Re: openBSD newbie: how to display INSTALL. during install
On 2/10/09, Jesus Sanchez wrote: > Josh Grosse escribis: > O.o... another computer with screen near?? > Yep! right in front of me ;-) > belive me, print out some pages would affect the subsistence of > trees, the paper factories use controlated environments with fast grown > trees species to don't cut forests (at least here in Spain). > OK, I guess I will select the more difficult parts and make a printout. I have some docs with a blank back anyhow - recycling! > Thanks for the replies. -- Best regards Neoklis Ham Radio call 5B4AZ Website: http://5b4az.chronos.org.uk/
Re: openBSD newbie: how to display INSTALL. during install
Josh Grosse escribis: On Tue, 10 Feb 2009 16:52:08 +0200, Neoklis Kyriazis wrote Is there a way to have the installation notes handy apart from a "dead tree" printout? One can have the notes present in machine-readable form. Handy? No. The ramdisk kernel operates in single-user mode, so there is no alternate console available. But, one can escape to a subshell. From there, one could mount a foreign file system containing the document, and view it with less(1) or more(1). One could also acquire it via ftp(1) over the network, but there is likely insufficient freespace to save it in the RAM filesystem. One could obviously create a spare FFS filesystem to store the file, but then, if one could do that, one would be familiar enough with OpenBSD to not need the installation documentation anyway. O.o... another computer with screen near?? belive me, print out some pages would affect the subsistence of trees, the paper factories use controlated environments with fast grown trees species to don't cut forests (at least here in Spain).
Re: openBSD newbie: how to display INSTALL. during install
On Tue, 10 Feb 2009 16:52:08 +0200, Neoklis Kyriazis wrote > Is there a way to have the installation notes handy apart from a > "dead tree" printout? One can have the notes present in machine-readable form. Handy? No. The ramdisk kernel operates in single-user mode, so there is no alternate console available. But, one can escape to a subshell. From there, one could mount a foreign file system containing the document, and view it with less(1) or more(1). One could also acquire it via ftp(1) over the network, but there is likely insufficient freespace to save it in the RAM filesystem. One could obviously create a spare FFS filesystem to store the file, but then, if one could do that, one would be familiar enough with OpenBSD to not need the installation documentation anyway.
openBSD newbie: how to display INSTALL. during install
Hi, I am new to *BSD and I am trying to instal openBSD 4.4 on an amd64 platform. I tried to find out how to have INSTALL.amd64 displayed somewhere during installation (like opening a second console and using less) but it seems that only one console is available during install. Is there a way to have the installation notes handy apart from a "dead tree" printout? My thanks in advance. -- Best regards Neoklis Ham Radio call 5B4AZ Website: http://5b4az.chronos.org.uk/
Re: OpenBSD Newbie
misiu wrote: Hello all, I'm new to OpenBSD, I installed it a few times but than did not know what to do realy. Right now I'm little more experienced with Linux and I thought give it a nother try. Now I'm runnin an Openbsd 3.9 Box. Default setup. I try to run a Webmailbox and later Openvpn. It did not work so I searched long for an answer. I started httpd -u and now Openwebmail is running. I read allso that it is insecure, how can I run httpd chrooted and Openwebmail? Did not find any (for me understandable) answer. You are getting some good advice on chrooting in GENERAL, but kinda missing your specific case by a wide margine. What does chroot do? Confine an untrusted app within a section of your file system, preferably one in which they have no write access, so if the app has a security problem, the damage is minimized. Doesn't make the app more secure by itself. BUT... you need write access. So you grant it. You need libraries, you copy them over. You need programs, you copy them over. You need root access, you grant it. by this point, you have lost just about all the advantage of chroot, and spent a lot of time doing it. Look at OpenWebmail. Neat program for a basic webmail app (and considerably better than some commercial webmail programs). Amazingly self-contained, doesn't need an IMAP server. Just off the top of my head, having installed it in a trial environment a few years ago, it needs AT LEAST the following: access to sendmail binaries access to /var/mail access to /home root (that's how it reads the mbox files in /var/mail and /home) perl The thing needs root. Gotta have root. No root, no work. If you got root, you can probably escape from a chroot. Much better than worrying about chroot'ing OpenWebmail, just put it on a "disposable" box, with no other secure apps, and make sure you use passwords/keys on it that don't show up elsewhere on machines you maintain. Box gets owned? shut it down, figure out what went wrong, rebuild and repair. Some places, chrooting is great. However, simply tossing enough stuff in the chroot to make your app run does NOT automatically mean the app (or your box!) is any more secure when done than it was before. By the time you copy everything over to the chroot, you have not really gained much advantage /in this case/. Openwebmail is not good explained too. Has anyone installed it ? (I guess for shure) would that one please contact me offlist? I don't whant step by step help just to shed a little light in been a while...but a few hints: var needs to be able to exec code and no "nosuid", which IS there on default OpenBSD installs. Put your home directories physically in /var if you expect quotas to work as expected, you can symlink them back to /home if that freaks you out excessively. That's about all I remember. Oh, and don't have 25 kids change their PWs all at the same time unless you have around 600M of RAM+Swap available. Ouch... Nick.
