/srv/irclogs.ubuntu.com/2017/01/20/#ubuntu-server.txt

cmh__	Has anyone run into problems starting AppArmor on Xenial when there are a large number of profiles to load? It's been starting for ~2 hours, seems to be writing to /etc/apparmor.d/cache/usr.sbin.apache2. Kernel: 4.4.0-57-generic, Release: 16.04.1 LTS	03:10
=== cmh__ is now known as cmh_
tyhicks	cmh_: hey - that's not a known issue	03:12
tyhicks	cmh_: could you file a bug report?	03:12
tyhicks	cmh_: what version of the apparmor package do you have installed?	03:13
cmh_	tyhicks: apparmor 2.10.95-0ubuntu2.5	03:16
tyhicks	cmh_: does `sudo apparmor_parser -Q /etc/apparmor.d/usr.sbin.apache2` complete? (shouldn't take more than a few seconds at the most)	03:20
=== rxc is now known as Guest8537
cmh_	tyhicks: adding the -v flag shows 'Addition succeeded for "Profile Name"' for the profiles.	03:36
cmh_	On another server (same Kernel/Release) it shows "Cached load succeeded for "/etc/apparmor.d/cache/usr.sbin.apache2"." ...	03:37
cmh_	hm	03:37
=== giraffe is now known as Guest35314
=== PaulePan1er is now known as PaulePanter
=== lordieva- is now known as lordievader
=== lordievader is now known as Guest10438
zioproto	hello all	08:50
zioproto	when is the next Horizon Newton package refresh gonna happen ? I am interested in this patch https://review.openstack.org/#/c/403160/	08:51
zioproto	also it is not clear to me	08:52
zioproto	when I do	08:52
zioproto	debcheckout --git-track='*' horizon	08:52
zioproto	and then I checkout stable/newton	08:52
zioproto	it looks from the changelog that I am patching the yakkety tree	08:52
zioproto	there are different git repos for xenial and yakkety ?	08:52
zioproto	I understand openstack releases are in different git branches, but what about the target distro ?	08:53
=== Guest10438 is now known as lordievader
lordievader	Good morning.	08:56
=== thib_ is now known as thib
=== T-Co_ is now known as T-Co
zioproto	jamespage: coreycb any of you here ?	12:18
zioproto	Anyone has experience building Openstack Newton deb packages for Ubuntu Xenial ?	12:51
coreycb	zul, python-webob 1:1.6.2-2 synced from unstable	13:04
coreycb	zioproto, o/	13:04
zul	coreycb: yippe skipee	13:05
zul	coreycb: ill keep an eye on things	13:05
zioproto	coreycb: hey there, did you read what I wrote earlier in the channel ?	13:06
zioproto	debcheckout --git-track='*' horizon	13:06
coreycb	zioproto, "I understand openstack releases are in different git branches, but what about the target distro ?"	13:06
zioproto	yes	13:06
zioproto	when I see the changelog	13:07
zioproto	in the debian folder	13:07
zioproto	I see yakkety lines	13:07
zioproto	but I am building for xenial	13:07
coreycb	zioproto, ok	13:07
coreycb	zioproto, first, yes we only have branches per openstack release	13:07
zioproto	okay. Now I am working on this repo git://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/horizon	13:07
zioproto	I am in stable/newton	13:08
coreycb	zioproto, xenial corresponds to mitaka. however it's also an LTS so we support the cloud archive for newton and ocata on xenial as well.	13:08
zioproto	ok, so how do I make newton packages for xenial ?	13:09
zioproto	I mean, I just write yakkety in the changelog ?	13:09
zioproto	and then I build with sbuild-newton	13:09
zioproto	sbuild-newton -d xenial-amd64 -A ../horizon_10.0.1-0ubuntu2.dsc	13:10
coreycb	zioproto, that's correct	13:10
coreycb	zioproto, s/yakkety/xenial-newton/ though	13:10
zioproto	version number of the packages is the same across xenial and yakkety ?	13:10
zioproto	wait I did not understand where I have to replace s/yakkety/xenial-newton/	13:11
coreycb	zioproto, version numbers of the packages are the same on xenial and newton for any package in the cloud archive, IF you have the newton cloud archive enabled on xenial	13:13
coreycb	zioproto, here's the staging ppa for newton if you want to look through some packages: https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/newton-staging	13:14
zioproto	deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton main"	13:14
zioproto	I am using this one	13:15
coreycb	zioproto, it's likely the same for the most part. packages get backported from yakkety to xenial-staging then promoted to xenial-proposed, then to xenial-updates	13:16
zioproto	ok	13:17
zioproto	we are changing the way we work here	13:17
zioproto	before we had VMs pointing to a internal deb	13:18
zioproto	repo	13:18
zioproto	now we build docker images	13:18
zioproto	so I am trying to install my deb packages	13:18
zioproto	with dpkg	13:18
zioproto	if I have three deb files to install	13:19
zioproto	openstack-dashboard_10.0.1-0ubuntu2_all.deb openstack-dashboard-ubuntu-theme_10.0.1-0ubuntu2_all.deb python-django-horizon_10.0.1-0ubuntu2_all.deb	13:20
zioproto	and they are not in a repo	13:20
zioproto	they are just on my disk	13:20
zioproto	how I install them correcttly	13:20
zioproto	I always get deps problems	13:20
zioproto	because I cant install just 1 at the time	13:20
hateball	zioproto: dpkg -i *.deb ?	13:24
zioproto	ok I fixed it !	13:24
zioproto	maybe	13:24
zioproto	looks like the problem	13:25
zioproto	was that I was missing a apt-get update	13:25
zioproto	in my script	13:25
zioproto	so the repo was there	13:25
zioproto	but not loaded	13:25
zioproto	this xenial was still mitaka	13:25
zioproto	openstack-dashboard-ubuntu-theme depends on openstack-dashboard (= 3:10.0.1-0ubuntu2); however:	13:26
