| === Guest83192 is now known as nandemonai | ||
| === erichammond1 is now known as erichammond | ||
| === erichammond1 is now known as erichammond | ||
| johna | can somebody give me some idea why Ubuntu uses ufw rather than iptables? | 01:00 |
|---|---|---|
| jmarsden | johna: It uses both, ufw is a simpler front end for iptables. | 01:07 |
| johna | jmarden: simpler? | 01:09 |
| johna | that should have been jmarsden, sorry | 01:09 |
| johna | where does ubuntu hide the iptables config and input? | 01:10 |
| jmarsden | /etc/ufw is one place where you will see some of it. | 01:11 |
| jmarsden | If you don't want to use ufw, no one forces you to do so. You can use naked iptables on Ubuntu just fine. | 01:12 |
| jmarsden | You'll lose some of the integration of packages that automatically configure ufw, etc. but it can be done. | 01:13 |
| johna | jmarsden: I am switching from CentOS. I cannot see an advantage to ufw as it seems to make simple things very complicated. what would I be losing if I dropped it? | 01:15 |
| jmarsden | How complicated is `ufw allow 22/tcp` ? | 01:15 |
| jmarsden | Seems pretty simple to me :) | 01:15 |
| jmarsden | Some packages can automatically configure ufw to allow access to their daemons etc... | 01:16 |
| jmarsden | You will lose that if you manually set up iptables. | 01:16 |
| jmarsden | It is usually better to learn the new way when you enter a new world... but it is your choice. | 01:16 |
| johna | i took a look at the ufw config files and there seem to be chains all over the place, I would think that would make debugging more time consuming? | 01:17 |
| jmarsden | johna: For normal use, debug at the ufw level. Why are you trying to dive in so deep? What weird tricky things that ufw cannot do are you needing to accomplish? | 01:17 |
| johna | jmarsden: dovecot has all 4 ports open, I restrict to imaps. Plus I like to know what's going on on the systems I administer | 01:21 |
| monokrome | Does anyone in here use Ubuntu Server? | 01:33 |
| monokrome | Ha. I meant, "Does anyone in here use CloudInit?" | 01:33 |
| monokrome | I am trying to generate multi-part MIME for its user data, but it's not working. | 01:34 |
| jdstrand | johna: I suggest you read 'man ufw' and 'man ufw-framework' | 01:42 |
| jdstrand | johna: if you choose not to use it either leave it disabled or uninstall it | 01:43 |
| JRWR | Ubuntu 10.04 - Dovecot/Postfix SMTPd Issue - Auth - Getting this error message when someone tries to auth to the smtp server to send an email: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism | 01:57 |
| patdk-lap | well, fix it :) | 01:58 |
| patdk-lap | you obviously didn't store your passwords in plaintext | 01:58 |
| JRWR | no, my dovecot passwd is all in cram-md5 | 01:59 |
| JRWR | and imap logins work | 01:59 |
| patdk-lap | hmm? | 01:59 |
| JRWR | here is my dovecot.conf : http://pastebin.com/wWbhXaM2 postfix master.cf http://pastebin.com/kvm7Jx2m | 01:59 |
| patdk-lap | I don't exactly know how you can store a password as cram-md5, cause it's not possible | 01:59 |
| JRWR | i did a dovecotpw to make them | 02:00 |
| patdk-lap | well, what format did it make? | 02:00 |
| patdk-lap | and why do you have two auth sections? | 02:01 |
| patdk-lap | no wonder | 02:01 |
| patdk-lap | the config is just total foobar | 02:01 |
| JRWR | the second part is for the SASL for the SMTP server | 02:02 |
| patdk-lap | ya, and it has no users or passwords in it | 02:02 |
| patdk-lap | so no wonder nothing can auth | 02:02 |
| JRWR | it wont | 02:02 |
| JRWR | the first section covers that (i think) | 02:02 |
| patdk-lap | it won't auth cause there is nothing in there to auth against | 02:02 |
| patdk-lap | no, that is a different section | 02:02 |
| patdk-lap | sections have nothing to do with each other | 02:02 |
| patdk-lap | I have seen some complex setups, but never seen more than one auth section before | 02:03 |