Re: OpenBSD Newbie
On Fri, May 26, 2006 at 03:02:04PM -0700, Chris Cappuccio wrote: > Joachim Schipper [EMAIL PROTECTED] wrote: > > On Fri, May 26, 2006 at 11:21:54PM +0200, misiu wrote: > > > Tony Abernethy schrieb: > > > > > > >The problem with a changed root is that everything you will ever > > > >need to access needs to be inside this changed root. > > > >All the libriaries, etc etc --- that's right, another copy. > > > > > > > >One advantage of OpenBSD is that they actually understand security. > > > >(Most that tries to pass for security ... isn't (bluntly)) > > > Tanx, > > > > > > so if I understand it right, I need to copy /var/www/cgi-bin into > > > /var/www/htdocs. > > > > Erm, no. > > > > Say I write a Perl CGI script. I'd then need to copy /usr/bin/perl into > > the chroot (i.e., to /var/www/usr/bin/perl). Of course, perl would fail > > to start, as the perl executable is dynamically linked and thus > > dependent on quite a few things. > > > > Or you could run mod_perl Yes, but that would neither be as instructive nor a proper solution, as you'd still require some perl include files, and most likely some external programs as well. Of course, mod_perl is a good idea for the fact that it's much faster than regular CGI. Though there are other solutions to that, from caching proxies to FastCGI. Joachim
Re: OpenBSD Newbie
Or you could run mod_perl Joachim Schipper [EMAIL PROTECTED] wrote: > On Fri, May 26, 2006 at 11:21:54PM +0200, misiu wrote: > > Tony Abernethy schrieb: > > > > >The problem with a changed root is that everything you will ever > > >need to access needs to be inside this changed root. > > >All the libriaries, etc etc --- that's right, another copy. > > > > > >One advantage of OpenBSD is that they actually understand security. > > >(Most that tries to pass for security ... isn't (bluntly)) > > Tanx, > > > > so if I understand it right, I need to copy /var/www/cgi-bin into > > /var/www/htdocs. > > Erm, no. > > Say I write a Perl CGI script. I'd then need to copy /usr/bin/perl into > the chroot (i.e., to /var/www/usr/bin/perl). Of course, perl would fail > to start, as the perl executable is dynamically linked and thus > dependent on quite a few things. > > $ ldd /usr/bin/perl > /usr/bin/perl: > StartEnd Type Open Ref GrpRef Name > exe 10 0 /usr/bin/perl > 02f9c000 22fbd000 rlib 01 0 /usr/lib/libperl.so.10.1 > 0d2f4000 2d2fb000 rlib 01 0 /usr/lib/libm.so.2.2 > 0acae000 2acb2000 rlib 01 0 /usr/lib/libutil.so.11.0 > 0331 23341000 rlib 01 0 /usr/lib/libc.so.39.0 > 0e40f000 0e40f000 rtld 01 0 /usr/libexec/ld.so > > This means I'd need to copy the mentioned libraries into /var/www, i.e. > /var/www/usr/lib/libc.so.39.0 and so on. > > Of course, this would run Perl but probably not the script. You most > likely used some modules, and so on. This'd entail copying (parts of) > /usr/libdata/perl5 and/or /usr/local/libdata/perl5 into /var/www. > > Joachim -- There is no certainty, there is only opportunity
Re: OpenBSD Newbie
On Fri, May 26, 2006 at 11:21:54PM +0200, misiu wrote: > Tony Abernethy schrieb: > > >The problem with a changed root is that everything you will ever > >need to access needs to be inside this changed root. > >All the libriaries, etc etc --- that's right, another copy. > > > >One advantage of OpenBSD is that they actually understand security. > >(Most that tries to pass for security ... isn't (bluntly)) > Tanx, > > so if I understand it right, I need to copy /var/www/cgi-bin into > /var/www/htdocs. Erm, no. Say I write a Perl CGI script. I'd then need to copy /usr/bin/perl into the chroot (i.e., to /var/www/usr/bin/perl). Of course, perl would fail to start, as the perl executable is dynamically linked and thus dependent on quite a few things. $ ldd /usr/bin/perl /usr/bin/perl: StartEnd Type Open Ref GrpRef Name exe 10 0 /usr/bin/perl 02f9c000 22fbd000 rlib 01 0 /usr/lib/libperl.so.10.1 0d2f4000 2d2fb000 rlib 01 0 /usr/lib/libm.so.2.2 0acae000 2acb2000 rlib 01 0 /usr/lib/libutil.so.11.0 0331 23341000 rlib 01 0 /usr/lib/libc.so.39.0 0e40f000 0e40f000 rtld 01 0 /usr/libexec/ld.so This means I'd need to copy the mentioned libraries into /var/www, i.e. /var/www/usr/lib/libc.so.39.0 and so on. Of course, this would run Perl but probably not the script. You most likely used some modules, and so on. This'd entail copying (parts of) /usr/libdata/perl5 and/or /usr/local/libdata/perl5 into /var/www. Joachim
Re: OpenBSD Newbie
