|
|
| Author |
Message |
| 25 new of 547 responses total. |
aruba
|
|
response 285 of 547:
| 
May 19 19:20 UTC 2003 |
We don't know for sure if our CDs shipped Tuesday, only that our credit card
was charged then. I sent mail to the shipping guy at openbsd.org to ask if
they really did ship.
But anyway, dang offered to make Jan a CD, and he'll bring it over tonight.
|
remmers
|
|
response 286 of 547:
|
May 19 22:24 UTC 2003 |
Re #280: My machine is still online and available to any staffer who
wants access. It's currently running OpenBSD 3.2. If it's going to be
used to test out software, I should upgrade it to 3.3. If I have time
to do that in the next couple of days I will, but to be honest free time
is in somewhat short supply this week. I'll see how it goes. Dang
installed a CVS server on it, the idea being to use that to document
our work. The CVS server hasn't been used yet, and nothing much else
has been done with the machine yet either, so it might not be too
unreasonable to use the OpenBSD CDs, when they arrive, to install 3.3
from scratch on my machine, then ask dang politely to re-install the
CVS server...
|
janc
|
|
response 287 of 547:
|
May 20 00:49 UTC 2003 |
Turns out Valerie can burn CD's. I should have known that. So I've got a
working boot CD now.
I tried logging into John's machine and failed. I should give him a call and
see what I've got wrong.
|
janc
|
|
response 288 of 547:
|
May 20 01:54 UTC 2003 |
Hmmm. Got it installed on the disk, but boot from the disk seems to be
hanging when the kernel tries to initialize the audio drivers. I'll
investigate more later tonight and report back.
|
aruba
|
|
response 289 of 547:
|
May 20 03:11 UTC 2003 |
I had a little trouble with the audio in Windows 98, actually. It mostly
worked, but occasionally produced static when it should have been playing a
sound. I figured it was because I needed a different version of the driver,
or it needed to be reinstalled.
|
other
|
|
response 290 of 547:
|
May 20 03:22 UTC 2003 |
Why are we worrying about making the audio drivers on the next Grex
machine work?
|
janc
|
|
response 291 of 547:
|
May 20 03:31 UTC 2003 |
OK, some details. As the kernal starts up, it prints out lots of messages
describing the various devices. When booting from the CD or floppy, it finds
the audio device, but doesn't have a driver for it (of course, since this is
a install disk and it doesn't need audio), so it says:
"VIA VT8233 AC97 Audio" rev 0x50 at pci0 dev 17 function 5 not configured
When we boot from the hard disk, it finds the device, and has a driver, but
the driver seems to fail to initialize. It types the following, and then
hangs forever with the cursor at the end of the line:
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97 Audio" rev 0x50_
It should go on to finish the line by typing something like
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97 Audio" rev 0x50: irq 9
We never get the ": irq 9" part. (It is IRQ 9, according to the bios).
One fix would be to build a kernal without the audio driver. It's not like
Grex needs audio. Any better ideas?
|
janc
|
|
response 292 of 547:
|
May 20 03:39 UTC 2003 |
Eric slipped in. I don't care very much about making them work. Right now
they are keeping us from booting, which I do care about. I'd slightly prefer
to know what is causing it to fail.
We are going to have to do an OpenBSD install on this machine every year or
so. We need to figure out how to do it smoothly. It's worth a little effort
to find the *best* way to deal with problems, not just some workaround kludge.
|
cross
|
|
response 293 of 547:
|
May 20 03:42 UTC 2003 |
Hmm; can you disable the onboard audio in the BIOS? It sounds like
it's hanging in the probe routine; perhaps it's having difficulties
disambiguating the audio device from something else it might share
an interupt line with? Maybe there's a bug allocating an IRQ?
Weird.
|
janc
|
|
response 294 of 547:
|
May 20 03:45 UTC 2003 |
Found this:
http://www.netsys.com/openbsd-misc/2003/01/msg00734.html
Appears to be someone having the same problem.
|
janc
|
|
response 295 of 547:
|
May 20 04:26 UTC 2003 |
The discussion of this problem above didn't find any sensible solutions, so
I'm willing to just disable the device. Looks like there are two ways to do
this without recompiling the the kernal.
http://www.openbsd.org/cgi-bin/man.cgi?query=boot_config&sektion=8&arch=i38
6
To make this work, you need to tell it to boot "/bsd -c" instead of /bsd.
However, it doesn't prompt for a kernal to boot, and I don't know how to
make it do so.
http://www.openbsd.org/cgi-bin/man.cgi?query=config&sektion=8&arch=i386
To make this work, I need a reasonably running system. Booting off the
CD and mounting the / partition under /mnt doesn't do it. The config program
is not on the install CD and the copy on the hard disk wants ld.so which it
can't seem to find while booted off the CD. I might be able to figure out
how to make this work, if I was less sleepy.
Either way, I just need to do "disable auvia" and that should kill the
audio card.
I'm going to bed.
|
lk
|
|
response 296 of 547:
|
May 20 07:00 UTC 2003 |
Maybe you'll dream up another solution, like disabling the audio in the
BIOS so OpenBSD will never see it in the first place...?
