public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in app-accessibility/yasr: ChangeLog yasr-0.6.9.ebuild
From: Christian Faulhammer @ 2008-02-03 21:00 UTC
  To: gentoo-dev, williamh

Hi.

"William Hubbs (williamh)" <williamh@gentoo.org>:

> williamh    08/02/03 20:36:09
> 
>   Modified:             ChangeLog
>   Added:                yasr-0.6.9.ebuild
>   Log:
>   Version bump.
>   (Portage version: 2.1.4.1)

[...]

> src_compile() {
> 	econf --datadir='/etc' || die "econf failed"
> 	emake || die "emake failed"
> }

 Are you sure that /etc as datadir is a good choice or does yasr
itself abuse it?
 
> src_install() {
> 	make DESTDIR="${D}" install || die

 If emake is not possible, add a comment.

V-Li

-- 
Christian Faulhammer, Gentoo Lisp project
<URL:http://www.gentoo.org/proj/en/lisp/>, #gentoo-lisp on FreeNode

<URL:http://www.faulhammer.org/>


* [gentoo-dev] Not encrypted password in memory
From: Mateusz Mierzwinski @ 2008-02-03 22:20 UTC
  To: gentoo-dev

Hi!

After making memory dump and editing file in k hex editor I've found 
unencrypted password to my linux. I think that's not good because anyone 
can read it with some php script with system() execution.
Password is fully readable.

Mateusz M.

* Re: [gentoo-dev] Not encrypted password in memory
From: Robin H. Johnson @ 2008-02-03 22:55 UTC
  To: gentoo-dev

On Sun, Feb 03, 2008 at 11:20:00PM +0100, Mateusz Mierzwinski wrote:
> After making memory dump and editing file in k hex editor I've found 
> unencrypted password to my linux. I think that's not good because anyone 
> can read it with some php script with system() execution.
> Password is fully readable.
You'll need to be a little more explanatory than that. What process did
the memory space in question belong to? Was it your system password,
your gpg password or what? How were you dumping memory?

Unless you are running a web-facing PHP as root, a script running
system() would only be able to get to it via root exploit or if the
password was in a memory space accessible to the same process.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85


* [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in app-accessibility/yasr: ChangeLog yasr-0.6.9.ebuild
From: William Hubbs @ 2008-02-03 23:24 UTC
  To: gentoo-dev

On Sun, Feb 03, 2008 at 10:00:19PM +0100, Christian Faulhammer wrote:
> > src_compile() {
> > 	econf --datadir='/etc' || die "econf failed"
> > 	emake || die "emake failed"
> > }
> 
>  Are you sure that /etc as datadir is a good choice or does yasr
> itself abuse it?

If I remove this, yasr's default configuration goes in
/usr/share/yasr/yasr.conf instead of /etc/yasr/yasr.conf, so it looks
like yasr isn't using the datadir correctly.  I don't know what the
patch should be to fix this.

> > src_install() {
> > 	make DESTDIR="${D}" install || die
 
 I have changed this to emake.

>  If emake is not possible, add a comment.
> 
> V-Li
> 
> -- 
> Christian Faulhammer, Gentoo Lisp project
> <URL:http://www.gentoo.org/proj/en/lisp/>, #gentoo-lisp on FreeNode
> 
> <URL:http://www.faulhammer.org/>



-- 
William Hubbs
gentoo accessibility team lead
williamh@gentoo.org

* Re: [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in app-accessibility/yasr: ChangeLog yasr-0.6.9.ebuild
From: Nirbheek Chauhan @ 2008-02-04  4:17 UTC
  To: gentoo-dev

On Feb 4, 2008 4:54 AM, William Hubbs <williamh@gentoo.org> wrote:
> On Sun, Feb 03, 2008 at 10:00:19PM +0100, Christian Faulhammer wrote:
> > > src_compile() {
> > >     econf --datadir='/etc' || die "econf failed"
> > >     emake || die "emake failed"
> > > }
> >
> >  Are you sure that /etc as datadir is a good choice or does yasr
> > itself abuse it?
>
> If I remove this, yasr's default configuration goes in
> /usr/share/yasr/yasr.conf instead of /etc/yasr/yasr.conf, so it looks
> like yasr isn't using the datadir correctly.  I don't know what the
> patch should be to fix this.


The attached patch fixes the problem for me.

-- 
~Nirbheek Chauhan

[-- Attachment #2: fix-confdir.patch --]
[-- Type: application/octet-stream, Size: 335 bytes --]

diff -Naur yasr-0.6.9.orig/Makefile.am yasr-0.6.9/Makefile.am
--- yasr-0.6.9.orig/Makefile.am	2008-02-02 18:14:05.000000000 +0530
+++ yasr-0.6.9/Makefile.am	2008-02-04 09:45:54.348748777 +0530
@@ -10,7 +10,8 @@
 m4 \
 	po
 
-pkgdata_DATA = \
+configdir = $(sysconfdir)/yasr
+config_DATA = \
 	yasr.conf
 
 EXTRA_DIST = config.rpath  \
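
Review bot: the new `configdir = $(sysconfdir)/yasr` and `config_DATA` lines change only where `yasr.conf` is installed; nothing in this hunk changes the path the yasr binary reads its configuration from, so if that path is still derived from the package data directory the program will look in the old location once `--datadir='/etc'` is dropped from the ebuild. Please confirm that the lookup path in the sources follows `$(sysconfdir)` as well. Also, because the edit is to Makefile.am rather than the generated Makefile.in, the ebuild has to regenerate the build files (eautoreconf) before econf for the change to take effect.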