misiu wrote: Tony Abernethy schrieb: The problem with a changed root is that everything you will ever need to access needs to be inside this changed root. All the libriaries, etc etc --- that's right, another copy. One advantage of OpenBSD is that they actually understand security. (Most that tries to pass for security ... isn't (bluntly)) Tanx, so if I understand it right, I need to copy /var/www/cgi-bin into /var/www/htdocs. no, you need to copy the system-libs for your cgi to /var/www/usr/lib/, /var/www/usr/include, ... i found this link very helpful (just read it to get a grip how apache-chroot works): http://www.openbsdsupport.org/ApacheSuexecChroot.html greets, chris
Re: OpenBSD Newbie
Tony Abernethy schrieb: The problem with a changed root is that everything you will ever need to access needs to be inside this changed root. All the libriaries, etc etc --- that's right, another copy. One advantage of OpenBSD is that they actually understand security. (Most that tries to pass for security ... isn't (bluntly)) Tanx, so if I understand it right, I need to copy /var/www/cgi-bin into /var/www/htdocs.
Re: OpenBSD Newbie
misiu wrote: > > Hello all, > > I'm new to OpenBSD, I installed it a few times but than did not know > what to do realy. Right now I'm little more experienced with Linux and I > thought give it a nother try. > Now I'm runnin an Openbsd 3.9 Box. > Default setup. I try to run a Webmailbox and later Openvpn. > It did not work so I searched long for an answer. I started httpd -u and > now Openwebmail is running. I read allso that it is insecure, how can I > run httpd chrooted and Openwebmail? Did not find any (for me > understandable) answer. > Openwebmail is not good explained too. Has anyone installed it ? (I > guess for shure) would that one please contact me offlist? > I don't whant step by step help just to shed a little light in > > Hope that mail was written in a good manner, my nativ language is > german, so sorry for bad english. > > misiu Hopefully you get better answers from people who actually know something (there are such on this list), but this may help a bit. The reason for running apache chrooted is not to secure apache, but to keep any insecurity in apache from messing with the rest of your system. The problem with a changed root is that everything you will ever need to access needs to be inside this changed root. All the libriaries, etc etc --- that's right, another copy. One advantage of OpenBSD is that they actually understand security. (Most that tries to pass for security ... isn't (bluntly)) fyi: good is an adjective, tries to modify nouns. doesn't like verbals. well is an adverb, modifies the messes of verb forms and adjectives. (I've seen worse English from natives ;)
Re: OpenBSD Newbie
misiu wrote: Hello all, I'm new to OpenBSD, I installed it a few times but than did not know what to do realy. Right now I'm little more experienced with Linux and I thought give it a nother try. Now I'm runnin an Openbsd 3.9 Box. Default setup. I try to run a Webmailbox and later Openvpn. It did not work so I searched long for an answer. I started httpd -u and now Openwebmail is running. I read allso that it is insecure, how can I run httpd chrooted and Openwebmail? Did not find any (for me understandable) answer. Openwebmail is not good explained too. Has anyone installed it ? (I guess for shure) would that one please contact me offlist? I don't whant step by step help just to shed a little light in You read this right? http://openbsd.org/faq/faq10.html#httpdchroot May be the section on: Example of chroot(2)ing an app: wwwcount might give the idea you need to do. In short you need to have all files needed to be access by httpd inside the chroot setup to get it to work. Daniel
OpenBSD Newbie
Hello all, I'm new to OpenBSD, I installed it a few times but than did not know what to do realy. Right now I'm little more experienced with Linux and I thought give it a nother try. Now I'm runnin an Openbsd 3.9 Box. Default setup. I try to run a Webmailbox and later Openvpn. It did not work so I searched long for an answer. I started httpd -u and now Openwebmail is running. I read allso that it is insecure, how can I run httpd chrooted and Openwebmail? Did not find any (for me understandable) answer. Openwebmail is not good explained too. Has anyone installed it ? (I guess for shure) would that one please contact me offlist? I don't whant step by step help just to shed a little light in Hope that mail was written in a good manner, my nativ language is german, so sorry for bad english. misiu
Re: openbsd newbie question - lfs, ffs, and cf cards
On Wed, Jan 18, 2006 at 08:48:59AM -0500, Nick Bender wrote: > Kind of off topic, but has any work been done towards implementing > McKusick's snapshot and background fsck techniques in ffs? I just won't say that the number of people working on it is inversely proportional to the number of people wanting to see it done, because that wouldn't make sense for 1. -p.
