Petter Reinholdtsen writes:
> I am bothered by http://bugs.debian.org/56 >, and the fact
> that apt(-get,itude) do not work with Squid as a proxy. I would very
> much like to have apt work out of the box with Squid in Squeeze. To
> fix it one can either change Squid to work with pipelining
On 16/05/10 at 23:06 +0200, Raphael Hertzog wrote:
> Receive Ubuntu bugs by mail via PTS
> ---
>
> It is now possible to subscribe to Ubuntu bugmail for the packages you
> care about, without having to use Launchpad (and subscribe on a
> per-package basis there).
Santiago Vila writes:
> In either case, if we plan to set default umask in /etc/login.defs or
/etc/login.defs is not read when I login to openssh server and it has
"UseLogin" set to false. If I enable UseLogin then X11 forwarding
stops working [1]. To me it seems that login.defs can not be the on
On Sun, 16 May 2010 18:18:14 -0400, Felipe Sateler
wrote:
> Is there a reason to support non-UPG systems?
Not to force users to use anything that they don't want?
btw: While I stopped at some point commenting that issue, when I realised
that general security concerns were simply ignored,... I've
On Saturday 15 May 2010 12:09:47 David Weinehall wrote:
> Last time I checked, /usr/bin is also part of default $PATH...
Tricky, it becomes part of it later, not from the beginning.
But that wasn't the point. The point was that if an admin changes something to
a non-standard behavior, then has to
On Mon, 17 May 2010 00:12:56 -0400, Micah Anderson
wrote:
> Can you clarify what you mean by "standardised technology"? I work on
> the monkeysphere project, and from my point of view, I'd have to
> disagree with you, but I may not understand what you mean.
What I mean was simply something that is
Hi,
On Montag, 17. Mai 2010, Christoph Anton Mitterer wrote:
> May I suggest the following:
how about you file bugs _with patches_? Talk is cheap.
cheers,
Holger
Package: openssh-server
Version: 1:5.5p1-3
Severity: important
Hi,
Base-files package just switched to umask 002 by default for new install
(see #248140 and discussion in d-devel). However, with this setup,
openssh-server behaves badly. It is similar to #314347 that was opened
for openssh-cli
On 16/05/2010 16:46, Aaron Toponce wrote:
> On 05/15/2010 12:16 AM, Vincent Danjean wrote:
>> Something is wrong here. Should 314347 be reopened?
>
> Agreed. It's not working as it should. Running openssh-client version
> 1:5.5p1-3, and setting the write bit on my private group seems to keep
> th
On Mon, 17 May 2010 10:31:44 +0200, Holger Levsen
wrote:
> how about you file bugs _with patches_? Talk is cheap.
Well the only patches I could write with pure conscience would be:
- change umask from 022 or 002 to either 027 (or 077).
- disable UPGs altogether, as I feel that they contradict the
On Montag, 17. Mai 2010, Christoph Anton Mitterer wrote:
> But I guess none of them wouldn't be received enthusiastically, would they?
you suggested something else in your previous mail...
Package: wnpp
Severity: wishlist
Owner: Fladischer Michael
* Package name: django-reversion
Version : 1.2.1
Upstream Author : David Hall
* URL : http://code.google.com/p/django-reversion/
* License : New BSD Licen
On Thu, May 13, 2010 at 11:48:19AM +0200, Santiago Vila wrote:
> Will be done in base-files 5.4.
I think that this change was done prematurely. There is still the
issue of a Debian system running in a non-UPG environment. And so far
I haven't seen a resolution for this point in the discussion.
C
On Mon, May 17, 2010 at 10:22 AM, Christoph Anton Mitterer
wrote:
> On Sun, 16 May 2010 18:18:14 -0400, Felipe Sateler
> wrote:
>> Is there a reason to support non-UPG systems?
> Not to force users to use anything that they don't want?
>
>
> btw: While I stopped at some point commenting that issu
On Fri, 14 May 2010 11:30:17 +0200, Scott James Remnant
wrote:
>> What is so bad about init scripts? Where am I supposed to put my init
>> script magic[1] in an upstart scenario?
>>
>Upstart job configs go in /etc/init
And I can do arbitrary things there, just as with an init script?
