Re: [gentoo-dev] RFC: new project gentoo-extreme-security
On Monday 22 October 2007 06:04:58 Donnie Berkholz wrote:
> On 01:42 Mon 22 Oct , Alexander Gabert wrote:
> > this is a request for comments on a new project:
> >
> > http://www.gentoo.org/proj/en/extreme-security/
This sounds interesting, though the project page is not very specific.

> I'm curious whether this would be better-placed as a subproject of
> either the security or hardened projects. Why do you think it would be
> better off independent?
The Security Team as it stands now is mostly reactive and not proactive
so I don't think it would fit very well as a sub project of security.
Hardened is another matter.

--
Sune Kloppenborg Jeppesen (Jaervosz)
Gentoo Linux Security Team
http://security.gentoo.org
--
[EMAIL PROTECTED] mailing list
[gentoo-dev] Re: Re: Re: repoman - I cannot handle it...
Marius Mauch wrote:
> On Sun, 21 Oct 2007 23:13:58 +0100
> Steve Long <[EMAIL PROTECTED]> wrote:
>> Well the line from portage_versions.py is:
>> ver_regexp = re.compile("^(cvs\\.)?(\\d+)((\\.\\d+)*)([a-z]?)((_(pre|p|beta|alpha|rc)\\d*)*)(-r(\\d+))?$")
>> - which means that a version begins with either a digit or cvs
>> followed by digit.
>
> Not precisely: a digit, or "cvs" followed by a dot and a digit (you got
> it right in the following, but not in the code posted earlier)
>
Bleh, thanks: code review FTW! Sleep-loss er FTL :p

>> We represented this in bash (for verCompare) as:
>> ver='^(cvs\.)?([0-9]+)((\.[0-9]+)*)([a-z]?)((_(pre|p|beta|alpha|rc)[0-9]*)*)(-r([0-9]+))?$'
>>
>> I think we can use:
>> CPV='^(.*-.*)/(.*)-(cvs\.)?([0-9]+)((\.[0-9]+)*)([a-z]?)((_(pre|p|beta|alpha|rc)[0-9]*)*)(-r([0-9.]+))?$'
>
> Well, categories don't necessarily have to contain a dash (though all
> official ones do currently).
>
Ah OK, excellent! ^(([[:alpha:]]+-[[:alpha:]]+)|virtual)/.. and
^([[:alpha:]]+(-[[:alpha:]]+)?)/.. (if other single-terms are to be
allowed) - would add one to every subsequent term index (for the general
case, not when globbing the tree.) If we can correctly reduce this to a
single regex match, it'll make my life a lot easier :)

(For update there's no need to check the category exists, since the
strings are taken from portage output, but such a check could be
performed after the match.)
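A worked version of the single-match split that Steve is after, added here as an example; it is not code from the thread and not Portage's own code. The version regex is the one quoted above from portage_versions.py (with the "cvs." prefix as Marius corrected it). The category and package-name character classes are my assumption, in PMS style, following Marius's point that a category need not contain a dash; the package name is matched non-greedily so that the anchored version part decides where the name ends and one re.match does the whole category/package-version split. The comparison is my implementation of the PMS ordering rules (first numeric component as an integer, later components as integers unless one has a leading zero, then the letter, then _alpha < _beta < _pre < _rc < no suffix < _p, then -rN), not Portage's vercmp; the "cvs." prefix is accepted by the regex but ignored for ordering.

```python
import re
from itertools import zip_longest

# Version regex exactly as quoted from portage_versions.py in the thread
# (note "cvs\.": the prefix is "cvs" followed by a dot, not bare "cvs").
VERSION_RE = re.compile(
    r"^(cvs\.)?(\d+)((\.\d+)*)([a-z]?)((_(pre|p|beta|alpha|rc)\d*)*)(-r(\d+))?$"
)

# Assumed (PMS-style) category and package-name character classes: a category
# need not contain a dash, so only the "/" is required. The package name is
# non-greedy, so the anchored version part decides where the name ends.
CPV_RE = re.compile(
    r"^(?P<cat>[A-Za-z0-9_][A-Za-z0-9+_.-]*)/"
    r"(?P<pn>[A-Za-z0-9_][A-Za-z0-9+_-]*?)-"
    r"(?P<ver>(cvs\.)?\d+(\.\d+)*[a-z]?(_(pre|p|beta|alpha|rc)\d*)*(-r\d+)?)$"
)

# PMS ordering of the optional suffixes; "" stands for "no suffix".
SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}


def split_cpv(cpv):
    """Return (category, package, version) or raise ValueError."""
    m = CPV_RE.match(cpv)
    if not m:
        raise ValueError("not a category/package-version string: %r" % cpv)
    return m.group("cat"), m.group("pn"), m.group("ver")


def _parse_version(ver):
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError("invalid version: %r" % ver)
    numbers = [m.group(2)] + (m.group(3)[1:].split(".") if m.group(3) else [])
    letter = m.group(5)
    suffixes = re.findall(r"_(pre|p|beta|alpha|rc)(\d*)", m.group(6))
    revision = int(m.group(10)) if m.group(10) else 0
    return numbers, letter, suffixes, revision


def _cmp(a, b):
    return (a > b) - (a < b)


def vercmp(a, b):
    """Negative if a < b, 0 if equal, positive if a > b (PMS rules).

    Later numeric components compare as integers unless either has a leading
    zero, in which case they compare as strings with trailing zeros stripped
    (so 1.01 < 1.1 but 1.10 > 1.1); a version with more components is newer.
    """
    na, la, sa, ra = _parse_version(a)
    nb, lb, sb, rb = _parse_version(b)
    c = _cmp(int(na[0]), int(nb[0]))
    if c:
        return c
    for x, y in zip_longest(na[1:], nb[1:]):
        if x is None:
            return -1          # 1.0 < 1.0.1
        if y is None:
            return 1
        if x.startswith("0") or y.startswith("0"):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    c = _cmp(la, lb)           # "" < "a" < "b" ...
    if c:
        return c
    for (sx, nx), (sy, ny) in zip_longest(sa, sb, fillvalue=("", "")):
        c = _cmp(SUFFIX_ORDER[sx], SUFFIX_ORDER[sy])
        if c:
            return c
        c = _cmp(int(nx or 0), int(ny or 0))
        if c:
            return c
    return _cmp(ra, rb)


if __name__ == "__main__":
    for cpv in ("app-portage/portato-0.8.6", "net-mail/mailgraph-1.14",
                "virtual/libc-0", "dev-lang/python-2.5.1-r1"):
        print(cpv, "->", split_cpv(cpv))
    print(vercmp("1.0_rc1", "1.0"), vercmp("1.0_p1", "1.0"), vercmp("1.01", "1.1"))
```

Because the version part is anchored at the end of the string, a name such as bar-1 in app-foo/bar-1-2.0 is split correctly: "1-2.0" is not a valid version, so the non-greedy name grows until the remainder is one.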
[gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in app-portage/portato: ChangeLog portato-0.8.6.ebuild portato-0.8.5.ebuild
On 17:03 Sat 20 Oct , Markus Ullmann (jokey) wrote:
> 1.1 app-portage/portato/portato-0.8.6.ebuild
>
> file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-portage/portato/portato-0.8.6.ebuild?rev=1.1&view=markup
> plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-portage/portato/portato-0.8.6.ebuild?rev=1.1&content-type=text/plain

> apply_sed ()
> {
>     cd "${S}/${PN}"
>
> }

Uhh, what's this doing? It's not called anywhere in the ebuild. I'd
guess it's an artifact from an older version.

Thanks,
Donnie
Re: [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in app-portage/portato: ChangeLog portato-0.8.6.ebuild portato-0.8.5.ebuild
Donnie Berkholz wrote:
> On 17:03 Sat 20 Oct , Markus Ullmann (jokey) wrote:
>> 1.1 app-portage/portato/portato-0.8.6.ebuild
>>
>> file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-portage/portato/portato-0.8.6.ebuild?rev=1.1&view=markup
>> plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-portage/portato/portato-0.8.6.ebuild?rev=1.1&content-type=text/plain
>
>> apply_sed ()
>> {
>>     cd "${S}/${PN}"
>>
>> }
>
> Uhh, what's this doing? It's not called anywhere in the ebuild. I'd
> guess it's an artifact from an older version.
>
> Thanks,
> Donnie

Someone has broken this ebuild - it is not working at all. (The body of
apply_sed has been moved into src_compile - and broken there). A current
version is waiting in sunrise/portage-review to be included in the tree.
Just ignore the current ebuild ^^

Regards,
Necoro
[gentoo-dev] Slapd calls nss_ldap before opening its ports
Hi,

when setting up LDAP PAM authentication I encountered a problem that
seems to be neither slapd- nor nss_ldap-specific.

When running the init script there comes up an error that clutters up my
syslog with a lot of useless error messages:

@(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $
[EMAIL PROTECTED]:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
...
nss_ldap: could not search LDAP server - Server is unavailable
WARNING: No dynamic config support for database ldbm.
slapd starting

I found out that the Gentoo init script activates the options "-u ldap
-g ldap". Without them, the error messages do not appear. Therefore I
suppose the slapd daemon tries to obtain passwd/shadow information for
ldap via nss_ldap. At least when I say "compat" in nsswitch.conf, the
error message doesn't appear either.

The thing I really wonder about is that the lines in nsswitch.conf say

passwd: files ldap
shadow: files ldap
group:  files ldap

The files should be searched first. The "ldap" information is present in
all three of them. I even tried to chown the shadow file to ldap but this
didn't save me from the weird messages either.

I detected I have a machine where this didn't happen. Then I upgraded
from glibc-2.5-r4 to glibc-2.6.1 ...

I tried to stuff log statements into glibc's nss part but I'm not
experienced enough in glibc to do that in finite time.

Could this be a real bug in glibc or any of its patches? Does anybody
experience the same behaviour?

Thanks in advance,

Bertram

--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
> Hi,
>
> when setting up LDAP Pam authentication I encountered a
> problem that seems to be neither Slapd- nor
> nss_ldap-specific.
>
> When running the init script there comes up an error that
> clutters up my syslog with a lot of useless error messages:
>
> @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $
> [EMAIL PROTECTED]:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
> nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
> nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
> nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
> ...
> nss_ldap: could not search LDAP server - Server is unavailable
> WARNING: No dynamic config support for database ldbm.
> slapd starting
>
> I found out that the Gentoo init script activates the
> options "-u ldap -g ldap". Without them, the error messages
> do not appear. Therefore I suppose the slapd daemon tries to
> obtain passwd/shadow information for ldap via nss_ldap. At
> least when I say "compat" in nsswitch.conf, the error
> message doesn't appear as well.

Instead of -u ldap -g ldap, try putting in the UID and GID. This should
stop the calls to the server.

> The files should be searched first. The "ldap" information
> is present in all three of them. I even tried to chown the
> shadow file to ldap but this didn't save me from the weird
> messages either.

Don't play with the perms on /etc/shadow, you're just opening up security
holes.

--
Benjamin Smee (strerror)
net-mail/netmon/forensics/crypto/ldap
Fingerprint: 497F 5E98 1FA0 C313 EA0B 08C7 004A 66ED 448B E78C
Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
Hi,

On Monday, 22 Oct 2007, 13:44:19 +0100, Benjamin Smee wrote:
> On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
> >
> > @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $
> > [EMAIL PROTECTED]:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
> > nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
> > nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
> > nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
> > ...
> > nss_ldap: could not search LDAP server - Server is unavailable
> >
> > I found out that the Gentoo init script activates the
> > options "-u ldap -g ldap". Without them, the error messages
> > do not appear. Therefore I suppose the slapd daemon tries to
> > obtain passwd/shadow information for ldap via nss_ldap. At
> > least when I say "compat" in nsswitch.conf, the error
> > message doesn't appear as well.
>
> instead of -u ldap -g ldap, try putting in the UID and GID. This should stop
> the calls to the server.

I forgot to mention that I tried this, too. The same messages appear.

Is there a way to determine _what_ nss is asked for?

> > I even tried to chown the
> > shadow file to ldap but this didn't save me from the weird
> > messages either.
>
> Don't play with the perms on /etc/shadow, you're just opening up security
> holes.

That was just for a minute. Of course I recovered the previous state
immediately.

Thanks anyway so far,

Bertram

--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
Hi

On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> information for ldap via nss_ldap.

Yes, it does. Therefore, use something like the following line in
/etc/ldap.conf:

nss_initgroups_ignoreusers root,ldap,cron,portage

Greets,
Michael

--
http://hansmi.ch/
Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
On 10/22/07, Michael Hanselmann <[EMAIL PROTECTED]> wrote:
> Hi
>
> On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> > Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> > information for ldap via nss_ldap.
>
> Yes, it does. Therefore, use something like the following line in
> /etc/ldap.conf:
>
> nss_initgroups_ignoreusers root,ldap,cron,portage

ew, what if root is in some ldap groups? :)

But seriously, while that most likely works, it's only hiding the
problem, not solving it. Do other distributions just not run ldap as an
unprivileged user? We run slapd as 'ldap' at work, but do not have this
problem (but we are not running gentoo, obviously, our libraries are old
and crufty). I know robbat2 knows more about this problem, it just seems
odd that it's only us.

-Alec

> Greets,
> Michael
>
> --
> http://hansmi.ch/
Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
On 10/22/07, Bertram Scharpf <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Monday, 22 Oct 2007, 13:44:19 +0100, Benjamin Smee wrote:
> > On Monday 22 October 2007 13:12:29 Bertram Scharpf wrote:
> > >
> > > @(#) $OpenLDAP: slapd 2.3.38 (Oct 18 2007 22:12:26) $
> > > [EMAIL PROTECTED]:/var/tmp/portage/net-nds/openldap-2.3.38/work/openldap-2.3.38/servers/slapd
> > > nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
> > > nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
> > > nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
> > > ...
> > > nss_ldap: could not search LDAP server - Server is unavailable
> > >
> > > I found out that the Gentoo init script activates the
> > > options "-u ldap -g ldap". Without them, the error messages
> > > do not appear. Therefore I suppose the slapd daemon tries to
> > > obtain passwd/shadow information for ldap via nss_ldap. At
> > > least when I say "compat" in nsswitch.conf, the error
> > > message doesn't appear as well.
> >
> > instead of -u ldap -g ldap, try putting in the UID and GID. This should stop
> > the calls to the server.
>
> I forgot to mention that I tried this, too. The same
> messages appear.
>
> Is there a way to determine _what_ nss is asked for?

Sure, turn on nscd in super debug mode and you should see most, if not
all the requests.

-Alec

> > > I even tried to chown the
> > > shadow file to ldap but this didn't save me from the weird
> > > messages either.
> >
> > Don't play with the perms on /etc/shadow, you're just opening up security
> > holes.
>
> That was just for a minute. Of course I recovered the
> previous state immediately.
>
> Thanks anyway so far,
>
> Bertram
>
> --
> Bertram Scharpf
> Stuttgart, Deutschland/Germany
> http://www.bertram-scharpf.de
Re: [gentoo-dev] striping blank lines (was: stripping out the DO NOT REPLY from bugzie emails)
On Sat, 29/09/2007 at 07:05 -0400, Mike Frysinger wrote:
> when comments get added, there are 5 blank lines between the bugzilla
> URI's and the start of actual content ...

This can be worked around with another .procmailrc rule:

# Strip out excess empty lines
:0 Hfw
* ^From: [EMAIL PROTECTED]
| awk '{ if ( $0 == "" ) {el++;} else { if (el>0) print ""; el=0; print $0 ;}}'

I'm not sure that this is the best approach but I did not find a way to
do this with sed. If it's possible I'd like to know how, so I could just
add another -e 'script' to the existing "DO NOT REPLY" stripping recipe.

--
Peter.
Re: [gentoo-dev] striping blank lines (was: stripping out the DO NOT REPLY from bugzie emails)
On Monday, 22 October 2007 18:09:37, Peter Volkov wrote:
> | awk '{ if ( $0 == "" ) {el++;} else { if (el>0) print ""; el=0; print $0 ;}}'
>
> I'm not sure that this is the best approach but I did not find a way
> to do this with sed. If it's possible I'd like to know how, so I
> could just add another -e 'script' to the existing "DO NOT REPLY"
> stripping recipe.

To delete empty lines with sed, just do a

sed '/^$/d'

I hope that's what you're looking for.

Regards,
Elias P.

--
A really nice number: "09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0"
Re: [gentoo-dev] striping blank lines (was: stripping out the DO NOT REPLY from bugzie emails)
On Mon, 22/10/2007 at 19:21 +0200, Elias Probst wrote:
> To delete empty lines with sed, just do a
> sed '/^$/d'
> I hope that's what you're looking for.

No. The awk command in the previous mail substituted 2 or more empty
lines with exactly one empty line. Your command makes mail less readable.

--
Peter.
[gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in net-mail/mailgraph: ChangeLog mailgraph-1.14.ebuild
On 18:24 Mon 22 Oct , Tobias Scherbaum (dertobi123) wrote:
> 1.1 net-mail/mailgraph/mailgraph-1.14.ebuild
>
> file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-mail/mailgraph/mailgraph-1.14.ebuild?rev=1.1&view=markup
> plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-mail/mailgraph/mailgraph-1.14.ebuild?rev=1.1&content-type=text/plain

> user_group_setup() {
>     # add user and group for mailgraph daemon
>     # also add mgraph to the group adm so it's able to
>     # read syslog logfile /var/log/messages (should be owned by
>     # root:adm with permission 0640)
>     enewgroup mgraph
>     enewuser mgraph -1 -1 /var/empty mgraph,adm
> }
>
> pkg_setup() {
>     webapp_pkg_setup
>     built_with_use net-analyzer/rrdtool perl \
>         || die "net-analyzer/rrdtool must be built with USE=perl"
>     user_group_setup
> }
...
> pkg_preinst() {
>     user_group_setup
> }

Why is user_group_setup() run twice?

> if [[ has_version <=net-mail/mailgraph-1.12 ]] ; then

Does this actually work?

Thanks,
Donnie
Re: [gentoo-dev] striping blank lines (was: stripping out the DO NOT REPLY from bugzie emails)
On 2007/10/22, Peter Volkov <[EMAIL PROTECTED]> wrote:
>
> On Mon, 22/10/2007 at 19:21 +0200, Elias Probst wrote:
> > To delete empty lines with sed, just do a
> > sed '/^$/d'
> > I hope that's what you're looking for.
>
> No. awk command in the previous mail substituted 2 or more empty lines
> with exactly one empty line. Your command makes mail less readable.
>

One of these two commands should do the trick (depending whether you're
after empty lines or blank lines):

'/./,/^$/!d'

or

'/[^[:space:]]/,/^[[:space:]]*$/!d'

--
TGL.
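The four one-liners in this thread (Peter's awk, Elias's sed '/^$/d', and TGL's two sed ranges) behave differently at the edges, which is the whole disagreement above. The following is an added example, not code from the thread: it keeps the posted commands verbatim, pipes constructed sample text through them when sed and awk are installed, and carries a pure-Python reference for each so the edge cases (leading blanks, trailing blanks, whitespace-only lines) can be checked without the tools. The sample text is constructed for the demonstration.

```python
import shutil
import subprocess

# The one-liners posted in the thread, verbatim, as argv lists.
FILTERS = {
    "peter_awk": ["awk", '{ if ( $0 == "" ) {el++;} else { if (el>0) print ""; el=0; print $0 ;}}'],
    "elias_sed": ["sed", "/^$/d"],
    "tgl_sed_empty": ["sed", "/./,/^$/!d"],
    "tgl_sed_blank": ["sed", "/[^[:space:]]/,/^[[:space:]]*$/!d"],
}

# Constructed sample: a run of empty lines, a whitespace-only line, trailing empties.
SAMPLE = "a\n\n\n\nb\n \n\nc\n\n\n"


def run_filter(name, text):
    """Pipe text through one of the posted one-liners and return its output.

    Returns None when the tool is not installed, so callers can skip the
    cross-check instead of failing.
    """
    argv = FILTERS[name]
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, input=text, capture_output=True,
                          text=True, check=True).stdout


def _join(lines):
    return "".join(line + "\n" for line in lines)


def squeeze_awk_style(text):
    """Peter's awk: count empty lines, emit one when a non-empty line follows.

    Leading empty lines collapse to one; trailing ones disappear; a line of
    spaces is not empty ($0 == "" is false) and is passed through.
    """
    out, pending = [], 0
    for line in text.splitlines():
        if line == "":
            pending += 1
            continue
        if pending:
            out.append("")
        pending = 0
        out.append(line)
    return _join(out)


def squeeze_sed_style(text, whitespace=False):
    """TGL's sed '/./,/^$/!d' (whitespace=True: the [[:space:]] variant).

    Only the ranges "non-blank line .. next blank line" survive: a run of
    blanks keeps its first member, leading blanks are dropped entirely, and
    exactly one trailing blank is kept if the input ended with several.
    """
    is_blank = (lambda l: l.strip() == "") if whitespace else (lambda l: l == "")
    out, in_range = [], False
    for line in text.splitlines():
        if in_range:
            out.append(line)
            if is_blank(line):
                in_range = False
        elif not is_blank(line):
            out.append(line)
            in_range = True
    return _join(out)


def delete_empty(text):
    """Elias's sed '/^$/d': every empty line goes, paragraphs run together."""
    return _join(line for line in text.splitlines() if line != "")


if __name__ == "__main__":
    for name in FILTERS:
        print("%-14s %r" % (name, run_filter(name, SAMPLE)))
```

On the sample, Peter's awk and TGL's first sed agree in the middle (one blank between a and b) but not at the ends: the awk drops the trailing empties, the sed keeps one. Because the posted recipe has no b flag, procmail feeds header and body through the filter, so the header/body separator counts as the first blank of the Bugzilla run and the five extra blanks collapse into it with either one-liner.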
Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
Hi,

On Monday, 22 Oct 2007, 08:48:59 -0700, Alec Warner wrote:
> On 10/22/07, Bertram Scharpf <[EMAIL PROTECTED]> wrote:
> > Is there a way to determine _what_ nss is asked for?
>
> Sure, turn on nscd in super debug mode and you should see most, if not
> all the requests.

A _really_ cool idea. Thanks!

It's indeed the initgroups query that starts to spin.

Bertram

--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
Re: [gentoo-dev] Slapd calls nss_ldap before opening its ports
Hi,

On Monday, 22 Oct 2007, 15:30:59 +0200, Michael Hanselmann wrote:
> On Mon, Oct 22, 2007 at 02:12:29PM +0200, Bertram Scharpf wrote:
> > Therefore I suppose the slapd daemon tries to obtain passwd/shadow
> > information for ldap via nss_ldap.
>
> Yes, it does. Therefore, use something like the following line in
> /etc/ldap.conf:
>
> nss_initgroups_ignoreusers root,ldap,cron,portage

Ah, I did not know this yet. I see the problem as a whole is more
complicated. Even though Alec enters caveats I will use the ignore
solution for now.

What was troubling me was that I didn't know what was going on at all.

Thank you both,

Bertram

--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
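The thread ends with Bertram's finding that the initgroups query is what wakes nss_ldap. The following is an added example, not code from the thread and not OpenLDAP's, showing the privilege-drop sequence a daemon performs for "-u user -g group" with the two NSS lookups made visible: the passwd lookup, where "passwd: files ldap" stops at the first source that answers, and initgroups(), where glibc queries every source listed for "group:" and merges the results, so the ldap module is asked even though the user is in /etc/group. This is also why passing a numeric uid (Benjamin's suggestion) changed nothing for Bertram: initgroups() needs a name, so the uid is resolved first; that this is what slapd does is my assumption, consistent with what the thread observed, and I have not checked slapd's source. The account name "nobody" in the demo is an assumption.

```python
import os
import pwd


def resolve_account(spec):
    """Look up an account by name or numeric uid through the passwd database.

    This is the first NSS lookup a daemon makes for "-u user". With
    "passwd: files ldap" the files source answers for a local account and
    the lookup stops there, so this step is not what contacts the server.
    Returns (name, uid, gid) or None if the account does not exist.
    """
    try:
        pw = pwd.getpwuid(int(spec)) if spec.isdigit() else pwd.getpwnam(spec)
    except KeyError:
        return None
    return pw.pw_name, pw.pw_uid, pw.pw_gid


def drop_privileges(spec):
    """Switch from root to the given account, in the only order that works.

    1. initgroups(): the group-database lookup. glibc asks every source
       listed for "group:" and merges the answers, so nss_ldap is queried
       even when the user is present in /etc/group; this is the call that
       produced the messages in the thread.
    2. setgid(): primary group.
    3. setuid(): last, because afterwards we can no longer change groups.
    A numeric uid changes nothing: initgroups() needs the name, so the uid
    is resolved first (assumption about such daemons, matching what the
    thread observed).
    """
    acct = resolve_account(spec)
    if acct is None:
        raise LookupError("no such account: %r" % spec)
    name, uid, gid = acct
    os.initgroups(name, gid)
    os.setgid(gid)
    os.setuid(uid)
    if uid != 0:
        # Verify the drop stuck: regaining root must fail.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop did not stick")
    return name, os.getuid(), os.getgid()


if __name__ == "__main__":
    import sys
    spec = sys.argv[1] if len(sys.argv) > 1 else "nobody"   # assumed account name
    print(drop_privileges(spec))
```

Michael's nss_initgroups_ignoreusers line makes nss_ldap answer step 1 for the listed users without a server round trip, which is exactly Alec's caveat: any LDAP group memberships of those users are no longer seen. Forgetting step 1 is the opposite failure, the daemon keeps root's supplementary groups; calling setuid() before setgid() leaves the process unable to finish the drop. If I remember glibc's grp/initgroups.c correctly, a separate "initgroups:" line in nsswitch.conf is honoured with the usual stop-at-success action, whereas without one glibc keeps querying every "group:" source; that is worth verifying against the glibc version in use before relying on it.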
Re: [gentoo-dev] RFC: new project gentoo-extreme-security
On 10/22/07, Sune Kloppenborg Jeppesen <[EMAIL PROTECTED]> wrote:
> On Monday 22 October 2007 06:04:58 Donnie Berkholz wrote:
> > On 01:42 Mon 22 Oct , Alexander Gabert wrote:
> > > this is a request for comments on a new project:
> > >
> > > http://www.gentoo.org/proj/en/extreme-security/
> This sounds interesting, though the project page is not very specific.
>
> > I'm curious whether this would be better-placed as a subproject of
> > either the security or hardened projects. Why do you think it would be
> > better off independent?
> The Security Team as it stands now is mostly reactive and not proactive so I
> don't think it would fit very well as a sub project of security. Hardened is
> another matter.
>
> --
> Sune Kloppenborg Jeppesen (Jaervosz)
> Gentoo Linux Security Team
> http://security.gentoo.org

I like the way you put 'friendly' first :)

Regarding the past posts about the existing security team, I'm thinking
this project is supposed to build up some suite of applications and
configurations to let the administrator control his security settings in
a more easy way.

IMO this does not clash with the security team's purpose; this project
will take the security team's results and make it into a more friendly
suite.

I'd be more than happy to assist in this project, or the main security
team.

--
Thanks,
Omer Cohen
www.omerc.net
[EMAIL PROTECTED]