Title: FreeBSD Journal DE May/June 2023

Q. Is there a shorthand to `su` to another user, but using a non-default shell? I basically wants effects of `-m` (w.r.t. env vars), but using /bin/sh instead of the default /usr/sbin/nologin.

Err. The effects of `-l`.

Ideally `-l`. But `-m` works.

I just realized I mangled two questions into one.

1) Using an alternative shell as another user.

2) Wiping env vars, login shell-esque.

I know there's `doas` in ports, but I'm looking for something in the core system. If possible.

su user; exec /whatever/shell; . /shell/rc

parv: `su user` won't work when the account has /usr/sbin/nologin.

I guess I can with `-m`.

But that still leaves all the old envvars.

(tl;dr I need to do some tasks as `www`)

I could temporarily `chsh` it, but I'm asking about a different solution, something more elegant.

There is allowance for a specific login class via "-c" option

Just noticed "-l" & "-m" options are mutually exclusive

They are, yes.

(-lm & -ml was the first thing I tried)

I still get "This account is not currently available." if I just try -c. `-m -c` does not clear env vars.

DarkUranium: you could take a look at what rc.subr does

(short answer: It commits crimes.)

lmao

here's a snippet: limits -C $_login_class $_limits nice -n $_nice setfib -F $_fib env $_env chroot -u $_user -g $_group -G $_groups $_chroot command...

and that's a sanitized version

i think env wipes the ENV, but I'm not a 100% on that

i think I copied the wrong line

oh, right, env -i PATH=$PATH HOME=/home/user su -m -c /bin/sh -c blah should give you a clean environment

note that we execute env -i to clear the environment, and su -m to leave it unmodified

DarkUranium: that criminal enough to work for you?

prob want to set TERM too

llua: i haven't scrolled back far enough to figure out what they're trying to do. I just provided an example

wtf.

llua: and USER+GROUP

DarkUranium: probably a wise choice given the amount of hacks you'd have to layer on top of each other to make this work.

I feel like FreeBSD *should* have something of this sort in the core.

Akin to GNU's `su -s`

(not a fan of GNU normally, but that's one of the first things I ever missed!)

DarkUranium: patches welcome… I'm busy with planning to rip out all of /etc/rc.* and burn it down in a cleansing ritual

lmao

(alternatively, `doas` in core would also work, but y'know)

maybe replace it with something less sh-it. but first, I just want to burn it all down.

Understandable.

Well, rc.d isn't too bad. But a lot of the rest is.

have you read /etc/rc.subr?

I wish I hadn't.

What I mean is, the service stuff in /etc/rc.d isn't too bad.

i say that every time i do

Ha.

Obviously, you should just switch to systemd (/s)

yeah, that's not too bad, but some services do waaaaaaaaay too much

(lots and lots of /s)

Fair.

DarkUranium: systemd isn't too bad. I just don't like the design, the implementation, the documentation and the community management.

the idea is okay, but the idea is nothing new, and probably something we desperately need.

Solaris has had it for 10? 15? years? When was Solaris 10 released?

Windows (NT) has had it since probably … ever.

and AIX. Not that this is any form of recommendation

jgh: yeah, i've used AIX for about 2 weeks, and that was more than enough.

OTOH, that might have had to do with the environment i was in…

Mmm aix

mmmm aix

AIX and pains

i'd say it's the gold standard for what it does. but its only a server, not a desktop.

boring. stable. unchanging.

really wish more of my customers made the low end systems all freebsd, with critical big produciton on aix. it'd be a remarkable world

they can keep linux on the desktop, where it only affects one user at a time

since that's been the goal of all the linux distros. dumb linux down until it's only suitable as a desktop

i'm surprised between gnome and systemd they didn't just say "run everything as root, we only want single user anyway"

Has anyone managed to get Passbolt to run successfully on FreeBSD?

(or, alternatively, know of good self-hosted password managers)

DarkUranium: pwsafe.

Seems to be Windows-only?

