[00:01] <sarnold> superboot: http://old-releases.ubuntu.com/releases/lucid/ubuntu-10.04.3-server-amd64.list ?
[01:09] <storrgie> In 14.04 is it advisable to install mariadb from the base repositories or use their repository?
[01:10] <sarnold> storrgie: base repo is probably fine, one of our users (otto) does a good job keeping up on security fixes
[01:10] <sarnold> storrgie: though feel free to use their repository if you'd feel better about that
[01:16] <storrgie> sarnold, hypothetical, if someone was able to gain underprivileged user access, say through wordpress (if I have a php or wordpress user to run their garbage code), would that user be able to see the crontab, or is that a root only thing?
[01:16] <storrgie> I ask because I typically do this on my mariadb installs: @weekly mysqlcheck -o --user=root --password=<your password here> -A
[01:20] <sarnold> storrgie: that should be safe
[01:20] <storrgie> sarnold, along those same lines, what's the convention for installing something like wordpress? I always just make a wordpress user and chown the wp install directory(s) with that user account
[01:20] <sarnold> storrgie: the crontabs are stored in /var/spool/cron/crontabs/, which has restrictive permissions, and the individual files have restrictive permissions, too;
[01:21] <sarnold> storrgie: that's a good approach; especially if you make sure the user running the webserver / wordpress executables doesn't have write access to its own files
[01:23] <storrgie> sarnold, isn't there a way to pass an arg when you make the user account that makes it a 'system' account effectively with no home directory?
[01:24] <storrgie> sarnold, is there a guide on hardening nginx that you'd recommend?
[01:24] <storrgie> sorry with all the questions, I still have more
[01:25] <storrgie> is fail2ban considered useful or are there alternatives that are better?
[01:26] <sarnold> storrgie: hmm, adduser seems to create homedirs even with --system ... that's probably not terrible though, only things that use getent(3) would care. You could set the permissions on its directory to forbid it from writing in the directory, if you wish
[01:26] <sarnold> storrgie: nginx hardening is best asked to teward ^^
[01:27] <storrgie> teward, sir are you present?
[01:27] <sarnold> storrgie: and some people do like fail2ban, I think it's better to just turn off password authentication once your keys are on the system, and avoid bruteforce password searches entirely that way, but blocking those hosts via iptables isn't a bad idea
[01:27] <sarnold> storrgie: ufw can also do rate limiting, which may help avoid need for fail2ban too
[01:28] <sarnold> storrgie: .. I'm just reluctant to run scripts as root on data supplied by attackers, even if the log files "should" be safe ...
[01:36] <storrgie> sarnold, that's a good point
[01:37] <storrgie> I've already installed it, is it easy to remove (will it leave system cruft)? I'm already using key based auth and a diff port
[01:37] <sarnold> storrgie: apt-get purge will clean up config files too
[01:40] <storrgie> I like the ufw limit a lot more
[01:47] <storrgie> sarnold, just installed php5 and php5-fpm, do you know where the php.ini file is located nowadays?
[01:48] <storrgie> on fedora/centos it's /etc/php.ini
[01:49] <storrgie> sarnold, nvm, found it at: sudo vim /etc/php5/fpm/php.ini
[04:19] <lxus_> Evening folks, having a few issues with ubuntu server. for some reason when i try to boot normally the boot fails and the process restarts. the message i keep getting is / boot terminated with error 1
[04:19] <lxus_> any clues?
[04:19] <lxus_> However when i boot into recovery and continue normal boot it lets me into console :|
[05:25] <fattywumpus> apologies to those that just saw this on #ubuntu, how are most folks managing user accounts/ids/groups on 20+ systems.  ldap?
[05:25] <fattywumpus> or just synchronizing passwd/shadow/etc
[05:27] <jpds_> fattywumpus: Probably using LDAP at that point.
[05:30] <jpds_> fattywumpus: Another method would be to use something like puppet to roll out user accounts.
[05:31] <fattywumpus> jpds_: that's what i was wondering, if folks are digging into that route these days.   it's been a few years and i've done ldap a few times
[05:31] <fattywumpus> haven't tried any of the cool new tools for managing users
[05:31] <jpds_> I hear freeipa is good.
[05:33] <fattywumpus> whoa, never heard of it, looks interesting..thanks!
