[00:17] <mgw> Is there a way for a kvm instance to access its uuid or id?
[00:19] <thinknow> how to setup shell acounts(are putting together an botnet) on my ubuntu 12.10 server ? (-just installed it, regular installation with lvm encryption though)
[00:34] <adam_g> zul, no, thats just the src package
[00:34] <zul> adam_g:  k
[01:01] <twb> debsecan "works" on Ubuntu, but it gives false positives for fixes in the M of -NubuntuM.
[01:01] <twb> Is there something like debsecan, that talks to launchpad?
[01:02] <twb> Plan B is to get my PFY to check, \forall CVEs debsecan reports, does /usr/share/doc/foo mention it (and if so, take no action).
[01:45] <gartral> hey all, I hosed grub on my server and need to recover, I've managed to boot the system, but I need a perma-fix
[01:51] <twb> http://cyber.com.au/~twb/snarf/extlinux.txt
[02:13] <codepython777> Is there a faster way than this : ping -n 1 -w 100 IP4v  : For knowing if my server is up?
[02:17] <twb> ITYM -c1
[02:18] <twb> But not really.  You might want nagios or nmap or something.
[02:24] <codepython777> twb: -c is not there on my ping for some reason
[02:24] <codepython777> also, ping seems to be unreliable for detecting a machine is up or not...sometimes -c 1 does not work?
[02:24] <twb> Shrug.
[02:30] <Patrickdk> define, faster
[02:30] <Patrickdk> cause what your specified I would not consider fast at all
[02:30] <Pici> I vaugely remember there being a netcat argument that could quickly tell if a target was up or not.
[02:30] <Patrickdk> and if your ping doesn't have -c, your not using ubuntu
[02:31] <twb> Pici: well if you're testing e.g. for ssh, you can nc example.net ssh, with a timeout
[02:50] <roasted_> hello friends
=== roasted_ is now known as roasted
[02:50] <roasted> is there a way to cron rsync to run every 5 minutes without having 6,000 entries in crontab?
[02:54] <Patrickdk> yep
[02:54] <Patrickdk> you did read the cron manual right?
[02:55] <Patrickdk> second thing, you won't want to put rsync in cron anyways, cause then you could startup two copies of rsync, and well, rsync doesn't like that
[02:55] <mardraum> man 5 crontab is all you need
[02:55] <roasted> a few times. evidently I missed something.
[02:55] <Patrickdk> */5 * * * *
[02:55] <roasted> Patrickdk: have you ever used lsyncd? I might look into that instead.
[02:55] <Patrickdk> personally, I use bash
[02:56] <roasted> bash, as an alternative to lsyncd?
[02:56] <Patrickdk> to wrap rsync
[02:56] <roasted> ah
[02:56] <Patrickdk> or perl
[02:56] <roasted> I understand lsyncd watches for file system changes and rsyncs the data accordingly.
[02:56] <roasted> I thought that would be kind of neato, but I'm not sure what kind of cons that setup would come with.
[03:00] <Patrickdk> why would it use cron?
[03:01] <roasted> lsyncd wouldn't use cron
[03:02] <roasted> I was looking into a continual rsync and came across lsyncd just a minute ago
=== DaIRCKing is now known as GTAXL
[03:19] <twb> Patrickdk: you could wrap rsync with lockfile-progs, though running it every five minutes is a bit excessive
[03:28] <Patrickdk> excessive?
[03:28] <Patrickdk> I used to run it every 20seconds :)
[03:29] <Patrickdk> over a 8gig maildir
[03:29] <twb> I guess you had enough RAM to cache all the dirents
[03:29] <Patrickdk> yep
[03:29] <Patrickdk> that first rsync would take a good 3min or so
[03:30] <twb> But at that point I would instead just use a while :; do rsync ...; done loop or something, rather than cron jobs
[03:30] <twb> Or for maildir specifically, something maildiry like offlineimap
[03:30] <Patrickdk> well, this was just a loop like that yes, with a 20sec sleep
[03:30] <twb> Righto
[03:30] <Patrickdk> well, offlineimap wouldn't work
[03:30] <Patrickdk> it wasn't clean enough
[03:30] <twb> k
[03:30] <Patrickdk> this was my first attempt, and it worked well for several years
[03:31] <Patrickdk> multi-master mailservers in multible datacenters
[03:31] <twb> What do you do now, drbd?
[03:31] <twb> Or some magic in dovecot
[03:32] <Patrickdk> well, I would use dsync if I cared
[03:32] <Patrickdk> but the internet has been much better than it was back then
[03:32] <Patrickdk> back them, I would constantly randomly loose routing paths to one or another dc
[03:32] <Patrickdk> local isp's fault
[03:32] <twb> swap in a new ISP
[03:33] <twb> ...with prejudice
[03:33] <Patrickdk> wasn't an option
[03:33] <Patrickdk> when you can only pick from 2
[03:33] <Patrickdk> and the other was 30x the price, much more than they where willing to pay
[03:33] <twb> We still had a quarter of our /24 reserved for staff dial-in pstn modems, until like 2008
[03:33] <Patrickdk> servers in two other dc's where not even 1/3 that price
[03:34] <twb> maybe 2010 even... whenever I took over
[03:34] <twb> That is, staff connecting directly to us because ISPs didn't exist yet
[03:39] <roasted> lsyncd is proving to be a headache.
[03:39] <roasted> I somehow made it work from laptop to server, but the goal is to go from server 1 to server 2. It keeps failing saying the host verification key failed, yet regular rsync works without keys since SSH keys are set up.
[04:10] <twb> roasted: running it as different users?
[04:10] <roasted> tried my regular user and root
[04:10] <twb> host verification failure is usually a result of known_hosts having different data in it, or running in -oBatchMode=yes and not having the existing entry
[04:10] <roasted> if I run rsync manually it works fine
[04:10] <roasted> if I let lsyncd do it, it tanks
[04:11] <twb> I dunno about lsyncd, sorry.
[04:11] <roasted> I'm looking at the log file pulling my ahir out because it looks perfect
[04:11] <twb> But maybe lsyncd can't access your ssh agent?
[04:11] <roasted> I suppose. I'm not sure.
[04:12] <twb> Is it using passphraseless SSH keys for auth?
[04:12] <twb> Also run it with LC_ALL=C and tell me the exact error message
[04:16] <roasted> I have ssh keys set up. I have no idea if it's seeing it properly.
[04:16] <roasted> for now I just set up rsync to run.
[04:16] <twb> Are the passphraseless?
[04:16] <roasted> probably not a good idea for me to troubleshoot half lit up and tired as can be. :P
[04:16] <roasted> well, when I ssh to the server I get no PW prompt, so yea.
[04:26] <codepython777> curl -k -X HEAD -i https://website -- hangs after printing the head- any ideas why?
=== thumper is now known as Guest68473
=== lau is now known as Guest1831
=== ffio is now known as Guest45788
=== Tm_T is now known as Guest51964
=== shirgall is now known as Guest42483
=== Guest1831 is now known as 21WAA4HKQ
=== Ursinha is now known as Guest36665
[04:28] <twb> WFM.
=== Nigel_ is now known as G
=== Guest68473 is now known as thumper
=== thumper is now known as Guest83673
[04:33] <codepython777> how do i measure the total number of bytes sent/received by a particular command?
=== _thumper_ is now known as thumper
=== gartral|away is now known as gartral
=== moonligh- is now known as moonlight
=== ivoks_ is now known as ivoks
=== _KaszpiR__ is now known as _KaszpiR_
=== acidflash__ is now known as acidflash
[08:00] <jamespage> smb: looking at iscsitarget right now
=== klaas_ is now known as klaas
[08:12] <jamespage> Daviey, everything is built in havana-proposed now
[08:12] <jamespage> shall I promote to updates?
=== acidflash__ is now known as acidflash
=== smb` is now known as smb
=== tsimpson_ is now known as tsimpson
[08:26] <sanderj_> What do I do when fsck /dev/sdb1 returns only the version number. and when I go into the dir I get: ls: reading directory .: Input/output error
[08:28] <apw> sanderj_, i would look in dmesg and see if the drive is even present, also fsck on a mounted filesystem is a no-no unless it is r/o and even then not recommended
=== ejv_ is now known as ejv
[08:29] <sanderj_> apw, scsi0: ERROR on channel 0, id 1, lun 0, CDB: Read (10) 00 12 c1 ad 4f 00 00 08 00, Info fld=0x12c1cd8f, Current sdb: sense key Medium Error
[08:29] <apw> medium error, this means physical issues
[08:30] <sanderj_> apw, ok, thanks.
