[00:00] so nice [00:00] crystal clear text [00:00] everything is logical minimal effective [00:03] hehehe: you shouldn't use tcp sockets; that again allows all processes on the local machine to run arbitrary php in the context of the FPM process [00:04] i use file socket [00:04] good keep it that way :D [00:04] sarnold: but where is mistake solution! :D [00:04] haha [00:05] and why would tcp sockets allow any proccess to run arb php? [00:05] is there a datagram for it? [00:05] to visualise [00:05] there's no access controls on tcp sockets [00:05] unix domain sockets do have access controls [00:06] ok such as file permissions [00:06] so if you wanted to constrain access to the tcp sockets you'd need to add that yourself via iptables [00:06] so user is www:data and nginx user is www:data [00:06] but say if someone hijack local process via bug [00:07] can you explain more [00:07] what happens then? [00:08] https://dt-cdn.net/wp-content/uploads/2014/10/FirstFastCGIrequest.png [00:08] niceee [00:08] if a local process is hijacked then the hijacker can perform all operations that the process is allowed to do: read/write to open file descriptors, filesystem access, all syscalls with capabilities of the process, etc.. [00:08] and if that allows connect(localhost, 9000) kinds of operations, then it can send essentuially arbitrary php to the fpm system [00:09] emm [00:09] what kind of local process can do all that [00:09] its kinda tricky to hijack such process [00:10] ll /run/php/ | grep php [00:10] -rw-r--r-- 1 root root 5 Jun 13 01:40 php7.0-fpm.pid [00:11] maybe socket died? [00:14] sarnold: issue seems mostly with that dude idea to give file ownership to root:www-data [00:14] it then tries to serve html [00:15] which indicates it cant communicate with php [00:15] or lets say nginx www:data sends request to php fpm and then on a way back something happen [00:41] coreycb: seeing as you Touched It Last: https://launchpad.net/ubuntu/+source/python-pika-pool/0.1.3-1ubuntu2 [05:57] nacc: thanks for your work on this - much appreciated [05:57] nacc: I'd go with the upstream test suites; the earlier this gets landed into artful, the more general testing it will get [07:41] can I concat two repositories when using debmirror to make local mirror? [10:10] is there cacti 1.1.10 available for ubuntu xenial? [12:16] jamespage: do you have a PPA with horizon 10.0.4 somewhere (uca newton)? I tried building locally, but seeing issues with the compress jobs when installing [12:25] frickler: lemme see - I think I deleted my testing ppa once I uploaded for SRU team review [12:26] hmm yeah I did tidy that one up [12:26] frickler: I can shove it somewhere for you if you need it [12:28] frickler: ppa:james-page/newton [12:28] frickler: its a trickier one to build from source due to the multiple orig tarballs thingmy [12:29] jamespage: yeah, I know, its the only package I'm needing sbuild for, but the result still doesn't work for me [12:34] hello server gangsters [12:34] :) [12:34] mwhudson: +1 thanks for letting me know [12:36] I implemented htst [12:36] HSTS [12:36] however nginx also allows to use return 301 https://www $request_uri; [12:36] to sent all requests to https [12:37] so whats the advantage of hsts in such case? [12:37] hi zhhuabj :) [12:38] hehehe: The advantage is that clients ask themselves for https, instead of the server telling them they should go there. [12:39] lordievader: hmm the dude who helped me with nginx told me to use both? [12:39] does it make sense? [12:39] *told me to use both [12:39] hehehe: If you have a man-in-the-middle pretending to be your website, hsts helps, your approach does not help in that case. [12:39] Yes, it makes sense to use both. [12:40] ok I see - first request is http and then it goes to https unless strict http reject all http right? [12:40] and also what are OWASP Secure Headers Project for? :) [12:42] How it goes in this scenario, a browser reaches your website, the server tells the client to go to https. Then hsts tells the browser to only