Today's snapshot brokes some Qt app?
Folks,

I just ran:

    pkg_add -D snap -u

After that I've discovered that some Qt apps are crashing with errors like:

    Cannot add multiple registrations for QtQuick
    Abort trap (core dumped)

for example telegram-desktop crashes but wireshark doesn't.

--
wbr, Kirill
Re: No coloring with colorls
This method also works! Instead of vt220 I now used xterm-256color. Thank you!

On 30-03-2024 at 11:51, Stuart Henderson wrote:
> On 2024-03-29, Karel Lucas wrote:
>> What should I put in /etc/ttys, taking into account that I regularly use multiple virtual consoles? And where in that file do I place that? At the beginning or the end? Or somewhere in between?
>
> Replace "vt220" with your preferred option on "console" and "ttyC" lines.
Re: Minimum viable HW for OpenBSD
On 3/30/24 14:18, Peter J. Philipp wrote: PS: I'll probably do this next week I have a need for different hardware in my 9U rackmount cabinet. And one particular one needs powercycles (and possibly console) as well. It's the mango pi, which is currently in panic mode most likely or it's hung up, I was building ports on it and the 100 Mbit connection went down. Hi, I rebooted the mango pi, btw and I've enabled the watchdogd, hoping it will work. It's awesome that sxidog(4) configures on these! Best, -pjp
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Wednesday, March 27, 2024, Dan wrote: > Hello, I have 3 security-related questions: > (1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure > Attention Key, or SAK) to prevent malware (or a website in fullscreen, for > example) from faking a logout process and/or faking a login prompt? On > Windows the kernel ensures that the operating system captures this key > combination and takes over with a real login prompt that malware can't fake > without first defeating the OS security. > (Let me clarify for the rest of this message: malware is any program that acts maliciously; it doesn't *necessarily* bypass exploit mitigations or security features of the OS (e.g. it could work around them, or abuse the lack of them).) Something recent that I found that's relevant: https://www.bleepingcomputer.com/news/security/decade-old-linux-wall-bug-helps-make-fake-sudo-prompts-steal-passwords/ (From March 28, 2024. Note that this isn't a vulnerability in how the OS separates users or enforces security, this is a vulnerability that could be used to make a convincing "phishing" attack.) This isn't exactly the issue that SAK prevents, because the SAK is meant to be used at login time (not when already logged in as one user and trying to doas/sudo one program/command into another user), but I'll repeat the two links I sent before: https://security.stackexchange.com/a/34975 https://learn.microsoft.com/windows/win32/winstation/desktops The second link being the more relevant one. Notice how Microsoft describes that User Account Control takes over the screen with a secure desktop mode. UAC is the equivalent of doas/sudo. There's an additional problem though: malware and websites in fullscreen could mimic the sound and visual dimming effect that UAC does on Windows. 
While UAC doesn't ask the user to press a privileged key combination like Ctrl-Alt-Delete (so the user has no guarantee that the UAC prompt is authentic, even with the said perceptual effects), it does something else: it asks for authorization (and details what is authorized exactly) without relying on knowledge of the passphrase as proof for authorization. Malware on OpenBSD that knows the root passphrase, or the passphrase of a doas-capable/sudoer user, can escalate its privileges; malware on Windows (including web content that escapes the browser's sandbox) that knows the passphrase of a user in the Administrators group cannot escalate its privileges without first compromising the integrity of Windows, because asking Windows to escalate privileges would ensure that the user authorizes the escalation regardless of the passphrase (let's assume that UAC is set to its highest (fourth) level, rather than the default (third) level that excepts some system programs from causing a UAC prompt when escalating).

(Web content that escapes the browser's sandbox of Chromium, Firefox, and Tor Browser on OpenBSD would need to compromise the integrity of OpenBSD, because it sandboxes them further using pledge(2) and unveil(2) (or find a weakness in how these two are set up). So that's already a very good thing, but that alone is not enough.)

It's important to emphasize that it doesn't matter whether UAC asks or doesn't ask for a passphrase to authorize, rather the important thing here is that it takes over the computer temporarily in a way that cannot be interfered with by normal programs and asks for explicit authorization; it could as well ask for a passphrase too as a second factor. Malware that fakes a UAC prompt and gets "authorized" by the user would achieve nothing, as it hasn't really asked Windows to escalate, whereas malware on OpenBSD that convincingly fakes a doas prompt and gets "authorized" by the user can then impersonate the "authorizing" user going forward.
Re: configure rad for ULA addresses
Ok, think I figured it out. My core problem was that I was assigning prefixes manually in rad.conf, then assigning each interface an address *in the same prefix*. This created some kind of conflict -- the nature of which I still don't fully understand.

This was the key line I missed in rad.conf(5):

> The default is to discover prefixes to announce by inspecting the IPv6
> addresses configured on an interface.

So as long as my interface has both addresses assigned in their respective prefixes, rad can serve those without any extra configuration.

Here's my final /etc/hostname.igc1:

    inet 192.168.1.1 255.255.255.0 NONE
    inet6 autoconf
    inet6 alias fdd0:c720:85fa:100::1 64

And my final /etc/rad.conf:

    interface igc1 {
        dns {
            nameserver {
                fdd0:c720:85fa:100::1
            }
        }
    }

Now devices on my network are getting both GUA and ULA addresses assigned automatically through SLAAC.
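A check for the overlap described in the message above, as an added example that is not part of the original post: it lists `prefix` statements in rad.conf that rad's default discovery would already announce from the interface's static addresses. The "before" rad.conf is a hypothetical reconstruction, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the hostname.igc1 lines quoted in the post.
HOSTNAME_IF = """\
inet 192.168.1.1 255.255.255.0 NONE
inet6 autoconf
inet6 alias fdd0:c720:85fa:100::1 64
"""
# Hypothetical "before" rad.conf with a manual prefix (not shown in the post).
RAD_CONF_BEFORE = """\
interface igc1 {
    prefix fdd0:c720:85fa:100::/64
    dns { nameserver { fdd0:c720:85fa:100::1 } }
}
"""
ULA = ipaddress.IPv6Network("fc00::/7")  # unique local address range

def interface_prefixes(hostname_if):
    """Prefixes implied by the static inet6 addresses in a hostname.if(5) file."""
    found = set()
    for line in hostname_if.splitlines():
        words = line.split()
        if not words or words[0] != "inet6":
            continue
        if len(words) > 1 and words[1] == "alias":
            del words[1]
        if len(words) < 3:
            continue  # "inet6 autoconf": the address is only known at run time
        try:
            found.add(ipaddress.IPv6Interface(f"{words[1]}/{words[2]}").network)
        except ValueError:
            continue  # not an "address prefixlen" pair
    return found

def manual_prefixes(rad_conf):
    """Prefixes declared with an explicit 'prefix' statement in rad.conf."""
    hits = re.findall(r"^\s*prefix\s+([0-9A-Fa-f:]+/\d+)", rad_conf, re.MULTILINE)
    return {ipaddress.IPv6Network(h, strict=False) for h in hits}

def redundant_prefixes(hostname_if, rad_conf):
    """Manual prefixes that rad's default discovery would already announce."""
    both = manual_prefixes(rad_conf) & interface_prefixes(hostname_if)
    return [(str(p), "ULA" if p.subnet_of(ULA) else "non-ULA") for p in sorted(both)]

if __name__ == "__main__":
    for prefix, kind in redundant_prefixes(HOSTNAME_IF, RAD_CONF_BEFORE):
        print(f"{prefix} ({kind}): already discoverable from the interface address")
```

The GUA prefix learned through `inet6 autoconf` does not appear in hostname.if, so a static check like this only sees the ULA alias.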
Re: silence logging of dhcpd deny unknown-clients
> Is there any way to silence these logs? I only want to hand out a
> small number of IPv4 addresses on my IPv6 network to those machines
> that won't function properly without them. That leaves many machines
> on my network constantly requesting IPv4 addresses, and dhcpd is
> clogging my /var/log/daemon file:
>
>> ... dhcpd[13399]: DHCPDISCOVER from xx:xx:xx:xx:xx:xx via igc3
>> ... dhcpd[13399]: no free leases on subnet 192.168.3.0
>
> ... over and over and over again.
>
> I didn't see any logging options in dhcpd(8) or dhcpd.conf(5).

I wasn't able to figure out how to silence specific messages from a given daemon at a specific level. I read up on syslog.conf(5) and saw that I could silence all warnings from dhcpd, but I don't want to do that -- just those for this specific directive.

In the meantime, I realized that my list of machines that need IPv4 addresses is so small I'm probably better off statically-assigning those machines their addresses instead of running dhcpd at all, so I've done that.

If there is a way to silence a log message from a "facility" at a given "level" without affecting other messages at the same "facility" and "level," I'd be curious to know, as I'm sure I'll run into this issue again with something else.
Booting with secure boot enabled
Is it possible to boot OpenBSD with secure boot enabled? I'd like to try unattended installation over WiFi on ThinkPad X1 and my UEFI firmware supports PXE over WiFi, but it works only in Secure Boot mode. Best regards, Chris Narkiewicz
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Sun, 31 Mar 2024 01:10:15 + Dan wrote:
> On Wednesday, March 27, 2024, Dan wrote:
>

Hi @list!

Lots of discussion and useless talk when the solution is in your hands @Dan:

1.- Are you worried about the fact that apps on X11 may suffer input-spoofing? Great, start writing all the code necessary to prevent that from happening and help us improve the security of OpenBSD and any other OS that uses X11.

Coming here and saying that we are not attentive to security and that is why we "HAVE" to do something, is utter idiocy. Start doing something yourself, if you want to collaborate beyond a stupid speech.

2.- Do you want a mechanism that prevents logins being stolen? Same story, start writing kid, crying at the list doesn't help.

3.- Do you want more applications to have pledge/unveil to improve security? Same story...start writing the code necessary for it and stop crying.

Nobody is here to serve your designs or needs. Want something? Write it down, it contributes to the project more than tantrums and tears.

My last and unique message in this thread: Don't feed the fucking troll!

This thread to /dev/null

--
* God in his heaven, all well on Earth
I DEMAND TO KNOW (re recent activity)
Friends,

Some recent activity here (you will remember the threads) had me want to post this earlier, but I was bowled over by a stomach bug and only found the reference again now -

https://mastodon.social/deck/@danielbowen/112173051434619556

which reads:

Daniel Bowen @danielbowen@mastodon.social

From a tweet of mine from 2011, but evergreen:

I DEMAND TO KNOW WHY YOUR GROUP OF OVERWORKED VOLUNTEERS, WHICH I AM NOT A MEMBER OF, IS NOT PURSUING MY PERSONAL GRIEVANCE.

Mar 28, 2024, 12:22 PM

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: I DEMAND TO KNOW (re recent activity)
On Sun, 31 Mar 2024 22:59:01 +0200 "Peter N. M. Hansteen" wrote:
> Friends,
>
> Some recent activity here (you will remember the threads) had me want
> to post this earlier, but I was bowled over by a stomach bug and only
> found the reference again now -
>
> https://mastodon.social/deck/@danielbowen/112173051434619556
>
> which reads:
>
> Daniel Bowen @danielbowen@mastodon.social
>
> From a tweet of mine from 2011, but evergreen:
>
> I DEMAND TO KNOW WHY YOUR GROUP OF OVERWORKED VOLUNTEERS, WHICH
> I AM NOT A MEMBER OF, IS NOT PURSUING MY PERSONAL GRIEVANCE.
>
> Mar 28, 2024, 12:22 PM
>

They demand, but they do not collaborate in any way. They do not lift a finger to improve things, but they demand and demand that their designs be fulfilled.

Trolls, who only know how to do one thing: cry loudly. Don't give them importance, filter the garbage and we continue our lives.

--
* God in his heaven, all well on Earth
Re: I DEMAND TO KNOW (re recent activity)
On 2024-03-31, Peter N. M. Hansteen wrote: > Some recent activity here (you will remember the threads) had me want to post > this earlier, but I was bowled over by a stomach bug and only found the > reference > again now - Just block the senders, ignore the threads and move on.
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Sunday, March 31, 2024, Jose Maldonado wrote:
> On Sun, 31 Mar 2024 01:10:15 +
> Dan wrote:
> > On Wednesday, March 27, 2024, Dan wrote:
> >
>
> Hi @list!
>
> Lots of discussion and useless talk when the solution is in your hands
> @Dan:
>
> 1.- Are you worried about the fact that apps on X11 may suffer

Emphasis on "may".

> input-spoofing? Great, start writing all the code necessary to prevent
> that from happening and help us improve the security of OpenBSD and any
> other OS that uses X11.

There's already rootless X on OpenBSD, it may prevent that? The thing is, I don't know. So I asked. And there's already efforts to replace X11 with Wayland, and already efforts to port Wayland to OpenBSD.

>
> Coming here and saying that we are not attentive to security and that

Where did I say that? False accusation.

> is why we "HAVE" to do something, is utter

Where did I say anybody has to do anything? False accusation.

> idiocy. Start doing
> something yourself, if you want to collaborate beyond a stupid speech.

"Speech"? These are important questions.

>
> 2.- Do you want a mechanism that prevents logins being stolen? Same

Why should I want something to be added when it might already exist and I'm missing it? Again, I asked.

> story, start writing kid, crying at the list doesn't help.

Where did I "cry" or whine about OpenBSD? False accusation. Quite the contrary, I praised OpenBSD at various times, and I wouldn't have come here in the first place if I wouldn't have had appreciation for OpenBSD.

>
> 3.- Do you want more applications to have pledge/unveil to improve

Which "more" applications? I do not know whether this:

https://openports.pl/search?file=unveil
https://openports.pl/search?descr=unveil

Is the exhaustive list of all third-party apps that are sandboxed with pledge/unveil. I asked whether people knew of other programs or whether it's possible to list other programs beyond that.

It seems that you expect me to assume that these links list all sandboxed programs exhaustively, but I do not assume, I ask.

> security? Same story...start writing the code necessary for it and stop
> crying.

Where did I "cry" or whine about OpenBSD? False accusation.

>
> Nobody is here to serve your designs or needs.

Which ones? I didn't know I had any.

> Want something? Write it
> down, it contributes to the project more than

What if it's already written down?

> tantrums and tears.

Which ones?

>
> My last and unique message in this thread: Don't feed the fucking
> troll!

In case you're referring to me feeding trolls rather than being the troll: Peter N. M. Hansteen said he blocked me after merely my second message in this thread. Because of his reputation, I lost sense of whether I'm perceived as a troll here.
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
If I'm explaining security or lack of security, or saying things like "this is not enough", it's not as part of a speech that's meant to whine. I'll explain:

I could've just asked, in my first message, whether OpenBSD has a mechanism like Ctrl-Alt-Delete on Windows, and whether it has sandboxing for desktop apps, without explaining the rationale of having such security features. Then, someone could've come and told me that these security features aren't necessary, or that I'm focusing on a minor security aspect. I wanted an informed discussion, so I was explaining the rationale behind these to make readers understand why I was asking about them.

Furthermore, in my recent message about the faking of a doas/sudo prompt and User Account Control (UAC) on Windows, there was a part where I said that the sandboxing that OpenBSD provides for certain apps "[that alone] is not enough"; I said that in the context of explaining the security that UAC provides on Windows compared to what there seems to be with the default installation of OpenBSD, notice the rest of the message and how that comment of mine was in parentheses.

It may sound like I'm completely knowledgeable about OpenBSD, but I'm not. I understand certain generally-applying concepts, but I don't know if, for example, there's a sysctl(2) or something that can optionally toggle into that. (As an example, until recently, I didn't know there was an optional sysctl(2) that can enable extra hardening for malloc.)

I hope this clears up why I'm writing things the way I do.
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
This thread is now closed, please don't try to continue it. - todd
Re: Today's snapshot brokes some Qt app?
On 2024-03-31, Kirill A. Korinsky wrote: > Folks, > > I just run: pkg_add -D snap -u > > After that I've discovered that some Qt apps are crashing with errors like: > > Cannot add multiple registrations for QtQuick > Abort trap (core dumped) > > for example telegram-desktop crashes but wireshark doesn't. > > -- > wbr, Kirill > Telegram-desktop (net/tdesktop) also crashed here after a package update. I then noticed it was caused by linking issues with the qt6 libraries. Deleting and adding net/tdesktop simply solved that. That should not be a problem tho. Applications are normally reinstalled after the library is updated (or does that only happen when a major version of the library is installed?).