Re: openbsd newbie question - lfs, ffs, and cf cards
Hello! On Wed, Jan 18, 2006 at 08:48:59AM -0500, Nick Bender wrote: >> > Wrt LFS .. is it production ready? >> no, it's a disaster. >Kind of off topic, but has any work been done towards implementing >McKusick's snapshot and background fsck techniques in ffs? Different project focuses it seems. FreeBSD has those, IIRC. And btw, NetBSD has or had a version of LFS which worked at least a bit (declared experimental, on your own risk, I tested it once, and it worked in the sense that I could extract archives on it and it didn't crash or obviously lose the data; much better than it is the case elsewhere, on OpenBSD it crashed on the first mount after creating the filesystem; i.e. if at all, the NetBSD code base would be a starting point for LFS). >-N Kind regards, Hannah.
Re: openbsd newbie question - lfs, ffs, and cf cards
> > Wrt LFS .. is it production ready? > > no, it's a disaster. > Kind of off topic, but has any work been done towards implementing McKusick's snapshot and background fsck techniques in ffs? -N
Re: openbsd newbie question - lfs, ffs, and cf cards
Hello! On Tue, Jan 17, 2006 at 06:43:15PM -0500, Andrew Atrens wrote: >> man mount >> look for noatime >Got it, thanks :) >Interesting I hadn't considered it before, huh, I wonder why it isn't the >default, >historical reasons I suppose. I guess, because you lose functionality over it. Yes, having the atime of files can be quite useful sometimes. Kind regards, Hannah.
Re: openbsd newbie question - lfs, ffs, and cf cards
On 1/17/06, Andrew Atrens <[EMAIL PROTECTED]> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > - -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 [a little paranoid, are we?] > Wrt LFS .. is it production ready? no, it's a disaster.
Re: openbsd newbie question - lfs, ffs, and cf cards
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alexander Hall wrote: > Andrew Atrens wrote: > >> ... >> And finally one last question that applies to both FFS and LFS - file >> access/creation/modification metadata updates. Specifically I'm thinking >> of atime's. Is there any way to switch off atime updates ? They don't >> add much value for me, and I'm worried they might unduly age my flash. :) > > > man mount > > look for noatime > Got it, thanks :) Interesting I hadn't considered it before, huh, I wonder why it isn't the default, historical reasons I suppose. Andrew Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDzYEP8It2CaCdeMwRAoONAJ9+1I/3s8v9oGM2unyqKVX23+yGXACgmxrS xWb7jF1hmm6ZiYhURH083fo= =v4r7 -END PGP SIGNATURE-
Re: openbsd newbie question - lfs, ffs, and cf cards
Andrew Atrens wrote: ... And finally one last question that applies to both FFS and LFS - file access/creation/modification metadata updates. Specifically I'm thinking of atime's. Is there any way to switch off atime updates ? They don't add much value for me, and I'm worried they might unduly age my flash. :) man mount look for noatime
openbsd newbie question - lfs, ffs, and cf cards
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi folks,
I'm working on a embedded project and have been cycling through some
tradeoffs wrt using cf cards as disks.
I know these devices support wear-leveling, but I'm not sure how this
could work well without knowledge about the filesystem wrt what is a
free block and what is an 'in-use' block. I suppose the algorithm could
keep track of how many times a block has been written to, and remap with
less used block - maybe using some kind of priority queue data structure
to keep that process relatively efficient.
At least I'm *hoping* that the cf device's wear levelling algo isn't
dependent on using a FAT filesystem or some other horrible hack :(
So that's my primary concern. Toshiba devices are typically good for
1 multi-cell write/erase cycles (see Kingston website). I'm thinking
if wear levelling works that means that doubling the device size
I use means effectively doubling the device's lifespan. Obviously I'd
like the device I'm working on to last forever, but 7 years is a good
engineering number to use I think. :)
Now, on to filesystems. :) I have a FreeBSD/DragonFly background ('bout
12 years) and am relatively new (<6 months) to OpenBSD.
