00:28:21 polyex, Which logs? messages? Or auth.log? messages is already 644, right? But auth.log is 600 due to the sensitive nature of it.
00:28:39 If you are the only one on the system and it is on the LAN not WAN then that seems acceptable. I wouldn't do it on a public server machine because it might be used as a chain to something else if there is a first exploit.
00:28:44 daemon logs like postgres
00:29:48 I am not familiar specifically with postgres but that seems like it would be reasonable to be 644 there.
00:31:01 Another frequently configured way is to make the group of the logs readable by group wheel or a group like adm and then add yourself to that group. Then you and only you can read the logs easily by group permissions but other users are not allowed.
00:32:37 To change the group of a logfile of course the /etc/newsyslog.conf file can list the user:group in the 2nd column for that logfile and set the mode to 64something.
00:36:11 tyvm
03:51:55 This is what I get when I run liquidsoap -h icy.update_metadata (in a jail, in a non-root user shell running bash) (it's filled with escape codes) https://bsd.to/O5W7
03:51:56 Title: dpaste/O5W7 (Plain Text)
03:55:16 it would be nice to understand the cause. it seems they have some sort of colored log. maybe the pager (on this box that has no X or anything on the host or in the jail) is expected to behave differently
05:13:32 VVD: blender builds on BE after all
05:53:04 why are so many rc.d files 655? they should be 555 i think
05:53:18 like rsyncd
07:49:13 should rc.d scripts have "networking" or "NETWORKING" for the REQUIRE: field?
10:44:58 got thinkpad t480. now install time
11:41:53 polyex: NETWORKING, but whether it's case sensitive is not documented
11:42:42 at least not in rcorder(8)
12:03:16 Gotta be uppercase
14:33:54 des@ vs /usr/sbin/adduser. FIGHT!
14:55:29 https://bsdcafemedia01.server-gestiti.it/bsdmmedia01/cache/media_attachments/files/112/410/074/136/633/729/original/465e3467003738c0.gif
17:15:00 dch why does it gotta be uppercase? because it's a special purpose symbol and not an actual rc script name?
17:16:03 lw in man rc there's a "ALLUPPERCASE" about these virtual REQUIRES items
17:17:44 it's not exactly virtual
17:17:51 -r-xr-xr-x 1 root wheel 287 Apr 15 22:04 /etc/rc.d/NETWORKING*
17:18:33 s/virtual/dummy
17:18:52 if you want to ask why it's uppercase you probably need to take that up with lukem
17:20:56 my hostname is changed but not in my /etc/rc.conf
17:21:55 changed to "ConnectOn" but I have no idea why.
17:59:18 also, is there a way to disable starting firefox as certain users?
18:55:40 entikan, Generally speaking if the hostname became "ConnectOn" then I would look for that string because I suspect "hostname [options] ConnectOn" was applied somehow.
18:56:43 Back on HP-UX which does not support any options it was pretty common for people to run a script and their hostname would become "-f" due to the linux world's proclivity to use "hostname -f" to read out the hostname as a FQDN by reverse DNS lookup. It happened quite a bit.
18:57:45 entikan, Re: blocking users from running any particular program. Generally no. Because a user can always simply copy in a program from elsewhere.
18:58:21 One could remove programs from the system. But then I could always copy that program in from elsewhere into my home directory and run it from there.
18:58:41 grepping the whole disk for "ConnectOn" doesn't show anything. But it did happen after logging in to someone else's router. Perhaps it happened there?
18:58:41 Or I could compile the source code and have a natively compiled executable.
18:59:20 By some chance is the host setting the hostname to the reverse DNS for the IP address that it was dynamically assigned by DHCP?
19:00:01 That always seemed crazy to me but RHEL/Rocky/Alma/CentOS do exactly that!
It's an unreasonable configuration to my sensibilities but they do.
19:00:32 rwp: That's fine, it's just for myself. I need firefox for some administrative purposes but I'd rather have some hoop to jump through for before it starts up (logging into a separate user for it for example) or I get sucked into old habits
19:01:13 how do I check the reverse DNS?
19:01:43 If it is just for you and you want to restrict an executable to some particular user then chmod go-x,u+x and it will be executable only by that user that owns it, and then set the owner to the user you want to be able to execute it.
19:02:07 Or alternatively the same thing using group permissions. Actually... Using group permissions for that is probably more sensible.
19:03:16 Using one of "host", "dig", or "drill" look up the IP address. For example looking up "host 142.250.72.69" here says "69.72.250.142.in-addr.arpa domain name pointer den16s09-in-f5.1e100.net." (That's mail.google.com by the way)
19:03:46 I'll try that out next time I'm logged into that network, thanks!
