Re: Free TCP/IP port numbers?

2017-09-30 Thread shawn wilson
The answer is correct - IANA maintains the list of ports. You may also look
at the services file nmap maintains or ask Shodan what it's seen publicly
if you want a public popularity contest of ports.

As it is, I'm pretty sure you're over engineering this. Have a config file
that has a port range option and be done with it. Also, you didn't mention
needing <1024 so pick a port and be done with it (what everyone else does).

Lastly, certain ports are so old, their intended services shouldn't be
online anymore (see the first 20 ports or 90-110 - off the top of my head -
not sitting here and going through them) or if the service probably won't
be used in ICS or on a box designed to be an internet backbone, use one of
those.

On Sep 30, 2017 21:50, "Victor Porton"  wrote:

> Alexander V. Makartsev wrote:
>
> > There is an official list of all registered port numbers:
> > https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
> >
> > You can choose any port that is not in the list, to be sure they won't
> > clash.
>
> The list of port numbers you pointed to me is a subset (or at least not a
> superset) of the full list used by Debian packages.
>
> Assuring that my port is not in this IANA list is not enough to ensure that
> my port number will not clash with a port number used by a Debian package
> (by default).
>
> So your answer to my question is wrong.
>
> > On 01.10.2017 06:04, Victor Porton wrote:
> >> We are going to install a range of software on a Debian Linux
> >> installation. Because we run the same software (such as Celery) several
> >> times, we need to use port numbers different than the standard Debian
> >> port numbers chosen by default (because we can't run more than one
> >> instance of a server with the same port, and thus using the standard
> >> port number for all servers would fail).
> >>
> >> How to choose TCP/IP port numbers for server software we run in such a
> >> way that they don't clash with "standard" Debian port numbers?
> >>
> >> In Debian are there any ranges of port numbers dedicated (so that they
> >> wouldn't clash with "standard" that is used by default port numbers) for
> >> servers configured by users?
> >>
> >> Note that we run (at least some of) our software not as root, so we
> >> can't use ports below 1024.
>
> --
> Victor Porton - http://portonvictor.org
>
>
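
One way to apply the advice in this message (a configured port range, checked against a services list), as an added example that is not from the thread. The function names, the sample services data and the 20000-20010 range are assumptions.

```shell
#!/bin/sh
# Added example. Pick ports for extra service instances from a configured
# range, skipping every TCP port named in a services file (/etc/services and
# nmap-services both use "name port/proto ...") and every port inside the
# kernel's ephemeral range, where an outgoing connection could take the port
# before the daemon binds it.

# Constructed sample in /etc/services format (not a real registry extract).
sample_services() {
    cat <<'EOF'
# name      port/proto   comment
ssh         22/tcp
example-a   20000/tcp    # constructed entry
example-a   20000/udp
example-b   20002/tcp    # constructed entry
EOF
}

# registered_ports FILE: print each TCP port listed in FILE, sorted, once.
registered_ports() {
    awk '$1 !~ /^#/ && split($2, a, "/") == 2 && a[2] == "tcp" && a[1] ~ /^[0-9]+$/ { print a[1] }' "$1" |
        sort -n -u
}

# pick_ports FILE LOW HIGH COUNT [EPH_LOW EPH_HIGH]
# Prints COUNT usable ports, one per line. Returns 1 if the range is too
# small, 2 if it starts below 1024 (binding there needs root).
# The ephemeral defaults are the stock Linux values; the live ones are in
# /proc/sys/net/ipv4/ip_local_port_range.
pick_ports() {
    services=$1 low=$2 high=$3 count=$4
    eph_low=${5:-32768} eph_high=${6:-60999}
    [ "$low" -ge 1024 ] || { echo "range starts below 1024" >&2; return 2; }
    registered_ports "$services" |
        awk -v low="$low" -v high="$high" -v want="$count" \
            -v el="$eph_low" -v eh="$eph_high" '
            { taken[$1] = 1 }
            END {
                for (p = low; p <= high && n < want; p++) {
                    if (p in taken) continue          # registered service
                    if (p >= el && p <= eh) continue  # ephemeral range
                    print p
                    n++
                }
                exit (n < want)
            }'
}

tmp=$(mktemp)
sample_services > "$tmp"
pick_ports "$tmp" 20000 20010 3    # prints 20001, 20003, 20004 (one per line)
rm -f "$tmp"
```

A port that passes this check can still be taken by something already listening on the host, so the service should still fail loudly if its bind fails.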


Re: pen testing beginner

2016-10-30 Thread shawn wilson
Also, there's tons of free help online (mailing lists - duh, irc, reddit,
Twitter, and Facebook has helped me once you get to know the right people).
There are also loads of security conferences and meetups (BSides, ISSA,
2600, etc).

On Oct 30, 2016 13:54, "shawn wilson" <ag4ve...@gmail.com> wrote:
>
> I'll caveat my response by saying I'm not in this field - I'm a lowly
> sysadmin :)
>
> On Oct 30, 2016 00:01, "David Christensen" <dpchr...@holgerdanske.com>
> wrote:
> >
> > On 10/29/2016 11:50 AM, emetib wrote:
> > > have been a linux only person since before 2000 (late 2.2 early 2.4
> > > kernels), yet haven't done much with it in the last ten years. ...
> >
> > > i'm looking at getting back into it and into pen
> > > testing.
> >
> > I assume you mean penetration testing.  Given that computers and
> > networks are built from many hardware, firmware, and software work
> > products, I would expect that there are specialties.  It might help to
> > pick one, and then find the knowledge and skill dependencies.
> >
>
> It really would, but I assume he'll find some subset he enjoys more than
> others after some learning. You'll either learn enough to run tools and
> scan for known issues or find it more enjoyable to research all the myriad
> of ways our tech is broken.
>
> Either way, you want to know (at least) the basics of programming. I
> touched bash, python, ruby, and perl and json, yaml and ini last week
> (mainly at work) and I can assure you they're all pretty much the same, so
> don't really worry about learning multiple until you must - pick one and
> learn it. Pick something useful (ie, most people don't use Smalltalk so your
> support community and modules won't be as large so maybe not the best - fun
> language though) and maybe you find yourself using a tool a lot - might
> consider learning the language it's written in. To be more precise -
> Metasploit is ruby, recon-ng is python, nmap is c (with an o object passed
> everywhere), volatility is python, etc.
>
> Pentesting - start staying up to date with CVEs and netsec on reddit and
> darkreading and the like. Learn the tools and what they do. Lots of CTFs
> are downloadable after the event (and people often do writeups that you can
> look for when you run into trouble). And learn your tools - this includes
> basic Unix like strings, grep, file (know the limitations of magic though),
> find but also nmap, msf, Wireshark, volatility, recon-ng, sqlmap, etc. This
> isn't to say you shouldn't know how the tools you run work, but I find it
> useful to learn the tool and look at what it's doing. Ie, start Wireshark
> and capture and run a basic nmap and see what happens.
>
> Exploit dev - so you can either go down the network path - I'd start by
> grepping the RFCs for the word "should" and "may" and see which daemons
> have issues with that part of their implementation (also be aware networks
> love time and some errors may lead to leaks). If you go down the normal x86
> exploit dev path, I'd start by looking at old viruses and malware and PoC
> exploits and understand how they work. Also probably want to setup
> cuckoo sandbox and mastiff.
>
> All of this said, I'd strongly suggest having a good rounded base of
> knowledge. So get ready for the real reading list - not just to sit on the
> couch with - read them while in front of a computer:
> PC asm (freely available online - nostarch also publishes a much bigger /
> more in depth / pricier assembly book I have and haven't gotten around to
> reading yet)
> Hacking the art of exploitation
>
> And depending on which route you go:
> Metasploit
> Practical malware analysis
>
> You'll notice a trend - other than pc assembly, they're all published by
> nostarch. I'm unaware of any books on malware dev - which is why I
> recommend looking at prior malware and an analysis book, though I'm sure
> your gov can provide tons of literature here if you ask nice enough ;)
>
> Most conferences also post talks on YouTube - for the most part, I
> suggest being active as you watch them (pause, Google, read, return,
> repeat).
>
> >
> > > from what i have been reading lately i'm going to have to know quite
> > > a bit about a couple of different things that i didn't jump to deep
> > > into before, programming and networking especially. ...
> >
> > > i have given myself a four year window on this learning cycle and am
> > > curious about going about it. ...
> >
> > > please just give advice and not right or wrong opinions on what i
> > > maybe trying to do with my options and if i should actually take some
> > > classes to augment my self learning.
> >
> > If you are serious about this, go get yourself a degree in computer
> > science.  I preferred and recommend th

Re: pen testing beginner

2016-10-30 Thread shawn wilson
I'll caveat my response by saying I'm not in this field - I'm a lowly
sysadmin :)

On Oct 30, 2016 00:01, "David Christensen" 
wrote:
>
> On 10/29/2016 11:50 AM, emetib wrote:
> > have been a linux only person since before 2000 (late 2.2 early 2.4
> > kernels), yet haven't done much with it in the last ten years. ...
>
> > i'm looking at getting back into it and into pen
> > testing.
>
> I assume you mean penetration testing.  Given that computers and
> networks are built from many hardware, firmware, and software work
> products, I would expect that there are specialties.  It might help to
> pick one, and then find the knowledge and skill dependencies.
>

It really would, but I assume he'll find some subset he enjoys more than
others after some learning. You'll either learn enough to run tools and
scan for known issues or find it more enjoyable to research all the myriad
of ways our tech is broken.

Either way, you want to know (at least) the basics of programming. I
touched bash, python, ruby, and perl and json, yaml and ini last week
(mainly at work) and I can assure you they're all pretty much the same, so
don't really worry about learning multiple until you must - pick one and
learn it. Pick something useful (ie, most people don't use Smalltalk so your
support community and modules won't be as large so maybe not the best - fun
language though) and maybe you find yourself using a tool a lot - might
consider learning the language it's written in. To be more precise -
Metasploit is ruby, recon-ng is python, nmap is c (with an o object passed
everywhere), volatility is python, etc.

Pentesting - start staying up to date with CVEs and netsec on reddit and
darkreading and the like. Learn the tools and what they do. Lots of CTFs
are downloadable after the event (and people often do writeups that you can
look for when you run into trouble). And learn your tools  - this includes
basic Unix like strings, grep, file (know the limitations of magic though),
find but also nmap, msf, Wireshark, volatility, recon-ng, sqlmap, etc. This
isn't to say you shouldn't know how the tools you run work, but I find it
useful to learn the tool and look at what it's doing. Ie, start Wireshark
and capture and run a basic nmap and see what happens.

Exploit dev - so you can either go down the network path - I'd start by
grepping the RFCs for the word "should" and "may" and see which daemons
have issues with that part of their implementation (also be aware networks
love time and some errors may lead to leaks). If you go down the normal x86
exploit dev path, I'd start by looking at old viruses and malware and PoC
exploits and understand how they work. Also probably want to setup
cuckoo sandbox and mastiff.

All of this said, I'd strongly suggest having a good rounded base of
knowledge. So get ready for the real reading list - not just to sit on the
couch with - read them while in front of a computer:
PC asm (freely available online - nostarch also publishes a much bigger /
more in depth / pricier assembly book I have and haven't gotten around to
reading yet)
Hacking the art of exploitation

And depending on which route you go:
Metasploit
Practical malware analysis

You'll notice a trend - other than pc assembly, they're all published by
nostarch. I'm unaware of any books on malware dev - which is why I
recommend looking at prior malware and an analysis book, though I'm sure
your gov can provide tons of literature here if you ask nice enough ;)

Most conferences also post talks on YouTube - for the most part, I suggest
being active as you watch them (pause, Google, read, return, repeat).

>
> > from what i have been reading lately i'm going to have to know quite
> > a bit about a couple of different things that i didn't jump to deep
> > into before, programming and networking especially. ...
>
> > i have given myself a four year window on this learning cycle and am
> > curious about going about it. ...
>
> > please just give advice and not right or wrong opinions on what i
> > maybe trying to do with my options and if i should actually take some
> > classes to augment my self learning.
>
> If you are serious about this, go get yourself a degree in computer
> science.  I preferred and recommend the old-fashioned university
> approach -- professors, planned sequence of courses, classrooms, labs,
> textbooks, homework, projects, and especially the camaraderie of other
> students.
>

I'll preface this by saying I have 30 hours of community college credits.
I've also had this discussion a few times - mixed reviews.

Most schools won't teach you computer security. I think CMU might have the
best program in the states though. But basically, if you go this route,
read up on what the professors do when not teaching - if none have been in
industry for years or don't have any research industry is talking about...

So given the expense (both time and money), I recommend against this. If
this interests you enough, 

Re: Shell - escapes

2016-05-10 Thread shawn wilson
'...'  doesn't interpolate.
push @f, '$ and a';
push @f, "'";
print join '', @f;
If you want. I have a feeling YDIW and need to step back and present the
actual problem.
On May 10, 2016 05:36, "Die Optimisten"  wrote:

> Hi,
>
> How can I escape a ' inside '...'
> e.g. perl -e 'print '$ and a' '# I don't want to use "
>
> thank you
> Andrew
>
>
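
The usual way to get a literal ' into a single-quoted shell word, as asked above: close the quote, add an escaped quote, reopen. This is an added example, not code from the thread; the helper names `sq` and `roundtrip` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Inside '...' no character is special,
# so a ' cannot be escaped there. The portable idiom is to close the quoted
# string, add a backslash-escaped quote, and reopen it:  '\''

# sq STRING: print STRING as one single-quoted shell word.
# The trailing "x" sentinel keeps $(...) from eating trailing newlines.
sq() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# roundtrip STRING: let the shell re-parse the quoted form and print what it
# sees, to show that nothing inside the word is expanded or executed.
roundtrip() {
    eval "set -- $(sq "$1")"
    printf '%s' "$1"
}

# The question's case: the Perl program text  print '$ and a'  as one argument.
prog="print '\$ and a'"
printf 'perl -e %s\n' "$(sq "$prog")"
# prints: perl -e 'print '\''$ and a'\'''
```

The same helper is what a script should use when it has to build a command line from data it does not control, because `$`, backticks and double quotes all stay literal inside the result.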


Re: iptables changes triggering audit messages, despite auditd not being installed

2016-05-05 Thread shawn wilson
On May 5, 2016 8:10 AM, "Tony Evans" <t...@darkstorm.co.uk> wrote:
>
> Firstly, apologies for double-posting the issue originally.
>
> On 5 May 2016 at 13:05, shawn wilson <ag4ve...@gmail.com> wrote:
> >
> > On May 5, 2016 6:03 AM, "Tony Evans" <gnomt...@gmail.com> wrote:
> >>
> >
> >> I can't find why the log entries are being created (i.e. I know the
> >> trigger, but I can't work out why that trigger is now generating log
> >> entries when it wasn't doing that before I installed and removed
> >> auditd).
> >>
> >
> > I'm guessing the removal script didn't delete the audit rules which
> > reside in kernel memory. If I'm correct, a reboot will fix this. I'd
> > probably consider that a bug (if I'm right) and confirm and submit a
> > report to the maintainer.
>
> That doesn't really explain what I'm seeing - I only added one rule
> when I first installed it, and it was nothing to do with iptables or
> anything near the directories it is using.  Additionally, when I
> reinstalled auditd, the messages stop (and start again when it's
> removed)
>

Something weird happening with init maybe?

> Can I query the kernel rules (without auditctl?)
>

A quick Google didn't reveal anything but I'm guessing there's at least a
rule or hit counter under either proc or sys (kinda like iptables does).
Could probably (idk what libs it links to off the top) just copy auditctl
somewhere before uninstalling though.


Re: iptables changes triggering audit messages, despite auditd not being installed

2016-05-05 Thread shawn wilson
On May 5, 2016 6:03 AM, "Tony Evans"  wrote:
>

> I can't find why the log entries are being created (i.e. I know the
> trigger, but I can't work out why that trigger is now generating log
> entries when it wasn't doing that before I installed and removed
> auditd).
>

I'm guessing the removal script didn't delete the audit rules which reside
in kernel memory. If I'm correct, a reboot will fix this. I'd probably
consider that a bug (if I'm right) and confirm and submit a report to the
maintainer.


Re: RECOMMEND: Wireless Home Router with VPN Built-In

2016-04-25 Thread shawn wilson
Seconded (unless you can't)
On Apr 25, 2016 8:29 PM, "Joel Wirāmu Pauling"  wrote:

> My advice stands. Use a VPN client on the end devices.
>
> On 26 April 2016 at 12:27, Patrick Bartek  wrote:
>
>> On Mon, 25 Apr 2016, Joel Wirāmu Pauling wrote:
>>
>> > I don't suggest running VPN (at least any with decent encryption)
>> > on the Wifi /AP. It will end up being a bottleneck. i.e. my Dual
>> > core MIP's 680hz Wireless AC running openwrt can barely push 12mbit
>> > through an AES tunnel.
>> >
>> > Keep the VPN endpoints on the more well endowed endpoints. If you
>> > need it as a backup purely for getting into the router, then SSH is
>> > fine.
>>
>> I'll be the only user on the VPN.  It's mainly for when I use public
>> wifi on my phone or laptop, for security.  For Web and email mostly.
>> I might use it to access my home machine, too, but that would be rarely.
>> So, I'm not going to be moving large amounts of data over the
>> connection.
>>
>> Thanks.
>>
>> B
>>
>> > On 25 April 2016 at 14:22, Paul Duncan  wrote:
>> >
>> > > I have a Draytek Vigor 2820vn. Have had it for a few years now.
>> > > Seems to be quite reliable. Has three types of WAN connectivity
>> > > built-in - ADSL2+, Ethernet (for cable modems), and USB for mobile
>> > > broadband dongles. And, as you requested, it does have a built-in
>> > > VPN service and very configurable firewall.
>> > >
>> > > Now, this particular unit will never support IPV6, and I think they
>> > > may have stopped making it now. If I was in the market for a router
>> > > today, I would go for the Vigor 2830 series. It is IPV6 ready, and
>> > > all four of its Ethernet ports are gigabit ports (only one is on
>> > > the 2820).
>> > >
>> > > Anyway, I'm sure you will get *lots* of opinions about favourite
>> > > hardware!
>> > >
>> > > Cheers,
>> > >
>> > > Paul.
>> > >
>> > > On Mon, Apr 25, 2016 at 3:01 AM, Patrick Bartek
>> > >  wrote:
>> > >
>> > >> Hi! all,
>> > >>
>> > >> Toying with the idea of setting up a personal, that is,
>> > >> non-business, VPN for a device or two for those rare times I use
>> > >> public wifi. For improved security, mind you.  Want to keep it
>> > >> simple, but it must work outside the U.S. (I foresee a change
>> > >> coming.)  So, figured a new home router with the server built-in
>> > >> would be better than a for-charge (or free) VPN service. (After 8
>> > >> years of continuous use, I'm getting nervous about my old router
>> > >> anyway, and want to replace it.)
>> > >>
>> > >> What routers would you all recommend?  And why?
>> > >>
>> > >> Thanks.
>> > >>
>> > >> B
>>
>>
>


Re: Firewall - basic config?

2016-04-25 Thread shawn wilson
On Apr 23, 2016 3:54 PM, "Joe"  wrote:
>
.
>
> You might also try iptables -S which will list the rules in the form
> that you would enter by hand as arguments to the iptables command. It is
> a different view, and you may see things that are less obvious in the
> -L view.
>

I'm guessing -S is the same as iptables-save...? If so, then yes that's the
way to look at rules and what you want to paste when asking for help. There
are two times when I want nL output - when testing and want a delete number
(so with the --line-numbers option) and when I think a table is useless and
want to call reference count. That's literally it. Otherwise you probably
want to see the rules closer to how the kernel does.

Also, if you script your restore (I'm guessing ufw handles this...
properly) do use a restore file vs looping the iptables command for each
rule - besides being proper, it's also a *hell* of a lot faster.

> Remember that IPv6 is alive and well in quite a lot of hardware these
> days, and there is an ip6tables to deal with it.
>

Ie, unless you're using it, disable it (both with ip6tables and blacklist
modules)


Re: TCP/IP over Bluetooth

2016-04-23 Thread shawn wilson
On Apr 23, 2016 06:27, "Reco"  wrote:
>
> On Sat, 23 Apr 2016 10:23:57 +0100
> Joe  wrote:
>

> > 'Proper' serial equipment
> > typically does not go higher than 115kBd, and most wired serial
> > applications need much less than that.
>
> But serial-over-bluetooth gets me 0.5 Mbps :)
>

Being able to tether when connected to either cell *or* wifi from a non
rooted android device (like if paying for a single MAC address on a plane)
might be a good enough reason to set it up. And in those situations, you're
not getting optimal bandwidth anyway.


Re: TCP/IP over Bluetooth

2016-04-22 Thread shawn wilson
On Apr 23, 2016 00:09,  wrote:
>
> According to https://en.wikipedia.org/wiki/Bluetooth ,
> Bluetooth was "... originally conceived as a wireless alternative
> to RS-232 data cables."  Therefore TCP/IP inside PPP on a
> Bluetooth connection is hypothetically possible.
>
> Has anyone tried it with a debian system on one end at least?
>

Google it? It appears to work fine nowadays - maybe issues with
NetworkManager though - idk. But no I haven't setup PAN, just 1 minute
(literally) with Google tells me this.

If you want a link to read, this looks good (though a bit dated):
http://m.linuxjournal.com/article/10915


Re: [ A little off topic] Best e-mail client for Android

2016-04-11 Thread shawn wilson
Y'all know you can buy kaiten mail and support the dev, right?

On Mon, Apr 11, 2016 at 8:29 AM, Byung-Hee HWANG (황병희)
 wrote:
> On 2016년 4월 11일 오후 9시 8분 6초 GMT+09:00, Hans  wrote:
>>Am Montag, 11. April 2016, 08:02:13 schrieb German:
>>> I wonder what Debian users use on their phone/tablet.
>>>
>>> Thanks
>>
>>K9-Mail
>
> Me too, i use now k-9 with google apps.
> Also i like very much Emacs' Gnus!
>



Re: Sudo

2016-03-21 Thread shawn wilson
On Mar 21, 2016 5:56 AM, "Lisi Reisz"  wrote:
>
> On Monday 21 March 2016 04:51:35 Jude DaShiell wrote:
> > When you installed Linux Mint I'm going to make a wag here and figure you
> > didn't put a password in for root and because of that Linux Mint put your
> > user account in /etc/sudoers as part of its installation routine.
>
> I don't think that Linux Mint offers a root account during installation.
> It doesn't use root by default.
>

Uh it kinda has to. AFAIK, the kernel doesn't allow ring 0 without being
uid 0 / gid 0 (or root). Call the user "mud"  if you want, at that point it
doesn't really matter.


Re: Good keyboard

2016-02-12 Thread shawn wilson
On Feb 11, 2016 1:21 PM, "David Christensen" 
wrote:
>

> Thoughts?  Comments?
>

I don't have one of those (but I think I'll buy one). Currently I swear by
my ducky mini (obviously remap caps lock to escape - also, I use vim/vim
mode so YMMV if you like arrowing around which means it also doesn't do
well in bios or lilo/grub - has fn arrow but that's obviously a PITA). I
also have a DasKeyboard but a few keys squeak so that's turned into a $100
brick. And I have a Lexmark model M but still prefer my ducky due to its
size on my desk.


Re: Libre graphics could become the standard if we push right now

2016-01-15 Thread shawn wilson
On Jan 14, 2016 5:11 PM, "Zlatan Todoric"  wrote:
>
>
>
> On 01/14/2016 09:11 PM, Alberto Salvia Novella wrote:
> > Nearly all compact Linux computers feasible for gaming are sold
> > exclusively using NVIDIA graphics, and that company is hostile to libre
> > software.
> >
> > So I think it is very important that we support AMD right now on what we
> > can, and ask manufacturers to include AMD graphics in those products.
> >
>
> You do realize that AMD graphics need proprietary firmware to have
> proper 3D acceleration without which you probably couldn't run any game
> at all - so goodbye Libre graphics.
>

Besides that, AMD's fglrx requires X to be running in order to run while
nVidia does not (kinda sucks if you have a bunch of 8 card nodes using the
cards for scientific applications). Also, in this setting, there were a lot
more issues with AMD than nVidia (soft crashes, hard crashes, cards going
offline until reboot).

I'm not a big gamer, so maybe there are less issues with AMD in this
setting. And I'd be thrilled if either fglrx or nv were OSS (would weigh
heavily on purchasing decisions). However, because AMD really pissed me off
here, I had to say something here.

> > Because of that I have started campaigning for it:
> > http://steamcommunity.com/discussions/forum/11/458606248621316073/
> >


Re: installing Debian on USB flash drive for use in many machines

2015-11-28 Thread shawn wilson
On Sat, Nov 28, 2015 at 6:08 PM, Renaud  OLGIATI
 wrote:
> Why not use Knoppix, instead of re-inventing the wheel ?
>

For me, it's just nice to have an easy to boot system w/ storage -
takes me a few minutes to setup and then I've got a thumb disk I can
boot for rescue disk or a dns server or web server or vim w/ my
vimrc/plugins, etc. Also an image doesn't (by default) give you local
storage on your thumb drive - you've got to script the boot process to
look for free space and add a partition or mount a previously created
partition if that's what you want which is a pita/brittle. Knoppix is
great if I don't have my stuff w/ me, but isn't really a replacement.
I also don't like burning disks if I can help it. But if you like
images, there are android apps that emulate a cdrom (somewhat) and
things like isostick (see amazon).



Re: installing Debian on USB flash drive for use in many machines

2015-11-28 Thread shawn wilson
On Nov 28, 2015 3:37 PM, "David Christensen" 
wrote:
>

> I am continuing to work on the idea of installing Debian on a USB flash
> drive for use in many machines, primarily for diagnostics, maintenance,
> repair, backup, archive, imaging, etc..
>

Google "debootstrap usb" - should bring you to enough walk throughs to get
you where you want to be.

> As you can see, the machines are somewhat similar.
>

So you're still going to have to play with drivers and the like - I'd make
the laptop work first and then move to the desktop.

> I have installed Debian 8 amd64 onto a USB flash drive

You don't explain how you got to this point - installer, remastering the
image, rsync a fresh install, debootstrap, multistrap, etc.

> I'm trying to figure out why Ethernet does not work in i72720qm when
> using the USB flash drive.
>
>
> My theory is that I'm missing software (device driver?) on the USB flash
> drive that is required to make Ethernet work on i72720qm.
>

Or a shared address (doubt it but)...

> So, I have run 'lsmod' on i72720qm in each of the two configurations.
> Here is a comparison ('<' indicates module only present when running USB
> flash drive, '>' indicates module only present when running SSD, no marker
> indicates module present in both cases):
>

diff -u is much less chatty btw. Or even: diff -U0

> < usb_storage

Needs that to read the thumb drive post grub / pivot root.

> > arc4
> > cifs
> > crc16
> > dns_resolver
> > ecb
> > ext4
> > fuse
> > hid
> > hid_generic
> > hmac
> > jbd2
> > lp
> > mbcache
> > md4
> > nls_utf8
> > pci_stub
> > usbhid
> > vboxdrv
> > vboxnetadp
> > vboxnetflt
> > vboxpci

So I'm no kernel expert, but I see crypto, fs, hid, and vbox. Not exactly
sure what pci_stub is but I'd look into that.

> Of the 21 additional modules (arc4 ... vboxpci) that are present when
> running the SSD, I don't recognize which one(s) might be what I need to get
> Ethernet working on i72720qm.
>

Maybe it's compiled in the kernel or maybe it's not present in
/lib/modules/kernel - lots of reasons something may or may not work as a
module. Not enough info to make that call.

I could guess at a default debian kernel build (which I don't know what it
includes as a driver off the top) or you could lspci, figure out which
driver you need, confirm the file is where it's supposed to be or that
debian builds it into the kernel, and go from there.

zcat /boot/config-.gz | grep CONFIG_name


Re: installing Debian on USB flash drive for use in many machines

2015-11-28 Thread shawn wilson
On Nov 28, 2015 4:30 PM, "Joe"  wrote:
>
> On Sat, 28 Nov 2015 12:37:12 -0800
> David Christensen  wrote:
>

> Why you may be barking up the wrong tree is that all the software is
> there, but the Ethernet interface is not being brought up. DHCP on my
> network is not being used, though the DHCP client is installed. If I
> bring up the interface manually with a suitable IP address, all is
> well. Try that exercise in your situation, my assumption would be that
> if you can bring it up manually then you have the right drivers
> installed. By manually I mean using ifconfig or other networking
> software, without the need to bring in any extra modules with modprobe.
>

ifconfig -a
ip addr ls


Re: how execute a script

2015-11-17 Thread shawn wilson
On Nov 16, 2015 5:37 PM, "Lisi Reisz"  wrote:
>
> On Monday 16 November 2015 19:33:51 David Wright wrote:
> > On Mon 16 Nov 2015 at 06:54:40 (+0100), Martin Str|mberg wrote:
> > > In article  David Wright
>  wrote:
> > > > As for script-file extensions in DOS, there was really only .BAT
> > > > wasn't there?, so the idea of distinguishing .bash, .csh, .py, .pl,
> > > > .sh, .zsh etc as being inherited from DOS is difficult for me to
> > > > understand.
> > >
> > > Perhaps it's because (MS)DOS begat WINDOWS that only knew how to run
> > > something based on the extension?
> > >
> > > And that is why we shudder on the sight of a (unnecessary?) extension?
> >
> > I wouldn't know. My experience of windows is far less than DOS, and my
> > use of DOS was pretty much restricted to an AUTOEXEC.BAT that started
> > an emulation system which was my area of expertise. Interesting choice
> > of language, though; shudder.
> >
> > I'm the person questioning the relevance of DOS to putting ".sh" at
> > the end of an on-PATH executable script's filename, when DOS was
> > brought up in https://lists.debian.org/debian-user/2015/11/msg00453.html
> >
> > I take it there's a whole generation of folk who gained their
> > experience of filename endings (a less loaded word than extension)
> > through DOS/windows, perhaps entirely so. With it, they picked up a
> > load of negative associations, causing shuddering here and unhappiness
> > in another part of this thread.
> >
> > I'm sorry for you. I didn't touch DOS until 1992-06-01 (to be precise)
> > about twentyone years into my computing career. To say I *used* it
> > would be an overstatement: I ran one package on it.
> >
> > Putting meaningful endings onto filenames (excepting, I hasten to
> > add lest people jump down my throat, executable scripts) had been a
> > way of life for years. Their necessity was variable from system to
> > system; sometimes they were just a convention. Look at   man gcc.
> > It has meaningful endings. They've been there since at least
> > 15 March 1972 when, allegedly, the number of Unix installations had
> > grown to 10. (At that time, gcc was obviously called cc; Stallman
> > hadn't yet graduated.)
> >
> > As for unix scripts, well, yes, there's no *need* for any endings,
> > but that doesn't preclude their use. If that makes you unhappy or
> > into a shudderer, please get over it.
>
> I take it those who are so against file endings are equally upset by
> sources.list and menu.lst?
>
> Though it is very annoying when they are *needed*.  Xsane usually puts
> them in, and I used not to bother to check.  A few months ago I sent my
> lawyer a scan of a document he needed.  An hour or two later, back came an
> email:  "I'm so sorry, we have no software that can open that file.  The
> IT department has been trying for an hour".  Puzzled, because I thought I
> had sent a .pdf, and had checked that it opened fine in Evince, I looked at
> the file - groaned - and renamed scan-foo to scan-foo.pdf.  When resent it
> opened fine.
>

Magic shouldn't be used when a file type is known and should be
communicated (via its extension). If you create a pdf, it is bad to not
have the pdf extension - you've lost data.

Also, I'm fine with installed executables not including extensions.
However, in a repo with different types of executable code, I want to know
at a glance what something is (there's also that vim filetype uses
extension and I want stuff to work).


Re: how execute a script

2015-11-17 Thread shawn wilson
On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister
<cbannis...@slingshot.co.nz> wrote:
> On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote:
>> On Nov 16, 2015 5:37 PM, "Lisi Reisz" <lisi.re...@gmail.com> wrote:
>> > department has been trying for an hour".  Puzzled, because I thought I had
>> > sent a .pdf, and had checked that it opened fine in Evince, I looked at
>> > the file - groaned - and renamed scan-foo to scan-foo.pdf.  When resent it
>>
>> communicated (via its extension). If you create a pdf, it is bad to not
>> have the pdf extension - you've lost data.
>
> How have you lost data?
>

You lose what the file type (data) should be if you save a file w/o
an extension. Again, this is fine for an installed program (no one
cares as long as it works) but not so good for data that is processed
by another program or a script I want to edit.



Re: how execute a script

2015-11-17 Thread shawn wilson
On Tue, Nov 17, 2015 at 1:25 PM, Elimar Riesebieter <riese...@lxtec.de> wrote:
> * shawn wilson <ag4ve...@gmail.com> [2015-11-17 13:08 -0500]:
>
>> On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister
>> <cbannis...@slingshot.co.nz> wrote:
>> > On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote:
>
> [...]
>
>> >> communicated (via its extension). If you create a pdf, it is bad to not
>> >> have the pdf extension - you've lost data.
>> >
>> > How have you lost data?
>> >
>>
>> You lose what the file type (data) should be if you save a file w/o
>> an extension. Again, this is fine for an installed program (no one
>> cares as long as it works) but not so good for data that is processed
>> by another program or a script I want to edit.
>
> PDF files are recognized by their header not their extension. Create
> a test.pdf. Copy it to test and test.blo. They will always be
> recognized as pdf documents from evince and alike.
>

Quoting myself (sorry):
> Magic shouldn't be used when a file type is known



Re: how execute a script

2015-11-17 Thread shawn wilson
On Tue, Nov 17, 2015 at 1:56 PM, Brian <a...@cityscape.co.uk> wrote:
> On Tue 17 Nov 2015 at 13:08:49 -0500, shawn wilson wrote:
>
>> On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister
>> <cbannis...@slingshot.co.nz> wrote:
>> > On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote:
>> >> On Nov 16, 2015 5:37 PM, "Lisi Reisz" <lisi.re...@gmail.com> wrote:
>> >> > department has been trying for an hour".  Puzzled, because I thought I 
>> >> > had
>> >> > sent a .pdf, and had checked that it opened fine in Evince, I looked at
>> >> the
>> >> > file - groaned - and renamed scan-foo to scan-foo.pdf.  When resent it
>> >>
>> >> communicated (via its extension). If you create a pdf, it is bad to not
>> >> have the pdf extension - you've lost data.
>> >
>> > How have you lost data?
>>
>> You lose what the file type (data) should be if you save a file w/o
>> an extension. Again, this is fine for an installed program (no one
>> cares as long as it works) but not so good for data that is processed
>> by another program or a script I want to edit.
>
> You would have to give a specific example where a file processed by a
> program or script fails to open for this argument to be convincing, You
> also have to distinguish between data in the file and information the
> extension conveys to the program.
>

How about just that vim filetype relies on the filename to determine the format?

I suspect there are other examples where an extension might be
*required* such as compression, but other than Windows, IDK off hand.



Re: how execute a script

2015-11-17 Thread shawn wilson
>  % file t.sh
> t.sh: ASCII text
>  % cat t.sh
> max=10
>

Oh and before someone says "but there's some standard that says you're
supposed to put a shebang at the top" - afaik, it's not in POSIX
anywhere:
http://www.in-ulm.de/~mascheck/various/shebang/

So, magic dropped the ball - should've been identified as a shell
script (due to the use of "echo"



Re: how execute a script

2015-11-17 Thread shawn wilson
On Tue, Nov 17, 2015 at 2:53 PM, Brian <a...@cityscape.co.uk> wrote:
> On Tue 17 Nov 2015 at 14:05:25 -0500, shawn wilson wrote:
>
>> On Tue, Nov 17, 2015 at 1:56 PM, Brian <a...@cityscape.co.uk> wrote:
>> > On Tue 17 Nov 2015 at 13:08:49 -0500, shawn wilson wrote:
>> >
>> >> On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister
>> >> <cbannis...@slingshot.co.nz> wrote:
>> >> > On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote:
>> >> >> On Nov 16, 2015 5:37 PM, "Lisi Reisz" <lisi.re...@gmail.com> wrote:
>> >> >> > department has been trying for an hour".  Puzzled, because I thought 
>> >> >> > I had
>> >> >> > sent a .pdf, and had checked that it opened fine in Evince, I looked 
>> >> >> > at
>> >> >> the
>> >> >> > file - groaned - and renamed scan-foo to scan-foo.pdf.  When resent 
>> >> >> > it
>> >> >>
>> >> >> communicated (via its extension). If you create a pdf, it is bad to not
>> >> >> have the pdf extension - you've lost data.
>> >> >
>> >> > How have you lost data?
>> >>
>> >> You lose what the file type (data) should be if you save a file w/o
>> >> an extension. Again, this is fine for an installed program (no one
>> >> cares as long as it works) but not so good for data that is processed
>> >> by another program or a script I want to edit.
>> >
>> > You would have to give a specific example where a file processed by a
>> > program or script fails to open for this argument to be convincing, You
>> > also have to distinguish between data in the file and information the
>> > extension conveys to the program.
>>
>> How about just that vim filetype relies on the filename to determine the 
>> format?
>
> "vim filetype". I don't know what you mean. 'vim /usr/bin/vim' opens the
> file.  I do not understand a word of the display but it does open it. An
> extension doesn't seem to have a part to play in the file's opening.
>

Your way of setting filetype is by looking at the extension - for example:
:autocmd BufRead *.js set filetype=javascript

Same goes for *.pl or *.pm or *.py or *.c, etc



Re: how execute a script

2015-11-17 Thread shawn wilson
On Tue, Nov 17, 2015 at 2:57 PM, shawn wilson <ag4ve...@gmail.com> wrote:
> On Tue, Nov 17, 2015 at 2:53 PM, Brian <a...@cityscape.co.uk> wrote:
>> On Tue 17 Nov 2015 at 14:05:25 -0500, shawn wilson wrote:
>>
>>> On Tue, Nov 17, 2015 at 1:56 PM, Brian <a...@cityscape.co.uk> wrote:
>>> > On Tue 17 Nov 2015 at 13:08:49 -0500, shawn wilson wrote:
>>> >
>>> >> On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister
>>> >> <cbannis...@slingshot.co.nz> wrote:
>>> >> > On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote:
>>> >> >> On Nov 16, 2015 5:37 PM, "Lisi Reisz" <lisi.re...@gmail.com> wrote:
>>> >> >> > department has been trying for an hour".  Puzzled, because I 
>>> >> >> > thought I had
>>> >> >> > sent a .pdf, and had checked that it opened fine in Evince, I 
>>> >> >> > looked at
>>> >> >> the
>>> >> >> > file - groaned - and renamed scan-foo to scan-foo.pdf.  When resent 
>>> >> >> > it
>>> >> >>
>>> >> >> communicated (via its extension). If you create a pdf, it is bad to 
>>> >> >> not
>>> >> >> have the pdf extension - you've lost data.
>>> >> >
>>> >> > How have you lost data?
>>> >>
>>> >> You lose what the file type (data) should be if you save a file w/o
>>> >> an extension. Again, this is fine for an installed program (no one
>>> >> cares as long as it works) but not so good for data that is processed
>>> >> by another program or a script I want to edit.
>>> >
>>> > You would have to give a specific example where a file processed by a
>>> > program or script fails to open for this argument to be convincing, You
>>> > also have to distinguish between data in the file and information the
>>> > extension conveys to the program.
>>>
>>> How about just that vim filetype relies on the filename to determine the 
>>> format?
>>
>> "vim filetype". I don't know what you mean. 'vim /usr/bin/vim' opens the
>> file.  I do not understand a word of the display but it does open it. An
>> extension doesn't seem to have a part to play in the file's opening.
>>
>
> Your way of setting filetype is by looking at the extension - for example:
> :autocmd BufRead *.js set filetype=javascript
>
> Same goes for *.pl or *.pm or *.py or *.c, etc

Here's another example of magic failing:

 % file t.sh

Downloads/temp swlap1
t.sh: ASCII text
 % cat t.sh

Downloads/temp swlap1
max=10

echo "HERE 1"
for (( count = 0; count <= max; count++ )) ; do
  echo "$count"
  sleep "${sleep:-0}"
done
echo "HERE 2"
 % ./t.sh

Downloads/temp swlap1
HERE 1
0
1
2
3
4
5
6
7
8
9
10
HERE 2



Re: how execute a script

2015-11-17 Thread shawn wilson
On Tue, Nov 17, 2015 at 3:24 PM,  <to...@tuxteam.de> wrote:
> On Tue, Nov 17, 2015 at 03:15:21PM -0500, shawn wilson wrote:
>> >  % file t.sh
>> > t.sh: ASCII text
>> >  % cat t.sh
>> > max=10
>> >
>>
>> Oh and before someone says "but there's some standard that says you're
>> supposed to put a shebang at the top" - afaik, it's not in POSIX
>> anywhere:
>> http://www.in-ulm.de/~mascheck/various/shebang/
>
> You forgot to mention that it's in AT&T Unix since 1979. I'd venture to
> say that nowadays it is an integral part of Unix.
>

Merely pointing out it's not a spec. But yeah, it's older than me :)

>> So, magic dropped the ball - should've been identified as a shell
>> script (due to the use of "echo"
>
> Now you lost me.
>

If magic were smarter (was able to derive from syntax or had regex
capability in the format), it could've still told me I was looking at
a script (and not just a bunch of text - which is next to useless). It
doesn't, so arguing that magic could be used (not an argument I've
seen, but one I was expecting and figured I'd preempt) instead of an
extension is lacking.



Re: how execute a script

2015-11-17 Thread shawn wilson
On Tue, Nov 17, 2015 at 4:25 PM,  <to...@tuxteam.de> wrote:
> On Tue, Nov 17, 2015 at 04:13:48PM -0500, shawn wilson wrote:
>> On Tue, Nov 17, 2015 at 3:24 PM,  <to...@tuxteam.de> wrote:
>
> [...]
>
>> > Now you lost me.
>> >
>>
>> If magic were smarter (was able to derive from syntax or had regex
>> capability in the format), it could've still told me I was looking at
>> a script (and not just a bunch of text - which is next to useless). It
>> doesn't, so arguing that magic could be used (not an argument I've
>> seen, but one I was expecting and figured I'd preempt) instead of an
>> extension is lacking.
>
> Got it. But magic *can* do many of those things. A headless shell
> script is a tough nut to crack, though: "echo" could occur as well
> in a Tcl script (via Tcl's crazy but genius "unknown" mechanism).
>

You're right - just "script" then. I'm not dissing magic - it's a good
starting point in forensics or to see what's in a bin directory, but
shouldn't be relied on (also see ftimes xmagic for a more featureful
magic implementation w/e sf comes back up).

My point is that you can't determine what you're looking at w/o being
told (an extension) or looking at it. So (my original point) you lose
data by removing/not having an extension.
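
The cases argued over in this thread, as an added example that is not part of any post: a signature check recognises the PDF whatever it is called, a shell script without a shebang only ever sniffs as "text", and a file whose content contradicts its extension is the case worth flagging. The type names, the small extension table and the sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example: what content sniffing can and cannot say, compared with
# the extension. Not from the thread; type names are illustrative.

# sniff_type FILE: coarse type derived from the file's bytes only.
sniff_type() {
    st_file=$1
    st_size=$(( $(wc -c < "$st_file") ))
    [ "$st_size" -gt 0 ] || { echo empty; return 0; }
    # First five bytes as hex: "%PDF-" is 25 50 44 46 2d, "#!" is 23 21.
    st_head=$(od -An -tx1 -N 5 < "$st_file" | tr -d ' \n')
    case $st_head in
        255044462d) echo pdf; return 0 ;;
        2321*)      echo script; return 0 ;;
    esac
    # No signature: all that is left is "text" (no NUL bytes) or "data".
    st_nonul=$(( $(tr -d '\000' < "$st_file" | wc -c) ))
    if [ "$st_nonul" -eq "$st_size" ]; then echo text; else echo data; fi
}

# ext_type FILE: what the name claims, from a deliberately small table.
ext_type() {
    et_name=${1##*/}
    case $et_name in
        *.pdf)          echo pdf ;;
        *.sh|*.pl|*.py) echo script ;;
        *.txt)          echo text ;;
        ?*.?*)          echo unknown ;;
        *)              echo none ;;
    esac
}

# compare_type FILE: report which source of information carried the type.
compare_type() {
    ct_s=$(sniff_type "$1")
    ct_e=$(ext_type "$1")
    if [ "$ct_s" = "$ct_e" ]; then
        echo "agree:$ct_s"
    elif [ "$ct_e" = none ] || [ "$ct_e" = unknown ]; then
        echo "content-only:$ct_s"            # scan-foo, test.blo
    elif [ "$ct_s" = text ] && [ "$ct_e" = script ]; then
        echo "extension-only:$ct_e"          # t.sh without a shebang
    else
        echo "mismatch:content=$ct_s,extension=$ct_e"
    fi
}

demo() {
    dm_dir=$(mktemp -d) || return 1
    # Constructed samples mirroring the files named in the thread.
    printf '%%PDF-1.4\n%%constructed sample\n' > "$dm_dir/scan-foo"
    cp "$dm_dir/scan-foo" "$dm_dir/test.blo"
    printf 'max=10\necho "HERE 1"\n' > "$dm_dir/t.sh"
    printf '#!/bin/sh\necho constructed\n' > "$dm_dir/invoice.pdf"
    for dm_f in scan-foo test.blo t.sh invoice.pdf; do
        printf '%-12s %s\n' "$dm_f" "$(compare_type "$dm_dir/$dm_f")"
    done
    rm -rf "$dm_dir"
}
demo
```
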



Re: how execute a script

2015-11-17 Thread shawn wilson
On Tue, Nov 17, 2015 at 5:17 PM, shawn wilson <ag4ve...@gmail.com> wrote:

> shouldn't be relied on (also see ftimes xmagic for a more featureful
> magic implementation w/e sf comes back up).

Ugh, it's back now:

http://ftimes.sourceforge.net/FTimes/XMagic.shtml



Re: how execute a script

2015-11-15 Thread shawn wilson
You can call a function from within a sourced file and it'll run (no matter
x bit).

So:

# ~/bin/runner.sh
runner () {
    echo foo
}

runner

# ~/.bashrc
# $HOME instead of ~: a tilde inside double quotes is not expanded on assignment.
PATH="$PATH:$HOME/bin"
source runner.sh

On Nov 14, 2015 4:51 AM, "Pol Hallen"  wrote:

> Put the command at the end of /home/user/.profile
>> It works for me.
>>
>
> thanks for help but does not work :-/
>
> Pol
>
>


Re: BIOS size limit for USB flash drives

2015-09-08 Thread shawn wilson
On Sep 8, 2015 6:51 AM, "Pascal Hambourg" <pas...@plouf.fr.eu.org> wrote:
>
> shawn wilson wrote:
> >

> > (which uefi uses for boot).
>
> So what ? Who needs an EFI system partition bigger than the recommended
> 512 MB ?
>

Maybe he was trying to use a bigger partition? Do you have a better idea
what's happening?

Was just listing the only bios limits I'm aware of. I'm pretty sure the
issue is not with the bios since none I'm aware of can address ext2 at all.


Re: BIOS size limit for USB flash drives

2015-09-07 Thread shawn wilson
On Sep 7, 2015 9:47 AM, "Ken Heard"  wrote:
>

>
> Is there any limit to the size of a USB flash drive with the ext2 file
> system encrypted on it which can be addressed through the BIOS
> interface?  (I am using Debian Jessie.) The largest size I am now
> using is 32 gb drives but would like to use 64 gb or even 12 gb drives.
>

IIRC, 32 GB is the limit of vfat (which uefi uses for boot). I can't think
of any other limitation here. As already stated, ext2 is 2 TB. Old bios
needed the initial kernel in the first few sectors - basically, for lots of
these reasons, make boot a different partition (shouldn't need more than a
gig.


Re: Question about mv operation.

2015-08-04 Thread shawn wilson
On Aug 4, 2015 1:26 AM, Some Body <somebody.mo...@gmail.com> wrote:
>
> On Tuesday 04 August 2015 at 16:11 +0800, Magicloud Magiclouds wrote:
>
>> Now, I see in both locations, there are the file. My question is, is
>> it safe to remove file in dest, and move to it again from src?
>
> If you don't want to take a risk, couldn't you copy the files in dest in
> another folder, or in a .tar archive, in order to have a backup if you
> need one ?


Yeah, unless you're moving on the same fs (because changing inode info is
faster than data copy and delete) don't use mv. It's not atomic - rsync at
least tries to be atomic with a temp file that gets moved into place but mv
isn't that smart (what you want on the same fs).


Re: IP address

2015-07-17 Thread shawn wilson
On Jul 17, 2015 11:53 AM, Elimar Riesebieter <riese...@lxtec.de> wrote:
>
> * John J. Boyer <john.bo...@abilitiessoft.org> [2015-07-17 08:32 -0500]:
>
>> I have Jessie set up for CLI only. The machine is on a local network
>> using dhcp. What command will tell me what ip address it is using?
>
> $ dig  +short `hostname -f`


Won't always work (I'd even go as far as to say it generally won't)


Re: cp output format

2015-07-17 Thread shawn wilson
On Jul 17, 2015 7:16 AM, Nicolas George <geo...@nsup.org> wrote:
>
> On Nonidi 29 Messidor, year CCXXIII, Andrew McGlashan wrote:
>> Not sure if this is relevant enough, but I have a method to keep
>> source files -- in this case .forward files in a controlled directory;
>> if any of these differ from the target locations, then I save the target
>> location file with a dated version and copy in the controlled source
>> copy.  This way I only get new files if they are changed, you could use
>> a similar method for the backups, that is only copying files to the
>> backup area if they are different to the current copy in the source area.
>
> If your files were all isolated in small hierarchies, I would have suggested
> to use Git instead, but with dotfiles in several home directories, that is
> not practical. And I realize you already considered that.

Heh, I symlink my dotfiles to the repo that contains them. No issues here.

> On the other hand, I suspect rsync (with option -c) can detect the files
> that need updating in a simpler way.

[snipped all of the bash stuff you don't need because you have rsync]

> To do that kind of thing reliably, you need to create a temporary file and
> rename it once it is complete. Just use rsync for the copy, it does that by
> default.
>
>> fi
>> done
>> )

And done :)
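
The temp-file-then-rename pattern mentioned here, and the point in the earlier mv reply that a move is only a rename on the same filesystem, as an added shell example that is not part of either post. The function names are hypothetical, and the same-filesystem check via `df -P` is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not from the thread): replace a file so that readers see
# either the old complete file or the new complete file, never a partial one.

# same_fs DIR_A DIR_B: succeed when both directories report the same mount
# point. Assumption: mount points contain no whitespace.
same_fs() {
    sf_a=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }')
    sf_b=$(df -P "$2" 2>/dev/null | awk 'NR == 2 { print $NF }')
    [ -n "$sf_a" ] && [ "$sf_a" = "$sf_b" ]
}

# atomic_copy SRC DEST: copy into a temporary file in DEST's directory,
# verify it, then rename it over DEST. The temporary file lives on the same
# filesystem as DEST, so the final mv is a single rename.
atomic_copy() {
    ac_src=$1
    ac_dest=$2
    ac_dir=$(dirname -- "$ac_dest")
    ac_tmp=$(mktemp "$ac_dir/.tmp.XXXXXX") || return 1
    if cp -p -- "$ac_src" "$ac_tmp" && cmp -s -- "$ac_src" "$ac_tmp"; then
        mv -f -- "$ac_tmp" "$ac_dest"
    else
        # Failed or short copy: DEST is untouched, only the temp file goes.
        rm -f -- "$ac_tmp"
        return 1
    fi
}

# safe_move SRC DEST: plain mv when it can be a rename, otherwise copy
# atomically and delete the source only after the copy has been verified.
safe_move() {
    sm_src=$1
    sm_dest=$2
    if same_fs "$(dirname -- "$sm_src")" "$(dirname -- "$sm_dest")"; then
        mv -f -- "$sm_src" "$sm_dest"      # mv tries rename(2) first
    else
        atomic_copy "$sm_src" "$sm_dest" && rm -f -- "$sm_src"
    fi
}
```

If a cross-filesystem move is interrupted, the source is still intact and the destination holds either its previous content or nothing new, so rerunning `safe_move` is safe.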


Re: Free GNU/Linux intro class for teens advice? Purchase box? Squeak/Smalltalk programming

2015-07-07 Thread shawn wilson
On Jul 6, 2015 8:17 PM, Marc D Ronell <mron...@alumni.upenn.edu> wrote:
>
> As a test, I purchased a laptop (Toshiba Satellite C75-B7180) on sale
> for $350 at our local Microcenter in Cambridge and was able to load
> GNU/Linux for my son.  I am thinking of working some programming
> assignments in Squeak (Smalltalk), but maybe C is a better choice for
> an OS class?


I agree - no on the extra laptop. Virtualbox would be fine (a Pi might work
too but then you've got to consider peripherals).

Smalltalk is fine but I'd go with Pharo. No on c too - too complex. Maybe
teach js if you don't want Smalltalk. Don't teach bash either - too many
edge cases and weirdness (when to quote, not being able to return date from
functions properly, etc.

If you did ruby or js you could probably get help from a local group.

I would also teach the system separate from programming. They're both big
topics and you'll end up overwhelming everyone (yourself included).


Re: Systemd files on a Raspberry Pi

2015-06-22 Thread shawn wilson
Just tired of seeing the debate brought up along w/ any and every
systemd (and sometimes not even mildly related) issue. I wish there's
a debian-systemd list for everyone who still wants to have this debate
or see it improved / removed (and maybe there is and it should be
advertised better).

On Mon, Jun 22, 2015 at 8:07 PM, chris <tknch...@gmail.com> wrote:
> +1
>
> On Jun 22, 2015 7:24 PM, Zebediah C. McClure <z...@ensistech.com> wrote:
>>
>> On Monday 22 June 2015 18:30:56 shawn wilson wrote:
>>> On Jun 22, 2015 4:39 PM, Dan Ritter <d...@randomstring.org> wrote:
>>>> On Mon, Jun 22, 2015 at 10:05:28PM +0200, Ansgar Burchardt wrote:
>>>>> Dan Ritter <d...@randomstring.org> writes:
>>>>>> People only complain about systemd being a cancer if they love
>>>>>> the Debian system otherwise.
>>>>> [snip]
>>>> The next time a systemd booster tells people to leave the
>>>> community rather than try to fix Debian, please call them on
>>>> that behavior and tell them you won't stand for it.
>>>
>>> You're being sarcastic - I'm not when I say I totally agree with this
>>> statement - use it or leave. Train has left the station on this.
>>>
>>> (I don't have strong opinions on systemd - I run Ubuntu and Gentoo at work
>>> and home and another few Debian boxes at home and the Gentoo boxes don't
>>> have systemd. But I don't care that y'all hate or love something and I
>>> doubt anyone else on this list does either)
>>
>> Thread jumping a bit here.  I subscribed to the list because I find systemd to
>> be broken enough to warrant removal as the default init system.
>>
>> I wasn't here when the devs made the choice to put it in, I'm here now because
>> it's hitting my machines.  I'm sure I'm not the first or last to say Systemd
>> is broken, it shouldn't be default init.
>>
>> zmc
>> --
>> Ensis Technologies
>> www.ensistech.com
>> 1-888-373-9056
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
>> with a subject of unsubscribe. Trouble? Contact
>> listmas...@lists.debian.org
>> Archive: https://lists.debian.org/1572002.SC9qDQxlF3@strata







Re: Systemd files on a Raspberry Pi

2015-06-22 Thread shawn wilson
On Jun 22, 2015 4:39 PM, Dan Ritter <d...@randomstring.org> wrote:
>
> On Mon, Jun 22, 2015 at 10:05:28PM +0200, Ansgar Burchardt wrote:
>> Dan Ritter <d...@randomstring.org> writes:
>>> People only complain about systemd being a cancer if they love
>>> the Debian system otherwise.
>> [...]
>>> Remember that every time you tell people to go use something
>>> else, you are saying that they are not valued members of the
>>> community.
>>
>> I do indeed not consider people with toxic behaviour as valued members
>> of the community.  Loving something is *not* an excuse for such
>> behaviour.
>>
>> Short outbursts of temper I can understand, and I assume so can most
>> others, but continued abuse over a long time is not something I think we
>> should put up with. It's just damaging and drives other users and people
>> who contribute away (and this has happened already over this specific
>> behaviour).
>
> You're absolutely right.
>
> The next time a systemd booster tells people to leave the
> community rather than try to fix Debian, please call them on
> that behavior and tell them you won't stand for it.


You're being sarcastic - I'm not when I say I totally agree with this
statement - use it or leave. Train has left the station on this.

(I don't have strong opinions on systemd - I run Ubuntu and Gentoo at work
and home and another few Debian boxes at home and the Gentoo boxes don't
have systemd. But I don't care that y'all hate or love something and I
doubt anyone else on this list does either)


Re: Systemd files on a Raspberry Pi

2015-06-22 Thread shawn wilson
On Jun 22, 2015 9:16 PM, Zebediah C. McClure <z...@ensistech.com> wrote:
>
> I'm sure it's going to continue,  There should be a place for this problem
> though. I took a quick look at the debian bug-tracker and it looks more like a
> collection of mailing lists.
>
> After looking at how systemd does things, I'd rather have the bug read,
> Remove as default instead of fixing bugs in systemd. Is there any way to
> metric how many people think this is a bad decision?


I agree it should be able to be easily changed out but it's got some
interesting features such that having it default for most archs is fine.


Re: ipset

2015-05-09 Thread shawn wilson
On May 9, 2015 12:59 PM, Gokan Atmaca <linux.go...@gmail.com> wrote:
>
> The Loop gives error as follows.
>
> # for g in 'gawk '{print $2}' facebook.com-ip'; do ipset add  face $g; done
>
> ipset v6.23: Syntax error: cannot parse gawk: resolving to IPv4 address failed
> ipset v6.23: Syntax error: cannot parse }: resolving to IPv4 address failed


IIRC you need to define the set first and it's telling you the data isn't
an IP address. You should show some data.
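
Both points in this reply (create the set first, and only feed it real addresses) in one added shell example, not from the thread: it validates the second column of the input and emits lines for `ipset restore` instead of calling `ipset add` on whatever words the loop produces. The layout of facebook.com-ip is never shown, so the sample data and the "address in column 2" layout are assumptions taken from the quoted gawk call; function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): validate before loading an ipset.

# is_ipv4 STR: succeed only for a dotted quad with octets 0..255 and no
# leading zeros. CIDR ranges and hostnames are rejected on purpose.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ip_old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$ip_old_ifs
    [ $# -eq 4 ] || return 1
    for ip_octet in "$@"; do
        case $ip_octet in 0?*) return 1 ;; esac
        [ ${#ip_octet} -le 3 ] && [ "$ip_octet" -le 255 ] || return 1
    done
}

# ipset_restore_script SET FILE: print a restore script that creates SET and
# adds every valid, de-duplicated address from column 2 of FILE. Rejected
# values are reported on stderr and never reach ipset.
ipset_restore_script() {
    irs_set=$1
    irs_file=$2
    printf 'create %s hash:ip family inet\n' "$irs_set"
    awk 'NF >= 2 { print $2 }' "$irs_file" | sort -u |
    while IFS= read -r irs_addr; do
        if is_ipv4 "$irs_addr"; then
            printf 'add %s %s\n' "$irs_set" "$irs_addr"
        else
            printf 'skipped: %s\n' "$irs_addr" >&2
        fi
    done
}

demo() {
    dm_file=$(mktemp) || return 1
    # Constructed sample input (documentation address ranges).
    cat > "$dm_file" <<'EOF'
facebook.com 192.0.2.10
facebook.com 198.51.100.20
facebook.com 192.0.2.10
facebook.com gawk
facebook.com 999.1.1.1
facebook.com 192.0.2.0/24
EOF
    ipset_restore_script face "$dm_file"
    rm -f "$dm_file"
}
demo
```

To load the result, pipe it into `ipset -exist restore` as root; `-exist` keeps a rerun from failing when the set or an entry is already there.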


Re: Which plotter printer would you recommend for construction engineers who will be using Linux?

2015-03-13 Thread shawn wilson
On Fri, Mar 13, 2015 at 7:39 PM, Doug <dmcgarr...@optonline.net> wrote:
>
> Another reason to buy the HP: if they are abundant, then inks should be
> abundantly available also. If you get something else, supplies might be
> difficult to come by in such an out-of-the-way area. Something to
> check out before you commit!


He said plotter printer - I'm guessing this means plotter. If this
is the case, you're dealing with pens and an ink well. And you can
generally use basically w/e ink you want (like silver or other metals
to make printed antennas).





Re: Which plotter printer would you recommend for construction engineers who will be using Linux?

2015-03-13 Thread shawn wilson
On Mar 13, 2015 5:41 PM, Ric Moore <wayward4...@gmail.com> wrote:
>
> You might want to go at this from another direction. I suppose you have
> already chosen your software?? Ask them. They would know better than anyone
> what plotter works with their software. Ric


I agree with this. But besides that, even if your plotter only
supports Windows (IDK how - AFAIK all its doing is shooting over an
EPS but if not) just buy it and whatever Windows desktop, make it a
print server and go with it. Your plotter is going to run you upwards
of $5k so another couple hundred dollars shouldn't kill you.





Re: Recompiling debian kernel

2015-03-07 Thread shawn wilson
On Mar 5, 2015 7:26 AM, csanyi...@gmail.com wrote:


make deb-pkg replaces all this:

> Then I execute
> make
> to build the kernel, and
>
> sudo make modules_install
>
> dpkg-buildpackage -us -uc -b -apowerpc
>
> but at these last step I get an error message:
> make[2]: Leaving directory
> `/home/csanyipal/BubbaKernelek/LeforditottKernelek/\
> Community-b3-kernel/community-b3-kernel/debian/build/source'
> dtc -b 0 -V 17 -R 4 -S 0x3000 -I dts -O dtb -f debian/dts/bubba.dts 
> debian/dts/bubba.dtb
> /bin/sh: 1: cannot create debian/dts/bubba.dtb: Directory nonexistent
> make[1]: *** [override_dh_auto_build] Error 2
> make[1]: Leaving directory
> `/home/csanyipal/BubbaKernelek/LeforditottKernelek/\
> Community-b3-kernel/community-b3-kernel'
> make: *** [build] Error 2
> dpkg-buildpackage: error: debian/rules build gave error exit status 2
>
> What should I do to solve this problem?


It's worth a shot if there are no other prereqs. Keep old debs in another
directory and then you can:
cd ..
dpkg -i *.deb
And reboot.


Re: rsync question

2015-02-07 Thread shawn wilson
On Feb 6, 2015 11:14 PM, Don Armstrong <d...@debian.org> wrote:
>
> On Sat, 07 Feb 2015, Curtis Vaughan wrote:
>> That seems to work, but here's a problem. Each time it enters a new
>> user directory I have to re-enter the root password. I realize I can
>> just set it up so that I don't have to enter a password at all, but
>> maybe there's a way to set it, so I'd have to only enter the root
>> password once?
>
> The general method is to use ssh connection sharing; you connect once,
> then subsequent connections use the master connection.


Just to expand on that, you need to setup ControlMaster (see the man page -
this comes with risk - like keeping agent running). This will keep the
session open between calls, hence things will run faster (don't have to
reestablish session key each time) and you don't reauth (nothing is checked
that would require auth).

And further:
You shouldn't be using password auth and should be using keys everywhere.
You can also use RSYNC_PASSWORD if using rsync protocol (god please don't
do this - any of it - using rsync directly or sending passwords over the
wire). You should be able to do this with just rsync (no bash) but I'm not
at a computer and can't do that off the top.


Re: GHOST, Am I ok?

2015-01-28 Thread shawn wilson
You'll need a reboot since most everything links against libc.so.6
it'll never be unloaded.

On Wed, Jan 28, 2015 at 4:59 PM, Bob Bernstein <poo...@ruptured-duck.com> wrote:
> On Wed, Jan 28, 2015 at 04:08:06PM -0500, Dan Ritter wrote:
>
>> After you reboot, you are. Before that, maybe.
>
> Thanks everyone. I was not at all on top of this thing.
>
> --
> Bob Bernstein
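
To see which running processes still map the old, now-unlinked libc after the package upgrade (the reason given above for the reboot), one can scan /proc. This is an added example, not from the thread; the libc path pattern, the function names and the optional alternate root argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list processes that still map a libc
# file which has been replaced on disk. After an upgrade the old inode is
# unlinked, and /proc/PID/maps shows its path followed by "(deleted)".

# stale_libc_in_maps: read a maps file on stdin; succeed if any mapping is a
# deleted file whose name looks like libc (libc-2.19.so, libc.so.6, ...).
stale_libc_in_maps() {
    awk 'NF >= 2 && $NF == "(deleted)" && $(NF-1) ~ "/libc[-.][^/]*$" { found = 1 }
         END { exit !found }'
}

# list_stale_libc_procs [PROC_ROOT]: print "PID NAME" for every process that
# still maps the old libc. PROC_ROOT defaults to /proc; another root can be
# passed to inspect a copied tree. Other users' maps are readable only by root.
list_stale_libc_procs() {
    lsp_root=${1:-/proc}
    for lsp_dir in "$lsp_root"/[0-9]*; do
        [ -r "$lsp_dir/maps" ] || continue
        if stale_libc_in_maps < "$lsp_dir/maps" 2>/dev/null; then
            lsp_name=$(cat "$lsp_dir/comm" 2>/dev/null) || lsp_name='?'
            printf '%s %s\n' "${lsp_dir##*/}" "$lsp_name"
        fi
    done
}

# Run against the live system; an empty result means nothing visible to this
# user still holds the old library.
if [ -d /proc ]; then
    list_stale_libc_procs /proc
fi
```
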







Re: GHOST, Am I ok?

2015-01-28 Thread shawn wilson
doh, tired. sorry for the repeat.

On Wed, Jan 28, 2015 at 5:16 PM, shawn wilson <ag4ve...@gmail.com> wrote:
> You'll need a reboot since most everything links against libc.so.6
> it'll never be unloaded.
>
> On Wed, Jan 28, 2015 at 4:59 PM, Bob Bernstein <poo...@ruptured-duck.com> wrote:
>> On Wed, Jan 28, 2015 at 04:08:06PM -0500, Dan Ritter wrote:
>>
>>> After you reboot, you are. Before that, maybe.
>>
>> Thanks everyone. I was not at all on top of this thing.
>>
>> --
>> Bob Bernstein







Re: Command line wifi tooling

2014-11-28 Thread shawn wilson
Not sure if you're looking for cli or ncurses.

I always just do:
nmcli dev wifi    # list APs
nmcli dev wifi connect <essid> password <password>

That assumes networkmanager - I'm sure installer probably uses iwlist
dev scan and then either iwconfig or wpa_supplicant/wpa_passphrase
though.

On Fri, Nov 28, 2014 at 4:00 AM, Bram Diederik <bram.diede...@gmail.com> wrote:
> Hi all,  During Debian installation does the user has an option to use the
> wifi to get debian packages. The user is shown all access point. And fill in
> the credentials after selection an AP.
>
> My question is. Is there an commandline equivalent to this?
>
> Thanks in advance.
> Bram





Re: umask has no man page?

2014-11-11 Thread shawn wilson
While I like the dhelp script idea, I think man is a pure UX issue -
man should generally DWIM because if I type man foo, I don't want to
jump through hoops. There are times (looking at libraries and system calls
and the like) that knowing the system helps. However, with 20 (IDR
how many - a bunch) this gets annoying. I think the easiest fix would
be for debian to have a per shell alternatives search
(/etc/alternatives/man/shell) that the shell's global rc can prepend
to $MANPATH (of course, I compile zsh from git, so no help for me, but
w/e). This way we can include builtins for shells and they are no
longer there when we switch shells.

On Sun, Nov 2, 2014 at 12:17 PM, Carl Fink <c...@finknetwork.com> wrote:

> However, doesn't the Debian policy manual require a man page for every
> program?

These aren't programs (though, man [ DWIM - guess it's both a program
AND a builtin - ugh) these are a part of your shell - a program, but
it's like arguing that each program function gets a manpage - not
happening.

> Wouldn't that lead users to try the man system to get help on every
> command, since a new or non-technical user would have no way to know that
> umask or read or fg is not a program but a personality of Bash? So why
> _not_ have a man page for them?

And I agree with this (again because the man system should try to
DWIM). Just not as a part of a global man system (because that would
fail to DWIM which has already been pointed out  for the which
command).





Re: Installing an Alternative Init?

2014-11-10 Thread shawn wilson
On Nov 10, 2014 11:34 AM, Michael Biebl <bi...@debian.org> wrote:
>
> On 10.11.2014 at 17:26, Patrick Bartek wrote:
>> On Mon, 10 Nov 2014, Michael Biebl wrote:
>>
>>> You can use pre-seeding and run
>>>
>>> preseed/late_command=in-target apt-get install -y sysvinit-core
>>>
>>> in the debian-installer. While that does indeed first install
>>> systemd-sysv, it's directly replaced again during system installation
>>> and doesn't require you to boot with systemd as PID 1.
>>> So it might be pretty close to what you're looking for.
>>
>> Thanks.  But wouldn't it be nice if as an option, you could just pick
>> which init you wanted in the installer.  It would make things so much
>> easier.  Too late to implement this, I suppose.  Maybe, in the next
>> release?
>
> Most users simply don't care and don't want to be bothered with this.
> It's not like we prompt the user whether he wants to use grub or isolinux.
> If we added an explicit switch, this would have to be in
> expert-install-mode only imo. I can't speak for the d-i people, but
> since we entered freeze, I guess it's likely too late to add that for jessie.
> Especially, as already mentioned, you do already have a mechanism via
> preseed/late_command.


Not sure whether this was deb or slack, but I do remember a prompt of grub
vs lilo for a while (also the choice of password hash was there for a while
too). Ie, it wouldn't be precedented.


Re: Joey Hess is out?

2014-11-09 Thread shawn wilson
On Nov 9, 2014 4:46 AM, Jonathan Dowland <j...@debian.org> wrote:
>
> On Sun, Nov 09, 2014 at 05:38:59PM +1100, Andrew McGlashan wrote:
>> What part of we don't want systemd on any of our systems don't you
>> get?  If we don't want it, we won't be testing it.
>
> There's still plenty of work to be done testing upgrade paths for sysvinit;
> improving systemd-shim; patching d-i so that you can preseed a systemd-free
> install; no shortage of places to constructively apply yourself.


Right, as well, to be a part of a community means going with the flow when
the community heads a certain direction.

Just for the record, I'm split on systemd -I generally like the idea, don't
like how its been pushed out, and think there should be non-systemd
packages wherever possible.


Re: Joey Hess is out?

2014-11-09 Thread shawn wilson
On Nov 8, 2014 12:24 PM, Miles Fidelman mfidel...@meetinghouse.net
wrote:

 Mart van de Wege wrote:

 Slavko li...@slavino.sk writes:

 Ahoj,

 Dňa Sat, 08 Nov 2014 16:03:46 +0100 Mart van de Wege
 mvdw...@gmail.com napísal:

 Why don't the anti-systemd people do what they've been threatening the
 whole time and fuck off to another distro or to FreeBSD?

 This is exact example why i stopped all my contribution to Debian, and
 i will not start it again, despite if i stay with Debian in future or
 not! I orphan my packages in near future.

 If the community consider people which have another opinion as bad, it
 is time do not contribute to it more. And whole debate is about one
 idea: If you don't like systemd, you are stupid.

 I consider people that bring nothing else but their opinion to the table
 as lesser than people who do the actual development, yes. In this
 discussion at least.

 If you can't even be bothered to set up a test server to look at
 systemd, but instead foul up the mailing lists creating a climate where
 threats to the actual developers become normal, then you can sod off. I
 wouldn't trust you to sit the right way on a toilet seat.


 So you're saying that reading specs, documentation, install reports, bug
 reports, qa threads about specific problems, and so forth, are not useful
 ways to evaluate technology?  Where I come from, that's called doing one's
 homework.


If that's suggesting those supplant actual testing. If you're
suggesting docs should be considered *as well*, absolutely.


Re: /etc/udev/rules.d/10-local.rules

2014-11-02 Thread shawn wilson
On Nov 2, 2014 6:03 PM, pe...@easthope.ca wrote:

 Until recently

 # The black Kingston SDHC card.
 KERNEL=="mmcblk?p1", ATTR{size}=="7626752", SYMLINK+="BlackSDHC1", \
  OWNER="peter", GROUP="users"

 in /etc/udev/rules.d/10-local.rules produced /dev/BlackSDHC1.
 Now that doesn't work although, if the part is labeled, it
 is automounted at /media/label.


lsusb -v

Everything must match the same set.

 No error message appears with interactive udevadm trigger.
 No error message is visible in /var/log/syslog.

Of course not - the rule is structured correctly and it could match for
another device.


apt as a user

2014-10-31 Thread shawn wilson
I'm trying to allow an apt user to run apt* commands. I've got this polkit:

/etc/polkit-1/localauthority/30-site.d/10-org.com.foo.apt.pkla

[Configuration]
AdminIdentities=unix-user:apt
Action=org.debian.apt.*
ResultAny=no
ResultInactive=no
ResultActive=yes

However when I: su - apt
it looks like nothing has changed:

$ apt-get update
E: Could not open lock file /var/lib/apt/lists/lock - open (13:
Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

I've got aptdaemon installed. Any idea what I'm doing wrong here?


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/cah_obidzwkugqo++pgcvau-u2fwszt+ro+xcmmtn0jtgnj4...@mail.gmail.com



Re: apt as a user

2014-10-31 Thread shawn wilson
On Fri, Oct 31, 2014 at 12:05 PM, Mario Castelán Castro
marioxcc...@yandex.com wrote:
 El 31/10/14 09:29, shawn wilson escribió:

 I'm trying to allow an apt user to run apt* commands. I've got this
 polkit:

 /etc/polkit-1/localauthority/30-site.d/10-org.com.foo.apt.pkla

 [Configuration]
 AdminIdentities=unix-user:apt
 Action=org.debian.apt.*
 ResultAny=no
 ResultInactive=no
 ResultActive=yes

 However when I: su - apt
 it looks like nothing has changed:

 $ apt-get update
 E: Could not open lock file /var/lib/apt/lists/lock - open (13:
 Permission denied)
 E: Unable to lock directory /var/lib/apt/lists/
 E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission
 denied)
 E: Unable to lock the administration directory (/var/lib/dpkg/), are you
 root?

 I've got aptdaemon installed. Any idea what I'm doing wrong here?


 I'm not an expert in Debian package management, but I think that the error
 is what it says, the user lacks appropriate permissions for those files and
 directories. I recommend that you configure sudo to allow those users to
 invoke at least apt-get. You can also use sudo to log the commands and even
 the command line interaction. See the man page of sudo and sudoers.


Arg, I forgot to mention the reason I'm doing this:
Right now I only allow http(s) out to repo servers on certain times
that we do updates:
-A FORWARD -d <dest ip> -i eth5 -p tcp -m tcp --sport 1024:65535 --dport 80 -m time --weekdays <day> --datestop <time range> -j ACCEPT

What I want is a way to limit it to a command. The only way I know how
to do that is to specify --uid-owner in iptables

 Bear in mind that users who can install and uninstall packages can make the
 system unusable or purposely install a vulnerable package to perform
 privilege escalation. If they can add repositories, they can easily direct
 the package manager to a specially crafted package which will give them root
 access without the need to exploit an existing package. If you wouldn't
 trust root access to those users, don't give them package management
 capabilities.


So my original thought was to use pkexec and set the user to
/bin/false but pkexec wants to ask me for a password - since I don't
have/know/want to use a password (all logins are ssh with keys) IDK
that's going to work. So just a user to su into in order to run the
command should be ok? Security wise - I'm always open to being
checked.





Re: apt as a user

2014-10-31 Thread shawn wilson
On Fri, Oct 31, 2014 at 12:17 PM, shawn wilson ag4ve...@gmail.com wrote:
 On Fri, Oct 31, 2014 at 12:05 PM, Mario Castelán Castro
 marioxcc...@yandex.com wrote:
 El 31/10/14 09:29, shawn wilson escribió:

 -A FORWARD -d <dest ip> -i eth5 -p tcp -m tcp --sport 1024:65535 --dport 80 -m time --weekdays <day> --datestop <time range> -j ACCEPT


Also, that was from our firewall box - obviously in order to do this,
I'll have to loosen that up and do the --uid-owner on the local box
(which is fine - that rule should jump to a accept_log chain anyway).





Re: apt as a user

2014-10-31 Thread shawn wilson
On Fri, Oct 31, 2014 at 12:40 PM, Vanessa vane...@ulukai.org wrote:
 On 2014-10-31 17:17, shawn wilson wrote:
 On Fri, Oct 31, 2014 at 12:05 PM, Mario Castelán Castro
 marioxcc...@yandex.com wrote:
 El 31/10/14 09:29, shawn wilson escribió:

 I'm trying to allow an apt user to run apt* commands. I've got this
 polkit:

 /etc/polkit-1/localauthority/30-site.d/10-org.com.foo.apt.pkla

 [Configuration]
 AdminIdentities=unix-user:apt
 Action=org.debian.apt.*
 ResultAny=no
 ResultInactive=no
 ResultActive=yes

 However when I: su - apt
 it looks like nothing has changed:

 $ apt-get update
 E: Could not open lock file /var/lib/apt/lists/lock - open (13:
 Permission denied)
 E: Unable to lock directory /var/lib/apt/lists/
 E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission
 denied)
 E: Unable to lock the administration directory (/var/lib/dpkg/), are you
 root?

 I've got aptdaemon installed. Any idea what I'm doing wrong here?

 If I'm reading the description and documentation of aptdaemon right, you
 need to use an aptdaemon client, which would be aptdcon in the same
 package. But the fetching and installation would then be done by
 aptdaemon, which would still be run as root and not the user executing
 aptdcon.


Ahha, that sorta worked:
$ aptdcon --safe-upgrade
The following packages will be upgraded (31):
[.]
Do you want to continue [Y/n]?Y
ERROR: You are not allowed to perform this action.

('system-bus-name', {'name':  ':1.50'}): org.debian.apt.upgrade-packages


So, I'm guessing there's something wrong with my polkit rule?
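
An added example, not part of the original messages: a small lint for `.pkla` files, using the key names documented in pklocalauthority(8), run over the file quoted in this thread and over a constructed variant that uses `Identity=`. The constructed variant, the function names and the session labels (`any`, `inactive`, `active`) are assumptions made for this example.

```python
import configparser
import re

# Result keys per session kind, as documented in pklocalauthority(8).
# A session that is not on a local console (e.g. a remote login) is decided
# by ResultAny; local sessions by ResultInactive / ResultActive.
RESULT_KEYS = {"any": "ResultAny", "inactive": "ResultInactive", "active": "ResultActive"}
RESULT_VALUES = {"no", "yes", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
IDENTITY_KINDS = ("unix-user:", "unix-group:", "unix-netgroup:")
# Keys that are read from /etc/polkit-1/localauthority.conf.d/*.conf instead.
CONF_ONLY_KEYS = ("AdminIdentities",)

# The file quoted in the thread, verbatim.
QUOTED_PKLA = """\
[Configuration]
AdminIdentities=unix-user:apt
Action=org.debian.apt.*
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

# Constructed variant (assumption, not from the thread): same results,
# but the subject is named with Identity= in an ordinary entry group.
CONSTRUCTED_PKLA = """\
[Let the apt user drive aptdaemon]
Identity=unix-user:apt
Action=org.debian.apt.*
ResultAny=no
ResultInactive=no
ResultActive=yes
"""


def parse_pkla(text):
    """Parse a .pkla key file into {group name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # key names are case-sensitive
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def split_list(value):
    """Split a semicolon-separated list of globs."""
    return [item.strip() for item in value.split(";") if item.strip()]


def glob_match(pattern, value):
    """Match with * and ? only; every other character is literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None


def lint_pkla(text):
    """Return (group, message) findings for one .pkla file."""
    findings = []
    for name, keys in parse_pkla(text).items():
        for key in CONF_ONLY_KEYS:
            if key in keys:
                findings.append((name, key + " is a localauthority.conf.d key, not a .pkla entry key"))
        if "Identity" not in keys:
            findings.append((name, "no Identity key: nothing names the subject of this entry"))
        if "Action" not in keys:
            findings.append((name, "no Action key: nothing names the action of this entry"))
        for ident in split_list(keys.get("Identity", "")):
            if not ident.startswith(IDENTITY_KINDS):
                findings.append((name, "identity %r has no unix-user:/unix-group: prefix" % ident))
        present = [k for k in RESULT_KEYS.values() if k in keys]
        if not present:
            findings.append((name, "no ResultAny/ResultInactive/ResultActive key"))
        for key in present:
            if keys[key] not in RESULT_VALUES:
                findings.append((name, "%s=%r is not a documented result" % (key, keys[key])))
    return findings


def decide(text, identity, action, session="any"):
    """Result of the last entry matching identity and action, or None if none matches."""
    result = None
    for keys in parse_pkla(text).values():
        idents = split_list(keys.get("Identity", ""))
        actions = split_list(keys.get("Action", ""))
        if any(glob_match(g, identity) for g in idents) and any(glob_match(g, action) for g in actions):
            result = keys.get(RESULT_KEYS[session], result)
    return result


if __name__ == "__main__":
    action = "org.debian.apt.upgrade-packages"  # action id from the aptdcon error above
    for label, text in (("quoted", QUOTED_PKLA), ("constructed", CONSTRUCTED_PKLA)):
        print(label, lint_pkla(text))
        for session in RESULT_KEYS:
            print("  ", session, "->", decide(text, "unix-user:apt", action, session))
```

With `ResultAny=no`, even the constructed variant answers `no` for a subject whose session is not on a local console, which is the case for logins over ssh.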





Re: Avoid reboot by loading initramfs again

2014-10-20 Thread shawn wilson
On Oct 20, 2014 8:13 AM, Jimmy Thrasibule jimmy.thrasib...@gmail.com
wrote:

 DM I think it depends on what you're trying to achieve and what you're
 DM trying to avoid.

 Well my first idea was to have a kind of management OS that I can load
 in memory to do some stuff like disk partitioning, fsck, etc...


See Qubes

It's what Amazon uses for AWS. It's based on Fedora but idk of a Debian based
distro with a similar focus.


Re: Problem with SSH host keys

2014-09-24 Thread shawn wilson
On Sep 23, 2014 6:44 PM, Keith Lawson ke...@nowhere.ca wrote:

 On Tue, Sep 23, 2014 at 04:45:50PM -0400, shawn wilson wrote:
  On Tue, Sep 23, 2014 at 10:20 AM, Keith Lawson ke...@nowhere.ca wrote:
   Hello,
  
   I'm running jessie on my laptop and after doing a dist-upgrade yesterday I'm
   getting SSH host key errors for a bunch of servers I've been connecting to
   for years:
  
 
  IDK this has anything to do with the problem you're seeing (unless you
  have something wacky with your ~/.ssh - like it symlinked to /etc/ssh
  or something). So, I'll just go on the assumption that this is
  coincidence...
 
   The authenticity of host 'blah' can't be established.
   RSA key fingerprint is e8:08:db:b0:e7:38:57:d4:82:a8:a4:1c:42:f0:25:09.
   Are you sure you want to continue connecting (yes/no)?
  
   The host keys are in ~/.ssh/known_hosts and haven't changed on the server
   side. Looking at the openssl, openssh-server and openssh-client change logs
   I don't see anything that would explain this behavior. Is anyone aware of
   any changes in openssh-client in jessie that would cause certain server keys
   that were previously working to be invalid?
  
 
  The host keys are in known_hosts, but are the proper keys (the one you
  listed above - see ssh-keygen -lf /etc/ssh/ssh/ssh_host_rsa_key.puh on
  the server) listed there? Does your user own the file and is it mod
  660 or less? Are you logging into the server you think you are (did
  you typo an ip in your ssh_config or is someone mitm you)?
 

 Time stamps on the keys on the server haven't changed and the key
 fingerprint on the server matches what's getting offered to the client. I
 use aliases like alias hostname='ssh ke...@hostaname.com' so typos are
 out of the question. Still stumped on what changed and when we're talking
 SSH keys that makes me nervous.


You didn't answer most of the above, so I'll just assume you've found that
not to be an issue ... I guess the main way I debug SSH is to login out of
band and look at both the client and server logs.

You're aware of ssh_config? And that you can define the username to use for
an arbitrary hostname to connect to a real ip? Basically doing the same
thing your aliases do (but better). If you're going to add functionality to
SSH, do it with functions so you have better control of what happens to
parameters.


Re: Problem with SSH host keys

2014-09-24 Thread shawn wilson
On Wed, Sep 24, 2014 at 3:41 AM, Karl E. Jorgensen
k...@jorgensen.org.uk wrote:

 Another good reason not to hash the known_hosts file: bash command
 completion - after ssh or scp the bash command completion will use
 ~/.ssh/known_hosts to suggest/complete hosts. Brilliant stuff.


Weird the ssh host completion that zsh (or maybe it's something in
omz) has seems to handle it fine. It seems to work with ssh (not very
well with remote commands though), scp (I don't use it much), and
rsync (though there are some quoting issues with globbing - I was
working on making that work, but got side tracked).

That said, I plan to split up my known_hosts using the
UserKnownHostsFile option Don pointed out as I'm now at 100 lines.
Not much of an issue since ssh tells me what line is the issue and if
I know something has changed (ie, most of my hosts now use ed25519) I
open up vim and ##gdd:wq and then verify the new fingerprint. But,
that would just be much cleaner.





Re: Problem with SSH host keys

2014-09-23 Thread shawn wilson
On Tue, Sep 23, 2014 at 10:20 AM, Keith Lawson ke...@nowhere.ca wrote:
 Hello,

 I'm running jessie on my laptop and after doing a dist-upgrade yesterday I'm
 getting SSH host key errors for a bunch of servers I've been connecting to
 for years:


IDK this has anything to do with the problem you're seeing (unless you
have something wacky with your ~/.ssh - like it symlinked to /etc/ssh
or something). So, I'll just go on the assumption that this is
coincidence...

 The authenticity of host 'blah' can't be established.
 RSA key fingerprint is e8:08:db:b0:e7:38:57:d4:82:a8:a4:1c:42:f0:25:09.
 Are you sure you want to continue connecting (yes/no)?

 The host keys are in ~/.ssh/known_hosts and haven't changed on the server
 side. Looking at the openssl, openssh-server and openssh-client change logs
 I don't see anything that would explain this behavior. Is anyone aware of
 any changes in openssh-client in jessie that would cause certain server keys
 that were previously working to be invalid?


The host keys are in known_hosts, but are the proper keys (the one you
listed above - see ssh-keygen -lf /etc/ssh/ssh/ssh_host_rsa_key.puh on
the server) listed there? Does your user own the file and is it mod
660 or less? Are you logging into the server you think you are (did
you typo an ip in your ssh_config or is someone mitm you)?
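
An added example, not part of the original messages: one way to check whether the fingerprint ssh offers is really stored for the name being connected to, including hashed `known_hosts` entries as mentioned elsewhere in this thread. Host names, key blobs and the salt are constructed sample data, and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re


def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of a base64 key blob (the form ssh printed above)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def hash_host(host, salt):
    """Hashed host field as written by HashKnownHosts / ssh-keygen -H: |1|salt|HMAC-SHA1."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _glob(pattern, value):
    # known_hosts patterns use only * and ?; brackets in [host]:port are literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None


def host_matches(field, host):
    """True if the first field of a known_hosts line covers `host`."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
        except ValueError:
            return False
        return hmac.compare_digest(hash_host(host, salt), field)
    patterns = field.split(",")
    if any(p.startswith("!") and _glob(p[1:], host) for p in patterns):
        return False  # a negated pattern excludes the host
    return any(_glob(p, host) for p in patterns if not p.startswith("!"))


def check_host(known_hosts_text, host, offered_fp):
    """Return (verdict, [(line number, key type), ...]).

    'match'    : the offered key is stored for this name
    'mismatch' : other keys are stored for this name (changed key or other key type)
    'unknown'  : no line covers this name (alias, short name, IP vs. name, ...)
    """
    same, other = [], []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if not host_matches(fields[0], host):
            continue
        try:
            fp = md5_fingerprint(fields[2])
        except ValueError:
            continue  # damaged key blob
        (same if fp == offered_fp else other).append((lineno, fields[1]))
    if same:
        return "match", same
    if other:
        return "mismatch", other
    return "unknown", []


# Constructed sample data: the blobs are placeholders, not real public keys.
RSA_KEY = base64.b64encode(b"constructed rsa blob, not a real key").decode()
ED_KEY = base64.b64encode(b"constructed ed25519 blob, not a real key").decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts sample",
    "files.example.net,192.0.2.10 ssh-rsa " + RSA_KEY,
    hash_host("db.example.net", b"constructed-salt-20b") + " ssh-ed25519 " + ED_KEY,
    "[git.example.net]:2222 ssh-rsa " + RSA_KEY,
])

if __name__ == "__main__":
    for name, key in (("files.example.net", RSA_KEY), ("files", RSA_KEY),
                      ("db.example.net", ED_KEY), ("db.example.net", RSA_KEY)):
        print(name, check_host(KNOWN_HOSTS, name, md5_fingerprint(key)))
```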





Re: Iptables

2014-06-27 Thread shawn wilson
On Jun 27, 2014 8:14 AM, Diogene Laerce me_buss...@yahoo.fr wrote:


 iptables -A INPUT -i eth0 -p udp -s 192.168.0.2/32 -d 192.168.0.1
 --dport 137 -j ACCEPT
 iptables -A INPUT -i eth0 -p udp -s 192.168.0.2/32 -d 192.168.0.1
 --dport 138 -j ACCEPT
 iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp -s
 192.168.0.2/32 -d 192.168.0.1 --dport 139 -j ACCEPT
 iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp -s
 192.168.0.2/32 -d 192.168.0.1 --dport 445 -j ACCEPT


 Any clue ?


Clues, sure. It probably doesn't matter but establishing state in the
middle of your rules looks weird. Second, don't silently drop stuff - make
a log and drop chain. Last (probably your issue) is you're filtering out
broadcasts. But if you log your drops, that'll be very apparent.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread shawn wilson
On Wed, Apr 16, 2014 at 8:54 AM, John Hasler jhas...@newsguy.com wrote:
 Bill Wood writes:

 and medical identity theft has risen sharply in recent years.

 What is medical identity theft?

I'd also be interested seeing the proof for the claim (I think he
means medical data breaches but IDK anyone has disclosed that
information).





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Apr 13, 2014 11:03 PM, Chris Bannister cbannis...@slingshot.co.nz
wrote:


 Then there is also the very serious issue of embedded devices using
 openssl. Tablets, smartphones, routers, ... etc. etc.


You're correct about network hardware (though the only one I'm aware of so
far is F5 with the latest firmware). If anyone knows of other network
hardware that uses openssl (any version) I'd like to know.

However, how exactly would this bug be used to compromise a client (tablet
or smartphone) whose app uses openssl libs?

(I think you spoke in error and my initial intent was to dispel FUD. However
if there's a way, I'm really curious)


Re: OpenVPN + Heartbleed question

2014-04-14 Thread shawn wilson
It might be possible for an openvpn server to initiate a heartbeat sequence
with a client. And therefore for a rogue server to exploit this. I don't
believe this to be the case however and I can't think of any other way of
exploiting this.

If you can get openvpn to use named sockets, you should be able to easily
test this with existing scripts.
On Apr 14, 2014 3:24 AM, Alan Murrell li...@murrell.ca wrote:

 Hello All,

 I am not entirely sure if this is right place to ask, but I thought I
 would start here.

 We have a client who has several dozen remote locations all connected to
 the head office via OpenVPN tunnels.  OpenVPN is from the Debian packages.

 The version of OpenSSL on the head office firewall running the OpenVPN
 server is a non-vulnerable version (it runs Debian 6.0.2, which has OpenSSL
 0.9.8 installed).  However, the remote locations are mix of Debian 6 and
 Debian 7 installations (the Debian 6 would not have a vulnerable version of
 OpenSSL, while the Debian 7 ones would, and can be patched by running
 'apt-get update && apt-get upgrade' to install a patched version of OpenSSL)

 My question is this, really: while it is understood that the systems
 running the vulnerable versions of OpenSSL should be updated (and in fact
 are in process of doing just that), is there really any immediate danger of
 information being leaked from those tunnels?

 The certificates were all generated on the head office firewall running the
 OpenVPN server, and all the clients are making their connections to that
 non-vulnerable server (as far as Heartbleed goes, anyway), so are the
 tunnels themselves in fact in any danger of compromisation, even if the
 clients are running a vulnerable version of OpenSSL?

 I guess I am wondering if *all* those SSL tickets need to be revoked and
 re-generated (I know it is likely best-practice to do so, but is it likely
 necessary?  It should likely be done anyway, but is there any immediacy
 about it that has to be done?)

 Thanks for your input.

 A.






Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Apr 14, 2014 11:01 AM, Chris Bannister cbannis...@slingshot.co.nz
wrote:

 On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
  On 4/13/2014 10:03 PM, Chris Bannister wrote:
  ...
   considering it is a catastrophe worse than the Y2K bug.
 
  This is several orders of magnitude less severe than Y2K.

 I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
 Catastrophic is the right word. On the scale of 1 to 10, this is an
 11

 So I gathered, perhaps wrongly, that in that case the Y2K bug would have
 to be greater than 11 on a scale of 1 to 10.


No we're using hex based scales now. And how this works is when someone
tries to be stupid and rate something a 17, it rotates into being a 0.

They're different types of bugs. Taking a scale and making something out of
bounds for it is stupid but really, so is comparing one bug to the other.
They generally affected different types of systems, were caused by
different types of oversight, were generally on a different programming
level, and mostly the Y2K bug affected financial institutions and this bug
has little effect there.

   Not even an email from the bank!
 
  Many/most financial institutions disdain open source software and would
  much rather pay for proprietary commercial solutions so there is someone
  to sue and recover damages when things go tits up.

 That statement was made in the sense that at least the bank could have
 issued a statement along the lines of 'you may have heard of the
 heartbleed bug, we can assure all of our customers that we are not
 affected by this bug and there is no need to panic.'


No, I don't want to hear from my bank unless there's a problem. If
everything is going OK, don't spam me. If it's not, by all means, let me
know. This didn't affect them so don't tell me anything.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Apr 14, 2014 9:15 PM, John Hasler jhas...@newsguy.com wrote:

 shawn wilson writes:
  No, I don't want to hear from my bank unless there's a problem. If
  everything is going OK, don't spam me. If it's not, by all means, let
  me know. This didn't affect them so don't tell me anything.

 You assume that they would tell you if they were affected.

 If I did any online banking (I don't) I'd change all the passwords no
 matter what the banks said and consider closing the accounts and opening
 new ones with different account numbers as well.  Maybe with different
 banks.

Well yes, there are few businesses that have good security and information
policies and who I trust.

However, my point is that banks are in the business of keeping my money -
that's what I pay them for. They're not a news outlet or someone who I
trust to give me advice for the best use of other people's systems. And,
when compromises do happen, we don't hear about it unless there was
specific data loss found.

So basically they should never send me this type of email.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Apr 14, 2014 10:11 PM, Richard Hector rich...@walnut.gen.nz wrote:

 On 15/04/14 12:59, shawn wilson wrote:
  That statement was made in the sense that at least the bank could have
   issued a statement along the lines of 'you may have heard of the
   heartbleed bug, we can assure all of our customers that we are not
   affected by this bug and there is no need to panic.'
  
  No, I don't want to hear from my bank unless there's a problem. If
  everything is going OK, don't spam me. If it's not, by all means, let me
  know. This didn't affect them so don't tell me anything.
 

 They don't need to send an email, or anything intrusive. They just need
 to put a big notice on the login page of their internet banking site -
 along with (or instead of) all the ads they have for cheap loans or term
 deposits or whatever. It would make virtually no difference to the speed
 of logging in, and would reassure me that they take security seriously.


This is totally OT (this thread sorta has been for a while)

All banks take security seriously - if they fail audits, someone will get
fired (probably a C level someone). Past that, I can say BofA seems to
spend extra effort on security for businesses and high value customers, and
Wells Fargo is probably one of the most secure financial institutions I
know of (based on someone I know who Fortify for them and my mom
complaining about how irritating it is to deal with them). I also know of a
security company who has contracts with a financial institution. Basically
they care and have tons more knowledge working on a subject than either of
us have.

If a company starts posting CVEs on their home page, I'll think it kinda
cool or interesting, but I'm not going to read through it or take them more
seriously because of it.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Tue, Apr 15, 2014 at 12:44 AM, Chris Bannister
cbannis...@slingshot.co.nz wrote:
 On Mon, Apr 14, 2014 at 08:59:30PM -0400, shawn wilson wrote:
 On Apr 14, 2014 11:01 AM, Chris Bannister cbannis...@slingshot.co.nz
 wrote:
 
  On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
   On 4/13/2014 10:03 PM, Chris Bannister wrote:
   ...
    considering it is a catastrophe worse than the Y2K bug.
  
   This is several orders of magnitude less severe than Y2K.
 
  I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
  Catastrophic is the right word. On the scale of 1 to 10, this is an
  11
 
  So I gathered, perhaps wrongly, that in that case the Y2K bug would have
  to be greater than 11 on a scale of 1 to 10.
 

 No we're using hex based scales now. And how this works is when someone
 tries to be stupid and rate something a 17, it rotates into being a 0.

 You'd be better off emailing Mr Schneier on that one.


You're going to blame someone else for your (quite literal) +1 on
their comment. OK :)





Re: Cropping a large collection of .PNG screenshots

2014-04-13 Thread shawn wilson
On Wed, Apr 9, 2014 at 6:03 AM, Kevin O'Gorman kogor...@gmail.com wrote:
 I have a few hundred screen shots I want to put on a web page, but
 they are all full-screen and I want to crop to the real contents.
 This is an identical region in all cases.  So I want to script it.

 So, 2 questions:
 A) What's the best tool for the job?  Gimp, irfanview, or something else?
 B) Is there a script already in existence where I can just change the
 crop rectangle?  I really don't want to learn a new language for a
 one-time job.


After seeing tons of different scripts and no response to your idea of
irfanview, I figured I'd put my $.02 in. Irfanview is a Windows
program and this is a linux forum. Other than that, it is what I'd
recommend someone look at in order to attempt to do this before I had
to write them a one off script. Last I checked there is no linux port
of irfanview. You could look at xnview/xnconvert and after you figure
out the cli options, run it through a loop or xargs or find exec.

You could also look for a gimpscript (basically python iirc) to do
this there. Or if this is something you will need to repeat, you might
look into writing it.





Re: is there a risk to program in java since sun is bought by oracle

2014-04-10 Thread shawn wilson
(Nice top post)

On Thu, Apr 10, 2014 at 2:57 AM, Gian Uberto Lauri
gianuberto.la...@gmail.com wrote:
 The only problem with Java is that it is a bit old for current 
 architectures. There are better languages that run on the JVM (Clojure and 
 Scala to name two).


The problems with java come from allowing untrusted compiled code to
run natively on your machine (WebStart). Web services, databases,
Android apps, etc don't have this issue. However, I'm pretty sure you
can write Scala/Clojure WebStart apps that would have the same issues
as native Java has here.

The Java culture tends to piss me off so I try to stay away from it
(and I like scripting languages better anyway).

 On 09/apr/2014, at 22:31, abdelkader belahcene abelahc...@gmail.com wrote:

 is there a risk to program in java since sun is bought by oracle ?


AFAIK, the issue with Oracle is their release cycle (not sure if
that's still the case).





Re: OpenSSL Heartbleed bug, Apache still vulnerable?

2014-04-09 Thread shawn wilson
On Apr 9, 2014 3:51 PM, Sven Hartge s...@svenhartge.de wrote:

 Curt cu...@free.fr wrote:
  On 2014-04-09, Jochen Spieker m...@well-adjusted.de wrote:

  The repository now contains a fixed version (0.9.4.2-r413). I tested it
  and the new version looks fine.

  Don't mean to hijack, but is this a useful tool?

  http://filippo.io/Heartbleed/

 To scan your complete network in mere seconds:

 https://github.com/robertdavidgraham/masscan

 http://blog.erratasec.com/2014/04/using-masscan-to-scan-for-heartbleed.html


There's also ssl-heartbleed.nse which (even though it's not threaded) is
probably a bit faster (not to mention has a familiar interface). It also
looks like they cleaned some stuff up in the port.


Re: Security question concerning jail or virtualization

2014-03-14 Thread shawn wilson
On Fri, Mar 14, 2014 at 4:30 AM, Scott Ferguson
scott.ferguson.debian.u...@gmail.com wrote:
 On 14/03/14 15:51, shawn wilson wrote:

 On Mar 14, 2014 12:13 AM, Brad Alexander stor...@gmail.com wrote:



 Due to this experience I would like to know what the best way to
 limit such problems is, especially when hosting web servers for users
 who may or may not installed unsecure applications on the web server.



 None of those methods are dependent on password access.

The initial attack isn't. Post exploit is. Again, I'd think there are
legal issues with auditing your clients' software making all of this
moot (besides my recommendation for a layer 7 firewall).

 Password security for the server (as distinct from user web
 applications) *should* be part of any webserver security. Debian
 provides dsniff and john the ripper which are used in industry best
 practice password auditing.
 By default Debian implements md5 and shadow which are the 'basis' of
 best practice password security (auditing are other practices add to
 those things).


For most use cases, see hashcat - not jtr. Also default hash on debian
is ssha per the $6$ in shadow - not md5. See:
http://en.wikipedia.org/wiki/Crypt_%28C%29
It should also be noted - don't use md5 - ever. If you're dealing with
web apps, use bcrypt or scrypt.





Re: Security question concerning jail or virtualization

2014-03-13 Thread shawn wilson
Well Linux has LXC which is supposed to be equivalent to jails (also see
docker). But use whatever suits you.

Idk what's current for breaking out of VMs is. It might be good to pay
attention to who is using the most entropy and make sure you don't run out.
Most VMs use processor VT to isolate things (I don't think any 'jail' does
this).

I think most providers use OpenStack (a suite of technologies). YMMV
On Mar 13, 2014 11:06 PM, Martin Braun yellowgoldm...@gmail.com wrote:

 Hi

 I have recently experienced a server being hacked due to a security
 problem with a PHP application that made it possible for the hacker to
 gain a web shell.

 Due to this experience I would like to know what the best way to limit
 such problems is, especially when hosting web servers for users who may or
 may not installed unsecure applications on the web server.

 What do the big hosters do? What do they use?

 The solution can't be too complicated to maintain and I would prefer each
 user being completely separated from the main OS and from other users.

 I have been thinking about running Debian inside FreeBSD Jails or The
 Warden. I have also been thinking about using Xen and installing several
 Debians on Debian.

 What is the best (and if possible simplest) way to deal with this?

 Kind regards



Re: Security question concerning jail or virtualization

2014-03-13 Thread shawn wilson
On Mar 14, 2014 12:13 AM, Brad Alexander stor...@gmail.com wrote:



 Due to this experience I would like to know what the best way to limit
such problems is, especially when hosting web servers for users who may or
may not have installed unsecure applications on the web server.


 Auditing your security is probably your best bet. As I said above, maybe
some web app testing tools, run scans against your server regularly with
Nessus or OpenVAS, plus the security best practices...Good password hygiene,
bastion hosts (only one type of app on a machine), turning off/uninstalling
unneeded apps, especially those with a network presence, etc.

I'm not sure how your customers may feel about you scanning their apps.
What do you do if you find something they don't want to fix? It will
probably even cause legal issues.

If you do want to do scans, might want to start with something like nikto
(it's free) and see what you find. Idk how well Nessus does web scans
either - idk that's their core business (I think that would be AD and
compliance). Burp is the tool most use for this. Though, give a baby your
car keys and if you're lucky nothing will happen - if you're not...

A better solution for sites you host and don't own might be a WAF.
Something free like mod_security (some used to sell a rule subscription -
can't remember who). Or a PaloAlto box.

As for passwords, among other things, the company I work for is kinda known
for password auditing so, take it off list if you want a contact for that
type of thing. If you don't own the data though...


multistrap

2014-01-17 Thread shawn wilson
How do I replicate this line:
deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted
from sources.list in a multistrap.conf? I'm trying this:

[General]
directory=/mnt/install
cleanup=true
arch=amd64
retainsources=/var/cache/apt/archives
noauth=true
unpack=true
retries=5
debootstrap=precise
bootstrap=precise
[precise]
packages=apt
source=http://archive.ubuntu.com/ubuntu
suite=precise main restricted
omitdebsrc=true

And apparently I can't use 'suite' the same way the location of
sources.list is defined.

I guess the real question is: if I just have:
suite=precise
it 'works' but doesn't install libterm-readline-perl-perl which is
found in the repos I have defined on this box which means that:
dpkg-reconfigure -f noninteractive -a
errors.

(IIRC, this works with Debian's sources which is why I'm specifically
asking about multistrap and not a missing package - maybe this is a
bug with the Ubuntu repo, but I don't know enough to say as much).





preseed raid-lvm-crypto

2014-01-13 Thread shawn wilson
I see how to create raid devices:
d-i partman-auto-raid/recipe string \
  1 2 0 ext2 /boot
/dev/sda1#/dev/sdb1
  1 2 0 lvm -
/dev/sda2#/dev/sdb2

And then making lvm or crypto devices seems easy enough. However, how
do I create one on top of the other (I'd prefer luks inside lvm so
that swap can have a random key but either way works).

Also, on an existing install with a configuration like how I want it:
# debconf-get-selections --installer > ~/preseed-komp.txt
# grep -i error preseed-komp.txt | grep -i error | wc -l
179

So, why is this erroring in so many places?





Re: nano vs VI

2014-01-02 Thread shawn wilson
On Jan 1, 2014 7:43 PM, Paul Cartwright pbcartwri...@gmail.com wrote:

 On 01/01/2014 07:00 PM, Richard Hector wrote:
  Also perhaps:
 
  aptitude purge nano :-)
 
  Richard
 thanks, I might do that also, since I use either VI or gedit..


You do know about gvim right?


Re: nano vs VI

2014-01-02 Thread shawn wilson
No idea. I compile vim on Debian for ruby support (command-t). Probably
vim-gtk. So I'm putting this back on the list.
On Jan 2, 2014 7:19 AM, Paul Cartwright pbcartwri...@gmail.com wrote:

  On 01/02/2014 07:12 AM, shawn wilson wrote:


 On Jan 1, 2014 7:43 PM, Paul Cartwright pbcartwri...@gmail.com wrote:
 
  On 01/01/2014 07:00 PM, Richard Hector wrote:
   Also perhaps:
  
   aptitude purge nano :-)
  
   Richard
  thanks, I might do that also, since I use either VI or gedit..
 

 You do know about gvim right?

 not really.. should I?
 when I try to install it I get:
  apt-get install gvim
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 Package gvim is a virtual package provided by:
   vim-gtk 2:7.3.547-7
   vim-gnome 2:7.3.547-7
   vim-athena 2:7.3.547-7
 You should explicitly select one to install.


 so, which one is right?

 --
 Paul Cartwright
 Registered Linux User #367800 and new counter #561587




Re: Undocumented telnet access to Brother HL-2280DW

2013-12-26 Thread Shawn Wilson
There's a framework for hacking printers (and maybe other networked hardware). 
I did a quick Google and didn't find it but that's what I'd suggest looking for.

Celejar cele...@gmail.com wrote:
The Brother HL-2280DW (network printer) listens on port 23, but I
can't get a working telnet session going. Telnet option negotiation
seems to take place, but I get no login or any other sort of prompt.
Pressing enter a few times, with or without typing random text,
eventually results in the remote host disconnecting.

Here's a netcat dump of a session where I repeatedly press enter until
disconnection:

  1b 5b 32 4a 1b 5b 31 3b 31 66   # .[2J.[1;1f
 000a ff fb 01 ff fb 03 ff fd 03  # .
  0a  # .
 0013 ff fb 01 ff fb 03 ff fd 03  # .
 001c 0d 0a   # ..
 0001 0a  # .
 001e 0d 0a   # ..
 0002 0a  # .
 0020 0d 0a   # ..
 0003 0a  # .
 0022 0d 0a   # ..
 0004 0a  # .
 0024 0d 0a   # ..
 0005 0a  # .

If I understand this correctly, the first few lines are telnet option
negotiation, but nothing after that.

nmap reports:

23/tcp   open  telnet Brother/HP printer telnetd

but I don't know if it's just assuming that daemon, since the machine
is listening on port 23 and it's a Brother, or if it is actually
managing to connect

The documentation for this model doesn't seem to say anything about
telnet access, and I can find no mention of it in the web management
interface, which does list the other open ports / services, including
FTP, SNMP, POP3 and SMTP. I have tried connecting to these other
services, and they seem to work.

So what do we have here? Some sort of broken, half-baked telnet service
running, or am I doing something wrong?

Celejar
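
Added example (not from the original posts): a decoder for the Telnet option negotiation in the dump above, following RFC 854. CAPTURE holds the bytes from the first two dump lines; the leading ten bytes are ANSI escape sequences (erase display, cursor to row 1 column 1), and the function names and the short option table are this example's own.

```python
"""Decode Telnet option negotiation (RFC 854) from a captured byte stream."""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Only a few common options are named; others print as option-N.
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD",
           24: "TERMINAL-TYPE", 31: "NAWS"}

# Bytes copied from the first two lines of the netcat dump quoted above.
CAPTURE = bytes.fromhex("1b5b324a1b5b313b3166" "fffb01fffb03fffd03")


def sb_end(stream, start):
    """Index of the IAC SE closing a subnegotiation, or -1 if it is cut off."""
    j = start
    while j + 1 < len(stream):
        if stream[j] != IAC:
            j += 1
        elif stream[j + 1] == SE:
            return j
        else:
            j += 2  # IAC IAC (escaped 0xff) inside the subnegotiation
    return -1


def decode(stream):
    """Split a byte stream into data, negotiate, subnegotiation, command
    and truncated events, in order of appearance."""
    events, data, i = [], bytearray(), 0

    def flush():
        if data:
            events.append(("data", bytes(data)))
            data.clear()

    while i < len(stream):
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        cmd = stream[i + 1] if i + 1 < len(stream) else None
        if cmd == IAC:  # IAC IAC is one literal 0xff data byte
            data.append(IAC)
            i += 2
            continue
        flush()
        if cmd in VERBS and i + 2 < len(stream):
            option = stream[i + 2]
            name = OPTIONS.get(option, "option-%d" % option)
            events.append(("negotiate", VERBS[cmd], name))
            i += 3
        elif cmd == SB and sb_end(stream, i + 2) != -1:
            end = sb_end(stream, i + 2)
            events.append(("subnegotiation", bytes(stream[i + 2:end])))
            i = end + 2
        elif cmd is None or cmd in VERBS or cmd == SB:
            # The capture ends in the middle of a command.
            events.append(("truncated", bytes(stream[i:])))
            i = len(stream)
        else:
            events.append(("command", cmd))  # two-byte command such as NOP or GA
            i += 2
    flush()
    return events


def describe(events):
    """Render events as short human-readable lines."""
    lines = []
    for event in events:
        if event[0] == "negotiate":
            lines.append("IAC %s %s" % (event[1], event[2]))
        elif event[0] == "command":
            lines.append("IAC command %d" % event[1])
        else:
            lines.append("%s %r" % (event[0], event[1]))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(decode(CAPTURE))))
```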





Re: fail2ban fails to ban apache...

2013-12-22 Thread Shawn Wilson


François Patte francois.pa...@mi.parisdescartes.fr wrote:
Hello,

I try to configure fail2ban in order to ban IP which try to connect to
directories protected by .htaccess.

Here is my [apache] section in jail.conf:

enabled  = true
port = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 3

But I tested filling the auth form with erroneous login/password and
nothing happens! Nothing appeared in /var/log/fail2ban.log...


Show filter.d/apache-auth and show the output of a: tail -F 
/var/log/apache*/*error.log while you make the bad requests (you might need to 
do a $(find ...) to handle those wildcards - I'm also unsure if f2b deals with 
apache*).

Also, if you've logged an invalid request, do yourself a favor and create a 
test directory with different files of different failure lines and run 
fail2ban-regex against them. Then, when you alter a regex, you can easily see 
if something you didn't want changed. 

I tried the same for ssh connections and the IP of the computer from
which I tried was banned after the third attempt.

What is missing in my config?


Here is the ssh section in jail.conf:

enabled  = true
port = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6



Thanks
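
Added example (not from the original posts, and not fail2ban's own code): a regression harness in the spirit of the advice above to keep saved failure lines and re-run the regexes against them after every change. The patterns, the IPv4-only stand-in for `<HOST>` and the log lines are constructed for illustration; fail2ban's own date handling and its find-time window are not modelled, and the threshold of 3 is the maxretry from the quoted [apache] section.

```python
"""Regression-test fail2ban-style failregex patterns against saved log lines."""
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Illustrative patterns written for this example; they are NOT the ones
# shipped in filter.d/apache-auth.conf.
PREFIX = r"^\[[^\]]+\] \[error\] \[client <HOST>\] "
FAILREGEX = [
    PREFIX + r'user \S+: authentication failure for "[^"]*": Password Mismatch$',
    PREFIX + r"user \S+ not found: \S+$",
]

# Constructed Apache 2.2 style error-log lines, each paired with the host
# that should be counted as a failure (None = the line must be ignored).
CASES = [
    ('[Sun Dec 22 10:15:01 2013] [error] [client 192.0.2.10] user alice: '
     'authentication failure for "/private/": Password Mismatch', "192.0.2.10"),
    ('[Sun Dec 22 10:15:04 2013] [error] [client 192.0.2.10] '
     'user bob not found: /private/', "192.0.2.10"),
    ('[Sun Dec 22 10:15:07 2013] [error] [client 192.0.2.10] user alice: '
     'authentication failure for "/private/": Password Mismatch', "192.0.2.10"),
    ('[Sun Dec 22 10:15:09 2013] [error] [client 198.51.100.5] '
     'File does not exist: /var/www/favicon.ico', None),
    ('[Sun Dec 22 10:15:12 2013] [error] [client 198.51.100.5] '
     'user carol not found: /private/', "198.51.100.5"),
]


def compile_all(patterns):
    """Expand the <HOST> tag and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def failed_host(line, compiled):
    """Return the host captured by the first matching pattern, or None."""
    for rx in compiled:
        match = rx.search(line)
        if match:
            return match.group("host")
    return None


def regression(cases, patterns):
    """Return (line, expected, got) for every case the patterns get wrong."""
    compiled = compile_all(patterns)
    wrong = []
    for line, expected in cases:
        got = failed_host(line, compiled)
        if got != expected:
            wrong.append((line, expected, got))
    return wrong


def would_ban(lines, patterns, maxretry):
    """Hosts with at least maxretry matching lines (no time window applied)."""
    compiled = compile_all(patterns)
    hits = Counter()
    for line in lines:
        host = failed_host(line, compiled)
        if host:
            hits[host] += 1
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    lines = [line for line, _ in CASES]
    print("mismatches:", regression(CASES, FAILREGEX))
    print("would ban at maxretry=3:", would_ban(lines, FAILREGEX, 3))
    # Dropping the second pattern is caught by the saved cases.
    print("after edit:", len(regression(CASES, FAILREGEX[:1])), "cases changed")
```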





Re: Collecting information after installation

2013-12-21 Thread Shawn Wilson


Ali ISIN a.i...@live.be wrote:
Hi,


Since the 7.x version does my computer freeze;

In what way? No more messages are logged? Doesn't respond to pings? SysRq 
doesn't reboot it (is the kernel totally hosed)?

and that after installing GRUB and rebooting.

My system seems to work correctly but I thought to inform you.

Installing or upgrading? If you copy the first, say, 448 bytes (I think that's 
right - 512-64 but it doesn't matter) to a file and then copy it back, does the 
same thing happen as with grub-install (grub-install has helper scripts to 
figure out things and it might be an issue with something done in there).





Re: Unable to change shell and add groups

2013-12-06 Thread shawn wilson
$ chsh -s /bin/zsh ag4ve
Password:
$ grep ag4ve /etc/passwd
ag4ve:x:1008:1008::/home/ag4ve:/bin/zsh
$ echo $SHELL
/bin/bash
$ readlink /proc/$$/exe
/bin/bash
$ cat /etc/debian_version
6.0.8
$ grep zsh /etc/shells
/bin/zsh
/usr/bin/zsh

Oh, there is some interesting stuff about /etc/shells - probably
unrelated, but just weirdness:
$ grep tcsh /etc/shells
/usr/bin/tcsh
/bin/tcsh
$ whereis tcsh
tcsh:

And, linking around the whole system:
$ readlink /bin/zsh
/etc/alternatives/zsh
$ readlink /etc/alternatives/zsh
/bin/zsh4
$ readlink /usr/bin/zsh
/etc/alternatives/zsh-usrbin
$ readlink /etc/alternatives/zsh-usrbin
/bin/zsh4

(again, probably not the issue and just annoys me since I noticed it)

On Fri, Dec 6, 2013 at 3:10 AM, Scott Ferguson
scott.ferguson.debian.u...@gmail.com wrote:
 On 06/12/13 18:31, shawn wilson wrote:
 For some reason, when I chsh to say /bin/zsh, log out and back in, I'm
 still in bash - confirmed with readlink /proc/$$/exe

 Which release are you running?

 For me this works:-
 # chsh -s /bin/zsh $me (where $me is your username).


 Check with:-
 $ echo $SHELL
 or:-
 $ grep $me /etc/passwd (where $me is your username).




 I tried adding my user to the adm group, logging out and back in, and
 it's not there. However, if I exec su -p -l user - everything works.

 I've also tried an init q to no avail.

 So, I'm out of ideas. Any suggestions?




 Kind regards





Unable to change shell and add groups

2013-12-05 Thread shawn wilson
For some reason, when I chsh to say /bin/zsh, log out and back in, I'm
still in bash - confirmed with readlink /proc/$$/exe

I tried adding my user to the adm group, logging out and back in, and
it's not there. However, if I exec su -p -l user - everything works.

I've also tried an init q to no avail.

So, I'm out of ideas. Any suggestions?





Re: Serverbackup cron

2013-11-14 Thread Shawn Wilson


basti black.flederm...@arcor.de wrote:

Is there a better/ easier way for daily backups?
I don't want to do a daily backup if weekly or monthly is running.

Use a pidfile - just make sure your process deletes it or you won't be getting 
backups. I've used Amanda in the past and that works. But now I encrypt my 
backups and I don't think Amanda will do that (at least not with partials like 
duplicity does). 





Re: IPTables question

2013-11-10 Thread Shawn Wilson


Erwan David er...@rail.eu.org wrote:
On 09/11/2013 23:06, Shawn Wilson wrote:
 Redhat has something called firewalld which generates rules based on
zones. I don't use it because using dbus to help manage rules scares
me. But it's there and could be what you want. 


I use fwbuilder which helps to define elaborated rules;
there is also shorewall which uses zones, both generate the rules
either as shell script or iptables-save/restore configuration.
Both are available in debian.

Just FYI, a shell script will be slower than iptables-save since the latter only 
makes one call while the former makes one call per ipt command. 

I looked at shorewall and didn't know it had zones - that's cool (since I don't 
like xml that firewalld uses). I've now got a 2k line perl script that does 
almost everything we need but I'll take another look at shorewall (for ideas if 
nothing else). 





Copy buffer from a script

2013-11-10 Thread shawn wilson
How do I get access to the buffer that is presented by clicking the
third (or center) mouse button from a script?





Re: Copy buffer from a script

2013-11-10 Thread shawn wilson
That gives me the X clipboard buffer, which seems to be a different buffer.

On Sun, Nov 10, 2013 at 6:30 PM, Lukas Erlacher
lists+deb...@lerlacher.de wrote:
 check out xclip.

 On 11.11.2013 00:29, shawn wilson wrote:
 How do I get access to the buffer that is presented by clicking the
 third (or center) mouse button from a script?







Re: Copy buffer from a script

2013-11-10 Thread shawn wilson
On Sun, Nov 10, 2013 at 6:47 PM, Lukas Erlacher
lists+deb...@lerlacher.de wrote:
 On 11.11.2013 00:42, shawn wilson wrote:
 That gives me the X clipboard buffer, which seems to be a different buffer.

 There are three buffers. You're looking for the keyboard buffer, which is the 
 primary buffer and used by default.
 Please read the manpage.


 % xclip -o -sel secondary
 % xclip -o -sel primary
http://www.daycounter.com/Calculators/Decibels-Calculator.phtml%
 % xclip -o -sel clipboard
http://www.daycounter.com/Calculators/Decibels-Calculator.phtml%

There was (before I copied this) an ip address in one of the
clipboards. I even tried selecting something else and those two
clipboards aren't changing.


 On Sun, Nov 10, 2013 at 6:30 PM, Lukas Erlacher
 lists+deb...@lerlacher.de wrote:
 check out xclip.

 On 11.11.2013 00:29, shawn wilson wrote:
 How do I get access to the buffer that is presented by clicking the
 third (or center) mouse button from a script?







Re: IPTables question

2013-11-09 Thread Shawn Wilson
Redhat has something called firewalld which generates rules based on zones. I 
don't use it because using dbus to help manage rules scares me. But it's there 
and could be what you want. 

David F deb...@meta-dynamic.com wrote:
On 11/09/2013 12:47 PM, Bill.M wrote:
 But is there any way to specify both eth0 and wlan0 as equally valid
 interfaces on my laptop depending on whether it's in my dock or on
 the road?

 For example, -i wlan0,eth0 or -o wlan0,eth0
 Is something like these possible?

* You can avoid specifying any interface at all, so long as you don't mind
the rule being applied to the loopback interface as well.  Chances are very
good that this will work for you and is the best solution, but you need to
evaluate the rules in question.

* You can use a '+' at the end of the interface name which acts as a
wildcard.  This won't help since your interface names differ in the first
character, not the last, but you can easily customize their names to differ
in their suffix rather than prefix by editing:
/etc/udev/rules.d/70-persistent-net.rules

* You can create a new chain, have packets from either interface jump to it
via two rules, then put the rest of your rules in that chain, without
specifying an interface name.

e.g. (untested):
iptables -t filter -N foo
iptables -t filter -A INPUT -i eth0  -j foo
iptables -t filter -A INPUT -i wlan0 -j foo
iptables -t filter -A foo --src 1.2.3.4 -j DROP
iptables -t filter -A foo -p tcp --dport 80 -j DROP
...

-- David





Re: IPTables question

2013-11-09 Thread Shawn Wilson


Pascal Hambourg pas...@plouf.fr.eu.org wrote:
Hello,

Bill.M wrote:
 
 In IPTables one can specify multiple addresses, and multiple ports, but
 is there any way to specify multiple interfaces.
 
 For example,  -m multiport --destination-port 22,25,80
 
 Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10

In addition to David's answer:
Unless recent change I am not aware of, you cannot specify an address
range in -s or -d. You must use the iprange match instead (or ipset if
your kernel supports it). Also, note that specifying multiple
comma-separated addresses or prefixes in -s or -d will result in
multiple rules being actually created, which can have undesirable
side-effects and impact efficiency.

The speed impact of a small rule set is negligible. One ipset vs 20 rules, yes 
please - it's easier to look at. Also, idk any way to match interface with 
ipset - ip and port (even src and dst in one line) but not interface. 





Re: Why syslog is not rotating?

2013-11-04 Thread Shawn Wilson
I can't see how a default config would do this, but do you have SELinux or 
AppArmor enabled? What does fstab and mount show? 

If possible, copy the system off and write ones and then zeros to the disk (and 
look for speed drops). Looking at the disk might've been a good call. 

Itay deb...@itayf.fastmail.fm wrote:
On Sun, 3 Nov 2013, Reco wrote:

 On Sun, 3 Nov 2013 17:16:02 +0200 (IST)
 Itay deb...@itayf.fastmail.fm wrote:

 On Sun, 3 Nov 2013, Reco wrote:

 [...] Is there anything suspicious in the root mailbox?

root mail box has daily messages like this starting at june 2010
(yes, I know, bad me)

  /etc/cron.daily/logrotate:

   gzip: stdin: Input/output error
   error: failed to compress log /var/log/syslog.1
   run-parts: /etc/cron.daily/logrotate exited with return code 1

 And, is there anything unusual in /var/log/kern.log at the time you
 had this error?

Multiple messages like those two:

...
Oct 31 07:59:35 gandalf kernel: [4627180.405646] ata3.00: exception Emask 0x0 SAct 0x1 SErr 0x0 action 0x0
Oct 31 07:59:35 gandalf kernel: [4627180.405650] ata3.00: irq_stat 0x4008
Oct 31 07:59:35 gandalf kernel: [4627180.405653] ata3.00: failed command: READ FPDMA QUEUED
Oct 31 07:59:35 gandalf kernel: [4627180.405659] ata3.00: cmd 60/08:00:cb:05:a9/00:00:05:00:00/40 tag 0 ncq 4096 in
Oct 31 07:59:35 gandalf kernel: [4627180.405661]  res 41/40:00:cd:05:a9/00:00:05:00:00/40 Emask 0x409 (media error) F
Oct 31 07:59:35 gandalf kernel: [4627180.405664] ata3.00: status: { DRDY ERR }
Oct 31 07:59:35 gandalf kernel: [4627180.405666] ata3.00: error: { UNC }
Oct 31 07:59:35 gandalf kernel: [4627180.407143] ata3.00: configured for UDMA/133
Oct 31 07:59:35 gandalf kernel: [4627180.407153] sd 2:0:0:0: [sda] Unhandled sense code
Oct 31 07:59:35 gandalf kernel: [4627180.407155] sd 2:0:0:0: [sda] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
Oct 31 07:59:35 gandalf kernel: [4627180.407158] sd 2:0:0:0: [sda] Sense Key : Medium Error [current] [descriptor]
Oct 31 07:59:35 gandalf kernel: [4627180.407163] Descriptor sense data with sense descriptors (in hex):
Oct 31 07:59:35 gandalf kernel: [4627180.407165] 72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00
Oct 31 07:59:35 gandalf kernel: [4627180.407173] 05 a9 05 cd
Oct 31 07:59:35 gandalf kernel: [4627180.407176] sd 2:0:0:0: [sda] Add. Sense: Unrecovered read error - auto reallocate failed
Oct 31 07:59:35 gandalf kernel: [4627180.407181] sd 2:0:0:0: [sda] CDB: Read(10): 28 00 05 a9 05 cb 00 00 08 00
Oct 31 07:59:35 gandalf kernel: [4627180.407188] end_request: I/O error, dev sda, sector 94963149
Oct 31 07:59:35 gandalf kernel: [4627180.407208] ata3: EH complete
...
Nov  1 07:50:21 gandalf kernel: [4713026.178488] ata3.00: exception Emask 0x0 SAct 0x1 SErr 0x0 action 0x0
Nov  1 07:50:21 gandalf kernel: [4713026.178492] ata3.00: irq_stat 0x4008
Nov  1 07:50:21 gandalf kernel: [4713026.178496] ata3.00: failed command: READ FPDMA QUEUED
Nov  1 07:50:21 gandalf kernel: [4713026.178502] ata3.00: cmd 60/08:00:cb:05:a9/00:00:05:00:00/40 tag 0 ncq 4096 in
Nov  1 07:50:21 gandalf kernel: [4713026.178503]  res 41/40:00:cd:05:a9/00:00:05:00:00/40 Emask 0x409 (media error) F
Nov  1 07:50:21 gandalf kernel: [4713026.178506] ata3.00: status: { DRDY ERR }
Nov  1 07:50:21 gandalf kernel: [4713026.178509] ata3.00: error: { UNC }
Nov  1 07:50:21 gandalf kernel: [4713026.179984] ata3.00: configured for UDMA/133
Nov  1 07:50:21 gandalf kernel: [4713026.179992] ata3: EH complete
...

 Does, say, 'md5sum /var/log/syslog' runs to the completion?

 Yes.  Without warnings/errors.

 What about 'cat /var/log/syslog > /dev/null'?

 Yes.  Without warnings/errors.

 Ok. What about 'cat /var/log/syslog | gzip -c > /dev/null'?
 And, while we're at that, what about:

 cat /var/log/syslog | gzip -c > /var/log/syslog.test.gz

Both commands finished without warnings/errors.

 If error shows early, can you also post contents of (/tmp/gzip):

 strace -fo /tmp/gzip cat /var/log/syslog | gzip -c > /dev/null

Didn't try since there were no errors.

 Can you run fsck on the filesystem containing /var/log/syslog?

[snip]

File system was found clean.  No errors were reported.

 What does smartctl --all show on the partition with this filesystem?

 I never used smartctl (installed it now following-up your question).
 In my system /var resides on a logical volume.
 So I am not sure how to proceed.

 Find a physical volume corresponding to the /var logical volume.
 Run smartctl --all on the disk that's containing that physical volume.
 In case you have RAID (be it mdadm or dm-mirror) - run smartctl on all
 disks that are part of said RAID.

 While we're on it, also run smartctl -t long on said disk, wait for a
 while (smartctl should say you, how much), and run smartctl --all on
 the same disk again.

Output of 'smartctl --all' (after running 'smartctl -t long'):

smartctl 5.41 2011-06-09 r3365 [x86_64-linux-3.2.0-4-amd64] (local build)

Re: Why syslog is not rotating?

2013-11-04 Thread shawn wilson
Reco already basically said what the issue is. I didn't notice it in
the prior messages you posted. If you wanted to confirm, after you
migrate your data, do a:
dd if=/dev/zero of=<old disk>
and then look at something like:
iostat -xtc 5 /dev/<old disk>

And, if you don't see an error there, do
dd if=<(tr '\000' '\377' < /dev/zero) of=<old disk>
and look at the iostat for that.

Even if the disk won't tell the kernel it's breaking, chances are dd
will error. But, even if that doesn't happen, you'd notice a big slow
down with iostat.

As it is, disks are cheap - get another one and be done with the old one.

On Mon, Nov 4, 2013 at 6:16 AM, Itay deb...@itayf.fastmail.fm wrote:
 On Mon, 4 Nov 2013, Shawn Wilson wrote:

 Date: Mon, 04 Nov 2013 04:46:48 -0500


 For some reason your messages ended up in a different mailbox, therefore I
 saw them only now. Sorry about that.

 As was recommended I will replace the harddrive that holds /var.

 Nevertheless, respectfully, I will answer your response.


 I can't see how a default config would do this, but do you have SELinux or
 AppArmor enabled? What does fstab and mount show?


 I didn't enable SElinux or AppArmor.
 How do I double-check?

 mount output:

 sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
 proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
 udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=473761,mode=755)
 devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
 tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=380288k,mode=755)
 /dev/disk/by-uuid/4712a4c6-be99-43bf-8628-0edd641d5262 on / type ext3 (rw,relatime,errors=remount-ro,barrier=1,data=ordered)
 tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
 tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=2323680k)
 /dev/sda1 on /boot type ext2 (rw,relatime,errors=continue)
 /dev/mapper/vg-cache on /cache type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
 /dev/mapper/vg-home on /home type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
 /dev/mapper/vg-opt on /opt type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
 /dev/mapper/vg-tmp on /tmp type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
 /dev/mapper/vg-usr on /usr type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
 /dev/mapper/vg-usrlocal on /usr/local type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
 /dev/mapper/vg-var on /var type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
 /dev/sdb8 on /legacy type ext3 (rw,nosuid,nodev,noexec,relatime,errors=continue,barrier=1,data=ordered)
 rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
 fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)

 And /etc/fstab:

 # /etc/fstab: static file system information.

 # !! Note !!
 # UUID is a property of the residing file system -- not of the device.
 # Any file system reformatting will result in change to UUID.

 # file system mount point   type  options   dump  pass

 ###  Static Devices  ###

 proc  /proc  proc  defaults  0  0

 # Master Hard Drive Partitions

 #  1: boot (purposefully an ext2 partition)
 UUID=81d775af-9f80-4081-be71-c8d379c05944  /boot  ext2  defaults  0  2
 #  2: root file system
 UUID=4712a4c6-be99-43bf-8628-0edd641d5262  /  ext3  errors=remount-ro  0  1
 #  3: swap partition
 UUID=73035ad5-bba9-4d8e-8cfd-546ab09ac456  none  swap  sw  0  0

 # LVM
 /dev/mapper/vg-cache     /cache      ext3  defaults  0  2
 /dev/mapper/vg-home      /home       ext3  defaults  0  2
 /dev/mapper/vg-opt       /opt        ext3  defaults  0  2
 /dev/mapper/vg-tmp       /tmp        ext3  defaults  0  2
 /dev/mapper/vg-usr       /usr        ext3  defaults  0  2
 /dev/mapper/vg-usrlocal  /usr/local  ext3  defaults  0  2
 /dev/mapper/vg-var       /var        ext3  defaults  0  2


 ##  Removable  Media  ##

 /dev/scd0   /media/cdrom0   udf,iso9660  user,noauto     0  0
 #/dev/fd0   /media/floppy0  auto         rw,user,noauto  0  0

 #  USB: Gandalf Attached Storage.
 UUID=6b01200d-446d-46da-b6ac-405f1ec5b1bf  /legacy  ext3  user  0  0
 UUID=0866a19d-3661-422b-818c-410d96868139  /media/gandalfBACK  ext3  noauto,user  0  0
 #  LABEL=gandalfBACK2 Gandalf's secondary backup (kept at my parents' house)
 UUID=14a0b647-02e0-4681-b37c-cea165004e24  /media/gandalfBACK2  ext3  noauto  0  0

 #  USB: Portable disk.
 UUID=ac334401-5833-4946-bc7b-4d93622ea929  /media/palm/legacy  ext3  noauto,user  0  0
 UUID=807e9825-1838-4d5c-bada-e54a7d94e2ff/media/palm/lennyBACK

Re: Why syslog is not rotating?

2013-11-03 Thread Shawn Wilson
Can syslog rotate logs? I just use logrotate. 

Itay deb...@itayf.fastmail.fm wrote:
On Sat, 2 Nov 2013, Sven Hartge wrote:

 Date: Sat, 2 Nov 2013 21:47:11 +0100
 From: Sven Hartge s...@svenhartge.de
 To: debian-user@lists.debian.org
 Subject: Re: Why syslog is not rotating?
 Resent-Date: Sat,  2 Nov 2013 20:48:34 + (UTC)
 Resent-From: debian-user@lists.debian.org

 Itay deb...@itayf.fastmail.fm wrote:

 Can someone help me, please, to understand why syslog is not rotating?

 The system is not running at the time when cron.daily is scheduled to
 run?  -- anacron takes care of that.

Sven,

Thank you for your reply.

My system was continuously on except for very short random periods and 
3 weeks on Aug 2013. In contrast, the listing below shows (I believe) 
that syslog stopped rotating at 2010.

# ls -gh /var/log/syslog*
-rw-r- 1 adm 219M Nov  2 21:50 syslog
-rw-r- 1 adm 2.5K Jun  5  2010 syslog.1
-rw-r- 1 adm    0 Nov  1 07:50 syslog.1.gz
-rw-r- 1 adm  661 Jun  5  2010 syslog.2.gz

However:
I checked /etc/cron.daily and did not find entry for rsyslog.
Maybe that's the cause?

 Or somehow there is an error and logrotate refuses to run. In that case
 run logrotate manually with the debug-switch -d and see if anything
 strange appears.


Is logrotate responsible for rotating syslog files?
Information on the net [1] suggests it's not.
---
[1] https://wiki.debian.org/Rsyslog

I am confused...

Finally, I should point out that, I have just completed dist-upgrade 
from squeeze to wheezy with no major problems.
This issue came up as I was cleaning-up after the upgrade.

Many thanks,
Itay

 Regards,
 Sven.




Re: ANDROID

2013-10-29 Thread shawn wilson
First, thanks for f-droid - I didn't know about that.

I think the most open platform to date is the Pi - there are only
certain parts of the processor that are kept under NDA. As for phones,
there are many parts of them you will never see released (even
openmoko which is old and I'd like one to play with, but not to use).
So, let's consider how much of Android (arguably the most open stable
mobile OS) you can compile vs finding binary blobs. You can compile
cyanogenmod and you can get the binary blobs for lots of phones from
github.com/TheMuppets. So, what might be a good indication of
openness, might be to look at the number and size of files for each
phone and compare that. Though this might be faulty as this may also
mean more proprietary hardware (that might never get updated).

There is another issue with Android: I couldn't figure out how to
compile it using OpenJDK on Gentoo. AFAICT, you have to use Sun's (not
sure what is missing here, but). Currently, most apps for Android
are closed source (including Google Maps, GMail, Play, YouTube, etc).
However, f-droid should be a good replacement for the Play store as
long as you're not expecting Angry Birds or other games.

Now, without recompiling anything, you've got a decent Linux base
system you can go from. My stock Samsung Note 2 even has access to
iptables functionality and tun/tap.

On Tue, Oct 29, 2013 at 6:48 PM, André Nunes Batista
andrenbati...@gmail.com wrote:
 On Tue, 2013-10-29 at 10:56 -0400, alex.pad...@laposte.net wrote:
 Hello to all,

 I shall want to buy a SMARTPHONE with a free O.S (GNU).
 Many of my friends say to me that ANDROID is a free system, it is LINUX!
 What do you think about it?
 Does it exist a SMARTPHONE with a system DEBIAN GNU LINUX

 Thank you for your answers

 Alex

 Android is built upon Linux kernel and other free software components,
 but it relies on binary blobs and proprietary google code. Apart from
 openmoko - which sounds great but I could never get to lay hands on one
 of those - you could search for Replicant (go see which phones are
 already supported). Cyanogenmod + f-droid.org - Gapps would also be
 better than running the default firmware.

 Sometime ago I had an N900 and it worked great with maemo as well..
 Dunno the current state of the project.

 But R. Stallman usually says he does not own any smart phone as they are
 user tracking devices built in with microphones, camera and motion
 sensors. So completely free OS is something yet to be achieved to smart
 phone users. But even in the case of traditional pc's, many people rely
 on proprietary BIOS or proprietary firmware for special devices or
 cards.

 --
 André N. Batista
 GNUPG/PGP KEY: 6722CF80



 --
 To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: http://lists.debian.org/1383086934.24485.29.camel@tagesuhu-pc






Re: ANDROID

2013-10-29 Thread shawn wilson
On Tue, Oct 29, 2013 at 7:28 PM, Celejar cele...@gmail.com wrote:
 On Tue, 29 Oct 2013 20:48:54 -0200
 André Nunes Batista andrenbati...@gmail.com wrote:

 ...

 phone users. But even in the case of traditional pc's, many people rely
 on proprietary BIOS or proprietary firmware for special devices or
 cards.

 I'm never really sure why people have such a hard time with that - even
 without them, you're still relying on proprietary logic in hardware. If
 you're really concerned that there could be something nasty in the BIOS
 or firmware, you shouldn't use any non-open hardware. And for that
 matter, even if you've seen the hardware specs, who says the
 manufactured part you buy really follows them exactly, and doesn't have
 a backdoor?


https://plus.google.com/u/0/103470457057356043365/posts/9fyh5R9v2Ga
If you believe him, I wouldn't be so flippant about this. There are
also IPMI issues (I think there's a Defcon talk on it) that you'll
never be able to do anything to fix because the hardware is closed.

 You have to trust someone, somewhere.

You shouldn't /have/ to. That you currently do need to trust someone
is probably an issue. I'm not as far as Stallman for F/OSS... until
companies can't keep up with security issues, then they've shown they
can't handle responsible updates and need to give up their IP that
people have purchased with good faith.





Re: How to format the command output like MySQL output

2013-10-21 Thread shawn wilson
On Mon, Oct 21, 2013 at 8:01 AM, Jonathan Dowland j...@debian.org wrote:
 On Sat, Oct 19, 2013 at 08:54:25PM -0600, Bob Proulx wrote:
 Check out perl formats.

 Great suggestion, it's a shame the user has (since) ruled out Perl.
 Hardly anyone seems to discuss perl formats anymore ☺


I think most people prefer printf formatting vs formats. I think
you'll even find some in the perl community that think formats ended
up being a bad idea (something stuck in a real long time ago - ~20
years ago now probably - that can't be removed). Ask on irc if you're
interested.

printf is pretty portable and I've only seen perl formats in code once
or twice and never used them. FWIW.





Re: How to format the command output like MySQL output

2013-10-20 Thread Shawn Wilson


Lars Noodén lars.noo...@gmail.com wrote:
On 20.10.2013 04:17, 陶治江 wrote:
 On 2013-10-20 0:53, Lars Noodén wrote:
 On 19.10.2013 19:35, 陶治江 wrote:
 [snip]
 I think it seems good like this, but I do not know how to make out
 it.(someone says awk, sed may help, but the environment does not
 permit it). Is there some libs or tools can help make output result
 good and elegant?
 [snip]

 Perl would be the next step up, but if awk is not allowed then perl
 certainly won't be.

 Regards,
 /Lars
 
 yes, the whole system size is extremely limited, so the only possible way
 is to find a suitable C lib to handle this.
 
 What a big task

What about the PCRE library?

   http://www.pcre.org/

That's written in C and gives you the power of perl's regular
expressions.


We use libpcre in some projects and it might be useful but it does not give a 
perl compatible regex engine. It might have up to perl 4 regex support but 
there might even be some missing features there too. So no, not the power of 
perl regex here. 





Re: sysadmin qualifications (Re: apt-get vs. aptitude)

2013-10-11 Thread Shawn Wilson


Joel Rees joel.r...@gmail.com wrote:
On Thu, Oct 10, 2013 at 8:09 PM, Richard Owlett rowl...@cloud85.net
wrote:

We're a long way from being able to build internet terminals that
people can use as simply as they use a phone, and it's quite possible
that it can't really be done.


I'm not sending this email from a phone...  Nope. Where's that 'sent from my 
Kaiten mail app' signature when I need it? 





Re: loop back iptables

2013-10-09 Thread shawn wilson
On Tue, Oct 8, 2013 at 8:12 PM, Dan Ritter d...@randomstring.org wrote:
 On Tue, Oct 08, 2013 at 03:04:14PM -0700, james gray wrote:

 working with the examples at

 https://wiki.debian.org/iptables


 -A INPUT -i lo -j ACCEPT

This will do nothing unless you have a default DROP policy

 and follow procedure of

 iptables-restore < file-name


 i do receive a message line failed for that line as shown above.


 Next, you'll need to copy the entirety of the grey area example
 to a file, and use that file name in the iptables-restore. It's
 a very specific format.


Very specific - I wrote a script to generate an iptables save file and
saw that line failed message lots. Basically the format is:

*chain
:table [counter]
-A rule
COMMIT

Any deviation from this format is an error (you can also have #
comments btw). I assume you can use -I or -D or -R but I don't see
much point (maybe you go into different 'zones' and then that might be
cool to do). Generally, what you want to do is:
iptables -F; iptables -X; iptables-restore < file

 If you want to test individual rules, you could do this at the
 command line:

 iptables -A INPUT -i lo -j ACCEPT

Depending on where that line was put in the save file, that might not
be accurate (though since this rule doesn't do anything, one could
argue about the 'effect' it has at any point). However, assuming the
rule needs to be placed somewhere in the middle, you want:
iptables -nL --line-numbers

And then:
iptables -I INPUT <number> <rule>


 and then

 iptables -L

 to see if it took.

 There is nothing Debian-specific going on here.

Nope - this is linux.
A few notes:
*I've seen some people (Ubuntu) naming their tables with all UPPERCASE
letters - don't do this. You can clobber namespace (and maybe other
issues?) and the only way to distinguish between internal jumps and
tables is the case (LOG and MARK being a prime example and mangle has
some cool jumps you can use and the ones you know of: ACCEPT, REJECT,
DROP, DENY - and it's 0400 so I can't think of others right now).
*iptables-restore makes one kernel call so is much better (read
faster) than calling iptables tons of times.
*these commands are actually links to xtables-multi:
# xtables-multi
ERROR: No valid subcommand given.
Valid subcommands:
 * iptables
 * main4
 * iptables-save
 * save4
 * iptables-restore
 * restore4
 * iptables-xml
 * xml
 * ip6tables
 * main6
 * ip6tables-save
 * save6
 * ip6tables-restore
 * restore6
(no idea why anyone would want to take a good thing and mess it with
xml but it's there - though, if there's an xslt parser as a part of
that there could be some real fun to be had there)

And this stuff is fun, good luck in learning.


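The save-file layout discussed in this thread, as an added example that is not code from any poster: a small Python linter for the structure `iptables-save` writes, which is `*table`, then `:chain policy [packets:bytes]` declarations, then rule lines, then `COMMIT`. The function name `lint`, the sample rulesets and the accepted policies (ACCEPT, DROP, `-`) are assumptions of this example; it checks structure only, not the syntax of individual rules.

```python
import re

BUILTIN = {  # built-in chains per table; user chains are declared with policy "-"
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)(\s+\[\d+:\d+\])?$")
RULE_RE = re.compile(r"^(\[\d+:\d+\]\s+)?-[AIDR]\s+(\S+)")

def lint(text):
    """Return [(line_number, message)] for structural errors in a save file."""
    problems, table, chains, n = [], None, set(), 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are allowed
        if line.startswith("*"):
            if table is not None:
                problems.append((n, f"table '{table}' was never COMMITted"))
            table, chains = line[1:], set()
        elif table is None:
            problems.append((n, "line outside a *table ... COMMIT block"))
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                problems.append((n, "malformed chain declaration"))
            elif m.group(1) not in BUILTIN.get(table, ()) and m.group(2) != "-":
                problems.append((n, f"user chain '{m.group(1)}' needs policy '-'"))
            else:
                chains.add(m.group(1))
        else:
            m = RULE_RE.match(line)
            if not m:
                problems.append((n, "not a table, chain, rule or COMMIT line"))
            elif m.group(2) not in chains | BUILTIN.get(table, set()):
                problems.append((n, f"rule targets undeclared chain '{m.group(2)}'"))
    if table is not None:
        problems.append((n, f"table '{table}' was never COMMITted"))
    return problems

# Constructed sample inputs (not taken from any system in the thread).
GOOD = """*filter
:INPUT DROP [0:0]
:logdrop - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j logdrop
-A logdrop -j DROP
COMMIT
"""
BARE_RULE = "-A INPUT -i lo -j ACCEPT\n"   # a lone rule line, as in the thread
```

On a live host, `iptables-restore --test < file` runs the real parser over the file without committing the ruleset.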



schroot

2013-10-07 Thread shawn wilson
This is at the top of every config file, but I can't find it documented:

. $SETUP_DATA_DIR/common-data
. $SETUP_DATA_DIR/common-functions
. $SETUP_DATA_DIR/common-config

Where is this being sourced from (ie, where is the 'common-data'
file?) and (more important) where is this documented?





Re: schroot

2013-10-07 Thread Shawn Wilson


berenger.mo...@neutralite.org wrote:


On 07.10.2013 18:38, shawn wilson wrote:
 This is at the top of every config file, but I can't find it 
 documented:

 . $SETUP_DATA_DIR/common-data
 . $SETUP_DATA_DIR/common-functions
 . $SETUP_DATA_DIR/common-config

 Where is this being sourced from (ie, where is the 'common-data'
 file?) and (more important) where is this documented?

Doing echo $SETUP_DATA_DIR should help you, I think. And for 
documentation, reading about shell will also help you.


 I'm guessing this means it's exported by some schroot internal mechanism 
inside the schroot? I'm not sure what I don't know about bash that would help 
here? This doesn't seem to be an export bash knows about? 






Re: schroot

2013-10-07 Thread shawn wilson
On Mon, Oct 7, 2013 at 2:20 PM,  berenger.mo...@neutralite.org wrote:
 On 07.10.2013 19:50, shawn wilson wrote:

 Not a bad idea. However:
 find / -type f -print0 | xargs -0 -i{} -P 10 grep -H 'SETUP_DATA_DIR='
 {} 2>/dev/null

 found nothing.

Just to be complete (so that maybe this shows up on google when the
next person has issues finding undocumented stuff in schroot - it's
not in the man page as my search implies btw):

/usr/share # find -iname '*.bz2' | while read f; do t=$(bzcat "$f" |
grep SETUP_DATA_DIR); test -n "$t" && echo "$f" && echo "$t"; done
./doc/schroot-1.6.5-r1/contrib/setup.d/05customdir.bz2
. $SETUP_DATA_DIR/common-data . $SETUP_DATA_DIR/common-functions .
$SETUP_DATA_DIR/common-config
./doc/schroot-1.6.5-r1/ChangeLog.bz2
Add SCHROOT_DATA_DIR, SCHROOT_SETUP_DATA_DIR and replace DATA_DIR and
SETUP_DATA_DIR. Add SCHROOT_DATA_DIR, SCHROOT_SETUP_DATA_DIR and
replace DATA_DIR and SETUP_DATA_DIR.
./man/man7/schroot-faq.7.bz2
.ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
./man/man5/schroot.conf.5.bz2
.ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
./man/man5/schroot-setup.5.bz2
.ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
./man/man5/schroot-script-config.5.bz2
.ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
./man/man1/dchroot.1.bz2
.ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
./man/man1/dchroot-dsa.1.bz2
.ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
./man/man1/schroot.1.bz2
.ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup


 On Mon, Oct 7, 2013 at 1:05 PM,  berenger.mo...@neutralite.org wrote:

 On 07.10.2013 18:59, Shawn Wilson wrote:

 berenger.mo...@neutralite.org wrote:




 On 07.10.2013 18:38, shawn wilson wrote:


 This is at the top of every config file, but I can't find it
 documented:

 . $SETUP_DATA_DIR/common-data
 . $SETUP_DATA_DIR/common-functions
 . $SETUP_DATA_DIR/common-config

 Where is this being sourced from (ie, where is the 'common-data'
 file?) and (more important) where is this documented?



 Doing echo $SETUP_DATA_DIR should help you, I think. And for
 documentation, reading about shell will also help you.


  I'm guessing this means it's exported by some schroot internal
 mechanism inside the schroot? I'm not sure what I don't know about
 bash that would help here? This doesn't seem to be an export bash
 knows about?



 I have no idea about what are the files you are speaking about, but the $
 prefix usually indicates a variable in shell, and shell scripts are
 widely
 used in the system. To find what file could export that variable, try a
 grep
 -r SETUP_DATA_DIR, it might help you find which file uses that variable.


 Do not send me private mail for something like that, it could interest
 someone else on the list.

That was an accident (I was guessing telling me reading about shell
would be helpful that you might not be the person to talk to but I
like to follow up).

 Honestly, I can not help you more than that, I do not use chroot very often,
 and do not know what is schroot. If the variable is not defined, then maybe
 it has a default value.
 Maybe if you find other files containing simply the SETUP_DATA_DIR text
 (without '=' or '$') you could find more hints.

 PS: does the giant line you posted above do the same thing as grep -r
 'SETUP_DATA_DIR=' 2>/dev/null ? If yes, it seems quite complex for what it
 does...


Quite, but xargs gives one major advantage - that -P allows you to
parallelize grep  and sending the process SIGUSR1/SIGUSR2 increases or
decreases that parallelization. (This also meant that my laptop shat
bricks due to a slower hdd and I had to revert to a server).




