Re: Bug#856652: RFS: xpdf/3.0.4.real-4

2017-03-08 Thread Boud Roukema

hi Svante,

I could not find the xpdf upstream developer pages. Your message here:

On Wed, 8 Mar 2017, Svante Signell wrote:


And FYI:
Quoting from upstream, sent to me yesterday:

Regarding security bugs, I try to respond to those as quickly as
possible.


gives the impression that there is just one person
developing/maintaining xpdf upstream. Feel free to correct my guess
by giving us the URL to the xpdf upstream developers' repository.

For a package with a Debian usership of thousands:

https://qa.debian.org/popcon.php?package=xpdf

that deals with an extremely widespread document format that has
recently developed the reputation of being actively exploited:

http://www.computerworld.com/article/2517774/security0/pdf-exploits-explode--continue-climb-in-2010.html
http://www.computerworld.com/article/2493378/desktop-apps/zero-day-pdf-exploit-reportedly-defeats-adobe-reader-sandbox-protection.html

the systematic long-term sustainable aspects of modularity and
security maintenance would seem to me to require a team of many
people, not just one (no matter how well-intentioned and skillful at
coding s/he is).

Upstream poppler has had 7 different people uploading to git since 1 Jan 2017:
https://cgit.freedesktop.org/poppler/poppler/log/

Cheers
Boud





Re: mpgrafic - mpirun test program as root in automatic build

2017-01-18 Thread Boud Roukema

On Wed, 18 Jan 2017, Paul Wise wrote:


When manually building from source:

You always build/test as a normal user.
You install as either root or normal user, depending on the install prefix.

When doing Debian package builds:

You always build/test as a normal user.
You always install using fakeroot.


Thanks for the clarification :). That's consistent
with my experience, and seems like reasonable policy.

Cheers
Boud



Re: mpgrafic - mpirun test program as root in automatic build

2017-01-17 Thread Boud Roukema

On Wed, 18 Jan 2017, Paul Wise wrote:


On Wed, Jan 18, 2017 at 5:13 AM, Boud Roukema wrote:


I've looked a bit at buildd.debian.org, but it's not completely
trivial to decide which is correct - do the buildd builds on the
debian build machines run dh_auto_tests as (i) root, as (ii) an unprivileged
user running fakeroot, or as (iii) an unprivileged user?


(iii) an unprivileged user

fakeroot is only used at `debian/rules install` time.

Both of these are the same as if you were building manually from source.


I guess by "both of these" you mean "most of the build steps (apart from
the 'debian/rules install' step)"?

cheers
boud



Re: mpgrafic - mpirun test program as root in automatic build

2017-01-17 Thread Boud Roukema

On Tue, 17 Jan 2017, James Cowgill wrote:


I'm not sure I follow. Debhelper runs the testsuite during the build
target so it shouldn't be run as root anyway. I don't think you need any
workarounds at all for this.


I agree in terms of principles :), but I don't know what actually happens
on the buildd machines.

I've looked a bit at buildd.debian.org, but it's not completely
trivial to decide which is correct - do the buildd builds on the
debian build machines run dh_auto_tests as (i) root, as (ii) an unprivileged
user running fakeroot, or as (iii) an unprivileged user?

Looking at git://git.debian.org/buildd-tools/sbuild.git it looks like
the user is "buildd" - but this is just a guess.

The mpirun exit-if-root mechanism is in

openmpi-2.0.2~git.20161225/orte/orted/orted_submit.c

Isolating this to lines 319-335, this is easy to test as a standalone
main program (see snippet.c below) - the exit-if-root test is triggered
either (i) using root directly, or (ii) as ordinary user running fakeroot.

Even as fakeroot, both geteuid() and getuid() in the snippet below
report an identity of 0.

My own pbuilder setup - closely following the maint-guide.en.txt advice -
appears *not* to run "make check" as fakeroot or root, since I
do not see the error and exit due to running as root.

The snippet below can be tested:

user$ ./snippet
user$ fakeroot ./snippet
root# ./snippet

Cheers
Boud

--

/* inspired by openmpi-2.0.2~git.20161225/orte/orted/orted_submit.c root detection */

/* (C) 2017 GPL-3+ B. Roukema if copyright is needed */

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
  int uid = 77, euid; /* both are overwritten by the calls below */
  euid = geteuid(); /* effective uid: the one used for permission checks */
  uid = getuid();   /* real uid: the user who started the process */
  if (0 == euid) {
    printf("WARNING: You are effectively root.\n");
  }
  if (0 == uid) {
    printf("WARNING: You are really root.\n");
  }
  if (0 != uid && 0 != euid) {
    printf("You are not running as root :).\n");
  }
  return 0;
}

--



mpgrafic - mpirun test program as root in automatic build

2017-01-16 Thread Boud Roukema

hi Debian-mentors,

Is it reasonable to override the mpirun (openmpi_2.0.2~git.20161225-8)
default preference of refusing to run as root?

I've started packaging mpgrafic for debian - this is my first
debianisation, apart from minor private hacks after extracting debian
source packages:

https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/

I've added regression-test-0.3.7.sh to the upstream version of
mpgrafic. This is a "reproducible run" test. The test runs the main
binary, mpgrafic, with a frontend "mpirun", which, in general, allows
a program to run on many different machines, without shared memory.
This test runs explicitly on exactly one processor, for reproducibility.

Since, in general, there is no reason for mpirun to run as root,
the sid version of mpirun (from openmpi) apparently refuses to run as root.
(I have not reproduced this behaviour myself - Ole Streicher
has warned me about it.) The openmpi developers provide an option
--allow-run-as-root.

In version 0.3.7.4-1, the debian-only, openmpi-only use of this option in
debian/rules + regression-test-0.3.7.sh

https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/debian/rules
https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/regression-test-0.3.7.sh

should presumably allow debian automatic builds to pass "make check".

Is the choice to use the option --allow-run-as-root safe from a general
system security point of view?

My arguments against (i.e. it would be unsafe):

* A newbie might download/extract the debian source as root,
unintentionally modify the fortran source to do some dangerous things
with files and directories, change the -n 1 option to -n 32 for a cluster
of 4 machines each with 8 processors, and then try "make check".
Since the --allow-run-as-root option is enabled in regression-test-0.3.7.sh,
the newbie does some dangerous root operations.

Counterarguments (i.e. it would be safe):

** If the newbie has ignored the recommendation of building
debian packets from source with fakeroot debian/rules binary, then s/he
is already taking superuser risks, and we can't do much to help him/her;

** Introducing system-dangerous operations in fortran is possible, but unlikely
for someone just wishing to make a cosmology calculation;

** If the newbie modifies the -n 1 option, then s/he would see
the much more obvious --allow-run-as-root option and should learn
enough to realise that running as root is unlikely to be needed when
compiling/running the package as an ordinary user.

An alternative I see to enabling --allow-run-as-root would be e.g.

adduser --no-create-home --disabled-password mpgrafic
mpirun -n 1 ... ;
deluser mpgrafic

but that would unnecessarily require build dependence on adduser, and
creating/removing users is itself a security-related issue that
automated checkers (e.g. lintian) might (or should?) be concerned
about.

I'd like to rename mpgrafic-0.3.7.4 to 0.3.8 upstream, along with the
debian versions 0.3.7.4-1 and 0.3.8-1, but first it would be
good to hear some opinions on this.

tracker: https://tracker.debian.org/pkg/mpgrafic

Cheers
Boud