--- rainbow-0.8.6.orig/debian/README.Debian +++ rainbow-0.8.6/debian/README.Debian 
@@ -0,0 +1,55 @@ +rainbow for Debian +------------------ + +By default, rainbow is not "ready to run" once installed. In order to get +rainbow to function, you need to add "rainbow" after the "passwd:" and +"group:" stanzas in /etc/nsswitch.conf. A quick-and-dirty way to do so is via +the following commands: + sudo /bin/sed -i -e s/^passwd:/passwd:\ rainbow/ /etc/nsswitch.conf + sudo /bin/sed -i -e s/^group:/group:\ rainbow/ /etc/nsswitch.conf + +You shoud remove "rainbow" from /etc/nsswitch.conf if you uninstall the +rainbow package. + +After modifying /etc/nsswitch.conf, restart nscd: + sudo /etc/init.d/nscd restart + +If you want to use the "rainbow-easy" helper script, you need a "audio" +group on your system: + sudo groupadd -f audio + +sugar and rainbow +------------------ + +Sugar versions 0.86 and higher support rainbow "out of the box", and only need +some configuration changes to enable full functionality. For earlier versions +of sugar, see http://wiki.laptop.org/go/Rainbow/Installation_Instructions. + +In order for Sugar to work with Rainbow, you will need to tell D-Bus to enable +all users on your system to access your D-Bus session. This represents a +security risk on multi-user systems and is therefore not enabled by default. + +To enable Activity D-Bus access, add the following to your +/etc/dbus-1/session.conf inside the '' section: + + +This will allow other UNIX users besides yours to access your session bus. This +might allow people on the same machine to control your applications and access +your data, so only make this change if you're fine with that (e.g. no one else +or only trusted ones using your computer). + +If you want Sugar activities to be able to access GConf when run using +Rainbow, you will need to run something like: + sudo cat >> /etc/orbitrc < Wed, 26 Aug 2009 06:43:54 -0400 --- rainbow-0.8.6.orig/debian/changelog +++ rainbow-0.8.6/debian/changelog 
@@ -0,0 +1,11 @@ +rainbow (0.8.6-1) unstable; urgency=low + + * New upstream version + + -- Luke Faraone Wed, 23 Dec 2009 15:10:58 -0500 + +rainbow (0.8.5-1) UNRELEASED; urgency=low + + * Initial release (Closes: #543688) + + -- Luke Faraone Wed, 26 Aug 2009 06:43:54 -0400 --- rainbow-0.8.6.orig/debian/compat +++ rainbow-0.8.6/debian/compat @@ -0,0 +1 @@ +7 --- rainbow-0.8.6.orig/debian/control +++ rainbow-0.8.6/debian/control 
@@ -0,0 +1,43 @@ +Source: rainbow +Section: shells +Priority: optional +Maintainer: Luke Faraone +Build-Depends: python, python-setuptools, python-support (>= 0.5.3), cdbs (>= 0.4.49), debhelper (>= 7), help2man, pandoc +Standards-Version: 3.8.3 +Vcs-Git: git://git.debian.org/git/collab-maint/rainbow.git +Vcs-Browser: http://git.debian.org/?p=collab-maint/rainbow.git; +Homepage: http://wiki.laptop.org/go/Rainbow + +Package: rainbow +Architecture: all +Depends: ${shlibs:Depends}, ${python:Depends}, ${misc:Depends}, libnss-rainbow2, python-rainbow +Provides: ${python:Provides} +Description: a Bitfrost isolation shell + Rainbow is a isolation shell which implements portions of the Bitfrost + security architecture, as used on the OLPC XO-1 and elsewhere. + . + At the moment, Rainbow only knows how to provide the same primitive form + of filesystem and signal isolation that competent sysadmins provide to + users of multi-user Unix shell servers. + +Package: libnss-rainbow2 +Section: libs +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: nss library for rainbow + Rainbow is a isolation shell which implements portions of the Bitfrost + security architecture, as used on the OLPC XO-1 and elsewhere. + . + This package contains an "Name Service Switch" plugin for glibc which + permits Rainbow to easily create and remove users and groups without + modifying /etc/passwd and /etc/group. + +Package: python-rainbow +Section: python +Architecture: all +Depends: ${python:Depends}, ${misc:Depends} +Description: core rainbow shared module + Rainbow is a isolation shell which implements portions of the Bitfrost + security architecture, as used on the OLPC XO-1 and elsewhere. + . + This package contains the shared Python module used by the rainbow frontend. --- rainbow-0.8.6.orig/debian/copyright +++ rainbow-0.8.6/debian/copyright 
@@ -0,0 +1,49 @@ +This package was debianized by Luke Faraone on +Wed, 26 Aug 2009 06:43:54 -0400. + +It was downloaded from . + +Upstream Authors: + Michael Stone + Noah Kantrowitz + Michael Burns + +Copyright: + + Copyright © 2007, One Laptop Per Child + Copyright © 2007, Noah Kantrowitz + Copyright © 2007, Michael Stone + Copyright © 2007, Michael Burns + +License: + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + 3. The names of the authors may not be used to endorse or promote + products derived from this software without specific prior + written permission. + + THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS + OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE + GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER + IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +The Debian packaging is Copyright © 2009, Luke Faraone and +is licensed under the GPL version 3+, see `/usr/share/common-licenses/GPL-3'. +For compatibility with upstream, the Debian packaging is also provided under +the above license. 
--- rainbow-0.8.6.orig/debian/help2man.include +++ rainbow-0.8.6/debian/help2man.include @@ -0,0 +1,9 @@ +[authors] +.B Rainbow +was primarilly written by Michael Stone and Noah Kantrowitz. + +[see also] +Full documentation for the +.B rainbow +suite is stored at http://wiki.laptop.org/go/Rainbow + --- rainbow-0.8.6.orig/debian/libnss-rainbow2.dirs +++ rainbow-0.8.6/debian/libnss-rainbow2.dirs @@ -0,0 +1 @@ +var/spool/rainbow/2/ --- rainbow-0.8.6.orig/debian/libnss-rainbow2.install +++ rainbow-0.8.6/debian/libnss-rainbow2.install @@ -0,0 +1,2 @@ +usr/lib/libnss_rainbow.so.2 +var/spool/rainbow/2 --- rainbow-0.8.6.orig/debian/manpages +++ rainbow-0.8.6/debian/manpages @@ -0,0 +1,7 @@ +rainbow-xify.8 +rainbow-run.8 +rainbow-sugarize.8 +rainbow-easy.8 +rainbow-gc.8 +rainbow-resume.8 +mkenvdir.1 --- rainbow-0.8.6.orig/debian/mkenvdir.1.md +++ rainbow-0.8.6/debian/mkenvdir.1.md @@ -0,0 +1,33 @@ +% MKENVDIR(8) Rainbow User Manual +% +% August 29, 2009 + +# NAME + +mkenvdir - populate a directory with the contents of the current environment variables + +# SYNOPSIS + +**mkenvdir** *DIR* + +# DESCRIPTION + +For each (key, value) in the current environment variables, **mkenvdir** creates a file with a name of *key*, contents *value*, in *DIR*. + +If *DIR* does not exist, it is created with mode 0755 owned by the current (effective) UID/GID. + +# OPTIONS + +This program does not accept any options or parameters other than as described above. + +# AUTHORS + +**Rainbow** was primarily written by Michael Stone and Noah Kantrowitz. + +This manual page was written by Luke Faraone for the **Debian GNU/Linux** system, but its use elsewhere is encouraged. + +# SEE ALSO + +`rainbow-run`(1) + +Additional documentation may be found at . --- rainbow-0.8.6.orig/debian/pycompat +++ rainbow-0.8.6/debian/pycompat @@ -0,0 +1 @@ +2 --- rainbow-0.8.6.orig/debian/python-rainbow.install +++ rainbow-0.8.6/debian/python-rainbow.install 
@@ -0,0 +1 @@ +usr/lib/python* --- rainbow-0.8.6.orig/debian/rainbow-easy.8.md +++ rainbow-0.8.6/debian/rainbow-easy.8.md @@ -0,0 +1,33 @@ +% RAINBOW-EASY(1) Rainbow User Manual +% +% August 28, 2009 + +# NAME + +rainbow-easy - wrapper of rainbow-run for the secure execution of untrusted programs + +# SYNOPSIS + +**rainbow-easy** *container-ID* *program-to-execute* + +# DESCRIPTION + +This program acts as a convenience wrapper of the rainbow-run command. It accepts a *container-ID*, which may be reused between sessions, and the path of a *program-to-execute* after the container is created. + +# OPTIONS + +This program does not accept any additional options or parameters. + +# AUTHORS + +**Rainbow** was primarily written by Michael Stone and Noah Kantrowitz. + +This manual page was written by Luke Faraone luke@faraone.cc for the **Debian GNU/Linux** system, but its use elsewhere is encouraged. + +# SEE ALSO + +`rainbow-run`(1), +`rainbow-sugarize`(1), +`rainbow-xify` (1). + +Additional documentation may be found at . --- rainbow-0.8.6.orig/debian/rainbow-resume.8.md +++ rainbow-0.8.6/debian/rainbow-resume.8.md 
@@ -0,0 +1,33 @@ +% RAINBOW-EASY(1) Rainbow User Manual +% +% December 23, 2009 + +# NAME + +rainbow-resume - wrapper of rainbow-run for the secure execution of untrusted programs + +# SYNOPSIS + +**rainbow-resume** *RESUME_UID* *program-to-execute* + +# DESCRIPTION + +This program allow one to resume a precreated isolated UID. It accepts a *RESUME_UID*, which may be reused between sessions, and the path of a *program-to-execute* after the container is created. + +# OPTIONS + +This program does not accept any additional options or parameters. + +# AUTHORS + +**Rainbow** was primarily written by Michael Stone and Noah Kantrowitz. + +This manual page was written by Luke Faraone luke@faraone.cc for the **Debian GNU/Linux** system, but its use elsewhere is encouraged. + +# SEE ALSO + +`rainbow-run`(1), +`rainbow-sugarize`(1), +`rainbow-xify` (1). + +Additional documentation may be found at . --- rainbow-0.8.6.orig/debian/rainbow.install +++ rainbow-0.8.6/debian/rainbow.install @@ -0,0 +1,4 @@ +usr/sbin +usr/bin +etc/ + --- rainbow-0.8.6.orig/debian/rules +++ rainbow-0.8.6/debian/rules 
@@ -0,0 +1,40 @@ +#!/usr/bin/make -f + +# python overrides: +DEB_PYTHON_MODULE_PACKAGES = python-rainbow +DEB_PYTHON_SYSTEM = pysupport + +#DEB_SRCDIR = $(CURDIR)/rainbow +include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/class/makefile.mk +include /usr/share/cdbs/1/rules/simple-patchsys.mk +include /usr/share/cdbs/1/class/python-distutils.mk + +# more overrides: +DEB_MAKE_INSTALL_TARGET = DESTDIR=$(CURDIR)/debian/tmp install +DH_VERBOSE=1 + +DEB_PYTHON_BUILD_ARGS = --build-base="$(DEB_BUILDDIR)/build" + + +# custom stuff:: +HELP2MAN_PROPS = --section=8 --no-info -S 'Rainbow User Manual' --include='./debian/help2man.include' + +# generate manpages. +# PYTHONPATH specified so that the scripts execute properly without installation + +build/rainbow:: + PYTHONPATH=. help2man $(HELP2MAN_PROPS) --name='Enable the use of the X display in rainbow-secured shells' ./bin/rainbow-xify > ./rainbow-xify.8 + PYTHONPATH=. help2man $(HELP2MAN_PROPS) --name='Create and use Rainbow-isolated instances' ./bin/rainbow-run > ./rainbow-run.8 + PYTHONPATH=. help2man $(HELP2MAN_PROPS) --name='Helper script for using Sugar with Rainbow' ./bin/rainbow-sugarize > ./rainbow-sugarize.8 + PYTHONPATH=. help2man $(HELP2MAN_PROPS) --name='Helper script which attempts to garbage-collect stale uid reservations' ./bin/rainbow-gc > ./rainbow-gc.8 + pandoc -s -w man ./debian/rainbow-easy.8.md -o rainbow-easy.8 + pandoc -s -w man ./debian/rainbow-resume.8.md -o rainbow-resume.8 + pandoc -s -w man ./debian/mkenvdir.1.md -o mkenvdir.1 + +clean:: + make -C nss clean + rm -f rainbow-xify.8 rainbow-run.8 rainbow-sugarize.8 rainbow-easy.8 mkenvdir.1 + rm -rf rainbow.egg-info + rm -rf build + --- rainbow-0.8.6.orig/debian/watch +++ rainbow-0.8.6/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://dev.laptop.org/~mstone/releases/SOURCES/rainbow-(.*).tar.bz2 --- rainbow-0.8.6.orig/debian/patches/1000-install-bins-in-sbin.patch +++ rainbow-0.8.6/debian/patches/1000-install-bins-in-sbin.patch 
@@ -0,0 +1,13 @@ +diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/Makefile rainbow-0.8.6.new/bin/Makefile +--- rainbow-0.8.6/bin/Makefile 2009-12-21 23:58:13.000000000 -0500 ++++ rainbow-0.8.6.new/bin/Makefile 2009-12-23 14:52:50.807759078 -0500 +@@ -1,7 +1,7 @@ + + install: +- install -D -m 0755 rainbow-run $(BINDIR)/rainbow-run +- install -D -m 0755 rainbow-easy $(BINDIR)/rainbow-easy ++ install -D -m 0755 rainbow-run $(SBINDIR)/rainbow-run ++ install -D -m 0755 rainbow-easy $(SBINDIR)/rainbow-easy + install -D -m 0755 rainbow-resume $(BINDIR)/rainbow-resume + install -D -m 0755 rainbow-gc $(BINDIR)/rainbow-gc + install -D -m 0755 rainbow-sugarize $(BINDIR)/rainbow-sugarize --- rainbow-0.8.6.orig/debian/patches/2000-makefile-nosetup.patch +++ rainbow-0.8.6/debian/patches/2000-makefile-nosetup.patch @@ -0,0 +1,15 @@ +diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/Makefile rainbow-0.8.6.new/Makefile +--- rainbow-0.8.6/Makefile 2009-12-21 23:58:13.000000000 -0500 ++++ rainbow-0.8.6.new/Makefile 2009-12-23 14:53:23.437738591 -0500 +@@ -8,11 +8,9 @@ + + # targets + build: +- python setup.py build + $(MAKE) -C nss + + install: +- python setup.py install --root=$(DESTDIR) + $(MAKE) -C bin install + $(MAKE) -C nss install + install -d $(SYSCONFDIR)/security/console.perms.d/ --- rainbow-0.8.6.orig/debian/patches/2001-python-env.patch +++ rainbow-0.8.6/debian/patches/2001-python-env.patch 
@@ -0,0 +1,45 @@ +diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/mkenvdir rainbow-0.8.6.new/bin/mkenvdir +--- rainbow-0.8.6/bin/mkenvdir 2009-12-21 23:58:13.000000000 -0500 ++++ rainbow-0.8.6.new/bin/mkenvdir 2009-12-23 14:53:50.680267248 -0500 +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/python + import os, sys + from os.path import join, exists, isdir + from rainbow.util import make_dirs +diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/rainbow-gc rainbow-0.8.6.new/bin/rainbow-gc +--- rainbow-0.8.6/bin/rainbow-gc 2009-12-21 23:58:13.000000000 -0500 ++++ rainbow-0.8.6.new/bin/rainbow-gc 2009-12-23 14:53:58.467724176 -0500 +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/python + + import sys + +diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/rainbow-run rainbow-0.8.6.new/bin/rainbow-run +--- rainbow-0.8.6/bin/rainbow-run 2009-12-21 23:58:13.000000000 -0500 ++++ rainbow-0.8.6.new/bin/rainbow-run 2009-12-23 14:54:04.738757710 -0500 +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/python + + import os + import sys +diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/rainbow-sugarize rainbow-0.8.6.new/bin/rainbow-sugarize +--- rainbow-0.8.6/bin/rainbow-sugarize 2009-12-21 23:58:13.000000000 -0500 ++++ rainbow-0.8.6.new/bin/rainbow-sugarize 2009-12-23 14:54:08.987700459 -0500 +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/python + + import sys + import pwd +diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/rainbow-xify rainbow-0.8.6.new/bin/rainbow-xify +--- rainbow-0.8.6/bin/rainbow-xify 2009-12-21 23:58:13.000000000 -0500 ++++ rainbow-0.8.6.new/bin/rainbow-xify 2009-12-23 14:54:15.200305059 -0500 +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/python + + import sys + import pwd --- rainbow-0.8.6.orig/debian/patches/README +++ rainbow-0.8.6/debian/patches/README @@ -0,0 +1,4 @@ +0xxx: Grabbed from upstream development. +1xxx: Possibly relevant for upstream adoption. +2xxx: Only relevant for official Debian release. +
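Review bot: In debian/README.Debian, the two sed commands (`s/^passwd:/passwd:\ rainbow/` and the `group:` equivalent) put rainbow ahead of every source already on the line, so it is consulted first, and running them a second time adds a duplicate entry. Please state in the README whether that ordering is intended, and make the commands skip lines that already list rainbow. Further down, `sudo cat >> /etc/orbitrc` will fail for a non-root user because the `>>` redirection is opened by the calling shell rather than by sudo; piping into `sudo tee -a /etc/orbitrc` avoids that. "You shoud remove" should read "You should remove".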
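Review bot: In debian/changelog, `(Closes: #543688)` sits in the 0.8.5-1 entry, which is marked UNRELEASED, while the entry being uploaded is 0.8.6-1. By default only the topmost entry is used when the .changes file is generated, so this upload would not close the bug. Move the Closes to the 0.8.6-1 entry, or fold the two entries into a single "Initial release" entry.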
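Review bot: In debian/control, the `rainbow` binary package is `Architecture: all` yet lists `${shlibs:Depends}` in its Depends line; that substitution is only filled for packages that ship compiled objects, so it can be dropped here and kept on libnss-rainbow2. The long descriptions also need a grammar pass: "Rainbow is a isolation shell" should be "an isolation shell" (three occurrences), and `an "Name Service Switch" plugin` should be `a "Name Service Switch" plugin`.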
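Review bot: In debian/mkenvdir.1.md, the title line reads `% MKENVDIR(8)` but the file is named mkenvdir.1.md, is rendered to mkenvdir.1 in debian/rules and is listed as mkenvdir.1 in debian/manpages, so the header should say section 1. SEE ALSO cites `rainbow-run`(1), while debian/rules generates rainbow-run.8. Since the page says DIR is created with mode 0755 and each variable's value is written to a file, it should also state the mode of those files, because environment values are often sensitive.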
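Review bot: In debian/rainbow-easy.8.md, the title line `% RAINBOW-EASY(1)` disagrees with the file name and with debian/manpages, which both place the page in section 8. The SEE ALSO entries for rainbow-run, rainbow-sugarize and rainbow-xify are likewise cited as (1) although debian/rules builds them with `--section=8`, and `rainbow-xify` (1) has a stray space before the section number.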
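Review bot: In debian/rainbow-resume.8.md, the title line is still `% RAINBOW-EASY(1)`, carried over from the rainbow-easy page; it should name rainbow-resume and section 8. The NAME summary ("wrapper of rainbow-run for the secure execution of untrusted programs") is also identical to rainbow-easy's and does not say that this tool resumes an existing UID. "This program allow one" should be "allows one", and the SEE ALSO section numbers have the same (1) versus (8) mismatch.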
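Review bot: In debian/rules, the `clean::` target removes rainbow-xify.8, rainbow-run.8, rainbow-sugarize.8, rainbow-easy.8 and mkenvdir.1, but `build/rainbow::` also generates rainbow-gc.8 and rainbow-resume.8, which are left behind in the source tree after a clean. Add both to the `rm -f` line. `make -C nss clean` should use `$(MAKE)` so that flags passed to the parent make are propagated.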
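Review bot: In debian/watch, the pattern `rainbow-(.*).tar.bz2` leaves the dots unescaped, so they match any character; `rainbow-(.*)\.tar\.bz2` is the stricter form. The tarball is also fetched over plain http with no integrity check visible in this file, which is worth recording in the packaging notes.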
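Review bot: In debian/patches/1000-install-bins-in-sbin.patch, the two changed lines install into `$(SBINDIR)`, but the hunk does not define that variable and nothing else in this diff does either. If bin/Makefile or its caller does not already set it, `$(SBINDIR)/rainbow-run` expands to `/rainbow-run`. Please confirm where SBINDIR comes from or add the definition to this patch. The patch also leaves rainbow-resume, rainbow-gc and rainbow-sugarize in `$(BINDIR)` although their manual pages are in section 8; a line in the patch header saying why only rainbow-run and rainbow-easy move would help.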