00:53:50 <polyex> imagine a world where every binary is capsicum enabled with libxo integration
00:56:37 <RhodiumToad> no thanks :-)
00:56:47 <polyex> why not?
00:57:54 <RhodiumToad> not every program can or should be capsicum enabled
00:58:17 <polyex> why not?
00:58:48 <RhodiumToad> for some programs, opening random files in the filesystem during execution is kind of the point
01:36:29 <polyex> oh true
01:52:15 <markmcb> can anyone recommend any books or other resources that deep dive on bhyve? i see "BHYVE: FreeBSD for Virtualization" from 2019.
04:36:17 <ghoti> I'm having trouble getting a usb audio device to work. I see "uaudio" and "pcm4" show up in messages/dmesg. I am running pulseaudio, and `pamixer --list-sinks` shows the USB device's name... But no sound.
04:36:37 <ghoti> Any idea what I'm missing?
07:39:05 <michaeldexter> markmcb: What aspects of bhyve?
10:19:42 <omegathree> does freebsd has a problem when you have a amd gpu and power usage is higher?
13:19:57 <markmcb> michaeldexter: anything that goes a bit deeper than the manual/handbook
14:54:11 <yourfate> I need a local network ftp server (for my shitty scanner), it should only have one user, and that user should only have access to a single directory. are there any good guides on setting this up? i've looked at ftpd(8), but now I found out I don't even have the ftpd executable
14:54:49 <signalblue> yourfate: probably just need to configure vsftpd or proftpd
14:54:49 <yourfate> i'm on 13.2 release, on a raspberry pi 4
14:55:07 <signalblue> you most likely don't even need FTP since that scanner won't support it
14:55:21 <yourfate> my scanner does SMB and FTP
14:55:29 <signalblue> sorry FTP over SSL is what I meant
14:55:34 <yourfate> but it seems with recent updates to smb on my pi that doesn't work anymore
14:55:47 <signalblue> and use SMB if you can due to the security risks of FTP
14:55:49 <yourfate> I can still access the smb share just fine from other machines
14:56:03 <yourfate> the scanners config page also says the smb share works fine, but it then can't save to it
14:56:47 <CmdLnKid> ncftp
14:56:48 <yourfate> I an successfully store data on the share from other machines, using the same credentials the scanner has
14:56:58 <CmdLnKid> portmaster ftp/ncftp
14:57:33 <CmdLnKid> itll provide you with enough options to limit it anonymously to a single upload directory
14:57:54 <CmdLnKid> ftp/ncftp3
14:58:39 <CmdLnKid> default deny and permit everything you want
14:59:00 <CmdLnKid> better options ... not in scope
15:02:44 <signalblue> is that short for netcat ftp?
15:02:54 <CmdLnKid> no
15:03:10 <CmdLnKid> ncftpd is on it own
15:03:13 <signalblue> got it... just thought that nc could mean netcat
15:03:28 <CmdLnKid> thats the prob with abbrev
15:04:01 <CmdLnKid> ftp/ncftp3/pkg-desc or |less on the makefile should show you whats going on
15:04:07 <CmdLnKid> /usr/ports
15:04:25 <CmdLnKid> websites involved
15:04:40 <signalblue> Is there any way to create a FreeBSD user with an @ symbol?
15:04:52 <signalblue> I need to do this for an email server that I am setting up
15:05:17 <CmdLnKid> thats not posix so no
15:07:06 <CmdLnKid> possible to create a alias for an email user yes. that it could be refferred to by a email server im unaware in 20+ years. exim seems to be highly modifiable tho knowing a user that created a business on it
15:08:57 <unixman_home> Much Unix software will see @ as a special character separator, such as signalblue⊙se Even if you can do it, I do not recommend it. I would like to see the instructions you are reading that says to create such a user.
15:09:43 <unixman_home> s/some.email/some.domain/
15:09:55 <signalblue> I'm not reading instructions that say to do this but I have four domains with same usernames for emails and I'm not quite sure how to handle this
15:09:56 <CmdLnKid> yeah that would be breaking a standard there. "not that it shouldn't be done" but seriously take a "LOT" of time considering it
15:10:16 <jgh> multiple domains not a prob for exim
15:10:24 <signalblue> for example info⊙dc, info⊙dc, etc.
