Bug#581711: Created kernel-package do not trigger the creation of an initrd
Package: kernel-package
Version: 12.033
severity: medium

Hello Manoj,

from time to time I build kernels with kernel-package. Since the new kernel-package version (I installed squeeze's version on my lenny machine) I cannot build packages anymore that automatically create an initrd. I already read the docs and the man page, and I did what is recommended to do, but I still don't get hook scripts in /etc/kernel/foobar

My questions:

* Does the --initrd option of make-kpkg _only_ enable the scan and execution of the hooks in /etc/kernel?
* Is there any mode that creates a kernel package which _installs_ hook scripts on the _target_ system? I want the hook scripts themselves to be included in the kernel package I create. I see make-kpkg creates debian/linux-image-foobar/etc/kernel/postinst.d/, but this dir is always empty.
* Are you aware that the initramfs-tools ship a hook that contains:

---8---
# kernel-package passes an extra arg; hack to not run under kernel-package
[ -z $2 ] || exit 0
---8---

So that hook script exits 0 when called by a kernel package made by make-kpkg - why would it be wrong to run that hook when installing a kernel made by kernel-package?

My goal is to create distro-like kernel packages, i.e. I want the packages to be transferable to other machines as a drop-in replacement for the packages that Debian ships. But as long as the users have to call mkinitramfs manually, it's a real pitfall for them ...

Best Regards,
Andreas

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#542751: util-vserver: vserver --version shows wrong version
Package: util-vserver
Version: 0.30.216~r2842-2
severity: minor

Hello,

if you use vserver --version you get the wrong version number:

# vserver --version
vserver 0.30.215 -- manages the state of vservers
This program is part of util-vserver 0.30.215

The code of the tool itself seems to be the current one, only the version is not updated. The package used is squeeze's current 0.30.216~r2842-2.

A reason for the historic version number might be in the configure-file of the sources (0.30.216~r2842-2):

# grep PACKAGE_VERSION configure
PACKAGE_VERSION='0.30.215'

rgds,
derjohn
Bug#436954: slapd: wishlist item: re-index at startup
Package: slapd Version: 2.3.30-5, probably all newer ones. severity: wishlist Hello, as slapd fails from time to time in maintaining it's indexes correctly, I would like to see a config option in /etc/default/slapd, to make it re-index at startup time. The behavior should be configurable in /etc/default/slapd. Two patches attached. rgds, Andreas --- /etc/default/slapd.orig 2007-08-09 18:44:35.0 +0200 +++ /etc/default/slapd 2007-08-09 19:01:21.0 +0200 @@ -9,6 +9,10 @@ # run in the primary group of its user. SLAPD_GROUP=openldap +# Set this to true, if you want the indexes to be reindexed at startup +# Needs sudo to be installed. (apt-get install sudo or such) +SLAPINDEX_ON_START= + # Path to the pid file of the slapd server. If not set the init.d script # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf) SLAPD_PIDFILE= --- /etc/init.d/slapd.orig 2007-08-09 18:25:32.0 +0200 +++ /etc/init.d/slapd 2007-08-09 19:18:33.0 +0200 @@ -128,6 +128,16 @@ # Start the slapd daemon and capture the error message if any to # $reason. start_slapd() { + # (re-)creates indexes, if configured so in /etc/default/slapd + # indexes in slapd a known to misbehave from time to time. -aj + if [ ! -z ${SLAPINDEX_ON_START} ]; then + if [ -z $SLAPD_USER ]; then + /usr/sbin/slapindex + else + [ -f /usr/sbin/slapd ] sudo -u $SLAPD_USER /usr/sbin/slapindex + fi + fi + echo -n slapd if [ -z $SLAPD_SERVICES ]; then reason=`start-stop-daemon --start --quiet --oknodo \ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
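Review bot: the comment added above SLAPINDEX_ON_START in /etc/default/slapd says to set it to true, but the test in the init script hunk only checks for a non-empty value, so SLAPINDEX_ON_START=false or SLAPINDEX_ON_START=no would also trigger a reindex. Either document it as "set to any non-empty value" or compare against an explicit value in start_slapd(). The comment should also say that sudo is only used when SLAPD_USER is set, since the other branch calls /usr/sbin/slapindex directly.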
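Review bot: in the else branch of the block added to start_slapd(), the guard tests for /usr/sbin/slapd, while the commands that line depends on are sudo and /usr/sbin/slapindex; as shown there is also nothing joining the [ -f ... ] test to the sudo call. Test for the binaries actually used, quote ${SLAPINDEX_ON_START} and $SLAPD_USER inside the [ ] tests, and check the exit status of slapindex so that a failed reindex is reported through $reason instead of slapd being started regardless.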
Bug#436992: linux-image-2.6.18-4-amd64: sb600
Package: linux-image-2.6.18-4-amd64
Version: 2.6.18.dfsg.1-12
severity: medium

Booting this kernel on a machine equipped with 4GB+ RAM and an sb600-based controller causes ahci to hang, as the hardware is not really 64 bit capable. Since 2.6.22 there exists a patch already, details can be found on LKML (ahci: disable 64bit dma on sb600).

Here is a web-archive link of the thread:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg06695.html

I would love to see that patch backported and appear in the etch/proposed updates.

Meanwhile, there is a workaround: Set mem=4095M on the append line, but you cannot use much more than 3.3GB of the 4GB then.

rgds,
Andreas
Bug#429877: util-vserver: vcontext takes 100% CPU on a race condition
Package: util-vserver
Version: 0.30.212-1
severity: important

Hello,

on that particular version of the userspace tools there appears from time to time a race condition that makes the vcontext process(es) within a guest consume 100% of the cpu resources. Please consider upgrading to .213 utils with the next service release of etch.

Meanwhile I built packages from the lenny sources, which solved the problem on my hosts. For those who don't want to build them themselves, they can fetch my binaries here:

i386: http://linux-vserver.derjohn.de/debian/dists/etch/main/binary-i386/util-vserver_0.30.213-1_i386.deb
AMD64: http://linux-vserver.derjohn.de/debian/dists/etch/main/binary-amd64/util-vserver_0.30.213-1_amd64.deb

Micah also plans to offer packages on backports.org very soon.

rgds,
derjohn
Bug#414699: libtowitoko2 fails on install, postinstall brakes the install process
Package: libtowitoko2
Version: 2.0.7-7.2
Severity: medium

Hello,

in the postinst libtowitoko2.postinst there are the lines:

---
if [ -x /etc/init.d/pcscd ]; then
    /etc/init.d/pcscd restart-if-running 3>/dev/null
fi

restart-if-running is not (any longer?) known by /etc/init.d/pcscd, so the postinst fails. Please change to /etc/init.d/pcscd restart or something like that.

rgds,
Andreas
Bug#411109: update-grub/grub-set-default throws an error, if /grub dir does not exist
Package: grub
Version: sid
Severity: medium

Hi,

after dist-upgrading my sid, update-grub did not run successfully. The reason for that was that it indirectly called 'grub-set-default', which looked for a grub dir on / ! (not /boot or in my case /boot/boot, as I traditionally run an own partition for /boot).

This might have to do with the fact that /boot ran out of disk space during my dist-upgrades. (I have too many different kernels I think :-)) But in any case there should be a sanity check in update-grub that regenerates any missing files or dirs.

A mkdir /grub solved my problem, but I am not sure if that was simply a dirty workaround.

Rgds,
Andreas
Bug#408668: Wish: Add those two /usr/share/doc/pure-ftpd-common/somewhat
Package: pure-ftpd
Version: all
Severity: wishlist

Hi,

I wrote some lines about the upload script feature and how Debian manages it. I would like to see it included in /usr/share/doc/pure-ftpd-common/somewhat or in a manpage.

URLs:
http://blog.derjohn.de/snipsnap/space/start/2006-11-14/1#Pure-ftpd_and_the_Upload-Script_Feature
http://blog.derjohn.de/snipsnap/space/start/2007-01-14/1#pure-FTPD:_Another_perl_code_snippet_as_uploadscript

The license is GPL V2 as noted within the texts.

rgds,
Andreas
Bug#407450: awstats package has ^M in examples/awstats_buildstaticpages.pl
Package: awstats
Version: all (?)
severity: minor

Hi,

in my stats-building script I directly call /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to build static stats pages. The script has a ^M at the end of each line and is thus not executable without error :/

A conversion with 'dos2unix' or such helps to make it run :)

The script is obviously maintained by the upstream on a non-Linux desktop. Would you mind checking all the stuff in examples and delivering it directly with Linux-ish linefeeds?

thx,
derjohn
Bug#407452: awstats package has ^M in examples/logresolvemerge.pl
Package: awstats
Version: all (?)
severity: minor

SORRY FOR THE PREVIOUS FILED BUG. I MADE A MISTAKE. THE SCRIPT IN QUESTION IS logresolvemerge.pl, NOT awstats_buildstaticpages.pl.

Hi,

in my stats-building script I directly call /usr/share/doc/awstats/examples/logresolvemerge.pl to build static stats pages. The script has a ^M at the end of each line and is thus not executable without error :/

A conversion with 'dos2unix' or such helps to make it run :)

The script is obviously maintained by the upstream on a non-Linux desktop. Would you mind checking all the stuff in examples and delivering it directly with Linux-ish linefeeds?

thx,
derjohn
Bug#406342: module-assistant says in German translation: Zum Weitere Return drücken...
Package: module-assistant
severity: low
Version: 0.10.8

Hi,

after preparing the system, module-assistant in Etch says

--
Fertig! Zum Weitere Return drücken...
---

That's wrong in German language, it should read like

Zum Weitermachen Return drücken...

or more elegant

Zum Fortfahren Return drücken

Furthermore:

---
Um mehr zu erfahren, Wählen Sie die Option OVERVIEW.
---
                     ^ must be wählen (small after a comma)

There are more quirks in the translation, but I was unable to reproduce them.

rgds,
Andreas
Bug#406355: drbd0.7-module-source fails to compile
Package: drbd0.7-module-source
severity: medium

Hello,

I was using module-assistant to compile drbd0.7 on Debian's 2.6.18-3 on etch (current, dist-upgraded today), but the compile step failed. I switched to drbd0.8, which compiled fine with the same procedure.

This is the kernel in question:

# dpkg --get-selections |grep linux-.*-2.6.18.*
linux-headers-2.6.18-3          install
linux-headers-2.6.18-3-686      install
linux-image-2.6.18-3-686        install
linux-kbuild-2.6.18             install

rgds,
Andreas
Bug#401003: omit configuration - it asks for allow ldap v2
Package: slapd
severity: low

I think there is a problem in the debconf of the package. If I choose to omit configuration on a fresh install, it asks me if I want to allow ldap v2 logins. Well, that's a question of the configuration, as it is defined in slapd.conf. The question should appear in that case.

rgds,
Andreas
Bug#394927: $PAT/Regex for Cyrus 2.2 does not properly
Package: pop-before-smtp
Version: all
severity: medium

See: SF #1583141

Hi,

The Cyrus pattern shipped in /etc/pop-before-smtp/pop-before-smtp.conf looks like that:

$pat = '^(... .. ..:..:..) \S+ (?:pop3|imap)[ds]?\[\d+\]: ' .
       'login: [^[\s]*\s*\[[:f]*(\d+\.\d+\.\d+\.\d+)\] \S+ \S+';

On a Cyrus 2.2 System (Debian Etch) a pop3 login creates a line like that in the mail.log:

Oct 23 21:47:27 mx3 cyrus/pop3[11390]: login: my.reverse.xy [192.168.1.1] [EMAIL PROTECTED] plaintext User logged in

Do you spot the problem? I am sure ;) There is the word cyrus/ missing. I guess that cyrus 2.2 did change behavior. I added an optional non-backreferencing pattern to match it and the line looks like that:

$pat = '^(... .. ..:..:..) \S+ (?:cyrus\/)(?:pop3|imap)[ds]?\[\d+\]: ' .
       'login: [^[\s]*\s*\[[:f]*(\d+\.\d+\.\d+\.\d+)\] \S+ \S+';

But I am pretty unsure why the regex should not match a "User logged in" at the end. The IP should not be auth'ed if the last words sound like "verification failed: Name or service not known" or "authentication failure: checkpass failed", but the regex might work because it requires the right amount of []. As I said: IMVHO the pattern should match "User logged in" at the end.

Best Regards,
derjohn

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net
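The difference between a pattern that stops after the two fields following the IP and one that also requires "User logged in", as an added example that is not part of the original report or of pop-before-smtp. It is a Python translation of the Perl pattern with the cyrus/ prefix made optional by a trailing "?"; all log lines are constructed, and the third one is a hypothetical failed attempt that only borrows the failure wording from the report, so real Cyrus failure lines may look different.

```python
import re

# Common part of both patterns. "(?:cyrus/)?" is optional, so the older
# "pop3d[pid]:" tag and the Cyrus 2.2 "cyrus/pop3[pid]:" tag both match.
# "[:f]*" lets an IPv4-mapped address such as [::ffff:192.168.1.2] through.
_PREFIX = (
    r"^(... .. ..:..:..) \S+ (?:cyrus/)?(?:pop3|imap)[ds]?\[\d+\]: "
    r"login: [^\[\s]*\s*\[[:f]*(\d+\.\d+\.\d+\.\d+)\] \S+ \S+"
)

# Shape of the shipped pattern: nothing is required after "<user> <mechanism>".
LOOSE = re.compile(_PREFIX)
# Variant asked for in the report: the line must end with the success text.
STRICT = re.compile(_PREFIX + r" User logged in$")

# Constructed sample lines (user names and hosts are made up).
SAMPLE_LOG = """\
Oct 23 21:47:27 mx3 cyrus/pop3[11390]: login: my.reverse.xy [192.168.1.1] alice@example.org plaintext User logged in
Oct 23 21:48:02 mx3 pop3d[11391]: login: other.host.xy [::ffff:192.168.1.2] bob plaintext User logged in
Oct 23 21:49:10 mx3 cyrus/imap[11400]: login: bad.host.xy [192.168.1.3] mallory plaintext authentication failure: checkpass failed
Oct 23 21:50:00 mx3 cyrus/lmtpunix[11410]: login: local.xy [192.168.1.4] carol plaintext User logged in
"""


def authorized_ips(log_text, pattern):
    """Return the client IPs that `pattern` would hand to the relay whitelist."""
    ips = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            ips.append(match.group(2))  # group 1 is the timestamp, group 2 the IP
    return ips


if __name__ == "__main__":
    print("loose :", authorized_ips(SAMPLE_LOG, LOOSE))
    print("strict:", authorized_ips(SAMPLE_LOG, STRICT))
```

Only the strict variant keeps the address from the hypothetical failed attempt out of the result; both variants ignore the lmtpunix line because the service name is restricted to pop3 and imap.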
Bug#389614: util-vserver: Please stay consistent in the software's name: Linux-VServer
Package: util-vserver
Version: all
severity: wishlist

Hi!

I propose some changes for the text output of util-vserver's supporting scripts:

1.) debconf:
    Automatically handle the starting and stopping of Vserver guests?
    -- Automatically handle the starting and stopping of Linux-VServer guests? (or maybe simply guests).

2.) Start-Stop-Script:
    Vserver capability not detected in kernel.
    -- This Kernel does not support Linux-VServer.

3.) Start-Stop-Script:
    Fixing visibility of /proc entries for Vservers...
    -- Fixing visibility of /proc entries for Linux-VServer guests...

Best regards,
Andreas
Bug#368428: adduser: uninitialized value in printf
Package: adduser
Version: 3.82
severity: minor

When installing dcc-client you see a warning in adduser:

Use of uninitialized value in printf at /usr/sbin/adduser line 329.

rgds,
derjohn
Bug#368195: libpam-ldap: add comments to the config file: no double quotes
Package: libpam-ldap
Version: all
severity: wishlist

In /etc/pam_ldap.conf there is:

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Please do not put double quotes around it as they
# are interpreted as literal.
#binddn cn=proxyuser,dc=padl,dc=com

rgds,
derjohn
Bug#368189: sasl2-bin: multiple mechanisms not supported simultanously
Package: sasl2-bin
Version: all
severity: normal

The /etc/default/saslauthd reads:

# You must specify the authentication mechanisms you wish to use.
# This defaults to pam for PAM support, but may also include
# shadow or sasldb, like this:
# MECHANISMS=pam shadow

I tried that with MECHANISMS=pam ldap and MECHANISMS=ldap pam, but came to the conclusion that saslauthd only queries the first mechanism mentioned.

I googled and found this (from mid 2005):
http://comments.gmane.org/gmane.mail.imap.cyrus/18735

Which supports my theory. Please look for the comment of Igor Brezac, who is the author of the auth_ldap module for saslauthd (and besides that not mentioned in the copyright file of sasl2-bin. That should be changed, too, because the module is packaged with the .deb!)

rgds,
Andreas John

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net
Bug#368191: libnss-ldap: add comments to the config file
Package: libnss-ldap
Version: all
severity: wishlist

In /etc/libnss-ldap.conf there is:

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)

Well, that's only half the truth. The password stored there must have neither a newline at the end nor a blank. But what strikes most is that it must not be a terminated line, so creating the password with e.g. vi will not work!

I would vote for adding a hint to the above comment:

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600). Use
# 'echo -n mYpAsSwOrD > /etc/ldap.secret' instead of an
# editor to create it.

rgds,
derjohn
Bug#368192: libnss-ldap: add comments to the config file: no double quotes
Package: libnss-ldap
Version: all
severity: wishlist

In /etc/libnss-ldap.conf there is:

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Please do not put double quotes around it as they
# are interpreted as literal.
#binddn cn=proxyuser,dc=padl,dc=com

rgds,
derjohn
Bug#368194: libpam-ldap: add comments to the config file
Package: libpam-ldap
Version: all
severity: wishlist

In /etc/pam_ldap.conf there is:

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)

Well, that's only half the truth. The password stored there must not have a newline at the end nor a blank. But what strikes most is that it must not be a terminated line, so creating the password with e.g. vi will not work!

I would vote for adding a hint to the above comment:

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600). Use
# 'echo -n mYpAsSwOrD > /etc/ldap.secret' instead of an
# editor to create it.

rgds,
Andreas John

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net
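A check for the two conditions named in the libnss-ldap and libpam-ldap reports above (mode 600, no trailing newline or blank), as an added example that is not part of either package or of the original reports. The function names are made up for illustration, the password is the placeholder from the report, and the demo works on temporary files rather than /etc/ldap.secret.

```python
import os
import stat
import tempfile


def write_secret(path, password):
    """Write the password without a line terminator, mode 0600 from creation on."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        os.write(fd, password.encode())
    finally:
        os.close(fd)


def audit_secret(path):
    """Return a list of problems with a bind-password file, empty if none."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("accessible by group/other")
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        problems.append("empty")
    elif data[-1:] in (b"\n", b"\r"):
        problems.append("ends with a line terminator")
    elif data[-1:] in (b" ", b"\t"):
        problems.append("ends with a blank")
    return problems


def demo():
    """Audit one file written correctly and one written the way an editor does."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.secret")
        bad = os.path.join(tmp, "bad.secret")
        write_secret(good, "mYpAsSwOrD")
        with open(bad, "w") as fh:
            fh.write("mYpAsSwOrD\n")  # an editor such as vi terminates the line
        os.chmod(bad, 0o644)
        return audit_secret(good), audit_secret(bad)


if __name__ == "__main__":
    print(demo())
```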
Bug#368042: pure-ftpd-ldap: the wrapper startscript does not correctly start pure-ftpd-ldap
Hi!

I use the 'current' from the date the bug was filed. I saw the problem on sarge, then dist-upgraded to etch (for several reasons). I remember switching from .19 to .21 - but cannot remember Debian's -X revision.

I may have to add that I apt-ed pure-ftpd first, then replaced it with apt-get install pure-ftpd-ldap. Maybe there is a problem?

rgds,
Andreas

Stefan Hornburg (Racke) wrote:
> Andreas John wrote:
>> Package: pure-ftpd-ldap
>> Version: sarge,etch,...
>> severity: normal
>>
>> When using pure-ftp-ldap, I cannot start it, neither as standalone nor via inetd. The error comes from here: /usr/sbin/pure-ftpd-wrapper in line 174
>>
>> Solution (Workaround):
>> ln -s /usr/sbin/pure-ftpd-ldap /usr/sbin/pure-ftpd
>>
>> But IMO it should be fixed in /usr/sbin/pure-ftpd-wrapper.
>
> Which version are you using?
>
> Bye
> Racke

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net
Bug#368042: pure-ftpd-ldap: the wrapper startscript does not correctly start pure-ftpd-ldap
Package: pure-ftpd-ldap
Version: sarge,etch,...
severity: normal

When using pure-ftp-ldap, I cannot start it, neither as standalone nor via inetd. The error comes from here: /usr/sbin/pure-ftpd-wrapper in line 174

Solution (Workaround):
ln -s /usr/sbin/pure-ftpd-ldap /usr/sbin/pure-ftpd

But IMO it should be fixed in /usr/sbin/pure-ftpd-wrapper.

rgds,
derjohn
Bug#366691: util-vserver: should include the cpuhog to test the scheduler
Package: util-vserver
Version: all (?)
severity: wishlist

There is a script ready that eats up all cpu power:
http://vserver.13thfloor.at/Experimental/TOOLS/cpuhog.c

This is ideal for testing the sched limits of a guest. It should be at least included in /usr/share/doc/util-vserver/examples. I like to see only the src provided, to prevent that id 10 t's DoS their machine

rgds,
derjohn
Bug#364384: util-vserver: should include the bash_completion script
Package: util-vserver
Version: all (?)
severity: wishlist

There is a bash completion ready:
http://linux-vserver.org/Vserver+Completion

The Debian package should put that to /etc/bash_completion.d/vserver. The user can enable bash_completion globally in /etc/bash.bashrc, Debian has that feature commented out by default. This should be mentioned in the README. Alternatively and/or additionally the script could go into /usr/share/doc/examples.

rgds,
derjohn
Bug#363342: util-vserver: long description referrs to the wrong URL
Package: util-vserver
Version: all (?)
severity: wishlist

The description of the package mentions http://www.linux-vserver.de/ (which is a redirect to the right one), but the project's official URL is http://linux-vserver.org (no www, and .org at the end).

rgds,
derjohn
Bug#363343: util-vserver: description mentions a ctx patch
Package: util-vserver
Version: all (?)
severity: wishlist

The description of the package mentions the 'ctx'. The use of the term 'ctx' is only correct for the 1.x generation of linux-vserver, which is end-of-life (as far as we can use that term for opensource software :)). Besides that, an apt-cache search ctx in sid does not reveal anything about vserver. In Sid recently appeared pre-patched kernels. So I would wish the description being changed.

rgds,
derjohn
Bug#363382: util-vserver: should recommend debootstrap
Package: util-vserver
Version: all (?)
severity: wishlist

util-vserver should recommend debootstrap (or even yum?), because it's the usual way to build guests with

vserver build foo -m debootstrap ...

rgds,
derjohn
Bug#362658: grub: grub-install fails on hdh+
Package: grub
Version: all (?)
severity: normal

grub-install fails on disks >= hdh.

# Get the drive name.
tmp_drive=`grep -v '^#' $device_map | grep "$tmp_disk *$" \
    | sed 's%.*\(([hf]d[0-9][a-g0-9,]*)\).*%\1%'`

Here only up to 'g' is matched. This is not enough. I have a pretty standard ASUS Mobo, whose PATA devices are hdi+.

Similar is true for grub-install on md-devices:

| sed s%.*/r\{0,1\}da[0-9]\(s[0-9]*[a-h]\)%\1%
^^^ ^^

rgds,
derjohn
Bug#360339: start bind within linux-vserver (no capabilities available in the security context)
package: bind9
version: all
severity: wishlist

Hello!

This bug is filed as wish. It's more or less related to #212226 (bind9 doesn't start when capabilities aren't available), which is set to wontfix.

I would vote for re-thinking about fixing: There is already a patch available that fixes it. We use that heavily in linux-vserver.org, because the so-called 'security contexts' we use (like virtual servers, guests, jails ...) don't get any capability. Unlike other v12n solutions (XEN, UML ..) in linux-vserver there is no own kernel per context: So we don't allow guests to get capabilities.

Linux-vserver is already available in Debian for a long time (packages util-vserver, vserver-debiantools), recently linux-image-2.6.16-1-vserver.* entered Debian Sid even as ready-to-run kernel.

The patch was made by Daniel Hokka Zakrisson. It works quite simply: It checks if there are capabilities available and uses them. This is the usual and under normal circumstances the more secure way. If there are no capabilities available (especially CAP_SYS_RESOURCE, which is requested by bind) it starts without them. With linux-vserver.org this way of running bind makes it _more_ secure.

The original source of the patch is here:
http://daniel.hozac.com/stuff/bind-9.2.3-CAP_SYS_RESOURCE-when-available.patch

And the source of the patch itself is also to be found at the end of that mail.

rgds,
Andreas

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net

$ cat bind-9.2.3-CAP_SYS_RESOURCE-when-available.patch diff -Naurp bind-9.2.3.orig/bin/named/unix/os.c bind-9.2.3/bin/named/unix/os.c --- bind-9.2.3.orig/bin/named/unix/os.c 2004-11-30 11:04:45.0 +0100 +++ bind-9.2.3/bin/named/unix/os.c 2004-12-05 15:24:08.0 +0100 
@@ -155,9 +155,27 @@ linux_setcaps(unsigned int caps) { } } +static unsigned int +linux_getcaps(void) { + struct __user_cap_header_struct caphead; + struct __user_cap_data_struct cap; + char strbuf[ISC_STRERRORSIZE]; + + memset(caphead, 0, sizeof(caphead)); + caphead.version = _LINUX_CAPABILITY_VERSION; + caphead.pid = 0; + memset(cap, 0, sizeof(cap)); + if (syscall(SYS_capget, caphead, cap) 0) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlyfatal(capget failed: %s, strbuf); + } + + return cap.permitted; +} + static void linux_initialprivs(void) { - unsigned int caps; + unsigned int caps, current; /* * We don't need most privileges, so we drop them right away. @@ -166,6 +184,7 @@ linux_initialprivs(void) { */ caps = 0; + current = linux_getcaps(); /* * We need to be able to bind() to privileged ports, notably port 53! @@ -205,14 +224,15 @@ linux_initialprivs(void) { * of files, the stack size, data size, and core dump size to * support named.conf options, this is now being added to test. */ - caps |= (1 CAP_SYS_RESOURCE); + if ((current (1 CAP_SYS_RESOURCE)) == (1 CAP_SYS_RESOURCE)) + caps |= (1 CAP_SYS_RESOURCE); linux_setcaps(caps); } static void linux_minprivs(void) { - unsigned int caps; + unsigned int caps, current; /* * Drop all privileges except the ability to bind() to privileged @@ -223,6 +243,7 @@ linux_minprivs(void) { */ caps = 0; + current = linux_getcaps(); caps |= (1 CAP_NET_BIND_SERVICE); /* @@ -232,7 +253,8 @@ linux_minprivs(void) { * of files, the stack size, data size, and core dump size to * support named.conf options, this is now being added to test. */ - caps |= (1 CAP_SYS_RESOURCE); + if ((current (1 CAP_SYS_RESOURCE)) == (1 CAP_SYS_RESOURCE)) + caps |= (1 CAP_SYS_RESOURCE); linux_setcaps(caps); } -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
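Review bot: linux_getcaps() in the first hunk ends named with ns_main_earlyfatal when capget fails, which sits oddly with a change whose purpose is to let named start in contexts with fewer capabilities. Consider logging the error and returning 0, so the callers simply skip the optional capability, and add a comment above the function stating that the return value is the permitted set as a bit mask.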
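Review bot: in linux_initialprivs(), the new test around caps |= ... CAP_SYS_RESOURCE drops the capability silently when it is not in the permitted set. The comment kept above it says the capability exists to support the named.conf resource-limit options, so an administrator whose limits are not applied gets no hint why; log a message on the path where the capability is skipped.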
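Review bot: in linux_minprivs(), only CAP_SYS_RESOURCE is checked against current, while CAP_NET_BIND_SERVICE on the line above is still requested unconditionally, so a context that lacks it is not covered by this change even though the description speaks of starting without unavailable capabilities in general. Either narrow the description to CAP_SYS_RESOURCE or apply the same check to the other bits, and move the repeated test (it appears in both linux_initialprivs and linux_minprivs) into one small helper.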
Bug#355303: cyrus-imap should extend config template of /etc/cyrus.conf
Package: cyrus-imapd-2.2
Version: all (?)
severity: wishlist

Would you consider adding this (commented out) snippet to Debian's default cyrus.conf in the EVENTS Section:

# squatter
# squatter cmd=/usr/sbin/squatter -s -r user at=0200

or similar.

This applies to other version(s), namely the 2.1 package, too, but I filed only this wish [I assume the wish is still valid as I only checked the 2.1 cyrus world]

rgds + foo,
derjohn

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#355306: cyrus21-imapd should extend config template of /etc/cyrus.conf
Package: cyrus21-imapd
Version: all (?)
severity: wishlist

Would you consider adding this (commented out) snippet to Debian's default cyrus.conf in the EVENTS Section:

# squatter
# squatter cmd=/usr/sbin/squatter -s -r user at=0200

or similar.

I filed that bug to cyrus-imapd-2.2 already. HMH told me to file for 2.1, too.

rgds + foo,
derjohn