On 160427-22:09-0600, Good Guy wrote:
> I would try to get the application to run as root, with
> root owner/group file permissions. The goal is to see
> if it can run, not if it can fail. Once it has been established
> that it can operate, then try to see what causes it to fail.
> It looks to me like most of the problems have to do with
> the gentoo implementation, security features, or operational
> errors, not cinelerra application code. The goal of security
> is to keep the bad guys out, not prevent normal user operation.
>
C'mon, while I'm really not an expert, I am still an advanced user.
I did give it a try, right now, and what I saw is just what I had
expected: No, it can't run as root either.
It can't run as root either. And it flunked just like it flunked as
normal user, because in a grsecurity-hardened kernel based system, root
is not the boss like root used to be the boss in pre linux capabilities
system.
So you did not install grsecurity-hardened?
You too sure can go the Torvalds and the RMS's way, or even Poettering's
way, they're all great programmers (which I am not), but they have
betrayed FOSS...
Again, nothing you can do to make Cinelerra work for people like me, who
know what grsecurity is, because they saw it in action:
A case of actual protection of my Gentoo box by Grsecurity
https://forums.gentoo.org/viewtopic-t-967806.html
(long time after, if you get to even see this, if they haven't removed
it, as they have started removing some text from my posts (all of my
posts always had titles along with links, like in this
email/web-page-to-be):
System attacked, Konqueror went on window-popping spree!
https://forums.gentoo.org/viewtopic-t-905472.html
)
which links to:
grsec: halting the system due to suspicious kernel crash
https://forums.grsecurity.net/viewtopic.php?f=3&t=3709&sid=60bf798f0831a707c94fd20467647e01
where spender himself confirms it was a case of after-free bug:
Re: grsec: halting the system due to suspicious kernel crash
https://forums.grsecurity.net/viewtopic.php?f=3&t=3709&sid=60bf798f0831a707c94fd20467647e01#p13407
I will send you how it failed the logs, just like I sent the logs when
it failed to run as user, but pls., again:
So you did not install grsecurity-hardened?
If you haven't, your Cinelerra very probably can't work for me, just
like the Gnu debugger that I sent you a link that doesn't want to work
with PaX (which is part of grsecurity, kind of, grsecurity is a twin
program grsecurity and PaX, but we call it grsecurity for short)...
I will send you how it failed the logs, but after the Mass. I go to Mass
and pray for people, for Gentoo, for you, for all the liberals and all
the Trump-ed people and all the other of the U.S. I will pray this
morning.
>
>
> On Wed, Apr 27, 2016 at 8:43 PM, Miroslav Rovis <
> miro.rovis@???> wrote:
>
> > Just a little sleeplessness here.
> >
> > On 160427-17:15-0600, Good Guy wrote:
> > > Sorry, my name is root, I have been root for decades, I like it when
> > > the operations are allowed to succeed, and not deliberately failed.
> > > The entire purpose of many "insecurity" features are to invoke nothing
> > > but failure. I disagree.
> > >
> > > The security policy I like is to stop the bad guys at the door. If you
> > > have bad guys roaming around your house, it is already too late.
> > I'm glad if you can do it. I'm not such expert by any means.
> >
> > > I want any operation which authenticates or verifies to be correct, and
> > > in this day and age of crystallographic protocols and validation it is
> > > completely possible to do a good job. These hacks are a sign of failure
> > > to detect and stop bad guys before they do damage.
> > I'm not sure I understand what you are referring to here.
> >
> > Do you mean you did not install grsec-hardened?
> > >
> > > Frequently, the worst bad guys used to be good guys (pun). The real
> > > problem is to make sure the development environment is desirable
> > > and secure, so that the effort is cohesive.
> > >
> > > Anyway... I have completed the backup, installed the stage3 system,
> > > and have 80% of the world built.
> > Glad to hear that.
> > > Still have kernel and tweaks to do, but should have a system soon.
> > > Gentoo is a "difficult" system to have to install from scratch.
> > > Seems unnecessarily abstruse.
> > First impressions only.
> >
> > But did you read what I wrote to you below?
> >
> > (And I'll fix a typo or two now, and added a little note more closer to
> > the bottom, but not all the way down to it.)
> > >
> > >
> > >
> > > On Wed, Apr 27, 2016 at 3:54 PM, Miroslav Rovis <
> > > miro.rovis@???> wrote:
> > >
> > > > So more progress there has been.
