- [01:27:16]*atomicturtle (~sshinn@wsip-70-184-242-83.dc.dc.cox.net) has quit (Ping timeout: 480 seconds)
- [03:05:22]*{Glyph_Home} (~glyph@75.110.31.9) entered the channel
- [03:08:50]*{Glyph_Home} (~glyph@75.110.31.9) has left the channel ()
- [03:37:55]*atomicturtle (~sshinn@c-69-255-195-219.hsd1.va.comcast.net) entered the channel
- [06:22:37]*Chandan (~chandan@122.167.106.71) entered the channel
- [08:14:26]*mwiegand (~michael@aktaia.intevation.org) entered the channel
- [08:14:32] mwiegand: morning
- [08:22:33] Chandan: Good Morning Michael
- [08:24:29] mwiegand: morning Chandan
- [09:12:53]*felix (~Felix@aktaia.intevation.org) entered the channel
- [09:12:58] felix: morning
- [10:16:54] [machine]: michael: you seen my comments re solaris local checks
- [10:16:58] [machine]: ah, you did ;)
- [10:22:50] mwiegand: yes, I think the trouble is with acquiring/reusing the shared ssh socket
- [10:23:38] mwiegand: I just found it odd that in your case some ssh commands seemed to get through and some did not
- [10:24:15] mwiegand: I have to test that again, but from what I've seen here it was either nothing or all
- [10:24:41] mwiegand: did you test it again with the older ssh_func.inc?
- [10:31:41] mwiegand: [machine]: I'm updating openvas-server/packaging/debian/copyright, if you don't mind
- [10:32:12] [machine]: not had a chance
- [10:32:18] [machine]: np.
- [10:32:38] [machine]: i have some commits to make to packaging but not the copyright files
- [10:33:01] [machine]: i have beta2 built locally ;)
- [10:33:24] mwiegand: seems to be the only thing stopping openvas-server from entering Debian as far as I understand Joey
- [10:36:07] Joey: Correction: The only the latest reject reason states that I found.
- [10:38:51] mwiegand: okay
- [10:40:35] mwiegand: Joey: just committed the updated file to -trunk, do you think it is okay this way?
- [10:45:25] [machine]: looks fine to me
- [10:46:22] [machine]: there is a slight versioning problem atm though
- [10:46:45] [machine]: afaik, 2.0.0.betaX is > 2.0.0
- [10:47:37] [machine]: what i am proposing to do is merge the changelog entries in packaging/debian for betaX down to one for 2.0.0 when we release
- [10:48:04] [machine]: which should be fine as 2.0.0.betaX packages have never been made public
- [10:48:42] Joey: mwiegand: Yes, looks good.
- [10:53:28] mwiegand: [machine]: Yes, IMHO the betas are not intended for packaging, so merging does make sense to me
- [10:55:35] mwiegand: as I said before, I am willing to help with packaging and maintaining as well
- [10:56:13] mwiegand: so if you or spion are too busy elsewhere, let me know if there is anything that needs to be done
- [11:06:20] [machine]: mwiegand: packaging of all the core modules is up to date... i need to have a look at openvas-plugins next
- [11:06:38] [machine]: and then compendium
- [11:07:50] mwiegand: well, let me know if there is anything I can help with
- [11:08:21] [machine]: [machine] cries
- [11:08:34] [machine]: why are we attempting to mandate two space indentation
- [11:08:50] [machine]: any competent editor can render a tab however you wish it
- [11:09:01] [machine]: ;)
- [11:09:36] mwiegand: [machine]: I think our solaris problem is related to bug 788 reported by ckm
- [11:15:45] [machine]: it's certainly a good place to start
- [11:20:41] Joey: Is $Id$ expanded to anything useful in Subversion? I don't think so. And if not, it shouldn't be part of source files...
- [11:26:02] Joey: Did s/o build openvas-libraries on a recent Debian system and got .so files? (or didn't get them and know why?)
- [11:27:33] mwiegand: Joey: Regarding SVN, it does expand $Id$ if you tell it to (see http://svnbook.red-bean.com/en/1.5/svn.advanced.props.special.keywords.html)
- [11:28:25] Joey: Then we should tell it so...