zioproto	Package openstack-dashboard is not configured yet.	13:26
zioproto	I think the problem is with openstack-dashboard	13:28
zioproto	that fails the configuration step	13:28
zioproto	coreycb: I get this error, there is your name here :) https://bugs.launchpad.net/horizon/+bug/1643964	13:30
ubottu	Launchpad bug 1643964 in horizon (Ubuntu) "compressing static assets fails with xstatic-bootswatch 3.3.7.0" [Undecided,Fix released]	13:30
coreycb	zioproto, are you using ocata?	13:31
zioproto	no	13:32
zioproto	I get the same error	13:32
zioproto	trying to upgrade from	13:32
zioproto	openstack-dashboard (3:10.0.1-0ubuntu1)	13:32
coreycb	zioproto, did you build the package yourself?	13:32
zioproto	to my package	13:32
zioproto	yes	13:32
coreycb	zioproto, did you create a new orig-xstatic.tar.gz?	13:32
zioproto	I added a patch in debian/pachtes	13:32
zioproto	yes I did	13:32
coreycb	zioproto, if so,don't	13:32
zioproto	ahhhhh	13:33
zioproto	I should not ?	13:33
zioproto	the procedure for horizon changed again ?	13:33
coreycb	zioproto, no	13:33
coreycb	zioproto, for ocata we'll regenerate orig-xstatic.tar.gz but for stable releases we don't, because it pulls down the latest xstatic libraries	13:34
coreycb	zioproto, which is probably fine most of the time but it caused you to hit this bug which we've only fixed in ocata	13:34
zioproto	I am trying now	13:37
zioproto	gbp buildpackage -S -us -uc	13:37
zioproto	and then build from the dsc file	13:37
zioproto	without calling any xstatic stuff	13:37
zioproto	build failed	13:39
zioproto	because the xstatic files are missing	13:39
coreycb	zioproto, use debuild with horizon	13:44
coreycb	zioproto, also you need the xstatic-orig tar	13:44
coreycb	zioproto, you can get it from the ppa above	13:44
zioproto	so, I avoid to call ./debian/rules refresh-xstatic	13:46
zioproto	http://ppa.launchpad.net/ubuntu-cloud-archive/newton-staging/ubuntu/pool/main/h/horizon/horizon_10.0.1.orig-xstatic.tar.gz	13:48
coreycb	beisner-afk, when you get in can you promote python-webob to ocata-proposed?	13:48
coreycb	zioproto, correct, just wget that	13:49
zioproto	ok building at the moment	13:50
zioproto	Build success! but I guess no one in the world can build horizon packages for xenial-newton without knowing this issue !	13:59
zioproto	ok but I still get this error	14:00
zioproto	CommandError: An error occurred during rendering /usr/share/openstack-dashboard/openstack_dashboard/templates/horizon/_scripts.html: '\"../bower_components/respond/dest/respond.min.js\"' isn't accessible via COMPRESS_URL ('/horizon/static/') and can't be compressed	14:00
zul	coreycb: yeah webob problems go away	14:04
zioproto	coreycb: I was able to build the package and install it. But maybe the patch I was testing did not work	14:32
zioproto	thanks for the support	14:32
coreycb	zioproto, great, np	14:34
=== wwalker_ is now known as wwalker
gymdude	I am wondering in linux/unix like os's what is the equivalent of local group/security policy gui in control panel for windows is for linux	16:12
gymdude	or unix	16:13
gymdude	...I know unix/linux like os's have samba , winbind , openldap , pam and many other security alternatives that model active directory for if on a domain or local	16:14
gymdude	What i am getting at is my main thing is can one in linux or unix os lock all administrators/ disable them	16:15
gymdude	So one cann't sudo or su to a higher privilage level every again like one can do for windows os's	16:16
gymdude	...At that point the only way to get complete control back to your unix or linux distro would be to have some password reset program like chntpw is to windows sam analogy	16:17
gymdude	...I hope you understand what i am talking about and somebody that knows something about this elaborate on it	16:18
gymdude	...And what would happen if one booted from a live usb and deleted the shadow and password files from the etc folder. When the person booted up again I always wondered that but haven't got around to trying it or have a spare HDD right at the moment	16:26
joelio	gymdude: You're mixing several things there.. there are attibutes on the filesystem for ownership and modes	16:29
gymdude	right so if you deleted the shadow and passwd files what would happen	16:29
dr4c4n	gymdude:	16:30
joelio	gymdude: you wouldn't be able to login	16:30
dr4c4n	https://www.cyberciti.biz/tips/recovering-deleted-etcshadow-password-file.html	16:30
dr4c4n	the system would ask for maintenance root password	16:30
gymdude	for login you don't have any users totally blank or not there and even if you did replace it with failed users you still have to get the ownership , modes , : : : parts of it correct to	16:30
joelio	dr4c4n: where would it get the password from if you've deleted /etc/{passwd,shadow} ?	16:31
joelio	you boot into single user mode, or init bash - there's no password	16:31
joelio	gymdude: not following there	16:32
joelio	basically PAM is the major system here that deals with the UID/GID mapping on the files	16:33
joelio	now PAM is a pluggable system, so there are many backend supported, like ldap, kerberos, sssd etc	16:33
gymdude	wait if one rebooted there machine with out a shadow or password file what would happen would the linux os recreate just the basic root user with blank password , ask you to create a user , throw a error no user to login with ?	16:33
joelio	you need to go in single user and recreate the system for multi user	16:34
