Bootstrapping openpkg-4.0.7 on Solaris 10
Dear Openpkg,

Finally getting the time to commence an upgrade of our Openpkg toolset from version 3 to version 4. Have done a successful build of the bootstrap package, but now running into problems.

On running any openpkg command receive:

    openpkg:WARNING: invalid permissions on configuration file /secomon/openpkg-4/etc/openpkg/managers -- ignoring file

The permissions on this file are:

    -rw-r--r-- 1 mapp icmg 64 Jun 15 17:03 /secomon/openpkg-4/etc/openpkg/managers

Openpkg was bootstrapped with the following command:

    bash openpkg-4.0.7-20100430.src.sh --prefix=/secomon/openpkg-4 --tag=openpkg --user=mapp --group=icmg --muid=6000 --mgid=6000 --rusr=rapp --nusr=napp --rgrp=icrg --ngrp=icng --ruid=6001 --nuid=6002 --rgid=6001 --ngid=6002

The usernames and groups are all pre-created (and the same as what we used for openpkg version 3). The reason for this is that I don't have root access to our servers, and by having a consistent set of usernames and IDs I can get them pre-created on all systems prior to installation of openpkg.

NOTE: I have 'changed' the real usernames and user IDs (because I am paranoid), but the essence is the same.

Other things of note:

    /secomon/openpkg-4/bin/openpkg rpm -qa
    openpkg:WARNING: invalid permissions on configuration file /secomon/openpkg-4/etc/openpkg/managers -- ignoring file
    gpg-pubkey-63c4cb9f-3c591eda
    gpg-pubkey-61b7ae34-4544a6af
    gpg-pubkey-52197903-4544a74d

NOTE: There is no openpkg package listed, just the gpg keys.

Also, running:

    /secomon/openpkg-4/bin/openpkg rc all env
    openpkg:WARNING: invalid permissions on configuration file /secomon/openpkg-4/etc/openpkg/managers -- ignoring file
    openpkg:WARNING: invalid permissions on configuration file /secomon/openpkg-4/etc/openpkg/managers -- ignoring file

Nothing is output besides the errors. I am guessing something is 'dying' or being aborted inside the sub-commands that openpkg runs, but I haven't been able to work out what.

Any hints on how to diagnose further?
Jason ++ Think B4U Print 1 ream of paper = 6% of a tree and 5.4kg CO2 in the atmosphere 3 sheets of A4 paper = 1 litre of water ++
RE: Bootstrapping openpkg-4.0.7 on Solaris 10
Openpkg people,

I should have waited a little while before sending this off.

To fix permissions on the managers file was a simple 'chmod 664' to add group write.

Doing a truss of the process I see that it is trying to run 'id -un' - which on Solaris does not work. Added the following 'wrapper' script in the path to work around:

    #!/bin/bash
    # Wrapper for Solaris /usr/bin/id, which does not accept -un.
    if [ "$1" = "-un" ]; then
        # Pull the user name out of "uid=NNN(name) gid=NNN(group)".
        # Anchor on the first "(" so the group name is not returned instead.
        /usr/bin/id | sed -e 's/^[^(]*(//' -e 's/).*//'
        exit 0
    fi
    # Everything else goes to the real id unchanged.
    /usr/bin/id "$@"

Went back and read through build process and now see the same error that Olivier Fournier reported in January (Lua script error within rpm macros) reported at:

http://www.mail-archive.com/openpkg-users@openpkg.org/msg03980.html

Was a resolution/workaround to this found?

Wild guess - could it be due to issue with 'id'? Or possibly some sub command (e.g. id, sed, etc) is failing in the bootstrap, due to Solaris's 'limited' support of these commands?

I will continue to investigate, but wanted to report my findings so far.

Jason

From: openpkg-users-ow...@openpkg.org [mailto:openpkg-users-ow...@openpkg.org] On Behalf Of Wilson Jason
Sent: Wednesday, 16 June 2010 8:32 AM
To: openpkg-users@openpkg.org
Subject: Bootstrapping openpkg-4.0.7 on Solaris 10
RE: Introducing OpenPKG 4.x
Openpkg People,

Is there any information you can provide the existing users?

With the cessation of Openpkg-3 updates and no way to use Openpkg-4 we are in a bit of a situation now. There are packages and version upgrades we would like to do, but no easy way forward.

We have also been looking at alternatives, and Openpkg is still the preferred method - but in its current state it is not usable.

Jason

-----Original Message-----
From: openpkg-users-ow...@openpkg.org [mailto:openpkg-users-ow...@openpkg.org] On Behalf Of Olivier Fournier
Sent: Friday, 12 February 2010 12:15 AM
To: openpkg-users@openpkg.org
Subject: Re: Introducing OpenPKG 4.x

We are exactly in the same situation. Due to the lack of support and problem handling appearing with OpenPKG-4, we are now intensively looking for alternatives. We can not avoid waiting weeks and weeks for a problem to be handled and (eventually) solved.

Hopefully it will get better in the future...

__
OpenPKG http://openpkg.org
User Communication List openpkg-users@openpkg.org

As of 26 March 2009 the Department of Natural Resources and Water/Environmental Protection Agency integrated to form the Department of Environment and Resource Management
RE: Introducing OpenPKG 4.x
Openpkg People (in particular Ralf and Thomas),

Can we get another update on what is happening with Openpkg-4?

We have a deployment of Openpkg-3 systems across various production systems. With the change in licensing we need to re-evaluate our options. In particular, is Openpkg going to continue to be a viable option for us?

You said in your announcement:

> Finally, for static installations, a shareware license (VALUE) will be available for a small fee.

Is there any indication of what this is likely to be?

As there are no longer going to be updates for Openpkg-3 we either need to self-maintain or seek alternatives until this can be determined.

Jason Wilson

--
Jason Wilson
Security Consultant, Information and Technology Management
Telephone +61 7 389 63129
Facsimile +61 7 389 63740
Email: jason.wil...@derm.qld.gov.au
www.derm.qld.gov.au
Department of Environment and Resource Management
Corner Main and Vulture Streets, Woolloongabba QLD 4102
Locked Bag 40, Coorparoo Delivery Centre QLD 4151
RE: Building squid on Solaris 10 with large file support
Wilson Jason wrote:

> multilib is disabled by default. Rebuilding now with multilib explicitly enabled and will report how it goes.

Building of gcc went fine - now have multilib support. Unfortunately having problems with squid still.

When squid is running its configure scripts it is doing compile time tests with a command like:

    gcc -m64 conftest.c -lfsl

The problem is that the libfsl.a library is only 32 bit (or so I presume) as I get errors like:

    /secomon/openpkg-3/bin/ld: skipping incompatible /secomon/openpkg/lib/libfsl.a when searching for -lfsl

I have rebuilt fsl with the new gcc, but doesn't help with the problem - as it defaults to 32bit of course.

Do I need to build the whole openpkg system with 64bit support defined for everything, like this article you linked previously talks about?

http://marc.info/?l=openpkg-users&m=116072933928495&w=2

If so, this is probably more effort than I am prepared to do just to get the largefile support in squid when I have a workable 'hack' to do it with 32bit compiling.

Jason

The information in this email together with any attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any form of review, disclosure, modification, distribution and/or publication of this email message is prohibited, unless as a necessary part of Departmental business. If you have received this message in error, you are asked to inform the sender as quickly as possible and delete this message and any copies of this message from your computer and/or your computer system network.
RE: Building squid on Solaris 10 with large file support
openpkg-users-ow...@openpkg.org wrote:

> On Thu, Feb 05, 2009, Wilson Jason wrote:
>
>> [...]
>> Now, gcc doesn't like this and the Squid configure scripts changes this to '-m64'. Unfortunately gcc doesn't support 64bit builds and any compile returns an error about multilib not being supported, because it isn't.
>
> Why does your GCC not support -m64 on your 64-bit platform?

Am using the default build of gcc on Solaris 10 from openpkg. Checking on the source for the 'latest' version I see:

    openpkg rpm -qip rsync.openpkg.org/current/SRC/CORE/gcc-4.2.4-20080521.src.rpm
    Name:     gcc                        Source RPM:   (none)
    Version:  4.2.4                      Signature:    md5:84d4f944e7d9f29decd6a9a8bca21e87
    Release:  20080521                   Build Host:   rm0.openpkg.net
    Group:    Compiler                   Build System: ix86-freebsd6.2
    Class:    CORE                       Build Time:   Thu May 22 05:17:09 2008
    Distrib:  OpenPKG Community          Install Time: (not installed)
    License:  GPL                        Install Size: 44039998 bytes
    Packager: OpenPKG Foundation e.V.    Relocations:  (not relocateable)
    Vendor:   Free Software Foundation
    Summary:  GNU Compiler Collection
    URL:      http://gcc.gnu.org/
    Description:
        The GNU Compiler Collection (GCC) provides a standard conforming
        and highly portable ISO C and ISO C++ compiler.
    Provides:
        gcc::with_binutils = yes
        gcc::with_cxx = yes
        gcc::with_objc = no
        gcc::with_java = no
        gcc::with_fortran = no
        gcc::with_optimize = yes
        gcc::with_profile = no
        gcc::with_threads = yes
        gcc::with_multilib = no

multilib is disabled by default. Rebuilding now with multilib explicitly enabled and will report how it goes.

> PS: For some old hints about OpenPKG and 64 bit see also:
> http://marc.info/?l=openpkg-users&m=116072933928495&w=2

Had seen this before, the main bit I missed was in 'Fact #1' saying that it supports both 32 and 64 bit - just not built this way by default.

Thanks for the help.

Jason
Building squid on Solaris 10 with large file support
Dear Openpkg people,

Last year I worked with you guys to add large file support to squid builds. Recently I had a requirement to rebuild squid and now I am running into some problems.

The previous build I used (squid-3.0.1-20080223) worked fine. The latest version (squid-3.0.13-20090203) has problems compiling.

The problem would appear to be some changes in the way the Squid configure script handles large files. It uses the getconf command on Solaris to determine what 'model' to use for building with large file support. On my Solaris box it uses the POSIX_V6_LPBIG_OFFBIG model which adds -xarch=generic64 to CFLAGS.

Now, gcc doesn't like this and the Squid configure script changes this to '-m64'. Unfortunately gcc doesn't support 64bit builds and any compile returns an error about multilib not being supported, because it isn't.

To work around I added a new getconf command into the Openpkg bin directory (as it is earlier in the path than the Solaris /bin/getconf) which simply does 'exit 1'. That way configure uses the 'old' way to determine compile time flags (which ends up using _FILE_OFFSET_BITS=64).

Not sure what the 'right' fix would be. As far as I know the Openpkg gcc builds still don't do multilib support (haven't tried a recent build, but haven't heard otherwise).

At least the build for squid works, but I haven't extensively tested yet.

Is there a 'getconf' equivalent for Openpkg environment that will supply the 'right' values? To be honest, getconf is a new command to me, and I have never run into this particular problem before.

Jason

--
Jason Wilson
Security Consultant, ICT Operational Security Services
Telephone: +61 7 389 63129
Facsimile: +61 7 389 63740
Email: mailto:jason.wil...@nrw.qld.gov.au
http://www.nrw.qld.gov.au
Department of Natural Resources and Water
Corner Main and Vulture Streets, Woolloongabba QLD 4102
Locked Bag 40, Coorparoo Delivery Centre QLD 4151
RE: Running openpkg commands as a different user
[EMAIL PROTECTED] wrote on :

> All users which you add to prefix/etc/openpkg/managers are allowed the same privileges as the management user.

Thanks for this - did this and things seemed to be working fine... famous last words.

Unfortunate side effect though was that the HOME variable for each user in here gets set to the home directory of the user that owns openpkg. In addition LOGNAME gets changed too. Not sure if these are fixable in any easy way.

It gets very confusing when you don't have permission to write files in your own $HOME, but you do in your ~ - took me a little while to work out what/when was causing this.

Jason
Running openpkg commands as a different user
Dear openpkg people,

We have deployed various Openpkg based tools and have various administrators that need to access.

Is there any simple way to allow all users in a group (or a static list of users) access to run the 'openpkg' administrative commands, eg:

    openpkg rc apache restart

Currently it complains that you need to be root. If I run as the command that 'owns' openpkg it works fine.

One alternative is to wrap commands around sudo, but seeing as the openpkg command is already suid this seems a little redundant.

Jason
Squid restart problems
Openpkg'ers,

With the recent work on getting large file support in Squid to work I have finally determined the cause of another annoying problem that had previously eluded me.

When you do an upgrade of squid there is a rpm post install script that restarts squid. Unfortunately the restart fails because the squid needs a bit of time to cleanly shutdown (approximately 30 seconds) and the script tries to start it back up again before the shutdown has been completed.

In general, any 'openpkg rc squid restart' will fail to correctly restart squid.

To work around this issue I added to the rc.squid stop method the following commands:

    squid_pid=`cat /secomon/openpkg-3/var/squid/logs/squid.pid`
    pwait $squid_pid

As this is on Solaris the convenient pwait does the right thing for me (I do realise this is non-portable though).

The next problem is that because rc.squid is not a configuration file, when I do actually upgrade squid this local change is lost.

So a couple of questions:

- is it possible to get this 'fix' included (or a portable alternative)?
- what is the easiest way to make a similar local change permanent?

Thanks in advance,
Jay

PS: Thanks for the last couple of fixes too, been a great help and very much appreciated.
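A portable stand-in for the pwait step described in the message above, as an added example that is not part of the original post, of OpenPKG's rc.squid or of squid: it reads the PID before the stop command runs, then polls with kill -0 until the process is gone or a timeout expires. The function names, the 60-second timeout and the stop command in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: portable replacement for Solaris pwait in an rc "stop" step.
# All function names are hypothetical; nothing here is OpenPKG's own code.
#
# Usage sketch inside a stop method (path taken from the post, timeout assumed):
#   stop_and_wait /secomon/openpkg-3/var/squid/logs/squid.pid 60 squid -k shutdown

# read_pid PIDFILE
# Prints the PID stored in PIDFILE.
# Returns 1 if the file is missing, 2 if it does not hold a plain number.
read_pid() {
    [ -r "$1" ] || return 1
    rp_pid=$(head -n 1 "$1" | tr -d ' \t\r')
    case $rp_pid in
        ''|*[!0-9]*) return 2 ;;    # never pass junk to kill
    esac
    printf '%s\n' "$rp_pid"
}

# wait_for_exit PID TIMEOUT
# Polls once a second until PID no longer exists.
# Returns 0 when the process is gone, 1 if it is still there after TIMEOUT
# seconds. kill -0 sends no signal, it only tests whether one could be sent,
# so the caller must be allowed to signal PID (same user or root); without
# that permission a live process would look as if it had exited.
wait_for_exit() {
    we_pid=$1
    we_left=$2
    while kill -0 "$we_pid" 2>/dev/null; do
        [ "$we_left" -gt 0 ] || return 1
        sleep 1
        we_left=$((we_left - 1))
    done
    return 0
}

# stop_and_wait PIDFILE TIMEOUT STOP_COMMAND [ARGS...]
# Reads the PID first (the daemon may remove its PID file while shutting
# down), runs the stop command, then blocks until the old process is gone.
# Returns 0 when it is safe to start again, 1 on timeout, 2 if the PID file
# is unusable, 3 if the stop command itself failed.
stop_and_wait() {
    sw_pidfile=$1
    sw_timeout=$2
    shift 2
    sw_rc=0
    sw_pid=$(read_pid "$sw_pidfile") || sw_rc=$?
    case $sw_rc in
        1) return 0 ;;              # no PID file: nothing is running
        2) return 2 ;;              # corrupt PID file: do not guess
    esac
    "$@" || return 3
    wait_for_exit "$sw_pid" "$sw_timeout"
}
```

A restart step that calls the start command only when stop_and_wait returns 0 avoids starting the new daemon while the old one still holds its ports and cache.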
RE: Squid large file support
Ralf (or others),

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ralf S. Engelschall
Sent: Wednesday, 20 February 2008 4:35 PM
To: openpkg-users@openpkg.org
Subject: Re: Squid large file support

> Sure, now applied -- I just used with_largefile (no second underscore) for the name.

Thanks.

Another similar one for findutils - currently it explicitly disables large files, this patch makes it an option to re-enable. Wasn't sure on best way to do the '%if', but this seems to work (apologies for any line wraps that creep in):

diff -u findutils.spec.orig findutils.spec --- findutils.spec.orig 2008-02-21 08:46:38.002651000 +1000 +++ findutils.spec 2008-02-21 08:49:27.476345000 +1000 @@ -34,6 +34,8 @@ Version: 4.2.33 Release: 20080214 +%option with_largefiles no + # list of sources Source0: ftp://ftp.gnu.org/gnu/findutils/findutils-%{version}.tar.gz Source1: rc.findutils @@ -72,7 +74,11 @@ --libexecdir=%{l_prefix}/libexec/findutils \ --datarootdir=%{l_prefix} \ --localstatedir=%{l_prefix}/var/findutils \ +%if %{with_largefiles} == yes + \ +%else --disable-largefile \ +%endif --disable-nls %{l_make} %{l_mflags}

Thanks,
Jason
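Review bot: the option added in the first hunk is named with_largefiles, while the reply quoted at the top of this message says the squid option was applied as with_largefile. Using the same spelling in both spec files would let one build option name cover both packages, and a one-line comment above the %option line saying that the default keeps --disable-largefile would document why it defaults to no.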
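Review bot: in the second hunk the yes branch consists only of a bare continuation line ("+ \"), which passes nothing to configure and exists just to keep the %if/%else balanced. Inverting the test so that only --disable-largefile \ sits inside the conditional (emitted when with_largefiles is not yes) removes both the empty line and the %else, and leaves the trailing --disable-nls argument untouched.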
Squid large file support
Dear Openpkg People,

We are running squid (squid-3.0.1-20080101) on Solaris 10 and ran into 32bit file size limits for log files.

Is it possible to get something like the following patch included:

--- squid.spec.orig 2008-02-20 11:15:24.704719000 +1000 +++ squid.spec 2008-02-20 11:16:01.763218000 +1000 @@ -44,6 +44,7 @@ %option with_ssl no %option with_snmp no %option with_ntlm no +%option with_large_files no # list of sources Source0: http://www.squid-cache.org/Versions/v%{V_maj}/%{V_maj}.%{V_min}/squid-%{ V_maj}.%{V_min}.STABLE%{V_rev}.tar.gz @@ -122,6 +123,9 @@ %else --enable-auth=basic digest \ %endif +%if %{with_large_files} == yes + --with-large-files \ +%endif --enable-basic-auth-helpers=NCSA \ --enable-digest-auth-helpers=password \ --enable-default-err-language=English \

I have locally modified and built to get around our immediate problems, but if it can be included as a general thing that would be great.

Thanks in advance,
Jason
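Review bot: the Source0 context line in the first hunk appears to have been wrapped in transit ("squid-%{ V_maj}" has a break inside the macro), so the hunk will not match squid.spec as posted; resending the patch as an attachment or with wrapping disabled would fix that. The new "%option with_large_files no" line also has no comment, and since it defaults to no, default builds keep the 32bit log file limit this message describes, which is worth stating next to the option.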
Problems with rrdtool on Solaris 10
Trying to build rrdtool-1.2.26-20071120 on Solaris 10 and getting an error about 'POSIX_MADV_RANDOM' being undeclared.

Manually applied http://oss.oetiker.ch/rrdtool-trac/changeset/1242 and appears to move past this problem.

Now got an 'error: invalid pre-processing directive #undefine' - so changed line 247 in the patchset to be back to '#undef' and it got further.

Now get to linking problems with libart. It seems that the first 'configure' correctly uses lart_lgpl, but then the 'make' re-runs configure and this time it uses lart_lgpl_2. This causes problems as Solaris 10 has art_lgpl_2, but openpkg uses art_lgpl - and the two have different symbols.

Anyway, to work around this I changed the first bit of the rrdtool.spec %build section to do:

    %build
        # configure package
        %{l_shtool} subst \
            -e 's;lart_lgpl_2;lart_lgpl;g' \
            -e 's;art_lgpl_2;art_lgpl;g' \
            configure configure.ac

I am sure this is not the most 'elegant' solution, but it does work for me (and is probably not portable).

Jason
Problems using delegate
Dear openpkg maintainers,

We have previously been using an older version of delegate (delegate-9.2.4-2.20061018) and due to some problems with getting it to log anything useful I decided to try the 'current' version (delegate-9.6.0-20070520). This is on Solaris 10 SPARC machines.

The problem is that the code builds and installs fine, but when trying to execute we keep getting messages like:

    [EMAIL PROTECTED]: openpkg rc delegate start
    OpenPKG: start: delegate:FAILED
    openpkg:rc:WARNING: /secomon/openpkg-2.20061018:delegate:%start: failed with return code 255
    openpkg:rc:NOTICE: output from stdout/stderr is following:
    +--
    | -- File MD5: cd7d3568b95ffc180580b2998002f7db
    | ** checking the integrity of /secomon/openpkg-2.20061018/sbin/delegated ...
    | -- ERROR: can't link the SSL/Crypto library.
    | -- Hint: use -vl option to trace the required library,
    | --- find it (ex. libssl.so.X.Y.Z) under /usr/lib or /lib,
    | --- then set the library version as DYLIB='+,lib*.so.X.Y.Z'
    | -- src Sign? 9.6.0:20070520161041+0900:6476b7d225eef1ec:[EMAIL PROTECTED]
    | -- bld Sign 9.6.0 2007052213 d168f6191fe13291 ([EMAIL PROTECTED])
    | ** NG, this executable is not built from the original code
    | -- exe Sign? 9.6.0 2007052213 a7d38977349a0802 ([EMAIL PROTECTED])
    | ** NG, cannot verify this executable (RSA lib. unavailable)
    | FATAL: seems interpolated: /secomon/openpkg-2.20061018/sbin/delegated
    +--

After a lot of messing around I finally worked out a workaround to get things to work.

1. Login as the 'managed' user (in our case laicmapp).
2. Run:

    [EMAIL PROTECTED]:~$ LDPATH=/usr/sfw/lib delegated -Fexesign -w
    -delegate[13084]- insufficient access right: DGROOT=/secomon/openpkg-2.20061018/var/delegate
    -delegate[13084]- bad DGROOT=/secomon/openpkg-2.20061018/var/delegate
    -- src Sign 9.6.0 2007052016 6476b7d225eef1ec ([EMAIL PROTECTED])
    -- bld Sign 9.6.0 2007052213 d168f6191fe13291 ([EMAIL PROTECTED])
    ** NG, this executable is not built from the original code
    -- exe Sign? 9.6.0 2007052213 a7d38977349a0802 ([EMAIL PROTECTED])
    -- File MD5: cd7d3568b95ffc180580b2998002f7db
    old 9.6.0 2007052213 a7d38977349a0802 ([EMAIL PROTECTED])
    new 9.6.0 2007060710 cd7d3568b95ffc18 ([EMAIL PROTECTED])
    9.6.0:20070607104245+1000:cd7d3568b95ffc18:[EMAIL PROTECTED] .au:-'''
    -rwxr-xr-x 1 laicmapp landicmg 2290576 Jun 7 10:42 /secomon/openpkg-2.20061018/sbin/delegated

The LDPATH is so that it can find the run-time openssl libraries (which openpkg openssl does not have).

Once this is done then the daemon will start successfully.

Unfortunately this 'exesign' function actually modifies the executable so that a 'rpm verify' reports a mismatching MD5. This does not particularly worry me, but would be nice if it could be fixed. I presume that the 'build' process needs to be updated to re-sign the build (or something like that).

Jason
RE: Problems configuring postfix to forward to syslog
> For debugging aid please have a look at the last paragraph of
> http://marc.theaimsgroup.com/?l=openpkg-dev&m=116608524305991

I had found the instructions in the fsl code, but had hoped there might be an easier way...

>> On a related question - does the fsl library re-read configuration on the fly - or is it only on startup?
>
> The fsl reads all fsl.* files from its configuration directory on every openlog() call from the application. A common pitfall is to store defective, testing and copies of fsl.* files in the directory which confuses fsl because it reads them all and concatenates them into a huge string. This also leads to the problem of one defective file - independent of the application - affects all fsl applications.

Had worked this out too.

Ok - recompiled fsl with debugging enabled and then postfix with the new fsl library. By doing this I was able to see messages like the following in the debugging output:

    Mar 01 10:34:59 debug postfix/postsuper/mail[25262^25245] processcfg: argident=ident, argmatch=(postfix/.+)/.+, argl2spec=
        prefix( prefix=%b %d %H:%M:%S %N %L postfix/postsuper[%P]: ) - {
            debug: file( path=/secomon/openpkg-2.20061018/var/postfix/log/postfix.log, perm=0644, monitor=3600 );
            debug: syslog( target='remote', remotehost='secomondev.dnr.qld.gov.au'. remoteport=4800, ident='jay' );
        }
    Mar 01 10:34:59 error postfix/postsuper/mail[25262^25245] processcfg: logging failed to create stream from spec invalid use; line 11, column 18: `ote', '; failed to configure channel with 'target='remote''(3)
    Mar 01 10:34:59 error postfix/postsuper/mail[25262^25245] openlog: processcfg() failed with an unrecoverable error (6)

Some additional testing I managed to break it down to:

    fsl-l2tool 'syslog(target=remote)'
    l2tool:ERROR: failed to parse specification (invalid use; line 1, column 23: `ote)'; failed to configure channel with 'target=remote')

It would appear to me that the configuration file parser is getting itself out of sync. The 'target=remote' has already been read, but it thinks it is up to the ote part of the file.

My guess there is a bug in the config file reader (l2 I think it is called)?

If anyone has any ideas that would be great, otherwise I will need to rebuild all with debugging enabled and try that way. At least I make a much simpler test case than using a whole postfix installation.

Jason
RE: Problems configuring postfix to forward to syslog
Replying to myself -

Some additional testing I managed to break it down to:

    fsl-l2tool 'syslog(target=remote)'
    l2tool:ERROR: failed to parse specification (invalid use; line 1, column 23: `ote)'; failed to configure channel with 'target=remote')

It would appear to me that the configuration file parser is getting itself out of sync. The 'target=remote' has already been read, but it thinks it is up to the ote part of the file.

This is not correct.

My guess is there is a bug in the config file reader (l2 I think it is called)?

No - just the message is misleading.

If anyone has any ideas that would be great, otherwise I will need to rebuild all with debugging enabled and try that way.

This I have done and worked out the order of the parameters is important. Using 'syslog(target=remote)' fails, but 'syslog(remotehost=localhost,target=remote)' works. The remotehost parameter needs to be specified before you specify that the target is remote.

Suggest that the documentation is clarified and the examples updated.

Jason

--
Jason Wilson [EMAIL PROTECTED]
ICT Security Services
Queensland Department of Natural Resources and Water, Australia
Ph: +61 7 389 63129
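The two pitfalls reported in this thread (fsl reads every fsl.* file in its configuration directory, and remotehost has to come before target=remote in a syslog() channel) can be checked before a daemon is restarted. The script below is an added example, not part of the original messages or of OSSP fsl; the function names, the backup-suffix list and the sample files are assumptions constructed for illustration.

```shell
# Added example: audit an fsl configuration directory (names are assumptions).

# Print fsl.* files that look like leftover copies (fsl reads every fsl.* file).
stray_fsl_files() {
    for f in "$1"/fsl.*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            *.bak|*.orig|*.old|*.save|*.test|*~) echo "$f" ;;
        esac
    done
}

# Report syslog() channels in file $1 where target=remote appears without, or
# before, remotehost. Returns 1 if any such channel is found.
check_syslog_order() {
    awk -v f="$1" -v q="'" '
    { buf = buf $0 "\n" }
    END {
        pos = 1
        while ((i = index(substr(buf, pos), "syslog(")) > 0) {
            start = pos + i - 1
            body = substr(buf, start + 7)
            j = index(body, ")")
            if (j == 0) break
            spec = substr(body, 1, j - 1)
            gsub("[ \t\n" q "\"]", "", spec)   # drop whitespace and quotes
            t = index(spec, "target=remote"); r = index(spec, "remotehost=")
            if (t > 0 && (r == 0 || r > t)) {
                head = substr(buf, 1, start)   # text up to the channel start
                printf "%s:%d: target=remote before remotehost\n", f, gsub(/\n/, "", head) + 1
                bad++
            }
            pos = start + 7
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample files (not taken from a real installation).
make_sample() {
    printf '%s\n' 'debug: syslog(' '  target=remote, remotehost=localhost )' > "$1/fsl.bad"
    printf '%s\n' 'debug: syslog( remotehost=localhost, target=remote )' > "$1/fsl.good"
    cp "$1/fsl.good" "$1/fsl.good.bak"
}

tmp=$(mktemp -d) && make_sample "$tmp"
stray_fsl_files "$tmp"
for c in "$tmp"/fsl.*; do check_syslog_order "$c" || true; done
rm -rf "$tmp"
```

Run against a real installation by passing its fsl configuration directory to stray_fsl_files and each fsl.* file to check_syslog_order.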
Problems configuring postfix to forward to syslog
Could someone please help me with configuring postfix to send its logs to both a local file and to a syslog server? I have read the online FAQ at http://www.ossp.org/pkg/lib/fsl/faq.html and I still can't seem to get it to work.

The configuration file I have is shown below. I have tried many variations but none seem to want to work.

    ##
    ## fsl.postfix -- OSSP fsl configuration
    ##
    ident (postfix/.+)/.+ q{
        prefix(
            prefix=%b %d %H:%M:%S %N %L [%P]:
        )
        - {
            debug: file(
                path=/secomon/openpkg-2.20061018/var/postfix/log/postfix.log,
                perm=0644, monitor=3600
            );
            debug: syslog(
                facility = mail, ident=info, target=remote, remotehost=localhost
            )
        }
    )

Whenever I try and add any syslog based rules it seems to totally ignore the fsl.postfix file and send it to where fsl.fsl points. I suspect there is some type of syntax error in the configuration. Is there anywhere where fsl logs its own config parsing (I know it is a bit of a chicken-and-the-egg problem)? Have even tried removing the 'file' channel, and that doesn't work either.

Using fairly recent builds (from the 20061018 release) on Solaris 8. Everything builds fine and postfix runs fine - just can't seem to get the logging to do what I want it to do.

Your help is appreciated. Can provide additional details if it helps.

On a related question - does the fsl library re-read configuration on the fly - or is it only on startup?

Jason

--
Jason Wilson [EMAIL PROTECTED]
ICT Security Services
Queensland Department of Natural Resources and Water, Australia
Ph: +61 7 389 63129