Re: [CentOS] Broadcom BCM4360

2017-12-03 Thread John R Pierce

On 12/3/2017 11:10 PM, Phil Perry wrote:
> Correct, elrepo isn't able to freely redistribute the drivers due to
> Broadcom's licensing, but does provide instructions and a SRPM (minus
> tarball) for you to build yourself.
>
> Alternatively, for $8 you can purchase an adaptor that is natively
> supported and will work out of the box:
>
> https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Supports/dp/B003MTTJOY/ref=sr_1_1?ie=UTF8=1512370979=8-1=edimax+n150
>
> https://www.newegg.com/Product/Product.aspx?Item=N82E16833315091_re=edimax_n150-_-33-315-091-_-Product
>
> The above adaptor is based on the Realtek RTL8188CUS chipset and uses
> the rtl8192cu kernel driver.



those are only 11N adapters, the OP asked about a 11AC card.

--
john r pierce, recycling bits in santa cruz

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Broadcom BCM4360

2017-12-03 Thread Alice Wonder

On 12/03/2017 11:10 PM, Phil Perry wrote:

> On 04/12/17 00:38, John R Pierce wrote:
>> On 12/3/2017 4:22 PM, Gregory P. Ennis wrote:
>>> I have not been able to get it to work on a Centos 7.4 machine.  Some of the
>>> centos user posts had indicated the nux repository had a Centos 7 kmod-wl,
>>> but it is not present when I tried to search or install it at
>>> this time.
>>
>> this looks potentially helpful
>>
>> http://elrepo.org/tiki/wl-kmod
>>
>> it appears those are closed source drivers with funky licenses, so
>> they can't just be redistributed without assumption of liability.
>
> Correct, elrepo isn't able to freely redistribute the drivers due to
> Broadcom's licensing, but does provide instructions and a SRPM (minus
> tarball) for you to build yourself.


That's what I have to do, and it can sometimes be a PITA because a 
kernel update can break it and you have to build it again.


With major updates (like 7.3 to 7.4) you sometimes have to download a 
new nosrc rpm.




> Alternatively, for $8 you can purchase an adaptor that is natively
> supported and will work out of the box:
>
> https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Supports/dp/B003MTTJOY/ref=sr_1_1?ie=UTF8=1512370979=8-1=edimax+n150
>
> https://www.newegg.com/Product/Product.aspx?Item=N82E16833315091_re=edimax_n150-_-33-315-091-_-Product
>
> The above adaptor is based on the Realtek RTL8188CUS chipset and uses
> the rtl8192cu kernel driver.


At some point I will be replacing mine, but with a low-profile PCI-E 
card. I've had bad luck with USB wifi adapters, sometimes for example 
they lose connection when a microwave is turned on and when I was 
visiting my parents, had one that lost connection whenever the AC unit 
kicked on.


My best wifi experience in Linux has been with my T series thinkpad, it 
uses some kind of Intel wireless chipset that is in the kernel.


I'm going to be looking for a low profile Intel PCI-E card, but for now 
my broadcom PCI-E actually works quite well - with the exception of 
needing to rebuild every now and then (last time was 7.3 to 7.4 update)




Re: [CentOS] Broadcom BCM4360

2017-12-03 Thread Phil Perry

On 04/12/17 00:38, John R Pierce wrote:

> On 12/3/2017 4:22 PM, Gregory P. Ennis wrote:
>> I have not been able to get it to work on a Centos 7.4 machine.  Some of the
>> centos user posts had indicated the nux repository had a Centos 7 kmod-wl,
>> but it is not present when I tried to search or install it at
>> this time.
>
> this looks potentially helpful
>
> http://elrepo.org/tiki/wl-kmod
>
> it appears those are closed source drivers with funky licenses, so they
> can't just be redistributed without assumption of liability.

Correct, elrepo isn't able to freely redistribute the drivers due to
Broadcom's licensing, but does provide instructions and a SRPM (minus
tarball) for you to build yourself.


Alternatively, for $8 you can purchase an adaptor that is natively 
supported and will work out of the box:


https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Supports/dp/B003MTTJOY/ref=sr_1_1?ie=UTF8=1512370979=8-1=edimax+n150

https://www.newegg.com/Product/Product.aspx?Item=N82E16833315091_re=edimax_n150-_-33-315-091-_-Product

The above adaptor is based on the Realtek RTL8188CUS chipset and uses 
the rtl8192cu kernel driver.




Re: [CentOS] Broadcom BCM4360

2017-12-03 Thread John R Pierce

On 12/3/2017 4:22 PM, Gregory P. Ennis wrote:

> I have not been able to get it to work on a Centos 7.4 machine.  Some of the
> centos user posts had indicated the nux repository had a Centos 7 kmod-wl,
> but it is not present when I tried to search or install it at
> this time.

this looks potentially helpful

http://elrepo.org/tiki/wl-kmod

it appears those are closed source drivers with funky licenses, so they 
can't just be redistributed without assumption of liability.



--
john r pierce, recycling bits in santa cruz



[CentOS] Broadcom BCM4360

2017-12-03 Thread Gregory P. Ennis
Everyone,

I just purchased a new wifi card that is identified using lspci as:
Broadcom Limited BCM4360 802.11ac Wireless Network Adapter (rev 03)

I have not been able to get it to work on a Centos 7.4 machine.  Some of the
centos user posts had indicated the nux repository had a Centos 7 kmod-wl,
but it is not present when I tried to search or install it at
this time.

Has anyone had any success in making the Broadcom BCM4360 chip work for
Centos 7.4?

Greg


Re: [CentOS] Apache and web content permissions

2017-12-03 Thread Pete Travis
Hi Niki,

The principle to work by here is 'least required access'.  There's two
functional types of users we care about, the one executing the PHP
code (probably apache or php-fpm) and admins like yourself with
FTP/shell access.  Upstream wordpress documents application write
requirements at
https://codex.wordpress.org/Hardening_WordPress#File_Permissions -
read it to know where the web server will expect write access, but
don't follow the instructions - especially the numbers for chmod - by
rote!

On Sat, Dec 2, 2017 at 3:30 AM, Nicolas Kovacs wrote:
>
> Hi,
>
> Until a few months ago, when I had to setup a web server under CentOS, I
> assigned (I'm not sure about the correct english verb for "chown"ing)
> all the web pages to the apache user and group. To give you an example,
> let's say I have a static website under /var/www/myserver on a CentOS
> server running Apache. Then I would configure permissions for the web
> content like this:
>
> # chown -R apache:apache /var/www/myserver
> # find /var/www/myserver -type d -exec chmod 0750 {} \;
> # find /var/www/myserver -type f -exec chmod 0640 {} \;
>
> Some time ago a fellow sysadmin (Remi Collet on the fr.centos.org forum)
> pointed out that this is malpractice in terms of security, and that the
> stuff under /var/www should *not* be owned by the user/group running the
> webserver.


Right, this gives Apache write access over *everything*.  That means
that Apache could potentially change your site code.  Many attack
vectors rely on changing wordpress files or creating new files, so
this should not be possible.

> Which means that for the static website above, I could have
> something like this, for example:
>
> # chown -R microlinux:microlinux /var/www/myserver
> # find /var/www/myserver -type d -exec chmod 0755 {} \;
> # find /var/www/myserver -type f -exec chmod 0644 {} \;
>
> Or even this:
>
> # chown -R nobody:nobody /var/www/myserver
> # find /var/www/myserver -type d -exec chmod 0755 {} \;
> # find /var/www/myserver -type f -exec chmod 0644 {} \;


I don't like the convention of creating an arbitrarily named user to
own website files.  Nicolas is logging in and working on the server,
make an ie nkovacs user for yourself to do your work.  Shared hosting
companies tend to follow the "one FTP user named after website" or
"one shell user named after customer" model and expect their customers
to share a single login account, but if you have root access to the
server there's no need to restrict yourself this way.  It also leads to a
solution where a group of folks who need to work on the site will
share the single login account, making it impossible to answer
questions like "who changed this file" or "who is logged in right
now".  If any kind of compliance is a concern, generic/anonymous login
is a no-go.  If compliance is not a concern, there's still no real
benefit to making up usernames for yourself on a production system
that are not your own name, and sharing credentials is still bad
practice in principle.

>
> Now I'm hosting quite a few Wordpress sites on various CentOS servers.
> Some stuff in Wordpress has to be writable by Apache. If I want to keep
> stuff as secure as possible, here's the permissions I have to define.
>
> # cd /var/www
> # chown -R microlinux:microlinux wordpress-site/
> # find wordpress-site/ -type d -exec chmod 0755 {} \;
> # find wordpress-site/ -type f -exec chmod 0644 {} \;
> # cd wordpress-site/html
> # chown -R microlinux:apache wp-content/
> # find wp-content/ -type d -exec chmod 0775 {} \;
> # find wp-content/ -type f -exec chmod 0664 {} \;
>
> As far as I know, this is the most secure setup for Wordpress as far as
> permissions are concerned.


Wordpress plugins are in wp-content.  Allowing a wordpress plugin to
be compromised is functionally equivalent to allowing the core code to
be compromised, we do not want Apache to write plugin code.
`wp-content/uploads` is the only *stock* directory I'm aware of that
Wordpress *requires* write access to.  Some plugins might have
additional directories they write to, this should be documented for
each such plugin.

With an application like Wordpress, Apache only needs to create files
for things like images uploaded for posts.  It should never be allowed
to write in a directory where PHP files are.  Conversely, any
directory where it *can* write should not be used for PHP code.  You
can block that with the snippet below, again from upstream wordpress:


   # Kill PHP Execution
   
  deny from all
   


You might notice that I used a  block where the page I
linked to does not.  The upstream example has you drop a  block
into a .htaccess file; in that context, the  is implicitly
inherited from the immediate parent directory of the .htaccess file.
It's a convenient way to adjust Apache configuration if you do not
have privileged shell access, but it also means the .htaccess file
will be read and interpreted anew for *every request*.  You *do* have
privileged 

Re: [CentOS] Apache and web content permissions

2017-12-03 Thread Nicolas Kovacs
On 02/12/2017 at 16:25, Brian Mathis wrote:
> You could write a script to open the permissions, apply updates using
> something like http://wp-cli.org/, then close the permissions again.  Run
> it through cron so you get updates in a timely manner.

This is EXACTLY what I've been looking for. I've spent a few hours
experimenting with wp-cli, and the big advantage is you are supposed to
run it as the user owning the web content, so no need to fiddle with
permissions, even temporarily.

I'm currently writing a detailed blog post about this, since it looks
like this makes my life much easier. Thanks very much !

Cheers from the sunny South of France,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32
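
An audit of the rule argued in Pete Travis's reply earlier in this thread (code must not be writable by the web server, and the one writable directory must not hold PHP), as an added example that is not part of any message in the thread. The function names, finding labels and sample tree are constructed for illustration, and only mode bits are checked, not ownership.

```shell
#!/bin/sh
# Added example, not from the thread. Sample tree is constructed; mode-bit checks only.

# audit_webroot ROOT WRITABLE_DIR
# ROOT: document root (no trailing slash). WRITABLE_DIR: the one subdirectory,
# relative to ROOT, that the web server may write to. One finding per line.
audit_webroot() {
    root=$1
    writable=$1/$2
    # Code must not be group- or world-writable: with group "apache" on it,
    # those bits let the PHP process rewrite core or plugin files.
    find "$root" -path "$writable" -prune -o \
        \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE_CODE /'
    # The writable directory must hold data only, never PHP.
    if [ -d "$writable" ]; then
        find "$writable" -type f -name '*.php' -print | sed 's/^/PHP_IN_WRITABLE_DIR /'
    fi
}

# Constructed WordPress-like tree with the modes from the quoted message:
# 0755/0644 everywhere, then 0775/0664 on all of wp-content.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/plugins" "$d/wp-content/uploads"
    : > "$d/index.php"
    : > "$d/wp-content/plugins/plugin.php"
    : > "$d/wp-content/uploads/photo.jpg"
    find "$d" -type d -exec chmod 0755 {} \;
    find "$d" -type f -exec chmod 0644 {} \;
    find "$d/wp-content" -type d -exec chmod 0775 {} \;
    find "$d/wp-content" -type f -exec chmod 0664 {} \;
    printf '%s\n' "$d"
}

# Tighten everything except the writable directory (the layout the reply argues for).
tighten_code() {
    find "$1" -path "$1/$2" -prune -o -type d -exec chmod 0755 {} \;
    find "$1" -path "$1/$2" -prune -o -type f -exec chmod 0644 {} \;
}

tree=$(make_sample_tree)
audit_webroot "$tree" wp-content/uploads    # flags wp-content and the plugin code
tighten_code "$tree" wp-content/uploads
audit_webroot "$tree" wp-content/uploads    # prints nothing
rm -rf "$tree"
```

On a real server the call would be `audit_webroot /var/www/wordpress-site/html wp-content/uploads`, using the path from the quoted message.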