Re: [Evergreen] samba security update - badlock and friends

2016-04-16 Thread Christian Boltz
Hello,

On Saturday, 16 April 2016, 13:27:18 CEST, Wolfgang Rosenauer wrote:
> On 16.04.2016 at 13:11, Christian Boltz wrote:
...
> > I just submitted the update:
> > https://build.opensuse.org/request/show/390298
> 
> For whatever reason it ended up in the openSUSE:Maintenance target
> instead of openSUSE:Evergreen:Maintenance.

I followed the instructions on
https://en.opensuse.org/openSUSE:Package_maintenance
which basically means
osc branch -M -c openSUSE:13.1 apparmor
followed by (after applying the changes)
osc mr

Now I noticed https://en.opensuse.org/evergreen#Version_11.4.2F13.1 has 
different instructions, so maybe that explains it.

> I've just done an SR
> https://build.opensuse.org/request/show/390300
> You can revoke the other one.

Thanks, and done ;-)


Regards,

Christian Boltz
-- 
>>I know enough NT admins with salaries from 150 KDM upwards who know
>>less about NT than I do  -  and that is _very_ little.
>NT admins are paid like members of the Bundestag?
Where do you get offers like that? Is there an MCSE red-light strip somewhere?
[in dasr]

___
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen


Re: [Evergreen] samba security update - badlock and friends

2016-04-16 Thread Wolfgang Rosenauer
On 16.04.2016 at 13:11, Christian Boltz wrote:
> Hello,
> 
> On Saturday, 16 April 2016, 12:40:47 CEST, Michal Kubecek wrote:
>> On Sat, Apr 16, 2016 at 12:24:03AM +0200, Christian Boltz wrote:
> 
> FYI: a quick test of the updated packages on one of my 13.1 machines 
> looks good.
> 
>> But I'm not really an expert on this. So maybe
>>
>>> That said - I don't think having a separate update is a real problem
>>> if both are released at the same time (or AppArmor first).
>>
>> might be the safest option after all.
> 
> Indeed ;-)
> 
> I just submitted the update:
> https://build.opensuse.org/request/show/390298

For whatever reason it ended up in the openSUSE:Maintenance target
instead of openSUSE:Evergreen:Maintenance.
I've just done an SR
https://build.opensuse.org/request/show/390300
You can revoke the other one.


Thanks,
 Wolfgang


Re: [Evergreen] samba security update - badlock and friends

2016-04-16 Thread Christian Boltz
Hello,

On Saturday, 16 April 2016, 12:40:47 CEST, Michal Kubecek wrote:
> On Sat, Apr 16, 2016 at 12:24:03AM +0200, Christian Boltz wrote:

FYI: a quick test of the updated packages on one of my 13.1 machines 
looks good.

> But I'm not really an expert on this. So maybe
> 
> > That said - I don't think having a separate update is a real problem
> > if both are released at the same time (or AppArmor first).
> 
> might be the safest option after all.

Indeed ;-)

I just submitted the update:
https://build.opensuse.org/request/show/390298

BTW: I also managed to get 2.9.3 released upstream, so the update for 
13.2 is one of the next things I'll do ;-)

> > [1] 2.10 isn't the worst thing that can happen to you ;-) and probably
> > has far fewer bugs than 2.8.4 - but I understand that such a version
> > update isn't the best idea for a maintenance release.
> > I'll ignore the fact that we do a version update of Samba ;-)
> 
> I'm really not happy about it either. I even tried to start rebasing
> the series but after more than half of first 10 commits needed
> adjusting and there were still more than 200 more, I realized that

Impressive numbers...

> upgrade is probably the only viable option. After all, the fact that
> the same was done in SLE12 GA was a hint...

Oh yes. If even SLE12 does a version update, that's a *very* clear hint 
;-)


Regards,

Christian Boltz
-- 
... if you can only imperfectly filter spam and viruses,
how do you expect to filter (or rather torture) the Windoze experts? ;-)
[Paul Foerster in suse-laptop]


Re: [Evergreen] samba security update - badlock and friends

2016-04-16 Thread Wolfgang Rosenauer
On 16.04.2016 at 12:40, Michal Kubecek wrote:
> On Sat, Apr 16, 2016 at 12:24:03AM +0200, Christian Boltz wrote:
>>> The samba update is submitted now to
>>> openSUSE:Evergreen:Maintenance:4627 If you are going to submit the
>>> AppArmor profile update, using this incident would be IMHO the best
>>> option as that way both samba and profile update would be released at
>>> once, preventing regressions.
>>
>> What is the best way to do this?
>> I'd guess something like
>>
>> osc sr security:apparmor apparmor_2_8  \ 
>> openSUSE:Evergreen:Maintenance:4627 WHATEVER
>>
>> but I'm not sure what I should use for WHATEVER ;-)
> 
> I assume apparmor.openSUSE_13.1_Update
> 
> Or maybe rather
> 
>   osc mr -a Evergreen:MaintenanceProject \
>   --incident-project openSUSE:Evergreen:Maintenance:4627 \
>   security:apparmor apparmor_2_8 openSUSE:13.1:Update

Just submit it via SR or MR without anything special (with
-a Evergreen:MaintenanceProject for MR, though).
I can merge incoming requests afterwards.

Thanks,
 Wolfgang


Re: [Evergreen] samba security update - badlock and friends

2016-04-16 Thread Michal Kubecek
On Sat, Apr 16, 2016 at 12:24:03AM +0200, Christian Boltz wrote:
> > The samba update is submitted now to
> > openSUSE:Evergreen:Maintenance:4627 If you are going to submit the
> > AppArmor profile update, using this incident would be IMHO the best
> > option as that way both samba and profile update would be released at
> > once, preventing regressions.
> 
> What is the best way to do this?
> I'd guess something like
> 
> osc sr security:apparmor apparmor_2_8  \ 
> openSUSE:Evergreen:Maintenance:4627 WHATEVER
> 
> but I'm not sure what I should use for WHATEVER ;-)

I assume apparmor.openSUSE_13.1_Update

Or maybe rather

  osc mr -a Evergreen:MaintenanceProject \
  --incident-project openSUSE:Evergreen:Maintenance:4627 \
  security:apparmor apparmor_2_8 openSUSE:13.1:Update

But I'm not really an expert on this. So maybe

> That said - I don't think having a separate update is a real problem if 
> both are released at the same time (or AppArmor first).

might be the safest option after all.

> [1] 2.10 isn't the worst thing that can happen to you ;-) and probably
> has far fewer bugs than 2.8.4 - but I understand that such a version
> update isn't the best idea for a maintenance release.
> I'll ignore the fact that we do a version update of Samba ;-)

I'm really not happy about it either. I even tried to start rebasing the
series but after more than half of first 10 commits needed adjusting and
there were still more than 200 more, I realized that upgrade is probably
the only viable option. After all, the fact that the same was done in
SLE12 GA was a hint...

  Michal Kubecek


Re: [Evergreen] samba security update - badlock and friends

2016-04-15 Thread Christian Boltz
Hello,

On Friday, 15 April 2016, 09:12:06 CEST, Michal Kubecek wrote:
> On Thu, Apr 14, 2016 at 07:25:51AM +0200, Michal Kubecek wrote:
> > On Thu, Apr 14, 2016 at 12:31:48AM +0200, Christian Boltz wrote:
> > > General feedback if we want that "big" profile update patch or
> > > only a
> > > "small" patch to adjust the samba/nmbd profile is also welcome.
> > 
> > As you seem to know that some of the changes are actually needed in
> > 13.1 (and IIRC you mentioned one in the recent nscd thread), I
> > would vote for the full patch.

Packages with all the profile updates and an additional fix for 
libapparmor (taken from upstream 2.8 bzr branch) to support more log 
formats just built in security:apparmor.

Note that this repo contains multiple versions and will give you 
AppArmor 2.10 if you just zypper dup from it [1], so you'll need to use 
zypper in with the exact 2.8.4 version in the zypper command line.

The safer (and maybe easier) way is probably to download the packages 
via

osc getbinaries security:apparmor apparmor_2_8 openSUSE_13.1 x86_64

(or i586, whatever you need) and install them manually.

I'll test the packages on one of my servers tomorrow and submit them to 
Evergreen afterwards.

> The samba update is submitted now to
> openSUSE:Evergreen:Maintenance:4627 If you are going to submit the
> AppArmor profile update, using this incident would be IMHO the best
> option as that way both samba and profile update would be released at
> once, preventing regressions.

What is the best way to do this?
I'd guess something like

osc sr security:apparmor apparmor_2_8  \ 
openSUSE:Evergreen:Maintenance:4627 WHATEVER

but I'm not sure what I should use for WHATEVER ;-)


That said - I don't think having a separate update is a real problem if 
both are released at the same time (or AppArmor first).


Regards,

Christian Boltz

[1] 2.10 isn't the worst thing that can happen to you ;-) and probably
has far fewer bugs than 2.8.4 - but I understand that such a version
update isn't the best idea for a maintenance release.
I'll ignore the fact that we do a version update of Samba ;-)

-- 
looks like you have some special code in yast for password "x", maybe I
should use the even more secure new password "y" in the future  ?! ;-)
[Harald Koenig in https://bugzilla.novell.com/show_bug.cgi?id=148464]


Re: [Evergreen] samba security update - badlock and friends

2016-04-15 Thread Michal Kubecek
On Thu, Apr 14, 2016 at 07:25:51AM +0200, Michal Kubecek wrote:
> On Thu, Apr 14, 2016 at 12:31:48AM +0200, Christian Boltz wrote:
> 
> > General feedback if we want that "big" profile update patch or only a 
> > "small" patch to adjust the samba/nmbd profile is also welcome.
> 
> As you seem to know that some of the changes are actually needed in 13.1
> (and IIRC you mentioned one in the recent nscd thread), I would vote for
> the full patch.

The samba update is submitted now to openSUSE:Evergreen:Maintenance:4627
If you are going to submit the AppArmor profile update, using this
incident would be IMHO the best option as that way both samba and
profile update would be released at once, preventing regressions.

Michal Kubecek


Re: [Evergreen] samba security update - badlock and friends

2016-04-14 Thread Michal Kubecek
On Thu, Apr 14, 2016 at 07:25:51AM +0200, Michal Kubecek wrote:
> On Thu, Apr 14, 2016 at 12:31:48AM +0200, Christian Boltz wrote:
> > On Wednesday, 13 April 2016, 22:04:37 CEST, Michal Kubecek wrote:
> > > 
> > > I did some (very) basic testing and found only one issue: to start
> > > nmbd from 4.2.4 package on a 13.1 system with AppArmor, these need to
> > > be added to its profile:
> > > 
> > >   /var/{cache,lib}/samba/lck/ w,
> > >   /var/{cache,lib}/samba/lck/* wk,
> > >   /var/{cache,lib}/samba/msg/ w,
> > >   /var/{cache,lib}/samba/msg/* w,
> > 
> > Are those files and directories in /var/cache/samba/ or /var/lib/samba/ ?
> > I'm asking because /var/lib/samba/** is covered by newer upstream 
> > profiles (via abstractions/samba), while /var/cache/samba/ isn't.
> 
> Only /var/lib/samba paths were needed, I just adjusted the rules to match
> the others.
> 
> I will check if the same problem exists in SLE12 GA and openSUSE 13.2
> which also upgraded from 4.1.x to 4.2.4 (and to exactly the same
> package). If it does, I'll file a bug.

SLE12 GA has apparmor-profiles 2.8.2 but it already has

  /var/lib/samba/** rwk,

in abstractions/samba so it's OK. On the other hand, 13.2 has newer
apparmor-profiles 2.9.1 but still without the general rule and as I
checked now, it suffers from the same problem as 13.1. The update hasn't
been released yet so I added a comment to the openSUSE:Maintenance:4961
release request #389541 (https://build.opensuse.org/request/show/389541).

  Michal Kubecek
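As an added example (not code from this thread, from libapparmor, or from the AppArmor utilities), the following Python models the file-rule globbing that lets the single /var/lib/samba/** rwk, rule in SLE12's abstractions/samba cover what the four 13.1 rules cover path by path, and checks constructed apparmor="DENIED" audit lines for nmbd against either rule set to see which permissions a profile still lacks. The profile fragments, audit lines, pids and file names are constructed for illustration; the glob-to-regex mapping follows the description in apparmor.d(5) (no character classes modeled) and is not the kernel's matcher, so apparmor_parser and aa-logprof remain authoritative.

```python
"""Check AppArmor file rules against the denials an upgraded daemon logs.

Added example; not code from this thread, libapparmor or the AppArmor
utilities. Glob handling models apparmor.d(5): '*' matches any run of
characters except '/', '**' also crosses '/', '?' is one non-'/' character
and '{a,b}' is alternation. All profile fragments and logs are constructed.
"""
import re

# Audit requested/denied_mask letters -> file-rule permission letters.
# Create ('c') and delete ('d') both need 'w' in a file rule.
MASK_TO_PERM = {'c': 'w', 'd': 'w', 'w': 'w', 'r': 'r', 'a': 'a',
                'k': 'k', 'l': 'l', 'm': 'm'}
# Plain file rules only; exec rules (ix/Px/...) are out of scope here.
RULE_RE = re.compile(r'^\s*(/\S+)\s+([rwakml]+)\s*,\s*$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regular expression."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == '*':
            if glob.startswith('**', i):
                out.append('.*')
                i += 1                  # consume the second '*'
            else:
                out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == ',' and depth:
            out.append('|')
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def parse_rules(profile_text):
    """Return [(compiled_glob, perms)] for the file rules in a profile."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def parse_denials(log_text):
    """Return [(profile, path, needed_perms)] from apparmor="DENIED" lines.
    Only the key="value" tail is read, so audit AVC and syslog forms work."""
    denials = []
    for line in log_text.splitlines():
        kv = dict(KV_RE.findall(line))
        if kv.get('apparmor') != 'DENIED' or 'name' not in kv:
            continue
        mask = kv.get('denied_mask') or kv.get('requested_mask', '')
        perms = {MASK_TO_PERM[ch] for ch in mask if ch in MASK_TO_PERM}
        denials.append((kv.get('profile', '?'), kv['name'], perms))
    return denials


def covered_perms(rules, path):
    """Union of the permissions granted by every rule whose glob matches."""
    return set().union(*(p for rx, p in rules if rx.match(path)))


def missing_rules(profile_text, log_text):
    """Map each denied path to the permissions the profile still lacks."""
    rules = parse_rules(profile_text)
    missing = {}
    for _profile, path, perms in parse_denials(log_text):
        gap = perms - covered_perms(rules, path)
        if gap:
            missing[path] = missing.get(path, set()) | gap
    return missing


# Constructed: the four rules proposed for 13.1 in this thread, and the
# broader rule the SLE12 abstractions/samba already carries.
PROFILE_131 = """
  /var/{cache,lib}/samba/lck/ w,
  /var/{cache,lib}/samba/lck/* wk,
  /var/{cache,lib}/samba/msg/ w,
  /var/{cache,lib}/samba/msg/* w,
"""
PROFILE_SLE12 = "  /var/lib/samba/** rwk,\n"

# Constructed audit lines in the shape an unmodified profile would yield for
# nmbd; pids, timestamps and file names are illustrative, not captured.
DENIALS = """
type=AVC msg=audit(1460590000.100:101): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/nmbd" name="/var/lib/samba/lck/" pid=4242 comm="nmbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1460590000.101:102): apparmor="DENIED" operation="open" profile="/usr/sbin/nmbd" name="/var/lib/samba/lck/example.tdb" pid=4242 comm="nmbd" requested_mask="wrc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1460590000.102:103): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/nmbd" name="/var/lib/samba/lck/example.tdb" pid=4242 comm="nmbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1460590000.103:104): apparmor="DENIED" operation="open" profile="/usr/sbin/nmbd" name="/var/lib/samba/msg/4242" pid=4242 comm="nmbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""
```

Running missing_rules('', DENIALS) reports the lck/ directory needing w, the lock file needing w and k, and the msg entry needing w, which is exactly the shape of the four rules; with either PROFILE_131 or PROFILE_SLE12 loaded the result is empty. Note that the /var/lib/samba/** rule grants nothing under /var/cache/samba/, which is why the question of where the files actually live mattered in the thread.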
