/srv/irclogs.ubuntu.com/2013/07/05/#ubuntu-server.txt

mgw	Is there a way for a kvm instance to access its uuid or id?	00:17
thinknow	how to setup shell acounts(are putting together an botnet) on my ubuntu 12.10 server ? (-just installed it, regular installation with lvm encryption though)	00:19
adam_g	zul, no, thats just the src package	00:34
zul	adam_g: k	00:34
twb	debsecan "works" on Ubuntu, but it gives false positives for fixes in the M of -NubuntuM.	01:01
twb	Is there something like debsecan, that talks to launchpad?	01:01
twb	Plan B is to get my PFY to check, \forall CVEs debsecan reports, does /usr/share/doc/foo mention it (and if so, take no action).	01:02
gartral	hey all, I hosed grub on my server and need to recover, I've managed to boot the system, but I need a perma-fix	01:45
twb	http://cyber.com.au/~twb/snarf/extlinux.txt	01:51
codepython777	Is there a faster way than this : ping -n 1 -w 100 IP4v : For knowing if my server is up?	02:13
twb	ITYM -c1	02:17
twb	But not really. You might want nagios or nmap or something.	02:18
codepython777	twb: -c is not there on my ping for some reason	02:24
codepython777	also, ping seems to be unreliable for detecting a machine is up or not...sometimes -c 1 does not work?	02:24
twb	Shrug.	02:24
Patrickdk	define, faster	02:30
Patrickdk	cause what your specified I would not consider fast at all	02:30
Pici	I vaugely remember there being a netcat argument that could quickly tell if a target was up or not.	02:30
Patrickdk	and if your ping doesn't have -c, your not using ubuntu	02:30
twb	Pici: well if you're testing e.g. for ssh, you can nc example.net ssh, with a timeout	02:31
roasted_	hello friends	02:50
=== roasted_ is now known as roasted
roasted	is there a way to cron rsync to run every 5 minutes without having 6,000 entries in crontab?	02:50
Patrickdk	yep	02:54
Patrickdk	you did read the cron manual right?	02:54
Patrickdk	second thing, you won't want to put rsync in cron anyways, cause then you could startup two copies of rsync, and well, rsync doesn't like that	02:55
mardraum	man 5 crontab is all you need	02:55
roasted	a few times. evidently I missed something.	02:55
Patrickdk	/5 * * *	02:55
roasted	Patrickdk: have you ever used lsyncd? I might look into that instead.	02:55
Patrickdk	personally, I use bash	02:55
roasted	bash, as an alternative to lsyncd?	02:56
Patrickdk	to wrap rsync	02:56
roasted	ah	02:56
Patrickdk	or perl	02:56
roasted	I understand lsyncd watches for file system changes and rsyncs the data accordingly.	02:56
roasted	I thought that would be kind of neato, but I'm not sure what kind of cons that setup would come with.	02:56
Patrickdk	why would it use cron?	03:00
roasted	lsyncd wouldn't use cron	03:01
roasted	I was looking into a continual rsync and came across lsyncd just a minute ago	03:02
=== DaIRCKing is now known as GTAXL
twb	Patrickdk: you could wrap rsync with lockfile-progs, though running it every five minutes is a bit excessive	03:19
Patrickdk	excessive?	03:28
Patrickdk	I used to run it every 20seconds :)	03:28
Patrickdk	over a 8gig maildir	03:29
twb	I guess you had enough RAM to cache all the dirents	03:29
Patrickdk	yep	03:29
Patrickdk	that first rsync would take a good 3min or so	03:29
twb	But at that point I would instead just use a while :; do rsync ...; done loop or something, rather than cron jobs	03:30
twb	Or for maildir specifically, something maildiry like offlineimap	03:30
Patrickdk	well, this was just a loop like that yes, with a 20sec sleep	03:30
twb	Righto	03:30
Patrickdk	well, offlineimap wouldn't work	03:30
Patrickdk	it wasn't clean enough	03:30
twb	k	03:30
Patrickdk	this was my first attempt, and it worked well for several years	03:30
Patrickdk	multi-master mailservers in multible datacenters	03:31
twb	What do you do now, drbd?	03:31
twb	Or some magic in dovecot	03:31
Patrickdk	well, I would use dsync if I cared	03:32
Patrickdk	but the internet has been much better than it was back then	03:32
Patrickdk	back them, I would constantly randomly loose routing paths to one or another dc	03:32
Patrickdk	local isp's fault	03:32
twb	swap in a new ISP	03:32
twb	...with prejudice	03:33
Patrickdk	wasn't an option	03:33
