[gentoo-user] security
Hi,

Since I'm not familiar with Gentoo's practice in dealing with security problems I got curious about the following case. Yesterday a Secunia advisory [1] about pidgin was brought to my attention. The solution offered by the up-streams is upgrading to version 2.5.6, while the latest version in portage is "~2.5.5-r1".

As I see it, there are three possibilities:
1) even older, the version in Gentoo is not affected, because the maintainers had taken care of it (too optimistic?)
2) Gentoo installations are still vulnerable to the bugs described in the advisory and nobody knows about it (quite disturbing)
3) Gentoo maintainers are working on it, but still not ready

Which one is it?

[1] [SA35194] http://secunia.com/advisories/35194/

--
Best regards,
Daniel
[gentoo-user] Security
After recently reading about Windigo I am questioning how good my security is on my Gentoo box. I am only a desktop user with iptables and clamav installed and occasionally running chkrootkit.

Would you recommend any other forms of security (snort, selinux, hardened etc) that I should be using?

I may be a touch neurotic but would hate to think I have been infected!

--
John D Maunder
Re: [gentoo-user] security
Daniel Iliev wrote:
> Hi,
>
> Since I'm not familiar with Gentoo's practice in dealing with security problems I got curious about the following case. Yesterday a Secunia advisory [1] about pidgin was brought to my attention. The solution offered by the up-streams is upgrading to version 2.5.6, while the latest version in portage is "~2.5.5-r1".
>
> As I see it, there are three possibilities:
> 1) even older, the version in Gentoo is not affected, because the maintainers had taken care of it (too optimistic?)
> 2) Gentoo installations are still vulnerable to the bugs described in the advisory and nobody knows about it (quite disturbing)
> 3) Gentoo maintainers are working on it, but still not ready
>
> Which one is it?
>
> [1] [SA35194] http://secunia.com/advisories/35194/

It's in portage, sync your tree and check again. I just installed Pidgin 2.5.6 last night.
Re: [gentoo-user] security
Daniel Iliev wrote:
> Hi,
>
> Since I'm not familiar with Gentoo's practice in dealing with security problems I got curious about the following case. Yesterday a Secunia advisory [1] about pidgin was brought to my attention. The solution offered by the up-streams is upgrading to version 2.5.6, while the latest version in portage is "~2.5.5-r1".
>
> As I see it, there are three possibilities:
> 1) even older, the version in Gentoo is not affected, because the maintainers had taken care of it (too optimistic?)
> 2) Gentoo installations are still vulnerable to the bugs described in the advisory and nobody knows about it (quite disturbing)
> 3) Gentoo maintainers are working on it, but still not ready
>
> Which one is it?
>
> [1] [SA35194] http://secunia.com/advisories/35194/

file a bug at b.g.o.
Re: [gentoo-user] security
Daniel Iliev wrote:
> Hi,
>
> Since I'm not familiar with Gentoo's practice in dealing with security problems I got curious about the following case. Yesterday a Secunia advisory [1] about pidgin was brought to my attention. The solution offered by the up-streams is upgrading to version 2.5.6, while the latest version in portage is "~2.5.5-r1".
>
> As I see it, there are three possibilities:
> 1) even older, the version in Gentoo is not affected, because the maintainers had taken care of it (too optimistic?)
> 2) Gentoo installations are still vulnerable to the bugs described in the advisory and nobody knows about it (quite disturbing)
> 3) Gentoo maintainers are working on it, but still not ready
>
> Which one is it?
>
> [1] [SA35194] http://secunia.com/advisories/35194/

https://bugs.gentoo.org/show_bug.cgi?id=270811
Re: [gentoo-user] security
On Sat, 23 May 2009 09:23:27 -0400 Saphirus Sage wrote:
> Daniel Iliev wrote:
> > Hi,
> >
> > Since I'm not familiar with Gentoo's practice in dealing with security problems I got curious about the following case. Yesterday a Secunia advisory [1] about pidgin was brought to my attention. The solution offered by the up-streams is upgrading to version 2.5.6, while the latest version in portage is "~2.5.5-r1".
> >
> > As I see it, there are three possibilities:
> > 1) even older, the version in Gentoo is not affected, because the maintainers had taken care of it (too optimistic?)
> > 2) Gentoo installations are still vulnerable to the bugs described in the advisory and nobody knows about it (quite disturbing)
> > 3) Gentoo maintainers are working on it, but still not ready
> >
> > Which one is it?
> >
> > [1] [SA35194] http://secunia.com/advisories/35194/
>
> It's in portage, sync your tree and check again. I just installed Pidgin 2.5.6 last night.

I guess the mirror I'm using is not up-to-date and they will get a report about it,

Thanks!

--
Best regards,
Daniel
Re: [gentoo-user] security
Daniel Iliev wrote:
> On Sat, 23 May 2009 09:23:27 -0400 Saphirus Sage wrote:
>
>> Daniel Iliev wrote:
>>
>>> Hi,
>>>
>>> Since I'm not familiar with Gentoo's practice in dealing with security problems I got curious about the following case. Yesterday a Secunia advisory [1] about pidgin was brought to my attention. The solution offered by the up-streams is upgrading to version 2.5.6, while the latest version in portage is "~2.5.5-r1".
>>>
>>> As I see it, there are three possibilities:
>>> 1) even older, the version in Gentoo is not affected, because the maintainers had taken care of it (too optimistic?)
>>> 2) Gentoo installations are still vulnerable to the bugs described in the advisory and nobody knows about it (quite disturbing)
>>> 3) Gentoo maintainers are working on it, but still not ready
>>>
>>> Which one is it?
>>>
>>> [1] [SA35194] http://secunia.com/advisories/35194/
>>
>> It's in portage, sync your tree and check again. I just installed Pidgin 2.5.6 last night.
>
> I guess the mirror I'm using is not up-to-date and they will get a report about it,
>
> Thanks!

I sync from rsync://rsync21.us.gentoo.org/gentoo-portage primarily due to the fact that it's an unlimited-sync server.
Re: [gentoo-user] security
On Sat, 23 May 2009 09:37:05 -0400 Saphirus Sage wrote:
> > I guess the mirror I'm using is not up-to-date and they will get a report about it,
> >
> > Thanks!
>
> I sync from rsync://rsync21.us.gentoo.org/gentoo-portage primarily due to the fact that it's an unlimited-sync server.

Re-syncing fixed it. I guess I've managed to hit the time just before the mirror was updated.

--
Best regards,
Daniel
Re: [gentoo-user] security
On Saturday 23 May 2009, Daniel Iliev wrote:
> Hi,
>
> Since I'm not familiar with Gentoo's practice in dealing with security problems I got curious about the following case. Yesterday a Secunia advisory [1] about pidgin was brought to my attention. The solution offered by the up-streams is upgrading to version 2.5.6, while the latest version in portage is "~2.5.5-r1".
>
> As I see it, there are three possibilities:
> 1) even older, the version in Gentoo is not affected, because the maintainers had taken care of it (too optimistic?)
> 2) Gentoo installations are still vulnerable to the bugs described in the advisory and nobody knows about it (quite disturbing)
> 3) Gentoo maintainers are working on it, but still not ready
>
> Which one is it?
>
> [1] [SA35194] http://secunia.com/advisories/35194/

subscribe to gentoo-announce
read changelogs
don't forget that it takes a while until all mirrors have that change.
[gentoo-user] security issues
With the basic install of gentoo 2.6.12-r9 behind me (forget splash - it's not worth the headaches right now, and I need more research to find a good backup solution), I read through the gentoo security doc. There's a world of stuff here!

I have a laptop that I'm intending to use for web development (the geek side) and also for business tasks (the end user side). I'm wondering how much / how little of the security measures mentioned in the gentoo security doc I really need? Or, should I move on to the desktop environment first, and then come back and tighten down the system?

Thanks for the input - as always, greatly appreciated.

John D
Re: [gentoo-user] Security
I'm not a professional, but I'd say that running as few services as possible contributes to the overall security by reducing the attack vectors (and Gentoo helps with that by not having that much by default). I usually opt only for ssh and use certificates rather than passwords...

On Thu, 2014-03-20 at 22:06 +, john wrote:
> After recently reading about Windigo I am questioning how good my security is on my Gentoo box. I am only a desktop user with iptables and clamav installed and occasionally running chkrootkit.
>
> Would you recommend any other forms of security (snort, selinux, hardened etc) that I should be using?
>
> I may be a touch neurotic but would hate to think I have been infected!
Re: [gentoo-user] Security
On 21/03/14 17:44, Ján Zahornadský wrote:

Indeed, the smaller the surface area, the smaller the target (the fewer things running, the fewer things can be exploited).

For an average desktop environment, doing what you're already doing, I think, would be reasonably sufficient - provided it's mixed with a little common sense (don't grant root privileges to things that don't need them; don't use passwords like 'MyPassword'; that sort of thing). Having a personal firewall is already probably more than many (albeit non-linux) users do (at least of their own accord).

If you wanted to go a little further, you could have a look at `qcheck` (app-portage/portage-utils) or even app-admin/tripwire; maybe set up a few cron jobs that mail root with warnings or something. Otherwise, making sure you don't enable unnecessary services and keeping on top of your firewall, log checks and chkrootkit'ing should be sufficient.

If you *do* want to go the whole hog, while I'm no expert on it, using a desktop environment under the hardened profile can provide some challenges, but is indeed doable. Personally I'm currently running thunderbird-bin in a kde environment on a custom hardened/kde profile that I kludged together (this is Gentoo, after all)!

Ultimately, it's up to you what you feel is appropriate for what your expected usage and risk level is.

For reference: https://wiki.gentoo.org/wiki/Project:Hardened

Cheers;
--
wraeth
Re: [gentoo-user] Security
140320 john wrote:
> After recently reading about Windigo,
> I am questioning how good my security is on my Gentoo box.
> I am only a desktop user with iptables and clamav installed
> and occasionally running chkrootkit.
> Would you recommend any other forms of security
> -- snort, selinux, hardened etc -- that I should be using?
> I may be a touch neurotic but would hate to think I have been infected!

Others mb able to offer more professional advice, but as a desktop user of Gentoo for > 10 yr , I'ld say don't worry.

I read the Windigo PDF (via LWN) & saw no explanation of any weakness in the Linux software : it's very long on all the bad things which can happen, esp to M$ Windows systems, if a server or network gets infected, but it looked as if the only way that could happen on a Linux box wb if someone finds out its root password, ie sysadmin carelessness.

HTH

--
,, SUPPORT ___//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT`-O--O---' purslowatchassdotutorontodotca
[gentoo-user] Security of ciphers.
I've been reading this thread in the archives, on loop-aes and then the security of AES. I hate to jump on the bandwagon, so before I do, I will state that I *am* a crypto-expert, and have worked for several government entities in the US. I am not at liberty to tell you which ones.

Mr. Walters: It is not all that easy to crack a *secure* key with the AES-256 cipher. This holds true, even with networks of super-computers. Just how many of them do you think the NSA (you named it), has to spare for things like that? Parallel and distributed computing does not help much with AES, since it is a CBC cipher algorithm (look it up).

I think you need to do some research on the subject you say you're majoring in, before you post on the topic, Mr. Walters.

Jase
[gentoo-user] security policy/externel disk
Hi,

I don't know what exactly happened, but when I plug on my external disk I receive the following message (KDE):

| A security policy in place prevents this sender from sending this message to
| this recipient, see message bus configuration file (rejected message had
| interface "org.freedesktop.Hal.Device.Volume" member "Mount" error
| name "(unset)" destination "org.freedesktop.Hal")

# tail -n 20 /var/log/kern.log
Mar 14 08:30:56 zipo usb 1-7: new high speed USB device using ehci_hcd and address 9
Mar 14 08:30:57 zipo usb 1-7: configuration #1 chosen from 1 choice
Mar 14 08:30:57 zipo scsi4 : SCSI emulation for USB Mass Storage devices
Mar 14 08:30:57 zipo usb-storage: device found at 9
Mar 14 08:30:57 zipo usb-storage: waiting for device to settle before scanning
Mar 14 08:31:02 zipo scsi 4:0:0:0: Direct-Access IC35L120 AVVA07-0 VA6O PQ: 0 ANSI: 0
Mar 14 08:31:02 zipo SCSI device sda: 241254721 512-byte hdwr sectors (123522 MB)
Mar 14 08:31:02 zipo sda: Write Protect is off
Mar 14 08:31:02 zipo sda: Mode Sense: 03 00 00 00
Mar 14 08:31:02 zipo sda: assuming drive cache: write through
Mar 14 08:31:02 zipo SCSI device sda: 241254721 512-byte hdwr sectors (123522 MB)
Mar 14 08:31:02 zipo sda: Write Protect is off
Mar 14 08:31:02 zipo sda: Mode Sense: 03 00 00 00
Mar 14 08:31:02 zipo sda: assuming drive cache: write through
Mar 14 08:31:02 zipo sda: sda1
Mar 14 08:31:02 zipo sd 4:0:0:0: Attached scsi disk sda
Mar 14 08:31:02 zipo sd 4:0:0:0: Attached scsi generic sg0 type 0
Mar 14 08:31:02 zipo usb-storage: device scan complete
Mar 14 08:31:02 zipo sda: Current: sense key=0x0
Mar 14 08:31:02 zipo ASC=0x0 ASCQ=0x0

I can not use this disk (normally /media/disk). Can anybody give me clue what to do and how to track down this problem?

--
Cheers,
Oliver
[gentoo-user] [Security] Update bash *NOW*
Slashdot article http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash
Story at http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650

Summary... bash scripts, CGI, perl via "system()", and various other "commands" invoke a bash shell at times, passing environmental variables in the process. Problem is that an "environmental variable" ***CAN CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW SHELL***. E.g. execute the command...

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

...and you get the following...

vulnerable
this is a test

Replace...

x='() { :;}; echo vulnerable'

...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same "env" command results in...

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
[gentoo-user] Security Onion on Gentoo
Hello,

So net-analyzer/suricata is all the rage now. The 'Security Onion' is often pitched as a suricata distro. [1] Many of the commonly listed packages that are part of the security onion are already in gentoo.

So, are there suricata users on gentoo-user? If so, do you use any of the key listed software found on the security onion, as part of your IDS/NDS/etc security toolset?

Would anyone be interested in combining these software components found on the security onion onto gentoo? [2]

[2] https://securityonion.net/
[1] https://oisf.net/suricata/
[3] http://pevma.blogspot.com/search/label/Suricata
[gentoo-user] Security Updates and Portage Trees
Hi all,

I don't know if this would be considered a newbie question or not. I haven't really seen it asked, and I haven't been able to find any documentation that clearly states this, so I thought I would ask here.

Why is the "--oneshot" option specified in the GLSA advisories? And how does that affect the different package groups (trees) in portage?

If I update firefox with the --oneshot option, I know that it won't update the "world" tree, but why? Why is that the recommended procedure? Does that give me any benefit? Also, why would a package be available as a "--oneshot" and NOT through a normal "emerge -Dupv world"?

I love how portage unifies the packaging system, and I feel like if I run all of these "--oneshot" updates for security fixes, that I'll have all of these "stray" programs running around on my system, that won't get updated next time I emerge "world".

Can someone maybe shed a little light for me?

Thanks.

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40 9795 2D81 924A 6996 0993
[gentoo-user] Security from non-authorized logins
I helped a friend install Ubuntu GNU/Linux on his laptop, he left town, forgot his passwords, and I promised to break in for him, so he can re-do his passwords. Told him all I have to do is run Knoppix, access his partition, and delete the little x in the password file. Then he would reset his root password and be back in business.

He felt betrayed. I understand why, I think: what's secure about GNU/Linux if anyone can boot the system and reset his passwords? I said, Dunno. I'll ask on the Gentoo list.

How can anyone easily avoid the problem of anyone being able to access the guts of his machine using a live CD?

I already thought of one: use the BIOS to disallow booting from a CD or Floppy, and set a password on the BIOS. Don't know whether all BIOSes will allow this, and anyway, isn't it possible on a lot of motherboards to short out the EPROM and thus reset the password of the BIOS? Of course, if he would forget his password he would lose all his data.

Oh, well, does anyone have anything to suggest or to say about this?

Alan Davis
Re: [gentoo-user] security policy/externel disk
Hello !

You must add yourself to group plugdev to be able to automount external devices. Run as root : "gpasswd -a [username] plugdev" and close and reopen your KDE session.

Regards.

--
Xavier Parizet

On Wed, March 14, 2007 08:46, Oliver VeÃÂernik wrote:
> Hi,
>
> I don't know what exactly happened, but when I plug on my external disk I receive the following message (KDE):
>
> | A security policy in place prevents this sender from sending this message to
> | this recipient, see message bus configuration file (rejected message had
> | interface "org.freedesktop.Hal.Device.Volume" member "Mount" error
> | name "(unset)" destination "org.freedesktop.Hal")
>
> # tail -n 20 /var/log/kern.log
> Mar 14 08:30:56 zipo usb 1-7: new high speed USB device using ehci_hcd and address 9
> Mar 14 08:30:57 zipo usb 1-7: configuration #1 chosen from 1 choice
> Mar 14 08:30:57 zipo scsi4 : SCSI emulation for USB Mass Storage devices
> Mar 14 08:30:57 zipo usb-storage: device found at 9
> Mar 14 08:30:57 zipo usb-storage: waiting for device to settle before scanning
> Mar 14 08:31:02 zipo scsi 4:0:0:0: Direct-Access IC35L120 AVVA07-0 VA6O PQ: 0 ANSI: 0
> Mar 14 08:31:02 zipo SCSI device sda: 241254721 512-byte hdwr sectors (123522 MB)
> Mar 14 08:31:02 zipo sda: Write Protect is off
> Mar 14 08:31:02 zipo sda: Mode Sense: 03 00 00 00
> Mar 14 08:31:02 zipo sda: assuming drive cache: write through
> Mar 14 08:31:02 zipo SCSI device sda: 241254721 512-byte hdwr sectors (123522 MB)
> Mar 14 08:31:02 zipo sda: Write Protect is off
> Mar 14 08:31:02 zipo sda: Mode Sense: 03 00 00 00
> Mar 14 08:31:02 zipo sda: assuming drive cache: write through
> Mar 14 08:31:02 zipo sda: sda1
> Mar 14 08:31:02 zipo sd 4:0:0:0: Attached scsi disk sda
> Mar 14 08:31:02 zipo sd 4:0:0:0: Attached scsi generic sg0 type 0
> Mar 14 08:31:02 zipo usb-storage: device scan complete
> Mar 14 08:31:02 zipo sda: Current: sense key=0x0
> Mar 14 08:31:02 zipo ASC=0x0 ASCQ=0x0
>
> I can not use this disk (normally /media/disk). Can anybody give me clue what to do and how to track down this this problem?
>
> --
> Cheers,
> Oliver
Re: [gentoo-user] [Security] Update bash *NOW*
On 25/09/2014 02:58, Walter Dnes wrote:

[snip]

> ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same "env" command results in...

Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed. For further details:

https://bugs.gentoo.org/show_bug.cgi?id=523592

--Kerin
Re: [gentoo-user] [Security] Update bash *NOW*
On 25/09/2014 13:54, Kerin Millar wrote:
> On 25/09/2014 02:58, Walter Dnes wrote:
>
> [snip]
>
> > ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same "env" command results in...
>
> Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed. For further details:
>
> https://bugs.gentoo.org/show_bug.cgi?id=523592

Oops. Obviously, I meant to write "did not fully address the problem".

--Kerin
Re: [gentoo-user] [Security] Update bash *NOW*
Kerin Millar wrote:
> On 25/09/2014 02:58, Walter Dnes wrote:
>
> [snip]
>
> > ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same "env" command results in...
>
> Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed. For further details:
>
> https://bugs.gentoo.org/show_bug.cgi?id=523592

I cannot update to that, it's not in the tree as of last night.

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?
John Covici
cov...@ccs.covici.com
Re: [gentoo-user] [Security] Update bash *NOW*
On 2014-09-25 16:02, cov...@ccs.covici.com wrote:
> Kerin Millar wrote:
> > On 25/09/2014 02:58, Walter Dnes wrote:
> >
> > [snip]
> >
> > > ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same "env" command results in...
> >
> > Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed. For further details:
> >
> > https://bugs.gentoo.org/show_bug.cgi?id=523592
>
> I cannot update to that, it's not in the tree as of last night.

Try to rsync from some other mirror.
Re: [gentoo-user] [Security] Update bash *NOW*
On Thu, Sep 25, 2014 at 01:54:10PM +0100, Kerin Millar wrote
> On 25/09/2014 02:58, Walter Dnes wrote:
>
> [snip]
>
> > ...with malicious stuff, and it could get ugly. app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same "env" command results in...
>
> Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed. For further details:
>
> https://bugs.gentoo.org/show_bug.cgi?id=523592
>
> --Kerin

OK, I've got app-shells/bash-4.2_p48-r1 installed now.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
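
The "env" test quoted in this thread, wrapped as an added example (not part of any post and not Gentoo tooling): it runs the check against every bash binary listed in /etc/shells, classifies the two outputs Walter Dnes posted, and flags 4.2_p48, which Kerin Millar's follow-up reports as not fully fixed even though it blocks the test. The function names and the use of qlist (app-portage/portage-utils) to read the installed version are assumptions.

```sh
#!/bin/sh
# Added example: make the CVE-2014-6271 function-import test from this
# thread scriptable. A blocked test is necessary, not sufficient.

# Version the thread reports as blocking the test while not fully fixed.
INCOMPLETE_FIX="4.2_p48"

# classify_output: read the test's combined stdout+stderr on stdin, print
#   vulnerable    the injected "echo vulnerable" ran
#   test-blocked  only the legitimate command ran
#   inconclusive  neither expected line was seen
classify_output() {
    co_out=$(cat)
    if printf '%s\n' "$co_out" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$co_out" | grep -qx 'this is a test'; then
        echo test-blocked
    else
        echo inconclusive
    fi
}

# check_bash PATH: run the thread's test command against one binary.
check_bash() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>&1 \
        | classify_output
}

# verdict VERSION RESULT: combine the test result with the package version,
# so a host on 4.2_p48 is not reported as done.
verdict() {
    case "$2" in
        vulnerable)
            echo "VULNERABLE: upgrade bash" ;;
        test-blocked)
            if [ "$1" = "$INCOMPLETE_FIX" ]; then
                echo "INCOMPLETE: $1 blocks the test, upgrade to $1-r1"
            else
                echo "OK: test blocked"
            fi ;;
        *)
            echo "UNKNOWN: check manually" ;;
    esac
}

# list_bash_binaries [FILE]: paths in a shells file whose basename is bash.
list_bash_binaries() {
    lb_file=${1:-/etc/shells}
    [ -r "$lb_file" ] || return 0
    grep -v '^[[:space:]]*#' "$lb_file" | grep -E '(^|/)bash$' || true
}

# scan_system: check every candidate bash on this host.
scan_system() {
    ss_ver=""
    # Assumption: qlist -Iv prints "app-shells/bash-<version>" on Gentoo.
    if command -v qlist >/dev/null 2>&1; then
        ss_ver=$(qlist -Iv app-shells/bash 2>/dev/null \
            | sed -n '1s|^app-shells/bash-||p')
    fi
    [ -n "$ss_ver" ] || ss_ver=unknown
    for ss_bin in $( { list_bash_binaries
                       command -v bash 2>/dev/null || true; } | sort -u ); do
        printf '%s (%s): %s\n' "$ss_bin" "$ss_ver" \
            "$(verdict "$ss_ver" "$(check_bash "$ss_bin")")"
    done
}

scan_system
```
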
Re: [gentoo-user] Security Updates and Portage Trees
On Monday 19 September 2005 13:16, gentuxx wrote:
> If I update firefox with the --oneshot option, I know that it won't update the "world" tree, but why? Why is that the recommended procedure? Does that give me any benefit? Also, why would a package be available as a "--oneshot" and NOT through a normal "emerge -Dupv world"?

The package would be available through -Dupv as well, but not everybody likes to update all packages (especially on servers).

> I love how portage unifies the packaging system, and I feel like if I run all of these "--oneshot" updates for security fixes, that I'll have all of these "stray" programs running around on my system, that won't get updated next time I emerge "world".

--oneshot won't remove the package from world. It just prevents it from being added. If the package is installed but not in world, it is presumably there as a dependency from another package. Hence, updating world will still grab the package. Using --oneshot just keeps the world file clean.

--
Jason Stubbs
Re: [gentoo-user] Security Updates and Portage Trees
Jason Stubbs wrote:

>On Monday 19 September 2005 13:16, gentuxx wrote:
>
>>If I update firefox with the --oneshot option, I know that it won't update the "world" tree, but why? Why is that the recommended procedure? Does that give me any benefit? Also, why would a package be available as a "--oneshot" and NOT through a normal "emerge -Dupv world"?
>
>The package would be available through -Dupv as well, but not everybody likes to update all packages (especially on servers).

Granted. And while I run a server (a few actually), it's a home system, not a production one. And, since I run production gentoo systems, I understand the difference. For this, I'm asking from the perspective of a home user.

So, that being said, does updating a package for a security fix using the "--oneshot" option update the same package that is "housed" in the "world" tree? If so, can I assume that the same package will be updated next time I update "world"? Meaning, if I run "--oneshot" for mozilla-firefox-1.0.6-r7 and mozilla-firefox-1.0.7-r1 comes out, will 1.0.6-r7 be upgraded to 1.0.7-r1?

>>I love how portage unifies the packaging system, and I feel like if I run all of these "--oneshot" updates for security fixes, that I'll have all of these "stray" programs running around on my system, that won't get updated next time I emerge "world".
>
>--oneshot won't remove the package from world. It just prevents it from being added. If the package is installed but not in world, it is presumably there as a dependency from another package. Hence, updating world will still grab the package. Using --oneshot just keeps the world file clean.

So what exactly does that mean if the package is already in "world"? If every security fix comes out with "--oneshot" being recommended, how do I know if it's a dependency of a package in world, or an entity in world? (This seems like an extension of the questioning above.)

I'm just trying to set all this straight mentally, so I know what's going on with my system when I update it. I typically run the following to update my system 2 or 3 times a week (sometimes only once):

emerge -Du(p)v world
emerge -(p)v depclean
revdep-rebuild -(p)v
dispatch-conf

I put the "p" for "--pretend" in parentheses because depending on the output of that step, I may skip it if there is nothing to do.

Also, for the most recent firefox update, I would run the command as recommended with the "-p" flag, and it would see the package. If I run "emerge -Dupv mozilla-firefox" I only get a few of the (supposed) dependencies, and not the package itself, while the package installed (when I do "emerge search mozilla-firefox") is 1.0.6-r5.

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40 9795 2D81 924A 6996 0993
Re: [gentoo-user] Security Updates and Portage Trees
On Monday 19 September 2005 15:00, gentuxx wrote:
> does updating a package for a security fix using the "--oneshot" option update the same package that is "housed" in the "world" tree?

There is no world "tree". There is only a "list". --oneshot has no effect on this list.

> If so, can I assume that the same package will be updated next time I update "world"? Meaning, if I run "--oneshot" for mozilla-firefox-1.0.6-r7 and mozilla-firefox-1.0.7-r1 comes out, will 1.0.6-r7 be upgraded to 1.0.7-r1?

If it was in the world list prior to you running --oneshot, it'll still be in the world list afterward. Hence, it will be updated with world.

> If every security fix comes out with "--oneshot" being recommended, how do I know if it's a dependency of a package in world, or an entity in world? (This seems like an extension of the questioning above.)

What does it matter in the context of a security update?

> Also, for the most recent firefox update, I would run the command as recommended with the "-p" flag, and it would see the package. If I run "emerge -Dupv mozilla-firefox" I only get a few of the (supposed) dependencies, and not the package itself, while the package installed (when I do "emerge search mozilla-firefox") is 1.0.6-r5.

If that is the case then 1.0.6-r5 is the latest version available for you with respect to your current snapshot of the tree.

--
Jason Stubbs
Re: [gentoo-user] Security Updates and Portage Trees
Jason Stubbs wrote:

>On Monday 19 September 2005 15:00, gentuxx wrote:
>
>>does updating a package for a security fix using the "--oneshot" option update the same package that is "housed" in the "world" tree?
>
>There is no world "tree". There is only a "list". --oneshot has no effect on this list.
>
>>If so, can I assume that the same package will be updated next time I update "world"? Meaning, if I run "--oneshot" for mozilla-firefox-1.0.6-r7 and mozilla-firefox-1.0.7-r1 comes out, will 1.0.6-r7 be upgraded to 1.0.7-r1?
>
>If it was in the world list prior to you running --oneshot, it'll still be in the world list afterward. Hence, it will be updated with world.
>
>>If every security fix comes out with "--oneshot" being recommended, how do I know if it's a dependency of a package in world, or an entity in world? (This seems like an extension of the questioning above.)
>
>What does it matter in the context of a security update?

Well, I'm trying to see if I can get a better understanding of how it all fits together. But, I want to make sure that I don't have 2 packages running around on the system (1 patched, and 1 NOT patched).

>>Also, for the most recent firefox update, I would run the command as recommended with the "-p" flag, and it would see the package. If I run "emerge -Dupv mozilla-firefox" I only get a few of the (supposed) dependencies, and not the package itself, while the package installed (when I do "emerge search mozilla-firefox") is 1.0.6-r5.
>
>If that is the case then 1.0.6-r5 is the latest version available for you with respect to your current snapshot of the tree.

Well, I did an "emerge sync" right before issuing the command above. I would think that if the updated package is available for "--oneshot", it would be available when I run "emerge -Du(p)v world". But that didn't seem to be the case.

Again, I'm just trying to understand how this all fits together. Thanks.

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40 9795 2D81 924A 6996 0993
Re: [gentoo-user] Security Updates and Portage Trees
On Tuesday 20 September 2005 01:12, gentuxx wrote:

>>> If every security fix comes out with "--oneshot" being recommended,
>>> how do I know if it's a dependency of a package in world, or an entity
>>> in world? (This seems like an extension of the questioning above.)
>>
>> What does it matter in the context of a security update?
>
> Well, I'm trying to see if I can get a better understanding of how it
> all fits together. But, I want to make sure that I don't have 2
> packages running around on the system (1 patched, and 1 NOT patched).

A version of a package can only be installed once. --oneshot does not change any behaviour in this regard. All it changes is whether the package is added to (or confirmed to be already in) the world list or not.

>>> Also, for the most recent firefox update, I would run the command as
>>> recommended with the "-p" flag, and it would see the package. If I
>>> run "emerge -Dupv mozilla-firefox" I only get a few of the (supposed)
>>> dependencies, and not the package itself, while the package installed
>>> (when I do "emerge search mozilla-firefox") is 1.0.6-r5.
>>
>> If that is the case then 1.0.6-r5 is the latest version available for
>> you with respect to your current snapshot of the tree.
>
> Well, I did an "emerge sync" right before issuing the command above.
> I would think that if the updated package is available for
> "--oneshot", it would be available when I run "emerge -Du(p)v world".
> But that didn't seem to be the case.

--oneshot does not prevent the installation of a package that has not been installed already. If --oneshot shows the package as new, there's no reason to install it. If it shows it as an upgrade, your world file must be incomplete. Take a look at /var/lib/portage/world and check the output of `emerge -p depclean` to be sure.

--
Jason Stubbs
Re: [gentoo-user] Security Updates and Portage Trees
One point I have never seen mentioned is *why* would you *not* want a package in the world file - especially if you want it to be managed by the system?

BillK

On Tue, 2005-09-20 at 09:07 +0900, Jason Stubbs wrote:
> On Tuesday 20 September 2005 01:12, gentuxx wrote:
> > >>If every security fix comes out with "--oneshot" being recommended,
Re: [gentoo-user] Security Updates and Portage Trees
W.Kenworthy wrote:

> One point I have never seen mentioned is *why* would you *not* want a
> package in the world file - especially if you want it to be managed by
> the system?
>
> BillK

I guess maybe that's part of what I'm getting at. ;-)

> On Tue, 2005-09-20 at 09:07 +0900, Jason Stubbs wrote:
>
>> On Tuesday 20 September 2005 01:12, gentuxx wrote:
>>> If every security fix comes out with "--oneshot" being recommended,

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40 9795 2D81 924A 6996 0993
Re: [gentoo-user] Security Updates and Portage Trees
On Tue, 20 Sep 2005 09:04:02 +0800, W.Kenworthy wrote:

> One point I have never seen mentioned is *why* would you *not* want a
> package in the world file - especially if you want it to be managed by
> the system?

The world file is for packages you have explicitly installed for yourself, not their dependencies. If you put every package in world, emerge will no longer be able to clean out dependencies that are no longer needed.

For example, I have a package installed that used to depend on id3lib, but the authors switched over to libid3tag for the latest version, so an upgrade pulled in that package and id3lib is no longer required. Because it is not in world, my next emerge depclean will remove it, provided nothing else needs it. If it had been in world, it would have stayed on my system forever, despite being totally unnecessary.

--
Neil Bothwick

Everything should be made as simple as possible, but no simpler.
Re: [gentoo-user] Security Updates and Portage Trees
On 9/20/05, Neil Bothwick <[EMAIL PROTECTED]> wrote:

> On Tue, 20 Sep 2005 09:04:02 +0800, W.Kenworthy wrote:
> > One point I have never seen mentioned is *why* would you *not* want a
> > package in the world file - especially if you want it to be managed by
> > the system?
>
> The world file is for packages you have explicitly installed for
> yourself, not their dependencies. If you put every package in world,
> emerge will no longer be able to clean out dependencies that are no
> longer needed.
>
> For example, I have a package installed that used to depend on id3lib, but
> the authors switched over to libid3tag for the latest version, so an
> upgrade pulled in that package and id3lib is no longer required. Because
> it is not in world, my next emerge depclean will remove it, provided
> nothing else needs it. If it had been in world, it would have stayed on
> my system forever, despite being totally unnecessary.

Since you've touched that detail, here is what I have:

- I run emerge -pv depclean and I get a list where I find these:

    >>> These are the packages that I would unmerge:

    media-libs/libmpeg3
        selected: 1.5.2
        protected: none
        omitted: none

    x11-plugins/e_modules
        selected:
        protected: none
        omitted: none

    media-libs/win32codecs
        selected: 20050216
        protected: none
        omitted: none

    x11-wm/e
        selected:
        protected: none
        omitted: none

and so on..

So, I have two problems:

1) I'm using E(nlightenment) from cvs, and I don't have it (my option) in my world file. Therefore it's understandable why emerge wants to clean it. So, what can I do to be able to use depclean and not lose E? Adding all E-related packages to world would be a solution, but is there any other?

2) win32codecs was marked to be cleaned. Why?

    # equery d win32codecs
    [ Searching for packages depending on win32codecs... ]
    media-libs/xine-lib-1.0.1-r3
    media-video/avifile-0.7.41.20041001-r1
    media-video/mplayer-1.0_pre7-r1

This shows me that 3 other apps depend on win32codecs (or am I getting it wrong?). So I assume I shouldn't clean this otherwise I'll have problems next time I run mplayer, right?

Also,

    # equery d libmpeg3
    [ Searching for packages depending on libmpeg3... ]
    app-misc/evidence-

takes me back to 1). How can I ensure that dependencies of packages that are not in world file are not erased?

Cheers,
Fernando
Re: [gentoo-user] Security Updates and Portage Trees
On Tue, Sep 20, 2005 at 01:50:28PM +0200, Fernando Meira wrote: > 2) win32codecs was marked to be clean. why? > # equery d win32codecs > [ Searching for packages depending on win32codecs... ] > media-libs/xine-lib-1.0.1-r3 > media-video/avifile-0.7.41.20041001-r1 > media-video/mplayer-1.0_pre7-r1 Do you have set the win32codecs useflag? W
Re: [gentoo-user] Security Updates and Portage Trees
On Tue, 20 Sep 2005 13:50:28 +0200, Fernando Meira wrote:

> - I run emerge -pv depclean and I get a list where I find these:
> >>> These are the packages that I would unmerge:
>
> media-libs/libmpeg3
> selected: 1.5.2
> protected: none
> omitted: none
>
> x11-plugins/e_modules
> selected:
> protected: none
> omitted: none
>
> media-libs/win32codecs
> selected: 20050216
> protected: none
> omitted: none
>
> x11-wm/e
> selected:
> protected: none
> omitted: none

> So, I have two problems:
> 1) I'm using E(nlightenment) from cvs, and I don't have it (my option)
> in my world file. Therefore it's understandable why emerge wants to
> clean it. So, what can I do to be able to use depclean and not loose E.
> Adding all E-related packages to world would be a solution, but there's
> any other?

If you installed it with portage, you should have it in world.

> 2) win32codecs was marked to be clean. why?
> # equery d win32codecs
> [ Searching for packages depending on win32codecs... ]
> media-libs/xine-lib-1.0.1-r3
> media-video/avifile-0.7.41.20041001-r1
> media-video/mplayer-1.0_pre7-r1

Do you have the win32codecs USE flag set? Have you changed it recently? Did you do "emerge -uavDN world" before depclean? If you didn't, your current USE flags may be out of sync with what the packages were actually merged with.

> # equery d libmpeg3
> [ Searching for packages depending on libmpeg3... ]
> app-misc/evidence-

What are these versions? Are they CVS installs, or packages installed outside of portage and injected, or added to /etc/portage/profile/package.provided?

--
Neil Bothwick

I only shoot IBM's to put them out of their misery.
Re: [gentoo-user] Security Updates and Portage Trees
Neil Bothwick wrote:

> On Tue, 20 Sep 2005 13:50:28 +0200, Fernando Meira wrote:
>
>> # equery d libmpeg3 [ Searching for packages depending on
>> libmpeg3... ] app-misc/evidence-
>
> What are these versions? Are they CVS installs, or packages
> installed outside of portage and injected, or added to
> /etc/portage/profile/package.provided?

Oooh, ooh, I know!!! The versions are Enlightenment 17 installs, from Portage, but utilizing E17 CVS. It's very complex; the packages have to be installed in a specific order for the whole thing to work (but E17 is pretty cool).

I tried E17 recently. I don't remember the name of the media player that perhaps has libmpeg3 as a dependency, but E17 has so much stuff

Holly
Re: [gentoo-user] Security Updates and Portage Trees
On 9/20/05, Neil Bothwick <[EMAIL PROTECTED]> wrote:

> On Tue, 20 Sep 2005 13:50:28 +0200, Fernando Meira wrote:
> > - I run emerge -pv depclean and I get a list where I find these:
> > >>> These are the packages that I would unmerge:
> >
> > media-libs/libmpeg3
> > selected: 1.5.2
> > protected: none
> > omitted: none
> >
> > x11-plugins/e_modules
> > selected:
> > protected: none
> > omitted: none
> >
> > media-libs/win32codecs
> > selected: 20050216
> > protected: none
> > omitted: none
> >
> > x11-wm/e
> > selected:
> > protected: none
> > omitted: none
>
> > So, I have two problems:
> > 1) I'm using E(nlightenment) from cvs, and I don't have it (my option)
> > in my world file. Therefore it's understandable why emerge wants to
> > clean it. So, what can I do to be able to use depclean and not loose E.
> > Adding all E-related packages to world would be a solution, but there's
> > any other?
>
> If you installed it with portage, you should have it in world.

I've installed with portage, but with the --oneshot option. This is because (as Holly said) E17 packages need to be installed in proper order. So I use a script to update E-related packages. I think if I would let portage update them something would get messed up...

So, in the end, can't I use depclean without adding these packages to world file?

> > 2) win32codecs was marked to be clean. why?
> > # equery d win32codecs
> > [ Searching for packages depending on win32codecs... ]
> > media-libs/xine-lib-1.0.1-r3
> > media-video/avifile-0.7.41.20041001-r1
> > media-video/mplayer-1.0_pre7-r1
>
> Do you have the win32codecs USE flag set? Have you changed it recently?
> Did you do "emerge -uavDN world" before depclean? If you didn't, your
> current USE flags may be out of sync with what the packages were actually
> merged with.

I don't have that flag set.. never had. Should I? And, first of all, why do I have win32codecs without having the flag? Was it a dependence of a prior version of mplayer?
Re: [gentoo-user] Security Updates and Portage Trees
On Wed, 21 Sep 2005 16:36:59 +0200, Fernando Meira wrote:

> > If you installed it with portage, you should have it in world.
>
> I've installed with portage, but with --oneshot option. This is because
> (as Holly said) E17 packages need to be installed in proper order. So I
> use a script to update E-related packages. I think if I would let
> portage update them something would get messed up...

So you lied to portage and now it's acting on the incorrect information you have given it :)

> So, in the end, can't I use depclean without adding these packages to
> world file?

Add them to world. As long as you don't do an automatic emerge -uD world you shouldn't have a problem. When updates come out, you'll see them in the output of emerge -pvD world (which you won't with your current setup) then you can merge them manually in the correct order before letting portage handle the rest of world.

> > Do you have the win32codecs USE flag set? Have you changed it
> > recently? Did you do "emerge -uavDN world" before depclean? If you
> > didn't, your current USE flags may be out of sync with what the
> > packages were actually merged with.
>
> I don't have that flag set.. never had. Should I? And, first of all,
> why do I have win32codecs without having the flag? Was it a dependence
> of a prior version of mplayer?

That's a possible explanation. The easy way to find out is to run

quickpkg win32codecs
emerge -C win32codecs
emerge world -uavDk

If it really is needed, the last command will re-emerge it.

I take it you have run "emerge -uavD --newuse world" before depclean?

--
Neil Bothwick

Top Oxymorons Number 22: Childproof
Re: [gentoo-user] Security Updates and Portage Trees
On 9/21/05, Neil Bothwick <[EMAIL PROTECTED]> wrote:

> On Wed, 21 Sep 2005 16:36:59 +0200, Fernando Meira wrote:
> > > If you installed it with portage, you should have it in world.
> >
> > I've installed with portage, but with --oneshot option. This is because
> > (as Holly said) E17 packages need to be installed in proper order. So I
> > use a script to update E-related packages. I think if I would let
> > portage update them something would get messed up...
>
> So you lied to portage and now it's acting on the incorrect information
> you have given it :)

Basically, yeah!

> > So, in the end, can't I use depclean without adding these packages to
> > world file?
>
> Add them to world. As long as you don't do an automatic emerge -uD
> world you shouldn't have a problem. When updates come out, you'll see
> them in the output of emerge -pvD world (which you won't with your
> current setup) then you can merge them manually in the correct order
> before letting portage handle the rest of world.

I might be wrong, but I have the idea that E-cvs packages are always updated during an emerge world. Therefore I can't control it by updating (manually) E-packages and then run emerge world. However, I'll check this next update.

With all that said, I assume that there's no way to manage my packages for update and depclean while keeping some of them out of world file... damn..

> > > Do you have the win32codecs USE flag set? Have you changed it
> > > recently? Did you do "emerge -uavDN world" before depclean? If you
> > > didn't, your current USE flags may be out of sync with what the
> > > packages were actually merged with.
> >
> > I don't have that flag set.. never had. Should I? And, first of all,
> > why do I have win32codecs without having the flag? Was it a dependence
> > of a prior version of mplayer?
>
> That's a possible explanation. the easy way to find out is to run
>
> quickpkg win32codecs
> emerge -C win32codecs
> emerge world -uavDk
>
> If it really is needed, the last command will re-emerge it.
>
> I take it you have run "emerge -uavD --newuse world" before depclean?

I think I'll just add the flag and add --newuse flag for next emerge world!

Thanks.
Re: [gentoo-user] Security Updates and Portage Trees
On Wed, 21 Sep 2005 23:03:53 +0200, Fernando Meira wrote:

> > Add them to world. As long as you don't do an automatic emerge -uD
> > world you shouldn't have a problem. When updates come out, you'll see
> > them in the output of emerge -pvD world (which you won't with your
> > current setup) then you can merge them manually in the correct order
> > before letting portage handle the rest of world.
>
> I might be wrong, but I have the idea that E-cvs packages are always
> updated during an emerge world.

Only if you run it without -p or -a. I never run emerge world without first checking exactly what it is going to do.

> Therefore I can't control it by
> updating (manually) E-packages and then run emerge world.

You can, just don't let emerge world run until you are happy with what it is going to do.

--
Neil Bothwick

Compatible: Gracefully accepts erroneous data from any source.
Re: [gentoo-user] Security Updates and Portage Trees
On 9/22/05, Neil Bothwick <[EMAIL PROTECTED]> wrote:

> On Wed, 21 Sep 2005 23:03:53 +0200, Fernando Meira wrote:
> > I might be wrong, but I have the idea that E-cvs packages are always
> > updated during an emerge world.
>
> Only if you run it without -p or -a. I never run emerge world without
> first checking exactly what it is going to do.

I was not meaning that, but instead that CVS packages were always updated in a emerge -u world. If I would update my world, a re-run would re-update those packages.

I added the whole list of packages to the world file and it seems that my idea was wrong. None of the E-CVS packages are getting updated. Which also means that I can "clean" my "depclean" functionality. :)
Re: [gentoo-user] Security from non-authorized logins
On Sun, Apr 16, 2006 at 09:54:33PM +1000, Penguin Lover Alan E. Davis squawked: > He felt betrayed. I understand why, I think: what's secure about > GNU/Linux if anyone can boot the system and reset his passwords? That is the same regardless of operating system. Physical access == no security. > How can anyone easily avoid the problem of anyone being able to access > the guts of his machine using a live CD? I already thought of one: > use the BIOS to disallow booting from a CD or Floppy, and set a > password on the BIOS. Don't know whether all BIOSes will allow this, > and anyway, isn't it possible on a lot of motherboards to short out > the EPROM and thus reset the password of the BIOS? You can also encrypt the contents of your hard drive. http://tldp.org/HOWTO/Disk-Encryption-HOWTO/ W -- Q: What's an anagram of "Banach-Tarski" ? A: "Banach-Tarski Banach-Tarski" Sortir en Pantoufles: up 155 days, 4:42 -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Security from non-authorized logins
On 4/16/06, Willie Wong <[EMAIL PROTECTED]> wrote: > On Sun, Apr 16, 2006 at 09:54:33PM +1000, Penguin Lover Alan E. Davis > squawked: > > He felt betrayed. I understand why, I think: what's secure about > > GNU/Linux if anyone can boot the system and reset his passwords? > > That is the same regardless of operating system. > Physical access == no security. > > > How can anyone easily avoid the problem of anyone being able to access > > the guts of his machine using a live CD? I already thought of one: > > use the BIOS to disallow booting from a CD or Floppy, and set a > > password on the BIOS. Don't know whether all BIOSes will allow this, > > and anyway, isn't it possible on a lot of motherboards to short out > > the EPROM and thus reset the password of the BIOS? > > You can also encrypt the contents of your hard drive. > http://tldp.org/HOWTO/Disk-Encryption-HOWTO/ But I can still get that hard drive and smash it to bits ;) Get a big dog. Tie him next to your PC. Seriously, if your friend can find an OS that can restrict access even if the attacker has physical access to the PC, then he should use that. Encryption is a good solution, even for backups. But it's a bit overboard for most users. -- Jed R. Mallen GPG key ID: 81E575A3 fp: 4E1E CBA5 7E6A 2F8B 8756 660A E54C 39D6 81E5 75A3 http://jed.sitesled.com -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Security from non-authorized logins
Alan E. Davis wrote:

> I helped a friend install Ubuntu GNU/Linux on his laptop, he left
> town, forgot his passwords, and I promised to breakin for him, so he
> can re-do his passwords. Told him all I have to do is run Knoppix,
> access his partition, and delete the little x in the password file.
> Then he would reset his root password in be back in business.
>
> He felt betrayed. I understand why, I think: what's secure about
> GNU/Linux if anyone can boot the system and reset his passwords?

That's NOT a Linux problem. If you've got physical access, you can easily break in (same for Windows, BTW).

> I said, Dunno. I'll ask on the Gentoo list.
>
> How can anyone easily avoid the problem of anyone being able to access
> the guts of his machine using a live CD?

Remove CD-Rom.
Put Computer in a solid box which cannot (easily) be opened, so that it's "impossible" to attach an external CD-Rom.

> I already thought of one:
> use the BIOS to disallow booting from a CD or Floppy, and set a
> password on the BIOS.

Most BIOS support either a "master password" or a way to reset a password (some pins on the motherboard).

> Don't know whether all BIOSes will allow this,
> and anyway, isn't it possible on a lot of motherboards to short out
> the EPROM and thus reset the password of the BIOS?

Yes.

Alexander Skwar
--
Hey Satan, didja hear the news? A war just broke out up on earth.
Meet Saddam Hussein, my new partner in evil.
Re: [gentoo-user] Security from non-authorized logins
Still, it would perhaps be somewhat comforting to be able to disable EASY access to a "mission critical" system. What about further disabling of access to /etc/passwd? Does SELinux take any such steps? (Ok, I could look into this by reading TFM. Apologies). Alan On 4/16/06, Alexander Skwar <[EMAIL PROTECTED]> wrote: > Alan E. Davis wrote: > > I helped a friend install Ubuntu GNU/Linux on his laptop, he left > > town, forgot his passwords, and I promised to breakin for him, so he > > can re-do his passwords. Told him all I have to do is run Knoppix, > > access his partition, and delete the little x in the password file. > > Then he would reset his root password in be back in business. > > > > He felt betrayed. I understand why, I think: what's secure about > > GNU/Linux if anyone can boot the system and reset his passwords? > > That's NOT a Linux problem. If you've got physical access, > you can easily break in (same for Windows, BTW). > > > I said, Dunno. I'll ask on the Gentoo list. > > > > How can anyone easily avoid the problem of anyone being able to access > > the guts of his machine using a live CD? > > Remove CD-Rom. > Put Computer in a solid box which cannot (easily) be opened, > so that it's "impossible" to attach an external CD-Rom. > > > I already thought of one: > > use the BIOS to disallow booting from a CD or Floppy, and set a > > password on the BIOS. > > Most BIOS support either a "master password" > or a way to reset a password (some pins on the > motherboard). > > > Don't know whether all BIOSes will allow this, > > and anyway, isn't it possible on a lot of motherboards to short out > > the EPROM and thus reset the password of the BIOS? > > Yes. > > Alexander Skwar > -- > Hey Satan, didja hear the news? A war just broke out up on earth. > > Meet Saddam Hussein, my new partner in evil. > -- > gentoo-user@gentoo.org mailing list > > -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Security from non-authorized logins
Alan E. Davis wrote:

> Still, it would perhaps be somewhat comforting to be able to disable
> EASY access to a "mission critical" system.

Put them in a server room. Make sure, that only trusted people have a key to that server room.

> What about further disabling of access to /etc/passwd? Does SELinux
> take any such steps?

Well, how does SElinux help, if a (non-SELinux) boot medium is used to access the system?

And what do you do, if you "forget" the password to your mission critical system? Where are the backdoors? Are the backdoors documented (they better be...)?

Alexander Skwar
--
Totally illogical, there was no chance.
-- Spock, "The Galileo Seven", stardate 2822.3
Re: [gentoo-user] Security from non-authorized logins
Hi,

Alan E. Davis wrote:
> Still, it would perhaps be somewhat comforting to be able to disable
> EASY access to a "mission critical" system.
>
> What about further disabling of access to /etc/passwd? Does SELinux
> take any such steps? (Ok, I could look into this by reading TFM.
> Apologies).
>
> Alan

Not very sure about SELinux, but RSBAC has in-kernel user management (in its latest releases >=1.2.5). IIRC SELinux also uses its own user management beside the unix one (check selinux docs).

PS: but the data is still there, so use encryption (enc. partition)

...SKIP...

HTH.
Rumen
Re: [gentoo-user] Security from non-authorized logins
Alan E. Davis wrote:

> He felt betrayed. I understand why, I think: what's secure about
> GNU/Linux if anyone can boot the system and reset his passwords?

Oh C'mon! Like you NEVER did the same on a Windows box. YES, you can do something similar on NT/2K/XP/Whatever...

Encrypt your filesystems if you want a little more security on a physically accessible computer.

Regards,
--
Norberto Bensa
Cel: 5654-9539
Ciudad de Buenos Aires, Argentina
Re: [gentoo-user] Security from non-authorized logins
On Sunday 16 April 2006 06:54, "Alan E. Davis" <[EMAIL PROTECTED]> wrote about '[gentoo-user] Security from non-authorized logins':

> I helped a friend install Ubuntu GNU/Linux on his laptop, he left
> town, forgot his passwords, and I promised to breakin for him, so he
> can re-do his passwords. Told him all I have to do is run Knoppix,
> access his partition, and delete the little x in the password file.
> Then he would reset his root password in be back in business.
>
> He felt betrayed. I understand why, I think: what's secure about
> GNU/Linux if anyone can boot the system and reset his passwords?

First of all, you can't have it both ways. Either there's a way to get into your system without your password(s) or you are screwed when you forget your password.

Second, any OS that doesn't hold its password file on an encrypted area protected by some other master password, is subject to the same attack. Sometimes there's more "security by obscurity" to deal with, but that only has to be dealt with once. (For example, "rooting" a Windows box requires tools that are a bit more specialized than a text editor.)

> Oh, well, does anyone have anything to suggest or to say about this?

You can set your BIOS so that only device X is bootable, but there's two ways around that. Since you have physical access, you can either (a) exchange the media hooked to device X or (b) short the reset pins / remove the MB battery to reset the BIOS to factory defaults. Either might require opening the case, but are pretty easy to do. Also, it's really easy to forget BIOS passwords since they aren't needed that often.

Now, okay, so let's work under the assumption that the attacker has full control over your boot process. They can load any OS they want so even if they have no /other/ way to access your data, they can simply read it byte by byte off of the hard drive. They can also write to the hard drive, so they could replace your secure software with insecure or malicious software (assuming they can read the software enough to know how to modify it). [The same can be said for transforming innocuous data to incriminating data.] Even if they don't have enough access to modify your software, they could just overwrite the HD and deprive you of the data.

Now, while we can't prevent vandals from destroying your data, it is possible to encrypt everything on your HD 'cept for the kernel and just enough user-space tools to start the decryption. This prevents the attacker from stealing the data, and also prevents an attacker from replacing your secure software with insecure or malicious software (they don't know where/what to write). The keys are protected by a password; without the password NO ONE can get them, so DON'T LOSE THE PASSWORD.

Finally, I do want to take this opportunity to mention one of the possible /benefits/ of TPM / TCM / "Treacherous" Computing. Assuming you have the keys to your computer, it will only load BIOSes that you've allowed which will only load kernels you've allowed, which give you control over your boot process again -- encryption will still be necessary to safeguard against your HD simply being stolen, but TPM/TCM does close a few holes. (Of course, this is not how MS etc. want TPM/TCM implemented; they are looking at a system design where /THEY/ own the keys to your computer.)

--
"If there's one thing we've established over the years, it's that the vast majority of our users don't have the slightest clue what's best for them in terms of package stability." -- Gentoo Developer Ciaran McCreesh
[gentoo-user] Security problem? - Apache access.log has: CONNECT ... 200
I just have noticed that my Apache2 access.log has few entries:

220.189.234.182 - - [27/Sep/2005:03:21:59 -0600] "CONNECT 202.165.103.38:80 HTTP/1.1" 200 17505
61.232.83.75 - - [09/Oct/2005:04:33:26 -0600] "CONNECT 66.135.208.90:80 HTTP/1.1" 200 25952
59.40.34.187 - - [09/Oct/2005:19:05:40 -0600] "CONNECT 210.59.228.72:25 HTTP/1.1" 200 17368
66.219.100.118 - - [18/Oct/2005:02:04:00 -0600] "CONNECT mx2.ToughGuy.net:25 HTTP/1.0" 200 30192
213.180.210.35 - - [26/Nov/2005:12:09:14 -0700] "CONNECT 213.180.193.1:25 HTTP/1.0" 200 16916

These IPs are mostly from Russian or Chinese hackers.

My proxy is not enabled in /etc/conf.d/apache2

APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP4"

Anybody has similar entries?

According to Apache explanation: http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
"200" would indicate that somebody is using my apache as proxy, but how?

--
#Joseph
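A triage sketch for log entries like the ones in the post above, added here as an example and not part of the original message: it pulls proxy-style requests out of an access log (CONNECT, plus requests with an absolute http:// target, which goes beyond the CONNECT-only lines quoted) and separates refused attempts from 2xx answers. The sample lines are constructed, and treating a 2xx whose byte count equals that of an ordinary local response as "served locally" is this example's own heuristic, not proof either way.

```python
import re

# Common Log Format: host ident user [time] "METHOD target proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges), shaped like the
# entries quoted in the post. They are not taken from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2005:03:21:59 -0600] "CONNECT 198.51.100.38:80 HTTP/1.1" 200 17505
192.0.2.11 - - [09/Oct/2005:19:05:40 -0600] "CONNECT 198.51.100.72:25 HTTP/1.1" 200 17368
192.0.2.12 - - [18/Oct/2005:02:04:00 -0600] "CONNECT mx.example.net:25 HTTP/1.0" 405 312
192.0.2.13 - - [18/Oct/2005:02:05:00 -0600] "GET /index.html HTTP/1.1" 200 17505
192.0.2.14 - - [18/Oct/2005:02:06:00 -0600] "GET http://example.org/ HTTP/1.1" 200 17505
garbage line
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_proxy_style(rec):
    """CONNECT host:port, or any method whose target is an absolute URL."""
    target = rec["target"].lower()
    return rec["method"] == "CONNECT" or target.startswith(("http://", "https://"))


def target_port(rec):
    """Port named in a CONNECT target (25 means an SMTP relay attempt)."""
    if rec["method"] != "CONNECT":
        return None
    _host, sep, port = rec["target"].rpartition(":")
    return int(port) if sep and port.isdigit() else None


def triage(lines):
    """Classify every proxy-style request found in an iterable of log lines."""
    records = [r for r in map(parse_line, lines) if r]
    # Byte counts of ordinary local 200 responses seen in the same log.
    local_sizes = {
        r["size"] for r in records
        if not is_proxy_style(r) and r["status"] == 200
    }
    findings = []
    for r in records:
        if not is_proxy_style(r):
            continue
        if not 200 <= r["status"] < 300:
            verdict = "refused"          # server answered with an error
        elif r["size"] in local_sizes:
            verdict = "served-locally"   # heuristic: same size as a local page
        else:
            verdict = "review"           # 2xx with an unexplained size
        findings.append({
            "host": r["host"], "time": r["time"], "target": r["target"],
            "port": target_port(r), "status": r["status"],
            "size": r["size"], "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["verdict"], f["host"], f["target"], f["status"], f["size"])
```

Entries that come back as "review" are the ones to check against the server's proxy configuration and outbound connection records.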
[gentoo-user] Security Violation: A file exists that is not in the manifest
Hi,

I am getting several of the above/below errors which is preventing me from updating my ports. How do I get around this ? Deleting the files doesn't seem to help.

!!! Security Violation: A file exists that is not in the manifest.
!!! File: files/digest-xerces-2.3.0
!!! Security Violation: A file exists that is not in the manifest.
!!! File: files/digest-libidn-0.5.11-r1
!!! Security Violation: A file exists that is not in the manifest.
!!! File: files/1.1.4/crash-objstream.diff
!!! Security Violation: A file exists that is not in the manifest.
!!! File: files/digest-wine-20050310
...etc

Thanks.
Nelis
Re: [gentoo-user] Security Violation: A file exists that is not in the manifest
Nelis Lamprecht wrote: > Hi, > > I am getting several of the above/below errors which is preventing me > from updating my ports. How do I get around this ? Deleting the files > doesn't seem to help. > > !!! Security Violation: A file exists that is not in the manifest. I guess u clone portage tree from another PC repeatedly, but forgot to add --delete flag to rsync command. "emerge sync" should help, RTFM rsync too. noro -- gentoo-user@gentoo.org mailing list