When executed the command
rpm -i adobe-release-i386-1.0-1.noarch.rpm The feedback is, Eerror: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
What is the Solution and what is meant by? can't create transaction lock
How to Overcome this?
On 04/09/2011 12:21 AM, Varuna Seneviratna wrote:
When executed the command
rpm -i adobe-release-i386-1.0-1.noarch.rpm The feedback is, Eerror: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
What is the Solution and what is meant by? can't create transaction lock
How to Overcome this?
You have to execute as root, not as a regular user.
Either become root (su -) or use sudo....
Hello Kevin When I execute as root I am not in the Downloads directory and the command "cd Downloads" produces the output "-bash: cd: Downloads: No such file or directory"
How can I use the file in the Downloads directory or go to Downloads when logged in as root?
On 9 April 2011 09:54, Kevin J. Cummings cummings@kjchome.homeip.net wrote:
On 04/09/2011 12:21 AM, Varuna Seneviratna wrote:
When executed the command
rpm -i adobe-release-i386-1.0-1.noarch.rpm The feedback is, Eerror: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
What is the Solution and what is meant by? can't create transaction lock
How to Overcome this?
You have to execute as root, not as a regular user.
Either become root (su -) or use sudo....
-- Kevin J. Cummings kjchome@verizon.net cummings@kjchome.homeip.net cummings@kjc386.framingham.ma.us Registered Linux User #1232 (http://counter.li.org) -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
On Sat, 9 Apr 2011 10:03:42 +0530 Varuna Seneviratna varunaseneviratna@gmail.com wrote:
Hello Kevin When I execute as root I am not in the Downloads directory and the command "cd Downloads" produces the output "-bash: cd: Downloads: No such file or directory"
How can I use the file in the Downloads directory or go to Downloads when logged in as root?
You want the Downloads directory for your user, not for root, so:
cd ~yourusername/Downloads
the ~ there means home directory of, and of course you need to replace 'yourusername' with whatever you login is.
Kind of dated, but still a lot of good information about the command line is available in RUTE: http://rute.2038bug.com/index.html.gz
kevin
On 04/08/2011 09:36 PM, Kevin Fenzi wrote:
You want the Downloads directory for your user, not for root, so:
cd ~yourusername/Downloads
Even easier: just use su instead of su - because that doesn't change your directory and su - is a tad heavy handed for simply installing software.
On Sat, 9 Apr 2011 09:51:53 +0530 Varuna Seneviratna varunaseneviratna@gmail.com wrote:
When executed the command
rpm -i adobe-release-i386-1.0-1.noarch.rpm The feedback is, Eerror: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
What is the Solution and what is meant by? can't create transaction lock
How to Overcome this?
You need to be root (superuser) to install packages. ;) (ie, use the 'su' command first)
Also, see:
http://fedoraproject.org/wiki/Flash
for step by step instructions.
kevin
If I hadn't been fighting with grub for five days straight (and still losing), I'd have been able to add my two cents when it might have still mattered. (sigh)
On Sat, Apr 9, 2011 at 1:21 PM, Varuna Seneviratna varunaseneviratna@gmail.com wrote:
When executed the command
rpm -i adobe-release-i386-1.0-1.noarch.rpm The feedback is, Eerror: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
What is the Solution and what is meant by? can't create transaction lock
Theoretically, a transaction lock is a flag (often in the form of a specific file) which is used by the system to prevent two (or more) processes from working at the same time on some important system resource. Without such a flag, the processes could end up leaving the resource in a confused state.
How to Overcome this?
My advice is not to.
You don't surf the web as an administrator user, do you?
Right, you wouldn't do such a silly thing. So, logged in as the non-administrator user that you want to use to surf the web and see all the flash, do the following:
Go back to adobe and get the tarball version, instead of the rpm.
Start a shell and do the following in it:
cd .mozilla/plugins tar xzf ~/Desktop/<flash-tarball-name.tar.gz>
This allows you to view flash as that user. Other users will not have access to flash unless you do the same thing for them.