Patrickdk	when you can only pick from 2	03:33
Patrickdk	and the other was 30x the price, much more than they where willing to pay	03:33
twb	We still had a quarter of our /24 reserved for staff dial-in pstn modems, until like 2008	03:33
Patrickdk	servers in two other dc's where not even 1/3 that price	03:33
twb	maybe 2010 even... whenever I took over	03:34
twb	That is, staff connecting directly to us because ISPs didn't exist yet	03:34
roasted	lsyncd is proving to be a headache.	03:39
roasted	I somehow made it work from laptop to server, but the goal is to go from server 1 to server 2. It keeps failing saying the host verification key failed, yet regular rsync works without keys since SSH keys are set up.	03:39
twb	roasted: running it as different users?	04:10
roasted	tried my regular user and root	04:10
twb	host verification failure is usually a result of known_hosts having different data in it, or running in -oBatchMode=yes and not having the existing entry	04:10
roasted	if I run rsync manually it works fine	04:10
roasted	if I let lsyncd do it, it tanks	04:10
twb	I dunno about lsyncd, sorry.	04:11
roasted	I'm looking at the log file pulling my ahir out because it looks perfect	04:11
twb	But maybe lsyncd can't access your ssh agent?	04:11
roasted	I suppose. I'm not sure.	04:11
twb	Is it using passphraseless SSH keys for auth?	04:12
twb	Also run it with LC_ALL=C and tell me the exact error message	04:12
roasted	I have ssh keys set up. I have no idea if it's seeing it properly.	04:16
roasted	for now I just set up rsync to run.	04:16
twb	Are the passphraseless?	04:16
roasted	probably not a good idea for me to troubleshoot half lit up and tired as can be. :P	04:16
roasted	well, when I ssh to the server I get no PW prompt, so yea.	04:16
codepython777	curl -k -X HEAD -i https://website -- hangs after printing the head- any ideas why?	04:26
=== thumper is now known as Guest68473
=== lau is now known as Guest1831
=== ffio is now known as Guest45788
=== Tm_T is now known as Guest51964
=== shirgall is now known as Guest42483
=== Guest1831 is now known as 21WAA4HKQ
=== Ursinha is now known as Guest36665
twb	WFM.	04:28
=== Nigel_ is now known as G
=== Guest68473 is now known as thumper
=== thumper is now known as Guest83673
codepython777	how do i measure the total number of bytes sent/received by a particular command?	04:33
=== _thumper_ is now known as thumper
=== gartral\|away is now known as gartral
=== moonligh- is now known as moonlight
=== ivoks_ is now known as ivoks
=== _KaszpiR__ is now known as _KaszpiR_
=== acidflash__ is now known as acidflash
jamespage	smb: looking at iscsitarget right now	08:00
=== klaas_ is now known as klaas
jamespage	Daviey, everything is built in havana-proposed now	08:12
jamespage	shall I promote to updates?	08:12
=== acidflash__ is now known as acidflash
=== smb` is now known as smb
=== tsimpson_ is now known as tsimpson
sanderj_	What do I do when fsck /dev/sdb1 returns only the version number. and when I go into the dir I get: ls: reading directory .: Input/output error	08:26
apw	sanderj_, i would look in dmesg and see if the drive is even present, also fsck on a mounted filesystem is a no-no unless it is r/o and even then not recommended	08:28
=== ejv_ is now known as ejv
sanderj_	apw, scsi0: ERROR on channel 0, id 1, lun 0, CDB: Read (10) 00 12 c1 ad 4f 00 00 08 00, Info fld=0x12c1cd8f, Current sdb: sense key Medium Error	08:29
apw	medium error, this means physical issues	08:29
sanderj_	apw, ok, thanks.	08:30
jamespage	adam_g, what do you think about a feature for the nova-compute charm that allows you to suckup disks and mount them on /var/lib/nova/instances	08:56
jamespage	right now they always sit on the OS disk by default	08:57
jamespage	this would allow extra disks in servers to provide ephemeral storage	08:57
jamespage	smb, just uploaded a new version of iscsitarget - should be OK now	08:57
jamespage	when the patches landed upstream the whitespace/tabbing in the compat patches got fixed up	08:58
smb	jamespage, Ok, I will get it downloaded as soon as it shows up and make the machine that failed verify it	08:58
jamespage	smb, I tested it on a 3.5 12.04 machine and it looks OK	09:00
