Hi!

I installed package abcde with Synaptic and i got warnings::

While installing package abcde-2.3.3-0.pm.0:
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root
warning: user kosta does not exist - using root

What is wrong, please?

Mitja

On Sunday 06 November 2005 22:31, ajtiM wrote:
> Hi!
> I installed package abcde with Synaptic and i got warnings::
> While installing package abcde-2.3.3-0.pm.0:
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> What is wrong, please?

Nothing. Whoever created that package built it using a regular user, not root. And when you install it, rpm wants to restore the ownership to that user. But as the warning says, that user doesn't exist on your system, so rpm sets ownership to root instead, which is as it should be.

Basically it means that the person who made that package didn't know fully how to use the %files section in the rpm spec file to set the correct ownership.

Hi,

On Sun, 6 Nov 2005, ajtiM wrote:
> I installed package abcde with Synaptic and i got warnings::
> While installing package abcde-2.3.3-0.pm.0:
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> warning: user kosta does not exist - using root
> What is wrong, please?

It is written very clearly: user kosta does not exist.
But the automatic solution is OK.

Cheers -e
--
Eberhard Moenkeberg (emoenke@gwdg.de, em@kki.org)

ajtiM wrote:
> I installed package abcde with Synaptic and i got warnings::
> While installing package abcde-2.3.3-0.pm.0:
> warning: user kosta does not exist - using root
> ...
> What is wrong, please?

Nothing bad.
RPM packages include a list of files that are installed (which is,
obviously, the primary goal of RPM packages ;)).
It also stores information about access rights, owner user and owner
group. It's just a slight bug in the package, as the files have been
stored as belonging to a user named "kosta" (who is most probably the
person who made the package ;)). When installing the package, RPM also
applies a "chown kosta" on the files, notices there's no user named
"kosta" on your system and falls back to chown'ing them to root.
It just gives you a warning that it did so.
Nothing bad, will work just fine, but a small bug in the package.
Please file a bug report to Packman => packman@links2linux.de
and it will be fixed.
cheers
--
-o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
/\\
On Sunday 06 November 2005 15:41, Pascal Bleser wrote:
> ajtiM wrote:
> > I installed package abcde with Synaptic and i got warnings::
> > While installing package abcde-2.3.3-0.pm.0:
> > warning: user kosta does not exist - using root
> > ...
> > What is wrong, please?
>
> Nothing bad. RPM packages include a list of files that are installed (which is, obviously, the primary goal of RPM packages ;)).
> It also stores information about access rights, owner user and owner group. It's just a slight bug in the package, as the files have been stored as belonging to a user named "kosta" (who is most probably the person who made the package ;)). When installing the package, RPM also applies a "chown kosta" on the files, notices there's no user named "kosta" on your system and falls back to chown'ing them to root. It just gives you a warning that it did so.
> Nothing bad, will work just fine, but a small bug in the package.
> Please file a bug report to Packman => packman@links2linux.de and it will be fixed.
> cheers

Thank you very much to everyone for explanation :)

Hi:

Moreover... the bug in the package must be the following: the packager forgot to use the %defattr directive in the %files section of the spec file used to build the package, so permissions on the files were set accordingly, and not to root, as the %defattr directive should have done. As said here before, it's just a small bug in the rpm package, as long as any user called kosta exist in the system... But hey, things get worse if by chance a user called kosta does exist in the system... In that case, for example, user kosta (and *NOT* root) will own in the system *every* file within the rpm pkg, as well as every folder in their path... That means, for example, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-)

In fact, even official suse packages (which come with the distro) have had this *bug* in the past, as the packager forgets the mentioned directive. And I myself have found a beagle (not a suse one) package with this error the other day.

cheers
jorge
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-help@opensuse.org
Hi,

people got tired of all those Windows vulnerabilities, in particular spyware, which i consider very nasty. Yet, i'm writing from a Win box (with Thunderbird, at least ;) till i can choose the most practical e-mail client in KDE (either Thunderbird, or Kmail as i used before). But that is OT, and might be for another thread.

What really bothers me is what you guys pointed out: quoting Jorge:
"That means, for example, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-)"

So, suppose that someone builds rpms with those directives (%deffatr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines?
Would that be possible?
If yes, wouldn't it be a severe security flaw?? i can't believe that!!

We enjoy Linux for many reasons, and i think that at least one is to have some security integrity, not like the other OS mentioned. I wish i am wrong, and that a distributed rpm in places not as "reliable" as sourceforge, packman, etc. could not lead anyone to having his/hers Linux box compromised.

Cheers,
PatrickM

Jorge Luis Arzola wrote:
> Hi:
> Moreover... the bug in the package must be the following: the packager forgot to use the %defattr directive in the %files section of the spec file used to build the package, so permissions on the files were set accordingly, and not to root, as the %defattr directive should have done. As said here before, it's just a small bug in the rpm package, as long as any user called kosta exist in the system... But hey, things get worse if by chance a user called kosta does exist in the system... In that case, for example, user kosta (and *NOT* root) will own in the system *every* file within the rpm pkg, as well as every folder in their path... That means, for example, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-) In fact, even official suse packages (which come with the distro) have had this *bug* in the past, as the packager forgets the mentioned directive. And I myself have found a beagle (not a suse one) package with this error the other day.
> cheers
> jorge

* mop48836
> So, suppose that someone builds rpms with those directives (%deffatr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines?
> Would that be possible?
> If yes, wouldn't it be a severe security flaw?? i can't believe that!!

Which is why the _most_ rpm's are signed and their keys provided.

Please trim your quotes and refrain from top-posting.

tks
http://www.netmeister.org/news/learn2quote.html
--
Patrick Shanahan
Registered Linux User #207535
http://wahoo.no-ip.org @ http://counter.li.org
HOG # US1244711
Photo Album: http://wahoo.no-ip.org/gallery2

Patrick Shanahan wrote:
> * mop48836 [11-07-05 09:15]:
> > So, suppose that someone builds rpms with those directives (%deffatr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines?
> > Would that be possible?
> > If yes, wouldn't it be a severe security flaw?? i can't believe that!!
> Which is why the _most_ rpm's are signed and their keys provided.
> Please trim your quotes and refrain from top-posting. tks http://www.netmeister.org/news/learn2quote.html

Hi Patrick,

sorry for the top-posting, as this has been a long enough discussion. Reading from left to right, and top to bottom. Just wrote that post a little too fast, as i felt we could be concerned in something wild. I apologize. Thanks to remind the useful link, too.

About the subject: so, when rpms are signed and key provided, we can assure they are OK, that's it?
Thus, a good user practice would be to never install rpms that do not fulfill those conditions; is this correct?

Thanks,
Patrick M

mop48836 wrote:
> Patrick Shanahan wrote:
> > * mop48836 [11-07-05 09:15]:
> > > So, suppose that someone builds rpms with those directives (%deffatr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines?
> > > Would that be possible?
> > > If yes, wouldn't it be a severe security flaw?? i can't believe that!!
> > Which is why the _most_ rpm's are signed and their keys provided.
> > Please trim your quotes and refrain from top-posting. tks http://www.netmeister.org/news/learn2quote.html
> ...
> About the subject: so, when rpms are signed and key provided, we can assure they are OK, that's it?

No. But you know who has built the package, for sure (unless the key is compromised, but that's rather unlikely to happen).

- don't install RPMs that are not signed
- only use repositories you trust (packman, suser-guru, others...)
- only import signature keys (rpm --import) of repositories you trust
- if you want to be really sure, inspect every package before installation:
  - rpm -qlp <package>.rpm ==> will give you a list of the files (*)
  - rpm -qp --scripts <package>.rpm ==> will show you the pre/post-installation scripts that would be executed
  - rpm --checksig <package>.rpm ==> verifies that the package is signed and whether you have the signature(s) in your database; it also verifies the signed checksum/hash

> Thus, a good user practice would be to never install rpms that do not fulfill those conditions; is this correct?

Definitely never install packages that are not signed by someone you trust.

cheers
--
-o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
/\\
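
The ownership question raised in this thread (what happens when the packaging user does or does not exist locally) can be checked before installation, alongside the inspection commands listed above. This is an added example, not code from any poster or from the rpm project; the file listing, the passwd entries and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the file owners an RPM declares against local accounts.
# On a real system the listing would come from rpm itself, for example:
#   rpm -qp --queryformat '[%{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' <package>.rpm
# The listing and passwd entries below are constructed so the script runs offline.

# audit_owners PASSWD_FILE
# Reads "user group path" lines on stdin and prints one line per file whose
# declared owner is not root:
#   FALLBACK  no such local account; rpm warns and uses root instead
#   LOCAL     the account exists; that user will own the installed file
audit_owners() {
    passwd_file=$1
    while read -r user group path; do
        if [ -z "$path" ] || [ "$user" = root ]; then
            continue
        fi
        # Exact match on the first passwd field, so odd names cannot act as patterns.
        if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
            echo "LOCAL $user:$group $path"
        else
            echo "FALLBACK $user:$group $path"
        fi
    done
}

# Constructed listing modelled on the case in this thread (paths are assumptions).
sample_listing() {
    cat <<'EOF'
kosta users /usr/bin/abcde
kosta users /etc/abcde.conf
root root /usr/share/man/man1/abcde.1.gz
EOF
}

# demo with|without : run the audit against a constructed passwd file that
# does or does not contain an account named kosta.
demo() {
    tmp=$(mktemp)
    echo 'root:x:0:0:root:/root:/bin/bash' > "$tmp"
    if [ "$1" = with ]; then
        echo 'kosta:x:1000:100::/home/kosta:/bin/bash' >> "$tmp"
    fi
    sample_listing | audit_owners "$tmp"
    rm -f "$tmp"
}

echo "== no local account named kosta =="
demo without
echo "== local account named kosta exists =="
demo with
```

LOCAL lines are the ones to review by hand: a service account owning its own data directory is normal, while an ordinary login account owning files under /etc or /usr is the situation described earlier in the thread.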
mop48836 wrote:
...
> What really bothers me is what you guys pointed out: quoting Jorge:
> "That means, for example, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-)"

Yes, but it's also a feature when used properly, because not everything is installed as root. Especially with daemons (servers), e.g. apache: they're often using their own, unprivileged, system account (e.g. "wwwrun" for apache), and some permissions have to be set accordingly.

> So, suppose that someone builds rpms with those directives (%deffatr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines? Would that be possible?

Oh, sure, but you can do a lot of much nastier things with RPMs.
RPMs have post-installation scripts. If you build an RPM with the following in the spec file:

    %post
    /bin/rm -rf /

then, when you install that package, it will trash your system (i.e. remove all your files).

> If yes, wouldn't it be a severe security flaw?? i can't believe that!!

Yes, somehow. That's why we need good packagers, a web of trust, and that's also why packages are digitally signed.

> We enjoy Linux for many reasons, and i think that at least one is to have some security integrity, not like the other OS mentioned. I wish i am wrong, and that a distributed rpm in places not as "reliable" as sourceforge, packman, etc. could not lead anyone to having his/hers Linux box compromised.

Sure, it could. And you can't really change that, as you would have to strongly restrict RPM's
flexibility. Some RPMs also automatically create required user accounts, etc etc...
In the end, it is executing code as root. And that can punch quite a big hole in your system.
But on the other hand, it's also much required to work properly.
I don't really see a technical approach to avoid this.
cheers
--
-o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
/\\
Pascal Bleser wrote:
> Yes, somehow. That's why we need good packagers, a web of trust, and that's also why packages are digitally signed.
> Sure, it could. And you can't really change that, as you would have to strongly restrict RPM's flexibility. Some RPMs also automatically create required user accounts, etc etc...
> In the end, it is executing code as root. And that can punch quite a big hole in your system. But on the other hand, it's also much required to work properly.
> I don't really see a technical approach to avoid this.

Hi Pascal,

Thanks to your answers. So you point out the "web of trust", and that there is no technical approach to this. It's within the inherent structure of rpms, etc.

I wish we can have the web of trust you mention, and that new users have clearly in mind what rpms can do. OK, i didn't know. But spreading the word and learning might be the best approach to remain safe, under a certain degree.

Cheers,
Patrick M

mop48836 wrote:
> Pascal Bleser wrote:
> ...
> Thanks to your answers. So you point out the "web of trust", and that there is no technical approach to this. It's within the inherent structure of rpms, etc.

Yes.

> I wish we can have the web of trust you mention, and that new users have clearly in mind what rpms can do.

http://en.wikipedia.org/wiki/Web_of_trust
http://www.rubin.ch/pgp/weboftrust.en.html
Go to Linux/OSS events, meet up with people, always have a fingerprint of your public key with you,
sign the keys of people who give you their fingerprints and show their ID.
That's how to build a web of trust. And ultimately, trust people who have signed the keys of the
packagers who made the packages you're installing ;-)
cheers
--
-o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
/\\

participants (7)
- ajtiM
- Anders Johansson
- Eberhard Moenkeberg
- Jorge Luis Arzola
- mop48836
- Pascal Bleser
- Patrick Shanahan