| patdk-lap | as you can have as many user storage methods as you want in one section | 02:03 |
| JRWR | this should work http://pastebin.com/4c9HM9X3 | 02:05 |
| patdk-lap | you might want to allow the login method | 02:06 |
| patdk-lap | as that is the only method outlook will use | 02:06 |
| JRWR | >_> | 02:06 |
| JRWR | man this project was harder than it should have been, I don't even have anti-spam in it yet | 02:07 |
| patdk-lap | hmm? | 02:07 |
| patdk-lap | normally takes about 4 hours for me to setup an email server | 02:08 |
| JRWR | wow... my normal time for a LAMP stack is 20 mins | 02:08 |
| JRWR | just never done it before... bout time i learned | 02:09 |
| patdk-lap | heh? to install a lamp stack you just click lamp in the installer, done | 02:09 |
| patdk-lap | email is the most annoying thing ever to setup | 02:09 |
| patdk-lap | for incoming not too hard | 02:09 |
| JRWR | i have a bash script to add users and remove users from dovecot | 02:09 |
| patdk-lap | for outgoing, extremely hard, cause no one else will trust you | 02:09 |
| JRWR | SPF helps | 02:09 |
| JRWR | DKIM also helps | 02:09 |
| patdk-lap | spf and dkim only help if you make it to the junk folder | 02:10 |
| patdk-lap | first is using a good ip | 02:10 |
| patdk-lap | second is setting up dns and rdns correctly | 02:10 |
| patdk-lap | 3rd is having your mail server ID itself correctly | 02:10 |
| JRWR | mine doesn't... at least i don't think it does | 02:11 |
| JRWR | the rdns is a linode | 02:11 |
| JRWR | and the smtp server says its that host | 02:11 |
| patdk-lap | so it will probably work on 90% of email servers | 02:12 |
| patdk-lap | the other 10% needs the rdns to match | 02:12 |
| JRWR | dir | 02:14 |
| === ng_ is now known as zz_ng_ | ||
| sond | hi - situation = Lucid 10.04.3 amd64 install .. I have a raid1 ( md0 ) and wish to know if Grub will run from within LVM or do i need a physical /boot partition ? | 05:40 |
| sond | * LVM on top of raid1 | 05:41 |
| photon | is there a command to update the server's clock using internet time servers? | 05:44 |
| photon | mine's off couple of days | 05:44 |
| sond | ntpdate ip of time serv | 05:45 |
| sond | watch out if you're remote as it can screw your sudo timestamp | 05:45 |
| photon | oh ok. thanks. what could be the worst that can happen? having to re-authenticate? | 05:46 |
| sond | the worst ? dunno - it will require a re-auth tho ... do you have physical access to the machine ? | 05:48 |
| photon | yes | 05:48 |
| sond | no prob then ... | 05:48 |
| photon | worked flawlessly, thanks. | 05:52 |
| photon | didn't know there were that many NTP servers. | 05:53 |
| sond | did you use your -country.pool.ntp.org ? | 05:54 |
| sond | *your-country | 05:54 |
| photon | yes | 05:57 |
| photon | I have no idea though why my server would think it's Thursday in the first place. | 05:59 |
| sond | gotta get back to this install... | 06:01 |
| === photon is now known as Guest83739 | ||
| sond | installing a VM host, do I enable auto security updates ? | 09:55 |
| sond | what's the command for the network-config curses gui ? | 10:46 |
| sond | or isn't there one ? | 10:49 |
| === zz_ng_ is now known as ng_ | ||
| === ng_ is now known as zz_ng_ | ||
| === zz_ng_ is now known as ng_ | ||
| === ng_ is now known as zz_ng_ | ||
| === zz_ng_ is now known as ng_ | ||
| === ng_ is now known as zz_ng_ | ||
| uvirtbot` | New bug: #815071 in apache2 (main) "package apache2.2-common 2.2.17-1ubuntu1 failed to install/upgrade: installed post-installation script alfolyamat 1 hibakóddal kilépett" [Undecided,New] https://launchpad.net/bugs/815071 | 13:47 |
| === medberry is now known as med_out | ||
| === zz_ng_ is now known as ng_ | ||
| === ng_ is now known as zz_ng_ | ||
| [[suarez]] | hello | 15:46 |
| === zz_ng_ is now known as ng_ | ||
| Guest64614 | Has anyone got sound over hdmi to work in ubuntu server using boxee? | 17:55 |
| === ng_ is now known as zz_ng_ | ||
| Guest64614 | Has anyone got sound over hdmi to work in ubuntu server using boxee? | 18:18 |
| Guest64614 | anyone out there? | 18:34 |
| * Datz | nods as he can hear you | 18:37 |
| Datz | but no, I haven't done that | 18:37 |
| Guest64614 | thanks, just seems very quiet here... was starting to wonder if i was on my own | 18:42 |
| Datz | everyone's at the lunch party, I was full | 18:43 |
| Guest64614 | :) | 18:43 |
| === zz_ng_ is now known as ng_ | ||
| === ng_ is now known as zz_ng_ | ||
| === zz_ng_ is now known as ng_ | ||
| frogger | hi all | 20:32 |
| frogger | i have a little dns related question that maybe someone can help me with | 20:32 |
| frogger | i have a bind server running on our net that does dns-caching as well as master for local dns | 20:32 |
| frogger | now i would like to override an external domain to point to a server in our local net | 20:33 |
| frogger | what would be the smartest way to handle this? | 20:33 |
| goddard | when i upload files via web interface it is uploading them as user www-data instead of the user name | 21:22 |
| goddard | what are all you jackasses doing in this channel anyway | 21:25 |
| goddard | few hundred bots? | 21:25 |
| frogger | goddard: www-data is the user of the apache process, so there is nothing wrong with it | 21:27 |
| goddard | frogger if you're running a multi-user environment and fastcgi it is supposed to assign to the user | 21:28 |
| goddard | mod_suexec | 21:28 |
| goddard | frogger not to mention if you use sftp then try and make any changes you can't | 21:30 |
| goddard | it's idiotic actually to leave it as www-data | 21:31 |
| goddard | any other idiots wasting space on freenode? | 21:34 |
| fyrfaktry | lots :) | 22:10 |
| goddard | fyrfaktry you got that right | 22:11 |
| === ng_ is now known as zz_ng_ | ||
| johna | where does ubuntu server keep things like dkim keys, apache ssl keys? | 22:19 |
| patdk-lap | where-ever? | 22:20 |
| patdk-lap | normally ssl stuff is in /etc/ssl | 22:20 |
| patdk-lap | personally I just make /etc/ssl/dkim for well, the obvious | 22:20 |
| ScottK | But it's a function of where the config file is set to look for them. | 22:21 |
| ScottK | It depends a bit on what implementation you are dealing with. | 22:21 |
| johna | patdk-lap: so there is no recommended location for crypto keys? | 22:21 |
| patdk-lap | heh? didn't I just say /etc/ssl? | 22:22 |
| johna | ScottK: it must be configurable for each app? | 22:23 |
| ScottK | It is. | 22:23 |
| ScottK | I'm not saying it must be. | 22:23 |
| ScottK | DKIM is a protocol, not an application. | 22:23 |
| johna | patdk-lap: yep, so the "recommended loc is /etc/ssl/..." | 22:24 |
| ScottK | johna: For example, my /etc/opendkim.conf says: KeyFile /etc/dkim/keys/... | 22:25 |
| ScottK | You could put it anywhere. | 22:25 |
| johna | ScottK: I just like to keep things neat, and if there were a "preferred" loc use it. | 22:26 |
| ScottK | There isn't. Just in /etc somewhere that makes sense to you. | 22:27 |
| goddard | when i upload files via web interface it is uploading them as user www-data instead of the user name | 22:27 |
| patdk-lap | goddard, that is pretty obvious | 22:31 |
| patdk-lap | the webbrowser runs as www-data | 22:31 |
| patdk-lap | it shouldn't be allowed to be run as your user | 22:31 |
| patdk-lap | or to even do that, root | 22:31 |
| patdk-lap | that would be some serious security issues | 22:31 |
| goddard | this part makes sense sure | 22:31 |
| goddard | what if you're in a multi-user environment | 22:32 |
| goddard | one that doesn't have the permissions to change www-data | 22:32 |
| qman__ | with a web interface, said environment is handled by said web interface | 22:32 |
| qman__ | as in, the web interface controls user access and file permission separately from the filesystem | 22:36 |
| qman__ | with, say, an SQL database full of users and password hashes | 22:36 |
| goddard | some systems let you upload components via the web, in fact it is much easier this way | 22:36 |
