hehehe | good | 00:21 |
---|---|---|
hehehe | be hungry | 00:21 |
hehehe | what's the common danger to give any kind of folder or file permission to public? | 00:26 |
hehehe | read is safe | 00:26 |
hehehe | write - they can try to load malicious code? | 00:26 |
patdk-l2 | read is not safe | 00:38 |
patdk-l2 | not if it contains a config file with your mysql permissions and stuff like that | 00:38 |
patdk-l2 | write should NEVER be given | 00:39 |
sarnold | if you ever grant someone untrusted write access to a directory that basically means there's entire classes of tools that should never be used on that directory again | 00:39 |
sarnold | just about everything that traverses directory structures assumes they are operating on safe inputs | 00:39 |
sarnold | no tar, no rsync, etc. | 00:40 |
sarnold | while it is possible to safely implement tree walking routines in the face of malicious modifications I honestly can't say I know any tool offhand that does it correctly. | 00:40 |
hehehe | :) | 01:06 |
hehehe | sarnold: there's entire classes of tools that should never be used on that directory again | 01:07 |
hehehe | like what tools and why | 01:07 |
sarnold | hehehe: anything that works on directory trees | 01:08 |
hehehe | like? | 01:08 |
sarnold | no tree, no find, no tar, no ls -R, etc. | 01:08 |
sarnold | no du. | 01:08 |
hehehe | so if someone has write access, how can they use find? | 01:09 |
hehehe | i just read open cart golden partner tutorial We recommend setting the permissions of config.php to 444. This will make the file as read-only. :D | 01:12 |
hehehe | lol | 01:12 |
hehehe | ehehe | 01:13 |
sarnold | hehehe: if you give someone else write access to a directory and you don't trust them then _YOU_ and _root_ do not get to use find | 01:13 |
patdk-l2 | give find u+s rights :) | 01:13 |
sarnold | (don't give find setuid rights! :) | 01:14 |
patdk-l2 | that is like the first thing I do on some of my systems | 01:14 |
sarnold | holy hell | 01:14 |
patdk-l2 | is remove setuid and setgid to everything | 01:14 |
sarnold | oh okay | 01:14 |
sarnold | you scared me to death man | 01:14 |
patdk-l2 | as there is no legit use case for any of them | 01:14 |
patdk-l2 | as user management and stuff are on another box | 01:14 |
sarnold | "did patdk really forget about -exec? and -delete?" :) | 01:15 |
patdk-l2 | na :) | 01:15 |
patdk-l2 | I really don't get apple | 01:15 |
patdk-l2 | on this order confirmation email | 01:16 |
patdk-l2 | they **** out my phone number | 01:16 |
patdk-l2 | but left everything else, my address, and everything | 01:16 |
hehehe | remove setuid and setgid to everything - what is everything and how u do it? | 01:16 |
hehehe | :D | 01:16 |
patdk-l2 | I think my phone number is the least of my worry | 01:16 |
hehehe | even credit card details? | 01:16 |
patdk-l2 | use find :) | 01:16 |
patdk-l2 | lucky, no cc details at all | 01:16 |
patdk-l2 | if you remove setgid/setuid from everything, you will normally have a very broken system | 01:17 |
patdk-l2 | sudo won't work, passwd won't work, sendmail won't work, ... | 01:17 |
hehehe | not good | 01:17 |
patdk-l2 | but those are all things I had no issues with | 01:18 |
hehehe | ur idea is bad :D | 01:18 |
patdk-l2 | not if it's a webserver | 01:18 |
patdk-l2 | and NOTHING else | 01:18 |
hehehe | but how do u change pass? | 01:18 |
hehehe | without passwd | 01:18 |
patdk-l2 | why would I? | 01:18 |
patdk-l2 | passwords won't live on that box | 01:18 |
patdk-l2 | if someone changed a password from there, it's hacked | 01:18 |
patdk-l2 | passwords live in ldap | 01:18 |
hehehe | is there howto on it? | 01:19 |
hehehe | to read more :D | 01:19 |
patdk-l2 | not really, it's more just knowing how everything works and what you can get away with | 01:19 |
patdk-l2 | these days people generally use lxd/docker for these type of things | 01:19 |
patdk-l2 | but I built this like 12 years ago | 01:19 |
patdk-l2 | been moving it to lxc | 01:20 |
patdk-l2 | but still keep the basics I always do, since no reason not to | 01:20 |
hehehe | how many times your server been hacked? | 01:22 |
hehehe | :D | 01:22 |
hehehe | none? | 01:22 |
patdk-l2 | that depends | 01:22 |
patdk-l2 | at least multiple times a day | 01:22 |
