00:31:22 <nero> how would i sensibly restrict an ssh user to 4-5 specific commands like sftp and rsync?
00:32:19 <nero> some programs might still have some escape hatch, on linux i have some hacked-together namespacing program that maps everything out
00:32:22 <bjornn> i'm running xfce and i cant figure out how to do privilege escalation
00:32:34 <bjornn> like running gui apps that require sudo to change stuff
00:32:51 <bjornn> or mounting drives in thunar and stuff like that
00:32:57 <nero> has someone used jails to restrict ssh users?
00:34:02 <meena> nero: what's your current approach?
00:34:04 <jkc> The jail would have to contain everything that the ssh user would need on a functional system.
00:35:09 <nero> meena: a self-written Linux-specific program that creates a chroot with some static binaries in it
00:35:28 <nero> but its Linux, and i want a similar thing on FreeBSD so i can have the full ZFS experience
00:35:35 <llua> i like how both of the commands have shell escapes to run other commands
00:35:42 <meena> nero: you could do the same with FreeBSD, or you could create jails that only have specific commands
00:36:15 <nero> meena: i'd be happy if someone has seen prior work
00:36:31 <nero> im 90% confident both Hetzner Storage and rsync.net have such a thing already
00:36:54 <meena> nero: check the wiki, search the web, i have to goto bed.
00:36:59 <nero> good night
00:37:01 <meena> i should've gone to bed 2 hours ago
07:07:47 <vxwarlock> $ipfw -q pipe 1 config bw 2800Kbits/s queue 10Kbytes Is there a queue limit used for this command?
07:37:47 <damarusama> on a fresh installed I did a pkg clean -a && pkg upgrade -f, now I get a ld-elf.so.1: Shared object "libssl.so.111" not found, required by "pkg"
07:42:11 <bapt> derzahl: pkg bootstrap -f
07:42:14 <bapt> grmbl
07:42:19 <bapt> damarusama: pkg bootstrap -f
07:42:28 <bapt> you did make delete-old-libs before you did pkg upgrade
07:44:41 <damarusama> no
07:45:37 <damarusama> should I ?
07:46:47 <damarusama> the pkg bootstrap -f re-installed the pkg package, but the same libssl.so.111 still comes back
07:47:04 <damarusama> this is on freebsd14 armv6
08:43:15 <vxwarlock> https://docs.freebsd.org/en/books/handbook/kernelconfig/#kernelconfig > section To build a file which contains all available options, run the following command as root: || Updating LINT but empty where is the all options ?
08:43:16 <VimDiesel> Title: Chapter 10. Configuring the FreeBSD Kernel | FreeBSD Documentation Portal
08:44:30 <vxwarlock> and doesn't see arch so I'm checking from within amd64 directory.
09:16:42 <meena> vxwarlock: what are you trying to do/learn?
10:04:31 <vxwarlock> he meena > I want to compile kernel about IPFW feature and I wanted to see all available options and device list. It used to write in lint, but now it doesn't. I guess I can't.
10:05:55 <vxwarlock> sorry hi meena
11:10:06 <vxwarlock> How can I access the full list of supported options when compiling the kernel?
11:13:27 <yuripv> vxwarlock: sys/conf/NOTES + sys/<arch>/conf/NOTES
11:14:30 <yuripv> (and for i386/amd64, sys/x86/conf/NOTES, it seems)
11:14:49 <yuripv> the documentation needs updating, yes
11:17:27 <vxwarlock> yuripv I found it ın .usr.src.sys.conf.NOTES inside
11:17:33 <vxwarlock> thanks for helping
11:18:28 <checkpoint> previously it was sys/conf/LINT
11:55:05 <parv> vxwarlock, Does you IRC client do some "odd" thing if you were to use "/" instead of "." in ".usr.src.sys.conf.NOTES"?
11:56:07 <checkpoint>  /sys
11:56:14 <checkpoint> my does not :)
11:57:28 <parv> In any case, it's time for me to go ...