(I suppose it could be a jumper on the motherboard if not a BIOS option.)
|
janc
|
|
response 297 of 547:
|
May 20 11:24 UTC 2003 |
Yeah Leeron! There is a thing in the BIOS to disable the Audio Controller,
and with that turned off, we can boot.
I'd still like to know how to tell OpenBSD to boot off something else.
It seems to sometimes show a "boot>" prompt briefly, and if you type
something then it won't fill it in itself. However, when I started
booting off the CD, typed "boot wd0a:/bsd -c" at the boot> prompt,
it went ahead and booted off the CD anyway. Well, I'll get plenty more
chances to experiment with this.
In the true OpenBSD spirit, after all this work, it greets me by telling me
I'm an idiot:
Don't login as root, use su
Root's the only account on the system, and that's a comma splice, you idiots.
Sorry, I have personality conflicts with OpenBSD.
|
cross
|
|
response 298 of 547:
|
May 20 12:49 UTC 2003 |
Most of the world has personality conflicts with OpenBSD. Hey, disabling
the audio device in the BIOS; I said that in #293!
Comma splices are bad, use semicolons.
|
cross
|
|
response 299 of 547:
|
May 20 12:51 UTC 2003 |
So Jan, just so I can be sure I understand what's going on; a minimal
OpenBSD installation is on the IDE drive, and it's seeing all the
devices now?
|
janc
|
|
response 300 of 547:
|
May 20 14:45 UTC 2003 |
Yup. Staff has been informed, John Remmers has successfully logged in.
My next step is to write some little scripts to copy data around fiercely
on the three SCSI disks, just to increase my confidence that the controller
really is working right with multiple drives.
Yeah, you did say that didn't you? I was way too sleepy last night.
|
remmers
|
|
response 301 of 547:
|
May 20 14:50 UTC 2003 |
Yep, I logged in and created myself a "remmers" account.
|
janc
|
|
response 302 of 547:
|
May 20 15:42 UTC 2003 |
Thought I'd so a survey of suid/sgid programs, many of which might have to
be moved if we do an /suidbin directory. There's a number of them, but many
don't actually need to be SUID on Grex (the ones marked 'X' in the list
below should probably lose their suid bits or not be moved to suidbin).
SUID files:
X -r-sr-xr-x 1 root bin /sbin/ping
X -r-sr-xr-x 1 root bin /sbin/ping6
X -r-sr-x--- 1 root operator /sbin/shutdown
-r-sr-xr-x 3 root bin /usr/bin/chfn
-r-sr-xr-x 3 root bin /usr/bin/chpass
-r-sr-xr-x 3 root bin /usr/bin/chsh
X -r-sr-sr-x 1 root daemon /usr/bin/lpr
X -r-sr-sr-x 1 root daemon /usr/bin/lprm
-r-sr-xr-x 1 root bin /usr/bin/passwd
X -r-sr-xr-x 1 root bin /usr/bin/rsh
-r-sr-xr-x 1 root bin /usr/bin/su
-r-sr-xr-x 1 root bin /usr/bin/sudo
? -r-sr-xr-x 1 root auth /usr/libexec/auth/login_chpass
? -r-sr-xr-x 1 root auth /usr/libexec/auth/login_krb4
? -r-sr-xr-x 1 root auth /usr/libexec/auth/login_krb4-or-pwd
? -r-sr-xr-x 1 root auth /usr/libexec/auth/login_krb5
? -r-sr-xr-x 1 root auth /usr/libexec/auth/login_krb5-or-pwd
? -r-sr-xr-x 1 root auth /usr/libexec/auth/login_lchpass
? -r-sr-xr-x 1 root auth /usr/libexec/auth/login_passwd
-r-sr-xr-x 1 root bin /usr/libexec/lockspool
-r-sr-xr-x 1 root bin /usr/libexec/ssh-keysign
? -r-sr-sr-x 1 root authpf /usr/sbin/authpf
X -r-sr-xr-- 1 root network /usr/sbin/ppp
X -r-sr-xr-- 1 root network /usr/sbin/pppd
X -r-sr-xr-- 1 root network /usr/sbin/sliplogin
X -r-sr-xr-x 1 root bin /usr/sbin/timedc
X -r-sr-xr-x 1 root bin /usr/sbin/traceroute
X -r-sr-xr-x 1 root bin /usr/sbin/traceroute6
SGID files:
X -r-xr-sr-x 4 root crontab /usr/bin/at
X -r-xr-sr-x 4 root crontab /usr/bin/atq
X -r-xr-sr-x 4 root crontab /usr/bin/atrm
X -r-xr-sr-x 4 root crontab /usr/bin/batch
X -r-xr-sr-x 1 root crontab /usr/bin/crontab
? -r-xr-sr-x 1 root kmem /usr/bin/fstat
-r-xr-sr-x 1 root auth /usr/bin/lock
X -r-xr-sr-x 1 root daemon /usr/bin/lpq
? -r-xr-sr-x 1 root _lkm /usr/bin/modstat
? -r-xr-sr-x 1 root kmem /usr/bin/netstat
-r-xr-sr-x 1 root auth /usr/bin/skeyaudit
-r-xr-sr-x 1 root auth /usr/bin/skeyinfo
-r-xr-sr-x 1 root auth /usr/bin/skeyinit
-r-xr-sr-x 1 root _sshagnt /usr/bin/ssh-agent
