---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of April 7th, 2003.
---------------------------------------------------------------------------

==============
1. Gentoo News
==============

Summary
-------

* Yes, it was a joke
* Portage moves to a new, more secure format

Yes, it was a joke
------------------

Last week's issue, which was conveniently delayed a day so it could be
released on April 1, contained a story about the adoption of the RPM
format for package management. The results of this April Fools' Joke were
far more successful than we had hoped for. (Some might argue it was too
successful.) Needless to say, it was a joke and the Gentoo development team
has no plans to move away from the ebuild format as its standard means of
package management.

Now please stop sending us hate mail.

Portage moves to a new, more secure format
------------------------------------------

As part of an overall effort to improve the security of Gentoo Linux, the
Portage development team is starting to implement some new features in
Portage which will allow for increased security in our package management
and distribution systems. One of the first new features that users will
notice is digests of every file involved in the merge process, including
ebuilds, patches and source tarballs. In addition to offering increased
security, these digests will help isolate and track down corrupt ebuilds
or other files on our rsync and source mirrors.

The next step in the process will be signing these digest files with a GPG
key to ensure non-repudiation. While there is still some discussion
amongst the development team on the best way to achieve this, the current
leading solution involves each developer signing ebuilds individually, and
then one master Gentoo "uberkey" signing all of the developer keys to
establish a Gentoo "web of trust". Developer keys will be made available
through public keyservers, as well as on www.gentoo.org[1].

1. http://www.gentoo.org

The goal of what has come to be known as "Secure Portage" is to provide a
robust package management system that offers end-to-end security in the
emerge process. As yet, there is no confirmed timeline on when the entire
system will become available, but the digesting portion is in testing now
and the rest will soon follow.
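
An added illustration of the per-file digest check described above (not
Portage code and not part of the newsletter): a shell sketch that records a
SHA-256 digest and size for every file in a package directory, then reports
modified, missing and unlisted files. The manifest layout, the function
names and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: per-file digest manifest for a package directory.
# The manifest layout "<sha256> <size> <path>" is an assumption made for this
# sketch; it is not Portage's on-disk digest format. Paths must not contain
# whitespace.

# Print the SHA-256 of a file as bare hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# List regular files under DIR, relative to DIR, in a stable order.
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

# make_manifest DIR: print one "<sha256> <size> <path>" line per file.
make_manifest() {
    list_files "$1" | while read -r mm_path; do
        mm_size=$(wc -c < "$1/$mm_path" | tr -d ' ')
        printf '%s %s %s\n' "$(sha256_of "$1/$mm_path")" "$mm_size" "$mm_path"
    done
}

# verify_manifest DIR MANIFEST: print findings; return 0 only if DIR matches.
verify_manifest() {
    vm_dir=$1
    vm_manifest=$2
    vm_bad=0
    # Pass 1: every manifest entry must exist with the recorded size and digest.
    while read -r vm_sum vm_size vm_path; do
        [ -n "$vm_path" ] || continue
        if [ ! -f "$vm_dir/$vm_path" ]; then
            echo "MISSING  $vm_path"
            vm_bad=1
        elif [ "$(wc -c < "$vm_dir/$vm_path" | tr -d ' ')" != "$vm_size" ] ||
             [ "$(sha256_of "$vm_dir/$vm_path")" != "$vm_sum" ]; then
            echo "MODIFIED $vm_path"
            vm_bad=1
        fi
    done < "$vm_manifest"
    # Pass 2: a file the manifest does not mention (for example an extra
    # patch) is as suspicious as a changed one.
    vm_listed=$(awk '{ print $3 }' "$vm_manifest")
    while read -r vm_path; do
        [ -n "$vm_path" ] || continue
        if ! printf '%s\n' "$vm_listed" | grep -Fqx -- "$vm_path"; then
            echo "UNLISTED $vm_path"
            vm_bad=1
        fi
    done <<EOF
$(list_files "$vm_dir")
EOF
    return "$vm_bad"
}

# Build a constructed sample package directory and print its path.
build_sample_tree() {
    bt_dir=$(mktemp -d)
    mkdir -p "$bt_dir/files"
    printf '%s\n' 'DESCRIPTION="constructed sample ebuild"' > "$bt_dir/foo-1.0.ebuild"
    printf '%s\n' '--- a/foo.c' '+++ b/foo.c' > "$bt_dir/files/foo-1.0-fix.patch"
    echo "$bt_dir"
}

# Record a manifest, then change the tree the way a bad mirror might.
demo() {
    d_tree=$(build_sample_tree)
    d_manifest=$(mktemp)
    make_manifest "$d_tree" > "$d_manifest"
    echo '# constructed modification' >> "$d_tree/foo-1.0.ebuild"
    echo 'constructed extra file' > "$d_tree/files/extra.patch"
    verify_manifest "$d_tree" "$d_manifest" || echo "tree does not match manifest"
    rm -rf "$d_tree" "$d_manifest"
}

demo
```

A manifest fetched from the same mirror as the files only catches
corruption; detecting deliberate tampering depends on the manifest itself
being authenticated, which is the purpose of the GPG signing step.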

==================
2. Gentoo Security
==================

Summary
-------

* GLSA: sendmail
* GLSA: krb5 and mit-krb5
* GLSA: openafs
* GLSA: dietlibc
* New Security Bug Reports
* gentoo-security

GLSA: sendmail
--------------

The sendmail MTA has a stack overflow vulnerability in the way that it
checks email addresses. This vulnerability could be exploited remotely to
execute a DoS attack, gain control of the sendmail server, or potentially
execute arbitrary code under the privileges of the server (typically
root).

* Severity: Critical - Potential remote root compromise.
* Packages Affected: net-mail/sendmail versions prior to sendmail-8.12.9
* Rectification: Synchronize and emerge sendmail, emerge clean.
* GLSA Announcement[2]
* Advisory[3]

2. http://forums.gentoo.org/viewtopic.php?t=44892
3. http://www.cert.org/advisories/CA-2003-12.html

GLSA: krb5 and mit-krb5
-----------------------

Multiple vulnerabilities in the krb5 and mit-krb5 implementations of the
Kerberos authentication protocol have been identified. These include a
buffer overrun that permits a DoS attack on the Kerberos administration
daemon, a chosen-plaintext attack that permits impersonation of other
principals, and buffer overrun and underrun problems that permit unusual
names and hosts (which could be used in other attacks).

* Severity: Critical - Authentication compromise.
* Packages Affected: app-crypt/krb5 versions prior to krb5-1.2.7-r2 and
  app-crypt/mit-krb5 versions prior to mit-krb5-1.2.7
* Rectification: Synchronize and emerge krb5 and/or mit-krb5, emerge
  clean.
* GLSA Announcement[4]
* Advisory[5]

4. http://forums.gentoo.org/viewtopic.php?t=44893
5. http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt

GLSA: openafs
-------------

A cryptographic weakness in Kerberos 4 permits a chosen-plaintext attack
to impersonate other principals in the realm. The openafs distributed file
system uses Kerberos 4, and is consequently vulnerable to an impersonation
attack.

* Severity: Critical - Authentication compromise.
* Packages Affected: net-fs/openafs versions prior to openafs-1.3.2-r1
* Rectification: Synchronize and emerge openafs, emerge clean.
* GLSA Announcement[6]
* Advisory[7]

6. http://forums.gentoo.org/viewtopic.php?t=44890
7. http://www.openafs.org/pages/security/OPENAFS-SA-2003-001.txt

GLSA: dietlibc
--------------

The xdrmem_getbytes() function included in dietlibc contains an integer
overflow vulnerability that could be used by a remote attacker to execute
an RPC call that permits an exploit on the vulnerable service.

* Severity: High - Remote service exploit.
* Packages Affected: dev-libs/dietlibc versions prior to dietlibc-0.22-r1
* Rectification: Synchronize and emerge dietlibc, emerge clean.
* GLSA Announcement[8]
* Advisory[9]

8. http://forums.gentoo.org/viewtopic.php?t=44894
9. http://www.eeye.com/html/Research/Advisories/AD20030318.html

New Security Bug Reports
------------------------

There were no new security bugs this week that are still outstanding.

gentoo-security
---------------

Marcus Martin posted an idea[10] about including "emerge security"
functionality that would automatically update packages for which a GLSA
had been released. This prompted a fair bit of discussion, with the
consensus being that it was a good idea (albeit one that might not be
trivially easy to implement) and had already been documented as bug
#5835[11].

10. http://marc.theaimsgroup.com/?l=gentoo-security&m=104920408624890&w=2
11. http://bugs.gentoo.org/show_bug.cgi?id=5835

Chris Frey posted[12] a script for providing a set of md5sums on the
master portage server to allow gentooers to check for trojaned ebuilds.
This was proposed as a stopgap measure while we wait for signed ebuilds.
The post prompted some discussion, including criticism that it might
overburden servers and their administrators as well as potentially
redirect developer resources from a more robust final solution in portage.
The discussion was brought to a conclusion by Nicholas Jones' post[13]
which pointed out that the problem was moot because we would begin to see
a solution as early as portage-2.0.47.

12. http://marc.theaimsgroup.com/?l=gentoo-security&m=104873935409280&w=2
13. http://marc.theaimsgroup.com/?l=gentoo-security&m=104879793011018&w=2

=================================
3. Featured Developer of the Week
=================================

Seth Chandler

Everyone likes to complain about how slow OpenOffice[14] is, but it's
still one of the most full-featured and MS Office-compatible suites out
there. This week's featured developer, Seth Chandler[15], is in charge of
the openoffice and openoffice-bin packages, and also maintains keychain,
writes some docs, and is also one of the three PPC co-leads. His primary
duty - fixing bugs that crop up with OpenOffice - takes up most of his
time, but he also helps take up the slack when other developers go
missing. Seth began using Gentoo about two years ago, and was invited to
the Gentoo development team five months ago by Spanky, whom he knew from
school, because they needed someone to be in charge of OpenOffice. Through
his work with Gentoo, he has become a regular of IRC channels and mailing
lists related to OpenOffice, and has been contributing to OpenOffice's
IssueZilla[16] because Gentoo's bleeding-edge nature means that problems
are often noticed here before they are on other distributions.

14. http://www.OpenOffice.org/
15. sethbc@g.o
16. http://www.openoffice.org/project_issues.html

During the day, Seth is a student at Worcester Polytechnic Institute[17],
and will go to Cornell Law School once he graduates. His three computers
(a Dual P3, a Dual Athlon MP 2100, and a 15.2-inch Powerbook) all run
Gentoo, although the Mac dual boots with OS X. He runs Waimea-cvs and
qmail on all of his boxen, and his favorite apps include gaim-cvs,
xchat-2, kmail, aterm, and gkrellm. Both of his x86 machines run the
latest sources, which at the time of the interview was 2.5.65-mm2, but
when he's feeling spicy he'll run off a live BitKeeper repo.

17. http://www.wpi.edu/

Seth is a member of the Atlanta Braves[18] ground crew and has been
enjoying working down there for 15 years; his father is the team doctor.
He says he goes to school in the offseason.

18. http://atlanta.braves.mlb.com/

=========================
4. Heard In The Community
=========================

Web Forums
----------

Slithering Along the Bleeding Edge

The development tree of the Linux kernel is advancing towards 2.6 rapidly,
and several threads in the forums are making clear that Gentooists are
pretty much following the development as closely as possible. Not without
the occasional problem, apparently...

* development kernel 2.5.66 what works / doesn't work for you?[19]
* Patches for mm-sources 2.5.66r3[20]

19. http://forums.gentoo.org/viewtopic.php?t=44859
20. http://forums.gentoo.org/viewtopic.php?t=45637

Best April Fool's Joke Ever

Check the first link in our list: The forums had actually predicted that
this would happen... But the threat of Portage's disappearance hit a nerve
in many faithful Gentoo users, and many went into shock for anything
between a split second and several hours. They shouted abuse at their
screens or room mates, and threatened to start deleting their portage tree
before it dawned on them: They'd been had... And amidst the outrage over
Gentoo's alleged move to RPM, only a handful of Germans found the second
false news in last week's GWN.

* No GWN today?[21]
* Portage 2.1 moving to RPM[22]
* emerge -> rpm?[23] (German)
* Portage 2.1 e lsb[24] (Italian)
* Gentoo basé sur les rpm ???[25] (French)

21. http://forums.gentoo.org/viewtopic.php?t=44880
22. http://forums.gentoo.org/viewtopic.php?t=44980
23. http://forums.gentoo.org/viewtopic.php?t=45028
24. http://forums.gentoo.org/viewtopic.php?t=45646
25. http://forums.gentoo.org/viewtopic.php?t=45039

gentoo-user
-----------

Gentoo Corporate Usage?

With over 60 responses so far, this week's busiest thread on gentoo-user
asks about companies (preferably large ones) that are using Gentoo in a
production environment. Many people responded indicating they didn't feel
Gentoo was appropriate for a production environment, noting too many
problems with their own personal systems. Others indicated that Gentoo ran
quite happily in a production role, often serving upwards of 150,000
clients. The responses are obviously quite varied and, in many cases,
off-topic, but the thread does contain quite a few interesting insights
into the trials and tribulations of using Gentoo Linux in a production
environment.

* Survey: Gentoo Corporate Usage?[26]

26. http://marc.theaimsgroup.com/?t=104930176600004&r=3&w=2

Package management for non-ebuild software

Jan Drugowitsch asked about managing software packages installed outside
of Portage on a Gentoo Linux system. Responses were varied and helpful,
pointing to several open source projects which might fit the bill.

* Package management for non-ebuild software[27]

27. http://marc.theaimsgroup.com/?l=gentoo-user&w=2&r=1&s=package+management+for+non-ebuild&q=b

gentoo-dev
----------

Portage Programming Question

Robin H. Johnson asked[28] about the availability of some documentation on
the Portage DB API, and he received a nice surprise when he was told to
type python [RETURN] help() [RETURN] portage to get to Python's
interactive help.

28. http://marc.theaimsgroup.com/?l=gentoo-dev&m=104900613027231&w=2

ACCEPT_KEYWORDS="~arch" equivalent?

Jani Monoses was wondering[29] if there is a simpler solution than typing
the long ACCEPT_KEYWORDS="~arch" emerge package_name. Thomas M. Beaudry
chipped in[30] with the suggestion to use Bash aliases (see man bash).
Another Thomas contributed[31] his alias definition:
alias expmerge='ACCEPT_KEYWORDS="~x86" emerge'.

29. http://marc.theaimsgroup.com/?l=gentoo-dev&m=104877565711737&w=2
30. http://marc.theaimsgroup.com/?l=gentoo-dev&m=104877651312869&w=2
31. http://marc.theaimsgroup.com/?l=gentoo-dev&m=104877594312098&w=2

=======================
5. Gentoo International
=======================

A French Meta-Project for the Meta-Distribution

Gentoo France is re-emerging itself: After the establishment of
gentoofr.org[32] in July last year (and carefully maintaining their good
relations with the older project), a new organisation founded by Baptiste
Simon, Guillaume Morin and Mark Krauth called frgentoo.net is now
gathering supporters and activists willing to help with a new initiative
for French translations of Gentoo documentation and tutorials, organising
IRC channels and mailing lists, and generally wanting to round up more
than just the usual suspects. The new club wants to provide a whole range
of services around Gentoo Linux in France, and is determined to do things
right by the community from day one. frgentoo's first elections for all
posts in the association are going to be held by the end of the month;
candidate submissions for coordinator and project leader roles are
possible until 11 April, with the elections to be held by electronic vote
between 14 and 20 April.

32. http://gentoofr.org/

International Event Calendar

While the Köln-Bonn community is still publicly discussing the agenda for
their first meeting, two events in the US have emerged at somewhat shorter
notice:

* USA: The University of Southern Mississippi in Hattiesburg is having a
  "Gentoo Saturday" on 12 April. Development kernel performance and general
  installation help will be at the center of the event, held on the
  University's campus in the Bobby Chain Technology Building, Room 202
  from 10:00 to 14:00. Check the corresponding forum thread[33];
  further details are here[34].

* USA: If you happen to live in places with names like Metuchen, Old
  Bridge or Hackensack, the first meeting of the New Jersey Gentoo Linux User
  Group may well be what you've been waiting for. The happy NJ-GLUG lot has
  agreed on the Cafe52 on Easton Avenue in New Brunswick as their venue for
  the initial get-together, on 16 April at 20:00. Coordination for this
  meeting is done via this forum thread[35].

* Germany: 14 May is now the official date for Gentoo users in the
  Köln/Bonn region, and now they also have decided on a time (17:00) and a
  venue: Hellers Brauhaus, Roonstrasse. Tell the others about your intentions
  to come right here[36].

33. http://forums.gentoo.org/viewtopic.php?t=45616
34. http://www.99b.org/lug/gentoo.html
35. http://forums.gentoo.org/viewtopic.php?t=42874
36. http://forums.gentoo.org/viewtopic.php?t=40510

================
6. Portage Watch
================

The following stable packages were added to portage this week
-------------------------------------------------------------

* app-games/tetrix : A GNU TetriNET server
  http://tetrinetx.sourceforge.net/

Updates to notable packages
---------------------------

* sys-apps/portage - portage-2.0.47-r13.ebuild;
* sys-kernel/* - gs-sources-2.4.21_pre6.ebuild;
  hardened-sources-2.4.20.ebuild; mm-sources-2.5.66-r2.ebuild;
  mm-sources-2.5.66-r3.ebuild; ppc-sources-2.4.20-r4.ebuild;
  selinux-sources-2.4.20-r3.ebuild; sparc-sources-2.4.20-r7.ebuild;

New USE variables
-----------------

* debug - Tells configure and the makefiles to build for debugging.
  Effects vary across packages, but generally it will at least add -g to
  CFLAGS. Remember to set FEATURES+=nostrip too.
* emacs - Adds support for GNU Emacs

===========
7. Bugzilla
===========

Summary
-------

* Statistics
* Closed Bug Rankings
* New Bug Rankings

Statistics
----------

The Gentoo community uses Bugzilla (bugs.gentoo.org[37]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. In the last 7 days, activity on the site has resulted
in:

37. http://bugs.gentoo.org

* 288 new bugs this week
* 751 bugs closed or resolved this week
* 3 previously closed bugs were reopened this week.
* 2386 total bugs currently marked 'new'
* 450 total bugs currently assigned to developers

There are currently 2895 bugs open in bugzilla. Of these: 63 are labeled
'blocker', 107 are labeled 'critical', and 227 are labeled 'major'.

Closed Bug Rankings
-------------------

The developers and teams who have closed the most bugs this week are:

* The Gnome Team[38], with 64 closed bugs[39]
* Daniel Robbins[40], with 29 closed bugs[41]
* Nick Hadaway[42], with 28 closed bugs[43]
* George Shapovalov[44], with 26 closed bugs[45]
* Martin Schlemmer[46], with 21 closed bugs[47]
* Martin Holzer[48], with 21 closed bugs[49]

38. gnome@g.o
39. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2003-03-28&chfieldto=Now&resolution=FIXED&assigned_to=gnome%40gentoo.org
40. drobbins@g.o
41. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2003-03-28&chfieldto=Now&resolution=FIXED&assigned_to=drobbins%40gentoo.org
42. raker@g.o
43. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2003-03-28&chfieldto=Now&resolution=FIXED&assigned_to=raker%40gentoo.org
44. george@g.o
45. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2003-03-28&chfieldto=Now&resolution=FIXED&assigned_to=george%40gentoo.org
46. azarah@g.o
47. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2003-03-28&chfieldto=Now&resolution=FIXED&assigned_to=azarah%40gentoo.org
48. mholzer@g.o
49. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2003-03-28&chfieldto=Now&resolution=FIXED&assigned_to=mholzer%40gentoo.org

New Bug Rankings
----------------

The developers and teams who have been assigned the most new bugs this
week are:

* Nick Hadaway[50], with 23 new bugs[51]
* Martin Schlemmer[52], with 19 new bugs[53]
* The x86-kernel Team[54], with 17 new bugs[55]
* Matthew Kennedy[56], with 16 new bugs[57]
* Bob Johnson[58], with 15 new bugs[59]

50. raker@g.o
51. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2003-03-28&chfieldto=Now&=&assigned_to=raker%40gentoo.org
52. azarah@g.o
53. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2003-03-28&chfieldto=Now&=&assigned_to=azarah%40gentoo.org
54. x86-kernel@g.o
55. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2003-03-28&chfieldto=Now&=&assigned_to=x86-kernel%40gentoo.org
56. mkennedy@g.o
57. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2003-03-28&chfieldto=Now&=&assigned_to=mkennedy%40gentoo.org
58. livewire@g.o
59. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2003-03-28&chfieldto=Now&=&assigned_to=livewire%40gentoo.org

==================
8. Tips and Tricks
==================

Changing File Attributes

This week's tip explains how to use chattr to keep important system files
secure. The "change attribute" command, or chattr, can be used to add or
change existing file attributes for things such as synchronous updates,
tighter file security, and more. However, this command is only available
on ext2 or ext3 partitions.

Common attributes and their associated flags are listed below. For a more
complete list see man chattr.

* (A) Don't update atime
* (S) synchronous updates
* (a) append only
* (d) no dump
* (i) immutable
* (j) data journalling
* (t) no tail-merging

The 'j' option can only be used with ext3. The 'j', 'a' and 'i'
options are only available to the superuser.

First make sure that you have chattr installed by emerging e2fsprogs.

---------------------------------------------------------------------------
Code Listing 8.1: Installing Required Files
---------------------------------------------------------------------------

# emerge e2fsprogs

---------------------------------------------------------------------------

To set attributes on files, use the chattr command and to view attributes,
use the lsattr command.

---------------------------------------------------------------------------
Code Listing 8.2: Examples of using chattr and lsattr
---------------------------------------------------------------------------

(Set the immutable bit on a file so it cannot be changed or removed)
# chattr +i myfile
# lsattr myfile
----i-------- myfile
(Testing the immutable flag by attempting to delete the file)
# rm myfile
rm: cannot remove `myfile': Operation not permitted
(Clear the immutable bit again, then set myfile to append-only)
# chattr -i myfile
# chattr +a myfile
# lsattr myfile
-----a------- myfile
# echo testing > myfile
myfile: Operation not permitted
# echo testing >> myfile
(no errors - file was appended to)

---------------------------------------------------------------------------

One case where this is useful is keeping important files safe
from deletion. Remember that even root can't delete a file that is
immutable or append-only without first explicitly removing that attribute.
Using this flag on /etc/passwd or /etc/shadow files keeps them safe from
an accidental rm -f and also ensures no new accounts can be added in the
event of an exploit. Keeping other files append-only means once they are
written, that data can't be changed. Logs are a good candidate for this to
keep them from being tampered with. With chattr and lsattr, you now have a
few new tools to keep your system secure.
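
Because root can clear these attributes again, it is worth checking that
they are still set. The following added example (not part of the original
tip) compares lsattr output with a list of expected flags; the policy, the
function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that files still carry the attributes a policy expects.
# POLICY and the sample lsattr listings are constructed for illustration.
# Paths must not contain whitespace.

# One "<flag> <path>" pair per line: i = immutable, a = append-only.
POLICY='i /etc/passwd
i /etc/shadow
a /var/log/messages'

# Constructed lsattr output for a host where the policy holds ...
LISTING_OK='----i-------- /etc/passwd
----i-------- /etc/shadow
-----a------- /var/log/messages'

# ... and for one where two of the flags have been cleared.
LISTING_DRIFT='------------- /etc/passwd
----i-------- /etc/shadow
------------- /var/log/messages'

# audit_attrs POLICY LISTING
# Prints one finding per unmet policy line; returns 0 only if all are met.
audit_attrs() {
    aa_listing=$2
    aa_bad=0
    while read -r aa_want aa_path; do
        [ -n "$aa_path" ] || continue
        # Flag field lsattr printed for exactly this path (empty if absent).
        aa_have=$(printf '%s\n' "$aa_listing" |
            awk -v p="$aa_path" '$2 == p { print $1; exit }')
        case $aa_have in
            "")
                echo "NOT-LISTED $aa_path"
                aa_bad=1
                ;;
            *"$aa_want"*)
                # Required flag is present; the match is case-sensitive, so
                # 'A' (no atime) never satisfies a policy that asks for 'a'.
                ;;
            *)
                echo "UNSET +$aa_want $aa_path"
                aa_bad=1
                ;;
        esac
    done <<EOF
$1
EOF
    return "$aa_bad"
}

# collect_attrs POLICY: run lsattr -d on every policy path (live systems).
# A path lsattr cannot read is left out and later reported as NOT-LISTED.
collect_attrs() {
    while read -r ca_want ca_path; do
        [ -n "$ca_path" ] || continue
        lsattr -d "$ca_path" 2>/dev/null || true
    done <<EOF
$1
EOF
    return 0
}

# Offline demonstration on the constructed listing with cleared flags.
audit_attrs "$POLICY" "$LISTING_DRIFT" || echo "attribute drift detected"
```

On a live system, run audit_attrs "$POLICY" "$(collect_attrs "$POLICY")" as
root. Keep in mind that tools such as passwd and useradd fail on an
immutable /etc/passwd until the flag is cleared.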

==========================
9. Moves, Adds and Changes
==========================

Moves
-----

The following developers recently left the Gentoo team:

* Peter Brown (rendhalver)

Adds
----

The following developers recently joined the Gentoo Linux team:

* Makoto Yamakura (yakina) -- Japanese documentation
* Peter Bilitch (hsinhsin) -- Gentoo documentation
* John Mylchreest (johnm) -- Gentoo documentation
* Joe Kallar (blademan) -- Sparc documentation
* Ashton Mills (martigen) -- Gentoo documentation
* Thomas Pedley (shallax) -- Gentoo xbox
* Robin Johnson (robbat2) -- ufed, mysql, php

Changes
-------

The following developers recently changed roles within the Gentoo Linux
project.

* none this week

=====================
10. Contribute to GWN
=====================

Interested in contributing to the Gentoo Weekly Newsletter? Send us an
email[60].

60. gwn-feedback@g.o

================
11. GWN Feedback
================

Please send us your feedback[61] and help make GWN better.

61. gwn-feedback@g.o

===================
12. Other Languages
===================

The Gentoo Weekly Newsletter is also available in the following languages:

* Dutch[62]
* English[63]
* German[64]
* French[65]
* Japanese[66]
* Italian[67]
* Portuguese (Brazil)[68]
* Portuguese (Portugal)[69]
* Spanish[70]

62. http://www.gentoo.org/news/be/gwn/gwn.xml
63. http://www.gentoo.org/news/en/gwn/gwn.xml
64. http://www.gentoo.org/news/de/gwn/gwn.xml
65. http://www.gentoo.org/news/fr/gwn/gwn.xml
66. http://www.gentoo.org/news/ja/gwn/gwn.xml
67. http://www.gentoo.org/news/it/gwn/gwn.xml
68. http://www.gentoo.org/news/br/gwn/gwn.xml
69. http://www.gentoo.org/news/pt/gwn/gwn.xml
70. http://www.gentoo.org/news/es/gwn/gwn.xml


Kurt Lieber <klieber@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Contributor
Brice Burgess <nesta@×××××××.net> - Contributor
Yuji Carlos Kosugi <carlos@g.o> - Contributor
Rafael Cordones Marcos <rcm@×××××××.net> - Contributor
David Narayan <david@×××××××.net> - Contributor
Ulrich Plate <plate@g.o> - Contributor
Peter Sharp <mail@××××××××××××××.net> - Contributor
Kim Tingkaer <kim@×××××××.dk> - Contributor
Mathy Vanvoorden <matje@×××××××.be> - Dutch Translation
Tom Van Laerhoven <tom.vanlaerhoven@××××××.be> - Dutch Translation
Peter Dijkstra <phj.dijkstra@××××.nl> - Dutch Translation
Bernard Bernieke <bernieke@××××××××.com> - Dutch Translation
Vincent Verleye <zu@×××××××.be> - Dutch Translation
Jochen Maes <linux@××××.be> - Dutch Translation
Ben De Groot <yngwin@××××××.nl> - Dutch Translation
Jelmer Jaarsma <j.jaarsma@××××××××××××××××××.nl> - Dutch Translation
Nicolas Ledez <nicolas.ledez@××××.fr> - French Translation
Guillaume Plessis <gui@×××××××××.com> - French Translation
John Berry <anfini@××××.fr> - French Translation
Martin Prieto <riverdale@×××××××××.org> - French Translation
Michael Kohl <citizen428@g.o> - German Translation
Steffen Lassahn <madeagle@g.o> - German Translation
Matthias F. Brandstetter <haim@g.o> - German Translation
Thomas Raschbacher <lordvan@g.o> - German Translation
Klaus-J. Wolf <yanestra@×××.de> - German Translation
Marco Mascherpa <mush@××××××.net> - Italian Translation
Claudio Merloni <paper@×××××××.it> - Italian Translation
Daniel Ketel <kage-chan@g.o> - Japanese Translation
Yoshiaki Hagihara <hagi@×××.com> - Japanese Translation
Andy Hunne <andy@×××××××××.com> - Japanese Translation
Yuji Carlos Kosugi <carlos@g.o> - Japanese Translation
Yasunori Fukudome <yasunori@××××××××××××××××.uk> - Japanese Translation
Ventura Barbeiro <venturasbarbeiro@××××××.br> - Portuguese (Brazil) Translation
Bruno Ferreira <blueroom@××××××××××××.net> - Portuguese (Portugal) Translation
Gustavo Felisberto <gustavo@××××××××××.net> - Portuguese (Portugal) Translation
Ricardo Jorge Louro <rjlouro@×××××××.org> - Portuguese (Portugal) Translation
Lanark <lanark@××××××××××.ar> - Spanish Translation
Rafael Cordones Marcos <rcm@×××××××.net> - Spanish Translation
Julio Castillo <julio@×××××××××××××.com> - Spanish Translation
Sergio Gómez <s3r@××××××××××××.ar> - Spanish Translation
Pablo Pita Leira <pablo.leira@×××××××××.com> - Spanish Translation
Carlos Castillo <carlos@×××××××××××××.com> - Spanish Translation
Tirant <tirant@×××××.net> - Spanish Translation
Jaime Freire <jfreire@××.com> - Spanish Translation
Lucas Sallovitz <krusty_ar@×××××.com> - Spanish Translation