15:10:28 <megaTherion> unixman_home: you can do it, @ can be escaped without issues
15:10:39 <CrtxReavr> What was that network directory software that was popular (mostly in military circles) prior to LDAP & Windows domains?
15:10:53 <signalblue> NIS?
15:10:56 <CrtxReavr> No.
15:11:08 <CmdLnKid> there is a mailops mailing list...
15:11:09 <CrtxReavr> I mean, yes. . . . but that's not what I'm thinking of.
15:11:13 <unixman_home> megaTherion, I know it can be escaped. But using it in a username? Just ... no. ;)
15:11:17 <jgh> netware?
15:11:26 <CrtxReavr> It used @s as namespace delimiters for navagating the directory.
15:11:30 <CmdLnKid> exim and sendmail both have involvement
15:11:43 <megaTherion> unixman_home: its totally legit for mailboxes
15:11:45 <CmdLnKid> as well as postfix
15:11:56 <signalblue> and yes, jgh, I know that it's easy in Exim, but I am doing this in postfix and it's something I've done before
15:12:03 <signalblue> just not sure how right now
15:12:34 <CmdLnKid> lol jgh netware
15:12:35 <unixman_home> megaTherion, ah, okay. TIL, thanks.
15:12:36 <signalblue> because when an user adds the mailbox to their mail client, they'll need the full form email... and I'm not sure how best to enforce this
15:14:11 <CmdLnKid> personally on some occasions i wouldn't mind having an email address translated to a twitter/X or insta account. but i won't go there
15:14:51 <CmdLnKid> and have both conversations translated into DM's and email
15:15:14 <CmdLnKid> not that kinda fan tho
15:15:33 <signalblue> i mean that seems pointless
15:15:49 <CrtxReavr> Banyan Vines!
15:15:50 <unixman_home> megaTherion, nm me. I am decaffeinated. I forgot that AD users get created under sssd on Linux as user@domain. Just remembered that.
15:16:03 <CmdLnKid> not in todays must keep up with my friends dinner
15:16:34 <CrtxReavr> I tried to setup sssd once. . . found it horribly documented.
15:16:57 * unixman_home should not try to give advice before the third cup of coffee :P
15:17:00 <CrtxReavr> The config file was so strange, I couldn't figure out what the comment characters were.
15:17:33 <unixman_home> CrtxReavr, sssd is ... special. But it does work once one groks the setup.
15:17:42 <CmdLnKid> nobody uses comments anymore except freebsd
15:17:59 <CmdLnKid> ;)
15:20:11 <CrtxReavr> https://xkcd.com/1597/
15:20:12 <VimDiesel> Title: xkcd: Git
15:20:39 <unixman_home> CmdLnKid, you mean to place comments in the sssd.conf file?
15:20:46 <CmdLnKid> hahahahaa
15:21:19 <CmdLnKid> just a joke not elaborating to stay on subject
15:22:15 <CmdLnKid> probaly not even the right word "elaborating" even spelling...
15:27:52 <yourfate> ARGH, the scanner also can't scan to FTP, even tho the ftp server works from other machines
15:28:11 <yourfate> i'm at a loss. I reset the scanner, its on the latest firmware, the web-ui of the scanner that tests the ftp / smb connections says they work
15:28:20 <yourfate> the target has more than enough space
15:29:00 <megaTherion> ftp is pretty old but still legit kinda... a lot of stuff supports that
15:29:12 <megaTherion> does the scanner login?
15:29:29 <yourfate> ye, next thing I want to do, run the ftpd interactively and watch it login
15:29:35 <CrtxReavr> I think Anonymous FTP is okay for public file downloads.
15:29:40 <jgh> wireshark...
15:29:47 <megaTherion> yup either that or wireshark/tcpdump
15:29:49 <CrtxReavr> Probably not a popular opinion.
15:30:09 <Demosthenex> CrtxReavr: i agree. ftp and http are fine for public files.
