Re: no default httpd.conf?

2018-05-17 Thread Vadim Zhukov
On 17 May 2018 at 5:50:16 GMT+03:00, justina colmena wrote:
>I just recently installed OpenBSD 6.3, and I was looking for an example
>httpd.conf, but I did not find one. The manual page does document
>more or less how to create one, but there still appears to be some lack
>of ease and safety putting up a basic web page with dynamic content (I
>am most used to PHP and PostgreSQL for that purpose, but of course
>there are many options that more or less replace the ubiquitous "LAMP"
>or "Linux/Apache/MySQL/PHP" stack).
>
>Now there is nothing in OpenBSD's httpd really like Apache's "UserDir"
>directive. Of course the real user directory has to dwell somewhere in
>the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of
>course, is wildcard subdomains, but those do not really cooperate all
>that well with https, dnssec, or caa records, or with certain other
>general goals of security.
>
>The other thing I am curious about is something like "su-php" which
>appears to be deprecated and outdated. So, assuming some sort of
>UserDir
>scenario, (probably more sophisticated than my very basic one I
>have hacked together below,) does php-fpm have a way to prevent one
>user's malicious php script from reading another user's database
>access credentials?
>
>%<
># /etc/httpd.conf for amarillo.colmena.biz
>
>server "default" {
>    listen on * port 80
>    listen on :: port 80
>    listen on * tls port 443
>    listen on :: tls port 443
>    tls certificate "/etc/ssl/fullchain.pem"
>    directory index index.php
>    location "/.well-known/acme-challenge/*" {
>        root "/acme"
>        root strip 2
>    }
>    location match "/~justina/.*%.php" {
>        root "/justina"
>        root strip 1
>        fastcgi socket "/run/php-fpm.sock"
>    }
>    location "*.php" {
>        fastcgi socket "/run/php-fpm.sock"
>    }
>    location "/~justina/*" {
>        root "/justina"
>        root strip 1
>        directory auto index
>    }
>    location "/~justina" {
>        block return 301 "/~justina/"
>    }
>}
>types {
>    include "/usr/share/misc/mime.types"
>}

Did you ever look in /etc/examples?

OpenBSD httpd is a web server, but not every web server is a fully-featured Apache
HTTP Server replacement. So, yes, no UserDir. If you need this functionality,
then just install apache-httpd from packages.

Regarding su-php, I'd go with a per-user php-fpm process, actually; that's much
safer, and rarely used ones can easily wait in swap (I feel that you're trying
to pack as many users as possible). You can even use symlinks to create, e.g.,
/etc/rc.d/phpXY_fpm_USER1, /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up
different flags like "-u USER1" for those in rc.conf.

-- 
  WBR,
Vadim Zhukov



Re: no default httpd.conf?

2018-05-17 Thread Vadim Zhukov
2018-05-17 14:26 GMT+03:00 Stuart Henderson :
> On 2018-05-17, Vadim Zhukov  wrote:
>> On 17 May 2018 at 5:50:16 GMT+03:00, justina colmena
>> wrote:
>>
>> Regarding su-php, I'd go with a per-user php-fpm process, actually;
>> that's much safer, and rarely used ones can easily wait in swap (I
>> feel that you're trying to pack as many users as possible). You
>> can even use symlinks to create, e.g., /etc/rc.d/phpXY_fpm_USER1,
>> /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up different flags
>> like "-u USER1" for those in rc.conf.
>
> No need to run multiple copies of php-fpm yourself, it handles multi
> uid itself. Various ways to handle chroot as well, you can chroot them
> separately, or use a shared chroot and rely on permissions. This should
> give you some ideas:
>
> [global]
> error_log = syslog
> syslog.facility = daemon
> log_level = notice
>
> [www]
> user = www
> group = www
> listen = /var/www/run/php-fpm.sock
> listen.owner = www
> listen.group = www
> listen.mode = 0600
> pm = dynamic
> pm.max_children = 20
> pm.start_servers = 2
> pm.min_spare_servers = 1
> pm.max_spare_servers = 3
> chroot = /var/www
>
> [web1]
> user = _web1
> group = _web1
> listen = /var/www/run/php-fpm-web1.sock
> listen.owner = www
> listen.group = www
> listen.mode = 0600
> pm = dynamic
> pm.max_children = 20
> pm.start_servers = 2
> pm.min_spare_servers = 1
> pm.max_spare_servers = 2
> chroot = /var/www
> env[TMP] = /var/www/web1/tmp
> env[TMPDIR] = /var/www/web1/tmp

Now that breakfast is gone I start to think you (and Josh earlier) are
right: a single php-fpm process should be fine. :)

--
  WBR,
  Vadim Zhukov
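Both threads above come down to the same control: one php-fpm pool per user, each pool running as its own uid, with per-user directories that the other pools' uids cannot read (Stuart's "shared chroot and rely on permissions"). The script below is an added example, not code from this thread or from OpenBSD: it prints the pool stanza a new user needs, in the style of the configuration quoted above, and audits the directory ownership and mode that the shared-chroot approach depends on. The _USER account names, the www group, the /var/www chroot, the open_basedir line and the pools.sh file name are this example's assumptions.

```shell
#!/bin/sh
# Audit helper for the "shared /var/www chroot, one php-fpm pool per
# user" layout. Each pool runs as its own uid (_web1, _web2, ...), so
# the only thing between user A's PHP code and user B's config.php is
# the ownership and mode of B's directory. This checks exactly that and
# prints the pool stanza a new user needs. (Added example; the account
# naming, group and paths are assumptions, not OpenBSD defaults.)
set -u

WWWROOT="${WWWROOT:-/var/www}"   # shared httpd and php-fpm chroot (assumption)

# pool_conf USER: print a php-fpm pool stanza for USER. The _USER
# account, the www group and the socket path follow the thread above;
# open_basedir is this example's addition.
pool_conf() {
    u=$1
    cat <<EOF
[$u]
user = _$u
group = _$u
listen = $WWWROOT/run/php-$u.sock
listen.owner = www
listen.group = www
listen.mode = 0600
chroot = $WWWROOT
; paths below are relative to the chroot
php_admin_value[open_basedir] = /$u
env[TMP] = /$u/tmp
env[TMPDIR] = /$u/tmp
EOF
}

# check_pool_dir DIR OWNER: succeed only when DIR exists, is owned by
# OWNER and has no "other" bits set, so a PHP process running as a
# different pool's uid cannot list or read it.
check_pool_dir() {
    dir=$1 owner=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")      # mode links owner group ...
    [ "$3" = "$owner" ] || return 1
    case $1 in
        ???????---*) return 0 ;;  # mode string positions 8-10: other rwx
        *)           return 1 ;;
    esac
}

# audit_pools ROOT USER...: check ROOT/USER for every USER; the owner is
# expected to be "${POOL_USER_PREFIX}USER" (prefix "_" by default).
# Prints one line per pool and returns the number of failing pools.
audit_pools() {
    root=$1; shift
    bad=0
    for u in "$@"; do
        if check_pool_dir "$root/$u" "${POOL_USER_PREFIX-_}$u"; then
            echo "ok   $root/$u"
        else
            echo "FAIL $root/$u: must be owned by ${POOL_USER_PREFIX-_}$u with mode 0750 or tighter"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage: sh pools.sh web1 web2   (audits $WWWROOT/web1 and $WWWROOT/web2)
if [ $# -gt 0 ]; then
    audit_pools "$WWWROOT" "$@"
fi
```

Run as `sh pools.sh web1 web2` on the server; a FAIL line means another pool's PHP code can read that user's files, which is exactly the credential leak justina asked about. With separate chroots per pool (the other option Stuart mentions) the same check applies to each chroot directory instead.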



Re: Viewport for man.openbsd.org -- readability on phones

2018-05-17 Thread Vadim Zhukov
If you REALLY want something like we had, without JS and non-standard
features, you can try something like:

@media screen and (min-width: 1000px) {
    html { max-width: 100ex }
    html { max-width: 80ch }
}

@media queries are a long-standing feature and should just work.
The "ch" unit isn't supported by IE <=8 and Opera <=20, so if you really
care, you can use a doubled declaration: this way browsers that don't
support "ch" will use the old "ex". Using "ex" for specifying width is
ugly and it probably should be something like "65em" instead anyway...

--
  WBR,
  Vadim Zhukov


2018-05-18 4:08 GMT+03:00 Ingo Schwarze :
> Hi Ken,
>
> Ken M wrote on Thu, May 17, 2018 at 08:50:53PM -0400:
>
>> I will probably have to duck and run
>> for suggesting javascript as the answer here...
>
> Precisely.  :)
>
>> But for the most part the modern industry standard to make pages
>> scale well across many devices and screen orientations is to use
>> a responsive design library, most notably bootstrap.
>
> We are talking about a simplistic one-column layout here,
> and avoiding that kind of bloat (in particular javascript)
> is among the top four design goals, together with support
> for hyperlinks, support for semantic annotations, and avoiding
> gratuitous presentational differences when compared to terminal
> output (just to avoid misunderstandings, not every difference
> is gratuitous: for example, terminals naturally use fixed-width
> fonts, HTML naturally uses proportional fonts).
>
> But no, javascript is an even worse suggestion than the
> original idea of "meta viewport".
>
> Yours,
>   Ingo
>



Re: OpenBSD snapshot at EFI: no micro :(

2018-06-03 Thread Vadim Zhukov
On 4 June 2018 at 2:42:21 GMT+03:00, Leonid Bobrov wrote:
>Additional output:
>
>mazocomp$ cat > /dev/audio < /dev/zero &   
>   
>[1] 68006
>mazocomp$ audioctl play.{bytes,errors}
>play.bytes=1251840
>play.errors=0
>mazocomp$ audioctl play.{bytes,errors} 
>play.bytes=1724160
>play.errors=0
>mazocomp$ audioctl play.{bytes,errors} 
>play.bytes=2807040
>play.errors=0
>mazocomp$ kill %1
>mazocomp$ fg %1
>cat > /dev/audio < /dev/zero 
>Terminated 
>mazocomp$ mixerctl -v
>inputs.dac-0:1_mute=off  [ off on ]
>inputs.dac-0:1=222,222 
>inputs.dac-2:3_mute=off  [ off on ]
>inputs.dac-2:3=222,222 
>inputs.beep=108 
>record.adc-0:1_source=mic2  [ mic2 mic ]
>record.adc-0:1_mute=off  [ off on ]
>record.adc-0:1=126,126 
>record.adc-2:3_source=mic  [ mic mic2 mix ]
>record.adc-2:3_mute=off  [ off on ]
>record.adc-2:3=126,126 
>inputs.mix_source=dac-0:1,dac-2:3  { dac-0:1 dac-2:3 }
>inputs.mix_dac-0:1=126,126 
>inputs.mix_dac-2:3=126,126 
>outputs.hp_source=dac-0:1  [ dac-0:1 dac-2:3 ]
>outputs.hp_boost=off  [ off on ]
>outputs.spkr_source=dac-2:3  [ dac-0:1 dac-2:3 ]
>inputs.mic=255,255 
>outputs.mic_dir=input-vr80  [ none input input-vr80 ]
>inputs.mic2=255,255 
>outputs.mic2_dir=input-vr80  [ none input input-vr80 ]
>outputs.hp_sense=unplugged  [ unplugged plugged ]
>outputs.mic_sense=unplugged  [ unplugged plugged ]
>outputs.spkr_muters=hp  { hp }
>outputs.master=255,255 
>outputs.master.mute=off  [ off on ]
>outputs.master.slaves=dac-0:1,dac-2:3  { dac-0:1 dac-2:3 beep }
>record.enable=sysctl  [ off on sysctl ]
>mazocomp$

It's a new sysctl, kern.audio.record=0, and there's also a per-device mixer
knob called record.enable.

Microphone, and any other audio recording, is now disabled by default.

This is probably worth noting in current.html...
-- 
  WBR,
Vadim Zhukov



Re: "no route to host" from pkg_add

2018-08-07 Thread Vadim Zhukov
On Tue, 7 Aug 2018 at 21:16, Benjamin Walkenhorst <
walkenhorst.benja...@gmail.com> wrote:

> Hello everyone,
>
> I recently installed OpenBSD 6.3 in a VPS.
>
> In the last few days, I get an error message when running pkg_add, "no
> route to host".
> I have tried setting various hosts in /etc/installurl, but the problem
> remains.
>
> When I run pkg_add, this is the output I get:
> [20:02|root@myhost:~]# pkg_add nmap
> https://fastly.cdn.openbsd.org/pub/OpenBSD//6.3/packages-stable/amd64/:
> ftp: connect: No route to host
> https://fastly.cdn.openbsd.org/pub/OpenBSD//6.3/packages/amd64/: ftp:
> connect: No route to host
> https://fastly.cdn.openbsd.org/pub/OpenBSD//6.3/packages/amd64/: empty
> Can't find nmap
>
> When I try to ping the host specified in /etc/installurl or call
> traceroute, everything seems to work as expected.
>
> I checked the output of /usr/bin/env to make sure there is no proxy
> configured
> (I copied that .zshrc around quite a bit), but as far as I can tell,
> there are no proxies set up anywhere in
>  the environment (i.e. the output of "env | grep -i proxy" is empty).
>
> I have two systems (one laptop and one VM) running OpenBSD 6.3 on my home
> network, and they work fine, so I
> am fairly certain the problem is with the configuration of the VPS.
>
> What am I missing?
>
> Thank you very much for any suggestions,
> Benjamin
>

Most likely, you didn't allow outgoing connections for _pkgfetch user in
pf.conf.


Re: httpd with multiple php-fpm pools in separate chroots

2019-12-29 Thread Vadim Zhukov
I have a setup like the one below working for me, with base httpd and the php-7.3
package. I have a PHP web app installed into the /var/www/webapp directory,
with the 'web' subdirectory serving as HTTP root, and I only want to
handle request paths starting with '/api' here.

The /etc/httpd.conf:

server "my.server" {
    listen on * port 80
    location "/api/*" {
        root "/webapp/web"
        directory index "index.php"
        fastcgi socket "/run/php-webapp.sock"
    }
}

And the PHP FastCGI conf snippet:

[webapp]
user = $pool
group = $pool
listen = /var/www/run/php-$pool.sock
listen.owner = www
listen.group = www
listen.mode = 0660

chroot = /var/www/$pool

On Sun, 29 Dec 2019 at 02:21, Nazar Zhuk wrote:
>
> Hello,
>
> I am trying to run multiple PHP sites, each in its own chroot:
> /var/www/site1, /var/www/site2, etc. Document roots are
> /var/www/siteX/htdocs.
>
> The issue is that fastcgi DOCUMENT_ROOT and SCRIPT_FILENAME generated by
> httpd are relative to httpd chroot and include /siteX. php-fpm can't
> find scripts.
>
> I tried to change DOCUMENT_ROOT and SCRIPT_FILENAME with "fastcgi
> param". This works for DOCUMENT_ROOT, but for SCRIPT_FILENAME, I need to
> pass the actual script name.
>
> Conceptually I need:
>
> fastcgi param SCRIPT_FILENAME "/htdocs/"
>
> Built-in macros like in "block return" and "request rewrite" don't work
> here.
>
> I can make this work with a single php file like this:
>
> server "site1" {
>  listen on * port 80
>  root "/site1/htdocs"
>  location "*.php" {
>  fastcgi param DOCUMENT_ROOT "/htdocs"
>  fastcgi param SCRIPT_FILENAME "/htdocs/test.php"
>  fastcgi socket "/site1/run/php-fpm.sock"
>  }
> }
>
> This will serve http://site1/test.php which is located at
> /var/www/site1/htdocs/test.php
>
> Is there a solution or a workaround? Aside from running all php-fpm
> pools in /var/www chroot?
>
>
> Thanks.
>
> --
> Nazar
>


-- 
  WBR,
  Vadim Zhukov
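The mismatch Nazar describes follows from two facts: httpd builds SCRIPT_FILENAME from the chroot-relative "root" plus the request path, and php-fpm prepends its own "chroot =" to whatever it receives. The script below is an added example, not part of this thread, that computes both paths for a candidate configuration so the layout can be checked before php-fpm fails to find the script. The function names and the fpmpath.sh file name are this example's assumptions; the paths in the usage line are the ones from Nazar's message.

```shell
#!/bin/sh
# Dry-run check for httpd(8) + php-fpm chroot layouts: given the httpd
# chroot, the "root" from httpd.conf, the pool's "chroot =" and a
# request path, compute what httpd sends as SCRIPT_FILENAME and which
# file on disk php-fpm will open, and flag a mismatch before deploying.
# (Added example; it models the behaviour described in the thread.)
set -u

# join A B: A/B without a doubled slash
join() { printf '%s/%s\n' "${1%/}" "${2#/}"; }

# script_filename HTTPD_ROOT REQUEST_PATH
# httpd builds SCRIPT_FILENAME from its (chroot-relative) root and the
# request path; the chroot prefix itself is never included.
script_filename() { join "$1" "$2"; }

# fpm_path FPM_CHROOT SCRIPT_FILENAME
# php-fpm resolves SCRIPT_FILENAME inside its own chroot.
fpm_path() { join "$1" "$2"; }

# check_layout HTTPD_CHROOT HTTPD_ROOT FPM_CHROOT REQUEST_PATH
# Returns 0 when the file php-fpm opens is the file httpd meant.
check_layout() {
    sf=$(script_filename "$2" "$4")      # what httpd sends
    want=$(join "$1" "$sf")              # where the script really lives
    got=$(fpm_path "$3" "$sf")           # what php-fpm will open
    if [ "$got" = "$want" ]; then
        printf 'ok   %s -> %s\n' "$sf" "$got"
        return 0
    fi
    printf 'FAIL %s: php-fpm opens %s, file is at %s\n' "$sf" "$got" "$want"
    return 1
}

# Usage: sh fpmpath.sh /var/www /site1/htdocs /var/www/site1 /test.php
if [ $# -eq 4 ]; then
    check_layout "$@"
fi
```

With Nazar's layout (httpd chroot /var/www, root "/site1/htdocs", pool chroot /var/www/site1) the check fails because php-fpm ends up opening /var/www/site1/site1/htdocs/test.php; with the pool chrooted to /var/www, as in the configuration at the top of this message, the two paths agree.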



Re: "# systrace -c1000:1000 kate" for privilege escalated editing?

2015-12-02 Thread Vadim Zhukov
On 3 Dec 2015 at 4:27, "Luke Small" wrote:
>
> I want to be able to use systrace for privilege escalation for kompare for
> sysmerge diffs and kate. Why isn't systrace able to do this?

Because no one has written a systrace policy for Kate and Kompare (for your
installation and user) yet? That's without mentioning that it would be hard
to restrict those applications correctly: they use a lot of system
resources just by being nice KDE apps.

That being said, I wouldn't expect many security problems in Kompare itself.
Kate is more complex, but still doesn't run in a terminal. Thus Kompare and
Kate are not likely to be hurt by some crazy escape codes in patch files.
Anything else lies outside the usage profile you're talking about, if I
understood you correctly.

--
Vadim Zhukov



Re: rc.d and rtable

2016-01-28 Thread Vadim Zhukov
On 27 Jan 2016 at 21:29, "Jiri B" wrote:
>
> On Wed, Jan 27, 2016 at 01:40:14PM +0100, Antoine Jacoutot wrote:
> > On Wed, Jan 27, 2016 at 06:47:57AM -0500, Jiri B wrote:
> > > Would it be worth to extend rc.d for rtable knobs?
> > >
> > > - daemon_rtable varible
> > > - rc_* functions (route exec, pgrep/pkill -T $rtable...)
> > >
> > > Or are routing tables not much used thus not worth to make
> > > rc.d more complicated?
> >
> > There has been several discussions about this. No decision made though.
> > If you can find a nice way to implement it, I can have a look.
>
> rc.d framework is so nice... not sure if this is nice way but it
> works. Maybe check for existing rtable is not great.

The code looks more or less fine (I'll do a more careful review a bit
later), but there are documentation bits missing.

--
Vadim Zhukov



Re: Why would you use make show rather than make -V in ports?

2017-12-22 Thread Vadim Zhukov
2017-12-23 1:57 GMT+03:00 Thomas Levine <_...@thomaslevine.com>:
> The normal port Makefile includes this "show" target.
>
>   $ grep -A3 ^show: /usr/ports/infrastructure/mk/bsd.port.mk
>   show:
>   .for _s in ${show}
>   @echo ${${_s}:Q}
>   .endfor
>
> Why would one use it rather than make -V?

The "show" target gives you the expanded value, whereas -V gives the raw one. Just assign
"foo=$bar" in a Makefile and see what happens in both cases.

--
  WBR,
  Vadim Zhukov



Re: Another potential ksh bug?

2020-12-07 Thread Vadim Zhukov
For me, this is a definite bug. I've given this bug to my students to fix,
so unless there's a hurry, there should be a fix by the end of
December. :)

On Mon, 7 Dec 2020 at 07:43, Jordan Geoghegan wrote:
>
> Hello again,
>
> I was playing around with ksh array syntax and its behaviour when set as
> read-only. In my testing I noticed that ksh will allow you to overwrite
> the first element of a read-only array. Example snippet:
>
> #!/bin/ksh
> arr[0]=val1
> arr[1]=val2
> readonly arr
> echo "${arr[@]}"
> arr=yikes
> echo "${arr[@]}"
>
> I tested a few other shells, and this bug does exist in the original
> pdksh and is also present in zsh. This bug is not present in ksh93, mksh
> or bash, where they abort when trying to modify the read-only array.
>
> I don't have access to a proper ksh88 shell, but it would be nice if
> someone could confirm its behaviour.
>
> I was just hoping someone could confirm if this is intended behaviour,
> or if it's a bug.
>
> Regards,
>
> Jordan
>


-- 
  WBR,
  Vadim Zhukov



Re: Problem with a startup script

2013-05-22 Thread Vadim Zhukov
On 22.05.2013 at 10:19, "C. L. Martinez" wrote:
>
> Hi all,
>
>  I have a problem with some tcl rc.d startup scripts. Start and status
> works ok but stop and restart, doesn't.

Stupid question: does it stop if you kill it by pid directly? I've seen at
least one daemon so far that ignores SIGTERM...

>  Script:
>
> #!/bin/sh -x
> #
> # $OpenBSD: suricata_proxyin_agent,v 1.0
>
> daemon="/usr/local/bin/suricata_proxyin_agent.tcl"
> daemon_flags="-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D"
>
> . /etc/rc.d/rc.subr
>
> pexp="/usr/local/bin/tclsh8.5 $daemon"
>
> rc_cmd $1
>
> I have tried several variants like to insert rc_stop specific option
> or changing pexp to "/usr/local/bin/tclsh8.5 $daemon $daemon_args"
> without luck.
>
> Debugging script, acts as like the other system startup scripts:
>
> .
>
> + echo NO
> + : NO
> + [ XNO = XYES ]
> + echo NO
> + : NO
> + domainname
> + [ X != X -a -d /var/yp/binding ]
> + echo NO
> + : NO
> + : NO
> + [ -n /usr/local/bin/suricata_proxyin_agent.tcl ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename ./suricata_proxyin_agent
> + _name=suricata_proxyin_agent
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/suricata_proxyin_agent
> + eval _rcflags=${suricata_proxyin_agent_flags}
> + _rcflags=
> + eval _rcuser=${suricata_proxyin_agent_user}
> + _rcuser=
> + getcap -f /etc/login.conf suricata_proxyin_agent
> + > /dev/null
> + 2>&1
> + [ -z  ]
> + daemon_class=daemon
> + [ -z  ]
> + daemon_user=root
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + printf  %s -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
> + daemon_flags= -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
> + daemon_flags=-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
> + readonly daemon_class
> + unset _rcflags _rcuser
> + pexp=/usr/local/bin/suricata_proxyin_agent.tcl -c
> /data/config/etc/sguil/suricata_proxyin_agent.conf -D
> + rcexec=su -l -c daemon -s /bin/sh root -c
> + pexp=/usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl
> + rc_cmd stop
>
> root@nsm10:/usr/local/etc/rc.d# ps xa |grep suricata_proxyin_agent.tcl
> | grep -v grep
> 17486 p2- I   0:00.29 /usr/local/bin/tclsh8.5
> /usr/local/bin/suricata_proxyin_agent.tcl -c
> /data/config/etc/sguil/suricata_proxyin_agent.conf -D
>
> Any idea why process is not stopped??



Re: extattr on OpenBSD

2013-06-06 Thread Vadim Zhukov
2013/6/7 Ted Unangst 

> On Thu, Jun 06, 2013 at 03:40, Jiri B wrote:
> > As now FUSE is in the tree, is there a plan to resuscitate
> > extattr on OpenBSD, so some filesystems in usespace could
> > work or benefit from it? I'd like to see to be able to access
> > glusterfs for example which uses extattr for its own metadata.
>
> I don't think so.
> Too many tools remain unaware of them, causing attributes to get
> stripped off doing rather mundane operations.
>
>
Samba 4 may also use extattr to save some network-share-specific
information, so this could be really useful in that case. But not for
generic use, of course - and adding bloat to the kernel just for the sake of
compatibility with other OSes... oh, we already have the Linux ABI, don't we? :)

--
  WBR,
  Vadim Zhukov



Re: /var/cache/fontconfig ??

2013-06-09 Thread Vadim Zhukov
2013/6/9 Otto Moerbeek 

> On Sun, Jun 09, 2013 at 10:10:06AM +0100, Jason McIntyre wrote:
>
> > On Sun, Jun 09, 2013 at 05:06:01AM -0400, Jiri B wrote:
> > > >Sorry but this seems to bizzare to make 'cache' appropriate
> > > >subdir in /var just because of one specific tool. Wouldn't be
> > > >better to customize it to use /var/db/fontconfig?
> > >
> > > Ahh, on other machine there's also 'cups' and 'libvirt' :)
> > >
> > > jirib
> >
> > in that case my diff is definitely wrong. so i need a general
> > description of what /var/cache is for.
> >
> > jmc
>
> A cache holds stuff that is relatively expensive to recompute. If the
> data is thrown away, it can be regenerated.
>

Is there any real difference from a subdir under /var/tmp then?

--
  WBR,
  Vadim Zhukov



Re: slashdot rumours

2013-11-01 Thread Vadim Zhukov
On 01.11.2013 at 12:58, "Marko Cupać" wrote:
>
> I just read an article on slashdot which says that a piece of
> malware made "Open BSD operating system (...) modify its
> settings and delete its data without explanation or prompting", and
> that malware is spreading over microphone and speakers.
>
> Is this just some kind of negative publicity on a day of OpenBSD 5.4
> release, or there is something to it?

Yes, there is. I should add that it does not require microphones for
spreading, ever. You need just to type blindly what your friend says.



Re: Only one headphone jack working - good or bad?

2009-01-06 Thread Vadim Zhukov
On 7 January 2009 at 00:39:58 Jacob Meuser wrote:
> On Tue, Jan 06, 2009 at 09:29:37PM +, Jacob Meuser wrote:
> > this was deep into another thread, so I'm reposting so it will be
> > seen by more people (hopefully).
> >
> > so azalia users please let your voice be heard.  would you find it
> > annoying when playing *only* mono or stereo to have all outputs play
> > the audio, or would you like that?
>
> let me clarify a little.  the output jacks would still be mutable as
> they are now, but they would be getting the mono or stereo stream.
>
> I can see this being both useful and also annoying, so I'm asking what
> others' opinions are.

For me, having mono/stereo output on all jacks looks better:
if you have >=4 speakers then all of them will play when, for
example, watching stereo-only video. And this will not differ much from
all those 4-5-6... channel videos. Otherwise it will require too
much work every time you want to play something: you will have to check
the number of sound channels in the clip and, possibly, play with your
video player or aucat(1) options. A much harder and less obvious way than
just muting/unmuting, IMHO.

--
  Best wishes,
Vadim Zhukov



gmake "write error" and possible solution

2009-01-06 Thread Vadim Zhukov
Hello all.

Putting this on the misc@ list because it looks like it is not a port problem
itself.

Recently I have started running (too) often into GMake's "write error" problem. It
was reported some time ago here with no result. And after some more
digging I found this commit in DragonFlyBSD:

http://www.mail-archive.com/commits%40crater.dragonflybsd.org/msg02534.html

> Log:
> Do not set O_NONBLOCK on a threaded program's descriptors any more. 
> Instead, use the new system calls to directly issue non-blocking I/O. 
> Additionally, force blocking I/O for debug output.
>
> This partly solves the problem of programs such as bmake or gmake
> fork/exec'd children which happen to be threaded.  The children would
> set O_NONBLOCK on e.g. stdin, stdout, and stderr, resulting in
> unexpected operation if the unrelated parent program tries to issue a
> read or write.
>
> Solves: gmake 'write error' problem

Can anyone experienced comment on this, please?

-- 
  Best wishes,
Vadim Zhukov



Re: newbie - migrating - home drive, UIDs, and etc/group, and such

2009-01-10 Thread Vadim Zhukov
On 11 January 2009 at 06:46:59 Ted Unangst wrote:
> On Sat, Jan 10, 2009 at 5:27 PM, Jim Barchuk  wrote:
> > /dev/wd1j   /home-b ext2fs  rw,nodev,nosuid 1 2
> > /dev/wd0i   /400ext2fs  rw,nodev,nosuid 1 2
> >
> > Sounds good?
>
> I would not recommend using ext2fs for long term storage.  It's fine
> for migration, but not intended to be a primary store.
>
> > Would it be 'better' to migrate /etc/passwd as described in
> > http://openbsd.rt.fm/faq/faq9.html#passwd, which I have already
> > built files for but not installed, or should I adduser them all from
> > scratch and let the system take care of UIDs and groups.
>
> Certainly, you are less likely to screw anything up by running adduser
> a few times compared to trying a bulk update, but then the user IDs
> aren't likely to match the ones on disk and fixing that later may pose
> trouble (wrong permissions).  But at least the system is always likely
> to work.  Messing with master.passwd yourself (by forgetting a > in

You can specify exact UIDs for each user you create with adduser.
Problems only arise when existing (old) UIDs or GIDs interfere
with (new) system ones. And even in this case something like this will
do the job:

 set -e
 cd /home
 for U in alex joe paul; do
   # numeric owner and group of the old home directory (ls -n)
   set -- `ls -nld $U`
   OLDUID=$3
   OLDGID=$4
   # create the group first and make it the user's primary group,
   # otherwise id -g returns the default group from usermgmt.conf
   groupadd $U
   useradd -g $U $U
   NEWUID=`id -u $U`
   NEWGID=`id -g $U`
   # find's -user/-group accept numeric IDs that no longer map to a name;
   # chgrp (not chown) for the group pass, as a bare number to chown sets the owner
   find $U -user $OLDUID -print0 | xargs -0r chown $NEWUID
   find $U -group $OLDGID -print0 | xargs -0r chgrp $NEWGID
 done

--
  Best wishes,
Vadim Zhukov



Re: Netscape Enterprise-Server under BSD License

2009-01-17 Thread Vadim Zhukov
On 17 January 2009 at 11:01:28 Sebastian Rother wrote:
> Related to a Blog entry I stumbled over (which can be found here:
> http://krow.livejournal.com/630580.html) the Netscape Enterprise
> Server was re-licensed by SUN under the BSD license.
>
> The Project-Website at sun can be found here if I am not wrong:
> http://blogs.sun.com/jyrivirkki/date/20090113
>
> So the webserver seems to be more free than Apache.
> Maybe it can replace Apache (in the base system) some day or somebody
> likes to make a port.

http://wikis.sun.com/display/wsFOSS/Build+Instructions

Personally I don't think that, for example, nspr will ever find its way
into base..

--
  Best wishes,
Vadim Zhukov



Re: Apache file upload

2009-01-22 Thread Vadim Zhukov
On 22 January 2009 at 16:26:08 pcnico...@freesurf.fr wrote:
> Hi
>
> I need a very simple web page to upload files on my Apache web server.
> I found some cgi script like this one
> http://www.raditha.com/megaupload/ but I always face "internal server
> error" message.

Did you look at the logs in /var/www/logs?

> Did anyone done some like that ?

See the code at the end of the letter. I'm using such a page myself,
secured by HTTP authorization, so there are not so many security
and reliability checks in the code. You need to install the
php5-core package, of course.

--
  WBR,
Pereresus ne Vlezaet Buggy



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
    "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <title>File download page</title>
</head>
<body>
  <h1>File uploading</h1>
<?php
/* Only act on a real upload: size check plus is_uploaded_file(), so a
   forged tmp_name cannot make the script rename an arbitrary file. */
if (isset($_FILES['userfile']) && $_FILES['userfile']['size'] > 0 &&
    $_FILES['userfile']['tmp_name'] != '' &&
    is_uploaded_file($_FILES['userfile']['tmp_name'])) {
	/* basename() strips any directory part from the client-supplied name */
	$basename = basename($_FILES['userfile']['name']);
	$t = time();
	/* all paths are relative to the httpd chroot, /var/www */
	$newname = '/upl/files/'.$t.'_'.$basename;
	if (rename($_FILES['userfile']['tmp_name'], $newname)) {
		chmod($newname, 0644);
		echo '<p>File '.htmlspecialchars($basename).
		    ' uploaded successfully!</p>';
		/* hard link into the document root so httpd can serve the file */
		$linkpath = '/dnl/auto/'.$t.'_'.$basename;
		if (link($newname, '/htdocs'.$linkpath)) {
			$url = 'http://'.$_SERVER['SERVER_NAME'].$linkpath;
			echo '<p>File can be downloaded via link: <a href="'.
			    htmlspecialchars($url).'">'.htmlspecialchars($url).'</a></p>';
		} else {
			$linkFailed = 1;
			echo '<p>For downloading the file please ask the '.
			    'administrator.</p>';
		}
	} else {
		$renameFailed = 1;
		echo '<p>Sorry, server error occurred. Please try again '.
		    'later.</p>';
	}

	/* notify the administrator by mail, using PEAR Net_SMTP */
	require 'Net/SMTP.php';

	$host = 'mail.my.domain';
	$subj = "Subject: New file uploaded\r\n";
	$body = "New file\r\n$basename\r\n".
	    "can be found in /upl/files/ directory.\r\n";
	if (isset($renameFailed))
		$body .= "ERROR: failed to move uploaded file\r\n";
	if (isset($linkFailed))
		$body .= "WARNING: failed to create hard link in ".
		    "/htdocs/dnl/auto\r\n";

	if (($smtp = new Net_SMTP($host))) {
		if (!PEAR::isError($smtp->connect())) {
			if (!PEAR::isError($smtp->mailFrom('w...@my.domain'))) {
				if (!PEAR::isError($smtp->rcptTo('ad...@my.domain'))) {
					$smtp->data($subj . "\r\n" . $body);
				}
			}
			$smtp->disconnect();
		}
	}
}
?>
  <form method="post" action="" enctype="multipart/form-data">
    <p>
      File:
      <input type="file" name="userfile">
      <input type="submit" value="Upload">
    </p>
  </form>
</body>
</html>

--
  Best wishes,
Vadim Zhukov



5965 fixed

2009-01-28 Thread Vadim Zhukov
Can someone close PR/5965, please? The "autodisabling" of wpi is gone after a
suggestion (sorry, could not find that message now) to update a few
weeks ago (there was some work on wpi(4)). Big thanks to all involved,
BTW. ;)

... Or is there another, better way for such requests?

-- 
  Best wishes,
Vadim Zhukov



Re: (bit)torrent openbsd client

2009-01-28 Thread Vadim Zhukov
On 28 January 2009 at 18:12:06 Mihai Popescu B.S. wrote:
> Hello,
>
> Could you make some suggestion for a good openbsd (bit)torrent client
> with or without GUI ? I know some names, but I want to have some user
> experience presented.
>
> Thanks.

KTorrent has worked well for me for about a year.

Just try and find what best suits your needs:

$ cd /usr/ports && make search key=torrent

--
  Best wishes,
Vadim Zhukov



Re: starting gnome session with gdm as non root

2009-02-19 Thread Vadim Zhukov
On 19 February 2009 at 13:26:24 Moritz Herrmann wrote:
> hi everyone,
> I installed gdm to use gnome in a comfortable way. As root
> I can start gnome by just typing "gdm", and then log in as a user.
> But I dont think this is a right or secure way to use gnome.

It is a (more or less) secure way to use gnome; GDM is intended to be run as
root. But it would be better to start gnome-session, as was suggested
already.

--
  Best wishes,
Vadim Zhukov



Re: OpenBSD AMD64 4.4 install hangs at boot (softraid0 at root) on Intel Q9550, 8GB RAM, 1TB WD

2009-02-19 Thread Vadim Zhukov
On 20 February 2009 at 08:24:28 David Heinrich wrote:
> I am trying to install OpenBSD 4.4 amd64 onto my system. I obtained
> the install CD ISO from
>
> ftp://ftp.openbsd.org/pub/OpenBSD/4.4/amd64/install44.iso
> and
> ftp://ftp.openbsd.org/pub/OpenBSD/4.4/amd64/cd44.iso
>
> (the same thing happens whether I use the full or mini boot CD made
> from those ISO files).
>
> If I boot from the CD, and let the CD auto-boot (or if I start typing
> when prompted with the "boot>" prompt and then type "boot"), it goes
> through the startup messages, and stalls at the "softraid0 at root"
> step. The boot hangs on "Softraid0 at root".
>
> I can't find information on this in the archives, and I have tried
> typing "disable softraid" and searching for how to disable softraid
> with no success. A friend suggested "boot -d" to boot in debugging
> mode, but this didn't give me any debugging options and just went
> through the normal boot, again stalling at softraid0. If this is
> something where the answer is online but I haven't been able to find
> it, please refer me to the site.

You should type "disable softraid" after entering UKC using "boot -c" at
the bootloader prompt. More details on UKC you can find here:
http://www.openbsd.org/cgi-bin/man.cgi?query=config&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html

If the bug is fixed in CURRENT, you can give it a try: I'm sure you'll
soon realize that you want to reinstall OpenBSD due to some errors made
during installation. :)

--
  Best wishes,
Vadim Zhukov



Re: OpenBSD AMD64 4.4 install hangs at boot (softraid0 at root) on Intel Q9550, 8GB RAM, 1TB WD

2009-02-20 Thread Vadim Zhukov
On 20 February 2009 at 09:32:24 Ted Unangst wrote:
> On Fri, Feb 20, 2009 at 1:22 AM, Vadim Zhukov 
wrote:
> > You should type "disable softraid" after entering UKC using "boot
> > -c" at the bootloader prompt. More details on UKC you can find here:
>
> no, he shouldn't because that's not the bug.

David says that in CURRENT the installer works just fine, and in 4.4-RELEASE
it hangs after displaying "softraid0 at root" - what is it if not a bug?

--
  Best wishes,
Vadim Zhukov



Re: OpenBSD AMD64 4.4 install hangs at boot (softraid0 at root) on Intel Q9550, 8GB RAM, 1TB WD

2009-02-20 Thread Vadim Zhukov
On 20 February 2009 at 12:10:51 Otto Moerbeek wrote:
> On Fri, Feb 20, 2009 at 12:05:12PM +0300, Vadim Zhukov wrote:
> > On 20 February 2009 at 09:32:24 Ted Unangst wrote:
> > > On Fri, Feb 20, 2009 at 1:22 AM, Vadim Zhukov 
> >
> > wrote:
> > > > You should type "disable softraid" after entering UKC using
> > > > "boot -c" at the bootloader prompt. More details on UKC you can
> > > > find here:
> > >
> > > no, he shouldn't because that's not the bug.
> >
> > David says that in CURRENT installer works just fine, and in
> > 4.4-RELEASE it hangs after displaying "softraid0 at root" - what is
> > it if not a bug?
>
> Read carefully what tedu says: there is a bug, but it is not in
> softraid.

Sorry, I misunderstood him. Definitely I should learn more living English :(

--
  Best wishes,
Vadim Zhukov



Re: Assistance OpenBSD

2009-02-21 Thread Vadim Zhukov
On 21 February 2009 at 23:17:48 Chris Cooper wrote:
> Hello All,
>
> I hope someone out there has plenty of patience and understanding.  I
> have been playing with open source for a number of years without much
> success.  The closest I have come to success is with Suse 10.2, but it
> is very unstable.  I have mouse freezes, icon disappearances, and at
> times the screen goes negative on me - white becomes black etc.
> I have downloaded PCBSD and DesktopBSD to where I had the desktop, but
> neither would connect to the internet.  And I could delete less from
> these OS than I could from Windows.  The smaller and much more secure
> OpenBSD seemed to fit the bill.  However, I need help.  Nothing I do
> seems to work.  I have five books on FreeBSD and "Absolute OpenBSD" by
> Lucas.  I can do simple stuff like pwd, cd, ls, mnt CD, etc., but I
> cannot pkg_add from the 4.3 CD or run executable files.  What I would
> like to do is add a browser and get on the web.  My computer needs are
> small; 95% of my time is following the markets.  I do not have three
> degrees in computer science, in fact I only have one degree and it is
> in economics.  I do well in the market, but BSD really has me confused.
> I know the OpenBSD community does not like to deal with simpletons like
> myself, but I would appreciate enough help to get me started.  I have
> OpenBSD on my spare HP Pavilion N5250 notebook with an Intel pentium
> CPU but it is not connected to the internet.

Please share as much info as possible about what you did and what you
tried but failed to do with your system, starting from the installation
process.

Please list all errors you encounter and when.

But at first, please, look in the FAQ:
http://www.openbsd.org/faq/

--
  Best wishes,
Vadim Zhukov



Re: get php uptime function out of apache chroot jail?

2009-02-25 Thread Vadim Zhukov
On 25 February 2009 08:51:20 Jerome Santos wrote:
> hello, I want to put a php script in a site on an openbsd 4.2
> webserver. From what I understand because apache is chrooted, a
> function that uses an exec to a system call cannot work.
> i.e.
> <?php
> $s = explode( " ", exec("/var/run/usr/bin/uptime") );
> $a = str_replace( ",", "", $s[3]);
> $uptime = time() - $a;
>
> $days = floor($uptime/60/60/24);
> $hours = $uptime/60/60%24;
> $mins = $uptime/60%60;
> $secs = $uptime%60;
> echo "This server is up " . $days . " days, " .  $hours  . "
> hours, " . $mins . " minutes and " . $secs . "seconds";
>
> ?>
>
> only echoes epoch time, "This server is up 14300 days, 5 hours, 49
> minutes and 24seconds"
>
> any ideas how to fix this?

a) Create a daemon running outside the chroot that opens a socket inside
the chroot area or listens on a local port, and make your PHP app talk to
it. As long as you don't make security mistakes in this daemon you'll be
safe enough (do not forget authentication). But this could be much work
in some cases.

b) Put the needed statically linked executable ("/bin/sh" in your case)
inside the chroot. It's a mostly bad but easy way.

--
  Best wishes,
Vadim Zhukov



Re: route: network is unreachable

2009-02-27 Thread Vadim Zhukov

--
  Best wishes,
Vadim Zhukov



Re: route: network is unreachable

2009-02-27 Thread Vadim Zhukov
On 27 February 2009 22:15:35 Sergey Khentov wrote:
> >> # cat /etc/hostname.pppoe0
> >> inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev rl2 \
> >>authproto pap authname szt authkey szt up
> >> !/sbin/route add default 0.0.0.1
> >
> > Looks like you messed up ifconfig(8) and hostname.if(5) syntax.
> > You need something like:
> >
> > inet 0.0.0.0 255.255.255.255 NONE pppoedev rl2
> > authproto pap authname szt authkey szt
> > dest 0.0.0.1
> > up
> > !/sbin/route add default 0.0.0.1
>
> Thanks a lot! At least sh -x /etc/netstart pppoe0 now works OK.
>
> I've configured pppoe according to the manual for 4.2 (got it from
> http://www.openbsdsupport.org); it seems that the manual is a
> little bit incorrect. I'll try to contact the author.


You should look at the man pages on your system first; all the needed
examples are there. In particular, you should read pppoe(4).

--
  Best wishes,
Vadim Zhukov



Re: route: network is unreachable

2009-02-27 Thread Vadim Zhukov
On 27 February 2009 22:48:29 Sergey Khentov wrote:
> Oops, it seems that the problem with disappearings of default route
> was not fixed. 30 minutes I was away from my PC - and route has
> disappeared. dmesg says nothing.
>
> Any ideas?

1) What daemons do you run? Show your /etc/rc.local script. Also, did you
modify root's crontab? If yes, please show it too.

2) Try to set up the connection through pppoe(8); this'll give you a lot of
information you could use for debugging, especially possible
reconnection logs.


--
  Best wishes,
Vadim Zhukov



Re: Apache & PHP

2009-03-08 Thread Vadim Zhukov
On 8 March 2009 10:13:58 new_guy wrote:
> I compile some c code and link it statically. It's the simple 'hello
> world' program. I name it 'hello' and put it in /var/www/test/
>
> I then try to execute it through php using the shell_exec function
> like so:
>
> $output = shell_exec("/var/www/test/hello");
> echo $output;
>
> I get no output at all. Same program runs fine via shell_exec on other
> Apache PHP setups. Being this is statically linked and ldd shows no
> shared libs (the chroot should not impact it, right?) and the php.ini
> files does not exclude shell_exec from running... what else might be
> wrong?

1. You need a shell to run shell_exec().

2. You should specify the path _inside_ the chroot: "/test/hello".

For "real" exec() and friends see the pcntl_* functions.

--
  Best wishes,
Vadim Zhukov



Re: Where is "Secure by default" ?

2009-03-09 Thread Vadim Zhukov
On 9 March 2009 21:29:47 Juan Miscaro wrote:
> 2009/3/9 bofh :
> > On Mon, Mar 9, 2009 at 11:48 AM, - Tethys  wrote:
> >> Maybe it's a troll. Maybe not. Can we afford to be turning away
> >> potential users on the off chance?
> >
> > OpenBSD exists solely for the developers
>
> That's a silly thing to say.

Then what do you do on this silly list made by silly people who also own
a silly website (and, as one Unix here says, silly OSes too) which says
such silly things too?

--
  Best wishes,
Vadim Silly Zhukov



Re: Jumbo Frame

2009-03-12 Thread Vadim Zhukov
On 12 March 2009 18:01:24 Kleber Rocha wrote:
> Hello,
>
> Does OpenBSD support jumbo frames? If yes, how do I do this configuration?

man 8 ifconfig
man 4 name-of-your-nic-driver-here

--
  Best wishes,
    Vadim Zhukov



Re: linux binary emulation (corrected kdump)

2009-03-13 Thread Vadim Zhukov
On 12 March 2009 20:45:12 Constantine Cusulos wrote:
> I am trying to run a linux binary on my OpenBSD 4.4/i386 system. The
> binary file (let's call it 'fpc') is a static executable.
>
> So far, i have done the following:
>
> 1. I have modified /etc/sysctl.conf so that it reads
>kern.emul.linux=1
> 2. Reboot
> 3. sudo pkg_add -i fedore_base
> 4. I have copied the file 'fpc' from /usr/bin of my Ubuntu/i386 system
> to /emul/linux/usr/bin/ of my OpenBSD installation.
> 5. $ /emul/linux/usr/bin/fpc
> Bad system call (core dumped)
> 6. $ cp /emul/linux/usr/bin/fpc /emul/linux/fedora/usr/bin/
> 7. $ /emul/linux/fedora/usr/bin/fpc
> Bad system call (core dumped)
> 8. $ ktrace /emul/linux/usr/bin/fpc
> 9. $ kdump -e linux
>4410 ktrace   RET   brk 0
>4410 ktrace   CALL  oldolduname(0xcfbe6107,0xcfbe5fb0,0xcfbe5fb8)
>4410 ktrace   NAMI  "/emul/linux/usr/bin/fpc"
>4410 fpc  EMUL  "native"
>4410 fpc  RET   execve 0
>4410 fpc  CALL  pathconf(0xcfbea7d0,0x805918b)
>4410 fpc  NAMI  "A`(3/4I"+?"
>4410 fpc  RET   pathconf -1 errno 2 No such file or directory
>4410 fpc  CALL  #76 (obsolete vhangup)()
>4410 fpc  PSIG  SIGSYS SIG_DFL code 0
>4410 fpc  NAMI  "fpc.core"
>
>
> Is there something i can do to run this binary??

If you're really trying to run FreePascal then you'd better talk to its
developers (they provided OpenBSD binaries a long time ago), or try to
bootstrap its build on another OS (cross-compilation is supported), or
via another compiler. I tried to do so, but then my need for FPC was gone,
so I had to abort the porting due to lack of time.

--
  Best wishes,
Vadim Zhukov



Re: creating release and kernels

2009-03-13 Thread Vadim Zhukov
On 13 March 2009 22:13:35 Aaron Martinez wrote:
> I'm running 4.4 Stable on i386 hardware and was wanting to make a
> release.
>
> I was reading through the release man page and noticed it said a
> GENERIC kernel is included with the release.  I'm just wondering if
> there is a way to include or replace the generic kernel with a
> modified kernel.  The only change i'm making is adding NTFS read
> support.

Well, nothing stops you from replacing the bsd* files in the release
directory with your own built ones after building the release itself. :)
Or do you want to automate this work?

--
  Best wishes,
Vadim Zhukov



Re: creating release and kernels

2009-03-13 Thread Vadim Zhukov
On 13 March 2009 23:12:25 Aaron Martinez wrote:
> > On 13 March 2009 22:13:35 Aaron Martinez wrote:
> >> I'm running 4.4 Stable on i386 hardware and was wanting to make a
> >> release.
> >>
> >> I was reading through the release man page and noticed it said a
> >> GENERIC kernel is included with the release.  I'm just wondering if
> >> there is a way to include or replace the generic kernel with a
> >> modified kernel.  The only change i'm making is adding NTFS read
> >> support.
> >
> > Well, nothing stops you in replacing bsd* files in release directory
> > with your own built ones after building release itself. :) Or you
> > want to automate this work?
>
> Automating is always good, but copying a couple files one time is
> something I can handle, just didn't realize it wasn't creating a
> release of the current running kernel.

:)

> Would i also need to copy the
> /boot file as well or just the bsd* files?

No.

--
  Best wishes,
Vadim Zhukov



Re: pf state key linking mismatch

2009-03-24 Thread Vadim Zhukov
On 24 March 2009 20:59:05 Stuart Henderson wrote:
> On 2009-03-24, Vadim Zhukov  wrote:
> > Hello all.
> >
> > As far as I remember, the error message "pf: state key linking mismatch"
> > is not something anyone wants to see on his console. For me it means
> > now that at some point the machine will freeze up. The last tested kernel
> > is the GENERIC one from the fresh snapshot (March 23).
> >
> > The machine is (still) a test proxy with 3 NICs: 2 two-port Intel gigabit
> > cards and an internal BroadCom one, see dmesg below for details. One
> > NIC connects via its ports to different provider uplinks, and the other
> > NICs are connected to LAN(s). More details may be found in PR 6095.
> >
> > A few minutes ago the machine froze, being stopped in
> > pf_icmp_mapping(). The keyboard did not work, and as far as I discovered
> > it fails to work in UKC, but that's a totally different case I do not
> > bother much about: there is SSH. So the bad news is that I do not have
> > "ps" and "trace" output, sorry... There is no serial console either. :(
> > There is a photo, though: http://77.108.65.40/dnl/P1030052.jpg
>
> So it should be short enough to re-type, yes? That will be easier than
> have whoever is interested in looking at this try and view your photo
> and find the URL isn't accessible.

Oops... I simply sent the file over scp and didn't check that KMail had
extracted it (the photographer is my co-worker, he sent the photo attached
in a private email) to /tmp with mode 0400... Sorry to all who tried and
failed. :( Fixed now. And no, it was not short enough, unless skipping the
"linking mismatch" messages. But here it is without them:

kernel: page fault trap, code=0
Stopped at  pf_icmp_mapping+0x38:   movzwl  0x4(%rax),%eax
ddb{0}>

> Can you try a different type of keyboard though (PS/2 vs USB, or maybe
> even just change keyboard emulation settings in the BIOS)), or try and
> arrange serial console in case it happens again? it might be useful
> to get that trace.

As far as I remember, USB keyboards are useless in ddb(4) - am I wrong?
Of course, I tried different PS/2 keyboards that worked fine on other
machines - they just fail. There were other issues with the keyboard
(controller), even during install, but I was too busy to worry about it.

Yes, I know that a serial console would be very useful, but the current
situation in my company does not give me the opportunity to order one for
at least the next two months. :(

The "pf: state key linking mismatch" message is very easily reproducible
for me, though: not directly ("touch that and it will happen"), but often
enough ("it'll eventually happen in a minute, just open and close some
connections").

--
  Best wishes,
Vadim Zhukov



Re: disabling drivers at runtime?

2009-03-25 Thread Vadim Zhukov
On 26 March 2009 02:11:16 Sebastian Rother wrote:
> Is it possible to disable for example ehci at runtime?
> As far as I understand I can use config -e -f /bsd to modify the BSD
> kernel but the changes just get applied after a reboot.
>
> Is there any method to disable a specific driver only at runtime?
> Let's say ehci?
>
> Kind regards,
> Sebastian

boot -c

Search for the word UKC in FAQ for more details.

--
  Best wishes,
Vadim Zhukov



Re: shell history and page-up

2009-04-01 Thread Vadim Zhukov
On 2 April 2009 08:37:25 Chris wrote:
> I am trying to get the shell history with page-up but looks like it's
> not working. I'm running -current with the default ksh and added
> HISTSIZE=50 and export HISTSIZE to ~/.profile.
>
> Does anyone know how to get it?

From ksh(8):

Note: If HISTFILE isn't set, no history file is used.  This is
different from the original Korn shell, which uses
$HOME/.sh_history; in the future, pdksh may also use a default
history file.

And, BTW, you don't need to export those variables.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: how to compile a debug version of Qt5.9.6 on OpenBSD 6.4 ?

2018-12-02 Thread Vadim Zhukov
You'd better use "FLAVOR=debug make" inside x11/qt5 directory to build
components you're interested in.
On Sun, 2 Dec 2018 at 03:06, stephane l1 wrote:
>
> Hi,
> I have tried to compile a debug version of Qt5.9.6 on OpenBSD 6.4 with the
> mkspecs of the package release Qt5.9.6 and the platform openbsd-clang, but I
> have a linking error on the first lib libQt5Core on version-tag@Qt_5_8.
> Have I forgotten something to configure?
>
> Thanks
> best regards
>
> Stéphane L . from france



-- 
  WBR,
  Vadim Zhukov



Re: how to compile a debug version of Qt5.9.6 on OpenBSD 6.4 ?

2018-12-02 Thread Vadim Zhukov
Well, I was talking about compiling from ports.

If you try to compile Qt from sources on your own you're, well, on
your own. find /usr/ports/x11/qt5 -name '*.patch' should give you a
clue how much on your own you are. :)
On Sun, 2 Dec 2018 at 15:03, stephane l1 wrote:
>
> Hi,
>
> I have tried with FLAVOR = debug make in the .pro and I still have this
> error:
>
> /usr/bin/ld: libQt5Core.so.5.9.6: undefined versioned symbol name qt_version_tag@Qt_5.8
> /usr/bin/ld: failed to set dynamic section sizes: Bad value
> clang++: error: linker command failed with exit code 1 (use -v to see invocation)
>
>



-- 
  WBR,
  Vadim Zhukov



Re: how to compile a debug version of Qt5.9.6 on OpenBSD 6.4 ?

2018-12-02 Thread Vadim Zhukov
On Sun, 2 Dec 2018 at 16:31, stephane l1 wrote:
>
> Hi,
> Shall I run "FLAVOR=debug make" in each Makefile of the Qt modules in the
> port?

Basically, yes. You can play with shell, of course, to run those in a
single command, though.

Please note that debug FLAVOR isn't linked to bulk builds, so it _may_
fail due to some unexpected condition on your system that differs from
mine. And make sure you have enough room for building... And I really,
really do not recommend doing it on HDD, only on SSD. :)

>>
>> ok thanks I will try to compile from the ports too..
>> Yes it was just a Qt problem in qversiontagging.h.
>> ok it would be more simple to use the ports thanks
>>



-- 
  WBR,
  Vadim Zhukov



Re: how to compile a debug version of Qt5.9.6 on OpenBSD 6.4 ?

2018-12-02 Thread Vadim Zhukov
On Sun, 2 Dec 2018 at 22:59, stephane l1 wrote:
>
> Do the conflicts come because I have already installed the package Qt5.9.6
> (so the release version)?

Regarding conflicts - yes, you'll need to use "pkg_add -r" (replace
mode) to install an alternative (FLAVORed) version of a package. This is
documented in ports(7), packages(7) and pkg_add(1).

Regarding "not signed", you can set TRUSTED_PKG_PATH before running
pkg_add, or add -Dunsigned. Using "make install" in the port directory
does this for you, but it won't use "pkg_add -r", though.

-- 
  WBR,
  Vadim Zhukov



Re: kde4-4.13.3p0 on OpenBSD 5.6 10/15/2014 AMD64 snapshot

2014-11-04 Thread Vadim Zhukov
On 5 Nov 2014 at 1:29, "Stan Gammons" wrote:
>
>
> On 11/04/14 00:44, Vadim Zhukov wrote:
>>
>> On 4 Nov 2014 at 3:11, "Stan Gammons" wrote:
>> >
>> > Does anyone besides me experience crashes with Dolphin on
>> > kde4-4.13.3p0?  When I click on the kde crash handler developer
>> > information tab it churns forever and ever and ever and never returns
>> > any information.
>>
>> What the "ulimit -a" command says?
>
>
> $ ulimit -a
> time(cpu-seconds)unlimited
> file(blocks) unlimited
> coredump(blocks) unlimited
> data(kbytes) 524288
> stack(kbytes)4096
> lockedmem(kbytes)2701294
> memory(kbytes)   8101456
> nofiles(descriptors) 512

That's likely to be a problem. Please adjust the number-of-open-files
limits in /etc/login.conf and /etc/sysctl.conf. "pkg_info kde-runtime"
will give you some clues. Remember that you'll need to re-login to make
the login.conf changes apply.

> processes128
> $
>
>
>> Also, could you post all uncommented global options in your
/etc/samba/smb.conf?
>>
>>
>
> [global]
>
>workgroup = WORKGROUP
>
>load printers = yes
>
>log file = /var/log/samba/smbd.%m
>
>max log size = 50
>
>dns proxy = no
>
> [homes]
>comment = Home Directories
>browseable = no
>writable = yes
>
> [printers]
>comment = All Printers
>path = /var/spool/samba
>browseable = no
>guest ok = no
>writable = no
>printable = yes
>
>
> Like Federico who also replied to this thread, I'm unable to put a finger
> on an exact cause for the crashes.  But I wonder if it's some combination
> of running KDE, Firefox and Thunderbird.
>
> Oh, there is another thing I failed to mention.  I log in and manually
> start kde with "startkde4".  Sometimes when I logout that way it will hang
> and ctrl-alt-backspace is needed to return to the command line.  Sometimes
> kwin will crash when I logout also.

--
Vadim Zhukov



Re: sole instance of a process

2014-11-20 Thread Vadim Zhukov
On 21 Nov 2014 at 10:00, "Pete Vickers" wrote:
>
> Hi,
>
> I suspect this may be the wrong list for this question. However, although
> strictly it's a Bourne shell script query, it only seems to act up under
> OpenBSD (for me).
>
> Essentially I have a job which needs to be run periodically. So I have a
> shell script to do the necessary commands, and this is scheduled via
> (root's) crontab.
> It is however very important that multiple instances of the job are not
> run concurrently (e.g. if a previous invocation hung), and so the script
> should detect this upon invocation before proceeding.
>
> I don't want a single long running job (which could e.g. sleep between
> loops) for various reasons. And I also don't like PID files and other
> fragile locking hacks.
>
>
> So down to business, below is the gist of my script. Most of the time it
> appears to run fine. However occasionally (once every couple of days?) it
> reports via email that a duplicate process is detected, but the included ps
> listing shows no other instance. I don't believe that this is just due to
> an old instance exiting in the small time window between the pgrep and the
> ps invocations.  So basically I guess there is an error in my script or
> its logic, or something else I'm not seeing.
>
> Any hit with the clue bat gratefully received.
>
>
>
> #!/bin/sh
> #
> #
> SHOUT="/usr/bin/logger -i -t MYPERIODICJOB"
> #
> #
> # Ensure another instance of this is not running
> #
> MYNAME=`basename $0`
> MYPID=$$
> #
> /usr/bin/pgrep -fu root $MYNAME | /usr/bin/grep -v $MYPID && \

First problem: if the first shell running the script has PID 75 and the
second has PID 5, this grep command will ignore both.

Second problem: if you have anything in the system with an argument
containing the script's name, like a text editor, or a file scanner, or
whatever, it will match too, producing the problem you see.

I'd recommend saving the output of ps in a temporary variable and running
grep on its content.

But the better solution should be locking of some sort. You can use
dolock(1) from the ports infrastructure (don't forget to remove the lock
file in an EXIT trap), or just switch to Perl and proper file locks.

> {
> $SHOUT "HELP - duplicate process detected $?" ; \
> ps -axjwww | mail -s "HELP MYPERIODICJOB $MYPID $MYNAME $PPID" m...@example.com ; \
> exit 1 ;
>  }
>
> #
> #
> # starting doing useful stuff here..
> #
>
>
> Disclaimer: I know my scripting is far from optimal...

--
Vadim Zhukov
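A runnable illustration of the two problems discussed in this thread, added here and not taken from Pete's or Vadim's mails: the substring behaviour of `grep -v $MYPID` over constructed pgrep output, and a mkdir-based lock as one form of the "locking of some sort" suggested above. The sample PIDs and the lock path are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. All data is constructed.

# What `pgrep -fu root $MYNAME` could print: one PID per line, our own
# included. 75 and 1750 contain the digits "5" and "75", which is exactly
# what trips up a substring filter.
SAMPLE_PIDS='75
5
1750'

# The original filter: grep -v is a substring match. With MYPID=5 every
# line is discarded and a real duplicate goes unnoticed; with MYPID=75 the
# unrelated PID 1750 is discarded as well.
naive_filter() {                       # $1 = our PID
    printf '%s\n' "$SAMPLE_PIDS" | grep -v "$1" || true
}

# Whole-line match (-x): only the line equal to our own PID is removed.
exact_filter() {                       # $1 = our PID
    printf '%s\n' "$SAMPLE_PIDS" | grep -vx "$1" || true
}

# Number of PIDs left after filtering; non-zero means "another instance".
# Note that pgrep -f still matches any command line containing the script
# name (an editor with the file open, for instance), the second problem
# raised above; that is why a lock beats process-list scraping.
count_others() {                       # $1 = filter function, $2 = our PID
    "$1" "$2" | awk 'END { print NR }'
}

# Locking instead of scraping. mkdir(2) either creates the directory or
# fails because it already exists, atomically, so two invocations cannot
# both believe they hold the lock. The path is an assumption; a real cron
# job would use a fixed location such as a directory under /var/run.
LOCKDIR="${TMPDIR:-/tmp}/myperiodicjob.lock.example"

acquire_lock() {
    if mkdir "$LOCKDIR" 2>/dev/null; then
        printf '%s\n' "$$" > "$LOCKDIR/pid"    # informational only
        return 0
    fi
    return 1
}

release_lock() {
    rm -rf "$LOCKDIR"
}

# Self-check: a second acquire while held must be refused, and acquiring
# must work again once released. Returns 0 when the lock behaves that way.
lock_behaves() {
    release_lock                               # start from a clean slate
    acquire_lock || return 2
    if acquire_lock; then                      # must be refused
        release_lock
        return 1
    fi
    release_lock
    acquire_lock || return 3
    release_lock
    return 0
}

# How the cron job itself would use it: take the lock, arrange for it to
# be dropped on any exit (the EXIT trap Vadim mentions), then do the work.
run_guarded() {                        # $@ = command to run under the lock
    if ! acquire_lock; then
        logger -i -t MYPERIODICJOB "another instance holds $LOCKDIR"
        return 1
    fi
    trap release_lock EXIT HUP INT TERM
    "$@"
}
```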



Re: fastcgi support in httpd(8)

2014-11-22 Thread Vadim Zhukov
On 22 Nov 2014 at 12:54, "Riley Baird" <bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch> wrote:
>
> Hi,
>
> I am running OpenBSD 5.6-stable (without the X packages).
>
> I have successfully setup the httpd(8) webserver, but only for static
> webpages. I have been unable to get cgi (perl) scripts to run.
>
> Due to the OpenBSD chroot, I have copied the folowing files into
> /var/www. The libraries were generated from `ldd /usr/bin/perl`.
> /usr/bin/perl
> /usr/lib/libc.so.77.0
> /usr/lib/libm.so.9.0
> /usr/lib/libperl.so.15.0
> /usr/lib/libpthread.so.18.0
> /usr/lib/libutil.so.12.1
> /usr/libexec/ls.so
>
> My httpd.conf is:
>
> # $OpenBSD: httpd.conf,v 1.10 2014/08/06 20:29:54 reyk Exp $
>
> #
> # Macros
> #
> ext_addr="egress"
>
> server "default" {
> listen on $ext_addr port 80
>
> location "/cgi-bin/*" {
> fastcgi
>
> # The /cgi-bin directory is outside of the document root
> root "/"
> }
> }
>
> Using a web browser on another computer,
> http://192.168.1.55/cgi-bin/script.pl simply says "500 Internal Server
> Error".
>
> A script as simple as the below brings up this error, but it has been
> tested with other scripts:
>
> #!/usr/bin/perl
> print "Hello!"
>
> Thanks for reading,

Crazy idea, just off the top of my head:

1. Put /bin/sh and /usr/bin/kdump (both are statically linked) inside the
chroot. Rename them if you feel unsafe.
2. Write a shell script that runs 'exec ktrace -if ... perl ... "$@"'. Make
sure ktrace will be able to write its output file; it will be run as the CGI
user!
3. Make this script handle a connection in your web server/FastCGI config.
4. Run kdump on the resulting ktrace output file and investigate the problems.

If you don't get ktrace output, you likely have a problem with FastCGI
itself; look at its logs then.

--
Vadim Zhukov



Re: KDE4 crashes in 5.6

2014-12-03 Thread Vadim Zhukov
Also, make sure that you have your openfiles (for user) and kern.maxfiles
(sysctl) limits bumped.

--
Vadim Zhukov
On 3 Dec 2014 at 13:14, "Federico Giannici" wrote:

> Hi!
> I'd like to know if I'm the only one that have experiences crashes with
> KDE4 under 5.6-release amd64.
>
> Often, during the startup or shutdown of KDE4, the bug report window
> appears saying that "Plasma Desktop Shell closed unexpectedly" (Executable
> "plasma-desktop", Signal "Segmentation fault(11)").
>
> Moreover, once every 3-4 times the startup of KDE get stuck after the
> final big KDE logo appears in the startup page (maybe this is related to
> the first problem).
>
> It happens in both my PCs where I installed KDE. I'd like to know if this
> happens only to me (to my hardware/software configuration), or is a common
> and known problem (and if there is any solution).
>
> Thanks.



Re: CVS: cvs.openbsd.org: ports

2014-12-08 Thread Vadim Zhukov
2014-12-08 23:33 GMT+03:00 Vadim Zhukov :
> CVSROOT:/cvs
> Module name:ports
> Changes by: z...@cvs.openbsd.org2014/12/08 13:33:51
>
> Log message:
> Import Qt 5.3.2.
>
> Qt is a full development framework with tools designed to streamline
> the creation of applications and user interfaces for desktop,
> embedded, and mobile platforms.
>
> This port is not enabled yet, because some ports will pick up Qt5
> instead of Qt4, breaking build. Those will be fixed separately soon.
>
> There are some non-critical things left to do:
>
> 1. Support for OpenBSD sensors framework.
> 2. V4L2 support.
> 3. -L${LOCALBASE}/* could come before -L${WRKBUILD}/* when linking is
> done across Qt module boundaries. This means that builds of Qt 5.y
> while having Qt 5.x installed (x < y) will be busted.
>
> Volunteers are welcome to come in and help fixing those problems.
>
> Last note: don't even try to build "debug" FLAVOR unless you know
> what you're doing and you have about 20GB of free space. You've
> been warned.
>
> landry@ agrees on continuing working in-tree
>
> Status:
>
> Vendor Tag: zhuk
> Release Tags:   zhuk_20141208
>

Re: clementine stutters when playing local files

2014-12-18 Thread Vadim Zhukov
Yes, there are issues related to the fact that disk I/O causes major - from
the audio's point of view - pauses. Unfortunately I'm not an expert in this
area, but this is what you could do:

1. Disable sonogram in Clementine. Yes, this helps a bit, but I was too
lazy to investigate, why. :)

2. Try to _lower_ buffer sizes. Larger buffer causes larger read.

Eventually I'll look at Clementine 2.x...

--
Vadim Zhukov
On 18 Dec 2014 at 12:23, "Marko Cupać" wrote:

> On Thu, 18 Dec 2014 09:13:31 +0100
> Marko Cupać  wrote:
>
> > Hi,
> >
> > When playing local mp3 files in clementine, there are frequent short
> > skips. Listening to the same files over network (icecast) everything
> > is ok.
>
> I searched around, and It appears that I have I/O bottleneck, as vmstat
> constantly shows blocked processes even though laptop does close to
> nothing:
>
>  procs    memory       page                    disks    traps          cpu
>  r b w    avm     fre  flt  re  pi  po  fr  sr sd0 sd1  int   sys   cs us sy id
>  1 5 0 817348 6063372  680   0   0   0   0   0  11 1068 1911 26543 4849  6  6 88
>  2 5 0 817364 6063352   41   0   0   0   0   0   0   0  131  7076  933  4  0 96
>  2 5 0 817424 6063288   37   0   0   0   0   0   0   0  135  7334  983  3  1 96
>  1 5 0 817436 6067428   37   0   0   0   0   0   0   0  143  6822  921  3  1 96
>  1 5 0 817516 6067348   43   0   0   0   0   0   0   0  134  7337  976  5  0 95
>  0 5 0 817520 6067340   25   0   0   0   0   0   0   0  133  7001  939  3  1 96
>  1 5 0 817744 6067116   80   0   0   0   0   0   0   0  136  7419  998  4  0 96
>  2 5 0 817760 6067100   38   0   0   0   0   0   0   0  134  6944  936  2  1 97
>  2 5 0 818096 6066764  176   0   0   0   0   0   0   0  134  7668 1147  4  1 95
>  2 5 0 818124 6066720   34   0   0   0   0   0   2   0  132  6949  941  3  0 97
>  2 5 0 818420 6066424  112   0   0   0   0   0   0   0  141  8124 1058  3  2 95
>  1 5 0 818416 6066428   27   0   0   0   0   0   0   0  134  7435  981  3  1 96
>  2 5 0 818656 6066236  136   0   0   0   0   0   0   0  168  7714 1069  4  1 95
>  1 5 0 818672 6075136   27   0   0   0   0   0   0   0  141  7140  947  4  2 94
>
> Here's atactl identify output:
>
> Model: KINGSTON SV300S37A240G, Rev: 521ABBF0, Serial #: 50026B72410EC74E
> Device type: ATA, fixed
> Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 468862128
> Device capabilities:
> ATA standby timer values
> IORDY operation
> IORDY disabling
> Device supports the following standards:
> ATA-2 ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 ATA-8
> Master password revision code 0xfffe
> Device supports the following command sets:
> NOP command
> READ BUFFER command
> WRITE BUFFER command
> Host Protected Area feature set
> Read look-ahead
> Write cache
> Power Management feature set
> Security Mode feature set
> SMART feature set
> Flush Cache Ext command
> Flush Cache command
> 48bit address feature set
> Set Max security extension commands
> Set Features subcommand required
> Power-up in standby feature set
> Advanced Power Management feature set
> DOWNLOAD MICROCODE command
> IDLE IMMEDIATE with UNLOAD FEATURE
> SMART self-test
> SMART error logging
> Device has enabled the following command sets/features:
> NOP command
> READ BUFFER command
> WRITE BUFFER command
> Host Protected Area feature set
> Read look-ahead
> Write cache
> Power Management feature set
> SMART feature set
> Flush Cache Ext command
> Flush Cache command
> 48bit address feature set
> Set Features subcommand required
> Advanced Power Management feature set
> DOWNLOAD MICROCODE command
>
> Any advice on where I should start looking for a solution?
>
> Thank you in advance,
> --
> Marko Cupać
> https://www.mimar.rs/



Re: About special configs to do in OpenBSD for KVM environments

2014-12-18 Thread Vadim Zhukov
On 19 Dec 2014 at 10:36, "C. L. Martinez" wrote:
>
> Hi all,
>
>  Please, first of all, I don't want to start a flame war or anything similar.
> I only want to know what problems I can encounter when I need to
> install OpenBSD in KVM environments (mostly CentOS 6.x servers).
>
>  Yes, I know, OpenBSD is not supported to run in virtualization
> environments, but many of us only have access to that kind of
> environment for testing (new pf rules, updates, etc). We can't use a
> physical server, and although I am not a big fan of this type of
> technology, it is here to stay.
>
>  My questions are KVM specific. As far as I know:
>
>
> a) OpenBSD/i386: turn APIC off and set up vio flags to 0x02
>
> b) OpenBSD/amd64: set up vio flags to 0x02
>
>
> Anything else??

I have a few 5.5/amd64 in production under CentOS 6.2, without either direct
or indirect access to the Internet. No problems so far, no adjustments on the
OpenBSD side.

--
Vadim Zhukov



Re: About special configs to do in OpenBSD for KVM environments

2014-12-19 Thread Vadim Zhukov
On 19 Dec 2014 at 11:53, "Jiri B" wrote:
>
> On Fri, Dec 19, 2014 at 11:57:19AM +0400, Vadim Zhukov wrote:
> > I have few 5.5/amd64 in production under CentOS 6.2, without either
direct
> > or indirect access to Internet. No problems so far, no adjustments on
> > OpenBSD side.
>
> Time to upgrade hosts? It's time of 6.6 now :)

Ouch. How did it happen that I missed 5 years???

More seriously - yes, of course. Just no hurry is needed there.

--
Vadim Zhukov



Re: httrack

2015-01-21 Thread Vadim Zhukov
On 21 Jan 2015 at 20:11, "Zuleyha Torku" wrote:
>
> Hi
>
> I would like to use httrack. But when I tried to build it from source
> (downloaded from svn), I got plenty of errors like the one below.
>
> Can anyone give some advice about installing httrack on OpenBSD
> 5.6 amd64?
>
> htscharset.c:1239: warning: comparison is always true due to limited range
> of data type

Please take a look at the www/httrack port. It didn't get into OpenBSD 5.6,
unfortunately, but you likely could take it from -CURRENT (this is not a
supported method in general, but should work in that particular case):

$ cd /usr/ports
$ cvs up -APd www/httrack
$ cd www/httrack
$ make install

Alternatively, you could take the patches from this port and adapt them to the
SVN checkout you have.

--
Vadim Zhukov



Re: autonet - simple automatic wifi chooser

2015-02-15 Thread Vadim Zhukov
On 15 Feb 2015 at 2:59, "Steve Dee" wrote:
>
> Hi misc,
>
> I hacked this utility together recently to scratch an itch. You might find
> it interesting if you use OpenBSD on a laptop and frequently move between a
> few locations with stable networks:
>
> https://github.com/mrdomino/autonet
>
> If there's sufficient demand, I'd be happy to put together a port.
>
> (First post -- sorry in advance for cluelessness.)

There is an ongoing effort on this path, involving some kernel changes.
The current idea is to have network profiles containing all info about known
networks and let the kernel switch between them, pushing notifications to
userland when it's done. Feel free to contact me off-list if you're
interested in digging further.

--
Vadim Zhukov



Stable releases: KDE-way

2012-10-15 Thread Vadim Zhukov
It's too bad - I'm an OpenBSD user.

It's too bad - I understand some words literally.

Say, the word "stable". Using OpenBSD I've got accustomed to
understand it as... you know, stable. And not as, say: "let's tweak
some system headers in OPENBSD_5_0 branch because ANSI published new
standard".

And, of course, KDE got it right: adding "-fno-exceptions" by default
for each and every KDE project is a nice idea, isn't it? It's so cool
to force packagers to patch CMakeLists.txt files here and there in a
stable release (between 4.9.0 and 4.9.2).

IMHO, OpenBSD should go this way too. It's so funny. And the coding
should be fun, shouldn't it?

... back to WIP ports tree...
--
  WBR,
  Vadim Zhukov



Four "no"

2012-11-20 Thread Vadim Zhukov
Just look at this beautiful name for a command-line parameter:

-Wno-non-virtual-dtor

Again, step by step:
Warnings
  No
Non
  Virtual
De-
  structor

"No", "Non", "Virtual" and "De-".

Four times "no".

An excellent example of brilliant software design (all of the language, the
compiler and the piece of shit being built), isn't it? :)

--
  WBR,
  Vadim Zhukov



Re: Can't use PerlMagick

2012-11-24 Thread Vadim Zhukov
On 24.11.2012 at 5:11, "Dmitrij D. Czarkoff" wrote:
>
> Hello!
>
> I'm running into a weird problem with PerlMagick:
>
>  $ perl -e 'use Image::Magick'
>  Can't load '/usr/local/libdata/perl5/site_perl/amd64-openbsd/auto/Image/Magick/Magick.so' for module Image::Magick: Cannot load specified object at /usr/libdata/perl5/amd64-openbsd/5.12.2/DynaLoader.pm line 200.
>   at -e line 1
>  Compilation failed in require at -e line 1.
>  BEGIN failed--compilation aborted at -e line 1.
>  &Image::Magick::constant not defined. The required ImageMagick libraries are not installed or not installed properly.
>  END failed--call queue aborted at -e line 1.
>
> Am I missing something obvious? Is there anything I can do about it?
>
> OpenBSD -current amd64 (latest snapshot), PerlMagick from
> ImageMagick-6.7.7.7p2 package.
>
> Thanks in advance.

LD_PRELOAD for the pthread library? OpenBSD's Perl isn't threaded. This should be
mentioned in the pkg-readme...



Re: Unused swap

2013-01-12 Thread Vadim Zhukov
2013/1/12 Christian Weisgerber :
> Constantine A. Murenin  wrote:
>
>> plus, last i checked, firefox was not even 64-bit friendly anyways
>
> Bullshit.

Well, not Firefox but the JavaScript JIT, IIRC.
http://www.openbsd.org/papers/slackathon2011_64bitandjit/index.html

--
  WBR,
  Vadim Zhukov



Re: named not answer on external query

2013-01-17 Thread Vadim Zhukov
On 17.01.2013 at 12:31, "lilit-aibolit" wrote:
>
> This is a weird problem. Years ago I set up an authoritative server on OpenBSD
> 4.x and it just worked for both the local network and queries from the Internet.
> But now it doesn't. I know this is my issue; please help me resolve it.
> ###named.conf###
> // $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
> acl tlk {
> 192.168.5.0/24;
> 192.168.55.0/24;
> 192.168.66.0/24;
> 192.168.99.0/24;
> 127.0.0.1; };
> options {
> version "";  // remove this to allow version queries
> listen-on { 127.0.0.1; 192.168.5.254; 192.168.55.254; ext_if; };
> listen-on-v6 { none; };
> allow-transfer { none; };
> empty-zones-enable yes;
> //forward first;
> forwarders { provider's dns; };
> allow-recursion { tlk; };
> allow-query { any; };
> };
> view "allow-recursion" {
> match-clients { tlk; };
> //recursion yes;
>
> zone "." {
> type hint;
> file "etc/root.hint"; };
>
> zone "localhost" {
> type master;
> file "standard/localhost";
> //allow-transfer { localhost; };
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "standard/loopback";
> //allow-transfer { localhost; };
> };
>
> zone "zone.1" {
> type master;
> file "/master/zone.1"; };
>
> zone "zone.2" {
> type master;
> file "/master/zone.3"; };
>
> zone "zone.4" {
> type master;
> file "/master/zone.4"; };
>
> zone "168.192.in-addr.arpa" {
> type master;
> file "/master/168.192.in-addr.arpa"; };
>
> include "/master/forbidden.conf";
> };
>
> view "deny-recursion" {
> recursion no;
> additional-from-cache no;
> additional-from-auth no;
> zone "zone.5" {
> type master;
> file "/master/zone.5"; };
> };
>
> key "rndc-key" {
> algorithm hmac-md5;
> secret "**";
> };
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> logging {
> channel security_channel {
> # Send log messages to the specified file
> file "log/security.log";
> # Log all messages
> severity debug;
> # Log the date and time of the message
> print-time  yes;
> # Log the category of the message
> print-category  yes;
> # Log the severity level of the message
> print-severity  yes;
> };
>
> channel default {
> # Send logs to the 'local0' syslog facility
> syslog  local0;
> # Log messages of severity 'info' or higher
> severity info;
> print-category  yes;
> print-severity  yes;
> };
>
> # Logs about approval and denial of requests
> category security {
> security_channel;
> default;
> };
>
> # Ignore logs about misconfigured remote servers
> category lame-servers { null; };
>
> # Default logging options
> category default { default; };
> };
>
> ###zone.5###
> ; $OpenBSD: db.localhost,v 1.2 2005/02/07 06:08:10 david Exp $
> $ORIGIN zone.5.
> $TTL 24h
> @       IN      SOA     ns1.zone.5. admin.zone.com. (
>                         10      ; serial
>                         1h      ; refresh
>                         30m     ; retry
>                         7d      ; expiration
>                         1h )    ; minimum
>         NS      ns1.zone.5.
>         NS      ns2.zone.5.
> @       IN      A       right.IP
> www     IN      A       right.IP
> ns1     IN      A       right.IP
> ns2     IN      A       right.IP2
>
>
> ###pf.conf related rules###
> pass in on $ext_if inet proto { tcp, udp } from any to em1 port domain
> pass in on $int_if inet proto { udp, tcp } from  to $int_if port { ntp, domain }
> pass out on $ext_if inet proto udp from em1 to any
>
> I see a number of external queries to my server, but don't see the answers:
> # tcpdump -i em1 -p udp 'port domain'
> 09:28:23.152111 smtp.eurocom.su.19716 > my.server.domain: 59597 [1au] A? www.zone.5. (45)
> 09:28:24.136607 idbh.ru.47793 > my.server.domain: 26171% [1au] A? www.zone.5. (45)
> 09:28:26.942971 smtp.eurocom.su.44341 > my.server.domain: 615 A? www.zone.5. (34)
> 09:28:27.191067 smtp.eurocom.su.17302 > my.server.domain: 42979 [1au] A? www.zone.5. (45)
> 09:28:29.417383 smtp.eurocom.su.34958 > my.server.domain: 53565 A? www.zone.5. (34)
> 09:28:29.737934 idbh.ru.45564 > my.server.domain: 27837 A? www.zone.5. (34)
>
> From local net:
> user@pc.local:~$ nslookup
> > zone.5
> Server: 192.168.5.254
> Address:192.168.5.254#53
> Non-authoritative answer:
> Name:   zone.5
> Address: right.IP
> # tcpdump -i em0 -p udp 'port domain'
> 10:00:41.702484 pc.local.46571 > my.server.domain: 50830+ A? zone.5. (30)
> 10:00:41.702625 my.server.domain > pc.local.46571: 50830 1/2/0 A right.IP (82)
>

First, find where the flow gets stopped: enable debug logging on the
resolver and add a "match log (matches) to port 53" rule as the first one in
your firewall. Then you'll probably see the problem yourself.

Oh, and please, if you get "no packe
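As an added example (not part of the thread), the pairing Vadim's advice starts from, done over the tcpdump lines instead of by eye: queries and replies are matched on (client, port, DNS id), so any query that never gets a reply from the server shows up per client. The capture below is constructed in the same tcpdump(8) DNS format as the lines quoted above.

```python
import re

# Constructed sample in the format of `tcpdump -i em1 -p udp 'port domain'`
# output as quoted in the thread: three external queries without replies,
# one local query that is answered.
SAMPLE = """\
09:28:23.152111 smtp.eurocom.su.19716 > my.server.domain: 59597 [1au] A? www.zone.5. (45)
09:28:24.136607 idbh.ru.47793 > my.server.domain: 26171% [1au] A? www.zone.5. (45)
09:28:26.942971 smtp.eurocom.su.44341 > my.server.domain: 615 A? www.zone.5. (34)
10:00:41.702484 pc.local.46571 > my.server.domain: 50830+ A? zone.5. (30)
10:00:41.702625 my.server.domain > pc.local.46571: 50830 1/2/0 A right.IP (82)
"""

# A query: "<ts> <client>.<port> > <server>.domain: <id><flags> [edns] <TYPE>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<client>\S+)\.(?P<port>\d+) > "
    r"(?P<server>\S+)\.domain: (?P<id>\d+)[+%$-]*(?: \[[^\]]*\])* "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$")
# A reply: "<ts> <server>.domain > <client>.<port>: <id><flags> an/ns/ar ... (<len>)"
REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<server>\S+)\.domain > "
    r"(?P<client>\S+)\.(?P<port>\d+): (?P<id>\d+)[*|$-]* "
    r"(?P<counts>\d+/\d+/\d+) .*\(\d+\)$")


def ts_seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def match_replies(capture):
    """Pair DNS queries with their replies.

    Returns (answered, unanswered): answered is a list of
    (client, qname, latency_seconds) for queries that got a reply;
    unanswered maps client -> list of qnames still waiting for one,
    which is exactly the set worth chasing through the firewall log."""
    pending = {}   # (client, port, id) -> (sent_at, client, qname)
    answered = []
    for line in capture.splitlines():
        q = QUERY_RE.match(line)
        if q:
            key = (q["client"], q["port"], q["id"])
            pending[key] = (ts_seconds(q["ts"]), q["client"], q["qname"])
            continue
        r = REPLY_RE.match(line)
        if r:
            key = (r["client"], r["port"], r["id"])
            sent = pending.pop(key, None)
            if sent is None:
                continue   # reply for a query the capture did not see
            sent_at, client, qname = sent
            answered.append((client, qname, round(ts_seconds(r["ts"]) - sent_at, 6)))
    unanswered = {}
    for _, client, qname in pending.values():
        unanswered.setdefault(client, []).append(qname)
    return answered, unanswered


if __name__ == "__main__":
    ok, missing = match_replies(SAMPLE)
    for client, qname, latency in ok:
        print(f"answered   {client:20} {qname:14} {latency * 1e6:.0f} us")
    for client, names in missing.items():
        print(f"unanswered {client:20} {len(names)} query(s): {', '.join(names)}")
```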

Re: How do I compile 32-bit binaries on amd64 OpenBSD?

2013-01-22 Thread Vadim Zhukov
On 22.01.2013 at 16:32, "Salil Wadnerkar" wrote:
>
> Thanks Peter. I found that many autotools packaged programs out there
> expect newer gcc environments.
> So, when I run
> ./configure
> make
> make install
> most of the time, make fails because the system gcc toolchain is old.
> I tried using a newer toolchain by setting the environment variables:
> export CC=egcc
> export CPP=egcc-cpp
> export MAKE=gmake
> But, libtool is picked up from the /usr/bin instead of /usr/local/bin.
>
> Can somebody guide me on how I can use the sandboxed gcc environment to
> build programs?

Probably it's easier to create ports; then the ports framework will take care of
most of the problems you're fighting now, including libtool. Take a look at
http://www.openbsd.org/porting.html , especially the checklist and GNU
specifics sections.

> On Tue, Jan 22, 2013 at 5:43 PM, Peter Hessler wrote:
>
> > On 2013 Jan 22 (Tue) at 17:37:18 +0800 (+0800), Salil Wadnerkar wrote:
> > :Hi,
> > :
> > :Some programs like smlnj, which is SML by New Jersey, support only 32-bit
> > :binaries. On Linux distros, I can use gcc multilib support. How do I do
> > :that in OpenBSD?
> >
> > OpenBSD does not support multilib, and has no intention to.
> >
> > Fix the code so it works on 64bit systems.
> >
> > --
> > The National Short-Sleeved Shirt Association says:
> > Support your right to bare arms!



Re: openBSD 5.2 amd64 on lenovo x201s, part 2 apm support and overheating

2013-01-29 Thread Vadim Zhukov
2013/1/29 Andriy Samsonyuk :
> Hi,
>
> is apm/apmd the only way to change the fan speed?
>
> The fan speed never goes above:
> hw.sensors.acpithinkpad0.fan0=4527 RPM
> +/- a few RPM
>
> if I set apmd -C or -A the laptop powers off after a while
> without any warnings.
>
> with apm -L or -H it's running, but getting hotter.
>
> Any suggestions/ideas?

David Coppa already sent you a patch, but probably I should clarify
some things more.

Many modern ThinkPads allow you either to delegate fan speed management
to the BIOS or to set it manually. OpenBSD's point of view is that
setting fans manually from userland is a BAD idea. So what the patch
mentioned does is take management away from the BIOS and give it to the OS.

The BIOS does a good job at managing fan speed until it gets too hot.
But when overheating happens, there are two complementary ways to
handle the situation: a) raise the fan speed; b) lower the CPU speed.

(a) is what OpenBSD with the patch mentioned starts to do. The fan is
put in the so-called "disengaged" mode, goes to 6000+ RPM and starts
spinning as if it's trying to make your laptop fly. This could probably
damage the fan, but mine is still there after about two years.

The same functionality exists in the Linux kernel but the code is
(was? Didn't check for a year) disabled; I've actually picked up the
register addresses from there.

(b) is what Windows does. Your video player will start dropping frames
but it'll be more or less quiet around you.

Probably some overheating logic could be added to apmd(8), but this
daemon already wants too many options and thus probably needs
refactoring. Or some default scripts for sensorsd(8) could be
written...

--
  WBR,
  Vadim Zhukov



Re: Shell for PF

2013-02-16 Thread Vadim Zhukov
e a more popular choice in a lot of
>>> situations. Like me personally I have an ESXi server I lease, I'm not
>>> going buy/lease a hardware router/firewall to sit in front of a single
>>> machine with a handful of VMs on it, I use an OpenBSD VM as a router
>>> to the other VMs and it works wonderfully. My provider had a hard time
>>> understanding why I wanted another /29 routed to one of my IP
>>> addresses the sales guy kept saying "it won't work that way you need a
>>> router and all you have is one server" but eventually they made it
>>> happen.
>>
>> This, I must say, is why I decided to answer your message, as I can't
>> imagine or understand why you would like to run a router inside
>> VMWare!?!?!??!
>>
>> And don't say that it is to make it more secure please.
>>
>> You make everything more complex and you were talking about making
>> things simpler!?!?! A real paradox there don't you think?
>>
>> Forget that VMWare will not run on OpenBSD as the host, and you know you
>> will lose a lot of efficiency too?
>>
>> There is a very long list of reasons why you shouldn't run a router in VMWare. Just
>> think about it a little and you will see why it makes no sense really.
>>
>> Looks like everyone wants to run everything in VMWare these days and
>> thinks it's good for everything...
>>
>> May be you would gain by playing with PF more and setup routers for fun
>> with it.
>>
>> Just give it a chance and then after a few weeks you will wonder why
>> Cisco and JunOS don't do their syntax like PF really. (:>
>>
>> Just my $0.02 worth for using both and I see no need to have PF be like IOS.
>>
>> I would be way more in favor to see a company out there somewhere do
>> custom hardware for PF and OpenBSD to compete with Cisco routers for
>> example.
>>
>> Some network cards are pretty good as is, but yes it could be even
>> better and faster.
>>
>> I think if such a company would see the light of day, sooner than you
>> think Cisco would come and buy them flat out to avoid that competition.
>> I would be willing to bet that they would do all they can to make sure
>> such a thing never sees the light of day!
>>
>> But wouldn't this be nice if it would

--
  WBR,
  Vadim Zhukov



Re: Shell for PF

2013-02-17 Thread Vadim Zhukov
2013/2/16 Matthew Weigel :
> On Feb 16, 2013, at 5:28 AM, Vadim Zhukov  wrote:
>
>> 2013/2/16 Fil DiNoto :
>>> But this is all off-topic, I'm not slaming pf in any way i love it. I
>>> was just saying it can't hurt to try to emulate what people know if at
>>> all possible. And the fact is that junos/ios have the market share so
>>> thats what people know.
>
> Sorry, Vadim, for responding to Fil through your email.
>
> I think there is a real risk to trying to present an interface that is 
> reminiscent of other systems, that behave differently and do less. People 
> will begin to expect that pf does the same things - no more, no less. Power 
> that is specific to pf over other systems will be ignored, because people 
> will think that since they are familiar with the interface they know what 
> they're doing.

Yes, there are people who want to know just enough to get the work done
somehow - those don't care what to use and don't want to learn in
general. Probably they aren't the OpenBSD audience, but they hurt other
people, those "advanced" enough to use OpenBSD, too.

Those who don't care about the tools they are actually using WILL
fuck up their use. And hell, yes, I'd prefer a netfilter-based solution
built by a smart man to a PF-based one built by a stupid one. But when
choosing between netfilter-based and PF-based firewalls built by the
same lazy man (I'm NOT talking about the OP himself here)... who cares?

There is no point in caring about what tools others use, until this
hurts you. If others just use netfilter, fine - it's their problem. :)
If you have to use netfilter because others do use PF - it becomes
your problem. A real problem.

Just an example: I had to spend the last few months building a
virtualized environment based on CentOS 6. Well, I could not say it's
complete crap - just about 70% of it. :) I know that building the same
using OpenBSD would take a few weeks (including detailed documentation
of the whole process). But I had to use Linux, because other people
here don't know anything about BSDs at all, and because they really
need Sun JDK 1.6 for some stuff. It's a real pain in the ass: for
example, I had to fight with udev, grub and LVM each time I cloned a
virtual machine; I have to choose between old (CentOS/RHEL repos) and
badly tested (EPEL) packages most of the time, or build stuff on my
own; I have to debug PAM modules to allow logging in using 25-year-old
technologies because the "official HOWTOs" are not valid for the given OS
and the tools provided with the distro fail silently, and even then it doesn't
work the way I want...

But people don't want a thing that Just Works(TM) if they could not fix
it later themselves (though I suspect they could not fix this
Linux-based infrastructure either). So many of us have to build
Linux-based environments for others and use OpenBSD for ourselves. A
bit frustrating, but it's better than nothing. :)

And let's see the problem from the other side. Remember school. At
first you learn Newton's physics, where you could just accelerate
and run as fast as light and even faster. And only then, a few
years later, Einstein's theory comes.

Don't think about a shell-like interface for PF as the right
solution for the final product - such thinking IS wrong, I totally
agree. But remember, when people _really_ want some more
functionality, they _will_ learn. They just need an incentive.

Straightforwardly making the people around you learn the whole of PF at once is
almost the same thing as trying to make a first grader learn
relativity theory. I've made enough such mistakes already, trust me.
:) And I don't want to say those people are stupid at all, they just
could not comprehend as quickly as you or I may want them to.

> Presenting a different interface is a FANTASTIC way to communicate 
> 'difference' to the user. It forces them to  think about the difference 
> sooner, rather than when things aren't working as expected (or after they've 
> bought more equipment on top of the OpenBSD firewall because "JunOS can't do 
> that").
>
> If that means people don't learn pf because they realize very quickly that 
> it's unlike anything they know... That is a SERVICE being provided. They knew 
> they didn't have the time to figure it out before they got ass-deep into it.

Everyone makes mistakes. Everyone sometimes fucks things up. I do.
:) If you want those to happen rarely rather than often, set up the
appropriate process: give people as much info as they can handle
at the given moment, but not more - or they won't get any info at all.

Let them know that there is PF. Just a few words. Then show some
things they use (or want to use) in netfilter/DamnSwitchOS/etc. that
are e

Re: Should I be tuning relayd?

2013-02-26 Thread Vadim Zhukov
On 26.02.2013 at 20:06, "Peter Farmer" wrote:
>
> Hi All,
>
> Whilst load testing my website (being balanced via relayd) I see this from
> time to time (when running "relayd -d"):
>
> relay www, session 2410 (1 active), 0, 195.143.230.243 -> 10.201.0.7:80, done
> relay www, session 3479 (1 active), 0, 195.143.230.242 -> 10.201.0.6:80, done
> relay www, session 2411 (1 active), 0, 195.143.230.243 -> 10.201.0.6:80, done
> relay www, session 3480 (1 active), 0, 195.143.230.242 -> 10.201.0.7:80, done
> host 10.201.0.6, check http code (0ms), state up -> down, availability 92.31%
> host 10.201.0.7, check http code (0ms), state up -> down, availability 84.62%
> relay www, session 2412 (1 active), 0, 195.143.230.242 -> :80, session failed
> relay www, session 2413 (1 active), 0, 195.143.230.243 -> :80, session failed
> relay www, session 2414 (1 active), 0, 195.143.230.242 -> :80, session failed
>
> I also periodically see:
>
> relay www, session 1609 (1 active), 0, 195.143.230.243 -> 10.201.0.6:80, session failed
>
> I know that the webservers are available because I also have tests
> running against each of the webservers and can see they are available all
> the time.
>
> Should I be adding something to relayd.conf, or should I be tuning OpenBSD
> in any way? There are typically between 6000 - 9000 states in the state
> table during the test.

And the default PF limit is 1. Too close to be safe. Try to set it in
pf.conf to, e.g., 3 first.

> The ab command I am running is:
>
> ab -v -c100 -n10 http://beta.digidayoff.com/
>
> My relayd conf is:
>
> ext_addr="10.201.0.3"
> www1="10.201.0.6"
> www2="10.201.0.7"
>
> log all
>
> table  { $www1 $www2 }
> relay www {
> listen on $ext_addr port http
> forward to  port http mode roundrobin check http "/" code 200
> }
>
>
> My pf.conf is:
>
> set skip on lo
> anchor "relayd/*"
> pass quick on em1 proto pfsync keep state (no-sync)
> pass on em1 proto carp keep state
> pass# to establish keep-state
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010
>
>
> dmesg:
>
> OpenBSD 5.2 (GENERIC) #309: Wed Aug  1 09:58:55 MDT 2012
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> real mem = 535756800 (510MB)
> avail mem = 499208192 (476MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (268 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 09/21/2011
> bios0: VMware, Inc. VMware Virtual Platform
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
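As an added example (not from the thread), the check behind Vadim's reply: how close the state table is to its hard limit while a load test like the one above runs. It parses constructed `pfctl -si` and `pfctl -sm` output (the numbers are made up to fall in the 6000-9000 state range quoted in the question) and turns the observed peak into a `set limit states` line; the warning threshold and the 3x headroom factor are this example's assumptions, not anything relayd or pf prescribes.

```python
import re

# Constructed `pfctl -si` output: only the "current entries" line matters here.
PFCTL_SI = """\
Status: Enabled for 0 days 00:41:12           Debug: err

State Table                          Total             Rate
  current entries                     8412
  searches                         5123456          2072.1/s
  inserts                           233041            94.3/s
  removals                          224629            90.9/s
"""

# Constructed `pfctl -sm` output: the "states" hard limit is the one that
# makes new connections fail once the table is full.
PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000
"""


def parse_state_usage(si_output, sm_output):
    """Return (current_states, states_hard_limit) from pfctl -si / -sm text."""
    cur = re.search(r"^\s*current entries\s+(\d+)", si_output, re.M)
    lim = re.search(r"^states\s+hard limit\s+(\d+)", sm_output, re.M)
    if not cur or not lim:
        raise ValueError("could not find state counters in pfctl output")
    return int(cur.group(1)), int(lim.group(1))


def state_headroom(current, limit, warn_at=0.8):
    """Fraction of the state table in use, and whether it is at or above
    the (assumed) warning fraction warn_at."""
    used = current / limit
    return round(used, 3), used >= warn_at


def suggest_limit(peak_states, factor=3):
    """pf.conf line sized at `factor` times the observed peak, rounded up to
    the next multiple of 10000, so closed-but-lingering states from a burst
    of short HTTP connections do not push the table to its hard limit."""
    wanted = peak_states * factor
    rounded = -(-wanted // 10000) * 10000   # ceiling to a multiple of 10000
    return f"set limit states {rounded}"


if __name__ == "__main__":
    current, limit = parse_state_usage(PFCTL_SI, PFCTL_SM)
    used, warn = state_headroom(current, limit)
    print(f"states in use: {current}/{limit} ({used:.1%}){'  WARNING' if warn else ''}")
    if warn:
        print("suggested pf.conf line:", suggest_limit(current))
```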

Re: Can't cleanly umount a usb stick

2013-03-18 Thread Vadim Zhukov
2013/3/18 STeve Andre' :
> I've just run into something I can't explain.  Likely it's not a
> bug, but puzzling nonetheless.
>
>I normally run KDE, and then thunderbird, firefox and chrome
> as well as a bunch of other stuff.  Fine, mostly.
>
>I frequently mount a 32G usb stick to stuff my 'reagents' software
> on, for keeping Windows sheep (mostly) safe.  To do this I mount the
> stick on /dos, and copy stuff to it.
>
>Only today and maybe a couple of other times,  I finished copying
> data to /dos and did umount /dos, and got a device busy message.
> Only the one xterm touched /dos, from the mount, to the copy, to
> the umount.  Last time this happened I did a umount -f as I needed
> the data.  This time I went hunting and an  fstat | grep  doc revealed
> that firefox had /dos?  *I* didn't do anything.
>
> Any ideas as to what's going on, or things to check?  I am puzzled.

Probably some time ago you saved something from Firefox directly to
/dos (or a subfolder of it). Then Firefox remembered the last folder you
were using, and opens it on start. Save something to a different
folder. Probably it's also a good idea to avoid being asked about the
destination folder at all. I use this setting personally to avoid
having a bunch of extra files spreading everywhere: things I really
need get moved somewhere else, and then I just wipe the directory (or
rather use a subdir in /tmp).

--
  WBR,
  Vadim Zhukov



Re: in current: chrootdirectory in ssh (cannot stat /usr/libexec/sftp-server)

2013-04-08 Thread Vadim Zhukov
On 08.04.2013 at 11:13, "Didier Wiroth" wrote:
>
> Hello,
> (running current with OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012)
>
> I'm trying to set up ChrootDirectory in sshd_config as a test configuration
> without success.
>
> Here is a snip from my sshd_config
> 
> #(this is the default line)
> Subsystem   sftp    /usr/libexec/sftp-server
>
> #added the following match block
> Match Group remote-sync, Address 127.0.0.1
> ChrootDirectory /home/chroot/%u
> ForceCommand internal-sftp -f LOCAL0 -l INFO
> AllowAgentForwarding no
> AllowTcpForwarding no
> GatewayPorts no
> X11Forwarding no
> ---
>
> The home directory /home/chroot/sync is owned by root:wheel.
>
> When I try to connect I get the following error:
> cannot stat /usr/libexec/sftp-server: No such file or directory
>
> What am I missing?
> What is wrong with my test config?

It's obvious that the global configuration parameter is involved. That means
that your Match rule doesn't work.

> Thanks for any input!!!
> Didier
>
> See the entire output here:
> $ sudo /usr/sbin/sshd -D -d -p  -f /etc/ssh/sshd_config
> debug1: sshd version OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: read PEM private key done: type ECDSA
> debug1: private host key: #2 type 3 ECDSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-D'
> debug1: rexec_argv[2]='-d'
> debug1: rexec_argv[3]='-p'
> debug1: rexec_argv[4]=''
> debug1: rexec_argv[5]='-f'
> debug1: rexec_argv[6]='/etc/ssh/sshd_config'
> debug1: Bind to port  on 0.0.0.0.
> Server listening on 0.0.0.0 port .
> debug1: Bind to port  on ::.
> Server listening on :: port .
> debug1: fd 5 clearing O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from 127.0.0.1 port 31875
> debug1: Client protocol version 2.0; client software version OpenSSH_6.2
> debug1: match: OpenSSH_6.2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.2
> debug1: permanently_set_uid: 27/27 [preauth]
> debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
> debug1: SSH2_MSG_KEXINIT sent [preauth]
> debug1: SSH2_MSG_KEXINIT received [preauth]
> debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com
> z...@openssh.com [preauth]
> debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com
> z...@openssh.com [preauth]
> debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
> debug1: SSH2_MSG_NEWKEYS sent [preauth]
> debug1: expecting SSH2_MSG_NEWKEYS [preauth]
> debug1: SSH2_MSG_NEWKEYS received [preauth]
> debug1: KEX done [preauth]
> debug1: userauth-request for user sync service ssh-connection method none
> [preauth]
> debug1: attempt 0 failures 0 [preauth]
> debug1: user sync matched group list remote-sync, at line 124
> debug1: connection from 127.0.0.1 matched 'Address 127.0.0.1' at line 124
> debug1: userauth_banner: sent [preauth]
> debug1: userauth-request for user sync service ssh-connection method
> publickey [preauth]
> debug1: attempt 1 failures 0 [preauth]
> debug1: test whether pkalg/pkblob are acceptable [preauth]
> debug1: temporarily_use_uid: 1001/999 (e=0/0)
> debug1: trying public key file /home/chroot/sync/.ssh/authorized_keys
> debug1: fd 4 clearing O_NONBLOCK
> debug1: matching key found: file /home/chroot/sync/.ssh/authorized_keys,
> line 3
> Found matching RSA key: c9:1b:a7:00:9c:52:08:44:1b:2f:7e:28:94:f4:e0:af
> debug1: restore_uid: 0/0
> Postponed publickey for sync from 127.0.0.1 port 31875 ssh2 [preauth]
> debug1: userauth-request for user sync service ssh-connection method
> publickey [preauth]
> debug1: attempt 2 failures 0 [preauth]
> debug1: temporarily_use_uid: 1001/999 (e=0/0)
> debug1: trying public key file /home/chroot/sync/.ssh/authorized_keys
> debug1: fd 4 clearing O_NONBLOCK
> debug1: matching key found: file /home/chroot/sync/.ssh/authorized_keys,
> line 3
> Found matching RSA key: c9:1b:a7:00:9c:52:08:44:1b:2f:7e:28:94:f4:e0:af
> debug1: restore_uid: 0/0
> debug1: ssh_rsa_verify: signature correct
> Accepted publickey for sync from 127.0.0.1 port 31875 ssh2
> debug1: monitor_child_preauth: sync has been authenticated by privileged
> process
> debug1: Enabling compression at level 6. [preauth]
> debug1: monitor_read_log: child log fd closed
> User child is on pid 2371
> Changed root directory to "/home/chroot/sync"
> debug1: Entering interactive session for SSH2.
> debug1: server_init_dispatch_20
> debug1: server_input_channel_open: ctype session rchan 1 win 2097152 max
> 32768
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug1: session_new: session 0
> debu

Re: FAQ 8.1 - I forgot my root password...

2013-04-11 Thread Vadim Zhukov
2013/4/11 f5b :
> FAQ 8.1 - I forgot my root password...
>
> http://www.openbsd.org/faq/faq8.html#LostPW
>
> ...
> re:
> Mount the partitions. Both "/" and /usr will need to be mounted read-write. 
> Assuming they are on separate partitions (as they should be), the following 
> will work:
>
> # fsck -p / && mount -uw /
> # fsck -p /usr && mount /usr

Why do you need to mount /usr read-write for updating password, ever?
Read-only is enough, no?

--
  WBR,
  Vadim Zhukov



Re: ACPI hack for temperature control

2013-05-01 Thread Vadim Zhukov
2013/5/2 STeve Andre' 

> Can someone point me to the proper patch for ACPI so I don't reboot
> any more?  Thanks.
>

Do you mean disabling acpitz(4) when it does the Wrong Thing, or the
ThinkPad-specific patch I was posting some time ago (and still want to
incorporate, but after 64-bit time_t)?

--
  WBR,
  Vadim Zhukov



Re: qt4-4.8.6p0

2015-05-07 Thread Vadim Zhukov
On 07 May 2015 at 4:46, user "Stan Gammons" wrote:
>
> Is qt4-4.8.6p0 broken in 5.7 release?  I tried to install KDE4 using
http://ftp.openbsd.org/pub/OpenBSD/5.7/packages/amd64/ as the package path
and when it gets to 98 percent while extracting qt4, it gets a fatal error
stating [lib/qt4/translations/qt_de.qml]: Premature end of archive. It
states a partial installation recorded as partial-qt4-4.8.6p0.2 at
/usr/libdata/perl5/OpenBSD/PkgAdd.pm line 817

Try a mirror. Actually, using mirrors is the recommended way.

Check if you can install other big packages; maybe some software between
you and the Internet, like an HTTP caching server, has problems. Try to get
this file separately and install it locally, by pointing pkg_add directly
at it.

--
Vadim Zhukov



Re: doas, keepenv PATH segfault

2015-07-28 Thread Vadim Zhukov
2015-07-28 12:34 GMT+03:00 Zé Loff :
> Hi all
>
> On yesterday's amd64 -current (#1201), if PATH is added to the keepenv
> list in doas.conf, e.g.
>
>   permit keepenv { ENV PATH PKG_PATH PS1 SSH_AUTH_SOCK } :wheel as root
>
> when attempting to run an inexistent command, doas segfaults instead of
> exiting with "command not found" and retval 1.
>
> I actually have no idea if "keepenv PATH" makes any sense, I just had a
> couple of scripts in ~/bin that require sudo/doas -- but even if it's a
> stupid idea, segfaulting didn't seem right.

Hi,

thank you for the report. I've just committed the fix; please check
that your use case is happy now.

--
  WBR,
  Vadim Zhukov



Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Vadim Zhukov
2015-07-30 3:02 GMT+03:00 trondd :
> I have my own CA for home use and my work also has their own CA and
> intermediate certificates.  What is the correct way of maintaining the
> certificates so that the system always knows about them?  I've been
> appending them to /etc/ssl/cert.pem but it gets replaced every update (not
> even maintained with sysmerge since it comes for libcrypto and not the etc
> package).
>
> Is there a place to put them that is automatically read in addition to
> cert.pem?

It depends on the software you're using, actually. Qt 4 and 5 look at the
whole of /etc/ssl (without subdirs) for certificates, for example.

--
  WBR,
  Vadim Zhukov



Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Vadim Zhukov
2015-07-30 20:16 GMT+03:00 Stuart Henderson :
> On 2015-07-30, Ted Unangst  wrote:
>> Michael McConville wrote:
>>> > Another meat could be, why you're using self-signed certificates?
>>> > Given the plethora of options for getting free (valid) certificates.
>>>
>>> He mentioned in his original email that it's a requirement where he
>>> works. That's common, from what I hear, although probably not the
>>> safest.
>>
>> I would consider a cert signed by somebody I actually trust (me) safer than
>> delegating that trust to 300 strangers.
>
> I think cert.pem should move to the etc set, so you can remove
> CAs from the file (as well as add new ones) without risk of those
> changes getting reverted.
>
> Downside: CA changes will then only take effect after running
> sysmerge. Is that a problem?

I think it is. This is the same as with /etc/examples: the less stuff to
merge, the fewer errors happen.

I'd ask another question: why can't software use /etc/ssl/myown.pem,
or /etc/ssl/*.pem, ever, instead of /etc/ssl/cert.pem? This will make
"trust" and "untrust" operations as simple as possible. No one in a
healthy mind would place junk in /etc/ssl anyway, right?

Or we may ship /etc/ssl/base.pem in base tgz, and install
/etc/ssl/cert.pem -> base.pem at installation time. This way things
will work by default, and if you need to have your own trust path, you
just change symlink. What do you think?


> Index: base/mi
> ===
> RCS file: /cvs/src/distrib/sets/lists/base/mi,v
> retrieving revision 1.716
> diff -u -p -r1.716 mi
> --- base/mi 16 Jul 2015 21:28:06 -  1.716
> +++ base/mi 30 Jul 2015 17:14:15 -
> @@ -221,7 +221,6 @@
>  ./etc/skel/.ssh
>  ./etc/ssh
>  ./etc/ssl
> -./etc/ssl/cert.pem
>  ./etc/ssl/lib
>  ./etc/ssl/private
>  ./etc/systrace
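Review bot: dropping ./etc/ssl/cert.pem from base/mi while ./etc/ssl, ./etc/ssl/lib and ./etc/ssl/private stay in the base list splits the trust store across two sets, so a host with base extracted but the etc set not yet applied has an /etc/ssl directory with no bundle in it at all; the commit message should state that the two list changes are meant to land together, and anything that verifies certificates between extracting base and applying etc (the upgrade path as much as a fresh install) needs checking before this goes in.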
> Index: etc/mi
> ===
> RCS file: /cvs/src/distrib/sets/lists/etc/mi,v
> retrieving revision 1.199
> diff -u -p -r1.199 mi
> --- etc/mi  3 Jul 2015 22:52:52 -   1.199
> +++ etc/mi      30 Jul 2015 17:14:15 -
> @@ -42,6 +42,7 @@
>  ./etc/spwd.db
>  ./etc/ssh/ssh_config
>  ./etc/ssh/sshd_config
> +./etc/ssl/cert.pem
>  ./etc/ssl/openssl.cnf
>  ./etc/ssl/x509v3.cnf
>  ./etc/syslog.conf
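Review bot: the `+++ etc/mi      30 Jul 2015 17:14:15 -` header carries extra spaces compared with the `---` line above it, which suggests the diff was reflowed by the mailer; regenerate it with cvs diff before committing so it applies cleanly. The `./etc/ssl/cert.pem` entry itself is in sorted position between ./etc/ssh/sshd_config and ./etc/ssl/openssl.cnf, matching the file's ordering.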


--
  WBR,
  Vadim Zhukov



Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Vadim Zhukov
2015-07-31 0:17 GMT+03:00 Stuart Henderson :
> On 2015-07-30, Vadim Zhukov  wrote:
>> 2015-07-30 20:16 GMT+03:00 Stuart Henderson :
>>> On 2015-07-30, Ted Unangst  wrote:
>>>> Michael McConville wrote:
>>>>> > Another meat could be, why you're using self-signed certificates?
>>>>> > Given the plethora of options for getting free (valid) certificates.
>>>>>
>>>>> He mentioned in his original email that it's a requirement where he
>>>>> works. That's common, from what I hear, although probably not the
>>>>> safest.
>>>>
>>>> I would consider a cert signed by somebody I actually trust (me) safer than
>>>> delegating that trust to 300 strangers.
>>>
>>> I think cert.pem should move to the etc set, so you can remove
>>> CAs from the file (as well as add new ones) without risk of those
>>> changes getting reverted.
>>>
>>> Downside: CA changes will then only take effect after running
>>> sysmerge. Is that a problem?
>>
>> I think it is. This is the same as with /etc/examples: the less stuff to
>> merge, the fewer errors happen.
>
> cert.pem is pretty much a required file, we can't just move it to examples/.
> For people who don't touch it, it's a simple no-touch sysmerge update.
> For people who do, having sysmerge ask about merging it is a lot safer
> than just overwriting.

No, I didn't want to move /etc/ssl/cert.pem to /etc/examples. I
think that its current contents could be provided in another way...

>> I'd ask another question: why can't software use /etc/ssl/myown.pem,
>> or /etc/ssl/*.pem, ever, instead of /etc/ssl/cert.pem? This will make
>> "trust" and "untrust" operations as simple as possible. No one in a
>> healthy mind would place junk in /etc/ssl anyway, right?
>
> Some software allows you to set a different certificate file; other
> software doesn't. Patching everything in ports that verifies SSL certs
> to allow the user to specify an alternative file would just be insane.

Hm-m, I always tried to live in a separate room with SSL beasts. Now I
realize that I saved a lot of nerves myself, and as a result I'm
living in a pink pony world. Thanks for getting back to the ground.

I thought that there was some "default" in OpenSSL (and its
descendants) that programs tend to use. Now I realize there is no such
place. Okay, this variant gets busted.

> And of course then there's no single way to tell programs to use the
> alternative file; "ftp -S cafile=/path/to/cert.pem",
> "env SSL_CERT_FILE=/path/to/cert.pem lynx"
>
>> Or we may ship /etc/ssl/base.pem in base tgz, and install
>> /etc/ssl/cert.pem -> base.pem at installation time. This way things
>> will work by default, and if you need to have your own trust path, you
>> just change symlink. What do you think?
>
> That doesn't really help. One common scenario is wanting to add a
> single CA to the standard file, but otherwise pick up updates (e.g. with
> sysmerge), this method doesn't allow that.

Well, I see four scenarios:

1. Using the defaults supplied with OpenBSD only. Typical for home/personal use.

2. Use the defaults supplied with OpenBSD, and one or more additional
CAs. Typical for corporate use.

3. Use a personal set of CAs. Usually means either white- or
blacklisting entries from the "base" certs pack.

After more thinking I see that symlink idea is not good. But we can do
some other thing:

1. Have "base" certs installed into /etc/examples/certs.pem.
2. Additional certs, if any, should go into /etc/ssl/local.pem.
3. Have sysmerge handle certs specially: comparing not (old)
/etc/examples/cert.pem with /etc/ssl/cert.pem, but
/etc/examples/cert.pem+/etc/ssl/local.pem vs. /etc/ssl/cert.pem. In
case they do match, sysmerge would regenerate /etc/ssl/cert.pem by
concatenating (new) /etc/examples/cert.pem and /etc/ssl/local.pem.

What do you think?

--
  WBR,
  Vadim Zhukov
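The three-step handling proposed in the message above, sketched as an added example (written for this page; it is not Vadim's code and not OpenBSD's sysmerge(8)). File names follow the proposal, the layout is a constructed copy under a temporary directory, and short constructed strings stand in for real PEM blocks.

```shell
#!/bin/sh
# Added example: the cert.pem handling proposed in the thread, sketched in
# sh. Not Vadim's code and not OpenBSD's sysmerge(8); file names follow the
# proposal, the directory layout is a constructed copy under a temp dir.
set -eu

# concat_pem BASE LOCAL: write the "base + local" bundle to stdout.
# local.pem is optional in the proposal ("additional certs, if any"),
# so a missing file simply contributes nothing.
concat_pem() {
    cat "$1"
    [ -f "$2" ] && cat "$2"
    return 0
}

# merge_certs OLD_BASE NEW_BASE LOCAL TARGET
# Step 3 of the proposal: rebuild TARGET from NEW_BASE + LOCAL only when
# TARGET still equals OLD_BASE + LOCAL, i.e. nobody hand-edited it.
# Returns 0 when TARGET was regenerated, 1 when it was left alone.
merge_certs() {
    old_base=$1
    new_base=$2
    local_pem=$3
    target=$4
    expected=$(mktemp)
    concat_pem "$old_base" "$local_pem" > "$expected"
    if cmp -s "$expected" "$target"; then
        concat_pem "$new_base" "$local_pem" > "$target"
        rm -f "$expected"
        return 0
    fi
    rm -f "$expected"
    return 1
}

# demo: run the three scenarios from the thread against constructed files.
# Prints one word per scenario (1, 2, 3 in that order): "regenerated",
# "kept", or "broken" if the resulting cert.pem is not what the scenario
# requires.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/examples" "$root/etc/ssl"
    old="$root/examples-cert.pem.old"   # what the previous release shipped
    new="$root/etc/examples/cert.pem"   # what the new release ships
    loc="$root/etc/ssl/local.pem"       # site-local CA(s)
    tgt="$root/etc/ssl/cert.pem"        # the bundle programs actually read

    # Constructed stand-ins for PEM blocks; upstream added one CA.
    printf 'BASE-CA-1\nBASE-CA-2\n' > "$old"
    printf 'BASE-CA-1\nBASE-CA-2\nBASE-CA-3\n' > "$new"
    printf 'CORP-ROOT-CA\n' > "$loc"

    # Scenario 2: defaults plus a local CA, cert.pem untouched -> rebuilt,
    # and the new upstream CA must now be present.
    concat_pem "$old" "$loc" > "$tgt"
    if merge_certs "$old" "$new" "$loc" "$tgt"; then r2=regenerated; else r2=kept; fi
    grep -q '^BASE-CA-3$' "$tgt" || r2=broken

    # Scenario 3: admin blacklisted BASE-CA-1 by hand -> must not be clobbered.
    printf 'BASE-CA-2\nCORP-ROOT-CA\n' > "$tgt"
    if merge_certs "$old" "$new" "$loc" "$tgt"; then r3=regenerated; else r3=kept; fi
    grep -q '^BASE-CA-1$' "$tgt" && r3=broken

    # Scenario 1: defaults only, no local.pem at all -> rebuilt.
    rm -f "$loc"
    cp "$old" "$tgt"
    if merge_certs "$old" "$new" "$loc" "$tgt"; then r1=regenerated; else r1=kept; fi
    grep -q '^BASE-CA-3$' "$tgt" || r1=broken

    rm -rf "$root"
    echo "$r1 $r2 $r3"
}
```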



Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Vadim Zhukov
2015-07-31 0:48 GMT+03:00 Vadim Zhukov :
> 2015-07-31 0:17 GMT+03:00 Stuart Henderson :
>> On 2015-07-30, Vadim Zhukov  wrote:
>>> 2015-07-30 20:16 GMT+03:00 Stuart Henderson :
>>>> On 2015-07-30, Ted Unangst  wrote:
>>>>> Michael McConville wrote:
>>>>>> > Another meat could be, why you're using self-signed certificates?
>>>>>> > Given the plethora of options for getting free (valid) certificates.
>>>>>>
>>>>>> He mentioned in his original email that it's a requirement where he
>>>>>> works. That's common, from what I hear, although probably not the
>>>>>> safest.
>>>>>
>>>>> I would consider a cert signed by somebody I actually trust (me) safer 
>>>>> than
>>>>> delegating that trust to 300 strangers.
>>>>
>>>> I think cert.pem should move to the etc set, so you can remove
>>>> CAs from the file (as well as add new ones) without risk of those
>>>> changes getting reverted.
>>>>
>>>> Downside: CA changes will then only take effect after running
>>>> sysmerge. Is that a problem?
>>>
>>> I think it is. This is the same as with /etc/examples: the less stuff to
>>> merge, the fewer errors happen.
>>
>> cert.pem is pretty much a required file, we can't just move it to examples/.
>> For people who don't touch it, it's a simple no-touch sysmerge update.
>> For people who do, having sysmerge ask about merging it is a lot safer
>> than just overwriting.
>
> No, I didn't want to move /etc/ssl/cert.pem to /etc/examples. I
> think that its current contents could be provided in another way...
>
>>> I'd ask another question: why can't software use /etc/ssl/myown.pem,
>>> or /etc/ssl/*.pem, ever, instead of /etc/ssl/cert.pem? This will make
>>> "trust" and "untrust" operations as simple as possible. No one in a
>>> healthy mind would place junk in /etc/ssl anyway, right?
>>
>> Some software allows you to set a different certificate file; other
>> software doesn't. Patching everything in ports that verifies SSL certs
>> to allow the user to specify an alternative file would just be insane.
>
> Hm-m, I always tried to live in a separate room with SSL beasts. Now I
> realize that I saved a lot of nerves myself, and as a result I'm
> living in a pink pony world. Thanks for getting back to the ground.
>
> I thought that there was some "default" in OpenSSL (and its
> descendants) that programs tend to use. Now I realize there is no such
> place. Okay, this variant gets busted.
>
>> And of course then there's no single way to tell programs to use the
>> alternative file; "ftp -S cafile=/path/to/cert.pem",
>> "env SSL_CERT_FILE=/path/to/cert.pem lynx"
>>
>>> Or we may ship /etc/ssl/base.pem in base tgz, and install
>>> /etc/ssl/cert.pem -> base.pem at installation time. This way things
>>> will work by default, and if you need to have your own trust path, you
>>> just change symlink. What do you think?
>>
>> That doesn't really help. One common scenario is wanting to add a
>> single CA to the standard file, but otherwise pick up updates (e.g. with
>> sysmerge), this method doesn't allow that.
>
> Well, I see four scenarios:

Those should be "three", of course. :)

> 1. Using the defaults supplied with OpenBSD only. Typical for home/personal 
> use.
>
> 2. Use the defaults supplied with OpenBSD, and one or more additional
> CAs. Typical for corporate use.
>
> 3. Use personal set of CAs. Usually means either white-, or
> blacklisting entries from "base" certs pack.
>
> After more thinking I see that symlink idea is not good. But we can do
> some other thing:
>
> 1. Have "base" certs installed into /etc/examples/certs.pem.
> 2. Additional certs, if any, should go into /etc/ssl/local.pem.
> 3. Have sysmerge handle certs specially: comparing not (old)
> /etc/examples/cert.pem with /etc/ssl/cert.pem, but
> /etc/examples/cert.pem+/etc/ssl/local.pem vs. /etc/ssl/cert.pem. In
> case they do match, sysmerge would regenerate /etc/ssl/cert.pem by
> concatenating (new) /etc/examples/cert.pem and /etc/ssl/local.pem.
>
> What do you think?

--
  WBR,
  Vadim Zhukov



Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Vadim Zhukov
2015-07-31 3:15 GMT+03:00 Joel Rees :
> 2015/07/31 6:49 "Vadim Zhukov" :
>>
>> [...]
>>
>> Well, I see four scenarios:
>>
>> 1. Using the defaults supplied with OpenBSD only. Typical for
> home/personal use.
>>
>> 2. Use the defaults supplied with OpenBSD, and one or more additional
>> CAs. Typical for corporate use.
>>
>> 3. Use personal set of CAs. Usually means either white-, or
>> blacklisting entries from "base" certs pack.
>>
>> After more thinking I see that symlink idea is not good. But we can do
>> some other thing:
>>
>> 1. Have "base" certs installed into /etc/examples/certs.pem.
>> 2. Additional certs, if any, should go into /etc/ssl/local.pem.
>> 3. Have sysmerge handle certs specially: comparing not (old)
>> /etc/examples/cert.pem with /etc/ssl/cert.pem, but
>> /etc/examples/cert.pem+/etc/ssl/local.pem vs. /etc/ssl/cert.pem. In
>> case they do match, sysmerge would regenerate /etc/ssl/cert.pem by
>> concatenating (new) /etc/examples/cert.pem and /etc/ssl/local.pem.
>>
>> What do you think?
>
> I know my opinions don't count much here, but it seems to me that
> mishandled certificates are such a huge cash cow that no one wants to do
> them right. Until the cash cow dies, anything we try now is likely to be
> wrong.
>
> With that caveat, try your ideas on your own system. You'll need to add
> some scripts of your own to extend what sysmerge and other tools do. Post
> to the list about how it works for you over the next year or so.
>
> That's my suggestion.

Discussed off-list. There was a misunderstanding that was (I hope) fixed.

--
  WBR,
  Vadim Zhukov



Re: wireshark illegal instruction on older systems

2016-03-19 Thread Vadim Zhukov
2016-03-15 21:33 GMT+03:00 Stuart Henderson :
> On 2016-03-15, Peter Kay  wrote:
>> It's a MOVSD SSE instruction. Tshark is ok. I can cope with that or tcpdump
>> if need be, but here's the output :
>
> I think this variant of MOVSD might be AVX?
>
>> Starting program: /usr/local/bin/wireshark
>> warning: Lowest section in /usr/local/lib/libicudata.so.9.0 is .hash at
>> 0154
>>
>> Program received signal SIGILL, Illegal instruction.
>> 0x06d685fb in _GLOBAL__sub_I_qguiapplication.cpp () from
>> /usr/local/lib/qt5/./libQt5Gui.so.1.1
>
> Looks like it's in Qt5 then. Wireshark still has the "legacy" gtk GUI
> (it's in a subpackage), you could try that instead for now.
>
> Looks like Qt autodetects at build time, we probably want to configure
> on i386 with no-avx, no-avx2, no-sse4.1, no-sse4.2, maybe no-ssse3.
> (SSE2 is probably reasonable to expect for Qt5 apps, it's present on
> Netburst, Pentium-M, Atom, C7 etc. which seems a sane cut-off point
> for heavy GUI apps).

Yeah. I've patched qmake files, but missed those bits. Modern amd64
makes you blind sometimes. :(

--
  WBR,
  Vadim Zhukov



Re: jabber client with conference history saving

2016-04-18 Thread Vadim Zhukov
2016-04-17 22:42 GMT+03:00 Joseph Oficre :
> Hello, @misc.
> Can someone give me some advice about an XMPP client on OpenBSD? I'm using Psi
> for now, but it doesn't save message history properly (errors only).
> So I want to try another one.
> Doesn't matter if console or GUI, just with chatroom/private chat history
> saving ability.
>
> OpenBSD-current.

Psi is actually one of the most powerful XMPP clients. And if it
doesn't save history for you, then something is wrong: I've just
checked, it works fine here, including UTF-8 stuff.

--
  WBR,
  Vadim Zhukov



Re: jabber client with conference history saving

2016-04-18 Thread Vadim Zhukov
2016-04-18 22:47 GMT+03:00 Joseph Oficre :
> Hm, I have just the standard Psi package installation. In
> ~/.local/share/psi/profiles/default/history/some_conference.history I can
> see only "  |2015-07-05T02:53:35|4|from|N---|Resource constraint.\nThe
> server or recipient lacks the system resources necessary to service the
> request.\nTraffic rate limit is exceeded\n--\n " that kind of
> messages...

What happens if you stop Psi, rename both .config/psi and
.local/share/psi folders, and then start Psi again? Psi should ask
you, so set up one account and check if history starts being saved
okay.

If history now gets saved successfully, check your program & account
settings carefully.

If history still contains only error notifications... Well, maybe
switching to another client won't be such a bad idea. In theory I should
recommend Kopete, but I won't, since it doesn't work well
under cwm at least (probably a Qt4 bug, but still).

> 2016-04-18 21:42 GMT+03:00 Vadim Zhukov :
>>
>> 2016-04-17 22:42 GMT+03:00 Joseph Oficre :
>> > Hello, @misc.
>> > Can someone give me some advice about an XMPP client on OpenBSD? I'm using Psi
>> > for now, but it doesn't save message history properly (errors only).
>> > So I want to try another one.
>> > Doesn't matter if console or GUI, just with chatroom/private chat
>> > history
>> > saving ability.
>> >
>> > OpenBSD-current.
>>
>> Psi is actually one of the most powerful XMPP clients. And if it
>> doesn't save history for you, then something is wrong: I've just
>> checked, it works fine here, including UTF-8 stuff.

--
  WBR,
  Vadim Zhukov



Re: xlock permission problem

2016-07-17 Thread Vadim Zhukov
2016-07-17 21:31 GMT+03:00 Jyri Hovila [iki.fi] :
> Hello, world!
>
> I'm having an issue with xlock being unable to unlock a locked session.
>
> I'm running a CURRENT version of OpenBSD on amd64 architecture.
>
> I can lock my X session with xlock just fine, but when I enter my
> password the unlock, xlock says the password is invalid. However, the
> password I've entered (several times) is 100% correct.
>
> Authlog provides the following hints:
>
> ==
> xlock[82700]: Start: myusername, myusername, :0
> xlock[82700]: staff: getting class information: Permission denied
> xlock[82700]: daemon: getting classinformation: Permission denied
> xlock[82700]: xlock: failed unlock attempt on user myusername
> xlock[82700]: xlock: xio_error
> xlock[82700]: Stop: myusername, myusername, :0, 6m 5s
> ==
>
> I've googled thoroughly, checked the permissions of /etc/group etc, but
> have not found either a solution nor any hints on how to further
> diagnose the problem.
>
> Any ideas, anyone?

Check the following:

- you have root:auth mode rwxr-sr-x set for /usr/X11R6/bin/xlock;
- you do NOT have nosuid option set for /usr/X11R6.

--
  WBR,
  Vadim Zhukov



Re: xlock permission problem

2016-07-17 Thread Vadim Zhukov
2016-07-17 22:20 GMT+03:00 Jyri Hovila [iki.fi] :
> Hi, and thanks for your time!
>
> On Sun, 17 Jul 2016 21:52:53 +0300
> Vadim Zhukov  wrote:
>
>> Check the following:
>>
>> - you have root:auth mode rwxr-sr-x set for /usr/X11R6/bin/xlock;
>
> # ls -la /usr/X11R6/bin/xlock
> -rwxr-sr-x  1 root  auth  2970216 Jun  2 15:00 /usr/X11R6/bin/xlock

Jun 2... is your base in sync? I mean, does userland correspond to the kernel
and to xenocara?

>> - you do NOT have nosuid option set for /usr/X11R6.
>
> # mount
> /dev/sd1g on /usr/X11R6 type ffs (local, nodev)
>
> Still a mystery. =o

Then check what owner/group/rights the /etc/*passwd and /etc/login.conf
files, and the /usr/libexec/auth directory, have. They basically should be
(according to /etc/mtree/special):

-rw-r--r--  1 root  wheel   2770 Jan 14  2016 /etc/login.conf
-rw-------  1 root  wheel  10350 Jul 12 17:25 /etc/master.passwd
-rw-r--r--  1 root  wheel   8522 Jul 12 16:42 /etc/passwd
drwxr-x---  2 root  auth 512 Jul  3 17:49 /usr/libexec/auth/

Most likely you have /etc/login.conf non-world-readable... If this
doesn't help, you'll probably need to use ktrace to find out the
problematic syscall.

--
  WBR,
  Vadim Zhukov



Re: Problem installing KDE4

2014-07-11 Thread Vadim Zhukov
On 12.07.2014 at 2:17, user "Stan Gammons" wrote:
>
> I downloaded install55.iso dated July 11, 2014 from ftp.openbsd.org this
afternoon and after a new install I tried to install kde4 using the
snapshot packages from the same site which are dated July 8, 2014. In doing
so I get can't resolve errors on glib2-2.40.0p7 and python-2.7.7 which
causes lots of other errors due to the dependency on these packages.   Is
the older snapshot of the packages the problem or is something else wrong?

It's just a consistency problem: packages and base sets are not built at
the same time (and sometimes not even from the same base code). Moreover,
currently there is a hackathon going on, so things get out of sync easily.
Your options are:

1) Wait for about a week.

2) Get & update ports tree, then run "dpb x11/kde4" (or whatever) to get a
consistent set of packages.



Re: Problem installing KDE4

2014-07-12 Thread Vadim Zhukov
2014-07-12 13:58 GMT+02:00 Stan Gammons :
> On 07/12/14 01:26, Vadim Zhukov wrote:
>>
>> On 12.07.2014 at 2:17, user "Stan Gammons" wrote:
>>
>>> I downloaded install55.iso dated July 11, 2014 from ftp.openbsd.org this
>>
>> afternoon and after a new install I tried to install kde4 using the
>> snapshot packages from the same site which are dated July 8, 2014. In
>> doing
>> so I get can't resolve errors on glib2-2.40.0p7 and python-2.7.7 which
>> causes lots of other errors due to the dependency on these packages.   Is
>> the older snapshot of the packages the problem or is something else wrong?
>>
>> It's just a consistency problem: packages and base sets are not built at
>> the same time (and sometimes not even from the same base code). Moreover,
>> currently there is a hackathon going on, so things get out of sync easily.
>> Your options are:
>>
>> 1) Wait for about a week.
>>
>> 2) Get & update ports tree, then run "dpb x11/kde4" (or whatever) to get a
>> consistent set of packages.
>>
>
> I reinstalled the July 06 AMD64 install55.iso and KDE4 installed Ok with the
> packages dated July 08.
>
> Is there a way to find out whether or not a given date package(s) will work
> with a current build iso? Other than installing a current iso and finding
> out the hard way.

Yes, but not an easy one: check the contents of the base sets, and compare
the library versions there with the requirements of fat compiled
packages (like kdelibs, chrome...). The latter could be done by manually
fetching and unpacking the package, and looking at the +CONTENTS for the
@wantlib lines.

--
  WBR,
  Vadim Zhukov
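The manual check described above, scripted as an added example (not Vadim's code and not OpenBSD's pkg_add(1)). The +CONTENTS excerpt and set list it runs on are constructed stand-ins, and it assumes that a `@wantlib NAME.MAJOR.MINOR` line is met by a `libNAME.so.MAJOR.X` entry with X >= MINOR, which is how OpenBSD's shared-library versioning is matched.

```shell
#!/bin/sh
# Added example, not Vadim's code and not OpenBSD's pkg_add(1): the manual
# check described above, scripted. Assumption: a "@wantlib NAME.MAJOR.MINOR"
# line is satisfied by a libNAME.so.MAJOR.X entry with X >= MINOR (same
# major, equal or newer minor), which is how OpenBSD shared libs are matched.
set -u

# check_wantlib CONTENTS SETLIST
# Prints one "unsatisfied: NAME.MAJOR.MINOR" line for every @wantlib entry
# in CONTENTS that SETLIST (the base set list, optionally plus the file
# lists of already installed packages) cannot provide. Returns 0 if all are
# met, 1 otherwise. Lines other than @wantlib are ignored.
check_wantlib() {
    contents=$1
    setlist=$2
    status=0
    while read -r tag lib; do
        [ "$tag" = "@wantlib" ] || continue
        minor=${lib##*.}        # NAME.MAJOR.MINOR -> MINOR
        stem=${lib%.*}          #                  -> NAME.MAJOR
        major=${stem##*.}       #                  -> MAJOR
        name=${stem%.*}         #                  -> NAME (may contain dots)
        # wantlibs may carry a subdirectory: qt4/QtCore -> lib/qt4/libQtCore
        case $name in
            */*) pat="/${name%/*}/lib${name##*/}.so.$major." ;;
            *)   pat="/lib$name.so.$major." ;;
        esac
        # Every minor version the set list provides for that major.
        provided=$(awk -v n="$pat" '
            { p = index($0, n) }
            p { print substr($0, p + length(n)) }' "$setlist")
        ok=0
        for m in $provided; do
            case $m in *[!0-9]*) continue ;; esac
            [ "$m" -ge "$minor" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unsatisfied: $lib"
            status=1
        fi
    done < "$contents"
    return $status
}

# demo: constructed +CONTENTS excerpt and set list (stand-ins, not real
# OpenBSD data). Prints the checker's report and returns its status.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/+CONTENTS" <<'EOF'
@name kdelibs-4.13.3p0
@wantlib c.79.0
@wantlib m.9.0
@wantlib stdc++.57.0
@wantlib qt4/QtCore.5.0
EOF
    # The set list ships a newer minor for libc (fine), a newer MAJOR for
    # libm (not fine: majors must match), and QtCore comes from a package.
    cat > "$dir/setlist" <<'EOF'
./usr/lib/libc.so.79.1
./usr/lib/libcrypto.so.32.0
./usr/lib/libm.so.10.0
./usr/lib/libstdc++.so.57.0
./usr/local/lib/qt4/libQtCore.so.5.0
EOF
    status=0
    check_wantlib "$dir/+CONTENTS" "$dir/setlist" || status=$?
    rm -rf "$dir"
    return $status
}
```

Feed it the real +CONTENTS from an unpacked package and the set lists of the base you are about to install to see which @wantlib lines the base alone cannot satisfy.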



Re: i386: Updating ports conflicts'

2014-07-18 Thread Vadim Zhukov
2014-07-17 22:14 GMT+02:00 Stefan Wollny :
> Hi there,
>
> a cvs-update of /etc/ports on i386-current quits at the letter D:
>
> ~ $ dmesg | grep OpenBSD
> OpenBSD 5.6-beta (GENERIC.MP) #247: Wed Jul 16 22:09:54 MDT 2014
>
>
> 8< ---
> ? devel/p5-MooseX-Role-WithOverloading
> ? devel/p5-MooseX-SemiAffordanceAccessor
> ? devel/p5-MooseX-Traits
> ? devel/p5-MooseX-Traits-Pluggable
> RCS file: /cvs/ports/INDEX,v
> retrieving revision 1.427
> retrieving revision 1.428
> Merging differences between 1.427 and 1.428 into INDEX
> rcsmerge: warning: conflicts during merge
> cvs server: conflicts found in INDEX
> C INDEX

It looks like you called "make index" at some point in the past. Just
remove that file and then "cvs up INDEX" to get a clean version.

--
  WBR,
  Vadim Zhukov



Re: i386: Updating ports conflicts'

2014-07-18 Thread Vadim Zhukov
2014-07-17 22:14 GMT+02:00 Stefan Wollny :
> Hi there,
>
> a cvs-update of /etc/ports on i386-current quits at the letter D:
>
> ~ $ dmesg | grep OpenBSD
> OpenBSD 5.6-beta (GENERIC.MP) #247: Wed Jul 16 22:09:54 MDT 2014
>
>
> 8< ---
> ? devel/p5-MooseX-Role-WithOverloading
> ? devel/p5-MooseX-SemiAffordanceAccessor
> ? devel/p5-MooseX-Traits
> ? devel/p5-MooseX-Traits-Pluggable
> RCS file: /cvs/ports/INDEX,v
> retrieving revision 1.427
> retrieving revision 1.428
> Merging differences between 1.427 and 1.428 into INDEX
> rcsmerge: warning: conflicts during merge
> cvs server: conflicts found in INDEX
> C INDEX
> P archivers/freeze/Makefile
> P archivers/freeze/pkg/PLIST
> cvs server: cannot open directory /cvs/D: No such file or directory
> cvs server: skipping directory audio/gmpc-autoplaylist
> cvs server: cannot open directory /cvs/D: No such file or directory
> cvs server: skipping directory audio/gmpc-stopbutton
> cvs server: cannot open directory /cvs/D: No such file or directory
> cvs server: skipping directory audio/gmpccaa
> cvs server: cannot open directory /cvs/D: No such file or directory
> cvs server: skipping directory audio/gom
> cvs server: cannot open directory /cvs/D: No such file or directory
> cvs server: skipping directory audio/last.fm
> cvs server: cannot open directory /cvs/D: No such file or directory
> cvs server: skipping directory audio/libmpcdec
> cvs server: cannot open directory /cvs/D: No such file or directory
> cvs server: skipping directory audio/lopster
> cvs [server aborted]: could not find desired version 1.26 in
> /cvs/ports/books/Makefile,v
> quirks-1.146 signed on 2014-07-08T10:12:04Z

Sorry, typed Ctrl+Enter too fast.

It looks like your AnonCVS mirror was broken, you realized it and
then switched to another one. But the broken files are still there...
Just get rid of /usr/ports and reload it again; given how many
changes were in the tree since 5.5, checking out could be faster than
updating from the 5.5 ports.tar.gz.

--
  WBR,
  Vadim Zhukov



Re: kile-kde4

2014-08-03 Thread Vadim Zhukov
2014-08-03 20:51 GMT+04:00 Stefan Wollny :
> Hi there,
>
> has s.o. managed to get kile-kde4 from ports up and running properly?
>
> On my system (Lenovo T60 / Core2 / OpenBSD-current #315 - amd64)
> kile-kde4 did compile and does start - but that's about it. I cannot
> open any file as the system complains about wrong libraries and unknown
> mimetypes.
>
> If this is the first test 'out in the wild' take it as an error report.
> Otherwise I would appreciate any hints on how to do it properly.
>
> Some relevant information further down.

Please report the actual error you see.

I've tested Kile at the time of import by starting and typing some
stuff. Not a Kile user myself, though.

--
  WBR,
  Vadim Zhukov



Re: kile-kde4

2014-08-03 Thread Vadim Zhukov
2014-08-03 21:24 GMT+04:00 Stefan Wollny :
> On 08/03/14 at 19:00, Vadim Zhukov wrote:
>> 2014-08-03 20:51 GMT+04:00 Stefan Wollny :
>>> Hi there,
>>>
>>> has s.o. managed to get kile-kde4 from ports up and running properly?
>>>
>>> On my system (Lenovo T60 / Core2 / OpenBSD-current #315 - amd64)
>>> kile-kde4 did compile and does start - but that's about it. I cannot
>>> open any file as the system complains about wrong libraries and unknown
>>> mimetypes.
>>>
>>> If this is the first test 'out in the wild' take it as an error report.
>>> Otherwise I would appreciate any hints on how to do it properly.
>>>
>>> Some relevant information further down.
>>
>> Please report actual error you see.
>>
>> I've tested Kile at the time of import by starting and typing some
>> stuff. Not a Kile user myself, though.
>>
>> --
>>   WBR,
>>   Vadim Zhukov
>>
> Hi Vadim,
>
> thank you for your super-fast reply.
>
> The error is that kile simply does not respond to any input
> (keyboard/mouse) after I try to open an existing .tex-document or start
> a new one.
>
> I had started kile from the command line to report the system's output
> with my initial mail. If I kill kile with ctrl-c and try to restart it
> from the command line it doesn't come up again - the splash screen is
> the last reaction.
>
> Does this help you:
> ~ $ kile -v
> kile:/usr/lib/libstdc++.so.57.0: /usr/local/lib/libestdc++.so.16.0 :
> WARNING: symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch,
> relink your program

This is normal for stuff built with non-base GCC...

> kile:/usr/local/lib/qt4/libQtScript.so.2.0:
> /usr/local/lib/kde4/libs/libkhtml.so.50.2 : WARNING:
> symbol(_ZTIN14WTFNoncopyable11NoncopyableE) size mismatch, relink your
> program

... and this one is not. It looks like you have different binaries
(libraries or the kile executable itself) linked against different libraries.
Check for (normally hidden) .libs-* packages, e.g., "ls -d
/var/db/pkg/.libs*".

> Qt: 4.8.6
> KDE Development Platform: 4.13.3
> Kile: 2.1.3
>
>
>
> Would it be helpful if I delete kile-kde4 and kde4-libs and give it a
> new try from ports?

Why don't you use official packages?

--
  WBR,
  Vadim Zhukov



Re: kile-kde4

2014-08-03 Thread Vadim Zhukov
2014-08-03 22:24 GMT+04:00 Stefan Wollny :
> On 08/03/14 at 19:39, Vadim Zhukov wrote:
>>> Does this help you:
>>>> ~ $ kile -v kile:/usr/lib/libstdc++.so.57.0:
>>>> /usr/local/lib/libestdc++.so.16.0 : WARNING:
>>>> symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch,
>>>> relink your program
>> This is normal for stuff built with non-base GCC...
>>
>>>> kile:/usr/local/lib/qt4/libQtScript.so.2.0:
>>>> /usr/local/lib/kde4/libs/libkhtml.so.50.2 : WARNING:
>>>> symbol(_ZTIN14WTFNoncopyable11NoncopyableE) size mismatch,
>>>> relink your program
>> ... and this one is not. It looks like you have different binaries
>> (libraries or kile executable itself) linked with different
>> libraries. Check for (normally hidden) .libs-* packages, e.g., "ls
>> -d /var/db/pkg/.libs*".
>
> ~ $ sudo ld -d /var/db/pkg/.libs*
> /var/db/pkg/.libs-firefox-30.0p0: file not recognized: File truncated

Wut? Please look at the command line above AGAIN.

>>>> Qt: 4.8.6 KDE Development Platform: 4.13.3 Kile: 2.1.3
>>>>
>>>>
>>>>
>>>> Would it be helpful if I delete kile-kde4 and kde4-libs and
>>>> give it a new try from ports?
>> Why don't you use official packages?
>
> Because with kde4 kde3-based kile from packages gave me the same
> behaviour...

Wut? There are kile packages both for KDE3 and KDE4.

> I will de-install kile and the package in /usr/ports and give the
> official package a second try.

Please do.

--
  WBR,
  Vadim Zhukov



Re: kile-kde4

2014-08-04 Thread Vadim Zhukov
2014-08-04 2:46 GMT+04:00 Stefan Wollny :
> On 08/03/14 at 20:25, Vadim Zhukov wrote:
>> 2014-08-03 22:24 GMT+04:00 Stefan Wollny :
>>> On 08/03/14 at 19:39, Vadim Zhukov wrote:
>>>>> Does this help you:
>>>>>> ~ $ kile -v kile:/usr/lib/libstdc++.so.57.0:
>>>>>> /usr/local/lib/libestdc++.so.16.0 : WARNING:
>>>>>> symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch,
>>>>>> relink your program
>>>> This is normal for stuff built with non-base GCC...
>>>>
>>>>>> kile:/usr/local/lib/qt4/libQtScript.so.2.0:
>>>>>> /usr/local/lib/kde4/libs/libkhtml.so.50.2 : WARNING:
>>>>>> symbol(_ZTIN14WTFNoncopyable11NoncopyableE) size mismatch,
>>>>>> relink your program
>>>> ... and this one is not. It looks like you have different binaries
>>>> (libraries or kile executable itself) linked with different
>>>> libraries. Check for (normally hidden) .libs-* packages, e.g., "ls
>>>> -d /var/db/pkg/.libs*".
>>>
>>> ~ $ sudo ld -d /var/db/pkg/.libs*
>>> /var/db/pkg/.libs-firefox-30.0p0: file not recognized: File truncated
>>
>> Wut? Please look at the command line above AGAIN.
>>
>>>>>> Qt: 4.8.6 KDE Development Platform: 4.13.3 Kile: 2.1.3
>>>>>>
>>>>>>
>>>>>>
>>>>>> Would it be helpful if I delete kile-kde4 and kde4-libs and
>>>>>> give it a new try from ports?
>>>> Why don't you use official packages?
>>>
>>> Because with kde4 kde3-based kile from packages gave me the same
>>> behaviour...
>>
>> Wut? There are kile packages both for KDE3 and KDE4.
>>
>>> I will de-install kile and the package in /usr/ports and give the
>>> official package a second try.
>>
>> Please do.
>>
>> --
>>   WBR,
>>   Vadim Zhukov
>>
> Hi Vadim,
>
> sorry that it took so long for the next tests: I did an upgrade to
> amd64-current #316 and fsck'd the partitions while being there.
>
> OK - one more piece of info that doesn't make a difference in reality: I had
> 'only' installed kde4-minimal so far prior to installing kile. Now for
> the sake of testing I accepted the pollution in particular of kde4-games
> just to be sure we do not miss a piece and installed kde4 from
> packages. So far I started X with fluxbox and now did an additional test
> with ../startkde4: Same result - kile becomes unresponsive after startup.
>
> I did the last tests with all references to kile under ~/.kde4/
> deleted. Mmmh - I will redo the test after having moved ~/.kde4 to
> ~/_kde4 - let's see if kile recreates this folder...
>
> Well - yes, it does. But just before as this is the second startup of
> kile it stops right here:
>
> ~ $ kile
> kile:/usr/lib/libstdc++.so.57.0: /usr/local/lib/libestdc++.so.16.0 :
> WARNING: symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch,
> relink your program
> kile:/usr/local/lib/qt4/libQtScript.so.2.0:
> /usr/local/lib/kde4/libs/libkhtml.so.50.2 : WARNING:
> symbol(_ZTIN14WTFNoncopyable11NoncopyableE) size mismatch, relink your
> program
> Object::connect: No such signal
> org::freedesktop::UPower::DeviceAdded(QString)
> Object::connect: No such signal
> org::freedesktop::UPower::DeviceRemoved(QString)
>
>
>
> Still I am requested to 'relink' the program ...
>
> It will be annoying - but unless you come up with a better suggestion I
> will reinstall the entire system from scratch to the bare minimum to be
> assured that I did not make an error with the present installation. But
> not before Monday night.
>
> BTW: Any other tests related to kde4 you'd like me to do? (Just drop me
> a note privately to not pollute misc@)
>
> Have a nice week!

I reproduced your problem here. It looks like the root of the problem is
in libinotify, which doesn't handle named pipes well. Kile creates
two named pipes to talk with the LyX server (see
http://wiki.lyx.org/LyX/LyXServer). And then at some point libinotify
tries to open those files...

You can try to run the two following commands:

$ kwriteconfig4  --file ~/.kde/share/config/kilerc --group DirWatch
--key PreferredMethod Fam
$ rm ~/{.lyx/,}.lyxpipe*

(if your KDEHOME isn't in the ~/.kde, tweak the first command accordingly)
And then start Kile again. See if it helps.

--
  WBR,
  Vadim Zhukov



Re: PF Tagging

2014-09-02 Thread Vadim Zhukov
2014-09-02 23:10 GMT+04:00 andy :
> Hi,
>
> Hoping this is a pretty dumb question and someone can just shoot me down
> with an instant answer but is there any reason why I can't compare against
> multiple tags?
>
> E.g.
> pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI, T_OPS }
> queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
>
> I seem to only be able to compare against one tag at a time, which seems to be
> quite limiting?

Yes, only one tag maximum. This makes the actual comparison in PF fast &
easy: internal PF per-packet and per-rule structures both contain a
single number, representing a tag. To allow multiple tags you'd need
to make the size of those structures dynamic.

> Cheers, Andy.
>
> PS; Yes I am only just starting to get round to setting up policy based
> rules for the first time as part of a big rewrite for a new much larger
> office with *many* VLANs etc..

You'll probably want to play more with "match" rules.

--
  WBR,
  Vadim Zhukov



Re: mpd unable to start on recent snapshots

2014-09-04 Thread Vadim Zhukov
2014-09-04 0:29 GMT+04:00 Nicholas Fleisher :
> On Wed Sep 03  9:39 PM, David Coppa wrote:
>> > Thanks, but unfortunately getting rid of the corrupted database doesn't
>> > help.  mpd can't seem to create a good new one from scratch.
>>
>> Double check your /etc/mpd.conf, check that /var/spool/mpd has the
>> right owner/group and permissions, have a look at /var/log/mpd/mpd.log
>> for errors...
>
> I tried reinstalling (including userdel/groupdel _mpd, and so forth) and
> starting with a fresh /etc/mpd.conf, but still no luck.
> Owner/group/permissions on /var/spool/mpd are correct (i.e. owner and
> group both _mpd, writeable for both).  The log shows mpd adding several
> songs and then abruptly quitting.  It complains twice about the mpdstate
> file being missing, but even after touch'ing it and setting appropriate
> ownership/permissions, I get the same error as before.
>
> The only other info I can think of that might be helpful: after the
> fresh reinstall and mpd startup, the /var/spool/mpd directory contains
> only mpd.pid and the playlists directory, i.e. mpd.db and mpdstate are
> both missing.  (though, as mentioned above, manually creating them and
> then retrying does not solve the problem).
>
> Thanks for all the suggestions.  Running out of ideas here...

Try ktrace then. You'll need to set up a complex command line with
sudo involved, but this would show you which system call fails (if any,
but I'm sure there is one).

--
  WBR,
  Vadim Zhukov



Re: WARNING: symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch

2014-09-23 Thread Vadim Zhukov
2014-09-23 18:41 GMT+04:00 Stefan Wollny :
> I have this Lenovo T60 running amd64-current (full dmesg at the end):
>
> OpenBSD 5.6-current (GENERIC.MP) #388: Mon Sep 22 02:23:15 MDT 2014
> t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz, 1994.62 MHz
> real mem = 3203203072 (3054MB)
> avail mem = 3109261312 (2965MB)
>
> I follow current since
> OpenBSD 5.6 (GENERIC.MP) #310: Tue Jul 29 11:49:10 MDT 2014
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> All programs have been installed from packages. For KDE-programs I went
> for the first time with KDE4. Window-manager is Fluxbox. Whenever I
> fetch a fresh snapshot the first thing after reboot is "pkg_add -ui" and
> an update of /usr/src, /usr/ports, /usr/xenocara.
>
> Starting some usual programs in a xterm I get the following warnings:
>
> ~ $ okular
>
> okular:/usr/lib/libstdc++.so.57.0: /usr/local/lib/libestdc++.so.16.0 :
> WARNING: symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch,
> relink your program
> okular:/usr/local/lib/qt4/libQtScript.so.2.0:
> /usr/local/lib/kde4/libs/libkjsapi.so.50.2 : WARNING:
> symbol(_ZTIN14WTFNoncopyable11NoncopyableE) size mismatch, relink your
> program
>
> ~ $ xombrero
> xombrero:/usr/local/lib/libestdc++.so.16.0: /usr/lib/libstdc++.so.57.0 :
> WARNING: symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch,
> relink your program
> Bus error (core dumped)
>
> ~ $ konqueror
> konqueror:/usr/lib/libstdc++.so.57.0: /usr/local/lib/libestdc++.so.16.0
> : WARNING: symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch,
> relink your program
>
> ~ $ libreoffice
> /usr/local/lib/libreoffice/program/soffice.bin:/usr/lib/libstdc++.so.57.0:
> /usr/local/lib/libestdc++.so.16.0 : WARNING:
> symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch, relink your
> program
>
>
> Even though I am pretty confident that I followed all advisories given
> for current I might have missed something. Has anyone a clue what I
> could do better??? Reinstalling from ports?

That message is an unfortunate side-effect of switching the KDE4 build to
a newer GCC (from ports and not from the base system). While such
messages ("symbol size mismatch") do normally indicate real problems (this is
why they appear at all), this particular one -
"_ZN11__gnu_debug17_S_debug_messagesE" - is mostly harmless and you
may ignore it safely.

--
  WBR,
  Vadim Zhukov



Re: kde4-4.13.3p0 on OpenBSD 5.6 10/15/2014 AMD64 snapshot

2014-11-03 Thread Vadim Zhukov
On 4 Nov 2014 at 3:11, "Stan Gammons" wrote:
>
> Does anyone besides me experience crashes with Dolphin on kde4-4.13.3p0?
> When I click on the kde crash handler developer information tab it churns
> forever and ever and ever and never returns any information.

What does the "ulimit -a" command say?

Also, could you post all uncommented global options in your
/etc/samba/smb.conf?

--
Vadim Zhukov



Re: samba and e2fsprogs packages -- 5.4

2013-12-04 Thread Vadim Zhukov
2013/12/5 Peter Fraser :
> samba required the e2fsprogs package. The problem occurs when trying to use 
> samba's net command.
> The net command requires libuuid.
>  It was not easy to find where libuuid was located.

pkg_locate libuuid.so - no?

--
  WBR,
  Vadim Zhukov



Re: Cannot make state when using 'user' option in pf.conf

2014-01-25 Thread Vadim Zhukov
2014/1/26 Jiri B :
> Hello,
>
> I'm trying to understand why there's no PF state for an outgoing
> rule dedicated to dnscrypt-proxy (668) daemon.
>
> pf.conf says 'user' option needs effective ID...
>
> # ps -axo uid,ruid,gid,rgid,pid,args | grep dnscrypt
>   688   688   688   688 16665 /usr/local/sbin/dnscrypt-proxy -d 
> --local-address=127.0.0.1:5331 --user=_dnscrypt-proxy
>
> # pfctl -sr
> block drop out log quick on egress from ! (egress:0) to any
> anchor "test-out" all
> pass out log quick on egress inet proto udp from any to 208.67.220.220 port = 
> 443 user = 688
> pass out log quick on egress inet proto tcp from any to 208.67.220.220 port = 
> 443 user = 688 flags S/SA
> pass out log quick on egress inet proto icmp all icmp-type echoreq
> block drop in log quick from no-route to any
> block drop in log quick from urpf-failed to any
> block drop out log quick all
> block drop in log quick on egress inet from any to 255.255.255.255
> anchor "test-in" all
> pass in log quick on egress inet proto icmp from any to (egress:0) icmp-type 
> echoreq code 0
> pass in log quick on egress inet proto tcp from any to (egress:0) port = 22 
> flags S/SA
> block drop in log quick all
>
> Now when dnscrypt-proxy tries to make a connection it is blocked.
> Interestingly there's even no logged outgoing connection, but just
> blocked return.
>
> # tcpdump -i pflog0 -n -e -ttt -vv
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Jan 26 00:41:00.884036 rule 7/(match) [uid 0, pid 23524] block out on iwn0: 
> [uid 0, pid 16665] 192.168.1.100.10976 > 208.67.220.220.443: udp 512 (ttl 64, 
> id 9876, len 540, bad cksum 208! differs by e108)
>
> (from anchor)
> # pfctl -ss
> all tcp 192.168.1.100:16505 -> 66.7.199.108:22   ESTABLISHED:ESTABLISHED
>
> Well it works if I add dnscrypt-proxy rule for root but why?

Because the socket (hint: <1024) was opened with root rights, and
therefore the uid=0 was saved there.

--
  WBR,
  Vadim Zhukov



Re: sudo -u & environment help

2014-04-04 Thread Vadim Zhukov
sudo -i ?
On 04.04.2014 at 14:31, "Craig R. Skinner" wrote:

> Hi,
>
> When sudo'ing to another user, how can I obtain all of their environment
> settings as they receive when logging in themselves?
>
> When I use sudo in this manner, settings such as $PATH, $MAIL & umask
> aren't being honoured:
>
>
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> craig
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> /var/mail/craig
> 027
>
>
>
> Here, $PATH, $MAIL & umask are unchanged:
>
> $ sudo -H -i -u david
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> /var/mail/craig
> 027
>
>
> Compare the difference when logging in as that user:
>
> $ login david
> ...
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
> /var/mail/david
> 022
>
>
>
>
> /etc/login.conf:
> default:\
> :passwordcheck=/usr/local/bin/pwqcheck -1:\
> :passwordtries=0:\
> :path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
> :umask=022:\
> :datasize-cur=
>
> staff:\
> :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
> :umask=027:\
> :datasize-cur=
>
>
> $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
> Defaults env_keep +="DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE"
> Defaults env_keep +="MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE"
> Defaults env_keep +="PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR"
> Defaults env_keep +="RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL"
> Defaults env_keep +="WRKOBJDIR"
> Defaults always_set_home, ignore_dot, use_loginclass
>
>
>
> login(1):
>
>  login enters information into the environment (see environ(7)) specifying
>  the user's home directory (HOME), command interpreter (SHELL), search
>  path (PATH), terminal type (TERM), and user name (both LOGNAME and USER).
>
> ENVIRONMENT
>  login sets the following environment variables:
>
>  HOME
>  MAIL
>
> sudo(8):
>
>   Command Environment
>  ..  On BSD systems, if the use_loginclass option is
>  enabled, the environment is initialized based on the path and setenv
>  settings in /etc/login.conf.  The new environment contains the TERM,
>  PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
>  addition to variables from the invoking process permitted by the
>  env_check and env_keep options.  This is effectively a whitelist for
>  environment variables.
>
>
>
> How can I become another user - without knowing their password,
> and gain their 'natural' environment?
>
> e.g. from wheel group to a users group member.
>
> 'su -l username' & 'login username' require their password.
>
> I thought 'sudo -H -i -u username' would do it.
>
> Any suggestions on what else I need to configure?



Re: linux port of systrace

2014-05-13 Thread Vadim Zhukov
2014-05-13 19:06 GMT+04:00 Илья Аржанников :
> Hello.
>
> I am trying to use the linux port of systrace, and I found a problem. When I run
> under systrace (it does not matter whether with -A or -a (actually it never got to
> -a)) something that uses vfork, systrace and the child processes hang up. I saw
> in the sources that the linux port uses ptrace as the backend because there is no
> native systrace subsystem. And linux systrace tries to rewrite the vfork system
> call into sys_clone, but it gives nothing. With fork everything is ok, because fork
> is a wrapper around the clone syscall and systrace just adds one more flag to call it.
>
> Has anyone experienced this problem?

Does this also happen with only one CPU?

--
  WBR,
  Vadim Zhukov



Re: getaddrinfo(3) & chroot(2) with root

2014-05-14 Thread Vadim Zhukov
2014-05-14 20:57 GMT+04:00 Denis Fondras :
> Hello all,
>
> I am burning my last neurons with a behavior I can't explain. I wonder
> why getaddrinfo() fails when called after chroot() with root user.
>
>
> I have this piece of code :
>
> /*--- test.c ---*/
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netdb.h>
> #include <pwd.h>
> #include <stdio.h>
> #include <unistd.h>
>
> int main(int argc, char *argv[])
> {
> 	struct addrinfo *ai_out;
> 	struct passwd   *pw;
> 	int error;
>
> 	pw = getpwnam("_bgpd");
>
> 	/* first lookup: still outside the chroot */
> 	error = getaddrinfo("rpki.liopen.eu", NULL, NULL, &ai_out);
> 	if (error)
> 		printf("getaddrinfo() failed\n");
> 	else printf("getaddrinfo() succeed\n");
>
> 	chroot(pw->pw_dir);
> 	chdir("/");
>
> 	/* second lookup: now inside the chroot */
> 	error = getaddrinfo("rpki.liopen.eu", NULL, NULL, &ai_out);
> 	if (error)
> 		printf("getaddrinfo() failed\n");
> 	else printf("getaddrinfo() succeed\n");
>
> 	return 0;
> }
> /*--- test.c ---*/
>
> $ ./a.out
> getaddrinfo() succeed
> getaddrinfo() succeed
>
> # ./a.out
> getaddrinfo() succeed
> getaddrinfo() succeed
>
>
>
>
> Everything is good. Now if I compile :
>
> /*--- test.c ---*/
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netdb.h>
> #include <pwd.h>
> #include <stdio.h>
> #include <unistd.h>
>
> int main(int argc, char *argv[])
> {
> 	struct addrinfo *ai_out;
> 	struct passwd   *pw;
> 	int error;
>
> 	pw = getpwnam("_bgpd");
>
> 	/* first lookup removed; pretend it succeeded */
> 	error = 0;
> 	if (error)
> 		printf("getaddrinfo() failed\n");
> 	else printf("getaddrinfo() succeed\n");
>
> 	chroot(pw->pw_dir);
>
> 	/* the only real lookup now happens inside the chroot */
> 	error = getaddrinfo("rpki.liopen.eu", NULL, NULL, &ai_out);
> 	if (error)
> 		printf("getaddrinfo() failed\n");
> 	else printf("getaddrinfo() succeed\n");
>
> 	return 0;
> }
> /*--- test.c ---*/
>
> $ ./a.out
> getaddrinfo() succeed
> getaddrinfo() succeed
>
> # ./a.out
> getaddrinfo() succeed
> getaddrinfo() failed
>
>
>
> If this is an expected behavior, what would be the preferred way to resolve
> a name from a chrooted process ? I am extending OpenBGPd and I need to
> resolve domain names and connect to a service (no BGP protocol). I am
> currently using the "session" process to handle the connection part but
> I am stuck on name resolution for now.

/etc/resolv.conf is read on the first attempt to resolve something,
no? And, of course, you have no /your/chroot/path/etc/resolv.conf.

--
  WBR,
  Vadim Zhukov
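One way to act on the answer above is to copy the resolver configuration into the jail before calling chroot(2). This is an added example, not the poster's program or OpenBGPD's own code; `stage_into_root` and `demo_stage` are hypothetical helpers, and the nameserver line in the self-check is a constructed sample.

```c
/* Added example, not the poster's program: stage a resolver file into a chroot
 * before chroot(2) so getaddrinfo(3) inside the jail still finds resolv.conf. */
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy src to root/relpath (no leading slash), creating intermediate dirs like
 * mkdir -p; 0 on success, -1 on error.  O_NOFOLLOW stops a symlink planted in
 * the jail from redirecting the write.  Hypothetical helper, not a real API. */
int stage_into_root(const char *root, const char *relpath, const char *src)
{
	char dst[PATH_MAX], buf[4096], *p;
	ssize_t r = 0, w, off;
	int in, out, n, rc = 0;

	n = snprintf(dst, sizeof(dst), "%s/%s", root, relpath);
	if (n < 0 || (size_t)n >= sizeof(dst))
		return -1;
	for (p = dst + strlen(root) + 1; (p = strchr(p, '/')) != NULL; p++) {
		*p = '\0';	/* a directory component ends here */
		if (mkdir(dst, 0755) == -1 && errno != EEXIST)
			return -1;
		*p = '/';
	}
	if ((in = open(src, O_RDONLY)) == -1)
		return -1;
	if ((out = open(dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644)) == -1) {
		close(in);
		return -1;
	}
	while (rc == 0 && (r = read(in, buf, sizeof(buf))) > 0)
		for (off = 0; off < r; off += w)
			if ((w = write(out, buf + off, r - off)) == -1) {
				rc = -1;
				break;
			}
	close(in);
	if (r == -1 || close(out) == -1)	/* read error or delayed write error */
		rc = -1;
	return rc;
}

/* Self-check: build a throwaway jail under /tmp with a constructed resolv.conf,
 * stage it and read it back.  Returns 1 if the staged copy matches. */
int demo_stage(void)
{
	const char *conf = "nameserver 192.0.2.53\n";	/* constructed sample */
	char root[] = "/tmp/jail.XXXXXX", src[PATH_MAX], dst[PATH_MAX], back[64];
	FILE *f;
	int ok = 0;

	if (mkdtemp(root) == NULL)
		return 0;
	snprintf(src, sizeof(src), "%s/resolv.conf.src", root);
	if ((f = fopen(src, "w")) != NULL) {
		fputs(conf, f);
		fclose(f);
	}
	/* In a daemon this call would sit right before chroot(pw->pw_dir). */
	if (stage_into_root(root, "etc/resolv.conf", src) == 0) {
		snprintf(dst, sizeof(dst), "%s/etc/resolv.conf", root);
		if ((f = fopen(dst, "r")) != NULL) {
			ok = fgets(back, sizeof(back), f) != NULL &&
			    strcmp(back, conf) == 0;
			fclose(f);
		}
		unlink(dst);
		snprintf(dst, sizeof(dst), "%s/etc", root);
		rmdir(dst);
	}
	unlink(src);
	rmdir(root);
	return ok;
}
```

For a program like the poster's, the call would be `stage_into_root(pw->pw_dir, "etc/resolv.conf", "/etc/resolv.conf")` ahead of `chroot()`, and /etc/hosts may need the same treatment.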



Re: spam from chrooted CMSes

2009-04-12 Thread Vadim Zhukov
On 10 April 2009 05:42:21 Uwe Dippel wrote:
> I'm running postfix as MTA on a machine with several CMS, on a
> chrooted Apache.  Recently, there has been a huge number of spam messages being sent
> from there, alas. When I scan the postfix logs, all those come from
> 'root', meaning they don't come through port 25. I run OpenBSD with
> mini-sendmail, and now I wonder how I could find out from which CMS
> they are sent. Is there any chance to find out from which CMS they are
> sent?

Do your clients have the ability to connect to external hosts? If yes, then
you should not even bother logging PHP mail() calls or such.

If outgoing connections are closed, then you should have different system
users (i.e., different UIDs) for each client; otherwise it'll be easy
for a hacker to spoof the sender: nothing stops him from modifying
other clients' scripts or just implementing an entire SMTP server in PHP.

And only if both requirements are met can you improve your antispam
security either by 1) modifying mini_sendmail, or 2) writing a simple
Perl wrapper that parses input data (bundled and/or in-ports Perl
modules should make it very easy) and then passes the data to the real
mini_sendmail.

IMHO, it's much easier to make mini_sendmail log mail, or add a specific
header to each letter that may help you in debugging. In the latter case
you may even put some limits on mail based on your header knowledge in
your "real" MTA, which mini_sendmail will forward letters to. You do not
need big programming skills to do that, just some basic C knowledge. If
you do not know C at all, ask some friend of yours to do this work for beer
(or mineral water, if he doesn't like alcohol ;) ).

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: I can't download torrents with ktorrent with a normal user

2009-04-12 Thread Vadim Zhukov
On 12 April 2009 19:54:18 Juan Jimenez Galdos wrote:
> The thing is: when I am using root I don't have any problems, but if I
> use a normal user the torrents don't start, and the torrents can't
> connect with the tracker or the peers. If the configuration of pf is
> the same for root and for a normal user, why is this happening? I
> don't understand.
>
> Could somebody help me? Thank you very much.

Please, please, please:

- dmesg (it's mentioned many times in the documentation and on the site that
dmesg IS required)
- ktorrent package version
- /etc/pf.conf
- KTorrent network configuration (particularly the local ports specified)
- Torrent sites tested
- And finally: are you logging in as root, or starting a "root" KTorrent
via sudo?

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: VNC and PF

2009-04-16 Thread Vadim Zhukov
On 16 April 2009 14:25:38 Yuriy A. Dmitrishin wrote:
> Hi.
>
> I try to redirect VNC port in my LAN:
> $ pfctl -s nat|grep 5900
> rdr on tun0 inet proto tcp from any to any port = 59001 ->
> 192.168.0.10 port 5900
>
> But I cannot connect with VNC-viewer to address 66.66.66.66:59001
> (66.66.66.66 as my ext addr.).

0. dmesg IS ALWAYS REQUIRED.

1. Full pf.conf (or, better, "pfctl -sa" output).

2. "ifconfig" output.

3. "route -n show" output.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: Is there any particular reason to not have RAIDFrame on RAMDISK_CD

2009-04-19 Thread Vadim Zhukov
On 20 April 2009 05:15:50 Nick Holland wrote:
> Vadim Zhukov wrote:
> > Hello all.
> >
> > Is there any particular reason to not have RAIDFrame built-in in
> > RAMDISK_CD kernels? I mean, are there any restrictions, except
> > kernel/ramdisk size, which are not the case with RAMDISK_CD,
> > obviously?
> >
> > Maybe I missed something digging through Google output containing a
> > lot of links to official FAQ and quotes from it. :(
>
> What would the point of putting it on the RAMDISK kernels, when it
> isn't in GENERIC?

It'll make updates easier (one less kernel to build). Also, many people,
including me (yes, I'm not a developer, so this is just information and
not anything more) use bsd.rd for quickly repairing broken PCs.

As the FAQ says, RAIDFrame isn't in GENERIC just because it'll make GENERIC
too fat. And this isn't the case for bsd.rd; it isn't intended for, erm,
generic usage. :)

It was mentioned many times that RAIDFrame is stable enough, and many people
use it in production - so this isn't a reason not to put it into a stock
kernel. If I'm wrong then RAIDFrame should be marked
as "experimental" or "unstable" in raid(4) and the FAQ. :)

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?