12:13:02 <vxwarlock> parv > my mistake I wrote that wrong . /
12:37:56 <Demosthenex> classic irc clients use /commands, but only on the first word
12:42:55 <checkpoint> ircII seem which does not support /commands:
12:43:01 <checkpoint> *** Unknown command: COMMANDS
12:43:14 <CmdLnKid> no kiddin
12:43:32 <CmdLnKid> you'll need a script ... or a diff irc client
12:44:04 <CmdLnKid> there are a few famous ones out there but you'll need some google foo
12:44:36 * checkpoint is using TinyIRC script
12:46:03 <CmdLnKid> think LiCe5 is what i was thinking of
12:47:25 <CmdLnKid> if your heart is in scripting out ircii ... then thats for you
12:47:35 <CmdLnKid> otherwise ... irssi
12:48:57 <CmdLnKid> https://capture.dropbox.com/UWNnI9SlN09GOF0d
12:48:57 <VimDiesel> Title: Dropbox Capture
12:51:29 <Plasmoduck> checkpoint, try good old BitchX
12:52:23 <Plasmoduck> Also, Catgirl is a very nice, simple text based IRC client.
12:56:10 <meena> "Screenshot: imagine, if you will, text on a screen, next to names in a selection of colours."
12:56:11 <meena> hah
12:56:22 <CmdLnKid> and thats when they are turned into beef
12:56:44 <Dereckson> Plasmoduck some years you don't have port for it
12:56:53 <Dereckson> bitchx-1.2.1_3,1               Feature-rich scriptable IRC client
12:56:57 <Dereckson> actually we've o/
12:57:07 <Dereckson> ircii-20210314                 Small and high extensible IRC client
12:57:10 <Dereckson> and ircII too
12:57:23 * CmdLnKid hands meena a large trout
12:57:32 <CmdLnKid> do with it what you will
12:57:48 <meena> i could cook dinner with it, but then I'd still need to cook another dinner for my daughter.
12:58:33 <CmdLnKid> splurge
13:01:24 <CmdLnKid> be sure to slap a few nicks with it first. have to make sure its tender
13:02:43 <meena> good idea
13:03:28 * CmdLnKid puts on fish slap helmet just in case ;)
13:04:23 <Plasmoduck> Dereckson, https://www.freshports.org/irc/catgirl/
13:04:24 <VimDiesel> Title: FreshPorts -- irc/catgirl: TLS-only terminal IRC client
13:04:43 <CmdLnKid> tls only
13:04:53 <CmdLnKid> sheesh! talk about limitations
13:05:01 <Plasmoduck> Yes, why would you not use tls?
13:05:53 <meena> good luck connecting to EFnet
13:05:58 <CmdLnKid> nothing wrong with that but why not include connecting to everything but a switch to enforce tls or quit thats in your control
13:06:29 <CmdLnKid> seems pointless to exclude valid connections
13:06:54 <CmdLnKid> not really freebsd philosify
13:07:05 <CmdLnKid> however you spell that
13:07:45 <CmdLnKid> take a irc standard and exclude half the internet of irc makes sense
13:08:32 <jkc> CmdLnKid: Doesn't sound like freebsd philosophy to be so condescending, either.
13:08:40 * CmdLnKid slaps plasmoduck with a large trout and finally gives it to meena 
13:09:19 <CmdLnKid> yeah thanks for the correction
13:10:03 <jkc> You're welcome, for both the spelling and attitude correction. :)
13:10:09 <CmdLnKid> sorry im not very limitation friendly
13:10:36 <jkc> It's not a freebsd-imposed limitation. If the user wants their system to have limited functionality, that's their choice, and it's a valid one.
13:10:49 <jkc> I can see lots of cases where I don't want my system to even be capable of unencrypted connections.
13:11:20 <CmdLnKid> thats so easy to do tho. firewalls are a blessing
13:11:57 <CmdLnKid> and yes i know ... you can connect to a ssl/tls port on a non-encrypted connection
13:12:03 <jkc> Exactly.
13:12:09 <jkc> Or an unassigned alternate port.
13:12:14 <CmdLnKid> right
13:12:30 <jkc> So, again, you're tending toward condescending, here.
13:12:46 <CmdLnKid> yeah i guess so. stepping down
13:12:48 <jkc> The way that YOU would solve a problem isn't necessarily the best way, for you or anyone else.
13:14:20 <CmdLnKid> frickin pitt. thanks for the ladder
13:30:43 <CueXXIII> even ssh has a none cipher, ie. unencrypted. but you would have to compile ssh yourself on both sides, and i don't know if you are limited to ssh1 protocol.
13:30:55 <CueXXIII> if you want to shoot yourself in the foot, it's all there
13:31:28 <CmdLnKid> isn't none disabled by default now
13:31:49 <CueXXIII> that's why you have to compile it
13:31:58 <CmdLnKid> thats what i figured
16:02:01 <jauntyd> https://klarasystems.com/articles/automation-and-hacking-your-freebsd-cli/
16:02:02 <VimDiesel> Title: Automation and Hacking Your FreeBSD CLI
16:14:09 <rtprio> you know, i love those sorts of things
16:14:36 <rtprio> my problem is, then it's missing when i have to use a linux or some older system
16:56:08 <Onepamopa> Okay guys... got a weird issue here. A server running 13-stable decided to just stop doing networking. No DDoS, no nothing, and nothing in the messages log to indicate an issue. Any ideas on how to figure out what actually caused this?
