Bug#808680: ITP: python-knockpy: python tool designed to enumerate subdomains on a target domain through a wordlist

[Gianfranco Costamagna]

Package: wnpp
X-Debbugs-CC: debian-de...@lists.debian.org
Owner: locutusofb...@debian.org
Severity: wishlist

* Package name: knock
* Version: 3.0.0
* Upstream Author : Gianni Amato 
* URL: https://github.com/guelfoweb/knock
* License: GPL-3+
* Programming Lang: Python
* Description: Knockpy is a python tool designed to enumerate subdomains
on a target domain through a wordlist.

Bug#258096: Seasons greetings

[Mfuni, Hanneke]

From: Mfuni, Hanneke
Sent: 21 December 2015 17:44
To: Mfuni, Hanneke
Subject: Seasons greetings

Seasons Greetings To You, A Donation Has Been Made To You , Email; 
lilianebettencourt...@gmail.com For 
Details
This electronic message transmission contains information that is deemed 
confidential or privileged by the sender. The information is intended to be for 
the use of the individual or entity named as recipient(s) above, only. If you 
are not the intended recipient, be aware that any disclosure, copying, 
distribution or use of the contents of this information is prohibited. If you 
have received this electronic transmission in error, please notify us 
immediately by replying to the email or by telephoning Cambridge Regional 
College on 01223 418200. Once you have done this please delete the 
email/attachment and do not disclose, copy, distribute, or rely on it. Please 
note that any opinions presented in this email are solely those of the author 
and do not necessarily represent those of Cambridge Regional College. No 
employee or agent is authorised to conclude any binding agreement on behalf of 
Cambridge Regional College with another party by email without express written 
confirmation by the Director of Finance and Resources. Under the Data 
Protection Act 1998 and the Freedom of Information Act 2000 the contents of 
emails and their attachments (sent to or received) may need to be disclosed. 
The College reserves the right to monitor both sent and received emails. 
WARNING: Although Cambridge Regional College has taken reasonable precautions 
to ensure no viruses are present in this email, the College cannot accept 
responsibility for any loss or damage arising from the use of this email or 
attachments.

Processed: owner 762385

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> owner 762385 av...@debian.org
Bug #762385 [wnpp] ITP: mailpile -- a modern fast web-mail client with 
user-friendly encryption and privacy features.
Bug #745399 [wnpp] ITP: mailpile -- a modern fast web-mail client with 
user-friendly encryption and privacy features.
Ignoring request to set the owner of bug #762385 to the same value
Ignoring request to set the owner of bug #745399 to the same value
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
745399: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745399
762385: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: owner 745399

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> owner 745399 av...@debian.org
Bug #745399 [wnpp] ITP: mailpile -- a modern fast web-mail client with 
user-friendly encryption and privacy features.
Bug #762385 [wnpp] ITP: mailpile -- a modern fast web-mail client with 
user-friendly encryption and privacy features.
Owner changed from Ulrike Uhlig  to av...@debian.org.
Owner changed from Ulrike Uhlig  to av...@debian.org.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
745399: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745399
762385: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: retitle 808260 to abi-tracker - visualize ABI changes timeline of a C/C++ software library

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 808260 abi-tracker - visualize ABI changes timeline of a C/C++ 
> software library
Bug #808260 [wnpp] ITP: abi-tracker visualize ABI changes timeline of a C/C++ 
software library
Changed Bug title to 'abi-tracker - visualize ABI changes timeline of a C/C++ 
software library' from 'ITP: abi-tracker visualize ABI changes timeline of a 
C/C++ software library'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
808260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808260
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: retitle 808260 to abi-tracker -- visualize ABI changes timeline of a C/C++ software library

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 808260 abi-tracker -- visualize ABI changes timeline of a C/C++ 
> software library
Bug #808260 [wnpp] abi-tracker - visualize ABI changes timeline of a C/C++ 
software library
Changed Bug title to 'abi-tracker -- visualize ABI changes timeline of a C/C++ 
software library' from 'abi-tracker - visualize ABI changes timeline of a C/C++ 
software library'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
808260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808260
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#745399: Taking over the ITP

[Alexandre Viau]

Hello,

Unless you object, I intend to take over this ITP.

I am in contact with upstream and we have already begun working on it
together.