[08:56] <jamespage> adam_g, what do you think about a feature for the nova-compute charm that allows you to suckup disks and mount them on /var/lib/nova/instances
[08:57] <jamespage> right now they always sit on the OS disk by default
[08:57] <jamespage> this would allow extra disks in servers to provide ephemeral storage
[08:57] <jamespage> smb, just uploaded a new version of iscsitarget - should be OK now
[08:58] <jamespage> when the patches landed upstream the whitespace/tabbing in the compat patches got fixed up
[08:58] <smb> jamespage, Ok, I will get it downloaded as soon as it shows up and make the machine that failed verify it
[09:00] <jamespage> smb, I tested it on a 3.5 12.04 machine and it looks OK
[09:01] <smb> jamespage, ok, well the machine that exploded was a saucy one but just happened to get upgraded from 3.9 to 3.10 kernel at the same upgrade run
[09:01] <smb> (not that I can repeat that exactly)
=== jibel_ is now known as jibel
=== virusuy is now known as Guest73883
=== virusuy is now known as Guest51645
=== henkjan_ is now known as henkjan
[10:06] <phretor> hi, does this kernel build http://packages.ubuntu.com/precise/linux-image-server has the CONFIG_ROOT_NFS=y?
[10:27] <zatricky> Hi, all. I updated my personal server at home last night from 12.10 to 13.04 - the upgrade went smoothly except that the new kernel (3.8) doesn't finish booting. There are no clues given except for an error saying "Timed out", and "Dropping to a shell".
[10:28] <zatricky> The server runs off a 60GB Intel SSD with btrfs - which works without any issue with the previous kernel (3.5)
[10:29] <zatricky> I've done a lot of googling but I'm not seeing much info relevant either to btrfs or simply "Timed out" in relation to the a boot process failure :-/
[11:39] <foo357> Hello. I've had some trouble with cron-anacron recently, I'm fairly new to it.
=== funkyHat_ is now known as funkyHat
[11:40] <foo357> However I think I've found the answer: http://askubuntu.com/questions/92322/time-of-execution-of-daily-anacron-job
[11:42] <foo357> the solution is to make cron start anacron every hour. But the suggested edits to the crontab file seems a bit flawed.
[11:43] <foo357> 01 0    * * *   root start -q anacron || :
[11:43] <foo357> @hourly root start -q anacron || :
[11:43] <foo357> If I'm reading this correctly these two lines are equivalent and just uses a bit different syntax.
[11:44] <foo357> so only one of them would be needed really.
[11:44] <foo357> can anyone confirm if I'm right or wrong?
[11:45] <zatricky> foo357 - correct, seems a bit strange to have two entries that do the same thing at the same time
[11:51] <foo357> thanks for the response zatricky.
=== huats_ is now known as huats
[13:28] <Teduardo> okay i've figured out that if i interrupt the boot process by holding shift and then select ubuntu advanced and then tell it to boot normally the console works
[13:40] <sebrock> I'm having trouble gettin L2TP tunnel to work with xl2tpd. It just sits there. No error messages, nothing. Can someone please help me?
=== Guest79110 is now known as JanC
=== JanC is now known as Guest3754
=== Guest3754 is now known as JanC
=== Guest51964 is now known as Tm_T
=== Guest14422 is now known as remix_tj
=== Guest28536 is now known as ahasenack
=== wedgwood_ is now known as wedgwood
[15:24] <hallyn_> stgraber: I'm going to have to have lxc-start check whether it is already in a subdir of /sys/fs/cgroup/$d/lxc/$container and do nothing if so
[15:25] <hallyn_> stgraber: it gets a bit hacky, but with new kernel restrictions it seems the only way to keep the mountcgroups hook usable
[15:25] <hallyn_> just fyi
[15:28] <stgraber> hallyn_: ok, does that mean that a nested container will essentially end up in the same cgroup as its parent (instead of its own sub-entry)?
[15:29] <hallyn_> no
[15:29] <hallyn_> it may be that doubly nested containers won't work any more - i haven't thought thruogh whether that's fixable yet
[15:40] <resno> i have 2 vms behind a pfsense firewall, both configured the same. one can ping an ip the other cant... any suggestions?
[15:40] <resno> both ubuntu 10.04
[15:41] <sindri> Ok, I'm still having problem running vsftpd on my server; getting "530 Non-anonymous sessions must use encryption." My config looks like this: http://paste.ubuntu.com/5846998/ and my user config like this: http://paste.ubuntu.com/5847003/ any help would be welcome. Thanks!