smb	jamespage, ok, well the machine that exploded was a saucy one but just happened to get upgraded from 3.9 to 3.10 kernel at the same upgrade run	09:01
smb	(not that I can repeat that exactly)	09:01
=== jibel_ is now known as jibel
=== virusuy is now known as Guest73883
=== virusuy is now known as Guest51645
=== henkjan_ is now known as henkjan
phretor	hi, does this kernel build http://packages.ubuntu.com/precise/linux-image-server has the CONFIG_ROOT_NFS=y?	10:06
zatricky	Hi, all. I updated my personal server at home last night from 12.10 to 13.04 - the upgrade went smoothly except that the new kernel (3.8) doesn't finish booting. There are no clues given except for an error saying "Timed out", and "Dropping to a shell".	10:27
zatricky	The server runs off a 60GB Intel SSD with btrfs - which works without any issue with the previous kernel (3.5)	10:28
zatricky	I've done a lot of googling but I'm not seeing much info relevant either to btrfs or simply "Timed out" in relation to the a boot process failure :-/	10:29
foo357	Hello. I've had some trouble with cron-anacron recently, I'm fairly new to it.	11:39
=== funkyHat_ is now known as funkyHat
foo357	However I think I've found the answer: http://askubuntu.com/questions/92322/time-of-execution-of-daily-anacron-job	11:40
foo357	the solution is to make cron start anacron every hour. But the suggested edits to the crontab file seems a bit flawed.	11:42
foo357	01 0 * * * root start -q anacron \|\| :	11:43
foo357	@hourly root start -q anacron \|\| :	11:43
foo357	If I'm reading this correctly these two lines are equivalent and just uses a bit different syntax.	11:43
foo357	so only one of them would be needed really.	11:44
foo357	can anyone confirm if I'm right or wrong?	11:44
zatricky	foo357 - correct, seems a bit strange to have two entries that do the same thing at the same time	11:45
foo357	thanks for the response zatricky.	11:51
=== huats_ is now known as huats
Teduardo	okay i've figured out that if i interrupt the boot process by holding shift and then select ubuntu advanced and then tell it to boot normally the console works	13:28
sebrock	I'm having trouble gettin L2TP tunnel to work with xl2tpd. It just sits there. No error messages, nothing. Can someone please help me?	13:40
=== Guest79110 is now known as JanC
=== JanC is now known as Guest3754
=== Guest3754 is now known as JanC
=== Guest51964 is now known as Tm_T
=== Guest14422 is now known as remix_tj
=== Guest28536 is now known as ahasenack
=== wedgwood_ is now known as wedgwood
hallyn_	stgraber: I'm going to have to have lxc-start check whether it is already in a subdir of /sys/fs/cgroup/$d/lxc/$container and do nothing if so	15:24
hallyn_	stgraber: it gets a bit hacky, but with new kernel restrictions it seems the only way to keep the mountcgroups hook usable	15:25
hallyn_	just fyi	15:25
stgraber	hallyn_: ok, does that mean that a nested container will essentially end up in the same cgroup as its parent (instead of its own sub-entry)?	15:28
hallyn_	no	15:29
hallyn_	it may be that doubly nested containers won't work any more - i haven't thought thruogh whether that's fixable yet	15:29
resno	i have 2 vms behind a pfsense firewall, both configured the same. one can ping an ip the other cant... any suggestions?	15:40
resno	both ubuntu 10.04	15:40
sindri	Ok, I'm still having problem running vsftpd on my server; getting "530 Non-anonymous sessions must use encryption." My config looks like this: http://paste.ubuntu.com/5846998/ and my user config like this: http://paste.ubuntu.com/5847003/ any help would be welcome. Thanks!	15:41
Free99	hey everyone. Trying to figure out how to use the "remember" option in PAM for the pam_unix.so module	17:08
Free99	there apparently used to be a package called "pam_pwhistory" but it doesn't exist any longer for 12.04	17:08
=== Guest82953 is now known as Corey
Free99	(shrug) ok then	17:15
=== Guest14861 is now known as maxb
Vec_	Hi. <- learning newbie. Just about to install LAMP-stack on my server. Should i also install a webbased adminpanel like cPanel or ISPConfig3, or simply take my time and config it through a ssh? - what are you guys' reccomendations?	17:18
