[01:00] <johna> can somebody give me some idea why Ubuntu uses ufw rather than iptables?
[01:07] <jmarsden> johna: It uses both, ufw is a simpler front end for iptables.
[01:09] <johna> jmarden: simpler?
[01:09] <johna> that shuld have been jmarsden, sorry
[01:10] <johna> where does Ubuntu hide the iptables config and input?
[01:11] <jmarsden> /etc/ufw is one place where you will see some of it.
[01:12] <jmarsden> If you don't want to use ufw, no one forces you to do so.  You can use naked iptables on Ubuntu just fine.
[01:13] <jmarsden> You'll lose some of the integration of packages that automatically configure ufw, etc. but it can be done.
[01:15] <johna> jmarsden: I am switching from CentOS. I cannot see an advantage to ufw as it seems to make simple things very complicated. What would I be losing if I dropped it?
[01:15] <jmarsden> How complicated is     ufw allow 22/tcp   ?
[01:15] <jmarsden> Seems pretty simple to me :)
[01:16] <jmarsden> Some packages can automatically configure ufw to allow access to their daemons etc...
[01:16] <jmarsden> You will lose that if you manually set up iptables.
[01:16] <jmarsden> It is usually better to learn the new way when you enter a new world... but it is your choice.
[01:17] <johna> i took a look at the ufw config files and there seem to be chains all over the place, I would think that would make debugging more time consuming?
[01:17] <jmarsden> johna: For normal use, debug at the ufw level.  Why are you trying to dive in so deep?  What weird tricky things that ufw cannot do are you needing to accomplish?
[01:21] <johna> jmarsden: dovecot has all 4 ports open, I restrict to imaps. Plus I like to know what's going on on the systems I administer
[01:33] <monokrome> Does anyone in here use Ubuntu Server?
[01:33] <monokrome> Ha. I meant, "Does anyone in here use CloudInit?"
[01:34] <monokrome> I am trying to generate multi-part MIME for its user data, but it's not working.
[01:42] <jdstrand> johna: I suggest you read 'man ufw' and 'man ufw-framework'
[01:43] <jdstrand> johna: if you choose not to use it either leave it disabled or uninstall it
[01:57] <JRWR> Ubuntu 10.04 - Dovecot/Postfix SMTPd Issue - Auth - Getting this error message when someone tries to auth to the smtp server to send an email: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism
[01:58] <patdk-lap> well, fix it :)
[01:58] <patdk-lap> you obviously didn't store your passwords in plaintext
[01:59] <JRWR> no, my dovecot passwd is all in cram-md5
[01:59] <JRWR> and imap logins work
[01:59] <patdk-lap> hmm?
[01:59] <JRWR> here is my dovecot.conf : http://pastebin.com/wWbhXaM2 postfix master.cf http://pastebin.com/kvm7Jx2m
[01:59] <patdk-lap> I don't exactly know how you can store a password as cram-md5, cause it's not possible
[02:00] <JRWR> i did a dovecotpw to make them
[02:00] <patdk-lap> well, what format did it make?
[02:01] <patdk-lap> and why do you have two auth sections?
[02:01] <patdk-lap> no wonder
[02:01] <patdk-lap> the config is just total foobar
[02:02] <JRWR> the second part is for the SASL for the SMTP server
[02:02] <patdk-lap> ya, and it has no users or passwords in it
[02:02] <patdk-lap> so no wonder nothing can auth
[02:02] <JRWR> it wont
[02:02] <JRWR> the first section covers that (i think)
[02:02] <patdk-lap> it won't auth cause there is nothing in there to auth against
[02:02] <patdk-lap> no, that is a different section
[02:02] <patdk-lap> sections have nothing to do with each other
[02:03] <patdk-lap> I have seen some complex setups, but never seen more than one auth section before
[02:03] <patdk-lap> as you can have as many user storage methods as you want in one section
[02:05] <JRWR> this should work http://pastebin.com/4c9HM9X3
[02:06] <patdk-lap> you might want to allow the login method
[02:06] <patdk-lap> as that is the only method outlook will use
[02:06] <JRWR> >_>
[02:07] <JRWR> man this project was harder than it should have been, I don't even have anti-spam in it yet
[02:07] <patdk-lap> hmm?