reach this website over https in the future. [12:44] oki [12:44] so if they using site for first time max security comes when site is on distributed preload list [12:45] lordievader: any drawbacks with using hsts? [12:45] potential issues? :D [12:46] You have to make sure your https works. If it is broken you cannot simply switch back to http. [12:46] Ssllabs has some nice tests for this sort of stuff. [12:46] https://www.ssllabs.com/ [12:48] cool [12:48] yes https works here [12:50] I read some nginx howto and its like blank for me :D [12:50] even after re reading [12:52] frickler: did you see [12:52] CommandError: An error occurred during rendering /usr/share/openstack-dashboard/openstack_dashboard/templates/horizon/_scripts.html: '\"../bower_components/respond/dest/respond.min.js\"' isn't accessible via COMPRESS_URL ('/horizon/static/') and can't be compressed [12:55] $fastcgi_script_name [12:55] This variable is equal to the URI request or, if if the URI concludes with a forward slash, then the URI request plus the name of the index file given by fastcgi_index - makes sense but what is user wont use concluding slash? [12:55] then site wont server say index.php? [12:55] *serve [12:55] jamespage: exactly [12:56] while upgrading from 10.0.3 or on a fresh install with 10.0.4 directly [12:58] hehehe: I don't understand the question. [13:00] ok [13:01] lordievader: if u read info I pasted it seems fastscgi parama fastcgi_script_name servers index file in a dir only if directory is /dir/ and not /dir? [13:01] *serves [13:02] It does read that way, yes. [13:03] frickler: looking now but I suspect its some sort of transient dep issue with the way the xstatic bundle is created [13:04] lordievader: but that is an issue as many people will type www.xexy.com and not www.xexy.com/ [13:04] how to solve it? :) [13:05] hehehe: Have you verified if this is actually the case? Wouldn't be surprised if the wording is just a tad confusing and no problem actually occuring. [13:06] lordievader: well somehow it works without closing / but then its kinda contradicts wording [13:06] hehehe: Submit a patch ;) [13:06] also I discovered why I failed to generate lets encrypt cert before on 1 box [13:06] I had ngix setting to dissallow access to all . files [13:06] :D [13:07] location ~ /\. { [13:07] deny all; [13:07] and I did not add location ~ /\.well-known\/acme-challenge { [13:07] allow all; [13:07] } [13:07] :))) [13:11] frickler: building a revised version in ppa:james-page/newton2 [13:13] jamespage: so you did see that error with your package, too? that would imply that my building foo isn't quite as bad as I'm thinking ;) [13:19] frickler: I did [13:19] frickler: the refresh-xstatic helper does not limit upper bounds when creating the xstatic tarball. [13:20] frickler: so I suspect something broke in the xstatic depends versions/deps [13:24] why are my lvm volumes not activated after reboot? this is new here since systemd [13:25] i'm not sure how to do it right [13:25] is there some special systemd service I have to enable to use lvm2? [13:30] Aison: did you upgrade? [13:33] ronator, I just try to upgrade [13:33] usually, an upgrade should convert start scripts to systemd - let me check here ... [13:35] Aison: this won't really help but you are not alone: https://serverfault.com/questions/199185/logical-volumes-are-inactive-at-boot-time#200580 [13:40] frickler: the one in newton2 works OK - I basically copied forward the 10.0.3 orig-static.tar.gz [13:40] 10.0.4-0ubuntu1 was rejected from the UNAPPROVED queue - will upload with the older renamed tarball to avoid the break [13:41] frickler: need to update the refresh process to use upper-constraints [13:42] Aison: Do you have a "lvm2-monitor.service" anywhere on your system? I have on ubuntu server 16.04.2 these in /lib/systemd/system: lvm2-lvmetad.service, lvm2-lvmetad.socket, lvm2-lvmpolld.service, lvm2-lvmpolld.socket, lvm2-monitor.service, lvm2-pvscan@.service, lvm2.service [13:43] Aison: if you dont, this could be a reason but I do