how would i sensibly restrict an ssh user to 4-5 specific commands like sftp and rsync?

some programs might still have some escape hatch, on linux i have some hacked-together namespacing program that maps everything out

i'm running xfce and i cant figure out how to do privilege escalation

like running gui apps that require sudo to change stuff

or mounting drives in thunar and stuff like that

has someone used jails to restrict ssh users?

nero: what's your current approach?

The jail would have to contain everything that the ssh user would need on a functional system.

meena: a self-written Linux-specific program that creates a chroot with some static binaries in it

but its Linux, and i want a similar thing on FreeBSD so i can have the full ZFS experience

i like how both of the commands have shell escapes to run other commands

nero: you could do the same with FreeBSD, or you could create jails that only have specific commands

meena: i'd be happy if someone has seen prior work

im 90% confident both Hetzner Storage and rsync.net have such a thing already

nero: check the wiki, search the web, i have to goto bed.

good night

i should've gone to bed 2 hours ago

$ipfw -q pipe 1 config bw 2800Kbits/s queue 10Kbytes Is there a queue limit used for this command?

on a fresh installed I did a pkg clean -a && pkg upgrade -f, now I get a ld-elf.so.1: Shared object "libssl.so.111" not found, required by "pkg"

derzahl: pkg bootstrap -f

grmbl

damarusama: pkg bootstrap -f

you did make delete-old-libs before you did pkg upgrade

no

should I ?

the pkg bootstrap -f re-installed the pkg package, but the same libssl.so.111 still comes back

this is on freebsd14 armv6

docs.freebsd.org/en/books/handbook/kernelconfig/#kernelconfig > section To build a file which contains all available options, run the following command as root: || Updating LINT but empty where is the all options ?

Title: Chapter 10. Configuring the FreeBSD Kernel | FreeBSD Documentation Portal

and doesn't see arch so I'm checking from within amd64 directory.

vxwarlock: what are you trying to do/learn?

he meena > I want to compile kernel about IPFW feature and I wanted to see all available options and device list. It used to write in lint, but now it doesn't. I guess I can't.

sorry hi meena

How can I access the full list of supported options when compiling the kernel?

vxwarlock: sys/conf/NOTES + sys/<arch>/conf/NOTES

(and for i386/amd64, sys/x86/conf/NOTES, it seems)

the documentation needs updating, yes

yuripv I found it ın .usr.src.sys.conf.NOTES inside

thanks for helping

previously it was sys/conf/LINT

vxwarlock, Does you IRC client do some "odd" thing if you were to use "/" instead of "." in ".usr.src.sys.conf.NOTES"?

/sys

my does not :)

In any case, it's time for me to go ...

parv > my mistake I wrote that wrong . /

classic irc clients use /commands, but only on the first word

ircII seem which does not support /commands:

*** Unknown command: COMMANDS

no kiddin

you'll need a script ... or a diff irc client

there are a few famous ones out there but you'll need some google foo

think LiCe5 is what i was thinking of

if your heart is in scripting out ircii ... then thats for you

otherwise ... irssi

Title: Dropbox Capture

checkpoint, try good old BitchX

Also, Catgirl is a very nice, simple text based IRC client.

"Screenshot: imagine, if you will, text on a screen, next to names in a selection of colours."

hah

and thats when they are turned into beef

Plasmoduck some years you don't have port for it

bitchx-1.2.1_3,1 Feature-rich scriptable IRC client

actually we've o/

ircii-20210314 Small and high extensible IRC client

and ircII too

do with it what you will

i could cook dinner with it, but then I'd still need to cook another dinner for my daughter.

splurge

be sure to slap a few nicks with it first. have to make sure its tender

good idea

Dereckson, freshports.org/irc/catgirl

Title: FreshPorts -- irc/catgirl: TLS-only terminal IRC client

tls only

sheesh! talk about limitations

Yes, why would you not use tls?

good luck connecting to EFnet

nothing wrong with that but why not include connecting to everything but a switch to enforce tls or quit thats in your control

seems pointless to exclude valid connections

not really freebsd philosify

however you spell that

take a irc standard and exclude half the internet of irc makes sense

CmdLnKid: Doesn't sound like freebsd philosophy to be so condescending, either.

yeah thanks for the correction

You're welcome, for both the spelling and attitude correction. :)

sorry im not very limitation friendly

It's not a freebsd-imposed limitation. If the user wants their system to have limited functionality, that's their choice, and it's a valid one.

