A few /etc/ksh.kshrc tweaks

2014-10-25 Thread Craig R. Skinner
1) telnetd removed, so it won't be a parent process

2) Restricted shells can redirect window decor to > /dev/tty

3) In wcd(), only run _ignore() if cd succeeds (e.g. not when cd /root fails)


Index: ksh.kshrc
===
RCS file: /cvs/src/etc/ksh.kshrc,v
retrieving revision 1.19
diff -u -p -r1.19 ksh.kshrc
--- ksh.kshrc   11 Jul 2014 21:12:39 -  1.19
+++ ksh.kshrc   25 Oct 2014 16:32:36 -
@@ -82,14 +82,19 @@ case "$-" in
xterm*)
ILS='\033]1;'; ILE='\007'
WLS='\033]2;'; WLE='\007'
-   parent="`ps -ax 2>/dev/null | grep $PPID | grep -v grep`"
-   case "$parent" in
-   *telnet*)
-   export TERM=xterms;;
-   esac
-   ;;
*)  ;;
esac
+
+   #[[ -o restricted ]] & $-r not set until after
+   # processing of shell init files. The best we can do:
+   # TODO: find a better way to test for restrictions on /bin/{k}sh
+   [[ ${SHELL} == '/bin/rksh' ]] &&
+   {
+   # Restricted shells can't cd, nor redirect output
+   print -n "${WLS}$USER@$HOST ($tty) ~${WLE}" > /dev/tty
+   unset ILS ILE WLS WLE
+   }
+
# do we want window decorations?
if [ "$ILS" ]; then
function ilabel { print -n "${ILS}$*${ILE}">/dev/tty; }
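Review bot: The removed `;;` after the inner `esac` was the terminator of the `xterm*)` arm, so as far as the hunk shows the new text runs from the `WLS=`/`WLE=` line straight into `*)  ;;`, which ksh should reject as a syntax error; only the `parent=` line and the inner `case … esac` should be deleted. The restricted-shell test `[[ ${SHELL} == '/bin/rksh' ]]` compares an environment value rather than the state of the running shell, so a restricted shell started under another name or path is missed; the TODO hints at this, and the comment could say it outright, e.g. `# SHELL is only a hint; it does not prove the shell is restricted`. The comment `# Restricted shells can't cd, nor redirect output` also contradicts the `> /dev/tty` redirection on the next line and item 2 of the description. The enclosing `case` starts outside the hunk.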
@@ -103,7 +108,7 @@ case "$-" in
 
function wftp { ilabel "ftp $*"; "ftp" "$@"; _ignore eval 
istripe; }
 
-   function wcd { \cd "$@"; _ignore eval stripe; }
+   function wcd { \cd "$@" &&   _ignore eval stripe; }
 
function wssh{ \ssh "$@";_ignore eval 'istripe; 
stripe'; }
function wtelnet { \telnet "$@"; _ignore eval 'istripe; 
stripe'; }



Re: rcctl: find(1) service files in /etc/rc.d

2014-10-15 Thread Craig R. Skinner
On 2014-10-14 Tue 00:24 AM |, Antoine Jacoutot wrote:
> 
> Makes sense yes. Not sure I'd want a function just for that one liner though.
> I'll commit something tomorrow.
> 

Nice one, using shell internals.

This restricts the listing to files which are also executable:


Index: rcctl.sh
===
RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v
retrieving revision 1.45
diff -u -p -r1.45 rcctl.sh
--- rcctl.sh15 Oct 2014 07:38:24 -  1.45
+++ rcctl.sh15 Oct 2014 09:01:35 -
@@ -39,10 +39,12 @@ needs_root()
 ls_rcscripts() {
local _s
 
-   cd /etc/rc.d && set -- *
+   cd /etc/rc.d || exit
+   set -- *
for _s; do
[ "${_s}" = "rc.subr" ] && continue
-   [ ! -d "${_s}" ] && echo "${_s}"
+   [[ -d "${_s}" ]] && continue
+   [[ -f "${_s}" && -x "${_s}" ]] && echo "${_s}"
done
 }
 
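Review bot: The added `[[ -d "${_s}" ]] && continue` is redundant, because the `-f` test on the following line already rejects directories; the single line `[[ -f "${_s}" && -x "${_s}" ]] && echo "${_s}"` does the same work. The new tests use `[[ … ]]` while the unchanged `rc.subr` test directly above them uses `[ … ]`, so the function should settle on one form. `cd /etc/rc.d || exit` ends the whole script from inside a helper without a message; a short diagnostic on stderr before the exit would make that failure visible.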



rcctl: find(1) service files in /etc/rc.d

2014-10-13 Thread Craig R. Skinner
Move 2 duplicate searches into a function.

The diff also ignores (RCS) subdirectories.

$ find /etc/rc.d ! -type f
/etc/rc.d
/etc/rc.d/RCS


Index: rcctl.sh
===
RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v
retrieving revision 1.43
diff -u -p -r1.43 rcctl.sh
--- rcctl.sh11 Oct 2014 19:12:19 -  1.43
+++ rcctl.sh13 Oct 2014 20:10:34 -
@@ -93,7 +93,7 @@ svc_get_defaults()
print -r -- "$(svc_default_enabled_flags ${_svc})"
svc_default_enabled ${_svc}
else
-   for _i in $(ls -A /etc/rc.d | grep -v rc.subr); do
+   get_svc_list | while read _i; do
echo "${_i}_flags=$(svc_default_enabled_flags ${_i})"
done
for _i in ${_special_services}; do
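Review bot: `get_svc_list` prints full paths rather than service names: `find /etc/rc.d -type f …` emits `/etc/rc.d/NAME`, whereas the replaced `ls -A /etc/rc.d` emitted `NAME`, so this loop and the identical one in the svc_get_status hunk would echo `/etc/rc.d/NAME_flags=…` and hand a path to `svc_default_enabled_flags` and `svc_get_flags`. Strip the directory before use, for example with `_i=${_i##*/}` as the first line of each loop body, or have the helper print base names. `while read _i` should be `while read -r _i` so that a backslash in a file name is not interpreted. The enclosing functions start and end outside the hunks.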
@@ -134,7 +134,7 @@ svc_get_status()
svc_get_flags ${_svc}
svc_is_enabled ${_svc}
else
-   for _i in $(ls -A /etc/rc.d | grep -v rc.subr); do
+   get_svc_list | while read _i; do
echo "${_i}_flags=$(svc_get_flags ${_i})"
done
for _i in ${_special_services}; do
@@ -175,6 +175,12 @@ svc_is_special()
[ -n "${_svc}" ] || return
 
echo ${_special_services} | grep -qw ${_svc}
+}
+
+get_svc_list()
+{
+   # Ignore rc.subr & (RCS) subdirectories:
+   find /etc/rc.d -type f -maxdepth 1 ! -name rc.subr
 }
 
 append_to_pkg_scripts()



rcctl: un-hardcode /etc/rc.conf{.local}

2014-10-11 Thread Craig R. Skinner

Some notes to demo the diff below:


# -=-=-=-=-=-=-= Assignment:

me$ _STATIC_RCCONF='/etc/rc.conf'
me$ _RCCONF="${_STATIC_RCCONF}.local"


# -=-=-=-=-=-=-= Test 1:

me$ print ${_STATIC_RCCONF} ${_RCCONF}
/etc/rc.conf /etc/rc.conf.local

me$ print ${_RCCONF%/*} ${_RCCONF##*/}
/etc rc.conf.local


# -=-=-=-=-=-=-= Test 2:

me$ _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || 
print $?
mktemp: cannot make temp file /etc/rc.conf.local.luzxGjy18I: Permission denied
1


# -=-=-=-=-=-=-= Reassignment:

me$ _STATIC_RCCONF='/tmp/rc.conf'
me$ _RCCONF="${_STATIC_RCCONF}.local"


# -=-=-=-=-=-=-= Test 3:

me$ _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || 
print $?
me$ ls ${_TMP_RCCONF}
/tmp/rc.conf.local.ZLyVBCNMtk





Index: rcctl.sh
===
RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v
retrieving revision 1.41
diff -u -p -r1.41 rcctl.sh
--- rcctl.sh10 Oct 2014 15:59:36 -  1.41
+++ rcctl.sh11 Oct 2014 12:41:22 -
@@ -18,7 +18,9 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 _special_services="accounting check_quotas ipsec multicast_host 
multicast_router pf spamd_black"
-readonly _special_services
+_STATIC_RCCONF='/etc/rc.conf'
+_RCCONF="${_STATIC_RCCONF}.local"
+readonly _special_services _STATIC_RCCONF _RCCONF
 
 # get local functions from rc.subr(8)
 FUNCS_ONLY=1
@@ -38,21 +40,21 @@ needs_root()
 
 rcconf_edit_begin()
 {
-   _TMP_RCCONF=$(mktemp -p /etc -t rc.conf.local.XX) || exit 1
-   if [ -f /etc/rc.conf.local ]; then
+   _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || 
exit
+   if [ -f ${_RCCONF} ]; then
# only to keep permissions (file content is not needed)
-   cp -p /etc/rc.conf.local ${_TMP_RCCONF} || exit 1
+   cp -p ${_RCCONF} ${_TMP_RCCONF} || exit 1
else
-   touch /etc/rc.conf.local || exit 1
+   touch ${_RCCONF} || exit 1
fi
 }
 
 rcconf_edit_end()
 {
sort -u -o ${_TMP_RCCONF} ${_TMP_RCCONF} || exit 1
-   mv ${_TMP_RCCONF} /etc/rc.conf.local || exit 1
-   if [ ! -s /etc/rc.conf.local ]; then
-   rm /etc/rc.conf.local || exit 1
+   mv ${_TMP_RCCONF} ${_RCCONF} || exit 1
+   if [ ! -s ${_RCCONF} ]; then
+   rm ${_RCCONF} || exit 1
fi
 }
 
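Review bot: The new expansions of `${_RCCONF}`, `${_RCCONF%/*}`, `${_RCCONF##*/}` and `${_TMP_RCCONF}` are unquoted, which was harmless for the literal `/etc/rc.conf.local` but splits or globs as soon as the variable holds a path with whitespace or wildcard characters; quote them, e.g. `mv "${_TMP_RCCONF}" "${_RCCONF}" || exit 1` and `if [ -f "${_RCCONF}" ]; then`. The same applies to the `grep -v … ${_RCCONF} >${_TMP_RCCONF}` and `sed` lines in the append_to_pkg_scripts, rm_from_pkg_scripts, add_flags and rm_flags hunks, and to `_rc_parse_conf ${_STATIC_RCCONF}`. The mktemp line also changes `|| exit 1` to a bare `|| exit`, unlike every other line of these two functions; keeping `exit 1` gives callers one consistent status.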
@@ -62,7 +64,7 @@ svc_default_enabled()
[ -n "${_svc}" ] || return
local _ret=1
 
-   _rc_parse_conf /etc/rc.conf
+   _rc_parse_conf ${_STATIC_RCCONF}
svc_is_enabled ${_svc} && _ret=0
_rc_parse_conf
 
@@ -166,7 +168,7 @@ append_to_pkg_scripts()
if [ -z "${pkg_scripts}" ]; then
echo pkg_scripts="${_svc}" >>${_TMP_RCCONF}
elif ! echo ${pkg_scripts} | grep -qw ${_svc}; then
-   grep -v "^pkg_scripts.*=" /etc/rc.conf.local >${_TMP_RCCONF}
+   grep -v "^pkg_scripts.*=" ${_RCCONF} >${_TMP_RCCONF}
echo pkg_scripts="${pkg_scripts} ${_svc}" >>${_TMP_RCCONF}
fi
rcconf_edit_end
@@ -182,7 +184,7 @@ rm_from_pkg_scripts()
rcconf_edit_begin
sed "/^pkg_scripts[[:>:]]/{s/[[:<:]]${_svc}[[:>:]]//g
s/['\"]//g;s/ *= */=/;s/   */ /g;s/ $//;/=$/d;}" \
-   /etc/rc.conf.local >${_TMP_RCCONF}
+   ${_RCCONF} >${_TMP_RCCONF}
rcconf_edit_end
 }
 
@@ -193,7 +195,7 @@ add_flags()
 
if svc_is_special ${_svc}; then
rcconf_edit_begin
-   grep -v "^${_svc}.*=" /etc/rc.conf.local >${_TMP_RCCONF}
+   grep -v "^${_svc}.*=" ${_RCCONF} >${_TMP_RCCONF}
if ! svc_default_enabled ${_svc}; then
echo "${_svc}=YES" >>${_TMP_RCCONF}
fi
@@ -219,7 +221,7 @@ add_flags()
fi
 
rcconf_edit_begin
-   grep -v "^${_svc}_flags.*=" /etc/rc.conf.local >${_TMP_RCCONF}
+   grep -v "^${_svc}_flags.*=" ${_RCCONF} >${_TMP_RCCONF}
if [ -n "${_flags}" ] || \
   ( svc_is_base ${_svc} && ! svc_default_enabled ${_svc} ); then
echo ${_svc}_flags=${_flags} >>${_TMP_RCCONF}
@@ -234,12 +236,12 @@ rm_flags()
 
rcconf_edit_begin
if svc_is_special ${_svc}; then
-   grep -v "^${_svc}.*=" /etc/rc.conf.local >${_TMP_RCCONF}
+   grep -v "^${_svc}.*=" ${_RCCONF} >${_TMP_RCCONF}
if svc_default_enabled ${_svc}; then
echo "${_svc}=NO" >>${_TMP_RCCONF}
fi
else
-   grep -v "^${_svc}_flags.*=" /etc/rc.conf.local >${_TMP_RCCONF}
+   grep -v "^${_svc}_flags.*=" ${_RCCONF} >${_TMP_RCCONF}
if svc_default_enabled ${_svc}; then
echo "${_svc}_flags=NO" >>${_TMP_RCCONF}
fi



Re: DNS control port additions to /etc/services

2014-07-16 Thread Craig R. Skinner
On 2014-07-15 Tue 16:04 PM |, Theo de Raadt wrote:
> >On Tue, Jul 15, 2014 at 12:22:37PM +0100, Craig R. Skinner wrote:
> >> 
> >> Suggestion of add NSD, Unbound & BIND control ports to /etc/services:
> >
> >Makes sense to me. Anyone want to OK this?
> >
> >> Index: etc/services
> >> ===
> >> RCS file: /cvs/src/etc/services,v
> >> retrieving revision 1.87
> >> diff -u -p -r1.87 services
> >> --- etc/services   12 Jul 2014 14:51:07 -  1.87
> >> +++ etc/services   15 Jul 2014 11:17:31 -
> >> @@ -181,6 +181,8 @@ kerberos-adm   749/tcp # 
> >> Kerberos 5 kad
> >>  kerberos-adm  749/udp # Kerberos 5 kadmin
> >>  rsync 873/tcp # rsync server
> >>  cddb  888/tcp cddbp   # Audio CD Database
> >> +named-rndc953/tcp # Domain Name System 
> >> (DNS) BIND RNDC Service
> >> +named-rndc953/udp # Domain Name System 
> >> (DNS) BIND RNDC Service
> >>  imaps 993/tcp # imap4 protocol over 
> >> TLS/SSL
> >>  imaps 993/udp # imap4 protocol over 
> >> TLS/SSL
> >>  pop3s 995/tcp spop3   # pop3 protocol over 
> >> TLS/SSL
> 
> That means two more reserved ports are taken out of the bucket.
> 

Strip out the Kerberos stuff?:


$ fgrep -i Kerberos  etc/services
kerberos88/udp  kerberos-sec# Kerberos 5 UDP
kerberos88/tcp  kerberos-sec# Kerberos 5 TCP
kpasswd 464/tcp # Kerberos 5 password changing
kpasswd 464/udp # Kerberos 5 password changing
klogin  543/tcp # Kerberos authenticated rlogin
kshell  544/tcp krcmd   # Kerberos remote shell
ekshell 545/tcp # Kerberos encrypted shell
kerberos-adm749/tcp # Kerberos 5 kadmin
kerberos-adm749/udp # Kerberos 5 kadmin
kpop1109/tcp# Pop with Kerberos
eklogin 2105/tcp# Kerberos encrypted rlogin
rkinit  2108/tcp# Kerberos remote kinit
kx  2111/tcp# X over kerberos
kip 2112/tcp# IP over kerberos
iprop   2121/tcp# Kerberos incremental 
propagation
krb524  /tcp# Kerberos 5->4
krb524  /udp# Kerberos 5->4
afs3-kaserver   7004/tcp# AFS kerberos authentication 
server
afs3-kaserver   7004/udp# AFS kerberos authentication 
server
kerberos-iv 750/udp kdc # Kerberos authentication--udp
kerberos-iv 750/tcp kdc # Kerberos authentication--tcp
kerberos_master 751/udp # Kerberos 4 kadmin
kerberos_master 751/tcp # Kerberos 4 kadmin
krb_prop754/tcp hprop   # Kerberos slave propagation
krbupdate   760/tcp kreg# BSD Kerberos registration



Re: /etc/services records for squid & cvsyncd

2014-07-16 Thread Craig R. Skinner
On 2014-07-15 Tue 22:11 PM |, Antoine Jacoutot wrote:
> 
> I run both squid and cvsyncd and never needed these entries.
> 

Doubtful anyone _needs_ the Microsoft-SQL-* entries.


> 
> > 
> > 
> > Index: etc/services
> > ===
> > RCS file: /cvs/src/etc/services,v
> > retrieving revision 1.87
> > diff -u -p -u -r1.87 services
> > --- etc/services12 Jul 2014 14:51:07 -  1.87
> > +++ etc/services15 Jul 2014 19:28:37 -
> > @@ -294,9 +294,11 @@ support1529/tcp
> > # GNATS, cygnus bug 
> >  datametrics1645/udp
> >  ekshell2   2106/tcp# Encrypted kshell - UColorado, 
> > Boulder
> >  webster2627/tcp# Network dictionary
> > +squid  3128/tcp# Squid caching web 
> > proxy
> >  canna  5680/tcp# Kana->Kanji server
> >  sane-port  6566/tcp# SANE Control Port
> >  icb7326/tcp# Internet Citizen's 
> > Band
> > +cvsyncd/tcp# CVS sync daemon
> >  spamd  8025/tcp# spamd(8)
> >  spamd-sync 8025/udp# spamd(8) synchronisation
> >  spamd-cfg  8026/tcp# spamd(8) configuration
> > 
> 
> -- 
> Antoine
> 

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



/etc/services records for squid & cvsyncd

2014-07-15 Thread Craig R. Skinner
The IANA names don't match these popular OpenBSD packages' port numbers:

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=3128
= ndl-aas, not web cache/squid

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=
= cbt, not cvsync


Index: etc/services
===
RCS file: /cvs/src/etc/services,v
retrieving revision 1.87
diff -u -p -u -r1.87 services
--- etc/services12 Jul 2014 14:51:07 -  1.87
+++ etc/services15 Jul 2014 19:28:37 -
@@ -294,9 +294,11 @@ support1529/tcp# 
GNATS, cygnus bug 
 datametrics1645/udp
 ekshell2   2106/tcp# Encrypted kshell - UColorado, 
Boulder
 webster2627/tcp# Network dictionary
+squid  3128/tcp# Squid caching web proxy
 canna  5680/tcp# Kana->Kanji server
 sane-port  6566/tcp# SANE Control Port
 icb7326/tcp# Internet Citizen's Band
+cvsyncd/tcp# CVS sync daemon
 spamd  8025/tcp# spamd(8)
 spamd-sync 8025/udp# spamd(8) synchronisation
 spamd-cfg  8026/tcp# spamd(8) configuration



DNS control port additions to /etc/services

2014-07-15 Thread Craig R. Skinner

Suggestion to add NSD, Unbound & BIND control ports to /etc/services:

Index: etc/services
===
RCS file: /cvs/src/etc/services,v
retrieving revision 1.87
diff -u -p -r1.87 services
--- etc/services12 Jul 2014 14:51:07 -  1.87
+++ etc/services15 Jul 2014 11:17:31 -
@@ -181,6 +181,8 @@ kerberos-adm749/tcp # 
Kerberos 5 kad
 kerberos-adm   749/udp # Kerberos 5 kadmin
 rsync  873/tcp # rsync server
 cddb   888/tcp cddbp   # Audio CD Database
+named-rndc 953/tcp # Domain Name System (DNS) BIND 
RNDC Service
+named-rndc 953/udp # Domain Name System (DNS) BIND 
RNDC Service
 imaps  993/tcp # imap4 protocol over TLS/SSL
 imaps  993/udp # imap4 protocol over TLS/SSL
 pop3s  995/tcp spop3   # pop3 protocol over TLS/SSL
@@ -301,6 +303,8 @@ spamd   8025/tcp# 
spamd(8)
 spamd-sync 8025/udp# spamd(8) synchronisation
 spamd-cfg  8026/tcp# spamd(8) configuration
 dhcpd-sync 8067/udp# dhcpd(8) synchronisation
+nsd-cntl   8952/tcp# NSD authoritative DNS server 
control
+unbound-cntl   8953/tcp# Unbound validating, 
recursive, and caching DNS server control
 hunt   26740/udp   # hunt(6)
 #
 # Appletalk



Re: lynx: disable old protocols

2014-07-12 Thread Craig R. Skinner
On 2014-07-11 Fri 03:03 AM |, Theo de Raadt wrote:
> If lynx was removed from base, and only available in ports... how many of
> you would even know of its existence and use it?
> 

Several times a week I use lynx for http or local html docs.

If it wasn't in base, I'd install it/some similar package via siteXX.tgz



Re: 8 port serial card connections

2014-06-20 Thread Craig R. Skinner
On 2014-06-20 Fri 16:14 PM |, Maurice Janssen wrote:
> ># FIXME No. 9 Moxa card port:
> >moxa09:dv=/dev/tty10:common:
> >
> ># FIXME No. 10 Moxa card port:
> >moxa10:dv=/dev/tty11:common:
> 
> Try /dev/tty0a and /dev/tty0b
> 

Perfect!


Here's a man page diff to sync with lines 1383-1397 of
/usr/src/sys/dev/pci/pucdata.c


Index: share/man/man4/puc.4
===
RCS file: /cvs/src/share/man/man4/puc.4,v
retrieving revision 1.47
diff -u -p -r1.47 puc.4
--- share/man/man4/puc.42 Feb 2014 19:39:55 -   1.47
+++ share/man/man4/puc.420 Jun 2014 17:00:27 -
@@ -85,6 +85,7 @@ The driver currently supports the follow
 .It Tn "Moxa Technologies Co., Ltd. PCI I/O Card 4S (4 port serial)"
 .It Tn "Moxa Technologies Co., Ltd. C104H/PCI (4 port serial)"
 .It Tn "Moxa Technologies Co., Ltd. CP104/PCI (4 port serial)"
+.It Tn "Moxa Technologies Co., Ltd. C168H/PCI (8 port serial)"
 .It Tn "NEC PK-UG-X008 (serial)"
 .It Tn "NEC PK-UG-X001 K56flex PCI (modem)"
 .It Tn "NetMos 1P (1 port parallel)"



Re: sudo -u & environment help

2014-05-28 Thread Craig R. Skinner
FYI;- The sudo users mailing list quickly said the 3 issues I identified
are known bugs, which have been fixed in newer sudo versions.

http://www.sudo.ws/sudo/stable.html
"The current stable release of sudo is 1.8.10p3"

$ sudo -V
Sudo version 1.7.2p8

$ uname -a
OpenBSD teak.britvault.co.uk 5.4 GENERIC#37 i386


http://thread.gmane.org/gmane.comp.tools.sudo.user/4367
http://thread.gmane.org/gmane.os.openbsd.misc/211823/

> 
> Bug 387 refers to MAIL being fixed in 1.7.4:
> http://www.sudo.ws/bugs/show_bug.cgi?id=387
> 
> Bug 527 (FreeBSD "sudo -i" doesn't use variables from /etc/login.conf)
> seems to be similar: http://www.sudo.ws/bugs/show_bug.cgi?id=527
> which is logged as Fixed in sudo 1.8.4
> 
> Maybe that fix also covers the login.conf path & umask issues:
> 
> http://www.sudo.ws/sudo/stable.html#1.8.4
> On systems that use login.conf, sudo -i now sets environment variables
> based on login.conf.
> 
> 
> http://www.sudo.ws/sudo/stable.html#1.8.5
> The initial environment created when env_reset is in effect now includes
> the contents of /etc/environment on AIX systems and the "setenv" and
> "path" entries from /etc/login.conf on BSD systems.
> 
> 
> sudo-users mailing list 
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users



Re: sudo -u & environment help

2014-04-18 Thread Craig R. Skinner
FYI tech@, there was a thread on misc@ about
sudo -iu not setting some environment variables:
http://thread.gmane.org/gmane.os.openbsd.misc/211823/


On 2014-04-08 Tue 09:26 AM |, Craig R. Skinner wrote:
> To clarify, there are no ~/. shell dot files.
> 
> $PATH & umask are set in /etc/login.conf
> $MAIL is the default set by login(1)
> 
> /etc/profile sources /etc/ksh.kshrc, which just sets $PS1,
> window decor & some aliases, nothing major.
> 
> This arrangement works fine when logging in directly,
> or via "sudo su -l user"
> 
> From my reading of sudo(8), I thought the same environment could be
> gained with something like "sudo -H -i -u username".
> 
> Am I missing sudo flags or settings in /etc/sudoers?
> 
> 
> On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote:
> > Hi,
> > 
> > When sudo'ing to another user, how can I obtain all of their environment
> > settings as they receive when logging in themselves?
> > 
> > When I use sudo in this manner, settings such as $PATH, $MAIL & umask
> > aren't being honoured:
> > 
> > 
> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> > craig
> > /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> > /var/mail/craig
> > 027
> > 
> > 
> > 
> > Here, $PATH, $MAIL & umask are unchanged:
> > 
> > $ sudo -H -i -u david
> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> > david
> > /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> > /var/mail/craig
> > 027
> > 
> > 
> > Compare the difference when logging in as that user:
> > 
> > $ login david
> > ...
> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> > david
> > /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
> > /var/mail/david
> > 022
> > 
> > 
> > 
> > 
> > /etc/login.conf:
> > default:\
> > :passwordcheck=/usr/local/bin/pwqcheck -1:\
> > :passwordtries=0:\
> > :path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
> > :umask=022:\
> > :datasize-cur=
> > 
> > staff:\
> > :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin 
> > /usr/site/bin /usr/site/sbin ~/bin:\
> > :umask=027:\
> > :datasize-cur=
> > 
> > 
> > $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
> > Defaults env_keep +="DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP 
> > MAKE"
> > Defaults env_keep +="MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER 
> > PKG_CACHE"
> > Defaults env_keep +="PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR"
> > Defaults env_keep +="RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL"
> > Defaults env_keep +="WRKOBJDIR"
> > Defaults always_set_home, ignore_dot, use_loginclass
> > 
> > 
> > 
> > login(1):
> > 
> >  login enters information into the environment (see environ(7)) 
> > specifying
> >  the user's home directory (HOME), command interpreter (SHELL), search
> >  path (PATH), terminal type (TERM), and user name (both LOGNAME and 
> > USER).
> > 
> > ENVIRONMENT
> >  login sets the following environment variables:
> > 
> >  HOME
> >  MAIL
> > 
> > sudo(8):
> > 
> >   Command Environment
> >  ..  On BSD systems, if the use_loginclass option is
> >  enabled, the environment is initialized based on the path and setenv
> >  settings in /etc/login.conf.  The new environment contains the TERM,
> >  PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables 
> > in
> >  addition to variables from the invoking process permitted by the
> >  env_check and env_keep options.  This is effectively a whitelist for
> >  environment variables.
> > 
> > 
> > 
> > How can I become another user - without knowing their password,
> > and gain their 'natural' environment?
> > 
> > e.g. from wheel group to a users group member.
> > 
> > 'su -l username' & 'login username' require their password.
> > 
> > I thought 'sudo -H -i -u username' would do it.
> > 
> > Any suggestions on what else I need to configure?
> 



Re: OpenSSH hole, April 9

2014-04-11 Thread Craig R. Skinner
On 2014-04-11 Fri 08:58 AM |, Bob Beck wrote:
> sponsors having privileged access to the information (in other words
> they aren't donors, they are paying for early access.)
> 

Benefits with strings attached are not donations, ... more like bribes.

Respect for freedom fighting and staying open!



Re: missing ports.tar.gz in snapshot

2014-03-07 Thread Craig R. Skinner
On 2014-03-06 Thu 15:42 PM |, Stuart Henderson wrote:
> 
> Personally I'd keep them for releases (which also gives people a base
> to speed up updates to -current) but probably drop them for snapshots..
> 

Sensible logic;- reducing workload, network & electricity costs!



Re: Alter daemon scheduling priority with renice for rc.d

2013-12-28 Thread Craig R. Skinner
On 2013-12-28 Sat 15:13 PM |, Theo de Raadt wrote:
> > > Enhance rc.d/rc.subr with lowered/raised daemon running priority.
> 
> You still have done nothing to prove the case for this extra
> complexity.
> 

When I managed customer's dedicated servers, it would have been useful,
for example, to have sshd running at a higher priority than apache, so
when their box bogged with some sad customer web-app, more than one ssh
keystroke could be typed per minute to kill off their stuff.

Maybe a general purpose box could have SpamAssassin running at a lower
priority as working a queued mail spool is not user interactive.

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: Alter daemon scheduling priority with renice for rc.d

2013-12-28 Thread Craig R. Skinner
On 2013-12-28 Sat 21:16 PM |, Craig R. Skinner wrote:
> On 2013-12-19 Thu 13:43 PM |, Craig R. Skinner wrote:
> > Enhance rc.d/rc.subr with lowered/raised daemon running priority.
> > 
> 
> Take 2:
> 
> Replace /etc/rc.d/ rc_renice=X with
> /etc/rc.conf.local _nice=X
> 

Take 3 - simplify:

Use nice directly between ${rcexec} & ${daemon} with rc_start(),
rather than renice post start.
Change rc_reprioritise() to rc_validate_rcnice()

Backgrounding still works as expected.

This now works with privilege separated binaries, such as ntpd:

$ fgrep ntp /etc/rc.conf.local
ntpd_flags="-s"
ntpd_nice=YES

$ ps -l -U _ntp
  UID   PID  PPID CPU PRI  NI   VSZ   RSS WCHAN   STAT  TT   TIME COMMAND
   83  4226 1   0   2  10   708  1136 pollSNs   ??0:00.09 ntpd: ntp 
engine (ntpd)
   83 22421  4226   3   2  10   644  1020 pollINs   ??0:00.01 ntpd: dns 
engine (ntpd)



Index: rc.subr
===
RCS file: /cvs/src/etc/rc.d/rc.subr,v
retrieving revision 1.70
diff -u -u -p -r1.70 rc.subr
--- rc.subr 11 Jul 2013 09:34:33 -  1.70
+++ rc.subr 28 Dec 2013 23:10:14 -
@@ -1,4 +1,4 @@
-#  $OpenBSD: rc.subr,v 1.70 2013/07/11 09:34:33 otto Exp $
+#  $OpenBSD: rc.subr,v 1.15 2013/12/28 22:57:21 skinner Exp $
 #
 # Copyright (c) 2010, 2011 Antoine Jacoutot 
 # Copyright (c) 2010, 2011 Ingo Schwarze 
@@ -54,7 +54,8 @@ rc_rm_runfile() {
 }
 
 rc_start() {
-   ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
+   [[ -n ${_rcnice} ]] && _nice="$(which nice) -n ${_rcnice}"
+   ${rcexec} "${_nice} ${daemon} ${daemon_flags} ${_bg}"
 }
 
 rc_check() {
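Review bot: `$(which nice)` in rc_start, and again in the rc_validate_rcnice hunk, resolves the binary through whatever PATH the rc.d script inherited, and the result becomes the first word of the command line passed to `${rcexec}`; use a fixed path instead, e.g. `_nice="/usr/bin/nice -n ${_rcnice}"`, and test that same path with `[[ -x /usr/bin/nice ]]` in the validator. `_nice` is assigned only when `_rcnice` is non-empty and is never cleared or declared local, so a value already present in the environment would be used as the command prefix; start the function with `_nice=`. A one-line comment above the assignment, such as `# _rcnice has been validated by rc_validate_rcnice before rc_start runs`, would record why the value is safe to splice into the command string.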
@@ -104,6 +105,46 @@ rc_wait() {
return 1
 }
 
+rc_validate_rcnice()
+{
+   [[ -x $(which nice) ]] ||
+   {
+   # /usr not mounted?
+   unset _rcnice
+   return
+   }
+
+   [[ ${_rcnice} == 'YES' ]] &&
+   {
+   # nice(1): an increment of 10 is assumed.
+   _rcnice=10
+   return
+   }
+
+   # if digits present
+   printf "%d" ${_rcnice} > /dev/null 2>&1 &&
+   {
+   # strip non-digits for comparison
+   _rcnice=$(printf "%d" ${_rcnice})
+   [[ ${_rcnice} -eq 0 ]] &&
+   {
+   unset _rcnice
+   return
+   }
+   }
+
+   # nice(1): The priority can be adjusted over a
+   # range of -20 (the highest) to 20 (the lowest).
+   for _nice_level in $(jot 40 20 -20)
+   do
+   [[ ${_rcnice} == ${_nice_level} ]] && return
+   done
+
+   # Shouldn't get this far:
+   print -u2 "$0: ignoring invalid ${_name}_nice level: ${_rcnice}"
+   unset _rcnice
+}
+
 rc_cmd() {
local _bg _n
 
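Review bot: The range check at the end of rc_validate_rcnice relies on `jot 40 20 -20` happening to print every value it needs: 40 values cannot cover the 41 integers from 20 to -20, so which ones appear depends on how jot rounds, and a process is forked to produce a fixed list. A pattern match states the accepted set directly, `case ${_rcnice} in -[1-9]|-1[0-9]|-20|[1-9]|1[0-9]|20) return;; esac`, with zero still handled by the earlier `-eq 0` branch. The comment `# strip non-digits for comparison` should name the inputs it expects, since whether `printf "%d"` succeeds on a value with trailing text is not shown here. `_nice_level` is not declared local and stays set after the function returns.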
@@ -136,6 +177,9 @@ rc_cmd() {
fi
[ -z "${INRC}" ] && rc_do rc_check && exit 0
echo $_n "${INRC:+ }${_name}"
+
+   [[ -n ${_rcnice} ]] && rc_validate_rcnice
+
while true; do  # no real loop, only needed to break
if type rc_pre >/dev/null; then
rc_do rc_pre || break
@@ -203,6 +247,7 @@ _RC_RUNFILE=${_RC_RUNDIR}/${_name}
 
 eval _rcflags=\${${_name}_flags}
 eval _rcuser=\${${_name}_user}
+eval _rcnice=\${${_name}_nice}
 
 getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \
daemon_class=${_name}
@@ -213,6 +258,7 @@ getcap -f /etc/login.conf ${_name} 1>/de
 [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags
 [ -n "${_rcflags}" ] && daemon_flags=${_rcflags}
 [ -n "${_rcuser}"  ] && daemon_user=${_rcuser}
+[[ ${_rcnice} == 'NO' ]] && unset _rcnice
 
 # sanitize
 daemon_flags=$(printf ' %s' ${daemon_flags})


Cheers,
-- 
Craig Skinner | http://www.bbc.co.uk/programmes/b03mtrg9/clips



Re: Alter daemon scheduling priority with renice for rc.d

2013-12-28 Thread Craig R. Skinner
On 2013-12-19 Thu 13:43 PM |, Craig R. Skinner wrote:
> Enhance rc.d/rc.subr with lowered/raised daemon running priority.
> 

Take 2:

Replace /etc/rc.d/ rc_renice=X with
/etc/rc.conf.local _nice=X


$ fgrep _nice /etc/rc.conf.local
sshd_nice=-10
dhcpd_nice=15
inetd_nice=YES
greyscanner_nice=YES


$ sudo /etc/rc.d/dhcpd -d restart
doing rc_read_runfile
doing rc_read_runfile
doing rc_check
dhcpd
doing rc_stop
doing rc_wait stop
doing rc_check
doing rc_rm_runfile
(ok)
doing rc_read_runfile
doing rc_check
dhcpd
doing rc_pre
doing rc_start
doing rc_write_runfile
doing rc_reprioritise
6142: old priority 0, new priority 15
(ok)


$ ps -l -U _dhcp
  UID   PID  PPID CPU PRI  NI   VSZ   RSS WCHAN   STAT  TT   TIME COMMAND
   77  6142 1   0   2  15   672   880 pollINs   ??0:00.00 
/usr/sbin/dhcpd



Index: rc.subr
===
RCS file: /cvs/src/etc/rc.d/rc.subr,v
retrieving revision 1.70
diff -u -u -p -r1.70 rc.subr
--- rc.subr 11 Jul 2013 09:34:33 -  1.70
+++ rc.subr 28 Dec 2013 21:02:51 -
@@ -1,4 +1,4 @@
-#  $OpenBSD: rc.subr,v 1.70 2013/07/11 09:34:33 otto Exp $
+#  $OpenBSD: rc.subr,v 1.14 2013/12/28 20:46:25 skinner Exp $
 #
 # Copyright (c) 2010, 2011 Antoine Jacoutot 
 # Copyright (c) 2010, 2011 Ingo Schwarze 
@@ -104,6 +104,28 @@ rc_wait() {
return 1
 }
 
+rc_reprioritise()
+{
+   [[ ${_rcnice} == 'YES' ]] ||
+   {
+   # nice(1): The priority can be adjusted over a
+   # range of -20 (the highest) to 20 (the lowest).
+   for _renice_level in $(jot 40 20 -20)
+   do
+   [[ ${_rcnice} == ${_renice_level} ]] &&
+   {
+   _scheduling_priority=${_rcnice}
+   break
+   }
+   done
+   }
+
+   # nice(1): an increment of 10 is assumed.
+   [[ -z ${_scheduling_priority} ]] && _scheduling_priority='10'
+
+   renice -n ${_scheduling_priority} -p $(pgrep -f "^${pexp}")
+}
+
 rc_cmd() {
local _bg _n
 
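Review bot: `renice -n ${_scheduling_priority} -p $(pgrep -f "^${pexp}")` in rc_reprioritise is unchecked: when pgrep matches nothing renice is called without a PID, and when the pattern matches more processes than the daemon just started they are all re-prioritised. Capture the PIDs first and skip the call when the list is empty, e.g. `_pids=$(pgrep -f "^${pexp}") || return` followed by `renice -n "${_scheduling_priority}" -p ${_pids}`. An out-of-range `_rcnice` silently falls back to 10; a warning on stderr naming `${_name}_nice` would tell the administrator the setting was ignored. The same renice line appears in the quoted earlier version of this patch further down the page.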
@@ -136,6 +158,20 @@ rc_cmd() {
fi
[ -z "${INRC}" ] && rc_do rc_check && exit 0
echo $_n "${INRC:+ }${_name}"
+
+   # sanitise _rcnice (only used for start) once before loop below
+   [[ ${_rcnice} == 'YES' ]] ||
+   {
+   # if digits present
+   printf "%d" ${_rcnice} > /dev/null 2>&1 &&
+   {
+   # strip non-digits for
+   # comparison in rc_reprioritise()
+   _rcnice=$(printf "%d" ${_rcnice})
+   [[ ${_rcnice} -eq 0 ]] && unset _rcnice
+   }
+   }
+
while true; do  # no real loop, only needed to break
if type rc_pre >/dev/null; then
rc_do rc_pre || break
@@ -148,6 +184,7 @@ rc_cmd() {
rc_do rc_wait start || break
fi
rc_do rc_write_runfile
+   [[ -n ${_rcnice} ]] && rc_do rc_reprioritise
rc_exit ok
done
# handle failure
@@ -203,6 +240,7 @@ _RC_RUNFILE=${_RC_RUNDIR}/${_name}
 
 eval _rcflags=\${${_name}_flags}
 eval _rcuser=\${${_name}_user}
+eval _rcnice=\${${_name}_nice}
 
 getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \
daemon_class=${_name}
@@ -213,6 +251,7 @@ getcap -f /etc/login.conf ${_name} 1>/de
 [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags
 [ -n "${_rcflags}" ] && daemon_flags=${_rcflags}
 [ -n "${_rcuser}"  ] && daemon_user=${_rcuser}
+[[ ${_rcnice} == 'NO' ]] && unset _rcnice
 
 # sanitize
 daemon_flags=$(printf ' %s' ${daemon_flags})


Cheers,
-- 
Craig Skinner | http://www.bbc.co.uk/programmes/b03mtrg9/clips



Re: Alter daemon scheduling priority with renice for rc.d

2013-12-21 Thread Craig R. Skinner
On 2013-12-21 Sat 17:13 PM |, Alexander Hall wrote:
> >
> >Comments/testing observations/?
> 
> This is not the purpose nor responsibility of the rc.d scripts.
> 
> 

What alternatives have you in mind?

Maybe an /etc/rc.nicetab which a root run cron job parses for daemon
values, then checks that against the process tree. Repeated every
minute... in case some process was started.

Unlikely.

This is cleaner & works:


> >
> >ksh syntax used (which works with /bin/sh & bin/ksh being the same
> >binary), but dinnae ken if that's "wrong"... for rc* stuff.
> >
> >
> >> Use renice as simple nice didn't always work on daemons started in
> >the
> >> background. Niceness level sanity checked, defaulting to 10.
> >> 
> >> Index: rc.subr
> >> ===
> >> RCS file: /cvs/src/etc/rc.d/rc.subr,v
> >> retrieving revision 1.70
> >> diff -u -u -p -r1.70 rc.subr
> >> --- rc.subr11 Jul 2013 09:34:33 -  1.70
> >> +++ rc.subr19 Dec 2013 13:17:45 -
> >> @@ -104,6 +104,25 @@ rc_wait() {
> >>return 1
> >>  }
> >>  
> >> +rc_reprioritise()
> >> +{
> >> +  [[ ${rc_renice} != 'YES' ]] &&
> >> +  {
> >> +  for _renice_level in $(jot 40 20 -20)
> >> +  do
> >> +  [[ ${rc_renice} == ${_renice_level} ]] &&
> >> +  {
> >> +  _scheduling_priority=${rc_renice}
> >> +  break
> >> +  }
> >> +  done
> >> +  }
> >> +
> >> +  [[ -z ${_scheduling_priority} ]] && _scheduling_priority='10'
> >> +
> >> +  renice -n ${_scheduling_priority} -p $(pgrep -f "^${pexp}")
> >> +}
> >> +
> >>  rc_cmd() {
> >>local _bg _n
> >>  
> >> @@ -136,6 +155,17 @@ rc_cmd() {
> >>fi
> >>[ -z "${INRC}" ] && rc_do rc_check && exit 0
> >>echo $_n "${INRC:+ }${_name}"
> >> +
> >> +  [[ ${rc_renice} == 'NO' ]] && unset rc_renice
> >> +  [[ -n ${rc_renice} ]] &&
> >> +  {
> >> +  printf "%d" ${rc_renice} > /dev/null 2>&1 &&
> >> +  {
> >> +  rc_renice=$(printf "%d" ${rc_renice})
> >> +  [[ ${rc_renice} -eq 0 ]] && unset rc_renice
> >> +  }
> >> +  }
> >> +
> >>while true; do  # no real loop, only needed to break
> >>if type rc_pre >/dev/null; then
> >>rc_do rc_pre || break
> >> @@ -148,6 +178,7 @@ rc_cmd() {
> >>rc_do rc_wait start || break
> >>fi
> >>rc_do rc_write_runfile
> >> +  [[ -n ${rc_renice} ]] && rc_do rc_reprioritise
> >>rc_exit ok
> >>done
> >># handle failure
> >> 
> 

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: security(8) check maildir as well as mailbox permissions

2013-12-21 Thread Craig R. Skinner
On 2013-12-21 Sat 09:16 AM |, Theo de Raadt wrote:
> > > You seem to be coming from the perspective that people do stupid
> > > things, and our base system should handle those stupid things.
> > > 
> > 
> > My perspective is maildir (backed IMAP) is commonly deployed,
> > and such are as well being security checked.
> 
> Yes, and perhaps that means they should use a different directory!

No thanks.

I say /var/mail is the right place for maildirs.

The mailbox format is too limiting these days, with all of its file
locking problems.

A cluster of SMTP servers can concurrently write to a set of NFS mounted
/var/mail directories, while simultaneously, a cluster of IMAP servers
can concurrently both read and write to the same NFS mounted /var/mail
directories.

I'll continue to locally patch security, as I'm not a fool who makes an
idol out of archaic UNIX traditions.

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: security(8) check maildir as well as mailbox permissions

2013-12-21 Thread Craig R. Skinner
On 2013-12-21 Sat 08:55 AM |, Theo de Raadt wrote:
> 
> You seem to be coming from the perspective that people do stupid
> things, and our base system should handle those stupid things.
> 

My perspective is maildir (backed IMAP) is commonly deployed,
and such are as well being security checked.



Re: Alter daemon scheduling priority with renice for rc.d

2013-12-21 Thread Craig R. Skinner
On 2013-12-19 Thu 13:43 PM |, Craig R. Skinner wrote:
> Enhance rc.d/rc.subr with lowered/raised daemon running priority.
> 

Comments/testing observations/?

ksh syntax used (which works with /bin/sh & bin/ksh being the same
binary), but dinnae ken if that's "wrong"... for rc* stuff.


> Use renice as simple nice didn't always work on daemons started in the
> background. Niceness level sanity checked, defaulting to 10.
> 
> Index: rc.subr
> ===
> RCS file: /cvs/src/etc/rc.d/rc.subr,v
> retrieving revision 1.70
> diff -u -u -p -r1.70 rc.subr
> --- rc.subr   11 Jul 2013 09:34:33 -  1.70
> +++ rc.subr   19 Dec 2013 13:17:45 -
> @@ -104,6 +104,25 @@ rc_wait() {
>   return 1
>  }
>  
> +rc_reprioritise()
> +{
> + [[ ${rc_renice} != 'YES' ]] &&
> + {
> + for _renice_level in $(jot 40 20 -20)
> + do
> + [[ ${rc_renice} == ${_renice_level} ]] &&
> + {
> + _scheduling_priority=${rc_renice}
> + break
> + }
> + done
> + }
> +
> + [[ -z ${_scheduling_priority} ]] && _scheduling_priority='10'
> +
> + renice -n ${_scheduling_priority} -p $(pgrep -f "^${pexp}")
> +}
> +
>  rc_cmd() {
>   local _bg _n
>  
> @@ -136,6 +155,17 @@ rc_cmd() {
>   fi
>   [ -z "${INRC}" ] && rc_do rc_check && exit 0
>   echo $_n "${INRC:+ }${_name}"
> +
> + [[ ${rc_renice} == 'NO' ]] && unset rc_renice
> + [[ -n ${rc_renice} ]] &&
> + {
> + printf "%d" ${rc_renice} > /dev/null 2>&1 &&
> + {
> + rc_renice=$(printf "%d" ${rc_renice})
> + [[ ${rc_renice} -eq 0 ]] && unset rc_renice
> + }
> + }
> +
>   while true; do  # no real loop, only needed to break
>   if type rc_pre >/dev/null; then
>   rc_do rc_pre || break
> @@ -148,6 +178,7 @@ rc_cmd() {
>   rc_do rc_wait start || break
>   fi
>   rc_do rc_write_runfile
> + [[ -n ${rc_renice} ]] && rc_do rc_reprioritise
>   rc_exit ok
>   done
>   # handle failure
> 



Re: security(8) check maildir as well as mailbox permissions

2013-12-21 Thread Craig R. Skinner
On 2013-12-16 Mon 12:11 PM |, Craig R. Skinner wrote:
> Check the security of /var/mail/dirs similar to /var/mail/boxes:
> 

Several skilled sysadmins have stated they deliberately avoid using
/var/mail for maildirs as security(8) generates warnings about these.

People are placing maildirs in /var/maildir, /var/vmail, /mail,
/var/spool/mail, and who knows what other embarrassingly heinous
hierarchical heresies are being committed.

It's simple to alter security to include maildirs as well as mailboxes.
Either with the code I hacked up, or something sublimely superior.
Compare: 
http://openbsd.7691.n7.nabble.com/security-8-and-maildir-td67036.html#a67039


Additionally, here's a possible corresponding diff for hier(7):


Index: hier.7
===
RCS file: /cvs/src/share/man/man7/hier.7,v
retrieving revision 1.109
diff -u -u -p -r1.109 hier.7
--- hier.7  14 Aug 2013 08:39:29 -  1.109
+++ hier.7  21 Dec 2013 15:21:55 -
@@ -617,7 +617,7 @@ Log files for
 .El
 .Pp
 .It mail/
-User mailbox files.
+User mailbox files and/or maildirs.
 .It named/
 Chroot directory for
 .Xr named 8 .


> Index: security
> ===
> RCS file: /cvs/src/libexec/security/security,v
> retrieving revision 1.23
> diff -u -u -p -r1.23 security
> --- security  21 Mar 2013 09:37:37 -  1.23
> +++ security  16 Dec 2013 12:05:52 -
> @@ -458,9 +458,16 @@ sub check_mailboxes {
>   my $gname = (getgrgid $fgid)[0] // $fgid;
>   nag $fname ne $name,
>   "user $name mailbox is owned by $fname";
> - nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
> - sprintf 'user %s mailbox is %s, group %s',
> - $name, strmode($mode), $gname;
> + if (S_ISDIR($mode)) {
> + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | S_IXUSR),
> + sprintf 'user %s maildir is %s, group %s',
> + $name, strmode($mode), $gname;
> + }
> + else {
> + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
> + sprintf 'user %s mailbox is %s, group %s',
> + $name, strmode($mode), $gname;
> + }
>   }
>   closedir $dh;
>  }
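Review bot: The ownership nag on the context line above still prints `user $name mailbox is owned by $fname` for a directory, so a wrongly owned maildir is reported as a mailbox while its mode is reported as a maildir. The two new branches differ only in the expected mode and the noun, so both can be computed once: `my ($want, $kind) = S_ISDIR($mode) ? (S_IRUSR | S_IWUSR | S_IXUSR, 'maildir') : (S_IRUSR | S_IWUSR, 'mailbox');`, followed by a single `nag S_IMODE($mode) != $want, ...` and an ownership message that uses `$kind`. The file's Fcntl import list is not visible here, so confirm that `S_ISDIR` and `S_IXUSR` are imported. check_mailboxes starts outside the hunk, and the same patch appears again, unquoted, further down this page.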
> 



Re: security(8) check maildir as well as mailbox permissions

2013-12-19 Thread Craig R. Skinner
On 2013-12-18 Wed 20:48 PM |, Jérémie Courrèges-Anglas wrote:
> skin...@britvault.co.uk (Craig R. Skinner) writes:
> 
> > On 2013-12-18 Wed 15:54 PM |, Stuart Henderson wrote:
> >> > > > > Check the security of /var/mail/dirs similar to /var/mail/boxes:
> >> > > 
> >> 
> >> Indeed, but security(8) really reflects things in the base OS,
> >> 
> >
> > smtpd.conf(8)
> > deliver to maildir path
> > Mail is added to a maildir.  Its location, path, may
> > contain format specifiers that are expanded before use
> >
> >
> > Therefore: ... deliver to maildir /var/mail/%{user.username}
> 
> "Therefore"?  How so?  What's the logic, here?
> 

THEREFORE software in base can deliver to maildir in /var/mail

> >> Indeed, but security(8) really reflects things in the base OS,

OK?
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: security(8) check maildir as well as mailbox permissions

2013-12-18 Thread Craig R. Skinner
On 2013-12-18 Wed 15:54 PM |, Stuart Henderson wrote:
> > > > > Check the security of /var/mail/dirs similar to /var/mail/boxes:
> > > 
> 
> Indeed, but security(8) really reflects things in the base OS,
> 

smtpd.conf(8)
deliver to maildir path
Mail is added to a maildir.  Its location, path, may
contain format specifiers that are expanded before use


Therefore: ... deliver to maildir /var/mail/%{user.username}



OK for the patch then?

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: security(8) check maildir as well as mailbox permissions

2013-12-17 Thread Craig R. Skinner
On 2013-12-16 Mon 13:15 PM |, Craig R. Skinner wrote:
> On 2013-12-16 Mon 12:22 PM |, Stuart Henderson wrote:
> > On 2013/12/16 12:11, Craig R. Skinner wrote:
> > > Check the security of /var/mail/dirs similar to /var/mail/boxes:
> > 
> > Aren't maildirs usually in ~/Maildir?
> > 
> 
> MTA's can deliver to maildirs in several places.
> 
> Postfix example (the trailing slash changes from mbox to maildir format):
> 
> $ postconf -h mail_spool_directory
> /var/mail/
> 

Usually, all user web files are kept in ~/public_html
OpenBSD places them in /var/www/users/$LOGIN

By keeping all mail in a separately mounted /var/mail partition,
(with simple mutt & dovecot configs) mail only users can have
/var/empty as $HOME, authpf or nologin as $SHELL.
This eliminates SQL or other complicated mail stores for 'virtual' users

Separate 'black box' servers can be dedicated to mail only duties,
without user shell logins,

/var/mail can be NFS exported as there are no file locking problems with
maildirs - each message is a unique file. New mail can be delivered
without locking the box.

Also, an annual dump cycle can be set on /home,
with quarterly/monthly level 0 dumps on /var/mail,
different quotas set on the different partitions.

Possibilities abound,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: security(8) check maildir as well as mailbox permissions

2013-12-16 Thread Craig R. Skinner
On 2013-12-16 Mon 12:22 PM |, Stuart Henderson wrote:
> On 2013/12/16 12:11, Craig R. Skinner wrote:
> > Check the security of /var/mail/dirs similar to /var/mail/boxes:
> 
> Aren't maildirs usually in ~/Maildir?
> 

MTA's can deliver to maildirs in several places.

Postfix example (the trailing slash changes from mbox to maildir format):

$ postconf -h mail_spool_directory
/var/mail/

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



security(8) check maildir as well as mailbox permissions

2013-12-16 Thread Craig R. Skinner
Check the security of /var/mail/dirs similar to /var/mail/boxes:

Index: security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.23
diff -u -u -p -r1.23 security
--- security21 Mar 2013 09:37:37 -  1.23
+++ security16 Dec 2013 12:05:52 -
@@ -458,9 +458,16 @@ sub check_mailboxes {
my $gname = (getgrgid $fgid)[0] // $fgid;
nag $fname ne $name,
"user $name mailbox is owned by $fname";
-   nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
-   sprintf 'user %s mailbox is %s, group %s',
-   $name, strmode($mode), $gname;
+   if (S_ISDIR($mode)) {
+   nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | S_IXUSR),
+   sprintf 'user %s maildir is %s, group %s',
+   $name, strmode($mode), $gname;
+   }
+   else {
+   nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
+   sprintf 'user %s mailbox is %s, group %s',
+   $name, strmode($mode), $gname;
+   }
}
closedir $dh;
 }

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path

2013-09-21 Thread Craig R. Skinner
As the others here with brains have had a chance to sleep on this,
what's the current thinking?

As I understand it, there are 2 decisions to make:

1) How to decide if a $daemon is a script as opposed to a binary
(*) file(1)
(*) dd(1)
(*) sed(1)
  Could stat(1) be tasked to switch case on file attributes (e.g: size)?

2) Whether to check if a script's interpreter is valid

http://openbsd.7691.n7.nabble.com/etc-rc-d-rc-subr-prefix-pexp-with-script-interpretor-path-td234439.html

Yes/No/Other?
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path

2013-09-17 Thread Craig R. Skinner
On 2013-09-16 Mon 23:28 PM |, Alexander Hall wrote:
> 
> sed can do it all. Really.

This is getting beyond me Alexander.

Is sed a mechanism to step away from using file(1) ?

> Notes:
> 
> - I separate re_quote() cause I think it can be useful in other places.
> - I think re_quote() is (basic) regex complete.
> - I don't care if the interpreter is (or seems) nonexistant, as that
>   shouldn't be a runtime error.
> - I'm sure sed may die horribly if you try to feed it a 9GB oneline
>   file. However, if so, it should not produce any output anyway. ;)
>   If this would ever be considered a real problem, dd(1) would help
>   (as espie already mentioned).
> 
>   re_quote() { sed 's/\([]^$*.\\[]\)/\\\1/g'; }
> 
>   interpreter=$(
>   sed -n 's/^#![[:space:]]*\(.*\)/\1 /p;q' "${daemon}" |
>   re_quote)
>   pexp="$interpreter$pexp"
> 
> Moreover,
> 
> - you probably want to unset $interpreter when done.
> - we might want to re_quote the entire $pexp later instead.
> 



Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path

2013-09-16 Thread Craig R. Skinner
On 2013-09-16 Mon 15:12 PM |, Paul de Weerd wrote:
> Hi Craig,
> 
> --- cat bad_script.sh 
> # This is a VERY BAD example of a script!  This will break your
> # shebang thingambob
> 
> echo Now what...
> --
> 
> I think you'd be better of making sure the first two characters in the
> file are actually "#!":
> 
>   head -n1 ${FILE} | grep '^#!' | sed 's/^#![[:blank:]]*//'
> 

Good idea Paul.

Implemented below, along with rudimentary testing for a valid
interpreter:


Index: rc.subr
===
RCS file: /cvs/src/etc/rc.d/rc.subr,v
retrieving revision 1.70
diff -u -r1.70 rc.subr
--- rc.subr 11 Jul 2013 09:34:33 -  1.70
+++ rc.subr 16 Sep 2013 18:19:14 -
@@ -221,4 +221,15 @@
 unset _rcflags _rcuser
 
 pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
+file ${daemon} | fgrep -q script &&
+{
+   shebang=$(head -n 1 ${daemon} | grep '^#!' | sed 's/^#![[:blank:]]*//')
+   interpreter=$(echo ${shebang} | cut -d' ' -f1)
+   if [[ -f ${interpreter} && -x ${interpreter} ]]
+   then
+   pexp="${shebang} ${pexp}"
+   else
+   rc_err "$0: invalid interpreter: ${interpreter}"
+   fi
+}
 rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
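Review bot: `file ${daemon} | fgrep -q script` searches the whole output line of file(1), which begins with the file name, so a compiled daemon whose path contains the string `script` enters this block, gets an empty `${shebang}` and ends in `rc_err`. The `grep '^#!'` on the first line already decides whether the daemon is a script, so the file(1) call can go and the block can key on a non-empty result: `shebang=$(head -n 1 "${daemon}" | sed -n 's/^#![[:blank:]]*//p')` followed by `[[ -n ${shebang} ]] &&`. `${daemon}` should be quoted wherever it is expanded. The two earlier revisions of this patch further down the page use the same `file | fgrep` test.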


Test scripts:

#-=-= /etc/rc.d/rcshebangtester -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

#!/bin/sh
#
# rc.d test harness for the shebang-prefix patch: points ${daemon} at a
# script, sources rc.subr and does not override pexp itself.

# Select one test daemon by leaving exactly one assignment uncommented.
#daemon="/home/me/bin/rcshebangtester.dud"
#daemon="/home/me/bin/rcshebangtester.ksh"
daemon="/home/me/bin/rcshebangtester.pl"

. /etc/rc.d/rc.subr

# presumably backgrounds the daemon, as the test scripts never exit on
# their own - confirm against rc.subr
rc_bg=YES
# Manual pexp overrides, kept commented out so the value built by the
# patched rc.subr is the one under test.
#pexp="/bin/ksh ${daemon}"
#pexp="/usr/bin/perl -T ${daemon}"
#pexp="/usr/bin/perl ${daemon}"

rc_cmd $1

#-=-= /home/me/bin/rcshebangtester.dud -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

#!/var/empty
#!   /dev/null
#! /usr/lib/libc.a
# Only the first line is the effective shebang; reorder the three lines
# above to try each interpreter path in turn. None of them is expected to
# pass the patch's regular-file-and-executable test (presumably a
# directory, a device node and a non-executable archive - confirm on the
# test host).

# Should never print when started through the patched rc.subr.
echo 'Busted!'

#-=-= /home/me/bin/rcshebangtester.ksh =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

#! /bin/ksh -x
#!  /bin/ksh
# Only the first line is the effective shebang; swap the two lines above
# to test each spacing and flag variant.

# Runs until killed, printing uptime once a second.
while true
do
uptime
sleep 1
done

#-=-= /home/me/bin/rcshebangtester.pl =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

#!   /usr/bin/perl -T
#!/usr/bin/perl
# Only the first line is the effective shebang; swap the two lines above
# to test the variant with leading blanks and a flag against the plain one.

use strict;
use warnings;

# Runs until killed, printing the epoch time once a second.
for(;;)
{
print time(), "\n";
sleep 1;
}

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

$ sudo /etc/rc.d/rcshebangtester -d -f start; \
cat /var/run/rc.d/rcshebangtester; echo; sleep 5; \
sudo /etc/rc.d/rcshebangtester -d -f stop
doing rc_read_runfile
doing rc_check
rcshebangtester
doing rc_start
1379357218
1379357219
doing rc_wait start
doing rc_check
doing rc_write_runfile
(ok)
/usr/bin/perl -T /home/me/bin/rcshebangtester.pl
1379357220
1379357221
1379357222
1379357223
1379357224
doing rc_read_runfile
doing rc_check
rcshebangtester
doing rc_stop
doing rc_wait stop
doing rc_check
doing rc_rm_runfile
(ok)


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Any other thoughts?
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path

2013-09-16 Thread Craig R. Skinner
On 2013-09-16 Mon 13:00 PM |, Antoine Jacoutot wrote:
> 
> Heh, very interesting trick ;-)
> But I don't think that is 100% foolproof as is.
> 
> e.g.
> $ head -n 1 /usr/local/bin/xml2-config | cut -d! -f2
>  /bin/sh
> You have a white space before the interpreter.
> 
> If you can improve that and make sure it works with all similar rc scripts 
> then I think it is definitely something that should be looked into.
> Thanks.
> 

Well spotted Antoine.

I wrote a test script with various shebang lines of:

#![space]/bin/ksh
#![space][space]/bin/ksh
#![space][tab]/bin/ksh -x
#![tab]/bin/ksh -x
#![space]/usr/bin/perl
#![space][space]/usr/bin/perl
#![space][tab]/usr/bin/perl -T
#![tab][tab][tab]/usr/bin/perl -T

This seems to work with these test scenarios
(as seen in /var/run/rc.d/rcshebangtester):

Index: rc.subr
===
RCS file: /cvs/src/etc/rc.d/rc.subr,v
retrieving revision 1.70
diff -u -r1.70 rc.subr
--- rc.subr 11 Jul 2013 09:34:33 -  1.70
+++ rc.subr 16 Sep 2013 12:09:42 -
@@ -221,4 +221,9 @@
 unset _rcflags _rcuser
 
 pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
+file ${daemon} | fgrep -q script &&
+{
+   shebang=$(head -n 1 ${daemon} | cut -d! -f2 | sed 's/^[[:blank:]]*//')
+   pexp="${shebang} ${pexp}"
+}
 rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"


Would it also be worthwhile verifying the 1st element of $shebang is
executable before prefixing $pexp?


Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



/etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path

2013-09-16 Thread Craig R. Skinner
For scripts (perl, shell, whatever...), prefix ${pexp} with the script's
interpreter path as defined by the script's #! line.

No need to override ${pexp} in the daemon's rc file.


Index: rc.subr
===
RCS file: /cvs/src/etc/rc.d/rc.subr,v
retrieving revision 1.70
diff -u -r1.70 rc.subr
--- rc.subr 11 Jul 2013 09:34:33 -  1.70
+++ rc.subr 16 Sep 2013 10:26:09 -
@@ -221,4 +221,9 @@
 unset _rcflags _rcuser
 
 pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
+file ${daemon} | fgrep -q script &&
+{
+   shebang=$(head -n 1 ${daemon} | cut -d! -f2)
+   pexp="${shebang} ${pexp}"
+}
 rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"





e.g. Remove pexp= from /etc/rc.d/greyscanner:


--- greyscanner.pkg Mon Aug 19 14:46:01 2013
+++ greyscanner Mon Sep 16 11:30:33 2013
@@ -6,7 +6,6 @@
 
 . /etc/rc.d/rc.subr
 
-pexp="/usr/bin/perl ${daemon}"
 rc_reload=NO
 
 rc_cmd $1




$ sudo /etc/rc.d/greyscanner restart
greyscanner(ok)
greyscanner(ok)

$ cat /var/run/rc.d/greyscanner
/usr/bin/perl /usr/local/sbin/greyscanner

$ ps auxwww | fgrep greyscanner
root 25280  0.0  0.6  4896  2920 ??  Is11:35AM0:00.04 /usr/bin/perl 
/usr/local/sbin/greyscanner

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: useradd with empty -k doesn't chown/chmod new home directory

2013-09-10 Thread Craig R. Skinner
ping

On 2013-09-05 Thu 14:48 PM |, Todd C. Miller wrote:
> I changed my mind and decided it is better to just move the chown
> and chmod out of copydotfiles() and add an explicit check for skeldir
> set to the empty string.  Much as I would like to prettify the
> user.c code it is a losing battle so here is a minimal diff.
> 
>  - todd
> 
> Index: usr.sbin/user/user.c
> ===
> RCS file: /home/cvs/openbsd/src/usr.sbin/user/user.c,v
> retrieving revision 1.95
> diff -u -r1.95 user.c
> --- usr.sbin/user/user.c  2 Apr 2013 05:04:47 -   1.95
> +++ usr.sbin/user/user.c  5 Sep 2013 20:47:23 -
> @@ -290,6 +290,8 @@
>   DIR *dirp;
>   int n;
>  
> + if (*skeldir != '\0')
> + return 0;
>   if ((dirp = opendir(skeldir)) == NULL) {
>   warn("can't open source . files dir `%s'", skeldir);
>   return 0;
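Review bot: The added guard is inverted: `if (*skeldir != '\0') return 0;` returns early whenever a skeleton directory is given, so dot files are never copied, while an empty `-k` argument still reaches `opendir()` and its warning. To match the description (an explicit check for skeldir set to the empty string) the test should read `if (*skeldir == '\0') return 0;`. The function body starts and ends outside this hunk, and the same hunk is quoted again later on this page.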
> @@ -308,8 +310,6 @@
>   (void) asystem("cd %s && %s -rw -pe %s . %s",
>   skeldir, PAX, (verbose) ? "-v" : "", dir);
>   }
> - (void) asystem("%s -R -P %u:%u %s", CHOWN, uid, gid, dir);
> - (void) asystem("%s -R u+w %s", CHMOD, dir);
>   return n;
>  }
>  
> @@ -1177,6 +1177,9 @@
>   err(EXIT_FAILURE, "can't mkdir `%s'", home);
>   }
>   (void) copydotfiles(up->u_skeldir, up->u_uid, gid, 
> home);
> + (void) asystem("%s -R -P %u:%u %s", CHOWN, up->u_uid,
> + gid, home);
> + (void) asystem("%s -R u+w %s", CHMOD, home);
>   }
>   }
>   if (strcmp(up->u_primgrp, "=uid") == 0 &&
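Review bot: The results of the relocated `chown -R` and `chmod -R u+w` calls are discarded with `(void)`, so if either fails the new home directory silently keeps the ownership it was created with, presumably that of the privileged caller. Assuming `asystem()` returns the command's status (its definition is not in the hunk), check it and report the failure, for example `warnx("chown of %s failed", home);`. `home` is also interpolated into the command string unquoted; if `asystem()` passes that string to a shell, a path containing whitespace or shell metacharacters is split or interpreted, so the `%s` should be quoted or the path validated first. The enclosing function starts outside the hunk, and the same hunk is quoted again later on this page.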

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: diff: /etc/rc.d/spamd rc_reload=NO

2013-09-10 Thread Craig R. Skinner
ping


On 2013-09-06 Fri 10:29 AM |, David Coppa wrote:
> On Thu, Sep 5, 2013 at 9:31 PM, Craig R. Skinner
>  wrote:
> > Doesn't seem to reload once chrooted:
> >
> > $ sudo /etc/rc.d/spamd -d reload
> > doing rc_read_runfile
> > doing rc_check
> > spamd
> > doing rc_reload
> > Sep  5 19:57:54 oak spamd[22335]: greyreader failed (Error 0)
> > doing rc_wait reload
> > doing rc_check
> > doing rc_check
> > ...
> > ..
> > .
> > doing rc_check
> > (failed)
> >
> >
> >
> >
> >
> > Index: spamd
> > ===
> > RCS file: /cvs/src/etc/rc.d/spamd,v
> > retrieving revision 1.2
> > diff -u -r1.2 spamd
> > --- spamd   8 Jul 2011 02:15:34 -   1.2
> > +++ spamd   5 Sep 2013 19:19:54 -
> > @@ -7,6 +7,7 @@
> >  . /etc/rc.d/rc.subr
> >
> >  pexp="spamd: \[priv\]"
> > +rc_reload=NO
> >
> >  rc_pre() {
> > [ X"${spamd_black}" != X"NO" ] && \
> 
> OK with me.
> 
> ciao,
> David

-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: useradd with empty -k doesn't chown/chmod new home directory

2013-09-07 Thread Craig R. Skinner
Solved?

On 2013-09-05 Thu 14:48 PM |, Todd C. Miller wrote:
> I changed my mind and decided it is better to just move the chown
> and chmod out of copydotfiles() and add an explicit check for skeldir
> set to the empty string.  Much as I would like to prettify the
> user.c code it is a losing battle so here is a minimal diff.
> 
>  - todd
> 
> Index: usr.sbin/user/user.c
> ===
> RCS file: /home/cvs/openbsd/src/usr.sbin/user/user.c,v
> retrieving revision 1.95
> diff -u -r1.95 user.c
> --- usr.sbin/user/user.c  2 Apr 2013 05:04:47 -   1.95
> +++ usr.sbin/user/user.c  5 Sep 2013 20:47:23 -
> @@ -290,6 +290,8 @@
>   DIR *dirp;
>   int n;
>  
> + if (*skeldir != '\0')
> + return 0;
>   if ((dirp = opendir(skeldir)) == NULL) {
>   warn("can't open source . files dir `%s'", skeldir);
>   return 0;
> @@ -308,8 +310,6 @@
>   (void) asystem("cd %s && %s -rw -pe %s . %s",
>   skeldir, PAX, (verbose) ? "-v" : "", dir);
>   }
> - (void) asystem("%s -R -P %u:%u %s", CHOWN, uid, gid, dir);
> - (void) asystem("%s -R u+w %s", CHMOD, dir);
>   return n;
>  }
>  
> @@ -1177,6 +1177,9 @@
>   err(EXIT_FAILURE, "can't mkdir `%s'", home);
>   }
>   (void) copydotfiles(up->u_skeldir, up->u_uid, gid, 
> home);
> + (void) asystem("%s -R -P %u:%u %s", CHOWN, up->u_uid,
> + gid, home);
> + (void) asystem("%s -R u+w %s", CHMOD, home);
>   }
>   }
>   if (strcmp(up->u_primgrp, "=uid") == 0 &&



Re: diff: /etc/rc.d/spamd rc_reload=NO

2013-09-07 Thread Craig R. Skinner
On 2013-09-06 Fri 10:29 AM |, David Coppa wrote:
> 
> OK with me.
> 
> ciao,
> David

Anyone else?
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



diff: /etc/rc.d/spamd rc_reload=NO

2013-09-05 Thread Craig R. Skinner
Doesn't seem to reload once chrooted:

$ sudo /etc/rc.d/spamd -d reload
doing rc_read_runfile
doing rc_check
spamd
doing rc_reload
Sep  5 19:57:54 oak spamd[22335]: greyreader failed (Error 0)
doing rc_wait reload
doing rc_check
doing rc_check
...
..
.
doing rc_check
(failed)





Index: spamd
===
RCS file: /cvs/src/etc/rc.d/spamd,v
retrieving revision 1.2
diff -u -r1.2 spamd
--- spamd   8 Jul 2011 02:15:34 -   1.2
+++ spamd   5 Sep 2013 19:19:54 -
@@ -7,6 +7,7 @@
 . /etc/rc.d/rc.subr
 
 pexp="spamd: \[priv\]"
+rc_reload=NO
 
 rc_pre() {
[ X"${spamd_black}" != X"NO" ] && \



Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: useradd with empty -k doesn't chown/chmod new home directory

2013-09-05 Thread Craig R. Skinner
On 2013-08-31 Sat 11:18 AM |, Kenneth R Westerback wrote:
> 
> This makes sense to me. ok krw@
> 
>  Ken
> 

ping?
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: useradd with empty -k doesn't chown/chmod new home directory

2013-09-02 Thread Craig R. Skinner
On 2013-08-31 Sat 11:45 AM |, patrick keshishian wrote:
> On Sat, Aug 31, 2013 at 06:23:25AM -0600, Todd C. Miller wrote:
> > Assuming we want to make this a non-fatal error the following should
> > do.
> 
> You meant non-existent skel dir, not empty. Unless you
> meant empty argument for -k option, i.e., -k ""

Yes, that was my intention. i.e. "don't copy the skel dir"

> but is there a good use-case for that?
>

For example, if an organisation had a number of database administrators
and they were added to the group 'dbas'.

In /home/dba there could be files, scripts, passwords,... that only the
DBA team should have common access to.

Likewise for hostmasters, postmasters, webmasters, management,
marketing, sales,

http://article.gmane.org/gmane.os.openbsd.bugs/19980