patdk-l2 | but never rooted | 01:22 |
patdk-l2 | I can't really secure customers stuff | 01:22 |
patdk-l2 | but as long as they stay contained to the customer | 01:22 |
hehehe | so you offer hosting? | 01:23 |
patdk-l2 | yes | 01:23 |
hehehe | files hotel or motel | 01:23 |
hehehe | :D | 01:23 |
hehehe | well this app opencart - uses some dirs like images etc to write and read, I set folder to 770 - however images won't show in checkout and also some ajax functions like menu don't work | 01:24 |
hehehe | most does work | 01:24 |
hehehe | maybe faulty code a bit? | 01:24 |
patdk-l2 | you probably just need to make it group owned and set the group to writable | 01:25 |
patdk-l2 | by whatever it runs under | 01:25 |
patdk-l2 | likely php, and that is likely defaulted to www-data unless you changed it | 01:25 |
hehehe | I have done that | 01:25 |
hehehe | but set to group to writable hmm I done some of it | 01:26 |
patdk-l2 | only folders it needs write access | 01:26 |
patdk-l2 | like your images/tmp/... folders | 01:26 |
patdk-l2 | 770 would be fine | 01:26 |
patdk-l2 | as that is read+write+execute | 01:26 |
hehehe | yes | 01:29 |
hehehe | so I need to use setgid? | 01:30 |
patdk-l2 | no | 01:30 |
hehehe | chmod g+s /image stuff like? | 01:30 |
patdk-l2 | chmod g+w | 01:30 |
patdk-l2 | and I hope you don't use / | 01:30 |
patdk-l2 | that would be a very strange location for an image folder | 01:30 |
hehehe | its app/image :D | 01:31 |
hehehe | change mode to make it group writeable right? | 01:32 |
hehehe | like chmod g+w /app/image or /app/image/ ? | 01:33 |
hehehe | and how I can check existing things like that if any | 01:35 |
hehehe | ls -l does not seem to show them :D | 01:35 |
hehehe | patdk-l2: anyway I did run chmod g+s image etc etc | 01:45 |
hehehe | same story | 01:45 |
hehehe | dun | 01:46 |
hehehe | 770 means it's writeable by group | 01:46 |
hehehe | why I need to use chmod g+w? | 01:46 |
=== hehehe is now known as hehehe_offline | ||
lordievader | Good morning | 06:13 |
a_z0_9823 | Hello, testing, first time IRC user.. | 07:11 |
lordievader | o/ | 07:13 |
a_z0_9823 | anyone here familiar with email hosting? | 07:14 |
lms | Hello all. I'm having some issues setting up a simple kerberos environment. I've posted a serverfault question about it: https://serverfault.com/questions/855859/mit-kerberos-keeps-asking-for-password-when-authenticating-to-openssh . I'd really appreciate if anyone here could shed some light. | 10:04 |
sadsheep | hi | 10:36 |
sadsheep | I would like to generate a .po file from an old one, but this old po file is in a subfolder | 10:36 |
sadsheep | I'm using this cli | 10:37 |
sadsheep | msgmerge --no-wrap --directory="../locales" -o ../locales/new.po messages.po ./testersclub.pot | 10:37 |
sadsheep | but this does not run! OUTPUT: msgmerge: Erreur lors de l'ouverture de « messages.po » en lecture: Aucun fichier ou dossier de ce type | 10:38 |
sadsheep | please ? | 10:38 |
hehehe | hey hey | 11:34 |
hehehe | :D | 11:34 |
lordievader | o/ | 11:37 |
hehehe | hi lordievader :) | 11:38 |
lordievader | Hey hehehe | 11:38 |
lordievader | How are you? | 11:38 |
hehehe | I nearly managed to wrestle all I want from a server - 1 thing left app writeable dirs like /images yet to work, and it was working on the other box (but I forgot how I made it work) , using chmod 770 | 11:39 |
hehehe | and I am fine | 11:39 |
hehehe | any idea how I can check whats the issue is? | 11:39 |
lordievader | Is the party trying to write to that folder the owner or in the group? | 11:40 |
hehehe | in the group, not an owner | 11:40 |
hehehe | its root:www-data | 11:40 |
hehehe | and party writing is www-data | 11:40 |
lordievader | What I usually do is open a shell as that user and see if I can do it manually. | 11:41 |
hehehe | lordievader: like simply su as that user and copy file into dir in question? | 11:41 |
lordievader | For example, touch would be sufficient ;) | 11:42 |
hehehe | su www-data This account is currently not available. | 11:43 |
hehehe | why is that .. :) | 11:43 |
lordievader | Because it is disabled ;) | 11:44 |
lordievader | But there are ways around that: sudo -u www-data bash | 11:44 |
hehehe | bash: /root/.bashrc: Permission denied | 11:45 |
