[gentoo-user] Security Onion on Gentoo

2016-07-01 Thread James
Hello,


So net-analyzer/suricata is all the rage now. The 'Security Onion' is
often pitched as a suricata distro. [1] Many of the commonly listed
packages that are part of the security onion are already in gentoo.

So, are there suricata users on gentoo-user? If so, do you use any
of the key listed software found on the security onion, as part of your
IDS/NDS/etc security toolset?


Would anyone be interested in combining these software components found
on the security onion onto gentoo? [2]


[2] https://securityonion.net/

[1] https://oisf.net/suricata/

[3] http://pevma.blogspot.com/search/label/Suricata




Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread Kerin Millar

On 25/09/2014 02:58, Walter Dnes wrote:

[snip]


...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
has been pushed to Gentoo stable.  The same env command results in...


Unfortunately, that version did fully address the problem. Instead, 
upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were 
recently committed. For further details:


https://bugs.gentoo.org/show_bug.cgi?id=523592

--Kerin



Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread Kerin Millar

On 25/09/2014 13:54, Kerin Millar wrote:

On 25/09/2014 02:58, Walter Dnes wrote:

[snip]


...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
has been pushed to Gentoo stable.  The same env command results in...


Unfortunately, that version did fully address the problem. Instead,
upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
recently committed. For further details:

https://bugs.gentoo.org/show_bug.cgi?id=523592



Oops. Obviously, I meant to write did not fully address the problem.

--Kerin



Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread covici
Kerin Millar kerfra...@fastmail.co.uk wrote:

 On 25/09/2014 02:58, Walter Dnes wrote:
 
 [snip]
 
  ...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
  has been pushed to Gentoo stable.  The same env command results in...
 
 Unfortunately, that version did fully address the problem. Instead,
 upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
 recently committed. For further details:
 
 https://bugs.gentoo.org/show_bug.cgi?id=523592
I cannot update to that, it's not in the tree as of last night.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread Tomas Mozes

On 2014-09-25 16:02, cov...@ccs.covici.com wrote:

Kerin Millar kerfra...@fastmail.co.uk wrote:


On 25/09/2014 02:58, Walter Dnes wrote:

[snip]

 ...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
 has been pushed to Gentoo stable.  The same env command results in...

Unfortunately, that version did fully address the problem. Instead,
upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were
recently committed. For further details:

https://bugs.gentoo.org/show_bug.cgi?id=523592

I cannot update to that, it's not in the tree as of last night.


Try to rsync from some other mirror.



Re: [gentoo-user] [Security] Update bash *NOW*

2014-09-25 Thread Walter Dnes
On Thu, Sep 25, 2014 at 01:54:10PM +0100, Kerin Millar wrote
 On 25/09/2014 02:58, Walter Dnes wrote:
 
 [snip]
 
  ...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
  has been pushed to Gentoo stable.  The same env command results in...
 
 Unfortunately, that version did fully address the problem. Instead, 
 upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were 
 recently committed. For further details:
 
 https://bugs.gentoo.org/show_bug.cgi?id=523592
 
 --Kerin

  OK, I've got app-shells/bash-4.2_p48-r1 installed now.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



[gentoo-user] [Security] Update bash *NOW*

2014-09-24 Thread Walter Dnes
  Slashdot article 
http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash

  Story at 
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

  CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650

  Summary... bash scripts, CGI, perl via system(), and various other
commands invoke a bash shell at times, passing environmental variables
in the process.  Problem is that an environmental variable ***CAN
CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW
SHELL***.  E.g. execute the command...

env x='() { :;}; echo vulnerable' bash -c echo this is a test

...and you get the following...

vulnerable
this is a test

  Replace...

x='() { :;}; echo vulnerable'

...with malicious stuff, and it could get ugly.  app-shells/bash-4.2_p48
has been pushed to Gentoo stable.  The same env command results in...

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
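
The check from the post above, wrapped so it can be run against every bash binary on a host and used as a pass/fail gate. This is an added example, not part of the original post; the marker string, the function names and the use of an /etc/shells-style file as the candidate list are assumptions.

```shell
#!/bin/sh
# Added example: run the harmless probe from the post against bash binaries
# and report which ones still execute text that follows an imported function
# definition. Function names and the marker are made up for this example.

MARKER="probe-marker-$$"    # constructed string, unique per run

# probe_shell PATH -> prints "vulnerable", "ok" or "error"
probe_shell() {
    shell=$1
    if [ ! -x "$shell" ]; then
        echo error
        return 0
    fi
    # Same shape as the value in the post; the trailing command only echoes
    # the marker. A fixed bash treats x as a plain string and prints nothing
    # extra, so only "probe-done" comes back.
    out=$(env x="() { :;}; echo $MARKER" "$shell" -c 'echo probe-done' 2>/dev/null) || true
    case $out in
        *"$MARKER"*)  echo vulnerable ;;
        *probe-done*) echo ok ;;
        *)            echo error ;;
    esac
}

# candidate_shells [FILE] -> paths ending in /bash from an /etc/shells-style
# file, plus whatever "bash" resolves to on PATH, de-duplicated.
candidate_shells() {
    list=${1:-/etc/shells}
    {
        if [ -r "$list" ]; then
            grep -E '^/.*/bash$' "$list" || true
        fi
        command -v bash 2>/dev/null || true
    } | sort -u
}

# report [FILE] -> one "path: verdict" line per candidate; returns 1 if any
# candidate is vulnerable, so it can gate a cron job or a deployment check.
report() {
    rc=0
    for s in $(candidate_shells "$1"); do
        verdict=$(probe_shell "$s")
        echo "$s: $verdict"
        if [ "$verdict" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

report || echo "at least one bash needs updating" >&2
```

A verdict of "ok" only covers the behaviour shown in the post; the installed package revision still has to be compared with the fixed revisions named in the replies.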



Re: [gentoo-user] Security

2014-03-21 Thread Ján Zahornadský
I'm not a professional, but I'd say that running as few services as
possible contributes to the overall security by reducing the attack
vectors (and Gentoo helps with that by not having that much by default).

I usually opt only for ssh and use certificates rather than passwords...

On Thu, 2014-03-20 at 22:06 +, john wrote:
 After recently reading about Windigo I am questioning how good my
 security is on my Gentoo box. I am only a desktop user with iptables
 and clamav installed and occasionally running chkrootkit.
 
 Would you recommend any other forms of security (snort, selinux,
 hardened etc) that I should be using?
 
 I may be a touch neurotic but would hate to think I have been infected!
 
 
 





Re: [gentoo-user] Security

2014-03-21 Thread wraeth

On 21/03/14 17:44, Ján Zahornadský wrote:


Indeed, the smaller the surface area, the smaller the target (the
fewer things running, the fewer things can be exploited).

For an average desktop environment, doing what you're already doing, I
think, would be reasonably sufficient - provided it's mixed with a
little common sense (don't grant root privileges to things that don't
need them; don't use passwords like 'MyPassword'; that sort of thing).
Having a personal firewall is already probably more than many (albeit
non-linux) users do (at least of their own accord).

If you wanted to go a little further, you could have a look at
`qcheck` (app-portage/portage-utils) or even app-admin/tripwire; maybe
set up a few cron jobs that mail root with warnings or something.
Otherwise, making sure you don't enable unnecessary services and
keeping on top of your firewall, log checks and chkrootkit'ing should
be sufficient.

If you *do* want to go the whole hog, while I'm no expert on it, using
a desktop environment under the hardened profile can provide some
challenges, but is indeed doable. Personally I'm currently running
thunderbird-bin in a kde environment on a custom hardened/kde profile
that I kludged together (this is Gentoo, after all)!

Ultimately, it's up to you what you feel is appropriate for what your
expected usage and risk level is.

For reference:
https://wiki.gentoo.org/wiki/Project:Hardened

Cheers;
-- 
wraeth



Re: [gentoo-user] Security

2014-03-21 Thread Philip Webb
140320 john wrote:
 After recently reading about Windigo,
 I am questioning how good my security is on my Gentoo box.
 I am only a desktop user with iptables and clamav installed
 and occasionally running chkrootkit.
 Would you recommend any other forms of security
 -- snort, selinux, hardened etc -- that I should be using?
 I may be a touch neurotic but would hate to think I have been infected!

Others mb able to offer more professional advice,
but as a desktop user of Gentoo for   10 yr , I'ld say don't worry.
I read the Windigo PDF (via LWN)
and saw no explanation of any weakness in the Linux software :
it's very long on all the bad things which can happen,
esp to M$ Windows systems, if a server or network gets infected,
but it looked as if the only way that could happen on a Linux box
wb if someone finds out its root password, ie sysadmin carelessness.

HTH

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




[gentoo-user] Security

2014-03-20 Thread john
After recently reading about Windigo I am questioning how good my
security is on my Gentoo box. I am only a desktop user with iptables
and clamav installed and occasionally running chkrootkit.

Would you recommend any other forms of security (snort, selinux,
hardened etc) that I should be using?

I may be a touch neurotic but would hate to think I have been infected!



-- 
John D Maunder



Re: [gentoo-user] security

2009-05-23 Thread Saphirus Sage
Daniel Iliev wrote:
   Hi,
  
   Since I'm not familiar with Gentoo's practice in dealing with
   security problems I got curious about the following case.
   Yesterday a Secunia advisory [1] about pidgin was brought to my
   attention. The solution offered by the up-streams is upgrading to
   version 2.5.6, while the latest version in portage is ~2.5.5-r1.

   As I see it, there are three possibilities:
   1) even older, the version in Gentoo is not affected, because the
   maintainers had taken care of it (too optimistic?)
   2) Gentoo installations are still vulnerable to the bugs described in
   the advisory and nobody knows about it (quite disturbing)
   3) Gentoo maintainers are working on it, but still not ready

   Which one is it?


   [1] [SA35194] http://secunia.com/advisories/35194/


   
It's in portage, sync your tree and check again. I just installed Pidgin
2.5.6 last night.



Re: [gentoo-user] security

2009-05-23 Thread Justin
Daniel Iliev wrote:
 
   Hi,
  
   Since I'm not familiar with Gentoo's practice in dealing with
   security problems I got curious about the following case.
   Yesterday a Secunia advisory [1] about pidgin was brought to my
   attention. The solution offered by the up-streams is upgrading to
   version 2.5.6, while the latest version in portage is ~2.5.5-r1.
 
   As I see it, there are three possibilities:
   1) even older, the version in Gentoo is not affected, because the
   maintainers had taken care of it (too optimistic?)
   2) Gentoo installations are still vulnerable to the bugs described in
   the advisory and nobody knows about it (quite disturbing)
   3) Gentoo maintainers are working on it, but still not ready
 
   Which one is it?
 
 
   [1] [SA35194] http://secunia.com/advisories/35194/
 
 
file a bug at b.g.o.





Re: [gentoo-user] security

2009-05-23 Thread Justin
Daniel Iliev wrote:
 
   Hi,
  
   Since I'm not familiar with Gentoo's practice in dealing with
   security problems I got curious about the following case.
   Yesterday a Secunia advisory [1] about pidgin was brought to my
   attention. The solution offered by the up-streams is upgrading to
   version 2.5.6, while the latest version in portage is ~2.5.5-r1.
 
   As I see it, there are three possibilities:
   1) even older, the version in Gentoo is not affected, because the
   maintainers had taken care of it (too optimistic?)
   2) Gentoo installations are still vulnerable to the bugs described in
   the advisory and nobody knows about it (quite disturbing)
   3) Gentoo maintainers are working on it, but still not ready
 
   Which one is it?
 
 
   [1] [SA35194] http://secunia.com/advisories/35194/
 
 

https://bugs.gentoo.org/show_bug.cgi?id=270811





Re: [gentoo-user] security

2009-05-23 Thread Daniel Iliev
On Sat, 23 May 2009 09:23:27 -0400
Saphirus Sage saphirus...@gmail.com wrote:

 Daniel Iliev wrote:
Hi,
   
Since I'm not familiar with Gentoo's practice in dealing with
security problems I got curious about the following case.
Yesterday a Secunia advisory [1] about pidgin was brought to my
attention. The solution offered by the up-streams is upgrading to
version 2.5.6, while the latest version in portage is ~2.5.5-r1.
 
As I see it, there are three possibilities:
1) even older, the version in Gentoo is not affected, because the
maintainers had taken care of it (too optimistic?)
2) Gentoo installations are still vulnerable to the bugs
  described in the advisory and nobody knows about it (quite
  disturbing) 3) Gentoo maintainers are working on it, but still not
  ready
 
Which one is it?
 
 
[1] [SA35194] http://secunia.com/advisories/35194/
 
 

 It's in portage, sync your tree and check again. I just installed
 Pidgin 2.5.6 last night.
 

I guess the mirror I'm using is not up-to-date and they will get a
report about it,

Thanks!

-- 
Best regards,
Daniel



Re: [gentoo-user] security

2009-05-23 Thread Volker Armin Hemmann
On Samstag 23 Mai 2009, Daniel Iliev wrote:
   Hi,

   Since I'm not familiar with Gentoo's practice in dealing with
   security problems I got curious about the following case.
   Yesterday a Secunia advisory [1] about pidgin was brought to my
   attention. The solution offered by the up-streams is upgrading to
   version 2.5.6, while the latest version in portage is ~2.5.5-r1.

   As I see it, there are three possibilities:
   1) even older, the version in Gentoo is not affected, because the
   maintainers had taken care of it (too optimistic?)
   2) Gentoo installations are still vulnerable to the bugs described in
   the advisory and nobody knows about it (quite disturbing)
   3) Gentoo maintainers are working on it, but still not ready

   Which one is it?


   [1] [SA35194] http://secunia.com/advisories/35194/

subscribe to gentoo-announce
read changelogs
don't forget that it takes a while until all mirrors have that change.




[gentoo-user] Security of ciphers.

2008-06-25 Thread Jason Rivard
I've been reading this thread in the archives, on loop-aes and then the
security of AES. I hate to jump on the bandwagon, so before I do, I will
state that I *am* a crypto-expert, and have worked for the several
government entities in the US. I am not at liberty to tell you which ones.

Mr. Walters:  It is not all that easy to crack a *secure* key with the
AES-256 cipher. This holds true, even with networks of super-computers. Just
how many of them do you think the NSA (you named it), has to spare for
things like that? Parallel and distributed computing does not help much with
AES, since it is a CBC cipher algorithm (look it up).

I think you need to do some research on the subject you say you're majoring
in, before you post on the topic, Mr. Walters.

Jase


[gentoo-user] security policy/externel disk

2007-03-14 Thread Oliver Večernik
Hi,

I don't know what exactly happened, but when I plug on my external disk I 
receive the following message (KDE):

| A security policy in place prevents this sender from sending this message to
| this recipient, see message bus configuration file (rejected message had
| interface org.freedesktop.Hal.Device.Volume member Mount error
| name (unset) destination org.freedesktop.Hal)   

# tail -n 20 /var/log/kern.log
Mar 14 08:30:56 zipo usb 1-7: new high speed USB device using ehci_hcd and 
address 9
Mar 14 08:30:57 zipo usb 1-7: configuration #1 chosen from 1 choice
Mar 14 08:30:57 zipo scsi4 : SCSI emulation for USB Mass Storage devices
Mar 14 08:30:57 zipo usb-storage: device found at 9
Mar 14 08:30:57 zipo usb-storage: waiting for device to settle before scanning
Mar 14 08:31:02 zipo scsi 4:0:0:0: Direct-Access IC35L120 AVVA07-0 
VA6O PQ: 0 ANSI: 0
Mar 14 08:31:02 zipo SCSI device sda: 241254721 512-byte hdwr sectors (123522 
MB)
Mar 14 08:31:02 zipo sda: Write Protect is off
Mar 14 08:31:02 zipo sda: Mode Sense: 03 00 00 00
Mar 14 08:31:02 zipo sda: assuming drive cache: write through
Mar 14 08:31:02 zipo SCSI device sda: 241254721 512-byte hdwr sectors (123522 
MB)
Mar 14 08:31:02 zipo sda: Write Protect is off
Mar 14 08:31:02 zipo sda: Mode Sense: 03 00 00 00
Mar 14 08:31:02 zipo sda: assuming drive cache: write through
Mar 14 08:31:02 zipo sda: sda1
Mar 14 08:31:02 zipo sd 4:0:0:0: Attached scsi disk sda
Mar 14 08:31:02 zipo sd 4:0:0:0: Attached scsi generic sg0 type 0
Mar 14 08:31:02 zipo usb-storage: device scan complete
Mar 14 08:31:02 zipo sda: Current: sense key=0x0
Mar 14 08:31:02 zipo ASC=0x0 ASCQ=0x0

I can not use this disk (normally /media/disk). Can anybody give me a clue what
to do and how to track down this problem?

-- 
Cheers,
Oliver
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] security policy/externel disk

2007-03-14 Thread Xavier Parizet

Hello !

You must add yourself to the plugdev group to be able to automount external devices.

Run as root : gpasswd -a [username] plugdev and close and reopen your
KDE session.

Regards.

--
Xavier Parizet

On Wed, March 14, 2007 08:46, Oliver Večernik wrote:
 Hi,

 I don't know what exactly happened, but when I plug on my external disk I
 receive the following message (KDE):

 | A security policy in place prevents this sender from sending this
 message to
 | this recipient, see message bus configuration file (rejected message had
 | interface org.freedesktop.Hal.Device.Volume member Mount error
 | name (unset) destination org.freedesktop.Hal)

 # tail -n 20 /var/log/kern.log
 Mar 14 08:30:56 zipo usb 1-7: new high speed USB device using ehci_hcd and
 address 9
 Mar 14 08:30:57 zipo usb 1-7: configuration #1 chosen from 1 choice
 Mar 14 08:30:57 zipo scsi4 : SCSI emulation for USB Mass Storage devices
 Mar 14 08:30:57 zipo usb-storage: device found at 9
 Mar 14 08:30:57 zipo usb-storage: waiting for device to settle before
 scanning
 Mar 14 08:31:02 zipo scsi 4:0:0:0: Direct-Access IC35L120 AVVA07-0
 VA6O PQ: 0 ANSI: 0
 Mar 14 08:31:02 zipo SCSI device sda: 241254721 512-byte hdwr sectors
 (123522
 MB)
 Mar 14 08:31:02 zipo sda: Write Protect is off
 Mar 14 08:31:02 zipo sda: Mode Sense: 03 00 00 00
 Mar 14 08:31:02 zipo sda: assuming drive cache: write through
 Mar 14 08:31:02 zipo SCSI device sda: 241254721 512-byte hdwr sectors
 (123522
 MB)
 Mar 14 08:31:02 zipo sda: Write Protect is off
 Mar 14 08:31:02 zipo sda: Mode Sense: 03 00 00 00
 Mar 14 08:31:02 zipo sda: assuming drive cache: write through
 Mar 14 08:31:02 zipo sda: sda1
 Mar 14 08:31:02 zipo sd 4:0:0:0: Attached scsi disk sda
 Mar 14 08:31:02 zipo sd 4:0:0:0: Attached scsi generic sg0 type 0
 Mar 14 08:31:02 zipo usb-storage: device scan complete
 Mar 14 08:31:02 zipo sda: Current: sense key=0x0
 Mar 14 08:31:02 zipo ASC=0x0 ASCQ=0x0

 I can not use this disk (normally /media/disk). Can anybody give me clue
 what
 to do and how to track down this this problem?

 --
 Cheers,
 Oliver
 --
 gentoo-user@gentoo.org mailing list







[gentoo-user] Security from non-authorized logins

2006-04-16 Thread Alan E. Davis
I helped a friend install Ubuntu GNU/Linux on his laptop, he left
town, forgot his passwords, and I promised to breakin for him, so he
can re-do his passwords.  Told him all I have to do is run Knoppix,
access his partition, and delete the little x in the password file.
Then he would reset his root password and be back in business.

He felt betrayed.  I understand why, I think: what's secure about
GNU/Linux if anyone can boot the system and reset his passwords?

I said, Dunno.  I'll ask on the Gentoo list.

How can anyone easily avoid the problem of anyone being able to access
the guts of his machine using a live CD?  I already thought of one:
use the BIOS to disallow booting from a CD or Floppy, and set a
password on the BIOS.  Don't know whether all BIOSes will allow this,
and anyway, isn't it possible on a lot of motherboards to short out
the EPROM and thus reset the password of the BIOS?

Of course, if he would forget his password he would lose all his data.

Oh, well, does anyone have anything to suggest or to say about this?

Alan Davis




Re: [gentoo-user] Security from non-authorized logins

2006-04-16 Thread Willie Wong
On Sun, Apr 16, 2006 at 09:54:33PM +1000, Penguin Lover Alan E. Davis squawked:
 He felt betrayed.  I understand why, I think: what's secure about
 GNU/Linux if anyone can boot the system and reset his passwords?

That is the same regardless of operating system. 
Physical access == no security.

 How can anyone easily avoid the problem of anyone being able to access
 the guts of his machine using a live CD?  I already thought of one:
 use the BIOS to disallow booting from a CD or Floppy, and set a
 password on the BIOS.  Don't know whether all BIOSes will allow this,
 and anyway, isn't it possible on a lot of motherboards to short out
 the EPROM and thus reset the password of the BIOS?

You can also encrypt the contents of your hard drive. 
  http://tldp.org/HOWTO/Disk-Encryption-HOWTO/

W

-- 
Q: What's an anagram of Banach-Tarski ?

A: Banach-Tarski Banach-Tarski
Sortir en Pantoufles: up 155 days,  4:42



Re: [gentoo-user] Security from non-authorized logins

2006-04-16 Thread Jed R. Mallen
On 4/16/06, Willie Wong [EMAIL PROTECTED] wrote:
 On Sun, Apr 16, 2006 at 09:54:33PM +1000, Penguin Lover Alan E. Davis 
 squawked:
  He felt betrayed.  I understand why, I think: what's secure about
  GNU/Linux if anyone can boot the system and reset his passwords?

 That is the same regardless of operating system.
 Physical access == no security.

  How can anyone easily avoid the problem of anyone being able to access
  the guts of his machine using a live CD?  I already thought of one:
  use the BIOS to disallow booting from a CD or Floppy, and set a
  password on the BIOS.  Don't know whether all BIOSes will allow this,
  and anyway, isn't it possible on a lot of motherboards to short out
  the EPROM and thus reset the password of the BIOS?

 You can also encrypt the contents of your hard drive.
   http://tldp.org/HOWTO/Disk-Encryption-HOWTO/

But I can still get that hard drive and smash it to bits ;)

Get a big dog. Tie him next to your PC.

Seriously, if your friend can find an OS that can restrict access even
if the attacker has physical access to the PC, then he should use
that.

Encryption is a good solution, even for backups. But it's a bit
overboard for most users.
--
Jed R. Mallen
GPG key ID: 81E575A3 fp: 4E1E CBA5 7E6A 2F8B 8756  660A E54C 39D6 81E5 75A3
http://jed.sitesled.com




Re: [gentoo-user] Security from non-authorized logins

2006-04-16 Thread Alexander Skwar

Alan E. Davis wrote:

I helped a friend install Ubuntu GNU/Linux on his laptop, he left
town, forgot his passwords, and I promised to breakin for him, so he
can re-do his passwords.  Told him all I have to do is run Knoppix,
access his partition, and delete the little x in the password file. 
Then he would reset his root password in be back in business.


He felt betrayed.  I understand why, I think: what's secure about
GNU/Linux if anyone can boot the system and reset his passwords?


That's NOT a Linux problem. If you've got physical access,
you can easily break in (same for Windows, BTW).


I said, Dunno.  I'll ask on the Gentoo list.

How can anyone easily avoid the problem of anyone being able to access
the guts of his machine using a live CD?


Remove CD-Rom.
Put Computer in a solid box which cannot (easily) be opened,
so that it's impossible to attach an external CD-Rom.


 I already thought of one:
use the BIOS to disallow booting from a CD or Floppy, and set a
password on the BIOS.


Most BIOS support either a master password
or a way to reset a password (some pins on the
motherboard).


 Don't know whether all BIOSes will allow this,
and anyway, isn't it possible on a lot of motherboards to short out
the EPROM and thus reset the password of the BIOS?


Yes.

Alexander Skwar
--
Hey Satan, didja hear the news? A war just broke out up on earth.

Meet Saddam Hussein, my new partner in evil.



Re: [gentoo-user] Security from non-authorized logins

2006-04-16 Thread Alan E. Davis
Still, it would perhaps be somewhat comforting to be able to disable
EASY access to a mission critical system.

What about further disabling of access to /etc/passwd?  Does SELinux
take any such steps?  (Ok, I could look into this by reading TFM. 
Apologies).

Alan

On 4/16/06, Alexander Skwar [EMAIL PROTECTED] wrote:
 Alan E. Davis wrote:
  I helped a friend install Ubuntu GNU/Linux on his laptop, he left
  town, forgot his passwords, and I promised to breakin for him, so he
  can re-do his passwords.  Told him all I have to do is run Knoppix,
  access his partition, and delete the little x in the password file.
  Then he would reset his root password in be back in business.
 
  He felt betrayed.  I understand why, I think: what's secure about
  GNU/Linux if anyone can boot the system and reset his passwords?

 That's NOT a Linux problem. If you've got physical access,
 you can easily break in (same for Windows, BTW).

  I said, Dunno.  I'll ask on the Gentoo list.
 
  How can anyone easily avoid the problem of anyone being able to access
  the guts of his machine using a live CD?

 Remove CD-Rom.
 Put Computer in a solid box which cannot (easily) be opened,
 so that it's impossible to attach an external CD-Rom.

   I already thought of one:
  use the BIOS to disallow booting from a CD or Floppy, and set a
  password on the BIOS.

 Most BIOS support either a master password
 or a way to reset a password (some pins on the
 motherboard).

   Don't know whether all BIOSes will allow this,
  and anyway, isn't it possible on a lot of motherboards to short out
  the EPROM and thus reset the password of the BIOS?

 Yes.

 Alexander Skwar
 --
 Hey Satan, didja hear the news? A war just broke out up on earth.

 Meet Saddam Hussein, my new partner in evil.
 --
 gentoo-user@gentoo.org mailing list






Re: [gentoo-user] Security from non-authorized logins

2006-04-16 Thread Alexander Skwar

Alan E. Davis wrote:

Still, it would perhaps be somewhat comforting to be able to disable
EASY access to a mission critical system.


Put them in a server room. Make sure, that only trusted people
have a key to that server room.


What about further disabling of access to /etc/passwd?  Does SELinux
take any such steps?


Well, how does SElinux help, if a (non-SELinux) boot medium
is used to access the system?

And what do you do, if you forget the password to your
mission critical system? Where are the backdoors? Are the
backdoors documented (they better be...)?

Alexander Skwar
--
Totally illogical, there was no chance.
-- Spock, The Galileo Seven, stardate 2822.3



Re: [gentoo-user] Security from non-authorized logins

2006-04-16 Thread Rumen Yotov

Hi,
Alan E. Davis wrote:
 Still, it would perhaps be somewhat comforting to be able to disable
 EASY access to a mission critical system.
 
 What about further disabling of access to /etc/passwd?  Does SELinux
 take any such steps?  (Ok, I could look into this by reading TFM. 
 Apologies).
 
 Alan
 
Not very sure about SELinux, but RSBAC has in-kernel user management (in
its latest releases =1.2.5).
IIRC SELinux also uses its own user management beside the unix one
(check selinux docs).
PS: but the data is still there, so use encryption (enc. partition)
...SKIP...
HTH.Rumen



Re: [gentoo-user] Security from non-authorized logins

2006-04-16 Thread Norberto Bensa
Alan E. Davis wrote:
 He felt betrayed.  I understand why, I think: what's secure about
 GNU/Linux if anyone can boot the system and reset his passwords?

Oh C'mon! Like you NEVER did the same on a Windows box. YES, you can do 
something similar on NT/2K/XP/Whatever... 

Encrypt your filesystems if you want a little more security on a physically 
accessible computer.


Regards,
-- 
Norberto Bensa
Cel: 5654-9539
Ciudad de Buenos Aires, Argentina





Re: [gentoo-user] Security from non-authorized logins

2006-04-16 Thread Boyd Stephen Smith Jr.
On Sunday 16 April 2006 06:54, Alan E. Davis [EMAIL PROTECTED] wrote 
about '[gentoo-user] Security from non-authorized logins':
 I helped a friend install Ubuntu GNU/Linux on his laptop, he left
 town, forgot his passwords, and I promised to breakin for him, so he
 can re-do his passwords.  Told him all I have to do is run Knoppix,
 access his partition, and delete the little x in the password file.
 Then he would reset his root password in be back in business.

 He felt betrayed.  I understand why, I think: what's secure about
 GNU/Linux if anyone can boot the system and reset his passwords?

First of all, you can't have it both ways.  Either there's a way to get 
into your system without your password(s) or you are screwed when you 
forget your password.

Second, any OS that doesn't hold its password file on an encrypted area 
protected by some other master password, is subject to the same attack.  
Sometimes there's more security by obscurity to deal with, but that only 
has to be dealt with once.  (For example, rooting a Windows box requires 
tools that are a bit more specialized than a text editor.)

 Oh, well, does anyone have anything to suggest or to say about this?

You can set your BIOS so that only device X is bootable, but there's two 
ways around that.  Since you have physical access, you can either (a) 
exchange the media hooked to device X or (b) short the reset pins / remove 
the MB battery to reset the BIOS to factory defaults.  Either might 
require opening the case, but are pretty easy to do.  Also, it's really easy 
to forget BIOS passwords since they aren't needed that often.

Now, okay, so let's work under the assumption that the attacker has full 
control over your boot process.  They can load any OS they want so even if 
they have no /other/ way to access your data, they can simply read it byte 
by byte off of the hard drive.  They can also write to the hard drive, so 
they could replace your secure software with insecure or malicious 
software (assuming they can read the software enough to know how to modify 
it).  [The same can be said for transforming innocuous data to 
incriminating data.] Even if they don't have enough access to modify your 
software, they could just overwrite the HD and deprive you of the data.

Now, while we can't prevent vandals from destroying your data, it is 
possible to encrypt everything on your HD 'cept for the kernel and just 
enough user-space tools to start the decryption.  This prevents the 
attacker from stealing the data, and also prevents an attacker from 
replacing your secure software with insecure or malicious software (they 
don't know where/what to write).  The keys are protected by a password; 
without the password NO ONE can get them, so DON'T LOSE THE PASSWORD.

Finally, I do want to take this opportunity to mention one of the 
possible /benefits/ of TPM / TCM / Treacherous Computing.  Assuming you 
have the keys to your computer, it will only load BIOSes that you've 
allowed which will only load kernels you've allowed, which give you 
control over your boot process again -- encryption will still be necessary 
to safeguard against your HD simply being stolen, but TPM/TCM does 
close a few holes.  (Of course, this is not how MS etc. want TPM/TCM 
implemented; they are looking at a system design where /THEY/ own the keys 
to your computer.)

-- 
If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability.
-- Gentoo Developer Ciaran McCreesh




[gentoo-user] Security problem? - Apache access.log has: CONNECT ... 200

2005-11-26 Thread Joseph
I have just noticed that my Apache2 access.log has a few entries:

220.189.234.182 - - [27/Sep/2005:03:21:59 -0600] CONNECT 202.165.103.38:80 HTTP/1.1 200 17505
61.232.83.75 - - [09/Oct/2005:04:33:26 -0600] CONNECT 66.135.208.90:80 HTTP/1.1 200 25952
59.40.34.187 - - [09/Oct/2005:19:05:40 -0600] CONNECT 210.59.228.72:25 HTTP/1.1 200 17368
66.219.100.118 - - [18/Oct/2005:02:04:00 -0600] CONNECT mx2.ToughGuy.net:25 HTTP/1.0 200 30192
213.180.210.35 - - [26/Nov/2005:12:09:14 -0700] CONNECT 213.180.193.1:25 HTTP/1.0 200 16916

These IPs are mostly from Russian or Chinese hackers.
My proxy is not enabled in /etc/conf.d/apache2:
APACHE2_OPTS=-D DEFAULT_VHOST  -D SSL -D PHP4

Does anybody have similar entries? According to the Apache explanation:
http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
200 would indicate that somebody is using my apache as proxy, but how?

-- 
#Joseph
-- 
gentoo-user@gentoo.org mailing list
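
Added example, not part of the original post: a Python triage pass over access-log lines like the ones above, separating proxy-style requests (CONNECT, or a request line with an absolute URL) that were refused from those answered with a 2xx status. Treating a 2xx reply whose size matches the site's own default page as "served locally" is a heuristic assumed here; the sample lines, `default_page_size` and the tolerance are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges), not taken from the
# post. The second line has no quotes around the request, which is how the
# archived message shows its log lines.
SAMPLE = [
    '192.0.2.10 - - [27/Sep/2005:03:21:59 -0600] "CONNECT 198.51.100.7:80 HTTP/1.1" 200 17505',
    '192.0.2.11 - - [09/Oct/2005:19:05:40 -0600] CONNECT 198.51.100.8:25 HTTP/1.1 200 1456',
    '192.0.2.12 - - [10/Oct/2005:08:00:00 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
    '192.0.2.13 - - [10/Oct/2005:08:01:00 -0600] "GET http://www.example.org/ HTTP/1.0" 200 1460',
    '203.0.113.5 - - [10/Oct/2005:08:02:00 -0600] "GET /index.html HTTP/1.1" 200 1456',
]

# Common Log Format; quotes around the request line are optional.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"? '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

MAIL_PORTS = {25, 465, 587}  # SMTP and mail submission ports


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def connect_port(rec):
    """Port named in a CONNECT host:port target, or None for other requests."""
    if rec["method"] != "CONNECT":
        return None
    _host, sep, port = rec["target"].rpartition(":")
    return int(port) if sep and port.isdigit() else None


def classify(rec, default_page_size=None, tolerance=64):
    """Label a proxy-style request; return None for an ordinary local request."""
    is_connect = rec["method"] == "CONNECT"
    is_absolute = rec["target"].lower().startswith(("http://", "https://"))
    if not (is_connect or is_absolute):
        return None
    if not 200 <= rec["status"] < 300:
        return "refused"
    # Assumed heuristic: a 2xx reply the size of our own default page means the
    # server answered with local content instead of relaying the request.
    if default_page_size is not None and abs(rec["size"] - default_page_size) <= tolerance:
        return "served-local-page"
    return "investigate"


def summarize(lines, default_page_size=None):
    """Group proxy-style requests by label.

    Each entry is (client, target, status, size, targets_mail_port).
    """
    report = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        label = classify(rec, default_page_size)
        if label is not None:
            report[label].append((
                rec["client"], rec["target"], rec["status"], rec["size"],
                connect_port(rec) in MAIL_PORTS,
            ))
    return dict(report)


if __name__ == "__main__":
    for label, entries in summarize(SAMPLE, default_page_size=1456).items():
        for client, target, status, size, mail in entries:
            print(label, client, target, status, size, "mail-port" if mail else "")
```

Entries labelled "investigate" are the ones to follow up by checking whether mod_proxy or another handler that accepts CONNECT is actually loaded on the server.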



Re: [gentoo-user] Security Updates and Portage Trees

2005-09-24 Thread Fernando Meira
On 9/22/05, Neil Bothwick [EMAIL PROTECTED] wrote:
 On Wed, 21 Sep 2005 23:03:53 +0200, Fernando Meira wrote:
  I might be wrong, but I have the idea that E-cvs packages are always
  updated during an emerge world.

 Only if you run it without -p or -a. I never run emerge world without
 first checking exactly what it is going to do.

I was not meaning that, but instead that CVS packages were always
updated in an emerge -u world. If I would update my world, a re-run
would re-update those packages. I added the whole list of packages to
the world file and it seems that my idea was wrong. None of the E-CVS
packages are getting updated. Which also means that I can clean my
depclean functionality. :)





Re: [gentoo-user] Security Updates and Portage Trees

2005-09-21 Thread Fernando Meira
On 9/20/05, Neil Bothwick [EMAIL PROTECTED] wrote:
 On Tue, 20 Sep 2005 13:50:28 +0200, Fernando Meira wrote:
  - I run emerge -pv depclean and I get a list where I find these:
   These are the packages that I would unmerge:

  media-libs/libmpeg3
   selected: 1.5.2
   protected: none
   omitted: none

  x11-plugins/e_modules
   selected: 
   protected: none
   omitted: none

  media-libs/win32codecs
   selected: 20050216
   protected: none
   omitted: none

  x11-wm/e
   selected: 
   protected: none
   omitted: none

  So, I have two problems:
  1) I'm using E(nlightenment) from cvs, and I don't have it (my option)
  in my world file. Therefore it's understandable why emerge wants to
  clean it. So, what can I do to be able to use depclean and not lose E.
  Adding all E-related packages to world would be a solution, but there's
  any other?

 If you installed it with portage, you should have it in world.

I've installed with portage, but with --oneshot option. This is because
(as Holly said) E17 packages need to be installed in proper order. So I
use a script to update E-related packages. I think if I would let
portage update them something would get messed up... 
So, in the end, can't I use depclean without adding these packages to world file?

  2) win32codecs was marked to be clean. why?
  # equery d win32codecs
  [ Searching for packages depending on win32codecs... ]
  media-libs/xine-lib-1.0.1-r3
  media-video/avifile-0.7.41.20041001-r1
  media-video/mplayer-1.0_pre7-r1

 Do you have the win32codecs USE flag set? Have you changed it recently?
 Did you do emerge -uavDN world before depclean? If you didn't, your
 current USE flags may be out of sync with what the packages were actually
 merged with.

I don't have that flag set.. never had. Should I? And, first of all,
why do I have win32codecs without having the flag? Was it a dependence
of a prior version of mplayer?




Re: [gentoo-user] Security Updates and Portage Trees

2005-09-21 Thread Neil Bothwick
On Wed, 21 Sep 2005 16:36:59 +0200, Fernando Meira wrote:

  If you installed it with portage, you should have it in world.
 
 
 I've installed with portage, but with --oneshot option. This is because
 (as Holly said) E17 packages need to be installed in proper order. So I
 use a script to update E-related packages. I think if I would let
 portage update them something would get messed up...

So you lied to portage and now it's acting on the incorrect information
you have given it :)

 So, in the end, can't I use depclean without adding these packages to
 world file?

Add them to world. As long as you don't do an automatic emerge -uD
world you shouldn't have a problem. When updates come out, you'll see
them in the output of emerge -pvD world (which you won't with your
current setup) then you can merge them manually in the correct order
before letting portage handle the rest of world.

  Do you have the win32codecs USE flag set? Have you changed it
  recently? Did you do emerge -uavDN world before depclean? If you
  didn't, your current USE flags may be out of sync with what the
  packages were actually merged with.
 
 I don't have that flag set.. never had. Should I? And, first of all,
 why do I have win32codecs without having the flag? Was it a dependence
 of a prior version of mplayer?

That's a possible explanation. the easy way to find out is to run

quickpkg win32codecs
emerge -C win32codecs
emerge world -uavDk

If it really is needed, the last command will re-emerge it.

I take it you have run emerge -uavD --newuse world before depclean?


-- 
Neil Bothwick

Top Oxymorons Number 22: Childproof




Re: [gentoo-user] Security Updates and Portage Trees

2005-09-21 Thread Fernando Meira
On 9/21/05, Neil Bothwick [EMAIL PROTECTED] wrote:
 On Wed, 21 Sep 2005 16:36:59 +0200, Fernando Meira wrote:
   If you installed it with portage, you should have it in world.

  I've installed with portage, but with --oneshot option. This is because
  (as Holly said) E17 packages need to be installed in proper order. So I
  use a script to update E-related packages. I think if I would let
  portage update them something would get messed up...

 So you lied to portage and now it's acting on the incorrect information
 you have given it :)

Basically, yeah! 

  So, in the end, can't I use depclean without adding these packages to
  world file?

 Add them to world. As long as you don't do an automatic emerge -uD
 world you shouldn't have a problem. When updates come out, you'll see
 them in the output of emerge -pvD world (which you won't with your
 current setup) then you can merge them manually in the correct order
 before letting portage handle the rest of world.

I might be wrong, but I have the idea that E-cvs packages are always
updated during an emerge world. Therefore I can't control it by
updating (manually) E-packages and then run emerge world. However, I'll
check this next update.
With all that said, I assume that there's no way to manage my packages
for update and depclean while keeping some of them out of world file...
damn.. 

   Do you have the win32codecs USE flag set? Have you changed it
   recently? Did you do emerge -uavDN world before depclean? If you
   didn't, your current USE flags may be out of sync with what the
   packages were actually merged with.

  I don't have that flag set.. never had. Should I? And, first of all,
  why do I have win32codecs without having the flag? Was it a dependence
  of a prior version of mplayer?

 That's a possible explanation. the easy way to find out is to run

 quickpkg win32codecs
 emerge -C win32codecs
 emerge world -uavDk

 If it really is needed, the last command will re-emerge it.

 I take it you have run emerge -uavD --newuse world before depclean?

I think I'll just add the flag and add --newuse flag for next emerge world! Thanks.



Re: [gentoo-user] Security Updates and Portage Trees

2005-09-21 Thread Neil Bothwick
On Wed, 21 Sep 2005 23:03:53 +0200, Fernando Meira wrote:

  Add them to world. As long as you don't do an automatic emerge -uD
  world you shouldn't have a problem. When updates come out, you'll see
  them in the output of emerge -pvD world (which you won't with your
  current setup) then you can merge them manually in the correct order
  before letting portage handle the rest of world.
 
 I might be wrong, but I have the idea that E-cvs packages are always
 updated during an emerge world.

Only if you run it without -p or -a. I never run emerge world without
first checking exactly what it is going to do.

 Therefore I can't control it by
 updating (manually) E-packages and then run emerge world.

You can, just don't let emerge world run until you are happy with what
it is going to do.


-- 
Neil Bothwick

Compatible: Gracefully accepts erroneous data from any source.




Re: [gentoo-user] Security Updates and Portage Trees

2005-09-20 Thread Fernando Meira
On 9/20/05, Neil Bothwick [EMAIL PROTECTED] wrote:
 On Tue, 20 Sep 2005 09:04:02 +0800, W.Kenworthy wrote:
  One point I have never seen mentioned is *why* would you *not* want a
  package in the world file - especially if you want it to be managed by
  the system?

 The world file is for packages you have explicitly installed for
 yourself, not their dependencies. If you put every package in world,
 emerge will no longer be able to clean out dependencies that are no
 longer needed.

 For example, I have a package installed that used to depend on id3lib, but
 the authors switched over to libid3tag for the latest version, so an
 upgrade pulled in that package and id3lib is no longer required. Because
 it is not in world, my next emerge depclean will remove it, provided
 nothing else needs it. If it had been in world, it would have stayed on
 my system forever, despite being totally unnecessary.

Since you've touched that detail, here is what I have: 
- I run emerge -pv depclean and I get a list where I find these:
 These are the packages that I would unmerge:

media-libs/libmpeg3
 selected: 1.5.2
 protected: none
 omitted: none

x11-plugins/e_modules
 selected: 
 protected: none
 omitted: none

media-libs/win32codecs
 selected: 20050216
 protected: none
 omitted: none

x11-wm/e
 selected: 
 protected: none
 omitted: none

and so on..

So, I have two problems:
1) I'm using E(nlightenment) from cvs, and I don't have it (my option)
in my world file. Therefore it's understandable why emerge wants to
clean it. So, what can I do to be able to use depclean and not lose E.
Adding all E-related packages to world would be a solution, but there's
any other?

2) win32codecs was marked to be clean. why?
# equery d win32codecs
[ Searching for packages depending on win32codecs... ]
media-libs/xine-lib-1.0.1-r3
media-video/avifile-0.7.41.20041001-r1
media-video/mplayer-1.0_pre7-r1
This shows me that 3 other apps depend on win32codecs (or am I getting
it wrong?). So I assume I shouldn't clean this otherwise I'll have
problems next time I run mplayer, right?

Also, 
# equery d libmpeg3 
[ Searching for packages depending on libmpeg3... ]
app-misc/evidence-

takes me back to 1). How can I ensure that dependencies of packages that are not in world file are not erased?

Cheers,
Fernando


Re: [gentoo-user] Security Updates and Portage Trees

2005-09-20 Thread Willie Wong
On Tue, Sep 20, 2005 at 01:50:28PM +0200, Fernando Meira wrote:
 2) win32codecs was marked to be clean. why?
 # equery d win32codecs
 [ Searching for packages depending on win32codecs... ]
 media-libs/xine-lib-1.0.1-r3
 media-video/avifile-0.7.41.20041001-r1
 media-video/mplayer-1.0_pre7-r1

Do you have set the win32codecs useflag? 

W
-- 
TEN RULES OF MENDACIOUS HOUSEKEEPING

1. Vacuuming too often weakens the carpet fibers.
Say this with a serious face, and shudder delicately
whenever anyone mentions Carpet Fresh.

2. Dust bunnies cannot evolve into dust rhinos when disturbed.
Rename the area under the couch The Galapagos Islands and
claim an ecological exemption.

3. Layers of dirty film on windows and screens provide a helpful
filter against harmful and aging rays from the sun. Call it an
SPF factor of 5 and leave it alone.

4. Cobwebs artfully draped over lampshades reduce the glare from
the bulb, thereby creating a romantic atmosphere. If your husband
points out that the light fixtures need dusting, simply look
affronted and exclaim, What? And spoil the mood?

5. In a pinch, you can always claim that the haphazard tower of
unread magazines and newspapers next to your chair provides the
valuable Feng Shui aspect of a tiger, thereby reducing your
vulnerability. Roll your eyes when you say this.

6. Explain the mound of pet hair brushed up against the doorways
by claiming you are collecting it there to use for stuffing handsewn
play animals for underprivileged children.

7. If unexpected company is coming, pile everything unsightly into
one room and close the door. As you show your guests through your
tidy home, rattle the door knob vigorously, fake a growl and say,
I'd love you to see our den, but Fluffy hates to be disturbed
and the shots are SO expensive.

8. If dusting is REALLY out of control, simply place a showy urn
on the coffee table and insist that  THIS is where Grandma wanted
us to scatter her ashes...

9. Don't bother repainting. Simply scribble lightly over a dirty wall
with an assortment of crayons, and try to muster a glint of tears as
you say, Johnny did this when he was two. I haven't had the heart to
clean it...

10. Mix one-quarter cup pine-scented household cleaner with four cups
of water in a spray bottle. Mist the air lightly. Leave dampened rags
in conspicuous locations. Develop an exhausted look, throw yourself
onto the couch, and sigh, I clean and I clean and I still don't get
anywhere...
Sortir en Pantoufles: up 39 days, 16:33
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Security Updates and Portage Trees

2005-09-20 Thread Neil Bothwick
On Tue, 20 Sep 2005 13:50:28 +0200, Fernando Meira wrote:

 - I run emerge -pv depclean and I get a list where I find these:
  These are the packages that I would unmerge:
 
 media-libs/libmpeg3
 selected: 1.5.2
 protected: none
 omitted: none
 
 x11-plugins/e_modules
 selected: 
 protected: none
 omitted: none
 
 media-libs/win32codecs
 selected: 20050216
 protected: none
 omitted: none
 
  x11-wm/e
 selected: 
 protected: none
 omitted: none

 So, I have two problems:
 1) I'm using E(nlightenment) from cvs, and I don't have it (my option)
 in my world file. Therefore it's understandable why emerge wants to
 clean it. So, what can I do to be able to use depclean and not lose E.
 Adding all E-related packages to world would be a solution, but there's
 any other?

If you installed it with portage, you should have it in world.

 2) win32codecs was marked to be clean. why?
 # equery d win32codecs
 [ Searching for packages depending on win32codecs... ]
 media-libs/xine-lib-1.0.1-r3
 media-video/avifile-0.7.41.20041001-r1
 media-video/mplayer-1.0_pre7-r1

Do you have the win32codecs USE flag set? Have you changed it recently?
Did you do emerge -uavDN world before depclean? If you didn't, your
current USE flags may be out of sync with what the packages were actually
merged with.

 # equery d libmpeg3 
 [ Searching for packages depending on libmpeg3... ]
 app-misc/evidence-

What are these  versions? Are they CVS installs, or packages
installed outside of portage and injected, or added
to /etc/portage/profile/package.provided?


-- 
Neil Bothwick

I only shoot IBM's to put them out of their misery.




Re: [gentoo-user] Security Updates and Portage Trees

2005-09-20 Thread Holly Bostick
Neil Bothwick schreef:
 On Tue, 20 Sep 2005 13:50:28 +0200, Fernando Meira wrote:
 
 # equery d libmpeg3 [ Searching for packages depending on 
 libmpeg3... ] app-misc/evidence-
 
 
 What are these  versions? Are they CVS installs, or packages 
 installed outside of portage and injected, or added to 
 /etc/portage/profile/package.provided?
 
 
Oooh, ooh, I know!!!

The  versions are Enlightenment 17 installs, from Portage, but
utilizing E17 CVS.

It's very complex; the packages have to be installed in a specific order
for the whole thing to work (but E17 is pretty cool).

I tried E17 recently. I don't remember the name of the media player that
perhaps has libmpeg3 as a dependency, but E17 has so much stuff


Holly
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Security Updates and Portage Trees

2005-09-19 Thread gentuxx

Jason Stubbs wrote:

 On Monday 19 September 2005 13:16, gentuxx wrote:

  If I update firefox with the --oneshot option, I know that it won't
  update the world tree, but why? Why is that the recommended
  procedure? Does that give me any benefit? Also, why would a package
  be available as a --oneshot and NOT through a normal emerge -Dupv
  world?

 The package would be available through -Dupv as well, but not everybody
 likes to update all packages (especially on servers).

Granted.  And while I run a server (a few actually), it's a home
system, not a production one.  And, since I run production gentoo
systems, I understand the difference.  For this, I'm asking from the
perspective of a home user.  So, that being said, does updating a
package for a security fix using the --oneshot option update the
same package that is housed in the world tree?  If so, can I
assume that the same package will be updated next time I update
world?  Meaning, if I run --oneshot for mozilla-firefox-1.0.6-r7
and mozilla-firefox-1.0.7-r1 comes out, will 1.0.6-r7 be upgraded to
1.0.7-r1?

  I love how portage unifies the packaging system, and I feel like if I
  run all of these --oneshot updates for security fixes, that I'll
  have all of these stray programs running around on my system, that
  won't get updated next time I emerge world.

 --oneshot won't remove the package from world. It just prevents it from
 being added. If the package is installed but not in world, it is presumably
 there as a dependency from another package. Hence, updating world will
 still grab the package. Using --oneshot just keeps the world file clean.

So what exactly does that mean if the package is already in world?
If every security fix comes out with --oneshot being recommended,
how do I know if it's a dependency of a package in world, or an entity
in world?  (This seems like an extension of the questioning above.)

I'm just trying to set all this straight mentally, so I know what's
going on with my system when I update it.  I typically run the
following to update my system 2 or 3 times a week (sometimes only once):

emerge -Du(p)v world
emerge -(p)v depclean
revdep-rebuild -(p)v
dispatch-conf

I put the p for --pretend in parentheses because depending on the
output of that step, I may skip it if there is nothing to do.

Also, for the most recent firefox update, I would run the command as
recommended with the -p flag, and it would see the package.  If I
run emerge -Dupv mozilla-firefox I only get a few of the (supposed)
dependencies, and not the package itself, while the package installed
(when I do emerge search mozilla-firefox) is 1.0.6-r5.


- --
gentux
echo hfouvyAdpy/ofu | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint == 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A
6996 0993

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Security Updates and Portage Trees

2005-09-19 Thread Jason Stubbs
On Monday 19 September 2005 15:00, gentuxx wrote:
 does updating a package for a security fix using the --oneshot option 
 update the same package that is housed in the world tree?  

There is no world tree. There is only a list. --oneshot has no effect on 
this list.

 If so, can I assume that the same package will be updated next time I 
 update world?  Meaning, if I run --oneshot for 
 mozilla-firefox-1.0.6-r7 and mozilla-firefox-1.0.7-r1 comes out, will 
 1.0.6-r7 be upgraded to 1.0.7-r1? 

If it was in the world list prior to you running --oneshot, it'll still be 
in the world list afterward. Hence, it will be updated with world.

 If every security fix comes out with --oneshot being recommended,
 how do I know if it's a dependency of a package in world, or an entity
 in world?  (This seems like an extension of the questioning above.)

What does it matter in the context of a security update?

 Also, for the most recent firefox update, I would run the command as
 recommended with the -p flag, and it would see the package.  If I
 run emerge -Dupv mozilla-firefox I only get a few of the (supposed)
 dependencies, and not the package itself, while the package installed
 (when I do emerge search mozilla-firefox) is 1.0.6-r5.

If that is the case then 1.0.6-r5 is the latest version available for you 
with respect to your current snapshot of the tree.

-- 
Jason Stubbs




Re: [gentoo-user] Security Updates and Portage Trees

2005-09-19 Thread W.Kenworthy
One point I have never seen mentioned is *why* would you *not* want a
package in the world file - especially if you want it to be managed by
the system?

BillK


On Tue, 2005-09-20 at 09:07 +0900, Jason Stubbs wrote:
 On Tuesday 20 September 2005 01:12, gentuxx wrote:
  If every security fix comes out with --oneshot being recommended,

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Security Updates and Portage Trees

2005-09-19 Thread gentuxx

W.Kenworthy wrote:

 One point I have never seen mentioned is *why* would you *not* want a
 package in the world file - especially if you want it to be managed by
 the system?

 BillK

I guess maybe that's part of what I'm getting at.  ;-)

 On Tue, 2005-09-20 at 09:07 +0900, Jason Stubbs wrote:

  On Tuesday 20 September 2005 01:12, gentuxx wrote:

   If every security fix comes out with --oneshot being recommended,




- --
gentux
echo hfouvyAdpy/ofu | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint == 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A
6996 0993

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Security Updates and Portage Trees

2005-09-18 Thread gentuxx

Hi all,

I don't know if this would be considered a newbie question or not.  I
haven't really seen it asked, and I haven't been able to find any
documentation that clearly states this, so I thought I would ask here.

Why is the --oneshot option specified in the GLSA advisories?  And
how does that affect the different package groups (trees) in portage?

If I update firefox with the --oneshot option, I know that it won't
update the world tree, but why?  Why is that the recommended
procedure?  Does that give me any benefit?  Also, why would a package
be available as a --oneshot and NOT through a normal emerge -Dupv
world?

I love how portage unifies the packaging system, and I feel like if I
run all of these --oneshot updates for security fixes, that I'll
have all of these stray programs running around on my system, that
won't get updated next time I emerge world.

Can someone maybe shed a little light for me?

Thanks.

- --
gentux
echo hfouvyAdpy/ofu | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint == 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A
6996 0993
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDLjurLYGSSmmWCZMRAqqxAJ9LjFKFggkmVgD9SkeTcIkJ1gRbxQCfYZTX
A3jilZ2/0hkV2JLMZoTp1VI=
=onDU
-END PGP SIGNATURE-

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Security Updates and Portage Trees

2005-09-18 Thread Jason Stubbs
On Monday 19 September 2005 13:16, gentuxx wrote:
 If I update firefox with the --oneshot option, I know that it won't
 update the world tree, but why?  Why is that the recommended
 procedure?  Does that give me any benefit?  Also, why would a package
 be available as a --oneshot and NOT through a normal emerge -Dupv
 world?

The package would be available through -Dupv as well, but not everybody 
likes to update all packages (especially on servers).

 I love how portage unifies the packaging system, and I feel like if I
 run all of these --oneshot updates for security fixes, that I'll
 have all of these stray programs running around on my system, that
 won't get updated next time I emerge world.

--oneshot won't remove the package from world. It just prevents it from 
being added. If the package is installed but not in world, it is presumably 
there as a dependency from another package. Hence, updating world will 
still grab the package. Using --oneshot just keeps the world file clean.

-- 
Jason Stubbs




[gentoo-user] security issues

2005-08-21 Thread John Dangler
With the basic install of gentoo 2.6.12-r9 behind me (forget splash - it's
not worth the headaches right now, and I need more research to find a good
backup solution), I read through the gentoo security doc.  There's a world
of stuff here!
I have a laptop that I'm intending to use for web development (the geek
side) and also for business tasks (the end user side).
I'm wondering how much / how little of the security measures mentioned in
the gentoo security doc I really need?
Or, should I move on to the desktop environment first, and then come back
and tighten down the system?

Thanks for the input - as always, greatly appreciated.

John D




-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Security Violation: A file exists that is not in the manifest

2005-05-03 Thread Norbert Kamenicky
Nelis Lamprecht wrote:
 Hi,
 
 I am getting several of the above/below errors which is preventing me
 from updating my ports. How do I get around this ? Deleting the files
 doesn't seem to help.
 
 !!! Security Violation: A file exists that is not in the manifest.

I guess u clone portage tree from another PC repeatedly, but forgot
to add --delete flag to rsync command.
emerge sync should help, RTFM rsync too.

noro
-- 
gentoo-user@gentoo.org mailing list