imagine a world where every binary is capsicum enabled with libxo integration

no thanks :-)

why not?

not every program can or should be capsicum enabled

why not?

for some programs, opening random files in the filesystem during execution is kind of the point

oh true

can anyone recommend any books or other resources that deep dive on bhyve? i see "BHYVE: FreeBSD for Virtualization" from 2019.

I'm having trouble getting a usb audio device to work. I see "uaudio" and "pcm4" show up in messages/dmesg. I am running pulseaudio, and `pamixer --list-sinks` shows the USB device's name... But no sound.

Any idea what I'm missing?

markmcb: What aspects of bhyve?

does freebsd has a problem when you have a amd gpu and power usage is higher?

michaeldexter: anything that goes a bit deeper than the manual/handbook

I need a local network ftp server (for my shitty scanner), it should only have one user, and that user should only have access to a single directory. are there any good guides on setting this up? i've looked at ftpd(8), but now I found out I don't even have the ftpd executable

yourfate: probably just need to configure vsftpd or proftpd

i'm on 13.2 release, on a raspberry pi 4

you most likely don't even need FTP since that scanner won't support it

my scanner does SMB and FTP

sorry FTP over SSL is what I meant

but it seems with recent updates to smb on my pi that doesn't work anymore

and use SMB if you can due to the security risks of FTP

I can still access the smb share just fine from other machines

the scanners config page also says the smb share works fine, but it then can't save to it

ncftp

I an successfully store data on the share from other machines, using the same credentials the scanner has

portmaster ftp/ncftp

itll provide you with enough options to limit it anonymously to a single upload directory

ftp/ncftp3

default deny and permit everything you want

better options ... not in scope

is that short for netcat ftp?

no

ncftpd is on it own

got it... just thought that nc could mean netcat

thats the prob with abbrev

ftp/ncftp3/pkg-desc or |less on the makefile should show you whats going on

/usr/ports

websites involved

Is there any way to create a FreeBSD user with an @ symbol?

I need to do this for an email server that I am setting up

thats not posix so no

possible to create a alias for an email user yes. that it could be refferred to by a email server im unaware in 20+ years. exim seems to be highly modifiable tho knowing a user that created a business on it

Much Unix software will see @ as a special character separator, such as signalblue⊙se Even if you can do it, I do not recommend it. I would like to see the instructions you are reading that says to create such a user.

s/some.email/some.domain/

I'm not reading instructions that say to do this but I have four domains with same usernames for emails and I'm not quite sure how to handle this

yeah that would be breaking a standard there. "not that it shouldn't be done" but seriously take a "LOT" of time considering it

multiple domains not a prob for exim

for example info⊙dc, info⊙dc, etc.

unixman_home: you can do it, @ can be escaped without issues

What was that network directory software that was popular (mostly in military circles) prior to LDAP & Windows domains?

NIS?

No.

there is a mailops mailing list...

I mean, yes. . . . but that's not what I'm thinking of.

megaTherion, I know it can be escaped. But using it in a username? Just ... no. ;)

netware?

It used @s as namespace delimiters for navagating the directory.

exim and sendmail both have involvement

unixman_home: its totally legit for mailboxes

as well as postfix

and yes, jgh, I know that it's easy in Exim, but I am doing this in postfix and it's something I've done before

just not sure how right now

lol jgh netware

megaTherion, ah, okay. TIL, thanks.

because when an user adds the mailbox to their mail client, they'll need the full form email... and I'm not sure how best to enforce this

personally on some occasions i wouldn't mind having an email address translated to a twitter/X or insta account. but i won't go there

and have both conversations translated into DM's and email

not that kinda fan tho

i mean that seems pointless

Banyan Vines!

megaTherion, nm me. I am decaffeinated. I forgot that AD users get created under sssd on Linux as user@domain. Just remembered that.

not in todays must keep up with my friends dinner

I tried to setup sssd once. . . found it horribly documented.

The config file was so strange, I couldn't figure out what the comment characters were.

CrtxReavr, sssd is ... special. But it does work once one groks the setup.

nobody uses comments anymore except freebsd

;)

Title: xkcd: Git

CmdLnKid, you mean to place comments in the sssd.conf file?

hahahahaa

just a joke not elaborating to stay on subject

probaly not even the right word "elaborating" even spelling...

ARGH, the scanner also can't scan to FTP, even tho the ftp server works from other machines

i'm at a loss. I reset the scanner, its on the latest firmware, the web-ui of the scanner that tests the ftp / smb connections says they work

the target has more than enough space

ftp is pretty old but still legit kinda... a lot of stuff supports that

does the scanner login?

ye, next thing I want to do, run the ftpd interactively and watch it login

I think Anonymous FTP is okay for public file downloads.

wireshark...

yup either that or wireshark/tcpdump

Probably not a popular opinion.