15:30:28 <Demosthenex> as long as you have a cryptographically sound method to confirm the authenticity of the file you download
15:30:37 <Demosthenex> ie: debian still uses http because they sign everything
15:30:49 <CrtxReavr> sha256 sum should be good.
15:31:22 <Demosthenex> and an authentic source for the sha256 sum
15:31:26 <Demosthenex> ie: signed cksum files
15:32:44 <CrtxReavr> Actually. . . FTP is a little wierd in how it uses two TCP connections. . . one for control and one for data.
15:33:04 <megaTherion> yes old style
15:33:05 <CrtxReavr> Then the whole thing with Active & Passive FTP can be a whole other pain point.
15:33:15 <megaTherion> these days everything is shoved thru http
15:33:22 <CmdLnKid> tftp is old style
15:33:32 <CrtxReavr> Not everthing.
15:33:34 <CrtxReavr> But a lot.
15:33:44 <CmdLnKid> ftp was new kids on the block style
15:33:49 <CrtxReavr> I've used way too much tftp in my life.
15:33:50 <megaTherion> but I still keep an ftp, even in my private lan.. just for how easy and fast it is to access from various setups
15:34:01 <Demosthenex> i think it's hilarious how people fuss over ftp wanting a second parallel connection
15:34:07 <Demosthenex> you know http is a callback system?
15:34:15 <Demosthenex> you open a link, and you open a port and wait for a callback?
15:34:20 <Demosthenex> which is worse, really?
15:34:59 <CrtxReavr> Demosthenex, I think it's less about two TCP sessions and more about the active/passive thing.
15:35:38 <micdud> back with the same problem (https://forums.freebsd.org/threads/nfsv4-mounting-as-user-operation-not-permitted.89892/)
15:35:58 <micdud> can provide ktrace and tcpdump on pastebin
15:36:07 <CrtxReavr> ftp-data         20/tcp    #File Transfer [Default Data]
15:36:07 <CrtxReavr> ftp              21/tcp    #File Transfer [Control]
15:36:19 <Demosthenex> CrtxReavr: active/passive only says whether to have a control channel, or to try to "passively" do control inband with the transfer data
15:36:25 <Demosthenex> by not opening a second port
15:36:35 <CrtxReavr> o_O
15:36:58 <CrtxReavr> No. . . . active uses 20/tcp and passive uses pseudo-random ports.
15:37:16 <megaTherion> wasnt it also about whom may establish the connection
15:37:18 <megaTherion> I cant remember
15:37:40 <Demosthenex> off the top of my head, passive was to prevent a second port opening because most firewalls didn't like that
15:37:46 <Demosthenex> but i could have the mechanic wrong.
15:38:07 <megaTherion> wasn't active an outbound connection to the client?
15:38:19 <Demosthenex> i thought it just tried to do everything on the one connection, which is why you have to hard kill broken downloads if they are hung, you can't send a control message while a file is flowig
15:38:34 <megaTherion> and this was the issue when people began being behind routers
15:43:34 <Demosthenex> megaTherion: yeah, but really it should be harder to handle http than ftp ;]
15:43:59 <megaTherion> it is, in fact
15:44:29 <megaTherion> (to handle http correctly that is)
19:03:25 <sandu> anyone, I have a question : why do you like FreeBSD ?
19:03:43 <micdud> mascot
19:03:56 <sandu> :) haha, nice answer
19:03:57 <micdud> way better then a penguin
19:04:05 <sandu> yeah, more cool
19:07:37 <unixman_home> sandu, 1) base is an actual standalone OS 2) packages and ports are kept separate from base 3) poudriere 4) standardized logical file system layout 5) yeah, better mascot. I am sure there is more, but that is first off the top of my head. ;)
19:09:09 <sandu> i use both linux and freebsd. i use slackware, which is a bsd-style linux os. i like freebsd, although is not my primary os, for its feeling of order it gives me, compared to the chaos of linux kernel
19:10:25 <unixman_home> I use both as well. Typing this from a NUC running Devuan Linux right now. My other system runs FreeBSD.
