/srv/irclogs.ubuntu.com/2009/03/07/#ubuntu-devel.txt

slangaseksuperm1: are you sure media-retriever/mountmedia aren't in the initramfs?00:24
slangaseksuperm1: media-retriever should be included in all cdrom initramfses, according to the d-i source00:25
TheMusoslangasek: have livefs builds for powerpc been turned off, or are they dying in another way that I can't see, as I don't see any logs since Feb 27th.00:30
TheMusolivefs builds for ports in general actually.00:30
slangasekTheMuso: ports CD builds have been disabled because ports.u.c was having Issues, and the ports builds were both causing contention on the mirror while it was trying to repair its RAID array, and also breaking the non-ports builds due to locking issues00:30
slangasekI'll check with IS whether it's safe to re-enable00:31
TheMusoslangasek: ok thanks for that.00:31
=== foxbuntu is now known as foxbuntu_
=== foxbuntu_ is now known as foxbuntu
=== asac_ is now known as asac
jdongany X deities know why compiz trying to start on my jaunty Intel GMA950 would instantly lock up the system?03:46
superm1slangasek, i'll verify on monday. this came about because i was attempting to use a patched media-retriever so i didn't realize i'd have to repack the initramfs to use it.04:38
=== Caesar_ is now known as Caesar
jdongsbeattie: http://jdong.mit.edu/~jdong/jailbuddy2.png this is what came of our discussion the other day :)06:21
jdongit's an ugly solution but it works06:21
jdongat least that gives some user interaction for willingly escaping out of apparmor06:21
jdongI will eat my hat if /usr/bin/file becomes vulnerable to some untrusted input exploit :)06:21
jdong(actually... that has probably happened before)06:22
LaserJockjdong: what kind of hat do you wear?06:27
jdongnot a fedora ;-)06:27
LaserJockan edible hat might be nice06:28
slangaseksuperm1: aha06:33
=== fargiola` is now known as fargiolas
keesdoko: openjdk looks good with stack/fortify.  2 new errors, 1 fixed error, out of almost 3300 tests.08:51
=== alex3f is now known as gringo1
ion_Woot, grub2 works.09:44
ideamonk_http://i39.tinypic.com/14cd4xi.png10:29
ideamonk_isn't the file selection windows too wide there10:29
ideamonk_imagine if a upload popup wished to allow users any one ".abc,.abd..... 60 such things10:30
ideamonk_won't that fill up all my screen space ?10:30
ideamonk_i've proposed a solution - http://ideamonk.blogspot.com/2009/03/trying-to-make-ubuntu-better.html10:30
ideamonk_i wonder if that window is handled totally by firefox or gnome makes it for the user10:31
ideamonk_any ideas ?10:31
maxbTheMuso: My audio was glitching horribly, your PPA packages fixed it up nicely. Is there any testing I can do to help with getting Jaunty's official audio fixed?11:12
Laneyrelated, where would a bug where my master volume always resets to muted after login go?11:22
hyperairLaney: how about the init-scripts11:22
Laneyreally?11:22
hyperairLaney: one of the alsa ones11:22
hyperairLaney: it's supposed to save your volume when stop is called, and restore when start is called11:23
hyperairLaney: i noticed this in archlinux. probably is the same on debian-based systems11:23
Laneyright, I never know what's pulse and what's alsa11:23
hyperairhahah11:23
hyperairpulseaudio is purely userspace11:24
hyperairwhereas alsa has stuff both in kernelspace and userspace11:24
Laneybut it has something to do with volume controls11:24
hyperairthat's the way i understand it11:24
hyperairpulseaudio doesn't attack your volume controls on its own unless i'm mistaken11:24
hyperairas in the system's volume control11:24
hyperairindividual apps yes, but not the system's volume control11:24
hyperairthe system's one is handled by the alsa initscript11:25
hyperairerm alsasound11:25
