Re: Image::Magick help
Sorry, I didn't mean 'of course' that way. :) The script right now is just 'as is'. Not in a chroot environment. I use mod_perl for apache to load dynamic modules for chrooted cgi scripts.

2008/12/5 Alexander Hall <[EMAIL PROTECTED]>

> Gabri Mate wrote:
>
>> On 12:24 Thu 04 Dec , Jesse Zbikowski wrote:
>>
>>> On Thu, Dec 4, 2008 at 12:12 PM, Gabri Mate <[EMAIL PROTECTED]> wrote:
>>> '/usr/local/libdata/perl5/site_perl/i386-openbsd/auto/Image/Magick/Magick.so'
>>> Does this file exist?
>>
>> Yes, of course.
>
> No, not "of course", since it is not obvious. People (yes, including you
> and me) do happen to screw up things from time to time.
>
>> ls /usr/local/libdata/perl5/site_perl/i386-openbsd/auto/Image/Magick/
>>
>> Magick.bs Magick.so autosplit.ix
>
> Is this script running in a chroot, e.g. by apache (which chroots to
> /var/www by default)? If so, you need to copy the file to
> '/var/www/usr/local/libdata/perl5/site_perl/i386-openbsd/auto/Image/Magick/Magick.so'
> also exist, or make perl load it before the forking starts (e.g. in a
> BEGIN{...}).
>
> If anyone knows if there is a way to force preloading of dynamically loaded
> modules, I'd love to know about it.
>
> /Alexander
Re: bash for root?
2008/11/30 Nick Holland <[EMAIL PROTECTED]>

> farhan ahmed wrote:
> > Question is how can you make shell statically linked? I thought when you
> > install package it should be linked rather than manual compiling and
> > installing
>
> I think that is best left as an exercise for the asker.
>
> Here's what it boils down to:
> There is nothing wrong with a properly implemented 'bash' or any
> other shell for root. Hint: when the system comes up single user
> mode, it will ASK you what shell to use. The statically compiled
> part isn't even critical in OpenBSD, unless you are intent on
> running bash in single-user mode before all partitions are mounted.
>
> The problem is when you break things, you break 'em BIG. Original
> thread is a case in point. You win awards for courage, not wisdom,
> for still being intent on using bash as the root shell while you are
> still walking with a limp from your last experience.
>
> There's a lot of stuff that can go wrong when changing a user's
> default shell over the lifecycles of the system (think upgrades!),
> virtually all operator error, all avoidable, but errors that can
> happen tend to happen. When you break JoeAverage's account, no big
> deal, as long as you can get back as root and fix it. When you
> break root, you have a problem. Yes, the goal is to do everything
> right, but another goal is to make it more difficult to do things
> wrong.
>
> If you don't know how to do it right, test it right, and recover it
> right, don't change the root shell. I realize how it is such finger
> breaking work to type the five keystrokes "b a s h [enter]" at a
> command prompt after logging in...so horrible, I know, but until you
> know what you are doing, just manually invoke bash.
>
> You will know you know what you are doing when you realize you don't
> need or want to use bash on OpenBSD. The only good reason I've
> found to use bash on OpenBSD is to make it feel like some other OS,
> and that's really not a good thing when you are administering the
> system (i.e., logging in as root!).
>
> ksh rocks on OpenBSD. :)
>
> Nick.

At first I also used bash because I missed the comfortable options shipped by default with the other bash-based system. But after some time I learned to handle ksh and I like it better than bash now.
Just add a few options to /etc/profile and it's like at home again.

export HISTFILE=~/.sh_history
export HISTSIZE=10

export PS1='[EMAIL PROTECTED] \w \$ '

Any suggestions? :)
Re: bash for root?
2008/12/5 Paul de Weerd <[EMAIL PROTECTED]>

> On Fri, Dec 05, 2008 at 09:29:43AM -0500, Alfredo Perez wrote:
> | > Just add a few options to /etc/profile and it's like at home again.
> | >
> | > export HISTFILE=~/.sh_history
> | > export HISTSIZE=10
> | >
> | > export PS1='[EMAIL PROTECTED] \w \$ '
> | >
> | > Any suggestions? :)
> | >
> | I would add set -o vi if you use vi as a command line editor
>
> If you prefer vi and want to use it for most everything, simply export
> VISUAL=vi. This has the same effect as set -o vi on your command line
> editor.
>
> Paul 'WEiRD' de Weerd (happy VISUAL=vi user for years now ;)
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/

What does it do if I set this variable?
Re: Image::Magick help
2008/12/4 Gabri Mate <[EMAIL PROTECTED]>

> Dear List,
>
> I'm running 4.3 and installed p5-PerlMagick from packages. When i try to
> load this module with one of my perl scripts it says:
>
> Can't load
> '/usr/local/libdata/perl5/site_perl/i386-openbsd/auto/Image/Magick/Magick.so'
> for module Image::Magick: Cannot load specified object at
> /usr/libdata/perl5/i386-openbsd/5.8.8/DynaLoader.pm line 230.
>
> Of course i have installed ImageMagick with x11 support.
>
> What do you suggest?
>
> Thanks in advance!
> --
> Gabri Mate
> [EMAIL PROTECTED]

Thank You for your help so far. Today I've upgraded the system to 4.4 and now the script works flawlessly. I don't have the slightest idea what the problem was on 4.3.
Re: 4.4 apachectl configtest segfaul
2008/12/6 Stuart Henderson <[EMAIL PROTECTED]>

> On 2008-12-05, Gabri Mate <[EMAIL PROTECTED]> wrote:
> > Dear List,
> >
> > I've upgraded 4.3 to 4.4 today. Apachectl configtest returns with Syntax
> > OK but right after that it segfaults. I can't run gdb on the dump file
> > because it says it can't recognize the file. Please give me some advice
> > where to start because i'm totally noob on debugging.
> >
> > Thanks in advance!
>
> Did you upgrade your packages?

Yes. Apache runs smoothly. Just the configtest segfaults.
Re: 4.4 apachectl configtest segfaul
Also my error.log file is filled up with this:

[Mon Dec 22 08:56:24 2008] [notice] child pid 9102 exit signal Segmentation fault (11)
[Mon Dec 22 11:01:56 2008] [notice] child pid 28953 exit signal Segmentation fault (11)
[Mon Dec 22 11:02:14 2008] [notice] child pid 23240 exit signal Segmentation fault (11)
[Mon Dec 22 12:54:18 2008] [notice] child pid 2948 exit signal Segmentation fault (11)
[Mon Dec 22 12:56:11 2008] [notice] child pid 3545 exit signal Segmentation fault (11)
[Mon Dec 22 12:59:25 2008] [notice] child pid 21327 exit signal Segmentation fault (11)

I've attached my dmesg output.

2008/12/5 Gabri Mate

> Dear List,
>
> I've upgraded 4.3 to 4.4 today. Apachectl configtest returns with Syntax
> OK but right after that it segfaults. I can't run gdb on the dump file
> because it says it can't recognize the file. Please give me some advice
> where to start because i'm totally noob on debugging.
>
> Thanks in advance!
> --
> Gabri Mate
> gabrim...@ippimail.com

[demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg]
Re: 4.4 apachectl configtest segfaul
After further testing it seems that the segmentation fault is caused by my php_value options in my virtualhost configuration blocks.

2008/12/5 Gabri Mate

> Dear List,
>
> I've upgraded 4.3 to 4.4 today. Apachectl configtest returns with Syntax
> OK but right after that it segfaults. I can't run gdb on the dump file
> because it says it can't recognize the file. Please give me some advice
> where to start because i'm totally noob on debugging.
>
> Thanks in advance!
> --
> Gabri Mate
> gabrim...@ippimail.com
slow network
Hey there!

I've installed OpenBSD 4.2 on a Compaq DL580 machine and I dunno why but the initial phase of the network connections is really slow. The machine is behind a linksys router with a fixed IP address, resolv.conf set up correctly. It has an intel pro 100 ethernet card. PF is disabled. If I try to reach it with ssh from the local network I have to wait for the password prompt for 30 seconds but after that the data flow is normal. When I give the netstat command I only see the column names and then it halts. Though other machines on the network can be accessed normally.
Do You know why this can be happening?

Thank You!

--
Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu
Re: slow network
On Mon, 4 Feb 2008 20:48:21 +0100, Gábri Máté <[EMAIL PROTECTED]> wrote:

> Hey there!
>
> I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why
> but the initial phase of the network connections are really slow. The
> machine is behind a linksys router with fix ip address, resolv.conf
> set up correctly. It has an intel pro 100 ethernet card. PF is
> disabled. If i try to reach it with ssh from the local network i have
> to wait for the password prompt for 30 seconds but after that the
> data flow is normal. When i give the netstat command i only see the
> columns name and then it halts. Though other machines on the network
> can be accessed normally.
> Do You know why can this be happening?
>
> Thank You!
>
> --
> Gabri Mate
> [EMAIL PROTECTED]
> DUOSOL Bt.
> http://www.duosol.hu

Thank You everyone! It seems that the problems accessing my OpenBSD machine are because of rDNS lookup. But why is it slow to access anything, even on the internet, from OpenBSD? Is it also related to the DNS issue?

--
Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu
Re: slow network
On Mon, 4 Feb 2008 14:10:37 -0600 (CST), "L. V. Lammert" <[EMAIL PROTECTED]> wrote:

> On Mon, 4 Feb 2008, [UTF-8] Gábri Máté wrote:
>
> > Hey there!
> >
> > I've installed OpenBSD 4.2 on a Compaq DL580 machine and i dunno why
> > but the initial phase of the network connections are really slow.
> > The machine is behind a linksys router with fix ip address,
> > resolv.conf set up correctly. It has an intel pro 100 ethernet
> > card. PF is disabled. If i try to reach it with ssh from the local
> > network i have to wait for the password prompt for 30 seconds but
> > after that the data flow is normal. When i give the netstat command
> > i only see the columns name and then it halts. Though other
> > machines on the network can be accessed normally.
> > Do You know why can this be happening?
> >
> > Thank You!
> >
> Sounds like your DNS server is not resolving?
>
> Lee

Then why is it slow on the local network using IP addresses? :)

--
Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu
vmware & cvs
Hey there!

I'm trying to run OpenBSD under the latest VmWare server, but I've got a problem: I can't use cvs to check out the repositories. It hangs at the connecting phase. It's strange, cause ftp and http connections work, like I can fetch the ports.tar.gz via wget or the ftp client...but that's a bit outdated, so I want to use cvs.
I've tried the simple cvs checkout command with the CVSROOT variable, and the login method with pserver, none of them succeeded.

Any help would be appreciated!

--
Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu
Re: vmware & cvs
Thank You for all your help, but I didn't have time to try it out. And today VirtualBox 1.5.0 came out which supports OpenBSD 4.x, so I'll use that one instead of VmWare.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu

Gábri Máté wrote:
OBSD41 clamav update
Hey there!

Is there any chance that the Clamav port in the 4.1 ports tree will be updated to the latest version or should I check out the ports tree without a version tag?

--
Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu
sign and timestamp
Hey there!

I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it?
Sorry for the stupid question but I really can't imagine it.

--
Gabri Mate
[EMAIL PROTECTED]
Re: sign and timestamp
Sorry I wasn't totally specific. Yes, later on the receiver needs to verify the timestamp. I was looking for an oss application but couldn't find any for timestamping.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu

Douglas A. Tutty wrote:
> On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
>> I've read a lot about timestamping a document, but dunno how it works in
>> practice. How can i apply a timestamp to a digitally signed or encrypted
>> document? Like i encrypt or sign a document with gnupg, but before the
>> process how can i timestamp it?
>> Sorry for the stupid question but i really can't imagine it.
>>
>
> I suppose the first question is: is the time stamp for info only or does
> the recipient have to verify the accuracy of the timestamp? I.e. let's
> say you take the file you want to encrypt and sign, put it in a tarball
> that will protect the file's modification time, and encrypt and sign
> that. This gives the recipient your opinion on the timestamp and
> protects it from being changed en route. However, the recipient can't
> verify that you or your system are telling the truth.
>
> I don't know if there's an accepted strategy, but if I had to create one
> from scratch, off the top of my head I'm thinking some time of time
> server. It would have to publish a signed file of the current time, say
> once per minute, so that you could include the hash in the above noted
> tarball. The recipient could note the time of that hash file, query the
> time server for the matching hash and compare the two. If they match,
> then the time matches.
>
> This would have to be a time server that is trusted by the recipient.
>
> I'll be interested to hear from someone who really knows about this.
>
> Doug.
Re: sign and timestamp
A service will gather data in a database and this data has to be signed and timestamped for security reasons, and the archives of these data also need to be signed and timestamped. The data will be used for internal purposes, so another internal server can issue the signs and stamps.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu

Douglas A. Tutty wrote:
> Without a mutually-trusted source of time "cookies", it depends on
> specific needs.
>
> Further information on the nature of the transaction is required since I
> haven't heard of a pre-packaged oss application.
>
> Doug.
>
> On Wed, Oct 03, 2007 at 08:36:37PM +0200, Gábri Máté wrote:
>> Sorry i wasn't totally specific. Yes, later on the receiver need to
>> verify the timestamp. I was looking for an oss application but couldn't
>> find any for timestamping.
>>
>> Douglas A. Tutty wrote:
>>> On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
>>>> I've read a lot about timestamping a document, but dunno how it works in
>>>> practice. How can i apply a timestamp to a digitally signed or encrypted
>>>> document? Like i encrypt or sign a document with gnupg, but before the
>>>> process how can i timestamp it?
>>>> Sorry for the stupid question but i really can't imagine it.
>>> I suppose the first question is: is the time stamp for info only or does
>>> the recipient have to verify the accuracy of the timestamp? I.e. let's
>>> say you take the file you want to encrypt and sign, put it in a tarball
>>> that will protect the file's modification time, and encrypt and sign
>>> that. This gives the recipient your opinion on the timestamp and
>>> protects it from being changed en route. However, the recipient can't
>>> verify that you or your system are telling the truth.
>>>
>>> I don't know if there's an accepted strategy, but if I had to create one
>>> from scratch, off the top of my head I'm thinking some time of time
>>> server. It would have to publish a signed file of the current time, say
>>> once per minute, so that you could include the hash in the above noted
>>> tarball. The recipient could note the time of that hash file, query the
>>> time server for the matching hash and compare the two. If they match,
>>> then the time matches.
>>>
>>> This would have to be a time server that is trusted by the recipient.
>>>
>>> I'll be interested to hear from someone who really knows about this.
>>>
>>> Doug.
Re: sign and timestamp
Yes, but I want to solve this without an outsider for practical reasons.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu

Joachim Schipper wrote:
> On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
>> Hey there!
>>
>> I've read a lot about timestamping a document, but dunno how it works in
>> practice. How can i apply a timestamp to a digitally signed or encrypted
>> document? Like i encrypt or sign a document with gnupg, but before the
>> process how can i timestamp it?
>> Sorry for the stupid question but i really can't imagine it.
>
> The Big G is your friend [1]:
>
> http://www.itconsult.co.uk/stamper.htm
>
> (Obviously, one could send them a hash instead of the original if one
> were afraid of sending data unencrypted over the net.)
>
> Joachim
>
> [1] Trust The Computer. The Computer is Your Friend.
Re: sign and timestamp
There'll be two main servers, a web server and a sql server. We have to insert a timestamp and a signature in the specified rows of tables. Periodically the sql server will make pdf documents from the data and we have to sign and timestamp these docs too. I also have to set up a firewall and a backup server, both of them will be OBSD.
After what all of You wrote I guess one of the OBSD servers will act as the timestamping machine with the method of issuing a time file periodically, sign and hash it. I can set up a script for that, and another one for verification. That's the easiest way I guess.

As for why I don't want to use a public time stamping service: it's much more flexible to do it on our own, and much faster, and there are other reasons. Of course the results don't have to be verified by total strangers, just those who work with the data from day to day.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu

Douglas A. Tutty wrote:
> On Wed, Oct 03, 2007 at 09:45:30PM +0200, Gábri Máté wrote:
>> A service will gather data in a database and this data has to be signed
>> and timestamped for security reasons, and the archives of these data are
>> also need to signed and timestamped. The data will be used for internal
>> purposes, so another internal server can issue the signs and stamps.
>>
>
> OK. This service gathering the data: is it your own dedicated server or
> is it an external service provider. Assuming that you don't control
> (in a security sense) the database itself (if you did, why bother with
> this?).
>
> If I understand correctly: Database the data-gatherer can query. You
> set up a dedicated, physically secure box and provide it with a secure
> source of time (GPS?).
>
> Assuming that you don't want the latency for them to email the box a
> hash, have the box append a time stamp, sign it, and mail it back. You
> need a dedicated channel from the time server to the data-gatherer of
> latency low enough to meet the time-stamp requirements.
>
> Do you need to send the timestamp back to the data-gatherer or will they
> be sending the data to you by a slower method?
>
> You could either write a dedicated server or set up a lpd hack.
>
> They gather the data, tarball it, take a hash and put it in an index
> file (like an MD5SUM file in an ftp archive). They send a file
> containing only the hash and the unique tarball file name to the lpr on
> the time server. A dummy spool there hands the file to a 'filter' that
> takes that file, extracts the md5sum, file name, appends the time, and
> appends that whole line to a file. For hard copy, each line could be
> printed to dedicated dot-matrix printer as it is generated.
>
> Or your time server is running a database and the data-gather can issue
> the SQL insert query directly and the database system itself fills in a
> time-stamp field.
>
> Doug.
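
An added illustration of the scheme discussed in this message (not code from the thread or from any participant): an internal stamping server receives only a document's hash, appends its own clock time, chains the record to the previous one and authenticates it. HMAC-SHA256 from the Python standard library stands in for the gnupg signature so the block runs offline; the key, record names and sample data are constructed, and with HMAC anyone able to verify could also forge, which a detached gpg signature made with a key held only on the stamping box avoids.

```python
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64  # "prev" value of the first log entry


def _mac(key, body):
    """HMAC-SHA256 over canonical JSON (stand-in for a gpg signature)."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _body(token):
    """Every field of a token except the MAC itself."""
    return {k: v for k, v in token.items() if k != "mac"}


class TimestampServer:
    """The dedicated box: only it holds the key and the trusted clock."""

    def __init__(self, key, clock=time.time):
        self._key = key
        self._clock = clock
        self.log = []  # append-only record of every token issued

    def issue(self, name, digest):
        """Stamp a SHA-256 digest sent by the data-gatherer, never the data."""
        prev = self.log[-1]["mac"] if self.log else GENESIS
        body = {"name": name, "sha256": digest,
                "time": int(self._clock()), "prev": prev}
        token = dict(body, mac=_mac(self._key, body))
        self.log.append(token)
        return token


def verify_token(key, token, document):
    """True only if the token is authentic and covers exactly this document."""
    expected = _mac(key, _body(token))
    if not hmac.compare_digest(expected, str(token.get("mac", ""))):
        return False  # name, hash, time or chain link was altered
    actual = hashlib.sha256(document).hexdigest()
    return hmac.compare_digest(actual, str(token.get("sha256", "")))


def verify_log(key, log):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, token in enumerate(log):
        good_mac = hmac.compare_digest(_mac(key, _body(token)),
                                       str(token.get("mac", "")))
        if token.get("prev") != prev or not good_mac:
            return i
        prev = token["mac"]
    return -1


def demo():
    """Run the scheme over constructed sample data and return the checks."""
    key = b"constructed-demo-key"             # constructed, not a real secret
    ticks = iter([1191510221, 1191510281])    # constructed clock readings
    server = TimestampServer(key, clock=lambda: next(ticks))
    row = b"id=42;amount=1000"                # constructed database row
    pdf = b"%PDF-1.4 constructed archive"     # constructed archive document
    t1 = server.issue("orders/row-42", hashlib.sha256(row).hexdigest())
    server.issue("archive/2007-10.pdf", hashlib.sha256(pdf).hexdigest())
    backdated = dict(t1, time=t1["time"] - 86400)  # someone edits the time
    return {
        "genuine": verify_token(key, t1, row),
        "edited_row": verify_token(key, t1, b"id=42;amount=9000"),
        "backdated": verify_token(key, backdated, row),
        "log_intact": verify_log(key, server.log),
        "log_entry_removed": verify_log(key, server.log[1:]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The chain link is what lets an auditor notice a deleted or reordered entry, which a per-record signature alone does not show.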
Re: sign and timestamp
The whole timestamping process was the idea of the procurer. I'll be concerned with the network security and similar stuff, so that's why I'm "researching" the available timestamping methods. I've learned a lot from all of your comments and I'm really thankful for that. I guess I'll reconsider this whole timestamping issue and I'm gonna discuss it with the procurer.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu

Douglas A. Tutty wrote:
> On Thu, Oct 04, 2007 at 05:03:41PM +0200, Gábri Máté wrote:
>> There'll be two main servers, a web server and a sql server. We have to
>> insert a timestamp and a signature in the specified rows of tables.
>> Periodically the sql server will make pdf documents from the data and we
>> have to sign and timestamp these docs too. I also have to set up a
>> firewall and a backup server, both of them will be OBSD.
>> After what all of You wrote i guess one of the OBSD servers will act as
>> the timestamping machine with the method of issuing a time file
>> periodically, sign and hash it. I can setup a script for that, and
>> another one for verification. Thats the easiest way i guess.
>>
>> As for why i dont want to use a public time stamping service: its much
>> more flexible to do it on our own, and much more faster, and there are
>> other reasons. Of course the results dont have to be verified buy total
>> strangers, just those who work with the data from day-to-day.
>>
>
> I'm not clear on what you will gain over just having all the boxes
> running ntp and having the SQL server inserting a time value on each row
> of the table, and having each row be non-alterable (other than, of
> course, by root), and having a time stamp put on the pdf document.
>
> Typical uses for real time stamps are for audit purposes. The only
> reason for an audit trail is to prove that records haven't been altered
> either accidentally or intentionally/maliciously by someone within the
> organization. If this is for internal auditing only and your internal
> audit department requires something more than just a time-entry in an
> SQL file, then they should have sole control over the server that does
> the time stamping. Nobody outside of the audit department should have
> any root privileges. In which case, a dedicated dot-matrix printer that
> prints the file name, hash, and time stamp of files as they are received for
> stamping, would be prudent. Put multi-part paper in the printer and
> take a copy off-site (to the off-site auditors?) regularly.
>
> In any event, your system (policy, protocols, etc) should be approved by
> the people who will be needing to verify the veracity of the timestamps.
>
> Doug.
pkill -HUP httpd won't fork new children
Dear List,

I'm in the process of setting up httpd with ssl. When I want to reload the config with pkill -HUP httpd the parent process wouldn't fork the new children, so I have to kill it with level 9 and start httpd again.

The other question is: what does kern.seminfo.semmni mean and what does it do? After a few httpd restarts I had to increase this value, otherwise SSL won't work.

Thank You!
Re: pkill -HUP httpd won't fork new children
Thank You!

2008/8/28 Otto Moerbeek <[EMAIL PROTECTED]>

> On Thu, Aug 28, 2008 at 08:58:36AM +0200, Gábri Máté wrote:
>
> > Dear List,
> > I'm in the process of setting up httpd with ssl. When I want to reload the
> > config with
> > pkill -HUP httpd the parent process wouldn't fork the new children, so i
> > have to kill it with level 9 and start httpd again.
>
> Restart won't work because of chroot. See
> http://www.openbsd.org/faq/faq10.html#httpdchroot for some more details.
>
> > The other question is that what does kern.seminfo.semmni mean and what does
> > it do? After i few httpd restart i had to increase this value, otherwise SSL
> > won't work.
> >
> > Thank You!
>
> If you kill http with kill -9 it will never cleanup. Use apachectl
> stop and then apachectl start for proper restarting. After an
> apachectl stop you can check with ipcs -s if there are still
> semaphores allocated to www (it happens once in a while they are not
> cleaned up by apache). If so, remove them with ipcrm -s.
>
> If you do that, you won't have to increase semmni.
>
>	-Otto

--
Gabri Mate
[EMAIL PROTECTED]
DuoSol Bt.
http://www.duosol.hu
[EMAIL PROTECTED]
spamd: smtp clients from the outside
Dear List,

I'd like to use spamd to create a greylisting layer, but I have a few smtp clients on the internet with dynamic IPs. Is there a better way to let them through besides 2 sending attempts or authpf?

Thanks!
Re: spamd: smtp clients from the outside
I thought about making an smtpd listening on a non-default port accepting clients for sending. What do you think about that?

2008/9/3 Gábri Máté <[EMAIL PROTECTED]>

> Dear List,
> i'd like to use spamd to create a greylisting layer, but i have a few smtp
> clients on the internet with dynamic IPs. Is there a better way to let them
> through besides 2 sending attempts or authpf?
>
> Thanks!
insecurity output not coming
Dear List,

In the past 2 days I didn't receive the daily insecurity output. According to the maillog the daily script didn't even try to send it. I suspect that somehow the /etc/security script isn't running. Do you know where I should look to solve this problem?
Re: insecurity output not coming
Yes, I've figured it out just after I've sent my e-mail. Sorry, it's Monday morning. :) Last output was on Friday and I panicked a little about what happened during the weekend.

2008/9/15 william dunand <[EMAIL PROTECTED]>

> Hi Gabri,
>
> # tail -n 4 /etc/daily
> sh /etc/security 2>&1 > $OUT
> if [ -s $OUT ]; then
>    mail -s "`hostname` daily insecurity output" root < $OUT
> fi
>
> So as you can see the "daily insecurity output" mail will only be sent
> if /etc/security had something to say.
> You should try to run it manually to check that indeed, it does not
> give any output.
>
> Hope that helps.
> William
>
> 2008/9/15 Gábri Máté <[EMAIL PROTECTED]>:
> > Dear List,
> > In the past 2 days i didn't receive the daily insecurity output. According
> > to the maillog the daily script didn't even try to send it. I suspect that
> > somehow the /etc/security script isn't running. Do you know where should i
> > look for to solve this problem?
assembly for x86
Dear List,

I'd like to study the assembly language of the x86 architecture. I've searched for books, but there are a lot of them. Could you please recommend me a good writer/book about this topic?

Thank You!
Re: assembly for x86
Thank You! I've ordered this book. I like No Starch Press books anyway.

2008/9/22 jmc <[EMAIL PROTECTED]>

> --- Gábri Máté [Mon, Sep 22, 2008 at 01:45:30PM +0200]: ---
> > Dear List,
> > I'd like to study the assembly language of the x86 architecture. I've
> > searched for books, but there are a lot of them. Could you please recommend
> > me a good writer/book about this topic?
>
> i'm a beginner, but i picked up The Art of Assembly Language, a No Starch
> Press book by Randall Hyde. ISBN 1886411972.
>
> i'm sure there's a much longer list of book an assembly programmer
> should have at arm's reach, but this is the only one i'm using so far.
Re: assembly for x86
Great book indeed! Thank You!

2008/9/23 Mic J <[EMAIL PROTECTED]>

> http://www.drpaulcarter.com/pcasm/
>
> Gratis book.
> Uses nasm as assembler. and you can use yasm (BSD license) if you want.
>
> Mic
Re: assembly for x86
Thank You! Although I'm a total beginner with assembly, these will come in handy when I get the picture.

2008/9/23 Brynet <[EMAIL PROTECTED]>

> I found this article to be exceptionally useful when using OpenBSD as a
> primary development platform:
>
> http://www.phiral.net/openbsdasm.htm
>
> Hope that helps, the first few paragraphs of it anyway... :)
>
> P.S: Both Intel and AMD have documentation available, they might be a
> better start:
>
> http://developer.amd.com/documentation/guides/Pages/default.aspx#manuals
> http://www.intel.com/products/processor/manuals/
>
> If you follow the "Order a printed copy" link on the Intel page, you can
> get them free.. no shipping fees.
>
> -Brynet.
Re: apache 1.3.29 + PHP 5.2.6 on OpenBSD 4.4
2008/11/17 Andrei Pirvan <[EMAIL PROTECTED]>

> 1. Why does it say "Starting Pure-FTPd"? Have no idea. Anyway,
> Pure-FTPd is already installed on the system, but don't know why it
> shows here.
>
> 2. Nothing in the httpd error log?
> # tail /var/www/logs/error_log
> [Sat Nov 15 00:19:04 2008] [error] [client 192.168.1.2] file permissions deny server execution: /cgi-bin/bgplg
> [Sat Nov 15 00:19:16 2008] [error] [client 192.168.1.2] File does not exist: /htdocs/c
> [Sat Nov 15 01:15:16 2008] [notice] caught SIGTERM, shutting down
> [Mon Nov 17 08:38:52 2008] [notice] Initializing etag from /var/www/logs/etag-state
> [Mon Nov 17 08:38:52 2008] [notice] chrooted in /var/www
> [Mon Nov 17 08:38:52 2008] [notice] changed to uid 67, gid 67
> [Mon Nov 17 08:38:52 2008] [notice] Apache configured -- resuming normal operations
> [Mon Nov 17 08:38:52 2008] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Nov 17 08:38:57 2008] [error] [client 127.0.0.1] File does not exist: /htdocs/server-status
> [Mon Nov 17 08:39:56 2008] [notice] caught SIGTERM, shutting down
>
> 3. What is the history of the machine? Upgraded from previous release?
> Fresh install?
> Yes, It's a fresh install on this machine.
>
> 4. What's in your config files outside the ordinary?
> Just a few lines in httpd.conf to disable directory listing.
> Options -Indexes
>
>
>Options FollowSymLinks
>AllowOverride None
>
>
>
>Options +Indexes
>AllowOverride None
>
>
> 5. What's your first line of php5.conf
> # head -1 /var/www/conf/modules/php5.conf
> LoadModule php5_module /usr/local/lib/php/libphp5.so
>
> 6. Do you have something showing up or nothing when you do:
> cat /var/www/conf/httpd.conf | grep 'LoadModule php'
> Here I get nothing.
>
> Thanks for replies.

Is there a new line character at the end of this line:

LoadModule php5_module /usr/local/lib/php/libphp5.so

It could cause the syntax error problem.
CARP LAN outgoing IP address
Dear List,

I have two firewalls with nginx serving a few apache servers. I have to use CARP on the LAN side so I don't have to change the default gateway on the web servers when one of the firewalls goes down. My problem is that in the apache logs I see the firewall's physical IP address, not the CARP address.
Let's say CARP is 192.168.1.100, firewall1 is 192.168.1.1 and firewall2 is 192.168.1.2. If a connection is through firewall1, then in the apache logs I see 192.168.1.1.
This is normal, but is there a way to make the outgoing package have the internal CARP device's address as source IP?
I've read through the nginx docs but found nothing helpful. I think the key is in PF.

Thank You for your help and advice!

--
Gabri Mate
[EMAIL PROTECTED]
http://www.duosol.hu
Tel: 20/589-5456
Re: CARP LAN outgoing IP address
On Friday 18 April 2008 21.29.18 wrote:

> On Fri, Apr 18, 2008 at 11:48 AM, Gabri Mati <[EMAIL PROTECTED]> wrote:
> > This is normal, but is there a way to make the outgoing package to have
> > the internal CARP device's address as source IP?
>
> What would this accomplish? If one of the nginx machines goes down,
> the TCP sessions won't be able to failover to the other carp peer.
> I'd prefer to see in my logs which proxy a request came from so I can
> better diagnose if a particular machine is misbehaving.

You're right, but we need the carp'd IP for statistics on the web servers. If one of the machines goes down then the user just has to hit the refresh button and she has access to the content again.

--
Gabri Mate
[EMAIL PROTECTED]
http://www.duosol.hu
Tel: 20/589-5456
Re: CARP LAN outgoing IP address
On Saturday 19 April 2008 10.39.29 Claer wrote:

> On Fri, Apr 18 2008 at 32:21, Gábri Máté wrote:
> > On Friday 18 April 2008 21.29.18 wrote:
> > > On Fri, Apr 18, 2008 at 11:48 AM, Gabri Mati <[EMAIL PROTECTED]> wrote:
> > > > This is normal, but is there a way to make the outgoing package to
> > > > have the internal CARP device's address as source IP?
> > >
> > > What would this accomplish? If one of the nginx machines goes down,
> > > the TCP sessions won't be able to failover to the other carp peer.
> > > I'd prefer to see in my logs which proxy a request came from so I can
> > > better diagnose if a particular machine is misbehaving.
> >
> > You're right, but we need the carp'd IP for statistics on the web
> > servers. If one of the machines goes down then the user just have to hit
> > the refresh button and she has access to the content again.
>
> Did you try to NAT the LAN interface with the carp address ? It should
> work for self outgoing traffic too. The problem is, if the connection is
> issued from the backup firewall you will lost the connection. To bypass
> this limitation, you can use ifstated and pf tables.
>
> - If the LAN interface is in master mode : add the carp address to
> the NAT table
>
> - If the LAN interface is in backup mode : remove the carp address from
> the nat table
>
> Claer

Thank You for all your help! It seems that we found a workaround for this problem and we don't have to tamper with the firewall. Mod_rpaf on the webservers will rewrite the incoming IP address.

--
Gabri Mate
[EMAIL PROTECTED]
http://www.duosol.hu
Tel: 20/589-5456