**** BEGIN LOGGING AT Sun Jan 17 02:59:57 2021
Jan 17 05:53:11 <aparcar[m]> philipp64: oh surely I'm just watching
Jan 17 11:35:19 <grift> i could use some help with this: https://github.com/openwrt/packages/blob/master/net/privoxy/Makefile#L59
Jan 17 11:35:35 <grift> (also an aside that package is 3 stable version behind)
Jan 17 11:36:25 <grift> i asked dango about what happens when packages add userid/groupid etc
Jan 17 11:36:39 <grift> and he pointed me to 3 functions for three scenarios
Jan 17 11:36:50 <grift> i tried to interpret these functions
Jan 17 11:37:45 <grift> take this scenario:
Jan 17 11:37:46 <grift> Or, if the package is installed by the user at run-time:
Jan 17 11:37:47 <grift> https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/base-files/files/lib/functions.sh#l247
Jan 17 11:39:09 <grift> i guess the add_group_and_user() does the editing of /etc/{group,passwd,shadow}
Jan 17 11:39:39 <grift> but in that function i don't see where it uses sed to do this
Jan 17 11:40:04 <grift> i know sed replaces /etc/group
Jan 17 11:40:12 <grift> but i dont know where in the code
Jan 17 11:40:50 <grift> the challenge is this:
Jan 17 11:40:54 <grift> [  256.182929] audit: type=1400 audit(1610882949.577:5): avc:  granted  { create } for  pid=3347 comm="sed" name="groupIgpbMl" scontext=u:r:sys.subj tcontext=u:r:file.conffile tclass=file
Jan 17 11:41:30 <grift> sed creates the new /etc/group with a random suffix and then the file gets renamed
Jan 17 11:41:53 <grift> i know that sed allows you to specify a suffix
Jan 17 11:42:39 <grift> so i would like to see where in the code i would need to change this so that sed creates these new /etc/group,passwd,shadow files with a predictable suffix
Jan 17 11:47:17 <dorf> speaking of privoxy, it's probably better swapped out for tinyproxy with a luci UI.
Jan 17 11:48:21 <dorf> privoxy is bloatware that's mostly ineffective these days, given it doesn't process https.
Jan 17 11:48:43 <mangix> grift: that package badly needs modernization. i don't care for it.
Jan 17 11:49:01 <dorf> mangix: tinyproxy!
Jan 17 11:49:35 <dorf> eminently suited to openwrt.
Jan 17 11:52:29 <grift> ok i will look into tinyproxy but i would still like to figure out  where those sed calls are to re-create updates /etc/group
Jan 17 11:54:05 <grift> every time i install a package that requires a new groupid/userid that function messes up the label of /etc/group/passwd and then stuff can not read those files
Jan 17 12:17:34 <grift> dorf any reason for taking tinyproxy over polipo you know of?
Jan 17 12:18:00 <dorf> grift: yeah, polipo is unmaintained
Jan 17 12:18:30 <dorf> tinyproxy also does more.
Jan 17 12:21:06 <grift> hmm i think i found it: https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/base-files/files/lib/functions.sh#l353
Jan 17 12:25:37 <dorf> polipo was more or less abandoned around the same time Tor transitioned to the TorBrowser, fwiw.
Jan 17 12:30:15 <grift> thanks
Jan 17 12:30:22 <grift> so the issue here is that:
Jan 17 12:30:27 <grift> sed -i "s/$grp/$grp$delim$2/g" ${IPKG_INSTROOT}/etc/group
Jan 17 12:30:49 <grift> creates a new /etc/groupYRTYREYTR and then renames it to /etc/group
Jan 17 12:31:07 <grift> if i understand correctly this should address my issue:
Jan 17 12:31:18 <grift> sed -i'' "s/$grp/$grp$delim$2/g" ${IPKG_INSTROOT}/etc/group
Jan 17 13:05:59 <grift> this looks weird though: https://github.com/openwrt/packages/blob/master/net/tinyproxy/files/tinyproxy.init#L52
Jan 17 13:06:19 <grift> so it creates /var/log/tinyproxy.log with mode 666?
Jan 17 13:32:36 <dorf> let's have a look at that, grift.
Jan 17 13:33:33 <dorf> it's probably in case the user's not running as root, no?
Jan 17 13:34:11 <dorf> or maybe it's just lax for another reason.
Jan 17 13:35:24 <dorf> in any event, tinyproxy is screaming out for a luci-app :)
Jan 17 13:36:01 <dorf> also, nevermind re 666. I just realized I'm looking at openwrt's repo. no idea why it's 666.