This is not to be mean to the other users. It's to protect the other users from the vulnerabilities in flash. If flash is installed globally (the usual thing that happens when you use the rpm package), all users become vulnerable. Including that administrator account that you never use to get on the web, except to fedoraproject.org and other places where you need to read the manuals, etc.
Fedoraproject.org will hopefully never have malicious code, but if you use google and find something interesting on feboraproject.org, you might not notice. So it's just better to keep the misbehaving plugin away from the system libraries and such.
The flash plugin is not that big so having a copy in your surfing user account and another in your children's surfing account, etc., is not going to be a problem, except that every time adobe cleans out another vulnerability, you'll need to remember to unpack it in all the surfing accounts.
There are probably no more than three of those, anyway, right?
Joel Rees
On Sun, Apr 10, 2011 at 7:04 PM, Joel Rees joel.rees@gmail.com wrote:
This is not to be mean to the other users. It's to protect the other users from the vulnerabilities in flash. If flash is installed globally (the usual thing that happens when you use the rpm package), all users become vulnerable. Including that administrator account that you never use to get on the web, except to fedoraproject.org and other places where you need to read the manuals, etc.
I don't think this is correct. Permissions for plugins are not setuid. So as long as the call to load the library is done as a regular user (as in, you don't surf the Internet as root), vulnerabilities in the plugin can _only_ affect the regular user.
Please feel free to correct me if you think I am wrong.
(I was hoping someone else would take the time to explain this.)
On Mon, Apr 11, 2011 at 12:42 PM, suvayu ali fatkasuvayu+linux@gmail.com wrote:
On Sun, Apr 10, 2011 at 7:04 PM, Joel Rees joel.rees@gmail.com wrote:
This is not to be mean to the other users. It's to protect the other users from the vulnerabilities in flash. If flash is installed globally (the usual thing that happens when you use the rpm package), all users become vulnerable. Including that administrator account that you never use to get on the web, except to fedoraproject.org and other places where you need to read the manuals, etc.
I don't think this is correct. Permissions for plugins are not setuid.
setuid is not really relavent to this particular question.
So as long as the call to load the library is done as a regular user (as in, you don't surf the Internet as root),
Sure, you don't surf the web as root. I don't surf the web as root. Nor do we surf the web as a user capable of raising privilege temporarily via sudo.
And we always su (if we do use su to do administrative tasks) from users that we never surf the web from, right? You understand why?
And we have a dedicated user for downloading live CD and install CD images, Oracle's Java (if we need that) and (ahem) Adobe's Flash, getting on-line to paypal or your bank, etc.
Right?
Does that explain why I'm saying you don't want Flash loading every time you run your web browser as any user?
vulnerabilities in the plugin can _only_ affect the regular user.
There are many paths to exploits besides things directly running in the instance of the web server (with plugins) which you are currently running. Tricks like leaving keyloggers and trojans behind, in places where they get executed the next time you log in instead of now.
So a Flash exploit lets the bad guys leave a keylogger in your surfing account. That's not good (and in some senses it's a ticking time bomb), but at least it isn't as bad as it could be.
Joel Rees
Hi Joel,
On Wed, Apr 13, 2011 at 5:56 AM, Joel Rees joel.rees@gmail.com wrote:
And we always su (if we do use su to do administrative tasks) from users that we never surf the web from, right? You understand why?
I presume you are alluding to the possibility of the system being affected by keyloggers (as you mention later in your post)?
Does that explain why I'm saying you don't want Flash loading every time you run your web browser as any user?
How does this change when flash is installed as the regular user? Irrespective of how flash was installed, whatever vulnerabilities it introduces will be limited to the account that is using it. Isn't that correct?
vulnerabilities in the plugin can _only_ affect the regular user.
There are many paths to exploits besides things directly running in the instance of the web server (with plugins) which you are currently running. Tricks like leaving keyloggers and trojans behind, in places where they get executed the next time you log in instead of now.
So a Flash exploit lets the bad guys leave a keylogger in your surfing account. That's not good (and in some senses it's a ticking time bomb), but at least it isn't as bad as it could be.
