[SLUG] disk partitioning for lamp: tmp on it's own?
I'm setting up a new LAMP server with CentOS 5.2; in the past, whilst discussing undesirable intrusions through things like CMS vulnerabilities, it was suggested to set up /tmp on a separate partition, set as non-executable.

Is that still a good idea?

How much space to assign to /tmp on a 150GB HD?

How do I make it non-executable?

--
Voytek

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] disk partitioning for lamp: tmp on it's own?
On Thu, Jul 24, 2008, Voytek Eymont wrote:
> how do I make it non executable ?

Mount it with the 'noexec' option. It goes in the same column of /etc/fstab as other options like 'auto' and 'noauto'. man mount has the details of the various filesystem mount options, under the -o flag section.

-Mary
[SLUG] July SLUG Monthly Meeting - this Friday
== July SLUG Monthly Meeting ==

You can read the full version of this announcement on the Web at http://www.slug.org.au/node/103

When: 18.30 - 20.30, Friday, 25 July, 2008

We start at 18:30 but we ask that people arrive 15 minutes early so we can all get into the building and start on time. Please do not arrive before 18:00, as it may hinder business activities for our host! Appropriate signage and directions will be posted on the building.

Where: Atlassian[0], 173-185 Sussex Street, Sydney (corner of Sussex and Market Street)

Entry is via the rear on Slip Street. There are stairs going down along the outside of the building from Sussex St to near the entrance. A map of the area and directions can be found here[1].

= Talks =

** General Talk **
Nick Nicholas: open approaches to persistence, a report on the PILIN project

** In-Depth Talk **
Erik de Castro Lopo: ICFP Programming Contest 2008 Redux

** SLUGlets **
Ken Wilson: Installation of Linux on a Desktop (beginner level)

= Meeting Schedule =

See here[2] for an explanation of the segments.

* 18:15 : Open Doors
* 18:30 : Announcements, News, Introductions
* 18:45 : General Talk
* 19:30 : Intermission
* 19:45 : Split into two groups for
  * In-depth Talk
  * SLUGlets
* 20:30 : Dinner

Dinner is at Golden Harbour Restaurant, in Chinatown. We will be having the $24 Banquet[3], but we will be collecting $25 per head for ease of accounting and to cover a tip. We will be taking numbers during the break to confirm the reservation size. If you have any particular dietary requirements (e.g. vegetarian), or if you would prefer to order separately, let us know beforehand. Dinner is a great way to socialise and learn in a relaxed atmosphere :)

We hope to see you there!

[0] http://www.atlassian.com
[1] http://tinyurl.com/35fxes
[2] http://www.slug.org.au/meetings/meetingformat
[3] http://www.goldenharbour.com.au/specials.html
Re: [SLUG] disk partitioning for lamp: tmp on it's own?
On Thu, Jul 24, 2008 at 09:37:56PM +1000, Mary Gardiner wrote:
> On Thu, Jul 24, 2008, Voytek Eymont wrote:
> > how do I make it non executable ?
>
> Mount it with the 'noexec' option. It goes in the same column of /etc/fstab as other options like 'auto' and 'noauto'. man mount has the details of the various filesystem mount options, under the -o flag section.

One thing to be careful of when doing this is that some debs/rpms expect /tmp to be executable (I ran into this problem with apt and a noexec /tmp).

> -Mary

--
She's just trying to make sure Anthony gets a good meal -- Antonio.
- George W. Bush, 01/14/2001, NBC Nightly News With Tom Brokaw, on Laura Bush inviting Justice Antonin Scalia to dinner at the White House
Re: [SLUG] disk partitioning for lamp: tmp on it's own?
On Fri, July 25, 2008 7:37 am, Alex Samad wrote:
> On Thu, Jul 24, 2008 at 09:37:56PM +1000, Mary Gardiner wrote:
> > On Thu, Jul 24, 2008, Voytek Eymont wrote:
>
> one thing to be careful when doing this, is some deb's/rpm's expect /tmp to exec (run into this problem with apt and a noexec /tmp)

Alex, thanks.

Yes, just looking on my current server, it seems I have CGI possibly executing in /tmp.

Should I go that way, do I need to make a partition on the hard disk, or just an LVM volume?

--
Voytek
Re: [SLUG] disk partitioning for lamp: tmp on it's own?
The problem of course is that /tmp is a known world-writable location where attackers can upload malicious files (if they find ways to do that). Using a partition gives you a fairly low-level way to stop them from being able to execute those files, so I guess the answer is: how paranoid are you about holes in your CGIs and/or other network services, vs how much of a pain in the ass not being able to execute from /tmp will be, based upon its effect on the rest of the system - e.g., as Alex pointed out, having packages not being able to be installed without a remount, and obviously patching your CGIs or reconfiguring or doing whatever you have to do to remove the dependence on /tmp.

It is certainly not a bad thing to do, and if you're using LVM for / then you can change your mind later by removing the mount point and adding the old partition back into the fold.

On Fri, Jul 25, 2008 at 7:42 AM, Voytek Eymont [EMAIL PROTECTED] wrote:
> On Fri, July 25, 2008 7:37 am, Alex Samad wrote:
> > On Thu, Jul 24, 2008 at 09:37:56PM +1000, Mary Gardiner wrote:
> > > On Thu, Jul 24, 2008, Voytek Eymont wrote:
> >
> > one thing to be careful when doing this, is some deb's/rpm's expect /tmp to exec (run into this problem with apt and a noexec /tmp)
>
> Alex, thanks
>
> yes, just looking on my current server, it seems I have cgi possibly executing in /tmp
>
> should I go that way, do I need to do partition on hard disk, or, just an LVM ?
>
> --
> Voytek
Re: [SLUG] disk partitioning for lamp: tmp on it's own?
Voytek Eymont [EMAIL PROTECTED] writes:
> I'm setting up a new LAMP server with Centos 5.2; in the past, whilst discussing undesirable intrusions through like CMS vulnerabilities it was suggested to set up /tmp ion a separate partition, set as non executable, is that still a good idea ?

As much as it ever was, yes, which is to say: it is worth next to nothing, so the effort involved is almost certainly not well invested.

> how much space to assign to /tmp on a 150GB HD?

I would use a tmpfs, which provides natural and sensible limits.

> how do I make it non executable?

Set the noexec flag. However, keep in mind that this will not work for anything run with an interpreter, which includes normal ELF executables, because you can invoke the interpreter (outside /tmp) directly.

If you have a noexec /tmp, try this:

    cp /bin/ls /tmp/ls
    /tmp/ls                       # fails
    /lib/ld-linux.so.2 /tmp/ls    # works
    # you may need ld-linux-x86-64.so.2 on some distributions

While a non-exec /tmp may help you against attacks that don't work around this issue[1], it doesn't actually stop a successful attack.

Oh, and don't forget /var/tmp, and any other world-writable directories on your machine, while you are about it.

Regards,
Daniel

Footnotes:
[1] Approximately zero, in my experience, but yours may vary.
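The thread's advice (Mary's noexec option, Daniel's reminder that /var/tmp and other world-writable directories need the same treatment) boils down to an audit question: which mount points actually carry the hardening options? The script below is an added example, not code from the thread or from any of its authors. It reads a constructed fstab fragment held in the FSTAB_DATA variable; on a real host you would feed it the contents of /etc/fstab, or the output of `mount`, which reports the options in effect right now rather than those requested at boot. The mount points, device names and options in the sample are made up for the example.

```shell
#!/bin/sh
# Added example, not from the SLUG thread: report which world-writable mount
# points carry noexec (plus nosuid and nodev) in an fstab-style table.
# FSTAB_DATA is a constructed sample; replace it with the real /etc/fstab.

FSTAB_DATA='
# device      mount point  fstype  options                       dump pass
/dev/sda1     /            ext3    defaults                      1 1
/dev/sda3     /tmp         ext3    defaults,noexec,nosuid,nodev  1 2
/dev/sda4     /var/tmp     ext3    defaults                      1 2
tmpfs         /dev/shm     tmpfs   defaults                      0 0
'

# mount_opts MOUNTPOINT -> prints the option column for that mount point
# (comment lines are skipped; nothing is printed if it is not a separate mount)
mount_opts() {
    printf '%s\n' "$FSTAB_DATA" | awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# has_opt MOUNTPOINT OPTION -> exit status 0 if OPTION appears in the option list
has_opt() {
    mount_opts "$1" | tr ',' '\n' | grep -qx "$2"
}

# check_mount MOUNTPOINT -> prints "ok", the missing hardening options, or
# "not a separate mount"; exit status 1 whenever something needs attention
check_mount() {
    if [ -z "$(mount_opts "$1")" ]; then
        echo "$1: not a separate mount"
        return 1
    fi
    missing=""
    for opt in noexec nosuid nodev; do
        has_opt "$1" "$opt" || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then
        echo "$1: ok"
        return 0
    fi
    echo "$1: missing$missing"
    return 1
}

# The directories the thread mentions; /var/tmp is the one that gets forgotten.
for mp in /tmp /var/tmp /dev/shm; do
    check_mount "$mp"
done
```

On the sample data /tmp passes and /var/tmp is reported as missing all three options. To take Daniel's tmpfs suggestion and Mary's fstab column together, a line such as `tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,size=1G 0 0` (the size is an example value) gives /tmp a hard ceiling and the execution restriction in one place; `mount -o remount,exec /tmp` followed by `mount -o remount,noexec /tmp` is the temporary relaxation Alex's package-install caveat calls for.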
[SLUG] Safe samba configuration
I use Samba on a mixed-OS network. We have several NAS devices and two Fedora workstations which share drives using NAS.

I have configured the Fedora workstations to only announce on the local subnet (/24) to prevent inadvertent connections from the wider organization. I implement this by putting the following in smb.conf:

    remote announce = 10.9.136.0/24

I also set

    local master = no

because I figured that there were other computers more suited to being the master browser (whatever that means).

Unfortunately I've been faced with some Windows boxes spontaneously not able to browse or connect to the network. It is occasional, but seemed to decrease in occurrence when I reduced the use of SMB shares.

I'm really keen to find a safe configuration for my SMB shares, but I'm not sure where I would find how to do this. It's very difficult to diagnose which configuration works better without months of investigation.

Any help would be greatly appreciated.

--
Robbie Barnett
[EMAIL PROTECTED]
0431864709
Skype Name: retsil42
Re: [SLUG] Safe samba configuration
Prevent Samba from getting involved with browsing at all by adding this to your smb.conf:

    [global]
    domain master = no
    local master = no
    preferred master = no
    os level = 0

It's also a good idea to set up a WINS server, send its details out using DHCP, and set the client mode to WINS only. From man dhcp-options:

> option netbios-name-servers ip-address [, ip-address...];
>
> The NetBIOS name server (NBNS) option specifies a list of RFC 1001/1002 NBNS name servers listed in order of preference. NetBIOS Name Service is currently more commonly referred to as WINS. WINS servers can be specified using the netbios-name-servers option.
>
> option netbios-node-type uint8;
>
> The NetBIOS node type option allows NetBIOS over TCP/IP clients which are configurable to be configured as described in RFC 1001/1002. The value is specified as a single octet which identifies the client type. Possible node types are:
>
> 1  B-node: Broadcast - no WINS
> 2  P-node: Peer - WINS only
> 4  M-node: Mixed - broadcast, then WINS
> 8  H-node: Hybrid - WINS, then broadcast

Dean

Robert Barnett wrote:
> I use samba on a mixed OS network. We have several NAS devices and two Fedora workstations which share drives using NAS.
>
> I have configured the Fedora workstations to only announce on the local subnet (/24) to prevent inadvertent connections from the wider organization. I implement this by putting the following in smb.conf
>
> remote announce = 10.9.136.0/24
>
> I also set
>
> local master = no
>
> Because I figured that there were other computers more suited to being the master browser (whatever that means)
>
> Unfortunately I've been faced with some windows boxes spontaneously not able to browse or connect to the network. It is occasional, but seemed to decrease in occurance when I reduced the use of SMB shares.
>
> I'm really keen to find a safe configuration for my SMB shares, but I'm not sure where I would find how to do this. It's very difficult to diagnose which configuration works better without months of investigation.
>
> Any help would be greatly appreciated.

--
http://fragfest.com.au
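Dean's four [global] settings are easy to add and just as easy to lose in a later edit, so a small check that reads the file back is worth having. The script below is an added example, not code from the thread or from the Samba project. It parses a constructed smb.conf held in the SMB_CONF variable (the workgroup name, share and 10.9.136.5 WINS address are made up for the example); on a real host you would read /etc/samba/smb.conf, or better the output of `testparm -s`, which prints the configuration Samba will actually apply after defaults and includes are resolved.

```shell
#!/bin/sh
# Added example, not from the SLUG thread: confirm that an smb.conf [global]
# section keeps this Samba host out of browser elections, as Dean describes.
# SMB_CONF is a constructed sample; replace it with the real configuration.

SMB_CONF='
[global]
    workgroup = EXAMPLE
    remote announce = 10.9.136.0/24
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    wins server = 10.9.136.5

[data]
    path = /srv/data
    read only = no
'

# smb_global KEY -> prints the value of KEY from the [global] section.
# Samba keys are case-insensitive; the first "=" on the line splits key and value.
smb_global() {
    printf '%s\n' "$SMB_CONF" | awk -v key="$1" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }'
}

# check_browse_settings -> prints "ok" when all four election settings match,
# otherwise lists each deviation (an unset key counts as a deviation, because
# Samba defaults to taking part in elections); exit status 1 on any deviation
check_browse_settings() {
    problems=""
    for pair in "domain master=no" "local master=no" "preferred master=no" "os level=0"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(smb_global "$key")
        [ "$got" = "$want" ] || problems="$problems '$key' is '${got:-unset}' (want $want);"
    done
    if [ -z "$problems" ]; then
        echo "ok"
        return 0
    fi
    echo "$problems"
    return 1
}

check_browse_settings
```

On the DHCP side, the two options quoted from the man page would be written in dhcpd.conf as `option netbios-name-servers 10.9.136.5;` and `option netbios-node-type 2;` (P-node, WINS only), again with a made-up server address; clients then resolve names through the WINS server instead of broadcasting, which is what takes the flaky broadcast elections out of the picture.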
[SLUG] Equivalent of Gentoo's python-updater for Debian
Hi all,

I'm upgrading Python from 2.4 to 2.5 on a Debian etch box. I have a lot of Python packages in pycentral (/usr/share/pycentral). Many of these came from Debian packages such as libapache-mod-python, python-pysqlite2, python-textile, python-pydot.

python2.4/site-packages has lots of symlinks to packages in /usr/share/pycentral; python2.5/site-packages is pretty empty.

Now a colleague at work tells me that his Gentoo has a thing called python-updater that remerges Python packages when upgrading Python. This makes all the old packages available for an updated Python. Is there such a thing for Debian?

Mike

--
Michael Lake
Computational Research Centre of Expertise
Science Faculty, UTS
Ph: 9514 2238
UTS CRICOS Provider Code: 00099F
Re: [SLUG] Equivalent of Gentoo's python-updater for Debian
Michael Lake wrote:
> Now a colleague at work tells me that his Gentoo has a thing called python-updater that remerges python packages when upgrading python. This makes all the old packages available for an updated python. Is there such a thing for Debian?

python-central (and the Debian packaging guidelines for Python) does it all for you as you upgrade. Since those changes were made, and we no longer have version-specific Python library packages, I've never had to do anything manual to get a Python library to work with a particular version of Python. It just works for the versions of Python that you have installed.

- Jeff

--
linux.conf.au 2009: Hobart, Tasmania http://marchsouth.org/
"Free software never simply picks up its marbles and goes home." - Jonathan Corbet, LWN
[SLUG] Thunderbird send problems
Hi All,

I'm using Thunderbird 2.0.0.16 on Dapper. On the odd occasion I've had these problems, but today it's been *all* day.

I cannot send e-mail with more than a few lines - approx 150 words. It's as if there is a problem sending e-mail only, as I can upload files, so it's not like I've got a problem with the ISP blocking anything outgoing of any real size.

Has anyone any ideas that may be of assistance?

Many thanks in advance.

Regards,
Patrick

--
Registered GNU/Linux User 368634
Re: [SLUG] Thunderbird send problems
elliott-brennan wrote:
> Hi All,
>
> I'm using Thunderbird 2.0.0.16 on Dapper. On the odd occasion I've had these problems, but today it's been *all* day.
>
> I cannot send e-mail with more than a few lines - approx 150 words. It's as if there is a problem sending e-mail only as I can upload files, so it's not like I've got a problem with the ISP blocking anything outgoing of any real size.

Though it could be the ISP's outgoing email server - this is set up under Preferences/Account Settings. But perhaps your ISP is tightening up their systems.

> Has anyone any ideas that may be of assistance.
>
> Many thanks in advance.
>
> Regards,
> Patrick

--
Marghanita da Cruz
http://www.ramin.com.au
Phone: (+61)0414 869202
[SLUG] Opinions pls on best/easiest setup Groupware suite.
Hi Folks,

Wading into the quagmire that is groupware at the moment, and wondered what experiences might be out there, please.

Would prefer to use Dovecot over Cyrus, as Cyrus apparently doesn't do Maildir. And a reasonably significant preference for mail/calendar sharing in T'Bird/whatever_calendar_extension XP clients. Though, for the right suite, I guess I could drop T'Bird.

Does anyone have any enlightenment, please?

--
Kind Regards
Kyle
Re: [SLUG] Thunderbird send problems
Thanks Marghanita.

Update on this.

1. I had no net connection for about 18hrs. When I was able to call TPG they suggested I change the 'modulation type' setting in my modem (DSL-502T) from multi-mode to G.dmt. This fixed the net connection problem.

2. I have a MyNetFone VOIP adapter. By disconnecting the adapter from my network (modem - VOIP adapter - hub - PCs) I can now upload files to my online storage and send this e-mail, which is longer than 150 words.

It would appear there is something going on :)) but exactly what I'm not sure. The MyNetFone adapter works otherwise, and my connection is okay when it's plugged in, *but* my e-mail and uploading is seriously restricted when it's connected.

Any other assistance/suggestions would be most appreciated.

Regards,
Patrick

Marghanita da Cruz wrote:
> > It's as if there is a problem sending e-mail only as I can upload files, so it's not like I've got a problem with the ISP blocking anything outgoing of any real size.
>
> Though it could be the ISPs outgoing email server - this is setup under preferences/account settings. But perhaps your ISP is tightening up their systems.
>
> elliott-brennan wrote:
> > Hi All,
> >
> > I'm using Thunderbird 2.0.0.16 on Dapper. On the odd occasion I've had these problems, but today it's been *all* day.
> >
> > I cannot send e-mail with more than a few lines - approx 150 words. It's as if there is a problem sending e-mail only as I can upload files, so it's not like I've got a problem with the ISP blocking anything outgoing of any real size.
>
> Though it could be the ISPs outgoing email server - this is setup under preferences/account settings. But perhaps your ISP is tightening up their systems.
>
> > Has anyone any ideas that may be of assistance.
> >
> > Many thanks in advance.
> >
> > Regards,
> > Patrick

--
Registered GNU/Linux User 368634
Re: [SLUG] Opinions pls on best/easiest setup Groupware suite.
On 25/07/2008, at 3:25 PM, Kyle wrote:
> Hi Folks,
>
> wading in to the quagmire that is groupware at the moment and wondered what experiences might be out there pls.
>
> Would prefer to use dovecot over cyrus as cyrus apprently doesn't do maildir. And a reasonably significant preference for mail/calendar sharing in T'Bird/whatever_calendar_extension XP clients. Though, for the right suite, I guess I could drop T'Bird.
>
> Does anyone have any elnlightenment pls?

I've had some experience with Zimbra, not so much as a user, but as an admin. The users seem to like it, but it needs more computer resources than if you set up postfix/dovecot manually. I think the idea is you use the web interface, although it supports POP/IMAP too.

--
http://chesterton.id.au/blog/