19:11:09 <sandu> great !
19:11:10 <unixman_home> My server "in the cloud" runs FreeBSD as well.
19:11:17 <sandu> nice
19:11:48 <sandu> i think FreeBSD users/people are more mature, compared to the average debianites
19:13:16 <unixman_home> At $work we mostly run Hed Rat Linux due to having an enterprise site license, with some other OSs in the mix based on vendor requirements, including FreeBSD. I am not going to comment on maturity of user bases though.
19:15:31 <mason> Ironic timing for saying "Hed Rat" there.
19:16:05 <sandu> i like this very much :
19:16:10 <sandu>  BSD is what you get when a bunch of Unix hackers sit down to try to port a Unix system to the PC. Linux is what you get when a bunch of PC hackers sit down and try to write a Unix system for the PC.
19:16:13 <micdud> but FreeBSD has a barrier of entry (unless you are greybeard and grew up with it), need to hack out of the box . example: (delete,home,end keys  do not work for roots shell:)
19:16:20 <sandu> from :
19:16:25 <sandu> https://www.over-yonder.net/~fullermd/rants/bsd4linux/01
19:16:26 <VimDiesel> Title: BSD For Linux Users :: Intro
19:16:37 <sandu> yes, vim
19:29:34 <sandu> is around here a channel for tcp/ip / networking ?
19:33:12 <la_mettrie> sandu: #networking (or was it ##networking), if you mean it doesn't need to be freebsd related
19:39:38 <signalblue> would a username such as testATdomainname.com be standards compliant?
19:39:49 <signalblue> i would not think so though
19:49:26 <yuripv> signalblue: passwd(5) describes allowed user names
19:56:09 <signalblue> yuripv: i think i was able to sort out my issues with my mail server... i just need to do a lot of testing to confirm :)
19:59:18 <polyex> so i'm learning about jails. but i'm wondering about logging. will the jail get its own /var/log/messages for system logs or will those go into the host /var/log/messages?
20:08:11 <signalblue> that information I think will get relayed to the hosts' log files polyex
20:08:53 <martinrame> Hi, does anyone know if there's something similar to Linux's autofs?. I need to be able to moung remote CIFS shares that for some reason gets disconnected from time to time. So far I have them mounted on /etc/fstab, but I have to re-mount periodically.
20:10:02 <polyex> sorry i d/c
20:10:15 <signalblue> no prob, that information I think will get relayed to the hosts' log files polyex.
20:10:40 <polyex> ahh
20:10:48 <polyex> so jails don't get their own logging environment?
20:11:06 <polyex> was kinda hoping to keep jails fully separate in the state they create, like log messages
20:11:11 <signalblue> https://docs.freebsd.org/en/books/handbook/jails/
20:11:12 <polyex> but maybe i'm thinking about it wrong
20:11:13 <VimDiesel> Title: Chapter 17. Jails | FreeBSD Documentation Portal
20:11:15 <signalblue> A jail is characterized by four elements:
20:11:49 <signalblue> rather it may be the way you want because of this
20:11:49 <signalblue> https://forums.freebsd.org/threads/send-syslog-messages-from-within-the-jail-to-the-host.88059/
20:11:50 <VimDiesel> Title: jails - Send syslog messages from within the jail to the host | The FreeBSD Forums
20:12:06 <V_PauAmma_V> Only if you set them that way with their own syslogd instance, I believe.
20:12:28 <polyex> wow jails are flexible
20:12:32 <signalblue> ^^^
20:12:33 <polyex> tyvm!!
20:12:38 <signalblue> extremely customizable
20:13:05 <signalblue> you can do it both ways... jails log internally or send logs to host
20:17:31 <meena> that socat things looks cool
20:18:00 <V_PauAmma_V> martinrame, see "apropos automount".
20:22:26 <polyex> meena what's socat?
20:28:12 <martinrame> V_PauAmma_V: thanks
20:32:14 <V_PauAmma_V> polyex, the net/socat port. See https://www.freshports.org/net/socat/ (incidently, that site suggests a book on FreeBSD jails - no endorsement as I haven't read it).
