not configured Is /tmp mounted nodev? OK, thank you, that got me onto the right track, now I think I know what the problem is: mount_mfs. This is how I set up the ramdisk: /sbin/mount_mfs -s 9 swap /mnt Is there a way to have devices under that mountpoint? Of course, just mknod(8) them (each time after creating the mfs), after having mounted the mfs without the nodev flag. Or use the -P flag to mount_mfs. Kind regards, Hannah.
Re: install42.iso hangs....any ideas?
Hi! On Wed, Apr 16, 2008 at 04:44:38AM -0700, Unix Fan wrote: [...] That was not what I was talking about, I know how to burn CD/DVD's, obviously, I was asking of DVD-RAM drives/disks can be used just as if they're sd(4) devices, read/write calls, i.e: UFS on a disk, mounted read/write. (Please wrap your lines) IIRC not, I have a DVD-RAM drive and it probes as cd(4), not as sd(4). And btw, IIRC our UFS/FFS implementation does still not cope well with sector sizes != 512 (which makes MO drive usage difficult too, as they *are* sd(4), but with 2048 byte sectors). Or has that, at least, been fixed in-between? IIRC, DVD-RAM has larger sectors, too, and *usually* one uses UDF2 there (our UDF support is 1.1, read-only, only). Kind regards, Hannah.
Re: VIA Announces Strategic Open Source Driver Development Initiative
Hi! On Wed, Apr 09, 2008 at 10:12:49PM +0200, frantisek holop wrote: hmm, on Wed, Apr 09, 2008 at 03:35:18PM -0400, bofh said that Sun learnt a lot of lessons when it tried to merge sparc and x86 code bases together around the solaris 2.4 time, iirc. That's why things like zfs are endian neutral. OpenBSD started in the multi cpu world to begin with. i might be wrong, but i thought as of yet, not everything is endian neutral in openbsd (carp?) FFS itself (the on-disk layout). In contrary, ext2 *is*. -f Kind regards, Hannah.
Re: Problems reading audio cdrom on 4.2 sparc64
Hi! On Wed, Apr 09, 2008 at 05:49:57PM +, Jacob Meuser wrote: On Wed, Apr 09, 2008 at 06:25:53PM +0200, Hannah Schroeter wrote: On Wed, Apr 09, 2008 at 03:47:26PM +, Stuart Henderson wrote: On 2008-04-09, Unix Fan [EMAIL PROTECTED] wrote: If you want to dump the contents into PCM audio, look in the ports.. install cdrtools and use the cdda2wav application. No need for 3rd party software for this simple task, take a look at cdio(1). It does a lot more than you probably expect. Nice, but it can't rip to stdout (for example to encode the data in a pipe, e.g. into mp3 or ogg/vorbis, w/o storing the uncompressed audio inbetween). cdda2wav/cdparanoia *can* do that. (Frontends like grip, can't, again, alas.) $ mkfifo track01.wav $ ffmpeg -i - track01.mp3 track01.wav $ cdio cdrip 1 Probably works, but *yuck*. Kind regards, Hannah.
Re: Use of 'Puffy' Logo
Hi! On Wed, Apr 09, 2008 at 01:21:34AM +0200, Martin Schröder wrote: 2008/4/9, Matthew Smith [EMAIL PROTECTED]: A search of the site for a style guide or media pack has failed to turn up anything so I thought that I would ask here: how do I obtain Click on the logo on the front page. I read there (http://www.openbsd.org/art1.html): but do not make profit from them since our own T-shirt sales provide funding so that OpenBSD can continue to operate. Recently it was said on a mailing list, that T-shirt sales do *not* provide net funding, only donations and *CD* sales do. Which is true? Kind regards, Hannah.
Re: Firefox 2.0.0.12
Hi! On Wed, Apr 09, 2008 at 12:07:53AM +0200, Zbigniew Baniewski wrote: On Tue, Apr 08, 2008 at 09:50:21PM +, james wrote: Include /usr/local/mozilla-firefox in the ldconfig line and run the ldconfig command through /usr/local/mozilla-firefox/run-mozilla.sh (or manually set LD_LIBRARY_PATH to include /usr/local/mozilla-firefox) I think, the latter method is better suitable for including individual cases. Or perhaps: would be, instead of is - because there's still no desired effect. I can't see any difference. I'm afraid, it can't be solved right now; currently it's just the way it is, and one has to live with that.

It *felt* a bit faster after this:

cd /usr/local/mozilla-firefox/
: Include firefox dir to shared library path
ldconfig -m /usr/local/mozilla-firefox
: prebind
ldconfig -PS mozilla-firefox-bin
: Exclude firefox dir again
ldconfig -U /usr/local/mozilla-firefox
: Rescan the normal shared libraries, to be sure
ldconfig -R

Kind regards, Hannah.
Re: Use of 'Puffy' Logo
Hi!

On Wed, Apr 09, 2008 at 09:46:00AM -0600, Theo de Raadt wrote:
> [...]
> The project does not receive a dime from tshirt (or poster or sticker or puffy doll) sales, and never has.
> [... more explanation ...]

Thanks for your prompt explanation (and editing of the web page).

Kind regards,

Hannah.
Re: Problems reading audio cdrom on 4.2 sparc64
Hi!

On Wed, Apr 09, 2008 at 03:47:26PM +, Stuart Henderson wrote:
> On 2008-04-09, Unix Fan wrote:
>> If you want to dump the contents into PCM audio, look in the ports.. install cdrtools and use the cdda2wav application.
> No need for 3rd party software for this simple task, take a look at cdio(1). It does a lot more than you probably expect.

Nice, but it can't rip to stdout (for example to encode the data in a pipe, e.g. into mp3 or ogg/vorbis, w/o storing the uncompressed audio in between). cdda2wav/cdparanoia *can* do that. (Frontends like grip, can't, again, alas.)

Kind regards,

Hannah.
Re: Firefox 2.0.0.12
Hi!

On Tue, Apr 08, 2008 at 04:34:49PM +0200, Zbigniew Baniewski wrote:
> On Tue, Apr 08, 2008 at 02:51:32PM +0200, Dusty wrote:
>> I use Seamonkey. It works. Why use Seamonkey? It is more resource friendly than running Firefox+Thunderbird+whatever.
> Both are starting in about the same - long - time: 20 seconds... :/ (Pentium II 400, 256 MB RAM, SATA drive, OpenBSD 4.2) Perhaps someone could make a tip, how could I make that start-up period shorter? Yes, I know: buy new hardware. Any other available solutions?

Doesn't help. With 1GHz and 768 MB RAM, it takes two-figure amounts of seconds, too. Deleting the XPC.mfasl and XUL.mfasl files in your profile occasionally can help a *bit* in some aspects of performance, but as far as I can observe, not in startup time.

> There should be the other ones; on the NetBSD 3.1 Firefox is ready to work in about 4 seconds... quite a difference, isn't it?

Do they already do prebinding?

Kind regards,

Hannah.
Re: zombies
Hi!

On Wed, Mar 12, 2008 at 12:05:29PM +0200, Liviu Daia wrote:
> On 12 March 2008, Lars Noodén wrote:
>> [...]
>> And, is there a generic way to prevent them? The cause is a perl CGI called by apache2
> Depending on what you're doing, make the parent wait(2) for the processes or setsid(3).

setsid(2) (yes, it's section 2 on OpenBSD) doesn't make the child lose the connection to the parent. See the source of daemon(3) for how to use setsid in connection with fork and exit (in fact _exit) to make a process disconnect from its parent and its controlling terminal etc.

Kind regards,

Hannah.
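The fork, setsid and _exit sequence discussed in this message, as an added C example (not part of the original message and not the daemon(3) source). Unlike daemon(3), the caller here stays alive and reaps a short-lived intermediate child, which is an assumption about what a long-running parent such as a web server needs; `spawn_detached` and `sample_job` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the long-running work (hypothetical). */
void sample_job(void) { sleep(1); }

/* Hypothetical helper: run job() in a process that is no longer the
 * caller's child, so the caller is never left with a zombie for it. */
int spawn_detached(void (*job)(void))
{
    int status, fd;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Intermediate child: new session, no controlling terminal.
         * setsid() alone does not change who the parent is. */
        if (setsid() == -1 || (pid = fork()) == -1)
            _exit(1);
        if (pid > 0)
            _exit(0);   /* _exit(): skip atexit handlers and stdio flushing */
        /* Worker: its parent just exited, so it is reparented to init,
         * which reaps it when it finishes. */
        if (chdir("/") == -1 || (fd = open("/dev/null", O_RDWR)) == -1)
            _exit(1);
        dup2(fd, STDIN_FILENO);
        dup2(fd, STDOUT_FILENO);
        dup2(fd, STDERR_FILENO);
        if (fd > STDERR_FILENO)
            close(fd);
        job();
        _exit(0);
    }
    /* Caller: the intermediate child exits at once; reap it right away. */
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR)
            return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    if (spawn_detached(sample_job) == -1)
        return 1;
    /* ECHILD: nothing left to wait for, so no zombie can accumulate. */
    return (waitpid(-1, NULL, WNOHANG) == -1 && errno == ECHILD) ? 0 : 1;
}
```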
Re: floppy.fs
Hi!

On Tue, Mar 04, 2008 at 11:22:11PM -0700, Paul Greidanus wrote:
> I'm just wondering how many people out there are using the floppy.fs installer still? I'm wondering if it would be a worthwhile thought to expand past the 1.44Mb limit for the CD and .rd install options if there are features that can be added to the installer. No, I'm not thinking a gui/menu based installer as the main reason, but there might be benefits to something like that.

I used one recently to fix something on a box here at work. The box *has* a CD-ROM drive (even DVD-ROM) but we don't have easy access to CD/DVD *writers* and couldn't wait for shipment of a ready-made CD (e.g. the official OpenBSD one). So had to write an install floppy, boot it, use s and what is available there was enough to fix things up to being able to boot from hard disk again and fix the rest from there.

> Paul

Kind regards,

Hannah.
Re: /etc/ttys fields for reading from tty00
Hi!

On Sun, Mar 02, 2008 at 09:05:53PM +0900, AE sysadmin wrote:
> Dear List,
> I am crafting C util to read data from tty00 (amd64, i386; connected to the data src device directly by serial cable). What should I put in /etc/ttys for the tty00 to make sure I am doing things correctly? The util is to be run as root. Would be grateful for any pointers.

IMO you don't need /etc/ttys entries for terminals unless you need the terminal to be managed by init(8) or tty flags to be set by ttyflags(8) at boot, or your own program wants to read information from the ttys file using the ttyent family of functions (getttyent(), getttynam(), setttyent(), endttyent()).

For normal tty access, you need open/close/read/write, perhaps adorned by O_NONBLOCK (if you need to open the terminal line even though no carrier is detected) and probably a few terminal controls (see tty(4) and termios(4), using ioctl(2) and/or the functions described in the tcsetattr(3) manual page).

Kind regards,

Hannah.
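The open and termios steps described in this message, as an added C example (not part of the original message). The helper names `tty_set_raw` and `serial_open`, the raw 8N1 framing, the 9600 baud speed and the `/dev/tty00` device path are assumptions; O_NOCTTY is added so a tool run as root does not pick up the line as its controlling terminal.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical helper: raw 8N1 at `speed`, modem control lines ignored. */
int tty_set_raw(int fd, speed_t speed)
{
    struct termios t;
    if (tcgetattr(fd, &t) == -1)
        return -1;                      /* ENOTTY: fd is not a terminal */
    t.c_iflag &= ~(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON);
    t.c_oflag &= ~OPOST;
    t.c_lflag &= ~(ECHO | ECHONL | ICANON | ISIG | IEXTEN);
    t.c_cflag &= ~(CSIZE | PARENB | CSTOPB);
    t.c_cflag |= CS8 | CREAD | CLOCAL;  /* CLOCAL: do not wait for carrier */
    t.c_cc[VMIN] = 1; t.c_cc[VTIME] = 0; /* read() returns once 1 byte is in */
    if (cfsetispeed(&t, speed) == -1 || cfsetospeed(&t, speed) == -1)
        return -1;
    return tcsetattr(fd, TCSANOW, &t);
}

/* Hypothetical helper: open a serial line for reading; returns fd or -1. */
int serial_open(const char *path, speed_t speed)
{
    /* O_NONBLOCK: open() returns even though no carrier is detected.
     * O_NOCTTY: the line must not become our controlling terminal. */
    int fl, fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);
    if (fd == -1)
        return -1;
    if (tty_set_raw(fd, speed) == -1 || (fl = fcntl(fd, F_GETFL)) == -1 ||
        fcntl(fd, F_SETFL, fl & ~O_NONBLOCK) == -1) {  /* back to blocking reads */
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char buf[256];
    ssize_t n;
    int fd = serial_open("/dev/tty00", B9600);  /* path and speed: assumptions */
    if (fd == -1) { perror("/dev/tty00"); return 1; }
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    return close(fd);
}
```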
Re: Watching the progress of dd if=drive1 of=drive2
Hi!

On Sat, Feb 23, 2008 at 09:31:00PM +, Alexey Vatchenko wrote:
> On 2008-02-23, Brian A. Seklecki (Mobile) wrote:
>> It should accept SIGINFO (control+G) on most terminals.
> Isn't it control+T?

By default it isn't mapped at all. So use stty status ^t, for example, before starting dd. (Or other commands that do something useful with SIGINFO, like ping or dump.)

Kind regards,

Hannah.
Re: ssh_config, chroot, or user rights to restrict user access?
Hi!

On Thu, Feb 21, 2008 at 01:49:02PM +0200, Lars Noodén wrote:
> 1) What is the timeline for completely dropping scp?

I hope never.

[...]

Kind regards,

Hannah.