A few /etc/ksh.kshrc tweaks
1) telnetd removed, so it won't be a parent process 2) Restricted shells can redirect window decor to > /dev/tty 3) In wcd(), only do _ignore() if cd (e.g: can't cd /root) Index: ksh.kshrc === RCS file: /cvs/src/etc/ksh.kshrc,v retrieving revision 1.19 diff -u -p -r1.19 ksh.kshrc --- ksh.kshrc 11 Jul 2014 21:12:39 - 1.19 +++ ksh.kshrc 25 Oct 2014 16:32:36 - @@ -82,14 +82,19 @@ case "$-" in xterm*) ILS='\033]1;'; ILE='\007' WLS='\033]2;'; WLE='\007' - parent="`ps -ax 2>/dev/null | grep $PPID | grep -v grep`" - case "$parent" in - *telnet*) - export TERM=xterms;; - esac - ;; *) ;; esac + + #[[ -o restricted ]] & $-r not set until after + # processing of shell init files. The best we can do: + # TODO: find a better way to test for restrictions on /bin/{k}sh + [[ ${SHELL} == '/bin/rksh' ]] && + { + # Restricted shells can't cd, nor redirect output + print -n "${WLS}$USER@$HOST ($tty) ~${WLE}" > /dev/tty + unset ILS ILE WLS WLE + } + # do we want window decorations? if [ "$ILS" ]; then function ilabel { print -n "${ILS}$*${ILE}">/dev/tty; } @@ -103,7 +108,7 @@ case "$-" in function wftp { ilabel "ftp $*"; "ftp" "$@"; _ignore eval istripe; } - function wcd { \cd "$@"; _ignore eval stripe; } + function wcd { \cd "$@" && _ignore eval stripe; } function wssh{ \ssh "$@";_ignore eval 'istripe; stripe'; } function wtelnet { \telnet "$@"; _ignore eval 'istripe; stripe'; }
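Review bot: The comment `# Restricted shells can't cd, nor redirect output` sits directly above `print -n "..." > /dev/tty`, which is an output redirection, so the block reads as contradicting itself until one connects it to the remark further up that `$-r` is not set until the init files have been processed. Suggest replacing it with `# restrictions are not yet enforced while this file is read, so this redirect still works; it would fail from an interactive rksh`. The `[[ ${SHELL} == '/bin/rksh' ]]` test only recognises a restricted login shell installed under that exact path, which the existing TODO already acknowledges; `$tty` is not defined anywhere in the hunk and is presumably set earlier in ksh.kshrc — worth confirming. The second hunk's `\cd "$@" && _ignore eval stripe` looks right.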
Re: rcctl: find(1) service files in /etc/rc.d
On 2014-10-14 Tue 00:24 AM |, Antoine Jacoutot wrote: > > Makes sense yes. Not sure I'd want a function just for that one liner though. > I'll commit something tomorrow. > Nice one, using shell internals. This restricts the listing to files which are also executable: Index: rcctl.sh === RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v retrieving revision 1.45 diff -u -p -r1.45 rcctl.sh --- rcctl.sh15 Oct 2014 07:38:24 - 1.45 +++ rcctl.sh15 Oct 2014 09:01:35 - @@ -39,10 +39,12 @@ needs_root() ls_rcscripts() { local _s - cd /etc/rc.d && set -- * + cd /etc/rc.d || exit + set -- * for _s; do [ "${_s}" = "rc.subr" ] && continue - [ ! -d "${_s}" ] && echo "${_s}" + [[ -d "${_s}" ]] && continue + [[ -f "${_s}" && -x "${_s}" ]] && echo "${_s}" done }
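Review bot: The added `[[ -d "${_s}" ]] && continue` is redundant, because the following `[[ -f "${_s}" && -x "${_s}" ]]` is only true for a regular file and so already excludes directories; the loop body can be reduced to `[ "${_s}" = "rc.subr" ] && continue` followed by `[[ -f "${_s}" && -x "${_s}" ]] && echo "${_s}"`. `cd /etc/rc.d || exit` also changes the working directory of whichever shell runs ls_rcscripts, and if the function is invoked inside `$(...)` the `exit` only ends that subshell, so a caller sees an empty list rather than a failure — presumably acceptable, but a one-line comment stating that the function is meant to run in a subshell would make it explicit. The whole function is within the hunk.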
rcctl: find(1) service files in /etc/rc.d
Move 2 duplicate searches into a function. The diff also ignores (RCS) subdirectories. $ find /etc/rc.d ! -type f /etc/rc.d /etc/rc.d/RCS Index: rcctl.sh === RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v retrieving revision 1.43 diff -u -p -r1.43 rcctl.sh --- rcctl.sh11 Oct 2014 19:12:19 - 1.43 +++ rcctl.sh13 Oct 2014 20:10:34 - @@ -93,7 +93,7 @@ svc_get_defaults() print -r -- "$(svc_default_enabled_flags ${_svc})" svc_default_enabled ${_svc} else - for _i in $(ls -A /etc/rc.d | grep -v rc.subr); do + get_svc_list | while read _i; do echo "${_i}_flags=$(svc_default_enabled_flags ${_i})" done for _i in ${_special_services}; do @@ -134,7 +134,7 @@ svc_get_status() svc_get_flags ${_svc} svc_is_enabled ${_svc} else - for _i in $(ls -A /etc/rc.d | grep -v rc.subr); do + get_svc_list | while read _i; do echo "${_i}_flags=$(svc_get_flags ${_i})" done for _i in ${_special_services}; do @@ -175,6 +175,12 @@ svc_is_special() [ -n "${_svc}" ] || return echo ${_special_services} | grep -qw ${_svc} +} + +get_svc_list() +{ + # Ignore rc.subr & (RCS) subdirectories: + find /etc/rc.d -type f -maxdepth 1 ! -name rc.subr } append_to_pkg_scripts()
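Review bot: `find /etc/rc.d -type f -maxdepth 1 ! -name rc.subr` prints full paths such as `/etc/rc.d/foo`, whereas the `ls -A` it replaces printed bare names; the two callers changed in the earlier hunks of this diff (svc_get_defaults and svc_get_status) use `${_i}` as a service name, so they would now emit `/etc/rc.d/foo_flags=...` and hand a path to svc_default_enabled_flags/svc_get_flags. Strip the directory inside get_svc_list, e.g. `find /etc/rc.d -type f -maxdepth 1 ! -name rc.subr | sed 's,^.*/,,'`, so the callers keep working unchanged. The consuming loops also use `while read _i` without `-r`; harmless for these names, but `read -r` is the safe default. On GNU find `-maxdepth` is a global option that must precede `-type`, so if portability matters put it first; OpenBSD's find accepts the order as written, as far as I know.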
rcctl: un-hardcode /etc/rc.conf{.local}
Some notes to demo the diff below: # -=-=-=-=-=-=-= Assignment: me$ _STATIC_RCCONF='/etc/rc.conf' me$ _RCCONF="${_STATIC_RCCONF}.local" # -=-=-=-=-=-=-= Test 1: me$ print ${_STATIC_RCCONF} ${_RCCONF} /etc/rc.conf /etc/rc.conf.local me$ print ${_RCCONF%/*} ${_RCCONF##*/} /etc rc.conf.local # -=-=-=-=-=-=-= Test 2: me$ _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || print $? mktemp: cannot make temp file /etc/rc.conf.local.luzxGjy18I: Permission denied 1 # -=-=-=-=-=-=-= Reassignment: me$ _STATIC_RCCONF='/tmp/rc.conf' me$ _RCCONF="${_STATIC_RCCONF}.local" # -=-=-=-=-=-=-= Test 3: me$ _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || print $? me$ ls ${_TMP_RCCONF} /tmp/rc.conf.local.ZLyVBCNMtk Index: rcctl.sh === RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v retrieving revision 1.41 diff -u -p -r1.41 rcctl.sh --- rcctl.sh10 Oct 2014 15:59:36 - 1.41 +++ rcctl.sh11 Oct 2014 12:41:22 - @@ -18,7 +18,9 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. _special_services="accounting check_quotas ipsec multicast_host multicast_router pf spamd_black" -readonly _special_services +_STATIC_RCCONF='/etc/rc.conf' +_RCCONF="${_STATIC_RCCONF}.local" +readonly _special_services _STATIC_RCCONF _RCCONF # get local functions from rc.subr(8) FUNCS_ONLY=1 
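Review bot: `_STATIC_RCCONF` must be an absolute path (and `_RCCONF` must therefore contain a `/`), because the rcconf_edit_begin hunk later in this diff derives the temp directory with `${_RCCONF%/*}` and the template with `${_RCCONF##*/}`; for a slash-less value the first expansion returns the whole string and `mktemp -p` is pointed at a file or a non-existent directory. That constraint is worth stating where the constants are defined: `# must be an absolute path: rcconf_edit_begin derives the temp dir from ${_RCCONF%/*}`. The demo in the description shows the unprivileged failure mode, and `|| exit` now propagates mktemp's own status instead of a fixed 1, which is consistent with the rest of the script.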
@@ -38,21 +40,21 @@ needs_root() rcconf_edit_begin() { - _TMP_RCCONF=$(mktemp -p /etc -t rc.conf.local.XX) || exit 1 - if [ -f /etc/rc.conf.local ]; then + _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || exit + if [ -f ${_RCCONF} ]; then # only to keep permissions (file content is not needed) - cp -p /etc/rc.conf.local ${_TMP_RCCONF} || exit 1 + cp -p ${_RCCONF} ${_TMP_RCCONF} || exit 1 else - touch /etc/rc.conf.local || exit 1 + touch ${_RCCONF} || exit 1 fi } rcconf_edit_end() { sort -u -o ${_TMP_RCCONF} ${_TMP_RCCONF} || exit 1 - mv ${_TMP_RCCONF} /etc/rc.conf.local || exit 1 - if [ ! -s /etc/rc.conf.local ]; then - rm /etc/rc.conf.local || exit 1 + mv ${_TMP_RCCONF} ${_RCCONF} || exit 1 + if [ ! -s ${_RCCONF} ]; then + rm ${_RCCONF} || exit 1 fi } @@ -62,7 +64,7 @@ svc_default_enabled() [ -n "${_svc}" ] || return local _ret=1 - _rc_parse_conf /etc/rc.conf + _rc_parse_conf ${_STATIC_RCCONF} svc_is_enabled ${_svc} && _ret=0 _rc_parse_conf @@ -166,7 +168,7 @@ append_to_pkg_scripts() if [ -z "${pkg_scripts}" ]; then echo pkg_scripts="${_svc}" >>${_TMP_RCCONF} elif ! echo ${pkg_scripts} | grep -qw ${_svc}; then - grep -v "^pkg_scripts.*=" /etc/rc.conf.local >${_TMP_RCCONF} + grep -v "^pkg_scripts.*=" ${_RCCONF} >${_TMP_RCCONF} echo pkg_scripts="${pkg_scripts} ${_svc}" >>${_TMP_RCCONF} fi rcconf_edit_end @@ -182,7 +184,7 @@ rm_from_pkg_scripts() rcconf_edit_begin sed "/^pkg_scripts[[:>:]]/{s/[[:<:]]${_svc}[[:>:]]//g s/['\"]//g;s/ *= */=/;s/ */ /g;s/ $//;/=$/d;}" \ - /etc/rc.conf.local >${_TMP_RCCONF} + ${_RCCONF} >${_TMP_RCCONF} rcconf_edit_end } @@ -193,7 +195,7 @@ add_flags() if svc_is_special ${_svc}; then rcconf_edit_begin - grep -v "^${_svc}.*=" /etc/rc.conf.local >${_TMP_RCCONF} + grep -v "^${_svc}.*=" ${_RCCONF} >${_TMP_RCCONF} if ! svc_default_enabled ${_svc}; then echo "${_svc}=YES" >>${_TMP_RCCONF} fi 
@@ -219,7 +221,7 @@ add_flags() fi rcconf_edit_begin - grep -v "^${_svc}_flags.*=" /etc/rc.conf.local >${_TMP_RCCONF} + grep -v "^${_svc}_flags.*=" ${_RCCONF} >${_TMP_RCCONF} if [ -n "${_flags}" ] || \ ( svc_is_base ${_svc} && ! svc_default_enabled ${_svc} ); then echo ${_svc}_flags=${_flags} >>${_TMP_RCCONF} @@ -234,12 +236,12 @@ rm_flags() rcconf_edit_begin if svc_is_special ${_svc}; then - grep -v "^${_svc}.*=" /etc/rc.conf.local >${_TMP_RCCONF} + grep -v "^${_svc}.*=" ${_RCCONF} >${_TMP_RCCONF} if svc_default_enabled ${_svc}; then echo "${_svc}=NO" >>${_TMP_RCCONF} fi else - grep -v "^${_svc}_flags.*=" /etc/rc.conf.local >${_TMP_RCCONF} + grep -v "^${_svc}_flags.*=" ${_RCCONF} >${_TMP_RCCONF} if svc_default_enabled ${_svc}; then echo "${_svc}_flags=NO" >>${_TMP_RCCONF} fi
Re: DNS control port additions to /etc/services
On 2014-07-15 Tue 16:04 PM |, Theo de Raadt wrote: > >On Tue, Jul 15, 2014 at 12:22:37PM +0100, Craig R. Skinner wrote: > >> > >> Suggestion of add NSD, Unbound & BIND control ports to /etc/services: > > > >Makes sense to me. Anyone want to OK this? > > > >> Index: etc/services > >> === > >> RCS file: /cvs/src/etc/services,v > >> retrieving revision 1.87 > >> diff -u -p -r1.87 services > >> --- etc/services 12 Jul 2014 14:51:07 - 1.87 > >> +++ etc/services 15 Jul 2014 11:17:31 - 
> >> @@ -181,6 +181,8 @@ kerberos-adm 749/tcp # > >> Kerberos 5 kad > >> kerberos-adm 749/udp # Kerberos 5 kadmin > >> rsync 873/tcp # rsync server > >> cddb 888/tcp cddbp # Audio CD Database > >> +named-rndc953/tcp # Domain Name System > >> (DNS) BIND RNDC Service > >> +named-rndc953/udp # Domain Name System > >> (DNS) BIND RNDC Service > >> imaps 993/tcp # imap4 protocol over > >> TLS/SSL > >> imaps 993/udp # imap4 protocol over > >> TLS/SSL > >> pop3s 995/tcp spop3 # pop3 protocol over > >> TLS/SSL > > That means two more reserved ports are taken out of the bucket. > Strip out the Kerberos stuff?: $ fgrep -i Kerberos etc/services kerberos88/udp kerberos-sec# Kerberos 5 UDP kerberos88/tcp kerberos-sec# Kerberos 5 TCP kpasswd 464/tcp # Kerberos 5 password changing kpasswd 464/udp # Kerberos 5 password changing klogin 543/tcp # Kerberos authenticated rlogin kshell 544/tcp krcmd # Kerberos remote shell ekshell 545/tcp # Kerberos encrypted shell kerberos-adm749/tcp # Kerberos 5 kadmin kerberos-adm749/udp # Kerberos 5 kadmin kpop1109/tcp# Pop with Kerberos eklogin 2105/tcp# Kerberos encrypted rlogin rkinit 2108/tcp# Kerberos remote kinit kx 2111/tcp# X over kerberos kip 2112/tcp# IP over kerberos iprop 2121/tcp# Kerberos incremental propagation krb524 /tcp# Kerberos 5->4 krb524 /udp# Kerberos 5->4 afs3-kaserver 7004/tcp# AFS kerberos authentication server afs3-kaserver 7004/udp# AFS kerberos authentication server kerberos-iv 750/udp kdc # Kerberos authentication--udp kerberos-iv 750/tcp kdc # Kerberos authentication--tcp kerberos_master 751/udp # Kerberos 4 kadmin kerberos_master 751/tcp # Kerberos 4 kadmin krb_prop754/tcp hprop # Kerberos slave propagation krbupdate 760/tcp kreg# BSD Kerberos registration
Re: /etc/services records for squid & cvsyncd
On 2014-07-15 Tue 22:11 PM |, Antoine Jacoutot wrote: > > I run both squid and cvsyncd and never needed these entries. > Doubtful anyone _needs_ the Microsoft-SQL-* entries. > > > > > > > Index: etc/services > > === > > RCS file: /cvs/src/etc/services,v > > retrieving revision 1.87 > > diff -u -p -u -r1.87 services > > --- etc/services12 Jul 2014 14:51:07 - 1.87 > > +++ etc/services15 Jul 2014 19:28:37 - > > @@ -294,9 +294,11 @@ support1529/tcp > > # GNATS, cygnus bug > > datametrics1645/udp > > ekshell2 2106/tcp# Encrypted kshell - UColorado, > > Boulder > > webster2627/tcp# Network dictionary > > +squid 3128/tcp# Squid caching web > > proxy > > canna 5680/tcp# Kana->Kanji server > > sane-port 6566/tcp# SANE Control Port > > icb7326/tcp# Internet Citizen's > > Band > > +cvsyncd/tcp# CVS sync daemon > > spamd 8025/tcp# spamd(8) > > spamd-sync 8025/udp# spamd(8) synchronisation > > spamd-cfg 8026/tcp# spamd(8) configuration > > > > -- > Antoine > -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
/etc/services records for squid & cvsyncd
The IANA names don't match these popular OpenBSD package's port numbers: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=3128 = ndl-aas, not web cache/squid http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search= = cbt, not cvsync Index: etc/services === RCS file: /cvs/src/etc/services,v retrieving revision 1.87 diff -u -p -u -r1.87 services --- etc/services12 Jul 2014 14:51:07 - 1.87 +++ etc/services15 Jul 2014 19:28:37 - @@ -294,9 +294,11 @@ support1529/tcp# GNATS, cygnus bug datametrics1645/udp ekshell2 2106/tcp# Encrypted kshell - UColorado, Boulder webster2627/tcp# Network dictionary +squid 3128/tcp# Squid caching web proxy canna 5680/tcp# Kana->Kanji server sane-port 6566/tcp# SANE Control Port icb7326/tcp# Internet Citizen's Band +cvsyncd/tcp# CVS sync daemon spamd 8025/tcp# spamd(8) spamd-sync 8025/udp# spamd(8) synchronisation spamd-cfg 8026/tcp# spamd(8) configuration
DNS control port additions to /etc/services
Suggestion of add NSD, Unbound & BIND control ports to /etc/services: Index: etc/services === RCS file: /cvs/src/etc/services,v retrieving revision 1.87 diff -u -p -r1.87 services --- etc/services12 Jul 2014 14:51:07 - 1.87 +++ etc/services15 Jul 2014 11:17:31 - @@ -181,6 +181,8 @@ kerberos-adm749/tcp # Kerberos 5 kad kerberos-adm 749/udp # Kerberos 5 kadmin rsync 873/tcp # rsync server cddb 888/tcp cddbp # Audio CD Database +named-rndc 953/tcp # Domain Name System (DNS) BIND RNDC Service +named-rndc 953/udp # Domain Name System (DNS) BIND RNDC Service imaps 993/tcp # imap4 protocol over TLS/SSL imaps 993/udp # imap4 protocol over TLS/SSL pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL @@ -301,6 +303,8 @@ spamd 8025/tcp# spamd(8) spamd-sync 8025/udp# spamd(8) synchronisation spamd-cfg 8026/tcp# spamd(8) configuration dhcpd-sync 8067/udp# dhcpd(8) synchronisation +nsd-cntl 8952/tcp# NSD authoritative DNS server control +unbound-cntl 8953/tcp# Unbound validating, recursive, and caching DNS server control hunt 26740/udp # hunt(6) # # Appletalk
Re: lynx: disable old protocols
On 2014-07-11 Fri 03:03 AM |, Theo de Raadt wrote: > If lynx was removed from base, and only available in ports... how many of > you would even know of its existence and use it? > Several times a week I use lynx for http or local html docs. If it wasn't in base, I'd install it/some similar package via siteXX.tgz
Re: 8 port serial card connections
On 2014-06-20 Fri 16:14 PM |, Maurice Janssen wrote: > ># FIXME No. 9 Moxa card port: > >moxa09:dv=/dev/tty10:common: > > > ># FIXME No. 10 Moxa card port: > >moxa10:dv=/dev/tty11:common: > > Try /dev/tty0a and /dev/tty0b > Perfect! Here's a man page diff to sync with lines 1383-1397 of /usr/src/sys/dev/pci/pucdata.c Index: share/man/man4/puc.4 === RCS file: /cvs/src/share/man/man4/puc.4,v retrieving revision 1.47 diff -u -p -r1.47 puc.4 --- share/man/man4/puc.42 Feb 2014 19:39:55 - 1.47 +++ share/man/man4/puc.420 Jun 2014 17:00:27 - @@ -85,6 +85,7 @@ The driver currently supports the follow .It Tn "Moxa Technologies Co., Ltd. PCI I/O Card 4S (4 port serial)" .It Tn "Moxa Technologies Co., Ltd. C104H/PCI (4 port serial)" .It Tn "Moxa Technologies Co., Ltd. CP104/PCI (4 port serial)" +.It Tn "Moxa Technologies Co., Ltd. C168H/PCI (8 port serial)" .It Tn "NEC PK-UG-X008 (serial)" .It Tn "NEC PK-UG-X001 K56flex PCI (modem)" .It Tn "NetMos 1P (1 port parallel)"
Re: sudo -u & environment help
FYI;- The sudo users mailing list quickly said the 3 issues I identified are known bugs, which have been fixed in newer sudo versions. http://www.sudo.ws/sudo/stable.html "The current stable release of sudo is 1.8.10p3" $ sudo -V Sudo version 1.7.2p8 $ uname -a OpenBSD teak.britvault.co.uk 5.4 GENERIC#37 i386 http://thread.gmane.org/gmane.comp.tools.sudo.user/4367 http://thread.gmane.org/gmane.os.openbsd.misc/211823/ > > Bug 387 refers to MAIL being fixed in 1.7.4: > http://www.sudo.ws/bugs/show_bug.cgi?id=387 > > Bug 527 (FreeBSD "sudo -i" doesn't use variables from /etc/login.conf) > seems to be similar: http://www.sudo.ws/bugs/show_bug.cgi?id=527 > which is logged as Fixed in sudo 1.8.4 > > Maybe that fix also covers the login.conf path & umask issues: > > http://www.sudo.ws/sudo/stable.html#1.8.4 > On systems that use login.conf, sudo -i now sets environment variables > based on login.conf. > > > http://www.sudo.ws/sudo/stable.html#1.8.5 > The initial evironment created when env_reset is in effect now includes > the contents of /etc/environment on AIX systems and the "setenv" and > "path" entries from /etc/login.conf on BSD systems. > > > sudo-users mailing list > For list information, options, or to unsubscribe, visit: > http://www.sudo.ws/mailman/listinfo/sudo-users
Re: sudo -u & environment help
FYI tech@, there was a thread on misc@ about sudo -iu not setting some environment variables: http://thread.gmane.org/gmane.os.openbsd.misc/211823/ On 2014-04-08 Tue 09:26 AM |, Craig R. Skinner wrote: > To clarify, there are no ~/. shell dot files. > > $PATH & umask are set in /etc/login.conf > $MAIL is the default set by login(1) > > /etc/profile sources /etc/ksh.kshrc, which just sets $PS1, > window decor & some aliases, nothing major. > > This arrangement works fine when logging in directly, > or via "sudo su -l user" > > From my reading of sudo(8), I thought the same environment could be > gained with something like "sudo -H -i -u username". > > Am I missing sudo flags or settings in /etc/sudoers? > > > On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote: > > Hi, > > > > When sudo'ing to another user, how can I obtain all of their environment > > settings as they receive when logging in themselves? > > > > When I use sudo in this manner, settings such as $PATH, $MAIL & umask > > aren't being honoured: > > > > > > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask > > craig > > /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin > > /var/mail/craig > > 027 > > > > > > > > Here, $PATH, $MAIL & umask are unchanged: > > > > $ sudo -H -i -u david > > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask > > david > > /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin > > /var/mail/craig > > 027 > > > > > > Compare the difference when logging in as that user: > > > > $ login david > > ... 
> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask > > david > > /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin > > /var/mail/david > > 022 > > > > > > > > > > /etc/login.conf: > > default:\ > > :passwordcheck=/usr/local/bin/pwqcheck -1:\ > > :passwordtries=0:\ > > :path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\ > > :umask=022:\ > > :datasize-cur= > > > > staff:\ > > :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin > > /usr/site/bin /usr/site/sbin ~/bin:\ > > :umask=027:\ > > :datasize-cur= > > > > > > $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^# > > Defaults env_keep +="DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP > > MAKE" > > Defaults env_keep +="MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER > > PKG_CACHE" > > Defaults env_keep +="PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR" > > Defaults env_keep +="RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL" > > Defaults env_keep +="WRKOBJDIR" > > Defaults always_set_home, ignore_dot, use_loginclass > > > > > > > > login(1): > > > > login enters information into the environment (see environ(7)) > > specifying > > the user's home directory (HOME), command interpreter (SHELL), search > > path (PATH), terminal type (TERM), and user name (both LOGNAME and > > USER). > > > > ENVIRONMENT > > login sets the following environment variables: > > > > HOME > > MAIL > > > > sudo(8): > > > > Command Environment > > .. On BSD systems, if the use_loginclass option is > > enabled, the environment is initialized based on the path and setenv > > settings in /etc/login.conf. The new environment contains the TERM, > > PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables > > in > > addition to variables from the invoking process permitted by the > > env_check and env_keep options. This is effectively a whitelist for > > environment variables. 
> > > > > > > > How can I become another user - without knowing their password, > > and gain their 'natural' environment? > > > > e.g. from wheel group to a users group member. > > > > 'su -l username' & 'login username' require their password. > > > > I thought 'sudo -H -i -u username' would do it. > > > > Any suggestions on what else I need to configure? >
Re: OpenSSH hole, April 9
On 2014-04-11 Fri 08:58 AM |, Bob Beck wrote: > sponsors having privileged access to the information (in other words > they aren't donors, they are paying for early access.) > Benefits with strings attached are not donations, ... more like bribes. Respect for freedom fighting and staying open!
Re: missing ports.tar.gz in snapshot
On 2014-03-06 Thu 15:42 PM |, Stuart Henderson wrote: > > Personally I'd keep them for releases (which also gives people a base > to speed up updates to -current) but probably drop them for snapshots.. > Sensible logic;- reducing workload, network & electricity costs!
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-28 Sat 15:13 PM |, Theo de Raadt wrote: > > > Enhance rc.d/rc.subr with lowered/raised daemon running priority. > > You still have done nothing to prove the case for this extra > complexity. > When I managed customers' dedicated servers, it would have been useful, for example, to have sshd running at a higher priority than apache, so when their box bogged down with some sad customer web-app, more than one ssh keystroke could be typed per minute to kill off their stuff. Maybe a general purpose box could have SpamAssassin running at a lower priority as working a queued mail spool is not user interactive. Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-28 Sat 21:16 PM |, Craig R. Skinner wrote: > On 2013-12-19 Thu 13:43 PM |, Craig R. Skinner wrote: > > Enhance rc.d/rc.subr with lowered/raised daemon running priority. > > > > Take 2: > > Replace /etc/rc.d/ rc_renice=X with > /etc/rc.conf.local _nice=X > Take 3 - simplify: Use nice directly between ${rcexec} & ${daemon} with rc_start(), rather than renice post start. Change rc_reprioritise() to rc_validate_rcnice() Backgrounding still works as expected. This now works with privilege separated binaries, such as ntpd: $ fgrep ntp /etc/rc.conf.local ntpd_flags="-s" ntpd_nice=YES $ ps -l -U _ntp UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND 83 4226 1 0 2 10 708 1136 pollSNs ??0:00.09 ntpd: ntp engine (ntpd) 83 22421 4226 3 2 10 644 1020 pollINs ??0:00.01 ntpd: dns engine (ntpd) Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -u -p -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 28 Dec 2013 23:10:14 - @@ -1,4 +1,4 @@ -# $OpenBSD: rc.subr,v 1.70 2013/07/11 09:34:33 otto Exp $ +# $OpenBSD: rc.subr,v 1.15 2013/12/28 22:57:21 skinner Exp $ # # Copyright (c) 2010, 2011 Antoine Jacoutot # Copyright (c) 2010, 2011 Ingo Schwarze @@ -54,7 +54,8 @@ rc_rm_runfile() { } rc_start() { - ${rcexec} "${daemon} ${daemon_flags} ${_bg}" + [[ -n ${_rcnice} ]] && _nice="$(which nice) -n ${_rcnice}" + ${rcexec} "${_nice} ${daemon} ${daemon_flags} ${_bg}" } rc_check() { 
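Review bot: The first hunk rewrites the `$OpenBSD: rc.subr,v 1.70 ...$` keyword line to a private `1.15 ... skinner` revision; that line is expanded by CVS on commit and should not be edited by hand or included in a submitted diff, otherwise the patch will not apply cleanly against the tree. The Take 2 diff further down this page has the same change.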
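Review bot: In rc_start, `_nice="$(which nice) -n ${_rcnice}"` resolves nice(1) through PATH at boot time and, together with `[[ -x $(which nice) ]]` in rc_validate_rcnice, spawns which(1) twice; the `# /usr not mounted?` comment shows the intended binary is /usr/bin/nice, so a fixed path is simpler and does not depend on the caller's PATH: `_nice="/usr/bin/nice -n ${_rcnice}"` here and `[[ -x /usr/bin/nice ]] || {` in the validator. `_nice` is assigned without `local` (rc_cmd declares `local _bg _n` for its own temporaries). The value is interpolated into the command string handed to `${rcexec}`, which is only safe because rc_validate_rcnice has reduced `_rcnice` to an integer or unset it before rc_start runs; a comment naming that dependency, `# _rcnice has been validated by rc_validate_rcnice in rc_cmd`, would keep a future refactor from reordering them.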
@@ -104,6 +105,46 @@ rc_wait() { return 1 } +rc_validate_rcnice() +{ + [[ -x $(which nice) ]] || + { + # /usr not mounted? + unset _rcnice + return + } + + [[ ${_rcnice} == 'YES' ]] && + { + # nice(1): an increment of 10 is assumed. + _rcnice=10 + return + } + + # if digits present + printf "%d" ${_rcnice} > /dev/null 2>&1 && + { + # strip non-digits for comparison + _rcnice=$(printf "%d" ${_rcnice}) + [[ ${_rcnice} -eq 0 ]] && + { + unset _rcnice + return + } + } + + # nice(1): The priority can be adjusted over a + # range of -20 (the highest) to 20 (the lowest). + for _nice_level in $(jot 40 20 -20) + do + [[ ${_rcnice} == ${_nice_level} ]] && return + done + + # Shouldn't get this far: + print -u2 "$0: ignoring invalid ${_name}_nice level: ${_rcnice}" + unset _rcnice +} + rc_cmd() { local _bg _n @@ -136,6 +177,9 @@ rc_cmd() { fi [ -z "${INRC}" ] && rc_do rc_check && exit 0 echo $_n "${INRC:+ }${_name}" + + [[ -n ${_rcnice} ]] && rc_validate_rcnice + while true; do # no real loop, only needed to break if type rc_pre >/dev/null; then rc_do rc_pre || break @@ -203,6 +247,7 @@ _RC_RUNFILE=${_RC_RUNDIR}/${_name} eval _rcflags=\${${_name}_flags} eval _rcuser=\${${_name}_user} +eval _rcnice=\${${_name}_nice} getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \ daemon_class=${_name} @@ -213,6 +258,7 @@ getcap -f /etc/login.conf ${_name} 1>/de [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags [ -n "${_rcflags}" ] && daemon_flags=${_rcflags} [ -n "${_rcuser}" ] && daemon_user=${_rcuser} +[[ ${_rcnice} == 'NO' ]] && unset _rcnice # sanitize daemon_flags=$(printf ' %s' ${daemon_flags}) Cheers, -- Craig Skinner | http://www.bbc.co.uk/programmes/b03mtrg9/clips
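Review bot: The range check in rc_validate_rcnice walks `$(jot 40 20 -20)` and string-compares `_rcnice` against each value; once the value has been normalised by `printf "%d"`, an arithmetic test `[[ ${_rcnice} -ge -20 && ${_rcnice} -le 20 ]] && return` expresses the same range without a jot process and a 40-iteration loop, and makes the bounds visible. As I read jot(1), 40 reps from 20 to -20 gives a non-integer step, so the generated list depends on jot's rounding (41 would give a unit step). The `# strip non-digits for comparison` comment assumes printf(1) succeeds on partially numeric input such as `10x`; on OpenBSD I believe it warns and exits non-zero in that case, so the stripping branch may never run — worth confirming. `_nice_level` is left as a global; `local _nice_level` at the top of the function would match rc_cmd's `local _bg _n`.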
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-19 Thu 13:43 PM |, Craig R. Skinner wrote: > Enhance rc.d/rc.subr with lowered/raised daemon running priority. > Take 2: Replace /etc/rc.d/ rc_renice=X with /etc/rc.conf.local _nice=X $ fgrep _nice /etc/rc.conf.local sshd_nice=-10 dhcpd_nice=15 inetd_nice=YES greyscanner_nice=YES $ sudo /etc/rc.d/dhcpd -d restart doing rc_read_runfile doing rc_read_runfile doing rc_check dhcpd doing rc_stop doing rc_wait stop doing rc_check doing rc_rm_runfile (ok) doing rc_read_runfile doing rc_check dhcpd doing rc_pre doing rc_start doing rc_write_runfile doing rc_reprioritise 6142: old priority 0, new priority 15 (ok) $ ps -l -U _dhcp UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND 77 6142 1 0 2 15 672 880 pollINs ??0:00.00 /usr/sbin/dhcpd Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -u -p -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 28 Dec 2013 21:02:51 - @@ -1,4 +1,4 @@ -# $OpenBSD: rc.subr,v 1.70 2013/07/11 09:34:33 otto Exp $ +# $OpenBSD: rc.subr,v 1.14 2013/12/28 20:46:25 skinner Exp $ # # Copyright (c) 2010, 2011 Antoine Jacoutot # Copyright (c) 2010, 2011 Ingo Schwarze @@ -104,6 +104,28 @@ rc_wait() { return 1 } +rc_reprioritise() +{ + [[ ${_rcnice} == 'YES' ]] || + { + # nice(1): The priority can be adjusted over a + # range of -20 (the highest) to 20 (the lowest). + for _renice_level in $(jot 40 20 -20) + do + [[ ${_rcnice} == ${_renice_level} ]] && + { + _scheduling_priority=${_rcnice} + break + } + done + } + + # nice(1): an increment of 10 is assumed. + [[ -z ${_scheduling_priority} ]] && _scheduling_priority='10' + + renice -n ${_scheduling_priority} -p $(pgrep -f "^${pexp}") +} + rc_cmd() { local _bg _n 
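Review bot: In rc_reprioritise a `${_name}_nice` value outside -20..20, or any non-numeric string other than YES, is silently turned into 10: the `for` loop over `$(jot 40 20 -20)` finds no match, `_scheduling_priority` stays empty, and the next line defaults it. A misconfiguration should be reported rather than reinterpreted, e.g. `print -u2 "$0: ignoring invalid ${_name}_nice level: ${_rcnice}"; return` before the default line (the Take 3 diff earlier on this page does this). `_scheduling_priority` and `_renice_level` are not `local`, and `renice -n ... -p $(pgrep -f "^${pexp}")` is run with no PID when pgrep matches nothing, so renice's own error is what the user sees. The quoted Take 1 hunk at the end of the page has the same silent fallthrough.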
@@ -136,6 +158,20 @@ rc_cmd() { fi [ -z "${INRC}" ] && rc_do rc_check && exit 0 echo $_n "${INRC:+ }${_name}" + + # sanitise _rcnice (only used for start) once before loop below + [[ ${_rcnice} == 'YES' ]] || + { + # if digits present + printf "%d" ${_rcnice} > /dev/null 2>&1 && + { + # strip non-digits for + # comparison in rc_reprioritise() + _rcnice=$(printf "%d" ${_rcnice}) + [[ ${_rcnice} -eq 0 ]] && unset _rcnice + } + } + while true; do # no real loop, only needed to break if type rc_pre >/dev/null; then rc_do rc_pre || break @@ -148,6 +184,7 @@ rc_cmd() { rc_do rc_wait start || break fi rc_do rc_write_runfile + [[ -n ${_rcnice} ]] && rc_do rc_reprioritise rc_exit ok done # handle failure @@ -203,6 +240,7 @@ _RC_RUNFILE=${_RC_RUNDIR}/${_name} eval _rcflags=\${${_name}_flags} eval _rcuser=\${${_name}_user} +eval _rcnice=\${${_name}_nice} getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \ daemon_class=${_name} @@ -213,6 +251,7 @@ getcap -f /etc/login.conf ${_name} 1>/de [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags [ -n "${_rcflags}" ] && daemon_flags=${_rcflags} [ -n "${_rcuser}" ] && daemon_user=${_rcuser} +[[ ${_rcnice} == 'NO' ]] && unset _rcnice # sanitize daemon_flags=$(printf ' %s' ${daemon_flags}) Cheers, -- Craig Skinner | http://www.bbc.co.uk/programmes/b03mtrg9/clips
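Review bot: The `[[ -n ${_rcnice} ]] && rc_do rc_reprioritise` line added before `rc_exit ok` discards the status of rc_reprioritise, so a failed renice — for instance if `pgrep -f "^${pexp}"` finds nothing after `rc_wait start` and renice is handed `-p` with no PID — is still followed by `(ok)`, and the daemon quietly runs at the default priority. A one-line change keeps start succeeding but makes the condition visible: `rc_do rc_reprioritise || print -u2 "$0: could not renice ${_name}"`. rc_cmd starts and ends outside these hunks.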
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-21 Sat 17:13 PM |, Alexander Hall wrote: > > > >Comments/testing observations/? > > This is not the purpose nor responsibility off the rc.d scripts. > > What alternatives have you in mind? Maybe an /etc/rc.nicetab which a root run cron job parses for daemon values, then checks that against the process tree. Repeated every minute... in case some process was started. Unlikely. This is cleaner & works: > > > >ksh syntax used (which works with /bin/sh & bin/ksh being the same > >binary), but dinnae ken if that's "wrong"... for rc* stuff. > > > > > >> Use renice as simple nice didn't always work on daemons started in > >the > >> background. Niceness level sanity checked, defaulting to 10. > >> > >> Index: rc.subr > >> === > >> RCS file: /cvs/src/etc/rc.d/rc.subr,v > >> retrieving revision 1.70 > >> diff -u -u -p -r1.70 rc.subr > >> --- rc.subr11 Jul 2013 09:34:33 - 1.70 > >> +++ rc.subr19 Dec 2013 13:17:45 - > >> @@ -104,6 +104,25 @@ rc_wait() { > >>return 1 > >> } > >> > >> +rc_reprioritise() > >> +{ > >> + [[ ${rc_renice} != 'YES' ]] && > >> + { > >> + for _renice_level in $(jot 40 20 -20) > >> + do > >> + [[ ${rc_renice} == ${_renice_level} ]] && > >> + { > >> + _scheduling_priority=${rc_renice} > >> + break > >> + } > >> + done > >> + } > >> + > >> + [[ -z ${_scheduling_priority} ]] && _scheduling_priority='10' > >> + > >> + renice -n ${_scheduling_priority} -p $(pgrep -f "^${pexp}") > >> +} > >> + > >> rc_cmd() { > >>local _bg _n > >> > >> @@ -136,6 +155,17 @@ rc_cmd() { > >>fi > >>[ -z "${INRC}" ] && rc_do rc_check && exit 0 > >>echo $_n "${INRC:+ }${_name}" > >> + > >> + [[ ${rc_renice} == 'NO' ]] && unset rc_renice > >> + [[ -n ${rc_renice} ]] && > >> + { > >> + printf "%d" ${rc_renice} > /dev/null 2>&1 && > >> + { > >> + rc_renice=$(printf "%d" ${rc_renice}) > >> + [[ ${rc_renice} -eq 0 ]] && unset rc_renice > >> + } > >> + } > >> + > >>while true; do # no real loop, only needed to break > >>if type rc_pre >/dev/null; then > >>rc_do rc_pre || break 
> >> @@ -148,6 +178,7 @@ rc_cmd() { > >>rc_do rc_wait start || break > >>fi > >>rc_do rc_write_runfile > >> + [[ -n ${rc_renice} ]] && rc_do rc_reprioritise > >>rc_exit ok > >>done > >># handle failure > >> > -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-21 Sat 09:16 AM |, Theo de Raadt wrote: > > > You seem to be coming from the perspective that people do stupid > > > things, and our base system should handle those stupid things. > > > > > > > My perspective is maildir (backed IMAP) is commonly deployed, > > and such are as well being security checked. > > Yes, and perhaps that means they should use a different directory! No thanks. I say /var/mail is the right place for maildirs. The mailbox format is too limiting these days, with all of its file locking problems. A cluster of SMTP servers can concurrently write to a set of NFS mounted /var/mail directories, while simultaneously, a cluster of IMAP servers can concurrently both read and write to the same NFS mounted /var/mail directories. I'll continue to locally patch security, as I'm not a fool who makes an idol out of archaic UNIX traditions. Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-21 Sat 08:55 AM |, Theo de Raadt wrote: > > You seem to be coming from the perspective that people do stupid > things, and our base system should handle those stupid things. > My perspective is maildir (backed IMAP) is commonly deployed, and such are as well being security checked.
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-19 Thu 13:43 PM |, Craig R. Skinner wrote: > Enhance rc.d/rc.subr with lowered/raised daemon running priority. > Comments/testing observations/? ksh syntax used (which works with /bin/sh & bin/ksh being the same binary), but dinnae ken if that's "wrong"... for rc* stuff. > Use renice as simple nice didn't always work on daemons started in the > background. Niceness level sanity checked, defaulting to 10. > > Index: rc.subr > === > RCS file: /cvs/src/etc/rc.d/rc.subr,v > retrieving revision 1.70 > diff -u -u -p -r1.70 rc.subr > --- rc.subr 11 Jul 2013 09:34:33 - 1.70 > +++ rc.subr 19 Dec 2013 13:17:45 - > @@ -104,6 +104,25 @@ rc_wait() { > return 1 > } > > +rc_reprioritise() > +{ > + [[ ${rc_renice} != 'YES' ]] && > + { > + for _renice_level in $(jot 40 20 -20) > + do > + [[ ${rc_renice} == ${_renice_level} ]] && > + { > + _scheduling_priority=${rc_renice} > + break > + } > + done > + } > + > + [[ -z ${_scheduling_priority} ]] && _scheduling_priority='10' > + > + renice -n ${_scheduling_priority} -p $(pgrep -f "^${pexp}") > +} > + > rc_cmd() { > local _bg _n > > @@ -136,6 +155,17 @@ rc_cmd() { > fi > [ -z "${INRC}" ] && rc_do rc_check && exit 0 > echo $_n "${INRC:+ }${_name}" > + > + [[ ${rc_renice} == 'NO' ]] && unset rc_renice > + [[ -n ${rc_renice} ]] && > + { > + printf "%d" ${rc_renice} > /dev/null 2>&1 && > + { > + rc_renice=$(printf "%d" ${rc_renice}) > + [[ ${rc_renice} -eq 0 ]] && unset rc_renice > + } > + } > + > while true; do # no real loop, only needed to break > if type rc_pre >/dev/null; then > rc_do rc_pre || break > @@ -148,6 +178,7 @@ rc_cmd() { > rc_do rc_wait start || break > fi > rc_do rc_write_runfile > + [[ -n ${rc_renice} ]] && rc_do rc_reprioritise > rc_exit ok > done > # handle failure >
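Review bot: `_renice_level` and `_scheduling_priority` in rc_reprioritise are assigned without `local`, so they remain set in the sourcing rc.d script after the call; declare them with `local _renice_level _scheduling_priority` at the top of the function. The `jot 40 20 -20` loop also yields only 40 values for the 41 integers in -20..20, so one valid level never matches and silently becomes +10, together with every other unrecognized `rc_renice` value that survives the digit check in rc_cmd. A direct `(( rc_renice >= -20 && rc_renice <= 20 ))` after that check, with a warning to stderr on failure, replaces the loop. rc_wait and rc_cmd, which frame the hunk, are cut off at its edges.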
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-16 Mon 12:11 PM |, Craig R. Skinner wrote: > Check the security of /var/mail/dirs similar to /var/mail/boxes: > Several skilled sysadmins have stated they deliberately avoid using /var/mail for maildirs as security(8) generates warnings about these. People are placing maildirs in /var/maildir, /var/vmail, /mail, /var/spool/mail, and who knows what other embarrassingly heinous hierarchical heresies are being committed. It's simple to alter security to include maildirs as well as mailboxes. Either with the code I hacked up, or something sublimely superior. Compare: http://openbsd.7691.n7.nabble.com/security-8-and-maildir-td67036.html#a67039 Additionally, here's a possible corresponding diff for heir(7): Index: hier.7 === RCS file: /cvs/src/share/man/man7/hier.7,v retrieving revision 1.109 diff -u -u -p -r1.109 hier.7 --- hier.7 14 Aug 2013 08:39:29 - 1.109 +++ hier.7 21 Dec 2013 15:21:55 - @@ -617,7 +617,7 @@ Log files for .El .Pp .It mail/ -User mailbox files. +User mailbox files and/or maildirs. .It named/ Chroot directory for .Xr named 8 . > Index: security > === > RCS file: /cvs/src/libexec/security/security,v > retrieving revision 1.23 > diff -u -u -p -r1.23 security > --- security 21 Mar 2013 09:37:37 - 1.23 > +++ security 16 Dec 2013 12:05:52 - > @@ -458,9 +458,16 @@ sub check_mailboxes { > my $gname = (getgrgid $fgid)[0] // $fgid; > nag $fname ne $name, > "user $name mailbox is owned by $fname"; > - nag S_IMODE($mode) != (S_IRUSR | S_IWUSR), > - sprintf 'user %s mailbox is %s, group %s', > - $name, strmode($mode), $gname; > + if (S_ISDIR($mode)) { > + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | S_IXUSR), > + sprintf 'user %s maildir is %s, group %s', > + $name, strmode($mode), $gname; > + } > + else { > + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR), > + sprintf 'user %s mailbox is %s, group %s', > + $name, strmode($mode), $gname; > + } > } > closedir $dh; > } >
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-18 Wed 20:48 PM |, Jérémie Courrèges-Anglas wrote: > skin...@britvault.co.uk (Craig R. Skinner) writes: > > > On 2013-12-18 Wed 15:54 PM |, Stuart Henderson wrote: > >> > > > > Check the security of /var/mail/dirs similar to /var/mail/boxes: > >> > > > >> > >> Indeed, but security(8) really reflects things in the base OS, > >> > > > > smtpd.conf(8) > > deliver to maildir path > > Mail is added to a maildir. Its location, path, may > > contain format specifiers that are expanded before use > > > > > > Therefore: ... deliver to maildir /var/mail/%{user.username} > > "Therefore"? How so? What's the logic, here? > THEREFORE software in base can deliver to maildir in /var/mail > >> Indeed, but security(8) really reflects things in the base OS, OK? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-18 Wed 15:54 PM |, Stuart Henderson wrote: > > > > > Check the security of /var/mail/dirs similar to /var/mail/boxes: > > > > > Indeed, but security(8) really reflects things in the base OS, > smtpd.conf(8) deliver to maildir path Mail is added to a maildir. Its location, path, may contain format specifiers that are expanded before use Therefore: ... deliver to maildir /var/mail/%{user.username} OK for the patch then? Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-16 Mon 13:15 PM |, Craig R. Skinner wrote: > On 2013-12-16 Mon 12:22 PM |, Stuart Henderson wrote: > > On 2013/12/16 12:11, Craig R. Skinner wrote: > > > Check the security of /var/mail/dirs similar to /var/mail/boxes: > > > > Aren't maildirs usually in ~/Maildir? > > > > MTA's can deliver to maildirs in several places. > > Postfix example (the trailing slash changes from mbox to maildir format): > > $ postconf -h mail_spool_directory > /var/mail/ > Usually, all user web files are kept in ~/public_html OpenBSD places them in /var/www/users/$LOGIN By keeping all mail in a separately mounted /var/mail partition, (with simple mutt & dovecot configs) mail-only users can have /var/empty as $HOME, authpf or nologin as $SHELL. This eliminates SQL or other complicated mail stores for 'virtual' users Separate 'black box' servers can be dedicated to mail only duties, without user shell logins, /var/mail can be NFS exported as there are no file locking problems with maildirs - each message is a unique file. New mail can be delivered without locking the box. Also, an annual dump cycle can be set on /home, with quarterly/monthly level 0 dumps on /var/mail, different quotas set on the different partitions. Possibilities abound, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-16 Mon 12:22 PM |, Stuart Henderson wrote: > On 2013/12/16 12:11, Craig R. Skinner wrote: > > Check the security of /var/mail/dirs similar to /var/mail/boxes: > > Aren't maildirs usually in ~/Maildir? > MTA's can deliver to maildirs in several places. Postfix example (the trailing slash changes from mbox to maildir format): $ postconf -h mail_spool_directory /var/mail/ Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
security(8) check maildir as well as mailbox permissions
Check the security of /var/mail/dirs similar to /var/mail/boxes: Index: security === RCS file: /cvs/src/libexec/security/security,v retrieving revision 1.23 diff -u -u -p -r1.23 security --- security21 Mar 2013 09:37:37 - 1.23 +++ security16 Dec 2013 12:05:52 - @@ -458,9 +458,16 @@ sub check_mailboxes { my $gname = (getgrgid $fgid)[0] // $fgid; nag $fname ne $name, "user $name mailbox is owned by $fname"; - nag S_IMODE($mode) != (S_IRUSR | S_IWUSR), - sprintf 'user %s mailbox is %s, group %s', - $name, strmode($mode), $gname; + if (S_ISDIR($mode)) { + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | S_IXUSR), + sprintf 'user %s maildir is %s, group %s', + $name, strmode($mode), $gname; + } + else { + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR), + sprintf 'user %s mailbox is %s, group %s', + $name, strmode($mode), $gname; + } } closedir $dh; } Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
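Review bot: The new `S_ISDIR` branch checks only the mode of the top-level maildir, so a `/var/mail/<user>` that is 0700 while its `cur`, `new` and `tmp` subdirectories or the message files inside them are group- or world-readable passes silently, whereas the mbox branch it mirrors inspects the one file that actually holds the mail. At minimum descend into the three standard subdirectories and `nag` when any is not 0700, or walk the tree with File::Find and require 0700 on directories and 0600 on files, reusing the `user %s maildir is %s, group %s` wording with the offending path appended. The ownership `nag` above this branch already covers both layouts, so only the mode test needs extending. check_mailboxes begins outside the hunk, so it is not visible here whether `$mode` comes from stat or lstat; if it follows symlinks, a maildir that is a symlink elsewhere is reported against the target — worth confirming.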
Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path
As the others here with brains have had a chance to sleep on this, what's the current thinking? As I understand it, there are 2 decisions to make: 1) How to decide if a $daemon is a script as opposed to a binary (*) file(1) (*) dd(1) (*) sed(1) Could stat(1) be tasked to switch case on file attributes (e.g: size)? 2) Whether to check if a script's interpreter is valid http://openbsd.7691.n7.nabble.com/etc-rc-d-rc-subr-prefix-pexp-with-script-interpretor-path-td234439.html Yes/No/Other? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path
On 2013-09-16 Mon 23:28 PM |, Alexander Hall wrote: > > sed can do it all. Really. This is getting beyond me Alexander. Is sed a mechanism to step away from using file(1) ? > Notes: > > - I separate re_quote() cause I think it can be useful in other places. > - I think re_quote() is (basic) regex complete. > - I don't care if the interpreter is (or seems) nonexistant, as that > shouldn't be a runtime error. > - I'm sure sed may die horribly if you try to feed it a 9GB oneline > file. However, if so, it should not produce any output anyway. ;) > If this would ever be considered a real problem, dd(1) would help > (as espie already mentioned). > > re_quote() { sed 's/\([]^$*.\\[]\)/\\\1/g'; } > > interpreter=$( > sed -n 's/^#![[:space:]]*\(.*\)/\1 /p;q' "${daemon}" | > re_quote) > pexp="$interpreter$pexp" > > Moreover, > > - you probably want to unset $interpreter when done. > - we might want to re_quote the entire $pexp later instead. >
Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path
On 2013-09-16 Mon 15:12 PM |, Paul de Weerd wrote: > Hi Craig, > > --- cat bad_script.sh > # This is a VERY BAD example of a script! This will break your > # shebang thingambob > > echo Now what... > -- > > I think you'd be better of making sure the first two characters in the > file are actually "#!": > > head -n1 ${FILE} | grep '^#!' | sed 's/^#![[:blank:]]*//' > Good idea Paul. Implemented below, along with rudimentary testing for a valid interpreter: Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 16 Sep 2013 18:19:14 - 
@@ -221,4 +221,15 @@ unset _rcflags _rcuser pexp="${daemon}${daemon_flags:+ ${daemon_flags}}" +file ${daemon} | fgrep -q script && +{ + shebang=$(head -n 1 ${daemon} | grep '^#!' | sed 's/^#![[:blank:]]*//') + interpreter=$(echo ${shebang} | cut -d' ' -f1) + if [[ -f ${interpreter} && -x ${interpreter} ]] + then + pexp="${shebang} ${pexp}" + else + rc_err "$0: invalid interpreter: ${interpreter}" + fi +} rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c" Test scripts: #-=-= /etc/rc.d/rcshebangtester -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #!/bin/sh #daemon="/home/me/bin/rcshebangtester.dud" #daemon="/home/me/bin/rcshebangtester.ksh" daemon="/home/me/bin/rcshebangtester.pl" . /etc/rc.d/rc.subr rc_bg=YES #pexp="/bin/ksh ${daemon}" #pexp="/usr/bin/perl -T ${daemon}" #pexp="/usr/bin/perl ${daemon}" rc_cmd $1 #-=-= /home/me/bin/rcshebangtester.dud -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #!/var/empty #! /dev/null #! /usr/lib/libc.a # swap about above echo 'Busted!' #-=-= /home/me/bin/rcshebangtester.ksh =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #! /bin/ksh -x #! /bin/ksh # swap about above while true do uptime sleep 1 done #-=-= /home/me/bin/rcshebangtester.pl =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #! 
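Review bot: `file ${daemon} | fgrep -q script` matches the pathname as well as the description, because file(1) prefixes its output with the filename, so a binary daemon whose path contains "script" is treated as a script, `grep '^#!'` finds nothing in its first line, `${interpreter}` ends up empty and the new `rc_err` aborts the start; use `file -b ${daemon}` so only the type description is tested. `cut -d' ' -f1` also assumes a single space between interpreter and argument — with a tab there the argument stays glued to the path and the `-x` test fails; `interpreter=${shebang%%[[:blank:]]*}` handles either separator without a pipeline. Finally, `${shebang}` is spliced verbatim into `pexp`, which rc_check and the stop path use as a `^`-anchored pattern, so an `#!/usr/bin/env perl` daemon yields a pattern that never matches its own process (env replaces itself with perl, so the command line starts with `perl`), and the start is then reported as failed although the daemon is running. The surrounding top-level code of rc.subr continues outside the hunk.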
/usr/bin/perl -T #!/usr/bin/perl # swap about above use strict; use warnings; for(;;) { print time(), "\n"; sleep 1; } #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $ sudo /etc/rc.d/rcshebangtester -d -f start; \ cat /var/run/rc.d/rcshebangtester; echo; sleep 5; \ sudo /etc/rc.d/rcshebangtester -d -f stop doing rc_read_runfile doing rc_check rcshebangtester doing rc_start 1379357218 1379357219 doing rc_wait start doing rc_check doing rc_write_runfile (ok) /usr/bin/perl -T /home/me/bin/rcshebangtester.pl 1379357220 1379357221 1379357222 1379357223 1379357224 doing rc_read_runfile doing rc_check rcshebangtester doing rc_stop doing rc_wait stop doing rc_check doing rc_rm_runfile (ok) #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Any other thoughts? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path
On 2013-09-16 Mon 13:00 PM |, Antoine Jacoutot wrote: > > Heh, very interesting trick ;-) > But I don't think that is 100% full proof as is. > > e.g. > $ head -n 1 /usr/local/bin/xml2-config | cut -d! -f2 > /bin/sh > You have a white space before the interpreter. > > If you can improve that and make sure it works with all similar rc scripts > then I think it is definitely something that should be looked into. > Thanks. > Well spotted Antoine. I wrote a test script with various shebang lines of: #![space]/bin/ksh #![space][space]/bin/ksh #![space][tab]/bin/ksh -x #![tab]/bin/ksh -x #![space]/usr/bin/perl #![space][space]/usr/bin/perl #![space][tab]/usr/bin/perl -T #![tab][tab][tab]/usr/bin/perl -T This seems to work with these test scenarios (as seen in /var/run/rc.d/rcshebangtester): Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 16 Sep 2013 12:09:42 - @@ -221,4 +221,9 @@ unset _rcflags _rcuser pexp="${daemon}${daemon_flags:+ ${daemon_flags}}" +file ${daemon} | fgrep -q script && +{ + shebang=$(head -n 1 ${daemon} | cut -d! -f2 | sed 's/^[[:blank:]]*//') + pexp="${shebang} ${pexp}" +} rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c" Would it also be worthwhile verifying the 1st element of $shebang is executable before prefixing $pexp? Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
/etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path
For scripts (perl, shell, whatever...), prefix ${pexp} with the script's interpretor path as defined by the script. No need to override ${pexp} in the daemon's rc file. Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 16 Sep 2013 10:26:09 - @@ -221,4 +221,9 @@ unset _rcflags _rcuser pexp="${daemon}${daemon_flags:+ ${daemon_flags}}" +file ${daemon} | fgrep -q script && +{ + shebang=$(head -n 1 ${daemon} | cut -d! -f2) + pexp="${shebang} ${pexp}" +} rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c" e.g. Remove pexp= from /etc/rc.d/greyscanner: --- greyscanner.pkg Mon Aug 19 14:46:01 2013 +++ greyscanner Mon Sep 16 11:30:33 2013 @@ -6,7 +6,6 @@ . /etc/rc.d/rc.subr -pexp="/usr/bin/perl ${daemon}" rc_reload=NO rc_cmd $1 $ sudo /etc/rc.d/greyscanner restart greyscanner(ok) greyscanner(ok) $ cat /var/run/rc.d/greyscanner /usr/bin/perl /usr/local/sbin/greyscanner $ ps auxwww | fgrep greyscanner root 25280 0.0 0.6 4896 2920 ?? Is11:35AM0:00.04 /usr/bin/perl /usr/local/sbin/greyscanner Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: useradd with empty -k doesn't chown/chmod new home directory
ping On 2013-09-05 Thu 14:48 PM |, Todd C. Miller wrote: > I changed my mind and decided it is better to just move the chown > and chmod out of copydotfiles() and add an explicit check for skeldir > set to the empty string. Much as I would like to prettify the > user.c code it is a losing battle so here is a minimal diff. > > - todd > > Index: usr.sbin/user/user.c > === > RCS file: /home/cvs/openbsd/src/usr.sbin/user/user.c,v > retrieving revision 1.95 > diff -u -r1.95 user.c > --- usr.sbin/user/user.c 2 Apr 2013 05:04:47 - 1.95 > +++ usr.sbin/user/user.c 5 Sep 2013 20:47:23 - > @@ -290,6 +290,8 @@ > DIR *dirp; > int n; > > + if (*skeldir != '\0') > + return 0; > if ((dirp = opendir(skeldir)) == NULL) { > warn("can't open source . files dir `%s'", skeldir); > return 0; > @@ -308,8 +310,6 @@ > (void) asystem("cd %s && %s -rw -pe %s . %s", > skeldir, PAX, (verbose) ? "-v" : "", dir); > } > - (void) asystem("%s -R -P %u:%u %s", CHOWN, uid, gid, dir); > - (void) asystem("%s -R u+w %s", CHMOD, dir); > return n; > } > > @@ -1177,6 +1177,9 @@ > err(EXIT_FAILURE, "can't mkdir `%s'", home); > } > (void) copydotfiles(up->u_skeldir, up->u_uid, gid, > home); > + (void) asystem("%s -R -P %u:%u %s", CHOWN, up->u_uid, > + gid, home); > + (void) asystem("%s -R u+w %s", CHMOD, home); > } > } > if (strcmp(up->u_primgrp, "=uid") == 0 && -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
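Review bot: As quoted here the new guard in copydotfiles reads `if (*skeldir != '\0') return 0;`, which returns before opendir whenever skeldir is non-empty — the opposite of the stated intent of skipping only an explicit `-k ""` — so dotfiles would never be copied for a real skel directory; unless the archive has mangled it, the test must be `if (*skeldir == '\0')`. Moving the chown/chmod to the useradd path is the right fix, since the new home must be owned and writable even when nothing is copied. The moved `asystem("%s -R -P %u:%u %s", CHOWN, ...)` still interpolates `home` into a shell command line unquoted, as the pre-existing code did, so a home path containing whitespace or shell metacharacters is split or interpreted; quoting it or replacing the shell round-trip with a direct fork/exec is worth doing while these lines are being touched, though the issue is not introduced by this diff. Both copydotfiles and its caller begin outside the hunks shown.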
Re: diff: /etc/rc.d/spamd rc_reload=NO
ping On 2013-09-06 Fri 10:29 AM |, David Coppa wrote: > On Thu, Sep 5, 2013 at 9:31 PM, Craig R. Skinner > wrote: > > Doesn't seem to reload once chrooted: > > > > $ sudo /etc/rc.d/spamd -d reload > > doing rc_read_runfile > > doing rc_check > > spamd > > doing rc_reload > > Sep 5 19:57:54 oak spamd[22335]: greyreader failed (Error 0) > > doing rc_wait reload > > doing rc_check > > doing rc_check > > ... > > .. > > . > > doing rc_check > > (failed) > > > > > > > > > > > > Index: spamd > > === > > RCS file: /cvs/src/etc/rc.d/spamd,v > > retrieving revision 1.2 > > diff -u -r1.2 spamd > > --- spamd 8 Jul 2011 02:15:34 - 1.2 > > +++ spamd 5 Sep 2013 19:19:54 - > > @@ -7,6 +7,7 @@ > > . /etc/rc.d/rc.subr > > > > pexp="spamd: \[priv\]" > > +rc_reload=NO > > > > rc_pre() { > > [ X"${spamd_black}" != X"NO" ] && \ > > OK with me. > > ciao, > David -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: useradd with empty -k doesn't chown/chmod new home directory
Solved? On 2013-09-05 Thu 14:48 PM |, Todd C. Miller wrote: > I changed my mind and decided it is better to just move the chown > and chmod out of copydotfiles() and add an explicit check for skeldir > set to the empty string. Much as I would like to prettify the > user.c code it is a losing battle so here is a minimal diff. > > - todd > > Index: usr.sbin/user/user.c > === > RCS file: /home/cvs/openbsd/src/usr.sbin/user/user.c,v > retrieving revision 1.95 > diff -u -r1.95 user.c > --- usr.sbin/user/user.c 2 Apr 2013 05:04:47 - 1.95 > +++ usr.sbin/user/user.c 5 Sep 2013 20:47:23 - > @@ -290,6 +290,8 @@ > DIR *dirp; > int n; > > + if (*skeldir != '\0') > + return 0; > if ((dirp = opendir(skeldir)) == NULL) { > warn("can't open source . files dir `%s'", skeldir); > return 0; > @@ -308,8 +310,6 @@ > (void) asystem("cd %s && %s -rw -pe %s . %s", > skeldir, PAX, (verbose) ? "-v" : "", dir); > } > - (void) asystem("%s -R -P %u:%u %s", CHOWN, uid, gid, dir); > - (void) asystem("%s -R u+w %s", CHMOD, dir); > return n; > } > > @@ -1177,6 +1177,9 @@ > err(EXIT_FAILURE, "can't mkdir `%s'", home); > } > (void) copydotfiles(up->u_skeldir, up->u_uid, gid, > home); > + (void) asystem("%s -R -P %u:%u %s", CHOWN, up->u_uid, > + gid, home); > + (void) asystem("%s -R u+w %s", CHMOD, home); > } > } > if (strcmp(up->u_primgrp, "=uid") == 0 &&
Re: diff: /etc/rc.d/spamd rc_reload=NO
On 2013-09-06 Fri 10:29 AM |, David Coppa wrote: > > OK with me. > > ciao, > David Anyone else? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
diff: /etc/rc.d/spamd rc_reload=NO
Doesn't seem to reload once chrooted: $ sudo /etc/rc.d/spamd -d reload doing rc_read_runfile doing rc_check spamd doing rc_reload Sep 5 19:57:54 oak spamd[22335]: greyreader failed (Error 0) doing rc_wait reload doing rc_check doing rc_check ... .. . doing rc_check (failed) Index: spamd === RCS file: /cvs/src/etc/rc.d/spamd,v retrieving revision 1.2 diff -u -r1.2 spamd --- spamd 8 Jul 2011 02:15:34 - 1.2 +++ spamd 5 Sep 2013 19:19:54 - @@ -7,6 +7,7 @@ . /etc/rc.d/rc.subr pexp="spamd: \[priv\]" +rc_reload=NO rc_pre() { [ X"${spamd_black}" != X"NO" ] && \ Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
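Review bot: `rc_reload=NO` is added with no comment explaining why the action is disabled, and the cause is not recoverable from the script itself — the trace above only shows spamd not answering rc_check after the reload. Add a one-line comment above it, e.g. `# spamd does not survive a reload once it has chrooted; use restart`, adjusted to whatever the confirmed cause is. If spamd is in fact meant to handle SIGHUP and the `greyreader failed` message is a bug in spamd rather than a design limit, that deserves a separate report instead of being masked in the rc script.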
Re: useradd with empty -k doesn't chown/chmod new home directory
On 2013-08-31 Sat 11:18 AM |, Kenneth R Westerback wrote: > > This makes sense to me. ok krw@ > > Ken > ping? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: useradd with empty -k doesn't chown/chmod new home directory
On 2013-08-31 Sat 11:45 AM |, patrick keshishian wrote: > On Sat, Aug 31, 2013 at 06:23:25AM -0600, Todd C. Miller wrote: > > Assuming we want to make this a non-fatal error the following should > > do. > > You meant non-existent skel dir, not empty. Unless you > meant empty argument for -k option, i.e., -k "" Yes, that was my intention. i.e. "don't copy the skel dir" > but is there a good use-case for that? > For example, if an organisation had a number of database administrators and they were added to the group 'dbas'. In /home/dba there could be files, scripts, passwords,... that only the DBA team should have common access to. Likewise for hostmasters, postmasters, webmasters, management, marketing, sales, http://article.gmane.org/gmane.os.openbsd.bugs/19980