Vec_	Basically at first i just want my box to serve webpages securly, then my goal is to host various java applets im programming for school.	17:19
jpds	Vec_: You're going to learn a lot more via SSH.	17:19
Pici	Vec_: The only web-based front end that I personally find useful is phpmyadmin (or phppgadmin), anything else is probably overkill.	17:19
sarnold	Vec_: strongly recommend against web-based configuration panels. (a) they are very often used by hackers to gain access to systems, since their code quality is usually very poor (b) they get in the way of doing the configuration yourself -- it's like wearing boxing gloves with everything you do. I dislike them. Intensely. :)	17:19
Vec_	hehe	17:19
jpds	sarnold: Including boxing?	17:20
Vec_	Ok, well im settled then. SSH it is.	17:20
Pici	Also, I usually leave them disabled unless I'm actively working with them.	17:20
Vec_	jpds: lol	17:20
sarnold	jpds: lol :)	17:20
Vec_	Tbh i've gotten really far in 1 week. From 0% knowledge of linux to now having a server sharing files, running automated backup, sharing a printer -- all configured as restrictive as my brain find logical and whatnot HOWTOs and ubuntu docs tell me	17:21
Vec_	Its really really fun ^^	17:21
maxb	The other massively useful thing about doing configuration in textual configuration files is that you can put them under version control, and have an audit trail, notes about why you changed things, and a way to roll back when things go wrong	17:21
sarnold	Vec_: cool :) I'm glad it's fun :)	17:22
Vec_	maxb: That sounds like something i should google.. not sure if i can handle the added complexity of learning version control (however that works) together with configing the LAMP stuff	17:22
jpds	Vec_: sudo apt-get install etckeeper	17:22
jpds	Vec_: https://help.ubuntu.com/12.04/serverguide/etckeeper.html	17:23
enraged	maxb: I just joined in the middle of this conversation, but if I launch a GUI program that makes modifications to a config file, doesn't the user who launched the GUI program be recorded as the person who edited the text file, just as if they'd done it with a standard text editor?	17:24
Vec_	jpds: "By default, etckeeper will commit uncommitted changes made to /etc daily" what exactly does this mean?	17:24
maxb	The context of the conversation involved ssh vs. web admin tools	17:24
enraged	Ah ok	17:25
enraged	I apologize	17:25
maxb	np	17:25
jpds	Vec_: It'll do a daily commit of changes on its own.	17:25
enraged	If we're discussing SSH atm in here, is there anyone using Ubuntu 10.04 that has managed to get multi factor authentication working with OpenSSH?	17:25
Vec_	Please define commit. Also, if i make changes to a config file in /etc then i save it staight away (pretty sure im missing the target at this point? :p)	17:25
enraged	I'm specifically involving ssh keys here	17:26
enraged	An important detail missed out.	17:26
jpds	enraged: I always use SSH keys, everywhere.	17:26
jpds	Vec_: Commited into the version control.	17:26
Vec_	jpds: As in logged? (will continiue to read now..)	17:26
thinknow	easiest app to make an shell account on my server?	17:26
jpds	Vec_: If you just save the file, the change isn't yet in the version control system until you commit it into it.	17:26
enraged	jpds: Do you use mfa aswell?	17:26
jpds	enraged: No.	17:26
enraged	jpds: Aw damn.	17:27
sarnold	thinknow: adduser(8)	17:27
Vec_	jpds: Ah ok, so if i change stuff, notice i fubar'd it, then i can roll it back before its committed?	17:27
jpds	Vec_: Yes, and even after it's commited.	17:27
Vec_	well that sounds very nice	17:27
thinknow	sarnold, but i mean shell account so i can add process like irc	17:27
thinknow	dont remember the name	17:28
enraged	jpds: I've been trying to get totp codes to be required as a secondary authentication method to an ssh key, but as far as I can tell PAM is required to do that and when you use an SSH key it bypasses PAM	17:28
jpds	enraged: If they steal your private SSH key, you have other issues.	17:28
enraged	jpds: Yeah, my concern is the laptop I use to remotely admin being hacked, the private key file being stolen and the laptop being keylogged so they know the passphrase to decrypt the file.	17:29
