Re: [arch-general] arch-general Digest, Vol 61, Issue 39
Re: We need a maintained-by-TU chrome/chromium... (Juan Diego) There are enough arch user maintained repo's, you could ask them to package it beside that how much work is AUR ;) 2009/11/18 <arch-general-request@archlinux.org>
Send arch-general mailing list submissions to arch-general@archlinux.org
To subscribe or unsubscribe via the World Wide Web, visit http://mailman.archlinux.org/mailman/listinfo/arch-general or, via email, send a message with subject or body 'help' to arch-general-request@archlinux.org
You can reach the person managing the list at arch-general-owner@archlinux.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of arch-general digest..."
Today's Topics:
1. Re: MUA (Alexandr Bashmakov) 2. Re: pam settings INSECURE (bender02) 3. Re: pam settings INSECURE (Xavier) 4. Re: pam settings INSECURE (bender02) 5. Re: pam settings INSECURE (Jan de Groot) 6. We need a maintained-by-TU chrome/chromium... (Hamo) 7. Re: pam settings INSECURE (Xavier) 8. Re: We need a maintained-by-TU chrome/chromium... (Daenyth Blank) 9. Re: We need a maintained-by-TU chrome/chromium... (Juan Diego)
----------------------------------------------------------------------
Message: 1 Date: Wed, 18 Nov 2009 17:26:04 +0700 From: Alexandr Bashmakov <alex.teorver@gmail.com> Subject: Re: [arch-general] MUA To: General Discusson about Arch Linux <arch-general@archlinux.org> Message-ID: <7d16d2700911180226q14e0d1bbtf1ad3095687a38a5@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
------------------------------
Message: 2 Date: Wed, 18 Nov 2009 12:58:46 +0100 From: bender02 <bender02@archlinux.us> Subject: Re: [arch-general] pam settings INSECURE To: General Discusson about Arch Linux <arch-general@archlinux.org> Message-ID: <6eefa5460911180358n14f3937esc3a3dea388c09ef3@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
2009/11/18 Ng Oon-Ee <ngoonee@gmail.com>:
The *disadvantage* is that the devs/maintainers have to patch up-stream. This should be kept to a minimum, primarily to reduce their workload, and also because it is ASSUMED that if you use Arch, you're capable of doing the Right Thing (tm) according to your situation, or at least finding out how to.
If you would take the time to look at the packages that are involved in this (namely shadow and kdebase-workspace), you'd see that both /etc/pam.d/login and /etc/pam.d/kde are manually suplied alongside the PKGBUILDs. So in this case, it's not "patching" but straight "replacing" the "upstream".
------------------------------
Message: 3 Date: Wed, 18 Nov 2009 14:07:39 +0100 From: Xavier <shiningxc@gmail.com> Subject: Re: [arch-general] pam settings INSECURE To: General Discusson about Arch Linux <arch-general@archlinux.org> Message-ID: <91752840911180507l43f7899ncea46da9f73e2e1e@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
On Wed, Nov 18, 2009 at 6:40 AM, Caleb Cushing <xenoterracide@gmail.com> wrote:
so here's the problem I've discovered
http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-k...
< links to arch bug included posting here because I believe both kde's and arch's developers responses are less than satisfactory. This is a security bug an easy to fix without making users lives more difficult.
so I'm starting with /etc/pam.d/login
auth ? ? ? ?required ? ?pam_shells.so #add this: why let someone login who has an invalid shells.
/etc/pam.d/kdm # I'm pretty sure it should be 99% the same as login since it allows logins.
#%PAM-1.0 auth ? ? ? ?requisite ? pam_nologin.so auth ? ? ? ?required ? ?pam_unix.so nullok auth ? ? ? ?required ? ?pam_shells.so # as my blog says setting an invalid shell is a common way of disabling accounts. auth ? ? ? ?required ? ?pam_tally.so onerr=succeed file=/var/log/faillog # use this to lockout accounts for 10 minutes after 3 failed attempts #auth ? ? ? required ? ?pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/ account ? ? required ? ?pam_access.so account ? ? required ? ?pam_time.so account ? ? required ? ?pam_unix.so password ? ?required ? ?pam_unix.so #password ? required ? ?pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret #password ? required ? ?pam_unix.so md5 shadow use_authtok session ? ? required ? ?pam_unix.so session ? ? required ? ?pam_env.so session ? ? required ? ?pam_limits.so
also I believe pam_tally2 replaces pam_tally may wish to consider migrating (non urgent next release?)
