Hello,
inspired by the thread "Want to could use /dev/ttyS0 as user" on the
opensuse-factory mailing list, I tried to figure out whether access
to /dev/ttyS0 can be granted by HAL/resmgr (since this works fine with the
alsa devices). According to /etc/hal/fdi/policy/90osvendor/80-resmgr.fdi,
access to serial devices should be granted to "members" of the resmgr modem
class (desktop users are not "member" of this class by default).
But using 10.3, I cannot even find any serial device via HAL:
jan@karl:~> hal-find-by-capability --capability serial
jan@karl:~>
Obviously, udev recognizes my /dev/ttyS0:
jan@karl:~> udevinfo --query=all --name=/dev/ttyS0
P: /devices/platform/serial8250/tty/ttyS0
N: ttyS0
I do not need access to /dev/ttyS0, but I do want to learn more about
HAL. :)
Regards
Jan
--
A fail-safe circuit will destroy all others.
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security+help(a)opensuse.org
This question is not entirely security related but it is a consequence of
providing an updated kernel for 11.0.
I am looking for the corresponding kernel-default-debuginfo for
http://download.opensuse.org/update/11.0/rpm/x86_64/kernel-default-2.6.25.9…
I have been unable to locate this package and without it, I cannot use
makedumpfile, crash or systemtap with the updated kernel.
I would prefer to use the updated kernel rather than the original one from the
11.0 media or a self-compiled kernel just to get debuginfo symbols.
Hi all,
I've just upgraded to openSuSE 11.0 and my freeradius server now seems to be
broken. It seems to be listening for auth requests on a random port instead
of UDP 1812. I've done a bit of digging on the net and as far as I can see,
the issue occurs in a number of other distributions but there doesn't seem to
be a fix for it.
Has anyone else seen this problem on openSuSE? Is there a fix available, or
should I just go back to v1.1.7? I've appended some debug output below.
Cheers,
Neil
# radiusd -X
FreeRADIUS Version 2.0.3, for host x86_64-unknown-linux-gnu, built on Jun 7
2008 at 04:26:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "nobody"
group = "nobody"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client 127.0.0.1 {
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 192.168.x.x/32 {
require_message_authenticator = no
secret = "xxxxx"
shortname = "Weasel-AP"
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/xxx.pem"
certificate_file = "/etc/raddb/certs/xxx.pem"
CA_file = "/etc/raddb/certs/xxx.pem"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
check_cert_cn = "%{User-Name}"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-
Address,NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-
Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 5409
Listening on accounting address * port 18126
Ready to process requests.
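A check for the symptom reported in the message above, as an added example that is not part of the original post or of FreeRADIUS: it compares the ports echoed in the `listen { }` sections of `radiusd -X` output with the ports in the `Listening on` lines. It assumes `port = 0` stands for the standard service port (1812 for auth, 1813 for acct); the function names are hypothetical.

```python
import re

# Standard RADIUS ports (RFC 2865 auth, RFC 2866 accounting).
# Assumption: a configured "port = 0" means "use the standard service port".
DEFAULT_PORTS = {"auth": 1812, "acct": 1813}
# Listener names as they appear in the "Listening on ..." lines.
KIND = {"authentication": "auth", "accounting": "acct"}

LISTEN_BLOCK = re.compile(r"\blisten\s*\{(.*?)\}", re.S)
SETTING = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)
BOUND = re.compile(r"Listening on (\w+) address \S+ port (\d+)")

def configured_ports(debug_output):
    """Map listener type -> port requested in the echoed listen { } sections."""
    expected = {}
    for body in LISTEN_BLOCK.findall(debug_output):
        cfg = dict(SETTING.findall(body))
        kind = cfg.get("type")
        if kind in DEFAULT_PORTS:
            expected[kind] = int(cfg.get("port", "0")) or DEFAULT_PORTS[kind]
    return expected

def bound_ports(debug_output):
    """Map listener type -> port the daemon reports it actually bound."""
    return {KIND[name]: int(port)
            for name, port in BOUND.findall(debug_output) if name in KIND}

def port_mismatches(debug_output):
    """Return (type, expected, actual) for every listener on the wrong port."""
    expected = configured_ports(debug_output)
    actual = bound_ports(debug_output)
    return [(kind, port, actual.get(kind))
            for kind, port in sorted(expected.items())
            if actual.get(kind) != port]

# Tail of the `radiusd -X` output quoted in the message above.
SAMPLE = """\
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 5409
Listening on accounting address * port 18126
"""

if __name__ == "__main__":
    for kind, want, got in port_mismatches(SAMPLE):
        print(f"{kind}: configured {want}, bound {got}")
```

An empty result means every listener is bound where the configuration asked for it, which makes the check usable as a post-upgrade smoke test before NAS clients are pointed at the server.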
Dear users of fou4s,
For those who don't know, fou4s stands for "Fast OnlineUpdate for SuSE",
so it is an alternative implementation to YOU.
It was built in the days when you had to start YaST and click 5
times with some waiting in between to get your updates.
The situation has become much better lately, but fou4s still has some nice
features (such as nice and colored console output, automatic downloading
with email-notification and powerful filters).
Finally, I have a working version with support for openSUSE 11.0.
Please note the following restrictions before downloading:
* Signature checking may not be performed
* Reboot notifications may not work as expected (former pre-install
info)
* Self-Update to newer versions is not yet tested (I need to put
appropriate XML files on my server to make this work)
* Performance is not great and should improve soon
* The package which is available for download DOES NOT WORK ON OLDER
SUSE RELEASES due to a changed compression algorithm
* Dependency resolving is not implemented (and probably will never be,
but there are only very few updates which change dependencies)
But on the plus-side I have now some multi-core/SMP support :)
Delta-RPMs are working fine, patch-rpms are not supported (but I don't
think they are offered anymore anyway). Error handling needs some work but
most things are done.
RPM download:
http://fou4s.gaugusch.at/beta/fou4s-0.15.0-0.8.noarch.rpm
Homepage:
http://fou4s.gaugusch.at/
regards,
Markus Gaugusch
PS: I use the smart package manager for all other package updates. Only
two things keep me from using it for updates: delta RPMs and update
descriptions. So as long as this is missing in smart (or I don't know that
it exists ;) there will be a working fou4s version. I promise :)
--
__________________ /"\
Markus Gaugusch \ / ASCII Ribbon Campaign
markus(at)gaugusch.at X Against HTML Mail
/ \
On Jul 12, Gar Ulbricht <garulbricht7(a)netscape.net> wrote:
> Hi Markus et al,
>
> I have been using fou4s since I installed SuSE-8.0 many years ago.
> It has been my up-dater of choice (I do use YaST2 from time to time,
> and I am using "openSUSE updater" as well as the SUSE security list
> to know when patches are available), but fou4s is my first "go to"
> for updating as I feel I am in control of what patches I accept
> and which I don't.
Hi!
I have done some work on 11.0 but it's not ready yet. But requests such as
yours are really motivating me :)
The biggest problem seems to be some link between the primary.xml and
updateinfo.xml (except for the filenames).
Markus
--
__________________ /"\
Markus Gaugusch \ / ASCII Ribbon Campaign
fou4s(at)gaugusch.at X Against HTML Mail
/ \
On 2008-07-15 at 17:10 +0200, Ludwig Nussel wrote:
> Several news sites recently published articles citing a report about
> attacks on package managers [1]. Some unfortunately chose a wording
> that could be misunderstood as if a rogue mirror server could trick
> YaST into installing malicious software when applying regular
> (security-)updates.
>
> This is not the case. All official update repositories for SUSE
> Linux based products use cryptographically signed packages and meta
> data. YaST verifies the cryptographic signatures and rejects any
> file whose signature doesn't match. Therefore it's not possible for
> a rogue mirror to introduce malicious software.
Question, please:
when a user adds a repository, he is asked to add its key first. Where
from is this key imported, from the repository itself, from a central
repo, or from the chain of HKP keyservers? Usually we simply click
"accept", as there is no clear method of checking, trusting, and importing
the key except by clicking "accept" when the repo is added. Perhaps Yast,
or zypper, should include a key management module.
Once the correct key is imported, it is obvious that a rogue repo would be
detected. The problem IMO (I haven't read the report) is the key import
phase. I understand you have a person studying this precise problem, so it
will be nice to learn the conclusions :-)
--
Regards
Carlos E.R.
Ludwig Nussel wrote on [security-announce] "Package management security
on SUSE Linux" on Tue, 15 Jul 2008 17:10:52 +0200 (Reference:)
<http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00005.html>
>
> Dear openSUSE and SUSE Linux Enterprise users,
>
> Several news sites recently published articles
> citing a report about attacks on package managers.
> Some unfortunately chose a wording
> that could be misunderstood as if a rogue mirror server
> could trick YaST into installing malicious software
> when applying regular (security-) updates.
>
> This is not the case.... (snip)
>
----- <Ludwig Nussel's comments heavily trimmed >----
Dear Ludwig,
Thank you for taking the time to post your comments
on the (Novell) [security-announce] list
regarding "Package management security...".
I had seen the original University of Arizona CS article
(as you referenced in your footnote) and as cited
in either slash-dot or digg (or maybe both)
and it was good to get your take
on the "Stork project" research.
Thanks again.
On Tue, Jul 15, 2008 at 06:45:10PM +0000, opensuse-security-announce(a)opensuse.org wrote:
> Hello,
Please mail this to opensuse-security(a)opensuse.org, not -announce.
-announce is moderated.
> Yast autoupdate fails installing freetype2. Message is:
> Failed to mount cd:///?devices=/dev/sr0 on /var/adm/mount/AP_0x00000080:
> No medium found (mount: No medium found) Problem beim Laden von Daten
> von: Failed to mount cd:///?devices=/dev/sr0 on
> /var/adm/mount/AP_0x00000080: No medium found (mount: No medium found) .
> My system:
> uname -a
> Linux AMD64 2.6.22.18-0.2-default #1 SMP 2008-06-09 13:53:20 +0200
> x86_64 x86_64 x86_64 GNU/Linux
Your openSUSE CD is not in the drive. If you do not use the CD, disable
this repository.
Ciao, Marcus
Hello everyone!
I have used OpenSuse since v9.0 and sometimes I needed to disable SuseFirewall and used
the "iptables" script from RedHat. It worked fine, but I have trouble with
OpenSuse 10.3. Of course I disabled Susefirewall from Yast and checked with
chkconfig:
# chkconfig |grep wall
SuSEfirewall2_init off
SuSEfirewall2_setup off
Then I copied my script and enabled:
# chkconfig iptables on
# chkconfig -l iptables
iptables 0:off 1:off 2:off 3:on 4:off 5:on 6:off
But my script didn't work at boot time. And the rules were discarded when I
used "ifup dsl0" for VPN.
The last thing is the most annoying.
When I run my script manually :
/etc/init.d/iptables start
everything is okay.
Why does SuseFirewall work?
What should I do?
Is it a bug?
--
Faithfully yours, Vladislav.
Key fingerprint = 67CC FA3F 5018 1300 010D 6C26 796D 3965 7B04 2EC6
Hi Markus et al,
I have been using fou4s since I installed SuSE-8.0 many years ago.
It has been my up-dater of choice (I do use YaST2 from time to time,
and I am using "openSUSE updater" as well as the SUSE security list
to know when patches are available), but fou4s is my first "go to"
for updating as I feel I am in control of what patches I accept
and which I don't.
Now, I just bought openSUSE-11.0 and I am getting ready to install it.
____ Do you know if fou4s works with openSUSE-11.0 ____
The last note on your web page says:
# For 10.3 you need to set Server=http://download.opensuse.org/
# in your fou4s.conf.
<http://fou4s.gaugusch.at/>
And that's what I did and fou4s is working for openSUSE-10.3.
I would suspect I need to do something similar for openSUSE-11.0,
but what is your experience ???
Best Regards,
Gar