hehehe | ok it worked | 11:47 |
hehehe | lordievader: yes I was able to copy file to /images and create a file there | 11:51 |
hehehe | weird | 11:51 |
lordievader | Is the app running as some other user? | 11:52 |
hehehe | it should run via nginx as www-data, any way to double check? | 11:52 |
lordievader | I don't know what you are running. | 11:53 |
hehehe | opencart a php app | 11:55 |
hehehe | its simply uses nginx and php fpm | 11:55 |
lordievader | Oh, but php-fpm runs as a different user, I though. | 11:57 |
lordievader | thought* | 11:57 |
hehehe | I checked php-fpm config - user www-data, group www-data | 11:58 |
lordievader | Hmmm | 11:58 |
hehehe | is that a right way to do it? | 11:58 |
lordievader | Then I do not really know what the problem is. | 11:58 |
lordievader | Yes | 11:58 |
hehehe | and in sockets owners listen mode 0660 | 11:59 |
hehehe | ok I will check more :D | 12:01 |
hehehe | lordievader: PHP Warning: fwrite() expects parameter 1 to be resource | 12:20 |
hehehe | hehe | 12:20 |
hehehe | I am getting closer to it | 12:20 |
lordievader | That sound like an error in the program. | 12:21 |
hehehe | https://pastebin.com/ufV76bda | 12:21 |
lordievader | Could be a mismatch between target php version and installed php version. | 12:21 |
SlimG | Is it possible to stop mysql from creating the default files in the datadir when they are missing? | 12:22 |
hehehe | lordievader: many say delete cache | 12:26 |
hehehe | I googled the error | 12:26 |
=== JanC is now known as Guest53242 | ||
=== JanC_ is now known as JanC | ||
hehehe | i think that can fix it :D | 12:33 |
DirtyCajun | so, NFS mount. If a single mount and moving files within that mount then there is no loss in speed over the lan. But 2 mounts that go to the same server would require the information to pass from mount a to mount b causing lan slowdown correct? | 14:00 |
=== MAbeeTT_ is now known as MAbeeTT | ||
lordievader | Most likely, yes. | 14:05 |
DirtyCajun | lordievader, e.g. /parent/folder1 /parent/folder2 mount /parent as /parent and symlink folder1 and folder2 as /folder1 /folder2. then you can move files from folder1 to folder 2 with no loss of lan speed though right? | 14:13 |
DirtyCajun | ***from /folder1 to /folder2 | 14:14 |
lordievader | Yes, they move stuff from the same mount. | 14:16 |
lordievader | As long as they do not traverse the boundary of the mount, you should be fine. | 14:17 |
DirtyCajun | wonderful. | 14:17 |
DirtyCajun | lordievader, nope. No cigar. Looks like if folder1 and folder2 are their own filesystems on the host server then nfs cannot traverse the subdirectories | 14:49 |
DirtyCajun | guess im gonna use SMB -,- | 14:50 |
Aison | can I define some default user and password for "mysqladmin"? | 14:57 |
DirtyCajun | Aison, what do you mean by default... its a tool | 15:08 |
DirtyCajun | you just want to be able to type in mysqladmin without typing a u or p? | 15:08 |
yeeve | Aison, a nice way of making the mysql tools easier to use is 'login paths'. Have you used .ssh/config file before? | 15:18 |
yeeve | Aison, I think by default it may already try `-uroot -p -hlocalhost` but I'm not 100% sure | 15:19 |
Aison | yeeve, DirtyCajun eg. when I try to install zoneminder, mysqladmin is used to create some database | 15:35 |
Aison | and because there is no username password defined, I get the error | 15:35 |
Aison | mysqladmin: connect to server at 'localhost' failed | 15:36 |
Aison | error: 'Access denied for user 'root'@'localhost' (using password: NO)' | 15:36 |
Aison | during apt-get install | 15:36 |
Aison | brb | 15:39 |
yeeve | Aison, by default it could be that MySQL is locked down so root cannot login. You need to change your MySQL setup so root without password can login to localhost. | 15:49 |
jamespage | anyone know whether the s390x autopkgtests run under LXD or under KVM? | 15:52 |
xnox | jamespage, lxd | 15:58 |
xnox | jamespage, or actually lxc. | 15:58 |
jamespage | xnox: oh | 15:58 |
xnox | jamespage, both armhf and s390x are containers, one is lxc the other is lxd. | 15:58 |
xnox | hence the two are "different" from everyone else, and between each other. | 15:59 |
jamespage | xnox: I'm trying to reproduce a s390x failure | 15:59 |