So basically you just need to add "auth required pam_shells.so" to all pam files related to login, correct ? Or what were the other problematic settings of pam.d/kde ?
The comments about this being an upstream problem are invalid, as these pam files are all shipped by arch : http://repos.archlinux.org/wsvn/packages/kdebase-workspace/trunk/ http://repos.archlinux.org/wsvn/packages/shadow/trunk/login
Note that this problem probably exists with all login managers. For example gdm does not have pam_shells.so either. http://repos.archlinux.org/wsvn/packages/gdm/trunk/
And I am curious to know what the pam settings of other distro are (debian,fedora,gentoo,..).
Finally, maybe it makes sense to try keeping all the different pam login files as consistent as possible. But I don't know enough about pam to tell.
------------------------------
Message: 4 Date: Wed, 18 Nov 2009 14:17:24 +0100 From: bender02 <bender02@archlinux.us> Subject: Re: [arch-general] pam settings INSECURE To: General Discusson about Arch Linux <arch-general@archlinux.org> Message-ID: <6eefa5460911180517m50a1edcbt518c04950f7203bb@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
On Wed, Nov 18, 2009 at 2:07 PM, Xavier <shiningxc@gmail.com> wrote:
And I am curious to know what the pam settings of other distro are (debian,fedora,gentoo,..).
Finally, maybe it makes sense to try keeping all the different pam login files as consistent as possible. But I don't know enough about pam to tell.
Some other distros (opensuse, ubuntu, fedora at least) use 'common-auth' (and probably some other 'common-*' files) in /etc/pam.d/, which are then included in the particular pam files. Hence all pam files are consistent. On the other hand, if you need more fine-grained control, you need to edit and consolidate more files than with the current arch setup. [I like arch's system better, but who cares about that :)]
------------------------------
Message: 5 Date: Wed, 18 Nov 2009 14:24:24 +0100 From: Jan de Groot <jan@jgc.homeip.net> Subject: Re: [arch-general] pam settings INSECURE To: General Discusson about Arch Linux <arch-general@archlinux.org> Message-ID: <1258550664.4737.4.camel@jan> Content-Type: text/plain; charset="UTF-8"
On Wed, 2009-11-18 at 14:17 +0100, bender02 wrote:
On Wed, Nov 18, 2009 at 2:07 PM, Xavier <shiningxc@gmail.com> wrote:
And I am curious to know what the pam settings of other distro are (debian,fedora,gentoo,..).
Finally, maybe it makes sense to try keeping all the different pam login files as consistent as possible. But I don't know enough about pam to tell.
Some other distros (opensuse, ubuntu, fedora at least) use 'common-auth' (and probably some other 'common-*' files) in /etc/pam.d/, which are then included in the particular pam files. Hence all pam files are consistent. On the other hand, if you need more fine-grained control, you need to edit and consolidate more files than with the current arch setup. [I like arch's system better, but who cares about that :)]
The reason for shipping custom pam files is because we don't have common-* files in arch. The gdm file is a straight copy from the login file, with some added modules for gnome-keyring to get that daemon started on login. With common-auth, we could just @include common-auth from the pam file, which is much easier.
------------------------------
Message: 6 Date: Wed, 18 Nov 2009 21:48:26 +0800 From: Hamo <hamo.by@gmail.com> Subject: [arch-general] We need a maintained-by-TU chrome/chromium... To: arch-general@archlinux.org Message-ID: <55b9903b0911180548r19eda9b9x1687aab9085c11eb@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
Dear Archlinux users, Chrome is likely to be a daily-use web browser and with the Chrome OS releasing,it will become more and more reliable.Archlinux is a rolling-release distribution and it aims at being bleeding edge.So we should have a maintained-by-TU chrome/chromium and it is really useful...