joelio	booting into init=/bin/bash literally drops you into bash shell	16:34
joelio	as root	16:34
gymdude	I get the software command you gave me can be used to recreate the barebones shadow or password files but that won't help you with all the other users , file attributes ,owners you have destroyed you have to create them all by hand / remember them thats if your lucky	16:35
joelio	gymdude: that's what backups are for.. but I'm not following what you're specifically trying to do :)	16:35
gymdude	But how can single user mode drop you into root you wiped root out because there is not users not even root because the password file is deleted	16:36
joelio	why not try it in a VM and find out	16:36
gymdude	But sure if it some how by dropping to single user mode gives you a root privilage then yes you should beable to addgroup,user, chown ,...etc to get what you want to some extent back	16:37
joelio	that's what single user mode is, root	16:37
joelio	full privilege	16:37
joelio	there are different levels of init in unix, multi-user is one of them	16:38
gymdude	So if any linux distro one can drop to single user mode then how is protect root password or other things doing anything	16:38
joelio	physical security, grub passwords, bios passwords etc etc	16:38
joelio	basically if someone can reboot your systems and has physical access, then the game can be over anyway	16:38
gymdude	One could always drop to single user mode create a sudo user that has root privilage and do pretty much what they want	16:39
joelio	if you can drop to single user mode, games over already, why bother with a sudo user?	16:39
iliv	gymdude not if you restrain physical access to your machines	16:39
joelio	security is like an onion, many layers	16:40
iliv	gymdude security can never be absolute. let that percolate in your mind for a moment.	16:40
joelio	yup	16:40
joelio	security vs. usability -- pick your point	16:40
joelio	most secure system is one turned off buried beneath 6 feet of concrete	16:40
joelio	not very usable though	16:40
gymdude	Ok well to get into single user mode you have to at least beable to customize the grub configuration files under boot which you cann't if you don't know the grub password or if you cann't privilage escalate to a user that can modify the /boot/grub files	16:42
iliv	gymdude there's also BIOS/EUFI password	16:42
joelio	and disk encryption, that requires unlocking	16:43
gymdude	Ya but bios passwords in general aren't a good idea or work for large companies because then they have to remember tons of different bios passwords. If they had them all the same one person leaking it would eventually have a bunch of people knowing it	16:44
joelio	no, not true, there are solutions for MDM fleet management	16:45
gymdude	And also the fact that if one forgot the bios password your screwed just basically smash your machine its done	16:45
joelio	no, not ture	16:45
joelio	*true - reset BIOS with a jumper	16:45
gymdude	....Usually companies are more concerned not with that but with securing there os they put on ... they already know that one with bios access could boot from a live distro and reformat or reinstall a different os's	16:46
gymdude	Well if the mobo had bios jumpers then why care about setting the password all a person would have to do is reset with the jumps defeating the purpose of the password	16:48
joelio	yea, it's just to stop walkby or maybe a random thief with no knowledge	16:48
joelio	nothing in security is absolute	16:48
gymdude	... All i am saying is securing at the bios level is really not a good way unless its a one shot thing where no jumpers or reset can be done	16:48
joelio	again, it's an ensemble of security practices that help, not one specific thing	16:49
gymdude	I get that one could make the motherboard to have a bios on a plug able bios pci like card so when the one shot is over they can just throw out the card and not the whole motherboard	16:50
joelio	well, your bios is in an EEPROM, so technically you can do that anyway	16:51
joelio	it's 'puggable' in that sense	16:52
gymdude	But its integrated on the mobo so your really destroying the whole motherboard if you destroy the bios for it currently	16:52
gymdude	That is a way for company computers to go thru less issue and still secure a bios password not having to worry about leaking because they can uses many different passwords and not worrying about forgetting one because they can just order another replacement bios for the problemed machine that one for gets the password from time to time	16:54
gymdude	...Because lets face it if the company computers cann't boot live alternative os because a bios password is set that cann't be figured out how could anybody modify anything on that computer ever	16:56
gymdude	...Never mind they could also take out the sata hard drive and replace it with there own as well	16:56
gymdude	So in this respect bios securing isn't really worth it	16:57
joelio	suer	16:58
gymdude	...So thats why companies just secure there computers/laptops os by disabling all there local admin's when the person is not on the domain. Which would prevent them from having enough privilage to change there local policy settings	16:59
joelio	maybe in windows land	17:02
joelio	When we roll out laptops for users, they get admin privileges, but we also use dm-crypt	17:03
joelio	we trust the users (mainly devs) to manage themselves, sudo on their own systems is fine	17:04