[17:08] <Free99> hey everyone. Trying to figure out how to use the "remember" option in PAM for the pam_unix.so module
[17:08] <Free99> there apparently used to be a package called "pam_pwhistory" but it doesn't exist any longer for 12.04
=== Guest82953 is now known as Corey
[17:15] <Free99> (shrug) ok then
=== Guest14861 is now known as maxb
[17:18] <Vec_> Hi. <- learning newbie. Just about to install LAMP-stack on my server. Should i also install a webbased adminpanel like cPanel or ISPConfig3, or simply take my time and config it through a ssh? - what are you guys' reccomendations?
[17:19] <Vec_> Basically at first i just want my box to serve webpages securly, then my goal is to host various java applets im programming for school.
[17:19] <jpds> Vec_: You're going to learn a lot more via SSH.
[17:19] <Pici> Vec_: The only web-based front end that I personally find useful is phpmyadmin (or phppgadmin), anything else is probably overkill.
[17:19] <sarnold> Vec_: strongly recommend against web-based configuration panels. (a) they are very often used by hackers to gain access to systems, since their code quality is usually very poor (b) they get in the way of doing the configuration yourself -- it's like wearing boxing gloves with everything you do. I dislike them. Intensely. :)
[17:19] <Vec_> hehe
[17:20] <jpds> sarnold: Including boxing?
[17:20] <Vec_> Ok, well im settled then. SSH it is.
[17:20] <Pici> Also, I usually leave them disabled unless I'm actively working with them.
[17:20] <Vec_> jpds: lol
[17:20] <sarnold> jpds: lol :)
[17:21] <Vec_> Tbh i've gotten really far in 1 week. From 0% knowledge of linux to now having a server sharing files, running automated backup, sharing a printer -- all configured as restrictive as my brain find logical and whatnot HOWTOs and ubuntu docs tell me
[17:21] <Vec_> Its really really fun ^^
[17:21] <maxb> The other *massively* useful thing about doing configuration in textual configuration files is that you can put them under version control, and have an audit trail, notes about why you changed things, and a way to roll back when things go wrong
[17:22] <sarnold> Vec_: cool :) I'm glad it's fun :)
[17:22] <Vec_> maxb: That sounds like something i should google.. not sure if i can handle the added complexity of learning version control (however that works) together with configing the LAMP stuff
[17:22] <jpds> Vec_: sudo apt-get install etckeeper
[17:23] <jpds> Vec_: https://help.ubuntu.com/12.04/serverguide/etckeeper.html
[17:24] <enraged> maxb: I just joined in the middle of this conversation, but if I launch a GUI program that makes modifications to a config file, doesn't the user who launched the GUI program be recorded as the person who edited the text file, just as if they'd done it with a standard text editor?
[17:24] <Vec_> jpds: "By default, etckeeper will commit uncommitted changes made to /etc daily" what exactly does this mean?
[17:24] <maxb> The context of the conversation involved ssh vs. web admin tools
[17:25] <enraged> Ah ok
[17:25] <enraged> I apologize
[17:25] <maxb> np
[17:25] <jpds> Vec_: It'll do a daily commit of changes on its own.
[17:25] <enraged> If we're discussing SSH atm in here, is there anyone using Ubuntu 10.04 that has managed to get multi factor authentication working with OpenSSH?
[17:25] <Vec_> Please define commit. Also, if i make changes to a config file in /etc then i save it staight away (pretty sure im missing the target at this point? :p)
[17:26] <enraged> I'm specifically involving ssh keys here
[17:26] <enraged> An important detail missed out.
[17:26] <jpds> enraged: I always use SSH keys, everywhere.
[17:26] <jpds> Vec_: Commited into the version control.
[17:26] <Vec_> jpds: As in logged? (will continiue to read now..)
[17:26] <thinknow> easiest app to make an shell account on my server?
[17:26] <jpds> Vec_: If you just save the file, the change isn't yet in the version control system until you commit it into it.
[17:26] <enraged> jpds: Do you use mfa aswell?
[17:26] <jpds> enraged: No.
[17:27] <enraged> jpds: Aw damn.
[17:27] <sarnold> thinknow: adduser(8)
[17:27] <Vec_> jpds: Ah ok, so if i change stuff, notice i fubar'd it, then i can roll it back before its committed?
[17:27] <jpds> Vec_: Yes, and even after it's commited.
[17:27] <Vec_> well that sounds very nice
[17:27] <thinknow> sarnold, but i mean shell account so i can add process like irc
[17:28] <thinknow> dont remember the name
[17:28] <enraged> jpds: I've been trying to get totp codes to be required as a secondary authentication method to an ssh key, but as far as I can tell PAM is required to do that and when you use an SSH key it bypasses PAM
[17:28] <jpds> enraged: If they steal your private SSH key, you have other issues.