enraged	jpds: So yeah, totp codes generated by a phone or something else as secondary authentication, because they'd then need to hack the phone aswell	17:29
jpds	enraged: Welcome to the world of paranoia. Encrypt your /home directory on the laptop.	17:30
enraged	jpds: Oh man! I wish I could, but the circumstances I'm in, the laptop is Windows 7.	17:30
sarnold	enraged: see if this helps: https://www.duosecurity.com/docs/duounix	17:30
enraged	jpds: So yeah, now you understand why I'm so nervous XD	17:30
Free99	anyone know how I can enable the "remember" option in PAM?	17:30
enraged	sarnold: Thanks. I remember annoying you about this a while back.	17:30
Free99	I'm not clear on how to do it	17:30
sarnold	enraged: yes, and I remember being very annoyed that I didn't completely understand opeenshd at the time :)	17:31
enraged	sarnold: No problem man; It's what, a month later, and I still haven't figured this one out.	17:31
jpds	enraged: You can still encrypt things on Windows (truecrypt and co.).	17:32
enraged	jpds: Oh yes, but the private key file is stored on a usb stick anyways seperate from the laptop.	17:32
sarnold	Free99: pam_cracklib's "similar" might do it?	17:32
enraged	jpds: So the win7 laptop itself isn't the concern, just a keylogger and filestealer being installed.	17:32
=== Vec_ is now known as Vec_brb
sarnold	enraged: man :/ you think this would be easier..	17:32
Free99	enraged: what about using libpam-oath?	17:33
enraged	sarnold: I talked to the guy who wrote the sirc protocol yesterday and mentioned this to him. Didn't believe me so he logged onto his test server, spent 10 minutes playing arond and came back giving me a puzzled look.	17:33
Free99	sarnold, i'll take a look thanks	17:33
sarnold	enraged: hahah :)	17:34
sarnold	enraged: well, at least I'm not the only one then	17:34
mgw	I have a firstboot script in rc.local (I used vm-builder). How can that script cause a reboot?	17:34
sarnold	that makes me feel a touch better :)	17:34
enraged	free99: Whole problem here is you can't use PAM	17:34
sarnold	mgw: by calling /sbin/reboot ?	17:34
mgw	Simply rebooting aborts rc and the firstboot flag never gets set	17:34
mgw	so it repeats the reboot after every boot	17:34
jpds	mgw: Nice.	17:34
Free99	but enraged, sshd authenticates against pam	17:35
sarnold	ah :) good luck ;)	17:35
sarnold	Free99: only for passwords..	17:35
mgw	sarnold, jpds: I guess I can set the firstboot flag manually	17:35
jpds	mgw: Store that you've firsted boot in a file and check if that file exists before you reboot?	17:35
sarnold	Free99: if you use keys, it bypasses pam entirely :/	17:35
enraged	free99: Only when you use passwords. When you use SSH keys, it bypasses PAM for auth, so you can't use any pam modules.	17:35
Free99	hum.	17:36
enraged	hum indeed	17:36
mgw	jpds: thanks, that's what the rc.local script does, but the firstboot.sh was exiting before it got there. SHould have it fixed now	17:37
Free99	enraged, would this help? think about the possibilities: http://jpmens.net/2006/03/02/ssh-public-keys-from-ldap/	17:37
jpds	enraged: You could just set up a firewall so that the server only allows access to sshd from your IP address.	17:38
Free99	enraged, the idea isn't the LDAP part, its more the fact that the patch allows you to connect via ssh through seeing you have a user account via PAM, then checking the key against...well, whatever you want	17:39
Free99	could potentially be a file or a stupid script or w/e you want	17:40
enraged	I'll have to read more into this; it's the first time I've seen this post.	17:40
jpds	enraged: LDAP doesn't slove your problem.	17:41
enraged	It's close to a suggestion I recieved by the sounds of it, where we would have a key server that I logged into with a password and otp code, then from that key server, log onto the other servers	17:41
enraged	Yeah, I'll have to read it more.	17:42
enraged	I've never heard of LDAP before.	17:42
enraged	How bad is that?	17:42
jpds	"bad" ?	17:42
enraged	Well, OpenSSH is something every sysadmin show know about...	17:42
Free99	enraged: it's got a steep learning curve. it's the tech that microsoft borrowed to make active directory	17:42
enraged	By comparison, LDAP is....?	17:42
