/srv/irclogs.ubuntu.com/2011/07/23/#ubuntu-server.txt

=== Guest83192 is now known as nandemonai
=== erichammond1 is now known as erichammond
[01:00] <johna> can somebody give me some idea why Ubuntu uses ufw rather than iptables?
[01:07] <jmarsden> johna: It uses both, ufw is a simpler front end for iptables.
[01:09] <johna> jmarden: simpler?
[01:09] <johna> that should have been jmarsden, sorry
[01:10] <johna> where does ubuntu hide the iptables config and input?
[01:11] <jmarsden> /etc/ufw is one place where you will see some of it.
[01:12] <jmarsden> If you don't want to use ufw, no one forces you to do so. You can use naked iptables on Ubuntu just fine.
[01:13] <jmarsden> You'll lose some of the integration of packages that automatically configure ufw, etc. but it can be done.
[01:15] <johna> jmarsden: I am switching from Centos. I cannot see an advantage to ufw as it seems to make simple things very complicated. What would I be losing if I dropped it?
[01:15] <jmarsden> How complicated is     ufw allow 22/tcp   ?
[01:15] <jmarsden> Seems pretty simple to me :)
[01:16] <jmarsden> Some packages can automatically configure ufw to allow access to their daemons etc...
[01:16] <jmarsden> You will lose that if you manually set up iptables.
[01:16] <jmarsden> It is usually better to learn the new way when you enter a new world... but it is your choice.
[01:17] <johna> i took a look at the ufw config files and there seem to be chains all over the place, I would think that would make debugging more time consuming?
[01:17] <jmarsden> johna: For normal use, debug at the ufw level. Why are you trying to dive in so deep? What weird tricky things that ufw cannot do are you needing to accomplish?
[01:21] <johna> jmasden: dovecot has all 4 ports open, I restrict to imaps. Plus I like to know what's going on on the systems I administer
[01:33] <monokrome> Does anyone in here use Ubuntu Server?
[01:33] <monokrome> Ha. I meant, "Does anyone in here use CloudInit?"
[01:34] <monokrome> I am trying to generate multi-part MIME for its user data, but it's not working.
[01:42] <jdstrand> johna: I suggest you read 'man ufw' and 'man ufw-framework'
[01:43] <jdstrand> johna: if you choose not to use it either leave it disabled or uninstall it
[01:57] <JRWR> Ubuntu 10.04 - Dovecot/Postfix SMTPd Issue - Auth - Getting this error message when someone tries to auth to the smtp server to send an email: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism
[01:58] <patdk-lap> well, fix it :)
[01:58] <patdk-lap> you obviously didn't store your passwords in plaintext
[01:59] <JRWR> no, my dovecot passwd is all in cram-md5
[01:59] <JRWR> and imap logins work
[01:59] <patdk-lap> hmm?
[01:59] <JRWR> here is my dovecot.conf : http://pastebin.com/wWbhXaM2 postfix master.cf http://pastebin.com/kvm7Jx2m
[01:59] <patdk-lap> I don't exactly know how you can store a password as cram-md5, cause it's not possible
[02:00] <JRWR> i did a dovecotpw to make them
[02:00] <patdk-lap> well, what format did it make?
[02:01] <patdk-lap> and why do you have two auth sections?
[02:01] <patdk-lap> no wonder
[02:01] <patdk-lap> the config is just total foobar
[02:02] <JRWR> the second part is for the SASL for the SMTP server
[02:02] <patdk-lap> ya, and it has no users or passwords in it
[02:02] <patdk-lap> so no wonder nothing can auth
[02:02] <JRWR> it won't
[02:02] <JRWR> the first section covers that (i think)
[02:02] <patdk-lap> it won't auth cause there is nothing in there to auth against
[02:02] <patdk-lap> no, that is a different section
[02:02] <patdk-lap> sections have nothing to do with each other
[02:03] <patdk-lap> I have seen some complex setups, but never seen more than one auth section before
[02:03] <patdk-lap> as you can have as many user storage methods as you want in one section
[02:05] <JRWR> this should work http://pastebin.com/4c9HM9X3
[02:06] <patdk-lap> you might want to allow the login method
[02:06] <patdk-lap> as that is the only method outlook will use
[02:06] <JRWR> >_>
[02:07] <JRWR> man this project was harder than it should have been, I don't even have anti-spam in it yet
[02:07] <patdk-lap> hmm?
