Re: Free TCP/IP port numbers?
The answer is correct - IANA maintains the list of ports. You may also look at the services file nmap maintains or ask Shodan what it's seen publicly if you want a public popularity contest of ports.

As it is, I'm pretty sure you're over engineering this. Have a config file that has a port range option and be done with it. Also, you didn't mention needing <1024 so pick a port and be done with it (what everyone else does).

Lastly, certain ports are so old, their intended services shouldn't be online anymore (see the first 20 ports or 90-110 - off the top of my head - not sitting here and going through them) or if the service probably won't be used in ICS or on a box designed to be an internet backbone, use one of those.

On Sep 30, 2017 21:50, "Victor Porton" wrote:

> Alexander V. Makartsev wrote:
>
> > There is official list of all registered port numbers:
> > https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
> >
> > You can choose any port that is not in the list, to be sure they won't
> > clash.
>
> The list of port numbers you pointed to me is a subset (or at least not a
> superset) of the full list used by Debian packages.
>
> Assuring that my port is not in this IANA list is not enough to ensure that
> my port number will not clash with a port number used by a Debian package
> (by default).
>
> So your answer to my question is wrong.
>
> > On 01.10.2017 06:04, Victor Porton wrote:
> >> We are going to install a range of software on a Debian Linux
> >> installation. Because we run the same software (such as Celery) several
> >> times, we need to use port numbers different than the standard Debian
> >> port numbers chosen by default (because we can't run more than one
> >> instance of a server with the same port, and thus using the standard port
> >> number for all servers would fail).
> >>
> >> How to choose TCP/IP port numbers for server software we run in such a
> >> way that they don't clash with "standard" Debian port numbers?
> >>
> >> In Debian are there any ranges of port numbers dedicated (so that they
> >> wouldn't clash with "standard" that is used by default port numbers) for
> >> servers configured by users?
> >>
> >> Note that we run (at least some of) our software not as root, so we can't
> >> use ports below 1024.
>
> --
> Victor Porton - http://portonvictor.org
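The "config file with a port range" suggestion above, combined with the registry lookup the thread discusses, as an added example that is not part of the original messages: it lists TCP ports in a configured range that have no entry in a services-format file (/etc/services or nmap's nmap-services). The sample table and the function names sample_services and list_free_ports are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /etc/services layout: name, port/proto, aliases, comment.
# nmap-services uses the same first two columns, so the parser reads both.
sample_services() {
    cat <<'EOF'
# constructed sample, not a real registry
amqp          5672/tcp
amqp          5672/udp
example-mgmt  5673/tcp    # hypothetical entry
example-udp   5674/udp    # UDP only, so TCP 5674 stays free
x11           6000/tcp    x11-0
EOF
}

# list_free_ports START END COUNT [FILE]
# Print up to COUNT TCP ports in START..END with no entry in FILE
# (default /etc/services; "-" reads standard input).
list_free_ports() {
    lfp_start=$1 lfp_end=$2 lfp_count=$3 lfp_file=${4:-/etc/services}
    for lfp_v in "$lfp_start" "$lfp_end" "$lfp_count"; do
        case $lfp_v in
            ''|*[!0-9]*) echo "list_free_ports: numeric arguments required" >&2
                         return 2 ;;
        esac
    done
    # The poster runs as non-root, so ports below 1024 cannot be bound.
    if [ "$lfp_start" -lt 1024 ] || [ "$lfp_end" -gt 65535 ] ||
       [ "$lfp_start" -gt "$lfp_end" ]; then
        echo "list_free_ports: range must lie within 1024..65535" >&2
        return 2
    fi
    awk -v lo="$lfp_start" -v hi="$lfp_end" -v want="$lfp_count" '
        $1 ~ /^#/ || NF < 2 { next }          # comments and short lines
        {
            n = split($2, pp, "/")            # "5672/tcp" -> 5672, tcp
            if (n == 2 && pp[2] == "tcp" && pp[1] ~ /^[0-9]+$/)
                used[pp[1] + 0] = 1
        }
        END {
            found = 0
            for (p = lo + 0; p <= hi + 0 && found < want + 0; p++)
                if (!(p in used)) { print p; found++ }
        }
    ' "$lfp_file"
}

# Demo on the constructed sample.
sample_services | list_free_ports 5670 5680 4 -
```

A port missing from the table can still be taken at run time: on Linux, outgoing connections draw source ports from the range in /proc/sys/net/ipv4/ip_local_port_range, so a configured range outside it is the safer choice.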
Re: pen testing beginner
Also, there's tons of free help online (mailing lists - duh, irc, reddit, Twitter, and Facebook has helped me once you get to know the right people). There are also loads of security conferences and meetups (BSides, ISSA, 2600, etc). On Oct 30, 2016 13:54, "shawn wilson" <ag4ve...@gmail.com> wrote: > > I'll caveat my response by saying I'm not in this field - I'm a lowly sysadmin :) > > On Oct 30, 2016 00:01, "David Christensen" <dpchr...@holgerdanske.com> wrote: > > > > On 10/29/2016 11:50 AM, emetib wrote: > > > have been a linux only person since before 2000 (late 2.2 early 2.4 > > > kernels), yet haven't done much with it in the last ten years. ... > > > > > i'm looking at getting back into it and into pen > > > testing. > > > > I assume you mean penetration testing. Given that computers and > > networks are built from many hardware, firmware, and software work > > products, I would expect that there are specialties. It might help to > > pick one, and then find the knowledge and skill dependencies. > > > > It really would, but I assume he'll find some subset he enjoys more than others after some learning. You'll either learn enough to run tools and scan for known issues or find it more enjoyable to research all the myriad of ways our tech is broken. > > Either way, you want to know (at least) the basics of programming. I touched bash, python, ruby, and perl and json, yaml and ini last week (mainly at work) and I can assure you they're all pretty much the same, so don't really worry about learning multiple until you must - pick one and learn it. Pick something useful (ie, most people don't use Smalltalk so you support community and modules won't be as large so maybe not the best - fun language though) and maybe you find yourself using a tool a lot - might consider learning the language it's written in. To be more precise - Metasploit is ruby, recon-ng is python, nmap is c (with an o object passed everywhere), volatility is python, etc. 
> > Pentesting - start staying up to date with CVEs and netsec on reddit and darkreading and the like. Learn the tools and what they do. Lots of CTFs are downloadable after the event (and people often do writeups that you can look for when you run into trouble). And learn your tools - this includes basic Unix like strings, grep, file (know the limitations of magic though), find but also nmap, msf, Wireshark, volatility, recon-ng, sqlmap, etc. This isn't to say you shouldn't know how the tools you run work, but I find it useful to learn the tool and look at what it's doing. Ie, start Wireshark and capture and run a basic nmap and see what happens. > > Exploit dev - so you can either go down the network path - I'd start by gripping the RFCs for the word "should" and "may" and see which daemons have issues with that part of their implementation (also be aware networks love time and some errors may lead to leaks). If you go down the normal x86 exploit dev path, I'd start by looking at old viruses and malware and PoC exploits and understand how they work. Also probably want to setup setup cuckoo sandbox and mastiff. > > All of this said, I'd strongly suggest having a good rounded base of knowledge. So get ready for the real reading list - not just to sit on the couch with - read them while in front of a computer: > PC asm (freely available online - nostarch also publishes a much bigger / more in depth / pricier assembly book I have and haven't gotten around to reading yet) > Hacking the art of exploitation > > And depending on which route you go: > Metasploit > Practical malware analysis > > You'll notice a trend - other than pc assembly, they're all published by nostarch. 
I'm unaware of any books on malware dev - which is why I recommend looking at prior malware and an analysis book, though I'm sure your gov can provide tons of literature here if you ask nice enough ;) > > Most conferences also post talks on YouTube - for the most part, I suggest being active as you watch them (pause, Google, read, return, repeat). > > > > > > from what i have been reading lately i'm going to have to know quite > > > a bit about a couple of different things that i didn't jump to deep > > > into before, programming and networking especially. ... > > > > > i have given myself a four year window on this learning cycle and am > > curious about going about it. ... > > > > > please just give advice and not right or wrong opinions on what i > > > maybe trying to do with my options and if i should actually take some > > > classes to augment my self learning. > > > > If you are serious about this, go get yourself a degree in computer > > science. I preferred and recommend th
Re: pen testing beginner
I'll caveat my response by saying I'm not in this field - I'm a lowly sysadmin :)

On Oct 30, 2016 00:01, "David Christensen" wrote:
>
> On 10/29/2016 11:50 AM, emetib wrote:
> > have been a linux only person since before 2000 (late 2.2 early 2.4
> > kernels), yet haven't done much with it in the last ten years. ...
>
> > i'm looking at getting back into it and into pen
> > testing.
>
> I assume you mean penetration testing. Given that computers and
> networks are built from many hardware, firmware, and software work
> products, I would expect that there are specialties. It might help to
> pick one, and then find the knowledge and skill dependencies.
>

It really would, but I assume he'll find some subset he enjoys more than others after some learning. You'll either learn enough to run tools and scan for known issues or find it more enjoyable to research all the myriad of ways our tech is broken.

Either way, you want to know (at least) the basics of programming. I touched bash, python, ruby, and perl and json, yaml and ini last week (mainly at work) and I can assure you they're all pretty much the same, so don't really worry about learning multiple until you must - pick one and learn it. Pick something useful (ie, most people don't use Smalltalk so your support community and modules won't be as large so maybe not the best - fun language though) and maybe you find yourself using a tool a lot - might consider learning the language it's written in. To be more precise - Metasploit is ruby, recon-ng is python, nmap is c (with an o object passed everywhere), volatility is python, etc.

Pentesting - start staying up to date with CVEs and netsec on reddit and darkreading and the like. Learn the tools and what they do. Lots of CTFs are downloadable after the event (and people often do writeups that you can look for when you run into trouble). And learn your tools - this includes basic Unix like strings, grep, file (know the limitations of magic though), find but also nmap, msf, Wireshark, volatility, recon-ng, sqlmap, etc. This isn't to say you shouldn't know how the tools you run work, but I find it useful to learn the tool and look at what it's doing. Ie, start Wireshark and capture and run a basic nmap and see what happens.

Exploit dev - so you can either go down the network path - I'd start by grepping the RFCs for the word "should" and "may" and see which daemons have issues with that part of their implementation (also be aware networks love time and some errors may lead to leaks). If you go down the normal x86 exploit dev path, I'd start by looking at old viruses and malware and PoC exploits and understand how they work. Also probably want to setup cuckoo sandbox and mastiff.

All of this said, I'd strongly suggest having a good rounded base of knowledge. So get ready for the real reading list - not just to sit on the couch with - read them while in front of a computer:
PC asm (freely available online - nostarch also publishes a much bigger / more in depth / pricier assembly book I have and haven't gotten around to reading yet)
Hacking the art of exploitation

And depending on which route you go:
Metasploit
Practical malware analysis

You'll notice a trend - other than pc assembly, they're all published by nostarch. I'm unaware of any books on malware dev - which is why I recommend looking at prior malware and an analysis book, though I'm sure your gov can provide tons of literature here if you ask nice enough ;)

Most conferences also post talks on YouTube - for the most part, I suggest being active as you watch them (pause, Google, read, return, repeat).

>
> > from what i have been reading lately i'm going to have to know quite
> > a bit about a couple of different things that i didn't jump to deep
> > into before, programming and networking especially. ...
>
> > i have given myself a four year window on this learning cycle and am
> > curious about going about it. ...
>
> > please just give advice and not right or wrong opinions on what i
> > maybe trying to do with my options and if i should actually take some
> > classes to augment my self learning.
>
> If you are serious about this, go get yourself a degree in computer
> science. I preferred and recommend the old-fashioned university
> approach -- professors, planned sequence of courses, classrooms, labs,
> textbooks, homework, projects, and especially the camaraderie of other
> students.
>

I'll preface this by saying I have 30 hours of community college credits. I've also had this discussion a few times - mixed reviews. Most schools won't teach you computer security. I think CMU might have the best program in the states though. But basically, if you go this route, read up on what the professors do when not teaching - if none have been in industry for years or don't have any research industry is talking about... So given the expense (both time and money), I recommend against this. If this interests you enough,
Re: Shell - escapes
'...' doesn't interpolate.

push @f, '$ and a';
push @f, "'";
print join '', @f;

If you want. I have a feeling YDIW and need to step back and present the actual problem.

On May 10, 2016 05:36, "Die Optimisten" wrote:
> Hi,
>
> How can I escape a ' inside '...'
> e.g. perl -e 'print '$ and a' '# I don't want to use "
>
> thank you
> Andrew
Re: iptables changes triggering audit messages, despite auditd not being installed
On May 5, 2016 8:10 AM, "Tony Evans" <t...@darkstorm.co.uk> wrote:
>
> Firstly, apologies for double-posting the issue originally.
>
> On 5 May 2016 at 13:05, shawn wilson <ag4ve...@gmail.com> wrote:
> >
> > On May 5, 2016 6:03 AM, "Tony Evans" <gnomt...@gmail.com> wrote:
> >>
> >> I can't find why the log entries are being created (i.e. I know the
> >> trigger, but I can't work out why that trigger is now generating log
> >> entries when it wasn't doing that before I installed and removed
> >> auditd).
> >>
> >
> > I'm guessing the removal script didn't delete the audit rules which reside
> > in kernel memory. If I'm correct, a reboot will fix this. I'd probably
> > consider that a bug (if I'm right) and confirm and submit a report to the
> > maintainer.
>
> That doesn't really explain what I'm seeing - I only added one rule
> when I first installed it, and it was nothing to do with iptables or
> anything near the directories it is using. Additionally, when I
> reinstalled auditd, the messages stop (and start again when it's
> removed)
>

Something weird happening with init maybe?

> Can I query the kernel rules (without auditctl?)
>

A quick Google didn't reveal anything but I'm guessing there's at least a rule or hit counter under either proc or sys (kinda like iptables does). Could probably (idk what libs it links to off the top) just copy auditctl somewhere before uninstalling though.
Re: iptables changes triggering audit messages, despite auditd not being installed
On May 5, 2016 6:03 AM, "Tony Evans" wrote:
>
> I can't find why the log entries are being created (i.e. I know the
> trigger, but I can't work out why that trigger is now generating log
> entries when it wasn't doing that before I installed and removed
> auditd).
>

I'm guessing the removal script didn't delete the audit rules which reside in kernel memory. If I'm correct, a reboot will fix this. I'd probably consider that a bug (if I'm right) and confirm and submit a report to the maintainer.
Re: RECOMMEND: Wireless Home Router with VPN Built-In
Seconded (unless you can't)

On Apr 25, 2016 8:29 PM, "Joel Wirāmu Pauling" wrote:

> My advice stands. Use a VPN client on the end devices.
>
> On 26 April 2016 at 12:27, Patrick Bartek wrote:
>
>> On Mon, 25 Apr 2016, Joel Wirāmu Pauling wrote:
>>
>> > I don't suggest running VPN (at least any with decent encryption)
>> > on the Wifi /AP. It will end up being a bottleneck. i.e. my Dual
>> > core MIP's 680hz Wireless AC running openwrt can barely push 12mbit
>> > through an AES tunnel.
>> >
>> > Keep the VPN endpoints on the more well endowed endpoints. If you
>> > need it as a backup purely for getting into the router, then SSH is
>> > fine.
>>
>> I'll be the only user on the VPN. It's mainly for when I use public
>> wifi on my phone or laptop, for security. For Web and email mostly.
>> I might use it to access my home machine, too, but that would be rarely.
>> So, I'm not going to be moving large amounts of data over the
>> connection.
>>
>> Thanks.
>>
>> B
>>
>> > On 25 April 2016 at 14:22, Paul Duncan wrote:
>> >
>> > > I have a Draytek Vigor 2820vn. Have had it for a few years now.
>> > > Seems to be quite reliable. Has three types of WAN connectivity
>> > > built-in - ADSL2+, Ethernet (for cable modems), and USB for mobile
>> > > broadband dongles. And, as you requested, it does have a built-in
>> > > VPN service and very configurable firewall.
>> > >
>> > > Now, this particular unit will never support IPV6, and I think they
>> > > may have stopped making it now. If I was in the market for a router
>> > > today, I would go for the Vigor 2830 series. It is IPV6 ready, and
>> > > all four of its Ethernet ports are gigabit ports (only one is on
>> > > the 2820).
>> > >
>> > > Anyway, I'm sure you will get *lots* of opinions about favourite
>> > > hardware!
>> > >
>> > > Cheers,
>> > >
>> > > Paul.
>> > >
>> > > On Mon, Apr 25, 2016 at 3:01 AM, Patrick Bartek
>> > > wrote:
>> > >
>> > >> Hi! all,
>> > >>
>> > >> Toying with the idea of setting up a personal, that is,
>> > >> non-business, VPN for a device or two for those rare times I use
>> > >> public wifi. For improved security, mind you. Want to keep it
>> > >> simple, but it must work outside the U.S. (I foresee a change
>> > >> coming.) So, figured a new home router with the server built-in
>> > >> would be better than a for-charge (or free) VPN service. (After 8
>> > >> years of continuous use, I'm getting nervous about my old router
>> > >> anyway, and want to replace it.)
>> > >>
>> > >> What routers would you all recommend? And why?
>> > >>
>> > >> Thanks.
>> > >>
>> > >> B
Re: Firewall - basic config?
On Apr 23, 2016 3:54 PM, "Joe" wrote:
> .
>
> You might also try iptables -S which will list the rules in the form
> that you would enter by hand as arguments to the iptables command. It is
> a different view, and you may see things that are less obvious in the
> -L view.
>

I'm guessing -S is the same as iptables-save...? If so, then yes that's the way to look at rules and what you want to paste when asking for help. There are two times when I want nL output - when testing and want a delete number (so with the --line-numbers option) and when I think a table is useless and want to call reference count. That's literally it. Otherwise you probably want to see the rules closer to how the kernel does.

Also, if you script your restore (I'm guessing ufw handles this... properly) do use a restore file vs looping the iptables command for each rule - besides being proper, it's also a *hell* of a lot faster.

> Remember that IPv6 is alive and well in quite a lot of hardware these
> days, and there is an ip6tables to deal with it.
>

Ie, unless you're using it, disable it (both with ip6tables and blacklist modules)
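The restore-file advice above, with the IPv6 suggestion applied as a default-drop ip6tables file, as an added example that is not part of the original thread. The rule set, the ports 22 and 5672, and the function names are constructed; loading the files needs root and replaces the current filter table.

```shell
#!/bin/sh
# Emit an IPv4 filter table in iptables-save format. iptables-restore commits
# a whole table in one operation, where a loop of iptables calls rewrites the
# table once per rule.
build_v4_rules() {
    v4_ports=$1                      # space-separated TCP ports to allow in
    for v4_p in $v4_ports; do        # validate before printing anything
        case $v4_p in
            ''|*[!0-9]*) echo "build_v4_rules: bad port '$v4_p'" >&2; return 2 ;;
        esac
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for v4_p in $v4_ports; do
        echo "-A INPUT -p tcp -m tcp --dport $v4_p -j ACCEPT"
    done
    echo 'COMMIT'
}

# IPv6 is unused in this constructed setup: drop everything except loopback.
build_v6_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo 'COMMIT'
}

# Parse both files with --test first, then load them. Needs root.
apply_rules() {
    ar_v4=$(mktemp) || return 1
    ar_v6=$(mktemp) || { rm -f "$ar_v4"; return 1; }
    if build_v4_rules "$1" > "$ar_v4" && build_v6_rules > "$ar_v6" &&
       iptables-restore --test < "$ar_v4" &&
       ip6tables-restore --test < "$ar_v6" &&
       iptables-restore < "$ar_v4" &&
       ip6tables-restore < "$ar_v6"; then
        ar_rc=0
    else
        ar_rc=1
    fi
    rm -f "$ar_v4" "$ar_v6"
    return "$ar_rc"
}

# Print the generated IPv4 file; run apply_rules "22 5672" as root to load it.
build_v4_rules "22 5672"
```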
Re: TCP/IP over Bluetooth
On Apr 23, 2016 06:27, "Reco" wrote:
>
> On Sat, 23 Apr 2016 10:23:57 +0100
> Joe wrote:
>
> > 'Proper' serial equipment
> > typically does not go higher than 115kBd, and most wired serial
> > applications need much less than that.
>
> But serial-over-bluetooth gets me 0.5 Mbps :)
>

Being able to tether when connected to either cell *or* wifi from a non rooted android device (like if paying for a single MAC address on a plane) might be a good enough reason to set it up. And in those situations, you're not getting optimal bandwidth anyway.
Re: TCP/IP over Bluetooth
On Apr 23, 2016 00:09, wrote:
>
> According to https://en.wikipedia.org/wiki/Bluetooth ,
> Bluetooth was "... originally conceived as a wireless alternative
> to RS-232 data cables." Therefore TCP/IP inside PPP on a
> Bluetooth connection is hypothetically possible.
>
> Has anyone tried it with a debian system on one end at least?
>

Google it? It appears to work fine now days - maybe issues with NetworkManager though - idk. But no I haven't setup PAN, just 1 minute (literally) with Google tells me this. If you want a link to read, this looks good (though a bit dated):
http://m.linuxjournal.com/article/10915
Re: [ A little off topic] Best e-mail client for Android
Y'all know you can buy kaiten mail and support the dev, right?

On Mon, Apr 11, 2016 at 8:29 AM, Byung-Hee HWANG (황병희) wrote:
> On 11 April 2016 at 9:08:06 PM GMT+09:00, Hans wrote:
>>On Monday, 11 April 2016, 08:02:13, German wrote:
>>> I wonder what Debian users use on their phone/tablet.
>>>
>>> Thanks
>>
>>K9-Mail
>
> Me too, i use now k-9 with google apps.
> Also i like very much Emacs' Gnus!
Re: Sudo
On Mar 21, 2016 5:56 AM, "Lisi Reisz" wrote:
>
> On Monday 21 March 2016 04:51:35 Jude DaShiell wrote:
> > When you installed Linux Mint I'm going to make a wag here and figure you
> > didn't put a password in for root and because of that Linux Mint put your
> > user account in /etc/sudoers as part of its installation routine.
>
> I don't think that Linux Mint offers a root account during installation. It
> doesn't use root by default.
>

Uh it kinda has to. AFAIK, the kernel doesn't allow ring 0 without being uid 0 / gid 0 (or root). Call the user "mud" if you want, at that point it doesn't really matter.
Re: Good keyboard
On Feb 11, 2016 1:21 PM, "David Christensen" wrote:
> Thoughts? Comments?
>

I don't have one of those (but I think I'll buy one). Currently I swear by my ducky mini (obviously remap caps lock to escape - also, I use vim/vim mode so YMMV if you like arrowing around which means it also doesn't do well in bios or lilo/grub - has fn arrow but that's obviously a PITA). I also have a DasKeyboard but a few keys squeak so that's turned into a $100 brick. And I have a Lexmark model M but still prefer my ducky due to its size on my desk.
Re: Libre graphics could become the standard if we push right now
On Jan 14, 2016 5:11 PM, "Zlatan Todoric" wrote:
>
> On 01/14/2016 09:11 PM, Alberto Salvia Novella wrote:
> > Nearly all compact Linux computers feasible for gaming are sold
> > exclusively using NVIDIA graphics, and that company is hostile to libre
> > software.
> >
> > So I think it is very important that we support AMD right now on what we
> > can, and ask manufacturers to include AMD graphics in those products.
> >
>
> You do realize that AMD graphics need proprietary firmware to have
> proper 3D acceleration without which you probably couldn't run any game
> at all - so goodbye Libre graphics.
>

Besides that, AMD's fglrx requires X to be running in order to run while nVidia does not (kinda sucks if you have a bunch of 8 card nodes using the cards for scientific applications). Also, in this setting, there were a lot more issues with AMD than nVidia (soft crashes, hard crashes, cards going offline until reboot). I'm not a big gamer, so maybe there are fewer issues with AMD in this setting. And I'd be thrilled if either fglrx or nv were OSS (would weigh heavily on purchasing decisions). However, because AMD really pissed me off here, I had to say something here.

> > Because of that I have started campaigning for it:
> > http://steamcommunity.com/discussions/forum/11/458606248621316073/
Re: installing Debian on USB flash drive for use in many machines
On Sat, Nov 28, 2015 at 6:08 PM, Renaud OLGIATI wrote:
> Why not use Knoppix, instead of re-inventing the wheel ?
>

For me, it's just nice to have an easy to boot system w/ storage - takes me a few minutes to setup and then I've got a thumb disk I can boot for rescue disk or a dns server or web server or vim w/ my vimrc/plugins, etc. Also an image doesn't (by default) give you local storage on your thumb drive - you've got to script the boot process to look for free space and add a partition or mount a previously created partition if that's what you want which is a pita/brittle.

Knoppix is great if I don't have my stuff w/ me, but isn't really a replacement. I also don't like burning disks if I can help it. But if you like images, there are android apps that emulate a cdrom (somewhat) and things like isostick (see amazon).
Re: installing Debian on USB flash drive for use in many machines
On Nov 28, 2015 3:37 PM, "David Christensen" wrote:
>
> I am continuing to work on the idea of installing Debian on a USB flash drive for use in many machines, primarily for diagnostics, maintenance, repair, backup, archive, imaging, etc..
>

Google "debootstrap usb" - should bring you to enough walk throughs to get you where you want to be.

> As you can see, the machines are somewhat similar.
>

So you're still going to have to play with drivers and the like - I'd make the laptop work first and then move to the desktop.

> I have installed Debian 8 amd64 onto a USB flash drive

You don't explain how you got to this point - installer, remastering the image, rsync a fresh install, debootstrap, multistrap, etc.

> I'm trying to figure out why Ethernet does not work in i72720qm when using the USB flash drive.
>
> My theory is that I'm missing software (device driver?) on the USB flash drive that is required to make Ethernet work on i72720qm.
>

Or a shared address (doubt it but)...

> So, I have run 'lsmod' on i72720qm in each of the two configurations. Here is a comparison ('<' indicates module only present when running USB flash drive, '>' indicates module only present when running SSD, no marker indicates module present in both cases):
>

diff -u is much less chatty btw. Or even:
diff -U0

> < usb_storage

Needs that to read the thumb drive post grub / pivot root.

> > arc4
> > cifs
> > crc16
> > dns_resolver
> > ecb
> > ext4
> > fuse
> > hid
> > hid_generic
> > hmac
> > jbd2
> > lp
> > mbcache
> > md4
> > nls_utf8
> > pci_stub
> > usbhid
> > vboxdrv
> > vboxnetadp
> > vboxnetflt
> > vboxpci

So I'm no kernel expert, but I see crypto, fs, hid, and vbox. Not exactly sure what pci_stub is but I'd look into that.

> Of the 21 additional modules (arc4 ... vboxpci) that are present when running the SSD, I don't recognize which one(s) might be what I need to get Ethernet working on i72720qm.
>

Maybe it's compiled in the kernel or maybe it's not present in /lib/modules/kernel - lots of reasons something may or may not work as a module. Not enough info to make that call. I could guess at a default debian kernel build (which I don't know what it includes as a driver off the top) or you could lspci, figure out which driver you need, confirm the file is where it's supposed to be or that debian builds it into the kernel, and go from there.

zcat /boot/config-.gz | grep CONFIG_name
Re: installing Debian on USB flash drive for use in many machines
On Nov 28, 2015 4:30 PM, "Joe" wrote:
>
> On Sat, 28 Nov 2015 12:37:12 -0800
> David Christensen wrote:
>
> Why you may be barking up the wrong tree is that all the software is
> there, but the Ethernet interface is not being brought up. DHCP on my
> network is not being used, though the DHCP client is installed. If I
> bring up the interface manually with a suitable IP address, all is
> well. Try that exercise in your situation, my assumption would be that
> if you can bring it up manually then you have the right drivers
> installed. By manually I mean using ifconfig or other networking
> software, without the need to bring in any extra modules with modprobe.
>

ifconfig -a
ip addr ls
Re: how execute a script
On Nov 16, 2015 5:37 PM, "Lisi Reisz"wrote: > > On Monday 16 November 2015 19:33:51 David Wright wrote: > > On Mon 16 Nov 2015 at 06:54:40 (+0100), Martin Str|mberg wrote: > > > In article David Wright > wrote: > > > > As for script-file extensions in DOS, there was really only .BAT > > > > wasn't there?, so the idea of distinguishing .bash, .csh, .py, .pl, > > > > .sh, .zsh etc as being inherited from DOS is difficult for me to > > > > understand. > > > > > > Perhaps it's because (MS)DOS begat WINDOWS that only knew how to run > > > something based on the extension? > > > > > > And that is why we shudder on the sight of a (unnecessary?) extension? > > > > I wouldn't know. My experience of windows is far less than DOS, and my > > use of DOS was pretty much restricted to an AUTOEXEC.BAT that started > > an emulation system which was my area of expertise. Interesting choice > > of language, though; shudder. > > > > I'm the person questioning the relevance of DOS to putting ".sh" at > > the end of an on-PATH executable script's filename, when DOS was > > brought up in https://lists.debian.org/debian-user/2015/11/msg00453.html > > > > I take it there's a whole generation of folk who gained their > > experience of filename endings (a less loaded word than extension) > > through DOS/windows, perhaps entirely so. With it, they picked up a > > load of negative associations, causing shuddering here and unhappiness > > in another part of this thread. > > > > I'm sorry for you. I didn't touch DOS until 1992-06-01 (to be precise) > > about twentyone years into my computing career. To say I *used* it > > would be an overstatement: I ran one package on it. > > > > Putting meaningful endings onto filenames (excepting, I hasten to > > add lest people jump down my throat, executable scripts) had been a > > way of life for years. Their necessity was variable from system to > > system; sometimes they were just a convention. Look at man gcc. > > It has meaningful endings. 
They've been there since at least > > 15 March 1972 when, allegedly, the number of Unix installations had > > grown to 10. (At that time, gcc was obviously called cc; Stallman > > hadn't yet graduated.) > > > > As for unix scripts, well, yes, there's no *need* for any endings, > > but that doesn't preclude their use. If that makes you unhappy or > > into a shudderer, please get over it. > > I take it those who are so against file endings are equally upset by > sources.list and menu.lst? > > Though it is very annoying when they are *needed*. Xsane usually puts them > in, and I used not to bother to check. A few months ago I sent my lawyer a > scan of a document he needed. An hour or two later, back came an > email: "I'm so sorry, we have no software that can open that file. The IT > department has been trying for an hour". Puzzled, because I thought I had > sent a .pdf, and had checked that it opened fine in Evince, I looked at the > file - groaned - and renamed scan-foo to scan-foo.pdf. When resent it opened > fine. > Magic shouldn't be used when a file type is known and should be communicated (via its extension). If you create a pdf, it is bad to not have the pdf extension - you've lost data. Also, I'm fine with installed executables not including extensions. However, in a repo with different types of executable code, I want to know at a glance what something is (there's also that vim filetype uses extension and I want stuff to work).
Re: how execute a script
On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister <cbannis...@slingshot.co.nz> wrote:
> On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote:
>> On Nov 16, 2015 5:37 PM, "Lisi Reisz" <lisi.re...@gmail.com> wrote:
>> > department has been trying for an hour". Puzzled, because I thought I had
>> > sent a .pdf, and had checked that it opened fine in Evince, I looked at the
>> > file - groaned - and renamed scan-foo to scan-foo.pdf. When resent it
>>
>> communicated (via its extension). If you create a pdf, it is bad to not
>> have the pdf extension - you've lost data.
>
> How have you lost data?
>

You lose what the file type (data) should be if you save a file w/o an extension. Again, this is fine for an installed program (no one cares as long as it works) but not so good for data that is processed by another program or a script I want to edit.
Re: how execute a script
On Tue, Nov 17, 2015 at 1:25 PM, Elimar Riesebieter <riese...@lxtec.de> wrote:
> * shawn wilson <ag4ve...@gmail.com> [2015-11-17 13:08 -0500]:
>
>> On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister
>> <cbannis...@slingshot.co.nz> wrote:
>> > On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote:
>
> [...]
>
>> >> communicated (via its extension). If you create a pdf, it is bad to not
>> >> have the pdf extension - you've lost data.
>> >
>> > How have you lost data?
>> >
>>
>> You lose what the file type (data) should be if you save a file w/o
>> an extension. Again, this is fine for an installed program (no one
>> cares as long as it works) but not so good for data that is processed
>> by another program or a script I want to edit.
>
> PDF files are recognized by their header not their extension. Create
> a test.pdf. Copy it to test and test.blo. They will always be
> recognized as pdf documents from evince and alike.
>

Quoting myself (sorry):
> Magic shouldn't be used when a file type is known
Re: how execute a script
On Tue, Nov 17, 2015 at 1:56 PM, Brian <a...@cityscape.co.uk> wrote: > On Tue 17 Nov 2015 at 13:08:49 -0500, shawn wilson wrote: > >> On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister >> <cbannis...@slingshot.co.nz> wrote: >> > On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote: >> >> On Nov 16, 2015 5:37 PM, "Lisi Reisz" <lisi.re...@gmail.com> wrote: >> >> > department has been trying for an hour". Puzzled, because I thought I >> >> > had >> >> > sent a .pdf, and had checked that it opened fine in Evince, I looked at >> >> the >> >> > file - groaned - and renamed scan-foo to scan-foo.pdf. When resent it >> >> >> >> communicated (via its extension). If you create a pdf, it is bad to not >> >> have the pdf extension - you've lost data. >> > >> > How have you lost data? >> >> You loose what the file type (data) should be if you save a file w/o >> an extension. Again, this is fine for an installed program (no one >> cares as long as it works) but not so good for data that is processed >> by another program or a script I want to edit. > > You would have to give a specific example where a file processed by a > program or script fails to open for this argument to be convincing, You > also have to distinguish between data in the file and information the > extension conveys to the program. > How about just that vim filetype relies on the filename to determine the format? I suspect there are other examples where an extension might be *required* such as compression, but other than Windows, IDK off hand.
Re: how execute a script
> % file t.sh > t.sh: ASCII text > % cat t.sh > max=10 > Oh and before someone says "but there's some standard that says you're supposed to put a shebang at the top" - afaik, it's not in POSIX anywhere: http://www.in-ulm.de/~mascheck/various/shebang/ So, magic dropped the ball - should've been identified as a shell script (due to the use of "echo"
Re: how execute a script
On Tue, Nov 17, 2015 at 2:53 PM, Brian <a...@cityscape.co.uk> wrote: > On Tue 17 Nov 2015 at 14:05:25 -0500, shawn wilson wrote: > >> On Tue, Nov 17, 2015 at 1:56 PM, Brian <a...@cityscape.co.uk> wrote: >> > On Tue 17 Nov 2015 at 13:08:49 -0500, shawn wilson wrote: >> > >> >> On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister >> >> <cbannis...@slingshot.co.nz> wrote: >> >> > On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote: >> >> >> On Nov 16, 2015 5:37 PM, "Lisi Reisz" <lisi.re...@gmail.com> wrote: >> >> >> > department has been trying for an hour". Puzzled, because I thought >> >> >> > I had >> >> >> > sent a .pdf, and had checked that it opened fine in Evince, I looked >> >> >> > at >> >> >> the >> >> >> > file - groaned - and renamed scan-foo to scan-foo.pdf. When resent >> >> >> > it >> >> >> >> >> >> communicated (via its extension). If you create a pdf, it is bad to not >> >> >> have the pdf extension - you've lost data. >> >> > >> >> > How have you lost data? >> >> >> >> You loose what the file type (data) should be if you save a file w/o >> >> an extension. Again, this is fine for an installed program (no one >> >> cares as long as it works) but not so good for data that is processed >> >> by another program or a script I want to edit. >> > >> > You would have to give a specific example where a file processed by a >> > program or script fails to open for this argument to be convincing, You >> > also have to distinguish between data in the file and information the >> > extension conveys to the program. >> >> How about just that vim filetype relies on the filename to determine the >> format? > > "vim filetype". I don't know what you mean. 'vim /usr/bin/vim' opens the > file. I do not understand a word of the display but it does open it. An > extension doesn't seem to have a part to play in the file's opening. 
>

Your way of setting filetype is by looking at the extension - for example:

    :autocmd BufRead *.js set filetype=javascript

Same goes for *.pl or *.pm or *.py or *.c, etc
Re: how execute a script
On Tue, Nov 17, 2015 at 2:57 PM, shawn wilson <ag4ve...@gmail.com> wrote: > On Tue, Nov 17, 2015 at 2:53 PM, Brian <a...@cityscape.co.uk> wrote: >> On Tue 17 Nov 2015 at 14:05:25 -0500, shawn wilson wrote: >> >>> On Tue, Nov 17, 2015 at 1:56 PM, Brian <a...@cityscape.co.uk> wrote: >>> > On Tue 17 Nov 2015 at 13:08:49 -0500, shawn wilson wrote: >>> > >>> >> On Tue, Nov 17, 2015 at 1:02 PM, Chris Bannister >>> >> <cbannis...@slingshot.co.nz> wrote: >>> >> > On Tue, Nov 17, 2015 at 09:31:53AM -0500, shawn wilson wrote: >>> >> >> On Nov 16, 2015 5:37 PM, "Lisi Reisz" <lisi.re...@gmail.com> wrote: >>> >> >> > department has been trying for an hour". Puzzled, because I >>> >> >> > thought I had >>> >> >> > sent a .pdf, and had checked that it opened fine in Evince, I >>> >> >> > looked at >>> >> >> the >>> >> >> > file - groaned - and renamed scan-foo to scan-foo.pdf. When resent >>> >> >> > it >>> >> >> >>> >> >> communicated (via its extension). If you create a pdf, it is bad to >>> >> >> not >>> >> >> have the pdf extension - you've lost data. >>> >> > >>> >> > How have you lost data? >>> >> >>> >> You loose what the file type (data) should be if you save a file w/o >>> >> an extension. Again, this is fine for an installed program (no one >>> >> cares as long as it works) but not so good for data that is processed >>> >> by another program or a script I want to edit. >>> > >>> > You would have to give a specific example where a file processed by a >>> > program or script fails to open for this argument to be convincing, You >>> > also have to distinguish between data in the file and information the >>> > extension conveys to the program. >>> >>> How about just that vim filetype relies on the filename to determine the >>> format? >> >> "vim filetype". I don't know what you mean. 'vim /usr/bin/vim' opens the >> file. I do not understand a word of the display but it does open it. An >> extension doesn't seem to have a part to play in the file's opening. 
>>
>
> Your way of setting filetype is by looking at the extension - for example:
> :autocmd BufRead *.js set filetype=javascript
>
> Same goes for *.pl or *.pm or *.py or *.c, etc

Here's another example of magic failing:

% file t.sh                                   Downloads/temp swlap1
t.sh: ASCII text
% cat t.sh                                    Downloads/temp swlap1
max=10
echo "HERE 1"
for (( count = 0; count <= max; count++ )) ; do
  echo "$count"
  sleep "${sleep:-0}"
done
echo "HERE 2"
% ./t.sh                                      Downloads/temp swlap1
HERE 1
0
1
2
3
4
5
6
7
8
9
10
HERE 2
Re: how execute a script
On Tue, Nov 17, 2015 at 3:24 PM, <to...@tuxteam.de> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Tue, Nov 17, 2015 at 03:15:21PM -0500, shawn wilson wrote: >> > % file t.sh >> > t.sh: ASCII text >> > % cat t.sh >> > max=10 >> > >> >> Oh and before someone says "but there's some standard that says you're >> supposed to put a shebang at the top" - afaik, it's not in POSIX >> anywhere: >> http://www.in-ulm.de/~mascheck/various/shebang/ > > You forgot to mention that it's in AT Unix since 1979. I'd venture to > say that nowadays it is an integral part of Unix. > Merely pointing out it's not a spec. But yeah, it's older than me :) >> So, magic dropped the ball - should've been identified as a shell >> script (due to the use of "echo" > > Now you lost me. > If magic were smarter (was able to derive from syntax or had regex capability in the format), it could've still told me I was looking at a script (and not just a bunch of text - which is next to useless). It doesn't, so arguing that magic could be used (not an argument I've seen, but one I was expecting and figured I'd preempt) instead of an extension is lacking.
Re: how execute a script
On Tue, Nov 17, 2015 at 4:25 PM, <to...@tuxteam.de> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tue, Nov 17, 2015 at 04:13:48PM -0500, shawn wilson wrote:
>> On Tue, Nov 17, 2015 at 3:24 PM, <to...@tuxteam.de> wrote:
>
> [...]
>
>> > Now you lost me.
>> >
>>
>> If magic were smarter (was able to derive from syntax or had regex
>> capability in the format), it could've still told me I was looking at
>> a script (and not just a bunch of text - which is next to useless). It
>> doesn't, so arguing that magic could be used (not an argument I've
>> seen, but one I was expecting and figured I'd preempt) instead of an
>> extension is lacking.
>
> Got it. But magic *can* do many of those things. A headless shell
> script is a tough nut to crack, though: "echo" could occur as well
> in a Tcl script (via Tcl's crazy but genius "unknown" mechanism).
>

You're right - just "script" then. I'm not dissing magic - it's a good starting point in forensics or to see what's in a bin directory, but shouldn't be relied on (also see ftimes xmagic for a more featureful magic implementation w/e sf comes back up). My point is that you can't determine what you're looking at w/o being told (an extension) or looking at it. So (my original point) you lose data by removing/not having an extension.
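The argument in this thread, as an added example (not code from any poster; the function names and sample files are constructed): a PDF or a script with a `#!` line identifies itself in its first bytes, while a headless script like t.sh does not, so its name is the only type information left. A name and content that disagree is the case worth flagging during triage.

```shell
#!/bin/sh
# Added illustration (constructed): compare what a file's leading bytes say
# with what its name says, the two sources of type information discussed
# in the thread.

# magic_kind FILE -> pdf | script:<interpreter> | unknown
magic_kind() {
    # Signature test on the first 5 bytes; NULs are dropped so binary
    # input does not upset the command substitution.
    sig=$(head -c 5 "$1" 2>/dev/null | tr -d '\000')
    if [ "$sig" = "%PDF-" ]; then
        echo pdf
        return 0
    fi
    first=$(head -c 256 "$1" 2>/dev/null | head -n 1 | tr -d '\000')
    case $first in
        '#!'*)
            # Split the rest of a "#!/usr/bin/env bash" style line into words.
            read -r interp arg rest <<EOF
${first#??}
EOF
            interp=${interp##*/}
            if [ "$interp" = env ] && [ -n "$arg" ]; then
                interp=$arg
            fi
            echo "script:${interp:-unknown}"
            ;;
        *)
            echo unknown
            ;;
    esac
}

# name_kind FILE -> pdf | script | other | none   (extension only)
name_kind() {
    base=${1##*/}
    case $base in
        *.pdf)                      echo pdf ;;
        *.sh|*.bash|*.py|*.pl|*.js) echo script ;;
        *.*)                        echo other ;;
        *)                          echo none ;;
    esac
}

# classify FILE -> "magic=<m> name=<n> verdict=<v>"
classify() {
    m=$(magic_kind "$1")
    n=$(name_kind "$1")
    mk=${m%%:*}                     # script:bash -> script
    if [ "$mk" = unknown ] && [ "$n" = none ]; then
        v=undetermined              # nothing to go on but reading the file
    elif [ "$mk" = unknown ]; then
        v=name-only                 # e.g. a headless script with an extension
    elif [ "$n" = none ] || [ "$n" = other ]; then
        v=content-only              # e.g. scan-foo, test.blo
    elif [ "$mk" = "$n" ]; then
        v=agree
    else
        v=mismatch                  # name claims one type, bytes say another
    fi
    echo "magic=$m name=$n verdict=$v"
}

# make_samples DIR: constructed files named after the ones in the thread.
make_samples() {
    printf '%%PDF-1.4\n%% constructed stub, not a real document\n' > "$1/scan-foo"
    cp "$1/scan-foo" "$1/scan-foo.pdf"
    cp "$1/scan-foo" "$1/test.blo"
    printf 'max=10\necho "HERE 1"\n' > "$1/t.sh"    # headless, as posted
    cp "$1/t.sh" "$1/t"
    printf '#!/usr/bin/env bash\necho hi\n' > "$1/run.sh"
    cp "$1/run.sh" "$1/fake.pdf"                    # name and bytes disagree
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for f in scan-foo scan-foo.pdf test.blo t.sh t run.sh fake.pdf; do
        printf '%-14s %s\n' "$f" "$(classify "$d/$f")"
    done
    rm -rf "$d"
}

demo
```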
Re: how execute a script
On Tue, Nov 17, 2015 at 5:17 PM, shawn wilson <ag4ve...@gmail.com> wrote: > shouldn't be relied on (also see ftimes xmagic for a more featureful > magic implementation w/e sf comes back up). Ugh, it's back now: http://ftimes.sourceforge.net/FTimes/XMagic.shtml
Re: how execute a script
You can call a function from within a sourced file and it'll run (no matter x bit). So:

# ~/bin/runner.sh
runner () {
  echo foo
}
runner

# ~/.bashrc
PATH="$PATH:~/bin"
source runner.sh

On Nov 14, 2015 4:51 AM, "Pol Hallen" wrote:
> Put the command at the end of /home/user/.profile
>> It works for me.
>>
>
> thanks for help but does not work :-/
>
> Pol
Re: BIOS size limit for USB flash drives
On Sep 8, 2015 6:51 AM, "Pascal Hambourg" <pas...@plouf.fr.eu.org> wrote: > > shawn wilson a écrit : > > > > (which uefi uses for boot). > > So what ? Who needs an EFI system partition bigger than the recommended > 512 MB ? > Maybe he was trying to use a bigger partition? Do you have a better idea what's happening? Was just listing the only bios limits I'm aware of. I'm pretty sure the issue is not with the bios since none I'm aware of can address ext2 at all.
Re: BIOS size limit for USB flash drives
On Sep 7, 2015 9:47 AM, "Ken Heard" wrote:
> Is there any limit to the size of a USB flash drive with the ext2 file
> system encrypted on it which can be addressed through the BIOS
> interface? (I am using Debian Jessie.) The largest size I am now
> using is 32 gb drives but would like to use 64 gb or even 12 gb drives.
>

IIRC, 32 GB is the limit of vfat (which uefi uses for boot). I can't think of any other limitation here. As already stated, ext2 is 2 TB. Old bios needed the initial kernel in the first few sectors - basically, for lots of these reasons, make boot a different partition (shouldn't need more than a gig).
Re: Question about mv operation.
On Aug 4, 2015 1:26 AM, Some Body somebody.mo...@gmail.com wrote: Le mardi 04 août 2015 à 16:11 +0800, Magicloud Magiclouds a écrit : Now, I see in both locations, there are the file. My question is, is it safe to remove file in dest, and move to it again from src? If you don't want to take a risk, couldn't you copy the files in dest in another folder, or in a .tar archive, in order to have a backup if you need one ? Yeah, unless you're moving on the same fs (because changing inode info is faster than data copy and delete) don't use mv. It's not atomic - rsync at least tries to be atomic with a temp file that gets moved into place but mv isn't that smart (what you want on the same fs).
Re: IP address
On Jul 17, 2015 11:53 AM, Elimar Riesebieter riese...@lxtec.de wrote: * John J. Boyer john.bo...@abilitiessoft.org [2015-07-17 08:32 -0500]: I have Jessie set up for CLI only. The machine is on a local network using dhcp. What command will tell me what ip address it is using? $ dig +short `hostname -f` Won't always work (I'd even go as far as to say it generally won't)
Re: cp output format
On Jul 17, 2015 7:16 AM, Nicolas George geo...@nsup.org wrote: Le nonidi 29 messidor, an CCXXIII, Andrew McGlashan a écrit : Not sure if this is relevant enough, but I have a method to keep source files -- in this case .forward files in a controlled directory; if any of these differ from the target locations, then I save the target location file with a dated version and copy in the controlled source copy. This way I only get new files if they are changed, you could use a similar method for the backups, that is only copying files to the backup area if they are different to the current copy in the source area. If your files were all isolated in small hierarchies, I would have suggested to use Git instead, but with dotfiles in several home directories, that is not practical. And I realize you already considered that. Heh, I symlink my dotfiles to the repo that contains them. No issues here. On the other hand, I suspect rsync (with option -c) can detect the files that need updating in a simpler way. [snipped all of the bash stuff you don't need because you have rsync] To do that kind of thing reliably, you need to create a temporary file and rename it once it is complete. Just use rsync for the copy, it does that by default. fi done ) And done :)
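What this message and the mv thread above describe, as an added sketch (not code from any poster; the function names are hypothetical): copy into a temporary file in the destination directory, verify it, then rename it into place, keeping a dated copy of the old target when the content differs. A reader of the destination never sees a half-written file, and an interrupted copy leaves the old file intact.

```shell
#!/bin/sh
# Added illustration (constructed): temp-file-then-rename, the behaviour the
# thread attributes to rsync, plus the "dated backup when changed" method.

# atomic_install SRC DST -> exit 0 when DST now holds a full copy of SRC
atomic_install() {
    src=$1
    dst=$2
    dir=$(dirname "$dst")
    # The temp file lives in the SAME directory as DST: rename is only
    # atomic within one filesystem, which is also why mv across filesystems
    # degrades to copy + delete. mktemp gives an unpredictable name, so a
    # pre-planted symlink cannot redirect the write.
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    if cp -p -- "$src" "$tmp" && cmp -s -- "$src" "$tmp"; then
        if mv -f -- "$tmp" "$dst"; then
            return 0
        fi
    fi
    rm -f -- "$tmp"          # failed or short copy: DST was never touched
    return 1
}

# deploy_controlled SRC DST -> prints installed | unchanged | updated:<backup>
deploy_controlled() {
    if [ ! -e "$2" ]; then
        atomic_install "$1" "$2" && echo installed
    elif cmp -s -- "$1" "$2"; then
        echo unchanged
    else
        # Copy (not move) the old target aside so DST exists at every moment.
        backup=$2.$(date +%Y%m%d-%H%M%S)
        cp -p -- "$2" "$backup" || return 1
        atomic_install "$1" "$2" && echo "updated:$backup"
    fi
}

demo() {
    work=$(mktemp -d) || return 1
    printf 'version 1\n' > "$work/controlled.forward"
    deploy_controlled "$work/controlled.forward" "$work/target.forward"
    deploy_controlled "$work/controlled.forward" "$work/target.forward"
    printf 'version 2\n' > "$work/controlled.forward"
    deploy_controlled "$work/controlled.forward" "$work/target.forward"
    rm -rf "$work"
}

demo
```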
Re: Free GNU/Linux intro class for teens advice? Purchase box? Squeak/Smalltalk programming
On Jul 6, 2015 8:17 PM, Marc D Ronell mron...@alumni.upenn.edu wrote: As a test, I purchased a laptop (Toshiba Satellite C75-B7180) on sale for $350 at our local Microcenter in Cambridge and was able to load GNU/Linux for my son. I am thinking of working some programming assignments in Squeak (Smalltalk), but maybe C is a better choice for an OS class?

I agree - no on the extra laptop. Virtualbox would be fine (a Pi might work too but then you've got to consider peripherals). Smalltalk is fine but I'd go with Pharo. No on c too - too complex. Maybe teach js if you don't want Smalltalk. Don't teach bash either - too many edge cases and weirdness (when to quote, not being able to return date from functions properly, etc.). If you did ruby or js you could probably get help from a local group. I would also teach the system separate from programming. They're both big topics and you'll end up overwhelming everyone (yourself included).
Re: Systemd files on a Raspberry Pi
Just tired of seeing the debate brought up along w/ any and every systemd (and sometimes not even mildly related) issue. I wish there's a debian-systemd list for everyone who still wants to have this debate or see it improved / removed (and maybe there is and it should be advertised better). On Mon, Jun 22, 2015 at 8:07 PM, chris tknch...@gmail.com wrote: +1 On Jun 22, 2015 7:24 PM, Zebediah C. McClure z...@ensistech.com wrote: On Monday 22 June 2015 18:30:56 shawn wilson wrote: On Jun 22, 2015 4:39 PM, Dan Ritter d...@randomstring.org wrote: On Mon, Jun 22, 2015 at 10:05:28PM +0200, Ansgar Burchardt wrote: Dan Ritter d...@randomstring.org writes: People only complain about systemd being a cancer if they love the Debian system otherwise. [snip] The next time a systemd booster tells people to leave the community rather than try to fix Debian, please call them on that behavior and tell them you won't stand for it. You're being sarcastic - I'm not when I say I totally agree with this statement - use it or leave. Train has left the station on this. (I don't have strong opinions on systemd - I run Ubuntu and Gentoo at work and home and another few Debian boxes at home and the Gentoo boxes don't have systemd. But I don't care that y'all hate or love something and I doubt anyone else on this list does either) Thread jumping a bit here. I subscribed to the list because I find systemd to be broken enough to warrant removal as the default init system. I wasn't here when the devs made the choice to put it in, I'm here now because it's hitting my machines. I'm sure I'm not the first or last to say Systemd is broken, it shouldn't be default init. zmc -- Ensis Technologies www.ensistech.com 1-888-373-9056 -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? 
Contact listmas...@lists.debian.org Archive: https://lists.debian.org/1572002.SC9qDQxlF3@strata
Re: Systemd files on a Raspberry Pi
On Jun 22, 2015 4:39 PM, Dan Ritter d...@randomstring.org wrote: On Mon, Jun 22, 2015 at 10:05:28PM +0200, Ansgar Burchardt wrote: Dan Ritter d...@randomstring.org writes: People only complain about systemd being a cancer if they love the Debian system otherwise. [...] Remember that every time you tell people to go use something else, you are saying that they are not valued members of the community. I do indeed not consider people with toxic behaviour as valued members of the community. Loving something is *not* an excuse for such behaviour. Short outbursts of temper I can understand, and I assume so can most others, but continued abuse over a long time is not something I think we should put up with. It's just damaging and drives other users and people who contribute away (and this has happened already over this specific behaviour). You're absolutely right. The next time a systemd booster tells people to leave the community rather than try to fix Debian, please call them on that behavior and tell them you won't stand for it. You're being sarcastic - I'm not when I say I totally agree with this statement - use it or leave. Train has left the station on this. (I don't have strong opinions on systemd - I run Ubuntu and Gentoo at work and home and another few Debian boxes at home and the Gentoo boxes don't have systemd. But I don't care that y'all hate or love something and I doubt anyone else on this list does either)
Re: Systemd files on a Raspberry Pi
On Jun 22, 2015 9:16 PM, Zebediah C. McClure z...@ensistech.com wrote: I'm sure it's going to continue, There should be a place for this problem though. I took a quick look at the debian bug-tracker and it looks more like a collection of mailing lists. After looking at how systemd does things, I'd rather have the bug read, Remove as default instead of fixing bugs in systemd. Is there any way to metric how many people think this is a bad decision? I agree it should be able to be easily changed out but it's got some interesting features such that having it default for most archs is fine.
Re: ipset
On May 9, 2015 12:59 PM, Gokan Atmaca linux.go...@gmail.com wrote:

The Loop gives error as follows.

# for g in 'gawk '{print $2}' facebook.com-ip'; do ipset add face $g; done
ipset v6.23: Syntax error: cannot parse gawk: resolving to IPv4 address failed
ipset v6.23: Syntax error: cannot parse }: resolving to IPv4 address failed

IIRC you need to define the set first and it's telling you the data isn't an IP address. You should show some data.
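As posted, the single quotes make the loop iterate over the literal text of the gawk command rather than its output, which is why ipset is handed `gawk` and `}`. An added sketch (not from the thread) that defines the set first and checks every value before it reaches ipset: the set name `face` and the column-2 layout follow the question, while the `hash:net` set type and the sample data are assumptions made here.

```shell
#!/bin/sh
# Added illustration (constructed): turn column 2 of a whitespace-separated
# file into input for "ipset restore", validating each value first so a
# stray word can never be passed on as an address.

# restore_lines FILE SETNAME -> "create"/"add" lines on stdout,
# one warning per rejected value on stderr.
restore_lines() {
    awk -v name="$2" '
    # Returns 1 for a dotted quad (octets 0-255, no leading zeros) with an
    # optional /0../32 prefix, 0 for anything else.
    function valid_ipv4(s,    parts, n, i, addr, pfx, slash) {
        addr = s
        slash = index(s, "/")
        if (slash) {
            addr = substr(s, 1, slash - 1)
            pfx  = substr(s, slash + 1)
            if (pfx !~ /^[0-9][0-9]?$/ || pfx + 0 > 32) return 0
        }
        n = split(addr, parts, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++) {
            if (parts[i] !~ /^(0|[1-9][0-9]?[0-9]?)$/) return 0
            if (parts[i] + 0 > 255) return 0
        }
        return 1
    }
    BEGIN { print "create " name " hash:net" }   # the set has to exist first
    NF == 0 || /^[ \t]*#/ { next }               # blank lines and comments
    {
        if (valid_ipv4($2)) {
            if (!seen[$2]++) print "add " name " " $2
        } else {
            printf "line %d: not an IPv4 address: %s\n", NR, $2 > "/dev/stderr"
        }
    }' "$1"
}

# sample_file PATH: constructed data (documentation address ranges only).
sample_file() {
    cat > "$1" <<'EOF'
# origin   prefix
AS64500    192.0.2.0/24
AS64500    198.51.100.7
AS64500    203.0.113.300
AS64500    gawk
AS64500    192.0.2.0/24
AS64500    10.1.2.3/33
EOF
}

# Stand-alone run: print what would be fed to ipset. On a real system the
# output would be piped into "ipset -exist restore" as root.
tmp=$(mktemp) && sample_file "$tmp" && restore_lines "$tmp" face
rm -f "$tmp"
```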
Re: Which plotter printer would you recommend for construction engineers who will be using Linux?
On Fri, Mar 13, 2015 at 7:39 PM, Doug dmcgarr...@optonline.net wrote: Another reason to buy the HP: if they are abundant, then inks should be abundantly available also. If you get something else, supplies might be difficult to come by in such an out-of-the-way area. Something to check out before you commit! He said plotter printer - I'm guessing this means plotter. If this is the case, you're dealing with pens and an ink well. And you can generally use basically w/e ink you want (like silver or other metals to make printed antennas).
Re: Which plotter printer would you recommend for construction engineers who will be using Linux?
On Mar 13, 2015 5:41 PM, Ric Moore wayward4...@gmail.com wrote: You might want to go at this from another direction. I suppose you have already chosen your software?? Ask them. They would know better than anyone what plotter works with their software. Ric I agree with this. But besides that, even if your plotter only supports Windows (IDK how - AFAIK all its doing is shooting over an EPS but if not) just buy it and whatever Windows desktop, make it a print server and go with it. Your plotter is going to run you upwards of $5k so another couple hundred dollars shouldn't kill you.
Re: Recompiling debian kernel
On Mar 5, 2015 7:26 AM, csanyi...@gmail.com wrote:

make deb-pkg replaces all this:

Then I execute make to build the kernel, and
sudo make modules_install
dpkg-buildpackage -us -uc -b -apowerpc
but at these last step I get an error message:

make[2]: Leaving directory `/home/csanyipal/BubbaKernelek/LeforditottKernelek/\
Community-b3-kernel/community-b3-kernel/debian/build/source'
dtc -b 0 -V 17 -R 4 -S 0x3000 -I dts -O dtb -f debian/dts/bubba.dts debian/dts/bubba.dtb
/bin/sh: 1: cannot create debian/dts/bubba.dtb: Directory nonexistent
make[1]: *** [override_dh_auto_build] Error 2
make[1]: Leaving directory `/home/csanyipal/BubbaKernelek/LeforditottKernelek/\
Community-b3-kernel/community-b3-kernel'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

What should I do to solve this problem?

It's worth a shot if there are no other prereqs. Keep old debs in another directory and then you can:

cd ..
dpkg -i *.deb

And reboot.
Re: rsync question
On Feb 6, 2015 11:14 PM, Don Armstrong d...@debian.org wrote: On Sat, 07 Feb 2015, Curtis Vaughan wrote: That seems to work, but here's a problem. Each time it enters a new user directory I have to re-enter the root password. I realize I can just set it up so that I don't have to enter a password at all, but maybe there's a way to set it, so I'd have to only enter the root password once? The general method is to use ssh connection sharing; you connect once, then subsequent connections use the master connection. Just to expand on that, you need to setup ControlMaster (see the man page - this comes with risk - like keeping agent running). This will keep the session open between calls, hence things will run faster (don't have to reestablish session key each time) and you don't reauth (nothing is checked that would require auth). And further: You shouldn't be using password auth and should be using keys everywhere. You can also use RSYNC_PASSWORD if using rsync protocol (god please don't do this - any of it - using rsync directly or sending passwords over the wire). You should be able to do this with just rsync (no bash) but I'm not at a computer and can't do that off the top.
Re: GHOST, Am I ok?
You'll need a reboot since most everything links against libc.so.6 it'll never be unloaded. On Wed, Jan 28, 2015 at 4:59 PM, Bob Bernstein poo...@ruptured-duck.com wrote: On Wed, Jan 28, 2015 at 04:08:06PM -0500, Dan Ritter wrote: After you reboot, you are. Before that, maybe. Thanks everyone. I was not at all on top of this thing. -- Bob Bernstein
Re: GHOST, Am I ok?
doh, tired. sorry for the repeat. On Wed, Jan 28, 2015 at 5:16 PM, shawn wilson ag4ve...@gmail.com wrote: You'll need a reboot since most everything links against libc.so.6 it'll never be unloaded. On Wed, Jan 28, 2015 at 4:59 PM, Bob Bernstein poo...@ruptured-duck.com wrote: On Wed, Jan 28, 2015 at 04:08:06PM -0500, Dan Ritter wrote: After you reboot, you are. Before that, maybe. Thanks everyone. I was not at all on top of this thing. -- Bob Bernstein
Re: Command line wifi tooling
Not sure if you're looking for cli or ncurses. I always just do:

nmcli dev wifi # list APs)
nmcli con essid password password

That assumes networkmanager - I'm sure installer probably uses iwlist dev scan and then either iwconfig or wpa_supplicant/wpa_passphrase though.

On Fri, Nov 28, 2014 at 4:00 AM, Bram Diederik bram.diede...@gmail.com wrote: Hi all, During Debian installation does the user has an option to use the wifi to get debian packages. The user is shown all access point. And fill in the credentials after selection an AP. My question is. Is there an commandline equivalent to this? Thanks in advance. Bram
Re: umask has no man page?
While I like the dhelp script idea, I think man is a pure UX issue - man should generally DWIM because if I type man foo, I don't want to jump through hoops. There are times (looking at libraries and system calls and the like) that knowing the system helps. However, with 20 (IDR how many - a bunch) this gets annoying. I think the easiest fix would be for debian to have a per shell alternatives search (/etc/alternatives/man/shell) that the shell's global rc can prepend to $MANPATH (of course, I compile zsh from git, so no help for me, but w/e). This way we can include builtins for shells and they are no longer there when we switch shells.

On Sun, Nov 2, 2014 at 12:17 PM, Carl Fink c...@finknetwork.com wrote: However, doesn't the Debian policy manual require a man page for every program?

These aren't programs (though, man [ DWIM - guess it's both a program AND a builtin - ugh) these are a part of your shell - a program, but it's like arguing that each program function gets a manpage - not happening.

Wouldn't that lead users to try the man system to get help on every command, since a new or non-technical user would have no way to know that umask or read or fg is not a program but a personality of Bash? So why _not_ have a man page for them?

And I agree with this (again because the man system should try to DWIM). Just not as a part of a global man system (because that would fail to DWIM which has already been pointed out for the which command).
Re: Installing an Alternative Init?
On Nov 10, 2014 11:34 AM, Michael Biebl bi...@debian.org wrote: Am 10.11.2014 um 17:26 schrieb Patrick Bartek: On Mon, 10 Nov 2014, Michael Biebl wrote: You can use pre-seeding and run preseed/late_command=in-target apt-get install -y sysvinit-core in the debian-installer. While that does indeed first install systemd-sysv, it's directly replaced again during system installation and doesn't require you to boot with systemd as PID 1. So it might be pretty close to what you're looking for. Thanks. But wouldn't it be nice if as an option, you could just pick which init you wanted in the installer. It would make things so much easier. Too late to implement this, I suppose. Maybe, in the next release? Most users simply don't care and don't want to be bothered with this. It's not like we prompt the user whether he wants to use grub or isolinux. If we added an explicit switch, this would have to be in expert-install-mode only imo. I can't speak for the d-i people, but since we entered freeze, I guess it's likely too late to add that for jessie. Especially, as already mentioned, you do already have a mechanism via preseed/late_command.

Not sure whether this was deb or slack, but I do remember a prompt of grub vs lilo for a while (also the choice of password hash was there for a while too). Ie, it wouldn't be precedented.
Re: Joey Hess is out?
On Nov 9, 2014 4:46 AM, Jonathan Dowland j...@debian.org wrote: On Sun, Nov 09, 2014 at 05:38:59PM +1100, Andrew McGlashan wrote: What part of we don't want systemd on any of our systems don't you get? If we don't want it, we won't be testing it. There's still plenty of work to be done testing upgrade paths for sysvinit; improving systemd-shim; patching d-i so that you can preseed a systemd-free install; no shortage of places to constructively apply yourself. Right, as well, to be a part of a community means going with the flow when the community heads a certain direction. Just for the record, I'm split on systemd -I generally like the idea, don't like how its been pushed out, and think there should be non-systemd packages wherever possible.
Re: Joey Hess is out?
On Nov 8, 2014 12:24 PM, Miles Fidelman mfidel...@meetinghouse.net wrote: Mart van de Wege wrote: Slavko li...@slavino.sk writes: Ahoj, Dňa Sat, 08 Nov 2014 16:03:46 +0100 Mart van de Wege mvdw...@gmail.com napísal: Why don't the anti-systemd people do what they've been threatening the whole time and fuck off to another distro or to FreeBSD? This is exact example why i stopped all my contribution to Debian, and i will not start it again, despite if i stay with Debian in future or not! I orphan my packages in near future. If the community consider people which have another opinion as bad, it is time do not contribute to it more. And whole debate is about one idea: If you don't like systemd, you are stupid. I consider people that bring nothing else but their opinion to the table as lesser than people who do the actual development, yes. In this discussion at least. If you can't even be bothered to set up a test server to look at systemd, but instead foul up the mailing lists creating a climate where threats to the actual developers become normal, then you can sod off. I wouldn't trust you to sit the right way on a toilet seat. So you're saying that reading specs, documentation, install reports, bug reports, qa threads about specific problems, and so forth, are not useful ways to evaluate technology? Where I come from, that's called doing one's homework. If that's suggesting those supplant actual testing. If you're suggesting docs should be considered *as well*, absolutely.
Re: /etc/udev/rules.d/10-local.rules
On Nov 2, 2014 6:03 PM, pe...@easthope.ca wrote: Until recently # The black Kingston SDHC card. KERNEL==mmcblk?p1, ATTR{size}==7626752, SYMLINK+=BlackSDHC1, \ OWNER=peter, GROUP=users in /etc/udev/rules.d/10-local.rules produced /dev/BlackSDHC1. Now that doesn't work although, if the part is labeled, it is automounted at /media/label. lsusb -v Everything must match the same set. No error message appears with interactive udevadm trigger. No error message is visible in /var/log/syslog. Of course not - the rule is structured correctly and it could match for another device.
apt as a user
I'm trying to allow an apt user to run apt* commands. I've got this polkit:

/etc/polkit-1/localauthority/30-site.d/10-org.com.foo.apt.pkla
[Configuration]
AdminIdentities=unix-user:apt
Action=org.debian.apt.*
ResultAny=no
ResultInactive=no
ResultActive=yes

However when I:
su - apt
it looks like nothing has changed:

$ apt-get update
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

I've got aptdaemon installed. Any idea what I'm doing wrong here?
Re: apt as a user
On Fri, Oct 31, 2014 at 12:05 PM, Mario Castelán Castro marioxcc...@yandex.com wrote:
> On 31/10/14 09:29, shawn wilson wrote:
> > I'm trying to allow an apt user to run apt* commands. I've got this polkit:
> > /etc/polkit-1/localauthority/30-site.d/10-org.com.foo.apt.pkla
> > [Configuration]
> > AdminIdentities=unix-user:apt
> > Action=org.debian.apt.*
> > ResultAny=no
> > ResultInactive=no
> > ResultActive=yes
> > However when I:
> > su - apt
> > it looks like nothing has changed:
> > $ apt-get update
> > E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
> > E: Unable to lock directory /var/lib/apt/lists/
> > E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
> > E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
> > I've got aptdaemon installed. Any idea what I'm doing wrong here?
> I'm not an expert in Debian package management, but I think that the error is what it says, the user lacks appropriate permissions for those files and directories. I recommend that you configure sudo to allow those users to invoke at least apt-get. You can also use sudo to log the commands and even the command line interaction. See the man page of sudo and sudoers.

Arg, I forgot to mention the reason I'm doing this: Right now I only allow http(s) out to repo servers on certain times that we do updates:
-A FORWARD -d dest ip -i eth5 -p tcp -m tcp --sport 1024:65535 --dport 80 -m time --weekdays day --datestop time range -j ACCEPT
What I want is a way to limit it to a command. The only way I know how to do that is to specify --uid-owner in iptables

> Bear in mind that users who can install and uninstall packages can make the system unusable or purposely install a vulnerable package to perform privilege escalation. If they can add repositories, they can easily direct the package manager to a specially crafted package which will give them root access without the need to exploit an existing package.
> If you wouldn't trust root access to those users, don't give them package management capabilities.

So my original thought was to use pkexec and set the user to /bin/false but pkexec wants to ask me for a password - since I don't have/know/want to use a password (all logins are ssh with keys) IDK that's going to work. So just a user to su into in order to run the command should be ok? Security wise - I'm always open to being checked.
Re: apt as a user
On Fri, Oct 31, 2014 at 12:17 PM, shawn wilson ag4ve...@gmail.com wrote:
> On Fri, Oct 31, 2014 at 12:05 PM, Mario Castelán Castro marioxcc...@yandex.com wrote:
> > On 31/10/14 09:29, shawn wilson wrote:
> -A FORWARD -d dest ip -i eth5 -p tcp -m tcp --sport 1024:65535 --dport 80 -m time --weekdays day --datestop time range -j ACCEPT

Also, that was from our firewall box - obviously in order to do this, I'll have to loosen that up and do the --uid-owner on the local box (which is fine - that rule should jump to an accept_log chain anyway).
Re: apt as a user
On Fri, Oct 31, 2014 at 12:40 PM, Vanessa vane...@ulukai.org wrote:
> On 2014-10-31 17:17, shawn wilson wrote:
> > On Fri, Oct 31, 2014 at 12:05 PM, Mario Castelán Castro marioxcc...@yandex.com wrote:
> > > On 31/10/14 09:29, shawn wilson wrote:
> > > > I'm trying to allow an apt user to run apt* commands. I've got this polkit:
> > > > /etc/polkit-1/localauthority/30-site.d/10-org.com.foo.apt.pkla
> > > > [Configuration]
> > > > AdminIdentities=unix-user:apt
> > > > Action=org.debian.apt.*
> > > > ResultAny=no
> > > > ResultInactive=no
> > > > ResultActive=yes
> > > > However when I:
> > > > su - apt
> > > > it looks like nothing has changed:
> > > > $ apt-get update
> > > > E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
> > > > E: Unable to lock directory /var/lib/apt/lists/
> > > > E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
> > > > E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
> > > > I've got aptdaemon installed. Any idea what I'm doing wrong here?
> If I'm reading the description and documentation of aptdaemon right, you need to use an aptdaemon client, which would be aptdcon in the same package. But the fetching and installation would then be done by aptdaemon, which would still be run as root and not the user executing aptdcon.

Ahha, that sorta worked:
$ aptdcon --safe-upgrade
The following packages will be upgraded (31):
[.]
Do you want to continue [Y/n]?Y
ERROR: You are not allowed to perform this action.
('system-bus-name', {'name': ':1.50'}): org.debian.apt.upgrade-packages

So, I'm guessing there's something wrong with my polkit rule?
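An added example, not part of the thread and not code from polkit or aptdaemon: a Python check of the .pkla file posted above against the key names documented in pklocalauthority(8). The function name lint_pkla, its messages and the REVISED file are this example's own.

```python
import configparser

# Result keys and values documented in pklocalauthority(8).
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
RESULT_VALUES = {"yes", "no", "auth_self", "auth_self_keep",
                 "auth_admin", "auth_admin_keep"}

# Content of the file as posted in the thread.
POSTED = """\
[Configuration]
AdminIdentities=unix-user:apt
Action=org.debian.apt.*
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

# Constructed variant using the documented key names. It lets the apt
# account call every org.debian.apt action without authentication, which
# the thread points out is equivalent to giving that account root.
REVISED = """\
[Let the apt account drive aptdaemon]
Identity=unix-user:apt
Action=org.debian.apt.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""


def lint_pkla(text):
    """Return (section, message) findings for the text of one .pkla file."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keep key case, polkit keys are case-sensitive
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        keys = dict(parser[section])
        if "AdminIdentities" in keys:
            findings.append((section, "AdminIdentities is a "
                             "localauthority.conf.d setting, not a .pkla key"))
        for required in ("Identity", "Action"):
            if not keys.get(required, "").strip():
                findings.append((section, "missing " + required))
        for key in RESULT_KEYS:
            if key in keys and keys[key] not in RESULT_VALUES:
                findings.append((section, "%s has unknown value %r"
                                 % (key, keys[key])))
        if not any(key in keys for key in RESULT_KEYS):
            findings.append((section, "no Result* key, entry decides nothing"))
        elif (keys.get("ResultActive") == "yes"
              and keys.get("ResultAny", "no") == "no"):
            # ResultActive covers active local sessions only; a subject that
            # arrived over SSH is answered from ResultAny.
            findings.append((section, "ResultActive=yes with ResultAny=no "
                             "grants nothing to SSH logins"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("revised", REVISED)):
        for section, message in lint_pkla(text) or [("-", "no findings")]:
            print("%-8s [%s] %s" % (name, section, message))
```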
Re: Avoid reboot by loading initramfs again
On Oct 20, 2014 8:13 AM, Jimmy Thrasibule jimmy.thrasib...@gmail.com wrote:
> DM I think it depends on what you're trying to achieve and what you're
> DM trying to avoid.
> Well my first idea was to have a kind of management OS that I can load in memory to do some stuff like disk partitioning, fsck, etc...

See Qubes. It's what Amazon uses for AWS. It's based on Fedora but idk of a Debian based distro with a similar focus.
Re: Problem with SSH host keys
On Sep 23, 2014 6:44 PM, Keith Lawson ke...@nowhere.ca wrote:
> On Tue, Sep 23, 2014 at 04:45:50PM -0400, shawn wilson wrote:
> > On Tue, Sep 23, 2014 at 10:20 AM, Keith Lawson ke...@nowhere.ca wrote:
> > > Hello, I'm running jessie on my laptop and after doing a dist-upgrade yesterday I'm getting SSH host key errors for a bunch of servers I've been connecting to for years:
> > IDK this has anything to do with the problem you're seeing (unless you have something wacky with your ~/.ssh - like it symlinked to /etc/ssh or something). So, I'll just go on the assumption that this is coincidence...
> > > The authenticity of host 'blah' can't be established.
> > > RSA key fingerprint is e8:08:db:b0:e7:38:57:d4:82:a8:a4:1c:42:f0:25:09.
> > > Are you sure you want to continue connecting (yes/no)?
> > > The host keys are in ~/.ssh/known_hosts and haven't changed on the server side. Looking at the openssl, openssh-server and openssh-client change logs I don't see anything that would explain this behavior. Is anyone aware of any changes in openssh-client in jessie that would cause certain server keys that were previously working to be invalid?
> > The host keys are in known_hosts, but are the proper keys (the one you listed above - see ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server) listed there? Does your user own the file and is it mod 660 or less? Are you logging into the server you think you are (did you typo an ip in your ssh_config or is someone mitm you)?
> Time stamps on the keys on the server haven't changed and the key fingerprint on the server matches what's getting offered to the client. I use aliases like alias hostname='ssh ke...@hostaname.com' so typos are out of the question. Still stumped on what changed and when we're talking SSH keys that makes me nervous.

You didn't answer most of the above, so I'll just assume you've found that not to be an issue ... I guess the main way I debug SSH is to login out of band and look at both the client and server logs. You're aware of ssh_config? And that you can define the username to use for an arbitrary hostname to connect to a real ip? Basically doing the same thing your aliases do (but better). If you're going to add functionality to SSH, do it with functions so you have better control of what happens to parameters.
Re: Problem with SSH host keys
On Wed, Sep 24, 2014 at 3:41 AM, Karl E. Jorgensen k...@jorgensen.org.uk wrote:
> Another good reason not to hash the known_hosts file: bash command completion - after ssh or scp the bash command completion will use ~/.ssh/known_hosts to suggest/complete hosts. Brilliant stuff.

Weird the ssh host completion that zsh (or maybe it's something in omz) has seems to handle it fine. It seems to work with ssh (not very well with remote commands though), scp (I don't use it much), and rsync (though there are some quoting issues with globbing - I was working on making that work, but got side tracked).

That said, I plan to split up my known_hosts using the UserKnownHostsFile option Don pointed out as I'm now at 100 lines. Not much of an issue since ssh tells me what line is the issue and if I know something has changed (ie, most of my hosts now use ed25519) I open up vim and ##gdd:wq and then verify the new fingerprint. But, that would just be much cleaner.
Re: Problem with SSH host keys
On Tue, Sep 23, 2014 at 10:20 AM, Keith Lawson ke...@nowhere.ca wrote:
> Hello, I'm running jessie on my laptop and after doing a dist-upgrade yesterday I'm getting SSH host key errors for a bunch of servers I've been connecting to for years:

IDK this has anything to do with the problem you're seeing (unless you have something wacky with your ~/.ssh - like it symlinked to /etc/ssh or something). So, I'll just go on the assumption that this is coincidence...

> The authenticity of host 'blah' can't be established.
> RSA key fingerprint is e8:08:db:b0:e7:38:57:d4:82:a8:a4:1c:42:f0:25:09.
> Are you sure you want to continue connecting (yes/no)?
> The host keys are in ~/.ssh/known_hosts and haven't changed on the server side. Looking at the openssl, openssh-server and openssh-client change logs I don't see anything that would explain this behavior. Is anyone aware of any changes in openssh-client in jessie that would cause certain server keys that were previously working to be invalid?

The host keys are in known_hosts, but are the proper keys (the one you listed above - see ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server) listed there? Does your user own the file and is it mod 660 or less? Are you logging into the server you think you are (did you typo an ip in your ssh_config or is someone mitm you)?
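An added example, not code from the thread or from OpenSSH: the "are the proper keys listed there?" check from the messages above done by hand in Python, covering both plain and hashed known_hosts entries. Host names, keys and the salt are constructed, and only exact host names are handled (no wildcards, negation or [host]:port entries).

```python
import base64
import hashlib
import hmac
import struct


def md5_fingerprint(b64_blob):
    """Colon-separated MD5 of the decoded key blob, the format in the prompt."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hash_host(host, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_field_matches(field, host):
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(host, salt), field)
    return host in field.split(",")


def entries_for(known_hosts_text, host):
    """(line number, key type, fingerprint) for every entry naming host."""
    found = []
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # comments, blank lines, @cert-authority/@revoked markers
        if host_field_matches(parts[0], host):
            found.append((number, parts[1], md5_fingerprint(parts[2])))
    return found


def verdict(known_hosts_text, host, key_type, offered_fingerprint):
    """'unknown' is the case behind "authenticity of host ... can't be
    established"; 'mismatch' is the case behind the changed-key warning."""
    same_type = [e for e in entries_for(known_hosts_text, host)
                 if e[1] == key_type]  # an entry of another type does not count
    if not same_type:
        return "unknown"
    if any(fp == offered_fingerprint for _, _, fp in same_type):
        return "match"
    return "mismatch"


def constructed_rsa_blob(seed):
    """Well-formed but meaningless ssh-rsa blob, for the sample data only."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    return base64.b64encode(
        field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)).decode()


KEY_A = constructed_rsa_blob(b"server-a")
KEY_B = constructed_rsa_blob(b"server-b")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real keys",
    "blah.example.org,192.0.2.10 ssh-rsa " + KEY_A,
    hash_host("db.example.org", b"constructed-salt-001") + " ssh-rsa " + KEY_B,
])

if __name__ == "__main__":
    offered = md5_fingerprint(KEY_A)
    for name in ("blah.example.org", "blah", "db.example.org"):
        print(name, verdict(SAMPLE_KNOWN_HOSTS, name, "ssh-rsa", offered))
```

The short name "blah" comes back as unknown even though the same server is stored under its full name and address, which is the situation where the key is "in known_hosts" and the client still asks.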
Re: Iptables
On Jun 27, 2014 8:14 AM, Diogene Laerce me_buss...@yahoo.fr wrote:
> iptables -A INPUT -i eth0 -p udp -s 192.168.0.2/32 -d 192.168.0.1 --dport 137 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp -s 192.168.0.2/32 -d 192.168.0.1 --dport 138 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp -s 192.168.0.2/32 -d 192.168.0.1 --dport 139 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp -s 192.168.0.2/32 -d 192.168.0.1 --dport 445 -j ACCEPT
> Any clue ?

Clues, sure. It probably doesn't matter but establishing state in the middle of your rules looks weird. Second, don't silently drop stuff - make a log and drop chain. Last (probably your issue) is you're filtering out broadcasts. But if you log your drops, that'll be very apparent.
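An added example, not from the thread: what "log your drops" makes visible, as a Python summary of kernel log lines in the format the iptables LOG target writes. The log lines are constructed, and the "IPT-DROP: " prefix and the /24 netmask are assumptions, since the thread gives neither.

```python
import ipaddress
import re
from collections import Counter

LOG_PREFIX = "IPT-DROP: "  # assumed --log-prefix of the log-and-drop chain

# Constructed sample: NetBIOS datagrams from 192.168.0.2 go to the subnet
# broadcast address, which rules written with "-d 192.168.0.1" never match.
SAMPLE_LOG = """\
Jun 27 08:10:01 gw kernel: [  101.100000] IPT-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:00:00:02:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=101 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 27 08:10:02 gw kernel: [  102.100000] IPT-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:00:00:02:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=102 PROTO=UDP SPT=138 DPT=138 LEN=209
Jun 27 08:10:03 gw sshd[811]: Accepted publickey for admin from 192.168.0.9 port 40100 ssh2
Jun 27 08:10:04 gw kernel: [  104.100000] IPT-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:00:00:02:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=103 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 27 08:10:05 gw kernel: [  105.100000] IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:09:08:00 SRC=192.168.0.9 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=104 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
"""


def parse_drop(line):
    """Return the KEY=value fields of one logged packet, or None."""
    _, found, fields = line.partition(LOG_PREFIX)
    if not found:
        return None
    return dict(re.findall(r"(\w+)=(\S*)", fields))


def summarize(log_text, local_net="192.168.0.0/24"):
    """Count dropped packets per (kind, src, dst, proto, dport)."""
    net = ipaddress.ip_network(local_net)
    limited_broadcast = ipaddress.ip_address("255.255.255.255")
    counts = Counter()
    for line in log_text.splitlines():
        packet = parse_drop(line)
        if not packet or "DST" not in packet:
            continue
        dst = ipaddress.ip_address(packet["DST"])
        is_broadcast = dst in (net.broadcast_address, limited_broadcast)
        kind = "broadcast" if is_broadcast else "unicast"
        key = (kind, packet["SRC"], packet["DST"], packet["PROTO"],
               int(packet.get("DPT", 0)))  # ICMP lines carry no DPT
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, *key)
```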
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On Wed, Apr 16, 2014 at 8:54 AM, John Hasler jhas...@newsguy.com wrote:
> Bill Wood writes:
> > and medical identity theft has risen sharply in recent years.
> What is medical identity theft?

I'd also be interested seeing the proof for the claim (I think he means medical data breaches but IDK anyone has disclosed that information).
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On Apr 13, 2014 11:03 PM, Chris Bannister cbannis...@slingshot.co.nz wrote:
> Then there is also the very serious issue of embedded devices using openssl. Tablets, smartphones, routers, ... etc. etc.

You're correct about network hardware (though the only one I'm aware of so far is F5 with the latest firmware). If anyone knows of other network hardware that uses openssl (any version) I'd like to know. However, how exactly would this bug be used to compromise a client (tablet or smartphone) whose app uses openssl libs? (I think you spoke in error and my initial intent was to dispel FUD. However if there's a way, I'm really curious)
Re: OpenVPN + Heartbleed question
It might be possible for an openvpn server to initiate a heartbeat sequence with a client. And therefore for a rogue server to exploit this. I don't believe this to be the case however and I can't think of any other way of exploiting this. If you can get openvpn to use named sockets, you should be able to easily test this with existing scripts.

On Apr 14, 2014 3:24 AM, Alan Murrell li...@murrell.ca wrote:
> Hello All,
> I am not entirely sure if this is right place to ask, but I thought I would start here. We have a client who has several dozen remote locations all connected to the head office via OpenVPN tunnels. OpenVPN is from the Debian packages. The version of OpenSSL on the head office firewall running the OpenVPN server is a non-vulnerable version (it runs Debian 6.0.2, which has OpenSSL 0.9.8 installed). However, the remote locations are mix of Debian 6 and Debian 7 installations (the Debian 6 would not have a vulnerable version of OpenSSL, while the Debian 7 ones would, and can be patched by running 'apt-get update && apt-get upgrade' to install a patched version of OpenSSL)
> My question is this, really: while it is understood that the systems running the vulnerable versions of OpenSSL should be updated (and in fact are in process of doing just that), is there really any immediate danger of information being leaked from those tunnels? The certificates were all generated on the head office firewall running the OpenVPN server, and all the clients are making their connections to that non-vulnerable server (as far as Heartbleed goes, anyway), so are the tunnels themselves in fact in any danger of compromisation, even if the clients are running a vulnerable version of OpenSSL?
> I guess I am wondering if *all* those SSL tickets need to be revoked and re-generated (I know it is likely best-practice to do so, but is it likely necessary? It should likely be done anyway, but is there any immediacy about it that has to be done?)
> Thanks for your input.
> A.
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On Apr 14, 2014 11:01 AM, Chris Bannister cbannis...@slingshot.co.nz wrote:
> On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> > On 4/13/2014 10:03 PM, Chris Bannister wrote:
> > > ... considering it is a catastrophe worse than the Y2K bug.
> > This is several orders of magnitude less severe than Y2K.
> I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
> Catastrophic is the right word. On the scale of 1 to 10, this is an 11
> So I gathered, perhaps wrongly, that in that case the Y2K bug would have to be greater than 11 on a scale of 1 to 10.

No we're using hex based scales now. And how this works is when someone tries to be stupid and rate something a 17, it rotates into being a 0. They're different types of bugs. Taking a scale and making something out of bounds for it is stupid but really, so is comparing one bug to the other. They generally affected different types of systems, were caused by different types of oversight, were generally on a different programming level, and mostly the Y2K bug affected financial institutions and this bug has little effect there.

> > > Not even an email from the bank!
> > Many/most financial institutions disdain open source software and would much rather pay for proprietary commercial solutions so there is someone to sue and recover damages when things go tits up.
> That statement was made in the sense that at least the bank could have issued a statement along the lines of 'you may have heard of the heartbleed bug, we can assure all of our customers that we are not affected by this bug and there is no need to panic.'

No, I don't want to hear from my bank unless there's a problem. If everything is going OK, don't spam me. If it's not, by all means, let me know. This didn't affect them so don't tell me anything.
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On Apr 14, 2014 9:15 PM, John Hasler jhas...@newsguy.com wrote:
> shawn wilson writes:
> > No, I don't want to hear from my bank unless there's a problem. If everything is going OK, don't spam me. If it's not, by all means, let me know. This didn't affect them so don't tell me anything.
> You assume that they would tell you if they were affected. If I did any online banking (I don't) I'd change all the passwords no matter what the banks said and consider closing the accounts and opening new ones with different account numbers as well. Maybe with different banks.

Well yes, there are few businesses that have good security and information policies and who I trust. However, my point is that banks are in the business of keeping my money - that's what I pay them for. They're not a news outlet or someone who I trust to give me advice for the best use of other people's systems. And, when compromises do happen, we don't hear about it unless there was specific data loss found. So basically they should never send me this type of email.
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On Apr 14, 2014 10:11 PM, Richard Hector rich...@walnut.gen.nz wrote:
> On 15/04/14 12:59, shawn wilson wrote:
> > > That statement was made in the sense that at least the bank could have issued a statement along the lines of 'you may have heard of the heartbleed bug, we can assure all of our customers that we are not affected by this bug and there is no need to panic.'
> > No, I don't want to hear from my bank unless there's a problem. If everything is going OK, don't spam me. If it's not, by all means, let me know. This didn't affect them so don't tell me anything.
> They don't need to send an email, or anything intrusive. They just need to put a big notice on the login page of their internet banking site - along with (or instead of) all the ads they have for cheap loans or term deposits or whatever. It would make virtually no difference to the speed of logging in, and would reassure me that they take security seriously.

This is totally OT (this thread sorta has been for a while)

All banks take security seriously - if they fail audits, someone will get fired (probably a C level someone). Past that, I can say BofA seems to spend extra effort on security for businesses and high value customers, and Wells Fargo is probably one of the most secure financial institutions I know of (based on someone I know who Fortify for them and my mom complaining about how irritating it is to deal with them). I also know of a security company who has contracts with a financial institution. Basically they care and have tons more knowledge working on a subject than either of us have. If a company starts posting CVEs on their home page, I'll think it kinda cool or interesting, but I'm not going to read through it or take them more seriously because of it.
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On Tue, Apr 15, 2014 at 12:44 AM, Chris Bannister cbannis...@slingshot.co.nz wrote:
> On Mon, Apr 14, 2014 at 08:59:30PM -0400, shawn wilson wrote:
> > On Apr 14, 2014 11:01 AM, Chris Bannister cbannis...@slingshot.co.nz wrote:
> > > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> > > > On 4/13/2014 10:03 PM, Chris Bannister wrote:
> > > > > ... considering it is a catastrophe worse than the Y2K bug.
> > > > This is several orders of magnitude less severe than Y2K.
> > > I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
> > > Catastrophic is the right word. On the scale of 1 to 10, this is an 11
> > > So I gathered, perhaps wrongly, that in that case the Y2K bug would have to be greater than 11 on a scale of 1 to 10.
> > No we're using hex based scales now. And how this works is when someone tries to be stupid and rate something a 17, it rotates into being a 0.
> You'd be better off emailing Mr Schneier on that one.

You're going to blame someone else for your (quite literal) +1 on their comment. OK :)
Re: Cropping a large collection of .PNG screenshots
On Wed, Apr 9, 2014 at 6:03 AM, Kevin O'Gorman kogor...@gmail.com wrote:
> I have a few hundred screen shots I want to put on a web page, but they are all full-screen and I want to crop to the real contents. This is an identical region in all cases. So I want to script it.
> So, 2 questions:
> A) What's the best tool for the job? Gimp, irfanview, or something else?
> B) Is there a script already in existence where I can just change the crop rectangle? I really don't want to learn a new language for a one-time job.

After seeing tons of different scripts and no response to your idea of irfanview, I figured I'd put my $.02 in

Irfanview is a Windows program and this is a linux forum. Other than that, it is what I'd recommend someone look at in order to attempt to do this before I had to write them a one off script. Last I checked there is no linux port of irfanview. You could look at xnview/xnconvert and after you figure out the cli options, run it through a loop or xargs or find exec. You could also look for a gimpscript (basically python iirc) to do this there. Or if this is something you will need to repeat, you might look into writing it.
Re: is there a risk to program in java since sun is bought by oracle
(Nice top post) On Thu, Apr 10, 2014 at 2:57 AM, Gian Uberto Lauri gianuberto.la...@gmail.com wrote: The only problem with Java is that it is a bit old for current architectures. There are better languages that run on the JVM (Clojure and Scala to name two). The problems with java come from allowing untrusted compiled code to run natively on your machine (WebStart). Web services, databases, Android apps, etc don't have this issue. However, I'm pretty sure you can write Scala/Clojure WebStart apps that would have the same issues as native Java has here. The Java culture tends to piss me off so I try to stay away from it (and I like scripting languages better anyway). On 09/apr/2014, at 22:31, abdelkader belahcene abelahc...@gmail.com wrote: is there a risk to program in java since sun is bought by oracle ? AFAIK, the issue with Oracle is their release cycle (not sure if that's still the case).
Re: OpenSSL Heartbleed bug, Apache still vulnerable?
On Apr 9, 2014 3:51 PM, Sven Hartge s...@svenhartge.de wrote:
> Curt cu...@free.fr wrote:
> > On 2014-04-09, Jochen Spieker m...@well-adjusted.de wrote:
> > > The repository now contains a fixed version (0.9.4.2-r413). I tested it and the new version looks fine.
> > Don't mean to hijack, but is this a useful tool?
> > http://filippo.io/Heartbleed/
> To scan your complete network in mere seconds:
> https://github.com/robertdavidgraham/masscan
> http://blog.erratasec.com/2014/04/using-masscan-to-scan-for-heartbleed.html

There's also ssl-heartbleed.nse which (even though it's not threaded) is probably a bit faster (not to mention has a familiar interface). It also looks like they cleaned some stuff up in the port.
Re: Security question concerning jail or virtualization
On Fri, Mar 14, 2014 at 4:30 AM, Scott Ferguson scott.ferguson.debian.u...@gmail.com wrote: On 14/03/14 15:51, shawn wilson wrote: On Mar 14, 2014 12:13 AM, Brad Alexander stor...@gmail.com wrote: Due to this experience I would like to know what the best way to limit such problems is, especially when hosting web servers for users who may or may not have installed unsecure applications on the web server. None of those methods are dependent on password access. The initial attack isn't. Post exploit is. Again, I'd think there are legal issues with auditing your clients' software making all of this moot (besides my recommendation for a layer 7 firewall). Password security for the server (as distinct from user web applications) *should* be part of any webserver security. Debian provides dsniff and john the ripper which are used in industry best practice password auditing. By default Debian implements md5 and shadow which are the 'basis' of best practice password security (auditing are other practices add to those things). For most use cases, see hashcat - not jtr. Also default hash on debian is ssha per the $6$ in shadow - not md5. See: http://en.wikipedia.org/wiki/Crypt_%28C%29 It should also be noted - don't use md5 - ever. If you're dealing with web apps, use bcrypt or scrypt.
Re: Security question concerning jail or virtualization
Well Linux has LXC which is supposed to be equivalent to jails (also see docker). But use whatever suits you. Idk what's current for breaking out of VMs is. It might be good to pay attention to who is using the most entropy and make sure you don't run out. Most VMs use processor VT to isolate things (I don't think any 'jail' does this). I think most providers use OpenStack (a suite of technologies). YMMV

On Mar 13, 2014 11:06 PM, Martin Braun yellowgoldm...@gmail.com wrote:
> Hi
> I have recently experienced a server being hacked due to a security problem with a PHP application that made it possible for the hacker to gain a web shell.
> Due to this experience I would like to know what the best way to limit such problems is, especially when hosting web servers for users who may or may not have installed unsecure applications on the web server.
> What do the big hosters do? What do they use?
> The solution can't be too complicated to maintain and I would prefer each user being completely separated from the main OS and from other users.
> I have been thinking about running Debian inside FreeBSD Jails or The Warden. I have also been thinking about using Xen and installing several Debians on Debian.
> What is the best (and if possible simplest) way to deal with this?
> Kind regards
Re: Security question concerning jail or virtualization
On Mar 14, 2014 12:13 AM, Brad Alexander stor...@gmail.com wrote:
> > Due to this experience I would like to know what the best way to limit such problems is, especially when hosting web servers for users who may or may not have installed unsecure applications on the web server.
> Auditing your security is probably your best bet. As I said above, maybe some web app testing tools, run scans against your server regularly with Nessus or OpenVAS, plus the security best practices...Good password hygiene, bastion hosts (only one type of app on a machine), turning off/uninstalling unneeded apps, especially those with a network presence, etc.

I'm not sure how your customers may feel about you scanning their apps. What do you do if you find something they don't want to fix? It will probably even cause legal issues. If you do want to do scans, might want to start with someone like nikto (it's free) and see what you find. Idk how well Nessus does web scans either - idk that's their core business (I think that would be AD and compliance). Burp is the tool most use for this. Though, give a baby your car keys and if you're lucky nothing will happen - if you're not...

A better solution for sites you host and don't own might be a WAF. Something free like mod_security (some used to sell a rule subscription - can't remember who). Or a PaloAlto box.

As for passwords, among other things, the company I work for is kinda known for password auditing so, take it off list if you want a contact for that type of thing. If you don't own the data though...
multistrap
How do I replicate this line:
deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted
from sources.list in a multistrap.conf? I'm trying this:

[General]
directory=/mnt/install
cleanup=true
arch=amd64
retainsources=/var/cache/apt/archives
noauth=true
unpack=true
retries=5
debootstrap=precise
bootstrap=precise

[precise]
packages=apt
source=http://archive.ubuntu.com/ubuntu
suite=precise main restricted
omitdebsrc=true

And apparently I can't use 'suite' the same way the location of sources.list is defined. I guess the real question is: if I just have:
suite=precise
it 'works' but doesn't install libterm-readline-perl-perl which is found in the repos I have defined on this box which means that:
dpkg-reconfigure -f noninteractive -a
errors.

(IIRC, this works with Debian's sources which is why I'm specifically asking about multistrap and not a missing package - maybe this is a bug with the Ubuntu repo, but I don't know enough to say as much).
preseed raid-lvm-crypto
I see how to create raid devices:
d-i partman-auto-raid/recipe string \
1 2 0 ext2 /boot /dev/sda1#/dev/sdb1
1 2 0 lvm - /dev/sda2#/dev/sdb2

And then making lvm or crypto devices seems easy enough. However, how do I create one on top of the other (I'd prefer luks inside lvm so that swap can have a random key but either way works).

Also, on an existing install with a configuration like how I want it:
# debconf-get-selections --installer > ~/preseed-komp.txt
# grep -i error preseed-komp.txt | grep -i error | wc -l
179

So, why is this erroring in so many places?
Re: nano vs VI
On Jan 1, 2014 7:43 PM, Paul Cartwright pbcartwri...@gmail.com wrote:
> On 01/01/2014 07:00 PM, Richard Hector wrote:
> > Also perhaps: aptitude purge nano :-)
> > Richard
> thanks, I might do that also, since I use either VI or gedit..

You do know about gvim right?
Re: nano vs VI
No idea. I compile vim on Debian for ruby support (command-t). Probably vim-gtk. So I'm putting this back on the list.

On Jan 2, 2014 7:19 AM, Paul Cartwright pbcartwri...@gmail.com wrote:
> On 01/02/2014 07:12 AM, shawn wilson wrote:
> > On Jan 1, 2014 7:43 PM, Paul Cartwright pbcartwri...@gmail.com wrote:
> > > On 01/01/2014 07:00 PM, Richard Hector wrote:
> > > > Also perhaps: aptitude purge nano :-)
> > > > Richard
> > > thanks, I might do that also, since I use either VI or gedit..
> > You do know about gvim right?
> not really.. should I? when I try to install it I get:
> apt-get install gvim
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Package gvim is a virtual package provided by:
> vim-gtk 2:7.3.547-7
> vim-gnome 2:7.3.547-7
> vim-athena 2:7.3.547-7
> You should explicitly select one to install.
> so, which one is right?
> --
> Paul Cartwright
> Registered Linux User #367800 and new counter #561587
Re: Undocumented telnet access to Brother HL-2280DW
There's a framework for hacking printers (and maybe other networked hardware). I did a quick Google and didn't find it but that's what I'd suggest looking for.

Celejar cele...@gmail.com wrote:
> The Brother HL-2280DW (network printer) listens on port 23, but I can't get a working telnet session going. Telnet option negotiation seems to take place, but I get no login or any other sort of prompt. Pressing enter a few times, with or without typing random text, eventually results in the remote host disconnecting. Here's a netcat dump of a session where I repeatedly press enter until disconnection:
>
>     1b 5b 32 4a 1b 5b 31 3b 31 66 # .[2J.[1;1f
>     000a ff fb 01 ff fb 03 ff fd 03 # .
>     0a # .
>     0013 ff fb 01 ff fb 03 ff fd 03 # .
>     001c 0d 0a # ..
>     0001 0a # .
>     001e 0d 0a # ..
>     0002 0a # .
>     0020 0d 0a # ..
>     0003 0a # .
>     0022 0d 0a # ..
>     0004 0a # .
>     0024 0d 0a # ..
>     0005 0a # .
>
> If I understand this correctly, the first few lines are telnet option negotiation, but nothing after that.
>
> nmap reports:
>
>     23/tcp open telnet Brother/HP printer telnetd
>
> but I don't know if it's just assuming that daemon, since the machine is listening on port 23 and it's a Brother, or if it is actually managing to connect.
>
> The documentation for this model doesn't seem to say anything about telnet access, and I can find no mention of it in the web management interface, which does list the other open ports / services, including FTP, SNMP, POP3 and SMTP. I have tried connecting to these other services, and they seem to work.
>
> So what do we have here? Some sort of broken, half-baked telnet service running, or am I doing something wrong?
>
> Celejar
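The server-to-client bytes in the dump quoted above can be decoded mechanically. This is an added example, not part of the original thread: it parses those bytes as ANSI control sequences and Telnet commands per RFC 854; the byte string is transcribed from the dump, and the function and table names are this example's own.

```python
# Added example: decode a Telnet server's opening bytes into readable events.
# Command and option codes are the standard values from RFC 854/857/858.

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATION = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
OPTIONS = {0x00: "BINARY", 0x01: "ECHO", 0x03: "SUPPRESS-GO-AHEAD",
           0x18: "TERMINAL-TYPE", 0x1F: "NAWS", 0x22: "LINEMODE"}

# First 30 bytes the printer sent, transcribed from the dump in the post.
CAPTURED = bytes.fromhex(
    "1b5b324a 1b5b313b3166"
    " fffb01 fffb03 fffd03"
    " fffb01 fffb03 fffd03"
    " 0d0a"
)


def decode(stream):
    """Return a list of human-readable events for a server-to-client stream."""
    events = []
    text = bytearray()

    def flush():
        # Emit any plain data collected since the last control sequence.
        if text:
            events.append("DATA " + repr(bytes(text)))
            text.clear()

    i, n = 0, len(stream)
    while i < n:
        byte = stream[i]
        if byte == IAC:
            if i + 1 >= n:
                flush()
                events.append("TRUNCATED IAC")
                break
            cmd = stream[i + 1]
            if cmd == IAC:                      # IAC IAC is a literal 0xFF data byte
                text.append(0xFF)
                i += 2
                continue
            flush()
            if cmd in NEGOTIATION:              # three-byte option negotiation
                if i + 2 >= n:
                    events.append("TRUNCATED " + NEGOTIATION[cmd])
                    break
                opt = stream[i + 2]
                name = OPTIONS.get(opt, "option %d" % opt)
                events.append("IAC %s %s" % (NEGOTIATION[cmd], name))
                i += 3
            elif cmd == SB:                     # subnegotiation runs up to IAC SE
                end = stream.find(bytes([IAC, SE]), i + 2)
                if end == -1:
                    events.append("TRUNCATED SB")
                    break
                events.append("IAC SB %s IAC SE" % stream[i + 2:end].hex(" "))
                i = end + 2
            else:                               # two-byte command (NOP, AYT, ...)
                events.append("IAC command 0x%02x" % cmd)
                i += 2
        elif byte == 0x1B and i + 1 < n and stream[i + 1] == 0x5B:
            flush()                             # ANSI CSI: ESC [ params final-byte
            j = i + 2
            while j < n and not 0x40 <= stream[j] <= 0x7E:
                j += 1
            if j >= n:
                events.append("TRUNCATED CSI")
                break
            events.append("ANSI ESC[" + stream[i + 2:j + 1].decode("ascii", "replace"))
            i = j + 1
        else:
            text.append(byte)
            i += 1
    flush()
    return events


if __name__ == "__main__":
    for event in decode(CAPTURED):
        print(event)
```

Run on the captured bytes, it reports a screen clear and cursor-home, then WILL ECHO, WILL SUPPRESS-GO-AHEAD and DO SUPPRESS-GO-AHEAD sent twice, then a bare CR LF with no prompt text.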
Re: fail2ban fails to ban apache...
François Patte francois.pa...@mi.parisdescartes.fr wrote:
> Hello,
>
> I try to configure fail2ban in order to ban IP which try to connect to directories protected by .htaccess.
>
> Here is my [apache] section in jail.conf:
>
>     enabled = true
>     port = http,https
>     filter = apache-auth
>     logpath = /var/log/apache*/*error.log
>     maxretry = 3
>
> But I tested filling the auth form with erroneous login/password and nothing happens! Nothing appeared in /var/log/fail2ban.log...

Show filter.d/apache-auth and show the output of a:

    tail -F /var/log/apache*/*error.log

while you make the bad requests (you might need to do a $(find ...) to handle those wildcards - I'm also unsure if f2b deals with apache*). Also, if you've logged an invalid request, do yourself a favor and create a test directory with different files of different failure lines and run fail2ban-regex against them. Then, when you alter a regex, you can easily see if something you didn't want changed.

> I tried the same for ssh connections and the IP of the computer from which I tried was banned after the third attempt.
>
> What is missing in my config?
>
> Here is the ssh section in jail.conf:
>
>     enabled = true
>     port = ssh
>     filter = sshd
>     logpath = /var/log/auth.log
>     maxretry = 6
>
> Thanks
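The regression check suggested in the reply above (keep sample failure lines, re-run the filter after every change) can be sketched as follows. This is an added example, not from the thread and not fail2ban's code: the log lines are constructed, both failregex patterns are simplified assumptions rather than the shipped apache-auth filter, and `<HOST>` is replaced by an IPv4-only stand-in.

```python
# Added example: regression-test a fail2ban-style failregex against sample
# log lines, each labelled with the host it should yield (None = no match).
import re

# Assumption: simplified IPv4-only replacement for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines: three in the older Apache error-log layout,
# one in the newer layout that adds a module tag, pid, client port and AH code.
CASES = [
    ('[Sat Nov 09 21:14:02 2013] [error] [client 192.0.2.10] user alice: '
     'authentication failure for "/private/": Password Mismatch', "192.0.2.10"),
    ('[Sat Nov 09 21:14:09 2013] [error] [client 192.0.2.10] user bob '
     'not found: /private/', "192.0.2.10"),
    ('[Sat Nov 09 21:15:40 2013] [error] [client 198.51.100.7] File does not '
     'exist: /var/www/favicon.ico', None),
    ('[Sat Nov 09 21:16:01.120045 2013] [auth_basic:error] [pid 2211] '
     '[client 203.0.113.5:51234] AH01617: user alice: authentication failure '
     'for "/private/": Password Mismatch', "203.0.113.5"),
]

# Hypothetical patterns for illustration only.
OLD_FAILREGEX = r"\[client <HOST>\] user \S+(?:: authentication failure| not found)"
NEW_FAILREGEX = (r"\[client <HOST>(?::\d+)?\] (?:AH\d+: )?"
                 r"user \S+(?:: authentication failure| not found)")


def compile_failregex(failregex):
    """Expand <HOST> and compile; a pattern without <HOST> cannot ban anyone."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex must contain <HOST>")
    return re.compile(failregex.replace("<HOST>", HOST))


def run_cases(failregex, cases):
    """Return (line, expected_host, got_host) for every case that disagrees."""
    pattern = compile_failregex(failregex)
    problems = []
    for line, expected in cases:
        match = pattern.search(line)
        got = match.group("host") if match else None
        if got != expected:
            problems.append((line, expected, got))
    return problems


if __name__ == "__main__":
    for label, regex in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        problems = run_cases(regex, CASES)
        print("%s: %d/%d cases as expected" % (label, len(CASES) - len(problems), len(CASES)))
        for line, expected, got in problems:
            print("  expected %s, got %s: %s" % (expected, got, line[:70]))
```

With the old pattern the newer-layout line is reported as a miss, which is the kind of silent non-match that leaves fail2ban.log empty; the real tool for the same check against an installed filter is fail2ban-regex, as the reply says.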
Re: Collecting information after installation
Ali ISIN a.i...@live.be wrote:
> Hi,
>
> Since the 7.x version does my computer freeze;

In what way? No more messages are logged? Doesn't respond to pings? SysRq doesn't reboot it (is the kernel totally hosed)?

> and that after installing GRUB and rebooting. My system seem to work correctly but I thought to inform you.

Installing or upgrading? If you copy the first, say, 448 bytes (I think that's right - 512-64 but it doesn't matter) to a file and then copy it back, does the same thing happen as with grub-install (grub-install has helper scripts to figure out things and it might be an issue with something done in there).
Re: Unable to change shell and add groups
    $ chsh -s /bin/zsh ag4ve
    Password:
    $ grep ag4ve /etc/passwd
    ag4ve:x:1008:1008::/home/ag4ve:/bin/zsh
    $ echo $SHELL
    /bin/bash
    $ readlink /proc/$$/exe
    /bin/bash
    $ cat /etc/debian_version
    6.0.8
    $ grep zsh /etc/shells
    /bin/zsh
    /usr/bin/zsh

Oh, there is some interesting stuff about /etc/shells - probably unrelated, but just weirdness:

    $ grep tcsh /etc/shells
    /usr/bin/tcsh
    /bin/tcsh
    $ whereis tcsh
    tcsh:

And, linking around the whole system:

    $ readlink /bin/zsh
    /etc/alternatives/zsh
    $ readlink /etc/alternatives/zsh
    /bin/zsh4
    $ readlink /usr/bin/zsh
    /etc/alternatives/zsh-usrbin
    $ readlink /etc/alternatives/zsh-usrbin
    /bin/zsh4

(again, probably not the issue and just annoys me since I noticed it)

On Fri, Dec 6, 2013 at 3:10 AM, Scott Ferguson scott.ferguson.debian.u...@gmail.com wrote:
> On 06/12/13 18:31, shawn wilson wrote:
>> For some reason, when I chsh to say /bin/zsh, log out and back in, I'm still in bash - confirmed with readlink /proc/$$/exe
>
> Which release are you running?
> For me this works:-
>     # chsh -s /bin/zsh $me
> (where $me is your username).
>
> Check with:-
>     $ echo $SHELL
> or:-
>     $ grep $me /etc/passwd
> (where $me is your username).
>
>> I tried adding my user to the adm group, logging out and back in, and it's not there. However, if I exec su -p -l user - everything works. I've also tried an init q to no avail. So, I'm out of ideas. Any suggestions?
>
> Kind regards
Unable to change shell and add groups
For some reason, when I chsh to say /bin/zsh, log out and back in, I'm still in bash - confirmed with readlink /proc/$$/exe

I tried adding my user to the adm group, logging out and back in, and it's not there. However, if I exec su -p -l user - everything works. I've also tried an init q to no avail. So, I'm out of ideas. Any suggestions?
Re: Serverbackup cron
basti black.flederm...@arcor.de wrote:
> Is there a better/ easier way for daily backups? I don't want to do a daily backup if weekly or monthly is running.

Use a pidfile - just make sure your process deletes it or you won't be getting backups.

I've used Amanda in the past and that works. But now I encrypt my backups and I don't think Amanda will do that (at least not with partials like duplicity does).
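The pidfile approach from the reply above, including the failure mode it warns about (a pidfile left behind by a crashed run blocking every later backup), could look like this. It is an added example, not code from the thread; the pidfile path and the job passed in are hypothetical.

```python
# Added example: run a backup job only if no other backup holds the pidfile,
# always remove the pidfile afterwards, and reclaim one left by a dead process.
import contextlib
import os


class AlreadyRunning(Exception):
    """Another live process owns the pidfile."""


def pid_alive(pid):
    """True if a process with this PID exists (signal 0 only probes)."""
    if pid <= 0:                 # kill(0, ...) would address our own process group
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:      # exists, but belongs to another user
        return True
    return True


@contextlib.contextmanager
def pidfile(path):
    fd = None
    for _ in range(3):
        try:
            # O_EXCL makes creation atomic: only one process can win.
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644)
            break
        except FileExistsError:
            try:
                with open(path) as handle:
                    owner = int(handle.read().strip() or 0)
            except (FileNotFoundError, ValueError):
                owner = 0
            if pid_alive(owner):
                raise AlreadyRunning("pid %d holds %s" % (owner, path))
            # Stale file from a run that died without cleaning up. Removing it
            # can race with another starter; flock(2) on the file avoids that.
            with contextlib.suppress(FileNotFoundError):
                os.unlink(path)
    if fd is None:
        raise AlreadyRunning("could not claim %s" % path)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("%d\n" % os.getpid())
        yield
    finally:
        # Runs on success and on exceptions, so the next backup is not blocked.
        with contextlib.suppress(FileNotFoundError):
            os.unlink(path)


def run_exclusive(path, job):
    """Run job() under the pidfile; return False if another backup is active."""
    try:
        with pidfile(path):
            job()
    except AlreadyRunning:
        return False
    return True


if __name__ == "__main__":
    # Hypothetical path; daily, weekly and monthly jobs would all share it.
    ran = run_exclusive("/tmp/backup-example.pid", lambda: print("backup running"))
    print("ran" if ran else "skipped: another backup is active")
```

Pointing the daily, weekly and monthly cron entries at the same pidfile gives the "skip daily while weekly runs" behaviour asked about.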
Re: IPTables question
Erwan David er...@rail.eu.org wrote:
> On 09/11/2013 23:06, Shawn Wilson wrote:
>> Redhat has something called firewalld which generates rules based on zones. I don't use it because using dbus to help manage rules scares me. But it's there and could be what you want.
>
> I use fwbuilder which helps to define elaborated rules ; there is also shorewall which uses zones, both generate the rules either as shell script or iptables-save/restore configuration. Both are available in debian.

Just FYI, a shell script will be slower than iptables-save since the latter only makes one call while the former makes one call per ipt command.

I looked at shorewall and didn't know it had zones - that's cool (since I don't like xml that firewalld uses). I've now got a 2k line perl script that does almost everything we need but I'll take another look at shorewall (for ideas if nothing else).
Copy buffer from a script
How do I get access to the buffer that is presented by clicking the third (or center) mouse button from a script?
Re: Copy buffer from a script
That gives me the X clipboard buffer, which seems to be a different buffer.

On Sun, Nov 10, 2013 at 6:30 PM, Lukas Erlacher lists+deb...@lerlacher.de wrote:
> check out xclip.
>
> On 11.11.2013 00:29, shawn wilson wrote:
>> How do I get access to the buffer that is presented by clicking the third (or center) mouse button from a script?
Re: Copy buffer from a script
On Sun, Nov 10, 2013 at 6:47 PM, Lukas Erlacher lists+deb...@lerlacher.de wrote:
> On 11.11.2013 00:42, shawn wilson wrote:
>> That gives me the X clipboard buffer, which seems to be a different buffer.
>
> There are three buffers. You're looking for the keyboard buffer, which is the primary buffer and used by default. Please read the manpage.

    % xclip -o -sel secondary
    % xclip -o -sel primary
    http://www.daycounter.com/Calculators/Decibels-Calculator.phtml%
    % xclip -o -sel clipboard
    http://www.daycounter.com/Calculators/Decibels-Calculator.phtml%

There was (before I copied this) an ip address in one of the clipboards. I even tried selecting something else and those two clipboards aren't changing.

>> On Sun, Nov 10, 2013 at 6:30 PM, Lukas Erlacher lists+deb...@lerlacher.de wrote:
>>> check out xclip.
>>>
>>> On 11.11.2013 00:29, shawn wilson wrote:
>>>> How do I get access to the buffer that is presented by clicking the third (or center) mouse button from a script?
Re: IPTables question
Redhat has something called firewalld which generates rules based on zones. I don't use it because using dbus to help manage rules scares me. But it's there and could be what you want.

David F deb...@meta-dynamic.com wrote:
> On 11/09/2013 12:47 PM, Bill.M wrote:
>> But is there anyway to specify both eth0 and wlan0 as equally valid interfaces on my laptop depending on whether it's in my dock or on the road?
>>
>> For example, -i wlan0,eth0 or -o wlan0,eth0
>>
>> Is something like these possible?
>
> * You can avoid specifying any interface at all, so long as you don't mind the rule being applied to the loopback interface as well. Chances are very good that this will work for you and is the best solution, but you need to evaluate the rules in question.
>
> * You can use a '+' at the end of the interface name which acts as a wildcard. This won't help since your interfaces names differ in the first character, not the last, but you can easily customize their names to differ in their suffix rather than prefix by editing: /etc/udev/rules.d/70-persistent-net.rules
>
> * You can create a new chain, have packets from either interface jump to it via two rules, then put the rest of your rules in that chain, without specifying an interface name. e.g. (untested):
>
>     iptables -t filter -N foo
>     iptables -t filter -A INPUT -i eth0 -j foo
>     iptables -t filter -A INPUT -i wlan0 -j foo
>     iptables -t filter -A foo --src 1.2.3.4 -j DROP
>     iptables -t filter -A foo -p tcp --dport 80 -j DROP
>     ...
>
> -- David
Re: IPTables question
Pascal Hambourg pas...@plouf.fr.eu.org wrote:
> Hello,
>
> Bill.M wrote:
>> In IPTables one can specify multiple addresses, and multiple ports, but is there anyway to specify multiple interfaces.
>>
>> For example, -m multiport --destination-port 22,25,80
>> Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10
>
> In addition to David's answer : Unless recent change I am not aware of, you cannot specify an address range in -s or -d. You must use the iprange match instead (or ipset if your kernel supports it). Also, note that specifying multiple comma-separated addresses or prefixes in -s or -d will result in multiple rules being actually created, which can have undesirable side-effects and impact efficiency.

The speed impact of a small rule set is negligible. One ipset vs 20 rules, yes please - it's easier to look at. Also, idk any way to match interface with ipset - ip and port (even src and dst in one line) but not interface.
Re: Why syslog is not rotating?
I can't see how a default config would do this, but do you have SELinux or AppArmor enabled? What does fstab and mount show? If possible, copy the system off and write ones and then zeros to the disk (and look for speed drops). Looking at the disk might've been a good call.

Itay deb...@itayf.fastmail.fm wrote:
> On Sun, 3 Nov 2013, Reco wrote:
> On Sun, 3 Nov 2013 17:16:02 +0200 (IST) Itay deb...@itayf.fastmail.fm wrote:
> On Sun, 3 Nov 2013, Reco wrote:
> [...]
>
> Is there anything suspicious in the root mailbox?
>
> root mail box has daily messages like this starting at june 2010 (yes, I know, bad me)
>
>     /etc/cron.daily/logrotate:
>     gzip: stdin: Input/output error
>     error: failed to compress log /var/log/syslog.1
>     run-parts: /etc/cron.daily/logrotate exited with return code 1
>
> And, is there anything unusual in /var/log/kern.log at the time you had this error?
>
> Multiple messages like those two:
>
>     ...
>     Oct 31 07:59:35 gandalf kernel: [4627180.405646] ata3.00: exception Emask 0x0 SAct 0x1 SErr 0x0 action 0x0
>     Oct 31 07:59:35 gandalf kernel: [4627180.405650] ata3.00: irq_stat 0x4008
>     Oct 31 07:59:35 gandalf kernel: [4627180.405653] ata3.00: failed command: READ FPDMA QUEUED
>     Oct 31 07:59:35 gandalf kernel: [4627180.405659] ata3.00: cmd 60/08:00:cb:05:a9/00:00:05:00:00/40 tag 0 ncq 4096 in
>     Oct 31 07:59:35 gandalf kernel: [4627180.405661] res 41/40:00:cd:05:a9/00:00:05:00:00/40 Emask 0x409 (media error) F
>     Oct 31 07:59:35 gandalf kernel: [4627180.405664] ata3.00: status: { DRDY ERR }
>     Oct 31 07:59:35 gandalf kernel: [4627180.405666] ata3.00: error: { UNC }
>     Oct 31 07:59:35 gandalf kernel: [4627180.407143] ata3.00: configured for UDMA/133
>     Oct 31 07:59:35 gandalf kernel: [4627180.407153] sd 2:0:0:0: [sda] Unhandled sense code
>     Oct 31 07:59:35 gandalf kernel: [4627180.407155] sd 2:0:0:0: [sda] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
>     Oct 31 07:59:35 gandalf kernel: [4627180.407158] sd 2:0:0:0: [sda] Sense Key : Medium Error [current] [descriptor]
>     Oct 31 07:59:35 gandalf kernel: [4627180.407163] Descriptor sense data with sense descriptors (in hex):
>     Oct 31 07:59:35 gandalf kernel: [4627180.407165] 72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00
>     Oct 31 07:59:35 gandalf kernel: [4627180.407173] 05 a9 05 cd
>     Oct 31 07:59:35 gandalf kernel: [4627180.407176] sd 2:0:0:0: [sda] Add. Sense: Unrecovered read error - auto reallocate failed
>     Oct 31 07:59:35 gandalf kernel: [4627180.407181] sd 2:0:0:0: [sda] CDB: Read(10): 28 00 05 a9 05 cb 00 00 08 00
>     Oct 31 07:59:35 gandalf kernel: [4627180.407188] end_request: I/O error, dev sda, sector 94963149
>     Oct 31 07:59:35 gandalf kernel: [4627180.407208] ata3: EH complete
>     ...
>     Nov 1 07:50:21 gandalf kernel: [4713026.178488] ata3.00: exception Emask 0x0 SAct 0x1 SErr 0x0 action 0x0
>     Nov 1 07:50:21 gandalf kernel: [4713026.178492] ata3.00: irq_stat 0x4008
>     Nov 1 07:50:21 gandalf kernel: [4713026.178496] ata3.00: failed command: READ FPDMA QUEUED
>     Nov 1 07:50:21 gandalf kernel: [4713026.178502] ata3.00: cmd 60/08:00:cb:05:a9/00:00:05:00:00/40 tag 0 ncq 4096 in
>     Nov 1 07:50:21 gandalf kernel: [4713026.178503] res 41/40:00:cd:05:a9/00:00:05:00:00/40 Emask 0x409 (media error) F
>     Nov 1 07:50:21 gandalf kernel: [4713026.178506] ata3.00: status: { DRDY ERR }
>     Nov 1 07:50:21 gandalf kernel: [4713026.178509] ata3.00: error: { UNC }
>     Nov 1 07:50:21 gandalf kernel: [4713026.179984] ata3.00: configured for UDMA/133
>     Nov 1 07:50:21 gandalf kernel: [4713026.179992] ata3: EH complete
>     ...
>
> Does, say, 'md5sum /var/log/syslog' runs to the completion?
>
> Yes. Without warnings/errors.
>
> What about 'cat /var/log/syslog > /dev/null'?
>
> Yes. Without warnings/errors.
>
> Ok. What about 'cat /var/log/syslog | gzip -c > /dev/null'? And, while we're at that, what about:
>
>     cat /var/log/syslog | gzip -c > /var/log/syslog.test.gz
>
> Both commands finished without warnings/errors.
>
> If error shows early, can you also post contents of (/tmp/gzip):
>
>     strace -fo /tmp/gzip cat /var/log/syslog | gzip -c > /dev/null
>
> Didn't try since there were no errors.
>
> Can you run fsck on the filesystem containing /var/log/syslog?
>
> [snip] File system was found clean. No errors were reported.
>
> What does smartctl --all shows on the partition with this filesystem?
>
> I never used smartctl (installed it now following-up your question). In my system /var resides on a logical volume. So I am not sure how to proceed.
>
> Find a physical volume corresponding to the /var logical volume. Run smartctl --all on the disk that's containing that physical volume. In case you have RAID (be it mdadm or dm-mirror) - run smartctl on all disks that are part of said RAID. While we're on it, also run smartctl -t long on said disk, wait for a while (smartctl should say you, how much), and run smartctl --all on the same disk again.
>
> Output of 'smartctl --all' (after running 'smartctl -t long'):
>
>     smartctl 5.41 2011-06-09 r3365 [x86_64-linux-3.2.0-4-amd64] (local build)
Re: Why syslog is not rotating?
Reco already basically said what the issue is. I didn't notice it in the prior messages you posted. If you wanted to confirm, after you migrate your data, do a:

    dd if=/dev/zero of=<old disk>

and then looking at something like:

    iostat -xtc 5 /dev/<old disk>

And, if you don't see an error there, do

    dd if=<(tr '\000' '\377' < /dev/zero) of=<old disk>

and look at the iostat for that. Even if the disk won't tell the kernel it's breaking, chances are dd will error. But, even if that doesn't happen, you'd notice a big slow down with iostat.

As it is, disks are cheap - get another one and be done with the old one.

On Mon, Nov 4, 2013 at 6:16 AM, Itay deb...@itayf.fastmail.fm wrote:
> On Mon, 4 Nov 2013, Shawn Wilson wrote:
>> Date: Mon, 04 Nov 2013 04:46:48 -0500
>
> For some reason your messages ended up in a different mailbox, therefore I saw them only now. Sorry about that.
>
> As was recommended I will replace the harddrive that holds /var. Nevertheless, respectfully, I will answer your response.
>
>> I can't see how a default config would do this, but do you have SELinux or AppArmor enabled? What does fstab and mount show?
>
> I didn't enable SElinux or AppArmor. How do I double-check?
>
> mount output:
>
>     sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
>     proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
>     udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=473761,mode=755)
>     devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
>     tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=380288k,mode=755)
>     /dev/disk/by-uuid/4712a4c6-be99-43bf-8628-0edd641d5262 on / type ext3 (rw,relatime,errors=remount-ro,barrier=1,data=ordered)
>     tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
>     tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=2323680k)
>     /dev/sda1 on /boot type ext2 (rw,relatime,errors=continue)
>     /dev/mapper/vg-cache on /cache type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
>     /dev/mapper/vg-home on /home type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
>     /dev/mapper/vg-opt on /opt type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
>     /dev/mapper/vg-tmp on /tmp type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
>     /dev/mapper/vg-usr on /usr type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
>     /dev/mapper/vg-usrlocal on /usr/local type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
>     /dev/mapper/vg-var on /var type ext3 (rw,relatime,errors=continue,barrier=1,data=ordered)
>     /dev/sdb8 on /legacy type ext3 (rw,nosuid,nodev,noexec,relatime,errors=continue,barrier=1,data=ordered)
>     rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
>     fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
>
> And /etc/fstab:
>
>     # /etc/fstab: static file system information.
>     # !! Note !!
>     # UUID is a property of the residing file system -- not of the device.
>     # Any file system reformatting will result in change to UUID.
>     # file system mount point type options dump pass
>     ### Static Devices ###
>     proc /proc proc defaults 0 0
>     # Master Hard Drive Partitions
>     # 1: boot (purposefully an ext2 partition)
>     UUID=81d775af-9f80-4081-be71-c8d379c05944 /boot ext2 defaults 0 2
>     # 2: root file system
>     UUID=4712a4c6-be99-43bf-8628-0edd641d5262 / ext3 errors=remount-ro 0 1
>     # 3: swap partition
>     UUID=73035ad5-bba9-4d8e-8cfd-546ab09ac456 none swap sw 0 0
>     # LVM
>     /dev/mapper/vg-cache /cache ext3 defaults 0 2
>     /dev/mapper/vg-home /home ext3 defaults 0 2
>     /dev/mapper/vg-opt /opt ext3 defaults 0 2
>     /dev/mapper/vg-tmp /tmp ext3 defaults 0 2
>     /dev/mapper/vg-usr /usr ext3 defaults 0 2
>     /dev/mapper/vg-usrlocal /usr/local ext3 defaults 0 2
>     /dev/mapper/vg-var /var ext3 defaults 0 2
>     ## Removable Media ##
>     /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
>     #/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
>     # USB: Gandalf Attached Storage.
>     UUID=6b01200d-446d-46da-b6ac-405f1ec5b1bf /legacy ext3 user 0 0
>     UUID=0866a19d-3661-422b-818c-410d96868139 /media/gandalfBACK ext3 noauto,user 0 0
>     # LABEL=gandalfBACK2 Gandalf's secondary backup (kept at my parents' house)
>     UUID=14a0b647-02e0-4681-b37c-cea165004e24 /media/gandalfBACK2 ext3 noauto 0 0
>     # USB: Portable disk.
>     UUID=ac334401-5833-4946-bc7b-4d93622ea929 /media/palm/legacy ext3 noauto,user 0 0
>     UUID=807e9825-1838-4d5c-bada-e54a7d94e2ff /media/palm/lennyBACK
Re: Why syslog is not rotating?
Can syslog rotate logs? I just use logrotate.

Itay deb...@itayf.fastmail.fm wrote:
> On Sat, 2 Nov 2013, Sven Hartge wrote:
> Date: Sat, 2 Nov 2013 21:47:11 +0100
> From: Sven Hartge s...@svenhartge.de
> To: debian-user@lists.debian.org
> Subject: Re: Why syslog is not rotating?
> Resent-Date: Sat, 2 Nov 2013 20:48:34 + (UTC)
> Resent-From: debian-user@lists.debian.org
>
> Itay deb...@itayf.fastmail.fm wrote:
> Can someone help me, please, to understand why syslog is not rotating?
>
> The system is not running at the time when cron.daily is scheduled to run? -- anacron takes care of that.
>
> Sven,
>
> Thank you for your reply. My system was continuously on except for very short random periods and 3 weeks on Aug 2013. In contrast, the listing below shows (I believe) that syslog stopped rotating at 2010.
>
>     # ls -gh /var/log/syslog*
>     -rw-r- 1 adm 219M Nov 2 21:50 syslog
>     -rw-r- 1 adm 2.5K Jun 5 2010 syslog.1
>     -rw-r- 1 adm 0 Nov 1 07:50 syslog.1.gz
>     -rw-r- 1 adm 661 Jun 5 2010 syslog.2.gz
>
> However: I checked /etc/cron.daily and did not find entry for rsyslog. Maybe that's the cause?
>
> Or somehow there is an error and logrotate refuses to run. In that case run logrotate manually with the debug-switch -d and see if anything strange appears.
>
> Is logrotate responsible for rotating syslog files? Information on the net [1] suggests it's not.
> ---
> [1] https://wiki.debian.org/Rsyslog
>
> I am confused...
>
> Finally, I should point out that, I have just completed dist-upgrade from squeeze to wheezy with no major problems. This issue came up as I was cleaning-up after the upgrade.
>
> Many thanks,
> Itay
>
> Regards, Sven.
Re: ANDROID
First, thanks for f-droid - I didn't know about that.

I think the most open platform to date is the Pi - there are only certain parts of the processor that are kept under NDA. As for phones, there are many parts of them you will never see released (even openmoko which is old and I'd like one to play with, but not to use).

So, let's consider how much of Android (arguably the most open stable mobile OS) you can compile vs finding binary blobs. You can compile cyanogenmod and you can get the binary blobs for lots of phones from github.com/TheMuppets. So, what might be a good indication of openness, might be to look at the number and size of files for each phone and compare that. Though this might be faulty as this may also mean more proprietary hardware (that might never get updated).

There is another issue with Android: I couldn't figure out how to compile it using OpenJDK on Gentoo. AFAICT, you have to use Sun's (not sure what is missing here, but).

Currently, most apps for Android are closed source (including Google Maps, GMail, Play, YouTube, etc). However, f-droid should be a good replacement for the Play store as long as you're not expecting Angry Birds or other games.

Now, without recompiling anything, you've got a decent Linux base system you can go from. My stock Samsung Note 2 even has access to iptables functionality and tun/tap.

On Tue, Oct 29, 2013 at 6:48 PM, André Nunes Batista andrenbati...@gmail.com wrote:
> On Tue, 2013-10-29 at 10:56 -0400, alex.pad...@laposte.net wrote:
>> Hello to all,
>> I shall want to buy a SMARTPHONE with a free O.S (GNU). Many of my friends say to me that ANDROID is a free system, it is LINUX! What do you think about it? Does it exist a SMARTPHONE with a system DEBIAN GNU LINUX
>> Thank you for your answers
>> Alex
>
> Android is build upon Linux kernel and other free software components, but it relies on binary blobs and proprietary google code. Apart from openmoko - which sounds great but I could never get to lay hands on one of those - you could search for Replicant (go see which phones are already supported). Cyanogenmod + f-droid.org - Gapps would also be better than running the default firmware.
>
> Sometime ago I had an N900 and it worked great with maemo as well.. Dunno the current state of the project.
>
> But R. Stallman usually says he does not own any smart phone as they are user tracking devices built in with microphones, camera and motion sensors. So completely free OS is something yet to be achieved to smart phone users. But even in the case of traditional pc's, many people rely on proprietary BIOS or proprietary firmware for special devices or cards.
>
> --
> André N. Batista
> GNUPG/PGP KEY: 6722CF80
Re: ANDROID
On Tue, Oct 29, 2013 at 7:28 PM, Celejar cele...@gmail.com wrote:
> On Tue, 29 Oct 2013 20:48:54 -0200 André Nunes Batista andrenbati...@gmail.com wrote:
>
> ...
>
>> phone users. But even in the case of traditional pc's, many people rely on proprietary BIOS or proprietary firmware for special devices or cards.
>
> I'm never really sure why people have such a hard time with that - even without them, you're still relying on proprietary logic in hardware. If you're really concerned that there could be something nasty in the BIOS or firmware, you shouldn't use any non-open hardware. And for that matter, even if you've seen the hardware specs, who says the manufactured part you buy really follows them exactly, and doesn't have a backdoor?

https://plus.google.com/u/0/103470457057356043365/posts/9fyh5R9v2Ga

If you believe him, I wouldn't be so flippant about this. There are also IPMI issues (I think there's a Defcon talk on it) there you'll never be able to do anything to fix because the hardware is closed.

> You have to trust someone, somewhere.

You shouldn't /have/ to. That you currently do need to trust someone is probably an issue. I'm not as far as Stallman for F/OSS... until companies can't keep up with security issues, then they've shown they can't handle responsible updates and need to give up their IP that people have purchased with good faith.
Re: How to format the command output like MySQL output
On Mon, Oct 21, 2013 at 8:01 AM, Jonathan Dowland j...@debian.org wrote:
> On Sat, Oct 19, 2013 at 08:54:25PM -0600, Bob Proulx wrote:
>> Check out perl formats.
>
> Great suggestion, it's a shame the user has (since) ruled out Perl. Hardly anyone seems to discuss perl formats anymore ☺

I think most people prefer printf formatting vs formats. I think you'll even find some in the perl community that think formats ended up being a bad idea (something stuck in a real long time ago - ~20 years ago now probably - that can't be removed). Ask on irc if you're interested.

printf is pretty portable and I've only seen perl formats in code once or twice and never used them. FWIW.
Re: How to format the command output like MySQL output
Lars Noodén lars.noo...@gmail.com wrote:
> On 20.10.2013 04:17, 陶治江 wrote:
>> On 2013-10-20 0:53, Lars Noodén wrote:
>>> On 19.10.2013 19:35, 陶治江 wrote:
>>>> [snip]
>>>> I think it seems good like this, but I do not know how to make out it.(someone says awk, sed may help, but the environment does not permit it). Is there some libs or tools can help make output result good and elegent?
>>> [snip]
>>> Perl would be the next step up, but if awk is not allowed then perl certainly won't be.
>>> Regards,
>>> /Lars
>> yes, the whole system size a extremely limited, so the only possible way is to find a suitable C lib to handle this. What a big task
>
> What about the PCRE library? http://www.pcre.org/ That's written in C and gives you the power of perl's regular expressions.

We use libpcre in some projects and it might be useful but it does not give a perl compatible regex engine. It might have up to perl 4 regex support but there might even be some missing features there too. So no, not the power of perl regex here.
Re: sysadmin qualifications (Re: apt-get vs. aptitude)
Joel Rees joel.r...@gmail.com wrote: On Thu, Oct 10, 2013 at 8:09 PM, Richard Owlett rowl...@cloud85.net wrote: We're a long way from being able to build internet terminals that people can use as simply as they use a phone, and it's quite possible that it can't really be done. I'm not sending this email from a phone... Nope. Where's that 'sent from my Kaiten mail app' signature when I need it?
Re: loop back iptables
On Tue, Oct 8, 2013 at 8:12 PM, Dan Ritter d...@randomstring.org wrote:
On Tue, Oct 08, 2013 at 03:04:14PM -0700, james gray wrote:

working with the examples at https://wiki.debian.org/iptables

    -A INPUT -i lo -j ACCEPT

This will do nothing unless you have a default DROP policy

and follow procedure of iptables-restore file-name i do receive a message line failed for that line as shown above.

Next, you'll need to copy the entirety of the grey area example to a file, and use that file name in the iptables-restore. It's a very specific format.

Very specific - I wrote a script to generate an iptables save file and saw that line failed message lots. Basically the format is:

    *chain
    :table [counter]
    -A rule
    COMMIT

Any deviation from this format is an error (you can also have # comments btw). I assume you can use -I or -D or -R but I don't see much point (maybe you go into different 'zones' and then that might be cool to do). Generally, what you want to do is:

    iptables -F; iptables -X; iptables-restore file

If you want to test individual rules, you could do this at the command line:

    iptables -A INPUT -i lo -j ACCEPT

Depending on where that line was put in the save file, that might not be accurate (though since this rule doesn't do anything, one could argue about the 'effect' it has at any point). However, assuming the rule needs to be placed somewhere in the middle, you want:

    iptables -nL --line-numbers

And then:

    iptables -I INPUT number rule

and then iptables -L to see if it took.

There is nothing Debian-specific going on here.

Nope - this is linux.

A few notes:

* I've seen some people (Ubuntu) naming their tables with all UPPERCASE letters - don't do this. You can clobber namespace (and maybe other issues?) and the only way to distinguish between internal jumps and tables is the case (LOG and MARK being a prime example and mangle has some cool jumps you can use and the ones you know of: ACCEPT, REJECT, DROP, DENY - and it's 0400 so I can't think of others right now).
* iptables-restore makes one kernel call so is much better (read faster) than calling iptables tons of times.
* these commands are actually links to xtables-multi:

    # xtables-multi
    ERROR: No valid subcommand given.
    Valid subcommands:
     * iptables
     * main4
     * iptables-save
     * save4
     * iptables-restore
     * restore4
     * iptables-xml
     * xml
     * ip6tables
     * main6
     * ip6tables-save
     * save6
     * ip6tables-restore
     * restore6

(no idea why anyone would want to take a good thing and mess it with xml but it's there - though, if there's an xslt parser as a part of that there could be some real fun to be had there)

And this stuff is fun, good luck in learning.
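A small linter for the ruleset file discussed in the message above, as an added example that is not part of the original post or of iptables itself. It assumes the layout that `iptables-save` emits (`*table`, `:chain policy [packets:bytes]`, rule lines, `COMMIT`); the name `lint_restore`, the sample ruleset and the uppercase-chain warning are constructed for illustration.

```python
import re

TABLES = {"filter", "nat", "mangle", "raw", "security"}
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# ":CHAIN POLICY [packets:bytes]"; this linter treats the counters as optional.
CHAIN_RE = re.compile(r"^:(\S+)\s+\S+(?:\s+\[\d+:\d+\])?$")
RULE_RE = re.compile(r"^-[AIDR]\s+(\S+)")

def lint_restore(text):
    """Return [(line_no, message)] for structural problems in a ruleset file."""
    problems, table, chains, n = [], None, set(), 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank lines and comments
        if line.startswith("*"):                      # "*filter" opens a table
            if table is not None:
                problems.append((n, f"table '{table}' has no COMMIT"))
            table, chains = line[1:], set(BUILTIN)
            if table not in TABLES:
                problems.append((n, f"unknown table '{table}'"))
        elif table is None:
            problems.append((n, "line outside a *table ... COMMIT block"))
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            name = m.group(1) if m else ""
            if not m:
                problems.append((n, "malformed chain declaration"))
            elif name not in BUILTIN and name.isupper():
                # The thread's advice: keep user chains distinct from targets.
                problems.append((n, f"user chain '{name}' is all uppercase"))
            chains.add(name)
        elif (m := RULE_RE.match(line)) is None:
            problems.append((n, "not a chain, rule, comment or COMMIT line"))
        elif m.group(1) not in chains:
            problems.append((n, f"rule for undeclared chain '{m.group(1)}'"))
    if table is not None:
        problems.append((n, f"table '{table}' has no COMMIT"))
    return problems

# Constructed sample ruleset (not taken from the thread or the Debian wiki).
GOOD = """*filter
:INPUT DROP [0:0]
:log_drop - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j log_drop
COMMIT
"""
```

On the target host, `iptables-restore --test` parses a file without committing it and remains the authoritative check; the linter only catches structural mistakes before the file gets that far.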
schroot
This is at the top of every config file, but I can't find it documented:

    . $SETUP_DATA_DIR/common-data
    . $SETUP_DATA_DIR/common-functions
    . $SETUP_DATA_DIR/common-config

Where is this being sourced from (ie, where is the 'common-data' file?) and (more important) where is this documented?
Re: schroot
berenger.mo...@neutralite.org wrote: On 07.10.2013 18:38, shawn wilson wrote: This is at the top of every config file, but I can't find it documented: . $SETUP_DATA_DIR/common-data . $SETUP_DATA_DIR/common-functions . $SETUP_DATA_DIR/common-config Where is this being sourced from (ie, where is the 'common-data' file?) and (more important) where is this documented? Doing echo $SETUP_DATA_DIR should help you, I think. And for documentation, reading about shell will also help you. I'm guessing this means it's exported by some schroot internal mechanism inside the schroot? I'm not sure what I don't know about bash that would help here? This doesn't seem to be an export bash knows about?
Re: schroot
On Mon, Oct 7, 2013 at 2:20 PM, berenger.mo...@neutralite.org wrote:
On 07.10.2013 19:50, shawn wilson wrote:

Not a bad idea. However:

    find / -type f -print0 | xargs -0 -i{} -P 10 grep -H 'SETUP_DATA_DIR=' {} 2>/dev/null

found nothing.

Just to be complete (so that maybe this shows up on google when the next person has issues finding undocumented stuff in schroot - it's not in the man page as my search implies btw):

    /usr/share # find -iname '*.bz2' | while read f; do t=$(bzcat $f | grep SETUP_DATA_DIR); test -n "$t" && echo $f && echo $t; done
    ./doc/schroot-1.6.5-r1/contrib/setup.d/05customdir.bz2
    . $SETUP_DATA_DIR/common-data . $SETUP_DATA_DIR/common-functions . $SETUP_DATA_DIR/common-config
    ./doc/schroot-1.6.5-r1/ChangeLog.bz2
    Add SCHROOT_DATA_DIR, SCHROOT_SETUP_DATA_DIR and replace DATA_DIR and SETUP_DATA_DIR. Add SCHROOT_DATA_DIR, SCHROOT_SETUP_DATA_DIR and replace DATA_DIR and SETUP_DATA_DIR.
    ./man/man7/schroot-faq.7.bz2
    .ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
    ./man/man5/schroot.conf.5.bz2
    .ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
    ./man/man5/schroot-setup.5.bz2
    .ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
    ./man/man5/schroot-script-config.5.bz2
    .ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
    ./man/man1/dchroot.1.bz2
    .ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
    ./man/man1/dchroot-dsa.1.bz2
    .ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup
    ./man/man1/schroot.1.bz2
    .ds SCHROOT_SETUP_DATA_DIR /usr/share/schroot/setup

On Mon, Oct 7, 2013 at 1:05 PM, berenger.mo...@neutralite.org wrote:
On 07.10.2013 18:59, Shawn Wilson wrote:
berenger.mo...@neutralite.org wrote:
On 07.10.2013 18:38, shawn wilson wrote:

This is at the top of every config file, but I can't find it documented:

    . $SETUP_DATA_DIR/common-data
    . $SETUP_DATA_DIR/common-functions
    . $SETUP_DATA_DIR/common-config

Where is this being sourced from (ie, where is the 'common-data' file?) and (more important) where is this documented?

Doing echo $SETUP_DATA_DIR should help you, I think. And for documentation, reading about shell will also help you.

I'm guessing this means it's exported by some schroot internal mechanism inside the schroot? I'm not sure what I don't know about bash that would help here? This doesn't seem to be an export bash knows about?

I have no idea what files you are speaking about, but the $ prefix usually indicates a variable in shell, and shell scripts are widely used in the system. To find what file could export that variable, try a grep -r SETUP_DATA_DIR, it might help you find which file uses that variable.

Do not send me private mail for something like that, it could interest someone else on the list.

That was an accident (I was guessing telling me reading about shell would be helpful that you might not be the person to talk to but I like to follow up).

Honestly, I can not help you more than that, I do not use chroot very often, and do not know what schroot is. If the variable is not defined, then maybe it has a default value. Maybe if you find other files containing simply the SETUP_DATA_DIR text (without '=' or '$') you could find more hints.

PS: does the giant line you posted above do the same thing as grep -r 'SETUP_DATA_DIR=' 2>/dev/null ? If yes, it seems quite complex for what it does...

Quite, but xargs gives one major advantage - that -P allows you to parallelize grep and sending the process SIGUSR1/SIGUSR2 increases or decreases that parallelization. (This also meant that my laptop shat bricks due to a slower hdd and I had to revert to a server).