hyperair/etc/init.d/alsasound11:25
hyperairit saves into /etc/asound.state11:25
hyperairand restores from there11:25
LaneyI don't even have that file11:26
Laneythe initscript, that is11:26
hyperaireh?11:26
hyperairlemme do a dpkg -S11:26
hyperairokay, thisi s strange, i can't find it11:27
cjwatsonISTR a bug being filed about this already11:27
cjwatson/etc/init.d/alsa-utils, BTW11:27
hyperairhmm? does that poke asound.state?11:27
Laneycjwatson: Cool, I was just trying to find the right places to search11:28
hyperairoh it does!11:28
cjwatsonvia alsactl, yes11:28
hyperair/var/lib/alsa/asound.state11:28
Laneybug 22750511:29
ubottuLaunchpad bug 227505 in alsa-utils "Not restoring volume levels" [Undecided,Confirmed] https://launchpad.net/bugs/22750511:29
geserjdstrand: re bug 337659: where did you find the dependency? I see bmpx only listed in recommends with two other alternatives.11:38
ubottuLaunchpad bug 337659 in bmpx "RM: bmpx -- RoM; unmaintained upstream, uses outdated libraries" [Wishlist,Invalid] https://launchpad.net/bugs/33765911:38
chris-ppulseaudio on Jaunty is very stuttery12:20
chris-pdid a test and: Underruns for  pulse:   26, Underruns for   alsa:    112:21
directhexis cdimage down for everyone, or just me?12:47
StevenKhttp://downforeveryoneorjustme.com/cdimage.ubuntu.com12:49
directhexpoot.12:50
directhexwell, i'll use an intrepid cd & upgrade12:50
sebnerStevenK: lol, cool site12:51
chris-pdirecthex: why not download it off a different mirror12:51
directhexchris-p, there arfe mirrors for jaunty discs?12:51
chris-pdirecthex: http://ftp.heanet.ie/mirrors/ubuntu-cdimage/releases/9.04/alpha-5/12:52
directhexoh, those crazy irish. woo!12:52
elmomaswan also has a mirror12:53
elmoin any event, I've kicked some of the worst offenders off of cdimage, and it's backup12:53
directhexi should poke the mirror.ox.ac.uk people12:53
hyperairdirecthex: down for me. it was up 6 minutes ago12:58
hyperair*512:58
hyperairah it's back up12:59
directhexi'll just wait for heanet's sloooow download12:59
directhexdoko, thanks for ironpython upload in sid13:08
Laneyanyone able to NEW pywebkitgtk binaries pretty please?13:21
DktrKranzRiddell, if you have time, mind looking at bug 334121 with your motu-release delegate hat on?13:22
ubottuLaunchpad bug 334121 in plasma-widget-translatoid "Update to 0.6" [Wishlist,New] https://launchpad.net/bugs/33412113:22
sebnerDktrKranz: nahh, kde is evil :P13:26
DktrKranzhey sebner!13:26
jdstrandgeser: I see now that you are right. it is a Recommends only. script output didn't make that difference. my bad. I'll remove14:03
jdstrandgeser: done14:07
chris-pdirecthex: download finished yet?14:10
directhexchris-p, oh, yeah14:54
RainCTpitti: about bug #338279, $GDMSESSION is "default" here, so the "if [ $GDMSESSION = gnome ]; then exec" won't work15:14
ubottuLaunchpad bug 338279 in notify-osd "notify-osd should be aware of if the messaging indicator is present and fall back to old style notifications if it's not" [Undecided,New] https://launchpad.net/bugs/33827915:14
=== thunderstruck is now known as gnomefreak
ScottKDktrKranz: Riddell is at a free software conference in Nigeria, so probably not for a few days.16:23
DktrKranzScottK, oh, I didn't know that, thanks16:25
=== azeem_ is now known as azeem
Laneydoko: Would it be a problem for boost to depends on all of the pythonx.y-dev packages as alternatives?17:00
Laneylibboost-pythonfoo-dev, that is17:00
=== RainCT_ is now known as RainCT
darksmokeis there a way to install firefox on kubuntu without the list of unneeded-dontknow-why-they-where-added-as-dependencies dependencies?18:06
darksmokelike synaptics and suck18:06
darksmoke*such18:06
azeemdarksmoke: that's a question for #ubuntu18:09
directhexazeem, or even for #kubuntu!18:11
Toobazis there an Ubuntu official policy about packages which only have a menu item in the Debian menu (and hence end up in "Others" section)? I've asked a maintainer to add a .desktop under "Education;Science;Math;", but (also because of the bug that Science is no main cathegory) he prefers "Applications/Science/Data Analysis", and I can understand him. Is there any possibility to avoid a (quite permanent) patch at the M18:16
Toobaz(reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=51859618:17
ubottuDebian bug 518596 in r-cran-rcmdr "R Commander missing in applications menu" [Unknown,Open]18:17
Toobazwell, maybe #motu is the right channel, I move there, please forget my question here18:19
Adri2000slangasek: now that the samba sru is uploaded, can you approve it on behalf of ubuntu-sru please? (#328874)20:00
=== The_Company is now known as Company
lfaraoneWould it be reasonable to add apparmor profiles to userland SSH in jaunty+1?22:05
jdonglfaraone: do you have samples of what those profiles would look like?22:12
jdongI assume you have some change_hat patching for openssh22:12
lfaraonejdong: no clue, I'm not too familiar with openssh yet.22:16
jdonglfaraone: well the fundamental problem is Apparmor alone is not really granular enough to encapsulate openssh's role22:16
jdonglfaraone: in effect you need to allow openssh touch enough of pam and uid switching that it is probably going to end up not any more constricted than otherwise22:17
jdongat least that was my experience with attempting to secure it with apparmor22:17
lfaraonejdong: is there a way to make it that the only app that is allowed access to ~/.ssh is /usr/bin/ssh?22:17
jdongno.22:17
jdongapparmor is not good for doing system-wide restrictions like that22:18
jdongthat's much easier to express in SELinux22:18
lfaraonejdong: why was apparmor chosen over selinux?22:18
lfaraone(I was juuust going to say, lol)22:18
jdonglfaraone: lack of intrusiveness, low overhead, simplicity of configuring22:18
lfaraonejdong: is there a way to improve apparmor in order to make it easier to implement system-wide restrictions?22:19
jdonglfaraone: it's not designed to do that I am afraid.22:19
jdongto clarify on "simplicity"22:20
jdonghere's my irssi profile in apparmor for Hardy: http://paste.ubuntu.com/127980/22:20
jdongand here's the same thing in SELinux for Lenny: http://jdong.mit.edu/~jdong/selinux/irssi.if22:20
jdongthe former I can explain to my 9 year old sister :)22:20
lfaraonejdong: hehe, because you hide all the scary bits in templates, I assume? :)22:21
lfaraone*include files22:21
jdonglfaraone: not at all22:21
jdonglfaraone: most of those bits are not required22:21
jdonglfaraone: note that SELinux is all in templates too22:21
macoat some point i have to learn to read that, and then to write it myself22:21
jdongi.e. corenet, corecmd, manage_*_pattern22:21
jdonguserdom_*22:21
lfaraonemaco: what, SELinux?22:21
macolfaraone: yeah22:22
jdongin practice it's not IMO any more *difficult* to configure22:22
lfaraonemaco: god, I'm going to kill myself if I end up managing RHEL systems; at least until they simplify that.22:22
jdongjust the learning curve is a step function22:22
lfaraonejdong: is there a gui? :)22:22
macolfaraone: why would you have a gui on a server?22:22
macolfaraone: and RHEL includes some default contexts pre-configured, i think22:23
jdonglfaraone: not for either, in practice.22:23
lfaraonemaco: yeah, I know.22:23
jdongthere are some automated tools in GUI and CLI form for developing policies but none of them work in practice for me22:23
lfaraonemaco: I mean for use on the desktop.22:23
lfaraonejdong: that's terrible.22:23
lfaraonemaco: as in, I write a policy on my nice desky and scp it to the server.22:23