20:32:15 <VimDiesel> Title: FreshPorts -- net/socat: Multipurpose relay and more
20:32:46 <meena> polyex: https://man.freebsd.org/socat(1)
20:32:47 <VimDiesel> Title: socat(1)
21:00:55 <Beladona> No straight forward way to change mouse icons in awesomwm + freebsd?
21:02:28 <polyex> meena huh cool. could socat on a host proxy traffic from the outside to/from jails running on the host?
21:02:53 <meena> i… dunno
21:04:18 <polyex> sorry, back
21:06:17 <meena> polyex: generally, if someone says proxy, I'm thinking http proxy, or ha-proxy, which can do more than just HTTP (by not giving a shit about the protocol)
21:07:05 <polyex> oh i just meant any traffic. because jails can do more than just http
21:10:28 <meena> i don't use socat much, so I don't know, but I'd guess: "probably"
21:10:38 <RhodiumToad> not very well, I think
21:11:58 <polyex> RhodiumToad what do you recommend for production quality proxying (all protocols not just http) network between host and jails?
21:13:03 <RhodiumToad> do any of the services you need to proxy need to parse incoming data to know what jail to connect to?
21:13:17 * meena wants mount -o nullfs for sockets
21:13:55 <RhodiumToad> meena: to do what exactly?
21:14:38 <meena> RhodiumToad: mount syslogd sockets into jails… if that shouldn't turn out to be as dangerous as symlinks
21:15:07 <polyex> RhodiumToad not sure. what if i said yes for some no for others?
21:15:10 <RhodiumToad> rather than just having syslogs open more sockets?
21:15:15 <RhodiumToad> *syslogd
21:15:46 <meena> RhodiumToad: https://reviews.freebsd.org/D27411
21:15:47 <VimDiesel> Title: ⚙ D27411 add altlog_jaillist to syslogd's rc script
21:15:58 <RhodiumToad> polyex: for example, for http and https (or any ssl protocol) you need to accept the connection and parse far enough to get the requested hostname, yes?
21:16:17 <polyex> yep
21:16:46 <polyex> i'm guessing host shouldn't run a general purpose proxy, but a specialized 1 for each protocol i want to proxy into jails?
21:16:49 <RhodiumToad> which you can do with things like nginx
21:17:23 <polyex> ya
21:17:27 <RhodiumToad> but for cases where only one jail has a service on a given port, you can forward that port to the jail using nat
21:18:00 <polyex> ahh, like if only 1 jail is handling the finger service can just nat forward it ok
21:18:12 <polyex> then what if i wanna be able to like, ping the different jails from the outside?
21:18:59 <RhodiumToad> I'm assuming the host has just the one external ip. if you want each jail to have an ip reachable from outside, then you can do that with bridging
21:19:46 <RhodiumToad> but that assumes the availability of multiple ips which may be problematic these days
21:23:07 <polyex> ya only 1 external ip
21:23:19 <polyex> so in that case any way to ping individual jails? i'm guessing not?
21:23:48 <RhodiumToad> not with icmp pings.
21:29:55 <polyex> so basically for the jail to get network behind a single external ip, it needs a service specific proxy, or it needs exclusive port ownership for forwarding. that right?
21:30:58 <polyex> so basically for the jail to get network behind a single external ip, it needs a service specific proxy, or it needs exclusive port ownership for forwarding. that right?
21:35:28 <RhodiumToad> right, but in theory it may be possible to have an ssl-specific proxy for protocols using ssl+sni
21:35:43 * RhodiumToad hasn't tried that
21:36:21 <polyex> oh wow like secure dns? i think that has tls
21:39:38 <RhodiumToad> I believe nginx can do stream-proxying using SNI to detect which endpoint to proxy to
21:44:57 <RhodiumToad> meena: not sure I agree with mjg there
21:50:20 <meena> RhodiumToad: yeah, but i yielded to higher authority, and will go think about better ways of doing this eventually
21:58:28 <polyex> RhodiumToad why not agree with mjg?