xnox | should be possible with local amd64 lxc / lxd runners. | 15:59 |
jamespage | have a lxd container on an s390x; can get test to fail... | 15:59 |
jamespage | :( | 15:59 |
jamespage | can't rather | 15:59 |
xnox | which package / test? | 15:59 |
jamespage | xnox: gnocchi | 16:01 |
jamespage | its been failing pretty consistently on that architecture | 16:01 |
jamespage | xnox: hmm when not running with security.privileged=True, I see a lot of systemd unit startup issues - "status=237/KEYRING" | 16:18 |
* jamespage scratches his head | 16:20 | |
xnox | jamespage, that one is a known regression in artful, yet to be fixed. | 16:38 |
jamespage | xnox: ah | 16:38 |
hallyn | rharper: cpaelzer: any plans on keeping https://launchpad.net/~ubuntu-virt/+archive/ubuntu/virt-daily-upstream updated? | 16:43 |
hallyn | (I don't have any, at least for now, sorry) | 16:43 |
hallyn | (wouldn't mind doing a rotating schedule for handling it if we want to do it as a team) | 16:44 |
cpaelzer | hallyn: to be honest I didn't even know it existed | 16:47 |
cpaelzer | hallyn: but if it is a no commitment as good as possible thing we could try to get it back to live again | 16:47 |
cpaelzer | hallyn: it is also not so daily anymore, and hasn't been for a long time | 16:48 |
hallyn | cpaelzer: right, someone just complained about that which is why i bring it up | 16:50 |
cpaelzer | hallyn: I'm actually not here today (public holiday), but I added a card to not forget looking into it more seriously at https://trello.com/c/RdKlRFk2 | 16:50 |
cpaelzer | hallyn: I'd reach out to you once I have taken a deeper look - ok ? | 16:50 |
hallyn | wtf is that - trello :) | 16:51 |
hallyn | sure. ttyl :) | 16:51 |
dpb1 | hallyn: welcome to 2017 | 16:51 |
hallyn | (I'm actually on vacation too :) - see you on relaxation island) | 16:51 |
dpb1 | :) | 16:51 |
cpaelzer | hallyn: the Team is now "planning in the public space" | 16:51 |
hallyn | we used to do that on lp with blueprints :) | 16:51 |
hallyn | anyway - \o | 16:51 |
cpaelzer | hallyn: it is world readable like the blueprints were, yet more featureful | 16:51 |
dpb1 | have a good vacation hallyn | 16:51 |
cpaelzer | hallyn: if you want to write, dpb1 can make you an external Team member | 16:51 |
hallyn | sure why not | 16:52 |
hallyn | can see how it compares to atlassian and lp. maybe it rocks | 16:52 |
dpb1 | will do | 16:53 |
* cpaelzer is hiding again | 16:54 | |
dpb1 | yay https://github.com/boto/boto/issues/3739 | 18:49 |
dpb1 | now I just need to figure out how to get a change to the 2.44.0 upload re-uploaded... | 18:50 |
Capprentice | What to use for DNS ad filtering for a Metro ISP ? | 18:59 |
sarnold | Capprentice: I'd probably start with powerdns recursor and rpz https://blog.powerdns.com/2016/06/28/response-policy-zone-support-in-powerdns-recursor/ | 19:00 |
jelly | where does one get an anti-advertising rbl anyway | 19:07 |
=== bleepy_ is now known as bleepy | ||
drab | re | 21:19 |
adv-t | Hello all! | 22:18 |
adv-t | How do you do? | 22:18 |
adv-t | Wondering: How much space do you guys leave for your Ubuntu server installs? | 22:19 |
adv-t | I only have a 120GB SSD, and I'm planning to do some virtualization, so... | 22:19 |
dpb1 | ya, virt is what takes up the room for sure | 22:20 |
adv-t | Yeah, I've got some more hard drives in there that I can "give" to the VMs, but I want all of the OSes/apps to be running off of the SSD, ideally. | 22:20 |
dpb1 | I personally like to segregate my VM disk usage in some way | 22:21 |
adv-t | I was thinking 10GB pretty much each | 22:21 |
adv-t | Oh, yeah, ideally that'd be great. | 22:21 |
adv-t | And I may end up doing that, but I think that what I'm looking to do with my server + vms isn't really super disk intensive. | 22:21 |
sarnold | I see our IS guys having to clean up space on vms due to being short on space from time to time; I think they grumble about 10g roots | 22:22 |
drab | adv-t: about 10GB for a basic install of roots and then I export disks for data | 22:22 |
adv-t | This is why I asked! :D | 22:22 |
sarnold | if you're religious about the 'disks for data' then probably 10 gigs does work okay | 22:23 |
drab | it also depends what you're doing... | 22:23 |
