Re: Microsoft gets the Most Secure Operating Systems award

2007-09-04 Thread Nick Shank

The One wrote:

But how would it spread? There have been 2 OS X viruses, yet they
spread terribly.

And Apple has already fixed the issue. :)

-The One

On 9/2/07, Kennith Mann III <[EMAIL PROTECTED]> wrote:
  

On 9/1/07, The One <[EMAIL PROTECTED]> wrote:


On 3/23/07 2:53 AM, Theo de Raadt wrote:
  

Symantec have been trying to demonise OS X for a long while.
  

And it is going to work soon.

Because OS X has no Propolice-like compiler stack protection, nor
anything like W^X which makes parts of the address space
non-executable, nor anything like address space randomization which
makes certain attacks very difficult, especially with the previous two
techniques.

So when they have a bug, it is exploitable just like bugs are on any
other powerpc or i386 machine running some other operating system.

These days even operating systems like Vista have the above 3 security
technologies.



First of all, "bugs" and "viruses" are two different things.

Second, OS X does not need third-party "protection". All of the
protection is built into the OS!

If Vista is so secure, then why does one need to download
"virus/spyware protection" when it can simply be built into the OS?

-The One


  

I don't have "virus/spyware protection" and I've been fine before with
Vista and XP.

Perhaps you mean to say "why do users who install things they
shouldn't need virus/spyware protection?" which I would argue that the
OS doesn't matter. I could write a script that asks for rootly
permission in OS X and start nuking stuff with the promise of prettier
icons for their desktop or IM client.

If you were to argue for worms and things of the like, then I would
agree. The only virus I will probably ever catch is some zero-day that
hits the world and gets in my work network (won't happen at my house
-- I live alone)



  
Here we hit the heart of the issue. The virus and spyware detection 
software for Windows isn't really to protect the OS. It's to protect 
the user from themselves.
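
The three mitigations named in the quoted message (compiler stack protection, W^X, address space randomization) each leave a mark in a compiled binary that can be audited. The following is an added example, not part of the thread: it checks an ELF64 image for those marks, which generalizes the point to ELF systems rather than OS X's own binary format. The function names audit_elf and build_sample are hypothetical, the two sample images are constructed, and the PT_GNU_STACK and stack-protector symbol checks assume GNU and OpenBSD toolchain conventions.

```python
import struct

# Constants from the ELF specification (<elf.h>).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)

# Assumption: symbols referenced by stack-protected code. GCC's SSP uses
# __stack_chk_fail; OpenBSD's ProPolice uses __stack_smash_handler.
SSP_SYMBOLS = (b"__stack_chk_fail", b"__stack_smash_handler")


def audit_elf(image: bytes) -> dict:
    """Report which of the three mitigations an ELF64 LE image opts into."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = EHDR.unpack_from(image)
    if e_phentsize != PHDR.size or e_phoff + e_phnum * e_phentsize > len(image):
        raise ValueError("program header table is malformed or truncated")

    wx_segments = []     # load addresses of segments mapped writable AND executable
    stack_flags = None   # stays None when the image carries no PT_GNU_STACK entry
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, *_ = PHDR.unpack_from(
            image, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx_segments.append(p_vaddr)
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags

    return {
        # W^X: no loadable segment is both writable and executable.
        "w_xor_x": not wx_segments,
        "wx_segments": wx_segments,
        # None means "not declared": the loader's default applies.
        "nonexec_stack": None if stack_flags is None else not (stack_flags & PF_X),
        # ET_DYN lets the loader place the main image at a randomized base.
        "position_independent": e_type == ET_DYN,
        # Heuristic: a stack-protected object references one of these symbols.
        "stack_protector": any(sym in image for sym in SSP_SYMBOLS),
    }


def build_sample(e_type: int, segments, extra: bytes = b"") -> bytes:
    """Constructed sample: ELF64 header plus program headers only, not runnable."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(t, f, 0, v, v, 0, 0, 0x1000)
                     for t, f, v in segments)
    return ehdr + phdrs + extra


# Constructed image with none of the three mitigations.
LEGACY = build_sample(ET_EXEC, [
    (PT_LOAD, PF_R | PF_W | PF_X, 0x400000),
    (PT_GNU_STACK, PF_R | PF_W | PF_X, 0),
])

# Constructed image with all three.
HARDENED = build_sample(ET_DYN, [
    (PT_LOAD, PF_R | PF_X, 0x0),
    (PT_LOAD, PF_R | PF_W, 0x2000),
    (PT_GNU_STACK, PF_R | PF_W, 0),
], extra=b"\x00__stack_chk_fail\x00")

if __name__ == "__main__":
    for name, img in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit_elf(img))
```
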




Re: OpenBSD 3.9 on a Sun Fire x4100

2006-06-06 Thread Nick Shank
Paul,
 Actually, all I wanted to do was see if it worked. I'm loading current atm,
and will post a dmesg when I get done...
 Nick


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Paul de Weerd
Sent: Monday, June 05, 2006 10:30 PM
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: OpenBSD 3.9 on a Sun Fire x4100

Hi Nick,

On Mon, Jun 05, 2006 at 09:51:13PM -0700, [EMAIL PROTECTED] wrote:
|  I have been looking high and low for instructions on how to get 3.9
| running on an x4100. Not finding any, I decided to play w/ it myself. I
| was able to make it work. While I have included the entire dmesg, here is
| the interesting (for the SAS controller, anyway) bit:
|
| mpi0 at pci2 dev 3 function 0 "Symbios Logic SAS1064" rev 0x02: apic 6 int
| 0 (irq 11)
| scsibus0 at mpi0: 63 targets
| sd0 at scsibus0 targ 2 lun 0:  SCSI2
| 0/direct fixed
| sd0: 69618MB, 69618 cyl, 16 head, 128 sec, 512 bytes/sec, 142577664 sec
total

Good to see your mpi-controller is working as it should ;)

| The kernel is the bsd.mp from the amd64 snapshots section, and the rest of
| the system is amd64 3.9

That's not good. You're mixing -current kernel with -stable userland.
Don't do that. You'll get all sorts of strange things, the longer
after -stable became stable you take -current, the more weird things
will happen until at some point your system may not make it past
loading the kernel anymore.

It's OK to play around with stuff like this (to see if your SAS
controller is supported by a newer kernel), but don't run anything
important in such a configuration. See that the new kernel supports
your hardware and then *UPGRADE*. Not just the kernel, your entire
system.

If running -current is not for you then you have a limited set of
options :

o Wait for 4.0 which should be released in November (only 5
  months from now ;)
o Backport the mpi(4) driver to 3.9 (good luck, you're on your
  own)
o Bite the bullet, run -current.

If any of the issues you mention below reappear with a complete
snapshot or a complete -RELEASE system, feel free to try again ;)

Cheers,

Paul 'WEiRD' de Weerd

PS: Thanks for including a dmesg.

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/




Re: OpenBSD 3.9 on a Sun Fire x4100

2006-06-08 Thread Nick Shank
I have not put -current on this system. Would making this machine public and
available to developers be of any use? I would also include ilom access.
Thoughts?
 Nick



Re: OpenBSD 3.9 on a Sun Fire x4100

2006-06-08 Thread Nick Shank
Er, rather I have put current on the x4100. Hmmm... I must still be brain
dead from work...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Nick Shank
Sent: Thursday, June 08, 2006 6:54 PM
To: misc@openbsd.org
Subject: Re: OpenBSD 3.9 on a Sun Fire x4100

I have not put -current on this system. Would making this machine public and
available to developers be of any use? I would also include ilom access.
Thoughts?
 Nick



Sensors setup

2006-07-13 Thread Nick Shank

I've looked, I've read, and, maybe I'm just
blind, but after enabling sensors via sysctl, I still get "no sensors
found". I expect the answer is obvious and staring me in the face, but
I'm asking anyway... What am I missing here?
Nick



Re: Sensors setup

2006-07-13 Thread Nick Shank

Steve,
Here is what dmesg says...
Nick

piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus 
disabled



Steve Shockley wrote:

Nick Shank wrote:

after enabling sensors via sysctl, I still get "no sensors
found".


Do you have any supported sensors in your dmesg, such as lm?  See iic(4).




Re: Boot panic with bsd.mp on a Compaq ProLiant 2500

2006-07-14 Thread Nick Shank
And, while I know it's a very different animal, it's still a Compaq 
server... I get the same error on a Proliant ML370 when using bsd.mp. 
I'll post a dmesg when I can...

Nick


François Chambaud wrote:

Hello misc,

I have installed a second processor in my old Compaq ProLiant 2500 and
when I boot with a bsd.mp kernel, the system stops with a panic. To "see"
the two processors in the BIOS, I must choose Unixware or Linux OS,
otherwise the second processor is seen as "deactivated"; "Other" is not
the good OS choice as I have read in the archives. I took "Linux" as the
OS choice. The second processor is referenced as "primary" when I use
the Compaq "Inspect" tool in the F10 partition.

Here is the information:

$ sudo tip tty00
connected
  

OpenBSD/i386 BOOT 2.10
  

boot> machine mem [EMAIL PROTECTED]
Region 0: type 1 at 0x0 for 638KB
Region 1: type 1 at 0x10 for 261120KB
Low ram: 638KB  High ram: 15360KB
Total free memory: 261758KB
boot> boot bsd.mp
booting hd0a:bsd.mp: 5004968+872840 [52+258352+239412]=0x614a3c
entry point at 0x100120

[ using 498188 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar  2 02:37:06 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
real mem  = 268017664 (261736K)
avail mem = 237518848 (231952K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/01/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 8 Interrupt Routing table entries
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xe8000/0x6000 0xee000/0x2000!
mainbus0: Intel MP Specification (Version 1.4) (COMPAQ   PROLIANT)
cpu0 at mainbus0: apid 1 (boot processor)
cpu0: apic clock running at 66 MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
mainbus0: bus 0 is type PCI   
mainbus0: bus 1 is type PCI   
mainbus0: bus 9 is type EISA  
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 28 pins

ioapic0: misconfigured as apic 0, remapped to apic 2
panic: can't deal with not-all-lapics interrupt yet!
Stopped at  Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0}> trace
Debugger(1b,0,0,d0c7fa1c,e3688963) at Debugger+0x4
panic(d0590a40,d0c7fa3c,d0717df8,d049b0f6,d0c7cfc0) at panic+0x63
mpbios_int(e3688963,d0c7fa1c,1,e3688973,fc) at mpbios_int+0x275
mpbios_scan(d0c7cfc0,2,d0c70fc0,d0c7cfd4,d05eba00) at mpbios_scan+0x30d
mainbus_attach(0,d0c7cfc0,0,0,d0717f10) at mainbus_attach+0x8e
config_attach(0,d05a8404,0,0,d05eb2a0) at config_attach+0xef
config_rootfound(d053f47c,0,d0717f58,d03454c0) at config_rootfound+0x27
cpu_configure(0,1,3,0,1000) at cpu_configure+0x1f
main(0,0,0,0,0) at main+0x36c
ddb{0}> ps
   PID   PPID   PGRPUID  S   FLAGS  WAIT   COMMAND
*0 -1  0  0  7 0x80204 swapper
ddb{0}>

Here is the first boot sequence after the fresh install:

$ sudo tip tty00
connected
  

OpenBSD/i386 BOOT 2.10
  

boot> machine mem [EMAIL PROTECTED]
Region 0: type 1 at 0x0 for 638KB
Region 1: type 1 at 0x10 for 261120KB
Low ram: 638KB  High ram: 15360KB
Total free memory: 261758KB
boot> boot
booting hd0a:/bsd: 4966344+867848 [52+255872+237161]=0x608d64
entry point at 0x100120

[ using 493460 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
real mem  = 268017664 (261736K)
avail mem = 237568000 (232000K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/01/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 8 Interrupt Routing table entries
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xe8000/0x6000

Re: Boot panic with bsd.mp on a Compaq ProLiant 2500

2006-07-16 Thread Nick Shank
I happened to read this as I was on my way out of the office for the 
week (yay for vacation, and a paid one at that). I don't recall the exact 
error, but on 3 different SMP slot 1 machines, bsd.mp under 3.9 
complains about apic, and dies. PS shows swapper as the only thing 
active. Will look more into it on Friday when I get back, and post what 
I find. Although, the thought of going back a version or two seems like 
it might work, as I know I've had 3.7 or 3.8 working on at least one of 
my dual slot 1 machines...

Hope that helps at least a little bit,
Nick


François Chambaud wrote:

Steve Shockley <[EMAIL PROTECTED]> writes:

  

Nick Shank wrote:


And, while I know it's a very different animal, it's still a Compaq
server... I get the same error on a Proliant ML370 when using
bsd.mp.
  

I've got 3.9 running on a DL380 without trouble (GENERIC.MP), and that
should be the same mainboard as an ML370.  Make sure you've got all
current firmware on the box, and try various "OS" settings until one
works properly (including "Other").  Incorrect settings will probably
result in a crash on boot, or only one CPU.





Today, I've tried different "OS" settings in the BIOS like UnixWare,
Solaris, Windows (2000) and they all do a kernel panic with bsd.mp. I
have the "trace", "ps" and "show registers" for them if somebody wants to
see the details.

"Unix with large disk geometry" and "Other" OS types only detect one
processor with the "Inspect" Compaq tool.

"Other" OS type does not panic the kernel with bsd.mp, but only one
processor is detected:

OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar  2 02:37:06 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV
real mem  = 268017664 (261736K)
avail mem = 237518848 (231952K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/01/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 8 Interrupt Routing table entries
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xe8000/0x6000 0xee000/0x2000!
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel Pentium Pro ("GenuineIntel" 686-class, 256KB L2 cache) 199 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
ppb0 at pci0 dev 13 function 0 "IBM 82351 PCI-PCI" rev 0x01
[...]

I've been "googling" for some time now, but I can't find a definitive answer
to that "panic: can't deal with not-all-lapics interrupt yet!" problem.

Thank you Steve and Nick for your feedback.

Thanks again for your time and this great OS !

Francois




Re: Why ksh?

2006-07-24 Thread Nick Shank

Eric Furman wrote:

On Mon, 24 Jul 2006 12:25:03 +0100, "Pedro Timóteo"
<[EMAIL PROTECTED]> said:
  

Spruell, Darren-Perot wrote:


These threads grow tiresome.

If you want a shell that whistles like bash, and quacks like bash, and is
shiny like bash, then use bash. No one is forcing you to use a certain
shell. Please stop lamenting that something that is not bash is not bash.

It seems clear that the precise functionality you are after isn't
implemented in OpenBSD's ksh. So note it down as a "technical limitation" if
you want and move on with life.

  
  
Guys, I wasn't whining or complaining. I wasn't even requesting a 
feature. I just asked if there was a way to do it. There isn't, so I 
"move on with life", like you said.


I guess you've had so many whiners in the past, that you're 
oversensitive to them. :)



Yes we are oversensitive about this.
This question comes up all the time.
csh used to be the default shell and thank G. O. D. it was changed.
POSIX 93 ksh with HUGE improvements was ported to OpenBSD.
It was ported to OBSD a while ago.
It kicks bash and zsh's ass all to hell.
  



any other opinion is just based on ignorance.
  

Really now? Hmmm... Where have I heard that before?

Please stop being ignorant and learn.

Lastly; set -o vi
Please learn it.
This thread is incredibly tiresome...

(BTW I alias c=clear: much cleaner than bash alternatives)




Re: sokeris output

2006-07-24 Thread Nick Shank

Miod Vallat wrote:

This is also what I experienced as a good size for a CF. By the way,
does it make sense to turn off swap to extend the CF's life time? I am
using that soekris only for ssh logins and won't need much ram
anyways... what's the emergency action by OpenBSD's kernel if it runs
out of RAM?



It will happily kill processes with SIGSEGV.

Miod




Lost time in vmware...

2006-07-25 Thread Nick Shank

Hi all,
I appear to be losing time on a virtual machine running OpenBSD 
3.9/release under vmware workstation. The system is a Sun Ultra 40, and 
the host OS is XP-64, and keeps time fine. Thoughts?

Nick



Sensors experience...

2006-07-25 Thread Nick Shank

Hi all,
I'm looking for an older server (dual P3 or so) that I can use for a 
netmon server here at the office. I'm curious what experience people 
have had w/ compaq or hp 1U P3 servers. Do sensors work?

Nick



Re: sendmail

2006-07-27 Thread Nick Shank

Matthias Kilian wrote:

On Thu, Jul 27, 2006 at 12:52:15PM +0200, Martin Schröder wrote:
  

Start with /usr/share/sendmail/README . It's dense, but has a wealth
of information. And then there is
http://sendmail.org/doc/sendmail-current/doc/op/op.pdf



Or just /usr/share/doc/smm/08.sendmailop/op.me

  
So far as I know, sendmail is just an MTA, so, your user accounts are 
just regular users (or users with only mail access), and mail is stored 
by either your popd or imapd. But I'm not a mail admin, and this 
advice should be taken w/ a grain of salt...

Nick



Re: OpenBSD gets a "poor score" in security.

2006-07-27 Thread Nick Shank

Alex Stamatis wrote:

Ahmmm. Openbsd gets bad score in patching ?
Well that maybe because the os is so good that doesn't need 30 patches a day
like the linux distros.
I have heard the linux 'fans' saying amazing crap about their os'es...

Thank god in this world there are people that know that openbsd rules.
We must all also help the openbsd community with donations for the amazing
work that all the guys in the obsd team do.
I did a donation 3-4 months ago to the obsd and if I had more i'd send out
more.

Let the linux guys talk. All they can do is talk ... Their os's suck

bsd for life ;)

On 7/27/06, chefren <[EMAIL PROTECTED]> wrote:
  

On 07/27/06 11:17, [EMAIL PROTECTED] wrote:


Someone has written an article under "Information Security News",
entitled "Linux patch problems: Your distro may vary". As if
OpenBSD were a "Linux distro".
  

Well, OpenBSD gets mentioned, that's the most important.

..



Good job Edmund! This is one of the worst articles on security I
have ever read. Talk about missing the point.
  

Yep, let's do talk about it since I see you as a blind horse that
misses the point because you cannot read. The title contains the two
words "patch problems" and that isn't a very strong point of OpenBSD.
(Obviously because there are not as many developers as other
distributions have.)


The article is not about the strong points of OpenBSD, pro-active and
integrated security, it's about patching and updates, a weak point of
OpenBSD.

And it's not at all about stupidities like the one you mentioned of
Ubuntu, you provide chaos without a reason.

+++chefren



  
Poor score in security? Hmmm... In which config? Default install? Or 3rd 
party apps? If the apps are to blame, then, to some extent, isn't that a 
ding to the developer, and not the OS itself? Almost like saying OpenBSD 
sucks because there was an exploit in an Excel document opened with 
OpenOffice.


As for Linux sucking, well, I use OpenBSD on anything public, but for 
client deployments (or non-technical people that want to try 
linux/unix/bsd) I use ubuntu. Both have their strengths, both have their 
weaknesses...

Nick



Re: Tyan v. Supermicro for Opteron?

2006-08-07 Thread Nick Shank

Karsten McMinn wrote:

On 8/7/06, Dustin Lundquist <[EMAIL PROTECTED]> wrote:

I've used both a Tyan S2892 and Supermicro H8SSL and H8DA8, the Tyan
board had a number of weird BIOS issues - some times it would boot,
reset the BIOS 5 times wave a dead chicken over it and then it would
work.


yea, their bios updating utility fried the prom on mine. however they
dropped me a flashed chip no questions asked the next day which
was impressive. its worked fine since then.

I'd probably trend toward supermicro. I doubt a distinction could
be made in pcb/part/solder quality. Supermicro gets an extra
vote in support of their case offerings.

And, for what it's worth, I believe the Supermicro cases have full 
sensor reporting (for the backplanes, power stuff, etc), but I think 
Dustin would be a better source of info on that...

Nick

"Life's not fair, but the root password helps"



Re: Intel Pro/1000MT checksum problem - 82546GB rev 0x01

2006-08-10 Thread Nick Shank

Bill wrote:

Hi,

I've been stuck with an Intel pro/1000MT card that is failing with the
checksum not valid.

I've found this in the archives:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113052293924074&w=2

That shows this may have been addressed for the 3.8 release which I am
on.  Also the rev that did not work is the same as the one I have.

Has anyone had further luck on this?  I am running it on OpenBSD 3.8,
but possibly this weekend I will be trying it on a 3.9 or newer.

Here is what I thought was the relevant part of the dmesg, followed by
a full dmesg:

Thanks!


em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq
5, address: 00:09:6b:7f:70:93 ppb1 at pci0 dev 28 function 0 "Intel
6300ESB PCIX" rev 0x02 pci2 at ppb1 bus 2

em1 at pci2 dev 2 function 0 "Intel PRO/1000MT (82546GB)" rev 0x01: irq
5

em1: The EEPROM Checksum Is Not Valid em1: Unable to initialize the
hardware em2 at pci2 dev 2 function 1 "Intel PRO/1000MT (82546GB)" rev
0x01: irq 5

em2: The EEPROM Checksum Is Not Valid em2: Unable to
initialize the hardware uhci0 at pci0 dev 29 function 0 "Intel 6300ESB
USB" rev 0x02: irq 11 usb0 at uhci0: USB revision 1.0


--
Full DMESG
--



OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.40GHz ("GenuineIntel" 686-class) 2.41
GHz cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 1609588736 (1571864K) avail mem = 1461350400 (1427100K)
using 4278 buffers containing 80580608 bytes (78692K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(49) BIOS, date 05/19/04, BIOS32 rev. 0 @
0xfd5b6 pcibios0 at bios0: rev 2.1 @ 0xfd520/0xae0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/352 (20 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev
0x00) pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1000
0xcb000/0x1800 cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 3 function 0 "Intel 82875P PCI-CSA" rev 0x02
pci1 at ppb0 bus 1
em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq
5, address: 00:09:6b:7f:70:93 ppb1 at pci0 dev 28 function 0 "Intel
6300ESB PCIX" rev 0x02 pci2 at ppb1 bus 2
em1 at pci2 dev 2 function 0 "Intel PRO/1000MT (82546GB)" rev 0x01: irq
5em1: The EEPROM Checksum Is Not Valid em1: Unable to initialize the
hardware em2 at pci2 dev 2 function 1 "Intel PRO/1000MT (82546GB)" rev
0x01: irq 5em2: The EEPROM Checksum Is Not Valid em2: Unable to
initialize the hardware uhci0 at pci0 dev 29 function 0 "Intel 6300ESB
USB" rev 0x02: irq 11 usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 5300ESB USB" rev 0x02: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 11
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
ppb2 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a
pci3 at ppb2 bus 3
vga1 at pci3 dev 2 function 0 "ATI Radeon VE QY" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci3 dev 8 function 0 "Intel 82557" rev 0x0c, i82550: irq 11,
address 00:0e:0c:50:d7:c4 inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev.
4 ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
pciide0 at pci0 dev 31 function 2 "Intel 6300ESB SATA" rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility atapiscsi0 at pciide0 channel 0 drive 0 scsibus0 at
atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable cd0(pciide0:0:0): using PIO
mode 4, Ultra-DMA mode 2 wd0 at pciide0 channel 1 drive 0:  wd0: 16-sector PIO, LBA, 76324MB, 156312576 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
"Intel 6300ESB SMBus" rev 0x02 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 

Re: Why no compiler on prod system [Was: Re: How to update httpd without a compiller]

2006-08-24 Thread Nick Shank

David Terrell wrote:

On Thu, Aug 24, 2006 at 12:38:26PM -0700, Nick Shank wrote:
  
Through all of this, and maybe I've just missed it, what happens when a 
user tries to make spl01t.c?



stop it, please, you're killing me.

There is nothing special about your machine that makes binaries compiled
somewhere else not be able to use exploits against it.  Removing the
compiler does not hurt any serious attacker.  If you really care about
defending your machine against idiots who can't figure out how to compile
an exploit on another machine, well, congratulations, you're already
running OpenBSD.

  
Earth to Dave, Earth to Dave, there's another soap-box over on 42nd & 
Main...


Erm, right...

Regardless, I was simply asking if 1) The possibility of a user who has 
access to the system had been thought of, and 2) Would it matter.


Yes, I install the compXX package. Why? It's convenient. Is it 
exploitable? Sure, why not. Do I care? No, not really.


And please, reply just to the list, and not to me directly...



Re: Why no compiler on prod system [Was: Re: How to update httpd without a compiller]

2006-08-24 Thread Nick Shank

Scott Plumlee wrote:

NetNeanderthal wrote:

On 8/24/06, Anton Karpov <[EMAIL PROTECTED]> wrote:
Removing compiler doesn't bring much more security to your system, but it
can make it a little bit safer. Very little bit, but safer. I mean, if your
system has local root hole, for example, in this case cracker should
compile his sploit somewhere outside your box, and transfer binary file onto
it, thus, it takes more time than "cat > /tmp/.slp01t.c && gcc
/tmp/.spl01t.c && ./a.out". And usually, crackers limited in time resources.


This patently futile measure contributes zero security to the system
and it does not make the system even 'a little bit safer'.  Please
substantiate your claim based on the security record of a large
Redmond-based OS that is distributed sans compiler.



Disclaimer - I manage only a few, non-critical machines, and am at 
best a journeyman OpenBSD user.


I like the point that Bruce Schneier often makes: security is about 
risk versus cost (or benefit versus cost). For different companies and 
different admins, these two choices have a different benefit and cost: 
having a compiler on a production machine or having to maintain 
another machine for performing make release (or whatever other method 
you prefer to use to upgrade - copy binaries, etc).


If you don't have a second machine upon which to make release, then 
having the compiler on the production machine is acceptable because 
being able to patch the machine outweighs not having the compiler in 
terms of security benefit. As Nick said, if not having the compiler 
means you don't upgrade, then that's a pretty heavy risk for whatever 
benefit you do realize.


I realize that this is a simplified way of looking at it, and there 
are other considerations (physical access to upgrade versus remote 
access, downtime needed, etc) but in the end any good business 
decision is risk/benefit versus cost. I don't think any of the methods 
that have been discussed are wrong or right, each is correct according 
to the decisions that the admins have made for their own machines.


Personally, I like to use make release, as I was pointed towards that 
method here once and it's worked for me.  To each their own.


Through all of this, and maybe I've just missed it, what happens when a 
user tries to make spl01t.c?

Nick



Re: Sun X2100 on board RAID support?

2006-08-25 Thread Nick Shank

Matt Kolb wrote:

stan writes:
I've got a bunch of Sun 2100 machines. Nice machine that I plan on doing a
number of things with. I'd prefer to use OpenBSD on them for firewalls, and
other network related tasks.
I've got 2 x 250G drives in these machines, and want to mirror them. Under
FreeBSD the built in RAID controller (OK semi-software RAID) works, but
apparently it does not under OpenBSD. Is this correct? or am I missing
something?
If it's not supported, are there plans to add support for it?
BTW, It's the 3.9 64 bit install set I'm trying to install. If I turn off
RAID in the firmware, everything works fine. If I enable it the disks are
not detected at all.


As an aside to this, I would like to know if there are plans to 
support the x4[12]00 SAS controller -- this does work in FreeBSD 
-current.

./matt


Using -current as of about a week after the last hack-a-thon, the x4?00 
SAS worked. From a dmesg I posted on 6/6/06, here is the relevant part:


| mpi0 at pci2 dev 3 function 0 "Symbios Logic SAS1064" rev 0x02: apic 6 int
| 0 (irq 11)
| scsibus0 at mpi0: 63 targets
| sd0 at scsibus0 targ 2 lun 0:  SCSI2
| 0/direct fixed
| sd0: 69618MB, 69618 cyl, 16 head, 128 sec, 512 bytes/sec, 142577664 sec
total

It worked using both bsd and bsd.mp. But that was using the AMD64 port. As 
always, YMMV.
Nick



Re: Website(s) being blocked by CARP/PF firewall

2006-09-07 Thread Nick Shank

Chris Cameron wrote:

On Thu, 2006-09-07 at 10:46 -0400, Asenchi wrote:
  

On 9/7/06, Chris Cameron <[EMAIL PROTECTED]> wrote:


Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
unable to get to ticketmaster.ca or .com. They both have different IPs.
  


  

But make sure you have read and understand the FAQ [1] and the man
pages for pf.conf [2], carp [3], pfsync [4] before responding.

hth,
Asenchi.

[1] http://www.openbsd.org/faq/pf/index.html
[2] http://urlx.org/openbsd.org/4a4bc
[3] http://urlx.org/openbsd.org/5ca9f
[4] http://urlx.org/openbsd.org/558dd




I didn't see any "Can't access Tickmaster.ca" entries; but I think I
have the rest covered.

No other sites have this problem. The firewall sits in front of an
office of 15 or so, so I believe I would have heard something. Logging
is turned on for my default block rule, which isn't returning anything
for the ticketmaster IPs.

The connection is just refused though. Nothing gets "lost", or dropped.
The server gets the request, replies, and the client sees it.


I don't see how this could be a problem of my ruleset; if something was
being blocked, no packets would have been received by the client.



Again, does anyone have any ideas? Can other people access ticketmaster
through their CARP'd NAT firewall?


Chris

  
Having just tried to hit ticketmaster.ca and ticketmaster.com, I get an 
error I've never seen before. Constant redirects. Like the page is 
starting to load, then redirecting to itself. Maybe it's a problem w/ 
the site?


"Config":
XP-64 using Firefox 1.5.0.6.
Windows firewall: off
Network firewall: Sonicwall

Please keep in mind, this is just my initial observation, and I will 
re-test when I get home and have the "proper" equipment.

Nick



Re: Secure file storage.

2006-09-07 Thread Nick Shank

viq wrote:

I was trying to google for some solution, but didn't come up with
anything useful. I am looking for a way to securely store files. Like,
say, your mail archive. Or home folder. I know, "use vnd" seems to be
the main choice on OpenBSD. But, I want to be able to access those
files from other systems too. Did anyone find a solution that would be
practical to use? A filesystem solutions would be preferable, either
encrypting a 'real' filesystem, or having a 'virtual' one in a file -
but as I said, I'm looking for a solution that would let me mount it
in several operating systems.

Why not just encrypt it, using whatever method, and use file shares to 
access it over the network?

Nick