- [11:28:32] Joey: (or remove such lines)
- [11:31:00] mwiegand: Joey: I think the property is enabled on some files at least, but I agree that that should be made consistent
- [11:41:00] [machine]: joey: to get .so files on unstable for 2.0.0.betaX, you need to run libtoolize --force -c
- [11:41:31] [machine]: the distributed libtool file creates libblah.2 etc
- [11:42:10] felix: [machine]: about tab/spaces: agreed. ;)
- [11:44:04] [machine]: [machine] had toyed with running the whole source base through a prettyfier, but can you imagine the commit logs
- [11:44:40] [machine]: one idea might be to prettyfier files as we make other changes
- [11:46:25] felix: [machine]: I was thinking about adding that to the changerequest, to have an astyle or prettifier script that allows clean _new_ files. But running it over the existing code interferes so much with svn blames.
- [11:47:41] [machine]: felix: if we did it only when we change the file in other ways it might not be too bad
- [11:48:48] felix: [machine]: but still bad? ;)
- [12:00:02] Joey: [machine]: Thanks. That requires aclocal to run, but in the end I seem to have .so files.
- [12:01:41] Joey: Also... ${misc:Depends} isn't substituted and thus causes a warning because it's unavailable
- [12:04:11] mwiegand: hmm. There is no real reason as to why -plugins has to be installed as root, is there?
- [12:04:37] mwiegand: I'm testing Stjepan's patch, seems to cause no adverse effects so far
- [12:06:43] [machine]: mwiegand: other than the obvious reason that, that's how unix does these things
- [12:07:01] [machine]: or "why would you not"
- [12:08:02] [machine]: that might change when the manager code is stabilised and we can essentially privilege separate
- [12:09:02] [machine]: (but i have a problem with the current approach which means i'll need to approach iana for another port number and given how slow they are...)
- [12:10:30] mwiegand: but why should -plugins require root to install while -server does not?
- [12:12:48] mwiegand: the only reason it needs to be root seems to be so it can chown root the plugins during install
- [12:13:30] [machine]: mwiegand: it doesn't *need* to be
- [12:14:20]*felix (~Felix@aktaia.intevation.org) has quit (Remote host closed the connection)
- [12:15:26] [machine]: mind you
- [12:16:14] [machine]: --installuser can be set to something other than root and is honoured for the plugins
- [12:16:33] [machine]: imo, it should be honoured for the other modules also
- [12:17:14] mwiegand: yes, but Stjepan's patch is proposing taking out the installuser option and not chowning the plugins
- [12:17:34] [machine]: the chown was temporary
- [12:17:49] [machine]: (i assume you mena in the update script)
- [12:17:55] [machine]: mean rather
- [12:18:08] mwiegand: no, I mean in the Makefile
- [12:18:35] mwiegand: under the install-* targets
- [12:18:43] [machine]: i don't see a chown in the makefile
- [12:19:18] mwiegand: it's implicit $(INSTALL) -o $(installuser) with $installuser defaulting to root
- [12:19:29] [machine]: yeh, that is correct imo
- [12:19:37] [machine]: the other modules should also do the same
- [12:19:44]*felix (~Felix@aktaia.intevation.org) entered the channel
- [12:20:06] [machine]: since the process runs as root, the install should default to making all files root owned
- [12:20:09] [machine]: for all modules
- [12:20:19] [machine]: unless explicitly asked not to
- [12:20:29] [machine]: otherwise you have a potential priv esc attack
- [12:21:55] [machine]: it's the same reason we changed the update script (which was originally installing plugins with an "arbitrary id" (based on the rsync server user) which may or may not be allocated, or may even be allocated to a normal user
- [12:22:58] Joey: Where is openvas-check-signature.1?
- [12:23:24] mwiegand: Joey: should be gone, does sth still refer to it?
- [12:23:27] [machine]: was removed
- [12:23:34] [machine]: joey: i have a fix for that
- [12:23:42] [machine]: it was removed between beta1 and beta2
- [12:23:50] [machine]: shall i commit my beta 2 changes
- [12:24:08] Joey: I see, then I'll remove it from packaging.
- [12:30:05] mwiegand: [machine]: I think I see your point, but what would be the attack scenario here?