[17:29] <enraged> jpds: Yeah, my concern is the laptop I use to remotely admin being hacked, the private key file being stolen and the laptop being keylogged so they know the passphrase to decrypt the file.
[17:29] <enraged> jpds: So yeah, totp codes generated by a phone or something else as secondary authentication, because they'd then need to hack the phone aswell
[17:30] <jpds> enraged: Welcome to the world of paranoia. Encrypt your /home directory on the laptop.
[17:30] <enraged> jpds: Oh man! I wish I could, but the circumstances I'm in, the laptop is Windows 7.
[17:30] <sarnold> enraged: see if this helps: https://www.duosecurity.com/docs/duounix
[17:30] <enraged> jpds: So yeah, now you understand why I'm so nervous XD
[17:30] <Free99> anyone know how I can enable the "remember" option in PAM?
[17:30] <enraged> sarnold: Thanks. I remember annoying you about this a while back.
[17:30] <Free99> I'm not clear on how to do it
[17:31] <sarnold> enraged: yes, and I remember being very annoyed that I didn't completely understand opeenshd at the time :)
[17:31] <enraged> sarnold: No problem man; It's what, a month later, and I still haven't figured this one out.
[17:32] <jpds> enraged: You can still encrypt things on Windows (truecrypt and co.).
[17:32] <enraged> jpds: Oh yes, but the private key file is stored on a usb stick anyways seperate from the laptop.
[17:32] <sarnold> Free99: pam_cracklib's "similar" might do it?
[17:32] <enraged> jpds: So the win7 laptop itself isn't the concern, just a keylogger and filestealer being installed.
=== Vec_ is now known as Vec_brb
[17:32] <sarnold> enraged: man :/ you think this would be easier..
[17:33] <Free99> enraged: what about using libpam-oath?
[17:33] <enraged> sarnold: I talked to the guy who wrote the sirc protocol yesterday and mentioned this to him. Didn't believe me so he logged onto his test server, spent 10 minutes playing arond and came back giving me a puzzled look.
[17:33] <Free99> sarnold, i'll take a look thanks
[17:34] <sarnold> enraged: hahah :)
[17:34] <sarnold> enraged: well, at least I'm not the only one then
[17:34] <mgw> I have a firstboot script in rc.local (I used vm-builder). How can that script cause a reboot?
[17:34] <sarnold> that makes me feel a touch better :)
[17:34] <enraged> free99: Whole problem here is you can't use PAM
[17:34] <sarnold> mgw: by calling /sbin/reboot ?
[17:34] <mgw> Simply rebooting aborts rc and the firstboot flag never gets set
[17:34] <mgw> so it repeats the reboot after every boot
[17:34] <jpds> mgw: Nice.
[17:35] <Free99> but enraged, sshd authenticates against pam
[17:35] <sarnold> ah :) good luck ;)
[17:35] <sarnold> Free99: only for passwords..
[17:35] <mgw> sarnold, jpds: I guess I can set the firstboot flag manually
[17:35] <jpds> mgw: Store that you've firsted boot in a file and check if that file exists before you reboot?
[17:35] <sarnold> Free99: if you use keys, it bypasses pam entirely :/
[17:35] <enraged> free99: Only when you use passwords. When you use SSH keys, it bypasses PAM for auth, so you can't use any pam modules.
[17:36] <Free99> hum.
[17:36] <enraged> hum indeed
[17:37] <mgw> jpds: thanks, that's what the rc.local script does, but the firstboot.sh was exiting before it got there. SHould have it fixed now
[17:37] <Free99> enraged, would this help? think about the possibilities: http://jpmens.net/2006/03/02/ssh-public-keys-from-ldap/
[17:38] <jpds> enraged: You could just set up a firewall so that the server only allows access to sshd from your IP address.
[17:39] <Free99> enraged, the idea isn't the LDAP part, its more the fact that the patch allows you to connect via ssh through seeing you have a user account via PAM, then checking the key against...well, whatever you want
[17:40] <Free99> could potentially be a file or a stupid script or w/e you want
[17:40] <enraged> I'll have to read more into this; it's the first time I've seen this post.
[17:41] <jpds> enraged: LDAP doesn't slove your problem.
[17:41] <enraged> It's close to a suggestion I recieved by the sounds of it, where we would have a key server that I logged into with a password and otp code, then from that key server, log onto the other servers
[17:42] <enraged> Yeah, I'll have to read it more.
[17:42] <enraged> I've never heard of LDAP before.
[17:42] <enraged> How bad is that?