-- 
Alexandre Viau
av...@lanets.ca



signature.asc
Description: OpenPGP digital signature

Bug#808690: ITP: fsa -- Fast Statistical Alignment of protein, RNA or DNA sequences

[Andreas Tille]

Package: wnpp
Severity: wishlist
Owner: Andreas Tille 

* Package name: fsa
  Version : 1.15.9
  Upstream Author : Ariel Schwartz, Chuong Do, Robert Bradley, Jaeyoung Do, 
Colin Dewey, Ian Holmes, Lars Barquist
* URL : http://fsa.sourceforge.net/
* License : GPL
  Programming Lang: C
  Description : Fast Statistical Alignment of protein, RNA or DNA sequences
 FSA is a probabilistic multiple sequence alignment algorithm which uses
 a "distance-based" approach to aligning homologous protein, RNA or DNA
 sequences. Much as distance-based phylogenetic reconstruction methods
 like Neighbor-Joining build a phylogeny using only pairwise divergence
 estimates, FSA builds a multiple alignment using only pairwise
 estimations of homology. This is made possible by the sequence annealing
 technique for constructing a multiple alignment from pairwise
 comparisons, developed by Ariel Schwartz.
 .
 FSA brings the high accuracies previously available only for
 small-scale analyses of proteins or RNAs to large-scale problems such as
 aligning thousands of sequences or megabase-long sequences. FSA
 introduces several novel methods for constructing better alignments:
  * FSA uses machine-learning techniques to estimate gap and
substitution parameters on the fly for each set of input sequences.
This "query-specific learning" alignment method makes FSA very robust:
it can produce superior alignments of sets of homologous sequences
which are subject to very different evolutionary constraints.
  * FSA is capable of aligning hundreds or even thousands of sequences
using a randomized inference algorithm to reduce the computational
cost of multiple alignment. This randomized inference can be over ten
times faster than a direct approach with little loss of accuracy.
  * FSA can quickly align very long sequences using the "anchor
annealing" technique for resolving anchors and projecting them with
transitive anchoring. It then stitches together the alignment between
the anchors using the methods described above.
  * The included GUI, MAD (Multiple Alignment Display), can display the
intermediate alignments produced by FSA, where each character is
colored according to the probability that it is correctly aligned


Remark: This package enhances the package t-coffee also maintained by
the Debian Med team.  The packaging can be found at

git://anonscm.debian.org/debian-med/fsa.git

Bug#808708: ITP: falconkit -- genome assembly toolkit

[Afif Elghraoui]

Package: wnpp
Severity: wishlist
Owner: Debian Med Packaging Team 
Control: block 395843 by -1

* Package name: falconkit
  Version : 0.4.0
  Upstream Author : Jason Chin 
* URL : https://github.com/PacificBiosciences/FALCON
* License : BSD
  Programming Lang: Python
  Description : genome assembly toolkit

Falcon is a set of tools for fast aligning long reads for consensus and
assembly. It is a simple code collection for efficient assembly of haploid and
diploid genomes.


This package is needed for parts of wgs-assembler and will be handled by
the Debian Med team.

Processed: ITP: falconkit -- genome assembly toolkit

[Debian Bug Tracking System]

Processing control commands:

> block 395843 by -1
Bug #395843 [wnpp] ITP: wgs-assembler -- Whole-Genome Shotgun Assembler
395843 was blocked by: 796644 784863 796640 778489 793763
395843 was blocking: 787977
Added blocking bug(s) of 395843: 808708

-- 
395843: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=395843
808708: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808708
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#743638: RFP: shairport -- Play music streamed from iTunes/iPads/iPods

[Chris Boot]

On 2015-12-21 11:08, Daniel Carter wrote:
> Now switching my ubuntu ppa builds to fork from this.
[snip]

Hi Dan,

I've just pushed a few more changes to my Git repo on Alioth that you
may be interested in. I've made several changes including shipping a
systemd service and sysvinit script, as well as shipping a
shairport-sync.conf file. I've decided not to use the provided service
and init script files for various reasons, though.

If you're wanting to cater for Ubuntu releases prior to vivid, the init
script I have provided will not work and you'll have to do something
else (presumably just use the upstream version). Unfortunately I don't
think I'll be able to upload a package to Debian that also supports
those older Ubuntu releases (or even Debian releases prior to Jessie).

As I understand it, the general aim when uploading new Debian packages
is to use the latest available helpers in testing/unstable, and it
really makes sense to do so here in my opinion.

