Re: "Desktop" chrooted
Thanks a lot for your reply. -- Are you saying there is too much
overhead or the end result is not worth any overhead??

Why bother chrooting apache, for example, and not leaving it with your
recommended systrace?

My question is motivated by exploits through Internet access; it seems
to me server vulnerabilities are comparable to user's visiting unsafe
websites / opening unsafe emails, etc. Plus, more and more user
activity involves Internet access.

Stephan

On 5/25/05, Mike <[EMAIL PROTECTED]> wrote:
> Stephan Wehner wrote:
> > Mainly I'm worried about running a lot of user applications which
> > connect to the Internet. But I can't estimate the overhead.
> >
>
> choose wisely your applications and systrace(1) would most likely give
> you some extra security.
Re: "Desktop" chrooted
Ok, thanks a lot for your patience with this !

> The kinds of attacks you're talking about--bad emails, trojan web
> pages, etc. may seem like remote attacks, but from an OS standpoint,
> they're really not: they originate someplace else, but they trick
> users into doing something locally, and they need to be treated as
> such.

I don't understand -- could you elaborate on "they need to be treated
as such" ?

I wrote earlier :
> Why bother chrooting apache, for example, and not leaving it with your
> recommended systrace?

What's the answer to this one?

I was also toying around with this setup:

* One jail for the XServer
* One jail for the "desktop clients" with the required libraries for
  these and not more (no sh, no gcc),
* and ssh-xterm-login connect to outside the jail, where all system
  files are available

In particular, one directory /jails/xserver/ from which the xserver
runs, a directory /jails/xclients/ which has for example the whole
gnome system. It also has a subdirectory /jails/xclients/home/ so that
the home directories are visible from the "desktop".

Does that solve your "and if it goes, you will have lost the system
for all practical purposes just as effectively as if the jail weren't
in place." ?

Stephan

On 5/26/05, Jay Savage <[EMAIL PROTECTED]> wrote:
> On 5/26/05, Stephan Wehner <[EMAIL PROTECTED]> wrote:
> > Thanks a lot for your reply. -- Are you saying there is too much
> > overhead or the end result is not worth any overhead??
> >
> > Why bother chrooting apache, for example, and not leaving it with your
> > recommended systrace?
> >
> > My question is motivated by exploits through Internet access; it seems
> > to me server vulnerabilities are comparable to user's visiting unsafe
> > websites / opening unsafe emails, etc. Plus, more and more user
> > activity involves Internet access.
>
> I can speak for Mike, but I'd say "both". In order to give your users
> a useable system, you'd have to copy almost everything into the jail,
> which would mean maintaining two versions of everything. And at the end
> of the day, what have you gained?
>
> Look at it this way: assuming you have any reasonable hardware
> policy, any system that a user logs on to with a graphical interface
> exists primarily to run user applications--Joe L'User shouldn't be
> running a KDE session on any of your file, internet, mail, database,
> etc. servers. So anything that would make a workstation/X server
> usable would need to be chrooted. If it wouldn't need to be chrooted
> so the users have access, why have it on that machine at all? Once
> you realize that, you realize that, given the purpose of workstations
> and X servers, if anything happens inside the jail, it's just as bad
> as if it had happened outside the jail: you'll have just as big a mess
> on your hands, because *everything important*--executables, spool files,
> password files, log files, all of it--will have to be in the jail. And
> if it goes, you will have lost the system for all practical purposes
> just as effectively as if the jail weren't in place.
>
> chrooting is a technique to protect leaky programs from remote
> attacks; OpenBSD provides other tools--file permissions, file system
> flags, etc.--to protect against local exploits. Use the appropriate
> tools for the job.
>
> The kinds of attacks you're talking about--bad emails, trojan web
> pages, etc. may seem like remote attacks, but from an OS standpoint,
> they're really not: they originate someplace else, but they trick
> users into doing something locally, and they need to be treated as
> such.
>
> -- jay
>
> daggerquill [at] gmail [dot] com
> http://www.engatiki.org
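
The jail layout proposed in the message above (desktop clients under /jails/xclients/ with "no sh, no gcc") can be checked mechanically. The following is an added example, not part of the original thread: the forbidden-name list, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a chroot tree against the "no sh, no gcc" rule.
# The forbidden-name list and all paths below are assumptions.
FORBIDDEN="sh ksh csh bash gcc cc"

# Print one finding per line as "<kind> <path>".
audit_jail() {
    jail_dir=$1
    for name in $FORBIDDEN; do
        # Shells and compilers by file name, as regular files or symlinks
        find "$jail_dir" \( -type f -o -type l \) -name "$name" 2>/dev/null |
            sed 's/^/forbidden-binary /'
    done
    # A setuid or setgid file can hand a jailed process extra privilege
    find "$jail_dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed 's/^/setid-file /'
    # Device nodes expose disks and memory that live outside the jail
    find "$jail_dir" \( -type b -o -type c \) 2>/dev/null |
        sed 's/^/device-node /'
}

# Number of findings; 0 means the tree passed every check above.
count_findings() {
    audit_jail "$1" | wc -l | tr -d ' '
}

# Build a small constructed tree: one ordinary client binary, one shell
# that should not be there, and one setuid helper.
make_sample_jail() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/usr/bin" "$d/home/user"
    : > "$d/usr/bin/gnumeric" && chmod 755 "$d/usr/bin/gnumeric"
    : > "$d/bin/sh" && chmod 755 "$d/bin/sh"
    : > "$d/usr/bin/helper" && chmod 4755 "$d/usr/bin/helper"
    echo "$d"
}

sample=$(make_sample_jail)
audit_jail "$sample"
echo "findings: $(count_findings "$sample")"
rm -rf "$sample"
```

Run against a real tree with `audit_jail /jails/xclients`; an empty result only says these three checks passed, not that the jail holds.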
Re: Another gnumeric printing problem
You're looking for lpq ?

Also lprm might be useful for you for the next little while :)

Stephan

On 6/9/05, Dave Feustel <[EMAIL PROTECTED]> wrote:
> I generated a pdf file of a dead simple 1 page spreadsheet
> (no formulas) using the gnumeric print command.
> I examined the file using xpdf and the file looked ok.
> When I attempted to print the file using the command
> lpr -P aps1 ,
> I am getting page after page, each with 1 printed line of garbage.
> I don't know where the problem lies, but this makes
> my printer unusable. I used to have this problem when I
> printed kde files before I installed aps1, but not since then
> until now.
>
> What command shows the names of files in the print queue?
> (I've looked but just can't find it)
> Dave Feustel
Re: customised network installation...
Did you look at http://openbsd.org/faq/faq4.html#site

Stephan
Interrupting df
I'm running df and it just hangs.

^C doesn't interrupt it. ^Z doesn't interrupt it.

My guess is that some filesystem is not responding; still I should be
able to get my console back, shouldn't I?

Is this the BSD way? (My other linux machine responds to interrupts).

Stephan

#uname -a
OpenBSD myosin.sugarmotor.net 3.7 GENERIC#50 i386
Re: Interrupting df
Let's get at this the other way round: What good comes from designing
the df command so that it might hang?

I took it for granted there were no advantages.

Stephan

On 6/28/05, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
>
> On Tue, 28 Jun 2005, Stephan Wehner wrote:
>
> > I'm running df and it just hangs.
> >
> > ^C doesn't interrupt it. ^Z doesn't interrupt it.
> >
> > My guess is that some filesystem is not responding; still I should be
> > able to get my console back, shouldn't I?
> >
> > Is this the BSD way? (My other linux machine responds to interrupts).
> >
> > Stephan
> >
> > #uname -a
> > OpenBSD myosin.sugarmotor.net 3.7 GENERIC#50 i386
> >
> This got to be a contender for "the most useless problem report this year."
>
> Since you do not provide any details on your setup (dmesg, are you using NFS,
> how are the filesystems mounted, anything in the log files or console)
> we cannot help you.
>
> Check http://www.openbsd.org/mail.html and report.html and try again.
>
> -Otto
Safe development
What is recommended for bare-metal backups? Scenario: I build a new
application, but something breaks and I want to revert back. I thought
a neat way would be to have the whole system under version control.
Can it be done reliably with one PC only? How do porters go about
this?

I feel this sounds a little naive, but any advice would be good.

Stephan
Re: Safe development
What am I trying to back up?

What happened to me was I was running Mepis, and did an apt-get xfce4
(I think it was xfcr4). But then startx wouldn't work any longer. I
thought apt-get would be pretty safe...
Then I switched to FreeBSD and after a port-upgrade installed the new
version of firefox. Then firefox wouldn't work any more.

In both cases I had no clue what had changed, or how to undo it.

Hence my original question. I think starting over with OpenBSD will be
worth it. But I'm trying to decide on a good way to set up backups
right from the start.

Are you saying I should put the /usr and /etc directories and so on in
a cvs repository? Will I get to know which files to checkout as I
install more ports?

Or instead of a cvs repository I thought of just taking snapshots
before any system changes. But then I thought this should be a common
problem so I asked how to go about it.

Thanks

Stephan

On 5/19/05, Aaron Glenn <[EMAIL PROTECTED]> wrote:
> On 5/19/05, Stephan Wehner <[EMAIL PROTECTED]> wrote:
> > What is recommended for bare-metal backups? Scenario: I build a new
> > application, but something breaks and I want to revert back. I thought
> > a neat way would be to have the whole system under version control.
> > Can it be done reliably with one PC only? How do porters go about
> > this?
>
> what do you expect to break? rcs works pretty well for system
> configuration files. what are you trying to backup?
>
> aaron.glenn
Re: Safe development
The manual pages of dump(8) in my FreeBSD 5.3 system mention that it
works with a snapshot (mksnap_ffs(8)) if asked to dump a live
filesystem.

OpenBSD doesn't seem to have snapshots as such...

So is dump safe to use when the system changes during its operation???

Anyway, I'm pretty happy about the responses! Thanks a lot.

Stephan

On 5/20/05, Simon Slater <[EMAIL PROTECTED]> wrote:
> It depends what you mean by a snapshot, I used
> snapshot to mean an image of the system at a
> particular point in time. This is a different type of
> snapshot to the ones that are provided by the OpenBSD
> people if that is what you mean, those are simply
> tar'ed and gzip'ed files of the entire filesystem.
>
> Dump is what you use to make a backup of your system.
> You could use dump to backup your system before you
> make any changes and if there is a problem later you
> can use restore to get the old version of your entire
> system back. Dump is very simple to use and works at
> the partition level instead of the file level. Given a
> raw disk partition such as /dev/rwd0a it will read
> through the contents of that partition and write this
> into one large binary file including all filenames and
> directories. The restore command can read this file
> and re-create its contents back on to the disk. I
> myself use this before I perform any major upgrades
> just in case the upgrade fails.
>
> I hope this helps you
>
> - Simon
>
>
> --- Stephan Wehner <[EMAIL PROTECTED]> wrote:
> > Does dump make use of file system snapshots if possible? Should one
> > not work with a snapshot?
> >
> > Stephan
> >
> > Stephan
> > On 5/20/05, Simon Slater <[EMAIL PROTECTED]> wrote:
> > > Using cvs to back up the system is going to be very
> > > inefficient, especially with binary files. I'd suggest
> > > going with your idea of a system snapshot before any
> > > major system changes. A straightforward dump(8) and
> > > restore(8) is easy to set up and your backed up data
> > > can also be restored just by booting from any OpenBSD
> > > CD providing it is stored on a local disk.
> > >
> > > I run the following script from the cron every Sunday
> > > night so that I can always restore back to a few days
> > > ago if the worst happens. (The /scratch partition is a
> > > separate disk to the rest of the system)
> > >
> > > Works well enough for me.
> > >
> > > - Simon
> > >
> > > --- BEGIN ---
> > >
> > > #!/bin/sh
> > >
> > > dump -af - /dev/wd0a | gzip > /scratch/backup/root.dump.gz
> > > dump -af - /dev/ccd0a | gzip > /scratch/backup/usr.dump.gz
> > > dump -af - /dev/ccd0b | gzip > /scratch/backup/var.dump.gz
> > > dump -af - /dev/ccd0d | gzip > /scratch/backup/home.dump.gz
> > > dump -af - /dev/ccd0g | gzip > /scratch/backup/cvs.dump.gz
> > >
> > > disklabel wd0 > /scratch/backup/disklabel_wd0.txt
> > > disklabel wd1 > /scratch/backup/disklabel_wd1.txt
> > > disklabel ccd0 > /scratch/backup/disklabel_ccd0.txt
> > >
> > > cp /etc/ccd.conf /scratch/backup
> > >
> > > dd if=/dev/rwd0a of=/dev/rwd1a bs=16b seek=1 skip=1 conv=noerror
> > > fsck -y /dev/rwd1a
> > >
> > > --- END ---
> > >
> > >
> > >
> > >
> > > --- Stephan Wehner <[EMAIL PROTECTED]> wrote:
> > > > What am I trying to back up?
> > > >
> > > > What happened to me was I was running Mepis, and did
> > > > an apt-get xfce4
> > > > (I think it was xfcr4). But then startx wouldn't
> > > > work any longer. I
> > > > thought apt-get would be pretty safe...
> > > > Then I switched to FreeBSD and after a port-upgrade
> > > > installed the new version of
> > > > firefox. Then firefox wouldn't work any more.
> > > >
> > > > In both cases I had no clue what had changed, or how
> > > > to undo it.
> > > >
> > > > Hence my original question. I think starting over
> > > > with OpenBSD will be
> > > > worth it. But I'm trying to decide on a good way to
> > > > set up backups
> > > > rig
filesystem snapshots?
Is mksnap_ffs(8) from FreeBSD available in OpenBSD? (It allows taking
a snapshot of a filesystem.)

It seems not available as far as I can tell. Are there plans?

Stephan
Re: filesystem snapshots?
Is there something usable right now?

Stephan

On 5/24/05, Pedro Martelletto <[EMAIL PROTECTED]> wrote:
> On Tue, May 24, 2005 at 11:03:25AM -0700, Stephan Wehner wrote:
> > Is mksnap_ffs(8) from FreeBSD available in OpenBSD?
>
> nope
>
> > Are there plans?
>
> yup
>
> -p.
Re: djbdns DNS server? Status, Pros and Cons?
Is it not just a license problem that keeps djbdns out of the BSD's ?

If it wasn't pretty secure it would be well known; there is a "djbdns
security guarantee", http://cr.yp.to/djbdns/guarantee.html

Stephan

On 5/24/05, Anders Jvnsson <[EMAIL PROTECTED]> wrote:
> Hello folks.
> I recently bought a very good book: Mastering FreeBSD and OpenBSD security
> They have a chapter dealing with DNS servers and there they mention
> djbdns, they think it has some strong points so I am somewhat curious
> about if anybody out there has any viewpoint about using this instead of
> BIND, especially since the last version djbdns I found was from 2001??!
> I can't believe that it is so good that there is no need to patch it now
> and then?
"Desktop" chrooted
Does it make sense to run the "Desktop" (e.g., X11 / Gnome / clients)
chroot'ed? Non-technical users can live without all the rest.

Stephan
Re: djbdns DNS server? Status, Pros and Cons?
The OP was unsure about the quality of djbdns.

By "just" I meant that if the license allowed, it would be included,
at least in ports. That's my guess.

Stephan

On 5/24/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > Is it not just a license problem that keeps djbdns out of the BSD's ?
>
> "just"
>
> That word really does not belong there. That's a phrase used in English
> often used to express how small a problem is.
>
> It is not a small problem. It is fatal.
Re: "Desktop" chrooted
> Please don't reply to a message when starting a new thread.

Ok.

> What problem are you trying to solve? If the user is chrooted into the
> home directory, what programs would they run?

No, I had in mind all home directories set below an extra root:
/separate/usr/... /separate/etc... and /separate/home/...

What programs? I was thinking of all programs usually accessible
through desktop systems. (Word Processing, Web, Mail, Chat, Scanning,
Music--all that non-technical users run nowadays)

It struck me there may be only little overhead (file duplication,
shared libraries, etc), but then no GUI exploit could get to the rest
of the system. The rest of the system may then be in a better position
to monitor the "Desktop" environment. (Maybe it is possible to arrange
that the chroot environment has not even a root account).

Mainly I'm worried about running a lot of user applications which
connect to the Internet. But I can't estimate the overhead.

Stephan

On 5/24/05, Steve Shockley <[EMAIL PROTECTED]> wrote:
> Stephan Wehner wrote:
> > Does it make sense to run the "Desktop" (e.g., X11 / Gnome / clients)
> > chroot'ed? Non-technical users can live without all the rest.
>
> Please don't reply to a message when starting a new thread.
>
> What problem are you trying to solve? If the user is chrooted into the
> home directory, what programs would they run?