[gentoo-user] Re: how to setup sun-jdk
The package does not mention whether it's a Multi-language package or not. The name of the package is "Linux self-extracting file". And I notice that the package for Windows mentions that it's a Multi-language package. Does it matter if it's Multi-language or not?

2006/4/16, Martins Steinbergs [EMAIL PROTECTED]:
> On Sunday 16 April 2006 08:06, wu chuanwen wrote:
> > Thank you at first! But I still have some trouble. I just
> >
> >   # ebuild /usr/portage/dev-java/sun-jdk/sun-jdk-1.5.0.06-r2.ebuild digest
> >
> > then emerge sun-jdk, and got this error:
> >
> >   .
> >   inflating: jdk1.5.0_06/man/ja_JP.eucJP/man1/serialver.1
> >   inflating: jdk1.5.0_06/man/ja_JP.eucJP/man1/idlj.1
> >   !!! ERROR: dev-java/sun-jdk-1.5.0.06-r2 failed.
> >   Call stack:
> >     ebuild.sh, line 1532: Called dyn_unpack
> >     ebuild.sh, line 697: Called src_unpack
> >     sun-jdk-1.5.0.06-r2.ebuild, line 106: Called die
> >   !!! (no error message)
> >   !!! If you need support, post the topmost build error, and the call stack if relevant.
> >
> > How could this have happened? Thank you in advance!
>
> are you sure its Multi-language package, maybe it is English only. just a guess.
>
> m
> --
> Linux 2.6.15-ck7 AMD Athlon(tm) 64 Processor 3200+
> 08:48:53 up 6:23, 3 users, load average: 0.03, 0.16, 0.16
> --
> gentoo-user@gentoo.org mailing list

--
wcw
[gentoo-user] Re: !!! ERROR: app-text/opensp-1.5.1 failed when emerging gnome
MAKEOPTS=-j2. Could there be a better one?

2006/4/16, Walter Dnes [EMAIL PROTECTED]:
> On Sat, Apr 15, 2006 at 10:52:34AM +0800, wcw84 wrote
> > I have solved this problem now, changed my CFLAGS from O3 to O2, and it's OK now!
>
> Do not use -O3. It is begging for trouble, and can result in *SLOWER* programs, even when it doesn't blow up in your face. By the way, what is your MAKEOPTS setting? That is another item where over-optimizing can blow up the compile.
>
> --
> Walter Dnes [EMAIL PROTECTED] In linux /sbin/init is Job #1
> My musings on technology and security at http://tech_sec.blog.ca

--
wcw
Re: [gentoo-user] X11 + framebuffer - does it work?
Richard Fish wrote:
> I would suggest not dealing with bootsplash issues at this point, and work on getting a stable framebuffer working. Once you have that, the bootsplash side of things is pretty straight-forward.

Thanks, Richard - I shall follow your advice. You chose the following, I presume?

- kernel sources [gentoo-sources]
- in kernel config [chose framebuffer-tng]
- X11 served by Xorg

Any tips for me to ensure that my consoles are not corrupted once X starts and I want a command line on consoles? I think that is what you meant by stable framebuffer, didn't you?

Please bear with me in case this has been answered before. Apologies in that case - and I would really appreciate any pointers.

Thank you so much
Rohit
[gentoo-user] Re: how to setup sun-jdk
I am sorry that i missing to tell you some error message: - error: invalid compressed data to inflate file #1618: bad zipfile offset (local header sig): 26725362 file #1619: bad zipfile offset (local header sig): 26728134 file #1620: bad zipfile offset (local header sig): 26728209 file #1621: bad zipfile offset (local header sig): 26728292 file #1622: bad zipfile offset (local header sig): 26728384 file #1623: bad zipfile offset (local header sig): 26728482 file #1624: bad zipfile offset (local header sig): 26729082 file #1625: bad zipfile offset (local header sig): 26729644 file #1626: bad zipfile offset (local header sig): 26730097 file #1627: bad zipfile offset (local header sig): 26730741 file #1628: bad zipfile offset (local header sig): 26731440 file #1629: bad zipfile offset (local header sig): 26732119 file #1630: bad zipfile offset (local header sig): 26732676 file #1631: bad zipfile offset (local header sig): 26733376 file #1632: bad zipfile offset (local header sig): 26734081 file #1633: bad zipfile offset (local header sig): 26734487 error: invalid compressed data to inflate file #1689: bad zipfile offset (local header sig): 26959364 file #1690: bad zipfile offset (local header sig): 26962203 file #1691: bad zipfile offset (local header sig): 26963551 file #1692: bad zipfile offset (local header sig): 26964484 file #1693: bad zipfile offset (local header sig): 26965466 file #1694: bad zipfile offset (local header sig): 26965558 file #1695: bad zipfile offset (local header sig): 26966287 file #1696: bad zipfile offset (local header sig): 26968788 file #1697: bad zipfile offset (local header sig): 26969600 file #1698: bad zipfile offset (local header sig): 26971052 file #1699: bad zipfile offset (local header sig): 26972608 file #1700: bad zipfile offset (local header sig): 26972699 file #1701: bad zipfile offset (local header sig): 26973625 file #1702: bad zipfile offset (local header sig): 2691 file #1703: bad zipfile offset (local header sig): 26981031 
file #1704: bad zipfile offset (local header sig): 26982260 file #1705: bad zipfile offset (local header sig): 26982834 file #1706: bad zipfile offset (local header sig): 26983597 file #1707: bad zipfile offset (local header sig): 26983692 file #1708: bad zipfile offset (local header sig): 26983793 file #1709: bad zipfile offset (local header sig): 27004272 file #1710: bad zipfile offset (local header sig): 27005139 file #1711: bad zipfile offset (local header sig): 27043854 file #1712: bad zipfile offset (local header sig): 27044738 file #1713: bad zipfile offset (local header sig): 27045548 file #1714: bad zipfile offset (local header sig): 27046507 file #1715: bad zipfile offset (local header sig): 27047354 file #1716: bad zipfile offset (local header sig): 27051537 file #1717: bad zipfile offset (local header sig): 27051863 file #1718: bad zipfile offset (local header sig): 27052154 file #1719: bad zipfile offset (local header sig): 27056035 file #1720: bad zipfile offset (local header sig): 27058514 file #1721: bad zipfile offset (local header sig): 27058610 file #1722: bad zipfile offset (local header sig): 27059346 file #1723: bad zipfile offset (local header sig): 27061059 file #1724: bad zipfile offset (local header sig): 27064305 file #1725: bad zipfile offset (local header sig): 27065103 file #1726: bad zipfile offset (local header sig): 27066099 file #1727: bad zipfile offset (local header sig): 27066676 file #1728: bad zipfile offset (local header sig): 27067733 file #1729: bad zipfile offset (local header sig): 27068185 file #1730: bad zipfile offset (local header sig): 27069055 file #1731: bad zipfile offset (local header sig): 27069864 file #1732: bad zipfile offset (local header sig): 27070169 file #1733: bad zipfile offset (local header sig): 27070546 file #1734: bad zipfile offset (local header sig): 27070925 file #1735: bad zipfile offset (local header sig): 27071320 file #1736: bad zipfile offset (local header sig): 27072129 file #1737: bad 
zipfile offset (local header sig): 27073016 file #1738: bad zipfile offset (local header sig): 27073515 file #1739: bad zipfile offset (local header sig): 27073607 file #1740: bad zipfile offset (local header sig): 27073705 file #1741: bad zipfile offset (local header sig): 27074961 file #1742: bad zipfile offset (local header sig): 27078621 file #1743: bad zipfile offset (local header sig): 27078720 file #1744: bad zipfile offset (local header sig): 27214010 file #1745: bad zipfile offset (local header sig): 27215493 file #1746: bad zipfile offset (local header sig): 27216707 file #1747: bad zipfile offset (local header sig): 27217337 file #1748: bad zipfile offset (local header sig): 27219149 file #1749: bad zipfile offset (local
Re: [gentoo-user] dns at startup
David Corbin wrote:
> When I boot my laptop, ntpdate doesn't work. It fails saying there is a temporary failure in name resolution: it cannot look up pool.ntp.org. After my system finishes booting, /etc/init.d/ntp-client start works fine.
>
> The script is running nearly last from the output, and after a few other 'network related' scripts (exim, mysql, lisa), so I don't *think* it's 'running too early'. When I look through the init.d scripts, there are a handful that 'use dns', but no one seems to provide it. I'm not sure this is the cause, but I'd like to understand why no one provides it. More important though is fixing it so ntpdate works on boot.

Hi,

I have the same problem here. Temporarily what I did was, after the machine has booted up, I run the ntp-client script by hand as root. Nothing elegant there.

However, evidently, the script _is_ running too early, definitely earlier than your network setup. Once resolv.conf is set up properly and the nameservers in there are reachable, your error would go away.

I am on home ADSL and I realise that although my resolv.conf is static [since their DNS are fixed], I should still run ntp-client _after_ the link to DNSes is up [via my USB modem]. I am yet to ensure that this script starts after my network config script starts. My netconfig script is actually hand crafted - since my modem is unsupported, sort of. So I had put that script last in the startup order. Hence my problem - something similar may be happening at your end.

"use dns" probably refers to a DNS server [running on your local host - which is not the case with most of us, as we don't run DNSes of our own]

HTH,
Rohit
Re: [gentoo-user] Re: how to setup sun-jdk
On Sunday 16 April 2006 08:51, wu chuanwen wrote:
> I have downloaded two of the same package. And the result is all the same as above. I don't think the packages are corrupted.

Yes, they are? Because it's no Gentoo program that tries to unpack the files, but the self-extractable itself (and no wonder Gentoo gets a digest error on the file). Or, your machine is broken somehow, and corrupts the file while it's being written/read from disk. But I'd much rather guess the source you download the self-extractable from is corrupt.

Use another source, Luke. ;-)

---
Heiko.
[gentoo-user] Hardened Kernel (PaX): How to allow Text Relocations for *ONE* executable, while disallowing it for *EVERY* *OTHER* executable?
Hello!

I'm using a Hardened Kernel and set "Disallow ELF text relocations" (CONFIG_PAX_NOELFRELOCS=y). Because of that, I'm unable to run nxagent from the nxserver-freenx package. It fails with the following error message:

  /usr/NX/bin/nxagent: error while loading shared libraries: /usr/NX/lib/libXcompext.so.1: cannot make segment writable for relocation: Permission denied

According to the Gentoo Hardened FAQ at http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxnoelf, that's okay - i.e. the kernel setting causes the error message.

Now, how do I allow text relocations for just ONE binary, while keeping it disallowed for every other executable (the ones which already exist and the ones which are to come in the future)? I now would like to disable this error and allow my program to be run. How do I do that?

The FAQ states that there's a PaX feature called MPROTECT which is to be used and that MPROTECT must be disallowed on the executable which fails to get executed. How do I do that?

I thought that I could do this with chpax -m $binary (replacing $binary by the path to the executable, of course. In this case, /usr/NX/bin/nxagent). But I did this, and I still get the error message.

How do I disallow MPROTECT on just one binary? What is chpax -m doing?

Thanks,

Alexander Skwar
--
printk(KERN_DEBUG "%s: BUG... transmitter died. Kicking it.\n",...)
        linux-2.6.6/drivers/net/acenic.c
Re: [gentoo-user] dns at startup
On Sunday 16 April 2006 04:02 am, Rohit Sharma wrote:
> David Corbin wrote:
> <snip>
> I am on home ADSL and I realise that although my resolv.conf is static [since their DNS are fixed], I should still run ntp-client _after_ the link to DNSes is up [via my USB modem]. I am yet to ensure that this script starts after my network config script starts. My netconfig script is actually hand crafted - since my modem is unsupported, sort of. So I had put that script last in the startup order. Hence my problem - something similar may be happening at your end.

The machine I'm having the problem with has a permanent network connection, with a DHCP address. But as near as I can tell, my ethernet script (the standard one) has been run some time ago.

> "use dns" probably refers to a DNS server [running on your local host - which is not the case with most of us, as we don't run DNSes of our own]

I kind of figured that, but at the same time, why would the various scripts care where the DNS is being resolved from?

> HTH,
> Rohit
[gentoo-user] problem with xorg.conf for x700 mobile...
Hi,

I emerged xorg-x11 and ati-drivers, and now I'm trying to create a working xorg.conf for my laptop with an x700 mobile radeon... I have read The X Server Configuration HOWTO, and tried:

  # Xorg -configure

but it failed with the message:

  Symbol XAAGetPatternROP_PM from module /usr/lib/modules/drivers/nsc_drv.o is unresolved!
  Fatal server error: Caught signal 11. Server aborting

I tried semi-automatic xorg.conf generation with xorgconfig, but I really do not know what horizontal sync range I should use (did not find anything about it in my notebook documentation). I defined some default values and tried to start the X server, but it failed with:

  (EE) No devices detected
  Fatal server error: no screens found

I also tried:

  # xorgcfg -textmode

It stops (waited 5 min, then I hit Ctrl-C) while doing:

  Loading /usr/X11R6/lib/modules/drivers/fglrx_drv.o
  Module fglrx: vendor=FireGL - ATI Technologies Inc. compiled for 6.8.0, module version = 8.21.7

I also tried aticonfig (or aticfc or something similar); after that my notebook got completely frozen (no response to keyboard, not possible to connect with ssh, so I had to do a hard reset).

What to do now? I really do not know how to write xorg.conf from scratch. Or am I missing something? What is actually the proper way to get X11 working? Should I unmerge ati-drivers and first start with pure X11?

Jarry
[gentoo-user] Security from non-authorized logins
I helped a friend install Ubuntu GNU/Linux on his laptop; he left town, forgot his passwords, and I promised to break in for him, so he can re-do his passwords. Told him all I have to do is run Knoppix, access his partition, and delete the little "x" in the password file. Then he would reset his root password and be back in business.

He felt betrayed. I understand why, I think: what's secure about GNU/Linux if anyone can boot the system and reset his passwords? I said, "Dunno. I'll ask on the Gentoo list."

How can anyone easily avoid the problem of anyone being able to access the guts of his machine using a live CD? I already thought of one: use the BIOS to disallow booting from a CD or Floppy, and set a password on the BIOS. Don't know whether all BIOSes will allow this, and anyway, isn't it possible on a lot of motherboards to short out the EPROM and thus reset the password of the BIOS? Of course, if he would forget his password he would lose all his data.

Oh, well, does anyone have anything to suggest or to say about this?

Alan Davis
Re: [gentoo-user] dns at startup
David Corbin wrote:
> > "use dns" probably refers to a DNS server [running on your local host - which is not the case with most of us, as we don't run DNSes of our own]
>
> I kind of figured that, but at the same time, why would the various scripts care where the DNS is being resolved from?

That makes two of us - really. If I were you, I would

* Ensure that the ntp-client script starts after the networking has been set up
* Modify the ntp-client script to ensure that it tests whether a DNS is available or not, at first. If it can't find a DNS, it should probably wait till it can.

Unfortunately, I am not saying anything you don't already know.

Rohit
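The second bullet above, "test whether a DNS is available and wait till it is", as an added example that is not part of this thread and not Gentoo's ntp-client script. It is written in Python rather than the shell of a real init script so the retry logic can be exercised offline: the resolver and the sleep function are injectable, and the `FlakyResolver` class and the resolv.conf text are constructed stand-ins that reproduce the "temporary failure in name resolution" error ntpdate reported. `pool.ntp.org` is the name from the thread; the 192.0.2.x addresses are documentation-range placeholders.

```python
"""Wait for working name resolution before starting a DNS-dependent service."""
import socket
import time


def wait_for_dns(name, attempts=5, delay=2.0,
                 resolve=socket.gethostbyname, sleep=time.sleep):
    """Try to resolve `name` up to `attempts` times, doubling the pause between
    tries. Returns (True, address) on success, (False, last_error) otherwise.
    `resolve` and `sleep` are injectable so the logic can be tested offline."""
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            return True, resolve(name)
        except OSError as exc:          # socket.gaierror is an OSError subclass
            last_error = str(exc)
            if attempt < attempts:
                sleep(delay)
                delay *= 2
    return False, last_error


def nameservers_in(resolv_conf_text):
    """Parse the nameserver entries out of resolv.conf content. An empty list
    means the network setup has not written resolv.conf yet, so resolution
    cannot succeed no matter how long ntp-client retries."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


class FlakyResolver:
    """Constructed stand-in for the system resolver: fails `failures` times
    with the error ntpdate reported in this thread, then returns an address."""

    def __init__(self, failures, address="192.0.2.10"):
        self.failures, self.address, self.calls = failures, address, 0

    def __call__(self, name):
        self.calls += 1
        if self.calls <= self.failures:
            raise socket.gaierror("Temporary failure in name resolution")
        return self.address


# Constructed resolv.conf content, as a DHCP client would write it.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd
search home.example
nameserver 192.0.2.1
nameserver 192.0.2.2
"""

if __name__ == "__main__":
    print("nameservers:", nameservers_in(SAMPLE_RESOLV_CONF))
    ok, result = wait_for_dns("pool.ntp.org", attempts=4, delay=0.1,
                              resolve=FlakyResolver(failures=2),
                              sleep=lambda s: None)
    print("resolved:", ok, result)
```

Checking resolv.conf first distinguishes "the network script has not run yet" (no nameserver lines, so retrying is pointless and the init ordering is the problem) from "the link is up but the resolver is not reachable yet", which the bounded exponential backoff covers. The same two checks, as a shell loop around `ntpdate`, would go at the top of the ntp-client start function.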
Re: [gentoo-user] Hardened Kernel (PaX): How to allow Text Relocations for *ONE* executable, while disallowing it for *EVERY* *OTHER* executable?
On Sun, Apr 16, 2006 at 11:19:46AM +0200, Penguin Lover Alexander Skwar squawked:
> Now, how do I allow text relocations for just ONE binary, while keeping it disallowed for every other executable (the ones which already exist and the ones which are to come in the future)? I now would like to disable this error and allow my program to be run. How do I do that?
>
> The FAQ states that there's a PaX feature called MPROTECT which is to be used and that MPROTECT must be disallowed on the executable which fails to get executed. How do I do that?
>
> I thought that I could do this with chpax -m $binary (replacing $binary by the path to the executable, of course. In this case, /usr/NX/bin/nxagent). But I did this, and I still get the error message.

1. Check and make sure there are no zombie processes of the desired binary running. For mplayer, if it gets hosed by the kernel for a security violation because I forgot to turn off MPROTECT, it would leave a process running and any changes to the PaX flags would not apply.

2. Personally I use paxctl (the interface is slightly more robust in that I don't have to group all the flags in the first argument).

3. So, post the output of 'chpax -v $binary'? It should have the line

  *mprotect() : not restricted

W
--
We will talk about time travel yesterday.
Sortir en Pantoufles: up 155 days, 4:33
Re: [gentoo-user] Security from non-authorized logins
On Sun, Apr 16, 2006 at 09:54:33PM +1000, Penguin Lover Alan E. Davis squawked:
> He felt betrayed. I understand why, I think: what's secure about GNU/Linux if anyone can boot the system and reset his passwords?

That is the same regardless of operating system. Physical access == no security.

> How can anyone easily avoid the problem of anyone being able to access the guts of his machine using a live CD? I already thought of one: use the BIOS to disallow booting from a CD or Floppy, and set a password on the BIOS. Don't know whether all BIOSes will allow this, and anyway, isn't it possible on a lot of motherboards to short out the EPROM and thus reset the password of the BIOS?

You can also encrypt the contents of your hard drive.

http://tldp.org/HOWTO/Disk-Encryption-HOWTO/

W
--
Q: What's an anagram of Banach-Tarski ?
A: Banach-Tarski Banach-Tarski
Sortir en Pantoufles: up 155 days, 4:42
Re: [gentoo-user] Hardened Kernel (PaX): How to allow Text Relocations for *ONE* executable, while disallowing it for *EVERY* *OTHER* executable?
Willie Wong wrote:
> On Sun, Apr 16, 2006 at 11:19:46AM +0200, Penguin Lover Alexander Skwar squawked:
> > Now, how do I allow text relocations for just ONE binary, while keeping it disallowed for every other executable (the ones which already exist and the ones which are to come in the future)?
> > [...]
> > I thought that I could do this with chpax -m $binary (replacing $binary by the path to the executable, of course. In this case, /usr/NX/bin/nxagent). But I did this, and I still get the error message.
>
> 1. Check and make sure there are no zombie processes of the desired binary running.

[x] No Zombies

> 2. Personally I use paxctl (the interface is slightly more robust in that I don't have to group all the flags in the first argument).
>
> 3. So, post the output of 'chpax -v $binary'? It should have the line *mprotect() : not restricted

  [EMAIL PROTECTED] /usr/src $ /sbin/chpax -v /usr/NX/bin/nxagent
  [ chpax 0.7 : Current flags for /usr/NX/bin/nxagent (pEmrxs) ]
  * Paging based PAGE_EXEC : disabled
  * Trampolines : emulated
  * mprotect() : not restricted
  * mmap() base : not randomized
  * ET_EXEC base : not randomized
  * Segmentation based PAGE_EXEC : disabled

I now used paxctl, like you suggested in 2. I ran:

  paxctl -m /usr/NX/bin/nxagent

And see:

  [EMAIL PROTECTED] /usr/src $ sudo paxctl -v /usr/NX/bin/nxagent
  PaX control v0.4
  Copyright 2004,2005 PaX Team [EMAIL PROTECTED]

  - PaX flags: -m-x-e-- [/usr/NX/bin/nxagent]
          MPROTECT is disabled
          RANDEXEC is disabled
          EMUTRAMP is disabled

Now I am able to run NX. But nonetheless, I would still like to know why chpax did not work. Any ideas?

Alexander Skwar
--
Even more amazing was the realization that God has Internet access. I wonder if He has a full newsfeed?
                -- Matt Welsh
Re: [gentoo-user] Security from non-authorized logins
On 4/16/06, Willie Wong [EMAIL PROTECTED] wrote:
> On Sun, Apr 16, 2006 at 09:54:33PM +1000, Penguin Lover Alan E. Davis squawked:
> > He felt betrayed. I understand why, I think: what's secure about GNU/Linux if anyone can boot the system and reset his passwords?
>
> That is the same regardless of operating system. Physical access == no security.
>
> > How can anyone easily avoid the problem of anyone being able to access the guts of his machine using a live CD? I already thought of one: use the BIOS to disallow booting from a CD or Floppy, and set a password on the BIOS. Don't know whether all BIOSes will allow this, and anyway, isn't it possible on a lot of motherboards to short out the EPROM and thus reset the password of the BIOS?
>
> You can also encrypt the contents of your hard drive.
>
> http://tldp.org/HOWTO/Disk-Encryption-HOWTO/

But I can still get that hard drive and smash it to bits ;)

Get a big dog. Tie him next to your PC.

Seriously, if your friend can find an OS that can restrict access even if the attacker has physical access to the PC, then he should use that. Encryption is a good solution, even for backups. But it's a bit overboard for most users.

--
Jed R. Mallen
GPG key ID: 81E575A3
fp: 4E1E CBA5 7E6A 2F8B 8756 660A E54C 39D6 81E5 75A3
http://jed.sitesled.com
Re: [gentoo-user] Security from non-authorized logins
Alan E. Davis wrote:
> I helped a friend install Ubuntu GNU/Linux on his laptop; he left town, forgot his passwords, and I promised to break in for him, so he can re-do his passwords. Told him all I have to do is run Knoppix, access his partition, and delete the little "x" in the password file. Then he would reset his root password and be back in business.
>
> He felt betrayed. I understand why, I think: what's secure about GNU/Linux if anyone can boot the system and reset his passwords?

That's NOT a Linux problem. If you've got physical access, you can easily break in (same for Windows, BTW).

> I said, "Dunno. I'll ask on the Gentoo list."
>
> How can anyone easily avoid the problem of anyone being able to access the guts of his machine using a live CD?

Remove the CD-ROM. Put the computer in a solid box which cannot (easily) be opened, so that it's impossible to attach an external CD-ROM.

> I already thought of one: use the BIOS to disallow booting from a CD or Floppy, and set a password on the BIOS.

Most BIOSes support either a master password or a way to reset a password (some pins on the motherboard).

> Don't know whether all BIOSes will allow this, and anyway, isn't it possible on a lot of motherboards to short out the EPROM and thus reset the password of the BIOS?

Yes.

Alexander Skwar
--
Hey Satan, didja hear the news? A war just broke out up on earth. Meet Saddam Hussein, my new partner in evil.
Re: [gentoo-user] Hardened Kernel (PaX): How to allow Text Relocations for *ONE* executable, while disallowing it for *EVERY* *OTHER* executable?
Alexander Skwar wrote:
> Willie Wong wrote:
> > On Sun, Apr 16, 2006 at 11:19:46AM +0200, Penguin Lover Alexander Skwar squawked:
> > > Now, how do I allow text relocations for just ONE binary, while keeping it disallowed for every other executable (the ones which already exist and the ones which are to come in the future)?
> > > [...]
> > > I thought that I could do this with chpax -m $binary (replacing $binary by the path to the executable, of course. In this case, /usr/NX/bin/nxagent). But I did this, and I still get the error message.
> >
> > 1. Check and make sure there are no zombie processes of the desired binary running.
>
> [x] No Zombies
>
> > 2. Personally I use paxctl (the interface is slightly more robust in that I don't have to group all the flags in the first argument).
> >
> > 3. So, post the output of 'chpax -v $binary'? It should have the line *mprotect() : not restricted
>
>   [EMAIL PROTECTED] /usr/src $ /sbin/chpax -v /usr/NX/bin/nxagent
>   [ chpax 0.7 : Current flags for /usr/NX/bin/nxagent (pEmrxs) ]
>   * Paging based PAGE_EXEC : disabled
>   * Trampolines : emulated
>   * mprotect() : not restricted
>   * mmap() base : not randomized
>   * ET_EXEC base : not randomized
>   * Segmentation based PAGE_EXEC : disabled
>
> I now used paxctl, like you suggested in 2. I ran:
>
>   paxctl -m /usr/NX/bin/nxagent
>
> And see:
>
>   [EMAIL PROTECTED] /usr/src $ sudo paxctl -v /usr/NX/bin/nxagent
>   PaX control v0.4
>   Copyright 2004,2005 PaX Team [EMAIL PROTECTED]
>
>   - PaX flags: -m-x-e-- [/usr/NX/bin/nxagent]
>           MPROTECT is disabled
>           RANDEXEC is disabled
>           EMUTRAMP is disabled
>
> Now I am able to run NX. But nonetheless, I would still like to know why chpax did not work. Any ideas?
>
> Alexander Skwar

Hi,

Because chpax uses the old ELF-header markings and paxctl uses the new ones (binaries compiled with PIC PIE, binutils 2.16.X). So you use chpax or paxctl depending on the binary.

HTH.
Rumen
Re: [gentoo-user] Security from non-authorized logins
Still, it would perhaps be somewhat comforting to be able to disable EASY access to a mission critical system.

What about further disabling of access to /etc/passwd? Does SELinux take any such steps? (Ok, I could look into this by reading TFM. Apologies).

Alan

On 4/16/06, Alexander Skwar [EMAIL PROTECTED] wrote:
> Alan E. Davis wrote:
> > I helped a friend install Ubuntu GNU/Linux on his laptop; he left town, forgot his passwords, and I promised to break in for him, so he can re-do his passwords. Told him all I have to do is run Knoppix, access his partition, and delete the little "x" in the password file. Then he would reset his root password and be back in business.
> >
> > He felt betrayed. I understand why, I think: what's secure about GNU/Linux if anyone can boot the system and reset his passwords?
>
> That's NOT a Linux problem. If you've got physical access, you can easily break in (same for Windows, BTW).
>
> > I said, "Dunno. I'll ask on the Gentoo list."
> >
> > How can anyone easily avoid the problem of anyone being able to access the guts of his machine using a live CD?
>
> Remove the CD-ROM. Put the computer in a solid box which cannot (easily) be opened, so that it's impossible to attach an external CD-ROM.
>
> > I already thought of one: use the BIOS to disallow booting from a CD or Floppy, and set a password on the BIOS.
>
> Most BIOSes support either a master password or a way to reset a password (some pins on the motherboard).
>
> > Don't know whether all BIOSes will allow this, and anyway, isn't it possible on a lot of motherboards to short out the EPROM and thus reset the password of the BIOS?
>
> Yes.
>
> Alexander Skwar
> --
> Hey Satan, didja hear the news? A war just broke out up on earth. Meet Saddam Hussein, my new partner in evil.
Re: [gentoo-user] Hardened Kernel (PaX): How to allow Text Relocations for *ONE* executable, while disallowing it for *EVERY* *OTHER* executable?
Rumen Yotov wrote:
> Because chpax uses the old ELF-header markings and paxctl uses the new ones (binaries compiled with PIC PIE, binutils 2.16.X). So you use chpax or paxctl depending on the binary.

Alright. That's an explanation I can live with. Is there a way to find out beforehand if chpax or paxctl is to be used?

Thanks,

Alexander Skwar
--
The shortest distance between any two puns is a straight line.
Re: [gentoo-user] Security from non-authorized logins
Alan E. Davis wrote:
> Still, it would perhaps be somewhat comforting to be able to disable EASY access to a mission critical system.

Put them in a server room. Make sure that only trusted people have a key to that server room.

> What about further disabling of access to /etc/passwd? Does SELinux take any such steps?

Well, how does SELinux help, if a (non-SELinux) boot medium is used to access the system?

And what do you do, if you forget the password to your mission critical system? Where are the backdoors? Are the backdoors documented (they better be...)?

Alexander Skwar
--
Totally illogical, there was no chance.
                -- Spock, "The Galileo Seven", stardate 2822.3
Re: [gentoo-user] Security from non-authorized logins
Hi,

Alan E. Davis wrote:
> Still, it would perhaps be somewhat comforting to be able to disable EASY access to a mission critical system.
>
> What about further disabling of access to /etc/passwd? Does SELinux take any such steps? (Ok, I could look into this by reading TFM. Apologies).
>
> Alan

Not very sure about SELinux, but RSBAC has in-kernel user management (in its latest releases >=1.2.5). IIRC SELinux also uses its own user management beside the unix one (check selinux docs).

PS: but the data is still there, so use encryption (enc. partition)

...SKIP...

HTH.
Rumen
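The trick this thread turns on is clearing the "x" in a passwd entry so that the account needs no password. Nothing on a running system prevents that when an attacker boots from other media, but the result is easy to detect afterwards. The audit below is an added example, not code from this thread, from Gentoo or from any of the tools mentioned: it parses passwd-format text and flags the three things an offline edit typically leaves behind: an empty password field, a hash placed directly in passwd instead of shadow, and a second UID 0 account. The `SAMPLE_PASSWD` text is constructed, and the `$1$constructed$...` string in it is a placeholder, not a real hash.

```python
"""Audit /etc/passwd entries for the tampering this thread describes
(a cleared password field) and related weaknesses."""
import sys


def parse_passwd(text):
    """Yield one dict per passwd line; blank lines and comments are skipped,
    lines without exactly seven colon-separated fields are reported as malformed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            yield {"line": lineno, "malformed": raw}
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        yield {"line": lineno, "name": name, "pw": pw, "uid": uid,
               "gid": gid, "gecos": gecos, "home": home, "shell": shell}


def audit_passwd(text):
    """Return (severity, account, reason) findings, worst first."""
    findings = []
    for entry in parse_passwd(text):
        if "malformed" in entry:
            findings.append(("warn", "?", f"line {entry['line']}: malformed entry"))
            continue
        name, pw, uid = entry["name"], entry["pw"], entry["uid"]
        if pw == "":
            # The "delete the little x" edit from the thread: no password needed.
            findings.append(("crit", name, "empty password field, login needs no password"))
        elif not (pw == "x" or pw == "*" or pw.startswith("!")):
            # A hash living in world-readable passwd instead of /etc/shadow.
            findings.append(("high", name, "password hash stored in passwd rather than shadow"))
        if uid == "0" and name != "root":
            findings.append(("crit", name, "extra UID 0 account"))
        elif not uid.isdigit():
            findings.append(("warn", name, "non-numeric UID"))
    order = {"crit": 0, "high": 1, "warn": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed sample: a normal root/bin/daemon set, plus three bad entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
alan::1000:1000:Alan Davis:/home/alan:/bin/bash
backup:$1$constructed$notarealhash0123456789:1001:1001::/home/backup:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""

if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for severity, account, reason in audit_passwd(source):
        print(f"{severity:4s} {account:10s} {reason}")
```

Run from cron or a configuration-management check, this catches the edit after the fact; it does not stop it, which is the point the replies make: against a live CD only physical controls or an encrypted disk help, and an audit like this is what tells you that one of those has failed.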
Re: [gentoo-user] Hardened Kernel (PaX): How to allow Text Relocations for *ONE* executable, while disallowing it for *EVERY* *OTHER* executable?
Alexander Skwar wrote:
> Rumen Yotov wrote:
> > Because chpax uses the old ELF-header markings and paxctl uses the new ones (binaries compiled with PIC PIE, binutils 2.16.X). So you use chpax or paxctl depending on the binary.
>
> Alright. That's an explanation I can live with. Is there a way to find out beforehand if chpax or paxctl is to be used?
>
> Thanks,
>
> Alexander Skwar

Hi,

  $ file /sbin/init
  /sbin/init: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

Second (better) option:

  $ qlist pax-utils
  /usr/bin/pspax
  /usr/bin/scanelf
  /usr/bin/dumpelf
  /usr/share/man/man1/scanelf.1.gz
  /usr/share/man/man1/dumpelf.1.gz
  /usr/share/man/man1/pspax.1.gz

HTH.
Rumen
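What `scanelf` inspects for the question asked in this thread ("is chpax or paxctl the right tool for this binary?") can be checked directly in the ELF headers. The script below is an added example, not code from the thread, from Gentoo's pax-utils or from the PaX project. It reads the legacy marking chpax writes (a flag byte at e_ident[14], `EI_PAX`) and looks for the `PT_PAX_FLAGS` program header (type 0x65041580) that paxctl writes, then reports the flags the way a PaX kernel reads them: when a PT_PAX_FLAGS header is present it is used and the EI_PAX byte is ignored, which is why a `chpax -m` mark can show "not restricted" while the kernel still enforces MPROTECT. The bit layout is taken from PaX's elf.h; the `build_elf32` helper constructs minimal sample images (not real binaries) so the script runs offline.

```python
"""Inspect PaX markings on an ELF binary: legacy EI_PAX byte vs PT_PAX_FLAGS header."""
import struct
import sys

PT_PAX_FLAGS = 0x65041580   # program-header type written by paxctl
EI_PAX = 14                 # e_ident byte written by chpax (legacy marking)

# PT_PAX_FLAGS p_flags bits from PaX's linux/elf.h: (enable bit, disable bit).
PT_BITS = {
    "pageexec": (1 << 4, 1 << 5),
    "segmexec": (1 << 6, 1 << 7),
    "mprotect": (1 << 8, 1 << 9),
    "randexec": (1 << 10, 1 << 11),
    "emutramp": (1 << 12, 1 << 13),
    "randmmap": (1 << 14, 1 << 15),
}
# Legacy EI_PAX bits: a set bit switches the feature OFF, except EMUTRAMP,
# where a set bit switches trampoline emulation ON.
EI_BITS = {"pageexec": 1, "emutramp": 2, "mprotect": 4,
           "randmmap": 8, "randexec": 16, "segmexec": 32}


def parse_elf(data):
    """Return the EI_PAX byte and a list of (p_type, p_flags) program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                      # Elf64_Phdr starts with p_type, p_flags
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                         # Elf32_Phdr: p_type at +0, p_flags at +24
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)
        phdrs.append((p_type, p_flags))
    return data[EI_PAX], phdrs


def pax_status(data):
    """Return (scheme, {feature: state}) the way a PaX kernel reads it:
    if a PT_PAX_FLAGS header exists it wins and EI_PAX is ignored."""
    ei_pax, phdrs = parse_elf(data)
    pt = [flags for ptype, flags in phdrs if ptype == PT_PAX_FLAGS]
    status = {}
    if pt:
        for name, (on, off) in PT_BITS.items():
            status[name] = ("disabled" if pt[0] & off
                            else "enabled" if pt[0] & on else "default")
        return "PT_PAX_FLAGS", status
    for name, bit in EI_BITS.items():
        if name == "emutramp":
            status[name] = "enabled" if ei_pax & bit else "disabled"
        else:
            status[name] = "disabled" if ei_pax & bit else "enabled"
    return "EI_PAX", status


def marking_tool(data):
    """Which tool controls the marking the kernel will honour."""
    return "paxctl" if pax_status(data)[0] == "PT_PAX_FLAGS" else "chpax"


def build_elf32(pt_pax_flags=None, ei_pax=0):
    """Constructed minimal x86 ELF32 image (not a real binary): one PT_LOAD entry
    plus, optionally, a PT_PAX_FLAGS entry, and an arbitrary EI_PAX byte."""
    phdrs = [(1, 0, 0, 0, 0, 0, 5, 0x1000)]  # PT_LOAD, r-x
    if pt_pax_flags is not None:
        phdrs.append((PT_PAX_FLAGS, 0, 0, 0, 0, 0, pt_pax_flags, 0))
    ident = bytearray(b"\x7fELF\x01\x01\x01" + b"\x00" * 9)
    ident[EI_PAX] = ei_pax
    # e_type=ET_EXEC, e_machine=EM_386, phoff=52, ehsize=52, phentsize=32
    ehdr = bytes(ident) + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                                      52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    # Without a path: the thread's situation, chpax mark set but PT_PAX_FLAGS present.
    data = (open(path, "rb").read() if path
            else build_elf32(pt_pax_flags=0, ei_pax=EI_BITS["mprotect"]))
    scheme, status = pax_status(data)
    print(f"{path or '<constructed sample>'}: {scheme} marking -> use {marking_tool(data)}")
    for name, state in status.items():
        print(f"  {name:9s} {state}")
```

Run against a real file (`python paxmark.py /usr/NX/bin/nxagent`, name assumed) it answers the "which tool" question: a PT_PAX_FLAGS header means paxctl is the one the kernel listens to, its absence means the legacy chpax byte applies. The default constructed sample reproduces the situation above, an EI_PAX byte with MPROTECT cleared next to a PT_PAX_FLAGS header that says nothing about MPROTECT, and reports the feature as "default", i.e. still enforced.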
[gentoo-user] Only one sound channel with SB live value
Hi all

I've just put together a system using some old kit I've got. Everything seems OK except the sound card. Before I go any further, the system is also set up to boot Win98 and the sound card is fine when running Win98.

With the Labtec stereo speakers plugged into the front speaker socket, sound only comes from the left speaker; if I use KMix and set the balance slider fully to the right and turn the volume right up, some sound comes through the right speaker. If I plug the speakers into the rear output socket the sound comes from both speakers.

I've been trying to fix this for a couple of weeks with no joy. Hope someone can help with this.

TIA
Stewart
[gentoo-user] Write Protect is on: USB key insists on being read-only filesystem
Hi all,

I've bought a simple and cheap USB key/MP3 player by memup. The kernel says:

  sdc: Write Protect is on

How to disable this write protection? [all details below]

I use hal/udev/ivman/pmount. When I insert the drive in my gentoo box, it is mounted by ivman/pmount in /media for the current user:

  # df -T /dev/sdc
  Filesystem Type 1K-blocks Used Available Use% Mounted on
  /dev/sdc vfat 251496 1344 250152 1% /media/REGIS_USB
  drwx-- 2 regis users 16384 jan 1 1970 /media/REGIS_USB

And /media/REGIS_USB does list the content of the USB drive. Now, I can't write anything on this filesystem.

  regis /media/REGIS_USB % touch toto
  touch: cannot touch `toto': Read-only file system

As I understand my trivial configuration, this should be mounted read+write. Just in case, I tried:

  kro64 REGIS_USB # mount -o rw,remount /media/REGIS_USB/
  mount: block device /dev/sdc is write-protected, mounting read-only

dmesg says:

  usb 2-4: USB disconnect, address 2
  usb 3-4: new full speed USB device using ohci_hcd and address 10
  usb 3-4: configuration #1 chosen from 1 choice
  scsi7 : SCSI emulation for USB Mass Storage devices
  usb-storage: device found at 10
  usb-storage: waiting for device to settle before scanning
    Vendor: Model: Rev:
    Type: Direct-Access ANSI SCSI revision: 00
  SCSI device sdc: 503521 512-byte hdwr sectors (258 MB)
  sdc: Write Protect is on
  sdc: Mode Sense: 00 c0 00 80
  sdc: assuming drive cache: write through
  SCSI device sdc: 503521 512-byte hdwr sectors (258 MB)
  sdc: Write Protect is on
  sdc: Mode Sense: 00 c0 00 80
  sdc: assuming drive cache: write through
  sdc: unknown partition table
  sd 7:0:0:0: Attached scsi removable disk sdc
  sd 7:0:0:0: Attached scsi generic sg1 type 0
  usb-storage: device scan complete

I have another usb key which is mounted rw as expected. The major difference I see is that dmesg says about the other key:

  sdc: Write Protect is off

So: how do I change this Write-protect parameter?

Thanks and merry Easter.
--
Régis
Re: [gentoo-user] Write Protect is on: USB key insists on being read-only filesystem
On 4/16/06, Régis Décamps [EMAIL PROTECTED] wrote:
> Hi all,
> So: how do I change this Write-protect parameter?

On my usb mp3 player there is a slider (? sorry, don't know how to call it in English) - it can be in one of two positions, one for read-only, another for read/write. Just like floppy disks have. Maybe there is something like this on your player too.
Re: [gentoo-user] Write Protect is on: USB key insists on being read-only filesystem
a) write protect switch
b) hdparm (man hdparm)
[gentoo-user] how to update /etc/services file?
I found my /etc/services has too many ports not included in the file! e.g. telnet, ftp, http for UDP. So, how can I get a stronger /etc/services file? Thanks!
Re: [gentoo-user] how to update /etc/services file?
> I found my /etc/services has too many ports not included in the file!
> e.g. telnet, ftp, http for UDP,

Maybe they are not using UDP...

> so, how can I get a stronger /etc/services file?

/etc/services is provided by the baselayout package.

-- 
Best Regards,
Peper
Re: [gentoo-user] how to update /etc/services file?
David wrote:
> I found my /etc/services has too many ports not included in the file!
> e.g. telnet, ftp, http for UDP. So, how can I get a stronger /etc/services file? Thanks!

Enjoy. http://www.iana.org/assignments/port-numbers leads you to...

Search on Google for "complete /etc/services" and within 10 sec you hit the solution with the authoritative /etc/services file. :-)
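To see what the thread is arguing about, it helps to parse the file in the format the IANA list and baselayout's /etc/services share (name, port/proto, optional aliases, # comment) and ask which names carry only a /tcp line. Added example, not code from any poster; the sample lines are constructed from well-known assignments, not copied from a particular system.

```python
"""Parse /etc/services-style text and report which protocols each service
name is registered for.  Added example, not code from the thread: it
illustrates why 'telnet', 'ftp' and 'http' appear only with /tcp in the
baselayout file while names such as 'domain' carry both /tcp and /udp."""
from collections import defaultdict

# Constructed sample in the real /etc/services format: name port/proto
# [aliases...] [# comment].  Values are the common well-known assignments.
SAMPLE_SERVICES = """\
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
domain          53/tcp          # Domain Name Server
domain          53/udp
http            80/tcp          www www-http    # WorldWideWeb HTTP
ntp             123/udp
snmp            161/udp
"""

def parse_services(text):
    """Return ({name: {proto: port}}, {alias: canonical name})."""
    table = defaultdict(dict)
    aliases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                           # malformed line, skip it
        name, port_proto = fields[0], fields[1]
        port, proto = port_proto.split("/", 1)
        table[name][proto] = int(port)
        for alias in fields[2:]:
            aliases[alias] = name
    return dict(table), aliases

def lookup(text, name, proto):
    """Port for (name, proto), resolving aliases; None if not listed."""
    table, aliases = parse_services(text)
    canonical = aliases.get(name, name)
    return table.get(canonical, {}).get(proto)

def tcp_only(text):
    """Names that have a /tcp entry but no /udp entry in the file."""
    table, _ = parse_services(text)
    return sorted(n for n, p in table.items() if "tcp" in p and "udp" not in p)

if __name__ == "__main__":
    print("http/udp ->", lookup(SAMPLE_SERVICES, "http", "udp"))   # None
    print("www/tcp  ->", lookup(SAMPLE_SERVICES, "www", "tcp"))    # 80
    print("tcp-only:", tcp_only(SAMPLE_SERVICES))
```

Run it against a real /etc/services by passing the file's contents instead of SAMPLE_SERVICES; a service with no /udp line is absent from the file, not missing from it.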
[gentoo-user] Re: Write Protect is on: USB key insists on being read-only filesystem
Mantas Povilaitis wrote:
> On 4/16/06, Régis Décamps [EMAIL PROTECTED] wrote:
>> Hi all,
>> So: how do I change this Write-protect parameter?
>
> On my usb mp3 player there is a slider (? sorry, don't know how to call it in English) - it can be in one of two positions, one for read-only, another for read/write.

Yes, exactly, you found the cause of my problem. I have a hold button, and it was pushed in position "locked" indeed. Thank you very much! I feel stupid for having dug for hours in hal, ivman, pmount, permissions and so forth...

-- 
Régis
Re: [gentoo-user] Security from non-authorized logins
Alan E. Davis wrote:
> He felt betrayed. I understand why, I think: what's secure about GNU/Linux if anyone can boot the system and reset his passwords?

Oh, c'mon! Like you NEVER did the same on a Windows box. YES, you can do something similar on NT/2K/XP/Whatever...

Encrypt your filesystems if you want a little more security on a physically accessible computer.

Regards,
-- 
Norberto Bensa
Cel: 5654-9539
Ciudad de Buenos Aires, Argentina
Re: [gentoo-user] Only one sound channel with SB live value
On Sunday 16 April 2006 14:02, Stewart Taylor wrote:
> Hi all
>
> I've just put together a system using some old kit I've got. Everything seems OK except the sound card. Before I go any further, the system is also set up to boot Win98 and the sound card is fine when running Win98.
>
> With the Labtec stereo speakers plugged into the front speaker socket, sound only comes from the left speaker; if I use KMix and set the balance slider fully to the right and turn the volume right up, some sound comes through the right speaker. If I plug the speakers into the rear output socket the sound comes from both speakers.
>
> I've been trying to fix this for a couple of weeks with no joy. Hope someone can help with this.

My money's on a dodgy jack, cable connection, etc. I wouldn't think that this is a software problem (not until all hardware fault avenues have been exhausted).

-- 
Regards,
Mick
[gentoo-user] prelink question and kdeinit
Hi lists,

I've followed the gentoo prelink-howto (http://www.gentoo.org/doc/en/prelink-howto.xml) and everything went well during setup. I've also set KDE_IS_PRELINKED=1 in /etc/env.d/99kde-env to inform KDE about the prelinking (and not KDE_IS_PRELINKED=true). This should (following the howto) disable the kdeinit process, but unfortunately KDE still loads it.

Any experiences with this behaviour? Should I set other variables not present in the howto?

Regards,
MC
Re: [gentoo-user] prelink question and kdeinit
On 4/16/06, Marco Calviani [EMAIL PROTECTED] wrote:
> Hi lists,
>
> I've followed the gentoo prelink-howto (http://www.gentoo.org/doc/en/prelink-howto.xml) and everything went well during setup. I've also set KDE_IS_PRELINKED=1 in /etc/env.d/99kde-env to inform KDE about the prelinking (and not KDE_IS_PRELINKED=true). This should (following the howto) disable the kdeinit process, but unfortunately KDE still loads it.
>
> Any experiences with this behaviour? Should I set other variables not present in the howto?

Did you remember to run env-update? Even with this, KDE still loads some things through kdeinit or klauncher. For those, try setting KDE_FORK_SLAVES=1.

http://docs.kde.org/development/en/kdebase/userguide/environment-variables.html

-Richard
[gentoo-user] Re: Help : need grub,conf file : kernel wouldn't boot
Rohit and Bhavana wrote:
> Hi all,
> I have built my kernel 2.6.15-r5 [not the latest I know but should support all that I have]. I am unable to boot it. It stops looking for root device when booting. Corresponding line from my grub.conf is
>
> title Linux-latest
> kernel (hd0,2)/kernel-genkernel-x86-2.6.15-gentoo-r5 root=/dev/ram0 real_root=/dev/hda2 init=/linuxrc vga=7 CONSOLE=/dev/tty1
> initrd (hd0,2)/initramfs-genkernel-x86-2.6.15-gentoo-r5

I have both root= and real_root=

title Gentoo
kernel (hd0,0)/vmlinuz real_root=/dev/sda5 root=/dev/sda5 gentoo=nodevfs vga=0x317
initrd (hd0,0)/initramfs-gentoo

Good luck,
-- 
Régis
Re: [gentoo-user] X11 + framebuffer - does it work?
On 4/15/06, Rohit Sharma [EMAIL PROTECTED] wrote:
> Thanks, Richard - I shall follow your advice. You chose the following I presume?
> - kernel sources [gentoo-sources]

I'm using suspend2-sources (notice the 'suspend2' in my kernel version), but gentoo-sources should work also. Everything else is ok.

> Any tips for me to ensure that my consoles are not corrupted once X starts and I want command line on consoles. I think that is what you meant by stable-framebuffer, didn't you?

Not really...it should just work. If it doesn't, I guess you could experiment with different resolutions for the console. Remember that you can choose the console resolution by changing the video= option passed to the kernel at boot time (e.g. video=vesafb:[EMAIL PROTECTED]), or with the fbres command (part of splashutils).

-Richard
Re: [gentoo-user] prelink question and kdeinit
Hi Richard,

> Did you remember to run env-update? Even with this, KDE still loads some things through kdeinit or klauncher. For those, try setting KDE_FORK_SLAVES=1.
> http://docs.kde.org/development/en/kdebase/userguide/environment-variables.html
> -Richard

Yes, I run etc-update. I've also added that KDE_FORK_SLAVES option but with no results.

Regards,
MC
[gentoo-user] Gnupg (probably) FAQs
Hi All,

I think I am getting a bit mixed up with gpg and how it is used in Gentoo. So, I am asking (sorry if some of this is repetitive) some Q's in no particular order in the hope of clearing things out in my head:

1. What is the relationship between gpg-agent and ssh-agent? Do I need both?

2. How can I get the gpg-agent to start if I do not use KDM, but XDM with fluxbox? (I added eval $(gpg-agent --daemon) in my ~/.xsession with no effect).

3. Some mail clients do not handle gpg signing very elegantly (as in automatically). Nevertheless, the signature is presented as an attachment. How can the recipient check the validity of the signature? It would be useful to find this answer not just for Linux, but also for M$Outlook.

4. I created two uids, one for [EMAIL PROTECTED] and one for [EMAIL PROTECTED]. I thought that I would be able to switch between uids depending on the domain that I use in Kmail. Things got rather messed up thereafter. When I try to select a Signing key id (Group properties on say a newsgroup/Identity/Signing key/Change) I always get the [EMAIL PROTECTED] as the uid, instead of the [EMAIL PROTECTED] as a signature. How can I switch between uids?

5. When I revoke a uid, is it also removed from the keyservers?

6. Is there a way of finding out what is kept with respect to my sigs/uids on a keyserver?

I think that's enough for now. Thanks for any answers.

-- 
Regards,
Mick
Re: [gentoo-user] Re: Help : need grub,conf file : kernel wouldn't boot
On Sunday 16 April 2006 13:46, Regis Decamps wrote:
> Rohit and Bhavana wrote:
>> Hi all,
>> I have built my kernel 2.6.15-r5 [not the latest I know but should support all that I have]. I am unable to boot it. It stops looking for root device when booting. Corresponding line from my grub.conf is
>>
>> title Linux-latest
>> kernel (hd0,2)/kernel-genkernel-x86-2.6.15-gentoo-r5 root=/dev/ram0 real_root=/dev/hda2 init=/linuxrc vga=7 CONSOLE=/dev/tty1
>> initrd (hd0,2)/initramfs-genkernel-x86-2.6.15-gentoo-r5

Do you have ANY kernel that does boot on this system? If so, or even if not, post a copy of your entire grub.conf, and your /etc/fstab file, so we can see how your system partitions are set up. Is there an error message, like error 17, or some other number?

I think your (hd0,2) and root=dev/hd2 are probably wrong. If you installed Gentoo following the Docs, your /boot should be hda1, swap hda2, and / hda3. Your grub should be installed on the MBR, and grub.conf should look something like this, set up with no splash framebuffer:

title=[Evo-2.6.16-beyond1]
root (hd0,0)
kernel /boot/2.6.16-beyond1 root=/dev/hda3

With a splash framebuffer, something like this:

title=Gentoo [Evolution-Mission]
root (hd0,0) # boot partition
kernel /vmlinuz-2.6.15-archck root=/dev/hda3 video=vesafb:[EMAIL PROTECTED],mtrr,ywrap splash=silent,fadein,theme:default quiet console=tty1
initrd (hd0,0)/fbsplash-default

Robert Crawford.
Re: [gentoo-user] prelink question and kdeinit
On 4/16/06, Marco Calviani [EMAIL PROTECTED] wrote:
> Yes, I run etc-update. I've also added that KDE_FORK_SLAVES option but with no results.

No, not 'etc-update', 'env-update'. That is the command that takes all of the /etc/env.d/* settings and rolls them into /etc/profile.

When you run 'env', do you see the KDE_IS_PRELINKED and KDE_FORK_SLAVES settings? What does ps auwx | grep kdeinit report?

-Richard
Re: [gentoo-user] prelink question and kdeinit
Hi Richard,

> No, not 'etc-update', 'env-update'. That is the command that takes all of the /etc/env.d/* settings and rolls them into /etc/profile.

Yeah, of course I misspelled it in the mail. I've actually done the env-update..

> When you run 'env', do you see the KDE_IS_PRELINKED and KDE_FORK_SLAVES settings?

Now I've realized that I need to perform a source /etc/profile before these keys appear as environment variables. However, I still have kdeinit processes (see later).

> What does ps auwx | grep kdeinit report?

13441 1.4 0.5 24348 7240 ? Ss 22:41 0:00 kdeinit Running...
13446 0.2 0.5 24608 7636 ? S 22:41 0:00 klauncher [kdeinit]
13524 1.5 0.9 32244 12336 ? S 22:41 0:00 knotify [kdeinit]

Regards,
MC
Re: [gentoo-user] prelink question and kdeinit
On 4/16/06, Marco Calviani [EMAIL PROTECTED] wrote:
> 13441 1.4 0.5 24348 7240 ? Ss 22:41 0:00 kdeinit Running...
> 13446 0.2 0.5 24608 7636 ? S 22:41 0:00 klauncher [kdeinit]
> 13524 1.5 0.9 32244 12336 ? S 22:41 0:00 knotify [kdeinit]

AFAICT, this is the expected result. Without KDE_IS_PRELINKED or KDE_FORK_SLAVES you will see many more kdeinit processes. The real question is: is it faster?

-Richard
Re: [gentoo-user] Security from non-authorized logins
On Sunday 16 April 2006 06:54, Alan E. Davis [EMAIL PROTECTED] wrote about '[gentoo-user] Security from non-authorized logins':
> I helped a friend install Ubuntu GNU/Linux on his laptop, he left town, forgot his passwords, and I promised to break in for him, so he can re-do his passwords. Told him all I have to do is run Knoppix, access his partition, and delete the little x in the password file. Then he would reset his root password and be back in business.
>
> He felt betrayed. I understand why, I think: what's secure about GNU/Linux if anyone can boot the system and reset his passwords?

First of all, you can't have it both ways. Either there's a way to get into your system without your password(s) or you are screwed when you forget your password.

Second, any OS that doesn't hold its password file on an encrypted area protected by some other master password is subject to the same attack. Sometimes there's more security by obscurity to deal with, but that only has to be dealt with once. (For example, rooting a Windows box requires tools that are a bit more specialized than a text editor.)

> Oh, well, does anyone have anything to suggest or to say about this?

You can set your BIOS so that only device X is bootable, but there's two ways around that. Since you have physical access, you can either (a) exchange the media hooked to device X or (b) short the reset pins / remove the MB battery to reset the BIOS to factory defaults. Either might require opening the case, but both are pretty easy to do. Also, it's really easy to forget BIOS passwords since they aren't needed that often.

Now, okay, so let's work under the assumption that the attacker has full control over your boot process. They can load any OS they want, so even if they have no /other/ way to access your data, they can simply read it byte by byte off of the hard drive. They can also write to the hard drive, so they could replace your secure software with insecure or malicious software (assuming they can read the software enough to know how to modify it). [The same can be said for transforming innocuous data to incriminating data.] Even if they don't have enough access to modify your software, they could just overwrite the HD and deprive you of the data.

Now, while we can't prevent vandals from destroying your data, it is possible to encrypt everything on your HD 'cept for the kernel and just enough user-space tools to start the decryption. This prevents the attacker from stealing the data, and also prevents an attacker from replacing your secure software with insecure or malicious software (they don't know where/what to write). The keys are protected by a password; without the password NO ONE can get them, so DON'T LOSE THE PASSWORD.

Finally, I do want to take this opportunity to mention one of the possible /benefits/ of TPM / TCM / Treacherous Computing. Assuming you have the keys to your computer, it will only load BIOSes that you've allowed, which will only load kernels you've allowed, which gives you control over your boot process again -- encryption will still be necessary to safeguard against your HD simply being stolen, but TPM/TCM does close a few holes. (Of course, this is not how MS etc. want TPM/TCM implemented; they are looking at a system design where /THEY/ own the keys to your computer.)

-- 
"If there's one thing we've established over the years, it's that the vast majority of our users don't have the slightest clue what's best for them in terms of package stability." -- Gentoo Developer Ciaran McCreesh
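The "little x" the thread talks about is the marker in /etc/passwd saying the real hash lives in /etc/shadow; once it is gone, or the shadow hash is blanked, login asks for no password. A defender checking a machine that has been out of their hands can audit both files for exactly that state. Added example, not code from any poster: the sample lines are constructed, the field layout is the one documented in passwd(5) and shadow(5), and audit() would be run on the real files' contents.

```python
"""Audit /etc/passwd and /etc/shadow entries for the condition discussed
above: an account whose password field has been emptied so that login
needs no password.  Added example (not from the thread) with constructed
sample lines; the field layout is the standard one documented in
passwd(5) and shadow(5)."""

# Constructed sample content; in real use read /etc/passwd and /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice::1000:100::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
backup:x:0:0:backup:/root:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructedsaltvalue$placeholderhash:13252:0:99999:7:::
daemon:*:13252:0:99999:7:::
alice:$6$constructedsaltvalue$placeholderhash:13252:0:99999:7:::
bob::13252:0:99999:7:::
backup:!:13252:0:99999:7:::
"""

def parse_colon_file(text, min_fields):
    """Yield field lists for well-formed colon-separated lines."""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) >= min_fields:
            yield fields

def audit(passwd_text, shadow_text):
    """Return a sorted list of (account, finding) pairs."""
    findings = []
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    for f in parse_colon_file(passwd_text, 7):
        name, pw, uid = f[0], f[1], f[2]
        if pw == "":
            # The 'x' marker is gone: passwd itself says "no password".
            findings.append((name, "empty password field in passwd"))
        elif pw != "x":
            findings.append((name, "password hash stored in passwd, not shadow"))
        elif name not in shadow:
            findings.append((name, "no shadow entry"))
        elif shadow[name] == "":
            # Empty shadow hash: any password (or none) is accepted.
            findings.append((name, "empty password hash in shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

Locked accounts ('*' or '!' in the shadow field) are deliberately not reported; only states that let someone in without a password, or grant uid 0 outside root, are.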
Re: [gentoo-user] Re: how to setup sun-jdk
Oh, God! Now I know the problem. My usbdisk is broken. So the file every time I read from it is corrupted although the file I download is OK. I'm so sorry that I have such a silly problem.

2006/4/16, Heiko Wundram [EMAIL PROTECTED]:
> On Sunday 16 April 2006 08:51, wu chuanwen wrote:
>> I have downloaded two of the same package. And the result is all the same as above. I don't think the packages are corrupted.
>
> Yes, they are? Because it's no Gentoo program that tries to unpack the files, but the self-extractable itself (and no wonder Gentoo gets a digest error on the file). Or, your machine is broken somehow, and corrupts the file while it's being written/read from disk. But I'd much rather guess the source you download the self-extractable from is corrupt. Use another source, luke. ;-)
>
> --- Heiko.

-- 
wcw
Re: [gentoo-user] how to update /etc/services file?
On Sun, Apr 16, 2006 at 05:40:14PM +0200, Peper wrote:
>> I found my /etc/services has too many ports not included in the file!
>> e.g. telnet, ftp, http for UDP,
>
> Maybe they are not using UDP...
>
>> so, how can I get a stronger /etc/services file?
>
> /etc/services is provided by the baselayout package.
>
> -- 
> Best Regards,
> Peper

Hi, I use qpkg to find out sys-apps/baselayout. Thank you!