Jan 17 13:36:02 <grift> well yes i think its running as user nobody? so that looks like  corner cutting to allow nobody to write to /var/log/tinyproxy.log
Jan 17 13:36:15 <grift> but collatoral damage is that others can write as well i guess
Jan 17 13:36:24 <grift> anyway i am also looking into it further
Jan 17 13:36:28 <dorf> sure, user nobody privs, that's it.
Jan 17 13:37:02 <grift> instead probably better to chown
Jan 17 13:37:11 <dorf> sure
Jan 17 13:37:32 <grift> root.nobody 0760 or something
Jan 17 13:38:28 <grift> or nogroup whatever
Jan 17 13:38:47 <grift> using nobody.nogroup might not be optimal either though
Jan 17 13:38:56 <grift> too generic
Jan 17 13:39:17 <dorf> it's a log, why not just chown it to root?
Jan 17 13:39:18 <grift> but i am wrapping this up with selinux confinement
Jan 17 13:39:42 <grift> well then if tinyproxy runs as nobody it cant write it?
Jan 17 13:39:50 <dorf> except for the fact nobody couldn't write to it, yeah.
Jan 17 13:39:53 <grift> or "append" technically
Jan 17 13:40:20 <grift> question is why not use syslog?
Jan 17 13:40:36 <grift> as a logfile might fill up the tmpfs
Jan 17 13:40:43 <dorf> pretty much everything else runs as root, though. not sure if tinyproxy merits the nobody treatment. it might, but then so does a bunch of other stuff.
Jan 17 13:41:05 <grift> those days are gone
Jan 17 13:41:26 <grift> many services run with unpriv identities these day's
Jan 17 13:41:30 <dorf> if you're going to use syslog, make sure you run the logs at warn or error level, perhaps. otherwise it gets noisy in there.
Jan 17 13:42:22 <grift> i dont mind a bit of noise besides you can just run logread with -Z 9
Jan 17 13:42:50 <dorf> at around 4 or 5 lines per connection, you'll soon mind :)
Jan 17 13:42:59 <grift> the wireguard cronjob also floods the logs
Jan 17 13:45:37 <grift> the issue with the nobody.nogroup idea is that its insecure if more than one service uses it
Jan 17 13:46:01 <grift> so ideally we'd have a tinyproxy uid
Jan 17 13:46:14 <grift> and then chown the log root.tinyproxy 0760
Jan 17 13:46:23 <grift> uig/gid
Jan 17 13:48:12 <dorf> yeah, that makes more sense. upstream tinyproxy does that.
Jan 17 14:25:23 <f00b4r0> lynxis: ping
Jan 17 14:25:35 <lynxis> f00b4r0: pong
Jan 17 14:26:03 <f00b4r0> lynxis: why did you pull #2417? It's not functional and uses the awful u-boot based intermediary loader?
Jan 17 14:26:24 <lynxis> f00b4r0: the awful bootloader is gone.
Jan 17 14:26:36 <f00b4r0> in the PR it isn't.
Jan 17 14:31:10 <lynxis> f00b4r0: take a look into https://git.openwrt.org/?p=openwrt/staging/lynxis.git;a=shortlog;h=refs/heads/80211ad
Jan 17 14:31:32 <f00b4r0> lynxis: I see in your tree you've expunged. The problem is that the code you pulled doesn't use the recent bells and whistles for mikrotik, namely the platform driver
Jan 17 14:31:43 <f00b4r0> the partition scheme is wrong btw
Jan 17 14:31:54 <f00b4r0> partition0@0 starts at reg 0x80000
Jan 17 14:32:05 <f00b4r0> that PR wasn't ready for merge IMHO
Jan 17 14:32:18 <f00b4r0> I'm pretty sure robimarko wanted to revisit it.
Jan 17 14:33:49 <f00b4r0> led naming is also not matching the current style
Jan 17 14:34:39 <f00b4r0> and the commit message still lmentions the extra loader. Honestly I'd suggest you throw that back and maybe give robi a chance to polish it?
Jan 17 14:39:23 <lynxis> f00b4r0: I wasn't sure why robertmarko closed the PR. but some people of the openwrt community are using a couple of those devices. I would like to push the 60ghz stuff. I also have 5 of the 60ghz devices around.
Jan 17 14:39:24 <f00b4r0> https://git.openwrt.org/?p=openwrt/staging/lynxis.git;a=commitdiff;h=0cf4ce8cc4b31e4d6bce40d357c2d70c8a673f1c#patch3 this is also wrong
Jan 17 14:39:51 <lynxis> f00b4r0: sure there are still things to be moved and fixed up there.
