debian/

debian/copyright

This package was debianized by Luke Faraone on
Wed, 26 Aug 2009 06:43:54 -0400.

It was downloaded from .

Upstream Authors:

    Michael Stone
    Noah Kantrowitz
    Michael Burns

Copyright:

    Copyright © 2007, One Laptop Per Child
    Copyright © 2007, Noah Kantrowitz
    Copyright © 2007, Michael Stone
    Copyright © 2007, Michael Burns

License:

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
    3. The names of the authors may not be used to endorse or promote products
       derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
    IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
    OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
    NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
    TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
    PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The Debian packaging is Copyright © 2009, Luke Faraone and is licensed under
the GPL version 3+, see `/usr/share/common-licenses/GPL-3'.

For compatibility with upstream, the Debian packaging is also provided under
the above license.

debian/help2man.include

[authors]
.B Rainbow
was primarily written by Michael Stone and Noah Kantrowitz.

[see also]
Full documentation for the
.B rainbow
suite is stored at http://wiki.laptop.org/go/Rainbow

debian/mkenvdir.1.md

% MKENVDIR(8) Rainbow User Manual
%
% August 29, 2009

# NAME

mkenvdir - populate a directory with the contents of the current environment variables

# SYNOPSIS

**mkenvdir** *DIR*

# DESCRIPTION

For each (key, value) in the current environment variables, **mkenvdir**
creates a file with a name of *key*, contents *value*, in *DIR*.

If *DIR* does not exist, it is created with mode 0755 owned by the current
(effective) UID/GID.

# OPTIONS

This program does not accept any options or parameters other than as
described above.

# AUTHORS

**Rainbow** was primarily written by Michael Stone and Noah Kantrowitz.

This manual page was written by Luke Faraone for the **Debian GNU/Linux**
system, but its use elsewhere is encouraged.

# SEE ALSO

`rainbow-run`(1)

Additional documentation may be found at .

debian/control

Source: rainbow
Section: shells
Priority: optional
Maintainer: Luke Faraone
Build-Depends: python, python-setuptools, python-support (>= 0.5.3), cdbs (>= 0.4.49), debhelper (>= 7), help2man, pandoc, pandoc-data
Standards-Version: 3.9.4
Vcs-Bzr: https://code.launchpad.net/~lfaraone/rainbow/debian
Homepage: http://wiki.laptop.org/go/Rainbow

Package: rainbow
Architecture: all
Depends: ${shlibs:Depends}, ${python:Depends}, ${misc:Depends}, libnss-rainbow2, python-rainbow
Provides: ${python:Provides}
Description: a Bitfrost isolation shell
 Rainbow is an isolation shell which implements portions of the Bitfrost
 security architecture, as used on the OLPC XO-1 and elsewhere.
 .
 At the moment, Rainbow only knows how to provide the same primitive form of
 filesystem and signal isolation that competent sysadmins provide to users of
 multi-user Unix shell servers.

Package: libnss-rainbow2
Section: libs
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: nss library for rainbow
 Rainbow is an isolation shell which implements portions of the Bitfrost
 security architecture, as used on the OLPC XO-1 and elsewhere.
 .
 This package contains a "Name Service Switch" plugin for glibc which permits
 Rainbow to easily create and remove users and groups without modifying
 /etc/passwd and /etc/group.

Package: python-rainbow
Section: python
Architecture: all
Depends: ${python:Depends}, ${misc:Depends}
Description: core rainbow shared module
 Rainbow is an isolation shell which implements portions of the Bitfrost
 security architecture, as used on the OLPC XO-1 and elsewhere.
 .
 This package contains the shared Python module used by the rainbow frontend.

debian/rainbow-resume.8.md

% RAINBOW-EASY(1) Rainbow User Manual
%
% December 23, 2009

# NAME

rainbow-resume - wrapper of rainbow-run for the secure execution of untrusted programs

# SYNOPSIS

**rainbow-resume** *RESUME_UID* *program-to-execute*

# DESCRIPTION

This program allows one to resume a precreated isolated UID. It accepts a
*RESUME_UID*, which may be reused between sessions, and the path of a
*program-to-execute* after the container is created.

# OPTIONS

This program does not accept any additional options or parameters.

# AUTHORS

**Rainbow** was primarily written by Michael Stone and Noah Kantrowitz.

This manual page was written by Luke Faraone luke@faraone.cc for the
**Debian GNU/Linux** system, but its use elsewhere is encouraged.

# SEE ALSO

`rainbow-run`(1), `rainbow-sugarize`(1), `rainbow-xify`(1).

Additional documentation may be found at .
debian/rainbow.install

usr/sbin
usr/bin
etc/

debian/source/

debian/source/format

3.0 (quilt)

debian/manpages

rainbow-xify.8
rainbow-run.8
rainbow-sugarize.8
rainbow-easy.8
rainbow-gc.8
rainbow-resume.8
mkenvdir.1

debian/pycompat

2

debian/watch

version=3
http://dev.laptop.org/~mstone/releases/SOURCES/rainbow-(.*).tar.bz2

debian/compat

7

debian/python-rainbow.install

usr/lib/python*

debian/libnss-rainbow2.dirs

var/spool/rainbow/2/

debian/README.Debian

rainbow for Debian
------------------

By default, rainbow is not "ready to run" once installed. In order to get
rainbow to function, you need to add "rainbow" after the "passwd:" and
"group:" stanzas in /etc/nsswitch.conf. A quick-and-dirty way to do so is via
the following commands:

    sudo /bin/sed -i -e s/^passwd:/passwd:\ rainbow/ /etc/nsswitch.conf
    sudo /bin/sed -i -e s/^group:/group:\ rainbow/ /etc/nsswitch.conf

You should remove "rainbow" from /etc/nsswitch.conf if you uninstall the
rainbow package.

After modifying /etc/nsswitch.conf, restart nscd:

    sudo /etc/init.d/nscd restart

If you want to use the "rainbow-easy" helper script, you need an "audio" group
on your system:

    sudo groupadd -f audio

sugar and rainbow
------------------

Sugar versions 0.86 and higher support rainbow "out of the box", and only need
some configuration changes to enable full functionality.

For earlier versions of sugar, see
http://wiki.laptop.org/go/Rainbow/Installation_Instructions.
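
Going back to the /etc/nsswitch.conf step in the "rainbow for Debian" section: the sed commands there add another "rainbow" each time they are run, and removal on uninstall is left to the administrator. The shell functions below are an added example, not part of the rainbow package (all function names are hypothetical); they make the same edit only once and can undo it.

```shell
#!/bin/sh
# Added example, not part of the rainbow package; function names are hypothetical.

# nss_has_source FILE DB SRC: succeed if SRC is already listed for database DB.
nss_has_source() {
    awk -v db="$2:" -v src="$3" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit !found }' "$1"
}

# _nss_rewrite FILE: replace FILE's contents with stdin, keeping owner and mode.
_nss_rewrite() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# nss_add_source FILE DB SRC: put SRC directly after "DB:", where the README's
# sed commands put it, but only if it is not listed yet.
nss_add_source() {
    nss_has_source "$1" "$2" "$3" && return 0
    awk -v db="$2:" -v src="$3" '
        $1 == db { sub(/:/, ": " src) }
        { print }' "$1" | _nss_rewrite "$1"
}

# nss_remove_source FILE DB SRC: drop every SRC entry from the DB line
# (for use when the package is uninstalled); other lines are left untouched.
nss_remove_source() {
    awk -v db="$2:" -v src="$3" '
        $1 == db {
            line = $1
            for (i = 2; i <= NF; i++) if ($i != src) line = line " " $i
            $0 = line
        }
        { print }' "$1" | _nss_rewrite "$1"
}
```

Run the functions against a copy of /etc/nsswitch.conf first and compare the result before changing the live file, then restart nscd as described above.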

In order for Sugar to work with Rainbow, you will need to tell D-Bus to enable
all users on your system to access your D-Bus session. This represents a
security risk on multi-user systems and is therefore not enabled by default.

To enable Activity D-Bus access, add the following to your
/etc/dbus-1/session.conf inside the '' section:

This will allow other UNIX users besides yours to access your session bus.
This might allow people on the same machine to control your applications and
access your data, so only make this change if you're fine with that (e.g. no
one else or only trusted ones using your computer).

If you want Sugar activities to be able to access GConf when run using
Rainbow, you will need to run something like:

sudo cat >> /etc/orbitrc < Wed, 26 Aug 2009 06:43:54 -0400

debian/patches/

debian/patches/2000-makefile-nosetup.patch

diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/Makefile rainbow-0.8.6.new/Makefile --- rainbow-0.8.6/Makefile 2009-12-21 23:58:13.000000000 -0500 +++ rainbow-0.8.6.new/Makefile 2009-12-23 14:53:23.437738591 -0500 @@ -8,11 +8,9 @@ # targets build: - python setup.py build $(MAKE) -C nss install: - python setup.py install --root=$(DESTDIR) $(MAKE) -C bin install $(MAKE) -C nss install install -d $(SYSCONFDIR)/security/console.perms.d/

debian/patches/README

0xxx: Grabbed from upstream development.
1xxx: Possibly relevant for upstream adoption.
2xxx: Only relevant for official Debian release.

debian/patches/2001-python-env.patch

diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/mkenvdir rainbow-0.8.6.new/bin/mkenvdir --- rainbow-0.8.6/bin/mkenvdir 2009-12-21 23:58:13.000000000 -0500 +++ rainbow-0.8.6.new/bin/mkenvdir 2009-12-23 14:53:50.680267248 -0500
@@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python import os, sys from os.path import join, exists, isdir from rainbow.util import make_dirs diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/rainbow-gc rainbow-0.8.6.new/bin/rainbow-gc --- rainbow-0.8.6/bin/rainbow-gc 2009-12-21 23:58:13.000000000 -0500 +++ rainbow-0.8.6.new/bin/rainbow-gc 2009-12-23 14:53:58.467724176 -0500 @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python import sys diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/rainbow-run rainbow-0.8.6.new/bin/rainbow-run --- rainbow-0.8.6/bin/rainbow-run 2009-12-21 23:58:13.000000000 -0500 +++ rainbow-0.8.6.new/bin/rainbow-run 2009-12-23 14:54:04.738757710 -0500 @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python import os import sys diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/rainbow-sugarize rainbow-0.8.6.new/bin/rainbow-sugarize --- rainbow-0.8.6/bin/rainbow-sugarize 2009-12-21 23:58:13.000000000 -0500 +++ rainbow-0.8.6.new/bin/rainbow-sugarize 2009-12-23 14:54:08.987700459 -0500 @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python import sys import pwd diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/rainbow-xify rainbow-0.8.6.new/bin/rainbow-xify --- rainbow-0.8.6/bin/rainbow-xify 2009-12-21 23:58:13.000000000 -0500 +++ rainbow-0.8.6.new/bin/rainbow-xify 2009-12-23 14:54:15.200305059 -0500 @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python import sys import pwd debian/patches/1000-install-bins-in-sbin.patch0000644000000000000000000000127312217650616016161 0ustar diff -Nur -x '*.orig' -x '*~' rainbow-0.8.6/bin/Makefile rainbow-0.8.6.new/bin/Makefile --- rainbow-0.8.6/bin/Makefile 2009-12-21 23:58:13.000000000 -0500 +++ rainbow-0.8.6.new/bin/Makefile 2009-12-23 14:52:50.807759078 -0500 
@@ -1,7 +1,7 @@ install: - install -D -m 0755 rainbow-run $(BINDIR)/rainbow-run - install -D -m 0755 rainbow-easy $(BINDIR)/rainbow-easy + install -D -m 0755 rainbow-run $(SBINDIR)/rainbow-run + install -D -m 0755 rainbow-easy $(SBINDIR)/rainbow-easy install -D -m 0755 rainbow-resume $(BINDIR)/rainbow-resume install -D -m 0755 rainbow-gc $(BINDIR)/rainbow-gc install -D -m 0755 rainbow-sugarize $(BINDIR)/rainbow-sugarize

debian/patches/series

2000-makefile-nosetup.patch

debian/rainbow-easy.8.md

% RAINBOW-EASY(1) Rainbow User Manual
%
% August 28, 2009

# NAME

rainbow-easy - wrapper of rainbow-run for the secure execution of untrusted programs

# SYNOPSIS

**rainbow-easy** *container-ID* *program-to-execute*

# DESCRIPTION

This program acts as a convenience wrapper of the rainbow-run command. It
accepts a *container-ID*, which may be reused between sessions, and the path
of a *program-to-execute* after the container is created.

# OPTIONS

This program does not accept any additional options or parameters.

# AUTHORS

**Rainbow** was primarily written by Michael Stone and Noah Kantrowitz.

This manual page was written by Luke Faraone luke@faraone.cc for the
**Debian GNU/Linux** system, but its use elsewhere is encouraged.

# SEE ALSO

`rainbow-run`(1), `rainbow-sugarize`(1), `rainbow-xify`(1).

Additional documentation may be found at .

debian/changelog

rainbow (0.8.7-1) unstable; urgency=low

  * New upstream version
  * Add dependency on pandoc-data to fix FTBFS (closes: #724106)
  * Update Vcs-* field in debian/control
  * Update maintainer for my debian.org address.
  * Fix typo in man page.
  * Bump standards version; no changes required
  * Switch to dpkg-source 3.0 (quilt) format

 -- Luke Faraone Sun, 22 Sep 2013 16:21:27 -0400

rainbow (0.8.6-1) unstable; urgency=low

  * New upstream version

 -- Luke Faraone Wed, 23 Dec 2009 15:10:58 -0500

rainbow (0.8.5-1) UNRELEASED; urgency=low

  * Initial release (Closes: #543688)

 -- Luke Faraone Wed, 26 Aug 2009 06:43:54 -0400

debian/libnss-rainbow2.install

usr/lib/libnss_rainbow.so.2
var/spool/rainbow/2

debian/rules

#!/usr/bin/make -f

# python overrides:
DEB_PYTHON_MODULE_PACKAGES = python-rainbow
DEB_PYTHON_SYSTEM = pysupport
#DEB_SRCDIR = $(CURDIR)/rainbow

include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/makefile.mk
include /usr/share/cdbs/1/class/python-distutils.mk

# more overrides:
DEB_MAKE_INSTALL_TARGET = DESTDIR=$(CURDIR)/debian/tmp install
DH_VERBOSE=1
DEB_PYTHON_BUILD_ARGS = --build-base="$(DEB_BUILDDIR)/build"

# custom stuff::
HELP2MAN_PROPS = --section=8 --no-info -S 'Rainbow User Manual' --include='./debian/help2man.include'

# generate manpages.
# PYTHONPATH specified so that the scripts execute properly without installation
build/rainbow::
	PYTHONPATH=. help2man $(HELP2MAN_PROPS) --name='Enable the use of the X display in rainbow-secured shells' ./bin/rainbow-xify > ./rainbow-xify.8
	PYTHONPATH=. help2man $(HELP2MAN_PROPS) --name='Create and use Rainbow-isolated instances' ./bin/rainbow-run > ./rainbow-run.8
	PYTHONPATH=. help2man $(HELP2MAN_PROPS) --name='Helper script for using Sugar with Rainbow' ./bin/rainbow-sugarize > ./rainbow-sugarize.8
	PYTHONPATH=. help2man $(HELP2MAN_PROPS) --name='Helper script which attempts to garbage-collect stale uid reservations' ./bin/rainbow-gc > ./rainbow-gc.8
	pandoc -s -w man ./debian/rainbow-easy.8.md -o rainbow-easy.8
	pandoc -s -w man ./debian/rainbow-resume.8.md -o rainbow-resume.8
	pandoc -s -w man ./debian/mkenvdir.1.md -o mkenvdir.1

clean::
	make -C nss clean
	rm -f rainbow-xify.8 rainbow-run.8 rainbow-sugarize.8 rainbow-easy.8 mkenvdir.1
	rm -rf rainbow.egg-info
	rm -rf build
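
Review bot: debian/patches/2000-makefile-nosetup.patch drops both `python setup.py` lines from the build and install targets without a header saying what builds and installs the Python module instead. debian/rules includes /usr/share/cdbs/1/class/python-distutils.mk, so the patch header should state that cdbs is expected to run setup.py and that the Makefile must not run it a second time.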
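
Review bot: debian/patches/2001-python-env.patch has no description header, so nothing records why each `#!/usr/bin/env python` line in bin/ becomes `#!/usr/bin/python`. If the intent is that the caller's PATH must not select the interpreter for these tools, say so in the header. The hunks cover mkenvdir, rainbow-gc, rainbow-run, rainbow-sugarize and rainbow-xify; confirm whether rainbow-easy and rainbow-resume need the same change. The patch is also absent from debian/patches/series, which lists only 2000-makefile-nosetup.patch, so either list it there or delete it.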
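
Review bot: in debian/patches/1000-install-bins-in-sbin.patch the two `+` lines install rainbow-run and rainbow-easy under $(SBINDIR), but nothing in the hunk defines SBINDIR; if the build leaves it empty, `install -D` would write to /rainbow-run and /rainbow-easy. Check that the top-level Makefile or debian/rules sets SBINDIR, and add a header explaining why only these two tools move while rainbow-resume, rainbow-gc and rainbow-sugarize stay in $(BINDIR). This patch is not listed in debian/patches/series either.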