jdongaudit2allow (SELinux) tends to suggest all the wrong things to do (i.e. give unconfined access, comeon do it! do it!)22:23
lfaraonejdong: unconfined? (you can tell I'm new to this)22:24
jdongand aa-logprof is equally unclear in asking a bazillion questions for something one glob accesses.22:24
jdonglfaraone: i.e. if irssi tries to read ~/.irssi and you haven't configured it to allow this22:24
jdongand then you run audit2allow22:24
jdongthe deafult rule it generates is "read_files_pattern($1_irssi_t, $1_home_t, $1_home_t)22:25
jdongand similar for write files22:25
jdongwhich gives irssi full access to your unlabeled sections of your home directory22:25
jdongthe "correct" pattern would have been to create a file context globbing the areas it tried to access if they were a general label22:25
jdongIMO neither of these tools NEED a GUI.22:26
jdongthe hardest part is describing what your process to confine needs access to.22:26
jdongand if you can explain that to me in English, you can write it in selinux or apparmor just as easily22:27
jdongespecially apparmor.22:27
lfaraonejdong: Well, AppArmor seems simple enough.22:27
lfaraonejdong: however SELinux seems unreadable to me.22:27
jdonglfaraone: it's a much more powerful system capable fo expressing far more relationships than an ACL.22:28
jdongit's necessarily complex.22:28
jdonghence it is capable of doing the OpenSSH profiles and GnuPG profiles you wanted :)22:28
lfaraonejdong: it is possible to have complexity while retaining ease of understanding and use, no?22:29
jdonglfaraone: not really22:29
jdonglfaraone: the apparmor language cannot define domains and file types between domains.22:29
jdongand that's fundamentally one of the things SELinux lets you do that makes possible the things you are asking for22:29
jdongand also, when SELinux "breaks" even your unconfined users are affected.22:30
jdongthere are things that unconfined_u cannot do, and there's more of those when your policy is broken!22:30
jdongand I still haven't begun to understand how SELinuxing GUI apps correctly works :)22:31
lfaraonehm.22:32
lfaraonejdong: has any thought been put into using the rainbow/bitfrost framework for GUI apps?22:32
lfaraonejdong: OLPC did a pretty good job with the XO, with a (IMHO) very good framework.22:33
jdonglfaraone: what does bitfrost do in terms of domain-to-domain interaction though?22:34
jdongI recall it seemed to have next to NO protection for things that "interact with the home directory"22:34
lfaraonejdong: domain-to-domain?22:34
lfaraonejdong: you can't write to ~ at all, hehe.22:34
jdonglfaraone: Firefox needs to save a file you download, and then open it with Evince.22:34
lfaraonejdong: since each app is technically running as its own user.22:34
jdonghow do you implement that with a bitfrost setup?22:34
jdonglike with Apparmor it's a relationship that's pertty freaking hard to describe.22:35
lfaraonejdong: currently we have firefox save an object to the journal (which is a problem once you are talking about non-abstract file structures), and you're sent to the object's details page where you choose to open it in evince.22:35
LaserJocklfaraone: btw, how is Abiword going?22:36
jdongsounds as hackish as my apparmor solution.22:36
jdonghttp://jdong.mit.edu/~jdong/jailbuddy2.png22:36
lfaraoneLaserJock: it isn't, I was hopelessly lost. I *think* morgs was working on it,22:36
lfaraone*.22:36
jdongsomeone told me yesterday jail buddy reminded them of UAC :(22:37
LaserJockk22:37
lfaraonejdong: hehe22:37
lfaraonejdong: it's like that, but in OLPC/sugar we're intergrating it with the whole UI paradigm so it's unintrusive (assuming you don't expect computers to work the way Windows/GNOME/KDE does)22:37