Greetings
On Mon, May 17, 2010 at 13:04:17 (CEST), Marc Haber wrote:
> On Fri, 14 May 2010 11:30:17 +0200, Scott James Remnant
> wrote:
>>> What is so bad about init scripts? Where am I supposed to put my init
>>> script magic[1] in an upstart scenario?
>>>
>>Upstart job configs go in /etc/init
>
> And I
On Mon, May 17, 2010 at 12:26 PM, Harald Braumann wrote:
> On Thu, May 13, 2010 at 11:48:19AM +0200, Santiago Vila wrote:
>
>> Will be done in base-files 5.4.
>
> I think that this change was done prematurely. There is still the
> issue of a Debian system running in a non-UPG environment. And so f
On Mon, May 17, 2010 at 01:04:22PM +0200, Bastien ROUCARIES wrote:
> On Mon, May 17, 2010 at 12:26 PM, Harald Braumann wrote:
> > On Thu, May 13, 2010 at 11:48:19AM +0200, Santiago Vila wrote:
> >
> >> Will be done in base-files 5.4.
> >
> > I think that this change was done prematurely. There is
On Mon, 17 May 2010, Timo Juhani Lindfors wrote:
> Santiago Vila writes:
> > In either case, if we plan to set default umask in /etc/login.defs or
>
> /etc/login.defs is not read when I login to openssh server and it has
> "UseLogin" set to false. If I enable UseLogin then X11 forwarding
> stops
Santiago Vila writes:
> Ok, what about PAM?
"UsePAM no" is the default in openssh. I do not know if this is just
to reduce the attack surface.
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive
On Mon, May 17, 2010 at 13:26:04 (CEST), Mike Hommey wrote:
>> I believe the pam umask module is the way to go according to
>> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_umask.html
>>
>> [option] usergroups
>>
>> If the user is not root, and the user ID is equal to the
On Mon, May 17, 2010 at 2:22 PM, Santiago Vila wrote:
> On Mon, 17 May 2010, Timo Juhani Lindfors wrote:
>
>> Santiago Vila writes:
>> > In either case, if we plan to set default umask in /etc/login.defs or
>>
>> /etc/login.defs is not read when I login to openssh server and it has
>> "UseLogin"
On Mon, May 17, 2010 at 02:55:20PM +0200, Reinhard Tartler wrote:
> > And it was said in this thread that UID == GID is not always true with
> > UPG. You only need to create a group for that to become false for users
> > you would create afterwards.
>
> I'd say if Debian's idea of UPG doesn't matc
On 05/17/2010 07:00 AM, Mike Hommey wrote:
> There is no such thing as Debian's idea of UPG. There is simply the fact
> that when you create a user with UPG, it uses the first uid and the
> first gid available. It can happen that they don't match, in the
> scenario I gave above. This applies to any
Package: wnpp
Severity: wishlist
Owner: Jonas Smedegaard
* Package name: radicale
Version : 0.2
Upstream Author : Guillaume Ayoub
* URL : http://radicale.org/
* License : GPL-3+
Programming Lang: Python
Description : simple CalDAV calendar server
The
On Mon, 17 May 2010 08:25:50 +, Christoph Anton Mitterer
wrote:
> On Mon, 17 May 2010 00:12:56 -0400, Micah Anderson
> wrote:
> > Can you clarify what you mean by "standardised technology"? I work on
> > the monkeysphere project, and from my point of view, I'd have to
> > disagree with you,
On Mon, 17 May 2010, Timo Juhani Lindfors wrote:
> Santiago Vila writes:
> > Ok, what about PAM?
>
> "UsePAM no" is the default in openssh. I do not know if this is just
> to reduce the attack surface.
Grr. We are supposed to be system integrators, but how can we do that
if some parts of the sy
On 2010-05-17, Timo Juhani Lindfors wrote:
> Santiago Vila writes:
>> Ok, what about PAM?
> "UsePAM no" is the default in openssh. I do not know if this is just
> to reduce the attack surface.
