Bug#514709: event queue full if slots undefined
Package: monit Severity: important Version: 4.10.1-4 Hi, Monit says that the event queue is full if SLOTS are not defined in set eventqueue statement. The following patch in the attachment correct this failure. Greetings, Markus Naß diff -ruN old/monit-4.10.1/file.c new/monit-4.10.1/file.c --- old/monit-4.10.1/file.c 2007-08-12 20:02:48.0 +0200 +++ new/monit-4.10.1/file.c 2009-02-10 09:55:00.0 +0100 @@ -404,7 +404,7 @@ DIR *dir = NULL; struct dirent *de = NULL; - if(limit = 0) { + if(limit = 0) { LogError(%s: event queue full\n, prog); return FALSE; }
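Review bot: In the file.c hunk the removed and added `if(limit = 0)` lines read identically as shown, and both use `=`, which assigns 0 to limit instead of comparing it, so the "event queue full" branch can never be taken and the configured limit is overwritten. State the intended comparison explicitly and add a comment saying which value of limit stands for "SLOTS not set", so that the unlimited case is visibly excluded from the full-queue check.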
Bug#514729: cryptsetup: /sbin/udevsettle: not found
Package: cryptsetup Version: 2:1.0.6-7 Severity: important Tags: patch If anyone have not installed udev, cryptsetup dont need to run udevsettle or did not post the message, that udevsettle could not found by /bin/sh. The patch in the attachment correct this by an if-statement. Greetings, Markus Naß diff -ruN old/cryptsetup-1.0.6/lib/libdevmapper.c new/cryptsetup-1.0.6/lib/libdevmapper.c --- old/cryptsetup-1.0.6/lib/libdevmapper.c 2007-10-25 09:11:19.0 +0200 +++ new/cryptsetup-1.0.6/lib/libdevmapper.c 2009-02-10 12:18:43.0 +0100 @@ -22,7 +22,8 @@ static void run_udevsettle(void) { - system(UDEVSETTLE); + if(!access(UDEVSETTLE, F_OK|X_OK)) + system(UDEVSETTLE); } static void set_dm_error(int level, const char *file, int line,
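Review bot: In run_udevsettle() the result of system(UDEVSETTLE) is still discarded after the new access() test, so a udevsettle that exists but fails stays silent, and the check and the execution remain two separate steps. X_OK alone is sufficient (F_OK adds nothing to the mask); check and log the return value of system(), and confirm that lib/libdevmapper.c includes unistd.h for access().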
Bug#404531: Emails were don't delete
Alexander Sack - Debian Bugmail wrote:
> Try to run Compact Folder manually (e.g. right-click on folder-Compact).

Ah, it works ;-)

Thanks.

- Markus Naß
--
Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD
~~ What cannot fly cannot crash either. ~~
Bug#404531: Emails were don't delete
Package: icedove
Version: 1.5.0.9.dfsg1-1
Severity: important

If I delete my emails from a directory, icedove doesn't delete them from .mozilla-thunderbird/*.default/Mail/Local\ Folders/.

Example: I receive an email, then I delete it and delete the trash too; the mail is not visible in icedove, but in .mozilla-thunderbird/*.default/Mail/Local\ Folders/Sent the mail is still there.

Thanks.

- Markus Nass
Bug#385068: add some pam features
Roger Leigh wrote:
> I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset.

Yes, I was confused myself about the function of this variable, but the pam-modules (look at the sources) want be check if it was a TTY device or not. The SSH server sets the PAM_TTY variable to ssh and xdm sets the variable to :0 or :1, etc. The pam_access module itself supports these fake variables (see libpam-doc). So I think there shouldn't be a problem if cupsd sets the variable to cups or cupsys or whatever.

- Markus Nass
Bug#385068: add some pam features
Package: cupsys Version: 1.2.2-1 Severity: wishlist Tags: patch Please add these pam features: 1) pam_set_item(pamh, PAM_TTY, cups) --- Need by some pam-modules which need the 'tty' variable, like pam_group, pam_access, pam_time, etc. 2) pam_set_item(pamh, PAM_RHOST, con-http.hostname) - Usefull for some pam-modules like pam_access, etc and for the logs, which are created by pam. 3) pam_setcred(pamh, PAM_ESTABLISH_CRED|PAM_SILENT) Need by some pam-modules like pam_tally, pam_group, etc. The patch is in the attachment and for the original tarball. Thanks. - Markus Nass -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ diff -urN old/cups-1.2.2/scheduler/auth.c new/cups-1.2.2/scheduler/auth.c --- old/cups-1.2.2/scheduler/auth.c 2006-06-07 22:58:29.0 +0200 +++ new/cups-1.2.2/scheduler/auth.c 2006-08-28 21:28:59.0 +0200 @@ -510,6 +510,28 @@ return; } + pamerr = pam_set_item(pamh, PAM_TTY, cups); + if (pamerr != PAM_SUCCESS) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + cupsdAuthorize: pam_set_item() returned %d + (%s)!\n, + pamerr, pam_strerror(pamh, pamerr)); + pam_end(pamh, 0); + return; + } + + pamerr = pam_set_item(pamh, PAM_RHOST, con-http.hostname); + if (pamerr != PAM_SUCCESS) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + cupsdAuthorize: pam_set_item() returned %d + (%s)!\n, + pamerr, pam_strerror(pamh, pamerr)); + pam_end(pamh, 0); + return; + } + pamerr = pam_authenticate(pamh, PAM_SILENT); if (pamerr != PAM_SUCCESS) { @@ -532,6 +554,17 @@ return; } + pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED|PAM_SILENT); + if (pamerr != PAM_SUCCESS) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + cupsdAuthorize: pam_setcred() returned %d + (%s)!\n, + pamerr, pam_strerror(pamh, pamerr)); + pam_end(pamh, 0); + return; + } + pam_end(pamh, PAM_SUCCESS); #elif defined(HAVE_USERSEC_H) signature.asc Description: OpenPGP digital signature
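Review bot: The two pam_set_item() error paths in the first hunk log the same text, "pam_set_item() returned %d", so a failure for PAM_TTY cannot be told apart from one for PAM_RHOST in the log. Name the item in each message, or set both items through one small helper instead of duplicating the block. PAM_RHOST is also taken from con-http.hostname as-is, so host rules in modules such as pam_access will depend on how that field was resolved; a comment on where the value comes from would help whoever writes those rules.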
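Review bot: The pam_setcred(pamh, PAM_ESTABLISH_CRED|PAM_SILENT) call in the second hunk has no matching PAM_DELETE_CRED before pam_end(pamh, PAM_SUCCESS), and it runs inside the scheduler's own process. Credential modules act on the calling process (pam_group, named in the report, changes its supplementary groups), so each successful authentication could alter cupsd itself. Either pair the call with pam_setcred(pamh, PAM_DELETE_CRED) before pam_end(), or add a comment explaining why establishing credentials in the daemon is safe.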
Bug#383666: remove chown on /var/log/{statsdir}
Package: ntp
Version: 1:4.2.2+dfsg.2-1
Severity: wishlist

Please change in /etc/init.d/ntp the line:

chown -R ntp:ntp /var/lib/ntp /var/log/ntpstats

to

chown -R ntp:ntp /var/lib/ntp

because it should be possible that a user in group xy can access the logs but is not in the group ntp.
Bug#383668: add NTPD_DAILY_CYCLE to /etc/cron.daily/ntp
Package: ntp Version: 1:4.2.2+dfsg.2-1 Severity: wishlist Please add the variable NTPD_DAILY_CYCLE to the cron-script for the find command, so that an user can self decide how long a copy of stats will saved. -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ 9a10,17 if [ -r /etc/default/ntp ]; then . /etc/default/ntp fi if [ -z $NTPD_DAILY_CYCLE ]; then NTPD_DAILY_CYCLE='7' fi 13c21 find $statsdir -type f -mtime +7 -exec rm {} \; --- find $statsdir -type f -mtime +$NTPD_DAILY_CYCLE -exec rm {} \; 1a2 NTPD_DAILY_CYCLE='30' signature.asc Description: OpenPGP digital signature
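Review bot: In the 13c21 change, $NTPD_DAILY_CYCLE goes into find $statsdir -type f -mtime +$NTPD_DAILY_CYCLE -exec rm {} \; with only the empty case handled, so a non-numeric value read from /etc/default/ntp makes find fail and the statistics files are never pruned. Validate that the value is a positive integer (a case pattern on digits is enough) and fall back to 7 otherwise. The last change (1a2) sets NTPD_DAILY_CYCLE='30' while the script default is '7'; a comment next to the variable should say that the unit is days.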
Bug#383666: remove chown on /var/log/{statsdir}
Peter Eisentraut wrote:
> This is not a matter of reading the logs but writing the logs. The ntpd daemon runs as ntp:ntp, so the permissions need to be set appropriately. In order to have general read access to log files on Debian, you need to be root.

What I mean is that the logs could have another group permission, but not another user permission. On my server I have a user who is in the adm group and needs to read the log files. If the server restarts from the init script, the group will be changed to the group ntp, and the user cannot read the log files.

chown -R ntp:$LOG_GROUP /var/log/ntpstats in init.d/ntp could solve this problem.

Thanks.

- Markus Nass
Bug#382036: xdm restart with active pam_tally
Package: xdm
Version: 1:1.0.5-1
Severity: normal

If the module 'pam_tally' is active in the '/etc/pam.d/xdm' config, 'xdm' crashes and restarts itself.

# The PAM configuration file for the `xdm' service
...
auth requisite pam_tally.so onerr=fail file=/var/log/faillog deny=3 unlock_time=60 even_deny_root_account per_user
...

Thanks.

- Markus Nass
Bug#382037: Missing programname and PID in syslog-log by PAM
Package: xdm
Version: 1:1.0.5-1
Severity: important

PAM cannot locate the PID and also the program name 'xdm'. So in the logs there are statements like this:

Aug 8 14:34:51 workserver1 : (pam_unix) session opened for user generalstone by (uid=0)

and not:

Aug 8 14:34:51 workserver1 xdm[34521]: ...
                           ^^

Thanks.

- Markus Nass
Bug#378359: some features, some bugfixes
Package: acct
Version: 6.3.99+6.4pre1-4
Severity: whishlist
Tags: patch

Hi,

in the attachment is a tar.gz file which includes some modified scripts for init and cron (daily, monthly), which will fix the bugs #375712 and #377835 too.

/etc/init.d/acct:
  use /var/account/pacct if the $ACCT_LOGFILE doesn't exist.
  Exit generally if ACCT_ENABLE isn't 1 and not only in the start case.
  Removed the if clause for error code 16, because no such error code is returned if acct is already running.
  logger will use the daemon facility and notice level and not the file /var/log/daemon.log, because somebody (like me) can have another syslog config and have removed the daemon.log file.
  fixed the bug #377835.

/etc/cron.daily/acct:
  use /var/account/pacct if the $ACCT_LOGFILE doesn't exist (same as in /etc/init.d/acct).
  Stop before savelog does its job.
  Renamed $ACCT_LOGGING to $ACCT_DAILY_CYCLE.
  Exit if $ACCT_DAILY_CYCLE is less than two; savelog needs a number greater than one for cycle.
  fixed the bug #377835.

/etc/cron.monthly/acct:
  added ACCT_MONTHLY_CYCLE for savelogging the report file, useful if logrotate.conf cycles the wtmp file more than once.
  changed the permission of the report file to 640 and root:adm.
  fixed the bug #375712.

--
Bill Gates said: It requires Windows XP or better, so I installed Linux.

acct_scripts.tar.gz
Description: application/gzip
Bug#375376: failure in the mode molecule when switching console/x-display
It only affects if mousemotion is off.

- Markus Nass
Bug#375374: Firefox don't start the e-mail application
Package: firefox
Version: 1.5.dfsg+1.5.0.4-1
Severity: normal

Firefox does not start the e-mail application thunderbird if I click on a mailto-link, and it does not start the application either if I click on Tools-Read Mail and Tools-New Message...

Thanks.

- Markus Nass
Bug#375376: failure in the mode molecule when switching console/x-display
Package: xlockmore-gl
Version: 1:5.22-1
Severity: important

If I lock my X screen with the mode molecule and then switch to the console and switch back to X, the xlock application returns a SIGSEGV signal (Access control list restored. xlock: caught signal 11 while running molecule mode), so nobody needs to type a password.
Bug#370302: [Pkg-cryptsetup-devel] Bug#370302: a better recommendation for cryptdisks.functions
> Why not change the semantics of /etc/crypttab so that the third column (keyfile) is interpreted as a script if the file exists and has the executable bit set.

This sounds ok

> If so, the script is executed and its stdout is piped to cryptsetup via stdin.

This sounds not ok, because if there is a key which needs to be decrypted, the decrypted key needs to be saved to a location during the process by its own decrypt-script. You can see that it must be saved anyway. The cryptdisks initscript is under the mountdevsubfs.sh initscript, which mounts a tmpfs on /dev/shm (ah, I have linked it to /tmp). So the FS is in memory (RAM) and I don't know any technique to restore any data from it.

But the main problem is that anybody can have a key with 'newlines', and that would not work with the getpass() function in cryptsetup. I know that my patch is not perfect, but it can be an alternative while encryption and decryption for very long keys is implemented in cryptsetup itself, so that nobody needs gnupg or openssl.

PS: The ../examples/gen-ssl-key is not so intelligent (I know, I wrote it ;-), because the generated key has x30x standard characters (-----BEGIN DSA PRIVATE KEY-----). So a key size of 128 bit is reduced to x98x bit. In the attachment is a better replacement, for example.

- Markus Nass

#!/bin/sh
#
# script to generate a keyfile that is encrypted twice with openssl
#
# Written 2005 by Markus Nass [EMAIL PROTECTED]
# Improved 2006 by Jonas Meurer [EMAIL PROTECTED]

usage() {
    echo "Usage: $0 key"
    exit 1
}

# no argument or a help option: print usage and stop
if [ "$1" = "" -o "$1" = "-h" -o "$1" = "--help" ]; then
    usage
fi

if [ -x /usr/bin/openssl ]; then
    # temporary file for the plaintext key material
    key=`tempfile`
    # 256 bytes of random data
    dd if=/dev/random of="$key" bs=1c count=256
    # encrypt the key into the output file given as first argument
    openssl enc -aes-256-cbc -e -salt -in "$key" -out "$1"
    rm -f "$key"
else
    echo "You have openssl installed?"
    exit 1
fi

decrypt_ssl.sh
Description: Bourne shell script
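The newline limitation of getpass()-style key input raised in the message above, as an added example that is not part of the thread or of the cryptsetup package: it measures how much of a key file a line-oriented C-string reader would actually use, and writes a key that loses nothing. The function names, the hex encoding and the use of /dev/urandom are assumptions of this example; the sample key is constructed.

```shell
#!/bin/sh
# Added example: does a key file survive a reader that stops at the
# first newline or NUL byte? All function names are hypothetical.

# total_bytes FILE: size of the key file in bytes.
total_bytes() {
    wc -c < "$1" | tr -d ' '
}

# usable_bytes FILE: bytes a line-oriented C-string reader would use,
# i.e. everything before the first newline or NUL (NUL ends a C string).
usable_bytes() {
    tr '\000' '\n' < "$1" | head -n 1 | tr -d '\n' | wc -c | tr -d ' '
}

# key_is_line_safe FILE: succeeds if no key material would be dropped.
# A single trailing newline is tolerated, since a line reader strips it.
key_is_line_safe() {
    _total=$(total_bytes "$1")
    _usable=$(usable_bytes "$1")
    [ "$_usable" -eq "$_total" ] && return 0
    [ "$_usable" -eq $((_total - 1)) ] &&
        [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# gen_line_safe_key OUT [NBYTES]: write NBYTES random bytes (default 32)
# as hex text, so the file holds 8*NBYTES bits and no newline or NUL.
gen_line_safe_key() {
    _out=$1
    _n=${2:-32}
    (
        umask 077   # key file readable by its owner only
        # od -v: never collapse repeated output lines into "*"
        dd if=/dev/urandom bs=1 count="$_n" 2>/dev/null |
            od -An -v -tx1 | tr -d ' \n' > "$_out"
    )
}

# report FILE: one-line summary of what a line reader would keep.
report() {
    if key_is_line_safe "$1"; then _verdict=safe; else _verdict=TRUNCATED; fi
    echo "$1: $(usable_bytes "$1") of $(total_bytes "$1") bytes used ($_verdict)"
}

# Demo on constructed keys: raw bytes with an embedded newline and NUL,
# and a hex-encoded key of the same kind a script could emit instead.
demo() {
    _dir=$(mktemp -d) || return 1
    printf 'abc\ndef\000ghi' > "$_dir/binary.key"
    gen_line_safe_key "$_dir/hex.key" 32
    report "$_dir/binary.key"
    report "$_dir/hex.key"
    rm -rf "$_dir"
}
demo
```

A raw random key of 256 bytes, as the script above produces, almost always contains a newline or NUL byte, so the check matters whenever the key is read as a passphrase instead of as a key file.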
Bug#370302: [Pkg-cryptsetup-devel] Bug#370302: a better recommendation, for cryptdisks.functions
Too much coffee today :-/

change:
# script to generate a keyfile that is encrypted twice with openssl
                                                 ^
in:
# script to generate a keyfile that is encrypted with openssl

change:
# Script to decode your ssl-key(s).
in:
# Script to decrypt the key which is encrypted with openssl.

Thanks.

- Markus Nass
Bug#370302: [Pkg-cryptsetup-devel] Bug#370302: a better recommendation for cryptdisks.functions
> i didn't find any fixed typos, did you miss them in the patch?

Ah, it is in the decrypt_ssl, First password - Second password

> also a good idea, but using vol_id from udev seems like a even better one. still the scripts could use a fallback, if udev is not installed.

I don't use udev, but for anybody and in general it is better and finer. Yes, you are right and udev should be recommended.

> what's wrong with /etc/keys? i don't think that most people like a new directory for every key type. and it's only a recommendation, nobody is forced to store his/her keys there.

Ah, ok, I was a bit overhasty, I put my disk-keys directory in /etc/keys :-)

- Markus Nass
Bug#370302: a better recommendation for cryptdisks.functions
Package: cryptsetup
Version: 2:1.0.3-1
Severity: wishlist

In the attachment are patches for better support of decrypted keys and to fix some little typing errors.

1) Separate the init-script and the decrypt-scripts so that anybody can write his own decrypt-script without modifying the init-script. The decrypted key must be in /tmp/cryptdisk.key, where it will be removed after a crypted disk has been added.

2) The swap-check-script uses the strings tool, which is in /usr/bin :-/. egrep can work with binaries, so working with strings is needless.

3) /etc/keys -- which keys? better is /etc/disk-keys!?

thanks,
Markus Nass
Bug#370302: the attachment
Oops :-(

cryptsetup.tar.bz2
Description: Binary data
Bug#370173: failure in prerm-script
Package: dhcp3-relay
Version: 3.0.4-2
Severity: normal

There are missing brackets in the if-clause (line 9). This if-clause is better :-)

###
# remove the old doc symlink only on upgrade or remove
if ( [ "$1" = "upgrade" ] || [ "$1" = "remove" ] ) && \
   [ -L /usr/doc/dhcp3-relay ]; then
    rm -f /usr/doc/dhcp3-relay
fi
###
Bug#361109: /usr/sbin/accton need an argument
Package: acct
Version: 6.3.99+6.4pre1-1
Severity: normal

'/etc/init.d/acct stop' fails because '/usr/sbin/accton' needs an argument like '/usr/sbin/accton off'.
Bug#361111: Better initscript and cronscript
Package: acct
Version: 6.3.99+6.4pre1-1
Severity: whishlist
Tags: patch

I have resorted the initscript and included the file '/etc/default/acct'. With the patches it is possible to define another path for the accounting information file, and they will close the bug #361109.
Bug#361111: Better initscript and cronscript
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Here are my attachments :-/ oO(too much coffee) - - Markus Nass - -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFENVNAfBT4BlZld/0RAjFmAKCygqzhw7NDeDFrLdlBtoQTgiUo9wCgpkPK sKBs6bgQx2yC8cEg9Yba2qA= =qHAj -END PGP SIGNATURE- --- /etc/cron.daily/acct.old2006-03-23 23:41:51.0 +0100 +++ /etc/cron.daily/acct2006-04-06 18:09:18.0 +0200 @@ -4,11 +4,21 @@ # # Written by Ian A. Murdock [EMAIL PROTECTED] # Modified by Dirk Eddelbuettel [EMAIL PROTECTED] +# Modified by Markus Nass [EMAIL PROTECTED] if [ -x /usr/sbin/accton ] then -cd /var/account -savelog -g adm -m 0640 -u root -c 7 /var/account/pacct /dev/null +test -f /etc/default/acct . /etc/default/acct + +if [ -z $FILE ] +then + cd /var/account + savelog -g adm -m 0640 -u root -c 7 /var/account/pacct /dev/null +else + cd $(echo $FILE | grep -o \/.*\/) + savelog -g adm -m 0640 -u root -c 7 $FILE /dev/null +fi + /etc/init.d/acct stop /dev/null /etc/init.d/acct start /dev/null fi --- /etc/init.d/acct.old2006-03-23 23:41:40.0 +0100 +++ /etc/init.d/acct2006-04-06 18:17:06.0 +0200 @@ -4,11 +4,16 @@ # # Initial version written by Ian Murdock [EMAIL PROTECTED] # This version written by Dirk Eddelbuettel [EMAIL PROTECTED] +# Modified by Markus Nass [EMAIL PROTECTED] set -e -compare_kernel_version_and_exit_if_needed() { +START_ACCT=1 + +test -x /usr/sbin/accton || exit 0 +test -f /etc/default/acct . /etc/default/acct +compare_kernel_version_and_exit_if_needed() { # thanks to Joey Hess for this shell script snippet # -- easier than my previous perl code cmp_major=2 
@@ -36,51 +41,45 @@ fi } -test -x /usr/sbin/accton || exit 0 - -# If you want to keep acct installed, but not started automatically, set this -# variable to 0. Because /etc/cron.daily/acct calls this file daily, it is -# not sufficient to stop acct once after booting if your machine remains up. -START_ACCT=1 - -if [ $START_ACCT -eq 1 ] -then -compare_kernel_version_and_exit_if_needed -fi +start() { +# Have to turn this on to be able to test the return code +set +e +echo -n Starting process accounting: + +if [ -n $FILE ] +then + /usr/sbin/accton $FILE /dev/null 21 +else + /usr/sbin/accton on /dev/null 21 +fi + +rv=$? -case $1 in - start) -# We start acct only if the switch variable tells us to -if [ $START_ACCT -eq 1 ] +if [ $rv -eq 0 ] +then + echo done. +elif [ $rv -eq 38 ] then - # Have to turn this on to be able to test the return code - set +e - echo -n Starting process accounting: - /usr/sbin/accton /var/account/pacct 2/dev/null - rv=$? - if [ $rv -eq 0 ] - then - echo done. - elif [ $rv -eq 38 ] - then - echo failed - echo Process accounting not available on this system. - elif [ $rv -eq 16 ] - then - echo failed - echo Process accounting already running on this system. - else - logger -f /var/log/daemon.log \ - Unexpected error code $rv received in /etc/init.d/acct - fi - set -e + echo failed + echo Process accounting not available on this system. +elif [ $rv -eq 16 ] +then + echo failed + echo Process accounting already running on this system. +else + logger -f /var/log/daemon.log \ + Unexpected error code $rv received in /etc/init.d/acct fi -;; - stop) -echo -n Stopping process accounting: + +set -e +} + +stop() { # Have to turn this on to be able to test the return code set +e -/usr/sbin/accton 2/dev/null +echo -n Stopping process accounting: +/usr/sbin/accton off /dev/null 21 + if [ $? -eq 0 ] then echo done. 
@@ -88,45 +87,33 @@ echo failed. echo Process accounting not available on this system. fi + set -e +} + +case $1 in + start) +# We start acct only if the switch variable tells us to +if [ $START_ACCT -eq 1 ] +then + compare_kernel_version_and_exit_if_needed + start +fi ;; - restart|force-reload) -echo -n Restaring process accounting: -# Have to turn this on to be able to test the return code -set +e -/usr/sbin/accton 2/dev/null -if [ $? -eq 0 ] + stop) +if [ $START_ACCT -eq 1 ] then - echo done. -else - echo failed. - echo Process accounting not available on this system. +
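Review bot: In the /etc/cron.daily/acct hunk the working directory is derived with cd $(echo $FILE | grep -o \/.*\/) and the result of cd is not checked before savelog runs on $FILE. Use dirname on $FILE, quote the expansions, and exit if cd fails. FILE is also a very generic name for a setting read from /etc/default/acct; a prefixed name would avoid clashes with other variables.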
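Review bot: In the case statement of /etc/init.d/acct the stop) branch is guarded by [ $START_ACCT -eq 1 ] just like start), so once START_ACCT is set to 0 in /etc/default/acct the script can no longer switch off accounting that is already running; let stop run unconditionally. The new start() function also carries over logger -f /var/log/daemon.log, which makes logger read that file as its input rather than write to it; logging with a facility and level (-p) is what the message text suggests was meant.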
Bug#355284: apt-get don't adhere the order from sources.list
Ah, it affects only if server1.example.org hasn't a Release.gpg

So, it should be added for sources, too, and should be documented.

- Markus Nass
Bug#357692: new rule
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ syslog-ng\[[[:digit:]]{1,5}\]: SIGHUP received, reloading configuration;$

At the end of line, the $ should be removed or replaced with $.

> Please consider adding /etc/logcheck/violations.ignore.d/logcheck-syslog-ng with the following (single!) line:

Replace it with the available lines in '/etc/logcheck/*/syslog-ng'

- Markus Nass
Bug#357071: few non debug facilities matchs debug
Package: syslog-ng
Version: 1.9.9-1
Severity: normal

There are a few non-debug facilities which will match the debug facility in syslog-ng :-/ Logs of 'named', 'sudo', 'ddclient' are some of the examples.

--- snip /etc/syslog-ng/syslog-ng.conf ---
filter f_debug { level(debug) and not match("kernel:") and not match("lvm.*:"); };
--- snip end ---

- Markus Nass
Bug#357071: few non debug facilities matchs debug
Szalay Attila wrote:
> Could you please do some test with the configuration what Bazsi wrote in the bug #350344? Because neither I nor the upstream author could reproduce this problem. :(

Ah, sorry, I wanted to say level() not facility(), but I think you know what I mean ;-)

If you can use my full config (see at line 338 in my full config in the attachment), change level(crit) to level(debug) and restart '/etc/init.d/bind9', and you can see that there are a few duplicated entries in '/var/log/debug' and '/var/log/daemon.log' by named. It works fine with changing level(debug) to level(crit).

# The standard syslog levels are (in descending order of priority):
# emerg, alert, crit, err, warning, notice, info and debug.
#
# The aliases error, panic, and warn are deprecated.
#
# The none priority found in the original syslogd configuration is only used
# in internal messages created by syslogd.

options {
    # Disable the chained hostname format in logs (default is enabled).
    chain_hostnames(0);

    # Set long hostname generation on or off.
    long_hostnames(0);

    # The number of seconds between two STATS.
    stats(3600);

    # The time to wait before a died connection is re-established
    # (default is 60).
    time_reopen(10);

    # The time to wait before an idle destination file is closed
    # (default is 60).
    time_reap(360);

    # The number of lines buffered before written to file you might want to
    # increase this if your disk isn't catching with all the log messages
    # you get or if you want less disk activity (default is 0).
    sync(0);

    # The number of lines fitting in the output queue.
    log_fifo_size(2048);

    # Enable or disable directory creation for destination files.
    create_dirs(yes);

    # Default owner, group, and permissions for log files
    # (defaults are 0, 0, 0600).
    owner(root);
    group(adm);
    perm(0640);

    # Default owner, group, and permissions for created directories
    # (defaults are 0, 0, 0700).
    dir_owner(root);
    dir_group(adm);
    dir_perm(0750);

    # Enable or disable DNS usage. syslog-ng blocks on DNS queries, so
    # enabling DNS may lead to a Denial of Service attack (default is yes).
    use_dns(no);

    # Maximum length of message in bytes. This is only limited by the
    # program listening on the '/dev/log' Unix socket, glibc can handle
    # arbitrary length log messages, but, for example, syslogd accepts
    # only 1024 bytes (default is 2048).
    log_msg_size(2048);
};

# Sources

# All known message sources
source src {
    # Message generated by syslog-ng
    internal();

    # Standard Linux log source (this is the default place for the syslog()
    # function to send logs to.)
    unix-stream("/dev/log");

    # Messages from the kernel
    pipe ( "/proc/kmsg" log_prefix("kernel: ") );
};

# Use the above line if you want to receive remote UDP logging messages.
source remote { udp ( ip(10.32.0.2) port(514) ); };

# Destinations

# Some standard log files
destination authlog { file ( "/var/log/auth.log" owner(root) group(adm) perm(0640) ); };
destination cron { file ( "/var/log/cron.log" owner(root) group(adm) perm(0640) ); };
destination daemon { file ( "/var/log/daemon.log" owner(root) group(adm) perm(0640) ); };
destination kern { file ( "/var/log/kern.log" owner(root) group(adm) perm(0640) ); };
destination user { file ( "/var/log/user.log" owner(root) group(adm) perm(0640) ); };

# These files are meant for the mail systems log files and provide re-usable
# destinations for mail.info, mail.warn and mail.err.
destination mailerr { file ( "/var/log/mail/mail.err" owner(root) group(adm) perm(0640) ); };
destination mailwarn { file (
Bug#355284: apt-get don't adhere the order from sources.list
Package: apt
Version: 0.6.43.2
Severity: normal

The order in which '/usr/bin/apt-get' handles the entries in '/etc/sources.list' is mirror-inverted for binary packages.

Example:

cat /etc/sources.list:

  deb http://server1.example.org/ etch/updates main
  deb-src http://server1.example.org/ etch/updates main
  deb http://server2.example.org/ etch/updates main
  deb-src http://server2.example.org/ etch/updates main

apt-get install packages (will get packages from server2.example.org)
apt-get -d source packages (will get packages from server1.example.org)

For source packages the order from '/etc/sources.list' is adhered to.

- Markus Nass
Bug#350067: TERM already sent
Yes, because the KILLALL5(8) in /etc/rc[06].d/S20sendsigs doesn't really kill all processes on my machines. I don't know if this is a feature from my patched grsec kernel. I will test it without grsec and report about it.

Ok. It was a grsec-related problem. See http://grsecurity.net/pipermail/grsecurity/2006-February/000710.html

-Markus Nass
Bug#350067: TERM already sent
On Sat, Feb 04, 2006 at 05:20:52PM +0100, Thomas Hood wrote:

The /etc/rc[06].d/S20sendsigs script already sends the TERM and KILL signals to all processes. Would it therefore suffice if umountfs and umountroot were just to wait for filesystem-using processes to finish?

Yes, because the KILLALL5(8) in /etc/rc[06].d/S20sendsigs doesn't really kill all processes on my machines. I don't know if this is a feature from my patched grsec kernel. I will test it without grsec and report about it.

As an example: wdm starts an xconsole with uid/gid 0/0 and /etc/rc[06].d/S20sendsigs doesn't kill the xconsole.
Bug#350603: Add {...} for bash-completation
Package: anacron
Version: 2.3-11
Severity: wishlist

Please add the { and } symbols to the Usage: line in the initscript for bash-completion. Thanks.

-Markus Nass
Bug#350605: Add {...} for bash-completation
Package: cron
Version: 3.0pl1-92
Severity: wishlist

Please add the { and } symbols to the Usage: line in the initscript for bash-completion. Thanks.

-Markus Nass
Bug#350606: Add {...} for bash-completation
Package: apache2-common
Version: 2.0.55-4
Severity: wishlist

Please add the { and } symbols to the Usage: line in the initscript for bash-completion. Thanks.

-Markus Nass
Bug#350609: remove --mknodes for lvm2
Package: lvm-common
Version: 1.5.20
Severity: wishlist

Please replace this line:

  /sbin/vgscan $IGNORELOCKINGFAILURES $MKNODES || true

with these lines in the initscript:

  if [ `/sbin/lvmiopversion` -ge 200 ]; then
    /sbin/vgscan $IGNORELOCKINGFAILURES || true
  else
    /sbin/vgscan $IGNORELOCKINGFAILURES $MKNODES || true
  fi

From vgscan(8): In LVM2, vgscans take place automatically; but you might still need to run one explicitly after changing hardware.
Bug#350615: Add support for encrypted ssl-keys
Package: cryptsetup Version: 20050111-4 Severity: wishlist In the attachment is a patch and a tool. The patch include support to use encrypted ssl-key/s at the boot-up process. The modificated initscript will them ask for a password and decrypt it in a defined $PATH which is mounted as a tmpfs. If there are more keys with the same encrypted password, the initscript want to ask once. The other modification is from the /etc/init.d/lvm-common script. It changes the usermod in /dev/mapper/cdisks. The tool create a double encrypted key with 'openssl' for use with the cryptsetup initscript. -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ diff -ruN old/etc/default/cryptdisks new/etc/default/cryptdisks --- old/etc/default/cryptdisks 2005-11-15 00:12:49.0 +0100 +++ new/etc/default/cryptdisks 2006-01-22 21:53:45.0 +0100 @@ -1,2 +1,21 @@ # Run cryptdisks at startup ? CRYPTDISKS_ENABLE=Yes + +# Path where the keys are. +SRCPATH=/etc/disk-keys + +# Path for the keys which are declared in /etc/crypttab. +DSTPATH=/tmp + +# Keys to use +#KEYS=backups.key home.key var.key + +# The format of /dev/mapper/device is +# MODE_device=user:group mode +# +# eg: +# +# MODE_cswap=root:disk 660 +# +# Sets the protection of /dev/mapper/cswap to 0660 and makes it owned by user +# root and group disk. diff -ruN old/etc/init.d/cryptdisks new/etc/init.d/cryptdisks --- old/etc/init.d/cryptdisks 2005-11-15 00:12:49.0 +0100 +++ new/etc/init.d/cryptdisks 2006-01-30 18:51:59.0 +0100 @@ -12,6 +12,10 @@ # Default-Start: S # Default-Stop: 0 6 ### END INIT INFO +# +# Modified by Markus Nass [EMAIL PROTECTED] +# to use double encrypted key/s by 'openssl'. +# CRYPTCMD=/sbin/cryptsetup DEVMAPCMD=/sbin/dmsetup 
@@ -32,8 +36,52 @@ $DEVMAPCMD mknodes +decrypt() { + OLDUMASK=`umask` + umask 0077 + + for KEY in $KEYS; do + while ( ! openssl enc -aes256 -d -salt -in $SRCPATH/$KEY \ + -out $DSTPATH/$KEY.tmp -k $PASSWORD /dev/null 21 ); do + echo -n Password of '$SRCPATH/$KEY': + read -s PASSWORD; echo + + if [ $PASSWORD = ]; then + return 0 + fi + done + + while ( ! openssl dsa -in $DSTPATH/$KEY.tmp -out $DSTPATH/$KEY \ + -passin pass:$PASSWORD /dev/null 21 ); do + echo -n Password of '$DSTPATH/$KEY.tmp': + read -s PASSWORD; echo + + if [ $PASSWORD = ]; then + return 0 + fi + done + done + + rm -f $DSTPATH/*.key.tmp + PASSWORD= + umask $OLDUMASK +} + case $1 in start) + if [ ! $KEYS = ]; then + # Important to decrypt the disk-keys. + if [ $(grep -c \/usr /etc/fstab) = 1 ] \ + [ $(grep -c \/usr /etc/mtab) = 0 ]; then + mount /usr + touch /mounted + fi + + mount -t tmpfs tmpfs $DSTPATH /dev/null 21 + + test -f /usr/bin/openssl decrypt + fi + echo -n Starting crypto disks: egrep -v ^[[:space:]]*(#|$) $TABFILE | while read dst src key opt; do echo -n $dst @@ -161,6 +209,29 @@ fi fi done + + for MODEVAR in ${!MODE_*}; do + eval MODE=\$$MODEVAR + DEV=${MODEVAR//_/-} + DEV=/dev/mapper/${DEV#MODE-} + MOD=${MODE#* } + OWN=${MODE% *} + chmod $MOD $DEV + chown $OWN $DEV + done + + for KEY in $KEYS; do + rm -f $DSTPATH/$KEY + done + + umount -f $DSTPATH /dev/null 21 + + # Important to check and repair the file system. + if [ -f /mounted ]; then + umount -f /usr + rm -f /mounted + fi + echo . ;; stop) createkey.gz Description: Binary data signature.asc Description: Digital signature
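Review bot: The default DSTPATH=/tmp in /etc/default/cryptdisks puts the decrypted keys in a directory every user can enter, because the init script mounts a tmpfs over $DSTPATH without a mode option and relies on umask 0077 alone to protect the files. Default to a dedicated directory that only root can enter and mount the tmpfs with mode=0700, so a missed umask or a failed mount does not leave key material under /tmp. The comment should also say that whatever is already in $DSTPATH is hidden while the tmpfs is mounted.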
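Review bot: decrypt() hands the passphrase to openssl on the command line, as -k $PASSWORD in the first loop and -passin pass:$PASSWORD in the second, so it shows up in the process list for as long as openssl runs. Feed it through stdin or a file descriptor instead (the stdin and fd: forms of -pass and -passin). In the same function both "return 0" branches taken on an empty password skip the cleanup at the end, so the $KEY.tmp files are not removed, PASSWORD is not cleared and the umask stays at 0077 for the rest of the script; move the cleanup to a common exit path. The result of "mount -t tmpfs tmpfs $DSTPATH" is also discarded, so after a failed mount the keys are decrypted onto whatever filesystem sits under $DSTPATH; check the exit status before calling decrypt.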
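Review bot: In the MODE_* loop of the last hunk, DEV=${MODEVAR//_/-} turns every underscore into a hyphen, so a mapping whose name itself contains an underscore can never be addressed and a mapping with a hyphen in its place is changed instead. Replace only the separator after the MODE prefix, or document the restriction in /etc/default/cryptdisks. chmod and chown are also run without checking that $DEV exists, which prints errors at boot for every MODE_ entry whose device was not set up.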
Bug#350620: Documentation is not completely
Package: libpam-modules
Version: 0.79-3

Documentation is missing for these libpam-modules:

pam_debug
pam_localuser
pam_selinux
pam_stress
pam_succeed_if
pam_xauth

-Markus Nass
--
Bill Gates said: It requires Windows XP or better, so I installed Linux.
Bug#350067: SIGTERM on umountfs and umountroot
Package: initscripts Version: 2.86.ds1-4 Severity: serious Hi, the problem is that a few processes thereby to still be could be terminated, during 'umountfs' and 'umountroot' tries their service to do. That ends then with an error and the file system incorrectly is mostly driven down. In the attachment there are two patches which repair this problem, by sending a SIGTERM to all processes which access to the filesystems and loop it so long if the services were correctly terminated. The difference between 'umountfs' and 'umountroot' is that for 'umountroot' you need to declare the directories in '/etc/default/umountroot' to sending a SIGTERM. The services which i had tested was 'xconsole' started from 'wdm' and will not terminate by other scripts, the ntpd which needs more time to terminate. There could be other services like a DBMS with big and/or lot of tables which need time to terminate. Better to wait as come in dangerous with an inconsistent FS, DBMS, DB, ... The patch for version 2.86.ds1-11 wasn't tested. -Markus Nass -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ diff -ruN old/etc/default/umountroot new/etc/default/umountroot --- old/etc/default/umountroot 1970-01-01 01:00:00.0 +0100 +++ new/etc/default/umountroot 2006-01-26 22:23:32.0 +0100 @@ -0,0 +1,8 @@ +# List of directories which will use by fuser(1) '/etc/init.d/unmountroot'. +# +# This is usefull if you have directories which processes work in it +# and the rootfs can't mount readonly. +# +# The directories must seperate with an ' ' and the list self in ''. + +#DIRS=/home /usr /var diff -ruN old/etc/init.d/umountfs new/etc/init.d/umountfs --- old/etc/init.d/umountfs 2005-09-10 15:30:45.0 +0200 +++ new/etc/init.d/umountfs 2006-01-26 21:08:44.0 +0100 
@@ -11,6 +11,8 @@ # # Version: @(#)umountfs 2.85-16 03-Jun-2004 [EMAIL PROTECTED] # +# Modified by Markus Nass [EMAIL PROTECTED] (see line 25-33) +# PATH=/sbin:/bin:/usr/sbin:/usr/bin umask 022 @@ -20,6 +22,16 @@ # Umount all filesystems except root and the virtual ones log_begin_msg Unmounting local filesystems... +mount | awk '/^\/dev/ { print $3 }' | egrep -v ^\/$ | \ +while read line; do +N=1 + while [[ `fuser -m $line 21` != ]]; do + fuser -m -SIGTERM -k $line /dev/null 21 + sleep $N + let N++ + done +done + # List all mounts, deepest mount point first LANG=C sort -r -k 2 /etc/mtab | ( diff -ruN old/etc/init.d/umountroot new/etc/init.d/umountroot --- old/etc/init.d/umountroot 2005-09-10 12:30:30.0 +0200 +++ new/etc/init.d/umountroot 2006-01-26 22:20:14.0 +0100 @@ -8,18 +8,33 @@ # Short-Description: Mount the root filesystem read-only. ### END INIT INFO # -# v 0.1, localtime: 2005/07/06 19:00 CEST +# v 0.2, localtime: 2006/01/26 21:09 CEST # # Written by Markus Nass [EMAIL PROTECTED] # +# Modified for Debian GNU/Linux +# PATH=/sbin:/bin [ -z $VERBOSE ] VERBOSE=yes [ -f /etc/default/rcS ] . /etc/default/rcS . /lib/lsb/init-functions +. /etc/default/umountroot do_stop () { +if [[ $DIRS != ]]; then + echo $DIRS | \ + while read line; do + N=1 + while [[ `fuser $line 21` != ]]; do + fuser -SIGTERM -k $line /dev/null 21 + sleep $N + let N++ + done + done +fi + [ $VERBOSE != no ] log_begin_msg Mounting root filesystem read-only... mount -n -o remount,ro / [ $VERBOSE != no ] log_end_msg $? diff -ruN old/etc/default/umountroot new/etc/default/umountroot --- old/etc/default/umountroot 1970-01-01 01:00:00.0 +0100 +++ new/etc/default/umountroot 2006-01-26 22:23:32.0 +0100 
@@ -0,0 +1,8 @@ +# List of directories which will use by fuser(1) '/etc/init.d/unmountroot'. +# +# This is usefull if you have directories which processes work in it +# and the rootfs can't mount readonly. +# +# The directories must seperate with an ' ' and the list self in ''. + +#DIRS=/home /usr /var diff -ruN old/etc/init.d/umountfs new/etc/init.d/umountfs --- old/etc/init.d/umountfs 2006-01-22 20:50:11.0 +0100 +++ new/etc/init.d/umountfs 2006-01-26 22:18:16.0 +0100 @@ -8,6 +8,7 @@ # Short-Description: Turn off swap and unmount all local file systems. # Description: ### END INIT INFO +# Modified by Markus Nass [EMAIL PROTECTED] (see line 21-29) PATH=/usr/sbin:/usr/bin:/sbin:/bin . /lib/init/vars.sh @@ -17,6 +18,16 @@ umask 022 do_stop () { + cat /proc/mounts | awk '/^\/dev/ { print $2 }' | egrep -v ^\/$ | \ + while read line; do + N=1 + while [[ `fuser -m $line 21` != ]]; do + fuser -m -SIGTERM -k $line /dev/null 21 +
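Review bot: The fuser loop added to umountfs has no exit other than fuser reporting no remaining users, and it only ever sends SIGTERM. A process that ignores SIGTERM, or one blocked in uninterruptible I/O, keeps the loop running forever while the sleep grows by one second per pass, so shutdown never reaches the unmount. Cap the number of passes and, once the cap is reached, either escalate to SIGKILL or log the remaining PIDs and continue.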
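Review bot: In the umountroot hunk, fuser is called on $line without -m, so it only finds processes that hold the listed directory itself open (as working directory, for instance), not processes with files open beneath /home, /usr or /var. That does not match the comment in /etc/default/umountroot about processes that work in those directories; either add -m as in umountfs or document the narrower behaviour. The loop has the same unbounded SIGTERM retry as the one in umountfs. The new ". /etc/default/umountroot" line is also unguarded, unlike the "[ -f /etc/default/rcS ]" test on the line above it, so the script reports an error if the defaults file has been removed.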
Bug#344832: correct subject header
Package: logcheck Version: Version: 1.2.3 Severity: wishlist The subject line is not correct, if any of these options 'ATTACKSUBJECT', 'SECURITYSUBJECT' and 'EVENTSSUBJECT' are combined in a report. The subject line only include the first event of a report. This is not so good for report mail filtering. The patch in the attachment correct this. -- Bill Gates said: It requires Windows XP or better, so I installed Linux. --- logcheck2005-04-19 17:58:39.0 +0200 +++ /usr/sbin/logcheck 2005-12-26 16:04:01.0 +0100 @@ -1,4 +1,4 @@ -#!/bin/bash +#! /bin/bash # # Copyright (C) 2004-2005 Debian Logcheck Team # [EMAIL PROTECTED] @@ -6,6 +6,8 @@ # Copyright (C) 1999-2002 Rene Mayrhofer [EMAIL PROTECTED] # Copyright (C) 1996-1997 Craig Rowland [EMAIL PROTECTED] +# Modified by Markus Nass [EMAIL PROTECTED] + # This file is part of Logcheck # Logcheck is free software; you can redistribute it and/or modify @@ -740,10 +742,21 @@ fi # If there are results, mail them to sysadmin +SUBJECT= + if [ $ATTACK -eq 1 ]; then -sendreport $ATTACKSUBJECT +SUBJECT=$ATTACKSUBJECT +fi +if [[ $SUBJECT != ]] [ $SECURITY -eq 1 ]; then +SUBJECT=$SUBJECT, $SECURITYSUBJECT elif [ $SECURITY -eq 1 ]; then -sendreport $SECURITYSUBJECT +SUBJECT=$SECURITYSUBJECT +fi +if [[ $SUBJECT != ]] [ $SYSTEM -eq 1 ]; then +SUBJECT=$SUBJECT, $EVENTSSUBJECT elif [ $SYSTEM -eq 1 ]; then -sendreport $EVENTSSUBJECT +SUBJECT=$EVENTSSUBJECT +fi +if [[ $SUBJECT != ]]; then +sendreport $SUBJECT fi signature.asc Description: Digital signature
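Review bot: The first hunk changes "#!/bin/bash" to "#! /bin/bash", which has nothing to do with the subject-line fix and only adds noise to the diff; drop it from the patch.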
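Review bot: In the last hunk each if/elif pair tests the same flag twice, once combined with the SUBJECT check and once alone, which makes the three blocks hard to follow. A single test per flag with SUBJECT=${SUBJECT:+$SUBJECT, }$SECURITYSUBJECT (and the same for $EVENTSSUBJECT) builds the identical string. The final "if [[ $SUBJECT != ]]" could use the same [ ] test style as the rest of the block. Since the combined subject no longer equals any of the three configured strings, the change should be mentioned in the documentation for ATTACKSUBJECT, SECURITYSUBJECT and EVENTSSUBJECT so that existing mail filters can be adjusted.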
Bug#320207: vgscan and vgchange interchanged?
Package: lvm-common
Version: 1.5.17

Hello,

If 'vgscan' runs before 'vgchange -y a', 'vgscan' reported an opendir error (/dev/vg), because the symlinks were created by 'vgchange'. 'vgscan' only repaired it with the flag '--mknodes', if anybody or something has deleted a block-device for an activated disk/partition.

In the attachment is a patch that corrects it and it includes some new lines that also set the permissions in '/dev/mapper/vg-lv' if the block-devices exist (see the sample default config in '../default/lvm-common').

Thanks,
Markus Nass

Attachment: lvm-common.new.tar.bz2 (binary data)
Bug#319890: /etc/init.d/umountfs
Package: initscripts
Version: 2.86.ds1-1

Hello,

The '/etc/init.d/umountfs' script mounts the rootfs (/) readonly, but there are other scripts -- like cryptsetup -- which need write permission to deactivate the maps. I modified the script '/etc/init.d/umountfs' and added two new scripts, '/etc/init.d/umountroot' and /etc/default/umountfs, so that the / is mounted readonly last.

Look at the attachment for the modification and the two scripts.

Thanks,
Markus Nass.

Attachment: umount_scripts.tar.bz2 (binary data)