- [12:31:54] [machine]: mwiegand: we have systems that we run nessus & openvas from where people have normal accounts but not necessarily root
- [12:32:24] [machine]: if the scripts get created as a non-root user, possible priv esc
- [12:32:48] [machine]: it's the same threat as why i changed the file functions in NASL
- [12:35:21] mwiegand: true
- [12:37:32] mwiegand: well, the configure in -server seems to take an --enable-install option as well, fwiw
- [12:37:53] mwiegand: it just doesn't do anything with it afaict
- [12:40:43] [machine]: anyway i need to go to the machine room for the rest of the day...
- [12:40:45] [machine]: [machine] nods
- [12:40:50] [machine]: imo, it *should*
- [12:45:40] Joey: Did you see this somewhere?
- [12:45:41] Joey: Starting OpenVAS daemon: preferences_new():open : No such file or directory
- [12:45:41] Joey: ERROR.
- [12:46:05] mwiegand: how did you get that?
- [12:46:53] Joey: I tried to start the openvas-server so I could connect to it with the client...
- [12:47:06] mwiegand: how did you build -server?
- [12:47:08] Joey: I guess that was a no...
- [12:47:19] mwiegand: did you use a prefix?
- [12:47:21] Joey: make -f debian/rules build from current svn source
- [12:48:05] Joey: that boils down to --prefix=/usr
- [12:49:54] Joey: Hmm, starting the server manually gives another line of output:
- [12:49:55] Joey: Error creating /usr/local/etc/openvas/openvasd.conf
- [12:50:48] Joey: Wait, maybe I forgot a make clean before.
- [12:52:22] mwiegand: hmm, where does the local come from?
- [12:53:07] Joey: I fear that that's the default, and that I forgot a clean target so that --prefix=/usr does not have effect.
- [12:53:43] [machine]: [machine] nods
- [12:55:02] Joey: At least the server starts now.
- [12:55:13] Joey: So, that's probably a layer 8 problem *sigh*
- [12:55:18] Joey: Sorry for the noise!
- [12:59:09] mwiegand: np :)
- [12:59:30] Joey: Another issue, even though it seems to be ignored
- [12:59:32] Joey: [24767] SSL_CTX_load_verify_locations: error:02001002:system library:fopen:No such file or directory
- [13:00:01] Joey: And the client reports in a message box "Errow while setting the trusted CA: cacert.pem\nSSL connections are likely to fail."
- [13:00:25] Joey: Not sure where that comes from and if I should worry.
- [13:02:18] Joey: Eeks, now it's not ignored anymore and I get "SSL error". Need to debug this as well...
- [13:12:05] Joey: Ok, that was another layer 8 problem.
- [13:12:19] Joey: However, OpenVAS client should have emitted a better error message...
- [13:13:57] Joey: trust level 2||3 && ! -f CA Cert file should probably result in a more useful message than the above, and not emit openssl output on stderr, imho.
- [13:39:42] felix: true. i shortly looked into it. too hairy for me to change rapidly.
- [14:48:56] mwiegand: mwiegand is looking at Stjepan's patch re plugin reorganisation and subdirs
- [15:00:40] mwiegand: I think this could be useful, but it might be a good idea if he would write a change request and outline his plans
- [15:00:53] mwiegand: What do you think?
- [15:03:34] felix: (voted+1) :)
- [15:04:04] felix: would be nice to have a small spec for that.
- [15:07:29] mwiegand: I think he has some good ideas, but it's quite a bit of work to derive them from a 30K patch
- [15:27:26] Joey: felix: Proposed patch: http://paste.debian.net/21856
- [15:35:12] Joey: felix: I'll send it to -devel with you on Bcc (because s/o needs to moderate my mails through). Enjoy
- [15:35:34] mwiegand: Joey: felix has gone home for today, but I'm sure he'll look at it tomorrow
- [15:36:37] Joey: Oops...
- [15:36:45] Joey: no problem
- [15:56:59]*Chandan (~chandan@122.167.106.71) has quit (Quit: Leaving)
- [16:19:21]*mwiegand (~michael@aktaia.intevation.org) has quit (Quit: leaving)
- [21:20:16]*mib_2c9r3r (58cf4e45@webchat.mibbit.com) entered the channel
- [21:22:18]*mib_2c9r3r (58cf4e45@webchat.mibbit.com) has quit ()
- [23:24:29]*spion (~bombadil@bofh.lx.se) has quit (Ping timeout: 480 seconds)
- [23:27:38]*spion (~bombadil@bofh.lx.se) entered the channel