Free99	basically a database of user accounts and stuff	17:42
enraged	hrm, ok	17:43
Free99	update in one place, updated everywhere	17:43
enraged	Just to be clear, purely focused on user management or is this just a general file syncing service?	17:43
jpds	enraged: User management.	17:44
enraged	Ok	17:44
jpds	enraged: But you can store other things in it.	17:44
Free99	enraged, what service provider do you have?	17:44
Free99	for your cell	17:44
enraged	British Telecom	17:45
Free99	enraged, do you know what BT's sms gateway is?	17:48
enraged	No...	17:48
enraged	Sorry, you've gone off on a tangent here; what are we/you trying to do?	17:48
Free99	enraged, if you want to replicate Google's OTP thing, I was thinking you'd have that pam plugin make the OTP and you can essentially "email it to your phone" via sms	17:50
Free99	in the US, if you want to send a text to your phone, depending on your service provider (mine is AT&T) you email "<phone number>@wap.att.net" and it shows up as a regular text	17:51
sarnold	Free99: but PAM isn't available if you're doing ssh authorized_keys :/	17:52
Free99	sarnold, unless he uses that patch I just linked him	17:52
sarnold	Free99: jpmen's ldap-thingy?	17:52
Free99	yeah. the LDAP is totally PAM-based	17:52
sarnold	aha :)	17:52
enraged	Free99: Oh, I understand!	17:52
enraged	Free99: One second.	17:53
Free99	oh dang. the link to the patch is dead	17:53
Free99	oh wait! github to the rescue!	17:54
Free99	https://github.com/rfay/OpenSSH-LPK	17:54
enraged	Free99: Ok, so at the moment, I have an app on my phone (Android) that produces the TOTP codes without contacting the server I'm connecting to. The problem is, how do I get the SSHd server to request the second authentication method, of the totp code, and then compare it against the PAM module which will confirm or declare false the code entered.	17:55
jpds	Free99: You do realize using a hacked up version of OpenSSH like that is going to be a security nightmare in the long term?	17:55
enraged	Free99: The PAM module is supposed to initiate after a succesful password login that then waits for the user to enter the TOTP code before giving Shell	17:55
enraged	jpds: At the moment, this is more technical curiosity.	17:56
enraged	jpds: If it can just be done I'll be happy.	17:56
Free99	jpds, yeah.. I know. But how can I trust anyone tbh? Just because the repos are canonical maintained, doesn't mean they're always trustworthy. Even kernel.org... http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/	17:56
jpds	Free99: No, I meant more like having to compile and update OpenSSH by hand every time an update comes out in precise-updates.	17:57
=== Guest41538 is now known as mist
Free99	jpds, perhaps enraged will become a repo contributor... that's how it starts right?	17:58
enraged	BWA HA HA	17:58
Free99	openssh-server-lpk? lol	17:58
enraged	Free99: I think you're overestimating my capabilities	17:58
Free99	enraged, that's on you bro haha	17:59
Free99	anyhow I'm enjoying my 5th of july off. Gonna hit the pool. see you guys! and good luck	17:59
enraged	See ya man	17:59
sarnold	enraged: the duo-security thing looks like an unfortunate hack the way it's implemented, but a pal who I trust uses it, so perhaps the caveats are worth it :)	18:00
mgw	Free99: upstream has AuthorizedKeysCommand directive for ssh	18:00
enraged	Sarnold: Yeah I'll have to give it a proper look later.	18:01
enraged	I don't think Free99's ldap proporsal really solves the problem; it looks very similair to a certificate authority	18:02
=== wizonesolutions_ is now known as wizonesolutions
sarnold	enraged: he is only suggesting it because it patches sshd to use the PAM stack before doing ssh keys	18:04
sarnold	enraged: the ldap is just a side effect	18:04
sarnold	.. and probably one you can ignore	18:04
enraged	ok	18:05
enraged	I think I'm starting to get a bit closer to fully understanding why he wanted to do this now then :p	18:05
enraged	I'll be reading through the duo security manual though before I decide which to try first	18:06
sarnold	enraged: I'd also like to suggest against running a patched sshd :)	18:07
sarnold	it's fragile code.	18:07
sarnold	or, it has a long history of being fragile..	18:08