joelio	we're just concerned about the data, hence encyption policies	17:04
gymdude	Ya makes sense. Curious on linux is there away to do the equivalent of disabling all root privilaged accounts	17:06
gymdude	Like in windows disabling all local admin accounts	17:06
gymdude	for the sam file	17:06
gymdude	it just be for the shadow or passwd /etc files i would imagine	17:07
joelio	on linux, the only user priveleged is root	17:08
gymdude	not true there is different groups and privilage levels	17:08
gymdude	associated with them	17:08
joelio	different levels of access, not full privilege.	17:09
* joelio has been doing this 20 years		17:09
gymdude	ya but sudo users have full privilage as a root	17:10
joelio	no	17:10
joelio	sudo su -	17:10
joelio	yes, but sudo is very granular	17:10
joelio	you can choose a single command for example that a single user can run	17:10
joelio	look in /etc/sudoers	17:10
gymdude	ya but by default its usually set up when you sudo you sudo to root privlage	17:10
joelio	no, that's just you assuming	17:10
joelio	sudo su -	17:10
joelio	puts you in full root as you're running su	17:11
gymdude	su does to	17:11
joelio	su sets the super user, but you need to run sudo to escalate up	17:11
joelio	try and run su on a machine with no root password set	17:11
gymdude	if i su i just become root i don't need sudo su	17:11
joelio	as I said, try that on ubuntu	17:12
joelio	there is no password set for root, that's why during install it asks you for a user	17:12
genii	Default is no su, recommended is sudo -i for interactive, then exit when admin things are finished being done	17:12
joelio	no you can make it have a password, but default ubuntu has no password set	17:12
greyolla	Hi. So normalling ones setting ethtool settings in the interfaces but I'm testing out libteamd/teaming interfaces. Is there any existing tools that will help manage just ethtool settings (vs me just applying them manually)?	17:12
gymdude	super user is root right	17:13
greyolla	interfaces file	17:13
gymdude	ya su you need a password which fails if its not set up because of /etc file setup	17:13
joelio	greyolla: you can pass post-up commands in /etc/network/interfaces	17:13
joelio	that'll allow you to set at boot/interface bring up time	17:14
joelio	gymdude: UID0 is root :D	17:14
gymdude	ya got you on that	17:15
gymdude	why is it though one can do sudo apt-get and not sudo su first then apt-get install...etc	17:15
greyolla	teamd requires that the interfaces be off before joining them to the team interfaces. Using the interfaces file / ifupdown seems to auto up them before applying the setting. Is there a way to specify not to bring up the interface but apply the changes still?	17:15
joelio	greyolla: yes use manual	17:16
gymdude	I am wondering sudo executes commands under a different user but how do you know which user it is executing under	17:16
joelio	greyolla: iface eth0 inet manual ---- kinda thing	17:16
joelio	gymdude: sudo also logs auth escallation as well, when you go full root you lose some of that logging	17:17
gymdude	I could go sudo -u user1 apt-get install ... which would execute that command under user1	17:17
greyolla	I can set it to manual but the settings do not apply until I add "auto eth0" which brings up the interface	17:17
gymdude	i guess i am wondering what sudo defaults to if no switches are used is it root user	17:18
joelio	gymdude: just vanilla sudo {thing} will execute thing as uid 0 but you'll retain stuff like SUDO_USER env vars etc	17:19
joelio	so you know what user is executing even though they are doing something as root	17:19
gymdude	what take precedence the env SUDO_USER being set to something other then root which would make you have to do sudo -u root to get the equivalent of sudo	17:20
joelio	I'm not following, sorry	17:21
gymdude	If you set the SUDO_USER env to something does sudo uses that user by default other then 0 root user	17:21
gymdude	by default when you do sudo	17:21
joelio	the env vars are just used in whatever application needs them, they don't override the calling user from an ACL perspective	17:23
joelio	they're just handlers so an app knows who's instantiated it	17:23
gymdude	yes and that application could be for sudo itself	17:24
gymdude	so you can only have one and only one root account and by disabling this would be like the equivalent of disabling all local administrators is that correct	17:26
gymdude	so one only needs to disable root user	17:26
joelio	no	17:27
joelio	you need uid 0	17:27
joelio	there is (generally) only one root user, the others all escalate their CAPS depending on what's set	17:27
gymdude	But if there is no root how can there be any uid 0 or person using it	17:27
joelio	uid0 == root	17:28
joelio	I'm going home now anyway, enjoy :)	17:28
gymdude	right	17:28
tarpman	gymdude: there has to be root. if you remove (or change) the definition of root in /etc/passwd your entire system will break	17:28
gymdude	So then how does one prevent all users from privilage escalation to uid0	17:29
tarpman	gymdude: in any case, uid 0 is what's special. uid 0 is the superuser regardless of what name /etc/passwd assigns it	17:29
joelio	gymdude: they're not in the sudo group, or not set in sudoers	17:29
joelio	by default	17:29
joelio	you have to add them to sudo (wheel) group or add them in sudoers	17:29
joelio	when you install ubuntu the user is added with sudo group membership automatically	17:29
sypher	The default sudo group is named "sudo," not wheel. Wheel is a Red Hat/BSD-ism.	17:30