Title: GitHub - nsd20463/pwsafe: commandline tool compatible with Counterpane's Passwordsafe

single binary. single file. only clipboard integration.

no hosting, no servers, no browsers, no web servers, no networking, no frills.

DarkUranium, I use keepassxc.

it's a pkg too! nice. pwsafe-0.2.2.b.196

Demosthenex: well, I need something that works on my phone + desktop + laptop. hence, hosted.

syncthing + pwsaf.e

i can't endorse any network enabled password manager. it's just a disaster waiting to happen

first post freebsd-update ... the console is hung after "32-bit compatibility ldconfig path: /usr/lib32" ... no errors I can see ... do I just power cycle again and hope for the best?

*first reboot

markmcb: from what to what?

13.2-p0 to p1

try again, and if that doesn't work, bectl back a version

ok, will do, thanks

Demosthenex: I use Seafile, but that's kind of a problem for Android.

i hadn't seen that one before

i was using nextcloud... but i'm about to ditch it

Demosthenex: it booted after the 2nd power cycle, thanks

i think that i can replace it with radicale, syncthing, and keep ejabberd

+1 for Syncthing

markmcb: i was hesitant regarding syncthing

but after i reviewed it a bit more, it seems ok

my nextcloud instance on devuan is STUCK at v23, and v26 is current. they provide no upgrade path at all

i'd need to upgrade 23 to 24, 24 to 25, 25 to 26. and that requires a php upgrade which i can't do because that devuan is out of support, completely

i've been running syncthing for years with 20TiB+ data, it's been solid for me

it's not worth the hassle to do a manual compile/install

markmcb: i was suspicious of the server, port forwarding, whether it was also diseased with webdav, etc.

i think my only lingering reservation is that it uses go

one thing i've noticed is it seems slower to notice file changes on freebsd vs. linux. i don't know all the file watching details, so not sure why. everything else seems the same.

markmcb: may need to check what technique it's using to watch for changes. inotify, etc. its different on linux vs freebsd

yeah, kqueue i believe is the freebsd mechanism. it's not bad, but i've noticed if i change a few big files at the same time, it can be several minutes before ST on freebsd notices and begins to act. not sure if that's a watching issue, or something else going on. it all still works fine though. so it's a minor gap.

i think for mobile sync ST shouldn't react instantly

anyway, nextcloud has been such high maintenance and flips over versions so fast, and my users really only used the web interface to exchange files on occasion, i think i can do better to separate ejabberd to standalone, syncthing for files if needed, and radicale for caldav/carddav sync

worst part is the addon apps for nextcloud seem to break every version upgrade, so it's really high maint

guess i shouldn't expect much from php :P

not sure who handles the website, but the RSS links on the security feed have an extra "/" after the domain, e.g., freebsd.org//security/advisories/FreeBSD-SA-23:05.openssh.asc

it made the cli browser "links" get stuck in a redirect loop

I submitted a bug: bugs.freebsd.org/bugzilla/show_bug.cgi?id=272132

Title: 272132 – Extra Slash in RSS Feed Item Links

Does that make me an official FreeBSD'er? lol

markmcb: that shouldnt matter

it does because it triggers a redirect on the server

i.e., open that double slash link and you'll see it redirect to the correct single slash URL

if you open it in links, you'll get: Error loading freebsd.org//security/advisories/FreeBSD-SA-23:05.openssh.asc: Cyclic redirect

That's a feature not a bug

kqueue as a file change notification mechanism only works well on small trees

the lack of a mechanism that works on large trees is a source of constant annoyance, to me at least

can anyone explain how to fix this error? ibb.co/xGWw4fW

Title: vmplayer-X16-PWp-AUx-P hosted at ImgBB — ImgBB

what's the error?

usb ethernet card link state toggles between up and down very quickly

I mean, it's reporting that the ethernet dongle is reporting that the link state is changing

is the cable properly connected? is the device on the other end good?

is it just a warning message?

yes, i tested the usb ethernet adapter in windows and it works fine there

what type of device?

i tested it on an intel mini PC and also in vmware using a virutal machine

what type of device is the ethernet adapter?