-- Nick Name:Hamo Website:http://hamobai.com/
------------------------------
Message: 7 Date: Wed, 18 Nov 2009 14:52:42 +0100 From: Xavier <shiningxc@gmail.com> Subject: Re: [arch-general] pam settings INSECURE To: General Discusson about Arch Linux <arch-general@archlinux.org> Message-ID: <91752840911180552u6626b43at10e6e2c7667a2426@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
On Wed, Nov 18, 2009 at 2:24 PM, Jan de Groot <jan@jgc.homeip.net> wrote:
On Wed, 2009-11-18 at 14:17 +0100, bender02 wrote:
On Wed, Nov 18, 2009 at 2:07 PM, Xavier <shiningxc@gmail.com> wrote:
And I am curious to know what the pam settings of other distro are (debian,fedora,gentoo,..).
Finally, maybe it makes sense to try keeping all the different pam login files as consistent as possible. But I don't know enough about pam to tell.
Some other distros (opensuse, ubuntu, fedora at least) use 'common-auth' (and probably some other 'common-*' files) in /etc/pam.d/, which are then included in the particular pam files. Hence all pam files are consistent. On the other hand, if you need more fine-grained control, you need to edit and consolidate more files than with the current arch setup. [I like arch's system better, but who cares about that :)]
The reason for shipping custom pam files is because we don't have common-* files in arch. The gdm file is a straight copy from the login file, with some added modules for gnome-keyring to get that daemon started on login. With common-auth, we could just @include common-auth from the pam file, which is much easier.
That sounds good. I filed http://bugs.archlinux.org/task/17188
------------------------------
Message: 8 Date: Wed, 18 Nov 2009 08:54:40 -0500 From: Daenyth Blank <daenyth+arch@gmail.com <daenyth%2Barch@gmail.com>> Subject: Re: [arch-general] We need a maintained-by-TU chrome/chromium... To: General Discusson about Arch Linux <arch-general@archlinux.org> Message-ID: <ea09a6380911180554w59527b1bg81fd22d94fa75d55@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
On Wed, Nov 18, 2009 at 08:48, Hamo <hamo.by@gmail.com> wrote:
Dear Archlinux users, Chrome is likely to be a daily-use web browser and with the Chrome OS releasing,it will become more and more reliable.Archlinux is a rolling-release distribution and it aims at being bleeding edge.So we should have a maintained-by-TU chrome/chromium and it is really useful...
If you're interested, I recommend finding a sponsor so that you can apply...
There are lots of software projects that would be good to have, but it only makes sense to keep them in the repos if someone is interested in maintaining them.
------------------------------
Message: 9 Date: Wed, 18 Nov 2009 23:05:06 +0900 From: Juan Diego <juantascon@gmail.com> Subject: Re: [arch-general] We need a maintained-by-TU chrome/chromium... To: General Discusson about Arch Linux <arch-general@archlinux.org> Message-ID: <b3095c50911180605h211fe211oee2a7b3902ab482a@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
I would be happy to maintain that package, but unfortunately Im not a TU
dont you think archlinux should have something similar to ppa from ubuntu so that it will be easier to maintain and promote personal repositories, aur is a good option but if I would have to choose between using a packages from aur or using a package from a personal repository from somebody I wouldnt think it twice, I would choose the personal repo one.
On Wed, Nov 18, 2009 at 10:54 PM, Daenyth Blank <daenyth+arch@gmail.com<daenyth%2Barch@gmail.com>> wrote:
On Wed, Nov 18, 2009 at 08:48, Hamo <hamo.by@gmail.com> wrote:
Dear Archlinux users, Chrome is likely to be a daily-use web browser and with the Chrome OS releasing,it will become more and more reliable.Archlinux is a rolling-release distribution and it aims at being bleeding edge.So we should have a maintained-by-TU chrome/chromium and it is really useful...
If you're interested, I recommend finding a sponsor so that you can apply...
There are lots of software projects that would be good to have, but it only makes sense to keep them in the repos if someone is interested in maintaining them.
------------------------------
_______________________________________________ arch-general mailing list arch-general@archlinux.org http://mailman.archlinux.org/mailman/listinfo/arch-general
End of arch-general Digest, Vol 61, Issue 39 ********************************************
-- Jelle
On Wed, Nov 18, 2009 at 09:36, jelle van der waa <jellevdwaa@gmail.com> wrote:
Re: We need a maintained-by-TU chrome/chromium... (Juan Diego)
There are enough arch user maintained repo's, you could ask them to package it beside that how much work is AUR ;)
Can you please reply to the specific thread instead of the digest? Also, please don't top post, especially quoting the entire digest...
participants (2)
-
Daenyth Blank
-
jelle van der waa