[02:08] <patdk-lap> normally takes about 4 hours for me to setup an email server
[02:08] <JRWR> wow... my normal time for a LAMP stack is 20mins
[02:09] <JRWR> just never done it before... bout time i learned
[02:09] <patdk-lap> heh? to install a lamp stack you just click lamp in the installer, done
[02:09] <patdk-lap> email is the most annoying thing ever to setup
[02:09] <patdk-lap> for incoming not too hard
[02:09] <JRWR> i have a bash script to add users and remove users from dovecot
[02:09] <patdk-lap> for outgoing, extremely hard, cause no one else will trust you
[02:09] <JRWR> SPF helps
[02:09] <JRWR> DKIM also helps
[02:10] <patdk-lap> spf and dkim only helps if you make it to the junk folder
[02:10] <patdk-lap> first is using a good ip
[02:10] <patdk-lap> second is setting up dns and rdns correctly
[02:10] <patdk-lap> 3rd is having your mail server id itself correctly
[02:11] <JRWR> mine doesn't... at least I don't think it does
[02:11] <JRWR> the rdns is a linode
[02:11] <JRWR> and the smtp server says its that host
[02:12] <patdk-lap> so it will probably work on 90% of email servers
[02:12] <patdk-lap> the other 10% needs the rdns to match
[02:14] <JRWR> dir
[05:40] <sond> hi - situation = Lucid-10.04.3amd64 install .. i have a raid1 ( md0 ) and wish to know if Grub will run from within LVM  or do i need a physical /boot partition    ?
[05:41] <sond> * LVM on top of raid1
[05:44] <photon> is there a command to update the server's clock using internet time servers?
[05:44] <photon> mine's off couple of days
[05:45] <sond> ntpdate ip of time serv
[05:45] <sond> watch out if you're remote as it can screw your sudo timestamp
[05:46] <photon> oh ok. thanks. what could be the worst that can happen? having to re-authenticate?
[05:48] <sond> the worst ? dunno -  it will require a re-auth tho ...  do you have physical access to the machine ?
[05:48] <photon> yes
[05:48] <sond> no prob then ...
[05:52] <photon> worked flawlessly, thanks.
[05:53] <photon> didn't know there were that many NTP servers.
[05:54] <sond> did you use your -country.pool.ntp.org ?
[05:54] <sond> *your-country
[05:57] <photon> yes
[05:59] <photon> I have no idea though why my server would think it's Thursday in the first place.
[06:01] <sond> gotta get back to this install...
[09:55] <sond> installing a VM host, do I enable auto security updates?
[10:46] <sond> whats the command for the network-config curses gui ?
[10:49] <sond> or isn't there one ?
[13:47] <uvirtbot`> New bug: #815071 in apache2 (main) "package apache2.2-common 2.2.17-1ubuntu1 failed to install/upgrade: installed post-installation script subprocess exited with error code 1" [Undecided,New] https://launchpad.net/bugs/815071
[15:46] <[[suarez]]> hello
[17:55] <Guest64614> Has anyone got sound over hdmi to work in ubuntu server using boxee?
[18:18] <Guest64614> Has anyone got sound over hdmi to work in ubuntu server using boxee?
[18:34] <Guest64614> anyone out there?
[18:37]  * Datz nods as he can hear you
[18:37] <Datz> but no, I haven't done that
[18:42] <Guest64614> thanks, just seems very quiet here... was starting to wonder if i was on my own
[18:43] <Datz> everyone's at the lunch party, I was full
[18:43] <Guest64614> :)
[20:32] <frogger> hi all
[20:32] <frogger> i have a little dns related question that maybe someone can help me with
[20:32] <frogger> i have a bind server running on our net that does dns-caching as well as master for local dns
[20:33] <frogger> now i would like to override an external domain to point to a server in our local net
[20:33] <frogger> what would be the smartest way to handle this?
[21:22] <goddard> when i upload files via web interface it is uploading them as user www-data instead of the user name
[21:25] <goddard> what are all you jackasses doing in this channel any way
[21:25] <goddard> few hundred bots?
[21:27] <frogger> goddard: www-data is the user of the apache process, so there is nothing wrong with it
[21:28] <goddard> frogger if you're running a multi-user environment and fastcgi it is supposed to assign to the user
[21:28] <goddard> mod_suexec
[21:30] <goddard> frogger not to mention if you use sftp then try and make any changes you can't
[21:31] <goddard> it's idiotic actually to leave it as www-data
[21:34] <goddard> any other idiots wasting space on freenode?
[22:10] <fyrfaktry> lots :)
[22:11] <goddard> fyrfaktry you got that right
[22:19] <johna> where does ubuntu server keep things like dkim keys, apache ssl keys?
[22:20] <patdk-lap> where-ever?
[22:20] <patdk-lap> normally ssl stuff is in /etc/ssl
[22:20] <patdk-lap> personally I just make /etc/ssl/dkim for well, the obvious
[22:21] <ScottK> But it's a function of where the config file is set to look for them.
[22:21] <ScottK> It depends a bit on what implementation you are dealing with.
[22:21] <johna> patdk-lap: so there is no recommended location for crypto keys?
[22:22] <patdk-lap> heh? didn't I just say /etc/ssl?
[22:23] <johna> Scottk: it must be configurable for each app?
[22:23] <ScottK> It is.
[22:23] <ScottK> I'm not saying it must be.
[22:23] <ScottK> DKIM is a protocol, not an application.
[22:24] <johna> patdk-lap: yep, so the "recommended loc is /etc/ssl/..."
[22:25] <ScottK> johna: For example, my /etc/opendkim.conf says: KeyFile                 /etc/dkim/keys/...
[22:25] <ScottK> You could put it anywhere.
[22:26] <johna> ScottK: I just like to keep things neat, and if there were a "preferred" loc use it.
[22:27] <ScottK> There isn't.  Just in /etc somewhere that makes sense to you.
[22:27] <goddard> when i upload files via web interface it is uploading them as user www-data instead of the user name
[22:31] <patdk-lap> goddard, that is pretty obvious
[22:31] <patdk-lap> the webbrowser runs as www-data
[22:31] <patdk-lap> it shouldn't be allowed to be run as your user
[22:31] <patdk-lap> or to even do that, root
[22:31] <patdk-lap> that would be some serious security issues
[22:31] <goddard> this part makes sense sure
[22:32] <goddard> what if you're in a multi-user environment
[22:32] <goddard> one that doesn't have the permissions to change www-data
[22:32] <qman__> with a web interface, said environment is handled by said web interface
[22:36] <qman__> as in, the web interface controls user access and file permission separately from the filesystem
[22:36] <qman__> with, say, an SQL database full of users and password hashes
[22:36] <goddard> some systems let you upload components via the web, in fact it is much easier this way
[22:37] <goddard> if they upload pictures even
[22:37] <qman__> yes, and they work the way I described
[22:37] <goddard> that is not what is in question
[22:38] <qman__> the files on the filesystem are still owned by www-data (or whatever group their system happens to run the web server as)
[22:38] <qman__> because the web server, rightly, does not have the ability to change the owners of files to any given user
[22:38] <qman__> that would be an enormous security risk
[22:39] <goddard> unless the process is a part of a virtual environment
[22:39] <qman__> virtual environments don't change this fundamental process
[22:40] <goddard> haha ok i can see we are going to go nowhere with this so thanks for sharing with me your point of view
[22:41] <qman__> an owned virtual server is no different from an owned bare metal server
[22:41] <goddard> thanks for the information
[22:45] <goddard> just for your own future reference qman__ check this out http://httpd.apache.org/docs/current/mod/mod_suexec.html#suexecusergroup
[22:46] <goddard> in conjunction with fastcgi it all becomes possible
[22:46] <qman__> I never said it was impossible
[22:46] <qman__> just that it was a huge security risk
[22:46] <qman__> which it is
[22:46] <goddard> oh ok ... :D haha
[22:47] <goddard> Care to explain how this setup is a security risk?
[22:47] <qman__> running a given CGI process as a dedicated user separate from the web server user isn't a big risk
[22:48] <qman__> running a given CGI process as many different users, probably specified by the web site code, is an enormous risk
[22:49] <goddard> ok if this is true how?
[22:50] <qman__> because if the web site can run code as any given user, with input generated by the web site, that site has the potential to be exploited to privilege escalation
[22:51] <qman__> i.e. one bad page in your site means root access
[22:51] <goddard> i think you have the process confused a little bit because it is only defined when the apache virtual environment is defined
[22:52] <goddard> and it is defined as the user you create
[22:52] <goddard> that user has specific privileges
[22:52] <qman__> yes, but that user must be determined at some point
[22:52] <goddard> i guess they could sudo su
[22:52] <qman__> and if that user is not hard coded in the system, it must be provided by the user
[22:52] <qman__> and any time you process user input you are taking in a risk
[22:52] <goddard> that isn't the way mod_su works
[22:52] <goddard> read the link
[22:53] <goddard> if a virtual user was attempting to hack into root you could find out pretty quickly
[22:53] <goddard> 3 failed attempts and he gets blocked
[22:53] <goddard> no more access
[22:54] <qman__> that's great, until the web site code is exploited, and only one attempt is needed
[22:54] <goddard> I'd be interested to hear this method but I'm not seeing what you're saying
[22:54] <qman__> I assume that your web site is PHP
[22:55] <qman__> I also assume that your web site was written by a human
[22:55] <qman__> therefore, I can conclude that said website has flaws
[22:55] <goddard> right using fastcgi
[22:56] <goddard> all systems have flaws
[22:56] <qman__> and when you allow such a high risk thing as filesystem access as an arbitrary user with an interface that has a high risk of potential exploits, you are playing a dangerous game
[22:56] <goddard> this is with jailkit?
[22:57] <qman__> jails are great too, but I'm guessing you wouldn't want to lose any of your users' data either
[22:58] <qman__> and that user data must exist inside the jail, otherwise it couldn't be uploaded in the first place
[23:00] <goddard> this is all just too vague