19:04:03 and I'll look into group permissions, this is very helpful yaaay
19:04:26 For dig it could be "dig -x 142.250.72.69 +short" and for drill basically the same syntax as dig almost always.
19:07:13 do not dig
19:07:19 omg what will you find
19:07:27 there could be anything down there
19:08:38 if god wanted us to dig we would have been born with /usr/bin
19:09:26 Hi.
19:09:26 I need to truss a command. How can I avoid following error?
19:09:26 truss: Unable to enable LWP events for pid 99999: Operation not permitted
19:10:17 Which permissing I've to grant to this user to be able to execute truss?
19:10:27 s/permissing/permission/
19:11:19 lw, If dog wanted us to wear clothes we would have been born that way! :-)
19:13:11 security.bsd.unprivileged_proc_debug is enough?
20:13:55 https://github.com/freebsd/freebsd-src/blob/main/sys/amd64/conf/NOTES ---- from 'CPU OPTIONS' , '# Options for CPU features.' is empty.
from where i can look up to for available choices for 'options for CPU Features' ?
20:13:57 Title: freebsd-src/sys/amd64/conf/NOTES at main · freebsd/freebsd-src · GitHub
20:30:07 hello!
20:47:28 CountryBall0, AFAIK there is only one for amd64 - "cpu HAMMER"
20:47:30 i cant interact with the installer because keyboard is acting funny on a very old hp laptop (from 2006). not a single key is functional, not even arrows, enter, tab... nothing. just shift seems to act like enter. any advice? thanks!
20:49:34 ndo-, can you connect USB keyboard?
20:50:03 VVD, below that there is 'options for CPU features' tho and it doesnt listed any options for 'cpu HAMMER' , its blank. what are the CPU feature options for 'cpu HAMMER' tho ? (at sys/amd64/conf/NOTES 'options for CPU features' is blank :/)
20:52:37 VVD: gonna try.
20:52:56 CountryBall0, this part is template - check NOTES for i386.
20:54:45 VVD, yes it seems i386 NOTES file has that 'cpu options' . so from this I should understand as; amd64 has only 'cpu HAMMER' option and no CPU features options as kernel options? (thanks btw for pointing to the i386 notes)
21:03:56 CountryBall0, probably yes.
21:06:16 VVD: its working with the usb keyboard
21:06:43 but if i manage to install the whole thing i'll be stuck with the external keyboard i guess
21:07:11 if my rc.d script needs networking and daemon, i only need to specify REQUIRE: DAEMON right? because DAEMON implies networking too because DAEMON has REQUIRE: NETWORKING
21:07:12 ndo-, try to install using it and after reboot from disk check internal keyboard
21:10:55 VVD: ok thanks
21:12:39 VVD, thanks
21:19:10 I think that's a lot of what actually bothers me, since i spend way more time tending to BSD and Leenoochs systems from my mac desktop - and Unix just flat out lets you juggle running chainsaws and play russian roulette with a semi auto if you want... so getting nerfed on stuff on my desktop stings
21:19:11 .
21:34:16 VVD: ok, installed
21:34:30 VVD: no internal keyboard, same behaviour
21:35:24 what's better style, cmd --foo=bar or cmd --foo bar?
21:37:00 polyex, How long is a piece of string? Personally I prefer --var=foo style when using long options.
21:37:15 why?
21:37:40 It just clumps the entire set of characters together visually and I think makes it more visible what is happening.
21:37:57 But "--var foo" is also valid. It's valid so I can't say it is wrong.
21:37:59 ndo-, :-( maybe u have options in BIOS?
21:42:23 VVD: i dont know, i'll just finish to setup DE and then try to investigate
21:42:37 i dont even know what kind of information to look for
21:42:55 Rwp: its as long as the universe needed it to be
21:43:24 ndo-, something about keyboard
21:43:42 btw, maybe u can configure keyboard in DE
21:50:43 any upside to having daemons log to their own log file instead of just dumping it all into syslog?
21:50:53 mrelcee, Right! And since there are likely three different valid forms for -v foo, --var=foo, --var foo, all being valid I think all are valid. But I prefer --var=foo visually.
21:51:11 Various programs have different option processing however. There are a lot of variations.
21:51:43 polyex, Programs which generate A LOT of output tend to use their own log file. nginx/apache dump a lot of output for example and tend to write to their own log file.
21:52:14 It's a judgement call for the program. If something is going to completely dominate a file with output then I would put it into a dedicated log file.
21:52:41 If something is going to occasionally make a log entry like cron or something then using the existing system log framework is most appropriate.