I'm sure that you would be able to maintain a branch / fork of the
packaging if you still wish to support those older distributions,
though, and I will of course help where it's appropriate for me to do so.

I think I'm getting pretty close to having the package in an uploadable
state, and I expect to be seeking review of the packaging this weeking.
I do still, however, need to examine the man page which at the very
least includes a typo I need to fix (compatability => compatibility)!

Cheers,
Chris

-- 
Chris Boot
bo...@bootc.net

Bug#804350: ITP: vizzini -- Kernel driver for Exar XR21V1414 USB UART

[Joel Stanley]

Hi Ben,

On Tue, 10 Nov 2015 22:06:20 + Ben Hutchings  wrote:
> However, as this device doesn't really seem to follow the CDC-ACM class
> at all, I suspect that the way to support it upstream is with a custom
> USB serial driver.  I've attached a patch against Linux 4.3 which
> implements that.  This involved a certain amount of guesswork as I have
> no experience with serial drivers, but I think it's worth trying.

Thanks for the patch. Similarly, I don't have experience with serial
drivers. We managed to get it working with some changes to skip over
the interrupt endpoint. While this hack works, we need to work out
what we're missing by ignoring this descriptor.

I have a tree with my patch atop Bens here:

 https://github.com/shenki/linux/tree/vizzini

Cheers,

Joel
From 36b15d5c5a6374acf075f3dbe38ecd67757f8564 Mon Sep 17 00:00:00 2001
From: Joel Stanley 
Date: Sun, 15 Nov 2015 17:30:19 +1030
Subject: [PATCH] usb-serial/vizzini: Fix probing for 1410 device

This device has the following configuration:

 device
  - interface
- interrupt endpoint
  - interface
- in bulk endpoint
- out bulk endpoint

The first interface should be ignored in order to correctly probe. The
device appears to operate correctly, but this may be a horrible hack.

Signed-off-by: Joel Stanley 
---
 drivers/usb/serial/vizzini.c | 27 +++
 1 file changed, 27 insertions(+)

diff --git a/drivers/usb/serial/vizzini.c b/drivers/usb/serial/vizzini.c
index b462cb694ed5..ee33366348a7 100644
--- a/drivers/usb/serial/vizzini.c
+++ b/drivers/usb/serial/vizzini.c
@@ -294,6 +294,32 @@ static void vizzini_set_termios(struct tty_struct *tty,
 vizzini_enable(port);
 }
 
+static int vizzini_probe(struct usb_serial *serial,
+			 const struct usb_device_id *id)
+{
+	struct usb_host_interface *iface_desc = serial->interface->
+cur_altsetting;
+	struct usb_endpoint_descriptor *endpoint;
+	int num_bulk_out = 0;
+	int i;
+
+	for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
+		endpoint = _desc->endpoint[i].desc;
+		if (usb_endpoint_is_bulk_out(endpoint)) {
+			dev_dbg(>dev->dev,
+"found bulk out on endpoint %d\n", i);
+			++num_bulk_out;
+		}
+	}
+
+	if (num_bulk_out == 0) {
+		dev_dbg(>dev->dev, "Invalid interface, discarding\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static const struct usb_device_id id_table[] = {
 	{ USB_DEVICE(0x04e2, 0x1410), },
 	{ USB_DEVICE(0x04e2, 0x1412), },
@@ -314,6 +340,7 @@ static struct usb_serial_driver vizzini_1410_device = {
 	.id_table =		vizzini_1410_id_table,
 	.num_ports =		1,
 	.set_termios =		vizzini_set_termios,
+	.probe =		vizzini_probe,
 };
 
 static const struct usb_device_id vizzini_1412_id_table[] = {
-- 
2.6.4

Bug#605090:

[Yves-Alexis Perez]

On dim., 2015-12-20 at 23:14 +, Jacob Appelbaum wrote:
> To make my Debian Jessie system work with pax, I had to set pax flags
> for these three binaries:
> 
>   paxctl -c -m /usr/bin/gnome-shell
>   paxctl -c -m /usr/bin/gnome-session
>   paxctl -c -m /usr/bin/pulseaudio
> 
> If you don't want to modify the binary, you can also set the
> attributes in the file system:
> 
>   setfattr -n user.pax.flags -v m /usr/bin/gnome-shell
>   setfattr -n user.pax.flags -v m /usr/bin/gnome-session
>   setfattr -n user.pax.flags -v m /usr/bin/pulseaudio

For people reading this at home. Don't just blindly apply those commands to
your system, please check the grsecurity/PaX documentation before. You can
find bits of them at https://en.wikibooks.org/wiki/Grsecurity
> 
> You will need the `attr` package to run the above command. See
> https://wiki.debian.org/grsecurity/setfattr for more information. It
> may make sense to add a suggestion on the grsec kernel package for
> attr.