CrtxReavr: i agree. ftp and http are fine for public files.

as long as you have a cryptographically sound method to confirm the authenticity of the file you download

ie: debian still uses http because they sign everything

sha256 sum should be good.

and an authentic source for the sha256 sum

ie: signed cksum files

Actually. . . FTP is a little wierd in how it uses two TCP connections. . . one for control and one for data.

yes old style

Then the whole thing with Active & Passive FTP can be a whole other pain point.

these days everything is shoved thru http

tftp is old style

Not everthing.

But a lot.

ftp was new kids on the block style

I've used way too much tftp in my life.

but I still keep an ftp, even in my private lan.. just for how easy and fast it is to access from various setups

i think it's hilarious how people fuss over ftp wanting a second parallel connection

you know http is a callback system?

you open a link, and you open a port and wait for a callback?

which is worse, really?

Demosthenex, I think it's less about two TCP sessions and more about the active/passive thing.

back with the same problem (forums.freebsd.org/threads/nfsv4-mo…-user-operation-not-permitted.89892)

can provide ktrace and tcpdump on pastebin

ftp-data 20/tcp #File Transfer [Default Data]

ftp 21/tcp #File Transfer [Control]

CrtxReavr: active/passive only says whether to have a control channel, or to try to "passively" do control inband with the transfer data

by not opening a second port

o_O

No. . . . active uses 20/tcp and passive uses pseudo-random ports.

wasnt it also about whom may establish the connection

I cant remember

off the top of my head, passive was to prevent a second port opening because most firewalls didn't like that

but i could have the mechanic wrong.

wasn't active an outbound connection to the client?

i thought it just tried to do everything on the one connection, which is why you have to hard kill broken downloads if they are hung, you can't send a control message while a file is flowig

and this was the issue when people began being behind routers

megaTherion: yeah, but really it should be harder to handle http than ftp ;]

it is, in fact

(to handle http correctly that is)

anyone, I have a question : why do you like FreeBSD ?

mascot

:) haha, nice answer

way better then a penguin

yeah, more cool

sandu, 1) base is an actual standalone OS 2) packages and ports are kept separate from base 3) poudriere 4) standardized logical file system layout 5) yeah, better mascot. I am sure there is more, but that is first off the top of my head. ;)

i use both linux and freebsd. i use slackware, which is a bsd-style linux os. i like freebsd, although is not my primary os, for its feeling of order it gives me, compared to the chaos of linux kernel

I use both as well. Typing this from a NUC running Devuan Linux right now. My other system runs FreeBSD.

great !

My server "in the cloud" runs FreeBSD as well.

nice

i think FreeBSD users/people are more mature, compared to the average debianites

At $work we mostly run Hed Rat Linux due to having an enterprise site license, with some other OSs in the mix based on vendor requirements, including FreeBSD. I am not going to comment on maturity of user bases though.

Ironic timing for saying "Hed Rat" there.

i like this very much :

BSD is what you get when a bunch of Unix hackers sit down to try to port a Unix system to the PC. Linux is what you get when a bunch of PC hackers sit down and try to write a Unix system for the PC.

but FreeBSD has a barrier of entry (unless you are greybeard and grew up with it), need to hack out of the box . example: (delete,home,end keys do not work for roots shell:)

from :

Title: BSD For Linux Users :: Intro

yes, vim

is around here a channel for tcp/ip / networking ?

sandu: #networking (or was it ##networking), if you mean it doesn't need to be freebsd related

would a username such as testATdomainname.com be standards compliant?

i would not think so though

signalblue: passwd(5) describes allowed user names

yuripv: i think i was able to sort out my issues with my mail server... i just need to do a lot of testing to confirm :)

so i'm learning about jails. but i'm wondering about logging. will the jail get its own /var/log/messages for system logs or will those go into the host /var/log/messages?

that information I think will get relayed to the hosts' log files polyex

Hi, does anyone know if there's something similar to Linux's autofs?. I need to be able to moung remote CIFS shares that for some reason gets disconnected from time to time. So far I have them mounted on /etc/fstab, but I have to re-mount periodically.

sorry i d/c

no prob, that information I think will get relayed to the hosts' log files polyex.

ahh

so jails don't get their own logging environment?

was kinda hoping to keep jails fully separate in the state they create, like log messages

but maybe i'm thinking about it wrong

Title: Chapter 17. Jails | FreeBSD Documentation Portal

A jail is characterized by four elements:

rather it may be the way you want because of this

Title: jails - Send syslog messages from within the jail to the host | The FreeBSD Forums

Only if you set them that way with their own syslogd instance, I believe.

wow jails are flexible

^^^

tyvm!!

extremely customizable

you can do it both ways... jails log internally or send logs to host

that socat things looks cool

martinrame, see "apropos automount".

meena what's socat?

V_PauAmma_V: thanks

polyex, the net/socat port. See freshports.org/net/socat (incidently, that site suggests a book on FreeBSD jails - no endorsement as I haven't read it).