-r-xr-sr-x 1 root kmem /usr/bin/systat
-r-xr-sr-x 1 root kmem /usr/bin/vmstat
-r-xr-sr-x 1 root tty /usr/bin/wall
-r-xr-sr-x 1 root tty /usr/bin/write
-r-xr-sr-x 1 root games /usr/games/atc
-r-xr-sr-x 1 root games /usr/games/battlestar
-r-xr-sr-x 1 root games /usr/games/canfield
-r-xr-sr-x 1 root games /usr/games/cfscores
-r-xr-sr-x 1 root games /usr/games/cribbage
-r-xr-sr-x 1 root games /usr/games/hack
-r-xr-sr-x 1 root games /usr/games/robots
-r-xr-sr-x 1 root games /usr/games/sail
-r-xr-sr-x 1 root games /usr/games/snake
-r-xr-sr-x 1 root games /usr/games/tetris
? -r-xr-sr-x 4 root _token /usr/libexec/auth/login_activ
? -r-xr-sr-x 4 root _token /usr/libexec/auth/login_crypto
? -r-xr-sr-x 1 root _radius /usr/libexec/auth/login_radius
? -r-xr-sr-x 1 root auth /usr/libexec/auth/login_skey
? -r-xr-sr-x 4 root _token /usr/libexec/auth/login_snk
? -r-xr-sr-x 4 root _token /usr/libexec/auth/login_token
-r-xr-sr-x 1 root smmsp /usr/libexec/sendmail/sendmail
X -r-xr-sr-x 1 root daemon /usr/sbin/lpc
X -r-xr-s--- 1 root daemon /usr/sbin/lpd
-r-xr-sr-x 1 root kmem /usr/sbin/pstat
|
janc
|
|
response 303 of 547:
|
May 20 15:43 UTC 2003 |
You know, this is the next Grex hardware item. I should probably move
future comments to a "software" item.
|
janc
|
|
response 304 of 547:
|
May 20 15:46 UTC 2003 |
I've got six processes busily copying files around on the SCSI drives. No
problems at all yet.
|
polytarp
|
|
response 305 of 547:
|
May 20 18:14 UTC 2003 |
You're great, janc.
|
cross
|
|
response 306 of 547:
|
May 20 21:31 UTC 2003 |
Regarding #304; Cool.
Regarding #303; My suggestion is to leave most of the `normal' binaries
that aren't on / (only ping, ping6, and shutdown are) alone and put
copies in /suid/{s,}bin, then put those directories in the user PATH
before the system default directories. As long as /usr and /usr/local
are mounted nosuid, it won't hurt anything if (mode & 06000) != 0 on
some files therein. It also makes it easier than trying to find what
was symlinked where when the system is upgraded.
Some suggestions: there's no reason to keep pstat, vmstat, systat,
modstat, netstat, etc executable by normal users. Definitely that's true
of fstat; that's a privacy violation waiting to happen. ssh-keysign
can be restricted to members. I don't see the need to strip the suid
bit off of shutdown, as that's only executable by root or users in
group operator, and there aren't likely to be many of the latter.
I would only put login_krb5 in /suid/sbin, as that's the only one
that's likely to be useful, if grex really moves to krb5. I would
further disable the skey stuff; I doubt anyone uses or would use it.
Certainly, authpf doesn't need to be executable by normal users, either.
Wall shouldn't be available to normal users, I don't think. If you go
with an alternate mailer like Postfix, then there's no reason to worry
about keeping sendmail sgid. Finally, the games are only sgid to write
high score files. Probably harmless, and I don't see why not to put
them in /suid/bin (or /suid/games, so they can be shut off easily if
there's a problem). Also, going with Kerberos means that stock `passwd'
can be disabled. /usr/bin/lock isn't likely to be useful if Kerberos
is used, either.
I wouldn't worry about ping and ping6 being suid since the only reason
they are is to send ICMP packets, and those would be blocked by the PF
rules preventing non-member users from sending random stuff out onto
the Internet. It's conceivable someone could find another hole in it,
but I think it's highly unlikely.
|
gull
|
|
response 307 of 547:
|
May 20 22:07 UTC 2003 |
Generally Grex doesn't let users use 'ping' at all, from what I've been
able to tell.
|
cross
|
|
response 308 of 547:
|
May 20 22:18 UTC 2003 |
Yes; my point is that the PF filters will take care of that without
modifying anything in the base-system filesystem.
|
gull
|
|
response 309 of 547:
|
May 20 22:19 UTC 2003 |
Ah, I see. But if no one who doesn't have root privilages is allowed to
use it anyway, why keep the setuid bit?
|