22:03:40 <RhodiumToad> I don't think it's any more of a security problem than any other approach would be
22:12:09 <SpaceBass> Im trying to mount a kerberized nfsv4 mount in 13.2-release ... I can mount it, but if I try and ls, I get 'permission denied'
22:12:25 <SpaceBass> Im mounting as a nonprivledged user to a directory the user owns
22:12:55 <RhodiumToad> the server doesn't think you have permission, most likely
22:13:20 <SpaceBass> Hummm why would it let me mount it using kerberos then?
22:13:35 <SpaceBass> mount  -vvv -o sec=krb5p
22:15:13 <RhodiumToad> it thinks you have permission to mount it, but not to read the root dir?
22:15:16 <SpaceBass> I use samba in DC mode for SSO... what's interesting, on every client if I do: id user@domain it shows the right groups, etc, but the UID is different on each client :/
22:19:44 <SpaceBass> And I'm noting that on some clients where mount is successful I get an nfs/... principal in my kerberos tickets, but I'm not getting that principal on the freebsd boxes
22:24:09 <SpaceBass> Solved! Required gssd to be enabled
22:24:22 <polyex> gssd?
22:24:25 <polyex> grats btw
22:24:59 <SpaceBass> https://man.freebsd.org/cgi/man.cgi?query=gssd&sektion=8&manpath=FreeBSD+8.0-RELEASE
22:25:00 <VimDiesel> Title: gssd(8)
22:25:09 <SpaceBass> Presumably maps kerberos tickets to permissions
22:31:44 <SpaceBass> Now, I have to make it work at boot :/
22:33:00 <RhodiumToad> sysrc gssd_enable="YES"   should suffice for gssd
22:33:17 <SpaceBass> Got it in rc.conf
22:34:05 <RhodiumToad> I don't think fstab as any option to mount as a user other than root, though
22:34:10 <RhodiumToad> s/as/has/
22:34:57 <SpaceBass> Linux's mount allows for a UID= and pass=
22:35:10 <SpaceBass> Not sure I love keeping a pass in fstab...
22:35:42 <SpaceBass> Presumably there's some way to have a secure NFS mount with more than just host IP whitelisting
23:13:44 <micdud> you can mount  with noauto from fstab sec=krb5
23:14:14 <micdud> let user kinit then mount, at least used to work
23:17:24 <micdud> and mounting as root in kerberos is not advised
23:20:58 <SpaceBass> But user can't kinit at boot
23:21:41 <micdud> gssproxy  i think is for that , and he can always manualy after boot
23:22:02 <SpaceBass> In this case, services run as the user and need access to the filesystem when the services start
23:22:35 <micdud> gssproxy
23:22:40 <SpaceBass> I think I can export a key tab file and root can kinit against it at boot... but I'm currently failing at that
23:23:33 <micdud> you can map staticaly map hosts file in the domain to a single user also
23:25:03 <micdud> idmap.conf  [Static] nfs/nfs-client.lan@LAN = someuser
23:25:55 <micdud> on server that is
23:26:17 <SpaceBass> But the client still needs to get the principal, right?
23:26:35 <micdud> no, it will use the hosts keytab
23:26:45 <SpaceBass> The server's key tab?
23:27:03 <micdud> clients hosts keytab
23:27:54 <micdud> i only done that with nfs though for auto mounting  on boot , and linux clients . never on bsd  ( but might be the same )
23:27:55 <SpaceBass> On the nfs server? Sorry not following
23:28:42 <micdud> on nfs servers idmap.conf  [Static] nfs/nfs-client.lan@LAN = someuser        (nfs/nfs-client.lan@LAN) being the keytab of the client host
23:31:16 <micdud> but look in to gssproxy , thats  its purpose i think, actually authenticating for apps or use who cannot or do not want to kinit
23:33:31 <SpaceBass> Found this which is the only thing my google-fu found today that was directionally close... but for the life of me I can't get a ticket from my key tab file https://lists.freebsd.org/pipermail/freebsd-questions/2016-October/274336.html
23:33:32 <VimDiesel> Title: Mounting Kerberized NFS at boot
23:42:28 <_xor> RhodiumToad: You around?