joelio	if you add a user manually, they're not added	17:30
joelio	you have to gpasswd -a {user} sudo --- or add to /etc/sudoers etc	17:30
joelio	sypher: I know that	17:30
* sypher shrugs. "Just being clear."		17:30
gymdude	O ok so if i just adduser it won't beable to sudo to uid unless i add it to the group sudo or place the user in the sudoer file	17:31
joelio	exactamundo	17:31
joelio	you'll get an error saying the user is not in the sudoers file	17:32
joelio	and it'll mail root (or whatever the admin email is set to) about the violation	17:32
joelio	sane defaults ftw	17:32
gymdude	Got it now i see so then how is user 1 and user 2 which are in different none sudo groups have different privilages/access levels... is the file system storing the gid and uid exceptable to access the file or resource	17:33
joelio	the filesystem has attributes for storing the file owner/group	17:34
tarpman	gymdude: yes. every file or directory has permissions for a specific user (the owner), a specific group (the owning group), and everyone else	17:34
tarpman	gymdude: see https://en.wikipedia.org/wiki/File_system_permissions#Traditional_Unix_permissions	17:34
joelio	in fact there are a lot of attrivutes it stores	17:34
tarpman	gymdude: and https://en.wikipedia.org/wiki/Modes_(Unix)	17:34
gymdude	This is for HDD resource how does the os keep track of memory blocks a user or group has access to . Because you have 2 main resources HDD and memory	17:37
joelio	CAPS	17:37
gymdude	Since device drivers are controlled via files , programs thats taken care of by HDD resources	17:37
joelio	along with loads of other ways :)	17:37
joelio	"Everything is a file"	17:38
joelio	down the rabbit hole - http://man7.org/linux/man-pages/man7/capabilities.7.html	17:38
gymdude	GDT , paging ,...etc doesn't take into account the user or group just weather the program itself stays with in its memory allocation/ memory resources	17:39
gymdude	so if one can run the program it doesn't care what user or group ran it	17:39
gymdude	So what i am getting at is how can one user have permission to access memory and another user cann't access that same memory or is that even ever considered	17:40
joelio	well, the kernel manages some part, but the memory management will happen inside a program.. Hence why there are hacks like heartbleed.. bad memory management	17:40
joelio	and why rust is awesome	17:41
joelio	there are 'mitigations' in the kernel which subert this, memory address randomisation, stack protection etc	17:42
gymdude	...well what i was wondering is they any way directly to restrict particular users or groups to certain memory	17:42
joelio	(ironic as I'm building grsec kernel atm too)	17:42
joelio	it's restircted by default	17:42
gymdude	Obviously indirectly thru program itself or file permissions	17:42
joelio	not sure what you mean by 'certain memory'	17:43
sypher	A user cannot access memory allocated by programs run by other users, with the obvious exception of root.	17:43
gymdude	the memory manager at the kernel or user level doesn't care at a user or group level	17:44
joelio	unless it's a badly written program that reads/writes to an area of memory it shouldn't aka a hack	17:44
gymdude	it only cares about if the block is marked shared , private,...etc	17:44
tarpman	gymdude: a process can only access its own memory. if it tries to access another process' memory, that's a segmentation fault.	17:45
tarpman	gymdude: is there something you're trying to figure out or accomplish that's leading you to all these questions? I have a feeling you're going in a particular direction, but I can't figure out what that direction is	17:45
gymdude	ya got that so its more securing users and groups thru file permissions then thru what user access memory	17:45
gymdude	And the memory manager only cares to keep programs/process separate so they don't violate one another	17:46
joelio	there's no real 'memory manager' as it were too, malloc and stuff sure but not in the kernel, not in that sense anyway. Programs themselves manage their memory, depending on what language you use you may have to manage it, it could be manageg for you, it might use garbage collection etc etc	17:47
tarpman	joelio: there is absolutely a memory manager in the kernel, translating physical addresses to virtual ones and managing which pages are allocated to which processes	17:48
gymdude	in the task_struct of the kernel there is a memory substructure it uses but thats just to check if the task running can access this memory... is sharable block ,..etc	17:48
joelio	tarpman: I mean in the sense that gymdude was describing	17:48
joelio	tarpman: aware of that, otherwise how would KSM work ;)	17:49
gymdude	fs_struct is the substructure for what files the process uses , weather there locked ,..etc and the HDD file system contains the permissions/privilages for the user/groups for accessing/denying them	17:49
gymdude	So permissions and privilages are all part of the HDD drive nothing more	17:50
joelio	righ	17:50
gymdude	regardless of what os's for the most part	17:50
sypher	This is why physical access to a system can render the majority of security protections immediately moot.	17:51
joelio	righ	17:51
joelio	right, time to go home, laters :)	17:51
gymdude	unless of course they put more into a sub structure of the task_struct for process	17:51
gymdude	at some point	17:51