enraged	Yeah, probably the main reason I am going to put my hope in your duo security suggestion...	18:08
enraged	If this doesn't work, I'll come back and annoy you some more with the forcecommand issue...	18:09
sarnold	:)	18:09
enraged	Sarnold: You have so much fun to look forward to!	18:09
sarnold	hehe	18:09
thinknow	someone have an idea how to connect my server trough tor/vidalia ?	18:20
thinknow	i have tried some tutorials, but cant find any apps that make this job easy or stable	18:21
sarnold	thinknow: I think what you're looking for is tor onion addresses. maybe ask in #tor on irc.oftc.net.	18:22
thinknow	ok i will look it up:)	18:23
thinknow	thank you	18:23
=== royk is now known as RoyK
=== RoyK is now known as rOYk
sandprickle	I've been trying for hours to get Nginx+php fpm working to no avail. Precise. Nginx 1.4.1 from the Nginx repo. All other packages from ubuntu repos. What might I be missing?	18:41
sarnold	sandprickle: anything in hte logs?	18:42
sandprickle	yeah: 2013/07/05 14:34:22 [crit] 25963#0: *1 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: localhost, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"	18:43
sandprickle	file permissions?	18:43
rOYk	smells like PEBKAC	18:47
sarnold	sandprickle: could be; what ar ethe permissions on /var/run/php5-fpm.sock? does the nginx process owner have privileges to talk with thatsocket?	18:52
sandprickle	www-data owned /var/run/php5-fpm.sock; did chown nginx:www-data /var/run/php5-fpm.sock; now I get a different error..	18:58
sarnold	yeah don't change the ownership of the socket... the fpm runner should own it, it provides the socket after all :)	18:59
sandprickle	Yeah, that didn't work. added nginx to the www-data group. now getting this: 2013/07/05 15:01:15 [error] 26598#0: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 127.0.0.1, server: localhost, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"	19:02
sarnold	TheLordOfTime: ^^^ :)	19:02
* TheLordOfTime looks		19:03
TheLordOfTime	sarnold: you did poke me at a bad time though	19:03
* TheLordOfTime was beating an nginx FTBFS		19:03
sarnold	TheLordOfTime: d'oh :)	19:03
TheLordOfTime	sandprickle: pastebin your conf	19:04
sandprickle	sure thing	19:04
sandprickle	it's in multiple files... multiple pastes or just one (pastebin n00b)	19:06
sandprickle	nginx.conf: http://pastebin.com/9WCkccyt conf.d/dev.conf: http://pastebin.com/9SmR5Y9X fastcgi_params: http://pastebin.com/sTprY17D	19:10
sandprickle	TheLordOfTime: ^^	19:10
=== blkperl_ is now known as blkperl
sandprickle	/etc/php5/fpm/pool.d/www.conf: http://pastebin.com/PxVz0JUy /etc/php5/fpm/php.ini: http://pastebin.com/D3AjBb4L	19:14
TheLordOfTime	sanderj_: sorry i'm like jugging a billion things	19:24
* TheLordOfTime looks now		19:24
TheLordOfTime	erm	19:25
TheLordOfTime	sandprickle: ^	19:25
sandprickle	no worries. #nginx woke up now anyway.	19:26
TheLordOfTime	sandprickle: yes they did	19:26
TheLordOfTime	having said that i see a few pitfalls	19:26
Vec_brb	On my apache server, i have java.html with 004 permissions. If the file is owned by root user and root group, i can view the file in my browser. If www-data group owns the file, i get permission denied. How come? o.O	19:48
sarnold	Vec_brb: permissions are checked in the order of user, group, world	19:48
sarnold	Vec_brb: when the web server owns the file, the first check finds '0', and returns forbidden	19:49
Vec_brb	Oh, derp..	19:50
Vec_brb	In other words, im denying the owner of content in displaying it to my browser?	19:50
=== Vec_brb is now known as Vec_
Vec_	Yeah, i could make www-data the owner group and give that group read permissions with everyone else at 0 and it works. I assume this is because its the www-data group that is because my user which is in www-data is responsible for serving the site	19:53
sarnold	Vec_: yes, and worse, if your web server is compromised, it'd be easy for the file permissions to be set back to allowing the server to write the file, and then changes be made ot your website content in a persistent fashion	19:53
sarnold	Vec_: web servers shouldn't own any of the content they serve -- their only write privileges should be their log files, database and fast-cgi-like sockets	19:54
