Gentoo Weekly Newsletter: June 9th, 2003
Announcing Gentoo on MacOS X
We're pleased to announce that the Gentoo platform will soon be available for MacOS X. This means that users will be able to enjoy the power and simplicity of the Gentoo platform and Portage where they happen to be, on the operating system they are currently using -- even if that operating system isn't GNU/Linux. We want to give our users more choices than anyone else, including the ability to use non-GNU operating systems and non-Linux kernels if they have that particular requirement or desire.
We are currently getting our infrastructure ready (mailing lists, project page, etc.) for this project and integrating Portage for MacOS X into our mainline Portage sources. News about further developments will be posted on the Gentoo news page as well as in future editions of the GWN.
Hardened Gentoo demonstrates SELinux
Hardened Gentoo is proud to announce that we have made available a machine to demonstrate some of our technology. The machine is available via ssh to illustrate SELinux, an advanced mandatory access control system. We are providing this to everyone to show the significance of the work we are doing.
What this machine is:
- A Gentoo installation secured with SELinux, running several daemons for testing in a production environment.
What this machine is not:
- A chrooted installation
- A uml installation
- A userland restricted shell (i.e. rbash)
- A honeypot/honeynet
- A completely useless and stripped down machine
- Impervious to DoS attacks (don't DoS or forkbomb, it doesn't do anything except annoy people and stop others from enjoying the machine)
- A workstation; the main focus is on servers, running selinux on desktops is possible, but not currently supported
Note: root is a real user with UID=0, nothing in addition to SELinux has been used to secure this machine so that we can demonstrate how SELinux works. Feel free to try and obtain higher access on the machine, and take a look at dmesg to see the denials when they occur.
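As an added illustration (example code, not something from the Hardened Gentoo project or the demo machine), the following shell snippet summarises the AVC denials that dmesg shows on such a box, so a reviewer can see which source domain is being refused which permission on which target type; the sample dmesg lines are constructed and the field names are assumed from the kernel's AVC message layout.

```shell
#!/bin/sh
# Added example for this GWN item; not part of the Hardened Gentoo demo machine.
# Summarises SELinux AVC denials as they appear in dmesg: one line per distinct
# (permission, source context, target context, class), most frequent first.
# The sample log below is constructed; the field layout is assumed to follow the
# kernel's "avc:  denied  { perm } for ... scontext=... tcontext=... tclass=..." form.

SAMPLE_DMESG='audit(1055116800.123:4): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev=hda3 ino=98765 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1055116801.456:5): avc:  denied  { write } for  pid=1235 comm="vi" name="passwd" dev=hda3 ino=98766 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
audit(1055116802.789:6): avc:  denied  { read } for  pid=1236 comm="less" name="shadow" dev=hda3 ino=98765 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
eth0: link up, 100Mbps, full-duplex
audit(1055116803.000:7): avc:  granted  { read } for  pid=1237 comm="cat" name="motd" dev=hda3 ino=98767 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file'

# Reads dmesg-style text on stdin and prints "count perm scontext tcontext tclass",
# one line per distinct denial, highest count first. Granted decisions and
# unrelated kernel lines are ignored; several permissions in one message
# ("{ read write }") are joined with "+".
avc_summary() {
    grep 'avc: *denied' | awk '
    {
        perm = ""; sc = ""; tc = ""; cl = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : "+") $j
            }
            if (index($i, "scontext=") == 1) sc = substr($i, 10)
            if (index($i, "tcontext=") == 1) tc = substr($i, 10)
            if (index($i, "tclass=") == 1)   cl = substr($i, 8)
        }
        count[perm " " sc " " tc " " cl]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Only the single most frequent denial from the text on stdin.
# On a live machine: dmesg | avc_top_denial
avc_top_denial() {
    avc_summary | head -n 1
}
```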
Without further ado, please visit http://selinux.dev.gentoo.org for root login information.
Anyone who is interested in this, and would like to know when it's ready for most users and after it's been tested in production environments should subscribe to the email@example.com mailing list and come to #gentoo-hardened on irc.freenode.net. Our project page at http://www.gentoo.org/proj/en/hardened will also be updated when status changes occur.
Open positions in the Gentoo Linux project
The following Portage packages are currently in need of a maintainer. If you are interested in taking one of these positions, please send an e-mail to firstname.lastname@example.org with your full name, location, Linux (and especially Gentoo) experience, areas of expertise, and level of experience with the particular application in question.
If you're unsure about what level of experience any of these tasks require, try searching http://bugs.gentoo.org for open bugs on the package name to get a feeling for the type of experience and skill necessary for that particular package.
Note: We will make every effort to respond to each email personally. However, due to the sheer volume of email that we receive, please accept our thanks in advance in case we're not able to respond to your email.
The tomcat servlet creates the /opt/tomcat directory with privileges that permit users to read files that contain passwords.
- Severity: High - Local password compromise.
- Packages Affected: net-www/tomcat prior to tomcat-4.1.24-r1
- Rectification 1: Synchronize and emerge tomcat, emerge clean.
- Rectification 2: /etc/init.d/tomcat stop ; chmod -R 750 /opt/tomcat/ ; /etc/init.d/tomcat start
- GLSA Announcement
The UW-imapd IMAP daemon can also be used as a client. By default, any authenticated user is permitted to connect to the server, even in restricted operating modes. Exploiting this vulnerability could be used to gain access to the system as the logged-in user.
- Severity: High - Remote authentication compromise.
- Packages Affected: net-mail/uw-imapd prior to uw-imapd-2002d
- Rectification: Synchronize and emerge uw-imapd, emerge clean.
- GLSA Announcement
The game maelstrom has a buffer overflow that could permit a local user to execute arbitrary code.
- Severity: Moderate - Arbitrary code execution, limited to users with local access.
- Packages Affected: app-games/maelstrom prior to maelstrom-3.0.6
- Rectification: Synchronize and emerge maelstrom, emerge clean.
- GLSA Announcement
Apache 2.0 servers are subject to a remote Denial-of-Service attack through the mod_dav (and possibly other) mechanism. This vulnerability is a result of a configuration bug that causes the server to be thread-unsafe in certain configurations.
- Severity: Moderate - Remote DoS.
- Packages Affected: net-www/apache-2.x prior to apache-2.0.46
- Rectification: Synchronize and emerge apache, emerge clean.
- GLSA Announcement
New Security Bug Reports
The following new security bugs were posted this week:
The guys behind breakmygentoo.net
Figure 3.1: The team of breakmygentoo.net
This week we feature the people who took care of all the CVS ebuilds left homeless by the "Great Portage CVS Purge '03", Matthew Schick (lin_matt) and Karl Abbott (karl11).
So who are these guys who so desperately try to break your Gentoo? Karl is currently a Computer Science undergraduate at the University of Southern Mississippi (USM) and 21 years old. He uses Linux as his operating system of choice since September 2001. Matthew Schick, 27, works as systems administrator at USM's computer science department. A Linux user since 1998 he tried various distributions including Red Hat, Caldera, Mandrake and Debian before deciding to go with Gentoo Linux in May 2002. He recently switched the department's main server successfully from Red Hat 7.2 to Gentoo Linux, and is currently looking into the viability of migrating all the lab's machines (around 100) sometime during this summer as well.
Once upon a time in Gentoo land...
breakmygentoo.net originated from a site called "Ebuild Central". The purpose of this site was to have a place to share "home-grown" ebuilds among Gentoo users locally as well as having a place to link to from the forums. The QuickTime-enabled MPlayer ebuilds were hot at that time, and after exceeding the bandwidth of Karl's site both of them knew they had to find another solution.
So Matt talked to one of his clients in Los Angeles and obtained some much needed space and bandwidth for the site in December of 2002. After a little while of going only with an IP address, Matt and Karl decided that a domain would be necessary, and thus breakmygentoo.net was born in February 2003. The name was decided on as both a warning and a tongue-in-cheek joke for anyone hitting the site. Even during those times they simply expected the project to be a way of sharing ebuilds amongst themselves and a few people who might be interested in the same types of software. For the first few months, the site was simply a listing of the ebuilds in the directory. But it soon became obvious that there was a high demand, and just a few weeks ago, Karl created a frontend for the site and then announced the launch of the new site. With that launch comes the project's own bugzilla, giving brave Gentooists the ability to submit ebuilds and bug reports that they encounter with all the CVS ebuilds out there.
With the release of GNOME 2.3.2 has come some of the highest usage the site has ever experienced. The fans of breakmygentoo.net have also helped identify several potential bugs, both on the Gentoo side as well as in some of the GNOME software. This gives Gentoo users an opportunity to play with what many people regard as the most exciting release of GNOME so far.
In January Matthew and Karl started to keep track of the site's stats using Webalizer. At this time they had a daily average of 117 and a monthly total of 3650 hits, whereas in May they experienced an average of 927 hits a day which amounted to a total of 28,748 page hits at the end of the month. The first two days of June already saw more than 10,000 hits which makes one think about all the people out there trying to break their Gentoos... ;-)
Here's what they have to say:
Matt: "breakmygentoo.net has become an unlikely resource for folks that enjoy bug hunting (or just playing) in the realm of unstable software. Hopefully some of the information that's gained through the usage of the ebuilds on the site will contribute to the overall quality of the stable releases."
Karl: "breakmygentoo.net came out of the necessity for a shared space for development ebuilds. I never could have imagined it becoming as widely used as it is today."
Also both of them would like to express their thanks to everyone who has contributed to the site!
Featured Developer of the Week
Joshua Brindle, aka Method
Figure 4.1: Joshua Brindle, aka Method
Joshua Brindle is in charge of several security-related Gentoo projects, acting as liaison between the teams and Gentoo proper in addition to participating and getting his hands dirty. The biggest one is Hardened Gentoo, which Joshua himself started a few months ago and which now boasts five active developers and the official SELinux play machine mentioned earlier in the newsletter. Joshua is also working on the integration of ProPolice stack smashing protection into Gentoo; he and his team are very close to getting it into the default profiles. With all this security work he hasn't been able to participate in SPARC development (when Joshua first joined the team in November 2002 it was as a SPARC developer), but he's really proud of how far he and his teams have come in such a short time and hopes to continue to progress and show the world what Gentoo is really made of.
An undergraduate studying for a BS in System Network Management, and working as UNIX administrator at Southern Nazarene University, Joshua's favorite applications are actually mostly servers: Apache, PHP, exim, MySQL, and openSSH. While he usually runs Linux on servers, on the rare occasions when he runs it on a desktop he uses KDE, Konqueror, and Evolution, as well as VMWare (which he wishes were open). His hobbies include watching the Simpsons, drinking Dr. Pepper, partying, clubbing, and playing Warcraft III. Joshua lives in Oklahoma but is from Texas! (he says that people who live or have lived in Texas would understand). When he graduates next semester and starts hunting for a job, he says he'll be sure to put in an application at the NSA.
Heard In The Community
Much Ado About Macintosh
Drobbins' announcement of Gentoo/Mac OS X and the new LiveCDs for the PowerPC architecture have rippled the waves quite considerably last week. A few people are discussing the virtues of Portage vs. Fink or Darwinports, others suddenly express revived interest in Macintosh emulators on x86 for Linux, and the lead dev for PPC dropped by to ask for hardware loans of oldworld Macs and PReP machines (i.e. IBM RS/6000 etc.) that he could use for testing the LiveCD:
Ximian Desktop 2 Port
Not many of the Gentoo developers are also forum regulars, since most of them prefer the mailing lists or the IRC channels. But when link suddenly announced that he was starting work on a port of Ximian's Desktop 2, due out in the market this week starting 9 June 2003, the devs came flocking in to offer advice and help and wish him luck:
Laptops and Gentoo
In the beginning, only the most devout hackers with a basement full of luck were able to get Linux running properly on their laptops. The quirky hardware, screens and suspend modes boggled driver developers, leaving many features disabled or abandoned. Fortunately the increasing demand has fueled the maturation of laptop-centric drivers, and installing Linux on a laptop is now considered child's play. The good news is that the whole community feels that, all distributions considered, Gentoo Linux is an excellent choice for laptops. One reason for this is Gentoo's tendency to stay on the cutting edge of the latest stable software. Armed with the ACPI patches of the 1.4rc4 LiveCD, Gentoo'ers should experience a smooth ride while running a base system on their laptop. Heat was mentioned as an important issue due to Gentoo's propensity to stress the CPU while compiling for extended periods on sometimes inadequately cooled laptops. Finne Boonen solved this by placing the laptop on bricks. Another issue was that of sound dying after returning from safe mode. Jason Nielson let us know his solution here. In a separate thread Cedric Veilleux asked which vendor of laptop should be purchased. Many great recommendations were given, including Chris Meidinger's submission of linux-on-laptops.com. All in all, Gentoo Linux is recommended as a viable solution for laptops, and you are encouraged to try it out.
This week has seen many smaller threads, however interesting. And one of them in particular:
(FS) Attributes for Ebuilds?
Using the file system as a sort of extra database for Portage, so as to allow, perhaps, faster searches or expanded categorization.
This idea came as a followup, by Michael Kohl, to the earlier discussion about categories in portage.
Italian Gentoo Propaganda Machines Roundup
Enrico Morelli, initiator of Gentoo Linux Italia, has recently closed the unofficial forum he maintained on a university server in favour of inviting everyone to join the official Italian forum. His excellent website continues to be around, of course. And now there's yet another unofficial Gentoo website in Italy: Joe and Stefano Lucidi have concocted a PHP-driven website based on Postnuke, and included a broad range of Gentoo-centric information with news directly off the frontpage, a user forum and a few other gimmicks including AvantGo PDA-formatted information. The Italian mailing list the duo established is also quite successful.
Journée des Gentooistes
As reported earlier, the French Gentooists are discussing the date and venue for a Gentoo user meeting in France. The preliminary verdict seems to point in the direction of a meeting in Paris, sometime after the infamous rentrée when millions of French head back to town from their summer vacation. A web forum set aside exclusively for coordinating the details is waiting for people to express their opinions.
The following notable packages were updated or added to portage this week
The following stable packages were updated or added to portage this week
Total categories: 82
Total packages: 4564 (86 packages added since last week)
Note: Due to server problems last week, this week's statistics are based on the 14 day period between 23 May 2003 and 5 Jun 2003
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 14 days, activity on the site has resulted in:
- 471 new bugs during this period
- 326 bugs closed during this period
- 10 previously closed bugs were reopened this period
Of the 3259 currently open bugs: 54 are labeled 'blocker', 133 are labeled 'critical', and 253 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs this week are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs this week are:
Tips and Tricks
Combining Commands with For
This week's tip shows you how to run similar commands in a loop to avoid typing in the same command over and over again. For example, untarring several tar.gz files. Or perhaps renaming files with similar
Code Listing 9.1: for and tar
# for n in *.tar.gz; do tar -zxvf "$n"; done
This next instance demonstrates removing the .dist extension of
Code Listing 9.2: for and mv
# for n in *.dist; do mv "$n" "$(basename "$n" .dist)"; done
If necessary, you could combine it with find to rename all .phtml files in /home/httpd/htdocs to
Code Listing 9.3: for and find
# cd /home/httpd/htdocs
# for n in $(find . -type f -name '*.phtml'); \
do mv "$n" "${n%.phtml}.php"; done
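An added variant of the find-and-rename tip (example code, not from the original GWN listing) that keeps each file in its own directory and copes with names containing spaces or other odd characters, which a word-split command substitution in a for loop breaks apart; the helper name rename_ext is made up here, and it also refuses to overwrite a file that already carries the new extension.

```shell
#!/bin/sh
# Added example, not from the GWN tip: rename every file with one extension to
# another, recursively, without word-splitting problems. find hands the
# matching paths straight to a small inline shell script, so spaces, tabs and
# even newlines in names survive. rename_ext is a made-up helper name.
#
# usage: rename_ext DIRECTORY OLD_EXT NEW_EXT     (extensions without the dot)
rename_ext() {
    dir=$1; old=$2; new=$3
    find "$dir" -type f -name "*.$old" -exec sh -c '
        old=$1; new=$2; shift 2
        for f do
            # strip the old extension from the full path, keep the directory
            target="${f%."$old"}.$new"
            if [ -e "$target" ]; then
                printf "skip: %s already exists\n" "$target" >&2
                continue
            fi
            mv -- "$f" "$target"
        done' sh "$old" "$new" {} +
}

# Count files under a directory with a given extension; handy for a before/after check.
count_ext() {
    find "$1" -type f -name "*.$2" | wc -l | tr -d ' '
}
```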
Quote/Signature of the week
This week's featured .sig was seen on gentoo-dev in a message from Pascal Bourguignon: "Do not adjust your mind, there is a fault in reality." Or maybe it's just a fault in the matrix? ;-)
Moves, Adds and Changes
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo Linux team:
- Abhishek Amit ("andrd") -- LDAP
- Brad Laue (brad) -- phoenix/firebird
The following developers recently changed roles within the Gentoo Linux project.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make GWN better.
GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to email@example.com.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to firstname.lastname@example.org from the email address you are subscribed under.
The Gentoo Weekly Newsletter is also available in the following languages: