website VS src

Traefik : A modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components and configures itself automatically and dynamically. it's also well integrated with Let's Encrypt (Alternatives : HAProxy, Kong, NGINX)

Let's Encrypt

cert-manager is a CRD (Custom Resource Definition) that dynamically generates TLS/SSL certificates for our applications using Let's Encrypt (although it also supports other issuers).

Install Certbot Certbot is a CLI that helps to obtain and maintain Let's Encrypt cert.

Let's Encrypt. CapRover automatically configures each service with nginx. SSL certificates (on multiple domains too) are just the click of a button.

you should look at free services like https://letsencrypt.org/

Let's Encrypt Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security…letsencrypt.org

Today, you will learn how to deploy your node.js project to the internet via an Amazon Web Services EC2 Instance at little or no cost. You will learn how to create an AWS EC2 Instance and work in Amazon Linux 2, create and manage services with SYSTEMD, use NGINX as a reverse proxy and obtain an SSL certificate from Let's Encrypt to ensure your website is secure via HTTPS protocol. So let’s get to it and deploy your project to your EC2 Instance.

Luckily you can get the https easily. I’ve been using https://letsencrypt.org/ to get it encrypted. Was fast and free. No real barrier just a bunch of setup.

The OpenBSD project released 7.4 of their OS on 16 Oct 2023 as their 55th release 💫

Well since https://www.openbsd.org/ still says

> Only two remote holes in the default install, in a heck of a long time!

I'm assuming not, but I could always be mistaken.

> building a cat from scratch

> That would be an interesting project.

Here is the source code of the OpenBSD implementation of cat:

> https://github.com/openbsd/src/blob/master/bin/cat/cat.c

and here of the GNU coreutils implementation:

> https://github.com/coreutils/coreutils/blob/master/src/cat.c

Thus: I don't think building a cat from scratch or creating a tutorial about that topic is particularly hard (even though the HN audience would likely be interested in it). :-)

> I don't know how they define `MAX`, but I'm guessing it's a typical "a>b?a:b"

Indeed: https://github.com/openbsd/src/blob/master/sys/sys/param.h#L...

> Then `SYS_kbind` seems to be a signed int.

It's an untyped #define: https://github.com/openbsd/src/blob/master/sys/sys/syscall.h...

I believe your whole analysis is correct, that running an elf file with an openbsd.syscalls entry with .sysno > INT_MAX will allow an out-of-bounds write.

I can reproduce it. And this is the commit that causes the issue: https://github.com/openbsd/src/commit/d21788ce70be80e9c4ed0c52c149e01147c4a823

This doesn’t really change your conclusion, but I think that’s the wrong file. This is the real doas afaict: https://github.com/openbsd/src/blob/master/usr.bin/doas/doas...

Still just a tidy 1072 lines in that folder though.

I spent 5 minutes staring at your file trying to understand how on earth it does the things in the man page, but of course it doesn’t.

OpenBSD developers are making serious effort to kill off indirect syscalls, the base system is completely clean, take a look at the work Andrew Fresh did to adapt Perl. He write a complete syscall "dispatcher" or emulator for the Perl syscall function so that it calls the libc stubs.

https://github.com/openbsd/src/commit/312e26c80be876012ae979...

The ports tree is also being cleansed of syscall(2) usage, until they're all gone.

msyscall, pinsyscall, recent mandatory IBT/BTI, xonly. OpenBSD is making waves, but people aren't really seeing them yet.

Actually, I got it wrong, too many vulnerabilities in flight. They did fix it: https://github.com/openbsd/src/commit/375ccafb2eb77de6cf240e...