[owl-users] sudo: why not?
From: Mike Belopuhov (mkb@private)
Date: Sat Oct 16 2004 - 13:18:02 PDT
Hi.
I'm just skipping the gratitude to the Owl team ;-) and just asking
a question: why is sudo not in Owl? Whenever I install Owl I
can't guess why it is so. It works fine with tcb.
I have a working SRPM of sudo with .pam and .control files included
(tested on 1.1-release on i386). It's sudo-1.6.7p5. You can get the
SRPM here:
http://openbsd.hnet.spb.ru/files/sudo-1.6.7p5-owl1.src.rpm
(sorry if it happens to be broken ;-)
I suppose there is much to be done, but IMHO sudo is a good candidate
for owl-current, isn't it?
PS.
Of course I googled for such a discussion, but haven't found
anything relevant.
--
Mike Belopuhov
* This message was written using vim *
From: misiu_ <misiu_@private>
Date: Wed, 20 Oct 2004 18:29:44 +0200
Subject: [owl-users] installed and chrooted and now?
Hello list,
this is my first contact with Owl. Now I installed the system as in the
install-doc, then I issued a chroot /owl
and now? how do I set up the kernel? install lilo?
do you have any documentation?
thanx,
misiu
Date: Wed, 20 Oct 2004 20:48:24 +0400
From: gremlin <gremlin@private>
Subject: Re: [owl-users] installed and chrooted and now?
misiu_ wrote:
> this is my first contact with Owl. Now I installed the system as in the
> install-doc than I issued a chroot /owl
> and no? how do I set up the kernel? install lilo?
> do you have any documentation?
Simplest way:
1. Copy kernel from CD
# cp /boot/bzImage /owl/boot/
2. Setup LILO
# make setup
# vi /owl/etc/lilo.conf
3. Install LILO
# chroot /owl lilo
Then boot up from hard disk and build custom kernel usual way.
--
Alexey V. Vissarionov aka Gremlin from Kremlin
From: misiu_ <misiu_@private>
Date: Wed, 20 Oct 2004 19:02:49 +0200
Subject: Re: [owl-users] installed and chrooted and now?
On Wed, 20.10.2004, at 18:48, gremlin wrote:
> Simplest way:
> 1. Copy kernel from CD
> # cp /boot/bzImage /owl/boot/
o.k.
> 2. Setup LILO
> # make setup
> # vi /owl/etc/lilo.conf
after /sbin/lilo
I get
Warning: LBA32 addressing assumed
lilo: fatal: geo_query_dev HDIO_GETGEO(dev 0x1600):Invalid argument
any suggestions?
misiu
> 3. Install LILO
> # chroot /owl lilo
>
> Then boot up from hard disk and build custom kernel usual way.
>
Date: Wed, 20 Oct 2004 21:13:39 +0400
From: gremlin <gremlin@private>
Subject: Re: [owl-users] installed and chrooted and now?
misiu_ wrote:
> > 1. Copy kernel from CD
> > # cp /boot/bzImage /owl/boot/
> o.k.
> > 2. Setup LILO
> > # make setup
> > # vi /owl/etc/lilo.conf
> after /sbin/lilo
> i get
> Warning: LBA32 addressing assumed
> lilo: fatal: geo_query_dev HDIO_GETGEO(dev 0x1600):Invalid argument
>
> any suggestions?
Hmm... AFAIR, 0x1600 is a sort of SCSI disk - possibly, you have to edit
/owl/etc/lilo.conf to suit your needs.
> > 3. Install LILO
> > # chroot /owl lilo
--
Alexey V. Vissarionov aka Gremlin from Kremlin
Date: Wed, 20 Oct 2004 21:20:38 +0400
From: gremlin <gremlin@private>
Subject: Re: [owl-users] installed and chrooted and now?
> > after /sbin/lilo
> > i get
> > Warning: LBA32 addressing assumed
> > lilo: fatal: geo_query_dev HDIO_GETGEO(dev 0x1600):Invalid argument
> >
> > any suggestions?
>
> Hmm... AFAIR, 0x1600 is a sort of SCSI disk - possibly, you have to edit
> /owl/etc/lilo.conf to suit your needs.
>
> > > 3. Install LILO
> > > # chroot /owl lilo
[I'll never post drunk messages to list! I'll never post dru...]
0x1600 is /dev/hdc (22,0) - is that your hard disk device, or is it a
CD-ROM?
--
Alexey V. Vissarionov aka Gremlin from Kremlin
Date: Wed, 20 Oct 2004 23:55:16 +0400
From: Solar Designer <solar@private>
Subject: Re: [owl-users] sudo: why not?
Hi Mike,
On Sun, Oct 17, 2004 at 12:18:02AM +0400, Mike Belopuhov wrote:
> I'm just skipping some gratitudes to Owl team ;-) and just asking
> a question: why sudo is not in Owl? Always when I install Owl I
> can't guess why it is so. It works fine with tcb.
Yes, but unfortunately both su and sudo are subtly but fundamentally
flawed.
Presently, the only safe use for su is to switch from a more
privileged account to a less privileged one (whenever this distinction
can be made) in a non-interactive script (without a tty). As soon as
a tty is used, there is a security problem. As soon as you su to a
more privileged account, there is another security problem.
We've been discussing privately how we might re-design su (or
improve Linux kernel interfaces) such that su would become safe in
presence of tty's. However, even if that is done, su would still be
unsafe for accessing more privileged accounts from less privileged
ones.
Yes, it used to be common sysadmin wisdom to "su root" rather than
login as root. Those few who, when asked, could actually come up with
a valid reason for this preference would refer to the better
accountability achieved with this approach. Yes, this really is a
good reason in favor of this approach. But it's also the only one.
And the reason I give against using this approach is that it
effectively allows anyone who could have compromised the otherwise
non-privileged user account used to su from to gain root (at the
next invocation of su by the admin). So the separation between the
non-root and the root accounts is lost.
The alternative to "su root" is direct root logins. If there're
multiple persons who need root privileges on a server, multiple root
privileged accounts may be created, -- which Owl now includes full
support for (note our msulogin package).
Now, let's approach your question about sudo. As you can imagine, it
too has the problems of su. A privilege is meant to be granted to a
non-user account temporarily, -- however, anyone who could have
compromised the account, even if they do not know the password (e.g.,
for a compromise through a CGI script or an FTP/IRC/whatever client
vulnerability), can gain ahold of the sudo-elevated privilege
permanently (by intercepting one sudo session during which the
password would be entered).
The above property is inherent to sudo. However, besides it, there's
also an implementation defect. sudo uses a blacklist, as opposed to a
whitelist, for disallowing "bad" environment variables from being
passed on to the program specified in the sudoers file. No blacklist
can be complete. The result of this is that it is generally possible
for a user listed in sudoers to get full shell access as the target
user (usually root) even if the specified command was meant to allow
for a certain action only. On Owl, this problem is largely remedied
by the glibc -owl-sanitize-env.diff patch which strips glibc's own
risky environment variables on SUID exec (e.g., of sudo itself) such
that they would not be present on subsequent non-SUID execs (e.g., of
the command specified in sudoers). But this is not something I like
to rely upon, and it only works for glibc. The program invoked from
sudo may use other libraries and it may support its own environment
variables.
"sudo -i" almost achieves the desired effect (environment fully reset,
then populated with known-safe entries), except that there's no way to
force this behavior from a configuration file.
Of course, we may fix this implementation defect with a patch. But
you've asked "why no sudo", -- and the above is the current answer.
Hope it helps, and thank you for trying to help.
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
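An added example, not code from Owl, sudo or glibc: the blacklist filter the message above criticises beside a whitelist filter of the "sudo -i" kind (reset, then populate with known-safe entries), both run over a constructed caller environment. The variable name NEW_LIB_HOOK is made up to stand for any variable a blacklist's author never anticipated.

```c
/* Added example (not code from Owl, sudo or glibc): the blacklist filter the
 * message criticises beside a whitelist filter, run over a constructed caller
 * environment.  NEW_LIB_HOOK is a made-up name standing for any variable the
 * blacklist's author never anticipated. */
#include <stdio.h>
#include <string.h>
#define MAX_ENV 64

/* Blacklist: only the names its author happened to think of. */
static const char *const blacklist[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };
/* Whitelist: the only caller-supplied names allowed through. */
static const char *const whitelist[] = { "TERM", "LANG", "DISPLAY", NULL };
/* Known-safe values the privileged command always starts with ("sudo -i" style). */
static const char *const fixed[] = {
    "PATH=/bin:/usr/bin:/sbin:/usr/sbin", "HOME=/root", "SHELL=/bin/sh", NULL
};

/* Length of the NAME part of "NAME=value" (whole string if there is no '='). */
static size_t name_len(const char *e)
{
    const char *eq = strchr(e, '=');
    return eq ? (size_t)(eq - e) : strlen(e);
}

static int same_name(const char *a, const char *b)
{
    size_t la = name_len(a);
    return la == name_len(b) && strncmp(a, b, la) == 0;
}

static int name_in_list(const char *entry, const char *const *list)
{
    for (; *list; list++)
        if (same_name(entry, *list))
            return 1;
    return 0;
}

/* Blacklist filter: pass everything except the listed names.  Returns the count. */
int filter_blacklist(const char *const *in, const char **out, int outmax)
{
    int n = 0;
    for (; *in && n < outmax - 1; in++)
        if (!name_in_list(*in, blacklist))
            out[n++] = *in;
    out[n] = NULL;
    return n;
}

/* Whitelist filter: start from the fixed set, then admit only listed names. */
int filter_whitelist(const char *const *in, const char **out, int outmax)
{
    int n = 0;
    const char *const *f;
    for (f = fixed; *f && n < outmax - 1; f++)
        out[n++] = *f;
    for (; *in && n < outmax - 1; in++)
        if (name_in_list(*in, whitelist) && !name_in_list(*in, fixed))
            out[n++] = *in;
    out[n] = NULL;
    return n;
}

/* Value of NAME in a NULL-terminated "NAME=value" array, or NULL if absent. */
const char *env_get(const char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return *env + len + 1;
    return NULL;
}

/* Constructed environment as an unprivileged caller might have set it up. */
const char *const sample_env[] = {
    "PATH=/home/alice/bin:/usr/bin",
    "TERM=xterm",
    "LD_PRELOAD=/home/alice/hook.so",
    "NEW_LIB_HOOK=/home/alice/other.so",
    "HOME=/home/alice",
    NULL
};

typedef int (*env_filter)(const char *const *, const char **, int);

/* Run one filter over sample_env and return NAME's surviving value (or NULL). */
const char *filtered_value(env_filter filter, const char *name)
{
    const char *out[MAX_ENV];
    filter(sample_env, out, MAX_ENV);
    return env_get(out, name);   /* points into static strings, safe to return */
}

int main(void)
{
    const char *v = filtered_value(filter_blacklist, "NEW_LIB_HOOK");
    printf("blacklist lets NEW_LIB_HOOK through: %s\n", v ? v : "(no)");
    v = filtered_value(filter_whitelist, "NEW_LIB_HOOK");
    printf("whitelist lets NEW_LIB_HOOK through: %s\n", v ? v : "(no)");
    return 0;
}
```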
Date: Wed, 20 Oct 2004 16:36:30 -0400
From: Steven Lembark <lembark@private>
Subject: Re: [owl-users] sudo: why not?
> Presently, the only safe use for su is to switch from a more
> privileged account to a less privileged one (whenever this distinction
> can be made) in a non-interactive script (without a tty). As soon as
> a tty is used, there is a security problem. As soon as you su to a
> more privileged account, there is another security problem.
Catch: priv'd accounts can depend on context. What may be
less priv'd in one context (say, dba access vs. reformat the
disks) can be more priv'd in another (say, modify someone's
payroll record).
> Yes, it used to be common sysadmin wisdom to "su root" rather than
> login as root. Those few who, when asked, could actually come up with
> a valid reason for this preference would refer to the better
> accountability achieved with this approach. Yes, this really is a
> good reason in favor of this approach. But it's also the only one.
You can also refuse superuser logins over the network (from
the root username or any other with UID 0). At that point
someone has to compromise the system enough to modify the
login rules before they can get in as root via the network.
You can restrict the number of users with simple access to
the command via mods, which allows revoking access to the
command by removing a user from one group (vs. having to
change the password). While not perfect, this does simplify
the most common cases where ex-employees have su access
because Jow Bloe in accounting couldn't be notified of the
change.
> And the reason I give against using this approach is that it
> effectively allows anyone who could have compromised the otherwise
> non-privileged user account used to su from to gain root (at the
> next invocation of su by the admin). So the separation between the
> non-root and the root accounts is lost.
You have better odds of turning off one non-priv'd account
than modifying any superuser accounts on a running system.
> multiple persons who need root privileges on a server, multiple root
> privileged accounts may be created, -- which Owl now includes full
> support for (note our msulogin package).
Just create multiple accounts with UID 0, fine.
Only catch there is that looking for multiples with 0 is
one of the fastest ways to catch many rootkit attempts.
I normally modify the 'root' account to log the incoming
IP for legal action and create another SU for real work.
If there are multiple 0's in the UID then I have a real
problem.
> Now, let's approach your question about sudo. As you can imagine, it
> too has the problems of su. A privilege is meant to be granted to a
> non-user account temporarily, -- however, anyone who could have
> compromised the account, even if they do not know the password (e.g.,
> for a compromise through a CGI script or an FTP/IRC/whatever client
> vulnerability), can gain ahold of the sudo-elevated privilege
> permanently (by intercepting one sudo session during which the
> password would be entered).
>
> The above property is inherent to sudo. However, besides it, there's
> also an implementation defect. sudo uses a blacklist, as opposed to a
> whitelist, for disallowing "bad" environment variables from being
> passed on to the program specified in the sudoers file. No blacklist
> can be complete. The result of this is that it is generally possible
> for a user listed in sudoers to get full shell access as the target
> user (usually root) even if the specified command was meant to allow
> for a certain action only. On Owl, this problem is largely remedied
> by the glibc -owl-sanitize-env.diff patch which strips glibc's own
> risky environment variables on SUID exec (e.g., of sudo itself) such
> that they would not be present on subsequent non-SUID execs (e.g., of
> the command specified in sudoers). But this is not something I like
> to rely upon, and it only works for glibc. The program invoked from
> sudo may use other libraries and it may support its own environment
> variables.
OK. So there is no perfect security short of a trusted
advisor with a loaded, cocked 44 watching whomever is
on the console...
> "sudo -i" almost achieves the desired effect (environment fully reset,
> then populated with known-safe entries), except that there's no way to
> force this behavior from a configuration file.
Hack sudo to jam-load -i behavior.
> Of course, we may fix this implementation defect with a patch. But
> you've asked "why no sudo", -- and the above is the current answer.
--
Steven Lembark 85-09 90th Street
Workhorse Computing Woodhaven, NY 11421
lembark@private 1 888 359 3508
From: misiu_ <misiu_@private>
Date: Wed, 20 Oct 2004 23:59:31 +0200
Subject: Re: [owl-users] installed and chrooted and now?
Hi, I guess it is my cdrom...
but in my lilo.conf
is
"boot=/dev/hda1"
"root=/dev/hda"
misiu
On Wed, 20.10.2004, at 19:20, gremlin wrote:
> > > after /sbin/lilo
> > > i get
> > > Warning: LBA32 addressing assumed
> > > lilo: fatal: geo_query_dev HDIO_GETGEO(dev 0x1600):Invalid argument
> > >
> > > any suggestions?
> >
> > Hmm... AFAIR, 0x1600 is a sort of SCSI disk - possibly, you have to edit
> > /owl/etc/lilo.conf to suit your needs.
> >
> > > > 3. Install LILO
> > > > # chroot /owl lilo
>
> [I'll never post drunk messages to list! I'll never post dru...]
>
> 0x1600 is /dev/hdc (22,0) - is that your hard disk device, or is it a
> CD-ROM?
Date: Thu, 21 Oct 2004 00:06:16 +0200
From: Andreas Ericsson <ae@private>
Subject: Re: [owl-users] sudo: why not?
Steven Lembark wrote:
>
>> Presently, the only safe use for su is to switch from a more
>> privileged account to a less privileged one (whenever this distinction
>> can be made) in a non-interactive script (without a tty). As soon as
>> a tty is used, there is a security problem. As soon as you su to a
>> more privileged account, there is another security problem.
>
>
> Catch: priv'd accounts can depend on context. What may be
> less priv'd in one context (say, dba access vs. reformat the
> disks) can be more priv'd in another (say, modify someone's
> payroll record).
>
The root user could access the database files physically
(binaryphorically speaking) and thus already has this privilege. There
is really no such thing as security against the superuser.
>> Yes, it used to be common sysadmin wisdom to "su root" rather than
>> login as root. Those few who, when asked, could actually come up with
>> a valid reason for this preference would refer to the better
>> accountability achieved with this approach. Yes, this really is a
>> good reason in favor of this approach. But it's also the only one.
>
>
> You can also refuse superuser logins over the network (from
> the root username or any other with UID 0). At that point
> someone has to compromise the system enough to modify the
> login rules before they can get in as root via the network.
>
Apart from a single exploitable bug in a networking daemon running as
root. Or a single exploitable bug in any non-chrooted networking daemon
and a single (or series of, possibly) exploitable local bugs that leads
to elevated privileges.
> You can restrict the number of users with simple access to
> the command via mods, which allows revoking access to the
> command by removing a user from one group (vs. having to
> change the password). While not perfect, this does simplify
> the most common cases where ex-employees have su access
> because Jow Bloe in accounting couldn't be notified of the
> change.
>
The users you want to safeguard against are the ones that don't need
just "simple" access to the command.
>> And the reason I give against using this approach is that it
>> effectively allows anyone who could have compromised the otherwise
>> non-privileged user account used to su from to gain root (at the
>> next invocation of su by the admin). So the separation between the
>> non-root and the root accounts is lost.
>
>
> You have better odds of turning off one non-priv'd account
> than modifying any superuser accounts on a running system.
>
Would you care to elaborate? Are you assuming the position of an
attacker or the position of an admin in that statement?
>> multiple persons who need root privileges on a server, multiple root
>> privileged accounts may be created, -- which Owl now includes full
>> support for (note our msulogin package).
>
>
> Just create multiple accounts with UID 0, fine.
> Only catch there is that looking for multiples with 0 is
> one of the fastest ways to catch many rootkit attempts.
Rootkits need root access to be installed. We're trying to prevent that
altogether, not make sure we can find them once they're installed.
> I normally modify the 'root' account to log the incomming
> IP for legal action and create another SU for real work.
> If there are multiple 0's in the UID then I have a real
> problem.
>
uid 1000 has three. Is that a real problem? ;)
>> Now, let's approach your question about sudo. As you can imagine, it
>> too has the problems of su. A privilege is meant to be granted to a
>> non-user account temporarily, -- however, anyone who could have
>> compromised the account, even if they do not know the password (e.g.,
>> for a compromise through a CGI script or an FTP/IRC/whatever client
>> vulnerability), can gain ahold of the sudo-elevated privilege
>> permanently (by intercepting one sudo session during which the
>> password would be entered).
>>
>> The above property is inherent to sudo. However, besides it, there's
>> also an implementation defect. sudo uses a blacklist, as opposed to a
>> whitelist, for disallowing "bad" environment variables from being
>> passed on to the program specified in the sudoers file. No blacklist
>> can be complete. The result of this is that it is generally possible
>> for a user listed in sudoers to get full shell access as the target
>> user (usually root) even if the specified command was meant to allow
>> for a certain action only. On Owl, this problem is largely remedied
>> by the glibc -owl-sanitize-env.diff patch which strips glibc's own
>> risky environment variables on SUID exec (e.g., of sudo itself) such
>> that they would not be present on subsequent non-SUID execs (e.g., of
>> the command specified in sudoers). But this is not something I like
>> to rely upon, and it only works for glibc. The program invoked from
>> sudo may use other libraries and it may support its own environment
>> variables.
>
>
> OK. So there is no perfect security short of a trusted
> advisor with a loaded, cocked 44 watching whomever is
> on the console...
>
Actually, not even that would be perfectly secure, but it would make it
harder for anyone sitting there to go berserk without being noticed.
Again, we're not interested in noticing things when they've happened,
but rather to prevent them.
>> "sudo -i" almost achieves the desired effect (environment fully reset,
>> then populated with known-safe entries), except that there's no way to
>> force this behavior from a configuration file.
>
>
> Hack sudo to jam-load -i behavior.
>
Feel free. I'm sure it's not a terribly difficult or burdensome task,
but it's not on the Owl todo.
>> Of course, we may fix this implementation defect with a patch. But
>> you've asked "why no sudo", -- and the above is the current answer.
>
--
Andreas Ericsson andreas.ericsson@private
OP5 AB www.op5.se
Lead Developer
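The environment handling discussed in the quoted text above, shown as code: a blacklist filter of the kind criticised there beside a whitelist reset of the kind "sudo -i" performs (clear everything, then populate with known-safe entries). This is an added example, not code from sudo, glibc or Owl; the fixed PATH value, the whitelisted names, the prefix blacklist and the sample environment are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#define ENV_MAX 32   /* max entries in a filtered environment */
#define ENV_LEN 256  /* max length of one "NAME=value" entry */

/* PATH handed to the target user after a reset (assumed value, not Owl's). */
#define SAFE_PATH "/sbin:/bin:/usr/sbin:/usr/bin"

/* Prefixes a blacklist filter knows to drop; constructed and, like any such list, incomplete. */
static const char *const blacklist_prefixes[] = { "LD_", NULL };

/* The only caller-supplied names a whitelist reset will carry over. */
static const char *const whitelist_names[] = { "TERM", "DISPLAY", NULL };

/* Value of NAME in a NULL-terminated envp-style array, or NULL if absent. */
static const char *env_lookup(const char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return *env + len + 1;
    return NULL;
}

/* Reject values that are empty, oversized or carry control characters. */
static int value_is_sane(const char *v)
{
    if (*v == '\0' || strlen(v) > ENV_LEN - 16) return 0;
    for (; *v; v++)
        if ((unsigned char)*v < 0x20 || *v == 0x7f)
            return 0;
    return 1;
}

/* Blacklist filter: copy every entry except those matching a known-bad
 * prefix. Anything the list does not mention passes through untouched. */
size_t env_blacklist(const char *const *in, char out[][ENV_LEN], size_t max)
{
    size_t n = 0;
    for (; *in && n < max; in++) {
        const char *const *p = blacklist_prefixes;
        while (*p && strncmp(*in, *p, strlen(*p)) != 0)
            p++;
        if (*p == NULL)   /* nothing on the list matched: keep the entry */
            snprintf(out[n++], ENV_LEN, "%s", *in);
    }
    return n;
}

/* Whitelist reset: start empty, fill in what the target user needs from
 * trusted data (account fields passed by the caller), then copy over only
 * whitelisted names whose values pass the sanity check. */
size_t env_whitelist(const char *const *in, const char *user, const char *home,
                     const char *shell, char out[][ENV_LEN], size_t max)
{
    size_t n = 0;
    if (max < 5) return 0;
    snprintf(out[n++], ENV_LEN, "PATH=%s", SAFE_PATH);
    snprintf(out[n++], ENV_LEN, "HOME=%s", home);
    snprintf(out[n++], ENV_LEN, "USER=%s", user);
    snprintf(out[n++], ENV_LEN, "LOGNAME=%s", user);
    snprintf(out[n++], ENV_LEN, "SHELL=%s", shell);
    for (const char *const *w = whitelist_names; *w && n < max; w++) {
        const char *v = env_lookup(in, *w);
        if (v && value_is_sane(v))
            snprintf(out[n++], ENV_LEN, "%s=%s", *w, v);
    }
    return n;
}

/* Does an entry named NAME survive in a filtered array of n entries? */
int env_has(char out[][ENV_LEN], size_t n, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i], name, len) == 0 && out[i][len] == '=')
            return 1;
    return 0;
}

/* Constructed caller environment: an ordinary login plus entries a
 * compromised account could have planted to steer a shell or interpreter. */
const char *const sample_env[] = {
    "PATH=/home/alice/bin:/usr/bin:/bin", "HOME=/home/alice", "TERM=xterm",
    "LD_PRELOAD=/home/alice/.hide.so",  /* caught by the LD_ prefix        */
    "BASH_ENV=/home/alice/.hook",       /* not on the blacklist            */
    "PERL5OPT=-M/home/alice/.hook",     /* not on the blacklist            */
    "DISPLAY=:0\x1b[2J",                /* whitelisted name, tainted value */
    NULL
};

/* Yes/no verdicts over sample_env with root as the assumed target user. */
static char scratch[ENV_MAX][ENV_LEN];  /* shared buffer for the verdict helpers */

int blacklist_keeps(const char *name)
{
    return env_has(scratch, env_blacklist(sample_env, scratch, ENV_MAX), name);
}

int whitelist_keeps(const char *name)
{
    size_t n = env_whitelist(sample_env, "root", "/root", "/bin/sh", scratch, ENV_MAX);
    return env_has(scratch, n, name);
}
```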
Date: Wed, 20 Oct 2004 18:55:38 -0400
From: Steven Lembark <lembark@private>
To: owl-users@private
Message-ID: <C61D1E984EEA305E6057E068@private>
In-Reply-To: <4176E158.3030207@private>
References: <20041016201802.GF6642@private>
<20041020195516.GA1766@private>
<43D7F4D0F915956AE54B00B1@private> <4176E158.3030207@private>
Subject: Re: [owl-users] sudo: why not?
> The root user could access the database files physically
> (binaryphorically speaking) and thus already has this privilege. There is
> really no such thing as security against the superuser.
My point was that there is no good definition of
"less privileged" user in the first place since
the notion of privilege is context sensitive.
i.e., even adding some sort of privilege-tree to
the what-user-can-change-to-what does not help.
Thing is that this is Unix, not VMS or OS/390.
At some point the entire thing comes down to
someone somewhere having personal control of
something.
> Apart from a single exploitable bug in a networking daemon running as
> root. Or a single exploitable bug in any non-chrooted networking daemon
> and a single (or series of, possibly) exploitable local bugs that leads
> to elevated privileges.
Except for any bug that leads to any hole anywhere.
There will always be holes; the best you can ever do
is leave the system less likely to be cracked (as
you've already pointed out).
That doesn't mean I won't at least take the simpler
steps to avoid the more easily-avoidable pitfalls.
> The users you want to safeguard against are the ones that don't need
> just "simple" access to the command.
Such as?
> Would you care to elaborate? Are you assuming the position of an attacker
> or the position of an admin in that statement?
As an admin if someone's account has been compromised
I can disable it. Turning off the superuser account(s)
tends to be more problematic. Obviously there are
lingering issues of what might have been done to the
system in the meantime.
> Rootkits need root access to be installed. We're trying to prevent that
> altogether, not make sure we can find them once they're installed.
Trivial: patch out the tests for ! uid in the C source,
add a signal handler for graceful shutdown to the reset
button, and put someone with an uzi near the box.
> uid 1000 has three. Is that a real problem? ;)
Three uid == 0 ?
> Actually, not even that would be perfectly secure, but it would make it
> harder for anyone sitting there to go berserk without being noticed.
> Again, we're not interested in noticing things when they've happened, but
> rather to prevent them.
Think hard about VMS. It died largely because NSA
designed too much of it, at which point the thing
became so unwieldy that people switched to *NIX in
response.
--
Steven Lembark 85-09 90th Street
Workhorse Computing Woodhaven, NY 11421
lembark@private 1 888 359 3508
Message-ID: <4176F6D8.4090506@private>
Date: Thu, 21 Oct 2004 03:38:00 +0400
From: Michael Tokarev <mjt@private>
Organization: Telecom Service, JSC
To: owl-users@private
References: <1098289783.1776.37.camel@private> <417696D8.7F931C76@private> <1098291769.1776.43.camel@private> <41769CC3.4F187EBD@private> <41769E66.78C1D247@private> <1098309570.1776.51.camel@private>
In-Reply-To: <1098309570.1776.51.camel@private>
Subject: Re: [owl-users] installed and chrooted and now?
misiu_ wrote:
> hi, i guess it is my cdrom...
> but in my lilo.conf
> is
> "boot=/dev/hda1"
> "root=/dev/hda"
You booted from CD-Rom drive, right?
Lilo tries to determine the boot drive (the one which was
used to boot the system this time) and write the stuff to
it. I guess you have to add two more directives into
lilo.conf:
disk=/dev/hda bios=0x80
to force lilo to think that your hda (is it your disk?)
is the first (boot) device in bios terminology (0x80 is
the boot device in bios).
Sometimes, lilo is tricky to set up in a chroot, when the
boot device was different than the one you're trying to
install to. But well, I've never seen such a problem with
CD-Rom drive & lilo before. As far as I can tell, lilo
looks up /proc/partitions and tries to get some info
about every device listed there, but it a) should not
see cdrom device there, and b) even if it's there for
some strange reason, lilo should skip it (0x1600 is
device with major number 0x16 (=22 dec) and minor=0,
which is /dev/hdc). It seems that the above trick with
disk= bios= should help, but I'm not sure.
/mjt
> misiu
>
> On Wed, 20.10.2004, gremlin wrote at 19:20:
>
>>>>after /sbin/lilo
>>>>i get
>>>>Warning: LBA32 addressing assumed
>>>>lilo: fatal: geo_query_dev HDIO_GETGEO(dev 0x1600):Invalid argument
>>>>
>>>>any suggestions?
>>>
>>>Hmm... AFAIR, 0x1600 is a sort of SCSI disk - possibly, you have to edit
>>>/owl/etc/lilo.conf to suit your needs.
>>>
>>>
>>>>>3. Install LILO
>>>>># chroot /owl lilo
>>
>>[I'll never post drunk messages to list! I'll never post dru...]
>>
>>0x1600 is /dev/hdc (22,0) - is that your hard disk device, or is it a
>>CD-ROM?
Date: Thu, 21 Oct 2004 03:52:10 +0400
From: Solar Designer <solar@private>
To: owl-users@private
Message-ID: <20041020235210.GA2801@private>
References: <1098289783.1776.37.camel@private> <417696D8.7F931C76@private> <1098291769.1776.43.camel@private> <41769CC3.4F187EBD@private> <41769E66.78C1D247@private> <1098309570.1776.51.camel@private> <4176F6D8.4090506@private>
In-Reply-To: <4176F6D8.4090506@private>
Subject: Re: [owl-users] installed and chrooted and now?
Michael,
On Thu, Oct 21, 2004 at 03:38:00AM +0400, Michael Tokarev wrote:
> You booted from CD-Rom drive, right?
> Lilo tries to determine the boot drive (the one which was
> used to boot the system this time) and write the stuff to
> it. I guess you have to add two more directives into
> lilo.conf:
>
> disk=/dev/hda bios=0x80
This shouldn't be needed to get Owl installed, really. The lilo.conf
generated by our "setup" program should be OK.
I'm fairly certain that misiu simply entered the wrong device name
somewhere. It would be helpful to see his /owl/etc/lilo.conf in its
entirety.
--
/sd
Message-ID: <41772753.80FF8EB0@private>
Date: Thu, 21 Oct 2004 07:04:51 +0400
From: gremlin <gremlin@private>
To: owl-users@private
References: <1098289783.1776.37.camel@private>
<417696D8.7F931C76@private>
<1098291769.1776.43.camel@private>
<41769CC3.4F187EBD@private> <41769E66.78C1D247@private> <1098309570.1776.51.camel@private>
Subject: Re: [owl-users] installed and chrooted and now?
misiu_ wrote:
> > > > lilo: fatal: geo_query_dev HDIO_GETGEO(dev 0x1600):Invalid argument
> > 0x1600 is /dev/hdc (22,0) - is that your hard disk device, or is it a
> > CD-ROM?
> hi, i guess it is my cdrom...
> but in my lilo.conf
> is
> "boot=/dev/hda1"
> "root=/dev/hda"
Should be (in /owl/etc/lilo.conf):
boot=/dev/hda (the device where to install lilo)
root=/dev/hda1 (the device to be mounted as /)
Then run:
# cd /owl
# chroot . lilo
Or, simply:
# chroot /owl lilo
--
Alexey V. Vissarionov aka Gremlin from Kremlin
<gremlin ПРИ gremlin ТЧК ru>
From: misiu_ <misiu_@private>
To: owl-users@private
In-Reply-To: <20041020235210.GA2801@private>
References: <1098289783.1776.37.camel@private>
<417696D8.7F931C76@private>
<1098291769.1776.43.camel@private>
<41769CC3.4F187EBD@private> <41769E66.78C1D247@private>
<1098309570.1776.51.camel@private>
<4176F6D8.4090506@private> <20041020235210.GA2801@private>
Message-Id: <1098391276.1776.65.camel@private>
Date: Thu, 21 Oct 2004 22:41:17 +0200
Subject: Re: [owl-users] installed and chrooted and now?
OK, I tried to install it just like it is written in the install
README,
but it did not work.
my /owl/etc/lilo.conf looks like this
boot=/dev/hda
image=/boot/bzImage
label=Linux
read-only
root=/dev/hda3
the error message that I get is
Warning:LBA32 addressing is assumed
Added Linux *
Syntax error at or above line 7 in file /etc/lilo.conf
misiu
On Thu, 21.10.2004, Solar Designer wrote at 1:52:
> Michael,
>
> On Thu, Oct 21, 2004 at 03:38:00AM +0400, Michael Tokarev wrote:
> > You booted from CD-Rom drive, right?
> > Lilo tries to determine the boot drive (the one which was
> > used to boot the system this time) and write the stuff to
> > it. I guess you have to add two more directives into
> > lilo.conf:
> >
> > disk=/dev/hda bios=0x80
>
> This shouldn't be needed to get Owl installed, really. The lilo.conf
> generated by our "setup" program should be OK.
>
> I'm fairly certain that misiu simply entered the wrong device name
> somewhere. It would be helpful to see his /owl/etc/lilo.conf in its
> entirety.
Date: Fri, 22 Oct 2004 14:32:37 +0200
From: Nico -telmich- Schottelius <nico-linux-owl@private>
To: owl-users@private
Message-ID: <20041022123237.GB1297@private>
References: <20041016201802.GF6642@private> <20041020195516.GA1766@private>
In-Reply-To: <20041020195516.GA1766@private>
Subject: Re: [owl-users] sudo: why not?
Solar Designer [Wed, Oct 20, 2004 at 11:55:16PM +0400]:
> [su and sudo security problems]
Well, this is not a problem anymore, if you use enhanced
kernel security. For instance using RSBAC (www.rsbac.org)
one can define exactly what program and which user may use
setuid from which uid to which uid.
In normal system status, no setuid() is allowed.
And yes, it's an external kernel patch, which is not in vanilla
Kernel. Though it's tested and stable.
Just wanted to tell you this possibility of hardening owl/
any distribution.
Nico
--
Keep it simple & stupid, use what's available.
Please use pgp encryption: 8D0E 27A4 is my id.
http://nico.schotteli.us | http://linux.schottelius.org
Date: Sat, 23 Oct 2004 03:38:23 +0400
From: Solar Designer <solar@private>
To: owl-users@private
Message-ID: <20041022233823.GA1490@private>
References: <20041016201802.GF6642@private> <20041020195516.GA1766@private> <20041022123237.GB1297@private>
In-Reply-To: <20041022123237.GB1297@private>
Subject: Re: [owl-users] sudo: why not?
Nico,
On Fri, Oct 22, 2004 at 02:32:37PM +0200, Nico -telmich- Schottelius wrote:
> Solar Designer [Wed, Oct 20, 2004 at 11:55:16PM +0400]:
> > [su and sudo security problems]
>
> Well, this is not a problem anymore, if you use enhanced
> kernel security. For instance using RSBAC (www.rsbac.org)
> one can define exaclty what program and which user may use
> setuid from which uid to which uid.
RSBAC is great, but I feel that you've missed the point. If it were
permitted for a non-root user to su to root, then anyone who could
have compromised the user's account[1] would also be able to hijack a
su session[2] and then su to root himself. This attack is not affected
by kernel policy enforcement in any way.
[1] Such a compromise could occur in a variety of ways: Web/FTP/etc.
client vulnerabilities, password snooping, etc.
[2] For example, edit the user's shell startup scripts to make su an
alias for a custom su wrapper program.
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
Date: Sat, 23 Oct 2004 03:43:18 +0400
From: Solar Designer <solar@private>
To: owl-users@private
Message-ID: <20041022234318.GA1623@private>
References: <1098289783.1776.37.camel@private> <417696D8.7F931C76@private> <1098291769.1776.43.camel@private> <41769CC3.4F187EBD@private> <41769E66.78C1D247@private> <1098309570.1776.51.camel@private> <4176F6D8.4090506@private> <20041020235210.GA2801@private> <1098391276.1776.65.camel@private>
In-Reply-To: <1098391276.1776.65.camel@private>
Subject: Re: [owl-users] installed and chrooted and now?
On Thu, Oct 21, 2004 at 10:41:17PM +0200, misiu_ wrote:
> my /owl/etc/lilo.conf looks like this
>
> boot=/dev/hda
>
> image=/boot/bzImage
> label=Linux
> read-only
> root=/dev/hda3
This looks OK. But is it a verbatim copy of the file you've copied
off the system, or did you type it in for this e-mail again?
> the errormsg that i get is
>
> Warning:LBA32 addressing is assumed
You can safely ignore this one.
> Added Linux *
This indicates that it's almost worked.
> Syntax error at or above line 7 in file /etc/lilo.conf
And now this is a problem. But I see neither a syntax error, nor a
line 7 in what you've quoted above, -- hence my question.
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
Date: Sat, 23 Oct 2004 12:29:10 +0200
From: Nico -telmich- Schottelius <nico-linux-owl@private>
To: owl-users@private
Message-ID: <20041023102910.GC1297@private>
References: <20041016201802.GF6642@private> <20041020195516.GA1766@private> <20041022123237.GB1297@private> <20041022233823.GA1490@private>
In-Reply-To: <20041022233823.GA1490@private>
Subject: Re: [owl-users] sudo: why not?
Good morning,
Solar Designer [Sat, Oct 23, 2004 at 03:38:23AM +0400]:
> On Fri, Oct 22, 2004 at 02:32:37PM +0200, Nico -telmich- Schottelius wrote:
> > Solar Designer [Wed, Oct 20, 2004 at 11:55:16PM +0400]:
> > > [su and sudo security problems]
> >
> > Well, this is not a problem anymore, if you use enhanced
> > kernel security. For instance using RSBAC (www.rsbac.org)
> > one can define exactly what program and which user may use
> > setuid from which uid to which uid.
>
> RSBAC is great, but I feel that you've missed the point. If it were
> permitted for a non-root user to su to root, then anyone who could
> have compromised the user's account[1] would also be able to hijack a
> su session[2] and then su to root himself. This attack is not affected
> by kernel policy enforcement in any way.
>
> [1] Such a compromise could occur in a variety of ways: Web/FTP/etc.
> client vulnerabilities, password snooping, etc.
>
> [2] For example, edit the user's shell startup scripts to make su an
> alias for a custom su wrapper program.
Isn't that a problem with any tool which allows changing to a higher
security level?
I just wanted to point to rsbac, as it at least removes the possibility
for most users to setuid() and that way to 'exploit' su.
Nico
--
Keep it simple & stupid, use what's available.
Please use pgp encryption: 8D0E 27A4 is my id.
http://nico.schotteli.us | http://linux.schottelius.org
Date: Sat, 23 Oct 2004 17:30:04 +0400
From: Solar Designer <solar@private>
To: owl-users@private
Message-ID: <20041023133004.GA564@private>
References: <20041016201802.GF6642@private> <20041020195516.GA1766@private> <20041022123237.GB1297@private> <20041022233823.GA1490@private> <20041023102910.GC1297@private>
In-Reply-To: <20041023102910.GC1297@private>
Subject: Re: [owl-users] sudo: why not?
On Sat, Oct 23, 2004 at 12:29:10PM +0200, Nico -telmich- Schottelius wrote:
> Solar Designer [Sat, Oct 23, 2004 at 03:38:23AM +0400]:
> > RSBAC is great, but I feel that you've missed the point. If it were
> > permitted for a non-root user to su to root, then anyone who could
> > have compromised the user's account[1] would also be able to hijack a
> > su session[2] and then su to root himself. This attack is not affected
> > by kernel policy enforcement in any way.
> >
> > [1] Such a compromise could occur in a variety of ways: Web/FTP/etc.
> > client vulnerabilities, password snooping, etc.
> >
> > [2] For example, edit the user's shell startup scripts to make su an
> > alias for a custom su wrapper program.
>
> Isn't that a problem with any tool which allows changing to a higher
> security level?
Yes, -- or, more precisely, it's a problem with making use of such
tools. For example, the mere existence of a Windows(*) PC with an SSH
client might not be a big security problem, but as soon as you use it
to SSH into your super secure server, you effectively empower the
Windows system (and not just yourself!) with access to the no longer
secure server.
> I just wanted to point to rsbac, as it at least removes the possibility
> for most users to setuid() and that way to 'exploit' su.
I really do not see how RSBAC is of any help here. You grant group
privileges for su just to those who are supposed to use su (if at all),
whether or not you use RSBAC on the system (for other great purposes).
(*) I used Windows as an example. Unfortunately, the same problem
exists, albeit to a slightly smaller extent, with typical uses of X
Window System desktops where you would use the same X server to run a
web browser and to SSH into supposedly secure remote servers. The use
of a dedicated pseudo-user account for the web browser is a first step
to resolving this, -- but it is not sufficient because of the shared X
server. A solution to this appears to be the use of a filtering X
proxy, through which the web browser will talk to your X server:
http://cons.home.cern.ch/cons/mxconns/
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
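The hijack in footnote [2] above (a startup script that turns su into an alias for a wrapper the attacker controls) is something a defender can audit for. As an added example that is not part of this thread or of Owl, the following Python script scans shell startup files for aliases or functions that shadow su/sudo and for PATH assignments that put an untrusted directory ahead of the system directories; the file contents it runs over are constructed samples.

```python
"""Audit shell startup files for anything that shadows su or sudo.

Added example, not code from the thread or from Owl.  It checks for the
hijack described in footnote [2]: after an account compromise, an attacker
edits ~/.bashrc or similar so that "su" resolves to a wrapper under the
attacker's control, either via an alias, a shell function, or a PATH entry
searched before the system directories.  The file contents used here are
constructed samples; real use would read the user's actual startup files.
"""
import os
import re
from dataclasses import dataclass

WATCHED = ("su", "sudo")
# Directories accepted ahead of $PATH; anything else prepended is suspicious.
TRUSTED_DIRS = {"/bin", "/usr/bin", "/sbin", "/usr/sbin", "/usr/local/bin"}

NAMES = "|".join(WATCHED)
ALIAS_RE = re.compile(rf"^\s*alias\s+({NAMES})\s*=")
FUNC_RE = re.compile(
    rf"^\s*(?:function\s+)?({NAMES})\s*\(\s*\)|^\s*function\s+({NAMES})\b"
)
PATH_RE = re.compile(r"^\s*(?:export\s+)?PATH\s*=\s*(.*)$")


@dataclass
class Finding:
    file: str
    line_no: int
    kind: str  # "alias", "function" or "path"
    text: str


def path_prepends_untrusted(value: str) -> bool:
    """True if a directory outside TRUSTED_DIRS is searched before the old PATH."""
    value = value.strip().strip("\"'")
    for entry in value.split(":"):
        if entry in ("$PATH", "${PATH}"):
            return False  # reached the previous PATH: everything before it was trusted
        if entry not in TRUSTED_DIRS:
            return True
    return False  # a full reset to trusted directories only


def audit_startup_text(name: str, text: str) -> list:
    """Return the suspicious lines found in one startup file's contents."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # crude comment strip; ignores '#' inside quotes
        if not line.strip():
            continue
        if ALIAS_RE.match(line):
            findings.append(Finding(name, line_no, "alias", raw.strip()))
            continue
        if FUNC_RE.match(line):
            findings.append(Finding(name, line_no, "function", raw.strip()))
            continue
        m = PATH_RE.match(line)
        if m and path_prepends_untrusted(m.group(1)):
            findings.append(Finding(name, line_no, "path", raw.strip()))
    return findings


def audit_files(paths) -> list:
    """Audit each existing file in `paths`; missing files are skipped."""
    findings = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_startup_text(path, fh.read()))
    return findings


# Constructed sample contents, standing in for real ~/.bashrc and ~/.profile.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
export EDITOR=vim
alias ll='ls -l'
alias su='/home/test/.cache/.su'
PATH=$HOME/.cache:$PATH
"""
SAMPLE_PROFILE = """\
# ~/.profile (constructed sample)
sudo() { /home/test/.cache/.sudo "$@"; }
export PATH=$PATH:$HOME/bin
"""
SAMPLE_CLEAN = """\
alias ls='ls --color=auto'
export PATH=$PATH:$HOME/bin
"""

if __name__ == "__main__":
    samples = {"~/.bashrc": SAMPLE_BASHRC, "~/.profile": SAMPLE_PROFILE,
               "~/.zshrc": SAMPLE_CLEAN}
    for name, text in samples.items():
        for f in audit_startup_text(name, text):
            print(f"{f.file}:{f.line_no}: suspicious {f.kind}: {f.text}")
```

On a real account, pass the actual startup files (for example ~/.bashrc, ~/.profile, ~/.bash_profile) to audit_files; a clean result is necessary but not sufficient, since the wrapper could also live in a binary directory already on PATH.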
Date: Sun, 24 Oct 2004 18:45:26 +0200
From: Nico -telmich- Schottelius <nico-linux-owl@private>
To: owl-users@private
Message-ID: <20041024164526.GF1297@private>
In-Reply-To: <20041023133004.GA564@private>
Subject: Re: [owl-users] sudo: why not?
Solar Designer [Sat, Oct 23, 2004 at 05:30:04PM +0400]:
> > I just wanted to point to rsbac, as it at least removes the possibility
> > for most users to setuid() and that way to 'exploit' su.
>
> I really do not see how RSBAC is of any help here. You grant group
> privileges for su just to those who are supposed to use su (if at all),
> whether or not you use RSBAC on the system (for other great purposes).
That's not exactly what happens when using RSBAC.
I'll try to explain how rsbac works and where I see the differences:
- su is mode 4755 (or 4750, doesn't really matter for this example)
1. rsbac kernel boots
2. user 'test' logs in
3. user 'test' tries to use 'su' or any other program, which is setuid
-> user fails, because the rsbac kernel denies any setuid() by default
4. rsbac_officer logs in and gives user 'test' the permissions to use
'su' to setuid to a specific id
5. user 'test' can setuid() to this/the user rsbac_officer allows him to
The difference between normal and rsbac systems:
- normal kernel doesn't check for setuid()s
- normally only su itself checks for a correct password, it does not
check whether the user is allowed to start su
- normally su allows _anybody_ to change to _anybody else's_ id, rsbac
only allows predefined changes
I hope I made it clear where I see the difference.
Nico
--
Keep it simple & stupid, use what's available.
Please use pgp encryption: 8D0E 27A4 is my id.
http://nico.schotteli.us | http://linux.schottelius.org
Date: Sun, 24 Oct 2004 20:57:27 +0400
From: "(GalaxyMaster)" <galaxy@private>
To: owl-users@private
Message-ID: <20041024205727.B10728@private>
In-Reply-To: <20041024164526.GF1297@private>; from nico-linux-owl@private on Sun, Oct 24, 2004 at 06:45:26PM +0200
Subject: Re: [owl-users] sudo: why not?
On Sun, Oct 24, 2004 at 06:45:26PM +0200, Nico -telmich- Schottelius wrote:
> Solar Designer [Sat, Oct 23, 2004 at 05:30:04PM +0400]:
> I hope I made it clear where I see the difference.
I'm afraid that you don't understand what Solar is trying to describe :(
The main problem here is that if somebody has an unprivileged account with
ability to make some privileged tasks, then if intruder abuses this account,
he will have access to do such privileged tasks also.
> Nico
--
(GalaxyMaster)
Openwall
Date: Mon, 25 Oct 2004 02:34:55 +0400
From: Solar Designer <solar@private>
To: owl-users@private
Message-ID: <20041024223455.GA2499@private>
In-Reply-To: <20041024164526.GF1297@private>
Subject: Re: [owl-users] sudo: why not?
On Sun, Oct 24, 2004 at 06:45:26PM +0200, Nico -telmich- Schottelius wrote:
> The difference between normal and rsbac systems:
>
> - normal kernel doesn't check for setuid()s
> - normally only su itself checks for a correct password, it does not
> check whether the user is allowed to start su
> - normally su allows _anybody_ to change to _anybody else's_ id, rsbac
> only allows predefined changes
None of these have anything to do with the problem I've described.
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
From: misiu_ <misiu_@private>
To: owl-users@private
In-Reply-To: <20041022234318.GA1623@private>
Message-Id: <1098691521.1776.3.camel@private>
Date: Mon, 25 Oct 2004 10:06:35 +0200
Subject: Re: [owl-users] installed and chrooted and now?
Hi,
> And now this is a problem. But I see neither a syntax error, nor a
> line 7 in what you've quoted above, -- hence my question.
I retyped it but I looked over it several times!
I just try to install totally new!
Since somebody mentioned there is no need to edit the lilo.conf
misiu
From: misiu_ <misiu_@private>
To: owl-users@private
In-Reply-To: <1098691521.1776.3.camel@private>
Message-Id: <1098726270.2129.37.camel@private>
Date: Mon, 25 Oct 2004 19:44:30 +0200
Subject: Re: [owl-users]Works installed and chrooted and now?
Hello,
now it works! I guess I made one thing different now, after "make
installworld" I made the "setup" again with "fstab" and "lilo"
After running the command "lilo" I rebooted and it worked.
Thanks for your help.
misiu
On Mon, 25.10.2004 at 10:06, misiu_ wrote:
> Hi,
> > And now this is a problem. But I see neither a syntax error, nor a
> > line 7 in what you've quoted above, -- hence my question.
>
> I retyped it but I looked over it several times!
> I just try to install totally new!
> Since somebody mentioned there is no need to edit the lilo.conf
>
> misiu
From: misiu_ <misiu_@private>
To: owl-users@private
Message-Id: <1098728043.2129.41.camel@private>
Date: Mon, 25 Oct 2004 20:14:04 +0200
Subject: [owl-users] question about doku
Hello again,
is there some more information about Owl?
I still try to find out more about my *now* working system.
Is there some archive of the mailing list or so?
misiu
From: Bernhard Fuchs <bf@private>
To: owl-users@private
Organization: MASTERDIGITAL
Message-Id: <1098794525.1775.143.camel@private>
Date: Tue, 26 Oct 2004 14:42:06 +0200
Subject: [owl-users] Hello? Anybody there?
I'm still waiting for an answer to my last mail.
I can't find docs for owl...
The website is kind of confusing to me...
misiu
Date: Tue, 26 Oct 2004 17:46:00 +0400
From: (GalaxyMaster) <galaxy@private>
To: owl-users@private
Cc: bf@private
Message-ID: <20041026174600.51b423ee@private>
In-Reply-To: <1098794525.1775.143.camel@private>
Organization: Openwall
Subject: Re: [owl-users] Hello? Anybody there?
Hello,
Reply message to the letter from Bernhard Fuchs <bf@private> on
Tue, 26 Oct 2004 14:42:06 +0200:
BF> I'm still waiting for an answer to my last mail.
BF> I can't find docs for owl...
BF> The website is kind of confusing to me...
Hmm, what kind of documentation do you want to see? :)
BF> misiu
--
(GalaxyMaster)
http://www.openwall.com/
========================
AC5C EF16 E76F 015B 38ED
EC50 367D CA79 FD15 42FC
From: misiu_ <misiu_@private>
To: owl-users@private
In-Reply-To: <20041026174600.51b423ee@private>
Message-Id: <1098800070.1775.156.camel@private>
Date: Tue, 26 Oct 2004 16:14:30 +0200
Subject: Re: [owl-users] Hello? Anybody there?
Hi,
how do I install openvpn or so. I mean, I read that there is "rpm" as
package management. I know now different management solutions like "swup",
"apt-get", "emerge", "yum". It is good and easy to make it like that. On
Trustix it's swup --install packagename.
To be serious, I had a lot of problems installing owl 'cause the docu is
not clear to me. I'm not really a beginner nor am I an expert.
Right now my Firewall is "trustix"; 'cause they will sooner or later
charge money, I'm looking for another distro. So for me it's openwall or
"TinySofa". Nothing else I've found until now. A lot of people make
Firewalls with SuSe Linux or RedHat, I go a different way.
If people look at "Gentoo Linux" there is so much on docu and forums
etc.
Why is it not with owl? Time? money? people?
misiu
On Tue, 26.10.2004 at 15:46, galaxy@private wrote:
> Hello,
>
> Reply message to the letter from
> Tue, 26 Oct 2004 14:42:06 +0200:
>
> Hmm, what kind of documentation do you want to see? :)
Message-ID: <417E5E28.9010001@private>
Date: Tue, 26 Oct 2004 16:24:40 +0200
From: Andreas Ericsson <ae@private>
To: owl-users@private
In-Reply-To: <1098794525.1775.143.camel@private>
Subject: Re: [owl-users] Hello? Anybody there?
Bernhard Fuchs wrote:
> I'm still waiting for an answer to my last mail.
> I can't find docs for owl...
> The website is kind of confusing to me...
>
> misiu
>
>
There are man- and info pages. Try
$ man info
for instance. Also, you could have a look in /usr/doc. There you will
find a plethora of information about each installed package which you
can peruse any time you like.
Other than that it's pretty much like Red Hat Linux, except that the
code that makes it tick has been audited for security issues and
everything is configured to be as safe as possible by default.
If there is some specific question you would like to know the answer to
I'm sure you've noticed that there is an abundance of help available
from the mailing-list. If you need a starter-guide to Owl, you can have
a look at the magicpoint slides at
http://www.openwall.com/presentations/.
--
Andreas Ericsson andreas.ericsson@private
OP5 AB www.op5.se
Lead Developer
Message-ID: <417E617E.3010101@private>
Date: Tue, 26 Oct 2004 16:38:54 +0200
From: Andreas Ericsson <ae@private>
To: owl-users@private
In-Reply-To: <1098800070.1775.156.camel@private>
Subject: Re: [owl-users] Hello? Anybody there?
misiu_ wrote:
> Hi,
> how do I install openvpn or so. I mean, I read that there is "rpm" as
> package management. I know now different management solutions like "swup",
> "apt-get", "emerge", "yum". It is good and easy to make it like that. On
> Trustix it's swup --install packagename.
> To be serious, I had a lot of problems installing owl 'cause the docu is
> not clear to me. I'm not really a beginner nor am I an expert.
> Right now my Firewall is "trustix"; 'cause they will sooner or later
> charge money, I'm looking for another distro. So for me it's openwall or
> "TinySofa". Nothing else I've found until now. A lot of people make
> Firewalls with SuSe Linux or RedHat, I go a different way.
> If people look at "Gentoo Linux" there is so much on docu and forums
> etc.
> Why is it not with owl? Time? money? people?
>
A combination of those, yes.
Owl is not a very old operating system so it doesn't have a great many
users. Usually, there are three kinds of contributors to an
open-source project:
Developers (the Founding Father and a few of his friends at first, usually)
Testers (highly experienced users who don't exactly need
documentation and are often apt at pinpointing the bugs as well as just
noticing they exist).
Documentation writers (usually people who really want to contribute in
some way but don't have the programming skills required to write code).
When all this is done, you pretty much just have to sit back and wait
for the forums and user-created HOWTO sites to start popping up. Gentoo,
Debian, RedHat, Mandrake and other GNU/*/Linux-based distributions have
been around for a long time and have evolved faster due to not being as
thorough about code reviews as the Owl team.
--
Andreas Ericsson andreas.ericsson@private
OP5 AB www.op5.se
Lead Developer
From: misiu_ <misiu_@private>
To: owl-users@private
In-Reply-To: <417E617E.3010101@private>
Message-Id: <1098817448.1775.163.camel@private>
Date: Tue, 26 Oct 2004 21:04:09 +0200
Subject: Re: [owl-users] Hello? Anybody there?
> A combination of those, yes.
> Owl is not a very old operating system so it doesn't have a great many
> users. Usually, there are three kinds of contributors to an
> opensource-project;
> Developers (the Founding Father and a few of his friends at first, usually)
> Testers (highly experienced users who don't exactly need
> documentation and are often apt at pinpointing the bugs as well as just
> noticing they exist).
> Documentation writers (usually people who really want to contribute in
> some way but don't have the programming skills required to write code).
>
So, I write an Install-Docu in German and put it on my website. Do you
need server space? I got 2 GB free, let's say 500MB .... can you use it?
It's a fast server and fast Internet connection.
> When all this is done, you pretty much just have to sit back and wait
> for the forums and user-created HOWTO sites to start popping up. Gentoo,
> Debian, RedHat, Mandrake and other GNU/*/Linux-based distributions have
> been around for a long time and have evolved faster due to not being as
> thorough about code reviews as the Owl team.
O.k. I'll wait and see what pops up and I do what I find out or can
do....
misiu
Message-ID: <417F60F9.5010909@private>
Date: Wed, 27 Oct 2004 10:48:57 +0200
From: Andreas Ericsson <ae@private>
To: owl-users@private
References: <1098794525.1775.143.camel@private> <20041026174600.51b423ee@private> <1098800070.1775.156.camel@private> <417E617E.3010101@private> <1098817448.1775.163.camel@private>
In-Reply-To: <1098817448.1775.163.camel@private>
Subject: Re: [owl-users] Hello? Anybody there?
misiu_ wrote:
>
>>A combination of those, yes.
>>Owl is not a very old operating system so it doesn't have a great many
>>users. Usually, there are three kinds of contributors to an
>>opensource-project;
>>Developers (the Founding Father and a few of his friends at first, usually)
>>Testers (highly experienced users who don't exactly need
>>documentation and are often apt at pinpointing the bugs as well as just
>>noticing they exist).
>>Documentation writers (usually people who really want to contribute in
>>some way but don't have the programming skills required to write code).
>>
>
> So, I write an Install-Docu in German and put it on my website. Do you
> need server space? I got 2 GB free, let's say 500MB .... can you use it?
> It's a fast server and fast Internet connection.
>
That would probably be helpful, but I think it would be best if it was
kept as an unofficial installation guide with just a link from the
official Owl website. That way it doesn't add to the burden of making
sure documentation is up to date on the maintainers, while still being a
helpful piece of documentation.
>
>>When all this is done, you pretty much just have to sit back and wait
>>for the forums and user-created HOWTO sites to start popping up. Gentoo,
>>Debian, RedHat, Mandrake and other GNU/*/Linux-based distributions have
>>been around for a long time and have evolved faster due to not being as
>>thorough about code reviews as the Owl team.
>
>
> O.k. I'll wait and see what pops up and I do what I find out or can
> do....
>
You can write that install-docu, send a link to it to this list and make
sure it registers at Google. That will help others find it properly.
--
Andreas Ericsson andreas.ericsson@private
OP5 AB www.op5.se
Lead Developer
From: misiu_ <misiu_@private>
To: owl-users@private
Message-Id: <1099039919.1800.14.camel@private>
Date: Fri, 29 Oct 2004 10:52:00 +0200
Subject: [owl-users] error message??
Hello List,
can anybody tell me what the error message "spurious 8259A interrupt:
IRQ7" means?
misiu
Message-ID: <41821095.2060902@private>
Date: Fri, 29 Oct 2004 13:42:45 +0400
From: Michael Tokarev <mjt@private>
To: owl-users@private
References: <1099039919.1800.14.camel@private>
In-Reply-To: <1099039919.1800.14.camel@private>
Subject: Re: [owl-users] error message??
misiu_ wrote:
> Hello List,
>
> can anybody tell me what the error message "spurious 8259A interrupt: IRQ7" means?
Learn to use google ;)
http://www.google.com/search?q=%22spurious+8259A+interrupt%3A+IRQ7%22
Basically, just ignore this warning.
/mjt
Date: Wed, 3 Nov 2004 15:31:38 +0300
From: Solar Designer <solar@private>
To: announce@private, owl-users@private
Message-ID: <20041103123138.GA22476@private>
Subject: [owl-users] Owl-current moved to glibc 2.3.x
Hi,
As some of you might be aware, the publicly-visible Owl-current had
been frozen for the past two months while we proceeded to break the
system with heavy updates applied to our private CVS.
Well, today I did the final touches and let all the new stuff out to the
public, along with certain newly introduced bugs that are yet to be
fixed... Further updates are to follow.
Basically, the system has been updated to glibc 2.3.x (2.3.2 plus the
patches found in latest Red Hat Linux 9 glibc update, minus NPTL, and
plus all of our modifications indeed). To do this, we had to update
many other packages as well, including gcc, autoconf, automake,
libtool, and gettext. And we've updated to RPM 4.2, at the same time
re-introducing the code to convert RPM 3.0.6's db1 databases into
the new db3 format (to enable upgrades from older versions of Owl).
Other packages have been updated as well, providing a consistent set
of core libraries as required by packages from or intended for newer
versions of Red Hat Linux and by other Linux executables.
Please refer to the Owl-current change log for information on the more
important of these changes:
http://www.openwall.com/Owl/CHANGES-current.shtml
The new snapshot may be downloaded from the usual locations given at:
http://www.openwall.com/Owl/DOWNLOAD.shtml
Not all of the FTP mirrors have been updated yet, but most should be
within a day.
Note that there's no updated ISO image yet. We will generate one once
Owl-current stabilizes a little after this big update. Yes, as I have
mentioned, some known problems do exist, as well as definitely many
not yet known ones. Those who want stability are advised to stay with
Owl 1.1-stable until we approach a new release.
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
Message-ID: <4188D1E4.2020802@private>
Date: Wed, 03 Nov 2004 13:41:08 +0100
From: Andreas Ericsson <ae@private>
To: owl-users@private
References: <20041103123138.GA22476@private>
In-Reply-To: <20041103123138.GA22476@private>
Subject: Re: [owl-users] Owl-current moved to glibc 2.3.x
Solar Designer wrote:
>
> Note that there's no updated ISO image yet. We will generate one once
> Owl-current stabilizes a little after this big update. Yes, as I have
> mentioned, some known problems do exist, as well as definitely many
> not yet known ones. Those who want stability are advised to stay with
> Owl 1.1-stable until we approach a new release.
>
The previous versions of current (prior to "The Big Update") have been
very stable on about 80 production-critical servers for us. How about
naming the 'current' prior to "The Big Update" Owl 1.2-stable (or 1.1.1
stable or whatever), and bumping the release number for Owl-current to
"Owl-1.3_beta" or something similar.
Optionally, put the 1.1 binary compatible updates in 1.1_updates and
stick with current for everything new, including the biggies, before
bumping the release for that one.
--
Andreas Ericsson andreas.ericsson@private
OP5 AB www.op5.se
Lead Developer
Date: Fri, 5 Nov 2004 06:58:46 +0300
From: Solar Designer <solar@private>
To: owl-users@private
Message-ID: <20041105035846.GA14271@private>
References: <20041103123138.GA22476@private> <4188D1E4.2020802@private>
In-Reply-To: <4188D1E4.2020802@private>
Subject: Re: [owl-users] Owl-current moved to glibc 2.3.x
On Wed, Nov 03, 2004 at 01:41:08PM +0100, Andreas Ericsson wrote:
> The previous versions of current (prior to "The Big Update") have been
> very stable on about 80 production-critical servers for us. How about
> naming the 'current' prior to "The Big Update" Owl 1.2-stable (or 1.1.1
> stable or whatever),
Yes, I had this thought, too. But to do it right, we'd have to make a
1.2 release and that's quite some work (build/test on all archs, build
an ISO image of the latest, propagate it to CD production). Then we'd
maintain a 1.2-stable instead of 1.1-stable.
If, however, we make a 1.2-stable without a 1.2 release, I don't feel
we'd have the right to abandon 1.1-stable like that. And maintaining
three branches at once (1.1-stable, 1.2-stable, and current) would be
too much overhead.
Now, there's the option to simply roll all updates from current prior
to the Big Update into 1.1-stable, but there's one change some might
not appreciate despite the system remaining very stable: the Perl
version change (5.6.x to 5.8.x). This will break support for Perl
modules people have built locally. Not something to be done within a
stable branch.
> and bump the release number for Owl-current to "Owl-1.3_beta" or
> something similar.
There's no such thing as a release number for Owl-current. It's just
current.
> Optionally, put the 1.1 binary compatible updates in 1.1_updates and
> stick with current for everything new, including the biggies, before
> bumping the release for that one.
I don't quite understand this suggestion.
There will be updates for 1.1-stable as needed. These will also work
on current prior to the Big Update, but some might actually be older
versions of packages (again, Perl is the most noticeable example).
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
Message-ID: <418B4556.3070903@private>
Date: Fri, 05 Nov 2004 10:18:14 +0100
From: Andreas Ericsson <ae@private>
To: owl-users@private
References: <20041103123138.GA22476@private> <4188D1E4.2020802@private> <20041105035846.GA14271@private>
In-Reply-To: <20041105035846.GA14271@private>
Subject: Re: [owl-users] Owl-current moved to glibc 2.3.x
Solar Designer wrote:
> On Wed, Nov 03, 2004 at 01:41:08PM +0100, Andreas Ericsson wrote:
>
>>The previous versions of current (prior to "The Big Update") have been
>>very stable on about 80 production-critical servers for us. How about
>>naming the 'current' prior to "The Big Update" Owl 1.2-stable (or 1.1.1
>>stable or whatever),
>
>
> Yes, I had this thought, too. But to do it right, we'd have to make a
> 1.2 release and that's quite some work (build/test on all archs, build
> an ISO image of the latest, propagate it to CD production). Then we'd
> maintain a 1.2-stable instead of 1.1-stable.
>
I can build and test it on i386, but I haven't got the kind of access
needed to build everything on any other platform.
> If, however, we make a 1.2-stable without a 1.2 release, I don't feel
> we'd have the right to abandon 1.1-stable like that. And maintaining
> three branches at once (1.1-stable, 1.2-stable, and current) would be
> too much overhead.
>
1.1 and 1.2 would be binary compatible, so 1.1 could possibly be dropped
from maintenance in favor of 1.2. Are there any strong suggestions
against this?
> Now, there's the option to simply roll all updates from current prior
> to the Big Update into 1.1-stable, but there's one change some might
> not appreciate despite the system remaining very stable: the Perl
> version change (5.6.x to 5.8.x). This will break support for Perl
> modules people have built locally. Not something to be done within a
> stable branch.
>
Hadn't thought of that, but I think sensible users can choose not to
upgrade perl if they rely too heavily on extra modules they've built, or
simply build them again for perl 5.8. Besides, I'm sure a lot of people
were running current as it was before the big update and have already
upgraded their perl packages, so the problem with perl is double-edged.
>
>>Optionally, put the 1.1 binary compatible updates in 1.1_updates and
>>stick with current for everything new, including the biggies, before
>>bumping the release for that one.
>
>
> I don't quite understand this suggestion.
>
Just keep updates for 1.1 in a separate directory. This way users can
pick what updates they would like to install, but there would be no need
to drop what's currently the most recent version of 1.1 binary
compatible packages, or jumble them