Re: What package contains the time daemon?

2015-07-25 Thread Iain M Conochie



On 26/07/15 00:08, Bob Bernstein wrote:

On Sat, 25 Jul 2015, Gary Dale wrote:


ntp


No. This is an incorrect response.



Really?

apt-cache search ntp | grep ^ntp
ntp - Network Time Protocol daemon and utility programs
ntp-doc - Network Time Protocol documentation
ntpdate - client for setting system time from NTP servers
ntpstat - show network time protocol (ntp) status


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/55b41a31.6020...@thargoid.co.uk



Re: Query about possible impact of leap second on Debian Linux

2015-05-21 Thread Iain M Conochie



On 21/05/15 09:45, Bret Busby wrote:

Hello.

I have posted this message to the general Debian Users list, rather
than to only the LTS list, as, whilst my interest is limited to Debian
6 LTS, I believe that, if the issue involving any possible problem,
applies, then it would likely apply to all existing versions of Debian
Linux in use.

I have today seen the news report below, and wonder whether it needs
some kind of patch for Debian Linux, and, if so, whether it has
already been done, or is pending.


snip

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679882#87

Iain



Archive: https://lists.debian.org/555db416.1010...@thargoid.co.uk



Re: Query about possible impact of leap second on Debian Linux

2015-05-21 Thread Iain M Conochie



On 21/05/15 22:15, Bob Proulx wrote:

Iain M Conochie wrote:

Bret Busby wrote:

I have today seen the news report below, and wonder whether it needs
some kind of patch for Debian Linux, and, if so, whether it has
already been done, or is pending.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679882#87

Good to see that Debian has already implemented the patches through
Debian Squeeze LTS.
To be fair, this was implemented when squeeze was still stable, as 
according to the below link Wheezy was officially released over 7 months 
after this fix


https://www.debian.org/releases/wheezy/



A reasonably good summary and description of the leapsecond issues
appears in the up-voted answer posted here:

   
http://serverfault.com/questions/403732/anyone-else-experiencing-high-rates-of-linux-server-crashes-during-a-leap-second

Bob
Nice one Bob. This link also points out this was an issue with the NTP 
server software (although it seemed in 2012 the main issue was with the 
kernel)



Bret

 You may want to also check your version of NTP (if you are running the 
software). You may also want to check your version of the tzdata package 
if you are *not* running NTP. This should be 2015d-0+deb6u1


Iain




Archive: https://lists.debian.org/555e6616.2090...@thargoid.co.uk



Re: xfce4 user switching with kdm as the display manager

2015-05-18 Thread Iain M Conochie



On 17/05/15 18:24, Iain M Conochie wrote:

Hi all,

  I have recently switched my desktop (environment?) from KDE to xfce 
on a jessie install. I am still running kdm. I have noticed that the 
Switch User functionality within the action buttons on the top panel 
(Panel 1) is greyed out. Is there a specific xfce package I have to 
install to enable this functionality, or will I have to change my 
display manager to enable this? Below is a list of the installed xfce 
packages:

Just in case anyone else needs to know, you can install kdm-gdmcompat

Iain



Archive: https://lists.debian.org/555994dc.3080...@thargoid.co.uk



xfce4 user switching with kdm as the display manager

2015-05-17 Thread Iain M Conochie

Hi all,

  I have recently switched my desktop (environment?) from KDE to xfce 
on a jessie install. I am still running kdm. I have noticed that the 
Switch User functionality within the action buttons on the top panel 
(Panel 1) is greyed out. Is there a specific xfce package I have to 
install to enable this functionality, or will I have to change my 
display manager to enable this? Below is a list of the installed xfce 
packages:


dpkg -l | grep xfce | awk '{print $2}'
gtk2-engines-xfce
libxfce4ui-1-0
libxfce4ui-utils
libxfce4util-bin
libxfce4util-common
libxfce4util6
xfce-keyboard-shortcuts
xfce4
xfce4-appfinder
xfce4-mixer
xfce4-notifyd
xfce4-panel
xfce4-session
xfce4-settings
xfce4-volumed
xfdesktop4
xfdesktop4-data


Cheers

Iain



Archive: https://lists.debian.org/5558cedd.1060...@thargoid.co.uk



Re: Book questions

2015-04-12 Thread Iain M Conochie



On 12/04/15 17:34, David Wright wrote:

Quoting Iain M Conochie (i...@thargoid.co.uk):
snip

IMHO, the issue with perl and python is that you will have to
understand Object Orientated Programming (OOP) to get the most out
of them, especially for GUI development. This was one of the reasons
I drew a blank with perl. This may or may not be the case. Brett,
any opinion on this?

Oh gosh, I wouldn't just rely on the advice of one or two people here
to make your decision. If you type any of "perl vs" or "python vs"
or "ruby vs" into google and see the suggestions, then click on a
few of them and you will find a lot of knowledgeable discussion of the
issues (amongst a wealth of prejudices, of course).

If the programs/tools you want to write have GUIs, then you're not
going to avoid OOP so that's not really an issue.


OOP is a big issue for me :)

However, it might
help to see if the way languages handle objects seems natural to
you. And really, that's the case for the languages themselves...what
fits you best. There's also something to be said for seeing what other
people in your field are using as you may want to call upon this
community to help solve problems you run into.
Sad as it may seem, I am on my own in this. Hence trying to solicit 
other opinions on this matter, of which yours is most welcome.


BTW do check the dates of any discussion. These languages are still
actively evolving so opinions date, and change. My recollections of
Perl are from 20th century perl4 and consequently inconsequential:
OOP came with perl5. And perl6 is round the corner (but has been for
a decade). I'm ignorant of Ruby, which is seen as another horse in
this stable (procedural scripting; far from C).
From a sysadmin point of view (and this is probably about 4-5 years out 
of date) ruby is horrible. A bigger memory hog than java, and it seemed 
like a passing fad.


My hate / love / hate of perl (and probably OOP) comes from a long 
winter of learning the perl by building an auto-updating website, then I 
wanted to add the data into a mysql DB and finding myself lost and not 
being able to do what I wanted to do. This was perl 5.0.4 (which 
probably gives my age away ;) However, it recently came through for me 
and I was able to use it to build a shell script.


Also bear in mind that while books are fine for learning from, and
consolidating your knowledge, once you start seriously using any
language the web resources will be essential because most books in
this area are out of date before they're even published.
Ahh - a beautiful statement, and music to my ears. I am sadly lacking in 
a formal education in computer science, but the internet is my tutor, 
and I have learned exactly what I need to learn. No more but probably a 
bit less.


Cheers,
Iain



Archive: https://lists.debian.org/552afd38.8010...@thargoid.co.uk



Re: Book questions

2015-04-12 Thread Iain M Conochie


On 12/04/15 09:33, Petter Adsen wrote:

On Sun, 12 Apr 2015 15:51:24 +0800
Bret Busby bret.bu...@gmail.com wrote:


On 12/04/2015, Petter Adsen pet...@synth.no wrote:

Now that you mention security, that leads me to another question -
are there any good books on writing secure programs? I would guess
that would be a good thing to think about from the start, as to
learn good practices?

I believe that this is where it gets into the realm of "How long is a
piece of string?".

:-)


From my understanding, security is always relative, and, never
absolute - whether something can be breached, whether it is a building
or a software program, depends on the skill and persistence of the
person trying to do the breaching, and, importantly, luck.

It is like the principle "Just when you think that you have produced
an idiot-proof program, they design a more effective idiot."

Of course. Let me rephrase: are there any good books on _current best
practices_ to enhance security in code - in particular as it applies
to C?

I understand that security is a very complex topic, but I am interested
in learning how to write good, solid code, and security is part of that.

https://www.securecoding.cert.org/confluence/display/c/CERT+C+Coding+Standard

There are, however, differing opinions as how useful some of the above 
text is:


https://www.sourceware.org/ml/libc-alpha/2000-08/msg00061.html

Some more:

https://www.safaribooksonline.com/library/view/secure-programming-cookbook/0596003943/

http://web.mit.edu/6.s096/www/lecture/lecture03/secure-C.pdf

http://www.nostarch.com/hacking2.htm





I believe that, similarly, the best way to learn good programming
practices, is to take courses at different educational institutions,

Unfortunately, that is not an option for me. Books and online guides
will have to do.


Another thing - I have been thinking about also learning Python, for
instance for interacting with GTK, and for writing things that
might be hard to do in C. Would that be a good choice, or should I
look at any other languages before I start?

I am definitely no expert in this, and, others could advise regarding
this, much better than me, but, my understanding is that, for what you
seek, Perl appears to be the answer, as it apparently includes the
good parts of various programming languages, including C, and, is
cross-platform portable, and is supposed to be very versatile.

OK, thank you, I will definitely consider Perl also, as I already know
a little and have a few books on it.

Petter
IMHO, the issue with perl and python is that you will have to 
understand Object Orientated Programming (OOP) to get the most out of 
them, especially for GUI development. This was one of the reasons I drew 
a blank with perl. This may or may not be the case. Brett, any opinion 
on this?






Archive: https://lists.debian.org/552a5e39.5060...@thargoid.co.uk



/ and separate partitions (was) Re: Upgrading Kernel - Out of Disk Space

2015-02-12 Thread Iain M Conochie

snip

It was until fairly recently general practice to allocate a few hundred
MB to / if /usr and /var were separate. It's only in the last few years
that the size of /lib/modules has really exploded, and /usr now needs
(in practice) to physically live under /.
I once tried to put /lib/modules under its own partition. Needless to 
say, it broke horribly and the system was unable to boot.
Having said that, with 100GB disks common now, the fallacy that, just 
because you cannot have a sub 1G / filesystem, that you have to place 
/usr onto that partition, is annoying. In fact, the whole /usr merge to 
me is annoying. If we do not _need_ /usr, why have it in the first 
place? Why have this separate directory that you should no longer split 
off onto a separate partition? Just have everything in /


Iain



Archive: https://lists.debian.org/54dd4065.7020...@thargoid.co.uk



Re: Fwd: Re: Have I been hacked?

2015-01-12 Thread Iain M Conochie


On 12/01/15 16:50, Jerry Stuckle wrote:

On 1/12/2015 11:36 AM, i...@thargoid.co.uk wrote:

Forwarding to the list as I seemed to have managed to leave it off.
Apologies.



Knowledge is easier to duplicate than a physical item. You mentioned the
ATM attack.

Incorrect.  Knowledge cannot be duplicated if there is no basis for that
knowledge.

For instance, it was not possible for archeologists to decipher ancient
Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
- before this, there was no basis for knowledge of the language.

Really? Are you honestly saying that because they did not know what the
hieroglyphics  meant, they were unable to copy them?

They were unable to decipher them.  It has nothing to do with copying.


Since when is duplication not copying?

snip



I happen to agree with Joel here.  I don't want to know the dictionary
definition - I want to know YOUR definition of security.


Semantics is a boring argument. If you wish, tell me yours and I will
tell you mine (oooh err missus ;)


You were asked first.  How about putting up?
Not playing that game. Joel wanted a definition I gave a definition that 
apparently was not good enough for you. Tough!





snip


) my fingerprint (being something I am)

You sure it's not something you have?

Nope - I am pretty sure it is something I am, within the context of the
above statement.


A fingerprint is something you HAVE.  It is present on your body; it is
NOT something you are.  You can leave a fingerprint on a glass, for
instance, and it doesn't affect you at all.

Jerry - just cos you shout does not mean you are more RIGHT.


And repeating something ad nauseam doesn't make you right.

Very true.




Again, within the context of the above statement it is. You may
disagree. Fair enough.
snip


You need to learn the difference between "is" and "has".  They are two
entirely different concepts, but you seem to have them mixed up.

Not really.

I can understand you not wanting to accept that, say, your iris scan is 
something you are. Surely your eye (and all its unique properties) is 
something you have. I have 2 eyes. How can it be something I am?


From the point of view of authentication, this is something you are 
because it is unique to you. Get it now?



is more
secure than a password.

Unless someone chops your hand off to steal your BMW.

Again - implementation. Is the hand warm? Is there a pulse?


Not part of the fingerprint - but again, these can be duplicated - a
latex glove with the fingerprint etched into it, for instance.

May or may not work, depending on the implementation.


It has been proven to work.  That's one reason fingerprints alone are
not used for government security.


If you think I meant that fingerprints alone are more secure than a 
password, then of course this is not the case. As well, fingerprints are 
an _example_ of something you are. Oh, and we all know how secure 
governments are



Also, an ssh-key (being something I have

Now there's an interesting assertion. It seems reasonable, if one
accepts certain implicit, arbitrary boundaries between the three
classes of tokens invoked above.

-- seems reasonable --


) is more
secure than a password.

And, yet, it is no more secure than the user account on the machine in
which it is stored.

OK sure - but we are discussing how to authenticate to an account right?


We are discussing how to authenticate an account on another machine.  If
your key is on your machine, and I steal your machine, I can break the
passphrase your key uses.  It may take a while, but it will be a lot
faster than if that same passphrase were used as a password to your
server.

Is this due to being limited over the network for the number of tries?
What if I delete the key on the server when my machine is stolen? What if I
generate new keys every week?


It is so easy for me to prevent that it isn't even funny.  All I need to
do is copy the keyfile (or indeed, the entire disk) to another machine.
  In fact, that's what I'll probably do, anyway.  That way I can access
all of your data without even booting your machine.
Jolly good. The public key from which you have the private key and are 
hacking away on to break the passphrase has been removed from all 
machines. It is now completely useless to you.


Of course, if your disk is encrypted, that becomes another problem.  But
then you have to use a password to decrypt the disk...

Or a fingerprint ;)



Something you have and something you are have to be digitised, to produce a
token that can be used to prove your identity to a computer system. That is
part of the implementation.


Everything you have mentioned is something I have.  I have knowledge
of a long, random password (not stored anywhere else).  I have a key
stored on my computer (protected by a password).  I have a fingerprint.


In your opinion. Not in mine (within the context of this discussion)


You seem to have difficulty in understanding "have" versus "is".
Not 

Re: Have I been hacked?

2015-01-12 Thread Iain M Conochie


On 12/01/15 16:41, Jerry Stuckle wrote:

On 1/12/2015 10:10 AM, Chris Bannister wrote:

snip
Oh, come on!
http://www.thefreedictionary.com/context

It is all about *who* you are, or claim to be.

https://danielmiessler.com/blog/security-identification-authentication-and-authorization/


You have completely missed the point, Chris.

And don't believe every blog you read on the internet.

Pot, kettle, black

In fact this blog pretty much describes what I am talking about. Seems 
to be falling on deaf ears though


Jerry






Archive: https://lists.debian.org/54b42f25.4000...@thargoid.co.uk
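
The removal step described in the key-theft exchange earlier in this thread (taking the public key out of every server's authorized_keys so that a copied private key no longer opens anything), as an added example that does not come from any of the posters. The sample file, its fake key blobs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: drop one public key from an authorized_keys file.
# Matching is done on the base64 key blob (second field of the .pub file),
# because the trailing comment is free text and proves nothing.

# Constructed blob standing in for the public half of the stolen key.
STOLEN_BLOB=AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYLAPTOP0000000000000000000000000000

# Constructed sample file; the blobs are fake and only need to differ.
sample_authorized_keys() {
cat <<EOF
# laptop (stolen)
ssh-ed25519 $STOLEN_BLOB iain@laptop
from="192.0.2.10",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKEKEYBACKUP backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYDESKTOP000000000000000000000000000 iain@desktop
EOF
}

# revoke_key BLOB: copy authorized_keys from stdin to stdout, leaving out
# every entry whose key blob equals BLOB. Comments and blank lines are kept.
revoke_key() {
    awk -v bad="$1" '
        /^[ \t]*(#|$)/ { print; next }
        {
            # An entry may start with an options field, so look for the
            # key-type token and take the field after it as the blob.
            blob = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-(ssh|ecdsa)-)/) {
                    blob = $(i + 1)
                    break
                }
            if (blob == bad) next      # revoked entry: do not copy it
            print
        }'
}

# revoke_in_file FILE BLOB: rewrite FILE through a temp file in the same
# directory, so sshd never reads a half-written authorized_keys.
revoke_in_file() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if revoke_key "$2" < "$1" > "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Typical use, once per account on every server that trusted the key:
#   revoke_in_file ~/.ssh/authorized_keys "$(cut -d' ' -f2 stolen_key.pub)"
```
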



Re: Have I been hacked?

2015-01-11 Thread Iain M Conochie


On 11/01/15 23:18, Brian wrote:

On Sun 11 Jan 2015 at 22:32:39 +, Iain M Conochie wrote:


On 10/01/15 20:31, Brian wrote:

By all means advocate and use ssh keys. But at least provide some
substantial reason for spurning password login for that particular
situation. A blanket "don't use passwords" or "keys are better"
doesn't cut it.

There are 3 (current) factors in authentication:

1. What the user knows
2. What the user has
3. What the user is

These increase in security as you go higher up the number. So
(assuming the implementation is secure) my fingerprint (being
something I am) is more secure than a password. Also, an ssh-key
(being something I have) is more secure than a password.

Both a password and a key is something the user is in possession of.

Think pin and  bank card. Both you are in possession of. Only one you know.

Perhaps this will explain:

http://en.wikipedia.org/wiki/Multi-factor_authentication

A fingerprint (a key, I suppose) is no more me than a password. I
may be being dense but I am having difficulties in following your
argument and the distinctions you are trying to make.

Dense is one of the last things you are, Brian.
  

In each case we have the _implementation_ to let us down. #1 is up
to the user whereas #2 and #3 are up to the programmer. Who do you
trust ;)

Sorry, I do not follow this either.
As I see it, the ability of a computer to reduce an individual to a 
_unique_ blob[1] is what we are trying to achieve here. Think the hash 
of a password.


[1] A length of arbitrary bytes.

Cheers

Iain



Archive: https://lists.debian.org/54b3092e.3070...@thargoid.co.uk



Re: Have I been hacked?

2015-01-11 Thread Iain M Conochie


On 11/01/15 23:47, Bob Proulx wrote:

Iain M Conochie wrote:

These increase in security as you go higher up the number. So (assuming the
implementation is secure) my fingerprint (being something I am) is more
secure than a password. Also, an ssh-key (being something I have) is more
secure than a password.

Concerning fingerprints and other biometrics for security...

   I am sorry to disclose that our site had a security breach.
   Please change your fingerprints to a new secure fingerprint before
   using the site.

Hmm...  I think I would much rather change my password.

Bob
Hence "assuming the implementation is secure". When you use more secure 
authentication factors, the ability of the remote system to keep them 
secure needs to be higher. In other words, you have to _trust_ the 
remote site to be able to keep your unique data secure.


Iain



Archive: https://lists.debian.org/54b30d13.3080...@thargoid.co.uk



Re: Have I been hacked?

2015-01-11 Thread Iain M Conochie


On 10/01/15 20:31, Brian wrote:
By all means advocate and use ssh keys. But at least provide some 
substantial reason for spurning password login for that particular 
situation. A blanket "don't use passwords" or "keys are better"
doesn't cut it.


There are 3 (current) factors in authentication:

1. What the user knows
2. What the user has
3. What the user is

These increase in security as you go higher up the number. So (assuming 
the implementation is secure) my fingerprint (being something I am) is 
more secure than a password. Also, an ssh-key (being something I have) 
is more secure than a password.


In each case we have the _implementation_ to let us down. #1 is up to 
the user whereas #2 and #3 are up to the programmer. Who do you trust ;)


Iain



Archive: https://lists.debian.org/54b2fa07.80...@thargoid.co.uk



Re: umask has no man page?

2014-11-02 Thread Iain M Conochie


On 02/11/14 05:58, Carl Fink wrote:

On Sun, 2014-11-02 at 14:17 +1100, Scott Ferguson wrote:

Succinct!

man pam_umask?

That is not a solution to the original question I asked, unless you
alias it to man umask. You don't _type_ pam_umask.

Carl

Perhaps apropos is your friend here?

:$ apropos umask
pam_umask (8)- PAM module to set the file mode creation mask







Archive: https://lists.debian.org/545652fd.1090...@thargoid.co.uk



Re: umask has no man page?

2014-11-02 Thread Iain M Conochie

snip

Perhaps apropos is your friend here?

:$ apropos umask
pam_umask (8)- PAM module to set the file mode creation mask

As I said in the original, I found it almost immediately.

However, doesn't the Debian policy manual require a man page for every
program?


Not being a DD or DM I cannot possibly comment on this. However:

$: which umask
$:

So umask is _not_ a program (in the sense that there is no binary called 
umask on the system)

Wouldn't that lead users to try the man system to get help on every
command, since a new or non-technical user would have no way to know that
umask or read or fg is not a program but a personality of Bash? So why
_not_ have a man page for them?
I guess because they are not programs (in the above sense). However this 
is but a guess.


IMO the man system needs you to know what you are looking for. If you do 
not know umask is a shell builtin then I guess the man system can let 
you down. Hence apropos, as this, at least, will search for appropriate 
man pages. One more command to learn perhaps?


Cheers

Iain



Archive: https://lists.debian.org/54567a4c.2060...@thargoid.co.uk



Re: dpkg no space left on device errors (lots of room left)

2014-10-22 Thread Iain M Conochie


On 22/10/14 19:49, John Bleichert wrote:

Hello All,

As of a few days ago I keep getting errors similar to the following 
when running aptitude upgrade:



dpkg: error processing archive 
/var/cache/apt/archives/cups-server-common_1.7.5-5_all.deb (--unpack):
 unable to create 
`/usr/share/cups/templates/ru/set-printer-options-header.tmpl.dpkg-new' (while 
processing 
`./usr/share/cups/templates/ru/set-printer-options-header.tmpl'): No 
space left on device

dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)


I've gotten strange errors like this with /tmp too outside of upgrades.

I've got arseloads of space available on all my mount points:


snip partitions

Try a df -i. You may have run out of inodes.

Cheers

Iain



And now, of course, there are dependency issues all over the place. 
Any suggestions on how to sort this out? I can provide a great 
deal more info.


jessie/sid

Thanks,

John





Archive: https://lists.debian.org/5447fee7.5010...@thargoid.co.uk
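
Added example (not part of the original messages): the df -i check suggested in the reply above, written as a filter over GNU df -Pi output that lists filesystems close to inode exhaustion, plus a helper that counts entries per subdirectory to find what is consuming them. The sample table, the 90 percent threshold and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: "No space left on device" with free blocks usually means
# the inode table is full. Flag such filesystems from `df -Pi` output.

# Constructed sample, not taken from the thread: / still has free blocks
# elsewhere, but only 12 of its 655360 inodes are left.
sample_df_i() {
cat <<'EOF'
Filesystem      Inodes  IUsed   IFree IUse% Mounted on
/dev/sda1       655360 655348      12  100% /
udev            505021    412  504609    1% /dev
tmpfs           507822      5  507817    1% /tmp
/dev/sda6      6111232  84211 6027021    2% /home
EOF
}

# inode_pressure THRESHOLD: read `df -Pi` output on stdin and print
# "<mount point> <used%> <free inodes>" for each filesystem whose inode
# usage is at or above THRESHOLD percent. The percentage is recomputed
# from the counts and rounded down (df itself rounds up).
inode_pressure() {
    awk -v limit="$1" '
        NR == 1 { next }                         # header line
        $2 !~ /^[0-9]+$/ || $2 == 0 { next }     # no inode total reported
        {
            pct = int($3 * 100 / $2)
            mp = $6                              # mount point may hold spaces
            for (i = 7; i <= NF; i++) mp = mp " " $i
            if (pct >= limit) print mp, pct "%", $4
        }'
}

# inodes_by_dir DIR: count filesystem entries under each immediate
# subdirectory of DIR without crossing mount points, largest first.
inodes_by_dir() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        printf '%s %s\n' "$(find "$d" -xdev | wc -l | tr -d ' ')" "${d%/}"
    done | sort -rn
}

# Live use:
#   df -Pi | inode_pressure 90
#   inodes_by_dir /var | head
```
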



preseed from CD different to network booting

2014-09-26 Thread Iain M Conochie

Hey Debianers,

  I am trying to compose a real basic preseed file, that will answer 
all the d-i questions so that the install is completely automated. This 
works on a PXE boot (with dhcp) but not with a CD boot (with dhcp). I 
still get asked to confirm my hostname, domain name and also if I want 
to install grub on the MBR with the CD install, but not the PXE install. 
What gives?


Cheers

Iain

### Preseed config
## Created by cpc
## Inspired by https://www.debian.org/releases/wheezy/example-preseed.txt

### Locale config
d-i console-setup/ask_detect boolean false
d-i debian-installer/locale string en_GB
d-i keyboard-configuration/xkb-keymap select uk

### Network config
d-i netcfg/enable boolean true
d-i netcfg/choose_interface select auto
d-i netcfg/disable_dhcp boolean false
d-i netcfg/get_hostname string test
d-i netcfg/get_domain string mydomain.lan
d-i netcfg/wireless_wep string
d-i hw-detect/load_firmware boolean true

### Mirror configuration
d-i mirror/country string manual
d-i mirror/http/hostname string mirror.ox.ac.uk
d-i mirror/http/directory string /debian
d-i mirror/suite string stable

d-i mirror/http/proxy string
### Root account
d-i passwd/root-password password hackmebaby
d-i passwd/root-password-again password hackmebaby

### User config
d-i passwd/user-fullname string Iain M Conochie
d-i passwd/username string iain
d-i passwd/user-password password r00tm3
d-i passwd/user-password-again password r00tm3
d-i passwd/user-uid string 1004

### Clock, timezone and optionally ntp setup
d-i clock-setup/utc boolean true
d-i time/zone string UTC
d-i clock-setup/ntp boolean true
d-i clock-setup/ntp-server string 0.uk.pool.ntp.org

### Partition setup
d-i partman-auto/disk string /dev/vda
d-i partman-auto/method string regular
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-auto/choose_recipe select atomic
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman/mount_style select uuid

### Apt setup
# You can choose to install non-free and contrib software.
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/services-select multiselect security, updates
d-i apt-setup/security_host string security.debian.org

### Package selection
tasksel tasksel/first multiselect standard
popularity-contest popularity-contest/participate boolean false
d-i pkgsel/include string openssh-server less locate

### Finish off the install
d-i finish-install/reboot_in_progress note



Archive: https://lists.debian.org/5425aa51.5060...@thargoid.co.uk
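
A check for the cleartext passwd/root-password and passwd/user-password answers in the preseed file above, added here as an example and not part of the original post. It reports question names only, never the values, and points at the -crypted questions listed in the Debian example preseed; the function names and the placeholder hash are assumptions.

```shell
#!/bin/sh
# Added example: report preseed answers that carry a cleartext password.
# A preseed file is fetched over the network or sits on install media, so
# anything of type "password" in it should be a crypt(3) hash, for example
# one produced by `mkpasswd -m sha-512` (Debian package whois).

# Four lines copied from the preseed in the post, one constructed line with
# the hashed form (placeholder hash, not a real crypt string), and one
# non-password question as a control.
sample_preseed() {
cat <<'EOF'
d-i passwd/root-password password hackmebaby
d-i passwd/root-password-again password hackmebaby
d-i passwd/user-password password r00tm3
d-i passwd/user-password-again password r00tm3
d-i passwd/user-password-crypted password $6$PLACEHOLDERSALT$PLACEHOLDERHASH
d-i netcfg/wireless_wep string
EOF
}

# cleartext_passwords: read a preseed file on stdin. For every question of
# type "password" that has a value and whose name does not end in
# "-crypted", print "<line>:<question>: <what to do>".
cleartext_passwords() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }            # comment, blank or no value
        $3 != "password" || $2 ~ /-crypted$/ { next }
        {
            if ($2 ~ /^passwd\/(root|user)-password$/)
                fix = "use " $2 "-crypted"
            else if ($2 ~ /^passwd\/(root|user)-password-again$/)
                fix = "drop, the hashed form has no confirmation line"
            else
                fix = "cleartext secret, restrict who can read this file"
            printf "%d:%s: %s\n", NR, $2, fix
        }'
}

# Live use:
#   cleartext_passwords < preseed.cfg
```
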



Re: preseed from CD different to network booting

2014-09-26 Thread Iain M Conochie

Hey Brian,
On 26/09/14 19:24, Brian wrote:


On Fri 26 Sep 2014 at 19:02:57 +0100, Iain M Conochie wrote:


   I am trying to compose a real basic preseed file, that will answer
all the d-i questions so that the install is completely automated.
This works on a PXE boot (with dhcp) but not with a CD boot (with
dhcp). I still get asked to confirm my hostname, domain name and
also if I want to install grub on the MBR with the CD install, but
not the PXE install. What gives?

For the hostname:

d-i netcfg/get_hostname string test
d-i netcfg/hostname string test

For grub:

d-i grub-installer/with_other_os boolean true
d-i grub-installer/only_debian boolean true

The domain name cannot be preseeded.

This is recommended:

https://www.debian.org/releases/wheezy/example-preseed.txt

Yeah - I used that for inspiration. I guess I should add the grub parts so
that the questions are not asked. Thanks for that.

However, I am concerned why a CD d-i behaves differently to a PXE d-i. It,
of course, could be that I am using different versions (the ISO image I have
is old) so I will try the latest images and see what happens. I am using a
netinst CD image if that makes any difference.

Cheers

Iain



Archive: https://lists.debian.org/5425b2ad.9060...@thargoid.co.uk



bad bash bug

2014-09-24 Thread Iain M Conochie

Evening,

 In case people may have missed this:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Upgrade available for wheezy.

Cheers

Iain



Archive: https://lists.debian.org/54232461.2050...@thargoid.co.uk



Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

2014-09-24 Thread Iain M Conochie


On 24/09/14 21:52, Steve Litt wrote:

Hi everyone,

Bash Code Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271)

https://access.redhat.com/articles/1200223

My current Debian setup is vulnerable, as shown below:

==
slitt@mydesq2:~$ env x='() { :;}; \
echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test
slitt@mydesq2:~$ uname -a
Linux mydesq2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
slitt@mydesq2:~$ cat /etc/issue
Debian GNU/Linux 7 \n \l

env x='() { :;}; \
 echo vulnerable'  bash -c "echo this is a test"
bash: line 1: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
21:58:57 shihad:$ uname -a
Linux shihad 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
21:59:09 shihad:$ cat /etc/issue
Debian GNU/Linux 7 \n \l
bash --version
GNU bash, version 4.3.24(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>


This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Did you try apt-get update && apt-get upgrade yet? That should fix you
right up as long as your mirror is up to date

Cheers

Iain



Archive: https://lists.debian.org/54233116.6080...@thargoid.co.uk



Re: Jessie and Systemd integration

2014-09-18 Thread Iain M Conochie

snip

Don't be rude. Many of us are not system programmers (some of us aren't
professional programmers at all, we just use computers) but are
(sometimes) able to gather enough useful information to help report or
even fix a bug.

But there's no point in putting any effort into reporting the kind of
thing Don mentions if we already know that nothing will be done about
it.

This is the basic purpose of this whole set of threads. Is there
*really* going to be a practical alternative to using systemd, and if
so, will Debian support it? It is, for example, perfectly possible to
use Open Office in testing or unstable but it isn't available from the
repositories for anything later than Wheezy. But using an untracked Open
Office won't prevent the use of anything else, except possibly
libreoffice unless care is taken.

So we're looking for some kind of direction here, hoping that someone
who actually knows for sure will tell us whether the use of systemd as
init will be completely unavoidable in future Debian releases. If not,
if it will only be the 'default', then it may be worth putting a bit of
effort into making an alternative practical.

If, as seems likely, the people who actually run Linux are determined
that every Linux installation in future must be controlled by systemd,
we'd like to know that as well, as it will assist in future planning.
One of the many reasons for using Linux rather than Windows is that it
isn't a monoculture. If it will in future be a monoculture, if this is
all working towards a single, officially certified and legal Linux
distribution, that's one less reason for using it.


Spot on Joe!

I for one have found these discussions helpful with regards to knowing
what is in the pipe coming down the line. It has led me to do research
about this topic, and to be fair, I do not like what I see. Having said
that, at least I know about this now, I can do my own testing, poke at
it, break it, fix it and hopefully get a better understanding how it
works.

With all that in mind, I am glad the dive bomb trolls seem to have
abated and we can look forward to more useful discussions about systemd
and its relation to debian today, tomorrow and in the future.

Cheers

Iain



Archive: https://lists.debian.org/541ab3ad.6050...@thargoid.co.uk



Re: preseeding: disable systemd

2014-09-13 Thread Iain M Conochie


On 13/09/14 07:40, Jonathan Dowland wrote:

On Fri, Sep 12, 2014 at 07:02:06PM +0100, Iain M Conochie wrote:

Not at all. This is a basic preseed file I was using for wheezy installs. I
am testing it again on a new VM - gimmie an hour or so and I will post the
results

The one you posted was exactly that - a late_command to manually switch the
inits.

As explained - my late_command did not do that. As Brian has explained 
elsewhere, you can manually script a switch of the init system. So I 
guess the answer for the OP is not by default, but you can script it.


Cheers

Iain



Archive: https://lists.debian.org/5413f0c4.4020...@thargoid.co.uk



Re: preseeding: disable systemd

2014-09-12 Thread Iain M Conochie


On 12/09/14 17:35, Michael Biebl wrote:

Am 12.09.2014 15:30, schrieb Martin Vegter:

hello,

when installing Jessie, systemd is installed as default init.

Is it possible to use preseeding to override this, so that systemd will
not be installed?

No, this is currently not possible.


Oh really? This virtual machine must be imaginary as well as virtual then:

uname -a
Linux aitjes01 3.14-2-686-pae #1 SMP Debian 3.14.15-2 (2014-08-09) i686 GNU/Linux

iain@aitjes01:~$ dpkg -l | grep systemd
ii  libsystemd-journal0:i386 208-8 i386 systemd journal utility library
ii  libsystemd-login0:i386   208-8 i386 systemd login utility library

iain@aitjes01:~$ cat /etc/debian_version
jessie/sid

Martin,

  If you want the preseed file that built this VM I can email it to 
you. I will, of course, take out any sensitive info with suggestions for 
replacements


Cheers

Iain




Archive: https://lists.debian.org/54132566.6050...@thargoid.co.uk



Re: preseeding: disable systemd

2014-09-12 Thread Iain M Conochie


On 12/09/14 18:37, Michael Biebl wrote:

Am 12.09.2014 18:55, schrieb Iain M Conochie:

   If you want the preseed file that built this VM I can email it to you.
I will, of course, take out any sensitive info with suggestions for
replacements

I assume you used a post-install hook to uninstall systemd and install
sysvinit-core?
This is of course possible. But afaics this is not what Martin was
asking for. I might be wrong though.

Michael

Not at all. This is a basic preseed file I was using for wheezy
installs. I am testing it again on a new VM - gimmie an hour or so and I
will post the results


Cheers

Iain



Archive: https://lists.debian.org/5413351e.3080...@thargoid.co.uk



Re: preseeding: disable systemd

2014-09-12 Thread Iain M Conochie


On 12/09/14 18:54, Michael Biebl wrote:

Am 12.09.2014 19:37, schrieb Michael Biebl:

Am 12.09.2014 18:55, schrieb Iain M Conochie:

   If you want the preseed file that built this VM I can email it to you.
I will, of course, take out any sensitive info with suggestions for
replacements

I assume you used a post-install hook to uninstall systemd and install
sysvinit-core?

Or d-i preseed/late_command [1] to be specific.


Michael


[1] https://www.debian.org/releases/stable/i386/apbs05.html.en

cat /var/lib/cmdb/web/aitweb02.cfg |grep late
d-i preseed/late_command string cd /target/root; wget http://weezer.shihad.org/cmdb/hosts/aitweb02.sh && sh /target/root/aitweb02.sh


All this does is grab a script to set up motd, full ssl ldap auth, and a
logging server. Posting the scripts could get long and boring :)


But none of that matters, as it seems the new netboot files installer 
will use systemd. Bummer :(


Sorry for the noise.

Cheers

Iain



Archive: https://lists.debian.org/54134a3d.1080...@thargoid.co.uk



Re: Nmap of Debian 7.6 KDE machine

2014-09-10 Thread Iain M Conochie

On 09/09/14 03:54, John Conover wrote:

Nmap of a Debian 7.6 KDE machine indicates rpcbind (port 111) open.


This is otherwise known as the portmapper service. It is used by Remote
Procedure Call services, such as NFS (hence the RPC in the name). You can
check what services are using this with the following command:


rpcinfo -p ip-or-hostname-of-host

Cheers

Iain



What is rpcbind used for in a default installation?

 Thanks,

 John





Archive: https://lists.debian.org/541016ab.4020...@thargoid.co.uk



systemd killing sshd

2014-08-29 Thread Iain M Conochie

I just updated my jessie box, and noticed ssh was no longer running:

systemctl status ssh
ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: failed (Result: start-limit) since Fri 2014-08-29 10:33:29 BST; 2h 25min ago
Main PID: 16698 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ssh.service

Aug 29 10:33:28 weezer systemd[1]: Starting OpenBSD Secure Shell server...
Aug 29 10:33:28 weezer systemd[1]: Started OpenBSD Secure Shell server.
Aug 29 10:33:28 weezer sshd[16698]: Server listening on 0.0.0.0 port 22.
Aug 29 10:33:28 weezer sshd[16698]: Server listening on :: port 22.
Aug 29 10:33:29 weezer systemd[1]: Stopping OpenBSD Secure Shell server...
Aug 29 10:33:29 weezer systemd[1]: Starting OpenBSD Secure Shell server...
Aug 29 10:33:29 weezer systemd[1]: ssh.service start request repeated too quickly, refusing to start.
Aug 29 10:33:29 weezer systemd[1]: Failed to start OpenBSD Secure Shell server.
Aug 29 10:33:29 weezer systemd[1]: Unit ssh.service entered failed state.

Does anyone have any idea why systemd wants to stop ssh after it has 
started? After I run:


systemctl start ssh

it runs fine:

systemctl status ssh
ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: active (running) since Fri 2014-08-29 12:59:22 BST; 12s ago
Main PID: 4375 (sshd)
CGroup: /system.slice/ssh.service
└─4375 /usr/sbin/sshd -D

Aug 29 12:59:22 weezer systemd[1]: Starting OpenBSD Secure Shell server...
Aug 29 12:59:22 weezer systemd[1]: Started OpenBSD Secure Shell server.
Aug 29 12:59:22 weezer sshd[4375]: Server listening on 0.0.0.0 port 22.
Aug 29 12:59:22 weezer sshd[4375]: Server listening on :: port 22.


journalctl _SYSTEMD_UNIT=ssh.service

does not show anything interesting as the logs stop on 21st august.

Ta

Iain



Archive: https://lists.debian.org/54006d2d.1040...@thargoid.co.uk



Re: systemd killing sshd

2014-08-29 Thread Iain M Conochie

snip


Does anyone have any idea why systemd wants to stop ssh after it has
started? After I run:


Sounds like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756547

Caused by the ifupdown hook /etc/network/if-up.d/openssh-server rapidly
restarting the ssh service (if you have multiple interfaces) in a short
time frame.


yup. I have updated to reload instead of restart - will see what 
happens when I reboot


Cheers

Iain



Archive: https://lists.debian.org/54007630.8070...@thargoid.co.uk
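
One way to spot the condition reported in this thread from logs, as an added example that is not code from the thread or from systemd: it finds systemd's "start request repeated too quickly" refusal, counts the start and stop jobs for that unit just before it, and measures how long the service stayed down. The log lines are the ones posted in the original report; the function names, the `year` argument and the 10-second window default are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Journal lines copied from the "systemd killing sshd" report in this thread.
POSTED_LOG = """\
Aug 29 10:33:28 weezer systemd[1]: Starting OpenBSD Secure Shell server...
Aug 29 10:33:28 weezer systemd[1]: Started OpenBSD Secure Shell server.
Aug 29 10:33:28 weezer sshd[16698]: Server listening on 0.0.0.0 port 22.
Aug 29 10:33:28 weezer sshd[16698]: Server listening on :: port 22.
Aug 29 10:33:29 weezer systemd[1]: Stopping OpenBSD Secure Shell server...
Aug 29 10:33:29 weezer systemd[1]: Starting OpenBSD Secure Shell server...
Aug 29 10:33:29 weezer systemd[1]: ssh.service start request repeated too quickly, refusing to start.
Aug 29 10:33:29 weezer systemd[1]: Failed to start OpenBSD Secure Shell server.
Aug 29 10:33:29 weezer systemd[1]: Unit ssh.service entered failed state.
Aug 29 12:59:22 weezer systemd[1]: Starting OpenBSD Secure Shell server...
Aug 29 12:59:22 weezer systemd[1]: Started OpenBSD Secure Shell server.
Aug 29 12:59:22 weezer sshd[4375]: Server listening on 0.0.0.0 port 22.
Aug 29 12:59:22 weezer sshd[4375]: Server listening on :: port 22.
""".splitlines()

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([^\[\s]+)\[\d+\]: (.*)$")
REFUSED = re.compile(r"^(\S+) start request repeated too quickly")
FAILED = "Failed to start "


def parse(lines, year):
    """Yield (timestamp, program, message) for each syslog-style line."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def find_start_limit_hits(lines, year=2014, window_s=10):
    """Return one dict per start-limit refusal found in the log lines."""
    events = [e for e in parse(lines, year) if e[1] == "systemd"]
    hits = []
    for i, (ts, _, msg) in enumerate(events):
        refused = REFUSED.match(msg)
        if not refused:
            continue
        # The refusal names the unit, but the Starting/Stopping lines use
        # the unit's description; the "Failed to start" line links the two.
        desc = next((m[len(FAILED):].rstrip(".") for _, _, m in events[i + 1:]
                     if m.startswith(FAILED)), None)
        window = [m for t, _, m in events[:i]
                  if ts - t <= timedelta(seconds=window_s)]
        up_again = next((t for t, _, m in events[i + 1:]
                         if m == f"Started {desc}."), None)
        hits.append({
            "unit": refused.group(1),
            "description": desc,
            "refused_at": ts,
            # A stop job right after a clean start means something asked
            # for a restart; the daemon did not fail on its own.
            "starts_in_window": window.count(f"Starting {desc}..."),
            "stops_in_window": window.count(f"Stopping {desc}..."),
            "down_for": up_again - ts if up_again else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_start_limit_hits(POSTED_LOG):
        print(hit)
```

On the posted lines this reports ssh.service down from 10:33:29 until the manual start at 12:59:22, which is the window in which the box had no SSH access.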



Re: Choose your side on the Linux divide

2014-08-28 Thread Iain M Conochie

On 28/08/14 14:32, AW wrote:

On Thu, 28 Aug 2014 15:15:10 +0200
B lazyvi...@gmx.com wrote:

   Treating sysV of overly complex against systemd is… quite intriguing
   (to stay polite and avoid referring to brain and other things;)

All of the above is opinion, not source code based, and has nothing at to do
with anything other than -- I don't want to use it...


Based on some good rules of thumb:

1. Violates the K.I.S.S principle
2. Non textual _default_ stream
3. Feature creep



I've been using GNU/Linux for at least 15 years.  I've programmed in many
languages - my favorite being assembly.  I find bash scripting to be rather
cumbersome, and I find systemd significantly easier to use than sysvinit...
after I read through the documentation, that is...


Jolly good. Glad you like it. Some of us don't.


So, I guess I'm just the odd anomaly?  I suppose /everyone/ who runs GNU/Linux
finds bash scripting easy in comparison to filling in sectioned off lists of
options, except me?  And I suppose there are no users 'out there' who have read
about systemd and are eagerly learning how to use it to their advantage rather
than moaning about changing how something is done?

Please don't be facetious. Perhaps we can raise the level of this debate.

snip
apt-get source sysvinit

is all you need to type in order to compile your own init and run it on
whatever machine you wish...

What about in 2 years time? 5 years? Can you guarantee that will still
be the case?


I have some unix books from the 1980's and they are still relevant
today. That is one of the main strengths of 'nix systems IMO. And just
to bang this drum again, count how many of these principles are not
being adhered to.


This is the Unix philosophy: Write programs that do one thing and do it
well. Write programs to work together. Write programs to handle text
streams, because that is a universal interface.


So, the NSA comparison is complete rubbish and a total red herring.

Troll-baited... sure... however, I would hope that at the very least those
wishing systemd away have at least /looked/ a little at the documentation and
configuration of systemd.

--Andrew

And perhaps wishing those that don't like it just give up and learn it,
cos, hey - it's really cool probably is not going to address the
concerns that are being raised.

Iain









Re: Choose your side on the Linux divide

2014-08-27 Thread Iain M Conochie

Yeahrp, def'nitely tha end of Debian!

It really is a sad, sad day.

None of:
https://wiki.debian.org/Debate/initsystem/systemd
was in the slightest convincing ... barely even interesting.


Zennan

  Thank you! Finally someone has bothered to post a link to the whole
debate behind this. Apologies if this was posted before and I missed it.


  Gotta laugh at the irrelevant political stances statement. Yeah,
like whatever


Iain



Re: how to make gnome SHUT DOWN when I say SHUT DOWN

2014-08-15 Thread Iain M Conochie

On 15/08/14 19:08, Jerry Stuckle wrote:

On 8/15/2014 1:52 PM, Brian wrote:

On Fri 15 Aug 2014 at 09:28:42 -0800, Britton Kerin wrote:


Sometimes firefox doesn't really exit (despite all its windows being closed)
so when I say shutdown gnome pops up this dialog asking if I want to
shutdown despite a running process.  Then my laptop gets put in its bag
and tries to cook itself to death.

Is there a way to explain to gnome that when I say shutdown, I mean
SHUTDOWN NOW, REGARDLESS OF STUPID BROKEN PROCESSES?

Talk to it nicely; it is very sensitive to tone and is less likely to
respond to being shouted at.

(If you were hoping for a technical answer to a question devoid of
technical detail I am sorry to disappoint you).



I've found threatening to reformat and install Windoze does wonders :)


Also muttering xface and kde can work too :)

Iain


Jerry






Archive: https://lists.debian.org/53ee4d54.5070...@thargoid.co.uk



Re: systemd fails to poweroff - A stop job is running for Session 2 of user $USER

2014-08-14 Thread Iain M Conochie

On 12/08/14 22:23, Lisi Reisz wrote:

On Tuesday 12 August 2014 17:53:19 Martin Steigerwald wrote:

But if the english meaning of the words give
exact this difference, so well. In my understanding there never was much of
a difference between halt and poweroff.

I'm not quite clear what you are saying, but if you are saying that there is
not much difference in the English meaning of the words poweroff and
halt, then I must take issue with you.

Halt simply means stop.  Poweroff means turn the power off.  A big difference
in the words.  Think of a car at traffic lights.  You stop it: halt it.  You
do not power off, i.e. turn the engine off.  (Unless you accidentally stall
it!)
Yet this is exactly what my 2 year old car does now. I halt at the 
lights and the engine powers off. Is this a bug?


Given enough usage, a bug can become a feature.

Iain


Lisi






[OT] [politics] Re: Skype access cancelled for Debian versions before 7

2014-08-09 Thread Iain M Conochie


On 03/08/14 00:21, Joel Rees wrote:


Google has too much money and is out of control.

The NSA has too much money and is out of our control.

I find it interesting that you feel more in control of a privately 
funded corporation than a legitimate arm of a sovereign government. It 
is obvious what the NSA want to do (snoop), I'm not so sure what google 
want to do.


Almost 300 million US citizens have the ability to curtail the NSA's 
behaviour if enough of 'em want to make something of it; this is their 
constitutional right.


Don't believe the hype, corporations are in no way in our control.

Iain



Archive: https://lists.debian.org/53e687b8.1030...@thargoid.co.uk



Netbooting jessie installer gives kernel mismatch

2014-07-09 Thread Iain M Conochie

Hello debian people

  I am trying to install jessie into a vm, using a netboot. The 
installer complains about not being able to find modules for the running 
kernel. I downloaded the vmlinuz and initrd from the following directory 
from the mirror I am trying to install from:


debian/dists/jessie/main/installer-i386/current/images/netboot/debian-installer/i386/

The timestamps are from 16th March (so quite old I guess) and the kernel 
version is 3.13-1-486 (3.13.5.1)


 I cannot see any packages for the 3.13-1 kernel in the repo; is there 
anyone running jessie that can tell me


1. What kernel version it runs
2. Where I can locate a better kernel / initrd combination for network 
booting


Any more info I can provide please ask

Cheers

Iain



Archive: https://lists.debian.org/53bd646d.3070...@thargoid.co.uk



Re: Preseeded setting on openssh-server ignored

2014-06-15 Thread Iain M Conochie

On 14/06/14 13:57, Brian wrote:

On Sat 14 Jun 2014 at 11:50:57 +0100, Iain M Conochie wrote:


Can you categorically state what _are_ the preseed options for the
openssh-server package? I can find 4:

The ones you listed below are for a fresh install of Wheezy. Jessie is
different. This output can be obtained from

debconf-show openssh-server

Excellent. Thanks Brian. That is exactly what I wanted

Cheers

Iain



Archive: https://lists.debian.org/539d6f9f.4080...@thargoid.co.uk



Re: Preseeded setting on openssh-server ignored

2014-06-14 Thread Iain M Conochie

snip

To date I haven't been able to find documented lists of preseeds
anywhere, except for the standard debian installer values given in

You haven't looked hard enough.


Debian's and Ubuntu's example preseed files. I found this preseed option
in forum postings somewhere.

Which preseed option? You might not be able to find the forum posting
but please would you quote this option so we know what you are talking
about?

I can categorically state there is no preseed option for permit-root-login
in Wheezy, Squeeze or Lenny.
  
Can you categorically state what _are_ the preseed options for the 
openssh-server package? I can find 4:


openssh-server  ssh/vulnerable_host_keys              note
openssh-server  ssh/use_old_init_script               boolean true
openssh-server  ssh/encrypted_host_key_but_no_keygen  note
openssh-server  ssh/disable_cr_auth                   boolean false

Do you know of any others? Where are these documented? And while we are 
at it, are preseed options for each package documented in the package?


Cheers

Iain



Archive: https://lists.debian.org/539c2911.3010...@thargoid.co.uk



Re: LVM preseed install fails with partition error

2014-03-17 Thread Iain M Conochie

snip



Hi Iain,

I removed all the partman related lines and created a new preseed 
file. It works now on vm but has issue with baremetal for which i'll 
start a new thread. This is my complete preseed file for reference - 
http://paste.debian.net/88147/


Cheers,
Sandeep.


I think it was getting picky with no . after the partition definition. I
will be interested to see what issues you have with baremetal that
do not exist for a VM


Cheers

Iain



Re: LVM preseed install fails with partition error

2014-03-13 Thread Iain M Conochie

Hi Sandeep

  I think you are missing a section to describe the LVM volume group 
you want to create. This one works for me:


  100 1000 10 ext3   \
   $defaultignore{ } \
   $primary{ }   \
   method{ lvm } \
   device{ /dev/sda }  \
   vg_name{ systemlv }\
  .

I think you also need to add

in_vg{ systemlv }

to all the logical volumes (partitions) you want to create. Obviously, 
you can change the name systemlv to what ever you want.


You may also want to add this to the disk partition definition:

d-i partman/choose_partition select Finish partitioning and write changes to disk


Good luck!

Iain

On 13/03/14 19:55, Sandeep Raman wrote:


I am using a preseed file on a physical server with the following 
requirement:


The 146gb disk need to be partitioned as 120gb '/' partition and 25gb 
'swap' partition with lvm.


The install fails with the error Description: Failed to partition the
selected disk
This happened because the selected recipe does not contain any
partition that can be created on LVM volumes.


The following lines from the preseed specific to disk configuration:

d-i partman-auto/disk string /dev/sda
d-i partman-auto/method string lvm
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/device_remove_lvm_span boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman/choose_partition select finish
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/choose_recipe select root_swap
d-i partman/default_filesystem string ext4
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-auto/expert_recipe string root_swap :: \
12 10 12 ext4 \
$defaultignore{ }
$lvmok{ } lv_name{ root } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ / }

25000 20 25000 linux-swap \
$lvmok{ } lv_name{ swap_1 } \
method{ swap } format{ }

Is any other option needed in the preseed for this to work?

Cheers,
Sandeep.





Archive: https://lists.debian.org/5305.1020...@thargoid.co.uk
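
A check for the recipe problems raised in this thread and in the 2014-03-17 follow-up (line continuations, the " ." that closes each partition, and in_vg/vg_name agreement), as an added example that is not part of either post and not a Debian tool. POSTED is the recipe exactly as it appears in the question; REVISED is assembled here from the reply's stanza and advice and is only known to pass these checks, not tested in an installer; `lint_recipe` and its finding names are hypothetical.

```python
import re

# The expert_recipe value exactly as it appears in the question above.
POSTED = r"""d-i partman-auto/expert_recipe string root_swap :: \
12 10 12 ext4 \
$defaultignore{ }
$lvmok{ } lv_name{ root } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ / }

25000 20 25000 linux-swap \
$lvmok{ } lv_name{ swap_1 } \
method{ swap } format{ }
"""

# Constructed: the reply's volume-group stanza plus the posted partitions,
# with continuations, terminators and in_vg{ } added as the reply advises.
REVISED = r"""d-i partman-auto/expert_recipe string root_swap :: \
100 1000 10 ext3 \
$defaultignore{ } $primary{ } method{ lvm } \
device{ /dev/sda } vg_name{ systemlv } \
. \
12 10 12 ext4 \
$lvmok{ } in_vg{ systemlv } lv_name{ root } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ / } \
. \
25000 20 25000 linux-swap \
$lvmok{ } in_vg{ systemlv } lv_name{ swap_1 } \
method{ swap } format{ } \
.
"""

NUM = re.compile(r"^-?\d+%?$")


def lint_recipe(text):
    """Return (kind, detail) findings for an expert_recipe preseed value."""
    if not text.strip():
        return [("empty", "no recipe text")]
    findings = []
    lines = text.splitlines()
    last = max(i for i, line in enumerate(lines) if line.strip())
    # 1. A multi-line preseed value continues only while lines end in "\".
    for n, line in enumerate(lines[:last], start=1):
        if not line.rstrip().endswith("\\"):
            why = "blank line" if not line.strip() else "no trailing backslash"
            findings.append(("continuation", f"line {n}: {why}"))
    # 2. Each partition definition must be closed by a stand-alone ".".
    body = " ".join(l.rstrip().rstrip("\\") for l in lines).split("::", 1)[-1]
    stanza, stanzas = [], []
    for tok in body.split():
        if tok == ".":
            stanzas.append(stanza)
            stanza = []
        else:
            stanza.append(tok)
    if stanza:
        findings.append(("terminator", "last partition is not closed by ' .'"))
        stanzas.append(stanza)
    for toks in stanzas:
        if len(toks) < 4 or not all(NUM.match(t) for t in toks[:3]):
            findings.append(("header", "expected '<min> <priority> <max> <fs>'"))
        # A second "<n> <n> <n> <fs>" inside a stanza is a partition that
        # started without the previous one being closed.
        for j in range(1, len(toks) - 3):
            if all(NUM.match(t) for t in toks[j:j + 3]) and not NUM.match(toks[j + 3]):
                start = " ".join(toks[j:j + 4])
                findings.append(("terminator", f"no ' .' before '{start}'"))
    # 3. Every in_vg{ X } needs a stanza that creates vg_name{ X }.
    defined = set(re.findall(r"vg_name\{\s*(\S+)\s*\}", body))
    used = set(re.findall(r"in_vg\{\s*(\S+)\s*\}", body))
    for vg in sorted(used - defined):
        findings.append(("volume-group",
                         f"in_vg{{ {vg} }} has no matching vg_name{{ {vg} }}"))
    return findings


if __name__ == "__main__":
    for kind, detail in lint_recipe(POSTED):
        print(f"{kind}: {detail}")
```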



Re: How to setup a simple email server?

2014-01-25 Thread Iain M Conochie


On 25/01/14 19:09, Garry wrote:

I would like to setup a simple email server and run it out of my house. I have 
everything needed in order to do it. In fact I had one setup successfully about 
a year ago and crashed it. I can't figure out how I did it.

There's only two email addresses I would like to setup.

I would like to use postfix and dovecot; I don't need MySQL.

My ISP seems to block port 587; all other ports are open (25, 110, etc.)

I have issues wrapping my mind around setting up mx records.

Say your domain is domain.com and your static IP is 123.45.67.89

Add an A record for mail.domain.com to point to 123.45.67.89
Add an MX record to point to mail.domain.com


The domain is registered on namecheap.com

My IP address is static ipv4.
Will you be running this behind a NAT'ed firewall? If so make sure you 
add this to your postfix config:


proxy_interfaces = 123.45.67.89

Do you already have an email provider? You could ask them to be a 
secondary MX for you, for when your DSL line goes down. While not 
strictly necessary, it is helpful.


Good Luck

Iain



I'm running (would like to keep running) Debian 6 32bit.

I've followed all the various guides that pull up in search; with each I run 
into problems I can't seem to resolve.

Can someone point me to a tutorial or provide me with some resources I can 
follow? I am very appreciative with any help willing to be offered. Thank you.





Archive: http://lists.debian.org/52e43768.8050...@thargoid.co.uk



Re: sad but true, Linux sucks, a bit

2014-01-16 Thread Iain M Conochie

snip


A lot of Linux geeks spent a lot of time worrying about Microsoft's 
desktop dominance over those years.  I would often hear people claim 
that Linux had to get on to the desktop *now* (1999, 2004, 2007, etc) 
or it would be locked out *forever*.


I concluded some time in the late 90s that sooner or later a 
disruptive technology would come along and completely rewrite the 
rules on computer interfaces, making any current desktop dominance 
irrelevant.


Absolutely spot on.

Gazing into my crystal ball, there will be a 3D interface that will blow 
us all away, and the kids will laugh at us for using a mouse / keyboard.


Iain



Archive: http://lists.debian.org/52d81889.2050...@thargoid.co.uk



Re: sudo security Was: Reporting missing package during install

2013-12-12 Thread Iain M Conochie

On 12/12/13 08:20, Gian Uberto Lauri wrote:

Iain M Conochie writes:
   On 11/12/13 08:01, Gian Uberto Lauri wrote:
   Encrypt your hard disk.
   
Hoping that the encryption you use has no backdoor.
   You do understand what the peer review process is right?

I got it about 20 years ago. Is it enough?

Maybe - just maybe ;)


   Although not a
   magic bullet, it can help weed this out.
  
You say it. It is not bullet proof. The bullet has already pierced the
target once. Therefore it may happen again.

May - but not assured.

snip



But I still think that

 That once one has his hands on the hardware there is no
  user/prom/bios password stopping his intrusion.
  
means that no password at all will stop an intruder that can
physically reach a machine.


Then I guess I should have stated passphrase for your encryption, not
password for access to the machine.



snip

I think that the security problems that sudo could pose with the
default configuration could really be useful in a situation where
you need a large number of bots. What could trigger this? a large user
base with a majority of non-tech aware users.


Wait - so by default you mean having a NOPASSWD entry or have an entry 
that allows certain users to enter a password when using sudo and then 
having a time where they do not need to? - The reason I ask is that I 
have never seen a NOPASSWD entry by default.


The 2nd one is probably the best trade off between security and usability.

On any multiuser system, the access to root account should be limited. 
This is the whole point of sudo. On a home machine I guess you can argue 
you do not really need it. Surely it is more secure to give users 
limited root access that you control and is logged rather than everyone 
having the root password?


Cheers

Iain



Archive: http://lists.debian.org/52a98e39.5040...@thargoid.co.uk



Re: sudo security Was: Reporting missing package during install

2013-12-12 Thread Iain M Conochie

On 12/12/13 11:43, Gian Uberto Lauri wrote:

Iain M Conochie writes:

I got it about 20 years ago. Is it enough?
   Maybe - just maybe ;)

Indeed, never be sure! :)

You say it. It is not bullet proof. The bullet has already pierced the
target once. Therefore it may happen again.
   May - but not assured.

Indeed. You usually prepare for bad things hoping they'll never
arrive.
Exactly! Kinda like house fire insurance (or any kind of insurance for 
that matter I guess)


   Then I guess i should have stated passphrase for your encryption, not
   password for access to the machine.

A good passphrase for the encryption will slow down (even halt if you
are lucky) an attacker that has complete control of your machine,
while no password will protect a computer that is physically in the
hands of the enemy.

Is that a statement we can agree ? BTW, it's my point of view.

Yes - especially if you say no password will completely protect a computer.


I think that the security problems that sudo could pose with the
default configuration could really be useful in a situation where
you need a large number of bots. What could trigger this? a large user
base with a majority of non-tech aware users.
  
   Wait - so by default you mean having a NOPASSWD entry or have an entry
   that allows certain users to enter a password when using sudo and then
   having a time where they do not need to? - The reason I ask is that I
   have never seen a NOPASSWD entry by default.
  
No, having one user with ALL=(ALL) ALL by default AND having
credential caching.

The problem is not strictly technical. There is no technical difference in
guarding an account with id 0:0 that you can access by direct logon or
having root unreachable by logon and one user that can become root via
su or sudo.

The problem is in the usage of the account, it's a psychological one:
your everyday account is your everyday account, and using it with
strict security - as appropriate for an administrative account - could
be what someone labels a PITA. And this relaxed behaviour may lead
to security breaches.

Credential cache hijacking in sudo is one of the paths an attacker may
use: the change of the timestamp was a trivial one to find and has
been fixed; I fear that subtler attacks may be possible.

And in these cases it is not that sudo is misbehaving. My opinion is that
the poor program has been abused.


Yup - I agree with all of this.

Cheers

Iain



Archive: http://lists.debian.org/52a9b434.3040...@thargoid.co.uk
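
A small audit for the three things this exchange turns on, as an added example that is not part of the thread and not a sudo tool: accounts granted ALL commands, NOPASSWD rules, and whether credential caching is switched off with `Defaults timestamp_timeout=0`. The sudoers text is a constructed sample; `audit_sudoers` is a hypothetical helper that reads one rule per line and does not expand aliases or follow include files.

```python
import re

# Constructed sample in the shape discussed above: an everyday account
# with ALL=(ALL) ALL, no timestamp_timeout override, one NOPASSWD rule.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

DEFAULTS = re.compile(r"^Defaults(?P<scope>[:@!>]\S+)?\s+(?P<opts>.+)$")
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")


def audit_sudoers(text):
    """Summarise broad grants, NOPASSWD rules and credential caching."""
    report = {"all_commands": [], "nopasswd": [], "timestamp_timeout": None}
    # Join backslash-continued lines before looking at individual entries.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        # Skip blanks, comments, include directives and alias definitions.
        if not line or line[0] in "#@" or line.split()[0].endswith("_Alias"):
            continue
        d = DEFAULTS.match(line)
        if d:
            # Only a global Defaults line changes caching for every user.
            if d.group("scope") is None:
                for opt in d.group("opts").split(","):
                    key, _, val = opt.strip().partition("=")
                    if key.strip() == "timestamp_timeout" and val.strip():
                        report["timestamp_timeout"] = float(val)
            continue
        r = RULE.match(line)
        if not r:
            continue
        rest = r.group("rest")
        tags = re.findall(r"\b([A-Z]+):", rest)
        cmds = [c.strip() for c in re.sub(r"\b[A-Z]+:\s*", "", rest).split(",")]
        if "NOPASSWD" in tags:
            report["nopasswd"].append((r.group("who"), cmds))
        if "ALL" in cmds:
            report["all_commands"].append(r.group("who"))
    # timestamp_timeout=0 makes sudo ask for the password every time; when
    # the option is unset the build's default applies and caching is on.
    report["credential_caching"] = report["timestamp_timeout"] != 0
    return report


if __name__ == "__main__":
    print(audit_sudoers(SAMPLE))
    print(audit_sudoers("Defaults timestamp_timeout=0\n" + SAMPLE))
```

When the option is unset, running `sudo -V` as root prints the timeout the installed build actually uses.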



Re: sudo security Was: Reporting missing package during install

2013-12-11 Thread Iain M Conochie

On 11/12/13 08:01, Gian Uberto Lauri wrote:

   Encrypt your hard disk.

Hoping that the encryption you use has no backdoor.
You do understand what the peer review process is right? Although not a 
magic bullet, it can help weed this out.





Choose a *very* good password.

For the encryption, I suppose. That once one has his hands on the
hardware there is no user/prom/bios password stopping his intrusion.


Oh please. A BIOS password does nothing if your computer is stolen. Just 
remove the disk and put it in another one.




   Unless they are a honey trap - and then you can see what is actually
   trying to break into your network

Honey trap are honey trap, not unguarded computers - I mean computer
people use without care for security.

OK - misunderstanding there - sorry.


Security is a journey, not a destination. No one thing will make your 
computer use secure. Well, maybe never connecting it to a network is the 
one major thing you can do. However, that makes it un-usable in my 
opinion. You can never be completely secure. Just as in the world you 
can never be completely safe. You have to make compromises.


The one thing I would say is that security by obscurity is worse than no 
security as it gives you the nice warm glow that you are secure without 
being so. I see this a lot in the commercial world and it really sucks :(


Iain



Archive: http://lists.debian.org/52a8cc64.7000...@thargoid.co.uk



Re: sudo security Was: Reporting missing package during install

2013-12-10 Thread Iain M Conochie


On 10/12/13 16:56, Gian Uberto Lauri wrote:

snip

Physical security is indeed an issue. When attackers can put their
greedy hands on a computer there is nothing to stop them :)
Encrypt your hard disk. Choose a *very* good password. That will slow 
them down, if not halt them. But it depends on *who* has stolen your 
computer.


   Perhaps somebody with real server experiences for real
   multi-user-systems could enlighten us, if sudo does cause any issue and
   why Debian anyway decided to make it a default.

I had some in the past, even in the not so far past. Even if I am a
senior developer, the Italian part of my signature says Software
farmer and sysadmin in others' wasted time [**].

And unguarded machines are a real boon for wrongdoers.
Unless they are a honey trap - and then you can see what is actually 
trying to break into your network


Iain






Archive: http://lists.debian.org/52a756a7.8050...@thargoid.co.uk



Re: dhcpd runs as root

2013-08-29 Thread Iain M. Conochie
Does the daemon allow dropping privileges? If not, then it will not be able to 
bind to a port below 1024. 

This option does not seem to be available in dhcpd

Cheers

Iain

Andrew Wood and...@perpetualmotion.co.uk wrote:
On 28/08/13 01:13, Jerry Stuckle wrote:

 Reading through the bug report, it looks like upstream didn't accept 
 it.  Debian stays as close as possible to upstream, for good reason.
I agree it's good to keep things as close as possible to upstream, but 
unless upstream can present some compelling argument for why they've 
chosen to run it as root, surely this would be a good case to deviate? 
Running a network daemon as root is poor security practice and just 
plain poor design.


Archive: http://lists.debian.org/521f3d77.80...@perpetualmotion.co.uk


Re: PXE, automatic installation and reboot

2013-07-29 Thread Iain M Conochie
On Thu, 2013-07-25 at 17:30 +0200, Jimmy Thrasibule wrote:
 Hi,
 
 I've set up an environment to automatically install some Debian boxes
 via the network using PXE, TFTP and Preseed. If this part is working
 fine, I'm facing a little issue when the installation is done.
 
 I'm trying to make everything automatic with no human intervention. The
 problem is that when the installation is done, the box will reboot, boot
 again using PXE and start a new installation process.

You can prevent that from happening by using a specific configuration
file for every machine you install. The name of the file is based on the
HEX of the IP address that the machine will get from DHCP when you PXE
boot.

E.G. have a file called 0A641901 for a machine with IP 10.100.25.1

You also have a default file in your pxelinux.cfg file with the
following in it:

# generated by fai-chboot
default fai-generated

label fai-generated
localboot 0

You then have a simple PHP script to move the boot config to,
say, .disabled and when the machine reboots it will boot from local
disk.

Example PHP script:

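<?php

// Use the address of the requesting client; fall back to a fixed test IP.
if (isset($_SERVER['REMOTE_ADDR']))
    $ip = $_SERVER['REMOTE_ADDR'];
else
    $ip = "192.168.1.203";

// pxelinux looks for the IPv4 address as 8 upper-case hex digits, so pad
// with leading zeros (10.100.25.1 -> 0A641901; dechex() would drop the 0).
$long = ip2long($ip);
if ($long === false)
    exit("Not an IPv4 address\n");
$hex = sprintf("%08X", $long);
print "$hex\n";

// Move the per-host config aside so the next PXE boot uses the default file.
$origin = "/var/lib/tftpboot/pxelinux.cfg/$hex";
$destination = "/var/lib/tftpboot/pxelinux.cfg/$hex.disabled";
passthru("mv $origin $destination");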

You can call this script from your preseed/late_command target

Cheers

Iain


 
 How can I prevent that without having to monitor every installation
 process? The idea would be to kind of deny access to `pxelinux.0` when a
 host had already made a request.
 
 --
 Jimmy
 
 
 



Archive: 
http://lists.debian.org/1375101097.5786.9.ca...@lnxdesk.rivers.proact.co.uk
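
The per-host file naming and rename step described in this message, as an added shell example that is not part of the original post: it validates the address before building the name, pads to eight hex digits, and renames without passing the name through a command string. The function names and the temporary demo directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the temporary
# directory are assumptions; the file names follow the scheme in the post.

# Print the pxelinux.cfg name for an IPv4 address: 8 upper-case hex digits.
# The body runs in a subshell so the IFS change and "exit" stay local.
pxe_hex_name() (
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) exit 1 ;;      # digits and single dots only
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) exit 1 ;;                # no leading zeros, max 3 digits
        esac
        [ "$octet" -le 255 ] || exit 1
    done
    printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4"
)

# Rename CFG_DIR/<HEX> to CFG_DIR/<HEX>.disabled so the next PXE boot falls
# through to "default" (localboot 0). Returns 2 for a bad address, 3 when
# there is no regular per-host file to disable.
disable_pxe_config() {
    cfg_dir=$1
    name=$(pxe_hex_name "$2") || return 2
    src=$cfg_dir/$name
    [ -f "$src" ] && [ ! -L "$src" ] || return 3
    mv -- "$src" "$src.disabled"
}

# Demo on a constructed directory (stand-in for /var/lib/tftpboot/pxelinux.cfg).
demo_dir=$(mktemp -d)
: > "$demo_dir/0A641901"
disable_pxe_config "$demo_dir" 10.100.25.1 && ls "$demo_dir"
rm -rf "$demo_dir"
```
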



Re: PXE, automatic installation and reboot

2013-07-29 Thread Iain M Conochie

 
 You also have a default file in your pxelinux.cfg file with the
 following in it:

This should read pxelinux.cfg Directory not file. And the default file
is called default

Ta

Iain


Archive: 
http://lists.debian.org/1375101811.5786.10.ca...@lnxdesk.rivers.proact.co.uk



preseed LVM with no /boot partition on wheezy

2013-06-21 Thread Iain M Conochie
Good evening people,

  I am trying to create a preseed file using LVM but with no boot partition. 
When partman runs, it creates recognises the partitions but stops to ask if I 
wish to continue as I have no /boot partition. I answer yes (twice!) and the 
installation continues. I can boot the installed system

  Does anyone know an option to give in the preseed file to partman to skip 
this question?

Cheers

Iain


Archive: http://lists.debian.org/201306202158.36843.i...@shihad.org



Re: preseed LVM with no /boot partition on wheezy

2013-06-21 Thread Iain M. Conochie
Thanks Brian. I will check this out and report back.

Cheers

Iain

Brian a...@cityscape.co.uk wrote:

On Thu 20 Jun 2013 at 21:58:36 +0100, Iain M Conochie wrote:

   I am trying to create a preseed file using LVM but with no boot partition.
 When partman runs, it creates recognises the partitions but stops to ask if I
 wish to continue as I have no /boot partition. I answer yes (twice!) and the
 installation continues. I can boot the installed system
 
   Does anyone know an option to give in the preseed file to partman to skip
 this question?

The templates file in the partman-auto-lvm udeb should tell you.


Archive: http://lists.debian.org/20130621100622.GC13890@desktop


Re: preseed LVM with no /boot partition on wheezy

2013-06-21 Thread Iain M Conochie
On Friday 21 Jun 2013 11:45:04 Tom H wrote:
 On Thu, 20 Jun 2013 21:58:36, Iain M Conochie i...@shihad.org wrote:
   I am trying to create a preseed file using LVM but with no boot partition.
   When partman runs, it creates recognises the partitions but stops to ask if I
   wish to continue as I have no /boot partition. I answer yes (twice!) and the
   installation continues. I can boot the installed system
   
   Does anyone know an option to give in the preseed file to partman to skip
   this question?
 
 d-i partman-auto-lvm/no_boot boolean true

Nice one Tom. Works like a charm!

Cheers

Iain


Archive: http://lists.debian.org/201306212203.30047.i...@shihad.org