jdonglfaraone: one of my longer term projects is working on a Firefox SELinux profile that supports the concept of quarantined files the way OS X handles them22:38
LaserJockjdong: shouldn't that be called JailFileKit or similar? :-)22:38
jdongi.e. they are labeled in such a way that the user is neither allowed to access nor execute them until "bringing it out of quarantine"22:38
lfaraonejdong: interesting22:38
jdonglfaraone: how does bitfrost deal with local priviledge escalation once an app is compromised?22:39
jdonglfaraone: i.e. if I took advantage of that flashplayer 0day and had a shell within Firefox, what can I do?22:39
=== warriorf1rgod is now known as warriorforgod
lfaraonejdong: anything firefox can do , which is steal your cookies.22:48
lfaraonejdong: write huuuuuge files to the journal (currently nothing stops you from doing that)22:48
lfaraonejdong: and nothing else. you cannot su, etc.22:48
lfaraonejdong: you can only see things that you have been explitly given access to by a user action.22:48
lfaraonejdong: and steal your banking info.22:50
lfaraonejdong: however it's isolated; unless you are able to exploit another app you can't spread to it.22:50
lfaraonejdong: (ie if I write shell code to the journal, the user has to exec it manually)22:51
jdonglfaraone: how is the process space divided? can I ptrace() existing processes or peer into /proc or /sys?22:53
jdongflashplugin definitely requires access to /proc to work correctly.22:53
TheMusomaxb: Talk to dtchen when he is online, he is trying to get glitchy issues sorted out.22:54
lfaraonejdong: would it be a problem if you were? I think you *can*, currently.23:23
jdonglfaraone: well yes in a way it would be23:24
lfaraonejdong: how exactly?23:25
jdonglfaraone: a few of the root level kernel exploits were done through malformed proc/sys not to mention seeing what processes are running can be a serious privacy breach.23:25
jdongit still doesn't stop me from abusing your firefox into a free-for-all worm/zombie spam server23:25
lfaraonejdong: does SELinux?23:25
jdongyes.23:25
jdong18:26 Exec: /bin/sh: Permission denied23:26
jdong18:26 -!- Irssi: process 0 (ls) terminated with return code 25523:26
jdongjdong@CLOSETMONSTER:~$ ps aux | wc -l23:26
jdong423:26
jdongI think there's more than 4 processes running on my system ;-)23:26
jdongjdong@CLOSETMONSTER:~$ su -23:26
jdongPassword:23:26
jdongls: cannot access /root: Permission denied23:26
jdongls: cannot open directory /home/jdong: Permission denied23:27
jdongsu'ing to root actually ended in a useless context that had access to neither root's home nor the original user's home :)23:28
lfaraonejdong: 18:32  m_stone$ lfaraone: you can ptrace() processes running as your same uid.23:37
lfaraonejdong: lol. I already told you, though, that /bin/su isn't executable by the world.23:37
lfaraonejdong: (in our magic rainbow situation)23:38
jdonglfaraone: but that doesn't preclude a root exploit being leveraged via another means -- you provide basically any Linux ability that your jail environment has, and as you get domains to interact with each other (which FRANKLY in the current setup -- they CAN'T) it's going to get harder and harder to balance security and intrusiveness.23:43
jdongIMO it's not a good replacement for something like the UBAC SELinux refpolicy that was just checked in @ tresys23:43
lfaraonejdong: oh yes, we're most surely going to persue a system where rainbow and SELinux complement each other.23:44
lfaraonejdong: RH sent over some of their own engineers, and even the "selinux people" couldn't think of how to make selinux do what we were trying to accomplish.23:45
jdongwell indeed SELinux is not the magic bullet for this stuff either.23:46

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!