21:54:21 hm
21:55:10 polyex, WDYT?
21:56:45 well just to make monitoring easier, i kinda want to just stuff everything possible into syslog. but i also want to limit logging output to warns or higher severity
22:04:27 Then I say just do it.
Often things just need to be done in order to know if it is the right thing to do or not. Then make corrections only if needed.
22:05:33 how do i adjust the msi-x interrupt vectors on my nic? i've been looking at the iflib settings to see if i can glean where they are but im winging most of it
22:08:07 rwp also i run into probs where i don't know to look in /var/log/messages or in /var/log/mydaemon/mydaemon.log for daemon probs
22:08:28 not like it's hard to check but stuffing everything i can into syslog helps reduce that
22:23:06 got a opentelemetry-collector running as a daemon. it's made in Go. when i run sudo service otelcol restart log file says "Error: failed to shutdown service after error: failed to shutdown pipelines: sync /dev/stderr: invalid argument; sync /dev/stderr: invalid argument". anyone know what that means in Go code?
22:24:51 polyex: but does it otherwise work?
22:24:55 ya
22:28:43 i wonder what daemon even does with stderr
22:30:49 Is that daemon running in a container? Does the container have a /dev/stderr and if so is /dev/fd mounted?
22:31:18 I am one of those people who despise seeing /dev/stderr because it creates this extra dependency that isn't otherwise needed. Just write to fd 2!
22:31:26 ya it is running in a container
22:31:49 Does the container set "mount.devfs" for it?
22:32:06 ls -la /dev/stderr -> fd/2
22:32:13 oh indeed
22:32:35 Right. And therefore /dev/stderr depends upon /dev/fd having been mounted. That's an extra worthless dependency that shouldn't be required.
22:33:02 jail's config has mount.devfs in it yet
22:33:04 ya*
22:33:10 those files are useful for scripts
22:33:16 only scripts
22:33:23 /dev/std*
22:33:26 @files"
22:33:29 "
22:33:30 Well, then /dev/stderr should work. I would jexec into the jail and verify that it works. If so then the problem is something else.
22:33:42 how do i verify it works?
22:33:43 ketas, It's only extremely rarely useful in scripts.
22:34:41 opening that in some other code is wtf
22:34:49 polyex, "jexec -l jailname login -f username" (username is possibly root) and then ls -ld /dev/stderr /dev/fd/2; echo foo > /dev/stderr and see if it works there.
22:35:37 well if it's not written to have - thing or separate option, sometimes some util can open stdin "file"
22:35:43 rwp that echo'd "foo"
22:35:50 limited use, yes
22:35:54 ketas, People use /dev/stderr because they read it somewhere and learned about it but it didn't even exist until like 1999 or something.
22:36:52 how do i disable it?
22:36:57 if it's just a hack
22:37:06 is it just a hack or an actual improvement?
22:37:10 So in a shell I want to print an error: echo "Error: this thing failed" 1>&2
22:37:32 1>&2?
22:38:02 polyex, It's just a hack but if that is not your problem case then I would not touch it. Instead your daemon has some other reason it is printing that error message. Keep looking for the root cause of that error.
22:38:47 should i take "mount.devfs;" out of my jail config?
22:39:44 ketas, If you are not a shell programmer then that is gobbledygook. 0 is stdin, 1 is stdout, 2 is stderr. echo prints to stdout 1 by default. 1>&2 assigns fd 2 (stderr) into the fd 1 (stdout) so that when echo prints it then prints to 1 which is mapped to stderr.
22:40:00 well 1> works too
22:40:22 stdout is assumed by default...
22:40:42 On the command line both stdout and stderr go to the terminal. So both will appear to "work" such as it is. But in a script if you redirect stdout then stderr should continue to go to the terminal.
22:41:05 The idea is that errors happen out-of-band to the normal flow so that you see them.
22:41:28 sometimes it's annoying too
22:41:42 grep foo file1 | awk '{print$2}' | tr a b | sed ... you get the idea. If any of those print an error then the error goes to stdout and NOT into the stdout going into the pipeline.
22:41:44 have | less, stderr doesn't go there
22:41:51 :p
22:43:49 The order of assignment is important too. That's why if one wants to discard all output it is "if grep foo file1 >/dev/null 2>&1; then" in that order > then 2>&1 and not a different order.
22:44:22 i think most don't use redundant 1>
22:44:24 The first > sends fd 1 to /dev/null and the next 2>&1 assigns fd 2 to the same place as fd 1.
22:44:27 hence wtf
22:45:31 is there a shell that required fd number?
22:45:35 "1>" is just the same as ">" so not really the idiom. It's okay to have it there. It's redundant as you say. But we started off with why one does not need /dev/stderr usually almost never.