[06:09] <lordievader> Good morning.
[07:19] <megapixel> Hello
[07:20] <megapixel> Please give me command line for format root sda
[07:20] <megapixel> debian
[07:26] <Sling> megapixel: you want to remove the current partitions on your /dev/sda disk and create a new one, or?
[07:26] <megapixel> yes
[07:27] <Sling> you could use 'fdisk' or 'sfdisk' for that
[07:27] <Sling> sfdisk is probably easiest
[07:28] <Sling> although it doesn't understand GPT
[07:28] <Sling> there is also 'parted'
[08:23] <linuxmint> Hello?
[08:23] <linuxmint> Is there a grep command to search for a line of code, as I can't find the file containing the code?
[08:37] <Walex> linuxmint: yes
[08:48] <halvors> I'm trying to setup dovecot with sieve and a default script in the path: /var/lib/dovecot/sieve/default.sieve. But when an email arrives i get the following error: Error: sieve: main script: failed to stat sieve script: stat(/var/lib/dovecot/sieve/default.sieve) failed: Permission denied (euid=1011(halvors@halvors.org) egid=1004(halvors.org) missing +x perm: /var/lib/dovecot, we're not in group 0(root), dir owned by 0:0 mode=0750)
[08:48] <halvors> I understand that this is a permission problem somehow, but what user is supposed to own it?
[08:54] <Walex> halvors: also "missing +x perm"
[09:01] <halvors> i did chmod +x default.sieve
[09:01] <halvors> Walex: But what user should be the owner of the default.sieve file?
[09:07] <Walex> that depends on which user is running the dovecot and/or sieve processes.
[09:08] <Walex> halvors: also note that the 'sieve' process needs to traverse the '/var/lib/dovecot' directory, and as the message says its mode is "=0750".
[09:40] <halvors> Walex: How can i find out what user is running the sieve process?
[09:47] <Tazmain> hi all, it seems that some packages in my update list on my server can't be authenticated? does that mean I waited too long to update or something ?
[10:16] <Sling> hm, if i put '/var/log/folder/file*' in a custom logrotate.d/file , is it smart enough to not match the .gz files created by logrotate in the past?
[10:21] <Walex> halvors: with 'ps' with the 'u' option.
[10:21] <Walex> halvors: if you are asking basic questions like this perhaps you need a system administrator to help you...
[10:22] <Walex> Sling: the psychic version of 'logrotate' will be released soon :-)
[10:24] <Sling> Walex: well I would expect it to only rotate textfiles, for example :)
[10:24] <Sling> oh well I've fixed it now by just specifying the files in full
[11:24] <halvors> Walex: Seems like root is running dovecot.
[11:24] <halvors> I don't see why this wouldn't work then.
[11:24] <halvors> 1055 root      20   0   17768   1528   1236 S   0.0  0.0   0:00.03 dovecot
[11:24] <halvors>  1164 dovecot   20   0    9276    956    812 S   0.0  0.0   0:00.00 anvil
[11:54] <jpds_> halvors: Have you checked the dovecot apparmor rules?
[13:20] <superboot> sarnold: Thanks for the manifest link. Just got it now.
[15:14] <strikov> rbasak: is it correct in case of juju-core: dpkg-source: warning: Version number suggests Ubuntu changes, but there is no XSBC-Original-Maintainer field
[15:14] <strikov> rbasak: i thought that i lost it while baking 1.22.0 but it looks like it was not available even before it
[15:18] <rbasak> strikov: that's fine to ignore, since we maintain it primarily in Ubuntu and it is not derived from Debian.
[15:43] <strikov> rbasak: ok, thanks
[15:45] <strikov> rbasak: https://github.com/juju/juju/pull/2072/files
[15:45] <strikov> rbasak: could you review this please
[15:45] <strikov> rbasak: looks ~okay to me (don't know how to make it better)
[16:02] <rbasak> strikov: looks great to me.
[16:57] <strikov> rbasak: allocate some time tomorrow afternoon please to review/upload juju-1.22.1 to vivid; i modified tests to install upstart and finished d/copyright; need to wait for a single upstream fix and we're done
[17:10] <rbasak> strikov: OK
[20:02] <arcsky> what do you guys recommend ansible or puppet or chef?
[20:14] <roaksoax_> arcsky: juju and maas