cpb | 7 Feb 10:50

iputils installorder note

Hello, I just wanted to mention a small problem I had updating Owl in-place
from Owl-3.0-stable (around 2011-09-11 I think) to Owl-current. (using ROOT=/)

--- snip ---
error: Failed dependencies:
	libcrypto.so.5()(64bit) is needed by (installed) iputils-s20101006-owl1
21:15:31: Failed openssl openssl-devel openssl-perl mtree openssh openssh-clients openssh-server
d:openssh-blacklist elinks nmap ncat nping mutt openntpd readline readline-devel bc gnupg gdb lftp
21:15:31: Installing iputils traceroute (iputils-s20101006-owl1.x86_64.rpm traceroute-1.0.3-owl3.x86_64.rpm)
error: Failed dependencies:
	libcrypto.so.10()(64bit) is needed by iputils-s20101006-owl1
21:15:31: Failed iputils traceroute
--- snip ---

It seems my Owl-stable from that time had an iputils that needed the old
libcrypto.so.5, so it blocked the new one (so.10) from coming in. When I
removed iputils manually, I could run the "rpm -Uvh --force openssl..." step
OK. (I don't truly understand RPM feature dependencies...)

I believe that if the iputils package were part of the big "openssl..." step,
there would not have been any problem. The following post from last year
mentioned both the (new) dependency of iputils on libcrypto, and a consequent
change to the buildorder (iputils AFTER openssl):

http://www.openwall.com/lists/owl-dev/2011/04/06/2

That change allowed upgrade from no-crypto-deps to with-crypto-deps, but it did
not allow upgrade from with-old-crypto-deps to with-new-crypto-deps (again, if
I understand correctly).


Henri Salo | 18 Jan 17:14

Re: getting involved in Owl (was: linux-distros list setup update)

On Fri, Jan 06, 2012 at 12:33:17AM +0400, Solar Designer wrote:
> There is Owl/doc/TODO in our CVS tree.  It has some high-level tasks;
> a few of these have already been completed (need to update this file).
> 
> Do you currently have Owl installed somewhere?  Do you have any
> "complaints" about it - things you didn't like or felt needed
> improvement?  If so, we could look for overlap of these with our
> actually planned tasks.

I do have Owl installed in a testing network at home, which I use to investigate malware and random new
products/software. That Owl works as an SSH gateway and the network is pretty closed up. No connections to
the Internet. The other Owl installation is an OpenVZ instance in durian.nerv.fi running ircd for the Finnish
IRC network called Nerv (feel free to Nmap it if you like).

UTF-8 did definitely need improvements. It should be on by default, or at least there should be a pretty good
guide on how to use it in various software. I have no idea how I could help you with that as I still am not very
good with pkgsrc, but I could help to get apt to Owl. The TODO list says: "Support a package repository, possibly
with Zypper, yum, or apt (package one of these - and its prerequisites)." Does this mean that apt should be in
the default installation or an optional installation from some other resource, and if the latter, from where?

I am not a Debian Developer, but I have used Debian for over eight years now, so I think that should be my number
one focus now in Owl if that is still what Owl needs. Deb packages could be installed to some location
outside of the normal PATH using the same ideology as with pkgsrc.

- Henri Salo

GalaxyMaster | 26 Nov 17:37

Owl 3-stable OpenVZ config issue

Hi,

I've recently installed Owl 3-stable and found that it's kind of
unconfigured with regard to OpenVZ:
===
root <at> server:/vz/template/cache # vzctl create 101 --ostemplate owl-3_0-stable-20111026-x86_64
--ipadd '123.123.123.123 192.168.123.123' --hostname test-ve
Creating container private area (owl-3_0-stable-20111026-x86_64)
vzquota : (error) Quota getstat syscall for id 101: Inappropriate ioctl for device
vzquota init failed [3]
vzquota : (error) Can't open quota file for id 101, maybe you need to reinitialize quota: No such file or directory
vzquota : (error) Quota getstat syscall for id 101: Inappropriate ioctl for device
vzquota init failed [3]
vzquota on failed [61]
vzquota : (error) Can't open quota file for id 101, maybe you need to reinitialize quota: No such file or directory
vzquota off failed [11]
vzquota : (error) Can't open quota file for id 101, maybe you need to reinitialize quota: No such file or directory
vzquota setlimit failed [11]
Can't mount: /vz/root/101 /vz/private/101: No such device
Kernel lacks simfs support. Please compile it in, or load simfs module.: No such device
Container private area was created
===

modprobe simfs adds the missing simfs filesystem, modprobe vzdquota adds
missing quota support to the running kernel, but I kind of expected this to
work automatically (I think the openvz service should have taken care of
loading the necessary modules, shouldn't it?).

-- 
(GM)

Malykh Oleg | 12 Nov 04:54

VMWare tools

Dear colleagues,


Can you say what the best way is to implement VMware tools in Owl-current? I'm trying to implement this software but have not achieved a result.


Best regards,

Oleg Malykh
IT Support Department

JSC "Martin Bauer Management"
Phone +7 495 7059376
Fax     +7 495 7059373
gsm    +7 916 1139938
o.malykh <at> krls.ru

GalaxyMaster | 10 Nov 17:49

Owl 3-stable 20111026 on Amazon EC2

Hello,

This is an announcement of my preliminary work of an EBS backed AMI of
Owl 3-stable (from 2011-10-26).  I've made a public image (ami-f4fd87a6)
of Owl 3-stable i686 available at Amazon EC2 Asia Pacific (Singapore).

The image is a slightly modified default install of Owl 3-stable (I've
added DHCP client to get a dynamic IP address assigned to the instance
when it's started + created a script to retrieve and install an
associated SSH public key to the root account on the first boot).

No other modifications were performed to the system, so it's almost a
vanilla 'make installworld'.

It should be noted that since Owl 3-stable is still using old glibc and
gcc (in comparison to Owl-current) there is no easy way to build the
provided kernel with Xen support.  Hence, for the time being, the image
is using one of Amazon Linux kernels.

I believe it's possible to simply upgrade an instance created from the
announced AMI to Owl-current, then build a kernel with Xen support.  The
image supports custom kernel images (simply edit /boot/grub/menu.lst to
add another kernel image -- and to play safe set a fallback to the
currently used kernel image).

I'd appreciate any feedback re: Owl on EC2.  My plans include creating
the x86_64 image of Owl 3-stable as well as maintaining Owl-current
images.  If there is any interest in these AMIs I'll notify this list re:
the progress.

-- 
(GM)

Henri Salo | 9 Nov 23:59

Failed to build packages from pkgsrc

I sure do understand why somebody uses a system like pkgsrc, but I have no idea why someone would still use
CVS. Also, source-based package "control" is kind of hard to maintain when you have lots of servers to
handle. Could we add support for .deb packages?

I have been following these guides since I usually don't install any packages to my Owl-systems:

http://openwall.info/wiki/Owl/packages
http://openwall.info/wiki/Owl/pkgsrc

A few open questions:

1) Why on earth does Owl still list "Fedora Core 3 and 4"?
2) Where to report problems from pkgsrc?

I was building wget to get an environment working for my girlfriend (yes, not a joke). I received this error
message while building wget:

"""
Making all in src
<snip>
echo '/* version.c */' > version.c
echo '/* Autogenerated by Makefile - DO NOT EDIT */' >> version.c
echo '' >> version.c
echo 'const char *version_string = "1.13.4";' >> version.c
echo 'const char *compilation_string = "'gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=\"//etc/wgetrc\"
-DLOCALEDIR=\"//share/locale\" -I.  -I../lib -I../lib  -I//include -I/usr/include  -Wno-error
-I//include -I/usr/include'";'  | sed -e 's/[\\"]/\\&/g' -e 's/\\"/"/' -e 's/\\";$/";/' >> version.c
echo 'const char *link_string = "'gcc  -Wno-error -I//include -I/usr/include   -L//lib -Wl,-R//lib
-L/usr/lib -Wl,-R/usr/lib /usr/lib/libssl.so /usr/lib/libcrypto.so /usr/lib/libz.so -ldl -lz 
-lidn -lrt ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a'";'  | sed -e 's/[\\"]/\\&/g' -e
's/\\"/"/' -e 's/\\";$/";/' >> version.c
gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=\"//etc/wgetrc\" -DLOCALEDIR=\"//share/locale\" -I. 
-I../lib -I../lib  -I//include -I/usr/include  -Wno-error -I//include -I/usr/include -MT version.o
-MD -MP -MF .deps/version.Tpo -c -o version.o version.c
mv -f .deps/version.Tpo .deps/version.Po
gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=\"//etc/wgetrc\" -DLOCALEDIR=\"//share/locale\" -I. 
-I../lib -I../lib  -I//include -I/usr/include  -Wno-error -I//include -I/usr/include -MT ftp-opie.o
-MD -MP -MF .deps/ftp-opie.Tpo -c -o ftp-opie.o ftp-opie.c
mv -f .deps/ftp-opie.Tpo .deps/ftp-opie.Po
gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=\"//etc/wgetrc\" -DLOCALEDIR=\"//share/locale\" -I. 
-I../lib -I../lib  -I//include -I/usr/include  -Wno-error -I//include -I/usr/include -MT openssl.o
-MD -MP -MF .deps/openssl.Tpo -c -o openssl.o openssl.c
openssl.c: In function `ssl_init':
openssl.c:204: warning: passing arg 1 of `SSL_CTX_new' discards qualifiers from pointer target type
openssl.c: In function `ssl_check_certificate':
openssl.c:585: warning: initialization makes pointer from integer without a cast
mv -f .deps/openssl.Tpo .deps/openssl.Po
gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=\"//etc/wgetrc\" -DLOCALEDIR=\"//share/locale\" -I. 
-I../lib -I../lib  -I//include -I/usr/include  -Wno-error -I//include -I/usr/include -MT
http-ntlm.o -MD -MP -MF .deps/http-ntlm.Tpo -c -o http-ntlm.o http-ntlm.c
mv -f .deps/http-ntlm.Tpo .deps/http-ntlm.Po
gcc  -Wno-error -I//include -I/usr/include  -L//lib -Wl,-R//lib -L/usr/lib -Wl,-R/usr/lib -o wget
cmpt.o connect.o convert.o  cookies.o ftp.o css_.o  css-url.o ftp-basic.o ftp-ls.o  hash.o host.o
html-parse.o  html-url.o http.o init.o log.o  main.o netrc.o progress.o  ptimer.o recur.o res.o retr.o 
spider.o url.o utils.o exits.o  build_info.o iri.o version.o ftp-opie.o openssl.o http-ntlm.o
../lib/libgnu.a /usr/lib/libssl.so /usr/lib/libcrypto.so /usr/lib/libz.so -ldl -lz  -lidn -lrt
openssl.o: In function `ssl_check_certificate':
openssl.c:(.text+0xc78): undefined reference to `a2i_IPADDRESS'
collect2: ld returned 1 exit status
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/net/wget/work/wget-1.13.4/src
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/net/wget/work/wget-1.13.4/src
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/net/wget/work/wget-1.13.4
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/net/wget/work/wget-1.13.4
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/net/wget
*** Error code 1

Stop.
bmake: stopped in /usr/pkgsrc/net/wget
"""

Do you have any information on whether this is a mistake made by me or in pkgsrc?

I also received errors while installing other packages. I basically have the default configuration files.
Where could the error be? If pkgsrc shouldn't be used, please tell me which solution I should choose. For
example, another error with python27:

"""
Writing /lib/python2.7/lib-dynload/Python-2.7.2-py2.7.egg-info
=> Automatic manual page handling
pkg_create: can't stat `/usr/pkgsrc/lang/python27/work/.destdir//bin/2to3-2.7'
pkg_create: can't stat `/usr/pkgsrc/lang/python27/work/.destdir//bin/pydoc2.7'
pkg_create: can't stat `/usr/pkgsrc/lang/python27/work/.destdir//bin/smtpd2.7.py'
"""

At least I got irssi built. I can provide more information if you can tell me what I need to provide :) I am
using the OpenVZ images.

Best regards,
Henri Salo

Solar Designer | 26 Oct 13:03

Owl-current moved to GCC 4.6.1

Hi,

So we did it.  Today's Owl-current snapshot includes and has been built
with GCC 4.6.1 (C and C++ compilers) instead of the much older 3.4.5,
which we've been using before.  The system is fully capable of
rebuilding itself with this new version of GCC.  New installs and
upgrades from Owl 3.0 and 3.0-stable (if you like) appear to work fine -
but a lot more testing is desired.

New ISOs are linked right from the Owl homepage, as usual:

http://www.openwall.com/Owl/

Please note that unlike those of 3.0-stable and unlike older Owl-current
ISOs, these new ones require DVD media now (the .iso.gz files for
Owl-current uncompress to approximately 800 MB now).  Owl is not exactly
this large, though.  Rather, our ISOs effectively include three copies
of the system: live (almost full install), packages, and sources.

The corresponding OpenVZ container templates, RPMs, and sources are
found on our FTP mirrors (not all mirrors have been updated yet,
though, but they should be within 24 hours).  (RPMs and sources, but not
OpenVZ container templates, are also found inside the ISOs.)

Besides the GCC update, today's Owl-current includes all of the updates
recently announced for Owl 3.0-stable:

http://www.openwall.com/lists/announce/2011/10/26/1

It also includes GMP, MPC, and MPFR - arbitrary precision arithmetic
libraries, which are required by the new GCC version.

One unrelated change is the introduction of VLAN support into networking
startup scripts, due to a patch by Piotr Meyer (thanks!).

These changes are documented in the usual place:

http://www.openwall.com/Owl/CHANGES-current.shtml

The GCC update has mostly been worked on by Vasiliy Kulikov, with some
preparations by Georgi Geshev and final cleanups and testing by me.
It is a major development milestone towards Owl 4.0.  One of the next
steps enabled by this update is a glibc update.  Stay tuned!

Alexander

Solar Designer | 26 Oct 11:35

Owl 3.0-stable update

Hi,

We've released an update of Owl 3.0-stable today - including ISOs,
OpenVZ container templates, binary packages for i686 and x86-64, and
indeed the sources:

http://www.openwall.com/Owl/

It includes relevant changes recently tested in Owl-current: rebase of
the kernel on OpenVZ/RHEL 5.7, RPM security fix, and timezone data
update (critical for Russia and certain other countries, and now updated
for the latest reconsideration by Ukraine).  Please refer to my previous
announcement (pertaining to Owl-current) for "release notes" on these
changes:

http://www.openwall.com/lists/announce/2011/10/11/1

Additionally, we've included security fixes for two vulnerabilities in
pam_env that were made public on Monday (CVE-2011-3148, CVE-2011-3149).
This PAM module is not in use on default installs of Owl, and it never
was, hence there was no impact for default installs.

Finally, we've added the hardlink(1) program - a tool to consolidate
duplicate files via hardlinks.  This has resulted in discovery of
security issues in the program, which we've fixed at inclusion time.
We've notified other distro vendors via the public oss-security
mailing list, and CVE IDs have been assigned.  Since Owl had these
issues addressed right away, please do not expect us to release any fix
for them - we sort of already did.

The changes mentioned above are also documented in the usual place:

http://www.openwall.com/Owl/CHANGES-3.0-stable.shtml

Alexander

P.S. Meanwhile, Owl-current has successfully moved to GCC 4.6.1.  More
on this in a separate announcement.

Solar Designer | 26 Oct 07:13

new Owl 3.0-stable snapshot being released

Hi,

I am releasing a new snapshot of Owl 3.0-stable (ISOs, etc.)  It is
already linked from the website.  I am going to announce it properly a
bit later.  If anyone wants to help test it, please do - and report back.
Of course, no new issues are expected since this is "stable" - only
including changes that were previously tested in -current plus a minor
tzdata update that is crucial for Ukraine.  Yet more testing won't hurt.

http://www.openwall.com/Owl/

Thanks,

Alexander

Solar Designer | 11 Oct 04:22

Openwall t-shirts; Owl-current 2011/10/10 snapshot

Hi,

This is to announce two things at once.  I'll start with the less usual
and shorter announcement:

1. Official Openwall t-shirts are now available from 0-day Clothing:

http://www.zerodayclothing.com/products/openwall.php

Please consider purchasing one of these if you'd like to express your
support for Openwall.  While you're at it, you might also want to check
out other 0-day Clothing designs:

http://www.zerodayclothing.com

2. A new snapshot of Owl-current (Openwall GNU/*/Linux development
branch) is available, including a complete set of components: ISO
images, OpenVZ container templates, binary packages for i686 and x86_64,
and indeed the source code:

http://www.openwall.com/Owl/

Significant changes since the previous set of ISOs and templates (those
of Owl 3.0-stable this time, generated a month ago) include update of
the Linux/OpenVZ kernel to one based on RHEL 5.7's, introduction of
tzdata package with up-to-date timezone data, and a security fix to
Owl's package of RPM (CVE-2011-3378):

http://www.openwall.com/Owl/CHANGES-current.shtml

Obviously, these changes are also meant for inclusion in Owl 3.0-stable
after testing in Owl-current.

With this kernel package update, we're compiling two additional disk
controller drivers into the kernel image (for Adaptec AIC94xx SAS/SATA
and Compaq Smart Array 5xxx controllers).  Because of this and because
RHEL 5.7 kernels are slightly larger than older kernels on their own,
we're moving some other components from the kernel image to modules in
order to keep the kernel image from growing.  This includes some OpenVZ
features, which are normally compiled as modules in OpenVZ's official
kernel builds (so our builds are more similar to theirs in this respect
now).  For this reason, the new kernel packages should be installed at
the same time as our vzctl package update, which has the
MODULES_DISABLED setting in /etc/vz.conf commented out (just like it's
done in upstream's vzctl).  As a side-effect of this change, an Owl
system with at least one OpenVZ container now has more components of
OpenVZ loaded than it would before.  Specifically, "service vz start"
loads optional OpenVZ components and ip_conntrack, which did not happen
before (since these were not built into the kernel image and vzctl's
module loading was disabled).  Here's what the loaded module list looks
like after "service vz start" (with at least one OpenVZ container):

Module                  Size  Used by
vzethdev               14752  0 
simfs                   9752  1 
exportfs                9088  1 simfs
vzrst                 152592  0 
ip_nat                 19600  1 vzrst
vzcpt                 115640  0 
nfs                   253912  2 vzrst,vzcpt
lockd                  69552  2 vzrst,nfs
nfs_acl                 7296  1 nfs
sunrpc                156352  6 vzrst,nfs,lockd,nfs_acl
ip_conntrack           56596  3 vzrst,ip_nat,vzcpt
vzdquota               44792  1 [permanent]
vznetdev               27448  2 
vzmon                  38936  4 vzrst,vzcpt,vznetdev
vzdev                   7304  4 vzethdev,vzdquota,vznetdev,vzmon

In a later revision of vzctl, we might deal with this by making
MODULES_DISABLED tri-state.  Opinions on this are welcome.

The timezone data update is critical for Russia, Ukraine, and Belarus,
which have abolished the switch to "winter time" starting this year.
This switch would take effect on the night from October 29 to October 30,
so the timezone data update must be installed before then.  It may be
installed with the following commands and actions:

rpm -Fvh glibc-*.rpm # Update glibc package thereby removing old timezone data
rpm -Uvh tzdata-*.rpm # Install the tzdata package providing new timezone data
setup # Choose your timezone again in order to have /etc/localtime updated

The two "rpm" commands may be combined into one:

rpm -Uvh glibc-*.rpm tzdata-*.rpm

assuming that you had all sub-packages of glibc installed anyway.

The RPM package manager issue was a crash and potential arbitrary code
execution when processing a malformed/malicious package file.  Although
an RPM package can, by design, execute arbitrary code when installed or
even during installation, this issue would potentially allow a
specially-crafted RPM package to execute arbitrary code when the package
metadata is merely queried, including for digital signature
verification.  Note that for Owl RPM packages we do not rely on RPM's
support for signatures; instead, we sign *.mtree files.  Please continue
to verify detached GnuPG signatures that we provide for such files with
gpg(1), and then verify RPM package files against the message digests
found in *.mtree files with mtree(8) (both of these tools are part of
Owl).  This kind of verification was unaffected by this RPM issue.

Please note that use of RPM on untrusted package files, even if just to
verify a signature, remains risky despite this recent fix: RPM
package format and processing are complicated, so further issues of this
kind are likely.

The RPM issue was discovered and reported to distribution vendors by
Tavis Ormandy:

http://www.openwall.com/lists/oss-security/2011/09/27/3

Besides the changes in Owl-current mentioned above, certain minor and
development-focused changes have been made as well, such as in
preparation for GCC update to 4.6.x (making many packages ready to build
with this new version of GCC).  These are primarily due to work by
Vasiliy Kulikov.

As usual, any feedback is welcome on owl-users.

Alexander
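The verification procedure described in the announcement above (gpg(1) on the detached signature of the *.mtree file, then mtree(8) against the package files), as an added example that is not Owl's own code: a Python stand-in for the mtree step that parses the spec and checks each RPM's digest before any package file is handed to rpm. The spec and files below are constructed, only the full-path spec form is handled, and gpg is assumed to have already verified the manifest.

```python
# Added example, not Owl's own tooling: a Python stand-in for the mtree(8) step
# of Owl's package verification, to be run after gpg(1) has verified the
# detached signature on the *.mtree file.  Assumes the full-path spec form
# (./path keyword=value ...) with md5digest/sha1digest/sha256digest keywords;
# '/set' defaults and '#' comments are honoured, other keywords are ignored.
import hashlib
import os
import tempfile

DIGESTS = {"md5digest": "md5", "sha1digest": "sha1", "sha256digest": "sha256"}


def parse_mtree(text):
    """Return {relative path: {keyword: value}} for every entry in the spec."""
    defaults, entries = {}, {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        name = fields[0]
        pairs = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        if name == "/set":                    # defaults for the following entries
            defaults.update(pairs)
            continue
        path = name[2:] if name.startswith("./") else name
        if path != ".":
            entries[path] = {**defaults, **pairs}
    return entries


def check_file(full, attrs):
    """Return None if the file matches its spec entry, else a reason string."""
    if not os.path.isfile(full):
        return "missing"
    wanted = [(kw, algo) for kw, algo in DIGESTS.items() if kw in attrs]
    if not wanted:                            # a file the manifest does not cover never passes
        return "no digest in spec"
    with open(full, "rb") as fh:
        data = fh.read()
    for kw, algo in wanted:
        if hashlib.new(algo, data).hexdigest() != attrs[kw].lower():
            return f"{kw} mismatch"


def verify_tree(spec_text, root):
    """Return (ok, ["path: reason", ...]) over every file entry of the spec."""
    problems = []
    for path, attrs in parse_mtree(spec_text).items():
        if attrs.get("type", "file") == "file":
            reason = check_file(os.path.join(root, path), attrs)
            if reason:
                problems.append(f"{path}: {reason}")
    return not problems, problems


def demo():
    """Constructed tree: one intact file, one tampered file, one missing file."""
    root = tempfile.mkdtemp()
    good, original = b"fake rpm payload\n", b"original\n"
    for fname, data in (("good.rpm", good), ("bad.rpm", b"tampered\n")):
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(data)
    spec = "\n".join([
        "# constructed spec, not a real Owl *.mtree file", "/set type=file",
        f"./good.rpm sha256digest={hashlib.sha256(good).hexdigest()}",
        f"./bad.rpm sha256digest={hashlib.sha256(original).hexdigest()}",
        "./gone.rpm sha256digest=" + "0" * 64])
    return verify_tree(spec, root)
```

Only files that pass verify_tree() should reach rpm; a "missing" or "mismatch" result means the download is incomplete or altered and must not be queried or installed.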

F. W | 6 Oct 10:15

Any plans for dhcp client support?

Hello List,

Are there any plans to include dhcp client support by default?

Best regards,
Flavio Waechter

