Re: Help with permissions under Rainbow sought
On Sat, Apr 17, 2010 at 09:26:23PM -0400, George Hunt wrote:

> I am using an ipython console application which writes a history file to the home directory (I changed the HOME environment to SUGAR_ROOT/data).

Have you considered saving the history as part of the data store entry instead? That way your activity wouldn't mix histories from separate sessions (i.e. when debugging several different programs).

> Rainbow changes UID for every invocation [...]

Yes, that's the default behaviour. Rainbow can be instructed to use a constant UID (Browse does); according to the OLPC wiki [1] you'd need to add a file activity/permissions.info, containing constant-uid on a single line. This is the least preferable solution, though.

> Apparently the create mask rainbow uses is 755 and group members do not have write access.

It's not Rainbow that decides this. Permissions of newly created file system entries (i.e. files and directories) are determined by the umask (see e.g. man 2 umask). You can either widen the permissions after creation using chmod() (see pydoc os.chmod) or tweak the umask (see pydoc os.umask); since the latter affects _all_ created files I would recommend the chmod() (you could save+restore the umask, but it's prone to race conditions).

[1] http://wiki.laptop.org/go/Activity_bundles#activity.2Fpermissions.info

CU Sascha

--
http://sascha.silbe.org/ http://www.infra-silbe.de/

___
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
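The chmod-after-creation approach recommended in the message above, as an added example that is not part of the original thread. The function names, file names and the 0o664 target mode are assumptions, as is the premise that later invocations share a group with the file; it uses os.fchmod() on the open descriptor instead of os.chmod() on the path.

```python
import os
import stat
import tempfile


def write_group_writable(path, data, mode=0o664):
    """Append data to path and make sure the file ends up with `mode`.

    The mode given to os.open() is filtered through the process umask, so
    the file may start out narrower than requested. fchmod() is not subject
    to the umask, and because it acts on the open descriptor the path cannot
    be swapped between creation and the permission change.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        st = os.fstat(fd)
        # Only the owner (or root) may chmod. A later run under a different
        # UID in the same group just appends to the group-writable file.
        if st.st_uid == os.geteuid() and stat.S_IMODE(st.st_mode) != mode:
            os.fchmod(fd, mode)
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def mode_with_plain_open(path):
    """Mode a file gets from a plain open(): 0o666 & ~umask."""
    with open(path, "w"):
        pass
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Compare both under umask 022 (constructed scenario, temp files)."""
    old = os.umask(0o022)  # process-wide setting, shared by all threads
    try:
        with tempfile.TemporaryDirectory() as d:
            plain = mode_with_plain_open(os.path.join(d, "plain"))
            fixed = write_group_writable(os.path.join(d, "history"), b"x = 1\n")
            return plain, fixed
    finally:
        os.umask(old)


if __name__ == "__main__":
    plain, fixed = demo()
    print("plain open(): %o, open + fchmod: %o" % (plain, fixed))
```

The umask save and restore inside demo() is there only to make the comparison reproducible; in a threaded program that same pattern is the race the message warns about, because any file another thread creates in between inherits the temporary mask.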
Re: Help with permissions under Rainbow sought
On 18.04.2010, at 14:10, Sascha Silbe wrote:

> On Sat, Apr 17, 2010 at 09:26:23PM -0400, George Hunt wrote:
>
> > I am using an ipython console application which writes a history file to the home directory (I changed the HOME environment to SUGAR_ROOT/data).
>
> Have you considered saving the history as part of the data store entry instead? That way your activity wouldn't mix histories from separate sessions (i.e. when debugging several different programs).
>
> > Rainbow changes UID for every invocation [...]
>
> Yes, that's the default behaviour. Rainbow can be instructed to use a constant UID (Browse does); according to the OLPC wiki [1] you'd need to add a file activity/permissions.info, containing constant-uid on a single line. This is the least preferable solution, though.
>
> > Apparently the create mask rainbow uses is 755 and group members do not have write access.
>
> It's not Rainbow that decides this.

But arguably Rainbow could set a better default, no? Making files group-writable? Have to admit I forgot how the sticky bits on the data dir affect this though.

> Permissions of newly created file system entries (i.e. files and directories) are determined by the umask (see e.g. man 2 umask). You can either widen the permissions after creation using chmod() (see pydoc os.chmod) or tweak the umask (see pydoc os.umask); since the latter affects _all_ created files I would recommend the chmod() (you could save+restore the umask, but it's prone to race conditions).

When running in Rainbow, setting umask 0002 shouldn't hurt in general.

Hmm, how do I test if Rainbow is enabled, in a shell script, again?

- Bert -

> [1] http://wiki.laptop.org/go/Activity_bundles#activity.2Fpermissions.info
>
> CU Sascha
> --
> http://sascha.silbe.org/ http://www.infra-silbe.de/
Re: Help with permissions under Rainbow sought
Sascha,

I'll plan to put the history in the Journal -- seems like a good idea.

I had looked for an input mechanism to Rainbow's CONSTANT_RAINBOW_UID without success. So thanks for your pointer.

I'm curious to know why you think using a constant UID is undesirable.

At this point I'm looking for ways to simplify the next stages of debugging my program. My thinking is as follows: If I can get permissions off the table as a source of failure, while I deal with all the other problems I haven't foreseen, I can come back and tighten up security when my code is more solid.

With much appreciation for your help,
George

On Sun, Apr 18, 2010 at 8:10 AM, Sascha Silbe sascha-ml-ui-sugar-olpc-de...@silbe.org wrote:

> On Sat, Apr 17, 2010 at 09:26:23PM -0400, George Hunt wrote:
>
> > I am using an ipython console application which writes a history file to the home directory (I changed the HOME environment to SUGAR_ROOT/data).
>
> Have you considered saving the history as part of the data store entry instead? That way your activity wouldn't mix histories from separate sessions (i.e. when debugging several different programs).
>
> > Rainbow changes UID for every invocation [...]
>
> Yes, that's the default behaviour. Rainbow can be instructed to use a constant UID (Browse does); according to the OLPC wiki [1] you'd need to add a file activity/permissions.info, containing constant-uid on a single line. This is the least preferable solution, though.
>
> > Apparently the create mask rainbow uses is 755 and group members do not have write access.
>
> It's not Rainbow that decides this. Permissions of newly created file system entries (i.e. files and directories) are determined by the umask (see e.g. man 2 umask). You can either widen the permissions after creation using chmod() (see pydoc os.chmod) or tweak the umask (see pydoc os.umask); since the latter affects _all_ created files I would recommend the chmod() (you could save+restore the umask, but it's prone to race conditions).
> [1] http://wiki.laptop.org/go/Activity_bundles#activity.2Fpermissions.info
>
> CU Sascha
> --
> http://sascha.silbe.org/ http://www.infra-silbe.de/
Re: Help with permissions under Rainbow sought
Bert Freudenberg wrote:

> On 18.04.2010, at 14:10, Sascha Silbe wrote:
>
> > On Sat, Apr 17, 2010 at 09:26:23PM -0400, George Hunt wrote:
> >
> > > Rainbow changes UID for every invocation [...]
> >
> > Yes, that's the default behaviour. Rainbow can be instructed to use a constant UID (Browse does); according to the OLPC wiki [1] you'd need to add a file activity/permissions.info, containing constant-uid on a single line. This is the least preferable solution, though.
> >
> > > Apparently the create mask rainbow uses is 755 and group members do not have write access.
> >
> > It's not Rainbow that decides this.
>
> But arguably Rainbow could set a better default, no? Making files group-writable?

Rainbow actually calls os.umask(0) here:

http://dev.laptop.org/git/security/tree/rainbow/rainbow/inject.py#n263

However, it's entirely possible that some other logic in your program is setting umask(022) or is creating files with an explicitly specified mode. (You may recall that xulrunner's behavior here was the reason why constant-uid was introduced.)

> Hmm, how do I test if Rainbow is enabled, in a shell script, again?

If you mean "is sugar going to launch the next activity it launches under rainbow?", then test for the presence of /etc/olpc-security, e.g. with

    if [ -f /etc/olpc-security ]; then ... fi

If you mean "is my script currently running under rainbow?", then I don't have a perfect answer for you this instant. (A good but imperfect answer is to test whether getuid() 1 and getgid() 1, e.g. by parsing the output of the id command.)

Regards,
Michael
Re: Help with permissions under Rainbow sought
On 18.04.2010, at 17:10, Michael Stone wrote:

> Bert Freudenberg wrote:
>
> > On 18.04.2010, at 14:10, Sascha Silbe wrote:
> >
> > > On Sat, Apr 17, 2010 at 09:26:23PM -0400, George Hunt wrote:
> > >
> > > > Rainbow changes UID for every invocation [...]
> > >
> > > Yes, that's the default behaviour. Rainbow can be instructed to use a constant UID (Browse does); according to the OLPC wiki [1] you'd need to add a file activity/permissions.info, containing constant-uid on a single line. This is the least preferable solution, though.
> > >
> > > > Apparently the create mask rainbow uses is 755 and group members do not have write access.
> > >
> > > It's not Rainbow that decides this.
> >
> > But arguably Rainbow could set a better default, no? Making files group-writable?
>
> Rainbow actually calls os.umask(0) here:
>
> http://dev.laptop.org/git/security/tree/rainbow/rainbow/inject.py#n263
>
> However, it's entirely possible that some other logic in your program is setting umask(022) or is creating files with an explicitly specified mode. (You may recall that xulrunner's behavior here was the reason why constant-uid was introduced.)

Well, I remember having to put the umask 0002 call in the Etoys startup script a long time ago. It's still there, but unconditionally. Hence my next question ...

> > Hmm, how do I test if Rainbow is enabled, in a shell script, again?
>
> If you mean "is sugar going to launch the next activity it launches under rainbow?", then test for the presence of /etc/olpc-security, e.g. with
>
>     if [ -f /etc/olpc-security ]; then ... fi
>
> If you mean "is my script currently running under rainbow?", then I don't have a perfect answer for you this instant. (A good but imperfect answer is to test whether getuid() 1 and getgid() 1, e.g. by parsing the output of the id command.)
>
> Regards,
> Michael

I meant the latter. Guess I won't worry too much, since most distros nowadays use per-user groups anyway.

- Bert -
Re: Help with permissions under Rainbow sought
George Hunt wrote:

> I had looked for an input mechanism to Rainbow's CONSTANT_RAINBOW_UID without success. So thanks for your pointer.

Where did you look? (I'd like to go fix it...)

> I'm curious to know why you think using a constant UID is undesirable.

Making things constant-uid in the sugar-0.82 + rainbow-0.7.* world removes all isolation between instances of the activity.

> At this point I'm looking for ways to simplify the next stages of debugging my program. My thinking is as follows: If I can get permissions off the table as a source of failure, while I deal with all the other problems I haven't foreseen, I can come back and tighten up security when my code is more solid.

Your reasoning seems fine to me.

(One word of caution, though: rainbow will probably not respond well to seeing a single activity bundle_id switch between the constant-uid and the (default) fresh-uid setting. Therefore, you should either use a fresh bundle_id when you switch or you should clean out rainbow's filesystem state in /etc/passwd, /etc/group, and /home/olpc/isolation/1/.)

Regards,
Michael

P.S. - I really like ipython, so I'm excited to see your activity. Also, if you like ipython, check out bpython.
Re: strange keyboard problem with synaptics controller
On Fri, Apr 16, 2010 at 03:34:38PM -0300, Daniel Drake wrote:

> What would be the next steps for debugging the next time we see this?

Also capture some of the mapping between what you press and what you see displayed. (If pressing a q displays something like a w then alt gr may be down).

--
James Cameron
http://quozl.linux.org.au/
Hulahop browser screen width XO1.0 vs XO1.5
Hi again,

My activity uses Hulahop Browser for its help system. The default browser on the XO1.0 seems set up for 800x600. The CSS width specs on the functioning HELP activity add up to 800 px wide and everything works out ok. But on F11 XO1.5, the same help activity only renders about 2/3 full screen. And I'm experiencing similar problems rendering my help pages between 1.0 and 1.5.

On F11, I believe the default screen width sensed by the xulrunner engine is the 1200x900, the actual screen size. I'm pretty sure there's a way to ask the gecko engine to render on a 800x600 screen, or alternatively to ask gecko on the XO1.0 to render on a 1200x900 surface. But I don't know XUL well and I feel I'd be wasting my time learning about how to set up gecko, if someone already knows how to solve this one.

I'd be willing to modify HELP activity, once I find an acceptable solution.

George
Re: the old keypad behavior gets too sensitive
On Fri, Apr 16, 2010 at 02:13:21PM -0500, Mikus Grinbergs wrote:

> Are there any software parameters that I can play with, to try to dampen the unwanted cursor position changes that I'm seeing ?

I've tried using xset to lower the mouse acceleration. It can help a little bit, but not much once the jitters set in.

Out here in the Australian outback the humidity can be so low that this touchpad behaviour becomes normal. (It's so dry here that the trees are starting to chase the dogs).

There's a hardware trick I've used ... grab some aluminium foil or a metal baking tray from the kitchen, placed it under the laptop, and maintained some sort of contact with it while I'm at my desk.

--
James Cameron
http://quozl.linux.org.au/
[Server-devel] WWWOFFLE Cache Size and Location
I have noted that in the current kickstart implementation of XS, the ks.config file sets aside the bulk of the hard disk space to a mapped volume where /library is located, and 8 GB of hard disk space for the root directory.

I am using WWWOFFLE for web caching, and its caching is on the root directory. I am not sure about redirecting it to the /library directory, because I'm not fully aware of wwwoffle's workings.

My question is this: Is there any problem with changing the ks.config file to allocate say 40GB of my 500 GB disk to the root, in order to give more space for web caching?

A related question: Why is the /library mapped to a separate disk space rather than leaving it on the root directory?

The ks.config line I am using is:

    part / --fstype ext3 --size=2048 --maxsize=40960 --grow --ondisk=sda

Thanks,
Andy

___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
Re: [Server-devel] WWWOFFLE Cache Size and Location
On Sun, 2010-04-18 at 13:57 -0400, Andra DuPont wrote:

> I have noted that in the current kickstart implementation of XS, the ks.config file sets aside the bulk of the hard disk space to a mapped volume where /library is located, and 8 GB of hard disk space for the root directory.
>
> I am using WWWOFFLE for web caching, and its caching is on the root directory. I am not sure about redirecting it to the /library directory, because I'm not fully aware of wwwoffle's workings.

Where on /? /var maybe?

> My question is this: Is there any problem with changing the ks.config file to allocate say 40GB of my 500 GB disk to the root, in order to give more space for web caching?

Shouldn't be..

> A related question: Why is the /library mapped to a separate disk space rather than leaving it on the root directory?

Think that is related to trying to run the XS on an XO where the OS is on the CF card, and /library would be on an external HD.

> The ks.config line I am using is:
>
>     part / --fstype ext3 --size=2048 --maxsize=40960 --grow --ondisk=sda

Should be fine. How are you passing your revised kickstart file to the installer?

Jerry
Re: [Server-devel] WWWOFFLE Cache Size and Location
On Apr 19, 2010, at 1:10 AM, Jerry Vonau wrote:

> On Sun, 2010-04-18 at 13:57 -0400, Andra DuPont wrote:
>
> > I have noted that in the current kickstart implementation of XS, the ks.config file sets aside the bulk of the hard disk space to a mapped volume where /library is located, and 8 GB of hard disk space for the root directory.
> >
> > I am using WWWOFFLE for web caching, and its caching is on the root directory. I am not sure about redirecting it to the /library directory, because I'm not fully aware of wwwoffle's workings.
>
> Where on /? /var maybe?

Yes... /var/spool/wwwoffle/...various

> > My question is this: Is there any problem with changing the ks.config file to allocate say 40GB of my 500 GB disk to the root, in order to give more space for web caching?
>
> Shouldn't be..

Good... that is what I've done.

> > A related question: Why is the /library mapped to a separate disk space rather than leaving it on the root directory?
>
> Think that is related to trying to run the XS on an XO where the OS is on the CF card, and /library would be on an external HD.
>
> > The ks.config line I am using is:
> >
> >     part / --fstype ext3 --size=2048 --maxsize=40960 --grow --ondisk=sda
>
> Should be fine. How are you passing your revised kickstart file to the installer?

The server is an Acer Aspire One with no CD drive, so I'm using a USB install. I just modified the ks.config file on the USB stick. Worked fine.

> Jerry