> > > >
> > > > On 160427-13:05-0600, Good Guy wrote:
> > > > > cd cinelerra5/cinelerra-5.1
> > > > > echo "EXTRA_LIBS += -lva" >> global_config
> > > > > echo "EXTRA_LIBS += -Wl,-z,noexecstack" >> global_config
> > > > > sed -e '1,1c#!/usr/bin/python2.7' -i guicast/bccmdl.py
> > > > > sed -e '/^bcxfer.C:/,+1s/python/python2.7/' -i guicast/Makefile
> > > > > ./configure shared
> > > > > make >& log
> > > > >
> > > >
> > > > I'm also writing this for general *nix users when this is hopefully
> > > > posted as you gave me permission to. I'll give the complete output from
> > > > the terminal. Note that there are two issuing of /opt/cin/cinelerra, the
> > > > first will be seen, later, in the log that I will also give, as "denied
> > > > execution of /opt/cin/cinelerra" and the second as "exec of
> > > > /opt/cin/cinelerra".
> > > >
> > > > miro@gcn ~ $ /opt/cin/cinelerra
> > > > bash: /opt/cin/cinelerra: Permission denied
> > > > miro@gcn ~ $
> > > > miro@gcn ~ $ /opt/cin/cinelerra
> > > > sh: pactl: command not found
> > > >
> > > > Cinelerra 5.1 git://git.cinelerra-cv.org/goodguy/cinelerra.git (c)2015:
> > > > Adam Williams
> > > >
> > > > Cinelerra is free software, covered by the GNU General Public License,
> > > >
> > > > and you are welcome to change it and/or distribute copies of it under
> > > >
> > > > certain conditions. There is absolutely no warranty for Cinelerra.
> > > >
> > > >
> > > > MESA-LOADER: could not create udev device for fd 5
> > > > MESA-LOADER: could not create udev device for fd 6
> > > > MESA-LOADER: could not create udev device for fd 6
> > > > init plugin index: /opt/cin/plugins
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/blending/chromakeyhsv.plugin =
> > > > /opt/cin/plugins/blending/chromakeyhsv.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_blond.plugin =
> > > > /opt/cin/plugins/themes/theme_blond.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_blond_cv.plugin =
> > > > /opt/cin/plugins/themes/theme_blond_cv.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_blue.plugin =
> > > > /opt/cin/plugins/themes/theme_blue.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_blue_dot.plugin =
> > > > /opt/cin/plugins/themes/theme_blue_dot.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_bright.plugin =
> > > > /opt/cin/plugins/themes/theme_bright.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_hulk.plugin =
> > > > /opt/cin/plugins/themes/theme_hulk.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_pinklady.plugin =
> > > > /opt/cin/plugins/themes/theme_pinklady.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_suv.plugin =
> > > > /opt/cin/plugins/themes/theme_suv.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > > >
> > > > PluginServer::open_plugin: load_obj
> > > > /opt/cin/plugins/themes/theme_unflat.plugin =
> > > > /opt/cin/plugins/themes/theme_unflat.plugin: cannot change memory
> > > > protections: Permission denied
> > > >
> > > > init ladspa index: /opt/cin/ladspa
> > > > MWindow::init_theme: prefered theme S.U.V. not found.
> > > > MWindow::init_theme: theme_plugin not found.
> > > > unjoined tids / owner 1
> > > > 000003297c18b700 / 000003298d7eb740 12BC_Clipboard
> > > > miro@gcn ~ $
> > > >
> > > > Just to tell that Cinelerra showed the little opening window in the
> > > > middle of the screen, but did not freeze like in the last attempt.
> > > > Instead it exited and returned the command prompt. The previous attempt
> > > > can be read at:
> > > >
> > > > http://lists.cinelerra-cv.org/pipermail/cinelerra/2016q2/004711.html
> > > > And it shows the Cinelerra girl holding huge 5.1 notice
> > > >
> >
> > was "it that's what"
> >
> > > > The same happened. Only, it exited gracefully (if that's what's
> > > > giving the command prompt back is).
> > > >
> > > > Now the logs:
> > > >
> > > > Freshly installed today's goodguy's git repo Cinelerra 5.1. Chowning it
> > > > to user and group miro:miro.
> > > >
> > > > Apr 27 23:22:03 gcn kernel: [143518.989075] grsec: (admin:S:/) exec of
> > > > /bin/chown (chown -R miro:miro /opt/cin ) by /bin/chown[bash:26292]
> > > > uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
> > > > gid/egid:0/0
> > > >
> > > > RBAC enabled, just to see what will happen.
> > > >
> > > > Apr 27 23:22:14 gcn kernel: [143530.000378] grsec: (admin:S:/) exec of
> > > > /bin/grep (grep --colour=auto RBAC /proc/3278/status ) by
> > > > /bin/grep[bash:26294] uid/euid:0/0 gid/egid:0/0, parent
> > > > /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> > > >
> > > > Apr 27 23:22:25 gcn kernel: [143540.657532] grsec: (miro:U:/bin/bash)
> > > > denied execution of /opt/cin/cinelerra by /bin/bash[bash:26297]
> > > > uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > >
> > > > Checking if TPE was enabled. Can't show, but I remember it was not.