| goddard | if they upload pictures even | 22:37 |
| qman__ | yes, and they work the way I described | 22:37 |
| goddard | that is not what is in question | 22:37 |
| qman__ | the files on the filesystem are still owned by www-data (or whatever group their system happens to run the web server as) | 22:38 |
| qman__ | because the web server, rightly, does not have the ability to change the owners of files to any given user | 22:38 |
| qman__ | that would be an enormous security risk | 22:38 |
| goddard | unless the process is a part of a virtual environment | 22:39 |
| qman__ | virtual environments don't change this fundamental process | 22:39 |
| goddard | haha ok i can see we are going to go nowhere with this so thanks for sharing with me your point of view | 22:40 |
| qman__ | an owned virtual server is no different from an owned bare metal server | 22:41 |
| goddard | thanks for the information | 22:41 |
| goddard | just for your own future reference qman__ check this out http://httpd.apache.org/docs/current/mod/mod_suexec.html#suexecusergroup | 22:45 |
| goddard | in conjunction with fastcgi it all becomes possible | 22:46 |
| qman__ | I never said it was impossible | 22:46 |
| qman__ | just that it was a huge security risk | 22:46 |
| qman__ | which it is | 22:46 |
| goddard | oh ok ... :D haha | 22:46 |
| goddard | Care to explain how this setup is a security risk? | 22:47 |
| qman__ | running a given CGI process as a dedicated user separate from the web server user isn't a big risk | 22:47 |
| qman__ | running a given CGI process as many different users, probably specified by the web site code, is an enormous risk | 22:48 |
| goddard | ok if this is true how? | 22:49 |
| qman__ | because if the web site can run code as any given user, with input generated by the web site, that site has the potential to be exploited to privilege escalation | 22:50 |
| qman__ | i.e. one bad page in your site means root access | 22:51 |
| goddard | i think you have the process confused a little bit because it is only defined when the apache virtual environment is defined | 22:51 |
| goddard | and it is defined as the user you create | 22:52 |
| goddard | that user has specific privileges | 22:52 |
| qman__ | yes, but that user must be determined at some point | 22:52 |
| goddard | i guess they could sudo su | 22:52 |
| qman__ | and if that user is not hard coded in the system, it must be provided by the user | 22:52 |
| qman__ | and any time you process user input you are taking in a risk | 22:52 |
| goddard | that isn't the way mod_su works | 22:52 |
| goddard | read the link | 22:52 |
| goddard | if a virtual user was attempting to hack into root you could find out pretty quickly | 22:53 |
| goddard | 3 failed attempts and he gets blocked | 22:53 |
| goddard | no more access | 22:53 |
| qman__ | that's great, until the web site code is exploited, and only one attempt is needed | 22:54 |
| goddard | I'd be interested to hear this method but I'm not seeing what you're saying | 22:54 |
| qman__ | I assume that your web site is PHP | 22:54 |
| qman__ | I also assume that your web site was written by a human | 22:55 |
| qman__ | therefore, I can conclude that said website has flaws | 22:55 |
| goddard | right using fastcgi | 22:55 |
| goddard | all systems have flaws | 22:56 |
| qman__ | and when you allow such a high risk thing as filesystem access as an arbitrary user with an interface that has a high risk of potential exploits, you are playing a dangerous game | 22:56 |
| goddard | this is with jailkit? | 22:56 |
| qman__ | jails are great too, but I'm guessing you wouldn't want to lose any of your users' data either | 22:57 |
| qman__ | and that user data must exist inside the jail, otherwise it couldn't be uploaded in the first place | 22:58 |
| goddard | this is all just too vague | 23:00 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!