Re: [gentoo-user] Re: escape from i3lock
> No, it's my way to run things as root, in general. I distrust su, sudo
> and friends.
>

su is mature, well understood and the standard way of doing things. If
you had run an extra term in your X session that had been su'd to root,
you wouldn't be exposing a root shell at the console. Perhaps your
distrust of su is making you less secure? You might be thinking in
absolutes, e.g. "su is insecure" but it's better to think along the lines
of "is more or less secure than su?"
Re: [gentoo-user] Decent single-user/embedded-device security standard
On Thu, Jul 11, 2019 at 9:30 AM Laurence Perkins wrote:

> When the security auditors come through and ask what standard I use for
> securing my systems I'd like to have something to tell them.
>
> I've had a few suggestions like USGCB, etc. But looking at them they
> all seem to start from the direction of "take a bloated, wide-open
> Microsoft/Redhat default OS and do these things to make it 'secure' so
> you can let several dozen users play around on it without fear."
>
> A lot of the stuff on the list doesn't apply to or would slightly
> reduce the overall security of the device (I think I'll keep my default
> umask at 077 thanks...)
>
>

You could still use USGCB (or whichever standard the auditors regard
highly) but then document the differences with a note explaining why.
For USGCB I'd add another column to the spreadsheet with options of
compliant/non compliant with mitigations/non compliant/not applicable
and another column for notes. e.g. umask 077 would be compliant, and in
the notes column "stricter than required".

From their point of view they need to justify passing you, and USGCB
states "these recommendations do not address site-specific configuration
issues. Care must be taken when implementing these settings to address
local operational and policy concerns" so deltas are expected. Don't
worry if it seems like it's all deltas...
[gentoo-user] Re: escape from i3lock
A wrapper script like this seems to do the trick.

#!/bin/bash
# stop the X server acting on Ctrl+Alt+<key> (the VT switch keys) while locked
setxkbmap -option srvrkeys:none
# -n keeps i3lock in the foreground until the screen is unlocked
i3lock -c 003355 -n
# clear the XKB options again after unlocking
setxkbmap -option ''

Artur

Ian Zimmerman writes:

On 2019-07-10 20:44, François-Xavier CARTON wrote:

> On 7/10/19 7:03 PM, Ian Zimmerman wrote:
> > Here is my next "low information" question, haha.
> >
> > I use i3lock which is like Xscreensaver but much much simpler; it plays
> > no movies or games, just blanks the screen with a configured color or
> > image. To unlock it you have to type your password.
> >
> > It bothers me that even when i3lock has locked the X session, I can
> > still switch to other Linux virtual consoles with Alt-Control-F ,
> > without typing the password. It so happens that on one of the other
> > virtual consoles there is often an interactive root shell :-P
> >
> > So, is it possible to prevent virtual console switching while the X
> > screen is locked, but still allow it at other times? Looks like
> > something the locker program would have to do, not the X server; but
> > again I don't know much about this stuff.
> >
>
> Not a direct answer to your question, but as a workaround you can use
> tmux sessions, and simply detach them and logout when you lock your
> computer.

I could also just log out directly :-) It's not like I have some
context in the shell that I want to keep. It is just there when I want
to be root.

> Also, if this is just a shell to start the X server, you can launch it
> as "startx & bg; disown" and then logout.

No, it's my way to run things as root, in general. I distrust su, sudo
and friends.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
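A variant of the wrapper in the message above, as an added example that is not part of the original post: it saves the XKB options reported by `setxkbmap -query` and re-applies them after unlocking, because `setxkbmap -option ''` clears every option the user had set, not only `srvrkeys:none`. The function names and the `lock` argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): lock wrapper that puts the user's
# own XKB options back afterwards instead of clearing them all.
# Function names are made up for this sketch.

# Read `setxkbmap -query` output on stdin and print the comma-separated
# option list; prints nothing when there is no "options:" line.
parse_xkb_options() {
    sed -n 's/^options:[[:space:]]*//p'
}

# Clear every XKB option (this drops srvrkeys:none), then re-apply each
# saved option with its own -option flag.
restore_xkb_options() {
    saved=$1
    set -- -option ''
    old_ifs=$IFS
    IFS=,
    for opt in $saved; do
        [ -z "$opt" ] || set -- "$@" -option "$opt"
    done
    IFS=$old_ifs
    setxkbmap "$@"
}

# Lock the screen with the server's Ctrl+Alt+<key> handling switched off.
# Returns i3lock's exit status.
lock_without_vt_switch() {
    saved_opts=$(setxkbmap -query | parse_xkb_options)

    # If the option cannot be applied, still lock, but say so: the VT
    # switch keys may remain live.
    if ! setxkbmap -option srvrkeys:none; then
        echo "warning: srvrkeys:none not applied" >&2
    fi

    # -n keeps i3lock in the foreground, so the restore below runs only
    # after i3lock has exited. There is deliberately no trap: if this
    # wrapper is killed while the screen is locked, the restrictive
    # option stays in place rather than being lifted behind the locker.
    lock_status=0
    i3lock -c 003355 -n || lock_status=$?

    restore_xkb_options "$saved_opts"
    return "$lock_status"
}

# Run as "<script> lock" to lock; with no argument only the functions
# are defined (useful for sourcing from another script).
if [ "${1:-}" = "lock" ]; then
    lock_without_vt_switch
fi
```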
[gentoo-user] Decent single-user/embedded-device security standard
When the security auditors come through and ask what standard I use for
securing my systems I'd like to have something to tell them.

I've had a few suggestions like USGCB, etc. But looking at them they
all seem to start from the direction of "take a bloated, wide-open
Microsoft/Redhat default OS and do these things to make it 'secure' so
you can let several dozen users play around on it without fear."

A lot of the stuff on the list doesn't apply to or would slightly
reduce the overall security of the device (I think I'll keep my default
umask at 077 thanks...)

I'm hoping somebody here knows of a commonly used security
specification for bottom-up minimal systems so I can minimize the time
I have to waste explaining that it simply doesn't have a print server,
email server, cifs server, etc., (or even any way for any user to
obtain shell access without first being in possession of
administrator-level credentials) and that half to two-thirds of the
checklist doesn't even apply.

LMP
[gentoo-user] Re: escape from i3lock
I guess you are using xorg.
man xorg says that there is an option in serverflags section which
disables this functionality.

Option "DontVTSwitch" "boolean"

So you could add a section into xorg.conf or xorg.conf.d/

Artur

Ian Zimmerman writes:

On 2019-07-10 20:44, François-Xavier CARTON wrote:

> On 7/10/19 7:03 PM, Ian Zimmerman wrote:
> > Here is my next "low information" question, haha.
> >
> > I use i3lock which is like Xscreensaver but much much simpler; it plays
> > no movies or games, just blanks the screen with a configured color or
> > image. To unlock it you have to type your password.
> >
> > It bothers me that even when i3lock has locked the X session, I can
> > still switch to other Linux virtual consoles with Alt-Control-F ,
> > without typing the password. It so happens that on one of the other
> > virtual consoles there is often an interactive root shell :-P
> >
> > So, is it possible to prevent virtual console switching while the X
> > screen is locked, but still allow it at other times? Looks like
> > something the locker program would have to do, not the X server; but
> > again I don't know much about this stuff.
> >
>
> Not a direct answer to your question, but as a workaround you can use
> tmux sessions, and simply detach them and logout when you lock your
> computer.

I could also just log out directly :-) It's not like I have some
context in the shell that I want to keep. It is just there when I want
to be root.

> Also, if this is just a shell to start the X server, you can launch it
> as "startx & bg; disown" and then logout.

No, it's my way to run things as root, in general. I distrust su, sudo
and friends.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
[gentoo-user] Re: escape from i3lock
On 2019-07-10 20:44, François-Xavier CARTON wrote:

> On 7/10/19 7:03 PM, Ian Zimmerman wrote:
> > Here is my next "low information" question, haha.
> >
> > I use i3lock which is like Xscreensaver but much much simpler; it plays
> > no movies or games, just blanks the screen with a configured color or
> > image. To unlock it you have to type your password.
> >
> > It bothers me that even when i3lock has locked the X session, I can
> > still switch to other Linux virtual consoles with Alt-Control-F ,
> > without typing the password. It so happens that on one of the other
> > virtual consoles there is often an interactive root shell :-P
> >
> > So, is it possible to prevent virtual console switching while the X
> > screen is locked, but still allow it at other times? Looks like
> > something the locker program would have to do, not the X server; but
> > again I don't know much about this stuff.
> >
>
> Not a direct answer to your question, but as a workaround you can use
> tmux sessions, and simply detach them and logout when you lock your
> computer.

I could also just log out directly :-) It's not like I have some
context in the shell that I want to keep. It is just there when I want
to be root.

> Also, if this is just a shell to start the X server, you can launch it
> as "startx & bg; disown" and then logout.

No, it's my way to run things as root, in general. I distrust su, sudo
and friends.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
[gentoo-user] Re: escape from i3lock
On 2019-07-10 15:23, Alec Ten Harmsel wrote:

> On Wed, Jul 10, 2019 at 10:03:42AM -0700, Ian Zimmerman wrote:
> > Here is my next "low information" question, haha.
> >
> > I use i3lock which is like Xscreensaver but much much simpler; it plays
> > no movies or games, just blanks the screen with a configured color or
> > image. To unlock it you have to type your password.
> > It bothers me that even when i3lock has locked the X session, I can
> > still switch to other Linux virtual consoles with Alt-Control-F ,
> > without typing the password. It so happens that on one of the other
> > virtual consoles there is often an interactive root shell :-P
> >
> > So, is it possible to prevent virtual console switching while the X
> > screen is locked, but still allow it at other times? Looks like
> > something the locker program would have to do, not the X server; but
> > again I don't know much about this stuff.
>
> Which init are you using, what display manager, and how are you
> launching it? I'm using systemd and sddm, and when I run `i3lock', I
> cannot switch to different virtual consoles.
>
> Not sure whether any of that stuff matters, but that was the first thing
> I thought of.

It does matter. Sysvinit, xdm via an initscript. Not so long ago, no DM
at all, just startx/xinit.

This is probably a function of consolekit or some of the other awful
*kits. Not installing one of those. I'll find a workaround.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
Re: [gentoo-user] escape from i3lock
On Wed, Jul 10, 2019, at 19:04, Ian Zimmerman wrote:

> Here is my next "low information" question, haha.
>
> I use i3lock which is like Xscreensaver but much much simpler; it plays
> no movies or games, just blanks the screen with a configured color or
> image. To unlock it you have to type your password.
>
> It bothers me that even when i3lock has locked the X session, I can
> still switch to other Linux virtual consoles with Alt-Control-F ,
> without typing the password. It so happens that on one of the other
> virtual consoles there is often an interactive root shell :-P
>
> So, is it possible to prevent virtual console switching while the X
> screen is locked, but still allow it at other times? Looks like
> something the locker program would have to do, not the X server; but
> again I don't know much about this stuff.

A command such as physlock can be used to lock virtual terminals:

- https://github.com/muennich/physlock
- https://packages.gentoo.org/packages/app-misc/physlock

--
https://fturco.gitlab.io/
Re: [gentoo-user] escape from i3lock
On Wed, Jul 10, 2019 at 09:52:55PM +0100, Neil Bothwick wrote:

> On Wed, 10 Jul 2019 15:23:08 -0400, Alec Ten Harmsel wrote:
>
> > Which init are you using, what display manager, and how are you
> > launching it? I'm using systemd and sddm, and when I run `i3lock', I
> > cannot switch to different virtual consoles.
>
> I use slock for this with the same problem. I just tried i3lock, with
> systemd and sddm, and I can still switch to a virtual console.
>

I just don't know what I'm doing - I can switch virtual consoles too. I
had no idea that I had to press Ctrl + Alt + F[1-9].

Based on a cursory look[1] I'd guess this would be something that i3lock
has to implement. Or just workaround by using tmux or screen instead of
virtual consoles as someone else suggested.

Alec

1. https://askubuntu.com/questions/357039/how-do-i-disable-virtual-consoles-tty1-6
Re: [gentoo-user] escape from i3lock
On Wed, 10 Jul 2019 15:23:08 -0400, Alec Ten Harmsel wrote:

> > It bothers me that even when i3lock has locked the X session, I can
> > still switch to other Linux virtual consoles with Alt-Control-F ,
> > without typing the password. It so happens that on one of the other
> > virtual consoles there is often an interactive root shell :-P
> >
> > So, is it possible to prevent virtual console switching while the X
> > screen is locked, but still allow it at other times? Looks like
> > something the locker program would have to do, not the X server; but
> > again I don't know much about this stuff.
>
> Which init are you using, what display manager, and how are you
> launching it? I'm using systemd and sddm, and when I run `i3lock', I
> cannot switch to different virtual consoles.

I use slock for this with the same problem. I just tried i3lock, with
systemd and sddm, and I can still switch to a virtual console.

--
Neil Bothwick

If it ain't broke, break it and charge for repair.
Re: [gentoo-user] Firefox key shortcut buglet
Ian Zimmerman wrote:

> Alt-Control-R should switch between normal rendering and Reader mode.
> All the documentation available including the "tooltip" that pops up
> when I hover my mouse over the Reader icon agrees.
>
> And yet, in the File menu, there is an item "Restart (Developer)" with
> the same shortcut. And when I in fact press this key combo, this is
> what happens: Firefox restarts. I have no use for this, while the
> Reader shortcut is moderately useful.
>
> I haven't seen the Restart menu item before, I think it appeared with
> the last stable Firefox upgrade (60.7.2). Is this a problem with
> upstream or the Gentoo package? Can it be worked around, without
> leaving _all_ developer features out?
>

I've never heard of reader mode so I had to google it. It seems you use
a binary package since you mentioned it being a Gentoo package. I could
be mistaken on that. I compile from source with the following USE flags.

[ebuild R ~] www-client/firefox-67.0.4::gentoo USE="dbus gmp-autoupdate
screenshot startup-notification system-av1 system-harfbuzz system-icu
system-jpeg system-sqlite system-webp -bindist -clang -custom-cflags
-custom-optimization -debug -eme-free -geckodriver -hardened -hwaccel
-jack -lto (-neon) -pgo -pulseaudio (-selinux) -system-libevent
-system-libvpx -test -wayland -wifi"

If the thinking is that the binary build is causing this, I'd say that
is not the case. I seem to have the same key shortcuts for both items as
you have here as well. Since I have several different profiles for my
Firefox, including one that I just use to test things with, I started it
and tested it. The problem here is that something else KDE related has
that same shortcut and it catches it before Firefox does. While I can't
duplicate what you get, I suspect if I could find and get rid of
whatever that is here, Firefox would behave the same as yours since both
have that same shortcut setting which appears to be a default and I
can't find a way to change it. There could be a way in about:config but
I try not to mess with that too much.

While I can't completely duplicate it, I can confirm that the shortcut
is set the same way as yours even when compiled from source. It would
seem that it is a Firefox issue where one person doing the restart
wasn't aware that the person doing the reader view was already using
that shortcut. May want to head over to Firefox with a can of Raid.
There's a bug to kill. ;-)

Hope that helps, a little at least.

Dale

:-) :-)
Re: [gentoo-user] escape from i3lock
On Wed, Jul 10, 2019 at 10:03:42AM -0700, Ian Zimmerman wrote:

> Here is my next "low information" question, haha.
>
> I use i3lock which is like Xscreensaver but much much simpler; it plays
> no movies or games, just blanks the screen with a configured color or
> image. To unlock it you have to type your password.

Same here, it's simple and just works.

> It bothers me that even when i3lock has locked the X session, I can
> still switch to other Linux virtual consoles with Alt-Control-F ,
> without typing the password. It so happens that on one of the other
> virtual consoles there is often an interactive root shell :-P
>
> So, is it possible to prevent virtual console switching while the X
> screen is locked, but still allow it at other times? Looks like
> something the locker program would have to do, not the X server; but
> again I don't know much about this stuff.

Which init are you using, what display manager, and how are you
launching it? I'm using systemd and sddm, and when I run `i3lock', I
cannot switch to different virtual consoles.

Not sure whether any of that stuff matters, but that was the first thing
I thought of.

Alec
Re: [gentoo-user] escape from i3lock
On 7/10/19 7:03 PM, Ian Zimmerman wrote:

> Here is my next "low information" question, haha.
>
> I use i3lock which is like Xscreensaver but much much simpler; it plays
> no movies or games, just blanks the screen with a configured color or
> image. To unlock it you have to type your password.
>
> It bothers me that even when i3lock has locked the X session, I can
> still switch to other Linux virtual consoles with Alt-Control-F ,
> without typing the password. It so happens that on one of the other
> virtual consoles there is often an interactive root shell :-P
>
> So, is it possible to prevent virtual console switching while the X
> screen is locked, but still allow it at other times? Looks like
> something the locker program would have to do, not the X server; but
> again I don't know much about this stuff.

Not a direct answer to your question, but as a workaround you can use
tmux sessions, and simply detach them and logout when you lock your
computer.

Also, if this is just a shell to start the X server, you can launch it
as "startx & bg; disown" and then logout.
[gentoo-user] Firefox key shortcut buglet
Alt-Control-R should switch between normal rendering and Reader mode.
All the documentation available including the "tooltip" that pops up
when I hover my mouse over the Reader icon agrees.

And yet, in the File menu, there is an item "Restart (Developer)" with
the same shortcut. And when I in fact press this key combo, this is
what happens: Firefox restarts. I have no use for this, while the
Reader shortcut is moderately useful.

I haven't seen the Restart menu item before, I think it appeared with
the last stable Firefox upgrade (60.7.2). Is this a problem with
upstream or the Gentoo package? Can it be worked around, without
leaving _all_ developer features out?

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
Re: [gentoo-user] Massive kmail breakage with mariadb-10.4.6
On Wednesday, 10 July 2019 14:31:19 BST Peter Humphrey wrote:

> On Wednesday, 10 July 2019 10:06:01 BST Peter Humphrey wrote:
> > On Wednesday, 10 July 2019 00:06:43 BST Adam Carter wrote:
> > > > I've just tried upgrading mariadb again while watching it, and got
> > > > similar
> > > > results. I did notice that an error notice came up about being unable
> > > > to
> > > > store
> > > > a message received via POP3, which is my main incoming source. I can't
> > > > quote
> > > > exactly because the notice disappeared too soon.
> > > >
> > > > Back to 10.3.16 for now.
> > >
> > > Just to confirm, when you say upgrade you mean something like;
> > > emerge -u mariadb
> > > systemctl restart mariadb
> > > mysql_upgrade -u root -p
> >
> > Akonadi runs an instance of mariadb for its own use, without reference to
> > what else might be running on the machine.
> >
> > I've never had to run mysql_upgrade before, and I can't find a way to do
> > it
> > manually because of this in .local/share/akonadi/mysql.conf:
> >
> > # Do not listen for TCP/IP connections at all
> > skip_networking
> >
> > Maybe I could comment that out temporarily, but I don't know what else
> > might be affected. Otherwise it looks like creating a new user for myself
> > and importing the message archive.
>
> Well, I tried that but when I started kmail to set it up again, it crashed
> after telling me it had failed to get a lock. On what, it didn't say.

/usr/bin/akonadi_control launches /usr/bin/akonadiserver, which launches
/usr/sbin/mysqld:

/usr/bin/akonadi_control
 |
  \_ /usr/bin/akonadiserver
      |
       \_/usr/sbin/mysqld

They're all running as the user who launches kmail, i.e. yourself.

Also, unless you have tweaked access to the database to allow TCP, it
will only use a local Unix socket. Have a look in your /tmp fs for this
socket name. If your kdepim user is logged in as user 'peter', I'm
guessing you'll see something like this, as long as akonadiserver is
running:

/tmp/akonadi-peter.XX/mysql.socket

You could try running mysql_upgrade on this, but the command will
request access to default mysql database tables and its socket under
/var/run/mysqld/, which I assume you won't be running unnecessarily just
for a Plasma/KDE desktop. Consequently the incantation will fail.

Instead, you could try running the individual commands mysql_upgrade
runs yourself, only on the akonadi tables. Here's my attempt:

$ /usr/bin/mysqlcheck -u michael --all-databases --check-upgrade --auto-repair --socket=/tmp/akonadi-michael.ZtUWTD/mysql.socket
akonadi.collectionattributetable                   OK
akonadi.collectionmimetyperelation                 OK
akonadi.collectionpimitemrelation                  OK
akonadi.collectiontable                            OK
akonadi.flagtable                                  OK
akonadi.mimetypetable                              OK
akonadi.parttable                                  OK
akonadi.parttypetable                              OK
akonadi.pimitemflagrelation                        OK
akonadi.pimitemtable                               OK
akonadi.pimitemtagrelation                         OK
akonadi.relationtable                              OK
akonadi.relationtypetable                          OK
akonadi.resourcetable                              OK
akonadi.schemaversiontable                         OK
akonadi.tagattributetable                          OK
akonadi.tagremoteidresourcerelationtable           OK
akonadi.tagtable                                   OK
akonadi.tagtypetable                               OK

Or, you could connect to the above socket with /usr/bin/mysql and run
SQL commands from within, after you select each akonadi database/table
in turn.

Normally, I don't think any of the above is required. From what I recall
akonadiserver runs mysql_upgrade each and every time akonadiserver is
launched. However, if akonadi can't run the kdepim mysql following a
database version update, then you'll need to look deeper into it.

If akonadiserver does not start/crashes, it may be more effective to
look at the mysql.err logs under ~/.local/share/akonadi/db_data/.

You could also launch akonadiconsole, switch on debugging and see if it
offers anything more informative when you try to restart akonadi.

HTH.

--
Regards,
Mick
[gentoo-user] escape from i3lock
Here is my next "low information" question, haha.

I use i3lock which is like Xscreensaver but much much simpler; it plays
no movies or games, just blanks the screen with a configured color or
image. To unlock it you have to type your password.

It bothers me that even when i3lock has locked the X session, I can
still switch to other Linux virtual consoles with Alt-Control-F ,
without typing the password. It so happens that on one of the other
virtual consoles there is often an interactive root shell :-P

So, is it possible to prevent virtual console switching while the X
screen is locked, but still allow it at other times? Looks like
something the locker program would have to do, not the X server; but
again I don't know much about this stuff.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
Re: [gentoo-user] Music player being run from an emerge
On Tue, Jul 9, 2019 at 2:10 PM Andrew Lowe wrote:

>
> * ACCESS DENIED: open_wr: /dev/snd/controlC0
> * ACCESS DENIED: open_wr: /dev/snd/controlC0

This has nothing to do with permissions, and everything to do with the
sandbox. Most emerge phases are sandboxed. This uses LD_PRELOAD to
override glibc functions to intercept filesystem access, which is why
you're also getting messages related to this (just going from memory so
forgive me if I have a minor detail off here).

If you want to override the sandbox behavior you need to stick a file in
/etc/sandbox.d/ with your changes, such as adding
SANDBOX_WRITE="/dev/snd" to your config.

In general though portage is configured to lock down filesystem writes
even as root so that build systems aren't dropping random files in
random places, or wiping out your hard drives. We want the build system
to stay in /var/tmp and stick its install files in the image directory,
and then portage will catalog them and move them to your filesystem so
that it can cleanly uninstall things later.

You could also disable sandboxing entirely, but I would strongly
recommend NOT doing this.

--
Rich
Re: [gentoo-user] Massive kmail breakage with mariadb-10.4.6
On Wednesday, 10 July 2019 10:06:01 BST Peter Humphrey wrote:

> On Wednesday, 10 July 2019 00:06:43 BST Adam Carter wrote:
> > > I've just tried upgrading mariadb again while watching it, and got
> > > similar
> > > results. I did notice that an error notice came up about being unable to
> > > store
> > > a message received via POP3, which is my main incoming source. I can't
> > > quote
> > > exactly because the notice disappeared too soon.
> > >
> > > Back to 10.3.16 for now.
> >
> > Just to confirm, when you say upgrade you mean something like;
> > emerge -u mariadb
> > systemctl restart mariadb
> > mysql_upgrade -u root -p
>
> Akonadi runs an instance of mariadb for its own use, without reference to
> what else might be running on the machine.
>
> I've never had to run mysql_upgrade before, and I can't find a way to do it
> manually because of this in .local/share/akonadi/mysql.conf:
>
> # Do not listen for TCP/IP connections at all
> skip_networking
>
> Maybe I could comment that out temporarily, but I don't know what else might
> be affected. Otherwise it looks like creating a new user for myself and
> importing the message archive.

Well, I tried that but when I started kmail to set it up again, it
crashed after telling me it had failed to get a lock. On what, it didn't
say.

--
Regards,
Peter.
Re: [gentoo-user] Music player being run from an emerge
Hello,

On Wed, 10 Jul 2019, Andrew Lowe wrote:

> If I log in as my usual user, alsaplayer will run the song. If I then
> "su"
> into root, I'm in wheel, alsaplayer will play the song. The problem is that
> when the emerge runs, then fails, alsaplayer can't appear to fire up. When an
> emerge fails, I get the usual error listings then the following:
>
> * ACCESS DENIED: open_wr: /dev/snd/controlC0
> * ACCESS DENIED: open_wr: /dev/snd/controlC0
> ALSA lib
> /var/tmp/portage/media-libs/alsa-lib-1.1.9/work/alsa-lib-1.1.9/src/confmisc.c:674:(snd_determine_driver)
> could not open control for card 0
> ALSA lib
> /var/tmp/portage/media-libs/alsa-lib-1.1.9/work/alsa-lib-1.1.9/src/conf.c:3572:(snd_config_hooks_call)
> function snd_config_hook_load_for_all_cards returned error: Permission denied

You'd probably need to add portage to the "audio" group ...

HTH,
-dnh

--
Sorry, I don't know how to help in this situation.
Maybe you should try asking a human? -- a TeX message
Re: [gentoo-user] Music player being run from an emerge
On Tuesday, 9 July 2019 19:10:52 BST Andrew Lowe wrote:

> Hi all,
> This all happens on an up to date openrc machine with the profile
> default/linux/amd64/17.0/desktop/plasma
>
> I've added a few hooks to the emerge process via the bashrc that is in
> /etc/portage. One of the things I do upon emerge failure is kill vlc,
> which would have been playing a random song, and then attempt to start
> alsaplayer[1] with a specific song. This means that I can be pottering
> around the house/shed and if the "failure song" starts playing, I know
> something is up. The problem is getting the failure song to play.
>
> If I log in as my usual user, alsaplayer will run the song. If I then
> "su" into root, I'm in wheel, alsaplayer will play the song. The problem
> is that when the emerge runs, then fails, alsaplayer can't appear to
> fire up.

Is this because the emerge runs as portage:portage and it does not have
access rights to alsaplayer?

> When an emerge fails, I get the usual error listings then the
> following:
>
> * ACCESS DENIED: open_wr: /dev/snd/controlC0
> * ACCESS DENIED: open_wr: /dev/snd/controlC0
> ALSA lib
> /var/tmp/portage/media-libs/alsa-lib-1.1.9/work/alsa-lib-1.1.9/src/confmisc.
> c:674:(snd_determine_driver) could not open control for card 0
> ALSA lib
> /var/tmp/portage/media-libs/alsa-lib-1.1.9/work/alsa-lib-1.1.9/src/conf.c:35
> 72:(snd_config_hooks_call) function snd_config_hook_load_for_all_cards
> returned error: Permission denied

Unless the above output was from emerging alsa-lib, your hooks should
not be looking in /var/tmp/portage/, but I may not have understood what
your mechanism is for launching alsa correctly. Also the above could be
a sandboxing limitation?

> Amongst this stuff is a line:
>
> LOG FILE: "/var/log/sandbox/sandbox-20431.log"
>
> which I think confirms my suspicions that something is wrong with my
> sandbox as I also get this error when the email fails and just before
> the failure hook, running alsaplayer, is run:
>
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded
> (cannot open shared object file): ignored.
>
> Are there any emerge/sandbox gurus out there who might have an idea as
> to what's going on? Any thoughts are greatly appreciated,
>
> Andrew
>
>
> [1] vlc won't play as root hence I tried alsaplayer

I'm not versed in the details of emerge - I just use it with my limited
knowledge as a package manager. Nevertheless, here's some ideas others
more knowledgeable could contribute to and correct as necessary:

Your emerge hooks should 'sudo su - whatever_user' has access to cvlc
and run that, instead of vlc, or even alsaplayer. If the emerge process
is sandboxed, then the user access rights would be limited, therefore
you'll need to expand these with sudo.

Use full paths for executables in your hook commands and add some traps
to see the step at which they fail.

Running a script with conditionals may be a better way to run emerge and
catch a failure code, which will then trigger cvlc. I would be reluctant
to extend privileges to processes which were designed to do one thing
(e.g. emerge) in order to do something else, e.g. read areas of the
filesystem they're not meant to meddle in. Choose to use the lowest
level of access rights necessary to perform what you're after and no
higher.

I hope the above leads you closer to what you want to achieve.

--
Regards,
Mick
Re: [gentoo-user] Massive kmail breakage with mariadb-10.4.6
On Wednesday, 10 July 2019 00:06:43 BST Adam Carter wrote:

> > I've just tried upgrading mariadb again while watching it, and got similar
> > results. I did notice that an error notice came up about being unable to
> > store
> > a message received via POP3, which is my main incoming source. I can't
> > quote
> > exactly because the notice disappeared too soon.
> >
> > Back to 10.3.16 for now.
>
> Just to confirm, when you say upgrade you mean something like;
> emerge -u mariadb
> systemctl restart mariadb
> mysql_upgrade -u root -p

Akonadi runs an instance of mariadb for its own use, without reference
to what else might be running on the machine.

I've never had to run mysql_upgrade before, and I can't find a way to do
it manually because of this in .local/share/akonadi/mysql.conf:

# Do not listen for TCP/IP connections at all
skip_networking

Maybe I could comment that out temporarily, but I don't know what else
might be affected. Otherwise it looks like creating a new user for
myself and importing the message archive.

Another strange thing is that I sent the root message of this thread to
the kdepim-users list as well, and referred to it later, but there's
been not a squeak from anyone there.

--
Regards,
Peter.