How does (not-)installing flash as root affect any of the above? What you are talking about above is something everyone should be mindful of when surfing the Internet irrespective of whether they are using flash.
I still fail to see how installing flash as the regular user is saving the user from any vulnerabilities which he/she would be otherwise prone to.
Pardon me for being pedantic here.
On Thu, Apr 14, 2011 at 2:34 AM, suvayu ali fatkasuvayu+linux@gmail.com wrote:
Hi Joel,
On Wed, Apr 13, 2011 at 5:56 AM, Joel Rees joel.rees@gmail.com wrote:
And we always su (if we do use su to do administrative tasks) from users that we never surf the web from, right? You understand why?
I presume you are alluding to the possibility of the system being affected by keyloggers (as you mention later in your post)?
Keyloggers are an example. There are all sorts of malicious kinds of software that can be installed via vulnerabilities in Flash. There are more vulnerabilities than are known, and there are more known by those who would keep them secret and use them to their own purposes than by those who would help fix them.
Does that explain why I'm saying you don't want Flash loading every time you run your web browser as any user?
How does this change when flash is installed as the regular user?
From what I said about not using su or sudo when logged in to an
account you surf the web from, you understand that I mean that the user does not even use su or sudo to do the final step of copying flash where it goes? The steps I gave, to move the downloaded tarball to the home directory via the graphical file manager start a shell in a terminal session and do this:
----------------- cd .mozilla/plugins tar xzf ~/Desktop/<flash-tarball-name.tar.gz> -----------------
put the Flash plugin file in /home/<username>/.mozilla/plugins , not in any system-wide file, not in any directory accessible to any other user.
That means that flash will not even run for any other user.
Well, you can install flash in other users' .mozilla/plugins directories if you want, of course, but only the users which have the flash specifically installed will be able to run flash.
Irrespective of how flash was installed, whatever vulnerabilities it introduces will be limited to the account that is using it. Isn't that correct?
Uhm. Actually, unfortunately, not necessarily. There have been vulnerabilities that don't require setuid execution to escalate privilege. Of course, with such vulnerabilities, the local installation is not a high wall, but even low walls can help a little.
But you see that is not what I'm targeting with this recommendation.
vulnerabilities in the plugin can _only_ affect the regular user.
There are many paths to exploits besides things directly running in the instance of the web server (with plugins) which you are currently running. Tricks like leaving keyloggers and trojans behind, in places where they get executed the next time you log in instead of now.
So a Flash exploit lets the bad guys leave a keylogger in your surfing account. That's not good (and in some senses it's a ticking time bomb), but at least it isn't as bad as it could be.
How does (not-)installing flash as root affect any of the above? What you are talking about above is something everyone should be mindful of when surfing the Internet irrespective of whether they are using flash.
I still fail to see how installing flash as the regular user is saving the user from any vulnerabilities which he/she would be otherwise prone to.
Well, for all that, ideally, one would never surf the web as an admin class user, many packages have their documentation in HTML. The docs contain links to the project website.
And even if the project website is clean, it often has advertising (often in Flash, no less), and links to other places which may or may not be properly administered. It's all too easy for even the most cautious admin user to get drawn out on the general web, and not having flash installed in the general browser puts up more walls that the intruder has to get through.
And then there's the bank's website and the queston of whether flash should be enabled in the browser you are typing your bank password in, etc.
It's not a really high wall, but it is a way to put another wall between the user's important data and the intruder, provide some more buffer against social engineering and user error, etc.
-- Joel Rees
Hi Joel,
On Thu, 14 Apr 2011 22:03:00 +0900 Joel Rees joel.rees@gmail.com wrote:
Does that explain why I'm saying you don't want Flash loading every time you run your web browser as any user?
How does this change when flash is installed as the regular user?
From what I said about not using su or sudo when logged in to an account you surf the web from, you understand that I mean that the user does not even use su or sudo to do the final step of copying flash where it goes?
I think I follow where we were differing. I didn't realise you also meant no "administration related tasks" are done from the regular account in question. Of course in that case it is definitely safer.
So your objection is definitely a valid point but it is not specific to flash. Its a general principle of not exposing your administrative password to user accounts that might have been infected by the outside world.
