Re: openBSD newbie: how to display INSTALL. during install
On 2/10/09, Jesus Sanchez wrote:
> Josh Grosse wrote:
> O.o... another computer with a screen nearby??

Yep! Right in front of me ;-)

> Believe me, printing out some pages would affect the subsistence of
> trees; the paper factories use controlled environments with fast-grown
> tree species so as not to cut forests (at least here in Spain).

OK, I guess I will select the more difficult parts and make a printout. I have some docs with a blank back anyhow - recycling!

Thanks for the replies.

--
Best regards
Neoklis
Ham Radio call 5B4AZ
Website: http://5b4az.chronos.org.uk/
Re: openBSD newbie: how to display INSTALL. during install
Josh Grosse wrote:
> On Tue, 10 Feb 2009 16:52:08 +0200, Neoklis Kyriazis wrote
> > Is there a way to have the installation notes handy apart from a
> > "dead tree" printout?
>
> One can have the notes present in machine-readable form. Handy? No.
>
> The ramdisk kernel operates in single-user mode, so there is no alternate console available. But, one can escape to a subshell. From there, one could mount a foreign file system containing the document, and view it with less(1) or more(1).
>
> One could also acquire it via ftp(1) over the network, but there is likely insufficient free space to save it in the RAM filesystem. One could obviously create a spare FFS filesystem to store the file, but then, if one could do that, one would be familiar enough with OpenBSD to not need the installation documentation anyway.

O.o... another computer with a screen nearby??

Believe me, printing out some pages would affect the subsistence of trees; the paper factories use controlled environments with fast-grown tree species so as not to cut forests (at least here in Spain).
Re: openBSD newbie: how to display INSTALL. during install
On Tue, 10 Feb 2009 16:52:08 +0200, Neoklis Kyriazis wrote
> Is there a way to have the installation notes handy apart from a
> "dead tree" printout?

One can have the notes present in machine-readable form. Handy? No.

The ramdisk kernel operates in single-user mode, so there is no alternate console available. But, one can escape to a subshell. From there, one could mount a foreign file system containing the document, and view it with less(1) or more(1).

One could also acquire it via ftp(1) over the network, but there is likely insufficient free space to save it in the RAM filesystem. One could obviously create a spare FFS filesystem to store the file, but then, if one could do that, one would be familiar enough with OpenBSD to not need the installation documentation anyway.
Re: OpenBSD Newbie
misiu wrote:
> Hello all,
> I'm new to OpenBSD, I installed it a few times but then did not know what to do really. Right now I'm a little more experienced with Linux and I thought I'd give it another try.
> Now I'm running an OpenBSD 3.9 box.
> Default setup. I try to run a webmail box and later OpenVPN.
> It did not work so I searched long for an answer. I started httpd -u and now Openwebmail is running. I also read that it is insecure; how can I run httpd chrooted and Openwebmail? Did not find any (for me understandable) answer.

You are getting some good advice on chrooting in GENERAL, but kinda missing your specific case by a wide margin.

What does chroot do? Confine an untrusted app within a section of your file system, preferably one in which they have no write access, so if the app has a security problem, the damage is minimized. Doesn't make the app more secure by itself.

BUT... you need write access. So you grant it. You need libraries, you copy them over. You need programs, you copy them over. You need root access, you grant it. By this point, you have lost just about all the advantage of chroot, and spent a lot of time doing it.

Look at OpenWebmail. Neat program for a basic webmail app (and considerably better than some commercial webmail programs). Amazingly self-contained, doesn't need an IMAP server. Just off the top of my head, having installed it in a trial environment a few years ago, it needs AT LEAST the following:
  access to sendmail binaries
  access to /var/mail
  access to /home
  root (that's how it reads the mbox files in /var/mail and /home)
  perl

The thing needs root. Gotta have root. No root, no work. If you got root, you can probably escape from a chroot.

Much better than worrying about chroot'ing OpenWebmail, just put it on a "disposable" box, with no other secure apps, and make sure you use passwords/keys on it that don't show up elsewhere on machines you maintain. Box gets owned? Shut it down, figure out what went wrong, rebuild and repair.

Some places, chrooting is great. However, simply tossing enough stuff in the chroot to make your app run does NOT automatically mean the app (or your box!) is any more secure when done than it was before. By the time you copy everything over to the chroot, you have not really gained much advantage /in this case/.

> Openwebmail is not good explained too. Has anyone installed it? (I guess for sure) would that one please contact me offlist? I don't want step by step help, just to shed a little light in

Been a while...but a few hints:
var needs to be able to exec code and no "nosuid", which IS there on default OpenBSD installs.
Put your home directories physically in /var if you expect quotas to work as expected; you can symlink them back to /home if that freaks you out excessively.
That's about all I remember.
Oh, and don't have 25 kids change their PWs all at the same time unless you have around 600M of RAM+Swap available. Ouch...

Nick.
Re: OpenBSD Newbie
On Fri, May 26, 2006 at 03:02:04PM -0700, Chris Cappuccio wrote:
> Joachim Schipper [EMAIL PROTECTED] wrote:
> > On Fri, May 26, 2006 at 11:21:54PM +0200, misiu wrote:
> > > Tony Abernethy wrote:
> > > > The problem with a changed root is that everything you will ever
> > > > need to access needs to be inside this changed root.
> > > > All the libraries, etc etc --- that's right, another copy.
> > > >
> > > > One advantage of OpenBSD is that they actually understand security.
> > > > (Most that tries to pass for security ... isn't (bluntly))
> > > Thanks,
> > >
> > > so if I understand it right, I need to copy /var/www/cgi-bin into
> > > /var/www/htdocs.
> >
> > Erm, no.
> >
> > Say I write a Perl CGI script. I'd then need to copy /usr/bin/perl into
> > the chroot (i.e., to /var/www/usr/bin/perl). Of course, perl would fail
> > to start, as the perl executable is dynamically linked and thus
> > dependent on quite a few things.
>
> Or you could run mod_perl

Yes, but that would neither be as instructive nor a proper solution, as you'd still require some perl include files, and most likely some external programs as well.

Of course, mod_perl is a good idea for the fact that it's much faster than regular CGI. Though there are other solutions to that, from caching proxies to FastCGI.

Joachim
Re: OpenBSD Newbie
Or you could run mod_perl

Joachim Schipper [EMAIL PROTECTED] wrote:
> On Fri, May 26, 2006 at 11:21:54PM +0200, misiu wrote:
> > Tony Abernethy wrote:
> > > The problem with a changed root is that everything you will ever
> > > need to access needs to be inside this changed root.
> > > All the libraries, etc etc --- that's right, another copy.
> > >
> > > One advantage of OpenBSD is that they actually understand security.
> > > (Most that tries to pass for security ... isn't (bluntly))
> > Thanks,
> >
> > so if I understand it right, I need to copy /var/www/cgi-bin into
> > /var/www/htdocs.
>
> Erm, no.
>
> Say I write a Perl CGI script. I'd then need to copy /usr/bin/perl into
> the chroot (i.e., to /var/www/usr/bin/perl). Of course, perl would fail
> to start, as the perl executable is dynamically linked and thus
> dependent on quite a few things.
>
> $ ldd /usr/bin/perl
> /usr/bin/perl:
>         Start    End      Type Open Ref GrpRef Name
>                           exe  1    0   0      /usr/bin/perl
>         02f9c000 22fbd000 rlib 0    1   0      /usr/lib/libperl.so.10.1
>         0d2f4000 2d2fb000 rlib 0    1   0      /usr/lib/libm.so.2.2
>         0acae000 2acb2000 rlib 0    1   0      /usr/lib/libutil.so.11.0
>         0331     23341000 rlib 0    1   0      /usr/lib/libc.so.39.0
>         0e40f000 0e40f000 rtld 0    1   0      /usr/libexec/ld.so
>
> This means I'd need to copy the mentioned libraries into /var/www, i.e.
> /var/www/usr/lib/libc.so.39.0 and so on.
>
> Of course, this would run Perl but probably not the script. You most
> likely used some modules, and so on. This'd entail copying (parts of)
> /usr/libdata/perl5 and/or /usr/local/libdata/perl5 into /var/www.
>
> Joachim

--
There is no certainty, there is only opportunity
Re: OpenBSD Newbie
On Fri, May 26, 2006 at 11:21:54PM +0200, misiu wrote:
> Tony Abernethy wrote:
> > The problem with a changed root is that everything you will ever
> > need to access needs to be inside this changed root.
> > All the libraries, etc etc --- that's right, another copy.
> >
> > One advantage of OpenBSD is that they actually understand security.
> > (Most that tries to pass for security ... isn't (bluntly))
> Thanks,
>
> so if I understand it right, I need to copy /var/www/cgi-bin into
> /var/www/htdocs.

Erm, no.

Say I write a Perl CGI script. I'd then need to copy /usr/bin/perl into the chroot (i.e., to /var/www/usr/bin/perl). Of course, perl would fail to start, as the perl executable is dynamically linked and thus dependent on quite a few things.

$ ldd /usr/bin/perl
/usr/bin/perl:
        Start    End      Type Open Ref GrpRef Name
                          exe  1    0   0      /usr/bin/perl
        02f9c000 22fbd000 rlib 0    1   0      /usr/lib/libperl.so.10.1
        0d2f4000 2d2fb000 rlib 0    1   0      /usr/lib/libm.so.2.2
        0acae000 2acb2000 rlib 0    1   0      /usr/lib/libutil.so.11.0
        0331     23341000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0e40f000 0e40f000 rtld 0    1   0      /usr/libexec/ld.so

This means I'd need to copy the mentioned libraries into /var/www, i.e. /var/www/usr/lib/libc.so.39.0 and so on.

Of course, this would run Perl but probably not the script. You most likely used some modules, and so on. This'd entail copying (parts of) /usr/libdata/perl5 and/or /usr/local/libdata/perl5 into /var/www.

Joachim
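The ldd-then-copy procedure Joachim describes, as an added shell example that is not code from the thread or from OpenBSD. It parses ldd(1) output in the OpenBSD column layout quoted above (Start End Type Open Ref GrpRef Name), copies every "rlib" and "rtld" entry plus the binary itself to the same path under the chroot, and reports what is still missing. The sample ldd listing is constructed from the one in the message, the chroot location /var/www is the one the thread uses, and SRCROOT is an assumed testing knob (empty on a real system, so sources resolve from /):

```shell
#!/bin/sh
# Added example: populate an httpd chroot with the shared objects a
# dynamically linked CGI interpreter needs, driven by ldd(1) output.
# SRCROOT is an assumed knob so the functions can be exercised against a
# fake tree; leave it unset on a real system.

# Constructed sample of `ldd /usr/bin/perl` in the OpenBSD layout quoted in
# the thread. Only the Type and Name columns are used; addresses are filler.
SAMPLE_LDD='/usr/bin/perl:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/bin/perl
        02f9c000 22fbd000 rlib 0    1   0      /usr/lib/libperl.so.10.1
        0d2f4000 2d2fb000 rlib 0    1   0      /usr/lib/libm.so.2.2
        0acae000 2acb2000 rlib 0    1   0      /usr/lib/libutil.so.11.0
        03310000 23341000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0e40f000 0e40f000 rtld 0    1   0      /usr/libexec/ld.so'

# chroot_deps: read ldd output on stdin, print one dependency path per line.
# Only rlib (shared library) and rtld (ld.so) rows qualify; the header line
# and the exe row are skipped because their Type column is not rlib/rtld.
chroot_deps() {
    awk '$3 == "rlib" || $3 == "rtld" { print $NF }'
}

# chroot_install ROOT BINARY   (ldd output for BINARY on stdin)
# Real use on OpenBSD:  ldd /usr/bin/perl | chroot_install /var/www /usr/bin/perl
chroot_install() {
    root="$1"; bin="$2"
    { printf '%s\n' "$bin"; chroot_deps; } | while IFS= read -r path; do
        [ -n "$path" ] || continue
        src="${SRCROOT:-}$path"
        dest="$root$path"
        mkdir -p "$(dirname "$dest")"
        cp -p "$src" "$dest"
        # Nothing the chrooted daemon executes should be writable by it; a
        # chroot in which www can overwrite its own libc buys nothing.
        chmod go-w "$dest"
    done
}

# chroot_check ROOT   (ldd output on stdin)
# Print each dependency not yet present under ROOT, so a missed copy shows up
# before perl silently fails to start inside the chroot.
chroot_check() {
    root="$1"
    chroot_deps | while IFS= read -r path; do
        [ -e "$root$path" ] || printf 'missing: %s\n' "$path"
    done
}
```

ldd only shows what the executable is linked against. As the message says, the script's Perl modules under /usr/libdata/perl5 and any external programs it execs still have to be copied by hand, and chroot_check will not notice their absence.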
Re: OpenBSD Newbie
misiu wrote:
> Tony Abernethy wrote:
> > The problem with a changed root is that everything you will ever
> > need to access needs to be inside this changed root.
> > All the libraries, etc etc --- that's right, another copy.
> >
> > One advantage of OpenBSD is that they actually understand security.
> > (Most that tries to pass for security ... isn't (bluntly))
> Thanks,
>
> so if I understand it right, I need to copy /var/www/cgi-bin into
> /var/www/htdocs.

No, you need to copy the system libs for your CGI to /var/www/usr/lib/, /var/www/usr/include, ...

I found this link very helpful (just read it to get a grip on how the apache chroot works):
http://www.openbsdsupport.org/ApacheSuexecChroot.html

greets,
chris
Re: OpenBSD Newbie
Tony Abernethy wrote:
> The problem with a changed root is that everything you will ever
> need to access needs to be inside this changed root.
> All the libraries, etc etc --- that's right, another copy.
>
> One advantage of OpenBSD is that they actually understand security.
> (Most that tries to pass for security ... isn't (bluntly))

Thanks,

so if I understand it right, I need to copy /var/www/cgi-bin into /var/www/htdocs.
Re: OpenBSD Newbie
misiu wrote:
>
> Hello all,
>
> I'm new to OpenBSD, I installed it a few times but then did not know
> what to do really. Right now I'm a little more experienced with Linux and I
> thought I'd give it another try.
> Now I'm running an OpenBSD 3.9 box.
> Default setup. I try to run a webmail box and later OpenVPN.
> It did not work so I searched long for an answer. I started httpd -u and
> now Openwebmail is running. I also read that it is insecure; how can I
> run httpd chrooted and Openwebmail? Did not find any (for me
> understandable) answer.
> Openwebmail is not good explained too. Has anyone installed it? (I
> guess for sure) would that one please contact me offlist?
> I don't want step by step help, just to shed a little light in
>
> Hope that mail was written in a good manner, my native language is
> German, so sorry for bad English.
>
> misiu

Hopefully you get better answers from people who actually know something (there are such on this list), but this may help a bit.

The reason for running apache chrooted is not to secure apache, but to keep any insecurity in apache from messing with the rest of your system.

The problem with a changed root is that everything you will ever need to access needs to be inside this changed root. All the libraries, etc etc --- that's right, another copy.

One advantage of OpenBSD is that they actually understand security. (Most that tries to pass for security ... isn't (bluntly))

fyi: good is an adjective, tries to modify nouns. Doesn't like verbals. Well is an adverb, modifies the messes of verb forms and adjectives. (I've seen worse English from natives ;)
Re: OpenBSD Newbie
misiu wrote:
> Hello all,
> I'm new to OpenBSD, I installed it a few times but then did not know what to do really. Right now I'm a little more experienced with Linux and I thought I'd give it another try.
> Now I'm running an OpenBSD 3.9 box.
> Default setup. I try to run a webmail box and later OpenVPN.
> It did not work so I searched long for an answer. I started httpd -u and now Openwebmail is running. I also read that it is insecure; how can I run httpd chrooted and Openwebmail? Did not find any (for me understandable) answer.
> Openwebmail is not good explained too. Has anyone installed it? (I guess for sure) would that one please contact me offlist? I don't want step by step help, just to shed a little light in

You read this, right?
http://openbsd.org/faq/faq10.html#httpdchroot

Maybe the section "Example of chroot(2)ing an app: wwwcount" will give you the idea of what you need to do. In short, you need to have all files that httpd needs to access inside the chroot setup to get it to work.

Daniel
Re: openbsd newbie question - lfs, ffs, and cf cards
On Wed, Jan 18, 2006 at 08:48:59AM -0500, Nick Bender wrote:
> Kind of off topic, but has any work been done towards implementing
> McKusick's snapshot and background fsck techniques in ffs?

I just won't say that the number of people working on it is inversely proportional to the number of people wanting to see it done, because that wouldn't make sense for 1.

-p.
Re: openbsd newbie question - lfs, ffs, and cf cards
Hello!

On Wed, Jan 18, 2006 at 08:48:59AM -0500, Nick Bender wrote:
> > > Wrt LFS .. is it production ready?
> > no, it's a disaster.
> Kind of off topic, but has any work been done towards implementing
> McKusick's snapshot and background fsck techniques in ffs?

Different project focuses, it seems. FreeBSD has those, IIRC.

And btw, NetBSD has or had a version of LFS which worked at least a bit (declared experimental, at your own risk; I tested it once, and it worked in the sense that I could extract archives on it and it didn't crash or obviously lose the data; much better than is the case elsewhere: on OpenBSD it crashed on the first mount after creating the filesystem; i.e. if at all, the NetBSD code base would be a starting point for LFS).

> -N

Kind regards,
Hannah.
Re: openbsd newbie question - lfs, ffs, and cf cards
> > Wrt LFS .. is it production ready?
> no, it's a disaster.

Kind of off topic, but has any work been done towards implementing McKusick's snapshot and background fsck techniques in ffs?

-N
Re: openbsd newbie question - lfs, ffs, and cf cards
Hello!

On Tue, Jan 17, 2006 at 06:43:15PM -0500, Andrew Atrens wrote:
> > man mount
> > look for noatime
> Got it, thanks :)
> Interesting, I hadn't considered it before, huh, I wonder why it isn't the
> default; historical reasons I suppose.

I guess because you lose functionality over it. Yes, having the atime of files can be quite useful sometimes.

Kind regards,
Hannah.
Re: openbsd newbie question - lfs, ffs, and cf cards
On 1/17/06, Andrew Atrens <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> - -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1

[a little paranoid, are we?]

> Wrt LFS .. is it production ready?

no, it's a disaster.
Re: openbsd newbie question - lfs, ffs, and cf cards
Alexander Hall wrote:
> Andrew Atrens wrote:
>
> > ...
> > And finally one last question that applies to both FFS and LFS - file
> > access/creation/modification metadata updates. Specifically I'm thinking
> > of atimes. Is there any way to switch off atime updates? They don't
> > add much value for me, and I'm worried they might unduly age my flash. :)
>
> man mount
>
> look for noatime

Got it, thanks :)

Interesting, I hadn't considered it before, huh, I wonder why it isn't the default; historical reasons I suppose.

Andrew
Re: openbsd newbie question - lfs, ffs, and cf cards
Andrew Atrens wrote:
> ...
> And finally one last question that applies to both FFS and LFS - file
> access/creation/modification metadata updates. Specifically I'm thinking
> of atimes. Is there any way to switch off atime updates? They don't
> add much value for me, and I'm worried they might unduly age my flash. :)

man mount

look for noatime