I can do that.
> 
> The above allowed me to properly start GDM and to login to my system.
> To use iceweasel and other utilities, I had to modify other things. I
> also was able to set `kernel.grsecurity.disable_priv_io=0` after
> running the setfattr commands above.

Good to know. With modesetting drivers I think privileged I/O is not useful
anymore in Xorg.
> 
> I additionally had to set the following to make the following programs
> "work" with this kernel:
> 
>   setfattr -n user.pax.flags -v m /usr/bin/seahorse
>   setfattr -n user.pax.flags -v m /usr/bin/iceweasel
>   setfattr -n user.pax.flags -v m /usr/bin/chromium
>   setfattr -n user.pax.flags -v m /usr/lib/chromium/chromium
> 
> For those who care pulse audio was also making some log entries about
> "denied resource overstep by requesting 25 for RLIMIT_NICE against
> limit 0 for /usr/bin/pulseaudio" - I reconfigured it with an edit to
> /etc/pulseaudio/daemon.conf to add 'high-priority = no' and the kernel
> stopped complaining.

Ok.
> 
> 
> 

> It might make sense to have a different bug where we track things that
> need to be done for user space. That said - this is now my main kernel
> - hooray!

You can try to open relevant bugs to the relevant packages, but in some case
it'll just be closed as “wontfix” because the package really needs rewritable
code segments, or upstream doesn't have manpower to change it, or whatever.
> 
> 
> As a side note, I found that kernel.modules_disabled=1 caused me a
> bunch of problems. It might be interesting to ensure that this is
> called before GDM3 login but not beforehand...

Indeed, modules_disabled=1 is really restrictive, but it also prevents a
robust way to prevent inserting code in the kernel, and improving the
userspace/kernelspace barrier.

I mostly use it on server boxes, where I first run a standard kernel, do
everything I need to do, then pick all loaded modules from lsmod and put them
in /etc/initramfs-tools/modules to have them loaded from the initramfs. Then
set kernel.modules_disabled=1 to prevent any further modification to the
running kernel.

Regards,
-- 
Yves-Alexis



signature.asc
Description: This is a digitally signed message part

Bug#605090:

[Jacob Appelbaum]

On 12/21/15, Mickaël Salaün  wrote:
> On 21/12/2015 00:14, Jacob Appelbaum wrote:
>> I was left with:
>>
>> [ 1802.373906] grsec: denied untrusted exec (due to not being in
>> trusted group and file in non-root-owned directory) of
>> /run/user/1000/orcexec.bCtW1V by
>> /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000
>> gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1]
>> uid/euid:0/0 gid/egid:0/0
>> [ 1802.373967] grsec: denied untrusted exec (due to not being in
>> trusted group and file in non-root-owned directory) of
>> /home/error/orcexec.SzaIXb by
>> /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000
>> gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1]
>> uid/euid:0/0 gid/egid:0/0
>> [ 1802.374015] grsec: denied untrusted exec (due to not being in
>> trusted group and file in world-writable directory) of
>> /tmp/orcexec.5bPuTr by /usr/bin/pulseaudio[alsa-source-ALC:3038]
>> uid/euid:1000/1000 gid/egid:1000/1000, parent
>> /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
>>
>> I have no idea why pulse audio is trying to exec anything but audio
>> works fine regardless - so I'm just going to ignore it.
>
> grsecurity enforce a healthy execution environment not respected by liborc.
> Pulseaudio creates executable files in /tmp, writable by everyone (with the
> sticky-bit exception), which are then forbidden from being executed.
>

Oh - I'm well aware that grsecurity is doing the correct thing! I'm
rather asking, why does pulse audio do this crazy thing? :-(

> You can set $TMPDIR to a private directory (e.g. /home//tmp) and this
> should do the trick. However, the better solution is to create a private FS
> namespace for your user (e.g. using pam_namespace) to polyinstanciate a
> private /tmp for every user.

I think grsecurity will still stop it as the trusted path execution
should stop it.