Jan 17 14:40:08 <f00b4r0> lynxis: my understanding is he closed it to focus on hap-ac2, and planned to revisit once that was merged. Likewise for the sxtac
Jan 17 14:40:08 <lynxis> f00b4r0: do you know why there is mtd erase at all?
Jan 17 14:40:16 <f00b4r0> yes I do
Jan 17 14:40:18 <f00b4r0> :)
Jan 17 14:40:49 <f00b4r0> the mtd erase is called during sysupgrade when the device is booted from initramfs to clear the flash from extraneous kernel signatures
Jan 17 14:41:07 <f00b4r0> otherwise the bootloader might pick up a spurious signature from RouterOS and that will result in a brick.
Jan 17 14:41:28 <lynxis> the bootloader is scanning the whole partition for signatures?
Jan 17 14:41:32 <f00b4r0> please revert this from your tree, it's a collection of "don't do" for this target
Jan 17 14:41:36 <f00b4r0> yes
Jan 17 14:41:56 <f00b4r0> apparently uses "last match"
Jan 17 14:43:17 <f00b4r0> i really wouldn't want to 1) have to submit patches to fix afterwards and 2) have people copy-pasting this to submit other devices. The canonical working example is the hap-ac2 and we tried to ask other submitters to follow it (rogerpueo did for the sxtac)
Jan 17 14:46:39 <f00b4r0> even the device name in DTS and makefile doesn't follow the semi-official pattern ;P
Jan 17 14:51:32 <lynxis> f00b4r0: let's get the hap to upstream first.
Jan 17 14:53:30 <f00b4r0> lynxis: sure. Please just don't push the current lhg60 to master as it is.
Jan 17 15:52:59 <grift> dorf_ : https://github.com/openwrt/packages/issues/14491
Jan 17 15:54:08 <grift> targeted tinyproxy in selinux-policy though: https://github.com/openwrt/packages/issues/14491
Jan 17 15:54:21 <grift> it can't even write the log file itself (only append)
Jan 17 15:54:33 <grift> err
Jan 17 15:54:54 <grift> https://git.defensec.nl/?p=selinux-policy.git;a=blob_plain;f=src/agent/tinyproxy.cil;hb=HEAD
Jan 17 18:56:42 <philipp64> grift: do we not count on groupmod and usermod being present for packaging?
Jan 17 18:57:55 <grift> no
Jan 17 18:58:01 <philipp64> hmm... seems busybox doesn't even include usermod/groupmod...
Jan 17 19:02:18 <dorf_> grift: shunting everything over to the syslog might not be such a bad idea.
Jan 17 19:03:13 <grift> dorf_ thats what i just did on my router
Jan 17 19:03:43 <dorf_> log level Connect looks like a sane default.
Jan 17 19:03:51 <grift> yes  changed it to that
Jan 17 19:04:06 <dorf_> I'll get my coat :)
Jan 17 19:05:22 <dorf_> you can style the status page btw, but you need to apply styles within the tags.. inline css doesn't work.
Jan 17 19:07:20 <dorf_> grift: feel free to modify https://pastebin.ubuntu.com/p/rJmW5xbmDj/ to suit your needs.
Jan 17 19:08:01 <grift> thanks
Jan 17 19:08:52 <dorf_> fairly minimal.. something like that could be piped into a luci front end I guess.
Jan 17 19:09:27 <grift> i dont like how that paste service requires registration to download raw pastes
Jan 17 19:10:49 <dorf_> I never noticed before. annoying. copy and paste should be fine straight off the page.
Jan 17 19:11:00 <grift> yes i did that
Jan 17 21:24:24 <swalker> updated openwrt/upstream, https://sdwalker.github.io/uscan/index.html
Jan 18 02:01:22 <aparcar[m]> grift: this dependency issue with busybox-selinux is still annoying ☹️ Did you talk about it with dangole ?
Jan 18 02:24:21 <OutBackDingo> anyone else having massive issues updating repos from openwrt git ?
Jan 18 02:24:39 <OutBackDingo> error: RPC failed; curl 56 OpenSSL SSL_read: Connection reset by peer, errno 104
Jan 18 02:24:39 <OutBackDingo> fatal: the remote end hung up unexpectedly
Jan 18 02:24:39 <OutBackDingo> fatal: early EOF
Jan 18 02:24:39 <OutBackDingo> fatal: index-pack failed
**** ENDING LOGGING AT Mon Jan 18 02:59:57 2021