adv-t | I think I'm pretty religious about disks for data. | 22:24 |
drab | for example, if you are doing qemu/kvm and you'll mostly use static images, then using a shared root + incrementals could dramatically reduce your data usage | 22:24 |
drab | same with lxd and something like overlayfs | 22:24 |
drab | but generally speaking everybody recommends against using snaps/immutables for prod because sooner or later things will drift enough you'll regret it | 22:24 |
sarnold | oh? | 22:25 |
drab | however ime if you know your workload well that can be really advantageous | 22:25 |
adv-t | I have a 120GB SSD that I wanted to use as the boot drive, and then I've got three VM's that I plan to build: One for my own files (SMB and such which will be located on a separate disk), one for an ethereum stratum proxy (I will store the full blockchain on a separate disk), and one for a web server for me to play around with. | 22:26 |
adv-t | Again, I figured that for the most part, it'd just be the OS and applications that "run" off of the SSD - data would be stored on separate disks. | 22:27 |
adv-t | This means I need to reinstall Ubuntu and redo my Xen VM. T_T | 22:27 |
drab | for that use case I think you've got plenty if you don't need to save up SSD space for future usage | 22:27 |
drab | if data is always on another disk for each VM, then 15GB is prolly safer | 22:28 |
adv-t | Yeah, I don't think I do. I figured 10GB partitions JUST to be extra conservative, but, shoot, it's not like I can't get a bigger SSD if I need. | 22:28 |
adv-t | I could do 15GB. | 22:28 |
adv-t | I just had this 120GB laying around, figured I'd put her to use. | 22:28 |
drab | most of my / start at about 4GB with all my | 22:29 |
drab | "basic sw" installed | 22:29 |
drab | so to my use case, 10GB is plenty | 22:29 |
drab | but I've ran into some cases where it got tight | 22:29 |
drab | especially if you need to keep multiple kernels or source code around for some reason | 22:29 |
adv-t | i do like to tinker though. | 22:30 |
adv-t | i might need an ubuntu 16.04.2 vm just for that. | 22:30 |
adv-t | so i can blow that one up, and not nuke all my services. | 22:30 |
drab | fwiw, depending on your taste, I've moved 99% of my tinkering to lxd instead of VMs | 22:31 |
drab | but I'm also stubborn and refuse to use libvirt which would have made sticking with VMs probably a lot easier :P | 22:32 |
drab | so like I said, it's partly a taste thing | 22:32 |
drab | the real physical limit is how many "VMs" you need to tinker with and if you can pack those on the machine you have or not | 22:32 |
drab | containers will obviously pack a lot more | 22:33 |
jushur | you want to keep 20% of the drive free at all times, so it has good space to use for rewrites. | 22:34 |
adv-t | Because it's an SSD? Or just in general? | 22:35 |
jushur | due to SSD | 22:35 |
adv-t | Gotcha, yeah. Good idea. | 22:35 |
drab | lol | 22:35 |
jushur | performance will drop really fast if you fill it up | 22:35 |
adv-t | Does Ubuntu Server 16.04.2 do TRIM? | 22:35 |
drab | there was just a massive thread^Wflame about that on ZOL list | 22:36 |
adv-t | Like, automagically? Or do I need to set that up via cron? | 22:36 |
trippeh | on consumer ssds this is good advice. | 22:36 |
adv-t | It should be obvious by now that I am... learning... am nub | 22:36 |
jushur | actually "small" ssds in particular | 22:36 |
jushur | if you have a 240gb or bigger its less of an issue. as you tend to not actually fill them. while a 120 you easily fill | 22:37 |
trippeh | enterprise ssds tend to have like 40% unaddressable flash set off for spare/gc management so "filling up" is much less of an issue on those. | 22:38 |
jushur | yep | 22:38 |
jushur | is also why they seem faster than consumer ones | 22:38 |
jushur | and cost more | 22:39 |
drab | http://list.zfsonlinux.org/pipermail/zfs-discuss/2017-June/028440.html | 22:39 |
drab | just for reference | 22:39 |
drab | there's some good comments and myth busting | 22:40 |
drab | and I think people overall agree with the above, especially the distinction between enterprise vs consumer SSDs regarding overprovisioning | 22:40 |
sarnold | adv-t: if you use a filesystem that supports the fstrim ioctls crontab up fstrim.. | 23:38 |