[02:08] <patdk-lap> normally takes about 4 hours for me to setup an email server
[02:08] <JRWR> wow... my normal time for a LAMP stack is 20mins
[02:09] <JRWR> just never done it before... bout time i learned
[02:09] <patdk-lap> heh? to install a lamp stack you just click lamp in the installer, done
[02:09] <patdk-lap> email is the most annoying thing ever to setup
[02:09] <patdk-lap> for incoming not too hard
[02:09] <JRWR> i have a bash script to add users and remove users from dovecot
[02:09] <patdk-lap> for outgoing, extremely hard, cause no one else will trust you
[02:09] <JRWR> SPF helps
[02:09] <JRWR> DKIM also helps
[02:10] <patdk-lap> spf and dkim only help if you make it to the junk folder
[02:10] <patdk-lap> first is using a good ip
[02:10] <patdk-lap> second is setting up dns and rdns correctly
[02:10] <patdk-lap> 3rd is having your mail server id itself correctly
[02:11] <JRWR> mine doesn't... at least i don't think it does
[02:11] <JRWR> the rdns is a linode
[02:11] <JRWR> and the smtp server says it's that host
[02:12] <patdk-lap> so it will probably work on 90% of email servers
[02:12] <patdk-lap> the other 10% needs the rdns to match
[02:14] <JRWR> dir
=== ng_ is now known as zz_ng_
[05:40] <sond> hi - situation = Lucid-10.04.3amd64 install .. i have a raid1 ( md0 ) and wish to know if Grub will run from within LVM or do i need a physical /boot partition ?
[05:41] <sond> * LVM on top of raid1
[05:44] <photon> is there a command to update the server's clock using internet time servers?
[05:44] <photon> mine's off couple of days
[05:45] <sond> ntpdate ip of time serv
[05:45] <sond> watch out if you're remote as it can screw your sudo timestamp
[05:46] <photon> oh ok. thanks. what could be the worst that can happen? having to re-authenticate?
[05:48] <sond> the worst ? dunno - it will require a re-auth tho ... do you have physical access to the machine ?
[05:48] <photon> yes
[05:48] <sond> no prob then ...
[05:52] <photon> worked flawlessly, thanks.
[05:53] <photon> didn't know there were that many NTP servers.
[05:54] <sond> did you use your -country.pool.ntp.org ?
[05:54] <sond> *your-country
[05:57] <photon> yes
[05:59] <photon> I have no idea though why my server would think it's Thursday in the first place.
[06:01] <sond> gotta get back to this install...
=== photon is now known as Guest83739
[09:55] <sond> installing a VMhost do i enable auto security updates ?
[10:46] <sond> what's the command for the network-config curses gui ?
[10:49] <sond> or isn't there one ?
=== zz_ng_ is now known as ng_
=== ng_ is now known as zz_ng_
=== zz_ng_ is now known as ng_
=== ng_ is now known as zz_ng_
=== zz_ng_ is now known as ng_
=== ng_ is now known as zz_ng_
[13:47] <uvirtbot`> New bug: #815071 in apache2 (main) "package apache2.2-common 2.2.17-1ubuntu1 failed to install/upgrade: installed post-installation script alfolyamat 1 hibakóddal kilépett" [Undecided,New] https://launchpad.net/bugs/815071
=== medberry is now known as med_out
=== zz_ng_ is now known as ng_
=== ng_ is now known as zz_ng_
[15:46] <[[suarez]]> hello
=== zz_ng_ is now known as ng_
[17:55] <Guest64614> Has anyone got sound over hdmi to work in ubuntu server using boxee?
=== ng_ is now known as zz_ng_
[18:18] <Guest64614> Has anyone got sound over hdmi to work in ubuntu server using boxee?
[18:34] <Guest64614> anyone out there?
[18:37] * Datz nods as he can hear you
[18:37] <Datz> but no, I haven't done that
[18:42] <Guest64614> thanks, just seems very quiet here... was starting to wonder if i was on my own
[18:43] <Datz> everyone's at the lunch party, I was full
[18:43] <Guest64614> :)
=== zz_ng_ is now known as ng_
=== ng_ is now known as zz_ng_
=== zz_ng_ is now known as ng_
[20:32] <frogger> hi all
[20:32] <frogger> i have a little dns related question that maybe someone can help me with
[20:32] <frogger> i have a bind server running on our net that does dns-caching as well as master for local dns
[20:33] <frogger> now i would like to override an external domain to point to a server in our local net
[20:33] <frogger> what would be the smartest way to handle this?
[21:22] <goddard> when i upload files via web interface it is uploading them as user www-data instead of the user name
[21:25] <goddard> what are all you jackasses doing in this channel any way
[21:25] <goddard> few hundred bots?
[21:27] <frogger> goddard: www-data is the user of the apache process, so there is nothing wrong with it
[21:28] <goddard> frogger if you're running a multi user environment and fastcgi it is supposed to assign to the user
[21:28] <goddard> mod_suexec
[21:30] <goddard> frogger not to mention if you use sftp then try and make any changes you can't
[21:31] <goddard> it's idiotic actually to leave it as www-data
[21:34] <goddard> any other idiots wasting space on freenode?
[22:10] <fyrfaktry> lots :)
[22:11] <goddard> fyrfaktry you got that right
=== ng_ is now known as zz_ng_
[22:19] <johna> where does ubuntu server keep things like dkim keys, apache ssl keys?
[22:20] <patdk-lap> where-ever?
[22:20] <patdk-lap> normally ssl stuff is in /etc/ssl
[22:20] <patdk-lap> personally I just make /etc/ssl/dkim for well, the obvious
[22:21] <ScottK> But it's a function of where the config file is set to look for them.
[22:21] <ScottK> It depends a bit on what implementation you are dealing with.