Title: FreshPorts -- net/socat: Multipurpose relay and more

polyex: man.freebsd.org/socat(1)

Title: socat(1)

No straight forward way to change mouse icons in awesomwm + freebsd?

meena huh cool. could socat on a host proxy traffic from the outside to/from jails running on the host?

i… dunno

sorry, back

polyex: generally, if someone says proxy, I'm thinking http proxy, or ha-proxy, which can do more than just HTTP (by not giving a shit about the protocol)

oh i just meant any traffic. because jails can do more than just http

i don't use socat much, so I don't know, but I'd guess: "probably"

not very well, I think

RhodiumToad what do you recommend for production quality proxying (all protocols not just http) network between host and jails?

do any of the services you need to proxy need to parse incoming data to know what jail to connect to?

meena: to do what exactly?

RhodiumToad: mount syslogd sockets into jails… if that shouldn't turn out to be as dangerous as symlinks

RhodiumToad not sure. what if i said yes for some no for others?

rather than just having syslogs open more sockets?

*syslogd

RhodiumToad: reviews.freebsd.org/D27411

Title: ⚙ D27411 add altlog_jaillist to syslogd's rc script

polyex: for example, for http and https (or any ssl protocol) you need to accept the connection and parse far enough to get the requested hostname, yes?

yep

i'm guessing host shouldn't run a general purpose proxy, but a specialized 1 for each protocol i want to proxy into jails?

which you can do with things like nginx

ya

but for cases where only one jail has a service on a given port, you can forward that port to the jail using nat

ahh, like if only 1 jail is handling the finger service can just nat forward it ok

then what if i wanna be able to like, ping the different jails from the outside?

I'm assuming the host has just the one external ip. if you want each jail to have an ip reachable from outside, then you can do that with bridging

but that assumes the availability of multiple ips which may be problematic these days

ya only 1 external ip

so in that case any way to ping individual jails? i'm guessing not?

not with icmp pings.

so basically for the jail to get network behind a single external ip, it needs a service specific proxy, or it needs exclusive port ownership for forwarding. that right?

so basically for the jail to get network behind a single external ip, it needs a service specific proxy, or it needs exclusive port ownership for forwarding. that right?

right, but in theory it may be possible to have an ssl-specific proxy for protocols using ssl+sni

oh wow like secure dns? i think that has tls

I believe nginx can do stream-proxying using SNI to detect which endpoint to proxy to

meena: not sure I agree with mjg there

RhodiumToad: yeah, but i yielded to higher authority, and will go think about better ways of doing this eventually

RhodiumToad why not agree with mjg?

I don't think it's any more of a security problem than any other approach would be

Im trying to mount a kerberized nfsv4 mount in 13.2-release ... I can mount it, but if I try and ls, I get 'permission denied'

Im mounting as a nonprivledged user to a directory the user owns

the server doesn't think you have permission, most likely

Hummm why would it let me mount it using kerberos then?

mount -vvv -o sec=krb5p

it thinks you have permission to mount it, but not to read the root dir?

I use samba in DC mode for SSO... what's interesting, on every client if I do: id user@domain it shows the right groups, etc, but the UID is different on each client :/

And I'm noting that on some clients where mount is successful I get an nfs/... principal in my kerberos tickets, but I'm not getting that principal on the freebsd boxes

Solved! Required gssd to be enabled

gssd?

grats btw

Title: gssd(8)

Presumably maps kerberos tickets to permissions

Now, I have to make it work at boot :/

sysrc gssd_enable="YES" should suffice for gssd

Got it in rc.conf

I don't think fstab as any option to mount as a user other than root, though

s/as/has/

Linux's mount allows for a UID= and pass=

Not sure I love keeping a pass in fstab...

Presumably there's some way to have a secure NFS mount with more than just host IP whitelisting

you can mount with noauto from fstab sec=krb5

let user kinit then mount, at least used to work

and mounting as root in kerberos is not advised

But user can't kinit at boot

gssproxy i think is for that , and he can always manualy after boot

In this case, services run as the user and need access to the filesystem when the services start

gssproxy

I think I can export a key tab file and root can kinit against it at boot... but I'm currently failing at that

you can map staticaly map hosts file in the domain to a single user also

idmap.conf [Static] nfs/nfs-client.lan@LAN = someuser

on server that is

But the client still needs to get the principal, right?

no, it will use the hosts keytab

The server's key tab?

clients hosts keytab

i only done that with nfs though for auto mounting on boot , and linux clients . never on bsd ( but might be the same )

On the nfs server? Sorry not following

on nfs servers idmap.conf [Static] nfs/nfs-client.lan@LAN = someuser (nfs/nfs-client.lan@LAN) being the keytab of the client host

but look in to gssproxy , thats its purpose i think, actually authenticating for apps or use who cannot or do not want to kinit

Found this which is the only thing my google-fu found today that was directionally close... but for the life of me I can't get a ticket from my key tab file lists.freebsd.org/pipermail/freebsd…-questions/2016-October/274336.html

Title: Mounting Kerberized NFS at boot

RhodiumToad: You around?