not know your whole system history :D [13:43] Aison: maybe look also for help in chan #systemd? === Tm_K is now known as Tm_T [13:47] jamespage: cool, thx [14:01] ronator, just checking... [14:03] ronator, lvm2-monitor.service was already enabled [14:03] jamespage: confirmed the newton2 build works fine for me, thx again [14:04] "systemd-analyze" is a great command, maybe read about it and see if you can find the problem ?!? [14:04] @ Aison [14:04] maybe the problem is, that /var is on lvm device? [14:05] well, if thats the case, there should be logs about it, like in "dmesg" or syslog [14:05] is the system booting fast? [14:06] considerable? [14:06] 'systemd-analyze blame' can show you where systemd spends most time on while booting; may be of help ... [14:08] ronator, no, it hangs at mounting the lvm devices for 90seconds [14:08] then I can enter the admin password [14:10] ronator, in #systemd they tell me to mount /var in initrd [14:10] how to do that with ubuntu?!? never changed my initrd [14:11] I read it ... [14:12] I thought in initrd it is also done by systemd [14:13] I am not sure how he/she meant it, that's why I kept silent to see if I can also learn sth. :D [14:15] Aison: let's see if he gives an example. should be possible to apply that to ubuntu similiarly [14:18] initrd is required only to host tools required to mount root. why would you want to mount var in it? [14:26] hi guys, im investigating an issue on my server. i have dovecot service running and it kept telling me that a user i created tries to connect every minute at around the same second-value. i therefore did a "netstat -nputw | grep :25" which shows me a TIME_WAIT: "tcp 0 0 127.0.0.1:49190 127.0.0.1:25 TIME_WAIT -" is there a way to determine what process belonged to 49190 prior to the [14:26] time_WAIT [14:29] I also think my ssd is broken.... [14:29] fallentree: that was a suggestion from #systemd due to not mounted /var LVM device after reboot [14:29] Aison: you should check thta first :) [14:29] hehe [14:30] it's a stupid suggestion (and no wonder it comes from systemd). [14:31] macskay: probably not, btw dovecot has nothing to do with port 25 === Guest6511 is now known as med_ [14:39] hi fallentree :) [14:39] fallentree: I nearly made your suggestion work, but something is yet to work :) I think it may work soon [14:42] fallentree: if I add root to www-data group I also need to change socket ownership right? [14:42] or not [14:42] nah [14:42] I am just figuring out why its yet to work [14:45] why would you add root to www-data group? [14:45] root is omnipotent you don't need to add it to a group [14:45] fallentree: whats what u said yesterday [14:45] I was also wondering wtf is that [14:45] :D [14:46] I never said add root to www-data [14:48] I may have said you chown root:www-data /, so that 750 on dirs and 640 on files can work, assuming nignx runs as www-data. [14:48] the better setup is where the files are owned by root, in group www-data [14:48] I also may've said if you needed sftp access, you add nginx user and php-fpm user into the sftp user's group [14:48] yes I misunderstood [14:49] anyway I done chown [14:49] and [14:49] https://paste.ngx.cc/9d [14:50] hehehe: so, is EVERY component in the path /home/op/gd.com/* readable to the nginx user? [14:51] component means file? [14:51] every element of the path [14:51] home, op, gd.com, anything under gd.com [14:52] hmm [14:52] I dont know [14:52] since after chown root:www-data www-data dont own da files [14:53] according to new permissions it would have to be a group member [14:53] :) [14:53] going to add it to a group [14:54] right, and that's why g+r is required so g (in this case www-data, for root:www-data owned paths) [14:54] adding WHAT to WHICH group? [14:54] g +r means? [14:54] readable to group [14:54] (check chown manpage) [14:54] ok 1 moment [14:55] btw is "op" is some user and /home/op is its home dir, then you have a problem there [14:56] first, having root:www-data owned files in op's home makes zero sense [14:56] its not a user [14:56] its a simple directory [14:56] so what's inside /home/op except gd.com ? [14:56] nothing [14:56] just gd.com [14:57] in fact I will double check now [14:57] yes thats it [14:57] right, so, chmod 755 /home, chmod 755 /home/op, chown -R root:www-data /home/op/gd.com [14:58] and use whatever method you're comfortable with to set dirs to 750 and files to 640, under (and including) /home/op/gd.com [14:58] like, find /home/op/gd.com/ -type f -exec chmod 640 {} \; [14:58] yes I done find stuff [14:58] and find /home/op/gd.com/ -type d -exec chmod 750 {} \; [14:59] however chmod 755 /home why? [14:59] there may be other users stuff, its not a problem? [14:59] because it'd default directory for user accounts and in itself should be accessible to all users [14:59] oki [14:59] *it's [15:00] /home should be world accessible, but individual paths in home, assuming user home dirs, should not [15:00] but since you said op is not a user... well... you're going against standards. better put root owned sites under /var/www [15:00] yes later I can do that [15:01] my friend said if I put in home it can fool some crackers [15:01] making it harder to hack lol [15:01] that's stupid [15:01] yes by now it seems stupid === danpawlik is now known as _danpawlik [15:03] ok nearly there [15:03] chown -R root:www-data /home/op/gd.com - this command permits what? [15:04] it simply changes ownership [15:04] ok [15:04] it recursively sets ownership to root:www-data to all files and folders under (and including) gd.com [15:04] check the manpage [15:04] `man chpown` [15:04] the manuals are you best friends. [15:05] ok so only thing I did not do before was to set 755 to op dir [15:05] I set is to 750 [15:05] that caused issue right? [15:05] depends on who owned it [15:06] it was owned by root:www-data [15:06] that's accessible to www-data group [15:06] fallentree: that is clear, but how nginx www-data user is accessing it? he is member of www-data group by default? [15:07] I am getting some hackers guide to servers soon :D [15:08] also system/storage/modification/ is not writable. open cart want some directories writeable but by whom? [15:08] group? [15:08] use `id www-data` to check that. `man id` for more info on the command. [15:08] so simple [15:09] awesome [15:09] :) [15:14] fallentree: also for extra security set config.php to 440? [15:14] or no need since if root is hacked it wont do anything anyway [15:14] :) [15:14] so 640 is as secure [15:16] if root is hacked, all bets are off [15:16] ye [15:17] dirs that app want to be writeable have to be set to 770? [15:17] read write execute [15:17] it's another layer of security. [15:17] fallentree: what is? [15:17] chmod 440 instead 640 [15:17] that is, u-w [15:17] fallentree: what makes it extra layer? [15:18] that root can't write it without chmodding it first [15:18] there are classes of RCE which can try append/modify a file or mmap, but can't execute a chmod [15:18] RCE? [15:19] so every protection counts, every little detail is important. if you can 440, then do it. [15:19] Remote code Execution [15:19] yes I can do it [15:19] fallentree: also open cart wants some dirs writeable by group is that normal safe practise? [15:20] I think yes its for cache and images etc [15:20] sure, file uploads for example [15:20] yeah cache and other stuff generated by php [15:20] but those paths are most frequently abused to upload and execute PHP code [15:21] well what can be done to null such attemps? [15:21] best thing would be to be extra sure that the web server won't call the PHP handler from those paths [15:23] that can be done in php config file right? [15:23] no, in nginx [15:23] do you know how to do it? [15:24] it depends on the directory structure and many other factors [15:24] I have no idea what opencart has [15:25] cool [15:25] I am also installing metasploiter [15:25] to check site for common holes [15:25] if any [15:25] nice. I have to go now, bbl [15:26] cool [15:26] overall folks its better to hire sysadmin from same country and log all stuff on server? [15:27] cause some hire remote sysadmins from say bangladesh - if there is arguments etc he can simply screw server [15:27] cause who is going to go there to locate him etc :D [15:49] jamespage: ack, i'll just check the manpages and stuff and then uplod today, probably [15:51] any advice to upgrade to pbuilder 0.228.7 on Xenial? [15:54] maybe, backport from Zesty? [15:57] nacc, ping. [15:57] http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html [15:57] can you explain to me why open-iscsi would be stuck in proposed ? [15:57] smoser: pong [15:57] oh... no -udebs. hmmm. [15:57] libisns0 is avialable [15:57] at needed version, but no -udeb i guess ? [15:57] smoser: there's a MIR filed [15:57] smoser: it's c-m [15:58] smoser: LP: #1689963 [15:58] Launchpad bug 1689963 in open-isns (Ubuntu) "[MIR] open-isns" [Undecided,New] https://launchpad.net/bugs/1689963 [16:00] nacc, thanks. [16:00] smoser: np [16:37] nacc: great thankyou! [16:37] jamespage: np [16:53] seems nice [16:53] who here used it? [16:53] https://book.serversforhackers.com/ :) === hehehe is now known as hehehe_offline [17:10] pbuilder backport for Xenial: https://paste.debian.net/plain/971347 [17:11] ChmEarl: wrong channel? ... === JanC_ is now known as JanC [17:25] hi [17:49] jamespage: the biggest thing from the updated celery that will probably get hit is that many of the commands (celeryd, celerybeat, celeryd-multi) are gone. REplaced by `celery` subcommands (worker, beat and multi respectively) -- not sure if that matters for openstack itself or not [18:11] I'm trying to figure out how in the world to change both the hostname and fqdn on my ubuntu server box [18:12] I'm using 14.04.5 LTS, /etc/hosts modification doesn't seem to do a thing, hostnamectl set-hostname doesn't seem to have a way to set the fqdn [18:13] I'm finding a lot of random on google but nothing else, any help is appreciated [18:13] The_Tick: /etc/hosts is used for name resolution, not setting the hostname. (see `man hosts`) [18:14] The_Tick: `hostnamectl` (I thought) is a systemd thing [18:14] nacc: having your host wrong there is problematic though. (/etc/hosts) [18:14] dpb1: absolutely [18:14] dpb1: but changing values there won't change your hostname [18:14] +1 [18:14] The_Tick: the underlying file is /etc/hostname, iirc [18:14] The_Tick: `man 1 hostname` may help [18:15] oof just got it [18:15] hostnamectl and /etc/cloud/templates/hosts.debian.tmpl [18:23] i'm still stuck at initramfs that should activate lvm volumes [18:24] I dont get it ;( [18:24] since zesty, no lvm is activated on my machine [18:24] I always have to do it manually [18:24] is that a problem of my lvm.conf or initramfs? [18:25] Aison: when you get dropped the shell, are you able to debug why it failed? [18:25] e.g., systemctl status lvm2 or whatever [18:25] lvm2.service is masked [18:25] ;) [18:25] Aison, check for a hook: /usr/share/initramfs-tools/hooks/LVM [18:26] Aison: and how do you activate it? [18:26] nacc: celery is not actually used by openstack; they just share a common dependency in kombu and one blocks the other with proposed migrations [18:26] lvchange -ay alv0 [18:26] jamespage: ah ok [18:26] this way all logical volumes of logical group alv0 are activated [18:27] Hi nPeople! [18:27] How do I verify DMARC record for a subdomain? [18:27] It always fails when I mail from a subdomain. SPF passes, since I added the IP to SPF record already. [18:28] I also added a dmarc record for the subdomain, still it fails. [18:31] jamespage: just getting the autopkgtests to pass and i should be able to upload [18:42] I can't seem to get my vpn tunneled transmission to work anymore and I'm not sure what broke it, could anybody help? [18:42] https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/ [18:42] that was the guide I used and it worked for a few months up until about last week [18:44] when I use auto_activation_volume_list = [ "alv0" ] [18:44] then the it is auto activated [18:44] (though an empty auto_activation_volume_list should auto activate all volumes...) [18:45] but mounting still doesn't work, since the activation is too late ;) [18:50] Aison, sudo udevadm info --name= | grep SYSTEMD_WANTS <-- I think this ENV var is missing on Zesty [18:50] ^^ same thing on Stretch [18:51] ChmEarl, systemd_wants is not defined [18:52] this is an old bug filed in Sid 2 years ago [18:52] the lvm2-pvscan@.service is broken as a result [18:53] an is there a workaround? [18:54] yes, you copy the 69*rules to /etc/udev/rules.d/69-lvm-metad.rules and patch it [18:55] nacc: hi, question [18:55] nacc: if https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1668940 is sru'ed, it will introduce a libcephs1 dependency into samba-vfs-modules. That's generally frowned upon? [18:55] Launchpad bug 1668940 in samba (Ubuntu Yakkety) "[FFe] samba-vfs-modules misses ceph vfs module" [Undecided,New] [18:56] it's a new feature per se. The "bug" is that we included the manpage of the ceph module, just not the module itself. Another way to fix it would be to remove the manpage ;) [18:56] ChmEarl, where do I get these files? [18:56] and the patch? :P [18:57] Aison basic idea is to add in the 3 ENV vars: https://paste.debian.net/plain/971356 [18:57] Aison that patch is quite old so the context might be changed [18:58] ok [18:58] Aison test with: sudo udevadm info --name= | grep SYSTEMD_WANTS [18:58] PV is the physical volume with your VG's [18:58] yes, I already tested [18:59] there is only SYSTEMD_READY=1 [19:00] Aison, the patch is invisible [19:00] patch it, test again [19:02] find the 69*rules under /usr/lib, copy it to /etc/udev*, patch it [19:02] Aison I did this in Stretch & Zesty [19:03] Aison, original bug was found by M Biebl in #debian-systemd on OFTC [19:05] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791869#209 [19:05] Debian bug 791869 in lvm2 "lvm2: updating src:lvm2 from 2.02.111-2.2 to 2.02.122-1 breaks booting, mounting LVs other than / fails" [Grave,Fixed] [19:10] I guess I have to do update-initramfs -u ? [19:11] bug report with some spam at the end [19:12] Aison, I hesitate to post that BTS since its 2 years ago [19:13] hmm, still not working [19:13] looks like this udev is simply ignored [19:18] Aison, lvmetad.socket enabled, lvm2-lvmpolld.socket enabled, lvm2-monitor enabled [19:19] ^^ only these are enabled [19:19] well, I can't even see the env vars with udevadm info [19:22] Aison, if you add the major/minor for your PV here: lvm2-pvscan@.service what happends [19:24] Aison, this patch fixed it for me in 2 very different contexts, so I think it should work [19:25] lvmetad.socket and lvmpolld.socket is present [19:25] when I type systemctl, is the order of the services the order they were executed? [19:27] lvm2-monitor is also enabled [19:29] ChmEarl, the funny thing is, as soon as I type lvchange -ay alv0, everything works is is mounted [19:29] so strange... [19:33] nacc: ok, so where autopkgtest runs, what is the network like. is there an http_proxy etc? [19:33] ChmEarl, how do you mount the lvm then? by uuid? [19:34] or by name? [19:34] nacc: I'm assuming it's fine for boto to have network-dependent tests. [19:37] If I'm wanting to copy all files/folders inside a directory to remote server using rsync, do I need to use option -r ? [19:37] I just see rsync -avz in tutorials. [19:37] ChmEarl, and do you use auto_activation_volume_list in lvm.conf? [19:37] db`: read the manpage and look at -a: -a, --archive archive mode; equals -rlptgoD (no -H,-A,-X) [19:38] db`: go look up what each of those flags means for -a, it's a fun read. :) [19:39] sure [19:39] Aison, all defaults [19:39] ok [19:40] one thing is very very strange. even when the volumes are activated and visible in /dev/mapper/ [19:40] they are not mounted by systemd [19:41] dpb1: so if I use rsync -avz, I hope the files in remote which are NOT present in localhost, will NOT get deleted. [19:42] db`: right, --delete is specifically not bundled in the '-a' option [19:42] for just that reason [19:42] but I would be using -e [19:43]