Date: Thu, 28 Apr 2016 07:12:15 +0200
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
To: Good Guy <good1.2guy@gmail.com>
Subject: Re: [Re: [CinCV TNG] Building in Gentoo
Message-ID: <20160428051215.GA1358@g0n>
References: <20160427172235.GB32227@g0n>
 <CAC2VF9_OHJQ7ZaX6YLHahFs4LHrzpcLQQXh5waiQ5bfw0DdF-A@mail.gmail.com>
 <20160427215421.GE32227@g0n>
 <CAC2VF99memBxsTQ9Ei5b+=kiqpvPFsNjv8g00Ob15VGt3Y+-Nw@mail.gmail.com>
 <20160428024302.GA637@g0n>
 <CAC2VF9_ckUQmCh3s+gyOqZFpHReOjR=O_1OaUfT7ko7_FKqT5Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="ReaqsoxgOBHFXBhH"
Content-Disposition: inline
In-Reply-To: <CAC2VF9_ckUQmCh3s+gyOqZFpHReOjR=O_1OaUfT7ko7_FKqT5Q@mail.gmail.com>
User-Agent: Mutt/1.5.23+116 (55ea6e829b46) (2014-03-12)


On 160427-22:09-0600, Good Guy wrote:
> I would try to get the application to run as root, with
> root owner/group file permissions.  The goal is to see
> if it can run, not if it can fail.  Once it has been established
> that it can operate, then try to see what causes it to fail.
> It looks to me like most of the problems have to do with
> the gentoo implementation, security features, or operational
> errors, not cinelerra application code.  The goal of security
> is to keep the bad guys out, not prevent normal user operation.
>

C'mon, while I'm really not an expert, I am still an advanced user.
I did give it a try, right now, and what I saw is just what I had
expected: No, it can't run as root either.

It can't run as root either. And it flunked just like it flunked as a
normal user, because in a grsecurity-hardened kernel-based system, root
is not the boss like root used to be the boss in pre-Linux-capabilities
systems.

So you did not install grsecurity-hardened?

You too sure can go the Torvalds and the RMS's way, or even Poettering's
way, they're all great programmers (which I am not), but they have
betrayed FOSS...

Again, nothing you can do to make Cinelerra work for people like me, who
know what grsecurity is, because they saw it in action:

A case of actual protection of my Gentoo box by Grsecurity
https://forums.gentoo.org/viewtopic-t-967806.html

(long after, if you even get to see this, if they haven't removed
it, as they have started removing some text from my posts (all of my
posts have always had titles along with links, like in this
email/web-page-to-be):

System attacked, Konqueror went on window-popping spree!
https://forums.gentoo.org/viewtopic-t-905472.html
)

which links to:
grsec: halting the system due to suspicious kernel crash
https://forums.grsecurity.net/viewtopic.php?f=3&t=3709&sid=60bf798f0831a707c94fd20467647e01

where spender himself confirms it was a case of a use-after-free bug:

Re: grsec: halting the system due to suspicious kernel crash
https://forums.grsecurity.net/viewtopic.php?f=3&t=3709&sid=60bf798f0831a707c94fd20467647e01#p13407

I will send you the logs of how it failed, just like I sent the logs when
it failed to run as user, but please, again:

So you did not install grsecurity-hardened?

If you haven't, your Cinelerra very probably can't work for me, just
like the GNU debugger that I sent you a link to, which doesn't want to
work with PaX (which is part of grsecurity, kind of; grsecurity is a twin
program, grsecurity and PaX, but we call it grsecurity for short)...

I will send you the logs of how it failed, but after Mass. I go to Mass
and pray for people, for Gentoo, for you, for all the liberals and all
the Trump-ed people and all the others of the U.S. I will pray this
morning.
>
>
> On Wed, Apr 27, 2016 at 8:43 PM, Miroslav Rovis <
> miro.rovis@croatiafidelis.hr> wrote:
>
> > Just a little sleeplessness here.
> >
> > On 160427-17:15-0600, Good Guy wrote:
> > > Sorry, my name is root, I have been root for decades, I like it when
> > > the operations are allowed to succeed, and not deliberately failed.
> > > The entire purpose of many "insecurity" features are to invoke nothing
> > > but failure.  I disagree.
> > >
> > > The security policy I like is to stop the bad guys at the door.  If you
> > > have bad guys roaming around your house, it is already too late.
> > I'm glad if you can do it. I'm not such expert by any means.
> >
> > > I want any operation which authenticates or verifies to be correct, and
> > > in this day and age of crystallographic protocols and validation it is
> > > completely possible to do a good job.  These hacks are a sign of failure
> > > to detect and stop bad guys before they do damage.
> > I'm not sure I understand what you are referring to here.
> >
> > Do you mean you did not install grsec-hardened?
> > >
> > > Frequently, the worst bad guys used to be good guys (pun).  The real
> > > problem is to make sure the development environment is desirable
> > > and secure, so that the effort is cohesive.
> > >
> > > Anyway... I have completed the backup, installed the stage3 system,
> > > and have 80% of the world built.
> > Glad to hear that.
> > > Still have kernel and tweaks to do, but should have a system soon.
> > > Gentoo is a "difficult" system to have to install from scratch.
> > > Seems unnecessarily abstruse.
> > First impressions only.
> >
> > But did you read what I wrote to you below?
> >
> > (And I'll fix a typo or two now, and added a little note more closer to
> > the bottom, but not all the way down to it.)
> > >
> > >
> > >
> > > On Wed, Apr 27, 2016 at 3:54 PM, Miroslav Rovis <
> > > miro.rovis@croatiafidelis.hr> wrote:
> > >
> > > > So more progress there has been.
> > > >
> > > > On 160427-13:05-0600, Good Guy wrote:
> > > > > cd cinelerra5/cinelerra-5.1
> > > > > echo "EXTRA_LIBS += -lva" >> global_config
> > > > > echo "EXTRA_LIBS += -Wl,-z,noexecstack" >> global_config
> > > > > sed -e '1,1c#!/usr/bin/python2.7' -i guicast/bccmdl.py
> > > > > sed -e '/^bcxfer.C:/,+1s/python/python2.7/' -i guicast/Makefile
> > > > > ./configure shared
> > > > > make >& log
> > > > >
> > > >
> > > > I'm also writing this for general *nix users when this is hopefully
> > > > posted as you gave me permission to. I'll give the complete output from
> > > > the terminal. Note that there are two issuings of /opt/cin/cinelerra;
> > > > the first will be seen, later, in the log that I will also give, as "denied
> > > > execution of /opt/cin/cinelerra" and the second as "exec of
> > > > /opt/cin/cinelerra".
> > > >
> > > > miro@gcn ~ $ /opt/cin/cinelerra
> > > > bash: /opt/cin/cinelerra: Permission denied
> > > > miro@gcn ~ $
> > > > miro@gcn ~ $ /opt/cin/cinelerra
> > > > sh: pactl: command not found
> > > >
> > > > Cinelerra 5.1 git://git.cinelerra-cv.org/goodguy/cinelerra.git
> > (c)2015:
> > > > Adam Williams
> > > >
> > > > Cinelerra is free software, covered by the GNU General Public License,
> > > >
> > > > and you are welcome to change it and/or distribute copies of it under
> > > >
> > > > certain conditions. There is absolutely no warranty for Cinelerra.
> > > >
> > > >
> > > > MESA-LOADER: could not create udev device for fd 5 MESA-LOADER: could
> > > > not create udev device for fd 6 MESA-LOADER: could not create udev
> > > > device for fd 6 init plugin index: /opt/cin/plugins int
> > > > PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/blending/chromakeyhsv.plugin =
> > > > /opt/cin/plugins/blending/chromakeyhsv.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_blond.plugin =
> > > > /opt/cin/plugins/themes/theme_blond.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_blond_cv.plugin =
> > > > /opt/cin/plugins/themes/theme_blond_cv.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_blue.plugin =
> > > > /opt/cin/plugins/themes/theme_blue.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_blue_dot.plugin =
> > > > /opt/cin/plugins/themes/theme_blue_dot.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_bright.plugin =
> > > > /opt/cin/plugins/themes/theme_bright.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_hulk.plugin =
> > > > /opt/cin/plugins/themes/theme_hulk.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_pinklady.plugin =
> > > > /opt/cin/plugins/themes/theme_pinklady.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_suv.plugin =
> > > > /opt/cin/plugins/themes/theme_suv.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_unflat.plugin =
> > > > /opt/cin/plugins/themes/theme_unflat.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > init ladspa index: /opt/cin/ladspa
> > > > MWindow::init_theme: prefered theme S.U.V. not found.
> > > > MWindow::init_theme: theme_plugin not found.
> > > > unjoined tids / owner 1
> > > >   000003297c18b700 / 000003298d7eb740 12BC_Clipboard
> > > > miro@gcn ~ $
> > > >
> > > > Just to tell that Cinelerra showed the little opening window in the
> > > > middle of the screen, but did not freeze like in the last attempt.
> > > > Instead it exited and returned the command prompt. The previous attempt
> > > > can be read at:
> > > >
> > > > http://lists.cinelerra-cv.org/pipermail/cinelerra/2016q2/004711.html
> > > > And it shows the Cinelerra girl holding huge 5.1 notice
> > > >
> >
> > was "it that's what"
> >
> > > > The same happened. Only, it exited gracefully (if that's what's
> > > > giving the command prompt back is).
> > > >
> > > > Now the logs:
> > > >
> > > > Freshly installed today's goodguy's git repo Cinelerra 5.1. Chowning it
> > > > to user and group miro:miro.
> > > >
> > > > Apr 27 23:22:03 gcn kernel: [143518.989075] grsec: (admin:S:/) exec of
> > > > /bin/chown (chown -R miro:miro /opt/cin ) by /bin/chown[bash:26292]
> > > > uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
> > > > gid/egid:0/0
> > > >
> > > > RBAC enabled, just to see what will happen.
> > > >
> > > > Apr 27 23:22:14 gcn kernel: [143530.000378] grsec: (admin:S:/) exec of
> > > > /bin/grep (grep --colour=auto RBAC /proc/3278/status ) by
> > > > /bin/grep[bash:26294] uid/euid:0/0 gid/egid:0/0, parent
> > > > /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> > > >
> > > > Apr 27 23:22:25 gcn kernel: [143540.657532] grsec: (miro:U:/bin/bash)
> > > > denied execution of /opt/cin/cinelerra by /bin/bash[bash:26297]
> > > > uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > >
> > > > Checking if TPE was enabled. Can't show, but I remember it was not.
> > > > Neither tpe nor tpe_restrict_all.
> > > >
> > > > Apr 27 23:22:25 gcn kernel: [143540.657675] grsec: (miro:U:/bin/bash)
> > > > denied open of /opt/cin/cinelerra for reading by /bin/bash[bash:26297]
> > > > uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > Apr 27 23:22:51 gcn kernel: [143566.483957] grsec: (admin:S:/) exec of
> > > > /bin/cat (cat /proc/sys/kernel/grsecurity/tpe_restrict_all ) by
> > > > /bin/cat[bash:26300] uid/euid:0/0 gid/egid:0/0, parent
> > > > /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> > > >
> > > > Apr 27 23:22:54 gcn kernel: [143569.600844] grsec: (admin:S:/) exec of
> > > > /bin/cat (cat /proc/sys/kernel/grsecurity/tpe ) by /bin/cat[bash:26303]
> > > > uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
> > > > gid/egid:0/0
> > > >
> > > >
> > > > Disabling RBAC:
> > > >
> > > > Apr 27 23:23:13 gcn kernel: [143588.739630] grsec: (admin:S:/) exec of
> > > > /sbin/gradm (gradm -D ) by /sbin/gradm[bash:26304] uid/euid:0/0
> > > > gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> > > >
> > > > ...[36 lines cut here]...
> > > >
> > > > Apr 27 23:23:41 gcn kernel: [143616.978863] grsec: exec of
> > > > /opt/cin/cinelerra (/opt/cin/cinelerra ) by
> > > > /opt/cin/cinelerra[bash:26350] uid/euid:1000/1000 gid/egid:1000/1000,
> > > > parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > I hope this pulseaudio command does no harm. Only pure alsa here.
> > > >
> > > > Apr 27 23:23:42 gcn kernel: [143617.432067] grsec: exec of /bin/bash (sh
> > > > -c pactl list sinks ) by /bin/bash[cinelerra:26351] uid/euid:1000/1000
> > > > gid/egid:1000/1000, parent /opt/cin/cinelerra[cinelerra:26350]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > The crucial PT_GNU_STACK, and RWX mprotect lines:
> > > >
> >
> > These typical grsec-hardened entries (starting with "grsec: denied") can
> > only be obtained on grsecurity-hardened kernel-based systems.
> >
> > > > Apr 27 23:23:44 gcn kernel: [143619.882015] grsec: denied marking stack
> > > > executable as requested by PT_GNU_STACK marking in
> > > > /opt/cin/plugins/blending/chromakeyhsv.plugin by
> > > > /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
> > > > gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
> > > > gid/egid:1000/1000
> > > >
> > > > Apr 27 23:23:44 gcn kernel: [143619.882045] grsec: denied RWX mprotect
> > > > of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
> > > > uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > Apr 27 23:23:44 gcn kernel: [143620.045971] grsec: denied marking stack
> > > > executable as requested by PT_GNU_STACK marking in
> > > > /opt/cin/plugins/themes/theme_blond.plugin by
> > > > /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
> > > > gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
> > > > gid/egid:1000/1000
> > > >
> > > > Apr 27 23:23:44 gcn kernel: [143620.046009] grsec: denied RWX mprotect
> > > > of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
> > > > uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > Apr 27 23:23:44 gcn kernel: [143620.046087] grsec: more alerts, logging
> > > > disabled for 10 seconds
> > > >
> > > >
> > > > And here is where a hardened dev could help us... I've been studying
> > > > these days (but only for small part of the time, this testing takes a
> > > > lot of energy and time), on the above PT_GNU_STACK and RWX mprotect
> > > > issue, and I'll try and post next to grsecurity Forums:
> > > >
> > > > Building Cinelerra and stack exec and mprotect issues
> > > >
> > > >
> > > > https://forums.grsecurity.net/viewtopic.php?f=3&t=4453&sid=6acf30eee27f95dd5bc31d4d282cae77
> > > >
> > > > as I have collected some links that could help us here...
> > > >
> > > > --
> > > > Miroslav Rovis
> > > > Zagreb, Croatia
> > > > http://www.CroatiaFidelis.hr
> > > >
> >
> > --
> > Miroslav Rovis
> > Zagreb, Croatia
> > http://www.CroatiaFidelis.hr
> >

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
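Editor's added example, not part of Miroslav's or Good Guy's mail and not Cinelerra code. The two alerts quoted in the thread ("denied marking stack executable as requested by PT_GNU_STACK marking in ..." and "denied RWX mprotect of ...") are what PaX logs when a dlopen'd object asks for an executable stack, and the cheapest first check is to read the plugin's own ELF program headers rather than to touch any kernel or PaX setting. The Python below parses grsec lines of the shape posted above, reads the PT_GNU_STACK entry straight out of an ELF image, and says whether the named object needs relinking with -Wl,-z,noexecstack (the flag the build recipe in the thread already appends to EXTRA_LIBS). The log lines and the tiny ELF images are constructed fixtures modelled on the thread; the helper names, the verdict wording and the stand-in plugin bytes are assumptions, and on a real box `images` would be filled from the files under /opt/cin/plugins.

```python
"""Triage for the two PaX alerts quoted in this thread (added example, not
code from the thread or from Cinelerra):

  grsec: denied marking stack executable as requested by PT_GNU_STACK marking in <obj> by <proc>[comm:pid] ...
  grsec: denied RWX mprotect of <obj> by <proc>[comm:pid] ...

parse_grsec_line() pulls the object and acting process out of such a line;
gnu_stack_flags() reads the PT_GNU_STACK program header of an ELF image so
you can see whether the plugin itself asks for an executable stack.
"""
import re
import struct
from typing import Dict, List, Optional, Tuple

PT_GNU_STACK = 0x6474E551          # program header type carrying the stack marking
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags permission bits

_BY = (r" by (?P<proc>\S+)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\]"
       r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")
_ALERTS = {
    "execstack": re.compile(r"grsec: denied marking stack executable as requested by "
                            r"PT_GNU_STACK marking in (?P<obj>\S+)" + _BY),
    "rwx_mprotect": re.compile(r"grsec: denied RWX mprotect of (?P<obj>\S+)" + _BY),
}


def parse_grsec_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'kind','obj','proc','comm','pid','uid','euid'} for a PaX denial, else None."""
    for kind, rx in _ALERTS.items():
        m = rx.search(line)
        if m:
            return dict(m.groupdict(), kind=kind)
    return None


def gnu_stack_flags(image: bytes) -> Optional[int]:
    """p_flags of the PT_GNU_STACK header, or None if the object has none.
    glibc treats a missing PT_GNU_STACK as a request for an executable stack on
    x86, so None has to be handled like PF_X."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = image[4], image[5]
    end = "<" if ei_data == 1 else ">"                   # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                                     # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", image, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 0x36)
        fmt, flags_idx = end + "IIQQQQQQ", 1              # Elf64_Phdr: p_type, p_flags, ...
    elif ei_class == 1:                                   # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", image, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 0x2A)
        fmt, flags_idx = end + "IIIIIIII", 6              # Elf32_Phdr: p_flags is the 7th word
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, image, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def verdict(flags: Optional[int]) -> str:
    if flags is None:
        return "no PT_GNU_STACK header, loader assumes an executable stack: relink with -Wl,-z,noexecstack"
    if flags & PF_X:
        return "PT_GNU_STACK requests an executable stack: relink with -Wl,-z,noexecstack"
    return "PT_GNU_STACK is non-executable: this object is not the cause"


def triage(log_lines: List[str], images: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """One (object, alert kind, verdict) per distinct denied object.
    `images` maps path -> file contents; on a live box fill it with open(p, 'rb').read()."""
    out, seen = [], set()
    for line in log_lines:
        hit = parse_grsec_line(line)
        if not hit or hit["obj"] in seen:
            continue
        seen.add(hit["obj"])
        if hit["kind"] == "rwx_mprotect":
            note = "logged together with a PT_GNU_STACK denial in the thread; fix that object first"
        elif hit["obj"] in images:
            note = verdict(gnu_stack_flags(images[hit["obj"]]))
        else:
            note = "object not supplied for inspection"
        out.append((hit["obj"], hit["kind"], note))
    return out


def _minimal_elf64(stack_flags: Optional[int]) -> bytes:
    """Constructed fixture, not a real plugin: 64-bit LSB ELF header plus, unless
    stack_flags is None, a single PT_GNU_STACK program header right after it."""
    phnum = 0 if stack_flags is None else 1
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LSB, version 1, padding
    hdr += struct.pack("<HHIQQQIHHHHHH",
                       3, 62, 1,                        # ET_DYN, EM_X86_64, EV_CURRENT
                       0, 64, 0,                        # e_entry, e_phoff, e_shoff
                       0, 64, 56, phnum,                # e_flags, e_ehsize, e_phentsize, e_phnum
                       64, 0, 0)                        # e_shentsize, e_shnum, e_shstrndx
    if phnum:
        hdr += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return hdr


# Constructed sample input: the thread's wrapped log lines re-joined, pids and paths as posted.
SAMPLE_LOG = [
    "Apr 27 23:23:44 gcn kernel: [143619.882015] grsec: denied marking stack executable as "
    "requested by PT_GNU_STACK marking in /opt/cin/plugins/blending/chromakeyhsv.plugin by "
    "/opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000 gid/egid:1000/1000, parent "
    "/bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000",
    "Apr 27 23:23:44 gcn kernel: [143619.882045] grsec: denied RWX mprotect of /lib64/ld-2.22.so "
    "by /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000 gid/egid:1000/1000, parent "
    "/bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000",
    "Apr 27 23:23:42 gcn kernel: [143617.432067] grsec: exec of /bin/bash (sh -c pactl list sinks ) "
    "by /bin/bash[cinelerra:26351] uid/euid:1000/1000 gid/egid:1000/1000",
]
# Constructed stand-in for the plugin file: linked without -z noexecstack, so it asks for RWE stack.
SAMPLE_IMAGES = {"/opt/cin/plugins/blending/chromakeyhsv.plugin": _minimal_elf64(PF_R | PF_W | PF_X)}

if __name__ == "__main__":
    for obj, kind, note in triage(SAMPLE_LOG, SAMPLE_IMAGES):
        print("%-14s %s\n    %s" % (kind, obj, note))
```

On a Gentoo box the same check without Python is `readelf -lW /opt/cin/plugins/blending/chromakeyhsv.plugin | grep GNU_STACK` (RWE in the flags column is the problem) or `scanelf -e` from pax-utils over the plugins directory; once the execstack request is gone from every plugin, the PT_GNU_STACK alert can no longer fire, and whether the RWX mprotect alert follows it is then the next thing to re-test rather than something to silence with PaX flags on the binary.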