Vec_	sarnold: Ok. So best practice is having no owners on the files with 004 permissions ?	19:55
sarnold	Vec_: well, make sure www-data doesn't own any more files than necessary; 004 is another matter (it's overkill, and perhaps counter-productive..)	19:56
=== james_ is now known as Guest8292
Vec_	There is only one user in www-data, me (the server superuser?), i don't see why it would be bad for effectivly me to own the files in my webdirectory.. I'm 100% new at this linux stuff, and i just installed LAMP so im kinda fumbeling atm >..<	19:59
Vec_	I mean, does it matter when i can control the permissions anyway. And if my user is compromised then im fubared anyway	20:00
sarnold	Vec_: on the one hand, you're right, if the servre gets compromised you're better off re-building from backups	20:00
sarnold	Vec_: but business demands sometimes means fixing the iimmediate problem and getting back to business while you rebuild a new machine	20:01
Vec_	sarnold: Thanks for making me understand what happened on my original question. Other than that i feel like you are replying with knowledge way outside my league at this point in time. Im just a random student who installed linux a week ago and now i have this awsome server up and running with some basic services like printersharing/filesharing/automated backup and now this LAMP server.	20:03
Vec_	I should probably just read a whole lot more HOWTOs and documentation instead of conversing in this channel on a level i dont yet fully comprehend ^^	20:03
Vec_	I was kinda apprehensive about installing LAMP tho as it exposes me so much (i assume) to the net.. Therefore i think i should read more to limit my exposure and get the permissions and fileownership right (and understand it too)	20:04
sarnold	Vec_: heh, fair enough, just mark down that you'll want to ask me about it again in another six months or osmething :)	20:06
sarnold	I've got a nice rant written about it somewhere..	20:06
Vec_	^-^	20:07
uvirtbot	Vec_: Error: "-^" is not a valid command.	20:07
Vec_	Hm, i should probably only installed apache, considering i really just want to serve static pages with java applets i program for school	20:08
=== rOYk is now known as RoyK
=== pgraner` is now known as pgraner
=== ppetraki_ is now known as ppetraki
=== Guest36200 is now known as jrgifford_
hallyn_	stgraber: are you by any chance around with a few minutes to look at an ugly lxc patch?	22:53
hallyn_	(if so, http://people.canonical.com/~serge/0011-cgroup-hook-handle-stricter-kernel - else, i'll test some more and push to saucy and post to list)	22:55
stgraber	hallyn_: +INFO("XXX checking subsystem %s against string devices len %d", cg->subsystem, len);	23:03
stgraber	hallyn_: did you mean for those three INFO to stay there? the XXX looks like a temporary thing	23:03
stgraber	hallyn_: besides that, as ugly as it's, it looks fine	23:05
hallyn_	i kind of wonder if we went ahead and setup all the cgroups first, then ran hooks, then entered cgroup at very end, if that would be better overall	23:08
hallyn_	meanwhile upstream git has diverged there from saucy's pkg... already split up the devices setup a bit	23:08
hallyn_	still, this is passing tests	23:09
hallyn_	stgraber: you've told me before, but can't find it in my irc logs - were you planning on merging upstream git in july?	23:10
hallyn_	well really the clean solution will be "if you want nesting, use user namespaces and the cgroup management agent." <shudder>	23:13
stgraber	hallyn_: I've been pretty busy with other things but I think we should try and get an alpha release done upstream in early August, then use that for saucy	23:24
stgraber	hallyn_: what we end up shipping with in saucy I don't really care much about, it's a non-LTS release with a 9 months support period, so as long as it's fairly recent and it works...	23:25
hallyn_	stgraber: sounds good.	23:32
thinknow	lol question, but command in ubuntu server for starting ftp host ?	23:32
sarnold	thinknow: apt-get install vsftpd, edit the configuration as necessary, then 'service vsftpd start' ought to do it	23:35
thinknow	ok thnx	23:36

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!