While that's true it's not the case for Debian openssh, its postinst adds
UsePAM yes to the configurati
> > I have never rejected any SELinux patches for Upstart; I have simply
> > never been *sent* any.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543420#10
>
This pretty much proves my point. I was never sent these patches,
instead Debian kept them to itself and never attempted to get the
* Reinhard Tartler [100517 08:56]:
> Let's have a look at the source. Note that options->usergroups is set
> iff the option "usergroups" is used.
>
> ,[modules/pam_umask/pam_umask.c]
> | /* Set the process nice, ulimit, and umask from the
> |password file entry. */
> | static void
> | se
On 5/17/2010 7:34 AM, Marvin Renich wrote:
> This looks like a bug in pam_umask. UPG has never guaranteed uid=gid.
> I'll file a bug.
While the numerical ID might not match, the names should:
id -gn should equal id -un
After all, that is part of the definition of the UPG setup.
--
. O . O .
On Mon, 10 May 2010, Aaron Toponce wrote:
> I guess I'm more or less curious why we're still using this outdated
> umask value with UPG. What would it take for Debian to update our
> default umask to match the UPG scheme? Is this doable for Squeeze? Are
> there reasons for not making the switch?
T
* Peter Palfrader [100517 16:41]:
> The main problem with a default 002 umask, IMHO, is that as soon as you
> copy your files from a host with 002 and usergroups to one without, or
> untar a tarball created on a 002 host with usergroups on a system where
> you don't have a usergroup, Bad Things ca
On Mon, May 17, 2010 at 01:04:22PM +0200, Bastien ROUCARIES wrote:
> On Mon, May 17, 2010 at 12:26 PM, Harald Braumann wrote:
> > On Thu, May 13, 2010 at 11:48:19AM +0200, Santiago Vila wrote:
> >
> >> Will be done in base-files 5.4.
> >
> > I think that this change was done prematurely. There is
On 05/17/2010 10:02 AM, Harald Braumann wrote:
> - you could have a UPG system but a mismatch of IDs -> wrong umask
ID numbers, yes. ID names, no. If the user name matches the group name,
IE: aaron = aaron, then the user matches the private group. If the match
is not made, then umask 0022 should be
On Mon, 2010-05-17 at 09:40 -0400, micah anderson wrote:
> RFC 5081 is still quite a while off from widespread adoption. When it is
> more widely adopted, we will be in a much better situation, until then
> the monkeysphere is operating as an interim translation step (keeping
> the on-the-wire prot
On Mon, May 17, 2010 at 10:14:28AM -0600, Aaron Toponce wrote:
> On 05/17/2010 10:02 AM, Harald Braumann wrote:
> > - you could have a UPG system but a mismatch of IDs -> wrong umask
>
> ID numbers, yes. ID names, no. If the user name matches the group name,
> IE: aaron = aaron, then the user match
On 05/17/2010 10:49 AM, Harald Braumann wrote:
> On Mon, May 17, 2010 at 10:14:28AM -0600, Aaron Toponce wrote:
>> On 05/17/2010 10:02 AM, Harald Braumann wrote:
>>> - you could have a UPG system but a mismatch of IDs -> wrong umask
>>
>> ID numbers, yes. ID names, no. If the user name matches the g
As far as I understood,... you guys are already starting to patch
unrelated software just to make UPG work (see
#581919).
Even the title of that "bug", "bad ownership or modes..." is
ridiculous... and proves what I've predicted before, namely that these
changes will compromise security (such a pa
On 05/17/2010 11:10 AM, Christoph Anton Mitterer wrote:
> As far as I understood,... you guys are already starting to patch
> unrelated software just to make UPG work (see
> #581919).
>
> Even the title of that "bug", "bad ownership or modes..." is
> ridiculous... and proves what I've predicted b
On Mon, May 17, 2010 at 11:04:58AM -0600, Aaron Toponce wrote:
> If you're using a non-UPG system, then you don't care. Debian is
> UPG-based, so your argument is invalid.
So you propose that Debian should be restricted to work in pure UPG
environments. Then there is no need to detect the environ
On Mon, 2010-05-17 at 11:23 -0600, Aaron Toponce wrote:
> You haven't shown any implementation that security will be compromised
> in any way. You just keep throwing it around, which isn't doing anything
> for the discussion.
Uhm, no!
