Re: [gentoo-user] www-client/chromium
on 08/05/2011 08:44 AM Mick wrote the following:
> On Friday 05 Aug 2011 06:14:37 Adam Carter wrote:
> > The noscript firefox addon gives significant protection with only a little inconvenience.
>
> By little inconvenience you mean that most webpages will not show up properly? These days any page has a tonne of JavaScript in it and menus, slideshows, etc. will not render without it. Because many designers or CMS' engines do not provide graceful degradation, you end up looking at half a page and thinking what else is missing.
>
> I agree that security can have a price in terms of inconvenience, but I found that I had to switch NoScript off after a while because it was becoming a significant hindrance.

I will agree. I also have it almost switched off (allow scripts globally).
Re: [gentoo-user] [OT] NFSv4: 32-bit server versus 64-bit client?
On Thursday, August 04, 2011 02:53:28 PM walt wrote:
> I'm trying to be a good gentoo netizen by nfs-sharing /usr/portage between my three local gentoo machines, and failing :(
>
> After weeks of fiddling, I discovered today that my problems come from using a 32-bit machine to serve my two 64-bit NFS clients(!)
>
> (I'll mention up front that NFSv3 works perfectly -- only NFSv4 is bad.)
>
> For reasons I don't know, the 64-bit client machines mount the 32-bit NFSv4 share with UID/GID 0xffe, which won't let even root write to the rw share.
>
> I googled an old thread mentioning that 0x is decimal 65534, a UID traditionally assigned to the user 'nobody'.
>
> Can anyone else reproduce my problem, or give a hint how to work around it?

This is how I do this:

**
(On server)
~ $ cat /etc/exports
/usr/portage *(rw,sync,all_squash,anonuid=250,anongid=250,no_subtree_check)
~ $ id portage
uid=250(portage) gid=250(portage) groups=250(portage)
**

**
(On client)
~ $ cat /etc/fstab
server:/usr/portage /usr/portage nfs tcp,nodev,nosuid 0 0
**

I stripped non-related parts from the above and the exports and fstab lines should be on a single line.

The bit in the exports-file will force all access to /usr/portage to be linked to the uid and gid of portage. (Change the values if your portage-user has a different uid and/or gid)

I have also opened it to all servers (the * at the beginning of the line) with a firewall limiting access.

> (This list is so quiet today I'm wondering if gmane.org is down.)

Or simply busy? :)

Hope this helps,

Joost
Re: [gentoo-user] www-client/chromium
2011/8/5 Matthew Finkel matthew.fin...@gmail.com:
> On Fri, Aug 5, 2011 at 12:05 AM, Thanasis thana...@asyr.hopto.org wrote:
> > I noticed that chromium's code has a lot of vulnerabilities.
> > https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
> > I suppose this is why we see so often version upgrades of it (and it's not a small app to build). Why is its code so, should I say prone to bugs, compared to other browsers?
>
> Firefox isn't perfect either
> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Ffirefox&list_id=337885
>
> I think you hit the nail on the head by saying that it's not a small app to build. The more code that's written increases the chances a security hole will be introduced into the application.

I don't think so. It's not the raw number of source code lines which makes it more prone to bugs. I think that a closer and more realistic number would be the number of lines divided by the number of full-time developers, and don't forget to put in the middle of that formula how skilled they are. Having that into account, chromium has a good base since few teams in the planet will have the quantity and quality of man power that Google has to devote to this project.

> And as an internet browser, they're also susceptible to many more vectors of attack than most other packages. For chromium specifically, I haven't looked at the CVEs but I suspect many are for webkit and not just Chromium. Just my 2c.

The webkit branch into chromium is not the same that you can find in any other webkit-based project. They just have a common origin, but they are maintained separately and it is my understanding that they have diverged enough to be considered as separate things.

--
Jesús Guerrero Botella
Re: [gentoo-user] www-client/chromium
On Fri, 5 Aug 2011 15:14:37 +1000, Adam Carter wrote:
> The noscript firefox addon gives significant protection with only a little inconvenience. There was no equivalent for chromium last time I checked, and it still doesn't have a master password to protect saved webform passwords

Chromium uses KWallet to store passwords on a KDE system now. I believe it can use the GNOME keyring too.

--
Neil Bothwick

Talk is cheap because supply exceeds demand.
Re: [gentoo-user] [OT] NFSv4: 32-bit server versus 64-bit client?
> I'm trying to be a good gentoo netizen by nfs-sharing /usr/portage between my three local gentoo machines, and failing :(
>
> After weeks of fiddling, I discovered today that my problems come from using a 32-bit machine to serve my two 64-bit NFS clients(!)
>
> (I'll mention up front that NFSv3 works perfectly -- only NFSv4 is bad.)

this is due to different authentication methods used in nfs3 and nfs4 and does not rely on installation arch (32/64bit). you have to tune up nfs4 infrastructure.

on both client and server make sure you have
- nfs4 and inotify support in kernel
- net-fs/nfs-utils installed with nfs4 support
- grep NFS_NEEDED_SERVICES /etc/conf.d/nfs shows 'NFS_NEEDED_SERVICES=rpc.idmapd'
- grep Domain /etc/idmapd.conf shows 'Domain = your local domain'
- rpc.idmapd daemon is running (if it does not, restart nfs stack)
- surely portage uid/gid are the same on all nfs-ed machines

server side:
/etc/exports:
    /usr/portage 192.168.1.0/24(async,no_root_squash,rw,no_subtree_check)

client side:
grep nfs /etc/fstab:
    server:/usr/portage /usr/portage nfs4 defaults,rw 0 1

consult rpc.idmapd(8) for details

that way i'm sharing portage at home. works pretty good for months i've migrated to nfs4

hth
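
Two items of the checklist above, turned into checks. This is an added example, not code from anyone in the thread: it compares the `Domain` setting of two idmapd.conf copies and counts entries in an `ls -ln` listing owned by an unmapped id. The file names and sample contents are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). All file names and sample contents
# below are constructed for the demonstration.

# Print the Domain value from the [General] section of an idmapd.conf file,
# lower-cased; prints nothing when the option is not set.
idmap_domain() {
    awk '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { in_general = (tolower($0) ~ /^[ \t]*\[general\]/); next }
        in_general && tolower($0) ~ /^[ \t]*domain[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                 # drop the key and "="
            sub(/[ \t]+$/, "")                       # drop trailing blanks
            print tolower($0)
            exit
        }' "$1"
}

# Succeed only when both files set the same non-empty Domain.
idmap_domains_match() {
    server_dom=$(idmap_domain "$1")
    client_dom=$(idmap_domain "$2")
    [ -n "$server_dom" ] && [ "$server_dom" = "$client_dom" ]
}

# Read `ls -ln` output on stdin and count entries whose numeric owner or group
# is 65534 (the traditional nobody id) or 4294967294 (the id shown in the
# client listing posted in this thread).
count_unmapped() {
    awk '$3 == 65534 || $3 == 4294967294 || $4 == 65534 || $4 == 4294967294 { n++ }
         END { print n + 0 }'
}

# Demonstration on constructed inputs.
demo() {
    tmp=$(mktemp -d)
    printf '[General]\nDomain = home.lan\n'    > "$tmp/server-idmapd.conf"
    printf '[General]\nDomain = localdomain\n' > "$tmp/client-idmapd.conf"
    if idmap_domains_match "$tmp/server-idmapd.conf" "$tmp/client-idmapd.conf"; then
        echo "idmapd Domain: match"
    else
        echo "idmapd Domain differs: server=$(idmap_domain "$tmp/server-idmapd.conf")" \
             "client=$(idmap_domain "$tmp/client-idmapd.conf")"
    fi
    # Two lines in the shape of an `ls -ln` listing of the mounted share.
    printf '%s\n' \
        'drwxr-xr-x 164 4294967294 4294967294 4096 Aug 5 04:32 .' \
        'drwxr-xr-x 5 0 0 4096 Jun 17 2008 ..' |
        { printf 'entries owned by an unmapped id: '; count_unmapped; }
    rm -rf "$tmp"
}
demo
```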
[gentoo-user] xtables-addons : Invalid module format
I'm having troubles with net-firewall/xtables-addons-1.3.7

emerge is successful, but all attempts to create an IP set (e.g., `ipset --create test hash:ip`) resulted in the following error message:

    FATAL: Error inserting ip_set (/lib/modules/2.6.39-hardened-r8PANS_GW_BN_02/xtables_addons/ip_set.ko): Invalid module format

`insmod` begat an additional information:

    insmod: error inserting '/lib/modules/2.6.39-hardened-r8PANS_GW_BN_02/xtables_addons/ip_set.ko': -1 Invalid module format

`dmesg | tail -1` gave a worrying error:

    [ 4085.271442] ip_set: exports duplicate symbol ip_set_nfnl_put (owned by kernel)

What should I do?

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
• Blog : http://pepoluan.tumblr.com
• Linked-In : http://id.linkedin.com/in/pepoluan
Re: [gentoo-user] xtables-addons : Invalid module format
On Fri, Aug 5, 2011 at 9:11 AM, Pandu Poluan pa...@poluan.info wrote:
> I'm having troubles with net-firewall/xtables-addons-1.3.7
>
> emerge is successful, but all attempts to create an IP set (e.g., `ipset --create test hash:ip`) resulted in the following error message:
>
>     FATAL: Error inserting ip_set (/lib/modules/2.6.39-hardened-r8PANS_GW_BN_02/xtables_addons/ip_set.ko): Invalid module format
>
> `insmod` begat an additional information:
>
>     insmod: error inserting '/lib/modules/2.6.39-hardened-r8PANS_GW_BN_02/xtables_addons/ip_set.ko': -1 Invalid module format
>
> `dmesg | tail -1` gave a worrying error:
>
>     [ 4085.271442] ip_set: exports duplicate symbol ip_set_nfnl_put (owned by kernel)
>
> What should I do?

I don't know much about xtables, but ISTR it's a fork (or supplement?) to iptables.

That sounds like a symbol conflict, such as if you were to try to insert a module into a kernel, where the kernel already had the code built-in. Check your kernel configuration and ensure that all of the iptables stuff is built as modules, rather than built-in. Then (I suspect) it should be a matter of figuring out which module conflicts.

--
:wq
Re: [gentoo-user] xtables-addons : Invalid module format
On Fri, Aug 5, 2011 at 20:24, Michael Mol mike...@gmail.com wrote:
> On Fri, Aug 5, 2011 at 9:11 AM, Pandu Poluan pa...@poluan.info wrote:
> > I'm having troubles with net-firewall/xtables-addons-1.3.7
> >
> > emerge is successful, but all attempts to create an IP set (e.g., `ipset --create test hash:ip`) resulted in the following error message:
> >
> >     FATAL: Error inserting ip_set (/lib/modules/2.6.39-hardened-r8PANS_GW_BN_02/xtables_addons/ip_set.ko): Invalid module format
> >
> > `insmod` begat an additional information:
> >
> >     insmod: error inserting '/lib/modules/2.6.39-hardened-r8PANS_GW_BN_02/xtables_addons/ip_set.ko': -1 Invalid module format
> >
> > `dmesg | tail -1` gave a worrying error:
> >
> >     [ 4085.271442] ip_set: exports duplicate symbol ip_set_nfnl_put (owned by kernel)
> >
> > What should I do?
>
> I don't know much about xtables, but ISTR it's a fork (or supplement?) to iptables.

Supplement, actually. It provides modules that for some reason haven't made it into iptables itself.

> That sounds like a symbol conflict, such as if you were to try to insert a module into a kernel, where the kernel already had the code built-in. Check your kernel configuration and ensure that all of the iptables stuff is built as modules, rather than built-in. Then (I suspect) it should be a matter of figuring out which module conflicts.

Hmmm... okay, I'll try to build another kernel. There's this whole page of IPset in `make menuconfig` that I had naively set to built-in.

I'll post updates.

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
• Blog : http://pepoluan.tumblr.com
• Linked-In : http://id.linkedin.com/in/pepoluan
Re: [gentoo-user] xtables-addons : Invalid module format
On Fri, Aug 5, 2011 at 20:32, Pandu Poluan pa...@poluan.info wrote:
> On Fri, Aug 5, 2011 at 20:24, Michael Mol mike...@gmail.com wrote:
> > That sounds like a symbol conflict, such as if you were to try to insert a module into a kernel, where the kernel already had the code built-in. Check your kernel configuration and ensure that all of the iptables stuff is built as modules, rather than built-in. Then (I suspect) it should be a matter of figuring out which module conflicts.
>
> Hmmm... okay, I'll try to build another kernel. There's this whole page of IPset in `make menuconfig` that I had naively set to built-in.
>
> I'll post updates.

Well, whaddaya know... I set `CONFIG_IP_SET=m`, rebuilt the kernel, and re-emerged xtables-addons, and...

It works ! ! !

Thank you so much :-)

(If we ever meet, remind me to treat you to a nice mug o'beer -- or your preferred cold drink)

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
• Blog : http://pepoluan.tumblr.com
• Linked-In : http://id.linkedin.com/in/pepoluan
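
The diagnosis from this thread as a script. This is an added example, not code from any poster: it reads "exports duplicate symbol" lines and reports how the matching option is set in a kernel .config. Deriving the option name as CONFIG_ plus the upper-cased module name is an assumption that holds for ip_set and CONFIG_IP_SET, the option named above; the .config fragment is constructed.

```sh
#!/bin/sh
# Added example (not from the thread).

# Print "module symbol owner" for each duplicate-symbol line on stdin.
# A leading "[ timestamp]" prefix, as printed by dmesg, is stripped first.
dup_symbols() {
    sed -n -e 's/^\[[^]]*] *//' \
           -e 's/^\([^: ]*\): exports duplicate symbol \([^ ]*\) (owned by \([^)]*\)).*$/\1 \2 \3/p'
}

# config_state OPTION FILE -> y, m, or n (absent or "is not set").
config_state() {
    val=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# explain_conflicts KERNEL_CONFIG < dmesg-text
# For every symbol already owned by the kernel image, look up the option that
# is assumed to control the module (CONFIG_ + upper-cased module name).
explain_conflicts() {
    dup_symbols | while read -r mod sym owner; do
        [ "$owner" = kernel ] || continue
        opt=CONFIG_$(printf '%s' "$mod" | tr 'a-z-' 'A-Z_')
        state=$(config_state "$opt" "$1")
        case $state in
            y) echo "$mod: $opt=y already provides $sym; set $opt=m and rebuild" ;;
            *) echo "$mod: $opt=$state in this config; check that it matches the running kernel" ;;
        esac
    done
}

demo() {
    cfg=$(mktemp)
    # Constructed .config fragment with ipset support compiled into the kernel.
    printf 'CONFIG_NETFILTER=y\nCONFIG_IP_SET=y\n' > "$cfg"
    # The dmesg line quoted in the thread.
    echo '[ 4085.271442] ip_set: exports duplicate symbol ip_set_nfnl_put (owned by kernel)' |
        explain_conflicts "$cfg"
    rm -f "$cfg"
}
demo
```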
Re: [gentoo-user] xtables-addons : Invalid module format
On Fri, Aug 5, 2011 at 9:45 AM, Pandu Poluan pa...@poluan.info wrote:
> On Fri, Aug 5, 2011 at 20:32, Pandu Poluan pa...@poluan.info wrote:
> > On Fri, Aug 5, 2011 at 20:24, Michael Mol mike...@gmail.com wrote:
> > > That sounds like a symbol conflict, such as if you were to try to insert a module into a kernel, where the kernel already had the code built-in. Check your kernel configuration and ensure that all of the iptables stuff is built as modules, rather than built-in. Then (I suspect) it should be a matter of figuring out which module conflicts.
> >
> > Hmmm... okay, I'll try to build another kernel. There's this whole page of IPset in `make menuconfig` that I had naively set to built-in.
> >
> > I'll post updates.
>
> Well, whaddaya know... I set `CONFIG_IP_SET=m`, rebuilt the kernel, and re-emerged xtables-addons, and...
>
> It works ! ! !
>
> Thank you so much :-)
>
> (If we ever meet, remind me to treat you to a nice mug o'beer -- or your preferred cold drink)

Not necessary. :)

Well, I do hope to be at Dragon*Con this year, so if you're in the area. ;)

--
:wq
Re: [gentoo-user] www-client/chromium
2011/8/5 Jesús J. Guerrero Botella jesus.guerrero.bote...@gmail.com
> 2011/8/5 Matthew Finkel matthew.fin...@gmail.com:
> > On Fri, Aug 5, 2011 at 12:05 AM, Thanasis thana...@asyr.hopto.org wrote:
> > > I noticed that chromium's code has a lot of vulnerabilities.
> > > https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
> > > I suppose this is why we see so often version upgrades of it (and it's not a small app to build). Why is its code so, should I say prone to bugs, compared to other browsers?
> >
> > Firefox isn't perfect either
> > https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Ffirefox&list_id=337885
> >
> > I think you hit the nail on the head by saying that it's not a small app to build. The more code that's written increases the chances a security hole will be introduced into the application.
>
> I don't think so. It's not the raw number of source code lines which makes it more prone to bugs. I think that a closer and more realistic number would be the number of lines divided by the number of full-time developers, and don't forget to put in the middle of that formula how skilled they are. Having that into account, chromium has a good base since few teams in the planet will have the quantity and quality of man power that Google has to devote to this project.
>
> > And as an internet browser, they're also susceptible to many more vectors of attack than most other packages. For chromium specifically, I haven't looked at the CVEs but I suspect many are for webkit and not just Chromium. Just my 2c.
>
> The webkit branch into chromium is not the same that you can find in any other webkit-based project. They just have a common origin, but they are maintained separately and it is my understanding that they have diverged enough to be considered as separate things.
>
> --
> Jesús Guerrero Botella

Your points on code quality and developer quality/experience are well taken, and I completely agree; the number of lines of source code is never really a good criterion for comparison.

I also wasn't aware the chromium-base and webkit-base had diverged so much. On second look of the bug reports, all of them are linked to the Google Chrome Release blog, where the vast majority of the vulnerabilities/bugs are attributed to bounty hunters. So I believe this also heavily contributes to the quick release cycle.

To Thanasis' point, I think the quick release cycle is two-fold. The first being that Google has a policy of release early-release often, so I would guess that once the new feature set is stable they push it out. Second is the fact that most people like using stable and secure software as well as making money. Also, quite a few of the bugs, in the Google Chrome Team's words, were clever, so I would assume they weren't easy to find. I didn't go digging around to see how old these bugs were, to see when they were introduced, but it did appear that a large portion were due to common coding error, i.e. use-after-free, memory corruption, etc.

As an aside, a similar (condensed) list of vulnerabilities in all Mozilla projects can be found here [0]. I think, overall, compared to Chrome/Chromium, there are significantly less vulnerabilities reported for Firefox. But there is also far less money going towards the discoveries, as well.

0. http://www.mozilla.org/security/known-vulnerabilities/

- Matt
[gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
Hi,

today I received this mail from cron:

---
error: skipping /var/log/portage/elog/summary.log because parent directory has insecure permissions (It's world writable or writable by group which is not root) Set su directive in config file to tell logrotate which user/group should be used for rotation.
---

My /var/log/portage/elog has this permissions:

    drwxrws--- 2 portage portage 4096 Jun 1 2010 elog

What is wrong with it? I'm pretty sure I did not touch it for years so I'm surprised logrotate is suddenly complaining (it has been updated recently, that might be reason). Anyway, how should those permissions look like to make logrotate (and cron) happy?

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On 05.08.2011 17:22, Jarry wrote:
> Hi,
>
> today I received this mail from cron:
>
> ---
> error: skipping /var/log/portage/elog/summary.log because parent directory has insecure permissions (It's world writable or writable by group which is not root) Set su directive in config file to tell logrotate which user/group should be used for rotation.
> ---
>
> My /var/log/portage/elog has this permissions:
>
>     drwxrws--- 2 portage portage 4096 Jun 1 2010 elog
>
> What is wrong with it? I'm pretty sure I did not touch it for years so I'm surprised logrotate is suddenly complaining (it has been updated recently, that might be reason). Anyway, how should those permissions look like to make logrotate (and cron) happy?
>
> Jarry

Yes, this was introduced in 3.8.0 to fix security issues [1]. Change your config to look like this:

    /var/log/portage/elog/summary.log {
        su portage portage
        ...
    }

Disclaimer: I've not really tried this (yet) but I think I'm able to read changelogs and man-pages. ;-)

[1] https://bugzilla.redhat.com/show_bug.cgi?id=680799

Regards,
Florian Philipp
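
The condition named in the error message, as a check that can be run against any log directory before logrotate does. This is an added example, not logrotate's own code and not from either poster: the rule is taken from the wording of the message only, `stat -c` is the GNU coreutils form, and gid 250 for the portage group is an assumed sample value.

```sh
#!/bin/sh
# Added example (not logrotate's code): the condition spelled out in the error
# message, "world writable or writable by group which is not root".

# parent_is_insecure MODE GID -> status 0 when a directory with this octal
# mode and numeric group id matches that wording, 1 otherwise.
parent_is_insecure() {
    m=$1 g=$2
    [ $(( 0$m & 0002 )) -ne 0 ] && return 0                     # o+w
    [ "$g" -ne 0 ] && [ $(( 0$m & 0020 )) -ne 0 ] && return 0   # g+w, group is not root
    return 1
}

# check_log_parent LOGFILE -> same verdict for the real parent directory.
# Returns 2 when the directory cannot be examined.
check_log_parent() {
    dir=$(dirname "$1")
    info=$(stat -c '%a %g' -- "$dir") || return 2
    parent_is_insecure "${info% *}" "${info#* }"
}

# su_directive LOGFILE -> a "su user group" line naming the owner and group of
# the parent directory, the form the fix in the thread uses (su portage portage).
su_directive() {
    stat -c 'su %U %G' -- "$(dirname "$1")"
}

# Constructed cases, one per line: MODE GID description.
# 2770 with a non-root group mirrors the drwxrws--- portage:portage directory.
report_cases() {
    while read -r mode gid label; do
        if parent_is_insecure "$mode" "$gid"; then verdict=insecure; else verdict=ok; fi
        printf '%-5s gid=%-4s %-9s %s\n' "$mode" "$gid" "$verdict" "$label"
    done <<'EOF'
2770 250 elog directory as posted (group-writable, group portage)
0755 0 root-owned directory, writable by owner only
0775 0 group-writable, but the group is root
0777 0 world-writable
EOF
}
report_cases
```

For a directory that is flagged, `su_directive /var/log/portage/elog/summary.log` prints the line to place inside that log's stanza.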
[gentoo-user] Network Topology Diagrams
Hello one and all,

It's been a while since I've created diagrams. I'd be curious to learn what tools (software ebuilds) and techniques that folks employ to:

Graphically map an existing network topology.
Create new designs and implementation details a proposed Network Topology Design.
Create paper printable diagrams.

I'm thinking about getting an 11 x 17 color printer for the actual printed (paper) diagrams. It'd be nice to include (graphical colors) that shows wireless, cat(5), fiber and POE segments in different colors, even if I have to manually edit what a software tool cannot distinguish within its features.

BICSI, RCDD, TIA, NEC and any other related standards or regulatory (regardless of country) types of related issues and support are of interest, but not necessary for a general response and discussion.

Hopefully the industry has moved past creating much of these sorts of materials, uniquely by hand, using Autocad?

All comments and suggestions are welcome. Templates are most welcome!

James
Re: [gentoo-user] Network Topology Diagrams
On Fri, Aug 5, 2011 at 1:42 PM, James wirel...@tampabay.rr.com wrote:
> Hello one and all,
>
> It's been a while since I've created diagrams. I'd be curious to learn what tools (software ebuilds) and techniques that folks employ to:
>
> Graphically map an existing network topology.
> Create new designs and implementation details a proposed Network Topology Design.
> Create paper printable diagrams.
>
> I'm thinking about getting an 11 x 17 color printer for the actual printed (paper) diagrams. It'd be nice to include (graphical colors) that shows wireless, cat(5), fiber and POE segments in different colors, even if I have to manually edit what a software tool cannot distinguish within its features.
>
> BICSI, RCDD, TIA, NEC and any other related standards or regulatory (regardless of country) types of related issues and support are of interest, but not necessary for a general response and discussion.
>
> Hopefully the industry has moved past creating much of these sorts of materials, uniquely by hand, using Autocad?
>
> All comments and suggestions are welcome. Templates are most welcome!

To my knowledge, Dia is the most common Linux answer to Microsoft Visio, and sounds somewhat close to what you're looking for.

I'd *love* to see a tool that sniffs the network and tries to build a visible topology graph, though...

--
:wq
Re: [gentoo-user] Network Topology Diagrams
On 08/05/2011 07:48 PM, Michael Mol wrote:
> On Fri, Aug 5, 2011 at 1:42 PM, James wirel...@tampabay.rr.com wrote:
> > Hello one and all,
> >
> > It's been a while since I've created diagrams. I'd be curious to learn what tools (software ebuilds) and techniques that folks employ to:
> >
> > Graphically map an existing network topology.
> > Create new designs and implementation details a proposed Network Topology Design.
> > Create paper printable diagrams.
> >
> > I'm thinking about getting an 11 x 17 color printer for the actual printed (paper) diagrams. It'd be nice to include (graphical colors) that shows wireless, cat(5), fiber and POE segments in different colors, even if I have to manually edit what a software tool cannot distinguish within its features.
> >
> > BICSI, RCDD, TIA, NEC and any other related standards or regulatory (regardless of country) types of related issues and support are of interest, but not necessary for a general response and discussion.
> >
> > Hopefully the industry has moved past creating much of these sorts of materials, uniquely by hand, using Autocad?
> >
> > All comments and suggestions are welcome. Templates are most welcome!
>
> To my knowledge, Dia is the most common Linux answer to Microsoft Visio, and sounds somewhat close to what you're looking for.
>
> I'd *love* to see a tool that sniffs the network and tries to build a visible topology graph, though...

Zenmap - part of net-analyzer/nmap can do that for you.

It lists all hosts found. When clicked you can access their scan data. You can import export those scans in a XML format. It draws a topological chart of the network. It uses only circles as icons, so it's not apt for presentations, but to get a quick overview.

It's handy to make a thorough scan at customers and make its export accessible to your colleagues in your admin-firm.

Greetings,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
[gentoo-user] Cannot remove empty directory: cannot remove `APR-13-2011': Directory not empty
Hi all,

I use a USB key to transfer files between my printer/scanner and my computer. This all works fine except that I am unable to delete empty directories on the USB key. The following applies to both user 'hilco' and 'root'!

    centaur usb # mount
    snip/
    /dev/sdc1 on /mnt/usb type vfat (rw,noexec,nosuid,nodev,user=hilco)
    centaur usb # find .
    .
    ./APR-13-2011
    snip/
    ./AUG-05-2011
    centaur usb # rm -rf *
    rm: cannot remove `APR-13-2011': Directory not empty
    snip/
    rm: cannot remove `AUG-05-2011': Directory not empty
    centaur usb # mkdir xyz
    centaur usb # rmdir xyz

(I should note that any files in the MMM-DD- directories *are* removed.)

I could reformat the USB key of course but I would prefer to be able to simply delete old directories. Any ideas what might be causing this?

Cheers,
Hilco
Re: [gentoo-user] Cannot remove empty directory: cannot remove `APR-13-2011': Directory not empty
On 5 August 2011 13:38, Thanasis thana...@asyr.hopto.org wrote:
> umount /dev/sdc1
> fsck /dev/sdc1

Wow. Just wow. The printer/scanner somehow renamed '.' and '..' to '. ~1' and '.. ~1' respectively. Sigh, I guess I'll just reformat.
Re: [gentoo-user] Cannot remove empty directory: cannot remove `APR-13-2011': Directory not empty
On Fri, Aug 5, 2011 at 5:13 PM, Hilco Wijbenga hilco.wijbe...@gmail.com wrote:
> On 5 August 2011 13:38, Thanasis thana...@asyr.hopto.org wrote:
> > umount /dev/sdc1
> > fsck /dev/sdc1
>
> Wow. Just wow. The printer/scanner somehow renamed '.' and '..' to '. ~1' and '.. ~1' respectively. Sigh, I guess I'll just reformat.

Ok, that's impressive.

--
:wq
Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change your config to look like this:
>
>     /var/log/portage/elog/summary.log {
>         su portage portage
>         ...
>     }
>
> Disclaimer: I've not really tried this (yet) but I think I'm able to read changelogs and man-pages. ;-)

Yes that fixes it. The latest portage ebuilds include an updated config file.

--
Neil Bothwick

There's no such thing as a free lunch ___Steve Ballmer, choking on a linuxburger
[gentoo-user] Re: [OT] NFSv4: 32-bit server versus 64-bit client?
On 08/05/2011 12:10 AM, Joost Roeleveld wrote:
> On Thursday, August 04, 2011 02:53:28 PM walt wrote:
> > For reasons I don't know, the 64-bit client machines mount the 32-bit NFSv4 share with UID/GID 0xffe, which won't let even root write to the rw share.
> >
> > I googled an old thread mentioning that 0x is decimal 65534, a UID traditionally assigned to the user 'nobody'.
>
> This is how I do this:
>
> **
> (On server)
> ~ $ cat /etc/exports
> /usr/portage *(rw,sync,all_squash,anonuid=250,anongid=250,no_subtree_check)

(Thanks also to Todd and Victor for their replies. I hope this will address your points too.)

Joost, here's what I'm using at the moment:

    #grep portage /etc/exports
    /usr/portage 192.168.0.100/29(rw,sync,all_squash,anonuid=250,anongid=250,no_subtree_check)

This is what my 32-bit server thinks:

    #exportfs -v | grep portage
    /usr/portage 192.168.0.100/29(rw,wdelay,root_squash,all_squash,no_subtree_check,anonuid=250,anongid=250)

Unfortunately, this is what the 64-bit client thinks:

    #mount | grep portage
    k2:/usr/portage on /mnt/nfs type nfs (rw,vers=4,addr=192.168.0.100,clientaddr=192.168.0.102)

    #ls -la /mnt/nfs | head
    total 2120
    drwxr-xr-x 164 4294967294 4294967294    4096 Aug 5 04:32 .
    drwxr-xr-x   5 root       root          4096 Jun 17 2008 ..
    -rw-r--r--   1 4294967294 4294967294 1258556 Aug 5 04:33 .ebuild.x
    drwxr-xr-x  44 4294967294 4294967294    4096 Aug 5 03:31 app-accessibility
    drwxr-xr-x 198 4294967294 4294967294    4096 Aug 5 03:31 app-admin
    drwxr-xr-x   3 4294967294 4294967294    4096 Aug 5 03:31 app-antivirus
    drwxr-xr-x  92 4294967294 4294967294    4096 Aug 5 03:31 app-arch
    drwxr-xr-x  36 4294967294 4294967294    4096 Aug 5 03:31 app-backup
    drwxr-xr-x  30 4294967294 4294967294    4096 Aug 5 03:31 app-benchmarks

When I look at the uid/gid of that mount, my gut tells me there's a bug in there somewhere. Do you disagree?

I have only one 32-bit machine, so I'm thinking I can install a 32-bit gentoo virtualbox guest to test my 32-bit versus 64-bit theory. That's going to wait for tomorrow, though.

Meanwhile, anyone know of a live CD that would let me mount an NFS4 share? My ubuntu vbox guest supports NFS3 but not NFS4 :(