Re: NFS mount option in fstab
On 9/7/24 11:03 AM, Rob Schmersel wrote:
> Hi, Where can I find a description of the options I can set in fstab for nfs mounts?

They should be all described in the "-o options" sections of mount(8) and mount_nfs(8). However it looks like the list for mount_nfs(8) isn't complete (you can see them in /src/sbin/mount_nfs/mount_nfs.c). Additional options include "bg", "conn", "dumbtimer", "intr", "nfsv3", "rdirplus", "mntudp", "resvport", "soft", "tcp", and "nfsv2".

Digging around a bit, https://man.freebsd.org/cgi/man.cgi?query=mount_nfs provides some info on their version of the flags, if that helps.

Matthew
Re: How to configure fastcgi with httpd?
On 8/31/24 8:32 AM, Sadeep Madurange wrote:
> Hello, I have a python script (flask.py) with the following content on an OpenBSD 7.5 server:
>
>     #! /usr/local/bin/python3
>     print("hello, world!")
>     . . .
>
> Then I added the following config to /etc/httpd.conf:
>
>     server "localhost" {
>         listen on * port 8080
>         location "/*" {
>             fastcgi {
>                 param SCRIPT_FILENAME "/cgi-bin/flask.py"
>             }
>         }
>     }
>
> restarted httpd, and executed the following curl request:
>
>     $ curl http://localhost:8080/
>
> However, I keep getting 500 internal server error. Not sure what I'm doing wrong, so any help is much appreciated.

First, it looks like your script is written with the expectation of behaving like a CGI script: a process spawned by the web server and configured so that stdout of the script is the body of the HTTP response. That's not how FastCGI works.

Since your httpd.conf doesn't specify a socket, httpd(8) is looking for a Unix domain socket at /var/www/run/slowcgi.sock, created and managed by an external program (like your Python script) to speak FastCGI over. You probably want/need an existing Python3 FastCGI server to handle those details; I'm not a big Python developer but it seems like flup-py3 is what you want for that.

That might be enough to get you started, or point you in the right direction.

Matthew
Re: What is the best way to move a VM to a bigger image?
On 2023-05-06 11:54 am, Hannu Vuolasaho wrote:
> Hello, I made a silly mistake when I set up my VM and my disk image is too small for my next operation. My plan is to give the new image to the VM, run a minimal install on it so I get the boot loader installed. Also disklabel will be good.
> ...
> Is this a good way to skin this cat? Or is there a better way to do it?

It's fine, but I took it a different route recently, for a VM that I've been using for a year or two but realized I needed more space. It wasn't that hard to resize. However, it is worth calling out that recreating a VM can be a good way to find out what you need, and don't need, on it.

If you go for the resize, you'll need the qemu-img tool from the qemu package in order to make sure the disk image is in qcow2 format (you can convert from a raw image if necessary), and then change its size. From there you can do partition and filesystem manipulation from within the VM. If you need to do something more complicated than add filesystems or grow the last partition, you should probably add more disk images or consider starting from a fresh install.

Matthew
Re: Home folder default permission
On 2023-03-23 11:53 am, ch...@qatland.com wrote:
> I did not look at the code at all for this. Only using existing programs. If this should not be working then a patch will be needed somewhere.

I didn't give it a try, but I took your report at face value and looked closer at the code. When it copies /etc/skel over, it does so with a command like "pax -rw -pe /etc/skel /home/$USER" (https://github.com/openbsd/src/blob/869ed59d760a94e6086f364d91f2b56074421cc9/usr.sbin/user/user.c#L316) which sets all permissions, starting with /etc/skel. That's why it behaved as you observed, the way the original poster wanted.

> However I will state that having the ability to set the default permissions somewhere would be useful, and a requirement in some environments.

I agree, not that I have any say. It's also worth pointing out that you can have multiple skeleton directories and specify which one you want to use when you run the program; there's no need to change the default skeleton directory (or, it's possible to keep a traditional readable-by-all skeleton directory around even if you make it not the default).

Matthew
Re: Home folder default permission
On 2023-03-23 7:54 am, ch...@qatland.com wrote:
> useradd makes use of the permissions of /etc/skel. The default is 755. If you change it to 750 new user directories will then have 750 as the default on their home directories.

Does it? Looking at the code, it doesn't copy /etc/skel, it runs "mkdir -p $HOME" (https://github.com/openbsd/src/blob/869ed59d760a94e6086f364d91f2b56074421cc9/usr.sbin/user/user.c#L1208)

I wonder if running

    UMASK=`umask` && umask 077 && useradd ; umask "$UMASK"

would be sufficient.

The related adduser command (https://github.com/openbsd/src/blob/master/usr.sbin/adduser/adduser.perl) explicitly creates the home directory with permissions 0755, although that should be affected by umask as well.

Matthew
Re: SSL error with dovecot + roundcube
On 7/8/20 7:57 PM, Aisha Tammy wrote:
> On dovecot's side, I get:
>
>     Jul 8 20:28:59 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=98.109.25.191, lip=108.61.81.40, TLS handshaking: SSL_accept() failed: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca: SSL alert number 48, session=
>
> I think this might be some error with either ssl lib things in php or something similar. (An unlikelier scenario is that I have some errors with my dovecot imap ssl, but every other client, thunderbird/fairmail/k-9 mail are authenticating fine)

I think it's actually a lot more likely, but you don't provide much information about how you configured dovecot. The dovecot error is that it doesn't recognize the CA, which suggests the client (roundcube) is *sending* a certificate. If you a) turned on 'ssl_verify_client_cert' in Dovecot, b) set 'local_cert' in $config['imap_conn_options']['ssl'] in Roundcube, c) did not configure a client certificate with any other client, and d) did not have 'ssl_ca' set correctly in dovecot, I believe you would get this error.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Cannot start conversation using talk
On 2020-02-19 9:48, b...@0x1bi.net wrote:
> I verified the output of rcctl and inetd is running.

Did you restart inetd after editing inetd.conf? It has to decide what ports to listen on when it starts up, which means it isn't going to notice edits.

--
Matthew Weigel
Re: Generate ctags recursively.
On 2017-11-21 8:43, Venu Chakravorty wrote:
> Hello all, Although the ctags manual page for a typical Linux machine (https://linux.die.net/man/1/ctags) says that the `-R` switch can be used to generate a "tags" file recursively, the manual page for OpenBSD (https://man.openbsd.org/OpenBSD-6.2/ctags) does not mention how to achieve this. So how do I do this on OpenBSD? Am I missing something? Please help.

    rm tags; find . \( -name '*.h' -o -name '*.c' \) | xargs ctags -a

Let find(1) manage the recursive part.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Would you use OpenBSD on Power8, and if so what applications? (IBM asks! They're thinking about donating hw.)
On 2016-10-18 12:43, Jack J. Woehr wrote:

Routing, firewalling, DMZing, net address translation, OpenSSL, LibreSSL. :-)

--
Matthew Weigel
hacker unique & idempot . ent
Re: What do you use to manage contact info?
On 2016-03-03 21:36, Joe Er wrote:
> What do you use to manage your contacts? I am currently using the address book in Thunderbird and am wondering if there is something that is better.

I'm not proud of it, but I use egroupware. I almost never actually use the web interface, however; I rely on its CardDAV service. It keeps my contacts synchronized between Thunderbird on multiple computers and operating systems (via SoGo Connector), RoundCube (via the carddav plugin), and multiple Apple devices (used by different people in my family). In general I mostly interact directly with the Addressbook in iOS; Thunderbird and Roundcube are integrated primarily to make sure I can easily look up email addresses.

If I were starting over I would also consider ownCloud, but the security of this stuff is all terrible. Google's CardDAV service is probably more secure, to everyone but Google anyway, but I prefer to host my own. I do what I can to mitigate the security problems, and keep backups.

--
Matthew Weigel
hacker unique & idempot . ent
Re: 'ldap_bind: Operations error (1)' with ldapd-5.6
On 7/18/15 4:27 AM, Olivier Mehani wrote:
> My root user is authenticated with BSDAUTH. The rest of the users with an md5crypt in the userPassword. This works with the version from 5.5 with a range of applications (ownCloud, Wordpress, PHPLDAPAdmin, ...).

md5crypt...? Well, there's your problem. From http://www.openbsd.org/plus56.html:

    * Removed md5crypt from crypt(3).

So ldapd(8) is passing the hash string along to crypt(3) when checking the user's password and crypt(3) is unable to handle it. You'll need to start migrating these password hashes.

--
Matthew Weigel
hacker unique & idempot . ent
Re: 'ldap_bind: Operations error (1)' with ldapd-5.6
On 2015-07-14 6:07, Olivier Mehani wrote:
> Did anybody encounter the same issue? Is there a known cause? How could this be solved?

I'm running 5.6 and using ldapd without issue. Can you clarify how your test user is authenticated (BSD Auth? A crypt hash in the userPassword attribute?)?

--
Matthew Weigel
hacker unique & idempot . ent
Re: Failed cron jobs are silent
On 1/3/15 1:05 PM, Fred wrote:
> man 5 crontab not man 1 crontab :~)

No, the behavior he described is accurate: cron(8) sends email if a job produced output, irrespective of its exit status. Google is littered with people trying to figure out how to get cron(8) to send email based on exit code... so it's certainly a common problem. Maybe some Unix decided to send email based on exit status, but OpenBSD's does not.

--
Matthew Weigel
hacker unique & idempot . ent
Re: OpenBSD embedded?
On 12/4/14, 6:53 AM, Brad Smith wrote:
> On 12/04/14 07:05, Alan McKay wrote:
>> On Thu, Dec 4, 2014 at 1:15 AM, Vivek Vinod wrote:
>>> We have been using Mikrotik routerboards for 7 years
>>
>> Huh? With OpenBSD on them?
>
> There are 3 PowerPC based RouterBOARDs. AFAIK the RB600 is supported at the moment by the socppc port. The RB800 and RB850Gx2 boards would probably be relatively easy to add support for.

I wish. :-(

They both have e500v2 PowerPC cores in them, which have a different floating point unit from the e300 (the core supported by socppc), meaning the powerpc binaries shared by socppc and macppc can't run on those boards... never mind the Book E changes required in the kernel.

Later Power cores (e500mc, e5500, e6500) revert the FPU, so I think they 'should' be able to share arch/powerpc binaries, but a) nobody (including me) has done the necessary work in the kernel to run on them, and b) I'm not aware of hardware such as RouterBoards that use the newer cores.

--
Matthew Weigel
hacker unique & idempot . ent
Re: LDAPD indexed key doesn't exist!
On 10/19/14, 4:36 PM, Predrag Punosevac wrote:
> I am using stack ldapd on the AMD 5.5 release to manage about 100 users in our distributed UNIX environment. I have noticed the following log message for three users
>
>     LDAPD indexed key [uid=somebody,ou=users,] doesn't exist!
>
> There is nothing at first glance appearing different about those three people. Could somebody point me in the right direction and where should I look for the problem.

I haven't looked too closely at that code, but could you try to re-index the ldapd database?

    # ldapctl -v index

See if that either fixes the problem or says anything more about it...

--
Matthew Weigel
hacker unique & idempot . ent
Re: LDAP and default shell
On 8/28/14, 7:19 AM, Predrag Punosevac wrote:
> The only weird thing I noticed comparing to 5.5 release is that system overrides default user shell defined in LDAP database.

From passwd(5):

    If the entry contains non-empty uid or gid fields, the specified numbers will override the information retrieved from the YP maps. Additionally, if the gecos, dir, or shell entries contain text, it will override the information included via YP.

>     # tail -n 1 /etc/master.passwd
>     +:/bin/ksh

Later in that same paragraph in passwd(5) is a recommendation for what to put in /etc/master.passwd instead.

--
Matthew Weigel
hacker unique & idempot . ent
Re: LDAPD attribute and ACL'S
On 07/25/2014 05:48 AM, Bambero wrote:
> Hi
> Is it possible to give write access only for userPassword field? Something like:
>
>     allow write access to attr=userPassword by self

There are no per-attribute permissions in the base ldapd(8). I think the 'normal' way to accomplish this is to create a user who does have write permission to users' entries, and then write a program that will authenticate as that DN to modify passwords on users' behalf.

--
Matthew Weigel
hacker unique & idempot . ent
Re: ldapd(8) binary incompatibility, 5.4 -> 5.5
On 7/22/14, 9:37 PM, Matthew Weigel wrote:
> into it, I started up ldapd(8) and connected to it with ldapvi(1) from ports. I wrote out the contents of that buffer to a separate file, and

Actually I didn't notice it this weekend but ldapvi(1) has --in and --out arguments that do exactly the right thing - just read and write straight LDIF files.

--
Matthew Weigel
hacker unique & idempot . ent
Re: ldapd(8) binary incompatibility, 5.4 -> 5.5
On 7/22/14, 9:03 PM, Olivier Mehani wrote:
>> I ended up having to create a 5.4 VM (I stuck with the same amd64 arch as my actual server, and have not investigated or tested under what constraints this might work across architectures) to load the ldapd(8) database files, use third party LDAP tools to create a text dump in LDIF format, and then load the LDIF into an empty database of 5.5 ldapd(8).
>
> I'm currently trying to cobble together a binary importer which reads 5.4 dbs, and writes them as 5.5 dbs. It's a bit ugly, based on frankensteined code from ldapd and ldapctl. I haven't found a straight way to write back into a file, so I'm trying to go down the compacting way, which appears to be rewriting an entirely new database. Hopefully, it should work in the end.
>
> I thought about the VM/dump option, but all I could find was for slapd (using slapcat). Could you give more details on the tools you use?

Someone else asked about this off the list. After setting up the VM and copying /etc/ldapd.conf, /etc/ldap/*.schema, and /var/db/ldap/*.db into it, I started up ldapd(8) and connected to it with ldapvi(1) from ports. I wrote out the contents of that buffer to a separate file, and that was my not-exactly-LDIF text backup.

To add those entries to the 5.5 server, I replaced the numeric identifier ldapvi(1) uses for existing entries with the special key 'add' like so:

    0 dc=example,dc=net
    objectClass: dcObject
    objectClass: organization
    objectClass: top
    dc: example
    o: example.net
    description: Account and Group LDAP Identity Database

was changed to

    add dc=example,dc=net
    objectClass: dcObject
    objectClass: organization
    objectClass: top
    dc: example
    o: example.net
    description: Account and Group LDAP Identity Database

I had to use ldapadd(1) from the openldap-client package to populate the root object before ldapvi(1) would work, however. I think I also had to add the structure of the LDAP tree first, and do a second round of edits to populate leaf nodes.

>> It looks like particularly the btree_stat and btree_meta structs used in the ldapd(8) btree implementation are the culprits, as it looks like they are the only time_t bits actually stored on disk. Since it appears my problems are now solved, I'm mostly sending this message as a heads up in case there is anyone still getting ready to upgrade to 5.5 that uses ldapd(8).
>
> I think only the btree_meta is relevant, as I don't see the btree_stat being written on disk.

Maybe, I didn't dig too deep into it once I solved my problems.

--
Matthew Weigel
hacker unique & idempot . ent
ldapd(8) binary incompatibility, 5.4 -> 5.5
I finally upgraded my last machine - that runs ldapd(8) for user logins, mail aliases, and a few other odds and ends - from 5.4 to 5.5. I'm left wondering if I'm the only one who actually uses the stock ldapd(8), because it is not called out at all in upgrade55.html as having problems with the Year 2038 fixes that went into 5.5.

I ended up having to create a 5.4 VM (I stuck with the same amd64 arch as my actual server, and have not investigated or tested under what constraints this might work across architectures) to load the ldapd(8) database files, use third party LDAP tools to create a text dump in LDIF format, and then load the LDIF into an empty database of 5.5 ldapd(8).

It looks like particularly the btree_stat and btree_meta structs used in the ldapd(8) btree implementation are the culprits, as it looks like they are the only time_t bits actually stored on disk.

Since it appears my problems are now solved, I'm mostly sending this message as a heads up in case there is anyone still getting ready to upgrade to 5.5 that uses ldapd(8). Something probably deserves to be in upgrade55.html as well, but I don't have a repeatable, documented procedure for what I did.

--
Matthew Weigel
hacker unique & idempot . ent
Re: new OpenSSL flaws
On 06/06/2014 10:04 PM, Solar Designer wrote:
> OpenBSD having declined to use the tool shouldn't be interpreted e.g. by
> OpenSSL as a reason not to notify LibreSSL directly.

It seems worth noting that OpenBSD 5.5, the current release that many people are running, incorporates OpenSSL, not LibreSSL. There can't be really any question of OpenBSD users not being affected because they are using a forked version that might not be vulnerable; that fork is still in development.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Authentication with LDAP on OpenBSD
On 05/27/2014 10:50 PM, Predrag Punosevac wrote:
> and edited /etc/ypldap.conf as:
>
>     # $OpenBSD: ypldap.conf,v 1.4 2012/04/30 12:16:43 ajacoutot Exp $
>
>     domain "autonlab.org"
>     interval 60
>     provide map "passwd.byname"
>     provide map "passwd.byuid"
>     provide map "group.byname"
>     provide map "group.bygid"
>     # provide map "netid.byname"
>
>     directory "atlas.int.autonlab.org" {
>         # directory options
>         binddn "cn=admin,dc=autonlab,dc=org"
>         basedn "dc=autonlab,dc=org"
>         # basedn "ou=users,dc=autonlab,dc=org"
>         # starting point for groups directory search, default to basedn
>         # groupdn "ou=group,dc=autonlab,dc=org"
>
>         # passwd maps configuration (RFC 2307 posixAccount object class)
>         passwd filter "(objectClass=posixAccount)"
>
>         attribute name maps to "uid"
>         fixed attribute passwd "*"
>         attribute uid maps to "uidNumber"
>         attribute gid maps to "gidNumber"
>         attribute gecos maps to "cn"
>         attribute home maps to "homeDirectory"
>         attribute shell maps to "loginShell"
>         fixed attribute change "0"
>         fixed attribute expire "0"
>         fixed attribute class ""

That should be the login class you created in login.conf that authenticates via LDAP (in your case, "ldap"). Speaking somewhat vaguely, the way this *should* work is that when the username is supplied, the system looks up the user to determine the login class to determine how to proceed with authentication. With users coming from ypldap, it should set the class to one that you've configured to authenticate via login_ldap.

> From that point on I could do ldapsearch, I could
>
>     /usr/libexec/auth/login_ldap -d -s login USERNAME ldap

(see? That last argument is specifying the login class, which is why it works)

> without and get logged in but could not make much sense of steps 3 and 4 of the article http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html

In your case /etc/defaultdomain should probably contain "autonlab.org". The lines in /etc/master.passwd and /etc/group are necessary to tell login to do YP lookups.

> which is clearly related to my inability to use LDAP password to ssh into shell gateway. After starting portmap and ypldap I could start ypbind but ypserv and yppasswdd daemons would fail to start to me due to the obvious reason that my defaultdomain has no YP servers.

The first paragraph of ypldap(8)'s description ends with "ypldap has the same role as ypserv(8) and the two daemons are exclusive." So don't run ypserv, just run ypldap and ypbind.

You also can't run yppasswdd(8) in this context, because yppasswdd only knows how to change local (to the server) accounts. Unfortunately there isn't an LDAP version of yppasswdd(8) at the moment, nor does base ldapd(8) support the necessary LDAP extensions for simple password change. It's something I've put some effort into, but I haven't had time to progress on it in quite a while.

> "To use other directory services except YP, you either need to populate local configuration files from the directory, or you need a YP frontend to the directory. For example, you can use the sysutils/login_ldap port when you choose the former, while the ypldap(8) daemon provides the latter."
>
> Which seems to indicate that I just need ypldap as a front end to my LDAP server.

That is poorly worded for sure. I think right now the best combination is the one you're trying, login_ldap and ypldap together.

--
Matthew Weigel
hacker unique & idempot . ent
Re: ypldap
On 04/08/2014 04:31 PM, Friedrich Locke wrote:
> Dear list members, I have just configured my system (yp) to retrieve information on groups and users. It's working 100% ok. Now, I would like to set some netgroups. How does netgroup work with ypldap?

Per ypldap.conf(5): "The currently implemented maps are: passwd.byname, passwd.byuid, group.byname, group.bygid."

--
Matthew Weigel
hacker unique & idempot . ent
Re: heartbleed ssl bug and ports or packages question
You should at least be able to know which of your packages have access to an SSL private key, and speak SSL.

You also need to recursively check each library dovecot links to... That libdovecot looks like a likely candidate for linking ssl.so.

That said, for dovecot, I THINK it uses dlopen at runtime to load ssl.so. You might try fstat on a running dovecot process that talks SSL.

--
Matthew Weigel

> On Apr 8, 2014, at 12:26 PM, Didier Wiroth wrote:
>
> Hello,
> I'm not a developer but more of an openbsd hobbyist.
> I'm using current with current packages that are a few days old.
>
> I patched my openbsd servers and revoked all my ssl keys, generated
> new ones and changed every possible password.
> Even though, as far as I understood, you can't be sure credentials
> have not been read out of memory and your system has not been
> compromised at some point in the past.
> Anyway, I had a look at the following patch and was reading the comments:
> <http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig>
> and came across this line:
> "Also recompile any statically-linked binaries depending on it"
>
> F.ex. I use dovecot:
>
>     # ldd `which dovecot`
>     /usr/local/sbin/dovecot:
>     Start          End            Type Open Ref GrpRef Name
>     04f81c50       04f81c913000   exe  1    0   0      /usr/local/sbin/dovecot
>     04fa2152c000   04fa219f4000   rlib 0    1   0      /usr/local/lib/dovecot/libdovecot.so.2.0
>     04fa1d89       04fa1dd7d000   rlib 0    1   0      /usr/lib/libc.so.74.0
>     04fa275a7000   04fa27aa4000   rlib 0    1   0      /usr/local/lib/libiconv.so.6.0
>     04fa2bb0       04fa2bb0       rtld 0    1   0      /usr/libexec/ld.so
>
> The following library is not listed: /usr/lib/libssl.so.20.0
> So I guess ssl was statically compiled in the dovecot package/port, as
> dovecot supports ssl and I currently use it.
>
> Is it possible to track which ports or packages have statically
> compiled in ssl support?
>
> Do I need to recompile/rebuild the port with the patched libssl library?
> or better ... but slower:
> Do I need to recompile every ports to be sure the bug can't be
> exploited on my openbsd systems?
>
> Thank you very much!
> Kind regards,
> Didier
Re: Dovecot bsdauth(user): unknown user
On 03/10/2014 02:57 AM, Атанас Владимиров wrote:
> Yes, the problem persists.

Oof. I didn't notice this earlier, but you're running -current, and this has seen some changes in the last week. You might want to take a look at this thread: http://marc.info/?t=13910782254&r=1&w=2

I don't have an easy way to test (not running -current or using passwd/bsdauth), and it's not clear from the discussion whether the changes that fixed dovecot in Brad's testing were committed or not. However, it looks like one more fix to getpwent.c was committed after your last update, and it's probably worth trying.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Dovecot bsdauth(user): unknown user
On 03/09/2014 03:25 PM, Атанас Владимиров wrote:
>> What happens if you just run "pwd_mkdb -c /etc/master.passwd" as root?
>> What about just "pwd_mkdb"? It looks like the error you're seeing in the
>> log ("bsdauth(vlado): unknown user...") comes down to a failure in
>> getpwent_r(), and would be causing problems before the user's login
>> class is relevant.
>
>     # pwd_mkdb
>     usage: pwd_mkdb [-c] [-p | -s] [-d directory] [-u username] file
>     # pwd_mkdb -c /etc/master.passwd
>     #
>
> It seems that everything is OK, isn't it?

Did the problems with "unknown user" persist afterward?

--
Matthew Weigel
hacker unique & idempot . ent
Re: Dovecot bsdauth(user): unknown user
On 03/09/2014 12:47 PM, Атанас Владимиров wrote:
> No, they had default login class. I'm still trying to find out some pattern
> when and why this behavior occurs. When I create new account with `useradd
> accountname` then set a password with `passwd accountname` and then
> `doveadm auth test accountname`, everything seems good. Then `usermod -L
> default accountname` and doveadm auth failed. When I created new account
> with adduser - doveadm failed.
> An old account on the system works fine no matter in which login class I
> move it. I tried to move my account to other class without any luck.
> Here is my login.conf. I can provide other info, too. Thanks for your time.

What happens if you just run "pwd_mkdb -c /etc/master.passwd" as root? What about just "pwd_mkdb"? It looks like the error you're seeing in the log ("bsdauth(vlado): unknown user...") comes down to a failure in getpwent_r(), and would be causing problems before the user's login class is relevant.

--
Matthew Weigel
hacker unique & idempot . ent
Re: openldap password fails to update
On 03/08/2014 03:11 PM, Stéphane Guedon wrote:
> when I use 127.0.0.1 in php scripts, I can use ldap.
> if the script is running with 'localhost' then, no ldap data...
>
> Any idea why ?
> I have checked host resolution...
> telnet localhost ldap gives the good behavior

Is PHP running inside a chroot? Does that chroot have an /etc/hosts with an entry for localhost?

--
Matthew Weigel
hacker unique & idempot . ent
Re: openldap password fails to update
On 03/08/2014 12:16 PM, Stéphane Guedon wrote:
>> I am looking through logs and config since the beginning of the
>> day... Actually, asking help on forums or mailing lists is always
>> my last step in solving problems...

We try to help. But... giving detailed descriptions of the problem, and showing relevant configs and logs the first time, goes a long way to helping people help you. Reading manuals helps too. Among others, ypldap(8), ypldap.conf(5), login.conf(5), login_ldap(8) from ports, and whatever manuals for OpenLDAP.

> But why can't I authenticate (using ssh or login) on the system ? Do I
> really have to go through ypldap ? Sounds not efficient to have an
> intermediate !

There are two separate mechanisms: how user information is looked up, and how users are authenticated. You provide zero details on how ypldap or login_ldap are configured, so it's hard to guess whether you have some configuration wrong.

I can say it works for me. The user lookup is configured (via +:: entries in /etc/passwd and /etc/group) to use YP routines. Thus the user is looked up in ypldap when they attempt to login, which is configured to identify the user's login class as ldap. The ldap login class is configured in login.conf to authenticate via login_ldap talking to the LDAP server, which is configured to have the appropriate users. This is what I meant by "that's a lot more moving parts than just passwords in LDAP."

--
Matthew Weigel
hacker unique & idempot . ent
Re: openldap password fails to update
On Mar 8, 2014, at 6:29 AM, Stéphane Guedon wrote:
>
> Notably, the user fails to auth and do login (with openbsd login
> system AND webpages) even though password is correct according to ldap
> itself !

That's a lot more moving parts than just passwords in LDAP. Have you checked your configuration of all those moving parts? Looked at logs? You don't even mention what else you're using, much less how they've been configured or what their logs report. I am using ypldap from base and login_ldap from ports; your mileage may vary.

> By the way, anybody use the light ldapd daemon included in base ? can
> we update password with it ?

I use it. It does not currently support the modify password extended operation (what ldappasswd relies on). I am working on a patch for it but I haven't finished it and it requires a bit more refactoring than just processing one new request. Until that's done I rely on a short Perl script I wrote. It's a pretty simple kind of thing to do; it is more a codification of a particular policy than a technically challenging problem.

--
Matthew Weigel
Re: openldap password fails to update
On 03/07/2014 04:22 AM, Stéphane Guedon wrote:
>     # ldappasswd -x -v -D "uid=test,ou=users,dc=22decembre,dc=eu" \
>         -w somesecret -s anothersec
>     ldap_initialize( )
>     Result: Other (e.g., implementation specific) error (80)
>     Additional info: password hash failed

I'm sorry, it's not clear that this is an OpenBSD problem. See, for example, http://www.openldap.org/lists/openldap-technical/200902/msg00186.html

> There's another thing strange, maybe related to the problem : slappasswd never gives the same result !
>
>     # slappasswd
>     New password:
>     Re-enter new password:
>     {SSHA}8ip4+k3gVAN6Gggf2szhJxo052sI3Fyc
>     # slappasswd
>     New password:
>     Re-enter new password:
>     {SSHA}JvduTI/JAX1G9AhtlCYEjNHl/6DbE6hs

The whole point of salting is to make the hash different each time. A random salt is used to alter the hash and then that salt is added to the end of the hashed string before being base64-encoded to give you the hash you see.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Native ldapd and ldappasswd
On 02/28/2014 05:19 AM, Joel Carnat wrote:
> Feb 28 12:13:49.204 [18750] got extended operation 1.3.6.1.4.1.4203.1.11.1
> Feb 28 12:13:49.204 [18750] unimplemented extended operation
> 1.3.6.1.4.1.4203.1.11.1

There, that's the problem. The ldappasswd utility relies on that extension to modify passwords, rather than trying to read/write the userPassword directly. It is not currently implemented in OpenBSD's ldapd.

--
Matthew Weigel
hacker unique & idempot . ent
Re: More OpenBSD on Hacker News -- RBAC and jails anyone?
On 02/23/2014 08:09 PM, openda...@hushmail.com wrote:
> 1. Why doesn't OpenBSD have something like RBAC?

RBAC has a lot more knobs to tweak, so you can always go back after a security incident and say "aha! I need to tweak *that* knob to prevent this next time!" But it has a steep learning curve, and everything you don't know about how your RBAC is configured is as much a problem as everything you got wrong. Most people use RBAC on Linux by turning it off.

OpenBSD permissions are fairly simple, thoroughly considered, and set up with sane defaults. Most people continue to rely on just these basic controls, on OpenBSD *and* on systems with RBAC.

> 2. Is chroot really inferior to FreeBSD jails?

As best as I can tell, jail basically accomplishes three things: it severely restricts even the root user inside the jail, it lets you restrict some bad things from occurring inside a jail, and it hides processes outside the jail.

The first part is interesting from a "virtual root access" standpoint, but adds a lot of code and complexity for that one use case. The second part (e.g., not allowing LKM inside the jail) is really only a good idea if you thought letting people do those things outside the jail is still good... on OpenBSD you can control most of those things globally. The last bit seems pretty uninteresting, unless (again) you are trying for "virtual root access."

--
Matthew Weigel
hacker unique & idempot . ent
Re: Generate hashed rootpw for native ldapd
On 2014-02-21 10:07, Raimo Niskanen wrote:
> I guess you can use 'openssl passwd' for that, or 'openssl passwd -1' for MD5 password however that is tagged if allowed in LDAP...

It doesn't look like openssl passwd knows about bcrypt at all (either internally, or via crypt()). While I think ldapd would be fine with either the old DES-based crypt() hash or the MD5-based hash - you would just need to prefix it with "{CRYPT}" I think - neither of those is really a good idea for hashing passwords anymore.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Generate hashed rootpw for native ldapd
On 2014-02-21 9:24, Matthew Weigel wrote:
> On 2014-02-21 5:09, Joel Carnat wrote:
> Here is a short script that should run fine on a stock OpenBSD machine to generate a bcrypt hash suitable for the userPassword attribute of ldapd.

Nope nope nope. That script is incorrect in a couple of ways. Most significantly it leaks the first two bits of the user's password, because I didn't understand how to pass the salt correctly.

I don't know if anyone actually WANTS a corrected version of the script, but I can't leave the uncorrected one out there.

    #! /usr/bin/perl
    use strict;
    use warnings;

    # Read one plaintext password per line on stdin, print a bcrypt hash for each.
    while (<>) {
        my $new_pw = $_;
        chomp($new_pw);

        # bcrypt's own base64 alphabet: '.', '/', 'A'-'Z', 'a'-'z', '0'-'9'.
        my @chars = split //, "./ABCDEFGHIJKLMN"
                            . "OPQRSTUVWXYZabcd"
                            . "efghijklmnopqrst"
                            . "uvwxyz0123456789";

        # A bcrypt salt is 22 characters encoding 128 bits: 21 full characters
        # plus a last character that only carries two bits, so it must be one
        # of '.', 'O', 'e' or 'u' (alphabet indices 0, 16, 32 and 48).
        my $salt = '';
        for (my $i = 0; $i < 21; $i++) {
            $salt .= $chars[int(rand($#chars + 1))];
        }
        $salt .= $chars[int(rand(4)) * 16];

        my $rnd_salt = '$2a$08$' . $salt;       # bcrypt, cost factor 8
        my $hash = crypt($new_pw, $rnd_salt);  # OpenBSD's crypt(3) does bcrypt
        print("$hash\n");
    }

--
Matthew Weigel
hacker unique & idempot . ent
Re: Generate hashed rootpw for native ldapd
On 2014-02-21 5:09, Joel Carnat wrote:
> What is the (native) way to generate the "SSHA" hashed format for rootpw ?

Is there a particular reason you want to use SSHA? Here is a short script that should run fine on a stock OpenBSD machine to generate a bcrypt hash suitable for the userPassword attribute of ldapd.

    #! /usr/bin/perl
    use strict;

    while (<>) {
        my $salt = '';
        my $new_pw = $_;
        chomp($new_pw);

        # The standard base64 alphabet, which is not bcrypt's: '+' does not
        # occur in bcrypt's salt alphabet at all.
        my @chars = split //, "abcdefghijklmnopqrstuvwxyz"
                            . "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                            . "0123456789+/";
        for (my $i = 0; $i < 21; $i++) {
            $salt .= $chars[int(rand($#chars + 1))];
        }

        # Only 21 salt characters are generated, and the password is appended
        # to fill the 22-character salt field. This is the mistake corrected in
        # the follow-up message: the first character of the password becomes
        # part of the salt, and part of it is exposed in the stored hash.
        my $rnd_salt = '$2a$06$' . $salt . $new_pw;
        my $hash = crypt($new_pw, $rnd_salt);
        print("{CRYPT}$hash\n");
    }

--
Matthew Weigel
hacker unique & idempot . ent
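Why the script in this message leaks two bits of the password, and why the corrected script in the follow-up above ends the salt with one of '.', 'O', 'e' or 'u', comes down to how bcrypt encodes its 128-bit salt into 22 characters. The following is an added example, not code from either message: it reimplements bcrypt's salt base64 variant (the same bit layout as OpenBSD's encode_base64() and decode_base64() in bcrypt.c) so the round trip can be inspected without computing any hash. Function names and the sample inputs are this example's own.

```python
import os
import secrets

# bcrypt's private base64 alphabet ('.' is 0, '/' is 1, then A-Z, a-z, 0-9);
# it is not the RFC 4648 alphabet, and '+' does not occur in it at all.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
SALT_BYTES = 16  # a bcrypt salt is 128 bits


def bcrypt_b64_encode(data: bytes) -> str:
    """Encode bytes the way bcrypt's encode_base64() does (no padding)."""
    out = []
    i, n = 0, len(data)
    while i < n:
        c1 = data[i]
        i += 1
        out.append(BCRYPT_B64[c1 >> 2])
        c1 = (c1 & 0x03) << 4
        if i >= n:
            out.append(BCRYPT_B64[c1])  # trailing char: only 2 bits of data survive
            break
        c2 = data[i]
        i += 1
        c1 |= c2 >> 4
        out.append(BCRYPT_B64[c1])
        c1 = (c2 & 0x0F) << 2
        if i >= n:
            out.append(BCRYPT_B64[c1])
            break
        c2 = data[i]
        i += 1
        c1 |= c2 >> 6
        out.append(BCRYPT_B64[c1])
        out.append(BCRYPT_B64[c2 & 0x3F])
    return "".join(out)


def bcrypt_b64_decode(text: str, nbytes: int) -> bytes:
    """Decode nbytes the way bcrypt's decode_base64() does.
    Raises ValueError for a character outside the alphabet or a short input."""
    needed = (nbytes * 4 + 2) // 3
    if len(text) < needed:
        raise ValueError("need %d characters, got %d" % (needed, len(text)))

    def val(ch: str) -> int:
        idx = BCRYPT_B64.find(ch)
        if idx < 0:
            raise ValueError("character %r is not in bcrypt's alphabet" % ch)
        return idx

    out = bytearray()
    p = 0
    while len(out) < nbytes:
        c1, c2 = val(text[p]), val(text[p + 1])
        out.append((c1 << 2) | ((c2 & 0x30) >> 4))  # low 4 bits of c2 are dropped here
        if len(out) >= nbytes:
            break
        c3 = val(text[p + 2])
        out.append(((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2))
        if len(out) >= nbytes:
            break
        c4 = val(text[p + 3])
        out.append(((c3 & 0x03) << 6) | c4)
        p += 4
    return bytes(out)


def stored_salt_field(field: str) -> str:
    """What actually ends up in the hash string: bcrypt decodes the 22-character
    field to 16 bytes and re-encodes them, so anything that does not survive the
    round trip was never part of the salt."""
    return bcrypt_b64_encode(bcrypt_b64_decode(field, SALT_BYTES))


def random_salt_field() -> str:
    """22 characters from 16 random bytes; the last one is always '.', 'O', 'e'
    or 'u' because only two bits are left for it."""
    return bcrypt_b64_encode(os.urandom(SALT_BYTES))


def corrected_script_salt_field() -> str:
    """The corrected Perl script's construction: 21 alphabet characters plus a
    final character chosen from alphabet indices 0, 16, 32 and 48."""
    salt = "".join(secrets.choice(BCRYPT_B64) for _ in range(21))
    return salt + BCRYPT_B64[secrets.randbelow(4) * 16]


def original_script_salt_field(salt21: str, password: str) -> str:
    """The first script's construction: 21 salt characters with the password
    appended. bcrypt reads 22 characters, so password[0] becomes the 22nd salt
    character, and the top two bits of its alphabet index land in the hash."""
    return stored_salt_field((salt21 + password)[:22])
```

With a constructed salt of 21 'A's and the password "hunter2", the stored field ends in 'e': the alphabet index of 'h' is 35, and only the two high bits of that six-bit value (32) survive the decode/re-encode. A password starting with a character outside the alphabet, such as '+', makes the decode fail outright, which is the other way the original construction could misbehave.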
Re: OpenBSD rootkits
On 02/18/2014 11:29 PM, Daniel Cegiełka wrote:
> https://github.com/freebsd/freebsd/blob/master/contrib/openpam/include/security/openpam.h#L358

It appears to be a way to embed fallback authentication modules in case the shared library can't be found. Go on, look at where else OPENPAM_STATIC_MODULES is used, and how.

https://github.com/freebsd/freebsd/blob/master/contrib/openpam/lib/libpam/openpam_load.c#L54 is basically the only place.

--
Matthew Weigel
hacker unique & idempot . ent
Re: erlang : manpages : inaccessible
On 02/04/2014 05:48 PM, Mayuresh Kathe wrote:
> i am running 5.4 and have installed erlang using pkg_add. works well, just can't access the man pages. have added the following line to /etc/man.conf
>
> erlang    /usr/local/lib/erlang/man/
>
> am sure about either having done something wrong or missed a step somewhere. can i be helped?

What command are you running to try to read them? I believe you should be using "man erlang " with that configuration.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Is [binary] package signing planned?
On 02/04/2014 01:11 PM, Daniel Cegiełka wrote:
> 2014-02-04 Marc Espie :
>> signify(1) makes things more transparent: no chain of trust, pure keys. One cool thing is that the signatures are small enough that they can be embedded directly in the package (which already has sha256 for everything). This has the advantage of decentralization: package snapshots can be partially synchronized, and still each package carries its own signature. Less margin for strange errors -> stuff that works most of the time -> more trustworthy.
>
> wow!? really? And how can I be sure that the public key that I downloaded is exactly the same public key, which is stored on OpenBSD servers (MITM)?

You can't. But at least that's transparent, rather than obfuscated somewhere down a chain of trust.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Virtualize or bare-metal?
On 1/13/2014 9:11 PM, Christopher Ahrens wrote:
> Jack Woehr wrote:
>> Christopher Ahrens wrote:
>>>
>>> Wish I could split everything off to physical, but all I have for
>>> space for is a mini-rack that fits under my desk in my apartment
>>
>> Sounds like you have answered your own question!
>>
>
> What I meant by bare-metal was if I should run a bunch of services on the same
> installation of OpenBSD.

Well, hardware failures on a small pool of machines are still hardware failures on a small pool of machines, whether you have virtual servers or not.

For security, chroot (especially with privilege separation) accomplishes a lot of what virtualization claims to offer, with a much longer history of auditing and better understood weaknesses.

It is usually easier, in my experience, to manage one system running many services in individual chroot environments than to manage many (virtual) systems. Files in chroot environments will sometimes need to be updated when you change the main system, but in my experience this is a much easier task to identify and manage than applying those changes en masse to a collection of virtual hosts. Plus, there will be plenty of system updates to the main system that don't need to trickle down to the chroot environments, but will almost always need to be applied individually to each virtual host.

You may still want to physically separate some concerns if you have enough machines (e.g., build machines vs. service machines, spreading out disk-intensive services, etc.), but in general I don't think virtualization will particularly help you.

--
Matthew Weigel
hacker unique & idempot . ent
Re: outgoing smtpd: Too many recipients
On 12/17/2013 5:37 AM, Jan Stary wrote:
> That's the relay which is rejecting my messages
> if there are "too many recipients" in them.
>
> I deleted all the failed ones from my queue
> and after some time, resent to the individual recipients (~120)
> one by one with a bit of grepawkery; that went fine.

http://www.sendmail.com/sm/open_source/docs/m4/tweaking_config.html (look for "MaxRecipientsPerMessage")

It seems that in this case sendmail really does just want the sending mailer to retry those addresses later. You might want to do a test run and just let deferred recipients sit for a while, to see if they do eventually get delivered.

--
Matthew Weigel
hacker unique & idempot . ent
Re: ldapd user password change
> On Dec 12, 2013, at 12:49 AM, Predrag Punosevac wrote:
>
> I just finished first of several LDAP deployment using LDAP server from
> the base. So far works like a charm. One quick question. I know that
> LDAP from the base is pretty bare bone but I was wondering if it
> supports user password change. My clients are by the way RedHat machines
> using SSSD instead of PAM for directory services.

The base ldapd doesn't implement the RFC 3062 password modify extended operation. It appears that SSSD relies on that extended operation to work.

It seems like it would be MOSTLY straightforward to implement... Except for users with {BSDAUTH} values in userPassword.

--
Matthew Weigel
Re: cvsync, rsync
On 09/19/2013 08:46 AM, hru...@gmail.com wrote:
> From time to time I think I should follow Kenneth Westerback's recommendation and go to a math-for-idiots list, for example to Usenet Group "sci.math", and then make a link to this thread in gmane: they will sure admire Marc Espie's wisdom and his efforts teaching idiots like me.

That seems like a useful exercise for you to do.

Like Marc said very early on, rsync is based in part on Andrew Tridgell's PhD Thesis, "Efficient Algorithms for Sorting and Synchronization." You can find it and read it at http://www.samba.org/~tridge/phd_thesis.pdf.

A little more searching might also lead you to http://www.big.info/2013/04/md5-hash-collision-probability-using.html which tries to answer your exact question. It also points at http://en.wikipedia.org/wiki/Birthday_attack where you'll see pretty much your exact questions answered.

The probability of a collision of MD5, a 128-bit hash (used by modern rsync rather than MD4; ignoring the 16-bit rolling signature), for 2 4TB files is about 10^(-12). That's approximately on par with the likelihood of the hard drive reading a bit wrong after you're done using rsync (per Christian Weisberger).

However, that's ignoring the rolling signature. In fact, you need to have both the rolling signature (16 bits) *and* the MD5 hash match at the same time. The probability of both combined is right about 10^(-15) of a hard drive read error.

That is all of the math. The references and documents are right there. If you are still worried about it, you are trolling either misc@ or yourself or both.

--
Matthew Weigel
hacker unique & idempot . ent
Re: sudo configuration !ttytickets?
On 2013-09-11 19:59, Michael W. Lucas wrote:
> This, well, kind of surprised me. I'm sure you folks have thought this through in much more detail than I have, but I can't find anything on the rationale behind it. It seems insecure. Can anyone enlighten me as to the thinking here?

I can't say whether this is the thinking of the OpenBSD developers, but I have seen some concerns over the years that tty_tickets gives a false sense of security.

--
Matthew Weigel
hacker unique & idempot . ent
Re: mysql.sock location
On 8/18/2013 5:29 AM, Ville Valkonen wrote:
> ehm.. 127.0.0.1 == localhost

http://dev.mysql.com/doc/refman/5.5/en/connecting.html

"On Unix, MySQL programs treat the host name localhost specially, in a way that is likely different from what you expect compared to other network-based programs. For connections to localhost, MySQL programs attempt to connect to the local server by using a Unix socket file."

So no, 127.0.0.1 != localhost in the context of MySQL on Unix.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Install drivers
On 08/11/2013 10:35 AM, josef.win...@email.de wrote:
> I want to support as much hardware as possible 'out of the box' and since a network can't be assumed, I need to preinstall the drivers.

GENERIC supports as much hardware as possible 'out of the box.'

--
Matthew Weigel
hacker unique & idempot . ent
Re: SSHD setup
On 08/09/2013 03:24 PM, Lance Ferrer wrote:
> I'm not sure if I need to create the keys or what, looking for a little bit of guidance. Sorry for the trouble with probably such a simple task. Did quite a bit of googling, no luck

You could create them yourself by running "ssh-keygen -A" as root. However, that is run at every boot by /etc/rc (it only generates keys if there are no existing keys), so I would guess either a) you haven't rebooted yet or b) something is wrong with your system that is preventing these files from getting created.

You don't need "sshd_flags" in /etc/rc.conf.local unless you want to change the default set in /etc/rc.conf.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Upstream error: Nginx, slowcgi, and perl/cgi support.
On 2013-07-09 13:18, Özgür Kazanççı wrote:
> And using nginx with chroot-disabled, (-u) didn't help either.

That isn't surprising, because nginx's chroot won't affect things run by slowcgi (which chroots itself separately). Also, when running with nginx chroot disabled, did you also adjust the path to the slowcgi socket?

> "If you just want to see if nginx works try /var/www/cgi-bin/test-cgi which uses /bin/sh, chmod it appropriately and copy /bin/sh to /var/www/bin/sh (/bin/sh *is* statically linked)"
>
> Tried this, same error: "502 Bad Gateway"

Have you run slowcgi with the "-d" flag to see its side of the story?

--
Matthew Weigel
hacker unique & idempot . ent
Re: A warm welcome to a gentoo hardened administrator?
On May 17, 2013, at 11:24 AM, Dārayavahush Khola wrote:
> Just out of curiosity. Why is it "damned"?

You wanted "...blogs written by knowledgeable people"

But even when it's right at the time it was written, a blog post from a year ago is not as accurate as the man pages current for your release. It may take a bit more time to figure out than a breezy post that glosses over paths not taken, but you won't even know that you could have taken another, better path.

--
Matthew Weigel
Re: OpenCL/Cilk parallel computing on OpenBSD
On 2013-05-17 9:23, NU-g.lister wrote:
> Hello misc, I am interested to find out if anyone is using parallel computing libraries on OpenBSD? I did some web searches to no avail; libs from AMD (OpenCL) have a limiting clause and I cannot find whether a port/package exists for OpenBSD (tried pkg_add opencl and pkg_info opencl). Cilk at least has a more liberal license and I can probably find an OpenCL implementation with a better license... I am just looking for some pointers.

You might try simply building cilk and seeing how it goes. OpenCL is going to be a non-starter, I believe it requires both proprietary userland tools and proprietary kernel bits that are not available.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Sturdy and secure mail server
On 2013-05-02 16:56, Chris Cappuccio wrote:
> You are going to spend a bit of time in the MTA and Dovecot docs to figure out some of these things. Now, if you use fdm, you really don't need an MTA at all. fdm would have to deliver to the dovecot LDA or use its own LDA in the same directory structure that Dovecot retrieves mail from...

This is the important part: dovecot and postfix or opensmtpd can do what you need. There are a ton of details to understand and get right, so reading the docs is really your best starting point.

Most of what you've described is a bog standard mail server with IMAP hosting, plus a mail client that knows about multiple mail accounts, plus an IMAP fetch (maybe?). Or maybe there is something you're not being clear about in your description, in which case... you REALLY need to read the docs, because no one else can be sure they're describing how to do the thing you ACTUALLY want to do. Are all of the accounts gmail, and you simply want to archive all gmail messages somewhere away from Google? Do you intend to run the MX for some of these accounts, but not all?

Definitely read the docs.

--
Matthew Weigel
hacker unique & idempot . ent
Re: mixing ports and non-ports programs
On 4/14/2013 10:03 AM, Alan Corey wrote:
> This is ridiculous. A whole year and a half and it's been abandoned.

You get a year, free, where people will happily help you.

> Look at how long FreeBSD or Debian supports their versions.

Debian supports two releases back too, as I recall, they just take a lot longer between releases. FreeBSD does a lot of what looks like crazy work to maintain multiple versions, but they also have the occasional $250k+ donor (and they still don't release as frequently as OpenBSD).

> Now I actually /use/ OpenBSD, every day, on 3-4 machines. Consider
> them production machines even though I'm retired.

Isn't it nice having free technical support for production machines? Yet it has its limits.

> I do experimental
> things with the likes of Gnuradio and the Osmocom suite lately, not
> the operating system. I might replace an operating system once in the
> 3-5 year expected life of a hard drive.

Poor security procedure, poor disaster recovery procedure.

> I could understand if Microsoft stopped supporting Vista, because it
> was so bad many places wouldn't even use it, but OpenBSD 5.0 isn't
> that different from 5.2.

I would understand it less if a software license I'd paid so much for came with only a year of support. It turns out the world makes at least a little sense.

> Some things don't work under 5.2, just as some things don't work under
> 5.0. You fix bugs, you introduce new ones, it isn't always an
> improvement from the user's perspective. We used to have a policy of
> never buying a Windows version until the first service pack came out.

5.2 IS the service pack for 5.1. 5.1 IS the service pack for 5.0. The developers put a lot of effort into making each upgrade categorically better.

> Once again we're off on a tangent and I never got an answer to my
> question of how to mix ports and non-ports versions of things.
> Something like a way to uninstall a port without having to uninstall
> everything that depends on it. Or replace a port from sources and
> leave everything else in place.

The main answer you got is "run -current for the most current packages, where this is less of a problem." And you went off on a tangent on how it's unacceptable that all of this software you are downloading for free didn't come with all the free tech support you wanted.

Another answer might be "use ports if they work for you, don't if they don't." You *can* maintain multiple versions of things if you use different paths, introducing about as much heartache as you'd expect.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Shell for PF
On Feb 16, 2013, at 5:28 AM, Vadim Zhukov wrote:
> 2013/2/16 Fil DiNoto :
>> But this is all off-topic, I'm not slamming pf in any way i love it. I
>> was just saying it can't hurt to try to emulate what people know if at
>> all possible. And the fact is that junos/ios have the market share so
>> that's what people know.

Sorry, Vadim, for responding to Fil through your email.

I think there is a real risk to trying to present an interface that is reminiscent of other systems, that behave differently and do less. People will begin to expect that pf does the same things - no more, no less. Power that is specific to pf over other systems will be ignored, because people will think that since they are familiar with the interface they know what they're doing.

Presenting a different interface is a FANTASTIC way to communicate 'difference' to the user. It forces them to think about the difference sooner, rather than when things aren't working as expected (or after they've bought more equipment on top of the OpenBSD firewall because "JunOS can't do that").

If that means people don't learn pf because they realize very quickly that it's unlike anything they know... That is a SERVICE being provided. They knew they didn't have the time to figure it out before they got ass-deep into it.

--
Matthew Weigel
hacker unique & idempot . ent
Re: "rc.d start" claims to have failed, but actually succeeds
On 1/19/2013 10:23 PM, Forman, Jeffrey wrote:
> One thing to note, is that the (failed) shows up after 5-10 seconds, not
> immediately. But the issue is that the Python script itself is actually
> running on the machine. Only rc.d claims it has failed.

When rc_bg=YES, "rc_cmd start" does the equivalent of "rc_cmd check" waiting for the named daemon to show up in the process list. Since /usr/local/pf-graphite/pfloggraphite is a Python script, the process listing begins with "/usr/local/bin/python" (or whichever python), *not* /usr/local/pf-graphite/pfloggraphite.

> I have read the rc.d and rc.subr man pages but perhaps am missing an important
> detail in my rc.d file or script itself. Anyone able to shed some light?

I believe you need to define pexp after sourcing rc.subr.

--
Matthew Weigel
hacker unique & idempot . ent
Re: A point about the BSD license I'm feeling edgy about
On 12/28/2012 7:20 PM, Live user wrote:
> The BSD license says that
>
> * Copyright (c)
> *
> * Permission to use, copy, modify, and distribute this software for any
> * purpose with or without fee is hereby granted, provided that the
> * above copyright notice and this permission notice appear in all
> * copies

Where did you find that? http://www.openbsd.org/policy.html cites the Berkeley copyright notice as saying (in part)

 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.

Which seems to address your concern quite precisely. Existing code with that notice must retain that notice, even in derivative works. Binary distributions should include the notice, but not necessarily exclusively.

The version of the BSD license cited at opensource.org (http://opensource.org/licenses/BSD-2-Clause) also makes it clear:

% Redistribution and use in source and binary forms, with or without
% modification, are permitted provided that the following conditions are met:
%   Redistributions of source code must retain the above copyright notice,
%   this list of conditions and the following disclaimer.
%   Redistributions in binary form must reproduce the above copyright
%   notice, this list of conditions and the following disclaimer in the
%   documentation and/or other materials provided with the distribution.

And this is exactly what everyone is doing, and no one has found a way to sue over it yet... which at least suggests your concern is misguided.

--
Matthew Weigel
hacker unique & idempot . ent
Re: responding to buttonpress ACPI event sent by KVM/Qemu (same behavior in v5.2)
On 11/24/2012 12:38 PM, Tomas Bodzar wrote:
>> I'm not interested in assigning blame, or seeing it assigned. I'd simply
>> like to see the problem solved, somehow.
>>
>> Would a developer be willing to have a look, if I set up a v5.2 sandbox on
>> the debian host?
>
> I think that for start devs will be missing what type of
> virtualization you're using on Debian, then it will be fine to see
> complete dmesg from OpenBSD guest 5.2 and as well latest snapshot.

I would guess that they might also like to see some evidence that this problem had been reported to the Qemu and libvirt developers, in the interest of being "not interested in assigning blame."

--
Matthew Weigel
hacker unique & idempot . ent
Re: Dilemma: between OpenBSD and NetBSD
On 08/12/2012 08:16 PM, Kevin Chadwick wrote:
> It is faster with softdep and safer without. My mail client has similar
> choices in its options. Which do you think my mail client enables by
> default... The safe option of course. So does OpenBSD which isn't like
> Linux userspace.

Is 'safer' really the right word here? As I understand it, with or without softdeps, the filesystem on disk will be consistent and recoverable (excepting, of course, that when a disk confirms a write is completed isn't necessarily when the write is completed). The difference is that with softdeps, you don't have the guarantee that metadata writes have been completed (insofar as the kernel can know) when the syscall to change it returns.

On the other hand, because predicting the state of your filesystem after a crash is a bit harder with softdep enabled, leaving it turned off by default seems like a sensible choice.

The really unsafe choice, though, is mounting async, which can lead to unrecoverable filesystems in the event of a crash.

--
Matthew Weigel
hacker unique & idempot . ent
Re: spamd greylisting: false positives
On 25.05.2012 10:50, David Diggles wrote:
> I wasn't receiving email, from lists.openbsd.org and also from my work email address, until I added the respective smtp servers to the whitelist table in pf. I could see them in the greylist when I typed spamdb.

In the greylist, or in the whitelist (both are stored in /var/db/spamdb)?

I'm wondering now whether your /var/db/spamdb got wiped out when you upgraded. If that happened, then all pre-existing whitelist entries would be gone, and emails would have to go through greylisting again. Also, if your standard procedure when making changes was as below (wiping out spamdb), you would be pretty much guaranteed to drop a lot of mail on the floor given exponential back off.

> I will go ahead and flush the spamdb database, and the pf tables and start over with default everything, no whitelist pf entries.

Presumably you have at least some whitelist entries there, and some mail in transit that you would like to eventually receive. Flushing the database now would mean that anything currently greylisted is very unlikely to be whitelisted, and anything whitelisted will be greylisted next time it tries to deliver mail.

> This time I will sit on my hands and wait. Maybe I was not being patient enough.

With default settings, you need to be patient for 4 hours. Past 4 hours, the chances are close to nil that you'll get that mail. Until 4 hours have passed, though, it's completely possible you'll still receive the mail.

> As for gmail; I have not had this issue sending email from gmail to spamd.

You will.

> Seriously though, if I have to keep manually adding smtp servers to a whitelist, I will run in blacklist only mode.

It's pretty straightforward to script pulling SPF records from Google and whitelisting them. Facebook is another company that sends a lot of mail through many servers, but documents those servers in SPF records you can poll (say, on a weekly basis). There are very few other mail server clusters that have that behavior, so once you identify those two, and script it, the problem is basically solved.

For example, you could move your current nospamd file to /etc/mail/nospamd.constant, and then do the following in /etc/weekly.local:

    next_part "Whitelisting Google mail servers"
    /usr/sbin/dig _spf.google.com TXT +short | tr ' ' '\n' | grep ip4: \
        | cut -d: -f2 | sort -n > /etc/mail/nospamd.dynamic
    cat /etc/mail/nospamd.constant /etc/mail/nospamd.dynamic > /etc/mail/nospamd
    /sbin/pfctl -t gmail-white -T replace -f /etc/mail/nospamd 2>&1 \
        | grep -v 'no changes'

That's very close to something someone else shared on misc@ many moons ago, I don't remember who.

--
Matthew Weigel
hacker unique & idempot . ent
Re: spamd greylisting: false positives
On 25.05.2012 01:09, David Diggles wrote:
> Can messages get dropped if mail servers fail to resend within time interval, after receiving the initial temporary failure message?

It's dropped when it's first received, and it will continue to get dropped until passtime minutes have passed. If it is then received before greyexp hours have passed, it will be delivered and the remote host will be whitelisted for sending mail. If greyexp hours pass without seeing that tuple again, the tuple is deleted and it's back to the beginning for that host.

You reduced greyexp to 1 hour, which may well be causing your problems.

--
Matthew Weigel
hacker unique & idempot . ent
Re: spamd greylisting: false positives
On 25.05.2012 01:09, David Diggles wrote:
> Can messages get dropped if mail servers fail to resend within time interval, after receiving the initial temporary failure message?

A qualified "yes." The message isn't dropped if the sending server fails to resend before greyexp hours, it is dropped the first time delivery is attempted; if other attempts to deliver occur before passtime minutes pass, or after greyexp hours, the message will continue to be dropped.

You reduced the whitelisting interval from (25 minutes, 240 minutes] to (5 minutes, 60 minutes], a pretty big cut. Perhaps that is your problem.

--
Matthew Weigel
hacker unique & idempot . ent
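The passtime/greyexp behaviour described in this reply and the one above it, and the effect of wiping spamdb mentioned in the earlier message in this thread, as an added example (this is a model written for this page, not spamd's code): a small state machine with spamd's greylist tuple and whitelist, driven by one sender's retry schedule. The times are minutes after the first attempt; the defaults are spamd(8)'s -G values of 25 minutes, 4 hours and 36 days. The sender's IP, HELO and addresses are constructed.

```python
from typing import Dict, List, Optional, Tuple

# spamd(8) defaults for -G passtime:greyexp:whiteexp, expressed in minutes.
DEFAULT_PASSTIME = 25
DEFAULT_GREYEXP = 4 * 60
DEFAULT_WHITEEXP = 36 * 24 * 60

GreyKey = Tuple[str, str, str, str]  # (source IP, HELO, envelope from, envelope to)


class Greylister:
    """A minimal model of the state spamd keeps in /var/db/spamdb."""

    def __init__(self, passtime: int = DEFAULT_PASSTIME, greyexp: int = DEFAULT_GREYEXP,
                 whiteexp: int = DEFAULT_WHITEEXP) -> None:
        self.passtime, self.greyexp, self.whiteexp = passtime, greyexp, whiteexp
        self.grey: Dict[GreyKey, Tuple[float, float]] = {}  # tuple -> (first seen, expiry)
        self.white: Dict[str, float] = {}                   # source IP -> expiry

    def flush(self) -> None:
        """The effect of wiping spamdb: every greylisted tuple and every
        whitelisted host is forgotten, so each sender starts from scratch."""
        self.grey.clear()
        self.white.clear()

    def _expire(self, now: float) -> None:
        for key in [k for k, (_, exp) in self.grey.items() if exp <= now]:
            del self.grey[key]
        for ip in [i for i, exp in self.white.items() if exp <= now]:
            del self.white[ip]

    def attempt(self, now: float, key: GreyKey) -> str:
        """One delivery attempt at time `now`; returns 'accept' or 'tempfail'."""
        self._expire(now)
        src = key[0]
        if src in self.white:
            self.white[src] = now + self.whiteexp  # refreshed while the host keeps sending
            return "accept"
        if key not in self.grey:
            self.grey[key] = (now, now + self.greyexp)  # first contact: temporary failure
            return "tempfail"
        first_seen, _ = self.grey[key]
        if now - first_seen < self.passtime:
            return "tempfail"  # retried too soon, still greylisted
        del self.grey[key]  # retried after passtime and before greyexp: whitelist the host
        self.white[src] = now + self.whiteexp
        return "accept"


def simulate(schedule: List[float], passtime: int = DEFAULT_PASSTIME, greyexp: int = DEFAULT_GREYEXP,
             flush_at: Optional[float] = None) -> List[str]:
    """Run one sender's retry schedule (minutes after its first attempt) through
    the model, optionally wiping the database just before the first attempt at
    or after `flush_at`."""
    g = Greylister(passtime, greyexp)
    key = ("192.0.2.10", "mx.example.org", "list@example.org", "me@example.net")  # constructed
    results, flushed = [], False
    for t in schedule:
        if flush_at is not None and not flushed and t >= flush_at:
            g.flush()
            flushed = True
        results.append(g.attempt(t, key))
    return results


if __name__ == "__main__":
    backoff = [0, 90, 270, 630]  # a sender that waits 1.5 h and then keeps doubling
    print("defaults:            ", simulate(backoff))
    print("5 min / 1 h:         ", simulate(backoff, passtime=5, greyexp=60))
    print("defaults, db wiped:  ", simulate(backoff, flush_at=50))
```

A sender that backs off to 90 minutes gets through on the second try with the defaults, but with greyexp cut to 60 minutes its tuple has already expired by then, so every retry looks like a first contact and it never passes; a sender that retries every few minutes passes under both settings, which is why a shortened greyexp can look fine in testing and still lose mail from slower relays.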
Re: Upgrading OpenBSD
On 21.05.2012 23:55, Mehma Sarja wrote:
> On 5/21/12 9:34 PM, Matthew Weigel wrote:
>> On 21.05.2012 22:45, Richards, Toby wrote:
>>> Granted: I do hold an MCSE certification, but I don't need it. The upgrade just works. Well... despite occasional BSOD's ;)
>>
>> I admit this kind of made me chuckle: http://www.linkedin.com/pub/toby-richards/37/71a/474
>
> Oy vey, And this guy holds a degree from Santa Clara Univ? Toby, $40K/ year for this?

To be clear, they are probably different people; it just amused me.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Upgrading OpenBSD
On 21.05.2012 22:45, Richards, Toby wrote:
> Okay, let's compare upgrading OpenBSD 4.9 + Nginx + PHP 5.2.x to OpenBSD 5.0 + Nginx + PHP 5.3.x vice upgrading Windows 2003 + IIS 6 + ASPDotNet 3.5 to Windows 2008 + IIS 7.0 + ASPDotNet 4.0. In my experience, the MicroEvil Upgrade works without breaking any of my web apps.

First, can we just call it Microsoft? Everyone knows what you're talking about.

Second, can you confirm that you understand you are comparing the default web stack on Windows with a custom web stack on OpenBSD? The default web stack on OpenBSD (although I think it's changing or it has changed) is Apache + CGI. What was wrong with that?

Third, can we agree that if you are choosing to use Nginx and PHP, you are trying to solve problems that IIS and ASP.Net can't, and if you are content with IIS and ASP.Net, there was no reason for you to go out of your way to use Nginx and PHP? Whether you feel you have "no choice" but to use packages... you do, PHP and Nginx are separate software developed by people not working on OpenBSD.

> The OpenBSD upgrade gets confused about Nginx versions and PHP versions. Maybe it gets less confused if I happen to know about some system variable that describes the version of PHP that I want.

http://www.openbsd.org/faq/upgrade50.html#Pkgup

I actually disagree with one of the other responders, that doing an OS upgrade and running "pkg_add -ui" is sufficient. Reading the upgrade guide painstakingly maintained by the developers, and following it, is pretty much always your best path. It's short, to the point, and not any different from the release notes that a responsible admin reads when upgrading Windows servers, or Solaris servers, or hundreds of desktops of any kind.

The problem you describe was called out, emphasized, warned about. The specific (simple) steps you needed to take to mitigate this problem were documented, and documented in a place that's been consistent every six months for 8 years.

> Granted: I do hold an MCSE certification, but I don't need it. The upgrade just works. Well... despite occasional BSOD's ;)

I admit this kind of made me chuckle: http://www.linkedin.com/pub/toby-richards/37/71a/474

--
Matthew Weigel
hacker unique & idempot . ent
Re: Upgrading OpenBSD
On May 21, 2012, at 9:05 PM, Mike Erdely wrote:
> On Mon, May 21, 2012 at 9:43 PM, Richards, Toby wrote:
>> OpenBSD does have an Upgrade
>> option, but does it upgrade the installed packages?
>
> pkg_add -ui

Even more relevant: http://www.openbsd.org/faq/upgrade51.html

Interestingly, when I upgrade a Windows machine, there isn't a command like pkg_add to update Acrobat Reader, Flash, Firefox, OpenOffice, Emacs, VLC, or any of my other installed software. Even my Microsoft software like Visual Studio or SQL Server doesn't get upgraded.

--
Matthew Weigel
Re: SETUID perl script
On 24.04.2012 14:22, Christopher Zimmermann wrote:
> Hi, I'm trying to chroot and drop privileges in a perl script. But somehow I'm not even able to run it setuid root. The setuid bit gets ignored completely. But as I understand sys/sys/exec_script.h, the SETUIDSCRIPTS feature is enabled by default. What am I missing?
>
> /tmp% ls -l test.pl

Check the mount options for whatever filesystem /tmp lives on. Chances are good it's its own filesystem, and is mounted nosuid.

--
Matthew Weigel
hacker unique & idempot . ent
Re: PHP/HTTP config
On Tue, 20 Mar 2012 15:23:27 -0600, Duncan Patton a Campbell wrote:
> Closest thing I can find are references to the upgrade doc:
>
>     in /var/www/conf/php5.sample; symbolic links for active modules were placed in /var/www/conf/php5. These have moved to /etc/php-5.2.sample and /etc/php-5.2 respectively. You will need to check for existing links in /var/www/conf/php5
>
> Which doesn't explain why...

I'm guessing it has something to do with nginx being incorporated into base, and maybe also the move of the php port from www/ to lang/. Technically, it *is* possible to use PHP for system scripts, you know.

--
Matthew Weigel
hacker unique & idempot . ent
Re: Strange sshd + /etc/nologin behaviour
On Wed, 14 Mar 2012 22:04:59 +0100, André S. wrote:
> After some more testing I dare to say that this whole /etc/nologin-thing in conjunction with ssh can be considered buggy.

Previously in the thread it came out that the andre user could log in because it was in the staff login class. Can you confirm that root is in the daemon login class (as is the default config), and that the daemon login class has ignorenologin?

--
Matthew Weigel
hacker unique & idempot . ent
Re: Thanks a lot to all devs of OpenBSD
On 8/28/2011 10:50 AM, Marc Espie wrote: > On Sun, Aug 28, 2011 at 05:00:46PM +0200, Tomas Bodzar wrote: >> (and main link which caused that >> http://lists.freebsd.org/pipermail/freebsd-arch/2011-August/011412.html) > > This link makes me a little sad. I don't quite get why that guy mentions > that FreeBSD ports has problems, but then mentions only the netbsd work, > and blatantly ignores our tools, even though they solve most of the problems > he has... They would have to reintroduce Perl into base in order to borrow any code from OpenBSD ports, though. If there was will to do that, they probably wouldn't have taken Perl out in the first place. -- Matthew Weigel hacker unique & idempot . ent
Re: can't intall webalizer on OpenBSD 4.8
On Thu, 30 Jun 2011 20:50:20 -0300, Marcos Laufer wrote: Hello list, i can't install webalizer. This is OpenBSD 4.8 stable, (with pci.c rev 1.72 because this is a X336 IBM server) Any ideas why? ul6:/root{194}# pkg_add webalizer Can't install gd-2.0.35p0 because of libraries |library fontconfig.7.0 not found | not found anywhere |library freetype.17.1 not found | not found anywhere Those libraries are probably provided by install sets you didn't install... like xbase48.tgz. See http://www.openbsd.org/faq/faq4.html#FilesNeeded for more information. -- Matthew Weigel hacker unique & idempot . ent
Re: OffTopic: ctags and vi (Don't read if you dislike offtopic)
On Tue, 7 Jun 2011 20:41:22 -0300, Friedrich Locke wrote: Dear list users, using "vi" to go from a function call to the function definition is just hit "ctrl ]". What should I press to get back to the point I left with "ctrl ]" ? According to vi(1), Return to the most recent tag context. -- Matthew Weigel hacker unique & idempot . ent
Re: How to host multiple PHP versions
On Thu, 17 Feb 2011 05:33:01 +0800, Tito Mari Francis Escaño wrote: Good day. I need to setup a development web server that should host both PHP5.2.x and PHP5.3.x. Our goal is to maintain PHP5.2-based application versions while having room for growth to have ready environment for PHP5.3 web development. Can anybody please give me pointers on how this can be done? One idea I have is to have both multiple web servers in one box like built-in Apache 1.3 and Apache 2 with PHP5.2.x and PHP5.3.x respectively each with individual virtual host configuration but it's quite complex, hoping somebody could advise me on this. I think you would be better off investigating FastCGI (and php-fastcgi) with each version of PHP living in a separate chroot and communicating to the web server over TCP (rather than Unix domain sockets). I suggest the chroots so that you can better control what libraries, etc., get pulled in by each version, but it may not be necessary. The more important point is using FastCGI so that Apache itself doesn't have to have PHP loaded, and is therefore not restricted to a single version that it's running. -- Matthew Weigel hacker unique & idempot . ent
Re: OpenBSD + lighttpd + php5
On Sat, 10 Jul 2010 22:27:06 +0200, mlanciau wrote: > well. > > I have found a little error in my lighttpd.conf (the bin-path was wrong) > > fastcgi.server = ( ".php" => >( "localhost" => > ( >"socket" => > "/var/www/tmp/php-fastcgi.socket", >"bin-path" => >"/usr/local/bin/php-fastcgi" > ) >) > ) > > > now it's ok, but it remains a problem... > > when I try to load a webpage, I get "No input file specified". > > I have changed my php.ini but it's not enough... > > An other idea ? This isn't really an OpenBSD problem, or an OpenBSD port issue. Searching Google for "lighttpd no input file specified" would point you to http://redmine.lighttpd.net/wiki/1/FrequentlyAskedQuestions which would direct you to add "cgi.fix_pathinfo = 1" to your php.ini. You may also find that you need to add 'broken-scriptfilename => "enable"' to your lighttpd configuration in the block where you specify the socket and bin-path, but I would recommend trying it without first. -- Matthew Weigel hacker unique & idempot . ent
Re: OpenBSD + lighttpd + php5
On 7/10/2010 9:55 AM, mlanciau wrote: > Hello ! > > I'm trying to install lighttpd (no problem) and to add php to create a > good web server. But, even if I didn't chroot lighttpd, I don't > succeed. > > Have you any idea ? What's the fastcgi configuration in lighttpd.conf look like? -- Matthew Weigel hacker unique & idempot . ent
Re: openbsd not blob free?
On Wed, 5 May 2010 17:44:48 +0200, Otto Moerbeek wrote: > Blobs that run on hardware like PCI cards != blobs that run on the same > processor as the kernel. What is the difference between inaccessible firmware on expansion cards and firmware blobs uploaded to expansion cards by the operating system? Uploaded firmware blobs generate more traffic on m...@. -- Matthew Weigel hacker unique & idempot . ent
Re: OT: multiple web servers on OpenBSD (WAS: OT: vmware blah blah)
On Thu, 11 Mar 2010 16:47:54 -0600, Claus wrote: > I have the same setup running. Each apache instance runs chrooted under > their own user id and home directory. That's a lot of apache instances running... and how much functionality are you really getting out of them? Lighttpd or NginX with FastCGI works very well. I'm running php-fastcgi once per domain, chrooted to its virtual host directory; I've also got non-PHP FastCGI applications running in unrelated chroots. One process (lighttpd) handles SSL and most logging (each PHP instance logs in its chroot, but that separates different users' PHP logs too). Maintenance is still a pain, though, as I have to copy all relevant binaries, PHP modules, and dependent shared libraries into each chroot every upgrade. I keep meaning to write a script to maintain that: copy new binaries (e.g., php-fastcgi) over, determine what shared objects they link to, copy those over, and delete old versions. -- Matthew Weigel hacker unique & idempot . ent
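The chroot-maintenance script described above (and the per-version PHP chroots suggested in the "How to host multiple PHP versions" reply) is straightforward to sketch. The following is an added example, not the poster's script: it copies a program plus the shared objects ldd(1) reports into a chroot, and lists libraries already in the chroot that are no longer wanted, since a stale copy of a library with a known bug is exactly what a chroot should not keep. It parses OpenBSD's ldd output format (the sample output is constructed); Linux ldd prints a different layout, so the parser would need adjusting there. PHP extensions loaded with dlopen() at runtime do not appear in ldd output and have to be listed separately.

```sh
#!/bin/sh
# chroot-sync.sh: copy a program and the shared objects it links against into
# a chroot, and report libraries left in the chroot that are no longer needed.
# Added example, not the script from the thread. It parses OpenBSD ldd(1)
# output (columns: Start End Type Open Ref GrpRef Name).

# Constructed sample of OpenBSD ldd output; addresses are made up.
SAMPLE_LDD='/usr/local/bin/php-fastcgi:
        Start            End              Type  Open Ref GrpRef Name
        000001c0e2c00000 000001c0e2e6f000 exe   1    0   0      /usr/local/bin/php-fastcgi
        000001c34b1f6000 000001c34b4a1000 rlib  0    1   0      /usr/lib/libc.so.96.0
        000001c33b6c0000 000001c33b6e0000 rlib  0    1   0      /usr/lib/libz.so.5.0
        000001c302a5e000 000001c302a5e000 ld.so 0    1   0      /usr/libexec/ld.so'

# ldd_libs: print the shared-object paths (rlib rows plus the ld.so row) from
# ldd output on stdin. The exe row is the binary itself and is skipped.
ldd_libs() {
    awk '($3 == "rlib" || $3 == "ld.so") && $NF ~ /^\// { print $NF }'
}

# copy_into_chroot CHROOT PATH: copy PATH to CHROOT/PATH, creating the
# directory, preserving mode and times so a refreshed file is recognisable.
copy_into_chroot() {
    dest="$1$2"
    mkdir -p "$(dirname "$dest")"
    cp -p "$2" "$dest"
}

# populate_chroot CHROOT BINARY: copy BINARY plus everything ldd says it
# needs. Run on the host after an upgrade, once per chroot.
populate_chroot() {
    copy_into_chroot "$1" "$2"
    ldd "$2" | ldd_libs | while read -r lib; do
        copy_into_chroot "$1" "$lib"
    done
}

# stale_libs CHROOT WANTED_FILE: print shared objects under CHROOT/usr/lib
# whose host path is not listed, one per line, in WANTED_FILE. Review the
# list, then delete: old library versions are what an upgrade should retire.
stale_libs() {
    chroot_dir=$1; wanted=$2
    find "$chroot_dir/usr/lib" -type f -name '*.so*' 2>/dev/null | while read -r f; do
        host_path=${f#"$chroot_dir"}
        grep -qxF "$host_path" "$wanted" || echo "$f"
    done
}

# Demonstration on the constructed sample: the files populate_chroot would copy.
# On a live host:  populate_chroot /var/www/sites/example /usr/local/bin/php-fastcgi
printf '%s\n' "$SAMPLE_LDD" | ldd_libs
```

Keep a per-chroot list of wanted host paths (the ldd_libs output plus the binary and any dlopen()ed modules) and feed it to stale_libs after each populate_chroot run; deleting without reviewing the list is how you remove something a module still needs.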
Re: SMP
On Fri, 11 Dec 2009 14:56:57 -0500, Daniel Ouellet wrote: > Then using PostgreSQL should really work well for you then and you > wouldn't really need or benefit much from multicore kernel with the > giant lock removed as PostgreSQL is not and do not use threads anyway by > design oppose to MySQL that does. So, that choice of database eliminate > your biggest concern form the start. Although PostgreSQL uses multiple processes instead of multiple threads, and that means that (on OpenBSD) PG can scale CPU utilization to all available processors where MySQL can't... if I understand the situation correctly, PG would still benefit from a kernel locking approach that didn't restrict kernel activity to a single CPU core. However, I would be surprised if that starts being a serious problem before OpenBSD's limit of ~4GB on i386 and amd64 started being a problem. And you actually need a fairly big database before that's a problem, so... -- Matthew Weigel hacker unique & idempot . ent
Re: mount /usr partition nosuid
On Thu, 3 Dec 2009 15:30:15 -0500, Mark Romer wrote: > All, thanks for the responses so far. > > I work for the Fed and we have to setup a dns sec bind server on our end. > I > was just reading some of their "advice" on setting up the server... > > 2. Mount BIND's chroot filesystem with the noexec,nosuid,nodev options. E, BIND is chrooted to /var/named. Which is to say, on a standard OpenBSD install with 'reasonable' partitions, you would mount /var noexec,nosuid,nodev - but it defaults to nosuid,nodev, and you'd have to make your own determination as to whether binaries in /var are okay or not (I *think* /var/www/bin is the only thing you'd have to look at, but you can do the digging on that). -- Matthew Weigel hacker unique & idempot . ent
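Both this question and the earlier setuid-perl-script one come down to the same check: which filesystem a path actually lives on, and what options that filesystem was mounted with. The script below is an added example, not code from either thread. It parses mount(8) output in OpenBSD's "device on mountpoint type fstype (opt, opt)" line format (the sample lines are constructed) and resolves a path to its longest-prefix mountpoint, so /var/named lands on /var and /tmp/test.pl on /tmp. On a live host pipe the real mount output in instead of the sample.

```sh
#!/bin/sh
# mountopts.sh: find which filesystem a path lives on and test its mount
# options. Added example, not code from either thread. The sample mount(8)
# output below is constructed; it copies OpenBSD's line format
#   device on mountpoint type fstype (opt, opt, ...)

SAMPLE_MOUNT='/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)
/dev/sd0g on /usr/local type ffs (local, nodev, wxallowed)'

# mount_opts_for PATH: read mount(8) output on stdin and print
# "MOUNTPOINT OPTIONS" for the longest mountpoint that is a directory prefix
# of PATH. Matching on "mountpoint/" keeps /tmpfoo from matching /tmp.
mount_opts_for() {
    awk -v p="$1" '
    {
        mp = $3
        opts = $0
        sub(/^[^(]*\(/, "", opts)
        sub(/\)$/, "", opts)
        prefix = (mp == "/") ? "/" : (mp "/")
        if (p == mp || index(p, prefix) == 1) {
            if (length(mp) > length(best)) { best = mp; bestopts = opts }
        }
    }
    END { if (best != "") print best, bestopts }'
}

# has_mount_opt OPT PATH: exit 0 if the filesystem holding PATH was mounted
# with OPT, 1 otherwise. Options are matched whole, so "nodev" cannot match
# inside another option name.
has_mount_opt() {
    opts=$(mount_opts_for "$2" | cut -d' ' -f2-)
    case ", $opts," in
        *", $1,"*) return 0 ;;
    esac
    return 1
}

# suid_would_work PATH: say whether a setuid bit on PATH can take effect.
suid_would_work() {
    if has_mount_opt nosuid "$1"; then
        echo "$1: filesystem is nosuid, the setuid bit is ignored"
        return 1
    fi
    echo "$1: setuid honoured"
}

# Demonstration against the constructed sample. On a live host:
#   mount | suid_would_work /tmp/test.pl
for f in /tmp/test.pl /usr/local/bin/php-fastcgi; do
    printf '%s\n' "$SAMPLE_MOUNT" | suid_would_work "$f" || :
done
for opt in noexec nosuid nodev; do
    if printf '%s\n' "$SAMPLE_MOUNT" | has_mount_opt "$opt" /var/named; then
        echo "/var/named: $opt set"
    else
        echo "/var/named: $opt not set"
    fi
done
```

The noexec case is the one to think about before changing fstab: the loop above tells you /var is nosuid,nodev but not noexec, and whether adding noexec is safe depends on what in /var actually gets executed, which is the digging the reply leaves to the reader.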
Re: Payment Card Industry (PCI) Data Security Standard HELP!
Stuart VanZee wrote: The last is 8.5.13 locking users out after 6 failed login attempts. Quite frankly I find this to be a pretty stupid requirement as it causes a built in denial of service. I see how creating a custom Authentication style would allow me to do this (in spite of my reservations), but I don't really do much in the way of c coding these days. I have been looking at the code in login.c and login_passwd.c and I understand about half of it (I think). If anyone could give me a shove in the right direction I would sincerely appreciate it. You might also want to see if you can accomplish what you want with login_radius or login_ldap (the latter is in ports) and a RADIUS or LDAP server. -- Matthew Weigel hacker unique & idempot . ent
Re: Payment Card Industry (PCI) Data Security Standard HELP!
Stuart VanZee wrote: The company I work for is having their yearly Payment Card Industry (PCI) assessment and while I believe that OpenBSD is the most secure OS going, I am having some problems proving it. Here are some of the issues I need to figure out. 8.5.9 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days. I have no idea how to set OpenBSD to do this, any suggestions? You configure this in the login class for users (probably the default and staff login classes) - see login.conf(5). 8.5.10 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require passwords to be at least seven characters long. I know that OpenBSD uses 6 characters, is there a way to change this? login.conf(5) 8.5.12 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require that new passwords cannot be the same as the four previously used passwords. I have no idea how to set OpenBSD to do this, any suggestions? You can specify a passwordcheck program in login.conf(5), which you could use to store (hashes of) passwords that have been previously used by each user. 8.5.13 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require that a user's account is locked out after not more than six invalid logon attempts. 8.5.14 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require that once a user's account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account. 13 and 14 go together, I know that this isn't the scheme that OpenBSD uses. 
In OpenBSD, each time a user fails a password attempt it takes a little bit longer to get a new login prompt. Maybe if there was a way that I could set it so that by the time six failures happen that it takes 30 minutes to get the next login prompt. Does anyone know how to do this or have any other suggestion? I don't, I'm afraid, and a quick Google (which could have answered some of your other questions) suggests that it's come up before both on misc@ and elsewhere. I know you don't want to hear about how the PCI DSS is wrong, but in this case their wrongness is, I think, the reason it's not an available option. You could likely implement this yourself with a custom login style, though. 8.5.15 For a sample of system components, obtain and inspect system configuration settings to verify that system/session idle time out features have been set to 15 minutes or less. This one requires that a user must re-enter the password if their terminal is idle for more than 15 minutes. Any ideas how to do this with OpenBSD? You might be able to do this with tmux(1), if you force it to be started for every user with some kind of global configuration. You might also be able to go for strictly X11 logins, and then using xlock. -- Matthew Weigel hacker unique & idempot . ent
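For the requirements that login.conf(5) covers directly (8.5.9, 8.5.10 and the hook for 8.5.12), here is an added example of the capabilities involved, not configuration from the thread. The class name follows OpenBSD's stock file; /usr/local/sbin/pwhistory is a hypothetical program you would have to write yourself (login.conf(5) documents the interface: it is handed the username and the candidate password, and a non-zero exit rejects the password).

```conf
# Added example, not from the thread: capabilities to merge into the entry
# for each login class that holds PCI-scoped users (stock OpenBSD puts
# ordinary users in "default" and administrators in "staff"). Keep the
# class's existing resource limits; these lines only add password policy.
# Capability names are from login.conf(5). /usr/local/sbin/pwhistory is a
# hypothetical checker that would keep hashes of each user's past passwords.
default:\
	:passwordtime=90d:\
	:minpasswordlen=7:\
	:passwordcheck=/usr/local/sbin/pwhistory:\
	:login-backoff=3:\
	:login-tries=6:\
	:tc=auth-defaults:
```

login-backoff and login-tries only slow down and then end one login(1) session; nothing locks the account for 30 minutes afterwards, which is why 8.5.13 and 8.5.14 still call for a custom login style or an external RADIUS/LDAP authenticator as the other replies suggest. If you keep a compiled /etc/login.conf.db, rebuild it with cap_mkdb(1) after editing.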
Re: ECL lisp
Pekka Niiranen wrote: From gmane.lisp.ecl.general: * The OpenBSD port is only building in single threaded mode. The reasons are ...it's probably not a bad idea when pthreads on OpenBSD are a work in progress and don't correspond to kernel threads yet. Not that I'm sneering at threads, but what exactly would having it build in multithreaded mode buy you on OpenBSD? -- Matthew Weigel hacker unique & idempot . ent
Re: OpenBSD as MX server
Chris wrote: Hi Sonjaya, You ask a very open-ended question here. To get into specifics would be too difficult in one email. But here is a rough outline to get you started. A rough outline of... something, certainly. Definitely something mail related. Setting up an MX server? Not so sure. > Some people use Dovecot, but the version included in 4.5 does not include encryption (though you could probably use stunnel to address that...). Wait, what? $ uname -mrsv OpenBSD 4.5 GENERIC.MP#108 i386 $ grep imaps /etc/dovecot.conf # Protocols we want to be serving: imap imaps pop3 pop3s protocols = imaps pop3s $ pkg_info | grep dovecot dovecot-1.1.11p1-ldap compact IMAP/POP3 server Original author wants to replace a Linux MX with an OpenBSD MX? I think the logical approach is to - at least as a first step - look at what the Linux MX is doing now. In all probability that involves using the same MTA as is already in use on the Linux machine, the same antispam software, and mostly the same configuration files. Learning about OpenBSD's spamd would be a good idea once that's done, but at no point does it really involve dumping everything and just doing what someone on a mailing list said. -- Matthew Weigel hacker unique & idempot . ent
Re: question about spamd behaviour
On Thu, 21 May 2009 19:37:58 + (UTC), Stuart Henderson wrote: > As long as people pick their own value for the minutes column, there > will be some reasonable kind of spread. Are the majority of people not > doing this anyway? (actually, I guess probably not or this thread > wouldn't have come up..) I just followed the directions in spamd(8), spamd-setup(8) should be run periodically by cron(8). When run in black- list-only mode, the -b flag should be specified. Use crontab(1) to un- comment the entry in root's crontab. -- Matthew Weigel hacker unique & idempot . ent
Re: question about spamd behaviour
On Thu, 21 May 2009 12:54:30 + (UTC), Stuart Henderson wrote: > On 2009-05-21, Robson Caetano wrote: >> The problem is that changing the time of the hour or of the day you >> fetch the blacklist will avoid concurrency but is not fault proof. > > It isn't fault proof, but you should do it anyway. Just to be clear... when spamd-setup is run in /etc/rc, with the -D flag, it doesn't actually stick around, right? It just does its job in the background so that grabbing updated black/whitelists can't hang the machine. And then the sample spamd-setup line in crontab runs it every hour, if it's a good idea for everyone to change it wouldn't it be a good idea to give an example that only runs e.g. once a day? -- Matthew Weigel hacker unique & idempot . ent
Re: 4.5 delivery - How do they do it?
Daniel A. Ramaley wrote: If you can get precognition working in the network stack, can the same technology be applied to other areas? I'm thinking perhaps you could adapt the precognition algorithm to generating commits to the CVS tree. I'm more interested in seeing what Marco can do in softraid - failover prior to disk failure? -- Matthew Weigel hacker unique & idempot . ent
Re: spam from chrooted CMSes
Uwe Dippel wrote: > Matthew Weigel idempot.net> writes: > >> Then you have grown your userbase too fast with a terrible setup, and now >> you're caught in the middle of fixing the problem or avoiding downtime. > > Are you sure this is not a misunderstanding? When you host user accounts, on a > tight, default, setup of OpenBSD (or any other OS), and allow them to ftp into > their web-directories, how could one prevent them from uploading code that > mail()-s something? Aside of removing mini_sendmail, that is. Yes, that. >> Sure, if you go through and find every line of code where mail() is called, >> you can add logging at that point. But so far you've refused to make any >> changes to the applications. > > Are you sure that this is not a misunderstanding? Which sysadmin can 'make > changes to the applications' that his 200+ users run?? My point is that it's not much an option. Logging how mail() was called requires you to go in and log each time mail() is called. PHP won't do it, Apache won't do it. So mail() is a terrible option. >> His idea is the right one. Most PHP applications I've dealt with support, at >> least through plugins or extensions, SMTP + AUTH for sending mail instead of >> PHP's mail(). > > Are you sure that this is not a misunderstanding? If you host, for example, > any > CMS, it should have the functionality to the remote user, registered with that > CMS, to request a password reset. Which SMTP+AUTH do you want to use here?? Huh? I'm talking about the CMS itself authenticating to the SMTP server, and giving each application a single set of credentials. This should be set in the CMS's config files, much like database credentials. In fact, pretty much EXACTLY like database credentials, in that (presumably) you've configured each web application to have its own credentials with privileges specific to that one application (e.g., what databases it can access). Here's an example: I run a discussion board. 
All email notifications coming out of the board come from a particular email address; let's call it "bo...@idempot.net". Then I configure that board's software to connect to my SMTP server to send mail, and it has to authenticate as "bo...@idempot.net" to send any mail. Now, if my server starts sending out spam, I can check the logs and see if the spam is coming from the user "bo...@idempot.net" to verify that the particular board software I'm using is the compromised software or not. -- Matthew Weigel hacker unique & idempot . ent
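The payoff of one SMTP AUTH credential per application is that the mail log becomes attributable. As an added example (not from the thread), the script below does the log check described above: it counts accepted submissions per authenticated sender, per clock hour, and flags any credential whose volume passes a threshold. It assumes the MTA logs authenticated submissions in Postfix's "sasl_username=" style, which the thread never specifies; the log lines and the example.net credentials are constructed.

```sh
#!/bin/sh
# authvolume.sh: attribute submitted mail to the SMTP AUTH credential that sent
# it and flag heavy senders. Added example, not from the thread. Assumes
# Postfix-style smtpd log lines carrying "sasl_username=..."; the sample
# lines below are constructed.

SAMPLE_LOG='May  3 10:01:02 mx postfix/smtpd[1001]: 1A2B3C: client=web1[10.0.0.5], sasl_method=PLAIN, sasl_username=board@example.net
May  3 10:01:09 mx postfix/smtpd[1001]: 1A2B3D: client=web1[10.0.0.5], sasl_method=PLAIN, sasl_username=board@example.net
May  3 10:02:15 mx postfix/smtpd[1002]: 1A2B3E: client=web1[10.0.0.5], sasl_method=PLAIN, sasl_username=wiki@example.net
May  3 10:02:40 mx postfix/smtpd[1001]: 1A2B3F: client=web1[10.0.0.5], sasl_method=PLAIN, sasl_username=board@example.net
May  3 10:03:01 mx postfix/smtpd[1003]: 1A2B40: client=web1[10.0.0.5], sasl_method=PLAIN, sasl_username=board@example.net
May  3 10:03:22 mx postfix/smtpd[1004]: 1A2B41: client=mail.example.org[192.0.2.7]'

# auth_counts: read log lines on stdin, print "count user" per authenticated
# sender, busiest first. Lines without sasl_username (unauthenticated inbound
# mail) are ignored, since they cannot have come from a hosted application.
auth_counts() {
    sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# auth_counts_hourly: "count user hour" per credential and clock hour, busiest
# first, so a burst from one credential stands out against its normal rate.
auth_counts_hourly() {
    awk '
        match($0, /sasl_username=[^ ,]+/) {
            user = substr($0, RSTART + 14, RLENGTH - 14)
            hour = substr($3, 1, 2)
            n[user " " hour]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# flag_heavy THRESHOLD: print "user hour" for every credential that submitted
# more than THRESHOLD messages in a single hour. Tune the threshold per site;
# a password-reset form should not be sending hundreds of messages an hour.
flag_heavy() {
    auth_counts_hourly | awk -v t="$1" '$1 > t { print $2, $3 }'
}

# Demonstration against the constructed sample. On a live host:
#   flag_heavy 200 < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | auth_counts
printf '%s\n' "$SAMPLE_LOG" | flag_heavy 3
```

When a credential is flagged, the fix is local: change that one application's SMTP password (or disable it) and the rest of the site keeps sending mail, which is the difference between this setup and a shared mini_sendmail path that every chrooted script can call anonymously.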
Re: spam from chrooted CMSes
Uwe Dippel wrote: > I'm sorry, but I lack the experience to understand what you mean. I have > 200+ users, several of them having set up (sorry, yes, written!), > who can install any CMS of their liking, using ftp; or any other script > that > sends mail. Some of them are official websites, so I can not shut down the > whole mini_sendmail business in the chrooted Apache. I also cannot read, > study, > hundreds of thousands of lines of code to find out how and where a > web-page hosted by me allows an attacker to inject a message of her own, > to a recipient of her own choice. Then you have grown your userbase too fast with a terrible setup, and now you're caught in the middle of fixing the problem or avoiding downtime. > Since mini_sendmail receives it through php from Apache, I wonder how I > could log e.g. the website from which it was sent, or at least easily > limit the number of calls of mini_sendmail. Sure, if you go through and find every line of code where mail() is called, you can add logging at that point. But so far you've refused to make any changes to the applications. > Again, your idea being fine for an application developer, which I am not. His idea is the right one. Most PHP applications I've dealt with support, at least through plugins or extensions, SMTP + AUTH for sending mail instead of PHP's mail(). > The only two places where I, IMHO, can see a chance would be with an > extended > log or check of Apache or php; whenever a mail-call is logged, from > which directory, e.g. I don't think PHP ever changes the working directory except explicitly; probably every call to mail() (which leads to mini_sendmail) occurs in the chroot /. > Yes. But that's a complete coder's work, isn't it? I wonder if there is no > other solution, as mentioned above. There are, but they require you to set the parameters of how web apps can work in your environment so as to enforce a minimum of auditability. 
You have already said that you can't enforce that minimum, and it turns out that you're left with nothing to audit. > sendmail_path = "/bin/mini_sendmail -t -i" > is what I have in php.ini. I wonder, if there are no logging features for > mini_sendmail or so. I read the man-page online, but didn't see any. Well, mini_sendmail is an external package... talk to the authors about that, but I think they'll tell you they can't really track what you need tracked. -- Matthew Weigel hacker unique & idempot . ent
Re: European orders
Artur Grabowski wrote: At this moment we know that one side of the conflict said that future European orders will be done through a different distributor because the old distributor proved to fall behind on payments, the other side hasn't said anything. Please, enlighten us about further details since you seem to have some insight into the issue. Wim hasn't posted to the list, but he has put up his perspective at http://accounting.kd85.com/ . Dunno what's really happening... -- Matthew Weigel hacker unique & idempot . ent
Re: OpenBSD mta with postfix
Rod Whitworth wrote: >>> Anybody run into this kind of logic before? >> Yes, that's part of how greytrapping works: >> http://www.openbsd.org/cgi-bin/man.cgi?query=spamd#GREYTRAPPING > > No. That is NOT how greytrapping works. RTFM more carefully. > > spamd NEVER issues a 2xx code, because it NEVER accepts any mail. I did RTFM carefully. I don't see anything in the spamd manpage that indicates one way or another what response is sent in the specific case of greytrapping. So I assumed it did, because that's the way I've seen other greytrapping systems whose code I've read worked. Perhaps you can point out my mistake. But your comment got me curious, so I poked at the source, and it looks like it never lets the sender get far enough in the DATA to be done before issuing a 450/550 (per -4/-5); it only issues 2xx codes (and it's not "NEVER") to string the connection along. >> I've seen other implementations do greytrapping for *every* invalid >> address that comes through, too. > > And that's a great way to blacklist a genuine sender who misheard an > email address and so misspelled it. S/he will never get a 5xx that > flags the problem. John Brooks asked if anyone had run into this before. Yes, I have. Hell, I'm pretty sure this approach has been presented at LISA before. -- Matthew Weigel hacker unique & idempot.ent
Re: OpenBSD mta with postfix
John Brooks wrote: I've just received this response from a large corporate email system regarding their claim that emails sent to them are not getting through even though our logs contain acknowledgements of accepting the mail sent. In our mail logs: ... status=sent (250 Message accepted for delivery) Their response: ... "my understanding of the security policy is not to acknowledge mistakes in email addresses as a best practice defense against phishing and other types of email delivered attacks." Anybody run into this kind of logic before? Yes, that's part of how greytrapping works: http://www.openbsd.org/cgi-bin/man.cgi?query=spamd#GREYTRAPPING I've seen other implementations do greytrapping for *every* invalid address that comes through, too. -- Matthew Weigel hacker unique & idempot . ent
Re: Sending email in Apache chroot?
Sunnz wrote: I also tried the following: `chroot -g www -u www / /var/www/bin/femail -t -i m...@myaddress.com` works, but Setting the chroot to '/'? I don't think that does anything. `chroot -g www -u www /var/www/ /bin/femail -t -i m...@myaddress.com` doesn't work, it says: femail: non-recoverable failure in name resolution I run out of ideas now, what needs to be done? What files might be used in name resolution on the system, that aren't in /var/www? Maybe... /etc/resolv.conf? -- Matthew Weigel hacker unique & idempot . ent
Re: package integrity, security and checks. .... where are they ?
Martin Schröder wrote: 2008/12/17 Marc Espie : We think it's worse to sign packages than not to sign them if you don't have a fairly strict process that ensures you have a correct chain of trust. Agreed. PGP provides that, but I can understand that nobody wants GnuPG in base. :-{ Errr, no, PGP doesn't provide the *process* of key protection. It provides some tools that are useful in the process, but the process and systems themselves are what protects e.g. the gpg private key used to sign packages. Like Marc said, signing packages when the process doesn't protect the integrity of the signatures, the source used to compile the binaries that are signed, and the binaries themselves, you are providing a misleading sense of security instead of an actual benefit. An example of the difference: http://rhn.redhat.com/errata/RHSA-2008-0855.html -- Matthew Weigel hacker unique & idempot . ent
Re: Perl changes and majordomo
Marco S Hyman wrote: I noticed that majordomo now gives this warning when running the digest command: $* is no longer supported at /usr/local/lib/majordomo/digest line 305. I assume it started when perl was updated to 5.10.0. As one who dislikes perl enough to have never learned it a clue as to what it means would be appreciated :-) http://perldoc.perl.org/5.8.8/perlvar.html "Set to a non-zero integer value to do multi-line matching within a string, 0 (or undefined) to tell Perl that it can assume that strings contain a single line Use of $* is deprecated in modern Perl, supplanted by the /s and /m modifiers on pattern matching." So whatever majordomo is doing with regular expressions, it thinks it's handling multi-line strings one way and is probably handling it the other way now. -- Matthew Weigel
Re: openbsd sgi - uname -m, packages and mips64
Peter Kay - Syllopsium wrote: > A bit of an oddity. On all other platforms (at least I think so), the > output from 'uname -m' matches the name of the directory under packages, For all supported platforms, the name of the package directory matches 'machine -a'. Because packages are compiled for a specific processor type, not a platform. For example, the mac68k and mvme68k platforms both have a 'machine -a' output of 'm68k' - ditto with the macppc and socppc platforms. -- Matthew Weigel hacker unique & idempot.ent
Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?
Neko wrote: > somhow here , most people i know use 4 os, dos/ms/lin/bsd OK, I'm genuinely curious: why do you run DOS on a machine that you also run Windows on? Why do you run Linux and OpenBSD on the same machine? > oddly enough freebsd / osx have compatibility by default. but they wouldnt > know would they. So... run FreeBSD or OS X as your fourth operating system instead of OpenBSD? I'm not sure if you noticed, but the whole REASON FreeBSD/NetBSD/OpenBSD/Linux are different projects run by different people is that they have differences of opinion on what's important, and what the right way to do something is. If you're having a problem sharing files, there are solutions far more effective than complaining on [EMAIL PROTECTED] If your goal is to solve your problem, you can solve it. -- Matthew Weigel hacker unique & idempot.ent
Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?
Denis Doroshenko wrote: > have you done any analysis of statistical data in order to say so? > otherwise all those "way more popular", "most people" it is a big IYHO. William Boshuck has the measure of my response to that. > On Sun, Oct 26, 2008 at 9:10 AM, Matthew Weigel <[EMAIL PROTECTED]> wrote: >> On the other hand, CIFS/NFS network storage devices are cheap, >> and people can use them whether they dual boot, or simply have multiple >> machines on their network. Then too, a lot of people just use boring old >> thumb drives to store data that all their systems can use. > > well with NFS i'd agree, in case there is a robust free NFS implementation > for MS Windows (haven't looked for that myself, as I don't seem to have NFS > storage in my home LAN). I'm not sure exactly what you're saying here... I'm talking about NAS devices that export their filesystem via CIFS and NFS, so that virtually every modern operating system can use it. See, for example, this device: http://www.newegg.com/Product/Product.aspx?Item=N82E16822111012 > WRT thumb drives, well they still need some FS to be on them, and > fat32 would be a winner (for actual primitiveness thus being supported > by anyone), but there is a serious (these days it is) limitation like > limited maximal size of a file like 2G (must be 2^31-1 perhaps). Actually, (2^32)-1, or 4GB, is the max size per file (http://support.microsoft.com/kb/314463). I can see that being a problem if you're trying to run a database off of your thumb drive, but otherwise... can you give examples of files that you (or anyone you know) would like to access in Windows and OpenBSD that exceed this limit? -- Matthew Weigel hacker unique & idempot.ent
Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?
Neko wrote: > this is the future. people use multiple os on their machine That's actually the past... multibooting seemed way more popular ten years ago than now. I'm going to go out on a limb here, and say that most people - even if their machine is set up to boot multiple systems - really just use one OS per computer. On the other hand, CIFS/NFS network storage devices are cheap, and people can use them whether they dual boot, or simply have multiple machines on their network. Then too, a lot of people just use boring old thumb drives to store data that all their systems can use. -- Matthew Weigel hacker unique & idempot.ent
Re: Light HTTP servers.
Henning Brauer wrote: lighttpd. So far I am very happy with lighttpd, including running with PHP via FastCGI. I don't really trust the PHP applications I run, so they operate in a separate chroot (via spawn-php.sh) as a separate user in addition to lighttpd itself being chroot as a separate user. Another poster said lighttpd isn't being actively developed, but it's active enough for me - my bug reports have been fixed and new releases put out to address them. Other than setting up the chroot FastCGI, it was quite easy to configure and get running. I think the biggest problem will be running MySQL and PHP in 32MB, the OP may need to tweak MySQL to not use too much memory and restrict the number of PHP processes to run (1 or 2, I'd say). -- Matthew Weigel hacker unique & idempot.ent
Re: "Correctly" uninstall default Apache and install Apache 2.2.4?
Ed Flecko wrote: Hi folks, For a variety of reasons and features, I'd like to install the apache-httpd-2.2.4.tgz package. As a side note, I tried to install it on OpenBSD 4.2, and there are a few package dependencies it apparently is missing (at least on my box, which runs 4.2 without X) because the install fails. http://www.openbsd.org/faq/faq4.html#FilesNeeded http://www.openbsd.org/faq/upgrade42.html#libexpat It was a bug in the 4.2 filesets, expat was moved from the package system to xbase42.tgz, which fewer people install than base42.tgz . 1.) Is there a "correct" way to uninstall the default Apache 1.3 that ships with OpenBSD? I can't use a "pkg_delete..." can I? No. Just leave it. 2.) Maybe I don't need to? If I don't uninstall the original Apache, will the new version overwrite the 1.3 version? If you install the package of Apache 2.2, it won't overwrite the base Apache. You'll have two Apache installs in two different locations, both of which work and run independently of each other. You may need to double check PATH settings, I'm not sure, but otherwise it should just work if you only run the one you want to run. It's not like the base Apache starts automatically, or anything. 3.) Do I need to chroot the Apache 2.2.4 or will the "default" install set it up that way? I don't have an answer for this one. :-) -- Matthew Weigel hacker [EMAIL PROTECTED]
Re: Really large drives (was Re: Is there a "badblocks"-equivalent for OpenBSD?)
David Gwynne wrote: solaris suffers from this problem. you cant use big disks with 32bit solaris kernels. For UFS, at least, but doesn't ZFS on i386 (not amd64) scale? -- Matthew Weigel hacker unique & idempot.ent
Re: Really large drives (was Re: Is there a "badblocks"-equivalent for OpenBSD?)
Chris Zakelj wrote: ... I'm wondering if thought is being given on how to make the physical size (not filesystem... I totally understand why those should be kept small) limitation of http://www.openbsd.org/faq/faq14.html#LargeDrive
http://www.openbsd.org/43.html "New Functionality: ... o The ffs layer is now 64-bit disk block address clean. This means that disks, partitions and filesystems larger than 2TB are now supported, with the exception of statfs(2) and quotas."
So, yes, thought is being given...
a non-issue on 64-bit platforms
Whether a system is 64-bit or not isn't very relevant to this - that mostly establishes what the memory address space is, *not* the size of integers that can be used by the system.
-- Matthew Weigel hacker unique & idempot.ent
Re: using sun storeedge d1000 with OpenBSD
Sebastian Reitenbach wrote: I got such a storage device, mentioned in the subject. In the manual it says, when I want to connect the storage to a PCI-based host, I need a PCI to dual differential UltraSCSI adapter, Model X6541A.
What you need is any differential UltraSCSI controller. The D1000 can have its two SCSI buses joined and you can configure it so they don't have repeating SCSI IDs... or if you have two differential UltraSCSI channels, you can connect them separately. However, the X6541A does work fine - I have one in a PowerEdge 1550, currently connected to a D1000:
siop0 at pci2 dev 6 function 0 "Symbios Logic 53c875" rev 0x14: apic 3 int 13 (irq 3), using 4K of on-board RAM
scsibus2 at siop0: 16 targets
sd2 at scsibus2 targ 0 lun 0: SCSI2 0/direct fixed
sd2: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
sd3 at scsibus2 targ 1 lun 0: SCSI2 0/direct fixed
sd3: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
sd4 at scsibus2 targ 2 lun 0: SCSI2 0/direct fixed
sd4: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
safte1 at scsibus2 targ 14 lun 0: SCSI2 3/processor fixed
siop1 at pci2 dev 6 function 1 "Symbios Logic 53c875" rev 0x14: apic 3 int 14 (irq 11), using 4K of on-board RAM
scsibus3 at siop1: 16 targets
sd5 at scsibus3 targ 8 lun 0: SCSI2 0/direct fixed
sd5: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
sd6 at scsibus3 targ 9 lun 0: SCSI2 0/direct fixed
sd6: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
sd7 at scsibus3 targ 10 lun 0: SCSI2 0/direct fixed
sd7: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
safte2 at scsibus3 targ 15 lun 0: SCSI2 3/processor fixed
-- Matthew Weigel hacker unique & idempot.ent
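An added worked example, not code from the post above or from OpenBSD, that serves both this D1000 reply and the earlier "Really large drives" reply: it parses the attach and geometry lines of the dmesg quoted above into a per-bus inventory, checks whether the two scsibus instances could be cabled into one bus without a target-ID collision (the "no repeating SCSI IDs" condition), and computes how far a block number of a given width reaches, which is where the 2TB figure of the large-drives thread comes from (2^32 sectors of 512 bytes). The initiator ID 7 for the host adapter, 512-byte sectors and the 32-bit block width are assumptions for the example, not values the post states.

```c
/* Added example: inventory SCSI devices from dmesg(8) attach lines, test
 * bus-join safety, and relate disk size to block-address width. Not OpenBSD code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEV 32
#define INITIATOR_ID 7   /* assumed host adapter ID; check your controller's setting */

struct dev {
    char name[16];            /* e.g. "sd2", "safte1" */
    int bus, targ, lun;
    uint64_t sectors;         /* 0 until a "sdN: ... sec total" line is seen */
    unsigned bytes_per_sector;
};

/* Attach and geometry lines copied from the dmesg quoted in the post above. */
static const char *sample_dmesg =
    "sd2 at scsibus2 targ 0 lun 0: SCSI2 0/direct fixed\n"
    "sd2: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total\n"
    "sd3 at scsibus2 targ 1 lun 0: SCSI2 0/direct fixed\n"
    "sd3: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total\n"
    "sd4 at scsibus2 targ 2 lun 0: SCSI2 0/direct fixed\n"
    "sd4: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total\n"
    "safte1 at scsibus2 targ 14 lun 0: SCSI2 3/processor fixed\n"
    "sd5 at scsibus3 targ 8 lun 0: SCSI2 0/direct fixed\n"
    "sd5: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total\n"
    "sd6 at scsibus3 targ 9 lun 0: SCSI2 0/direct fixed\n"
    "sd6: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total\n"
    "sd7 at scsibus3 targ 10 lun 0: SCSI2 0/direct fixed\n"
    "sd7: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total\n"
    "safte2 at scsibus3 targ 15 lun 0: SCSI2 3/processor fixed\n";

/* Parse dmesg text into devs[]; returns the number of attach lines found.
 * Geometry lines ("sdN: ... sec total") fill in the device attached earlier. */
int parse_dmesg(const char *text, struct dev *devs, int max)
{
    int n = 0;
    while (*text) {
        char line[256], name[16];
        int bus, targ, lun;
        unsigned bps;
        unsigned long long sectors;
        const char *nl = strchr(text, '\n');
        size_t full = nl ? (size_t)(nl - text) : strlen(text);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += full + (nl ? 1 : 0);

        if (sscanf(line, "%15[a-z0-9] at scsibus%d targ %d lun %d",
                   name, &bus, &targ, &lun) == 4) {
            if (n == max) break;
            strcpy(devs[n].name, name);
            devs[n].bus = bus; devs[n].targ = targ; devs[n].lun = lun;
            devs[n].sectors = 0; devs[n].bytes_per_sector = 0;
            n++;
        } else if (sscanf(line, "%15[a-z0-9]: %*uMB, %*d cyl, %*d head, %*d sec,"
                                " %u bytes/sec, %llu sec total", name, &bps, &sectors) == 3) {
            for (int i = 0; i < n; i++)
                if (strcmp(devs[i].name, name) == 0) {
                    devs[i].bytes_per_sector = bps;
                    devs[i].sectors = sectors;
                }
        }
    }
    return n;
}

/* Bitmask of target IDs occupied on one bus (bit t set => target t in use);
 * enclosure processors such as safte(4) count, since they hold an ID too. */
uint32_t bus_target_mask(const struct dev *devs, int n, int bus)
{
    uint32_t mask = 0;
    for (int i = 0; i < n; i++)
        if (devs[i].bus == bus && devs[i].targ >= 0 && devs[i].targ < 32)
            mask |= 1u << devs[i].targ;
    return mask;
}

/* Two buses can be cabled into one only if no target ID appears on both and
 * none of the devices uses the single remaining initiator's ID. */
int buses_joinable(const struct dev *devs, int n, int bus_a, int bus_b, int initiator)
{
    uint32_t a = bus_target_mask(devs, n, bus_a), b = bus_target_mask(devs, n, bus_b);
    return (a & b) == 0 && ((a | b) & (1u << initiator)) == 0;
}

/* Bytes reachable with a block number of `bits` bits and `bps`-byte sectors:
 * 32 bits with 512-byte sectors gives 2^41 bytes, i.e. the 2 TiB limit. */
uint64_t max_addressable_bytes(unsigned bits, unsigned bps)
{
    if (bps == 0) return 0;
    if (bits >= 64) return UINT64_MAX;
    uint64_t nblocks = (uint64_t)1 << bits;
    return nblocks > UINT64_MAX / bps ? UINT64_MAX : nblocks * bps;
}

static struct dev g_devs[MAX_DEV];
static int g_n = -1;

/* Parse the embedded sample once; returns the device count. */
int load_sample(void)
{
    if (g_n < 0) g_n = parse_dmesg(sample_dmesg, g_devs, MAX_DEV);
    return g_n;
}

static const struct dev *find_dev(const char *name)
{
    load_sample();
    for (int i = 0; i < g_n; i++)
        if (strcmp(g_devs[i].name, name) == 0) return &g_devs[i];
    return NULL;
}

uint64_t sample_sectors(const char *name) { const struct dev *d = find_dev(name); return d ? d->sectors : 0; }
uint32_t sample_bus_mask(int bus) { load_sample(); return bus_target_mask(g_devs, g_n, bus); }
int sample_buses_joinable(int a, int b) { load_sample(); return buses_joinable(g_devs, g_n, a, b, INITIATOR_ID); }

/* 1 if every sector of the named disk is reachable with `bits`-bit block numbers. */
int sample_disk_fits(const char *name, unsigned bits)
{
    const struct dev *d = find_dev(name);
    return d != NULL && (bits >= 64 || d->sectors <= ((uint64_t)1 << bits));
}

int main(void)
{
    int n = load_sample();
    for (int i = 0; i < n; i++)
        printf("%-7s scsibus%d targ %2d  %llu sectors\n", g_devs[i].name, g_devs[i].bus,
               g_devs[i].targ, (unsigned long long)g_devs[i].sectors);
    printf("scsibus2 + scsibus3 joinable: %s\n", sample_buses_joinable(2, 3) ? "yes" : "no");
    printf("32-bit block numbers reach %llu bytes\n", (unsigned long long)max_addressable_bytes(32, 512));
    return 0;
}
```

The same parser can be pointed at a real dmesg by reading `/var/run/dmesg.boot` into a buffer in place of the embedded sample; the joinability check is a pre-cabling sanity test only, since the bus also has to be terminated and the controller's own ID must be confirmed rather than assumed.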