gymdude	either way that wouldn't be worth it because you be chewing up memory at the same time as needing it stored on the HDD for permissions to be persistant over boot ups	17:53
gymdude	so not really a point to put it in the task_struct for individual user or groups so much	17:54
gymdude	...That gets me to another point if you cann't get root privilages cann't you always boot a live cd and change the permission of the file you want to access without even having to mess with the passwd file or user anyway just change it to user 1 as owner instead of root on the HDD drive ...	17:55
gymdude	provided you know where on the ext 4 or so you need to change to do this	17:56
tarpman	yes. as sypher said, physical access lets you do pretty much anything	17:56
gymdude	equivalent of sudo chown ... but directly modifying HDD bits	17:56
tarpman	that sounds like a lot of effort. I'd boot a liveCD/liveUSB and use chown :P	17:57
tarpman	or use passwd and reset the root password, or, or, or, ...	17:57
sypher	gymdude: I feel compelled to observe that you're going through an awful lot of effort to appear knowledgeable about disk and memory data structures, without even a basic understanding of how permissions are managed by the system itself. This seems... backwards.	17:57
tarpman	indeed	17:58
gymdude	ya your right i am over complicating things	17:59
sypher	gymdude: If I had a recommendation, it would be to set aside what you think you know about how these data structures function, and start at the foundations. Learn the operating system and how permissions and privileges are managed. Only then can you put the more advanced topics in the proper context.	17:59
sypher	gymdude: To be clear, I'm not trying to offend or otherwise demean. I do, however, have a number of years' experience teaching these sorts of topics, and I don't want you to trip yourself up while you're trying to learn.	18:00
gymdude	there managed by the file system driver program	18:00
gymdude	and the ext4 file structure	18:01
gymdude	or in general the file system driver and file structure	18:01
gymdude	Just different file systems store the permissions and privilages in different ways i.e registers , databases , cluster fields for fat , ntfs MFT or directory entries	18:02
gymdude	just over thinking it thanks	18:03
genii	Might want to read http://tldp.org/HOWTO/html_single/Security-HOWTO/	18:07
gymdude	And LSA secrets whas before the invention of syskey for encrypting the same either way one can obtain these with bkhive and other register scrubbing programs	18:24
gymdude	But i am curious if one has bitlocker or whole HDD encryption How can one ever do password reset thru bkhive, chntpw ,...etc like programs	18:25
sypher	gymdude: Without the key, you don't.	18:25
gymdude	but wait whole drive encryption or bitlocker encryption doesn't encrypt the system partition and thats where the sam file is so one should beable to password rest a user without decrypting the data paritions	18:29
gymdude	So adds no additional difficulty in changing the sam or changing passwords for the user	18:30
gymdude	i would think	18:30
gymdude	kind of confused on this if the system files aren;t encrypted and its not at the bios level for decrypting the HDD then how is it going to provided any more security	18:31
tarpman	gymdude: maybe there's a channel for discussing bitlocker and windows security, but I don't think this is it	18:32
gymdude	ok last question if one did change the sam file with an encrypted drive what would happen the partition isn't being encrypted just the data so the os should boot and you should beable to change the password to use the machine except it won't decrypt your other paritions	18:33
gymdude	...so you won't get the data but you should beable to get a usable working os's	18:34
sarnold	if you want a usable working OS just stick in a USB stick or something	18:34
gymdude	true good point	18:35
sypher	gymdude: None of this is on topic for this channel, so we're clear.	18:35
gymdude	but was curious of that	18:35
tarpman	gymdude: depends entirely on which partitions you encrypt. if / and /home are on different partitions, and you encrypt /home but not /, then yes, you'd have a working system but no access to data	18:35
asrockus	hola	18:35
asrockus	hay algn canal de ubuntu server español ?	18:35
sypher	If he's discussing SAM files, he's not talking about Ubuntu (or any Linux) anymore.	18:35
tarpman	gymdude: ... but in that case you'd also have a perfect opportunity to sneak in a rootkit or something. so IMO you want to encrypt everything, all of /	18:35
sypher	!es	18:36
ubottu	En la mayoría de los canales de Ubuntu, se habla sólo en inglés. Si busca ayuda en español entre al canal #ubuntu-es; escriba " /join #ubuntu-es " (sin comillas) y presione intro.	18:36
sarnold	asrockus: #ubuntu-es XD	18:36
asrockus	sarnold muchas gracias !	18:36
sarnold	de nada :D	18:36
asrockus	xD	18:37
gymdude	but can you encrypt the system paritions as well thus the complete HDD and have the bios some how decrypt and encrypt the whole thing at boot up so its like boot up---> decrypt os system paritions ---> decrypt data partitions/others --> run the os	18:37
asrockus	estoy tratando de configurar ubuntu server pero se me es muy complicado jajaja	18:38
gymdude	Because thats the only true way to stop password resets or any uses of that particular installment to the person that has the key	18:38
