Re: What is the best way to move a VM to a bigger image?

2023-05-08 Thread Matthew Weigel

On 2023-05-06 11:54 am, Hannu Vuolasaho wrote:

Hello,

I made a silly mistake when I set up my VM and my disk image is too
small for my next operation.

My plan is to give the new image to the VM, run a minimal install on
it so I get the boot loader installed. Also disklabel will be good.

...

Is this a good way to skin this cat? Or is there a better way to do it?


It's fine, but I took it a different route recently, for a VM that I've
been using for a year or two but realized I needed more space.  It
wasn't that hard to resize.  However, it is worth calling out that
recreating a VM can be a good way to find out what you need, and don't
need, on it.

If you go for the resize, you'll need the qemu-img tool from the qemu
package in order to make sure the disk image is in qcow2 format (you
can convert from a raw image if necessary), and then change its size.
From there you can do partition and filesystem manipulation from within
the VM.

If you need to do something more complicated than add filesystems or
grow the last partition, you should probably add more disk images or
consider starting from a fresh install.

Matthew
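A worked check for the "make sure the disk image is in qcow2 format" step, added here as an example and not code from the post or from QEMU. The qcow2 header layout is the one QEMU documents: magic "QFI\xfb", then big-endian version, backing-file offset and length, cluster bits and virtual size. Reading those 32 bytes tells you whether a convert is needed before the resize, how big the disk currently is, and whether the image depends on a backing file (a resized image still does). The header bytes and the 40 GiB target are constructed for the example; the qemu-img invocations are the real convert and resize forms.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"          # first four bytes of every qcow/qcow2 image

def inspect_image(head: bytes) -> dict:
    """Classify an image from its first 32 bytes the way qemu-img does:
    anything without the qcow magic is treated as raw.  For qcow2, also
    report the virtual size and whether a backing file is referenced."""
    if len(head) < 32 or head[:4] != QCOW_MAGIC:
        return {"format": "raw"}
    # big-endian: version u32, backing_file_offset u64, backing_file_size u32,
    # cluster_bits u32, size u64 (bytes 4..31 of the header)
    version, backing_off, backing_len, cluster_bits, size = struct.unpack(
        ">IQIIQ", head[4:32])
    return {
        "format": "qcow2",
        "version": version,
        "virtual_size": size,
        "cluster_size": 1 << cluster_bits,
        "has_backing_file": backing_off != 0 and backing_len != 0,
    }

def plan_resize(path: str, info: dict, new_size: int) -> list:
    """Return the qemu-img commands that grow `path` to new_size bytes.
    A raw image is converted to qcow2 first; shrinking is refused because it
    discards the end of the disk (qemu-img itself demands --shrink for it)."""
    cmds = []
    if info["format"] == "raw":
        cmds.append("qemu-img convert -f raw -O qcow2 %s %s.qcow2" % (path, path))
        path = path + ".qcow2"
    elif new_size < info["virtual_size"]:
        raise ValueError("refusing to shrink %s below %d bytes"
                         % (path, info["virtual_size"]))
    cmds.append("qemu-img resize %s %d" % (path, new_size))
    return cmds

# Constructed sample headers (not real images): a 20 GiB qcow2 v3 with 64 KiB
# clusters and no backing file, and 64 zero bytes standing in for a raw image.
SAMPLE_QCOW2 = QCOW_MAGIC + struct.pack(">IQIIQ", 3, 0, 0, 16, 20 << 30) + b"\0" * 40
SAMPLE_RAW = b"\0" * 64

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        info = inspect_image(f.read(32))
    print(info)
    for cmd in plan_resize(sys.argv[1], info, 40 << 30):
        print(cmd)
```

After the resize the guest still has to grow the last partition and the filesystem on it, which is the part done from inside the VM; back the image up first, since the convert step writes a new file but the resize rewrites the one you have.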



Re: Home folder default permission

2023-03-23 Thread Matthew Weigel

On 2023-03-23 11:53 am, ch...@qatland.com wrote:

I did not look at the code at all for this.  Only using existing 
programs.

 If this should not be working then a patch will be needed somewhere.


I didn't give it a try, but I took your report at face value and looked
closer at the code.

When it copies /etc/skel over, it does so with a command like
"pax -rw -pe /etc/skel /home/$USER"
(https://github.com/openbsd/src/blob/869ed59d760a94e6086f364d91f2b56074421cc9/usr.sbin/user/user.c#L316)
which sets all permissions, starting with /etc/skel. That's why it
behaved as you observed, the way the original poster wanted.


However I will state that having the ability to set the default
permissions somewhere would be useful, and a requirement in some
environments.


I agree, not that I have any say.  It's also worth pointing out that you
can have multiple skeleton directories and specify which one you want to
use when you run the program; there's no need to change the default
skeleton directory (or, it's possible to keep a traditional readable-by-
all skeleton directory around even if you make it not the default).

Matthew



Re: Home folder default permission

2023-03-23 Thread Matthew Weigel

On 2023-03-23 7:54 am, ch...@qatland.com wrote:


useradd makes use of the permissions of /etc/skel.  The default is 755.
If you change it to 750, new user directories will then have 750 as the
default on their home directories.


Does it?  Looking at the code, it doesn't copy /etc/skel, it runs
"mkdir -p $HOME"
(https://github.com/openbsd/src/blob/869ed59d760a94e6086f364d91f2b56074421cc9/usr.sbin/user/user.c#L1208)

I wonder if running
  UMASK=`umask` && umask 077 && useradd  ; umask "$UMASK"
would be sufficient.

The related adduser command
(https://github.com/openbsd/src/blob/master/usr.sbin/adduser/adduser.perl)
explicitly creates the home directory with permissions 0755, although
that should be affected by umask as well.

Matthew



Re: SSL error wth dovecot + roundcube

2020-07-08 Thread Matthew Weigel

On 7/8/20 7:57 PM, Aisha Tammy wrote:

On dovecots side, I get:
Jul  8 20:28:59 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=98.109.25.191, lip=108.61.81.40, TLS handshaking: SSL_accept() failed: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca: SSL alert number 48, session=

I think this might be some error with either ssl lib things in php or something 
similar.
(An unlikelier scenario is that I have some errors with my dovecot imap ssl, 
but every other client, thunderbird/fairmail/k-9 mail are authenticating fine)


I think it's actually a lot more likely, but you don't provide much 
information about how you configured dovecot.


The dovecot error is that it doesn't recognize the CA, which suggests 
the client (roundcube) is *sending* a certificate. If you a) turned on  
'ssl_verify_client_cert' in Dovecot, b) set 'local_cert' in 
$config['imap_conn_options']['ssl'] in Roundcube, c) did not configure a 
client certificate with any other client, and d) did not have 'ssl_ca' 
set correctly in dovecot, I believe you would get this error.


--

 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Cannot start conversation using talk

2020-02-19 Thread Matthew Weigel

On 2020-02-19 9:48, b...@0x1bi.net wrote:

I verified the output of rcctl and inetd is running.


Did you restart inetd after editing inetd.conf?  It has to decide what 
ports to listen on when it starts up, which means it isn't going to 
notice edits.

--
 Matthew Weigel



Re: Generate ctags recursively.

2017-11-21 Thread Matthew Weigel

On 2017-11-21 8:43, Venu Chakravorty wrote:

Hello all,

Although the ctags manual page for a typical Linux machine
(https://linux.die.net/man/1/ctags) says that the `-R` switch can
be used to generate a "tags" file recursively, the manual page for
OpenBSD (https://man.openbsd.org/OpenBSD-6.2/ctags) does not mention
how to achieve this. So how do I do this on OpenBSD? Am I missing
something? Please help.


rm tags; find . \( -name '*.h' -o -name '*.c' \) | xargs ctags -a

Let find(1) manage the recursive part.
--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Would you use OpenBSD on Power8, and if so what applications? (IBM asks! They're thinking about donating hw.)

2016-10-18 Thread Matthew Weigel

On 2016-10-18 12:43, Jack J. Woehr wrote:


Routing, firewalling, DMZing, net address translation, OpenSSL,


LibreSSL. :-)

--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: What do you use to manage contact info?

2016-03-04 Thread Matthew Weigel

On 2016-03-03 21:36, Joe Er wrote:

What do you use to manage your contacts?  I am currently using the
address book in Thunderbird and am wondering if there is something that
is better.


I'm not proud of it, but I use egroupware.  I almost never actually
use the web interface, however; I rely on its CardDAV service.  It
keeps my contacts synchronized between Thunderbird on multiple computers
and operating systems (via SoGo Connector), RoundCube (via the carddav
plugin), and multiple Apple devices (used by different people in my
family).  In general I mostly interact directly with the Addressbook in
iOS; Thunderbird and Roundcube are integrated primarily to make sure I
can easily look up email addresses.

If I were starting over I would also consider ownCloud, but the security
of this stuff is all terrible.  Google's CardDAV service is probably
more secure, to everyone but Google anyway, but I prefer to host my own.
I do what I can to mitigate the security problems, and keep backups.
--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

2015-07-18 Thread Matthew Weigel

On 7/18/15 4:27 AM, Olivier Mehani wrote:


My root user is authenticated with BSDAUTH. The rest of the users with
an md5crypt in the userPassword. This works with the version from 5.5
with a range of applications (ownCloud, Wordpress, PHPLDAPAdmin, ...).


md5crypt...?  Well, there's your problem.

From http://www.openbsd.org/plus56.html:

 * Removed md5crypt from crypt(3).

So ldapd(8) is passing the hash string along to crypt(3) when checking 
the user's password and crypt(3) is unable to handle it.  You'll need to 
start migrating these password hashes.

--
 Matthew Weigel
 hacker
 unique & idempot . ent
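To find the entries that need migrating before (or after) such an upgrade, here is an added example, not code from the thread or from ldapd, that scans an LDIF export and names the scheme each userPassword uses. It treats "{CRYPT}" values starting with "$1$" as md5crypt, the form crypt(3) on 5.6 can no longer verify, and also flags values with no scheme prefix at all. The LDIF sample is constructed and its hash bodies are dummies; the DNs are made up.

```python
import base64
import re

def iter_entries(ldif_text: str):
    """Yield each LDIF entry as {attr_lower: [values]}.  Handles the
    'attr:: base64' form; folded continuation lines are joined first."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if entry:
                yield entry
            entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)

def password_scheme(value: str) -> str:
    """Name the scheme a userPassword value uses.  {CRYPT} values are split
    further on the crypt(3) identifier; '$1$' is md5crypt."""
    m = re.match(r"\{(\w+)\}(.*)", value, re.S)
    if not m:
        return "cleartext"                     # no {SCHEME} prefix at all
    tag, rest = m.group(1).upper(), m.group(2)
    if tag != "CRYPT":
        return tag.lower()                     # ssha, sha, bsdauth, ...
    if rest.startswith("$1$"):
        return "md5crypt"
    if rest.startswith(("$2a$", "$2b$")):
        return "bcrypt"
    return "crypt-other"

def needs_migration(ldif_text: str) -> list:
    """(dn, scheme) for every entry whose password is md5crypt, which crypt(3)
    on 5.6 no longer handles, or is stored without any scheme."""
    flagged = []
    for entry in iter_entries(ldif_text):
        for pw in entry.get("userpassword", []):
            scheme = password_scheme(pw)
            if scheme in ("md5crypt", "cleartext"):
                flagged.append((entry["dn"][0], scheme))
    return flagged

# Constructed sample export (not from the thread); hash bodies are dummies.
SAMPLE_LDIF = "\n".join([
    "dn: cn=root,dc=example,dc=net",
    "userPassword: {BSDAUTH}root",
    "",
    "dn: uid=alice,ou=users,dc=example,dc=net",
    "objectClass: posixAccount",
    "userPassword: {CRYPT}$1$saltsalt$dummydummydummydummydu",
    "",
    "dn: uid=bob,ou=users,dc=example,dc=net",
    "objectClass: posixAccount",
    "userPassword:: " + base64.b64encode(b"{CRYPT}$2b$08$" + b"x" * 53).decode(),
    "",
])

if __name__ == "__main__":
    for dn, scheme in needs_migration(SAMPLE_LDIF):
        print("%s: %s" % (dn, scheme))
```

The affected users have to set a new password (or have one set for them), since an md5crypt string cannot be rehashed into bcrypt without the cleartext.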



Re: 'ldap_bind: Operations error (1)' with ldapd-5.6

2015-07-14 Thread Matthew Weigel

On 2015-07-14 6:07, Olivier Mehani wrote:

Did anybody encounter the same issue? Is there a known cause? How could
this be solved?


I'm running 5.6 and using ldapd without issue.  Can you clarify how your 
test user is authenticated (BSD Auth?  A crypt hash in the userPassword 
attribute?)?


--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Failed cron jobs are silent

2015-01-03 Thread Matthew Weigel

On 1/3/15 1:05 PM, Fred wrote:


man 5 crontab not man 1 crontab
:~)


No, the behavior he described is accurate: cron(8) sends email if a job
produced output, irrespective of its exit status.

Google is littered with people trying to figure out how to get cron(8)
to send email based on exit code... so it's certainly a common problem.
Maybe some Unix decided to send email based on exit status, but
OpenBSD's does not.
--
 Matthew Weigel
 hacker
 unique & idempot . ent
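Since cron(8) mails on output rather than on exit status, the usual answer is a wrapper that stays silent when the job succeeds and prints the status and captured output when it does not. The following is an added example written for this page, not something from the thread or from cron; the crontab line in the comment and the wrapper's path are assumptions.

```python
import subprocess
import sys

def run_quiet_unless_failed(argv: list, timeout: float = None) -> tuple:
    """Run argv with its output captured.  Returns (exit_status, report):
    report is empty on success, so a crontab entry that goes through this
    wrapper produces no output, and hence no mail, unless the job failed."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout)
    except FileNotFoundError as err:
        return 127, "%s: %s\n" % (argv[0], err.strerror)
    except subprocess.TimeoutExpired:
        return 124, "%s: killed after %s seconds\n" % (" ".join(argv), timeout)
    if proc.returncode == 0:
        return 0, ""
    how = ("killed by signal %d" % -proc.returncode if proc.returncode < 0
           else "exited %d" % proc.returncode)
    report = "%s: %s\n" % (" ".join(argv), how)
    if proc.stdout:
        report += "--- stdout ---\n" + proc.stdout
    if proc.stderr:
        report += "--- stderr ---\n" + proc.stderr
    return proc.returncode, report

if __name__ == "__main__":
    # crontab usage (paths assumed):
    #   0 3 * * *  /usr/local/bin/cronwrap /usr/local/bin/nightly-backup
    status, report = run_quiet_unless_failed(sys.argv[1:])
    sys.stdout.write(report)
    sys.exit(status if status >= 0 else 1)
```

The trade-off is that output from a successful run is dropped entirely; if the job's normal output is worth keeping, have the job write it to a log file or syslog itself rather than relying on cron's mail.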



Re: OpenBSD embedded?

2014-12-04 Thread Matthew Weigel

On 12/4/14, 6:53 AM, Brad Smith wrote:

On 12/04/14 07:05, Alan McKay wrote:

On Thu, Dec 4, 2014 at 1:15 AM, Vivek Vinod vi...@icanconnect.com
wrote:

We have been using Mikrotik routerboards for 7 years


Huh?  With OpenBSD on them?


There are 3 PowerPC based RouterBOARDs. AFAIK the RB600 is supported
at the moment by the socppc port.

The RB800 and RB850Gx2 boards would probably be relatively easy to add
support for.


I wish. :-(  They both have e500v2 PowerPC cores in them, which have a
different floating point unit from the e300 (the core supported by
socppc), meaning the powerpc binaries shared by socppc and macppc can't
run on those boards... never mind the Book E changes required in the
kernel.

Later Power cores (e500mc, e5500, e6500) revert the FPU, so I think
they 'should' be able to share arch/powerpc binaries, but a) nobody
(including me) has done the necessary work in the kernel to run on
them, and b) I'm not aware of hardware such as RouterBoards that use
the newer cores.
--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: LDAPD indexed key doesn't exist!

2014-10-20 Thread Matthew Weigel

On 10/19/14, 4:36 PM, Predrag Punosevac wrote:

I am using stack ldapd on the AMD 5.5 release to manage about 100 users
in our distributed UNIX environment. I have noticed the following log
message for three users

LDAPD indexed key [uid=somebody,ou=users,] doesn't exist!

There is nothing at first glance appearing different about those three
people. Could somebody point me in the right direction, and where should
I look for the problem?



I haven't looked too closely at that code, but could you try to re-index
the ldapd database?
# ldapctl -v index

See if that either fixes the problem or says anything more about it...
--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: LDAP and default shell

2014-08-28 Thread Matthew Weigel

On 8/28/14, 7:19 AM, Predrag Punosevac wrote:


The only weird thing I noticed compared to the 5.5 release is that the
system overrides the default user shell defined in the LDAP database.


From passwd(5):

 If the entry contains non-empty uid or gid fields, the specified
 numbers will override the information retrieved from the YP maps.
 Additionally, if the gecos, dir, or shell entries contain text, it
 will override the information included via YP.


# tail -n 1 /etc/master.passwd
+:/bin/ksh



Later in that same paragraph in passwd(5) is a recommendation for what 
to put in /etc/master.passwd instead.

--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: LDAPD attribute and ACL'S

2014-07-25 Thread Matthew Weigel

On 07/25/2014 05:48 AM, Bambero wrote:

Hi

Is it possible to give write access only for the userPassword field?

sth like:

allow write access to attr=userPassword by self


There are no per-attribute permissions in the base ldapd(8).

I think the 'normal' way to accomplish this is to create a user
who does have write permission to users' entries, and then write
a program that will authenticate as that DN to modify passwords
on users' behalf.
--
 Matthew Weigel
 hacker
 unique & idempot . ent



ldapd(8) binary incompatibility, 5.4 -> 5.5

2014-07-22 Thread Matthew Weigel

I finally upgraded my last machine - that runs ldapd(8) for user
logins, mail aliases, and a few other odds and ends - from 5.4 to 5.5.

I'm left wondering if I'm the only one who actually uses the stock
ldapd(8), because it is not called out at all in upgrade55.html as
having problems with the Year 2038 fixes that went into 5.5.

I ended up having to create a 5.4 VM (I stuck with the same amd64 arch
as my actual server, and have not investigated or tested under what
constraints this might work across architectures) to load the ldapd(8)
database files, use third party LDAP tools to create a text dump in
LDIF format, and then load the LDIF into an empty database of 5.5
ldapd(8).

It looks like particularly the btree_stat and btree_meta structs used
in the ldapd(8) btree implementation are the culprits, as it looks like
they are the only time_t bits actually stored on disk.  Since it
appears my problems are now solved, I'm mostly sending this message as
a heads up in case there is anyone still getting ready to upgrade to
5.5 that uses ldapd(8).

Something probably deserves to be in update55.html as well, but I don't
have a repeatable, documented procedure for what I did.
--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: ldapd(8) binary incompatibility, 5.4 -> 5.5

2014-07-22 Thread Matthew Weigel

On 7/22/14, 9:03 PM, Olivier Mehani wrote:


I ended up having to create a 5.4 VM (I stuck with the same amd64 arch
as my actual server, and have not investigated or tested under what
constraints this might work across architectures) to load the ldapd(8)
database files, use third party LDAP tools to create a text dump in
LDIF format, and then load the LDIF into an empty database of 5.5
ldapd(8).


I'm currently trying to cobble together a binary importer which reads
5.4 dbs, and writes them as 5.5 dbs. It's a bit ugly, based on
frankensteined code from ldapd and ldapctl. I haven't found a straight
way to write back into a file, so I'm trying to go down the compacting way,
which appears to be rewriting an entirely new database.

Hopefully, it should work in the end.

I thought about the VM/dump option, but all I could find was for slapd
(using slapcat). Could you give more details on the tools you use?


Someone else asked about this off the list.  After setting up the VM
and copying /etc/ldapd.conf, /etc/ldap/*.schema, and /var/db/ldap/*.db
into it, I started up ldapd(8) and connected to it with ldapvi(1) from
ports.  I wrote out the contents of that buffer to a separate file, and
that was my not-exactly-LDIF text backup.

To add those entries to the 5.5 server, I replaced the numeric
identifier ldapvi(1) uses for existing entries with the special key
'add' like so:

0 dc=example,dc=net
objectClass: dcObject
objectClass: organization
objectClass: top
dc: example
o: example.net
description: Account and Group LDAP Identity Database

was changed to

add dc=example,dc=net
objectClass: dcObject
objectClass: organization
objectClass: top
dc: example
o: example.net
description: Account and Group LDAP Identity Database

I had to use ldapadd(1) from the openldap-client package to populate
the root object before ldapvi(1) would work, however.  I think I also
had to add the structure of the LDAP tree first, and do a second round
of edits to populate leaf nodes.


It looks like particularly the btree_stat and btree_meta structs used
in the ldapd(8) btree implementation are the culprits, as it looks like
they are the only time_t bits actually stored on disk.  Since it
appears my problems are now solved, I'm mostly sending this message as
a heads up in case there is anyone still getting ready to upgrade to
5.5 that uses ldapd(8).


I think only the btree_meta is relevant, as I don't see the btree_stat
being written on disk.


Maybe, I didn't dig too deep into it once I solved my problems.
--
 Matthew Weigel
 hacker
 unique & idempot . ent
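The header rewrite and the two-round ordering problem described above can be done in one pass: an added example, written for this page and not the poster's own tooling, that takes a saved ldapvi(1) buffer (entries separated by blank lines, each headed by "<number> <dn>"), rewrites every header to "add <dn>", and emits entries parents-first by counting RDNs, so the tree's structure is loaded before its leaves. The sample buffer is constructed; the format assumption is the "0 dc=example,dc=net" header style shown in the message. The same parents-first ordering applies if you feed plain LDIF to ldapadd(1) instead.

```python
import re

HEADER = re.compile(r"^(\d+|add)\s+(.+)$")   # "<number> <dn>" or "add <dn>"

def parse_ldapvi(text: str) -> list:
    """Split an ldapvi(1) buffer into (dn, attribute_lines) pairs.  Entries
    are separated by blank lines and start with a numeric key or 'add'."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            raise ValueError("not an ldapvi entry header: %r" % lines[0])
        entries.append((m.group(2).strip(), lines[1:]))
    return entries

def dn_depth(dn: str) -> int:
    """Number of RDNs.  LDAP requires a literal comma inside a value to be
    escaped as '\\,', so splitting on unescaped commas is sufficient."""
    return len(re.split(r"(?<!\\),", dn))

def ldapvi_to_add(text: str) -> str:
    """Rewrite every header as 'add <dn>' and order entries parents-first.
    The sort is stable, so siblings keep the order they had in the buffer."""
    out = []
    for dn, attrs in sorted(parse_ldapvi(text), key=lambda e: dn_depth(e[0])):
        out.append("add " + dn)
        out.extend(attrs)
        out.append("")
    return "\n".join(out)

# Constructed sample buffer (not the poster's data): the leaf entry comes
# first in the file and must be loaded last.
SAMPLE_BUFFER = """\
1 uid=alice,ou=users,dc=example,dc=net
objectClass: posixAccount
uid: alice

0 dc=example,dc=net
objectClass: dcObject
objectClass: organization
objectClass: top
dc: example
o: example.net

2 ou=users,dc=example,dc=net
objectClass: organizationalUnit
ou: users
"""

if __name__ == "__main__":
    import sys
    src = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    sys.stdout.write(ldapvi_to_add(src))
```

Keep the text dump somewhere with restrictive permissions: it contains every userPassword value in the directory, which is exactly what a migration tool has to move but not something to leave in /tmp.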



Re: ldapd(8) binary incompatibility, 5.4 -> 5.5

2014-07-22 Thread Matthew Weigel

On 7/22/14, 9:37 PM, Matthew Weigel wrote:


into it, I started up ldapd(8) and connected to it with ldapvi(1) from
ports.  I wrote out the contents of that buffer to a separate file, and


Actually I didn't notice it this weekend but ldapvi(1) has --in and
--out arguments that do exactly the right thing - just read and write
straight LDIF files.
--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: new OpenSSL flaws

2014-06-07 Thread Matthew Weigel
On 06/06/2014 10:04 PM, Solar Designer wrote:

 OpenBSD having declined to use the tool shouldn't be interpreted e.g. by
 OpenSSL as a reason not to notify LibreSSL directly.

It seems worth noting that OpenBSD 5.5, the current release that many
people are running, incorporates OpenSSL, not LibreSSL. There can't be
really any question of OpenBSD users not being affected because they are
using a forked version that might not be vulnerable; that fork is still
in development.
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Authentication with LDAP on OpenBSD

2014-05-28 Thread Matthew Weigel

On 05/27/2014 10:50 PM, Predrag Punosevac wrote:


and edited /etc/ypldap.conf as:

# $OpenBSD: ypldap.conf,v 1.4 2012/04/30 12:16:43 ajacoutot Exp $

domain		autonlab.org
interval	60
provide map	passwd.byname
provide map	passwd.byuid
provide map	group.byname
provide map	group.bygid
# provide map	netid.byname

directory atlas.int.autonlab.org {
	# directory options
	binddn cn=admin,dc=autonlab,dc=org
	basedn dc=autonlab,dc=org
	# basedn ou=users,dc=autonlab,dc=org
	# starting point for groups directory search, default to basedn
	# groupdn ou=group,dc=autonlab,dc=org

	# passwd maps configuration (RFC 2307 posixAccount object class)
	passwd filter (objectClass=posixAccount)

	attribute name maps to uid
	fixed attribute passwd *
	attribute uid maps to uidNumber
	attribute gid maps to gidNumber
	attribute gecos maps to cn
	attribute home maps to homeDirectory
	attribute shell maps to loginShell
	fixed attribute change 0
	fixed attribute expire 0
	fixed attribute class 


That should be the login class you created in login.conf that 
authenticates via LDAP (in your case, ldap).


Speaking somewhat vaguely, the way this *should* work is that when the 
username is supplied, the system looks up the user to determine the 
login class to determine how to proceed with authentication.  With users 
coming from ypldap, it should set the class to one that you've 
configured to authenticate via login_ldap.



 From that point on I could do ldapsearch,
I could run /usr/libexec/auth/login_ldap -d -s login USERNAME ldap without


(see?  That last argument is specifying the login class, which is why it 
works)



and get logged in but could not make much sense of steps 3 and 4 of the
article

http://blogs.helion-prime.com/2009/05/07/authorization-with-ldap-on-openbsd.html


In your case /etc/defaultdomain should probably contain autonlab.org

The lines in /etc/master.passwd and /etc/group are necessary to tell 
login to do YP lookups.



which is clearly related to my inability to use LDAP password to ssh
into shell gateway. After starting portmap and ypldap I could start
ypbind but ypserv and yppasswdd daemons would fail to start for me due
to the obvious reason that my defaultdomain has no YP servers.


The first paragraph of ypldap(8)'s description ends with "ypldap has the 
same role as ypserv(8) and the two daemons are exclusive."  So don't run 
ypserv, just run ypldap and ypbind.


You also can't run yppasswdd(8) in this context, because yppasswdd only 
knows how to change local (to the server) accounts.  Unfortunately there 
isn't an LDAP version of yppasswdd(8) at the moment, nor does base 
ldapd(8) support the necessary LDAP extensions for simple password 
change.


It's something I've put some effort into, but I haven't had time to 
progress on it in quite a while.


 "To use other directory services except YP, you either need to populate
local configuration files from the directory, or you need a YP frontend
to the directory. For example, you can use the sysutils/login_ldap port
when you choose the former, while the ypldap(8) daemon provides the
latter."

Which seems to indicate that I just need ypldap as a front end to my
LDAP server.


That is poorly worded for sure.  I think right now the best combination 
is the one you're trying, login_ldap and ypldap together.


--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: heartbleed ssl bug and ports or packages question

2014-04-08 Thread Matthew Weigel
You should at least be able to know which of your packages have access to an 
SSL private key, and speak SSL.

You also need to recursively check each library dovecot links to... That 
libdovecot looks like a likely candidate for linking ssl.so.

That said, for dovecot, I THINK it uses dlopen at runtime to load ssl.so. You 
might try fstat on a running dovecot process that talks SSL.
-- 
 Matthew Weigel


 On Apr 8, 2014, at 12:26 PM, Didier Wiroth dwir...@gmail.com wrote:
 
 Hello,
 I'm not a developer but more of an openbsd hobbyist.
 I'm using current with current packages that are a few days old.
 
 I patched my openbsd servers and revoked all my ssl keys, generated
 new ones and changed every possible password.
 Even though, as far as I understood, you can't be sure credentials
 have not been read out of memory and your system has not been
 compromised at some point in the past.
 Anyway, I had a look at the following patch and was reading the comments:
 http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig
 and came across this line:
 Also recompile any statically-linked binaries depending on it
 
 F.ex. I use dovecot:
 # ldd `which dovecot`
 /usr/local/sbin/dovecot:
         Start            End              Type  Open Ref GrpRef Name
         04f81c50         04f81c913000     exe   1    0   0      /usr/local/sbin/dovecot
         04fa2152c000     04fa219f4000     rlib  0    1   0      /usr/local/lib/dovecot/libdovecot.so.2.0
         04fa1d89         04fa1dd7d000     rlib  0    1   0      /usr/lib/libc.so.74.0
         04fa275a7000     04fa27aa4000     rlib  0    1   0      /usr/local/lib/libiconv.so.6.0
         04fa2bb0         04fa2bb0         rtld  0    1   0      /usr/libexec/ld.so
 
 The following library is not listed: /usr/lib/libssl.so.20.0
 So I guess ssl was statically compiled in the dovecot package/port, as
 dovecot supports ssl and I currently use it.
 
 Is it possible to track which ports or packages have statically
 compiled in ssl support?
 
 Do I need to recompile/rebuild the port with the patched libssl library?
 or better ... but slower:
 Do I need to recompile every ports to be sure the bug can't be
 exploited on my openbsd systems?
 
 Thank you very much!
 Kind regards,
 Didier



Re: ypldap

2014-04-08 Thread Matthew Weigel

On 04/08/2014 04:31 PM, Friedrich Locke wrote:

Dear list members,

i have just configured my system (yp) to retrive information on groups and
users. It's working 100% ok.

Now, i would like to set some netgroups. How does netgroup works with
ypldap ?


Per ypldap.conf(5): "The currently implemented maps are: passwd.byname, 
passwd.byuid, group.byname, group.bygid."

--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Dovecot bsdauth(user): unknown user

2014-03-10 Thread Matthew Weigel

On 03/10/2014 02:57 AM, Атанас Владимиров wrote:


Yes, the problem persist.


Oof.  I didn't notice this earlier, but you're running -current, and 
this has seen some changes in the last week.  You might want to take a 
look at this thread: http://marc.info/?t=13910782254&r=1&w=2


I don't have an easy way to test (not running -current or using 
passwd/bsdauth), and it's not clear from the discussion whether the 
changes that fixed dovecot in Brad's testing were committed or not. 
However, it looks like one more fix to getpwent.c was committed after 
your last update, and it's probably worth trying.

--
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Dovecot bsdauth(user): unknown user

2014-03-09 Thread Matthew Weigel
On 03/09/2014 12:47 PM, Атанас Владимиров wrote:
 No, they had default login class. I'm still trying to find out some pattern
 when and why this behavior occurs. When I create new account with `useradd
 accountname` then set a password with `passwd accountname` and then
 `doveadm auth test accountname`, everything seems good. Then `usermod -L
 default accountname` and doveadm auth failed. When I created new account
 with adduser - doveadm failed.
 An old account on the system works fine no matter in which login class I
 move it. I tried to move my account to other class without any luck.
 Here is my login.conf. I can provide other info, too. Thanks for your time.

What happens if you just run pwd_mkdb -c /etc/master.passwd as root?
What about just pwd_mkdb? It looks like the error you're seeing in the
log (bsdauth(vlado): unknown user...) comes down to a failure in
getpwent_r(), and would be causing problems before the user's login
class is relevant.
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Dovecot bsdauth(user): unknown user

2014-03-09 Thread Matthew Weigel
On 03/09/2014 03:25 PM, Атанас Владимиров wrote:
 What happens if you just run pwd_mkdb -c /etc/master.passwd as root?
 What about just pwd_mkdb? It looks like the error you're seeing in the
 log (bsdauth(vlado): unknown user...) comes down to a failure in
 getpwent_r(), and would be causing problems before the user's login
 class is relevant.
 
 # pwd_mkdb
 usage: pwd_mkdb [-c] [-p | -s] [-d directory] [-u username] file
 # pwd_mkdb -c /etc/master.passwd
 #
 
 It seems that everything is OK, isn't it?.

Did the problems with unknown user persist afterward?
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: openldap password fails to update

2014-03-08 Thread Matthew Weigel
On Mar 8, 2014, at 6:29 AM, Stéphane Guedon steph...@22decembre.eu wrote:

 Notably, the user fails to auth and do login (with openbsd login
 system AND webpages) eventhough password is correct according to ldap
 itself !

That's a lot more moving parts than just passwords in LDAP. Have you checked
your configuration of all those moving parts? Looked at logs? You don't even
mention what else you're using, much less how they've been configured or what
their logs report.

I am using ypldap from base and login_ldap from ports; your mileage may vary.

 By the way, anybody use the light ldapd daemon included in base ? can
 we update password with it ?

I use it. It does not currently support the modify password extended operation
(what ldappasswd relies on). I am working on a patch for it but I haven't
finished it and it requires a bit more refactoring than just processing one
new request.

Until that's done I rely on a short Perl script I wrote. It's a pretty simple
kind of thing to do; it is more a codification of a particular policy than a
technically challenging problem.
--
Matthew Weigel



Re: openldap password fails to update

2014-03-08 Thread Matthew Weigel
On 03/08/2014 12:16 PM, Stéphane Guedon wrote:

 I am looking through logs and config since the beginning of the
 day... Actually, asking help on forums or mailing lists is always
 my last step in solving problems...

We try to help.

But... giving detailed descriptions of the problem, and showing relevant
configs and logs the first time, goes a long way to helping people help you.

Reading manuals helps too. Among others, ypldap(8), ypldap.conf(5),
login.conf(5), login_ldap(8) from ports, and whatever manuals for OpenLDAP.

 But why can't I authenticate (using ssh or login) on the system ? Do I 
 really have to go through ypldap ? Sounds not efficient to have an 
 intermediate !

There are two separate mechanisms: how user information is looked up,
and how users are authenticated. You provide zero details on how ypldap
or login_ldap are configured, so it's hard to guess whether you have
some configuration wrong. I can say it works for me.

The user lookup is configured (via +:: entries in /etc/passwd and
/etc/group) to use YP routines. Thus the user is looked up in ypldap
when they attempt to login, which is configured to identify the user's
login class as ldap. The ldap login class is configured in login.conf to
authenticate via login_ldap talking to the LDAP server, which is
configured to have the appropriate users.

This is what I meant by that's a lot more moving parts than just
passwords in LDAP.
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: openldap password fails to update

2014-03-08 Thread Matthew Weigel
On 03/08/2014 03:11 PM, Stéphane Guedon wrote:

 when I use 127.0.0.1 in php scripts, I can use ldap.
 if the script is running with 'localhost' then, no ldap data...
 
 Any idea why ?
 I have checked host resolution...
 telnet localhost ldap gives the good behavior

Is PHP running inside a chroot?  Does that chroot have an /etc/hosts
with an entry for localhost?

-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: openldap password fails to update

2014-03-07 Thread Matthew Weigel

On 03/07/2014 04:22 AM, Stéphane Guedon wrote:


# ldappasswd  -x -v -D uid=test,ou=users,dc=22decembre,dc=eu \
-w somesecret -s anothersec
ldap_initialize( DEFAULT )
Result: Other (e.g., implementation specific) error (80)
Additional info: password hash failed


I'm sorry, it's not clear that this is an OpenBSD problem.  See, for 
example, 
http://www.openldap.org/lists/openldap-technical/200902/msg00186.html



There's another thing strange, maybe related to the problem :
slappasswd never gives the same result !

# slappasswd
New password:
Re-enter new password:
{SSHA}8ip4+k3gVAN6Gggf2szhJxo052sI3Fyc
# slappasswd
New password:
Re-enter new password:
{SSHA}JvduTI/JAX1G9AhtlCYEjNHl/6DbE6hs


The whole point of salting is to make the hash different each time.  A 
random salt is used to alter the hash and then that salt is added to the 
end of the hashed string before being base64-encoded to give you the 
hash you see.

--
 Matthew Weigel
 hacker
 unique & idempot . ent
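What slappasswd is doing with {SSHA}, written out as an added example (not code from the thread or from OpenLDAP): SHA-1 over the password followed by a random salt, then base64 of digest||salt, which is why the two outputs above differ and why a verifier can still check either one by pulling the salt back out of the stored value. The example uses a 4-byte salt because the two 32-character values quoted above decode to exactly 24 bytes, a 20-byte SHA-1 digest plus 4 bytes of salt; everything else (passwords, salt values) is constructed.

```python
import base64
import hashlib
import hmac
import secrets

SHA1_LEN = 20

def ssha_hash(password: str, salt: bytes = None) -> str:
    """Produce a {SSHA} value: SHA-1 over password||salt, then base64 of
    digest||salt.  A fresh random salt each call is what makes two hashes
    of the same password differ."""
    if salt is None:
        salt = secrets.token_bytes(4)        # 4 bytes, matching the values above
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(stored: str) -> tuple:
    """(digest, salt) recovered from a stored {SSHA} value: the salt is
    simply whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("too short to hold a digest and a salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]

def ssha_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    one, two = ssha_hash("example"), ssha_hash("example")
    print(one, two, one != two, ssha_verify("example", one), ssha_verify("example", two))
```

The salt stops an attacker from reusing one precomputed table across all users, but a single unsalted-speed SHA-1 per guess is still very cheap to brute-force; for a directory you control, a bcrypt {CRYPT} value (as in the rootpw thread above) is the better thing to store.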



Re: Native ldapd and ldappasswd

2014-02-28 Thread Matthew Weigel
On 02/28/2014 05:19 AM, Joel Carnat wrote:


 Feb 28 12:13:49.204 [18750] got extended operation 1.3.6.1.4.1.4203.1.11.1
 Feb 28 12:13:49.204 [18750] unimplemented extended operation 
 1.3.6.1.4.1.4203.1.11.1

There, that's the problem.  The ldappasswd utility relies on that
extension to modify passwords, rather than trying to read/write the
userPassword directly.  It is not currently implemented in OpenBSD's ldapd.
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: More OpenBSD on Hacker News -- RBAC and jails anyone?

2014-02-23 Thread Matthew Weigel
On 02/23/2014 08:09 PM, openda...@hushmail.com wrote:

 1. Why doesn't OpenBSD have something like RBAC?

RBAC has a lot more knobs to tweak, so you can always go back after a
security incident and say "aha! I need to tweak *that* knob to prevent
this next time!"  But it has a steep learning curve, and everything you
don't know about how your RBAC is configured is as much a problem as
everything you got wrong.  Most people use RBAC on Linux by turning it off.

OpenBSD permissions are fairly simple, thoroughly considered,
and set up with sane defaults.  Most people continue to rely on just
these basic controls, on OpenBSD *and* on systems with RBAC.

 2. Is chroot really inferior to FreeBSD jails?

As best as I can tell, jail basically accomplishes three things: it
severely restricts even the root user inside the jail, it lets you
restrict some bad things from occurring inside a jail, and it hides
processes outside the jail. The first part is interesting from a
virtual root access standpoint, but adds a lot of code and complexity
for that one use case. The second part (e.g., not allowing LKM inside
the jail) is really only a good idea if you thought letting people do
those things outside the jail is still good... on OpenBSD you can
control most of those things globally. The last bit seems pretty
uninteresting, unless (again) you are trying for virtual root access.
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Matthew Weigel

On 2014-02-21 5:09, Joel Carnat wrote:

What is the (native) way to generate the SSHA hashed format for rootpw?


Is there a particular reason you want to use SSHA?  Here is a short 
script that should run fine on a stock OpenBSD machine to generate a 
bcrypt hash suitable for the userPassword attribute of ldapd.


#! /usr/bin/perl
use strict;

# Read one plaintext password per line and print a {CRYPT} bcrypt hash.
while (<>) {
    my $salt = '';
    my $new_pw = $_;
    chomp($new_pw);

    my @chars = split //,
        "abcdefghijklmnopqrstuvwxyz" .
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ" .
        "0123456789+/";

    for (my $i = 0; $i < 21; $i++) {
        $salt .= $chars[int(rand($#chars+1))];
    }

    # 21 salt characters followed by the password itself (this is the
    # salt handling the follow-up message corrects)
    my $rnd_salt = '$2a$06$' . $salt . $new_pw;

    my $hash = crypt($new_pw, $rnd_salt);
    print("{CRYPT}$hash\n");
}

--
Matthew Weigel
hacker
unique  idempot . ent



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Matthew Weigel

On 2014-02-21 9:24, Matthew Weigel wrote:

On 2014-02-21 5:09, Joel Carnat wrote:

Here is a short
script that should run fine on a stock OpenBSD machine to generate a
bcrypt hash suitable for the userPassword attribute of ldapd.


Nope nope nope.  That script is incorrect in a couple of ways.  Most 
significantly it leaks the first two bits of the user's password, 
because I didn't understand how to pass the salt correctly.  I don't 
know if anyone actually WANTS a corrected version of the script, but I 
can't leave the uncorrected one out there.


#! /usr/bin/perl
use strict;

# Read one plaintext password per line and print a bcrypt hash for it.
while (<>) {
    my $salt = '';
    my $new_pw = $_;
    chomp($new_pw);

    # bcrypt's own base64 alphabet, in index order
    my @chars = split //,
        "./ABCDEFGHIJKLMN" .
        "OPQRSTUVWXYZabcd" .
        "efghijklmnopqrst" .
        "uvwxyz0123456789";

    for (my $i = 0; $i < 21; $i++) {
        $salt .= $chars[int(rand($#chars+1))];
    }

    # the 22nd salt character carries only 2 bits: '.', 'O', 'e' or 'u'
    $salt .= $chars[int(rand(4))*16];

    my $rnd_salt = '$2a$08$' . $salt;

    my $hash = crypt($new_pw, $rnd_salt);
    print("$hash\n");
}

--
Matthew Weigel
hacker
unique  idempot . ent
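
The corrected script above builds the 22-character bcrypt salt by hand. The following Python is added here as an illustration and is not part of the thread: it encodes 16 random bytes with the bcrypt base64 alphabet the way OpenBSD's bcrypt encode_base64() does, which is why the 22nd character can only be '.', 'O', 'e' or 'u', and it shows what crypt(3) actually consumes when a 21-character salt is followed by the password, as in the first version of the script. The function names and the sample values are mine.

```python
import os
from typing import Optional, Tuple

# bcrypt's own base64 alphabet (not the RFC 4648 one)
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def bcrypt_b64_encode(data: bytes) -> str:
    """Encode bytes like OpenBSD bcrypt's encode_base64(): 3 bytes -> 4 chars,
    no padding, with a short final group when len(data) % 3 != 0."""
    out = []
    i, n = 0, len(data)
    while i < n:
        c1 = data[i]
        i += 1
        out.append(BCRYPT_B64[c1 >> 2])
        c1 = (c1 & 0x03) << 4
        if i >= n:
            out.append(BCRYPT_B64[c1])  # 2 payload bits left: index 0/16/32/48
            break
        c2 = data[i]
        i += 1
        c1 |= c2 >> 4
        out.append(BCRYPT_B64[c1])
        c1 = (c2 & 0x0F) << 2
        if i >= n:
            out.append(BCRYPT_B64[c1])
            break
        c2 = data[i]
        i += 1
        c1 |= c2 >> 6
        out.append(BCRYPT_B64[c1])
        out.append(BCRYPT_B64[c2 & 0x3F])
    return "".join(out)


def make_setting(cost: int = 8, salt: Optional[bytes] = None) -> str:
    """Build a '$2a$NN$' + 22-character setting string from 16 salt bytes
    (128 bits of salt; the 22nd character has only 2 bits to carry)."""
    if salt is None:
        salt = os.urandom(16)
    if len(salt) != 16 or not 4 <= cost <= 31:
        raise ValueError("need 16 salt bytes and a cost between 4 and 31")
    return "$2a$%02d$%s" % (cost, bcrypt_b64_encode(salt))


def check_setting(setting: str) -> Tuple[bool, str]:
    """Check that a setting string is well formed for bcrypt."""
    if not setting.startswith("$2a$") or len(setting) != 29:
        return False, "expected '$2a$' prefix and 29 characters total"
    cost, salt = setting[4:6], setting[7:]
    if setting[6] != "$" or not cost.isdigit() or not 4 <= int(cost) <= 31:
        return False, "cost must be two digits in 04..31 followed by '$'"
    if any(ch not in BCRYPT_B64 for ch in salt):
        return False, "salt contains characters outside the bcrypt alphabet"
    if salt[-1] not in ".Oeu":
        return False, "22nd salt character must encode only 2 payload bits"
    return True, "ok"


def effective_salt_of_buggy_script(salt21: str, password: str) -> str:
    """What crypt(3) sees when 21 salt characters are followed by the
    password: the password's first character becomes the 22nd salt
    character, so the setting string now depends on the password."""
    return (salt21 + password)[:22]


if __name__ == "__main__":
    s = make_setting(8)
    print(s, check_setting(s))
    print(effective_salt_of_buggy_script("A" * 21, "hunter2"))
```

Only the setting string is built here; the hash itself still comes from crypt(3) on the OpenBSD box, exactly as the Perl script does.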



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Matthew Weigel

On 2014-02-21 10:07, Raimo Niskanen wrote:


I guess you can use 'openssl passwd' for that,
or 'openssl passwd -1' for MD5 password
however that is tagged if allowed in LDAP...


It doesn't look like openssl passwd knows about bcrypt at all (either 
internally, or via crypt()).  While I think ldapd would be fine with 
either the old DES-based crypt() hash or the MD5-based hash - you would 
just need to prefix it with {CRYPT} I think - neither of those is 
really a good idea for hashing passwords anymore.

--
Matthew Weigel
hacker
unique  idempot . ent



Re: OpenBSD rootkits

2014-02-18 Thread Matthew Weigel

On 02/18/2014 11:29 PM, Daniel Cegiełka wrote:


https://github.com/freebsd/freebsd/blob/master/contrib/openpam/include/security/openpam.h#L358


It appears to be a way to embed fallback authentication modules in case 
the shared library can't be found.


Go on, look at where else OPENPAM_STATIC_MODULES is used, and how.

https://github.com/freebsd/freebsd/blob/master/contrib/openpam/lib/libpam/openpam_load.c#L54 
is basically the only place.



--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Is [binary] package signing planned?

2014-02-04 Thread Matthew Weigel

On 02/04/2014 01:11 PM, Daniel Cegiełka wrote:

2014-02-04 Marc Espie es...@nerim.net:

signify(1) makes things more transparent: no chain of trust, pure keys.

One cool thing is that the signatures are small enough that they can be
embedded directly in the package (which already has sha256 for 
everything).


This has the advantage of decentralization: package snapshots can be
partially synchronized, and still each package carries its own signature.
Less margin for strange errors - stuff that works most of the time - more
trustworthy.


wow!? really? And how can I be sure that the public key that I
downloaded is exactly the same public key, which is stored on OpenBSD
servers (MITM)?


You can't.  But at least that's transparent, rather than obfuscated 
somewhere down a chain of trust.

--
Matthew Weigel
hacker
unique  idempot . ent



Re: erlang : manpages : inaccessible

2014-02-04 Thread Matthew Weigel

On 02/04/2014 05:48 PM, Mayuresh Kathe wrote:

i am running 5.4 and have installed erlang using pkg_add.
works well, just can't access the man pages.
have added the following line to /etc/man.conf
erlang  /usr/local/lib/erlang/man/
am sure about either having done something wrong or missed a step somewhere.
can i be helped?


What command are you running to try to read them?  I believe you should 
be using man erlang <page> with that configuration.

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Virtualize or bare-metal?

2014-01-13 Thread Matthew Weigel
On 1/13/2014 9:11 PM, Christopher Ahrens wrote:
 Jack Woehr wrote:
 Christopher Ahrens wrote:

 Wish I could split everything off to physical, but all I have for
 space for is a mini-rack that fits under my desk in my apartment

 Sounds like you have answered your own question!

 
 What I meant by bare-metal was if I should run a bunch of services on the same
 installation of OpenBSD.

Well, hardware failures on a small pool of machines are still hardware
failures on a small pool of machines, whether you have virtual servers or not.

For security, chroot (especially with privilege separation) accomplishes a lot
of what virtualization claims to offer, with a much longer history of auditing
and better understood weaknesses.

It is usually easier, in my experience, to manage one system running many
services in individual chroot environments than to manage many (virtual)
systems.  Files in chroot environments will sometimes need to be updated when
you change the main system, but in my experience this is a much easier task to
identify and manage than applying those changes en masse to a collection of
virtual hosts.  Plus, there will be plenty of system updates to the main
system that don't need to trickle down to the chroot environments, but will
almost always need to be applied individually to each virtual host.

You may still want to physically separate some concerns if you have enough
machines (e.g., build machines vs. service machines, spreading out
disk-intensive services, etc.), but in general I don't think virtualization
will particularly help you.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: outgoing smtpd: Too many recipients

2013-12-17 Thread Matthew Weigel
On 12/17/2013 5:37 AM, Jan Stary wrote:

 That's the relay which is rejecting my messages
 if there are too many recipients in them.
 
 I deleted all the failed ones from my queue
 and after some time, resent to the individual recipients (~120)
 one by one with a bit of grepawkery; that went fine.

http://www.sendmail.com/sm/open_source/docs/m4/tweaking_config.html (look for
MaxRecipientsPerMessage)

It seems that in this case sendmail really does just want the sending mailer
to retry those addresses later.

You might want to do a test run and just let deferred recipients sit for a
while, to see if they do eventually get delivered.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: ldapd user password change

2013-12-12 Thread Matthew Weigel
 On Dec 12, 2013, at 12:49 AM, Predrag Punosevac punoseva...@gmail.com wrote:
 
 I just finished first of several LDAP deployment using LDAP server from
 the base. So far works like a charm. One quick question. I know that
 LDAP from the base is pretty bare bone but I was wondering it it
 supports user password change. My clients are by the way RedHat machines
 using SSSD instead of PAM for directory services. 

The base ldapd doesn't implement the RFC 3062 password modify extended 
operation. It appears that SSSD relies on that extended operation to work.

It seems like it would be MOSTLY straightforward to implement... Except for 
users with {BSDAUTH} values in userPassword.
-- 
 Matthew Weigel



Re: cvsync, rsync

2013-09-19 Thread Matthew Weigel

On 09/19/2013 08:46 AM, hru...@gmail.com wrote:

From time to time I think I should follow Kenneth Westerback's
recommendation and go to a "math-for-idiots" list, for example to Usenet
Group sci.math, and then make a link to this thread in gmane: they will
sure admire Marc Espie's wisdom and his efforts teaching idiots like me.


That seems like a useful exercise for you to do.  Like Marc said very 
early on, rsync is based in part on Andrew Tridgell's PhD Thesis, 
Efficient Algorithms for Sorting and Synchronization.  You can find it 
and read it at http://www.samba.org/~tridge/phd_thesis.pdf.


A little more searching might also lead you to 
http://www.big.info/2013/04/md5-hash-collision-probability-using.html 
which tries to answer your exact question.  It also points at 
http://en.wikipedia.org/wiki/Birthday_attack where you'll see pretty 
much your exact questions answered.  The probability of a collision of 
MD5, a 128-bit hash (used by modern rsync rather than MD4; ignoring the 
16-bit rolling signature), for 2 4TB files is about 10^(-12).


That's approximately on par with the likelihood of the hard drive 
reading a bit wrong after you're done using rsync (per Christian 
Weisberger). However, that's ignoring the rolling signature.  In fact, 
you need to have both the rolling signature (16 bits) *and* the MD5 hash 
match at the same time.  The probability of both combined is right about 
10^(-15) of a hard drive read error.


That is all of the math.  The references and documents are right there.  
If you are still worried about it, you are trolling either misc@ or 
yourself or both.

--
Matthew Weigel
hacker
unique  idempot . ent



Re: sudo configuration !ttytickets?

2013-09-12 Thread Matthew Weigel

On 2013-09-11 19:59, Michael W. Lucas wrote:


This, well, kind of surprised me. I'm sure you folks have thought this
through in much more detail than I have, but I can't find anything on
the rationale behind it.

It seems insecure. Can anyone enlighten me as to the thinking here?


I can't say whether this is the thinking of the OpenBSD developers, but 
I have seen some concerns over the years that tty_tickets gives a false 
sense of security.

--
Matthew Weigel
hacker
unique  idempot . ent



Re: mysql.sock location

2013-08-18 Thread Matthew Weigel
On 8/18/2013 5:29 AM, Ville Valkonen wrote:
 ehm.. 127.0.0.1 == localhost

http://dev.mysql.com/doc/refman/5.5/en/connecting.html

On Unix, MySQL programs treat the host name localhost specially, in a way
that is likely different from what you expect compared to other network-based
programs. For connections to localhost, MySQL programs attempt to connect to
the local server by using a Unix socket file.

So no, 127.0.0.1 != localhost in the context of MySQL on Unix.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Install drivers

2013-08-12 Thread Matthew Weigel

On 08/11/2013 10:35 AM, josef.win...@email.de wrote:


I want to support as much hardware as possible 'out of the box'
and since a network can't be assumed, I need to preinstall the
drivers.


GENERIC supports as much hardware as possible 'out of the box.'
--
Matthew Weigel
hacker
unique  idempot . ent



Re: SSHD setup

2013-08-09 Thread Matthew Weigel

On 08/09/2013 03:24 PM, Lance Ferrer wrote:


I'm not sure if I need to create the keys or what, looking for a little
bit of guidance.  Sorry for the trouble with probably such a simple 
task.


Did quite a bit of googling, no luck


You could create them yourself by running ssh-keygen -A as root. 
However, that is run at every boot by /etc/rc (it only generates keys if 
there are no existing keys), so I would guess either a) you haven't 
rebooted yet or b) something is wrong with your system that is 
preventing these files from getting created.


You don't need sshd_flags in /etc/rc.conf.local unless you want to 
change the default set in /etc/rc.conf.


--
Matthew Weigel
hacker
unique  idempot . ent



Re: Upstream error: Nginx, slowcgi, and perl/cgi support.

2013-07-09 Thread Matthew Weigel

On 2013-07-09 13:18, Özgür Kazanççı wrote:


And using nginx with chroot-disabled, (-u) didn't help either.


That isn't surprising, because nginx's chroot won't affect things run
by slowcgi (which chroots itself separately).  Also, when running with
nginx chroot disabled, did you also adjust path to the slowcgi socket?


If you just want to see if nginx works try /var/www/cgi-bin/test-cgi
which uses /bin/sh, chmod it appropriately and copy /bin/sh to
/var/www/bin/sh (/bin/sh *is* statically linked)

Tried this, same error: 502 Bad Gateway


Have you run slowcgi with the -d flag to see its side of the story?
--
Matthew Weigel
hacker
unique  idempot . ent



Re: OpenCL/Cilk parallel computing on OpenBSD

2013-05-17 Thread Matthew Weigel

On 2013-05-17 9:23, NU-g.lister wrote:

Hello misc,

I am interested to find out if anyone has done is using parallel
computing libraries on OpenBSD?

I did some web searches to no avail libs from AMD (OpenCL) have a
limiting clause and I cannot find whether a port/package exists for
OpenBSD (tried pkg_add opencl and pkg_info opencl). Cilk at least has
a more liberal license and I can find probably a OpenCL implementation
with a better license...

I am just looking for some pointers.


You might try simply building cilk and seeing how it goes.

OpenCL is going to be a non-starter, I believe it requires both 
proprietary userland tools and proprietary kernel bits that are not 
available.

--
Matthew Weigel
hacker
unique  idempot . ent



Re: A warm welcome to a gentoo hardened administrator?

2013-05-17 Thread Matthew Weigel
On May 17, 2013, at 11:24 AM, Dārayavahush Khola da.kh...@gmail.com wrote:

 Just out of curiosity. Why is it damned?

You wanted "...blogs written by
knowledgeable people"

But even when it's right at the time it was written, a blog post from a year 
ago is not as accurate as the man pages current for your release. 

It may take a bit more time to figure out than a breezy post that glosses over 
paths not taken, but you won't even know that you could have taken another, 
better path.
-- 
 Matthew Weigel



Re: Sturdy and secure mail server

2013-05-02 Thread Matthew Weigel

On 2013-05-02 16:56, Chris Cappuccio wrote:


You are going to spend a bit of time in the MTA and Dovecot docs to
figure out some of these things. Now, if you use fdm, you really
don't need an MTA at all. fdm would have to deliver to the dovecot
LDA or use its own LDA in the same directory structure that
Dovecot retrieves mail from...


This is the important part: dovecot and postfix or opensmtpd can do what 
you need.  There are a ton of details to understand and get right, so 
reading the docs is really your best starting point.  Most of what 
you've described is a bog standard mail server with IMAP hosting, plus a 
mail client that knows about multiple mail accounts, plus an IMAP fetch 
(maybe?).


Or maybe there is something you're not being clear about in your 
description, in which case... you REALLY need to read the docs, because 
no one else can be sure they're describing how to do the thing you 
ACTUALLY want to do.  Are all of the accounts gmail, and you simply want 
to archive all gmail messages somewhere away from Google?  Do you intend 
to run the MX for some of these accounts, but not all?


Definitely read the docs.
--
Matthew Weigel
hacker
unique  idempot . ent



Re: mixing ports and non-ports programs

2013-04-14 Thread Matthew Weigel
On 4/14/2013 10:03 AM, Alan Corey wrote:

 This is ridiculous.  A whole year and a half and it's been abandoned.

You get a year, free, where people will happily help you.

 Look at how long FreeBSD or Debian supports their versions.

Debian supports two releases back too, as I recall, they just take a lot
longer between releases.  FreeBSD does a lot of what looks like crazy work to
maintain multiple versions, but they also have the occasional $250k+ donor
(and they still don't release as frequently as OpenBSD).

 Now I actually /use/ OpenBSD, every day, on 3-4 machines.  Consider
 them production machines even though I'm retired.

Isn't it nice having free technical support for production machines?  Yet it
has its limits.

 I do experimental
 things with the likes of Gnuradio and the Osmocom suite lately, not
 the operating system.  I might replace an operating system once in the
 3-5 year expected life of a hard drive.

Poor security procedure, poor disaster recovery procedure.

 I could understand if Microsoft stopped supporting Vista, because it
 was so bad many places wouldn't even use it, but OpenBSD 5.0 isn't
 that different from 5.2.

I would understand it less if a software license I'd paid so much for came
with only a year of support.  It turns out the world makes at least a little
sense.

 Some things don't work under 5.2, just as some things don't work under
 5.0.  You fix bugs, you introduce new ones, it isn't always an
 improvement from the user's perspective.  We used to have a policy of
 never buying  a Windows version until the first service pack came out.

5.2 IS the service pack for 5.1.  5.1 IS the service pack for 5.0.  The
developers put a lot of effort into making each upgrade categorically better.

 Once again we're off on a tangent and I never got an answer to my
 question of how to mix ports and non-ports versions of things.
 Something like a way to uninstall a port without having to uninstall
 everything that depends on it.  Or replace a port from sources and
 leave everything else in place.

The main answer you got is run -current for the most current packages, where
this is less of a problem.  And you went off on a tangent on how it's
unacceptable that all of this software you are downloading for free didn't
come with all the free tech support you wanted.

Another answer might be use ports if they work for you, don't if they don't.
 You *can* maintain multiple versions of things if you use different paths,
introducing about as much heartache as you'd expect.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Shell for PF

2013-02-16 Thread Matthew Weigel
On Feb 16, 2013, at 5:28 AM, Vadim Zhukov persg...@gmail.com wrote:

 2013/2/16 Fil DiNoto fdin...@gmail.com:
 But this is all off-topic, I'm not slaming pf in any way i love it. I
 was just saying it can't hurt to try to emulate what people know if at
 all possible. And the fact is that junos/ios have the market share so
 thats what people know.

Sorry, Vadim, for responding to Fil through your email.

I think there is a real risk to trying to present an interface that is 
reminiscent of other systems, that behave differently and do less. People will 
begin to expect that pf does the same things - no more, no less. Power that is 
specific to pf over other systems will be ignored, because people will think 
that since they are familiar with the interface they know what they're doing.

Presenting a different interface is a FANTASTIC way to communicate 'difference' 
to the user. It forces them to  think about the difference sooner, rather than 
when things aren't working as expected (or after they've bought more equipment 
on top of the OpenBSD firewall because JunOS can't do that).

If that means people don't learn pf because they realize very quickly that it's 
unlike anything they know... That is a SERVICE being provided. They knew they 
didn't have the time to figure it out before they got ass-deep into it.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: rc.d start claims to have failed, but actually succeeds

2013-01-19 Thread Matthew Weigel
On 1/19/2013 10:23 PM, Forman, Jeffrey wrote:

 One thing to note, is that the (failed) shows up after 5-10 seconds, not
 immediately. But the issue is that the Python script itself is actually
 running on the machine. Only rc.d claims it has failed.

When rc_bg=YES, rc_cmd start does the equivalent of rc_cmd check waiting
for the named daemon to show up in the process list.

Since /usr/local/pf-graphite/pfloggraphite is a Python script, the process
listing begins with /usr/local/bin/python (or whichever python), *not*
/usr/local/pf-graphite/pfloggraphite.

 I have read the rc.d and rc.subr man pages but perhaps am missing an import
 detail in my rc.d file or script itself. Anyone able to shed some light?

I believe you need to define pexp after sourcing rc.subr.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: A point about the BSD license I'm feeling edgy about

2012-12-28 Thread Matthew Weigel
On 12/28/2012 7:20 PM, Live user wrote:
 The BSD license says that
 
  * Copyright (c)
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the
  * above  copyright notice and this permission notice appear in all
  * copies

Where did you find that?

http://www.openbsd.org/policy.html cites the Berkeley copyright notice as
saying (in part)

 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.

Which seems to address your concern quite precisely.  Existing code with that
notice must retain that notice, even in derivative works.  Binary
distributions should include the notice, but not necessarily exclusively.

The version of the BSD license cited at opensource.org
(http://opensource.org/licenses/BSD-2-Clause) also makes it clear:

% Redistribution and use in source and binary forms, with or without
% modification, are permitted provided that the following conditions are met:

%    Redistributions of source code must retain the above copyright notice,
%    this list of conditions and the following disclaimer.
%    Redistributions in binary form must reproduce the above copyright
%    notice, this list of conditions and the following disclaimer in the
%    documentation and/or other materials provided with the distribution.

And this is exactly what everyone is doing, and no one has found a way to sue
over it yet... which at least suggests your concern is misguided.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: responding to buttonpress ACPI event sent by KVM/Qemu (same behavior in v5.2)

2012-11-24 Thread Matthew Weigel
On 11/24/2012 12:38 PM, Tomas Bodzar wrote:

 I'm not interested in assigning blame, or seeing it assigned. I'd simply 
 like to
 see the problem solved, somehow.

 Would a developer be willing to have a look, if I set up a v5.2 sandbox on 
 the
 debian host?
 
 I think that for start devs will be missing what type of
 virtualization you're using on Debian, then it will be fine to see
 complete dmesg from OpenBSD guest 5.2 and as well latest snapshot.

I would guess that they might also like to see some evidence that this
problem had been reported to the Qemu and libvirt developers, in the
interest of being not interested in assigning blame.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Dilemma: between OpenBSD and NetBSD

2012-08-12 Thread Matthew Weigel
On 08/12/2012 08:16 PM, Kevin Chadwick wrote:

 It is faster with softdep and safer without. My mail client has similar
 choices in it's options. Which do you think my mail client enables by
 default... The safe option of course. So does OpenBSD which isn't like
 Linux userspace.

Is 'safer' really the right word here?  As I understand it, with or
without softdeps, the filesystem on disk will be consistent and
recoverable (excepting, of course, that when a disk confirms a write is
completed isn't necessarily when the write is completed).

The difference is that with softdeps, you don't have the guarantee that
metadata writes have been completed (insofar as the kernel can know)
when the syscall to change it returns.

On the other hand, because predicting the state of your filesytem after
a crash is a bit harder with softdep enabled, leaving it turned off by
default seems like a sensible choice.

The really unsafe, choice, though, is mounting async, which can lead to
unrecoverable filesystems in the event of a crash.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: spamd greylisting: false positives

2012-05-25 Thread Matthew Weigel

On 25.05.2012 01:09, David Diggles wrote:

Can messages get dropped if mail servers fail to resend within
time interval, after receiving the initial temporary failure message?


A qualified yes.  The message isn't dropped if the sending server fails
to resend before greyexp hours, it is dropped the first time delivery is
attempted; if other attempts to deliver occur before passtime minutes
pass, or after greyexp hours, the message will continue to be dropped.

You reduced the whitelisting interval from (25 minutes, 240 minutes] to
(5 minutes, 60 minutes], a pretty big cut.  Perhaps that is your problem.

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: spamd greylisting: false positives

2012-05-25 Thread Matthew Weigel

On 25.05.2012 01:09, David Diggles wrote:

Can messages get dropped if mail servers fail to resend within
time interval, after receiving the initial temporary failure message?


It's dropped when it's first received, and it will continue to get
dropped until passtime minutes have passed.  If it is then received
before greyexp hours have passed, it will be delivered and the remote
host will be whitelisted for sending mail.  If greyexp hours pass
without seeing that tuple again, the tuple is deleted and it's back to
the beginning for that host.

You reduced greyexp to 1 hour, which may well be causing your problems.
--
 Matthew Weigel
 hacker
 unique  idempot . ent
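
The timing rules in the two replies above are easier to see on a timeline. The following Python is an added illustration, not spamd's code and not part of the thread: it is a simplified model of the greylisting behaviour as described (a tuple is the connecting IP, envelope sender and envelope recipient; passtime and greyexp as in spamd.conf), with a helper that runs one sender's retry schedule through it. The class, function names and the sample addresses are mine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MIN = 60
HOUR = 60 * MIN

# A greylist tuple is (connecting IP, envelope sender, envelope recipient).
Tuple3 = Tuple[str, str, str]


@dataclass
class GreyEntry:
    pass_at: int    # first_seen + passtime: retries before this are still refused
    expire_at: int  # first_seen + greyexp: the tuple is forgotten after this


@dataclass
class GreylistModel:
    """Simplified model of the greylisting behaviour described in the post
    (not spamd's implementation). passtime and greyexp are in seconds."""
    passtime: int = 25 * MIN
    greyexp: int = 4 * HOUR
    grey: Dict[Tuple3, GreyEntry] = field(default_factory=dict)
    white: Set[str] = field(default_factory=set)   # whitelisted source IPs

    def attempt(self, src_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        if src_ip in self.white:
            return "accept"                 # host already whitelisted
        key = (src_ip, mail_from, rcpt_to)
        entry = self.grey.get(key)
        if entry is not None and now >= entry.expire_at:
            del self.grey[key]              # greyexp passed: back to the beginning
            entry = None
        if entry is None:
            self.grey[key] = GreyEntry(now + self.passtime, now + self.greyexp)
            return "tempfail"               # first sighting: 45x, try again later
        if now < entry.pass_at:
            return "tempfail"               # retried too early: still refused
        del self.grey[key]
        self.white.add(src_ip)
        return "whitelist"                  # delivered, and the host is whitelisted


def simulate(passtime_min: int, greyexp_h: int, retry_offsets_min: List[int]) -> List[str]:
    """Outcome of each delivery attempt for one tuple; attempts are given in
    minutes after the first one. Addresses are constructed sample values."""
    model = GreylistModel(passtime=passtime_min * MIN, greyexp=greyexp_h * HOUR)
    return [model.attempt("192.0.2.25", "list@example.test", "me@example.test", t * MIN)
            for t in retry_offsets_min]


if __name__ == "__main__":
    # a common MTA backoff schedule: 0, 15 min, 30 min, 1 h, 2 h, 4 h
    backoff = [0, 15, 30, 60, 120, 240]
    print("defaults (25 min / 4 h):", simulate(25, 4, backoff))
    print("cut down (5 min / 1 h): ", simulate(5, 1, [0, 90, 270]))
```

With the defaults a sender that retries at 90 minutes is whitelisted; with greyexp cut to one hour the same sender finds its tuple expired on every retry and never gets through.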



Re: spamd greylisting: false positives

2012-05-25 Thread Matthew Weigel

On 25.05.2012 10:50, David Diggles wrote:

I wasn't receiving email, from lists.openbsd.org and also from my
work email address, until I added the respective smtp servers to
the whitelist table in pf.

I could see them in the greylist when I typed spamdb.


In the greylist, or in the whitelist (both are stored in
/var/db/spamdb)?  I'm wondering now whether your /var/db/spamdb
got wiped out when you upgraded.  If that happened, then all
pre-existing whitelist entries would be gone, and emails would
have to go through greylisting again.

Also, if your standard procedure when making changes was as below
(wiping out spamdb), you would be pretty much guaranteed to drop
a lot of mail on the floor given exponential back off.


I will go ahead and flush the spamdb database, and the pf tables
and start over with default everything, no whitelist pf entries.


Presumably you have at least some whitelist entries there, and some
mail in transit that you would like to eventually receive.  Flushing
the database now would mean that anything currently greylisted is
very unlikely to be whitelisted, and anything whitelisted will be
greylisted next time it tries to deliver mail.


This time I will sit on my hands and wait.  Maybe I was not
being patient enough.


With default settings, you need to be patient for 4 hours.  Past 4
hours, the chances are close to nil that you'll get that mail.  Until
4 hours have passed, though, it's completely possible you'll still
receive the mail.


As for gmail;
I have not had this issue sending email from gmail to spamd.


You will.


Seriously though, if I have to keep manually adding smtp servers
to a whitelist, I will run in blacklist only mode.


It's pretty straightforward to script pulling SPF records from Google
and whitelisting them.  Facebook is another company that sends a lot
of mail through many servers, but documents those servers in SPF
records you can poll (say, on a weekly basis).  There are very few
other mail server clusters that have that behavior, so once you
identify those two, and script it, the problem is basically solved.

For example, you could move your current nospamd file to
/etc/mail/nospamd.constant, and then do the following in
/etc/weekly.local:

next_part "Whitelisting Google mail servers"
/usr/sbin/dig _spf.google.com TXT +short | tr ' ' '\n' | grep ip4: \
 | cut -d: -f2 | sort -n > /etc/mail/nospamd.dynamic
cat /etc/mail/nospamd.constant /etc/mail/nospamd.dynamic > /etc/mail/nospamd

/sbin/pfctl -t gmail-white -T replace -f /etc/mail/nospamd 2>&1 \
 | grep -v 'no changes'

That's very close to something someone else shared on misc@ many
moons ago, I don't remember who.
--
 Matthew Weigel
 hacker
 unique  idempot . ent
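
The shell snippet above greps ip4: terms out of a single TXT record. SPF records of large senders commonly delegate to other records through include: mechanisms, so a resolver that follows those chains (with the RFC 7208 limit of 10 lookups and loop protection) gives a more complete whitelist. The following Python is an added example and not part of the thread; it runs against constructed TXT records standing in for DNS, and the domain names, record contents and function names are mine. In production the lookup function would call dig(1) or a DNS library instead.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed TXT records standing in for DNS, so the resolver runs offline.
FAKE_TXT: Dict[str, List[str]] = {
    "example-mail.test": [
        "v=spf1 include:_netblocks.example-mail.test ip4:192.0.2.0/24 -all"],
    "_netblocks.example-mail.test": [
        "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    "loop-a.test": ["v=spf1 include:loop-b.test ~all"],
    "loop-b.test": ["v=spf1 include:loop-a.test ip4:203.0.113.9 ~all"],
    "nospf.test": ["some unrelated text record"],
}


def fake_lookup(name: str) -> List[str]:
    """TXT lookup against the constructed records (empty list if unknown)."""
    return FAKE_TXT.get(name, [])


def spf_networks(domain: str,
                 lookup: Callable[[str], List[str]] = fake_lookup,
                 max_lookups: int = 10) -> Tuple[list, bool]:
    """Collect the ip4:/ip6: networks a domain's SPF record passes, following
    include: chains. Each domain is queried once and at most max_lookups
    queries are made (RFC 7208's limit); the second value reports whether
    that limit cut the walk short, so an incomplete list is never silent."""
    nets = set()
    seen = set()
    queue = [domain]
    lookups = 0
    truncated = False
    while queue:
        name = queue.pop(0)
        if name in seen:
            continue                            # loop or repeated include
        if lookups >= max_lookups:
            truncated = True
            break
        seen.add(name)
        lookups += 1
        for rec in lookup(name):
            if not rec.startswith("v=spf1"):
                continue
            for term in rec.split()[1:]:
                if term[0] in "-~?":
                    continue                    # fail/softfail/neutral: not a sender
                term = term.lstrip("+")
                if term.startswith(("ip4:", "ip6:")):
                    try:
                        nets.add(ipaddress.ip_network(term[4:], strict=False))
                    except ValueError:
                        pass                    # malformed network: skip it
                elif term.startswith("include:"):
                    queue.append(term[len("include:"):])
    return sorted(nets, key=lambda n: (n.version, n)), truncated


def pf_table_text(nets) -> str:
    """One network per line, the format pfctl -T replace -f expects."""
    return "".join(f"{n}\n" for n in nets)


if __name__ == "__main__":
    nets, truncated = spf_networks("example-mail.test")
    print(pf_table_text(nets), end="")
    if truncated:
        print("# warning: lookup limit reached, list is incomplete")
```

Only terms with a pass qualifier are collected; a:, mx and ptr mechanisms are left out deliberately, since resolving them needs further queries and their results change more often than the published netblocks.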



Re: Upgrading OpenBSD

2012-05-22 Thread Matthew Weigel

On 21.05.2012 23:55, Mehma Sarja wrote:

On 5/21/12 9:34 PM, Matthew Weigel wrote:

On 21.05.2012 22:45, Richards, Toby wrote:


Granted: I do hold an MCSE certification, but I don't need it.
The upgrade just works. Well... despite occasional BSOD's ;)


I admit this kind of made me chuckle:
http://www.linkedin.com/pub/toby-richards/37/71a/474

Oy vey,

And this guy holds a degree from Santa Clara Univ? Toby, $40K/year
for this?


To be clear, they are probably different people; it just amused me.
--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Upgrading OpenBSD

2012-05-21 Thread Matthew Weigel
On May 21, 2012, at 9:05 PM, Mike Erdely m...@erdelynet.com wrote:

 On Mon, May 21, 2012 at 9:43 PM, Richards, Toby
 toby.richa...@slo.courts.ca.gov wrote:
 OpenBSD does have an Upgrade
 option, but does it upgrade the installed packages?

 pkg_add -ui

Even more relevant: http://www.openbsd.org/faq/upgrade51.html

Interestingly, when I upgrade a Windows machine, there isn't a command like
pkg_add to update Acrobat Reader, Flash, Firefox, OpenOffice, Emacs, VLC, or
any of my other installed software. Even my Microsoft software like Visual
Studio or SQL Server doesn't get upgraded.
--
 Matthew Weigel



Re: Upgrading OpenBSD

2012-05-21 Thread Matthew Weigel

On 21.05.2012 22:45, Richards, Toby wrote:

Okay, let's compare upgrading OpenBSD 4.9 + Nginx + PHP 5.2.x to
OpenBSD 5.0 + Nginx + PHP 5.3.x vice upgrading
Windows 2003 + IIS 6 + ASPDotNet 3.5 to Windows 2008 +
IIS 7.0 + ASPDotNet 4.0.

In my experience, the MicroEvil Upgrade works without breaking
any of my web apps.


First, can we just call it Microsoft?  Everyone knows what
you're talking about.

Second, can you confirm that you understand you are comparing
the default web stack on Windows with a custom web stack on
OpenBSD?  The default web stack on OpenBSD (although I think it's
changing or it has changed) is Apache + CGI.  What was wrong with
that?

Third, can we agree that if you are choosing to use Nginx and PHP,
you are trying to solve problems that IIS and ASP.Net can't, and
if you are content with IIS and ASP.Net, there was no reason for
you to go out of your way to use Nginx and PHP?  Whether you feel
you have no choice but to use packages... you do, PHP and Nginx
are separate software developed by people not working on OpenBSD.


The OpenBSD upgrade gets confused about
Nginx versions and PHP versions. Maybe it gets less confused
if I happen to know about some system variable that describes
the version of PHP that I want.


http://www.openbsd.org/faq/upgrade50.html#Pkgup

I actually disagree with one of the other responders, that doing
an OS upgrade and running pkg_add -ui is sufficient.  Reading
the upgrade guide painstakingly maintained by the developers, and
following it, is pretty much always your best path.  It's short,
to the point, and not any different from the release notes that
a responsible admin reads when upgrading Windows servers, or
Solaris servers, or hundreds of desktops of any kind.

The problem you describe was called out, emphasized, warned about.
The specific (simple) steps you needed to take to mitigate this
problem were documented, and documented in a place that's been
consistent every six months for 8 years.


Granted: I do hold an MCSE certification, but I don't need it.
The upgrade just works. Well... despite occasional BSOD's ;)


I admit this kind of made me chuckle:
http://www.linkedin.com/pub/toby-richards/37/71a/474
--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: SETUID perl script

2012-04-24 Thread Matthew Weigel

On 24.04.2012 14:22, Christopher Zimmermann wrote:

Hi,

I'm trying to chroot and drop privileges in a perl script. But somehow
I'm not even able to run it setuid root. The setuid bit gets ignored
completely. But as I understand sys/sys/exec_script.h, the
SETUIDSCRIPTS feature is enabled by default. What am I missing?



/tmp% ls -l test.pl


Check the mount options for whatever filesystem /tmp lives on.  Chances are
good it's its own filesystem, and is mounted nosuid.
--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: PHP/HTTP config

2012-03-20 Thread Matthew Weigel

On Tue, 20 Mar 2012 15:23:27 -0600, Duncan Patton a Campbell wrote:

Closest thing I can find are references to the upgrade doc:

in /var/www/conf/php5.sample; symbolic links for active modules were placed in
/var/www/conf/php5. These have moved to /etc/php-5.2.sample and /etc/php-5.2
respectively. You will need to check for existing links in /var/www/conf/php5


Which doesn't explain why...


I'm guessing it has something to do with nginx being incorporated into base,
and maybe also the move of the php port from www/ to lang/.  Technically, it
*is* possible to use PHP for system scripts, you know.
--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Strange sshd + /etc/nologin behaviour

2012-03-14 Thread Matthew Weigel

On Wed, 14 Mar 2012 22:04:59 +0100, André S. wrote:
After some more testing I dare to say that this whole /etc/nologin-thing
in conjunction with ssh can be considered buggy.


Previously in the thread it came out that the andre user could log in because
it was in the staff login class.  Can you confirm that root is in the daemon
login class (as is the default config), and that the daemon login class has
ignorenologin?

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Thanks a lot to all devs of OpenBSD

2011-08-29 Thread Matthew Weigel
On 8/28/2011 10:50 AM, Marc Espie wrote:
 On Sun, Aug 28, 2011 at 05:00:46PM +0200, Tomas Bodzar wrote:
 (and main link which caused that
 http://lists.freebsd.org/pipermail/freebsd-arch/2011-August/011412.html)
 
 This link makes me a little sad. I don't quite get why that guy mentions
 that FreeBSD ports has problems, but then mentions only the netbsd work,
 and blatantly ignores our tools, even though they solve most of the problems
 he has...

They would have to reintroduce Perl into base in order to borrow any code
from OpenBSD ports, though.  If there was will to do that, they probably
wouldn't have taken Perl out in the first place.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: can't intall webalizer on OpenBSD 4.8

2011-06-30 Thread Matthew Weigel

On Thu, 30 Jun 2011 20:50:20 -0300, Marcos Laufer wrote:
Hello list, I can't install webalizer. This is OpenBSD 4.8 stable, (with
pci.c rev 1.72 because this is a X336 IBM server)
Any ideas why?

ul6:/root{194}# pkg_add webalizer
Can't install gd-2.0.35p0 because of libraries
|library fontconfig.7.0 not found
| not found anywhere
|library freetype.17.1 not found
| not found anywhere


Those libraries are probably provided by install sets you didn't install...
like xbase48.tgz.  See http://www.openbsd.org/faq/faq4.html#FilesNeeded for
more information.
--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: OffTopic: ctags and vi (Don't read if you dislike offtopic)

2011-06-07 Thread Matthew Weigel

On Tue, 7 Jun 2011 20:41:22 -0300, Friedrich Locke wrote:

Dear list users,

using vi to go from a function call to the function definition is
just hit ctrl ].
What should I press to get back to the point I left with ctrl ]?


According to vi(1),

 control-T
 Return to the most recent tag context.

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: How to host multiple PHP versions

2011-02-17 Thread Matthew Weigel

On Thu, 17 Feb 2011 05:33:01 +0800, Tito Mari Francis Escaño wrote:

Good day.
I need to setup a development web server that should host both PHP5.2.x and
PHP5.3.x. Our goal is to maintain PHP5.2-based application versions while
having room for growth to have ready environment for PHP5.3 web development.

Can anybody please give me pointers on how this can be done?
One idea I have is to have both multiple web servers in one box like
built-in Apache 1.3 and Apache 2 with PHP5.2.x and PHP5.3.x respectively
each with individual virtual host configuration but it's quite complex,
hoping somebody could advise me on this.


I think you would be better off investigating FastCGI (and php-fastcgi) with
each version of PHP living in a separate chroot and communicating to the web
server over TCP (rather than Unix domain sockets).

I suggest the chroots so that you can better control what libraries, etc., get
pulled in by each version, but it may not be necessary.  The more important
point is using FastCGI so that Apache itself doesn't have to have PHP loaded,
and is therefore not restricted to a single version that it's running.
--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: OpenBSD + lighttpd + php5

2010-07-10 Thread Matthew Weigel
On 7/10/2010 9:55 AM, mlanciau wrote:
 Hello !
 
 I'm trying to install lighttpd (no problem) and to add php to create a
 good web server. But, even if I didn't chroot lighttpd, I don't
 succeed.
 
 Have you any idea ?

What's the fastcgi configuration in lighttpd.conf look like?
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: OpenBSD + lighttpd + php5

2010-07-10 Thread Matthew Weigel
On Sat, 10 Jul 2010 22:27:06 +0200, mlanciau mlanc...@gmail.com wrote:
 well.
 
 I have found a little error in my lighttpd.conf (the bin-path was wrong)
 
 fastcgi.server = ( ".php" =>
     ( "localhost" =>
         (
             "socket" => "/var/www/tmp/php-fastcgi.socket",
             "bin-path" => "/usr/local/bin/php-fastcgi"
         )
     )
 )
 
 
 now it's ok, but it remains a problem...
 
 when I try to load a webpage, I get No input file specified.
 
 I have changed my php.ini but it's not enough...
 
 An other idea ?

This isn't really an OpenBSD problem, or an OpenBSD port issue.
Searching Google for "lighttpd no input file specified" would point you to
http://redmine.lighttpd.net/wiki/1/FrequentlyAskedQuestions which would
direct you to add cgi.fix_pathinfo = 1 to your php.ini.  You may also
find that you need to add 'broken-scriptfilename = enable' to your
lighttpd configuration in the block where you specify the socket and
bin-path, but I would recommend trying it without first.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: openbsd not blob free?

2010-05-05 Thread Matthew Weigel
On Wed, 5 May 2010 17:44:48 +0200, Otto Moerbeek o...@drijf.net wrote:

 Blobs that run on hardware like PCI cards != blobs that run on the same
 processor as the kernel. 

What is the difference between inaccessible firmware on expansion cards
and firmware blobs uploaded to expansion cards by the operating system?

Uploaded firmware blobs generate more traffic on m...@.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: OT: multiple web servers on OpenBSD (WAS: OT: vmware blah blah)

2010-03-11 Thread Matthew Weigel
On Thu, 11 Mar 2010 16:47:54 -0600, Claus cnie...@gmx.net wrote:

 I have the same setup running.  Each apache instance runs chrooted under

 their own user id and home directory.

That's a lot of apache instances running... and how much functionality are
you really getting out of them?

Lighttpd or NginX with FastCGI works very well.  I'm running php-fastcgi
once per domain, chrooted to its virtual host directory; I've also got
non-PHP FastCGI applications running in unrelated chroots.

One process (lighttpd) handles SSL and most logging (each PHP instance logs
in its chroot, but that separates different users' PHP logs too).
Maintenance is still a pain, though, as I have to copy all relevant
binaries, PHP modules, and dependent shared libraries into each chroot
every upgrade.  I keep meaning to write a script to maintain that: copy
new binaries (e.g., php-fastcgi) over, determine what shared objects they
link to, copy those over, and delete old versions.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent
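The maintenance script described in the last paragraph, written out as an added example (not the poster's own code): parse_ldd reads the OpenBSD ldd(1) table and, as an extension, the GNU/Linux layout; HOST_ROOT, the stale-version cleanup in install_file and the sample ldd output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the poster's script: refresh a chroot's copy of a binary
# and of every shared object ldd(1) reports for it, and drop stale library
# versions. Paths, library versions and the sample ldd output are constructed.
set -eu

# Host tree to read from; empty means the live root filesystem. Pointing it
# at a staging tree lets the script be exercised without touching /.
: "${HOST_ROOT:=}"

# parse_ldd: read ldd(1) output on stdin and print one absolute path per line.
# Handles the OpenBSD table (Start End Type Open Ref GrpRef Name), keeping
# every row but the exe row so ld.so comes along, and, as an extension, the
# GNU/Linux "name => /path (addr)" layout so it can be tried elsewhere.
parse_ldd() {
    awk '
        NF == 7 && $3 != "exe" && $7 ~ /^\//   { print $7; next }
        $2 == "=>" && $3 ~ /^\//               { print $3; next }
        NF == 2 && $1 ~ /^\// && $2 ~ /^\(/    { print $1 }
    '
}

# install_file PATH CHROOT: copy $HOST_ROOT$PATH to $CHROOT$PATH, keeping
# mode and times. For a shared library (name contains ".so."), other
# versions of the same library in that chroot directory are removed: the
# "delete old versions" step. Run it only when every binary in the chroot
# is refreshed in the same pass, or a binary you skipped may lose a library
# it still needs.
install_file() {
    path=$1 root=$2
    src="$HOST_ROOT$path"
    dst="$root$path"
    dir=$(dirname "$dst")
    mkdir -p "$dir"
    cp -p "$src" "$dst"
    name=${path##*/}
    case $name in
    *.so.*)
        stem=${name%%.so.*}
        for old in "$dir/$stem".so.*; do
            if [ -e "$old" ] && [ "$old" != "$dst" ]; then
                rm -f "$old"
            fi
        done
        ;;
    esac
}

# sync_into_chroot CHROOT BIN...: copy each binary plus its dependencies.
# ldd lists only link-time dependencies; modules loaded with dlopen(3) at
# run time (PHP extensions, for instance) have to be named explicitly.
sync_into_chroot() {
    root=$1; shift
    for bin in "$@"; do
        install_file "$bin" "$root"
        ldd "$HOST_ROOT$bin" | parse_ldd | while read -r lib; do
            install_file "$lib" "$root"
        done
    done
}

# Constructed ldd(1) output in the OpenBSD format, standing in for a real run.
SAMPLE_LDD='/usr/local/bin/php-fastcgi:
    Start            End              Type  Open Ref GrpRef Name
    0000000000000000 0000000000000000 exe   1    0   0      /usr/local/bin/php-fastcgi
    0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libz.so.5.0
    0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libc.so.96.0
    0000000000000000 0000000000000000 ld.so 0    1   0      /usr/libexec/ld.so'

# sample_deps: the dependency list parse_ldd extracts from SAMPLE_LDD.
sample_deps() {
    printf '%s\n' "$SAMPLE_LDD" | parse_ldd
}

# demo_install: build a tiny staging tree in a temporary directory, install
# a "new" libc into a chroot that still holds an "old" one, and return 0 if
# the new copy is present and the old one is gone.
demo_install() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/host/usr/lib" "$tmp/root/usr/lib"
    echo new > "$tmp/host/usr/lib/libc.so.96.0"
    echo old > "$tmp/root/usr/lib/libc.so.95.1"
    HOST_ROOT="$tmp/host"
    install_file /usr/lib/libc.so.96.0 "$tmp/root"
    HOST_ROOT=
    ok=1
    [ -f "$tmp/root/usr/lib/libc.so.96.0" ] || ok=0
    [ ! -e "$tmp/root/usr/lib/libc.so.95.1" ] || ok=0
    rm -rf "$tmp"
    [ "$ok" = 1 ]
}

sample_deps
demo_install && echo "stale library removed, new one installed"
```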



Re: SMP

2009-12-11 Thread Matthew Weigel
On Fri, 11 Dec 2009 14:56:57 -0500, Daniel Ouellet dan...@presscom.net
wrote:

 Then using PostgreSQL should really work well for you then and you 
 wouldn't really need or benefit much from multicore kernel with the 
 giant lock removed as PostgreSQL is not and do not use threads anyway by

 design oppose to MySQL that does. So, that choice of database eliminate 
 your biggest concern form the start.

Although PostgreSQL uses multiple processes instead of multiple threads,
and that means that (on OpenBSD) PG can scale CPU utilization to all
available processors where MySQL can't... if I understand the situation
correctly, PG would still benefit from a kernel locking approach that
didn't restrict kernel activity to a single CPU core.

However, I would be surprised if that starts being a serious problem before
OpenBSD's limit of ~4GB on i386 and amd64 started being a problem.  And
you actually need a fairly big database before that's a problem, so...
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: mount /usr partition nosuid

2009-12-03 Thread Matthew Weigel
On Thu, 3 Dec 2009 15:30:15 -0500, Mark Romer romes...@gmail.com wrote:
 All, thanks for the responses so far.
 
 I work for the Fed and we have to setup a dns sec bind server on our end.
 I was just reading some of their advice on setting up the server...
 
  2. Mount BIND's chroot filesystem with the noexec,nosuid,nodev options.

E, BIND is chrooted to /var/named.  Which is to say, on a standard
OpenBSD install with 'reasonable' partitions, you would mount /var
noexec,nosuid,nodev - but it defaults to nosuid,nodev, and you'd have to
make your own determination as to whether binaries in /var are okay or not
(I *think* /var/www/bin is the only thing you'd have to look at, but you
can do the digging on that).
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Payment Card Industry (PCI) Data Security Standard HELP!

2009-10-22 Thread Matthew Weigel

Stuart VanZee wrote:


The last is 8.5.13 locking users out after 6 failed login
attempts.  Quite frankly I find this to be a pretty stupid
requirement as it causes a built in denial of service. I see
how creating a custom Authentication style would allow me to
do this (in spite of my reservations), but I don't really do
much in the way of c coding these days.  I have been looking
at the code in login.c and login_passwd.c and I understand
about half of it (I think).  If anyone could give me a shove
in the right direction I would sincerely appreciate it.


You might also want to see if you can accomplish what you want with 
login_radius or login_ldap (the latter is in ports) and a RADIUS or LDAP 
server.

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Payment Card Industry (PCI) Data Security Standard HELP!

2009-10-21 Thread Matthew Weigel

Stuart VanZee wrote:

The company I work for is having their yearly Payment Card Industry
(PCI) assessment and while I believe that OpenBSD is the most secure
OS going, I am having some problems proving it.  Here are some of
the issues I need to figure out.

8.5.9    For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require users to change passwords at least every
 90 days.
 I have no idea how to set OpenBSD to do this, any suggestions?


You configure this in the login class for users (probably the default 
and staff login classes) - see login.conf(5).



8.5.10   For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require passwords to be at least seven characters long.
 I know that OpenBSD uses 6 characters, is there a way to change this?


login.conf(5)


8.5.12   For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require that new passwords cannot be the same as the
 four previously used passwords.
 I have no idea how to set OpenBSD to do this, any suggestions?


You can specify a passwordcheck program in login.conf(5), which you 
could use to store (hashes of) passwords that have been previously used 
by each user.



8.5.13   For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require that a users account is locked out after not
 more than six invalid logon attempts.

8.5.14   For a sample of system components, obtain and inspect system
 configuration settings to verify that user password parameters
 are set to require that once a users account is locked out, it
 remains locked for a minimum of 30 minutes or until a system
 administrator resets the account.
 13 and 14 go together, I know that this isn't the scheme that OpenBSD
 uses.  In OpenBSD, each time a user fails a password attempt it takes
 a little bit longer to get a new login prompt.  Maybe if there was a
 way that I could set it so that by the time six failures happen that
 it takes 30 minutes to get the next login prompt.  Does anyone know
 how to do this or have any other suggestion?


I don't, I'm afraid, and a quick Google (which could have answered some 
of your other questions) suggests that it's come up before both on misc@ 
and elsewhere.  I know you don't want to hear about how the PCI DSS is 
wrong, but in this case their wrongness is, I think, the reason it's not 
an available option.


You could likely implement this yourself with a custom login style, though.


8.5.15   For a sample of system components, obtain and inspect system
 configuration settings to verify that system/session idle time
 out features have been set to 15 minutes or less.
 This one requires that a user must re-enter the password if their
 terminal is idle for more than 15 minutes.  Any ideas how to do this
 with OpenBSD?


You might be able to do this with tmux(1), if you force it to be started 
for every user with some kind of global configuration.  You might also 
be able to go for strictly X11 logins, and then using xlock.

--
 Matthew Weigel
 hacker
 unique  idempot . ent
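As an added example (not from the thread), a shell audit of a login.conf(5) file that follows tc= inheritance and checks one class against the three settings discussed here: passwordtime, minpasswordlen and passwordcheck. The sample file, the pci class and the /usr/local/sbin/pwhistory-check path are constructed for the example; treating an unset minpasswordlen as 6 follows the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check one login.conf(5) class against
# the three password settings discussed (PCI DSS 8.5.9, 8.5.10, 8.5.12).
# The sample file, the "pci" class and the passwordcheck path are constructed.

# audit_class FILE CLASS: print one line per check, exit 0 only if all pass.
audit_class() {
    awk -v want="$2" '
    # Look a capability up, following tc= inheritance; "cap@" means unset.
    function lookup(cls, cap, depth) {
        if (depth > 16) return ""
        if ((cls, cap) in caps)
            return caps[cls, cap] == "@" ? "" : caps[cls, cap]
        if ((cls, "tc") in caps)
            return lookup(caps[cls, "tc"], cap, depth + 1)
        return ""
    }
    # Convert a login.conf time such as "90d", "12w" or "1w3d" to seconds.
    function seconds(t,    total, num, i, c, unit) {
        total = 0; num = ""
        for (i = 1; i <= length(t); i++) {
            c = substr(t, i, 1)
            if (c ~ /[0-9]/) { num = num c; continue }
            if (c == "y") unit = 31536000
            else if (c == "w") unit = 604800
            else if (c == "d") unit = 86400
            else if (c == "h") unit = 3600
            else if (c == "m") unit = 60
            else unit = 1
            total += num * unit; num = ""
        }
        if (num != "") total += num
        return total
    }
    function report(cap, val, ok, note) {
        printf "%s %s=%s %s (%s)\n", want, cap, (val == "" ? "unset" : val),
               (ok ? "ok" : "FAIL"), note
        return ok ? 0 : 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # Backslash-continued lines belong to the same record.
        if (line ~ /\\$/) { buf = buf substr(line, 1, length(line) - 1); next }
        buf = buf line
        n = split(buf, f, ":")
        m = split(f[1], names, "|")      # a class may have aliases
        for (i = 1; i <= m; i++) {
            seen[names[i]] = 1
            for (j = 2; j <= n; j++) {
                if (f[j] == "") continue
                eq = index(f[j], "=")
                if (f[j] ~ /@$/) caps[names[i], substr(f[j], 1, length(f[j]) - 1)] = "@"
                else if (eq) caps[names[i], substr(f[j], 1, eq - 1)] = substr(f[j], eq + 1)
                else caps[names[i], f[j]] = "true"   # boolean flag
            }
        }
        buf = ""
    }
    END {
        if (!(want in seen)) { printf "%s: class not found\n", want; exit 2 }
        fail = 0
        v = lookup(want, "passwordtime", 0)
        fail += report("passwordtime", v, v != "" && seconds(v) <= 90 * 86400,
                       "8.5.9: passwords must expire within 90 days")
        v = lookup(want, "minpasswordlen", 0)
        fail += report("minpasswordlen", v, (v == "" ? 6 : v + 0) >= 7,
                       "8.5.10: at least 7 characters; unset means the default of 6")
        v = lookup(want, "passwordcheck", 0)
        fail += report("passwordcheck", v, v != "",
                       "8.5.12: reuse checks need an external passwordcheck program")
        exit (fail ? 1 : 0)
    }' "$1"
}

# Constructed login.conf(5) fragment: "default" inherits nothing, "pci" and
# "staff" inherit from it via tc=. The passwordcheck path is a placeholder.
SAMPLE_LOGIN_CONF='# constructed sample, not a real /etc/login.conf
default:\
	:passwordtime=365d:\
	:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:

pci:\
	:passwordtime=90d:\
	:minpasswordlen=7:\
	:passwordcheck=/usr/local/sbin/pwhistory-check:\
	:tc=default:

staff:\
	:minpasswordlen=8:\
	:tc=default:'

# audit_sample CLASS: run audit_class on the sample file; returns its status.
audit_sample() {
    f=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_LOGIN_CONF" > "$f"
    if audit_class "$f" "$1"; then st=0; else st=$?; fi
    rm -f "$f"
    return $st
}

for cls in pci staff; do
    audit_sample "$cls" || echo "$cls: NOT compliant"
done
```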



Re: ECL lisp

2009-10-02 Thread Matthew Weigel

Pekka Niiranen wrote:

 From gmane.lisp.ecl.general:

* The OpenBSD port is only building in single threaded mode.
The reasons are


...it's probably not a bad idea when pthreads on OpenBSD are a work in 
progress and don't correspond to kernel threads yet.  Not that I'm 
sneering at threads, but what exactly would having it build in 
multithreaded mode buy you on OpenBSD?

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: OpenBSD as MX server

2009-09-30 Thread Matthew Weigel

Chris wrote:

Hi Sonjaya,

You ask a very open-ended question here.  To get into specifics would
be too difficult in one email.  But here is a rough outline to get you
started.


A rough outline of... something, certainly.  Definitely something mail 
related.  Setting up an MX server?  Not so sure.


   Some people use

Dovecot, but the version included in 4.5 does not include encryption
(though you could probably use stunnel to address that...).


Wait, what?

$ uname -mrsv
OpenBSD 4.5 GENERIC.MP#108 i386
$ grep imaps /etc/dovecot.conf
# Protocols we want to be serving: imap imaps pop3 pop3s
protocols = imaps pop3s
$ pkg_info | grep dovecot
dovecot-1.1.11p1-ldap compact IMAP/POP3 server

Original author wants to replace a Linux MX with an OpenBSD MX?  I think 
the logical approach is to - at least as a first step - look at what the 
Linux MX is doing now.  In all probability that involves using the same 
MTA as is already in use on the Linux machine, the same antispam 
software, and mostly the same configuration files.


Learning about OpenBSD's spamd would be a good idea once that's done, 
but at no point does it really involve dumping everything and just doing 
what someone on a mailing list said.

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: question about spamd behaviour

2009-05-21 Thread Matthew Weigel
On Thu, 21 May 2009 12:54:30 + (UTC), Stuart Henderson
s...@spacehopper.org wrote:
 On 2009-05-21, Robson Caetano inet1...@myself.com wrote:
 The problem is that changing the time of the hour or of the day you
 fetch the blacklist will avoid concurrency but is not fault proof.
 
 It isn't fault proof, but you should do it anyway.

Just to be clear... when spamd-setup is run in /etc/rc, with the -D flag,
it doesn't actually stick around, right?  It just does its job in the
background so that grabbing updated black/whitelists can't hang the
machine.

And then the sample spamd-setup line in crontab runs it every hour, if
it's a good idea for everyone to change it wouldn't it be a good idea
to give an example that only runs e.g. once a day?
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: question about spamd behaviour

2009-05-21 Thread Matthew Weigel
On Thu, 21 May 2009 19:37:58 + (UTC), Stuart Henderson
s...@spacehopper.org wrote:

 As long as people pick their own value for the minutes column, there
 will be some reasonable kind of spread. Are the majority of people not
 doing this anyway? (actually, I guess probably not or this thread
 wouldn't have come up..)

I just followed the directions in spamd(8), 

 spamd-setup(8) should be run periodically by cron(8).  When run in
 blacklist-only mode, the -b flag should be specified.  Use crontab(1) to
 uncomment the entry in root's crontab.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: 4.5 delivery - How do they do it?

2009-04-21 Thread Matthew Weigel

Daniel A. Ramaley wrote:

If you can get precognition working in the network stack, can the same 
technology be applied to other areas? I'm thinking perhaps you could 
adapt the precognition algorithm to generating commits to the CVS tree. 


I'm more interested in seeing what Marco can do in softraid - failover 
prior to disk failure?

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: spam from chrooted CMSes

2009-04-11 Thread Matthew Weigel
Uwe Dippel wrote:

 I'm sorry, but I lack the experience to understand what you mean. I have
 200+ users, several of them having set up (sorry, yes, written!),
 who can install any CMS of their liking, using ftp; or any other script
 that
 sends mail. Some of them are official websites, so I can not shut down the
 whole mini_sendmail business in the chrooted Apache. I also cannot read,
 study,
 hundreds of thousands of lines of code to find out how and where a
 web-page hosted by me allows an attacker to inject a message of her own,
 to a recipient of her own choice.

Then you have grown your userbase too fast with a terrible setup, and now
you're caught in the middle of fixing the problem or avoiding downtime.

 Since mini_sendmail receives it through php from Apache, I wonder how I
 could log e.g. the website from which it was sent, or at least easily
 limit the number of calls of mini_sendmail.

Sure, if you go through and find every line of code where mail() is called,
you can add logging at that point.  But so far you've refused to make any
changes to the applications.

 Again, your idea being fine for an application developer, which I am not.

His idea is the right one.  Most PHP applications I've dealt with support, at
least through plugins or extensions, SMTP + AUTH for sending mail instead of
PHP's mail().

 The only two places where I, IMHO, can see a chance would be with an
 extended
 log or check of Apache or php; whenever a mail-call is logged, from
 which directory, e.g.

I don't think PHP ever changes the working directory except explicitly;
probably every call to mail() (which leads to mini_sendmail) occurs in the
chroot /.

 Yes. But that's a complete coder's work, isn't it? I wonder if there is no
 other solution, as mentioned above.

There are, but they require you to set the parameters of how web apps can work
in your environment so as to enforce a minimum of auditability.  You have
already said that you can't enforce that minimum, and it turns out that you're
left with nothing to audit.

 sendmail_path = /bin/mini_sendmail
 -t -i
 is what I have in php.ini. I wonder, if there are no logging features for
 mini_sendmail or so. I read the man-page online, but didn't see any.

Well, mini_sendmail is an external package... talk to the authors about that,
but I think they'll tell you they can't really track what you need tracked.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: spam from chrooted CMSes

2009-04-11 Thread Matthew Weigel
Uwe Dippel wrote:
 Matthew Weigel unique at idempot.net writes:
 
 Then you have grown your userbase too fast with a terrible setup, and now
 you're caught in the middle of fixing the problem or avoiding downtime.
 
 Are you sure this is not a misunderstanding? When you host user accounts, on a
 tight, default, setup of OpenBSD (or any other OS), and allow them to ftp into
 their web-directories, how could one prevent them from uploading code that
 mail()-s something? Aside of removing mini_sendmail, that is.

Yes, that.

 Sure, if you go through and find every line of code where mail() is called,
 you can add logging at that point.  But so far you've refused to make any
 changes to the applications.
 
 Are you sure that this is not a misunderstanding? Which sysadmin can 'make
 changes to the applications' that his 200+ users run??

My point is that it's not much an option.  Logging how mail() was called
requires you to go in and log each time mail() is called.  PHP won't do it,
Apache won't do it.  So mail() is a terrible option.

 His idea is the right one.  Most PHP applications I've dealt with support, at
 least through plugins or extensions, SMTP + AUTH for sending mail instead of
 PHP's mail().
 
 Are you sure that this is not a misunderstanding? If you host, for example, 
 any
 CMS, it should have the functionality to the remote user, registered with that
 CMS, to request a password reset. Which SMTP+AUTH do you want to use here??

Huh?  I'm talking about the CMS itself authenticating to the SMTP server, and
giving each application a single set of credentials.  This should be set in
the CMS's config files, much like database credentials.  In fact, pretty much
EXACTLY like database credentials, in that (presumably) you've configured each
web application to have its own credentials with privileges specific to that
one application (e.g., what databases it can access).

Here's an example: I run a discussion board.  All email notifications coming
out of the board come from a particular email address; let's call it
bo...@idempot.net.  Then I configure that board's software to connect to my
SMTP server to send mail, and it has to authenticate as bo...@idempot.net to
send any mail.  Now, if my server starts sending out spam, I can check the
logs and see if the spam is coming from the user bo...@idempot.net to verify
that the particular board software I'm using is the compromised software or not.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: European orders

2009-03-30 Thread Matthew Weigel

Artur Grabowski wrote:


At this moment we know that one side of the conflict said that future
European orders will be done through a different distributor because
the old distributor proved to fall behind on payments, the other side
hasn't said anything. Please, enlighten us about further details since
you seem to have some insight into the issue.


Wim hasn't posted to the list, but he has put up his perspective at 
http://accounting.kd85.com/ .  Dunno what's really happening...

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: OpenBSD mta with postfix

2009-03-28 Thread Matthew Weigel
Rod Whitworth wrote:

 Anybody run into this kind of logic before?
 Yes, that's part of how greytrapping works: 
 http://www.openbsd.org/cgi-bin/man.cgi?query=spamd#GREYTRAPPING
 
 No. That is NOT how greytrapping works. RTFM more carefully.
 
 spamd NEVER issues a 2xx code, because it NEVER accepts any mail.

I did RTFM carefully.  I don't see anything in the spamd manpage that
indicates one way or another what response is sent in the specific case of
greytrapping.  So I assumed it did, because that's the way I've seen other
greytrapping systems whose code I've read worked.  Perhaps you can point out
my mistake.

But your comment got me curious, so I poked at the source, and it looks like
it never lets the sender get far enough in the DATA to be done before issuing
a 450/550 (per -4/-5); it only issues 2xx codes (and it's not NEVER) to
string the connection along.

 I've seen other implementations do greytrapping for *every* invalid 
 address that comes through, too.
 
 And that's a great way to blacklist a genuine sender who misheard an
 email address and so misspelled it. S/he will never get a 5xx that
 flags the problem.

John Brooks asked if anyone had run into this before.  Yes, I have.  Hell, I'm
pretty sure this approach has been presented at LISA before.
-- 
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: OpenBSD mta with postfix

2009-03-27 Thread Matthew Weigel

John Brooks wrote:
I've just received this response from a large corporate email system
regarding their claim that emails sent to them are not getting through even
though our logs contain acknowledgements of accepting the mail sent.


In our mail logs:
... status=sent (250 Message accepted for delivery) 



Their response:
... my understanding of the firmname removed security policy
is not to acknowledge mistakes in email addresses as a best 
practice defense against phishing and other types of email 
delivered attacks.


Anybody run into this kind of logic before?


Yes, that's part of how greytrapping works: 
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd#GREYTRAPPING


I've seen other implementations do greytrapping for *every* invalid 
address that comes through, too.

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Sending email in Apache chroot?

2009-01-20 Thread Matthew Weigel

Sunnz wrote:


I also tried the following:

`chroot -g www -u www / /var/www/bin/femail -t -i m...@myaddress.com` works, but


Setting the chroot to '/'?  I don't think that does anything.


`chroot -g www -u www /var/www/ /bin/femail -t -i m...@myaddress.com`
doesn't work, it says:

femail: non-recoverable failure in name resolution

I run out of ideas now, what needs to be done?


What files might be used in name resolution on the system, that aren't 
in /var/www?  Maybe... /etc/resolv.conf?

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Matthew Weigel

Martin Schröder wrote:

2008/12/17 Marc Espie es...@nerim.net:

We think it's worse to sign packages than not to sign them if you don't have
a fairly strict process that ensures you have a correct chain of trust.


Agreed. PGP provides that, but I can understand that nobody wants GnuPG
in base. :-{


Errr, no, PGP doesn't provide the *process* of key protection.  It 
provides some tools that are useful in the process, but the process and 
systems themselves are what protects e.g. the gpg private key used to 
sign packages.


Like Marc said, signing packages when the process doesn't protect the 
integrity of the signatures, the source used to compile the binaries 
that are signed, and the binaries themselves, you are providing a 
misleading sense of security instead of an actual benefit.


An example of the difference: 
http://rhn.redhat.com/errata/RHSA-2008-0855.html

--
 Matthew Weigel
 hacker
 unique  idempot . ent



Re: Perl changes and majordomo

2008-11-25 Thread Matthew Weigel

Marco S Hyman wrote:

I notices that majordomo now gives this warning when running the
digest command:

   $* is no longer supported at /usr/local/lib/majordomo/digest line 305.

I assume it started when perl was updated to 5.10.0.   As one who
dislikes perl enough to have never learned it a clue as to what it
means would be appreciated :-)

http://perldoc.perl.org/5.8.8/perlvar.html

Set to a non-zero integer value to do multi-line matching within a 
string, 0 (or undefined) to tell Perl that it can assume that strings 
contain a single line. Use of $* is deprecated in modern Perl, 
supplanted by the /s and /m modifiers on pattern matching.


So whatever majordomo is doing with regular expressions, it thinks it's 
handling multi-line strings one way and is probably handling it the 
other way now.

--
Matthew Weigel



Re: openbsd sgi - uname -m, packages and mips64

2008-11-10 Thread Matthew Weigel
Peter Kay - Syllopsium wrote:
 A bit of an oddity. On all other platforms (at least I think so), the
 output from 'uname -m' matches the name of the directory under packages,

For all supported platforms, the name of the package directory matches
'machine -a'.  Because packages are compiled for a specific processor type,
not a platform.  For example, the mac68k and mvme68k platforms both have a
'machine -a' output of 'm68k' - ditto with the macppc and socppc platforms.
-- 
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?

2008-10-26 Thread Matthew Weigel
Neko wrote:

 this is the future. people use multiple os on their machine

That's actually the past... multibooting seemed way more popular ten years ago
than now.  I'm going to go out on a limb here, and say that most people - even
if their machine is set up to boot multiple systems - really just use one OS
per computer.  On the other hand, CIFS/NFS network storage devices are cheap,
and people can use them whether they dual boot, or simply have multiple
machines on their network.  Then too, a lot of people just use boring old
thumb drives to store data that all their systems can use.
-- 
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?

2008-10-26 Thread Matthew Weigel
Denis Doroshenko wrote:

 have you done any analysis of statistical data in order to say so?
 otherwise all those way more popular, most people it is a big IYHO.

William Boshuck has the measure of my response to that.

 On Sun, Oct 26, 2008 at 9:10 AM, Matthew Weigel [EMAIL PROTECTED] wrote:
  On the other hand, CIFS/NFS network storage devices are cheap,
 and people can use them whether they dual boot, or simply have multiple
 machines on their network.  Then too, a lot of people just use boring old
 thumb drives to store data that all their systems can use.
 
 well with NFS i'd agree, in case there is a robust free NFS implementation
 for MS Windows (haven't looked for that myself, as I don't seem to have NFS
 storage in my home LAN).

I'm not sure exactly what you're saying here... I'm talking about NAS devices
that export their filesystem via CIFS and NFS, so that virtually every modern
operating system can use it.  See, for example, this device:
http://www.newegg.com/Product/Product.aspx?Item=N82E16822111012

 WRT thumb drives, well they still need some FS to be on them, and
 fat32 would be a winner (for actual primitiveness thus being supported
 by anyone), but there is a serious (these days it is) limitation like
 limited maximal size of a file like 2G (must be 2^31-1 perhaps).

Actually, (2^32)-1, or 4GB, is the max size per file
(http://support.microsoft.com/kb/314463).  I can see that being a problem if
you're trying to run a database off of your thumb drive, but otherwise... can
you give examples of files that you (or anyone you know) would like to access
in Windows and OpenBSD that exceed this limit?
-- 
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?

2008-10-26 Thread Matthew Weigel
Neko wrote:

 somhow here , most people i know use 4 os, dos/ms/lin/bsd

OK, I'm genuinely curious: why do you run DOS on a machine that you also run
Windows on?  Why do you run Linux and OpenBSD on the same machine?

 oddly enough freebsd / osx have compatibility by default. But they wouldn't
 know, would they.

So... run FreeBSD or OS X as your fourth operating system instead of OpenBSD?
I'm not sure if you noticed, but the whole REASON
FreeBSD/NetBSD/OpenBSD/Linux are different projects run by different people is
that they have differences of opinion on what's important, and what the right
way to do something is.

If you're having a problem sharing files, there are solutions far more
effective than complaining on [EMAIL PROTECTED]  If your goal is to solve your
problem, you can solve it.
-- 
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: Light HTTP servers.

2008-07-20 Thread Matthew Weigel

Henning Brauer wrote:

lighttpd.


So far I am very happy with lighttpd, including running with PHP via FastCGI. 
 I don't really trust the PHP applications I run, so they operate in a 
separate chroot (via spawn-php.sh) as a separate user in addition to lighttpd 
itself being chroot as a separate user.


Another poster said lighttpd isn't being actively developed, but it's active 
enough for me - my bug reports have been fixed and new releases put out to 
address them.  Other than setting up the chroot FastCGI, it was quite easy to 
configure and get running.


I think the biggest problem will be running MySQL and PHP in 32MB; the OP may 
need to tweak MySQL to not use too much memory and restrict the number of PHP 
processes to run (1 or 2, I'd say).

--
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: Correctly uninstall default Apache and install Apache 2.2.4?

2008-04-21 Thread Matthew Weigel

Ed Flecko wrote:

Hi folks,
For a variety of reasons and features, I'd like to install the
apache-httpd-2.2.4.tgz package. As a side note, I tried to install it
on OpenBSD 4.2, and there are a few package dependencies it apparently
is missing (at least on my box, which runs 4.2 without X) because the
install fails.


http://www.openbsd.org/faq/faq4.html#FilesNeeded
http://www.openbsd.org/faq/upgrade42.html#libexpat

It was a bug in the 4.2 filesets: expat was moved from the package 
system to xbase42.tgz, which fewer people install than base42.tgz.



1.) Is there a correct way to uninstall the default Apache 1.3 that
ships with OpenBSD? I can't use a pkg_delete... can I?


No.  Just leave it.


2.) Maybe I don't need to? If I don't uninstall the original Apache,
will the new version overwrite the 1.3 version?


If you install the package of Apache 2.2, it won't overwrite the base 
Apache.  You'll have two Apache installs in two different locations, 
both of which work and run independently of each other.  You may need to 
double check PATH settings, I'm not sure, but otherwise it should just 
work if you only run the one you want to run.  It's not like the base 
Apache starts automatically, or anything.



3.) Do I need to chroot the Apache 2.2.4 or will the default install
set it up that way?


I don't have an answer for this one. :-)
--
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



Re: Really large drives (was Re: Is there a badblocks-equivalent for OpenBSD?)

2008-04-20 Thread Matthew Weigel

Chris Zakelj wrote:

... I'm wondering if 
thought is being given on how to make the physical size (not 
filesystem... I totally understand why those should be kept small) 
limitation of http://www.openbsd.org/faq/faq14.html#LargeDrive


http://www.openbsd.org/43.html

New Functionality:
...
 o The ffs layer is now 64-bit disk block address clean. This means that 
disks, partitions and filesystems larger than 2TB are now supported, with the 
exception of statfs(2) and quotas.


So, yes, thought is being given...


a non-issue on 64-bit platforms


Whether a system is 64-bit or not isn't very relevant to this - that mostly 
establishes what the memory address space is, *not* the size of integers that 
can be used by the system.

--
 Matthew Weigel
 hacker
 unique  idempot.ent
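The point above, that integer width rather than pointer width decides how large a disk can be addressed, can be made concrete. The following is an added example, not code from the thread or from OpenBSD: it assumes 512-byte sectors and takes unsigned 32-bit sector numbers as the narrow case (2^32 sectors times 512 bytes is the 2TB figure quoted from the release notes), and the 3 TiB disk it reasons about is constructed for the demonstration. The `aliased_sector32` function shows the failure mode a 32-bit field produces: a sector number beyond the limit wraps, so the I/O would silently land on a low-numbered sector and clobber whatever lives there.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SIZE 512ULL   /* assumed sector size */

/* Largest disk (in bytes) whose every sector can be numbered with an
 * unsigned sector_bits-wide address. Saturates instead of overflowing
 * uint64_t for widths where the product no longer fits. */
uint64_t addressable_bytes(unsigned sector_bits)
{
    if (sector_bits > 54)            /* 2^55 * 512 already exceeds 2^64 */
        return UINT64_MAX;
    return (1ULL << sector_bits) * SECTOR_SIZE;
}

/* Does sector number `sector` fit into an unsigned sector_bits-wide field? */
bool sector_fits(uint64_t sector, unsigned sector_bits)
{
    if (sector_bits >= 64)
        return true;
    return sector < (1ULL << sector_bits);
}

/* What a 32-bit field actually stores when handed a sector number that
 * does not fit: conversion to a narrower unsigned type is modulo 2^32,
 * so the value silently aliases a low-numbered sector. */
uint32_t aliased_sector32(uint64_t sector)
{
    return (uint32_t)sector;
}

/* Number of whole sectors in a disk of the given size. */
uint64_t sectors_in(uint64_t bytes)
{
    return bytes / SECTOR_SIZE;
}

int main(void)
{
    const uint64_t TIB = 1ULL << 40;
    /* Constructed 3 TiB disk: its last sector is beyond 32-bit reach. */
    uint64_t disk_bytes = 3 * TIB;
    uint64_t last = sectors_in(disk_bytes) - 1;

    /* int64_t is 8 bytes whether or not pointers are: the integer width
     * a kernel uses for block addresses is independent of the platform's
     * memory address space. */
    printf("pointer width: %zu bytes, int64_t width: %zu bytes\n",
           sizeof(void *), sizeof(int64_t));
    printf("32-bit sector numbers address up to %llu bytes (%llu TiB)\n",
           (unsigned long long)addressable_bytes(32),
           (unsigned long long)(addressable_bytes(32) / TIB));
    printf("last sector of a 3 TiB disk: %llu, fits in 32 bits: %s\n",
           (unsigned long long)last, sector_fits(last, 32) ? "yes" : "no");
    printf("truncated to 32 bits it would alias sector %u\n",
           aliased_sector32(last));
    return 0;
}
```

Compile with any C99 compiler; on a 32-bit build `sizeof(void *)` prints 4 while `sizeof(int64_t)` still prints 8, which is the whole argument in one line of output.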



Re: Really large drives (was Re: Is there a badblocks-equivalent for OpenBSD?)

2008-04-20 Thread Matthew Weigel

David Gwynne wrote:

solaris suffers from this problem. you cant use big disks with 32bit 
solaris kernels.


For UFS, at least, but doesn't ZFS on i386 (not amd64) scale?
--
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: using sun storeedge d1000 with OpenBSD

2008-04-06 Thread Matthew Weigel

Sebastian Reitenbach wrote:

I got such a storage device, mentioned in the subject. In the manual it 
says, when I want to connect the storage to a PCI based hosts, I need a PCI 
to dual differential UltraSCSI adapter, Model X6541A.


What you need is any differential UltraSCSI controller.  The D1000 can have 
its two SCSI buses joined and you can configure it so they don't have 
repeating SCSI IDs... or if you have two differential UltraSCSI channels, you 
can connect them separately.


However, the X6541A does work fine - I have one in a PowerEdge 1550, currently 
connected to a D1000:


siop0 at pci2 dev 6 function 0 Symbios Logic 53c875 rev 0x14: apic 3 int 13 (irq 3), using 4K of on-board RAM
scsibus2 at siop0: 16 targets
sd2 at scsibus2 targ 0 lun 0: FUJITSU, MAA3182S SUN18G, 1907 SCSI2 0/direct fixed
sd2: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
sd3 at scsibus2 targ 1 lun 0: FUJITSU, MAA3182S SUN18G, 1907 SCSI2 0/direct fixed
sd3: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
sd4 at scsibus2 targ 2 lun 0: FUJITSU, MAA3182S SUN18G, 1907 SCSI2 0/direct fixed
sd4: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
safte1 at scsibus2 targ 14 lun 0: SYMBIOS, D1000, 2 SCSI2 3/processor fixed
siop1 at pci2 dev 6 function 1 Symbios Logic 53c875 rev 0x14: apic 3 int 14 (irq 11), using 4K of on-board RAM
scsibus3 at siop1: 16 targets
sd5 at scsibus3 targ 8 lun 0: FUJITSU, MAA3182S SUN18G, 1907 SCSI2 0/direct fixed
sd5: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
sd6 at scsibus3 targ 9 lun 0: FUJITSU, MAA3182S SUN18G, 1907 SCSI2 0/direct fixed
sd6: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
sd7 at scsibus3 targ 10 lun 0: FUJITSU, MAA3182S SUN18G, 1907 SCSI2 0/direct fixed
sd7: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
safte2 at scsibus3 targ 15 lun 0: SYMBIOS, D1000, 2 SCSI2 3/processor fixed
--
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: Fsck in background mode

2008-03-15 Thread Matthew Weigel

Jordi Espasa Clofent wrote:

Hello all,

This is about fsck capability to run in background mode.
I found in http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/fsck/fsck.c 
(revision 1.5 by McKusick) that this feature was incorporated almost 7 
years ago in FreeBSD.


Have you tried searching the archives?  This was answered almost precisely a 
month ago on this very list... 
http://marc.info/?l=openbsd-misc&m=120328567228893&w=2


--
 Matthew Weigel
 hacker
 unique  idempot.ent



Re: Sun Creator 3D hardware wanted

2008-03-01 Thread Matthew Weigel

Matthew Weigel wrote:

I have an Ultra 10 (400MHz from an Ultra 5, 512MB or 1GB RAM) I haven't 
used in a while, so I could definitely donate it - I need to double 
check what the UPA cards I have for it are.


The two UPA cards I have are a Creator Series 3 (501-4789) and a Creator3D 
Series 3 (501-5690).  Let me know if the cards themselves, or the Ultra 10 
with either card (or both) will be of help.

--
 Matthew Weigel
 hacker
 unique  idempot.ent


