Re: Bug#856652: RFS: xpdf/3.0.4.real-4
hi Svante,

I could not find the xpdf upstream developer pages. Your message here:

On Wed, 8 Mar 2017, Svante Signell wrote:
> And FYI: Quoting from upstream, sent to me yesterday:
> Regarding security bugs, I try to respond to those as quickly as possible.

gives the impression that there is just one person developing/maintaining xpdf upstream. Feel free to correct my guess by giving us the URL to the xpdf upstream developers' repository.

For a package with a Debian usership of thousands:

https://qa.debian.org/popcon.php?package=xpdf

that deals with an extremely widespread document format that has recently developed the reputation of being actively exploited:

http://www.computerworld.com/article/2517774/security0/pdf-exploits-explode--continue-climb-in-2010.html
http://www.computerworld.com/article/2493378/desktop-apps/zero-day-pdf-exploit-reportedly-defeats-adobe-reader-sandbox-protection.html

the systematic long-term sustainable aspects of modularity and security maintenance would seem to me to require a team of many people, not just one (no matter how well-intentioned and skillful at coding s/he is).

Upstream poppler has had 7 different people uploading to git since 1 Jan 2017:

https://cgit.freedesktop.org/poppler/poppler/log/

Cheers
Boud
Re: mpgrafic - mpirun test program as root in automatic build
On Wed, 18 Jan 2017, Paul Wise wrote:
> When manually building from source:
>
> You always build/test as a normal user.
> You install as either root or normal user, depending on the install prefix.
>
> When doing Debian package builds:
>
> You always build/test as a normal user.
> You always install using fakeroot.

Thanks for the clarification :). That's consistent with my experience, and seems like reasonable policy.

Cheers
Boud
Re: mpgrafic - mpirun test program as root in automatic build
On Wed, 18 Jan 2017, Paul Wise wrote:
> On Wed, Jan 18, 2017 at 5:13 AM, Boud Roukema wrote:
>> I've looked a bit at buildd.debian.org, but it's not completely trivial to decide which is correct - do the buildd builds on the debian build machines run dh_auto_tests as (i) root, as (ii) an unprivileged user running fakeroot, or as (iii) an unprivileged user?
>
> (iii) an unprivileged user
>
> fakeroot is only used at `debian/rules install` time.
>
> Both of these are the same as if you were building manually from source.

I guess by "both of these" you mean "most of the build steps (apart from the 'debian/rules install' step)"?

cheers
boud
Re: mpgrafic - mpirun test program as root in automatic build
On Tue, 17 Jan 2017, James Cowgill wrote:
> I'm not sure I follow. Debhelper runs the testsuite during the build target so it shouldn't be run as root anyway. I don't think you need any workarounds at all for this.

I agree in terms of principles :), but I don't know what actually happens on the buildd machines.

I've looked a bit at buildd.debian.org, but it's not completely trivial to decide which is correct - do the buildd builds on the debian build machines run dh_auto_tests as (i) root, as (ii) an unprivileged user running fakeroot, or as (iii) an unprivileged user?

Looking at git://git.debian.org/buildd-tools/sbuild.git it looks like the user is "buildd" - but this is just a guess.

The mpirun exit-if-root mechanism is in

openmpi-2.0.2~git.20161225/orte/orted/orted_submit.c

Isolating this to lines 319-335, this is easy to test as a standalone main program (see snippet.c below) - the exit-if-root test is triggered either (i) using root directly, or (ii) as ordinary user running fakeroot. Even as fakeroot, both geteuid() and getuid() in the snippet below report an identity of 0.

My own pbuilder setup - closely following the maint-guide.en.txt advice - appears *not* to run "make check" as fakeroot or root, since I do not see the error and exit due to running as root.

The snippet below can be tested:

user$ ./snippet
user$ fakeroot ./snippet
root# ./snippet

Cheers
Boud

--
/* inspired by openmpi-2.0.2~git.20161225/orte/orted/orted_submit.c root detection */
/* (C) 2017 GPL-3+ B. Roukema if copyright is needed */

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
  int uid = 77, euid; /* both are overwritten by the calls below */

  euid = geteuid(); /* effective user id */
  uid = getuid();   /* real user id */

  if (0 == euid) {
    printf("WARNING: You are effectively root.\n");
  }
  if (0 == uid) {
    printf("WARNING: You are really root.\n");
  }
  if (0 != uid && 0 != euid) {
    printf("You are not running as root :).\n");
  }
  return 0;
}
--
mpgrafic - mpirun test program as root in automatic build
hi Debian-mentors,

Is it reasonable to override the mpirun (openmpi_2.0.2~git.20161225-8) default preference of refusing to run as root?

I've started packaging mpgrafic for debian - this is my first debianisation, apart from minor private hacks after extracting debian source packages:

https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/

I've added regression-test-0.3.7.sh to the upstream version of mpgrafic. This is a "reproducible run" test. The test runs the main binary, mpgrafic, with a frontend "mpirun", which, in general, allows a program to run on many different machines, without shared memory. This test runs explicitly on exactly one processor, for reproducibility.

Since, in general, there is no reason for mpirun to run as root, the sid version of mpirun (from openmpi) apparently refuses to run as root. (I have not reproduced this behaviour myself - Ole Streicher has warned me about it.)

The openmpi developers provide an option --allow-run-as-root. In version 0.3.7.4-1, the debian-only, openmpi-only use of this option in debian/rules + regression-test-0.3.7.sh

https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/debian/rules
https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/regression-test-0.3.7.sh

should presumably allow debian automatic builds to pass "make check".

Is the choice to use the option --allow-run-as-root safe from a general system security point of view?

My arguments against (i.e. it would be unsafe):

* A newbie might download/extract the debian source as root, unintentionally modify the fortran source to do some dangerous things with files and directories, change the -n 1 option to -n 32 for a cluster of 4 machines each with 8 processors, and then try "make check". Since the --allow-run-as-root option is enabled in regression-test-0.3.7.sh, the newbie does some dangerous root operations.

Counterarguments (i.e. it would be safe):

** If the newbie has ignored the recommendation of building debian packets from source with fakeroot debian/rules binary, then s/he is already taking superuser risks, and we can't do much to help him/her;

** Introducing system-dangerous operations in fortran is possible, but unlikely for someone just wishing to make a cosmology calculation;

** If the newbie modifies the -n 1 option, then s/he would see the much more obvious --allow-run-as-root option and should learn enough to realise that running as root is unlikely to be needed when compiling/running the package as an ordinary user.

An alternative I see to enabling --allow-run-as-root would be e.g.

  adduser --no-create-home --disabled-password mpgrafic
  mpirun -n 1 ... ; deluser mpgrafic

but that would unnecessarily require build dependence on adduser, and creating/removing users is itself a security-related issue that automated checkers (e.g. lintian) might (or should?) be concerned about.

I'd like to rename mpgrafic-0.3.7.4 to 0.3.8 upstream, along with the debian versions 0.3.7.4-1 and 0.3.8-1, but first it would be good to hear some opinions on this.

tracker: https://tracker.debian.org/pkg/mpgrafic

Cheers
Boud
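
Added example, not part of the original thread and not code from mpgrafic or openmpi: the thread's observation that the exit-if-root check sees uid 0 both as real root and under fakeroot, turned into a guard a test script could run before deciding to pass --allow-run-as-root. It goes one step beyond the thread by reading the kernel's view of the effective uid from /proc/<pid>/status (Linux only), which fakeroot's preloaded libc wrappers do not alter; the function names and the ALLOW_REAL_ROOT opt-in variable are hypothetical.

```shell
#!/bin/sh
# Added example; function names and ALLOW_REAL_ROOT are hypothetical.

# Effective uid as the kernel records it: third field of the "Uid:" line of a
# /proc/<pid>/status file (real, effective, saved, fs), read from stdin.
# fakeroot's LD_PRELOAD wrappers do not change this value.
kernel_euid() {
    awk '$1 == "Uid:" { print $3; exit }'
}

# classify LIBC_EUID KERNEL_EUID -> user | fakeroot | root
# LIBC_EUID is what `id -u` (and a geteuid() check such as mpirun's) sees.
# An empty KERNEL_EUID (no /proc) is treated as 0, so it fails closed to "root".
classify() {
    if [ "$1" -ne 0 ]; then
        echo user
    elif [ "${2:-0}" -ne 0 ]; then
        echo fakeroot
    else
        echo root
    fi
}

# mpirun_flags KIND -> extra mpirun flags on stdout.
# Real root gets the flag only with an explicit opt-in.
mpirun_flags() {
    case "$1" in
        user) ;;
        fakeroot) echo "--allow-run-as-root" ;;
        root)
            if [ "${ALLOW_REAL_ROOT:-0}" = 1 ]; then
                echo "--allow-run-as-root"
            else
                echo "refusing to run the test as real root" >&2
                return 1
            fi ;;
        *) return 2 ;;
    esac
}

# Constructed sample: status lines of an ordinary user (uid 1000).
sample_status() {
    printf 'Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n'
}

# Constructed fakeroot case: libc says 0, the kernel says 1000.
kind=$(classify 0 "$(sample_status | kernel_euid)")
echo "kind=$kind flags=$(mpirun_flags "$kind")"
# Live use: classify "$(id -u)" "$(kernel_euid < /proc/self/status)"
```

With this policy the flag is passed without further questions only in the fakeroot case, where the process still has an ordinary user's kernel credentials.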