Bug#605090:

[Jacob Appelbaum]

I'm also running this kernel with AppArmor and it seems to work without issue.

I followed the steps on https://wiki.debian.org/AppArmor/HowToUse
which sets "apparmor=1 security=apparmor" on the kernel command line
as documented:

sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1
apparmor=1 security=apparmor",' /etc/default/grub
sudo update-grub
sudo reboot

It works without issue. This gives a kernel with grsecurity and
apparmor - hooray!

Bug#605090: Git tag signing

[Yves-Alexis Perez]

On dim., 2015-12-20 at 21:55 +, ban...@openmailbox.org wrote:
> I just wanted to mention Git tag signing. Its a very useful security 
> feature we use for protecting source code builds in our project.
> 
> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

Ben Hutchings signs his src:linux tags (which I'm merging to my tree). I
didn't tag anything yet but I do intend to use signed tags too.

Regards,
-- 
Yves-Alexis



signature.asc
Description: This is a digitally signed message part

Bug#808611: ITP: juce -- Jules' Utility Class Extensions

[IOhannes m zmoelnig]

Package: wnpp
Severity: wishlist
Owner: IOhannes m zmoelnig 

* Package name: juce
  Version : 4.1
  Upstream Author : Julian Storer
* URL : http://www.juce.com
* License : GPL
  Programming Lang: C++
  Description : Jules' Utility Class Extensions

 JUCE (Jules' Utility Class Extensions) is an all-encompassing C++ framework for
 developing cross-platform software.
 .
 It contains pretty much everything you're likely to need to create most
 applications, and is particularly well-suited for building highly-customised
 GUIs, and for handling graphics and sound.
 
For more information, visit the website: http://www.juce.com

JUCE is a toolkit used by a number of audio plugins and applications, including
future releases of giada.
I intend to package juce under the umbrella of the pkg-multimedia-maintainers.

Bug#743638: RFP: shairport -- Play music streamed from iTunes/iPads/iPods

[Daniel Carter]

Now switching my ubuntu ppa builds to fork from this.  I've got a branch
for precise, which uses systemv and thus pre-jessie users find the patch of
interest, fairly obvious/trivial packaging change apart from the patch to
compile against older libconfig (would be needed for squeeze also)

https://github.com/dantheperson/shairport-sync-collab-maint/commit/b512e586830dcc2c281c534b5a5c0f0ca9221d50

Regards,
Dan.

Bug#605090:

[Yves-Alexis Perez]

On lun., 2015-12-21 at 05:51 +, ban...@openmailbox.org wrote:
> Is there other ways to deal with unwanted network stack modules like 
> Appletalk besides going in and manually disabling them in config before 
> compiling?
> 
> Is disabling module loading enough?

Only you can say if it's enough for your use case. Once
kernel.modules_disabled=1, userland can't insert or remove modules from the
kernel anymore, but the object file will still be present on the filesystem.
> 
> Please give some insight if its okay to discuss.

I think it's irrelevant to this bug. I'm trying very hard *not* to modify the
kernel configuration from the standard linux kernel. If you need more
customization, rebuild your own kernels, it's really easy (you can see my
Kernel Recipes presentation [1]).

[1] https://kernel-recipes.org/en/2015/talks/hardened-kernels-for-everyone/

Regards,
-- 
Yves-Alexis



signature.asc
Description: This is a digitally signed message part

Bug#605090:

[Yves-Alexis Perez]

On dim., 2015-12-20 at 22:37 +, Jacob Appelbaum wrote:
> ( One difference I've noticed is that I no longer have the little
> frame buffer penguins at boot time - I think on this computer, I
> should see a bunch of them. I assume this is expected behavior but
> wanted to note it anyway. )

I /never/ saw any penguins on my Debian kernels, CONFIG_LOGO is not set on
i386/amd64 afair.

Regards,
-- 
Yves-Alexis



signature.asc
Description: This is a digitally signed message part

Bug#423458: Package implementation

[Thomas Champagne]

Hello all,
I have found an implementation of a Debian package for dnscap. You can
find it at :
https://github.com/klaus3000/dnscap/commit/1b42c201ffd9fb2addd5f3b0430c620ed2dac6a3

I think for a first version, it is good. But it could be better with a
development package (dnscap-dev) that provide dnscap_common.h for
developing other plugins.

Do you think it is possible to integrate it in Debian ?