[22:21] <johna> patdk-lap: so there is no recommended location for crypto keys?
[22:22] <patdk-lap> heh? didn't I just say /etc/ssl?
[22:23] <johna> Scottk: it must be configurable for each app?
[22:23] <ScottK> It is.
[22:23] <ScottK> I'm not saying it must be.
[22:23] <ScottK> DKIM is a protocol, not an application.
[22:24] <johna> patdk-lap: yep, so the "recommended loc is /etc/ssl/..."
[22:25] <ScottK> johna: For example, my /etc/opendkim.conf says: KeyFile                 /etc/dkim/keys/...
[22:25] <ScottK> You could put it anywhere.
[22:26] <johna> ScottK: I just like to keep things neat, and if there were a "preferred" loc use it.
[22:27] <ScottK> There isn't. Just in /etc somewhere that makes sense to you.
[22:27] <goddard> when i upload files via web interface it is uploading them as user www-data instead of the user name
[22:31] <patdk-lap> goddard, that is pretty obvious
[22:31] <patdk-lap> the webbrowser runs as www-data
[22:31] <patdk-lap> it shouldn't be allowed to be run as your user
[22:31] <patdk-lap> or to even do that, root
[22:31] <patdk-lap> that would be some serious security issues
[22:31] <goddard> this part makes sense sure
[22:32] <goddard> what if you're in a multi-user environment
[22:32] <goddard> one that doesn't have the permissions to change www-data
[22:32] <qman__> with a web interface, said environment is handled by said web interface
[22:36] <qman__> as in, the web interface controls user access and file permission separately from the filesystem
[22:36] <qman__> with, say, an SQL database full of users and password hashes
[22:36] <goddard> some systems let you upload components via the web in fact it is much easier this way
[22:37] <goddard> if they upload pictures even
[22:37] <qman__> yes, and they work the way I described
[22:37] <goddard> that is not what is in question
[22:38] <qman__> the files on the filesystem are still owned by www-data (or whatever group their system happens to run the web server as)
[22:38] <qman__> because the web server, rightly, does not have the ability to change the owners of files to any given user
[22:38] <qman__> that would be an enormous security risk
[22:39] <goddard> unless the process is a part of a virtual environment
[22:39] <qman__> virtual environments don't change this fundamental process
[22:40] <goddard> haha ok i can see we are going to go nowhere with this so thanks for sharing with me your point of view
[22:41] <qman__> an owned virtual server is no different from an owned bare metal server
[22:41] <goddard> thanks for the information
[22:45] <goddard> just for your own future reference qman__ check this out http://httpd.apache.org/docs/current/mod/mod_suexec.html#suexecusergroup
[22:46] <goddard> in conjunction with fastcgi it all becomes possible
[22:46] <qman__> I never said it was impossible
[22:46] <qman__> just that it was a huge security risk
[22:46] <qman__> which it is
[22:46] <goddard> oh ok ... :D haha
[22:47] <goddard> Care to explain how this setup is a security risk?
[22:47] <qman__> running a given CGI process as a dedicated user separate from the web server user isn't a big risk
[22:48] <qman__> running a given CGI process as many different users, probably specified by the web site code, is an enormous risk
[22:49] <goddard> ok if this is true how?
[22:50] <qman__> because if the web site can run code as any given user, with input generated by the web site, that site has the potential to be exploited to privilege escalation
[22:51] <qman__> i.e. one bad page in your site means root access
[22:51] <goddard> i think you have the process confused a little bit because it is only defined when the apache virtual environment is defined
[22:52] <goddard> and it is defined as the user you create
[22:52] <goddard> that user has specific privileges
[22:52] <qman__> yes, but that user must be determined at some point
[22:52] <goddard> i guess they could sudo su
[22:52] <qman__> and if that user is not hard coded in the system, it must be provided by the user
[22:52] <qman__> and any time you process user input you are taking in a risk
[22:52] <goddard> that isn't the way mod_su works
[22:52] <goddard> read the link
[22:53] <goddard> if a virtual user was attempting to hack into root you could find out pretty quickly
[22:53] <goddard> 3 fail attempts and he gets blocked
[22:53] <goddard> no more access
[22:54] <qman__> that's great, until the web site code is exploited, and only one attempt is needed
[22:54] <goddard> i'd be interested to hear this method but i'm not seeing what you're saying
[22:54] <qman__> I assume that your web site is PHP
[22:55] <qman__> I also assume that your web site was written by a human
[22:55] <qman__> therefore, I can conclude that said website has flaws
[22:55] <goddard> right using fastcgi
[22:56] <goddard> all systems have flaws
[22:56] <qman__> and when you allow such a high risk thing as filesystem access as an arbitrary user with an interface that has a high risk of potential exploits, you are playing a dangerous game
[22:56] <goddard> this is with jailkit?
[22:57] <qman__> jails are great too, but I'm guessing you wouldn't want to lose any of your users' data either
[22:58] <qman__> and that user data must exist inside the jail, otherwise it couldn't be uploaded in the first place
[23:00] <goddard> this is all just too vague
