[arch-general] RPM Question
Hi Folks,

New Arch user here. I really like it! Another Arch user recommended it to me after I started noticing quality issues with another of the main distributions. I'm currently working on a test install to see if Arch will function in a very restricted environment. So far I've successfully installed KDE and configured for a true IPv6 network. Yet to be done is support for Common Access Cards and their USB readers. I've been having issues with pcscd but I'm not ready to ask for help yet. I also tried fake-raid but gave up in favor of the much simpler JBOD (two disks) config.

But I ran into a problem installing something called HBSS from McAfee. This is a package for Windows that is nothing more than a root-kit that allows remote administrators to set policy, remove/block programs, report versions, etc. Unfortunately management mandates that non-Windows systems also run it. So McAfee labored mightily and emitted a Java port of the Windows package that gives minimal reporting capabilities for Linux installs. It works on all the major distros but fails to install on Arch due to an RPM dependency. Their install script just fails saying it can't find rpm. The script contains much ugliness and is McAfee proprietary, so I doubt hacking it will be productive.

So the question is: can Arch be configured/tricked into an rpm install?

Thanks for a great distro, and your wiki is amazing! It's a little light on IPv6 info, but I might be able to help there later.

Regards,
Lew Wolfgang
On Sat, Oct 2, 2010 at 8:41 PM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
> So the question is: can Arch be configured/tricked into an rpm install?

If you can get a hold of the rpm spec file, you could feed it to spec2arch (from pkgtools), run makepkg -s on the resultant PKGBUILD, and modify their script to use pacman -U /path/to/your/pkg instead of rpm.
On 10/2/2010 7:41 PM, Lew Wolfgang wrote:
> It works on all the major distros but fails to install on Arch due to an RPM dependency. Their install script just fails saying it can't find rpm. The script contains much ugliness and is McAfee proprietary, so I doubt hacking it will be productive.
>
> So the question is: can Arch be configured/tricked into an rpm install?

Does their installer actually require the use of rpm to install, or just want rpm to be there? Most distros allow you to install rpm, Arch is no different except it is in aur:

aur/rpm 5.2.1-1 (153)
    The RedHat Package Manager. Don't use it instead of Arch's 'pacman'.

If it actually uses rpm for the process, this is probably not the solution. Two package managers at once is not a good thing.
On 10/02/2010 06:10 PM, Steven Susbauer wrote:
> Does their installer actually require the use of rpm to install, or just want rpm to be there? Most distros allow you to install rpm, Arch is no different except it is in aur:
>
> aur/rpm 5.2.1-1 (153)
>     The RedHat Package Manager. Don't use it instead of Arch's 'pacman'.
>
> If it actually uses rpm for the process, this is probably not the solution. Two package managers at once is not a good thing.

I spent some time last night pulling the .sh file apart. It's a script that unzips a binary that unpacks two rpm files (9-MB), one 32-bit ELF program (8.9-MB), two cryptographic keys and an xml file. The script then calls rpm to install the two rpm files, which contain tons of 32-bit system libraries. These libraries have the same names as regular system libs, like libc, libm, libresolv and libcrypt. This all makes me very nervous! Arch not using rpm may be a blessing in disguise, I'm going to see if I can get a waiver to not install this McAfee root-kit. Thanks for the help, Lew
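The manual teardown Lew describes above can be repeated for any vendor RPM on Arch without installing rpm. The following is an added example, not part of the thread: it lists an RPM's payload with bsdtar and flags shared objects whose file names already exist in the host's library directories. The `/opt/vendor` paths and library names in the demo are constructed, and `/usr/lib` and `/usr/lib32` as the host library directories are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a vendor RPM's payload without installing it.

# List the payload paths of an RPM. bsdtar (libarchive) reads the RPM
# container directly, so no rpm binary or rpm database is involved.
list_rpm_payload() {
    bsdtar -tf "$1"
}

# Read payload paths on stdin. For every shared object whose file name also
# exists in one of the directories given as arguments, print
# "<payload path><TAB><host path>".
find_shadowed_libs() {
    local path name dir
    while IFS= read -r path || [ -n "$path" ]; do
        name=${path##*/}                      # strip the directory part
        case "$name" in
            lib*.so|lib*.so.*) ;;             # looks like a shared object
            *) continue ;;
        esac
        for dir in "$@"; do
            if [ -e "$dir/$name" ]; then
                printf '%s\t%s\n' "$path" "$dir/$name"
                break
            fi
        done
    done
    return 0
}

# Offline demonstration on constructed data: a fake host library directory
# and a fake payload listing (none of these paths come from a real package).
demo_shadow_check() {
    local tmp f
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/lib"
    for f in libc.so.6 libm.so.6 libresolv.so.2 libcrypt.so.1; do
        : > "$tmp/usr/lib/$f"
    done
    printf '%s\n' \
        ./opt/vendor/lib/libc.so.6 \
        ./opt/vendor/lib/libm.so.6 \
        ./opt/vendor/lib/libcrypt.so.1 \
        ./opt/vendor/lib/libvendoragent.so.1 \
        ./opt/vendor/bin/agent \
        ./etc/init.d/vendor-agent |
        find_shadowed_libs "$tmp/usr/lib"
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then
    # Real use: pass the path of an extracted .rpm file.
    list_rpm_payload "$1" | find_shadowed_libs /usr/lib /usr/lib32
else
    demo_shadow_check
fi
```

A hit only means the package carries its own copy of a library the host already provides; whether that copy is ever loaded by anything else depends on where it is installed and on the loader configuration.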
On Sun, Oct 3, 2010 at 6:00 PM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
> I spent some time last night pulling the .sh file apart. It's a script that unzips a binary that unpacks two rpm files (9-MB), one 32-bit ELF program (8.9-MB), two cryptographic keys and an xml file. The script then calls rpm to install the two rpm files, which contain tons of 32-bit system libraries. These libraries have the same names as regular system libs, like libc, libm, libresolv and libcrypt. This all makes me very nervous! Arch not using rpm may be a blessing in disguise, I'm going to see if I can get a waiver to not install this McAfee root-kit.
>
> Thanks for the help, Lew

Can't you try to install only the program itself without these libraries? The libraries could be installable using pacman.

--
Cédric Girard
On 10/03/2010 11:07 AM, Cédric Girard wrote:
> Can't you try to install only the program itself without these libraries? The libraries could be installable using pacman.

It installs a whole hierarchy in /opt, which is where its many libraries end up. It also has its own ldconfig, so it looks like it sets up its own insular runtime environment. It installs hooks in /etc/init.d for boot-time starting. Since this is a security package, I wouldn't be surprised if it did some kind of a trip-wire process to thwart tampering. It certainly uses pki keys to communicate with its "mother ship".

As you can probably see, I'm trying to talk myself out of working on this too much. I could also try making a tarball of /opt/McAfee on a RPM-ed host where the package successfully installed itself, then port the start script to /etc/rc.d. I'm thinking my time might be better spent on getting a waiver for not installing the mess.

Thanks for the suggestion, Cédric

Regards,
Lew
On Sun, 03 Oct 2010 09:00:08 -0700, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
> I spent some time last night pulling the .sh file apart. It's a script that unzips a binary that unpacks two rpm files (9-MB), one 32-bit ELF program (8.9-MB), two cryptographic keys and an xml file. The script then calls rpm to install the two rpm files, which contain tons of 32-bit system libraries. These libraries have the same names as regular system libs, like libc, libm, libresolv and libcrypt. This all makes me very nervous! Arch not using rpm may be a blessing in disguise, I'm going to see if I can get a waiver to not install this McAfee root-kit.
>
> Thanks for the help, Lew

What about setting up a simple tiny chroot just for this application?

--
Dan Vrátil
vratil@progdansoft.com
Tel: +4202 732 326 870
Jabber: progdan@jabber.cz
This email does not contain any viruses because the sender does not use Windows.
On 10/03/2010 11:11 AM, Dan Vrátil wrote:
> What about setting up a simple tiny chroot just for this application?

That's an interesting idea, Dan. But since this package is supposed to install itself like a cancer in the OS, it wouldn't be able to perform its function in a chroot.

The Windows version of this thing is intended to remove local administrative privileges so that the machine can be completely managed remotely. It can prevent unapproved programs from being loaded, and can disable installed programs that it has an issue with. Indeed, it disabled non-current versions of Adobe Acrobat a couple of weeks ago. It also has an IPS function to monitor and disable network traffic it finds threatening. It can enforce password policies and can report what a user is doing and what web sites they're visiting. It can sniff network configurations and report dual-homed hosts; natted subnets are also disallowed. I'm sure it does much more.

I've been told that the Linux/Apple versions only report at this time, the more intrusive capabilities aren't yet implemented.

Thanks,
Lew
On Sun, 03 Oct 2010 12:19:30 -0700, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
> That's an interesting idea, Dan. But since this package is supposed to install itself like a cancer in the OS, it wouldn't be able to perform its function in a chroot.
>
> The Windows version of this thing is intended to remove local administrative privileges so that the machine can be completely managed remotely. It can prevent unapproved programs from being loaded, and can disable installed programs that it has an issue with. Indeed, it disabled non-current versions of Adobe Acrobat a couple of weeks ago. It also has an IPS function to monitor and disable network traffic it finds threatening. It can enforce password policies and can report what a user is doing and what web sites they're visiting. It can sniff network configurations and report dual-homed hosts; natted subnets are also disallowed. I'm sure it does much more.
>
> I've been told that the Linux/Apple versions only report at this time, the more intrusive capabilities aren't yet implemented.
>
> Thanks, Lew

Well it is just an application, not a kernel module or so, so in my opinion it does not matter if it runs in chroot or not, as it can only obtain data from some /proc, /sys and /dev files and these can be made available in the chroot via mount (e.g. by mounting the real folders to the chroot). What I want to say is that the application can have access to all the information it wants, but it will just be installed separately from your beloved Arch.

Dan
On 10/03/2010 01:29 PM, Dan Vrátil wrote:
> Well it is just an application, not a kernel module or so, so in my opinion it does not matter if it runs in chroot or not, as it can only obtain data from some /proc, /sys and /dev files and these can be made available in the chroot via mount (e.g. by mounting the real folders to the chroot). What I want to say is that the application can have access to all the information it wants, but it will just be installed separately from your beloved Arch.

Hi Dan, Interesting. I wonder how one would do this? Since the package depends on RPM, could that be installed in a jail and not interfere with pacman? Or would most of a second OS need to live in the jail? Can you install a full-up Fedora or openSuSE in a jail? The jail would need access to the main /etc/passwd and /etc/shadow files, wouldn't that be rather difficult to set up? A chroot that has full access to /? Interesting to contemplate... Regards, Lew
On Sun, 03 Oct 2010 14:21:28 -0700, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
> Hi Dan,
>
> Interesting. I wonder how one would do this? Since the package depends on RPM, could that be installed in a jail and not interfere with pacman? Or would most of a second OS need to live in the jail? Can you install a full-up Fedora or openSuSE in a jail? The jail would need access to the main /etc/passwd and /etc/shadow files, wouldn't that be rather difficult to set up? A chroot that has full access to /? Interesting to contemplate...
>
> Regards, Lew

Actually that should not be so difficult to set up. You can use a program called "schroot". It mounts the real folders (/home, /dev, /proc etc.) to the chroot using an fstab-like file (see /etc/schroot/mount-arch32) and it also copies some essential files (like /etc/shadow and /etc/passwd) to the chroot (see /etc/schroot/copyfiles-arch32).

Additionally, I think you don't need access to full /, just to /etc, /dev, /sys and /proc since that's all where the program can get any useful info or where any essential data to be watched over are located. If I'm wrong, it's not a problem to mount the folder to the chroot filesystem. The rest of the chroot's filesystem can contain whatever you want. Actually I believe that it should work even when you would have only the libs that the program is linked against and some applications that the program needs to run, you don't even have to install kernel, udev, etc.

I'd recommend not to even use pacman to set up the chroot, but use RPM to set it all up from the main system, something like:

rpm install base-system --root=/home/chroot --dbpath=/home/chroot/var/lib/packages

(I don't know how to use rpm, just to show the idea)

and then enter the chroot using

schroot -c my_chroot

and then just start the application from the chroot.

Dan
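Before an agent is started in a chroot built this way, it helps to see exactly which host trees and credential files the schroot profile hands to it. The following is an added example, not part of the thread: it reads an fstab-like mount file and a copyfiles list of the kind Dan mentions and reports writable bind mounts and copied password-hash files. The file formats (fstab columns, one path per line) and the sample contents in the demo are assumptions and constructed data.

```bash
#!/usr/bin/env bash
# Added example: review an schroot profile before a vendor agent runs in it.

# Print "<WRITABLE|READONLY> <host path> <mount point> <options>" for every
# bind mount in an fstab-style file such as /etc/schroot/mount-arch32.
audit_chroot_mounts() {
    local src dst fstype opts rest mode
    while read -r src dst fstype opts rest || [ -n "$src" ]; do
        case "$src" in ''|'#'*) continue ;; esac   # blank line or comment
        case ",$opts," in
            *,bind,*|*,rbind,*) ;;                 # a host tree exposed to the chroot
            *) continue ;;                         # tmpfs and similar: not a host tree
        esac
        case ",$opts," in
            *,ro,*) mode=READONLY ;;
            *)      mode=WRITABLE ;;               # rw is the default when ro is absent
        esac
        printf '%s %s %s %s\n' "$mode" "$src" "$dst" "$opts"
    done < "$1"
    return 0
}

# Print every entry of a copyfiles list (one path per line) that holds
# password hashes and would therefore be duplicated inside the chroot.
list_secret_copies() {
    local path
    while IFS= read -r path || [ -n "$path" ]; do
        case "$path" in
            /etc/shadow|/etc/shadow-|/etc/gshadow|/etc/gshadow-)
                printf '%s\n' "$path" ;;
        esac
    done < "$1"
    return 0
}

# Offline demonstration on constructed files (not copied from a real system).
demo_profile_audit() {
    local tmp
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/mount-arch32" <<'EOF'
# constructed sample in fstab format
/proc  /proc     none   rw,bind   0 0
/sys   /sys      none   rw,bind   0 0
/dev   /dev      none   rw,bind   0 0
/etc   /etc      none   ro,bind   0 0
tmpfs  /dev/shm  tmpfs  defaults  0 0
EOF
    printf '%s\n' /etc/passwd /etc/shadow /etc/resolv.conf > "$tmp/copyfiles-arch32"
    audit_chroot_mounts "$tmp/mount-arch32"
    list_secret_copies "$tmp/copyfiles-arch32" | sed 's/^/COPIED-SECRET /'
    rm -rf "$tmp"
}

if [ "$#" -eq 2 ]; then
    # Real use: <mount file> <copyfiles file>
    audit_chroot_mounts "$1"
    list_secret_copies "$2" | sed 's/^/COPIED-SECRET /'
else
    demo_profile_audit
fi
```

Every WRITABLE line is a host tree that a root process inside the chroot can modify as if it were running outside it.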
On Oct 3, 2010, at 4:59 PM, "Dan Vrátil" <vratil@progdansoft.com> wrote:
> Actually that should not be so difficult to set up. You can use a program called "schroot". It mounts the real folders (/home, /dev, /proc etc.) to the chroot using an fstab-like file (see /etc/schroot/mount-arch32) and it also copies some essential files (like /etc/shadow and /etc/passwd) to the chroot (see /etc/schroot/copyfiles-arch32).
>
> Additionally, I think you don't need access to full /, just to /etc, /dev, /sys and /proc since that's all where the program can get any useful info or where any essential data to be watched over are located. If I'm wrong, it's not a problem to mount the folder to the chroot filesystem. The rest of the chroot's filesystem can contain whatever you want. Actually I believe that it should work even when you would have only the libs that the program is linked against and some applications that the program needs to run, you don't even have to install kernel, udev, etc.
>
> I'd recommend not to even use pacman to set up the chroot, but use RPM to set it all up from the main system, something like:
>
> rpm install base-system --root=/home/chroot --dbpath=/home/chroot/var/lib/packages
>
> (I don't know how to use rpm, just to show the idea)
>
> and then enter the chroot using
>
> schroot -c my_chroot
>
> and then just start the application from the chroot.
>
> Dan

If you want to be sure it can't escape, you could try using LXC to contain the Fedora system. It is a recent kernel technology designed specifically for this purpose, and has tools to build Fedora amongst other distributions. Very easy to set up a containerized system.

C Anthony [mobile]
----- Original message -----
On Oct 3, 2010, at 4:59 PM, "Dan Vrátil" <vratil@progdansoft.com> wrote:
On Sun, 03 Oct 2010 14:21:28 -0700, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 10/03/2010 01:29 PM, Dan Vrátil wrote:
On 10/03/2010 11:11 AM, Dan Vrátil wrote:
On Sun, 03 Oct 2010 09:00:08 -0700, Lew Wolfgang <wolfgang@sweet-haven.com> wrote: > On 10/02/2010 06:10 PM, Steven Susbauer wrote: > > On 10/2/2010 7:41 PM, Lew Wolfgang wrote: > > > It works on all the major distros but fails to install > > > on Arch due to an RPM dependency. Their install script > > > just fails saying > > > it can't find rpm. The script contains much ugliness and > > > is McAfee > > > proprietary, so I doubt hacking it will be productive. > > > > > > So the question is: can Arch be configured/tricked into > > > an rpm install? > > Does their installer actually require use rpm to install, > > or just wants rpm to be> there? Most distros allow you to > > install rpm, Arch is no different except it is in> aur: > > > > aur/rpm 5.2.1-1 (153) > > The RedHat Package Manager. Don't use it instead of > > Arch's 'pacman'. > > > > If it actually uses rpm for the process, this is probably > > not the solution. Two> package managers at once is not a > > good thing. > I spent some time last night pulling the .sh file apart. > It's a script that unzips a binary that unpacks two rpm > files (9-MB), one > 32-bit ELF program (8.9-MB), two cryptographic keys and an > xml file. > The script then calls rpm to install the two rpm files, which > contain > tons of 32-bit system libraries. These libraries have the > same names > as regular system libs, like libc, libm, libresolv and > libcrypt. This > all makes me very nervous! Arch not using rpm may be a > blessing in > disguise, I'm going to see if I can get a waiver to not > install this > McAfee root-kit. > > Thanks for the help, > Lew What about setting up a simple tiny chroot just for this application?
On Sun, 03 Oct 2010 12:19:30 -0700, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
That's an interesting idea, Dan. But since this package is supposed to install itself like a cancer in the OS, it wouldn't be able to perform its function in a chroot. The Windows version of this thing is intended to remove local administrative privileges so that the machine can be completely managed remotely. It can prevent unapproved programs from being loaded, and can disable installed programs that it has an issue with. Indeed, it disabled non-current versions of Adobe Acrobat a couple of weeks ago. It also has an IPS function to monitor and disable network traffic it finds threatening. It can enforce password policies and can report what a user is doing and what web sites they're visiting. It can sniff network configurations and report dual-homed hosts, natted subnets are also disallowed. I'm sure it does much more. I've been told that the Linux/Apple versions only report at this time, the more intrusive capabilities aren't yet implemented.
Thanks, Lew
Well, it is just an application, not a kernel module or so, so in my opinion it does not matter if it runs in chroot or not, as it can only obtain data from some /proc, /sys and /dev files and these can be made available in the chroot via mount (e.g. by mounting the real folders to the chroot). What I want to say is that the application can have access to all the information it wants, but it will just be installed separately from your beloved Arch.
Hi Dan,
Interesting. I wonder how one would do this? Since the package depends on RPM, could that be installed in a jail and not interfere with pacman? Or would most of a second OS need to live in the jail? Can you install a full-up Fedora or openSuSE in a jail? The jail would need access to the main /etc/passwd and /etc/shadow files, wouldn't that be rather difficult to set up? A chroot that has full access to /? Interesting to contemplate...
Regards, Lew
Actually that should not be so difficult to set up. You can use program called "schroot". It mounts the real folder (/home, /dev, /proc etc) to the chroot using fstab-like file (see /etc/schroot/mount-arch32) and it also copies some essential files (like /etc/shadow and /etc/passwd) to the chroot (see /etc/schroot/copyfiles-arch32).
Additionally, I think you don't need access to full /, just to /etc, /dev, /sys and /proc since that's all where the program can get any useful info or where any essential data to be watched over are located. If I'm wrong, it's not a problem to mount the folder to the chroot filesystem. The rest of the chroot's filesystem can contain whatever you want. Actually I believe that it should work even when you would have only the libs that the program is linked against and some applications that the program needs to run, you don't even have to install kernel, udev, etc.
I'd recommend not to even use pacman to set up the chroot, but use RPM to set it all up from the main system, something like:
rpm install base-system --root=/home/chroot --dbpath=/home/chroot/var/lib/packages (I don't know how to use rpm, just to show the idea)
and then enter the chroot using
schroot -c my_chroot
and then just start the application from the chroot.
Dan
-- -- Dan Vrátil vratil@progdansoft.com Tel: +4202 732 326 870 Jabber: progdan@jabber.cz
This email does not contain any viruses because the sender does not use Windows.
If you want to be sure it can't escape, you could try using LXC to contain the fedora system.
It is a recent kernel technology designed specifically for this purpose, and has tools to build fedora amongst other distributions.
Very easy to set up a containerized system.
C Anthony [mobile]
Hmmm the LXC looks like a pretty cool project, that's exactly what I was looking for some time ago, thanks for bringing it in. But if I understood correctly, you need to have entire system installed inside the container, which is I think a waste of diskspace for just one program, meanwhile chroot would require just default libs, bash and dependencies of that app. Dan
On 10/02/2010 08:10 PM, Steven Susbauer wrote:
On 10/2/2010 7:41 PM, Lew Wolfgang wrote:
It works on all the major distros but fails to install on Arch due to an RPM dependency. Their install script just fails saying it can't find rpm. The script contains much ugliness and is McAfee proprietary, so I doubt hacking it will be productive.
So the question is: can Arch be configured/tricked into an rpm install?
Lew, good to see you here. I have just created a step-by-step howto on building and installing rpm/yum/yum-createrepo/etc... on arch just a few weeks ago. I still manage my suse repos on my Arch server. I'll have to switch drives to grab the notes, but I'll post back if I can't find it with a quick google:
Ahah! Found it: http://www.pubbs.net/201009/archlinux/21794-arch-general-installing-createre...
This lays out which packages you need to get from AUR and build with 'makepkg -s' in the order you need to install them to get rpm and the yum-metadata-parser installed on arch. (there is also a patch from the rpm upstream guys to deal with the weird tokens suse still uses in packaging.) (for some reason the site messes up the urls to the AUR packages, I'll shoot you my saved copy with good links)
This howto will get rpm5 and all the goods installed on your Arch box. I haven't tried an 'rpm install' on arch, as the spec2arch script that generates the arch PKGBUILD which you then use (while in the same directory) by simply typing 'makepkg -s' to build the arch package for whatever you are installing. I left rpm installs with suse and use pacman with Arch. It's simple and (works almost identical to zypper from a user standpoint). But I do still maintain my 11.0 and 11.3 repos on my Arch server which is what got me started down this path to begin with.
When I pop my other drive back in the laptop, I'll shoot you a copy with good urls. (I think you can use the ones in the link, you just have to change the char to either a '-' or '_' IIRC.)
--
David C. Rankin, J.D.,P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
On 10/03/2010 02:41 AM, Lew Wolfgang wrote:
Hi Folks,
New Arch user here. I really like it! Another Arch user recommended it to me after I started noticing quality issues with another of the main distributions.
I'm currently working on a test install to see if Arch will function in a very restricted environment. So far I've successfully installed KDE and configured for a true IPv6 network. Yet to be done is support for Common Access Cards and their USB readers. I've been having issues with pcscd but I'm not ready to ask for help yet. I also tried fake-raid but gave up in favor of the much simpler JBOD (two disks) config.
But I ran into a problem installing something called HBSS from McAfee. This is a package for Windows that is nothing more than a root-kit that allows remote administrators to set policy, remove/block programs, report versions, etc. Unfortunately management mandates that non-Windows systems also run it. So McAfee labored mightily and emitted a Java port of the Windows package that gives minimal reporting capabilities for Linux installs. It works on all the major distros but fails to install on Arch due to an RPM dependency. Their install script just fails saying it can't find rpm. The script contains much ugliness and is McAfee proprietary, so I doubt hacking it will be productive.
So the question is: can Arch be configured/tricked into an rpm install?
Thanks for a great distro, and your wiki is amazing! It's a little light on IPv6 info, but I might be able to help there later.
Regards, Lew Wolfgang
I think nobody has mentioned rpmextract yet? Might be possible to use that to create a native arch package. AFAIK it's the usual solution when an application exists only in rpm form.
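The concern raised earlier in the thread, that the bundled RPMs carry libraries with the same names as regular system libs, can be checked on an unpacked payload (for example one produced with rpmextract) before anything is installed. This is an added example, not part of the thread; the function names and the fixture layout are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list bundled shared libraries that shadow system library names.

# Reduce a library file name to its stem: libc.so.6 and libc-2.12.so -> libc
lib_stem() {
    basename "$1" | sed -e 's/\.so[0-9.]*$//' -e 's/-[0-9][0-9.]*$//'
}

# find_shadowing_libs EXTRACT_DIR SYSTEM_LIB_DIR
# Prints "stem<TAB>bundled path<TAB>system path" for every library in the
# extracted tree whose stem also exists in the system library directory.
find_shadowing_libs() {
    extract_dir=$1
    system_dir=$2
    find "$extract_dir" \( -type f -o -type l \) -name 'lib*.so*' | sort |
    while IFS= read -r bundled; do
        stem=$(lib_stem "$bundled")
        for sys in "$system_dir"/"$stem".so* "$system_dir"/"$stem"-[0-9]*.so; do
            [ -e "$sys" ] || continue   # unmatched glob stays literal: skip it
            printf '%s\t%s\t%s\n' "$stem" "$bundled" "$sys"
            break                       # one hit per bundled file is enough
        done
    done
}

# Constructed fixture: an "extracted payload" and a stand-in system lib dir.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/payload/opt/vendor/lib" "$root/syslib"
    for f in libc.so.6 libm.so.6 libresolv.so.2 libcrypt.so.1 libvendoragent.so; do
        : > "$root/payload/opt/vendor/lib/$f"
    done
    for f in libc.so.6 libm.so.6 libresolv.so.2 libcrypt.so.1 libz.so.1; do
        : > "$root/syslib/$f"
    done
    printf '%s\n' "$root"
}

fixture=$(make_fixture)
find_shadowing_libs "$fixture/payload" "$fixture/syslib"
rm -rf "$fixture"
```

On a real system the second argument would be the host's library directory, such as /usr/lib.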
participants (9)
- C Anthony Risinger
- Cédric Girard
- Dan Vratil
- Dan Vrátil
- David C. Rankin
- Jakob Gruber
- Jeremiah Dodds
- Lew Wolfgang
- Steven Susbauer