USB

gigabit

usbconfig -d ugenX.Y dump_device_desc (use usbconfig on its own to see the ugen* ids by device)

cpet: not sure if you're joking or not, but i'm fairly certain a path starting with // is invalid as that is reserved for the authority component, i.e., /path//to/file is ok, but //path/to/file is not

what'

what's the command to force an adapter to get an IP address via DHCP?

dhclient ue0 worked

markmcb, As a practical matter I do not see any error with lynx (you mentioned lynx) with that URL. It gets the redirect, follows it, and then displays the contents. Works for me.

rwp: i used links, no lynx

links not lynx. Gotcha. I can reproduce the problem. This appears to me like a bug in links.

perhaps. it's still a malformed URL regardless

a redirect should not be required

can someone gets weigh in on this bug bugs.freebsd.org/bugzilla/show_bug.cgi?id=272129 ?

Title: 272129 – rc.d/kld should run before rc.d/sysctl

I definitely agree that if the source is fixed to not include the troublesome //security then the problem will be avoided.

the claims in reviews.freebsd.org/D25601 feel counter to everything I've read here, and in rc.conf(5) and loader.conf(5)

Title: ⚙ D25601 rc.d/kld: Set sysctls after loading modules.

rwp: just did a curl -I. the redirect looks correct, i.e., 301 with the correct path. so you're right, it's probably a links bug too

chris@daemon:~ % cd //

chris@daemon:/ % cd ///

chris@daemon:/ % cd ////////

chris@daemon:/ %

you sure about that ?

that's not a URL :)

cpet: not sure if you're joking or not, but i'm fairly certain a path starting with // is invalid as that is reserved for the authority component, i.e., /path//to/file is ok, but //path/to/file is not

now youre mentioning URL's

cpet, Also a caution that in file system namespace exactly two slashes at the front "//foo" is special because that designates the next thing to be a hostname in some network file system environments in a system dependent or system defined context.

But markmcb is talking about URLs and in the source HTML emitted whether it is pedantically allowed there or not having that cleaned up would avoid the problem with links entirely.

And then I think additionally links is not handling the redirect correct. I did not look at the code but it appears by behavior that it has a / on the end of the hostname and then appends the Location redirect header location to it.

bleh he said path path != URL

How come I understood that it was a URL all along then? (shrug)

cpet: path is a component of a URL

is it now ?

It is described that way. Yes. en.wikipedia.org/wiki/URL

Title: URL - Wikipedia

A path component, consisting of a sequence of path segments separated by a slash (/). A path is always defined for a URI, though the defined path may be empty (zero length). A segment may also be empty, resulting in two consecutive slashes (//) in the path component. A path component may resemble or map exactly to a file system path but does not always imply a relation to one. If an authority component is defined, then the path

component must either be empty or begin with a slash (/). If an authority component is undefined, then the path cannot begin with an empty segment—that is, with two slashes (//)—since the following characters would be interpreted as an authority component.[18]

I'm updating a FreeBSD 13.1 host to 13.2 - does not boot. I get "Mounting from zfs:zroot/ROOT/FOO failed with error 6" - it boots fine back into 13.1 using that old BE. It was suggested it might be an old ZFS label. Details at twitter.com/vmisev/status/1671532851462914048

Historically the reason why file system //something is special is Apollo Domain Aegis OS used it for their networked file system. And so POSIX wrote that as allowed into the standard spec. Though no living OS uses it that way now I suspect that some day some OS will start using it that way again.

Title: Vladimir Mišev on Twitter: "@DLangille pls see: t.co/OTo1FJknGt" / Twitter

ok cool

markmcb: looks like it's just links incorrectly handling redirects? the header looks fine and it works with any other browser

twitter is a sin of all sins

or something

Two problems: 1) URL format problem 2) links redirect handling problem

im sure the PR is enough and itll get fixed when it gets fixed

moving along

I admit to being quite annoyed with the terseness of "failed with error 6" which I have seen myself before too.