I can see lots of cases where I don't want my system to even be capable of unencrypted connections.

thats so easy to do tho. firewalls are a blessing

and yes i know ... you can connect to a ssl/tls port on a non-encrypted connection

Exactly.

Or an unassigned alternate port.

right

So, again, you're tending toward condescending, here.

yeah i guess so. stepping down

The way that YOU would solve a problem isn't necessarily the best way, for you or anyone else.

frickin pitt. thanks for the ladder

even ssh has a none cipher, ie. unencrypted. but you would have to compile ssh yourself on both sides, and i don't know if you are limited to ssh1 protocol.

if you want to shoot yourself in the foot, it's all there

isn't none disabled by default now

that's why you have to compile it

thats what i figured

Title: Automation and Hacking Your FreeBSD CLI

you know, i love those sorts of things

my problem is, then it's missing when i have to use a linux or some older system

Okay guys... got a weird issue here. A server running 13-stable decided to just stop doing networking. No DDoS, no nothing, and nothing in the messages log to indicate an issue. Any ideas on how to figure out what actually caused this?

Onepamopa, ifconfig down/up helped?

I connected via IPMI, didn't perform ifconfig down/up. But from what I see the server did loose link prior to me connecting to it via ipmi

Aug 23 19:39:13 server kernel: [8038990] ix0: link state changed to DOWN

Aug 23 19:39:16 server kernel: [8038994] ix0: link state changed to UP

that wasn't my doing, I've rebooted it and it works but... can't figure out what caused it.

There's basically nothing in all of the logs to indicate an issue.

tried ping/telnet - no route to host

since it's in production I didn't waste much time - did a quick reboot expecting to find something/anything in the logs, but nada..

driver issue probably

Why guess, when there's no way to know?

Could just as well be gremlins in the server room.

Onepamopa, could be something as simple as the cable

i have an ubuntu jail, and i'm trying to launch dbus, it never happens. could this be a raw socket or securitylevel issue for the jail?

Demosthenex: what do the logs say?

meena: the native host syslog has nothing useful, and dbus-daemon just says failed

dbus-daemon[16932]: Failed to start message bus: Failed to bind socket "/tmp/dbus-wrELFCL9y4": No such file or directory

i see errors in messages when i login, and when i logout, about clear console and such, but no messages when i run dbus

what Filesystem is /tmp?

nice catch, it's using the main host /tmp

let me make that tmpfs

ok, now its tmpfs with good perms, i can touch files in the linux jail in /tmp

same message about bind socket

Hi all, I'm wondering about the uefi boot process (13.2R/amd64). /boot/efi/efi/boot/bootx64.efi and /boot/efi/efi/freebsd/loader.efi are the same, but these files are different than any of /boot/*.efi. Does /boot/efi/efi/boot/bootx64.efi chain load any of these other loader*s?

zeyu: The /boot/efi/efi/boot/bootx64.efi file is used for the UEFI firmware's standard search for an OS loader file, if no other UEFI entry exists in the firmware's boot manager.

The /boot/efi/efi/freebsd/loader.efi used by FreeBSD from using efibootmgr to make an actually boot manager entry dedicated to it.

You can read more about this using `man 8 efi` and scroll down to the line "The UEFI boot process proceeds as follows:"

That manual section is what inspired me to ask. I'm thinking in a default setup: the efi firmware loads the efi application (loader.efi) which the system has installed to /boot/efi/efi/boot/bootx64.efi. bootx64.efi (a copy of /boot/efi/efi/freebsd/loader.efi) loads /boot/boot.config if available, and then loads loader.conf, and then loads the

kernel? What are all the other efi applications in the /boot directory?

Of particular interest, /boot/boot1.efi. The manual page makes no mention of any uefi analogue to bootblocks. The manual page reads as if bootx64.efi is a single stage (efi>bootx64.efi>kernel), as opposed to traditional freebsd  bios>boot0>boot1>boot2>loader>kernel

I suppose you can use efibootmgr to change the boot order so that the entry "UEFI OS" or whatever your motherboard's firmware calls it is the first one at Boot0000

I don't want to change the order, I just want to understand what's going on in the default installation.