Thomas

Bug#808708: RFS: falconkit (blocker for wgs-assembler)

[Afif Elghraoui]

Hi, all,
I ended up packaging falconkit 0.1.3, as that's what's required for
wgs-assembler. Although there are newer releases, they are not
compatible and the software is not really mature enough in any case.

I believe this is the last blocker for wgs-assember. The packaging is at
git+ssh://git.debian.org/git/debian-med/falconkit.git

and it's browsable at the following link, in case anyone would like to
review:
http://anonscm.debian.org/cgit/debian-med/falconkit.git

Many thanks and regards
Afif

-- 
Afif Elghraoui | عفيف الغراوي
http://afif.ghraoui.name

Bug#808605: ITP: python-flaky -- Plugin for nose or py.test that automatically reruns flaky tests

[Tristan Seligmann]

Package: wnpp
Severity: wishlist
Owner: Tristan Seligmann 

* Package name: python-flaky
  Version : 3.0.1
  Upstream Author : Box 
* URL : https://github.com/box/flaky
* License : Apache License
  Programming Lang: Python
  Description : Plugin for nose or py.test that automatically reruns flaky 
tests

Binary package names: python3-flaky python-flaky pypy-flaky

Flaky is a plugin for nose or py.test that automatically reruns flaky tests.

Bug#605090:

[Mickaël Salaün]

On 21/12/2015 00:14, Jacob Appelbaum wrote:
> I was left with:
> 
> [ 1802.373906] grsec: denied untrusted exec (due to not being in
> trusted group and file in non-root-owned directory) of
> /run/user/1000/orcexec.bCtW1V by
> /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000
> gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1]
> uid/euid:0/0 gid/egid:0/0
> [ 1802.373967] grsec: denied untrusted exec (due to not being in
> trusted group and file in non-root-owned directory) of
> /home/error/orcexec.SzaIXb by
> /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000
> gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1]
> uid/euid:0/0 gid/egid:0/0
> [ 1802.374015] grsec: denied untrusted exec (due to not being in
> trusted group and file in world-writable directory) of
> /tmp/orcexec.5bPuTr by /usr/bin/pulseaudio[alsa-source-ALC:3038]
> uid/euid:1000/1000 gid/egid:1000/1000, parent
> /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
> 
> I have no idea why pulse audio is trying to exec anything but audio
> works fine regardless - so I'm just going to ignore it.

grsecurity enforce a healthy execution environment not respected by liborc. 
Pulseaudio creates executable files in /tmp, writable by everyone (with the 
sticky-bit exception), which are then forbidden from being executed.

You can set $TMPDIR to a private directory (e.g. /home//tmp) and this 
should do the trick. However, the better solution is to create a private FS 
namespace for your user (e.g. using pam_namespace) to polyinstanciate a private 
/tmp for every user.

Regards,
 Mickaël



signature.asc
Description: OpenPGP digital signature

Bug#743638: RFP: shairport -- Play music streamed from iTunes/iPads/iPods

[Chris Boot]

On 2015-12-21 00:48, Daniel Carter wrote:
> On Sun, 20 Dec 2015 09:47:23 + Chris Boot  > wrote:
>>
>> I would *definitely* appreciate patches from anyone who wishes to help,
>> or even co-maintenance.
> 
> Nice work.  
> 
> I just put a bit of effort into getting the systemd service side of
> things working.  Happy to contribute those, see attached diff. (not sure
> how alioth works, cant see how to do a pull request there?).  The patch
> for the systemd unit path i have done a pull request for, so if that is
> accepted you can drop that.
> 
> Though perhaps you intend this not to be a daemon package?

Hi Dan,

Thanks for the patch! I think I'm going to go down a different route for
the init script and systemd units. I'd like to modify them both to use a
defaults file in order to specify additional arguments and I don't think
it's appropriate to include all the various command-line examples in the
init script. After all, Debian doesn't expect users to touch init
scripts at all.

I definitely intend for the package to run a daemon, though.

I've added the postinst script already based on what you supplied though:

http://anonscm.debian.org/cgit/collab-maint/shairport-sync.git/commit/?id=9cf3a18293f687d18e4a72c6abda9e3480143644

Thanks again!

Cheers,
Chris

-- 
Chris Boot
deb...@bootc.net
GPG: 8467 53CB 1921 3142 C56D  C918 F5C8 3C05 D9CE