[17:42] <jpds> "bad" ?
[17:42] <enraged> Well, OpenSSH is something every sysadmin show know about...
[17:42] <Free99> enraged: it's got a steep learning curve. it's the tech that microsoft borrowed to make active directory
[17:42] <enraged> By comparison, LDAP is....?
[17:42] <Free99> basically a database of user accounts and stuff
[17:43] <enraged> hrm, ok
[17:43] <Free99> update in one place, updated everywhere
[17:43] <enraged> Just to be clear, purely focused on user management or is this just a general file syncing service?
[17:44] <jpds> enraged: User management.
[17:44] <enraged> Ok
[17:44] <jpds> enraged: But you can store other things in it.
[17:44] <Free99> enraged, what service provider do you have?
[17:44] <Free99> for your cell
[17:45] <enraged> British Telecom
[17:48] <Free99> enraged, do you know what BT's sms gateway is?
[17:48] <enraged> No...
[17:48] <enraged> Sorry, you've gone off on a tangent here; what are we/you trying to do?
[17:50] <Free99> enraged, if you want to replicate Google's OTP thing, I was thinking you'd have that pam plugin make the OTP and you can essentially "email it to your phone" via sms
[17:51] <Free99> in the US, if you want to send a text to your phone, depending on your service provider (mine is AT&T) you email "<phone number>@wap.att.net" and it shows up as a regular text
[17:52] <sarnold> Free99: but PAM isn't available if you're doing ssh authorized_keys :/
[17:52] <Free99> sarnold, unless he uses that patch I just linked him
[17:52] <sarnold> Free99: jpmen's ldap-thingy?
[17:52] <Free99> yeah. the LDAP is totally PAM-based
[17:52] <sarnold> aha :)
[17:52] <enraged> Free99: Oh, I understand!
[17:53] <enraged> Free99: One second.
[17:53] <Free99> oh dang. the link to the patch is dead
[17:54] <Free99> oh wait! github to the rescue!
[17:54] <Free99> https://github.com/rfay/OpenSSH-LPK
[17:55] <enraged> Free99: Ok, so at the moment, I have an app on my phone (Android) that produces the TOTP codes without contacting the server I'm connecting to. The problem is, how do I get the SSHd server to request the second authentication method, of the totp code, and then compare it against the PAM module which will confirm or declare false the code entered.
[17:55] <jpds> Free99: You do realize using a hacked up version of OpenSSH like that is going to be a security nightmare in the long term?
[17:55] <enraged> Free99: The PAM module is supposed to initiate after a succesful password login that then waits for the user to enter the TOTP code before giving Shell
[17:56] <enraged> jpds: At the moment, this is more technical curiosity.
[17:56] <enraged> jpds: If it can just be done I'll be happy.
[17:56] <Free99> jpds, yeah.. I know. But how can I trust anyone tbh? Just because the repos are canonical maintained, doesn't mean they're always trustworthy. Even kernel.org... http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
[17:57] <jpds> Free99: No, I meant more like having to compile and update OpenSSH by hand every time an update comes out in precise-updates.
=== Guest41538 is now known as mist
[17:58] <Free99> jpds, perhaps enraged will become a repo contributor... that's how it starts right?
[17:58] <enraged> BWA HA HA
[17:58] <Free99> openssh-server-lpk? lol
[17:58] <enraged> Free99: I think you're overestimating my capabilities
[17:59] <Free99> enraged, that's on you bro haha
[17:59] <Free99> anyhow I'm enjoying my 5th of july off. Gonna hit the pool. see you guys! and good luck
[17:59] <enraged> See ya man
[18:00] <sarnold> enraged: the duo-security thing looks like an unfortunate hack the way it's implemented, but a pal who I trust uses it, so perhaps the caveats are worth it :)
[18:00] <mgw> Free99: upstream has AuthorizedKeysCommand directive for ssh
[18:01] <enraged> Sarnold: Yeah I'll have to give it a proper look later.
[18:02] <enraged> I don't think Free99's ldap proporsal really solves the problem; it looks very similair to a certificate authority
=== wizonesolutions_ is now known as wizonesolutions
[18:04] <sarnold> enraged: he is only suggesting it because it patches sshd to use the PAM stack before doing ssh keys
[18:04] <sarnold> enraged: the ldap is just a side effect
[18:04] <sarnold> .. and probably one you can ignore
[18:05] <enraged> ok
[18:05] <enraged> I think I'm starting to get a bit closer to fully understanding why he wanted to do this now then :p
[18:06] <enraged> I'll be reading through the duo security manual though before I decide which to try first
[18:07] <sarnold> enraged: I'd also like to suggest against running a patched sshd :)
[18:07] <sarnold> it's fragile code.