Am I understanding this correctly? I guess we often make choices between convenience over security. It usually depends on the context and the administrator of the system whether it is an acceptable choice.
On Fri, Apr 15, 2011 at 12:28 AM, Suvayu Ali fatkasuvayu+linux@gmail.com wrote:
Hi Joel,
On Thu, 14 Apr 2011 22:03:00 +0900 Joel Rees joel.rees@gmail.com wrote:
Does that explain why I'm saying you don't want Flash loading every time you run your web browser as any user?
How does this change when flash is installed as the regular user?
From what I said about not using su or sudo when logged in to an account you surf the web from, you understand that I mean that the user does not even use su or sudo to do the final step of copying flash where it goes?
I think I follow where we were differing. I didn't realise you also meant no "administration related tasks" are done from the regular account in question. Of course in that case it is definitely safer.
Exactly.
So your objection is definitely a valid point but it is not specific to flash. Its a general principle of not exposing your administrative password to user accounts that might have been infected by the outside world.
The principle is general, sure, but the application to Flash is specific -- that the plugin should go in the .mozilla/plugins folder of each user that uses it, and nowhere else.
It's not as good as having a separate box for the bank, but separate accounts are not as bad as using the same account for posting to (say) Digg or slashdot and for logging in to the bank.
Leaving Flash out of the account you log into the bank with strengthens the walls against the un-foreseen accidents.
Likewise, if you don't have Flash loaded in the account you usually use to do admin tasks, you have a little more breathing room when you're checking the docs while you tweak the system, without using a separate computer.
Am I understanding this correctly? I guess we often make choices between convenience over security. It usually depends on the context and the administrator of the system whether it is an acceptable choice.
True. It's a little inconvenient.
In fact, if you have 138 users on the company network, and you have to set up multiple accounts for each one, installing and updating Flash and other brick-brack on some accounts and not on others, maybe you have to decide between writing a script to handle the install across the LAN and just installing/updating one global location.
For personal and family machines, however, I prefer the local install, since the kids insist on having it.
On Fri, Apr 15, 2011 at 7:44 PM, Joel Rees joel.rees@gmail.com wrote:
So your objection is definitely a valid point but it is not specific to flash. Its a general principle of not exposing your administrative password to user accounts that might have been infected by the outside world.
The principle is general, sure, but the application to Flash is specific -- that the plugin should go in the .mozilla/plugins folder of each user that uses it, and nowhere else.
It's not as good as having a separate box for the bank, but separate accounts are not as bad as using the same account for posting to (say) Digg or slashdot and for logging in to the bank.
Leaving Flash out of the account you log into the bank with strengthens the walls against the un-foreseen accidents.
Likewise, if you don't have Flash loaded in the account you usually use to do admin tasks, you have a little more breathing room when you're checking the docs while you tweak the system, without using a separate computer.
Am I understanding this correctly? I guess we often make choices between convenience over security. It usually depends on the context and the administrator of the system whether it is an acceptable choice.
True. It's a little inconvenient.
In fact, if you have 138 users on the company network, and you have to set up multiple accounts for each one, installing and updating Flash and other brick-brack on some accounts and not on others, maybe you have to decide between writing a script to handle the install across the LAN and just installing/updating one global location.
For personal and family machines, however, I prefer the local install, since the kids insist on having it.
Okay. Now we are on the same page. Agree wholeheartedly. :)
After the discussion I am switching to using flash this way on my machines. In any case I have to do it by hand as I use the 64 bit flash. :-/
On 04/16/2011 02:37 AM, suvayu ali wrote:
After the discussion I am switching to using flash this way on my machines. In any case I have to do it by hand as I use the 64 bit flash. :-/
No you don't:
[flash] name=flash baseurl=http://dl.dropbox.com/u/6907158/flashplayer.x86_64 enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-leigh123linux
Put that in a file in /etc/yum.repos.d and you should have a packaged version of the 64 bit Flash Player (square) that Adobe releases from time to time. It is packaged by leigh123linux, and there are discussions about it on www.fedoraforum.org.