17:05:37 <VVD> Onepamopa, ifconfig down/up helped?
17:06:19 <Onepamopa> I connected via IPMI, didn't perform ifconfig down/up. But from what I see the server did loose link prior to me connecting to it via ipmi
17:06:35 <Onepamopa> Aug 23 19:39:13 server kernel: [8038990] ix0: link state changed to DOWN
17:06:36 <Onepamopa> Aug 23 19:39:16 server kernel: [8038994] ix0: link state changed to UP
17:06:55 <Onepamopa> that wasn't my doing, I've rebooted it and it works but... can't figure out what caused it.
17:07:03 <Onepamopa> There's basically nothing in all of the logs to indicate an issue.
17:08:24 <Onepamopa> tried ping/telnet - no route to host
17:09:14 <Onepamopa> since it's in production I didn't waste much time - did a quick reboot expecting to find something/anything in the logs, but nada..
17:13:15 <yuripv> driver issue probably
17:24:36 <debdrup> Why guess, when there's no way to know?
17:24:45 <debdrup> Could just as well be gremlins in the server room.
17:26:58 <BarnabasDK> Onepamopa, could be something as simple as the cable
20:04:02 <Demosthenex> i have an ubuntu jail, and i'm trying to launch dbus, it never happens. could this be a raw socket or securitylevel issue for the jail?
20:28:44 <meena> Demosthenex: what do the logs say?
20:42:54 <Demosthenex> meena: the native host syslog has nothing useful, and dbus-daemon just says failed
20:43:08 <Demosthenex> dbus-daemon[16932]: Failed to start message bus: Failed to bind socket "/tmp/dbus-wrELFCL9y4": No such file or directory
20:43:32 <Demosthenex> i see errors in messages when i login, and when i logout, about clear console and such, but no messages when i run dbus
20:43:43 <meena> what Filesystem is /tmp?
20:44:37 <Demosthenex> nice catch, it's using the main host /tmp
20:44:39 <Demosthenex> let me make that tmpfs
20:46:52 <Demosthenex> ok, now its tmpfs with good perms, i can touch files in the linux jail in /tmp
20:46:57 <Demosthenex> same message about bind socket
22:59:09 <zeyu> Hi all, I'm wondering about the uefi boot process (13.2R/amd64). /boot/efi/efi/boot/bootx64.efi and /boot/efi/efi/freebsd/loader.efi are the same, but these files are different than any of /boot/*.efi. Does /boot/efi/efi/boot/bootx64.efi chain load any of these other loader*s?
23:11:08 <kenrap> zeyu: The /boot/efi/efi/boot/bootx64.efi file is used for the UEFI firmware's standard search for an OS loader file, if no other UEFI entry exists in the firmware's boot manager.
23:12:03 <kenrap> The /boot/efi/efi/freebsd/loader.efi used by FreeBSD from using efibootmgr to make an actually boot manager entry dedicated to it.
23:12:58 <kenrap> You can read more about this using `man 8 efi` and scroll down to the line "The UEFI boot process proceeds as follows:"
23:19:04 <zeyu> That manual section is what inspired me to ask. I'm thinking in a default setup: the efi firmware loads the efi application (loader.efi) which the system has installed to /boot/efi/efi/boot/bootx64.efi. bootx64.efi (a copy of /boot/efi/efi/freebsd/loader.efi) loads /boot/boot.config if available, and then loads loader.conf, and then loads the
23:19:05 <zeyu> kernel? What are all the other efi applications in the /boot directory?
23:21:54 <zeyu> Of particular interest, /boot/boot1.efi. The manual page makes no mention of any uefi analogue to bootblocks. The manual page reads as if bootx64.efi is a single stage (efi>bootx64.efi>kernel), as opposed to traditional freebsd  bios>boot0>boot1>boot2>loader>kernel
23:48:02 <kenrap> I suppose you can use efibootmgr to change the boot order so that the entry "UEFI OS" or whatever your motherboard's firmware calls it is the first one at Boot0000
23:50:49 <zeyu> I don't want to change the order, I just want to understand what's going on in the default installation.