[18:08] <sarnold> or, it has a long history of being fragile..
[18:08] <enraged> Yeah, probably the main reason I am going to put my hope in your duo security suggestion...
[18:09] <enraged> If this doesn't work, I'll come back and annoy you some more with the forcecommand issue...
[18:09] <sarnold> :)
[18:09] <enraged> Sarnold: You have so much fun to look forward to!
[18:09] <sarnold> hehe
[18:20] <thinknow> someone have an idea how to connect my server trough tor/vidalia ?
[18:21] <thinknow> i have tried some tutorials, but cant find any apps that make this job easy or stable
[18:22] <sarnold> thinknow: I think what you're looking for is tor onion addresses. maybe ask in #tor on irc.oftc.net.
[18:23] <thinknow> ok i will look it up:)
[18:23] <thinknow> thank you
=== royk is now known as RoyK
=== RoyK is now known as rOYk
[18:41] <sandprickle> I've been trying for hours to get Nginx+php fpm working to no avail. Precise. Nginx 1.4.1 from the Nginx repo. All other packages from ubuntu repos. What might I be missing?
[18:42] <sarnold> sandprickle: anything in hte logs?
[18:43] <sandprickle> yeah: 2013/07/05 14:34:22 [crit] 25963#0: *1 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 127.0.0.1, server: localhost, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"
[18:43] <sandprickle> file permissions?
[18:47] <rOYk> smells like PEBKAC
[18:52] <sarnold> sandprickle: could be; what ar ethe permissions on /var/run/php5-fpm.sock? does the nginx process owner have privileges to talk with thatsocket?
[18:58] <sandprickle> www-data owned /var/run/php5-fpm.sock; did chown nginx:www-data /var/run/php5-fpm.sock; now I get a different error..
[18:59] <sarnold> yeah don't change the ownership of the socket... the fpm runner should own it, it provides the socket after all :)
[19:02] <sandprickle> Yeah, that didn't work. added nginx to the www-data group. now getting this: 2013/07/05 15:01:15 [error] 26598#0: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 127.0.0.1, server: localhost, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"
[19:02] <sarnold> TheLordOfTime: ^^^  :)
[19:03]  * TheLordOfTime looks
[19:03] <TheLordOfTime> sarnold:  you did poke me at a bad time though
[19:03]  * TheLordOfTime was beating an nginx FTBFS
[19:03] <sarnold> TheLordOfTime: d'oh :)
[19:04] <TheLordOfTime> sandprickle:  pastebin your conf
[19:04] <sandprickle> sure thing
[19:06] <sandprickle> it's in multiple files... multiple pastes or just one (pastebin n00b)
[19:10] <sandprickle> nginx.conf: http://pastebin.com/9WCkccyt conf.d/dev.conf: http://pastebin.com/9SmR5Y9X fastcgi_params: http://pastebin.com/sTprY17D
[19:10] <sandprickle> TheLordOfTime: ^^
=== blkperl_ is now known as blkperl
[19:14] <sandprickle> /etc/php5/fpm/pool.d/www.conf: http://pastebin.com/PxVz0JUy /etc/php5/fpm/php.ini: http://pastebin.com/D3AjBb4L
[19:24] <TheLordOfTime> sanderj_:  sorry i'm like jugging a billion things
[19:24]  * TheLordOfTime looks now
[19:25] <TheLordOfTime> erm
[19:25] <TheLordOfTime> sandprickle:  ^
[19:26] <sandprickle> no worries. #nginx woke up now anyway.
[19:26] <TheLordOfTime> sandprickle:  yes they did
[19:26] <TheLordOfTime> having said that i see a few pitfalls
[19:48] <Vec_brb> On my apache server, i have java.html with 004 permissions. If the file is owned by root user and root group, i can view the file in my browser. If www-data group owns the file, i get permission denied. How come? o.O
[19:48] <sarnold> Vec_brb: permissions are checked in the order of user, group, world
[19:49] <sarnold> Vec_brb: when the web server owns the file, the first check finds '0', and returns forbidden
[19:50] <Vec_brb> Oh, derp..
[19:50] <Vec_brb> In other words, im denying the owner of content in displaying it to my browser?
