Re: Greetings - I want to configure a proxy

2020-08-04 Thread Camaleón
On 2020-08-04 at 16:57 -0400, Karel Alexis Gayle Cutiño wrote:

> I need to install and configure a proxy, preferably squid (it is the one I
> know); if there is a better one, let me know.

Unless you have specific performance problems with the machine where
you want to install the proxy, Squid looks like a good option: it is well
known, there is very good documentation available in Spanish and it is in
the Debian repos.

> I need the proxy to limit downloads to a set number of
> megabytes for each connected user.

The question is too generic, but there are manuals for configuring
Squid that way all over the place, e.g.:

Bandwidth Limiting HOWTO
https://www.tldp.org/HOWTO/text/Bandwidth-Limiting-HOWTO

> My limitations are:
> * I have no access to repositories, so I need to know how to download the
> necessary packages
> * the possible access to repositories is through the mobile data
> connection of a smartphone with a dynamic IP, so the PC needs to be
> configured so that it can connect over USB without problems

You can download the Squid deb package, but in Debian applications
are highly modularized, so it may well have dependencies
that must be met before it installs. I would recommend accessing a
repository and installing it with apt.

Beyond configuring the phone to allow access, you are not going to have
many problems connecting Debian to a mobile phone and sharing the
data connection, whether via USB, WiFi or BT (tethering).

Regards,

-- 
Camaleón 



Announcing the version 1.0 hexpeek release!

2020-08-04 Thread hexpeek

Announcing the version 1.0 hexpeek release!

I am pleased to announce the first stable release of hexpeek, which
seeks to be an efficient, powerful, and portable hex editor for files
of all kinds and sizes.

This release improves on the beta release with a live undo, a greatly
increased backup depth, better support for writing to non-seekable
files, and some miscellaneous cleanup.

Visit https://www.hexpeek.com for more information.

Out of respect for the bandwidth on this mailing list, I do not plan
to announce future hexpeek releases here. There is a mailing list
on https://www.hexpeek.com where future announcements will be posted.

If you are interested in hexpeek becoming a package/port for your
distro, please let me know.



Re: Homebuilt NAS Advice

2020-08-04 Thread Leslie Rhorer

On 8/4/2020 10:18 AM, Andrei POPESCU wrote:
> On Ma, 04 aug 20, 01:17:13, deloptes wrote:
>> I don't backup music and video - too big and not changing. The raid is
>> enough for that.
>
> I'm guessing it depends on the music and videos.
>
> If you made them yourself they are basically irreplaceable and RAID will
> replicate any bitrot to the other copy undetected.


	Even if not, they still represent a great deal of time to accumulate 
and then to replace.  Most of mine have been recorded* from Cable TV 
programs, and replacing them would require either waiting a huge amount 
of time for all of them to be re-broadcast (if ever), or else purchasing 
literally thousands of Blu-Ray disks.


	Again, I cannot possibly reiterate that RAID is #NOT# a backup solution. 
 On several separate occasions I have lost an entire RAID array.  Each 
involved a completely different type of failure.  In two cases I was 
able to manually recover the arrays with only minimal loss of data.  In 
one, no data recovery at all was possible (a Windows system).  In every 
other case I had to resort to backup.  One of those times, it was the 
backup system which failed, and then DAR really saved my butt, as it has 
done on a number of occasions when the corruption was far less extensive.


* - All perfectly legally



Re: Homebuilt NAS Advice

2020-08-04 Thread Leslie Rhorer

On 8/4/2020 8:52 AM, Celejar wrote:
> On Tue, 4 Aug 2020 10:26:32 +0100
> Jonathan Dowland wrote:
>> On Tue, Aug 04, 2020 at 01:32:24AM -0700, David Christensen wrote:
>>> jdupes looks interesting, and should work on any file system that
>>> supports hard links.  I expect BorgBackup either calls jdupes or
>>> implements similar functionality:
>>>
>>> https://linuxcommandlibrary.com/man/jdupes.html
>>
>> I'm fairly sure Borg stores files by a hash of their contents and
>> maintains a separate index of names→hashes for each generation.
>
> Indeed:
>
> "To actually perform the repository-wide deduplication, a hash of each
> chunk is checked against the chunks cache, which is a hash-table of all
> chunks that already exist."
>
> https://borgbackup.readthedocs.io/en/stable/internals.html


	I prefer DAR for several reasons.  First of all, as I mentioned before, 
DAR is the only backup solution of which I am aware that can restore not 
only deleted or corrupted files, but which can also restore deletions. 
This means DAR can restore any or all files one chooses in a batch, but 
then if requested can go back and delete files which were deleted at a 
later time but prior to additional DAR backups.


	As a simple example, if one backs up an entire system, deletes several 
files, then does another backup, DAR can restore the system to the exact 
state of the last backup without losing any files in the archive, yet 
not restoring the deleted files.  This eliminates the need to ever 
"refresh" the main backup, keeping every file that was ever on the 
system, yet eliminating the need to delete files from a restore 
performed at a later time.


	DAR is also designed to work with removable media.  In this respect, it 
is similar to the venerable TAR utility, but while TAR is not designed 
to work with random access media, DAR is.  In fact, the name DAR is an 
acronym for Disk ARchive.


	Packages are available for Windows, MacOS, FreeBSD, and nearly all 
Linux distros, including Debian.


http://dar.linux.free.fr/doc/Features.html

http://dar.linux.free.fr/



Debian-Live-10.5.0 'Buster'-GNOME-nonfree.iso Installation failed.

2020-08-04 Thread Tzion cole
Respected sir/madam,

I downloaded Debian-Live-10.5.0-Gnome-nonfree.iso from the official website
and made a live USB stick using RUFUS 3.11. When I booted from the stick into
the live session from the boot menu, it gave me a `/vmimage error. So I went
directly to the graphical installation.

All things went well until the partitioning of the disk. I wiped all data and
went with the recommended installation, that is, using the whole disk. In the
step just after setting up the partitions, the installation failed. There was
no error code, nothing, just a message saying *Installation step
failed*. Then I aborted the installation process.


*I have installed the KDE version perfectly from the live image and it was a
success. I think there is something wrong with the GNOME ISO package.*

My system specification.

HP- Pavilion Notebook 15 au111tx
i5-7200u (7th gen)
16GB RAM
1TB HDD
BOOT METHOD USED - UEFI - Secure boot enabled.


Thank you.


Re: Homebuilt NAS Advice

2020-08-04 Thread Leslie Rhorer

On 8/3/2020 6:17 PM, deloptes wrote:
> Leslie Rhorer wrote:
>> My main server's data is backed up every morning by a
>> nearly identical backup server using rsync, which in turn is backed up
>> in its entirety on a multi-volume offline, off-site hard drive set using
>> DAR every few months.  All the boot systems employ two disk RAID 1
>> mirrors and all the data repositories consist of 5 - 8 spindle RAID 6
>> arrays.
>
> any thoughts on using deduplication? For example I started using borg some
> time ago. It saves a lot of space and makes it possible to have multiple
> backups and longer retention. I don't backup music and video - too big and
> not changing. The raid is enough for that.


	DAR has a number of unique capabilities, including restoring deletions, 
which is a very unique feature.  I don't know about you, but my video 
files represent many hundreds of hours of work, and replacing them en 
masse would be a huge and expensive undertaking.  The backup server 
maintains a daily update of all changes and new files.  The server just 
isn't all that expensive, comparatively speaking.  The DAR backup is 
even cheaper, since it is done on old drives removed from the arrays 
during upgrades.  In one sense, they are free.


	DAR allows for not only incremental backups, but also incremental 
deletions.  I find it extremely useful, and allows for as much space 
saving on the live system as one likes.  I suggest you check it out.




Re: firewalls

2020-08-04 Thread riveravaldez
On 8/4/20, Dan Ritter  wrote:
> mick crane wrote:
>> I've never really understood firewalls. I think the idea is that they
>> don't
>> let anything in that wasn't requested but if you go on a website there
>> are
>> so many hundreds of scripts looking at this and that who knows what
>> happens.
>
> I notice you didn't ask a question, but I'll answer it anyway.
>
> Near the bottom of the stack of networking is a link layer. For
> ethernet and related protocols, that means that there's an
> address for each interface -- ethernet calls it the MAC address.
>
> If you build a firewall to intercept at this level, you can stop
> traffic from specific local sources. That's it. There are
> situations where we do this -- layer 2 firewalling -- but they
> aren't very common.
>
> The next layer up, called layer 3, is IP addressing. IP
> connections involve IP addresses and IP subprotocols: UDP, TCP,
> and so forth. This is where most firewalls operate. An L3
> firewall usually starts with a generic directive to drop all
> traffic that it doesn't specifically allow, and then has a list
> of what to allow to each or all addresses being protected.
>
> So: you can stop all DNS traffic from Cloudflare, but you can't
> drop JavaScript embedded in a web page from Google.
>
> To do that, you need what is generically called an
> application-layer firewall, and those are usually set up on
> individual machines -- though they don't have to be -- and are
> frequently supplied with extensive, rapidly-updated block lists.
>
> Some of them you even run *inside* your web browser: uBlock
> Origin, for example. Highly recommended.
>
> -dsr-
>
> P.S. you may be wondering why the numbering goes 2, 3,
> "application". This is because:
>
> a) the OSI 7-layer model doesn't actually represent real
>    networks in this universe
> b) everything above layer 3 is kind of squishy
> c) most firewalls are actually reflecting the owner's policies
> in layers 8 and 9 of the 7-layer model: religion and politics.

Thanks a lot, Dan.

That was extremely educative (and beautiful).

If I can ask: which is the situation, in this aspect, in a
plain/straightforward Debian (net)installation? Let's say: what's the
by-default setting of the system?

Regards



Re: firewalls

2020-08-04 Thread Dan Ritter
mick crane wrote: 
> I've never really understood firewalls. I think the idea is that they don't
> let anything in that wasn't requested but if you go on a website there are
> so many hundreds of scripts looking at this and that who knows what happens.

I notice you didn't ask a question, but I'll answer it anyway.

Near the bottom of the stack of networking is a link layer. For
ethernet and related protocols, that means that there's an
address for each interface -- ethernet calls it the MAC address.

If you build a firewall to intercept at this level, you can stop
traffic from specific local sources. That's it. There are
situations where we do this -- layer 2 firewalling -- but they
aren't very common. 

The next layer up, called layer 3, is IP addressing. IP
connections involve IP addresses and IP subprotocols: UDP, TCP,
and so forth. This is where most firewalls operate. An L3
firewall usually starts with a generic directive to drop all
traffic that it doesn't specifically allow, and then has a list
of what to allow to each or all addresses being protected.

So: you can stop all DNS traffic from Cloudflare, but you can't
drop JavaScript embedded in a web page from Google.

To do that, you need what is generically called an
application-layer firewall, and those are usually set up on
individual machines -- though they don't have to be -- and are
frequently supplied with extensive, rapidly-updated block lists.

Some of them you even run *inside* your web browser: uBlock
Origin, for example. Highly recommended.

-dsr-

P.S. you may be wondering why the numbering goes 2, 3,
"application". This is because:

a) the OSI 7-layer model doesn't actually represent real
   networks in this universe
b) everything above layer 3 is kind of squishy
c) most firewalls are actually reflecting the owner's policies
in layers 8 and 9 of the 7-layer model: religion and politics.
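
What the message above describes at layer 3, written out as an nftables ruleset wrapped in a small shell script. This is an added example, not part of Dan's post; the function names, the SSH allowance and the use of the resolver addresses 1.1.1.1 and 1.0.0.1 for "DNS traffic from Cloudflare" are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): default-drop layer 3/4 filtering.
# Assumptions: nftables is the packet filter, SSH is the only service offered.

# Print the ruleset. Rules are evaluated top to bottom; anything that
# reaches the end of the input chain is dropped by its policy.
ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Address-based block: DNS answers from Cloudflare's public resolvers.
        # It must come before the "established" rule, which would otherwise
        # accept these replies to our own queries.
        ip saddr { 1.1.1.1, 1.0.0.1 } udp sport 53 drop
        ip saddr { 1.1.1.1, 1.0.0.1 } tcp sport 53 drop

        # The allow list.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 accept

        # No rule at this layer can single out one script inside a web page:
        # to the packet filter it is TCP from port 443, accepted by the
        # "established" rule together with the rest of the reply.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax check without loading (nft -c), or load for real. Both need root.
check_ruleset() { ruleset | nft -c -f -; }
apply_ruleset() { ruleset | nft -f -; }

case ${1:-} in
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *)     : ;;   # no argument: define the functions only
esac
```

Run it with "check" first; "apply" replaces whatever ruleset is currently loaded.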



Re: firewalls

2020-08-04 Thread deloptes
mick crane wrote:

> I've never really understood firewalls. I think the idea is that they
> don't let anything in that wasn't requested but if you go on a website
> there are so many hundreds of scripts looking at this and that who knows
> what happens.

this is a good point :) especially with a browser that has audio and
probably video hook up and running :D




firewalls

2020-08-04 Thread mick crane
I've never really understood firewalls. I think the idea is that they 
don't let anything in that wasn't requested but if you go on a website 
there are so many hundreds of scripts looking at this and that who knows 
what happens.


mick

--
Key ID4BFEBB31



Spam cleaning: July 2020

2020-08-04 Thread Jean-Pierre Giraud
Hello,
As we are now in August, it is now possible to
process the July 2020 archives of the French-language lists.

Of course, do not forget to add your name to the list of reviewers
so that we know where we stand.

Details of the spam cleaning process at:

https://wiki.debian.org/I18n/FrenchSpamClean



Re: Greetings - I want to configure a proxy

2020-08-04 Thread Rolando Granados
Hello,

Wouldn't it be easier to check whether your router can do the
bandwidth control, or to replace it with one that can?

*I have no access to repositories, so I need to know how to download the
necessary packages*
I'm sending you this article, which describes some ways of installing packages
offline.

*the possible access to repositories is through the mobile data
connection of a smartphone with a dynamic IP, so the PC needs to be
configured so that it can connect over USB without problems*
Yes, it can be done; the PC only needs to have internet access to reach the
repositories, but if you did it from the smartphone the PC would have to have
a WiFi adapter.



Regards, I hope I have helped you.




On Tue, 4 Aug 2020 at 16:06, Karel Alexis Gayle Cutiño (
karelga...@nauta.cu) wrote:

> Hello, community
>
> I need to install and configure a proxy, preferably squid (it is the one I
> know); if there is a better one, let me know.
>
> I need the proxy to limit downloads to a set number of
> megabytes for each connected user.
>
> My limitations are:
> * I have no access to repositories, so I need to know how to download
> the necessary packages
> * the possible access to repositories is through the mobile data
> connection of a smartphone with a dynamic IP, so the PC needs to be
> configured so that it can connect over USB without problems
>
> I have Debian 10, and a router connected to the PC via eth that supports
> WiFi, which is how the users will connect
> _
> DTB
> Karel


Re: Previous versions of Debian

2020-08-04 Thread JavierDebian

On 4/8/20 at 14:30, Rafael wrote:

> Good afternoon, again.
>
> I have now found the mirror:
> https://cdimage.debian.org/mirror/cdimage/archive/3.0_r1/i386/jigdo-cd/
>
> But I do not know how to download the ISOs with the jigdo files.
> Could you tell me how it is done, or point me to some page?
>
> Thanks in advance once more

Download the ISO images.

jigdo does not work well for downloading versions THIS old; some files
tend to be missing.


$ wget -c 'https://cdimage.debian.org/mirror/cdimage/archive/3.1_r8/i386/iso-cd/debian-31r8-i386-businesscard.iso'


And then, yes, point sources.list at the repository.

JAP



Greetings - I want to configure a proxy

2020-08-04 Thread Karel Alexis Gayle Cutiño
Hello, community

I need to install and configure a proxy, preferably squid (it is the one I
know); if there is a better one, let me know.

I need the proxy to limit downloads to a set number of
megabytes for each connected user.

My limitations are:
* I have no access to repositories, so I need to know how to download the
necessary packages
* the possible access to repositories is through the mobile data connection
of a smartphone with a dynamic IP, so the PC needs to be configured so that
it can connect over USB without problems

I have Debian 10, and a router connected to the PC via eth that supports WiFi,
which is how the users will connect
_
DTB
Karel 

Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Dan Ritter
Reco wrote: 
>   Hi.
> 
> On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> > Is it possible (how?) to restrict a user to only be allowed to make use of
> > its sudo usage permission if working at the physical console, not granting
> > to this user sudo permission when i.e. logged in via ssh? To keep it simple,
> > I could imagine to even have all sudo for all users deactivated
> > automatically as soon as a remote connection by ANY user is detected.
> 
> Yes. It's an unusual (some may say - dangerous) thing that you're
> asking, so prepare for the unusual side effects.
> 
> --- a/etc/pam.d/sudo   2020-08-04 18:40:26.528699633 +
> +++ b/etc/pam.d/sudo   2020-08-04 18:40:26.296579395 +
> @@ -1,5 +1,6 @@
>  #%PAM-1.0
> 
>  @include common-auth
> +auth required pam_succeed_if.so tty =~ /dev/tty*
>  @include common-account
>  @include common-session-noninteractive
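
Review bot: The added auth line sits after "@include common-auth", so a session on a non-matching tty is refused only once the password stack has already run. Moving the pam_succeed_if.so line above the include and marking it "requisite" instead of "required" would end the stack before any password is asked for. Keep a root shell open on a matching tty while testing, since the check applies to root as well.
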
> 
> 
> I'm assuming that by "physical console" you mean that lovely
> conventional virtual terminal kernel facility (i.e. those funny letters
> that appear on your screen when you press Ctrl+Alt+F2). Be warned that
> in the current form it *will* break sudo for anyone, root included, for
> any process whose "tty" attribute does not match /dev/tty*, be it ssh,
> screen, tmux, and (possibly) X/Wayland sessions.
> Worked for me in the case of real servers, just in case.
 
It should also match for serial connections, including modem users,
should you have any of such. And USB serial terminals.

-dsr-



Re: PATH question

2020-08-04 Thread Gene Heskett
On Tuesday 04 August 2020 15:46:05 Gene Heskett wrote:

> On Tuesday 04 August 2020 14:57:49 Greg Wooledge wrote:
> > On Tue, Aug 04, 2020 at 02:49:00PM -0400, Gene Heskett wrote:
> > > > If so, are you logging in via sddm,
> > > > which is what KDE on Debian normally uses?
> > >
> > > probably not, but I'm talking about my own shell, which is
> > > probably started by the tde version of lightdm.
> >
> > So you've configured lightdm to perform an autologin?  Yikes.
> >
> > Well, it probably goes through the Debian X11 session which means
> > you configure environment stuff in ~/.xsessionrc.
> >
> > > > the ~/.bashrc file, which will pick up the PATH change.  When
> > > > all of the windows have been re-shelled, you can edit ~/.bashrc
> > > > again to remove the PATH=... command, since you don't want it to
> > > > stay there.
> > >
> > > But I do want it to remain, just like the $HOME/bin that prefaces
> > > to $PATH I can see with an echo $PATH right now.
> >
> > But you said .profile in the first email.  I said .bashrc.  Now
> > you're saying that you're actually using .bashrc and not .profile?!
>
> I did, because that is where I found the existing $PATH defined. There
> is no mention of PATH in my .bashrc.
>
> > The problem with putting PATH=... in .bashrc is that it gets read by
> > each shell that starts up.  If you ever have a nested set of shells
> > (e.g. you start a terminal with a shell in it, which is shell level
> > one, and then you run an editor, and then from the editor you
> > perform a shell escape, which is now shell level two...) then you
> > end up with duplicate entries in PATH.
>
> Yes, pita to clear them out too.
>
> > In the most degenerate cases you can end up with
> > PATH=/foo:/foo:/foo:
> >
> > That's why you usually try to put some effort into finding the *one*
> > place that you can add a directory to your PATH *one* time, without
> > breaking anything.
>
> Precisely.
>
> > But if you prefer to be lazy, then sure, go ahead and use .bashrc
> > and end up with repeated eternally long PATH entries.
>
> And that's a bad dog, no biscuit.
>
> Thanks. I guess I'll reboot but that rather resembles using a
> sledgehammer on a gnat.  So since I don't seem to be able to express what
> I want with the whole world assuming I am logging in from a remote
> terminal, I'll close the thread with a reboot as I can setup the rest
> of my working env in 10 to 15 minutes, what I was trying to avoid.
>
> Thank you
> Cheers, Gene Heskett

And that worked.


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: PATH question

2020-08-04 Thread Gene Heskett
On Tuesday 04 August 2020 14:57:49 Greg Wooledge wrote:

> On Tue, Aug 04, 2020 at 02:49:00PM -0400, Gene Heskett wrote:
> > > If so, are you logging in via sddm,
> > > which is what KDE on Debian normally uses?
> >
> > probably not, but I'm talking about my own shell, which is probably
> > started by the tde version of lightdm.
>
> So you've configured lightdm to perform an autologin?  Yikes.
>
> Well, it probably goes through the Debian X11 session which means
> you configure environment stuff in ~/.xsessionrc.
>
> > > the ~/.bashrc file, which will pick up the PATH change.  When all
> > > of the windows have been re-shelled, you can edit ~/.bashrc again
> > > to remove the PATH=... command, since you don't want it to stay
> > > there.
> >
> > But I do want it to remain, just like the $HOME/bin that prefaces to
> > $PATH I can see with an echo $PATH right now.
>
> But you said .profile in the first email.  I said .bashrc.  Now you're
> saying that you're actually using .bashrc and not .profile?!
>
I did, because that is where I found the existing $PATH defined. There is 
no mention of PATH in my .bashrc.

> The problem with putting PATH=... in .bashrc is that it gets read by
> each shell that starts up.  If you ever have a nested set of shells
> (e.g. you start a terminal with a shell in it, which is shell level
> one, and then you run an editor, and then from the editor you perform
> a shell escape, which is now shell level two...) then you end up with
> duplicate entries in PATH.

Yes, pita to clear them out too.

> In the most degenerate cases you can end up with
> PATH=/foo:/foo:/foo:
>
> That's why you usually try to put some effort into finding the *one*
> place that you can add a directory to your PATH *one* time, without
> breaking anything.

Precisely.
>
> But if you prefer to be lazy, then sure, go ahead and use .bashrc and
> end up with repeated eternally long PATH entries.

And that's a bad dog, no biscuit.

Thanks. I guess I'll reboot but that rather resembles using a 
sledgehammer on a gnat.  So since I don't seem to be able to express what I 
want with the whole world assuming I am logging in from a remote 
terminal, I'll close the thread with a reboot as I can setup the rest of 
my working env in 10 to 15 minutes, what I was trying to avoid.

Thank you
Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Gene Heskett
On Tuesday 04 August 2020 12:43:58 Curt wrote:

> On 2020-08-01, riveravaldez  wrote:
> > Is this possible?
> >
> > Hi, to clarify: I would like to connect to a remote home-machine
> > (dynamic IP) through SSH session but without using a third-party
> > server (free or paid), just with software running in both machines.
>
> If the client machine (the one from which you wish to establish the
> remote SSH session) has a static, public IP address, you could set up
> a reverse ssh tunnel initiated by the destination machine.

this is a shell on its own workspace, all of which belongs to me. I've 
found I can set the $PATH, then export it, and it works for that shell 
only. I want it applied to every shell open in my username.

Thanks

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: PATH question

2020-08-04 Thread Greg Wooledge
On Tue, Aug 04, 2020 at 02:49:00PM -0400, Gene Heskett wrote:
> > If so, are you logging in via sddm, 
> > which is what KDE on Debian normally uses?
> probably not, but I'm talking about my own shell, which is probably 
> started by the tde version of lightdm.

So you've configured lightdm to perform an autologin?  Yikes.

Well, it probably goes through the Debian X11 session which means
you configure environment stuff in ~/.xsessionrc.

> > the ~/.bashrc file, which will pick up the PATH change.  When all
> > of the windows have been re-shelled, you can edit ~/.bashrc again
> > to remove the PATH=... command, since you don't want it to stay there.
> 
> But I do want it to remain, just like the $HOME/bin that prefaces to 
> $PATH I can see with an echo $PATH right now.

But you said .profile in the first email.  I said .bashrc.  Now you're
saying that you're actually using .bashrc and not .profile?!

The problem with putting PATH=... in .bashrc is that it gets read by
each shell that starts up.  If you ever have a nested set of shells
(e.g. you start a terminal with a shell in it, which is shell level one,
and then you run an editor, and then from the editor you perform a
shell escape, which is now shell level two...) then you end up with
duplicate entries in PATH.

In the most degenerate cases you can end up with PATH=/foo:/foo:/foo:

That's why you usually try to put some effort into finding the *one*
place that you can add a directory to your PATH *one* time, without
breaking anything.

But if you prefer to be lazy, then sure, go ahead and use .bashrc and
end up with repeated eternally long PATH entries.
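
An idempotent way to add a directory, so that a line re-read by every nested shell cannot grow PATH; this is an added example, not part of Greg's post, and path_clean and path_prepend are hypothetical helper names. It also drops empty entries, such as the one left by the trailing colon in PATH=/foo:/foo:/foo:, because the shell treats an empty PATH entry as the current directory.

```sh
#!/bin/sh
# Added example (not from the thread). POSIX sh, no external commands.

# path_clean LIST
#   Print the colon-separated LIST with duplicates removed (the first
#   occurrence wins) and empty entries dropped. An empty entry, produced by
#   a leading or trailing ':' or by '::', means "current directory".
path_clean() {
    _in="$1:"                       # terminate the last element too
    _out=
    while [ -n "$_in" ]; do
        _dir=${_in%%:*}             # first element
        _in=${_in#*:}               # rest of the list
        [ -n "$_dir" ] || continue  # drop the empty entry
        case ":$_out:" in
            *":$_dir:"*) ;;         # already present, skip
            *) _out=${_out:+$_out:}$_dir ;;
        esac
    done
    printf '%s\n' "$_out"
}

# path_prepend DIR LIST
#   Print LIST with DIR as its first entry, exactly once. A DIR that is not
#   an absolute path is refused: the cleaned LIST is printed unchanged and
#   the function returns 1.
path_prepend() {
    case $1 in
        /*) path_clean "$1:$2" ;;
        *)  path_clean "$2"; return 1 ;;
    esac
}

# In a startup file the call would be:
#   PATH=$(path_prepend "$HOME/AppImage" "$PATH"); export PATH

# Constructed demonstration: three nested shells re-reading the same line.
demo_path=/usr/local/bin:/usr/bin:/bin
for _level in 1 2 3; do
    demo_path=$(path_prepend /home/me/AppImage "$demo_path")
done
printf 'after three nested shells: %s\n' "$demo_path"
printf 'degenerate case cleaned:   %s\n' "$(path_clean '/foo:/foo:/foo:')"
```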



Re: PATH question

2020-08-04 Thread Gene Heskett
On Tuesday 04 August 2020 12:34:21 Greg Wooledge wrote:

> On Tue, Aug 04, 2020 at 12:25:11PM -0400, Gene Heskett wrote:
> > I just created a /home/me/AppImage directory, moved some appimages
> > into it, and added another stanza to add that to my .profile. Do I
> > have to logout the 15 processes or so I have running now and
> > effectively restart the system to make that path take effect? 
> > Closing all konsole sessions on this workspace and opening fresh
> > konsole's is not bringing that path into effect.
>
> It depends on several things.  You say you're using konsole, so does
> that mean you're running KDE? 

No. TDE uptodate r14.

> If so, are you logging in via sddm, 
> which is what KDE on Debian normally uses?
probably not, but I'm talking about my own shell, which is probably 
started by the tde version of lightdm.
 
> If all of those things are 
> true, then editing .profile probably doesn't do anything at all.  An
> sddm login running a Debian X11 session which runs KDE shouldn't
> be reading the .profile file.  Ever.
>
> Are you logging in on a console and running startx?

No, x is self starting.  The shells I open are on one of 8 or so on one  
of many "workspaces".

> In that case, 
> your .profile *will* be read, by your console login shell, and the
> changes to PATH and other environmental bits and bobs will all be
> inherited by the X11 session, then by the window manager, then by
> the terminals which are children of the window manager, and then by
> the shell run inside the terminal, and then by the programs launched
> by the shell.
>
> If you aren't using startx from a console login, then the right place
> to make modifications to PATH would be in the ~/.xsessionrc file.
>
> I *just* got done saying all this stuff last week.
>
> Now, your immediate question was how to make the PATH change take
> effect in all of your existing terminal windows, without having to
> log out and back in.  There's no single command that'll just blast
> it out to all of them.  Each one is an independent self-contained
> process, with its own separate copy of the environment.  You'll
> have to go around to each window, one by one.
>
> The most straightforward way to do it would be to paste your PATH=...
> command into each window.
>
> If you don't like that approach, you could add your PATH=... to
> your ~/.bashrc file (assuming you use bash) temporarily.  Then in
> each window, run "exec bash" to run a new shell, which will read
> the ~/.bashrc file, which will pick up the PATH change.  When all
> of the windows have been re-shelled, you can edit ~/.bashrc again
> to remove the PATH=... command, since you don't want it to stay there.

But I do want it to remain, just like the $HOME/bin that prefaces to 
$PATH I can see with an echo $PATH right now. In effect making "freecad" 
look for its appimage there, before spending another second scanning the 
rest of the env looking for it.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Reco
Hi.

On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> Is it possible (how?) to restrict a user to only be allowed to make use of
> its sudo usage permission if working at the physical console, not granting
> to this user sudo permission when i.e. logged in via ssh? To keep it simple,
> I could imagine to even have all sudo for all users deactivated
> automatically as soon as a remote connection by ANY user is detected.

Yes. It's an unusual (some may say - dangerous) thing that you're
asking, so prepare for the unusual side effects.

--- a/etc/pam.d/sudo   2020-08-04 18:40:26.528699633 +
+++ b/etc/pam.d/sudo   2020-08-04 18:40:26.296579395 +
@@ -1,5 +1,6 @@
 #%PAM-1.0

 @include common-auth
+auth required pam_succeed_if.so tty =~ /dev/tty*
 @include common-account
 @include common-session-noninteractive
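
Review bot: the glob in the added `auth required pam_succeed_if.so tty =~ /dev/tty*` line is wider than the virtual terminals the message describes. `=~` is a glob match, so `/dev/tty*` also admits serial lines such as /dev/ttyS0 or /dev/ttyUSB0; if only the kernel virtual terminals are meant, a tighter pattern, for example `/dev/tty[0-9]*`, would say so. The line also sits after `@include common-auth`, so a caller on a non-matching tty is still asked for a password before being refused; placing it first with `requisite` would refuse up front. A comment above the line stating the intent would help whoever edits this file next.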


I'm assuming that by "physical console" you mean that lovely
conventional virtual terminal kernel facility (i.e. those funny letters
that appear on your screen when you press Ctrl+Alt+F2). Be warned that
in the current form it *will* break sudo for anyone, root included, for
any process whose "tty" attribute does not match /dev/tty*, be it ssh,
screen, tmux, and (possibly) X/Wayland sessions.
Worked for me in the case of real servers, just in case.

Reco
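
What the added pam_succeed_if line admits, modeled in Python as an added example (not Reco's code and not part of the original message). The sample tty values, the tightened `/dev/tty[0-9]*` variant and the premise that sudo hands PAM the full device path are assumptions made for illustration.

```python
"""Preview which sessions a pam_succeed_if tty rule in /etc/pam.d/sudo admits.
Added example; the tty values and the tightened pattern are constructed."""
import re
from fnmatch import fnmatchcase

# The patched file from the message, as text.
PAM_SUDO = """\
#%PAM-1.0

@include common-auth
auth required pam_succeed_if.so tty =~ /dev/tty*
@include common-account
@include common-session-noninteractive
"""

# Hypothetical variant: /dev/tty must be followed by a digit.
PAM_SUDO_TIGHT = PAM_SUDO.replace("/dev/tty*", "/dev/tty[0-9]*")

# Constructed PAM_TTY values for typical session types.
SAMPLE_TTYS = {
    "virtual terminal": "/dev/tty2",
    "ssh/screen/tmux (pty)": "/dev/pts/3",
    "serial console": "/dev/ttyS0",
    "USB serial adapter": "/dev/ttyUSB0",
    "no terminal": "",
}

# type, control (plain word or [bracketed list]), module, arguments
PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

OPS = {
    "=": lambda value, arg: value == arg,
    "!=": lambda value, arg: value != arg,
    "=~": lambda value, arg: fnmatchcase(value, arg),       # glob match
    "!~": lambda value, arg: not fnmatchcase(value, arg),   # glob mismatch
}


def tty_conditions(pam_text):
    """Return (control, op, pattern) for every pam_succeed_if test on tty."""
    found = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = PAM_LINE.match(line)                  # @include lines do not match
        if not m or not m.group(3).endswith("pam_succeed_if.so"):
            continue
        args = m.group(4).split()
        for i in range(len(args) - 2):
            if args[i] == "tty" and args[i + 1] in OPS:
                found.append((m.group(2), args[i + 1], args[i + 2]))
    return found


def admitted(pam_text, ttys=SAMPLE_TTYS):
    """Map each session label to True when every mandatory tty test passes.

    Only 'required' and 'requisite' rules are treated as mandatory; other
    control values are ignored by this model.
    """
    mandatory = [(op, pat) for control, op, pat in tty_conditions(pam_text)
                 if control in ("required", "requisite")]
    return {label: all(OPS[op](tty, pat) for op, pat in mandatory)
            for label, tty in ttys.items()}


if __name__ == "__main__":
    for title, text in (("as posted", PAM_SUDO), ("tightened", PAM_SUDO_TIGHT)):
        print(title, tty_conditions(text))
        for label, ok in admitted(text).items():
            print(f"  {label:24} {'sudo allowed' if ok else 'sudo refused'}")
```

Running it shows the posted rule refusing pty and terminal-less sessions while still admitting serial lines, which the tightened pattern excludes.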



Fwd: Older versions of Debian

2020-08-04 Thread Raúl Armenta
-- Forwarded message -
From: Rafael 
Date: Tue, 4 Aug 2020 19:48
Subject: Older versions of Debian
To: 


 Forwarded message 
Subject: Older versions of Debian
Date: Tue, 4 Aug 2020 16:58:16 +0200
From: Rafael  
To: debian-user-spanish@lists.debian.org

Good afternoon.

Could you tell me where to find the ISOs of Debian woody 3.2 on DVD
for i386?

Thanks in advance.



Good afternoon, again.

I have found the mirror:
https://cdimage.debian.org/mirror/cdimage/archive/3.0_r1/i386/jigdo-cd/
But I don't know how to download the ISOs with the jigdo files.
Could you tell me how it is done, or point me to some page?

Thanks in advance once more.


Search on DuckDuckGo

https://blog.desdelinux.net/jigdo-crear-descargar-isos-debian/

Regards.

Noseasasi

Re: Older versions of Debian

2020-08-04 Thread Camaleón
On 2020-08-04 at 19:30 +0200, Rafael wrote:

> Good afternoon, again.
> 
> I have found the mirror:
> https://cdimage.debian.org/mirror/cdimage/archive/3.0_r1/i386/jigdo-cd/
> But I don't know how to download the ISOs with the jigdo files.
> Could you tell me how it is done, or point me to some page?

You have the DVD ISO for 3.0_r6:

https://cdimage.debian.org/mirror/cdimage/archive/3.0_r6/i386/iso-dvd/

If you prefer JIGDO:

https://www.debian.org/CD/jigdo-cd/

Regards,

-- 
Camaleón 



Re: Lenovo S205 boot

2020-08-04 Thread Russell L. Harris

On Tue, Aug 04, 2020 at 07:04:13PM +0200, Sven Hoexter wrote:

so far I can only confirm that the grub installation fails with
both stable and testing. It seems something is at odds with writing
the efivars. I did not yet get around to try again if I can switch
the installation back to using grub-legacy somehow.


I would not mind going back to Wheezy, if necessary.

I envisioned the notebook machine for composition tasks when away from
the office; so about the only software I would be using is Emacs,
xdvi, and a dictionary, along with something such as rsync or scp or
git to transfer new material back to the desktop upon return to the
office.  The notebook is much preferable to pen and paper.

RLH



Older versions of Debian

2020-08-04 Thread Rafael


 Forwarded message 
Subject: Older versions of Debian
Date:  Tue, 4 Aug 2020 16:58:16 +0200
From: Rafael 
To:   debian-user-spanish@lists.debian.org



Good afternoon.

Could you tell me where to find the ISOs of Debian woody 3.2 on
DVD for i386?


Thanks in advance.



Good afternoon, again.

I have found the mirror:
https://cdimage.debian.org/mirror/cdimage/archive/3.0_r1/i386/jigdo-cd/

But I don't know how to download the ISOs with the jigdo files.
Could you tell me how it is done, or point me to some page?

Thanks in advance once more.


Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Charles Curley
On Mon, 3 Aug 2020 21:05:57 -0500
David Wright  wrote:

> How do you keep this set of dynamic DNS providers informed each time
> your home's IP address changes, bearing in mind nobody's at home?

I do that with ddclient. Run:

apt show ddclient

You may want to ensure that ddclient supports the ddns server you use.
I use changeip.com.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: Problems booting Debian (was: Richiesta Contatto)

2020-08-04 Thread Matias Mucciolo


- Original Message -
> From: "Camaleón" 
> To: "debian-user-spanish" 
> Sent: Tuesday, August 4, 2020 1:37:08 PM
> Subject: Re: Problems booting Debian (was: Richiesta Contatto)

> On 2020-08-04 at 16:01 +, carlossalidoarj...@gmail.com wrote:
> 
> (forwarding to the list)
> 
>> On Tuesday, 4 August 2020, Camaleón wrote:
>> > On 2020-08-04 at 10:52 +, Carlos salido arjona wrote:
>> > 
>> > > Good morning Richiesta, since updating to Debian 10.5 I cannot
>> > > boot the system; GRUB does not start.
>> > 
>> > Are you replying with a question to a spam message? :-)
>> > 
>> > If you have problems booting Debian, tell us exactly how far you
>> > get. And if you reach the GRUB menu, try selecting the advanced
>> > «recovery mode» option to see whether the system boots.
> 
>> Hello, after updating Debian 10.4 to Debian 10.5 GRUB does not appear;
>> the screen stays black.
> 
> If you don't get to see the boot loader (GRUB), try loading
> SuperGRUB2Disk¹ (it is a LiveCD/USB) so you can boot Debian from there.
> 
> If that works, once inside your Debian system,
> reinstall/reconfigure GRUB2 to see whether you can recover it.
> 
>> I had several hard disks with other Linux systems; I erased them,
>> tried to install only Debian, and after installing and rebooting the
>> screen stays black.
> 
> It is possible that the boot loader of the partition you had marked
> as the boot partition has been upset.
> 
> ¹https://www.supergrubdisk.org/super-grub2-disk/
> 
> Regards,
> 
> --
> Camaleón

Careful with this:
it is quite possibly because of the BootHole vuln., or something like that
it's called; many systems with grub2 stopped working after an update.

Example: centos/rh

https://arstechnica.com/gadgets/2020/07/red-hat-and-centos-systems-arent-booting-due-to-boothole-patches/

I haven't read much about Debian and this bug,
but I know that this bug was patched precisely in version 10.5.

Regards




Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Curt
On 2020-08-01, riveravaldez  wrote:
> Is this possible?
>
> Hi, to clarify: I would like to connect to a remote home-machine
> (dynamic IP) through SSH session but without using a third-party
> server (free or paid), just with software running in both machines.

If the client machine (the one from which you wish to establish the
remote SSH session) has a static, public IP address, you could set up a
reverse ssh tunnel initiated by the destination machine.



Re: Lenovo S205 boot

2020-08-04 Thread Sven Hoexter
On Thu, Jul 30, 2020 at 10:04:18AM +0200, Sven Hoexter wrote:
> On Thu, Jul 30, 2020 at 04:38:20AM +, Russell L. Harris wrote:
> > On an older Lenovo S205 on which I never have managed to get Debian
> > running, I did a netinstall of
> > debian-bullseye-DI-alpha2-amd64-netinst.iso
> 
> Uh it's been a while since
> https://wiki.debian.org/InstallingDebianOn/Lenovo/ideapadS205/wheezy
> 
> But lately I repurposed that for some test and had
> Alpine installed, so in general it's still well supported by
> Linux. Maybe I managed some time next week to give it a try with
> Debian again.

Hi,
so far I can only confirm that the grub installation fails with
both stable and testing. It seems something is at odds with writing
the efivars. I did not yet get around to try again if I can switch
the installation back to using grub-legacy somehow.

Sven



Re: error in apt update

2020-08-04 Thread Marcelo Eduardo Giordano



On 4/8/20 13:43, Camaleón wrote:

On 2020-08-04 at 13:22 -0300, Marcelo Eduardo Giordano wrote:


When I run apt update it gives me this error

http://deb.debian.org/debian buster InRelease' changed its 'Version' value
from '10.4' to '10.5'

(...)

In this thread on the English-language Debian list they discuss that error:

error while doing apt-get update
https://lists.debian.org/debian-user/2019/09/msg00218.html

See whether what they suggest helps you.

Regards,


Thanks



Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread tomas
On Tue, Aug 04, 2020 at 10:24:16AM -0500, John Hasler wrote:
> tomas writes:
> > OTOH practice has shown: if you're doing sudo, you will have forgotten
> > your root password anyway when you need it (I have, it's some horrible
> > "pwgen -n 16" or something), and it' back to...
> 
> It should be written down somewhere secure.  Depending on your threat
> model this can be on a note taped to the inside of the machine, in your
> safe, or even in the notebook where you keep all your other passwords.

It's in a file on the encrypted harddisk. Now you may ask... ;-)

Yes, of course. It's in a backup, on an (also) encrypted medium. But all
those possibilities (the ones you mention no less) mean that "init=/bin/sh"
or rescue medium are less work (I haven't a safe).

This is the point I was trying to make: a password you don't use often
isn't that useful if there are perfectly viable alternatives. Thus, /if/
you are using sudo, root password loses much of its glamour. This is
something I learnt slowly.

Cheers
 - t




Re: error in apt update

2020-08-04 Thread Marcelo Eduardo Giordano

Thanks

On 4/8/20 13:30, Matias Mucciolo wrote:

- Original Message -
From: "Marcelo Eduardo Giordano" 
To: "debian-user-spanish" 
Sent: Tuesday, August 4, 2020 1:22:56 PM
Subject: error in apt update

When I run apt update it gives me this error

http://deb.debian.org/debian buster InRelease' changed its 'Version'
value from '10.4' to '10.5'

These are my repositories; should I change them?


deb http://deb.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main
contrib non-$
deb http://deb.debian.org/debian/ buster-updates main contrib non-free
deb https://www.deb-multimedia.org buster main non-free
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
deb http://security.debian.org/ buster/updates main contrib non-free

Many thanks


Hello Marcelo,

this is not an error,
only a notice that there has been a new minor release.

Regards
Matias.-




Re: error in apt update

2020-08-04 Thread Camaleón
On 2020-08-04 at 13:22 -0300, Marcelo Eduardo Giordano wrote:

> When I run apt update it gives me this error
> 
> http://deb.debian.org/debian buster InRelease' changed its 'Version' value
> from '10.4' to '10.5'

(...)

In this thread on the English-language Debian list they discuss that error:

error while doing apt-get update
https://lists.debian.org/debian-user/2019/09/msg00218.html

See whether what they suggest helps you.

Regards,

-- 
Camaleón 



Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Andy Smith
Hi Marco,

On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> Is it possible (how?) to restrict a user to only be allowed to make use of
> its sudo usage permission if working at the physical console, not granting
> to this user sudo permission when i.e. logged in via ssh?

I was intrigued by this question so I tried to find out how to do
it. I was unsuccessful and only got as far as:

https://www.sudo.ws/pipermail/sudo-users/2009-April/004015.html

Probably the feature has not been added to sudo in the last 11 years
either.

Perhaps using pam_group.so you could force users on certain ttys
into a specific group, and allow that group (only) to use sudo?

http://www.linux-pam.org/Linux-PAM-html/sag-pam_group.html

I've never done it but the above seems to imply that putting
something like:

 *;tty*;*;*;mysudogroup

into /etc/security/group.conf would put any user logging in on tty*
into the group "mysudogroup". If you allowed "mysudogroup" to use
sudo in /etc/sudoers then maybe that works.

I would be interested to know if that is a workable solution.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Problems booting Debian (was: Richiesta Contatto)

2020-08-04 Thread Camaleón
On 2020-08-04 at 16:01 +, carlossalidoarj...@gmail.com wrote:

(forwarding to the list)

> On Tuesday, 4 August 2020, Camaleón wrote:
> > On 2020-08-04 at 10:52 +, Carlos salido arjona wrote:
> > 
> > > Good morning Richiesta, since updating to Debian 10.5 I cannot
> > > boot the system; GRUB does not start.
> > 
> > Are you replying with a question to a spam message? :-)
> > 
> > If you have problems booting Debian, tell us exactly how far you
> > get. And if you reach the GRUB menu, try selecting the advanced
> > «recovery mode» option to see whether the system boots.

> Hello, after updating Debian 10.4 to Debian 10.5 GRUB does not appear;
> the screen stays black.

If you don't get to see the boot loader (GRUB), try loading
SuperGRUB2Disk¹ (it is a LiveCD/USB) so you can boot Debian from there.

If that works, once inside your Debian system,
reinstall/reconfigure GRUB2 to see whether you can recover it.

> I had several hard disks with other Linux systems; I erased them,
> tried to install only Debian, and after installing and rebooting the
> screen stays black.

It is possible that the boot loader of the partition you had marked
as the boot partition has been upset.

¹https://www.supergrubdisk.org/super-grub2-disk/

Regards,

-- 
Camaleón 



Re: error in apt update

2020-08-04 Thread Matias Mucciolo


- Original Message -
From: "Marcelo Eduardo Giordano" 
To: "debian-user-spanish" 
Sent: Tuesday, August 4, 2020 1:22:56 PM
Subject: error in apt update

When I run apt update it gives me this error

http://deb.debian.org/debian buster InRelease' changed its 'Version' 
value from '10.4' to '10.5'

These are my repositories; should I change them?


deb http://deb.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main 
contrib non-$
deb http://deb.debian.org/debian/ buster-updates main contrib non-free
deb https://www.deb-multimedia.org buster main non-free
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
deb http://security.debian.org/ buster/updates main contrib non-free

Many thanks


Hello Marcelo,

this is not an error,
only a notice that there has been a new minor release.

Regards
Matias.-



Re: PATH question

2020-08-04 Thread Greg Wooledge
On Tue, Aug 04, 2020 at 12:25:11PM -0400, Gene Heskett wrote:
> I just created a /home/me/AppImage directory, moved some appimages into 
> it, and added another stanza to add that to my .profile. Do I have to 
> logout the 15 processes or so I have running now and effectively restart 
> the system to make that path take effect?  Closing all konsole sessions 
> on this workspace and opening fresh konsole's is not bringing that path 
> into effect.

It depends on several things.  You say you're using konsole, so does
that mean you're running KDE?  If so, are you logging in via sddm,
which is what KDE on Debian normally uses?  If all of those things are
true, then editing .profile probably doesn't do anything at all.  An
sddm login running a Debian X11 session which runs KDE shouldn't
be reading the .profile file.  Ever.

Are you logging in on a console and running startx?  In that case,
your .profile *will* be read, by your console login shell, and the
changes to PATH and other environmental bits and bobs will all be
inherited by the X11 session, then by the window manager, then by
the terminals which are children of the window manager, and then by
the shell run inside the terminal, and then by the programs launched
by the shell.

If you aren't using startx from a console login, then the right place
to make modifications to PATH would be in the ~/.xsessionrc file.

I *just* got done saying all this stuff last week.

Now, your immediate question was how to make the PATH change take
effect in all of your existing terminal windows, without having to
log out and back in.  There's no single command that'll just blast
it out to all of them.  Each one is an independent self-contained
process, with its own separate copy of the environment.  You'll
have to go around to each window, one by one.

The most straightforward way to do it would be to paste your PATH=...
command into each window.

If you don't like that approach, you could add your PATH=... to
your ~/.bashrc file (assuming you use bash) temporarily.  Then in
each window, run "exec bash" to run a new shell, which will read
the ~/.bashrc file, which will pick up the PATH change.  When all
of the windows have been re-shelled, you can edit ~/.bashrc again
to remove the PATH=... command, since you don't want it to stay there.



PATH question

2020-08-04 Thread Gene Heskett
Greeting all;

This box is on stretch.

I just created a /home/me/AppImage directory, moved some appimages into 
it, and added another stanza to add that to my .profile. Do I have to 
logout the 15 processes or so I have running now and effectively restart 
the system to make that path take effect?  Closing all konsole sessions 
on this workspace and opening fresh konsole's is not bringing that path 
into effect.
  
Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



error in apt update

2020-08-04 Thread Marcelo Eduardo Giordano

When I run apt update it gives me this error

http://deb.debian.org/debian buster InRelease' changed its 'Version' 
value from '10.4' to '10.5'


These are my repositories; should I change them?


deb http://deb.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main 
contrib non-$

deb http://deb.debian.org/debian/ buster-updates main contrib non-free
deb https://www.deb-multimedia.org buster main non-free
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
deb http://security.debian.org/ buster/updates main contrib non-free

Many thanks



Re: Python 3 Segmentation Fault

2020-08-04 Thread Cindy Sue Causey
On 8/4/20, J.Arun Mani  wrote:
> Hello.
> I'm using Debian Testing (upgraded from Debian 10). Today I started Python
> 3, but it was not able to interpret any commands from stdin and resulted in
> Segmentation Fault. Luckily modules (python3 -m ) and files (python3
> ) works fine though.
>
> Observed:
> $ python3
> Python 3.8.3rc1 (default, Apr 30 2020, 07:33:30)
> [GCC 9.3.0] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> print
> 
> 
> Segmentation fault


Hi... A C(omputer)C(opy) was sent to that help@python address for
informational purposes. If it bounces, that's cool, but I'll be
checking that out, too. Appreciate the lead there. :)

So I get this while attempting your path above:

 BEGIN TEST +++
$ python3
Python 3.8.5 (default, Jul 20 2020, 18:32:44)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print

 END TEST 

Mine's Python 3.8.5 on Bullseye.. I STARTED TO ASK: Did you run
something similar to "apt-get update" before reinstalling?

But in addition to that: Did you also try
installing/reinstalling/upgrading Python3.8? It took a few seconds of
nosing around to figure out that's where *my* "Python 3.8.5" came from
(and NOT from e.g. Python3 nor Python):

 BEGIN APT-CACHE POLICY 
$ apt-cache policy python3.8
python3.8:
  Installed: 3.8.5-1
  Candidate: 3.8.5-1
  Version table:
 *** 3.8.5-1 500
500 http://deb.debian.org/debian bullseye/main amd64 Packages
100 /var/lib/dpkg/status
 END APT-CACHE POLICY 

N.B. as an aside: There's a Debian-Python list out there:

https://lists.debian.org/debian-python/

Debian-Python's description is:

"Discussion of issues related to Python on Debian systems with a
stress on packaging standards. Therefore relevant for maintainers of
Python related packages."

It's for Developer types who are either creating or maintaining
Debian's Python-based packages. They're VERY helpful when inquiries
contain all the pertinent details necessary to work through issues.

Cindy :)

PS #ThankYou! You just helped me a little, too. I'm messing around
with something that's having GTK issues... and there is... a list for
that, too! Score!

https://lists.debian.org/completeindex.html

-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with birdseed.. && yet another shiny new deboostrap... *



Re: Python 3 Segmentation Fault

2020-08-04 Thread Kushal Kumaran
"J.Arun Mani"  writes:

> Hello.
> I'm using Debian Testing (upgraded from Debian 10). Today I started
> Python 3, but it was not able to interpret any commands from stdin and
> resulted in Segmentation Fault. Luckily modules (python3 -m )
> and files (python3 ) works fine though.
>
> Observed:
> $ python3
> Python 3.8.3rc1 (default, Apr 30 2020, 07:33:30)

Where did you get this from?
https://tracker.debian.org/pkg/python3-defaults says testing has version
3.8.2-3.

The output of the command "apt policy python3" and looking at your
sources.list and /etc/apt/sources.list.d/* will help.

> [GCC 9.3.0] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> print
> 
> 
> Segmentation fault
>
> Screen capture that could help :
> https://www.dropbox.com/s/9w941t93ymem1x1/python3_issue-2020-08-04_19.38.28.mp4?dl=0
>
> Some additional info:
> 1. I tried running a file that takes input from user (using input
> function), it also didn't work. So I think something regarding
> standard input has broken.
> 2. Python 2 also has the exact, same issue. So both Pythons face the problem !
>
> I have IPython installed, which works fine without any issue.
> The very recent installations I made :
> Installed Emacs (~ 2 days ago)
> Installed and removed Neovim (~ 1 day ago)
>
> I tried reinstalling Python by : sudo apt reinstall python3
> But it didn't fix the issue.
>
> Though I hardly use live session of Python 3 (I use IPython for live
> sessions), having a broken Python 3 scares me. Any help regarding the
> issue is greatly appreciated. :)
>
> Thanks
> J Arun Mani



Re: Older versions of Debian

2020-08-04 Thread Roberto C . Sánchez
On Tue, Aug 04, 2020 at 04:58:16PM +0200, Rafael wrote:
> Good afternoon.
> 
> Could you tell me where to find the ISOs of Debian woody 3.2 on DVD
> for i386?
> 
> Thanks in advance.
> 
> 

From here you can download images of all the old versions of
Debian down to 3.0: https://cdimage.debian.org/mirror/cdimage/archive/

The only thing is that I don't see a version 3.2.  Are you perhaps looking
for 3.0r2 or 3.1r2?

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Andrei POPESCU
On Vi, 31 iul 20, 23:03:07, riveravaldez wrote:
> Is this possible?
> 
> Hi, to clarify: I would like to connect to a remote home-machine
> (dynamic IP) through SSH session but without using a third-party
> server (free or paid), just with software running in both machines.

If both ends are more or less "fixed"[1] and you have control over any 
NAT routers at both ends it should be possible to have each machine tell 
the other its public IP on every change.

This will fail if both ends get new IPs at the same time, which, 
depending on how the ISPs in question allocate IPs, could be rare enough 
to not matter in practice.

[1] it's not obvious if the client system is a laptop that might be used 
from various internet connections or a desktop system behind another 
fixed connection with a dynamic IP address.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Multiple keyboard layouts on the Linux console

2020-08-04 Thread Nicolas George
Hi.

Some time ago, I explained here how to use different keyboard layouts
with X11.

https://lists.debian.org/debian-user/2020/02/msg00755.html

Now I will explain how to do it with the Linux console. Unfortunately,
it also relies on a non-standard tool.

The use-case I will take as an example is this: imagine there is on your
desktop a keyboard with fancy extra keys, including a "power" key in the
corner; and that you have a cat.

(We could set "HandlePowerKey=ignore" in /etc/systemd/logind.conf, but
that would also prevent from using the button on the box itself. The cat
does not walk on this one.) (This is an example, what I explain can work
for other kinds of keyboards.)

First, a disappointment: the standard way of setting the keyboard layout
for the Linux console, loadkeys, is global. It cannot handle several
keyboards with different layouts.

Fortunately, there is another layer of conversion: before the console
converts key codes to characters or functions, the keyboard driver
converts device-dependant scan codes into device-independent key codes.
We can tweak that.

Unfortunately, it seems no tool exists to call the kernel interfaces
that allow to change the scan code to key code conversion. I have
written my own, see the bottom of this mail.

First, we need to find out which device corresponds to the keyboard;
worse: to the key, because some keyboards create several devices, with
some keys going to one and some other keys going to another.

So, try, with root privileges:

xxd /dev/input/eventX

for various values of X (you can use other dump tools than xxd of
course) and press the key. The correct device is the one that causes
data to appear each time the key is pressed. Let us say it is
/dev/input/event6.

Next, let us find the default layout:

sudo /usr/local/sbin/evdev_map -d /dev/input/event6 -p
...
  569 000c023b   0xf0 (UNKNOWN)
  570 000c023c   0xf0 (UNKNOWN)
  571 00010081   0x74 (POWER)
  572 00010082   0x8e (SLEEP)
  573 00010083   0x8f (WAKEUP)
...

The offending key seems to have scan code 00010081. Let us try to remap
it:

sudo /usr/local/sbin/evdev_map -d /dev/input/event6 -s 00010081=A

if pressing the key now produces a 'a', we have won. Otherwise, maybe
there is another scan code mapped to the same key code, keyboards often
declare way more scan codes than they have.

Now, we only need to automate it, using for example 0x0 to disable the
key ("0" would mean the char '0'). It is a job for udev:

SUBSYSTEM=="input", ACTION=="add|change", \
  ATTRS{name}=="USB-compliant keyboard System Control", \
  RUN+="/usr/local/sbin/evdev_map -d $devnode -s 00010081=0x0"

(I will not develop here how to use udevadm info -a -p
/sys/class/input/event6 to get the conditions that allow to identify
this keyboard over others.)

If the purpose is to change the layout in a significant way, it may be
more complex. For example, azerty's key [1] yields '&' unshifted and '1'
shifted. To handle that, you would have to find an unused key code, and
then use loadkeys table to map it.

Hope this helps somebody.

Regards,

-- 
  Nicolas George


8<8<8<8< evdev_map.c >8>8>8>8



/*
 * evdev_map -- manipulate evdev keycode tables
 *
 * Nicolas George, 2020-08-03
 * Public domain
 */

/*
   Building:

   First, generate the table of key names:

   gcc -E -dM -x c - <<<'#include <linux/input.h>' |
   perl -ne \
'if (/^\#define (KEY_(\w+))\s+\S+/) { print "  { $1, \"$2\" },\n" }' \
> /tmp/key_names.h

   Then:

   c99 -Wall -Wextra -D_XOPEN_SOURCE=600 -g -O2 -o evdev_map evdev_map.c

*/

/* The header names were lost from the archived copy of this mail; the set
   below covers the calls and types this file uses. */
#include <endian.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/input.h>

#if __BYTE_ORDER == __LITTLE_ENDIAN
# define REVERSE_SCANCODE 1
#endif

typedef struct Key_name {
    unsigned code;
    const char *name;
} Key_name;

static const Key_name key_names[] = {
#include "/tmp/key_names.h"
};

/* Render a scan code as hex digits, most significant byte first. */
static void
scancode_to_string(char *out, __u8 *code, int len)
{
#ifdef REVERSE_SCANCODE
    int ic = len - 1, id = -1;
#else
    int ic = 0, id = +1;
#endif
    while (len-- > 0) {
        snprintf(out, 3, "%02x", code[ic]);
        ic += id;
        out += 2;
    }
}

/* Abort unless a device has been opened. */
static void
check_device(int dev)
{
    if (dev < 0) {
        fprintf(stderr, "No device opened\n");
        exit(1);
    }
}

/* Look up the symbolic name of a key code; NULL if it has none. */
static const char *
get_key_by_code(unsigned code)
{
    size_t i;

    for (i = 0; i < sizeof(key_names) / sizeof(*key_names); i++)
        if (key_names[i].code == code)
            return key_names[i].name;
    return NULL;
}

/* Resolve a key given by name, or by number (decimal, octal or hex). */
static unsigned
get_key_by_name(const char *name)
{
    size_t i;
    unsigned code, off = 0;

    for (i = 0; i < sizeof(key_names) / sizeof(*key_names); i++)
        if (strcmp(key_names[i].name, name) == 0)
            return key_names[i].code;
    sscanf(name, "%i%n", &code, &off);
    if (off == 0 || name[off] != 0) {
        fprintf(stderr, "Unknown key: %s\n", name);
        exit(1);
    }
    return code;
}

static void
print_keymap(int dev)
{
    struct input_keymap_entry ke;
   

Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Andrei POPESCU
On Ma, 04 aug 20, 15:57:43, MAS Jean-Louis wrote:
> Le 01/08/2020 à 04:03, riveravaldez a écrit :
> > Is this possible?
> 
> > If there's any other simpler way (that doesn't imply the use of any
> > third party) please let me know, I could use anything that works.
> 
> IPv4 address are becoming rare, and expensive for ISP.
> IPv6 is free, and plenty
> 
> just ask for a public IPv6 address, if you don't already have one, and
> then just
> 
> ssh -6 your_computer_ipv6_address

That depends again on the ISP, my current one assigns new IPv6 prefixes 
(as well as IPv4 addresses) at every router restart.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread John Hasler
tomas writes:
> OTOH practice has shown: if you're doing sudo, you will have forgotten
> your root password anyway when you need it (I have, it's some horrible
> "pwgen -n 16" or something), and it' back to...

It should be written down somewhere secure.  Depending on your threat
model this can be on a note taped to the inside of the machine, in your
safe, or even in the notebook where you keep all your other passwords.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA



Re: Homebuilt NAS Advice

2020-08-04 Thread Andrei POPESCU
On Ma, 04 aug 20, 01:17:13, deloptes wrote:
> 
> I don't backup music and video - too big and not changing. The raid is 
> enough for that.

I'm guessing it depends on the music and videos.

If you made them yourself they are basically irreplaceable and RAID will 
replicate any bitrot to the other copy undetected.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Older versions of Debian

2020-08-04 Thread Rafael

Good afternoon.

Could you tell me where to find the ISOs of Debian woody 3.2 on
DVD for i386?


Thanks in advance.




Python 3 Segmentation Fault

2020-08-04 Thread J.Arun Mani
Hello.
I'm using Debian Testing (upgraded from Debian 10). Today I started Python 3, 
but it was not able to interpret any commands from stdin and resulted in 
Segmentation Fault. Luckily modules (python3 -m ) and files (python3 
) works fine though.

Observed:
$ python3
Python 3.8.3rc1 (default, Apr 30 2020, 07:33:30)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print


Segmentation fault

Screen capture that could help : 
https://www.dropbox.com/s/9w941t93ymem1x1/python3_issue-2020-08-04_19.38.28.mp4?dl=0

Some additional info:
1. I tried running a file that takes input from user (using input function), it 
also didn't work. So I think something regarding standard input has broken.
2. Python 2 also has the exact, same issue. So both Pythons face the problem !

I have IPython installed, which works fine without any issue.
The very recent installations I made :
Installed Emacs (~ 2 days ago)
Installed and removed Neovim (~ 1 day ago)

I tried reinstalling Python by : sudo apt reinstall python3
But it didn't fix the issue.

Though I hardly use live session of Python 3 (I use IPython for live sessions), 
having a broken Python 3 scares me. Any help regarding the issue is greatly 
appreciated. :)

Thanks
J Arun Mani

Upgraded stretch to buster, not booting

2020-08-04 Thread Joe


This is an Acer netbook, a year or two old, no legacy BIOS, bought with
Win10 installed. It has a hardwired SSD designated mmcblk0 and I
installed another SSD which is /dev/sda. Stretch installed with no
problem, and gives me a Windows entry in its menu. It's been OK for
about 18 months, so I thought I'd try the upgrade in partial
preparation for upgrading my Stretch server when I've worked up the
courage.

Read the docs, did some minor cleanup, did the partial upgrade, no
network, rebooted, OK. Did the full upgrade, all looked good, just the
minor issue that the machine won't boot now. I can get into Win10
through the BIOS menu OK.

On startup, it flashes a message for a few milliseconds, then restarts,
and does this indefinitely.

I eventually deciphered the message: 

System BootOrder not found. Initializing defaults
Creating entry with 

Reboot


 increments on every attempt.

I've burned a Buster Netinstall USB stick and got to the stage where it
opens a shell into the root partition. As far as I can see, the correct
files (grubx64.efi, shimx64.efi, grub.cfg), are in the correct place
(/boot/efi/EFI/debian/). The installer has chrooted into the SSD root,
so I tried all the usual grub rebuilding/reinstalling, no success. 

I'm guessing that the partition layout, created by the stretch
installer, of EFI stuff on sda3 and root on sda4 are unexpected, and
the boot code is looking in the wrong place for shimx64.efi. I recall
grub upgrades a few years ago that broke booting with a separate /boot
partition, because someone hadn't allowed for it, I wonder if something
similar is happening here. /boot/efi does exist under /, but it's just a
mount point for /dev/sda3. The Buster installer certainly knows that,
and mounts it correctly in the rescue mode. efibootmgr is active in
this chroot, and returns sensible results, so the problem ought to be
something fairly trivial.

It's only a workstation, so there's nothing irreplaceable on it, but
there is some stuff I'd like to keep. I've booted a Knoppix, and will
copy what I want off and I can install from scratch if necessary. But
I'd like to fix it if possible, and the Net really isn't being very
helpful. This would have been a two-minute job with lilo and tomsrtbt,
maybe half an hour with grub/grub2 and I've been hacking away at this
for half a day so far. I think it's called progress...

So, can anyone see at a glance what is wrong here? If not, where I
should be looking next? I've found suggestions to make a new custom
entry in the BIOS boot manager, but that doesn't seem to be an option
here.

OK, a bit further: if I use efibootmgr from the rescue chroot to set
the next boot to one of these new entries, the computer boots OK.

However, if I set the boot order to put one of these entries first, on
the next boot, we're back to the same problem. Something has overridden
my choice of boot order and put /dev/sda back as the first boot choice,
which doesn't work. I suspect it's because the BIOS boot order puts
this drive first. But it was always like that before the upgrade, and
it worked then.

-- 
Joe



Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Michael Stone

On Tue, Aug 04, 2020 at 04:09:30PM +0200, Marco Möller wrote:
> The idea of Tomas to look in /etc/sudoers.conf for something like
> 'requiretty' sounds promising. I will need a couple of days to read
> and learn about this and then testing it.


That won't work. Anything that's based on identifying a "safe" tty won't 
work on a modern system. (In the old days you could identify a trusted 
tty by tracing its physical attachment. So /etc/securetty made sense 
because it was those terminals whose serial cables terminated in secure 
areas or which were directly attached, like the linux text console. But 
once X came along people wanted to use virtual terminals--at which point 
the idea of a secure physically-connected terminal went right out the 
Xwindow.) To get similar functionality now, you'd need something that 
has a concept of what is a local login vs what is a remote login. You 
could experiment with using systemd/polkit to do this, for example. 
*BUT* this approach is more inherently fragile, and it would be really 
good to make sure you have an actual root password to facilitate recovery, 
as someone suggested earlier.
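
Added example, not part of the message above: what "a concept of what is a local login vs what is a remote login" looks like in the session properties that systemd-logind exposes through `loginctl show-session`. The sample outputs, the user name and the decision policy are assumptions constructed for illustration; the code only classifies a session and does not hook into sudo.

```python
"""Classify a login session as local or remote from systemd-logind properties."""
import subprocess
import sys

# Constructed samples of `loginctl show-session <id>` output (not captured from
# a real host). logind omits empty properties, so the SSH session has no Seat.
LOCAL_TTY = """\
Id=2
Name=user1
Remote=no
Service=login
Seat=seat0
TTY=tty2
Type=tty
Class=user
Active=yes
State=active
"""
SSH_SESSION = """\
Id=7
Name=user1
Remote=yes
RemoteHost=198.51.100.23
Service=sshd
TTY=pts/1
Type=tty
Class=user
Active=yes
State=active
"""
LOCAL_INACTIVE = LOCAL_TTY.replace("Active=yes", "Active=no").replace(
    "State=active", "State=online")


def parse_properties(text):
    """Parse the KEY=VALUE lines printed by `loginctl show-session`."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def classify(props):
    """Return (is_local, reason). Fails closed: missing data is never local."""
    remote = props.get("Remote")
    if remote is None:
        return False, "no Remote property (not a logind session?)"
    if remote == "yes":
        host = props.get("RemoteHost") or "unknown host"
        return False, "remote login from " + host
    if remote != "no":
        return False, "unexpected Remote value: " + remote
    if not props.get("Seat"):
        return False, "session is not attached to a seat"
    if props.get("Class") != "user":
        return False, "session class is not 'user'"
    if props.get("Active") != "yes":
        return False, "session is not the active one on its seat"
    return True, "local, active session on " + props["Seat"]


def read_session(session_id):
    """Query logind for one session (needs systemd; not used by the samples)."""
    out = subprocess.run(["loginctl", "show-session", session_id],
                         capture_output=True, text=True, check=True).stdout
    return parse_properties(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass a session id, e.g. the value of $XDG_SESSION_ID.
        print(classify(read_session(sys.argv[1])))
    else:
        for name, sample in (("local tty", LOCAL_TTY), ("ssh", SSH_SESSION),
                             ("local, switched away", LOCAL_INACTIVE)):
            print(name, "->", classify(parse_properties(sample)))
```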




Re: Homebuilt NAS Advice

2020-08-04 Thread Stefan Monnier
> "To actually perform the repository-wide deduplication, a hash of each
> chunk is checked against the chunks cache, which is a hash-table of all
> chunks that already exist."
>
> https://borgbackup.readthedocs.io/en/stable/internals.html

Same approach as used in `bup` (which all come from `rsync`, IIUC).


Stefan



Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Michael Stone

On Tue, Aug 04, 2020 at 03:57:43PM +0200, MAS Jean-Louis wrote:

> IPv4 address are becoming rare, and expensive for ISP.
> IPv6 is free, and plenty

Maybe where you are, definitely not where I am.

> just ask for a public IPv6 address


My ISP is 10 years into a 2 year plan to make them available. Probably 
not a useful way forward for a timely solution.


That said, if you do have IPv6 it's obviously a good solution. It's also 
possible to get an IPv6 tunnel, but since the original request was for 
no third party server involvement that seems like a non-starter.




Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Marco Möller

On 04.08.20 15:50, Henning Follmann wrote:

> On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote:
> > On 04.08.20 10:59, to...@tuxteam.de wrote:
> > > On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> > > > Is it possible (how?) to restrict a user to only be allowed to make
> > > > use of its sudo usage permission if working at the physical console,
> > >
> > > See pam_securetty(8) for that. Sorry I can't give you some step-by-step
> > > account.
> > >
> > > > not granting to this user sudo permission when i.e. logged in via
> > > > ssh?
> > >
> > > Now you have to decide: You want to *only allow root login on console*
> > > or to *disallow root login for ssh*?
> > >
> > > For the first, PAM is the right tool. The second should be default on
> > > most modern Linux distros (yell at them if it ain't ;-) and is governed
> > > by the sshd configuration, typically in /etc/ssh/sshd_config and
> > > documented in sshd_config(5).
> > >
> > > Cheers
> > >    - t
> >
> > Sorry, I will not have been clear enough, or did not understand your answer
> > clearly, ssh and pam are both new to me, and I also never configured sudo
> > myself.
> > As my root account is disabled, I do all administration as the "normal" user
> > with the help of sudo for running administrative commands. The user "root"
> > shall not login nowhere, not at the physical console and not by ssh, never.
> > Only the "normal" user should be allowed to log in to the system. The
> > "normal" user then of course needs to keep the right to use "sudo" if
> > working at the physical console (being logged in at a console (CTRL+ALT+F2),
> > or logged in via sddm or gdm, or having opened a terminal within the X11 or
> > Wayland session, etc.), but for security the access for this "normal" user
> > to "sudo" privileges shall not be granted if this user would work at the
> > system from remote, for instance logged in via ssh.
> > I could imagine that it is possible to kind of generally block all sudo (and
> > also su) functionality in the system for everybody as soon as any remote
> > (incoming) login to ssh is detected, and automatically allowing sudo
> > functionality again if no more incoming ssh to the computer exists:
> > if remote (incoming) connection established, then disable sudo and su
> > if no remote (incoming) connection established, then switch on sudo and su
> > If such security mechanism could be done in a reliable way to only effect
> > the incoming connection, while a parallel local (physically sitting at the
> > computer) user could continue to work with sudo, then this would be fine,
> > but assuming that this might be much more difficult to configure, especially
> > if remote login and physical login could be the same user (same user ID), I
> > am open to the drastic but simple version as described above.
>
> Have you considered to have one account allowed to ssh in and
> one account allowed to sudo?
>
> You say you are the only user. That seems like a simple
> solution.
>
> -H



Yes, I understand that this could ease configuration, but my thoughts 
are going towards a setup in which I access my computer from remote in 
order to enjoy the Graphical Desktop System and all software being 
nicely configured already, the home directory has my data available for 
me, etc. To this end I thought to maybe tunnel X11 through ssh, or using 
X2Go, or something alike. I am not sure about all this by now, I am 
still collecting information about the security part of all this.
The idea of Tomas to look in /etc/sudoers.conf for something like 
'requiretty' sounds promising. I will need a couple of days to read and 
learn about this and then testing it.

Marco



Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Celejar
On Mon, 3 Aug 2020 22:52:58 -0500
David Wright  wrote:

> On Mon 03 Aug 2020 at 22:15:25 (-0400), Stefan Monnier wrote:
> > > How do you keep this set of dynamic DNS providers informed each time
> > > your home's IP address changes, bearing in mind nobody's at home?
> > 
> > It's called a "dynamic DNS (DDNS) client" and runs on your router (it sends
> > the new IP to the DDNS server whenever your router gets one).
> > 
> > Most home routers come with built-in support for some DDNS protocols.
> > Of course, I recommend upgrading your router to a firmware like OpenWRT
> > if at all possible, and not just so you get a large choice of
> > DDNS clients.
> 
> I see. Not being familiar with the service, should I understand that
> I could get one such address from no-ip.com for free? DynDNS costs.

Yes, and there are many other free ddns services available. I personally use
afraid.org and nsupdate.info.

Celejar



Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread MAS Jean-Louis
Le 01/08/2020 à 04:03, riveravaldez a écrit :
> Is this possible?

> If there's any other simpler way (that doesn't imply the use of any
> third party) please let me know, I could use anything that works.

IPv4 address are becoming rare, and expensive for ISP.
IPv6 is free, and plenty

just ask for a public IPv6 address, if you don't already have one, and
then just

ssh -6 your_computer_ipv6_address

Regards

-- 
Jean Louis Mas





Re: Homebuilt NAS Advice

2020-08-04 Thread Celejar
On Tue, 4 Aug 2020 10:26:32 +0100
Jonathan Dowland  wrote:

> On Tue, Aug 04, 2020 at 01:32:24AM -0700, David Christensen wrote:
> >jdupes looks interesting, and should work on any file system that 
> >supports hard links.  I expect BorgBackup either calls jdupes or 
> >implements similar functionality:
> >
> >https://linuxcommandlibrary.com/man/jdupes.html
> 
> I'm fairly sure Borg stores files by a hash of their contents and
> maintains a separate index of names→hashes for each generation.

Indeed:

"To actually perform the repository-wide deduplication, a hash of each
chunk is checked against the chunks cache, which is a hash-table of all
chunks that already exist."

https://borgbackup.readthedocs.io/en/stable/internals.html

Celejar
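
Added example, not Borg's code and not from the thread: a toy chunk store showing the quoted "hash of each chunk is checked against the chunks cache" lookup together with a per-generation index of names to hashes. Fixed-size chunks, SHA-256 chunk ids and the file names are assumptions made for illustration. It also re-hashes every chunk on restore, which is the check that catches the silent bitrot Andrei POPESCU's message says RAID will replicate undetected.

```python
"""Toy content-addressed chunk store: deduplication plus verify-on-restore."""
import hashlib

CHUNK_SIZE = 4096  # assumption: fixed-size chunks keep the example short


class IntegrityError(Exception):
    """A stored chunk no longer matches the hash it is filed under."""


class ChunkStore:
    def __init__(self, chunk_size=CHUNK_SIZE):
        self.chunk_size = chunk_size
        self.chunks = {}     # chunk id (SHA-256 hex) -> bytes: the chunks cache
        self.archives = {}   # generation name -> {file name: [chunk ids]}
        self.bytes_seen = 0  # logical bytes handed to backup()

    def _put_chunk(self, data):
        cid = hashlib.sha256(data).hexdigest()
        if cid not in self.chunks:  # hash-table lookup: store only new chunks
            self.chunks[cid] = data
        return cid

    def backup(self, generation, files):
        """Record one generation; files maps file name -> content bytes."""
        index = {}
        for name, content in files.items():
            self.bytes_seen += len(content)
            index[name] = [
                self._put_chunk(content[i:i + self.chunk_size])
                for i in range(0, len(content), self.chunk_size)
            ]
        self.archives[generation] = index

    def stored_bytes(self):
        return sum(len(data) for data in self.chunks.values())

    def restore(self, generation, name):
        """Reassemble a file, re-hashing each chunk before trusting it."""
        out = bytearray()
        for cid in self.archives[generation][name]:
            data = self.chunks[cid]
            if hashlib.sha256(data).hexdigest() != cid:
                raise IntegrityError("chunk %s... is corrupt" % cid[:12])
            out += data
        return bytes(out)


def demo():
    # Constructed file contents: four distinct 4 KiB chunks.
    a, b, b2, c = (bytes([n]) * CHUNK_SIZE for n in (1, 2, 3, 4))
    store = ChunkStore()
    # Generation 1 holds the same file twice; generation 2 changes one chunk.
    store.backup("gen1", {"music/a.flac": a + b + c, "copy/a.flac": a + b + c})
    store.backup("gen2", {"music/a.flac": a + b2 + c})
    result = {
        "logical_bytes": store.bytes_seen,
        "stored_bytes": store.stored_bytes(),
        "restored_ok": (store.restore("gen1", "copy/a.flac") == a + b + c
                        and store.restore("gen2", "music/a.flac") == a + b2 + c),
    }
    # Simulate bitrot: flip one bit in a stored chunk behind the store's back.
    victim = store.archives["gen1"]["music/a.flac"][1]
    rotten = bytearray(store.chunks[victim])
    rotten[0] ^= 0x01
    store.chunks[victim] = bytes(rotten)
    try:
        store.restore("gen1", "music/a.flac")
        result["bitrot_detected"] = False
    except IntegrityError:
        result["bitrot_detected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```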



Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Henning Follmann
On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote:
> On 04.08.20 10:59, to...@tuxteam.de wrote:
> > On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> > > Is it possible (how?) to restrict a user to only be allowed to make
> > > use of its sudo usage permission if working at the physical console,
> > 
> > See pam_securetty(8) for that. Sorry I can't give you some step-by-step
> > account.
> > 
> > > not granting to this user sudo permission when i.e. logged in via
> > > ssh?
> > 
> > Now you have to decide: You want to *only allow root login on console*
> > or to *disallow root login for ssh*?
> > 
> > For the first, PAM is the right tool. The second should be default on
> > most modern Linux distros (yell at them if it ain't ;-) and is governed
> > by the sshd configuration, typically in /etc/ssh/sshd_config and
> > documented in sshd_config(5).
> > 
> > Cheers
> >   - t
> > 
> 
> Sorry, I will not have been clear enough, or did not understand your answer
> clearly, ssh and pam are both new to me, and I also never configured sudo
> myself.
> As my root account is disabled, I do all administration as the "normal" user
> with the help of sudo for running administrative commands. The user "root"
> shall not login nowhere, not at the physical console and not by ssh, never.
> Only the "normal" user should be allowed to log in to the system. The
> "normal" user then of course needs to keep the right to use "sudo" if
> working at the physical console (being logged in at a console (CTRL+ALT+F2),
> or logged in via sddm or gdm, or having opened a terminal within the X11 or
> Wayland session, etc.), but for security the access for this "normal" user
> to "sudo" privileges shall not be granted if this user would work at the
> system from remote, for instance logged in via ssh.
> I could imagine that it is possible to kind of generally block all sudo (and
> also su) functionality in the system for everybody as soon as any remote
> (incoming) login to ssh is detected, and automatically allowing sudo
> functionality again if no more incoming ssh to the computer exists:
> if remote (incoming) connection established, then disable sudo and su
> if no remote (incoming) connection established, then switch on sudo and su
> If such security mechanism could be done in a reliable way to only effect
> the incoming connection, while a parallel local (physically sitting at the
> computer) user could continue to work with sudo, then this would be fine,
> but assuming that this might be much more difficult to configure, especially
> if remote login and physical login could be the same user (same user ID), I
> am open to the drastic but simple version as described above.
>

Have you considered to have one account allowed to ssh in and
one account allowed to sudo?

You say you are the only user. That seems like a simple
solution.


-H



-- 
Henning Follmann   | hfollm...@itcfollmann.com



Problems booting Debian (was: Richiesta Contatto)

2020-08-04 Thread Camaleón
On 2020-08-04 at 10:52 +, Carlos salido arjona wrote:

> Good morning Richiesta, since updating to Debian 10.5 I cannot
> boot the system; GRUB does not start.

Are you replying with a question to a spam message? :-)

If you are having trouble starting Debian, tell us exactly how far you 
get. And if you reach the GRUB menu, try selecting the advanced 
"recovery mode" option to see whether the system boots.

Regards,

-- 
Camaleón 



Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Celejar
On Tue, 4 Aug 2020 07:49:10 -0400
Greg Wooledge  wrote:

> Some of you are assuming that the local router offers an API whereby
> clients inside the LAN can determine what the local router's external
> IP address is, without going outside the LAN.  That may or may not be
> a thing.  I have no idea.  Good luck with that.

Obviously depends on what the router is. For OpenWrt:

https://forum.openwrt.org/t/how-to-get-current-public-ip-address-using-uci/40870/25

Celejar



Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread tomas
On Tue, Aug 04, 2020 at 07:39:53AM -0400, Greg Wooledge wrote:
> On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote:
> > As my root account is disabled, I do all administration as the "normal" user
> > with the help of sudo for running administrative commands. The user "root"
> > shall not login nowhere, not at the physical console and not by ssh, never.
> 
> Remember that this also means you can never boot in single-user ("rescue")
> mode.

Right. As someone who actually likes and uses sudo (not everyone does,
and there are good reasons to dislike it), this was one of my main
critiques of that "root-less" scheme. Sitting in front of a console
telling you that / is mounted ro and to enter your root password when
you haven't one can be... frustrating :-)

OTOH practice has shown: if you're doing sudo, you will have forgotten
your root password anyway when you need it (I have, it's some horrible
"pwgen -n 16" or something), and it's back to...

> If you ever need to boot in quasi-rescue mode, you'll have to
> go down even lower and override the init= kernel parameter.

... or to some rescue image.

Cheers
 - t




Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Michael Stone

On Mon, Aug 03, 2020 at 10:52:58PM -0500, David Wright wrote:

> My main router doesn't have the facility to run that client. My
> cascaded router does (to just those two services), but that one
> has a broken WAN port (hence its rôle). So I presume I'd be expected
> to run No-IP's own software on my home PC.


or just use a generic client written in perl or python. some people 
really seem to be looking for ways to complicate this.




Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Michael Stone

On Mon, Aug 03, 2020 at 09:05:57PM -0500, David Wright wrote:

> How do you keep this set of dynamic DNS providers informed each time
> your home's IP address changes, bearing in mind nobody's at home?


A program runs on the local machine which updates the dynamic DNS 
entries, either periodically or tied to DHCP/PPP. This was a solved 
problem 20+ years ago.




Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Marco Möller

On 04.08.20 13:39, Greg Wooledge wrote:

> On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote:
> > As my root account is disabled, I do all administration as the "normal" user
> > with the help of sudo for running administrative commands. The user "root"
> > shall not login nowhere, not at the physical console and not by ssh, never.
>
> Remember that this also means you can never boot in single-user ("rescue")
> mode.  If you ever need to boot in quasi-rescue mode, you'll have to
> go down even lower and override the init= kernel parameter.
>
> If you don't know what that means, you should NOT be doing this.



Thanks for this warning, especially as this is a public mailing list and 
others might find this thread.
Fortunately I know already how to help me with the proper init=... boot 
parameter, which reminds me that I should check if this important detail 
is also mentioned in the Debian installation documentation or could be 
added there. I am afraid I have had to look it up elsewhere in the 
internet, when I needed it in the past, but am not sure about this 
detail anymore.




Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread Greg Wooledge
On Mon, Aug 03, 2020 at 02:38:13PM -0600, Charles Curley wrote:
> On Mon, 3 Aug 2020 15:18:46 -0400
> Greg Wooledge  wrote:
> 
> > On Mon, Aug 03, 2020 at 02:15:17PM -0500, David Wright wrote:
> > > The home PC that I'd be trying to contact has a 192.168.n.n IP
> > > address given to it by my primary router. But the router's external
> > > address is obtained by its DHCP client talking to my ISP's DHCP
> > > server.  
> > 
> > In a case like that, just contact an external web site that tells you
> > what your externally visible IP address is.  There are many of them.
> > Mine is .
> > 
> 
> Ah, now you are back to using an external server, which the OP would
> like to avoid.

The only way you can do this without ANY external help is if one of the
two endpoints has a static IP address.  Then you can have the dynamic
one contact the static one by its static IP address.

If both ends are dynamic, there MUST be some third party help.  This
may involve dynamic DNS, or email, or web sites, or Dropbox, or whatever
you can dream up.

Now, in addition to that, my suggestion was simply a response to a
tangential exploration of how the dynamic client can DETERMINE what its
IP address is, so that it can inform the other endpoint.  If the client
is behind a local DHCP server, it won't know what the router's external
IP address is.  How could it?  That information is never given to the
client by the DHCP server.

So the client needs SOME way to determine what information to send to
the other endpoint.  Using one of the several dozen (hundred?) "what
is my IP address" web sites is one such way.

Another way would be for the client to send a generic message to the
static machine, and then have the static machine determine what IP
address the message came from.  Doing that is viable if there is a
direct communication between the two.  If the communication goes
through a third party helper (e.g. email), it may still be possible
to parse the client's original IP address out of the Received: headers
(or analogous tracking information if you're using something other
than email).  Or it may be impossible, if the third party helper does
not reveal such information.

Some of you are assuming that the local router offers an API whereby
clients inside the LAN can determine what the local router's external
IP address is, without going outside the LAN.  That may or may not be
a thing.  I have no idea.  Good luck with that.



Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Greg Wooledge
On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote:
> As my root account is disabled, I do all administration as the "normal" user
> with the help of sudo for running administrative commands. The user "root"
> shall not login nowhere, not at the physical console and not by ssh, never.

Remember that this also means you can never boot in single-user ("rescue")
mode.  If you ever need to boot in quasi-rescue mode, you'll have to
go down even lower and override the init= kernel parameter.

If you don't know what that means, you should NOT be doing this.



Re: Richiesta Contatto

2020-08-04 Thread Carlos salido arjona
Good morning Richiesta, since updating to Debian 10.5 I cannot
boot the system; GRUB does not start.


Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread tomas
On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote:
> On 04.08.20 10:59, to...@tuxteam.de wrote:

[pam sshd]

> Sorry, I will not have been clear enough, or did not understand your
> answer clearly, ssh and pam are both new to me, and I also never
> configured sudo myself.

Ah, got it. Then sudo is your first stop :-)

It's configured via /etc/sudoers.conf (there is a special command
to edit that file). Proceed with care, since botching it might
make it more difficult to access your box :-)

Not all is lost, however, if something goes awry.

The relevant documentation is in sudoers(5). I think you are
looking for 'requiretty', there, although I'm not sure whether
that will be as restrictive as you envision. Perhaps you need
to tweak your PAM setup for that as well.

Sorry for just providing generic pointers. I'd have to experiment
around to be more concrete, but I currently try to avoid rabbit
holes...

Cheers
 - t




Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Marco Möller

On 04.08.20 10:59, to...@tuxteam.de wrote:

> On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> > Is it possible (how?) to restrict a user to only be allowed to make
> > use of its sudo usage permission if working at the physical console,
>
> See pam_securetty(8) for that. Sorry I can't give you some step-by-step
> account.
>
> > not granting to this user sudo permission when i.e. logged in via
> > ssh?
>
> Now you have to decide: You want to *only allow root login on console*
> or to *disallow root login for ssh*?
>
> For the first, PAM is the right tool. The second should be default on
> most modern Linux distros (yell at them if it ain't ;-) and is governed
> by the sshd configuration, typically in /etc/ssh/sshd_config and
> documented in sshd_config(5).
>
> Cheers
>   - t



Sorry, I will not have been clear enough, or did not understand your 
answer clearly, ssh and pam are both new to me, and I also never 
configured sudo myself.
As my root account is disabled, I do all administration as the "normal" 
user with the help of sudo for running administrative commands. The user 
"root" shall not login nowhere, not at the physical console and not by 
ssh, never. Only the "normal" user should be allowed to log in to the 
system. The "normal" user then of course needs to keep the right to use 
"sudo" if working at the physical console (being logged in at a console 
(CTRL+ALT+F2), or logged in via sddm or gdm, or having opened a terminal 
within the X11 or Wayland session, etc.), but for security the access 
for this "normal" user to "sudo" privileges shall not be granted if this 
user would work at the system from remote, for instance logged in via ssh.
I could imagine that it is possible to kind of generally block all sudo 
(and also su) functionality in the system for everybody as soon as any 
remote (incoming) login to ssh is detected, and automatically allowing 
sudo functionality again if no more incoming ssh to the computer exists:

if remote (incoming) connection established, then disable sudo and su
if no remote (incoming) connection established, then switch on sudo and su
If such security mechanism could be done in a reliable way to only 
effect the incoming connection, while a parallel local (physically 
sitting at the computer) user could continue to work with sudo, then 
this would be fine, but assuming that this might be much more difficult 
to configure, especially if remote login and physical login could be the 
same user (same user ID), I am open to the drastic but simple version as 
described above.




Re: Homebuilt NAS Advice

2020-08-04 Thread Jonathan Dowland

On Tue, Aug 04, 2020 at 01:32:24AM -0700, David Christensen wrote:
> jdupes looks interesting, and should work on any file system that
> supports hard links.  I expect BorgBackup either calls jdupes or
> implements similar functionality:
>
> https://linuxcommandlibrary.com/man/jdupes.html


I'm fairly sure Borg stores files by a hash of their contents and
maintains a separate index of names→hashes for each generation.

Thanks for mentioning jdupes, I have a problem it might help me solve
for which fdupes is not up to the task.


--
Please do not CC me, I am subscribed to the list.

  Jonathan Dowland
✎j...@debian.org
   https://jmtd.net



Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Marco Möller

On 04.08.20 10:38, Keith bainbridge wrote:

> On 4/8/20 5:47 pm, Marco Möller wrote:
> > I have the root account already deactivated, and am using in principle
> > only one main user who also has the sudo permissions for being able to
> > do all the system administration, exactly as Debian was setting this
> > up automatically during the system installation.
>
> M    I have ALWAYS been asked for a root password at debian
> installation. Is this behaviour new in the last 3-4 weeks?
>
> The installer activates sudo only if you left root password blank - your
> choice; not default.




I left the root password blank, in order to not have the root account 
activated and to receive the sudo configuration automatically for my 
one, main, "normal" user. Maybe not default, but done following the 
official documentation offering this option for consideration (I do not 
have the exact reference available right now, but I am sure to have 
followed and received knowledge about this option from documentation 
published on the Debian site, most likely even from the installation 
manual itself).






Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread tomas
On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> Is it possible (how?) to restrict a user to only be allowed to make
> use of its sudo usage permission if working at the physical console,

See pam_securetty(8) for that. Sorry I can't give you some step-by-step
account.

> not granting to this user sudo permission when i.e. logged in via
> ssh?

Now you have to decide: You want to *only allow root login on console*
or to *disallow root login for ssh*?

For the first, PAM is the right tool. The second should be default on
most modern Linux distros (yell at them if it ain't ;-) and is governed
by the sshd configuration, typically in /etc/ssh/sshd_config and
documented in sshd_config(5).

Cheers
 - t




Re: [OT] sudo: restrict to physical console only?

2020-08-04 Thread Keith bainbridge

On 4/8/20 5:47 pm, Marco Möller wrote:
> I have the root account already deactivated, and am using in principle
> only one main user who also has the sudo permissions for being able to
> do all the system administration, exactly as Debian was setting this up
> automatically during the system installation.



MI have ALWAYS been asked for a root password at debian 
installation. Is this behaviour new in the last 3-4 weeks?


The installer activates sudo only if you left root password blank - your 
choice; not default.


--

Keith Bainbridge

keithr...@gmail.com

0447 667468



Re: [OT] Remote SSH (dynamic IP) without third-party server

2020-08-04 Thread David Christensen

On 2020-08-03 16:52, Nate Bargmann wrote:

> Let's say machine 1 always gets 192.168.1.1 and machine 2 gets
> 192.168.1.2 from the router's DHCP server.  To SSH into each from the
> public Internet set up port forwarding on the router.  OpenWRT also
> allows port translation and some off the shelf routers do not.  As I use
> OpenWRT, all of the machines on my LAN listen on port 22 for SSH.  Then
> I set up the port forwarding table similar to:
>
> Incoming port   Machine       Port
> 10022           192.168.1.1   22
> 20022           192.168.1.2   22


On 2020-08-03 19:18, Stefan Monnier wrote:
> I personally like using port 22nnn for the SSH port of host 192.168.1.nnn


I have done similar port forwarding tricks in the past.  If/ when I have 
the need again, I will probably do SSH jump hosts:


https://en.wikibooks.org/wiki/OpenSSH%2FCookbook%2FProxies_and_Jump_Hosts


David



[Sid] gvfs & nfs shares icons on desktop

2020-08-04 Thread Grzesiek Sójka

Hi there,

I'm using a laptop with Xfce and the following in the /etc/fstab:

server:/mnt/ex /mnt/ex nfs vers=3,defaults,noauto,users 0 0

Recently I installed gvfs.

Before gvfs installation:
I had nfs icon on the desktop, so I could easily mount/unmount nfs (by 
right click). Since this is mobile device nfs needs to be mounted on demand.


After gvfs installation:
The nfs share icon disappeared from the desktop. So I need to mount by a 
terminal command.


Is there a way to have gvfs and have icons of nfs shares (defined in 
/etc/fstab) on the desktop?




Re: Re: Re: [OT] De-GAFAMizing the internet

2020-08-04 Thread Bureau LxVx
Hello everyone,

On 03/08/2020 at 23:36, k6dedi...@free.fr wrote:
> Hello,
> Well done on this article.
>
> There are also initiatives other than those cited in this list:
> https://degooglisons-internet.org/fr/
> This initiative offers around thirty services for staying in control of
> your personal data;
> There are also the search engines Qwant
NO, Qwant is "no longer" the honest engine it claimed to be (many
articles on this in recent months):
https://www.lalettrea.fr/entreprises_conseil-et-services/2020/07/20/datas-proces-et-paradis-fiscaux--le-delicat-droit-d-inventaire-de-qwant,109245405-ge0

> *Qwant depends heavily on Microsoft Bing*
>
> One of the biggest problems to point out in the company's internal
> approach is its heavy dependence on Microsoft. Yes, the company does
> not have sufficient resources, or has none at all, to build its own
> index for ranking web search results. When it was created in 2013,
> the company kept repeating that it used its own ranking algorithm,
> but its first users noticed that it was not new at all. Indeed, they
> pointed out a remarkable similarity in the display and ranking of
> search results between the French search engine and Microsoft's Bing
> search engine. Why does Qwant use American technologies and then try
> to compete with them?
https://www.developpez.com/actu/268567/Qwant-enquete-sur-les-deboires-du-Google-francais-hauts-salaires-deficit-subventions-utilisation-de-Bing-et-Bing-Ads/

Fortunately we still have Startpage, duckduckgo, searx and, for the
environmentally minded, Ecosia and Lilo

See you,

Sylvie
> and Duckduckgo
>
> We can start acting without waiting for the State to react.
> Cassis
>
>
> - Original mail -
> From: ajh-valmer 
> To: debian-user-french@lists.debian.org
> Sent: Mon, 03 Aug 2020 17:16:02 +0200 (CEST)
> Subject: Re: [OT] De-GAFAMizing the internet
>
> Hello,
>
> A film on this subject is about to be released in many cinemas:
>
> "Effacer l'historique".
>
> by the director Gustave Kervern,
> with good, well-known actors.
>
> A group of people decide to go to war
> against the internet giants...
>
> Release date: 27 August.
>
>



Re: Homebuilt NAS Advice

2020-08-04 Thread David Christensen

On 2020-08-03 16:17, deloptes wrote:
> any thoughts on using deduplication? For example I started using borg some
> time ago. It saves a lot of space and makes it possible to have multiple
> backups and longer retention.


ZFS supports de-duplication, but the documents warn about enabling it. 
So, of course I enabled de-duplication on my ZFS SOHO file server. ;-)



Everything was groovy when utilization was ~30%, but performance for 
bulk writes degraded precipitously as the pool filled.  This includes 
backup replication jobs.  I am fairly certain de-duplication is a major 
contributing factor.  The only way to test this hypothesis is to create 
a fresh pool using similar hardware, replicate the data without 
de-duplication, and benchmark.



jdupes looks interesting, and should work on any file system that 
supports hard links.  I expect BorgBackup either calls jdupes or 
implements similar functionality:


https://linuxcommandlibrary.com/man/jdupes.html


David



Re: Systemd leaves uninterruptible processes

2020-08-04 Thread Andrei POPESCU
On Du, 02 aug 20, 21:37:34, Mart van de Wege wrote:
> 
> I traced it down to user-runtime-dir@UID.service crashing on cleaning
> up a /run/user/UID directory. I gave relevant information, and Andrei
> is asking if I have LibreOffice installed, and points me to ESR's FAQ.
> 
> I'm very sorry, but that feels extremely condescending. I'm *not* some
> newbie just in from Ubuntu. When I provide information, I expect to be
> queried on relevant points.

I'm sorry you took offence at my recommending that you read How to Ask 
Questions The Smart Way. It was certainly not my intention to offend.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




[OT] sudo: restrict to physical console only?

2020-08-04 Thread Marco Möller
Is it possible (how?) to restrict a user to only be allowed to make use 
of its sudo usage permission if working at the physical console, not 
granting to this user sudo permission when i.e. logged in via ssh? To 
keep it simple, I could imagine even having all sudo for all users 
deactivated automatically as soon as a remote connection by ANY user is 
detected.
The idea behind this: I have the root account already deactivated, and 
am using in principle only one main user who also has the sudo 
permissions for being able to do all the system administration, exactly 
as Debian was setting this up automatically during the system 
installation. If I now give this main user ssh access to the system, then I 
would like to ensure that some security is in place, at least concerning 
such simple restrictions like not offering sudo. Coming physically back 
to the system, it could then be checked in the log files whether meanwhile 
unwanted ssh login or activity took place, because I assume that at least 
the log files cannot have been manipulated.




Re: VMs on external storage CPU overloading

2020-08-04 Thread john doe

On 8/3/2020 11:00 PM, Michael Stone wrote:
> On Mon, Aug 03, 2020 at 10:21:01PM +0200, john doe wrote:
>> I'm settling on buying (1), Google says that it is UASP compatible.
>
> Is there some reason you're set on buying a thumb drive form factor?



Mainly the form factor and the ease of use.


I guess you are hinting at something like (1,2) (Sata3 SSD 2.5 along
with a usb 3.0 to sata3 adapter (UASP compatible))?


This approach would be more flexible as I could change only the drive
without having to buy a new thumb drive if my capacity requirements are
increasing.
Looking more into this, in my case this could also have the benefit of
being able to share that drive across those single boards by using a usb
3.0 hub (UASP compatible).

It is worth looking at, thank you.


1)
https://www.amazon.com/StarTech-com-10Gbps-Adapter-Cable-Drives/dp/B00XLAZODE/ref=sr_1_4?dchild=1=uasp=1596522233=computers-intl-ship=1-4
2)
https://www.amazon.com/Kingston-120GB-Solid-SA400S37-120G/dp/B01N6JQS8C/ref=sr_1_1?dchild=1=ssd+128=1596522367=electronics=1-1


--
John Doe