sypher	gymdude: It doesn't decrypt it on the disk at all. Data read is decrypted in memory, data written is automatically encrypted on write.	18:38
tarpman	gymdude: not that I know of. every setup I've seen, you need the bootloader and /boot (kernel and initramfs) available and not encrypted	18:38
tarpman	gymdude: if you want to ensure no one has snuck a rootkit into your bootloader or kernel, you're looking at TPM and/or Secure Boot	18:38
sypher	tarpman: Newer versions of grub support an encrypted /boot.	18:38
tarpman	sypher: nifty! noted, will look into that	18:39
tarpman	so s/bootloader or kernel/bootloader/ above :)	18:39
gymdude	but for going one level higher encrypting / that would take firmware or bios to do it	18:39
gymdude	just curious if they have that	18:39
tarpman	gymdude: no, encrypting / does not require firmware support	18:39
sypher	gymdude: No, it would take a bootloader, which is ... what I just said.	18:39
gymdude	its definitely not need in most cases over kill just curious	18:40
sypher	It's not overkill at all.	18:40
sypher	gymdude: Where are you getting these opinions/observations?	18:40
gymdude	No i meant not / but the whole HDD when i said that so MBR and partition tables encrypted	18:40
gymdude	to	18:41
tomreyn	it's possible, but involves manual adjustments and it's easy to break it. http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/	18:41
tomreyn	this is not with "secureboot" / TPM involved, though, though this may also be possible.	18:42
gymdude	ya i get you but i was think more local not thru a network resource just a whole internal HDD being encrypted by itself standalone	18:42
gymdude	that link isn't quiet that	18:42
sypher	gymdude: It's recommended that you create one container partition for the encrypted data, then store everything else insite that container.	18:42
sypher	Trying to just encrypt a whole disk device is a recipe for something between aggravation and disaster.	18:43
tomreyn	gymdude: if you're tlaking self-encrypting storage media (so, in hardware / drive / controlelr firmware), this would be something for ##hardware rather than here.	18:44
gymdude	so you basically have grub unencrypted but password protected and the other paritions holding different os with data and system files or other thing completely encrypted	18:44
gymdude	But your still relying on the boot loader at the top level being unencrypted	18:44
tarpman	which is why I was talking about secure boot - to ensure the boot loader stays trustworthy	18:44
sypher	That's really the only good way to do it.	18:45
gymdude	... I want to know if there is away to complete encrypt that to and do the encryption / decryption of the boot loader from the bios or firmware level thus making it one layer more secure	18:45
gymdude	what does secure boot do	18:45
tarpman	one layer more secure? one layer more fragile, more like	18:45
tarpman	gymdude: don't make me LMGTFY you.	18:45
sypher	gymdude: You really are taking this to an extreme without understanding any of the components.	18:46
tarpman	gymdude: go away and read every single post on mjg59.dreamwidth.org and then come back and we can talk	18:46
sypher	gymdude: And from the tone of the responses you're getting, I'm not the only one getting a bit annoyed by the fact that you're not doing your own homework/learning.	18:46
gymdude	I just wondering if manufactures ever made one not it would be useful as much more for research	18:46
sarnold	gymdude: many hard drives have variants that support on-disk encryption. Most people don't trust these drives entirelly because firmware authors have a tendency to suck at their jobs and write terrible firmware, but it is an option	18:46
tarpman	don't get me wrong, I love talking about this stuff	18:46
sypher	sarnold: 100% truth, there...	18:47
sypher	tarpman: pm okay?	18:48
tomreyn	this discusses the "secure boot" process http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot	18:48
tarpman	sypher: yeah, I'll take the noise elsewhere. sorry.	18:48
gymdude	O ya secure boot is the bios thing i am talking about to some extent	18:51
teward	sarnold: ping	19:25
teward	sarnold: http://paste.ubuntu.com/23834943/	19:25
sarnold	teward: excellent! :D	19:27
teward	sarnold: so we know it builds here right	19:27
teward	so now I can work on the merge.	19:27
teward	... but not this weekend	19:27
teward	got plans	19:28
teward	sarnold: so yes, at least the executable and such is all PIE/PIC enabled	19:28
teward	but I did have to compile it with -fPIC flags to make it obey for the module builds :/	19:28
teward	sarnold: is there a reason dpkg-buildflags' CPPFLAGS or CFLAGS, when +pie is enabled in the hardening flags, that it *doesn't* put -fPIC into the flags?	19:29
teward	a security-specific reason	19:29
sarnold	teward: PIC forces a huge number of variable refernces through the global offset table. or procedure linkage table. Or something like that. It typically introduces a larger performance penalty.	19:30
sarnold	teward: but there's possible changes afoot. see the huge thread here, and especially the paper https://sourceware.org/ml/libc-alpha/2016-12/msg00954.html	19:31
ubottu	sourceware.org bug 2016 in libc "argp --help infloop, via ARGP_HELP_FMT envvar" [Normal,Reopened]	19:31
sarnold	ubottu: shush you got it wrong	19:32
ubottu	sarnold: I am only a bot, please don't think I'm intelligent :)	19:32
teward	sarnold: ah, OK. I have no choice but to either enable PIC with PIE, or disable PIE altogether for the merge	19:38