It looks like the system is a GPT system. The GPT labels appear to be null, listed as "(null)" there, so no idea what was used to create the pool.

in what context?

Context: bugs.freebsd.org/bugzilla/show_bug.cgi?id=271989

Title: 271989 – zfs root mount error 6 after upgrade from 11.1-release to 13.2-release

Oh, it's nvd0p3 and nvd1p3 using the disk slices. Gotcha. Those are probably stable but can move. Using GPT labels is a recommended best-practice to avoid that but either should work okay.

Going directly from 11 to 13 skipping 12 makes me too nervous for words though. If it were me I would upgrade from 11 to 12 verify things are happen, zpool upgrade at that point, verify still happy, then upgrade from 12 to 13.

dvl, Is there a reason to skip 12? That would seem to be the more well traveled path.

that wouldn't have helped

rwp: I am not skipping 12. The PR is not mine.

rwp: It was suggested it MIGHT apply to my situation.

I have booted with zfs debug on. Reading my screen shots from that now.

rwp: FYI, those are not my disks either. ;)

I am getting guid mismatch on boot.

Title: Dan Langille @dvl⊙bn on Twitter: "@vmisev This does not seem reasonable. guid mismatch t.co/2SQtkGh8iG" / Twitter

can you show the messages around the very first attach

RhodiumToad: I may have missed them, but I have more screen shots to share

RhodiumToad: first one I got: twitter.com/DLangille/status/1671571405672939537

Title: Dan Langille @dvl⊙bn on Twitter: "@vmisev I'll now post all the screen shots I have, in order. 1.07.16 PM t.co/GXYlgukAoQ" / Twitter

running out of battery here This is going on hold until later. I will read what you say later. Thanks.

i see the release notes for major releases. is there something similar for p1, p2, etc.? or just the errata on the release notes?

Security notes are for patch releases

got it. so there's no consolidated view of everything that changed with 13.2-RELEASE-p1 on the site, it's just the collection of advisories?

Isn't that what a patch release is ?

I don't know. This is my first patch with FreeBSD. The system gave a list of everything changing when I did the update. I'm just wondering if there's a web link to something similar, i.e., "p1" resource. As far as I can tell, there is not.

the problem i reported earlier appears to be in opnsense, not freebsd

Title: USB Ethernet Link toggles between up and down repeatedly · Issue #6628 · opnsense/core · GitHub

6628 – Tyan Tomcat III locks SMP-GENERIC kernel, 3.0-980426-SNAP bugs.freebsd.org/bugzilla/show_bug.cgi?id=6628

with packages like samba413 / samba416 etc, can I tell pkg to just install the latest, and also upgrade to newer ones?

like just, samba-latest

when the version number is part of the package name like that, it means that the packages are not compatible

i.e. you can't substitute samba416 if some other program depends on samba413 (whether you can install both at once depends on the package)

hm right

whereas foo-1.2 and foo-2.2 are expected to be compatible and will automatically be upgraded to the latest

hrm, anyone know a log analyzer that isn't some enormous webstack? maybe like visidata for syslog?

cat grep sed color codes and beer

cpet: i agree with you, i view at cli all day. but others have to view them sometimes too, and i don't want to setup something huge like greylog or ELK

Automate pf does a very good job at keeping those out

RhodiumToad, upgrading across major versions sounds rather dangerous to me

meena: ?

RhodiumToad: it was about "whereas foo-1.2 and foo-2.2 are expected to be compatible and will automatically be upgraded to the latest"

either way, I think I'm giving up on flua as shell script replacement tonight

huh

just an observation, the user groups page is a graveyard of bad links. the first three i clicked on were dead.

RhodiumToad: i'm way out of practice with lua, and some things are kinda surprising… like, there's no string split function