22:46:17 AFAIK there has never been a shell that required a number there.
22:46:48 yeah, shells, perl, python, c, they all allow you internal stderr usage
22:47:02 so no idea why
22:47:42 something something easier?
22:47:47 we have urandom too
22:48:05 you don't really need to open that "file"
22:48:46 but i get the idea
22:49:08 it's always there, as a "file"
22:51:08 rwp so that bug is from somewhere else?
22:51:14 got a opentelemetry-collector running as a daemon. it's made in Go. when i run sudo service otelcol restart log file says "Error: failed to shutdown service after error: failed to shutdown pipelines: sync /dev/stderr: invalid argument; sync /dev/stderr: invalid argument". anyone know what that means in Go code?
22:51:15 that 1
22:51:21 What bug?
22:51:57 I guess I don't know if that is a bug yet.
22:52:08 well is the OS working right?
22:52:10 the container
22:52:30 Sure it produced an error message. But neither you nor I know what that error message actually means at the root cause of it yet. I can't say it is a bug yet.
22:53:01 I don't see anything leading me to believe the jail container is not working right.
22:53:14 ok ty
22:54:00 I mean jails have been around for years, are very mature, people run thousands of programs in them, and then this one program is giving an error message.
I am more likely to think this one program is where the problem is located.
22:54:16 But until I would get to the root cause of it then I don't know if it is a bug or not.
22:54:35 putting that aside, would you disable the /dev/stderr hack?
22:54:45 like so /dev/stderr doesn't even exist
22:55:24 Nope. I would let the jail mount /dev and just keep moving with it there. It doesn't hurt anything to have it and then programs that use /dev/stderr will work without changes. (Even if I don't like that they are using it.)
22:56:00 ok so your containers have mount.devfs; too?
22:56:58 Yes. I always have those in my jail.conf file globally.
22:57:03 Reading that error message seems like quite a bit of gobbledygook to me. "sync /dev/stderr: invalid argument" What's it really doing there? is it calling fsync(2) on the fd and it is producing an error? Perhaps the fd is closed at that moment? Maybe.
22:57:10 ok ty
22:57:37 the app is being run by daemon
22:57:39 Do you have the source to this Go-lang program?
22:58:04 ya it's https://github.com/open-telemetry/opentelemetry-collector
22:58:05 Title: GitHub - open-telemetry/opentelemetry-collector: OpenTelemetry Collector
22:59:17 Also if run under daemon with -f it will redirect stdout, stderr to /dev/null so that it is a bitbucket receiver. But sometimes I see people /close/ the fd and that could cause an invalid argument error for example as fsync(2) on a closed fd would do that.
22:59:27 my rc.d command line for it is daemon --output-file=/var/log/otelcol/otelcol.log --sighup --supervisor-pidfile=/var/run/otelcol/otelcol.pid --close-fds /usr/local/bin/otelcol --config=/usr/local/etc/otelcol/otelcol.yaml
22:59:46 tried -f and no 0f
22:59:47 hmmm
22:59:47 -f
23:00:10 Hmm... "--close-fds" but that's an argument to opentelemetry-collector, right? So that /shouldn't/ be the problem.
23:00:15 daemon is really cute util btw
23:00:19 no that's to daemon rwp
23:00:24 that's also a hack kind of
23:00:24 daemon is great!
:-)
23:00:54 just close fd's and fork off
23:02:10 but then it also catches pids and restarts if needed
23:02:44 When I read the man page for daemon I see no --close-fds listed there. Is that new in 14? I am still on 13.
23:03:22 It's new in 14.
23:03:27 it's same as -f
23:03:29 i'm on 13.3
23:03:59 daemon -f does not close file descriptors though as they are redirected to /dev/null.
23:04:23 I think 14 introduced a bug in that they say --close-fds redirects but then they are NOT closed! BUG! Gack.
23:05:03 It was introduced in 13.3 and 13.2 does not have that option.
23:05:59 This is just one of those examples of things that get worse instead of better. Oh well. Cory Doctorow was right.
23:08:21 * rwp can't upgrade past 13.2 yet because my radeonkms driver from ports is tied to the kernel in 13.2 and I rather like X working and haven't had time to compile a new version for myself
23:09:57 # Do we want the config file compiled into the kernel?
23:09:57 INCLUDE_CONFIG_FILE opt_config.h <<--- what happens if we dont compile kernel config file into the kernel ?
23:10:08 ketas, I generally agree that programs should turn themselves into daemons as needed. It's not that difficult. But...
23:10:14 Oh look at the time! I must run off. Good luck!