Wrt LFS .. is it production ready? I know it's seriously bitrotted on
Free/DragonFly.
And finally one last question that applies to both FFS and LFS - file
access/creation/modification metadata updates. Specifically I'm thinking
of atime's. Is there any way to switch off atime updates ? They don't
add much value for me, and I'm worried they might unduly age my flash. :)
Long term I'm planning to run my root fs out of RAM and minimize flash
writes, but I'm a bit time-limited on this project and if I could get
away with treating a CF card as though it were a regular disk it would
simplify my life in more than one way. :)
Thanks for any help, advice, and even justified abuse (hehe if you think
I'm being an idiot and/or missing something obvious) you can provide would
be greatly appreciated.
Cheers,
Andrew.
- -BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDzV9n8It2CaCdeMwRAruQAJ0TksxIT8O3ThiKMuSgUdgD0gDTZgCeJhZi
eh1rCVmU1xR3h7YVuo8C+Ds=
=UO+m
- -END PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDzWxj8It2CaCdeMwRAoNcAJ98+QpDPOKVtIxY1lsBBhaKnoX2jACffzkL
cwEpIni+R+MCrAJKTj8cZXY=
=Xw2o
-END PGP SIGNATURE-
Re: MTU Problem / OpenBSD Newbie
On Thu, Jun 09, 2005 at 07:46:18AM +0200, [EMAIL PROTECTED] wrote: > > [EMAIL PROTECTED]:~# ifconfig gre0 mtu 1376 > ifconfig: SIOCSIFMTU: Invalid argument > [EMAIL PROTECTED]:~# ifconfig gre0 mtu 1400 > ifconfig: SIOCSIFMTU: Invalid argument > [EMAIL PROTECTED]:~# ifconfig gre0 mtu 1450 > ifconfig: SIOCSIFMTU: Invalid argument Use a recent snapshot. Support for adjusting mtu of gre devices was added by brad@ in the last month or so. -- [EMAIL PROTECTED]
MTU Problem / OpenBSD Newbie
Hello, it's my first time OpenBSD problem: I setup a network configuration with IPsec and a GRE tunnel. There is an IPsec connection between a local loopback interface (lo1) and a remote loopback interface (dummy0 on a Linux box). The gre interface uses these loopbacks as tunnel src/dest. Following output shows OpenBSD config: [EMAIL PROTECTED]:~# ifconfig -A lo0: flags=8049 mtu 33224 inet 127.0.0.1 netmask 0xff00 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 le1: flags=8863 mtu 1500 address: 00:60:b0:fb:a4:f8 inet6 fe80::260:b0ff:fefb:a4f8%le1 prefixlen 64 scopeid 0x1 inet 213.xx.xx.xx netmask 0xff80 broadcast 213.xx.xx.127 le2: flags=8863 mtu 1500 address: 00:60:b0:cd:3d:15 inet 193.xx.xx.xx netmask 0xff80 broadcast 193.xx.xx.127 inet6 fe80::260:b0ff:fecd:3d15%le2 prefixlen 64 scopeid 0x2 pflog0: flags=0<> mtu 33224 pfsync0: flags=0<> mtu 2020 enc0: flags=0<> mtu 1536 lo1: flags=8049 mtu 33224 inet 192.168.254.7 netmask 0x gre0: flags=9011 mtu 1450 physical address inet 192.168.254.7 --> 192.168.254.1 inet 192.168.253.18 --> 192.168.253.17 netmask 0xfffc [EMAIL PROTECTED]:~# uname -a OpenBSD openbsd.my.domain 3.7 GENERIC#50 i386 My problem is to change MTU of gre tunnel. I tried several values, but everytimes the same result :-( The tunnel works until less then 1376 bytes have to be transferred. A MTU of 1376 works between a Cisco router an that Linux box, so I would think, 1376 bytes should also work for OpenBSD / Linux connection. [EMAIL PROTECTED]:~# ifconfig gre0 mtu 1376 ifconfig: SIOCSIFMTU: Invalid argument [EMAIL PROTECTED]:~# ifconfig gre0 mtu 1400 ifconfig: SIOCSIFMTU: Invalid argument [EMAIL PROTECTED]:~# ifconfig gre0 mtu 1450 ifconfig: SIOCSIFMTU: Invalid argument Any ideas ? Neither FAQ nor mailing list archives / Google showed a solution. best regards Christian Felsing - Powered by http://www.taunusstein.net