If you need to change for example ssh, to allow an authorized_k
On 05/17/2010 11:46 AM, Christoph Anton Mitterer wrote:
> If you need to change for example ssh, to allow an authorized_keys file
> or perhaps even things like ~/.ssh/id_rsa to be group-readable and/or
> writable you actively compromise security, at least for those systems
> which do not use (for w
On Mon, May 17, 2010 at 07:10:14PM +0200, Christoph Anton Mitterer wrote:
> As far as I understood,... you guys are already starting to patch
> unrelated software just to make UPG work (see
> #581919).
>
> Even the title of that "bug", "bad ownership or modes..." is
> ridiculous... and proves wha
On Mon, 2010-05-17 at 11:50 -0600, Aaron Toponce wrote:
> How does this compromise security when you're the only member of your
> private group?
And if you are not?
Why should you? Well someone simply might not want to use UPG? Or might
use the users or staff group?
Or do "we" now basically force
* Petter Reinholdtsen:
> I am bothered by http://bugs.debian.org/56 >, and the fact
> that apt(-get,itude) do not work with Squid as a proxy. I would very
> much like to have apt work out of the box with Squid in Squeeze. To
> fix it one can either change Squid to work with pipelining the wa
]] Christoph Anton Mitterer
| On Mon, 2010-05-17 at 11:50 -0600, Aaron Toponce wrote:
| > How does this compromise security when you're the only member of your
| > private group?
| And if you are not?
Then you have a misconfigured system where security might be
compromised. If it's intentional,
Hi all,
I would like to adopt package libnjb5, which is up for adoption due to
its maintainer being MIA.
However, I'm not a DD or a DM. I've been contributing work to Debian
for a few months now as a member of the testing security team, but my
work is unimportant - I simply sort CVE's and file bu
Untitled Document M&R® TAS Hebbecker Antec
Workhorse TUF Atlas Ranar
Walz-Schenk Anatol HIX CAPS
MHM Pannon Hopkins Lawson
Improved Print Quality - The Tote Bag Pocket platen can be used to fit into
tight spaces such as the side pocket of a small tote
bag. The
* Aaron Toponce [100517 13:05]:
> On 05/17/2010 10:49 AM, Harald Braumann wrote:
> > from pam_umask's description of the usergroups option:
> >
> > If the user is not root, and the user ID is equal to the group ID, *and*
> > the username is the same as primary group name, the umask group bits
> >
Due to the widespread usage of intercepting proxies, it's very hard, if
not impossible, to determine if a proxy is in use. It's unwise, at
best, to assume that no proxy configured == no proxy processing your
traffic :(.
-Rob
Package: wnpp
Severity: wishlist
Owner: Sune Vuorela
* Package name: synaptiks
Version : 0.4.0
Upstream Author : Sebastian Wiesner
* URL :
http://kde-apps.org/content/show.php/synaptiks?content=114270
* License : BSD
Programming Lang: C++
Description
* Robert Collins [100517 17:42]:
> Due to the widespread usage of intercepting proxies, it's very hard, if
> not impossible, to determine if a proxy is in use. It's unwise, at
> best, to assume that no proxy configured == no proxy processing your
> traffic :(.
>
> -Rob
IANADD, but if I had filed b
Given that pipelining is broken by design, that the HTTP WG has
increased the number of concurrent connections that are recommended,
and removed the upper limit - no. I don't think that disabling
pipelining hurts anyone - just use a couple more concurrent
connections.
-Rob
http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php
This should become a full open source project with a community behind
it. With Mozilla disregarding H.264, the community needs a full
browser capable of H.264 video playback without the privacy issues of
Chrome.
We need to "Icewease
On Tue, 2010-05-18 at 14:02 +1200, Robert Collins wrote:
> Given that pipelining is broken by design, that the HTTP WG has
> increased the number of concurrent connections that are recommended,
> and removed the upper limit - no. I don't think that disabling
> pipelining hurts anyone - just use a c
Marvin Renich writes:
> * Robert Collins [100517 17:42]:
>> Due to the widespread usage of intercepting proxies, it's very hard, if
>> not impossible, to determine if a proxy is in use. It's unwise, at
>> best, to assume that no proxy configured == no proxy processing your
>> traffic :(.
>>
>> -R
57 matches