> > > > Neither tpe nor tpe_restrict_all.
> > > >
> > > > Apr 27 23:22:25 gcn kernel: [143540.657675] grsec: (miro:U:/bin/bash)
> > > > denied open of /opt/cin/cinelerra for reading by /bin/bash[bash:26297]
> > > > uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > Apr 27 23:22:51 gcn kernel: [143566.483957] grsec: (admin:S:/) exec of
> > > > /bin/cat (cat /proc/sys/kernel/grsecurity/tpe_restrict_all ) by
> > > > /bin/cat[bash:26300] uid/euid:0/0 gid/egid:0/0, parent
> > > > /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> > > >
> > > > Apr 27 23:22:54 gcn kernel: [143569.600844] grsec: (admin:S:/) exec of
> > > > /bin/cat (cat /proc/sys/kernel/grsecurity/tpe ) by /bin/cat[bash:26303]
> > > > uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
> > > > gid/egid:0/0
> > > >
> > > >
> > > > Disabling RBAC:
> > > >
> > > > Apr 27 23:23:13 gcn kernel: [143588.739630] grsec: (admin:S:/) exec of
> > > > /sbin/gradm (gradm -D ) by /sbin/gradm[bash:26304] uid/euid:0/0
> > > > gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> > > >
> > > > ...[36 lines cut here]...
> > > >
> > > > Apr 27 23:23:41 gcn kernel: [143616.978863] grsec: exec of
> > > > /opt/cin/cinelerra (/opt/cin/cinelerra ) by
> > > > /opt/cin/cinelerra[bash:26350] uid/euid:1000/1000 gid/egid:1000/1000,
> > > > parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > I hope this pulseaudio command does no harm. Only pure alsa here.
> > > >
> > > > Apr 27 23:23:42 gcn kernel: [143617.432067] grsec: exec of /bin/bash (sh
> > > > -c pactl list sinks ) by /bin/bash[cinelerra:26351] uid/euid:1000/1000
> > > > gid/egid:1000/1000, parent /opt/cin/cinelerra[cinelerra:26350]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > The crucial PT_GNU_STACK, and RWX mprotect lines:
> > > >
> >
> > These typical grsec-hardened entries (starting with "grsec: denied") can
> > only be gotten with a grsecurity-hardened kernel based systems.
> >
> > > > Apr 27 23:23:44 gcn kernel: [143619.882015] grsec: denied marking stack
> > > > executable as requested by PT_GNU_STACK marking in
> > > > /opt/cin/plugins/blending/chromakeyhsv.plugin by
> > > > /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
> > > > gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
> > > > gid/egid:1000/1000
> > > >
> > > > Apr 27 23:23:44 gcn kernel: [143619.882045] grsec: denied RWX mprotect
> > > > of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
> > > > uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > Apr 27 23:23:44 gcn kernel: [143620.045971] grsec: denied marking stack
> > > > executable as requested by PT_GNU_STACK marking in
> > > > /opt/cin/plugins/themes/theme_blond.plugin by
> > > > /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
> > > > gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
> > > > gid/egid:1000/1000
> > > >
> > > > Apr 27 23:23:44 gcn kernel: [143620.046009] grsec: denied RWX mprotect
> > > > of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
> > > > uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> > > > uid/euid:1000/1000 gid/egid:1000/1000
> > > >
> > > > Apr 27 23:23:44 gcn kernel: [143620.046087] grsec: more alerts, logging
> > > > disabled for 10 seconds
> > > >
> > > >
> > > > And here is where a hardened dev could help us... I've been studying
> > > > these days (but only for small part of the time, this testing takes a
> > > > lot of energy and time), on the above PT_GNU_STACK and RWX mprotect
> > > > issue, and I'll try and post next to grsecurity Forums:
> > > >
> > > > Building Cinelerra and stack exec and mprotect issues
> > > >
> > > > https://forums.grsecurity.net/viewtopic.php?f=3&t=4453&sid=6acf30eee27f95dd5bc31d4d282cae77
> > > >
> > > > as I have collected some links that could help us here...
> > > >
> > > > --
> > > > Miroslav Rovis
> > > > Zagreb, Croatia
> > > > http://www.CroatiaFidelis.hr
> > > >
> >
> > --
> > Miroslav Rovis
> > Zagreb, Croatia
> > http://www.CroatiaFidelis.hr
> >
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr