[00:05] Hi! Anyone know how to set up and enable nagiosgrapher? I've installed it and enabled "process_performance_data=1" and "service_perfdata_file_processing_command=process-service-perfdata" in the nagios.conf :) But no hosts are showing up :(
[01:08] hi guys how do i find huge file size on my ubuntu server
[01:08] i have storage of 98 percent but cant see which file are having this huge file size any idea..?
[01:09] find / -size +something
[01:09] man find
[01:09] best place to start is /var/log
[01:12] or start with
[01:12] du -sch /var /home
[01:16] 82G /var
[01:16] 58G /home
[01:16] 140G total
[01:17] so how large is the filesystem?
[01:17] I need to sleep - talk tomorrow
[01:18] http://pastebin.com/XKvuhyaE
[01:18] please
[01:18] wait
[01:56] ruben231: You could always 'find / -type f -printf "%s %p\n" | sort -n
[01:58] ruben231: keep in mind sort uses space in /tmp though
[07:10] Which virtualization software do you recommend? I have an 8 core Intel server with 8gb RAM and 300GB HDD. Need to create a virtual machine which can run 24x7 without any need for maintenance or reboot.
[07:10] Locally I have been using Virtualbox. But not sure if that is suitable for long running as a server
[07:11] I wouldn't use Virtualbox on a server; that's not its intended use case, really.
[07:11] kvm (possibly via virt-manager) and Xen are both quite fine
[07:12] geofft: I was thinking XEN but need second opinion. Is it easy to set up?
[07:14] I haven't used it on recent Ubuntu versions, but in my experience, yes
[07:21] geofft: Which guest type is preferred ? PV or HVM ? My needs include mathematical application and a lot of number crunching. That may include clock timing requirements for random numbers etc.
[07:24] Greetings from Sweden all. Just installed ubuntu-server on a virtual server, and all works, but I haven't understood one basic thing: Which user is "logged" when the virtual server reboots? For example, which user's crontab will be in effect after a reboot?
[07:42] vedic: PV. Xen's HVM support is primarily for OSes that can't be run as PV
[12:04] how do I list the current list of php processes?
[12:41] hi
[12:42] i'm having a problem setting up an apache2 server on ubuntu, is this the right channel to ask?
[12:43] (and i suspect this is not an apache2 issue, but something wrong with my router/connection settings/port forwarding)
[13:07] i just created a new raid5 volume with mdadm, got it configured and rebooted to confirm all settings were correct
[13:07] volume wouldn't mount properly
[13:08] i try to mount it manually and find the device in /dev has changed from /dev/md0 to /dev/md127, but all of my data is still there
[13:08] any thoughts on what i might have done wrong?
[13:08] here is what i have in /etc/fstab
[13:08] UUID=f70b9a0f-cf0aa0a2-9e5cf3fd-c44046b8 /media/storage ext4 defaults 0 0
[13:09] how can I restrict users to only use one command ("passwd") to just be able to change their password, and cannot do anything else in console? how is it possible?
[13:09] geofft: yeah, that ppa is years old, and yeah i saw tpm related patches flying by the list recently... sorry i don't know of anyone working on tpm+qemu right now.
[13:33] Pici, geofft you there?
[13:40] how can I restrict users to only use one command ("passwd") to just be able to change their password, and cannot do anything else in console? its for just giving them sftp access. how is it possible? cant do it with rssh
[13:43] maybe RoyK would know
[13:48] if you use rssh, users can't login
[13:48] how many users?
[13:49] and why so paranoid?
[13:58] only sftp? without scp?
[13:59] * patdk-lap goes paranoid though
[13:59] users can change their password in webmail
[13:59] and on the sftp box, I unset all sticky user/group settings from all programs
[14:15] To start my application I need to run "start socialapi", but I can't find "start" anywhere
[14:20] RoyK, 50-100
[14:23] RoyK, chroot might be better option?
[14:23] what does %h mean in http://www.fpaste.org/DQdA/
[14:23] and should the ForceCommand internal-sftp be ForceCommand /usr/lib/openssh/sftp-server
[14:31] Quest: chroot means you'll need to link in libs and other binaries
[14:32] Quest: if the system is secure, like most are, allowing logins shouldn't be a problem
[14:35] Quest: at work, we use a homegrown webinterface for users to change their passwords across several systems. I guess there should be some around for just changing unix passwords
[14:36] Quest: as usual - please google first
[14:36] how do you give web interfaces for changing password?
[14:36] RoyK, ^
[14:37] RoyK, i just dont want even anyone to use ifconfig eth0
[14:37] why not?
[14:37] it'll just show the ip address and mac address and so on
[14:37] no one should do anything that their dont need to
[14:38] first rule
[14:38] no, the first rule is "noone should be able to administer the system"
[14:38] no one should do anything that they* dont need to
[14:39] so what if they can run ifconfig?
[14:39] RoyK, thats not a rule. thats implicit
[14:39] RoyK, nothing... but why give info for a hacker that . look heres my ip config for all ehos. ipconfig is just one example
[14:40] oh
[14:40] ipconfig doesn't exist, btw
[14:40] ...
[14:40] the problem with newbies, is that they are afraid of users
[14:40] sorry ifconfig
[14:41] thats a good problem then
[14:41] how do you give web interfaces for changing password?
[14:42] Quest: have you even tried googling that?
[14:42] ok
[14:42] * RoyK ignores Quest
[14:42] what does %h mean in http://www.fpaste.org/DQdA/
[14:42] and should the ForceCommand internal-sftp be ForceCommand /usr/lib/openssh/sftp-server
[14:42] RoyK, dont answer / chat with me if you do ignore on me one more time
[14:43] and use /ignore not /me ignores Quest
[14:43] for good
[14:43] google that for its use
[14:43] Quest: I've helped you with a lot of things, but I ask you, kindly, again, to please bloody google things before spamming this channel
[14:43] for that i am really thankful
[14:43] really appreciate it
[14:43] :)
[14:44] but saying ignoring is not friendly
[14:44] its like you are giving a penny to a beggar and spitting on his hand as well. i dont need such pennies
[14:45] Quest: well, ignoring my repetitive requests for you to try to google things before you ask here, and then, when you get an answer, repeat the question, is not very friendly either. it makes people like me who like to help newbies want to ignore them all the way
[14:45] so please, jfgfi
[15:10] why is there a need to adduser to a group of its own name? why not add most users to one group only?
[15:13] that's an option, just not the default
[15:14] shauno, adduser userName adds the userName to the group called userName by default (and makes /home/userName even if -m is not supplied)
[15:23] Quest: The practice of making a user's primary group one dedicated to that user is indeed a bit obscure
[15:23] It has to do with the concept of 'umask'
[15:23] umask determines what the access privileges assigned to newly created files are
[15:24] maxb, so adding users to their own group name is necessary?
[15:24] It's not necessary, but it is the de facto standard way to implement the ability to share write access to files using groups
[15:25] maxb, ok. whats the command to add a user and while adding, add the user to its own group (named as the user name) and to 2 more groups?
[15:25] The idea goes as follows: If you set up users with their own group, then you can set the default umask to one which allows the group write access bit for new files to be on, without actually giving access to other people
[15:26] hm
[15:26] Then, when you want a directory tree where write access *is* shared between a group of users, you can chgrp that tree and set the directory setgid bit so that new files are also group-owned by that group
[15:26] It is a fairly obscure use case
[15:26] i see
[15:26] ok
[15:26] whats the command to add a user and while adding, add the user to its own group (named as the user name) and to 2 more groups?
[15:27] But it is the only concrete reason I've ever come across for the pattern of defaulting to creating these 'usergroups' as they are typically known
[15:27] Are you using 'adduser' the Debian/Ubuntu friendly helper, or 'useradd' the lower level tool?
[15:27] yes
[15:28] adduser
[15:28] That was an either/or question, yes is not a valid answer :-)
[15:28] i stated adduser
[15:29] It looks like you need to create the user and then add the additional group memberships in a second command
[15:29] ok
[15:29] whats the commands?
[15:30] 1) adduser [options] username
[15:30] 2) adduser username groupname
[15:30] adduser does different things depending on whether you give it one or two names
[15:30] Which is a little obscure at first
[15:34] my /etc/groups states testing:x:1005: but groups testing says groups: testing: No such user
[15:35] whats wrong
[15:37] Huh, weird. Somehow I've managed to go a decade plus of using Linux without coming across the groups command :-)
[15:38] But 'man groups' tells me that groups takes a username, and you appear to be misunderstanding it as taking a groupname
[15:40] k
[15:46] i just $ sudo service ssh restart . it did restart and i am on that shell (i didnt disconnect) but now i cannot ssh to that computer by any account. it says connection refused. whats wrong?
[16:09] I just installed fail2ban with no config editing. i restarted sshd with sudo service ssh restart. now i cant login by ssh by any ip. nmap says port 22 is closed. what can be wrong?
[16:13] hallyn: OK, thanks. (Was looking for something easy to learn with, since my laptop doesn't have a TPM)
[16:14] hallyn: may I ITP libtpms in Debian based on your packaging? (I'll also check with the Debian qemu team)
[16:15] Quest: Sounds like sshd failed to start to me.
[16:15] hm
[16:15] maxb, but why ssh 22 is closed and so are other ports?
[16:16] closed just means nothing has it open...
[16:16] ok
[16:54] maxb, this config http://pastebin.ca/2352079 in the /etc/ssh/sshd_config is not letting the openssh server start up. whats wrong in it?
[16:56] anyone?
[17:09] this config http://pastebin.ca/2352079 in the /etc/ssh/sshd_config is not letting the openssh server start up. whats wrong in it? i commented it out to make it work. now ssh server is running. the only logs i get is ssh status stop/waiting and Invalid user plant from 116.212.190.6
[17:39] more elaboration : this config http://pastebin.ca/2352079 in the /etc/ssh/sshd_config is not letting the openssh server start up. whats wrong in it? i commented it out to make it work. now ssh server is running. the only logs i get is ssh status stop/waiting and Invalid user plant from 116.212.190.6 . if i follow this http://www.serverubuntu.it/SFTP-chroot it says this http://pastebin.ca/2352109
[17:40] Pici, ?
[17:42] My guess would be that the way sshd is being managed by upstart is unhelpfully causing the interesting error messages to be lost.
[17:43] Therefore I would try starting a second sshd running on an alternate port manually in a terminal, so I could observe whatever it's complaining about
[17:46] maxb, now i am on local host
[17:46] same problem
[18:29] Hi good people. I just made my ubuntu server have a static ip. I dont know if it is a consequence of this that i cannot ping any ip that is not 8.8.8.8 - 8.8.8.4.4. Anyone that can help me find out whats wrong?
[18:31] I did the two ip are the two that i added as dns-nameservers in my etc/network/interfaces
[18:31] no idea
[18:45] I have created an upstart script to start/stop a python script (its a tcp/ip server). There are two servers that I need to start (order is not a matter). When I start the first server using upstart script, it is starting well and works fine. But while first is running, if I start second server which is using prefork to spawn about 10 processes, it is not able to start.
[18:57] Hi good people. I just made my ubuntu server have a static ip. I dont know if it is a consequence of this that i cannot ping any ip that is not 8.8.8.8 - 8.8.8.4.4. These two ip are the two only ips i added as dns-nameservers in my etc/network/interfaces. Can anyone help me find out why i cannot ping other ip's?
[19:02] i just deleted /var/log/auth.log and i dont see it recreated. i recreated it with sudo. blank file but even after a reboot. its not being populated. still blank
[19:16] Shogoot: dns-nameservers have nothing to do with the ability to ping a host by IP-address, thats more a problem of routing-tables
[19:17] can you help me find out what i need to do?
[19:18] i got a netgear WNDR3700 router
[19:24] did you define a gateway?
[19:27] patdk-lap, this is my interface file http://pastebin.com/ZKeq0n6j
[19:27] quick snser: yes
[19:27] quick answer: yes*
[19:29] im looking into if it is my router...
[19:29] it does have a static routes config thing....
[19:31] image: http://imageshack.us/photo/my-images/708/staticipk.jpg/
[19:32] You really shouldn't be defining static routes on a home wifi router unless you're REALLY sure you need to do so
[19:33] In this case it looks a lot like you've told the router it needs to route to your network via itself
[19:33] i want to access it from outside
[19:33] Which could well be breaking stuff
[19:33] hmmm
[19:34] Static routes have very little to do with external access
[19:34] what i thought too... but im going nowhere with this
[19:39] Delete all static routes on the router and see if your routing problem is fixed
[19:40] i had no static routes to begin with. so thats not the issue
[19:42] you had no static routes when you could ping the outside world. you now have them and can't. so it makes sense to backtrack to a working config before you go forward
[19:43] yupp
[19:43] and i found the problem
[19:43] in interfaces i use 3 dns-servernames, and only 2 are allowed...
[19:44] i got rid of the last and now i got it up and running :)
[19:44] maxb, thanks for your time
[19:45] i have seen rssh docs, used chroot with sftp and openssh server . what i want to accomplish is: give users sftp access, make a jail so they cant go outside their home, but can login to console and only use those commands that i have allowed. how can it be done?
[19:49] heh? you can't
[19:49] chroot breaks all of that stuff
[20:26] I encrypted /homes while installing ubuntu. how come i can browse other people's /homes?
[20:30] if those are encrypted, you can't
[20:30] probably because you are switching to that user account
[20:31] no i am not
[20:32] More detail will be needed to diagnose
[20:32] there is .ecryptfs
[20:32] in /home
[20:32] but i can cd to others /home
[20:35] as root or as a user
[20:36] How many times do we need to tell you not to cross post your questions in multiple Ubuntu channels, it is rude, and it divides the support.
[20:36] Do you actually see anything in their homes?
[20:38] IdleOne, user
[20:40] I encrypted /homes while installing ubuntu. how come i can browse other people's /homes? so if i had user1 set up at install time and chose encrypt /home folder, who can go into other user accounts and who cannot?
[20:42] i used vmbuilder and now have a qemu qcow image. how can i boot this using libvirt?
[20:42] who can chdir to that folder is permissions, not encryption. as you were trying to put users all in the same group earlier, rather than having a group created per-user, you're probably not seeing the default behaviour there anymore
[20:42] what you find inside those homedirs should be the result of encryption/lack of
[21:14] complete info . I encrypted /homes while installing ubuntu. how come i can browse other people's /homes? so if i had user1 set up at install time and chose encrypt /home folder, who can go into other user accounts and who cannot?
[21:28] it's based on permissions of that user's home directory. 700 means only they can see it. 750 will let users in the same group in to read (but not write), 770 also write. 755 those in the same group, and everyone else, read. 777, everyone read/write (bad idea)
[21:29] if a thief gets the HD, boots from live cd, replaces /etc/shadow file with his own, boots up, logs in as sudoer, changes all users' passwords, can he get into the encrypted /homes of users?
[21:30] Quest: no, because /home (i'm assuming) is encrypted as a partition. they would need the password and/or key of the encrypted partition
[21:30] I'm pretty sure the context is that directories in /home are encrypted with eCryptFS.
[21:31] i'm not sure what that is, all i know of is luks
[21:31] and i'm assuming /home was encrypted in such a way
[21:31] ecryptfs is far away from luks
[21:31] okay, well whatever it is, if it's /home that is its own partition, and encrypted, the concept still applies
[21:31] Fieldy: Quest has said before that ecryptfs is what's being used.
[21:32] Fieldy: It's not partition-level encryption.
[21:32] right. but i don't know what that is. so i'm reverting to conceptual stuff
[21:32] fieldy, the concept does not
[21:32] okay, i am ill-informed on this subject then, sorry
[21:32] if you don't know what it is, you don't know the concept, please don't confuse people
[21:32] short answer from me: with luks, an attacker won't get the user data as described. with this other thing, I have no idea.
[21:33] I'm really worried about what Quest is doing, since they're clearly doing something security-sensitive
[21:33] and are asking random folks on an IRC channel for advice
[21:33] and that's a great way to get yourself totally misconfigured by mistake and screwed over.
[21:34] If I say "no, you're fine, there's no security risk", why should you possibly trust me?
[21:34] Even if I'm competent, I may have misunderstood you.
[21:34] Or you may have failed to describe something else about the system that's relevant.
[21:35] So I strongly, strongly advise folks here to point Quest at thorough documentation instead of guessing at particular questions.
[21:35] hm
[21:35] Or at consulting resources. I hear you can pay Canonical to run this for you.
[21:35] Here's some ecryptfs documentation:
[21:35] http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/files/head:/doc/
[21:35] I think this all gets installed somewhere in /usr/share/doc
[21:37] I'm usually happy to answer questions, but the amount that these questions are security-sensitive
[21:37] and the way that they're being asked
[21:37] worries me a _lot_
[21:37] If you're doing this for fun, for learning, for personal use, great. It gets hacked, whatever.
[21:37] but it sounds like you have a deadline, which means someone is paying you to get this right
[21:38] so you should be appropriately conscientious about getting this right.
[21:41] Fieldy, geofft user3@server1:/home$ sudo ls user1/
[21:41] Desktop Documents Downloads Music nxclient_3.5.0-7_amd64.deb Pictures Public Templates Videos wget-log
[21:41] * Fieldy is confused
[21:41] user1 home is supposed to be encrypted
[21:42] you're running the command as root. you will be able to see any file anywhere
[21:42] i don't really understand the encryption you're using though, i only understand luks. so i can't say if an attacker would be able to see that information or not
[21:42] heh?
[21:42] this is how *it works*
[21:43] fieldy, please read the docs before commenting about it
[21:43] Fieldy: This isn't LUKS, please stop talking about LUKS.
[21:43] but I don't see the private folder
[21:43] so that use likely was not created using encrypted home
[21:43] user
[21:43] Quest: Yes, the encrypted directory is mounted by eCryptfs because that user has unlocked and mounted it.
[21:44] patdk-lap: I _think_ this is what you get if you encrypt your whole homedir and not just Private
[21:44] but I might be wrong there
[21:44] Quest: You should figure out how mounts work and what PAM is and how pam_ecryptfs fits in here.
[21:44] maybe, I don't use ecryptfs personally, just messed with it some
[21:45] Quest: I can't give you a proper explanation of all that in an IRC channel. I've given 2-hour lectures on that stuff before.
[21:45] but I do what fieldy does, luks on all my drives
[21:45] geofft, so if one user logs in, he has decrypted all the users' /homes?
[21:45] Quest: That's not what I said.
[21:45] Quest: You should figure out how mounts work and what PAM is and how pam_ecryptfs fits in here.
[21:46] if a user logs in, that user's home is decrypted for all to see, assuming permissions
[21:46] you mean. if the system is running, its mounted. ofcourse, so decrypted
[21:46] we are talking to a wall
[21:46] patdk-lap, in my case, the user1 was not logged in but user3 saw his home
[21:48] default permissions set on home folders don't allow that, encrypted or not
[21:49] convinced
[21:49] drwx------ 19 user1 user1 4096 Apr 7 22:15 user1
[21:50] the install was by user1 and chose to encrypt home
[21:50] user3@server1:/home$ sudo ls user1/
[21:50] Desktop Documents Downloads Music nxclient_3.5.0-7_amd64.deb Pictures Public Templates Videos wget-log
[21:50] patdk-lap, geofft any comment ^
[21:53] comment about what?
[21:53] you just ran ls as root, what did you expect?
[21:53] i thought even root cant go in encrypted homes
[21:53] if they aren't mounted
[21:54] hm
[21:54] i see. so if they are mounted. root can go in those?
[21:54] anyone can
[21:54] as I said above
[21:54] now i understand what geofft said
[21:54] patdk-lap, thanks
[21:55] for a server, it's generally pointless, as I see it for encrypted homes
[21:55] unless you want to use it for some semi-private storage space, that does not need to be used by normal server operations
[21:56] cause anything in it, won't be accessible to normal server stuff, unless the user is logged in
[21:56] or you auto-mount it
[21:59] Fieldy, you said no. well if shadow is replaced. so are passwords. so they have the password and can boot system.
[21:59] if a thief gets the HD, boots from live cd, replaces /etc/shadow file with his own. boots up. logs in as sudoer, changes all users' passwords, can he get into the encrypted /homes of users?
[22:01] patdk-lap, ok
[22:01] Quest: Why not try it?
[22:01] Backup /etc/shadow, make a new one, see what happens.
[22:02] geofft, are you saying it because you are unsure?
[22:03] No, I know the answer. I just want you to figure it out. :)
[22:03] I know the answer because I know _how_ /etc/shadow interacts with ecryptfs.
[22:03] please tell it
[22:03] And so I can figure out the answer from that base knowledge.
[22:03] No, dude, you're not paying me.
[22:04] ok. tell me yes/no. ill find out how
[22:04] I'm here to help you figure out how to answer questions on your own.
[22:04] If you're going to be demanding of volunteers, I'm not helping you.
[22:05] This is a development channel, not a paid contractor. If you want a paid contractor find one.
[22:06] Doing experiments like this is exactly how I learned the answer to every question you have asked so far in the past two days.
[22:06] I am happy to help you learn, but I'm not doing your homework for you.
[22:06] ..
[22:07] And honestly, if I told you "no", why should you possibly believe me?
[22:07] Are you willing to risk your job on the chance that some guy you've never met before understands ecryptfs?
[22:07] i trust people here. thats why
[22:07] like you, Pici and RoyK
[22:07] I don't even trust _myself_ to answer that question.
[22:08] k
[22:08] I have my guess, but if I had to do so on a real production system I'd do the experiment before guaranteeing the answer.
[22:08] So why don't you do that experiment and cut out the middleman?
[22:09] i did and couldnt get in. maybe i did it wrong
[22:09] thats why asking
[22:09] Why did it fail? Did you get any error message?
[22:09] and i couldnt find on google. on how .
[22:09] nop.
[22:09] no error message
[22:12] geofft, silenced?
[22:12] Dude, I'm doing three other things behind a bad internet connection
[22:13] What happens if you try to ecryptfs-mount the homedir?
[22:15] i am away from that system now. and i attached the HD again. re-replaced shadow
[22:15] geofft, can you tell me what might be wrong?
[22:51] <^Mike> How can I list which repositories have a given package available?
[22:52] ^Mike: apt-cache policy $package, or packages.ubuntu.com/$package
[22:52] geofft: Error: "Mike:" is not a valid command.
[22:53] ...
[22:53] I'm just going to call you "Carrot Mike" from now on.
[22:55] <^Mike> cool, thanks