=== Vec_brb is now known as Vec_
[19:53] <Vec_> Yeah, i could make www-data the owner group and give that group read permissions with everyone else at 0 and it works. I assume this is because its the www-data group that is because my user which is in www-data is responsible for serving the site
[19:53] <sarnold> Vec_: yes, and worse, if your web server is compromised, it'd be easy for the file permissions to be set back to allowing the server to write the file, and then changes be made ot your website content in a persistent fashion
[19:54] <sarnold> Vec_: web servers shouldn't own any of the content they serve -- their only write privileges should be their log files, database and fast-cgi-like sockets
[19:55] <Vec_> sarnold: Ok. So best practice is having no owners on the files with 004 permissions ?
[19:56] <sarnold> Vec_: well, make sure www-data doesn't own any more files than necessary; 004 is another matter (it's overkill, and perhaps counter-productive..)
=== james_ is now known as Guest8292
[19:59] <Vec_> There is only one user in www-data, me (the server superuser?), i don't see why it would be bad for effectivly me to own the files in my webdirectory.. I'm 100% new at this linux stuff, and i just installed LAMP so im kinda fumbeling atm >..<
[20:00] <Vec_> I mean, does it matter when i can control the permissions anyway. And if my user is compromised then im fubared anyway
[20:00] <sarnold> Vec_: on the one hand, you're right, if the servre gets compromised you're better off re-building from backups
[20:01] <sarnold> Vec_: but business demands sometimes means fixing the iimmediate problem and getting back to business while you rebuild a new machine
[20:03] <Vec_> sarnold: Thanks for making me understand what happened on my original question. Other than that i feel like you are replying with knowledge way outside my league at this point in time. Im just a random student who installed linux a week ago and now i have this awsome server up and running with some basic services like printersharing/filesharing/automated backup and now this LAMP server.
[20:03] <Vec_> I should probably just read a whole lot more HOWTOs and documentation instead of conversing in this channel on a level i dont yet fully comprehend ^^
[20:04] <Vec_> I was kinda apprehensive about installing LAMP tho as it exposes me so much (i assume) to the net.. Therefore i think i should read more to limit my exposure and get the permissions and fileownership right (and understand it too)
[20:06] <sarnold> Vec_: heh, fair enough, just mark down that you'll want to ask me about it again in another six months or osmething :)
[20:06] <sarnold> I've got a nice rant written about it somewhere..
[20:07] <Vec_> ^-^
[20:07] <uvirtbot> Vec_: Error: "-^" is not a valid command.
[20:08] <Vec_> Hm, i should probably only installed apache, considering i really just want to serve static pages with java applets i program for school
=== rOYk is now known as RoyK
=== pgraner` is now known as pgraner
=== ppetraki_ is now known as ppetraki
=== Guest36200 is now known as jrgifford_
[22:53] <hallyn_> stgraber: are you by any chance around with a few minutes to look at an ugly lxc patch?
[22:55] <hallyn_> (if so, http://people.canonical.com/~serge/0011-cgroup-hook-handle-stricter-kernel - else, i'll test some more and push to saucy and post to list)
[23:03] <stgraber> hallyn_: +INFO("XXX checking subsystem %s against string devices len %d", cg->subsystem, len);
[23:03] <stgraber> hallyn_: did you mean for those three INFO to stay there? the XXX looks like a temporary thing
[23:05] <stgraber> hallyn_: besides that, as ugly as it's, it looks fine
[23:08] <hallyn_> i kind of wonder if we went ahead and setup all the cgroups first, then ran hooks, then entered cgroup at very end, if that would be better overall
[23:08] <hallyn_> meanwhile upstream git has diverged there from saucy's pkg...  already split up the devices setup a bit
[23:09] <hallyn_> still, this is passing tests
[23:10] <hallyn_> stgraber: you've told me before, but can't find it in my irc logs -  were you planning on merging upstream git in july?
[23:13] <hallyn_> well really the clean solution will be "if you want nesting, use user namespaces and the cgroup management agent."  <shudder>
[23:24] <stgraber> hallyn_: I've been pretty busy with other things but I think we should try and get an alpha release done upstream in early August, then use that for saucy
[23:25] <stgraber> hallyn_: what we end up shipping with in saucy I don't really care much about, it's a non-LTS release with a 9 months support period, so as long as it's fairly recent and it works...
[23:32] <hallyn_> stgraber: sounds good.
[23:32] <thinknow> lol question, but command in ubuntu server for starting ftp host ?
[23:35] <sarnold> thinknow: apt-get install vsftpd, edit the configuration as necessary, then 'service vsftpd start'   ought to do it
[23:36] <thinknow> ok thnx