teward	and I presume you would rater PIE+PIC than -PIE	19:38
sarnold	teward: absolutely	19:38
teward	OK	19:38
teward	we'll add that to release notes then about the potential performance hit	19:39
sarnold	it might be worth benchmarking it first :)	19:39
teward	if I get it in before FF	19:39
sarnold	x86 will probably suffer more than x86-64	19:39
teward	sarnold: we already have this issue noted with +PIE since Xenial	19:39
teward	and others	19:39
teward	I don't have a choice here, though, on building. It's either +PIE+PIC or -PIE.	19:39
teward	performance impacts aside	19:40
teward	(since most server installs I know of are 64bit, I'm less concerned about i386)	19:40
teward	i think this was discussed a long while ago when we first got the request to turn on PIE on it	19:40
teward	sarnold: I'm more inclined to just enable it and make a note there may be a performance impact, especially on 32bit.	19:46
teward	since +PIE+PIC is better than not having either	19:46
teward	sarnold: at least, according to you. If they get changes working that'd be great	19:48
teward	to reduce that impact for fPIC, but apparently it's needed for nginx currently.	19:48
sarnold	teward: works for me. typically if someone really cares about eeking out the last few percentages of performance, they'll recompile with their specific architecture in the compilation flags and use profile-driven optimizations anyway. they can do what they want with the pic/pie on their own systems. :D	19:49
teward	yup	19:50
teward	sarnold: that's the argument we made when we enabled PIE in the builds for Trusty or something	19:51
teward	'twas a feature request :P	19:51
teward	but got it approved	19:51
sarnold	woot	19:51
teward	and we'll make sure to make a note in the release options	19:51
teward	s/options/notes/	19:51
teward	this weekend I have plans though so it's a "Not caring much" weekend :P	19:51
sarnold	FF is still ages away, no real rush yet :)	19:52
teward	sarnold: well, i have other obligations too, time wise	19:53
teward	so :P	19:53
teward	but the hard part is done	19:53
teward	the PPA builds as-is are Debian, so I just have to add the Ubuntu delta to that	19:53
teward	though I think I found a critical install-from-scratch bug	19:53
teward	so i have to test that further	19:53
gymdude	also curious how does the andriod linux os on a phone do set it up so there is no root user?	20:04
gymdude	Linked with the uid 0	20:04
tarpman	gymdude: sounds like a question for #android	20:04
gymdude	but its a general unix/linux os question	20:05
tarpman	this is #ubuntu-server, not #general-unix-linux-os-questions	20:05
gymdude	like how to remove root	20:05
Pici	or ##linux	20:05
gymdude	obviously you cann't remove uid 0 but the username associated with it seems to be	20:05
gymdude	so how do you disassociated any username with uid 0	20:06
gymdude	another words	20:06
tarpman	my android phone certainly seems to have uid 0 named 'root'	20:06
tarpman	'id root' says uid=0(root) gid=0(root) groups=0(root)	20:06
gymdude	that would answer my question in general for any unix/linux like os weather it be for a phone/embedded device or for a compute	20:06
gymdude	r	20:06
gymdude	So then whats stopping you from rooting or sudo su to the root?	20:07
tarpman	there's definitely no sudo on my phone	20:08
gymdude	If you copy over a sudo program	20:08
tarpman	and su - I don't think root has a password, and if it does I don't know it	20:08
tarpman	if I copy over a sudo program, I have to be root in order to set the suid bit	20:08
gymdude	Ya so how does one copy over a sudo or any program and set it to an owner of root uid 0 without actually being able to sudo chmod , chown ,..etc	20:11
* lynorian wishes she understood what these flags were		20:12
tarpman	you don't :) that's the whole point	20:12
tarpman	lynxman: which ones? suid/sgid?	20:12
tarpman	lynxman: excuse me	20:12
tarpman	lynorian: ^	20:12
lynorian	tarpman, That was not in response to you sorry I was scrolled up	20:13
gymdude	you should beable to edit the sudoer and other files in /etc if you go from a live cd right	20:14
tarpman	gymdude: sure	20:14
gymdude	O but these parititions are internal so you would kind of need an adb to connect to which is not at uid 0 privilage level anyway	20:15
tarpman	right, adb doesn't give you a root shell unless the phone is already rooted/otherwise had 'adb root' enabled	20:16
sypher	How is this related to Ubuntu server support?	20:17
gymdude	so how does one enable adb root	20:17
sypher	Please take this to offtopic.	20:17
genii	Alternately, #android or #android-root	20:17
sypher	or that.	20:17
gymdude	why cann't you just leave the sudo , su programs on the sd card and change them to the right permission with your live cd distro	20:19
gymdude	...Why do they need to be executed under the internal paritions thru adb	20:19
gymdude	shell	20:19
gymdude	in the first place	20:19
sarnold	gymdude: man 8 mount -- look for nosuid	20:21
gymdude	O wait the terminal your going to need to execute them in would need to be thru adb never mind. So the only true way is to fastboot to an image file ... then mount the imagine changing the permissions and reflash it	20:21
sarnold	gymdude: of course modern androids also use selinux to further confine processes beyond the usual unix security model	20:22
sypher	Guys, please. This is off-topic for this channel. Please find a more suitable forum.	20:22

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!