September 25, 2002
use anoncvs regularly

using anoncvs regularly to update openbsd source tree

First, start out by `get'-ing an initial tree:
(If you are following current):
# setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
# cd /usr
# cvs -q get -P src

# setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
# cd /usr
# cvs -q get -P ports

Anytime afterwards, to `update' this tree:

#!/bin/bash
## export CVSROOT=anoncvs@anoncvs.ca.openbsd.org:/cvs

echo "" ;echo "--- begin cvs updates for `date` ---"
export CVSROOT=':pserver:anoncvs@anoncvs.ca.openbsd.org:/cvs'

cd /usr/src
cvs -d $CVSROOT -q up -Pd

cd /usr
cvs -d $CVSROOT -q up -Pd ports
echo "--- end cvs updates for `date` ---" ;echo ""

Posted by skp at 10:00 AM
September 19, 2002
tonight's moves

off to swing central. rob and dianne...

1. closed
2. swing out
3. lindy
4. lindy to closed
5. lindy hand around back and spin
6. opposite hands, push left
7. push right, push left
8. forearm grab and spin
9. kick kick turn, kick kick spin
10. normal hands, pull by under arm
11. switch hands, feet together
12. slide feet out, left to right and step left
13. step back and pull forward

Posted by skp at 10:36 PM
September 18, 2002
open vs free

openbsd vs. freebsd hrmmm they're not really that different. it's mostly a religious issue. openbsd tends to be more anal about security (generally a good thing). i miss the little things from linux though, take grsecurity for example. very cool kernel patch for linux.

grsecurity 1.9.7-rc4 was released today. Changes include a new optimized hash function, stability fixes for the ACL system, and a new PaX feature: kernel stack randomization. It applies 5 bits of randomization to the kernel stack on each syscall (a fast permutation of the time is used to create the randomness). Since the randomization is applied on every syscall, it makes bypassing by info leak much more difficult or impossible in some cases. This feature won't do anything against holes that allow arbitrary kernel memory reads or writes, yet it is useful against exploits that need an address on the kernel's stack to work correctly. More work is under development by the PaX team related to stopping arbitrary code execution in the kernel. In the future, VM_[WRITE|MAYWRITE] handling will become more strict as well. This means that gdb breakpointing and ptracing won't be allowed for your binaries, so if you're a developer using PaX on your system, you'll have to disable PaX to set breakpoints on the code you've written. Work will begin shortly on implementing the PaX flags under the ACL system.

Posted by skp at 01:07 PM
htaccess quick

don't trust other people's code unless you have to... and then don't trust it farther than you can throw it. users demand suid root perl scripts for apache? probably should protect that stuff with htaccess. it's not going to fix anything, but it will keep losers and worms from rooting your box. check these out: apacheweek, bignosebird, and apache-server. or just use google

btw i've removed the .htaccess from /cgi-bin/howto/ so you all can comment again

step 1: make .htaccess in whatever directory you want to protect

AuthUserFile /usr/www/dirname/.htpasswd
AuthGroupFile /dev/null
AuthName "The Secret Page"
AuthType Basic


require valid-user

step 2: set a password
htpasswd -c .htpasswd user_name
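
A quick check to run over a .htaccess like the one in step 1. This is an added example, not part of the original post; the function name htaccess_audit and the /usr/www web root are assumptions made for the demo.

```sh
# Added example, not from the original post.
# htaccess_audit FILE DOCROOT
#   prints findings for one .htaccess file; returns 0 when clean,
#   1 on warnings, 2 when the file sets no AuthUserFile at all.
htaccess_audit() {
    file=$1
    docroot=${2%/}
    # first value of each directive; directive names are case-insensitive
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$file")
    authtype=$(awk 'tolower($1) == "authtype" { print tolower($2); exit }' "$file")
    rc=0
    if [ -z "$pwfile" ]; then
        echo "FAIL: no AuthUserFile"
        return 2
    fi
    case $pwfile in
        "$docroot"/*)
            echo "WARN: $pwfile sits under the web root $docroot"
            rc=1 ;;
    esac
    if ! grep -qi '^[[:space:]]*require[[:space:]]' "$file"; then
        echo "WARN: no require line, so nothing is enforced"
        rc=1
    fi
    if [ "$authtype" = basic ]; then
        echo "NOTE: Basic sends the password base64-encoded, use it over https"
    fi
    return $rc
}

# Constructed sample: the .htaccess from step 1, written to a temp file.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
AuthUserFile /usr/www/dirname/.htpasswd
AuthGroupFile /dev/null
AuthName "The Secret Page"
AuthType Basic
require valid-user
EOF
htaccess_audit "$sample" /usr/www || true
```

Apache's stock config refuses to serve files whose names start with .ht, so the warning is about not depending on that one rule.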

Posted by skp at 09:10 AM
September 16, 2002
no more tickets

in the beginning speeding tickets are seen as no more than a monetary annoyance, though quickly one realizes the silly dmv has this nifty point system. first person to 4 points wins.... (apparently they'll jack your license quick if you get 4 in one year) my advice: fight every ticket you ever get. old news i know, but really every time i've fought a speeding ticket i've won simply because the officer didn't show up in court.

obviously the guy swerving through traffic in his hummer won't get pulled over. it's a karma thing. what will happen though is while traffic is going 84mph through the barren wasteland known as nevada, you'll get pulled over for 88mph in a 65.

Posted by skp at 02:13 PM
September 06, 2002
fink update all

fink on mac os x is great... if you like having to leave your workstation alone compiling code for hours. no really it's nice. i would like it to do some intelligent stuff like checking for precompiled packages and using them instead of compiling its own. baby G4 Ti book is only running at 333mhz so i feel the pain.

i don't like running "fink update-all" as if one package dies the whole thing dies. instead, run a little script to get the latest updates, and update them one at a time.

fink -y -q selfupdate ;for i in `fink -y list |egrep -i '\(i\)' |awk '{print $2}'` ;do fink -y -q update $i ;done

Posted by skp at 09:22 AM
September 04, 2002
web pages that suck dot com

no i'm not a graphic designer. i admit my skills stop abruptly somewhere in the neighborhood of page curl in photoshop, but i know when a site just plain sucksTM and i pray every night that the blink tag never returns from its grave. you know there's about five thousand bed wetting webmasters just itching to use it.

can we maybe have an internet worm to clean servers of crap, taking down ugly and useless websites? please?

oh by the way, here's how to do the little trademark thingie:
this text is trademarkTM

Posted by skp at 12:19 AM
September 03, 2002
systrace in openbsd-current

since there's almost no documentation for it outside of "man systrace" here's some examples of what i've kludged together to get systrace happy on my openbsd box. remember you've got to be up and running with openbsd-current. we do love niels provos. i know i'm running devel code and it does hurt to be ahead of the curve, but there's really no documentation for this thing and it's pissing me off.

update: really this is annoying... i can't get systrace to do anything meaningful outside of breaking my processes. it mostly tells me "no ld.so" even after i've allowed it. if anyone has better documentation on using systrace please let me know.

of course you need to be running -current, with a new kernel and everything. make sure this is somewhere in your kernel config (/usr/src/sys/arch/i386/conf/GENERIC)
pseudo-device systrace

after building your new kernel and rebooting
(config GENERIC && cd ../compile/GENERIC && make clean && make depend && make && cp /bsd /bsd.old && cp bsd /bsd && chown root.wheel /bsd && reboot)

you'll need to copy MAKEDEV from /home/newroot/dev/ to /dev and then run /dev/MAKEDEV systrace

now you can run systrace against a daemon or whatever you want. i'm running it in learning mode right now like this:
systrace -A -i -d /etc/systrace -p 27715 /usr/sbin/httpd
oh and here's a quick script to find the pid of processes that don't stick nice little files in /var/run:
PID_HTTP=`ps aux|grep httpd |grep root |egrep -vi '(man|grep|systrace)' |awk '{ print $2 }'`

after you're sure systrace has seen everything "normal" the daemon should be able to do, change the "-A" to "-a" and it'll begin to enforce policy.

Posted by skp at 11:08 PM
as bad as the blink tag

retarded webmasters think that disabling right-click is a good security measure, when all it really does is piss us off and show how juvenile they are... hope they realize that anyone can save their files and download whatever we want anyway. here's a "security script" to prevent right click. funny thing is, simply use another browser (mozilla) and this useless security feature can be turned off by the end user.

if (self != top) {top.location.href = self.location.href}

function click(e) {
    var message=" Sorry, that function is disabled.\nThis Page (Pictures & Text) is copyrighted & protected !\n (C) 2002 - ALL RIGHTS RESERVED !";

    if (document.all) {
        if (event.button == 2) {
            alert(message);
            return false;
        }
    }

    if (document.layers) {
        if (e.which == 3) {
            alert(message);
            return false;
        }
    }
}

if (document.layers) {
    document.captureEvents(Event.MOUSEDOWN);
}
document.onmousedown=click;

Posted by skp at 05:52 PM
hatem web ads

tons of ways to stop unwanted advertisements. trick your box into thinking that the offending website is somewhere it isn't. use the hosts file, remap crap to localhost, done. uhmmm almost. actually you'll need this website to do it on mac os x since darwin likes its netinfo database. (cached here for your pleasure)

now tons of requests get sent to your localmachine... even causing unending errors in netscape. time to start apache and set the errordocument to a blank site. now done. mac os x is great for this since it's got mad bsd skills, though the whole netinfo thing really screws with me.

after adding all naughty crap ad sites to your hosts file or database, you need to change this line in httpd.conf and start apache:
ErrorDocument 404 /errordoc.html

then add this file in your webroot /htdocs/errordoc.html

Posted by skp at 06:58 AM
ie sucks on mac osx

can't edit your blog using my https site? too bad, go use another browser. microsoft felt like giving osx a crappy browser that's not capable of using self-signed ssl certificates.

this means unless a website pays big money for a "real" ssl cert you'll not be able to connect. nothing's wrong with my homemade certificate... just that it isn't from one of the big boys. so if you want to connect to https://www.fif3.com you had better use a real browser

Posted by skp at 04:55 AM
bash profile me

to type the same thing over and over again in a very repetitive way that seems to copy that which was just written, it seems, is a very nimious way to do things which are repetitive.

way better than making files in /usr/local/bin... don't you always think to yourself "self, who's connected to my box right now" or maybe "why the hell does openbsd require one to type ifconfig -a when linux knows what to do without the -a"

alias sshsomeplace='ssh jim@hotmail.org'
alias i='ifconfig -a'
alias l='clear;exit'
alias es='netstat -na |grep -i esta |grep -v 127.0.0.1 |sort -n -t. -k2'
alias li='netstat -na |grep -i list |grep -v 127.0.0.1 |sort -n -t. -k2'
alias cls='clear;ls'

Posted by skp at 04:11 AM
stinky old bsd

if you're not running -current then, well, you've probably been rooted by now. me? i'm no target for balls-nasty uber hackers like gobbles and crew who have more time on their hands than i to research crap and make 0day sploits. hell even if someone with skillz wants to root my box what are they gonna get? my ~ has nothing more than a 40meg mail spool from the damn incidents list and maybe a personal message every few weeks for cheap viagra.

here's my script to update my system to openbsd-current. mostly borrowed from openbsd website and also here.

#!/bin/bash
#### fun ##
# Rebuild and install gcc
# Recompile a kernel
# Reboot and run make build
###########################

## update sources
export CVSROOT=':pserver:anoncvs@anoncvs.ca.openbsd.org:/cvs'
cd /usr/src && cvs -d $CVSROOT -q up -Pd
cd /usr && cvs -d $CVSROOT -q up -Pd ports

## clean tree (has to run from /usr/src, the ports update above leaves us in /usr)
cd /usr/src && \
find . -type l -name obj | xargs rm && \
make -k cleandir && \
rm -rf /usr/obj/* && \
make obj

## any new devices
cd /dev && \
cp /usr/src/etc/etc.`machine`/MAKEDEV ./ && \
./MAKEDEV all

## fix any file hierarchy changes
cd /usr/src/etc/mtree && \
install -c -o root -g wheel -m 600 special /etc/mtree && \
install -c -o root -g wheel -m 444 4.4BSD.dist /etc/mtree && \
mtree -qdef /etc/mtree/4.4BSD.dist -p / -u

## fix up ld.so dynamic loader
cd /usr/src && \
make obj && \
cd /usr/src/gnu/usr.bin/ld/rtld && \
make depend && make && make install

## rebuild and install new libc
cd /usr/src/include && \
make prereq && make includes && \
cd /usr/src/lib/libc && \
make depend && make NOMAN=1 && make NOMAN=1 install

## cleanup gcc
rm -r /usr/obj/gnu/egcs/gcc/*
cd /usr/src/gnu/egcs/gcc && \
make -f Makefile.bsd-wrapper clean && \
make -f Makefile.bsd-wrapper obj && \
make -f Makefile.bsd-wrapper depend && \
make -f Makefile.bsd-wrapper && \
make -f Makefile.bsd-wrapper install && \
make -f Makefile.bsd-wrapper clean && \
make -f Makefile.bsd-wrapper depend && \
make -f Makefile.bsd-wrapper && \
make -f Makefile.bsd-wrapper install && \

## rebuild ld
cd /usr/src/gnu/usr.bin/binutils && \
make -f Makefile.bsd-wrapper cleandir && \
make -f Makefile.bsd-wrapper obj && \
make -f Makefile.bsd-wrapper depend && \
make -f Makefile.bsd-wrapper && \
make -f Makefile.bsd-wrapper install

## clean out old object files
rm -rf /usr/obj/* && \
cd /usr/src && \
make obj && \
## make directories
cd /usr/src/etc && make DESTDIR=/ distrib-dirs && \
## make new kernel
cd /usr/src/sys/arch/`machine`/conf && \
config GENERIC && \
cd ../compile/GENERIC && \
make clean && make depend && make && \
cp /bsd /.bsd.`date "+%H%M%S%Y"`.old && \
cp /bsd /bsd.old && cp bsd /bsd && \
chown root.wheel /bsd && \
## reboot here before going on (this script does not reboot for you)
## compile new system
cd /usr/src && \
make build && \

## play with the new etc
mkdir /home/newroot
export DESTDIR=/home/newroot
cd /usr/src/etc && make distribution-etc-root-var
export DESTDIR="/"


#####################################
oh, and here's how to update a single spot in your openbsd source tree:
# cd /usr/src/usr.bin/ssh
# make obj
# make cleandir
# make depend
# make
# make install

or just in case you need to patch something:
# cd /usr/src/usr.bin/ssh
# patch -p0 < .../openbsd31_3.4.patch
# make obj
# make cleandir
# make depend
# make
# make install

Posted by skp at 03:41 AM
SSH WinXP 5.0.3215.6294

heh while we're on the topic of banners... here's something dmuz came across while romping in the sshd source. simple one file edit and your openssh banner can be super custom. change it to read AmigaOS for all i care.

edit /usr/src/usr.bin/ssh/version.h in the openbsd source tree. change

#define SSH_VERSION "SSH OpenBSD 2.9"
to whatever you want... i like this the most:
#define SSH_VERSION "SSH WinXP 5.0.3235.3194"

now when you nc www.server.com 22 you get the super l33t ssh banner:
SSH-2.0-SSH WinXP 5.0.3235.3194

Posted by skp at 02:52 AM
damn apache banners

i know it's not _super effective_ and won't do much to stop a skilled attacker, but removing service banners can slow skript kiddies, worms, lUser tools, etc.

here are my all-time favorite httpd.conf options. they effectively remove everything in the "Server" string past "Server: Apache". i figure that's good enough for now.

ServerType standalone
ServerTokens Prod
ServerSignature Off
LimitRequestLine 1279
LimitRequestFieldsize 1279
LimitRequestFields 127
ExtendedStatus Off
UseCanonicalName Off
HostnameLookups Off
ErrorDocument 404 /errordoc.html

note the LimitRequests can break stuff if you're running funky stuff. if not, go for it. oh and the ErrorDocument is like a five line empty web page.
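
To confirm what a box actually shows after the edits in this post and the ssh banner post above, feed the banner line to a small checker. This is an added example, not code from the original posts; the function name banner_check is an assumption, and the sample Apache version strings are constructed.

```sh
# Added example, not from the original posts.
# banner_check LINE
#   LINE is an HTTP "Server:" header or an SSH identification string.
#   returns 0 and prints "minimal: ..." when only a product name is shown,
#   returns 1 and prints "advertises: ..." when version-like detail is shown,
#   returns 2 for anything else.
banner_check() {
    cr=$(printf '\r')
    line=${1%"$cr"}                 # banners arrive CRLF-terminated
    case $line in
        [Ss]erver:*)
            soft=${line#*:}
            soft=${soft# }
            ;;
        SSH-*-*)
            # SSH-<protoversion>-<softwareversion> <comments>: the leading
            # protocol version has to stay, the rest is whatever was compiled in
            soft=${line#SSH-*-}
            ;;
        *)
            echo "unknown banner"
            return 2
            ;;
    esac
    case $soft in
        *[0-9]*|*"("*)
            echo "advertises: $soft"
            return 1
            ;;
    esac
    echo "minimal: $soft"
}

# Constructed samples; the Apache version strings are made up for the demo,
# the SSH line is the edited banner from the ssh post.
while IFS= read -r b; do
    printf '%-60s -> %s\n' "$b" "$(banner_check "$b")"
done <<'EOF'
Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g
Server: Apache
SSH-2.0-SSH WinXP 5.0.3235.3194
EOF
```

The checker only reports what the banner claims; as the ssh post shows, that text is whatever the admin compiled in.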

Posted by skp at 02:37 AM